diff --git a/.envrc b/.envrc deleted file mode 100644 index 8392d15..0000000 --- a/.envrc +++ /dev/null @@ -1 +0,0 @@ -use flake \ No newline at end of file diff --git a/.gitignore b/.gitignore index ce2538f..e2f5dd2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1 @@ -result -.direnv -.vscode/* -!.vscode/settings.json \ No newline at end of file +result \ No newline at end of file diff --git a/.gitmodules b/.gitmodules deleted file mode 100644 index dcfaddd..0000000 --- a/.gitmodules +++ /dev/null @@ -1,3 +0,0 @@ -[submodule "secrets"] - path = secrets - url = git@git.jan-leila.com:jan-leila/nix-config-secrets.git diff --git a/.hooks/post-commit b/.hooks/post-commit index 56c439d..7803850 100755 --- a/.hooks/post-commit +++ b/.hooks/post-commit @@ -1,6 +1,3 @@ -#!/usr/bin/env nix-shell -#! nix-shell -i bash ../shell.nix - -echo "restoring stashed changes" +#!/usr/bin/env bash git stash pop -q diff --git a/.hooks/pre-commit b/.hooks/pre-commit index f98c64f..5721472 100755 --- a/.hooks/pre-commit +++ b/.hooks/pre-commit @@ -1,22 +1,11 @@ -#!/usr/bin/env nix-shell -#! nix-shell -i bash ../shell.nix +#!/usr/bin/env bash -echo "stashing all uncommitted changes" git stash -q --keep-index -echo "checking flakes all compile" -nix flake check - -if [ ! $? -eq 0 ]; then - exit 1 -fi - -echo "running linter" -alejandra -q . +./lint.sh RESULT=$? -echo "adding lint changes to commit" git add -u exit $RESULT \ No newline at end of file diff --git a/.sops.yaml b/.sops.yaml index a6e6f4f..e9ddb56 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -9,11 +9,3 @@ creation_rules: key_groups: - age: - *leyla - - path_regex: secrets/vpn-keys.yaml$ - key_groups: - - age: - - *leyla - - path_regex: secrets/application-keys.yaml$ - key_groups: - - age: - - *leyla \ No newline at end of file diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index 8d6717e..0000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "cSpell.words": [ - "attrsets", - "bitwarden", - "forgejo", - "gids", - "headscale", - "hesperium", - "jellyfin", - "macvlan", - "nextcloud", - "nixos", - "nixpkgs", - "pihole", - "pkgs", - "rpool", - "searx", - "ublock", - "uids" - ] -} \ No newline at end of file diff --git a/README.md b/README.md index bc31eca..60e9169 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,3 @@ -# nix-config - -https://git.jan-leila.com/jan-leila/nix-config - -nix multi user, multi system, configuration with `sops` secret management, `home-manager`, and `nixos-anywhere` setup via `disko` with `zfs` + `impermanence` - # Hosts ## Host Map @@ -11,17 +5,14 @@ nix multi user, multi system, configuration with `sops` secret management, `home | :---------: | :------------------------: | :--------------: | :-------: | | `twilight` | Desktop Computer | Leyla | Desktop | | `horizon` | 13 inch Framework Laptop | Leyla | Laptop | -| `defiant` | NAS Server | Leyla | Server | -| `hesperium` | Mac | ????? | ??? | -| `emergent` | Desktop Computer | Eve | Desktop | -| `threshold` | Laptop | Eve | Laptop | -| `wolfram` | Steam Deck | House | Handheld | -| `ceder` | A5 Tablet (not using nix) | Leyla | Tablet | -| `skate` | A6 Tablet (not using nix) | Leyla | Tablet | -| `shale` | A6 Tablet (not using nix) | Eve | Tablet | -| `coven` | Pixel 8 (not using nix) | Leyla | Android | +| `defiant` | NAS Server | Leyla | Service | +| `emergent` | Desktop Computer | Eve | Laptop | +| `threshold` | Laptop | Eve | Desktop | # Tooling +## Lint +`./lint.sh` + ## Rebuilding `./rebuild.sh` @@ -31,40 +22,45 @@ nix multi user, multi system, configuration with `sops` secret management, `home ## New host setup `./install.sh --target 192.168.1.130 --flake hostname` -## Updating Secrets -`sops secrets/secrets_file_here.yaml` - -## Inspecting a configuration -`nix-inspect -p .` - # Notes: ## Research topics -- Look into this for auto rotating sops keys `https://technotim.live/posts/rotate-sops-encryption-keys/` +- Look into this for rotating sops keys `https://technotim.live/posts/rotate-sops-encryption-keys/` +- Look into this for openssh known configurations https://search.nixos.org/options?channel=unstable&from=0&size=15&sort=alpha_asc&type=packages&query=services.openssh - Look into this for flake templates https://nix.dev/manual/nix/2.22/command-ref/new-cli/nix3-flake-init -- https://nixos-and-flakes.thiscute.world/ +- Look into this for headscale https://carlosvaz.com/posts/setting-up-headscale-on-nixos/ +- Look into this for home assistant configuration https://nixos.wiki/wiki/Home_Assistant https://myme.no/posts/2021-11-25-nixos-home-assistant.html + +## Configuration +set up git configuration for local development: `git config --local include.path .gitconfig` + +to update passwords run: `nix shell nixpkgs#sops -c sops secrets/user-passwords.yaml` (NOTE: this depends on the SOPS_AGE_KEY_DIRECTORY environment variable being set) # Tasks: ## Tech Debt -- monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/) -- syncthing folder passwords -- nfs export should be backed by the same values for server and client +- vscode extensions should be in own flake (make sure to add the nixpkgs.overlays in it too) +- join config for systemd.tmpfiles.rules and service directory bindings +- monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` +- move applications in server environment into their own flakes +- pihole config files ## New Features - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs) +- fix pre commit hook +- Flake templates +- home assistant virtual machine +- searxng docker +- nextcloud ??? - samba mounts +- firefox declarative??? - figure out steam vr things? - Open GL? +- util functions +- openssh known hosts - rotate sops encryption keys periodically (and somehow sync between devices?) -- zfs email after scrubbing # TODO: test this -- wake on LAN for updates -- ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix -- zfs encryption FIDO2 2fa (look into shavee) -- Secure Boot - https://github.com/nix-community/lanzaboote -- SMART test with email results -- Create Tor guard/relay server -- remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html -- migrate away from flakes and move to npins -- fix nfs -- fix home assistant -- create adguard server \ No newline at end of file +- zfs email after scrubbing +- headscale server (just needs to be tested) +- mastodon server +- tail scale clients +- wake on LAN +- ISO target that contains authorized keys for nixos-anywhere \ No newline at end of file diff --git a/build-installer.sh b/build-installer.sh deleted file mode 100644 index e124091..0000000 --- a/build-installer.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/usr/bin/env bash - -while [ $# -gt 0 ]; do - case "$1" in - --flake*|-f*) - if [[ "$1" != *=* ]]; then shift; fi - flake="${1#*=}" - ;; - # --user*|-u*) - # if [[ "$1" != *=* ]]; then shift; fi - # user="${1#*=}" - # ;; - --help|-h) - echo "--help -h: print this message" - echo "--flake -f: set the flake to build an installer for" - # echo "--user -u: set the user to install flake as on the target system" - exit 0 - ;; - *) - echo "Error: Invalid argument $1" - exit 1 - ;; - esac - shift -done - -flake=${flake:-"basic"} -user=${user:-$USER} - -nix build .#installerConfigurations.$flake.config.system.build.isoImage \ No newline at end of file diff --git a/configurations/darwin/hesperium/configuration.nix b/configurations/darwin/hesperium/configuration.nix deleted file mode 100644 index f8af5c8..0000000 --- a/configurations/darwin/hesperium/configuration.nix +++ /dev/null @@ -1,16 +0,0 @@ -{...}: { - host = { - users = { - leyla = { - isDesktopUser = true; - isTerminalUser = true; - isPrincipleUser = true; - }; - eve.isNormalUser = false; - }; - }; - - system.stateVersion = 5; - - nixpkgs.hostPlatform = "aarch64-darwin"; -} diff --git a/configurations/darwin/hesperium/default.nix b/configurations/darwin/hesperium/default.nix deleted file mode 100644 index 220a6fb..0000000 --- a/configurations/darwin/hesperium/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{...}: { - imports = [ - ./configuration.nix - ]; -} diff --git a/configurations/home-manager/default.nix b/configurations/home-manager/default.nix deleted file mode 100644 index a7fa478..0000000 --- a/configurations/home-manager/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ - lib, - config, - osConfig, - ... -}: let - users = config.host.users; -in { - leyla = lib.mkIf users.leyla.isNormalUser (import ./leyla); - eve = lib.mkIf users.eve.isNormalUser (import ./eve); - git = lib.mkIf (osConfig.services.forgejo.enable or false) (import ./git); -} diff --git a/configurations/home-manager/eve/default.nix b/configurations/home-manager/eve/default.nix deleted file mode 100644 index 192c980..0000000 --- a/configurations/home-manager/eve/default.nix +++ /dev/null @@ -1,56 +0,0 @@ -{osConfig, ...}: let - userConfig = osConfig.host.users.eve; -in { - imports = [ - ./packages.nix - ./gnomeconf.nix - ]; - - home = { - username = userConfig.name; - homeDirectory = osConfig.users.users.eve.home; - - # This value determines the Home Manager release that your configuration is - # compatible with. This helps avoid breakage when a new Home Manager release - # introduces backwards incompatible changes. - # - # You should not change this value, even if you update Home Manager. If you do - # want to update the value, then make sure to first check the Home Manager - # release notes. - stateVersion = "23.11"; # Please read the comment before changing. - - # Home Manager is pretty good at managing dotfiles. The primary way to manage - # plain files is through 'home.file'. - file = { - # # Building this configuration will create a copy of 'dotfiles/screenrc' in - # # the Nix store. Activating the configuration will then make '~/.screenrc' a - # # symlink to the Nix store copy. - # ".screenrc".source = dotfiles/screenrc; - - # # You can also set the file content immediately. - # ".gradle/gradle.properties".text = '' - # org.gradle.console=verbose - # org.gradle.daemon.idletimeout=3600000 - # ''; - }; - - # Home Manager can also manage your environment variables through - # 'home.sessionVariables'. If you don't want to manage your shell through Home - # Manager then you have to manually source 'hm-session-vars.sh' located at - # either - # - # ~/.nix-profile/etc/profile.d/hm-session-vars.sh - # - # or - # - # ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh - # - # or - # - # /etc/profiles/per-user/leyla/etc/profile.d/hm-session-vars.sh - # - sessionVariables = { - # EDITOR = "emacs"; - }; - }; -} diff --git a/configurations/home-manager/eve/gnomeconf.nix b/configurations/home-manager/eve/gnomeconf.nix deleted file mode 100644 index fbad391..0000000 --- a/configurations/home-manager/eve/gnomeconf.nix +++ /dev/null @@ -1,12 +0,0 @@ -{pkgs, ...}: { - config = { - dconf = { - enable = true; - settings = { - "org/gnome/shell".enabled-extensions = [ - pkgs.gnomeExtensions.dash-to-panel.extensionUuid - ]; - }; - }; - }; -} diff --git a/configurations/home-manager/eve/packages.nix b/configurations/home-manager/eve/packages.nix deleted file mode 100644 index 295597a..0000000 --- a/configurations/home-manager/eve/packages.nix +++ /dev/null @@ -1,67 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: let - userConfig = osConfig.host.users.eve; - hardware = osConfig.host.hardware; -in { - config = { - nixpkgs.config = { - allowUnfree = true; - }; - - # Packages that can be installed without any extra configuration - # See https://search.nixos.org/packages for all options - home.packages = lib.lists.optionals userConfig.isDesktopUser ( - with pkgs; [ - ungoogled-chromium - krita - gnomeExtensions.dash-to-panel - (lib.mkIf hardware.piperMouse.enable piper) - ] - ); - - # Packages that need to be installed with some extra configuration - # See https://home-manager-options.extranix.com/ for all options - programs = lib.mkMerge [ - { - # Let Home Manager install and manage itself. - home-manager.enable = true; - } - (lib.mkIf (config.user.isDesktopUser || config.user.isTerminalUser) { - git = { - enable = true; - userName = "Eve"; - userEmail = "evesnrobins@gmail.com"; - extraConfig.init.defaultBranch = "main"; - }; - - openssh = { - enable = true; - hostKeys = [ - { - type = "ed25519"; - path = "${config.home.username}_${osConfig.networking.hostName}_ed25519"; - } - ]; - }; - }) - (lib.mkIf config.user.isDesktopUser { - vscode = { - enable = true; - package = pkgs.vscodium; - }; - - firefox.enable = true; - bitwarden.enable = true; - discord.enable = true; - makemkv.enable = true; - signal-desktop-bin.enable = true; - steam.enable = true; - }) - ]; - }; -} diff --git a/configurations/home-manager/git/default.nix b/configurations/home-manager/git/default.nix deleted file mode 100644 index 2276e7a..0000000 --- a/configurations/home-manager/git/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -{osConfig, ...}: { - home = { - username = osConfig.users.users.git.name; - homeDirectory = osConfig.users.users.git.home; - - # This value determines the Home Manager release that your configuration is - # compatible with. This helps avoid breakage when a new Home Manager release - # introduces backwards incompatible changes. - # - # You should not change this value, even if you update Home Manager. If you do - # want to update the value, then make sure to first check the Home Manager - # release notes. - stateVersion = "23.11"; # Please read the comment before changing. - }; - - programs.ssh.extraConfig = '' - AuthorizedKeysFile - /var/lib/forgejo/.ssh/authorized_keys - ''; -} diff --git a/configurations/home-manager/leyla/dconf.nix b/configurations/home-manager/leyla/dconf.nix deleted file mode 100644 index ef75db6..0000000 --- a/configurations/home-manager/leyla/dconf.nix +++ /dev/null @@ -1,89 +0,0 @@ -{pkgs, ...