#+title: SwarselSystems: NixOS + Emacs Configuration
#+EXPORT_FILE_NAME: site/index.html
#+HTML_HEAD: >
#+end_src
and is finally parsed as:
#+begin_src markdown :tangle no :noweb yes :results silent
<>
#+end_src
Note that noweb-reffed blocks will not always be indented correctly. You will want to account for that when checking your nix flake with the formatter of your choice. Personally, I have solved this issue using the functions defined in [[#h:59d4306e-9b73-4b2c-b039-6a6518c357fc][org-mode: Upon-save actions (Auto-tangle, export to html, formatting)]]. Originally, I also automatically exported to html there, but it incurred a too high memory penalty which made Emacs become sluggish over time - instead I now build the website version whenever I push to GitHub.
- [[#h:8fc9f66a-7412-4091-8dee-a06f897baf67][Appendix B: Supplementary Files]]
This section holds files that are not written in nix but are still referenced in the configuration in some way. This is mostly used for configuration of programs that have no native nix support, like tridactyl, as well as "meta" files like the [[#h:bf3e6fc0-a95a-46d0-9305-0d1068b2f1ec][GitHub Readme]] or the [[#h:abed312c-5bf7-43f5-b0d0-43cce513ccb9][GitHub Workflow: Build-and-deploy]]. Note that shell scripts are still defined under their respective entry in [[#h:64a5cc16-6b16-4802-b421-c67ccef853e1][Packages]]. Over time, the goal is to reduce this section to a minimum, but things like the aforementioned tridactyl might stay for a long time, until we have a stable nix interface to configure browser plugins.
- [[#h:8ea35dcc-ef94-4c10-9112-8be8efd6f424][Appendix C: Explanations to nix functions and operators]]
When I started to learn about nix, I found that journey quite arduous; while I disagree with the general public in that the documentation is too sparse, I will say that, while it is very good, reading (and understanding!) it requires a certain level of existing nix knowledge that one will problably not have when starging out. Hence, the goal of this document is to explain common nix functions as they come up in this document (I thing I wrote this before :sweat:), in hopes that you will be able to understand most of the code. When a new function appears for the first time, I will try to link to an entry in the appendix.
*** HTML version of this document
:PROPERTIES:
:CUSTOM_ID: h:12880c64-229c-4063-9eea-387a97490676
:END:
I will also quickly talk about the webpage that (I hope) you are currently viewing works:
The =.html= version of this page is built by a GitHub workflow; it can also be generated manually by calling the chord =C-SPC o e=, or by executing the below block
#+begin_src emacs-lisp :tangle no :export code :results silent
(org-html-export-to-html)
#+end_src
The web version is useful because it allows navigation using org-mode links, which makes the configuration easier to follow in a number of ways:
- mobile-friendly documentation
- Functionality to save links to certain headers in a "Pinned" menu that can be toggled
- These links are locally saved
I add a javascript bit to the file in order to have a darkmode toggle when exporting to html (defined in [[#h:cf6a12cf-929b-4080-9945-e6f02afc7990][HTML Export: Darkmode toggle]]). NOTE: What I am doing is defining an elisp multiline string which gives me heredoc capabilities for defining blocks that should be both exported to the final =.html= but should also be shown in the document itself (only putting a =#+[begin/end]_export= block would not show the block in the content of the page) which is then output as html and exported to both.
#+begin_src elisp :noweb yes :exports both :results html
"
<>
"
#+end_src
I also add this javascript to add header pinning functionality to the site, using the same trick as above (this is defined in [[#h:e5f900a0-9d68-4269-a663-53c52434c342][HTML Export: Docs QoL]]):
#+begin_src elisp :tangle no :noweb yes :exports both :results html
"
"
#+end_src
** TODO Structure of this flake
:PROPERTIES:
:CUSTOM_ID: h:2c5529ed-e6d9-44b6-b0d3-5bf96a6bed64
:END:
The structure of this flake as seen many revisions, however lately I have settled on a system that I have grown to like:
- =hosts=: This folder is used to house all configurations that are used across the infrastructure. At the top level, it splits into the subfolders =nixos=, =home=, =darwin=, and =android=. These folders specify the mode that the configuration is running in:
- nixos: Full NixOS host (may or may not also use home-manager)
- darwin: Host that uses NixOS on MacOS (may or may not use home-manager)
- home: Host that uses only home-manager (no full NixOS)
- android: Phone using nix-on-droid (may or may not use home-manager)
The corresponding configurations are automatically generated by =mkFullHostConfigs= and =mkHalfHostConfigs=. A "full" host either in the nixos or darwin folder, while a "half" host is in either of home or android. This has to do with the scheme in which these configurations are generated.
These folders hold on the first level a folder describing the machine archetype (=x86_64-linux= or =aarch64-linux= for linux, =x86_64-darwin= or =aarch64-darwin= for macs). Those folders then hold a number of folders, the actual configurations. At this time, the files stored in this folder are:
- default.nix:
This file holds the abstracted configuration of the host. This should mostly be enabling [[#h:f0f1c961-3e7a-47b8-99ab-1654bb45dffc][Profiles]] as well as setting some [[#h:79f7150f-b162-4f57-abdf-07f40dffd932][Configuration options]].
- hardware-config.nix:
It is not clearly defined what I hold in this file. Mostly it is just the attributes that nix originally sets when setting up the system for the first time (although at this time modified by me!), bar any filesystem configuration. This makes my deployment in [[#h:74db57ae-0bb9-4257-84be-eddbc85130dd][swarsel-bootstrap]] a little bit simpler.
- disk-config.nix
Holds the aforementioned filesystem configuration and is applied using [[https://github.com/nix-community/disko][disko]].
- The hosts// folders may also have a =secrets= folder, under which files of the ending =.nix.enc= may be stored. As the name suggests, these files should be encrypted. Specifically, they need to be [[https://github.com/getsops/sops][sops]]-encrypted files (sops does not seem to suggest a file ending other than .yml or others, which is not verbose enough for me, so I went with =.enc=). This should have the structure of a nix expression, e.g.:
#+begin_src nix-ts :tangle no
{
my_value = 2;
my_attrSet = {
enable = true;
};
}
#+end_src
It is also possible to pass it as a function:
#+begin_src nix-ts :tangle no
{ config }: {
my_value = 2;
my_attrSet = {
enable = config.myconfig.enable;
};
}
#+end_src
Using the mechanisms in [[#h:82b8ede2-02d8-4c43-8952-7200ebd4dc23][PII management]] (which in turn uses [[#h:87c7893e-e946-4fc0-8973-1ca27d15cf0e][extra-builtins]] and [[#h:315e6ef6-27d5-4cd8-85ff-053eabe60ddb][sops-decrypt-and-cache]]), these files are decrypted during evaluation time and stored under a persistent directory. As the name suggests, I am using these files to store personally identifiable information - these "secrets" are stored world-readable in the nix store. As such, this should not be used to store important secrets, but rather information that you would not like everyone on the internet to easily find in your git repo.
Other than that, the =secrets= folder will also be used to store conventional (decryted at activation-time) sops-encrypted secrets in the standard =.yaml= / =.toml= / =.ini= formats.
- =modules=
This folder holds the most part of the actual system configuration done in this repository. At some point I thought it was cool to have my whole configuration exposed under the flakes =nixosModules=, which is indeed achieved (its usefulness is however debatable). In any way, this folder splits up as:
- nixos: Holds true NixOS configuration
- home: Holds configuration to be used by home-manager (either as a NixOS submodule or not)
- shared: This is for configuraion bits that are to be used by both types.
The nixos and home folders further split up:
- common: Configuration that can be used by all hosts (TODO: this currently includes configuration used by my user devices, which will mostly not be used by servers)
- server: Configuration to be used on servers
- darwin: Holds configuration for nix-darwin.
- optional: Configuration that will be used rather rarely
This structure is very optionated and highly subjective. I will possibly change this in the future.
By themselves, most of the files in the modules folder will not do anything. In order for them to do something, their corresponding =config.swarselmodules= attribute needs to be enabled. This is partly done using...
- =profiles=: This folder splits up into =home= and =nixos= subfolders, where groupings of module enablers are stored for the respective home and nix setups. Note that =home= profiles are also used in NixOS setups (extensively even)! This is used to quickly enable common configuration for a machine use, e.g. the [[#h:dfc076fd-ee74-4663-b164-653370c52b75][Server]] profile.
- =nix=: This special folder holds mostly =.nix= files that are not automatically loaded, but rather setup specific things that affect most of the flake. For example, here lies the aforementioned [[#h:87c7893e-e946-4fc0-8973-1ca27d15cf0e][extra-builtins]] as well as the setup for the [[*Globals][Globals]] system. Also in here are the flake-parts files that you read about earlier. This gives the following functionality:
- =lib=: I define some utility functions that I add to the nixpkgs library under the =swarselsystems= attribute set. An example would be the =mkIfElse= function.
- =checks=: As part of a [[#h:4d0548db-99b2-4e07-b762-6d86fbb26d4c][Devshell (checks)]], I declare pre-commit hooks that should run before I push changes to my repo.
- =overlays=: Here we also define the main (default) overlay I am using in my configuration. It is responsible for adding my defined packages and modifications to the final nixpkgs. Also I add some other conveniences like all past stable nixpkgs and some other package sets.
- =apps=: I also define [[#h:52e1fae8-0e8c-4be6-a6ce-758ada652dd3][Apps]], which is an output of derivations that can be called by =nix run= without having the flake locally - this is mostly used for my =swarsel-*= utilities.
- =topology=: I also created a diagram of my infrastructure using [[https://github.com/oddlama/nix-topology][nix-topology]]. While I do not update this too often, this (I think) can quickly give a good overview of the scope of this flake as well as its services.
- =pkgs=: This folder holds derivations (mostly packages) that I define myself. This is mostly used to grab versions that are not (yet) in nixpkgs, or modified versions of another package. Each derivation in this folder is in turn in its own folder which holds a defautlt.nix. Using the mechanism in [[#h:64a5cc16-6b16-4802-b421-c67ccef853e1][Packages]], these are automatically built and available to all configurations (packages still need to be installed e.g. in =environment.systemPackages=). Note that the folder at the top level splits up in =config= and =flake= subdirectories:
- The =config= dir is used for packages that need the actual config of the machine where they run in order to be built. These packages cannot simply be released as a flake output (or better, it would not make a lot of sense). Instead, these are added within the configuration as an overlay
- The =flake= dir is used for the conventional packages that I described above.
- =files=: This is kind of a catchall folder that holds (nearly) all non-nix files. It mostly holds blocks created in [[#h:8fc9f66a-7412-4091-8dee-a06f897baf67][Appendix B: Supplementary Files]], but also some more specific directories:
- =scripts=: This folder holds a bunch of shell scripts that I use for various tasks. Nearly all of these are made into a derivation using =pkgs.writeShellApplication=. In the future (TODO?), I might convert these to native nix, but in the past I kept the as true shellfiles in case I ever wanted to move away from nix. This is becoming less and less likely, however. And even in case that this would happen, I could retrieve these files from the nix store and would simply have to remove the nix store paths.
- =wallpaper=: Holds my wallpapers and profile pictures :)
- =topology-images=: Holds pictures used by [[#h:391e7712-fef3-4f13-a3ed-d36e228166fd][Topology]] :)
- =secrets=: Unlike the similar folder under =hosts=, this folder holds sops-encrypted secrets and PIIs that are used by a number of hosts that is greater than one.
- =install=: This folder holds another [[#h:1d4514b4-e952-4faf-b30e-d89e73a526c6][Installer flake]]. That flake pulls in the =nixosConfigurationsMinimal= that are defined in [[#h:5c5bf78a-9a66-436f-bd85-85871d9d402b][Hosts]] of the main flake, which enables me to build an extemely reduced configuration when I deploy a new host for the first time - this is used by [[#h:74db57ae-0bb9-4257-84be-eddbc85130dd][swarsel-bootstrap]] in the first installation step. It also holds the configuration of the two installer images that I use to deploy this flake:
- [[#h:8583371d-5d47-468b-84ba-210aad7e2c90][Drugstore (ISO installer config)]]: This is the general installer ISO that I use whenever I can when I want to deploy a new host. It has a few conveniences like some of my utility programs for figuring out some dependencies or network quirks, as well as my public ssh keys so that I can immediately login to them.
- [[#h:e9fe580c-f1b2-4d7b-aaff-bbdf89a8c9f9][Brick Road (kexec image)]]: This is a kexec tarball that can be used by [[#h:74db57ae-0bb9-4257-84be-eddbc85130dd][swarsel-bootstrap]] in case that I need to deploy to a machine that has less than 1GB of RAM. It is basically just an even more stripped down version of the detault one used by nixos-anywhere, but notably I added cryptsetup so that it can be used when setting up an encrypted device using disko.
- =.github=: Canonically, this holds github related files like the [[#h:bf3e6fc0-a95a-46d0-9305-0d1068b2f1ec][GitHub Readme]] and some workflows.
** Hosts
:PROPERTIES:
:CUSTOM_ID: h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02
:END:
Here I give a brief overview over the host machines that I am using. This is held in markdown so that I can render it into my [[#h:bf3e6fc0-a95a-46d0-9305-0d1068b2f1ec][GitHub Readme]] without further effort.
#+begin_src markdown :tangle no :noweb-ref hosts
| Name | Hardware | Use |
|---------------------|-----------------------------------------------------|-----------------------------------------------------------------|
|💻 **pyramid** | Framework Laptop 16, AMD 7940HS, RX 7700S, 64GB RAM | Work laptop |
|💻 **bakery** | Lenovo Ideapad 720S-13IKB | Personal laptop |
|💻 **machpizza** | MacBook Pro 2016 | MacOS reference and build sandbox |
|🏠 **treehouse** | NVIDIA DGX Spark | AI Workstation, remote builder, hm-only-reference |
|🖥️ **summers** | ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM | Homeserver (microvms), remote builder, data storage |
|🖥️ **winters** | ASRock J4105-ITX, 32GB RAM | Homeserver (IoT server in spe) |
|🖥️ **hintbooth** | HUNSN RM02, 8GB RAM | Router, DNS Resolver, home NGINX endpoint |
|☁️ **stoicclub** | Cloud Server: 1 vCPUs, 8GB RAM | Authoritative DNS server |
|☁️ **liliputsteps** | Cloud Server: 1 vCPUs, 8GB RAM | SSH bastion |
|☁️ **twothreetunnel**| Cloud Server: 2 vCPUs, 8GB RAM | Service proxy |
|☁️ **eagleland** | Cloud Server: 2 vCPUs, 8GB RAM | Mailserver |
|☁️ **moonside** | Cloud Server: 4 vCPUs, 24GB RAM | Game servers, syncthing + other lightweight services |
|☁️ **belchsfactory** | Cloud Server: 4 vCPUs, 24GB RAM | Hydra builder and nix binary cache |
|🪟 **chaostheater** | Asus Z97-A, i7-4790k, GTX970, 32GB RAM | Home Game Streaming Server (Windows/AtlasOS, not nix-managed) |
|📱 **magicant** | Samsung Galaxy Z Flip 6 | Phone |
|💿 **drugstore** | - | NixOS-installer ISO for bootstrapping new hosts |
|💿 **policestation** | - | NixOS live ISO for generating cryptographic keys |
|💿 **brickroad** | - | Kexec tarball for bootstrapping low-memory machines |
|❔ **hotel** | - | Demo config for checking out this configuration |
|❔ **toto** | - | Helper configuration for testing purposes |
#+end_src
** Programs
:PROPERTIES:
:CUSTOM_ID: h:3bb92528-c61c-4b8d-8214-bf2a40baaa32
:END:
This is meant to give a brief overview over the main programs/components that I use on a daily basis on my client machines. This should be mostly useful for people wanting to rice their config, or people who believed this repos title and are looking for =.dotfiles= :p
On [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]], I run a combination of different services that are all replaced by [[#h:385cc6c7-416c-4570-a5d3-bf8fb7c841e7][Noctalia Shell]] when I am running on [[#h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb][Niri]], which has grown to become my default recently.
#+begin_src markdown :tangle no :noweb-ref programs
| Topic | Program |
|---------------|-----------------------------------------------------------------------------------------------------------------------------|
|🐚 **Shell** | [zsh](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix) |
|🚪 **DM** | [greetd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/common/login.nix) |
|🪟 **WM** | [SwayFX](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sway.nix) or [Niri](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/optional/niri.nix) |
|⛩️ **Bar** | [Waybar](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/waybar.nix) or [Noctalia Shell](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/optional/noctalia.nix) |
|✒️ **Editor** | [Emacs](https://github.com/Swarsel/.dotfiles/tree/main/files/emacs/init.el) |
|🖥️ **Terminal**| [Kitty](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/kitty.nix) |
|🚀 **Launcher**| [Fuzzel](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/fuzzel.nix) or [Noctalia Shell](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/optional/noctalia.nix) |
|🚨 **Alerts** | [Mako](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/mako.nix) or [Noctalia Shell](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/optional/noctalia.nix) |
|🌐 **Browser** | [Firefox](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/zsh.nix) |
|🎨 **Theme** | [City-Lights (managed by stylix)](https://github.com/Swarsel/.dotfiles/tree/main/modules/home/common/sharedsetup.nix) |
#+end_src
** Services
:PROPERTIES:
:CUSTOM_ID: h:191e82b6-6ae5-4ec8-ae6d-dc683ce325d9
:END:
This is a comprehensive list of the services/components ran by my server machines.
#+begin_src markdown :tangle no :noweb-ref services
| Topic | Program |
|------------------------------|----------------------------------------------------------------------------------------------------------------|
|📖 **Books** | [Kavita](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kavita.nix) |
|📼 **Videos** | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix) |
|🎵 **Music** | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) + [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) + [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix) |
|🗨️ **Messaging** | [Matrix](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/matrix.nix) |
|📁 **Filesharing** | [Nextcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix) |
|🎞️ **Photos** | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix) |
|📄 **Documents** | [Paperless](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/paperless.nix) |
|🔄 **File Sync** | [Syncthing](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/syncthing.nix) |
|💾 **Backups** | [Restic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/restic.nix) |
|👁️ **Monitoring** | [Grafana](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/monitoring.nix) |
|🍴 **RSS** | [FreshRss](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/freshrss.nix) |
|🌳 **Git** | [Forgejo](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/forgejo.nix) |
|⚓ **Anki Sync** | [Anki Sync Server](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/ankisync.nix) |
|🪪 **SSO** | [Kanidm](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kanidm.nix) + [oauth2-proxy](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/oauth2-proxy.nix) |
|💸 **Finance** | [Firefly-III](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/firefly-iii.nix) |
|🃏 **Collections** | [Koillection](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/koillection.nix) |
|🗃️ **Shell History** | [Atuin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/atuin.nix) |
|📅 **CalDav/CardDav** | [Radicale](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/radicale.nix) |
|↔️ **P2P Filesharing** | [Croc](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/croc.nix) |
|✂️ **Paste Tool** | [Microbin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/microbin.nix) |
|📸 **Image Sharing** | [Slink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/slink.nix) |
|🔗 **Link Shortener** | [Shlink](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/shlink.nix) |
|⛏️ **Minecraft** | [Minecraft](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/minecraft.nix) |
|☁️ **S3** | [Garage](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/garage.nix) |
|🕸️ **Nix Binary Cache** | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/attic.nix) |
|🐙 **Nix Build farm** | [Hydra](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/hydra.nix) |
|🔑 **Cert-based SSH** | [OPKSSH](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/opkssh.nix) |
|🔨 **Home Asset Management**| [Homebox](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/homebox.nix) |
|👀 **DNS Records** | [NSD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nsd.nix) |
|✉️ **Mail** | [simple-nixos-mailserver](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mailserver.nix) |
|🚇 **VPN Access** | [Firezone](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/firezone.nix) |
|🛡️ **Local DNS Resolver** | [AdGuard Home](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/adguardhome.nix) |
|🛎️ **DHCP** | [Kea](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/kea.nix) |
#+end_src
* An introduction to nix
:PROPERTIES:
:CUSTOM_ID: h:10a6f80d-7e00-4db1-953a-811993c22cb0
:END:
This is where it gets interesting.
In this section, I want to give an overview over some important concepts needed when working in the nix ecosystem.
** Nix, NixOS, Nixpkgs, and Nix
:PROPERTIES:
:CUSTOM_ID: h:6d0a91d4-e478-45ae-82de-0997fa289e7a
:END:
First off, when talking about nix, we need to differentiate between several things:
- The [[#h:b2222c7c-0bd5-44f8-aa69-17869d6913c0][nix language]]
- The [[#h:f4fa6a46-e016-48f8-9ead-608b739c706a][nix package manager]]
- The linux distribution [[#h:d62af55c-a7f3-47ba-b2a5-78cc60b03aef][NixOS]]
- the =nix-community= input [[#h:f4e89635-e006-4c41-a545-d4b56c7ac293][nixpkgs]]
While these terms are all connected with each other, it is important to keep in mind that fundamentally those are separate entities. Let us briefly talk about each one:
*** nix language
:PROPERTIES:
:CUSTOM_ID: h:b2222c7c-0bd5-44f8-aa69-17869d6913c0
:END:
The base of all the other concepts named above is the =nix language=, a pure functional programming language that is declarative, dynamically typed, and evaluated lazily. That means:
- Functions are just values, that can be assigned to variables, passed as arguments to other functions, or returned by functions
- All variables are immutable (their values cannot change during computation)
- Values will only be computed when their result is needed
- There is no sequential order of operations; instead, operations get ordered they need to evaluate another expression that they depend on
- We do not need to specify a values type when declaring it
Now, I will give a brief overview over some important concepts of the nix language. This aims to only build the essential understanding needed for dealing with the configuration I am using (this should be sufficient to then understand most other configurations online). For deepening your knowledge, you might want to check out the [[https://nix.dev/reference/nix-manual.html][nix reference manual]].
**** Derivations and the nix store
:PROPERTIES:
:CUSTOM_ID: h:45135360-96d4-4348-b6fb-e8bc4685611e
:END:
The main purpose of the nix language is to build packages. These packages are built by functions that can be roughly described by something like this:
~f: { source, compiler, dependencies, etc. } -> package~
This function along with all its inputs we call a =derivation=. What is important to realize is that such a derivation can itself depend on other derivations, and the resulting package does not necessarily need to be a callable program (a more correct name for the function result is =outputs=). When we as nix users define a package, we will usually use a function called =pkgs.stdenv.mkDerivation= (ore one of its derived wrappers like =buildRustPackage=; for now, it is not important what these do exactly), which will run things like install phases and setup hooks for us. It is a wrapper around nix function ~derivation(name, system, builder, args=[],outputs=["out"])~, where =name= is the derivation name, =system= is the system architecture to build for, =builder= is the executable responsible for building the result, =args= are arbitrary arguments passed to =builder=, and =outputs=, which can be thought of a list of locations where we want to put different build artifacts that can be referenced separately when using the package. There are [[https://nix.dev/manual/nix/2.28/language/advanced-attributes][more attributes]], but these five are the most important and commonly used ones.
Building a package (in nix terms: "realising") from a derivation causes the package to be created in the =nix store=. This is a read-only filesystem that is usually located at =/nix/store=. When building a package, nix will place its content of each output at =/nix/store/---/=, where == is a unique identifier that changes whenever one of the inputs to the above function changes. That means that it is no problem to store different versions of the same file on one system, and each program can use the correct dependencies that it needs.
A key observation that follows from this is that packages are declarative and reproducible; when not changing the inputs, a derivation will always yield the same package with the same store path.
We call the set of derivations (and, recursively, the derivations that those depend on) that a derivation depends on its =closure=.
Usually when installing a package, we do not need all the outputs it provides: For example, the [[https://search.nixos.org/packages?channel=25.11&query=pcsclite][pcscliteWithPolkit package on nixpkgs]] that is used for configuring smart cards provides 5 outputs: =out=, =dev=, =doc=, =man=, and =lib=. By default, a NixOS system will install =out=, =man=, =info= and =doc= outputs (the latter three have respective =documentation..enable= NixOS options, where == would be either of =man=, =info=, or =doc=) as well as any outputs listed in =environment.extraOutputsToInstall= (by default an empty list). However, if we need to debug something, we might need the =dev= output of the package, which can then be installed by referencing =pcscliteWithPolkit.dev=.
Also, a note that may be useful when reading package source code (for example in =nixpkgs=); you will often come across =$out= and =$src=. The =$out= represents the root of that build output (=$src= are the build sources). You will often see that in build phases (it is there set as an environment variable). In other places, you will instead see =placeholder =, which will be replaced by the outputs future location in the nix store.
**** Types in the nix language
:PROPERTIES:
:CUSTOM_ID: h:7bbb4e50-f5e9-4496-a0cd-d8eb34aa2514
:END:
The nix language supports the following types and how they look in the wild:
- null: =null=
- bool: =true=
- strings: ="text"=
- strings can also be defined as =multiline strings=
- Those will look for the lowest level of indent shared over all lines and strip it:
#+begin_src bash :tangle no :exports both
swarsel-instantiate "
''
indent0
indent2
indent1
''
"
#+end_src
#+RESULTS:
: indent0\n indent2\n indent1\n
/(you can ignore the [[#h:95ebfd13-1f6b-427f-950d-e30c1ed6f9fa][swarsel-instantiate]]; it is just a wrapper around =nix-instantiate= that preloads nixpkgs. I will use this to show you the evaluation results of nix calls)/
- note that tab characters will /not/ be stripped:
#+begin_src bash :tangle no :exports both
swarsel-instantiate "
''
indentTab
indent1
indent2
''
"
#+end_src
#+RESULTS:
: \tindentTab\nindent1\n indent2\n
- an URI string can assume the type of string without need for quoting (e.g. you can write =http://about.org= instead of ="http://about.org"=)
- Strings can be interpolated by using =${expression}= (read on for an example)
- =expression= can be any valid nix expression that is compatible with the enclosing type (here: string)
- As in many languages, you have =\n=, =\r=, and =\t= available
- in normal strings, you can escape stuff using =\=
- the following characters need to be escaped in normal strings:
- Backslash: =\= (escape using =\\=)
- Double quote: ="= (using =\"=)
- Opening of nix expression: =${= (using =\${=)
- in multiline strings, you escape stuff using one or two apostrophes ='=
- the following characters need to be escaped in multline strings:
- Two apostrophes are escaped with a single apostrophe: =''= (escape with ='''=)
- All other things are escaped using =''=:
- Dollar sign: =$= (escape with =''$=)
- =\n=, =\r=, and =\t= (=''\n= and so on)
- =''\= is a catchall for all other escaping
- somewhat interestingly, double dollars =$$= (as used in Makefiles) never need to be escaped
- ints: 1
- floats: 1.1
- paths: =/home=
- a path can also be given as a relative path (e.g. =./.config=)
- attribute sets: ={ }=
- these hold name value pairs, e.g. ={ a = 3; }=
- a "chain" of attributes, separated by dots, is called an =attribute path=, e.g. =config.environment.systemPackages=
- in such a chain, all attributes but the last will be =attribute sets=
- =config.environment.systemPackages = ;= is equivalent to =config = { environment = { systemPackages = ; }; };=
- lists: [ ]
- these hold values, e.g. =[ { a = 3; b = 2; } ]=. In this example, the list holds a single value, that is, the attribute set ={ a = 3; b = 2; }=.
- functions: =arg: body=
- =arg= can be any of these data types, including functions
- when =arg= is an attribute set, some special things apply:
- default values can be specified using =arg ? defaultValue=, e.g. ={ name ? "Default", age }: "${name} is ${age} years old"= will yield ="X is 20 years old"= when called using the attribute set ={ name = "X"; age = "20"; }=. Otherwise it will yield "Default is 20 years old" when called using ={ age = "20"; }=. When not passing =age= in this example, it will throw an error (also not that we had to pass =age= as a string as the value is not cast to a string automatically. Alternatively, we could have passed =age = 20;= and updated the function body to ="${name} is ${builtins.toString age} years old"=. But that is just a sidenote)
Let's see this in action:
Calling with explicit values:
#+begin_src bash :tangle no :exports both
swarsel-instantiate 'let f = {name ? "Default", age }: "${name} is ${age} years old"; in f { name = "X"; age = "20"; }'
#+end_src
#+RESULTS:
: X is 20 years old
Calling by using a default value with =?=:
#+begin_src bash :tangle no :exports both
swarsel-instantiate 'let f = {name ? "Default", age }: "${name} is ${age} years old"; in f { age = "20"; }'
#+end_src
#+RESULTS:
: Default is 20 years old
Not passing =age= errors out:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
swarsel-instantiate 'let f = {name ? "Default", age }: "${name} is ${age} years old"; in f { }'
#+end_src
#+RESULTS:
#+begin_example
error:
… from call site
at «string»:1:104:
1| let lib = import ; in let f = {name ? "Default", age }: "${name} is ${age} years old"; in f { }
| ^
error: function 'f' called without required argument 'age'
at «string»:1:44:
1| let lib = import ; in let f = {name ? "Default", age }: "${name} is ${age} years old"; in f { }
| ^
#+end_example
- the evaluator will error out if it is called with an argument that is not explicitely mentioned in the function definition. Passing a superfluous =another= errors out:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
swarsel-instantiate 'let f = {name ? "Default", age }: "${name} is ${age} years old"; in f { age = "2"; another = "0"; }'
#+end_src
#+RESULTS:
#+begin_example
error:
… from call site
at «string»:1:104:
1| let lib = import ; in let f = {name ? "Default", age }: "${name} is ${age} years old"; in f { age = "2"; another = "0"; }
| ^
error: function 'f' called with unexpected argument 'another'
at «string»:1:44:
1| let lib = import ; in let f = {name ? "Default", age }: "${name} is ${age} years old"; in f { age = "2"; another = "0"; }
| ^
#+end_example
- this behaviour can be suppressed by adding an ellipsis =...= to the function arguments (={ name ? "Default", age, ... }:=). Adding this ellipsis =...= to the function definition, we can now pass =another=:
#+begin_src bash :tangle no :exports both
swarsel-instantiate 'let f = {name ? "Default", age, ... }: "${name} is ${age} years old"; in f { age = "2"; another = "0"; }'
#+end_src
#+RESULTS:
: Default is 2 years old
The latter is useful mainly in the NixOS module system, where a lot of things will be passed by default. More on that later.
Finally, we can make the values in =...= available by using =@= as in =extra @ { name, ... }: "${name} likes ${extra.object}"=:
#+begin_src bash :tangle no :exports both
swarsel-instantiate 'let f = extra @ { name, ... }: "${name} likes ${extra.object}"; in f { name = "Nyx"; object = "nix"; }'
#+end_src
#+RESULTS:
: Nyx likes nix
Note that it is equivalent to write ={} @ extra=:
#+begin_src bash :tangle no :exports both
swarsel-instantiate 'let f = { name, ... } @ extra: "${name} likes ${extra.object}"; in f { name = "Nyx"; object = "nix"; }'
#+end_src
#+RESULTS:
: Nyx likes nix
This looks cumberesome on first sight, but is for example useful when referencing flake inputs in the flake outputs, as it allows you to forego listing them all in the arguments (which can be a very long list!). More on that later.
**** Language features
:PROPERTIES:
:CUSTOM_ID: h:5b660aa4-6dbb-4ca7-a006-c97319ae6b7e
:END:
- The functions available to the nix language can be found in [[https://hydra.nixos.org/build/318491462/download/1/manual/language/builtins.html][the nix reference manual]]. Some explanations to common functions are provided in [[#h:ebe86cf4-fe65-464f-8f64-04b57870c5e9][Builtin functions]].
- Scopes are static in nix; scoped variables are not inherited by the context of the evaluation
- Variables can be created in an enclosing scope using =let in =. You actually saw me use this several times in the above function call. Note that "usually", you will not be able to declare arbitrary variables; this is because usually we will be working within [[#h:8067f8fc-92d7-46af-b1be-e8a337d7a953][The module system]] - in that scope, you either need to resort to the =let ... in= construct or you need to declare things as module options (more on that later). In general nix however, this would be no problem.
- another way to add an expression to the scope is using the =rec= keyword:
- this adds all attributes of the enclosing attribute
- the following will error out:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
swarsel-instantiate '
{
a = true;
b = a;
}
'
#+end_src
#+RESULTS:
: error: undefined variable 'a'
: at «string»:4:9:
: 3| a = true;
: 4| b = a;
: | ^
: 5| }
- however, =rec= makes =a= available to the scope (also remember that the order of expressions does /not/ matter):
#+begin_src bash :tangle no :exports both
swarsel-instantiate '
rec {
b = a;
a = true;
}
'
#+end_src
#+RESULTS:
: { a = true; b = true; }
- the last way to something to the scope is by using =with=:
- this adds the passed set to the lexical scope of the enclosing expression:
- the following will error out:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
swarsel-instantiate '
let
functions = {
print = v: v;
};
in
print "ok"
'
#+end_src
#+RESULTS:
: error: undefined variable 'print'
: at «string»:7:5:
: 6| in
: 7| print "ok"
: | ^
: 8|
- using =with= will make it work:
#+begin_src bash :tangle no :exports both
swarsel-instantiate '
let
functions = {
print = v: v;
};
in
with functions; print "ok"
'
#+end_src
#+RESULTS:
: ok
- generally, the values of the variable in the innermmost scope is given precedence in evaluation:
#+begin_src bash :tangle no :exports both
swarsel-instantiate '
let
scope = "outer";
in
let
scope = "inner";
in
scope
'
#+end_src
#+RESULTS:
: inner
- the same holds true for =with=:
#+begin_src bash :tangle no :exports both
swarsel-instantiate '
with { scope = "outer"; }; with { scope = "inner"; }; scope
'
#+end_src
#+RESULTS:
: inner
- you can copy variables from an outer scope by using =inherit () ;=
- This is syntactic sugar to achieve the same as = = .;=
- when not in a string, we can place parentheses around a nix expression to provide its return value to other expressions (remember the =builtins.toString (-1)= example from before. =-1= is indeed a nix expression.)
- you can write inline comments using =#= and multiline comments using =/* ... */=
- The following words are reserved keywords and cannot be used for variable names: =assert=, =else=, =if=, =in= =inherit=, =let=, =or=, =rec=, =then=, =with=
**** Operators
:PROPERTIES:
:CUSTOM_ID: h:f995d46f-ff07-4a5e-9164-ed7aef369c42
:END:
The following operators work as you know them from most other programming languages:
- Any operator involving numbers (=+=, =-=, =*=, =/=)
/Sidenote:/ When negating a number in actual nix code you will need to wrap it in parentheses nearly every time due to function evaluation:
#+begin_src bash :tangle no :exports both
swarsel-instantiate '
builtins.toString (-1)
'
#+end_src
#+RESULTS:
: -1
but:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
swarsel-instantiate '
builtins.toString -1
'
#+end_src
#+RESULTS:
#+begin_example
error:
… while calling the 'sub' builtin
at «string»:2:21:
1| let lib = import ; in
2| builtins.toString -1
| ^
3|
… while evaluating the first argument of the subtraction
error: expected an integer but found the built-in function 'toString': «primop toString»
#+end_example
- Logical operators (=!=, ====, =!==, =<=, =>=, =>==, =<==, =&&=, =||=)
- additionally, logical implications are available as =->= (defined as =!v1 || v2= a.k.a. =if v1 then v2 else true=)
The following operators are nix specific:
- Concatenations can be done between strings and paths (in any order) using =+=
- List Concatenations however use the =++= operator
- you can use the =?= operator on an attribue set to check whether it has an attribute:
#+begin_src bash :tangle no :exports both
swarsel-instantiate '
{ exists = true; } ? exists
'
swarsel-instantiate '
{ exists = true; } ? noExists
'
#+end_src
#+RESULTS:
| true |
| false |
- Attribute selection (on attribute sets) is done using =.=:
#+begin_src bash :tangle no :exports both
swarsel-instantiate '
{ v = 1; }.v
'
#+end_src
#+RESULTS:
: 1
- Updates to attribute sets are done using [[#h:b1fe7a9a-661b-4446-aefa-98373108f8fd][The '//' operator]]
**** Flakes
:PROPERTIES:
:CUSTOM_ID: h:b44026d5-bf7e-4ab3-a31b-68b72292e908
:END:
Next, we shall talk about some concepts regarding nix flakes.
What are flakes? The answer is surprisingly simple: Flakes can be thought of packages that contain nix expressions. They can include other flakes as inputs (acting as libraries if you want) and build on their functionality (in fact, this is exactly what happens when you are using [[#h:d62af55c-a7f3-47ba-b2a5-78cc60b03aef][NixOS]] with [[#h:f4e89635-e006-4c41-a545-d4b56c7ac293][nixpkgs]]). What exactly is provided by a flake is up to the owner entirely, although there are some "norms" that we will get to later.
A directory becomes a flake as soon as it contains a file called =flake.nix=, which contains an attribute set that has at least an attribute =outputs=, which must be a function returning an attribute set. Hence, the simplest possible flake is the following:
#+begin_src nix-ts :tangle no
{
outputs = _: { };
}
#+end_src
What is very nice about flakes is that each flake generates a corresponding =flake.lock= file the first time a nix command is called targetting it. This file exactly specifies at which revision every flake input should be pulled in. This makes flakes very nice for declaratively setting up development environments that can then be committed to a project; this enables collaborators to do [[#h:c22f65c4-4c0d-4aea-9b70-d34c295764f0][nix develop]] which will setup a reproducible environment, which is the same for every developer.
That was a very dry introduction. Now, what we are usually interested in when pulling in a flake is any of the following:
- modules to extend our configuration with
- packages that are not in =nixpkgs=
and, to a somewhat lesser degree:
- flake templates
- devshells
Where these things come from we will learn soon.
***** Why flakes
:PROPERTIES:
:CUSTOM_ID: h:96d28671-8b9d-4fbc-8620-1a7d5fcec480
:END:
Flakes are, as of writing, an experimental feature in nix, although their interface has been quite stable for a while now - in fact, stable enough that most bigger nix projects are exposing a flake nowadays. People like to (mistakenly) claim that it is because of flakes that we have version pinning in nix. In fact, people were doing this long before flakes were a thing using a construct that looks roughly like this:
#+begin_src nix-ts :tangle no
let
let pkgs = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/0b20bf89e0035b6d62ad58f9db8fdbc99c2b01e8.tar.gz") {};
in
pkgs.mkShell {
buildInputs = [ pkgs.cowsay ];
}
#+end_src
This approach simply imports a chunk of nix code that is fetched using =fetchTarball= - and the version is pinned by the git revision. However, imagine a bigger project; even if you were to import every input like this and pass the expressions to the modules that need them, updating the inputs manually would be a chore. And even though projects like [[https://github.com/nmattia/niv][niv]] and [[https://github.com/andir/npins][npins]] exist(/ed) to help with these problems, flakes provide a uniform interface and are reasonably easy to work with, and provide a lot more other stuff on the side.
That being said, some people decide to work without flakes. Depending on the reasoning, I think this is totally fair (as really for the code itself they dont automatically provide a lot of extra functionality that cannot be achieved with other tools). However, some people dismiss flakes for the only reason being "they are too complex" with really is not at all true (which is what I hope to prove to you soon!). A simple project devshell for example could very reasonably be built only from the =fetchTarball= construct I showed above.
****** Channels
:PROPERTIES:
:CUSTOM_ID: h:2cb443a5-9de2-4ae5-8a7e-d8e96748d599
:END:
Finally and for completeness sake, a historical note on nix channels.
Nix channels are one of the official mechanisms to provide package sources. They are managed manually through the cli. A channel would be given a name (like =nixpkgs=) which could then in nix code be referenced for example like:
#+begin_src nix-ts :tangle no
{ pkgs ? import {} }: ...
#+end_src
Really, this leaves it up to the caller to decide what =nixpkgs= really is, along with a few other considerations that I do not want to get into. This chapter is intentionally left short; I just want you to know how the pattern above (the ==) looks so that you know what you are working with if you encounter it in the wild.
Channels are not a great tool for reproducability and I would advise against using them if possible.
***** Flake arguments
:PROPERTIES:
:CUSTOM_ID: h:2dec2fcf-5923-4bae-9407-027dd9d917e1
:END:
Let us now talk about arguments that a flake (kind of) expects.
****** Inputs
:PROPERTIES:
:CUSTOM_ID: h:e965faf8-5782-4720-aa44-d20d700a339c
:END:
As we already learned, a flake must provide an attribute called =outputs= (whatever that might mean at this point!). However, unless we want to build everything that our flake provides from the ground up, we probably also want to pass some libraries or build tools to it. This is done using the attribute called =inputs=. An =inputs= definition might look something like this:
#+begin_src nix-ts :tangle no
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
hydra = {
url = "github:nixos/hydra/nix-2.30";
inputs.nix-eval-jobs.follows = "nix-eval-jobs";
};
nix-eval-jobs = {
url = "github:nix-community/nix-eval-jobs/v2.30.0";
flake = false;
};
toplevel.url = "./..";
};
}
#+end_src
This is a surprisingly real-world example from my [[#h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b][flake.nix]] that we can use so explain most of the important =inputs= options:
- the most important attribute is =url=. It describes where the source should be fetched from. As you can see from the =toplevel= input, you can put as an input a path on the local filesystem. Note that by default, it is expected that every input is itself a flake - meaning, a =flake.nix= exists there which will be loaded into our flake along with its dependencies. You can also see that we set this to =false= for the =nix-eval-jobs= input. This is usually done when the target project is simply not a flake. Nix will then load in the contents of the repository as a raw filetree.
However, if you go and check out [[https://github.com/nix-community/nix-eval-jobs][nix-eval-jobs]] you will see that this project /does/ have a =flake.nix=, and it is also very active; so what is going on here? In this particular case, this is done to avoid pulling in the dependencies that the =nix-eval-jobs= would bring along. Instead, the files provided by it must be then made to work using what is provided in the parent flake. This is not a common pattern, but something that is good to know.
Another interesting option is the =hydra.inputs.nix-eval-jobs.follows=. Let us first talk about the general interface ==: This structure allows to customize options for the *dependency* of a flake input. For example, we could have customized the source of the =nix-eval-jobs= dependency of =hydra= had we written =hydra.inputs.nix-eval-jobs.url = ...=. The =follows= option takes a similar approach by setting an input dependency to the same version as some other input of the parent flake (in our case, it is pinned to the =nix-eval-jobs= v2.30.0 version).
When we are done defining our flake inputs, we can then decide what our flake shoud actually do.
****** Outputs
:PROPERTIES:
:CUSTOM_ID: h:66a04339-dbc7-4d98-a763-5a9be9185f9b
:END:
As we already learned earlier, =outputs= is a function returning an attribute set. In fact, it is usually a function that takes as an argument an attribute set containing our inputs, looking roughly like this:
#+begin_src nix-ts :tangle no
{
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
outputs = inputs @ { self, nixpkgs, ... }:
let
inherit (self) outputs;
in
{
nixosConfigurations = {
main = nixpkgs.lib.nixosSystem {
modules = [ "${self}/configuration.nix" ];
specialArgs = {
inherit inputs outputs;
};
};
};
};
}
#+end_src
With what we learned so far, you are already able to understand most of what is going on here:
- outputs is a function that expects =self= and =nixpkgs= but /tolerates/ other attributes in the set, and the attribute set =inputs= can be referenced.
- an attribute =outputs= is inherited from the outer scope =self=, meaning =outputs = self.outputs;= (what =self= is and why we can reference the =outputs= in the same place where we are defining them I will explain shortly)
- the resulting attribute set holds an attribute called =nixosConfigurations= that holds an attribute called =main=, which is set by calling a function that we now do not want to get into too much.
You might (rightfully!) wonder where the =self= argument comes from. It is actually not a flake input. Instead, =self= is a special flake construct that refers to the root of the current flake, meaning all flake attributes can be accessed using =self.=. Moreover, when using =self= as a path, it refers to the path os the current flake in the nix store. This can be used to reference files within the repository without needing relative paths (this is exactly what happenss in =self.outputs.nixosConfigurations.main.modules=: it loads in =configuration.nix=, which resides in the same directory as the =flake.nix=. We could have also written =./configuration.nix= here instead).
Another question might be what happens when we load in =self.outputs= while defining outputs. Normally that should not work? Remember that nix is a lazy language. When =outputs= is first created in the =let ... in= block, its value will be something along the lines of =outputs = ;=. That means, not all values are loaded upon instanciation, but only whenever they are needed. And if a value is needed, nix will then move on to compute that value.
Of course that does mean that we need to be careful to not introduce circular chains of dependency. Doing that would result in what is called an =infinite recursion error=, a type of error that can be very hard to wrap one's head around. Luckily, when writing a simple config, you are not very likely to encounter it in a shape that is not rather easily solved.
Like we saw here with =nixosConfigurations= and some other outputs that we heard about earlier, there are some "standard" outputs that nix recognizes and is able to apply some defaults on. Let us quickly go over them:
****** Standard flake outputs
:PROPERTIES:
:CUSTOM_ID: h:680b38c1-14de-4892-8840-2c82accd6827
:END:
I will now list output names and explain what they to; some outputs are what I call "system-scoped". That means they have toplevel attribute in the name of system architectures, e.g. =x86_64-linux=. I will mention when an output is system-scoped. This list is roughly ordered by importance to a NixOS beginner:
- =nixosConfigurations=: A set of NixOS host configurations
- =devShells=: *system-scoped*. A set of devshells that can be used by calling [[#h:c22f65c4-4c0d-4aea-9b70-d34c295764f0][nix develop]]. Defaults to the devshell called =default=.
- =nixosModules=: A set of nixos [[#h:de7bc464-e04f-45d4-9d29-e46592535419][Modules]]. By default, when consuming one of these modules but not specifying which one, the overlay =default= will be chosen.
- =overlays=: A set of nixpkgs [[#h:7a059bd9-13f8-4005-b270-b41eeb6a4af2][Overlays]]. By default, when consuming one of these overlays but not specifying which one, the overlay =default= will be chosen.
- =checks=: *system-scoped*. Flake checks to perform when calling [[#h:b07b1776-75cd-4a40-9e71-fb00eab65c6f][nix flake check]]
- =formatter=: *system-scoped*. Formatting package/config to use when calling [[#h:cf6cc5fa-cbaa-415a-b1d8-c6c5b7016700][nix fmt]]
- =packages=: *system-scoped*. Packages that can be directly built using [[#h:fa377c74-36e5-4aea-bc39-4d3def4b67d1][nix build]]
- =apps=: *system-scoped*. Packages that can be directly run using [[#h:9f55f619-892e-488c-936f-43962f90cde8][nix run]]
- =templates=: A set of templates that can be initialized using =nix flake init -t =. By default, the =default= template will be chosen.
- =legacyPackages=: *system-scoped*. An alternative to =packages= that does not provide guarantees on the structure within. An attribute here might be a package, but it could also be a package set in need of further evaluation. This is used for example in =nix flake show nixpkgs= because the number of packages in =packages= takes *very* long to evaluate. Whenever nix encounters a =legacyPackages= however, it simply displays "omitted" instead of evaluating everything within. In a way you could say =legacyPackages= contains an attribute that is closer to what the structure used by the [[#h:2cb443a5-9de2-4ae5-8a7e-d8e96748d599][Channels]] construct yields.
- =hydraJobs=: An arbitrarily deeply nested attribute set of derivations that defines jobs that should run on a hydra build farm
- =bundlers=: A set of bundlers (a bundler packages app for usage outside of the nix store). Will choose the =default= bundler by default
The following are also recognized by nix, but are deprecated:
- =devShell=: *system-scoped, deprecated*. A single devshell that can be used by calling [[#h:c22f65c4-4c0d-4aea-9b70-d34c295764f0][nix develop]].
- =overlay=: *deprecated*. A single overlay.
- =nixosModule=: *deprecated*. A single nixos module.
- =defaultApp=: *system-scoped, deprecated*. The app that this flake should default to. Instead, you can also define =apps..default=.
- =defaultPackage=: *system-scoped, deprecated*. The package that this flake should default to. Instead, you can also define =packages..default=.
- =defaultTemplates=: *deprecated*. The template that this flake should default to. Instead, you can also define =templates.default=.
- =defaultBundler=: *deprecated*. The bundler that this flake should default to. Instead, you can also define =bundlers.default=.
- =bundler=: *deprecated*. A single bundler.
Again, you can also define other outputs (for example, a widely used output that is not recognized by nix is =homeModules=, used in, you guessed it, modules for home-manager). [[#h:b07b1776-75cd-4a40-9e71-fb00eab65c6f][nix flake check]] will simply emit a warning when it encounters such an output, but there are no other side-effects. Also, keep in mind that flake outputs are things that your flake /exposes/ to others. That means, unless you have written NixOS modules that you want to share with the world, you probably do not need a =nixosModules= output in your flake.
***** References
:PROPERTIES:
:CUSTOM_ID: h:410e74cc-6fea-43cc-9d4a-3c88d6437760
:END:
When interacting with flakes on the CLI, you will always do it in the same style:
~#>~
The flake reference can be an absolute or relative path, but also a URI. It can also be an identifier in the [[#h:e6aeff2e-de6c-411c-ae24-77c2928e8e4f][Registries]]. This means that all of the following are valid (the output to stderr is needed because my flake loads some nix values per default that get printed to the command line on stderr, which org-babel does not capture. This makes the evaluator sad):
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix run nixpkgs#cowsay -- hello 2>/dev/null
nix run github:nixos/nixpkgs#cowsay -- hello 2>/dev/null
nix run .#pkgs.x86_64-linux.cowsay -- hello 2>/dev/null
nix run /home/swarsel/.dotfiles#pkgs.x86_64-linux.cowsay -- hello 2>/dev/null
#+end_src
#+RESULTS:
#+begin_example
_______
< hello >
-------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
_______
< hello >
-------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
_______
< hello >
-------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
_______
< hello >
-------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
#+end_example
However:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix shell n#cowsay^man --command hello
#+end_src
#+RESULTS:
: error: unable to execute 'hello': No such file or directory
This happens because the =man= output of =cowsay= does not provide the package itself, but only its manpage. =nix run= reads your mind a little more in that case and makes it available anyways (this is because the =apps= output is tailored towards running programs):
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix run nixpkgs#cowsay^man -- hello
#+end_src
#+RESULTS:
: _______
: < hello >
: -------
: \ ^__^
: \ (oo)\_______
: (__)\ )\/\
: ||----w |
: || ||
***** Registries
:PROPERTIES:
:CUSTOM_ID: h:e6aeff2e-de6c-411c-ae24-77c2928e8e4f
:END:
All you really need to know about flake registries is that they provide a shorthand to access flake [[#h:410e74cc-6fea-43cc-9d4a-3c88d6437760][References]] easily. By default, the =nixpkgs= identifier is provided when installing nix with flakes. Additional registries can however be configured (I do this in [[#h:24c9146f-2147-4fd5-bafc-d5853e15cf12][General NixOS settings (nix config, stateVersion)]]). For example, I have configured a =n= identifier that simply mirriors the =nixpkgs= identifier, which allows me to save on some typing with most nix commands:
#+begin_src bash :tangle no :exports both :results output :eval never-export
nix run n#cowsay -- hello
#+end_src
#+RESULTS:
: _______
: < hello >
: -------
: \ ^__^
: \ (oo)\_______
: (__)\ )\/\
: ||----w |
: || ||
**** Essential commands
:PROPERTIES:
:CUSTOM_ID: h:b06ed01d-9ed1-438c-8643-8850218a4350
:END:
Finally, here are some of the most essential nix commands. Note that there is a "legacy CLI" as well as a "new CLI", the latter of which is enabled by setting ==--experimental-features 'nix-command'== or enabling =nix.settings.experimental-features = [ "nix-command" ];=. I will only talk about the new CLI, which is meant to deprecate the legacy one. Also, these explanations assume that we are interacting with them in =flakes= (which also need to be separately enabled by appending =flakes= to the two snippets given above).
***** nix shell
:PROPERTIES:
:CUSTOM_ID: h:403a8ebd-f094-4795-aca3-60de62c77ef9
:END:
This is a very important command. It spawns a subshell in which the commands specified are available. You can pass multiple arguments:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix shell nixpkgs#cowsay n#bonsai 2>/dev/null
#+end_src
#+RESULTS:
***** nix build
:PROPERTIES:
:CUSTOM_ID: h:fa377c74-36e5-4aea-bc39-4d3def4b67d1
:END:
This is the essential command to trigger a nix build of stuff. Anything that is a =derivation= can be built. Typically, these are the =packages= and =legacyPackages= outputs of a flake; for these outputs, the full path does not need to be specified. For example, to build the very simple [[#h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1][t2ts]] tool from this flake:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix build .#ts2t 2>/dev/null && echo success
#+end_src
#+RESULTS:
: success
However, you can also specify the full path
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix build .#packages.x86_64-linux.ts2t 2>/dev/null && echo success
#+end_src
#+RESULTS:
: success
What is often useful is to build a =nixosConfiguration= using =nix build= prior to applying it. E.g. this can be done using the [[#h:a320569e-7bf0-4552-9039-b2a8e0939a12][Bakery (Lenovo ThinkPad)]] host:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix build .#nixosConfigurations.bakery.config.system.build.toplevel 2>/dev/null && echo success
#+end_src
#+RESULTS:
: success
***** nix run
:PROPERTIES:
:CUSTOM_ID: h:9f55f619-892e-488c-936f-43962f90cde8
:END:
This is the command that allows you to run a command directly. These apps are per default defined under the =apps= output, and that again allows to run them directly instead of specifying the full path. For example to run the [[#h:74db57ae-0bb9-4257-84be-eddbc85130dd][swarsel-bootstrap]] tool that I expore under [[#h:52e1fae8-0e8c-4be6-a6ce-758ada652dd3][Apps]]:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix run s#swarsel-bootstrap -- --help 2>/dev/null
#+end_src
#+RESULTS:
#+begin_example
Remotely installs SwarselSystem on a target machine including secret deployment.
USAGE: /nix/store/mwa8qhmhzfx1jrjw3kzynfhf7ynh2mgm-swarsel-bootstrap/bin/swarsel-bootstrap -n -d [OPTIONS]
ARGS:
-n specify target_hostname of the target host to deploy the nixos config on.
-d specify ip or url to the target host.
-a specify the architecture of the target host.
target during install process.
OPTIONS:
-u specify target_user with sudo access. nix-config will be cloned to their home.
Default='swarsel'.
--port specify the ssh port to use for remote access. Default=22.
--debug Enable debug mode.
--no-disko-deps Upload only disk script and not dependencies (for use on low ram).
-h | --help Print this help.
#+end_example
***** nix develop
:PROPERTIES:
:CUSTOM_ID: h:c22f65c4-4c0d-4aea-9b70-d34c295764f0
:END:
This command spins up a development shell in the current directory, provided that the passed nix expression exposes a =devshell=:
If the current directory has such a =flake.nix=, you can simply do
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix develop 2>/dev/null
#+end_src
#+RESULTS:
Otherwise you can pass the path (or any flake reference); again, per default the =default= devshell will be loaded. If you need another one, use the syntax we discussed above. For example, here is how to use a path in the nix store, loading the =deploy= devshell:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix develop swarsel#deploy 2>&1
#+end_src
#+RESULTS:
***** nix eval
:PROPERTIES:
:CUSTOM_ID: h:2786825a-5a6d-4b04-9bdf-6b69a6916ad8
:END:
This command evaluates the nix expression given to it:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix eval .#nixosConfigurations.pyramid.config.networking.hostName 2>/dev/null
#+end_src
#+RESULTS:
: "pyramid"
***** nix repl
:PROPERTIES:
:CUSTOM_ID: h:e525f73a-8920-4628-8bd7-cdcc3c425346
:END:
This starts the nix REPL ("Read Evaluate Print Loop"), an interactive environment for evaluating nix expressions for the given environment. Usually you will want to start this pointing to your flake like:
#+begin_src bash :tangle no :exports both :results output :eval never-export
nix repl . 2>/dev/null
#+end_src
#+RESULTS:
: Nix 2.30.3
: Type :? for help.
: Using saved setting for 'extra-substituters = https://nix-community.cachix.org' from ~/.local/share/nix/trusted-settings.json.
: Using saved setting for 'extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=' from ~/.local/share/nix/trusted-settings.json.
: Loading installable 'git+file:///home/swarsel/.dotfiles#'...
: Added 25 variables.
: apps, checks, darwinConfigurations, darwinConfigurationsMinimal, devShells, diskoConfigurations, formatter, globals, guestConfigurations, homeConfigurations, homeLib, homeModules, legacyPackages, lib, nixOnDroidConfigurations, nixosConfigurations, nixosConfigurationsMinimal, nixosModules, nodes, overlays
: ... and 5 more; view with :ll
:
In there you get tab completion and have all functions available that you can use in your flake. This is my preferred command to get insight into what is happening in my config if some error is not obvious.
***** nix fmt
:PROPERTIES:
:CUSTOM_ID: h:cf6cc5fa-cbaa-415a-b1d8-c6c5b7016700
:END:
This uses the formatter that is defined in the passed flakes =formatter= output and formats the repository accordingly.
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix fmt 2>&1
#+end_src
#+RESULTS:
: Using saved setting for 'extra-substituters = https://nix-community.cachix.org' from ~/.local/share/nix/trusted-settings.json.
: Using saved setting for 'extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=' from ~/.local/share/nix/trusted-settings.json.
: traversed 582 files
: emitted 387 files for processing
: formatted 0 files (0 changed) in 24ms
***** nix hash
:PROPERTIES:
:CUSTOM_ID: h:092fe295-4211-4b19-a071-53b5f3061a9b
:END:
This command allows us to convert between different hasn algorithms that are used by nix. The interesting command for us is =nix hash convert=, which is used like
#+begin_src bash :tangle no :exports both :results output
nix hash convert --from base16 --hash-algo sha1 --to nix32 bb0d59cfdddd37f62fee1e214be3467acffe58df
#+end_src
#+RESULTS:
: vxcgxkvs8viln88yxqpzcdyxvp7mj3dv
The supported formats for =--from= are: =base16=, =nix32=, =base64=, and =sri=. Per default, nix will try to choose the correct format from the input.
The supported formats for =--to= are: =base16=, =nix32=, =base64=, and =sri=. The default is =sri=.
The supported hashing algorithms for =--hash-algo= are: =blake3=, =md5=, =sha1=, =sha256=, and =sha512=. For SRI hashes, this can be omitted.
***** nix flake
:PROPERTIES:
:CUSTOM_ID: h:17a08338-74c8-477e-ad8a-866267eef0c8
:END:
This is the main command that we use to interact with our flake. It has several subcommand, but only a few really interest us:
****** nix flake update
:PROPERTIES:
:CUSTOM_ID: h:10205ee6-475b-4785-9d3a-cefd5a4595c0
:END:
This updates your flake inputs. That means, it will fetch the latest revisions from the =inputs.= source that we discussed in [[#h:2dec2fcf-5923-4bae-9407-027dd9d917e1][Flake arguments]]. By default, all flake inputs will be updates:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix flake update
#+end_src
#+RESULTS:
It is also possible to only update specific inputs:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix flake update home-manager
#+end_src
#+RESULTS:
To lock an input from ever updating, a nice trick is to pin it to a specific revision in the inputs' source url like I do in [[#h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b][flake.nix skeleton (inputs)]] for the =nixpkgs-kernel= input.
****** nix flake check
:PROPERTIES:
:CUSTOM_ID: h:b07b1776-75cd-4a40-9e71-fb00eab65c6f
:END:
This evaluates the entire flake and runs its tests, if there are any.
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix flake check
#+end_src
#+RESULTS:
****** nix flake show
:PROPERTIES:
:CUSTOM_ID: h:54e532ec-0056-4cd1-b257-aac17ccd944b
:END:
This lists all outputs of the passed flake. The default is the flake in the current directory. This can be useful to check whether outputs are configured correctly or which templates are exposed by a flake.
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix flake show . 2>/dev/null
#+end_src
#+RESULTS:
****** nix flake init
:PROPERTIES:
:CUSTOM_ID: h:a084fd59-fba1-4661-9807-cd0e06c21f2b
:END:
This initializes a new flake. Per default it chooses the simple flake that you might have seen before if you ever tried this command. After you already have your own config flake, this command is mainly useful to create a project flake from a template. If you have a flake that exposes =templates= as outputs, you can list them as showen in [[#h:54e532ec-0056-4cd1-b257-aac17ccd944b][nix flake show]] and then initialize the flake using:
#+begin_src bash :tangle no :exports both :results discard :eval never-export
nix flake init -t .#
#+end_src
Keep in mind that you are free in choosing the flake reference.
*** nix package manager
:PROPERTIES:
:CUSTOM_ID: h:f4fa6a46-e016-48f8-9ead-608b739c706a
:END:
In contrast to the [[#h:b2222c7c-0bd5-44f8-aa69-17869d6913c0][nix language]], there really is not much important stuff that you need to know about the nix package manager. Just keep in mind that the nix package manager is the tool that the [[#h:b2222c7c-0bd5-44f8-aa69-17869d6913c0][nix language]] was invented for in the first place. It aims to escape the dependancy problems that conventional package managers bring by the mechanisms that we learned about earlier.
In practice, you should never need to install a package with the nix package manager imperatively. For things you only need once you can resort to [[#h:403a8ebd-f094-4795-aca3-60de62c77ef9][nix shell]] or [[#h:9f55f619-892e-488c-936f-43962f90cde8][nix run]] or even [[https://github.com/nix-community/comma][comma]]. Otherwise you should probably make it available in your config or in a devshell.
*** nixpkgs
:PROPERTIES:
:CUSTOM_ID: h:f4e89635-e006-4c41-a545-d4b56c7ac293
:END:
Nixpkgs is the name of the community project that provides loads of packages for different architectures and is the main building block that [[#h:d62af55c-a7f3-47ba-b2a5-78cc60b03aef][NixOS]] builds upon.
The main way that we as users interact with nixpkgs (unless we contribute to it) is that we add it as one of the [[#h:e965faf8-5782-4720-aa44-d20d700a339c][Inputs]] of our flake. That will provide the majority of packages and modules that we will need to build our system. However, there are a few things that deserves a special mention:
**** Configuring nixpkgs
:PROPERTIES:
:CUSTOM_ID: h:8c8e9bd2-c00e-44f6-a142-78756341494c
:END:
The main way of configuring nixpkgs is the =nixpkgs.config= option. There we can configure what packages we want to use. Some flags that we might want to set are:
- ~{ allowUnfree = true; }=~ to allow packages with an unfree license to be built
- ~{ permittedInsecurePackages = [ ]; }~ to selectively allow packages that are marked as insecure to be built
- ~{ cudaSupport = true; }=~ to build packages with CUDRA support by default
- ~{ rocmSupport = true; }=~ to build packages with ROCm support by default
**** Overrides
:PROPERTIES:
:CUSTOM_ID: h:3bc8d573-b38c-493f-9545-5f239bcc6294
:END:
A simple way to modify packages that are already in nixpkgs is the use of overrides. Two main override methods exist:
- =override= for overriding the arguments passed to a function
- =overrideAttrs= for overriding the attribute set passed to =stdenv.mkDervivation=
=overrideAttrs= is used as follows:
#+begin_src nix-ts :tangle no
pkgs..overrideAttrs (finalAttrs: previousAttrs: { pname = previousAttrs.pname + "-new"; })
#+end_src
in the wild, this can be used for example directly when installing packages:
#+begin_src nix-ts :tangle no
{ pkgs, ... }: {
environment.systemPackages = [
(pkgs.hello.overrideAttrs (finalAttrs: previousAttrs: { pname = previousAttrs.pname + "-new"; }))
];
}
#+end_src
For an explanation to =override= and the =overrideAttrs= parameters, read on.
**** Overlays
:PROPERTIES:
:CUSTOM_ID: h:14be98e8-94ca-4ecb-995e-8e7131a8eb32
:END:
Other than that, we can also extend nixpkgs with packages that it does not normally ship with; this is done using a concept called =overlays=. An overlay is defined as such
#+begin_src nix-ts :tangle no
final: prev: { newVesktop = prev.vesktop.override { withSystemVencord = true; }; }
#+end_src
This overlay will add a =newVesktop= package with a vesktop package that has the =withSystemVencord= flag set to true to nixpkgs when applied (this is due to =override= overriding the arguments of the =vesktop package=; such flags can be found by checking out the source of the package. To find that source. you can use the [[https://search.nixos.org/packages?query=][nix package search]] to search for a package, and then click the "source" button, which for the vesktop example yields [[https://github.com/NixOS/nixpkgs/blob/2e21f6c5797fcccfc1e8eced873aea8401a71135/pkgs/by-name/ve/vesktop/package.nix][this GitHub page]]. There you will also see that =withSystemVencord= defaults to =false=.). In this case of course, this has the same effect as simply using an override, so this is better used for adding new packages.
When installing =newVesktop afterwards=, we will get a =vekstop= that will have system vencord enabled. Overlays can also be added by referencing a [[#h:66a04339-dbc7-4d98-a763-5a9be9185f9b][flake overlay output]]. Here is an example of how to use both of these methods in practise:
#+begin_src nix-ts :tangle no
{ outputs, inputs, ... }:
{
nixpkgs.overlays = [
outputs.overlays.this
inputs.someExternalFlake.overlays.default
(final: prev: { vesktop = prev.vesktop.override { withSystemVencord = true; }; })
];
}
#+end_src
This will add the previous =vesktop= override as well as the =this= overlay from our flake (keep in mind that =outputs= refers to the outputs that our flake exposes) and the default overlay from a flake input called =someExternalFlake=.
Also keep the parentheses around the inline overlay in mind; we need to pass whole elements to the list, so we use parentheses to evaluate a nix expression. This is the standard equivalent to the =${}= approach that we took with strings, as you remember.
*** NixOS
:PROPERTIES:
:CUSTOM_ID: h:d62af55c-a7f3-47ba-b2a5-78cc60b03aef
:END:
NixOS is the name of the linux distribution that relies on the [[#h:f4fa6a46-e016-48f8-9ead-608b739c706a][nix package manager]]. NixOS also relies heavily on [[#h:f4e89635-e006-4c41-a545-d4b56c7ac293][nixpkgs]] to provide packages, library functions, and modules. The one part this really important to understand here is the module system.
**** The module system
:PROPERTIES:
:CUSTOM_ID: h:8067f8fc-92d7-46af-b1be-e8a337d7a953
:END:
The module system can be thought of a nix library acts as an extension to nix in NixOS. It much enhances the ways in which we can set values within "the configuration" - for example, it becomes possible to set something like =environment.systemPackages= in two files, and both set values will be merged. Also, to these so-called "options" we can easily add type checking.
***** Modules
:PROPERTIES:
:CUSTOM_ID: h:de7bc464-e04f-45d4-9d29-e46592535419
:END:
This provides a broad overview over [[https://github.com/NixOS/nixpkgs/blob/5c7a370a208d93d458193fc05ed84ced0ba7f387/lib/modules.nix][the module system]].
On a very high level, a module is just a function returning an attribute set. Hence the simplest possible module should be:
#+begin_src nix-ts :tangle no
_: { }
#+end_src
Actually, because of syntactic sugar, the module arguments can be omitted if they are not accessed at all, so the simplest simplest module is actually:
#+begin_src nix-ts :tangle no
{ }
#+end_src
but that is just a note for completeness sake.
In the module systems, the above attribute sets supports three main options:
- =imports=, which allows for importing further files
- =options=, for declaring Nixoptions that should be added to the module system
- =config=, for setting said options.
****** imports
:PROPERTIES:
:CUSTOM_ID: h:2982102b-1cf7-4be5-b267-348f19ef60bd
:END:
=imports= is a simple list that takes paths to other nix files and adds them to be evaluated by the module system:
#+begin_src nix-ts :tangle no
_:
{
imports = [
./configuration.nix
./extras
]
}
#+end_src
The module system will pass an attribute as an argument to this function. When a module requires *no* args from the outer scope. As soon as you pass any argument however, you also need to pass the ellipsis =...= to the attribute set. This is because the module systems always adds the following arguments to each module contained within:
- =lib= for library functions
- =pkgs= the set of packages of the systems architecture
- =options=, the option declarations. Note that you only need to import this if you need the access the option declarations themselves. You will not need this for declaring options in a moduls - i.e. you will only need to add this *very* rarely
- =config=, the option definitions - you need this whenever you want to access configuration parts that has been defined somewhere
- the set of values passed to =specialArgs= in the call to =nixpkgs.lib.nixosSystem=. To that, everything should be added that is needed to be evaluated when resolving the model structure (e.g. imports)
- =specialArgs= includes =modulesPath=, which can be used to import =nixpkgs= modules without knowing their location in the nix store
- this happens by default in =hardware-configuration.nix=:
#+begin_src nix-ts :tangle no
{ modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
};
#+end_src
Remember now what we said above: here we now need to pass the ellipsis =...=, only ={ modulesPath }= would error out because of the other passed arguments. =_= works because that accepts /any/ value.
- any values set under =_module.args= (sometimes you might see =extraArgs=; that has been deprecated in favor of =_module.args=)
If a directory is passed to =imports=, nix will look for a file called =default.nix= in the passed directory.
****** options
:PROPERTIES:
:CUSTOM_ID: h:311fd85d-1d89-4b04-818a-139210f1c518
:END:
Options are *declared* (not defined) using =lib.mkOption= (or one of its derivatives, like =lib.mkEnableOption=, which creates a boolean option defaulting to =false=)
#+begin_src nix-ts :tangle no
{ lib, ... }:
{
options.myBool = lib.mkOption {
type = lib.types.bool;
default = true;
description = "An example of a boolean option definition.";
};
}
#+end_src
****** config
:PROPERTIES:
:CUSTOM_ID: h:e868b977-c258-4a4d-9995-1d6193827bff
:END:
=config= is what we use to actually set the values for which we declared options somewhere. Note that an option does not need to be declared in the same file where it is set (in fact, option declarations need to be unique across the entire module system). We call the process of setting a value under =config.= an *option definition*.
We can extend our module from [[#h:311fd85d-1d89-4b04-818a-139210f1c518][options]]:
#+begin_src nix-ts :tangle no
{ lib, ... }:
{
options.myBool = lib.mkOption {
type = lib.types.bool;
default = true;
description = "An example of a boolean option definition.";
};
config.myBool = false;
}
#+end_src
This will define =config.myBool= to be =false=, which can now be referenced in another file under =config.myBool=.
If a file does not use either =imports= or =options= but only =config=, you can omit the =config= attribute:
#+begin_src nix-ts :tangle no
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.cowsay ];
}
#+end_src
If we would however declare options in the same file, we would need to write:
#+begin_src nix-ts :tangle no
{ lib, pkgs, ... }:
{
options.myDo = lib.mkEnableOption "do it"; # this expects a string that will be prepended by "whether to" and appended a dot
config.environment.systemPackages = [ pkgs.cowsay ];
}
#+end_src
* flake.nix
:PROPERTIES:
:CUSTOM_ID: h:c7588c0d-2528-485d-b2df-04d6336428d7
:END:
Handling the flake.nix file used to be a bit of a chore, since it felt like writing so much boilerplate code just to define new systems. For a while, I used noweb-ref in order to alleviate this problem (see [[#h:dae0c5bb-edb7-4fe4-ae31-9f8f064cc53c][Appendix A: Noweb-Ref blocks]], an example of the repository at that time would be =acc0ad6: Add several NixOS hosts on Proxmox and Oracle Cloud=.). However, the true answer laid in making use of builtin nix functionality.
Nowadays, I use flake-parts to manage my flake. It allows me to conveniently split the actual flake into multiple files ("parts") using the following mechanism:
- =imports= are files pulled in to build the flake configuration (similar to the imports in the module system)
- =systems= defines the architectures that the flake should be provided for - I go here for the four "main" architectures, although true support is only provided for linux systems (see [[#h:6ed1a641-dba8-4e85-a62e-be93264df57a][Packages (pkgs)]] for the main reason)
** flake.nix skeleton (inputs)
:PROPERTIES:
:CUSTOM_ID: h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b
:END:
In general, a nix flake consists of one or more inputs and several outputs. The inputs are used to define where nix should be looking for packages, modules, and more (the most common input is =nixpkgs=, which provides a lot of packages, library functions and modules). The outputs generate expressions that can be used in .nix files as well as system configurations using these files.
In the start, I enable some public cache repositories. This saves some time during rebuilds because it avoids building as many packages from scratch - this is mainly important for community flakes like =emacs-overlay=, which basically would trigger a rebuild whenever updating the flake. The repository does of course not hold everything, but it lightens the pain. It would look cleaner if this were to be used only inside a nix configuration block of an actual system, but I want these caches to be used for e.g. app calls as well.
In many flakes, you see a structure like this: =outputs = inputs@ [...]=, the =inputs@= makes it so that all inputs are automatically passed to the outputs and can be called as =inputs.=, whereas explicit arguments may just be called by using == (for a more detailed explanation, s). For most flakes this is fully sufficient, as they do not need to be called often and it saves me maintainance effort with this file. In fact, I also used to make use of this mechanism. However, using flake-parts, all I really need for the outputs function is inputs, which is why my outputs = inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } { [...] ). Note that flake-parts must inherit these inputs and no other arguments are expected.
In this section I am creating some attributes that define general concepts of my configuration:
- =nixosModules= imports self-defined options that I only want to use on NixOS systems. All modules are held as separately as possible, to allow for easier sharing with other people mostly.
- =homeModules= imports modules that are to be used on NixOS and non-NixOS systems. These are mostly used to define outputs (monitors), keyboards and special commands for machines.
- =packages= holds packages that I am building myself. These are mostly shell scripts, but also a few others such as AppImages and firefox addons.
- =devShells= provides a development shell that can be used as a bootstrap for new installs using =nix develop= while inside the flake directory. It received an overhaul in =0a6cf0e feat: add checks to devShell=, since when it is handled using =forAllSystems= and now including pre-commit-hook checks.
- =formatter= provides the formatter that is to be used on =.nix= files. It can be called by using =nix fmt=.
- =check= provides the pre-commit-hook checks that I have explained in [[#h:4d0548db-99b2-4e07-b762-6d86fbb26d4c][Devshell (checks)]].
- =overlays= imports a few community overlays (such as the emacs-overlay) and also three overlays of my own:
1) =additions= holds derivations that I am adding myself to nixpkgs - i.e. this is where the packages defined in =/pkgs= get added to nixpkgs.
2) =modifications= holds derivations that I have performed overrides on. The list of interesting attribute overrides can be found by looking at the source code of a derivation and looking at the start of the file for lines of the form = ? =. But this can also be used to, for example, fetch a different version of a package instead.
3) =nixpkgs-stable= holds the newest version of stable nixpkgs. I only use this on packages that seem broken on unstable, which are not many.
4) =zjstatus= holds some options for =zellij=, but I have stopped using it since I prefer =tmux=.
They are defined in [[#h:7a059bd9-13f8-4005-b270-b41eeb6a4af2][Overlays]]. The way this is handled was simplified in =647a2ae feat: simplify overlay structure=; however, the old structure might be easier to understand as a reference.
Here we define inputs and outputs of the flake. First, the following list is for the outputs of the flake.
Format: ,
Mind the comma at the end. You need this because the =...= is being passed as the last argument in the template at [[#h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b][flake.nix template]].
Here, just add the input names, urls and other options that are needed, like =nixpkgs.follows=. By using the latter option, you tell the package to not provide it's own package repository, but instead 'nest' itself into another, which is very useful.
A short overview over each input and what it does:
- [[https://github.com/NixOS/nixpkgs][nixpkgs]]
This is the base repository that I am following for all packages. I follow the unstable branch. Also I pull in some older revisions of nixpkgs stable for various purposes.
- [[https://github.com/nix-community/home-manager][home-manager]]
This handles user-level configuration and mostly provides dotfiles that are generated and symlinked to =~/.config/=.
- [[https://github.com/Swarsel/swarsel-nix][swarsel-nix]]
This pulls in the very dotfiles you are currently reading. I am adding this to the flake registry in order to
- [[https://github.com/nix-community/NUR][NUR]]
The nix user repository contains user provided modules, packages and expressions. These are not audited by the nix community, so be aware of supply chain vulnerabilities when using those. I am only really using rycee's firefox addons from there which saves me a lot of hassle, and it seems to be a safe resource.
- [[https://github.com/nix-community/nixGL][nixGL]]
This solves the problem that nix has with =OpenGL=, as libraries are not linked and programs will often fail to find drivers. Nowadays, this is included in the [[#h:90af1862-90b3-4c93-8730-2443bc62986a][nixGL]] module of home-manager, but even that requres a binary for nixGL, which is what I pull from this input.
- [[https://github.com/danth/stylix][stylix]]
As described before, this handles all theme related options.
- [[https://github.com/Mic92/sops-nix][sops-nix]]
This provides declarative secrets management for NixOS and home manager using sops and age keys. It is a bit more cumbersome to use on home manager systems - which is a bother because I then have to resort to that configuration to keep everything supported - but it is super practical and really the primary reason why it makes sense for me to go for NixOS, as I do not have to do any extra secrets provisioning.
- [[https://github.com/nix-community/lanzaboote][Lanzaboote]]
Provides secure boot for NixOS. Needed for my Surface Pro 3.
- [[https://github.com/nix-community/nix-on-droid][nix-on-droid]]
This brings nix to android in an app that is similar to tmux! Of course most of the configuration does not apply to this, but it is still neat to have!
- [[https://github.com/NixOS/nixos-hardware][nixos-hardware]]
Provides specific hardware setting for some hardware configurations. For example, this sets some better defaults for my Lenovo Thinkpad P14s Gen2.
- [[https://github.com/nix-community/nixos-generators][nixos-generators]]
Provides me with images that I can use to create LXCs on Proxmox.
- [[https://github.com/Swarsel/nswitch-rcm-nix][nswitch-rcm-nix]]
Allows auto injection of payloads upon connecting a Nintendo Switch.
- [[https://github.com/nix-community/nix-index-database][nix-index-database]]
This provides a database for =nix-index= that is updated weekly. This allows for declarative management, without needing to run the =nix-index= command for database assembly.
- [[https://github.com/nix-community/disko][disko]]
disko provides declarative disk partitioning, which I use for impermanence as well as [[https://github.com/nix-community/nixos-anywhere][nixos-anywhere]].
- [[https://github.com/nix-community/impermanence][Impermanence]]
Some of my machines are using a btrfs filesystem that wipes the root directory on each reboot. This forces me to pay more attention in keeping my system declarative as well as helping me keeping the system uncluttered. However, it is a chore to make sure that important files are not deleted. This flake helps with this problem, allowing me to select files and directories for persisting.
- [[https://github.com/dj95/zjstatus][zjstatus]]
This provides utilities for customizing a statusbar in zellij. Currently unused as I prefer tmux for now and might be removed in the future.
- [[https://github.com/TamtamHero/fw-fanctrl][fw-fanctrl]]
This provides access to the internal fans of Frameworks laptops. This is a bit more nice to use than directly using ectool.
- [[https://github.com/LnL7/nix-darwin][nix-darwin]]
After learning that MacOS systems can also be configured using nix, I managed to get access to an old MacBook for testing. This allows to set most general settings that can otherwise be set using the Mac GUI.
- [[https://github.com/cachix/git-hooks.nix][pre-commit-hooks]]
Provides access to several checks that can be hooked to be run before several stages in the process.
- [[https://github.com/oddlama/nix-topology][nix-topology]]
This automatically creates a topology diagram of my configuration.
- [[https://github.com/hercules-ci/flake-parts][flake-parts]]
The aforementioned system that allows for more convenient flake crafting.
- [[https://github.com/numtide/devshell][devshell]]
This provides devshell support for flake-parts
- [[https://github.com/Gerg-L/spicetify-nix][spicetify]]
This is a improved spotify client. This provides a NixOs module to manage it.
- [[https://github.com/sodiboo/niri-flake][niri-flake]]
This is an optional input that I reserve to use in the future; it provides a module to manage [[#h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb][Niri]] in a way that is way more all-encompassing than the current modules in nixpkgs/home-manager. However, I do not include this by default as this leads to a full compilation of latest niri - this is used only be the niri config evaluator, but is even built if niri is not included in the final config. Also, the binary cache provided by this flake does usually not have the latest niri cached.
- [[https://github.com/microvm-nix/microvm.nix][microvm.nix]]
This flake brings support for microvms to nix. This is basically a more isolated alternative to classic NixOs containers, while keeping most of their benefits.
- [[https://github.com/numtide/treefmt-nix][treefmt-nix]]
This allows to specify a range of formatters for different languages and aspects which can all be run upon =nix fmt=.
- [[https://github.com/oddlama/nixos-extra-modules][nixos-extra-modules]]
This is a collection of modules that add some qualitative functions to several aspects of nix, for example:
- microvm management
- wireguard support for nix-topology
- some extensions to the network library
At the moment I am not using the full range of modules, but my usage keeps increasing steadily. Using this module forced me to make some adjustments in my config, namely exposing the =nodes= output in [[#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02][Hosts]].
- [[https://github.com/nix-community/dns.nix][dns.nix]]
This adds a module that helps with creating zone files (like [[#h:dc1dbc54-46f7-406d-a551-527e97439614][nsd (dns) - site1]]). This flake was competing with [[https://github.com/Janik-Haag/nixos-dns/][NixOS-DNS]] for my favour - while the latter adds many nice utilities that generage records straight from a host configuration, I prefer to do this myself using the [[#h:af83893d-c0f9-4b45-b816-4849110d41b3][Globals]] + [[#h:5c3027b4-ba66-445e-9c5f-c27e332c90e5][Share sconfiguration between nodes (automatically active)]] systems. In the end, I just tried out dns.nix without giving NixOS-DNS a chance and it has been working great, but I believe NixOS-DNS still deserves a mention here, as it would have been a great fit as well, most likely.
- [[https://github.com/Infinidoge/nix-minecraft][nix-minecraft]]
This adds a module that makes it easier to manage (modded) minecraft servers. At the moment, it does not really work with Forge 1.20.1 (which is what my server is running), so I am not making full use of it right now, but I keep close watch on it every day.
- [[https://gitlab.com/simple-nixos-mailserver/nixos-mailserver][nixos-mailserver]]
This adds a module that basically sets up a full mailserver stack. Apart of DNS records and a few extra steps for e.g. a web client, this is one-stop solution that has been working greatly for me.
- [[https://github.com/NixOS/hydra][hydra]]
The hydra module already exists in nixpkgs - however, because, I am also using [[https://github.com/shlevy/nix-plugins][nix-plugins]], I need to build all tools that are using nix against a specific nix version (this is also why I pull in =nix-eval-jobs= as a flake input).
- [[https://github.com/thelegy/nixos-nftables-firewall][nixos-nftables-firewall]]
This flake introduces a module that allows for more structurized nftables config.
- [[#h:c88d569e-70c4-4dd6-a959-be649fdeaa71][topologyPrivate]]
This input per default provides a simple output =topologyPrivate = false;=. This is the value that is normally used in the config. When I export my setup to a topology diagram, there are some public IPs and domains that I want to obfuscate. When doing that, I can then override this input.
- [[https://github.com/noctalia-dev/noctalia-shell][noctalia]]
A flake that provides options for the desktop shell =noctalia-shell=.
- [[https://github.com/Swarsel/niritiling][niritiling]]
A flake that provides window tiling for niri
- [[https://github.com/Swarsel/noctoggle][noctoggle]]
A flake that toggles the noctalia-shell bar when Super is pressed
#+begin_src nix :noweb yes :tangle flake.nix
{
description = "SwarseFlake - Nix Flake for all SwarselSystems";
nixConfig = {
extra-substituters = [
"https://nix-community.cachix.org"
];
extra-trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
};
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
hydra.url = "github:nixos/hydra/nix-2.30";
# hydra.inputs.nix.follows = "nix";
hydra.inputs.nix-eval-jobs.follows = "nix-eval-jobs";
# nix = {
# url = "github:NixOS/nix/2.30-maintenance";
# # We want to control the deps precisely
# flake = false;
# };
nix-eval-jobs = {
url = "github:nix-community/nix-eval-jobs/v2.30.0";
# We want to control the deps precisely
flake = false;
};
smallpkgs.url = "github:nixos/nixpkgs/08fcb0dcb59df0344652b38ea6326a2d8271baff?narHash=sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc%3D&shallow=1";
nixpkgs-dev.url = "github:Swarsel/nixpkgs/main";
nixpkgs-bisect.url = "github:nixos/nixpkgs/master";
# nixpkgs-update.url = "github:r-ryantm/nixpkgs/auto-update/oauth2-proxy";
# nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version
nixpkgs-kernel.url = "github:nixos/nixpkgs/dd9b079222d43e1943b6ebd802f04fd959dc8e61?narHash=sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE%3D"; #specifically pinned for kernel version
nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11";
nixpkgs-oddlama.url = "github:oddlama/nixpkgs/update/firezone-server";
nixpkgs-stable24_05.url = "github:NixOS/nixpkgs/nixos-24.05";
nixpkgs-stable24_11.url = "github:NixOS/nixpkgs/nixos-24.11";
nixpkgs-stable25_05.url = "github:NixOS/nixpkgs/nixos-25.05";
nixpkgs-stable25_11.url = "github:NixOS/nixpkgs/nixos-25.11";
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-index-database = {
url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
dns = {
url = "github:kirelagin/dns.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
emacs-overlay = {
# url = "github:swarsel/emacs-overlay/fix";
# url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D";
url = "github:nix-community/emacs-overlay";
# inputs.nixpkgs.follows = "nixpkgs";
};
noctalia = {
url = "github:noctalia-dev/noctalia-shell";
inputs.nixpkgs.follows = "nixpkgs";
};
topologyPrivate.url = "./files/topology/public";
den.url = "github:vic/den";
import-tree.url = "github:vic/import-tree";
swarsel-nix.url = "github:Swarsel/swarsel-nix/main";
systems.url = "github:nix-systems/default";
nur.url = "github:nix-community/NUR";
nixgl.url = "github:guibou/nixGL";
# stylix.url = "github:danth/stylix";
stylix.url = "github:Swarsel/stylix";
sops.url = "github:Mic92/sops-nix";
lanzaboote.url = "github:nix-community/lanzaboote";
nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05";
nixos-images.url = "github:Swarsel/nixos-images/main";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nswitch-rcm-nix.url = "github:Swarsel/nswitch-rcm-nix";
disko.url = "github:nix-community/disko";
impermanence.url = "github:nix-community/impermanence";
zjstatus.url = "github:dj95/zjstatus";
nix-darwin.url = "github:lnl7/nix-darwin";
pre-commit-hooks.url = "github:cachix/git-hooks.nix";
vbc-nix.url = "git+ssh://git@github.com/vbc-it/vbc-nix.git?ref=main";
nix-topology.url = "github:oddlama/nix-topology";
flake-parts.url = "github:hercules-ci/flake-parts";
devshell.url = "github:numtide/devshell";
spicetify-nix.url = "github:Gerg-l/spicetify-nix";
# spicetify-nix.url = "github:Swarsel/spicetify-nix";
niri-flake.url = "github:sodiboo/niri-flake";
nixos-extra-modules.url = "github:oddlama/nixos-extra-modules/main";
microvm.url = "github:astro/microvm.nix";
treefmt-nix.url = "github:numtide/treefmt-nix";
nix-minecraft.url = "github:Infinidoge/nix-minecraft";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
pia.url = "github:Swarsel/pia.nix/custom";
niritiling.url = "github:Swarsel/niritiling";
noctoggle.url = "git+ssh://git@github.com/Swarsel/noctoggle.git?ref=main";
};
outputs =
inputs:
let
mkNixos = { name, system }: {
den.hosts.${system} = {
${name} = { host, ... }: {
instantiate = inputs.self.outputs.instantiateNixos { minimal = false; } host.name host.system;
users.swarsel = {};
};
"${name}-minimal" = { host, ... }: {
instantiate = inputs.self.outputs.instantiateNixos { minimal = true; } host.name host.system;
intoAttr = [ "nixosConfigurationsMinimal" host.name ];
};
};
};
in
inputs.flake-parts.lib.mkFlake { inherit inputs; specialArgs = { inherit mkNixos; }; } {
imports = [ (inputs.import-tree [ ./flake ./aspects ]) ];
systems = [
"x86_64-linux"
"aarch64-linux"
"x86_64-darwin"
"aarch64-darwin"
];
};
}
#+end_src
** Auxiliary files
:PROPERTIES:
:CUSTOM_ID: h:23602ad9-91f6-4eba-943a-2308070fbaec
:END:
Here I define some extra files that are crucial for success in building my configurations. These are not pulled in by the flake directly, but I still feel like they should be mentioned at the flake level.
*** extra-builtins
:PROPERTIES:
:CUSTOM_ID: h:87c7893e-e946-4fc0-8973-1ca27d15cf0e
:END:
This file is used by [[https://github.com/shlevy/nix-plugins][nix-plugins]]. nix-plugins generally allows for the introduction of arbitrary functions into the =builtins= set. However, I do not want to allow just any function to be added there. Instead, I only add a single function called =sopsImportEncrypted=. This function is used in order to help me store PII (personally identifiable information) in my repo without having to resort to either:
- [[https://github.com/AGWA/git-crypt][git-crypt]]
- a separate repo containing my secrets
As for the second approach, I actually used this up to some point (see for example =7e11641: feat: add initial oauth2-proxy and freshrss oidc= as one of the lasts commits still using this system). However, it is quite bothersome to constantly have to keep two repositories up to date and in sync. Also, having a repo that every configuration relied upon that was also a private repo led to the problem that my demo configuration ([[#h:e1498bef-ec67-483d-bf02-76264e30be8e][Hotel (Demo Physical/VM)]]) would fail to build with that present, and I had to take several extra steps to make it buildable. Ever since deleting that dependency I also got rid of that problem. The whole system is inspired by [[https://oddlama.org/blog/evaluation-time-secrets-in-nix/][this blog article]] and large parts of it are adapted from [[https://github.com/oddlama/nix-config][oddlama's nix-config]].
The builtin that is added is a simple call to the =exec= function that calls a bash script. In order to keep some sanity, we are checking that we are actually calling it no an encryted nix file (even though there is no syntax check inside) and that the path given is a true nix path. Note that a string path will not be accepted, as that can have impurity implications.
#+begin_src nix-ts :tangle files/nix/extra-builtins.nix
# adapted from https://github.com/oddlama/nix-config/blob/main/nix/extra-builtins.nix
{ exec, ... }:
let
assertMsg = pred: msg: pred || builtins.throw msg;
hasSuffix =
suffix: content:
let
lenContent = builtins.stringLength content;
lenSuffix = builtins.stringLength suffix;
in
lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
in
{
# Instead of calling sops directly here, we call a wrapper script that will cache the output
# in a predictable path in /tmp, which allows us to only require the password for each encrypted
# file once.
sopsImportEncrypted =
nixFile:
assert assertMsg (builtins.isPath nixFile)
"The file to decrypt must be given as a path (not a string) to prevent impurity.";
assert assertMsg (hasSuffix ".nix.enc" nixFile)
"The content of the decrypted file must be a nix expression and should therefore end in .nix.enc";
exec [
../scripts/sops-decrypt-and-cache.sh
nixFile
];
}
#+end_src
*** sops-decrypt-and-cache
:PROPERTIES:
:CUSTOM_ID: h:315e6ef6-27d5-4cd8-85ff-053eabe60ddb
:END:
This is the file that manages the actual decryption of the files mentioned in [[#h:87c7893e-e946-4fc0-8973-1ca27d15cf0e][extra-builtins]]. We simply fetch the appropriate system age key from the ssh host key and then call =sops decrypt=. Since it would be a bother to decrypt these files on every build, I keep the result cached and only re-decrypt if it changes. Keeping it cached outside the nix store incurrs a theoretical bit of impurity. However, this is easier to manage and also nothing really relies on these files being present.
#+begin_src shell :tangle files/scripts/sops-decrypt-and-cache.sh :shebang #!/usr/bin/env bash
# adapted from https://github.com/oddlama/nix-config/blob/main/nix/rage-decrypt-and-cache.sh
set -euo pipefail
print_out_path=false
if [[ $1 == "--print-out-path" ]]; then
print_out_path=true
shift
fi
file="$1"
shift
basename="${file%".enc"}"
# store path prefix or ./ if applicable
[[ $file == "/nix/store/"* ]] && basename="${basename#*"-"}"
[[ $file == "./"* ]] && basename="${basename#"./"}"
# Calculate a unique content-based identifier (relocations of
# the source file in the nix store should not affect caching)
new_name="$(sha512sum "$file")"
new_name="${new_name:0:32}-${basename//"/"/"%"}"
# Derive the path where the decrypted file will be stored
out="/var/tmp/nix-import-encrypted/$UID/$new_name"
umask 077
mkdir -p "$(dirname "$out")"
# Decrypt only if necessary
if [[ ! -e $out ]]; then
agekey=$(sudo ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key || sudo ssh-to-age -private-key -i ~/.ssh/sops)
SOPS_AGE_KEY="$agekey" sops decrypt --output "$out" "$file"
fi
# Print out path or decrypted content
if [[ $print_out_path == true ]]; then
echo "$out"
else
cat "$out"
fi
#+end_src
** Library functions
:PROPERTIES:
:CUSTOM_ID: h:f9b7ffba-b7e2-4554-9a35-ece0bf173e1c
:END:
This section defines all functions of my own that I add to =lib=. These are used in all places over the config, however mainly in the files responsible for handling various imports.
A breakdown for the functions that have a non-obvious purpose:
- =pkgsFor=: This function reads all available systems from nixpkgs and generates pkgs for them. This is needed for my generation of home-manager and nix-on-droid systems in [[#h:5c5bf78a-9a66-436f-bd85-85871d9d402b][Hosts]].
- uses [[#h:94690fcb-e039-49da-9bd3-610fa80fa08b][nixpkgs.lib.genAttrs]]
- Also, in that function I am defining the =pkgs= that should be used when I reference =pkgs= in the actual configuration. I want to make sure that the correct system is used (keep in mind this is for home-manager configurations, which need that info! As a remark, you would not set this for a NixOS host), that I load my [[#h:7a059bd9-13f8-4005-b270-b41eeb6a4af2][Overlays]] (extra packages and modifications that I add to =pkgs=), as well as a setting that allows me to install unfree software. As a base package set I choose =nixpkgs= from my inputs (and so does nearly every configuration out there. Keep in mind however that you could use any package set here! =nixpkgs= however also comes with a lot of useful =lib= functions (that are not =builtins= to the nix language!))
- =mkTrueOption=: Defines a nixos module option that is by default enables (as opposed to =mkEnableOption= which are per default disabled).
- uses lib.mkOption to create the defaulted option.
- =mkStrong=:
- An alias for ([[#h:9e81b727-1436-4228-82b1-1edec5c50e06][nixpkgs.lib.mkOverride]] 60), which is higher than setting an option normally (i.e. =option = value=; which has priority 100), but being of lower priority than using [[#h:16599d68-0ca5-40fa-810e-76b5c739b2b1][nixpkgs.lib.mkForce]], which has priority 50 (lower priority takes precedence). For completeness' sake, the priority set when using [[#h:41180e6c-2a13-4b46-89b2-791562b4b816][nixpkgs.lib.mkDefault]] is 1000 (a very low value).
- =forEachLinuxSystem=: performs the =pkgsFor= function for a set of =systems= (here: =x86_64-linux= and =aarch64-linux=). I need to use this in the [[#h:6ed1a641-dba8-4e85-a62e-be93264df57a][Packages (pkgs)]] section in order to avoid trying to build those packages for darwin systems.
- uses [[#h:94690fcb-e039-49da-9bd3-610fa80fa08b][nixpkgs.lib.genAttrs]]
- =readHosts=: Reads the names of directories under the =hosts/= folder for a particular system type
- uses [[#h:1fb6ff92-7cc1-4447-8a63-460f24633053][builtins.readDir]]
- uses [[#h:0fded8e7-6160-4fcd-a491-42f0debfec52][nixpkgs.lib.attrNames]] to acquire attribute names from the outputs of =builtins.readDir=
- =readNix=: reads all files in a directory that are not =default.nix= (usually used to simply load everything from a folder and is called inside that respective =default.nix=).
- uses [[#h:1fb6ff92-7cc1-4447-8a63-460f24633053][builtins.readDir]]
- uses [[#h:0fded8e7-6160-4fcd-a491-42f0debfec52][nixpkgs.lib.attrNames]] to acquire attribute names from the outputs of =builtins.readDir=
- =mkImports=: These are used to help with importing files mostly:
- uses [[#h:a4f9752a-33a6-4dd4-97ea-ef6bf340bd8e][nixpkgs.lib.map]] to actually import the list of modules that are passed to =mkImports= in names.
- =cidrToSubnetMask=: this takes in an IP address in cidr notation (for example 192.168.1.0/24) and returns the matching subnet mask (here: 255.255.255.0)
- uses [[#h:4c98ce64-4ee7-4453-b5a7-b8fd142362ca][nixpkgs.lib.toInt]] to grab the CIDR mask as an int
- uses [[#h:e853e1b7-a078-478d-8192-02f389fe8369][nixpkgs.lib.genList]] to both get the bitwise representation of said CIDR mask as well as converting it to the octet notation of the subnet mask.
- uses [[#h:18de50e8-180d-43c7-b651-bb0f38369e85][nixpkgs.lib.concatStringsSep]] to build the final subnet most of the octets calculated.
- =mkIfElseList= generates either one or another list based on a conditional
- uses [[#h:82c26445-2af4-4a6c-ae91-c804325fdf11][nixpkgs.lib.mkMerge]] to merge the results of the de-facto =if= and =else=, yielding a single list in the end.
- =getBaseDomain= takes in a domain (like =sub.about.com=) and extracts only the base domain (here: =about.com=)
- uses [[#h:74f83083-d987-4935-a4ec-8b8f4c764779][nixpkgs.lib.split]] to get the parts of the input domain
- uses [[#h:38d8aecf-d997-4b50-80a2-c86314b5e67e][nixpkgs.lib.filter]] to keep only the non-empty strings (checking using [[#h:331d759d-835c-400c-8799-c894cf1d2071][nixpkgs.lib.isString]]) from the list generatded by split
- uses [[#h:0a53b0f2-438b-4b10-942c-a5d5ecca7e39][nixpkgs.lib.tail]] to strip the subdomain which keeps the base domain and then conjoins the remaining two elements using [[#h:18de50e8-180d-43c7-b651-bb0f38369e85][nixpkgs.lib.concatStringsSep]]. Indeed this means that this function would break for deeper subdomain nestings, but so far I am not using these.
- =getSubDomain= works in a similar way on a domain subdomain (for the above example: =sub=)
- works similar to =getBaseDomain= but I also calls [[#h:48183c56-2ddf-4d6f-800a-08282b81252c][nixpkgs.lib.length]] to make sure we have an element left which we then grab by [[#h:7cb4c6e7-9b3f-43fc-994e-7f62a3f98572][nixpkgs.lib.head]].
- =toCapitalized=: returns the capitalized version of a string (="about"= -> ="About"=)
- uses [[#h:a22ddf24-fd22-4842-af4a-58bfda110998][nixpkgs.lib.stringLength]] to prevent working on an empty string
- [[#h:6f73291f-812c-4310-9e17-253e22a6fd74][nixpkgs.lib.subString]] as well as =nixpkgs.lib.toUpper= and =nixpkgs.lib.toLower= to build the respective capitalized string
Concerning the =flake = _:= part:
- this is a mechanism introduced by [[https://flake.parts/][flake-parts]]. A =flake= output is akin to a 'normal' output of a standard nix flake (meaning, it will not be built specifically for each system defined by =mkFlake=)
- =lib= is then defined as the merged set of the =nixpkgs= and =home-manager= lib's, as well as some extra functions that I defined in the let-block (the =.extend()= method adds attributes to a set)
#+begin_src nix-ts :tangle flake/lib.nix
{ self, inputs, ... }:
let
swarselsystems =
let
inherit (inputs) systems;
inherit (inputs.nixpkgs) lib;
in
rec {
cidrToSubnetMask = cidr:
let
prefixLength = lib.toInt (lib.last (lib.splitString "/" cidr));
bits = lib.genList (i: if i < prefixLength then 1 else 0) 32;
octets = lib.genList
(i:
let
octetBits = lib.sublist (i * 8) 8 bits;
octetValue = lib.foldl (acc: bit: acc * 2 + bit) 0 octetBits;
in
octetValue
) 4;
subnetMask = lib.concatStringsSep "." (map toString octets);
in
subnetMask;
mkIfElseList = p: yes: no: lib.mkMerge [
(lib.mkIf p yes)
(lib.mkIf (!p) no)
];
mkIfElse = p: yes: no: if p then yes else no;
getSubDomain = domain:
let
parts = builtins.split "\\." domain;
domainParts = builtins.filter (x: builtins.isString x && x != "") parts;
in
if builtins.length domainParts > 0
then builtins.head domainParts
else "";
getBaseDomain = domain:
let
parts = builtins.split "\\." domain;
domainParts = builtins.filter (x: builtins.isString x && x != "") parts;
baseParts = builtins.tail domainParts;
in
builtins.concatStringsSep "." baseParts;
pkgsFor = lib.genAttrs (import systems) (system:
import inputs.nixpkgs {
inherit system;
overlays = [
self.overlays.default
self.overlays.stables
self.overlays.modifications
];
config.allowUnfree = true;
}
);
toCapitalized = str:
if builtins.stringLength str == 0 then
""
else
let
first = builtins.substring 0 1 str;
rest = builtins.substring 1 (builtins.stringLength str - 1) str;
upper = lib.toUpper first;
lower = lib.toLower rest;
in
upper + lower;
mkTrueOption = lib.mkOption {
type = lib.types.bool;
default = true;
};
mkStrong = lib.mkOverride 60;
# forEachSystem = f: lib.genAttrs (import systems) (system: f pkgsFor.${system});
forEachLinuxSystem = f: lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: f pkgsFor.${system});
readHosts = type: lib.attrNames (builtins.readDir "${self}/hosts/${type}");
readNix = type: lib.filter (name: name != "default.nix" && name != "optional" && name != "darwin") (lib.attrNames (builtins.readDir "${self}/${type}"));
mkImports = names: baseDir: lib.map (name: "${self}/${baseDir}/${name}") names;
};
in
{
flake = _:
{
lib = inputs.nixpkgs.lib.extend (_: _: {
inherit (inputs.home-manager.lib) hm;
inherit swarselsystems;
});
swarselsystemsLib = swarselsystems;
homeLib = self.outputs.lib;
};
}
#+end_src
** Packages (pkgs)
:PROPERTIES:
:CUSTOM_ID: h:6ed1a641-dba8-4e85-a62e-be93264df57a
:END:
This does not use =perSystem= from =flake-parts= for package outputs, since some of my custom packages are not able to be built on darwin systems, and I was not yet interested in writing logic for handling that. Instead I use =forEachLinuxSystem= as described in [[#h:f9b7ffba-b7e2-4554-9a35-ece0bf173e1c][Library functions]] in roder to only build this for linux hosts.
Other nix users can make use of these packages either by installing them directly in their config (using my flake as an input and then installing =.=) or by making use of the overlay that I provide in [[#h:7a059bd9-13f8-4005-b270-b41eeb6a4af2][Overlays]]. In the latter case all packages will be made available to the consuming flake.
You might now be wondering why I then have a =perSystem= in this file. This has to do with the =nixos-extra-modules= flake output that I pulled in in [[#h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b][flake.nix skeleton (inputs)]]: it provides a few library functions that I want to use in the [[#h:af83893d-c0f9-4b45-b816-4849110d41b3][Globals]] system. Since however these globals are evaluated to a flake output I need to make sure that these library functions are not only available from within a configuration, but also as a callable expression in the flake - and of course they also should be available in configurations. Generally, =lib= exists under =pkgs=, which means that it is built for an architecture. So, if I want to expand lib, I need to make sure this is done for all architectures. For that, I extend the flake-parts =perSystem= options by a pkgs option using =mkTransposedPerSystemModule=. This points to a file that will specify the correct =pkgs= - in this case, this is the same file. We then add a module arg named =pkgs= which can no make use of the =system= parameter thanks to what we did above, and set the correct overlay - the =self.overlay.defaults= includes the overlay from =nixos-extra-modules= that we need (see [[#h:7a059bd9-13f8-4005-b270-b41eeb6a4af2][Overlays]]). Finally, we make this =pkgs= available as an output.
The =_module.args= part is needed because we need to set/override the =flake-parts= =pkgs= as per https://flake.parts/module-arguments.html?highlight=modulewith#pkgs.
More information on the actual packages build can be found in [[#h:64a5cc16-6b16-4802-b421-c67ccef853e1][Packages]].
#+begin_src nix-ts :tangle flake/packages.nix
{ self, inputs, ... }:
{
imports = [
(
{ lib, flake-parts-lib, ... }:
flake-parts-lib.mkTransposedPerSystemModule {
name = "pkgs";
file = ./packages.nix;
option = lib.mkOption {
type = lib.types.unspecified;
};
}
)
];
flake = _:
let
inherit (self.outputs) lib;
in
{
packages = lib.swarselsystems.forEachLinuxSystem (pkgs: import "${self}/pkgs/flake" { inherit self lib pkgs; });
};
perSystem = { pkgs, system, ... }:
{
# see https://flake.parts/module-arguments.html?highlight=modulewith#persystem-module-parameters
_module.args.pkgs = import inputs.nixpkgs {
inherit system;
config = {
allowUnfree = true;
permittedInsecurePackages = [
# matrix
"olm-3.2.16"
# sonarr
"aspnetcore-runtime-wrapped-6.0.36"
"aspnetcore-runtime-6.0.36"
"dotnet-sdk-wrapped-6.0.428"
"dotnet-sdk-6.0.428"
#
"SDL_ttf-2.0.11"
];
};
overlays = [
self.overlays.default
self.overlays.stables
self.overlays.modifications
];
};
inherit pkgs;
};
}
#+end_src
** Globals
:PROPERTIES:
:CUSTOM_ID: h:af83893d-c0f9-4b45-b816-4849110d41b3
:END:
This file is used to parse each =nixosConfiguration= present in this flake and scan them for options set under the =globals= attribute set. I use =lib.evalModules= to evaluate a mini module system that only consists of these globals options and then load them into the actual configuration by providing a =globals= output to the flake. This treads a dangerous ground of infinite recursions, which is why both the module system as well as the inherited attributes are kept to the minimal size. Each module has a globals option loaded from a module file which will be separately loaded by this mini-evaluation.
- uses [[#h:b9663237-2232-4554-bc81-843be28a707c][nixpkgs.lib.mapAttrsToList]] on =config.nodes=
- uses [[#h:21389cc9-fd89-45ca-9836-592f84a45bb4][nixpkgs.lib.flip]] to reverse the function argument order of the =mapAttrsToList= call, so that we can give the attribute set (=config.nodes=) first. Alternatively, we could have written =lib.mapAttrsToList (name: cfg: [...]) config.nodes= but it would be harder to read since there would be a big block between the arguments.
- uses [[#h:22264e49-b6d0-4c1f-8d05-2ef1f3da3d54][nixpkgs.lib.concatLists]]. =options.config._globalDefs= holds the =options.globals.definitions= for each node (which in turn basically holds the information that has been set for each node under the =globals= option), so the concatenated list will look something like =[ { services.kanidm.domain = "foo"; }; } { services.freshrss.domain = "bar"; } ]=.
- uses [[#h:82c26445-2af4-4a6c-ae91-c804325fdf11][nixpkgs.lib.mkMerge]] to merge these seperate attribute sets in the list into one big attribute set (the above attribute set example would become then ={ services = { kanidm.domain = "foo"; freshrss.domain = "bar"; }; }=. You can see how this can now be referenced as a "global" set.
I also have a file for global values that cannot be attributed to one =nixosConfiguration= alsone; the structure of this =globals.nix.enc= requires a toplevel =globals= - that means, =globals.nix.enc= has the structure ={ globals = [...] }=.
Lastly, in order make this actually available to my configurations, i use the =inherit (globalsSystem.config.globals) [...]= which produces the =globals= output which I will pass to the =specialArgs= of my =nixosConfigurations=, which is when I will be finally able to use these definitions in my config.
Similar to [[#h:6ed1a641-dba8-4e85-a62e-be93264df57a][Packages (pkgs)]], we again create a perSystem module for =globals=. We want this because we need to ingest the right =lib= with the extensions from =nixos-extra-modules= as discussed in [[#h:6ed1a641-dba8-4e85-a62e-be93264df57a][Packages (pkgs)]]. One side effect is that instead of a single =globals= output, we instead create outputs of the form =globals.=. This is not a problem as long as we pass one of these in [[#h:5c5bf78a-9a66-436f-bd85-85871d9d402b][Hosts]], but it needs to be kept in mind. In effect, because we overrode =pkgs=, we can now use the =perSystem= module argument =pkgs= which will fetch the right =pkgs=. Anther method would be using =inputs'= together with =inputs'.pkgs.lib= as per https://flake.parts/module-arguments.html?highlight=modulewith#inputs.
#+begin_src nix-ts :tangle flake/globals.nix
# adapted from https://github.com/oddlama/nix-config/blob/main/nix/globals.nix
{ self, inputs, ... }:
{
imports = [
(
{ lib, flake-parts-lib, ... }:
flake-parts-lib.mkTransposedPerSystemModule {
name = "globals";
file = ./globals.nix;
option = lib.mkOption {
type = lib.types.unspecified;
};
}
)
];
perSystem = { lib, pkgs, ... }:
{
globals =
let
globalsSystem = lib.evalModules {
prefix = [ "globals" ];
specialArgs = {
inherit (pkgs) lib;
inherit (self.outputs) nodes;
inherit inputs;
inherit (inputs.topologyPrivate) topologyPrivate;
};
modules = [
../modules/nixos/common/globals.nix
(
{ lib, ... }:
let
sopsImportEncrypted =
assert lib.assertMsg (builtins ? extraBuiltins.sopsImportEncrypted)
"The extra builtin 'sopsImportEncrypted' is not available, so repo.secrets cannot be decrypted. Did you forget to add nix-plugins and point it to `./files/nix/extra-builtins.nix` ?";
builtins.extraBuiltins.sopsImportEncrypted;
in
{
imports = [
(sopsImportEncrypted ../secrets/repo/globals.nix.enc)
];
}
)
(
{ lib, ... }:
{
globals = lib.mkMerge (
lib.concatLists (
lib.flip lib.mapAttrsToList self.outputs.nodes (
name: cfg:
builtins.addErrorContext "while aggregating globals from nixosConfigurations.${name} into flake-level globals:" cfg.config._globalsDefs
)
)
);
}
)
];
};
in
{
inherit (globalsSystem.config.globals)
domains
services
networks
hosts
user
root
general
;
};
};
}
#+end_src
** Hosts (Legacy)
:PROPERTIES:
:CUSTOM_ID: h:5c5bf78a-9a66-436f-bd85-85871d9d402b
:END:
Here I define my hosts. Earlier (in [[#h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b][flake.nix skeleton]]), I told you how I used to use noweb-ref blocks to achieve this task. You see, a single =nixosConfiguration= uses =nixpkgs.lib.nixosSystem=, passing modules and arguments to define itself. I have automated this process by reading all directories in the =hosts/= directory and then applying =nixpkgs.lib.nixosSystem= as a function on these returns. I also provide a =nixosConfigurationsMinimal= output which is ingested by the flake in =install/flake.nix= to be used during the initial deployment of a new system (it basically just disables most modules).
Note that the =config= top-level module attribute [[https://flake.parts/module-arguments.html?highlight=modulewith#config][includes the entire flake config]] (this is not the same behaviour as for =perSystem=).
There are a few interesting =specialArgs= to be noted:
- we pass =withHomeManager= for all normal hosts (all hosts that are discovered) to keep compatibility with configurations that do not use home-manager.
- =mkNixosHost=: Very much akin to a simple call of =nixpkgs.lib.nixosSystem=, I simply define =specialArgs= and =modules= that I want to use for every configuration. Here, I load all the extra modules from my other input flakes. Also, I add the =globals= output from [[#h:af83893d-c0f9-4b45-b816-4849110d41b3][Globals]] and the =nodes= output that I define right here (it simply mirrors all "full" configurations - nixOS and darwin. I like to refer to home-manager only and nix-on-droid as a "half" configurations). It is also here that I set the node name for the configuration (I prefer this explicit call over referencing =networking.hostName= or such) and the directory that should be used for secrets of a configuration.
- =mkDarwinHost= works in the same way but for darwin machines.
- =mkHalfHost= is a function that either creates a pure home-manager configuration or a nix-on-droid one. The type must be explicitly passed when calling the function. Here, again, we make use of =pkgsFor= that we defined in [[#h:f9b7ffba-b7e2-4554-9a35-ece0bf173e1c][Library functions]]. Also, we make sure to pass =extraSpecialArgs= (the pendant to =specialArgs=, just for home-manager configurations).
- =diskoConfigurations=: specifies a default disko configuration that is to be used if someone pulls in my flake as a disko configuration. This is not used by me, but I think it is kind of neat.
- =nodes=: As stated above, a shorthand for my configurations. Is built using the [[#h:b1fe7a9a-661b-4446-aefa-98373108f8fd][The '//' operator]]
- =guestConfigurations=: This holds all microvm hosts.
The rest of the functions are used to build full NixOS systems as well as halfConfigurations regardless of system architecture:
- =readHostDirs= simply gets the config directories
- =mkHalfHostsForArch= generates attribute sets for every halfHost found through =readHostDirs=
- =mkHostsForArch= does the same for full NixOS configurations
- =mkConfigurationsPerArch= is the wrapper that calls =mkHalfHostsForArch= or =mkHostsForArch= depending on the config it is called for, holding all configurations in principal
- =halfConfigurationsPerArch= returns all halfConfigurations of a certain type (android or home-manager only)
- =ConfigurationsPerArch= does the same for full NixOS systems (NixOS or darwin). These can further be specialized by passing in the corresponding =minimal= arg that is used during bootstrapping.
#+begin_src nix-ts :tangle flake/hosts.nix
{ self, inputs, ... }:
{
flake = { config, ... }:
let
inherit (self) outputs;
inherit (outputs) lib homeLib;
# lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; });
mkNixosHost = { minimal }: configName: arch:
inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs self minimal homeLib configName arch;
inherit (config.pkgs.${arch}) lib;
inherit (config) nodes topologyPrivate;
globals = config.globals.${arch};
type = "nixos";
withHomeManager = true;
extraModules = [ "${self}/modules/nixos/common/globals.nix" ];
};
modules = [
inputs.disko.nixosModules.disko
inputs.home-manager.nixosModules.home-manager
inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
inputs.microvm.nixosModules.host
inputs.microvm.nixosModules.microvm
inputs.nix-index-database.nixosModules.nix-index
inputs.nix-minecraft.nixosModules.minecraft-servers
inputs.nix-topology.nixosModules.default
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
inputs.simple-nixos-mailserver.nixosModules.default
inputs.sops.nixosModules.sops
inputs.stylix.nixosModules.stylix
inputs.swarsel-nix.nixosModules.default
inputs.nixos-nftables-firewall.nixosModules.default
inputs.pia.nixosModules.default
inputs.niritiling.nixosModules.default
inputs.noctoggle.nixosModules.default
(inputs.nixos-extra-modules + "/modules/guests")
(inputs.nixos-extra-modules + "/modules/interface-naming.nix")
"${self}/hosts/nixos/${arch}/${configName}"
"${self}/profiles/nixos"
"${self}/modules/nixos"
{
_module.args.dns = inputs.dns;
microvm.guest.enable = lib.mkDefault false;
networking.hostName = lib.swarselsystems.mkStrong configName;
node = {
name = lib.mkForce configName;
arch = lib.mkForce arch;
type = lib.mkForce "nixos";
secretsDir = ../hosts/nixos/${arch}/${configName}/secrets;
configDir = ../hosts/nixos/${arch}/${configName};
lockFromBootstrapping = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true);
};
swarselprofiles = {
minimal = lib.mkIf minimal (lib.swarselsystems.mkStrong true);
};
swarselmodules.server = {
ssh = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true);
};
swarselsystems = {
mainUser = lib.swarselsystems.mkStrong "swarsel";
};
}
];
};
mkDarwinHost = { minimal }: configName: arch:
inputs.nix-darwin.lib.darwinSystem {
specialArgs = {
inherit inputs lib outputs self minimal configName;
inherit (config) nodes topologyPrivate;
withHomeManager = true;
globals = config.globals.${arch};
};
modules = [
# inputs.disko.nixosModules.disko
# inputs.sops.nixosModules.sops
# inputs.impermanence.nixosModules.impermanence
# inputs.lanzaboote.nixosModules.lanzaboote
# inputs.fw-fanctrl.nixosModules.default
# inputs.nix-topology.nixosModules.default
inputs.home-manager.darwinModules.home-manager
"${self}/hosts/darwin/${arch}/${configName}"
"${self}/modules/nixos/darwin"
# needed for infrastructure
"${self}/modules/shared/meta.nix"
"${self}/modules/nixos/common/globals.nix"
{
node = {
name = lib.mkForce configName;
arch = lib.mkForce arch;
type = lib.mkForce "darwin";
secretsDir = ../hosts/darwin/${arch}/${configName}/secrets;
};
}
];
};
mkHalfHost = configName: type: arch:
let
systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration;
pkgs = lib.swarselsystems.pkgsFor.${arch};
in
systemFunc {
inherit pkgs;
extraSpecialArgs = {
inherit inputs lib outputs self configName arch type;
inherit (config) nodes topologyPrivate;
globals = config.globals.${arch};
minimal = false;
};
modules = [
inputs.stylix.homeModules.stylix
inputs.nix-index-database.homeModules.nix-index
inputs.sops.homeManagerModules.sops
inputs.spicetify-nix.homeManagerModules.default
inputs.swarsel-nix.homeModules.default
"${self}/hosts/${type}/${arch}/${configName}"
"${self}/profiles/home"
"${self}/modules/nixos/common/pii.nix"
{
node = {
name = lib.mkForce configName;
arch = lib.mkForce arch;
type = lib.mkForce type;
secretsDir = ../hosts/${type}/${arch}/${configName}/secrets;
};
}
];
};
linuxArches = [ "x86_64-linux" "aarch64-linux" ];
darwinArches = [ "x86_64-darwin" "aarch64-darwin" ];
mkArches = type: if (type == "nixos") then linuxArches else if (type == "darwin") then darwinArches else linuxArches ++ darwinArches;
readHostDirs = hostDir:
if builtins.pathExists hostDir then
builtins.attrNames
(
lib.filterAttrs (name: type: type == "directory" && name != "pyramid")
(builtins.readDir hostDir)
) else [ ];
mkHalfHostsForArch = type: arch:
let
hostDir = "${self}/hosts/${type}/${arch}";
hosts = readHostDirs hostDir;
in
lib.genAttrs hosts (host: mkHalfHost host type arch);
mkHostsForArch = type: arch: minimal:
let
hostDir = "${self}/hosts/${type}/${arch}";
hosts = readHostDirs hostDir;
in
if (type == "nixos") then
lib.genAttrs hosts (host: mkNixosHost { inherit minimal; } host arch)
else if (type == "darwin") then
lib.genAttrs hosts (host: mkDarwinHost { inherit minimal; } host arch)
else { };
mkConfigurationsPerArch = type: minimal:
let
arches = mkArches type;
toMake = if (minimal == null) then (arch: _: mkHalfHostsForArch type arch) else (arch: _: mkHostsForArch type arch minimal);
in
lib.concatMapAttrs toMake
(lib.listToAttrs (map (a: { name = a; value = { }; }) arches));
halfConfigurationsPerArch = type: mkConfigurationsPerArch type null;
configurationsPerArch = type: minimal: mkConfigurationsPerArch type minimal;
in
rec {
nixosConfigurations = configurationsPerArch "nixos" false;
nixosConfigurationsMinimal = configurationsPerArch "nixos" true;
darwinConfigurations = configurationsPerArch "darwin" false;
darwinConfigurationsMinimal = configurationsPerArch "darwin" true;
homeConfigurations = halfConfigurationsPerArch "home";
nixOnDroidConfigurations = halfConfigurationsPerArch "android";
guestConfigurations = lib.flip lib.concatMapAttrs config.nixosConfigurations (
_: node:
lib.flip lib.mapAttrs' (node.config.guests or { }) (
guestName: guestDef:
lib.nameValuePair guestDef.nodeName node.config.microvm.vms.${guestName}.config
)
);
diskoConfigurations.default = import "${self}/files/templates/hosts/nixos/disk-config.nix";
nodes = config.nixosConfigurations
// config.darwinConfigurations
// config.guestConfigurations;
guestResources = lib.mapAttrs
(name: _:
let
f = arg: lib.foldr (base: acc: base + acc) 0 (map (node: nodes."${name}-${node}".config.microvm.${arg}) (builtins.attrNames nodes.${name}.config.guests));
in
{
mem = f "mem";
vcpu = f "vcpu";
})
nodes;
"@" = lib.mapAttrs (_: v: v.config.system.build.toplevel) config.nodes;
};
}
#+end_src
** Topology (nix-topology generated network diagram)
:PROPERTIES:
:CUSTOM_ID: h:391e7712-fef3-4f13-a3ed-d36e228166fd
:END:
This defines some topology for the [[https://github.com/oddlama/nix-topology][nix-topology]] modole that can not otherwise be parsed from the config (or is global). For example, this is used to define a number of switches, printers and routers. The topology graph is built from left to right, meaning that =nodes.internet = mkInternet { connections = [ (mkConnection "moonside" "wan") ]; };= means that the node =internet= 'initiates' the connection to the node =moonside= (=internet= will be on the left).
Another note concerning [[https://flake.parts/][flake-parts]]:
- =perSystem= is a mechanism that tells flake-parts to build the following attribute set for all systems. This replaces the need to handle myself any =system= or =pkgs= variables, this is done by flake-parts. In this case this is needed so that the topology diagram can be built locally.
#+begin_src nix-ts :tangle flake/topology.nix
{ self, inputs, ... }:
{
imports = [
inputs.nix-topology.flakeModule
];
perSystem = { system, ... }:
let
inherit (self.outputs) lib;
in
{
topology.modules = [
({ config, ... }:
let
globals = self.outputs.globals.${system};
inherit (config.lib.topology)
mkInternet
mkDevice
mkSwitch
mkRouter
mkConnection
;
in
{
renderer = "elk";
networks = {
fritz-lan = {
name = "Fritz!Box LAN";
inherit (globals.networks.home-lan) cidrv4 cidrv6;
};
services = {
name = "VLAN: Services";
inherit (globals.networks.home-lan.vlans.services) cidrv4 cidrv6;
};
home = {
name = "VLAN: Home";
inherit (globals.networks.home-lan.vlans.home) cidrv4 cidrv6;
};
devices = {
name = "VLAN: Devices";
inherit (globals.networks.home-lan.vlans.devices) cidrv4 cidrv6;
};
guests = {
name = "VLAN: Guests";
inherit (globals.networks.home-lan.vlans.guests) cidrv4 cidrv6;
};
fritz-wg = {
name = "WireGuard: Fritz!Box tunnel";
inherit (globals.networks.fritz-wg) cidrv4 cidrv6;
};
wgProxy = {
name = "WireGuard: Web proxy tunnel";
inherit (globals.networks.twothreetunnel-wgProxy) cidrv4 cidrv6;
};
wgHome = {
name = "WireGuard: Home proxy tunnel";
inherit (globals.networks.home-wgHome) cidrv4 cidrv6;
};
};
nodes = {
internet = mkInternet {
connections = [
(mkConnection "fritzbox" "dsl")
(mkConnection "magicant" "wifi")
(mkConnection "liliputsteps" "lan")
(mkConnection "treehouse" "eth1")
(mkConnection "toto" "bootstrapper")
(mkConnection "hotel" "demo host")
];
};
fritzbox = mkRouter "FRITZ!Box" {
info = "FRITZ!Box 7682";
image = "${self}/files/topology-images/Fritz!Box_7682.png";
interfaceGroups = [
[
"eth1"
"eth2"
"eth3"
"eth-wan"
"wifi"
]
[ "dsl" ]
];
connections = {
eth1 = mkConnection "winters" "eth1";
eth-wan = mkConnection "hintbooth" "lan";
};
interfaces = {
eth1 = {
addresses = [ globals.networks.home-lan.hosts.fritzbox.ipv4 ];
network = "fritz-lan";
};
eth2 = { };
eth3 = { };
eth-wan = {
addresses = [ globals.networks.home-lan.hosts.fritzbox.ipv4 ];
network = "fritz-lan";
};
wifi = {
addresses = [ globals.networks.home-lan.hosts.fritzbox.ipv4 ];
virtual = true;
renderer.hidePhysicalConnections = true;
network = "fritz-lan";
physicalConnections = [
(mkConnection "pyramid" "wifi")
(mkConnection "bakery" "wifi")
(mkConnection "machpizza" "wifi")
];
};
fritz-wg = {
addresses = [ globals.networks.fritz-wg.hosts.fritzbox.ipv4 ];
network = "fritz-wg";
virtual = true;
renderer.hidePhysicalConnections = true;
type = "wireguard";
physicalConnections = [
(mkConnection "pyramid" "fritz-wg")
(mkConnection "magicant" "fritz-wg")
];
};
};
};
switch-livingroom = mkSwitch "Switch Livingroom" {
info = "TL-SG108E";
image = "${self}/files/topology-images/TL-SG108E.png";
interfaceGroups = [
# trunk
[ "eth1" ]
# devices
[ "eth2" "eth5" "eth6" ]
# home
[ "eth3" "eth8" ]
# guests
[ "eth4" "eth7" ]
];
interfaces = {
eth2 = { network = lib.mkForce "devices"; };
eth3 = { network = lib.mkForce "home"; };
eth5 = { network = lib.mkForce "devices"; };
eth6 = { network = lib.mkForce "devices"; };
eth7 = { network = lib.mkForce "guests"; };
eth8 = { network = lib.mkForce "home"; };
};
connections = {
eth2 = mkConnection "nswitch" "eth1";
eth3 = mkConnection "bakery" "eth1";
eth5 = mkConnection "ps4" "eth1";
eth6 = mkConnection "ender3" "eth1";
eth7 = mkConnection "pc" "eth1";
eth8 = mkConnection "pyramid" "eth1";
};
};
switch-bedroom = mkSwitch "Switch Bedroom" {
info = "Cisco SG 200-08";
image = "${self}/files/topology-images/Cisco_SG_200-08.png";
interfaceGroups = [
# trunk
[ "eth1" ]
# devices
[ "eth2" ]
# guests
[ "eth3" "eth4" "eth5" "eth6" "eth7" "eth8" ]
];
interfaces = {
eth2 = { network = lib.mkForce "devices"; };
eth3 = { network = lib.mkForce "guests"; };
};
connections = {
eth2 = mkConnection "printer" "eth1";
eth3 = mkConnection "machpizza" "eth1";
};
};
nswitch = mkDevice "Nintendo Switch" {
info = "Atmosphère 1.3.2 @ FW 19.0.1";
image = "${self}/files/topology-images/nintendo-switch.png";
interfaces.eth1 = { };
};
ps4 = mkDevice "PlayStation 4" {
info = "GoldHEN @ FW 5.05";
image = "${self}/files/topology-images/ps4.png";
interfaces.eth1 = { };
};
ender3 = mkDevice "Ender 3" {
info = "SKR V1.3, TMC2209 (Dual), TFT35";
deviceIcon = "${self}/files/topology-images/ender3.png";
icon = "${self}/files/topology-images/raspi.png";
interfaces.eth1 = { };
services = {
octoprint = {
name = "OctoPrint";
icon = "${self}/files/topology-images/octoprint.png";
};
};
};
magicant = mkDevice "magicant" {
icon = "${self}/files/topology-images/phone.png";
info = "Samsung Z Flip 6";
image = "${self}/files/topology-images/zflip6.png";
interfaces = {
wifi = { };
fritz-wg.network = "fritz-wg";
};
};
machpizza = mkDevice "machpizza" {
info = "MacBook Pro 2016";
icon = "devices.laptop";
deviceIcon = "${self}/files/topology-images/mac.png";
interfaces = {
eth1.network = "guests";
wifi = { };
};
};
treehouse = mkDevice "treehouse" {
info = "NVIDIA DGX Spark";
icon = "${self}/files/topology-images/home-manager.png";
deviceIcon = "${self}/files/topology-images/dgxos.png";
interfaces = {
eth1 = { };
wifi = { };
};
services = {
ollama = {
name = "Ollama";
icon = "services.ollama";
};
openwebui = {
name = "Open WebUI";
icon = "services.open-webui";
};
comfyui = {
name = "Comfy UI";
icon = "${self}/files/topology-images/comfyui.png";
};
};
};
pc = mkDevice "Chaostheater" {
info = "ASUS Z97-A, i7-4790k, GTX970, 32GB RAM";
icon = "${self}/files/topology-images/windows.png";
deviceIcon = "${self}/files/topology-images/atlasos.png";
services = {
sunshine = {
name = "Sunshine";
icon = "${self}/files/topology-images/sunshine.png";
};
};
interfaces.eth1.network = "guests";
};
printer = mkDevice "Printer" {
info = "DELL C2665dnf";
image = "${self}/files/topology-images/DELL-C2665dnf.png";
interfaces.eth1 = { };
};
};
})
];
};
}
#+end_src
** Devshell (checks/pre-commit-hooks)
:PROPERTIES:
:CUSTOM_ID: h:4d0548db-99b2-4e07-b762-6d86fbb26d4c
:END:
This file defines a number of checks that can either be run by calling =nix flake check= or while in a =nix-shell= or =nix develop=. This helps me make sure that my flake confirms to my self-imposed standards. The GitHub actions perform less checks than are being done here (they are only checking the formatting, as well as =statix= and =deadnix=).
