Merge branch 'main' into main

This commit is contained in:
Lithospherical 2025-10-12 03:41:34 +00:00
commit 28a962d712
118 changed files with 6316 additions and 971 deletions


@ -8,5 +8,6 @@
in {
leyla = lib.mkIf users.leyla.isNormalUser (import ./leyla);
eve = lib.mkIf users.eve.isNormalUser (import ./eve);
ivy = lib.mkIf users.ivy.isNormalUser (import ./ivy);
git = lib.mkIf (osConfig.services.forgejo.enable or false) (import ./git);
}
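Review bot: The new `git` entry is gated on `osConfig.services.forgejo.enable or false` rather than on the user existing, unlike the sibling entries that key off `users.<name>.isNormalUser`, so Home Manager will try to build a profile for a `git` user that the forgejo module does not necessarily create (its service user is configurable and, in the NixOS module I know, does not default to `git`). If the intent is "configure the user forgejo runs as", consider gating on that user being defined, e.g. `git = lib.mkIf ((osConfig.services.forgejo.enable or false) && osConfig.users.users ? git) (import ./git);`, or keying the attribute name off `osConfig.services.forgejo.user`. The enclosing `in { ... }` attrset starts before the hunk.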


@ -17,7 +17,6 @@ in {
# See https://search.nixos.org/packages for all options
home.packages = lib.lists.optionals userConfig.isDesktopUser (
with pkgs; [
ungoogled-chromium
gnomeExtensions.dash-to-panel
]
);
@ -61,6 +60,7 @@ in {
steam.enable = true;
piper.enable = hardware.piperMouse.enable;
krita.enable = true;
ungoogled-chromium.enable = true;
})
];
};


@ -0,0 +1,55 @@
{osConfig, ...}: let
userConfig = osConfig.host.users.ivy;
in {
imports = [
./packages.nix
];
home = {
username = userConfig.name;
homeDirectory = osConfig.users.users.ivy.home;
# This value determines the Home Manager release that your configuration is
# compatible with. This helps avoid breakage when a new Home Manager release
# introduces backwards incompatible changes.
#
# You should not change this value, even if you update Home Manager. If you do
# want to update the value, then make sure to first check the Home Manager
# release notes.
stateVersion = "23.11"; # Please read the comment before changing.
# Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'.
file = {
# # Building this configuration will create a copy of 'dotfiles/screenrc' in
# # the Nix store. Activating the configuration will then make '~/.screenrc' a
# # symlink to the Nix store copy.
# ".screenrc".source = dotfiles/screenrc;
# # You can also set the file content immediately.
# ".gradle/gradle.properties".text = ''
# org.gradle.console=verbose
# org.gradle.daemon.idletimeout=3600000
# '';
};
# Home Manager can also manage your environment variables through
# 'home.sessionVariables'. If you don't want to manage your shell through Home
# Manager then you have to manually source 'hm-session-vars.sh' located at
# either
#
# ~/.nix-profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# /etc/profiles/per-user/ivy/etc/profile.d/hm-session-vars.sh
#
sessionVariables = {
# EDITOR = "emacs";
};
};
}
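Review bot: `homeDirectory = osConfig.users.users.ivy.home;` hard-codes the user name while `username = userConfig.name;` two lines above is read from the host config, so the two can silently disagree if `host.users.ivy.name` is ever not `ivy`. Deriving both from the same value keeps them consistent: `homeDirectory = osConfig.users.users.${userConfig.name}.home;`. The rest of the file is the unmodified Home Manager template, so the commented `.screenrc`/`gradle.properties` examples and the `hm-session-vars.sh` commentary could be trimmed to what this user actually uses.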


@ -0,0 +1,73 @@
{
lib,
pkgs,
config,
osConfig,
...
}: {
config = {
nixpkgs.config = {
allowUnfree = true;
};
# Programs that need to be installed with some extra configuration
programs = lib.mkMerge [
{
# Let Home Manager install and manage itself.
home-manager.enable = true;
}
(lib.mkIf (config.user.isDesktopUser || config.user.isTerminalUser) {
# git = {
# enable = true;
# userName = "Ivy";
# userEmail = "ivy@example.com"; # Update this with actual email
# extraConfig.init.defaultBranch = "main";
# };
openssh = {
enable = true;
hostKeys = [
{
type = "ed25519";
path = "${config.home.username}_${osConfig.networking.hostName}_ed25519";
}
];
};
})
(lib.mkIf config.user.isDesktopUser {
vscode = {
enable = true;
package = pkgs.vscodium;
mutableExtensionsDir = false;
profiles.default = {
enableUpdateCheck = false;
enableExtensionUpdateCheck = false;
extraExtensions = {
# Cline extension (Claude AI assistant)
claudeDev.enable = true;
# Auto Rename Tag
autoRenameTag.enable = true;
# Live Server
liveServer.enable = true;
};
extensions = let
extension-pkgs = pkgs.nix-vscode-extensions.forVSCodeVersion config.programs.vscode.package.version;
in (
with extension-pkgs.open-vsx; [
streetsidesoftware.code-spell-checker
]
);
};
};
firefox.enable = true;
discord.enable = true;
signal-desktop-bin.enable = true;
claude-code.enable = true;
})
];
};
}
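Review bot: `claude-code.enable = true;` is unconditional here, whereas the other user configuration touched by this commit gates the same program on `osConfig.host.ai.enable` and gates the Cline extension on an `ai-tooling-enabled` flag, so a host with AI tooling switched off still gets claude-code for ivy. Keeping the two users consistent is one line: `claude-code.enable = osConfig.host.ai.enable;` (and, for symmetry, `claudeDev.enable = osConfig.host.ai.enable;` in `extraExtensions`). `mutableExtensionsDir = false` together with the disabled update checks is the right call for a declarative extension set; just note that `liveServer` opens a local HTTP server when used, which is fine on a desktop but worth remembering when it is enabled by default.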


@ -37,6 +37,12 @@ in {
dbeaver-bin.enable = true;
bruno.enable = true;
piper.enable = hardware.piperMouse.enable;
proxmark3.enable = true;
openrgb.enable = hardware.openRGB.enable;
via.enable = hardware.viaKeyboard.enable;
claude-code.enable = osConfig.host.ai.enable;
davinci-resolve.enable = hardware.graphicsAcceleration.enable;
mfoc.enable = true;
})
(lib.mkIf (hardware.directAccess.enable && config.user.isDesktopUser) {
anki.enable = true;
@ -50,6 +56,22 @@ in {
firefox.enable = true;
steam.enable = true;
krita.enable = true;
ungoogled-chromium.enable = true;
libreoffice.enable = true;
mapillary-uploader.enable = true;
inkscape.enable = true;
gimp.enable = true;
freecad.enable = true;
onionshare.enable = true;
pdfarranger.enable = true;
picard.enable = true;
qflipper.enable = true;
openvpn.enable = true;
noisetorch.enable = true;
tor-browser.enable = true;
gdx-liftoff.enable = true;
# polycule package is now working with Flutter 3.29
polycule.enable = true;
})
];
}
@ -66,53 +88,6 @@ in {
nixpkgs.config = {
allowUnfree = true;
};
home.packages = (
(with pkgs; [
proxmark3
])
++ (
lib.lists.optionals hardware.directAccess.enable (with pkgs; [
#foss platforms
ungoogled-chromium
libreoffice
inkscape
gimp
freecad
# cura
# kicad-small
onionshare
# rhythmbox
# wireshark
# rpi-imager
# fritzing
mfoc
tor-browser
pdfarranger
picard
gdx-liftoff
# proprietary platforms
(lib.mkIf hardware.graphicsAcceleration.enable davinci-resolve)
# development tools
# androidStudioPackages.canary
qFlipper
# system tools
openvpn
noisetorch
# hardware management tools
(lib.mkIf hardware.openRGB.enable openrgb)
(lib.mkIf hardware.viaKeyboard.enable via)
(lib.mkIf osConfig.host.ai.enable claude-code)
])
)
);
})
];
}
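Review bot: Moving from `home.packages` to `programs.<name>.enable` changed the gating of `mfoc`: in the removed list it lived inside the `lib.lists.optionals hardware.directAccess.enable` block, but `mfoc.enable = true;` now sits in the first `mkIf` block alongside `proxmark3` (which was ungated before as well), so it is installed on hosts without direct access too. If that is not deliberate, move `mfoc.enable = true;` into the `(lib.mkIf (hardware.directAccess.enable && config.user.isDesktopUser)` block next to `onionshare`/`tor-browser`. Everything else in the new blocks maps one-to-one onto the removed list, including the `hardware.*` and `osConfig.host.ai.enable` conditions, which is easy to verify by reading the two side by side. The `programs = lib.mkMerge [ ... ]` expression that these blocks belong to starts before the hunk.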


@ -71,13 +71,47 @@ in {
claudeDev = lib.mkIf ai-tooling-enabled {
enable = true;
mcp = {
nixos.enable = true;
eslint.enable = true;
nixos = {
enable = true;
autoApprove = {
nixos_search = true;
nixos_info = true;
home_manager_search = true;
home_manager_info = true;
darwin_search = true;
darwin_info = true;
nixos_flakes_search = true;
};
};
eslint = {
enable = true;
autoApprove = {
lint-files = true;
};
};
vitest = {
enable = true;
autoApprove = {
list_tests = true;
run_tests = true;
analyze_coverage = true;
set_project_root = true;
};
};
sleep = {
enable = true;
timeout = 18000; # 5 hours to match claude codes timeout
autoApprove = {
sleep = true;
};
};
};
};
# misc extensions
evenBetterToml.enable = true;
direnv.enable = config.programs.direnv.enable;
conventionalCommits.enable = true;
};
extensions = let
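Review bot: `autoApprove` now lets the Cline agent call `run_tests`, `lint-files` and `set_project_root` with no human confirmation; running a project's vitest suite executes whatever code the checked-out repository's test files and config contain, so on an untrusted or prompt-injected clone this gives the agent code execution with no approval step, and `set_project_root` lets it pick which tree that happens in. Restrict auto-approval to read-only tools (the `nixos` search/info calls, `list_tests`, and `analyze_coverage` only if it just reads existing reports) and drop `run_tests = true;`, `set_project_root = true;` and `lint-files = true;` unless ESLint is known not to load plugins from the repository. The `sleep` tool with `timeout = 18000` means an auto-approved call can hold a session for five hours; the comment says this matches claude code, but a lower ceiling would limit how long a runaway loop can stall. The `extraExtensions` attrset that `claudeDev` belongs to starts before the hunk.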


@ -132,23 +132,24 @@
};
};
# "20-wg0" = {
# netdevConfig = {
# Kind = "wireguard";
# Name = "wg0";
# };
# wireguardConfig = {
# PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path;
# ListenPort = 51820;
# };
# wireguardPeers = [
# {
# PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0=";
# Endpoint = "185.230.126.146:51820";
# AllowedIPs = ["0.0.0.0/0"];
# }
# ];
# };
"20-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path;
ListenPort = 51820;
};
wireguardPeers = [
{
PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0=";
Endpoint = "185.230.126.146:51820";
# Allow all traffic but use policy routing to prevent system-wide VPN
AllowedIPs = ["0.0.0.0/0"];
}
];
};
};
networks = {
"40-bond0" = {
@ -163,36 +164,67 @@
"192.168.1.10/32"
];
gateway = ["192.168.1.1"];
# Set lower priority for default gateway to allow WireGuard interface binding
routes = [
{
Destination = "0.0.0.0/0";
Gateway = "192.168.1.1";
Metric = 100;
}
];
dns = ["192.168.1.1"];
};
# For some reason this isn't working. It looks like traffic goes out and comes back but doesn't get correctly routed back to the wg interface on the return trip
# debugging steps:
# try sending data on the interface `ping -I wg0 8.8.8.8`
# view all traffic on the interface `sudo tshark -i wg0`
# see what applications are listening to port 14666 (thats what we currently have qbittorent set up to use) `ss -tuln | grep 14666`
# "50-wg0" = {
# matchConfig.Name = "wg0";
# networkConfig = {
# DHCP = "no";
# };
# address = [
# "10.2.0.2/32"
# ];
# # routes = [
# # {
# # Destination = "10.2.0.2/32";
# # Gateway = "10.2.0.1";
# # }
# # ];
# };
"50-wg0" = {
matchConfig.Name = "wg0";
networkConfig = {
DHCP = "no";
};
address = [
"10.2.0.2/32"
];
# Configure routing for application binding
routingPolicyRules = [
{
# Route traffic from VPN interface through VPN table
From = "10.2.0.2/32";
Table = 200;
Priority = 100;
}
];
routes = [
{
# Direct route to VPN gateway
Destination = "10.2.0.1/32";
Scope = "link";
}
{
# Route VPN subnet through VPN gateway in custom table
Destination = "10.2.0.0/16";
Gateway = "10.2.0.1";
Table = 200;
}
{
# Route all traffic through VPN gateway in custom table
Destination = "0.0.0.0/0";
Gateway = "10.2.0.1";
Table = 200;
}
];
};
};
};
# limit arc usage to 50gb because ollama doesn't play nice with zfs using up all of the memory
boot.kernelParams = ["zfs.zfs_arc_max=53687091200"];
# Enable policy routing and source routing for application-specific VPN binding
boot.kernel.sysctl = {
"net.ipv4.conf.all.rp_filter" = 2;
"net.ipv4.conf.default.rp_filter" = 2;
"net.ipv4.conf.wg0.rp_filter" = 2;
};
services = {
# temp enable desktop environment for setup
# Enable the X11 windowing system.
@ -306,12 +338,35 @@
passwordFile = config.sops.secrets."services/paperless_password".path;
};
panoramax = {
enable = false;
openFirewall = true;
};
qbittorrent = {
enable = true;
mediaDir = "/srv/qbittorent";
openFirewall = true;
webuiPort = 8084;
};
filebot-cleanup = {
enable = true;
licenseFile = "/srv/jellyfin/filebot_license.psm";
};
sonarr = {
enable = false;
openFirewall = true;
};
radarr = {
enable = false;
openFirewall = true;
};
bazarr = {
enable = false;
openFirewall = true;
};
};
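Review bot: `qbittorrent.openFirewall = true;` with `webuiPort = 8084;` exposes the WebUI on every interface that can reach the host, and nothing in this hunk configures WebUI authentication or a bind address, so whether the UI is protected depends entirely on what the qbittorrent module and the on-disk config do; if the UI is only needed on the LAN, `openFirewall = false;` plus a reverse proxy or an interface-scoped `networking.firewall.interfaces.bond0.allowedTCPPorts = [ 8084 ];` is the safer default. `mediaDir = "/srv/qbittorent"` is spelled differently from the service name (the debugging comment at the top of the file uses the same spelling, so it may be intentional, but it is worth confirming it is not a typo that will create a second directory). The `rp_filter = 2` sysctls relax source-address validation on `all`/`default`, i.e. on bond0 as well as wg0; since the kernel applies the maximum of `conf.all` and the per-interface value, leaving `all`/`default` at 1 and setting only `net.ipv4.conf.wg0.rp_filter = 2` would keep strict checking on the LAN interface while still permitting the policy-routed return path. The `sonarr`/`radarr`/`bazarr` entries with `enable = false; openFirewall = true;` are inert now but will open ports the moment they are flipped on, so keep that in mind when enabling them.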
# disable computer sleeping


@ -3,5 +3,7 @@
imports = [
./hardware-configuration.nix
./configuration.nix
./packages.nix
./filebot.nix
];
}


@ -0,0 +1,82 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.filebot-cleanup;
in {
options.services.filebot-cleanup = {
enable = mkEnableOption "Filebot cleanup service";
licenseFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to the Filebot license file";
};
cleanupDirectory = mkOption {
type = types.str;
default = "/srv/jellyfin/filebot_cleanup";
description = "Directory where cleaned up media files are stored";
};
};
config = mkIf cfg.enable {
users.groups.filebot_cleanup = {};
users.users.filebot_cleanup = {
isSystemUser = true;
group = "filebot_cleanup";
extraGroups = ["jellyfin_media"];
home = cfg.cleanupDirectory;
createHome = true;
};
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"filebot"
];
environment.systemPackages = with pkgs; [
filebot
];
systemd.services.filebot-cleanup = {
description = "Filebot media cleanup service";
serviceConfig = {
Type = "simple";
User = "filebot_cleanup";
Group = "filebot_cleanup";
ExecStart = pkgs.writeShellScript "filebot-cleanup" ''
${optionalString (cfg.licenseFile != null) ''
${pkgs.filebot}/bin/filebot --license "${cfg.licenseFile}"
''}
${pkgs.filebot}/bin/filebot -rename -r "/srv/jellyfin/media/Movies/" --output "${cfg.cleanupDirectory}/" --format "{jellyfin}" -non-strict --action duplicate
${pkgs.filebot}/bin/filebot -rename -r "/srv/jellyfin/media/Shows/" --output "${cfg.cleanupDirectory}/" --format "{jellyfin}" -non-strict --action duplicate
'';
StandardOutput = "journal";
StandardError = "journal";
};
wantedBy = ["multi-user.target"];
};
environment.persistence = lib.mkIf config.host.impermanence.enable {
"/persist/system/jellyfin" = {
enable = true;
hideMounts = true;
files = [
cfg.licenseFile
];
directories = [
{
directory = cfg.cleanupDirectory;
user = "filebot_cleanup";
group = "filebot_cleanup";
mode = "1770";
}
];
};
};
};
}
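Review bot: `files = [ cfg.licenseFile ];` in the impermanence block is evaluated whenever `host.impermanence.enable` is set, and `licenseFile` defaults to `null`, so a host with impermanence but no license gets a `[ null ]` entry that the persistence module cannot handle; use `files = lib.optional (cfg.licenseFile != null) cfg.licenseFile;`. The unit is a batch job but is declared `Type = "simple"` and pulled in by `multi-user.target` with no timer, so it runs once per boot and reports success as soon as the shell starts; `Type = "oneshot"` (plus a `systemd.timers.filebot-cleanup` entry if it should recur) describes it accurately. It also runs with no sandboxing even though it only needs the media tree and `cleanupDirectory`; a minimal set of directives is below. `environment.systemPackages = [ filebot ]` is redundant since the script references `${pkgs.filebot}` directly, and `cleanupDirectory` is typed `types.str` while being used as a path.
```nix
systemd.services.filebot-cleanup = {
  description = "Filebot media cleanup service";
  serviceConfig = {
    Type = "oneshot";
    User = "filebot_cleanup";
    Group = "filebot_cleanup";
    # … unchanged: ExecStart script, StandardOutput/StandardError …
    ProtectSystem = "strict";
    ProtectHome = true;
    PrivateTmp = true;
    NoNewPrivileges = true;
    ReadWritePaths = [ cfg.cleanupDirectory ];
    ReadOnlyPaths = [ "/srv/jellyfin/media" ] ++ lib.optional (cfg.licenseFile != null) cfg.licenseFile;
  };
  wantedBy = [ "multi-user.target" ];
};
```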


@ -0,0 +1,9 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
ffsubsync
sox
yt-dlp
ffmpeg
imagemagick
];
}


@ -32,6 +32,7 @@
isPrincipleUser = true;
};
eve.isDesktopUser = true;
ivy.isDesktopUser = true;
};
hardware = {