}: { - config = { - gnome = { - extraWindowControls = true; - colorScheme = "prefer-dark"; - clockFormat = "24h"; - extensions = [ - pkgs.gnomeExtensions.dash-to-dock - ]; - hotkeys = { - "Open Terminal" = { - binding = "t"; - command = "kgx"; - }; - }; - }; - - dconf = { - enable = true; - settings = { - "org/gnome/shell/extensions/dash-to-dock" = { - "dock-position" = "LEFT"; - "intellihide-mode" = "ALL_WINDOWS"; - "show-trash" = false; - "require-pressure-to-show" = false; - "show-mounts" = false; - }; - - "org/gnome/shell" = { - favorite-apps = ["org.gnome.Nautilus.desktop" "firefox.desktop" "codium.desktop" "steam.desktop" "org.gnome.Console.desktop"]; - # app-picker-layout = - # builtins.map ( - # applications: - # lib.hm.gvariant (builtins.listToAttrs (lib.lists.imap0 (i: v: lib.attrsets.nameValuePair v (lib.hm.gvariant.mkVariant "{'position': <${i}>}")) applications)) - # ) [ - # [ - # "org.gnome.Nautilus.desktop" - # "bitwarden.desktop" - # "firefox.desktop" - # "torbrowser.desktop" - # "chromium-browser.desktop" - # "codium.desktop" - # "idea-community.desktop" - # "org.gnome.TextEditor.desktop" - # "dbeaver.desktop" - # "bruno.desktop" - # "anki.desktop" - # "obsidian.desktop" - # "signal-desktop.desktop" - # "discord.desktop" - # "gimp.desktop" - # "org.inkscape.Inkscape.desktop" - # "org.kde.krita.desktop" - # "davinci-resolve.desktop" - # "com.obsproject.Studio.desktop" - # "org.freecad.FreeCAD.desktop" - # "makemkv.desktop" - # "easytag.desktop" - # "transmission-gtk.desktop" - # ] - # [ - # "SteamVR.desktop" - # "Beat Saber.desktop" - # "Noun Town.desktop" - # "WEBFISHING.desktop" - # "Factorio.desktop" - # ] - # [ - # "org.gnome.Settings.desktop" - # "org.gnome.SystemMonitor.desktop" - # "org.gnome.Snapshot.desktop" - # "org.gnome.Usage.desktop" - # "org.gnome.DiskUtility.desktop" - # "org.gnome.Evince.desktop" - # "org.gnome.fonts.desktop" - # "noisetorch.desktop" - # "nvidia-settings.desktop" - # "OpnRGB.desktop" - # "org.freedesktop.Piper.desktop" - # "via-nativia.desktop" - # "protonvpn-app.desktop" - # "simple-scan.desktop" - # ] - # ]; - }; - }; - }; - }; -} diff --git a/configurations/home-manager/leyla/default.nix b/configurations/home-manager/leyla/default.nix deleted file mode 100644 index 49abfe1..0000000 --- a/configurations/home-manager/leyla/default.nix +++ /dev/null @@ -1,112 +0,0 @@ -{ - config, - osConfig, - ... -}: { - imports = [ - ./packages - ./i18n.nix - ./impermanence.nix - ./dconf.nix - ]; - - config = { - # Home Manager needs a bit of information about you and the paths it should - # manage. - home = { - username = osConfig.host.users.leyla.name; - homeDirectory = osConfig.users.users.leyla.home; - - # This value determines the Home Manager release that your configuration is - # compatible with. This helps avoid breakage when a new Home Manager release - # introduces backwards incompatible changes. - # - # You should not change this value, even if you update Home Manager. If you do - # want to update the value, then make sure to first check the Home Manager - # release notes. - stateVersion = "23.11"; # Please read the comment before changing. - - # Home Manager is pretty good at managing dotfiles. The primary way to manage - # plain files is through 'home.file'. - file = { - # # Building this configuration will create a copy of 'dotfiles/screenrc' in - # # the Nix store. Activating the configuration will then make '~/.screenrc' a - # # symlink to the Nix store copy. - # ".screenrc".source = dotfiles/screenrc; - - # # You can also set the file content immediately. - # ".gradle/gradle.properties".text = '' - # org.gradle.console=verbose - # org.gradle.daemon.idletimeout=3600000 - # ''; - "${config.xdg.configHome}/user-dirs.dirs" = { - force = true; - text = '' - # This file is written by xdg-user-dirs-update - # If you want to change or add directories, just edit the line you're - # interested in. All local changes will be retained on the next run. - # Format is XDG_xxx_DIR="$HOME/yyy", where yyy is a shell-escaped - # homedir-relative path, or XDG_xxx_DIR="/yyy", where /yyy is an - # absolute path. No other format is supported. - # - XDG_DESKTOP_DIR="$HOME/desktop" - XDG_DOWNLOAD_DIR="$HOME/downloads" - XDG_DOCUMENTS_DIR="$HOME/documents" - XDG_TEMPLATES_DIR="$HOME/documents/templates" - XDG_MUSIC_DIR="$HOME/documents/music" - XDG_PICTURES_DIR="$HOME/documents/photos" - XDG_VIDEOS_DIR="$HOME/documents/videos" - XDG_PUBLICSHARE_DIR="$HOME/documents/public" - ''; - }; - }; - - keyboard.layout = "us,it,de"; - - # Home Manager can also manage your environment variables through - # 'home.sessionVariables'. If you don't want to manage your shell through Home - # Manager then you have to manually source 'hm-session-vars.sh' located at - # either - # - # ~/.nix-profile/etc/profile.d/hm-session-vars.sh - # - # or - # - # ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh - # - # or - # - # /etc/profiles/per-user/leyla/etc/profile.d/hm-session-vars.sh - # - sessionVariables = { - # EDITOR = "emacs"; - }; - }; - - user = { - continue = { - enable = true; - docs = { - "Continue Docs" = { - startUrl = "https://docs.continue.dev"; - }; - "Nixpkgs" = { - startUrl = "https://ryantm.github.io/nixpkgs/#preface"; - }; - "Nix Manual" = { - startUrl = "https://nixos.org/manual/nixos/stable/"; - }; - "Home manager Manual" = { - startUrl = "https://nix-community.github.io/home-manager/"; - }; - "Nix Docs" = { - startUrl = "https://nix.dev/index.html"; - }; - "Linux Man Page" = { - startUrl = "https://linux.die.net/man/"; - }; - }; - }; - }; - }; -} diff --git a/configurations/home-manager/leyla/i18n.nix b/configurations/home-manager/leyla/i18n.nix deleted file mode 100644 index f12cd95..0000000 --- a/configurations/home-manager/leyla/i18n.nix +++ /dev/null @@ -1,12 +0,0 @@ -{...}: { - i18n = { - defaultLocale = "en_IE.UTF-8"; - - extraLocaleSettings = { - # LC_ADDRESS = "en_IE.UTF-8"; # lets just get used to this one now - # LC_TELEPHONE = "en_IE.UTF-8"; # lets just get used to this one now - LC_MONETARY = "en_US.UTF-8"; # to be changed once I move - LC_PAPER = "en_US.UTF-8"; # convenient for american printers until I move - }; - }; -} diff --git a/configurations/home-manager/leyla/impermanence.nix b/configurations/home-manager/leyla/impermanence.nix deleted file mode 100644 index 041bff8..0000000 --- a/configurations/home-manager/leyla/impermanence.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ - lib, - config, - osConfig, - ... -}: { - config = lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist/home/leyla" = { - directories = [ - "desktop" - "downloads" - "documents" - ]; - files = [ - ".bash_history" # keep shell history around - "${config.xdg.dataHome}/recently-used.xbel" # gnome recently viewed files - ]; - allowOther = true; - }; - }; -} diff --git a/configurations/home-manager/leyla/packages/default.nix b/configurations/home-manager/leyla/packages/default.nix deleted file mode 100644 index 63f9661..0000000 --- a/configurations/home-manager/leyla/packages/default.nix +++ /dev/null @@ -1,118 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: let - hardware = osConfig.host.hardware; -in { - imports = [ - ./vscode - ./firefox.nix - ./direnv.nix - ./openssh.nix - ./git.nix - ./makemkv.nix - ]; - - config = lib.mkMerge [ - { - programs = lib.mkMerge [ - { - # Let Home Manager install and manage itself. - home-manager.enable = true; - } - (lib.mkIf (config.user.isTerminalUser || config.user.isDesktopUser) { - bash.enable = true; - git.enable = true; - openssh.enable = true; - }) - (lib.mkIf config.user.isDesktopUser { - bitwarden.enable = true; - obs-studio.enable = hardware.graphicsAcceleration.enable; - qbittorrent.enable = true; - prostudiomasters.enable = true; - protonvpn-gui.enable = true; - dbeaver-bin.enable = true; - bruno.enable = true; - }) - (lib.mkIf (hardware.directAccess.enable && config.user.isDesktopUser) { - anki.enable = true; - makemkv.enable = true; - discord.enable = true; - signal-desktop-bin.enable = true; - calibre.enable = true; - obsidian.enable = true; - jetbrains.idea-community.enable = true; - vscode.enable = true; - firefox.enable = true; - steam.enable = true; - }) - ]; - } - (lib.mkIf config.user.isTerminalUser { - home.packages = with pkgs; [ - # command line tools - sox - yt-dlp - ffmpeg - imagemagick - ]; - }) - (lib.mkIf config.user.isDesktopUser { - nixpkgs.config = { - allowUnfree = true; - }; - - home.packages = ( - (with pkgs; [ - aileron - - proxmark3 - ]) - ++ ( - lib.lists.optionals hardware.directAccess.enable (with pkgs; [ - #foss platforms - ungoogled-chromium - libreoffice - inkscape - gimp - krita - freecad - # cura - # kicad-small - onionshare - # rhythmbox - - # wireshark - # rpi-imager - # fritzing - mfoc - tor-browser - pdfarranger - picard - - gdx-liftoff - - # proprietary platforms - (lib.mkIf hardware.graphicsAcceleration.enable davinci-resolve) - - # development tools - # androidStudioPackages.canary - qFlipper - - # system tools - openvpn - noisetorch - - # hardware management tools - (lib.mkIf hardware.piperMouse.enable piper) - (lib.mkIf hardware.openRGB.enable openrgb) - (lib.mkIf hardware.viaKeyboard.enable via) - ]) - ) - ); - }) - ]; -} diff --git a/configurations/home-manager/leyla/packages/direnv.nix b/configurations/home-manager/leyla/packages/direnv.nix deleted file mode 100644 index 038c149..0000000 --- a/configurations/home-manager/leyla/packages/direnv.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ - lib, - config, - osConfig, - ... -}: let - userConfig = osConfig.host.users.leyla; -in { - config = lib.mkIf userConfig.isDesktopUser { - programs = { - direnv = { - enable = true; - enableBashIntegration = true; - nix-direnv.enable = true; - config = { - global.hide_env_diff = true; - whitelist.exact = ["${config.home.homeDirectory}/documents/code/nix-config"]; - }; - }; - }; - }; -} diff --git a/configurations/home-manager/leyla/packages/firefox.nix b/configurations/home-manager/leyla/packages/firefox.nix deleted file mode 100644 index 1613cb3..0000000 --- a/configurations/home-manager/leyla/packages/firefox.nix +++ /dev/null @@ -1,343 +0,0 @@ -{ - lib, - pkgs, - inputs, - ... -}: { - config = { - programs.firefox = { - profiles.leyla = { - settings = { - "browser.search.defaultenginename" = "Searx"; - "browser.search.order.1" = "Searx"; - }; - - search = { - force = true; - default = "Searx"; - engines = { - "Nix Packages" = { - urls = [ - { - template = "https://search.nixos.org/packages"; - params = [ - { - name = "type"; - value = "packages"; - } - { - name = "query"; - value = "{searchTerms}"; - } - ]; - } - ]; - icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; - definedAliases = ["@np"]; - }; - "NixOS Wiki" = { - urls = [{template = "https://nixos.wiki/index.php?search={searchTerms}";}]; - icon = "https://nixos.wiki/favicon.png"; - updateInterval = 24 * 60 * 60 * 1000; # every day - definedAliases = ["@nw"]; - }; - "Searx" = { - urls = [{template = "https://search.jan-leila.com/?q={searchTerms}";}]; - icon = "https://nixos.wiki/favicon.png"; - updateInterval = 24 * 60 * 60 * 1000; # every day - definedAliases = ["@searx"]; - }; - }; - }; - - extensions.packages = with inputs.firefox-addons.packages.${pkgs.system}; [ - bitwarden - terms-of-service-didnt-read - multi-account-containers - shinigami-eyes - - ublock-origin - sponsorblock - dearrow - df-youtube - return-youtube-dislikes - - privacy-badger - decentraleyes - clearurls - localcdn - - snowflake - - deutsch-de-language-pack - dictionary-german - - # ( - # buildFirefoxXpiAddon rec { - # pname = "italiano-it-language-pack"; - # version = "132.0.20241110.231641"; - # addonId = "langpack-it@firefox.mozilla.org"; - # url = "https://addons.mozilla.org/firefox/downloads/file/4392453/italiano_it_language_pack-${version}.xpi"; - # sha256 = ""; - # meta = with lib; - # { - # description = "Firefox Language Pack for Italiano (it) – Italian"; - # license = licenses.mpl20; - # mozPermissions = []; - # platforms = platforms.all; - # }; - # } - # ) - # ( - # buildFirefoxXpiAddon rec { - # pname = "dizionario-italiano"; - # version = "5.1"; - # addonId = "it-IT@dictionaries.addons.mozilla.org"; - # url = "https://addons.mozilla.org/firefox/downloads/file/1163874/dizionario_italiano-${version}.xpi"; - # sha256 = ""; - # meta = with lib; - # { - # description = "Add support for Italian to spellchecking"; - # license = licenses.gpl3; - # mozPermissions = []; - # platforms = platforms.all; - # }; - # } - # ) - ]; - - settings = { - # Disable irritating first-run stuff - "browser.disableResetPrompt" = true; - "browser.download.panel.shown" = true; - "browser.feeds.showFirstRunUI" = false; - "browser.messaging-system.whatsNewPanel.enabled" = false; - "browser.rights.3.shown" = true; - "browser.shell.checkDefaultBrowser" = false; - "browser.shell.defaultBrowserCheckCount" = 1; - "browser.startup.homepage_override.mstone" = "ignore"; - "browser.uitour.enabled" = false; - "startup.homepage_override_url" = ""; - "trailhead.firstrun.didSeeAboutWelcome" = true; - "browser.bookmarks.restore_default_bookmarks" = false; - "browser.bookmarks.addedImportButton" = true; - "browser.newtabpage.activity-stream.feeds.section.topstories" = false; - - # Usage Experience - "browser.startup.homepage" = "about:home"; - "browser.download.useDownloadDir" = false; - "browser.uiCustomization.state" = builtins.toJSON { - "currentVersion" = 20; - "newElementCount" = 6; - "dirtyAreaCache" = [ - "nav-bar" - "PersonalToolbar" - "toolbar-menubar" - "TabsToolbar" - "unified-extensions-area" - "vertical-tabs" - ]; - "placements" = { - "widget-overflow-fixed-list" = []; - "unified-extensions-area" = [ - "privacy_privacy_com-browser-action" - # bitwarden - "_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action" - "ublock0_raymondhill_net-browser-action" - "sponsorblocker_ajay_app-browser-action" - "dearrow_ajay_app-browser-action" - "jid1-mnnxcxisbpnsxq_jetpack-browser-action" - "_testpilot-containers-browser-action" - "addon_simplelogin-browser-action" - "_74145f27-f039-47ce-a470-a662b129930a_-browser-action" - "jid1-bofifl9vbdl2zq_jetpack-browser-action" - "dfyoutube_example_com-browser-action" - "_b86e4813-687a-43e6-ab65-0bde4ab75758_-browser-action" - "_762f9885-5a13-4abd-9c77-433dcd38b8fd_-browser-action" - "_b11bea1f-a888-4332-8d8a-cec2be7d24b9_-browse-action" - "jid0-3guet1r69sqnsrca5p8kx9ezc3u_jetpack-browser-action" - ]; - "nav-bar" = [ - "back-button" - "forward-button" - "stop-reload-button" - "urlbar-container" - "downloads-button" - "unified-extensions-button" - "reset-pbm-toolbar-button" - ]; - "toolbar-menubar" = [ - "menubar-items" - ]; - "TabsToolbar" = [ - "firefox-view-button" - "tabbrowser-tabs" - "new-tab-button" - "alltabs-button" - ]; - "vertical-tabs" = []; - "PersonalToolbar" = [ - "import-button" - "personal-bookmarks" - ]; - }; - "seen" = [ - "save-to-pocket-button" - "developer-button" - "privacy_privacy_com-browser-action" - "sponsorblocker_ajay_app-browser-action" - "ublock0_raymondhill_net-browser-action" - "addon_simplelogin-browser-action" - "dearrow_ajay_app-browser-action" - "_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action" - "_74145f27-f039-47ce-a470-a662b129930a_-browser-action" - "jid1-bofifl9vbdl2zq_jetpack-browser-action" - "dfyoutube_example_com-browser-action" - "_testpilot-containers-browser-action" - "_b86e4813-687a-43e6-ab65-0bde4ab75758_-browser-action" - "jid1-mnnxcxisbpnsxq_jetpack-browser-action" - "_762f9885-5a13-4abd-9c77-433dcd38b8fd_-browser-action" - "_b11bea1f-a888-4332-8d8a-cec2be7d24b9_-browser-action" - "jid0-3guet1r69sqnsrca5p8kx9ezc3u_jetpack-browser-action" - ]; - }; - "browser.newtabpage.activity-stream.feeds.topsites" = false; - "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; - "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false; - "browser.newtabpage.blocked" = lib.genAttrs [ - # Facebook - "4gPpjkxgZzXPVtuEoAL9Ig==" - # Reddit - "gLv0ja2RYVgxKdp0I5qwvA==" - # Amazon - "K00ILysCaEq8+bEqV/3nuw==" - # Twitter - "T9nJot5PurhJSy8n038xGA==" - ] (_: 1); - "identity.fxaccounts.enabled" = false; - - # Security - "privacy.trackingprotection.enabled" = true; - "dom.security.https_only_mode" = true; - - "extensions.formautofill.addresses.enabled" = false; - "extensions.formautofill.creditCards.enabled" = false; - "signon.rememberSignons" = false; - "privacy.sanitize.sanitizeOnShutdown" = true; - "privacy.clearOnShutdown_v2.cache" = true; - "privacy.clearOnShutdown_v2.cookiesAndStorage" = true; - "privacy.clearOnShutdown_v2.historyFormDataAndDownloads" = true; - "urlclassifier.trackingSkipURLs" = ""; - "urlclassifier.features.socialtracking.skipURLs" = ""; - "dom.security.https_only_mode_pbm" = true; - "dom.security.https_only_mode_error_page_user_suggestions" = true; - - # Disable telemetry - "app.shield.optoutstudies.enabled" = false; - "browser.discovery.enabled" = false; - "browser.newtabpage.activity-stream.feeds.telemetry" = false; - "browser.newtabpage.activity-stream.telemetry" = false; - "browser.ping-centre.telemetry" = false; - "datareporting.healthreport.service.enabled" = false; - "datareporting.healthreport.uploadEnabled" = false; - "datareporting.policy.dataSubmissionEnabled" = false; - "datareporting.sessions.current.clean" = true; - "devtools.onboarding.telemetry.logged" = false; - "toolkit.telemetry.archive.enabled" = false; - "toolkit.telemetry.bhrPing.enabled" = false; - "toolkit.telemetry.enabled" = false; - "toolkit.telemetry.firstShutdownPing.enabled" = false; - "toolkit.telemetry.hybridContent.enabled" = false; - "toolkit.telemetry.newProfilePing.enabled" = false; - "toolkit.telemetry.prompted" = 2; - "toolkit.telemetry.rejected" = true; - "toolkit.telemetry.reportingpolicy.firstRun" = false; - "toolkit.telemetry.server" = ""; - "toolkit.telemetry.shutdownPingSender.enabled" = false; - "toolkit.telemetry.unified" = false; - "toolkit.telemetry.unifiedIsOptIn" = false; - "toolkit.telemetry.updatePing.enabled" = false; - }; - - bookmarks = { - force = true; - settings = [ - { - name = "Media"; - url = "https://media.jan-leila.com/"; - keyword = ""; - tags = [""]; - } - { - name = "Photos"; - url = "https://photos.jan-leila.com"; - keyword = ""; - tags = [""]; - } - { - name = "Git"; - url = "https://git.jan-leila.com/"; - keyword = ""; - tags = [""]; - } - { - name = "Home Automation"; - url = "https://home.jan-leila.com/"; - keyword = ""; - tags = [""]; - } - { - name = "Mail"; - url = "https://mail.protonmail.com"; - keyword = ""; - tags = [""]; - } - { - name = "Open Street Map"; - url = "https://www.openstreetmap.org/"; - keyword = ""; - tags = [""]; - } - { - name = "Password Manager"; - url = "https://vault.bitwarden.com/"; - keyword = ""; - tags = [""]; - } - { - name = "Mastodon"; - url = "https://mspsocial.net"; - keyword = ""; - tags = [""]; - } - { - name = "Linked In"; - url = "https://www.linkedin.com/"; - keyword = ""; - tags = [""]; - } - { - name = "Job Search"; - url = "https://www.jobsinnetwork.com/?state=cleaned_history&language%5B%5D=en&query=react&locations.countryCode%5B%5D=IT&locations.countryCode%5B%5D=DE&locations.countryCode%5B%5D=NL&experience%5B%5D=medior&experience%5B%5D=junior&page=1"; - keyword = ""; - tags = [""]; - } - { - name = "React Docs"; - url = "https://react.dev/"; - keyword = ""; - tags = [""]; - } - # Template - # { - # name = ""; - # url = ""; - # keyword = ""; - # tags = [""]; - # } - ]; - }; - }; - }; - }; -} diff --git a/configurations/home-manager/leyla/packages/git.nix b/configurations/home-manager/leyla/packages/git.nix deleted file mode 100644 index 568cd7a..0000000 --- a/configurations/home-manager/leyla/packages/git.nix +++ /dev/null @@ -1,11 +0,0 @@ -{...}: { - config = { - programs = { - git = { - userName = "Leyla Becker"; - userEmail = "git@jan-leila.com"; - extraConfig.init.defaultBranch = "main"; - }; - }; - }; -} diff --git a/configurations/home-manager/leyla/packages/makemkv.nix b/configurations/home-manager/leyla/packages/makemkv.nix deleted file mode 100644 index ee71955..0000000 --- a/configurations/home-manager/leyla/packages/makemkv.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ - config, - inputs, - ... -}: { - config = { - sops.secrets = { - "application-keys/makemkv" = { - sopsFile = "${inputs.secrets}/application-keys.yaml"; - }; - }; - programs.makemkv = { - appKeyFile = config.sops.placeholder."application-keys/makemkv"; - destinationDir = "/home/leyla/downloads/makemkv"; - }; - }; -} diff --git a/configurations/home-manager/leyla/packages/openssh.nix b/configurations/home-manager/leyla/packages/openssh.nix deleted file mode 100644 index 91aec11..0000000 --- a/configurations/home-manager/leyla/packages/openssh.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ - config, - osConfig, - ... -}: { - config = { - programs = { - openssh = { - authorizedKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHeItmt8TRW43uNcOC+eIurYC7Eunc0V3LGocQqLaYj leyla@horizon" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIILimFIW2exEH/Xo7LtXkqgE04qusvnPNpPWSCeNrFkP leyla@defiant" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBiZkg1c2aaNHiieBX4cEziqvJVj9pcDfzUrKU/mO0I leyla@twilight" - ]; - hostKeys = [ - { - type = "ed25519"; - path = "${config.home.username}_${osConfig.networking.hostName}_ed25519"; - } - ]; - }; - }; - }; -} diff --git a/configurations/home-manager/leyla/packages/vscode/default.nix b/configurations/home-manager/leyla/packages/vscode/default.nix deleted file mode 100644 index c21e01d..0000000 --- a/configurations/home-manager/leyla/packages/vscode/default.nix +++ /dev/null @@ -1,118 +0,0 @@ -{ - lib, - pkgs, - inputs, - config, - osConfig, - ... -}: let - nix-development-enabled = osConfig.host.nix-development.enable; - ai-tooling-enabled = config.user.continue.enable && osConfig.host.ai.enable; -in { - config = lib.mkIf config.user.isDesktopUser { - nixpkgs = { - overlays = [ - inputs.nix-vscode-extensions.overlays.default - ]; - }; - - programs = { - bash.shellAliases = { - code = "codium"; - }; - - vscode = let - extensions = inputs.nix-vscode-extensions.extensions.${pkgs.system}; - open-vsx = extensions.open-vsx; - vscode-marketplace = extensions.vscode-marketplace; - in { - package = pkgs.vscodium; - - mutableExtensionsDir = false; - - profiles.default = { - enableUpdateCheck = false; - enableExtensionUpdateCheck = false; - - userSettings = lib.mkMerge [ - { - "workbench.colorTheme" = "Atom One Dark"; - "cSpell.userWords" = import ./user-words.nix; - "javascript.updateImportsOnFileMove.enabled" = "always"; - "editor.tabSize" = 2; - "editor.insertSpaces" = false; - } - (lib.mkIf nix-development-enabled { - "nix.enableLanguageServer" = true; - "nix.serverPath" = "nil"; - "[nix]" = { - "editor.defaultFormatter" = "kamadorueda.alejandra"; - "editor.formatOnPaste" = true; - "editor.formatOnSave" = true; - "editor.formatOnType" = true; - }; - "alejandra.program" = "alejandra"; - "nixpkgs" = { - "expr" = "import {}"; - }; - }) - (lib.mkIf ai-tooling-enabled { - "continue.telemetryEnabled" = false; - }) - ]; - - extensions = ( - with open-vsx; - [ - # vs code feel extensions - ms-vscode.atom-keybindings - akamud.vscode-theme-onedark - streetsidesoftware.code-spell-checker - streetsidesoftware.code-spell-checker-german - streetsidesoftware.code-spell-checker-italian - jeanp413.open-remote-ssh - - # html extensions - formulahendry.auto-rename-tag - ms-vscode.live-server - - # js extensions - dsznajder.es7-react-js-snippets - dbaeumer.vscode-eslint - standard.vscode-standard - firsttris.vscode-jest-runner - stylelint.vscode-stylelint - tauri-apps.tauri-vscode - - # go extensions - golang.go - - # astro blog extensions - astro-build.astro-vscode - unifiedjs.vscode-mdx - - # misc extensions - tamasfe.even-better-toml - ] - ++ (lib.lists.optionals nix-development-enabled [ - # nix extensions - pinage404.nix-extension-pack - jnoortheen.nix-ide - kamadorueda.alejandra - ]) - ++ ( - with vscode-marketplace; - [ - # js extensions - karyfoundation.nearley - ] - ++ (lib.lists.optionals ai-tooling-enabled [ - continue.continue - ]) - ) - ); - }; - }; - }; - }; -} diff --git a/configurations/home-manager/leyla/packages/vscode/user-words.nix b/configurations/home-manager/leyla/packages/vscode/user-words.nix deleted file mode 100644 index b581118..0000000 --- a/configurations/home-manager/leyla/packages/vscode/user-words.nix +++ /dev/null @@ -1,6 +0,0 @@ -[ - "leyla" - "webdav" - "ollama" - "optimise" -] diff --git a/configurations/installer/basic/configuration.nix b/configurations/installer/basic/configuration.nix deleted file mode 100644 index 4e63727..0000000 --- a/configurations/installer/basic/configuration.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ - lib, - pkgs, - modulesPath, - ... -}: { - imports = [(modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")]; - - systemd.services.sshd.wantedBy = pkgs.lib.mkForce ["multi-user.target"]; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AaAeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee username@host" - ]; - - isoImage.squashfsCompression = "gzip -Xcompression-level 1"; - - networking.hostName = "installer"; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/configurations/installer/basic/default.nix b/configurations/installer/basic/default.nix deleted file mode 100644 index 220a6fb..0000000 --- a/configurations/installer/basic/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{...}: { - imports = [ - ./configuration.nix - ]; -} diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix deleted file mode 100644 index 7d9c6d8..0000000 --- a/configurations/nixos/defiant/configuration.nix +++ /dev/null @@ -1,315 +0,0 @@ -# server nas -{ - inputs, - config, - ... -}: { - sops.secrets = { - "vpn-keys/tailscale-authkey/defiant" = { - sopsFile = "${inputs.secrets}/vpn-keys.yaml"; - }; - "vpn-keys/proton-wireguard/defiant-p2p" = { - sopsFile = "${inputs.secrets}/vpn-keys.yaml"; - mode = "0640"; - owner = "root"; - group = "systemd-network"; - }; - "services/zfs_smtp_token" = { - sopsFile = "${inputs.secrets}/defiant-services.yaml"; - }; - }; - - host = { - users = { - leyla = { - isDesktopUser = true; - isTerminalUser = true; - isPrincipleUser = true; - }; - }; - impermanence.enable = true; - storage = { - enable = true; - encryption = true; - notifications = { - enable = true; - host = "smtp.protonmail.ch"; - port = 587; - to = "leyla@jan-leila.com"; - user = "leyla@jan-leila.com"; - tokenFile = config.sops.secrets."services/zfs_smtp_token".path; - }; - pool = { - # We are having to boot off of the nvm cache drive because I cant figure out how to boot via the HBA - bootDrives = ["nvme-Samsung_SSD_990_PRO_4TB_S7KGNU0X907881F"]; - vdevs = [ - [ - "ata-ST18000NE000-3G6101_ZVTCXVEB" - "ata-ST18000NE000-3G6101_ZVTCXWSC" - "ata-ST18000NE000-3G6101_ZVTD10EH" - "ata-ST18000NT001-3NF101_ZVTE0S3Q" - "ata-ST18000NT001-3NF101_ZVTEF27J" - "ata-ST18000NE000-3G6101_ZVTJ7359" - ] - # TODO: this needs to be configured manually - [ - "ata-ST4000NE001-2MA101_WS2275P3" - "ata-ST4000NE001-2MA101_WS227B9F" - "ata-ST4000NE001-2MA101_WS227CEW" - "ata-ST4000NE001-2MA101_WS227CYN" - "ata-ST4000NE001-2MA101_WS23TBWV" - "ata-ST4000NE001-2MA101_WS23TC5F" - ] - ]; - cache = [ - "nvme-Samsung_SSD_990_PRO_4TB_S7KGNU0X907881F" - ]; - }; - }; - network_storage = { - enable = true; - directories = [ - { - folder = "leyla_documents"; - user = "leyla"; - group = "leyla"; - bind = "/home/leyla/documents"; - } - { - folder = "eve_documents"; - user = "eve"; - group = "eve"; - } - { - folder = "users_documents"; - user = "root"; - group = "users"; - } - { - folder = "media"; - user = "jellyfin"; - group = "jellyfin_media"; - bind = config.services.jellyfin.media_directory; - } - ]; - nfs = { - enable = true; - directories = ["leyla_documents" "eve_documents" "users_documents" "media"]; - }; - }; - reverse_proxy = { - enable = true; - enableACME = true; - hostname = "jan-leila.com"; - }; - postgres = { - extraUsers = { - leyla = { - isAdmin = true; - }; - }; - }; - # home-assistant = { - # enable = false; - # subdomain = "home"; - # }; - adguardhome = { - enable = false; - }; - }; - - systemd.network = { - enable = true; - - # config = { - # routeTables = { - # p2p = 1; - # }; - # }; - - netdevs = { - "10-bond0" = { - netdevConfig = { - Kind = "bond"; - Name = "bond0"; - }; - bondConfig = { - Mode = "802.3ad"; - TransmitHashPolicy = "layer3+4"; - }; - }; - - # "15-p2p0" = { - # netdevConfig = { - # Kind = "wireguard"; - # Name = "p2p0"; - # MTUBytes = "1280"; - # }; - # wireguardConfig = { - # PrivateKeyFile = config.sops.secrets."vpn-keys/proton-wireguard/defiant-p2p".path; - # ListenPort = 51820; - # # RouteTable = "p2p"; - # }; - # wireguardPeers = [ - # { - # PublicKey = "rRO6yJim++Ezz6scCLMaizI+taDjU1pzR2nfW6qKbW0="; - # Endpoint = "185.230.126.146:51820"; - # AllowedIPs = ["0.0.0.0/0"]; - # RouteTable = "off"; - # } - # ]; - # }; - }; - networks = { - "40-bond0" = { - matchConfig.Name = "bond0"; - linkConfig = { - RequiredForOnline = "degraded-carrier"; - RequiredFamilyForOnline = "any"; - }; - networkConfig.DHCP = "yes"; - - address = [ - "192.168.1.10/32" - ]; - - gateway = ["192.168.1.1"]; - dns = ["192.168.1.1"]; - }; - - # "45-p2p0" = { - # matchConfig.Name = "p2p0"; - # address = [ - # "10.2.0.2/32" - # ]; - # routes = [ - # { - # Destination = "0.0.0.0/0"; - # } - # ]; - # linkConfig.RequiredForOnline = false; - # }; - }; - }; - - # limit arc usage to 50gb because ollama doesn't play nice with zfs using up all of the memory - boot.kernelParams = ["zfs.zfs_arc_max=53687091200"]; - - services = { - # TODO: move zfs scrubbing into module - zfs = { - autoScrub.enable = true; - autoSnapshot.enable = true; - }; - - # temp enable desktop enviroment for setup - # Enable the X11 windowing system. - xserver.enable = true; - - # Enable the GNOME Desktop Environment. - displayManager = { - gdm.enable = true; - }; - desktopManager = { - gnome.enable = true; - }; - - ollama = { - enable = true; - exposePort = true; - - acceleration = false; - - loadModels = [ - # conversation models - "llama3.1:8b" - "deepseek-r1:8b" - "deepseek-r1:32b" - "deepseek-r1:70b" - - # auto complete models - "qwen2.5-coder:1.5b-base" - "qwen2.5-coder:7b" - "deepseek-coder:6.7b" - "deepseek-coder:33b" - - # agent models - "qwen3:8b" - "qwen3:32b" - - # embedding models - "nomic-embed-text:latest" - ]; - }; - tailscale = { - enable = true; - authKeyFile = config.sops.secrets."vpn-keys/tailscale-authkey/defiant".path; - useRoutingFeatures = "server"; - extraUpFlags = [ - "--advertise-exit-node" - "--advertise-routes=192.168.0.0/24" - "--accept-dns=false" - ]; - extraSetFlags = [ - "--advertise-exit-node" - "--advertise-routes=192.168.0.0/24" - "--accept-dns=false" - ]; - }; - - syncthing.enable = true; - - fail2ban.enable = true; - - jellyfin = { - enable = true; - subdomain = "media"; - extraSubdomains = ["jellyfin"]; - }; - - immich = { - enable = true; - subdomain = "photos"; - }; - - forgejo = { - enable = true; - subdomain = "git"; - }; - - searx = { - enable = true; - subdomain = "search"; - }; - - virt-home-assistant = { - enable = false; - networkBridge = "bond0"; - hostDevice = "0x10c4:0xea60"; - }; - - qbittorrent = { - enable = true; - mediaDir = "/srv/qbittorent"; - openFirewall = true; - webPort = 8084; - }; - }; - - # disable computer sleeping - systemd.targets = { - sleep.enable = false; - suspend.enable = false; - hibernate.enable = false; - hybrid-sleep.enable = false; - }; - services.displayManager.gdm.autoSuspend = false; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It's perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? -} diff --git a/configurations/nixos/defiant/default.nix b/configurations/nixos/defiant/default.nix deleted file mode 100644 index fe850af..0000000 --- a/configurations/nixos/defiant/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -# server nas -{...}: { - imports = [ - ./hardware-configuration.nix - ./configuration.nix - ]; -} diff --git a/configurations/nixos/emergent/configuration.nix b/configurations/nixos/emergent/configuration.nix deleted file mode 100644 index 90aecab..0000000 --- a/configurations/nixos/emergent/configuration.nix +++ /dev/null @@ -1,160 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page, on -# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -{ - lib, - pkgs, - ... -}: { - imports = [ - ./nvidia-drivers.nix - ]; - - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - # networking.hostName = "nixos"; # Define your hostname. - # Pick only one of the below networking options. - # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. - # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - - # Set your time zone. - # time.timeZone = "Europe/Amsterdam"; - - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - - # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkb.options in tty. - # }; - - # Enable the X11 windowing system. - services.xserver.enable = true; - # Enable wacom touchscreen device - services.xserver.wacom.enable = true; - - # installed opentabletdriver - hardware.opentabletdriver.enable = true; - - # Enable the GNOME Desktop Environment. - services.displayManager.gdm.enable = true; - services.desktopManager.gnome.enable = true; - - host = { - users = { - eve = { - isDesktopUser = true; - isTerminalUser = true; - isPrincipleUser = true; - }; - }; - hardware = { - piperMouse.enable = true; - }; - - storage = { - enable = true; - pool = { - mode = ""; - drives = ["wwn-0x5000039fd0cf05eb"]; - }; - }; - }; - - # Configure keymap in X11 - # services.xserver.xkb.layout = "us"; - # services.xserver.xkb.options = "eurosign:e,caps:escape"; - - # Enable CUPS to print documents. - # services.printing.enable = true; - - # Enable sound. - # services.pulseaudio.enable = true; - # OR - # services.pipewire = { - # enable = true; - # pulse.enable = true; - # }; - - # Enable touchpad support (enabled default in most desktopManager). - # services.libinput.enable = true; - - # Define a user account. Don't forget to set a password with ‘passwd’. - # users.users.alice = { - # isNormalUser = true; - # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. - # packages = with pkgs; [ - # tree - # ]; - # }; - - # programs.firefox.enable = true; - - nixpkgs.config.allowUnfree = true; - - # Packages that can be installed without any extra configuration - # See https://search.nixos.org/packages for all options - environment.systemPackages = with pkgs; [ - wget - ]; - - # Packages that need to be installed with some extra configuration - # See https://search.nixos.org/options for all options - programs = {}; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. - # services.openssh.enable = true; - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - networking = { - networkmanager.enable = true; - useDHCP = lib.mkDefault true; - hostId = "7e35eb97"; # arbitrary id number generated via this command: `head -c4 /dev/urandom | od -A none -t x4` - hostName = "emergent"; # Define your hostname. - }; - - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - # system.copySystemConfiguration = true; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how - # to actually do that. - # - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "25.05"; # Did you read the comment? -} diff --git a/configurations/nixos/emergent/default.nix b/configurations/nixos/emergent/default.nix deleted file mode 100644 index 452334a..0000000 --- a/configurations/nixos/emergent/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -# evs desktop -{...}: { - imports = [ - ./configuration.nix - ./hardware-configuration.nix - ]; -} diff --git a/configurations/nixos/emergent/hardware-configuration.nix b/configurations/nixos/emergent/hardware-configuration.nix deleted file mode 100644 index 4e13149..0000000 --- a/configurations/nixos/emergent/hardware-configuration.nix +++ /dev/null @@ -1,32 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"]; - boot.initrd.kernelModules = []; - boot.kernelModules = []; - boot.extraModulePackages = []; - - swapDevices = []; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp42s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/configurations/nixos/emergent/nvidia-drivers.nix b/configurations/nixos/emergent/nvidia-drivers.nix deleted file mode 100644 index fb66cf6..0000000 --- a/configurations/nixos/emergent/nvidia-drivers.nix +++ /dev/null @@ -1,51 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: { - # Enable OpenGL - hardware.graphics = { - enable = true; - }; - - # Load nvidia driver for Xorg and Wayland - services = { - xserver = { - # Load nvidia driver for Xorg and Wayland - videoDrivers = ["nvidia"]; - }; - # Use X instead of wayland - displayManager.gdm.wayland = false; - }; - - hardware.nvidia = { - # Modesetting is required. - modesetting.enable = true; - - # Nvidia power management. Experimental, and can cause sleep/suspend to fail. - # Enable this if you have graphical corruption issues or application crashes after waking - # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead - # of just the bare essentials. - powerManagement.enable = false; - - # Fine-grained power management. Turns off GPU when not in use. - # Experimental and only works on modern Nvidia GPUs (Turing or newer). - powerManagement.finegrained = false; - - # Use the NVidia open source kernel module (not to be confused with the - # independent third-party "nouveau" open source driver). - # Support is limited to the Turing and later architectures. Full list of - # supported GPUs is at: - # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus - # Only available from driver 515.43.04+ - open = true; - - # Enable the Nvidia settings menu, - # accessible via `nvidia-settings`. - nvidiaSettings = true; - - # Optionally, you may need to select the appropriate driver version for your specific GPU. - package = config.boot.kernelPackages.nvidiaPackages.stable; - }; -} diff --git a/configurations/nixos/horizon/configuration.nix b/configurations/nixos/horizon/configuration.nix deleted file mode 100644 index 42dcbb9..0000000 --- a/configurations/nixos/horizon/configuration.nix +++ /dev/null @@ -1,147 +0,0 @@ -{ - lib, - pkgs, - config, - inputs, - ... -}: { - imports = [ - inputs.nixos-hardware.nixosModules.framework-11th-gen-intel - ]; - - nixpkgs.config.allowUnfree = true; - - boot = { - initrd = { - availableKernelModules = ["usb_storage" "sd_mod"]; - }; - kernelModules = ["sg"]; - - # Bootloader. - loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - }; - - host = { - users = { - leyla = { - isDesktopUser = true; - isTerminalUser = true; - isPrincipleUser = true; - }; - eve.isDesktopUser = true; - }; - - hardware = { - directAccess.enable = true; - }; - - ai = { - enable = true; - models = { - "Llama 3.1 8B" = { - model = "llama3.1:8b"; - roles = ["chat" "edit" "apply"]; - apiBase = "http://defiant:11434"; - }; - "Deepseek Coder:6.7B" = { - model = "deepseek-coder:6.7b"; - roles = ["chat" "edit" "apply"]; - apiBase = "http://defiant:11434"; - }; - "Deepseek Coder:33B" = { - model = "deepseek-coder:33b"; - roles = ["chat" "edit" "apply"]; - apiBase = "http://defiant:11434"; - }; - - "Deepseek r1:8B" = { - model = "deepseek-r1:8b"; - roles = ["chat"]; - apiBase = "http://defiant:11434"; - }; - - "Deepseek r1:32B" = { - model = "deepseek-r1:32b"; - roles = ["chat"]; - apiBase = "http://defiant:11434"; - }; - - "qwen2.5-coder:1.5b-base" = { - model = "qwen2.5-coder:1.5b-base"; - roles = ["autocomplete"]; - apiBase = "http://defiant:11434"; - }; - - "nomic-embed-text:latest" = { - model = "nomic-embed-text:latest"; - roles = ["embed"]; - apiBase = "http://defiant:11434"; - }; - }; - }; - }; - - environment.systemPackages = with pkgs; [ - cachefilesd - webtoon-dl - ]; - services.cachefilesd.enable = true; - - programs = { - adb.enable = true; - }; - - networking = { - networkmanager.enable = true; - hostName = "horizon"; # Define your hostname. - }; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - - hardware = { - graphics.enable = true; - }; - - sops.secrets = { - "vpn-keys/tailscale-authkey/horizon" = { - sopsFile = "${inputs.secrets}/vpn-keys.yaml"; - }; - }; - - services = { - # sudo fprintd-enroll - fprintd = { - enable = true; - }; - # firmware update tool - fwupd = { - enable = true; - }; - tailscale = { - enable = true; - authKeyFile = config.sops.secrets."vpn-keys/tailscale-authkey/horizon".path; - useRoutingFeatures = "client"; - }; - - syncthing.enable = true; - }; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It's perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? -} diff --git a/configurations/nixos/horizon/default.nix b/configurations/nixos/horizon/default.nix deleted file mode 100644 index 1263215..0000000 --- a/configurations/nixos/horizon/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -# leyla laptop -{...