The devshell also provides a number of useful shorthand commands, as well as a 'safe' version of nixpkgs that I can use to rebuild from in case a version bump in nixpkgs suddenly breaks [[https://github.com/shlevy/nix-plugins][nix-plugins]].
Aside from the =default= devShell which is the one that should usually be called interactively, I also define a =deploy= devshell: this one compiles nix-plugins against an earlier version of nix, which is needed so that the version nixos-anywhere that I am using works. However, that version is a little annoying since it had a bug in nix-plugins that is here fixed using a patch file. I guess it also serves as another fallback should problems with the current nix-plugins version arise.
#+begin_src nix-ts :tangle flake/devshell.nix
{ self, inputs, ... }:
{
imports = [
inputs.devshell.flakeModule
inputs.pre-commit-hooks.flakeModule
];
perSystem = { pkgs, config, system, ... }:
{
pre-commit = {
check.enable = true;
settings = {
addGcRoot = true;
hooks = {
check-added-large-files.enable = true;
check-case-conflicts.enable = true;
check-executables-have-shebangs.enable = true;
check-shebang-scripts-are-executable.enable = false;
check-merge-conflicts.enable = true;
deadnix.enable = true;
detect-private-keys.enable = true;
end-of-file-fixer.enable = true;
fix-byte-order-marker.enable = true;
flake-checker.enable = true;
forbid-new-submodules.enable = true;
mixed-line-endings.enable = true;
nixpkgs-fmt.enable = true;
statix.enable = true;
trim-trailing-whitespace.enable = true;
treefmt.enable = true;
destroyed-symlinks = {
enable = true;
entry = "${inputs.pre-commit-hooks.checks.${system}.pre-commit-hooks}/bin/destroyed-symlinks";
};
shellcheck = {
enable = true;
entry = "${pkgs.shellcheck}/bin/shellcheck --shell=bash";
};
shfmt = {
enable = true;
entry = "${pkgs.shfmt}/bin/shfmt -i 4 -sr -d -s -l";
};
};
};
};
devshells = {
deploy =
let
nix-version = "2_28";
in
{
packages = [
(builtins.trace "alarm: pinned nix_${nix-version}" pkgs.stable25_05.nixVersions."nix_${nix-version}")
pkgs.git
pkgs.just
pkgs.age
pkgs.ssh-to-age
pkgs.sops
];
env =
[
{
name = "NIX_CONFIG";
value = ''
plugin-files = ${pkgs.stable25_05.nix-plugins.overrideAttrs (o: {
buildInputs = [pkgs.stable25_05.nixVersions."nix_${nix-version}" pkgs.stable25_05.boost];
patches = (o.patches or []) ++ [./files/patches/nix-plugins.patch];
})}/lib/nix/plugins
extra-builtins-file = ${self + /files/nix/extra-builtins.nix}
'';
}
];
};
default =
let
nix-version = "2_30";
in
{
packages = [
(builtins.trace "alarm: pinned nix_${nix-version}" pkgs.nixVersions."nix_${nix-version}")
pkgs.git
pkgs.just
pkgs.age
pkgs.ssh-to-age
pkgs.sops
pkgs.nixpkgs-fmt
self.packages.${system}.swarsel-build
self.packages.${system}.swarsel-deploy
(pkgs.symlinkJoin {
name = "home-manager";
buildInputs = [ pkgs.makeWrapper ];
paths = [ pkgs.home-manager ];
postBuild = ''
wrapProgram $out/bin/home-manager \
--append-flags '--flake .#$(hostname)'
'';
})
];
commands = [
{
package = pkgs.statix;
help = "Lint flake";
}
{
package = pkgs.deadnix;
help = "Check flake for dead code";
}
{
package = pkgs.nix-tree;
help = "Interactively browse dependency graphs of Nix derivations";
}
{
package = pkgs.nvd;
help = "Diff two nix toplevels and show which packages were upgraded";
}
{
package = pkgs.nix-diff;
help = "Explain why two Nix derivations differ";
}
{
package = pkgs.nix-output-monitor;
help = "Nix Output Monitor (a drop-in alternative for `nix` which shows a build graph)";
name = "nom \"$@\"";
}
{
name = "hm";
help = "Manage home-manager config";
command = "home-manager \"$@\"";
}
{
name = "fmt";
help = "Format flake";
command = "nixpkgs-fmt --check \"$FLAKE\"";
}
{
name = "sd";
help = "Build and deploy this nix config to nodes";
command = "swarsel-deploy \"$@\"";
}
{
name = "sl";
help = "Build and deploy a config to nodes";
command = "swarsel-deploy \${1} switch";
}
{
name = "sw";
help = "Build and switch to the host's config locally";
command = "swarsel-deploy $(hostname) switch";
}
{
name = "bld";
help = "Build a number of configurations";
command = "swarsel-build \"$@\"";
}
{
name = "c";
help = "Work with the flake git repository";
command = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/ \"$@\"";
}
];
# devshell.startup.pre-commit-install.text = "pre-commit install";
devshell.startup.pre-commit.text = config.pre-commit.installationScript;
env =
let
nix-plugins = pkgs.nix-plugins.override {
nixComponents = pkgs.nixVersions."nixComponents_${nix-version}";
};
in
[
{
name = "NIX_CONFIG";
value = ''
plugin-files = ${nix-plugins}/lib/nix/plugins
extra-builtins-file = ${self + /files/nix/extra-builtins.nix}
'';
}
];
};
};
};
}
#+end_src
** Templates
:PROPERTIES:
:CUSTOM_ID: h:e817f769-9aa9-4192-b649-c269080f4fee
:END:
This file defines the templates that are being exposed by the flake. These can be used by running =nix flake init -t github:Swarsel/.dotfiles#= by others. Personally, I mostly use these as part of the [[#h:154b6df4-dd50-4f60-9794-05a140d02994][project]] utility.
Otherwise, I define the function =mkTemplates= here which builds a named attribute set for each type of template that I have.
- uses [[#h:c63cd469-7724-4a05-b932-8843722a00f0][builtins.listToAttrs]]
#+begin_src nix-ts :tangle flake/templates.nix
{ self, ... }:
{
flake = _: {
templates =
let
mkTemplates = names: builtins.listToAttrs (map
(name: {
inherit name;
value = {
path = "${self}/files/templates/${name}";
description = "${name} project ";
};
})
names);
templateNames = [
"python"
"rust"
"go"
"cpp"
"latex"
"default"
];
in
mkTemplates templateNames;
};
}
#+end_src
** Formatter (treefmt-nix)
:PROPERTIES:
:CUSTOM_ID: h:5fce36ae-715d-42d3-9ad4-46137d85083f
:END:
Defines a formatter that can be called using =nix fmt=.
Usually all formatting in this repo is done automatically while editing in emacs. However, it is nice to have a backup formatter to rely on and treefmt is extermely nice to work with, as it allows setting formatters for all kinds of aspects of the flake.
#+begin_src nix-ts :tangle flake/formatter.nix
{ inputs, ... }:
{
imports = [
inputs.treefmt-nix.flakeModule
];
perSystem = { pkgs, ... }: {
# formatter is set by treefmt to:
# formatter = lib.mkIf config.treefmt.flakeFormatter (lib.mkDefault config.treefmt.build.wrapper);
treefmt = {
projectRootFile = "flake.nix";
programs = {
nixfmt = {
enable = true;
package = pkgs.nixpkgs-fmt;
};
deadnix.enable = true;
statix.enable = true;
shfmt = {
enable = true;
indent_size = 4;
simplify = true;
# needed to replicate what my Emacs shfmt does
# there is no builtin option for space-redirects
package = pkgs.symlinkJoin {
name = "shfmt";
buildInputs = [ pkgs.makeWrapper ];
paths = [ pkgs.shfmt ];
postBuild = ''
wrapProgram $out/bin/shfmt \
--add-flags '-sr'
'';
};
};
shellcheck.enable = true;
};
settings.formatter.shellcheck.options = [
"--shell"
"bash"
];
};
};
}
#+end_src
** Modules
:PROPERTIES:
:CUSTOM_ID: h:e8eb0617-3441-421d-9b44-716ed40159ab
:END:
This exposes all of my modular configuration as modules. Other people can use them in their flake using =imports = [ inputs..nixosModules ];=. Per default, this enables some mechanisms like config sharing between nodes and the globals system.
=nixosModules= is a `defined` flake output, where external tools might expect some sort of structure; hence, I call the default output =default=, which will, in many cases, allow the user to just reference to the flake itself (which will then use =nixosModules.default= automatically.
=homeModules= on the other hand is not standardized in this way (for example, many flakes refer to =homeManagerModules= instead); in order not to unnecessarily break things, I leave it as is.
#+begin_src nix-ts :tangle flake/modules.nix
{ self, ... }:
{
flake = _:
let
inherit (self.outputs) lib;
in
{
nixosModules.default = import "${self}/modules/nixos" { inherit lib; };
homeModules = import "${self}/modules/home" { inherit lib; };
};
}
#+end_src
** Instantiation Functions
#+begin_src nix-ts :tangle flake/instantiate.nix
{ self, inputs, ... }:
{
flake = { config, ... }: {
instantiateNixos = { minimal }: configName: arch: { modules }:
let
inherit (self) outputs;
inherit (outputs) lib homeLib;
mkStrong = lib.mkOverride 60;
in
inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs self homeLib configName arch minimal;
inherit (config.pkgs.${arch}) lib;
inherit (config) nodes topologyPrivate;
globals = config.globals.${arch};
type = "nixos";
withHomeManager = true;
extraModules = [ "${self}/modules-clone/nixos/common/globals.nix" ];
};
modules = modules ++ [
inputs.disko.nixosModules.disko
inputs.home-manager.nixosModules.home-manager
inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
inputs.microvm.nixosModules.host
inputs.microvm.nixosModules.microvm
inputs.nix-index-database.nixosModules.nix-index
inputs.nix-minecraft.nixosModules.minecraft-servers
inputs.nix-topology.nixosModules.default
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
inputs.simple-nixos-mailserver.nixosModules.default
inputs.sops.nixosModules.sops
inputs.stylix.nixosModules.stylix
inputs.swarsel-nix.nixosModules.default
inputs.nixos-nftables-firewall.nixosModules.default
inputs.pia.nixosModules.default
inputs.niritiling.nixosModules.default
inputs.noctoggle.nixosModules.default
(inputs.nixos-extra-modules + "/modules/guests")
(inputs.nixos-extra-modules + "/modules/interface-naming.nix")
"${self}/profiles-clone/nixos"
"${self}/modules-clone/nixos"
{
_module.args.dns = inputs.dns;
microvm.guest.enable = lib.mkDefault false;
networking.hostName = mkStrong configName;
node = {
name = lib.mkForce configName;
arch = lib.mkForce arch;
type = lib.mkForce "nixos";
secretsDir = ../hosts/nixos/${arch}/${configName}/secrets;
configDir = ../hosts/nixos/${arch}/${configName};
lockFromBootstrapping = lib.mkIf (!minimal) (mkStrong true);
};
swarselprofiles = {
minimal = lib.mkIf minimal (mkStrong true);
};
swarselmodules.server = {
ssh = lib.mkIf (!minimal) (mkStrong true);
};
swarselsystems = {
mainUser = mkStrong "swarsel";
};
}
];
};
};
}
#+end_src
** Den
#+begin_src nix-ts :tangle flake/den.nix
{ inputs, ... }:
{
imports = [ inputs.den.flakeModule ];
}
#+end_src
** Apps
:PROPERTIES:
:CUSTOM_ID: h:52e1fae8-0e8c-4be6-a6ce-758ada652dd3
:END:
This defines some apps; they differ from normal packages in that they can be called using =nix run =. So, for example, I can call my deployment script using =nix run --experimental-features 'nix-command flakes' github:Swarsel/.dotfiles -- -n -d = (here I did not specify =#swarsel-bootstrap= since it is set as the default. In general, whenever the =#...= part is ommitted, the object under the default attribute will be used. This is also true for =nixosConfigurations=: in that case, the default will be the current hostname of the machine).
- uses [[#h:c63cd469-7724-4a05-b932-8843722a00f0][builtins.listToAttrs]]
- uses [[#h:b1fe7a9a-661b-4446-aefa-98373108f8fd][The '//' operator]] to add the default output to thte set of built apps.
#+begin_src nix-ts :tangle flake/apps.nix
{ self, ... }:
{
perSystem = { system, ... }:
let
mkApps = system: names: self: builtins.listToAttrs (map
(name: {
inherit name;
value = {
type = "app";
program = "${self.packages.${system}.${name}}/bin/${name}";
meta = {
description = "Custom app ${name}.";
};
};
})
names);
appNames = [
"swarsel-bootstrap"
"swarsel-install"
"swarsel-rebuild"
"swarsel-postinstall"
];
appSet = mkApps system appNames self;
in
{
apps = appSet // {
default = appSet.swarsel-bootstrap;
};
};
}
#+end_src
** Overlays/Overrides
:PROPERTIES:
:CUSTOM_ID: h:7a059bd9-13f8-4005-b270-b41eeb6a4af2
:END:
In this section I define packages that I manually add to nixpkgs, or that I want to use in a modified way. This can be useful for packages that are currently awaiting a PR or public packages that I do not want to maintain. This is done in a three step process.
The first overlay stage is responsible for extending the base nixpkgs:
1) =additions=
These are for the aforementioned added packages.
NOTE: The packages themselves are built in [[#h:6ed1a641-dba8-4e85-a62e-be93264df57a][Packages (pkgs)]]; here, we just add them to the overlay that we then use in the configuration.
2) =nixpkgs-stable-versions=
These are simply mirrors of other branches of nixpkgs (mostly past stable branches). Useful for packages that are broken on nixpkgs, but do not need to be on bleeding edge anyways. Automatically fetches all inputs names =nixpkgs-= and adds them under the name in ==. They will be available under =pkgs.=.
The second stage of overlays is responsible to replace packages in nixpkgs with stable versions. The benefit here is that I have a central place (this part of the config) where I can declare what needs to be stable - broken packages tend to be enduser packages, as packages with huge dependency chains will normally be caught earlier upstream if there is a failure (see [[#h:b562adaf-536c-4267-88a5-026d8a0cda61][Current issues]]). In effect, that means I can override package =xyz= right here, and then use =pkgs.xyz= in the rest of the config, whereas I would need to use =pkgs..xyz= if I were to only use =nixpkgs-stable-versions= from the first stage.
Note that packages with bigger dependencies should NOT be added here. Such as:
- chromium
- bluez
- pipewire
As doing so will trigger enormous rebuilds of e.g. =electron=.
The third stage takes care of further modifications that should be performed to the packages after they have been overridden in stages 1 and 2: These modifications are for packages that do not fit my usecase, meaning I need to perform modifications on them.
As part of the modifications, I add some of my own library functions to be used alongside the functions provided by =nixpkgs= and =home-manager=.
On the structure of overlays: as you notice, all of the attributes within overlays are functions which take =final= and =prev= as arguments. This is a convention (sometimes you also see =super= instead of =final=) that aims to tell you that =final= represents the =pkgs= set after it has gone over all modifications, while =prev= is the =pkgs= set before the current modification.
- So, in =additions=, the =final= set is the same as in =modifications=, but their =prev= sets differ.
- This starts to make a difference when you use multiple overlays and have one overlay depend on the modifications in another overlay.
- The =_= argument is used like in a number of other programing languages and signals that the argument is never actually used in the function.
#+begin_src nix-ts :tangle flake/overlays.nix
{ self, inputs, ... }:
let
inherit (self) outputs;
inherit (outputs) lib;
in
{
flake = _:
{
overlays =
let
nixpkgs-stable-versions = final: _:
let
nixpkgsInputs =
lib.filterAttrs
(name: _v: builtins.match "^nixpkgs-.*" name != null)
inputs;
rename = name: builtins.replaceStrings [ "nixpkgs-" ] [ "" ] name;
mkPkgs = src:
import src {
inherit (final.stdenv.hostPlatform) system;
config.allowUnfree = true;
};
in
builtins.listToAttrs (map
(name: {
name = rename name;
value = mkPkgs nixpkgsInputs.${name};
})
(builtins.attrNames nixpkgsInputs));
in
rec {
default = additions;
additions = final: prev:
let
additions = final: _: import "${self}/pkgs/flake" { pkgs = final; inherit self lib; }
// {
swarsel-nix = import inputs.swarsel-nix {
pkgs = prev;
};
zjstatus = inputs.zjstatus.packages.${prev.stdenv.hostPlatform.system}.default;
};
in
(additions final prev)
// (nixpkgs-stable-versions final prev)
// (inputs.niri-flake.overlays.niri final prev)
// (inputs.noctalia.overlays.default final prev)
// (inputs.vbc-nix.overlays.default final prev)
// (inputs.nur.overlays.default final prev)
// (inputs.emacs-overlay.overlay final prev)
// (inputs.nix-topology.overlays.default final prev)
// (inputs.nix-index-database.overlays.nix-index final prev)
// (inputs.nixgl.overlay final prev)
// (inputs.nix-minecraft.overlay final prev)
// (inputs.nixos-extra-modules.overlays.default final prev);
stables = final: prev:
let
mkUsePkgsFrom = pkgsFrom: names:
builtins.listToAttrs (map
(name: {
inherit name;
value = pkgsFrom.${name};
})
names);
from =
let
stablePackages = nixpkgs-stable-versions final prev;
in
key:
stablePackages.${key} or (throw "Missing nixpkgs input nixpkgs-${key}");
in
(mkUsePkgsFrom (from "dev") [
# "swayosd"
"firezone-relay"
"firezone-server-web"
"firezone-server-api"
"firezone-server-domain"
])
// (mkUsePkgsFrom (from "stable24_05") [
"awscli2"
])
// (mkUsePkgsFrom (from "stable24_11") [
"python39"
"spotify"
"vieb"
])
// (mkUsePkgsFrom (from "stable25_05") [
"steam-fhsenv-without-steam"
"transmission_3"
])
// (mkUsePkgsFrom (from "stable") [
# "anki"
"azure-cli"
# "bat-extras.batgrep"
# "bluez"
"calibre"
# "chromium"
"dwarfs"
"gotenberg"
"khal"
"libreoffice"
"libreoffice-qt"
"nerd-fonts-symbols-only"
"noto-fonts-color-emoji"
# "pipewire"
"podman"
"teams-for-linux"
# "vesktop"
"virtualbox"
]);
modifications = final: prev:
let
modifications = final: prev: {
# vesktop = prev.vesktop.override {
# withSystemVencord = true;
# };
lib = prev.lib // {
swarselsystems = self.outputs.swarselsystemsLib;
hm = self.outputs.homeLib;
};
firefox = prev.firefox.override {
nativeMessagingHosts = [
prev.tridactyl-native
prev.browserpass
# prev.plasma5Packages.plasma-browser-integration
];
};
isync = prev.isync.override {
withCyrusSaslXoauth2 = true;
};
mgba = final.swarsel-mgba;
noctalia-shell = prev.noctalia-shell.override {
calendarSupport = true;
};
retroarch = prev.retroarch.withCores (cores: with cores; [
snes9x # snes
nestopia # nes
dosbox # dos
scummvm # scumm
vba-m # gb/a
mgba # gb/a
melonds # ds
dolphin # gc/wii
]);
};
in
modifications final prev;
};
};
}
#+end_src
** Installer images (live iso, kexec)
:PROPERTIES:
:CUSTOM_ID: h:1d1ccae5-62ca-4d37-a28e-c59987850ed2
:END:
This sections makes use of [[https://github.com/nix-community/nixos-generators][nixos-generators]] in order to easily allow me to build a live ISO of my installer system. It can be built using =nix build --print-out-paths --no-link #live-iso=, and can then be copied to a USB drive using, for example, =dd=.
In a similar way, =nix build --print-out-paths --no-link .#pnap-kexec --system = will build the kexec tarball that I need when using disko to deploy to a low-RAM systems.
This is an improvement to what I did earlier, where I did not use =nixos-generators= but instead manually imported the needed modules to make this configration into a bootable USB image. Now, I can just write this in the same way that I would to write any other configuration.
#+begin_src nix-ts :tangle flake/iso.nix
{ self, inputs, ... }:
{
perSystem = { pkgs, system, ... }:
{
packages = {
# nix build --print-out-paths --no-link .#live-iso
live-iso = inputs.nixos-generators.nixosGenerate {
inherit pkgs system;
specialArgs = { inherit self; };
modules = [
inputs.home-manager.nixosModules.home-manager
"${self}/install/installer-config.nix"
];
format = {
x86_64-linux = "install-iso";
aarch64-linux = "sd-aarch64-installer";
}.${system};
};
keygen = inputs.nixos-generators.nixosGenerate {
inherit pkgs system;
modules = [
inputs.home-manager.nixosModules.home-manager
"${self}/install/keygen-config.nix"
];
format = {
x86_64-linux = "install-iso";
aarch64-linux = "sd-aarch64-installer";
}.${system};
};
# nix build --print-out-paths --no-link .#pnap-kexec --system
swarsel-kexec = (inputs.smallpkgs.legacyPackages.${system}.nixos [
{
imports = [ "${self}/install/kexec.nix" ];
_file = __curPos.file;
system.kexec-installer.name = "swarsel-kexec";
}
inputs.nixos-images.nixosModules.kexec-installer
]).config.system.build.kexecInstallerTarball;
};
};
}
#+end_src
** Installer flake
:PROPERTIES:
:CUSTOM_ID: h:1d4514b4-e952-4faf-b30e-d89e73a526c6
:END:
When using tools like (the builtin) =nixos-rebuild= or =nixos-anywhere=, these tools expect the flake to have a certain structure; namely, they expect to find an output named =nixosConfigurations=, which is implicitely used when passing =--flake .#= (it is used in front of ==).
When I define my configurations, I am actually defining two versions for each actual system:
- One 'regular' config that should be used by all rebuild tools such as =nixos-rebuild=
- One 'minimal' config that should be used by =nixos-anywhere= during initial deployment of a system
Now, I could of course define a == and =-minimal= attribute for each configuration and just put these under =nixosConfigurations=, but that would have several drawbacks:
- evaluation time would increase
- my =nodes= output (that holds information for all actual systems) would bloat
- it is actually not clear that == and =-minimal= represent the same config
Hence, what I instead do is to define another output =nixosConfigurationsMinimal= as an output to this flakes' config, and then use it to set the =nixosConfigurations= of another, minimal, flake that I keep in =install/=. When using =nixos-anywhere= during initial deployment, I will then point it to that minimal flake, where the minimal configs can be found.
#+begin_src nix-ts :tangle install/flake.nix
{
description = "Minimal installer flake - automatically generated by SwarselSystems.org";
inputs.swarsel.url = "./..";
outputs = { swarsel, ... }: { nixosConfigurations = swarsel.nixosConfigurationsMinimal; };
}
#+end_src
* System
:PROPERTIES:
:CUSTOM_ID: h:02cd20be-1ffa-4904-9d5a-da5a89ba1421
:END:
This section holds most of the relevant NixOS side of configuration.
** Manual steps when setting up a new machine
:PROPERTIES:
:CUSTOM_ID: h:ed34ee4d-31f9-4d27-bc6e-ba37ee502d5a
:END:
In the [[#h:a86fe971-f169-4052-aacf-15e0f267c6cd][Introduction (no code)]], I mentioned that this is a nearly fully declarative config. In fact, most client configs are in one way or another not fully declarative. I use oneshotting systemd services + sentinel files for most such tasks (which makes them declarative!), but some of them I would rather perform manually once. This mainly concerns work related things.
Whenever I encounter a configuration bit that needs manual steps, I use a [[#h:dae0c5bb-edb7-4fe4-ae31-9f8f064cc53c][Appendix A: Noweb-Ref blocks]] to tangle that bit of information into a central place (here). I discern between the following scenarios:
- =setup=: Used in a standard NixOs + home-manager deployment
- =worksetup=: Stuff to be done only on work machines
- =homemanageronlysetup=: Steps that are needed only on machines that are not running NixOs.
#+begin_src markdown :noweb yes :exports results :results html
These steps are required when setting up a normal NixOS host:
<>
If the new machine is a work machine, these steps are additionally needed:
<>
If the new machine is home-manager only, perform these steps:
<>
#+end_src
#+RESULTS:
#+begin_export html
These steps are required when setting up a normal NixOS host:
- setup yubikey (automatic yubikey enrollment is not yet supported by `disko`):
- `systemd-cryptenroll --fido2-device=auto /dev/`
If the new machine is a work machine, these steps are additionally needed:
- setup the work VPN:
- using the laptop certificate `.pem` as User cert and private key (CA cert: none)
- vpn gateway is found in `nixosConfig.repo.secrets.local.work.vpnGateway`
- setup gpgsm for signing of mails using S/MIME:
- `gpgsm --import ~/Certificates/.p12`
- `gpgsm --import ~/Certificates/harica-root.pem`
- `gpgsm --import ~/Certificates/harica-intermediate.pem`
- `gpgsm --list-keys --with-validation "HARICA Client RSA Root CA 2021"`
- trust the certificate and set passphrase
- setup pizauth for microsoft mail sync (account names are possibly `uni` and `work`):
- `pizauth auth `
- `pizauth dump > ~/.pizauth.state`
If the new machine is home-manager only, perform these steps:
- (Optional) Install openssh-server
- Set hostname to the name specified in the home-manager configuration
- Install nix, either:
- (if upgrading existing nix) Install nix version matching with version that `nix-plugins` is compiled against: `nix-env --install --file '' cacert -I nixpkgs=channel:nixpkgs-unstable --attr nixVersions.nix_x_yy`
- (or installing nix freshly):
- Grab the link to the install script of the needed nix version from https://releases.nixos.org/?prefix=nix, e.g. https://releases.nixos.org/nix/nix-2.30.1/install
- `bash <(curl -L https://releases.nixos.org/nix/nix-x-yy-y/install) --daemon`
- add the following to /etc/nix/nix.conf to become a trusted user: `trusted-users = @wheel root swarsel`
- For the first build:
1) Clone dotfile repo & change into it
2) `nix --extra-experimental-features 'nix-command flakes' develop`
3) `home-manager --extra-experimental-features 'nix-command flakes' switch --flake .#$(hostname) --show-trace`
#+end_export
** TODO Current issues
:PROPERTIES:
:CUSTOM_ID: h:b562adaf-536c-4267-88a5-026d8a0cda61
:END:
Besides the manual steps outlined above, sometimes things break when I update this flake. The fix, for me, is most of the times one of these two:
- instead of the broken package, use the package from the latest stable nixpkgs release where the package is still functoning (this is why I pull all of these in as inputs)
- if the broken component is critical, I perform manual patches/overrides.
In order to keep track of these changes, I gather them here in a similar style to what you saw in [[#h:ed34ee4d-31f9-4d27-bc6e-ba37ee502d5a][Manual steps when setting up a new machine]]. I simply prefix them with the date and check them after a while to see if things got better. TODO: this list is not comprehensive probably
#+begin_src markdown :noweb yes :exports results :results html
Currently, these adaptions are made to the configuration to account for bugs in upstream repos:
<>
#+end_src
#+RESULTS:
#+begin_export html
Currently, these adaptions are made to the configuration to account for bugs in upstream repos:
- 20260302:
- navidrome is having build issues and set to stable
- noto-fonts is having build issues and set to stable
- libreoffice-* is having build issues and set to stable
- also need to set services.gotenberg.libreoffice.package to stable
- 20260224:
- azure-cli is having build issues and set to stable
- dwarfs is having build issues and set to stable
- shortkeys is having build issues and disabled
- anki is having build issues and set to stable
- khal is having build issues and set to stable
- 202501102:
- flake:
- emacs-overlay:
- : version pinned because emacsclient is currently broken on latest
- niri-flake:
- currently not using the sugared version of screenshot-[,window], as it is currently broken
- home-manager:
- emacs-tramp:
- using stable version in extraPackages (broken in unstable)
- :ensure nil in emacs tramp settings to use package in extraPackages
- emacs-calfwL
- pinned to version not in nixpkgs (is in latest emacs-overlay, but that is broken)
- vesktop:
- running stable version (broken in unstable)
- batgrep:
- running stable version (broken in unstable)
- swayosd:
- pinned to version not in nixpkgs (fixes https://github.com/ErikReider/SwayOSD/issues/175)
#+end_export
** System specific configuration
:PROPERTIES:
:CUSTOM_ID: h:88bf4b90-e94b-46fb-aaf1-a381a512860d
:END:
This section mainly exists to house different =default.nix= files to define some modules that should be loaded on respective systems.
Every host is housed in the =hosts/= directory, which is then subdivided by each respective system (=nixos/=, =home-manager/=, =nix-on-droid/=, =darwin/=). As described earlier, some of these configurations (nixos and darwin) can be defined automatically in this flake. For home-manager and nix-on-droid, the system architecture must be defined manually.
*** TODO Template
:PROPERTIES:
:CUSTOM_ID: h:373bd9e8-616e-434e-bfab-c216ce4470e9
:END:
This is the template that I use for new deployments of personal machines. Servers are usually highly tailored to their specific task and I do not consider it worth a time to craft a template for that. Also, at least at the current time, I only provide a template for NixOS hosts, as I rarely ever use anything else.
TODO: I dont think this template would currently work out of the box
**** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:859aec97-65a2-4633-b7d8-73d4ccf89cc5
:END:
#+begin_src nix-ts :tangle files/templates/hosts/nixos/default.nix
{ self, config, inputs, pkgs, lib, ... }:
let
primaryUser = config.swarselsystems.mainUser;
modulesPath = "${self}/modules";
sharedOptions = {
isBtrfs = true;
};
in
{
imports = [
# ---- nixos-hardware here ----
./hardware-configuration.nix
./disk-config.nix
"${modulesPath}/nixos/optional/virtualbox.nix"
# "${modulesPath}/nixos/optional/vmware.nix"
"${modulesPath}/nixos/optional/autologin.nix"
"${modulesPath}/nixos/optional/nswitch-rcm.nix"
"${modulesPath}/nixos/optional/gaming.nix"
inputs.home-manager.nixosModules.home-manager
{
home-manager.users."${primaryUser}".imports = [
"${modulesPath}/home/optional/gaming.nix"
];
}
];
boot = {
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
};
networking = {
hostName = "TEMPLATE";
firewall.enable = true;
};
swarselsystems = lib.recursiveUpdate
{
wallpaper = self + /files/wallpaper/landscape/lenovowp.png;
hasBluetooth = true;
hasFingerprint = true;
isImpermanence = true;
isSecureBoot = true;
isCrypted = true;
isSwap = true;
swapSize = "32G";
rootDisk = "TEMPLATE";
}
sharedOptions;
home-manager.users."${primaryUser}".swarselsystems = lib.recursiveUpdate
{
isLaptop = true;
isNixos = true;
cpuCount = 16;
}
sharedOptions;
}
#+end_src
**** disko
:PROPERTIES:
:CUSTOM_ID: h:24757d1e-6e88-4843-ab20-5e0c1b7ae29e
:END:
Acceptance of arbitraty argumments is here needed because =disko= passes =diskoFile= to this file.
#+begin_src nix-ts :tangle files/templates/hosts/nixos/disk-config.nix
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
environment.systemPackages = [
pkgs.yubikey-manager
];
}
#+end_src
*** Physical hosts
:PROPERTIES:
:CUSTOM_ID: h:58dc6384-0d19-4f71-9043-4014bd033ba2
:END:
This is a list of all physical machines that I maintain.
**** pyramid (Framework Laptop 16)
:PROPERTIES:
:CUSTOM_ID: h:6c6e9261-dfa1-42d8-ab2a-8b7c227be6d9
:END:
My work machine. Built for more security, this is the gold standard of my configurations at the moment. Most of the client work configurations are in [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] and [[#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6][home-manager/work]].
***** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:567c0055-f5f7-4e53-8f13-d767d7166e9d
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/pyramid/default.nix
{ self, config, inputs, lib, minimal, ... }:
let
primaryUser = config.swarselsystems.mainUser;
in
{
imports = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./disk-config.nix
./hardware-configuration.nix
"${self}/modules/nixos/optional/amdcpu.nix"
"${self}/modules/nixos/optional/amdgpu.nix"
"${self}/modules/nixos/optional/framework.nix"
"${self}/modules/nixos/optional/gaming.nix"
"${self}/modules/nixos/optional/hibernation.nix"
"${self}/modules/nixos/optional/nswitch-rcm.nix"
"${self}/modules/nixos/optional/virtualbox.nix"
"${self}/modules/nixos/optional/work.nix"
"${self}/modules/nixos/optional/niri.nix"
"${self}/modules/nixos/optional/noctalia.nix"
];
topology.self = {
interfaces = {
eth1.network = lib.mkForce "home";
wifi = { };
fritz-wg.network = "fritz-wg";
};
};
swarselsystems = {
lowResolution = "1280x800";
highResolution = "2560x1600";
isLaptop = true;
isNixos = true;
isBtrfs = true;
isLinux = true;
sharescreen = "eDP-2";
info = "Framework Laptop 16, 7940HS, RX7700S, 64GB RAM";
firewall = lib.mkForce true;
wallpaper = self + /files/wallpaper/landscape/lenovowp.png;
hasBluetooth = true;
hasFingerprint = true;
isImpermanence = false;
isSecureBoot = true;
isCrypted = true;
inherit (config.repo.secrets.local) hostName;
inherit (config.repo.secrets.local) fqdn;
hibernation.offset = 533760;
};
home-manager.users."${primaryUser}" = {
swarselsystems = {
isSecondaryGpu = true;
SecondaryGpuCard = "pci-0000_03_00_0";
cpuCount = 16;
temperatureHwmon = {
isAbsolutePath = true;
path = "/sys/devices/virtual/thermal/thermal_zone0/";
input-filename = "temp4_input";
};
monitors = {
main = {
# name = "BOE 0x0BC9 Unknown";
name = "BOE 0x0BC9";
mode = "2560x1600";
scale = "1";
position = "2560,0";
workspace = "15:L";
output = "eDP-2";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
personal = true;
};
networking.nftables.firewall.zones.untrusted.interfaces = [ "wlan*" "enp*" ];
# networking.nftables = {
# enable = lib.mkForce false;
# firewall.enable = lib.mkForce false;
# };
}
#+end_src
***** hardware-configuration
:PROPERTIES:
:CUSTOM_ID: h:25115a54-c634-4896-9a41-254064ce9fcc
:END:
=dcdebugmask= enums: https://docs.kernel.org/gpu/amdgpu/driver-core.html#c.DC_DEBUG_MASK
This system is built with support for arm emulation, so it can build configurations that are meant to run on most of my cloud hosts (even though the remote builders are a better fit for this).
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
# Fix Wlan after suspend or Hibernate
# environment.etc."systemd/system-sleep/fix-wifi.sh".source =
# pkgs.writeShellScript "fix-wifi.sh" ''
# case $1/$2 in
# pre/*)
# ${pkgs.kmod}/bin/modprobe -r mt7921e mt792x_lib mt76
# echo 1 > /sys/bus/pci/devices/0000:04:00.0/remove
# ;;
# post/*)
# ${pkgs.kmod}/bin/modprobe mt7921e
# echo 1 > /sys/bus/pci/rescan
# ;;
# esac
# '';
boot = {
# kernelPackages = lib.mkDefault pkgs.kernel.linuxPackages;
kernelPackages = lib.mkDefault pkgs.kernel.linuxPackages_latest;
# kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
binfmt.emulatedSystems = [ "aarch64-linux" ];
initrd = {
availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
"usb_storage"
"cryptd"
"usbhid"
"sd_mod"
"r8152"
"drm"
"drm_kms_helper"
"ttm"
"gpu_sched"
];
# allow to remote build on arm (needed for moonside)
kernelModules = [ "sg" ];
luks.devices."cryptroot" = {
# improve performance on ssds
bypassWorkqueues = true;
preLVM = true;
# crypttabExtraOpts = ["fido2-device=auto"];
};
};
kernelModules = [ "amdgpu" "kvm-amd" ];
kernelParams = [
# deep sleep is discontinued by amd
# "mem_sleep_default=deep"
# supposedly, this helps save power on laptops
# in reality (at least on this model), this just generate excessive heat on the CPUs
# "amd_pstate=passive"
# Fix screen flickering issue at the cost of battery life (disable PSR and PSR-SU, keep PR enabled)
# TODO: figure out if this is worth it
# test PSR/PR state with 'sudo grep '' /sys/kernel/debug/dri/0000*/eDP-2/*_capability'
# ref:
# https://old.reddit.com/r/framework/comments/1goh7hc/anyone_else_get_this_screen_flickering_issue/
# https://www.reddit.com/r/NixOS/comments/1hjruq1/graphics_corruption_on_kernel_6125_and_up/
# https://gitlab.freedesktop.org/drm/amd/-/issues/3797
"amdgpu.dcdebugmask=0x410"
];
extraModulePackages = [ ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces..useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp196s0f3u1c2.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
#+end_src
***** disko
:PROPERTIES:
:CUSTOM_ID: h:e0da04c7-4199-44b0-b525-6cfc64072b45
:END:
This system uses an encrypted root that is however not impermanent. At some point I should reset this host, but this will probably not happen while I use this machine at work.
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/pyramid/disk-config.nix
{
disko.devices = {
disk = {
nvme0n1 = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "gpt";
partitions = {
ESP = {
label = "boot";
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
luks = {
size = "100%";
label = "luks";
content = {
type = "luks";
name = "cryptroot";
extraOpenArgs = [
"--allow-discards"
"--perf-no_read_workqueue"
"--perf-no_write_workqueue"
];
# https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
settings = { crypttabExtraOpts = [ "fido2-device=auto" "token-timeout=10" ]; };
content = {
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [ "subvol=root" "compress=zstd" "noatime" ];
};
"/home" = {
mountpoint = "/home";
mountOptions = [ "subvol=home" "compress=zstd" "noatime" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "subvol=nix" "compress=zstd" "noatime" ];
};
"/persist" = {
mountpoint = "/persist";
mountOptions = [ "subvol=persist" "compress=zstd" "noatime" ];
};
"/log" = {
mountpoint = "/var/log";
mountOptions = [ "subvol=log" "compress=zstd" "noatime" ];
};
"/swap" = {
mountpoint = "/swap";
swap.swapfile.size = "64G";
};
};
};
};
};
};
};
};
};
};
fileSystems = {
"/persist".neededForBoot = true;
"/home".neededForBoot = true;
"/".neededForBoot = true; # this is ok because this is not a impermanence host
"/var/log".neededForBoot = true;
};
}
#+end_src
**** Bakery (Lenovo ThinkPad)
:PROPERTIES:
:CUSTOM_ID: h:a320569e-7bf0-4552-9039-b2a8e0939a12
:END:
My personal laptop. Closely follows the =pyramid= config, but leaves out some security features that I consider a bother on my work machine. Contrary to =pyramid=, this uses a clean, impermanent setup.
***** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:6f80d614-d76a-433b-8956-78d7b323b68c
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/bakery/default.nix
{ self, config, inputs, lib, minimal, ... }:
let
primaryUser = config.swarselsystems.mainUser;
in
{
imports = [
inputs.nixos-hardware.nixosModules.common-cpu-intel
./disk-config.nix
./hardware-configuration.nix
"${self}/modules/nixos/optional/gaming.nix"
"${self}/modules/nixos/optional/nswitch-rcm.nix"
"${self}/modules/nixos/optional/virtualbox.nix"
];
topology.self.interfaces = {
eth1.network = lib.mkForce "home";
wifi = { };
};
swarselsystems = {
isLaptop = true;
isNixos = true;
isBtrfs = true;
isLinux = true;
lowResolution = "1280x800";
highResolution = "1920x1080";
sharescreen = "eDP-1";
info = "Lenovo Ideapad 720S-13IKB";
firewall = lib.mkForce true;
wallpaper = self + /files/wallpaper/landscape/lenovowp.png;
hasBluetooth = true;
hasFingerprint = true;
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = true;
rootDisk = "/dev/nvme0n1";
swapSize = "4G";
};
home-manager.users."${primaryUser}" = {
# home.stateVersion = lib.mkForce "23.05";
swarselsystems = {
monitors = {
main = {
name = "LG Display 0x04EF Unknown";
mode = "1920x1080"; # TEMPLATE
scale = "1";
position = "1920,0";
workspace = "15:L";
output = "eDP-1";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
personal = true;
};
}
#+end_src
***** hardware-configuration
:PROPERTIES:
:CUSTOM_ID: h:bbba1646-fb5f-4d04-baf0-f606037a8b39
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/bakery/hardware-configuration.nix
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
#+end_src
***** disko
:PROPERTIES:
:CUSTOM_ID: h:72444f85-7951-47c0-858f-b51d8299de8c
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/bakery/disk-config.nix
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
environment.systemPackages = [
pkgs.yubikey-manager
];
}
#+end_src
**** Winters (Server: ASRock J4105-ITX)
:PROPERTIES:
:CUSTOM_ID: h:932ef6b0-4c14-4200-8e3f-2e208e748746
:END:
This used to be my main server (it is now replaced by [[#h:82bf7fb1-631b-4acd-966b-d0c71a9eb463][Summers (Server: ASUS Z10PA-D8)]]). Currently I use this host as a staging system for several services, and in the future this will be my IoT management system.
***** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:8ad68406-4a75-45ba-97ad-4c310b921124
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/winters/default.nix
{ self, lib, minimal, globals, ... }:
{
imports = [
./hardware-configuration.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
topology.self.interfaces."eth1" = { };
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
networking.hosts = {
${globals.networks.home-lan.hosts.hintbooth.ipv4} = [ "server.hintbooth.${globals.domains.main}" ];
${globals.networks.home-lan.hosts.hintbooth.ipv6} = [ "server.hintbooth.${globals.domains.main}" ];
};
swarselsystems = {
info = "ASRock J4105-ITX, 32GB RAM";
flakePath = "/root/.dotfiles";
isImpermanence = false;
isSecureBoot = false;
isCrypted = false;
isBtrfs = false;
isLinux = true;
isNixos = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
wgHome = {
isClient = true;
serverName = "hintbooth";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
diskEncryption = lib.mkForce false;
};
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" "enp3s0" ];
}
#+end_src
***** hardware-configuration
:PROPERTIES:
:CUSTOM_ID: h:0fdefb4f-ce53-4caf-89ed-5d79646f70f0
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/winters/hardware-configuration.nix
{ lib, config, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
supportedFilesystems = [ "zfs" ];
# zfs.extraPools = [ "Vault" ];
};
fileSystems = {
"/" =
{
device = "/dev/disk/by-uuid/30e2f96a-b01d-4c27-9ebb-d5d7e9f0031f";
fsType = "ext4";
};
"/boot" =
{
device = "/dev/disk/by-uuid/F0D8-8BD1";
fsType = "vfat";
};
};
swapDevices =
[{ device = "/dev/disk/by-uuid/a8eb6f3b-69bf-4160-90aa-9247abc108e0"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces..useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
#+end_src
**** Summers (Server: ASUS Z10PA-D8)
:PROPERTIES:
:CUSTOM_ID: h:82bf7fb1-631b-4acd-966b-d0c71a9eb463
:END:
This is my current main server at home; all services except filesystem backups run in separate microvms (see [[#h:5e571d89-6590-4aa4-a5f4-5c871683d09b][Guests]]). Generally, all services that have any amount of significant data will be run on this server, and not on the Oracle Cloud instances.
***** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:dc2233df-cd78-43cc-bb45-57568a83fb24
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/default.nix
{ self, config, inputs, lib, minimal, confLib, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
inputs.nixos-hardware.nixosModules.common-cpu-intel
"${self}/modules/nixos/optional/systemd-networkd-server-home.nix"
"${self}/modules/nixos/optional/microvm-host.nix"
];
topology.self = {
interfaces = {
"lan" = { };
"bmc" = { };
};
};
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
hardware.enableRedistributableFirmware = true;
swarselsystems = {
info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM";
flakePath = "/root/.dotfiles";
isImpermanence = true;
isSecureBoot = true;
isCrypted = true;
isBtrfs = true;
isLinux = true;
isNixos = true;
isSwap = false;
proxyHost = "twothreetunnel";
writeGlobalNetworks = false;
networkKernelModules = [ "igb" ];
rootDisk = "/dev/disk/by-id/ata-TS120GMTS420S_J024880123";
withMicroVMs = true;
localVLANs = [ "services" "home" ]; # devices is only provided on interface for bmc
initrdVLAN = "home";
server = {
wireguard.interfaces = {
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
wgHome = {
isClient = true;
serverName = "hintbooth";
};
};
restic.targets = {
SwarselState = {
repository = config.repo.secrets.local.resticRepoState;
# nextcloud stores all data in state dir and has no data that needs backup
paths = lib.map (guest: "/Vault/guests/${guest}/state") (builtins.filter (name: name != "nextcloud") (builtins.attrNames config.guests));
};
SwarselStorage = {
repository = config.repo.secrets.local.resticRepoStorage;
paths = [
"/Vault/Eternor/Pictures"
"/Vault/Eternor/Documents/paperless"
];
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
wireguard = true;
restic = true;
podman = true;
opkssh = true;
};
guests = lib.mkIf (!minimal && config.swarselsystems.withMicroVMs) (
{ }
// confLib.mkMicrovm "ankisync" { withZfs = true; }
// confLib.mkMicrovm "atuin" { withZfs = true; }
// confLib.mkMicrovm "audio" { withZfs = true; eternorPaths = [ "Music" ]; }
// confLib.mkMicrovm "firefly" { withZfs = true; }
// confLib.mkMicrovm "forgejo" { withZfs = true; }
// confLib.mkMicrovm "freshrss" { withZfs = true; }
// confLib.mkMicrovm "homebox" { withZfs = true; }
// confLib.mkMicrovm "immich" { withZfs = true; eternorPaths = [ "Pictures" ]; }
// confLib.mkMicrovm "jellyfin" { withZfs = true; eternorPaths = [ "Videos" ]; }
// confLib.mkMicrovm "kanidm" { withZfs = true; }
// confLib.mkMicrovm "kavita" { withZfs = true; eternorPaths = [ "Books" ]; }
// confLib.mkMicrovm "koillection" { withZfs = true; }
// confLib.mkMicrovm "matrix" { withZfs = true; }
// confLib.mkMicrovm "monitoring" { withZfs = true; }
// confLib.mkMicrovm "nextcloud" { withZfs = true; }
// confLib.mkMicrovm "paperless" { withZfs = true; eternorPaths = [ "Documents" ]; }
// confLib.mkMicrovm "radicale" { withZfs = true; }
// confLib.mkMicrovm "storage" { withZfs = true; eternorPaths = [ "Books" "Videos" "Music" "Pictures" "Software" "Documents" ]; }
// confLib.mkMicrovm "transmission" { withZfs = true; eternorPaths = [ "Books" "Videos" "Music" "Software" ]; }
);
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" "bmc" ];
}
#+end_src
***** hardware-configuration
:PROPERTIES:
:CUSTOM_ID: h:394b1f22-a61b-41da-9fe7-7625f164ed57
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/hardware-configuration.nix
{ config, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
supportedFilesystems = [ "zfs" ];
zfs.extraPools = [ "Vault" ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces..useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
#+end_src
***** disko
:PROPERTIES:
:CUSTOM_ID: h:664b45fd-bd7e-4fff-bfc5-29f7a0657be6
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/disk-config.nix
{ lib, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}
#+end_src
***** Guests
:PROPERTIES:
:CUSTOM_ID: h:5e571d89-6590-4aa4-a5f4-5c871683d09b
:END:
#+begin_src bash :results output :eval never-export
echo "Currently using $(nix eval .#guestResources.summers.mem 2>/dev/null) MB out of 128GB RAM"
echo "Currently using $(nix eval .#guestResources.summers.vcpu 2>/dev/null) vCPUs. 48 threads are available."
#+end_src
#+RESULTS:
: Currently using 54272 MB out of 128GB RAM
: Currently using 40 vCPUs. 48 threads are available.
****** Kavita
:PROPERTIES:
:CUSTOM_ID: h:14a705ff-1924-41da-a6f8-1537e2f5bfb6
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/kavita/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
kavita = true;
};
}
#+end_src
****** Jellyfin
:PROPERTIES:
:CUSTOM_ID: h:84c85e0f-dcbc-4d2e-bc5c-2f5615b67450
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/jellyfin/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 3;
vcpu = 4;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
jellyfin = true;
};
}
#+end_src
****** Audio
:PROPERTIES:
:CUSTOM_ID: h:dd59a022-e05e-488f-afdd-766de3814f1e
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/audio/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 4;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
navidrome = true;
spotifyd = true;
mpd = true;
};
}
#+end_src
****** Matrix
:PROPERTIES:
:CUSTOM_ID: h:1ab43f9c-f32d-4c7c-85a5-b07bd5172112
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/matrix/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 6;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
matrix = true;
};
}
#+end_src
****** Nextcloud
:PROPERTIES:
:CUSTOM_ID: h:3de0bfe4-0d9c-4fb8-9289-9910516652a8
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/nextcloud/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 3;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
nextcloud = true;
nginx = true;
acme = false;
};
}
#+end_src
****** Immich
:PROPERTIES:
:CUSTOM_ID: h:e6b7438f-6487-4bd4-9a3a-d0853d5d2b7b
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/immich/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 16;
vcpu = 14;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
immich = true;
};
}
#+end_src
****** Paperless
:PROPERTIES:
:CUSTOM_ID: h:b6f71fde-9d35-43f8-82da-10a9203bb8d9
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/paperless/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 8;
vcpu = 4;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
paperless = true;
};
}
#+end_src
****** Transmission
:PROPERTIES:
:CUSTOM_ID: h:782cd89f-7bc8-48c9-bdb8-177c6a62c235
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/transmission/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 4;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
transmission = true;
};
}
#+end_src
****** Storage
:PROPERTIES:
:CUSTOM_ID: h:c4bd66cb-447e-4e1e-9d99-706c446c51e6
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/storage/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 4;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
nfs = true;
syncthing = true;
};
}
#+end_src
****** Monitoring
:PROPERTIES:
:CUSTOM_ID: h:ca57b719-c2cd-4f4c-b14a-71e3447292bd
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/monitoring/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 3;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
grafana = true;
};
}
#+end_src
****** FreshRSS
:PROPERTIES:
:CUSTOM_ID: h:7c611318-52fe-4d76-980b-df851a6af4ca
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/freshrss/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 3;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
freshrss = true;
nginx = true;
acme = false;
};
}
#+end_src
****** Kanidm
:PROPERTIES:
:CUSTOM_ID: h:589e154d-78d9-4938-bd11-66413120030a
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/kanidm/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 4;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
kanidm = true;
};
}
#+end_src
****** Firefly-III
:PROPERTIES:
:CUSTOM_ID: h:bd23aa0c-0d40-4360-b0ef-23de844ad88e
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/firefly/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 3;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
firefly-iii = true;
nginx = true;
acme = false;
};
}
#+end_src
****** Koillection
:PROPERTIES:
:CUSTOM_ID: h:11f3fb05-abed-4766-8da1-fc95432c22d0
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/koillection/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
koillection = true;
};
}
#+end_src
****** Radicale
:PROPERTIES:
:CUSTOM_ID: h:215533a7-d017-4618-a9e2-18327f22663f
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/radicale/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
radicale = true;
};
}
#+end_src
****** Atuin
:PROPERTIES:
:CUSTOM_ID: h:24bdcac0-e4ef-49df-8686-18a8d5730311
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/atuin/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
atuin = true;
};
}
#+end_src
****** Forgejo
:PROPERTIES:
:CUSTOM_ID: h:37b9df5f-3755-4dc4-82f5-aaed75cb0ffa
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/forgejo/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
forgejo = true;
};
}
#+end_src
****** Anki Sync Server
:PROPERTIES:
:CUSTOM_ID: h:b1f52613-2928-4b5c-b9bf-3788c409d745
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/ankisync/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
ankisync = true;
};
}
#+end_src
****** Homebox
:PROPERTIES:
:CUSTOM_ID: h:aef416e8-f0d5-4ced-8dd4-c0f904bac2ff
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/summers/guests/homebox/default.nix
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
homebox = true;
};
}
#+end_src
**** Hintbooth (Router: HUNSN RM02)
:PROPERTIES:
:CUSTOM_ID: h:58c7563e-6954-42e6-a622-9d06523e8e24
:END:
This machine serves as my home router (see [[#h:b54f2bbb-0088-46b2-957d-fd8234b772c3][Router]]). It also provides an http proxy endpoint in my local network over DNS rewrites.
***** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:624b3c6a-6e31-4734-a6ea-7c5b461a3429
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/default.nix
{ self, config, lib, minimal, confLib, globals, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server-home.nix"
"${self}/modules/nixos/optional/microvm-host.nix"
];
topology.self = {
interfaces = {
lan2.physicalConnections = [{ node = "summers"; interface = "lan"; }];
lan3.physicalConnections = [{ node = "summers"; interface = "bmc"; }];
lan4.physicalConnections = [{ node = "switch-bedroom"; interface = "eth1"; }];
lan5.physicalConnections = [{ node = "switch-livingroom"; interface = "eth1"; }];
};
};
globals.general = {
homeProxy = config.node.name;
routerServer = config.node.name;
};
swarselsystems = {
info = "HUNSN RM02, 8GB RAM";
flakePath = "/root/.dotfiles";
isImpermanence = true;
isSecureBoot = true;
isCrypted = true;
isBtrfs = true;
isLinux = true;
isNixos = true;
rootDisk = "/dev/sda";
swapSize = "8G";
networkKernelModules = [ "igb" ];
withMicroVMs = true;
localVLANs = map (name: "${name}") (builtins.attrNames globals.networks.home-lan.vlans);
initrdVLAN = "home";
server = {
wireguard.interfaces = {
wgHome = {
isServer = true;
peers = [
"hintbooth-adguardhome"
"hintbooth-nginx"
"summers"
"summers-ankisync"
"summers-atuin"
"summers-audio"
"summers-firefly"
"summers-forgejo"
"summers-freshrss"
"summers-homebox"
"summers-immich"
"summers-jellyfin"
"summers-kanidm"
"summers-kavita"
"summers-koillection"
"summers-matrix"
"summers-monitoring"
"summers-nextcloud"
"summers-paperless"
"summers-radicale"
"summers-storage"
"summers-transmission"
"winters"
];
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
router = true;
};
swarselmodules = {
server = {
wireguard = true;
};
};
guests = lib.mkIf (!minimal && config.swarselsystems.withMicroVMs) (
{ }
// confLib.mkMicrovm "adguardhome" { }
// confLib.mkMicrovm "nginx" { }
);
}
#+end_src
***** hardware-configuration
:PROPERTIES:
:CUSTOM_ID: h:b4a0b41c-52eb-4f0b-ba0b-64036c52e594
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/hardware-configuration.nix
{ config, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
extraModulePackages = [ ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces..useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
#+end_src
***** disko
:PROPERTIES:
:CUSTOM_ID: h:1500fb57-334b-4f1b-92de-566ea07924d1
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/disk-config.nix
{ lib, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}
#+end_src
***** Guests
:PROPERTIES:
:CUSTOM_ID: h:c19725c0-0523-40f2-8083-9a4f53b6c2d1
:END:
#+begin_src bash :results output :eval never-export
echo "Currently using $(nix eval .#guestResources.hintbooth.mem 2>/dev/null) MB out of 8GB RAM"
echo "Currently using $(nix eval .#guestResources.hintbooth.vcpu 2>/dev/null) vCPUs. 4 threads are available."
#+end_src
#+RESULTS:
: Currently using 4096 MB out of 8GB RAM
: Currently using 2 vCPUs. 2 cores are available for a total of 4 threads.
****** Adguardhome
:PROPERTIES:
:CUSTOM_ID: h:f479a908-8071-4d69-97ea-c03bfd7b88bf
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/guests/adguardhome/default.nix
{ self, config, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
"${self}/modules/nixos/optional/microvm-guest-shares.nix"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
globals.general.homeDnsServer = config.node.name;
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
adguardhome = true;
};
}
#+end_src
****** Nginx
:PROPERTIES:
:CUSTOM_ID: h:90dc7f71-f9da-49ef-b273-edfab7daaa05
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hintbooth/guests/nginx/default.nix
{ self, config, lib, minimal, globals, confLib, ... }:
let
inherit (confLib.static) nginxAccessRules;
in
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
"${self}/modules/nixos/optional/microvm-guest-shares.nix"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = config.node.name;
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
};
};
};
globals.general.homeWebProxy = config.node.name;
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 3072 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
nginx = true;
};
services.nginx = {
upstreams.fritzbox = {
servers.${globals.networks.home-lan.hosts.fritzbox.ipv4} = { };
};
virtualHosts.${globals.services.fritzbox.domain} = {
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://fritzbox";
proxyWebsockets = true;
};
extraConfig = ''
proxy_ssl_verify off;
'' + nginxAccessRules;
};
};
}
#+end_src
**** machpizza (MacBook Pro)
:PROPERTIES:
:CUSTOM_ID: h:28e1a7eb-356b-4015-83f7-9c552c8c0e9d
:END:
A Mac notebook that I have received from work. I use this machine for getting accustomed to the Apple ecosystem as well as as a sandbox for nix-darwin configurations (the darwin configuration is severely under-developed).
#+begin_src nix-ts :tangle hosts/darwin/x86_64-darwin/machpizza/default.nix
{ lib, config, ... }:
let
inherit (config.repo.secrets.local) workUser;
in
{
# Auto upgrade nix package and the daemon service.
services.nix-daemon.enable = true;
services.karabiner-elements.enable = true;
home-manager.users.workUser.home = {
username = lib.mkForce workUser;
swarselsystems = {
isDarwin = true;
isLaptop = true;
isNixos = false;
isBtrfs = false;
mainUser = workUser;
homeDir = "/home/${workUser}";
flakePath = "/home/${workUser}/.dotfiles";
};
};
}
#+end_src
**** Magicant (Phone)
:PROPERTIES:
:CUSTOM_ID: h:729af373-37e7-4379-9a3d-b09792219415
:END:
My phone. I use only a minimal config for remote debugging here.
#+begin_src nix-ts :tangle hosts/android/aarch64-linux/magicant/default.nix
{ pkgs, ... }: {
environment = {
packages = with pkgs; [
vim
git
openssh
# toybox
dig
man
gnupg
curl
deadnix
statix
nixpgks-fmt
nvd
];
etcBackupExtension = ".bak";
extraOutputsToInstall = [
"doc"
"info"
"devdoc"
];
motd = null;
};
android-integration = {
termux-open.enable = true;
xdg-open.enable = true;
termux-open-url.enable = true;
termux-reload-settings.enable = true;
termux-setup-storage.enable = true;
};
# Backup etc files instead of failing to activate generation if a file already exists in /etc
# Read the changelog before changing this value
system.stateVersion = "23.05";
# Set up nix for flakes
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
}
#+end_src
**** Treehouse (DGX Spark)
:PROPERTIES:
:CUSTOM_ID: h:ced1795a-9884-4277-bcde-6f7b9b1cc2f0
:END:
This is my workstation locatated at my workplace - I use it as a remote builder and for testing things on ARM architecture.
#+begin_src nix-ts :tangle hosts/home/aarch64-linux/treehouse/default.nix
{ self, pkgs, ... }:
{
imports = [
"${self}/modules/home"
];
services.xcape = {
enable = true;
mapExpression = {
Control_L = "Escape";
};
};
home.packages = with pkgs; [
attic-client
];
# programs.zsh.initContent = "
# export GPG_TTY=\"$(tty)\"
# export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
# gpgconf --launch gpg-agent
# ";
swarselmodules.pii = true;
swarselsystems = {
isLaptop = false;
isNixos = false;
wallpaper = self + /files/wallpaper/landscape/surfacewp.png;
};
swarselprofiles = {
dgxspark = true;
};
}
#+end_src
*** Virtual hosts
:PROPERTIES:
:CUSTOM_ID: h:4dc59747-9598-4029-aa7d-92bf186d6c06
:END:
My server setup was originally built on Proxmox VE; back when I started, I created all kinds of wild Debian/Ubuntu/etc. KVMs and LXCs on there. However, the root disk suffered a weird failure at some point where it became unable to be cloned, while still functioning. I was for a long time rewriting all machines on there to use NixOS instead; this process is now finished.
Nowadays, this section holds only hosts living in the cloud. For VM guests on physical hosts, see the =Guests= section under the corresponding hostname in [[#h:58dc6384-0d19-4f71-9043-4014bd033ba2][Physical hosts]].
**** Moonside (OCI)
:PROPERTIES:
:CUSTOM_ID: h:f547ed16-5e6e-4744-9e33-af090e0a175b
:END:
This machine used to be my proxy server, a functionality that is now provided by [[#h:19300583-322b-4e0b-b657-857fbf23dfa1][Twothreetunnel (OCI)]]; nowadays, I use it to run non-crucial services in the cloud - i.e. any service that does not use important private data. As an effect, this mostly holds some text and image sharing tools as well as a number of game servers.
***** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:a8f20a56-ce92-43d8-8bfe-3edccebf2bf9
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/moonside/default.nix
{ self, lib, config, minimal, ... }:
let
inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
in
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
system.stateVersion = "23.11";
services.syncthing = {
dataDir = lib.mkForce "/sync";
settings = {
devices = config.swarselsystems.syncthing.devices // {
"${dev1}" = {
id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7";
};
"${dev2}" = {
id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH";
};
"${dev3}" = {
id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR";
};
};
folders = {
"Documents" = {
path = "/sync/Documents";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "2";
};
devices = [ "pyramid" ];
id = "hgr3d-pfu3w";
};
"runandbun" = {
path = "/sync/runandbun";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" ];
id = "kwnql-ev64v";
};
"${loc1}" = {
path = "/sync/${loc1}";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "3";
};
devices = [ dev1 dev2 dev3 ];
id = "5gsxv-rzzst";
};
};
};
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = false;
isSwap = false;
rootDisk = "/dev/sda";
isBtrfs = true;
isNixos = true;
isLinux = true;
isCloud = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
restic.targets = {
SwarselMoonside = {
repository = config.repo.secrets.local.resticRepo;
paths = [
"/persist/opt/minecraft"
];
};
};
};
syncthing = {
serviceDomain = config.repo.secrets.common.services.domains.syncthing3;
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
wireguard = true;
croc = true;
microbin = true;
shlink = true;
slink = true;
syncthing = true;
minecraft = true;
restic = true;
diskEncryption = lib.mkForce false;
};
}
#+end_src
***** hardware-configuration
:PROPERTIES:
:CUSTOM_ID: h:f99c05ab-f047-4350-b80a-4c1ff55b91bf
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/moonside/hardware-configuration.nix
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}
#+end_src
***** disko
:PROPERTIES:
:CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/moonside/disk-config.nix
# NOTE: ... is needed because dikso passes diskoFile
{ lib
, config
, ...
}:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
disk1 = {
type = "disk";
device = "/dev/sdb";
content = {
type = "gpt";
partitions = {
sync = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-L" "sync" "-f" ]; # force overwrite
subvolumes = {
"/sync" = {
mountpoint = "/sync";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}
#+end_src
**** Belchsfactory (OCI)
:PROPERTIES:
:CUSTOM_ID: h:90457194-6b97-4cd6-90bc-4f42d0d69f51
:END:
This machine acts as my build farm and nix binary cache. It also provides an S3 bucket that is meant to be used for the binary cache (however, it is ocasionally used to have a separate object storage).
***** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:cb78799c-d47a-43d4-88ad-d32fcc0abd0b
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/belchsfactory/default.nix
{ self, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
node.lockFromBootstrapping = lib.mkForce false;
topology.self = {
icon = "devices.cloud-server";
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = false;
rootDisk = "/dev/sda";
isBtrfs = true;
isNixos = true;
isLinux = true;
isCloud = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
garage = {
data_dir = {
capacity = "150G";
path = "/var/lib/garage/data";
};
keys = {
nixos = [
"attic"
];
};
buckets = [
"attic"
];
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
wireguard = true;
ssh-builder = true;
postgresql = true;
attic = true;
garage = true;
hydra = false;
};
}
#+end_src
***** hardware-configuration
:PROPERTIES:
:CUSTOM_ID: h:e9e29520-5800-4756-ad13-1ec9747ab911
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}
#+end_src
***** disko
:PROPERTIES:
:CUSTOM_ID: h:19a83f57-9e7a-44b9-ae7f-2f021f21abf7
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/belchsfactory/disk-config.nix
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko = {
imageBuilder.extraDependencies = [ pkgs.kmod ];
devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}
#+end_src
**** Stoicclub (OCI)
:PROPERTIES:
:CUSTOM_ID: h:1888ded8-69dc-431f-bb39-5089a8e8b1f4
:END:
This machine is the authoritative DNS server for my domain and is responsible for pushing records to Hurricane Electric as well as Hetzner Cloud.
***** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:0fe53305-52c3-4cc3-81fe-33408070165e
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/stoicclub/default.nix
{ self, config, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
topology.self = {
icon = "devices.cloud-server";
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = false;
rootDisk = "/dev/disk/by-id/scsi-360e1a5236f034316a10a97cc703ce9e3";
isBtrfs = true;
isNixos = true;
isLinux = true;
isCloud = true;
isBastionTarget = true;
};
globals.general.dnsServer = config.node.name;
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
nsd = true;
};
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];
}
#+end_src
***** hardware-configuration
:PROPERTIES:
:CUSTOM_ID: h:0430a228-87ca-4511-89cf-0f9540bb99ba
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/stoicclub/hardware-configuration.nix
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}
#+end_src
***** disko
:PROPERTIES:
:CUSTOM_ID: h:1638acbc-b651-4ddb-8498-f85aa67762f0
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/stoicclub/disk-config.nix
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko = {
imageBuilder.extraDependencies = [ pkgs.kmod ];
devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}
#+end_src
**** Liliputsteps (OCI)
:PROPERTIES:
:CUSTOM_ID: h:a6baab45-b608-4289-bc92-4454bb0856c6
:END:
This servers is an SSH bastion responsible for shielding my others cloud instances from unauthorized access.
***** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:b58a57d9-7986-489e-a5e8-3ec4c2924b45
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/liliputsteps/default.nix
{ self, config, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
topology.self = {
icon = "devices.cloud-server";
interfaces.ProxyJump = {
virtual = true;
physicalConnections = [
(config.lib.topology.mkConnection "moonside" "lan")
(config.lib.topology.mkConnection "twothreetunnel" "lan")
(config.lib.topology.mkConnection "belchsfactory" "lan")
(config.lib.topology.mkConnection "stoicclub" "lan")
(config.lib.topology.mkConnection "eagleland" "wan")
];
};
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = false;
rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885";
isBtrfs = true;
isNixos = true;
isLinux = true;
isCloud = true;
mainUser = "jump";
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
bastion = true;
# ssh = false;
};
# users.users.swarsel.enable = lib.mkForce false;
# home-manager.users.swarsel.enable = lib.mkForce false
}
#+end_src
***** hardware-configuration
:PROPERTIES:
:CUSTOM_ID: h:aa85497a-7ebd-4532-b585-0bbcc9b3b269
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}
#+end_src
***** disko
:PROPERTIES:
:CUSTOM_ID: h:496fc493-219e-4916-a66f-6345eea95917
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/liliputsteps/disk-config.nix
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko = {
imageBuilder.extraDependencies = [ pkgs.kmod ];
devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}
#+end_src
**** Twothreetunnel (OCI)
:PROPERTIES:
:CUSTOM_ID: h:19300583-322b-4e0b-b657-857fbf23dfa1
:END:
This host acts as my main http proxy for external access.
***** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:7e66d04d-55c7-4195-b1ee-a013dac26217
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/twothreetunnel/default.nix
{ self, config, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
topology.self = {
icon = "devices.cloud-server";
};
globals.general = {
webProxy = config.node.name;
oauthServer = config.node.name;
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = false;
rootDisk = "/dev/disk/by-id/scsi-3608deb9b0d4244de95c6620086ff740d";
isBtrfs = true;
isNixos = true;
isLinux = true;
isCloud = true;
server = {
wireguard.interfaces = {
wgProxy = {
isServer = true;
peers = [
"moonside"
"winters"
"summers"
"summers-ankisync"
"summers-atuin"
"summers-audio"
"summers-firefly"
"summers-forgejo"
"summers-freshrss"
"summers-homebox"
"summers-immich"
"summers-jellyfin"
"summers-kanidm"
"summers-kavita"
"summers-koillection"
"summers-matrix"
"summers-monitoring"
"summers-nextcloud"
"summers-paperless"
"summers-radicale"
"summers-storage"
"belchsfactory"
"eagleland"
"hintbooth-adguardhome"
];
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
nginx = true;
oauth2-proxy = true;
wireguard = true;
firezone = true;
};
networking.nftables = {
firewall.zones.untrusted.interfaces = [ "lan" ];
chains.forward.dnat = {
after = [ "conntrack" ];
rules = [ "ct status dnat accept" ];
};
};
}
#+end_src
***** hardware-configuration
:PROPERTIES:
:CUSTOM_ID: h:3424e7fc-3d73-4442-9fb7-cf6921785764
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}
#+end_src
***** disko
:PROPERTIES:
:CUSTOM_ID: h:cf827191-9a24-46a3-b4a5-e4225412a2c7
:END:
#+begin_src nix-ts :tangle hosts/nixos/aarch64-linux/twothreetunnel/disk-config.nix
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko = {
imageBuilder.extraDependencies = [ pkgs.kmod ];
devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}
#+end_src
**** Eagleland (Hetzner)
:PROPERTIES:
:CUSTOM_ID: h:81bc8746-b46b-4d29-87de-ddbd77788b43
:END:
This is my mailserver. Since I do not really want to trust Oracle Cloud with any important data, I am running this one on Hetzner.
***** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:faee045f-a5dd-419a-b374-fc22518d4cd8
:END:
:PROPERTIES:
:CUSTOM_ID: h:96540b9c-1610-45f2-ba19-916051ab5e10
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/eagleland/default.nix
{ self, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
topology.self = {
icon = "devices.cloud-server";
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "2vCPU, 4GB Ram";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isCloud = true;
isSwap = true;
swapSize = "4G";
rootDisk = "/dev/sda";
isBtrfs = true;
isNixos = true;
isLinux = true;
proxyHost = "twothreetunnel"; # mail shall not be proxied through twothreetunnel
server = {
wireguard.interfaces = {
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselmodules.server = {
mailserver = true;
postgresql = true;
nginx = true;
wireguard = true;
};
swarselprofiles = {
server = true;
};
networking.nftables.firewall.zones.untrusted.interfaces = [ "wan" ];
}
#+end_src
***** hardware-configuration
:PROPERTIES:
:CUSTOM_ID: h:44c29a70-d5fc-49c1-b02e-a5cd2ec6119b
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/eagleland/hardware-configuration.nix
{ lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/profiles/qemu-guest.nix")
];
boot = {
initrd = {
availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
#+end_src
***** disko
:PROPERTIES:
:CUSTOM_ID: h:5c77e384-fdae-4994-bce3-ca736722529c
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/eagleland/disk-config.nix
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko = {
imageBuilder.extraDependencies = [ pkgs.kmod ];
devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}
#+end_src
*** Utility hosts
:PROPERTIES:
:CUSTOM_ID: h:89ce533d-4856-4988-b456-0951d4453db8
:END:
The machines listed here are not real hosts per se, but are rather used in some aspects of testing or deployment, i.e. these hosts do not exist permanently.
**** Toto (Physical/VM)
:PROPERTIES:
:CUSTOM_ID: h:6b495f0e-fc11-44c8-a9e8-83f3d95c8857
:END:
This is a slim setup for developing base configuration. I do not track the hardware-configuration for this host here because I often switch this configuration between running on a QEMU VM and a physical laptop and do not want to constantly adapt the config here to reflect the current state.
***** Main Configuration
:PROPERTIES:
:CUSTOM_ID: h:4e53b40b-98b2-4615-b1b0-3696a75edd6e
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/toto/default.nix
{ self, lib, ... }:
{
imports = [
./disk-config.nix
./hardware-configuration.nix
];
topology.self.interfaces."bootstrapper" = { };
networking = {
hostName = "toto";
firewall.enable = false;
};
swarselprofiles = {
minimal = lib.mkForce true;
};
swarselmodules = {
server = {
network = lib.mkForce false;
diskEncryption = lib.mkForce false;
};
};
swarselsystems = {
info = "~SwarselSystems~ remote install helper";
wallpaper = self + /files/wallpaper/landscape/lenovowp.png;
isImpermanence = true;
isCrypted = true;
isSecureBoot = false;
isSwap = true;
swapSize = "2G";
# rootDisk = "/dev/nvme0n1";
rootDisk = "/dev/vda";
# rootDisk = "/dev/vda";
isBtrfs = true;
isLinux = true;
isLaptop = false;
isNixos = true;
};
}
#+end_src
***** disko
:PROPERTIES:
:CUSTOM_ID: h:cec82b06-39ca-4c0e-b4f5-c1fda9b14e6d
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/toto/disk-config.nix
# NOTE: ... is needed because dikso passes diskoFile
{ lib
, pkgs
, config
, ...
}:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
environment.systemPackages = [
pkgs.yubikey-manager
];
}
#+end_src
**** TODO Drugstore (live ISO installer config)
:PROPERTIES:
:CUSTOM_ID: h:8583371d-5d47-468b-84ba-210aad7e2c90
:END:
This is a live environment ISO that I use to bootstrap new systems. It only loads a minimal configuration and no graphical interface. After booting this image on a host, find out its IP and bootstrap the system using the =bootstrap= utility.
NOTE: Yes, the path to this system does not follow the scheme outlined above - I still consider this a 'config' however, so I keep it here.
TODO: cleanup this mess
Steps to recover using live ISO:
- unlock LUKS: =cryptsetup luksOpen /dev/ cryptroot=
- mount root: =mount -t btrfs -o subvol=root /dev/mapper/cryptroot /mnt=
- mounted other subvolumes: =mount -t btrfs -o subvol= /dev/mapper/cryptroot /mnt/= for all subvolumes
- mounted boot: =mount -o umask=077 /dev/ /mnt/boot=
- mount sbctl keys: =mount -o bind /mnt/persist/var/lib/sbctl /mnt/var/lib/sbctl=
- make it look like nixos system: =touch /mnt/etc/NIXOS=
- chroot: =nixos-enter=
- Then to e.g. fix missing bootloader entries: =/nix/var/nix/profiles/system/bin/switch-to-configuration boot=
#+begin_src nix-ts :tangle install/installer-config.nix
{ self, config, pkgs, lib, ... }:
let
pubKeys = lib.filesystem.listFilesRecursive "${self}/secrets/public/ssh";
stateVersion = lib.mkDefault "23.05";
homeFiles = {
".bash_history" = {
text = ''
swarsel-install -n hotel
'';
};
};
in
{
config = {
home-manager.users.root.home = {
inherit stateVersion;
file = homeFiles;
};
home-manager.users.swarsel = {
home = {
username = "swarsel";
homeDirectory = lib.mkDefault "/home/swarsel";
inherit stateVersion;
keyboard.layout = "us";
sessionVariables = {
FLAKE = "/home/swarsel/.dotfiles";
};
file = homeFiles;
};
};
security.sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
Defaults lecture = never
'';
security.pam = {
sshAgentAuth.enable = true;
services = {
sudo.u2fAuth = true;
};
};
nix = {
channel.enable = false;
package = pkgs.nixVersions.nix_2_28;
extraOptions = ''
plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
buildInputs = [config.nix.package pkgs.boost];
patches = o.patches or [];
})}/lib/nix/plugins
extra-builtins-file = ${../files/nix/extra-builtins.nix}
'';
settings.experimental-features = [ "nix-command" "flakes" ];
};
boot = {
supportedFilesystems = lib.mkForce [ "brtfs" "vfat" ];
loader.systemd-boot = {
enable = true;
};
};
services = {
qemuGuest.enable = true;
openssh = {
enable = true;
settings.PermitRootLogin = "yes";
authorizedKeysFiles = lib.mkForce [
"/etc/ssh/authorized_keys.d/%u"
];
};
};
environment.systemPackages = with pkgs; [
curl
git
gnupg
networkmanager
rsync
ssh-to-age
sops
vim
just
sbctl
lsof
dig
cryptsetup
btrfs-progs
];
programs = {
git.enable = true;
};
fileSystems."/boot".options = [ "umask=0077" ];
environment.etc."issue".text = ''
�[32m~SwarselSystems~�[0m
IP of primary interface: �[31m\4�[0m
These IPs were also found: \4{eth0} \4{eth1} \4{eth2} \4{eth3} \4{eth4} \4{eth5} \4{wlan0}
The Password for all users & root is '�[31msetup�[0m'.
Install the system remotely by running '�[33mbootstrap -n -d �[0m' on a machine with deployed secrets.
Alternatively, run '�[33mswarsel-install -n �[0m' for a local install. For your convenience, an example call is in the bash history (press up on the keyboard to access).
'';
networking = {
hostName = "drugstore";
wireless.enable = lib.mkForce false;
# dhcpcd.runHook = "${pkgs.utillinux}/bin/agetty --reload";
networkmanager.enable = true;
usePredictableInterfaceNames = false;
};
services.getty.autologinUser = lib.mkForce "root";
users = {
allowNoPasswordLogin = true;
groups.swarsel = { };
users = {
swarsel = {
name = "swarsel";
group = "swarsel";
isNormalUser = true;
password = "setup"; # this is overwritten after install
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = [ "wheel" ];
};
root = {
initialHashedPassword = lib.mkForce null;
password = lib.mkForce config.users.users.swarsel.password; # this is overwritten after install
openssh.authorizedKeys.keys = config.users.users.swarsel.openssh.authorizedKeys.keys;
};
};
};
programs.bash.shellAliases = {
"swarsel-install" = "nix run github:Swarsel/.dotfiles#swarsel-install --";
"swarsel-net-manufacturer" = "lspci -nn | grep -i 'network\\|ethernet'";
"swarsel-kernel-module" = "lspci -k -d";
};
system.activationScripts.cache = {
text = ''
mkdir -p -m=0777 /home/swarsel/.local/state/nix/profiles
mkdir -p -m=0777 /home/swarsel/.local/state/home-manager/gcroots
mkdir -p -m=0777 /home/swarsel/.local/share/nix/
printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /home/swarsel/.local/share/nix/trusted-settings.json > /dev/null
mkdir -p /root/.local/share/nix/
printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json > /dev/null
'';
};
systemd = {
services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
};
system.stateVersion = lib.mkForce "23.05";
};
}
#+end_src
**** Policestation (live ISO key generator config)
:PROPERTIES:
:CUSTOM_ID: h:ab5924ed-9c36-4bda-9b90-d6ae1143f5c8
:END:
This live ISO config provides a secure environment for setting up cryptographic keys. All networking capabilities are turned off and only necessary tools for generating the keys are enabled.
#+begin_src nix-ts :tangle install/keygen-config.nix
{ config, pkgs, lib, ... }:
{
config = {
home-manager.users.nixos = {
home = {
inherit (config.system) stateVersion;
username = "nixos";
homeDirectory = "/home/nixos";
keyboard.layout = "us";
file.".gnupg/gpg-hardened.conf" = {
text = ''
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
no-comments
no-emit-version
no-greeting
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
require-secmem
no-symkey-cache
armor
use-agent
throw-keyids
'';
};
};
services.gpg-agent = {
enable = true;
enableBashIntegration = true;
enableSshSupport = true;
pinentry = {
package = pkgs.pinentry-curses;
program = "pinentry-curses";
};
defaultCacheTtl = 60;
maxCacheTtl = 120;
};
programs.gpg = {
enable = true;
};
};
programs = {
ssh.startAgent = false;
gnupg = {
dirmngr.enable = true;
agent = {
enable = true;
enableSSHSupport = true;
};
};
};
swapDevices = [ ];
services = {
pcscd.enable = true;
udev.packages = [ pkgs.yubikey-personalization ];
getty.autologinUser = "nixos";
};
nix = {
channel.enable = false;
settings.experimental-features = [ "nix-command" "flakes" ];
};
environment.interactiveShellInit = ''
unset HISTFILE
export GNUPGHOME="/run/user/$(id -u)/gnupg"
if [ ! -d "$GNUPGHOME" ]; then
install -m=0700 --directory="$GNUPGHOME"
fi
[ ! -f "$GNUPGHOME/gpg.conf" ] && cp /home/nixos/gpg-hardened.conf "$GNUPGHOME/gpg.conf"
[ ! -f "$GNUPGHOME/gpg-agent.conf" ] && cp /home/nixos/gpg-agent.conf "$GNUPGHOME/gpg-agent.conf"
'';
environment.systemPackages = with pkgs; [
paperkey
pgpdump
parted
cryptsetup
yubikey-manager
yubikey-personalization
pcsc-tools
];
boot = {
initrd.network.enable = false;
tmp.cleanOnBoot = true;
kernel.sysctl = {
"kernel.unprivileged_bpf_disabled" = 1;
};
};
networking = {
hostName = "policestation";
resolvconf.enable = false;
dhcpcd.enable = false;
dhcpcd.allowInterfaces = [ ];
interfaces = { };
firewall.enable = true;
useDHCP = false;
useNetworkd = false;
wireless.enable = false;
networkmanager.enable = lib.mkForce false;
};
users.users.nixos = {
isNormalUser = true;
extraGroups = [ "wheel" ];
initialHashedPassword = "";
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
systemd = {
targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
};
system.stateVersion = lib.mkForce "23.05";
};
}
#+end_src
**** Brick Road (kexec image)
:PROPERTIES:
:CUSTOM_ID: h:e9fe580c-f1b2-4d7b-aaff-bbdf89a8c9f9
:END:
This is a specialized kexec image that I use to have disko available on RAM-limited machines, as the kexec provided directly by nixos-anywhere does not include it. Note that I had to strip most other stuff from this image, so this is not a good image for general deployment.
#+begin_src nix-ts :tangle install/kexec.nix
{ lib, pkgs, modulesPath, options, ... }:
{
disabledModules = [
# This module adds values to multiple lists (systemPackages, supportedFilesystems)
# which are impossible/unpractical to remove, so we disable the entire module.
"profiles/base.nix"
];
imports = [
# reduce closure size by removing perl
"${modulesPath}/profiles/perlless.nix"
# FIXME: we still are left with nixos-generate-config due to nixos-install-tools
{ system.forbiddenDependenciesRegexes = lib.mkForce [ ]; }
];
config = {
networking.hostName = "brickroad";
system = {
# nixos-option is mainly useful for interactive installations
tools.nixos-option.enable = false;
# among others, this prevents carrying a stdenv with gcc in the image
extraDependencies = lib.mkForce [ ];
};
# prevents shipping nixpkgs, unnecessary if system is evaluated externally
nix.registry = lib.mkForce { };
# would pull in nano
programs.nano.enable = false;
# prevents strace
environment = {
defaultPackages = lib.mkForce [
pkgs.parted
pkgs.gptfdisk
pkgs.e2fsprogs
];
systemPackages = with pkgs; [
cryptsetup.bin
];
# Don't install the /lib/ld-linux.so.2 stub. This saves one instance of nixpkgs.
ldso32 = null;
};
# included in systemd anyway
systemd.sysusers.enable = true;
# normal users are not allowed with sys-users
# see https://github.com/NixOS/nixpkgs/pull/328926
users.users.nixos = {
isSystemUser = true;
isNormalUser = lib.mkForce false;
shell = "/run/current-system/sw/bin/bash";
group = "nixos";
};
users.groups.nixos = { };
security = {
# we have still run0 from systemd and most of the time we just use root
sudo.enable = false;
polkit.enable = lib.mkForce false;
# introduces x11 dependencies
pam.services.su.forwardXAuth = lib.mkForce false;
};
documentation = {
enable = false;
man.enable = false;
nixos.enable = false;
info.enable = false;
doc.enable = false;
};
services = {
# no dependency on x11
dbus.implementation = "broker";
# we prefer root as this is also what we use in nixos-anywhere
getty.autologinUser = lib.mkForce "root";
# included in systemd anyway
userborn.enable = false;
};
# we are missing this from base.nix
boot.supportedFilesystems = [
"ext4"
"btrfs"
"xfs"
];
} // lib.optionalAttrs (options.hardware ? firmwareCompression) {
hardware.firmwareCompression = "xz";
};
}
#+end_src
***** TODO Hotel (Demo Physical/VM)
:PROPERTIES:
:CUSTOM_ID: h:e1498bef-ec67-483d-bf02-76264e30be8e
:END:
This is just a demo host. It applies all the configuration found in the common parts of the flake, but disables all secrets-related features (as they would not work without the proper SSH keys). TODO: provide a public secret that can be used to test the environment
I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to run in a virtualized environment. I also enable =qemuGuest= for a smoother experience when testing on QEMU.
****** Main configuration
:PROPERTIES:
:CUSTOM_ID: h:9f1f3439-b0af-4dcd-a96f-b6aa7b6cd2ab
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hotel/default.nix
{ self, config, pkgs, lib, minimal, ... }:
let
mainUser = "demo";
in
{
imports = [
./hardware-configuration.nix
./disk-config.nix
{
_module.args.diskDevice = config.swarselsystems.rootDisk;
}
];
environment.variables = {
WLR_RENDERER_ALLOW_SOFTWARE = 1;
};
topology.self.interfaces."demo host" = { };
services.qemuGuest.enable = true;
boot = {
loader.systemd-boot.enable = lib.mkForce true;
loader.efi.canTouchEfiVariables = true;
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
};
networking = {
hostName = "hotel";
firewall.enable = true;
};
swarselmodules = {
server = {
network = lib.mkForce false;
diskEncryption = lib.mkForce false;
};
};
swarselsystems = {
info = "~SwarselSystems~ demo host";
wallpaper = self + /files/wallpaper/landscape/lenovowp.png;
isImpermanence = true;
isCrypted = true;
isSecureBoot = false;
isSwap = true;
swapSize = "4G";
rootDisk = "/dev/vda";
isBtrfs = false;
inherit mainUser;
isLinux = true;
isPublic = true;
isNixos = true;
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
hotel = true;
minimal = true;
};
}
#+end_src
****** disko
:PROPERTIES:
:CUSTOM_ID: h:849e4233-ba40-4fec-acfe-0d76e1e4371b
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hotel/disk-config.nix
# NOTE: ... is needed because dikso passes diskoFile
{ lib
, pkgs
, config
, diskDevice ? config.swarselsystem.rootDisk
, ...
}:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = diskDevice;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
environment.systemPackages = [
pkgs.yubikey-manager
];
}
#+end_src
****** NixOS dummy options configuration
:PROPERTIES:
:CUSTOM_ID: h:6f9c1a3b-452e-4944-86e8-cb17603cc3f9
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hotel/options.nix
_:
{ }
#+end_src
****** home-manager dummy options configuration
:PROPERTIES:
:CUSTOM_ID: h:88ccb198-74b9-4269-8e22-af1277f44667
:END:
#+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/hotel/options-home.nix
_:
{ }
#+end_src
** Aspects
*** Modules
**** Defaults
=den.default= applies settings to all hosts, users, and homes. This is the right place for =stateVersion= and other global policies.
#+begin_src nix-ts :tangle aspects/defaults.nix
{ lib, den, ... }:
{
den = {
schema.user.classes = lib.mkDefault [ "homeManager" ];
ctx.user.includes = [ den.provides.mutual-provider ];
default = {
nixos = { lib, minimal, ... }: {
users.mutableUsers = lib.mkIf (!minimal) (lib.mkDefault false);
system.stateVersion = lib.mkDefault "23.05";
};
homeManager = {
home.stateVersion = lib.mkDefault "23.05";
};
includes = [
den.provides.define-user
];
};
};
}
#+end_src
**** Shared Options
#+begin_src nix-ts :tangle aspects/shared.nix
{
den = {
schema.conf = { lib, ... }: {
options = {
isPublic = lib.mkEnableOption "mark this as a public config (= without secrets)";
isMicroVM = lib.mkEnableOption "mark this config as a microvm";
mainUser = lib.mkOption {
type = lib.types.str;
default = "swarsel";
};
};
};
};
}
#+end_src
**** Battery: SOPS shared secrets
This is the battery for SOPS secrets that are used in home-manager.
#+begin_src nix-ts :tangle aspects/battery-sops.nix
{ lib, den, ... }:
let
hostContext = { name, args, class }: { host }: {
nixos.sops.secrets.${name} = lib.mkIf (!host.isPublic) args // lib.optionalAttrs (class == "homeManager") { owner = host.mainUser; };
};
# deadnix: skip
hostUserContext = { name, args, class }: { host, user }: {
nixos.sops.secrets.${name} = lib.mkIf (!host.isPublic) args // lib.optionalAttrs (class == "homeManager") { owner = host.mainUser; };
};
homeContext = { name, args }: { home }: {
homeManager.sops.secrets.${name} = lib.mkIf (!home.isPublic) args;
};
in
{
den.provides.sops = { name, args, class ? "homeManager" }: den.lib.parametric.exactly {
includes = [
(hostContext { inherit name args class; })
(hostUserContext { inherit name args class; })
] ++ lib.optional (class == "homeManager") (homeContext { inherit name args; });
};
}
#+end_src
**** Battery: PII
This is the battery for PII
#+begin_src nix-ts :tangle aspects/battery-pii.nix
{ lib, ... }:
let
# If the given expression is a bare set, it will be wrapped in a function,
# so that the imported file can always be applied to the inputs, similar to
# how modules can be functions or sets.
constSet = x: if builtins.isAttrs x then (_: x) else x;
sopsImportEncrypted =
assert lib.assertMsg (builtins ? extraBuiltins.sopsImportEncrypted)
"The extra builtin 'sopsImportEncrypted' is not available, so repo.secrets cannot be decrypted. Did you forget to add nix-plugins and point it to `/files/nix/extra-builtins.nix` ?";
builtins.extraBuiltins.sopsImportEncrypted;
importEncrypted =
path:
constSet (
if builtins.pathExists path then
sopsImportEncrypted path
else
{ }
);
in
{
den = {
schema.conf = { config, inputs, lib, homeLib, nodes, globals, ... }: {
options = {
repo = {
secretFiles = lib.mkOption {
default = { };
type = lib.types.attrsOf lib.types.path;
example = lib.literalExpression "{ local = ./pii.nix.enc; }";
description = ''
This is for storing PII.
Each path given here must be an sops-encrypted .nix file. For each attribute ``,
the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.`.
'';
};
secrets = lib.mkOption {
readOnly = true;
default = lib.mapAttrs (_: x: importEncrypted x { inherit lib homeLib nodes globals inputs config; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles;
type = lib.types.unspecified;
description = "Exposes the loaded repo secrets.";
};
};
};
config = {
repo.secretFiles =
let
local = config.node.secretsDir + "/pii.nix.enc";
in
(lib.optionalAttrs (lib.pathExists local) { inherit local; }) // {
common = ../secrets/repo/pii.nix.enc;
};
};
};
};
}
#+end_src
**** Users
#+begin_src nix-ts :tangle aspects/users.nix
{ den, ... }:
let
hostContext = { host, ... }: {
nixos = { minimal, lib, config, ... }: {
users.users.swarsel = {
uid = 1000;
autoSubUidGidRange = false;
subUidRanges = [
{
count = 65534;
startUid = 100001;
}
];
subGidRanges = [
{
count = 999;
startGid = 1001;
}
];
description = "Leon S";
password = lib.mkIf (minimal || host.isPublic) "setup";
hashedPasswordFile = lib.mkIf (!minimal && !host.isPublic) config.sops.secrets.main-user-hashed-pw.path;
extraGroups = lib.optionals (!minimal && !host.isMicroVM) [ "input" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
};
};
};
in
{
den = {
aspects.swarsel = {
includes = [
hostContext
(den.provides.sops { class = "nixos"; name = "main-user-hashed-pw"; args = { neededForUsers = true; }; })
den.provides.primary-user
(den.provides.user-shell "zsh")
];
};
aspects.root = { globals, ... }: {
nixos = {
users.users.root = globals.root.hashedPassword;
};
};
};
}
#+end_src
**** Work
#+begin_src nix-ts :tangle aspects/work.nix
{ self, den, ... }:
let
sopsFile = self + /secrets/work/secrets.yaml;
certsSopsFile = self + /secrets/repo/certs.yaml;
hostContext = { host }: common host;
homeContext = { home }: common home;
common = from: {
nixos = { lib, pkgs, config, ... }:
let
inherit (from) mainUser;
inherit (config.swarselsystems) homeDir;
iwd = config.networking.networkmanager.wifi.backend == "iwd";
owner = mainUser;
in
{
options.swarselsystems = {
hostName = lib.mkOption {
type = lib.types.str;
default = config.node.name;
};
fqdn = lib.mkOption {
type = lib.types.str;
default = "";
};
};
config = {
sops =
let
secretNames = [
"vcuser"
"vcpw"
"govcuser"
"govcpw"
"govcurl"
"govcdc"
"govcds"
"govchost"
"govcnetwork"
"govcpool"
"baseuser"
"basepw"
];
in
{
secrets = builtins.listToAttrs (
map
(name: {
inherit name;
value = { inherit owner sopsFile; };
})
secretNames
);
templates = {
"network-manager-work.env".content = ''
BASEUSER=${config.sops.placeholder.baseuser}
BASEPASS=${config.sops.placeholder.basepw}
'';
};
};
boot.initrd = {
systemd.enable = lib.mkForce true; # make sure we are using initrd systemd even when not using Impermanence
luks = {
# disable "support" since we use systemd-cryptenroll
# make sure yubikeys are enrolled using
# sudo systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=no --fido2-with-user-presence=true --fido2-with-client-pin=no /dev/nvme0n1p2
yubikeySupport = false;
fido2Support = false;
};
};
programs = {
browserpass.enable = true;
_1password.enable = true;
_1password-gui = {
enable = true;
package = pkgs._1password-gui-beta;
polkitPolicyOwners = [ "${mainUser}" ];
};
};
networking = {
inherit (config.swarselsystems) hostName fqdn;
networkmanager = {
wifi.scanRandMacAddress = false;
ensureProfiles = {
environmentFiles = [
"${config.sops.templates."network-manager-work.env".path}"
];
profiles = {
VBC = {
"802-1x" = {
eap = if (!iwd) then "ttls;" else "peap;";
identity = "$BASEUSER";
password = "$BASEPASS";
phase2-auth = "mschapv2";
};
connection = {
id = "VBC";
type = "wifi";
autoconnect-priority = "500";
uuid = "3988f10e-6451-381f-9330-a12e66f45051";
secondaries = "48d09de4-0521-47d7-9bd5-43f97e23ff82"; # vpn uuid
};
ipv4 = { method = "auto"; };
ipv6 = {
# addr-gen-mode = "default";
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
wifi = {
cloned-mac-address = "permanent";
mac-address = "E8:65:38:52:63:FF";
mac-address-randomization = "1";
mode = "infrastructure";
band = "a";
ssid = "VBC";
};
wifi-security = {
# auth-alg = "open";
key-mgmt = "wpa-eap";
};
};
};
};
};
nftables = {
firewall = {
zones = {
virbr = {
interfaces = [ "virbr*" ];
};
};
rules = {
virbr-dns-dhcp = {
from = [ "virbr" ];
to = [ "local" ];
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 67 547 ];
};
virbr-forward = {
from = [ "virbr" ];
to = [ "untrusted" ];
verdict = "accept";
};
virbr-forward-return = {
from = [ "untrusted" ];
to = [ "virbr" ];
extraLines = [
"ct state { established, related } accept"
];
};
};
};
chains.postrouting.libvirt-masq = {
after = [ "dnat" ];
rules = [
"iifname \"virbr*\" masquerade"
];
};
};
search = [
"vbc.ac.at"
"clip.vbc.ac.at"
"imp.univie.ac.at"
];
};
systemd.services = {
virtqemud.path = with pkgs; [
qemu_kvm
libvirt
];
virtstoraged.path = with pkgs; [
qemu_kvm
libvirt
];
virtnetworkd.path = with pkgs; [
dnsmasq
iproute2
nftables
];
};
virtualisation = {
docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true;
spiceUSBRedirection.enable = true;
libvirtd = {
enable = true;
qemu = {
package = pkgs.qemu_kvm;
runAsRoot = true;
swtpm.enable = true;
vhostUserPackages = with pkgs; [ virtiofsd ];
};
};
};
environment.systemPackages = with pkgs; [
remmina
python39
qemu
packer
gnumake
libisoburn
govc
terraform
opentofu
terragrunt
graphviz
azure-cli
# vm
virt-manager
virt-viewer
virtiofsd
spice
spice-gtk
spice-protocol
virtio-win
win-spice
powershell
gh
];
services = {
spice-vdagentd.enable = true;
openssh = {
enable = true;
extraConfig = ''
'';
};
syncthing = {
settings = {
"winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
};
"moonside@oracle" = {
id = "VPCDZB6-MGVGQZD-Q6DIZW3-IZJRJTO-TCC3QUQ-2BNTL7P-AKE7FBO-N55UNQE";
};
folders = {
"Documents" = {
path = "${homeDir}/Documents";
devices = [ "moonside@oracle" ];
id = "hgr3d-pfu3w";
};
};
};
};
# udev.extraRules = ''
# # lock screen when yubikey removed
# ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend"
# '';
};
# cgroups v1 is required for centos7 dockers
# specialisation = {
# cgroup_v1.configuration = {
# boot.kernelParams = [
# "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1"
# "systemd.unified_cgroup_hierarchy=0"
# ];
# };
# };
};
};
homeManager = { self, config, pkgs, lib, vars, ... }:
let
source = if (config ? home) then "home" else "host";
inherit (config.swarselsystems) homeDir;
inherit (config.repo.secrets.local.mail) allMailAddresses;
inherit (config.repo.secrets.local.work) mailAddress;
in
{
config = {
home = {
packages = with pkgs; [
teams-for-linux
shellcheck
dig
docker
postman
# rclone
libguestfs-with-appliance
prometheus.cli
tigervnc
# openstackclient
step-cli
vscode-fhs
copilot-cli
antigravity
rustdesk-vbc
];
sessionVariables = {
AWS_CA_BUNDLE = source.sops.secrets.harica-root-ca.path;
};
};
systemd.user.sessionVariables = {
DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work";
} // lib.optionalAttrs (!config.swarselsystems.isPublic) {
SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses;
SWARSEL_MAIL_WORK = lib.mkForce mailAddress;
};
accounts.email.accounts.work =
let
inherit (from.repo.secrets.local.work) mailName;
in
{
primary = false;
address = mailAddress;
userName = mailAddress;
realName = mailName;
passwordCommand = "pizauth show work";
imap = {
host = "outlook.office365.com";
port = 993;
tls.enable = true; # SSL/TLS
};
smtp = {
host = "outlook.office365.com";
port = 587;
tls = {
enable = true; # SSL/TLS
useStartTls = true;
};
};
thunderbird = {
enable = true;
profiles = [ "default" ];
settings = id: {
"mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth
"mail.server.server_${id}.authMethod" = 10; # oauth
# "toolkit.telemetry.enabled" = false;
# "toolkit.telemetry.rejected" = true;
# "toolkit.telemetry.prompted" = 2;
};
};
msmtp = {
enable = true;
extraConfig = {
auth = "xoauth2";
host = "outlook.office365.com";
protocol = "smtp";
port = "587";
tls = "on";
tls_starttls = "on";
from = "${mailAddress}";
user = "${mailAddress}";
passwordeval = "pizauth show work";
};
};
mu.enable = true;
mbsync = {
enable = true;
expunge = "both";
patterns = [ "INBOX" ];
extraConfig = {
account = {
AuthMechs = "XOAUTH2";
};
};
};
};
wayland.windowManager.sway =
let
inherit (from.repo.secrets.local.work) user1 user1Long domain1 mailAddress;
in
{
config = {
keybindings =
let
inherit (config.wayland.windowManager.sway.config) modifier;
in
{
"${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}";
"${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}";
};
};
};
stylix = {
targets.firefox.profileNames =
let
inherit (from.repo.secrets.local.work) user1 user2 user3;
in
[
"${user1}"
"${user2}"
"${user3}"
"work"
];
};
programs =
let
inherit (from.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long path1 site1 site2 site3 site4 site5 site6 site7 clouds;
in
{
openstackclient = {
enable = true;
inherit clouds;
};
awscli = {
enable = true;
package = pkgs.awscli2;
};
zsh = {
shellAliases = {
dssh = "ssh -l ${user1Long}";
cssh = "ssh -l ${user2Long}";
wssh = "ssh -l ${user3Long}";
};
cdpath = [
"~/Documents/Work"
];
dirHashes = {
d = "$HOME/.dotfiles";
w = "$HOME/Documents/Work";
s = "$HOME/.dotfiles/secrets";
pr = "$HOME/Documents/Private";
ac = path1;
};
sessionVariables = {
VSPHERE_USER = "$(cat ${source.sops.secrets.vcuser.path})";
VSPHERE_PW = "$(cat ${source.sops.secrets.vcpw.path})";
GOVC_USERNAME = "$(cat ${source.sops.secrets.govcuser.path})";
GOVC_PASSWORD = "$(cat ${source.sops.secrets.govcpw.path})";
GOVC_URL = "$(cat ${source.sops.secrets.govcurl.path})";
GOVC_DATACENTER = "$(cat ${source.sops.secrets.govcdc.path})";
GOVC_DATASTORE = "$(cat ${source.sops.secrets.govcds.path})";
GOVC_HOST = "$(cat ${source.sops.secrets.govchost.path})";
GOVC_RESOURCE_POOL = "$(cat ${source.sops.secrets.govcpool.path})";
GOVC_NETWORK = "$(cat ${source.sops.secrets.govcnetwork.path})";
};
};
ssh.matchBlocks = from.repo.secrets.local.work.sshConfig;
firefox = {
profiles =
let
isDefault = false;
in
{
"${user1}" = lib.recursiveUpdate
{
inherit isDefault;
id = 1;
settings = {
"browser.startup.homepage" = "${site1}|${site2}";
};
}
vars.firefox;
"${user2}" = lib.recursiveUpdate
{
inherit isDefault;
id = 2;
settings = {
"browser.startup.homepage" = "${site3}";
};
}
vars.firefox;
"${user3}" = lib.recursiveUpdate
{
inherit isDefault;
id = 3;
}
vars.firefox;
work = lib.recursiveUpdate
{
inherit isDefault;
id = 4;
settings = {
"browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
};
}
vars.firefox;
};
};
chromium = {
enable = true;
package = pkgs.chromium;
extensions = [
# 1password
"gejiddohjgogedgjnonbofjigllpkmbf"
# dark reader
"eimadpbcbfnmbkopoojfekhnkhdbieeh"
# ublock origin
"cjpalhdlnbpafiamejdnhcphjbkeiagm"
# i still dont care about cookies
"edibdbjcniadpccecjdfdjjppcpchdlm"
# browserpass
"naepdomgkenhinolocfifgehidddafch"
];
};
};
services = {
shikane = {
settings =
let
workRight = [
"m=HP Z32"
"s=CN41212T55"
"v=HP Inc."
];
workLeft = [
"m=HP 732pk"
"s=CNC4080YL5"
"v=HP Inc."
];
exec = [ "notify-send shikane \"Profile $SHIKANE_PROFILE_NAME has been applied\"" ];
in
{
profile = [
{
name = "work-internal-on";
inherit exec;
output = [
{
match = config.swarselsystems.sharescreen;
enable = true;
scale = 1.7;
position = "2560,0";
}
{
match = workRight;
enable = true;
scale = 1.0;
mode = "3840x2160@60Hz";
position = "-1280,0";
}
{
match = workLeft;
enable = true;
scale = 1.0;
transform = "270";
mode = "3840x2160@60Hz";
position = "-3440,-1050";
}
];
}
{
name = "work-internal-off";
inherit exec;
output = [
{
match = config.swarselsystems.sharescreen;
enable = false;
scale = 1.7;
position = "2560,0";
}
{
match = workRight;
enable = true;
scale = 1.0;
mode = "3840x2160@60Hz";
position = "-1280,0";
}
{
match = workLeft;
enable = true;
scale = 1.0;
transform = "270";
mode = "3840x2160@60Hz";
position = "-3440,-1050";
}
];
}
];
};
};
kanshi = {
settings = [
{
# seminary room
output = {
criteria = "Applied Creative Technology Transmitter QUATTRO201811";
scale = 1.0;
mode = "1280x720";
};
}
{
# work side screen
output = {
criteria = "HP Inc. HP 732pk CNC4080YL5";
scale = 1.0;
mode = "3840x2160";
transform = "270";
};
}
# {
# # work side screen
# output = {
# criteria = "Hewlett Packard HP Z24i CN44250RDT";
# scale = 1.0;
# mode = "1920x1200";
# transform = "270";
# };
# }
{
# work main screen
output = {
criteria = "HP Inc. HP Z32 CN41212T55";
scale = 1.0;
mode = "3840x2160";
};
}
{
profile = {
name = "lidopen";
exec = [
"${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
"${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP Z32 CN41212T55' --image ${self}/files/wallpaper/landscape/botanicswp.png --mode ${config.stylix.imageScalingMode}"
"${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/portrait/op6wp.png --mode ${config.stylix.imageScalingMode}"
];
outputs = [
{
criteria = config.swarselsystems.sharescreen;
status = "enable";
scale = 1.5;
position = "2560,0";
}
{
criteria = "HP Inc. HP 732pk CNC4080YL5";
scale = 1.0;
mode = "3840x2160";
position = "-3440,-1050";
transform = "270";
}
{
criteria = "HP Inc. HP Z32 CN41212T55";
scale = 1.0;
mode = "3840x2160";
position = "-1280,0";
}
];
};
}
{
profile =
let
monitor = "Applied Creative Technology Transmitter QUATTRO201811";
in
{
name = "lidopen";
exec = [
"${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
"${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/services/navidrome.png --mode ${config.stylix.imageScalingMode}"
"${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'"
];
outputs = [
{
criteria = config.swarselsystems.sharescreen;
status = "enable";
scale = 1.7;
position = "2560,0";
}
{
criteria = "Applied Creative Technology Transmitter QUATTRO201811";
scale = 1.0;
mode = "1280x720";
position = "10000,10000";
}
];
};
}
{
profile = {
name = "lidclosed";
exec = [
"${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP Z32 CN41212T55' --image ${self}/files/wallpaper/landscape/botanicswp.png --mode ${config.stylix.imageScalingMode}"
"${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/portrait/op6wp.png --mode ${config.stylix.imageScalingMode}"
];
outputs = [
{
criteria = config.swarselsystems.sharescreen;
status = "disable";
}
{
criteria = "HP Inc. HP 732pk CNC4080YL5";
scale = 1.0;
mode = "3840x2160";
position = "-3440,-1050";
transform = "270";
}
{
criteria = "HP Inc. HP Z32 CN41212T55";
scale = 1.0;
mode = "3840x2160";
position = "-1280,0";
}
];
};
}
{
profile =
let
monitor = "Applied Creative Technology Transmitter QUATTRO201811";
in
{
name = "lidclosed";
exec = [
"${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/services/navidrome.png --mode ${config.stylix.imageScalingMode}"
];
outputs = [
{
criteria = config.swarselsystems.sharescreen;
status = "disable";
}
{
criteria = "Applied Creative Technology Transmitter QUATTRO201811";
scale = 1.0;
mode = "1280x720";
position = "10000,10000";
}
];
};
}
];
};
};
systemd.user.services = {
pizauth.Service = {
ExecStartPost = [
"${pkgs.toybox}/bin/sleep 1"
"//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'"
];
};
teams-applet = {
Unit = {
Description = "teams applet";
Requires = [ "graphical-session.target" ];
After = [
"graphical-session.target"
"tray.target"
];
PartOf = [
"tray.target"
];
};
Install = {
WantedBy = [ "tray.target" ];
};
Service = {
ExecStart = "${pkgs.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true";
};
};
onepassword-applet = {
Unit = {
Description = "1password applet";
Requires = [ "graphical-session.target" ];
After = [
"graphical-session.target"
"tray.target"
];
PartOf = [
"tray.target"
];
};
Install = {
WantedBy = [ "tray.target" ];
};
Service = {
ExecStart = "${pkgs._1password-gui-beta}/bin/1password";
};
};
};
services.pizauth = {
enable = true;
extraConfig = ''
auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi";
error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\"";
token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state";
'';
accounts = {
work = {
authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
scopes = [
"https://outlook.office365.com/IMAP.AccessAsUser.All"
"https://outlook.office365.com/SMTP.Send"
"offline_access"
];
loginHint = "${from.repo.secrets.local.work.mailAddress}";
};
};
};
xdg =
let
inherit (from.repo.secrets.local.work) user1 user2 user3;
in
{
mimeApps = {
defaultApplications = {
"x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
};
};
desktopEntries =
let
terminal = false;
categories = [ "Application" ];
icon = "firefox";
in
{
firefox_work = {
name = "Firefox (work)";
genericName = "Firefox work";
exec = "firefox -p work";
inherit terminal categories icon;
};
"firefox_${user1}" = {
name = "Firefox (${user1})";
genericName = "Firefox ${user1}";
exec = "firefox -p ${user1}";
inherit terminal categories icon;
};
"firefox_${user2}" = {
name = "Firefox (${user2})";
genericName = "Firefox ${user2}";
exec = "firefox -p ${user2}";
inherit terminal categories icon;
};
"firefox_${user3}" = {
name = "Firefox (${user3})";
genericName = "Firefox ${user3}";
exec = "firefox -p ${user3}";
inherit terminal categories icon;
};
};
};
swarselsystems = {
startup = [
# { command = "nextcloud --background"; }
# { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; }
# { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
# { command = "anki"; }
# { command = "obsidian"; }
# { command = "nm-applet"; }
# { command = "feishin"; }
# { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }
# { command = "1password"; }
];
monitors = {
work_back_middle = rec {
name = "LG Electronics LG Ultra HD 0x000305A6";
mode = "2560x1440";
scale = "1";
position = "5120,0";
workspace = "1:一";
# output = "DP-10";
output = name;
};
work_front_left = rec {
name = "LG Electronics LG Ultra HD 0x0007AB45";
mode = "3840x2160";
scale = "1";
position = "5120,0";
workspace = "1:一";
# output = "DP-7";
output = name;
};
work_middle_middle_main = rec {
name = "HP Inc. HP Z32 CN41212T55";
mode = "3840x2160";
scale = "1";
position = "-1280,0";
workspace = "1:一";
# output = "DP-3";
output = name;
};
# work_middle_middle_main = rec {
# name = "HP Inc. HP 732pk CNC4080YL5";
# mode = "3840x2160";
# scale = "1";
# position = "-1280,0";
# workspace = "11:M";
# # output = "DP-8";
# output = name;
# };
work_middle_middle_side = rec {
name = "HP Inc. HP 732pk CNC4080YL5";
mode = "3840x2160";
transform = "270";
scale = "1";
position = "-3440,-1050";
workspace = "12:S";
# output = "DP-8";
output = name;
};
work_middle_middle_old = rec {
name = "Hewlett Packard HP Z24i CN44250RDT";
mode = "1920x1200";
transform = "270";
scale = "1";
position = "-2480,0";
workspace = "12:S";
# output = "DP-9";
output = name;
};
work_seminary = rec {
name = "Applied Creative Technology Transmitter QUATTRO201811";
mode = "1280x720";
scale = "1";
position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse
workspace = "14:T";
# output = "DP-4";
output = name;
};
};
inputs = {
"1133:45081:MX_Master_2S_Keyboard" = {
xkb_layout = "us";
xkb_variant = "altgr-intl";
};
# "2362:628:PIXA3854:00_093A:0274_Touchpad" = {
# dwt = "enabled";
# tap = "enabled";
# natural_scroll = "enabled";
# middle_emulation = "enabled";
# drag_lock = "disabled";
# };
"1133:50504:Logitech_USB_Receiver" = {
xkb_layout = "us";
xkb_variant = "altgr-intl";
};
"1133:45944:MX_KEYS_S" = {
xkb_layout = "us";
xkb_variant = "altgr-intl";
};
};
};
};
};
};
in
{
den = {
aspects.work = {
includes = [
hostContext
homeContext
(den.provides.sops { name = "harica-root-ca"; args = { sopsFile = certsSopsFile; path = "/home/swarsel/.aws/certs/harica-root.pem"; }; })
(den.provides.sops { name = "yubikey-1"; args = { inherit sopsFile; }; })
(den.provides.sops { name = "ucKey"; args = { inherit sopsFile; }; })
];
};
};
}
#+end_src
**** Shell
#+begin_src nix-ts :tangle aspects/shell.nix
{ den, ... }:
{
den.aspects.shell = {
provides.zsh = {
includes = [
(den.provides.sops { name = "croc-password"; args = { }; })
(den.provides.sops { name = "github-nixpkgs-review-token"; args = { }; })
];
nixos = { pkgs, ... }: {
programs.zsh = {
enable = true;
enableCompletion = false;
};
users.defaultUserShell = pkgs.zsh;
environment = {
shells = with pkgs; [ zsh ];
pathsToLink = [ "/share/zsh" ];
};
};
homeManager = { self, config, pkgs, lib, minimal, globals, confLib, arch, ... }:
let
inherit (config.swarselsystems) flakePath isNixos homeDir;
crocDomain = globals.services.croc.domain;
in
{
programs.zsh = {
enable = true;
} // lib.optionalAttrs (!minimal) {
shellAliases =
{
nb = "nix build";
nbl = "nix build --builders \"\"";
nbo = "nix build --offline --builders \"\"";
nd = "nix develop";
ns = "nix shell";
hmswitch = lib.mkIf (!isNixos) "${lib.getExe pkgs.home-manager} --flake ${flakePath}#$(hostname) switch |& nom";
nswitch = lib.mkIf isNixos "cd ${flakePath}; swarsel-deploy $(hostname) switch; cd -;";
ntest = lib.mkIf isNixos "cd ${flakePath}; swarsel-deploy $(hostname) test; cd -;";
nboot = lib.mkIf isNixos "cd ${flakePath}; swarsel-deploy $(hostname) boot; cd -;";
ndry = lib.mkIf isNixos "cd ${flakePath}; swarsel-deploy $(hostname) dry-activate; cd -;";
magit = "emacsclient -nc -e \"(magit-status)\"";
config = "git --git-dir=$HOME/.cfg/ --work-tree=$HOME";
g = "git";
c = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/";
passpush = "cd ~/.local/share/password-store; git add .; git commit -m 'pass file changes'; git push; cd -;";
passpull = "cd ~/.local/share/password-store; git pull; cd -;";
hotspot = "nmcli connection up local; nmcli device wifi hotspot;";
youtube-dl = "yt-dlp";
cat-orig = "cat";
# cdr = "cd \"$( (find $DOCUMENT_DIR_WORK $DOCUMENT_DIR_PRIV -maxdepth 1 && echo $FLAKE) | fzf )\"";
cdr = "source cdr";
nix-ldd-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
nix-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
nix-ldd-locate = "nix-locate --minimal --top-level -w ";
nix-store-search = "ls /nix/store | grep";
fs-diff = "sudo mount -o subvol=/ /dev/mapper/cryptroot /mnt ; fs-diff";
lt = "eza -las modified --total-size";
boot-diff = "nix store diff-closures /run/*-system";
gen-diff = "nix profile diff-closures --profile /nix/var/nix/profiles/system";
cc = "wl-copy";
build-topology = "nix build --override-input topologyPrivate ${self}/files/topology/private ${flakePath}#topology.${arch}.config.output";
build-topology-dev = "nix build --show-trace --override-input nix-topology ${homeDir}/Documents/Private/nix-topology --override-input topologyPrivate ${self}/files/topology/private ${flakePath}#topology.${arch}.config.output";
build-iso = "nix build --print-out-paths .#live-iso";
nix-review-local = "nix run nixpkgs#nixpkgs-review -- rev HEAD";
nix-review-post = "nix run nixpkgs#nixpkgs-review -- pr --post-result --systems linux";
};
autosuggestion.enable = true;
enableCompletion = true;
syntaxHighlighting.enable = true;
autocd = false;
cdpath = [
"~/.dotfiles"
];
defaultKeymap = "emacs";
dirHashes = {
dl = "$HOME/Downloads";
gh = "$HOME/Documents/GitHub";
};
history = {
expireDuplicatesFirst = true;
append = true;
ignoreSpace = true;
ignoreDups = true;
path = "${config.home.homeDirectory}/.histfile";
save = 100000;
size = 100000;
};
historySubstringSearch = {
enable = true;
searchDownKey = "^[OB";
searchUpKey = "^[OA";
};
initContent = ''
my-forward-word() {
local WORDCHARS=$WORDCHARS
WORDCHARS="''${WORDCHARS//:}"
WORDCHARS="''${WORDCHARS//\/}"
WORDCHARS="''${WORDCHARS//.}"
zle forward-word
}
zle -N my-forward-word
# ctrl + right
bindkey "^[[1;5C" my-forward-word
# shift + right
bindkey "^[[1;2C" forward-word
my-backward-word() {
local WORDCHARS=$WORDCHARS
WORDCHARS="''${WORDCHARS//:}"
WORDCHARS="''${WORDCHARS//\/}"
WORDCHARS="''${WORDCHARS//.}"
zle backward-word
}
zle -N my-backward-word
# ctrl + left
bindkey "^[[1;5D" my-backward-word
# shift + left
bindkey "^[[1;2D" backward-word
my-backward-delete-word() {
local WORDCHARS=$WORDCHARS
WORDCHARS="''${WORDCHARS//:}"
WORDCHARS="''${WORDCHARS//\/}"
WORDCHARS="''${WORDCHARS//.}"
zle backward-delete-word
}
zle -N my-backward-delete-word
# ctrl + del
bindkey '^H' my-backward-delete-word
'';
sessionVariables = lib.mkIf (!config.swarselsystems.isPublic) {
CROC_RELAY = crocDomain;
CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})";
GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})";
QT_QPA_PLATFORM_PLUGIN_PATH = "${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins";
};
};
};
};
};
}
#+end_src
*** Hosts
**** Pyramid
#+begin_src nix-ts :tangle aspects/hosts/pyramid.nix
{ mkNixos, lib, den, ... }:
let
hostContext = { host }:
let
inherit (host) mainUser;
in
{
nixos = { self, inputs, lib, ... }: {
imports = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
"${self}/hosts/nixos/x86_64-linux/pyramid/disk-config.nix"
"${self}/hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix"
"${self}/modules/nixos/optional/amdcpu.nix"
"${self}/modules/nixos/optional/amdgpu.nix"
"${self}/modules/nixos/optional/framework.nix"
"${self}/modules/nixos/optional/gaming.nix"
"${self}/modules/nixos/optional/hibernation.nix"
"${self}/modules/nixos/optional/nswitch-rcm.nix"
"${self}/modules/nixos/optional/virtualbox.nix"
"${self}/modules/nixos/optional/work.nix"
"${self}/modules/nixos/optional/niri.nix"
"${self}/modules/nixos/optional/noctalia.nix"
];
topology.self = {
interfaces = {
eth1.network = lib.mkForce "home";
wifi = { };
fritz-wg.network = "fritz-wg";
};
};
swarselsystems = {
lowResolution = "1280x800";
highResolution = "2560x1600";
isLaptop = true;
isNixos = true;
isBtrfs = true;
isLinux = true;
sharescreen = "eDP-2";
info = "Framework Laptop 16, 7940HS, RX7700S, 64GB RAM";
firewall = lib.mkForce true;
wallpaper = self + /files/wallpaper/landscape/lenovowp.png;
hasBluetooth = true;
hasFingerprint = true;
isImpermanence = false;
isSecureBoot = true;
isCrypted = true;
inherit (host.repo.secrets.local) hostName;
inherit (host.repo.secrets.local) fqdn;
hibernation.offset = 533760;
};
};
home-manager = { lib, minimal, ... }: {
users."${mainUser}" = {
swarselsystems = {
isSecondaryGpu = true;
SecondaryGpuCard = "pci-0000_03_00_0";
cpuCount = 16;
temperatureHwmon = {
isAbsolutePath = true;
path = "/sys/devices/virtual/thermal/thermal_zone0/";
input-filename = "temp4_input";
};
monitors = {
main = {
# name = "BOE 0x0BC9 Unknown";
name = "BOE 0x0BC9";
mode = "2560x1600";
scale = "1";
position = "2560,0";
workspace = "15:L";
output = "eDP-2";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
personal = true;
};
networking.nftables.firewall.zones.untrusted.interfaces = [ "wlan*" "enp*" ];
};
};
in
lib.recursiveUpdate (mkNixos
{
name = "pyramid";
system = "x86_64-linux";
}) {
den.aspects.pyramid = {
includes = [
hostContext
den.aspects.work
];
};
}
#+end_src
** NixOS
:PROPERTIES:
:CUSTOM_ID: h:6da812f5-358c-49cb-aff2-0a94f20d70b3
:END:
Here we have NixOS options. All options are split into smaller files that are loaded by the general =default.nix=. Common files are used by all user hosts equally, optionals need to be added to the machine's =default.nix= on a case-by-case basis.
#+begin_src nix-ts :tangle modules/nixos/default.nix
# @ future me: dont panic, optionals and darwin are not read in by readNix
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/nixos";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/nixos";
}
#+end_src
*** Common
:PROPERTIES:
:CUSTOM_ID: h:1c1250cd-e9b4-4715-8d9f-eb09e64bfc7f
:END:
These are system-level settings specific to NixOS machines. All settings that are required on all machines should go here.
**** Imports
:PROPERTIES:
:CUSTOM_ID: h:4acbe063-188b-42e7-b75c-b6d2e232e784
:END:
This section is for setting things that should be used on hosts that are using the default NixOS configuration.
#+begin_src nix-ts :tangle modules/nixos/common/default.nix
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/nixos/common";
sharedNames = lib.swarselsystems.readNix "modules/shared";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/nixos/common" ++
lib.swarselsystems.mkImports sharedNames "modules/shared";
}
#+end_src
**** Share configuration between nodes (distributed config, automatically active)
:PROPERTIES:
:CUSTOM_ID: h:5c3027b4-ba66-445e-9c5f-c27e332c90e5
:END:
This section of code allows different =nixosConfigurations= (i.e. hosts) to "send" configuration to each other. That means host A can define in a module some configuration that should then be applied on host B. This is very useful for servers, where the full functionality may be split over multiple hosts.
An example:
[[#h:82bf7fb1-631b-4acd-966b-d0c71a9eb463][Summers (Server: ASUS Z10PA-D8)]] provides a service and loads a module. In that module I can then also define:
- nginx config for the internal proxy [[#h:90dc7f71-f9da-49ef-b273-edfab7daaa05][hintbooth-nginx]]
- nginx config for the external proxy [[#h:19300583-322b-4e0b-b657-857fbf23dfa1][Twothreetunnel (OCI)]]
- dns records to be published by [[#h:1888ded8-69dc-431f-bb39-5089a8e8b1f4][Stoicclub (OCI)]]
Note that not all configuration can be sent by default, rather it has bo be defined in =forwardedOptions= below (otherwise we get an infinite recursion error). For options that do not take a submodule as argument, we need to define every last option we set by hand - see for example the =services.firezone.gateway= options below, where we redefine =[ "enable" "name" "apiUrl" "tokenFile" "package" "logLevel" ]=.
#+begin_src nix-ts :tangle modules/nixos/common/nodes.nix
# adapted from https://github.com/oddlama/nix-config/blob/main/modules/distributed-config.nix
{ config, lib, nodes, ... }:
let
nodeName = config.node.name;
mkForwardedOption =
path:
lib.mkOption {
type = lib.mkOptionType {
name = "Same type that the receiving option `${lib.concatStringsSep "." path}` normally accepts.";
merge =
_loc: defs:
builtins.filter (x: builtins.isAttrs x -> ((x._type or "") != "__distributed_config_empty")) (
map (x: x.value) defs
);
};
default = {
_type = "__distributed_config_empty";
};
description = ''
Anything specified here will be forwarded to `${lib.concatStringsSep "." path}`
on the given node. Forwarding happens as-is to the raw values,
so validity can only be checked on the receiving node.
'';
};
expandOptions = basePath: optionNames: map (option: basePath ++ [ option ]) optionNames;
splitPath = path: lib.splitString "." path;
forwardedOptions = [
(splitPath "boot.kernel.sysctl")
(splitPath "networking.nftables.chains.postrouting")
(splitPath "services.kanidm.provision.groups")
(splitPath "services.kanidm.provision.systems.oauth2")
(splitPath "sops.secrets")
(splitPath "swarselsystems.server.dns")
(splitPath "topology.self.services")
(splitPath "environment.persistence")
]
++ expandOptions (splitPath "networking.nftables.firewall") [ "zones" "rules" ]
++ expandOptions (splitPath "services.firezone.gateway") [ "enable" "name" "apiUrl" "tokenFile" "package" "logLevel" ]
++ expandOptions (splitPath "services.nginx") [ "upstreams" "virtualHosts" ]
;
attrsForEachOption =
f: lib.foldl' (acc: path: lib.recursiveUpdate acc (lib.setAttrByPath path (f path))) { } forwardedOptions;
in
{
options.nodes = lib.mkOption {
description = "Options forwarded to the given node.";
default = { };
type = lib.types.attrsOf (
lib.types.submodule {
options = attrsForEachOption mkForwardedOption;
}
);
};
config =
let
getConfig =
path: otherNode:
let
cfg = nodes.${otherNode}.config.nodes.${nodeName} or null;
in
lib.optionals (cfg != null) (lib.getAttrFromPath path cfg);
mergeConfigFromOthers = path: lib.mkMerge (lib.concatMap (getConfig path) (lib.attrNames nodes));
in
attrsForEachOption mergeConfigFromOthers;
}
#+end_src
**** Global options (automatically active)
:PROPERTIES:
:CUSTOM_ID: h:85c9b83f-40c3-4558-bb28-a37b6f8597b9
:END:
Since I am maintaining an infrastructure of moderate size, it is also useful to be able to have some mechanism of shared variables between configurations. For example, I have to reference the domain of my identity management system in some places across the config, which I can reference using =globals.services.kanidm.domain=.
Do note that the below does not achieve anything on its own - as is, these would only be normal ("local") NixOS options. The real magic, as we have touched on before, happens in [[#h:af83893d-c0f9-4b45-b816-4849110d41b3][Globals]], where we then ingest the values here and expose them as a flake output.
#+begin_src nix-ts :tangle modules/nixos/common/globals.nix
{ lib, options, ... }:
let
inherit (lib)
mkOption
types
;
firewallOptions = {
allowedTCPPorts = mkOption {
type = types.listOf types.port;
default = [ ];
description = "Convenience option to open specific TCP ports for traffic from the network.";
};
allowedUDPPorts = mkOption {
type = types.listOf types.port;
default = [ ];
description = "Convenience option to open specific UDP ports for traffic from the network.";
};
allowedTCPPortRanges = mkOption {
type = lib.types.listOf (lib.types.attrsOf lib.types.port);
default = [ ];
description = "Convenience option to open specific TCP port ranges for traffic from another node.";
};
allowedUDPPortRanges = mkOption {
type = lib.types.listOf (lib.types.attrsOf lib.types.port);
default = [ ];
description = "Convenience option to open specific UDP port ranges for traffic from another node.";
};
};
networkOptions = netSubmod: {
cidrv4 = mkOption {
type = types.nullOr types.net.cidrv4;
description = "The CIDRv4 of this network";
default = null;
};
subnetMask4 = mkOption {
type = types.nullOr types.net.ipv4;
description = "The dotted decimal form of the subnet mask of this network";
readOnly = true;
default = lib.swarselsystems.cidrToSubnetMask netSubmod.config.cidrv4;
};
cidrv6 = mkOption {
type = types.nullOr types.net.cidrv6;
description = "The CIDRv6 of this network";
default = null;
};
firewallRuleForAll = mkOption {
default = { };
description = ''
If this is a wireguard network: Allows you to set specific firewall rules for traffic originating from any participant in this
wireguard network. A corresponding rule `-to-` will be created to easily expose
services to the network.
'';
type = types.submodule {
options = firewallOptions;
};
};
hosts = mkOption {
default = { };
type = types.attrsOf (
types.submodule (hostSubmod: {
options = {
id = mkOption {
type = types.int;
description = "The id of this host in the network";
};
mac = mkOption {
type = types.nullOr types.net.mac;
description = "The MAC of the interface on this host that belongs to this network.";
default = null;
};
ipv4 = mkOption {
type = types.nullOr types.net.ipv4;
description = "The IPv4 of this host in this network";
readOnly = true;
default =
if netSubmod.config.cidrv4 == null then
null
else
lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv4;
};
ipv6 = mkOption {
type = types.nullOr types.net.ipv6;
description = "The IPv6 of this host in this network";
readOnly = true;
default =
if netSubmod.config.cidrv6 == null then
null
else
lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv6;
};
cidrv4 = mkOption {
type = types.nullOr types.str; # FIXME: this is not types.net.cidr because it would zero out the host part
description = "The IPv4 of this host in this network, including CIDR mask";
readOnly = true;
default =
if netSubmod.config.cidrv4 == null then
null
else
lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv4;
};
cidrv6 = mkOption {
type = types.nullOr types.str; # FIXME: this is not types.net.cidr because it would zero out the host part
description = "The IPv6 of this host in this network, including CIDR mask";
readOnly = true;
default =
if netSubmod.config.cidrv6 == null then
null
else
# if we use the /32 wan address as local address directly, do not use the network address in ipv6
lib.net.cidr.hostCidr (if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id) netSubmod.config.cidrv6;
};
firewallRuleForNode = mkOption {
default = { };
description = ''
If this is a wireguard network: Allows you to set specific firewall rules just for traffic originating from another network node.
A corresponding rule `-node--to-` will be created to easily expose
services to that node.
'';
type = types.attrsOf (
types.submodule {
options = firewallOptions;
}
);
};
};
})
);
};
};
in
{
options = {
globals = mkOption {
default = { };
type = types.submodule {
options = {
root = {
hashedPassword = mkOption {
type = types.str;
};
};
user = {
name = mkOption {
type = types.str;
};
work = mkOption {
type = types.str;
};
};
services = mkOption {
type = types.attrsOf (
types.submodule (serviceSubmod: {
options = {
domain = mkOption {
type = types.str;
};
subDomain = mkOption {
readOnly = true;
type = types.str;
default = lib.swarselsystems.getSubDomain serviceSubmod.config.domain;
};
baseDomain = mkOption {
readOnly = true;
type = types.str;
default = lib.swarselsystems.getBaseDomain serviceSubmod.config.domain;
};
proxyAddress4 = mkOption {
type = types.nullOr types.str;
default = null;
};
proxyAddress6 = mkOption {
type = types.nullOr types.str;
default = null;
};
serviceAddress = mkOption {
type = types.nullOr types.str;
default = null;
};
homeServiceAddress = mkOption {
type = types.nullOr types.str;
default = null;
};
isHome = mkOption {
type = types.bool;
default = false;
};
};
})
);
};
networks = mkOption {
default = { };
type = types.attrsOf (
types.submodule (netSubmod: {
options = networkOptions netSubmod // {
vlans = mkOption {
default = { };
type = types.attrsOf (
types.submodule (vlanNetSubmod: {
options = networkOptions vlanNetSubmod // {
id = mkOption {
type = types.ints.between 1 4094;
description = "The VLAN id";
};
name = mkOption {
description = "The name of this VLAN";
default = vlanNetSubmod.config._module.args.name;
type = types.str;
};
};
})
);
};
};
})
);
};
hosts = mkOption {
type = types.attrsOf (
types.submodule {
options = {
defaultGateway4 = mkOption {
type = types.nullOr types.net.ipv4;
};
defaultGateway6 = mkOption {
type = types.nullOr types.net.ipv6;
};
wanAddress4 = mkOption {
type = types.nullOr types.net.ipv4;
};
wanAddress6 = mkOption {
type = types.nullOr types.net.ipv6;
};
isHome = mkOption {
type = types.bool;
};
};
}
);
};
domains = {
main = mkOption {
type = types.str;
};
externalDns = mkOption {
type = types.listOf types.str;
description = "List of external dns nameservers";
};
};
general = lib.mkOption {
type = types.submodule {
freeformType = types.unspecified;
};
};
};
};
};
_globalsDefs = mkOption {
type = types.unspecified;
default = options.globals.definitions;
readOnly = true;
internal = true;
};
};
}
#+end_src
**** Expose home-manager sops secrets in NixOS (automatically active)
:PROPERTIES:
:CUSTOM_ID: h:a8bbe15f-a7dd-4e6d-ba49-26206c38e9c8
:END:
If you have worked on a system using NixOS + home-manager as a submodule, you have probably noticed that it is a hassle to use sops-nix in the home-manager configuration - as least as long as you want to retain compatibility with home-manager only systems. You might have also noticed that the home-manager sops secrets take up a considerable amount of time.
Hence, here I am mirroring all of the home-manager secrets that I use across the configuration. I would like to automate this process, but the only way I see for doing this would be by defining a dummy configuration that has these values set in the respective home-manager modules and copying that here, which seems brittle to me.
In the respective modules that use home-manager secrets (for example [[#h:506d01fc-c20b-473a-ac78-bce4b53fe0e3][Mail]]) I then use an =optionalAttrs= that checks if we have a NixOS system and only includes the config if that is not the case in order to not import the same secret twice.
#+begin_src nix-ts :tangle modules/nixos/common/home-manager-secrets.nix
{ self, lib, config, globals, withHomeManager, ... }:
let
inherit (config.swarselsystems) mainUser homeDir;
inherit (config.repo.secrets.common.emacs) radicaleUser;
certsSopsFile = self + /secrets/repo/certs.yaml;
workSopsFile = self + /secrets/work/secrets.yaml;
in
{
config = { } // lib.optionalAttrs withHomeManager {
sops =
let
modules = config.home-manager.users.${mainUser}.swarselmodules;
in
{
secrets = (lib.optionalAttrs modules.mail {
address1-token = { owner = mainUser; };
address2-token = { owner = mainUser; };
address3-token = { owner = mainUser; };
address4-token = { owner = mainUser; };
}) // (lib.optionalAttrs modules.waybar {
github-notifications-token = { owner = mainUser; };
}) // (lib.optionalAttrs modules.emacs {
fever-pw = { path = "${homeDir}/.emacs.d/.fever"; owner = mainUser; };
}) // (lib.optionalAttrs modules.zsh {
croc-password = { owner = mainUser; };
github-nixpkgs-review-token = { owner = mainUser; };
}) // (lib.optionalAttrs modules.emacs {
emacs-radicale-pw = { owner = mainUser; };
github-forge-token = { owner = mainUser; };
}) // (lib.optionalAttrs (modules ? optional-work) {
harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; };
yubikey-1 = { sopsFile = workSopsFile; owner = mainUser; };
ucKey = { sopsFile = workSopsFile; owner = mainUser; };
}) // (lib.optionalAttrs (modules ? optional-noctalia) {
radicale-token = { owner = mainUser; };
}) // (lib.optionalAttrs modules.anki {
anki-user = { owner = mainUser; };
anki-pw = { owner = mainUser; };
});
templates = {
authinfo = lib.mkIf modules.emacs {
path = "${homeDir}/.emacs.d/.authinfo";
content = ''
machine ${globals.services.radicale.domain} login ${radicaleUser} password ${config.sops.placeholder.emacs-radicale-pw}
'';
owner = mainUser;
};
};
};
};
}
#+end_src
**** Topology (automatically active)
:PROPERTIES:
:CUSTOM_ID: h:e2e7444b-cb85-4719-b154-e5f37274d02d
:END:
This is just some additional configuration that proliferates some [[#h:391e7712-fef3-4f13-a3ed-d36e228166fd][Topology]] node fields automatically from my own options.
#+begin_src nix-ts :tangle modules/nixos/common/topology.nix
{ lib, config, ... }:
{
options.swarselsystems.info = lib.mkOption {
type = lib.types.str;
default = "";
};
config.topology = {
id = config.node.name;
self = {
hardware.info = config.swarselsystems.info;
icon = lib.mkIf config.swarselsystems.isLaptop "devices.laptop";
};
};
}
#+end_src
**** General NixOS settings (nix config, stateVersion)
:PROPERTIES:
:CUSTOM_ID: h:24c9146f-2147-4fd5-bafc-d5853e15cf12
:END:
We disable the warnings that trigger when rebuilding with a dirty flake. At this point, I am also disabling channels and pinning the flake registry - the latter lets me use the local version of nixpkgs for commands like =nix shell= (without it, we will always download the newest version of nixpkgs for these commands).
Also, the system state version is set here. No need to touch it.
A breakdown of the flags being set:
- =nixpgks.config.allowUnfree=: allows packages with an unfree license to be built
- nix.settings:
- experimental-features:
- nix-command: Enables the =nix= command from nix 2.4
- flakes: Enables flakes to be used
- ca-derivations: Enables content-addressed derivations, which stops unnecessary rebuiluds - to be used with my TODO private hydra and the binary cache =cache.ngi0.nixos.org= in [[#h:aee5ec75-7ca6-40d8-b6ac-a3e7e33a474b][flake.nix template]]
- cgroups: allows the use of cgroups in builds
- pipe-operators: Enables 'piping' instead of the classic currying syntax - =fun arg= can be expressed as =arg |> fun=. Associatively, it is weaker than functions: =a |> b |> d c |> e = e ((d c) (b a))=
- trusted-users: these users have elevated privileges in nix (mostly used to acknowledge binary caches) - root is added per default here
- connect-timeout: normally, nix tries to reach the cache for 300 seconds for each derivation per cache. This setting lets me change that
- bash-prompt-prefix: adds a prefix to shells spawned by =nix develop=
- [min,max]-free: amounts of space where intermittent GC will be run during builds
- flake registry: URI of the global flake registry (I disable it)
- auto-optimise-store: create hardlinks in the nix store to save space
- warn-dirty: I do not need to see the warning when I have uncommited changes
- max-jobs: How many build jobs should be run in parallel. =auto= sets this to the number of CPUs (which is all) - on systems with many cores this can lead to OOM situations. The default is now =1=, but used to be =auto=, I set this manually just to be safe in the future.
- use-cgroups: Actually run builds within cgroups
- nix.channel.enable: whether to use channels
- nix.registry: Sets the registry for this flake, which I set to its inputs. This allows me to use e.g. =nixpkgs= directly in =nix repl=
- nix.nixPath: Basically the same as =nix.registry=, but for the legacy nix commands
#+begin_src nix-ts :tangle modules/nixos/common/settings.nix
{ self, lib, pkgs, config, outputs, inputs, minimal, globals, withHomeManager, ... }:
let
inherit (config.swarselsystems) mainUser;
inherit (config.repo.secrets.common) atticPublicKey;
settings = if minimal then { } else {
environment.etc."nixos/configuration.nix".source = pkgs.writeText "configuration.nix" ''
assert builtins.trace "This location is not used. The config is found in ${config.swarselsystems.flakePath}!" false;
{ }
'';
nix =
let
flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
in
{
settings = {
connect-timeout = 5;
bash-prompt-prefix = "�[33m$SHLVL:\\w �[0m";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"�[31m\"; else printf \"�[32m\"; fi)λ �[0m";
fallback = true;
min-free = 128000000;
max-free = 1000000000;
flake-registry = "";
auto-optimise-store = true;
warn-dirty = false;
max-jobs = 1;
use-cgroups = lib.mkIf config.swarselsystems.isLinux true;
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 10d";
};
optimise = {
automatic = true;
dates = "weekly";
};
channel.enable = false;
registry = rec {
nixpkgs.flake = inputs.nixpkgs;
# swarsel.flake = inputs.swarsel;
swarsel.flake = self;
n = nixpkgs;
s = swarsel;
};
nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
};
services.dbus.implementation = "broker";
systemd.services.nix-daemon = {
environment.TMPDIR = "/var/tmp";
};
};
in
{
options.swarselmodules.general = lib.mkEnableOption "general nix settings";
config = lib.mkIf config.swarselmodules.general
(lib.recursiveUpdate
{
sops.secrets = lib.mkIf (!minimal) {
github-api-token = { owner = mainUser; };
};
nix =
let
nix-version = "2_30";
in
{
package = pkgs.nixVersions."nix_${nix-version}";
settings = {
experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
"cgroups"
"pipe-operators"
];
substituters = [
"https://${globals.services.attic.domain}/${mainUser}"
];
trusted-public-keys = [
atticPublicKey
];
trusted-users = [
"@wheel"
"${config.swarselsystems.mainUser}"
(lib.mkIf config.swarselmodules.server.ssh-builder "builder")
];
};
# extraOptions = ''
# plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins
# extra-builtins-file = ${self + /nix/extra-builtins.nix}
# '' + lib.optionalString (!minimal) ''
# !include ${config.sops.secrets.github-api-token.path}
# '';
# extraOptions = ''
# plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
# buildInputs = [config.nix.package pkgs.boost];
# patches = o.patches or [];
# })}/lib/nix/plugins
# extra-builtins-file = ${self + /nix/extra-builtins.nix}
# '';
extraOptions =
let
nix-plugins = pkgs.nix-plugins.override {
nixComponents = pkgs.nixVersions."nixComponents_${nix-version}";
};
in
''
plugin-files = ${nix-plugins}/lib/nix/plugins
extra-builtins-file = ${self + /files/nix/extra-builtins.nix}
'' + lib.optionalString (!minimal) ''
!include ${config.sops.secrets.github-api-token.path}
'';
};
system.stateVersion = lib.mkDefault "23.05";
nixpkgs = {
overlays = [
outputs.overlays.default
outputs.overlays.stables
outputs.overlays.modifications
] ++ lib.optionals withHomeManager [
(final: prev:
let
additions = final: _: import "${self}/pkgs/config" {
inherit self config lib;
pkgs = final;
homeConfig = config.home-manager.users.${config.swarselsystems.mainUser} or { };
};
in
additions final prev
)
];
config = lib.mkIf (!config.swarselsystems.isMicroVM) {
allowUnfree = true;
};
};
}
settings);
}
#+end_src
**** Setup home-manager base
:PROPERTIES:
:CUSTOM_ID: h:7f6d6908-4d02-4907-9c70-f802f4358520
:END:
We enable the use of =home-manager= as a NixoS module. A nice trick here is the =extraSpecialArgs = self= line (=inherit ...=). This is useful to refer to the root of the flake (which is otherwise quite hard while maintaining flake purity).
#+begin_src nix-ts :tangle modules/nixos/common/home-manager.nix
{ self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, arch, type, withHomeManager, ... }:
{
options.swarselmodules.home-manager = lib.mkEnableOption "home-manager";
config = lib.mkIf config.swarselmodules.home-manager {
home-manager = lib.mkIf withHomeManager {
useGlobalPkgs = true;
useUserPackages = true;
verbose = true;
backupFileExtension = "hm-bak";
overwriteBackup = true;
users.${config.swarselsystems.mainUser}.imports = [
inputs.nix-index-database.homeModules.nix-index
# inputs.sops.homeManagerModules.sops # this is not needed!! we add these secrets in nixos scope
inputs.spicetify-nix.homeManagerModules.default
inputs.swarsel-nix.homeModules.default
{
imports = [
"${self}/profiles/home"
"${self}/modules/home"
{
swarselprofiles = {
minimal = lib.mkIf minimal true;
};
}
];
# node = {
# secretsDir = if (!config.swarselsystems.isNixos) then ../../../hosts/home/${configName}/secrets else ../../../hosts/nixos/${configName}/secrets;
# };
home.stateVersion = lib.mkDefault config.system.stateVersion;
}
];
extraSpecialArgs = {
inherit (inputs) self nixgl;
inherit inputs outputs globals nodes minimal configName arch type;
lib = homeLib;
};
};
};
}
#+end_src
**** User setup, Make users non-mutable
:PROPERTIES:
:CUSTOM_ID: h:48959890-fbc7-4d28-b33c-f33e028ab473
:END:
This ensures that all user-configuration happens here in the config file.
In case of using a fully setup system, this makes also sure that no further user level modifications can be made using CLI utilities (e.g. usermod etc.). Everything must be defined in the flake.
For that reason, make sure that =sops-nix= is properly working before finishing the minimal setup, otherwise we might lose user access. The bootstrapping script takes care of this.
#+begin_src nix-ts :tangle modules/nixos/common/users.nix
{ pkgs, config, lib, globals, minimal, ... }:
{
options.swarselmodules.users = lib.mkEnableOption "user config";
config = lib.mkIf config.swarselmodules.users {
sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { neededForUsers = true; };
users = {
mutableUsers = lib.mkIf (!minimal) false;
users = {
root = {
inherit (globals.root) hashedPassword;
# shell = pkgs.zsh;
};
"${config.swarselsystems.mainUser}" = {
isNormalUser = true;
uid = 1000;
autoSubUidGidRange = false;
subUidRanges = [
{
count = 65534;
startUid = 100001;
}
];
subGidRanges = [
{
count = 999;
startGid = 1001;
}
];
description = "Leon S";
password = lib.mkIf (minimal || config.swarselsystems.isPublic) "setup";
hashedPasswordFile = lib.mkIf (!minimal && !config.swarselsystems.isPublic) config.sops.secrets.main-user-hashed-pw.path;
extraGroups = [ "wheel" ] ++ lib.optionals (!minimal && !config.swarselsystems.isMicroVM) [ "networkmanager" "input" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
packages = with pkgs; [ ];
};
};
};
};
}
#+end_src
**** Setup login keymap
:PROPERTIES:
:CUSTOM_ID: h:7248f338-8cad-4443-9060-deae7955b26f
:END:
Next, we setup the keymap in case we are not in a graphical session. At this point, I always resort to us/altgr-intl, as it is comfortable to use and I do not write too much German anyways.
#+begin_src nix-ts :tangle modules/nixos/common/xserver.nix
{ lib, config, ... }:
{
options.swarselmodules.xserver = lib.mkEnableOption "xserver keymap";
config = lib.mkIf config.swarselmodules.packages {
services.xserver = {
xkb = {
layout = "us";
variant = "altgr-intl";
};
};
};
}
#+end_src
**** Time, locale settings
:PROPERTIES:
:CUSTOM_ID: h:852d59ab-63c3-4831-993d-b5e23b877796
:END:
Setup timezone and locale. I want to use the US layout, but have the rest adapted to my country and timezone. Also, there is an issue with running Windows/Linux dualboot on the same machine where the hardware clock desyncs between the two OS'es. We fix that bug here as well.
#+begin_src nix-ts :tangle modules/nixos/common/time.nix
{ lib, config, ... }:
{
options.swarselmodules.time = lib.mkEnableOption "time config";
config = lib.mkIf config.swarselmodules.time {
time = {
timeZone = "Europe/Vienna";
# hardwareClockInLocalTime = true;
};
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "de_AT.UTF-8";
LC_IDENTIFICATION = "de_AT.UTF-8";
LC_MEASUREMENT = "de_AT.UTF-8";
LC_MONETARY = "de_AT.UTF-8";
LC_NAME = "de_AT.UTF-8";
LC_NUMERIC = "de_AT.UTF-8";
LC_PAPER = "de_AT.UTF-8";
LC_TELEPHONE = "de_AT.UTF-8";
LC_TIME = "de_AT.UTF-8";
};
};
};
}
#+end_src
**** TODO PII management
:PROPERTIES:
:CUSTOM_ID: h:82b8ede2-02d8-4c43-8952-7200ebd4dc23
:END:
This is also exposed to home-manager configurations, in case this ever breaks, I can also go back to importing =nixosConfig= as an attribute in the input attribute set and call the secrets using =nixosConfig.repo.secrets=.
Two modes of operation are supported:
- loading in a secret as a plain attribute set ={a = 3;}=
- loading in a function ={ nodes, ...}: {mac = nodes.xxx.interface.mac;}=
Both cases should return the proper values - in the second case the parent set must be passed to the inherit under =options.repo.secrets=.
In general, there are three types of pii file:
- Per-node secrets: found under the nodes =secretDir= as =pii.nix.enc= (exposed as =config.repo.secrets.local=)
- Common secrets: found in =secrets/repo/pii.nix.enc= (exposed as =config.repo.secrets.common=)
- if those use =globals= as in input argument, it needs to have ={ }= as an input argument as we cannot pass it to the global evaluator.
- Global definitions of networks and domains: found in =secrets/repo/globals.nix.enc= (not exposed to nodes, but only loaded in in [[#h:af83893d-c0f9-4b45-b816-4849110d41b3][Globals]])
- these cannot use =globals= as input argument, as that would cause infinite recursion
This system, while highly pleasant to work with during everyday use, sometimes has quirks:
- =nixos-rebuild= cannot be used
- this is because we need to call =nix build= in a separate step where [[#h:315e6ef6-27d5-4cd8-85ff-053eabe60ddb][sops-decrypt-and-cache]] will be cached. Once we have a finished build we can switch to that (all of this is handled by [[#h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e][swarsel-deploy]])
- this is a bit cumbersome for hosts that are not supported by [[#h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e][swarsel-deploy]] (currently this is mostly home-manager only configurations). In principal, building their config locally should work without issue, however, sometimes the decrypt step hiccups. In that case I usually resort to scp'ing the decrypted secrets to the host in question using [[#h:788937cf-8816-466b-8e57-1b695cb50f52][justfile]]'s =just secrets= command. After that, the secrets in =/var/tmp/nix-import-encrypted= need to be moved to the correct dir depending on the build user uid (0/root or 1000/swarsel). After that I delete the cached secrets again. TODO: fix this behaviour.
- the used nix version needs to be kept in sync with the version of nix that nix-plugins is compiled against
- currently, this mostly poses an issue when provisioning new hosts - the version of nixos-anywhere that I am using uses nix =2.28.x=, so I wrote a dedicated [[#h:4d0548db-99b2-4e07-b762-6d86fbb26d4c][Devshell (checks)]] (called =deploy=) that is used to set this environment up. This devshell is automatically used by the [[#h:788937cf-8816-466b-8e57-1b695cb50f52][justfile]] command =just bootstrap=.
#+begin_src nix-ts :tangle modules/nixos/common/pii.nix
# largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix
{ config, inputs, lib, homeLib, nodes, globals, ... }:
let
# If the given expression is a bare set, it will be wrapped in a function,
# so that the imported file can always be applied to the inputs, similar to
# how modules can be functions or sets.
constSet = x: if builtins.isAttrs x then (_: x) else x;
# Try to access the extra builtin we loaded via nix-plugins.
# Throw an error if that doesn't exist.
sopsImportEncrypted =
assert lib.assertMsg (builtins ? extraBuiltins.sopsImportEncrypted)
"The extra builtin 'sopsImportEncrypted' is not available, so repo.secrets cannot be decrypted. Did you forget to add nix-plugins and point it to `/files/nix/extra-builtins.nix` ?";
builtins.extraBuiltins.sopsImportEncrypted;
# This "imports" an encrypted .nix.age file by evaluating the decrypted content.
importEncrypted =
path:
constSet (
if builtins.pathExists path then
sopsImportEncrypted path
else
{ }
);
in
{
options = {
repo = {
secretFiles = lib.mkOption {
default = { };
type = lib.types.attrsOf lib.types.path;
example = lib.literalExpression "{ local = ./pii.nix.enc; }";
description = ''
This file manages the origin for this machine's repository-secrets. Anything that is
technically not a secret in the classical sense (i.e. that it has to be protected
after it has been deployed), but something you want to keep secret from the public;
Anything that you wouldn't want people to see on GitHub, but that can live unencrypted
on your own devices. Consider it a more ergonomic nix alternative to using git-crypt.
All of these secrets may (and probably will be) put into the world-readable nix-store
on the build and target hosts. You'll most likely want to store personally identifiable
information here, such as:
- MAC Addreses
- Static IP addresses
- Your full name (when configuring your users)
- Your postal address (when configuring e.g. home-assistant)
- ...
Each path given here must be an sops-encrypted .nix file. For each attribute ``,
the corresponding file will be decrypted, imported and exposed as {option}`repo.secrets.`.
'';
};
secrets = lib.mkOption {
readOnly = true;
default = lib.mapAttrs (_: x: importEncrypted x { inherit lib homeLib nodes globals inputs config; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles;
type = lib.types.unspecified;
description = "Exposes the loaded repo secrets. This option is read-only.";
};
};
swarselmodules.pii = lib.mkEnableOption "enable pii management";
};
config = lib.mkIf config.swarselmodules.pii {
repo.secretFiles =
let
local = config.node.secretsDir + "/pii.nix.enc";
in
(lib.optionalAttrs (lib.pathExists local) { inherit local; }) // lib.optionalAttrs true {
common = ../../../secrets/repo/pii.nix.enc;
};
};
}
#+end_src
**** Lanzaboote (secure boot)
:PROPERTIES:
:CUSTOM_ID: h:d9a89071-b3ba-44d1-b5e0-e9ca6270d377
:END:
This dynamically uses systemd boot or Lanzaboote depending on the minimal system state and `config.swarselsystems.isSecureBoot`.
#+begin_src nix-ts :tangle modules/nixos/common/lanzaboote.nix
{ lib, pkgs, config, minimal, ... }:
let
inherit (config.swarselsystems) isSecureBoot isImpermanence;
in
{
options.swarselmodules.lanzaboote = lib.mkEnableOption "lanzaboote config";
config = lib.mkIf config.swarselmodules.lanzaboote {
environment.systemPackages = lib.mkIf isSecureBoot [
pkgs.sbctl
];
environment.persistence."/persist" = lib.mkIf (isImpermanence && isSecureBoot) {
directories = [{ directory = "/var/lib/sbctl"; }];
};
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = lib.swarselsystems.mkIfElse (minimal || !isSecureBoot) (lib.mkForce true) (lib.mkForce false);
};
lanzaboote = lib.mkIf (!minimal && isSecureBoot) {
enable = true;
pkiBundle = "/var/lib/sbctl";
configurationLimit = 6;
};
};
};
}
#+end_src
**** Boot
:PROPERTIES:
:CUSTOM_ID: h:a1311b07-2a8d-4c1f-addc-8572fc184e0d
:END:
Here I set some general boot options, mostly enabling an emergency shell and some extra tools that would normally not be available in stage 1. Also I reduce the bootloaders default timeout because I do not really need that anymore ever since I have stopped to use specialisations.
#+begin_src nix-ts :tangle modules/nixos/common/boot.nix
{ lib, pkgs, config, globals, ... }:
{
options.swarselmodules.boot = lib.mkEnableOption "boot config";
config = lib.mkIf config.swarselmodules.boot {
boot = {
initrd.systemd = {
enable = true;
emergencyAccess = globals.root.hashedPassword;
users.root.shell = "${pkgs.bashInteractive}/bin/bash";
storePaths = [ "${pkgs.bashInteractive}/bin/bash" ];
extraBin = {
ip = "${pkgs.iproute2}/bin/ip";
ping = "${pkgs.iputils}/bin/ping";
cryptsetup = "${pkgs.cryptsetup}/bin/cryptsetup";
};
};
kernelParams = [ "log_buf_len=16M" ];
tmp.useTmpfs = true;
loader.timeout = lib.mkDefault 2;
};
console.earlySetup = true;
};
}
#+end_src
**** Impermanence
:PROPERTIES:
:CUSTOM_ID: h:e7668594-fa8b-4d36-a695-a58222478988
:END:
This is where the impermanence magic happens. When this is enabled, the root directory is rolled back to a blanket state on each reboot.
Normally, doing that also resets the lecture that happens on the first use of =sudo=, so we disable that at this point. Also, here we can set files to be persisted. Do note that you should still pay attention to files that need sudo access, as these need to be copied manually.
#+begin_src nix-ts :tangle modules/nixos/common/impermanence.nix
{ config, lib, ... }:
let
mapperTarget = lib.swarselsystems.mkIfElse config.swarselsystems.isCrypted "/dev/mapper/cryptroot" "/dev/disk/by-label/nixos";
inherit (config.swarselsystems) isImpermanence isCrypted isBtrfs;
in
{
options.swarselmodules.impermanence = lib.mkEnableOption "impermanence config";
config = lib.mkIf config.swarselmodules.impermanence {
security.sudo.extraConfig = lib.mkIf isImpermanence ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
# This script does the actual wipe of the system
# So if it doesn't run, the btrfs system effectively acts like a normal system
# Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix
boot.tmp.useTmpfs = lib.mkIf (!isImpermanence) true;
boot.initrd.systemd = lib.mkIf (isImpermanence && isBtrfs) {
enable = true;
services.rollback = {
description = "Rollback BTRFS root subvolume to a pristine state";
wantedBy = [ "initrd.target" ];
# make sure it's done after encryption
# i.e. LUKS/TPM process
after = lib.swarselsystems.mkIfElseList isCrypted [ "systemd-cryptsetup@cryptroot.service" ] [ "dev-disk-by\\x2dlabel-nixos.device" ];
requires = lib.mkIf (!isCrypted) [ "dev-disk-by\\x2dlabel-nixos.device" ];
# mount the root fs before clearing
before = [ "sysroot.mount" ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /mnt
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvolid=5 -t btrfs ${mapperTarget} /mnt
btrfs subvolume list -o /mnt/root
# While we're tempted to just delete /root and create
# a new snapshot from /root-blank, /root is already
# populated at this point with a number of subvolumes,
# which makes `btrfs subvolume delete` fail.
# So, we remove them first.
#
# /root contains subvolumes:
# - /root/var/lib/portables
# - /root/var/lib/machines
btrfs subvolume list -o /mnt/root |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..." &&
btrfs subvolume delete /mnt/root
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/root-blank /mnt/root
# Once we're done rolling back to a blank snapshot,
# we can unmount /mnt and continue on the boot process.
umount /mnt
'';
};
};
environment.persistence."/persist" = lib.mkIf isImpermanence {
hideMounts = true;
directories =
[
"/root/.dotfiles"
"/etc/nix"
"/etc/NetworkManager/system-connections"
"/var/lib/nixos"
"/var/tmp"
{
directory = "/var/tmp/nix-import-encrypted"; # Decrypted repo-secrets can be kept
mode = "1777";
}
# "/etc/secureboot"
];
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/machine-id"
];
};
};
}
#+end_src
*** Client
:PROPERTIES:
:CUSTOM_ID: h:1bb03c4c-7749-47c1-9af6-1b3d748cebf4
:END:
This section is to be used for modules that are most likely only used on client PCs (like my laptops) but no on servers.
**** Imports
:PROPERTIES:
:CUSTOM_ID: h:4acbe063-188b-42e7-b75c-b6d2e232e784
:END:
This section is for setting things that should be used on clients that are using the default NixOS configuration.
#+begin_src nix-ts :tangle modules/nixos/client/default.nix
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/nixos/client";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/nixos/client";
}
#+end_src
**** System Packages
:PROPERTIES:
:CUSTOM_ID: h:0e7e8bea-ec58-499c-9731-09dddfc39532
:END:
Mostly used to install some compilers and lsp's that I want to have available when not using a devShell flake. Most other packages should go in [[#h:893a7f33-7715-415b-a895-2687ded31c18][Installed packages]].
#+begin_src nix-ts :tangle modules/nixos/client/packages.nix
{ lib, config, pkgs, minimal, ... }:
{
options.swarselmodules.packages = lib.mkEnableOption "install packages";
config = lib.mkIf config.swarselmodules.packages {
environment.systemPackages = with pkgs; lib.optionals (!minimal) [
# yubikey packages
gnupg
yubikey-personalization
yubico-pam
yubioath-flutter
yubikey-manager
yubikey-touch-detector
yubico-piv-tool
cfssl
pcsc-tools
pcscliteWithPolkit.out
# ledger packages
ledger-live-desktop
# pinentry
dbus
# swaylock-effects
syncthingtray-minimal
swayosd
# secure boot
sbctl
libsForQt5.qt5.qtwayland
# do not do this! clashes with the flake
# nix-index
nixos-generators
# commit hooks
pre-commit
# proc info
acpi
# pci info
pciutils
usbutils
# better make for general tasks
just
# sops
ssh-to-age
sops
# keyboards
qmk
vial
via
# theme related
adwaita-icon-theme
# kde-connect
xdg-desktop-portal
xdg-desktop-portal-gtk
xdg-desktop-portal-wlr
# bluetooth
bluez
ghostscript_headless
wireguard-tools
nixd
zig
zls
elk-to-svg
] ++ lib.optionals minimal [
networkmanager
curl
git
gnupg
rsync
ssh-to-age
sops
vim
just
sbctl
];
nixpkgs.config.permittedInsecurePackages = lib.mkIf (!minimal) [
"jitsi-meet-1.0.8043"
"electron-29.4.6"
"SDL_ttf-2.0.11"
# audacity?
"mbedtls-2.28.10"
# "qtwebengine-5.15.19"
];
};
}
#+end_src
**** Environment setup
:PROPERTIES:
:CUSTOM_ID: h:f4006367-0965-4b4f-a3b0-45f63b07d2b8
:END:
Next, we will setup some environment variables that need to be set on the system-side. We apply some compatibility options for chromium apps on wayland, enable the wordlist and make metadata reading possible for my file explorer (nautilus).
#+begin_src nix-ts :tangle modules/nixos/client/env.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.env = lib.mkEnableOption "environment config";
config = lib.mkIf config.swarselmodules.env {
environment = {
wordlist.enable = true;
sessionVariables = {
NIXOS_OZONE_WL = "1";
SWARSEL_LO_RES = config.swarselsystems.lowResolution;
SWARSEL_HI_RES = config.swarselsystems.highResolution;
GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (with pkgs.gst_all_1; [
gst-plugins-good
gst-plugins-bad
gst-plugins-ugly
gst-libav
]);
} // (lib.optionalAttrs (!config.swarselsystems.isPublic) { });
};
};
}
#+end_src
**** Security (polkit)
:PROPERTIES:
:CUSTOM_ID: h:e2d40df9-0026-4caa-8476-9dc2353055a1
:END:
Needed for control over system-wide privileges etc. Also I make sure that the root user has access to =SSH_AUTH_SOCK= (without this, root will not be able to read my =nix-secrets= repository, however, that does not matter anymore since I stopped using that solution) in order to be able to keep using the same agent upon escalation.
#+begin_src nix-ts :tangle modules/nixos/client/polkit.nix
{ lib, config, minimal, ... }:
{
options.swarselmodules.security = lib.mkEnableOption "security config";
config = lib.mkIf config.swarselmodules.security {
security = {
# pki.certificateFiles = [
# config.sops.secrets.harica-root-ca.path
# ];
pam.services = lib.mkIf (!minimal) {
login.u2fAuth = true;
sudo.u2fAuth = true;
sshd.u2fAuth = false;
swaylock = {
u2fAuth = true;
fprintAuth = false;
};
};
polkit.enable = lib.mkIf (!minimal) true;
sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
'' + lib.optionalString (!minimal) ''
Defaults env_keep+=XDG_RUNTIME_DIR
Defaults env_keep+=WAYLAND_DISPLAY
'';
};
};
}
#+end_src
**** Reduce systemd timeouts
:PROPERTIES:
:CUSTOM_ID: h:12858442-c129-4aa1-9c9c-a0916e36b302
:END:
There is a persistent bug over Linux kernels that makes the user wait 1m30s on system shutdown due to the reason =a stop job is running for session 1 of user ...=. I do not want to wait that long and am confident no important data is lost by doing this.
Nowadays, it seems that this bug was fixed (I think it was caused by VirtualBox), but still, I keep these shorter timeouts just to be safe (or unsafe, depending on your viewpoint).
#+begin_src nix-ts :tangle modules/nixos/client/systemd.nix
{ lib, config, ... }:
{
options.swarselmodules.systemdTimeout = lib.mkEnableOption "systemd timeout config";
config = lib.mkIf config.swarselmodules.systemdTimeout {
# systemd
systemd.settings.Manager = {
DefaultTimeoutStartSec = "60s";
DefaultTimeoutStopSec = "15s";
};
};
}
#+end_src
**** Hardware settings
:PROPERTIES:
:CUSTOM_ID: h:1fa7cf61-5c03-43a3-a7f0-3d6ee246b31b
:END:
Enable OpenGL, Sound, Bluetooth, support for my custom keyboards and various other drivers.
#+begin_src nix-ts :tangle modules/nixos/client/hardware.nix
{ pkgs, config, lib, ... }:
{
options.swarselmodules.hardware = lib.mkEnableOption "hardware config";
options.swarselsystems = {
hasBluetooth = lib.mkEnableOption "bluetooth availability";
hasFingerprint = lib.mkEnableOption "fingerprint sensor availability";
trackpoint = {
isAvailable = lib.mkEnableOption "trackpoint availability";
trackpoint.device = lib.mkOption {
type = lib.types.str;
default = "";
};
};
};
config = lib.mkIf config.swarselmodules.hardware {
hardware = {
# opengl.driSupport32Bit = true is replaced with graphics.enable32Bit and hence redundant
graphics = {
enable = true;
enable32Bit = true;
};
trackpoint = lib.mkIf config.swarselsystems.trackpoint.isAvailable {
enable = true;
inherit (config.swarselsystems.trackpoint) device;
};
keyboard.qmk.enable = true;
enableAllFirmware = lib.mkDefault true;
bluetooth = lib.mkIf config.swarselsystems.hasBluetooth {
enable = true;
package = pkgs.bluez;
powerOnBoot = true;
settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
};
};
};
services.fprintd.enable = lib.mkIf config.swarselsystems.hasFingerprint true;
};
}
#+end_src
**** Pulseaudio
:PROPERTIES:
:CUSTOM_ID: h:63f6773e-b321-4b1d-a206-3913658cf62d
:END:
This is only used on systems not running Pipewire (none at the moment).
#+begin_src nix-ts :tangle modules/nixos/client/pulseaudio.nix
{ config, pkgs, lib, ... }: {
options.swarselmodules.pulseaudio = lib.mkEnableOption "pulseaudio config";
config = lib.mkIf config.swarselmodules.pulseaudio {
services.pulseaudio = {
enable = lib.mkIf (!config.services.pipewire.enable) true;
package = pkgs.pulseaudioFull;
};
};
}
#+end_src
**** Pipewire
:PROPERTIES:
:CUSTOM_ID: h:aa433f5e-a455-4414-b76b-0a2692fa06aa
:END:
Pipewire handles communication on Wayland. This enables several sound tools as well as screen sharing in combinaton with =xdg-desktop-portal-wlr= when using [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]].
#+begin_src nix-ts :tangle modules/nixos/client/pipewire.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.pipewire = lib.mkEnableOption "pipewire config";
config = lib.mkIf config.swarselmodules.pipewire {
security.rtkit.enable = true; # this is required for pipewire real-time access
services.pipewire = {
enable = true;
package = pkgs.pipewire;
pulse.enable = true;
jack.enable = true;
audio.enable = true;
wireplumber.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
};
};
}
#+end_src
**** Common network settings
:PROPERTIES:
:CUSTOM_ID: h:7d696b64-debe-4a95-80b5-1e510156a6c6
:END:
Here I only enable =networkmanager= and a few default networks. The rest of the network config is done separately in [[#h:88bf4b90-e94b-46fb-aaf1-a381a512860d][System specific configuration]].
#+begin_src nix-ts :tangle modules/nixos/client/network.nix
{ self, lib, pkgs, config, globals, ... }:
let
certsSopsFile = self + /secrets/repo/certs.yaml;
clientSopsFile = config.node.secretsDir + "/secrets.yaml";
inherit (config.repo.secrets.common.network) wlan1 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
iwd = config.networking.networkmanager.wifi.backend == "iwd";
in
{
options.swarselsystems = {
firewall = lib.swarselsystems.mkTrueOption;
};
options.swarselmodules.network = lib.mkEnableOption "network config";
config = lib.mkIf config.swarselmodules.network {
sops = {
secrets = lib.mkIf (!config.swarselsystems.isPublic) {
wlan1-pw = { };
wlan2-pw = { };
laptop-hotspot-pw = { };
mobile-hotspot-pw = { };
eduroam-user = { };
eduroam-pw = { };
pia-vpn-user = { };
pia-vpn-pw = { };
home-wireguard-client-private-key = { sopsFile = clientSopsFile; };
home-wireguard-server-public-key = { };
home-wireguard-endpoint = { };
pia-vpn1-crl-pem = { sopsFile = certsSopsFile; };
pia-vpn1-ca-pem = { sopsFile = certsSopsFile; };
};
templates = lib.mkIf (!config.swarselsystems.isPublic) {
"network-manager.env".content = ''
WLAN1_PW=${config.sops.placeholder.wlan1-pw}
WLAN2_PW=${config.sops.placeholder.wlan2-pw}
LAPTOP_HOTSPOT_PW=${config.sops.placeholder.laptop-hotspot-pw}
MOBILE_HOTSPOT_PW=${config.sops.placeholder.mobile-hotspot-pw}
EDUROAM_USER=${config.sops.placeholder.eduroam-user}
EDUROAM_PW=${config.sops.placeholder.eduroam-pw}
PIA_VPN_USER=${config.sops.placeholder.pia-vpn-user}
PIA_VPN_PW=${config.sops.placeholder.pia-vpn-pw}
HOME_WIREGUARD_CLIENT_PRIVATE_KEY=${config.sops.placeholder.home-wireguard-client-private-key}
HOME_WIREGUARD_SERVER_PUBLIC_KEY=${config.sops.placeholder.home-wireguard-server-public-key}
HOME_WIREGUARD_ENDPOINT=${config.sops.placeholder.home-wireguard-endpoint}
'';
};
};
services.resolved.enable = true;
networking = {
hostName = config.node.name;
hosts = {
"${globals.networks.home-lan.hosts.winters.ipv4}" = [ globals.services.transmission.domain ];
};
wireless.iwd = {
enable = true;
settings = {
IPv6 = {
Enabled = true;
};
Settings = {
AutoConnect = true;
};
# DriverQuirks = {
# UseDefaultInterface = true;
# };
};
};
nftables.enable = lib.mkDefault true;
enableIPv6 = lib.mkDefault true;
firewall = {
enable = lib.swarselsystems.mkStrong config.swarselsystems.firewall;
checkReversePath = lib.mkDefault false;
allowedUDPPorts = [ 51820 ]; # 51820: wireguard
allowedTCPPortRanges = [
{ from = 1714; to = 1764; } # kde-connect
];
allowedUDPPortRanges = [
{ from = 1714; to = 1764; } # kde-connect
];
};
networkmanager = {
enable = true;
wifi.backend = "iwd";
dns = "systemd-resolved";
plugins = [
# list of plugins: https://search.nixos.org/packages?query=networkmanager-
# docs https://networkmanager.dev/docs/vpn/
pkgs.networkmanager-openconnect
pkgs.networkmanager-openvpn
];
ensureProfiles = lib.mkIf (!config.swarselsystems.isPublic) {
environmentFiles = [
"${config.sops.templates."network-manager.env".path}"
];
profiles =
let
inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips;
in
{
${wlan1} = {
connection = {
id = wlan1;
# permissions = "";
type = "wifi";
autoconnect-priority = "999";
};
ipv4 = {
# dns-search = "";
method = "auto";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
# dns-search = "";
method = "auto";
};
wifi = {
# mac-address-blacklist = "";
mode = "infrastructure";
# band = "a";
ssid = wlan1;
};
wifi-security = {
# auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$WLAN1_PW";
};
};
LAN-Party = {
connection = {
autoconnect = "false";
id = "LAN-Party";
type = "ethernet";
};
ethernet = {
auto-negotiate = "true";
cloned-mac-address = "preserve";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
eduroam = {
"802-1x" = {
eap = if (!iwd) then "ttls;" else "peap;";
identity = "$EDUROAM_USER";
password = "$EDUROAM_PW";
phase2-auth = "mschapv2";
anonymous-identity = lib.mkIf iwd eduroam-anon;
};
connection = {
id = "eduroam";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "eduroam";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-eap";
};
};
local = {
connection = {
autoconnect = "false";
id = "local";
type = "ethernet";
};
ethernet = { };
ipv4 = {
address1 = "10.42.1.1/24";
method = "shared";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
${mobile1} = {
connection = {
id = mobile1;
type = "wifi";
autoconnect-priority = "500";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = mobile1;
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$MOBILE_HOTSPOT_PW";
};
};
home-wireguard = {
connection = {
id = "HomeVPN";
type = "wireguard";
autoconnect = "false";
interface-name = "wg1";
};
wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; };
"wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = {
endpoint = "$HOME_WIREGUARD_ENDPOINT";
allowed-ips = home-wireguard-allowed-ips;
};
ipv4 = {
method = "ignore";
address1 = home-wireguard-address;
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "ignore";
};
proxy = { };
};
pia-vpn1 = {
connection = {
autoconnect = "false";
id = "PIA ${vpn1-location}";
type = "vpn";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
vpn = {
auth = "sha1";
ca = config.sops.secrets."pia-vpn1-ca-pem".path;
challenge-response-flags = "2";
cipher = vpn1-cipher;
compress = "yes";
connection-type = "password";
crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path;
dev = "tun";
password-flags = "0";
remote = vpn1-address;
remote-cert-tls = "server";
reneg-seconds = "0";
service-type = "org.freedesktop.NetworkManager.openvpn";
username = "$PIA_VPN_USER";
};
vpn-secrets = { password = "$PIA_VPN_PW"; };
};
Hotspot = {
connection = {
autoconnect = "false";
id = "Hotspot";
type = "wifi";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "default";
method = "ignore";
};
proxy = { };
wifi = {
mode = "ap";
ssid = "Hotspot-${config.swarselsystems.mainUser}";
};
wifi-security = {
group = "ccmp;";
key-mgmt = "wpa-psk";
pairwise = "ccmp;";
proto = "rsn;";
psk = "$MOBILE_HOTSPOT_PW";
};
};
};
};
};
};
systemd.services.NetworkManager-ensure-profiles.after = [ "NetworkManager.service" ];
};
}
#+end_src
**** sops
:PROPERTIES:
:CUSTOM_ID: h:d87d80fd-2ac7-4f29-b338-0518d06b4deb
:END:
I use sops-nix to handle secrets that I want to have available on my machines at all times. For some reason validateSopsFiles needs to be turned off, probably because my age keys are not real age keys but just the host ssh keys being read in by =ssh-go-age=. The default sopsfile is the one that is available to all systems - if the secret in question is not in that file, we need to override =sopsFile= in the respective secret.
Do note that we have to account for impermanent file systems here, otherwise system activation will fail because the secret files cannot be found.
#+begin_src nix-ts :tangle modules/nixos/client/sops.nix
{ self, config, lib, ... }:
{
options.swarselmodules.sops = lib.mkEnableOption "sops config";
config = lib.mkIf config.swarselmodules.sops {
sops = {
# age.sshKeyPaths = lib.swarselsystems.mkIfElseList config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" "/persist/.ssh/ssh_host_ed25519_key" ] [ "${config.swarselsystems.homeDir}/.ssh/sops" "/etc/ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}/etc/ssh/ssh_host_ed25519_key" ];
# defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${config.swarselsystems.flakePath}/secrets/repo/common.yaml";
defaultSopsFile = self + "/secrets/repo/common.yaml";
validateSopsFiles = false;
};
};
}
#+end_src
**** Remote building
:PROPERTIES:
:CUSTOM_ID: h:43aa6c7e-ef6a-4907-9d22-3e6fb5ba4c08
:END:
This defines all remote builds that I want to use on client machines. This includes the nixbuild.net machine as well as my own private builders. I can use these to perform x86_64 builds as well as aarch64.
#+begin_src nix-ts :tangle modules/nixos/client/remotebuild.nix
{ lib, config, globals, ... }:
let
inherit (config.swarselsystems) homeDir mainUser isClient;
in
{
options.swarselmodules.remotebuild = lib.mkEnableOption "enable remote builds on this machine";
config = lib.mkIf config.swarselmodules.remotebuild {
sops.secrets = {
builder-key = lib.mkIf isClient { owner = mainUser; path = "${homeDir}/.ssh/builder"; mode = "0600"; };
nixbuild-net-key = { owner = mainUser; path = "${homeDir}/.ssh/nixbuild-net"; mode = "0600"; };
};
nix = {
settings.builders-use-substitutes = true;
distributedBuilds = true;
buildMachines = [
(lib.mkIf isClient {
hostName = config.repo.secrets.common.builder1-ip;
system = "aarch64-linux";
maxJobs = 20;
speedFactor = 10;
})
(lib.mkIf isClient {
hostName = globals.hosts.belchsfactory.wanAddress4;
system = "aarch64-linux";
maxJobs = 4;
speedFactor = 2;
protocol = "ssh-ng";
})
{
hostName = "eu.nixbuild.net";
system = "x86_64-linux";
maxJobs = 100;
speedFactor = 2;
supportedFeatures = [ "big-parallel" ];
}
];
};
programs.ssh = {
knownHosts = {
nixbuild = {
hostNames = [ "eu.nixbuild.net" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIQCZc54poJ8vqawd8TraNryQeJnvH1eLpIDgbiqymM";
};
builder1 = lib.mkIf isClient {
hostNames = [ config.repo.secrets.common.builder1-ip ];
publicKey = config.repo.secrets.common.builder1-pubHostKey;
};
jump = lib.mkIf isClient {
hostNames = [ globals.hosts.liliputsteps.wanAddress4 ];
publicKey = config.repo.secrets.common.jump-pubHostKey;
};
builder2 = lib.mkIf isClient {
hostNames = [ globals.hosts.belchsfactory.wanAddress4 ];
publicKey = config.repo.secrets.common.builder2-pubHostKey;
};
};
extraConfig = ''
Host eu.nixbuild.net
ConnectTimeout 1
PubkeyAcceptedKeyTypes ssh-ed25519
ServerAliveInterval 60
IPQoS throughput
IdentityFile ${config.sops.secrets.nixbuild-net-key.path}
'' + lib.optionalString isClient ''
Host ${config.repo.secrets.common.builder1-ip}
ConnectTimeout 1
User ${mainUser}
IdentityFile ${config.sops.secrets.builder-key.path}
Host ${globals.hosts.belchsfactory.wanAddress4}
ConnectTimeout 5
ProxyJump ${globals.hosts.liliputsteps.wanAddress4}
User builder
IdentityFile ${config.sops.secrets.builder-key.path}
Host ${globals.hosts.liliputsteps.wanAddress4}
ConnectTimeout 1
User jump
IdentityFile ${config.sops.secrets.builder-key.path}
'';
};
};
}
#+end_src
**** Theme (stylix)
:PROPERTIES:
:CUSTOM_ID: h:e6e44705-94af-49fe-9ca0-0629d0f7d932
:END:
By default, [[https://github.com/danth/stylix][stylix]] wants to style GRUB as well. However, I think that looks horrible.
=theme= is defined in [[#h:2e9b84d7-cb18-4e74-83f8-65ada11a8911][stylix color scheme]].
#+begin_src nix-ts :noweb yes :tangle modules/nixos/client/stylix.nix
{ self, lib, config, vars, withHomeManager, ... }:
{
options.swarselmodules.stylix = lib.mkEnableOption "stylix config";
config = {
stylix = {
enable = true;
base16Scheme = "${self}/files/stylix/swarsel.yaml";
} // lib.optionalAttrs config.swarselmodules.stylix
(lib.recursiveUpdate
{
targets.grub.enable = false; # the styling makes grub more ugly
image = config.swarselsystems.wallpaper;
}
vars.stylix);
} // lib.optionalAttrs withHomeManager {
home-manager.users."${config.swarselsystems.mainUser}" = {
stylix = {
targets = vars.stylixHomeTargets;
};
};
};
}
#+end_src
**** Programs (including zsh setup)
:PROPERTIES:
:CUSTOM_ID: h:2bbf5f31-246d-4738-925f-eca40681f7b6
:END:
Some programs profit from being installed through dedicated NixOS settings on system-level; these go here. Notably the zsh setup goes here and cannot be deleted under any circumstances (its config is in a subsection)
#+begin_src nix-ts :tangle modules/nixos/client/programs.nix
{ lib, config, ... }:
{
options.swarselmodules.programs = lib.mkEnableOption "small program modules config";
config = lib.mkIf config.swarselmodules.programs {
programs = {
dconf.enable = true;
evince.enable = true;
kdeconnect.enable = true;
};
};
}
#+end_src
***** zsh
:PROPERTIES:
:CUSTOM_ID: h:7daa06ff-d3b0-4491-97ce-770b749c52f9
:END:
Here I disable global completion to prevent redundant compinit calls and cache invalidation that slow down shell startup (enabled on the home-manager side).
#+begin_src nix-ts :tangle modules/nixos/client/zsh.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.zsh = lib.mkEnableOption "zsh base config";
config = lib.mkIf config.swarselmodules.zsh {
programs.zsh = {
enable = true;
enableCompletion = false;
};
users.defaultUserShell = pkgs.zsh;
environment.shells = with pkgs; [ zsh ];
environment.pathsToLink = [ "/share/zsh" ];
};
}
#+end_src
***** nautilus
:PROPERTIES:
:CUSTOM_ID: h:e31fa37e-220f-4e97-89ae-6a5219309a05
:END:
This enabled the right-click context menu entry in nautilus that allows to open a folder in a terminal - I never use this to be honest, but I feel like the file explorer would not be complete otherwise.
#+begin_src nix-ts :tangle modules/nixos/client/nautilus.nix
{ lib, config, ... }:
{
options.swarselmodules.nautilus = lib.mkEnableOption "nautilus config";
config = lib.mkIf config.swarselmodules.nautilus {
programs.nautilus-open-any-terminal = {
enable = true;
terminal = "kitty";
};
};
}
#+end_src
***** syncthing
:PROPERTIES:
:CUSTOM_ID: h:1e6d3d56-e415-43a2-8e80-3bad8062ecf8
:END:
This is the syncthing client configuration. Contrary to the [[#h:ad2787a2-7b1c-4326-aeff-9d8d6c3f591d][server syncthing config]], this sets all directories as send+receive (the servers only receive). Apart from that, I only really need to sync my Obsidian stuff and some Emacs files.
#+begin_src nix-ts :tangle modules/nixos/client/syncthing.nix
{ lib, config, pkgs, ... }:
let
inherit (config.swarselsystems) mainUser homeDir;
devices = config.swarselsystems.syncthing.syncDevices;
servicePort = 8384;
in
{
options.swarselmodules.syncthing = lib.mkEnableOption "syncthing config";
config = lib.mkIf config.swarselmodules.syncthing {
services.syncthing = {
enable = true;
systemService = true;
guiAddress = "127.0.0.1:${builtins.toString servicePort}";
package = pkgs.syncthing;
user = mainUser;
dataDir = homeDir;
configDir = "${homeDir}/.config/syncthing";
openDefaultPorts = true;
overrideDevices = true;
overrideFolders = true;
settings = {
options = {
urAccepted = -1;
};
inherit (config.swarselsystems.syncthing) devices;
folders = {
"Default Folder" = lib.mkDefault {
path = "${homeDir}/Sync";
inherit devices;
id = "default";
};
"Obsidian" = {
path = "${homeDir}/Obsidian";
inherit devices;
id = "yjvni-9eaa7";
};
"Org" = {
path = "${homeDir}/Org";
inherit devices;
id = "a7xnl-zjj3d";
};
"Vpn" = {
path = "${homeDir}/Vpn";
inherit devices;
id = "hgp9s-fyq3p";
};
};
};
};
};
}
#+end_src
**** Services
:PROPERTIES:
:CUSTOM_ID: h:79f3258f-ed9d-434d-b50a-e58d57ade2a7
:END:
Setting up some hardware services as well as keyboard related settings. Here we make sure that we can use the CAPS key as a ESC/CTRL double key, which is a lifesaver.
***** blueman
:PROPERTIES:
:CUSTOM_ID: h:b91df05b-113d-4d09-93d1-b271e5b76810
:END:
Enables the blueman service including the nice system tray icon.
#+begin_src nix-ts :tangle modules/nixos/client/blueman.nix
{ lib, config, ... }:
{
options.swarselmodules.blueman = lib.mkEnableOption "blueman config";
config = lib.mkIf config.swarselmodules.blueman {
services.blueman.enable = true;
services.hardware.bolt.enable = true;
};
}
#+end_src
***** Network devices
:PROPERTIES:
:CUSTOM_ID: h:73ed28cb-2f82-47b2-8bc5-208278b55788
:END:
In this section we enable compatibility with several network devices I have at home, mainly printers and scanners.
This allows me to use my big scanner/printer's scanning function over the network.
This also allows me to use my big scanner/printer's printing function over the network. Most of the settings are driver related.
Avahi is the service used for the network discovery.
#+begin_src nix-ts :tangle modules/nixos/client/networkdevices.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.networkDevices = lib.mkEnableOption "network device config";
config = lib.mkIf config.swarselmodules.networkDevices {
# enable scanners over network
hardware.sane = {
enable = true;
extraBackends = [ pkgs.sane-airscan ];
};
# enable discovery and usage of network devices (esp. printers)
services.printing = {
enable = true;
drivers = [
pkgs.gutenprint
pkgs.gutenprintBin
];
browsedConf = ''
BrowseDNSSDSubTypes _cups,_print
BrowseLocalProtocols all
BrowseRemoteProtocols all
CreateIPPPrinterQueues All
BrowseProtocols all
'';
};
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
};
}
#+end_src
***** enable GVfs
:PROPERTIES:
:CUSTOM_ID: h:f101daa2-604d-4553-99e2-f64b9c207f51
:END:
This is being set to allow myself to use all functions of nautilus in NixOS.
#+begin_src nix-ts :tangle modules/nixos/client/gvfs.nix
{ lib, config, ... }:
{
options.swarselmodules.gvfs = lib.mkEnableOption "gvfs config for nautilus";
config = lib.mkIf config.swarselmodules.gvfs {
services.gvfs.enable = true;
};
}
#+end_src
***** interception-tools: Make CAPS work as ESC/CTRL
:PROPERTIES:
:CUSTOM_ID: h:08d213d5-a9f4-4309-8635-ba557b01dc7d
:END:
This is a super-convenient configuration bit that lets my remap my =CAPS= key to =ESC= if pressed shortly, and =CTRL= if being held. Interception-tools can do many other things as well, but that is really all I need when I am typing on my laptops internal keyboard.
#+begin_src nix-ts :tangle modules/nixos/client/interceptiontools.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.interceptionTools = lib.mkEnableOption "interception tools config";
config = lib.mkIf config.swarselmodules.interceptionTools {
# Make CAPS work as a dual function ESC/CTRL key
services.interception-tools = {
enable = true;
udevmonConfig =
let
dualFunctionKeysConfig = builtins.toFile "dual-function-keys.yaml" ''
TIMING:
TAP_MILLISEC: 200
DOUBLE_TAP_MILLISEC: 0
MAPPINGS:
- KEY: KEY_CAPSLOCK
TAP: KEY_ESC
HOLD: KEY_LEFTCTRL
'';
in
''
- JOB: |
${pkgs.interception-tools}/bin/intercept -g $DEVNODE \
| ${pkgs.interception-tools-plugins.dual-function-keys}/bin/dual-function-keys -c ${dualFunctionKeysConfig} \
| ${pkgs.interception-tools}/bin/uinput -d $DEVNODE
DEVICE:
EVENTS:
EV_KEY: [KEY_CAPSLOCK]
'';
};
};
}
#+end_src
***** keyd: remap SUPER (not used)
:PROPERTIES:
:CUSTOM_ID: h:6a0fb66c-dfda-47e9-87b2-8b02d58dd68b
:END:
This is an unused service that can also be used to remap keybinds. I tried to use this in the past to implement the self-hiding topbar that I know from [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]] in [[#h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb][Niri]]. That did not work. Still, it cannot hurt to keep this reference in here.
#+begin_src nix-ts :tangle modules/nixos/client/keyd.nix
{ lib, config, ... }:
let
moduleName = "keyd";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} tools config";
config = lib.mkIf config.swarselmodules.${moduleName} {
services.keyd = {
enable = true;
keyboards = {
default = {
ids = [ "*" ];
settings = {
main = {
leftmeta = "overload(meta, macro(rightmeta+z))";
rightmeta = "overload(meta, macro(rightmeta+z))";
};
};
};
};
};
};
}
#+end_src
***** power-profiles-daemon
:PROPERTIES:
:CUSTOM_ID: h:82fbba41-3a46-4db7-aade-49e4c23fc475
:END:
This enables power profile management. The available modes are:
- power-saver
- balanced
- performance
Most of the time I am using =power-saver=, however, it is good to be able to choose.
This is also used by [[#h:385cc6c7-416c-4570-a5d3-bf8fb7c841e7][Noctalia-shell]] in order to set and get the profiles.
#+begin_src nix-ts :tangle modules/nixos/client/power-profiles-daemon.nix
{ lib, config, ... }:
{
options.swarselmodules.ppd = lib.mkEnableOption "power profiles daemon config";
config = lib.mkIf config.swarselmodules.ppd {
services.power-profiles-daemon.enable = true;
};
}
#+end_src
***** SwayOSD
:PROPERTIES:
:CUSTOM_ID: h:5db15758-17d8-4bde-811d-d11ccdd3f3d3
:END:
[[#h:388e71be-f00a-4d45-ade1-218ce942057d][SwayOSD]] provides a neat visual overlay when changing the system volume or brightness. However, the libinput backend needs some fixing, which is done here.
Nowadays, this is not used in favor of [[#h:96e05275-38df-401b-8809-d45d8f59e43c][Noctalia-shell]].
#+begin_src nix-ts :tangle modules/nixos/client/swayosd.nix
{ lib, pkgs, config, ... }:
{
options.swarselmodules.swayosd = lib.mkEnableOption "swayosd settings";
config = lib.mkIf config.swarselmodules.swayosd {
environment.systemPackages = [ pkgs.swayosd ];
services.udev.packages = [ pkgs.swayosd ];
systemd.services.swayosd-libinput-backend = {
description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc.";
documentation = [ "https://github.com/ErikReider/SwayOSD" ];
wantedBy = [ "graphical.target" ];
partOf = [ "graphical.target" ];
after = [ "graphical.target" ];
serviceConfig = {
Type = "dbus";
BusName = "org.erikreider.swayosd";
ExecStart = "${pkgs.swayosd}/bin/swayosd-libinput-backend";
Restart = "on-failure";
};
};
};
}
#+end_src
**** Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules
:PROPERTIES:
:CUSTOM_ID: h:7a89b5e3-b700-4167-8b14-2b8172f33936
:END:
***** Yubikey
:PROPERTIES:
:CUSTOM_ID: h:49aa792d-edfb-4eac-ae31-ecf23c4dca00
:END:
This takes care of the main Yubikey related configuration on the NixOS side - note that the starting of the gpg-agent is done in the sway settings, to also perform this step of the setup for non NixOS-machines at the same time.
I want to use the ssh-agent from gpg-agent's ssh compatibility, which is why we disable ssh-agent. Also, we load some extra udev rules using =hardware.gpgSmartcards.enable=.
Many guides state that it is needed to enable =pcscd= to use the smartcard mode (CCID) of the Yubikey. However, enabling it causes some problems when locking the screen and unplugging the Yubikey, after which the Yubikey only becomes available again as a smart card after about one minute. I found that is is sufficient to enable =services.gpg-agent.enableScDaemon= in home-manager instead.
Also, since I use a GPG key in sops, it seems that scdaemon creates an instance at boot which sometimes hogs the Yubikey, which leads to significant delays after e.g. locking the screen and unplugging the Yubikey. Since I do not need the GPG key for the actual sops secrets (I use machine age keys instead), I kill that process.
#+begin_src nix-ts :tangle modules/nixos/client/hardwarecompatibility-yubikey.nix
{ lib, config, pkgs, ... }:
let
inherit (config.swarselsystems) mainUser;
inherit (config.repo.secrets.common.yubikeys) cfg1 cfg2;
in
{
options.swarselmodules.yubikey = lib.mkEnableOption "yubikey config";
config = lib.mkIf config.swarselmodules.yubikey {
programs.ssh = {
startAgent = false; # yes we want this to use FIDO2 keys
# enableAskPassword = true;
# askPassword = lib.getExe pkgs.kdePackages.ksshaskpass;
};
services = {
gnome.gcr-ssh-agent.enable = false;
yubikey-agent.enable = false;
pcscd.enable = true;
udev.packages = with pkgs; [
yubikey-personalization
];
};
hardware.gpgSmartcards.enable = true;
security.pam.u2f = {
enable = true;
control = "sufficient";
settings = {
interactive = false; # displays a prompt BEFORE asking for presence
cue = true; # prints a message that a touch is requrired
origin = "pam://${mainUser}"; # make the keys work on all machines
authfile = pkgs.writeText "u2f-mappings" (lib.concatStrings [
mainUser
cfg1
cfg2
]);
};
};
environment.systemPackages = with pkgs; [
kdePackages.ksshaskpass
];
};
}
#+end_src
***** Ledger
:PROPERTIES:
:CUSTOM_ID: h:c3cba64c-cdd7-4d58-a2c2-6a7fb36ad6c4
:END:
This performs the necessary configuration to support this hardware.
#+begin_src nix-ts :tangle modules/nixos/client/hardwarecompatibility-ledger.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.ledger = lib.mkEnableOption "ledger config";
config = lib.mkIf config.swarselmodules.ledger {
hardware.ledger.enable = true;
services.udev.packages = with pkgs; [
ledger-udev-rules
];
};
}
#+end_src
***** Keyboards
:PROPERTIES:
:CUSTOM_ID: h:103b68b6-33a1-4369-a534-5f36dfa95e03
:END:
This loads some udev rules that I need for my split keyboards.
#+begin_src nix-ts :tangle modules/nixos/client/hardwarecompatibility-keyboards.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.keyboards = lib.mkEnableOption "keyboards config";
config = lib.mkIf config.swarselmodules.keyboards {
services.udev.packages = with pkgs; [
qmk-udev-rules
vial
via
];
};
}
#+end_src
**** System Login (greetd)
:PROPERTIES:
:CUSTOM_ID: h:eae45839-223a-4027-bce3-e26e092c9096
:END:
This section houses the greetd related settings. I do not really want to use a display manager, but it is useful to have setup in some ways - in my case for starting sway/niri on system startup. Notably the default user login setting that is commented out here goes into the *system specific* settings, make sure to update it there.n
#+begin_src nix-ts :tangle modules/nixos/client/login.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.login = lib.mkEnableOption "login config";
config = lib.mkIf config.swarselmodules.login {
services.greetd = {
enable = true;
settings = {
# initial_session.command = "sway";
initial_session.command = "uwsm start -- niri-uwsm.desktop";
# --cmd sway
default_session.command = ''
${pkgs.tuigreet}/bin/tuigreet \
--time \
--asterisks \
--user-menu \
--cmd "uwsm start -- niri-uwsm.desktop"
'';
};
};
# environment.etc."greetd/environments".text = ''
# sway
# '';
};
}
#+end_src
**** nix-ld
:PROPERTIES:
:CUSTOM_ID: h:404cc18b-b5f8-48d9-a407-a0fd70d57f46
:END:
This provides libraries for binaries that are not patched for use on NixOS. This really makes the biggest gripe with NixOS go away, that being having to run a binary that is only found in a single spot. It is most of the times possible to patch such a file, but this makes such a situation take much less time to resolve.
Only some binaries that touch system settings might still not work, apart from that, the list of libraries I have curated here should be quite exhaustive.
When a program does not work, start with =nix-ldd =. This will tell you which library is missing. Afterwards, continue with =nix-locate = to find which packages provide that library. Add it to libraries below and rebuild. After a reboot, it will be visible using =nix-ldd=. It can also be useful to take a look at =ldd= to see which libraries are needed in general.
#+begin_src nix-ts :tangle modules/nixos/client/nix-ld.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.nix-ld = lib.mkEnableOption "nix-ld config";
config = lib.mkIf config.swarselmodules.nix-ld {
programs.nix-ld = {
enable = true;
libraries = with pkgs; [
SDL
SDL2
SDL2_image
SDL2_mixer
SDL2_ttf
SDL_image
SDL_mixer
SDL_ttf
alsa-lib
at-spi2-atk
at-spi2-core
atk
bzip2
cairo
cups
curl
dbus
dbus-glib
expat
ffmpeg
flac
fontconfig
freeglut
freetype
fuse3
gdk-pixbuf
glew_1_10
glib
gnome2.GConf
pango
gtk2
gtk3
icu
libGL
libappindicator-gtk2
libappindicator-gtk3
libcaca
libcanberra
libcap
libdbusmenu-gtk2
libdrm
libelf
libgbm
libgcrypt
libglvnd
libidn
libindicator-gtk2
libjpeg
libmikmod
libnotify
libogg
libpng
libpng12
libpulseaudio
librsvg
libsamplerate
libtheora
libtiff
libudev0-shim
libunwind
libusb1
libuuid
libva
libvdpau
libvorbis
libvpx
libxkbcommon
libxml2
libz
mesa
nspr
nss
openssl
pango
pipewire
pixman
speex
steam-fhsenv-without-steam
systemd
tbb
vulkan-loader
libice
libsm
libx11
libxscrnsaver
libxcomposite
libxcursor
libxdamage
libxext
libxfixes
libxft
libxi
libxinerama
libxmu
libxrandr
libxrender
libxt
libxtst
libxxf86vm
libxcb
libxshmfence
zlib
];
};
};
}
#+end_src
**** Summary of nixos-rebuild diff
:PROPERTIES:
:CUSTOM_ID: h:b751d77d-246c-4bd6-b689-3467d82bf9c3
:END:
This snippet is added to the activation script that is run after every rebuild and shows what packages have been added and removed. This is actually not the optimal place to add that snipped, but the correct spot is in some perl file that I have not had the leisure to take a look at yet.
#+begin_src nix-ts :tangle modules/nixos/client/nvd-rebuild.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.nvd = lib.mkEnableOption "nvd config";
config = lib.mkIf config.swarselmodules.nvd {
environment.systemPackages = [
pkgs.nvd
];
# system.activationScripts.diff = {
# supportsDryActivation = true;
# text = ''
# ${pkgs.nvd}/bin/nvd --color=always --nix-bin-dir=${pkgs.nix}/bin diff \
# /run/current-system "$systemConfig"
# '';
# };
};
}
#+end_src
**** gnome-keyring
:PROPERTIES:
:CUSTOM_ID: h:ce50eb90-8bf4-4203-b502-c3165d2fbf1f
:END:
Used for storing sessions in e.g. Nextcloud. Using this on a system level keeps the login information when logging out of the session as well.
#+begin_src nix-ts :tangle modules/nixos/client/gnome-keyring.nix
{ lib, config, ... }:
{
options.swarselmodules.gnome-keyring = lib.mkEnableOption "gnome-keyring config";
config = lib.mkIf config.swarselmodules.gnome-keyring {
services.gnome.gnome-keyring = {
enable = true;
};
programs.seahorse.enable = true;
};
}
#+end_src
**** Sway
:PROPERTIES:
:CUSTOM_ID: h:f78ffdd3-232b-4313-bd89-d6fb331fef22
:END:
This is used to better integrate Sway into the system on NixOS hosts. On the home-manager side, the =package= attribute will be =null= for such an host, using the systems derivation instead.
#+begin_src nix-ts :tangle modules/nixos/client/sway.nix
{ lib, config, pkgs, withHomeManager, ... }:
let
inherit (config.swarselsystems) mainUser;
in
{
options.swarselmodules.sway = lib.mkEnableOption "sway config";
config = lib.mkIf config.swarselmodules.sway
{
programs.sway = {
enable = true;
package = pkgs.swayfx;
wrapperFeatures = {
base = true;
gtk = true;
};
};
} // lib.optionalAttrs withHomeManager {
inherit (config.home-manager.users.${mainUser}.wayland.windowManager.sway) extraSessionCommands;
};
}
#+end_src
**** xdg-portal (Screensharing)
:PROPERTIES:
:CUSTOM_ID: h:872d5f46-2ffd-4076-9a2c-98783dd29434
:END:
This allows me to use screen sharing on Wayland when using [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]]. The implementation is a bit crude and only the whole screen can be shared. However, most of the time that is all I need to do anyways.
Nowadays, I only need to enable portals in general for use with [[#h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb][Niri]], which implements screensharing using gnome-portal (which allows for neat things like hiding shared windows based on =app_id=).
#+begin_src nix-ts :tangle modules/nixos/client/xdg-portal.nix
{ lib, config, ... }:
{
options.swarselmodules.xdg-portal = lib.mkEnableOption "xdg portal config";
config = lib.mkIf config.swarselmodules.xdg-portal {
xdg.portal = {
enable = true;
# config = {
# common = {
# default = "wlr";
# };
# };
# wlr.enable = true;
# wlr.settings.screencast = {
# output_name = "eDP-1";
# chooser_type = "simple";
# chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or";
# };
};
};
}
#+end_src
**** Podman (distrobox)
:PROPERTIES:
:CUSTOM_ID: h:1bef3914-a258-4585-b232-e0fbe9e7a9b5
:END:
I am using distrobox to quickly circumvent isses that I cannot immediately solve on NixOS (which has not happened in a while, but you never know). It is always the goal to quickly get things working on NixOS, but this should usually prevent me from getting completely stuck.
#+begin_src nix-ts :tangle modules/nixos/client/distrobox.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.distrobox = lib.mkEnableOption "distrobox config";
config = lib.mkIf config.swarselmodules.distrobox {
environment.systemPackages = with pkgs; [
distrobox
boxbuddy
];
virtualisation.podman = {
enable = true;
dockerCompat = true;
package = pkgs.podman;
};
};
}
#+end_src
**** Appimage
:PROPERTIES:
:CUSTOM_ID: h:cfc22f8d-251e-4636-98d6-a43cdb112b68
:END:
Adds the necessary tools to allow .appimage programs handling easily.
#+begin_src nix-ts :tangle modules/nixos/client/appimage.nix
{ lib, config, ... }:
{
options.swarselmodules.appimage = lib.mkEnableOption "appimage config";
config = lib.mkIf config.swarselmodules.appimage {
programs.appimage = {
enable = true;
binfmt = true;
};
};
}
#+end_src
**** Handle lid switch correctly
:PROPERTIES:
:CUSTOM_ID: h:a5a0d84e-c7b3-4164-a4c7-2e2d8ada69cd
:END:
This turns off the display when the lid is closed. When we are docked it just turns it off, when using the laptop standalone it instead sends it to suspend.
Notably we also make sure to handle the fingerprint sensor especially, because it can misfire or stop working on wakeup otherwise.
#+begin_src nix-ts :tangle modules/nixos/client/lid.nix
{ lib, config, ... }:
{
options.swarselmodules.lid = lib.mkEnableOption "lid config";
config = lib.mkIf config.swarselmodules.lid {
services.logind.settings.Login = {
HandleLidSwitch = "suspend";
HandleLidSwitchDocked = "ignore";
};
services.acpid = {
enable = true;
handlers.lidClosed = {
event = "button/lid \\w+ close";
action = ''
cat /sys/class/backlight/amdgpu_bl1/device/enabled
if grep -Fxq disabled /sys/class/backlight/amdgpu_bl1/device/enabled
then
echo "Lid closed. Disabling fprintd."
systemctl stop fprintd
ln -s /dev/null /run/systemd/transient/fprintd.service
systemctl daemon-reload
fi
'';
};
handlers.lidOpen = {
event = "button/lid \\w+ open";
action = ''
if ! $(systemctl is-active --quiet fprintd); then
echo "Lid open. Enabling fprintd."
rm -f /run/systemd/transient/fprintd.service
systemctl daemon-reload
systemctl start fprintd
fi
'';
};
};
};
}
#+end_src
**** Low battery notification
:PROPERTIES:
:CUSTOM_ID: h:adf894d7-b3c6-4b8b-b13f-c28b3a5e1e17
:END:
Since I hide the waybar completely during normal operation, I run the risk of not noticing when my battery is about to run out. This module sends a notification when the battery level falls below 10%. Written by [[https://gist.github.com/cafkafk][cafkafk]].
Nowadays, I have replaced this with [[#h:385cc6c7-416c-4570-a5d3-bf8fb7c841e7][Noctalia-shell]].
#+begin_src nix-ts :tangle modules/nixos/client/lowbattery.nix
{ pkgs, lib, config, ... }:
{
options.swarselmodules.lowBattery = lib.mkEnableOption "low battery notification config";
config = lib.mkIf config.swarselmodules.lowBattery {
systemd.user.services."battery-low" =
let
target = "sway-session.target";
in
{
enable = true;
description = "Timer for battery check that alerts at 10% or less";
partOf = [ target ];
wantedBy = [ target ];
serviceConfig = {
Type = "simple";
ExecStart = pkgs.writeShellScript "battery-low-notification"
''
if (( 10 >= $(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+") && $(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%" | ${lib.getExe pkgs.ripgrep} -o "\d+") > 0 ));
then ${lib.getExe pkgs.libnotify} --urgency=critical "low battery" "$(${lib.getExe pkgs.acpi} -b | head -n 1 | ${lib.getExe pkgs.ripgrep} -o "\d+%")";
fi;
'';
};
};
systemd.user.timers."battery-low" = {
wantedBy = [ "timers.target" ];
timerConfig = {
# Every Minute
OnCalendar = "*-*-* *:*:00";
Unit = "battery-low.service";
};
};
};
}
#+end_src
**** Auto-login
:PROPERTIES:
:CUSTOM_ID: h:fa8d9ec4-3e22-458a-9239-859cffe7f55c
:END:
Auto login for the initial session. This basically skips the [[#h:eae45839-223a-4027-bce3-e26e092c9096][System Login (greetd)]] screen.
#+begin_src nix-ts :tangle modules/nixos/client/autologin.nix
{ lib, config, ... }:
let
inherit (config.swarselsystems) mainUser;
in
{
options.swarselmodules.autologin = lib.mkEnableOption "optional autologin settings";
config = lib.mkIf config.swarselmodules.autologin {
services = {
getty.autologinUser = mainUser;
greetd.settings.initial_session.user = mainUser;
};
};
}
#+end_src
**** UWSM
:PROPERTIES:
:CUSTOM_ID: h:74f5961d-2881-4a42-b99f-94c8f70c8196
:END:
UWSM is a helper tool meant to help with chaining systemd services correctly. When starting/ending sessions using it, we can be sure that the corresponding services also start and end with it - this is not standard behaviour!
#+begin_src nix-ts :tangle modules/nixos/client/uwsm.nix
{ lib, config, pkgs, ... }:
let
moduleName = "uwsm";
cfg = config.programs.uwsm;
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
programs.uwsm = {
enable = true;
waylandCompositors = {
sway = {
prettyName = "Sway";
comment = "Sway compositor managed by UWSM";
binPath = "/run/current-system/sw/bin/sway";
};
niri = lib.mkIf (config.programs ? niri) {
prettyName = "Niri";
comment = "Niri compositor managed by UWSM";
binPath = "/run/current-system/sw/bin/niri-session";
};
};
};
services.displayManager.sessionPackages =
let
mk_uwsm_desktop_entry =
opts:
(pkgs.writeTextFile {
name = "${opts.name}-uwsm";
text = ''
[Desktop Entry]
Name=${opts.prettyName} (UWSM)
Comment=${opts.comment}
Exec=${lib.getExe cfg.package} start -F -- ${opts.binPath} ${lib.strings.escapeShellArgs opts.extraArgs}
Type=Application
'';
destination = "/share/wayland-sessions/${opts.name}-uwsm.desktop";
derivationArgs = {
passthru.providedSessions = [ "${opts.name}-uwsm" ];
};
});
in
lib.mkForce (lib.mapAttrsToList
(
name: value:
mk_uwsm_desktop_entry {
inherit name;
inherit (value)
prettyName
comment
binPath
extraArgs
;
}
)
cfg.waylandCompositors);
};
}
#+end_src
**** Firezone Client
:PROPERTIES:
:CUSTOM_ID: h:4d018a21-637b-4c7d-b9c9-7f1b95144a07
:END:
This is the VPN client that I use to access my internal network at home.
#+begin_src nix-ts :tangle modules/nixos/client/firezone-client.nix
{ lib, config, ... }:
let
moduleName = "firezone-client";
inherit (config.swarselsystems) mainUser;
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
services.firezone.gui-client = {
enable = true;
inherit (config.node) name;
allowedUsers = [ mainUser ];
};
};
}
#+end_src
*** Server
:PROPERTIES:
:CUSTOM_ID: h:e492c24a-83a0-4bcb-a084-706f49318651
:END:
In a similar way as the [[#h:1bb03c4c-7749-47c1-9af6-1b3d748cebf4][Client]] section, these modules are to be used mostly on servers.
**** Imports
:PROPERTIES:
:CUSTOM_ID: h:4e64e564-b7cb-469f-bd79-cd3efb3caa62
:END:
First, we enable the use of =home-manager= as a NixoS module.
Also, we disable the warnings that trigger when rebuilding with a dirty flake. At this point, I am also disabling channels and pinning the flake registry - the latter lets me use the local version of nixpkgs for commands like =nix shell= (without it, we will always download the newest version of nixpkgs for these commands).
Also, the system state version is set here. No need to touch it.
#+begin_src nix-ts :tangle modules/nixos/server/default.nix
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/nixos/server";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/nixos/server";
}
#+end_src
**** General NixOS Server settings
:PROPERTIES:
:CUSTOM_ID: h:dc365e83-f6c8-4d05-a390-b5f2d01649b4
:END:
Here we just define some aliases for rebuilding the system, and we allow some insecure packages that are needed by some server derivations. It would be more elegant to define these in the respective module, but nixpkgs needs to be defined before we can evaluate modules within it, so this must be a top-level configuration.
#+begin_src nix-ts :tangle modules/nixos/server/settings.nix
{ lib, config, ... }:
let
inherit (config.swarselsystems) flakePath;
in
{
options.swarselmodules.server.general = lib.mkEnableOption "general setting on server";
options.swarselsystems = {
shellAliases = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = { };
};
};
config = lib.mkIf config.swarselmodules.server.general {
environment.shellAliases = lib.recursiveUpdate
{
nswitch = "cd ${flakePath}; swarsel-deploy $(hostname) switch; cd -;";
ntest = "cd ${flakePath}; swarsel-deploy $(hostname) test; cd -;";
nboot = "cd ${flakePath}; swarsel-deploy $(hostname) boot; cd -;";
ndry = "cd ${flakePath}; swarsel-deploy $(hostname) dry-activate; cd -;";
}
config.swarselsystems.shellAliases;
nixpkgs.config = lib.mkIf (!config.swarselsystems.isMicroVM) {
permittedInsecurePackages = [
# matrix
"olm-3.2.16"
# sonarr
"aspnetcore-runtime-wrapped-6.0.36"
"aspnetcore-runtime-6.0.36"
"dotnet-sdk-wrapped-6.0.428"
"dotnet-sdk-6.0.428"
#
"SDL_ttf-2.0.11"
];
};
};
}
#+end_src
**** Persistent user/group IDs
:PROPERTIES:
:CUSTOM_ID: h:2ae284ba-423e-4181-9447-a45ff7187591
:END:
When using microvms, I opted to use ZFS with it, and mount datasets into the microvms. That however means that we need to make sure that userids stay consistent between microvm reboots. This could be done by persisting =/var/lib/nixos=, but even then it would not be guaranteed that all UIDs/GIDs match up with the hypervising host, which would not be a big problem, but I like to keep it consistent anyways.
With this, evaluation will fail if there are any users/groups that are not declaratively managed.
#+begin_src nix-ts :tangle modules/nixos/server/id.nix
{ lib, config, confLib, ... }:
let
inherit (lib)
concatLists
flip
mapAttrsToList
mkDefault
mkIf
mkOption
types
;
cfg = config.users.persistentIds;
in
{
options = {
swarselmodules.server.ids = lib.mkEnableOption "enable persistent ids on server";
users = {
persistentIds = mkOption {
default = { };
description = ''
Maps a user or group name to its expected uid/gid values. If a user/group is
used on the system without specifying a uid/gid, this module will assign the
corresponding ids defined here, or show an error if the definition is missing.
'';
type = types.attrsOf (
types.submodule {
options = {
uid = mkOption {
type = types.nullOr types.int;
default = null;
description = "The uid to assign if it is missing in `users.users.`.";
};
gid = mkOption {
type = types.nullOr types.int;
default = null;
description = "The gid to assign if it is missing in `users.groups.`.";
};
};
}
);
};
users = mkOption {
type = types.attrsOf (
types.submodule (
{ name, ... }:
{
config.uid =
let
persistentUid = cfg.${name}.uid or null;
in
mkIf (persistentUid != null) (mkDefault persistentUid);
}
)
);
};
groups = mkOption {
type = types.attrsOf (
types.submodule (
{ name, ... }:
{
config.gid =
let
persistentGid = cfg.${name}.gid or null;
in
mkIf (persistentGid != null) (mkDefault persistentGid);
}
)
);
};
};
};
config = lib.mkIf config.swarselmodules.server.ids {
assertions =
concatLists
(
flip mapAttrsToList config.users.users (
name: user: [
{
assertion = user.uid != null;
message = "non-persistent uid detected for '${name}', please assign one via `users.persistentIds`";
}
{
assertion = !user.autoSubUidGidRange;
message = "non-persistent subUids/subGids detected for: ${name}";
}
]
)
)
++ flip mapAttrsToList config.users.groups (
name: group: {
assertion = group.gid != null;
message = "non-persistent gid detected for '${name}', please assign one via `users.persistentIds`";
}
);
users.persistentIds = {
systemd-coredump = confLib.mkIds 998;
systemd-oom = confLib.mkIds 997;
polkituser = confLib.mkIds 973;
nscd = confLib.mkIds 972;
};
};
}
#+end_src
**** System Packages (Server Programs)
:PROPERTIES:
:CUSTOM_ID: h:6f2967d9-7e32-4605-bb5c-5e27770bec0f
:END:
This is a collection of packages that are useful for server-type hosts that do not really fit into other modules; the optional part of the list is for packages that are built as part of [[#h:c01a91b8-b751-4978-b987-733de63c8211][Packages (config)]]; systems that are not built with home-manager will not be able to pass the required parameters to build these packages, hence we cannot build them here. This mostly applies to microvms.
#+begin_src nix-ts :tangle modules/nixos/server/packages.nix
{ lib, config, pkgs, withHomeManager, ... }:
{
options.swarselmodules.server.packages = lib.mkEnableOption "enable packages on server";
config = lib.mkIf config.swarselmodules.server.packages {
environment.systemPackages = with pkgs; [
gnupg
nvd
nix-output-monitor
ssh-to-age
git
emacs
vim
sops
tmux
busybox
ndisc6
tcpdump
swarsel-deploy
] ++ lib.optionals withHomeManager [
swarsel-gens
swarsel-switch
];
};
}
#+end_src
**** nfs/samba (smb)
:PROPERTIES:
:CUSTOM_ID: h:d6840d31-110c-465f-93fa-0306f755de28
:END:
Handles my main NFS share. User password setup is currently not declarative, I need to write a service for it at some point.
#+begin_src nix-ts :tangle modules/nixos/server/nfs.nix
{ lib, config, pkgs, globals, confLib, ... }:
let
nfsUser = globals.user.name;
in
{
options.swarselmodules.server.nfs = lib.mkEnableOption "enable nfs on server";
config = lib.mkIf config.swarselmodules.server.nfs {
users.persistentIds = {
avahi = confLib.mkIds 978;
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/cache/samba"; }
];
};
services = {
# add a user with sudo smbpasswd -a
samba = {
package = pkgs.samba4;
enable = true;
openFirewall = true;
settings.Eternor = {
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
path = "/storage";
writable = "true";
comment = "Eternor";
"valid users" = nfsUser;
};
};
avahi = {
publish.enable = true;
publish.userServices = true; # Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile`
nssmdns4 = true;
enable = true;
openFirewall = true;
};
# This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued
samba-wsdd = {
enable = true;
openFirewall = true;
};
};
};
}
#+end_src
**** acme
:PROPERTIES:
:CUSTOM_ID: h:ebe3413f-ef12-4b22-9121-380d599d83ca
:END:
This sets up acme which I use to generate certificates. Nowadays I no longer use cloudflare but acme-dns, which allows me to have my dns records spread out over multiple providers for redundancy.
#+begin_src nix-ts :tangle modules/nixos/server/acme.nix
{ self, pkgs, lib, config, globals, confLib, ... }:
let
inherit (config.repo.secrets.common) dnsProvider dnsBase dnsMail;
sopsFile = self + "/secrets/nginx/acme.json";
in
{
options.swarselmodules.server.acme = lib.mkEnableOption "enable acme on server";
config = lib.mkIf config.swarselmodules.server.acme {
environment.systemPackages = with pkgs; [
lego
];
sops = {
secrets = {
acme-creds = { format = "json"; key = ""; group = "acme"; inherit sopsFile; mode = "0660"; };
};
templates."certs.secret".content = ''
ACME_DNS_API_BASE = ${dnsBase}
ACME_DNS_STORAGE_PATH=${config.sops.secrets.acme-creds.path}
'';
};
users = {
persistentIds.acme = confLib.mkIds 967;
groups.acme.members = lib.mkIf config.swarselmodules.server.nginx [ "nginx" ];
};
security.acme = {
acceptTerms = true;
defaults = {
inherit dnsProvider;
email = dnsMail;
environmentFile = "${config.sops.templates."certs.secret".path}";
reloadServices = [ "nginx" ];
dnsPropagationCheck = true;
};
certs."${globals.domains.main}" = {
domain = "*.${globals.domains.main}";
};
};
environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
directories = [{ directory = "/var/lib/acme"; }];
};
};
}
#+end_src
**** NGINX
:PROPERTIES:
:CUSTOM_ID: h:302468d2-106a-41c8-b2bc-9fdc40064a9c
:END:
This is the general NGINX config usind on [[#h:19300583-322b-4e0b-b657-857fbf23dfa1][Twothreetunnel (OCI)]] and the [[#h:90dc7f71-f9da-49ef-b273-edfab7daaa05][Nginx]] guest on [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hintbooth (Router: HUNSN RM02)]]. The virtualhosts themselves are declared in the respective service modules.
#+begin_src nix-ts :tangle modules/nixos/server/nginx.nix
{ pkgs, lib, config, ... }:
let
serviceUser = "nginx";
serviceGroup = serviceUser;
sslBasePath = "/etc/ssl";
dhParamsPathBase = "${sslBasePath}/dhparams.pem";
dhParamsPath =
if config.swarselsystems.isImpermanence then
"/persist/${dhParamsPathBase}"
else
"${dhParamsPathBase}";
in
{
options.swarselmodules.server.nginx = lib.mkEnableOption "enable nginx on server";
options.services.nginx = {
recommendedSecurityHeaders = lib.mkEnableOption "additional security headers by default in each location block.";
defaultStapling = lib.mkEnableOption "add ssl stapling in each location block..";
virtualHosts = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (topmod: {
options = {
defaultStapling = lib.mkOption {
type = lib.types.bool;
default = config.services.nginx.defaultStapling;
description = "Whether to add ssl stapling to this location.";
};
locations = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (submod: {
options = {
recommendedSecurityHeaders = lib.mkOption {
type = lib.types.bool;
default = config.services.nginx.recommendedSecurityHeaders;
description = "Whether to add additional security headers to this location.";
};
X-Frame-Options = lib.mkOption {
type = lib.types.str;
default = "DENY";
description = "The value to use for X-Frame-Options";
};
};
config = {
extraConfig = lib.mkIf submod.config.recommendedSecurityHeaders (lib.mkBefore ''
# Hide upstream's versions
proxy_hide_header Strict-Transport-Security;
proxy_hide_header Referrer-Policy;
proxy_hide_header X-Content-Type-Options;
proxy_hide_header X-Frame-Options;
# Enable HTTP Strict Transport Security (HSTS)
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# Minimize information leaked to other domains
add_header Referrer-Policy "origin-when-cross-origin";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "${submod.config.X-Frame-Options}";
add_header X-Content-Type-Options "nosniff";
''
);
};
})
);
};
};
config = {
extraConfig = lib.mkIf topmod.config.defaultStapling (lib.mkBefore ''
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
'');
};
})
);
};
};
config = lib.mkIf config.swarselmodules.server.nginx {
swarselmodules.server.acme = lib.mkDefault true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
environment.persistence = {
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
files = [ dhParamsPathBase ];
};
"/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/cache/nginx"; user = "nginx"; group = "nginx"; }
];
};
};
services.nginx = {
enable = true;
user = serviceUser;
group = serviceGroup;
statusPage = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedBrotliSettings = true;
recommendedSecurityHeaders = true;
defaultStapling = true;
sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:!aNULL";
sslDhparam = dhParamsPathBase;
virtualHosts.fallback = {
default = true;
rejectSSL = true;
locations."/".extraConfig = ''
deny all;
'';
};
};
systemd.services.generateDHParams = {
before = [ "nginx.service" ];
requiredBy = [ "nginx.service" ];
after = [ "local-fs.target" ];
requires = [ "local-fs.target" ];
serviceConfig = {
Type = "oneshot";
};
script = ''
set -eu
install -d -m 0755 ${sslBasePath}
${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else ""}
if [ ! -f "${dhParamsPath}" ]; then
${pkgs.openssl}/bin/openssl dhparam -out "${dhParamsPath}" 4096
chmod 0644 "${dhParamsPath}"
chown ${serviceUser}:${serviceGroup} "${dhParamsPath}"
else
echo 'Already generated DHParams'
fi
'';
};
# system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
# deps = [ "generateDHParams" "users" "groups" ];
# };
# system.activationScripts."generateDHParams" =
# {
# text = ''
# set -eu
# ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${sslBasePath}" else "${pkgs.coreutils}/bin/install -d -m 0755 ${sslBasePath}"}
# if [ ! -f "${dhParamsPath}" ]; then
# ${pkgs.openssl}/bin/openssl dhparam -out ${dhParamsPath} 4096
# chmod 0644 ${dhParamsPath}
# chown ${serviceUser}:${serviceGroup} ${dhParamsPath}
# fi
# '';
# deps = [
# (lib.mkIf config.swarselsystems.isImpermanence "specialfs")
# (lib.mkIf (!config.swarselsystems.isImpermanence) "etc")
# ];
# };
};
}
#+end_src
**** ssh
:PROPERTIES:
:CUSTOM_ID: h:f3db197d-1d03-4bf8-b59f-f9891b358f0b
:END:
Here I am forcing =startWhenNeeded= to false so that the value will not be set to true in containers = this would be a problem because it would delay ssh host key generation.
#+begin_src nix-ts :tangle modules/nixos/server/ssh.nix
{ self, lib, config, withHomeManager, confLib, ... }:
{
options.swarselmodules.server.ssh = lib.mkEnableOption "enable ssh on server";
config = lib.mkIf config.swarselmodules.server.ssh {
services.openssh = {
enable = true;
startWhenNeeded = lib.mkForce false;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "yes";
AllowUsers = [
"root"
config.swarselsystems.mainUser
];
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
users = {
persistentIds = {
sshd = lib.mkIf config.swarselmodules.server.ids (confLib.mkIds 979);
};
users = {
"${config.swarselsystems.mainUser}".openssh.authorizedKeys.keyFiles = lib.mkIf withHomeManager [
(self + /secrets/public/ssh/yubikey.pub)
(self + /secrets/public/ssh/magicant.pub)
# (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))
];
root.openssh.authorizedKeys.keyFiles = [
(self + /secrets/public/ssh/yubikey.pub)
(self + /secrets/public/ssh/magicant.pub)
# (lib.mkIf config.swarselsystems.isBastionTarget (self + /secrets/public/ssh/jump.pub))
];
};
};
security.sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
'';
};
}
#+end_src
**** Bastion
:PROPERTIES:
:CUSTOM_ID: h:d858c65c-4ca8-4ee5-971b-1a4aa4ccaa57
:END:
Some extra config to harden the config on my ssh bastion host. It makes it so that logging in as the jump user is prohibited on that host, and forwardAgent is forbidden.
#+begin_src nix-ts :tangle modules/nixos/server/bastion.nix
{ self, lib, config, withHomeManager, confLib, ... }:
{
options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server";
config = lib.mkIf config.swarselmodules.server.bastion ({
users = {
persistentIds.jump = confLib.mkIds 1001;
groups = {
jump = { };
};
users = {
jump = {
autoSubUidGidRange = false;
isNormalUser = true;
useDefaultShell = true;
group = lib.mkForce "jump";
createHome = lib.mkForce true;
openssh.authorizedKeys.keyFiles = [
(self + /secrets/public/ssh/yubikey.pub)
(self + /secrets/public/ssh/magicant.pub)
(self + /secrets/public/ssh/builder.pub)
];
};
};
};
services.openssh = {
enable = true;
startWhenNeeded = lib.mkForce false;
authorizedKeysInHomedir = false;
extraConfig = ''
Match User jump
PermitTTY no
X11Forwarding no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no
'';
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkDefault "no";
AllowUsers = [
"jump"
];
};
hostKeys = lib.mkIf (!config.swarselmodules.server.ssh) [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
} // lib.optionalAttrs withHomeManager {
home-manager.users.jump.config = {
home.stateVersion = lib.mkDefault "23.05";
programs.ssh = {
enable = true;
enableDefaultConfig = false;
matchBlocks = {
"*" = {
forwardAgent = false;
};
} // config.repo.secrets.local.ssh.hosts;
};
};
});
}
#+end_src
**** ssh builder config
:PROPERTIES:
:CUSTOM_ID: h:24eca48d-715f-4459-b7cd-8c3e74fd93a4
:END:
Restricts access to the system by the nix build user as per https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834.
#+begin_src nix-ts :tangle modules/nixos/server/ssh-builder.nix
{ self, pkgs, lib, config, confLib, ... }:
let
ssh-restrict = "restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" ";
wrapper-dispatch-ssh-nix = pkgs.writeShellScriptBin "wrapper-dispatch-ssh-nix" ''
case $SSH_ORIGINAL_COMMAND in
"nix-daemon --stdio")
exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-daemon --stdio
;;
"nix-store --serve --write")
exec env NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ${config.nix.package}/bin/nix-store --serve --write
;;
*)
echo "Access only allowed for using the nix remote builder" 1>&2
exit
esac
'';
in
{
options.swarselmodules.server.ssh-builder = lib.mkEnableOption "enable ssh-builder config on server";
config = lib.mkIf config.swarselmodules.server.ssh-builder {
users = {
persistentIds.builder = confLib.mkIds 965;
groups.builder = { };
users.builder = {
useDefaultShell = true;
isSystemUser = true;
group = "builder";
openssh.authorizedKeys.keys = [
''${ssh-restrict} ${builtins.readFile "${self}/secrets/public/ssh/builder.pub"}''
];
};
};
services.openssh = {
settings = {
AllowUsers = [
"builder"
];
};
};
};
}
#+end_src
**** Network settings (globals.networks population)
:PROPERTIES:
:CUSTOM_ID: h:0ff3acc5-9ce8-4b22-a2e2-f6f1e69d47a5
:END:
Generate hostId using =head -c4 /dev/urandom | od -A none -t x4=
This section is mainly used to populate entries in =globals.networks= with the interfaces defined in the local secrets of the respective host. Also, we expose some convenient values under =globals.hosts= and setup basic networking.
#+begin_src nix-ts :tangle modules/nixos/server/network.nix
{ lib, config, ... }:
let
netConfig = config.repo.secrets.local.networking;
netPrefix = "${if config.swarselsystems.isCloud then config.node.name else "home"}";
in
{
options = {
swarselmodules.server.network = lib.mkEnableOption "enable server network config";
swarselsystems.server = {
localNetwork = lib.mkOption {
type = lib.types.str;
default = "";
};
netConfigName = lib.mkOption {
type = lib.types.str;
default = "${netPrefix}-${config.swarselsystems.server.localNetwork}";
readOnly = true;
};
netConfigPrefix = lib.mkOption {
type = lib.types.str;
default = netPrefix;
readOnly = true;
};
};
};
config = lib.mkIf config.swarselmodules.server.network {
swarselsystems.server.localNetwork = netConfig.localNetwork or "";
globals.networks = lib.mkIf config.swarselsystems.writeGlobalNetworks (lib.mapAttrs'
(netName: _:
lib.nameValuePair "${netPrefix}-${netName}" {
hosts.${config.node.name} = {
inherit (netConfig.networks.${netName}) id;
mac = netConfig.networks.${netName}.mac or null;
};
}
)
netConfig.networks);
globals.hosts.${config.node.name} = {
defaultGateway4 = netConfig.defaultGateway4 or null;
defaultGateway6 = netConfig.defaultGateway6 or null;
wanAddress4 = netConfig.wanAddress4 or null;
wanAddress6 = netConfig.wanAddress6 or null;
isHome = if (netPrefix == "home") then true else false;
};
networking = {
inherit (netConfig) hostId;
hostName = config.node.name;
nftables.enable = lib.mkDefault false;
enableIPv6 = lib.mkDefault true;
firewall = {
enable = lib.mkDefault true;
};
};
};
}
#+end_src
**** Disk encryption
:PROPERTIES:
:CUSTOM_ID: h:19d829f6-580f-4e04-8776-2bfd83c3c3dd
:END:
The hostkey can be generated with =ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key=.
Use =lspci -v | grep -iA8 'network\|ethernet'= to supposedly find out which kernel module is needed for networking in initrd. However I prefer a different approach:
Use =lspci -nn | grep -i network= to find out manufacturer info:
#+begin_src shell :exports both
lspci -nn | grep -i 'network\|ethernet'
#+end_src
#+RESULTS:
: 04:00.0 Network controller [0280]: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter [14c3:0616]
From the last bracket you then find out the correct kernel module:
#+begin_src shell :exports both :results output
lspci -k -d 14c3:0616
#+end_src
#+RESULTS:
: 04:00.0 Network controller: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter
: Subsystem: MEDIATEK Corp. Device e616
: Kernel driver in use: mt7921e
: Kernel modules: mt7921e
A little note about the secrets part:
systemd-initrd provides a lightweight SSH server in form of dropbear - in order to not crash we need to have a hostkey ready in the initrd. I achieve this by generating a hostkey in the build process in casy I am doing an initial install (another way - and safer - would be to push that in [[#h:74db57ae-0bb9-4257-84be-eddbc85130dd][swarsel-bootstrap]] I guess) - this results in the hostkey landing in the nix store. However, I only ever spend like 5 minutes in this state before I rebuild to the full system, where this hostkey is no longer used. This is because upon first activation, we will then run another =ssh-keygen= that will then write to persisted storage. All "unlock" SSH hosts are to be reached over port 2222, and =systemctl default= will be run immediately upon login, which will guide towards attaining a working system (in normal operation, it will simply ask for the password).
I also take some precautions in how I get networking information during stage 1. For the most part, I just use [[#h:12370671-7892-4a74-a804-84f871acde06][systemd-networkd (server)]], however, for hosts in my local network, I take another step to define the network in the =kernelParams=, to make extra sure I can reach it.
#+begin_src nix-ts :tangle modules/nixos/server/disk-encrypt.nix
{ self, pkgs, lib, config, minimal, ... }:
let
hostKeyPathBase = "/etc/secrets/initrd/ssh_host_ed25519_key";
hostKeyPath =
if config.swarselsystems.isImpermanence then
"/persist/${hostKeyPathBase}"
else
"${hostKeyPathBase}";
# this key is only used only for ssh to stage 1 in initial provisioning (in nix store)
generatedHostKey = pkgs.runCommand "initrd-hostkey" { } ''
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f $out
'';
in
{
options.swarselmodules.server.diskEncryption = lib.mkEnableOption "enable disk encryption config";
options.swarselsystems.networkKernelModules = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
config = lib.mkIf (config.swarselmodules.server.diskEncryption && config.swarselsystems.isCrypted) {
# as soon as we hit a stable system, we will use a persisted key
# @future me: dont mkIf this to minimal, we need to create this as soon as possible
system.activationScripts.ensureInitrdHostkey = {
text = ''
[[ -e ${hostKeyPath} ]] || ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f ${hostKeyPath}
'';
deps = [
"users"
] ++ lib.optional config.swarselsystems.isImpermanence "createPersistentStorageDirs";
};
environment.persistence."/persist" = lib.mkIf (config.swarselsystems.isImpermanence && (config.swarselprofiles.server || minimal)) {
files = [ hostKeyPathBase ];
};
boot = lib.mkIf (!config.swarselsystems.isClient) {
# kernelParams = lib.mkIf (!config.swarselsystems.isCloud && ((config.swarselsystems.localVLANs == []) || isRouter)) [
# "ip=${localIp}::${gatewayIp}:${subnetMask}:${config.networking.hostName}::none"
# ];
initrd = {
secrets."/tmp${hostKeyPathBase}" = if minimal then (lib.mkForce generatedHostKey) else (lib.mkForce hostKeyPath); # need to mkForce this or it behaves stateful
availableKernelModules = config.swarselsystems.networkKernelModules;
kernelModules = config.swarselsystems.networkKernelModules; # at least summers needs this to actually find the interfaces
network = {
enable = true;
flushBeforeStage2 = true;
ssh = {
enable = true;
port = 2222; # avoid hostkey changed nag
authorizedKeys = [
''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/yubikey.pub"}''
''command="/bin/systemctl default" ${builtins.readFile "${self}/secrets/public/ssh/magicant.pub"}''
];
hostKeys = [ "/tmp${hostKeyPathBase}" ]; # use a tmp file otherwise persist mount will be unhappy
};
};
systemd = {
initrdBin = with pkgs; [
cryptsetup
];
};
};
};
};
}
#+end_src
**** Attic setup
:PROPERTIES:
:CUSTOM_ID: h:046d3d66-1f13-4a41-a6b7-7ed76f863773
:END:
By default, attic only provides a cli client to authenticate to caches. I want all my servers to use my main binary cache, which is what I set up here.
#+begin_src nix-ts :tangle modules/nixos/server/attic-setup.nix
{ lib, config, pkgs, globals, ... }:
{
options.swarselmodules.server.attic-setup = lib.mkEnableOption "enable attic setup";
config = lib.mkIf config.swarselmodules.server.attic-setup {
environment.systemPackages = with pkgs; [
attic-client
];
sops = {
secrets = {
attic-cache-key = { };
};
templates = {
"attic-env".content = ''
DOMAIN=https://${globals.services.attic.domain}
TOKEN=${config.sops.placeholder.attic-cache-key}
'';
};
};
systemd.services.attic-cache-setup = {
description = "Ensure attic is authenticated to cache";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
EnvironmentFile = [
config.sops.templates.attic-env.path
];
};
script =
let
attic = lib.getExe pkgs.attic-client;
in
''
set -eu
if ${attic} cache info ${config.swarselsystems.mainUser} >/dev/null 2>&1; then
echo "cache already authenticated"
exit 0
fi
echo "cache not authenticated, attempting login..."
${attic} login ${config.swarselsystems.mainUser} "$DOMAIN" "$TOKEN" --set-default
${attic} use ${config.swarselsystems.mainUser}
'';
};
};
}
#+end_src
**** TODO Wireguard
:PROPERTIES:
:CUSTOM_ID: h:8cf0018d-00ba-4616-87d9-f91c614face9
:END:
I use wireguard for two things:
- proxying of my services (both internal and external) to my proxy node
- proxying of my internal services to an internal [[#h:302468d2-106a-41c8-b2bc-9fdc40064a9c][NGINX]] in order to save on bandwidth
At current, this means that I am running two wireguard interfaces - the following configuration allows me to define an arbitrary number of wireguard interfaces that each host can be part of (either as "client" or "server"). All of these connections are really point-to-point. On the client side, I set =persistentKeepalive= unconditionally, which is lazy (and a bit of a security issue). Also, I noticed that I lose 12 bits of MTU somewhere - I would have expected to be able to set MTU 1420, but that does not seem to be the case. TODO:fix both
In order to define a new wireguard interface, I have to:
- add another - network to globals
- add its members under hosts
- add the =wgInterfaceName= together with id to the server nodes local pii
- make sure all members have their private keys in their secrets file and their public key under =secrets/public/wg=
- make sure that all preshared keys exist in =secrets/repo/wg.yaml= TODO: maybe split wg.yaml into per-interface files with finer-grained acl
#+begin_src nix-ts :tangle modules/nixos/server/wireguard.nix
{ self, lib, pkgs, config, confLib, nodes, globals, ... }:
let
inherit (confLib.gen {
name = "wireguard";
port = 52829;
user = "systemd-network";
group = "systemd-network";
}) servicePort serviceName serviceUser serviceGroup;
inherit (config.swarselsystems) sopsFile;
wgSopsFile = self + "/secrets/repo/wg.yaml";
cfg = config.swarselsystems.server.wireguard;
inherit (cfg) interfaces;
ifaceList = builtins.attrValues interfaces;
in
{
options = {
swarselmodules.server.${serviceName} =
lib.mkEnableOption "enable ${serviceName} settings";
swarselsystems.server.wireguard = {
interfaces =
let
topConfig = config;
in
lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ config, name, ... }: {
options = {
isServer = lib.mkEnableOption "set this interface as a wireguard server";
isClient = lib.mkEnableOption "set this interface as a wireguard client";
serverName = lib.mkOption {
type = lib.types.str;
default = if config.isServer then topConfig.node.name else "";
description = "Hostname of the WireGuard server this interface connects to (when isClient = true).";
};
serverNetConfigPrefix = lib.mkOption {
type = lib.types.str;
default =
let
serverCfg = nodes.${config.serverName}.config;
in
if serverCfg.swarselsystems.isCloud
then serverCfg.node.name
else "home";
readOnly = true;
description = "Prefix used to look up the server network in globals.networks.\"-wg\".";
};
ifName = lib.mkOption {
type = lib.types.str;
default = name;
description = "Name of the WireGuard interface.";
};
port = lib.mkOption {
type = lib.types.int;
default = servicePort;
description = "Port of the WireGuard interface.";
};
peers = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = lib.attrNames (lib.filterAttrs (name: _: name != topConfig.node.name) globals.networks."${config.serverNetConfigPrefix}-${config.ifName}".hosts);
description = "WireGuard peer config names of this wireguardinterface.";
};
};
}));
default = { };
description = "WireGuard interfaces defined on this host.";
};
};
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
assertions = lib.concatLists (
lib.flip lib.mapAttrsToList interfaces (
ifName: ifCfg:
let
assertionPrefix = "While evaluating the wireguard network ${ifName}:";
in
[
{
assertion = ifCfg.isServer || (ifCfg.isClient && ifCfg.serverName != "");
message = "${assertionPrefix}: This node must either be a server for the wireguard network or a client with serverName set.";
}
{
assertion = lib.stringLength ifName < 16;
message = "${assertionPrefix}: The specified linkName '${ifName}' is too long (must be max 15 characters).";
}
]
)
);
topology.self.interfaces = lib.mapAttrs'
(wgName: _:
lib.nameValuePair "${wgName}" {
network = wgName;
}
)
config.swarselsystems.server.wireguard.interfaces;
environment.systemPackages = with pkgs; [
wireguard-tools
];
sops.secrets =
lib.mkMerge (
[
{
wireguard-private-key = {
inherit sopsFile;
owner = serviceUser;
group = serviceGroup;
mode = "0600";
};
}
] ++ (map
(i:
let
clientSecrets =
lib.optionalAttrs i.isClient {
"wireguard-${i.serverName}-${config.node.name}-${i.ifName}-presharedKey" = {
sopsFile = wgSopsFile;
owner = serviceUser;
group = serviceGroup;
mode = "0600";
};
};
serverSecrets =
lib.optionalAttrs i.isServer (builtins.listToAttrs (map
(clientName: {
name = "wireguard-${config.node.name}-${clientName}-${i.ifName}-presharedKey";
value = {
sopsFile = wgSopsFile;
owner = serviceUser;
group = serviceGroup;
mode = "0600";
};
})
i.peers));
in
clientSecrets // serverSecrets
)
ifaceList)
);
networking.firewall = {
checkReversePath = lib.mkIf (lib.any (i: i.isClient) ifaceList) "loose";
allowedUDPPorts = lib.mkMerge (
lib.flip lib.mapAttrsToList interfaces (
_: ifCfg:
lib.optional ifCfg.isServer ifCfg.port
)
);
};
networking.nftables.firewall = {
zones = lib.mkMerge
(
lib.flip lib.mapAttrsToList interfaces (
ifName: ifCfg:
{
${ifName}.interfaces = [ ifName ];
}
// lib.listToAttrs (map
(peer:
let
peerNet = globals.networks."${ifCfg.serverNetConfigPrefix}-${ifName}".hosts.${peer};
in
lib.nameValuePair "${ifName}-node-${peer}" {
parent = ifName;
ipv4Addresses = lib.optional (peerNet.ipv4 != null) peerNet.ipv4;
ipv6Addresses = lib.optional (peerNet.ipv6 != null) peerNet.ipv6;
}
)
ifCfg.peers)
)
);
rules = lib.mkMerge (
lib.flip lib.mapAttrsToList interfaces (
ifName: ifCfg:
let
inherit (config.networking.nftables.firewall) localZoneName;
netCfg = globals.networks."${ifCfg.serverNetConfigPrefix}-${ifName}";
in
{
"${ifName}-to-${localZoneName}" = {
inherit (netCfg.firewallRuleForAll) allowedTCPPorts allowedUDPPorts allowedTCPPortRanges allowedUDPPortRanges;
from = [ ifName ];
to = [ localZoneName ];
ignoreEmptyRule = true;
};
}
// lib.listToAttrs (map
(peer:
lib.nameValuePair "${ifName}-node-${peer}-to-${localZoneName}" (
lib.mkIf (netCfg.hosts.${config.node.name}.firewallRuleForNode ? ${peer}) {
inherit (netCfg.hosts.${config.node.name}.firewallRuleForNode.${peer}) allowedTCPPorts allowedTCPPortRanges allowedUDPPorts allowedUDPPortRanges;
from = [ "${ifName}-node-${peer}" ];
to = [ localZoneName ];
ignoreEmptyRule = true;
}
)
)
ifCfg.peers)
)
);
};
systemd.network = {
enable = true;
networks = lib.mkMerge (map
(i:
let
inherit (i) ifName;
in
{
"50-${ifName}" = {
matchConfig.Name = ifName;
linkConfig = {
MTUBytes = 1408; # TODO: figure out where we lose those 12 bits (8 from pppoe maybe + ???)
};
address = [
globals.networks."${i.serverNetConfigPrefix}-${ifName}".hosts.${config.node.name}.cidrv4
globals.networks."${i.serverNetConfigPrefix}-${ifName}".hosts.${config.node.name}.cidrv6
];
};
})
ifaceList);
netdevs = lib.mkMerge (map
(i:
let
inherit (i) ifName;
in
{
"50-${ifName}" = {
netdevConfig = {
Kind = "wireguard";
Name = ifName;
};
wireguardConfig = {
ListenPort = lib.mkIf i.isServer servicePort;
PrivateKeyFile = config.sops.secrets.wireguard-private-key.path;
RouteTable = lib.mkIf i.isClient "main";
};
wireguardPeers =
lib.optionals i.isClient [
{
PublicKey =
builtins.readFile "${self}/secrets/public/wg/${i.serverName}.pub";
PresharedKeyFile =
config.sops.secrets."wireguard-${i.serverName}-${config.node.name}-${i.ifName}-presharedKey".path;
Endpoint =
"server.${i.serverName}.${globals.domains.main}:${toString servicePort}";
PersistentKeepalive = 25;
AllowedIPs =
let
wgNetwork = globals.networks."${i.serverNetConfigPrefix}-${i.ifName}";
in
(lib.optional (wgNetwork.cidrv4 != null) wgNetwork.cidrv4)
++ (lib.optional (wgNetwork.cidrv6 != null) wgNetwork.cidrv6);
}
]
++ lib.optionals i.isServer (map
(clientName: {
PublicKey =
builtins.readFile "${self}/secrets/public/wg/${clientName}.pub";
PresharedKeyFile =
config.sops.secrets."wireguard-${i.serverName}-${clientName}-${i.ifName}-presharedKey".path;
AllowedIPs =
let
clientInWgNetwork =
globals.networks."${i.serverNetConfigPrefix}-${i.ifName}".hosts.${clientName};
in
(lib.optional (clientInWgNetwork.ipv4 != null)
(lib.net.cidr.make 32 clientInWgNetwork.ipv4))
++ (lib.optional (clientInWgNetwork.ipv6 != null)
(lib.net.cidr.make 128 clientInWgNetwork.ipv6));
})
i.peers);
};
})
ifaceList);
};
};
}
#+end_src
**** BTRFS
:PROPERTIES:
:CUSTOM_ID: h:475b0892-bdbd-4aa2-b68e-86a037f27b04
:END:
This literally just adds the btrfs parameters.
#+begin_src nix-ts :tangle modules/nixos/server/btrfs.nix
{ lib, config, ... }:
{
options.swarselmodules.btrfs = lib.mkEnableOption "optional btrfs settings";
config = lib.mkIf config.swarselmodules.btrfs {
boot = {
supportedFilesystems = lib.mkIf config.swarselsystems.isBtrfs [ "btrfs" ];
};
};
}
#+end_src
**** Router
:PROPERTIES:
:CUSTOM_ID: h:b54f2bbb-0088-46b2-957d-fd8234b772c3
:END:
This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hintbooth (Router: HUNSN RM02)]] act as the router for my internal network. This is not a reusable module and highly adapted to its hardware. Below is a rough sketch of the functionality:
- six LAN ports, five of which are bridged
- lan1–lan5 are enslaved into said bridge and behave as a single VLAN‑aware switch
- all VLANs are defined under =globals.networks.home-lan.vlans=
- for each VLAN, a routed interface me-${vlanName} is created on the router (NOTE: this interface also serves as the communication link to the local microvms - the respective extra interfaces are defined in [[#h:049fc27e-a28f-4ff0-b5f0-d81401bdd56f][systemd-networkd (server home)]])
- RA and forwarding are enabled on these me-* interfaces so the router advertises vlanCfg.cidrv6 and routes between VLANs / WAN / WireGuard
- the sixth LAN port is used as the WAN / untrusted uplink to the =Fritz!Box=
- the mapping from MAC addresses to interfaces is defined in =config.repo.secrets.local.networking.networks..mac= (and performed in [[#h:99bf6c0e-2566-4a50-b219-fb6a7d4fb2cd][systemd-networkd (base)]] using =renameInterfacesByMac=)
- connectivity to microvms should not be lost in case there is no cable connected to the router
- this is achieved by connecting the veth interface pair veth-br / veth-int
- veth-br is part of the bridge and carries all VLANs tagged, as if it were another physical switch port
- veth-int stays on the host side and is used as the internal attachment point for microvms / guests
- ConfigureWithoutCarrier and ActivationPolicy = "always-up" are used so that the bridge and veth side stay UP; this however does not guarantee connectivity by itself as the kernel will not route packets if the underlying interface is not up (see also [[#h:049fc27e-a28f-4ff0-b5f0-d81401bdd56f][systemd-networkd (server home)]])
- nftables firewall is derived from the same VLAN definitions:
- a zone =vlan-*= is created for each VLAN and bound to =me-*=, as well as zones for WAN, WG, and DNS
- all internal =vlan-*= zones are allowed to go to untrusted; NAT is implemented via a custom postrouting chain that masquerades both IPv4 and IPv6 traffic
- any VLAN with internet access is allowed to reach AdGuardHome for DNS (access-adguardhome-dns)
- this is important so that we can make use of the internal nginx instance to prevent bottlenecks over the web proxy
- policy between internal networks:
- the home VLAN is allowed to access the services and devices VLANs
- the services VLAN is allowed to reach selected ports on local (currently wireguard)
- WireGuard peers in wgHome are allowed to talk to each other (wgHome → wgHome)
- global IPv4/IPv6 forwarding is enabled via boot.kernel.sysctl so this host acts as the main router between all VLANs, the WireGuard network, and the WAN (untrusted)
#+begin_src nix-ts :tangle modules/nixos/server/router.nix
{ lib, config, globals, ... }:
let
serviceName = "router";
bridgeVLANs = lib.mapAttrsToList
(_: vlan: {
VLAN = vlan.id;
})
globals.networks.home-lan.vlans;
selectVLANs = vlans: map (vlan: { VLAN = globals.networks.home-lan.vlans.${vlan}.id; }) vlans;
lan1VLANs = selectVLANs [ "home" "devices" "guests" ];
lan2VLANs = selectVLANs [ "home" "devices" "services" ];
lan3VLANs = selectVLANs [ "home" "devices" "services" ];
lan4VLANs = lan3VLANs;
# TODO: remove services and reset ports 5+6 on swLR to guest when kitchen construction is finished
lan5VLANs = selectVLANs [ "home" "devices" "services" "guests" ];
inherit (globals.general) homeDnsServer;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName}
{
services.avahi.reflector = true;
topology.self.interfaces = (lib.mapAttrs'
(vlanName: _:
lib.nameValuePair "vlan-${vlanName}" {
network = lib.mkForce vlanName;
}
)
globals.networks.home-lan.vlans) // (lib.mapAttrs'
(vlanName: _:
lib.nameValuePair "me-${vlanName}" {
network = lib.mkForce vlanName;
}
)
globals.networks.home-lan.vlans);
networking.nftables = {
firewall = {
zones = {
untrusted.interfaces = [ "lan" ];
wgHome.interfaces = [ "wgHome" ];
adguardhome.ipv4Addresses = [ globals.networks.home-lan.vlans.services.hosts.${homeDnsServer}.ipv4 ];
adguardhome.ipv6Addresses = [ globals.networks.home-lan.vlans.services.hosts.${homeDnsServer}.ipv6 ];
}
// lib.flip lib.concatMapAttrs globals.networks.home-lan.vlans (
vlanName: _: {
"vlan-${vlanName}".interfaces = [ "me-${vlanName}" ];
}
);
rules = {
masquerade-internet = {
from = map (name: "vlan-${name}") globals.general.internetVLANs;
to = [ "untrusted" ];
# masquerade = true; NOTE: custom rule below for ip4 + ip6
late = true; # Only accept after any rejects have been processed
verdict = "accept";
};
# Allow access to the AdGuardHome DNS server from any VLAN that has internet access
access-adguardhome-dns = {
from = map (name: "vlan-${name}") globals.general.internetVLANs;
to = [ "adguardhome" ];
verdict = "accept";
};
# Allow devices in the home VLAN to talk to any of the services or home devices.
access-services = {
from = [ "vlan-home" ];
to = [
"vlan-services"
"vlan-devices"
];
late = true;
verdict = "accept";
};
# Allow the services VLAN to talk to our wireguard server
services-to-local = {
from = [ "vlan-services" ];
to = [ "local" ];
allowedUDPPorts = [ 52829 547 ];
};
# Forward traffic between wireguard participants
forward-proxy-home-vpn-traffic = {
from = [ "wgHome" ];
to = [ "wgHome" ];
verdict = "accept";
};
};
};
chains.postrouting = {
masquerade-internet = {
after = [ "hook" ];
late = true;
rules =
lib.forEach
(map (name: "vlan-${name}") globals.general.internetVLANs)
(
zone:
lib.concatStringsSep " " [
"meta protocol { ip, ip6 }"
(lib.head config.networking.nftables.firewall.zones.${zone}.ingressExpression)
(lib.head config.networking.nftables.firewall.zones.untrusted.egressExpression)
"masquerade random"
]
);
};
};
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv4.conf.all.forwarding" = true;
"net.ipv6.conf.all.forwarding" = true;
};
systemd.network = {
wait-online.anyInterface = true;
netdevs = {
"10-veth" = {
netdevConfig = {
Kind = "veth";
Name = "veth-br";
};
peerConfig = {
Name = "veth-int";
};
};
"20-br" = {
netdevConfig = {
Kind = "bridge";
Name = "br";
};
bridgeConfig = {
VLANFiltering = true;
};
};
};
networks = {
"40-br" = {
matchConfig.Name = "br";
bridgeConfig = { };
linkConfig = {
ActivationPolicy = "always-up";
RequiredForOnline = "no";
};
networkConfig = {
ConfigureWithoutCarrier = true;
LinkLocalAddressing = "no";
};
};
"15-veth-br" = {
matchConfig.Name = "veth-br";
linkConfig = {
RequiredForOnline = "no";
};
networkConfig = {
Bridge = "br";
};
inherit bridgeVLANs;
};
"15-veth-int" = {
matchConfig.Name = "veth-int";
linkConfig = {
ActivationPolicy = "always-up";
RequiredForOnline = "no";
};
networkConfig = {
ConfigureWithoutCarrier = true;
LinkLocalAddressing = "no";
};
vlan = map (name: "vlan-${name}") (builtins.attrNames globals.networks.home-lan.vlans);
};
# br
"30-lan1" = {
matchConfig.MACAddress = config.repo.secrets.local.networking.networks.lan1.mac;
linkConfig.RequiredForOnline = "enslaved";
networkConfig = {
Bridge = "br";
ConfigureWithoutCarrier = true;
};
bridgeVLANs = lan1VLANs;
};
# winters
"30-lan2" = {
matchConfig.MACAddress = config.repo.secrets.local.networking.networks.lan2.mac;
linkConfig.RequiredForOnline = "enslaved";
networkConfig = {
Bridge = "br";
ConfigureWithoutCarrier = true;
};
bridgeVLANs = lan2VLANs;
};
# summers
"30-lan3" = {
matchConfig.MACAddress = config.repo.secrets.local.networking.networks.lan3.mac;
linkConfig.RequiredForOnline = "enslaved";
networkConfig = {
Bridge = "br";
ConfigureWithoutCarrier = true;
};
bridgeVLANs = lan3VLANs;
};
# summers
"30-lan4" = {
matchConfig.MACAddress = config.repo.secrets.local.networking.networks.lan4.mac;
linkConfig.RequiredForOnline = "enslaved";
networkConfig = {
Bridge = "br";
ConfigureWithoutCarrier = true;
};
bridgeVLANs = lan4VLANs;
};
# lr
"30-lan5" = {
matchConfig.MACAddress = config.repo.secrets.local.networking.networks.lan5.mac;
linkConfig.RequiredForOnline = "enslaved";
networkConfig = {
Bridge = "br";
ConfigureWithoutCarrier = true;
};
bridgeVLANs = lan5VLANs;
};
} // lib.flip lib.concatMapAttrs globals.networks.home-lan.vlans (
vlanName: vlanCfg: {
"40-me-${vlanName}" = lib.mkForce {
address = [
vlanCfg.hosts.${config.node.name}.cidrv4
vlanCfg.hosts.${config.node.name}.cidrv6
];
matchConfig.Name = "me-${vlanName}";
networkConfig = {
IPv4Forwarding = "yes";
IPv6PrivacyExtensions = "yes";
IPv6SendRA = true;
IPv6AcceptRA = false;
};
ipv6Prefixes = [
{
Prefix = vlanCfg.cidrv6;
}
];
ipv6SendRAConfig = {
Managed = true; # set RA M flag -> DHCPv6 for addresses
OtherInformation = true; # optional, for “other info” via DHCPv6
};
linkConfig.RequiredForOnline = "routable";
};
}
);
};
};
}
#+end_src
**** kavita
:PROPERTIES:
:CUSTOM_ID: h:d33f5982-dfe6-42d0-9cf2-2cd8c7b04295
:END:
Kavita is the service I use for my library management. It seems more tailored towards comics/graphic novels, but still I prefer its interface to what calibre offers.
#+begin_src nix-ts :tangle modules/nixos/server/kavita.nix
{ lib, config, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users = {
persistentIds.kavita = confLib.mkIds 995;
users.${serviceUser} = {
extraGroups = [ "users" ];
};
};
sops.secrets.kavita-token = { inherit sopsFile; owner = serviceUser; };
# networking.firewall.allowedTCPPorts = [ servicePort ];
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
services.${serviceName} = {
enable = true;
user = serviceUser;
settings.Port = servicePort;
tokenKeyFile = config.sops.secrets.kavita-token.path;
dataDir = "/var/lib/${serviceName}";
};
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** jellyfin
:PROPERTIES:
:CUSTOM_ID: h:e0d4c16e-ab64-48ac-9734-1ab62953ad4b
:END:
My video streaming service of choice. In the past I used plex, but I prefer using jellyfin now, which looks more clean (and is not payment incentivised).