}: { - imports = [ - ./configuration.nix - ./hardware-configuration.nix - ]; -} diff --git a/configurations/nixos/horizon/hardware-configuration.nix b/configurations/nixos/horizon/hardware-configuration.nix deleted file mode 100644 index cec4914..0000000 --- a/configurations/nixos/horizon/hardware-configuration.nix +++ /dev/null @@ -1,45 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - modulesPath, - ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme"]; - boot.initrd.kernelModules = []; - boot.kernelModules = ["kvm-intel"]; - boot.extraModulePackages = []; - - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/866d422b-f816-4ad9-9846-791839cb9337"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/disk/by-uuid/E138-65B5"; - fsType = "vfat"; - }; - }; - - swapDevices = [ - {device = "/dev/disk/by-uuid/be98e952-a072-4c3a-8c12-69500b5a2fff";} - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp170s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/configurations/nixos/twilight/configuration.nix b/configurations/nixos/twilight/configuration.nix deleted file mode 100644 index 111c002..0000000 --- a/configurations/nixos/twilight/configuration.nix +++ /dev/null @@ -1,210 +0,0 @@ -{ - inputs, - config, - pkgs, - ... -}: { - imports = [ - ./monitors.nix - ]; - - nixpkgs.config.allowUnfree = true; - - boot.initrd.availableKernelModules = ["usb_storage"]; - boot.kernelModules = ["sg"]; - - boot.loader = { - systemd-boot.enable = true; - efi.canTouchEfiVariables = true; - }; - - sops.secrets = { - "vpn-keys/tailscale-authkey/twilight" = { - sopsFile = "${inputs.secrets}/vpn-keys.yaml"; - }; - }; - host = { - users = { - leyla = { - isDesktopUser = true; - isTerminalUser = true; - isPrincipleUser = true; - }; - eve.isDesktopUser = true; - }; - hardware = { - piperMouse.enable = true; - viaKeyboard.enable = true; - openRGB.enable = true; - graphicsAcceleration.enable = true; - directAccess.enable = true; - }; - ai = { - enable = true; - # TODO: benchmark twilight against defiant and prune this list of models that are faster on defiant - models = { - # conversation models - "Llama 3.1 8B" = { - model = "lamma3.1:8b"; - roles = ["chat" "edit" "apply"]; - }; - "deepseek-r1:8b" = { - model = "deepseek-r1:8b"; - roles = ["chat" "edit" "apply"]; - }; - "deepseek-r1:32b" = { - model = "deepseek-r1:32b"; - roles = ["chat" "edit" "apply"]; - }; - - # auto complete models - "qwen2.5-coder:1.5b-base" = { - model = "qwen2.5-coder:1.5b-base"; - roles = ["autocomplete"]; - }; - "qwen2.5-coder:7b" = { - model = "qwen2.5-coder:7b"; - roles = ["autocomplete"]; - }; - "deepseek-coder:6.7b" = { - model = "deepseek-coder:6.7b"; - roles = ["autocomplete"]; - }; - "deepseek-coder:33b" = { - model = "deepseek-coder:33b"; - roles = ["autocomplete"]; - }; - - # agent models - "qwen3:32b" = { - model = "qwen3:32b"; - roles = ["chat" "edit" "apply"]; - }; - - # embedding models - "nomic-embed-text:latest" = { - model = "nomic-embed-text:latest"; - roles = ["embed"]; - }; - }; - }; - }; - services = { - ollama = { - enable = true; - exposePort = true; - - loadModels = [ - # conversation models - "llama3.1:8b" - "deepseek-r1:8b" - "deepseek-r1:32b" - - # auto complete models - "qwen2.5-coder:1.5b-base" - "qwen2.5-coder:7b" - "deepseek-coder:6.7b" - "deepseek-coder:33b" - - # agent models - "qwen3:32b" - - # embedding models - "nomic-embed-text:latest" - ]; - }; - - tailscale = { - enable = true; - authKeyFile = config.sops.secrets."vpn-keys/tailscale-authkey/twilight".path; - useRoutingFeatures = "both"; - extraUpFlags = [ - "--advertise-exit-node" - "--advertise-routes=192.168.0.0/24" - ]; - extraSetFlags = [ - "--advertise-exit-node" - "--advertise-routes=192.168.0.0/24" - ]; - }; - - syncthing.enable = true; - }; - - boot.supportedFilesystems = ["nfs"]; - - fileSystems = { - "/mnt/leyla_documents" = { - device = "defiant:/exports/leyla_documents"; - fsType = "nfs"; - options = [ - "x-systemd.automount" - "noauto" - "user" - "noatime" - "nofail" - "soft" - "x-systemd.idle-timeout=600" - "fsc" - ]; - }; - - "/mnt/users_documents" = { - device = "defiant:/exports/users_documents"; - fsType = "nfs"; - options = [ - "x-systemd.automount" - "noauto" - "user" - "nofail" - "soft" - "x-systemd.idle-timeout=600" - "fsc" - ]; - }; - - "/mnt/media" = { - device = "defiant:/exports/media"; - fsType = "nfs"; - options = [ - "x-systemd.automount" - "noauto" - "user" - "noatime" - "nofail" - "soft" - "x-systemd.idle-timeout=600" - "noatime" - "nodiratime" - "relatime" - "rsize=32768" - "wsize=32768" - "fsc" - ]; - }; - }; - - environment.systemPackages = with pkgs; [ - cachefilesd - ]; - hardware.steam-hardware.enable = true; # Provides udev rules for controller, HTC vive, and Valve Index - - networking = { - networkmanager.enable = true; - hostName = "twilight"; # Define your hostname. - }; - - # enabled virtualisation for docker - # virtualisation.docker.enable = true; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It's perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? -} diff --git a/configurations/nixos/twilight/default.nix b/configurations/nixos/twilight/default.nix deleted file mode 100644 index 43a9164..0000000 --- a/configurations/nixos/twilight/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -# leyla desktop -{...}: { - imports = [ - ./configuration.nix - ./hardware-configuration.nix - ./nvidia-drivers.nix - ]; -} diff --git a/configurations/nixos/twilight/hardware-configuration.nix b/configurations/nixos/twilight/hardware-configuration.nix deleted file mode 100644 index 1389caf..0000000 --- a/configurations/nixos/twilight/hardware-configuration.nix +++ /dev/null @@ -1,42 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ - config, - lib, - modulesPath, - ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "sd_mod"]; - boot.initrd.kernelModules = []; - boot.kernelModules = ["kvm-amd"]; - boot.extraModulePackages = []; - - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/8be49c65-2b57-48f1-b74d-244d26061adb"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/disk/by-uuid/3006-3867"; - fsType = "vfat"; - options = ["fmask=0022" "dmask=0022"]; - }; - }; - - swapDevices = []; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/configurations/nixos/twilight/nvidia-drivers.nix b/configurations/nixos/twilight/nvidia-drivers.nix deleted file mode 100644 index 47763f8..0000000 --- a/configurations/nixos/twilight/nvidia-drivers.nix +++ /dev/null @@ -1,47 +0,0 @@ -{config, ...}: { - services = { - xserver = { - # Load nvidia driver for Xorg and Wayland - videoDrivers = ["nvidia"]; - }; - # Use X instead of wayland for gaming reasons - displayManager.gdm.wayland = false; - }; - - hardware = { - # Enable OpenGL - graphics.enable = true; - - # install graphics drivers - nvidia = { - # Modesetting is required. - modesetting.enable = true; - - # Nvidia power management. Experimental, and can cause sleep/suspend to fail. - # Enable this if you have graphical corruption issues or application crashes after waking - # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead - # of just the bare essentials. - powerManagement.enable = false; - - # Fine-grained power management. Turns off GPU when not in use. - # Experimental and only works on modern Nvidia GPUs (Turing or newer). - powerManagement.finegrained = false; - - # Use the NVidia open source kernel module (not to be confused with the - # independent third-party "nouveau" open source driver). - # Support is limited to the Turing and later architectures. Full list of - # supported GPUs is at: - # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus - # Only available from driver 515.43.04+ - # Currently alpha-quality/buggy, so false is currently the recommended setting. - open = true; - - # Enable the Nvidia settings menu, - # accessible via `nvidia-settings`. - nvidiaSettings = true; - - # Optionally, you may need to select the appropriate driver version for your specific GPU. - package = config.boot.kernelPackages.nvidiaPackages.production; - }; - }; -} diff --git a/configurations/syncthing/default.nix b/configurations/syncthing/default.nix deleted file mode 100644 index 397f678..0000000 --- a/configurations/syncthing/default.nix +++ /dev/null @@ -1,119 +0,0 @@ -{config, ...}: { - folders = { - leyla_documents = { - id = "hvrj0-9bm1p"; - }; - leyla_calendar = { - id = "8oatl-1rv6w"; - }; - leyla_supernote_notes = { - id = "dwbuv-zffnf"; - }; - eve_records = { - id = "by6at-d4h9n"; - }; - share = { - id = "73ot0-cxmkx"; - }; - }; - devices = { - defiant = { - id = "3R6E6Y4-2F7MF2I-IGB4WE6-A3SQSMV-LIBYSAM-2OXHHU2-KJ6CGIV-QNMCPAR"; - folders = { - leyla_documents = { - folder = config.folders.leyla_documents; - path = "/mnt/sync/leyla/documents"; - }; - leyla_calendar = { - folder = config.folders.leyla_calendar; - path = "/mnt/sync/leyla/calendar"; - }; - leyla_supernote_notes = { - folder = config.folders.leyla_supernote_notes; - path = "/mnt/sync/leyla/notes"; - }; - eve_records = { - folder = config.folders.eve_records; - path = "/mnt/sync/eve/records"; - }; - share = { - folder = config.folders.share; - path = "/mnt/sync/default/share"; - }; - }; - }; - twilight = { - id = "UDIYL7V-OAZ2BI3-EJRAWFB-GZYVDWR-JNUYW3F-FFQ35MU-XBTGWEF-QD6K6QN"; - folders = { - leyla_documents = { - folder = config.folders.leyla_documents; - path = "/mnt/sync/leyla/documents"; - }; - share = { - folder = config.folders.share; - path = "/mnt/sync/default/share"; - }; - }; - }; - horizon = { - id = "OGPAEU6-5UR56VL-SP7YC4Y-IMVCRTO-XFD4CYN-Z6T5TZO-PFZNAT6-4MKWPQS"; - folders = { - leyla_documents = { - folder = config.folders.leyla_documents; - path = "/mnt/sync/leyla/documents"; - }; - share = { - folder = config.folders.share; - path = "/mnt/sync/default/share"; - }; - }; - }; - coven = { - id = "QGU7NN6-OMXTWVA-YCZ73S5-2O7ECTS-MUCTN4M-YH6WLEL-U4U577I-7PBNCA5"; - folders = { - leyla_documents = { - folder = config.folders.leyla_documents; - }; - share = { - folder = config.folders.share; - }; - }; - }; - ceder = { - id = "MGXUJBS-7AENXHB-7YQRNWG-QILKEJD-5462U2E-WAQW4R4-I2TVK5H-SMK6LAA"; - folders = { - share = { - folder = config.folders.share; - }; - leyla_documents = { - folder = config.folders.leyla_documents; - }; - leyla_calendar = { - folder = config.folders.leyla_calendar; - }; - leyla_notes = { - folder = config.folders.leyla_supernote_notes; - }; - }; - }; - emergent = { - id = "6MIDMKJ-7IFHXVX-FIR3YTB-KVE75LN-PA6IOTN-I257LWR-MMC4K6C-5H4SHQN"; - folders = { - eve_records = { - folder = config.folders.eve_records; - }; - share = { - folder = config.folders.share; - }; - }; - }; - shale = { - id = "AOAXEVD-QJ2IVRA-6G44Q7Q-TGUPXU2-FWWKOBH-DPKWC5N-LBAEHWJ-7EQF4AM"; - folders = { - share = { - folder = config.folders.share; - }; - }; - }; - }; -} diff --git a/const/sops_age_key_directory.nix b/const/sops_age_key_directory.nix deleted file mode 100644 index cf948df..0000000 --- a/const/sops_age_key_directory.nix +++ /dev/null @@ -1 +0,0 @@ -"/var/lib/sops-nix" diff --git a/enviroments/client/default.nix b/enviroments/client/default.nix new file mode 100644 index 0000000..86ff67b --- /dev/null +++ b/enviroments/client/default.nix @@ -0,0 +1,57 @@ +{pkgs, ...}: { + imports = [ + ../common + ]; + + services = { + # Enable CUPS to print documents. + printing.enable = true; + + xserver = { + # Enable the X11 windowing system. + enable = true; + + # Enable the GNOME Desktop Environment. + displayManager.gdm.enable = true; + desktopManager = { + gnome.enable = true; + xterm.enable = false; + }; + + # Get rid of xTerm + excludePackages = [pkgs.xterm]; + + # Configure keymap in X11 + xkb = { + layout = "us,it,de"; + variant = ""; + }; + }; + + pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + + # use the example session manager (no others are packaged yet so this is enabled by default, + # no need to redefine it in your config for now) + #media-session.enable = true; + }; + }; + + # Enable sound with pipewire. + hardware.pulseaudio.enable = false; + security.rtkit.enable = true; + + environment.systemPackages = with pkgs; [ + # helvetica font + aileron + + cachefilesd + + gnomeExtensions.dash-to-dock + ]; +} diff --git a/enviroments/common/default.nix b/enviroments/common/default.nix new file mode 100644 index 0000000..0194ec1 --- /dev/null +++ b/enviroments/common/default.nix @@ -0,0 +1,155 @@ +{pkgs, ...}: { + imports = [ + ../../users + ]; + + nix = { + settings = { + experimental-features = ["nix-command" "flakes"]; + trusted-users = ["leyla"]; + }; + gc.automatic = true; + }; + + # Enable networking + networking.networkmanager.enable = true; + + # Set your time zone. + time.timeZone = "America/Chicago"; + + i18n.defaultLocale = "en_US.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "en_US.UTF-8"; + LC_IDENTIFICATION = "en_US.UTF-8"; + LC_MEASUREMENT = "en_US.UTF-8"; + LC_MONETARY = "en_US.UTF-8"; + LC_NAME = "en_US.UTF-8"; + LC_NUMERIC = "en_US.UTF-8"; + LC_PAPER = "en_US.UTF-8"; + LC_TELEPHONE = "en_US.UTF-8"; + LC_TIME = "en_US.UTF-8"; + }; + + users = { + users = { + leyla = { + uid = 1000; + description = "Leyla"; + group = "leyla"; + }; + + ester = { + uid = 1001; + description = "Ester"; + group = "ester"; + }; + + eve = { + uid = 1002; + description = "Eve"; + group = "eve"; + }; + + jellyfin = { + uid = 2000; + group = "jellyfin"; + isSystemUser = true; + }; + + forgejo = { + uid = 2002; + group = "forgejo"; + isSystemUser = true; + }; + + pihole = { + uid = 2003; + group = "pihole"; + isSystemUser = true; + }; + }; + + groups = { + leyla = { + gid = 1000; + members = ["lelya"]; + }; + + ester = { + gid = 1001; + members = ["ester"]; + }; + + eve = { + gid = 1002; + members = ["eve"]; + }; + + users = { + gid = 100; + members = ["leyla" "ester" "eve"]; + }; + + jellyfin = { + gid = 2000; + members = ["jellyfin" "leyla"]; + }; + + jellyfin_media = { + gid = 2001; + members = ["jellyfin" "leyla" "ester" "eve"]; + }; + + forgejo = { + gid = 2002; + members = ["forgejo" "leyla"]; + }; + + pihole = { + gid = 2003; + members = ["pihole" "leyla"]; + }; + }; + }; + + services = { + openssh = { + enable = true; + ports = [22]; + settings = { + PasswordAuthentication = false; + AllowUsers = ["leyla"]; # Allows all users by default. Can be [ "user1" "user2" ] + UseDns = true; + X11Forwarding = false; + }; + }; + }; + + environment.sessionVariables = rec { + SOPS_AGE_KEY_DIRECTORY = "/var/lib/sops-nix"; + SOPS_AGE_KEY_FILE = "${SOPS_AGE_KEY_DIRECTORY}/key.txt"; + }; + + sops = { + defaultSopsFormat = "yaml"; + gnupg.sshKeyPaths = []; + + age = { + keyFile = "/var/lib/sops-nix/key.txt"; + sshKeyPaths = []; + # generateKey = true; + }; + }; + # List packages installed in system profile. + environment.systemPackages = with pkgs; [ + wget + + # version control + git + + # system debuging tools + iputils + dnsutils + ]; +} diff --git a/enviroments/server/default.nix b/enviroments/server/default.nix new file mode 100644 index 0000000..6c18f29 --- /dev/null +++ b/enviroments/server/default.nix @@ -0,0 +1,258 @@ +{ + lib, + config, + pkgs, + ... +}: { + imports = [ + ../common + ]; + + options = { + domains = { + base_domain = lib.mkOption { + type = lib.types.str; + }; + headscale = { + subdomain = lib.mkOption { + type = lib.types.str; + description = "subdomain of base domain that headscale will be hosted at"; + default = "headscale"; + }; + }; + jellyfin = { + subdomain = lib.mkOption { + type = lib.types.str; + description = "subdomain of base domain that jellyfin will be hosted at"; + default = "jellyfin"; + }; + hostname = lib.mkOption { + type = lib.types.str; + description = "hosname that jellyfin will be hosted at"; + default = "${config.domains.jellyfin.subdomain}.