#+begin_src nix-ts :tangle modules/nixos/server/jellyfin.nix
{ pkgs, lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users = {
persistentIds.jellyfin = confLib.mkIds 994;
users.${serviceUser} = {
extraGroups = [ "video" "render" "users" ];
};
};
# nixpkgs.config.packageOverrides = pkgs: {
# intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
# };
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
# intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
libva-vdpau-driver
libvdpau-va-gl
];
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
services.${serviceName} = {
enable = true;
user = serviceUser;
# openFirewall = true; # this works only for the default ports
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/cache/${serviceName}"; user = serviceUser; group = serviceGroup; }
];
};
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** navidrome
:PROPERTIES:
:CUSTOM_ID: h:f347f3ad-5100-4c4f-8616-cfd7f8e14a72
:END:
My music streaming service. In the past I used subsonic and gonic, but I prefer the tag based management. Sadly the jukebox seems not to work on NixOS (TODO?)
#+begin_src nix-ts :tangle modules/nixos/server/navidrome.nix
{ pkgs, config, lib, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "navidrome"; port = 4040; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
environment.systemPackages = with pkgs; [
pciutils
alsa-utils
mpv
];
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
users = {
groups = {
${serviceGroup} = {
gid = 61593;
};
};
users = {
${serviceUser} = {
isSystemUser = true;
uid = 61593;
group = serviceGroup;
extraGroups = [ "audio" "utmp" "users" "pipewire" ];
};
};
};
hardware = {
enableAllFirmware = lib.mkForce true;
};
# networking.firewall.allowedTCPPorts = [ servicePort ];
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
services.snapserver = {
enable = true;
settings = {
stream = {
port = 1704;
source = "pipe:///tmp/snapfifo?name=default";
bind_to_address = "0.0.0.0";
};
};
};
systemd.services = {
${serviceName}.serviceConfig = {
PrivateDevices = lib.mkForce false;
PrivateUsers = lib.mkForce false;
RestrictRealtime = lib.mkForce false;
SystemCallFilter = lib.mkForce null;
RootDirectory = lib.mkForce null;
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services.${serviceName} = {
enable = true;
settings = {
LogLevel = "debug";
Address = "0.0.0.0";
Port = servicePort;
MusicFolder = "/storage/Music";
PlaylistsPath = "./Playlists";
AutoImportPlaylists = false;
EnableSharing = true;
EnableTranscodingConfig = true;
Scanner.GroupAlbumReleases = true;
ScanSchedule = "@every 24h";
# MPVPath = "";
# MPVCommandTemplate = "${pkgs.mpv}/bin/mpv --audio-device=%d --input-ipc-server=%s --no-audio-display --log-file=/tmp/mpv.log --pause %f";
# MPVCmdTemplate = "${pkgs.mpv}/bin/mpv --no-audio-display --pause %f --input-ipc-server=%s --audio-channels=stereo --audio-samplerate=48000 --audio-format=s16 --ao=pcm --ao-pcm-file=/tmp/snapfifo --log-file=/tmp/mpv.log";
ReverseProxyWhitelist = "0.0.0.0/0";
ReverseProxyUserHeader = "X-User";
Jukebox = {
Enabled = true;
Default = "default";
Devices = [
# use mpv --audio-device=help to get these
[ "default" "alsa/sysdefault:CARD=PCH" ]
];
};
# Switch using --impure as these credential files are not stored within the flake
# sops-nix is not supported for these which is why we need to resort to these
LastFM = {
inherit (config.repo.secrets.local.LastFM) ApiKey Secret;
};
Spotify = {
inherit (config.repo.secrets.local.Spotify) ID Secret;
};
UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
UIWelcomeMessage = "~SwarselSound~";
EnableInsightsCollector = false;
};
};
nodes =
let
genNginx = toAddress: extraConfigPre: {
upstreams = {
${serviceName} = {
servers = {
"${toAddress}:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = {
"${serviceDomain}" = {
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
oauth2 = {
enable = true;
allowedGroups = [ "navidrome_access" ];
};
extraConfig = extraConfigPre;
locations =
let
extraConfig = ''
proxy_redirect http:// https://;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
'';
in
{
"/" = {
proxyPass = "http://${serviceName}";
proxyWebsockets = true;
inherit extraConfig;
};
"/share" = {
proxyPass = "http://${serviceName}";
proxyWebsockets = true;
setOauth2Headers = false;
bypassAuth = true;
inherit extraConfig;
};
"/rest" = {
proxyPass = "http://${serviceName}";
proxyWebsockets = true;
setOauth2Headers = false;
bypassAuth = true;
inherit extraConfig;
};
};
};
};
};
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = genNginx serviceAddress "";
${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
};
};
}
#+end_src
**** spotifyd
:PROPERTIES:
:CUSTOM_ID: h:ec9c5a7d-ea8b-46d5-809c-163c917f5c41
:END:
Simple config for running spotifyd which allows me to remote play spotify songs on my speakers.
#+begin_src nix-ts :tangle modules/nixos/server/spotifyd.nix
{ lib, config, confLib, ... }:
let
inherit (confLib.gen { name = "spotifyd"; port = 1025; }) servicePort serviceName serviceUser serviceGroup;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users.groups.${serviceGroup} = {
gid = 65136;
};
users.users.${serviceUser} = {
isSystemUser = true;
uid = 65136;
group = serviceGroup;
extraGroups = [ "audio" "utmp" "pipewire" ];
};
networking.firewall.allowedTCPPorts = [ servicePort ];
services.pipewire.systemWide = true;
# https://github.com/Spotifyd/spotifyd/issues/1366
networking.hosts."0.0.0.0" = [ "apresolve.spotify.com" ];
# hacky way to enable multi-session
# when another user connects, the service will crash and the new user will login
systemd.services.spotifyd.serviceConfig.RestartSec = lib.mkForce 1;
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/cache/private/spotifyd"; }
];
};
services.spotifyd = {
enable = true;
settings = {
global = {
dbus_type = "session";
use_mpris = false;
device = "sysdefault:CARD=PCH";
# device = "default";
device_name = "SwarselSpot";
# backend = "pulseaudio";
backend = "alsa";
# mixer = "alsa";
zeroconf_port = servicePort;
};
};
};
};
}
#+end_src
**** mpd
:PROPERTIES:
:CUSTOM_ID: h:baa4149b-3788-4b05-87ec-0ee9d0726117
:END:
My jukebox replacement since the native one in [[#h:f347f3ad-5100-4c4f-8616-cfd7f8e14a72][navidrome]] does not work :)
#+begin_src nix-ts :tangle modules/nixos/server/mpd.nix
{ lib, config, pkgs, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "mpd"; port = 3254; }) servicePort serviceName serviceUser serviceGroup;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users = {
groups = {
mpd = { };
};
users = {
${serviceUser} = {
isSystemUser = true;
group = serviceGroup;
extraGroups = [ "audio" "utmp" ];
};
};
};
sops = {
secrets.mpd-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
environment.systemPackages = with pkgs; [
pciutils
alsa-utils
mpv
];
# topology.self.services.${serviceName} = {
# info = "http://localhost:${builtins.toString servicePort}";
# icon = lib.mkForce "${self}/files/topology-images/mpd.png";
# };
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = "mpd"; group = "mpd"; }];
};
services.${serviceName} = {
enable = true;
openFirewall = true;
settings = {
music_directory = "/storage/Music";
bind_to_address = "any";
port = servicePort;
};
user = serviceUser;
group = serviceGroup;
credentials = [
{
passwordFile = config.sops.secrets.mpd-pw.path;
permissions = [
"read"
"add"
"control"
"admin"
];
}
];
};
};
}
#+end_src
**** pipewire
:PROPERTIES:
:CUSTOM_ID: h:ce6a4371-e44f-419a-be9e-e17c7abdaf3a
:END:
Needed for audio and stuff.
#+begin_src nix-ts :tangle modules/nixos/server/pipewire.nix
{ lib, config, confLib, ... }:
{
config = lib.mkIf (config.swarselmodules.server.mpd || config.swarselmodules.server.navidrome) {
security.rtkit.enable = true; # this is required for pipewire real-time access
users.persistentIds.rtkit = confLib.mkIds 996;
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/pipewire"; user = "pipewire"; group = "pipewire"; }];
};
services.pipewire = {
enable = true;
pulse.enable = true;
jack.enable = true;
audio.enable = true;
wireplumber.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
};
};
}
#+end_src
**** postgresql
:PROPERTIES:
:CUSTOM_ID: h:6ca43d5a-8ba6-4cd1-96b9-f088f11662c0
:END:
Many services require a databasee, and I like to go with full postgres when giving the chance. Each host will usually run its own instance instead of maintaining a centralised one.
#+begin_src nix-ts :tangle modules/nixos/server/postgresql.nix
{ config, lib, pkgs, confLib, ... }:
let
inherit (confLib.gen { name = "postgresql"; port = 3254; }) serviceName;
postgresVersion = 14;
postgresDirPrefix = "/var/lib";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
services = {
${serviceName} = {
enable = true;
package = pkgs."postgresql_${builtins.toString postgresVersion}";
dataDir = "${postgresDirPrefix}/${serviceName}/${builtins.toString postgresVersion}";
};
};
environment.persistence = {
"/persist".directories = lib.mkIf (config.swarselsystems.isImpermanence && config.swarselsystems.isCloud) [
{ directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }
];
"/state".directories = lib.mkIf config.swarselsystems.isMicroVM [
{ directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }
];
};
};
}
#+end_src
**** podman
:PROPERTIES:
:CUSTOM_ID: h:669e1715-7685-4157-8283-a1f8f39212eb
:END:
Allows me to spin up containers for services that do not provide NixOS options.
#+begin_src nix-ts :tangle modules/nixos/server/podman.nix
{ config, lib, confLib, ... }:
let
serviceName = "podman";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users.persistentIds = {
podman = confLib.mkIds 969;
};
virtualisation = {
podman.enable = true;
oci-containers.backend = "podman";
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/containers"; }
];
};
networking.nftables.firewall = lib.mkIf config.networking.nftables.enable {
zones.podman = {
interfaces = [ "podman0" ];
};
rules = {
podman-to-postgres = lib.mkIf config.services.postgresql.enable {
from = [ "podman" ];
to = [ "local" ];
before = [ "drop" ];
allowedTCPPorts = [ config.services.postgresql.settings.port ];
};
local-to-podman = {
from = [ "local" "wgProxy" "wgHome" ];
to = [ "podman" ];
before = [ "drop" ];
verdict = "accept";
};
};
};
};
}
#+end_src
**** matrix (use db)
:PROPERTIES:
:CUSTOM_ID: h:1e68d84a-8f99-422f-89ac-78f664ac0013
:END:
My messenger of choice. I use this mainly to bridge messages of whatsapp/telegram/signal into it, which allows me to only use a single app for all of my communication needs. TODO: add synapse oidc
#+begin_src nix-ts :tangle modules/nixos/server/matrix.nix
{ lib, config, pkgs, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
federationPort = 8448;
whatsappPort = 29318;
telegramPort = 29317;
signalPort = 29328;
baseUrl = "https://${serviceDomain}";
clientConfig."m.homeserver".base_url = baseUrl;
serverConfig."m.server" = "${serviceDomain}:443";
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselmodules.server = {
postgresql = true;
};
environment.systemPackages = with pkgs; [
matrix-synapse
lottieconverter
ffmpeg
];
sops = {
secrets = {
matrix-shared-secret = { inherit sopsFile; owner = serviceUser; };
mautrix-telegram-as-token = { inherit sopsFile; owner = serviceUser; };
mautrix-telegram-hs-token = { inherit sopsFile; owner = serviceUser; };
mautrix-telegram-api-id = { inherit sopsFile; owner = serviceUser; };
mautrix-telegram-api-hash = { inherit sopsFile; owner = serviceUser; };
};
templates = {
"matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrix-shared-secret} http://localhost:${builtins.toString servicePort}
'';
matrixshared = {
owner = serviceUser;
content = ''
registration_shared_secret: ${config.sops.placeholder.matrix-shared-secret}
'';
};
mautrixtelegram = {
owner = serviceUser;
content = ''
MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrix-telegram-as-token}
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrix-telegram-hs-token}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrix-telegram-api-id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrix-telegram-api-hash}
'';
};
};
};
# networking.firewall.allowedTCPPorts = [ servicePort federationPort ];
systemd = {
timers."restart-bridges" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1d";
OnUnitActiveSec = "1d";
Unit = "restart-bridges.service";
};
};
services = {
"restart-bridges" = {
script = ''
systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
};
};
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort federationPort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/matrix-synapse"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/lib/mautrix-whatsapp"; user = "mautrix-whatsapp"; group = "mautrix-whatsapp"; }
{ directory = "/var/lib/mautrix-telegram"; user = "mautrix-telegram"; group = "mautrix-telegram"; }
{ directory = "/var/lib/mautrix-signal"; user = "mautrix-signal"; group = "mautrix-signal"; }
];
};
services = {
postgresql = {
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
matrix-synapse = {
enable = true;
dataDir = "/var/lib/matrix-synapse";
settings = {
app_service_config_files =
let
inherit (config.services.matrix-synapse) dataDir;
in
[
"${dataDir}/telegram-registration.yaml"
"${dataDir}/whatsapp-registration.yaml"
"${dataDir}/signal-registration.yaml"
"${dataDir}/doublepuppet.yaml"
];
server_name = serviceDomain;
public_baseurl = "https://${serviceDomain}";
listeners = [
{
port = servicePort;
bind_addresses = [
"0.0.0.0"
# "::1"
];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
];
};
extraConfigFiles = [
config.sops.templates.matrixshared.path
];
};
mautrix-telegram = {
enable = true;
environmentFile = config.sops.templates.mautrixtelegram.path;
registerToSynapse = false;
settings = {
homeserver = {
address = "http://localhost:${builtins.toString servicePort}";
domain = serviceDomain;
};
appservice = {
address = "http://localhost:${builtins.toString telegramPort}";
hostname = "0.0.0.0";
port = telegramPort;
provisioning.enabled = true;
id = "telegram";
# ephemeral_events = true; # not needed due to double puppeting
public = {
enabled = false;
};
database = "postgresql:///mautrix-telegram?host=/run/postgresql";
};
bridge = {
relaybot.authless_portals = true;
allow_avatar_remove = true;
allow_contact_info = true;
sync_channel_members = true;
startup_sync = true;
sync_create_limit = 0;
sync_direct_chats = true;
telegram_link_preview = true;
permissions = {
"*" = "relaybot";
"@swarsel:${serviceDomain}" = "admin";
};
animated_sticker = {
target = "gif";
args = {
width = 256;
height = 256;
fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported
};
};
};
};
};
mautrix-whatsapp = {
enable = true;
registerToSynapse = false;
settings = {
homeserver = {
address = "http://localhost:${builtins.toString servicePort}";
domain = serviceDomain;
};
database = {
type = "postgres";
uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";
};
appservice = {
address = "http://localhost:${builtins.toString whatsappPort}";
hostname = "0.0.0.0";
port = whatsappPort;
};
bridge = {
displayname_template = "{{or .FullName .PushName .JID}} (WA)";
history_sync = {
backfill = true;
max_initial_conversations = -1;
message_count = -1;
request_full_sync = true;
full_sync_config = {
days_limit = 900;
size_mb_limit = 5000;
storage_quota_mb = 5000;
};
};
login_shared_secret_map = {
${serviceDomain} = "as_token:doublepuppet";
};
sync_manual_marked_unread = true;
send_presence_on_typing = true;
parallel_member_sync = true;
url_previews = true;
caption_in_message = true;
extev_polls = true;
permissions = {
"*" = "relay";
"@swarsel:${serviceDomain}" = "admin";
};
};
};
};
mautrix-signal = {
enable = true;
registerToSynapse = false;
settings = {
homeserver = {
address = "http://localhost:${builtins.toString servicePort}";
domain = serviceDomain;
};
database = {
type = "postgres";
uri = "postgresql:///mautrix-signal?host=/run/postgresql";
};
appservice = {
address = "http://localhost:${builtins.toString signalPort}";
hostname = "0.0.0.0";
port = signalPort;
};
bridge = {
displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)";
login_shared_secret_map = {
${serviceDomain} = "as_token:doublepuppet";
};
caption_in_message = true;
permissions = {
"*" = "relay";
"@swarsel:${serviceDomain}" = "admin";
};
};
};
};
};
# restart the bridges daily. this is done for the signal bridge mainly which stops carrying
# messages out after a while.
users.persistentIds = {
mautrix-signal = confLib.mkIds 993;
mautrix-whatsapp = confLib.mkIds 992;
mautrix-telegram = confLib.mkIds 991;
};
nodes =
let
genNginx = toAddress: extraConfig: {
upstreams = {
${serviceName} = {
servers = {
"${toAddress}:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = {
"${serviceDomain}" = {
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
listen = [
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
extraParameters = [
"default_server"
];
}
{
addr = "[::0]";
port = 8448;
ssl = true;
extraParameters = [
"default_server"
];
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::0]";
port = 443;
ssl = true;
}
];
inherit extraConfig;
locations = {
"~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://${serviceName}";
extraConfig = ''
client_max_body_size 0;
'';
};
"= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
"= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
};
};
};
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = genNginx serviceAddress "";
${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
};
};
}
#+end_src
**** nextcloud
:PROPERTIES:
:CUSTOM_ID: h:d11ad8d5-25d7-4691-b319-61c16ccef715
:END:
My file server. I aim to decomission this as soon as I can, however, I need a replacement for the cospend plugin (a shared expense manager).
#+begin_src nix-ts :tangle modules/nixos/server/nextcloud.nix
{ pkgs, lib, config, globals, dns, confLib, ... }:
let
inherit (config.repo.secrets.local.nextcloud) adminuser;
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome dnsServer webProxy homeWebProxy homeServiceAddress nginxAccessRules;
nextcloudVersion = "33";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
sops.secrets = {
nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
users.persistentIds = {
nextcloud = confLib.mkIds 990;
redis-nextcloud = confLib.mkIds 976;
};
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/lib/redis-${serviceName}"; user = serviceUser; group = serviceGroup; }
];
};
services = {
${serviceName} = {
enable = true;
settings = {
trusted_proxies = [ "0.0.0.0" ];
overwriteprotocol = "https";
};
package = pkgs."nextcloud${nextcloudVersion}";
hostName = serviceDomain;
home = "/var/lib/${serviceName}";
datadir = "/var/lib/${serviceName}";
https = true;
configureRedis = true;
maxUploadSize = "4G";
extraApps = {
inherit (pkgs."nextcloud${nextcloudVersion}Packages".apps) mail calendar contacts cospend phonetrack polls tasks sociallogin;
};
extraAppsEnable = true;
config = {
inherit adminuser;
adminpassFile = config.sops.secrets.nextcloud-admin-pw.path;
dbtype = "sqlite";
};
};
};
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** immich (use db)
:PROPERTIES:
:CUSTOM_ID: h:33bad8ad-b362-4bf1-8a49-b9df92329aed
:END:
My photo service. It does some cool things like face recognition automatically (locally).
#+begin_src nix-ts :tangle modules/nixos/server/immich.nix
{ lib, pkgs, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselmodules.server = {
postgresql = true;
};
users = {
persistentIds = {
immich = confLib.mkIds 989;
redis-immich = confLib.mkIds 977;
};
users.${serviceUser} = {
extraGroups = [ "video" "render" "users" ];
};
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
# networking.firewall.allowedTCPPorts = [ servicePort ];
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/cache/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/lib/redis-${serviceName}"; user = "redis-${serviceUser}"; group = "redis-${serviceGroup}"; }
];
};
services.${serviceName} = {
enable = true;
package = pkgs.immich;
host = "0.0.0.0";
port = servicePort;
# openFirewall = true;
mediaLocation = "/storage/Pictures/${serviceName}"; # dataDir
environment = {
IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
};
};
nodes =
let
extraConfigLoc = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
'';
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** paperless (tika, gotenberg)
:PROPERTIES:
:CUSTOM_ID: h:89638fb5-0593-4420-9567-f85f0223e341
:END:
This is my personal document management system. It automatically pulls documents from several sources, the only manual step for physical documents is to put them in my scanner and use email delivery.
Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml='s. This is needed for e.g. online services that only send their invoices through email body text.
#+begin_src nix-ts :tangle modules/nixos/server/paperless.nix
{ lib, pkgs, config, dns, globals, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
tikaPort = 9998;
gotenbergPort = 3002;
kanidmDomain = globals.services.kanidm.domain;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users = {
persistentIds = {
redis-paperless = confLib.mkIds 975;
};
users.${serviceUser} = {
extraGroups = [ "users" ];
};
};
sops.secrets = {
paperless-admin-pw = { inherit sopsFile; owner = serviceUser; };
kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
# networking.firewall.allowedTCPPorts = [ servicePort ];
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/lib/redis-${serviceName}"; user = "redis-${serviceUser}"; group = "redis-${serviceGroup}"; }
{ directory = "/var/lib/private/tika"; }
{ directory = "/var/cache/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/cache/private/tika"; }
];
};
services = {
${serviceName} = {
enable = true;
mediaDir = "/storage/Documents/${serviceName}";
dataDir = "/var/lib/${serviceName}";
user = serviceUser;
port = servicePort;
passwordFile = config.sops.secrets.paperless-admin-pw.path;
address = "0.0.0.0";
settings = {
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_URL = "https://${serviceDomain}";
PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
optimize = 1;
invalidate_digital_signatures = true;
pdfa_image_compression = "lossless";
};
PAPERLESS_TIKA_ENABLED = "true";
PAPERLESS_TIKA_ENDPOINT = "http://localhost:${builtins.toString tikaPort}";
PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:${builtins.toString gotenbergPort}";
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
openid_connect = {
OAUTH_PKCE_ENABLED = "True";
APPS = [
rec {
provider_id = "kanidm";
name = "Kanidm";
client_id = "paperless";
# secret will be added by paperless-web.service (see below)
#secret = "";
settings.server_url = "https://${kanidmDomain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
}
];
};
};
};
};
tika = {
enable = true;
port = tikaPort;
openFirewall = false;
listenAddress = "127.0.0.1";
enableOcr = true;
};
gotenberg = {
enable = true;
package = pkgs.gotenberg;
libreoffice.package = pkgs.libreoffice;
port = gotenbergPort;
bindIP = "127.0.0.1";
timeout = "600s";
chromium.package = pkgs.chromium;
};
};
# Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
systemd.services.paperless-web.script = lib.mkBefore ''
oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
--compact-output \
--arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
)
'';
nodes =
let
extraConfigLoc = ''
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
'';
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** transmission
:PROPERTIES:
:CUSTOM_ID: h:5afeb311-ab86-4029-be53-2160f6d836c3
:END:
I use this configuration for sailing.
#+begin_src nix-ts :tangle modules/nixos/server/transmission.nix
{ self, pkgs, lib, config, confLib, ... }:
let
inherit (confLib.gen { name = "transmission"; port = 9091; }) serviceName servicePort serviceDomain;
inherit (confLib.static) isHome homeServiceAddress homeWebProxy nginxAccessRules;
inherit (config.swarselsystems) sopsFile;
lidarrUser = "lidarr";
lidarrGroup = lidarrUser;
lidarrPort = 8686;
radarrUser = "radarr";
radarrGroup = radarrUser;
radarrPort = 7878;
sonarrUser = "sonarr";
sonarrGroup = sonarrUser;
sonarrPort = 8989;
readarrUser = "readarr";
readarrGroup = readarrUser;
readarrPort = 8787;
prowlarrUser = "prowlarr";
prowlarrGroup = prowlarrUser;
prowlarrPort = 9696;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} and friends on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
sops.secrets = {
pia = { inherit sopsFile; };
};
# this user/group section is probably unneeded
users = {
persistentIds = {
prowlarr = confLib.mkIds 971;
readarr = confLib.mkIds 970;
};
groups = {
dockeruser = {
gid = 1155;
};
"${radarrGroup}" = { };
"${readarrGroup}" = { };
"${sonarrGroup}" = { };
"${lidarrGroup}" = { };
"${prowlarrGroup}" = { };
};
users = {
dockeruser = {
isSystemUser = true;
uid = 1155;
group = "docker";
extraGroups = [ "users" ];
};
"${radarrUser}" = {
isSystemUser = true;
group = radarrGroup;
extraGroups = [ "users" ];
};
"${readarrGroup}" = {
isSystemUser = true;
group = readarrGroup;
extraGroups = [ "users" ];
};
"${sonarrGroup}" = {
isSystemUser = true;
group = sonarrGroup;
extraGroups = [ "users" ];
};
"${lidarrUser}" = {
isSystemUser = true;
group = lidarrGroup;
extraGroups = [ "users" ];
};
"${prowlarrGroup}" = {
isSystemUser = true;
group = prowlarrGroup;
extraGroups = [ "users" ];
};
};
};
virtualisation.docker.enable = true;
environment.systemPackages = with pkgs; [
docker
];
topology.self.services = {
radarr.info = "https://${serviceDomain}/radarr";
readarr = {
name = "Readarr";
info = "https://${serviceDomain}/readarr";
icon = "${self}/files/topology-images/readarr.png";
};
sonarr.info = "https://${serviceDomain}/sonarr";
lidarr.info = "https://${serviceDomain}/lidarr";
prowlarr.info = "https://${serviceDomain}/prowlarr";
};
globals.services.transmission = {
domain = serviceDomain;
inherit isHome;
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/radarr"; user = radarrUser; group = radarrGroup; }
{ directory = "/var/lib/readarr"; user = readarrUser; group = readarrGroup; }
{ directory = "/var/lib/sonarr"; user = sonarrUser; group = sonarrGroup; }
{ directory = "/var/lib/lidarr"; user = lidarrUser; group = lidarrGroup; }
{ directory = "/var/lib/private/prowlarr"; user = prowlarrUser; group = prowlarrGroup; }
];
};
services = {
pia = {
enable = true;
credentials.credentialsFile = config.sops.secrets.pia.path;
protocol = "wireguard";
autoConnect = {
enable = true;
region = "sweden";
};
portForwarding.enable = true;
dns.enable = true;
};
radarr = {
enable = true;
user = radarrUser;
group = radarrGroup;
settings.server.port = radarrPort;
openFirewall = true;
dataDir = "/var/lib/radarr";
};
readarr = {
enable = true;
user = readarrUser;
group = readarrGroup;
settings.server.port = readarrPort;
openFirewall = true;
dataDir = "/var/lib/readarr";
};
sonarr = {
enable = true;
user = sonarrUser;
group = sonarrGroup;
settings.server.port = sonarrPort;
openFirewall = true;
dataDir = "/var/lib/sonarr";
};
lidarr = {
enable = true;
user = lidarrUser;
group = lidarrGroup;
settings.server.port = lidarrPort;
openFirewall = true;
dataDir = "/var/lib/lidarr";
};
prowlarr = {
enable = true;
settings.server.port = prowlarrPort;
openFirewall = true;
};
};
nodes = {
${homeWebProxy}.services.nginx = {
upstreams = {
transmission = {
servers = {
"${homeServiceAddress}:${builtins.toString servicePort}" = { };
};
};
radarr = {
servers = {
"${homeServiceAddress}:${builtins.toString radarrPort}" = { };
};
};
readarr = {
servers = {
"${homeServiceAddress}:${builtins.toString readarrPort}" = { };
};
};
sonarr = {
servers = {
"${homeServiceAddress}:${builtins.toString sonarrPort}" = { };
};
};
lidarr = {
servers = {
"${homeServiceAddress}:${builtins.toString lidarrPort}" = { };
};
};
prowlarr = {
servers = {
"${homeServiceAddress}:${builtins.toString prowlarrPort}" = { };
};
};
};
virtualHosts = {
"${serviceDomain}" = {
enableACME = false;
forceSSL = false;
acmeRoot = null;
extraConfig = nginxAccessRules;
locations = {
"/" = {
proxyPass = "http://transmission";
extraConfig = ''
client_max_body_size 0;
'';
};
"/radarr" = {
proxyPass = "http://radarr";
extraConfig = ''
client_max_body_size 0;
'';
};
"/readarr" = {
proxyPass = "http://readarr";
extraConfig = ''
client_max_body_size 0;
'';
};
"/sonarr" = {
proxyPass = "http://sonarr";
extraConfig = ''
client_max_body_size 0;
'';
};
"/lidarr" = {
proxyPass = "http://lidarr";
extraConfig = ''
client_max_body_size 0;
'';
};
"/prowlarr" = {
proxyPass = "http://prowlarr";
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
};
};
};
}
#+end_src
**** syncthing
:PROPERTIES:
:CUSTOM_ID: h:ad2787a2-7b1c-4326-aeff-9d8d6c3f591d
:END:
This is the server syncthings config, which makes sure that the servers nevers override client data. They also store more folders that the clients.
#+begin_src nix-ts :tangle modules/nixos/server/syncthing.nix
{ lib, config, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems.syncthing) serviceDomain;
inherit (confLib.gen { name = "syncthing"; port = 8384; }) servicePort serviceName serviceUser serviceGroup serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
specificServiceName = "${serviceName}-${config.node.name}";
cfg = config.services.${serviceName};
devices = config.swarselsystems.syncthing.syncDevices;
in
{
options = {
swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
swarselsystems.syncthing = {
serviceDomain = lib.mkOption {
type = lib.types.str;
default = config.repo.secrets.common.services.domains.syncthing1;
};
syncDevices = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "magicant" "winters" "pyramid" "moonside@oracle" ];
};
devices = lib.mkOption {
type = lib.types.attrs;
default = {
"magicant" = {
id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
};
"winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
};
"moonside@oracle" = {
id = "VPCDZB6-MGVGQZD-Q6DIZW3-IZJRJTO-TCC3QUQ-2BNTL7P-AKE7FBO-N55UNQE";
};
"pyramid" = {
id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB";
};
};
};
};
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users.users.${serviceUser} = {
extraGroups = [ "users" ];
group = serviceGroup;
isSystemUser = true;
};
users.groups.${serviceGroup} = { };
# networking.firewall.allowedTCPPorts = [ servicePort ];
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy} = {
allowedTCPPorts = [ servicePort 22000 ];
allowedUDPPorts = [ 20000 21027 ];
};
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy} = {
allowedTCPPorts = [ servicePort 20000 ];
allowedUDPPorts = [ 20000 21027 ];
};
};
};
services.${specificServiceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services.${serviceName} = rec {
enable = true;
user = serviceUser;
group = serviceGroup;
dataDir = if config.swarselsystems.isMicroVM then "/storage/Documents/syncthing" else (lib.mkDefault "/var/lib/${serviceName}");
configDir = if config.swarselsystems.isMicroVM then "/var/lib/syncthing/.config/syncthing" else "${cfg.dataDir}/.config/${serviceName}";
guiAddress = "0.0.0.0:${builtins.toString servicePort}";
openDefaultPorts = lib.mkIf (!isProxied) true; # opens ports TCP/UDP 22000 and UDP 21027 for discovery
relay.enable = false;
settings = {
urAccepted = -1;
inherit (config.swarselsystems.syncthing) devices;
folders = {
"Default Folder" = lib.mkForce {
path = "${cfg.dataDir}/Sync";
type = "receiveonly";
versioning = null;
inherit devices;
id = "default";
};
"Obsidian" = {
path = "${cfg.dataDir}/Obsidian";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
inherit devices;
id = "yjvni-9eaa7";
};
"Org" = {
path = "${cfg.dataDir}/Org";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
inherit devices;
id = "a7xnl-zjj3d";
};
"Vpn" = {
path = "${cfg.dataDir}/Vpn";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
inherit devices;
id = "hgp9s-fyq3p";
};
};
};
};
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = {
"${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain; serviceName = specificServiceName; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain; serviceName = specificServiceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** restic backups
:PROPERTIES:
:CUSTOM_ID: h:b73ac8bf-b721-4563-9eff-973925c99a39
:END:
This manages backups for my pictures and obsidian files.
Note: you still need to run =restic- init= once on the host to get the bucket running.
#+begin_src nix-ts :tangle modules/nixos/server/restic.nix
{ lib, pkgs, config, ... }:
let
inherit (config.swarselsystems) sopsFile;
inherit (config.swarselsystems.server.restic) targets;
in
{
options.swarselmodules.server.restic = lib.mkEnableOption "enable restic backups on server";
options.swarselsystems.server.restic = {
targets = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
bucketName = lib.mkOption {
type = lib.types.str;
default = name;
};
repository = lib.mkOption {
type = lib.types.str;
};
paths = lib.mkOption {
type = lib.types.listOf lib.types.str;
};
withPostgres = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
}));
default = { };
};
};
config = lib.mkIf config.swarselmodules.server.restic {
sops = {
secrets =
lib.mkMerge (lib.mapAttrsToList
(name: _: {
"resticpw-${name}" = { inherit sopsFile; };
"resticaccesskey-${name}" = { inherit sopsFile; };
"resticsecretaccesskey-${name}" = { inherit sopsFile; };
})
targets);
templates =
lib.mkMerge (lib.mapAttrsToList
(name: _: {
"restic-env-${name}".content = ''
AWS_ACCESS_KEY_ID=${config.sops.placeholder."resticaccesskey-${name}"}
AWS_SECRET_ACCESS_KEY=${config.sops.placeholder."resticsecretaccesskey-${name}"}
'';
})
targets);
};
services.restic.backups =
lib.mapAttrs'
(name: target:
lib.nameValuePair target.bucketName {
environmentFile =
config.sops.templates."restic-env-${name}".path;
passwordFile =
config.sops.secrets."resticpw-${name}".path;
inherit (target) paths repository;
pruneOpts = [
"--keep-daily 3"
"--keep-weekly 2"
"--keep-monthly 3"
"--keep-yearly 100"
];
backupPrepareCommand = ''
${pkgs.restic}/bin/restic prune
'';
initialize = true;
timerConfig = {
OnCalendar = "03:00";
};
}
)
targets;
};
}
#+end_src
**** monitoring (Grafana, Prometheus)
:PROPERTIES:
:CUSTOM_ID: h:a31c7192-e11d-4a26-915d-1bbc38e373d3
:END:
This section exposes several metrics that I use to check the health of my server. I need to expand on the exporters section at some point, but for now I have everything I need.
#+begin_src nix-ts :tangle modules/nixos/server/monitoring.nix
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
prometheusPort = 9090;
prometheusUser = "prometheus";
prometheusGroup = prometheusUser;
grafanaUpstream = "grafana";
prometheusUpstream = "prometheus";
prometheusWebRoot = "prometheus";
kanidmDomain = globals.services.kanidm.domain;
inherit (config.swarselsystems) sopsFile;
# sopsFile2 = config.node.secretsDir + "/secrets2.yaml";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
sops = {
secrets = {
grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
prometheus-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
kanidm-grafana-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
# prometheus-admin-hash = { sopsFile = sopsFile2; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
prometheus-admin-hash = { inherit sopsFile; owner = prometheusUser; group = prometheusGroup; mode = "0440"; };
};
templates = {
"web-config" = {
content = ''
basic_auth_users:
admin: ${config.sops.placeholder.prometheus-admin-hash}
'';
owner = prometheusUser;
group = prometheusGroup;
mode = "0440";
};
};
};
users = {
persistentIds = {
nextcloud-exporter = confLib.mkIds 988;
node-exporter = confLib.mkIds 987;
grafana = confLib.mkIds 974;
};
groups.nextcloud-exporter = { };
users = {
nextcloud-exporter = {
group = "nextcloud-exporter";
extraGroups = [ "nextcloud" ];
};
${serviceUser} = {
extraGroups = [ "users" ];
};
};
};
# networking.firewall.allowedTCPPorts = [ servicePort prometheusPort ];
topology.self.services.prometheus.info = "https://${serviceDomain}/${prometheusWebRoot}";
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort prometheusPort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort prometheusPort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [
{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }
{ directory = "/var/lib/prometheus2"; user = prometheusUser; group = prometheusGroup; }
];
};
services = {
${serviceName} = {
enable = true;
dataDir = "/var/lib/${serviceName}";
provision = {
enable = true;
datasources.settings = {
datasources = [
{
name = "prometheus";
type = "prometheus";
url = "https://${serviceDomain}/prometheus";
editable = false;
access = "proxy";
basicAuth = true;
basicAuthUser = "admin";
jsonData = {
httpMethod = "POST";
manageAlerts = true;
prometheusType = "Prometheus";
prometheusVersion = "> 2.50.x";
cacheLevel = "High";
disableRecordingRules = false;
incrementalQueryOverlapWindow = "10m";
};
secureJsonData = {
basicAuthPassword = "$__file{/run/secrets/prometheus-admin-pw}";
};
}
];
};
};
settings = {
analytics.reporting_enabled = false;
users.allow_sign_up = false;
security = {
# admin_password = "$__file{/run/secrets/grafana-admin-pw}";
disable_initial_admin_creation = true;
secret_key = "$__file{${config.sops.secrets.grafana-admin-pw.path}}";
cookie_secure = true;
disable_gravatar = true;
};
server = {
domain = serviceDomain;
root_url = "https://${serviceDomain}";
http_port = servicePort;
http_addr = "0.0.0.0";
protocol = "http";
enforce_domain = true;
enable_gzip = true;
};
"auth.generic_oauth" = {
enabled = true;
name = "Kanidm";
icon = "signin";
allow_sign_up = true;
#auto_login = true;
client_id = "grafana";
client_secret = "$__file{${config.sops.secrets.kanidm-grafana-client.path}}";
scopes = "openid email profile";
login_attribute_path = "preferred_username";
auth_url = "https://${kanidmDomain}/ui/oauth2";
token_url = "https://${kanidmDomain}/oauth2/token";
api_url = "https://${kanidmDomain}/oauth2/openid/grafana/userinfo";
use_pkce = true;
use_refresh_token = true;
# Allow mapping oauth2 roles to server admin
allow_assign_grafana_admin = true;
role_attribute_path = "contains(groups[*], 'server_admin') && 'GrafanaAdmin' || contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'";
};
};
};
prometheus =
let
nextcloudUser = config.repo.secrets.local.nextcloud.adminuser;
in
{
enable = true;
webExternalUrl = "https://${serviceDomain}/${prometheusWebRoot}";
port = prometheusPort;
listenAddress = "0.0.0.0";
globalConfig = {
scrape_interval = "10s";
};
webConfigFile = config.sops.templates.web-config.path;
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
{
job_name = "zfs";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}" ];
}];
}
{
job_name = "nginx";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
}];
}
{
job_name = "nextcloud";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.nextcloud.port}" ];
}];
}
];
exporters = {
node = {
enable = true;
port = 9000;
enabledCollectors = [ "systemd" ];
extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
};
zfs = {
enable = true;
port = 9134;
pools = [
"Vault"
];
};
restic = {
enable = false;
port = 9753;
};
nginx = {
enable = true;
port = 9113;
sslVerify = false;
scrapeUri = "http://localhost/nginx_status";
};
nextcloud = lib.mkIf config.swarselmodules.server.nextcloud {
enable = true;
port = 9205;
url = "https://${serviceDomain}/ocs/v2.php/apps/serverinfo/api/v1/info";
username = nextcloudUser;
passwordFile = config.sops.secrets.nextcloud-admin-pw.path;
};
};
};
};
nodes =
let
extraConfig = ''
allow ${globals.networks.home-lan.vlans.services.cidrv4};
allow ${globals.networks.home-lan.vlans.services.cidrv6};
'';
genNginx = toAddress: extraConfigPre: {
upstreams = {
"${grafanaUpstream}" = {
servers = {
"${toAddress}:${builtins.toString servicePort}" = { };
};
};
"${prometheusUpstream}" = {
servers = {
"${toAddress}:${builtins.toString prometheusPort}" = { };
};
};
};
virtualHosts = {
"${serviceDomain}" = {
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
extraConfig = extraConfigPre;
locations =
let
extraConfig = ''
client_max_body_size 0;
'';
in
{
"/" = {
proxyPass = "http://${grafanaUpstream}";
proxyWebsockets = true;
inherit extraConfig;
};
"/${prometheusWebRoot}" = {
proxyPass = "http://${prometheusUpstream}";
inherit extraConfig;
};
};
};
};
};
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = genNginx serviceAddress "";
${homeWebProxy}.services.nginx = genNginx homeServiceAddress (extraConfig + nginxAccessRules);
};
};
}
#+end_src
**** Jenkins (currently unused)
:PROPERTIES:
:CUSTOM_ID: h:23452a18-a0a1-4515-8612-ceb19bb5fc22
:END:
This is a WIP Jenkins instance. It is used to automatically build a new system when pushes to the main repository are detected. I do not use this however, as I actually prefer to build them using [[#h:59f9ba07-8f63-4317-8def-83855a2a2ac1][Hydra]].
#+begin_src nix-ts :tangle modules/nixos/server/jenkins.nix
{ pkgs, lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services.jenkins = {
enable = true;
withCLI = true;
port = servicePort;
packages = [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ];
listenAddress = "0.0.0.0";
home = "/var/lib/${serviceName}";
};
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** Emacs elfeed (RSS Server, unused)
:PROPERTIES:
:CUSTOM_ID: h:4e6824bc-c3db-485d-b543-4072e6283b62
:END:
This was an approach of hosting an RSS server from within emacs. That would have been useful as it would have allowed me to allow my feeds from any device. However, it proved impossible to do bidirectional syncing, so I abandoned this configuration in favor of [[#h:9da3df74-6fc5-4ee1-a345-23ab4e8a613d][FreshRSS]].
#+begin_src nix-ts :tangle modules/nixos/server/emacs.nix
{ lib, config, confLib, ... }:
let
inherit (confLib.gen { name = "emacs"; port = 9812; }) servicePort serviceName;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} server on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
networking.firewall.allowedTCPPorts = [ servicePort ];
services.${serviceName} = {
enable = true;
install = true;
startWithGraphical = false;
};
};
}
#+end_src
**** FreshRSS
:PROPERTIES:
:CUSTOM_ID: h:9da3df74-6fc5-4ee1-a345-23ab4e8a613d
:END:
FreshRSS is a more 'classical' RSS aggregator that I can just host as a distinct service. This also has its upsides because I jave more control over the state this way.
It serves both a Greader API at https://${serviceName}/api/greader.php, as well as a Fever API at https://${serviceName}/api/fever.php.
I am using this with CapyReader on my phone, set it up as a FreshRSS account with Server URL =https://${serviceName}/api/greader.php
FreshRSS claims to support HTTP header auth, but at least it does not work with my oauth2-proxy setup. Until this is fixed, I resorted to the "form" login, since I mostly do not use the web version anyways.
#+begin_src nix-ts :tangle modules/nixos/server/freshrss.nix
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "freshrss"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome webProxy homeWebProxy dnsServer homeServiceAddress nginxAccessRules;
inherit (config.swarselsystems) sopsFile;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users = {
persistentIds = {
freshrss = confLib.mkIds 986;
};
users.${serviceUser} = {
extraGroups = [ "users" ];
group = serviceGroup;
isSystemUser = true;
};
};
users.groups.${serviceGroup} = { };
sops = {
secrets = {
freshrss-pw = { inherit sopsFile; owner = serviceUser; };
kanidm-freshrss-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
# freshrss-oidc-crypto-key = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
# templates = {
# "freshrss-env" = {
# content = ''
# DATA_PATH=${config.services.freshrss.dataDir}
# OIDC_ENABLED=1
# OIDC_PROVIDER_METADATA_URL=https://${kanidmDomain}/.well-known/openid-configuration
# OIDC_CLIENT_ID=freshrss
# OIDC_CLIENT_SECRET=${config.sops.placeholder.kanidm-freshrss-client}
# OIDC_CLIENT_CRYPTO_KEY=${config.sops.placeholder.oidc-crypto-key}
# OIDC_REMOTE_USER_CLAIM=preferred_username
# OIDC_SCOPES=openid groups email profile
# OIDC_X_FORWARDED_HEADERS=X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto
# '';
# owner = "freshrss";
# group = "freshrss";
# mode = "0440";
# };
# };
};
# topology.self.services.${serviceName} = {
# name = "FreshRSS";
# info = "https://${serviceDomain}";
# icon = "${self}/files/topology-images/${serviceName}.png";
# };
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services.${serviceName} =
let
inherit (config.repo.secrets.local.freshrss) defaultUser;
in
{
inherit defaultUser;
enable = true;
virtualHost = serviceDomain;
baseUrl = "https://${serviceDomain}";
authType = "form";
dataDir = "/var/lib/freshrss";
passwordFile = config.sops.secrets.freshrss-pw.path;
};
# systemd.services.freshrss-config.serviceConfig.EnvironmentFile = [
# config.sops.templates.freshrss-env.path
# ];
nodes =
let
genNginx = toAddress: extraConfig: {
upstreams = {
${serviceName} = {
servers = {
"${toAddress}:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = {
"${serviceDomain}" = {
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
oauth2.enable = true;
oauth2.allowedGroups = [ "ttrss_access" ];
inherit extraConfig;
locations = {
"/" = {
proxyPass = "http://${serviceName}";
};
"/api" = {
proxyPass = "http://${serviceName}";
setOauth2Headers = false;
bypassAuth = true;
};
};
};
};
};
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = genNginx serviceAddress "";
${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
};
};
}
#+end_src
**** forgejo (git server)
:PROPERTIES:
:CUSTOM_ID: h:a9965660-4358-4b9a-8c46-d55f28598344
:END:
My selfhosted git solution. TODO: federate
#+begin_src nix-ts :tangle modules/nixos/server/forgejo.nix
{ lib, config, pkgs, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "forgejo"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
kanidmDomain = globals.services.kanidm.domain;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
# networking.firewall.allowedTCPPorts = [ servicePort ];
users = {
persistentIds = {
forgejo = confLib.mkIds 985;
};
users.${serviceUser} = {
group = serviceGroup;
isSystemUser = true;
};
};
users.groups.${serviceGroup} = { };
sops.secrets = {
kanidm-forgejo-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services.${serviceName} = {
enable = true;
stateDir = "/var/lib/${serviceName}";
user = serviceUser;
group = serviceGroup;
lfs.enable = lib.mkDefault true;
settings = {
DEFAULT = {
APP_NAME = "~SwaGit~";
};
server = {
PROTOCOL = "http";
HTTP_PORT = servicePort;
HTTP_ADDR = "0.0.0.0";
DOMAIN = serviceDomain;
ROOT_URL = "https://${serviceDomain}";
};
# federation.ENABLED = true;
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_INTERNAL_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
};
session.COOKIE_SECURE = true;
oauth2_client = {
# Never use auto account linking with this, otherwise users cannot change
# their new user name and they could potentially overtake other users accounts
# by setting their email address to an existing account.
# With "login" linking the user must choose a non-existing username first or login
# with the existing account to link.
ACCOUNT_LINKING = "login";
USERNAME = "nickname";
# This does not mean that you cannot register via oauth, but just that there should
# be a confirmation dialog shown to the user before the account is actually created.
# This dialog allows changing user name and email address before creating the account.
ENABLE_AUTO_REGISTRATION = false;
REGISTER_EMAIL_CONFIRM = false;
UPDATE_AVATAR = true;
};
};
};
systemd.services.${serviceName} = {
serviceConfig.RestartSec = "60"; # Retry every minute
preStart =
let
exe = lib.getExe config.services.forgejo.package;
providerName = "kanidm";
clientId = serviceName;
args = lib.escapeShellArgs (
lib.concatLists [
[
"--name"
providerName
]
[
"--provider"
"openidConnect"
]
[
"--key"
clientId
]
[
"--auto-discover-url"
"https://${kanidmDomain}/oauth2/openid/${clientId}/.well-known/openid-configuration"
]
[
"--scopes"
"email"
]
[
"--scopes"
"profile"
]
[
"--group-claim-name"
"groups"
]
[
"--admin-group"
"admin"
]
[ "--skip-local-2fa" ]
]
);
in
lib.mkAfter ''
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
SECRET="$(< ${config.sops.secrets.kanidm-forgejo-client.path})"
if [[ -z "$provider_id" ]]; then
${exe} admin auth add-oauth ${args} --secret "$SECRET"
else
${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
fi
'';
};
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** Anki Sync Server
:PROPERTIES:
:CUSTOM_ID: h:cb3f6552-7751-4f9a-b4c7-8d8ba5b255c4
:END:
I am an extensive user of Anki, and this allows me to sync my collection on my own.
#+begin_src nix-ts :tangle modules/nixos/server/ankisync.nix
{ self, lib, config, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "ankisync"; port = 27701; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
ankiUser = globals.user.name;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
# networking.firewall.allowedTCPPorts = [ servicePort ];
sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; };
topology.self.services.anki = {
name = lib.mkForce "Anki Sync Server";
icon = lib.mkForce "${self}/files/topology-images/${serviceName}.png";
info = "https://${serviceDomain}";
};
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/private/anki-sync-server"; }];
};
services.anki-sync-server = {
enable = true;
port = servicePort;
address = "0.0.0.0";
# openFirewall = true;
users = [
{
username = ankiUser;
passwordFile = config.sops.secrets.anki-pw.path;
}
];
};
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** kanidm
:PROPERTIES:
:CUSTOM_ID: h:ee625136-29ab-4696-919f-7b0d0042f6dd
:END:
The forgejo configuration is a little broken and will show a 500 error when signing in through kanidm. However, when pressing back and refreshing the page, I am logged in. Currently I cannot be bothered to fix this.
A stupid (but simple) way to get the =originUrl= is to simply set any URL there and try to auth using kanidm. Then check the logs (=journalctl -eu kanidm=) and check for the line that says something along the lines of
`🚧 [warn]: Invalid OAuth2 redirect_uri (must be an exact match to a redirect-url) - got `
To get other URLs (token, etc.), use https:///oauth2/openid//.well-known/oauth-authorization-server, e.g. https:///oauth2/openid/nextcloud/.well-known/oauth-authorization-server, with clienID being the client name as specified in kanidm.
Create user:
kanidm login -D idm_admin
kanidm person credential create-reset-token
#+begin_src nix-ts :tangle modules/nixos/server/kanidm.nix
{ self, lib, pkgs, config, globals, dns, confLib, ... }:
let
certsSopsFile = self + /secrets/repo/certs.yaml;
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy homeProxyIf webProxyIf dnsServer homeServiceAddress nginxAccessRules;
oauth2ProxyDomain = globals.services.oauth2-proxy.domain;
immichDomain = globals.services.immich.domain;
paperlessDomain = globals.services.paperless.domain;
forgejoDomain = globals.services.forgejo.domain;
grafanaDomain = globals.services.grafana.domain;
nextcloudDomain = globals.services.nextcloud.domain;
certBase = "/etc/ssl";
certsDir = "${certBase}/certs";
privateDir = "${certBase}/private";
certPathBase = "${certsDir}/${serviceName}.crt";
certPath =
if config.swarselsystems.isImpermanence then
"/persist${certPathBase}"
else
"${certPathBase}";
keyPathBase = "${privateDir}/${serviceName}.key";
keyPath =
if config.swarselsystems.isImpermanence then
"/persist${keyPathBase}"
else
"${keyPathBase}";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users = {
persistentIds = {
kanidm = confLib.mkIds 984;
};
users.${serviceUser} = {
group = serviceGroup;
isSystemUser = true;
};
groups.${serviceGroup} = { };
};
sops = {
secrets = {
"kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-forgejo" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-nextcloud" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
};
# networking.firewall.allowedTCPPorts = [ servicePort ];
globals = {
general.idmServer = config.node.name;
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
environment.persistence = {
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
files = [
certPathBase
keyPathBase
];
};
"/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
};
systemd.services = {
"generateSSLCert-${serviceName}" =
let
daysValid = 3650;
renewBeforeDays = 365;
in
{
before = [ "${serviceName}.service" ];
requiredBy = [ "${serviceName}.service" ];
after = [ "local-fs.target" ];
requires = [ "local-fs.target" ];
serviceConfig = {
Type = "oneshot";
};
script = ''
set -eu
${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""}
${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""}
need_gen=0
if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then
need_gen=1
else
enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)"
end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
seconds_left=$(( end_epoch - now_epoch ))
days_left=$(( seconds_left / 86400 ))
if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
need_gen=1
else
echo 'Certificate exists and is still valid'
fi
fi
if [ "$need_gen" -eq 1 ]; then
${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
-keyout "${keyPath}" \
-out "${certPath}" \
-subj "/CN=${serviceDomain}" \
-addext "subjectAltName=DNS:${serviceDomain}"
chmod 0644 "${certPath}"
chmod 0600 "${keyPath}"
chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
fi
'';
};
kanidm = {
environment.KANIDM_TRUST_X_FORWARD_FOR = "true";
serviceConfig.RestartSec = "30";
};
};
# system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence {
# deps = [ "generateSSLCert-${serviceName}" "users" "groups" ];
# };
# system.activationScripts."generateSSLCert-${serviceName}" =
# let
# daysValid = 3650;
# renewBeforeDays = 365;
# in
# {
# text = ''
# set -eu
# ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
# ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""}
# ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
# ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""}
# need_gen=0
# if [ ! -f "${certPathBase}" ] || [ ! -f "${keyPathBase}" ]; then
# need_gen=1
# else
# enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)"
# end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
# now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
# seconds_left=$(( end_epoch - now_epoch ))
# days_left=$(( seconds_left / 86400 ))
# if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
# need_gen=1
# fi
# fi
# if [ "$need_gen" -eq 1 ]; then
# ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
# -keyout "${keyPath}" \
# -out "${certPath}" \
# -subj "/CN=${serviceDomain}" \
# -addext "subjectAltName=DNS:${serviceDomain}"
# chmod 0644 "${certPath}"
# chmod 0600 "${keyPath}"
# chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
# fi
# '';
# deps = [
# "etc"
# (lib.mkIf config.swarselsystems.isImpermanence "specialfs")
# ];
# };
services = {
${serviceName} = {
package = pkgs.kanidmWithSecretProvisioning_1_9;
server = {
enable = true;
settings = {
domain = serviceDomain;
origin = "https://${serviceDomain}";
# tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
tls_chain = certPathBase;
# tls_key = config.sops.secrets.kanidm-self-signed-key.path;
tls_key = keyPathBase;
bindaddress = "0.0.0.0:${toString servicePort}";
# trust_x_forward_for = true;
};
};
client = {
enable = true;
settings = {
uri = config.services.kanidm.server.settings.origin;
verify_ca = true;
verify_hostnames = true;
};
};
provision = {
enable = true;
adminPasswordFile = config.sops.secrets.kanidm-admin-pw.path;
idmAdminPasswordFile = config.sops.secrets.kanidm-idm-admin-pw.path;
groups = {
"immich.access" = { };
"paperless.access" = { };
"forgejo.access" = { };
"forgejo.admins" = { };
"grafana.access" = { };
"grafana.editors" = { };
"grafana.admins" = { };
"grafana.server-admins" = { };
"nextcloud.access" = { };
"nextcloud.admins" = { };
"navidrome.access" = { };
"freshrss.access" = { };
"firefly.access" = { };
"radicale.access" = { };
"slink.access" = { };
"opkssh.access" = { };
"adguardhome.access" = { };
};
inherit (config.repo.secrets.local) persons;
systems = {
oauth2 = {
immich = {
displayName = "Immich";
originUrl = [
"https://${immichDomain}/auth/login"
"https://${immichDomain}/user-settings"
"app.immich:///oauth-callback"
"https://${immichDomain}/api/oauth/mobile-redirect"
];
originLanding = "https://${immichDomain}/";
basicSecretFile = config.sops.secrets.kanidm-immich.path;
preferShortUsername = true;
enableLegacyCrypto = true; # can use RS256 / HS256, not ES256
scopeMaps."immich.access" = [
"openid"
"email"
"profile"
];
};
paperless = {
displayName = "Paperless";
originUrl = "https://${paperlessDomain}/accounts/oidc/kanidm/login/callback/";
originLanding = "https://${paperlessDomain}/";
basicSecretFile = config.sops.secrets.kanidm-paperless.path;
preferShortUsername = true;
scopeMaps."paperless.access" = [
"openid"
"email"
"profile"
];
};
forgejo = {
displayName = "Forgejo";
originUrl = "https://${forgejoDomain}/user/oauth2/kanidm/callback";
originLanding = "https://${forgejoDomain}/";
basicSecretFile = config.sops.secrets.kanidm-forgejo.path;
scopeMaps."forgejo.access" = [
"openid"
"email"
"profile"
];
# XXX: PKCE is currently not supported by gitea/forgejo,
# see https://github.com/go-gitea/gitea/issues/21376.
allowInsecureClientDisablePkce = true;
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup."forgejo.admins" = [ "admin" ];
};
};
grafana = {
displayName = "Grafana";
originUrl = "https://${grafanaDomain}/login/generic_oauth";
originLanding = "https://${grafanaDomain}/";
basicSecretFile = config.sops.secrets.kanidm-grafana.path;
preferShortUsername = true;
scopeMaps."grafana.access" = [
"openid"
"email"
"profile"
];
claimMaps.groups = {
joinType = "array";
valuesByGroup = {
"grafana.editors" = [ "editor" ];
"grafana.admins" = [ "admin" ];
"grafana.server-admins" = [ "server_admin" ];
};
};
};
nextcloud = {
displayName = "Nextcloud";
originUrl = " https://${nextcloudDomain}/apps/sociallogin/custom_oidc/kanidm";
originLanding = "https://${nextcloudDomain}/";
basicSecretFile = config.sops.secrets.kanidm-nextcloud.path;
allowInsecureClientDisablePkce = true;
scopeMaps."nextcloud.access" = [
"openid"
"email"
"profile"
];
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup = {
"nextcloud.admins" = [ "admin" ];
};
};
};
opkssh = {
displayName = "OPKSSH";
originUrl = [
"http://localhost:3000"
"http://localhost:3000/login-callback"
"http://localhost:10001/login-callback"
"http://localhost:11110/login-callback"
];
originLanding = "http://localhost:3000";
public = true;
enableLocalhostRedirects = true;
scopeMaps."opkssh.access" = [
"openid"
"email"
"profile"
];
};
oauth2-proxy = {
displayName = "Oauth2-Proxy";
originUrl = "https://${oauth2ProxyDomain}/oauth2/callback";
originLanding = "https://${oauth2ProxyDomain}/";
basicSecretFile = config.sops.secrets.kanidm-oauth2-proxy.path;
scopeMaps = {
"freshrss.access" = [
"openid"
"email"
"profile"
];
"navidrome.access" = [
"openid"
"email"
"profile"
];
"firefly.access" = [
"openid"
"email"
"profile"
];
"radicale.access" = [
"openid"
"email"
"profile"
];
"slink.access" = [
"openid"
"email"
"profile"
];
"adguardhome.access" = [
"openid"
"email"
"profile"
];
};
preferShortUsername = true;
claimMaps.groups = {
joinType = "array";
valuesByGroup = {
"freshrss.access" = [ "ttrss_access" ];
"navidrome.access" = [ "navidrome_access" ];
"firefly.access" = [ "firefly_access" ];
"radicale.access" = [ "radicale_access" ];
"slink.access" = [ "slink_access" ];
"adguardhome.access" = [ "adguardhome_access" ];
};
};
};
};
};
};
};
};
nodes =
let
extraConfig = ''
allow ${globals.networks.home-lan.vlans.services.cidrv4};
allow ${globals.networks.home-lan.vlans.services.cidrv6};
'';
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; };
${homeWebProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; extraConfig = extraConfig + nginxAccessRules; serviceAddress = homeServiceAddress; };
};
};
}
#+end_src
**** oauth2-proxy
:PROPERTIES:
:CUSTOM_ID: h:605f5974-e985-4572-b353-fd1d3ccbadae
:END:
This can be used to add OIDC in a way to services that do not support it natively, by tacking it onto the corresponding NGINX service config. In here, it is enabled by setting the =oauth2.enable= option on the respective =virtualHost=.
#+begin_src nix-ts :tangle modules/nixos/server/oauth2-proxy.nix
{ lib, config, pkgs, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "oauth2-proxy"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf oauthServer nginxAccessRules homeServiceAddress;
kanidmDomain = globals.services.kanidm.domain;
mainDomain = globals.domains.main;
inherit (config.swarselsystems) sopsFile;
in
{
options = {
swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
# largely based on https://github.com/oddlama/nix-config/blob/main/modules/oauth2-proxy.nix
services.nginx.virtualHosts = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (
{ config, ... }:
{
options.oauth2 = {
enable = lib.mkEnableOption "access protection of this virtualHost using oauth2-proxy.";
allowedGroups = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
A list of kanidm groups that are allowed to access this resource, or the
empty list to allow any authenticated client.
'';
};
X-User = lib.mkOption {
type = lib.types.str;
default = "$upstream_http_x_auth_request_user";
description = "The variable to set as X-User";
};
X-Email = lib.mkOption {
type = lib.types.str;
default = "$upstream_http_x_auth_request_email";
description = "The variable to set as X-Email";
};
X-Access-Token = lib.mkOption {
type = lib.types.str;
default = "$upstream_http_x_auth_request_access_token";
description = "The variable to set as X-Access-Token";
};
};
options.locations = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (locationSubmodule: {
options = {
setOauth2Headers = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether to add oauth2 headers to this location. Only takes effect is oauth2 is actually enabled on the parent vhost.";
};
bypassAuth = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether to set auth_request off for this location. Only takes effect is oauth2 is actually enabled on the parent vhost.";
};
};
config = lib.mkIf config.oauth2.enable {
extraConfig = lib.optionalString locationSubmodule.config.setOauth2Headers ''
proxy_set_header X-User $user;
proxy_set_header Remote-User $user;
proxy_set_header X-Remote-User $user;
proxy_set_header X-Email $email;
# proxy_set_header X-Access-Token $token;
add_header Set-Cookie $auth_cookie;
'' + lib.optionalString locationSubmodule.config.bypassAuth ''
auth_request off;
'';
};
})
);
};
config = lib.mkIf config.oauth2.enable {
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# set variables that can be used in locations..extraConfig
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user ${config.oauth2.X-User};
auth_request_set $email ${config.oauth2.X-Email};
# if you enabled --pass-access-token, this will pass the token to the backend
# auth_request_set $token ${config.oauth2.X-Access-Token};
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
'';
locations = {
"/oauth2/" = {
proxyPass = "http://oauth2-proxy";
setOauth2Headers = false;
bypassAuth = true;
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
"= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth" + lib.optionalString (config.oauth2.allowedGroups != [ ]) "?allowed_groups=${lib.concatStringsSep "," config.oauth2.allowedGroups}";
setOauth2Headers = false;
bypassAuth = true;
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
};
}
)
);
};
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
sops = {
secrets = {
"oauth2-cookie-secret" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
"kanidm-oauth2-proxy-client" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
templates = {
"kanidm-oauth2-proxy-client-env" = {
content = ''
OAUTH2_PROXY_CLIENT_SECRET="${config.sops.placeholder.kanidm-oauth2-proxy-client}"
OAUTH2_PROXY_COOKIE_SECRET=${config.sops.placeholder.oauth2-cookie-secret}
'';
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
};
};
users = {
persistentIds.oauth2-proxy = confLib.mkIds 966;
};
# needed for homeWebProxy
networking.firewall.allowedTCPPorts = [ servicePort ];
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
services = {
${serviceName} = {
enable = true;
package = pkgs.oauth2-proxy;
cookie = {
domain = ".${mainDomain}";
secure = true;
expire = "900m";
secretFile = null;
};
clientSecretFile = null;
reverseProxy = true;
httpAddress = "0.0.0.0:${builtins.toString servicePort}";
redirectURL = "https://${serviceDomain}/oauth2/callback";
setXauthrequest = true;
upstream = [
"static://202"
];
extraConfig = {
code-challenge-method = "S256";
whitelist-domain = ".${mainDomain}";
set-authorization-header = true;
pass-access-token = true;
skip-jwt-bearer-tokens = true;
oidc-issuer-url = "https://${kanidmDomain}/oauth2/openid/oauth2-proxy";
provider-display-name = "Kanidm";
};
provider = "oidc";
scope = "openid email";
loginURL = "https://${kanidmDomain}/ui/oauth2";
redeemURL = "https://${kanidmDomain}/oauth2/token";
validateURL = "https://${kanidmDomain}/oauth2/openid/oauth2-proxy/userinfo";
clientID = serviceName;
email.domains = [ "*" ];
};
};
systemd.services = {
${serviceName} = {
# after = [ "kanidm.service" ];
serviceConfig = {
RuntimeDirectory = serviceName;
RuntimeDirectoryMode = "0750";
UMask = "007"; # TODO remove once https://github.com/oauth2-proxy/oauth2-proxy/issues/2141 is fixed
RestartSec = "60"; # Retry every minute
EnvironmentFile = [
config.sops.templates.kanidm-oauth2-proxy-client-env.path
];
};
};
};
nodes =
let
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
allow ${globals.networks.home-lan.vlans.services.cidrv4};
allow ${globals.networks.home-lan.vlans.services.cidrv6};
'';
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceAddress serviceDomain serviceName extraConfig; };
${homeWebProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceDomain serviceName; extraConfig = extraConfig + nginxAccessRules; serviceAddress = globals.hosts.${oauthServer}.wanAddress4; };
};
};
}
#+end_src
**** Firefly-III
:PROPERTIES:
:CUSTOM_ID: h:4248e9eb-4b9f-4771-bbfb-7186ef7a8331
:END:
My expenses tracker.
#+begin_src nix-ts :tangle modules/nixos/server/firefly-iii.nix
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "firefly-iii"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome dnsServer webProxy homeWebProxy homeServiceAddress nginxAccessRules;
nginxGroup = "nginx";
inherit (config.swarselsystems) sopsFile;
cfg = config.services.firefly-iii;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users = {
persistentIds = {
firefly-iii = confLib.mkIds 983;
};
groups.${serviceGroup} = { };
users.${serviceUser} = {
group = lib.mkForce serviceGroup;
extraGroups = lib.mkIf cfg.enableNginx [ nginxGroup ];
isSystemUser = true;
};
};
sops = {
secrets = {
"firefly-iii-app-key" = { inherit sopsFile; owner = serviceUser; group = if cfg.enableNginx then nginxGroup else serviceGroup; mode = "0440"; };
};
};
# topology.self.services.${serviceName} = {
# name = "Firefly-III";
# info = "https://${serviceDomain}";
# icon = "${self}/files/topology-images/${serviceName}.png";
# };
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services = {
${serviceName} = {
enable = true;
user = serviceUser;
group = if cfg.enableNginx then nginxGroup else serviceGroup;
dataDir = "/var/lib/${serviceName}";
settings = {
TZ = config.repo.secrets.common.location.timezone;
APP_URL = "https://${serviceDomain}";
APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path;
APP_ENV = "local";
DB_CONNECTION = "sqlite";
TRUSTED_PROXIES = "**";
# turning these on breaks api access using the waterfly app
# AUTHENTICATION_GUARD = "remote_user_guard";
# AUTHENTICATION_GUARD_HEADER = "X-User";
# AUTHENTICATION_GUARD_EMAIL = "X-Email";
};
enableNginx = true;
virtualHost = serviceDomain;
};
nginx = {
virtualHosts = {
"${serviceDomain}" = {
locations = {
"/api" = {
setOauth2Headers = false;
extraConfig = ''
index index.php;
try_files $uri $uri/ /index.php?$query_string;
add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS';
'';
};
};
};
};
};
};
nodes =
let
genNginx = toAddress: extraConfig: {
upstreams = {
${serviceName} = {
servers = {
"${toAddress}:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = {
"${serviceDomain}" = {
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
oauth2 = {
enable = true;
allowedGroups = [ "firefly_access" ];
};
inherit extraConfig;
locations = {
"/" = {
proxyPass = "http://${serviceName}";
};
"/api" = {
proxyPass = "http://${serviceName}";
setOauth2Headers = false;
bypassAuth = true;
};
};
};
};
};
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = genNginx serviceAddress "";
${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
};
};
}
#+end_src
**** Koillection (use db)
:PROPERTIES:
:CUSTOM_ID: h:09c0fed3-b9c6-487f-a5f6-49be039e5fa2
:END:
My collection tracker. I am not too happy with its GUI, but the API is good, and I mostly use it to check what I have manually anyways.
#+begin_src nix-ts :tangle modules/nixos/server/koillection.nix
{ self, lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/var/lib/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6 topologyContainerName;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
serviceDB = "koillection";
postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
postgresPort = config.services.postgresql.settings.port; # 5432
containerRev = "sha256:bb8ad2b6891441d8ec5c3169b684b71574f3bb3e9afb345bad2f91d833d60340";
inherit (config.swarselsystems) sopsFile;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselmodules.server = {
podman = true;
postgresql = true;
};
sops.secrets = {
koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; };
koillection-env-file = { inherit sopsFile; };
};
topology.nodes.${topologyContainerName}.services.${serviceName} = {
name = lib.swarselsystems.toCapitalized serviceName;
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort postgresPort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort postgresPort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; }];
};
virtualisation.oci-containers.containers = {
koillection = {
image = "koillection/koillection@${containerRev}";
ports = [
"${toString servicePort}:80"
];
volumes = [
"${serviceDir}/uploads:/uploads"
];
environment = {
APP_DEBUG = "0";
APP_ENV = "prod";
HTTPS_ENABLED = "1";
UPLOAD_MAX_FILESIZE = "512M";
PHP_MEMORY_LIMIT = "512M";
PHP_TZ = config.repo.secrets.common.location.timezone;
CORS_ALLOW_ORIGIN = "https?://(localhost|swag\\.swarsel\\.win)(:[0-9]+)?$";
DB_DRIVER = "pdo_pgsql";
DB_NAME = serviceDB;
DB_HOST = "host.docker.internal";
DB_USER = serviceUser;
# DB_PASSWORD set in koillection-env-file
DB_PORT = "${toString postgresPort}";
DB_VERSION = "16";
};
environmentFiles = [
config.sops.secrets.koillection-env-file.path
];
extraOptions = [
"--add-host=host.docker.internal:host-gateway" # podman
];
};
};
# networking.firewall.allowedTCPPorts = [ servicePort postgresPort ];
systemd.services.postgresql.postStart =
let
passwordPath = config.sops.secrets.koillection-db-password.path;
in
''
${config.services.postgresql.package}/bin/psql -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${passwordPath}'), E'\n', '''));
EXECUTE format('ALTER ROLE ${serviceDB} WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
services = {
postgresql = {
enable = true;
enableTCPIP = true;
ensureDatabases = [ serviceDB ];
ensureUsers = [
{
name = serviceDB;
ensureDBOwnership = true;
}
];
authentication = ''
host ${serviceDB} ${serviceDB} 10.88.0.0/16 scram-sha-256
'';
};
};
nodes =
let
extraConfigLoc = ''
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
'';
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** Atuin (use db)
:PROPERTIES:
:CUSTOM_ID: h:27eac8b9-c202-4e45-9b80-42592f1e41c8
:END:
Used to sync shell history accross machines and have it backed up somewhere.
#+begin_src nix-ts :tangle modules/nixos/server/atuin.nix
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "atuin"; port = 8888; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselmodules.server = {
postgresql = true;
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
services.${serviceName} = {
enable = true;
host = "0.0.0.0";
port = servicePort;
# openFirewall = true;
openRegistration = false;
};
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** Radicale
:PROPERTIES:
:CUSTOM_ID: h:c1ca2d28-51d2-45bd-83b5-05007ae94ae6
:END:
Selfhosted calendar and contacts.
#+begin_src nix-ts :tangle modules/nixos/server/radicale.nix
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
inherit (config.swarselsystems) sopsFile;
cfg = config.services.${serviceName};
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
sops = {
secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
templates =
let
inherit (config.repo.secrets.local.radicale) user1;
in
{
"radicale-users" = {
content = ''
${user1}:${config.sops.placeholder.radicale-user}
'';
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
};
};
users.persistentIds = {
radicale = confLib.mkIds 982;
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
services.${serviceName} = {
enable = true;
settings = {
server = {
hosts = [
"0.0.0.0:${builtins.toString servicePort}"
"[::]:${builtins.toString servicePort}"
];
};
auth =
{
type = "htpasswd";
htpasswd_filename = config.sops.templates.radicale-users.path;
htpasswd_encryption = "autodetect";
};
storage = {
filesystem_folder = "/var/lib/radicale/collections";
};
};
rights = {
# all: match authenticated users only
root = {
user = ".+";
collection = "";
permissions = "R";
};
principal = {
user = ".+";
collection = "{user}";
permissions = "RW";
};
calendars = {
user = ".+";
collection = "{user}/[^/]+";
permissions = "rw";
};
};
};
systemd.tmpfiles.settings."10-radicale" = {
"${cfg.settings.storage.filesystem_folder}" = {
d = {
group = serviceGroup;
user = serviceUser;
mode = "0750";
};
};
};
# networking.firewall.allowedTCPPorts = [ servicePort ];
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 16; maxBodyUnit = "M"; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 16; maxBodyUnit = "M"; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** croc
:PROPERTIES:
:CUSTOM_ID: h:f922e8d6-f6e8-4779-a7ad-4037229c9bf0
:END:
P2P filesharing similar to what you might know from wormhole(/-rs), but fully self-hosted.
#+begin_src nix-ts :tangle modules/nixos/server/croc.nix
{ self, lib, config, pkgs, dns, globals, confLib, ... }:
let
inherit (confLib.gen { name = "croc"; proxy = config.node.name; }) serviceName serviceDomain proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome dnsServer;
servicePorts = [
9009
9010
9011
9012
9013
];
inherit (config.swarselsystems) sopsFile;
cfg = config.services.croc;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
sops = {
secrets = {
croc-password = { inherit sopsFile; };
};
templates = {
"croc-env" = {
content = ''
CROC_PASS="${config.sops.placeholder.croc-password}"
'';
};
};
};
topology.self.services.${serviceName} = {
name = lib.swarselsystems.toCapitalized serviceName;
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome;
};
services.${serviceName} = {
enable = true;
ports = servicePorts;
pass = config.sops.secrets.croc-password.path;
openFirewall = true;
};
systemd.services = {
${serviceName} = {
serviceConfig = {
ExecStart = lib.mkForce "${pkgs.croc}/bin/croc ${lib.optionalString cfg.debug "--debug"} relay --ports ${
lib.concatMapStringsSep "," toString cfg.ports}";
EnvironmentFile = [
config.sops.templates.croc-env.path
];
};
};
};
# ports are opened on the firewall for croc, no nginx config
};
}
#+end_src
**** microbin
:PROPERTIES:
:CUSTOM_ID: h:13071cc3-5cba-44b5-8b5b-2a27be22e021
:END:
Basically a selfhosted pastebin that also offers syntax highlighting.
#+begin_src nix-ts :tangle modules/nixos/server/microbin.nix
{ self, lib, config, dns, globals, confLib, ... }:
let
inherit (confLib.gen { name = "microbin"; port = 8777; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
inherit (config.swarselsystems) sopsFile;
cfg = config.services.${serviceName};
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users = {
persistentIds.${serviceName} = confLib.mkIds 964;
groups.${serviceGroup} = { };
users.${serviceUser} = {
isSystemUser = true;
group = serviceGroup;
};
};
sops = {
secrets = {
microbin-admin-username = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-admin-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
microbin-uploader-password = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
templates = {
"microbin-env" = {
content = ''
MICROBIN_ADMIN_USERNAME="${config.sops.placeholder.microbin-admin-username}"
MICROBIN_ADMIN_PASSWORD="${config.sops.placeholder.microbin-admin-password}"
MICROBIN_UPLOADER_PASSWORD="${config.sops.placeholder.microbin-uploader-password}"
'';
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
};
};
topology.self.services.${serviceName} = {
name = lib.swarselsystems.toCapitalized serviceName;
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
services.${serviceName} = {
enable = true;
passwordFile = config.sops.templates.microbin-env.path;
dataDir = "/var/lib/microbin";
settings = {
MICROBIN_HIDE_LOGO = true;
MICROBIN_PORT = servicePort;
MICROBIN_EDITABLE = true;
MICROBIN_HIDE_HEADER = true;
MICROBIN_HIDE_FOOTER = true;
MICROBIN_NO_LISTING = false;
MICROBIN_HIGHLIGHTSYNTAX = true;
MICROBIN_BIND = "0.0.0.0";
MICROBIN_PRIVATE = true;
MICROBIN_PUBLIC_PATH = "https://${serviceDomain}";
MICROBIN_READONLY = true;
MICROBIN_SHOW_READ_STATS = true;
MICROBIN_TITLE = "~SwarselScratch~";
MICROBIN_THREADS = 1;
MICROBIN_GC_DAYS = 30;
MICROBIN_ENABLE_BURN_AFTER = true;
MICROBIN_QR = true;
MICROBIN_ETERNAL_PASTA = true;
MICROBIN_ENABLE_READONLY = true;
MICROBIN_DEFAULT_EXPIRY = "1week";
MICROBIN_NO_FILE_UPLOAD = false;
MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB = 256;
MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB = 1024;
MICROBIN_DISABLE_UPDATE_CHECKING = true;
MICROBIN_DISABLE_TELEMETRY = true;
MICROBIN_LIST_SERVER = false;
};
};
systemd.services = {
${serviceName} = {
serviceConfig = {
DynamicUser = lib.mkForce false;
User = serviceUser;
Group = serviceGroup;
};
};
};
# networking.firewall.allowedTCPPorts = [ servicePort ];
environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
{ directory = cfg.dataDir; user = serviceUser; group = serviceGroup; mode = "0700"; }
];
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 1; maxBodyUnit = "G"; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 1; maxBodyUnit = "G"; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** shlink
:PROPERTIES:
:CUSTOM_ID: h:4ccdcd5c-a4dd-49e4-94e7-d81db970059c
:END:
Self-hosted link shortener.
#+begin_src nix-ts :tangle modules/nixos/server/shlink.nix
{ self, lib, config, dns, globals, confLib, ... }:
let
inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6 topologyContainerName;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a";
inherit (config.swarselsystems) sopsFile;
in
{
options = {
swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselmodules.server = {
podman = true;
};
sops = {
secrets = {
shlink-api = { inherit sopsFile; };
};
templates = {
"shlink-env" = {
content = ''
INITIAL_API_KEY=${config.sops.placeholder.shlink-api}
'';
};
};
};
topology.nodes.${topologyContainerName}.services.${serviceName} = {
name = lib.swarselsystems.toCapitalized serviceName;
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
virtualisation.oci-containers.containers.${serviceName} = {
image = "shlinkio/shlink@${containerRev}";
environment = {
"DEFAULT_DOMAIN" = serviceDomain;
"PORT" = "${builtins.toString servicePort}";
"USE_HTTPS" = "false";
"DEFAULT_SHORT_CODES_LENGTH" = "4";
"WEB_WORKER_NUM" = "1";
"TASK_WORKER_NUM" = "1";
};
environmentFiles = [
config.sops.templates.shlink-env.path
];
ports = [ "${builtins.toString servicePort}:${builtins.toString servicePort}" ];
volumes = [
"${serviceDir}/data:/etc/shlink/data"
];
};
systemd.tmpfiles.settings."11-shlink" = builtins.listToAttrs (
map
(path: {
name = "${serviceDir}/${path}";
value = {
d = {
group = "root";
user = "1001";
mode = "0750";
};
};
}) [
"data"
"data/cache"
"data/locks"
"data/log"
"data/proxies"
]
);
# networking.firewall.allowedTCPPorts = [ servicePort ];
environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
{ directory = serviceDir; }
{ directory = "/var/lib/containers"; }
];
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** slink
:PROPERTIES:
:CUSTOM_ID: h:e46c37ac-5610-4603-8afc-2f5f008fc14d
:END:
Image sharing service similar to imgur.
Deployment notes:
- enable user: =podman exec -it slink slink user:activate --email==
- make user admin: =podman exec -it slink slink user:grant:role --email= ROLE_ADMIN=
- finally, disable new user registration in web ui
#+begin_src nix-ts :tangle modules/nixos/server/slink.nix
{ lib, config, dns, globals, confLib, ... }:
let
inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6 topologyContainerName;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9";
in
{
options = {
swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
swarselmodules.server = {
podman = true;
};
topology.nodes.${topologyContainerName}.services.${serviceName} = {
name = lib.swarselsystems.toCapitalized serviceName;
info = "https://${serviceDomain}";
icon = "services.not-available";
};
virtualisation.oci-containers.containers.${serviceName} = {
image = "anirdev/slink@${containerRev}";
environment = {
"ORIGIN" = "https://${serviceDomain}";
"TZ" = config.repo.secrets.common.location.timezone;
"STORAGE_PROVIDER" = "local";
"IMAGE_MAX_SIZE" = "50M";
"USER_APPROVAL_REQUIRED" = "true";
};
ports = [ "${builtins.toString servicePort}:${builtins.toString servicePort}" ];
volumes = [
"${serviceDir}/var/data:/app/var/data"
"${serviceDir}/images:/app/slink/images"
];
};
systemd.tmpfiles.settings."12-slink" = builtins.listToAttrs (
map
(path: {
name = "${serviceDir}/${path}";
value = {
d = {
group = "root";
user = "root";
mode = "0750";
};
};
}) [
"var/data"
"images"
]
);
# networking.firewall.allowedTCPPorts = [ servicePort ];
environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
{ directory = serviceDir; }
];
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
nodes =
let
genNginx = toAddress: extraConfig: {
upstreams = {
${serviceName} = {
servers = {
"${toAddress}:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = {
"${serviceDomain}" = {
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
oauth2 = {
enable = true;
allowedGroups = [ "slink_access" ];
};
inherit extraConfig;
locations = {
"/" = {
proxyPass = "http://${serviceName}";
};
"/image" = {
proxyPass = "http://${serviceName}";
setOauth2Headers = false;
bypassAuth = true;
};
};
};
};
};
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = genNginx serviceAddress "";
${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
};
};
}
#+end_src
**** Snipe-IT (currently unused)
:PROPERTIES:
:CUSTOM_ID: h:470f7ee3-3307-4949-b0fa-403171e3859a
:END:
This is an asset management system. However, for my needs it is a bit too convoluted, so I use [[#h:5b4feb1b-e7a3-43f1-9930-8d00012742ad][Homebox (use db)]] instead.
#+begin_src nix-ts :tangle modules/nixos/server/snipe-it.nix
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy webProxyIf homeProxyIf dnsServer homeServiceAddress nginxAccessRules;
# sopsFile = config.node.secretsDir + "/secrets2.yaml";
inherit (config.swarselsystems) sopsFile;
serviceDB = "snipeit";
mysqlPort = 3306;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
sops = {
secrets = {
snipe-it-appkey = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
};
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
services.snipe-it = {
enable = true;
appKeyFile = config.sops.secrets.snipe-it-appkey.path;
appURL = "https://${serviceDomain}";
hostName = serviceDomain;
user = serviceUser;
group = serviceGroup;
dataDir = "/var/lib/snipeit";
database = {
user = serviceUser;
port = mysqlPort;
name = serviceDB;
host = "localhost";
createLocally = true;
};
};
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** Homebox (use db)
:PROPERTIES:
:CUSTOM_ID: h:5b4feb1b-e7a3-43f1-9930-8d00012742ad
:END:
My asset manager. I use it to track tools, cables and boardgames mostly.
#+begin_src nix-ts :tangle modules/nixos/server/homebox.nix
{ self, lib, pkgs, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
topology.self.services.${serviceName} = {
name = "Homebox";
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
swarselmodules.server = {
postgresql = true;
};
users.persistentIds = {
homebox = confLib.mkIds 981;
};
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM {
directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }];
};
services.${serviceName} = {
enable = true;
package = pkgs.bisect.homebox;
database.createLocally = true;
settings = {
HBOX_WEB_PORT = builtins.toString servicePort;
HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
HBOX_STORAGE_CONN_STRING = "file:///var/lib/homebox";
HBOX_STORAGE_PREFIX_PATH = ".data";
};
};
# networking.firewall.allowedTCPPorts = [ servicePort ];
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** OPKSSH
:PROPERTIES:
:CUSTOM_ID: h:6e30509a-1320-4993-a9c7-70d28ef2906a
:END:
Allows certificate based SSH logins easily. I use this to be able to quickly give people access to my server when needed (by giving them the permissions in [[#h:ee625136-29ab-4696-919f-7b0d0042f6dd][kanidm]])
#+begin_src nix-ts :tangle modules/nixos/server/opkssh.nix
{ lib, config, globals, confLib, ... }:
let
inherit (confLib.gen { name = "opkssh"; user = "opksshuser"; group = "opksshuser"; }) serviceName serviceUser serviceGroup;
kanidmDomain = globals.services.kanidm.domain;
inherit (config.swarselsystems) mainUser;
mailAddress = config.repo.secrets.common.mail.address4;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users.persistentIds = {
opksshuser = confLib.mkIds 980;
};
services.${serviceName} = {
enable = true;
user = serviceUser;
group = serviceGroup;
providers = {
kanidm = {
lifetime = "oidc";
issuer = "https://${kanidmDomain}/oauth2/openid/${serviceName}";
clientId = serviceName;
};
};
authorizations = [
{
user = mainUser;
principal = mailAddress;
inherit (config.services.opkssh.providers.kanidm) issuer;
}
];
};
};
}
#+end_src
**** Garage
:PROPERTIES:
:CUSTOM_ID: h:81c76be4-45f1-44e5-890d-6d082a95ab51
:END:
Garage acts as my s3 endpoint. I use it on two of my servers:
- [[#h:932ef6b0-4c14-4200-8e3f-2e208e748746][Winters (Server: ASRock J4105-ITX)]]: General s3 storage
- [[#h:90457194-6b97-4cd6-90bc-4f42d0d69f51][Belchsfactory (OCI)]]: s3 storage for nix binary cache (used by [[#h:092593d2-0ca0-4f86-9951-6127a3594e25][Attic (nix binary cache)]])
Generate the admin token using =openssl rand -base64 32=.
Generate the rpc token using =openssl rand -hex 32=.
If a website is to be deployed using a s3 bucket, add the corresponding files in one of two ways:
either 1) use vhost addressing: =aws s3 cp s3:// --endpoint-url https://. --region swarsel=
or 2) use classic path addressing =aws s3 cp s3:/// --endpoint-url https:// --region swarsel=
#+begin_src nix-ts :tangle modules/nixos/server/garage.nix
# inspired by https://github.com/atropos112/nixos/blob/7fef652006a1c939f4caf9c8a0cb0892d9cdfe21/modules/garage.nix
{ self, lib, pkgs, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "garage"; port = 3900; domain = config.repo.secrets.common.services.domains."garage-${config.node.name}"; }) servicePort serviceName specificServiceName serviceDomain subDomain baseDomain serviceAddress proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
cfg = lib.recursiveUpdate config.services.${serviceName} config.swarselsystems.server.${serviceName};
inherit (config.swarselsystems) sopsFile mainUser;
# needs SSD
metadata_dir = "/var/lib/garage/meta";
# metadata_dir = if config.swarselsystems.isCloud then "/var/lib/garage/meta" else "/Vault/data/garage/meta";
garageRpcPort = 3901;
garageWebPort = 3902;
garageAdminPort = 3903;
garageK2VPort = 3904;
adminDomain = "${subDomain}-admin.${baseDomain}";
webDomain = "${subDomain}-web.${baseDomain}";
in
{
options = {
swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
swarselsystems.server.${serviceName} = {
data_dir = {
path = lib.mkOption {
type = lib.types.str;
description = "Directory where Garage stores its metadata";
};
capacity = lib.mkOption {
type = lib.types.str;
};
};
buckets = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "List of buckets to create";
};
keys = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.str);
default = { };
description = "Keys and their associated buckets. Each key gets full access (read/write/owner) to its listed buckets.";
example = {
my_key_name = [ "bucket1" "bucket2" ];
my_other_key = [ "bucket2" "bucket3" ];
};
};
};
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
assertions = [
{
assertion = config.swarselsystems.server.${serviceName}.buckets != [ ];
message = "If Garage is enabled, at least one bucket must be specified in swarselsystems.server.${serviceName}.buckets";
}
{
assertion = builtins.length (lib.attrsToList config.swarselsystems.server.${serviceName}.keys) > 0;
message = "If Garage is enabled, at least one key must be specified in swarselsystems.server.${serviceName}.keys";
}
{
assertion =
let
allKeyBuckets = lib.flatten (lib.attrValues config.swarselsystems.server.${serviceName}.keys);
invalidBuckets = builtins.filter (bucket: !(lib.elem bucket config.swarselsystems.server.${serviceName}.buckets)) allKeyBuckets;
in
invalidBuckets == [ ];
message = "All buckets referenced in keys must exist in the buckets list";
}
];
# networking.firewall.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
topology.self.services.${serviceName} = {
name = lib.swarselsystems.toCapitalized serviceName;
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
sops = {
secrets.garage-admin-token = { inherit sopsFile; };
secrets.garage-rpc-secret = { inherit sopsFile; };
};
# DynamicUser cannot read above secrets
systemd.services.${serviceName}.serviceConfig = {
DynamicUser = false;
ProtectHome = lib.mkForce false;
};
environment = {
persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
{ directory = "/var/lib/garage"; }
(lib.mkIf config.swarselsystems.isCloud { directory = config.swarselsystems.server.${serviceName}.data_dir.path; })
];
systemPackages = [
cfg.package
];
};
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
};
};
services.${specificServiceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
services.${serviceName} = {
enable = true;
package = pkgs.garage_2;
settings = {
data_dir = [ config.swarselsystems.server.${serviceName}.data_dir ];
inherit metadata_dir;
db_engine = "lmdb";
block_size = "128M";
use_local_tz = false;
disable_scrub = true;
replication_factor = 1;
compression_level = "none";
rpc_bind_addr = "[::]:${builtins.toString garageRpcPort}";
# we are not joining our nodes, just use the private ipv4
rpc_public_addr = "${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4}:${builtins.toString garageRpcPort}";
rpc_secret_file = config.sops.secrets.garage-rpc-secret.path;
s3_api = {
s3_region = mainUser;
api_bind_addr = "[::]:${builtins.toString servicePort}";
root_domain = ".${serviceDomain}";
};
s3_web = {
bind_addr = "[::]:${builtins.toString garageWebPort}";
root_domain = ".${config.repo.secrets.common.services.domains."garage-web-${config.node.name}"}";
add_host_to_metrics = true;
};
admin = {
api_bind_addr = "[::]:${builtins.toString garageAdminPort}";
admin_token_file = config.sops.secrets.garage-admin-token.path;
};
k2v_api = {
api_bind_addr = "[::]:${builtins.toString garageK2VPort}";
};
};
};
systemd.services = {
garage-buckets = {
description = "Create Garage buckets";
after = [ "garage.service" ];
wants = [ "garage.service" ];
wantedBy = [ "multi-user.target" ];
path = [ cfg.package pkgs.gawk pkgs.coreutils ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = "root";
Group = "root";
};
script = ''
garage status
# Checking repeatedly with garage status until getting 0 exit code
while ! garage status >/dev/null 2>&1; do
echo "Garage not yet operational, waiting..."
echo "Current garage status output:"
garage status 2>&1 || true
echo "---"
sleep 5
done
# Now we check if garage status shows any failed nodes by checking for ==== FAILED NODES ====
while garage status | grep -q "==== FAILED NODES ===="; do
echo "Garage has failed nodes, waiting..."
echo "Current garage status output:"
garage status 2>&1 || true
echo "---"
sleep 5
done
echo "Garage is operational, proceeding with bucket management."
# Get list of existing buckets
existing_buckets=$(garage bucket list | tail -n +2 | awk '{print $3}' | grep -v '^$' || true)
# Create buckets that should exist
${lib.concatMapStringsSep "\n" (bucket: ''
if [[ "$(garage bucket info ${lib.escapeShellArg bucket} 2>&1 >/dev/null)" == *"Bucket not found"* ]]; then
echo "Creating bucket ${lib.escapeShellArg bucket}"
garage bucket create ${lib.escapeShellArg bucket}
else
echo "Bucket ${lib.escapeShellArg bucket} already exists"
fi
'')
cfg.buckets}
# Remove buckets that shouldn't exist
for bucket in $existing_buckets; do
should_exist=false
${lib.concatMapStringsSep "\n" (bucket: ''
if [[ "$bucket" == ${lib.escapeShellArg bucket} ]]; then
should_exist=true
fi
'')
cfg.buckets}
if [[ "$should_exist" == "false" ]]; then
echo "Removing bucket $bucket"
garage bucket delete --yes "$bucket"
fi
done
'';
};
garage-keys = {
description = "Create Garage keys and set permissions";
after = [ "garage-buckets.service" ];
wants = [ "garage-buckets.service" ];
requires = [ "garage-buckets.service" ];
wantedBy = [ "multi-user.target" ];
path = [ cfg.package pkgs.gawk pkgs.coreutils ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = "root";
Group = "root";
};
script = ''
garage key list
echo "Managing keys..."
# Get list of existing keys
existing_keys=$(garage key list | tail -n +2 | awk '{print $3}' | grep -v '^$' || true)
# Create keys that should exist
${lib.concatStringsSep "\n" (lib.mapAttrsToList (keyName: _: ''
if [[ "$(garage key info ${lib.escapeShellArg keyName} 2>&1)" == *"0 matching keys"* ]]; then
echo "Creating key ${lib.escapeShellArg keyName}"
garage key create ${lib.escapeShellArg keyName}
else
echo "Key ${lib.escapeShellArg keyName} already exists"
fi
'')
cfg.keys)}
# Set up key permissions for buckets
${lib.concatStringsSep "\n" (lib.mapAttrsToList (
keyName: buckets:
lib.concatMapStringsSep "\n" (bucket: ''
echo "Granting full access to key ${lib.escapeShellArg keyName} for bucket ${lib.escapeShellArg bucket}"
garage bucket allow --read --write --owner --key ${lib.escapeShellArg keyName} ${lib.escapeShellArg bucket}
'')
buckets
)
cfg.keys)}
# Remove permissions from buckets that are no longer associated with keys
${lib.concatStringsSep "\n" (lib.mapAttrsToList (keyName: buckets: ''
# Get current buckets this key has access to
current_buckets=$(garage key info ${lib.escapeShellArg keyName} | grep -A 1000 "==== BUCKETS FOR THIS KEY ====" | tail -n +3 | awk '{print $3}' | grep -v '^$' || true)
# Remove access from buckets not in the desired list
for current_bucket in $current_buckets; do
should_have_access=false
${lib.concatMapStringsSep "\n" (bucket: ''
if [[ "$current_bucket" == ${lib.escapeShellArg bucket} ]]; then
should_have_access=true
fi
'')
buckets}
if [[ "$should_have_access" == "false" ]]; then
echo "Removing access for key ${lib.escapeShellArg keyName} from bucket $current_bucket"
garage bucket deny --key ${lib.escapeShellArg keyName} $current_bucket
fi
done
'')
cfg.keys)}
# Remove keys that shouldn't exist
for key in $existing_keys; do
should_exist=false
${lib.concatStringsSep "\n" (lib.mapAttrsToList (keyName: _: ''
if [[ "$key" == ${lib.escapeShellArg keyName} ]]; then
should_exist=true
fi
'')
cfg.keys)}
if [[ "$should_exist" == "false" ]]; then
echo "Removing key $key"
garage key delete --yes "$key"
fi
done
'';
};
};
nodes =
let
genNginx = toAddress: extraConfig: {
upstreams = {
${serviceName} = {
servers = {
"${toAddress}:${builtins.toString servicePort}" = { };
};
};
"${serviceName}Web" = {
servers = {
"${toAddress}:${builtins.toString garageWebPort}" = { };
};
};
"${serviceName}Admin" = {
servers = {
"${toAddress}:${builtins.toString garageAdminPort}" = { };
};
};
};
virtualHosts = {
"${adminDomain}" = {
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
oauth2.enable = false;
inherit extraConfig;
locations = {
"/" = {
proxyPass = "http://${serviceName}Admin";
};
};
};
"*.${webDomain}" = {
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
oauth2.enable = false;
inherit extraConfig;
locations = {
"/" = {
proxyPass = "http://${serviceName}Web";
};
};
};
"${serviceDomain}" = {
serverAliases = [ "*.${serviceDomain}" ];
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
oauth2.enable = false;
inherit extraConfig;
locations = {
"/" = {
proxyPass = "http://${serviceName}";
extraConfig = ''
client_max_body_size 0;
client_body_timeout 600s;
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
proxy_request_buffering off;
'';
};
};
};
};
};
in
{
${dnsServer}.swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
"${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
"${subDomain}-admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
"${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
"*.${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
"*.${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = genNginx serviceAddress "";
${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
};
};
}
#+end_src
**** Set host domain for dns
:PROPERTIES:
:CUSTOM_ID: h:d1458f94-64e0-4804-8e92-35b87716e494
:END:
This is used to have a dns record that points to the public IP of my cloud servers (which is useful for consolidating IPv4 and IPv6).
#+begin_src nix-ts :tangle modules/nixos/server/dns-hostrecord.nix
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "dns-hostrecord"; proxy = config.node.name; }) serviceName proxyAddress4 proxyAddress6;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf (config.swarselmodules.server.${serviceName} && config.swarselsystems.isCloud) {
nodes.stoicclub.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords = {
"server.${config.node.name}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
};
}
#+end_src
**** Set dns host entries for home servers
:PROPERTIES:
:CUSTOM_ID: h:c539061e-8aa8-4c5a-a2a0-22490cd4e5de
:END:
This makes sure that my servers at home know about the home NGINX endpoint and use it over the external one.
#+begin_src nix-ts :tangle modules/nixos/server/dns-home.nix
{ lib, config, globals, confLib, ... }:
let
inherit (confLib.gen { name = "dns-home"; }) serviceName;
inherit (confLib.static) homeProxy;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
networking.hosts = {
${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv4} = [ "server.${homeProxy}.${globals.domains.main}" ];
${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv6} = [ "server.${homeProxy}.${globals.domains.main}" ];
};
};
}
#+end_src
**** nsd (dns)
:PROPERTIES:
:CUSTOM_ID: h:ef5b7ace-4870-4dfa-9532-9a9d2722dc9a
:END:
This is the setup of my authoritative dns server. This here is the general configuration that handles setup as well as zone transfers to Hetzner and Hurricane Electric. Domain specific config at:
- [[#h:dc1dbc54-46f7-406d-a551-527e97439614][nsd (dns) - site1]]
#+begin_src nix-ts :tangle modules/nixos/server/nsd/default.nix
{ self, lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "nsd"; port = 53; }) serviceName servicePort proxyAddress4 proxyAddress6;
inherit (config.swarselsystems) sopsFile;
in
{
options = {
swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
swarselsystems.server.dns = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
options = {
subdomainRecords = lib.mkOption {
type = lib.types.attrsOf dns.lib.types.subzone;
default = { };
};
};
}
);
};
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
sops.secrets = {
tsig-key = { inherit sopsFile; };
};
# services.resolved.enable = false;
networking = {
# nameservers = [ "1.1.1.1" "8.8.8.8" ];
firewall = {
allowedUDPPorts = [ servicePort ];
allowedTCPPorts = [ servicePort ];
};
};
topology.self.services.${serviceName} = {
name = lib.toUpper serviceName;
icon = "${self}/files/topology-images/${serviceName}.png";
};
services.nsd = {
enable = true;
keys = {
"${globals.domains.main}.${proxyAddress4}" = {
algorithm = "hmac-sha256";
keyFile = config.sops.secrets.tsig-key.path;
};
"${globals.domains.main}.${proxyAddress6}" = {
algorithm = "hmac-sha256";
keyFile = config.sops.secrets.tsig-key.path;
};
"${globals.domains.main}" = {
algorithm = "hmac-sha256";
keyFile = config.sops.secrets.tsig-key.path;
};
};
interfaces = [
"10.1.2.157"
"2603:c020:801f:a0cc::9d"
];
zones = {
"${globals.domains.main}" =
let
keyName4 = "${globals.domains.main}.${proxyAddress4}";
keyName6 = "${globals.domains.main}.${proxyAddress6}";
keyName = "${globals.domains.main}";
transferList = [
"213.239.242.238 ${keyName4}"
"2a01:4f8:0:a101::a:1 ${keyName6}"
"213.133.100.103 ${keyName4}"
"2a01:4f8:0:1::5ddc:2 ${keyName6}"
"193.47.99.3 ${keyName4}"
"2001:67c:192c::add:a3 ${keyName6}"
];
in
{
outgoingInterface = "2603:c020:801f:a0cc::9d";
notify = transferList ++ [
"216.218.130.2 ${keyName}"
];
provideXFR = transferList ++ [
"216.218.133.2 ${keyName}"
"2001:470:600::2 ${keyName}"
];
# dnssec = true;
data = dns.lib.toString "${globals.domains.main}" (import ./site1.nix { inherit config globals dns proxyAddress4 proxyAddress6; });
};
};
};
};
}
#+end_src
***** nsd (dns) - site1
:PROPERTIES:
:CUSTOM_ID: h:dc1dbc54-46f7-406d-a551-527e97439614
:END:
These are the specific records in use for my main domain.
#+begin_src nix-ts :tangle modules/nixos/server/nsd/site1.nix
{ config, globals, dns, proxyAddress4, proxyAddress6, ... }:
with dns.lib.combinators; {
SOA = {
nameServer = "soa";
adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin")
serial = 2026010201; # update this on changes for secondary dns
};
useOrigin = false;
NS = [
"soa"
"srv"
] ++ globals.domains.externalDns;
CAA = [
{
issuerCritical = false;
tag = "issue";
value = "letsencrypt.org";
}
{
issuerCritical = false;
tag = "issuewild";
value = "letsencrypt.org";
}
{
issuerCritical = false;
tag = "iodef";
value = "mailto:${config.repo.secrets.common.dnsMail}";
}
];
A = [ config.repo.secrets.local.dns.homepage-ip ];
SRV = [
{
service = "_matrix";
proto = "_tcp";
port = 443;
target = "${globals.services.matrix.subDomain}";
priority = 10;
weight = 5;
}
{
service = "_submissions";
proto = "_tcp";
port = 465;
target = "${globals.services.mailserver.subDomain}";
priority = 5;
weight = 0;
ttl = 3600;
}
{
service = "_submission";
proto = "_tcp";
port = 587;
target = "${globals.services.mailserver.subDomain}";
priority = 5;
weight = 0;
ttl = 3600;
}
{
service = "_imap";
proto = "_tcp";
port = 143;
target = "${globals.services.mailserver.subDomain}";
priority = 5;
weight = 0;
ttl = 3600;
}
{
service = "_imaps";
proto = "_tcp";
port = 993;
target = "${globals.services.mailserver.subDomain}";
priority = 5;
weight = 0;
ttl = 3600;
}
];
MX = [
{
preference = 10;
exchange = "${globals.services.mailserver.subDomain}";
}
];
DKIM = [
{
selector = "mail";
k = "rsa";
p = config.repo.secrets.local.dns.mailserver.dkim-public;
ttl = 10800;
}
];
TXT = [
(with spf; strict [ "a:${globals.services.mailserver.subDomain}.${globals.domains.main}" ])
"google-site-verification=${config.repo.secrets.local.dns.google-site-verification}"
];
DMARC = [
{
p = "none";
ttl = 10800;
}
];
subdomains = config.swarselsystems.server.dns.${globals.domains.main}.subdomainRecords // {
"www".CNAME = [ "${globals.domains.main}." ];
"_acme-challenge".CNAME = [ "${config.repo.secrets.local.dns.acme-challenge-domain}." ];
"soa" = host proxyAddress4 proxyAddress6;
"srv" = host proxyAddress4 proxyAddress6;
};
}
#+end_src
**** Minecraft
:PROPERTIES:
:CUSTOM_ID: h:948d4f4e-b752-4e2e-b8a9-35d9d7f246c6
:END:
Handles my minecraft server. It runs forge, so the full server is not NixOS managed, but merely the service that starts it (good enough I guess.)
#+begin_src nix-ts :tangle modules/nixos/server/minecraft/default.nix
{ self, lib, config, pkgs, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; proxy = config.node.name; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome dnsServer;
inherit (config.swarselsystems) mainUser;
worldName = "${mainUser}craft";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
topology.self.services.${serviceName} = {
name = "Minecraft";
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
globals.services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome;
};
networking.firewall.allowedTCPPorts = [ servicePort ];
environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
{ directory = serviceDir; mode = "0755"; }
];
systemd.services.minecraft-swarselcraft = {
description = "Minecraft Server";
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
serviceConfig = {
User = "root";
WorkingDirectory = "${serviceDir}/${worldName}";
ExecStart = "${lib.getExe pkgs.temurin-jre-bin-17} @user_jvm_args.txt @libraries/net/minecraftforge/forge/1.20.1-47.2.20/unix_args.txt nogui";
Restart = "always";
RestartSec = 30;
StandardInput = "null";
};
wantedBy = [ "multi-user.target" ];
};
};
}
#+end_src
**** Mailserver
:PROPERTIES:
:CUSTOM_ID: h:64cbeb7e-0773-4eb5-8e52-6b97c8f685e2
:END:
This runs a mailserver using simple-nixos-mailserver.
When changing the hashed passwords, =dovecot= needs to be restarted manually, it will not happen upon rebuild.
#+begin_src nix-ts :tangle modules/nixos/server/mailserver.nix
{ self, lib, config, globals, dns, confLib, ... }:
let
inherit (config.swarselsystems) sopsFile;
inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome webProxy homeWebProxy dnsServer homeServiceAddress nginxAccessRules;
inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 alias2_2 alias2_3 user3;
baseDomain = globals.domains.main;
roundcubeDomain = config.repo.secrets.common.services.domains.roundcube;
endpointAddress4 = globals.hosts.${config.node.name}.wanAddress4 or null;
endpointAddress6 = globals.hosts.${config.node.name}.wanAddress6 or null;
in
{
options = {
swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
users = {
persistentIds = {
knot-resolver = confLib.mkIds 963;
postfix-tlspol = confLib.mkIds 962;
roundcube = confLib.mkIds 961;
redis-rspamd = confLib.mkIds 960;
};
};
globals.services = {
${serviceName} = {
domain = serviceDomain;
proxyAddress4 = endpointAddress4;
proxyAddress6 = endpointAddress6;
};
roundcube = {
domain = roundcubeDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
topology.self.services = lib.listToAttrs (map
(service:
lib.nameValuePair "${service}" {
name = lib.swarselsystems.toCapitalized service;
info = lib.mkIf (service == "postfix" || service == "roundcube") (if service == "postfix" then "https://${serviceDomain}" else "https://${roundcubeDomain}");
icon = "${self}/files/topology-images/${service}.png";
}
)
[ "postfix" "dovecot" "rspamd" "clamav" "roundcube" ]);
sops.secrets = {
user1-hashed-pw = { inherit sopsFile; owner = serviceUser; };
user2-hashed-pw = { inherit sopsFile; owner = serviceUser; };
user3-hashed-pw = { inherit sopsFile; owner = serviceUser; };
};
environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
{ directory = "/var/vmail"; user = serviceUser; group = serviceGroup; mode = "0770"; }
{ directory = "/var/sieve"; user = serviceUser; group = serviceGroup; mode = "0770"; }
{ directory = "/var/dkim"; user = "rspamd"; group = "rspamd"; mode = "0700"; }
{ directory = serviceDir; user = serviceUser; group = serviceGroup; mode = "0700"; }
# { directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }
{ directory = "/var/lib/rspamd"; user = "rspamd"; group = "rspamd"; mode = "0700"; }
{ directory = "/var/lib/roundcube"; user = "roundcube"; group = "roundcube"; mode = "0700"; }
{ directory = "/var/lib/redis-rspamd"; user = "redis-rspamd"; group = "redis-rspamd"; mode = "0700"; }
{ directory = "/var/lib/postfix"; user = "root"; group = "root"; mode = "0755"; }
{ directory = "/var/lib/knot-resolver"; user = "knot-resolver"; group = "knot-resolver"; mode = "0770"; }
];
mailserver = {
enable = true;
stateVersion = 3;
fqdn = serviceDomain;
domains = [ baseDomain ];
indexDir = "${serviceDir}/indices";
openFirewall = true;
# certificateScheme = "acme";
dmarcReporting.enable = true;
enableSubmission = true;
enableSubmissionSsl = true;
enableImapSsl = true;
x509.useACMEHost = globals.domains.main;
loginAccounts = {
"${user1}@${baseDomain}" = {
hashedPasswordFile = config.sops.secrets.user1-hashed-pw.path;
aliases = [
"${alias1_1}@${baseDomain}"
"${alias1_2}@${baseDomain}"
"${alias1_3}@${baseDomain}"
"${alias1_4}@${baseDomain}"
];
};
"${user2}@${baseDomain}" = {
hashedPasswordFile = config.sops.secrets.user2-hashed-pw.path;
aliases = [
"${alias2_1}@${baseDomain}"
"${alias2_2}@${baseDomain}"
"${alias2_3}@${baseDomain}"
];
sendOnly = true;
};
"${user3}@${baseDomain}" = {
hashedPasswordFile = config.sops.secrets.user3-hashed-pw.path;
aliases = [
"@${baseDomain}"
];
catchAll = [
baseDomain
];
};
};
};
services.roundcube = {
enable = true;
# this is the url of the vhost, not necessarily the same as the fqdn of
# the mailserver
hostName = roundcubeDomain;
extraConfig = ''
$config['imap_host'] = "ssl://${config.mailserver.fqdn}";
$config['smtp_host'] = "ssl://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
configureNginx = true;
};
# the rest of the ports are managed by snm
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
virtualHosts = {
"${roundcubeDomain}" = {
useACMEHost = globals.domains.main;
enableACME = false;
forceSSL = true;
acmeRoot = null;
locations = {
"/".recommendedSecurityHeaders = false;
"~ ^/(SQL|bin|config|logs|temp|vendor)/".recommendedSecurityHeaders = false;
"~ ^/(CHANGELOG.md|INSTALL|LICENSE|README.md|SECURITY.md|UPGRADING|composer.json|composer.lock)".recommendedSecurityHeaders = false;
"~* \\.php(/|$)".recommendedSecurityHeaders = false;
};
};
};
};
nodes =
let
extraConfigLoc = ''
proxy_ssl_server_name on;
proxy_ssl_name ${roundcubeDomain};
'';
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host endpointAddress4 endpointAddress6;
"${globals.services.roundcube.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; protocol = "https"; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; protocol = "https"; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** Attic (nix binary cache)
:PROPERTIES:
:CUSTOM_ID: h:092593d2-0ca0-4f86-9951-6127a3594e25
:END:
This is my nix binary cache (similar to cachix).
Generate the attic server token using =openssl genrsa -traditional 4096 | base64 -w0=
# Copy and paste from the atticd output
$ attic login local http://localhost:8080 eyJ...
✍️ Configuring server "local"
$ attic cache create hello
✨ Created cache "hello" on "local"
#+begin_src nix-ts :tangle modules/nixos/server/attic.nix
{ lib, config, pkgs, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "attic"; port = 8091; }) serviceName serviceDir servicePort serviceAddress serviceDomain proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
inherit (config.swarselsystems) mainUser isPublic sopsFile;
serviceDB = "atticd";
in
{
options = {
swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
topology.self.services.${serviceName} = {
name = lib.swarselsystems.toCapitalized serviceName;
info = "https://${serviceDomain}";
# attic does not have a logo
};
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
sops = lib.mkIf (!isPublic) {
secrets = {
attic-server-token = { inherit sopsFile; };
attic-garage-access-key = { inherit sopsFile; };
attic-garage-secret-key = { inherit sopsFile; };
};
templates = {
"attic.env" = {
content = ''
ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${config.sops.placeholder.attic-server-token}
AWS_ACCESS_KEY_ID=${config.sops.placeholder.attic-garage-access-key}
AWS_SECRET_ACCESS_KEY=${config.sops.placeholder.attic-garage-secret-key}
'';
};
};
};
# networking.firewall.allowedTCPPorts = [ servicePort ];
services.atticd = {
enable = true;
# NOTE: remove once https://github.com/zhaofengli/attic/pull/268 is merged
package = pkgs.attic-server.overrideAttrs
(oldAttrs: {
patches = (oldAttrs.patches or [ ]) ++ [
(pkgs.writeText "remove-s3-checksums.patch" ''
diff --git a/server/src/storage/s3.rs b/server/src/storage/s3.rs
index 1d5719f3..036f3263 100644
--- a/server/src/storage/s3.rs
+++ b/server/src/storage/s3.rs
@@ -278,10 +278,6 @@ impl StorageBackend for S3Backend {
CompletedPart::builder()
.set_e_tag(part.e_tag().map(str::to_string))
.set_part_number(Some(part_number as i32))
- .set_checksum_crc32(part.checksum_crc32().map(str::to_string))
- .set_checksum_crc32_c(part.checksum_crc32_c().map(str::to_string))
- .set_checksum_sha1(part.checksum_sha1().map(str::to_string))
- .set_checksum_sha256(part.checksum_sha256().map(str::to_string))
.build()
})
.collect::>();
'')
];
});
environmentFile = config.sops.templates."attic.env".path;
settings = {
listen = "[::]:${builtins.toString servicePort}";
api-endpoint = "https://${serviceDomain}/";
allowed-hosts = [
serviceDomain
];
require-proof-of-possession = false;
compression = {
type = "zstd";
level = 3;
};
database.url = "postgresql:///atticd?host=/run/postgresql";
storage =
if config.swarselmodules.server.garage then {
type = "s3";
region = mainUser;
bucket = serviceName;
# attic must be patched to never serve pre-signed s3 urls directly
# otherwise it will redirect clients to this localhost endpoint
endpoint = "http://127.0.0.1:3900"; # garage port
} else {
type = "local";
path = serviceDir;
};
garbage-collection = {
interval = "1 day";
default-retention-period = "3 months";
};
chunking = {
nar-size-threshold = if config.swarselmodules.server.garage then 0 else 64 * 1024; # garage using s3
min-size = 16 * 1024;
avg-size = 64 * 1024;
max-size = 256 * 1024;
};
};
};
services.postgresql = {
enable = true;
enableTCPIP = true;
ensureDatabases = [ serviceDB ];
ensureUsers = [
{
name = serviceDB;
ensureDBOwnership = true;
}
];
};
systemd.services.atticd = lib.mkIf config.swarselmodules.server.garage {
requires = [ "garage.service" ];
after = [ "garage.service" ];
};
nodes =
let
extraConfigLoc = ''
client_body_timeout 600s;
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
proxy_request_buffering off;
'';
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** Hydra
:PROPERTIES:
:CUSTOM_ID: h:59f9ba07-8f63-4317-8def-83855a2a2ac1
:END:
My buildserver config.
Need to create user manually:
# su - hydra
$ hydra-create-user alice --full-name 'Alice Q. User' \
--email-address 'alice@example.org' --password-prompt --role admin
#+begin_src nix-ts :tangle modules/nixos/server/hydra.nix
{ inputs, lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "hydra"; port = 8002; }) serviceName servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
inherit (config.swarselsystems) sopsFile;
in
{
options = {
swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
sops = {
secrets = {
nixbuild-net-key = { mode = "0600"; };
hydra-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
};
templates = {
"hydra-env" = {
content = ''
HYDRA_PW="${config.sops.placeholder.hydra-pw}"
'';
owner = serviceUser;
group = serviceGroup;
mode = "0440";
};
};
};
services.hydra = {
enable = true;
package = inputs.hydra.packages.${config.node.arch}.hydra;
port = servicePort;
hydraURL = "https://${serviceDomain}";
listenHost = "*";
notificationSender = "hydra@${globals.domains.main}";
minimumDiskFreeEvaluator = 20; # 20G
minimumDiskFree = 20; # 20G
useSubstitutes = true;
smtpHost = globals.services.mailserver.domain;
buildMachinesFiles = [
"/etc/nix/machines"
];
extraConfig = ''
using_frontend_proxy 1
'';
};
systemd.services.hydra-user-setup = {
description = "Create admin user for Hydra";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = "hydra";
EnvironmentFile = [
config.sops.templates.hydra-env.path
];
};
wantedBy = [ "multi-user.target" ];
requires = [ "hydra-init.service" ];
after = [ "hydra-init.service" ];
environment = lib.mkForce config.systemd.services.hydra-init.environment;
script = ''
set -eu
if [ ! -e ~hydra/.user-setup-done ]; then
/run/current-system/sw/bin/hydra-create-user admin --full-name 'admin' --email-address 'admin@${globals.domains.main}' --password "$HYDRA_PW" --role admin
touch ~hydra/.user-setup-done
fi
'';
};
environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
];
nix = {
settings.builders-use-substitutes = true;
distributedBuilds = true;
buildMachines = [
{
hostName = "localhost";
protocol = null;
system = config.node.arch;
supportedFeatures = [ "kvm" "nixos-test" "big-parallel" "benchmark" ];
maxJobs = 4;
}
];
};
# networking.firewall.allowedTCPPorts = [ servicePort ];
programs.ssh = {
extraConfig = ''
StrictHostKeyChecking no
'';
};
nodes =
let
extraConfigLoc = ''
proxy_set_header X-Request-Base /hydra;
'';
in
{
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
**** Kea DHCP
:PROPERTIES:
:CUSTOM_ID: h:82f3b6af-89a4-4eef-9f24-8d64855c862d
:END:
This is the dhcp config that runs on my router.
#+begin_src nix-ts :tangle modules/nixos/server/kea.nix
{ self, lib, config, globals, confLib, ... }:
let
inherit (confLib.gen { name = "kea"; dir = "/var/lib/private/kea"; }) serviceName serviceDir;
inherit (confLib.static) homeDnsServer;
dhcpX = intX:
let
x = builtins.toString intX;
in
{
enable = true;
settings = {
reservations-out-of-pool = true;
lease-database = {
name = "/var/lib/kea/dhcp${x}.leases";
persist = true;
type = "memfile";
};
valid-lifetime = 86400;
renew-timer = 3600;
interfaces-config = {
interfaces = map (name: "me-${name}") (builtins.attrNames globals.networks.home-lan.vlans);
service-sockets-max-retries = -1;
};
"subnet${x}" = lib.flip lib.mapAttrsToList globals.networks.home-lan.vlans (
vlanName: vlanCfg: {
inherit (vlanCfg) id;
interface = "me-${vlanName}";
subnet = vlanCfg."cidrv${x}";
rapid-commit = lib.mkIf (intX == 6) true;
pools = [
{
pool = "${lib.net.cidr.host 100 vlanCfg."cidrv${x}"} - ${lib.net.cidr.host (-6) vlanCfg."cidrv${x}"}";
}
];
pd-pools = lib.mkIf (intX == 6) [
{
prefix = builtins.replaceStrings [ "::" ] [ ":0:0:100::" ] (lib.head (lib.splitString "/" vlanCfg.cidrv6));
prefix-len = 56;
delegated-len = 64;
}
];
option-data =
lib.optional (intX == 4)
{
name = "routers";
data = vlanCfg.hosts.hintbooth."ipv${x}";
}
# Advertise DNS server for VLANS that have internet access
++
lib.optional
(lib.elem vlanName globals.general.internetVLANs)
{
name = if (intX == 4) then "domain-name-servers" else "dns-servers";
data = globals.networks.home-lan.vlans.services.hosts.${homeDnsServer}."ipv${x}";
};
reservations = lib.concatLists (
lib.forEach (builtins.attrValues vlanCfg.hosts) (
hostCfg:
lib.optional (hostCfg.mac != null) {
hw-address = lib.mkIf (intX == 4) hostCfg.mac;
duid = lib.mkIf (intX == 6) "00:03:00:01:${hostCfg.mac}"; # 00:03 = duid type 3; 00:01 = ethernet
ip-address = lib.mkIf (intX == 4) hostCfg."ipv${x}";
ip-addresses = lib.mkIf (intX == 6) [ hostCfg."ipv${x}" ];
prefixes = lib.mkIf (intX == 6) [
"${builtins.replaceStrings ["::"] [":0:0:${builtins.toString (256 + hostCfg.id)}::"] (lib.head (lib.splitString "/" vlanCfg.cidrv6))}/64"
];
}
)
);
}
);
};
};
in
{
options = {
swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
{ directory = serviceDir; mode = "0700"; }
];
users.persistentIds.kea = confLib.mkIds 968;
topology = {
extractors.kea.enable = false;
self.services.${serviceName} = {
name = lib.swarselsystems.toCapitalized serviceName;
icon = "${self}/files/topology-images/${serviceName}.png";
};
};
services.kea = {
dhcp4 = dhcpX 4;
dhcp6 = dhcpX 6;
};
};
}
#+end_src
**** nftables (firewall)
:PROPERTIES:
:CUSTOM_ID: h:13ea6bdd-2f35-4ab8-8f6d-ae77b567ebc5
:END:
This is the main declarative nftables configuration that I run on all servers. It basically just makes sure that the rules remain in place even when nfables stops and that the =networking.allowed*Port[...]= options work on the untrusted zone.
#+begin_src nix-ts :tangle modules/nixos/server/nftables.nix
{ lib, config, confLib, ... }:
let
inherit (confLib.gen { name = "nftables"; }) serviceName;
in
{
options = {
swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
};
config = lib.mkIf config.swarselmodules.${serviceName} {
networking.nftables = {
stopRuleset = lib.mkDefault ''
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state invalid drop
ct state {established, related} accept
iifname lo accept
meta l4proto ipv6-icmp accept
meta l4proto icmp accept
ip protocol igmp accept
tcp dport ${toString (lib.head config.services.openssh.ports)} accept
}
chain forward {
type filter hook forward priority filter; policy drop;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
'';
firewall = {
enable = true;
localZoneName = "local";
snippets = {
nnf-common.enable = false;
nnf-conntrack.enable = true;
nnf-drop.enable = true;
nnf-loopback.enable = true;
nnf-ssh.enable = true;
nnf-dhcpv6.enable = true;
};
rules.untrusted-to-local = {
from = [ "untrusted" ];
to = [ "local" ];
inherit (config.networking.firewall)
allowedTCPPorts
allowedTCPPortRanges
allowedUDPPorts
allowedUDPPortRanges
;
};
rules.icmp-and-igmp = {
after = [
"ct"
"ssh"
];
from = "all";
to = [ "local" ];
extraLines = [
"meta l4proto ipv6-icmp accept"
"meta l4proto icmp accept"
"ip protocol igmp accept"
];
};
};
};
};
}
#+end_src
**** Firezone
:PROPERTIES:
:CUSTOM_ID: h:f5daab4a-4699-47d0-a114-84fe596bc651
:END:
Firezone provides VPN access to my services at home - this works separately from the [[#h:8cf0018d-00ba-4616-87d9-f91c614face9][Wireguard]] mesh that I run between my server nodes.
This has some state:
- OIDC setup:
- =Settings > Identity Providers > Kanidm > Edit=:
- Note the UUIDs in the URLs under "Ensure the OAuth application has the following redirect URLs whitelisted:":
- the first one is =accountId=, the second is the =externalId=, update them in the Kanidm config
- Relay setup:
- =Relays > Relays > Deploy=:
- note FIREZONE_TOKEN and add it as the firezone-relay-token secret
- Gateway setup:
- =Sites > Home > Deploy Gateway=:
- note FIREZONE_TOKEN and add it as the firezone-gateway-token secret
- After initial deployment, setup the user account under =Actors > Add Actor=:
- use OIDC login
#+begin_src nix-ts :tangle modules/nixos/server/firezone.nix
{ self, lib, pkgs, config, globals, confLib, dns, nodes, ... }:
let
inherit (confLib.gen { name = "firezone"; dir = "/var/lib/private/firezone"; }) serviceName serviceDir serviceAddress serviceDomain proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied homeProxy webProxy homeWebProxy homeProxyIf webProxyIf idmServer dnsServer homeServiceAddress nginxAccessRules;
inherit (config.swarselsystems) sopsFile;
apiPort = 8081;
webPort = 8080;
relayPort = 3478;
domainPort = 9003;
homeServices = lib.attrNames (lib.filterAttrs (_: serviceCfg: serviceCfg.isHome) globals.services);
homeDomains = map (name: globals.services.${name}.domain) homeServices;
allow = group: resource: {
"${group}@${resource}" = {
inherit group resource;
description = "Allow ${group} access to ${resource}";
};
};
in
{
options = {
swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy} = {
allowedTCPPorts = [ apiPort webPort domainPort ];
allowedUDPPorts = [ relayPort ];
allowedUDPPortRanges = [
{
from = config.services.firezone.relay.lowestPort;
to = config.services.firezone.relay.highestPort;
}
];
};
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy} = {
allowedTCPPorts = [ apiPort webPort domainPort ];
allowedUDPPorts = [ relayPort ];
allowedUDPPortRanges = [
{
from = config.services.firezone.relay.lowestPort;
to = config.services.firezone.relay.highestPort;
}
];
};
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
topology.self.services.${serviceName} = {
name = lib.swarselsystems.toCapitalized serviceName;
info = "https://${serviceDomain}";
icon = "${self}/files/topology-images/${serviceName}.png";
};
sops = {
secrets = {
kanidm-firezone-client = { inherit sopsFile; mode = "0400"; };
firezone-relay-token = { inherit sopsFile; mode = "0400"; };
firezone-smtp-password = { inherit sopsFile; mode = "0440"; };
firezone-adapter-config = { inherit sopsFile; mode = "0440"; };
};
};
environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
{ directory = serviceDir; mode = "0700"; }
];
services.firezone = {
server = {
enable = true;
enableLocalDB = true;
smtp = {
inherit (config.repo.secrets.local.firezone.mail) from username;
host = globals.services.mailserver.domain;
port = 465;
implicitTls = true;
passwordFile = config.sops.secrets.firezone-smtp-password.path;
};
provision = {
enable = true;
accounts.main = {
name = "Home";
relayGroups.relays.name = "Relays";
gatewayGroups.home.name = "Home";
actors.admin = {
type = "account_admin_user";
name = "Admin";
email = "admin@${globals.domains.main}";
};
groups.anyone = {
name = "anyone";
members = [
"admin"
];
};
auth.oidc =
let
client_id = "firezone";
in
{
name = "Kanidm";
adapter = "openid_connect";
adapter_config = {
scope = "openid email profile";
response_type = "code";
inherit client_id;
discovery_document_uri = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
clientSecretFile = config.sops.secrets.kanidm-firezone-client.path;
};
};
resources =
lib.genAttrs homeDomains
(domain: {
type = "dns";
name = domain;
address = domain;
gatewayGroups = [ "home" ];
filters = [
{ protocol = "icmp"; }
{
protocol = "tcp";
ports = [
443
80
];
}
{
protocol = "udp";
ports = [ 443 ];
}
];
})
// {
"home.vlan-services.v4" = {
type = "cidr";
name = "home.vlan-services.v4";
address = globals.networks.home-lan.vlans.services.cidrv4;
gatewayGroups = [ "home" ];
};
"home.vlan-services.v6" = {
type = "cidr";
name = "home.vlan-services.v6";
address = globals.networks.home-lan.vlans.services.cidrv6;
gatewayGroups = [ "home" ];
};
};
policies =
{ }
// allow "everyone" "home.vlan-services.v4"
// allow "anyone" "home.vlan-services.v4"
// allow "everyone" "home.vlan-services.v6"
// allow "anyone" "home.vlan-services.v6"
// lib.mergeAttrsList (map (domain: allow "everyone" domain) homeDomains)
// lib.mergeAttrsList (map (domain: allow "anyone" domain) homeDomains);
};
};
domain = {
settings.ERLANG_DISTRIBUTION_PORT = domainPort;
package = pkgs.firezone-server-domain;
};
api = {
externalUrl = "https://${serviceDomain}/api/";
address = "0.0.0.0";
port = apiPort;
package = pkgs.firezone-server-api;
};
web = {
externalUrl = "https://${serviceDomain}/";
address = "0.0.0.0";
port = webPort;
package = pkgs.firezone-server-web;
};
};
relay = {
enable = true;
port = relayPort;
inherit (config.node) name;
apiUrl = "wss://${serviceDomain}/api/";
tokenFile = config.sops.secrets.firezone-relay-token.path;
publicIpv4 = proxyAddress4;
publicIpv6 = proxyAddress6;
openFirewall = lib.mkIf (!isProxied) true;
package = pkgs.firezone-relay;
};
};
# systemd.services.firezone-initialize =
# let
# generateSecrets =
# let
# requiredSecrets = lib.filterAttrs (_: v: v == null) cfg.settingsSecret;
# in
# ''
# mkdir -p secrets
# chmod 700 secrets
# ''
# + lib.concatLines (
# lib.forEach (builtins.attrNames requiredSecrets) (secret: ''
# if [[ ! -e secrets/${secret} ]]; then
# echo "Generating ${secret}"
# # Some secrets like TOKENS_KEY_BASE require a value >=64 bytes.
# head -c 64 /dev/urandom | base64 -w 0 > secrets/${secret}
# chmod 600 secrets/${secret}
# fi
# '')
# );
# loadSecretEnvironment =
# component:
# let
# relevantSecrets = lib.subtractLists (builtins.attrNames cfg.${component}.settings) (
# builtins.attrNames cfg.settingsSecret
# );
# in
# lib.concatLines (
# lib.forEach relevantSecrets (
# secret:
# ''export ${secret}=$(< ${
# if cfg.settingsSecret.${secret} == null then
# "secrets/${secret}"
# else
# "\"$CREDENTIALS_DIRECTORY/${secret}\""
# })''
# )
# );
# in
# {
# script = lib.mkForce ''
# mkdir -p "$TZDATA_DIR"
# # Generate and load secrets
# ${generateSecrets}
# ${loadSecretEnvironment "domain"}
# echo "Running migrations"
# ${lib.getExe cfg.domain.package} eval "Domain.Release.migrate(manual: true)"
# '';
# };
nodes =
let
genNginx = toAddress: extraConfig: {
upstreams = {
${serviceName} = {
servers."${toAddress}:${builtins.toString webPort}" = { };
};
"${serviceName}-api" = {
servers."${toAddress}:${builtins.toString apiPort}" = { };
};
};
virtualHosts = {
${serviceDomain} = {
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
inherit extraConfig;
locations = {
"/" = {
# The trailing slash is important to strip the location prefix from the request
proxyPass = "http://${serviceName}/";
proxyWebsockets = true;
};
"/api/" = {
# The trailing slash is important to strip the location prefix from the request
proxyPass = "http://${serviceName}-api/";
proxyWebsockets = true;
};
};
};
};
};
in
{
${homeProxy} =
let
nodeCfg = nodes.${homeProxy}.config;
nodePkgs = nodes.${homeProxy}.pkgs;
in
{
sops.secrets.firezone-gateway-token = { inherit (nodeCfg.swarselsystems) sopsFile; mode = "0400"; };
networking.nftables = {
firewall = {
zones.firezone.interfaces = [ "tun-firezone" ];
rules = {
# masquerade firezone traffic
masquerade-firezone = {
from = [ "firezone" ];
to = [ "vlan-services" ];
# masquerade = true; NOTE: custom rule below for ip4 + ip6
late = true; # Only accept after any rejects have been processed
verdict = "accept";
};
# forward firezone traffic
forward-incoming-firezone-traffic = {
from = [ "firezone" ];
to = [ "vlan-services" ];
verdict = "accept";
};
# FIXME: is this needed? conntrack should take care of it and we want to masquerade anyway
forward-outgoing-firezone-traffic = {
from = [ "vlan-services" ];
to = [ "firezone" ];
verdict = "accept";
};
};
};
chains.postrouting = {
masquerade-firezone = {
after = [ "hook" ];
late = true;
rules =
lib.forEach
[
"firezone"
]
(
zone:
lib.concatStringsSep " " [
"meta protocol { ip, ip6 }"
(lib.head nodeCfg.networking.nftables.firewall.zones.${zone}.ingressExpression)
(lib.head nodeCfg.networking.nftables.firewall.zones.vlan-services.egressExpression)
"masquerade random"
]
);
};
};
};
environment.persistence."/persist".directories = lib.mkIf nodeCfg.swarselsystems.isImpermanence [
{ directory = "${serviceDir}-gateway"; mode = "0700"; }
];
boot.kernel.sysctl = {
"net.core.wmem_max" = 16777216;
"net.core.rmem_max" = 134217728;
};
services.firezone.gateway = {
enable = true;
# logLevel = "trace";
inherit (nodeCfg.node) name;
apiUrl = "wss://${globals.services.firezone.domain}/api/";
tokenFile = nodeCfg.sops.secrets.firezone-gateway-token.path;
package = nodePkgs.stable25_05.firezone-gateway; # newer versions of firezone-gateway are not compatible with server package
};
topology.self.services."${serviceName}-gateway" = {
name = lib.swarselsystems.toCapitalized "${serviceName} Gateway";
icon = "${self}/files/topology-images/${serviceName}.png";
};
};
${idmServer} =
let
nodeCfg = nodes.${idmServer}.config;
accountId = "3e996ad9-c100-40e8-807a-282a5c5e8b6c";
externalId = "31e7f702-28a7-4bbc-9690-b6db9d4a162a";
in
{
sops.secrets.kanidm-firezone = { inherit (nodeCfg.swarselsystems) sopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
services.kanidm.provision = {
groups."firezone.access" = { };
systems.oauth2.firezone = {
displayName = "Firezone VPN";
# NOTE: state: both uuids are runtime values
originUrl = [
"https://${globals.services.firezone.domain}/${accountId}/sign_in/providers/${externalId}/handle_callback"
"https://${globals.services.firezone.domain}/${accountId}/settings/identity_providers/openid_connect/${externalId}/handle_callback"
];
originLanding = "https://${globals.services.firezone.domain}/";
basicSecretFile = nodeCfg.sops.secrets.kanidm-firezone.path;
preferShortUsername = true;
scopeMaps."firezone.access" = [
"openid"
"email"
"profile"
];
};
};
};
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = genNginx serviceAddress "";
${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
};
};
}
#+end_src
**** Adguardhome
:PROPERTIES:
:CUSTOM_ID: h:ecb66cb8-12b5-44e8-ad6b-7848711e1ffe
:END:
Handles my home DNS server. It also provides some nice blocklists, but the main usecase is the rewrite of service records to the homeProxy IP, which circumvents bottlenecks by connecting out to the external proxy.
#+begin_src nix-ts :tangle modules/nixos/server/adguardhome.nix
{ lib, config, globals, dns, confLib, ... }:
let
inherit (confLib.gen { name = "adguardhome"; port = 3000; }) serviceName servicePort serviceAddress serviceDomain proxyAddress4 proxyAddress6;
inherit (confLib.static) isHome isProxied homeProxyIf webProxy webProxyIf homeWebProxy dnsServer homeDnsServer homeServiceAddress nginxAccessRules;
homeServices = lib.attrNames (lib.filterAttrs (_: serviceCfg: serviceCfg.isHome) globals.services);
homeDomains = map (name: globals.services.${name}.domain) homeServices;
in
{
options = {
swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
};
config = lib.mkIf config.swarselmodules.server.${serviceName} {
globals = {
networks = {
${webProxyIf}.hosts = lib.mkIf isProxied {
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
};
${homeProxyIf}.hosts = lib.mkIf isHome {
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
};
};
services.${serviceName} = {
domain = serviceDomain;
inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
homeServiceAddress = lib.mkIf isHome homeServiceAddress;
};
};
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
services.adguardhome = {
enable = true;
mutableSettings = false;
host = "0.0.0.0";
port = servicePort;
settings = {
dns = {
bind_hosts = [
globals.networks.home-lan.vlans.services.hosts.${homeDnsServer}.ipv4
globals.networks.home-lan.vlans.services.hosts.${homeDnsServer}.ipv6
];
ratelimit = 300;
upstream_dns = [
"https://dns.cloudflare.com/dns-query"
"https://dns.google/dns-query"
"https://doh.mullvad.net/dns-query"
];
bootstrap_dns = [
"1.1.1.1"
"2606:4700:4700::1111"
"8.8.8.8"
"2001:4860:4860::8844"
];
dhcp.enabled = false;
};
filtering.rewrites = (map
(domain: {
inherit domain;
# FIXME: change to homeWebProxy once that is setup
answer = globals.networks.home-lan.vlans.services.hosts.${homeWebProxy}.ipv4;
# answer = globals.hosts.${webProxy}.wanAddress4;
enabled = true;
})
homeDomains) ++ [
{
domain = "smb.${globals.domains.main}";
answer = globals.networks.home-lan.vlans.services.hosts.summers-storage.ipv4;
enabled = true;
}
];
filters = [
{
name = "AdGuard DNS filter";
url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
enabled = true;
}
{
name = "AdAway Default Blocklist";
url = "https://adaway.org/hosts.txt";
enabled = true;
}
{
name = "OISD (Big)";
url = "https://big.oisd.nl";
enabled = true;
}
];
user_rules = config.repo.secrets.local.adguardUserRules;
};
};
environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
{
directory = "/var/lib/private/AdGuardHome";
mode = "0700";
}
];
nodes = {
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
};
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; proxyWebsockets = true; oauth2 = true; oauth2Groups = [ "adguardhome_access" ]; };
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; proxyWebsockets = true; oauth2 = true; oauth2Groups = [ "adguardhome_access" ]; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
};
};
}
#+end_src
*** Darwin
:PROPERTIES:
:CUSTOM_ID: h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47
:END:
This section is to be used for darwin modules, in case I can ever be bothered to actually write them.
**** Imports
:PROPERTIES:
:CUSTOM_ID: h:25a95a30-8e4f-4fe3-9b8e-508a82e0a1b4
:END:
This section sets up all the imports that are used in the home-manager section.
#+begin_src nix-ts :tangle modules/nixos/darwin/default.nix
{ self, lib, config, outputs, globals, withHomeManager, ... }:
let
macUser = globals.user.work;
in
{
imports = [
];
options.swarselmodules.optional.darwin = lib.mkEnableOption "optional darwin settings";
config = lib.mkIf config.swarselmodules.optional.darwin
{
nix.settings.experimental-features = "nix-command flakes";
nixpkgs = {
hostPlatform = "x86_64-darwin";
overlays = [
outputs.overlays.default
outputs.overlays.stables
outputs.overlays.modifications
];
config = {
allowUnfree = true;
};
};
system.stateVersion = 4;
} // lib.optionalAttrs withHomeManager {
home-manager.users."${macUser}".imports = [
"${self}/modules/home/darwin"
];
};
}
#+end_src
*** TODO Optional
:PROPERTIES:
:CUSTOM_ID: h:f9aa9af0-9b8d-43ff-901d-9ffccdd70589
:END:
These sets of configuration do not need to be deployed on every host, for a multitude of reasons.
- The gaming set is not needed on weak machines, and also not on my work machine.
- The VirtualBox package takes forever to build, and I do not need virtual machines on every host.
- There are some hosts that I do not want to autologin to.
- =nswitch-rcm= is a tool I wrote for easy payload flashing of a Nintendo Switch in RCM mode. However, that is not needed on every machine.
- The work profile is only used on my work laptop.
TODO: evaluate whether I should keep using this structure.
#+begin_src nix-ts :tangle modules/nixos/optional/default.nix
# @ future me: dont panic, this file is not read in by readNix
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/nixos/optional";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/nixos/optional";
}
#+end_src
**** Niri
:PROPERTIES:
:CUSTOM_ID: h:58162d08-3ded-441d-861e-2ebf30e32538
:END:
Auto login for the initial session.
#+begin_src nix-ts :tangle modules/nixos/optional/niri.nix
{ self, inputs, config, pkgs, ... }:
{
imports = [
inputs.niri-flake.nixosModules.niri
];
config = {
niri-flake.cache.enable = true;
home-manager.users.${config.swarselsystems.mainUser}.imports = [
"${self}/modules/home/optional/niri.nix"
];
environment.systemPackages = with pkgs; [
wl-clipboard
wayland-utils
libsecret
cage
gamescope
xwayland-satellite-unstable
];
services.niritiling.enable = true;
programs = {
niri = {
enable = true;
package = pkgs.niri-stable; # the actual niri that will be installed and used
};
};
};
}
#+end_src
**** Noctalia
:PROPERTIES:
:CUSTOM_ID: h:96e05275-38df-401b-8809-d45d8f59e43c
:END:
#+begin_src nix-ts :tangle modules/nixos/optional/noctalia.nix
{ self, inputs, config, ... }:
{
disabledModules = [ "programs/gpu-screen-recorder.nix" ];
imports = [
"${inputs.nixpkgs-dev}/nixos/modules/programs/gpu-screen-recorder.nix"
];
config = {
home-manager.users.${config.swarselsystems.mainUser}.imports = [
"${self}/modules/home/optional/noctalia.nix"
];
services = {
upower.enable = true; # needed for battery percentage
gnome.evolution-data-server.enable = true; # needed for calendar integration
noctoggle = {
enable = true;
# noctaliaPackage = pkgs.noctalia-shell;
};
};
programs = {
gpu-screen-recorder.enable = true;
evolution.enable = true;
};
};
}
#+end_src
**** gaming
:PROPERTIES:
:CUSTOM_ID: h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431
:END:
This opens a few gaming ports and installs the steam configuration suite for gaming. There are more options in [[#h:84fd7029-ecb6-4131-9333-289982f24ffa][Gaming]] (home-manager side).
#+begin_src nix-ts :tangle modules/nixos/optional/gaming.nix
{ self, lib, pkgs, config, withHomeManager, ... }:
{
config = {
programs.steam = {
enable = true;
package = pkgs.steam;
extraCompatPackages = [
pkgs.proton-ge-bin
];
};
# specialisation = {
# gaming.configuration = {
# networking = {
# firewall.enable = lib.mkForce false;
# firewall = {
# allowedUDPPorts = [ 4380 27036 14242 34197 ]; # 34197: factorio; 4380 27036 14242: barotrauma;
# allowedTCPPorts = [ ]; # 34197: factorio; 4380 27036 14242: barotrauma; 51820: wireguard
# allowedTCPPortRanges = [
# { from = 27015; to = 27030; } # barotrauma
# { from = 27036; to = 27037; } # barotrauma
# ];
# allowedUDPPortRanges = [
# { from = 27000; to = 27031; } # barotrauma
# { from = 58962; to = 58964; } # barotrauma
# ];
# };
# };
# hardware.xone.enable = true;
# environment.systemPackages = [
# pkgs.linuxKernel.packages.linux_6_12.xone
# ];
# };
# };
} // lib.optionalAttrs withHomeManager {
home-manager.users."${config.swarselsystems.mainUser}" = {
imports = [
"${self}/modules/home/optional/gaming.nix"
];
};
};
}
#+end_src
**** VirtualBox
:PROPERTIES:
:CUSTOM_ID: h:b3523246-14e9-4284-ba22-cebc5ca36732
:END:
This sets the VirtualBox configuration. Guest should not be enabled if not direly needed, it will make rebuilds unbearably slow. I only use this privately to run an old editor that does not run well under wine, so I put it into it's own specialisation.
#+begin_src nix-ts :tangle modules/nixos/optional/virtualbox.nix
{ lib, config, pkgs, ... }:
{
config = {
# specialisation = {
# VBox.configuration = {
virtualisation.virtualbox = {
host = {
enable = true;
enableKvm = true;
addNetworkInterface = lib.mkIf config.virtualisation.virtualbox.host.enableKvm false;
package = pkgs.virtualbox;
enableExtensionPack = true;
};
# leaving this here for future notice. setting guest.enable = true will make 'restarting sysinit-reactivation.target' take till timeout on nixos-rebuild switch
guest = {
enable = false;
};
};
# run an older kernel to provide compatibility with windows vm
# boot = {
# kernelPackages = lib.mkForce pkgs.stable24_05.linuxPackages;
# # kernelParams = [
# # "amd_iommu=on"
# # ];
# };
# fixes the issue of running together with QEMU
# NOTE: once you start a QEMU VM (use kvm) VirtualBox will fail to start VMs
# boot.kernelParams = [ "kvm.enable_virt_at_load=0" ];
# };
# };
};
}
#+end_src
**** VmWare
:PROPERTIES:
:CUSTOM_ID: h:34db28fb-62f7-4597-a9ff-0de2991a8415
:END:
This sets the VirtualBox configuration. Guest should not be enabled if not direly needed, it will make rebuilds unbearably slow.
#+begin_src nix-ts :tangle modules/nixos/optional/vmware.nix
_:
{
config = {
virtualisation.vmware.host.enable = true;
virtualisation.vmware.guest.enable = true;
};
}
#+end_src
**** nswitch-rcm
:PROPERTIES:
:CUSTOM_ID: h:5c41c4ee-22ca-405b-9e4f-cc4051634edd
:END:
This smashes Atmosphère 1.3.2 on the switch, which is what I am currenty using.
#+begin_src nix-ts :tangle modules/nixos/optional/nswitch-rcm.nix
{ pkgs, ... }:
{
config = {
services.nswitch-rcm = {
enable = true;
package = pkgs.fetchurl {
url = "https://github.com/Atmosphere-NX/Atmosphere/releases/download/1.3.2/fusee.bin";
hash = "sha256-5AXzNsny45SPLIrvWJA9/JlOCal5l6Y++Cm+RtlJppI=";
};
};
};
}
#+end_src
**** Framework
:PROPERTIES:
:CUSTOM_ID: h:bb542fa6-b087-4c1c-838e-d9ec14e4eb85
:END:
This holds configuration that is specific to framework laptops.
#+begin_src nix-ts :tangle modules/nixos/optional/framework.nix
{ self, lib, config, withHomeManager, ... }:
{
config = {
services = {
fwupd = {
enable = true;
# framework also uses lvfs-testing, but I do not want to use it
extraRemotes = [ "lvfs" ];
};
udev.extraRules = ''
# disable Wakeup on Framework Laptop 16 Keyboard (ANSI)
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0012", ATTR{power/wakeup}="disabled"
# disable Wakeup on Framework Laptop 16 Numpad Module
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0014", ATTR{power/wakeup}="disabled"
# disable Wakeup on Framework Laptop 16 Trackpad
ACTION=="add", SUBSYSTEM=="i2c", DRIVERS=="i2c_hid_acpi", ATTRS{name}=="PIXA3854:00", ATTR{power/wakeup}="disabled"
'';
};
hardware.fw-fanctrl = {
enable = true;
config = {
defaultStrategy = "lazy";
};
};
} // lib.optionalAttrs withHomeManager {
home-manager.users."${config.swarselsystems.mainUser}" = {
imports = [
"${self}/modules/home/optional/framework.nix"
];
};
};
}
#+end_src
**** AMD CPU
:PROPERTIES:
:CUSTOM_ID: h:b64b8988-94fa-440f-8cf1-ee5568bfd75e
:END:
#+begin_src nix-ts :tangle modules/nixos/optional/amdcpu.nix
_:
{
config = {
hardware = {
cpu.amd.updateMicrocode = true;
};
};
}
#+end_src
**** AMD GPU
:PROPERTIES:
:CUSTOM_ID: h:0dc68d4f-72b3-465a-8d73-4453d06e7853
:END:
#+begin_src nix-ts :tangle modules/nixos/optional/amdgpu.nix
_:
{
config = {
hardware = {
amdgpu = {
opencl.enable = true;
initrd.enable = true;
# amdvlk = {
# enable = true;
# support32Bit.enable = true;
# };
};
};
};
}
#+end_src
**** Hibernation
:PROPERTIES:
:CUSTOM_ID: h:15b581ab-09fe-4f84-af26-2f1fbf7d726b
:END:
#+begin_src nix-ts :tangle modules/nixos/optional/hibernation.nix
{ lib, config, ... }:
{
options.swarselsystems = {
hibernation = {
offset = lib.mkOption {
type = lib.types.int;
default = 0;
};
resumeDevice = lib.mkOption {
type = lib.types.str;
default = "/dev/disk/by-label/nixos";
};
};
};
config = {
boot = {
kernelParams = [
"resume_offset=${builtins.toString config.swarselsystems.hibernation.offset}"
# "mem_sleep_default=deep"
];
inherit (config.swarselsystems.hibernation) resumeDevice;
};
systemd.services."systemd-suspend-then-hibernate".aliases = [ "systemd-suspend.service" ];
powerManagement.enable = true;
systemd.sleep.settings.Sleep = {
HibernateDelaySec = "120m";
SuspendState = "freeze";
};
};
}
#+end_src
**** work
:PROPERTIES:
:CUSTOM_ID: h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf
:END:
Options that I need specifically at work. There are more options at [[#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6][Work]] (home-manager side).
When setting up a new machine:
#+begin_src markdown :noweb-ref worksetup :exports both :results html
- setup the work VPN:
- using the laptop certificate `.pem` as User cert and private key (CA cert: none)
- vpn gateway is found in `nixosConfig.repo.secrets.local.work.vpnGateway`
#+end_src
#+begin_src nix-ts :tangle modules/nixos/optional/work.nix
{ self, lib, pkgs, config, withHomeManager, ... }:
let
inherit (config.swarselsystems) mainUser homeDir;
iwd = config.networking.networkmanager.wifi.backend == "iwd";
owner = mainUser;
sopsFile = self + /secrets/work/secrets.yaml;
in
{
options.swarselsystems = {
hostName = lib.mkOption {
type = lib.types.str;
default = config.node.name;
};
fqdn = lib.mkOption {
type = lib.types.str;
default = "";
};
};
config = {
sops =
let
secretNames = [
"vcuser"
"vcpw"
"govcuser"
"govcpw"
"govcurl"
"govcdc"
"govcds"
"govchost"
"govcnetwork"
"govcpool"
"baseuser"
"basepw"
];
in
{
secrets = builtins.listToAttrs (
map
(name: {
inherit name;
value = { inherit owner sopsFile; };
})
secretNames
);
templates = {
"network-manager-work.env".content = ''
BASEUSER=${config.sops.placeholder.baseuser}
BASEPASS=${config.sops.placeholder.basepw}
'';
};
};
boot.initrd = {
systemd.enable = lib.mkForce true; # make sure we are using initrd systemd even when not using Impermanence
luks = {
# disable "support" since we use systemd-cryptenroll
# make sure yubikeys are enrolled using
# sudo systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=no --fido2-with-user-presence=true --fido2-with-client-pin=no /dev/nvme0n1p2
yubikeySupport = false;
fido2Support = false;
};
};
programs = {
browserpass.enable = true;
_1password.enable = true;
_1password-gui = {
enable = true;
package = pkgs._1password-gui-beta;
polkitPolicyOwners = [ "${mainUser}" ];
};
};
networking = {
inherit (config.swarselsystems) hostName fqdn;
networkmanager = {
wifi.scanRandMacAddress = false;
ensureProfiles = {
environmentFiles = [
"${config.sops.templates."network-manager-work.env".path}"
];
profiles = {
VBC = {
"802-1x" = {
eap = if (!iwd) then "ttls;" else "peap;";
identity = "$BASEUSER";
password = "$BASEPASS";
phase2-auth = "mschapv2";
};
connection = {
id = "VBC";
type = "wifi";
autoconnect-priority = "500";
uuid = "3988f10e-6451-381f-9330-a12e66f45051";
secondaries = "48d09de4-0521-47d7-9bd5-43f97e23ff82"; # vpn uuid
};
ipv4 = { method = "auto"; };
ipv6 = {
# addr-gen-mode = "default";
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
wifi = {
cloned-mac-address = "permanent";
mac-address = "E8:65:38:52:63:FF";
mac-address-randomization = "1";
mode = "infrastructure";
band = "a";
ssid = "VBC";
};
wifi-security = {
# auth-alg = "open";
key-mgmt = "wpa-eap";
};
};
};
};
};
nftables = {
firewall = {
zones = {
virbr = {
interfaces = [ "virbr*" ];
};
};
rules = {
virbr-dns-dhcp = {
from = [ "virbr" ];
to = [ "local" ];
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 67 547 ];
};
virbr-forward = {
from = [ "virbr" ];
to = [ "untrusted" ];
verdict = "accept";
};
virbr-forward-return = {
from = [ "untrusted" ];
to = [ "virbr" ];
extraLines = [
"ct state { established, related } accept"
];
};
};
};
chains.postrouting.libvirt-masq = {
after = [ "dnat" ];
rules = [
"iifname \"virbr*\" masquerade"
];
};
};
search = [
"vbc.ac.at"
"clip.vbc.ac.at"
"imp.univie.ac.at"
];
};
systemd.services = {
virtqemud.path = with pkgs; [
qemu_kvm
libvirt
];
virtstoraged.path = with pkgs; [
qemu_kvm
libvirt
];
virtnetworkd.path = with pkgs; [
dnsmasq
iproute2
nftables
];
};
virtualisation = {
docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true;
spiceUSBRedirection.enable = true;
libvirtd = {
enable = true;
qemu = {
package = pkgs.qemu_kvm;
runAsRoot = true;
swtpm.enable = true;
vhostUserPackages = with pkgs; [ virtiofsd ];
};
};
};
environment.systemPackages = with pkgs; [
remmina
python39
qemu
packer
gnumake
libisoburn
govc
terraform
opentofu
terragrunt
graphviz
azure-cli
# vm
virt-manager
virt-viewer
virtiofsd
spice
spice-gtk
spice-protocol
virtio-win
win-spice
powershell
gh
];
services = {
spice-vdagentd.enable = true;
openssh = {
enable = true;
extraConfig = ''
'';
};
syncthing = {
settings = {
"winters" = {
id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
};
"moonside@oracle" = {
id = "VPCDZB6-MGVGQZD-Q6DIZW3-IZJRJTO-TCC3QUQ-2BNTL7P-AKE7FBO-N55UNQE";
};
folders = {
"Documents" = {
path = "${homeDir}/Documents";
devices = [ "moonside@oracle" ];
id = "hgr3d-pfu3w";
};
};
};
};
# udev.extraRules = ''
# # lock screen when yubikey removed
# ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend"
# '';
};
# cgroups v1 is required for centos7 dockers
# specialisation = {
# cgroup_v1.configuration = {
# boot.kernelParams = [
# "SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1"
# "systemd.unified_cgroup_hierarchy=0"
# ];
# };
# };
} // lib.optionalAttrs withHomeManager {
home-manager.users."${config.swarselsystems.mainUser}" = {
imports = [
"${self}/modules/home/optional/work.nix"
];
};
};
}
#+end_src
**** Uni
:PROPERTIES:
:CUSTOM_ID: h:a94e9a54-5393-4586-a1c2-34a90030b588
:END:
#+begin_src nix-ts :tangle modules/nixos/optional/uni.nix :noweb yes
{ self, config, withHomeManager, ... }:
{
config = { } // lib.optionalAttrs withHomeManager {
home-manager.users."${config.swarselsystems.mainUser}" = {
imports = [
"${self}/modules/home/optional/work.nix"
];
};
};
}
#+end_src
**** microvm-host
:PROPERTIES:
:CUSTOM_ID: h:ded3276e-3e97-4863-a29e-b978d8aae1c9
:END:
Some standard options that should be set for every microvm host.
#+begin_src nix-ts :tangle modules/nixos/optional/microvm-host.nix
{ config, lib, confLib, ... }:
{
config = lib.mkIf (config.guests != { }) {
systemd.tmpfiles.settings."15-microvms" = builtins.listToAttrs (
map
(path: {
name = "${lib.optionalString config.swarselsystems.isImpermanence "/persist"}/microvms/${path}";
value = {
d = {
group = "kvm";
user = "microvm";
mode = "0750";
};
};
})
(builtins.attrNames config.guests)
);
users.persistentIds.microvm = confLib.mkIds 999;
};
}
#+end_src
**** microvm-guest
:PROPERTIES:
:CUSTOM_ID: h:46419b40-c40b-4b55-ac6f-a30169322bd6
:END:
Some standard options that should be set for every microvm guest. We set the default
#+begin_src nix-ts :tangle modules/nixos/optional/microvm-guest.nix
{ self, config, inputs, ... }:
{
imports = [
inputs.disko.nixosModules.disko
inputs.home-manager.nixosModules.home-manager
inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
inputs.microvm.nixosModules.microvm
inputs.nix-index-database.nixosModules.nix-index
inputs.nix-minecraft.nixosModules.minecraft-servers
inputs.nix-topology.nixosModules.default
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
inputs.simple-nixos-mailserver.nixosModules.default
inputs.sops.nixosModules.sops
inputs.stylix.nixosModules.stylix
inputs.swarsel-nix.nixosModules.default
inputs.nixos-nftables-firewall.nixosModules.default
inputs.pia.nixosModules.default
(inputs.nixos-extra-modules + "/modules/interface-naming.nix")
"${self}/modules/shared/meta.nix"
];
config = {
_module.args.dns = inputs.dns;
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
# NOTE: this is needed, we dont import sevrer network module for microvms
globals.hosts.${config.node.name}.isHome = true;
systemd.network.networks."10-vlan-services" = {
dhcpV6Config = {
WithoutRA = "solicit";
# duid-en is nice in principle, but I already have MAC info anyways for reservations
DUIDType = "link-layer";
};
# networkConfig = {
# IPv6PrivacyExtensions = "no";
# IPv6AcceptRA = false;
# };
ipv6AcceptRAConfig = {
DHCPv6Client = "always";
};
};
# microvm = {
# mount the writeable overlay so that we can use nix shells inside the microvm
# volumes = [
# {
# image = "/tmp/nix-store-overlay-${config.networking.hostName}.img";
# autoCreate = true;
# mountPoint = config.microvm.writableStoreOverlay;
# size = 1024;
# }
# ];
# };
};
}
#+end_src
**** microvm-guest-shares
:PROPERTIES:
:CUSTOM_ID: h:1ba0d688-e20c-418f-bb73-6c73662e20e9
:END:
Some standard options that should be set for every microvm guest. We set the default
#+begin_src nix-ts :tangle modules/nixos/optional/microvm-guest-shares.nix
{ lib, config, microVMParent, nodes, ... }:
{
config = {
microvm = {
shares = [
{
tag = "persist";
source = "${lib.optionalString nodes.${microVMParent}.config.swarselsystems.isImpermanence "/persist"}/microvms/${config.networking.hostName}";
mountPoint = "/persist";
proto = "virtiofs";
}
];
};
};
}
#+end_src
**** systemd-networkd (base)
:PROPERTIES:
:CUSTOM_ID: h:99bf6c0e-2566-4a50-b219-fb6a7d4fb2cd
:END:
This set of options enables the network of the system to be managed by =systemd-networkd=:
- =networking.useNetworkd= has the effect that options from =networking.*= are not performed using network scripts but rather using =systemd-networkd=.
- =systemd.network.enable= enables the actual management of networks using the =systemd-networkd= interface.
#+begin_src nix-ts :tangle modules/nixos/optional/systemd-networkd-base.nix
{ lib, config, ... }:
{
networking = {
useDHCP = lib.mkForce false;
useNetworkd = true;
dhcpcd.enable = lib.mkIf (!config.swarselsystems.isMicroVM) false;
renameInterfacesByMac = lib.mkIf (!config.swarselsystems.isMicroVM) (lib.mapAttrs (_: v: if (v ? mac) then v.mac else "") (
config.repo.secrets.local.networking.networks or { }
));
};
systemd.network.enable = true;
}
#+end_src
**** systemd-networkd (server base)
:PROPERTIES:
:CUSTOM_ID: h:12370671-7892-4a74-a804-84f871acde06
:END:
Some standard options that should be set vor every microvm guest. We set the default
#+begin_src nix-ts :tangle modules/nixos/optional/systemd-networkd-server.nix
{ self, lib, config, globals, ... }:
let
inherit (config.swarselsystems) isCrypted localVLANs;
inherit (globals.general) routerServer;
isRouter = config.node.name == routerServer;
ifName = config.swarselsystems.server.localNetwork;
in
{
imports = [
"${self}/modules/nixos/optional/systemd-networkd-base.nix"
];
boot.initrd.systemd.network = lib.mkIf (isCrypted && ((localVLANs == [ ]) || isRouter)) {
enable = true;
networks."10-${ifName}" = config.systemd.network.networks."10-${ifName}";
};
systemd = {
network = {
wait-online.enable = false;
networks =
let
netConfig = config.repo.secrets.local.networking;
in
{
"10-${ifName}" = lib.mkIf (isRouter || (localVLANs == [ ])) {
# address = lib.optionals (isRouter || (localVLANs == [ ])) [
address = [
"${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv4}"
"${globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.cidrv6}"
];
routes = [
{
Gateway = netConfig.defaultGateway6;
GatewayOnLink = true;
}
{
Gateway = netConfig.defaultGateway4;
GatewayOnLink = true;
}
];
networkConfig = {
IPv6PrivacyExtensions = true;
IPv6AcceptRA = false;
};
matchConfig.MACAddress = netConfig.networks.${config.swarselsystems.server.localNetwork}.mac;
linkConfig.RequiredForOnline = "routable";
};
};
};
};
}
#+end_src
**** TODO systemd-networkd (server home)
:PROPERTIES:
:CUSTOM_ID: h:049fc27e-a28f-4ff0-b5f0-d81401bdd56f
:END:
This sets up the networking framework that is needed for a server that manages its VLAN interfaces using =systemd-networkd=. A host that is not both in the home network and using VLANs should rather be using [[#h:12370671-7892-4a74-a804-84f871acde06][systemd-networkd (server base)]] only.
We will differentiate between a host that uses microvms versus a host that is not using them.
For a host with microvms the general idea is as follows:
- For each local VLAN we create a VLAN here - we also create a macvlan interface for the hosts which is bound to the respective VLAN interface; also binding to that VLAN interface are the macvtap devices that are being created by the microvm module.
- normally, a guest using macvtap is not reachable by the host unless using a switch that supports hairpin-mode. However, consumers of the same VLAN can still communicate, which is realized using the macvlan =me-*= interface.
- even then, the kernel will only route requests when the underlying interface is up. In the case that no physical ports are used, this means that the bridge interface would effectively not work (even when administratively set to UP using =activationPolicy=) - the aforementioned =veth= takes care of that problem.
- this is really only a consideration for the [[#h:b54f2bbb-0088-46b2-957d-fd8234b772c3][Router]] (because if the interface to the router is missing on the hosts, there will be no connectivity anyways) and is hence implemented there
The principle is the same for a host without microvms, but we do not need the local =me-*= interfaces and can ignore =macvtap= config.
A VLAN can also be used as the initrd network - this is however disabled for the router host. For that host, we need to connect from the =FritzBox!= side in case we need to reboot it (TODO: fix interface naming lan/wan which blocks this)
#+begin_src nix-ts :tangle modules/nixos/optional/systemd-networkd-server-home.nix
{ self, lib, config, globals, ... }:
let
inherit (globals.general) routerServer;
inherit (config.swarselsystems) withMicroVMs isCrypted initrdVLAN;
isRouter = config.node.name == routerServer;
localVLANsList = config.swarselsystems.localVLANs;
localVLANs = lib.genAttrs localVLANsList (x: globals.networks.home-lan.vlans.${x});
in
{
imports = [
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
];
config = {
assertions = [
{
assertion = ((localVLANsList != [ ]) && (initrdVLAN != null)) || (localVLANsList == [ ]) || (!isCrypted);
message = "This host uses VLANs and disk encryption, thus a VLAN must be specified for initrd or disk encryption must be removed.";
}
];
boot.initrd = lib.mkIf (isCrypted && (localVLANsList != [ ]) && (!isRouter)) {
availableKernelModules = [ "8021q" ];
kernelModules = [ "8021q" ]; # at least summers needs this to actually find the interfaces
systemd.network = {
enable = true;
netdevs."30-vlan-${initrdVLAN}" = {
netdevConfig = {
Kind = "vlan";
Name = "vlan-${initrdVLAN}";
};
vlanConfig.Id = globals.networks.home-lan.vlans.${initrdVLAN}.id;
};
networks = {
"10-lan" = {
matchConfig.Name = "lan";
# This interface should only be used from attached vlans.
# So don't acquire a link local address and only wait for
# this interface to gain a carrier.
networkConfig.LinkLocalAddressing = "no";
linkConfig.RequiredForOnline = "carrier";
vlan = [ "vlan-${initrdVLAN}" ];
};
"30-vlan-${initrdVLAN}" = {
address = [
globals.networks.home-lan.vlans.${initrdVLAN}.hosts.${config.node.name}.cidrv4
globals.networks.home-lan.vlans.${initrdVLAN}.hosts.${config.node.name}.cidrv6
];
matchConfig.Name = "vlan-${initrdVLAN}";
networkConfig = {
IPv6PrivacyExtensions = "yes";
};
linkConfig.RequiredForOnline = "routable";
};
};
};
};
topology.self.interfaces = (lib.mapAttrs'
(vlanName: _:
lib.nameValuePair "vlan-${vlanName}" {
network = lib.mkForce vlanName;
}
)
localVLANs) // (lib.mapAttrs'
(vlanName: _:
lib.nameValuePair "me-${vlanName}" {
network = lib.mkForce vlanName;
}
)
localVLANs);
systemd.network = {
netdevs = lib.flip lib.concatMapAttrs localVLANs (
vlanName: vlanCfg: {
"30-vlan-${vlanName}" = {
netdevConfig = {
Kind = "vlan";
Name = "vlan-${vlanName}";
};
vlanConfig.Id = vlanCfg.id;
};
# Create a MACVTAP for ourselves too, so that we can communicate with
# our guests on the same interface.
"40-me-${vlanName}" = lib.mkIf withMicroVMs {
netdevConfig = {
Name = "me-${vlanName}";
Kind = "macvlan";
};
extraConfig = ''
[MACVLAN]
Mode=bridge
'';
};
}
);
networks = {
"10-lan" = lib.mkIf (!isRouter) {
matchConfig.Name = "lan";
# This interface should only be used from attached vlans.
# So don't acquire a link local address and only wait for
# this interface to gain a carrier.
networkConfig.LinkLocalAddressing = "no";
linkConfig.RequiredForOnline = "carrier";
vlan = map (name: "vlan-${name}") (builtins.attrNames localVLANs);
};
# Remaining macvtap interfaces should not be touched.
"90-macvtap-ignore" = lib.mkIf withMicroVMs {
matchConfig.Kind = "macvtap";
linkConfig.ActivationPolicy = "manual";
linkConfig.Unmanaged = "yes";
};
}
// lib.flip lib.concatMapAttrs localVLANs (
vlanName: vlanCfg:
let
me = {
address = [
vlanCfg.hosts.${config.node.name}.cidrv4
vlanCfg.hosts.${config.node.name}.cidrv6
];
gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.${routerServer}.ipv4 vlanCfg.hosts.${routerServer}.ipv6 ];
matchConfig.Name = "${if withMicroVMs then "me" else "vlan"}-${vlanName}";
networkConfig.IPv6PrivacyExtensions = "yes";
linkConfig.RequiredForOnline = "routable";
};
in
{
"30-vlan-${vlanName}" = if (!withMicroVMs) then me else {
matchConfig.Name = "vlan-${vlanName}";
# This interface should only be used from attached macvlans.
# So don't acquire a link local address and only wait for
# this interface to gain a carrier.
networkConfig.LinkLocalAddressing = "no";
networkConfig.MACVLAN = "me-${vlanName}";
linkConfig.RequiredForOnline = if isRouter then "no" else "carrier";
};
"40-me-${vlanName}" = lib.mkIf withMicroVMs (lib.mkDefault me);
}
);
};
};
}
#+end_src
**** nix-topology node config
:PROPERTIES:
:CUSTOM_ID: h:cf8bde8c-edc8-4b48-a29e-86f01b4b1b50
:END:
Hold standard options for nix-topology per config
#+begin_src nix-ts :tangle modules/nixos/optional/nix-topology-self.nix
{ lib, config, globals, confLib, ... }:
let
inherit (confLib.static) webProxy;
in
{
topology.self = {
icon = lib.mkIf config.swarselsystems.isCloud "devices.cloud-server";
interfaces = {
wan = lib.mkIf (config.swarselsystems.isCloud && config.swarselsystems.server.localNetwork == "wan") { };
lan = lib.mkIf (config.swarselsystems.isCloud && config.swarselsystems.server.localNetwork == "lan") { };
wgProxy = lib.mkIf (config.swarselsystems.server.wireguard ? wgHome) {
addresses = [ globals.networks."${webProxy}-wg.hosts".${config.node.name}.ipv4 ];
renderer.hidePhysicalConnections = true;
virtual = true;
type = "wireguard";
};
wgHome = lib.mkIf (config.swarselsystems.server.wireguard ? wgHome) {
addresses = [ globals.networks.home-wgHome.hosts.${config.node.name}.ipv4 ];
renderer.hidePhysicalConnections = true;
virtual = true;
type = "wireguard";
};
};
};
}
#+end_src
** Home-manager
:PROPERTIES:
:CUSTOM_ID: h:08ded95b-9c43-475d-a0b2-fc088a512287
:END:
The general structure here is the same as in the [[#h:6da812f5-358c-49cb-aff2-0a94f20d70b3][NixOS]] section.
#+begin_src nix-ts :tangle modules/home/default.nix
# @ future me: dont panic, this file is not read in by readNix
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/home";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/home";
}
#+end_src
*** Steps to setup/upgrade home-manager only
:PROPERTIES:
:CUSTOM_ID: h:360f9da1-334e-4b04-b049-45085db8f10c
:END:
Steps to get a home-manager only setup up and running:
#+begin_src markdown :noweb-ref homemanageronlysetup :exports both :results html
- (Optional) Install openssh-server
- Set hostname to the name specified in the home-manager configuration
- Install nix, either:
- (if upgrading existing nix) Install nix version matching with version that `nix-plugins` is compiled against: `nix-env --install --file '' cacert -I nixpkgs=channel:nixpkgs-unstable --attr nixVersions.nix_x_yy`
- (or installing nix freshly):
- Grab the link to the install script of the needed nix version from https://releases.nixos.org/?prefix=nix, e.g. https://releases.nixos.org/nix/nix-2.30.1/install
- `bash <(curl -L https://releases.nixos.org/nix/nix-x-yy-y/install) --daemon`
- add the following to /etc/nix/nix.conf to become a trusted user: `trusted-users = @wheel root swarsel`
- For the first build:
1) Clone dotfile repo & change into it
2) `nix --extra-experimental-features 'nix-command flakes' develop`
3) `home-manager --extra-experimental-features 'nix-command flakes' switch --flake .#$(hostname) --show-trace`
#+end_src
*** TODO Common
:PROPERTIES:
:CUSTOM_ID: h:f0a6b5e0-2157-4522-b5e1-3f0abd91c05e
:END:
TODO: split this into actual common and client sections
**** Imports
:PROPERTIES:
:CUSTOM_ID: h:16fd2e85-fdd4-440a-81f0-65b9b098a43a
:END:
This section sets up all the imports that are used in the home-manager section.
#+begin_src nix-ts :tangle modules/home/common/default.nix
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/home/common";
sharedNames = lib.swarselsystems.readNix "modules/shared";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/home/common" ++
lib.swarselsystems.mkImports sharedNames "modules/shared";
}
#+end_src
**** Mirror home-manager shared options (automatically active)
:PROPERTIES:
:CUSTOM_ID: h:30b81bf9-1e69-4ce8-88af-5592896bcee4
:END:
#+begin_src nix-ts :tangle modules/home/common/sharedoptions.nix
{ lib, config, nixosConfig ? null, ... }:
let
# mirrorAttrs = lib.mapAttrs (_: v: lib.mkDefault v) nixosConfig.swarselsystems;
mkDefaultCommonAttrs = base: defaults:
lib.mapAttrs (_: v: lib.mkDefault v)
(lib.filterAttrs (k: _: base ? ${k}) defaults);
in
{
# config.swarselsystems = mirrorAttrs;
config.swarselsystems = lib.mkIf (nixosConfig != null) (mkDefaultCommonAttrs config.swarselsystems (nixosConfig.swarselsystems or { }));
}
#+end_src
**** General home-manager-settings (nix)
:PROPERTIES:
:CUSTOM_ID: h:4af4f67f-7c48-4754-b4bd-6800e3a66664
:END:
Again, we adapt =nix= to our needs, enable the home-manager command for non-NixOS machines (NixOS machines are using it as a module) and setting user information that I always keep the same.
#+begin_src nix-ts :tangle modules/home/common/settings.nix
{ self, outputs, lib, pkgs, config, globals, confLib, ... }:
let
inherit (config.swarselsystems) mainUser flakePath isNixos isLinux;
inherit (confLib.getConfig.repo.secrets.common) atticPublicKey;
in
{
options.swarselmodules.general = lib.mkEnableOption "general nix settings";
config =
let
nix-version = "2_30";
in
lib.mkIf config.swarselmodules.general {
nix = lib.mkIf (!config.swarselsystems.isNixos) {
package = lib.mkForce pkgs.nixVersions."nix_${nix-version}";
# extraOptions = ''
# plugin-files = ${pkgs.dev.nix-plugins}/lib/nix/plugins
# extra-builtins-file = ${self + /nix/extra-builtins.nix}
# '';
extraOptions =
let
nix-plugins = pkgs.nix-plugins.override {
nixComponents = pkgs.nixVersions."nixComponents_${nix-version}";
};
in
''
plugin-files = ${nix-plugins}/lib/nix/plugins
extra-builtins-file = ${self + /files/nix/extra-builtins.nix}
'';
settings = {
experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
"cgroups"
"pipe-operators"
];
substituters = [
"https://${globals.services.attic.domain}/${mainUser}"
];
trusted-public-keys = [
atticPublicKey
];
trusted-users = [
"@wheel"
"${mainUser}"
(lib.mkIf ((config.swarselmodules ? server) ? ssh-builder) "builder")
];
connect-timeout = 5;
bash-prompt-prefix = lib.mkIf config.swarselsystems.isClient "�[33m$SHLVL:\\w �[0m";
bash-prompt = lib.mkIf config.swarselsystems.isClient "$(if [[ $? -gt 0 ]]; then printf \"�[31m\"; else printf \"�[32m\"; fi)λ �[0m";
fallback = true;
min-free = 128000000;
max-free = 1000000000;
auto-optimise-store = true;
warn-dirty = false;
max-jobs = 1;
use-cgroups = lib.mkIf isLinux true;
};
};
nixpkgs = lib.mkIf (!isNixos) {
overlays = [
outputs.overlays.default
outputs.overlays.stables
outputs.overlays.modifications
(final: prev:
let
additions = final: _: import "${self}/pkgs/config" {
inherit self config lib;
pkgs = final;
homeConfig = config;
};
in
additions final prev
)
];
config = {
allowUnfree = true;
};
};
programs = {
# home-manager.enable = lib.mkIf (!isNixos) true;
man = {
enable = true;
generateCaches = true;
};
};
targets.genericLinux.enable = lib.mkIf (!isNixos) true;
home = {
username = lib.mkDefault mainUser;
homeDirectory = lib.mkDefault "/home/${mainUser}";
stateVersion = lib.mkDefault "23.05";
keyboard.layout = "us";
sessionVariables = {
FLAKE = "/home/${mainUser}/.dotfiles";
};
extraOutputsToInstall = [
"doc"
"info"
"devdoc"
];
packages = lib.mkIf (!isNixos) [
(pkgs.symlinkJoin {
name = "home-manager";
buildInputs = [ pkgs.makeWrapper ];
paths = [ pkgs.home-manager ];
postBuild = ''
wrapProgram $out/bin/home-manager \
--append-flags '--flake ${flakePath}#$(hostname)'
'';
})
];
};
};
}
#+end_src
**** nixGL
:PROPERTIES:
:CUSTOM_ID: h:90af1862-90b3-4c93-8730-2443bc62986a
:END:
This integrates nixGL into home-manager. NixGL provies OpenGL and Vulkan APIs to nix installed utilities. This is needed for graphical applications on non-NixOS systems.
to get the info for the secondary gpu, use `lspci -nn | grep VGA`
It can be set to either:
- a number, selecting the n-th non-default GPU
- a PCI bus id in the form =pci-XXX_YY_ZZ_U=
- a PCI id in the form =vendor_id:device_id=
#+begin_src nix-ts :tangle modules/home/common/nixgl.nix
{ lib, config, inputs, ... }:
{
options.swarselmodules.nixgl = lib.mkEnableOption "nixgl settings";
options.swarselsystems = {
isSecondaryGpu = lib.mkEnableOption "device has a secondary GPU";
SecondaryGpuCard = lib.mkOption {
type = lib.types.str;
default = "";
};
};
config = lib.mkIf config.swarselmodules.nixgl {
nixGL = lib.mkIf (!config.swarselsystems.isNixos) {
inherit (inputs.nixgl) packages;
defaultWrapper = lib.mkDefault "mesa";
vulkan.enable = lib.mkDefault false;
prime = lib.mkIf config.swarselsystems.isSecondaryGpu {
card = config.swarselsystems.secondaryGpuCard;
installScript = "mesa";
};
offloadWrapper = lib.mkIf config.swarselsystem.isSecondaryGpu "mesaPrime";
installScripts = [
"mesa"
"mesaPrime"
];
};
};
}
#+end_src
**** Installed packages
:PROPERTIES:
:CUSTOM_ID: h:893a7f33-7715-415b-a895-2687ded31c18
:END:
Here are defined some packages that I would like to use across all my machines. Most of these should not require further setup. Notably the cura package is severely outdated on nixpkgs, so I just fetch a more recent AppImage and run that instead.
Also, I define some useful shell scripts here.
Programming languages and default lsp's are defined here: [[#h:0e7e8bea-ec58-499c-9731-09dddfc39532][System Packages]]
***** Packaged
:PROPERTIES:
:CUSTOM_ID: h:6ef9bb5f-c5ee-496e-86e2-d8d271a34d75
:END:
This holds packages that I can use as provided, or with small modifications (as in the =texlive= package that needs special configuration).
#+begin_src nix-ts :tangle modules/home/common/packages.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.packages = lib.mkEnableOption "packages settings";
config = lib.mkIf config.swarselmodules.packages {
home.packages = with pkgs; [
# audio stuff
spek # spectrum analyzer
losslessaudiochecker
ffmpeg_7-full
flac
mediainfo
picard-tools
audacity
sox
calibre
# printing
cups
simple-scan
cura-appimage
# ssh login using idm
opkssh
# cache
attic-client
# dict
(aspellWithDicts (dicts: with dicts; [ de en en-computers en-science ]))
# browser
vieb
mgba
# utilities
util-linux
nmap
lsof
nvd
nix-output-monitor
hyprpicker # color picker
findutils
units
vim
sshfs
fuse
# ventoy
poppler-utils
# nix
alejandra
nixpkgs-fmt
deadnix
statix
nix-tree
nix-diff
nix-visualize
nix-init
nix-inspect
(nixpkgs-review.override { nix = config.nix.package; })
manix
# shellscripts
shfmt
# local file sharing
wormhole-rs
croc
# b2 backup @backblaze
restic
# "big" programs
# obs-studio
gimp
inkscape
zoom-us
# nomacs
libreoffice-qt
xournalpp
# obsidian
# spotify
# vesktop # discord client
# nextcloud-client # enables a systemd service that I do not want
# spotify-player
# element-desktop
nicotine-plus
transmission_3
mktorrent
hugo
# kyria
qmk
qmk-udev-rules
# firefox related
tridactyl-native
# mako related
# mako
libnotify
# general utilities
unrar
# samba
cifs-utils
zbar # qr codes
readline
autotiling
brightnessctl
libappindicator-gtk3
sqlite
speechd
networkmanagerapplet
psmisc # kill etc
lm_sensors
# jq # used for searching the i3 tree in check.sh files
# specifically needed for anki
# mpv
# anki-bin
# dirvish file previews
fd
imagemagick
# poppler
ffmpegthumbnailer
mediainfo
gnutar
unzip
#nautilus
nautilus
tumbler
libgsf
# wayland stuff
wtype
wl-mirror
wl-clipboard
wf-recorder
kanshi
# screenshotting tools
grim
slurp
# the following packages are used (in some way) by waybar
pavucontrol
#keychain
qalculate-gtk
gcr # needed for gnome-secrets to work
seahorse
# sops-related
sops
ssh-to-age
# mail related packages
mu
# latex and related packages
(texlive.combine {
inherit (pkgs.texlive) scheme-full
dvisvgm dvipng# for preview and export as html
wrapfig amsmath ulem hyperref capt-of;
})
# font stuff
cantarell-fonts
nerd-fonts.fira-code
(iosevka-bin.override { variant = "Aile"; })
nerd-fonts.symbols-only
noto-fonts-color-emoji
font-awesome_5
];
};
}
#+end_src
***** Self-defined
:PROPERTIES:
:CUSTOM_ID: h:96cbea91-ff13-4120-b8a9-496b2fa96e70
:END:
This is just a separate container for derivations defined in [[#h:64a5cc16-6b16-4802-b421-c67ccef853e1][Packages]]. This is a good idea so that I do not lose track of package names I have defined myself, as this was once a problem in the past already.
#+begin_src nix-ts :tangle modules/home/common/custom-packages.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.ownpackages = lib.mkEnableOption "own packages settings";
config = lib.mkIf config.swarselmodules.ownpackages {
home.packages = with pkgs; lib.mkIf (!config.swarselsystems.isPublic) [
pass-fuzzel
cdw
cdb
cdr
bak
timer
e
niri-resize
swarselcheck
swarselcheck-niri
waybarupdate
opacitytoggle
fs-diff
github-notifications
hm-specialisation
t2ts
ts2t
vershell
eontimer
project
fhs
swarsel-bootstrap
swarsel-displaypower
swarsel-deploy
swarsel-instantiate
swarselzellij
sshrm
endme
git-replace
prstatus
swarsel-gens
swarsel-switch
swarsel-sops
];
};
}
#+end_src
**** sops
:PROPERTIES:
:CUSTOM_ID: h:d87d80fd-2ac7-4f29-b338-0518d06b4deb
:END:
I use sops-nix to handle secrets that I want to have available on my machines at all times. Procedure to add a new machine:
- `ssh-keygen -t ed25519 -C "NAME sops"` in .ssh directory (or wherever) - name e.g. "sops"
- cat ~/.ssh/sops.pub | ssh-to-age | wl-copy
- add the output to .sops.yaml
- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/public/NAME.pub
- update entry for sops.age.sshKeyPaths
Since we are using the home-manager implementation here, we need to specify the runtime path.
At the same time, I want to avoid running the homeManager module of sops on a NixOS machine. Note that we cannot use =lib.mkIf= in the line =config == ...= as this would evaluate the blocks that are within; however, on a NixOS machine, there will be no =sops= module in the homeManager scope. Hence we use =optionalAttrs=. Also, we cannot make use of =config.swarselsystems.isNixos= because that will lead to an infinite recursion. Hence, we take the =type= arg that we passed during host declaration to make sure sops stays disabled. This is used in all places in the home-manager config that make use of sops-secrets.
#+begin_src nix-ts :tangle modules/home/common/sops.nix
{ self, config, lib, type, ... }:
let
inherit (config.swarselsystems) homeDir;
in
{
options.swarselmodules.sops = lib.mkEnableOption "sops settings";
config = lib.optionalAttrs (type != "nixos") {
sops = lib.mkIf (!config.swarselsystems.isNixos) {
age.sshKeyPaths = [ "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.ssh/sops" ];
# defaultSopsFile = "${if config.swarselsystems.isImpermanence then "/persist" else ""}${homeDir}/.dotfiles/secrets/repo/common.yaml";
defaultSopsFile = self + "/secrets/repo/common.yaml";
validateSopsFiles = false;
};
};
}
#+end_src
**** Yubikey
:PROPERTIES:
:CUSTOM_ID: h:4c850b80-56e0-437b-b564-2dd897027b2f
:END:
#+begin_src nix-ts :tangle modules/home/common/yubikey.nix
{ lib, config, confLib, type, ... }:
let
inherit (config.swarselsystems) homeDir;
in
{
options.swarselmodules.yubikey = lib.mkEnableOption "yubikey settings";
config = lib.mkIf config.swarselmodules.yubikey ({
pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
ids = [
confLib.getConfig.repo.secrets.common.yubikeys.dev1
confLib.getConfig.secrets.common.yubikeys.dev2
];
};
} // lib.optionalAttrs (type != "nixos") {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
};
});
}
#+end_src
**** SSH Machines
:PROPERTIES:
:CUSTOM_ID: h:edd6720e-1f90-40bf-b6f9-30a19d4cae08
:END:
It is very convenient to have SSH aliases in place for machines that I use. This is mainly used for some server machines and some university clusters. We also enable agent forwarding to have our Yubikey SSH key accessible on the remote host.
#+begin_src nix-ts :tangle modules/home/common/ssh.nix
{ lib, config, confLib, type, ... }:
{
options.swarselmodules.ssh = lib.mkEnableOption "ssh settings";
config = lib.mkIf config.swarselmodules.ssh ({
programs.ssh = {
enable = true;
enableDefaultConfig = false;
extraConfig = ''
SetEnv TERM=xterm-256color
ServerAliveInterval 20
'';
matchBlocks = {
"*" = {
forwardAgent = false;
addKeysToAgent = "no";
compression = false;
serverAliveInterval = 0;
serverAliveCountMax = 3;
hashKnownHosts = false;
userKnownHostsFile = "~/.ssh/known_hosts";
controlMaster = "no";
controlPath = "~/.ssh/master-%r@%n:%p";
controlPersist = "no";
};
} // confLib.getConfig.repo.secrets.common.ssh.hosts;
};
} // lib.optionalAttrs (type != "nixos") {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
builder-key = { path = "${config.home.homeDirectory}/.ssh/builder"; mode = "0600"; };
};
});
}
#+end_src
**** Theme (stylix)
:PROPERTIES:
:CUSTOM_ID: h:a92318cd-413e-4e78-a478-e63b09df019c
:END:
These section allows home-manager to allow theme settings, and handles some other appearance-related settings like cursor styles. Interestingly, system icons (adwaita) still need to be setup on system-level, and will break if defined here.
This section has been notably empty ever since switching to stylix. Only Emacs is not allowed to be styled by it, because it becomes more ugly compared to my handcrafted setup.
=theme= is defined in [[#h:2e9b84d7-cb18-4e74-83f8-65ada11a8911][stylix color scheme]].
#+begin_src nix-ts :noweb yes :tangle modules/home/common/stylix.nix
{ self, lib, config, vars, ... }:
{
options.swarselmodules.stylix = lib.mkEnableOption "stylix settings";
config = lib.mkIf config.swarselmodules.stylix {
stylix = lib.mkIf (!config.swarselsystems.isNixos && config.swarselmodules.stylix) (lib.recursiveUpdate
{
enable = true;
base16Scheme = "${self}/files/stylix/swarsel.yaml";
targets = vars.stylixHomeTargets;
}
vars.stylix);
};
}
#+end_src
**** Desktop Entries, MIME types (xdg)
:PROPERTIES:
:CUSTOM_ID: h:867556e6-5a24-4c43-9d47-3edca2f16488
:END:
Some programs lack a dmenu launcher - I define them myself here.
TODO: Non-NixOS machines (=sp3) should not use these by default, but instead the programs prefixed with "nixGL". I need to figure out how to automate this process, as it is not feasible to write desktop entries for all programs installed on that machine.
#+begin_src nix-ts :tangle modules/home/common/desktop.nix
{ lib, config, ... }:
{
options.swarselmodules.desktop = lib.mkEnableOption "desktop settings";
config = lib.mkIf config.swarselmodules.desktop {
xdg.desktopEntries = {
cura = {
name = "Ultimaker Cura";
genericName = "Cura";
exec = "cura";
terminal = false;
categories = [ "Application" ];
};
teamsNoGpu = {
name = "Microsoft Teams (no GPU)";
genericName = "Teams (no GPU)";
exec = "teams-for-linux --disableGpu=true --trayIconEnabled=true";
terminal = false;
categories = [ "Application" ];
};
rustdesk-vbc = {
name = "Rustdesk VBC";
genericName = "rustdesk-vbc";
exec = "rustdesk-vbc";
terminal = false;
categories = [ "Application" ];
};
anki = {
name = "Anki Flashcards";
genericName = "Anki";
exec = "anki";
terminal = false;
categories = [ "Application" ];
};
element = {
name = "Element Matrix Client";
genericName = "Element";
exec = "element-desktop -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds";
terminal = false;
categories = [ "Application" ];
};
emacsclient-newframe = {
name = "Emacs (Client, New Frame)";
genericName = "Emacs (Client, New Frame)";
exec = "emacsclient -r %u";
icon = "emacs";
terminal = false;
categories = [ "Development" "TextEditor" ];
};
};
xdg = {
configFile."mimeapps.list".force = true;
mimeApps = {
enable = true;
defaultApplications = {
"application/epub+zip" = [ "calibre-ebook-viewer.desktop" ];
"application/metalink+xml" = [ "emacsclient.desktop" ];
"application/msword" = [ "writer.desktop" ];
"application/pdf" = [ "org.gnome.Evince.desktop" ];
"application/sql" = [ "emacsclient.desktop" ];
"application/vnd.ms-excel" = [ "calc.desktop" ];
"application/vnd.ms-powerpoint" = [ "impress.desktop" ];
"application/x-extension-htm" = [ "firefox.desktop" ];
"application/x-extension-html" = [ "firefox.desktop" ];
"application/x-extension-shtml" = [ "firefox.desktop" ];
"application/x-extension-xht" = [ "firefox.desktop" ];
"application/x-extension-xhtml" = [ "firefox.desktop" ];
"application/xhtml+xml" = [ "firefox.desktop" ];
"audio/flac" = [ "mpv.desktop" ];
"audio/mp3" = [ "mpv.desktop" ];
"audio/ogg" = [ "mpv.desktop" ];
"audio/wav" = [ "mpv.desktop" ];
"image/gif" = [ "imv.desktop" ];
"image/jpeg" = [ "imv.desktop" ];
"image/png" = [ "imv.desktop" ];
"image/svg" = [ "imv.desktop" ];
"image/vnd.adobe.photoshop" = [ "gimp.desktop" ];
"image/vnd.dxf" = [ "org.inkscape.Inkscape.desktop" ];
"image/webp" = [ "firefox.desktop" ];
"text/csv" = [ "emacsclient.desktop" ];
"text/html" = [ "firefox.desktop" ];
"text/plain" = [ "emacsclient.desktop" ];
"video/3gp" = [ "umpv.desktop" ];
"video/flv" = [ "umpv.desktop" ];
"video/mkv" = [ "umpv.desktop" ];
"video/mp4" = [ "umpv.desktop" ];
"x-scheme-handler/chrome" = [ "firefox.desktop" ];
"x-scheme-handler/http" = [ "firefox.desktop" ];
"x-scheme-handler/https" = [ "firefox.desktop" ];
};
associations = {
added = {
"application/x-zerosize" = [ "emacsclient.desktop" ];
"application/epub+zip" = [ "calibre-ebook-viewer.desktop" ];
};
};
};
};
};
}
#+end_src
**** Linking dotfiles (Symlinks home.file)
:PROPERTIES:
:CUSTOM_ID: h:5ef03803-e150-41bc-b603-e80d60d96efc
:END:
This section should be used in order to symlink already existing configuration files using `home.file` and setting session variables using `home.sessionVariables`.
As for the `home.sessionVariables`, it should be noted that environment variables that are needed at system start should NOT be loaded here, but instead in `programs.zsh.config.extraSessionCommands` (in the home-manager programs section). This is also where all the wayland related variables are stored.
Also, we link some files to the users XDG configuration home:
Also in firefox `about:config > toolkit.legacyUserProfileCustomizations.stylesheets` to true.
#+begin_src nix-ts :tangle modules/home/common/symlink.nix
{ self, lib, config, ... }:
{
options.swarselmodules.symlink = lib.mkEnableOption "symlink settings";
config = lib.mkIf config.swarselmodules.symlink {
home.file = {
"init.el" = lib.mkDefault {
source = self + /files/emacs/init.el;
target = ".emacs.d/init.el";
};
"early-init.el" = {
source = self + /files/emacs/early-init.el;
target = ".emacs.d/early-init.el";
};
# on NixOS, Emacs does not find the aspell dicts easily. Write the configuration manually
".aspell.conf" = {
source = self + /files/config/.aspell.conf;
target = ".aspell.conf";
};
".gitmessage" = {
source = self + /files/git/.gitmessage;
target = ".gitmessage";
};
};
xdg.configFile = {
"tridactyl/tridactylrc".source = self + /files/firefox/tridactyl/tridactylrc;
"tridactyl/themes/base16-codeschool.css".source = self + /files/firefox/tridactyl/themes/base16-codeschool.css;
"tridactyl/themes/swarsel.css".source = self + /files/firefox/tridactyl/themes/swarsel.css;
# "swayidle/config".source = self + /files/swayidle/config;
};
};
}
#+end_src
**** Sourcing environment variables
:PROPERTIES:
:CUSTOM_ID: h:4486b02f-4fb8-432b-bfa2-2e786206341d
:END:
Sets environment variables. Here I am only setting the EDITOR variable, most variables are set in the [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]] section.
#+begin_src nix-ts :tangle modules/home/common/env.nix
{ lib, config, confLib, globals, ... }:
let
inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
inherit (confLib.getConfig.repo.secrets.common.calendar) source1 source1-name source2 source2-name source3 source3-name;
inherit (confLib.getConfig.repo.secrets.common) fullName openrouterApi instaDomain sportDomain;
inherit (config.swarselsystems) isPublic homeDir;
DISPLAY = ":0";
in
{
options.swarselmodules.env = lib.mkEnableOption "env settings";
config = lib.mkIf config.swarselmodules.env {
home.sessionVariables = {
inherit DISPLAY;
EDITOR = "e -w";
} // (lib.optionalAttrs (!isPublic) { });
systemd.user.sessionVariables = {
DOCUMENT_DIR_PRIV = lib.mkForce "${homeDir}/Documents/Private";
FLAKE = "${config.home.homeDirectory}/.dotfiles";
} // lib.optionalAttrs (!isPublic) {
SWARSEL_DOMAIN = globals.domains.main;
SWARSEL_RSS_DOMAIN = globals.services.freshrss.domain;
SWARSEL_MUSIC_DOMAIN = globals.services.navidrome.domain;
SWARSEL_FILES_DOMAIN = globals.services.nextcloud.domain;
SWARSEL_INSTA_DOMAIN = instaDomain;
SWARSEL_SPORT_DOMAIN = sportDomain;
SWARSEL_MAIL1 = address1;
SWARSEL_MAIL2 = address2;
SWARSEL_MAIL3 = address3;
SWARSEL_MAIL4 = address4;
SWARSEL_CAL1 = source1;
SWARSEL_CAL1NAME = source1-name;
SWARSEL_CAL2 = source2;
SWARSEL_CAL2NAME = source2-name;
SWARSEL_CAL3 = source3;
SWARSEL_CAL3NAME = source3-name;
SWARSEL_FULLNAME = fullName;
SWARSEL_MAIL_ALL = lib.mkDefault allMailAddresses;
GITHUB_NOTIFICATION_TOKEN_PATH = confLib.getConfig.sops.secrets.github-notifications-token.path;
OPENROUTER_API_KEY = openrouterApi;
};
};
}
#+end_src
**** General Programs: bottom, imv, less, lesspipe, sioyek, bat, carapace, wlogout, swayr, yt-dlp, mpv, jq, nix-index, ripgrep, pandoc, fzf, zoxide, timidity
:PROPERTIES:
:CUSTOM_ID: h:f0e0b580-2e1c-4ca6-a983-f05d3ebbbcde
:END:
This section is for programs that require no further configuration. zsh Integration is enabled by default for these.
#+begin_src nix-ts :tangle modules/home/common/programs.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.programs = lib.mkEnableOption "programs settings";
config = lib.mkIf config.swarselmodules.programs {
programs = {
bat = {
enable = true;
extraPackages = [
pkgs.bat-extras.batdiff
pkgs.bat-extras.batman
pkgs.bat-extras.batwatch
pkgs.bat-extras.batgrep
];
# extraPackages = with pkgs.bat-extras; [ batdiff batman batgrep batwatch ];
};
bottom.enable = true;
carapace.enable = true;
fzf = {
enable = true;
enableBashIntegration = false;
enableZshIntegration = false;
};
imv.enable = true;
jq.enable = true;
less.enable = true;
lesspipe.enable = true;
mpv.enable = true;
pandoc.enable = true;
rclone.enable = true;
ripgrep.enable = true;
sioyek.enable = true;
swayr.enable = true;
timidity.enable = true;
wlogout = {
enable = true;
layout = [
{
label = "lock";
action = "loginctl lock-session";
text = "Lock";
keybind = "l";
circular = true;
}
{
label = "hibernate";
action = "systemctl hibernate";
text = "Hibernate";
keybind = "h";
circular = true;
}
{
label = "logout";
action = "loginctl terminate-user $USER";
text = "Logout";
keybind = "u";
circular = true;
}
{
label = "shutdown";
action = "systemctl poweroff";
text = "Shutdown";
keybind = "p";
circular = true;
}
{
label = "suspend";
action = "systemctl suspend";
text = "Suspend";
keybind = "s";
circular = true;
}
{
label = "reboot";
action = "systemctl reboot";
text = "Reboot";
keybind = "r";
circular = true;
}
];
};
yt-dlp.enable = true;
zoxide = {
enable = true;
enableZshIntegration = true;
options = [
"--cmd cd"
];
};
};
home.sessionVariables = {
_ZO_EXCLUDE_DIRS = "$HOME:$HOME/.ansible/*:$HOME/test/*:/persist";
};
};
}
#+end_src
**** nix-index
:PROPERTIES:
:CUSTOM_ID: h:64dbbb9e-8097-4c1b-813c-8c10cf9b9748
:END:
nix-index provides a way to find out which packages are provided by which derivations. By default it also comes with a replacement for =command-not-found.sh=, however, the implementation is based on a channel based setup. I like consistency, so I replace the command with one that provides a flakes-based output. This also uses the =nix-index-with-full-db= from the nix-index-database input thanks to its overlay.
#+begin_src nix-ts :tangle modules/home/common/nix-index.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.nix-index = lib.mkEnableOption "nix-index settings";
config = lib.mkIf config.swarselmodules.nix-index {
programs.nix-index =
let
commandNotFound = pkgs.runCommandLocal "command-not-found.sh" { } ''
mkdir -p $out/etc/profile.d
cat > $out/etc/profile.d/command-not-found.sh <<'EOF'
# Adapted from https://github.com/bennofs/nix-index/blob/master/command-not-found.sh
command_not_found_handle() {
if [ -n "''${MC_SID-}" ] || ! [ -t 1 ]; then
>&2 echo "$1: command not found"
return 127
fi
echo -n "searching nix-index..."
ATTRS=$(@nix-locate@ --minimal --no-group --type x --type s --whole-name --at-root "/bin/$1")
case $(echo -n "$ATTRS" | grep -c "^") in
0)
>&2 echo -ne "$(@tput@ el1)\r"
>&2 echo "$1: command not found"
;;
*)
>&2 echo -ne "$(@tput@ el1)\r"
>&2 echo "The program ‘$(@tput@ setaf 4)$1$(@tput@ sgr0)’ is currently not installed."
>&2 echo "It is provided by the following derivation(s):"
while read -r ATTR; do
ATTR=''${ATTR%.out}
>&2 echo " $(@tput@ setaf 12)nixpkgs#$(@tput@ setaf 4)$ATTR$(@tput@ sgr0)"
done <<< "$ATTRS"
;;
esac
return 127
}
command_not_found_handler() {
command_not_found_handle "$@"
return $?
}
EOF
substitute $out/etc/profile.d/command-not-found.sh \
$out/etc/profile.d/command-not-found.sh \
--replace-fail @nix-locate@ ${pkgs.nix-index}/bin/nix-locate \
--replace-fail @tput@ ${pkgs.ncurses}/bin/tput
'';
in
{
enable = true;
package = pkgs.symlinkJoin {
name = "nix-index";
paths = [ commandNotFound ];
};
};
programs.nix-index-database.comma.enable = true;
};
}
#+end_src
**** nix-your-shell
:PROPERTIES:
:CUSTOM_ID: h:3fd72021-e174-49d0-a42e-58f6ed3682f2
:END:
#+begin_src nix-ts :tangle modules/home/common/nix-your-shell.nix
{ lib, config, ... }:
let
moduleName = "nix-your-shell";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
programs.${moduleName} = {
enable = true;
enableZshIntegration = true;
};
};
}
#+end_src
**** password-store
:PROPERTIES:
:CUSTOM_ID: h:ac0e5e62-0dbf-4782-9a96-9e558eae86ae
:END:
Enables password store with the =pass-otp= extension which allows me to store and generate one-time-passwords.
#+begin_src nix-ts :tangle modules/home/common/password-store.nix
{ lib, config, pkgs, ... }:
{
options.swarselmodules.passwordstore = lib.mkEnableOption "passwordstore settings";
config = lib.mkIf config.swarselmodules.passwordstore {
programs.password-store = {
enable = true;
settings = {
PASSWORD_STORE_DIR = "$HOME/.local/share/password-store";
};
package = pkgs.pass.withExtensions (exts: [ exts.pass-otp ]);
};
};
}
#+end_src
**** direnv
:PROPERTIES:
:CUSTOM_ID: h:1ab84307-b3fb-4c32-9def-4b89a53a8547
:END:
Enables direnv, which I use for nearly all of my nix dev flakes.
#+begin_src nix-ts :tangle modules/home/common/direnv.nix
{ lib, config, ... }:
{
options.swarselmodules.direnv = lib.mkEnableOption "direnv settings";
config = lib.mkIf config.swarselmodules.direnv {
programs.direnv = {
enable = true;
silent = true;
nix-direnv.enable = true;
};
};
}
#+end_src
**** eza
:PROPERTIES:
:CUSTOM_ID: h:1bd6b0c7-f201-43e2-9624-6c50de00a1f6
:END:
Eza provides me with a better =ls= command and some other useful aliases.
#+begin_src nix-ts :tangle modules/home/common/eza.nix
{ lib, config, ... }:
{
options.swarselmodules.eza = lib.mkEnableOption "eza settings";
config = lib.mkIf config.swarselmodules.eza {
programs.eza = {
enable = true;
icons = "auto";
git = true;
extraOptions = [
"-l"
"--group-directories-first"
];
};
};
}
#+end_src
**** atuin
:PROPERTIES:
:CUSTOM_ID: h:38f127f3-003b-418b-85ba-a3bcf44bf16c
:END:
#+begin_src nix-ts :tangle modules/home/common/atuin.nix
{ lib, config, globals, ... }:
let
atuinDomain = globals.services.atuin.domain;
in
{
options.swarselmodules.atuin = lib.mkEnableOption "atuin settings";
config = lib.mkIf config.swarselmodules.atuin {
programs.atuin = {
enable = true;
enableZshIntegration = true;
enableBashIntegration = true;
settings = {
auto_sync = true;
sync_frequency = "5m";
sync_address = "https://${atuinDomain}";
};
};
};
}
#+end_src
**** git
:PROPERTIES:
:CUSTOM_ID: h:419675ec-3310-438e-80ae-9eaa798a319d
:END:
Here I set up my git config, automatic signing of commits, useful aliases for my ost used commands (for when I am not using [[#h:d2c7323d-f8c6-4f23-b70a-930e3e4ecce5][Magit]]) as well as a git template defined in [[#h:5ef03803-e150-41bc-b603-e80d60d96efc][Linking dotfiles]].
#+begin_src nix-ts :tangle modules/home/common/git.nix
{ lib, config, globals, minimal, confLib, ... }:
let
inherit (confLib.getConfig.repo.secrets.common.mail) address1;
inherit (confLib.getConfig.repo.secrets.common) fullName;
gitUser = globals.user.name;
in
{
options.swarselmodules.git = lib.mkEnableOption "git settings";
config = lib.mkIf config.swarselmodules.git {
programs.git = {
enable = true;
} // lib.optionalAttrs (!minimal) {
settings = {
alias = {
a = "add";
c = "commit";
cl = "clone";
co = "checkout";
b = "branch";
i = "init";
m = "merge";
s = "status";
r = "restore";
p = "pull";
pp = "push";
};
user = {
email = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) (lib.mkDefault address1);
name = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) fullName;
};
};
signing = {
key = "0x76FD3810215AE097";
signByDefault = true;
};
lfs.enable = true;
includes = [
{
contents = {
github = {
user = gitUser;
};
commit = {
template = "~/.gitmessage";
};
};
}
];
};
programs.difftastic.enable = lib.mkIf (!minimal) true;
};
}
#+end_src
**** Fuzzel
:PROPERTIES:
:CUSTOM_ID: h:069cabf3-df14-49ba-8d17-75f2bcf34fbf
:END:
Here I only need to set basic layout options - the rest is being managed by stylix.
#+begin_src nix-ts :tangle modules/home/common/fuzzel.nix
{ lib, config, ... }:
{
options.swarselmodules.fuzzel = lib.mkEnableOption "fuzzel settings";
config = lib.mkIf config.swarselmodules.fuzzel {
programs.fuzzel = {
enable = true;
settings = {
main = {
layer = "overlay";
lines = "10";
width = "40";
};
border.radius = "0";
};
};
};
}
#+end_src
**** Starship
:PROPERTIES:
:CUSTOM_ID: h:55212502-c8f6-43af-ae99-55c8377ef34e
:END:
Starship makes my =zsh= look cooler! I have symbols for most programming languages and toolchains, also I build my own powerline.
#+begin_src nix-ts :tangle modules/home/common/starship.nix
{ lib, config, ... }:
{
options.swarselmodules.starship = lib.mkEnableOption "starship settings";
config = lib.mkIf config.swarselmodules.starship {
programs.starship = {
enable = true;
enableZshIntegration = true;
settings = {
add_newline = false;
format = "$shlvl$character";
right_format = "$all";
command_timeout = 3000;
directory.substitutions = {
"Documents" = " ";
"Downloads" = " ";
"Music" = " ";
"Pictures" = " ";
};
git_status = {
style = "bg:#394260";
format = "[[($all_status$ahead_behind)](fg:#769ff0 bg:#394260)]($style) ";
};
character = {
success_symbol = "[λ](bold green)";
error_symbol = "[λ](bold red)";
};
shlvl = {
disabled = false;
symbol = "↳";
format = "[$symbol]($style) ";
repeat = true;
repeat_offset = 1;
style = "blue";
};
nix_shell = {
disabled = false;
heuristic = true;
format = "[$symbol$name]($style)";
symbol = " ";
};
aws.symbol = " ";
buf.symbol = " ";
c.symbol = " ";
conda.symbol = " ";
dart.symbol = " ";
directory.read_only = " ";
docker_context.symbol = " ";
elixir.symbol = " ";
elm.symbol = " ";
fossil_branch.symbol = " ";
git_branch.symbol = " ";
golang.symbol = " ";
guix_shell.symbol = " ";
haskell.symbol = " ";
haxe.symbol = " ";
hg_branch.symbol = " ";
hostname.ssh_symbol = " ";
java.symbol = " ";
julia.symbol = " ";
lua.symbol = " ";
memory_usage.symbol = " ";
meson.symbol = " ";
nim.symbol = " ";
nodejs.symbol = " ";
os.symbols = {
Alpaquita = " ";
Alpine = " ";
Amazon = " ";
Android = " ";
Arch = " ";
Artix = " ";
CentOS = " ";
Debian = " ";
DragonFly = " ";
Emscripten = " ";
EndeavourOS = " ";
Fedora = " ";
FreeBSD = " ";
Garuda = " ";
Gentoo = " ";
HardenedBSD = " ";
Illumos = " ";
Linux = " ";
Mabox = " ";
Macos = " ";
Manjaro = " ";
Mariner = " ";
MidnightBSD = " ";
Mint = " ";
NetBSD = " ";
NixOS = " ";
OpenBSD = " ";
openSUSE = " ";
OracleLinux = " ";
Pop = " ";
Raspbian = " ";
Redhat = " ";
RedHatEnterprise = " ";
Redox = " ";
Solus = " ";
SUSE = " ";
Ubuntu = " ";
Unknown = " ";
Windows = " ";
};
package.symbol = " ";
pijul_channel.symbol = " ";
python.symbol = " ";
rlang.symbol = " ";
ruby.symbol = " ";
rust.symbol = " ";
scala.symbol = " ";
};
};
};
}
#+end_src
**** Kitty
:PROPERTIES:
:CUSTOM_ID: h:5f1287db-d2e8-49aa-8c58-730129c7795c
:END:
Kitty is the terminal emulator of choice for me, it is nice to configure using nix, fast, and has a nice style.
The theme is handled by stylix.
#+begin_src nix-ts :tangle modules/home/common/kitty.nix
{ lib, config, ... }:
{
options.swarselmodules.kitty = lib.mkEnableOption "kitty settings";
config = lib.mkIf config.swarselmodules.kitty {
programs.kitty = {
enable = true;
keybindings =
let
bindWithModifier = lib.mapAttrs' (key: lib.nameValuePair ("ctrl+shift" + key));
in
bindWithModifier {
"page_up" = "scroll_page_up";
"up" = "scroll_page_up";
"page_down" = "scroll_page_down";
"down" = "scroll_page_down";
"w" = "no_op";
};
settings = {
cursor_blink_interval = 0;
disable_ligatures = "cursor";
enable_audio_bell = false;
notify_on_cmd_finish = "always 20";
open_url_with = "xdg-open";
scrollback_lines = 100000;
scrollback_pager_history_size = 512;
};
};
};
}
#+end_src
**** zsh
:PROPERTIES:
:CUSTOM_ID: h:91dd4cc4-aada-4e74-be23-0cc69ed85af5
:END:
zsh is the most convenient shell for me and it happens to be super neat to configure within home manager.
Here we set some aliases (some of them should be shellApplications instead) as well as some zsh plugins like =fzf-tab=.
Concerning the shell extensions, =zle = will run an existing widget and =zle -N = will make a function available for use. The =my-= functions all remove =.= =/= and =:= from the =WORDCHARS= so that functions will stop there. The keycodes can be found using =showkeys -a=
Regarding =initContent=:
To specify the order, use lib.mkOrder.
Common order values:
- 500 (mkBefore: Early initialization (replaces initExtraFirst
- 550: Before completion initialization (replaces initExtraBeforeCompInit
- 1000 (default: General configuration (replaces initExtra
- 1500 (mkAfter: Last to run configuration
To specify both content in Early initialization and General configuration, use lib.mkMerge:
#+begin_src nix-ts :tangle no
let
zshConfigEarlyInit = lib.mkOrder 500 "do something";
zshConfig = lib.mkOrder 1000 "do something";
in
lib.mkMerge [ zshConfigEarlyInit zshConfig ];
#+end_src
Currently I only use it as before with =initExtra= though.
#+begin_src nix-ts :tangle modules/home/common/zsh.nix
{ self, config, pkgs, lib, minimal, globals, confLib, type, arch, ... }:
let
inherit (config.swarselsystems) flakePath isNixos homeDir;
crocDomain = globals.services.croc.domain;
in
{
options.swarselmodules.zsh = lib.mkEnableOption "zsh settings";
options.swarselsystems = {
shellAliases = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = { };
};
};
config = lib.mkIf config.swarselmodules.zsh
({
programs.zsh = {
enable = true;
}
// lib.optionalAttrs (!minimal) {
shellAliases = lib.recursiveUpdate
{
nb = "nix build";
nbl = "nix build --builders \"\"";
nbo = "nix build --offline --builders \"\"";
nd = "nix develop";
ns = "nix shell";
hmswitch = lib.mkIf (!isNixos) "${lib.getExe pkgs.home-manager} --flake ${flakePath}#$(hostname) switch |& nom";
nswitch = lib.mkIf isNixos "cd ${flakePath}; swarsel-deploy $(hostname) switch; cd -;";
ntest = lib.mkIf isNixos "cd ${flakePath}; swarsel-deploy $(hostname) test; cd -;";
nboot = lib.mkIf isNixos "cd ${flakePath}; swarsel-deploy $(hostname) boot; cd -;";
ndry = lib.mkIf isNixos "cd ${flakePath}; swarsel-deploy $(hostname) dry-activate; cd -;";
magit = "emacsclient -nc -e \"(magit-status)\"";
config = "git --git-dir=$HOME/.cfg/ --work-tree=$HOME";
g = "git";
c = "git --git-dir=$FLAKE/.git --work-tree=$FLAKE/";
passpush = "cd ~/.local/share/password-store; git add .; git commit -m 'pass file changes'; git push; cd -;";
passpull = "cd ~/.local/share/password-store; git pull; cd -;";
hotspot = "nmcli connection up local; nmcli device wifi hotspot;";
youtube-dl = "yt-dlp";
cat-orig = "cat";
# cdr = "cd \"$( (find $DOCUMENT_DIR_WORK $DOCUMENT_DIR_PRIV -maxdepth 1 && echo $FLAKE) | fzf )\"";
cdr = "source cdr";
nix-ldd-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
nix-ldd = "LD_LIBRARY_PATH=$NIX_LD_LIBRARY_PATH ldd";
nix-ldd-locate = "nix-locate --minimal --top-level -w ";
nix-store-search = "ls /nix/store | grep";
fs-diff = "sudo mount -o subvol=/ /dev/mapper/cryptroot /mnt ; fs-diff";
lt = "eza -las modified --total-size";
boot-diff = "nix store diff-closures /run/*-system";
gen-diff = "nix profile diff-closures --profile /nix/var/nix/profiles/system";
cc = "wl-copy";
build-topology = "nix build --override-input topologyPrivate ${self}/files/topology/private ${flakePath}#topology.${arch}.config.output";
build-topology-dev = "nix build --show-trace --override-input nix-topology ${homeDir}/Documents/Private/nix-topology --override-input topologyPrivate ${self}/files/topology/private ${flakePath}#topology.${arch}.config.output";
build-iso = "nix build --print-out-paths .#live-iso";
nix-review-local = "nix run nixpkgs#nixpkgs-review -- rev HEAD";
nix-review-post = "nix run nixpkgs#nixpkgs-review -- pr --post-result --systems linux";
}
config.swarselsystems.shellAliases;
autosuggestion.enable = true;
enableCompletion = true;
syntaxHighlighting.enable = true;
autocd = false;
cdpath = [
"~/.dotfiles"
# "~/Documents/GitHub"
];
defaultKeymap = "emacs";
dirHashes = {
dl = "$HOME/Downloads";
gh = "$HOME/Documents/GitHub";
};
history = {
expireDuplicatesFirst = true;
append = true;
ignoreSpace = true;
ignoreDups = true;
path = "${config.home.homeDirectory}/.histfile";
save = 100000;
size = 100000;
};
historySubstringSearch = {
enable = true;
searchDownKey = "^[OB";
searchUpKey = "^[OA";
};
plugins = [
# {
# name = "fzf-tab";
# src = pkgs.zsh-fzf-tab;
# }
];
initContent = ''
my-forward-word() {
local WORDCHARS=$WORDCHARS
WORDCHARS="''${WORDCHARS//:}"
WORDCHARS="''${WORDCHARS//\/}"
WORDCHARS="''${WORDCHARS//.}"
zle forward-word
}
zle -N my-forward-word
# ctrl + right
bindkey "^[[1;5C" my-forward-word
# shift + right
bindkey "^[[1;2C" forward-word
my-backward-word() {
local WORDCHARS=$WORDCHARS
WORDCHARS="''${WORDCHARS//:}"
WORDCHARS="''${WORDCHARS//\/}"
WORDCHARS="''${WORDCHARS//.}"
zle backward-word
}
zle -N my-backward-word
# ctrl + left
bindkey "^[[1;5D" my-backward-word
# shift + left
bindkey "^[[1;2D" backward-word
my-backward-delete-word() {
local WORDCHARS=$WORDCHARS
WORDCHARS="''${WORDCHARS//:}"
WORDCHARS="''${WORDCHARS//\/}"
WORDCHARS="''${WORDCHARS//.}"
zle backward-delete-word
}
zle -N my-backward-delete-word
# ctrl + del
bindkey '^H' my-backward-delete-word
'';
sessionVariables = lib.mkIf (!config.swarselsystems.isPublic) {
CROC_RELAY = crocDomain;
CROC_PASS = "$(cat ${confLib.getConfig.sops.secrets.croc-password.path or ""})";
GITHUB_TOKEN = "$(cat ${confLib.getConfig.sops.secrets.github-nixpkgs-review-token.path or ""})";
QT_QPA_PLATFORM_PLUGIN_PATH = "${pkgs.libsForQt5.qt5.qtbase.bin}/lib/qt-${pkgs.libsForQt5.qt5.qtbase.version}/plugins";
# QTWEBENGINE_CHROMIUM_FLAGS = "--no-sandbox";
};
};
} // lib.optionalAttrs (type != "nixos") {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
croc-password = { };
github-nixpkgs-review-token = { };
};
});
}
#+end_src
**** bash
:PROPERTIES:
:CUSTOM_ID: h:ab30e218-665c-46ad-9708-9d92ebc34fed
:END:
#+begin_src nix-ts :tangle modules/home/common/bash.nix
{ config, lib, ... }:
{
options.swarselmodules.bash = lib.mkEnableOption "bash settings";
config = lib.mkIf config.swarselmodules.bash {
programs.bash = {
enable = true;
# needed for remote builders
bashrcExtra = lib.mkIf (!config.swarselsystems.isNixos) ''
export PATH="/nix/var/nix/profiles/default/bin:$PATH"
'';
historyFile = "${config.home.homeDirectory}/.histfile";
historySize = 100000;
historyFileSize = 100000;
historyControl = [
"ignoreboth"
];
};
};
}
#+end_src
**** zellij
:PROPERTIES:
:CUSTOM_ID: h:87a28654-8377-41c9-8e6c-2d488e62575f
:END:
***** Main config
:PROPERTIES:
:CUSTOM_ID: h:00de4901-631c-4b4c-86ce-d9d6e62ed8c7
:END:
#+begin_src nix-ts :tangle modules/home/common/zellij.nix
{ self, lib, config, pkgs, ... }:
{
options.swarselmodules.zellij = lib.mkEnableOption "zellij settings";
config = lib.mkIf config.swarselmodules.zellij {
programs.zellij = {
enable = true;
enableZshIntegration = true;
attachExistingSession = false;
exitShellOnExit = true;
settings = {
pane_frames = false;
simplified_ui = false;
default_shell = "zsh";
copy_on_select = true;
on_force_close = "quit";
show_startup_tips = false;
support_kitty_keyboard_protocol = true;
default_layout = "swarsel";
layout_dir = "${config.home.homeDirectory}/.config/zellij/layouts";
theme_dir = "${config.home.homeDirectory}/.config/zellij/themes";
scrollback_lines_to_serialize = config.programs.kitty.settings.scrollback_lines;
session_serialization = true;
copy_command =
if pkgs.stdenv.hostPlatform.isLinux then
"wl-copy"
else if pkgs.stdenv.hostPlatform.isDarwin then
"pbcopy"
else
"";
ui.pane_frames = {
rounded_corners = true;
hide_session_name = true;
};
plugins = {
tab-bar.path = "tab-bar";
status-bar.path = "status-bar";
strider.path = "strider";
compact-bar.path = "compact-bar";
# configuration.path = "configuration";
# filepicker.path = "strider";
# plugin-manager.path = "plugin-manager";
# session-manager.path = "session-manager";
# welcome-screen.path = "session-manager";
};
};
};
home.packages = with pkgs; [
zjstatus
];
xdg.configFile = {
# "zellij/config.kdl".text = import "${self}/files/zellij/config.kdl.nix" { inherit config; };
"zellij/layouts/swarsel.kdl".text = import "${self}/files/zellij/layouts/swarsel.kdl.nix" { inherit config pkgs; };
};
};
}
#+end_src
***** Keybinds
:PROPERTIES:
:CUSTOM_ID: h:f65f9574-3b50-472d-8e24-2023271d1887
:END:
#+begin_src nix-ts :tangle modules/home/common/zellij-keybinds.nix
{ lib, config, ... }:
{
config = lib.mkIf config.swarselmodules.zellij {
programs.zellij = {
settings.keybinds = {
_props.clear-defaults = true;
locked = {
_children = [
{
bind = {
_args = [ "Ctrl g" ];
_children = [{ SwitchToMode._args = [ "normal" ]; }];
};
}
];
};
pane = {
_children = [
{
bind = {
_args = [ "Ctrl p" ];
_children = [{ SwitchToMode._args = [ "normal" ]; }];
};
}
{
bind = {
_args = [ "left" ];
_children = [{ MoveFocus._args = [ "left" ]; }];
};
}
{
bind = {
_args = [ "down" ];
_children = [{ MoveFocus._args = [ "down" ]; }];
};
}
{
bind = {
_args = [ "up" ];
_children = [{ MoveFocus._args = [ "up" ]; }];
};
}
{
bind = {
_args = [ "right" ];
_children = [{ MoveFocus._args = [ "right" ]; }];
};
}
{
bind = {
_args = [ "h" ];
_children = [{ MoveFocus._args = [ "left" ]; }];
};
}
{
bind = {
_args = [ "j" ];
_children = [{ MoveFocus._args = [ "down" ]; }];
};
}
{
bind = {
_args = [ "k" ];
_children = [{ MoveFocus._args = [ "up" ]; }];
};
}
{
bind = {
_args = [ "l" ];
_children = [{ MoveFocus._args = [ "right" ]; }];
};
}
{
bind = {
_args = [ "d" ];
_children = [
{ NewPane._args = [ "down" ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "e" ];
_children = [
{ TogglePaneEmbedOrFloating = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "f" ];
_children = [
{ ToggleFocusFullscreen = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "n" ];
_children = [
{ NewPane = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "p" ];
_children = [{ SwitchFocus = { }; }];
};
}
{
bind = {
_args = [ "f12" ];
_children = [
{ ToggleFloatingPanes = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
];
};
tab = {
_children = [
{
bind = {
_args = [ "Ctrl t" ];
_children = [{ SwitchToMode._args = [ "normal" ]; }];
};
}
{
bind = {
_args = [ "left" ];
_children = [{ GoToPreviousTab = { }; }];
};
}
{
bind = {
_args = [ "down" ];
_children = [{ GoToNextTab = { }; }];
};
}
{
bind = {
_args = [ "up" ];
_children = [{ GoToPreviousTab = { }; }];
};
}
{
bind = {
_args = [ "right" ];
_children = [{ GoToNextTab = { }; }];
};
}
{
bind = {
_args = [ "1" ];
_children = [
{ GoToTab._args = [ 1 ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "2" ];
_children = [
{ GoToTab._args = [ 2 ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "3" ];
_children = [
{ GoToTab._args = [ 3 ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "4" ];
_children = [
{ GoToTab._args = [ 4 ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "5" ];
_children = [
{ GoToTab._args = [ 5 ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "6" ];
_children = [
{ GoToTab._args = [ 6 ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "7" ];
_children = [
{ GoToTab._args = [ 7 ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "8" ];
_children = [
{ GoToTab._args = [ 8 ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "9" ];
_children = [
{ GoToTab._args = [ 9 ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "h" ];
_children = [{ GoToPreviousTab = { }; }];
};
}
{
bind = {
_args = [ "j" ];
_children = [{ GoToNextTab = { }; }];
};
}
{
bind = {
_args = [ "k" ];
_children = [{ GoToPreviousTab = { }; }];
};
}
{
bind = {
_args = [ "l" ];
_children = [{ GoToNextTab = { }; }];
};
}
{
bind = {
_args = [ "n" ];
_children = [
{ NewTab = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "r" ];
_children = [
{ SwitchToMode._args = [ "renametab" ]; }
{ TabNameInput._args = [ 0 ]; }
];
};
}
{
bind = {
_args = [ "s" ];
_children = [
{ ToggleActiveSyncTab = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "x" ];
_children = [
{ CloseTab = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
];
};
resize = {
_children = [
{
bind = {
_args = [ "Ctrl n" ];
_children = [{ SwitchToMode._args = [ "normal" ]; }];
};
}
{
bind = {
_args = [ "left" ];
_children = [{ Resize._args = [ "Increase left" ]; }];
};
}
{
bind = {
_args = [ "down" ];
_children = [{ Resize._args = [ "Increase down" ]; }];
};
}
{
bind = {
_args = [ "up" ];
_children = [{ Resize._args = [ "Increase up" ]; }];
};
}
{
bind = {
_args = [ "right" ];
_children = [{ Resize._args = [ "Increase right" ]; }];
};
}
{
bind = {
_args = [ "+" ];
_children = [{ Resize._args = [ "Increase" ]; }];
};
}
{
bind = {
_args = [ "-" ];
_children = [{ Resize._args = [ "Decrease" ]; }];
};
}
{
bind = {
_args = [ "=" ];
_children = [{ Resize._args = [ "Increase" ]; }];
};
}
{
bind = {
_args = [ "H" ];
_children = [{ Resize._args = [ "Decrease left" ]; }];
};
}
{
bind = {
_args = [ "J" ];
_children = [{ Resize._args = [ "Decrease down" ]; }];
};
}
{
bind = {
_args = [ "K" ];
_children = [{ Resize._args = [ "Decrease up" ]; }];
};
}
{
bind = {
_args = [ "L" ];
_children = [{ Resize._args = [ "Decrease right" ]; }];
};
}
{
bind = {
_args = [ "h" ];
_children = [{ Resize._args = [ "Increase left" ]; }];
};
}
{
bind = {
_args = [ "j" ];
_children = [{ Resize._args = [ "Increase down" ]; }];
};
}
{
bind = {
_args = [ "k" ];
_children = [{ Resize._args = [ "Increase up" ]; }];
};
}
{
bind = {
_args = [ "l" ];
_children = [{ Resize._args = [ "Increase right" ]; }];
};
}
];
};
move = {
_children = [
{
bind = {
_args = [ "Ctrl h" ];
_children = [{ SwitchToMode._args = [ "normal" ]; }];
};
}
{
bind = {
_args = [ "left" ];
_children = [{ MovePane._args = [ "left" ]; }];
};
}
{
bind = {
_args = [ "down" ];
_children = [{ MovePane._args = [ "down" ]; }];
};
}
{
bind = {
_args = [ "up" ];
_children = [{ MovePane._args = [ "up" ]; }];
};
}
{
bind = {
_args = [ "right" ];
_children = [{ MovePane._args = [ "right" ]; }];
};
}
{
bind = {
_args = [ "h" ];
_children = [{ MovePane._args = [ "left" ]; }];
};
}
{
bind = {
_args = [ "j" ];
_children = [{ MovePane._args = [ "down" ]; }];
};
}
{
bind = {
_args = [ "k" ];
_children = [{ MovePane._args = [ "up" ]; }];
};
}
{
bind = {
_args = [ "l" ];
_children = [{ MovePane._args = [ "right" ]; }];
};
}
];
};
scroll = {
_children = [
{
bind = {
_args = [ "e" ];
_children = [
{ EditScrollback = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "s" ];
_children = [
{ SwitchToMode._args = [ "entersearch" ]; }
{ SearchInput._args = [ 0 ]; }
];
};
}
];
};
search = {
_children = [
{
bind = {
_args = [ "c" ];
_children = [{ SearchToggleOption._args = [ "CaseSensitivity" ]; }];
};
}
{
bind = {
_args = [ "n" ];
_children = [{ Search._args = [ "down" ]; }];
};
}
{
bind = {
_args = [ "o" ];
_children = [{ SearchToggleOption._args = [ "WholeWord" ]; }];
};
}
{
bind = {
_args = [ "p" ];
_children = [{ Search._args = [ "up" ]; }];
};
}
{
bind = {
_args = [ "w" ];
_children = [{ SearchToggleOption._args = [ "Wrap" ]; }];
};
}
];
};
session = {
_children = [
{
bind = {
_args = [ "Ctrl o" ];
_children = [{ SwitchToMode._args = [ "normal" ]; }];
};
}
{
bind = {
_args = [ "c" ];
_children = [
{
LaunchOrFocusPlugin._args = [ "configuration" ];
LaunchOrFocusPlugin._children = [
{ floating._args = [ true ]; }
{ move_to_focused_tab._args = [ true ]; }
];
}
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "p" ];
_children = [
{
LaunchOrFocusPlugin._args = [ "plugin-manager" ];
LaunchOrFocusPlugin._children = [
{ floating._args = [ true ]; }
{ move_to_focused_tab._args = [ true ]; }
];
}
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "w" ];
_children = [
{
LaunchOrFocusPlugin._args = [ "session-manager" ];
LaunchOrFocusPlugin._children = [
{ floating._args = [ true ]; }
{ move_to_focused_tab._args = [ true ]; }
];
}
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
];
};
"shared_except \"locked\"" = {
_children = [
{
bind = {
_args = [ "Alt left" ];
_children = [{ MoveFocusOrTab._args = [ "left" ]; }];
};
}
{
bind = {
_args = [ "Alt down" ];
_children = [{ MoveFocus._args = [ "down" ]; }];
};
}
{
bind = {
_args = [ "Alt up" ];
_children = [{ MoveFocus._args = [ "up" ]; }];
};
}
{
bind = {
_args = [ "Alt right" ];
_children = [{ MoveFocusOrTab._args = [ "right" ]; }];
};
}
{
bind = {
_args = [ "Alt +" ];
_children = [{ Resize._args = [ "Increase" ]; }];
};
}
{
bind = {
_args = [ "Alt -" ];
_children = [{ Resize._args = [ "Decrease" ]; }];
};
}
{
bind = {
_args = [ "Alt =" ];
_children = [{ Resize._args = [ "Increase" ]; }];
};
}
{
bind = {
_args = [ "Alt r" ];
_children = [
{
WriteChars._args = [ "source cdr" ];
}
{
WriteChars._args = [ "\n" ];
}
];
};
}
{
bind = {
_args = [ "Alt f" ];
_children = [{ ToggleFloatingPanes = { }; }];
};
}
{
bind = {
_args = [ "Ctrl g" ];
_children = [{ SwitchToMode._args = [ "locked" ]; }];
};
}
{
bind = {
_args = [ "Alt h" ];
_children = [{ MoveFocusOrTab._args = [ "left" ]; }];
};
}
{
bind = {
_args = [ "Alt i" ];
_children = [{ MoveTab._args = [ "left" ]; }];
};
}
{
bind = {
_args = [ "Alt j" ];
_children = [{ MoveFocus._args = [ "down" ]; }];
};
}
{
bind = {
_args = [ "Alt k" ];
_children = [{ MoveFocus._args = [ "up" ]; }];
};
}
{
bind = {
_args = [ "Alt p" ];
_children = [{ NewPane = { }; }];
};
}
{
bind = {
_args = [ "Alt n" ];
_children = [{ NewTab = { }; }];
};
}
];
};
"shared_except \"locked\" \"move\"" = {
_children = [
{
bind = {
_args = [ "Ctrl h" ];
_children = [{ SwitchToMode._args = [ "move" ]; }];
};
}
];
};
"shared_except \"locked\" \"session\"" = {
_children = [
{
bind = {
_args = [ "Ctrl o" ];
_children = [{ SwitchToMode._args = [ "session" ]; }];
};
}
];
};
"shared_except \"locked\" \"scroll\" \"search\" \"tmux\"" = {
_children = [
{
bind = {
_args = [ "Ctrl b" ];
_children = [{ SwitchToMode._args = [ "tmux" ]; }];
};
}
];
};
"shared_except \"locked\" \"scroll\" \"search\"" = {
_children = [
{
bind = {
_args = [ "Ctrl s" ];
_children = [{ SwitchToMode._args = [ "scroll" ]; }];
};
}
];
};
"shared_except \"locked\" \"tab\"" = {
_children = [
{
bind = {
_args = [ "Ctrl t" ];
_children = [{ SwitchToMode._args = [ "tab" ]; }];
};
}
];
};
"shared_except \"locked\" \"pane\"" = {
_children = [
{
bind = {
_args = [ "Ctrl p" ];
_children = [{ SwitchToMode._args = [ "pane" ]; }];
};
}
];
};
"shared_except \"locked\" \"resize\"" = {
_children = [
{
bind = {
_args = [ "Ctrl n" ];
_children = [{ SwitchToMode._args = [ "resize" ]; }];
};
}
];
};
"shared_except \"normal\" \"locked\" \"entersearch\"" = {
_children = [
{
bind = {
_args = [ "enter" ];
_children = [{ SwitchToMode._args = [ "normal" ]; }];
};
}
];
};
"shared_except \"normal\" \"locked\" \"entersearch\" \"renametab\" \"renamepane\"" = {
_children = [
{
bind = {
_args = [ "esc" ];
_children = [{ SwitchToMode._args = [ "normal" ]; }];
};
}
];
};
"shared_among \"pane\" \"tmux\"" = {
_children = [
{
bind = {
_args = [ "x" ];
_children = [
{ CloseFocus = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
];
};
"shared_among \"scroll\" \"search\"" = {
_children = [
{
bind = {
_args = [ "PageDown" ];
_children = [{ PageScrollDown = { }; }];
};
}
{
bind = {
_args = [ "PageUp" ];
_children = [{ PageScrollUp = { }; }];
};
}
{
bind = {
_args = [ "left" ];
_children = [{ PageScrollUp = { }; }];
};
}
{
bind = {
_args = [ "down" ];
_children = [{ ScrollDown = { }; }];
};
}
{
bind = {
_args = [ "up" ];
_children = [{ ScrollUp = { }; }];
};
}
{
bind = {
_args = [ "right" ];
_children = [{ PageScrollDown = { }; }];
};
}
{
bind = {
_args = [ "Ctrl b" ];
_children = [{ PageScrollUp = { }; }];
};
}
{
bind = {
_args = [ "Ctrl c" ];
_children = [
{ ScrollToBottom = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "d" ];
_children = [{ HalfPageScrollDown = { }; }];
};
}
{
bind = {
_args = [ "Ctrl f" ];
_children = [{ PageScrollDown = { }; }];
};
}
{
bind = {
_args = [ "h" ];
_children = [{ PageScrollUp = { }; }];
};
}
{
bind = {
_args = [ "j" ];
_children = [{ ScrollDown = { }; }];
};
}
{
bind = {
_args = [ "k" ];
_children = [{ ScrollUp = { }; }];
};
}
{
bind = {
_args = [ "l" ];
_children = [{ PageScrollDown = { }; }];
};
}
{
bind = {
_args = [ "Ctrl s" ];
_children = [{ SwitchToMode._args = [ "normal" ]; }];
};
}
{
bind = {
_args = [ "u" ];
_children = [{ HalfPageScrollUp = { }; }];
};
}
];
};
entersearch = {
_children = [
{
bind = {
_args = [ "Ctrl c" ];
_children = [{ SwitchToMode._args = [ "scroll" ]; }];
};
}
{
bind = {
_args = [ "esc" ];
_children = [{ SwitchToMode._args = [ "scroll" ]; }];
};
}
{
bind = {
_args = [ "enter" ];
_children = [{ SwitchToMode._args = [ "search" ]; }];
};
}
];
};
renametab = {
_children = [
{
bind = {
_args = [ "esc" ];
_children = [
{ UndoRenameTab = { }; }
{ SwitchToMode._args = [ "tab" ]; }
];
};
}
];
};
"shared_among \"renametab\" \"renamepane\"" = {
_children = [
{
bind = {
_args = [ "Ctrl c" ];
_children = [{ SwitchToMode._args = [ "normal" ]; }];
};
}
];
};
renamepane = {
_children = [
{
bind = {
_args = [ "esc" ];
_children = [
{ UndoRenamePane = { }; }
{ SwitchToMode._args = [ "pane" ]; }
];
};
}
];
};
"shared_among \"session\" \"tmux\"" = {
_children = [
{
bind = {
_args = [ "d" ];
_children = [{ Detach = { }; }];
};
}
];
};
tmux = {
_children = [
{
bind = {
_args = [ "left" ];
_children = [
{ MoveFocus._args = [ "left" ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "down" ];
_children = [
{ MoveFocus._args = [ "down" ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "up" ];
_children = [
{ MoveFocus._args = [ "up" ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "right" ];
_children = [
{ MoveFocus._args = [ "right" ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "space" ];
_children = [{ NextSwapLayout = { }; }];
};
}
{
bind = {
_args = [ "\"" ];
_children = [
{ NewPane._args = [ "down" ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "%" ];
_children = [
{ NewPane._args = [ "right" ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "," ];
_children = [{ SwitchToMode._args = [ "renametab" ]; }];
};
}
{
bind = {
_args = [ "[" ];
_children = [{ SwitchToMode._args = [ "scroll" ]; }];
};
}
{
bind = {
_args = [ "Ctrl b" ];
_children = [
{ Write._args = [ 2 ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "c" ];
_children = [
{ NewTab = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "h" ];
_children = [
{ MoveFocus._args = [ "left" ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "j" ];
_children = [
{ MoveFocus._args = [ "down" ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "k" ];
_children = [
{ MoveFocus._args = [ "up" ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "l" ];
_children = [
{ MoveFocus._args = [ "right" ]; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "n" ];
_children = [
{ GoToNextTab = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "o" ];
_children = [{ FocusNextPane = { }; }];
};
}
{
bind = {
_args = [ "p" ];
_children = [
{ GoToPreviousTab = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
{
bind = {
_args = [ "z" ];
_children = [
{ ToggleFocusFullscreen = { }; }
{ SwitchToMode._args = [ "normal" ]; }
];
};
}
];
};
};
};
};
}
#+end_src
**** tmux
:PROPERTIES:
:CUSTOM_ID: h:45de9430-f925-4df6-9db6-bffb5b8f1604
:END:
#+begin_src nix-ts :tangle modules/home/common/tmux.nix
{ lib, config, pkgs, ... }:
let
tmux-super-fingers = pkgs.tmuxPlugins.mkTmuxPlugin
{
pluginName = "tmux-super-fingers";
version = "unstable-2023-01-06";
src = pkgs.fetchFromGitHub {
owner = "artemave";
repo = "tmux_super_fingers";
rev = "2c12044984124e74e21a5a87d00f844083e4bdf7";
sha256 = "sha256-cPZCV8xk9QpU49/7H8iGhQYK6JwWjviL29eWabuqruc=";
};
};
in
{
options.swarselmodules.tmux = lib.mkEnableOption "tmux settings";
config = lib.mkIf config.swarselmodules.tmux {
home.packages = with pkgs; [
lsof
sesh
];
programs.tmux = {
enable = true;
shell = "${pkgs.zsh}/bin/zsh";
terminal = "tmux-256color";
historyLimit = 100000;
plugins = with pkgs;
[
tmuxPlugins.tmux-thumbs
{
plugin = tmux-super-fingers;
extraConfig = "set -g @super-fingers-key f";
}
tmuxPlugins.sensible
# must be before continuum edits right status bar
{
plugin = tmuxPlugins.catppuccin;
extraConfig = ''
set -g @catppuccin_flavour 'frappe'
set -g @catppuccin_window_tabs_enabled on
set -g @catppuccin_date_time "%H:%M"
'';
}
{
plugin = tmuxPlugins.resurrect;
extraConfig = ''
set -g @resurrect-strategy-vim 'session'
set -g @resurrect-strategy-nvim 'session'
set -g @resurrect-capture-pane-contents 'on'
'';
}
{
plugin = tmuxPlugins.continuum;
extraConfig = ''
set -g @continuum-restore 'on'
set -g @continuum-boot 'on'
set -g @continuum-save-interval '10'
'';
}
tmuxPlugins.better-mouse-mode
tmuxPlugins.yank
];
extraConfig = ''
set -g default-terminal "tmux-256color"
set -ag terminal-overrides ",xterm-256color:RGB"
set-option -g prefix C-a
unbind-key C-b
bind-key C-a send-prefix
set -g mouse on
# Open new split at cwd of current split
bind | split-window -h -c "#{pane_current_path}"
bind - split-window -v -c "#{pane_current_path}"
# Use vim keybindings in copy mode
set-window-option -g mode-keys vi
# v in copy mode starts making selection
bind-key -T copy-mode-vi v send-keys -X begin-selection
bind-key -T copy-mode-vi C-v send-keys -X rectangle-toggle
bind-key -T copy-mode-vi y send-keys -X copy-selection-and-cancel
# Escape turns on copy mode
bind Escape copy-mode
set-option -g status-position top
# make Prefix p paste the buffer.
unbind p
bind p paste-buffer
'';
};
};
}
#+end_src
**** Mail
:PROPERTIES:
:CUSTOM_ID: h:506d01fc-c20b-473a-ac78-bce4b53fe0e3
:END:
Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here.
#+begin_src nix-ts :tangle modules/home/common/mail.nix
{ lib, config, globals, confLib, type, ... }:
let
inherit (confLib.getConfig.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4;
inherit (confLib.getConfig.repo.secrets.common) fullName;
inherit (config.swarselsystems) xdgDir;
in
{
options.swarselmodules.mail = lib.mkEnableOption "mail settings";
config = lib.mkIf config.swarselmodules.mail
({
programs = {
mbsync = {
enable = true;
};
msmtp = {
enable = true;
};
mu = {
enable = true;
};
};
services.mbsync = {
enable = true;
};
# this is needed so that mbsync can use the passwords from sops
systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ];
programs.thunderbird = {
enable = true;
profiles.default = {
isDefault = true;
withExternalGnupg = true;
settings = {
"mail.identity.default.archive_enabled" = true;
"mail.identity.default.archive_keep_folder_structure" = true;
"mail.identity.default.compose_html" = false;
"mail.identity.default.protectSubject" = true;
"mail.identity.default.reply_on_top" = 1;
"mail.identity.default.sig_on_reply" = false;
"mail.identity.default.sig_bottom" = false;
"gfx.webrender.all" = true;
"gfx.webrender.enabled" = true;
};
};
settings = {
"mail.server.default.allow_utf8_accept" = true;
"mail.server.default.max_articles" = 1000;
"mail.server.default.check_all_folders_for_new" = true;
"mail.show_headers" = 1;
"mail.identity.default.auto_quote" = true;
"mail.identity.default.attachPgpKey" = true;
"mailnews.default_sort_order" = 2;
"mailnews.default_sort_type" = 18;
"mailnews.default_view_flags" = 0;
"mailnews.sort_threads_by_root" = true;
"mailnews.headers.showMessageId" = true;
"mailnews.headers.showOrganization" = true;
"mailnews.headers.showReferences" = true;
"mailnews.headers.showUserAgent" = true;
"mail.imap.expunge_after_delete" = true;
"mail.server.default.delete_model" = 2;
"mail.warn_on_delete_from_trash" = false;
"mail.warn_on_shift_delete" = false;
"toolkit.telemetry.enabled" = false;
"toolkit.telemetry.rejected" = true;
"toolkit.telemetry.prompted" = 2;
"app.update.auto" = false;
"privacy.donottrackheader.enabled" = true;
};
};
xdg.mimeApps.defaultApplications = {
"x-scheme-handler/mailto" = [ "thunderbird.desktop" ];
"x-scheme-handler/mid" = [ "thunderbird.desktop" ];
"message/rfc822" = [ "thunderbird.desktop" ];
};
accounts = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
email =
let
defaultSettings = {
imap = {
host = "imap.gmail.com";
port = 993;
tls.enable = true; # SSL/TLS
};
smtp = {
host = "smtp.gmail.com";
port = 465;
tls.enable = true; # SSL/TLS
};
thunderbird = {
enable = true;
profiles = [ "default" ];
};
mu.enable = true;
msmtp = {
enable = true;
};
mbsync = {
enable = true;
create = "maildir";
expunge = "both";
patterns = [ "*" "![Gmail]*" "[Gmail]/Sent Mail" "[Gmail]/Starred" "[Gmail]/All Mail" ];
extraConfig = {
channel = {
Sync = "All";
};
account = {
Timeout = 120;
PipelineDepth = 1;
AuthMechs = "LOGIN";
};
};
};
};
in
{
maildirBasePath = "Mail";
accounts = {
swarsel = {
imap = {
host = globals.services.mailserver.domain;
port = 993;
tls.enable = true; # SSL/TLS
};
smtp = {
host = globals.services.mailserver.domain;
port = 465;
tls.enable = true; # SSL/TLS
};
thunderbird = {
enable = true;
profiles = [ "default" ];
};
address = address4;
userName = address4;
realName = fullName;
passwordCommand = "cat ${confLib.getConfig.sops.secrets.address4-token.path}";
mu.enable = true;
msmtp = {
enable = true;
};
mbsync = {
enable = true;
create = "maildir";
expunge = "both";
patterns = [ "*" ];
extraConfig = {
channel = {
Sync = "All";
};
account = {
Timeout = 120;
PipelineDepth = 1;
AuthMechs = "LOGIN";
};
};
};
};
leon = lib.recursiveUpdate
{
primary = true;
address = address1;
userName = address1;
realName = fullName;
passwordCommand = "cat ${confLib.getConfig.sops.secrets.address1-token.path}";
gpg = {
key = "0x76FD3810215AE097";
signByDefault = true;
};
}
defaultSettings;
nautilus = lib.recursiveUpdate
{
primary = false;
address = address2;
userName = address2;
realName = address2-name;
passwordCommand = "cat ${confLib.getConfig.sops.secrets.address2-token.path}";
}
defaultSettings;
mrswarsel = lib.recursiveUpdate
{
primary = false;
address = address3;
userName = address3;
realName = address3-name;
passwordCommand = "cat ${confLib.getConfig.sops.secrets.address3-token.path}";
}
defaultSettings;
};
};
};
} // lib.optionalAttrs (type != "nixos") {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
address1-token = { path = "${xdgDir}/secrets/address1-token"; };
address2-token = { path = "${xdgDir}/secrets/address2-token"; };
address3-token = { path = "${xdgDir}/secrets/address3-token"; };
address4-token = { path = "${xdgDir}/secrets/address4-token"; };
};
});
}
#+end_src
**** Home-manager: Emacs
:PROPERTIES:
:CUSTOM_ID: h:c05d1b64-7110-4151-b436-46bc447113b4
:END:
By using the emacs-overlay NixOS module, I can install all Emacs packages that I want to use right through NixOS. This is done by passing my =init.el= file to the configuration which will then be parsed upon system rebuild, looking for =use-package= sections in the Elisp code. Also I define here the style of Emacs that I want to run - I am going with native Wayland Emacs here (=emacs-pgtk=). All of the nice options such as =tree-sitter= support are enabled by default, so I do not need to adjust the build process.
Lastly, I am defining some more packages here that the parser has problems finding. Also there are some packages that are not in ELPA or MELPA that I still want to use, like =calfw= and =fast-scroll=, so I build them here.
#+begin_src nix-ts :tangle modules/home/common/emacs.nix
{ self, lib, config, pkgs, globals, inputs, type, ... }:
let
inherit (config.swarselsystems) homeDir mainUser isPublic isNixos;
inherit (config.repo.secrets.common.emacs) radicaleUser;
in
{
options.swarselmodules.emacs = lib.mkEnableOption "emacs settings";
config = lib.mkIf config.swarselmodules.emacs ({
# needed for elfeed
# enable emacs overlay for bleeding edge features
# also read init.el file and install use-package packages
home.activation.setupEmacsOrgFiles =
lib.hm.dag.entryAfter [ "writeBoundary" ] ''
set -eu
if [ ! -d ${homeDir}/Org ]; then
${pkgs.coreutils}/bin/install -d -m 0755 ${homeDir}/Org
${pkgs.coreutils}/bin/chown ${mainUser}:syncthing ${homeDir}/Org
fi
# create dummy files to make Emacs calendar work
# these have low modified dates and should be marked as sync-conflicts
for file in "Tasks" "Archive" "Journal"; do
if [ ! -f ${homeDir}/Org/"$file".org ]; then
${pkgs.coreutils}/bin/touch --time=access --time=modify -t 197001010000.00 ${homeDir}/Org/"$file".org
${pkgs.coreutils}/bin/chown ${mainUser}:syncthing ${homeDir}/Org/"$file".org
fi
done
# when the configuration is build again, these sync-conflicts will be cleaned up
for file in $(find ${homeDir}/Org/ -name "*sync-conflict*"); do
${pkgs.coreutils}/bin/rm "$file"
done
'';
programs.emacs = {
enable = true;
package = pkgs.emacsWithPackagesFromUsePackage {
config = self + /files/emacs/init.el;
package = pkgs.emacs-unstable-pgtk;
alwaysEnsure = true;
alwaysTangle = true;
extraEmacsPackages = epkgs: [
epkgs.mu4e
epkgs.use-package
epkgs.lsp-bridge
epkgs.doom-themes
epkgs.vterm
# pkgs.stable.emacs.pkgs.elpaPackages.tramp # use the unstable version from elpa
epkgs.treesit-grammars.with-all-grammars
# build the rest of the packages myself
# org-calfw is severely outdated on MELPA and throws many warnings on emacs startup
# build the package from the haji-ali fork, which is well-maintained
(epkgs.trivialBuild rec {
pname = "eglot-booster";
version = "main-29-10-2024";
src = pkgs.fetchFromGitHub {
owner = "jdtsmith";
repo = "eglot-booster";
rev = "e6daa6bcaf4aceee29c8a5a949b43eb1b89900ed";
hash = "sha256-PLfaXELkdX5NZcSmR1s/kgmU16ODF8bn56nfTh9g6bs=";
};
packageRequires = [ epkgs.jsonrpc epkgs.eglot ];
})
(inputs.nixpkgs-dev.legacyPackages.${pkgs.stdenv.hostPlatform.system}.emacsPackagesFor pkgs.emacs-git-pgtk).calfw
# epkgs.calfw
# (epkgs.trivialBuild rec {
# pname = "calfw";
# version = "1.0.0-20231002";
# src = pkgs.fetchFromGitHub {
# owner = "haji-ali";
# repo = "emacs-calfw";
# rev = "bc99afee611690f85f0cd0bd33300f3385ddd3d3";
# hash = "sha256-0xMII1KJhTBgQ57tXJks0ZFYMXIanrOl9XyqVmu7a7Y=";
# };
# packageRequires = [ epkgs.howm ];
# })
(epkgs.trivialBuild rec {
pname = "fast-scroll";
version = "1.0.0-20191016";
src = pkgs.fetchFromGitHub {
owner = "ahungry";
repo = "fast-scroll";
rev = "3f6ca0d5556fe9795b74714304564f2295dcfa24";
hash = "sha256-w1wmJW7YwXyjvXJOWdN2+k+QmhXr4IflES/c2bCX3CI=";
};
packageRequires = [ ];
})
];
};
};
services.emacs = {
enable = true;
socketActivation.enable = false;
startWithUserSession = "graphical";
};
} // lib.optionalAttrs (type != "nixos") {
sops = lib.mkIf (!isPublic && !isNixos) {
secrets = {
fever-pw = { path = "${homeDir}/.emacs.d/.fever"; };
emacs-radicale-pw = { };
github-forge-token = { };
};
templates = {
authinfo = {
path = "${homeDir}/.emacs.d/.authinfo";
content = ''
machine ${globals.services.radicale.domain} login ${radicaleUser} password ${config.sops.placeholder.emacs-radicale-pw}
machine api.github.com login ${mainUser}^forge password ${config.sops.placeholder.github-forge-token}
'';
};
};
};
});
}
#+end_src
**** Waybar
:PROPERTIES:
:CUSTOM_ID: h:0bf51f63-01c0-4053-a591-7f0c5697c690
:END:
Again I am just using the first bar option here that I was able to find good understandable documentation for. Of note is that the `cpu` section's `format` is not defined here, but in section 1 (since not every machine has the same number of cores)
This section is mostly used to deliver the correct information to Waybar. AMD systems have changing hwmon paths that can be specifically set here. Also the cpu count can be set here for Waybars cpu module, but 8 is usually a good setting to show
These are explicit waybar options. Laptops do not need the battery module. However, this leads to a slight problem with theming: my waybar modules alternate their background-color between black and grey. The battery module is usually on grey background. If I were to simply delete that, I would now have two modules on black background. To avoid this, I define a pseudo-module =custom/pseudobat= that simply shows a static image and calls =wlogout= on right click. This wastes a little bit of screen space, but that is a price I am willing to pay for consistency.
The rest of the related configuration is found here:
- [[#h:a9530c81-1976-442b-b597-0b4bed6baf25][Waybar]]
- [[#h:f93f66f9-6b8b-478e-b139-b2f382c1f25e][waybarupdate]]
#+begin_src nix-ts :tangle modules/home/common/waybar.nix
{ self, config, lib, pkgs, type, ... }:
let
inherit (config.swarselsystems) xdgDir;
generateIcons = n: lib.concatStringsSep " " (builtins.map (x: "{icon" + toString x + "}") (lib.range 0 (n - 1)));
modulesLeft = [
"custom/outer-left-arrow-dark"
"mpris"
"custom/left-arrow-light"
"network"
"custom/vpn"
"custom/left-arrow-dark"
"pulseaudio"
"custom/left-arrow-light"
];
modulesRight = [
"custom/left-arrow-dark"
"group/hardware"
"custom/left-arrow-light"
"clock#2"
"custom/left-arrow-dark"
"clock#1"
];
in
{
options.swarselmodules.waybar = lib.mkEnableOption "waybar settings";
options.swarselsystems = {
cpuCount = lib.mkOption {
type = lib.types.int;
default = 8;
};
temperatureHwmon = {
isAbsolutePath = lib.mkEnableOption "absolute temperature path";
path = lib.mkOption {
type = lib.types.str;
default = "";
};
input-filename = lib.mkOption {
type = lib.types.str;
default = "";
};
};
waybarModules = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = modulesLeft ++ [
"custom/pseudobat"
] ++ modulesRight;
};
cpuString = lib.mkOption {
type = lib.types.str;
default = generateIcons config.swarselsystems.cpuCount;
description = "The generated icons string for use by Waybar.";
internal = true;
};
};
config = lib.mkIf config.swarselmodules.waybar ({
swarselsystems = {
waybarModules = lib.mkIf config.swarselsystems.isLaptop (modulesLeft ++ [
"battery"
] ++ modulesRight);
};
services.playerctld.enable = true;
programs.waybar = {
enable = true;
systemd = {
enable = false;
target = "sway-session.target";
# inherit (config.wayland.systemd) target;
};
settings = {
mainBar = {
ipc = true;
id = "bar-0";
# mode = "hide";
# mode = "overlay";
# passthrough = false;
# start_hidden = true;
layer = "top";
position = "top";
modules-left = [ "sway/workspaces" "niri/workspaces" "custom/outer-right-arrow-dark" "niri/window" "sway/window" ];
modules-center = [ "sway/mode" "privacy" "custom/github" "custom/configwarn" "custom/nix-updates" ];
"sway/mode" = {
format = "{} ";
};
"niri/window" = {
format = "{title} ({app_id}) ";
};
modules-right = config.swarselsystems.waybarModules;
"custom/pseudobat" = lib.mkIf (!config.swarselsystems.isLaptop) {
format = "";
on-click-right = "${pkgs.wlogout}/bin/wlogout -p layer-shell";
};
"custom/configwarn" = {
exec = "${pkgs.waybarupdate}/bin/waybarupdate";
interval = 60;
};
"custom/scratchpad-indicator" = {
interval = 3;
exec = "${pkgs.swayfx}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[]) | first(select(.name==\"__i3_scratch\")) | .floating_nodes | length | select(. >= 1)'";
format = "{} ";
on-click = "${pkgs.swayfx}/bin/swaymsg 'scratchpad show'";
on-click-right = "${pkgs.swayfx}/bin/swaymsg 'move scratchpad'";
};
"custom/github" = {
format = "{} ";
return-type = "json";
interval = 60;
exec = "${pkgs.github-notifications}/bin/github-notifications";
on-click = "${pkgs.xdg-utils}/bin/xdg-open https://github.com/notifications";
};
idle_inhibitor = {
format = "{icon}";
format-icons = {
activated = "";
deactivated = "";
};
};
"group/hardware" = {
orientation = "inherit";
drawer = {
"transition-left-to-right" = false;
};
modules = [
"tray"
"temperature"
"power-profiles-daemon"
"custom/left-arrow-light"
"custom/left-arrow-dark"
"custom/scratchpad-indicator"
"custom/left-arrow-light"
"disk"
"custom/left-arrow-dark"
"memory"
"custom/left-arrow-light"
"cpu"
"custom/left-arrow-dark"
"backlight/slider"
"idle_inhibitor"
];
};
"backlight/slider" = {
min = 0;
max = 100;
orientation = "horizontal";
device = "intel_backlight";
};
power-profiles-daemon = {
format = "{icon}";
tooltip-format = "Power profile: {profile}\nDriver: {driver}";
tooltip = true;
format-icons = {
"default" = "";
"performance" = "";
"balanced" = "";
"power-saver" = "";
};
};
temperature = {
hwmon-path = lib.mkIf (!config.swarselsystems.temperatureHwmon.isAbsolutePath) config.swarselsystems.temperatureHwmon.path;
hwmon-path-abs = lib.mkIf config.swarselsystems.temperatureHwmon.isAbsolutePath config.swarselsystems.temperatureHwmon.path;
input-filename = lib.mkIf config.swarselsystems.temperatureHwmon.isAbsolutePath config.swarselsystems.temperatureHwmon.input-filename;
critical-threshold = 80;
format-critical = " {temperatureC}°C";
format = " {temperatureC}°C";
};
mpris = {
format = "{player_icon} {title} [{position}/{length}] ";
format-paused = "{player_icon} {title} [{position}/{length}] ";
player-icons = {
"default" = "▶ ";
"mpv" = "🎵 ";
"spotify" = " ";
};
status-icons = {
"paused" = " ";
};
interval = 1;
title-len = 20;
artist-len = 20;
album-len = 10;
};
"custom/left-arrow-dark" = {
format = "";
tooltip = false;
};
"custom/outer-left-arrow-dark" = {
format = "";
tooltip = false;
};
"custom/left-arrow-light" = {
format = "";
tooltip = false;
};
"custom/right-arrow-dark" = {
format = "";
tooltip = false;
};
"custom/outer-right-arrow-dark" = {
format = "";
tooltip = false;
};
"custom/right-arrow-light" = {
format = "";
tooltip = false;
};
"sway/workspaces" = {
disable-scroll = true;
format = "{name}";
};
"clock#1" = {
min-length = 8;
interval = 1;
format = "{:%H:%M:%S}";
# on-click-right= "gnome-clocks";
tooltip-format = "{:%Y %B} \n{calendar} {:%Y %B} \n{calendar} .p12`
- `gpgsm --import ~/Certificates/harica-root.pem`
- `gpgsm --import ~/Certificates/harica-intermediate.pem`
- `gpgsm --list-keys --with-validation "HARICA Client RSA Root CA 2021"`
- trust the certificate and set passphrase
#+end_src
#+begin_src nix-ts :tangle modules/home/common/gpg-agent.nix
{ self, lib, config, pkgs, ... }:
let
inherit (config.swarselsystems) mainUser homeDir;
in
{
options.swarselmodules.gpgagent = lib.mkEnableOption "gpg agent settings";
config = lib.mkIf config.swarselmodules.gpgagent {
services.gpg-agent = {
enable = true;
verbose = true;
enableZshIntegration = true;
enableScDaemon = true;
enableSshSupport = true;
enableExtraSocket = true;
pinentry.package = pkgs.wayprompt;
pinentry.program = "pinentry-wayprompt";
# pinentry.package = pkgs.pinentry.gtk2;
defaultCacheTtl = 600;
maxCacheTtl = 7200;
extraConfig = ''
allow-loopback-pinentry
allow-emacs-pinentry
'';
sshKeys = [
"4BE7925262289B476DBBC17B76FD3810215AE097"
];
};
programs.gpg = {
enable = true;
scdaemonSettings = {
disable-ccid = true; # prevent conflicts between pcscd and scdameon
# pcsc-shared = true; # as long as only one key is used, this prevents key from not being detected sometimes
};
publicKeys = [
{
source = "${self}/secrets/public/gpg/gpg-public-key-0x76FD3810215AE097.asc";
trust = 5;
}
];
};
systemd.user.tmpfiles.rules = [
"d ${homeDir}/.gnupg 0700 ${mainUser} users - -"
];
# assure correct permissions
# systemd.user.tmpfiles.settings."30-gpgagent".rules = {
# "${homeDir}/.gnupg" = {
# d = {
# group = "users";
# user = mainUser;
# mode = "0700";
# };
# };
# };
};
}
#+end_src
**** gammastep
:PROPERTIES:
:CUSTOM_ID: h:74e236be-a977-4d38-b8c5-0b9feef8af91
:END:
This service changes the screen hue at night. I am not sure if that really does something, but I like the color anyways.