${config.domains.base_domain}"; + }; + }; + forgejo = { + subdomain = lib.mkOption { + type = lib.types.str; + description = "subdomain of base domain that foregjo will be hosted at"; + default = "forgejo"; + }; + hostname = lib.mkOption { + type = lib.types.str; + description = "hosname that forgejo will be hosted at"; + default = "${config.domains.forgejo.subdomain}.${config.domains.base_domain}"; + }; + }; + }; + }; + + config = { + sops.secrets = { + "services/pi-hole" = { + sopsFile = ../../secrets/defiant-services.yaml; + }; + }; + + # Runtime + virtualisation.podman = { + enable = true; + autoPrune.enable = true; + dockerCompat = true; + defaultNetwork.settings = { + # Required for container networking to be able to use names. + dns_enabled = true; + }; + }; + virtualisation.oci-containers.backend = "podman"; + + virtualisation.oci-containers.containers.pihole = { + image = "pihole/pihole:2024.07.0"; + hostname = "pihole"; + volumes = [ + "/home/pihole:/etc/pihole:rw" # TODO; set this based on configs + "${config.sops.secrets."services/pi-hole".path}:/var/lib/pihole/webpassword.txt" + ]; + environment = { + TZ = config.time.timeZone; + WEBPASSWORD_FILE = "/var/lib/pihole/webpassword.txt"; + PIHOLE_UID = toString config.users.users.pihole.uid; + PIHOLE_GID = toString config.users.groups.pihole.gid; + }; + log-driver = "journald"; + extraOptions = [ + "--ip=192.168.1.201" # TODO: set this to some ip address from configs + "--network=macvlan" + ]; + }; + + systemd = { + tmpfiles.rules = [ + "d /home/jellyfin 755 jellyfin jellyfin -" + "d /home/jellyfin/media 775 jellyfin jellyfin_media -" + "d /home/jellyfin/config 750 jellyfin jellyfin -" + "d /home/jellyfin/cache 755 jellyfin jellyfin_media -" + "d /home/forgejo 750 forgejo forgejo -" + "d /home/forgejo/data 750 forgejo forgejo -" + "d /home/pihole 750 pihole pihole -" + ]; + + services = { + "podman-pihole" = { + serviceConfig = { + Restart = lib.mkOverride 500 "always"; + }; + after = [ + "podman-network-macvlan.service" + ]; + requires = [ + "podman-network-macvlan.service" + ]; + partOf = [ + "podman-compose-root.target" + ]; + wantedBy = [ + "podman-compose-root.target" + ]; + }; + + "podman-network-macvlan" = { + path = [ pkgs.podman ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "podman network rm -f macvlan"; + }; + # TODO: check subnet against pi-hole ip address + # TODO: make lan configurable + # TODO: make parent interface configurable + script = '' + podman network inspect macvlan || podman network create --driver macvlan --subnet 192.168.1.0/24 --gateway 192.168.1.1 --opt parent=bond0 macvlan + ''; + partOf = [ "podman-compose-root.target" ]; + wantedBy = [ "podman-compose-root.target" ]; + }; + }; + + # disable computer sleeping + targets = { + sleep.enable = false; + suspend.enable = false; + hibernate.enable = false; + hybrid-sleep.enable = false; + + # Root service + # When started, this will automatically create all resources and start + # the containers. When stopped, this will teardown all resources. + "podman-compose-root" = { + unitConfig = { + Description = "Root target for podman targets."; + }; + wantedBy = [ "multi-user.target" ]; + }; + }; + }; + + services = { + # DNS stub needs to be disabled so pi hole can bind + # resolved.extraConfig = "DNSStubListener=no"; + + nfs.server = { + enable = true; + exports = '' + /home/leyla 192.168.1.0/22(rw,sync,no_subtree_check,crossmnt) + /home/eve 192.168.1.0/22(rw,sync,no_subtree_check,crossmnt) + /home/ester 192.168.1.0/22(rw,sync,no_subtree_check,crossmnt) + /home/users 192.168.1.0/22(rw,sync,no_subtree_check,crossmnt) + ''; + }; + + postgresql = { + enable = true; + ensureDatabases = ["forgejo"]; + identMap = '' + # ArbitraryMapName systemUser DBUser + superuser_map root postgres + superuser_map postgres postgres + superuser_map forgejo forgejo + ''; + # configuration here lets users access the db that matches their name and lets user postgres access everything + authentication = pkgs.lib.mkOverride 10 '' + # type database DBuser auth-method optional_ident_map + local sameuser all peer map=superuser_map + ''; + }; + + headscale = { + enable = true; + address = "0.0.0.0"; + port = 8080; + settings = { + server_url = "http://${config.domains.headscale.subdomain}.${config.domains.base_domain}"; + dns_config.base_domain = config.domains.base_domain; + logtail.enabled = false; + }; + }; + + jellyfin = { + enable = true; + user = "jellyfin"; + group = "jellyfin"; + dataDir = "/home/jellyfin/config"; # location on existing server: /home/docker/jellyfin/config + cacheDir = "/home/jellyfin/cache"; # location on existing server: /home/docker/jellyfin/cache + }; + + forgejo = { + enable = true; + database.type = "postgres"; + lfs.enable = true; + settings = { + server = { + DOMAIN = config.domains.forgejo.hostname; + HTTP_PORT = 8081; + }; + service.DISABLE_REGISTRATION = true; + }; + stateDir = "/home/forgejo/data"; + }; + + nginx = { + enable = false; # TODO: enable this when you want to test all the configs + virtualHosts = { + ${config.domains.headscale.hostname} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:${toString config.services.headscale.port}"; + proxyWebsockets = true; + }; + }; + ${config.domains.jellyfin.hostname} = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://localhost:8096"; + }; + ${config.domains.forgejo.hostname} = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}"; + }; + }; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "jan-leila@protonmail.com"; + }; + + networking.firewall.allowedTCPPorts = [53 2049 3000 8081]; + + environment.systemPackages = [ + config.services.headscale.package + pkgs.jellyfin + pkgs.jellyfin-web + pkgs.jellyfin-ffmpeg + ]; + }; +} diff --git a/flake.lock b/flake.lock index ee4ebda..a424800 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1751607816, - "narHash": "sha256-5PtrwjqCIJ4DKQhzYdm8RFePBuwb+yTzjV52wWoGSt4=", + "lastModified": 1726842196, + "narHash": "sha256-u9h03JQUuQJ607xmti9F9Eh6E96kKUAGP+aXWgwm70o=", "owner": "nix-community", "repo": "disko", - "rev": "da6109c917b48abc1f76dd5c9bf3901c8c80f662", + "rev": "51994df8ba24d5db5459ccf17b6494643301ad28", "type": "github" }, "original": { @@ -20,35 +20,14 @@ "type": "github" } }, - "firefox-addons": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "dir": "pkgs/firefox-addons", - "lastModified": 1751688200, - "narHash": "sha256-4W+Bw2G9bTUuvAVS0g1rTdm5jyxxZoPFSSSk3S5yOPQ=", - "owner": "rycee", - "repo": "nur-expressions", - "rev": "7dc9a3c333983e3dcc19eb29b8e98184ef7e51e7", - "type": "gitlab" - }, - "original": { - "dir": "pkgs/firefox-addons", - "owner": "rycee", - "repo": "nur-expressions", - "type": "gitlab" - } - }, "flake-compat": { + "flake": false, "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -62,11 +41,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { @@ -75,39 +54,6 @@ "type": "github" } }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flakey-profile": { - "locked": { - "lastModified": 1712898590, - "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=", - "owner": "lf-", - "repo": "flakey-profile", - "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d", - "type": "github" - }, - "original": { - "owner": "lf-", - "repo": "flakey-profile", - "type": "github" - } - }, "home-manager": { "inputs": { "nixpkgs": [ @@ -115,11 +61,11 @@ ] }, "locked": { - "lastModified": 1751690735, - "narHash": "sha256-/FkoEVh6LzzunOYd5yZ2uo4HHzLqaKi6VH2kPus9hk0=", + "lastModified": 1726863345, + "narHash": "sha256-fjbKe1/UJpLT6tQLAKJ/djJFdnmAh2kkdsgmylyFrQA=", "owner": "nix-community", "repo": "home-manager", - "rev": "e8da7372fd1f0da3fe3874af3aa9ddd78662d8ae", + "rev": "dfe4d334b172071e7189d971ddecd3a7f811b48d", "type": "github" }, "original": { @@ -128,110 +74,20 @@ "type": "github" } }, - "impermanence": { - "locked": { - "lastModified": 1737831083, - "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", - "owner": "nix-community", - "repo": "impermanence", - "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "impermanence", - "type": "github" - } - }, - "lix": { - "flake": false, - "locked": { - "lastModified": 1746827285, - "narHash": "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=", - "rev": "47aad376c87e2e65967f17099277428e4b3f8e5a", - "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?rev=47aad376c87e2e65967f17099277428e4b3f8e5a" - }, - "original": { - "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/2.93.0.tar.gz" - } - }, - "lix-module": { - "inputs": { - "flake-utils": "flake-utils", - "flakey-profile": "flakey-profile", - "lix": "lix", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1746838955, - "narHash": "sha256-11R4K3iAx4tLXjUs+hQ5K90JwDABD/XHhsM9nkeS5N8=", - "rev": "cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc", - "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz?rev=cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc" - }, - "original": { - "type": "tarball", - "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz" - } - }, - "nix-darwin": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1751313918, - "narHash": "sha256-HsJM3XLa43WpG+665aGEh8iS8AfEwOIQWk3Mke3e7nk=", - "owner": "LnL7", - "repo": "nix-darwin", - "rev": "e04a388232d9a6ba56967ce5b53a8a6f713cdfcf", - "type": "github" - }, - "original": { - "owner": "LnL7", - "repo": "nix-darwin", - "type": "github" - } - }, - "nix-syncthing": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1741849924, - "narHash": "sha256-5vyb1H6HtW24QVqfI56P4QVQP6vHh1jS9ULwnunCO94=", - "ref": "main", - "rev": "86bcb200c83b6a5d13b3583126b9d8dc6770613a", - "revCount": 6, - "type": "git", - "url": "https://git.jan-leila.com/jan-leila/nix-syncthing" - }, - "original": { - "ref": "main", - "type": "git", - "url": "https://git.jan-leila.com/jan-leila/nix-syncthing" - } - }, "nix-vscode-extensions": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1751681058, - "narHash": "sha256-b9JMD1j+zqGbrWSobXq4icjOm5tdoy7dWBLSe6WTCSE=", + "lastModified": 1726796602, + "narHash": "sha256-rYMcODISSljSETcqUUTMo++ZEa1CC6Xx6d3xuydishM=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "0cadf3b87cce52af29c3cc98be8ee81b3c05f2c1", + "rev": "91dea80194080f017c6edf84fd94e33f6c12aec3", "type": "github" }, "original": { @@ -242,11 +98,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1751432711, - "narHash": "sha256-136MeWtckSHTN9Z2WRNRdZ8oRP3vyx3L8UxeBYE+J9w=", + "lastModified": 1726724509, + "narHash": "sha256-sVeAM1tgVi52S1e29fFBTPUAFSzgQwgLon3CrztXGm8=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "497ae1357f1ac97f1aea31a4cb74ad0d534ef41f", + "rev": "10d5e0ecc32984c1bf1a9a46586be3451c42fd94", "type": "github" }, "original": { @@ -258,11 +114,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1751271578, - "narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=", + "lastModified": 1726755586, + "narHash": "sha256-PmUr/2GQGvFTIJ6/Tvsins7Q43KTMvMFhvG6oaYK+Wk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df", + "rev": "c04d5652cfa9742b1d519688f65d1bbccea9eb7e", "type": "github" }, "original": { @@ -272,52 +128,59 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1725762081, + "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1725534445, + "narHash": "sha256-Yd0FK9SkWy+ZPuNqUgmVPXokxDgMJoGuNpMEtkfcf84=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9bb1e7571aadf31ddb4af77fc64b2d59580f9a39", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "disko": "disko", - "firefox-addons": "firefox-addons", - "flake-compat": "flake-compat", "home-manager": "home-manager", - "impermanence": "impermanence", - "lix-module": "lix-module", - "nix-darwin": "nix-darwin", - "nix-syncthing": "nix-syncthing", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", - "secrets": "secrets", - "sops-nix": "sops-nix", - "steam-fetcher": "steam-fetcher" - } - }, - "secrets": { - "flake": false, - "locked": { - "lastModified": 1749061163, - "narHash": "sha256-WflcbitH7ErNZBFqZCdy1ODUqKF51xbu2zYfqA35+1M=", - "ref": "refs/heads/main", - "rev": "1c5c059c0c7b6ce691993262fe10a2b63e1c31ba", - "revCount": 19, - "type": "git", - "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git" - }, - "original": { - "type": "git", - "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git" + "sops-nix": "sops-nix" } }, "sops-nix": { "inputs": { - "nixpkgs": [ - "nixpkgs" - ] + "nixpkgs": "nixpkgs_2", + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1751606940, - "narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=", + "lastModified": 1726524647, + "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d", + "rev": "e2d404a7ea599a013189aa42947f66cede0645c8", "type": "github" }, "original": { @@ -326,26 +189,6 @@ "type": "github" } }, - "steam-fetcher": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1714795926, - "narHash": "sha256-PkgC9jqoN6cJ8XYzTA2PlrWs7aPJkM3BGiTxNqax0cA=", - "owner": "nix-community", - "repo": "steam-fetcher", - "rev": "12f66eafb7862d91b3e30c14035f96a21941bd9c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "steam-fetcher", - "type": "github" - } - }, "systems": { "locked": { "lastModified": 1681028828, @@ -360,21 +203,6 @@ "repo": "default", "type": "github" } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 651a210..70992b0 100644 --- a/flake.nix +++ b/flake.nix @@ -5,176 +5,75 @@ # base packages nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - lix-module = { - url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + # encrypt files that contain secreats that I would like to not encrypt + sops-nix.url = "github:Mic92/sops-nix"; - # secret encryption - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - # self hosted repo of secrets file to further protect files in case of future encryption vulnerabilities - secrets = { - url = "git+ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git"; - flake = false; - }; - - # common config for syncthing - nix-syncthing = { - url = "git+https://git.jan-leila.com/jan-leila/nix-syncthing?ref=main"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - # disk configurations + # declairtive disk configuration disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; }; - # delete your darlings - impermanence = { - url = "github:nix-community/impermanence"; - }; - - nix-darwin = { - url = "github:LnL7/nix-darwin"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - # users home directories + # managment per user home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; - # firefox extensions - firefox-addons = { - url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + # repo of hardware configs for prebuilt systems + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; # vscode extensions nix-vscode-extensions = { url = "github:nix-community/nix-vscode-extensions"; inputs.nixpkgs.follows = "nixpkgs"; }; - - # pregenerated hardware configurations - nixos-hardware = { - url = "github:NixOS/nixos-hardware/master"; - }; - - # this is just here so that we have a lock on it for our dev shells - flake-compat = { - url = "github:edolstra/flake-compat"; - }; - - steam-fetcher = { - url = "github:nix-community/steam-fetcher"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; outputs = { self, nixpkgs, - sops-nix, - nix-syncthing, - home-manager, - impermanence, + disko, + nixos-hardware, ... } @ inputs: let - util = import ./util {inherit inputs;}; - forEachPkgs = util.forEachPkgs; - - mkNixosInstaller = util.mkNixosInstaller; - mkNixosSystem = util.mkNixosSystem; - mkDarwinSystem = util.mkDarwinSystem; - mkHome = util.mkHome; - syncthingConfiguration = util.syncthingConfiguration; - - installerSystems = { - basic = mkNixosInstaller "basic" []; - }; - - nixosSystems = { - horizon = mkNixosSystem "horizon"; - twilight = mkNixosSystem "twilight"; - defiant = mkNixosSystem "defiant"; - emergent = mkNixosSystem "emergent"; - }; - - darwinSystems = { - hesperium = mkDarwinSystem "hesperium"; - }; - - homeSystems = { - # stand alone home manager configurations here: - # name = mkHome "name" - }; - - systemsHomes = nixpkgs.lib.attrsets.mergeAttrsList ( - nixpkgs.lib.attrsets.mapAttrsToList (hostname: system: ( - nixpkgs.lib.attrsets.mapAttrs' (user: _: { - name = "${user}@${hostname}"; - value = mkHome { - user = user; - host = hostname; - system = system.pkgs.hostPlatform.system; - osConfig = system.config; - }; - }) - system.config.home-manager.users - )) - (nixosSystems // darwinSystems) - ); - - homeConfigurations = - systemsHomes - // homeSystems; + forEachSystem = nixpkgs.lib.genAttrs [ + "aarch64-darwin" + "aarch64-linux" + "x86_64-darwin" + "x86_64-linux" + ]; + forEachPkgs = lambda: forEachSystem (system: lambda nixpkgs.legacyPackages.${system}); in { - formatter = forEachPkgs (system: pkgs: pkgs.alejandra); + packages = forEachPkgs (pkgs: import ./pkgs {inherit pkgs;}); - # templates = import ./templates; - - devShells = forEachPkgs (system: pkgs: { - default = pkgs.mkShell { - packages = with pkgs; [ - # for version controlling this repo - git - # for formatting code in this repo - alejandra - # for editing secrets in the secrets repo - sops - # for viewing configuration options defined in this repo - nix-inspect - # for installing flakes from this repo onto other systems - nixos-anywhere - # for updating disko configurations - disko - # for viewing dconf entries - dconf-editor + nixosConfigurations = { + # Leyla Laptop + horizon = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs;}; + modules = [ + ./hosts/horizon/configuration.nix + inputs.home-manager.nixosModules.default + nixos-hardware.nixosModules.framework-11th-gen-intel ]; - - SOPS_AGE_KEY_DIRECTORY = import ./const/sops_age_key_directory.nix; - - shellHook = '' - git config core.hooksPath .hooks - ''; }; - }); - - installerConfigurations = installerSystems; - - nixosConfigurations = nixosSystems; - - darwinConfigurations = darwinSystems; - - homeConfigurations = homeConfigurations; - - syncthingConfiguration = syncthingConfiguration; + # Leyla Desktop + twilight = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs;}; + modules = [ + ./hosts/twilight/configuration.nix + inputs.home-manager.nixosModules.default + ]; + }; + # NAS Service + defiant = nixpkgs.lib.nixosSystem { + specialArgs = {inherit inputs;}; + modules = [ + disko.nixosModules.disko + ./hosts/defiant/disko-config.nix + ./hosts/defiant/configuration.nix + ]; + }; + }; }; } diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix new file mode 100644 index 0000000..ec5cf1d --- /dev/null +++ b/hosts/defiant/configuration.nix @@ -0,0 +1,65 @@ +# server nas +{ + config, + pkgs, + inputs, + ... +}: { + imports = [ + inputs.home-manager.nixosModules.default + inputs.sops-nix.nixosModules.sops + + ./hardware-configuration.nix + + ../../enviroments/server + ]; + + users.leyla.isThinUser = true; + + boot.loader.grub = { + enable = true; + zfsSupport = true; + efiSupport = true; + efiInstallAsRemovable = true; + }; + + domains = { + base_domain = "jan-leila.com"; + headscale.subdomain = "vpn"; + jellyfin.subdomain = "media"; + forgejo.subdomain = "git"; + }; + + services = { + zfs = { + autoScrub.enable = true; + autoSnapshot.enable = true; + }; + + # temp enable desktop enviroment for setup + # Enable the X11 windowing system. + xserver = { + enable = true; + + # Enable the GNOME Desktop Environment. + displayManager = { + gdm.enable = true; + }; + desktopManager = { + gnome.enable = true; + xterm.enable = false; + }; + + # Get rid of xTerm + excludePackages = [pkgs.xterm]; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.05"; # Did you read the comment? +} diff --git a/hosts/defiant/disko-config.nix b/hosts/defiant/disko-config.nix new file mode 100644 index 0000000..a913aeb --- /dev/null +++ b/hosts/defiant/disko-config.nix @@ -0,0 +1,136 @@ +{lib, ...}: let + bootDisk = devicePath: { + type = "disk"; + device = devicePath; + content = { + type = "gpt"; + + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + ESP = { + size = "1G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + }; + }; + }; + zfsDisk = devicePath: { + type = "disk"; + device = devicePath; + content = { + type = "gpt"; + partitions = { + zfs = { + size = "100%"; + content = { + type = "zfs"; + pool = "zroot"; + }; + }; + }; + }; + }; + cacheDisk = devicePath: swapSize: { + type = "disk"; + device = devicePath; + content = { + type = "gpt"; + partitions = { + encryptedSwap = { + size = swapSize; + content = { + type = "swap"; + randomEncryption = true; + discardPolicy = "both"; + resumeDevice = true; + }; + }; + zfs = { + size = "100%"; + content = { + type = "zfs"; + pool = "zroot"; + }; + }; + }; + }; + }; +in { + disko.devices = { + disk = { + boot = bootDisk "/dev/disk/by-path/pci-0000:23:00.3-usb-0:1:1.0-scsi-0:0:0:0"; + + hd_13_tb_a = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXVEB"; + hd_13_tb_b = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTCXWSC"; + hd_13_tb_c = zfsDisk "/dev/disk/by-id/ata-ST18000NE000-3G6101_ZVTD10EH"; + + # ssd_2_tb_a = cacheDisk "64G" "/dev/disk/by-id/XXX"; + }; + zpool = { + zroot = { + type = "zpool"; + mode = { + topology = { + type = "topology"; + vdev = [ + { + # should this only mirror for this inital config with 3 drives we will used raidz2 for future configs??? + mode = "mirror"; + members = [ + "hd_13_tb_a" + "hd_13_tb_b" + "hd_13_tb_c" + ]; + } + ]; + cache = []; + # cache = [ "ssd_2_tb_a" ]; + }; + }; + + options = { + ashift = "12"; + }; + + rootFsOptions = { + encryption = "on"; + keyformat = "hex"; + keylocation = "prompt"; + compression = "lz4"; + xattr = "sa"; + acltype = "posixacl"; + "com.sun:auto-snapshot" = "false"; + }; + + mountpoint = "/"; + postCreateHook = "zfs list -t snapshot -H -o name | grep -E '^zroot@blank$' || zfs snapshot zroot@blank"; + + datasets = { + "nix" = { + type = "zfs_fs"; + mountpoint = "/nix"; + }; + "home" = { + type = "zfs_fs"; + mountpoint = "/mnt/home"; + options = { + "com.sun:auto-snapshot" = "true"; + }; + }; + "var" = { + type = "zfs_fs"; + mountpoint = "/var"; + }; + }; + }; + }; + }; +} diff --git a/configurations/nixos/defiant/hardware-configuration.nix b/hosts/defiant/hardware-configuration.nix similarity index 54% rename from configurations/nixos/defiant/hardware-configuration.nix rename to hosts/defiant/hardware-configuration.nix index d4a638b..edfaeee 100644 --- a/configurations/nixos/defiant/hardware-configuration.nix +++ b/hosts/defiant/hardware-configuration.nix @@ -4,57 +4,79 @@ { config, lib, + pkgs, modulesPath, ... }: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") + ../hardware-common.nix ]; boot = { initrd = { - availableKernelModules = ["xhci_pci" "aacraid" "ahci" "usbhid" "nvme" "usb_storage" "sd_mod"]; + availableKernelModules = ["xhci_pci" "aacraid" "ahci" "usbhid" "usb_storage" "sd_mod"]; kernelModules = []; }; kernelModules = ["kvm-amd"]; extraModulePackages = []; - # Bootloader. - loader = { - systemd-boot.enable = true; - efi = { - canTouchEfiVariables = true; - efiSysMountPoint = "/boot"; - }; - }; supportedFilesystems = ["zfs"]; - zfs.extraPools = ["rpool"]; + zfs.extraPools = ["zroot"]; }; + swapDevices = []; + networking = { - hostName = "defiant"; # Define your hostname. hostId = "c51763d6"; + hostName = "defiant"; # Define your hostname. useNetworkd = true; }; systemd.network = { enable = true; - networks = { - "30-eno1" = { - matchConfig.Name = "eno1"; - networkConfig.Bond = "bond0"; + netdevs = { + "10-bond0" = { + netdevConfig = { + Kind = "bond"; + Name = "bond0"; + }; + bondConfig = { + Mode = "802.3ad"; + TransmitHashPolicy = "layer3+4"; + }; }; - "30-eno2" = { - matchConfig.Name = "eno2"; + }; + + networks = { + "30-enp4s0" = { + matchConfig.Name = "enp4s0"; networkConfig.Bond = "bond0"; + DHCP = "no"; + }; + "30-enp5s0" = { + matchConfig.Name = "enp5s0"; + networkConfig.Bond = "bond0"; + DHCP = "no"; + }; + + "40-bond0" = { + matchConfig.Name = "bond0"; + linkConfig.RequiredForOnline = "carrier"; + networkConfig.LinkLocalAddressing = "no"; + DHCP = "ipv4"; + + address = [ + # configure addresses including subnet mask + "192.168.1.10/24" + # TODO: ipv6 address configuration + ]; }; }; }; - networking.networkmanager.enable = true; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware = { # TODO: hardware graphics diff --git a/hosts/hardware-common.nix b/hosts/hardware-common.nix new file mode 100644 index 0000000..920d609 --- /dev/null +++ b/hosts/hardware-common.nix @@ -0,0 +1,15 @@ +{lib, ...}: { + options = { + hardware = { + piperMouse = { + enable = lib.mkEnableOption "host has a piper mouse"; + }; + viaKeyboard = { + enable = lib.mkEnableOption "host has a via keyboard"; + }; + openRGB = { + enable = lib.mkEnableOption "host has open rgb hardware"; + }; + }; + }; +} diff --git a/hosts/horizon/configuration.nix b/hosts/horizon/configuration.nix new file mode 100644 index 0000000..c83fcc6 --- /dev/null +++ b/hosts/horizon/configuration.nix @@ -0,0 +1,49 @@ +# leyla laptop +{ + config, + pkgs, + inputs, + ... +}: { + imports = [ + inputs.home-manager.nixosModules.default + inputs.sops-nix.nixosModules.sops + + ./hardware-configuration.nix + + ../../enviroments/client + ]; + + users = { + leyla.isFullUser = true; + ester.isFullUser = true; + eve.isFullUser = true; + }; + + # enabled virtualisation for docker + virtualisation.docker = { + enable = true; + rootless = { + enable = true; + setSocketVariable = true; + }; + }; + users.extraGroups.docker.members = ["leyla"]; + + # Enable touchpad support (enabled default in most desktopManager). + # services.xserver.libinput.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.05"; # Did you read the comment? +} diff --git a/hosts/horizon/hardware-configuration.nix b/hosts/horizon/hardware-configuration.nix new file mode 100644 index 0000000..1e203f3 --- /dev/null +++ b/hosts/horizon/hardware-configuration.nix @@ -0,0 +1,106 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ../hardware-common.nix + ]; + + boot = { + initrd = { + availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"]; + kernelModules = []; + }; + kernelModules = ["kvm-intel" "sg"]; + extraModulePackages = []; + + # Bootloader. + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/866d422b-f816-4ad9-9846-791839cb9337"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/disk/by-uuid/E138-65B5"; + fsType = "vfat"; + }; + + "/mnt/leyla_home" = { + device = "defiant:/home/leyla"; + fsType = "nfs"; + options = ["x-systemd.automount" "user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; + }; + + "/mnt/eve_home" = { + device = "defiant:/home/eve"; + fsType = "nfs"; + options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; + }; + + "/mnt/ester_home" = { + device = "defiant:/home/ester"; + fsType = "nfs"; + options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; + }; + + "/mnt/users_home" = { + device = "defiant:/home/users"; + fsType = "nfs"; + options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; + }; + + # "/mnt/legacy_leyla_home" = + # { + # device = "server.arpa:/home/leyla"; + # fsType = "nfs"; + # options = [ "x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc" ]; + # }; + + # "/mnt/legacy_share_home" = + # { + # device = "server.arpa:/home/share"; + # fsType = "nfs"; + # options = [ "x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc" ]; + # }; + + # "/mnt/legacy_docker_home" = + # { + # device = "server.arpa:/home/docker"; + # fsType = "nfs"; + # options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=600" ]; + # }; + }; + + services.cachefilesd.enable = true; + + swapDevices = [ + {device = "/dev/disk/by-uuid/be98e952-a072-4c3a-8c12-69500b5a2fff";} + ]; + + networking = { + useDHCP = lib.mkDefault true; + hostName = "horizon"; # Define your hostname. + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + + hardware = { + graphics.enable = true; + cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + }; +} diff --git a/configurations/nixos/twilight/monitors.nix b/hosts/twilight/configuration.nix similarity index 85% rename from configurations/nixos/twilight/monitors.nix rename to hosts/twilight/configuration.nix index 1308f50..6441e2a 100644 --- a/configurations/nixos/twilight/monitors.nix +++ b/hosts/twilight/configuration.nix @@ -1,4 +1,28 @@ -{pkgs, ...