#+begin_src nix-ts :tangle modules/home/common/gammastep.nix
{ lib, config, confLib, ... }:
let
inherit (confLib.getConfig.repo.secrets.common.location) latitude longitude;
in
{
options.swarselmodules.gammastep = lib.mkEnableOption "gammastep settings";
config = lib.mkIf config.swarselmodules.gammastep {
systemd.user.services.gammastep = confLib.overrideTarget "sway-session.target";
services.gammastep = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
enable = true;
provider = "manual";
inherit longitude latitude;
};
};
}
#+end_src
**** Spicetify
:PROPERTIES:
:CUSTOM_ID: h:d1fb3075-ad52-4c1b-ba45-5ddbd0d3b708
:END:
#+begin_src nix-ts :tangle modules/home/common/spicetify.nix
{ inputs, lib, config, pkgs, ... }:
let
moduleName = "spicetify";
spicePkgs = inputs.spicetify-nix.legacyPackages.${pkgs.stdenv.system};
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "${moduleName} settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
programs.spicetify = {
enable = true;
# spotifyPackage = pkgs.stable24_11.spotify;
spotifyPackage = pkgs.spotify;
enabledExtensions = with spicePkgs.extensions; [
fullAppDisplay
shuffle
hidePodcasts
fullAlbumDate
skipStats
history
];
};
};
}
#+end_src
**** Obsidian
:PROPERTIES:
:CUSTOM_ID: h:ffd97152-63ce-41a0-a40e-c78ba3eb6722
:END:
#+begin_src nix-ts :tangle modules/home/common/obsidian.nix
{ lib, config, pkgs, confLib, ... }:
let
moduleName = "obsidian";
inherit (confLib.getConfig.repo.secrets.common.obsidian) userIgnoreFilters;
name = "Main";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} with settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
home.file = {
"${config.programs.obsidian.vaults.${name}.target}/.obsidian/app.json".force = true;
"${config.programs.obsidian.vaults.${name}.target}/.obsidian/appearance.json".force = true;
"${config.programs.obsidian.vaults.${name}.target}/.obsidian/core-plugins.json".force = true;
};
programs.obsidian =
let
pluginSource = pkgs.nur.repos.swarsel;
in
{
enable = true;
package = pkgs.obsidian;
defaultSettings = {
app = {
attachmentFolderPath = "attachments";
alwaysUpdateLinks = true;
spellcheck = false;
inherit userIgnoreFilters;
vimMode = false;
newFileLocation = "current";
};
hotkeys = {
"graph:open" = [ ];
"omnisearch:show-modal" = [
{
modifiers = [
"Mod"
];
key = "S";
}
];
"editor:save-file" = [ ];
"editor:delete-paragraph" = [ ];
};
corePlugins = [
"backlink"
"bookmarks"
"canvas"
"command-palette"
"daily-notes"
"editor-status"
"file-explorer"
"file-recovery"
"global-search"
"graph"
"note-composer"
"outgoing-link"
"outline"
"page-preview"
"properties"
"slides"
"switcher"
"tag-pane"
"templates"
"word-count"
];
# communityPlugins = with pkgs.swarsel-nix; [
communityPlugins = with pluginSource; [
advanced-tables
calendar
file-hider
linter
omnisearch
sort-and-permute-lines
tag-wrangler
tray
];
};
vaults = {
${name} = {
target = "./Obsidian/${name}";
settings = {
appearance = {
baseFontSize = lib.mkForce 19;
};
# communityPlugins = with pkgs.swarsel-nix; [
communityPlugins = with pluginSource; [
{
pkg = advanced-tables;
enable = true;
}
{
pkg = calendar;
enable = true;
}
{
pkg = sort-and-permute-lines;
enable = true;
}
{
pkg = tag-wrangler;
enable = true;
}
{
pkg = tray;
enable = true;
settings = {
launchOnStartup = false;
hideOnLaunch = true;
runInBackground = true;
hideTaskbarIcon = false;
createTrayIcon = true;
};
}
{
pkg = file-hider;
enable = true;
settings =
{
hidden = true;
hiddenList = [
"attachments"
"images"
"ltximg"
"logseq"
];
};
}
{
pkg = linter;
enable = true;
settings = {
auto-correct-common-misspellings = {
skip-words-with-multiple-capitals = true;
};
convert-bullet-list-markers = {
enabled = true;
};
};
}
{
pkg = omnisearch;
enable = true;
settings = {
hideExcluded = true;
};
}
];
};
};
};
};
};
}
#+end_src
**** Anki
:PROPERTIES:
:CUSTOM_ID: h:6f2839dc-c681-4697-8e93-4ef191362434
:END:
#+begin_src nix-ts :tangle modules/home/common/anki.nix
{ lib, config, pkgs, globals, confLib, type, ... }:
let
moduleName = "anki";
inherit (config.swarselsystems) isPublic isNixos;
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName}
({
programs.anki = {
enable = true;
package = pkgs.anki;
hideBottomBar = true;
hideBottomBarMode = "always";
hideTopBar = true;
hideTopBarMode = "always";
reduceMotion = true;
spacebarRatesCard = true;
# videoDriver = "opengl";
profiles."User 1".sync = {
autoSync = false; # sync on profile close will delay system shutdown
syncMedia = true;
autoSyncMediaMinutes = 5;
url = "https://${globals.services.ankisync.domain}";
usernameFile = confLib.getConfig.sops.secrets.anki-user.path;
# this is not the password but the syncKey
# get it by logging in or out, saving preferences and then
# show details on the "settings wont be saved" dialog
keyFile = confLib.getConfig.sops.secrets.anki-pw.path;
};
addons =
let
minimize-to-tray = pkgs.anki-utils.buildAnkiAddon
(finalAttrs: {
pname = "minimize-to-tray";
version = "2.0.1";
src = pkgs.fetchFromGitHub {
owner = "simgunz";
repo = "anki21-addons_minimize-to-tray";
rev = finalAttrs.version;
sparseCheckout = [ "src" ];
hash = "sha256-xmvbIOfi9K0yEUtUNKtuvv2Vmqrkaa4Jie6J1s+FuqY=";
};
sourceRoot = "${finalAttrs.src.name}/src";
});
in
[
(minimize-to-tray.withConfig
{
config = {
hide_on_startup = "true";
};
})
];
};
} // lib.optionalAttrs (type != "nixos") {
sops = lib.mkIf (!isPublic && !isNixos) {
secrets = {
anki-user = { };
anki-pw = { };
};
};
});
}
#+end_src
**** Element-desktop
:PROPERTIES:
:CUSTOM_ID: h:add71e84-43ff-40c7-9173-de43a13bbae6
:END:
#+begin_src nix-ts :tangle modules/home/common/element.nix
{ lib, config, globals, ... }:
let
moduleName = "element-desktop";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
programs.element-desktop = {
enable = true;
settings = {
default_server_config = {
"m.homeserver" = {
base_url = "https://${globals.services.matrix.domain}/";
};
};
UIFeature = {
feedback = false;
voip = false;
widgets = false;
shareSocial = false;
registration = false;
passwordReset = false;
deactivate = false;
};
};
};
};
}
#+end_src
**** Hexchat
:PROPERTIES:
:CUSTOM_ID: h:812cedcd-520e-417e-8923-aaae5ff5e316
:END:
#+begin_src nix-ts :tangle modules/home/common/hexchat.nix
{ lib, config, confLib, ... }:
let
moduleName = "hexchat";
inherit (confLib.getConfig.repo.secrets.common.irc) irc_nick1;
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
programs.${moduleName} = {
enable = true;
settings = {
inherit irc_nick1;
};
};
};
}
#+end_src
**** obs-studio
:PROPERTIES:
:CUSTOM_ID: h:ef995044-6833-40d6-825b-64063c00a790
:END:
#+begin_src nix-ts :tangle modules/home/common/obs-studio.nix
{ lib, config, ... }:
let
moduleName = "obs-studio";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
programs.${moduleName} = {
enable = true;
};
};
}
#+end_src
**** spotify-player
:PROPERTIES:
:CUSTOM_ID: h:b99d62a1-4560-429f-81c1-29fc544a46fb
:END:
#+begin_src nix-ts :tangle modules/home/common/spotify-player.nix
{ lib, config, ... }:
let
moduleName = "spotify-player";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
programs.${moduleName} = {
enable = true;
};
};
}
#+end_src
**** vesktop
:PROPERTIES:
:CUSTOM_ID: h:f5e191c5-b8c0-4f66-aa38-9cbfb1619058
:END:
#+begin_src nix-ts :tangle modules/home/common/vesktop.nix
{ lib, pkgs, config, ... }:
let
moduleName = "vesktop";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
programs.${moduleName} = {
enable = true;
package = pkgs.vesktop;
settings = {
appBadge = false;
arRPC = false;
checkUpdates = false;
customTitleBar = false;
disableMinSize = true;
minimizeToTray = true;
tray = true;
staticTitle = true;
hardwareAcceleration = true;
discordBranch = "stable";
};
vencord = {
useSystem = true;
settings = {
autoUpdate = false;
autoUpdateNotification = false;
enableReactDevtools = false;
frameless = false;
transparent = false;
winCtrlQ = false;
notifyAboutUpdates = false;
useQuickCss = true;
disableMinSize = true;
winNativeTitleBar = false;
plugins = {
MessageLogger = {
enabled = true;
ignoreSelf = true;
};
ChatInputButtonAPI = {
enabled = false;
};
CommandsAPI = {
enabled = true;
};
MemberListDecoratorsAPI = {
enabled = false;
};
MessageAccessoriesAPI = {
enabled = true;
};
MessageDecorationsAPI = {
enabled = false;
};
MessageEventsAPI = {
enabled = false;
};
MessagePopoverAPI = {
enabled = false;
};
MessageUpdaterAPI = {
enabled = false;
};
ServerListAPI = {
enabled = false;
};
UserSettingsAPI = {
enabled = true;
};
FakeNitro = {
enabled = true;
};
};
};
};
};
};
}
#+end_src
**** batsignal
:PROPERTIES:
:CUSTOM_ID: h:b30fcdf0-93d8-4600-a267-e210bec8e680
:END:
#+begin_src nix-ts :tangle modules/home/common/batsignal.nix
{ lib, config, ... }:
let
moduleName = "batsignal";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
services.${moduleName} = {
enable = true;
extraArgs = [
"-W"
" Consider charging the battery"
"-C"
" Battery is low; plug in charger now"
"-D"
" Device will lose power in a few seconds"
"-c"
"10"
"-d"
"5"
];
};
};
}
#+end_src
**** autotiling
:PROPERTIES:
:CUSTOM_ID: h:a7bac755-510c-424b-b964-18fb9e4a6667
:END:
#+begin_src nix-ts :tangle modules/home/common/autotiling.nix
{ lib, config, ... }:
let
moduleName = "autotiling";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
services.${moduleName} = {
enable = true;
systemdTarget = "sway-session.target";
};
};
}
#+end_src
**** swayidle
:PROPERTIES:
:CUSTOM_ID: h:2e23f3d9-ab65-4f2f-912f-dc236189c457
:END:
#+begin_src nix-ts :tangle modules/home/common/swayidle.nix
{ lib, config, pkgs, ... }:
let
moduleName = "swayidle";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
services.${moduleName} =
let
brightnessctl = "${lib.getExe pkgs.brightnessctl}";
swaylock = "${lib.getExe pkgs.swaylock-effects}";
suspend = "${pkgs.systemd}/bin/systemctl suspend";
noctalia = "/etc/profiles/per-user/${config.swarselsystems.mainUser}/bin/noctalia-shell ipc call";
in
{
enable = true;
# systemdTarget = "sway-session.target";
extraArgs = [ "-w" ];
timeouts = [
{ timeout = 60; command = "${brightnessctl} -s; ${brightnessctl} set 80%-"; resumeCommand = "${brightnessctl} -r"; }
# { timeout = 300; command = "${lib.getExe pkgs.swaylock-effects} -f --screenshots --clock --effect-blur 7x5 --effect-vignette 0.5:0.5 --fade-in 0.2"; }
# { timeout = 300; command = "${swaylock} -f"; }
{ timeout = 300; command = "${noctalia} lockScreen lock || ${swaylock} -f"; }
# { timeout = 600; command = ''${pkgs.sway}/bin/swaymsg "output * dpms off"; resumeCommand = "${pkgs.sway}/bin/swaymsg output * dpms on''; }
# { timeout = 600; command = "${noctalia} sessionMenu lockAndSuspend || ${suspend}"; }
{ timeout = 600; command = "${suspend}"; }
];
events = {
# { event = "before-sleep"; command = "${noctalia} lockScreen lock || ${lib.getExe pkgs.swaylock-effects} -f --screenshots --clock --effect-blur 7x5 --effect-vignette 0.5:0.5 --fade-in 0.2"; }
# { event = "after-resume"; command = "${swaylock} -f "; }
before-sleep = "${noctalia} lockScreen lock || ${swaylock} -f ";
# lock = "${swaylock} -f ";
};
};
};
}
#+end_src
**** swaylock
:PROPERTIES:
:CUSTOM_ID: h:8e508f62-d3e4-48bc-8bce-641bf38a0106
:END:
#+begin_src nix-ts :tangle modules/home/common/swaylock.nix
{ lib, config, pkgs, ... }:
let
moduleName = "swaylock";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
programs.${moduleName} = {
enable = true;
package = pkgs.swaylock-effects;
settings = {
screenshots = true;
clock = true;
effect-blur = "7x5";
effect-vignette = "0.5:0.5";
fade-in = "0.2";
};
};
};
}
#+end_src
**** opkssh
:PROPERTIES:
:CUSTOM_ID: h:99bde2b8-ab38-4082-b06b-4afde9d06228
:END:
#+begin_src nix-ts :tangle modules/home/common/opkssh.nix
{ lib, config, globals, ... }:
let
moduleName = "opkssh";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
programs.${moduleName} = {
enable = true;
settings = {
default_provider = "kanidm";
providers = [
{
alias = "kanidm";
issuer = "https://${globals.services.kanidm.domain}/oauth2/openid/opkssh";
client_id = "opkssh";
scopes = "openid email profile";
redirect_uris = [
"http://localhost:3000/login-callback"
"http://localhost:10001/login-callback"
"http://localhost:11110/login-callback"
];
}
];
};
};
};
}
#+end_src
**** Khal
:PROPERTIES:
:CUSTOM_ID: h:771a6e35-9299-4df0-8d07-0a3443099484
:END:
#+begin_src nix-ts :tangle modules/home/common/khal.nix
{ lib, config, pkgs, ... }:
let
moduleName = "khal";
in
{
options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings";
config = lib.mkIf config.swarselmodules.${moduleName} {
programs.${moduleName} = {
enable = true;
package = pkgs.khal;
};
};
}
#+end_src
*** Server
:PROPERTIES:
:CUSTOM_ID: h:b1a00339-6e9b-4ae4-b5dc-6fd5669a2ddb
:END:
This is again configuration that is mostly needed on servers. Most things should be done using the NixOS config instead, consider carefully if a home-manager config must be used.
**** Imports
:PROPERTIES:
:CUSTOM_ID: h:7b4ee01a-b505-47da-8fb9-0b41285d0eab
:END:
This section sets up all the imports that are used in the home-manager section.
#+begin_src nix-ts :tangle modules/home/server/default.nix
{ self, lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/home/server";
modulesPath = "${self}/modules";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/home/server" ++ [
"${modulesPath}/home/common/settings.nix"
];
}
#+end_src
**** Symlinking dotfiles
:PROPERTIES:
:CUSTOM_ID: h:9fac0904-b615-4d9d-9bae-54a6691999c3
:END:
This section should be used in order to symlink already existing configuration files using `home.file` and setting session variables using `home.sessionVariables`.
As for the `home.sessionVariables`, it should be noted that environment variables that are needed at system start should NOT be loaded here, but instead in `programs.zsh.config.extraSessionCommands` (in the home-manager programs section). This is also where all the wayland related variables are stored.
#+begin_src nix-ts :tangle modules/home/server/symlink.nix
{ self, lib, config, ... }:
{
options.swarselmodules.server.dotfiles = lib.mkEnableOption "server dotfiles settings";
config = lib.mkIf config.swarselmodules.server.dotfiles {
home.file = {
"init.el" = lib.mkForce {
source = self + /files/emacs/server.el;
target = ".emacs.d/init.el";
};
};
};
}
#+end_src
*** Darwin
:PROPERTIES:
:CUSTOM_ID: h:e0536bff-2552-4ac4-a34a-a23937a2c30f
:END:
Again, mostly a placeholder for future home-manager modules that run on darwin systems.
**** Imports
:PROPERTIES:
:CUSTOM_ID: h:cff37bdf-4f22-419a-af4e-2665ede9add0
:END:
This section sets up all the imports that are used in the home-manager section.
#+begin_src nix-ts :tangle modules/home/darwin/default.nix
{ self, ... }:
{
home.stateVersion = "23.05";
imports = [
"${self}/modules/home/common/settings.nix"
"${self}/modules/shared/options.nix"
"${self}/modules/shared/vars.nix"
];
}
#+end_src
*** Optional
:PROPERTIES:
:CUSTOM_ID: h:be623200-557e-4bb7-bb11-1ec5d76c6b8b
:END:
Akin to the [[#h:f9aa9af0-9b8d-43ff-901d-9ffccdd70589][Optional]] NixOS modules.
#+begin_src nix-ts :tangle modules/home/optional/default.nix
{ lib, ... }:
let
importNames = lib.swarselsystems.readNix "modules/home/optional";
in
{
imports = lib.swarselsystems.mkImports importNames "modules/home/optional";
}
#+end_src
**** Niri
:PROPERTIES:
:CUSTOM_ID: h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb
:END:
#+begin_src nix-ts :tangle modules/home/optional/niri.nix
{ inputs, config, pkgs, lib, vars, type, ... }:
{
imports = lib.optionals (type != "nixos") [
inputs.niri-flake.homeModules.niri
];
config = {
programs.niri = {
package = pkgs.niri-stable; # which package to use for niri validation
settings = {
gestures.hot-corners.enable = false;
hotkey-overlay.skip-at-startup = true;
debug = {
honor-xdg-activation-with-invalid-serial = [ ];
};
xwayland-satellite = {
enable = true;
path = "${lib.getExe pkgs.xwayland-satellite-unstable}";
};
prefer-no-csd = true;
layer-rules = [
{ matches = [{ namespace = "^notificatioans$"; }]; block-out-from = "screen-capture"; }
{ matches = [{ namespace = "^wallpaper$"; }]; place-within-backdrop = true; }
{ matches = [{ namespace = "^noctalia-overview*"; }]; place-within-backdrop = true; }
];
window-rules = [
{
matches = [{ app-id = ".*"; }];
opacity = 0.95;
default-column-width = { proportion = 0.5; };
shadow = {
enable = true;
draw-behind-window = true;
};
clip-to-geometry = true;
geometry-corner-radius = { top-left = 5.0; top-right = 5.0; bottom-left = 5.0; bottom-right = 5.0; };
}
{ matches = [{ app-id = "at.yrlf.wl_mirror"; }]; opacity = 1.0; }
{ matches = [{ app-id = "Gimp"; }]; opacity = 1.0; }
{ matches = [{ app-id = "^firefox$"; }]; opacity = 0.95; }
{ matches = [{ app-id = "^special.*"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; }
{ matches = [{ app-id = "chromium-browser"; }]; opacity = 0.99; }
{ matches = [{ app-id = "^qalculate-gtk$"; }]; open-floating = true; }
{ matches = [{ app-id = "^blueman$"; }]; open-floating = true; }
{ matches = [{ app-id = "^pavucontrol$"; }]; open-floating = true; }
{ matches = [{ app-id = "^syncthingtray$"; }]; open-floating = true; }
{ matches = [{ app-id = "^Element$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screen-capture"; }
# { matches = [{ app-id = "^Element$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; }
{ matches = [{ app-id = "^vesktop$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; block-out-from = "screen-capture"; }
# { matches = [{ app-id = "^vesktop$"; }]; default-column-width = { proportion = 0.9; }; open-on-workspace = "Scratchpad"; block-out-from = "screencast"; }
{ matches = [{ app-id = "^com.nextcloud.desktopclient.nextcloud$"; }]; open-floating = true; }
{ matches = [{ title = ".*1Password.*"; }]; excludes = [{ app-id = "^firefox$"; } { app-id = "^emacs$"; } { app-id = "^kitty$"; }]; open-floating = true; block-out-from = "screen-capture"; }
{ matches = [{ title = "(?:Open|Save) (?:File|Folder|As)"; }]; open-floating = true; }
{ matches = [{ title = "^Add$"; }]; open-floating = true; }
{ matches = [{ title = "^Picture-in-Picture$"; }]; open-floating = true; }
{ matches = [{ title = "Syncthing Tray"; }]; open-floating = true; }
{ matches = [{ title = "^Emacs Popup Frame$"; }]; open-floating = true; }
{ matches = [{ title = "^Emacs Popup Anchor$"; }]; open-floating = true; }
{ matches = [{ app-id = "^spotifytui$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; }
{ matches = [{ app-id = "^kittyterm$"; }]; open-floating = true; default-column-width = { proportion = 0.5; }; }
];
environment = vars.waylandSessionVariables // {
DISPLAY = ":0";
QT_QPA_PLATFORM = lib.mkForce "wayland";
EDITOR = "emacsclient -c";
};
screenshot-path = "~/Pictures/Screenshots/screenshot_%Y-%m-%d-%H%M%S.png";
input = {
mod-key = "Super";
keyboard = {
xkb = {
layout = "us";
variant = "altgr-intl";
};
};
mouse = {
natural-scroll = false;
};
touchpad = {
enable = true;
tap = true;
tap-button-map = "left-right-middle";
natural-scroll = true;
scroll-method = "two-finger";
click-method = "clickfinger";
disabled-on-external-mouse = true;
drag = true;
drag-lock = false;
dwt = true;
dwtp = true;
};
};
cursor = {
hide-after-inactive-ms = 2000;
hide-when-typing = true;
};
layout = {
background-color = "transparent";
border = {
enable = true;
width = 1;
};
focus-ring = {
enable = false;
};
gaps = 5;
};
binds = with config.lib.niri.actions; let
sh = spawn "sh" "-c";
in
{
"Mod+Shift+t".action = toggle-window-rule-opacity;
"Mod+m".action = focus-workspace-previous;
"Mod+Shift+Space".action = toggle-window-floating;
"Mod+Shift+f".action = fullscreen-window;
# "Mod+q".action = sh "${resizer} && niri msg action close-window";
"Mod+q".action = sh "niri msg action close-window";
# "Mod+f".action = sh "${resizer} && exec firefox";
"Mod+f".action = sh "exec firefox";
# "Mod+Space".action = spawn "noctalia-shell" "ipc" "call" "launcher" "toggle";
# "Mod+Space".action = sh "${resizer} && exec noctalia-shell ipc call launcher toggle";
"Mod+Space".action = sh "exec noctalia-shell ipc call launcher toggle";
# "Mod+Space".action = sh "${resizer} & exec fuzzel";
"Mod+z".action = spawn "noctalia-shell" "ipc" "call" "bar" "toggle";
"Mod+Shift+c".action = spawn "qalculate-gtk";
"Mod+Ctrl+p".action = spawn "1password" "--quick-acces";
"Mod+Shift+Escape".action = spawn "kitty" "-o" "confirm_os_window_close=0" "btm";
"Mod+h".action = sh ''hyprpicker | wl-copy'';
# "Mod+s".action = spawn "grim" "-g" "\"$(slurp)\"" "-t" "png" "-" "|" "wl-copy" "-t" "image/png";
# "Mod+s".action = screenshot { show-pointer = false; };
"Mod+s".action.screenshot = { show-pointer = false; };
# "Mod+Shift+s".action = spawn "slurp" "|" "grim" "-g" "-" "Pictures/Screenshots/$(date +'screenshot_%Y-%m-%d-%H%M%S.png')";
# "Mod+Shift+s".action = screenshot-window { write-to-disk = true; };
"Mod+Shift+s".action.screenshot-window = { write-to-disk = true; };
# "Mod+Shift+v".action = spawn "wf-recorder" "-g" "'$(slurp -f %o -or)'" "-f" "~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv";
# "Mod+e".action = sh "${resizer} && exec emacsclient -nquc -a emacs -e '(dashboard-open)'";
"Mod+e".action = sh "exec emacsclient -nquc -a emacs -e '(dashboard-open)'";
# "Mod+c".action = sh "${resizer} && exec emacsclient -ce '(org-capture)'";
"Mod+c".action = sh "exec emacsclient -ce '(org-capture)'";
# "Mod+t".action = sh "${resizer} && exec emacsclient -ce '(org-agenda)'";
"Mod+t".action = sh "exec emacsclient -ce '(org-agenda)'";
# "Mod+Shift+m".action = sh "${resizer} && exec emacsclient -ce '(mu4e)'";
"Mod+Shift+m".action = sh "exec emacsclient -ce '(mu4e)'";
# "Mod+Shift+a".action = sh "${resizer} && exec emacsclient -ce '(swarsel/open-calendar)'";
"Mod+Shift+a".action = sh "exec emacsclient -ce '(swarsel/open-calendar)'";
"Mod+a".action = spawn "swarselcheck-niri" "-s";
"Mod+x".action = spawn "swarselcheck-niri" "-k";
"Mod+d".action = spawn "swarselcheck-niri" "-d";
"Mod+w".action = spawn "swarselcheck-niri" "-e";
"Mod+p".action = spawn "pass-fuzzel";
"Mod+o".action = spawn "pass-fuzzel" "--otp";
"Mod+Shift+p".action = spawn "pass-fuzzel" "--type";
"Mod+Shift+o".action = spawn "pass-fuzzel" "--otp" "--type";
"Mod+Left".action = focus-column-or-monitor-left;
"Mod+Right".action = focus-column-or-monitor-right;
"Mod+Down".action = focus-window-or-workspace-down;
"Mod+Up".action = focus-window-or-workspace-up;
"Mod+Shift+Left".action = move-column-left-or-to-monitor-left;
"Mod+Shift+Right".action = move-column-right-or-to-monitor-right;
"Mod+Shift+Down".action = move-window-down-or-to-workspace-down;
"Mod+Shift+Up".action = move-window-up-or-to-workspace-up;
# "Mod+Ctrl+Shift+c".action = "reload";
# "Mod+Ctrl+Shift+r".action = "exec swarsel-displaypower";
# "Mod+Shift+e".action = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
# "Mod+r".action = "mode resize";
# "Mod+Return".action = "exec kitty";
# "Mod+Return".action = sh "${resizer} && exec kitty -o confirm_os_window_close=0";
"Mod+Return".action = sh "exec kitty -o confirm_os_window_close=0";
"XF86AudioRaiseVolume".action = spawn "noctalia-shell" "ipc" "call" "volume" "increase";
"XF86AudioLowerVolume".action = spawn "noctalia-shell" "ipc" "call" "volume" "decrease";
"XF86AudioMute".action = spawn "noctalia-shell" "ipc" "call" "volume" "muteOutput";
"XF86AudioPrev".action = spawn "noctalia-shell" "ipc" "call" "media" "previous";
"XF86AudioPlay".action = spawn "noctalia-shell" "ipc" "call" "media" "playPause";
"XF86AudioNext".action = spawn "noctalia-shell" "ipc" "call" "media" "next";
"XF86MonBrightnessUp".action = spawn "noctalia-shell" "ipc" "call" "brightness" "increase";
"XF86MonBrightnessDown".action = spawn "noctalia-shell" "ipc" "call" "brightness" "decrease";
"XF86Display".action = spawn "wl-mirror" "eDP-1";
"Mod+Escape".action = spawn "noctalia-shell" "ipc" "call" "sessionMenu" "toggle";
"Mod+i".action = spawn "noctalia-shell" "ipc" "call" "launcher" "emoji";
"Mod+Equal".action = set-column-width "+10%";
"Mod+Minus".action = set-column-width "-10%";
"Mod+1".action = focus-workspace 1;
"Mod+2".action = focus-workspace 2;
"Mod+3".action = focus-workspace 3;
"Mod+4".action = focus-workspace 4;
"Mod+5".action = focus-workspace 5;
"Mod+6".action = focus-workspace 6;
"Mod+7".action = focus-workspace 7;
"Mod+8".action = focus-workspace 8;
"Mod+9".action = focus-workspace 9;
"Mod+0".action = focus-workspace 0;
"Mod+Shift+1".action = move-column-to-index 1;
"Mod+Shift+2".action = move-column-to-index 2;
"Mod+Shift+3".action = move-column-to-index 3;
"Mod+Shift+4".action = move-column-to-index 4;
"Mod+Shift+5".action = move-column-to-index 5;
"Mod+Shift+6".action = move-column-to-index 6;
"Mod+Shift+7".action = move-column-to-index 7;
"Mod+Shift+8".action = move-column-to-index 8;
"Mod+Shift+9".action = move-column-to-index 9;
"Mod+Shift+0".action = move-column-to-index 0;
};
spawn-at-startup = [
# { command = [ "vesktop" "--start-minimized" "--enable-speech-dispatcher" "--ozone-platform-hint=auto" "--enable-features=WaylandWindowDecorations" "--enable-wayland-ime" ]; }
# { command = [ "element-desktop" "--hidden" "--enable-features=UseOzonePlatform" "--ozone-platform=wayland" "--disable-gpu-driver-bug-workarounds" ]; }
# { command = [ "anki" ]; }
# { command = [ "obsidian" ]; }
# { command = [ "nm-applet" ]; }
# { command = [ "niri" "msg" "action" "focus-workspace" "2" ]; }
# { command = [ "noctalia-shell" ]; }
# { argv = [ "pkill" "mako" ]; }
{ argv = [ "systemctl" "--user" "restart" "noctalia-shell.target" ]; }
];
# workspaces = {
# "01-Main" = {
# name = "Scratchpad";
# };
# "99-Scratchpad" = {
# name = "";
# };
# };
};
};
xdg.portal = {
enable = true;
xdgOpenUsePortal = true;
config.niri = {
default = [
"gtk"
"gnome"
];
"org.freedesktop.impl.portal.Access" = [ "gtk" ];
"org.freedesktop.impl.portal.Notification" = [ "gtk" ];
"org.freedesktop.impl.portal.Secret" = [ "gnome-keyring" ];
"org.freedesktop.impl.portal.FileChooser" = [ "gtk" ];
"org.freedesktop.impl.portal.ScreenCast" = [ "xdg-desktop-portal-gnome" ];
"org.freedesktop.impl.portal.Screenshot" = [ "xdg-desktop-portal-gnome" ];
};
extraPortals = [
pkgs.gnome-keyring
pkgs.xdg-desktop-portal-gtk
pkgs.xdg-desktop-portal-gnome
];
};
swarselmodules.gnome-keyring = lib.swarselsystems.mkStrong true;
home.packages = [
pkgs.nirius
];
};
}
#+end_src
**** Noctalia
:PROPERTIES:
:CUSTOM_ID: h:385cc6c7-416c-4570-a5d3-bf8fb7c841e7
:END:
Apart from configuring Noctalia, I here also add some systemd chains to make sure the Noctalia tray is actually ready to receive tray icons.
#+begin_src nix-ts :tangle modules/home/optional/noctalia.nix
{ self, inputs, config, pkgs, lib, confLib, type, ... }:
let
inherit (confLib.getConfig.repo.secrets.common) caldavTasksEndpoint;
inherit (config.swarselsystems) xdgDir;
in
{
imports = [
inputs.noctalia.homeModules.default
];
options.swarselmodules.optional-noctalia = lib.swarselsystems.mkTrueOption;
config = {
systemd.user = {
targets = {
noctalia-shell.Unit = {
After = [ "graphical-session.target" ];
};
tray = {
Unit = {
Wants = [ "noctalia-init.service" ];
After = [
"noctalia-shell.service"
"noctalia-init.service"
];
};
Install.WantedBy = [ "noctalia-shell.target" ];
};
};
services = {
noctalia-shell = {
Unit.PartOf = [ "noctalia-shell.target" ];
Install.WantedBy = [ "noctalia-shell.target" ];
};
noctalia-init = {
Unit = {
Requires = [ "noctalia-shell.service" ];
After = [ "noctalia-shell.service" ];
};
Service = {
Type = "oneshot";
ExecStart = "${pkgs.coreutils}/bin/sleep 3";
RemainAfterExit = true;
};
Install = {
WantedBy = [ "tray.target" ];
};
};
};
};
programs = {
fastfetch.enable = true;
noctalia-shell = {
enable = true;
package = pkgs.noctalia-shell;
systemd.enable = true;
settings = {
bar = {
barType = "simple";
position = "top";
monitors = [ ];
density = "default";
showCapsule = false;
showOutline = false;
capsuleOpacity = lib.mkForce 1;
backgroundOpacity = lib.mkForce 0.5;
useSeparateOpacity = true;
floating = false;
marginVertical = 4;
marginHorizontal = 0;
frameThickness = 8;
frameRadius = 12;
outerCorners = false;
hideOnOverview = false;
displayMode = "non_exclusive";
autoHideDelay = 100;
autoShowDelay = 300;
screenOverrides = [ ];
widgets = {
left = [
{
characterCount = 4;
colorizeIcons = false;
emptyColor = "primary";
enableScrollWheel = false;
focusedColor = "secondary";
followFocusedScreen = false;
groupedBorderOpacity = 1;
hideUnoccupied = false;
iconScale = 0.5;
id = "Workspace";
labelMode = "name";
occupiedColor = "primary";
pillSize = 0.4;
reverseScroll = false;
showApplications = true;
showBadge = true;
showLabelsOnlyWhenOccupied = false;
unfocusedIconsOpacity = 0.25;
}
{
defaultSettings = {
completedCount = 0;
count = 0;
current_page_id = 0;
isExpanded = false;
pages = [
{
id = 0;
name = "General";
}
];
priorityColors = {
high = "#f44336";
low = "#9e9e9e";
medium = "#2196f3";
};
showBackground = true;
showCompleted = true;
todos = [ ];
useCustomColors = false;
};
id = "plugin:ba7043:todo";
}
];
center = [
{
colorizeIcons = true;
hideMode = "hidden";
id = "ActiveWindow";
maxWidth = 145;
scrollingMode = "hover";
showIcon = true;
useFixedWidth = false;
}
{
id = "plugin:privacy-indicator";
}
{
id = "plugin:screen-recorder";
}
];
right = [
{
blacklist = [
"bluetooth*"
];
colorizeIcons = false;
drawerEnabled = true;
hidePassive = true;
id = "Tray";
pinned = [ ];
}
{
displayMode = "alwaysShow";
id = "Volume";
middleClickCommand = "pavucontrol";
}
{
id = "NotificationHistory";
hideWhenZero = false;
showUnreadBadge = true;
}
{
id = "plugin:github-feed";
}
{
id = "plugin:clipper";
}
{
displayMode = "onhover";
id = "Network";
}
{
displayMode = "onhover";
id = "Bluetooth";
}
{
displayMode = "onhover";
id = "VPN";
}
{
deviceNativePath = "__default__";
hideIfIdle = true;
hideIfNotDetected = true;
id = "Battery";
showNoctaliaPerformance = false;
showPowerProfiles = true;
}
{
iconColor = "none";
id = "SessionMenu";
}
{
customFont = "FiraCode Nerd Font Mono";
formatHorizontal = "ddd dd. MMM HH:mm:ss";
formatVertical = "";
id = "Clock";
tooltipFormat = "ddd dd. MMM HH:mm:ss";
useCustomFont = true;
usePrimaryColor = true;
}
{
colorizeDistroLogo = false;
colorizeSystemIcon = "none";
customIconPath = "${self}/files/icons/swarsel.png";
enableColorization = true;
icon = "noctalia";
id = "ControlCenter";
useDistroLogo = false;
}
];
};
};
general = {
avatarImage = "${self}/files/icons/swarsel.png";
dimmerOpacity = 0.2;
showScreenCorners = false;
forceBlackScreenCorners = false;
scaleRatio = 1;
radiusRatio = 0.2;
iRadiusRatio = 1;
boxRadiusRatio = 1;
screenRadiusRatio = 1;
animationSpeed = 1.5;
animationDisabled = false;
compactLockScreen = true;
lockOnSuspend = true;
showSessionButtonsOnLockScreen = true;
showHibernateOnLockScreen = false;
enableShadows = true;
shadowDirection = "center";
shadowOffsetX = 0;
shadowOffsetY = 0;
language = "";
allowPanelsOnScreenWithoutBar = true;
showChangelogOnStartup = true;
telemetryEnabled = false;
enableLockScreenCountdown = true;
lockScreenCountdownDuration = 10000;
autoStartAuth = true;
allowPasswordWithFprintd = true;
};
ui = {
fontDefaultScale = 1;
fontFixedScale = 1;
tooltipsEnabled = true;
panelBackgroundOpacity = lib.mkForce 1;
panelsAttachedToBar = true;
settingsPanelMode = "centered";
wifiDetailsViewMode = "grid";
bluetoothDetailsViewMode = "grid";
networkPanelView = "wifi";
bluetoothHideUnnamedDevices = false;
boxBorderEnabled = false;
};
location = {
name = confLib.getConfig.repo.secrets.common.location.timezoneSpecific;
weatherEnabled = true;
weatherShowEffects = false;
useFahrenheit = false;
use12hourFormat = false;
showWeekNumberInCalendar = true;
showCalendarEvents = true;
showCalendarWeather = true;
analogClockInCalendar = false;
firstDayOfWeek = 1;
hideWeatherTimezone = false;
hideWeatherCityName = false;
};
calendar = {
cards = [
{
enabled = true;
id = "calendar-header-card";
}
{
enabled = true;
id = "calendar-month-card";
}
{
enabled = true;
id = "weather-card";
}
];
};
wallpaper = {
enabled = true;
overviewEnabled = true;
directory = "${self}/files/wallpaper/landscape";
monitorDirectories = [ ];
enableMultiMonitorDirectories = true;
showHiddenFiles = false;
viewMode = "single";
setWallpaperOnAllMonitors = false;
fillMode = "crop";
fillColor = "#000000";
useSolidColor = false;
solidColor = "#1a1a2e";
automationEnabled = true;
wallpaperChangeMode = "random";
randomIntervalSec = 300;
transitionDuration = 500;
transitionType = "random";
transitionEdgeSmoothness = 0.05;
panelPosition = "follow_bar";
hideWallpaperFilenames = false;
useWallhaven = false;
wallhavenQuery = "";
wallhavenSorting = "relevance";
wallhavenOrder = "desc";
wallhavenCategories = "111";
wallhavenPurity = "100";
wallhavenRatios = "";
wallhavenApiKey = "";
wallhavenResolutionMode = "atleast";
wallhavenResolutionWidth = "";
wallhavenResolutionHeight = "";
sortOrder = "name";
};
appLauncher = {
enableClipboardHistory = false;
autoPasteClipboard = false;
enableClipPreview = true;
clipboardWrapText = true;
clipboardWatchTextCommand = "wl-paste --type text --watch cliphist store";
clipboardWatchImageCommand = "wl-paste --type image --watch cliphist store";
position = "center";
pinnedApps = [ ];
useApp2Unit = false;
sortByMostUsed = true;
terminalCommand = "kitty -e";
customLaunchPrefixEnabled = false;
customLaunchPrefix = "";
viewMode = "list";
showCategories = false;
iconMode = "native";
density = "compact";
overviewLayer = false;
showIconBackground = false;
enableSettingsSearch = false;
enableWindowsSearch = false;
enableSessionSearch = false;
ignoreMouseInput = true;
screenshotAnnotationTool = "";
};
controlCenter = {
position = "close_to_bar_button";
diskPath = "/";
shortcuts = {
left = [
{
id = "Network";
}
{
id = "Bluetooth";
}
];
right = [
{
id = "Notifications";
}
{
id = "PowerProfile";
}
{
id = "KeepAwake";
}
{
id = "plugin:screen-recorder";
}
];
};
cards = [
{
enabled = true;
id = "profile-card";
}
{
enabled = true;
id = "shortcuts-card";
}
{
enabled = true;
id = "audio-card";
}
{
enabled = true;
id = "brightness-card";
}
{
enabled = true;
id = "weather-card";
}
{
enabled = true;
id = "media-sysmon-card";
}
];
};
systemMonitor = {
cpuWarningThreshold = 80;
cpuCriticalThreshold = 90;
tempWarningThreshold = 80;
tempCriticalThreshold = 90;
gpuWarningThreshold = 80;
gpuCriticalThreshold = 90;
memWarningThreshold = 80;
memCriticalThreshold = 90;
swapWarningThreshold = 80;
swapCriticalThreshold = 90;
diskWarningThreshold = 80;
diskCriticalThreshold = 90;
diskAvailWarningThreshold = 20;
diskAvailCriticalThreshold = 10;
cpuPollingInterval = 1000;
gpuPollingInterval = 3000;
enableDgpuMonitoring = false;
memPollingInterval = 1000;
diskPollingInterval = 30000;
networkPollingInterval = 1000;
loadAvgPollingInterval = 3000;
useCustomColors = true;
warningColor = "#5ec4ff";
criticalColor = "#d95468";
externalMonitor = "btm";
};
dock = {
enabled = false;
};
network = {
wifiEnabled = true;
bluetoothRssiPollingEnabled = false;
bluetoothRssiPollIntervalMs = 10000;
wifiDetailsViewMode = "grid";
bluetoothDetailsViewMode = "grid";
bluetoothHideUnnamedDevices = false;
};
sessionMenu = {
enableCountdown = true;
countdownDuration = 3000;
position = "center";
showHeader = true;
largeButtonsStyle = true;
largeButtonsLayout = "grid";
showNumberLabels = true;
powerOptions = [
{
action = "lock";
command = "";
countdownEnabled = true;
enabled = true;
keybind = "L";
}
{
action = "suspend";
command = "";
countdownEnabled = true;
enabled = true;
keybind = "S";
}
{
action = "hibernate";
command = "";
countdownEnabled = true;
enabled = true;
keybind = "H";
}
{
action = "reboot";
command = "";
countdownEnabled = true;
enabled = true;
keybind = "R";
}
{
action = "logout";
command = "";
countdownEnabled = true;
enabled = true;
keybind = "U";
}
{
action = "shutdown";
command = "";
countdownEnabled = true;
enabled = true;
keybind = "P";
}
{
action = "rebootToUefi";
command = "";
countdownEnabled = true;
enabled = true;
keybind = "B";
}
];
};
notifications = {
enabled = true;
monitors = [ ];
location = "top_right";
overlayLayer = true;
backgroundOpacity = 0.5;
respectExpireTimeout = true;
lowUrgencyDuration = 3;
normalUrgencyDuration = 8;
criticalUrgencyDuration = 15;
enableMediaToast = false;
enableKeyboardLayoutToast = true;
batteryWarningThreshold = 20;
batteryCriticalThreshold = 5;
saveToHistory = {
low = true;
normal = true;
critical = true;
};
sounds.enabled = false;
};
osd = {
enabled = true;
location = "right";
autoHideMs = 2000;
overlayLayer = true;
backgroundOpacity = 0.5;
monitors = [ ];
enabledTypes = [ 0 1 2 3 ];
};
audio = {
volumeStep = 5;
volumeOverdrive = false;
cavaFrameRate = 30;
visualizerType = "linear";
mprisBlacklist = [ ];
preferredPlayer = "";
volumeFeedback = false;
};
brightness = {
brightnessStep = 5;
enforceMinimum = true;
enableDdcSupport = false;
};
nightLight = {
enabled = true;
autoSchedule = true;
nightTemp = "3700";
dayTemp = "5500";
manualSunrise = "06:30";
manualSunset = "18:30";
};
hooks.enabled = false;
desktopWidgets.enabled = false;
plugins = {
sources = [
{
enabled = true;
name = "Official Noctalia Plugins";
url = "https://github.com/noctalia-dev/noctalia-plugins";
}
{
enabled = true;
name = "Dev";
url = "https://github.com/Swarsel/noctalia-plugins";
}
];
states = lib.listToAttrs
(map
(plugin:
lib.nameValuePair plugin {
enabled = true;
sourceUrl = "https://github.com/noctalia-dev/noctalia-plugins";
})
[
"clipper"
"github-feed"
"privacy-indicator"
"kaomoji-provider"
"unicode-picker"
"screen-recorder"
]) // {
todo = {
enabled = true;
sourceUrl = "https://github.com/Swarsel/noctalia-plugins";
};
};
};
pluginSettings = {
clipper = {
enableTodoIntegration = false;
};
todo = {
caldavEnabled = true;
caldavUrl = caldavTasksEndpoint;
caldavUsername = config.swarselsystems.mainUser;
caldavPasswordType = "file";
caldavPasswordCmd = "";
caldavPasswordFile = confLib.getConfig.sops.secrets.radicale-token.path;
caldavSyncInterval = 300;
current_page_id = 1;
pages = [
{
id = 0;
name = "General";
}
{
id = 1;
name = "Work";
}
];
};
privacy-indicator = {
hideInactive = true;
iconSpacing = 4;
removeMargins = true;
};
screen-recorder = {
hideInactive = true;
directory = "";
filenamePattern = "recording_yyyyMMdd_HHmmss";
frameRate = "60";
audioCodec = "opus";
videoCodec = "h264";
quality = "very_high";
colorRange = "limited";
showCursor = true;
copyToClipboard = true;
audioSource = "default_output";
videoSource = "portal";
resolution = "original";
};
github-feed = {
username = lib.toUpper config.swarselsystems.mainUser;
token = confLib.getConfig.repo.secrets.common.noctaliaGithubToken;
refreshInterval = 300;
maxEvents = 50;
showStars = false;
showForks = false;
showPRs = false;
showRepoCreations = false;
showMyRepoStars = true;
showMyRepoForks = true;
openInBrowser = true;
# my fork:
showNotificationBadge = true;
colorizationEnabled = true;
colorizationIcon = "None";
colorizationBadge = "Primary";
colorizationBadgeText = "None";
defaultTab = 1;
enableSystemNotifications = true;
notifyGitHubNotifications = true;
notifyStars = true;
notifyForks = true;
notifyPRs = true;
notifyRepoCreations = true;
notifyMyRepoStars = true;
notifyMyRepoForks = true;
};
};
};
};
};
} // lib.optionalAttrs (type != "nixos") {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
radicale-token = { path = "${xdgDir}/secrets/radicaleToken"; };
};
};
}
#+end_src
**** Gaming
:PROPERTIES:
:CUSTOM_ID: h:84fd7029-ecb6-4131-9333-289982f24ffa
:END:
The rest of the settings is at [[#h:fb3f3e01-7df4-4b06-9e91-aa9cac61a431][gaming]].
#+begin_src nix-ts :tangle modules/home/optional/gaming.nix
{ config, pkgs, confLib, ... }:
let
inherit (config.swarselsystems) isNixos;
in
{
config = {
# specialisation = {
# gaming.configuration = {
home.packages = with pkgs; [
# lutris
wine
protonplus
winetricks
libudev-zero
dwarfs
fuse-overlayfs
# steam
steam-run
patchelf
gamescope
vulkan-tools
moonlight-qt
ns-usbloader
quark-goldleaf
# gog games installing
heroic
# minecraft
prismlauncher # has overrides
temurin-bin-17
pokefinder
retroarch
flips
];
programs.lutris = {
enable = true;
extraPackages = with pkgs; [
winetricks
gamescope
umu-launcher
];
steamPackage = if isNixos then confLib.getConfig.programs.steam.package else pkgs.steam;
winePackages = with pkgs; [
wineWow64Packages.waylandFull
];
protonPackages = with pkgs; [
proton-ge-bin
];
};
# };
# };
};
}
#+end_src
**** Work (pizauth)
:PROPERTIES:
:CUSTOM_ID: h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6
:END:
The rest of the settings is at [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]]. Here, I am setting up the different firefox profiles that I need for the SSO sites that I need to access at work as well as a few ssh shorthands.
When setting up a new machine:
#+begin_src markdown :noweb-ref worksetup :exports both :results html
- setup pizauth for microsoft mail sync (account names are possibly `uni` and `work`):
- `pizauth auth `
- `pizauth dump > ~/.pizauth.state`
#+end_src
#+begin_src nix-ts :tangle modules/home/optional/work.nix :noweb yes
{ self, config, pkgs, lib, vars, confLib, type, ... }:
let
inherit (config.swarselsystems) homeDir mainUser;
inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses;
inherit (confLib.getConfig.repo.secrets.local.work) mailAddress;
sopsFile = self + /secrets/work/secrets.yaml;
certsSopsFile = self + /secrets/repo/certs.yaml;
in
{
options.swarselmodules.optional-work = lib.swarselsystems.mkTrueOption;
config = {
home = {
packages = with pkgs; [
teams-for-linux
shellcheck
dig
docker
postman
# rclone
libguestfs-with-appliance
prometheus.cli
tigervnc
# openstackclient
step-cli
vscode-fhs
copilot-cli
antigravity
rustdesk-vbc
];
sessionVariables = {
AWS_CA_BUNDLE = confLib.getConfig.sops.secrets.harica-root-ca.path;
};
};
systemd.user.sessionVariables = {
DOCUMENT_DIR_WORK = lib.mkForce "${homeDir}/Documents/Work";
} // lib.optionalAttrs (!config.swarselsystems.isPublic) {
SWARSEL_MAIL_ALL = lib.mkForce allMailAddresses;
SWARSEL_MAIL_WORK = lib.mkForce mailAddress;
};
accounts.email.accounts.work =
let
inherit (confLib.getConfig.repo.secrets.local.work) mailName;
in
{
primary = false;
address = mailAddress;
userName = mailAddress;
realName = mailName;
passwordCommand = "pizauth show work";
imap = {
host = "outlook.office365.com";
port = 993;
tls.enable = true; # SSL/TLS
};
smtp = {
host = "outlook.office365.com";
port = 587;
tls = {
enable = true; # SSL/TLS
useStartTls = true;
};
};
thunderbird = {
enable = true;
profiles = [ "default" ];
settings = id: {
"mail.smtpserver.smtp_${id}.authMethod" = 10; # oauth
"mail.server.server_${id}.authMethod" = 10; # oauth
# "toolkit.telemetry.enabled" = false;
# "toolkit.telemetry.rejected" = true;
# "toolkit.telemetry.prompted" = 2;
};
};
msmtp = {
enable = true;
extraConfig = {
auth = "xoauth2";
host = "outlook.office365.com";
protocol = "smtp";
port = "587";
tls = "on";
tls_starttls = "on";
from = "${mailAddress}";
user = "${mailAddress}";
passwordeval = "pizauth show work";
};
};
mu.enable = true;
mbsync = {
enable = true;
expunge = "both";
patterns = [ "INBOX" ];
extraConfig = {
account = {
AuthMechs = "XOAUTH2";
};
};
};
};
# wayland.windowManager.sway.config = {
# output = {
# "Applied Creative Technology Transmitter QUATTRO201811" = {
# bg = "${self}/files/wallpaper/navidrome.png ${config.stylix.imageScalingMode}";
# };
# "Hewlett Packard HP Z24i CN44250RDT" = {
# bg = "${self}/files/wallpaper/op6wp.png ${config.stylix.imageScalingMode}";
# };
# "HP Inc. HP 732pk CNC4080YL5" = {
# bg = "${self}/files/wallpaper/botanicswp.png ${config.stylix.imageScalingMode}";
# };
# };
# };
wayland.windowManager.sway =
let
inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long domain1 mailAddress;
in
{
config = {
keybindings =
let
inherit (config.wayland.windowManager.sway.config) modifier;
in
{
"${modifier}+Shift+d" = "exec ${pkgs.quickpass}/bin/quickpass work/adm/${user1}/${user1Long}@${domain1}";
"${modifier}+Shift+i" = "exec ${pkgs.quickpass}/bin/quickpass work/${mailAddress}";
};
};
};
stylix = {
targets.firefox.profileNames =
let
inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3;
in
[
"${user1}"
"${user2}"
"${user3}"
"work"
];
};
programs =
let
inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long path1 site1 site2 site3 site4 site5 site6 site7 clouds;
in
{
openstackclient = {
enable = true;
inherit clouds;
};
awscli = {
enable = true;
package = pkgs.awscli2;
# settings = {
# "default" = { };
# "profile s3-imagebuilder-prod" = { };
# };
# credentials = {
# "s3-imagebuilder-prod" = {
# aws_access_key_id = "5OYXY4879EJG9I91K1B6";
# credential_process = "${pkgs.pass}/bin/pass show work/awscli/s3-imagebuilder-prod/secret-key";
# };
# };
};
# this is no longer needed since moving away from bitbucket
# git.settings.user.email = lib.mkForce gitMail;
zsh = {
shellAliases = {
dssh = "ssh -l ${user1Long}";
cssh = "ssh -l ${user2Long}";
wssh = "ssh -l ${user3Long}";
};
cdpath = [
"~/Documents/Work"
];
dirHashes = {
d = "$HOME/.dotfiles";
w = "$HOME/Documents/Work";
s = "$HOME/.dotfiles/secrets";
pr = "$HOME/Documents/Private";
ac = path1;
};
sessionVariables = {
VSPHERE_USER = "$(cat ${confLib.getConfig.sops.secrets.vcuser.path})";
VSPHERE_PW = "$(cat ${confLib.getConfig.sops.secrets.vcpw.path})";
GOVC_USERNAME = "$(cat ${confLib.getConfig.sops.secrets.govcuser.path})";
GOVC_PASSWORD = "$(cat ${confLib.getConfig.sops.secrets.govcpw.path})";
GOVC_URL = "$(cat ${confLib.getConfig.sops.secrets.govcurl.path})";
GOVC_DATACENTER = "$(cat ${confLib.getConfig.sops.secrets.govcdc.path})";
GOVC_DATASTORE = "$(cat ${confLib.getConfig.sops.secrets.govcds.path})";
GOVC_HOST = "$(cat ${confLib.getConfig.sops.secrets.govchost.path})";
GOVC_RESOURCE_POOL = "$(cat ${confLib.getConfig.sops.secrets.govcpool.path})";
GOVC_NETWORK = "$(cat ${confLib.getConfig.sops.secrets.govcnetwork.path})";
};
};
ssh.matchBlocks = confLib.getConfig.repo.secrets.local.work.sshConfig;
firefox = {
profiles =
let
isDefault = false;
in
{
"${user1}" = lib.recursiveUpdate
{
inherit isDefault;
id = 1;
settings = {
"browser.startup.homepage" = "${site1}|${site2}";
};
}
vars.firefox;
"${user2}" = lib.recursiveUpdate
{
inherit isDefault;
id = 2;
settings = {
"browser.startup.homepage" = "${site3}";
};
}
vars.firefox;
"${user3}" = lib.recursiveUpdate
{
inherit isDefault;
id = 3;
}
vars.firefox;
work = lib.recursiveUpdate
{
inherit isDefault;
id = 4;
settings = {
"browser.startup.homepage" = "${site4}|${site5}|${site6}|${site7}";
};
}
vars.firefox;
};
};
chromium = {
enable = true;
package = pkgs.chromium;
extensions = [
# 1password
"gejiddohjgogedgjnonbofjigllpkmbf"
# dark reader
"eimadpbcbfnmbkopoojfekhnkhdbieeh"
# ublock origin
"cjpalhdlnbpafiamejdnhcphjbkeiagm"
# i still dont care about cookies
"edibdbjcniadpccecjdfdjjppcpchdlm"
# browserpass
"naepdomgkenhinolocfifgehidddafch"
];
};
};
services = {
shikane = {
settings =
let
workRight = [
"m=HP Z32"
"s=CN41212T55"
"v=HP Inc."
];
workLeft = [
"m=HP 732pk"
"s=CNC4080YL5"
"v=HP Inc."
];
exec = [ "notify-send shikane \"Profile $SHIKANE_PROFILE_NAME has been applied\"" ];
in
{
profile = [
{
name = "work-internal-on";
inherit exec;
output = [
{
match = config.swarselsystems.sharescreen;
enable = true;
scale = 1.7;
position = "2560,0";
}
{
match = workRight;
enable = true;
scale = 1.0;
mode = "3840x2160@60Hz";
position = "-1280,0";
}
{
match = workLeft;
enable = true;
scale = 1.0;
transform = "270";
mode = "3840x2160@60Hz";
position = "-3440,-1050";
}
];
}
{
name = "work-internal-off";
inherit exec;
output = [
{
match = config.swarselsystems.sharescreen;
enable = false;
scale = 1.7;
position = "2560,0";
}
{
match = workRight;
enable = true;
scale = 1.0;
mode = "3840x2160@60Hz";
position = "-1280,0";
}
{
match = workLeft;
enable = true;
scale = 1.0;
transform = "270";
mode = "3840x2160@60Hz";
position = "-3440,-1050";
}
];
}
];
};
};
kanshi = {
settings = [
{
# seminary room
output = {
criteria = "Applied Creative Technology Transmitter QUATTRO201811";
scale = 1.0;
mode = "1280x720";
};
}
{
# work side screen
output = {
criteria = "HP Inc. HP 732pk CNC4080YL5";
scale = 1.0;
mode = "3840x2160";
transform = "270";
};
}
# {
# # work side screen
# output = {
# criteria = "Hewlett Packard HP Z24i CN44250RDT";
# scale = 1.0;
# mode = "1920x1200";
# transform = "270";
# };
# }
{
# work main screen
output = {
criteria = "HP Inc. HP Z32 CN41212T55";
scale = 1.0;
mode = "3840x2160";
};
}
{
profile = {
name = "lidopen";
exec = [
"${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
"${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP Z32 CN41212T55' --image ${self}/files/wallpaper/landscape/botanicswp.png --mode ${config.stylix.imageScalingMode}"
"${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/portrait/op6wp.png --mode ${config.stylix.imageScalingMode}"
];
outputs = [
{
criteria = config.swarselsystems.sharescreen;
status = "enable";
scale = 1.5;
position = "2560,0";
}
{
criteria = "HP Inc. HP 732pk CNC4080YL5";
scale = 1.0;
mode = "3840x2160";
position = "-3440,-1050";
transform = "270";
}
{
criteria = "HP Inc. HP Z32 CN41212T55";
scale = 1.0;
mode = "3840x2160";
position = "-1280,0";
}
];
};
}
{
profile =
let
monitor = "Applied Creative Technology Transmitter QUATTRO201811";
in
{
name = "lidopen";
exec = [
"${pkgs.swaybg}/bin/swaybg --output '${config.swarselsystems.sharescreen}' --image ${config.swarselsystems.wallpaper} --mode ${config.stylix.imageScalingMode}"
"${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/services/navidrome.png --mode ${config.stylix.imageScalingMode}"
"${pkgs.kanshare}/bin/kanshare ${config.swarselsystems.sharescreen} '${monitor}'"
];
outputs = [
{
criteria = config.swarselsystems.sharescreen;
status = "enable";
scale = 1.7;
position = "2560,0";
}
{
criteria = "Applied Creative Technology Transmitter QUATTRO201811";
scale = 1.0;
mode = "1280x720";
position = "10000,10000";
}
];
};
}
{
profile = {
name = "lidclosed";
exec = [
"${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP Z32 CN41212T55' --image ${self}/files/wallpaper/landscape/botanicswp.png --mode ${config.stylix.imageScalingMode}"
"${pkgs.swaybg}/bin/swaybg --output 'HP Inc. HP 732pk CNC4080YL5' --image ${self}/files/wallpaper/portrait/op6wp.png --mode ${config.stylix.imageScalingMode}"
];
outputs = [
{
criteria = config.swarselsystems.sharescreen;
status = "disable";
}
{
criteria = "HP Inc. HP 732pk CNC4080YL5";
scale = 1.0;
mode = "3840x2160";
position = "-3440,-1050";
transform = "270";
}
{
criteria = "HP Inc. HP Z32 CN41212T55";
scale = 1.0;
mode = "3840x2160";
position = "-1280,0";
}
];
};
}
{
profile =
let
monitor = "Applied Creative Technology Transmitter QUATTRO201811";
in
{
name = "lidclosed";
exec = [
"${pkgs.swaybg}/bin/swaybg --output '${monitor}' --image ${self}/files/wallpaper/services/navidrome.png --mode ${config.stylix.imageScalingMode}"
];
outputs = [
{
criteria = config.swarselsystems.sharescreen;
status = "disable";
}
{
criteria = "Applied Creative Technology Transmitter QUATTRO201811";
scale = 1.0;
mode = "1280x720";
position = "10000,10000";
}
];
};
}
];
};
};
systemd.user.services = {
pizauth.Service = {
ExecStartPost = [
"${pkgs.toybox}/bin/sleep 1"
"//bin/sh -c '${lib.getExe pkgs.pizauth} restore < ${homeDir}/.pizauth.state'"
];
};
teams-applet = {
Unit = {
Description = "teams applet";
Requires = [ "graphical-session.target" ];
After = [
"graphical-session.target"
"tray.target"
];
PartOf = [
"tray.target"
];
};
Install = {
WantedBy = [ "tray.target" ];
};
Service = {
ExecStart = "${pkgs.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true";
};
};
onepassword-applet = {
Unit = {
Description = "1password applet";
Requires = [ "graphical-session.target" ];
After = [
"graphical-session.target"
"tray.target"
];
PartOf = [
"tray.target"
];
};
Install = {
WantedBy = [ "tray.target" ];
};
Service = {
ExecStart = "${pkgs._1password-gui-beta}/bin/1password";
};
};
};
services.pizauth = {
enable = true;
extraConfig = ''
auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi";
error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\"";
token_event_cmd = "pizauth dump > ${homeDir}/.pizauth.state";
'';
accounts = {
work = {
authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
scopes = [
"https://outlook.office365.com/IMAP.AccessAsUser.All"
"https://outlook.office365.com/SMTP.Send"
"offline_access"
];
loginHint = "${confLib.getConfig.repo.secrets.local.work.mailAddress}";
};
};
};
xdg =
let
inherit (confLib.getConfig.repo.secrets.local.work) user1 user2 user3;
in
{
mimeApps = {
defaultApplications = {
"x-scheme-handler/msteams" = [ "teams-for-linux.desktop" ];
};
};
desktopEntries =
let
terminal = false;
categories = [ "Application" ];
icon = "firefox";
in
{
firefox_work = {
name = "Firefox (work)";
genericName = "Firefox work";
exec = "firefox -p work";
inherit terminal categories icon;
};
"firefox_${user1}" = {
name = "Firefox (${user1})";
genericName = "Firefox ${user1}";
exec = "firefox -p ${user1}";
inherit terminal categories icon;
};
"firefox_${user2}" = {
name = "Firefox (${user2})";
genericName = "Firefox ${user2}";
exec = "firefox -p ${user2}";
inherit terminal categories icon;
};
"firefox_${user3}" = {
name = "Firefox (${user3})";
genericName = "Firefox ${user3}";
exec = "firefox -p ${user3}";
inherit terminal categories icon;
};
};
};
swarselsystems = {
startup = [
# { command = "nextcloud --background"; }
# { command = "vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; }
# { command = "element-desktop --hidden --enable-features=UseOzonePlatform --ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
# { command = "anki"; }
# { command = "obsidian"; }
# { command = "nm-applet"; }
# { command = "feishin"; }
# { command = "teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }
# { command = "1password"; }
];
monitors = {
work_back_middle = rec {
name = "LG Electronics LG Ultra HD 0x000305A6";
mode = "2560x1440";
scale = "1";
position = "5120,0";
workspace = "1:一";
# output = "DP-10";
output = name;
};
work_front_left = rec {
name = "LG Electronics LG Ultra HD 0x0007AB45";
mode = "3840x2160";
scale = "1";
position = "5120,0";
workspace = "1:一";
# output = "DP-7";
output = name;
};
work_middle_middle_main = rec {
name = "HP Inc. HP Z32 CN41212T55";
mode = "3840x2160";
scale = "1";
position = "-1280,0";
workspace = "1:一";
# output = "DP-3";
output = name;
};
# work_middle_middle_main = rec {
# name = "HP Inc. HP 732pk CNC4080YL5";
# mode = "3840x2160";
# scale = "1";
# position = "-1280,0";
# workspace = "11:M";
# # output = "DP-8";
# output = name;
# };
work_middle_middle_side = rec {
name = "HP Inc. HP 732pk CNC4080YL5";
mode = "3840x2160";
transform = "270";
scale = "1";
position = "-3440,-1050";
workspace = "12:S";
# output = "DP-8";
output = name;
};
work_middle_middle_old = rec {
name = "Hewlett Packard HP Z24i CN44250RDT";
mode = "1920x1200";
transform = "270";
scale = "1";
position = "-2480,0";
workspace = "12:S";
# output = "DP-9";
output = name;
};
work_seminary = rec {
name = "Applied Creative Technology Transmitter QUATTRO201811";
mode = "1280x720";
scale = "1";
position = "10000,10000"; # i.e. this screen is inaccessible by moving the mouse
workspace = "14:T";
# output = "DP-4";
output = name;
};
};
inputs = {
"1133:45081:MX_Master_2S_Keyboard" = {
xkb_layout = "us";
xkb_variant = "altgr-intl";
};
# "2362:628:PIXA3854:00_093A:0274_Touchpad" = {
# dwt = "enabled";
# tap = "enabled";
# natural_scroll = "enabled";
# middle_emulation = "enabled";
# drag_lock = "disabled";
# };
"1133:50504:Logitech_USB_Receiver" = {
xkb_layout = "us";
xkb_variant = "altgr-intl";
};
"1133:45944:MX_KEYS_S" = {
xkb_layout = "us";
xkb_variant = "altgr-intl";
};
};
};
} // lib.optionalAttrs (type != "nixos") {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) {
harica-root-ca = {
sopsFile = certsSopsFile;
path = "${homeDir}/.aws/certs/harica-root.pem";
owner = mainUser;
};
yubikey-1 = { inherit sopsFile; owner = mainUser; };
ucKey = { inherit sopsFile; owner = mainUser; };
};
};
}
#+end_src
**** Uni
:PROPERTIES:
:CUSTOM_ID: h:52b41e73-46f3-4c2c-af64-eafb51e3b6b6
:END:
#+begin_src nix-ts :tangle modules/home/optional/uni.nix :noweb yes
{ confLib, ... }:
{
config = {
services.pizauth = {
enable = true;
accounts = {
uni = {
authUri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
tokenUri = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
clientId = "08162f7c-0fd2-4200-a84a-f25a4db0b584";
clientSecret = "TxRBilcHdC6WGBee]fs?QR:SJ8nI[g82";
scopes = [
"https://outlook.office365.com/IMAP.AccessAsUser.All"
"https://outlook.office365.com/SMTP.Send"
"offline_access"
];
loginHint = "${confLib.getConfig.repo.secrets.local.uni.mailAddress}";
};
};
};
};
}
#+end_src
**** Framework
:PROPERTIES:
:CUSTOM_ID: h:8a7b1c26-3448-42d3-932a-5d05d54b5490
:END:
This holds configuration that is specific to framework laptops.
#+begin_src nix-ts :tangle modules/home/optional/framework.nix
_:
{
config = {
swarselsystems = {
inputs = {
"12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = {
xkb_layout = "us";
xkb_variant = "altgr-intl";
};
};
};
};
}
#+end_src
** Shared
:PROPERTIES:
:CUSTOM_ID: h:3552f06f-07e0-4bb1-a50f-fd1efb2d7778
:END:
This section is for modules that are to be used on =NixOS= and =home-manager= scopes alike. This is for example needed in order to allow me to define and set my own custom functions only once in the =NixOS= config and then mirror them into the corresponding =home-manager= option.
*** TODO Configuration options
:PROPERTIES:
:CUSTOM_ID: h:79f7150f-b162-4f57-abdf-07f40dffd932
:END:
These are my own configuration options that are used in multiple places throughout the configuration - for which reason I did not put them right where they are used for the first time.
TODO: check which of these can be replaced but builtin functions.
#+begin_src nix-ts :noweb yes :tangle modules/shared/options.nix
{ self, config, lib, ... }:
{
options.swarselsystems = {
proxyHost = lib.mkOption {
type = lib.types.str;
default = config.node.name;
};
isBastionTarget = lib.mkOption {
type = lib.types.bool;
default = false;
};
isCloud = lib.mkOption {
type = lib.types.bool;
default = false;
};
isServer = lib.mkOption {
type = lib.types.bool;
default = config.swarselsystems.isCloud;
};
isClient = lib.mkOption {
type = lib.types.bool;
default = config.swarselsystems.isLaptop;
};
isMicroVM = lib.mkOption {
type = lib.types.bool;
default = false;
};
isSwap = lib.mkOption {
type = lib.types.bool;
default = true;
};
writeGlobalNetworks = lib.mkOption {
type = lib.types.bool;
default = true;
};
swapSize = lib.mkOption {
type = lib.types.str;
default = "8G";
};
rootDisk = lib.mkOption {
type = lib.types.str;
default = "";
};
# @ future me: dont put this under server prefix
# home-manager would then try to import all swarselsystems.server.* options
localVLANs = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
# @ future me: dont put this under server prefix
# home-manager would then try to import all swarselsystems.server.* options
initrdVLAN = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
};
mainUser = lib.mkOption {
type = lib.types.str;
default = "swarsel";
};
isCrypted = lib.mkEnableOption "uses full disk encryption";
withMicroVMs = lib.mkEnableOption "enable MicroVMs on this host";
isImpermanence = lib.mkEnableOption "use impermanence on this system";
isSecureBoot = lib.mkEnableOption "use secure boot on this system";
isLaptop = lib.mkEnableOption "laptop host";
isNixos = lib.mkEnableOption "nixos host";
isPublic = lib.mkEnableOption "is a public machine (no secrets)";
isDarwin = lib.mkEnableOption "darwin host";
isLinux = lib.mkEnableOption "whether this is a linux machine";
isBtrfs = lib.mkEnableOption "use btrfs filesystem";
sopsFile = lib.mkOption {
type = lib.types.either lib.types.str lib.types.path;
# default = (if config.swarselsystems.isImpermanence then "/persist" else "") + config.node.secretsDir + "/secrets.yaml";
default = config.node.secretsDir + "/secrets.yaml";
};
homeDir = lib.mkOption {
type = lib.types.str;
default = "/home/swarsel";
};
xdgDir = lib.mkOption {
type = lib.types.str;
default = "/run/user/1000";
};
flakePath = lib.mkOption {
type = lib.types.str;
default = "/home/swarsel/.dotfiles";
};
wallpaper = lib.mkOption {
type = lib.types.path;
default = "${self}/files/wallpaper/landscape/lenovowp.png";
};
sharescreen = lib.mkOption {
type = lib.types.str;
default = "";
};
lowResolution = lib.mkOption {
type = lib.types.str;
default = "";
};
highResolution = lib.mkOption {
type = lib.types.str;
default = "";
};
};
}
#+end_src
*** Variables (vars; holds firefox & stylix config parts)
:PROPERTIES:
:CUSTOM_ID: h:ea362c55-97b4-45fd-bf41-ab461c444212
:END:
At work I am using several services that are using SSO login - however, as I am using four different accounts at work, this becomes a chore here. Hence, I have defined multiple profiles in [[#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6][Work]] that are all practically using the same configuration. To save screen space, I template that profile here.
Set in firefox =about:config > toolkit.legacyUserProfileCustomizations.stylesheets= to true. This should in principle be set automatically using the below config, but it seems not to be working reliably.
For styling, I am using the [[https://github.com/danth/stylix][stylix]] NixOS module, loaded by flake. This package is really great, as it adds nix expressions for basically everything. Ever since switching to this, I did not have to play around with theming anywhere else.
The full list of nerd-fonts can be found here: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/data/fonts/nerd-fonts/manifests/fonts.json
This is where the theme for the whole OS is defined. Originally, this noweb-ref section could not be copied to the general NixOS config since they are on different folder structure levels in the config, which would have made the flake impure. By now, I have found out that using the =${self}= method for referencing the flake root, I could circumvent this problem. Also, the noweb-ref block could in general be replaced by a custom attribute set (see for example [[#h:e7f98ad8-74a6-4860-a368-cce154285ff0][firefox]]). The difference here was, for a long time, that this block is used in a NixOS and a home-manager-only configuration, verbatim. If I were to use an attribute set, I would have to duplicate this block once each for NixOS and home-manager. Alas, this block stays (for now). However, I learned how to use an attribute set in a custom home-manager module and pass it to both NixOS and home-manager configurations, which also removed the need for that use of it.
In short, the options defined here are passed to the modules systems using =_modules.args= - they can then be used by passing =vars= as an attribute in the input attribute set of a modules system file (=basically all files in this configuration)
#+begin_src nix-ts :noweb yes :tangle modules/shared/vars.nix
{ self, pkgs, ... }:
{
_module.args = {
vars = rec {
waylandSessionVariables = {
ANKI_WAYLAND = "1";
MOZ_ENABLE_WAYLAND = "1";
MOZ_WEBRENDER = "1";
NIXOS_OZONE_WL = "1";
OBSIDIAN_USE_WAYLAND = "1";
QT_QPA_PLATFORM = "wayland-egl";
QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
SDL_VIDEODRIVER = "wayland";
_JAVA_AWT_WM_NONREPARENTING = "1";
};
waylandExports =
let
renderedWaylandExports = map (key: "export ${key}=${waylandSessionVariables.${key}};") (builtins.attrNames waylandSessionVariables);
in
builtins.concatStringsSep "\n" renderedWaylandExports;
stylix = {
polarity = "dark";
opacity.popups = 0.5;
cursor = {
package = pkgs.banana-cursor;
# package = pkgs.capitaine-cursors;
name = "Banana";
# name = "capitaine-cursors";
size = 16;
};
fonts = {
sizes = {
terminal = 10;
applications = 11;
};
serif = {
# package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
# package = pkgs.cantarell-fonts;
# package = pkgs.montserrat;
# name = "Cantarell";
package = pkgs.iosevka-bin.override { variant = "Aile"; };
name = "Iosevka Aile";
# name = "FiraCode Nerd Font Propo";
# name = "Montserrat";
};
sansSerif = {
# package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
# package = pkgs.cantarell-fonts;
# package = pkgs.montserrat;
# name = "Cantarell";
package = pkgs.iosevka-bin.override { variant = "Aile"; };
name = "Iosevka Aile";
# name = "FiraCode Nerd Font Propo";
# name = "Montserrat";
};
monospace = {
package = pkgs.nerd-fonts.fira-code; # has overrides
name = "FiraCode Nerd Font";
};
emoji = {
package = pkgs.noto-fonts-color-emoji;
name = "Noto Color Emoji";
};
};
};
stylixHomeTargets = {
emacs.enable = false;
waybar.enable = false;
sway.useWallpaper = false;
spicetify.enable = true;
firefox.profileNames = [ "default" ];
};
firefox = {
userChrome = builtins.readFile "${self}/files/firefox/chrome/userChrome.css";
extensions = {
packages = with pkgs.nur.repos.rycee.firefox-addons; [
tridactyl
tampermonkey
sidebery
browserpass
clearurls
darkreader
# enhancer-for-youtube
istilldontcareaboutcookies
translate-web-pages
ublock-origin
reddit-enhancement-suite
sponsorblock
web-archives
onepassword-password-manager
single-file
widegithub
enhanced-github
unpaywall
don-t-fuck-with-paste
# plasma-integration
noscript
# configure a shortcut 'ctrl+shift+c' with behaviour 'do nothing' in order to disable the dev console shortcut
# (buildFirefoxXpiAddon {
# pname = "shortkeys";
# version = "4.0.2";
# addonId = "Shortkeys@Shortkeys.com";
# url = "https://addons.mozilla.org/firefox/downloads/file/3673761/shortkeys-4.0.2.xpi";
# sha256 = "c6fe12efdd7a871787ac4526eea79ecc1acda8a99724aa2a2a55c88a9acf467c";
# meta = with lib;
# {
# description = "Easily customizable custom keyboard shortcuts for Firefox. To configure this addon go to Addons (ctrl+shift+a) ->Shortkeys ->Options. Report issues here (please specify that the issue is found in Firefox): https://github.com/mikecrittenden/shortkeys";
# mozPermissions = [
# "tabs"
# "downloads"
# "clipboardWrite"
# "browsingData"
# "storage"
# "bookmarks"
# "sessions"
# ""
# ];
# platforms = platforms.all;
# };
# })
];
};
settings =
{
"extensions.autoDisableScopes" = 0;
"browser.bookmarks.showMobileBookmarks" = true;
"browser.autofocus" = false;
"toolkit.legacyUserProfileCustomizations.stylesheets" = true;
"browser.search.suggest.enabled" = false;
"browser.search.suggest.enabled.private" = false;
"browser.urlbar.suggest.searches" = false;
"browser.urlbar.showSearchSuggestionsFirst" = false;
"browser.topsites.contile.enabled" = false;
"browser.newtabpage.activity-stream.feeds.section.topstories" = false;
"browser.newtabpage.activity-stream.feeds.snippets" = false;
"browser.newtabpage.activity-stream.section.highlights.includePocket" = false;
"browser.newtabpage.activity-stream.section.highlights.includeBookmarks" = false;
"browser.newtabpage.activity-stream.section.highlights.includeDownloads" = false;
"browser.newtabpage.activity-stream.section.highlights.includeVisited" = false;
"browser.newtabpage.activity-stream.showSponsored" = false;
"browser.newtabpage.activity-stream.system.showSponsored" = false;
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
};
search = {
# default = "Kagi";
default = "google";
# privateDefault = "Kagi";
privateDefault = "google";
engines = {
"Kagi" = {
urls = [{
template = "https://kagi.com/search";
params = [
{ name = "q"; value = "{searchTerms}"; }
];
}];
icon = "https://kagi.com/favicon.ico";
updateInterval = 24 * 60 * 60 * 1000; # every day
definedAliases = [ "@k" ];
};
"Nix Packages" = {
urls = [{
template = "https://search.nixos.org/packages";
params = [
{ name = "type"; value = "packages"; }
{ name = "query"; value = "{searchTerms}"; }
];
}];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@np" ];
};
"NixOS Wiki" = {
urls = [{
template = "https://nixos.wiki/index.php?search={searchTerms}";
}];
icon = "https://nixos.wiki/favicon.png";
updateInterval = 24 * 60 * 60 * 1000; # every day
definedAliases = [ "@nw" ];
};
"NixOS Options" = {
urls = [{
template = "https://search.nixos.org/options";
params = [
{ name = "query"; value = "{searchTerms}"; }
];
}];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@no" ];
};
"Home Manager Options" = {
urls = [{
template = "https://home-manager-options.extranix.com/";
params = [
{ name = "query"; value = "{searchTerms}"; }
];
}];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@hm" "@ho" "@hmo" ];
};
"Confluence search" = {
urls = [{
template = "https://vbc.atlassian.net/wiki/search";
params = [
{ name = "text"; value = "{searchTerms}"; }
];
}];
definedAliases = [ "@c" "@cf" "@confluence" ];
};
"Jira search" = {
urls = [{
template = "https://vbc.atlassian.net/issues/";
params = [
{ name = "jql"; value = "textfields ~ \"{searchTerms}*\"&wildcardFlag=true"; }
];
}];
definedAliases = [ "@j" "@jire" ];
};
"google".metaData.alias = "@g";
};
force = true; # this is required because otherwise the search.json.mozlz4 symlink gets replaced on every firefox restart
};
};
};
};
}
#+end_src
*** Meta options (options only)
:PROPERTIES:
:CUSTOM_ID: h:30b81bf9-1e69-4ce8-88af-5592896bcee4
:END:
#+begin_src nix-ts :tangle modules/shared/meta.nix
{ lib, ... }:
{
options = {
node = {
secretsDir = lib.mkOption {
description = "Path to the secrets directory for this node.";
type = lib.types.path;
default = ./.;
};
configDir = lib.mkOption {
description = "Path to the base directory for this node.";
type = lib.types.path;
default = ./.;
};
name = lib.mkOption {
type = lib.types.str;
};
arch = lib.mkOption {
type = lib.types.str;
};
type = lib.mkOption {
type = lib.types.str;
};
lockFromBootstrapping = lib.mkOption {
description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
type = lib.types.bool;
};
};
};
}
#+end_src
*** Config Library (confLib)
:PROPERTIES:
:CUSTOM_ID: h:a33322d5-014a-4072-a4a5-91bc71c343b8
:END:
#+begin_src nix-ts :noweb yes :tangle modules/shared/config-lib.nix
{ self, config, lib, globals, inputs, outputs, minimal, nixosConfig ? null, ... }:
let
domainDefault = service: config.repo.secrets.common.services.domains.${service};
proxyDefault = config.swarselsystems.proxyHost;
addressDefault =
if
config.swarselsystems.proxyHost != config.node.name
then
if
config.swarselsystems.server.wireguard.interfaces.wgProxy.isClient
then
globals.networks."${config.swarselsystems.server.wireguard.interfaces.wgProxy.serverNetConfigPrefix}-wgProxy".hosts.${config.node.name}.ipv4
else
globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4
else
"localhost";
in
{
_module.args = {
confLib = rec {
getConfig = if nixosConfig == null then config else nixosConfig;
gen = { name ? "n/a", user ? name, group ? user, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec {
servicePort = port;
serviceName = name;
specificServiceName = "${name}-${config.node.name}";
serviceUser = user;
serviceGroup = group;
serviceDomain = domain;
baseDomain = lib.swarselsystems.getBaseDomain domain;
subDomain = lib.swarselsystems.getSubDomain domain;
serviceDir = dir;
serviceAddress = address;
serviceProxy = proxy;
serviceNode = config.node.name;
topologyContainerName = "${serviceNode}-${config.virtualisation.oci-containers.backend}-${name}";
proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null;
proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null;
};
static = rec {
inherit (globals.hosts.${config.node.name}) isHome;
inherit (globals.general) homeProxy webProxy dnsServer homeDnsServer homeWebProxy idmServer oauthServer;
webProxyIf = "${webProxy}-wgProxy";
homeProxyIf = "home-wgHome";
isProxied = config.node.name != webProxy;
nginxAccessRules = ''
allow ${globals.networks.home-lan.vlans.home.cidrv4};
allow ${globals.networks.home-lan.vlans.home.cidrv6};
allow ${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv4};
allow ${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv6};
deny all;
'';
homeServiceAddress = lib.optionalString (config.swarselsystems.server.wireguard.interfaces ? wgHome) globals.networks."${config.swarselsystems.server.wireguard.interfaces.wgHome.serverNetConfigPrefix}-wgHome".hosts.${config.node.name}.ipv4;
};
mkIds = id: {
uid = id;
gid = id;
};
mkDeviceMac = id:
let
mod = n: d: n - (n / d) * d;
toHexByte = n:
let
hex = "0123456789abcdef";
hi = n / 16;
lo = mod n 16;
in
builtins.substring hi 1 hex
+ builtins.substring lo 1 hex;
max = 16777215; # 256^3 - 1
b1 = id / (256 * 256);
r1 = mod id (256 * 256);
b2 = r1 / 256;
b3 = mod r1 256;
in
if
(id <= max)
then
(builtins.concatStringsSep ":"
(map toHexByte [ b1 b2 b3 ]))
else
(throw "Device MAC ID too large (max is 16777215)");
mkMicrovm =
if config.swarselsystems.withMicroVMs then
(guestName:
{ eternorPaths ? [ ]
, withZfs ? false
, ...
}:
{
${guestName} =
{
backend = "microvm";
autostart = true;
zfs = lib.mkIf withZfs
({
# stateful config usually bind-mounted to /var/lib/ that should be backed up remotely
"/state" = {
pool = "Vault";
dataset = "guests/${guestName}/state";
};
# other stuff that should only reside on zfs, not backed up remotely
"/persist" = {
pool = "Vault";
dataset = "guests/${guestName}/persist";
};
} // lib.optionalAttrs (eternorPaths != [ ])
(lib.listToAttrs (map
# data that is pulled in externally by services, some of which is backed up externally
(eternorPath:
lib.nameValuePair "/storage/${eternorPath}" {
pool = "Vault";
dataset = "Eternor/${eternorPath}";
})
eternorPaths)));
modules = [
(config.node.configDir + /guests/${guestName}/default.nix)
{
node.secretsDir = config.node.configDir + /secrets/${guestName};
node.configDir = config.node.configDir + /guests/${guestName};
networking.nftables.firewall = {
zones.untrusted.interfaces = lib.mkIf
(
lib.length config.guests.${guestName}.networking.links == 1
)
config.guests.${guestName}.networking.links;
};
fileSystems = {
"/persist".neededForBoot = true;
} // lib.optionalAttrs withZfs {
"/state".neededForBoot = true;
};
}
"${self}/modules/nixos/optional/microvm-guest.nix"
"${self}/modules/nixos/optional/systemd-networkd-base.nix"
];
microvm = {
system = config.node.arch;
baseMac = config.repo.secrets.local.networking.networks.lan.mac;
interfaces.vlan-services = {
mac = lib.mkForce "02:${lib.substring 3 5 config.guests.${guestName}.microvm.baseMac}:${mkDeviceMac globals.networks.home-lan.vlans.services.hosts."${config.node.name}-${guestName}".id}";
};
};
extraSpecialArgs = {
inherit (inputs.self) nodes;
inherit (inputs.self.pkgs.${config.node.arch}) lib;
inherit inputs outputs minimal;
inherit (inputs) self;
withHomeManager = false;
microVMParent = config.node.name;
globals = inputs.self.globals.${config.node.arch};
};
};
}) else
(_: {
_ = { };
});
overrideTarget = target: {
Unit = {
PartOf = lib.mkForce [ target ];
After = lib.mkForce [ target ];
};
Install.WantedBy = lib.mkForce [ target ];
};
genNginx =
{ serviceAddress
, serviceName
, serviceDomain
, servicePort
, protocol ? "http"
, maxBody ? (-1)
, maxBodyUnit ? ""
, noSslVerify ? false
, proxyWebsockets ? false
, oauth2 ? false
, oauth2Groups ? [ ]
, extraConfig ? ""
, extraConfigLoc ? ""
}: {
upstreams = {
${serviceName} = {
servers = {
"${serviceAddress}:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = {
"${serviceDomain}" = {
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
oauth2 = {
enable = lib.mkIf oauth2 true;
allowedGroups = lib.mkIf (oauth2Groups != [ ]) oauth2Groups;
};
locations = {
"/" = {
proxyPass = "${protocol}://${serviceName}";
proxyWebsockets = lib.mkIf proxyWebsockets true;
extraConfig = lib.optionalString (maxBody != (-1)) ''
client_max_body_size ${builtins.toString maxBody}${maxBodyUnit};
'' + extraConfigLoc;
};
};
extraConfig = lib.optionalString noSslVerify ''
proxy_ssl_verify off;
'' + extraConfig;
};
};
};
};
};
}
#+end_src
*** Packages
:PROPERTIES:
:CUSTOM_ID: h:64a5cc16-6b16-4802-b421-c67ccef853e1
:END:
This is the central station for self-defined packages. These are all referenced in =default.nix=. For scripts that are packaged via =writeShellApplication=, I now keep the executable body directly inside the Nix package definitions. Where a shell block still exists for readability in this document, it is no longer tangled to =files/scripts= and serves as documentation only.
Note: The structure of generating the packages was changed in commit =2cf03a3 refactor: package and module generation=. That commit can be checked out in order to see a simpler version of achieving the same thing.
**** Packages (flake)
:PROPERTIES:
:CUSTOM_ID: h:2803e3ab-b746-46c0-bcc4-051a23185bc3
:END:
#+begin_src nix-ts :tangle pkgs/flake/default.nix
{ self, lib, pkgs, ... }:
let
mkPackages = names: pkgs: builtins.listToAttrs (map
(name: {
inherit name;
value = pkgs.callPackage "${self}/pkgs/flake/${name}" { inherit self name; };
})
names);
packageNames = lib.swarselsystems.readNix "pkgs/flake";
in
mkPackages packageNames pkgs
#+end_src
***** pass-fuzzel
:PROPERTIES:
:CUSTOM_ID: h:4fce458d-7c9c-4bcd-bd90-76b745fe5ce3
:END:
This app allows me, in conjunction with my Yubikey, to quickly enter passwords when the need arises. Normal and TOTP passwords are supported, and they can either be printed directly or copied to the clipboard.
#+begin_src nix-ts :tangle pkgs/flake/pass-fuzzel/default.nix
{ name, writeShellApplication, libnotify, pass, fuzzel, wtype, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ libnotify (pass.withExtensions (exts: [ exts.pass-otp ])) fuzzel wtype ];
text = ''
# Adapted from https://code.kulupu.party/thesuess/home-manager/src/branch/main/modules/river.nix
shopt -s nullglob globstar
otp=0
typeit=0
while :; do
case ''${1:-} in
-t | --type)
typeit=1
;;
-o | --otp)
otp=1
;;
,*) break ;;
esac
shift
done
export PASSWORD_STORE_DIR=~/.local/share/password-store
prefix=''${PASSWORD_STORE_DIR-~/.local/share/password-store}
if [[ $otp -eq 0 ]]; then
password_files=("$prefix"/**/*.gpg)
else
password_files=("$prefix"/otp/**/*.gpg)
fi
password_files=("''${password_files[@]#"$prefix"/}")
password_files=("''${password_files[@]%.gpg}")
password=$(printf '%s\n' "''${password_files[@]}" | fuzzel --dmenu "$@")
[[ -n $password ]] || exit
if [[ $otp -eq 0 ]]; then
if [[ $typeit -eq 0 ]]; then
pass show -c "$password" &> /tmp/pass-fuzzel
else
pass show "$password" | {
IFS= read -r pass
printf %s "$pass"
} | wtype -
fi
else
if [[ $typeit -eq 0 ]]; then
pass otp -c "$password" &> /tmp/pass-fuzzel
else
pass otp "$password" | {
IFS= read -r pass
printf %s "$pass"
} | wtype -
fi
fi
notify-send -u critical -a pass -t 1000 "Copied/Typed Password"
'';
}
#+end_src
***** quickpass
:PROPERTIES:
:CUSTOM_ID: h:62b9c8cd-b585-4e93-8352-2bfa4a76aec9
:END:
This helper types a selected password entry directly into the active window, which is useful in places where clipboard pasting is blocked or inconvenient.
#+begin_src nix-ts :tangle pkgs/flake/quickpass/default.nix
{ name, writeShellApplication, libnotify, pass, wtype, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ libnotify pass wtype ];
text = ''
shopt -s nullglob globstar
notify-send "$(env | grep -E 'WAYLAND|SWAY')"
password="$1"
pass show "$password" | {
IFS= read -r pass
printf %s "$pass"
} | wtype -
notify-send -u critical -a pass -t 1000 "Typed Password"
'';
}
#+end_src
***** cura5
:PROPERTIES:
:CUSTOM_ID: h:799579f3-ddd3-4f76-928a-a8c665980476
:END:
The version of =cura= used to be quite outdated in nixpkgs. I am fetching a newer AppImage here and use that instead.
#+begin_src nix-ts :tangle pkgs/flake/cura5/default.nix
# taken from https://github.com/NixOS/nixpkgs/issues/186570#issuecomment-1627797219
{ appimageTools, fetchurl, writeScriptBin, pkgs, ... }:
let
cura5 = appimageTools.wrapType2 rec {
pname = "cura5";
version = "5.9.0";
src = fetchurl {
url = "https://github.com/Ultimaker/Cura/releases/download/${version}/UltiMaker-Cura-${version}-linux-X64.AppImage";
hash = "sha256-STtVeM4Zs+PVSRO3cI0LxnjRDhOxSlttZF+2RIXnAp4=";
};
extraPkgs = pkgs: with pkgs; [ ];
};
in
writeScriptBin "cura" ''
#! ${pkgs.bash}/bin/bash
# AppImage version of Cura loses current working directory and treats all paths relative to $HOME.
# So we convert each of the files passed as argument to an absolute path.
# This fixes use cases like `cd /path/to/my/files; cura mymodel.stl anothermodel.stl`.
args=()
for a in "$@"; do
if [ -e "$a" ]; then
a="$(realpath "$a")"
fi
args+=("$a")
done
exec "${cura5}/bin/cura5" "''${args[@]}"
''
#+end_src
***** hm-specialisation
:PROPERTIES:
:CUSTOM_ID: h:e6612cff-0804-47ef-9f2b-d2cc6d81a896
:END:
This script allows for quick git home-manager specialisation switching.
#+begin_src nix-ts :tangle pkgs/flake/hm-specialisation/default.nix
{ name, writeShellApplication, fzf, findutils, home-manager, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ fzf findutils home-manager ];
text = ''
genpath=$(home-manager generations | head -1 | awk '{print $7}')
dirs=$(find "$genpath/specialisation" -type l 2>/dev/null; [ -d "$genpath" ] && echo "$genpath")
"$(echo "$dirs" | fzf --prompt="Choose home-manager specialisation to activate")"/activate
'';
}
#+end_src
***** cdw
:PROPERTIES:
:CUSTOM_ID: h:73b14c7a-5444-4fed-b7ac-d65542cdeda3
:END:
This script allows for quick git worktree switching.
#+begin_src nix-ts :tangle pkgs/flake/cdw/default.nix
{ name, writeShellApplication, fzf, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ fzf ];
text = ''
cd "$(git worktree list | fzf | awk '{print $1}')"
'';
}
#+end_src
***** cdb
:PROPERTIES:
:CUSTOM_ID: h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1
:END:
This script allows for quick git branch switching.
#+begin_src nix-ts :tangle pkgs/flake/cdb/default.nix
{ name, writeShellApplication, fzf, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ fzf ];
text = ''
git checkout "$(git branch --list | grep -v "^\*" | fzf | awk '{print $1}')"
'';
}
#+end_src
***** prstatus
:PROPERTIES:
:CUSTOM_ID: h:bc5be0e7-2dab-4185-9a52-eb98afe3159f
:END:
This script allows for quick checking of nixpkgs PR statuses.
#+begin_src nix-ts :tangle pkgs/flake/prstatus/default.nix
{ name, writeShellApplication, curl, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ curl ];
text = ''
curl https://nixpkgs.molybdenum.software/api/v2/landings/"$1"
'';
}
#+end_src
***** bak
:PROPERTIES:
:CUSTOM_ID: h:03b1b77b-3ca8-4a8f-8e28-9f29004d96d3
:END:
This script lets me quickly backup files by appending =.bak= to the filename.
#+begin_src nix-ts :tangle pkgs/flake/bak/default.nix
{ name, writeShellApplication, ... }:
writeShellApplication {
inherit name;
text = ''
cp -r "$1"{,.bak}
'';
}
#+end_src
***** timer
:PROPERTIES:
:CUSTOM_ID: h:3c72d263-411c-44f0-90ff-55f14d4d9d49
:END:
A timer that uses TTS to say something once the timer runs out.
#+begin_src nix-ts :tangle pkgs/flake/timer/default.nix
{ name, writeShellApplication, speechd, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ speechd ];
text = ''
sleep "$1"; while true; do spd-say "$2"; sleep 0.5; done;
'';
}
#+end_src
***** e
:PROPERTIES:
:CUSTOM_ID: h:1834df06-9238-4efa-9af6-851dafe66c68
:END:
This is a shorthand for calling emacsclient mostly. Also, it hides the kittyterm scratchpad window that I sometimes use for calling a command quickly, in case it is on the screen. After emacs closes, the kittyterm window is then shown again if it was visible earlier.
#+begin_src nix-ts :tangle pkgs/flake/e/default.nix
{ name, writeShellApplication, emacs30-pgtk, sway, jq, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ emacs30-pgtk sway jq ];
text = ''
wait=0
while :; do
case ''${1:-} in
-w | --wait)
wait=1
;;
,*) break ;;
esac
shift
done
STR=$(swaymsg -t get_tree | jq -r 'recurse(.nodes[]) | select(.name == "__i3_scratch")' | grep kittyterm || true)
if [ "$STR" == "" ]; then
swaymsg '[title="kittyterm"]' scratchpad show
emacsclient -c -a "" "$@"
swaymsg '[title="kittyterm"]' scratchpad show
else
if [[ $wait -eq 0 ]]; then
emacsclient -n -c -a "" "$@"
else
emacsclient -c -a "" "$@"
fi
fi
'';
}
#+end_src
***** niri-resize
:PROPERTIES:
:CUSTOM_ID: h:82f4f414-749b-4d5a-aaaa-6e3ec15fbc3d
:END:
This helper adjusts focused-column behavior in Niri based on the current tiling state, so single-window layouts become easier to read without manual resizing.
#+begin_src nix-ts :tangle pkgs/flake/niri-resize/default.nix
{ name, writeShellApplication, jq, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ jq ];
text = ''
WORKSPACE=$(niri msg -j workspaces | jq -r '.[] | select(.is_focused == true) | .id')
COUNT=$(niri msg -j windows | jq --argjson ws "$WORKSPACE" -r '.[] | select(.workspace_id == $ws and .is_floating == false) | .app_id' | wc -l)
while [[ $COUNT == "0" || $COUNT == "2" ]]; do
COUNT=$(niri msg -j windows | jq --argjson ws "$WORKSPACE" -r '.[] | select(.workspace_id == $ws and .is_floating == false) | .app_id' | wc -l)
done
if [[ $COUNT == "1" ]]; then
niri msg action maximize-column
fi
'';
}
#+end_src
***** swarselcheck
:PROPERTIES:
:CUSTOM_ID: h:82f4f414-749b-4d5a-aaaa-6e3ec15fbc3d
:END:
This app checks for different apps that I keep around in the scratchpad for quick viewing and hiding (messengers and music players mostly) and then behaves like the kittyterm hider that I described in [[#h:1834df06-9238-4efa-9af6-851dafe66c68][e]].
#+begin_src nix-ts :tangle pkgs/flake/swarselcheck/default.nix
{ name, writeShellApplication, kitty, element-desktop, vesktop, spotify-player, jq, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ kitty element-desktop vesktop spotify-player jq ];
text = ''
kitty=0
element=0
vesktop=0
spotifyplayer=0
while :; do
case ''${1:-} in
-k | --kitty)
kitty=1
;;
-e | --element)
element=1
;;
-d | --vesktop)
vesktop=1
;;
-s | --spotifyplayer)
spotifyplayer=1
;;
,*) break ;;
esac
shift
done
if [[ $kitty -eq 1 ]]; then
STR=$(swaymsg -t get_tree | jq -r 'recurse(.nodes[]) | select(.name == "__i3_scratch")' | grep kittyterm || true)
CHECK=$(swaymsg -t get_tree | grep kittyterm || true)
if [ "$CHECK" == "" ]; then
exec kitty --app-id kittyterm -T kittyterm -o confirm_os_window_close=0 zellij attach --create kittyterm &
sleep 1
fi
if [ "$STR" == "" ]; then
exec swaymsg '[title="kittyterm"]' scratchpad show
else
exec swaymsg '[title="kittyterm"]' scratchpad show
fi
elif [[ $element -eq 1 ]]; then
STR=$(swaymsg -t get_tree | grep Element || true)
if [ "$STR" == "" ]; then
exec element-desktop
else
exec swaymsg '[app_id=Element]' kill
fi
elif [[ $vesktop -eq 1 ]]; then
STR=$(swaymsg -t get_tree | grep vesktop || true)
if [ "$STR" == "" ]; then
exec vesktop
else
exec swaymsg '[app_id=vesktop]' kill
fi
elif [[ $spotifyplayer -eq 1 ]]; then
STR=$(swaymsg -t get_tree | jq -r 'recurse(.nodes[]) | select(.name == "__i3_scratch")' | grep spotifytui || true)
CHECK=$(swaymsg -t get_tree | grep spotifytui || true)
if [ "$CHECK" == "" ]; then
exec kitty --add-id spotifytui -T spotifytui -o confirm_os_window_close=0 spotify_player &
sleep 1
fi
if [ "$STR" == "" ]; then
exec swaymsg '[title="spotifytui"]' scratchpad show
else
exec swaymsg '[title="spotifytui"]' scratchpad show
fi
fi
'';
}
#+end_src
***** swarselcheck-niri
:PROPERTIES:
:CUSTOM_ID: h:96da8360-2d23-4e86-9602-415fbdb972af
:END:
This is the Niri-native variant of my scratchpad toggler: it inspects running windows via Niri JSON state and either spawns or closes the matching helper app.
#+begin_src nix-ts :tangle pkgs/flake/swarselcheck-niri/default.nix
{ self, name, writeShellApplication, kitty, element-desktop, vesktop, spotify-player, jq, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ kitty element-desktop vesktop spotify-player jq ];
text = ''
while :; do
case ''${1:-} in
-k | --kitty)
cmd=(sh -c 'kitty --app-id kittyterm -T kittyterm -o confirm_os_window_close=0 zellij --config ${self}/files/zellij/config-kittyterm.kdl attach --create kittyterm' '&')
searchapp="kittyterm"
;;
-e | --element)
cmd=(element-desktop)
searchapp="Element"
;;
-d | --vesktop)
cmd=(vesktop)
searchapp="vesktop"
;;
-s | --spotifyplayer)
cmd=(sh -c 'kitty --add-id spotifytui -T spotifytui -o confirm_os_window_close=0 spotify_player' '&')
searchapp="spotifytui"
;;
*) break ;;
esac
shift
done
WIN_INFO=$(niri msg -j windows | jq --arg search "$searchapp" '.[] | select (.app_id | test($search)) | { id, is_focused, workspace_id }')
ID=$(echo "$WIN_INFO" | jq -r '.id // empty')
if [ -z "$ID" ]; then
niri msg action spawn -- "''${cmd[@]}"
else
niri msg action close-window --id "$ID"
fi
'';
}
#+end_src
***** swarselzellij
:PROPERTIES:
:CUSTOM_ID: h:564c102c-e335-4f17-a613-c5a436bb4864
:END:
This is a small convenience launcher that opens my preferred terminal multiplexer setup with predictable terminal flags.
#+begin_src nix-ts :tangle pkgs/flake/swarselzellij/default.nix
{ name, writeShellApplication, kitty, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ kitty ];
text = ''
# KITTIES=$(($(pgrep -P 1 kitty | wc -l) - 1))
# if ((KITTIES < 1)); then
# exec kitty -o confirm_os_window_close=0 zellij attach --create main
# else
# exec kitty -o confirm_os_window_close=0 zellij attach --create "temp $KITTIES"
# fi
exec kitty -o confirm_os_window_close=0 zellij
'';
}
#+end_src
***** waybarupdate
:PROPERTIES:
:CUSTOM_ID: h:f93f66f9-6b8b-478e-b139-b2f382c1f25e
:END:
This scripts checks if there are uncommited changes in either my dotfile repo, my university repo, or my passfile repo. In that case a warning will be shown in waybar.
#+begin_src nix-ts :tangle pkgs/flake/waybarupdate/default.nix
{ name, writeShellApplication, git, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ git ];
text = ''
CFG=$(git --git-dir="$HOME"/.dotfiles/.git --work-tree="$HOME"/.dotfiles/ status -s | wc -l)
CSE=$(git --git-dir="$DOCUMENT_DIR_PRIV"/CSE_TUWIEN/.git --work-tree="$DOCUMENT_DIR_PRIV"/CSE_TUWIEN/ status -s | wc -l)
PASS=$(($(git --git-dir="$HOME"/.local/share/password-store/.git --work-tree="$HOME"/.local/share/password-store/ status -s | wc -l) + $(git --git-dir="$HOME"/.local/share/password-store/.git --work-tree="$HOME"/.local/share/password-store/ diff origin/main..HEAD | wc -l)))
if [[ $CFG != 0 ]]; then
CFG_STR='CONFIG'
else
CFG_STR=""
fi
if [[ $CSE != 0 ]]; then
CSE_STR=' CSE'
else
CSE_STR=""
fi
if [[ $PASS != 0 ]]; then
PASS_STR=' PASS'
else
PASS_STR=""
fi
OUT="$CFG_STR""$CSE_STR""$PASS_STR"
echo "$OUT"
'';
}
#+end_src
***** opacitytoggle
:PROPERTIES:
:CUSTOM_ID: h:a1d94db2-837a-40c4-bbd8-81ce847440ee
:END:
This app quickly toggles between 5% and 0% transparency.
#+begin_src nix-ts :tangle pkgs/flake/opacitytoggle/default.nix
{ name, writeShellApplication, sway, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ sway ];
text = ''
if swaymsg opacity plus 0.01 -q; then
swaymsg opacity 1
else
swaymsg opacity 0.95
fi
'';
}
#+end_src
***** fs-diff
:PROPERTIES:
:CUSTOM_ID: h:7c4e41b3-8c1e-4f71-87a6-30d40baed6a0
:END:
This utility is used to compare the current state of the root directory with the blanket state that is stored in /root-blank (the snapshot that is restored on each reboot of an impermanence machine). Using this, I can find files that I will lose once I reboot - if there are important files in that list, I can then easily add them to the persist options.
#+begin_src nix-ts :tangle pkgs/flake/fs-diff/default.nix
{ name, writeShellApplication, ... }:
writeShellApplication {
inherit name;
text = ''
set -euo pipefail
OLD_TRANSID=$(sudo btrfs subvolume find-new /mnt/root-blank 9999999)
OLD_TRANSID=''${OLD_TRANSID#transid marker was }
sudo btrfs subvolume find-new "/mnt/root" "$OLD_TRANSID" |
sed '$d' |
cut -f17- -d' ' |
sort |
uniq |
while read -r path; do
path="/$path"
if [ -L "$path" ]; then
: # The path is a symbolic link, so is probably handled by NixOS already
elif [ -d "$path" ]; then
: # The path is a directory, ignore
else
echo "$path"
fi
done
'';
}
#+end_src
***** github-notifications
:PROPERTIES:
:CUSTOM_ID: h:a9398c4e-4d3b-4942-b03c-192f9c0517e5
:END:
This utility checks if there are updated packages in nixpkgs-unstable. It does so by fully building the most recent configuration, which I do not love, but it has its merits once I am willing to switch to the newer version.
#+begin_src nix-ts :tangle pkgs/flake/github-notifications/default.nix
{ name, writeShellApplication, jq, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ jq ];
text = ''
count=$(curl -u Swarsel:"$(cat "$GITHUB_NOTIFICATION_TOKEN_PATH")" https://api.github.com/notifications | jq '. | length')
if [[ "$count" != "0" ]]; then
echo "{\"text\":\"$count\"}"
fi
'';
}
#+end_src
***** kanshare
:PROPERTIES:
:CUSTOM_ID: h:3981cd16-00c0-4ea8-95e2-c6d8c04ec4e5
:END:
This utility checks if there are updated packages in nixpkgs-unstable. It does so by fully building the most recent configuration, which I do not love, but it has its merits once I am willing to switch to the newer version.
#+begin_src nix-ts :tangle pkgs/flake/kanshare/default.nix
{ name, writeShellApplication, wlr-randr, busybox, wl-mirror, mako, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ wlr-randr busybox wl-mirror mako ];
text = ''
makoctl mode -a do-not-disturb
wlr-randr | grep "$2" | cut -d" " -f1 | xargs -I{} wl-present mirror "$1" --fullscreen-output {}
makoctl mode -r do-not-disturb
'';
}
#+end_src
***** swarsel-bootstrap
:PROPERTIES:
:CUSTOM_ID: h:74db57ae-0bb9-4257-84be-eddbc85130dd
:END:
This program sets up a new NixOS host remotely. It also takes care of secret management on the new host.
#+begin_src nix-ts :tangle pkgs/flake/swarsel-bootstrap/default.nix
{ name, writeShellApplication, openssh, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ openssh ];
text = ''
# highly inspired by https://github.com/EmergentMind/nix-config/blob/dev/files/scripts/bootstrap-nixos.sh
set -eo pipefail
target_hostname=""
target_destination=""
target_arch=""
target_user="swarsel"
ssh_port="22"
persist_dir=""
disk_encryption=0
disk_encryption_args=""
no_disko_deps="false"
temp=$(mktemp -d)
function help_and_exit() {
echo
echo "Remotely installs SwarselSystem on a target machine including secret deployment."
echo
echo "USAGE: $0 -n -d [OPTIONS]"
echo
echo "ARGS:"
echo " -n specify target_hostname of the target host to deploy the nixos config on."
echo " -d specify ip or url to the target host."
echo " -a specify the architecture of the target host."
echo " target during install process."
echo
echo "OPTIONS:"
echo " -u specify target_user with sudo access. nix-config will be cloned to their home."
echo " Default=''${target_user}."
echo " --port specify the ssh port to use for remote access. Default=''${ssh_port}."
echo " --debug Enable debug mode."
echo " --no-disko-deps Upload only disk script and not dependencies (for use on low ram)."
echo " -h | --help Print this help."
exit 0
}
function cleanup() {
rm -rf "$temp"
rm -rf /tmp/disko-password
}
trap cleanup exit
function red() {
echo -e "\x1B[31m[!] $1 \x1B[0m"
if [ -n "''${2-}" ]; then
echo -e "\x1B[31m[!] $($2) \x1B[0m"
fi
}
function green() {
echo -e "\x1B[32m[+] $1 \x1B[0m"
if [ -n "''${2-}" ]; then
echo -e "\x1B[32m[+] $($2) \x1B[0m"
fi
}
function yellow() {
echo -e "\x1B[33m[*] $1 \x1B[0m"
if [ -n "''${2-}" ]; then
echo -e "\x1B[33m[*] $($2) \x1B[0m"
fi
}
function yes_or_no() {
echo -en "\x1B[32m[+] $* [y/n] (default: y): \x1B[0m"
while true; do
read -rp "" yn
yn=''${yn:-y}
case $yn in
[Yy]*) return 0 ;;
[Nn]*) return 1 ;;
esac
done
}
function update_sops_file() {
key_name=$1
key_type=$2
key=$3
if [ ! "$key_type" == "hosts" ] && [ ! "$key_type" == "users" ]; then
red "Invalid key type passed to update_sops_file. Must be either 'hosts' or 'users'."
exit 1
fi
cd "''${git_root}"
SOPS_FILE=".sops.yaml"
sed -i "{
# Remove any * and & entries for this host
/[*&]$key_name/ d;
# Inject a new age: entry
# n matches the first line following age: and p prints it, then we transform it while reusing the spacing
/age:/{n; p; s/\(.*- \*\).*/\1$key_name/};
# Inject a new hosts or user: entry
/&$key_type/{n; p; s/\(.*- &\).*/\1$key_name $key/}
}" $SOPS_FILE
green "Updating .sops.yaml"
cd -
}
while [[ $# -gt 0 ]]; do
case "$1" in
-n)
shift
target_hostname=$1
;;
-d)
shift
target_destination=$1
;;
-a)
shift
target_arch=$1
;;
-u)
shift
target_user=$1
;;
--port)
shift
ssh_port=$1
;;
--no-disko-deps)
no_disko_deps="true"
;;
--debug)
set -x
;;
-h | --help) help_and_exit ;;
,*)
echo "Invalid option detected."
help_and_exit
;;
esac
shift
done
if [[ $target_arch == "" || $target_destination == "" || $target_hostname == "" ]]; then
red "error: target_arch, target_destination or target_hostname not set."
help_and_exit
fi
LOCKED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.node.lockFromBootstrapping)"
if [[ $LOCKED == "true" ]]; then
red "THIS SYSTEM IS LOCKED FROM BOOTSTRAPPING - set 'node.lockFromBootstrapping = lib.mkForce false;' to proceed"
exit
fi
green "~SwarselSystems~ remote installer"
green "Reading system information for $target_hostname ..."
DISK="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)"
green "Root Disk: $DISK"
CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isCrypted)"
if [[ $CRYPTED == "true" ]]; then
green "Encryption: ✓"
disk_encryption=1
disk_encryption_args=(
--disk-encryption-keys
/tmp/disko-password
/tmp/disko-password
)
else
red "Encryption: X"
disk_encryption=0
fi
IMPERMANENCE="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isImpermanence)"
if [[ $IMPERMANENCE == "true" ]]; then
green "Impermanence: ✓"
persist_dir="/persist"
else
red "Impermanence: X"
persist_dir=""
fi
SWAP="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSwap)"
if [[ $SWAP == "true" ]]; then
green "Swap: ✓"
else
red "Swap: X"
fi
SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)"
if [[ $SECUREBOOT == "true" ]]; then
green "Secure Boot: ✓"
else
red "Secure Boot: X"
fi
ssh_cmd="ssh -oport=''${ssh_port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -t $target_user@$target_destination"
# ssh_root_cmd=$(echo "$ssh_cmd" | sed "s|''${target_user}@|root@|") # uses @ in the sed switch to avoid it triggering on the $ssh_key value
ssh_root_cmd=''${ssh_cmd/''${target_user}@/root@}
scp_cmd="scp -oport=''${ssh_port} -o StrictHostKeyChecking=no"
if [[ -z ''${FLAKE} ]]; then
FLAKE=/home/"$target_user"/.dotfiles
fi
if [ ! -d "$FLAKE" ]; then
cd /home/"$target_user"
yellow "Flake directory not found - cloning repository from GitHub"
git clone git@github.com:Swarsel/.dotfiles.git || (yellow "Could not clone repository via SSH - defaulting to HTTPS" && git clone https://github.com/Swarsel/.dotfiles.git)
FLAKE=/home/"$target_user"/.dotfiles
fi
cd "$FLAKE"
rm install/flake.lock || true
git_root=$(git rev-parse --show-toplevel)
# ------------------------
green "Wiping known_hosts of $target_destination"
sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
# ------------------------
green "Preparing a new ssh_host_ed25519_key pair for $target_hostname."
# Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/$persist_dir/etc/ssh"
# Generate host ssh key pair without a passphrase
ssh-keygen -t ed25519 -f "$temp/$persist_dir/etc/ssh/ssh_host_ed25519_key" -C root@"$target_hostname" -N ""
# Set the correct permissions so sshd will accept the key
chmod 600 "$temp/$persist_dir/etc/ssh/ssh_host_ed25519_key"
echo "Adding ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
# This will fail if we already know the host, but that's fine
ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
# ------------------------
# when using luks, disko expects a passphrase on /tmp/disko-password, so we set it for now and will update the passphrase later
# via the config
if [ "$disk_encryption" -eq 1 ]; then
while true; do
green "Set disk encryption passphrase:"
read -rs luks_passphrase
green "Please confirm passphrase:"
read -rs luks_passphrase_confirm
if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
echo "$luks_passphrase" > /tmp/disko-password
$ssh_root_cmd "echo '$luks_passphrase' > /tmp/disko-password"
break
else
red "Passwords do not match"
fi
done
fi
# ------------------------
green "Generating hardware-config.nix for $target_hostname and adding it to the nix-config."
$ssh_root_cmd "nixos-generate-config --force --no-filesystems --root /mnt"
mkdir -p "$FLAKE"/hosts/nixos/"$target_arch"/"$target_hostname"
$scp_cmd root@"$target_destination":/mnt/etc/nixos/hardware-configuration.nix "''${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix
# ------------------------
green "Generating hostkey for ssh initrd"
$ssh_root_cmd "mkdir -p $temp/etc/secrets/initrd /etc/secrets/initrd"
$ssh_root_cmd "ssh-keygen -t ed25519 -N '''' -f $temp/etc/secrets/initrd/ssh_host_ed25519_key"
$ssh_root_cmd "cp $temp/etc/secrets/initrd/ssh_host_ed25519_key /etc/secrets/initrd/ssh_host_ed25519_key"
# ------------------------
green "Deploying minimal NixOS installation on $target_destination"
if [[ $no_disko_deps == "true" ]]; then
green "Building without disko dependencies (using custom kexec)"
nix run github:nix-community/nixos-anywhere/1.10.0 -- "''${disk_encryption_args[@]}" --no-disko-deps --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" --kexec "$(nix build --print-out-paths .#packages."$target_arch".swarsel-kexec)/swarsel-kexec-$target_arch.tar.gz" root@"$target_destination"
else
green "Building with disko dependencies (using nixos-images kexec)"
nix run github:nix-community/nixos-anywhere/1.10.0 -- "''${disk_encryption_args[@]}" --ssh-port "$ssh_port" --extra-files "$temp" --flake ./install#"$target_hostname" root@"$target_destination"
fi
echo "Updating ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
# ------------------------
while true; do
read -rp "Press Enter to continue once the remote host has finished booting."
if nc -z "$target_destination" "''${ssh_port}" 2> /dev/null; then
green "$target_destination is booted. Continuing..."
break
else
yellow "$target_destination is not yet ready."
fi
done
# ------------------------
if [[ $SECUREBOOT == "true" ]]; then
green "Setting up secure boot keys"
$ssh_root_cmd "mkdir -p /var/lib/sbctl"
read -ra scp_call <<< "''${scp_cmd}"
sudo "''${scp_call[@]}" -r /var/lib/sbctl root@"$target_destination":/var/lib/
$ssh_root_cmd "sbctl enroll-keys --ignore-immutable --microsoft || true"
fi
# ------------------------
if [ -n "$persist_dir" ]; then
$ssh_root_cmd "cp /etc/machine-id $persist_dir/etc/machine-id || true"
$ssh_root_cmd "cp -R /etc/ssh/ $persist_dir/etc/ssh/ || true"
fi
# ------------------------
green "Generating an age key based on the new ssh_host_ed25519_key."
target_key=$(
ssh-keyscan -p "$ssh_port" -t ssh-ed25519 "$target_destination" 2>&1 |
grep ssh-ed25519 |
cut -f2- -d" " ||
(
red "Failed to get ssh key. Host down?"
exit 1
)
)
host_age_key=$(nix shell nixpkgs#ssh-to-age.out -c sh -c "echo $target_key | ssh-to-age")
if grep -qv '^age1' <<< "$host_age_key"; then
red "The result from generated age key does not match the expected format."
yellow "Result: $host_age_key"
yellow "Expected format: age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
exit 1
else
echo "$host_age_key"
fi
green "Updating nix-secrets/.sops.yaml"
update_sops_file "$target_hostname" "hosts" "$host_age_key"
yellow ".sops.yaml has been updated. There may be superfluous entries, you might need to edit manually."
if yes_or_no "Do you want to manually edit .sops.yaml now?"; then
vim "''${git_root}"/.sops.yaml
fi
green "Updating all secrets files to reflect updates .sops.yaml"
sops updatekeys --yes --enable-local-keyservice "''${git_root}"/hosts/nixos/"$target_arch"/"$target_hostname"/secrets/* || true
# --------------------------
green "Making ssh_host_ed25519_key available to home-manager for user $target_user"
sed -i "/$target_hostname/d; /$target_destination/d" ~/.ssh/known_hosts
$ssh_root_cmd "mkdir -p /home/$target_user/.ssh; chown -R $target_user:users /home/$target_user/.ssh/"
$scp_cmd root@"$target_destination":/etc/ssh/ssh_host_ed25519_key root@"$target_destination":/home/"$target_user"/.ssh/ssh_host_ed25519_key
$ssh_root_cmd "chown $target_user:users /home/$target_user/.ssh/ssh_host_ed25519_key"
# __________________________
if yes_or_no "Add ssh host fingerprints for git upstream repositories? (This is needed for building the full config)"; then
green "Adding ssh host fingerprints for git{lab,hub}"
$ssh_cmd "mkdir -p /home/$target_user/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /home/$target_user/.ssh/known_hosts"
$ssh_root_cmd "mkdir -p /root/.ssh/; ssh-keyscan -t ssh-ed25519 gitlab.com github.com | tee /root/.ssh/known_hosts"
fi
# --------------------------
if yes_or_no "Do you want to copy your full nix-config and nix-secrets to $target_hostname?"; then
green "Adding ssh host fingerprint at $target_destination to ~/.ssh/known_hosts"
ssh-keyscan -p "$ssh_port" "$target_destination" >> ~/.ssh/known_hosts || true
green "Copying full nix-config to $target_hostname"
cd "''${git_root}"
just sync "$target_user" "$target_destination"
if [ -n "$persist_dir" ]; then
$ssh_root_cmd "cp -r /home/$target_user/.dotfiles $persist_dir/.dotfiles || true"
$ssh_root_cmd "cp -r /home/$target_user/.ssh $persist_dir/.ssh || true"
fi
if yes_or_no "Do you want to rebuild immediately?"; then
green "Building nix-config for $target_hostname"
# yellow "Reminder: The password is 'setup'"
$ssh_root_cmd "mkdir -p /root/.local/share/nix/; printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | tee /root/.local/share/nix/trusted-settings.json"
# $ssh_cmd -oForwardAgent=yes "cd .dotfiles && sudo nixos-rebuild --show-trace --flake .#$target_hostname switch"
store_path=$(nix build --no-link --print-out-paths .#nixosConfigurations."$target_hostname".config.system.build.toplevel)
green "Copying generation to $target_hostname"
nix copy --to "ssh://root@$target_destination" "$store_path"
# prev_system=$($ssh_root_cmd " readlink -e /nix/var/nix/profiles/system")
green "Linking generation in bootloader"
$ssh_root_cmd "/run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set $store_path"
green "Setting generation to activate upon next boot"
$ssh_root_cmd "$store_path/bin/switch-to-configuration boot"
else
echo
green "NixOS was successfully installed!"
echo "Post-install config build instructions:"
echo "To copy nix-config from this machine to the $target_hostname, run the following command from ~/nix-config"
echo "just sync $target_user $target_destination"
echo "To rebuild, sign into $target_hostname and run the following command from ~/nix-config"
echo "cd nix-config"
# see above FIXME:(bootstrap)
echo "sudo nixos-rebuild .pre-commit-config.yaml show-trace --flake .#$target_hostname switch"
# echo "just rebuild"
echo
fi
fi
green "NixOS was successfully installed!"
if yes_or_no "You can now commit and push the nix-config, which includes the hardware-configuration.nix for $target_hostname?"; then
cd "''${git_root}"
deadnix hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix -qe
nixpkgs--fmt hosts/nixos/"$target_arch"/"$target_hostname"/hardware-configuration.nix
(.pre-commit-config.yaml mit run --all-files 2> /dev/null || true) &&
git add "$git_root/hosts/nixos/$target_arch/$target_hostname/hardware-configuration.nix" &&
git add "$git_root/.sops.yaml" &&
git add "$git_root/secrets" &&
(git commit -m "feat: deployed $target_hostname" || true) && git push
fi
if yes_or_no "Reboot now?"; then
$ssh_root_cmd "reboot"
fi
rm -rf /tmp/disko-password
'';
}
#+end_src
***** swarsel-rebuild
:PROPERTIES:
:CUSTOM_ID: h:1eabdc59-8832-44ca-a22b-11f848ab150a
:END:
This script is a local fallback bootstrap path: it prepares a buildable clone on a target machine and installs a selected host generation for demonstration or recovery scenarios.
#+begin_src nix-ts :tangle pkgs/flake/swarsel-rebuild/default.nix
{ name, writeShellApplication, git, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ git ];
text = ''
set -eo pipefail
target_config="hotel"
target_arch=""
target_user="swarsel"
function help_and_exit() {
echo
echo "Builds SwarselSystem configuration."
echo
echo "USAGE: $0 [OPTIONS]"
echo
echo "ARGS:"
echo " -n specify nixos config to build."
echo " Default: hotel"
echo " -u specify user to deploy for."
echo " Default: swarsel"
echo " -a specify target architecture."
echo " -h | --help Print this help."
exit 0
}
function red() {
echo -e "\x1B[31m[!] $1 \x1B[0m"
if [ -n "''${2-}" ]; then
echo -e "\x1B[31m[!] $($2) \x1B[0m"
fi
}
function green() {
echo -e "\x1B[32m[+] $1 \x1B[0m"
if [ -n "''${2-}" ]; then
echo -e "\x1B[32m[+] $($2) \x1B[0m"
fi
}
function yellow() {
echo -e "\x1B[33m[*] $1 \x1B[0m"
if [ -n "''${2-}" ]; then
echo -e "\x1B[33m[*] $($2) \x1B[0m"
fi
}
while [[ $# -gt 0 ]]; do
case "$1" in
-n)
shift
target_config=$1
;;
-a)
shift
target_arch=$1
;;
-u)
shift
target_user=$1
;;
-h | --help) help_and_exit ;;
,*)
echo "Invalid option detected."
help_and_exit
;;
esac
shift
done
if [[ $target_arch == "" ]]; then
red "error: target_arch not set."
help_and_exit
fi
cd /home/"$target_user"
if [ ! -d /home/"$target_user"/.dotfiles ]; then
green "Cloning repository from GitHub"
git clone https://github.com/Swarsel/.dotfiles.git
else
red "A .dotfiles repository is in the way. Please (re-)move the repository and try again."
exit 1
fi
local_keys=$(ssh-add -L || true)
pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
read -ra pub_arr <<< "$pub_key"
cd .dotfiles
if [[ $local_keys != *"''${pub_arr[1]}"* ]]; then
yellow "The ssh key for this configuration is not available."
green "Adjusting flake.nix so that the configuration is buildable"
sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix
sed -i '/vbc-nix = {/,/^[[:space:]]*};/d' flake.nix
sed -i '/[[:space:]]*\/\/ (inputs.vbc-nix.overlays.default final prev)/d' overlays/default.nix
rm modules/home/common/env.nix
rm modules/home/common/gammastep.nix
rm modules/home/common/git.nix
rm modules/home/common/mail.nix
rm modules/home/common/yubikey.nix
rm modules/nixos/server/restic.nix
rm hosts/nixos/aarch64-linux/milkywell/default.nix
rm -rf modules/nixos/server
rm -rf modules/home/server
nix flake update vbc-nix
git add .
else
green "Valid SSH key found! Continuing with installation"
fi
sudo nixos-generate-config --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/
git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/hardware-configuration.nix
green "Installing flake $target_config"
sudo nixos-rebuild --show-trace --flake .#"$target_config" boot
yellow "Please keep in mind that this is only a demo of the configuration. Things might break unexpectedly."
'';
}
#+end_src
***** swarsel-install
:PROPERTIES:
:CUSTOM_ID: h:fbd8aaf2-9dca-4ca3-aca1-19d0d188a435
:END:
Autoformatting always puts the =EOF= with indentation, which makes shfmt check fail. When editing this block, unindent them manually.
#+begin_src nix-ts :tangle pkgs/flake/swarsel-install/default.nix
{ name, writeShellApplication, git, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ git ];
text = ''
set -eo pipefail
target_config="hotel"
target_hostname="hotel"
target_user="swarsel"
target_arch=""
persist_dir=""
target_disk="/dev/vda"
disk_encryption=0
function help_and_exit() {
echo
echo "Locally installs SwarselSystem on this machine."
echo
echo "USAGE: $0 -n -d [OPTIONS]"
echo
echo "ARGS:"
echo " -n specify the nixos config to deploy."
echo " Default: hotel"
echo " -d specify disk to install on."
echo " Default: /dev/vda"
echo " -u specify user to deploy for."
echo " Default: swarsel"
echo " -a specify target architecture."
echo " -h | --help Print this help."
exit 0
}
function red() {
echo -e "\x1B[31m[!] $1 \x1B[0m"
if [ -n "''${2-}" ]; then
echo -e "\x1B[31m[!] $($2) \x1B[0m"
fi
}
function green() {
echo -e "\x1B[32m[+] $1 \x1B[0m"
if [ -n "''${2-}" ]; then
echo -e "\x1B[32m[+] $($2) \x1B[0m"
fi
}
function yellow() {
echo -e "\x1B[33m[*] $1 \x1B[0m"
if [ -n "''${2-}" ]; then
echo -e "\x1B[33m[*] $($2) \x1B[0m"
fi
}
while [[ $# -gt 0 ]]; do
case "$1" in
-n)
shift
target_config=$1
target_hostname=$1
;;
-u)
shift
target_user=$1
;;
-d)
shift
target_disk=$1
;;
-a)
shift
target_arch=$1
;;
-h | --help) help_and_exit ;;
,*)
echo "Invalid option detected."
help_and_exit
;;
esac
shift
done
function cleanup() {
sudo rm -rf .cache/nix
sudo rm -rf /root/.cache/nix
}
trap cleanup exit
if [[ $target_arch == "" || $target_hostname == "" ]]; then
red "error: target_arch or target_hostname not set."
help_and_exit
fi
green "~SwarselSystems~ local installer"
cd /home/"$target_user"
sudo rm -rf /root/.cache/nix
sudo rm -rf .cache/nix
sudo rm -rf .dotfiles
green "Cloning repository from GitHub"
git clone https://github.com/Swarsel/.dotfiles.git
local_keys=$(ssh-add -L || true)
pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/public/ssh/yubikey.pub)
read -ra pub_arr <<< "$pub_key"
cd .dotfiles
if [[ $local_keys != *"''${pub_arr[1]}"* ]]; then
yellow "The ssh key for this configuration is not available."
green "Adjusting flake.nix so that the configuration is buildable ..."
sed -i '/vbc-nix = {/,/^[[:space:]]*};/d' flake.nix
sed -i '/[[:space:]]*\/\/ (inputs.vbc-nix.overlays.default final prev)/d' overlays/default.nix
nix flake update vbc-nix
git add .
else
green "Valid SSH key found! Continuing with installation"
fi
green "Reading system information for $target_config ..."
DISK="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)"
green "Root Disk in config: $DISK - Root Disk passed in cli: $target_disk"
CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isCrypted)"
if [[ $CRYPTED == "true" ]]; then
green "Encryption: ✓"
disk_encryption=1
else
red "Encryption: X"
disk_encryption=0
fi
IMPERMANENCE="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isImpermanence)"
if [[ $IMPERMANENCE == "true" ]]; then
green "Impermanence: ✓"
persist_dir="/persist"
else
red "Impermanence: X"
persist_dir=""
fi
SWAP="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSwap)"
if [[ $SWAP == "true" ]]; then
green "Swap: ✓"
else
red "Swap: X"
fi
SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)"
if [[ $SECUREBOOT == "true" ]]; then
green "Secure Boot: ✓"
else
red "Secure Boot: X"
fi
if [ "$disk_encryption" -eq 1 ]; then
while true; do
green "Set disk encryption passphrase:"
read -rs luks_passphrase
green "Please confirm passphrase:"
read -rs luks_passphrase_confirm
if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then
echo "$luks_passphrase" > /tmp/disko-password
break
else
red "Passwords do not match"
fi
done
fi
green "Setting up disk ..."
if [[ $target_config == "hotel" ]]; then
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/v1.10.0 -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks --arg diskDevice "$target_disk"
else
sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks
fi
sudo mkdir -p /mnt/"$persist_dir"/home/"$target_user"/
sudo cp -r /home/"$target_user"/.dotfiles /mnt/"$persist_dir"/home/"$target_user"/
sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user"
green "Generating hardware configuration ..."
sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/
git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_arch"/"$target_config"/hardware-configuration.nix
sudo mkdir -p /root/.local/share/nix/
printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null
green "Installing flake $target_config"
store_path=$(nix build --no-link --print-out-paths .#nixosConfigurationsMinimal."$target_config".config.system.build.toplevel)
green "Linking generation in bootloader"
sudo "/run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set $store_path"
green "Setting generation to activate upon next boot"
sudo "$store_path/bin/switch-to-configuration boot"
green "Installation finished! Reboot to see changes"
'';
}
#+end_src
***** swarsel-postinstall
:PROPERTIES:
:CUSTOM_ID: h:c98a7615-e5da-4f47-8ed1-2b2ea65519e9
:END:
This post-install helper applies host-specific finishing steps after the initial deployment, most notably secure-boot key enrollment and a first full rebuild.
#+begin_src nix-ts :tangle pkgs/flake/swarsel-postinstall/default.nix
{ name, writeShellApplication, git, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ git ];
text = ''
set -eo pipefail
target_config="hotel"
target_user="swarsel"
function help_and_exit() {
echo
echo "Locally installs SwarselSystem on this machine."
echo
echo "USAGE: $0 -d [OPTIONS]"
echo
echo "ARGS:"
echo " -d specify disk to install on."
echo " -n specify the nixos config to deploy."
echo " Default: hotel"
echo " Default: hotel"
echo " -u specify user to deploy for."
echo " Default: swarsel"
echo " -h | --help Print this help."
exit 0
}
function green() {
echo -e "\x1B[32m[+] $1 \x1B[0m"
if [ -n "''${2-}" ]; then
echo -e "\x1B[32m[+] $($2) \x1B[0m"
fi
}
while [[ $# -gt 0 ]]; do
case "$1" in
-n)
shift
target_config=$1
;;
-u)
shift
target_user=$1
;;
-h | --help) help_and_exit ;;
,*)
echo "Invalid option detected."
help_and_exit
;;
esac
shift
done
function cleanup() {
sudo rm -rf .cache/nix
sudo rm -rf /root/.cache/nix
}
trap cleanup exit
sudo rm -rf .cache/nix
sudo rm -rf /root/.cache/nix
green "~SwarselSystems~ remote post-installer"
cd /home/"$target_user"/.dotfiles
SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_config".config.swarselsystems.isSecureBoot)"
if [[ $SECUREBOOT == "true" ]]; then
green "Setting up secure boot keys"
sudo mkdir -p /var/lib/sbctl
sbctl create-keys || true
sbctl enroll-keys --ignore-immutable --microsoft || true
fi
sudo nixos-rebuild --flake .#"$target_config" switch
green "Post-install finished!"
'';
}
#+end_src
***** t2ts
:PROPERTIES:
:CUSTOM_ID: h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1
:END:
Small convenience conversion from a human-readable timestamp to Unix epoch seconds.
#+begin_src nix-ts :tangle pkgs/flake/t2ts/default.nix
{ name, writeShellApplication, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ ];
text = ''
date -d"$1" +%s
'';
}
#+end_src
***** ts2t
:PROPERTIES:
:CUSTOM_ID: h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1
:END:
Inverse helper for [[#h:5ad99997-e54c-4f0b-9ab7-15f76b1e16e1][t2ts]]: converts Unix epoch values back into a readable date/time representation.
#+begin_src nix-ts :tangle pkgs/flake/ts2t/default.nix
{ name, writeShellApplication, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ ];
text = ''
date -d @"$1" 2>/dev/null || date -r "$1"
'';
}
#+end_src
***** vershell
:PROPERTIES:
:CUSTOM_ID: h:7806b129-a4a5-4d10-af27-6cbeafbcb294
:END:
Quick utility to open an ephemeral shell from an explicitly selected nixpkgs revision and package.
#+begin_src nix-ts :tangle pkgs/flake/vershell/default.nix
{ name, writeShellApplication, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ ];
text = ''
nix shell github:nixos/nixpkgs/"$1"#"$2";
'';
}
#+end_src
***** eontimer
:PROPERTIES:
:CUSTOM_ID: h:9fda7829-09a4-4b8f-86f6-08b078ab2874
:END:
A derivation for eontimer :)
#+begin_src nix-ts :tangle pkgs/flake/eontimer/default.nix
{ lib
, python3
, fetchFromGitHub
, makeDesktopItem
, writeShellScript
, ...
}:
let
wrapper = writeShellScript "eontimer-wrapper" ''
export QT_QPA_PLATFORM=xcb
exec @out@/bin/EonTimer
'';
in
python3.pkgs.buildPythonApplication rec {
pname = "eontimer";
version = "3.0.0-rc.6";
pyproject = true;
src = fetchFromGitHub {
owner = "DasAmpharos";
repo = "EonTimer";
rev = version;
hash = "sha256-+XN/VGGlEg2gVncRZrWDOZ2bfxt8xyIu22F2wHlG6YI=";
};
build-system = [
python3.pkgs.setuptools
python3.pkgs.wheel
];
dependencies = with python3.pkgs; [
altgraph
certifi
charset-normalizer
idna
libsass
macholib
packaging
pillow
pipdeptree
platformdirs
pyinstaller
pyinstaller-hooks-contrib
pyside6
requests
setuptools
shiboken6
urllib3
];
nativeBuildInputs = [
python3.pkgs.pyinstaller
];
buildPhase = ''
runHook preBuild
pyinstaller --clean --noconfirm EonTimer.spec
runHook postBuild
'';
installPhase = ''
runHook preInstall
mkdir -p $out/bin
mkdir -p $out/share/applications
cp dist/EonTimer $out/bin/
install -Dm755 -T ${wrapper} $out/bin/eontimer
substituteInPlace $out/bin/eontimer --subst-var out
runHook postInstall
'';
postInstall = ''
install -Dm755 -t $out/share/applications ${
makeDesktopItem {
name = "eontimer";
desktopName = "EonTimer";
comment = "Start EonTimer";
exec = "eontimer";
}
}/share/applications/eontimer.desktop
'';
meta = {
description = "Pokémon RNG Timer";
homepage = "https://github.com/DasAmpharos/EonTimer";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ ];
mainProgram = "eon-timer";
};
}
#+end_src
***** project
:PROPERTIES:
:CUSTOM_ID: h:154b6df4-dd50-4f60-9794-05a140d02994
:END:
This helper bootstraps a new project directory by initializing git, applying one of my flake templates, and immediately allowing direnv.
#+begin_src nix-ts :tangle pkgs/flake/project/default.nix
{ name, writeShellApplication, ... }:
writeShellApplication {
inherit name;
text = ''
set -euo pipefail
if [ ! -d "$(pwd)/.git" ]; then
git init
fi
nix flake init --template "$FLAKE"#"$1"
direnv allow
'';
}
#+end_src
***** fhs
:PROPERTIES:
:CUSTOM_ID: h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0
:END:
General-purpose FHS development shell wrapper for tools that still assume a traditional Linux filesystem layout.
#+begin_src nix-ts :tangle pkgs/flake/fhs/default.nix
{ name, pkgs, ... }:
let
base = pkgs.appimageTools.defaultFhsEnvArgs;
in
pkgs.buildFHSEnv (base // {
inherit name;
targetPkgs = pkgs: (base.targetPkgs pkgs) ++ [ pkgs.pkg-config ];
profile = "export FHS=1";
runScript = "zsh";
extraOutputsToInstall = [ "dev" ];
})
#+end_src
***** swarsel-displaypower
:PROPERTIES:
:CUSTOM_ID: h:814d5e7f-4b95-412d-b246-33f888514ec6
:END:
A crude script to power on all displays that might be attached. Needed because sometimes displays do not awake from sleep.
#+begin_src nix-ts :tangle pkgs/flake/swarsel-displaypower/default.nix
{ name, writeShellApplication, sway, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ sway ];
text = ''
swaymsg "output * power on" > /dev/null 2>&1 || true
swaymsg "output * dpms on" > /dev/null 2>&1 || true
'';
}
#+end_src
***** swarsel-mgba
:PROPERTIES:
:CUSTOM_ID: h:799579f3-ddd3-4f76-928a-a8c665980476
:END:
AppImage version of mgba in which the lua scripting works.
#+begin_src nix-ts :tangle pkgs/flake/swarsel-mgba/default.nix
{ appimageTools, fetchurl, ... }:
let
pname = "mgba";
version = "0.10.4";
src = fetchurl {
url = "https://github.com/mgba-emu/mgba/releases/download/${version}/mGBA-${version}-appimage-x64.appimage";
hash = "sha256-rDihDfuA8DqxvCe6UeavCzpjeU+fSqUbFnyTNC2dc1I=";
};
appimageContents = appimageTools.extractType2 { inherit pname version src; };
in
appimageTools.wrapType2 {
inherit pname version src;
extraInstallCommands = ''
install -Dm444 ${appimageContents}/io.mgba.mGBA.desktop -t $out/share/applications
substituteInPlace $out/share/applications/io.mgba.mGBA.desktop \
--replace-fail 'Exec=mgba-qt %f' 'Exec=mgba'
cp -r ${appimageContents}/usr/share/icons $out/share
'';
}
#+end_src
***** swarsel-deploy
:PROPERTIES:
:CUSTOM_ID: h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e
:END:
Remote deployment helper that builds one or more hosts, copies closures, activates the selected action, and prints diffs for quick review.
#+begin_src nix-ts :tangle pkgs/flake/swarsel-deploy/default.nix
# heavily inspired from https://github.com/oddlama/nix-config/blob/d42cbde676001a7ad8a3cace156e050933a4dcc3/pkgs/deploy.nix
{ name, bc, nix-output-monitor, writeShellApplication, ... }:
writeShellApplication {
runtimeInputs = [ bc nix-output-monitor ];
inherit name;
text = ''
set -euo pipefail
shopt -s lastpipe # allow cmd | readarray
function die() {
echo "error: $*" >&2
exit 1
}
function show_help() {
echo 'Usage: deploy [OPTIONS] [ACTION]'
echo "Builds, pushes and activates nixosConfigurations on target systems."
echo ""
echo 'ACTION:'
echo ' switch [default] Switch immediately to the new configuration and make it the boot default'
echo ' boot Make the configuration the new boot default'
echo " test Activate the configuration but don't make it the boot default"
echo " dry-activate Don't activate, just show what would be done"
echo ""
echo 'OPTIONS: [passed to nix build]'
}
function time_start() {
T_START=$(date +%s.%N)
}
function time_next() {
T_END=$(date +%s.%N)
T_LAST=$(${bc}/bin/bc <<< "scale=1; ($T_END - $T_START)/1")
T_START="$T_END"
}
USER_FLAKE_DIR=$(git rev-parse --show-toplevel 2> /dev/null || pwd) ||
die "Could not determine current working directory. Something went very wrong."
[[ -e "$USER_FLAKE_DIR/flake.nix" ]] ||
die "Could not determine location of your project's flake.nix. Please run this at or below your main directory containing the flake.nix."
cd "$USER_FLAKE_DIR"
[[ $# -gt 0 ]] || {
show_help
exit 1
}
OPTIONS=()
POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do
case "$1" in
"help" | "--help" | "-help" | "-h")
show_help
exit 1
;;
-*) OPTIONS+=("$1") ;;
*) POSITIONAL_ARGS+=("$1") ;;
esac
shift
done
[[ ''${#POSITIONAL_ARGS[@]} -ge 1 ]] ||
die "Missing argument: "
[[ ''${#POSITIONAL_ARGS[@]} -le 2 ]] ||
die "Too many arguments given."
tr , '\n' <<< "''${POSITIONAL_ARGS[0]}" | sort -u | readarray -t HOSTS
ACTION="''${POSITIONAL_ARGS[1]-switch}"
# Expand flake paths for hosts definitions
declare -A TOPLEVEL_FLAKE_PATHS
for host in "''${HOSTS[@]}"; do
TOPLEVEL_FLAKE_PATHS["$host"]=".#nixosConfigurations.$host.config.system.build.toplevel"
done
time_start
# Get outputs of all derivations (should be cached)
declare -A TOPLEVEL_STORE_PATHS
for host in "''${HOSTS[@]}"; do
toplevel="''${TOPLEVEL_FLAKE_PATHS["$host"]}"
# Make sudo call to get prompt out of the way
sudo echo "�[1;36m Building �[m📦 �[34m$host�[m"
nix build --no-link "''${OPTIONS[@]}" --show-trace --log-format internal-json -v "$toplevel" |& ${nix-output-monitor}/bin/nom --json ||
die "Failed to get derivation path for $host from ''${TOPLEVEL_FLAKE_PATHS["$host"]}"
TOPLEVEL_STORE_PATHS["$host"]=$(nix build --no-link --print-out-paths "''${OPTIONS[@]}" "$toplevel")
time_next
echo "�[1;32m Built �[m✅ �[34m$host�[m �[33m''${TOPLEVEL_STORE_PATHS["$host"]}�[m �[90min ''${T_LAST}s�[m"
done
current_host=$(hostname)
for host in "''${HOSTS[@]}"; do
store_path="''${TOPLEVEL_STORE_PATHS["$host"]}"
if [ "$host" = "$current_host" ]; then
echo -e "\033[1;36m Running locally for $host... \033[m"
ssh_prefix="sudo"
else
echo -e "\033[1;36m Copying \033[m➡️ \033[34m$host\033[m"
nix copy --to "ssh://$host" "$store_path"
time_next
echo -e "\033[1;32m Copied \033[m✅ \033[34m$host\033[m \033[90min ''${T_LAST}s\033[m"
ssh_prefix="ssh $host --"
fi
echo -e "\033[1;36m Applying \033[m⚙️ \033[34m$host\033[m"
prev_system=$($ssh_prefix readlink -e /nix/var/nix/profiles/system)
$ssh_prefix /run/current-system/sw/bin/nix-env --profile /nix/var/nix/profiles/system --set "$store_path" ||
die "Failed to set system profile"
$ssh_prefix "$store_path"/bin/switch-to-configuration "$ACTION" ||
echo "Error while activating new system" >&2
if [[ -n $prev_system ]]; then
$ssh_prefix nvd --color always diff "$prev_system" "$store_path" || true
fi
time_next
echo -e "\033[1;32m Applied \033[m✅ \033[34m$host\033[m \033[90min ''${T_LAST}s\033[m"
done
'';
}
#+end_src
***** swarsel-build
:PROPERTIES:
:CUSTOM_ID: h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e
:END:
Batch build helper for host systems that delegates output handling to =nom= for clearer progress and diagnostics.
#+begin_src nix-ts :tangle pkgs/flake/swarsel-build/default.nix
{ name, nix-output-monitor, writeShellApplication, ... }:
writeShellApplication {
runtimeInputs = [ nix-output-monitor ];
inherit name;
text = ''
set -euo pipefail
[[ "$#" -ge 1 ]] \
|| { echo "usage: build ..." >&2; exit 1; }
HOSTS=()
for h in "$@"; do
HOSTS+=(".#nixosConfigurations.$h.config.system.build.toplevel")
done
nom build --no-link --print-out-paths --show-trace "''${HOSTS[@]}"
'';
}
#+end_src
***** swarsel-instantiate
:PROPERTIES:
:CUSTOM_ID: h:95ebfd13-1f6b-427f-950d-e30c1ed6f9fa
:END:
This is a convenience function that calls =nix-instantiate= with a number of flags that I need in order to evaluate nix expressions in org-src blocks.
#+begin_src nix-ts :tangle pkgs/flake/swarsel-instantiate/default.nix
{ name, writeShellApplication, ... }:
writeShellApplication {
inherit name;
text = ''
set -euo pipefail
nix-instantiate --strict --eval --expr "let lib = import ; in $*"
'';
}
#+end_src
***** sshrm
:PROPERTIES:
:CUSTOM_ID: h:02842543-caca-4d4c-a4d2-7ac749b5c136
:END:
This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually.
#+begin_src nix-ts :tangle pkgs/flake/sshrm/default.nix
{ name, writeShellApplication, openssh, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ openssh ];
text = ''
HISTFILE="$HOME"/.histfile
last_ssh_cmd=$(grep -E "ssh " "$HISTFILE" | sed -E 's/^: [0-9]+:[0-9]+;//' | grep "^ssh " | tail -1)
host=$(echo "$last_ssh_cmd" | sed -E 's/.*ssh ([^@ ]+@)?([^ ]+).*/\2/')
if [[ -n $host ]]; then
echo "Removing SSH host key for: $host"
ssh-keygen -R "$host"
else
echo "No valid SSH command found in history."
fi
'';
}
#+end_src
***** endme
:PROPERTIES:
:CUSTOM_ID: h:abbd18a2-73ae-4ee4-8487-06fef23638bb
:END:
Sometimes my DE crashes after putting it to suspend - to be precise, it happens when I put it into suspend when I have multiple screens plugged in. I have never taken the time to debug the issue, but instead just switch to a different TTY and then use this script to kill the hanging session.
#+begin_src nix-ts :tangle pkgs/flake/endme/default.nix
{ name, writeShellApplication, ... }:
writeShellApplication {
inherit name;
text = ''
set -euo pipefail
systemctl --user stop graphical-session.target
systemctl --user stop graphical-session-pre.target
'';
}
#+end_src
***** git-replace
:PROPERTIES:
:CUSTOM_ID: h:e1330feb-4a9b-4e6d-9d15-6d2adb5879d2
:END:
This script allows for quick git replace of a string.
#+begin_src nix-ts :tangle pkgs/flake/git-replace/default.nix
{ name, writeShellApplication, git, gnugrep, findutils, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ git gnugrep findutils ];
text = ''
function help_and_exit() {
echo
echo "Remotely installs SwarselSystem on a target machine including secret deployment."
echo
echo "USAGE: $0 [-f/-t} "
echo
echo "ARGS:"
echo " -f | --filenames Replace in filenames."
echo " -d | --directory Replace text in files within this directory."
echo " -r | --repo Replace text in files in the entire git repo."
echo " -h | --help Print this help."
exit 0
}
target_files=false
target_repo=false
target_dirs=false
while [[ $# -gt 0 ]]; do
case "$1" in
-f | --filenames)
shift
target_files=true
;;
-r | --repo)
shift
target_repo=true
;;
-d | --directory)
shift
target_dirs=rue
;;
-h | --help) help_and_exit ;;
*)
echo "Invalid option detected."
help_and_exit
;;
esac
shift
done
if [[ $target_files == "true" ]]; then
for file in $(git ls-files | grep "$1" | sed -e "s/\($1[^/]*\).*/\1/" | uniq); do
git mv "$file" "''${file//$1/$2}"
done
fi
if [[ $target_repo == "true" ]]; then
git grep -l "$1" | xargs sed -i "s/$1/$2/g"
fi
if [[ $target_dirs == "true" ]]; then
grep -rl "$1" . | xargs sed -i "s/$1/$2/g"
fi
'';
}
#+end_src
***** gen-sops-guest
:PROPERTIES:
:CUSTOM_ID: h:c9f65ba6-f24e-4855-ad17-28315b63d086
:END:
This script quickly generates a block in =.sops.yaml= for a guest host.
#+begin_src nix-ts :tangle pkgs/flake/gen-sops-guest/default.nix
{ name, writeShellApplication, ... }:
writeShellApplication {
inherit name;
text = ''
if [ "$#" -lt 3 ]; then
echo "Usage: $0 [service2 ...]" >&2
echo "Example: $0 hintbooth hosts/nixos/x86_64-linux adguardhome nginx" >&2
exit 1
fi
HOST="$1"
ARCH_PATH="$2"
shift 2
for service in "$@"; do
cat </dev/null | grep -q '^pipefail[[:space:]]*on'; then
cdr_had_pipefail=1
fi
set +e
set +u
set +o pipefail 2>/dev/null || true
DOCUMENT_DIR_WORK=${homeConfig.systemd.user.sessionVariables.DOCUMENT_DIR_WORK or ""}
DOCUMENT_DIR_PRIV=${homeConfig.systemd.user.sessionVariables.DOCUMENT_DIR_PRIV}
FLAKE=${homeConfig.home.sessionVariables.FLAKE}
cdr_target="$( (find "$DOCUMENT_DIR_WORK" "$DOCUMENT_DIR_PRIV" -maxdepth 1 && echo "$FLAKE") | fzf )"
if [ -n "$cdr_target" ]; then
cd "$cdr_target" || true
fi
if [ "$cdr_had_errexit" -eq 1 ]; then set -e; else set +e; fi
if [ "$cdr_had_nounset" -eq 1 ]; then set -u; else set +u; fi
if [ "$cdr_had_pipefail" -eq 1 ]; then set -o pipefail; else set +o pipefail 2>/dev/null || true; fi
'';
}
#+end_src
***** swarsel-gens
:PROPERTIES:
:CUSTOM_ID: h:999c8ac5-4fca-467e-9810-fc861068a0ff
:END:
This script quickly lists all nix generatinos on the system
#+begin_src nix-ts :tangle pkgs/config/swarsel-gens/default.nix
{ name, writeShellApplication, config, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ config.nix.package ];
text = ''
sudo nix-env --list-generations --profile /nix/var/nix/profiles/system
'';
}
#+end_src
***** swarsel-switch
:PROPERTIES:
:CUSTOM_ID: h:209c0d31-aefa-4800-bc81-54727d2712f5
:END:
This script quickly switches to another nix generation.
#+begin_src nix-ts :tangle pkgs/config/swarsel-switch/default.nix
{ name, writeShellApplication, config, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ config.nix.package ];
text = ''
sudo nix-env --switch-generation "$1" -p /nix/var/nix/profiles/system && sudo /nix/var/nix/profiles/system/bin/switch-to-configuration switch
'';
}
#+end_src
***** swarsel-sops
:PROPERTIES:
:CUSTOM_ID: h:530d8021-cf9f-48b1-9913-8937f77e4e33
:END:
#+begin_src nix-ts :tangle pkgs/config/swarsel-sops/default.nix
{ name, sops, homeConfig, writeShellApplication, ... }:
writeShellApplication {
inherit name;
runtimeInputs = [ sops ];
text = ''
sops updatekeys ${homeConfig.swarselsystems.flakePath}/secrets/repo/*
sops updatekeys ${homeConfig.swarselsystems.flakePath}/secrets/nginx/*
sops updatekeys ${homeConfig.swarselsystems.flakePath}/secrets/work/*
sops updatekeys ${homeConfig.swarselsystems.flakePath}/hosts/*/*/*/secrets/*/secrets.yaml
'';
}
#+end_src
** Profiles
:PROPERTIES:
:CUSTOM_ID: h:f0f1c961-3e7a-47b8-99ab-1654bb45dffc
:END:
In this section I define custom modules under the =swarsel= attribute. These are mostly used to define settings specific to a host. I keep these settings confined to either home-manager or nixos to maintain compatibility with non-NixOS machines.
Note: The structure of generating the packages was changed in commit =2cf03a3 refactor: package and module generation=. That commit can be checked out in order to see a simpler version of achieving the same thing.
*** NixOS
:PROPERTIES:
:CUSTOM_ID: h:14e68518-8ec7-48ec-b208-0e3d6d49954d
:END:
Modules that need to be loaded on the NixOS level. Note that these will not be available on systems that are not running NixOS.
#+begin_src nix-ts :tangle profiles/nixos/default.nix
{ lib, ... }:
let
profileNames = lib.swarselsystems.readNix "profiles/nixos";
in
{
imports = lib.swarselsystems.mkImports profileNames "profiles/nixos";
}
#+end_src
**** Personal
:PROPERTIES:
:CUSTOM_ID: h:32d654de-8db2-403a-9a27-4c46d7b9172d
:END:
#+begin_src nix-ts :tangle profiles/nixos/personal/default.nix :mkdirp yes
{ lib, config, ... }:
{
options.swarselprofiles.personal = lib.mkEnableOption "is this a personal host";
config = lib.mkIf config.swarselprofiles.personal {
swarselmodules = {
# keyd = lib.mkDefault true;
appimage = lib.mkDefault true;
autologin = lib.mkDefault true;
blueman = lib.mkDefault true;
boot = lib.mkDefault true;
btrfs = lib.mkDefault true;
distrobox = lib.mkDefault true;
env = lib.mkDefault true;
firezone-client = lib.mkDefault true;
general = lib.mkDefault true;
gnome-keyring = lib.mkDefault true;
gvfs = lib.mkDefault true;
hardware = lib.mkDefault true;
home-manager = lib.mkDefault true;
impermanence = lib.mkDefault true;
interceptionTools = lib.mkDefault true;
keyboards = lib.mkDefault true;
lanzaboote = lib.mkDefault true;
ledger = lib.mkDefault true;
lid = lib.mkDefault true;
login = lib.mkDefault true;
lowBattery = lib.mkDefault false;
nautilus = lib.mkDefault true;
network = lib.mkDefault true;
networkDevices = lib.mkDefault true;
nftables = lib.mkDefault true;
nix-ld = lib.mkDefault true;
nvd = lib.mkDefault true;
packages = lib.mkDefault true;
pii = lib.mkDefault true;
pipewire = lib.mkDefault true;
ppd = lib.mkDefault true;
programs = lib.mkDefault true;
pulseaudio = lib.mkDefault true;
remotebuild = lib.mkDefault true;
security = lib.mkDefault true;
sops = lib.mkDefault true;
stylix = lib.mkDefault true;
sway = lib.mkDefault false; # niri
swayosd = lib.mkDefault false; # niri
syncthing = lib.mkDefault true;
systemdTimeout = lib.mkDefault true;
time = lib.mkDefault true;
users = lib.mkDefault true;
uwsm = lib.mkDefault true;
xdg-portal = lib.mkDefault true;
xserver = lib.mkDefault true;
yubikey = lib.mkDefault true;
zsh = lib.mkDefault true;
};
home-manager.users."${config.swarselsystems.mainUser}" = {
swarselprofiles = {
personal = lib.mkDefault true;
};
};
};
}
#+end_src
**** Minimal
:PROPERTIES:
:CUSTOM_ID: h:b926f0c8-7968-4079-924c-a5d0ae4d3a45
:END:
#+begin_src nix-ts :tangle profiles/nixos/minimal/default.nix :mkdirp yes
{ lib, config, ... }:
{
options.swarselprofiles.minimal = lib.mkEnableOption "declare this a minimal host";
config = lib.mkIf config.swarselprofiles.minimal {
swarselmodules = {
general = lib.mkDefault true;
home-manager = lib.mkDefault true;
xserver = lib.mkDefault true;
lanzaboote = lib.mkDefault true;
time = lib.mkDefault true;
users = lib.mkDefault true;
impermanence = lib.mkDefault true;
security = lib.mkDefault true;
sops = lib.mkDefault true;
pii = lib.mkDefault true;
zsh = lib.mkDefault true;
yubikey = lib.mkDefault true;
autologin = lib.mkDefault true;
boot = lib.mkDefault true;
btrfs = lib.mkDefault true;
nftables = lib.mkDefault true;
server = {
ssh = lib.mkDefault true;
diskEncryption = lib.mkDefault true;
};
};
};
}
#+end_src
**** Hotel
:PROPERTIES:
:CUSTOM_ID: h:b79fbb59-9cf2-48eb-b469-2589223dda95
:END:
#+begin_src nix-ts :tangle profiles/nixos/hotel/default.nix :mkdirp yes
{ lib, config, ... }:
{
options.swarselprofiles.hotel = lib.mkEnableOption "is this a hotel host";
config = lib.mkIf config.swarselprofiles.hotel {
swarselprofiles.personal = true;
swarselmodules = {
yubikey = false;
};
};
}
#+end_src
**** Server
:PROPERTIES:
:CUSTOM_ID: h:dfc076fd-ee74-4663-b164-653370c52b75
:END:
#+begin_src nix-ts :tangle profiles/nixos/localserver/default.nix :mkdirp yes
{ lib, config, ... }:
{
options.swarselprofiles.server = lib.mkEnableOption "is this a server";
config = lib.mkIf config.swarselprofiles.server {
swarselmodules = {
general = lib.mkDefault true;
lanzaboote = lib.mkDefault true;
pii = lib.mkDefault true;
home-manager = lib.mkDefault true;
xserver = lib.mkDefault true;
time = lib.mkDefault true;
users = lib.mkDefault true;
impermanence = lib.mkDefault true;
btrfs = lib.mkDefault true;
sops = lib.mkDefault true;
boot = lib.mkDefault true;
nftables = lib.mkDefault true;
server = {
general = lib.mkDefault true;
ids = lib.mkDefault true;
network = lib.mkDefault true;
diskEncryption = lib.mkDefault true;
packages = lib.mkDefault true;
ssh = lib.mkDefault true;
attic-setup = lib.mkDefault true;
dns-hostrecord = lib.mkDefault true;
};
};
};
}
#+end_src
**** MicroVM
:PROPERTIES:
:CUSTOM_ID: h:fd4f28dd-7cdc-40b1-8b43-be0ef6e1ad29
:END:
#+begin_src nix-ts :tangle profiles/nixos/microvm/default.nix :mkdirp yes
{ lib, config, ... }:
{
options.swarselprofiles.microvm = lib.mkEnableOption "is this a server";
config = lib.mkIf config.swarselprofiles.microvm {
swarselsystems = {
isLinux = true;
isNixos = true;
};
swarselmodules = {
general = lib.mkDefault true;
pii = lib.mkDefault true;
xserver = lib.mkDefault true;
time = lib.mkDefault true;
users = lib.mkDefault true;
impermanence = lib.mkDefault true;
btrfs = lib.mkDefault true;
sops = lib.mkDefault true;
nftables = lib.mkDefault true;
server = {
general = lib.mkDefault true;
ids = lib.mkDefault true;
packages = lib.mkDefault true;
ssh = lib.mkDefault true;
wireguard = lib.mkDefault true;
dns-home = lib.mkDefault true;
opkssh = true;
};
};
};
}
#+end_src
**** Router
:PROPERTIES:
:CUSTOM_ID: h:f3af356a-e732-471b-b8b3-37dcd70297d5
:END:
#+begin_src nix-ts :tangle profiles/nixos/router/default.nix :mkdirp yes
{ lib, config, ... }:
{
options.swarselprofiles.router = lib.mkEnableOption "enable the router profile";
config = lib.mkIf config.swarselprofiles.router {
swarselmodules = {
nftables = lib.mkDefault true;
server = {
router = lib.mkDefault true;
kea = lib.mkDefault true;
};
};
};
}
#+end_src
*** home-manager
:PROPERTIES:
:CUSTOM_ID: h:ced5841f-c088-4d88-b3a1-7d62aad8837b
:END:
This holds modules that are to be used on most hosts. These are also the most important options to configure, as these allow me easy access to monitor, keyboard, and other setups.
#+BEGIN_src nix-ts :tangle profiles/home/default.nix
{ lib, ... }:
let
profileNames = lib.swarselsystems.readNix "profiles/home";
in
{
imports = lib.swarselsystems.mkImports profileNames "profiles/home";
}
#+end_src
**** Personal
:PROPERTIES:
:CUSTOM_ID: h:26512487-8c29-4b92-835b-d67394c3f5ef
:END:
#+begin_src nix-ts :tangle profiles/home/personal/default.nix :mkdirp yes
{ lib, config, ... }:
{
options.swarselprofiles.personal = lib.mkEnableOption "is this a personal host";
config = lib.mkIf config.swarselprofiles.personal {
swarselmodules = {
anki = lib.mkDefault true;
anki-tray = lib.mkDefault true;
attic-store-push = lib.mkDefault true;
atuin = lib.mkDefault true;
autotiling = lib.mkDefault false; # niri
batsignal = lib.mkDefault false; # niri
blueman-applet = lib.mkDefault true;
desktop = lib.mkDefault true;
direnv = lib.mkDefault true;
element-desktop = lib.mkDefault true;
element-tray = lib.mkDefault true;
emacs = lib.mkDefault true;
env = lib.mkDefault true;
eza = lib.mkDefault true;
firefox = lib.mkDefault true;
firezone-tray = lib.mkDefault true;
fuzzel = lib.mkDefault true;
gammastep = lib.mkDefault false; # niri
general = lib.mkDefault true;
git = lib.mkDefault true;
gnome-keyring = lib.mkDefault true;
gpgagent = lib.mkDefault true;
hexchat = lib.mkDefault true;
kanshi = lib.mkDefault false; # niri
kdeconnect = lib.mkDefault true;
kitty = lib.mkDefault true;
khal = lib.mkDefault true;
mail = lib.mkDefault true;
mako = lib.mkDefault false; # niri
nix-index = lib.mkDefault true;
nixgl = lib.mkDefault true;
nix-your-shell = lib.mkDefault true;
nm-applet = lib.mkDefault true;
obs-studio = lib.mkDefault true;
obsidian = lib.mkDefault true;
obsidian-tray = lib.mkDefault true;
opkssh = lib.mkDefault true;
ownpackages = lib.mkDefault true;
packages = lib.mkDefault true;
passwordstore = lib.mkDefault true;
programs = lib.mkDefault true;
sops = lib.mkDefault false;
spicetify = lib.mkDefault true;
spotify-player = lib.mkDefault true;
ssh = lib.mkDefault true;
starship = lib.mkDefault true;
stylix = lib.mkDefault true;
sway = lib.mkDefault false; # niri
swayidle = lib.mkDefault true;
swaylock = lib.mkDefault false; # niri
swayosd = lib.mkDefault true;
symlink = lib.mkDefault true;
tmux = lib.mkDefault true;
vesktop = lib.mkDefault true;
vesktop-tray = lib.mkDefault true;
shikane = lib.mkDefault true;
syncthing-tray = lib.mkDefault true;
waybar = lib.mkDefault true;
yubikey = lib.mkDefault false;
yubikeytouch = lib.mkDefault true;
zellij = lib.mkDefault true;
zsh = lib.mkDefault true;
};
};
}
#+end_src
**** DGX Spark
:PROPERTIES:
:CUSTOM_ID: h:6d30ef28-ee26-4954-90f6-53c33dee9217
:END:
#+begin_src nix-ts :tangle profiles/home/dgxspark/default.nix :mkdirp yes
{ lib, config, ... }:
{
options.swarselprofiles.dgxspark = lib.mkEnableOption "is this a dgx spark host";
config = lib.mkIf config.swarselprofiles.dgxspark {
swarselmodules = {
atuin = lib.mkDefault true;
bash = lib.mkDefault true;
blueman-applet = lib.mkDefault true;
direnv = lib.mkDefault true;
eza = lib.mkDefault true;
firefox = lib.mkDefault true;
fuzzel = lib.mkDefault true;
general = lib.mkDefault true;
git = lib.mkDefault true;
gpgagent = lib.mkDefault true;
kitty = lib.mkDefault true;
nix-index = lib.mkDefault true;
nixgl = lib.mkDefault true;
nix-your-shell = lib.mkDefault true;
nm-applet = lib.mkDefault true;
sops = lib.mkDefault true;
starship = lib.mkDefault true;
stylix = lib.mkDefault true;
tmux = lib.mkDefault true;
zellij = lib.mkDefault true;
zsh = lib.mkDefault true;
};
};
}
#+end_src
**** Minimal
:PROPERTIES:
:CUSTOM_ID: h:26512487-8c29-4b92-835b-d67394c3f5ef
:END:
#+begin_src nix-ts :tangle profiles/home/minimal/default.nix :mkdirp yes
{ lib, config, ... }:
{
options.swarselprofiles.minimal = lib.mkEnableOption "is this a personal host";
config = lib.mkIf config.swarselprofiles.minimal {
swarselmodules = {
general = lib.mkDefault true;
sops = lib.mkDefault true;
kitty = lib.mkDefault true;
zsh = lib.mkDefault true;
git = lib.mkDefault true;
};
};
}
#+end_src
**** Hotel
:PROPERTIES:
:CUSTOM_ID: h:36a0209f-2c17-4808-a1d0-a9e1920c307a
:END:
#+begin_src nix-ts :tangle profiles/home/hotel/default.nix :mkdirp yes
{ lib, config, ... }:
{
options.swarselprofiles.hotel = lib.mkEnableOption "is this a hotel host";
config = lib.mkIf config.swarselprofiles.hotel {
swarselprofiles.personal = true;
swarselmodules = {
yubikey = lib.mkForce false;
ssh = lib.mkForce false;
env = lib.mkForce false;
git = lib.mkForce false;
mail = lib.mkForce false;
emacs = lib.mkForce false;
obsidian = lib.mkForce false;
gammastep = lib.mkForce false;
};
};
}
#+end_src
**** Local Server
:PROPERTIES:
:CUSTOM_ID: h:8027b858-369e-4f12-bbaf-f15eeee3d904
:END:
#+begin_src nix-ts :tangle profiles/home/localserver/default.nix :mkdirp yes
{ lib, config, ... }:
{
options.swarselprofiles.server.local = lib.mkEnableOption "is this a local server";
config = lib.mkIf config.swarselprofiles.server.local {
swarselmodules = {
general = lib.mkDefault true;
server = {
dotfiles = lib.mkDefault true;
};
};
};
}
#+end_src
* Emacs
:PROPERTIES:
:CUSTOM_ID: h:ed4cd05c-0879-41c6-bc39-3f1246a96f04
:END:
** Initialization (early-init.el)
:PROPERTIES:
:CUSTOM_ID: h:2c331451-45ed-4592-9e00-d36b5bf31248
:END:
In this section I handle my early init file; it takes care of frame-setup for emacsclient buffers.
*** Increase startup performance
:PROPERTIES:
:CUSTOM_ID: h:38e03b65-9dfc-4547-b27d-236664d7dc15
:END:
First, I use some advice from doomemacs regarding garbace collection; here I make sure that during startup, the garbace collectur will not run, which will improve startup times. Now, that might not really be needed since I will usually only start the emacs server once during startup and then not touch it again, however, since I am building my emacs configuration using NixOS, there is some merit to this since I will usually need to restart the server once I rebuild my configuration.
Also, inspired by a setting I have seen in protesilaos' configuration, I apply the same idea to the =file-name-handler-alist= and =vc-handled-backends=.
In the end, we need to restore those values to values that will work during normal operation. For that, I add a hook to the startup function that will revert the values once Emacs has finished initialization.
Also packed into the hook function is the line =(fset 'epg-wait-for-status 'ignore)=. This line is needed at the end of the configuration in order to allow for my Yubikey to be used to encrypt and decrypt =.gpg= files. Without it, Emacs will just hang forever and basically crash.
#+begin_src emacs-lisp :tangle files/emacs/early-init.el :mkdirp yes
;; -*- lexical-binding: t; -*-
(defvar swarsel-file-name-handler-alist file-name-handler-alist)
(defvar swarsel-vc-handled-backends vc-handled-backends)
(defun swarsel/restore-startup-settings ()
"Restore startup-tuned variables to their regular runtime values."
(setq gc-cons-threshold (* 32 1024 1024)
gc-cons-percentage 0.1
jit-lock-defer-time 0.05
read-process-output-max (* 1024 1024)
file-name-handler-alist swarsel-file-name-handler-alist
vc-handled-backends swarsel-vc-handled-backends)
(fset 'epg-wait-for-status #'ignore))
(setq gc-cons-threshold most-positive-fixnum
gc-cons-percentage 0.6
file-name-handler-alist nil
vc-handled-backends nil)
(add-hook 'emacs-startup-hook #'swarsel/restore-startup-settings)
#+end_src
*** Setup frames
:PROPERTIES:
:CUSTOM_ID: h:782b3632-afb2-4c67-8c46-ff94408aef5d
:END:
Next, I will setup the basic frame for my emacs buffers. Note that I use a tiling window manager, so I do not need to hold myself up with sizing the windows myself. I also disable some GUI tools that I (like many others) do not find to be particularly useful. Also I inhibit many startup functions here, even though it does not affect me greatly since I use another solution for that.
We also make require immediate compilation of native code.
For the =default-frame-alist=, I used to also set ='(right-divider-width . 4)= and ='(bottom-divider-width . 4)=, but I did not like the look of the divider bar and usually know my splits anyways, so this is no longer set.
#+begin_src emacs-lisp :tangle files/emacs/early-init.el :mkdirp yes
(tool-bar-mode 0)
(menu-bar-mode 0)
(scroll-bar-mode 0)
(setq frame-inhibit-implied-resize t
ring-bell-function 'ignore
use-dialog-box nil
use-file-dialog nil
use-short-answers t
inhibit-startup-message t
inhibit-splash-screen t
inhibit-startup-screen t
inhibit-x-resources t
inhibit-startup-buffer-menu t
inhibit-startup-echo-area-message user-login-name ; this needs to be set to the username or it will not have an effect
comp-deferred-compilation nil ; compile all Elisp to native code immediately
)
(setq-default left-margin-width 1
right-margin-width 1)
(setq-default default-frame-alist
(append
(list
'(undecorated . t) ; no title bar, borders etc.
'(background-color . "#1D252C") ; load doom-citylight colors to avoid white flash
'(foreground-color . "#A0B3C5") ; load doom-citylight colors to avoid white flash
'(font . "FiraCode Nerd Font")
'(vertical-scroll-bars . nil)
'(horizontal-scroll-bars . nil)
'(internal-border-width . 5)
'(tool-bar-lines . 0)
'(menu-bar-lines . 0))))
#+end_src
*** Make C-i, C-m, C-[ available in graphic sessions
:PROPERTIES:
:CUSTOM_ID: h:396c47f2-7e2f-4fad-ae71-6483bf7e3e42
:END:
By default, emacs binds
- =C-i= to the =TAB= key
- =C-m= to the =RET= key
- =C-[= to the =ECS= key
These keybinds exist to make Emacs work well in terminal mode. However, most of the time I am using Emacs in a graphic session, and I would hence like to have these keybinds available for personal use.
NOTE: To use these keybinds, you need to enclose the binding in angled brackets (=<>=). Then they can be used normally
#+begin_src emacs-lisp :tangle files/emacs/early-init.el :mkdirp yes
(add-hook
'after-make-frame-functions
(lambda (frame)
(with-selected-frame frame
(when (display-graphic-p)
(define-key input-decode-map (kbd "C-i") [DUMMY-i])
(define-key input-decode-map (kbd "C-[") [DUMMY-lsb])
(define-key input-decode-map (kbd "C-m") [DUMMY-m])
))))
#+end_src
** Personal settings
:PROPERTIES:
:CUSTOM_ID: h:601ba407-b906-4869-8ef6-67a9fc285fba
:END:
This section is used to define my own functions, own variables, and own keybindings.
*** Custom functions
:PROPERTIES:
:CUSTOM_ID: h:b7b5976a-db2b-493d-8794-1924a0e12aec
:END:
In this section I define extra functions that I need. Some of these functions I wrote myself, some I found after internet reseach. For functions I found on the internet, I will link the original source I found it in.
**** Emacs/Evil state toggle
:PROPERTIES:
:CUSTOM_ID: h:b715d7cf-da09-4e0c-95bc-8281b4f3ce9c
:END:
Since I am rebinding the =C-z= hotkey for emacs-evil-state toggling, I want to have a function that still lets me perform this action quickly.
We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]].
#+begin_src emacs-lisp
;; -*- lexical-binding: t; -*-
(defun swarsel/toggle-evil-state ()
(interactive)
(if (or (evil-emacs-state-p) (evil-insert-state-p))
(evil-normal-state)
(evil-emacs-state)))
#+end_src
**** Switching to last used buffer
:PROPERTIES:
:CUSTOM_ID: h:1e0ee570-e509-4ecb-a3af-b75543731bb0
:END:
I often find myself bouncing between two buffers when I do not want to use a window split. This function simply jumps to the last used buffer.
We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]].
#+begin_src emacs-lisp
(defun swarsel/last-buffer () (interactive) (switch-to-buffer nil))
#+end_src
**** mu4e functions
:PROPERTIES:
:CUSTOM_ID: h:34506761-06b9-43b5-a818-506d9b3faf28
:END:
I use these functions to let me switch between my main email accounts, as mu4e by itself has trouble doing so. =mu4e-switch-account= allows for manual choosing of the sender account, while =mu4e-rfs--matching-address= and =mu4e-send-from-correct-address= are used when replying to a mail; they switch the sender account to the one that received the mail.
By default, the sender email will not be changed after sending a mail; however, I want Emacs to always use my main address when not replying to another email. For that I use =mu4e-restore-default=.
Used here: [[#h:b92a18cf-eec3-4605-a8c2-37133ade3574][mu4e]]
#+begin_src emacs-lisp
(defun swarsel/mu4e-switch-account ()
(interactive)
(let ((account (completing-read "Select account: " mu4e-user-mail-address-list)))
(setq user-mail-address account)))
(defun swarsel/mu4e-rfs--matching-address ()
(cl-loop for to-data in (mu4e-message-field mu4e-compose-parent-message :to)
for to-email = (pcase to-data
(`(_ . email) email)
(x (mu4e-contact-email x)))
for to-name = (pcase to-data
(`(_ . name) name)
(x (mu4e-contact-name x)))
when (mu4e-user-mail-address-p to-email)
return (list to-name to-email)))
(defun swarsel/mu4e-send-from-correct-address ()
(when mu4e-compose-parent-message
(save-excursion
(when-let ((dest (swarsel/mu4e-rfs--matching-address)))
(cl-destructuring-bind (from-user from-addr) dest
(setq user-mail-address from-addr)
(when (and (boundp 'user-mail-address)
(stringp user-mail-address)
(string-equal user-mail-address (getenv "SWARSEL_MAIL_WORK")))
(mml-secure-message-sign-smime))
(message-position-on-field "From")
(message-beginning-of-line)
(delete-region (point) (line-end-position))
(insert (format "%s <%s>" (or from-user user-full-name) from-addr)))))))
(defun swarsel/mu4e-restore-default ()
(setq user-mail-address (getenv "SWARSEL_MAIL4")
user-full-name (getenv "SWARSEL_FULLNAME")))
#+end_src
**** Create non-existant directories when finding file
:PROPERTIES:
:CUSTOM_ID: h:4b9d74ef-0376-45bb-bc15-d24a04ca7e81
:END:
This function will check if a directory for which a file we want to open exists; if not, it will offer to create the directories for me.
#+begin_src emacs-lisp
(defun swarsel/with-buffer-name-prompt-and-make-subdirs ()
(let ((parent-directory (file-name-directory buffer-file-name)))
(when (and (not (file-exists-p parent-directory))
(y-or-n-p (format "Directory `%s' does not exist! Create it? " parent-directory)))
(make-directory parent-directory t))))
(add-to-list 'find-file-not-found-functions #'swarsel/with-buffer-name-prompt-and-make-subdirs)
#+end_src
**** [crux] Duplicate Lines
:PROPERTIES:
:CUSTOM_ID: h:91e2f45f-54fa-4b60-8758-b2ef9b439af7
:END:
When programming, I like to be able to duplicate a line. There are easier functions than the one below, but they either
1) screw with undo/redo
2) move the cursor wildly
The below function avoids these problems. Originally I used the function =duplicate-line= found here: [[https://stackoverflow.com/questions/88399/how-do-i-duplicate-a-whole-line-in-emacs]]
However, this function does not work on regions. Later, I found a solution implemented by [[https://github.com/bbatsov/crux][crux]]. I do not need the whole package, so I just extracted the three functions I needed from it.
We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]].
#+begin_src emacs-lisp
(defun crux-get-positions-of-line-or-region ()
"Return positions (beg . end) of the current line or region."
(let (beg end)
(if (and mark-active (> (point) (mark)))
(exchange-point-and-mark))
(setq beg (line-beginning-position))
(if mark-active
(exchange-point-and-mark))
(setq end (line-end-position))
(cons beg end)))
(defun crux-duplicate-current-line-or-region (arg)
"Duplicates the current line or region ARG times.
If there's no region, the current line will be duplicated. However, if
there's a region, all lines that region covers will be duplicated."
(interactive "p")
(pcase-let* ((origin (point))
(`(,beg . ,end) (crux-get-positions-of-line-or-region))
(region (buffer-substring-no-properties beg end)))
(dotimes (_i arg)
(goto-char end)
(newline)
(insert region)
(setq end (point)))
(goto-char (+ origin (* (length region) arg) arg))))
(defun crux-duplicate-and-comment-current-line-or-region (arg)
"Duplicates and comments the current line or region ARG times.
If there's no region, the current line will be duplicated. However, if
there's a region, all lines that region covers will be duplicated."
(interactive "p")
(pcase-let* ((origin (point))
(`(,beg . ,end) (crux-get-positions-of-line-or-region))
(region (buffer-substring-no-properties beg end)))
(comment-or-uncomment-region beg end)
(setq end (line-end-position))
(dotimes (_ arg)
(goto-char end)
(newline)
(insert region)
(setq end (point)))
(goto-char (+ origin (* (length region) arg) arg))))
#+end_src
**** [prot] org-id-headings
:PROPERTIES:
:CUSTOM_ID: h:4819720a-9220-4c34-b903-ed4179f3ad1c
:END:
These functions by protesilaos generate heading links in an org-file similar to the normal =org-store-link= approach when not using properties. This approach has a weakness however - if the heading name is changed, the link breaks. These functions generate a unique identifier for each heading which will not break and also works when exporting the file to html, for example.
#+begin_src emacs-lisp
(defun prot-org--id-get ()
"Get the CUSTOM_ID of the current entry.
If the entry already has a CUSTOM_ID, return it as-is, else
create a new one."
(let* ((pos (point))
(id (org-entry-get pos "CUSTOM_ID")))
(if (and id (stringp id) (string-match-p "\\S-" id))
id
(setq id (org-id-new "h"))
(org-entry-put pos "CUSTOM_ID" id)
id)))
(declare-function org-map-entries "org")
(defun prot-org-id-headlines ()
"Add missing CUSTOM_ID to all headlines in current file."
(interactive)
(org-map-entries
(lambda () (prot-org--id-get))))
(defun prot-org-id-headline ()
"Add missing CUSTOM_ID to headline at point."
(interactive)
(prot-org--id-get))
#+end_src
**** Inhibit Messages in Echo Area
:PROPERTIES:
:CUSTOM_ID: h:285e5c0a-875d-46a8-bb9b-0222b3d73878
:END:
Emacs likes to send messages to the echo area; this is generally a good thing. However, it bothers me a lot when I am currently working in minibuffer where I receive an echo area message that is actually important and it is then overwritten by e.g. the mu4e update message. This section makes it possible to find the root function calling the message function and disabling it here.
Usage: Enable the =(advice-add 'message :around #'who-called-me?)= by running this code block, which will show a full trace of all messages being sent to the echo area:
#+begin_src emacs-lisp :tangle no :export both :results silent
(advice-add 'message :around #'who-called-me?)
#+end_src
Once the root function has been found, it can be disabled via =advice=add= as in the last block in this section. To disable the stack tracing, run =(advice-remove 'message #'who-called-me?)= or the following code block:
#+begin_src emacs-lisp :tangle no :results silent
(advice-remove 'message #'who-called-me?)
#+end_src
Lastly, individual messages can be reenabled using the =(advice-remove ' #'suppress-messages)= approach. Use this when you accidentally disabled a helpful message.
#+begin_src emacs-lisp
(defun suppress-messages (old-fun &rest args)
(cl-flet ((silence (&rest args1) (ignore)))
(advice-add 'message :around #'silence)
(unwind-protect
(apply old-fun args)
(advice-remove 'message #'silence))))
(advice-add 'pixel-scroll-precision :around #'suppress-messages)
(advice-add 'mu4e--server-filter :around #'suppress-messages)
(advice-add 'org-unlogged-message :around #'suppress-messages)
(advice-add 'magit-auto-revert-mode--init-kludge :around #'suppress-messages)
(advice-add 'push-mark :around #'suppress-messages)
(advice-add 'evil-insert :around #'suppress-messages)
(advice-add 'evil-visual-char :around #'suppress-messages)
;; to reenable
;; (advice-remove 'timer-event-handler #'suppress-messages)
(defun who-called-me? (old-fun format &rest args)
(let ((trace nil) (n 1) (frame nil))
(while (setf frame (backtrace-frame n))
(setf n (1+ n)
trace (cons (cadr frame) trace)) )
(apply old-fun (concat "<<%S>>\n" format) (cons trace args))))
;; enable to get message backtrace, the first function shown in backtrace calls the other functions
;; (advice-add 'message :around #'who-called-me?)
;; disable to stop receiving backtrace
(advice-remove 'message #'who-called-me?)
#+end_src
**** Move up one directory for find-file
:PROPERTIES:
:CUSTOM_ID: h:de249f2a-6a2b-4114-8046-09d1014a7391
:END:
I find it very annoying that the standard behavior for M-DEL only deletes one word when using find-file. This function makes it so that we always go up by one directory level instead.
This function was found here: [[https://www.reddit.com/r/emacs/comments/re31i6/how_to_go_up_one_directory_when_using_findfile_cx/]]
#+begin_src emacs-lisp
(defun up-directory (path)
"Move up a directory in PATH without affecting the kill buffer."
(interactive "p")
(if (string-match-p "/." (minibuffer-contents))
(let ((end (point)))
(re-search-backward "/.")
(forward-char)
(delete-region (point) end))))
(define-key minibuffer-local-filename-completion-map
[C-backspace] #'up-directory)
#+end_src
**** Magit: List directories using vertico/consult
:PROPERTIES:
:CUSTOM_ID: h:1f8bfddf-a12a-49c8-beaa-97baa47abb9f
:END:
At work and when working on private projects, I often have to jump between several git repositories. This function fires up a picker that gets me to the magit overview page of that repository.
We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]].
#+begin_src emacs-lisp
(declare-function consult--read "consult")
(defun swarsel/consult-magit-repos ()
(interactive)
(require 'magit)
(let ((repos (magit-list-repos)))
(unless repos
(user-error "No repositories found in `magit-repository-directories'"))
(let ((repo
(if (or (fboundp 'consult--read)
(require 'consult nil t))
(consult--read repos
:prompt "Magit repo: "
:require-match t
:history 'my/consult-magit-repos-history
:sort t)
(completing-read "Magit repo: "
repos
nil
t
nil
'my/consult-magit-repos-history))))
(when (and repo (> (length repo) 0))
(magit-status repo)))))
#+end_src
**** org-mode: General setup
:PROPERTIES:
:CUSTOM_ID: h:06b77d28-3fd5-4554-8c7d-32c1b0ec8da5
:END:
Sets up the basic settings that I want to have active in org-mode buffers.
Used here: [[#h:877c9401-a354-4e44-a235-db1a90d19e00][General org-mode]]
#+begin_src emacs-lisp
(defun swarsel/org-mode-setup ()
(variable-pitch-mode 1)
(add-hook 'org-tab-first-hook 'org-end-of-line)
(visual-line-mode 1))
#+end_src
**** org-mode: Visual-fill column
:PROPERTIES:
:CUSTOM_ID: h:fa710375-2efe-49b4-af6a-a875aca6e4a2
:END:
This function sets the width of buffers in org-mode.
Used in: [[#h:bbcfa895-4d46-4b1d-b84e-f634e982c46e][Centered org-mode Buffers]]
#+begin_src emacs-lisp
(defun swarsel/org-mode-visual-fill ()
(setq visual-fill-column-width 150
visual-fill-column-center-text t)
(visual-fill-column-mode 1))
#+end_src
**** org-mode: Upon-save actions (Auto-tangle, export to html, formatting)
:PROPERTIES:
:CUSTOM_ID: h:59d4306e-9b73-4b2c-b039-6a6518c357fc
:END:
This section handles everything that shoudld happen when I save =SwarselSystems.org=. It:
1) automatically tangles all configuration blocks in this file
2) exports the configuration file as html for an easier reading experience with working links and index
3) formats the generated =.nix= files in accordance to the =Alejandra=-style.
We set a hook that runs everytime we save the file. It would be a bit more efficient to only export and format when we enter a magit window for instance (since especially the html export takes times), however, since I cannot be sure to only ever commit from magit (I do indeed sometimes use git from the command line), I prefer this approach.
#+begin_src emacs-lisp
(defun swarsel/run-formatting ()
(interactive)
(let ((default-directory (expand-file-name "~/.dotfiles")))
(shell-command "nixpkgs-fmt . > /dev/null")))
(defun swarsel/org-babel-tangle-config ()
(interactive)
(when (string-equal (buffer-file-name)
swarsel-swarsel-org-filepath)
;; Dynamic scoping to the rescue
(let ((org-confirm-babel-evaluate nil))
;; (org-html-export-to-html)
(org-babel-tangle)
(swarsel/run-formatting)
)))
(defun swarsel/org-babel-tangle-single-block-advice (orig-fun &rest args)
"Run ORIG-FUN with redisplay and messages temporarily inhibited."
(let ((inhibit-redisplay t)
(inhibit-message t))
(apply orig-fun args)))
(defun swarsel/org-babel-tangle-timing-advice (orig-fun &rest args)
"Run ORIG-FUN and report elapsed tangle time."
(let ((tim (current-time)))
(prog1 (apply orig-fun args)
(message "org-tangle took %f sec" (float-time (time-subtract (current-time) tim))))))
(defun swarsel/markdown-mode-keys ()
"Local markdown key customizations."
(local-set-key (kbd "C-c C-x C-l") #'org-latex-preview)
(local-set-key (kbd "C-c C-x C-u") #'markdown-toggle-url-hiding))
(defun swarsel/eglot-ensure-and-format ()
"Ensure eglot is running and enable format-on-save for current buffer."
(eglot-ensure)
(add-hook 'before-save-hook #'eglot-format nil 'local))
;; (add-hook 'org-mode-hook (lambda () (add-hook 'after-save-hook #'swarsel/org-babel-tangle-config)))
#+end_src
**** org-mode: Fold current heading
:PROPERTIES:
:CUSTOM_ID: h:dfa66e78-5748-45e3-a975-db3da104bb3a
:END:
Normally emacs cycles between three states:
1) fully folded
2) One heading expanded
3) All headings expanded
However, I want to be able to fold a single heading consistently.
We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]].
#+begin_src emacs-lisp
(defun org-fold-outer ()
(interactive)
(org-beginning-of-line)
(if (string-match "^*+" (thing-at-point 'line t))
(outline-up-heading 1))
(outline-hide-subtree)
)
#+end_src
**** corfu: Do not interrupt navigation
:PROPERTIES:
:CUSTOM_ID: h:a1802f9b-bb71-4fd5-86fa-945da18e8b81
:END:
These three functions allow me to keep using the normal navigation keys even when a corfu completion pops up.
These functions are used here: [[#h:5653d693-ecca-4c95-9633-66b9e3241070][Corfu]]
#+begin_src emacs-lisp
(defun swarsel/corfu-normal-return (&optional arg)
(interactive)
(corfu-quit)
(newline)
)
(defun swarsel/corfu-quit-and-up (&optional arg)
(interactive)
(corfu-quit)
(evil-previous-visual-line))
(defun swarsel/corfu-quit-and-down (&optional arg)
(interactive)
(corfu-quit)
(evil-next-visual-line))
#+end_src
**** Disable garbage collection while minibuffer is active
:PROPERTIES:
:CUSTOM_ID: h:3c436647-71e6-441c-b452-d817ad2f8331
:END:
#+begin_src emacs-lisp
(defun swarsel/minibuffer-setup-hook ()
(setq gc-cons-threshold most-positive-fixnum))
(defun swarsel/minibuffer-exit-hook ()
(setq gc-cons-threshold (* 32 1024 1024)))
(add-hook 'minibuffer-setup-hook #'swarsel/minibuffer-setup-hook)
(add-hook 'minibuffer-exit-hook #'swarsel/minibuffer-exit-hook)
#+end_src
**** Insert link to another header in org file
:PROPERTIES:
:CUSTOM_ID: h:06e70e44-502b-4a49-8b48-63c511f1c377
:END:
When writing this file, I often want to refer to a different section of the file. One way to do this is to =C-x O= (consult-org-heading) to get to said heading, then =C=c s= (org-store-link), finally =C-o= (evil-jump-backward) to get back to the origin and insert the link using =C-c C-l= (org-insert-link).
These two scripts just let me do all of this in one step. I have styled the picker in a way that is similar to consult-org-heading.
We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]].
#+begin_src emacs-lisp
(defun swarsel/org-colorize-outline (parents raw)
(let* ((palette ["#58B6ED" "#8BD49C" "#33CED8" "#4B9CCC"
"yellow" "orange" "salmon" "red"])
(n (length parents))
(colored-parents
(cl-mapcar
(lambda (p i)
(propertize p 'face `(:foreground ,(aref palette (mod i (length palette))) :weight bold)))
parents
(number-sequence 0 (1- n)))))
(concat
(when parents
(string-join colored-parents "/"))
(when parents "/")
(propertize raw 'face `(:foreground ,(aref palette (mod n (length palette)))
:weight bold)))))
(defun swarsel/org-insert-link-to-heading ()
(interactive)
(let ((candidates '()))
(org-map-entries
(lambda ()
(let* ((raw (org-get-heading t t t t))
(parents (org-get-outline-path t))
(m (copy-marker (point)))
(colored (swarsel/org-colorize-outline parents raw)))
(push (cons colored m) candidates))))
(let* ((choice (completing-read "Heading: " (mapcar #'car candidates)))
(marker (cdr (assoc choice candidates)))
id raw-heading)
(unless marker
(user-error "No marker for heading??"))
(save-excursion
(goto-char marker)
(setq id (prot-org--id-get))
(setq raw-heading (org-get-heading t t t t)))
(insert (org-link-make-string (format "#%s" id)
raw-heading)))))
#+end_src
*** Custom Keybindings
:PROPERTIES:
:CUSTOM_ID: h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5
:END:
This defines a set of keybinds that I want to have available globally. I have one set of keys that is globally available through the =C-SPC= prefix. This set is used mostly for functions that I have trouble remembering the original keybind for, or that I just want to have gathered in a common space.
I also define some keybinds to some combinations directly. Those are used mostly for custom functions that I call often enough to warrant this.
#+begin_src emacs-lisp
;; Make ESC quit prompts
(global-set-key (kbd "") 'keyboard-escape-quit)
;; Set up general keybindings
(use-package general
:config
(general-create-definer swarsel/leader-keys
:keymaps '(normal insert visual emacs)
:prefix "SPC"
:global-prefix "C-SPC")
(swarsel/leader-keys
"e" '(:ignore e :which-key "evil")
"eo" '(evil-jump-backward :which-key "cursor jump backwards")
"eO" '(evil-jump-forward :which-key "cursor jump forwards")
"t" '(:ignore t :which-key "toggles")
"ts" '(hydra-text-scale/body :which-key "scale text")
"te" '(swarsel/toggle-evil-state :which-key "emacs/evil")
"tl" '(display-line-numbers-mode :which-key "line numbers")
"tp" '(evil-cleverparens-mode :wk "cleverparens")
"to" '(olivetti-mode :wk "olivetti")
"td" '(darkroom-tentative-mode :wk "darkroom")
"tw" '((lambda () (interactive) (toggle-truncate-lines)) :which-key "line wrapping")
"m" '(:ignore m :which-key "modes/programs")
"mm" '((lambda () (interactive) (mu4e)) :which-key "mu4e")
"mg" '((lambda () (interactive) (magit-list-repositories)) :which-key "magit-list-repos")
"mc" '((lambda () (interactive) (swarsel/open-calendar)) :which-key "calendar")
"mp" '(popper-toggle :which-key "popper")
"md" '(dirvish :which-key "dirvish")
"mr" '(bjm/elfeed-load-db-and-open :which-key "elfeed")
"o" '(:ignore o :which-key "org")
"op" '((lambda () (interactive) (org-present)) :which-key "org-present")
"oa" '((lambda () (interactive) (org-agenda)) :which-key "org-agenda")
"oa" '((lambda () (interactive) (org-refile)) :which-key "org-refile")
"ob" '((lambda () (interactive) (org-babel-mark-block)) :which-key "Mark whole src-block")
"ol" '((lambda () (interactive) (org-insert-link)) :which-key "insert link")
"oc" '((lambda () (interactive) (org-store-link)) :which-key "copy (=store) link")
"os" '(shfmt-region :which-key "format sh-block")
"od" '((lambda () (interactive) (org-babel-demarcate-block)) :which-key "demarcate (split) src-block")
"on" '(nixpkgs-fmt-region :which-key "format nix-block")
"ot" '(swarsel/org-babel-tangle-config :which-key "tangle file")
"oe" '(org-html-export-to-html :which-key "export to html")
"c" '(:ignore c :which-key "capture")
"ct" '((lambda () (interactive) (org-capture nil "tt")) :which-key "task")
"l" '(:ignore l :which-key "links")
"lc" '((lambda () (interactive) (progn (find-file swarsel-swarsel-org-filepath) (org-overview) )) :which-key "SwarselSystems.org")
"le" '((lambda () (interactive) (progn (find-file swarsel-swarsel-org-filepath) (goto-char (org-find-exact-headline-in-buffer "Emacs") ) (org-overview) (org-cycle) )) :which-key "Emacs.org")
"lr" '(swarsel/consult-magit-repos :which-key "List repos")
"ln" '((lambda () (interactive) (progn (find-file swarsel-swarsel-org-filepath) (goto-char (org-find-exact-headline-in-buffer "System") ) (org-overview) (org-cycle))) :which-key "Nixos.org")
"lp" '((lambda () (interactive) (projectile-switch-project)) :which-key "switch project")
"lg" '((lambda () (interactive) (magit-list-repositories)) :which-key "list git repos")
"h" '(:ignore h :which-key "help")
"hy" '(yas-describe-tables :which-key "yas tables")
"hb" '(embark-bindings :which-key "current key bindings")
"h" '(:ignore t :which-key "describe")
"he" 'view-echo-area-messages
"hf" 'describe-function
"hF" 'describe-face
"hl" '(view-lossage :which-key "show command keypresses")
"hL" 'find-library
"hm" 'describe-mode
"ho" 'describe-symbol
"hk" 'describe-key
"hK" 'describe-keymap
"hp" 'describe-package
"hv" 'describe-variable
"hd" 'devdocs-lookup
"w" '(:ignore t :which-key "window")
"wl" 'windmove-right
"w " 'windmove-right
"wh" 'windmove-left
"w " 'windmove-left
"wk" 'windmove-up
"w " 'windmove-up
"wj" 'windmove-down
"w " 'windmove-down
"wr" 'winner-redo
"wd" 'delete-window
"w=" 'balance-windows-area
"wD" 'kill-buffer-and-window
"wu" 'winner-undo
"wr" 'winner-redo
"w/" 'evil-window-vsplit
"w\\" 'evil-window-vsplit
"w-" 'evil-window-split
"wm" '(delete-other-windows :wk "maximize")
"" 'up-list
"" 'down-list
)
;; General often used hotkeys
(general-define-key
"C-M-a" (lambda () (interactive) (org-capture nil "a")) ; make new anki card
"C-c d" 'crux-duplicate-current-line-or-region
"C-c D" 'crux-duplicate-and-comment-current-line-or-region
"" 'swarsel/last-buffer
"M-\\" 'indent-region
"M-r" 'swarsel/consult-magit-repos
"M-i" 'swarsel/org-insert-link-to-heading
"" 'yank
"" 'kill-region
"" 'kill-ring-save
"" 'evil-undo
"" 'evil-redo
"C-S-c C-S-c" 'mc/edit-lines
"C->" 'mc/mark-next-like-this
"C-<" 'mc/mark-previous-like-this
"C-c C-<" 'mc/mark-all-like-this
))
#+end_src
*** Directory setup / File structure
:PROPERTIES:
:CUSTOM_ID: h:07951589-54ba-4e3e-bd7b-4106cd22ff6a
:END:
In this section I setup some aliases that I use for various directories on my system. This is just to prevent setting the same stuff too often.
#+begin_src emacs-lisp
;; set Nextcloud directory for journals etc.
(setq
swarsel-emacs-directory "~/.emacs.d"
swarsel-dotfiles-directory (getenv "FLAKE")
swarsel-swarsel-org-filepath (expand-file-name "SwarselSystems.org" swarsel-dotfiles-directory)
swarsel-tasks-org-file "Tasks.org"
swarsel-archive-org-file "Archive.org"
swarsel-work-projects-directory (getenv "DOCUMENT_DIR_WORK")
swarsel-private-projects-directory (getenv "DOCUMENT_DIR_PRIV")
)
#+end_src
*** Unclutter .emacs.d
:PROPERTIES:
:CUSTOM_ID: h:0cf30b76-91d9-41da-a10b-74199bc36d40
:END:
In this section I move the =custom.el= out of it's standard location in =.emacs.d=. Firstly, I dislike using this file at all since I would rather have fully stateful configuration as commanded by this file. Secondly, this file is too easily permanently changed. Recently I figured out the last bits that I needed to remove from custom.el to no longer be reliant on it, so I now just write it to a temporary file (through =make-temp=file=) which will be cleaned on shutdown. However, I like to retain the custom framework because it is nice for testing out theme customizations, hence why I still load the file.
This section also sets the emacs directory to the =~/.cache/= directory which is useful for files that I do not want to have lying around in my =.emacs.d=.
#+begin_src emacs-lisp
;; Change the user-emacs-directory to keep unwanted things out of ~/.emacs.d
(setq user-emacs-directory (expand-file-name "~/.cache/emacs/")
url-history-file (expand-file-name "url/history" user-emacs-directory))
;; Use no-littering to automatically set common paths to the new user-emacs-directory
(use-package no-littering
:config
(setq custom-file (make-temp-file "emacs-custom-"))
(load custom-file t))
#+end_src
*** Move backup files to another location
:PROPERTIES:
:CUSTOM_ID: h:329f529a-ef9f-4787-b311-1c485e05b754
:END:
Many people dislike the Emacs backup files; I do enjoy them, but have to admit that they clutter the filesystem a little too much. Also, I rarely need to access these over different sessions. Hence I move them to =/tmp= - if Emacs unexpectedly crashes, the files can be recovered, but the backup files will not gather everywhere and will be deleted upon shutdown.
#+begin_src emacs-lisp
(let ((backup-dir "~/tmp/emacs/backups")
(auto-saves-dir "~/tmp/emacs/auto-saves/"))
(dolist (dir (list backup-dir auto-saves-dir))
(when (not (file-directory-p dir))
(make-directory dir t)))
(setq backup-directory-alist `(("." . ,backup-dir))
auto-save-file-name-transforms `((".*" ,auto-saves-dir t))
auto-save-list-file-prefix (concat auto-saves-dir ".saves-")
tramp-backup-directory-alist `((".*" . ,backup-dir))
tramp-auto-save-directory auto-saves-dir))
(setq backup-by-copying t ; Don't delink hardlinks
delete-old-versions t ; Clean up the backups
version-control t ; Use version numbers on backups,
kept-new-versions 5 ; keep some new versions
kept-old-versions 2 ; and some old ones, too
backup-by-copying-when-linked t)
#+end_src
** General init.el setup + UI
:PROPERTIES:
:CUSTOM_ID: h:786b447d-03ad-4c1d-b114-c37caa2d591c
:END:
In this general section I have settings that I either consider to be integral to my experience when using Emacs or have no other section that I feel they belong to.
*** General setup
:PROPERTIES:
:CUSTOM_ID: h:76a5bd78-a20d-4068-bea8-a38fdb26428e
:END:
Here I set up some things that are too minor to put under other categories.
- Firstly we disable to having to type `yes` and `no` and switch it to `y` and `n`.
- We also enable the marking of trailing whitespaces.
- Also, make emacs highlight the current line globally
- Emacs defaults to pausing all display redrawing on any input. This may have been useful previously, but is not necessary nowadays.
- I also disable the suspend-frame function, as I never use it and it is quite confusing when accidentally hitting the keys for it.
#+begin_src emacs-lisp
;; use UTF-8 everywhere
(set-language-environment "UTF-8")
;; (profiler-start 'cpu)
;; set default font size
;; (defalias 'yes-or-no-p 'y-or-n-p)
;;(setq-default show-trailing-whitespace t)
(add-hook 'before-save-hook 'delete-trailing-whitespace)
(global-hl-line-mode 1)
;; (setq redisplay-dont-pause t) ;; obsolete
(blink-cursor-mode -1) ;; blink-cursor is an unexpected source of slowdown
(global-subword-mode 1) ; Iterate through CamelCase words
(setq blink-matching-paren nil) ;; this makes the cursor jump around annoyingly
(delete-selection-mode 1)
(setq vc-follow-symlinks t)
(setq require-final-newline t)
(winner-mode 1)
(setq load-prefer-newer t)
(setq-default bidi-paragraph-direction 'left-to-right
bidi-display-reordering 'left-to-right
bidi-inhibit-bpa t)
(global-so-long-mode)
(setq fast-but-imprecise-scrolling t
redisplay-skip-fontification-on-input t
inhibit-compacting-font-caches t)
(setq idle-update-delay 1.0
which-func-update-delay 1.0)
(setq undo-limit 80000000
evil-want-fine-undo t
auto-save-default t)
(setq browse-url-browser-function 'browse-url-firefox)
;; (setenv "DISPLAY" ":0") ;; needed for firefox
;; disable a keybind that does more harm than good
(global-set-key [remap suspend-frame]
(lambda ()
(interactive)
(message "This keybinding is disabled (was 'suspend-frame')")))
(setq visible-bell nil)
(setq initial-major-mode 'fundamental-mode
initial-scratch-message nil)
(add-hook 'prog-mode-hook 'display-line-numbers-mode)
;; (add-hook 'text-mode-hook 'display-line-numbers-mode)
;; (global-visual-line-mode 1)
#+end_src
*** Mark all themes as safe
:PROPERTIES:
:CUSTOM_ID: h:0debe8fd-b319-4ab7-a92c-784fa7896b75
:END:
Normally when switching themes in emacs, the user will be warned that themes can run malicious code. I only run one theme really and deem it safe. It is however annoying to be asked this on every new system and it also creates lines in custom.el to answer that query, so here I declare all themes as safe.
#+begin_src emacs-lisp
(setq custom-safe-themes t)
#+end_src
*** Show less compilation warnings
:PROPERTIES:
:CUSTOM_ID: h:b587e869-9911-443b-bc6d-8fb3ce31908d
:END:
When Emacs compiles stuff, it often shows a bunch of warnings that I do not need to deal with. Here we silence those. Some will be disabled completely, and some only when we have native compilation available (which should be most of the time, however).
This is really not needed anymore ever since I started managing my emacs packages with nix, but I still keep this around in case I ever move away from it.
#+begin_src emacs-lisp
(setq byte-compile-warnings '(not free-vars unresolved noruntime lexical make-local))
;; Make native compilation silent and prune its cache.
(when (native-comp-available-p)
(setq native-comp-async-report-warnings-errors 'silent) ; Emacs 28 with native compilation
(setq native-compile-prune-cache t)) ; Emacs 29
#+end_src
*** Better garbage collection
:PROPERTIES:
:CUSTOM_ID: h:1667913c-2272-4010-bf3a-356455b97c83
:END:
This sets up automatic garbage collection when the frame is unused. There is a lot of discussion on whether it is smart to tamper with garbage collection - in my eyes it is worth running this, because I often times switch away from Emacs for a while when researching. That times can be then used to run GC.
#+begin_src emacs-lisp
(setq garbage-collection-messages nil)
(defmacro k-time (&rest body)
"Measure and return the time it takes evaluating BODY."
`(let ((time (current-time)))
,@body
(float-time (time-since time))))
;; When idle for 15sec run the GC no matter what.
(defvar k-gc-timer
(run-with-idle-timer 15 t
(lambda ()
;; (message "Garbage Collector has run for %.06fsec"
(k-time (garbage-collect)))))
;; )
#+end_src
*** Indentation
:PROPERTIES:
:CUSTOM_ID: h:6527b3ce-b76d-431a-9960-a57da7c53e1b
:END:
Here I define several options related to indentation; I first make it so that only whitespace will be used instead of tab characters for indentation, and I also set a small standard indent.
We set =tab-always-indent= to ='complete= in order to indent first and then do completion if there are any. Also we make it so that python will not complain about missing indentation info.
Lastly, I load the =highlight-indent-guides= package. This adds a neat visual indicator of the indentation level, which is useful for languages like python.
#+begin_src emacs-lisp
(setq-default indent-tabs-mode nil
tab-width 2)
(setq tab-always-indent 'complete)
(use-package python
:ensure nil
:custom
(python-indent-guess-indent-offset-verbose nil))
(use-package highlight-indent-guides
:hook (prog-mode . highlight-indent-guides-mode)
:custom
(highlight-indent-guides-method 'column)
(highlight-indent-guides-responsive nil)
:config
(set-face-attribute 'highlight-indent-guides-even-face nil :background "gray10")
(set-face-attribute 'highlight-indent-guides-odd-face nil :background "gray20")
(set-face-attribute 'highlight-indent-guides-stack-even-face nil :background "gray40")
(set-face-attribute 'highlight-indent-guides-stack-odd-face nil :background "gray50"))
;; (use-package aggressive-indent)
;; (global-aggressive-indent-mode 1)
#+end_src
*** Scrolling
:PROPERTIES:
:CUSTOM_ID: h:3dc9fb1d-cd16-4bd0-a9ac-55a944415a90
:END:
By default, emacs scrolls half a page when reaching the bottom of the buffer. This is extremely annoying. This sets up more granular scrolling that allows scrolling with a mouse wheel or the two-finger touchscreen gesture. This now also works in buffers with a very small frame.
#+begin_src emacs-lisp
(setq mouse-wheel-scroll-amount
'(1
((shift) . 5)
((meta) . 0.5)
((control) . text-scale))
mouse-drag-copy-region nil
make-pointer-invisible t
mouse-wheel-progressive-speed t
mouse-wheel-follow-mouse t)
(setq-default scroll-preserve-screen-position t
scroll-conservatively 1
scroll-margin 0
next-screen-context-lines 0)
(pixel-scroll-precision-mode 1)
#+end_src
*** Evil
:PROPERTIES:
:CUSTOM_ID: h:5bf9f014-ee96-42da-b285-7b34f04e6bb1
:END:
**** General evil
:PROPERTIES:
:CUSTOM_ID: h:218376e8-086b-46bf-91b3-78295d5d440f
:END:
This setups up evil, which brings vim-like keybindings to emacs. In the same location, I also unbind the =C-z= key (I am very unhappy with this implementation, but it is the only thing that works consistently so far) to make it available for [[#h:c3cc1c12-3ab8-42b7-be07-63f54eac397f][cape]] later.
Also, I setup initial modes for several major-modes depending on what I deem fit.
#+begin_src emacs-lisp
;; Emulate vim in emacs
(use-package evil
:init
(setq evil-want-integration t) ; loads evil
(setq evil-want-keybinding nil) ; loads "helpful bindings" for other modes
(setq evil-want-C-u-scroll t) ; scrolling using C-u
(setq evil-want-C-i-jump nil) ; jumping with C-i
(setq evil-want-Y-yank-to-eol t) ; give Y some utility
(setq evil-shift-width 2) ; uniform indent
(setq evil-respect-visual-line-mode nil) ; i am torn on this one
(setq evil-split-window-below t)
(setq evil-vsplit-window-right t)
:config
(evil-mode 1)
;; make normal mode respect wrapped lines
(define-key evil-normal-state-map (kbd "j") 'evil-next-visual-line)
(define-key evil-normal-state-map (kbd "") 'evil-next-visual-line)
(define-key evil-normal-state-map (kbd "k") 'evil-previous-visual-line)
(define-key evil-normal-state-map (kbd "") 'evil-previous-visual-line)
(define-key evil-normal-state-map (kbd "C-z") nil)
(define-key evil-insert-state-map (kbd "C-z") nil)
(define-key evil-visual-state-map (kbd "C-z") nil)
(define-key evil-motion-state-map (kbd "C-z") nil)
(define-key evil-operator-state-map (kbd "C-z") nil)
(define-key evil-replace-state-map (kbd "C-z") nil)
(define-key global-map (kbd "C-z") nil)
(evil-set-undo-system 'undo-tree)
;; Don't use evil-mode in these contexts, or use it in a specific mode
(evil-set-initial-state 'messages-buffer-mode 'emacs)
(evil-set-initial-state 'dashboard-mode 'emacs)
(evil-set-initial-state 'dired-mode 'emacs)
(evil-set-initial-state 'cfw:details-mode 'emacs)
(evil-set-initial-state 'Custom-mode 'emacs) ; god knows why this mode is in uppercase
(evil-set-initial-state 'mu4e-headers-mode 'normal)
(evil-set-initial-state 'python-inferior-mode 'normal)
(add-hook 'org-capture-mode-hook 'evil-insert-state)
(add-to-list 'evil-buffer-regexps '("COMMIT_EDITMSG" . insert)))
#+end_src
**** evil-collection
:PROPERTIES:
:CUSTOM_ID: h:bde208f3-01ef-4dc6-9981-65f3d2a8189b
:END:
This gives support for many different modes, and works beautifully out of the box.
#+begin_src emacs-lisp
(use-package evil-collection
:after evil
:config
(evil-collection-init))
#+end_src
**** evil-snipe
:PROPERTIES:
:CUSTOM_ID: h:d80e3f7d-0185-4a15-832b-d756e576265c
:END:
This package changes the char-search commands like =f= by showing the results in a more visual manner. It also gives a 2-character search using =s= and =S=.
#+begin_src emacs-lisp
;; enables 2-char inline search
(use-package evil-snipe
:after evil
:demand
:config
(evil-snipe-mode +1)
;; replace 1-char searches (f&t) with this better UI
(evil-snipe-override-mode +1))
#+end_src
**** evil-cleverparens
:PROPERTIES:
:CUSTOM_ID: h:b06a378d-5248-4451-8eee-e65a3a768b1d
:END:
This helps keeping parentheses balanced which is useful when writing in languages like Elisp. I do not activate this by default, as most languages do not profit from this enough in my eyes.
#+begin_src emacs-lisp
;; for parentheses-heavy languades modify evil commands to keep balance of parantheses
(use-package evil-cleverparens)
#+end_src
**** evil-surround
:PROPERTIES:
:CUSTOM_ID: h:aac82e5e-d882-4870-b644-ebdd0a2daae3
:END:
This minor-mode adds functionality for doing better surround-commands; for example =ci[= will let you change the word within square brackets.
#+begin_src emacs-lisp
;; enables surrounding text with S
(use-package evil-surround
:config
(global-evil-surround-mode 1))
#+end_src
**** evil-visual-mark-mode
:PROPERTIES:
:CUSTOM_ID: h:df6729b6-2135-4070-bcab-a6a26f0fb2c4
:END:
This makes it so that when setting a mark in evil mode (using =m =), it creates a visual marker at that place that reminds me what the key for that marker position is (the marker is of course not part of the text of the document, and is hence not saved).
#+begin_src emacs-lisp
(use-package evil-visual-mark-mode
:commands evil-visual-mark-mode)
#+end_src
**** evil-textobj-tree-sitter
:PROPERTIES:
:CUSTOM_ID: h:cd9a0fb6-e287-4c3c-8013-6aad64ef89cb
:END:
This adds support for tree-sitter objects. This allows for the following chords:
- "...af" around function
- "...if" inside function
#+begin_src emacs-lisp
(use-package evil-textobj-tree-sitter
:config
;; bind `function.outer`(entire function block) to `f` for use in things like `vaf`, `yaf`
(define-key evil-outer-text-objects-map "f" (evil-textobj-tree-sitter-get-textobj "function.outer"))
;; bind `function.inner`(function block without name and args) to `f` for use in things like `vif`, `yif`
(define-key evil-inner-text-objects-map "f" (evil-textobj-tree-sitter-get-textobj "function.inner"))
;; You can also bind multiple items and we will match the first one we can find
(define-key evil-outer-text-objects-map "a" (evil-textobj-tree-sitter-get-textobj ("if_statement.outer" "conditional.outer" "loop.outer") '((python-mode . ((if_statement.outer) @if_statement.outer)) (python-ts-mode . ((if_statement.outer) @if_statement.outer))))))
#+end_src
**** evil-numbers
:PROPERTIES:
:CUSTOM_ID: h:06002ad2-686a-42c5-82d7-61f1340e262d
:END:
A very simple package that brings back the vim possibility of incrementing/decrementing numbers. I do not need it often, but it is nice to have.
#+begin_src emacs-lisp
(use-package evil-numbers)
#+end_src
*** ispell
:PROPERTIES:
:CUSTOM_ID: h:e888d7a7-1755-4109-af11-5358b8cf140e
:END:
This sets up a wordlist that is, for example, used in completions. When coding, I do not really need this, but it is sometimes useful when writing prose.
#+begin_src emacs-lisp
;; set the NixOS wordlist by hand
(setq ispell-alternate-dictionary (getenv "WORDLIST"))
#+end_src
*** Font Configuration
:PROPERTIES:
:CUSTOM_ID: h:60f87342-0491-4c56-8057-6f075cf35753
:END:
Here I define my fonts to be used. Honestly I do not understand the face-attributes and pitches of emacs all too well. It seems this configuration works fine, but I might have to revisit this at some point in the future.
#+begin_src emacs-lisp
(setq swarsel/fixed-font "FiraCode Nerd Font"
swarsel/variable-font "Iosevka Aile")
(set-face-attribute 'default nil :font swarsel/fixed-font :height 100)
(set-face-attribute 'fixed-pitch nil :font swarsel/fixed-font :height 130)
(set-face-attribute 'variable-pitch nil :font swarsel/variable-font :weight 'light :height 130)
#+end_src
*** Theme
:PROPERTIES:
:CUSTOM_ID: h:72a9704b-83d2-4b74-a1f6-d333203f62db
:END:
I have grown to love the =doom-citylights= theme and have modeled my whole system after it. Also solaire-mode is a nice mode that inverts the alt-faces with the normal faces for specific 'minor' buffers (like Help-buffers).
#+begin_src emacs-lisp
(use-package solaire-mode
:custom
(solaire-global-mode +1))
(use-package doom-themes
:hook
(server-after-make-frame . (lambda () (load-theme
'doom-city-lights t)))
:config
(load-theme 'doom-city-lights t)
(doom-themes-treemacs-config)
(doom-themes-org-config))
#+end_src
*** Icons
:PROPERTIES:
:CUSTOM_ID: h:eb0ea526-a83a-4664-b3a1-2b40d3a31493
:END:
This section loads the base icons used in my configuration. I am using =nerd-icons= over =all-the-icons= since the former seems to have more integrations with different packages than the latter.
Used in:
- [[#h:b190d512-bfb5-42ec-adec-8d86bab726ce][Vertico and friends]]
- [[#h:5653d693-ecca-4c95-9633-66b9e3241070][Corfu]]
#+begin_src emacs-lisp
(use-package nerd-icons)
#+end_src
*** Variable Pitch Mode
:PROPERTIES:
:CUSTOM_ID: h:455ed7ac-ee7f-4f94-b857-f2c58b2282d0
:END:
This minor mode allows mixing fixed and variable pitch fonts within the same buffer.
#+begin_src emacs-lisp
(use-package mixed-pitch
:custom
(mixed-pitch-set-height nil)
(mixed-pitch-variable-pitch-cursor nil)
:hook
(text-mode . mixed-pitch-mode))
#+end_src
*** Modeline
:PROPERTIES:
:CUSTOM_ID: h:ed585848-875a-4673-910c-d2e1901dd95b
:END:
Here I set up the modeline with some information that I find useful. I was using the doom modeline for a while. Most informations I disabled for it, except for the cursor information (row + column) as well as a widget for =mu4e= and git information.
I have currently disabled this in favor of [[#h:80ed2431-9c9a-4bfc-a3c0-08a2a058d208][mini-modeline]], which saves more screen space and holds only the information I really need.
#+begin_src emacs-lisp
(use-package doom-modeline
:init
;; (doom-modeline-mode)
;; (column-number-mode)
:custom
((doom-modeline-height 22)
(doom-modeline-indent-info nil)
(doom-modeline-buffer-encoding nil)))
#+end_src
*** mini-modeline
:PROPERTIES:
:CUSTOM_ID: h:80ed2431-9c9a-4bfc-a3c0-08a2a058d208
:END:
I have found that the doom-modeline, while very useful, consumes too much screen space for my liking. This modeline takes a more minimalistic approach. The only information that is shown is:
- the line number
- state of the file (whether it is saved etc.)
- the name of the file
- the percentage of the cursor in the file
- the major mode of the file
- the current evil mode
This is really the perfect solution for me, but it might not be for everyone.
#+begin_src emacs-lisp
(use-package mini-modeline
:after smart-mode-line
:custom
(mini-modeline-display-gui-line nil)
(mini-modeline-enhance-visual nil)
(mini-modeline-truncate-p nil)
(mini-modeline-l-format nil)
(mini-modeline-right-padding 5)
(mini-modeline-r-format '("%e" mode-line-front-space mode-line-mule-info mode-line-client
mode-line-modified mode-line-remote mode-line-frame-identification
mode-line-buffer-identification " " mode-line-position " " mode-name evil-mode-line-tag))
:config
(mini-modeline-mode t)
(setq window-divider-default-places t
window-divider-default-bottom-width 1
window-divider-default-right-width 1)
(window-divider-mode 1))
(use-package smart-mode-line
:config
(sml/setup)
(add-to-list 'sml/replacer-regexp-list '("^~/Documents/Work/" ":WK:"))
(add-to-list 'sml/replacer-regexp-list '("^~/Documents/Private/" ":PR:"))
(add-to-list 'sml/replacer-regexp-list '("^~/.dotfiles/" ":D:") t)
)
#+end_src
*** Helper Modes
:PROPERTIES:
:CUSTOM_ID: h:39ae01e9-8053-4f76-aa77-8cbbbcff9652
:END:
**** Vertico, Orderless, Marginalia, Consult, Embark
:PROPERTIES:
:CUSTOM_ID: h:b190d512-bfb5-42ec-adec-8d86bab726ce
:END:
This set of packages uses the default emacs completion framework and works together to provide a very nice user experience.
***** vertico
:PROPERTIES:
:CUSTOM_ID: h:d7c7f597-f870-4e01-8f7e-27dd31dd245d
:END:
Vertico simply provides a vertically stacking completion framework.
#+begin_src emacs-lisp
(setq read-buffer-completion-ignore-case t
read-file-name-completion-ignore-case t
completion-ignore-case t)
(use-package vertico
:custom
(vertico-scroll-margin 0)
(vertico-count 10)
(vertico-resize t)
(vertico-cycle t)
:init
(vertico-mode)
(vertico-mouse-mode))
#+end_src
***** vertico-directory
:PROPERTIES:
:CUSTOM_ID: h:10d4f2bd-8c72-430b-a9ed-9b5e279ec0b4
:END:
This package allows for =Ido=-like directory navigation.
#+begin_src emacs-lisp
(use-package vertico-directory
:ensure nil
:after vertico
:bind (:map vertico-map
("RET" . vertico-directory-enter)
("C-DEL" . vertico-directory-delete-word)
("DEL" . vertico-directory-delete-char))
;; Tidy shadowed file names
:hook (rfn-eshadow-update-overlay . vertico-directory-tidy))
#+end_src
***** orderless
:PROPERTIES:
:CUSTOM_ID: h:211fc0bd-0d64-4577-97d8-6abc94435f04
:END:
Orderless allows for fuzzy matching.
When first installing orderless, I often times faced the problem, that when editing long files and calling =consult-line=, Emacs would hang when changing a search term in the middle (e.g. from =servicse.xserver= to =servic.xserver= in order to fix the typo). The below orderless rules have a more strict matching that has a positive impact on performance.
#+begin_src emacs-lisp
(use-package orderless
:config
(orderless-define-completion-style orderless+initialism
(orderless-matching-styles '(orderless-initialism orderless-literal orderless-regexp)))
(setq completion-styles '(orderless)
completion-category-defaults nil
completion-category-overrides
'((file (styles partial-completion orderless+initialism))
(buffer (styles orderless+initialism))
(consult-multi (styles orderless+initialism))
(command (styles orderless+initialism))
(eglot (styles orderless+initialism))
(variable (styles orderless+initialism))
(symbol (styles orderless+initialism)))
orderless-matching-styles '(orderless-literal orderless-regexp)))
#+end_src
***** consult
:PROPERTIES:
:CUSTOM_ID: h:49ab82bf-812d-4fbe-a5b6-d3ad703fe32c
:END:
Consult provides better implementations for several user functions, e.g. =consult-line= or =consult-outline=.
The big winner here are the convenient keybinds being setup here for general use. Also, I setup vim-navigation for minibuffer completions. =consult-buffer= is set twice because I am still used to that weird =C-M-j= command that I chose for =ivy-switch-buffer= when I first started using Emacs. I want to move to the other command but for now it is not feasible to delete the other one.
#+begin_src emacs-lisp
(use-package consult
:custom
(consult-fontify-max-size 1024)
:bind
(("C-x b" . consult-buffer)
("C-c " . consult-global-mark)
("C-c C-a" . consult-org-agenda)
("C-x O" . consult-org-heading)
("C-M-j" . consult-buffer)
("C-s" . consult-line)
("M-g M-g" . consult-goto-line)
("M-g i" . consult-imenu)
("M-s M-s" . consult-line-multi)
:map minibuffer-local-map
("C-j" . next-line)
("C-k" . previous-line)))
#+end_src
***** embark
:PROPERTIES:
:CUSTOM_ID: h:1c564ee5-ccd7-48be-b69a-d963400c4704
:END:
Embark allows acting on the results in the minibuffer while the completion is still ongoing - this is extremely useful since it allows to, for example, read the documentation for several functions without closing the help search. It can also collect the results of a grep operation into a seperate buffer that edits the result in their original location.
I have stripped down the embark keybinds heavily. It is very useful to me even in it's current state, but it quickly becomes overwhelming. =embark-dwim= acts on a candidate without closing the minibuffer, which is very useful. =embark-act= lets the user choose from all actions, but has an overwhelming interface.
#+begin_src emacs-lisp
(use-package embark
:bind
(("C-." . embark-act)
("M-." . embark-dwim)
("C-h B" . embark-bindings)
("C-c c" . embark-collect))
:custom
(prefix-help-command #'embark-prefix-help-command)
(embark-quit-after-action '((t . nil)))
:config
(add-to-list 'display-buffer-alist
'("\\`\\*Embark Collect \\(Live\\|Completions\\)\\*"
nil
(window-parameters (mode-line-format . none)))))
#+end_src
***** embark-consult
:PROPERTIES:
:CUSTOM_ID: h:6287551c-a6f7-4870-b3f3-210d6f038b6f
:END:
Provides previews for embark.
#+begin_src emacs-lisp
(use-package embark-consult
:after (embark consult)
:demand t ; only necessary if you have the hook below
;; if you want to have consult previews as you move around an
;; auto-updating embark collect buffer
:hook
(embark-collect-mode . consult-preview-at-point-mode))
#+end_src
***** marginalia
:PROPERTIES:
:CUSTOM_ID: h:f32040a4-882f-4e6b-97f1-a0105c44c034
:END:
Marginalia adds more information to completion results.
I set the annotation-mode of marginalia to =heavy=. This gives even more information on the stuff that you are looking at. One thing I am missing from ivy is the highlighting on =mode=-commands based on the current state of the mode. Also, I do not understand all the shorthands used by marginalia yet.
#+begin_src emacs-lisp
(use-package marginalia
:after vertico
:bind (:map minibuffer-local-map
("M-A" . marginalia-cycle))
:init
(marginalia-mode)
;; (setq marginalia-annotators '(marginalia-annotators-heavy marginalia-annotators-light nil))
)
#+end_src
***** nerd-icons-completion
:PROPERTIES:
:CUSTOM_ID: h:d70ec2fb-da43-4523-9ee4-774ececdb80e
:END:
As stated above, this simply provides nerd-icons to the completion framework.
It is originally enabled here: [[#h:eb0ea526-a83a-4664-b3a1-2b40d3a31493][Icons]]
#+begin_src emacs-lisp
(use-package nerd-icons-completion
:after (marginalia nerd-icons)
:hook (marginalia-mode . nerd-icons-completion-marginalia-setup)
:init
(nerd-icons-completion-mode))
#+end_src
**** Helpful + which-key: Better help defaults
:PROPERTIES:
:CUSTOM_ID: h:cbf6bd48-2503-489a-89da-e3359564e989
:END:
This pair of packages provides information on keybinds in addition to function names, which makes it easier to remember keybinds (=which-key=). The =helpful= package provides a better =Help= framework for Emacs. For some reason, the Help windows are always being focused by the cursor even though I have set =help-window-select= to nil. I do not understand why.
#+begin_src emacs-lisp
(use-package which-key
:init (which-key-mode)
:diminish which-key-mode
:custom
(which-key-idle-delay 0.3))
(use-package helpful
:bind
(("C-h f" . helpful-callable)
("C-h v" . helpful-variable)
("C-h k" . helpful-key)
("C-h C-." . helpful-at-point))
:custom
(help-window-select nil))
#+end_src
*** Ligatures
:PROPERTIES:
:CUSTOM_ID: h:bbbd9cc8-3a84-4810-a3d5-b8536a5fbda1
:END:
Personally, I think ligatures are fancy. With this mode, they stay 'cursorable'. However, I do not need them in all modes, so I only use them in programming modes.
#+begin_src emacs-lisp
(use-package ligature
:init
(global-ligature-mode t)
:config
(ligature-set-ligatures 'prog-mode
'("|||>" "<|||" "<==>" "" "---" "-<<"
"<~~" "<~>" "<*>" "<||" "<|>" "<$>" "<==" "<=>" "<=<" "<->"
"<--" "<-<" "<<=" "<<-" "<<<" "<+>" "" "###" "#_(" "..<"
"..." "+++" "/==" "///" "_|_" "www" "&&" "^=" "~~" "~@" "~="
"~>" "~-" "**" "*>" "*/" "||" "|}" "|]" "|=" "|>" "|-" "{|"
"[|" "]#" "::" ":=" ":>" ":<" "$>" "==" "=>" "!=" "!!" ">:"
">=" ">>" ">-" "-~" "-|" "->" "--" "-<" "<~" "<*" "<|" "<:"
"<$" "<=" "<>" "<-" "<<" "<+" "" "++" "?:" "?="
"?." "??" "/*" "/=" "/>" "//" "__" "~~" "(*" "*)" "\\\\"
"://" ";;")))
#+end_src
*** Popup (popper) + Shackle Buffers
:PROPERTIES:
:CUSTOM_ID: h:e9d40e63-0e1f-47df-98f7-5427992588a4
:END:
The popper package allows to declare different buffers as 'popup-type', which sort of acts like a scratchpad. It can be toggled at any time using =popper-toggle= and the resulting frame can be freely customized (with =shackle=) to a certain size. It is also possible to prevent a buffer from appearing - I do this for example to the =*Warnings*= buffer, since usually I am not interested in it's output.
=popper-echo-mode= shows all buffers that are currently stored as a popup in the echo area when a popup is opened - this is useful since you can cycle between all popup buffers.
#+begin_src emacs-lisp
(use-package popper
:bind (("M-[" . popper-toggle))
:init
(setq popper-reference-buffers
'("\\*Messages\\*"
("\\*Warnings\\*" . hide)
"Output\\*$"
"\\*Async Shell Command\\*"
"\\*Async-native-compile-log\\*"
help-mode
helpful-mode
"*Occur*"
"*scratch*"
"*julia*"
"*Python*"
"*rustic-compilation*"
"*cargo-run*"
;; ("*tex-shell*" . hide)
(compilation-mode . hide)))
(popper-mode +1)
(popper-echo-mode +1))
(use-package shackle
:config
(setq shackle-rules '(("*Messages*" :select t :popup t :align right :size 0.3)
("*Warnings*" :ignore t :popup t :align right :size 0.3)
("*Occur*" :select t :popup t :align below :size 0.2)
("*scratch*" :select t :popup t :align below :size 0.2)
("*Python*" :select t :popup t :align below :size 0.2)
("*rustic-compilation*" :select t :popup t :align below :size 0.4)
("*cargo-run*" :select t :popup t :align below :size 0.2)
("*tex-shell*" :ignore t :popup t :align below :size 0.2)
(helpful-mode :select t :popup t :align right :size 0.35)
(help-mode :select t :popup t :align right :size 0.4)))
(shackle-mode 1))
#+end_src
*** Indicate first and last line of buffer
:PROPERTIES:
:CUSTOM_ID: h:a6d23c8c-125f-4e36-af30-ff0a1e0d5a28
:END:
This places little angled indicators on the fringe of a window which indicate buffer boundaries. This is not super useful, but makes use of a space that I want to keep for aesthetic reasons anyways and makes it a bit more useful in the process.
#+begin_src emacs-lisp
(setq-default indicate-buffer-boundaries t)
#+end_src
*** Authentication
:PROPERTIES:
:CUSTOM_ID: h:053a36bf-168f-4f63-a0c4-f0139dc6cc3b
:END:
This defines the authentication sources used by =org-calfw= ([[#h:c760f04e-622f-4b3e-8916-53ca8cce6edc][Calendar]]) and [[#h:1a8585ed-d9f2-478f-a132-440ada1cde2c][Forge]].
This file is written using home-manager [[#h:d87d80fd-2ac7-4f29-b338-0518d06b4deb][sops]] in [[#h:c05d1b64-7110-4151-b436-46bc447113b4][Home-manager: Emacs]]
#+begin_src emacs-lisp
;; (setq auth-sources '( "~/.emacs.d/.caldav" "~/.emacs.d/.authinfo.gpg")
;; auth-source-cache-expiry nil) ; default is 2h
(setq auth-sources '( "~/.emacs.d/.authinfo")
auth-source-cache-expiry nil)
#+end_src
** Modules
:PROPERTIES:
:CUSTOM_ID: h:f2622fd3-7f14-47a8-8c21-33574fcbf14b
:END:
This section houses all configuration bits that are related to a specific package that is not fundamental to my Emacs experience.
At some point this will receive further sorting, but for now this is good enough.
*** Org Mode
:PROPERTIES:
:CUSTOM_ID: h:99544398-72af-4382-b8e1-01b2221baff4
:END:
org-mode is probably my most-used mode in Emcas. It acts as my organizer, config management tool and calender even.
Note that nearly all headings within the =Org-mode= heading are coded within the =use-package= setup, so be very careful about moving stuff about here.
**** General org-mode
:PROPERTIES:
:CUSTOM_ID: h:877c9401-a354-4e44-a235-db1a90d19e00
:END:
This sets up the basic org-mode. I wrote a function to handle some of the initial org-mode behaviour in [[#h:06b77d28-3fd5-4554-8c7d-32c1b0ec8da5][org-mode setup.
]]
This part of the configuration mostly makes some aesthetic changes, enables neat LaTeX and points Emacs to some files that it needs for org-mode
#+begin_src emacs-lisp
(defun swarsel/org-agenda-done-and-archive ()
"Mark TODO at point as DONE, archive it, and save all agenda files."
(interactive)
(let ((org-archive-location "~/Org/Archive.org::Archive"))
(org-agenda-todo "DONE")
(org-agenda-archive)
(dolist (buf (buffer-list))
(with-current-buffer buf
(when (and buffer-file-name
(string-prefix-p (expand-file-name "~/Org/") (file-truename buffer-file-name))
(derived-mode-p 'org-mode))
(save-buffer))))))
(with-eval-after-load 'org-agenda
(define-key org-agenda-mode-map (kbd "C-a") #'swarsel/org-agenda-done-and-archive))
(use-package org
;;:diminish (org-indent-mode)
:hook (org-mode . swarsel/org-mode-setup)
;; :mode "\\.nix\\'"
:bind
(("C-" . org-fold-outer)
("C-c s" . org-store-link))
:custom
(org-html-htmlize-output-type nil)
(org-fold-core-style 'overlays)
(org-src-preserve-indentation nil)
(org-src-fontify-natively t)
(org-export-with-broken-links 'mark)
(org-confirm-babel-evaluate nil)
:config
(setq org-ellipsis " ⤵"
org-link-descriptive t
org-hide-emphasis-markers t)
(setq org-startup-folded t)
(setq org-support-shift-select t)
(setq org-agenda-start-with-log-mode t)
(setq org-fontify-quote-and-verse-blocks t)
(setq org-log-done 'time)
(setq org-log-into-drawer t)
(setq org-startup-with-inline-images t)
(setq org-export-headline-levels 6)
(setq org-image-actual-width nil)
(setq org-format-latex-options '(:foreground "White" :background default :scale 2.0 :html-foreground "Black" :html-background "Transparent" :html-scale 1.0 :matchers ("begin" "$1" "$" "$$" "\\(" "\\[")))
(setq org-agenda-files '("/home/swarsel/Org/Tasks.org"
"/home/swarsel/Org/Archive.org"
))
(setq org-capture-templates
'(("t" "Todo" entry (file+headline "~/Org/Tasks.org" "Inbox")
"* TODO %?\n %i\n %a")
("j" "Journal" entry (file+olp+datetree "~/Org/Journal.org")
"* %?\nEntered on %U\n %i\n %a")))
(setq org-refile-targets
'((swarsel-archive-org-file :maxlevel . 1)
(swarsel-tasks-org-file :maxlevel . 1)))
(org-babel-do-load-languages
'org-babel-load-languages
'((emacs-lisp . t)
(python . t)
(js . t)
(shell . t)))
(set-face-attribute 'org-block nil :foreground nil :inherit 'fixed-pitch)
(set-face-attribute 'org-table nil :inherit 'fixed-pitch)
(set-face-attribute 'org-formula nil :inherit 'fixed-pitch)
(set-face-attribute 'org-code nil :inherit '(shadow fixed-pitch))
(set-face-attribute 'org-quote nil :inherit '(shadow fixed-pitch))
(set-face-attribute 'org-verse nil :inherit '(shadow fixed-pitch))
(set-face-attribute 'org-verbatim nil :inherit '(shadow fixed-pitch))
(set-face-attribute 'org-special-keyword nil :inherit '(font-lock-comment-face fixed-pitch))
(set-face-attribute 'org-meta-line nil :inherit '(font-lock-comment-face fixed-pitch))
(set-face-attribute 'org-checkbox nil :inherit 'fixed-pitch)
(dolist (face '((org-level-1 . 1.2)
(org-level-2 . 1.1)
(org-level-3 . 1.0)
(org-level-4 . 1.0)
(org-level-5 . 1.0)
(org-level-6 . 1.0)
(org-level-7 . 1.0)
(org-level-8 . 1.0)))
(set-face-attribute (car face) nil :font swarsel/variable-font :weight 'medium :height (cdr face)))
(add-to-list 'org-src-lang-modes '("conf-unix" . conf-unix))
(advice-add 'org-babel-tangle-single-block :around #'swarsel/org-babel-tangle-single-block-advice)
(advice-add 'org-babel-tangle :around #'swarsel/org-babel-tangle-timing-advice)
(require 'org-tempo)
(add-to-list 'org-structure-template-alist '("sh" . "src shell"))
(add-to-list 'org-structure-template-alist '("el" . "src emacs-lisp"))
(add-to-list 'org-structure-template-alist '("py" . "src python :results output"))
(add-to-list 'org-structure-template-alist '("nix" . "src nix-ts :tangle"))
(add-to-list 'org-structure-template-alist '("ne" . "bash :exports both"))
)
#+end_src
**** org-appear
:PROPERTIES:
:CUSTOM_ID: h:62829574-a069-44b8-afb3-401a268d2747
:END:
This package makes emphasis-markers appear when the cursor moves over them. Very useful as I enjoy the clean look of not always seeing them, but it is annoying not to be able to edit them properly.
#+begin_src emacs-lisp
(use-package org-appear
:hook (org-mode . org-appear-mode)
:init
(setq org-appear-autolinks t)
(setq org-appear-autokeywords t)
(setq org-appear-autoentities t)
(setq org-appear-autosubmarkers t))
#+end_src
**** Centered org-mode Buffers
:PROPERTIES:
:CUSTOM_ID: h:bbcfa895-4d46-4b1d-b84e-f634e982c46e
:END:
I like org-mode buffers to be centered, as I do not find that enormous lines are of big use.
Function definition in: [[#h:fa710375-2efe-49b4-af6a-a875aca6e4a2][Visual-fill column]]
#+begin_src emacs-lisp
(use-package visual-fill-column
:hook (org-mode . swarsel/org-mode-visual-fill))
#+end_src
**** aucTex
:PROPERTIES:
:CUSTOM_ID: h:4696e2fc-3296-47dc-8fc3-66912c329d4c
:END:
This provides several utilities for LaTeX in Emacs, including many completions and convenience functions for math-mode.
#+begin_src emacs-lisp
(use-package auctex
:hook ((LaTeX-mode . visual-line-mode)
(LaTeX-mode . flyspell-mode)
(LaTeX-mode . LaTeX-math-mode)
(LaTeX-mode . reftex-mode))
:custom
(TeX-auto-save t)
(TeX-save-query nil)
(TeX-parse-self t)
(TeX-engine 'luatex)
(TeX-master nil)
(LaTeX-electric-left-right-brace t)
(font-latex-fontify-script nil)
(TeX-electric-sub-and-superscript t))
#+end_src
**** org-fragtog
:PROPERTIES:
:CUSTOM_ID: h:a02b1162-3e19-46f1-8efc-9f375971645c
:END:
This package automatically toggles LaTeX-fragments in org-files. It seems to also work in markdown-files which is a nice addition, as my Obsidian notes are held in markdown.
#+begin_src emacs-lisp
(use-package org-fragtog
:hook ((org-mode . org-fragtog-mode)
(markdown-mode . org-fragtog-mode)))
#+end_src
**** org-modern
:PROPERTIES:
:CUSTOM_ID: h:95b42e77-767c-4461-9ba8-b1c1cd18266c
:END:
This just makes org-mode a little bit more beautiful, mostly by making the =begin_src= and =end_src= tags in source-blocks turn into more beautiful icons, as well as hiding =#+= tags before them, as well as in the properties section of the file.
#+begin_src emacs-lisp
(use-package org-modern
:config (setq org-modern-block-name
'((t . t)
("src" "»" "∥")))
:hook (org-mode . org-modern-mode))
#+end_src
**** Presentations (org-present)
:PROPERTIES:
:CUSTOM_ID: h:4e11a845-a7bb-4eb5-b4ce-5b2f52e07425
:END:
Recently I have grown fond of holding presentations using Emacs.
When holding presentations, I think it is important to not have too many distractions on your slides. org-present just shows a plain background, is very responsive, and it is still an org buffer (so you can e.g. run source block codes while in the presentation).
#+begin_src emacs-lisp
(use-package org-present
:bind (:map org-present-mode-keymap
("q" . org-present-quit)
("" . swarsel/org-present-prev)
("<up>" . 'ignore)
("<down>" . 'ignore)
("" . swarsel/org-present-next))
:hook ((org-present-mode . swarsel/org-present-start)
(org-present-mode-quit . swarsel/org-present-end))
:config
(add-hook 'org-present-after-navigate-functions #'swarsel/org-present-slide)
(setq org-present-startup-folded t)
)
(use-package hide-mode-line)
(defun swarsel/org-reveal-at-point ()
"Reveal the org entry at point if it is a heading."
(when (and (derived-mode-p 'org-mode)
(org-at-heading-p))
(org-show-entry)
(org-show-children)))
(defun swarsel/org-present-maybe-read-only ()
"Toggle read-only based on whether cursor is inside a src block."
(if (org-in-src-block-p)
(when buffer-read-only
(org-present-read-write)
(evil-insert-state 1))
(unless buffer-read-only
(org-present-read-only)
(evil-insert-state 1))))
(defun swarsel/org-present-narrow (orig-fn &rest args)
(cl-letf (((symbol-function 'show-all) #'ignore))
(apply orig-fn args))
(org-overview)
(org-show-entry))
(advice-add 'org-present-narrow :around #'swarsel/org-present-narrow)
(defun swarsel/org-present-start ()
(setq-local face-remapping-alist `((default (:height 1.5) variable-pitch)
(header-line (:height 4.0) variable-pitch)
(org-document-title (:height 2.75) org-document-title)
(org-code (:height 1.2) org-code)
(org-verbatim (:family ,swarsel/fixed-font :height 1.0) org-verbatim)
(org-quote (:height 1.0) org-quote)
(org-verse (:height 1.0) org-verse)
(org-table (:family ,swarsel/fixed-font :weight regular :height 1.0) org-table)
(org-block (:height 0.9) org-block)
(org-link (:underline nil) org-link)
(org-block-begin-line (:height 0.7) org-block)
))
(setq header-line-format " ")
(setq visual-fill-column-width 150)
(setq indicate-buffer-boundaries nil)
(setq inhibit-message nil)
(setq org-babel-eval-error-notify t)
;; (breadcrumb-mode 0)
(org-display-inline-images)
(global-hl-line-mode 0)
;; (display-line-numbers-mode 0)
;; (org-modern-mode 0)
(evil-insert-state 1)
(org-present-read-only)
;; (org-present-hide-cursor)
(org-overview) ; fold everything on start
(add-hook 'post-command-hook #'swarsel/org-reveal-at-point nil t)
(add-hook 'post-command-hook #'swarsel/org-present-maybe-read-only nil t)
)
(defun swarsel/org-present-end ()
(setq-local face-remapping-alist `((org-verbatim (:family ,swarsel/fixed-font :weight regular)
org-verbatim)
(org-table (:family ,swarsel/fixed-font :weight regular) org-table)
(org-meta-line (:family ,swarsel/fixed-font :weight regular) org-meta-line)
(org-formula (:family ,swarsel/fixed-font :weight regular) org-formula)
(org-checkbox (:family ,swarsel/fixed-font :weight regular) org-checkbox)
(org-latex-and-related (:family ,swarsel/fixed-font :weight regular)
org-latex-and-related)
(org-indent (:family ,swarsel/fixed-font :weight regular) org-indent)
(org-code (:family ,swarsel/fixed-font :weight regular) org-code)
(org-document-info-keyword (:family ,swarsel/fixed-font :weight regular)
org-document-info-keyword)
(org-block-end-line (:family ,swarsel/fixed-font :weight regular) org-block-end-line)
(org-block-begin-line (:family ,swarsel/fixed-font :weight regular)
org-block-begin-line)
(org-block (:family ,swarsel/fixed-font :weight regular) org-block)
(mu4e-compose-header-face (:family ,swarsel/fixed-font :weight regular)
mu4e-compose-header-face)
(mu4e-compose-separator-face (:family ,swarsel/fixed-font :weight regular)
mu4e-compose-separator-face)
(mu4e-contact-face (:family ,swarsel/fixed-font :weight regular) mu4e-contact-face)
(mu4e-link-face (:family ,swarsel/fixed-font :weight regular) mu4e-link-face)
(mu4e-header-value-face (:family ,swarsel/fixed-font :weight regular)
mu4e-header-value-face)
(mu4e-header-key-face (:family ,swarsel/fixed-font :weight regular)
mu4e-header-key-face)
(message-header-other (:family ,swarsel/fixed-font :weight regular)
message-header-other)
(message-header-subject (:family ,swarsel/fixed-font :weight regular)
message-header-subject)
(message-header-xheader (:family ,swarsel/fixed-font :weight regular)
message-header-xheader)
(message-header-newsgroups (:family ,swarsel/fixed-font :weight regular)
message-header-newsgroups)
(message-header-cc (:family ,swarsel/fixed-font :weight regular) message-header-cc)
(message-header-to (:family ,swarsel/fixed-font :weight regular) message-header-to)
(message-header-name (:family ,swarsel/fixed-font :weight regular)
message-header-name)
(markdown-math-face (:family ,swarsel/fixed-font :weight regular) markdown-math-face)
(markdown-language-keyword-face (:family ,swarsel/fixed-font :weight regular)
markdown-language-keyword-face)
(markdown-language-info-face (:family ,swarsel/fixed-font :weight regular)
markdown-language-info-face)
(markdown-inline-code-face (:family ,swarsel/fixed-font :weight regular)
markdown-inline-code-face)
(markdown-gfm-checkbox-face (:family ,swarsel/fixed-font :weight regular)
markdown-gfm-checkbox-face)
(markdown-code-face (:family ,swarsel/fixed-font :weight regular) markdown-code-face)
(line-number-minor-tick (:family ,swarsel/fixed-font :weight regular)
line-number-minor-tick)
(line-number-major-tick (:family ,swarsel/fixed-font :weight regular)
line-number-major-tick)
(line-number-current-line (:family ,swarsel/fixed-font :weight regular)
line-number-current-line)
(line-number (:family ,swarsel/fixed-font :weight regular) line-number)
(font-lock-variable-name-face (:family ,swarsel/fixed-font :weight regular)
font-lock-variable-name-face)
(font-lock-type-face (:family ,swarsel/fixed-font :weight regular)
font-lock-type-face)
(font-lock-string-face (:family ,swarsel/fixed-font :weight regular)
font-lock-string-face)
(font-lock-regexp-grouping-construct (:family ,swarsel/fixed-font :weight regular)
font-lock-regexp-grouping-construct)
(font-lock-regexp-grouping-backslash (:family ,swarsel/fixed-font :weight regular)
font-lock-regexp-grouping-backslash)
(font-lock-preprocessor-face (:family ,swarsel/fixed-font :weight regular)
font-lock-preprocessor-face)
(font-lock-negation-char-face (:family ,swarsel/fixed-font :weight regular)
font-lock-negation-char-face)
(font-lock-keyword-face (:family ,swarsel/fixed-font :weight regular)
font-lock-keyword-face)
(font-lock-function-name-face (:family ,swarsel/fixed-font :weight regular)
font-lock-function-name-face)
(font-lock-doc-face (:family ,swarsel/fixed-font :weight regular) font-lock-doc-face)
(font-lock-constant-face (:family ,swarsel/fixed-font :weight regular)
font-lock-constant-face)
(font-lock-comment-delimiter-face (:family ,swarsel/fixed-font :weight regular)
font-lock-comment-delimiter-face)
(font-lock-builtin-face (:family ,swarsel/fixed-font :weight regular)
font-lock-builtin-face)
(font-latex-sectioning-5-face (:family ,swarsel/fixed-font :weight regular)
font-latex-sectioning-5-face)
(font-latex-warning-face (:family ,swarsel/fixed-font :weight regular)
font-latex-warning-face)
(font-latex-sedate-face (:family ,swarsel/fixed-font :weight regular)
font-latex-sedate-face)
(font-latex-math-face (:family ,swarsel/fixed-font :weight regular)
font-latex-math-face)
(diff-removed (:family ,swarsel/fixed-font :weight regular) diff-removed)
(diff-hunk-header (:family ,swarsel/fixed-font :weight regular) diff-hunk-header)
(diff-header (:family ,swarsel/fixed-font :weight regular) diff-header)
(diff-function (:family ,swarsel/fixed-font :weight regular) diff-function)
(diff-file-header (:family ,swarsel/fixed-font :weight regular) diff-file-header)
(diff-context (:family ,swarsel/fixed-font :weight regular) diff-context)
(diff-added (:family ,swarsel/fixed-font :weight regular) diff-added)
(default (:family "Sans Serif" :weight light) variable-pitch default)
))
(setq header-line-format nil)
(setq visual-fill-column-width 150)
(setq indicate-buffer-boundaries t)
(setq inhibit-message nil)
(setq org-babel-no-eval-on-error nil)
;; (breadcrumb-mode 1)
(global-hl-line-mode 1)
;; (display-line-numbers-mode 1)
(org-remove-inline-images)
;; (org-modern-mode 1)
(evil-normal-state 1)
;; (org-present-show-cursor)
(remove-hook 'post-command-hook #'swarsel/org-reveal-at-point t)
(remove-hook 'post-command-hook #'swarsel/org-present-maybe-read-only t)
)
(defun swarsel/org-present-slide-open ()
(org-overview)
(org-show-entry)
(org-show-children)
)
(defun swarsel/org-present-prev ()
(interactive)
(beginning-of-buffer)
(org-present-prev)
(swarsel/org-present-slide-open)
)
(defun swarsel/org-present-next ()
(interactive)
(let* ((next-heading (save-excursion
(when (outline-next-heading) (point))))
(next-block (save-excursion
(when (re-search-forward "^#\\+begin_src" nil t)
(match-beginning 0))))
(target (cond
((and next-heading next-block) (min next-heading next-block))
(next-heading next-heading)
(next-block next-block)
(t nil))))
(if (and target (< target (point-max)))
(progn
(goto-char target)
(org-fold-show-entry)
(unless (pos-visible-in-window-p (point-max))
(recenter 0)))
(org-present-next))))
#+end_src
**** Render markdown blocks as body to expand noweb blocks
:PROPERTIES:
:CUSTOM_ID: h:d4137200-7f91-43d9-9550-e0b6bfda1683
:END:
I have written this function to allow me to get a preview of the information that is gathered throughout the file and aggregated in [[#h:ed34ee4d-31f9-4d27-bc6e-ba37ee502d5a][Manual steps when setting up a new machine]]. Normally, running a markdown source block does nothing in Emacs. Hence, I just let it return the output, which inserts the noweb-ref blocks.
#+begin_src emacs-lisp
(defun org-babel-execute:markdown (body params)
"Just return BODY unchanged, allowing noweb expansion."
body)
#+end_src
*** Nix Mode
:PROPERTIES:
:CUSTOM_ID: h:406c2ecc-0e3e-4d9f-9ae3-3eb1f8b87d1b
:END:
This adds a nix mode to Emacs. This has become increasingly useful since I have added [[#h:cd552ba1-4db1-4605-8ead-4fcb6a466826][lsp-mode in org-src blocks]], because since that time, I am now able to actually make use of major modes while I theoretically stay in org-mode.
It supports all functions that I normally need. Note that getting completions for flake inputs is a bit finnicky and I am not quite fond of it yet.
#+begin_src emacs-lisp
(use-package nix-mode
:after lsp-mode
:ensure t
:hook
(nix-mode . lsp-deferred) ;; So that envrc mode will work
:custom
(lsp-disabled-clients '((nix-mode . nix-nil))) ;; Disable nil so that nixd will be used as lsp-server
:config
(setq lsp-nix-nixd-server-path "nixd"
lsp-nix-nixd-formatting-command [ "nixpkgs-fmt" ]
lsp-nix-nixd-nixpkgs-expr "import (builtins.getFlake \"/home/swarsel/.dotfiles\").inputs.nixpkgs { }"
lsp-nix-nixd-nixos-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.pyramid.options"
lsp-nix-nixd-home-manager-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.pyramid.options.home-manager.users.type.getSubOptions []"
))
(use-package nix-ts-mode
:after lsp-mode
:mode "\\.nix\\'" "\\.nix\\.enc\\'"
:ensure t
:hook
(nix-ts-mode . lsp-deferred) ;; So that envrc mode will work
:custom
(lsp-disabled-clients '((nix-ts-mode . nix-nil))) ;; Disable nil so that nixd will be used as lsp-server
:config
(setq lsp-nix-nixd-server-path "nixd"
lsp-nix-nixd-formatting-command [ "nixpkgs-fmt" ]
lsp-nix-nixd-nixpkgs-expr "import (builtins.getFlake \"/home/swarsel/.dotfiles\").inputs.nixpkgs { }"
lsp-nix-nixd-nixos-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.pyramid.options"
lsp-nix-nixd-home-manager-options-expr "(builtins.getFlake \"/home/swarsel/.dotfiles\").nixosConfigurations.pyramid.options.home-manager.users.type.getSubOptions []"
))
#+end_src
*** HCL Mode
:PROPERTIES:
:CUSTOM_ID: h:e8074881-3441-4abd-b25b-358a87e7984f
:END:
This adds support for Hashicorp Configuration Language. Used at work, it is mostly a [[#h:7834adb0-fbd3-4136-bdb7-6dbc9a083296][Terraform Mode]] that does not support autoformatting upon save. It still is nice :)
#+begin_src emacs-lisp
(use-package hcl-mode
:mode "\\.hcl\\'"
:custom
(hcl-indent-level 2))
#+end_src
*** Jenkinsfile/Groovy
:PROPERTIES:
:CUSTOM_ID: h:c9e3ffd7-4fb1-4a04-8563-92ceec4b4410
:END:
This adds support for Groovy, which I specifically need to work with Jenkinsfiles. Similar to [[id:7aa9803f-b419-40fa-aafc-4bb934c8f687][HCL Mode]], it just provides some nice functions.
#+begin_src emacs-lisp
(use-package groovy-mode)
(use-package jenkinsfile-mode
:mode "Jenkinsfile")
#+end_src
*** Ansible
:PROPERTIES:
:CUSTOM_ID: h:77fa79d8-81d5-46f2-82f9-8e2922538d44
:END:
This is supposed to provide auto-completion when turned on. Of course I cannot globally turn this on since it would run in any =.yaml= file then, but even when manually started, it seems to do nothing. This would be nice at work.
#+begin_src emacs-lisp
(use-package ansible)
#+end_src
*** Dockerfile
:PROPERTIES:
:CUSTOM_ID: h:534d8729-4422-4f0c-9ae6-d3737d4a6dd3
:END:
This adds support for Dockerfiles in a similar way to [[id:ebd53be9-c38a-4a0f-a7b4-eee30a0074fc][Jenkinsfile/Groovy]].
#+begin_src emacs-lisp
(use-package dockerfile-mode
:mode "Dockerfile")
#+end_src
*** Terraform Mode
:PROPERTIES:
:CUSTOM_ID: h:7834adb0-fbd3-4136-bdb7-6dbc9a083296
:END:
This adds support for Terraform configuration files. This is basically the same as the [[id:7aa9803f-b419-40fa-aafc-4bb934c8f687][HCL Mode]] mode as the languages are very similar.
#+begin_src emacs-lisp
(use-package terraform-mode
:mode "\\.tf\\'"
:hook (terraform-mode . outline-minor-mode)
:custom
(terraform-indent-level 2)
(terraform-format-on-save t))
#+end_src
*** nix formatting
:PROPERTIES:
:CUSTOM_ID: h:5ca7484b-b9d6-4023-88d1-a1e37d5df249
:END:
Adds functions for formatting nix code. I make huge use of this using the chords =C- o b= (org-babel-mark-block) and then =C- o n= (nixpkgs-fmt-region). This is what I use to keep my nix org-src-blocks formatted. However, using [[id:a67adf2f-20ce-49d6-ba6b-0341ca3d9972][org-mode: Upon-save actions (Auto-tangle, export to html, formatting)]], the resulting tangled files will be formatted in any case.
Note that for files that are not managed using this file (which there should normally not be many of), we can still use =nix fmt= for running treefmt for formatting and checks.
#+begin_src emacs-lisp
(use-package nixpkgs-fmt)
#+end_src
*** shfmt
:PROPERTIES:
:CUSTOM_ID: h:489a71c4-38af-44a3-a9ef-8b1ed1ee4ac4
:END:
Adds functions for formatting shellscripts. Similarly to [[id:460a47fd-cddc-4080-9eba-6724fc63606e][nix formatting]]m I use this using the chords =C- o b= (org-babel-mark-block) and then =C- o s= (shfmt-region). This is what I use to keep shell script blocks formatted in this file. This is also handled by treefmt, but still, I want this file to stay organized as well.
#+begin_src emacs-lisp
(use-package shfmt
:custom
(shfmt-command "shfmt")
(shfmt-arguments '("-i" "4" "-s" "-sr")))
#+end_src
*** Markdown Mode
:PROPERTIES:
:CUSTOM_ID: h:50327461-a11b-4e81-830a-90febc720cfa
:END:
**** Mode
:PROPERTIES:
:CUSTOM_ID: h:734dc40a-a2c4-4839-b884-cb99b81aa6fe
:END:
Adds a mode for markdown, specifically MultiMarkdown, which allows me to render LaTeX and other nice things.
#+begin_src emacs-lisp
(use-package markdown-mode
:ensure t
:mode ("README\\.md\\'" . gfm-mode)
:init
(setq markdown-command "multimarkdown")
:hook (markdown-mode . swarsel/markdown-mode-keys)
:bind (:map markdown-mode-map
("C-c C-e" . markdown-do)
("C-c C-x C-l" . org-latex-preview)
("C-c C-x C-u" . markdown-toggle-url-hiding)))
#+end_src
**** LaTeX in Markdown
:PROPERTIES:
:CUSTOM_ID: h:8d90fe51-0b32-423a-a159-4f853bc29b68
:END:
Allows me to render LaTeX just where I write it. I do not need this as much anymore, but during my studies this was very valuable to me.
#+begin_src emacs-lisp :tangle no
;; Keybindings are configured in use-package markdown-mode above.
#+end_src
*** elfeed
:PROPERTIES:
:CUSTOM_ID: h:a83c5820-2016-44ae-90a0-4756bb471c01
:END:
This adds elfeed, a neat RSS reader for Emacs. I use this as a client for [[#h:9da3df74-6fc5-4ee1-a345-23ab4e8a613d][FreshRSS]]. While I read most of my feeds on my phone (using Capy Reader), it is still good to have an Emacs-native reader as well. Some time ago I was still running a separate Emacs instance on my server: [[id:0e07e2fb-adc4-4fd8-9b54-0a59338a471e][Emacs elfeed (RSS Server)]]. This instance would then sync the read feeds to other instances. This was very brittle however and is only left as a historical note.
#+begin_src emacs-lisp
(use-package elfeed
:custom
(elfeed-db-directory "~/.elfeed/db/")
(elfeed-use-curl t)
(elfeed-set-timeout 36000)
:config
(define-key elfeed-show-mode-map (kbd ";") #'visual-fill-column-mode)
(define-key elfeed-show-mode-map (kbd "j") #'elfeed-goodies/split-show-next)
(define-key elfeed-show-mode-map (kbd "k") #'elfeed-goodies/split-show-prev)
(define-key elfeed-search-mode-map (kbd "j") #'next-line)
(define-key elfeed-search-mode-map (kbd "k") #'previous-line)
(define-key elfeed-show-mode-map (kbd "S-SPC") #'scroll-down-command))
(use-package elfeed-goodies
:after elfeed
:config
(elfeed-goodies/setup))
(use-package elfeed-protocol
:after elfeed
:custom
(elfeed-protocol-enabled-protocols '(fever))
(elfeed-protocol-fever-update-unread-only t)
(elfeed-protocol-fever-fetch-category-as-tag t)
:config
(elfeed-protocol-enable)
(let ((domain (getenv "SWARSEL_RSS_DOMAIN")))
(setq elfeed-protocol-feeds
`((,(concat "fever+https://Swarsel@" domain)
:api-url ,(concat "https://" domain "/api/fever.php")
:password-file "~/.emacs.d/.fever")))))
#+end_src
*** Ripgrep
:PROPERTIES:
:CUSTOM_ID: h:87453f1c-8ea5-4d0a-862d-8973d5bc5405
:END:
This is the ripgrep package for Emacs.
#+begin_src emacs-lisp
(use-package rg)
#+end_src
*** Tree-sitter
:PROPERTIES:
:CUSTOM_ID: h:543641d0-02a9-459e-a2d6-96c8fcc06864
:END:
Tree-sitter is a parsing library integrated into Emacs to provide better syntax highlighting and code analysis. It generates concrete syntax trees for source code, enabling more accurate and efficient text processing. Emacs' tree-sitter integration enhances language support, offering features like incremental parsing and precise syntax-aware editing. This improves the development experience by providing robust and dynamic syntax features, making it easier for me to navigate and manipulate code.
In order to update the language grammars, run the next command below. NOTE: since we now load =epkgs.treesit-grammars.with-all-grammars= in [[#h:c05d1b64-7110-4151-b436-46bc447113b4][Home-manager: Emacs]], we actually never run this anymore. I leave it here however for a potential future reader. For safety, I still instruct treesit to install missing grammars on the fly.
#+begin_src emacs-lisp :tangle no :export both
(mapc #'treesit-install-language-grammar (mapcar #'car treesit-language-source-alist))
#+end_src
#+RESULTS:
| bash | c | cmake | cpp | css | elisp | go | html | javascript | json | julia | latex | make | markdown | R | python | typescript | rust | sql | toml | tsx | yaml |
#+begin_src emacs-lisp
;; (use-package emacs
;; :ensure nil
;; :init
;; (setq treesit-language-source-alist
;; '((bash . ("https://github.com/tree-sitter/tree-sitter-bash"))
;; (c . ("https://github.com/tree-sitter/tree-sitter-c"))
;; (cmake . ("https://github.com/uyha/tree-sitter-cmake"))
;; (cpp . ("https://github.com/tree-sitter/tree-sitter-cpp"))
;; (css . ("https://github.com/tree-sitter/tree-sitter-css"))
;; (elisp . ("https://github.com/Wilfred/tree-sitter-elisp"))
;; (go . ("https://github.com/tree-sitter/tree-sitter-go"))
;; (html . ("https://github.com/tree-sitter/tree-sitter-html"))
;; (javascript . ("https://github.com/tree-sitter/tree-sitter-javascript"))
;; (json . ("https://github.com/tree-sitter/tree-sitter-json"))
;; (julia . ("https://github.com/tree-sitter/tree-sitter-julia"))
;; (latex . ("https://github.com/latex-lsp/tree-sitter-latex"))
;; (make . ("https://github.com/alemuller/tree-sitter-make"))
;; (markdown . ("https://github.com/ikatyang/tree-sitter-markdown"))
;; (nix . ("https://github.com/nix-community/tree-sitter-nix"))
;; (R . ("https://github.com/r-lib/tree-sitter-r"))
;; (python . ("https://github.com/tree-sitter/tree-sitter-python"))
;; (typescript . ("https://github.com/tree-sitter/tree-sitter-typescript" "typescript/src" "typescript"))
;; (rust . ("https://github.com/tree-sitter/tree-sitter-rust"))
;; (sql . ("https://github.com/m-novikov/tree-sitter-sql"))
;; (toml . ("https://github.com/tree-sitter/tree-sitter-toml"))
;; (tsx . ("https://github.com/tree-sitter/tree-sitter-typescript" "master" "typescript/src"))
;; (yaml . ("https://github.com/ikatyang/tree-sitter-yaml"))))
;; )
(use-package treesit-auto
:custom
(treesit-auto-install t)
:config
(treesit-auto-add-to-auto-mode-alist 'all)
(global-treesit-auto-mode))
#+end_src
#+RESULTS:
: t
*** direnv (envrc)
:PROPERTIES:
:CUSTOM_ID: h:82ddeef2-99f8-465b-ba36-07c3eaad717b
:END:
In emacs, there are two packages for managing dev environments - emacs-direnv (direnv) and envrc. Direnv uses the global Emacs environment whereas envrc is buffer-local. I do not really care about this difference. What is more important to me is that emacs should not block upon handling a bigger flake.nix while setting up the dev environment. This seems to be better handled by envrc.
#+begin_src emacs-lisp
;; (use-package direnv
;; :custom (direnv-always-show-summary nil)
;; :config (direnv-mode))
(use-package envrc
:hook (after-init . envrc-global-mode))
#+end_src
*** avy
:PROPERTIES:
:CUSTOM_ID: h:efb3f0fd-e846-4df9-ba48-2e45d776f68f
:END:
=avy= provides the ability to search for any character on the screen (not only in the current buffer!) - I enjoy this utility a lot and use it possibly even more often than the native vim commands.
#+begin_src emacs-lisp
(use-package avy
:bind
(("M-o" . avy-goto-char-timer))
:custom
(avy-all-windows 'all-frames))
#+end_src
*** devdocs
:PROPERTIES:
:CUSTOM_ID: h:d9a6cb44-736e-4608-951f-e928e1b757c0
:END:
=devdocs= is a very nice package that provides documentation from [[https:devdocs.io]]. This is very useful since e.g. =pyright= provides only a very bad documentation and I do not want to leave Emacs all the time just to read documentation.
To install a documentation, use the =devdocs=install= command and select the appropriate version. =devdocs-update-all= can be used to download and reinstall all installed documents if a newer version is available. Check documentation with =devdocs-lookup= (=C-SPC h d=).
#+begin_src emacs-lisp
(use-package devdocs
:hook ((python-mode . (lambda () (setq-local devdocs-current-docs '("python~3.12" "numpy~1.23" "matplotlib~3.7" "pandas~1"))))
(python-ts-mode . (lambda () (setq-local devdocs-current-docs '("python~3.12" "numpy~1.23" "matplotlib~3.7" "pandas~1"))))
(c-mode . (lambda () (setq-local devdocs-current-docs '("c"))))
(c-ts-mode . (lambda () (setq-local devdocs-current-docs '("c"))))
(c++-mode . (lambda () (setq-local devdocs-current-docs '("cpp"))))
(c++-ts-mode . (lambda () (setq-local devdocs-current-docs '("cpp")))))
)
; (devdocs-update-all)
#+end_src
*** Projectile
:PROPERTIES:
:CUSTOM_ID: h:5cde5032-251e-4cc4-9202-b4ce996f92c2
:END:
projectile is useful for keeping track of your git projects within Emacs. I mostly use it to quickly switch between projects.
#+begin_src emacs-lisp
(use-package projectile
:diminish projectile-mode
:config (projectile-mode)
:custom ((projectile-completion-system 'auto)) ;; integrate ivy into completion system
:bind-keymap
("C-c p" . projectile-command-map) ; all projectile commands under this
:init
;; NOTE: Set this to the folder where you keep your Git repos!
(when (file-directory-p swarsel-work-projects-directory)
(when (file-directory-p swarsel-private-projects-directory)
(setq projectile-project-search-path (list swarsel-work-projects-directory swarsel-private-projects-directory))))
(setq projectile-switch-project-action #'magit-status))
#+end_src
*** Magit
:PROPERTIES:
:CUSTOM_ID: h:d2c7323d-f8c6-4f23-b70a-930e3e4ecce5
:END:
magit is the best git utility I have ever used - it has a beautiful interface and is very verbose. Here I mostly just setup the list of repositories that I want to expost to magit.
Also, Emacs needs a little extra love to accept my Yubikey for git commits etc. We set that here: [[id:59df9a4c-2a1f-466b-abe2-fbb8524cd0ed][Yubikey support]].
#+begin_src emacs-lisp
(use-package magit
:config
(setq magit-repository-directories `((,swarsel-work-projects-directory . 3)
(,swarsel-private-projects-directory . 3)
("~/.dotfiles/" . 0)))
:custom
(magit-display-buffer-function #'magit-display-buffer-same-window-except-diff-v1)) ; stay in the same window
#+end_src
*** Yubikey support
:PROPERTIES:
:CUSTOM_ID: h:d78709dd-4f79-441c-9166-76f61f90359a
:END:
The following settings are needed to make sure emacs works for magit commits and pushes. It is not a beautiful solution since commiting uses pinentry-emacs and pushing uses pinentry-gtk2, but it works for now at least. This works especially well since I have switched from =pinentry-gtk3= to =pinentry-waypromt=.
#+begin_src emacs-lisp
;; yubikey support for pushing commits
;; commiting is enabled through nixos gpg-agent config
(use-package pinentry
:config
(pinentry-start)
(setq epg-pinentry-mode 'loopback)
(setenv "SSH_AUTH_SOCK" (string-chop-newline (shell-command-to-string "gpgconf --list-dirs agent-ssh-socket"))))
#+end_src
*** Forge
:PROPERTIES:
:CUSTOM_ID: h:1a8585ed-d9f2-478f-a132-440ada1cde2c
:END:
NOTE: Make sure to configure a GitHub token before using this package!
- https://magit.vc/manual/forge/Token-Creation.html#Token-Creation
- https://magit.vc/manual/ghub/Getting-Started.html#Getting-Started
- https://magit.vc/manual/ghub/Storing-a-Token.html
- https://www.emacswiki.org/emacs/GnuPG
(1) in practice: github -<> settings -<> developer option -<>
create classic token with repo; user; read:org permissions
(2)machine api.github.com login USERNAME^forge password 012345abcdef...
The above is handled by [[id:ebb558ed-883a-486f-a6f5-8b283eb735a3][Home-manager: Emacs]] and only here as a historical note. Forge lets me interact with non-core git objects like issues and pull requests from within emacs.
#+begin_src emacs-lisp
(use-package forge
:after magit
:init
(setq forge-add-default-bindings nil))
#+end_src
*** git-timemachine
:PROPERTIES:
:CUSTOM_ID: h:cf5b0e6b-56a5-4a93-99fb-258eb7cb2eb4
:END:
This is just a nice utility to browse different versions of a file of a git project within Emacs.
#+begin_src emacs-lisp
(use-package git-timemachine
:hook (git-time-machine-mode . evil-normalize-keymaps)
:init (setq git-timemachine-show-minibuffer-details t))
#+end_src
*** Delimiters (brackets): rainbow-delimiters, highlight-parentheses
:PROPERTIES:
:CUSTOM_ID: h:d9671ab7-a75a-47c6-a1f4-376d126c9b0a
:END:
- rainbow-delimiters colors all delimiters, also ones not in current selection
- paren highlights the current delimiter selection especially bold
- highlight-parentheses boldly highlights all delimiters in current selection
I am not completely sure on electric-pair-mode yet, sometimes it is very helpful, sometimes it annoys me to no end.
#+begin_src emacs-lisp
(use-package rainbow-delimiters
:hook (prog-mode . rainbow-delimiters-mode))
(use-package highlight-parentheses
:config
(setq highlight-parentheses-colors '("black" "white" "black" "black" "black" "black" "black"))
(setq highlight-parentheses-background-colors '("magenta" "blue" "cyan" "green" "yellow" "orange" "red"))
(global-highlight-parentheses-mode t))
;; (electric-pair-mode 1)
;; (setq electric-pair-preserve-balance t)
;; (setq electric-pair-skip-self nil)
;; (setq electric-pair-delete-adjacent-pairs t)
;; don't skip newline when auto-pairing parenthesis
;; (setq electric-pair-skip-whitespace-chars '(9 32))
;; in org-mode buffers, do not pair < and > in order not to interfere with org-tempo
;; (add-hook 'org-mode-hook (lambda ()
;; (setq-local electric-pair-inhibit-predicate
;; `(lambda (c)
;; (if (char-equal c ?<) t (,electric-pair-inhibit-predicate c))))))
#+end_src
*** rainbow-mode
:PROPERTIES:
:CUSTOM_ID: h:d1a32a69-2f9a-45ef-95fe-a00e3551dc94
:END:
Complimentary to the delimiters-packages above, this package sets the background color of the delimiters, which makes it easier to see at a glance where we are in a delimiter-tree.
#+begin_src emacs-lisp
(use-package rainbow-mode
:hook ((css-mode css-ts-mode web-mode html-mode html-ts-mode) . rainbow-mode))
#+end_src
*** Corfu
:PROPERTIES:
:CUSTOM_ID: h:5653d693-ecca-4c95-9633-66b9e3241070
:END:
This is the company equivalent to the vertico gang.
I dislike the standard behaviour that makes the cursor move into the completion framework on presses of == and ==.
Nerd icons is originally enabled here: [[#h:eb0ea526-a83a-4664-b3a1-2b40d3a31493][Icons]]
Navigation functions defined here: [[#h:a1802f9b-bb71-4fd5-86fa-945da18e8b81][corfu: Do not interrupt navigation]]
#+begin_src emacs-lisp
(use-package corfu
:init
(global-corfu-mode)
(corfu-history-mode)
(corfu-popupinfo-mode) ; Popup completion info
:custom
(corfu-auto t)
(corfu-auto-prefix 3)
(corfu-auto-delay 1)
(corfu-cycle t)
(corfu-quit-no-match 'separator)
(corfu-separator ?\s)
;; (corfu-quit-no-match t)
(corfu-popupinfo-max-height 70)
(corfu-popupinfo-delay '(0.5 . 0.2))
;; (corfu-preview-current 'insert) ; insert previewed candidate
(corfu-preselect 'prompt)
(corfu-on-exact-match nil) ; Don't auto expand tempel snippets
;; Optionally use TAB for cycling, default is `corfu-complete'.
:bind (:map corfu-map
("M-SPC" . corfu-insert-separator)
("" . swarsel/corfu-normal-return)
;; ("C-" . swarsel/corfu-complete)
("S-" . corfu-popupinfo-scroll-down)
("S-" . corfu-popupinfo-scroll-up)
("C-" . corfu-previous)
("C-" . corfu-next)
(" " . swarsel/corfu-quit-and-up)
(" " . swarsel/corfu-quit-and-down))
)
(use-package nerd-icons-corfu
:after corfu
:config
(add-to-list 'corfu-margin-formatters #'nerd-icons-corfu-formatter)
(setq nerd-icons-corfu-mapping
'((array :style "cod" :icon "symbol_array" :face font-lock-type-face)
(boolean :style "cod" :icon "symbol_boolean" :face font-lock-builtin-face)
;; ...
(t :style "cod" :icon "code" :face font-lock-warning-face))))
#+end_src
*** cape
:PROPERTIES:
:CUSTOM_ID: h:c3cc1c12-3ab8-42b7-be07-63f54eac397f
:END:
cape adds even more completion capabilities by adding a lot of completion logic that is exposed as separate functions. I tried out adding these to the =completion-at-points-functions= alist, but I felt like it cluttered my suggestions too much. Hence I now just call the respective functions when I need them. For this I setup the =C-z= keybinding in [[#h:218376e8-086b-46bf-91b3-78295d5d440f][General evil]].
I leave the commented out alist extensions here in case I want to try them out at some point in the future.
#+begin_src emacs-lisp
(use-package cape
:bind
("C-z p" . completion-at-point) ;; capf
("C-z t" . complete-tag) ;; etags
("C-z d" . cape-dabbrev) ;; or dabbrev-completion
("C-z h" . cape-history)
("C-z f" . cape-file)
("C-z k" . cape-keyword)
("C-z s" . cape-elisp-symbol)
("C-z e" . cape-elisp-block)
("C-z a" . cape-abbrev)
("C-z l" . cape-line)
("C-z w" . cape-dict)
("C-z :" . cape-emoji)
("C-z \\" . cape-tex)
("C-z _" . cape-tex)
("C-z ^" . cape-tex)
("C-z &" . cape-sgml)
("C-z r" . cape-rfc1345)
)
#+end_src
*** rust
:PROPERTIES:
:CUSTOM_ID: h:3aa20438-edf6-4b13-a90d-3d5c51239c44
:END:
This sets up rustic-mode with tree-sitter support - there is still one issue to iron out with automatic adding of dependency crates, but everything else works fine now.
#+begin_src emacs-lisp
;;(use-package rustic
;; :init
;; (setq rust-mode-treesitter-derive t)
;; :config
;; (define-key rust-ts-mode-map (kbd "C-c C-c C-r") 'rustic-cargo-run)
;; (define-key rust-ts-mode-map (kbd "C-c C-c C-b") 'rustic-cargo-build)
;; (define-key rust-ts-mode-map (kbd "C-c C-c C-k") 'rustic-cargo-check)
;; (define-key rust-ts-mode-map (kbd "C-c C-c d") 'rustic-cargo-doc)
;; (define-key rust-ts-mode-map (kbd "C-c C-c a") 'rustic-cargo-add)
;; (setq rustic-format-on-save t)
;; (setq rustic-lsp-client 'eglot)
;; :mode ("\\.rs" . rustic-mode))
#+end_src
*** Tramp
:PROPERTIES:
:CUSTOM_ID: h:b9b27a88-06f3-470b-a604-a20b2079bc26
:END:
Tramp allows for SSH access of files over Emacs. I have no ideas what the options here mean, but this is a recommended configuration that I found (sadly I lost the link). I need to research more what these options really do.
#+begin_src emacs-lisp
(use-package tramp
;; :ensure nil
:init
(setq vc-ignore-dir-regexp
(format "\\(%s\\)\\|\\(%s\\)"
vc-ignore-dir-regexp
tramp-file-name-regexp))
(setq tramp-default-method "ssh")
(setq tramp-auto-save-directory
(expand-file-name "tramp-auto-save" user-emacs-directory))
(setq tramp-persistency-file-name
(expand-file-name "tramp-connection-history" user-emacs-directory))
(setq password-cache-expiry nil)
(setq tramp-use-ssh-controlmaster-options nil)
(setq remote-file-name-inhibit-cache nil)
:config
(customize-set-variable 'tramp-ssh-controlmaster-options
(concat
"-o ControlPath=/tmp/ssh-tramp-%%r@%%h:%%p "
"-o ControlMaster=auto -o ControlPersist=yes"))
)
#+end_src
*** diff-hl
:PROPERTIES:
:CUSTOM_ID: h:58415e95-8a7a-4517-acbb-5f1bb1028603
:END:
This is a simple highlighting utility that uses the margin to visually show the differences since the last git commit.
#+begin_src emacs-lisp
(use-package diff-hl
:hook
((prog-mode
org-mode) . diff-hl-mode)
:init
(diff-hl-margin-mode)
(diff-hl-show-hunk-mouse-mode))
#+end_src
*** Commenting
:PROPERTIES:
:CUSTOM_ID: h:d60ce0b1-cabf-43f5-a236-a1e4b400d2f5
:END:
This package allows for swift commenting out and in of code snippets. For some reason, it is a bit broken in my config, as it sometimes comments out too much, sometimes too little, and sometimes it splits lines during commenting. Also, in org-mode when inside a src-block, it often times jumps to the top of the block.
Still, this is avery convenient package.
#+begin_src emacs-lisp
(use-package evil-nerd-commenter
:bind ("M-/" . evilnc-comment-or-uncomment-lines))
#+end_src
*** eglot
:PROPERTIES:
:CUSTOM_ID: h:6cf0310b-2fdf-45f0-9845-4704649777eb
:END:
Up comes the section of lsp clients for Emacs. For a longer time, I thought that I had to choose one only, and after having started with =lsp-mode= I had tried out =lsp-booster= and then went to =eglot=. My requirements are as follow:
Must have:
- mostly unintrusive, non-blocking
- fast (configurable) completion
- xref (or similar)
Nice to have:
- Debugger
- Multi-lsp support (running two lsp's on a single project)
- Native Emacs support
=eglot= fills most items on the first list except for the non-blocking issue initially. It blocks sometimes on bigger projects as well as when entering directories using (nix-)direnv and the lsp is not yet loaded. The first issue is solved by using =eglot-booster=, which increases the parsing speed by what feels like a huge margin (but I never ran any actual tests). The second issue is solved with =eglot-sync-connect=, which avoids blocking the interface while the server is starting.
A blocking issue can still occur while entering a direnv that has a longer evaluation/build time. That issue can only be fixed by using Mic92's [[https://github.com/Mic92/emacs-direnv][emacs-direnv fork]], which calls direnv asynchronously, which in turn avoids the blocking. I am not using this on a daily basis however, since my environments are normally cached anyways and most of them (except for the LaTeX one) are not blocking for long enough for this to be worth it. However, I am considering spinning up my own fork of this at some point.
#+begin_src emacs-lisp
(use-package eglot
:hook
((python-mode
python-ts-mode
c-mode
c-ts-mode
c++-mode
c++-ts-mode
go-mode
go-ts-mode
;;rust-ts-mode
;;rustic-mode
tex-mode
LaTeX-mode
) . swarsel/eglot-ensure-and-format)
:custom
(eldoc-echo-area-use-multiline-p nil)
(eglot-events-buffer-size 0)
(eglot-sync-connect nil)
(eglot-connect-timeout nil)
(eglot-autoshutdown t)
(eglot-send-changes-idle-time 3)
(flymake-no-changes-timeout 5)
:config
(fset #'jsonrpc--log-event #'ignore)
:bind (:map eglot-mode-map
("M-(" . flymake-goto-next-error)
("C-c ," . eglot-code-actions)))
(use-package eglot-booster
:ensure nil
:after eglot
:config
(eglot-booster-mode))
(defalias 'start-lsp-server #'eglot)
#+end_src
*** lsp-mode & company
:PROPERTIES:
:CUSTOM_ID: h:7b9044cf-0fab-4dfa-87fc-f8c18e433e75
:END:
company is now disabled since it seems that corfu runs just fine with lsp-mode and I prefer it. Also I set the auto-guess-root option to true in order to stop excessive nag when editing within org-src blocks.
#+begin_src emacs-lisp
(use-package lsp-mode
:init
;; set prefix for lsp-command-keymap (few alternatives - "C-l", "C-c l")
(setq lsp-keymap-prefix "C-c l")
(setq lsp-auto-guess-root "t")
:commands lsp
:config
(lsp-register-client
(make-lsp-client :new-connection (lsp-stdio-connection "nixd")
:major-modes '(nix-mode nix-ts-mode)
:priority 0
:server-id 'nixd)))
;; (use-package company)
#+end_src
*** lsp-mode in org-src blocks
:PROPERTIES:
:CUSTOM_ID: h:cd552ba1-4db1-4605-8ead-4fcb6a466826
:END:
This incredible function allows to start a sub-pane in a org-file while in a source-block that spins up a lsp-server. In practise that allows me to use a nix lsp when editing complex blocks in my config. The only bother is that we have to add the modes where it should run manually to =org-babel-lang-list=, but that is a small price to pay for the usefulness that it brings.
#+begin_src emacs-lisp
;; thanks to https://tecosaur.github.io/emacs-config/config.html#lsp-support-src
(cl-defmacro lsp-org-babel-enable (lang)
"Support LANG in org source code block."
(setq centaur-lsp 'lsp-mode)
(cl-check-type lang string)
(let* ((edit-pre (intern (format "org-babel-edit-prep:%s" lang)))
(intern-pre (intern (format "lsp--%s" (symbol-name edit-pre)))))
`(progn
(defun ,intern-pre (info)
(let ((file-name (->> info caddr (alist-get :file))))
(unless file-name
(setq file-name (make-temp-file "babel-lsp-")))
(setq buffer-file-name file-name)
(lsp-deferred)))
(put ',intern-pre 'function-documentation
(format "Enable lsp-mode in the buffer of org source block (%s)."
(upcase ,lang)))
(if (fboundp ',edit-pre)
(advice-add ',edit-pre :after ',intern-pre)
(progn
(defun ,edit-pre (info)
(,intern-pre info))
(put ',edit-pre 'function-documentation
(format "Prepare local buffer environment for org source block (%s)."
(upcase ,lang))))))))
(defvar org-babel-lang-list
'( "nix" "nix-ts" "go" "python" "ipython" "bash" "sh" ))
(dolist (lang org-babel-lang-list)
(eval `(lsp-org-babel-enable ,lang)))
#+end_src
*** lsp-bridge
:PROPERTIES:
:CUSTOM_ID: h:f7bc590b-9f91-4f6a-8ffe-93e1dea90a61
:END:
This is another lsp-implementation for Emacs using multi-threading, so this should be the least blocking one. Still, in general I prefer [[#h:6cf0310b-2fdf-45f0-9845-4704649777eb][eglot]].
#+begin_src emacs-lisp
(use-package lsp-bridge
:ensure nil)
#+end_src
*** sideline-flymake
:PROPERTIES:
:CUSTOM_ID: h:d9cd31ea-6c8c-4f1f-83b8-7853bab53857
:END:
This brings back warnings and errors on the sideline for eglot; a feature that I have been missing from lsp-mode for a while.
#+begin_src emacs-lisp
(use-package sideline-flymake
:hook (flymake-mode . sideline-mode)
:init
(setq sideline-flymake-display-mode 'point) ; 'point to show errors only on point
; 'line to show errors on the current line
(setq sideline-backends-right '(sideline-flymake)))
#+end_src
*** Prevent breaking of hardlinks
:PROPERTIES:
:CUSTOM_ID: h:e9a30d0f-423f-4e85-af4b-f8560f1c1b53
:END:
This setting ensures that hard links are preserved during the backup process, which is useful for maintaining the integrity of files that are linked in multiple locations.
#+begin_src emacs-lisp :tangle no
(setq backup-by-copying-when-linked t)
#+end_src
*** Dirvish
:PROPERTIES:
:CUSTOM_ID: h:0918557a-8463-430c-b8df-6546dea9abd0
:END:
Dirvish is an improvement upon the dired-framework and has more features like file preview etc. Sadly it has an incompatibility with =openwith= which is why I have disabled that package.
#+begin_src emacs-lisp
(use-package dirvish
:init
(dirvish-override-dired-mode)
:config
(dirvish-peek-mode)
(dirvish-side-follow-mode)
;; (setq dirvish-open-with-programs
;; (append dirvish-open-with-programs '(
;; (("xlsx" "docx" "doc" "odt" "ods") "libreoffice" "%f")
;; (("jpg" "jpeg" "png") "imv" "%f")
;; (("pdf") "sioyek" "%f")
;; (("xopp") "xournalpp" "%f"))))
:custom
(delete-by-moving-to-trash t)
(dired-listing-switches
"-l --almost-all --human-readable --group-directories-first --no-group")
(dirvish-attributes
'(vc-state subtree-state nerd-icons collapse file-time file-size))
(dirvish-quick-access-entries
'(("h" "~/" "Home")
("c" "~/.dotfiles/" "Config")
("d" "~/Downloads/" "Downloads")
("D" "~/Documents/" "Documents")
("p" "~/Documents/GitHub/" "Projects")
("/" "/" "Root")))
:bind
((" d" . 'dirvish)
("C-=" . 'dirvish-side)
:map dirvish-mode-map
("h" . dired-up-directory)
("" . dired-up-directory)
("l" . dired-find-file)
("" . dired-find-file)
("j" . evil-next-visual-line)
("k" . evil-previous-visual-line)
("a" . dirvish-quick-access)
("f" . dirvish-file-info-menu)
("z" . dirvish-history-last)
("J" . dirvish-history-jump)
("y" . dirvish-yank-menu)
("/" . dirvish-narrow)
("TAB" . dirvish-subtree-toggle)
("M-f" . dirvish-history-go-forward)
("M-b" . dirvish-history-go-backward)
("M-l" . dirvish-ls-switches-menu)
("M-m" . dirvish-mark-menu)
("M-t" . dirvish-layout-toggle)
("M-s" . dirvish-setup-menu)
("M-e" . dirvish-emerge-menu)
("M-j" . dirvish-fd-jump)))
#+end_src
*** undo-tree
:PROPERTIES:
:CUSTOM_ID: h:1fc538d1-8c53-48b2-8652-66046f4bbbf8
:END:
Base emacs undo logic is very useful, but not easy to understand for me. I prefer undo-tree, which makes switching between branches easier and also allows quickly switching back to a much older state using the visualizer.
Evil needs to be told to use this mode, see =(evil-set-undo-system 'undo-tree)= in [[#h:218376e8-086b-46bf-91b3-78295d5d440f][Evil/General.]]
By default, I am not using undo-tree-mode in every buffer. This might change in the future, but for now this is fine. It can be enabled manually should the need arise.
While we are at it, we are also setting up a persistent undo-file for every file that we are working with.
#+begin_src emacs-lisp
(use-package undo-tree
:init (global-undo-tree-mode)
:bind (:map undo-tree-visualizer-mode-map
("h" . undo-tree-visualize-switch-branch-left)
("l" . undo-tree-visualize-switch-branch-left)
("j" . undo-tree-visualize-redo)
("k" . undo-tree-visualize-undo))
:config
(setq undo-tree-history-directory-alist '(("." . "~/.emacs.d/undo"))))
#+end_src
*** Hydra
:PROPERTIES:
:CUSTOM_ID: h:b6c18dd0-3377-47ea-80c3-ac1486454e18
:END:
Hydra allows for the writing of macro-style functions. I have not yet looked into this all too much, but it seems to be a potent feature.
#+begin_src emacs-lisp
(use-package hydra)
#+end_src
**** Text scaling
:PROPERTIES:
:CUSTOM_ID: h:c5681884-7040-4b55-ab1b-5777631a0514
:END:
I only wrote this in order to try out hydra; rarely do I really need this. However, it can be useful for [[#h:4e11a845-a7bb-4eb5-b4ce-5b2f52e07425][Presentations]]. It simply scales the text size.
#+begin_src emacs-lisp
;; change the text size of the current buffer
(defhydra hydra-text-scale (:timeout 4)
"scale text"
("j" text-scale-increase "in")
("k" text-scale-decrease "out")
("f" nil "finished" :exit t))
#+end_src
*** Email
:PROPERTIES:
:CUSTOM_ID: h:2f333330-b19d-4f64-85ea-146ff28667e8
:END:
**** mu4e
:PROPERTIES:
:CUSTOM_ID: h:b92a18cf-eec3-4605-a8c2-37133ade3574
:END:
In this section we are setting up mu4e, a mail client for emacs using mu with mbsync as backend. The mail accounts themselves are setup in the NixOS configuration, so we only need to add Emacs specific settings here.
The hook functions are defined here: [[#h:34506761-06b9-43b5-a818-506d9b3faf28][mu4e functions]]
#+begin_src emacs-lisp
(use-package mu4e
:ensure nil
;; :load-path "/usr/share/emacs/site-lisp/mu4e/"
;;:defer 20 ; Wait until 20 seconds after startup
:hook ((mu4e-compose-mode . swarsel/mu4e-send-from-correct-address)
(mu4e-compose-post . swarsel/mu4e-restore-default))
:config
;; This is set to 't' to avoid mail syncing issues when using mbsync
(setq send-mail-function 'sendmail-send-it)
(setq mu4e-change-filenames-when-moving t)
(setq mu4e-mu-binary (executable-find "mu"))
(setq mu4e-hide-index-messages t)
;; this is so that messages that target multiple addresses still are individually shown in the unreads
;; this is needed because otherwise after closing the view there will still be an unread message
(setq mu4e-search-skip-duplicates nil)
(setq mu4e-update-interval 60)
(setq mu4e-get-mail-command "mbsync -a")
(setq mu4e-maildir "~/Mail")
;; enable inline images
(setq mu4e-view-show-images t)
;; use imagemagick, if available
(when (fboundp 'imagemagick-register-types)
(imagemagick-register-types))
(setq mu4e-drafts-folder "/Drafts")
(setq mu4e-sent-folder "/Sent Mail")
(setq mu4e-refile-folder "/All Mail")
(setq mu4e-trash-folder "/Trash")
(setq mu4e-maildir-shortcuts
'((:maildir "/leon/Inbox" :key ?1)
(:maildir "/nautilus/Inbox" :key ?2)
(:maildir "/mrswarsel/Inbox" :key ?3)
(:maildir "/work/Inbox" :key ?4)
(:maildir "/Sent Mail" :key ?s)
(:maildir "/Trash" :key ?t)
(:maildir "/Drafts" :key ?d)
(:maildir "/All Mail" :key ?a)))
(setq user-mail-address (getenv "SWARSEL_MAIL4")
user-full-name (getenv "SWARSEL_FULLNAME"))
;; this does the equivalent of (setq mu4e-user-mail-address-list '(address1@about.com address2@about.com [...])))
(setq mu4e-user-mail-address-list
(mapcar #'intern (split-string (or (getenv "SWARSEL_MAIL_ALL") "") "[ ,]+" t)))
(setq mu4e--log-max-size 1000)
(mu4e t)
(let ((work (getenv "SWARSEL_MAIL_WORK")))
(when (and work (not (string-empty-p work)))
(setq swarsel-smime-cert-path "~/.Certificates/$SWARSEL_MAIL_WORK.pem")
(setq swarsel-smime-cert-path (substitute-env-vars swarsel-smime-cert-path))
(setq mml-secure-prefer-scheme 'smime)
(setq mml-secure-smime-sign-with-sender t)
(add-hook 'mu4e-compose-mode-hook
(lambda ()
(when (and (boundp 'user-mail-address)
(stringp user-mail-address)
(string-equal user-mail-address (getenv "SWARSEL_MAIL_WORK")))
(mml-secure-message-sign-smime))))
(setq smime-keys
`((,(getenv "SWARSEL_MAIL_WORK")
,swarsel-smime-cert-path
("~/Certificates/harica-root.pem"
"~/Certificates/harica-intermediate.pem"))))
))
)
#+end_src
**** mu4e-alert
:PROPERTIES:
:CUSTOM_ID: h:43209eeb-5d46-472e-b7c2-58a3fb465199
:END:
This adds the simple utility of sending desktop notifications whenever a new mail is received. I am using =libnotify= because I want to use this with =notify-send=.
#+begin_src emacs-lisp
(use-package mu4e-alert
:config
(mu4e-alert-enable-notifications)
(mu4e-alert-set-default-style 'libnotify)
(setq mu4e-alert-interesting-mail-query
(concat "(maildir:/leon/Inbox AND date:today..now"
" OR maildir:/work/Inbox AND date:today..now)"
" AND flag:unread"))
(alert-add-rule
:category "mu4e-alert"
:predicate (lambda (_) (string-match-p "^mu4e-" (symbol-name major-mode)))
:continue t)
(add-hook 'after-init-hook #'mu4e-alert-enable-notifications)
)
#+end_src
*** Calendar
:PROPERTIES:
:CUSTOM_ID: h:c760f04e-622f-4b3e-8916-53ca8cce6edc
:END:
This provides a beautiful calender to emacs.
#+begin_src emacs-lisp
(use-package org-caldav
:init
;; set org-caldav-sync-initalization
(setq swarsel-caldav-synced 0)
;; (setq org-caldav-url "https://cal.example.org/swarsel/calendar")
;; (setq org-caldav-calendars
;; '((:calendar-id "personal"
;; :inbox "~/Calendars/leon_cal.org")))
;; (setq org-caldav-files '("~/Calendars/leon_cal.org"))
;; (setq org-caldav-backup-file "~/org-caldav/org-caldav-backup.org")
;; (setq org-caldav-save-directory "~/org-caldav/")
:config
(setq org-icalendar-alarm-time 1)
;; This makes sure to-do items as a category can show up on the calendar
(setq org-icalendar-include-todo t)
;; This ensures all org "deadlines" show up, and show up as due dates
(setq org-icalendar-use-deadline '(event-if-todo event-if-not-todo todo-due))
;; This ensures "scheduled" org items show up, and show up as start times
(setq org-icalendar-use-scheduled '(todo-start event-if-todo event-if-not-todo))
)
(use-package calfw
:ensure nil
:bind ("C-c A" . swarsel/open-calendar)
:init
(use-package calfw-cal
:ensure nil)
(use-package calfw-org
:ensure nil)
(use-package calfw-ical
:ensure nil)
:config
(bind-key "g" 'cfw:refresh-calendar-buffer cfw:calendar-mode-map)
(bind-key "q" 'evil-quit cfw:details-mode-map)
;; dont change the order of days in this one, as it will break weekend markings
(setq calendar-day-name-array
["Sunday" "Monday" "Tuesday" "Wednesday" "Thursday" "Friday" "Saturday"])
;; First day of the week
(setq calendar-week-start-day 1) ; 0:Sunday, 1:Monday
;; (custom-set-faces
;; '(cfw:face-title ((t (:foreground "#f0dfaf" :weight bold :height 65))))
;; )
)
(defun swarsel/open-calendar ()
(interactive)
;; (unless (eq swarsel-caldav-synced 1) (org-caldav-sync) (setq swarsel-caldav-synced 1))
;; (select-frame (make-frame '((name . "calendar")))) ; makes a new frame and selects it
;; (set-face-attribute 'default (selected-frame) :height 65) ; reduces the font size of the new frame
(cfw:open-calendar-buffer
:contents-sources
(list
(cfw:org-create-source "Blue") ; orgmode source
(cfw:ical-create-source (getenv "SWARSEL_CAL1NAME") (getenv "SWARSEL_CAL1") "Cyan")
(cfw:ical-create-source (getenv "SWARSEL_CAL2NAME") (getenv "SWARSEL_CAL2") "Green")
(cfw:ical-create-source (getenv "SWARSEL_CAL3NAME") (getenv "SWARSEL_CAL3") "Magenta")
)))
#+end_src
*** Dashboard: emacs startup screen
:PROPERTIES:
:CUSTOM_ID: h:48f5be2b-b3d2-4276-bd49-2630733f23d5
:END:
This sets up the =dashboard=, which is really quite useless. But, it looks cool and makes me happy whenever I start an emacsclient without a file name as argument :)
#+begin_src emacs-lisp
(use-package dashboard
:ensure t
:config
(dashboard-setup-startup-hook)
;; (setq initial-buffer-choice (lambda () (get-buffer-create "*dashboard*")))
(let ((files-domain (getenv "SWARSEL_FILES_DOMAIN"))
(music-domain (getenv "SWARSEL_MUSIC_DOMAIN"))
(insta-domain (getenv "SWARSEL_INSTA_DOMAIN"))
(sport-domain (getenv "SWARSEL_SPORT_DOMAIN"))
(swarsel-domain (getenv "SWARSEL_DOMAIN"))
)
(setq dashboard-display-icons-p t ;; display icons on both GUI and terminal
dashboard-icon-type 'nerd-icons ;; use `nerd-icons' package
dashboard-set-file-icons t
dashboard-items '((recents . 5)
(projects . 5)
(agenda . 5))
dashboard-set-footer nil
dashboard-banner-logo-title "Welcome to SwarsEmacs!"
dashboard-image-banner-max-height 300
dashboard-startup-banner "~/.dotfiles/files/icons/swarsel.png"
dashboard-projects-backend 'projectile
dashboard-projects-switch-function 'magit-status
dashboard-set-navigator t
dashboard-startupify-list '(dashboard-insert-banner
dashboard-insert-newline
dashboard-insert-banner-title
dashboard-insert-newline
dashboard-insert-navigator
dashboard-insert-newline
dashboard-insert-init-info
dashboard-insert-items
)
dashboard-navigator-buttons
`(;; line1
((,""
"SwarselSocial"
"Browse Swarsele"
(lambda (&rest _) (browse-url ,insta-domain)))
(,""
"SwarselSound"
"Browse SwarselSound"
(lambda (&rest _) (browse-url ,(concat "https://" music-domain))) )
(,""
"SwarselSwarsel"
"Browse Swarsel"
(lambda (&rest _) (browse-url "https://github.com/Swarsel")) )
(,""
"SwarselStash"
"Browse SwarselStash"
(lambda (&rest _) (browse-url ,(concat "https://" files-domain))) )
(,""
"SwarselSport"
"Browse SwarselSports"
(lambda (&rest _) (browse-url ,sport-domain)))
)
(
(,""
,swarsel-domain
,(concat "Browse " swarsel-domain)
(lambda (&rest _) (browse-url ,(concat "https://" swarsel-domain))))
)
))))
(use-package recentf
:ensure nil
:config
(add-to-list 'recentf-exclude "\\Archive\\.org\\'")
(add-to-list 'recentf-exclude "\\Tasks\\.org\\'"))
#+end_src
*** vterm
:PROPERTIES:
:CUSTOM_ID: h:a81fb9de-6b6b-4a4a-b758-5107c6e7f0cb
:END:
#+begin_src emacs-lisp
(use-package vterm
:ensure t
:custom
(vterm-tramp-shells '(("ssh" "'sh'"))))
#+end_src
*** multiple cursors
:PROPERTIES:
:CUSTOM_ID: h:1f4d32a0-c1ed-4409-aec4-7b5c96aa21dd
:END:
#+begin_src emacs-lisp
(use-package multiple-cursors)
#+end_src
*** Less logging
:PROPERTIES:
:CUSTOM_ID: h:438d928f-77a8-477a-ac8b-ca54ec673f91
:END:
#+begin_src emacs-lisp
(setq message-log-max 30)
(setq comint-buffer-maximum-size 50)
(add-hook 'comint-output-filter-functions 'comint-truncate-buffer)
#+end_src
*** Popup frames
:PROPERTIES:
:CUSTOM_ID: h:5322b631-a108-49a0-b95a-b61a70070dd9
:END:
#+begin_src emacs-lisp
(defun prot-window-delete-popup-frame (&rest _)
"Kill selected selected frame if it has parameter `prot-window-popup-frame'.
Use this function via a hook."
(when (frame-parameter nil 'prot-window-popup-frame)
(delete-frame)))
(defmacro prot-window-define-with-popup-frame (command)
"Define interactive function which calls COMMAND in a new frame.
Make the new frame have the `prot-window-popup-frame' parameter."
`(defun ,(intern (format "prot-window-popup-%s" command)) ()
,(format "Run `%s' in a popup frame with `prot-window-popup-frame' parameter.
Also see `prot-window-delete-popup-frame'." command)
(interactive)
(let ((frame (make-frame '((prot-window-popup-frame . t)
(title . "Emacs Popup Frame")))))
(unwind-protect
(progn
(select-frame frame)
(switch-to-buffer " prot-window-hidden-buffer-for-popup-frame")
(condition-case nil
(call-interactively ',command)
((quit error user-error)
(delete-frame frame))))
(dolist (fr (frame-list))
(when (string= (frame-parameter fr 'name) "Emacs Popup Anchor")
(delete-frame fr)))))))
(declare-function org-capture "org-capture" (&optional goto keys))
(defvar org-capture-after-finalize-hook)
;;;###autoload (autoload 'prot-window-popup-org-capture "prot-window")
(prot-window-define-with-popup-frame org-capture)
(add-hook 'org-capture-after-finalize-hook #'prot-window-delete-popup-frame)
(declare-function mu4e "mu4e" (&optional goto keys))
;;;###autoload (autoload 'prot-window-popup-mu4e "prot-window")
(prot-window-define-with-popup-frame mu4e)
(advice-add 'mu4e-quit :after #'prot-window-delete-popup-frame)
(declare-function swarsel/open-calendar "swarsel/open-calendar" (&optional goto keys))
;;;###autoload (autoload 'prot-window-popup-swarsel/open-calendar "prot-window")
(prot-window-define-with-popup-frame swarsel/open-calendar)
(advice-add 'bury-buffer :after #'prot-window-delete-popup-frame)
(declare-function org-agenda "org-agenda" (&optional goto keys))
;;;###autoload (autoload 'prot-window-popup-org-agenda "prot-window")
(prot-window-define-with-popup-frame org-agenda)
#+end_src
* Appendix A: Noweb-Ref blocks
:PROPERTIES:
:CUSTOM_ID: h:dae0c5bb-edb7-4fe4-ae31-9f8f064cc53c
:END:
This sections is no longer used really. An introduction can be found in [[#h:bcc3ebbe-df8a-46bd-b42d-73aad6fc66e5][Structure of this file]] under the historical note. The little noweb-ref blocks that I still use are found in [[#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02][Hosts]] and [[#h:3bb92528-c61c-4b8d-8214-bf2a40baaa32][Services]].
** General steps when setting up a new machine
:PROPERTIES:
:CUSTOM_ID: h:cc04139d-e9b7-48fe-8e21-fb43aac35b88
:END:
These general steps are needed when setting up a new machine and do not fit into another block well:
#+begin_src markdown :noweb-ref setup :exports both :results html
- setup yubikey (automatic yubikey enrollment is not yet supported by `disko`):
- `systemd-cryptenroll --fido2-device=auto /dev/`
#+end_src
** Current patches and fixes
:PROPERTIES:
:CUSTOM_ID: h:e1798163-5d88-4776-aa44-57ed2df92e45
:END:
These are current deviations from the standard settings that I take while some things are broken upstream
#+begin_src markdown :noweb-ref fixes :exports both :results html
- 20260101:
- nixos:
- firezone-gateway does not work in newer versions with firezone-server (currently working version v1.4.8)
- 20251102:
- flake:
- emacs-overlay:
- : version pinned because emacsclient is currently broken on latest
- niri-flake:
- currently not using the sugared version of screenshot-[,window], as it is currently broken
- home-manager:
- emacs-tramp:
- using stable version in extraPackages (broken in unstable)
- :ensure nil in emacs tramp settings to use package in extraPackages
- emacs-calfwL
- pinned to version not in nixpkgs (is in latest emacs-overlay, but that is broken)
- vesktop:
- running stable version (broken in unstable)
- batgrep:
- running stable version (broken in unstable)
- swayosd:
- pinned to version not in nixpkgs (fixes https://github.com/ErikReider/SwayOSD/issues/175)
#+end_src
** HTML export javascript: Darkmode toggle
:PROPERTIES:
:CUSTOM_ID: h:cf6a12cf-929b-4080-9945-e6f02afc7990
:END:
This adds a simple darkmode toggle to the [[#h:12880c64-229c-4063-9eea-387a97490676][HTML version of this document]].
#+begin_src javascript :noweb-ref js-darkmode-toggle :exports code
#+end_src
** HTML export javascript: Docs QoL
:PROPERTIES:
:CUSTOM_ID: h:e5f900a0-9d68-4269-a663-53c52434c342
:END:
This adds the following functionalities to the [[#h:12880c64-229c-4063-9eea-387a97490676][HTML version of this document]]:
- Section pinning with persistent pins
- Copy section links to clipboard button
- Searching in table of contents
- Skip to next section buttons (one for simply next section, one for same level, one for at least higher level)
#+begin_src javascript :noweb-ref js-docs-qol :exports code
(function() {
function ready(fn) {
if (document.readyState === 'loading') {
document.addEventListener('DOMContentLoaded', fn);
} else {
fn();
}
}
ready(function initPinned() {
const STORAGE_KEY = 'org-pinned-items-v2';
let pinnedPanel = document.getElementById('pinned-panel');
if (!pinnedPanel) {
pinnedPanel = document.createElement('aside');
pinnedPanel.id = 'pinned-panel';
pinnedPanel.innerHTML = `
Clear All
`;
document.body.appendChild(pinnedPanel);
}
let showBtn = document.getElementById('show-pinned-btn');
if (!showBtn) {
showBtn = document.createElement('button');
showBtn.id = 'show-pinned-btn';
showBtn.type = 'button';
showBtn.textContent = 'Pinned';
document.body.appendChild(showBtn);
}
const content = document.getElementById('content');
const pinnedList = document.getElementById('pinned-list');
const toggleBtn = document.getElementById('toggle-pinned-btn');
const clearAllBtn = document.getElementById('clear-all-pins-btn');
const toc = document.getElementById('table-of-contents');
const body = document.body;
if (!content || !pinnedList || !toggleBtn || !clearAllBtn || !toc) return;
function injectSearch() {
if (document.getElementById('toc-search-input')) return;
const searchContainer = document.createElement('div');
searchContainer.id = 'toc-search-container';
const searchInput = document.createElement('input');
searchInput.id = 'toc-search-input';
searchInput.type = 'text';
searchInput.placeholder = 'Search TOC...';
searchInput.autocomplete = 'off';
const clearBtn = document.createElement('button');
clearBtn.id = 'toc-search-clear';
clearBtn.type = 'button';
clearBtn.textContent = 'Clear';
searchContainer.appendChild(searchInput);
searchContainer.appendChild(clearBtn);
toc.insertBefore(searchContainer, toc.firstChild);
function filterTOC(term) {
const allLinks = toc.querySelectorAll('a');
allLinks.forEach(link => {
const li = link.closest('li');
if (!li) return;
const text = link.textContent.toLowerCase();
const matches = text.includes(term);
if (matches) {
li.classList.remove('hidden-by-search');
let parent = li.parentElement;
while (parent && parent !== toc) {
if (parent.tagName === 'UL') {
parent.style.display = '';
}
if (parent.tagName === 'LI') {
parent.classList.remove('hidden-by-search');
}
parent = parent.parentElement;
}
} else {
li.classList.add('hidden-by-search');
}
});
if (term === '') {
const allLis = toc.querySelectorAll('li');
allLis.forEach(li => li.classList.remove('hidden-by-search'));
}
}
searchInput.addEventListener('input', function(e) {
const term = e.target.value.toLowerCase();
filterTOC(term);
});
clearBtn.addEventListener('click', function() {
searchInput.value = '';
filterTOC('');
searchInput.focus();
});
}
injectSearch();
function addHeadingLinks() {
const headers = content.querySelectorAll('h1, h2, h3, h4, h5, h6, h7, h8, h9');
headers.forEach(header => {
const id = header.getAttribute('id');
if (!id) return;
if (header.querySelector('.heading-link')) return;
const link = document.createElement('a');
link.className = 'heading-link';
link.href = '#' + id;
link.textContent = '#';
link.title = 'Copy link to this heading';
const pinBtn = header.querySelector('.toc-pin-btn');
if (pinBtn) {
header.insertBefore(link, pinBtn);
} else {
header.appendChild(link);
}
link.addEventListener('click', function(e) {
e.preventDefault();
const url = window.location.origin + window.location.pathname + '#' + id;
if (navigator.clipboard && navigator.clipboard.writeText) {
navigator.clipboard.writeText(url)
.then(() => {
const originalText = link.textContent;
link.textContent = '✓';
setTimeout(() => {
link.textContent = originalText;
}, 1000);
})
.catch(err => {
console.warn('Failed to copy to clipboard', err);
window.location.hash = id;
});
} else {
window.location.hash = id;
}
});
});
}
addHeadingLinks();
function addNextHeadingButtons() {
const headers = Array.from(content.querySelectorAll('h1, h2, h3, h4, h5, h6, h7, h8, h9'));
function getLevel(header) {
return parseInt(header.tagName.substring(1), 10);
}
headers.forEach((header, index) => {
const currentLevel = getLevel(header);
const headingLink = header.querySelector('.heading-link');
const pinBtn = header.querySelector('.toc-pin-btn');
function insertActionBtn(btn) {
if (pinBtn) {
header.insertBefore(btn, pinBtn);
return;
}
if (headingLink && headingLink.parentNode === header) {
headingLink.after(btn);
return;
}
header.appendChild(btn);
}
const nextHeader = headers[index + 1];
if (nextHeader && !header.querySelector('.heading-next')) {
const nextId = nextHeader.getAttribute('id');
if (nextId) {
const nextBtn = document.createElement('button');
nextBtn.className = 'heading-next';
nextBtn.type = 'button';
nextBtn.textContent = '↓';
nextBtn.title = 'Jump to next heading';
insertActionBtn(nextBtn);
nextBtn.addEventListener('click', function(e) {
e.preventDefault();
nextHeader.scrollIntoView({ behavior: 'smooth', block: 'start' });
history.pushState(null, null, '#' + nextId);
});
}
}
if (!header.querySelector('.heading-skip')) {
let skipHeader = null;
for (let i = index + 1; i < headers.length; i++) {
if (getLevel(headers[i]) <= currentLevel) {
skipHeader = headers[i];
break;
}
}
if (skipHeader) {
const skipId = skipHeader.getAttribute('id');
if (skipId) {
const skipBtn = document.createElement('button');
skipBtn.className = 'heading-skip';
skipBtn.type = 'button';
skipBtn.textContent = '⇣';
skipBtn.title = 'Skip to next section (same level)';
insertActionBtn(skipBtn);
skipBtn.addEventListener('click', function(e) {
e.preventDefault();
skipHeader.scrollIntoView({ behavior: 'smooth', block: 'start' });
history.pushState(null, null, '#' + skipId);
});
}
}
}
if (!header.querySelector('.heading-skip-up')) {
let upHeader = null;
for (let i = index + 1; i < headers.length; i++) {
if (getLevel(headers[i]) < currentLevel) {
upHeader = headers[i];
break;
}
}
if (upHeader) {
const upId = upHeader.getAttribute('id');
if (upId) {
const upBtn = document.createElement('button');
upBtn.className = 'heading-skip-up';
upBtn.type = 'button';
upBtn.textContent = '⇑';
upBtn.title = 'Jump to next higher-level section (escape subsections)';
insertActionBtn(upBtn);
upBtn.addEventListener('click', function(e) {
e.preventDefault();
upHeader.scrollIntoView({ behavior: 'smooth', block: 'start' });
history.pushState(null, null, '#' + upId);
});
}
}
}
});
}
addNextHeadingButtons();
let mobileTocBtn = document.getElementById('mobile-toc-toggle');
if (!mobileTocBtn) {
mobileTocBtn = document.createElement('button');
mobileTocBtn.id = 'mobile-toc-toggle';
mobileTocBtn.type = 'button';
mobileTocBtn.textContent = 'TOC';
document.body.appendChild(mobileTocBtn);
}
let mobilePinnedBtn = document.getElementById('mobile-pinned-toggle');
if (!mobilePinnedBtn) {
mobilePinnedBtn = document.createElement('button');
mobilePinnedBtn.id = 'mobile-pinned-toggle';
mobilePinnedBtn.type = 'button';
mobilePinnedBtn.textContent = 'Pinned';
document.body.appendChild(mobilePinnedBtn);
}
function anyMobilePanelOpen() {
return toc.classList.contains('mobile-visible') ||
pinnedPanel.classList.contains('mobile-visible');
}
function updateBodyMobilePanelState() {
if (anyMobilePanelOpen()) body.classList.add('mobile-panel-open');
else body.classList.remove('mobile-panel-open');
}
document.addEventListener('click', function(e) {
if (window.innerWidth > 1000) return;
if (!anyMobilePanelOpen()) return;
const clickedInsideToc = toc.contains(e.target);
const clickedInsidePinned = pinnedPanel.contains(e.target);
const clickedTocBtn = mobileTocBtn.contains(e.target);
const clickedPinnedBtn = mobilePinnedBtn.contains(e.target);
const clickedInteractive =
e.target.tagName === 'A' ||
e.target.tagName === 'BUTTON' ||
e.target.tagName === 'INPUT' ||
e.target.tagName === 'TEXTAREA' ||
e.target.closest('a') ||
e.target.closest('button');
if (!clickedInsideToc && !clickedInsidePinned && !clickedTocBtn && !clickedPinnedBtn && !clickedInteractive) {
toc.classList.remove('mobile-visible');
pinnedPanel.classList.remove('mobile-visible');
updateBodyMobilePanelState();
}
});
mobileTocBtn.addEventListener('click', function() {
const isOpen = toc.classList.toggle('mobile-visible');
if (isOpen) {
pinnedPanel.classList.remove('mobile-visible');
}
updateBodyMobilePanelState();
});
mobilePinnedBtn.addEventListener('click', function() {
const isOpen = pinnedPanel.classList.toggle('mobile-visible');
if (isOpen) {
toc.classList.remove('mobile-visible');
}
updateBodyMobilePanelState();
});
const pinnedItems = new Map();
let initiallyPinnedHrefs = new Set();
function loadFromStorage() {
try {
const raw = window.localStorage && localStorage.getItem(STORAGE_KEY);
if (!raw) return;
const arr = JSON.parse(raw);
if (!Array.isArray(arr)) return;
initiallyPinnedHrefs = new Set(arr);
} catch (e) {
console.warn('Pinned: failed to load from localStorage', e);
}
}
function saveToStorage() {
try {
if (!window.localStorage) return;
const arr = [];
pinnedItems.forEach((entry, href) => {
if (entry.li) arr.push(href);
});
localStorage.setItem(STORAGE_KEY, JSON.stringify(arr));
} catch (e) {
console.warn('Pinned: failed to save to localStorage', e);
}
}
function sortPinnedList() {
const items = Array.from(pinnedList.children)
.map(li => {
const link = li.querySelector('a');
return {
li: li,
text: link ? link.textContent.trim()
.toLowerCase() : ''
};
});
items.sort((a, b) => a.text.localeCompare(b.text));
items.forEach(item => pinnedList.appendChild(item.li));
}
function hidePinnedPanel() {
pinnedPanel.classList.add('hidden');
content.classList.add('pinned-hidden');
showBtn.classList.add('visible');
}
function showPinnedPanel() {
pinnedPanel.classList.remove('hidden');
content.classList.remove('pinned-hidden');
showBtn.classList.remove('visible');
}
toggleBtn.addEventListener('click', hidePinnedPanel);
showBtn.addEventListener('click', showPinnedPanel);
clearAllBtn.addEventListener('click', function() {
if (pinnedItems.size === 0) return;
const confirmed = confirm('Are you sure you want to clear all pinned items?');
if (!confirmed) return;
pinnedItems.forEach((entry, href) => {
if (entry.li && entry.li.parentElement) {
entry.li.parentElement.removeChild(entry.li);
}
entry.li = null;
entry.btns.forEach(b => b.textContent = '[pin]');
});
saveToStorage();
});
function attachPinBehavior(pinBtn, href, text) {
if (!href) return;
if (!pinnedItems.has(href)) {
pinnedItems.set(href, {
li: null,
btns: new Set(),
text: text
});
}
const entry = pinnedItems.get(href);
entry.btns.add(pinBtn);
pinBtn.textContent = entry.li ? '[unpin]' : '[pin]';
pinBtn.addEventListener('click', function(e) {
e.preventDefault();
e.stopPropagation();
const current = pinnedItems.get(href);
if (!current) return;
if (current.li) {
if (current.li.parentElement) {
current.li.parentElement.removeChild(current.li);
}
current.li = null;
current.btns.forEach(b => b.textContent = '[pin]');
saveToStorage();
} else {
const li = document.createElement('li');
const a = document.createElement('a');
a.href = href;
a.textContent = current.text;
const removeBtn = document.createElement('button');
removeBtn.className = 'pin-remove';
removeBtn.type = 'button';
removeBtn.textContent = '✕';
removeBtn.addEventListener('click', () => {
const cur = pinnedItems.get(href);
if (!cur) return;
if (cur.li && cur.li.parentElement) {
cur.li.parentElement.removeChild(cur.li);
}
cur.li = null;
cur.btns.forEach(b => b.textContent = '[pin]');
saveToStorage();
});
li.appendChild(a);
li.appendChild(removeBtn);
pinnedList.appendChild(li);
current.li = li;
current.btns.forEach(b => b.textContent = '[unpin]');
sortPinnedList();
saveToStorage();
}
});
}
loadFromStorage();
const tocLinks = document.querySelectorAll('#text-table-of-contents a');
tocLinks.forEach(link => {
if (link.parentElement && link.parentElement.classList.contains('toc-entry')) {
return;
}
const li = link.closest('li');
if (!li) return;
const wrapper = document.createElement('span');
wrapper.className = 'toc-entry';
li.insertBefore(wrapper, link);
wrapper.appendChild(link);
const pinBtn = document.createElement('button');
pinBtn.className = 'toc-pin-btn';
pinBtn.type = 'button';
pinBtn.textContent = '[pin]';
wrapper.appendChild(pinBtn);
const href = link.getAttribute('href');
const text = link.textContent.trim();
attachPinBehavior(pinBtn, href, text);
});
const headers = content.querySelectorAll('h2, h3, h4, h5, h6, h7, h8, h9');
headers.forEach(header => {
const id = header.getAttribute('id');
if (!id) return;
if (header.querySelector('.toc-pin-btn')) return;
const href = '#' + id;
const text = header.textContent.trim();
const pinBtn = document.createElement('button');
pinBtn.className = 'toc-pin-btn';
pinBtn.type = 'button';
pinBtn.textContent = '[pin]';
pinBtn.style.marginLeft = '0.8rem';
pinBtn.style.fontSize = '0.75em';
header.appendChild(pinBtn);
attachPinBehavior(pinBtn, href, text);
});
initiallyPinnedHrefs.forEach(href => {
const entry = pinnedItems.get(href);
if (!entry) return;
const li = document.createElement('li');
const a = document.createElement('a');
a.href = href;
a.textContent = entry.text;
const removeBtn = document.createElement('button');
removeBtn.className = 'pin-remove';
removeBtn.type = 'button';
removeBtn.textContent = '✕';
removeBtn.addEventListener('click', () => {
const cur = pinnedItems.get(href);
if (!cur) return;
if (cur.li && cur.li.parentElement) {
cur.li.parentElement.removeChild(cur.li);
}
cur.li = null;
cur.btns.forEach(b => b.textContent = '[pin]');
saveToStorage();
});
li.appendChild(a);
li.appendChild(removeBtn);
pinnedList.appendChild(li);
entry.li = li;
entry.btns.forEach(b => b.textContent = '[unpin]');
});
sortPinnedList();
saveToStorage();
});
})();
#+end_src
* Appendix B: Supplementary Files
:PROPERTIES:
:CUSTOM_ID: h:8fc9f66a-7412-4091-8dee-a06f897baf67
:END:
This section now holds some of the configuration files that cannot be defined directly within NixOS configuration. These files are usually symlinked using =home.file=.
** Server Emacs config
:PROPERTIES:
:CUSTOM_ID: h:c1e53aed-fb47-4aff-930c-dc52f3c5dcb8
:END:
On my server, I use a reduced, self-contained emacs configuration that only serves as an elfeed sync server. This is currently unused, however, I am keeping this in here for now as a reference. The big problem here was the bidirectional syncing using =bjm/elfeed-updater=. As I am using this both on a laptop client (using elfeed) as well as on a mobile phone (using elfeed-cljsrn over elfeed-web), I set up a Syncthing service to take care of the feeds as well as the db state. However, I could only either achieve changes propagating properly from the laptop to the server or from the phone to the server. Both would not work. This current state represents the state where from-laptop changes would propagate. To allow from-phone changes, change =(elfeed-db-load)= in =bjm/elfeed-updater= to =(elfeed-db-save)=.
#+begin_src emacs-lisp :tangle files/emacs/server.el
(require 'package)
(package-initialize nil)
(setq package-enable-at-startup nil)
(add-to-list 'package-archives '("org" . "http://orgmode.org/elpa/") t)
(add-to-list 'package-archives
'("melpa" . "https://melpa.org/packages/") t)
(package-initialize)
(let ((default-directory "~/.emacs.d/elpa/"))
(normal-top-level-add-subdirs-to-load-path))
(unless (package-installed-p 'use-package)
(package-refresh-contents)
(package-install 'use-package))
(require 'use-package)
(use-package elfeed
:ensure t
:bind (:map elfeed-search-mode-map
("q" . bjm/elfeed-save-db-and-bury)))
(require 'elfeed)
(use-package elfeed-org
:ensure t
:config
(elfeed-org)
(setq rmh-elfeed-org-files (list "/var/lib/syncthing/.elfeed/elfeed.org")))
(use-package elfeed-goodies
:ensure t)
(elfeed-goodies/setup)
(use-package elfeed-web
:ensure t)
(global-set-key (kbd "C-x w") 'bjm/elfeed-load-db-and-open)
(define-key elfeed-show-mode-map (kbd "j") 'elfeed-goodies/split-show-next)
(define-key elfeed-show-mode-map (kbd "k") 'elfeed-goodies/split-show-prev)
(define-key elfeed-search-mode-map (kbd "j") 'next-line)
(define-key elfeed-search-mode-map (kbd "k") 'previous-line)
(define-key elfeed-show-mode-map (kbd "S-SPC") 'scroll-down-command)
(defun bjm/elfeed-save-db-and-bury ()
"Wrapper to save the elfeed db to disk before burying buffer"
(interactive)
(elfeed-db-save)
(quit-window))
(defun bjm/elfeed-load-db-and-open ()
"Wrapper to load the elfeed db from disk before opening"
(interactive)
(elfeed-db-load)
(elfeed)
(elfeed-search-update--force)
(elfeed-update))
(defun bjm/elfeed-updater ()
"Wrapper to load the elfeed db from disk before opening"
(interactive)
(elfeed-db-load))
(run-with-timer 0 (* 1 60) 'bjm/elfeed-updater)
(setq httpd-port 9812)
(setq httpd-host "0.0.0.0")
(setq httpd-root "/root/.emacs.d/elpa/elfeed-web-20240729.1741/")
(setq elfeed-db-directory "/var/lib/syncthing/.elfeed/db/")
(httpd-start)
(elfeed-web-start)
#+end_src
** tridactylrc
:PROPERTIES:
:CUSTOM_ID: h:fc64f42f-e7cf-4829-89f6-2d0d58e04f51
:END:
This is the configuration file for tridactyl, which provides keyboard-driven navigation in firefox. Pay attention to the warnings in this file; depending on your browsing behaviour, you might expose yourself to some vulnerabilities by copying this configuration.
The =command= command can be supplied with a =-p= flag that will take a single argmuent which is exposed as =JS_ARG=. I use this in a function that switches to an open tab if it exists and otherwise creates it.
#+begin_src config :tangle files/firefox/tridactyl/tridactylrc :mkdirp yes
sanitise tridactyllocal tridactylsync
colourscheme swarsel
" General Settings
set update.lastchecktime 1720629386560
set update.lastnaggedversion 1.24.1
set update.nag true
set update.nagwait 7
set update.checkintervalsecs 86400
set configversion 2.0
set searchurls.no https://search.nixos.org/options?query=
set searchurls.np https://search.nixos.org/packages?query=
set searchurls.hm https://home-manager-options.extranix.com/?query=
set searchurls.@c https://vbc.atlassian.net/wiki/search?text=
set searchurls.@j https://vbc.atlassian.net/issues/?jql=textfields%20~%20%22%s*%22&wildcardFlag=true
set completions.Tab.statusstylepretty true
set hintfiltermode vimperator-reflow
set hintnames numeric
unbind --mode=hint
" Binds
bind buffer #
bind gd tabdetach
bind gD composite tabduplicate; tabdetach
bind d composite tabprev; tabclose #
bind D tabclose
bind c hint -J
bindurl ^http(s)?://www\.google\.com c hint -Jc [class="LC20lb MBeuO DKV0Md"],[class="YmvwI"],[class="YyVfkd"],[class="fl"]
bindurl ^http(s)?://news\.ycombinator\.com c hint -Jc [class="titleline"],[class="age"]
bindurl ^http(s)?://lobste\.rs c hint -Jc [class="u-url"],[class="comments_label"]
bindurl ^http(s)?://reddit\.com c hint -Jc [class="title may-blank loggedin"],[class="bylink comments may-blank"]
bindurl ^http(s)?://github\.com c hint -Jc [class="Link--primary"],[class="AppHeader-button Button--secondary Button--medium Button p-0 color-fg-muted"],[class="UnderlineNav-item no-wrap js-responsive-underlinenav-item js-selected-navigation-item"],[class="prc-ActionList-ItemLabel-TmBhn"],[class="PRIVATE_TreeView-item-content-text prc-TreeView-TreeViewItemContentText-smZM-"]
bindurl ^http(s)?://vbc\.atlassian\.net\/wiki c hint -Jc [class="_1reo15vq _18m915vq _1bto1l2s _kqswh2mm _o5721q9c _syaz1fxt"],[class="_11c81ixg _1reo15vq _18m915vq _18s81b66 _kqswh2mm _k48p1wq8 _o5721q9c _1bto1l2s _u5f31b66"],[class="_1r04ze3t _kqswstnw"],[class="css-a61etj"],[class="jira-macro-table-underline-pdfexport"]
bindurl ^http(s)?://www\.google\.com gi composite focusinput -l ; text.end_of_line
" Work
command tab_or_tabopen jsb -p (async () => {let tabs = await browser.tabs.query({}); let tab = tabs.find(t => t.url.includes(JS_ARG)); if (tab) {browser.tabs.update(tab.id, { active: true });} else {tri.excmds.tabopen(JS_ARG);}})()
command tab_or_tabopen_local jsb -p (async () => {const currentWindow = await browser.windows.getCurrent(); const tabs = await browser.tabs.query({ windowId: currentWindow.id }); const tab = tabs.find(t => t.url.includes(JS_ARG)); if (tab) {browser.tabs.update(tab.id, { active: true });} else {tri.excmds.tabopen(JS_ARG);}})()
bind gwa tab_or_tabopen_local apic-impimba-1.m.imp.ac.at
bind gwA tab_or_tabopen_local artifactory.imp.ac.at
bind gwb tab_or_tabopen_local bitbucket.vbc.ac.at
bind gwc tab_or_tabopen_local vbc.atlassian.net/wiki
bind gwd tab_or_tabopen_local datadomain-impimba-2.imp.ac.at
bind gwe tab_or_tabopen_local exivity.vbc.ac.at
bind gwg tab_or_tabopen_local github.com
bind gwG tab_or_tabopen_local goc.egi.eu
bind gwh tab_or_tabopen_local jupyterhub.vbc.ac.at
bind gwj tab_or_tabopen_local jenkins.vbc.ac.at
bind gwJ tab_or_tabopen_local test-jenkins.vbc.ac.at
bind gwl tab_or_tabopen_local lucid.app
bind gwm tab_or_tabopen_local monitoring.vbc.ac.at/grafana
bind gwM tab_or_tabopen_local monitoring.vbc.ac.at/prometheus
bind gwn tab_or_tabopen_local netbox.vbc.ac.at
bind gwN tab_or_tabopen_local nap.imp.ac.at
bind gwo tab_or_tabopen_local outlook.office.com
bind gws tab_or_tabopen_local satellite.vbc.ac.at
bind gwt tab_or_tabopen_local tower.vbc.ac.at
bind gwv tab_or_tabopen_local vc-impimba-1.m.imp.ac.at/ui
bind gwx tab_or_tabopen_local xclarity.vbc.ac.at
unbind --mode=normal gh
bind ghp tab_or_tabopen_local https://github.com/pulls
bind ghi tab_or_tabopen_local https://github.com/issues/assigned?q=is%3Aissue%20state%3Aopen%20archived%3Afalse%20(assignee%3A%40me%20OR%20author%3A%40me)%20sort%3Aupdated-desc
bind ghv tab_or_tabopen_local github.com/orgs/vbc-it/repositories
bind ghc tab_or_tabopen_local github.com/orgs/CLIP-HPC/repositories
bind ghd tab_or_tabopen_local github.com/Swarsel/.dotfiles
bind ghni tab_or_tabopen_local github.com/NixOS/nixpkgs/issues
bind ghnp tab_or_tabopen_local github.com/NixOS/nixpkgs/pulls
unbind --mode=normal gp
bind gprn tab_or_tabopen_local www.reddit.com/r/NixOS/
bind gpd tab_or_tabopen_local discourse.nixos.org/
bind gpp tab_or_tabopen_local parkour.wien/categories
" Search in page
set findcase smart
bind / fillcmdline find
bind ? fillcmdline find -?
bind n findnext 1
bind N findnext -1
bind j scrollline 4
bind k scrollline -4
" WARNING: This file defines and runs a command called fixamo_quiet. If you
" also have a malicious addon that operates on `` installed this
" will allow it to steal your firefox account credentials!
"
" With those credentials, an attacker can read anything in your sync account,
" publish addons to the AMO, etc, etc.
"
" Without this command a malicious addon can steal credentials from any site
" that you visit that is not in the restrictedDomains list.
"
" You should comment out the fixamo lines unless you are entirely sure that
" they are what you want.
command fixamo_quiet jsb tri.excmds.setpref("privacy.resistFingerprinting.block_mozAddonManager", "true").then(tri.excmds.setpref("extensions.webextensions.restrictedDomains", '""'))
command fixamo js tri.excmds.setpref("privacy.resistFingerprinting.block_mozAddonManager", "true").then(tri.excmds.setpref("extensions.webextensions.restrictedDomains", '""').then(tri.excmds.fillcmdline_tmp(3000, "Permissions added to user.js. Please restart Firefox to make them take affect.")))
fixamo_quiet
set allowautofocus false
" The following modification allows Tridactyl to function on more pages, e.g. raw GitHub pages.
" You may not wish to run this. Mozilla strongly feels that you shouldn't.
" Read https://wiki.mozilla.org/Security/CSP#Goals for more information.
"
" Equivalent to `set csp clobber` before it was removed.
" This weakens your defences against cross-site-scripting attacks
" and other types of code-injection by reducing the strictness
" of Content Security Policy on all sites in a couple of ways.
"
" We remove the sandbox directive
" https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
" which allows our iframe (and anyone else's) to run on any website.
"
" We weaken the style-src directive
" https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
" to allow us to theme our elements.
" This exposes you to 'cross site styling' attacks
jsb browser.webRequest.onHeadersReceived.addListener(tri.request.clobberCSP,{urls:[""],types:["main_frame"]},["blocking","responseHeaders"])
" default is 300ms
set hintdelay 500
" Some pages like github break on the tridactyl quick search. have this as a fallback
unbind
" Do not let websites steal sitefocus
set allowautofocus false
" whitelist sites
" :seturl [URL regex for sites with text editors you use] allowautofocus true
" stronger blacklist for specific sites
seturl vbc.atlassian.net preventautofocusjackhammer true
" Subconfig Settings
seturl www.google.com followpagepatterns.next Next
seturl www.google.com followpagepatterns.prev Previous
" Autocmds
autocmd DocStart undefined mode ignore
autocmd DocStart pokerogue.net mode ignore
autocmd DocStart typelit.io mode ignore
autocmd DocStart vc-impimba-1.m.imp.ac.at/ui/webconsole mode ignore
" For syntax highlighting see https://github.com/tridactyl/vim-tridactyl
" vim: set filetype=tridactyl
#+end_src
** tridactyl theme
:PROPERTIES:
:CUSTOM_ID: h:86f1fd9b-56ee-4fd2-8b35-9ea104d83df0
:END:
#+begin_src config :tangle files/firefox/tridactyl/themes/swarsel.css :mkdirp yes
:root {
--base00: #1D252C;
--base01: #171D23;
--base02: #5EC4FF;
--base03: #566C7D;
--base04: #5EC4FF;
--base05: #A0B3C5;
--base06: #C06ECE;
--base07: #A0B3C5;
--base08: #D95468;
--base09: #FFA880;
--base0A: #5EC4FF;
--base0B: #8BD49C;
--base0C: #008B94;
--base0D: #5EC4FF;
--base0E: #C06ECE;
--base0F: #5EC4FF;
--tridactyl-def-fg: var(--base02);
--tridactyl-cmdl-bg: var(--base00);
--tridactyl-cmdl-fg: var(--base0C);
--tridactyl-font-family: "San Francisco", sans-serif;
--tridactyl-cmdl-font-size: 1.5rem;
--tridactyl-cmdl-line-height: 1.5;
--tridactyl-cmplt-option-height: 1.4em;
--tridactyl-cmplt-font-size: var(--tridactyl-small-font-size);
--tridactyl-cmplt-border-top: unset;
--tridactyl-status-font-size: 9px;
--tridactyl-status-font-family: "Fira Code", monospace;
--tridactyl-status-border: 1px var(--tridactyl-fg) solid;
--tridactyl-header-font-size: var(--tridactyl-small-font-size);
--tridactyl-header-font-weight: 200;
--tridactyl-header-border-bottom: unset;
--tridactyl-hintspan-font-size: var(--tridactyl-font-size);
--tridactyl-hint-active-fg: none;
}
:root #command-line-holder {
order: 1;
border: 2px solid var(--tridactyl-cmdl-fg);
color: var(--tridactyl-cmdl-bg);
}
:root #tridactyl-input {
width: 90%;
padding: 1rem;
color: var(--tridactyl-def-fg);
}
:root #completions table {
font-size: 0.8rem;
font-weight: 200;
border-spacing: 0;
table-layout: fixed;
padding: 1rem;
padding-top: 0;
}
:root #completions > div {
max-height: calc(20 * var(--tridactyl-cmplt-option-height));
min-height: calc(10 * var(--tridactyl-cmplt-option-height));
}
/* COMPLETIONS */
:root #completions {
font-weight: 200;
order: 2;
color: var(--tridactyl-def-fg);
background: var(--tridactyl-cmdl-bg);
}
/* Olie doesn't know how CSS inheritance works */
:root #completions .HistoryCompletionSource {
max-height: unset;
min-height: unset;
}
:root #completions .HistoryCompletionSource table {
width: 100%;
font-size: 9pt;
border-spacing: 0;
table-layout: fixed;
}
/* redundancy 2: redundancy 2: more redundancy */
:root #completions .BmarkCompletionSource {
max-height: unset;
min-height: unset;
}
:root #completions table tr { white-space: nowrap;
overflow: hidden;
text-overflow: ellipsis;
}
:root #completions .url {
background: var(--tridactyl-cmdl-bg);
}
:root #completions .focused {
background: #44391F;
}
:root #completions .focused .url {
background: #44391F;
}
:root #completions .BufferCompletionSource table {
width: unset;
font-size: unset;
border-spacing: unset;
table-layout: unset;
}
:root #completions table tr {
white-space: nowrap;
overflow: hidden;
text-overflow: ellipsis;
}
:root #completions .sectionHeader {
background: unset;
padding: 1rem !important;
padding-left: unset;
padding-bottom: 0.2rem;
}
:root #cmdline_iframe {
position: fixed !important;
bottom: unset;
top: 25% !important;
left: 10% !important;
z-index: 2147483647 !important;
width: 80% !important;
box-shadow: rgba(0, 0, 0, 0.5) 0px 0px 15px !important;
}
:root .TridactylStatusIndicator {
position: fixed !important;
bottom: 0 !important;
font-weight: 200 !important;
padding: 0.8ex !important;
}
/* #Shydactyl-normal { */
/* border-color: green !important; */
/* } */
/* #Shydactyl-insert { */
/* border-color: yellow !important; */
/* } */
#+end_src
** Waybar style.css
:PROPERTIES:
:CUSTOM_ID: h:77b1c523-5074-4610-b320-90af95e6134d
:END:
This is the stylesheet used by waybar.
#+begin_src css :tangle files/waybar/style.css :mkdirp yes
@define-color foreground #fdf6e3;
@define-color background #1a1a1a;
@define-color background-alt #292b2e;
@define-color foreground-warning #268bd2;
@define-color background-warning @background;
@define-color foreground-error red;
@define-color background-error @background;
@define-color foreground-critical gold;
@define-color background-critical blue;
,* {
border: none;
border-radius: 0;
font-family: "FiraCode Nerd Font Propo", "Font Awesome 5 Free";
font-size: 14px;
min-height: 0;
margin: -1px 0px;
}
window#waybar {
background: transparent;
color: @foreground;
transition-duration: .5s;
}
window#waybar.hidden {
opacity: 0.2;
}
#mpris {
padding: 0 10px;
background-color: transparent;
color: #1DB954;
font-family: Monospace;
font-size: 12px;
}
#custom-right-arrow-dark,
#custom-left-arrow-dark {
color: @background;
background: @background-alt;
font-size: 24px;
}
#window {
font-size: 12px;
padding: 0 20px;
}
#mode {
background: @background-critical;
color: @foreground-critical;
padding: 0 3px;
}
#privacy,
#custom-configwarn {
color: black;
padding: 0 3px;
animation-name: configblink;
animation-duration: 0.5s;
animation-timing-function: linear;
animation-iteration-count: infinite;
animation-direction: alternate;
}
#custom-nix-updates {
color: white;
padding: 0 3px;
}
#custom-outer-right-arrow-dark,
#custom-outer-left-arrow-dark {
color: @background;
font-size: 24px;
}
#custom-outer-left-arrow-dark,
#custom-left-arrow-dark,
#custom-left-arrow-light {
margin: 0 -1px;
}
#custom-right-arrow-light,
#custom-left-arrow-light {
color: @background-alt;
background: @background;
font-size: 24px;
}
#workspaces,
#clock.1,
#clock.2,
#clock.3,
#pulseaudio,
#memory,
#cpu,
#temperature,
#custom-scratchpad-indicator,
#power-profiles-daemon,
#idle_inhibitor,
#backlight-slider,
#mpris,
#tray {
background: @background;
}
#network,
#custom-vpn,
#clock.2,
#battery,
#cpu,
#custom-pseudobat,
#disk {
background: @background-alt;
}
#workspaces button {
padding: 0 2px;
color: #fdf6e3;
}
#workspaces button.focused {
color: @foreground-warning;
}
#workspaces button:hover {
background: @foreground;
color: @background;
border: @foreground;
padding: 0 2px;
box-shadow: inherit;
text-shadow: inherit;
}
#workspaces button.urgent {
color: @background-critical;
background: @foreground-critical;
}
#custom-vpn,
#network {
color: #cc99c9;
}
#temperature,
#power-profiles-daemon {
color: #9ec1cf;
}
#disk {
/*color: #b58900;*/
color: #9ee09e;
}
#custom-scratchpad-indicator {
color: #ffffff;
}
#disk.warning {
color: @foreground-error;
background-color: @background-error;
}
#disk.critical,
#temperature.critical {
color: @foreground-critical;
background-color: @background-critical;
animation-name: blink;
animation-duration: 0.5s;
animation-timing-function: linear;
animation-iteration-count: infinite;
animation-direction: alternate;
}
#pulseaudio.muted {
color: @foreground-error;
}
#memory {
/*color: #2aa198;*/
color: #fdfd97;
}
#cpu {
/*color: #6c71c4;*/
color: #feb144;
}
#pulseaudio {
/*color: #268bd2;*/
color: #ff6663;
}
#battery,
#custom-pseudobat {
color: cyan;
}
#battery.discharging {
color: #859900;
}
@keyframes blink {
to {
color: @foreground-error;
background-color: @background-error;
}
}
@keyframes configblink {
to {
color: @foreground-error;
background-color: transparent;
}
}
#battery.critical:not(.charging) {
color: @foreground-critical;
background-color: @background-critical;
animation-name: blink;
animation-duration: 0.5s;
animation-timing-function: linear;
animation-iteration-count: infinite;
animation-direction: alternate;
}
#backlight-slider slider {
min-height: 0px;
min-width: 0px;
opacity: 0;
background-image: none;
border: none;
box-shadow: none;
}
#backlight-slider trough {
min-height: 5px;
min-width: 80px;
border-radius: 5px;
background-color: black;
}
#backlight-slider highlight {
min-width: 0px;
border-radius: 5px;
background-color: grey;
}
#clock.1,
#clock.2,
#clock.3 {
font-family: Monospace;
}
#clock,
#pulseaudio,
#memory,
#cpu,
#tray,
#temperature,
#power-profiles-daemon,
#network,
#custom-vpn,
#mpris,
#battery,
#custom-scratchpad-indicator,
#custom-pseudobat,
#disk {
padding: 0 3px;
}
#+end_src
** Doc Page style.css
:PROPERTIES:
:CUSTOM_ID: h:6d8fa5d7-8c28-4183-b9e8-c656995176cb
:END:
This is the stylesheet used by the [[#h:12880c64-229c-4063-9eea-387a97490676][HTML version of this document]]. Mostly this holds logic for hiding/showing the pin icons and resizing the page dynamically.
#+begin_src css :tangle site/style.css :mkdirp yes
html, body {
margin: 0;
padding: 0;
background-color: #1d252c;
color: #b7c5d3;
font-family: "Inter", "Fira Sans", system-ui, sans-serif;
line-height: 1.6;
overflow-x: hidden;
}
body {
display: flex;
}
#table-of-contents {
position: fixed;
top: 0;
left: 0;
width: 280px;
height: 100vh;
overflow-y: auto;
padding: 1.2rem 1rem;
background-color: #232b32;
border-right: 1px solid #2f3b45;
font-size: 0.9rem;
display: flex;
flex-direction: column;
}
#table-of-contents h2 {
display: none;
}
#toc-search-container {
margin-bottom: 1rem;
position: sticky;
top: 0;
background-color: #232b32;
z-index: 10;
padding-bottom: 0.5rem;
display: flex;
align-items: center;
gap: 0.5rem;
}
#toc-search-input {
flex: 1;
padding: 0.5rem;
background-color: #1d252c;
border: 1px solid #2f3b45;
color: #b7c5d3;
border-radius: 4px;
font-size: 0.9rem;
box-sizing: border-box;
}
#toc-search-input:focus {
outline: none;
border-color: #5ec4ff;
}
#toc-search-clear {
padding: 0.5rem 0.7rem;
background-color: #2f3b45;
border: 1px solid #3a4a56;
color: #b7c5d3;
cursor: pointer;
font-size: 0.85rem;
border-radius: 4px;
transition: background-color 0.2s, color 0.2s;
white-space: nowrap;
}
#toc-search-clear:hover {
background-color: #3a4a56;
color: #ff6b6b;
}
.hidden-by-search {
display: none !important;
}
#text-table-of-contents {
flex: 1;
}
#text-table-of-contents ul {
list-style: none;
padding-left: 0;
}
#text-table-of-contents li {
margin: 0.2rem 0;
position: relative;
}
.toc-entry {
display: inline-flex;
align-items: center;
}
#text-table-of-contents a {
color: #b7c5d3;
text-decoration: none;
}
#text-table-of-contents a:hover {
color: #5ec4ff;
}
#text-table-of-contents ul ul {
padding-left: 1rem;
border-left: 1px solid #2f3b45;
}
#content {
margin-left: 300px;
margin-right: 320px;
padding: 2rem 3rem;
max-width: 1200px;
width: calc(100vw - 620px);
box-sizing: border-box;
transition: margin 0.3s ease, padding 0.3s ease,
width 0.3s ease, max-width 0.3s ease;
}
#content.pinned-hidden {
margin-right: 0;
width: calc(100vw - 300px);
}
h1, h2, h3, h4, h5, h6, h7, h8, h9 {
color: #70e1e8;
font-weight: 500;
margin-top: 2.2rem;
}
h1 { font-size: 2rem; }
h2 { font-size: 1.6rem; }
h3 { font-size: 1.3rem; }
h4 { font-size: 1.2rem; }
h5 { font-size: 1.1rem; }
h6 { font-size: 1.0rem; }
h7 { font-size: 0.95rem; }
h8 { font-size: 0.925rem; }
h9 { font-size: 0.9rem; }
a {
color: #5ec4ff;
}
a:hover {
text-decoration: underline;
}
pre, code {
font-family: "Fira Code", monospace;
background-color: #232b32;
color: #b7c5d3;
}
pre {
padding: 1rem;
overflow-x: auto;
border: 1px solid #2f3b45;
border-radius: 4px;
max-width: 100%;
box-sizing: border-box;
}
code {
padding: 0.15rem 0.3rem;
border-radius: 3px;
}
table {
border-collapse: collapse;
max-width: 100%;
}
th, td {
border: 1px solid #2f3b45;
padding: 0.5rem 0.8rem;
}
th {
background-color: #232b32;
color: #70e1e8;
}
blockquote {
border-left: 3px solid #5ec4ff;
margin-left: 0;
padding-left: 1rem;
color: #718ca1;
}
#pinned-panel {
position: fixed;
top: 0;
right: 0;
width: 280px;
height: 100vh;
overflow-y: auto;
padding: 1.2rem 1rem;
padding-bottom: 5rem;
background-color: #232b32;
border-left: 1px solid #2f3b45;
font-size: 0.9rem;
box-sizing: border-box;
transition: transform 0.3s ease;
}
#pinned-panel.hidden {
transform: translateX(100%);
}
#pinned-panel-header {
display: flex;
justify-content: space-between;
align-items: center;
}
#pinned-panel h2 {
margin: 0;
font-size: 1rem;
color: #70e1e8;
font-weight: 500;
}
#toggle-pinned-btn {
background: none;
border: none;
color: #718ca1;
cursor: pointer;
font-size: 1.2rem;
padding: 0;
line-height: 1;
}
#toggle-pinned-btn:hover {
color: #5ec4ff;
}
#pinned-list {
list-style: none;
padding-left: 0;
}
#pinned-list li {
margin: 0.5rem 0;
display: flex;
justify-content: space-between;
align-items: center;
}
#pinned-list a {
color: #b7c5d3;
text-decoration: none;
flex: 1;
}
#pinned-list a:hover {
color: #5ec4ff;
}
.pin-remove {
background: none;
border: none;
color: #718ca1;
cursor: pointer;
font-size: 0.9rem;
padding: 0 0.3rem;
}
.pin-remove:hover {
color: #ff6b6b;
}
.toc-pin-btn {
opacity: 0;
visibility: hidden;
transition: opacity 0.2s, visibility 0.2s;
cursor: pointer;
margin-left: 0.4rem;
font-size: 0.85rem;
color: #718ca1;
background: none;
border: none;
padding: 0;
}
.toc-pin-btn:hover {
color: #5ec4ff;
}
#text-table-of-contents .toc-entry:hover .toc-pin-btn {
opacity: 1;
visibility: visible;
}
#show-pinned-btn {
position: fixed;
top: 4.5rem;
right: 1rem;
background-color: #232b32;
border: 1px solid #2f3b45;
color: #b7c5d3;
cursor: pointer;
padding: 0.5rem 0.8rem;
font-size: 0.9rem;
border-radius: 4px;
display: none;
z-index: 1000;
}
#show-pinned-btn:hover {
background-color: #2f3b45;
color: #5ec4ff;
}
#show-pinned-btn.visible {
display: block;
}
#mobile-toc-toggle,
#mobile-pinned-toggle {
position: fixed;
top: 1rem;
z-index: 1100;
padding: 0.5rem 0.8rem;
border-radius: 4px;
border: 1px solid #2f3b45;
background-color: #232b32;
color: #b7c5d3;
font-size: 0.8rem;
cursor: pointer;
display: none;
}
#mobile-toc-toggle {
left: 1rem;
}
#mobile-pinned-toggle {
right: 1rem;
}
#mobile-toc-toggle:hover,
#mobile-pinned-toggle:hover {
background-color: #2f3b45;
color: #5ec4ff;
}
.heading-next {
opacity: 0;
visibility: hidden;
transition: opacity 0.2s, visibility 0.2s;
margin-left: 0.5rem;
color: #718ca1;
text-decoration: none;
font-size: 0.8em;
vertical-align: middle;
cursor: pointer;
background: none;
border: none;
padding: 0;
}
.heading-next:hover {
color: #5ec4ff;
text-decoration: none;
}
h1:hover .heading-next,
h2:hover .heading-next,
h3:hover .heading-next,
h4:hover .heading-next,
h5:hover .heading-next,
h6:hover .heading-next,
h7:hover .heading-next,
h8:hover .heading-next,
h9:hover .heading-next {
opacity: 1;
visibility: visible;
}
.heading-skip {
opacity: 0;
visibility: hidden;
transition: opacity 0.2s, visibility 0.2s;
margin-left: 0.5rem;
color: #718ca1;
text-decoration: none;
font-size: 0.8em;
vertical-align: middle;
cursor: pointer;
background: none;
border: none;
padding: 0;
}
.heading-skip:hover {
color: #5ec4ff;
text-decoration: none;
}
h1:hover .heading-skip,
h2:hover .heading-skip,
h3:hover .heading-skip,
h4:hover .heading-skip,
h5:hover .heading-skip,
h6:hover .heading-skip,
h7:hover .heading-skip,
h8:hover .heading-skip,
h9:hover .heading-skip {
opacity: 1;
visibility: visible;
}
.heading-skip-up {
opacity: 0;
visibility: hidden;
transition: opacity 0.2s, visibility 0.2s;
margin-left: 0.5rem;
color: #718ca1;
text-decoration: none;
font-size: 0.8em;
vertical-align: middle;
cursor: pointer;
background: none;
border: none;
padding: 0;
}
.heading-skip-up:hover {
color: #5ec4ff;
text-decoration: none;
}
h1:hover .heading-skip-up,
h2:hover .heading-skip-up,
h3:hover .heading-skip-up,
h4:hover .heading-skip-up,
h5:hover .heading-skip-up,
h6:hover .heading-skip-up,
h7:hover .heading-skip-up,
h8:hover .heading-skip-up,
h9:hover .heading-skip-up {
opacity: 1;
visibility: visible;
}
@media (max-width: 1600px) {
#content {
max-width: 100%;
}
}
@media (max-width: 1300px) {
#mobile-pinned-toggle {
display: block;
}
#pinned-panel {
display: block !important;
position: fixed;
top: 0;
right: 0;
width: 260px;
max-width: 80vw;
height: 100vh;
overflow-y: auto;
transform: translateX(100%);
transition: transform 0.25s ease;
z-index: 1000;
}
#pinned-panel.mobile-visible {
transform: translateX(0);
}
#show-pinned-btn {
display: none !important;
}
#content,
#content.pinned-hidden {
margin-right: 0;
width: calc(100vw - 300px);
max-width: 100%;
padding: 1.8rem 2.2rem;
}
}
@media (max-width: 1000px) {
#mobile-toc-toggle,
#mobile-pinned-toggle {
display: block;
}
#table-of-contents {
display: block;
position: fixed;
top: 0;
left: 0;
width: 260px;
max-width: 80vw;
height: 100vh;
overflow-y: auto;
transform: translateX(-100%);
transition: transform 0.25s ease;
z-index: 1000;
}
#table-of-contents.mobile-visible {
transform: translateX(0);
}
#pinned-panel {
display: block !important;
position: fixed;
top: 0;
right: 0;
width: 260px;
max-width: 80vw;
height: 100vh;
overflow-y: auto;
transform: translateX(100%);
transition: transform 0.25s ease;
z-index: 1000;
}
#pinned-panel.mobile-visible {
transform: translateX(0);
}
#content,
#content.pinned-hidden {
margin-left: 0;
margin-right: 0;
width: 100vw;
max-width: 100%;
padding: 1.5rem 1.25rem;
}
#toc-search-container {
top: 3rem;
margin-top: 2.5rem;
}
}
.heading-link {
opacity: 0;
visibility: hidden;
transition: opacity 0.2s, visibility 0.2s;
margin-left: 0.5rem;
color: #718ca1;
text-decoration: none;
font-size: 0.8em;
vertical-align: middle;
}
.heading-link:hover {
color: #5ec4ff;
text-decoration: none;
}
h1:hover .heading-link,
h2:hover .heading-link,
h3:hover .heading-link,
h4:hover .heading-link,
h5:hover .heading-link,
h6:hover .heading-link,
h7:hover .heading-link,
h8:hover .heading-link,
h9:hover .heading-link {
opacity: 1;
visibility: visible;
}
@media (max-width: 700px) {
#content {
padding: 1.2rem 1rem;
}
}
.darkmode-layer,
.darkmode-toggle {
z-index: 500;
}
html,
body {
overflow-x: hidden;
}
h1 .toc-pin-btn,
h2 .toc-pin-btn,
h3 .toc-pin-btn,
h4 .toc-pin-btn,
h5 .toc-pin-btn,
h6 .toc-pin-btn,
h7 .toc-pin-btn,
h8 .toc-pin-btn,
h9 .toc-pin-btn {
opacity: 0;
visibility: hidden;
transition: opacity 0.2s, visibility 0.2s;
}
h1:hover .toc-pin-btn,
h2:hover .toc-pin-btn,
h3:hover .toc-pin-btn,
h4:hover .toc-pin-btn,
h5:hover .toc-pin-btn,
h6:hover .toc-pin-btn,
h7:hover .toc-pin-btn,
h8:hover .toc-pin-btn,
h9:hover .toc-pin-btn {
opacity: 1;
visibility: visible;
}
#clear-all-pins-btn {
width: 100%;
margin: 0.5rem 0;
padding: 0.4rem 0.6rem;
background-color: #2f3b45;
border: 1px solid #3a4a56;
color: #b7c5d3;
cursor: pointer;
font-size: 0.85rem;
border-radius: 4px;
transition: background-color 0.2s, color 0.2s;
}
#clear-all-pins-btn:hover {
background-color: #3a4a56;
color: #ff6b6b;
}
@media (max-width: 1000px) {
body.mobile-panel-open {
overflow: hidden;
}
}
#+end_src
** justfile
:PROPERTIES:
:CUSTOM_ID: h:788937cf-8816-466b-8e57-1b695cb50f52
:END:
This file defines a few workflows that I often need to run when working on my configuration. This works similar to =make=, but is geared towards general tasks and as such requires no extra handling (as long as there are no dependencies involved) or =.PHONY= recipes.
(In the org-src block I still call it a Makefile in order to get syntax highlighting)
#+begin_src makefile :tangle justfile
default:
@just --list
check:
nix flake check --keep-going
check-trace:
nix flake check --show-trace
update:
nix flake update
iso CONFIG="live-iso":
rm -rf result
nix build --print-out-paths .#live-iso
iso-install DRIVE: iso
sudo dd if=$(eza --sort changed result/iso/*.iso | tail -n1) of={{DRIVE}} bs=4M status=progress oflag=sync
dd DRIVE ISO:
sudo dd if=$(eza --sort changed {{ISO}} | tail -n1) of={{DRIVE}} bs=4M status=progress oflag=sync
sync USER HOST:
rsync -rltv --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/
secrets USER HOST:
rsync -rltv -e "ssh -l {{USER}}" /var/tmp/nix-import-encrypted/1000/ {{USER}}@{{HOST}}:/var/tmp/nix-import-encrypted/0
bootstrap DEST CONFIG ARCH="x86_64-linux" NODISKODEPS="":
nix develop .#deploy --command zsh -c "swarsel-bootstrap {{NODISKODEPS}} -n {{CONFIG}} -d {{DEST}} -a {{ARCH}}"
#+end_src
** aspell.conf
:PROPERTIES:
:CUSTOM_ID: h:038feb42-6e1e-4b65-abe9-e26746b72b78
:END:
#+begin_src shell :tangle files/config/.aspell.conf
dict-dir /run/current-system/sw/lib/aspell
#+end_src
** nix-plugins.patch
:PROPERTIES:
:CUSTOM_ID: h:931ff2fd-61f0-4f8f-b221-d879780f38d7
:END:
#+begin_src diff :tangle files/patches/nix-plugins.patch :mkdirp yes
diff --git a/extra-builtins.cc b/extra-builtins.cc
index 3a0f90e..bb10f8b 100644
--- a/extra-builtins.cc
+++ b/extra-builtins.cc
@@ -1,9 +1,9 @@
-#include
-#include
-#include
-#include
-#include
-#include
-#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
#include "nix-plugins-config.h"
#+end_src
** Zellij layout swarsel.kdl.nix
:PROPERTIES:
:CUSTOM_ID: h:bed316c9-47ed-494f-8375-998ef1315d7b
:END:
#+begin_src shell :tangle files/zellij/layouts/swarsel.kdl.nix
{ config, pkgs }:
let
inherit (config.lib.stylix) colors;
in
''
layout {
swap_tiled_layout name="vertical" {
tab max_panes=5 {
pane split_direction="vertical" {
pane
pane { children; }
}
}
tab max_panes=8 {
pane split_direction="vertical" {
pane { children; }
pane { pane; pane; pane; pane; }
}
}
tab max_panes=12 {
pane split_direction="vertical" {
pane { children; }
pane { pane; pane; pane; pane; }
pane { pane; pane; pane; pane; }
}
}
}
swap_tiled_layout name="horizontal" {
tab max_panes=5 {
pane
pane
}
tab max_panes=8 {
pane {
pane split_direction="vertical" { children; }
pane split_direction="vertical" { pane; pane; pane; pane; }
}
}
tab max_panes=12 {
pane {
pane split_direction="vertical" { children; }
pane split_direction="vertical" { pane; pane; pane; pane; }
pane split_direction="vertical" { pane; pane; pane; pane; }
}
}
}
swap_tiled_layout name="stacked" {
tab min_panes=5 {
pane split_direction="vertical" {
pane
pane stacked=true { children; }
}
}
}
swap_floating_layout name="staggered" {
floating_panes
}
swap_floating_layout name="enlarged" {
floating_panes max_panes=10 {
pane { x "5%"; y 1; width "90%"; height "90%"; }
pane { x "5%"; y 2; width "90%"; height "90%"; }
pane { x "5%"; y 3; width "90%"; height "90%"; }
pane { x "5%"; y 4; width "90%"; height "90%"; }
pane { x "5%"; y 5; width "90%"; height "90%"; }
pane { x "5%"; y 6; width "90%"; height "90%"; }
pane { x "5%"; y 7; width "90%"; height "90%"; }
pane { x "5%"; y 8; width "90%"; height "90%"; }
pane { x "5%"; y 9; width "90%"; height "90%"; }
pane focus=true { x 10; y 10; width "90%"; height "90%"; }
}
}
swap_floating_layout name="spread" {
floating_panes max_panes=1 {
pane {y "50%"; x "50%"; }
}
floating_panes max_panes=2 {
pane { x "1%"; y "25%"; width "45%"; }
pane { x "50%"; y "25%"; width "45%"; }
}
floating_panes max_panes=3 {
pane focus=true { y "55%"; width "45%"; height "45%"; }
pane { x "1%"; y "1%"; width "45%"; }
pane { x "50%"; y "1%"; width "45%"; }
}
floating_panes max_panes=4 {
pane { x "1%"; y "55%"; width "45%"; height "45%"; }
pane focus=true { x "50%"; y "55%"; width "45%"; height "45%"; }
pane { x "1%"; y "1%"; width "45%"; height "45%"; }
pane { x "50%"; y "1%"; width "45%"; height "45%"; }
}
}
default_tab_template {
children
pane size=1 borderless=true {
plugin location="file://${pkgs.zjstatus}/bin/zjstatus.wasm" {
format_left "{mode}#[bg=#${colors.base00}] {tabs}"
format_center ""
format_right "#[bg=#${colors.base00},fg=#${colors.base02}]#[bg=#${colors.base02},fg=#${colors.base01},bold] #[bg=#${colors.base02},fg=#${colors.base01},bold] {session} #[bg=#${colors.base02},fg=#${colors.base01},bold]"
format_space ""
format_hide_on_overlength "false"
format_precedence "lcr"
border_enabled "false"
border_char "─"
border_format "#[fg=#6C7086]{char}"
border_position "top"
mode_normal "#[bg=#${colors.base0B},fg=#${colors.base01},bold] NORMAL#[bg=#${colors.base01},fg=#${colors.base0B}]█"
mode_locked "#[bg=#${colors.base04},fg=#${colors.base01},bold] LOCKED #[bg=#${colors.base01},fg=#${colors.base04}]█"
mode_resize "#[bg=#${colors.base08},fg=#${colors.base01},bold] RESIZE#[bg=#${colors.base01},fg=#${colors.base08}]█"
mode_pane "#[bg=#${colors.base0D},fg=#${colors.base01},bold] PANE#[bg=#${colors.base01},fg=#${colors.base0D}]█"
mode_tab "#[bg=#${colors.base07},fg=#${colors.base01},bold] TAB#[bg=#${colors.base01},fg=#${colors.base07}]█"
mode_scroll "#[bg=#${colors.base0A},fg=#${colors.base01},bold] SCROLL#[bg=#${colors.base01},fg=#${colors.base0A}]█"
mode_enter_search "#[bg=#${colors.base0D},fg=#${colors.base01},bold] ENT-SEARCH#[bg=#${colors.base01},fg=#${colors.base0D}]█"
mode_search "#[bg=#${colors.base0D},fg=#${colors.base01},bold] SEARCHARCH#[bg=#${colors.base01},fg=#${colors.base0D}]█"
mode_rename_tab "#[bg=#${colors.base07},fg=#${colors.base01},bold] RENAME-TAB#[bg=#${colors.base01},fg=#${colors.base07}]█"
mode_rename_pane "#[bg=#${colors.base0D},fg=#${colors.base01},bold] RENAME-PANE#[bg=#${colors.base01},fg=#${colors.base0D}]█"
mode_session "#[bg=#${colors.base0E},fg=#${colors.base01},bold] SESSION#[bg=#${colors.base01},fg=#${colors.base0E}]█"
mode_move "#[bg=#${colors.base0F},fg=#${colors.base01},bold] MOVE#[bg=#${colors.base01},fg=#${colors.base0F}]█"
mode_prompt "#[bg=#${colors.base0D},fg=#${colors.base01},bold] PROMPT#[bg=#${colors.base01},fg=#${colors.base0D}]█"
mode_tmux "#[bg=#${colors.base09},fg=#${colors.base01},bold] TMUX#[bg=#${colors.base01},fg=#${colors.base09}]█"
// formatting for inactive tabs
tab_normal "#[bg=#${colors.base01},fg=#${colors.base0C}]█#[bg=#${colors.base0C},fg=#${colors.base01},bold]{index} #[bg=#${colors.base01},fg=#${colors.base0C},bold] {name}{floating_indicator}#[bg=#${colors.base01},fg=#${colors.base01},bold]█"
tab_normal_fullscreen "#[bg=#${colors.base01},fg=#${colors.base0C}]█#[bg=#${colors.base0C},fg=#${colors.base01},bold]{index} #[bg=#${colors.base01},fg=#${colors.base0C},bold] {name}{fullscreen_indicator}#[bg=#${colors.base01},fg=#${colors.base01},bold]█"
tab_normal_sync "#[bg=#${colors.base01},fg=#${colors.base0C}]█#[bg=#${colors.base0C},fg=#${colors.base01},bold]{index} #[bg=#${colors.base01},fg=#${colors.base0C},bold] {name}{sync_indicator}#[bg=#${colors.base01},fg=#${colors.base01},bold]█"
// formatting for the current active tab
tab_active "#[bg=#${colors.base01},fg=#${colors.base09}]█#[bg=#${colors.base09},fg=#${colors.base01},bold]{index} #[bg=#${colors.base01},fg=#${colors.base09},bold] {name}{floating_indicator}#[bg=#${colors.base01},fg=#${colors.base01},bold]█"
tab_active_fullscreen "#[bg=#${colors.base01},fg=#${colors.base09}]█#[bg=#${colors.base09},fg=#${colors.base01},bold]{index} #[bg=#${colors.base01},fg=#${colors.base09},bold] {name}{fullscreen_indicator}#[bg=#${colors.base01},fg=#${colors.base01},bold]█"
tab_active_sync "#[bg=#${colors.base01},fg=#${colors.base09}]█#[bg=#${colors.base09},fg=#${colors.base01},bold]{index} #[bg=#${colors.base01},fg=#${colors.base09},bold] {name}{sync_indicator}#[bg=#${colors.base01},fg=#${colors.base01},bold]█"
// separator between the tabs
tab_separator "#[bg=#${colors.base00}] "
// indicators
tab_sync_indicator " "
tab_fullscreen_indicator " "
tab_floating_indicator " "
command_git_branch_command "git rev-parse --abbrev-ref HEAD"
command_git_branch_format "#[fg=blue] {stdout} "
command_git_branch_interval "10"
command_git_branch_rendermode "static"
datetime "#[fg=#6C7086,bold] {format} "
datetime_format "%A, %d %b %Y %H:%M"
datetime_timezone "Europe/Vienna"
}
}
}
}
''
#+end_src
** Zellij kittyterm config.kdl
:PROPERTIES:
:CUSTOM_ID: h:ae07e867-fc17-4dd7-bd21-5886265308ee
:END:
#+begin_src nix-ts :tangle files/zellij/config-kittyterm.kdl
copy_command "wl-copy"
copy_on_select true
default_layout "swarsel"
default_shell "zsh"
keybinds clear-defaults=true {
entersearch {
bind "Ctrl c" {
SwitchToMode "scroll"
}
bind "esc" {
SwitchToMode "scroll"
}
bind "enter" {
SwitchToMode "search"
}
}
locked {
bind "Ctrl g" {
SwitchToMode "normal"
}
}
move {
bind "Ctrl h" {
SwitchToMode "normal"
}
bind "left" {
MovePane "left"
}
bind "down" {
MovePane "down"
}
bind "up" {
MovePane "up"
}
bind "right" {
MovePane "right"
}
bind "h" {
MovePane "left"
}
bind "j" {
MovePane "down"
}
bind "k" {
MovePane "up"
}
bind "l" {
MovePane "right"
}
}
pane {
bind "Ctrl p" {
SwitchToMode "normal"
}
bind "left" {
MoveFocus "left"
}
bind "down" {
MoveFocus "down"
}
bind "up" {
MoveFocus "up"
}
bind "right" {
MoveFocus "right"
}
bind "h" {
MoveFocus "left"
}
bind "j" {
MoveFocus "down"
}
bind "k" {
MoveFocus "up"
}
bind "l" {
MoveFocus "right"
}
bind "d" {
NewPane "down"
SwitchToMode "normal"
}
bind "e" {
TogglePaneEmbedOrFloating
SwitchToMode "normal"
}
bind "f" {
ToggleFocusFullscreen
SwitchToMode "normal"
}
bind "n" {
NewPane
SwitchToMode "normal"
}
bind "p" {
SwitchFocus
}
bind "f12" {
ToggleFloatingPanes
SwitchToMode "normal"
}
}
renamepane {
bind "esc" {
UndoRenamePane
SwitchToMode "pane"
}
}
renametab {
bind "esc" {
UndoRenameTab
SwitchToMode "tab"
}
}
resize {
bind "Ctrl n" {
SwitchToMode "normal"
}
bind "left" {
Resize "Increase left"
}
bind "down" {
Resize "Increase down"
}
bind "up" {
Resize "Increase up"
}
bind "right" {
Resize "Increase right"
}
bind "+" {
Resize "Increase"
}
bind "-" {
Resize "Decrease"
}
bind "=" {
Resize "Increase"
}
bind "H" {
Resize "Decrease left"
}
bind "J" {
Resize "Decrease down"
}
bind "K" {
Resize "Decrease up"
}
bind "L" {
Resize "Decrease right"
}
bind "h" {
Resize "Increase left"
}
bind "j" {
Resize "Increase down"
}
bind "k" {
Resize "Increase up"
}
bind "l" {
Resize "Increase right"
}
}
scroll {
bind "e" {
EditScrollback
SwitchToMode "normal"
}
bind "s" {
SwitchToMode "entersearch"
SearchInput 0
}
}
search {
bind "c" {
SearchToggleOption "CaseSensitivity"
}
bind "n" {
Search "down"
}
bind "o" {
SearchToggleOption "WholeWord"
}
bind "p" {
Search "up"
}
bind "w" {
SearchToggleOption "Wrap"
}
}
session {
bind "Ctrl o" {
SwitchToMode "normal"
}
bind "c" {
LaunchOrFocusPlugin "configuration" {
floating true
move_to_focused_tab true
}
SwitchToMode "normal"
}
bind "p" {
LaunchOrFocusPlugin "plugin-manager" {
floating true
move_to_focused_tab true
}
SwitchToMode "normal"
}
bind "w" {
LaunchOrFocusPlugin "session-manager" {
floating true
move_to_focused_tab true
}
SwitchToMode "normal"
}
}
shared_among "pane" "tmux" {
bind "x" {
CloseFocus
SwitchToMode "normal"
}
}
shared_among "renametab" "renamepane" {
bind "Ctrl c" {
SwitchToMode "normal"
}
}
shared_among "scroll" "search" {
bind "PageDown" {
PageScrollDown
}
bind "PageUp" {
PageScrollUp
}
bind "left" {
PageScrollUp
}
bind "down" {
ScrollDown
}
bind "up" {
ScrollUp
}
bind "right" {
PageScrollDown
}
bind "Ctrl b" {
PageScrollUp
}
bind "Ctrl c" {
ScrollToBottom
SwitchToMode "normal"
}
bind "d" {
HalfPageScrollDown
}
bind "Ctrl f" {
PageScrollDown
}
bind "h" {
PageScrollUp
}
bind "j" {
ScrollDown
}
bind "k" {
ScrollUp
}
bind "l" {
PageScrollDown
}
bind "Ctrl s" {
SwitchToMode "normal"
}
bind "u" {
HalfPageScrollUp
}
}
shared_among "session" "tmux" {
bind "d" {
Detach
}
}
shared_except "locked" {
bind "Alt left" {
MoveFocusOrTab "left"
}
bind "Alt down" {
MoveFocus "down"
}
bind "Alt up" {
MoveFocus "up"
}
bind "Alt right" {
MoveFocusOrTab "right"
}
bind "Alt +" {
Resize "Increase"
}
bind "Alt -" {
Resize "Decrease"
}
bind "Alt =" {
Resize "Increase"
}
bind "Alt r" {
WriteChars "source cdr"
WriteChars "\n"
}
bind "Alt f" {
ToggleFloatingPanes
}
bind "Ctrl g" {
SwitchToMode "locked"
}
bind "Alt h" {
MoveFocusOrTab "left"
}
bind "Alt i" {
MoveTab "left"
}
bind "Alt j" {
MoveFocus "down"
}
bind "Alt k" {
MoveFocus "up"
}
bind "Alt p" {
NewPane
}
bind "Alt n" {
NewTab
}
}
shared_except "locked" "move" {
bind "Ctrl h" {
SwitchToMode "move"
}
}
shared_except "locked" "pane" {
bind "Ctrl p" {
SwitchToMode "pane"
}
}
shared_except "locked" "resize" {
bind "Ctrl n" {
SwitchToMode "resize"
}
}
shared_except "locked" "scroll" "search" {
bind "Ctrl s" {
SwitchToMode "scroll"
}
}
shared_except "locked" "scroll" "search" "tmux" {
bind "Ctrl b" {
SwitchToMode "tmux"
}
}
shared_except "locked" "session" {
bind "Ctrl o" {
SwitchToMode "session"
}
}
shared_except "locked" "tab" {
bind "Ctrl t" {
SwitchToMode "tab"
}
}
shared_except "normal" "locked" "entersearch" {
bind "enter" {
SwitchToMode "normal"
}
}
shared_except "normal" "locked" "entersearch" "renametab" "renamepane" {
bind "esc" {
SwitchToMode "normal"
}
}
tab {
bind "Ctrl t" {
SwitchToMode "normal"
}
bind "left" {
GoToPreviousTab
}
bind "down" {
GoToNextTab
}
bind "up" {
GoToPreviousTab
}
bind "right" {
GoToNextTab
}
bind "1" {
GoToTab 1
SwitchToMode "normal"
}
bind "2" {
GoToTab 2
SwitchToMode "normal"
}
bind "3" {
GoToTab 3
SwitchToMode "normal"
}
bind "4" {
GoToTab 4
SwitchToMode "normal"
}
bind "5" {
GoToTab 5
SwitchToMode "normal"
}
bind "6" {
GoToTab 6
SwitchToMode "normal"
}
bind "7" {
GoToTab 7
SwitchToMode "normal"
}
bind "8" {
GoToTab 8
SwitchToMode "normal"
}
bind "9" {
GoToTab 9
SwitchToMode "normal"
}
bind "h" {
GoToPreviousTab
}
bind "j" {
GoToNextTab
}
bind "k" {
GoToPreviousTab
}
bind "l" {
GoToNextTab
}
bind "n" {
NewTab
SwitchToMode "normal"
}
bind "r" {
SwitchToMode "renametab"
TabNameInput 0
}
bind "s" {
ToggleActiveSyncTab
SwitchToMode "normal"
}
bind "x" {
CloseTab
SwitchToMode "normal"
}
}
tmux {
bind "left" {
MoveFocus "left"
SwitchToMode "normal"
}
bind "down" {
MoveFocus "down"
SwitchToMode "normal"
}
bind "up" {
MoveFocus "up"
SwitchToMode "normal"
}
bind "right" {
MoveFocus "right"
SwitchToMode "normal"
}
bind "space" {
NextSwapLayout
}
bind "\"" {
NewPane "down"
SwitchToMode "normal"
}
bind "%" {
NewPane "right"
SwitchToMode "normal"
}
bind "," {
SwitchToMode "renametab"
}
bind "[" {
SwitchToMode "scroll"
}
bind "Ctrl b" {
Write 2
SwitchToMode "normal"
}
bind "c" {
NewTab
SwitchToMode "normal"
}
bind "h" {
MoveFocus "left"
SwitchToMode "normal"
}
bind "j" {
MoveFocus "down"
SwitchToMode "normal"
}
bind "k" {
MoveFocus "up"
SwitchToMode "normal"
}
bind "l" {
MoveFocus "right"
SwitchToMode "normal"
}
bind "n" {
GoToNextTab
SwitchToMode "normal"
}
bind "o" {
FocusNextPane
}
bind "p" {
GoToPreviousTab
SwitchToMode "normal"
}
bind "z" {
ToggleFocusFullscreen
SwitchToMode "normal"
}
}
}
layout_dir "/home/swarsel/.config/zellij/layouts"
on_force_close "detach"
pane_frames false
plugins {
compact-bar {
path "compact-bar"
}
status-bar {
path "status-bar"
}
strider {
path "strider"
}
tab-bar {
path "tab-bar"
}
}
scrollback_lines_to_serialize 100000
session_serialization true
show_startup_tips false
simplified_ui false
support_kitty_keyboard_protocol true
theme_dir "/home/swarsel/.config/zellij/themes"
ui {
pane_frames {
hide_session_name true
rounded_corners true
}
}
#+end_src
** Vieb config
:PROPERTIES:
:CUSTOM_ID: h:0124a4eb-4ea3-455c-939d-ba4584c703af
:END:
#+begin_src shell :tangle files/vieb/viebrc
" Options
set adblocker=update
set adblockernotifications=all
set cache=clearonquit
set noclearcookiesonquit
set nocleardownloadsoncompleted
set nocleardownloadsonquit
set clearhistoryinterval=none
set noclearlocalstorageonquit
set noclosablepinnedtabs
set commandhist=persistuseronly
set containerkeeponreopen
set containernewtab=s:usecurrent
set containershowname=automatic
set containersplitpage=s:usecurrent
set containerstartuppage=main
set countlimit=100
" set nodarkreader
set darkreaderbg=#181a1b
set darkreaderbrightness=100
set darkreadercontrast=100
set darkreaderfg=#e8e6e3
set darkreadergrayscale=0
set darkreadermode=dark
set darkreadersepia=0
set darkreadertextstroke=0
set devtoolsposition=split
set dialogalert=notifyblock
set dialogconfirm=notifyallow
set dialogprompt=notifyblock
set downloadmethod=automatic
set downloadpath=
set encodeurlcopy=nospaces
set encodeurlext=nospaces
set explorehist=persist
set externalcommand=
set favicons=session
set followchars=numbers
set followfallbackaction=filter
set followlabelposition=outsiderighttop
set follownewtabswitch
set guifontsize=14
set guifullscreennavbar=oninput
set guifullscreentabbar=onupdate
set guihidetimeout=5000
set guinavbar=oninput
set guiscrollbar=onscroll
set guitabbar=onupdate
set historyperpage=100
set ignorecase
set incsearch
set inputfocusalignment=rememberend
set keeprecentlyclosed
set lang=en
set loadingindicator=line
set mapsuggest=9000000000000000
set mapsuggestposition=topright
set markposition=newtab
set markpositionshifted=default
set maxmapdepth=10
set menupage=elementasneeded
set menusuggest=both
set menuvieb=both
set mintabwidth=28
set mouse=all
set mousedisabledbehavior=nothing
set nomousefocus
set mousenewtabswitch
set mousevisualmode=onswitch
set nativenotification=never
set nativetheme=dark
set newtaburl=
set notificationduration=6000
set notificationforpermissions=silent
set notificationforsystemcommands=errors
set notificationlimitsmall=3
set notificationposition=bottomright
set pdfbehavior=download
set permissioncamera=ask
set permissioncertificateerror=allow
set permissionclipboardread=allow
set permissionclipboardwrite=allow
set permissionclosepage=allow
set permissiondisplaycapture=ask
set permissionfullscreen=allow
set permissiongeolocation=block
set permissionhid=block
set permissionidledetection=block
set permissionmediadevices=allowfull
set permissionmicrophone=ask
set permissionmidi=ask
set permissionmidisysex=ask
set permissionnotifications=ask
set permissionopenexternal=ask
set permissionpersistentstorage=ask
set permissionpointerlock=block
set permissionscreenwakelock=block
set permissionsensors=block
set permissionserial=block
set permissionunknown=ask
set permissionusb=allow
set permissionwindowmanagement=ask
set pointerposlocalid=domain
set pointerpostype=casing
set noquitonlasttabclose
set redirecttohttp
set noreloadtaboncrash
set replacespecial=special
set replacestartup=never
set requesttimeout=20000
set restoretabs=all
set scrollposlocalid=domain
set scrollpostype=casing
set searchemptyscope=global
set searchpointeralignment=left
set searchscope=global
set shell=
set showcmd
set smartcase
set spell
set nosplitbelow
set nosplitright
set nosponsorblock
set suggestbouncedelay=100
set suggestcommands=9000000000000000
set suggesttopsites=10
set suspendbackgroundtab
set suspendonrestore=regular
set suspendtimeout=0
set tabclosefocus=left
set tabcycle
set tabnewposition=right
set tabopenmuted=never
set taboverflow=scroll
set tabreopenmuted=remember
set tabreopenposition=right
set timeout
set timeoutlen=2000
set translateapi=auto
set translatekey=
set translatelang=en-us
set translateurl=https://api-free.deepl.com/v2/
" set nouserscript
" set nouserstyle
set useragent=%firefox
set vimcommand=gvim
set windowfullscreen=restore
set windowmaximize=restore
set windowposition=restore
set windowsize=restore
set windowtitle="%app - %title"
" Commands
colorscheme default
" Mappings
nmap o
nmap t <:tabnew>
nmap b buffer
nmap g0 <:buffer 0>
nmap g^ <:buffer 0>
nmap g$ <:buffer -1>
nmap <:buffer #>
nmap J
nmap K
nmap >>
nmap
nmap O
nmap gx0 <:lclose>
nmap gx$ <:rclose>
nmap x
nunmap [
nunmap ]
nmap [[
nmap ]]
nmap [c
nmap ]c
nmap zz
nmap zi