}: { +# leyla laptop +{ + config, + pkgs, + inputs, + ... +}: { + imports = [ + inputs.home-manager.nixosModules.default + inputs.sops-nix.nixosModules.sops + + ./hardware-configuration.nix + + ../../enviroments/client + ]; + + users = { + leyla = { + isFullUser = true; + hasGPU = true; + }; + ester.isFullUser = true; + eve.isFullUser = true; + }; + systemd.tmpfiles.rules = [ "L+ /run/gdm/.config/monitors.xml - - - - ${pkgs.writeText "gdm-monitors.xml" '' @@ -196,4 +220,18 @@ ''}" ]; + + # enabled virtualisation for docker + # virtualisation.docker.enable = true; + + # Enable touchpad support (enabled default in most desktopManager). + # services.xserver.libinput.enable = true; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.05"; # Did you read the comment? } diff --git a/hosts/twilight/hardware-configuration.nix b/hosts/twilight/hardware-configuration.nix new file mode 100644 index 0000000..b2f11ee --- /dev/null +++ b/hosts/twilight/hardware-configuration.nix @@ -0,0 +1,125 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ../hardware-common.nix + ]; + + boot = { + initrd = { + availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"]; + kernelModules = []; + }; + kernelModules = ["kvm-amd" "sg"]; + extraModulePackages = []; + + # Bootloader. + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + }; + + services.xserver = { + # Load nvidia driver for Xorg and Wayland + videoDrivers = ["nvidia"]; + + # Use X instead of wayland for gaming reasons + displayManager.gdm.wayland = false; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/8be49c65-2b57-48f1-b74d-244d26061adb"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/disk/by-uuid/3006-3867"; + fsType = "vfat"; + options = ["fmask=0022" "dmask=0022"]; + }; + + "/mnt/leyla_home" = { + device = "server.arpa:/home/leyla"; + fsType = "nfs"; + options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; + }; + + "/mnt/share_home" = { + device = "server.arpa:/home/share"; + fsType = "nfs"; + options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; + }; + + "/mnt/docker_home" = { + device = "server.arpa:/home/docker"; + fsType = "nfs"; + options = ["x-systemd.automount" "noauto" "x-systemd.idle-timeout=600"]; + }; + }; + + swapDevices = []; + + networking = { + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + useDHCP = lib.mkDefault true; + hostName = "twilight"; # Define your hostname. + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + + hardware = { + piperMouse.enable = true; + viaKeyboard.enable = true; + openRGB.enable = true; + + # Enable OpenGL + graphics.enable = true; + + # install graphics drivers + nvidia = { + # Modesetting is required. + modesetting.enable = true; + + # Nvidia power management. Experimental, and can cause sleep/suspend to fail. + # Enable this if you have graphical corruption issues or application crashes after waking + # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead + # of just the bare essentials. + powerManagement.enable = false; + + # Fine-grained power management. Turns off GPU when not in use. + # Experimental and only works on modern Nvidia GPUs (Turing or newer). + powerManagement.finegrained = false; + + # Use the NVidia open source kernel module (not to be confused with the + # independent third-party "nouveau" open source driver). + # Support is limited to the Turing and later architectures. Full list of + # supported GPUs is at: + # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus + # Only available from driver 515.43.04+ + # Currently alpha-quality/buggy, so false is currently the recommended setting. + open = false; + + # Enable the Nvidia settings menu, + # accessible via `nvidia-settings`. + nvidiaSettings = true; + + # Optionally, you may need to select the appropriate driver version for your specific GPU. + package = config.boot.kernelPackages.nvidiaPackages.production; + }; + + cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + }; +} diff --git a/install.sh b/install.sh index c77d748..882a935 100755 --- a/install.sh +++ b/install.sh @@ -39,7 +39,6 @@ if [ -z ${flake} ]; then exit 1; fi -# TODO: we might not need to copy the key over here anymore? temp=$(mktemp -d) # Function to cleanup temporary directory on exit cleanup() { @@ -52,4 +51,4 @@ mkdir -p $temp$SOPS_AGE_KEY_DIRECTORY cp -r $SOPS_AGE_KEY_DIRECTORY/* $temp$SOPS_AGE_KEY_DIRECTORY # commit number in this is because the main branch of nixos-anywhere is broken right now -nixos-anywhere --extra-files $temp --flake ".#$flake" ${user:-nixos}@$target +nix run github:nix-community/nixos-anywhere/b3b6bfebba35d55fba485ceda588984dec74c54f -- --extra-files $temp --flake ".#$flake" ${user:-nixos}@$target diff --git a/lint.sh b/lint.sh new file mode 100755 index 0000000..3fc29e9 --- /dev/null +++ b/lint.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +nix run git+https://github.com/kamadorueda/alejandra -- -q . diff --git a/modules/common-modules/default.nix b/modules/common-modules/default.nix deleted file mode 100644 index 3dd1923..0000000 --- a/modules/common-modules/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -# this folder is for modules that are common between nixos, home-manager, and darwin -{...}: { - imports = [ - ./overlays - ./pkgs - ]; -} diff --git a/modules/common-modules/overlays/default.nix b/modules/common-modules/overlays/default.nix deleted file mode 100644 index 1fab060..0000000 --- a/modules/common-modules/overlays/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -# this folder is for derivation overlays -{inputs, ...}: { - nixpkgs.overlays = [ - inputs.steam-fetcher.overlays.default - ]; -} diff --git a/modules/common-modules/pkgs/default.nix b/modules/common-modules/pkgs/default.nix deleted file mode 100644 index e955354..0000000 --- a/modules/common-modules/pkgs/default.nix +++ /dev/null @@ -1,23 +0,0 @@ -{pkgs, ...}: { - nixpkgs.overlays = [ - (final: prev: { - webtoon-dl = - pkgs.callPackage - ./webtoon-dl.nix - {}; - }) - # TODO: this package always needs to be called with the --in-process-gpu flag for some reason, can we automate that? - (final: prev: { - prostudiomasters = - pkgs.callPackage - ./prostudiomasters.nix - {}; - }) - (final: prev: { - noita_entangled_worlds = pkgs.callPackage ./noita-entangled-worlds.nix {}; - }) - (final: prev: { - gdx-liftoff = pkgs.callPackage ./gdx-liftoff.nix {}; - }) - ]; -} diff --git a/modules/common-modules/pkgs/gdx-liftoff.nix b/modules/common-modules/pkgs/gdx-liftoff.nix deleted file mode 100644 index d2e9424..0000000 --- a/modules/common-modules/pkgs/gdx-liftoff.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ - stdenv, - fetchurl, - makeWrapper, - jdk, - lib, - xorg, - libGL, - ... -}: -stdenv.mkDerivation rec { - pname = "gdx-liftoff"; - version = "1.13.5.1"; - - src = fetchurl { - url = "https://github.com/libgdx/gdx-liftoff/releases/download/v${version}/gdx-liftoff-${version}.jar"; - hash = "sha256-9vCXGNGwI/P4VmcdIzTv2GPAX8bZb7nkfopaRAf6yMA="; - }; - - dontUnpack = true; - - nativeBuildInputs = [makeWrapper]; - - runtimeDependencies = lib.makeLibraryPath [ - # glfw - libGL - xorg.libX11 - xorg.libXcursor - xorg.libXext - xorg.libXrandr - xorg.libXxf86vm - ]; - - installPhase = '' - runHook preInstall - - install -Dm644 $src $out/lib/gdx-liftoff-${version}.jar - - makeWrapper ${lib.getExe jdk} $out/bin/gdx-liftoff-${version} \ - --append-flags "-jar $out/lib/gdx-liftoff-${version}.jar"\ - ${lib.optionalString stdenv.hostPlatform.isLinux "--prefix LD_LIBRARY_PATH : ${runtimeDependencies}"} - runHook postInstall - ''; -} diff --git a/modules/common-modules/pkgs/noita-entangled-worlds.nix b/modules/common-modules/pkgs/noita-entangled-worlds.nix deleted file mode 100644 index 322ce41..0000000 --- a/modules/common-modules/pkgs/noita-entangled-worlds.nix +++ /dev/null @@ -1,46 +0,0 @@ -# not working yet -{ - pkgs, - rustPlatform, - fetchFromGitHub, - ... -}: let - version = "1.5.3"; - repo = fetchFromGitHub { - owner = "IntQuant"; - repo = "noita_entangled_worlds"; - rev = "v${version}"; - hash = "sha256-frrpD0aWTeDbZYtp15R+quUUAZf7OvHlbSLtGJJtAqk="; - }; -in - rustPlatform.buildRustPackage { - name = "noita-proxy-${version}"; - src = repo + "/noita-proxy"; - prePatch = '' - substituteInPlace Cargo.toml \ - --replace "path = \"../shared\"" "path = \"${repo + "/shared"}\"" - ''; - nativeBuildInputs = with pkgs; [ - pkg-config - python3 - cmake - ]; - buildInputs = with pkgs; [ - openssl - openssl.dev - libpulseaudio - libjack2 - alsa-lib - xorg.libxcb - xorg.libxcb.dev - libopus - ]; - propagatedBuildInputs = with pkgs; [ - steamworks-sdk-redist - ]; - runtimeDependencies = with pkgs; [ - steamworks-sdk-redist - ]; - doCheck = false; - cargoHash = "sha256-TzUS6d6PopgGf2i1yVaXaXdzNrvfSz+Gv67BAtxYmb4="; - } diff --git a/modules/common-modules/pkgs/prostudiomasters.nix b/modules/common-modules/pkgs/prostudiomasters.nix deleted file mode 100644 index c1c03fe..0000000 --- a/modules/common-modules/pkgs/prostudiomasters.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ - fetchurl, - appimageTools, -}: let - pname = "prostudiomasters"; - version = "2.5.6"; - src = fetchurl { - url = "https://download.prostudiomasters.com/linux/ProStudioMasters-${version}.AppImage"; - hash = "sha256-7owOwdcucFfl+JsVj+Seau2KOz0J4P/ep7WrBSNSmbs="; - }; -in - appimageTools.wrapType2 { - inherit pname version src; - } diff --git a/modules/common-modules/pkgs/webtoon-dl.nix b/modules/common-modules/pkgs/webtoon-dl.nix deleted file mode 100644 index 4341098..0000000 --- a/modules/common-modules/pkgs/webtoon-dl.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - buildGoModule, - fetchFromGitHub, - ... -}: -buildGoModule rec { - pname = "webtoon-dl"; - version = "0.0.10"; - - src = fetchFromGitHub { - owner = "robinovitch61"; - repo = "webtoon-dl"; - rev = "v${version}"; - hash = "sha256-geVb3LFPZxPQYARZnaqOr5sgaN6mqkEX5ZiLvg8mF5k="; - }; - - vendorHash = "sha256-NTqUygJ6b6kTnLUnJqxCo/URzaRouPLACEPi2Ob1s9w="; -} diff --git a/modules/darwin-modules/default.nix b/modules/darwin-modules/default.nix deleted file mode 100644 index 5f4447b..0000000 --- a/modules/darwin-modules/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -# this folder container modules that are for darwin only -{...}: { - imports = [ - ./home-manager - ./users.nix - ./system.nix - ]; -} diff --git a/modules/darwin-modules/home-manager/default.nix b/modules/darwin-modules/home-manager/default.nix deleted file mode 100644 index 1ebec5f..0000000 --- a/modules/darwin-modules/home-manager/default.nix +++ /dev/null @@ -1,2 +0,0 @@ -# modules in this folder are to adapt home-manager modules configs to darwin-module configs -{...}: {} diff --git a/modules/darwin-modules/system.nix b/modules/darwin-modules/system.nix deleted file mode 100644 index ee56162..0000000 --- a/modules/darwin-modules/system.nix +++ /dev/null @@ -1,27 +0,0 @@ -{self, ...}: { - system.configurationRevision = self.rev or self.dirtyRev or null; - - nix = { - gc = { - automatic = true; - interval = [ - { - Hour = 4; - Minute = 15; - Weekday = 7; - } - ]; - options = "--delete-older-than 7d"; - }; - optimise = { - automatic = true; - interval = [ - { - Hour = 4; - Minute = 15; - Weekday = 7; - } - ]; - }; - }; -} diff --git a/modules/darwin-modules/users.nix b/modules/darwin-modules/users.nix deleted file mode 100644 index 72fd1b1..0000000 --- a/modules/darwin-modules/users.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ - lib, - config, - ... -}: let - host = config.host; -in { - users = { - users = { - leyla = { - name = lib.mkForce host.users.leyla.name; - home = lib.mkForce "/home/${host.users.leyla.name}"; - }; - }; - }; -} diff --git a/modules/home-manager-modules/continue.nix b/modules/home-manager-modules/continue.nix deleted file mode 100644 index 20ec52b..0000000 --- a/modules/home-manager-modules/continue.nix +++ /dev/null @@ -1,73 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: let - ai-tooling-enabled = config.user.continue.enable && osConfig.host.ai.enable; -in { - options.user.continue = { - enable = lib.mkEnableOption "should continue be enabled on this machine"; - docs = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { - options = { - name = lib.mkOption { - type = lib.types.str; - default = name; - }; - startUrl = lib.mkOption { - type = lib.types.str; - }; - }; - })); - }; - context = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { - options = { - provider = lib.mkOption { - type = lib.types.str; - default = name; - }; - }; - })); - default = { - "code" = {}; - "docs" = {}; - "diff" = {}; - "terminal" = {}; - "problems" = {}; - "folder" = {}; - "codebase" = {}; - }; - }; - }; - - config = - lib.mkIf ai-tooling-enabled - (lib.mkMerge [ - { - home = { - file = { - ".continue/config.yaml".source = (pkgs.formats.yaml {}).generate "continue-config" { - name = "Assistant"; - version = "1.0.0"; - schema = "v1"; - models = lib.attrsets.attrValues osConfig.host.ai.models; - context = lib.attrsets.attrValues config.user.continue.context; - docs = lib.attrsets.attrValues config.user.continue.docs; - }; - }; - }; - } - (lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - ".continue/index" - ".continue/sessions" - ]; - allowOther = true; - }; - }) - ]); -} diff --git a/modules/home-manager-modules/default.nix b/modules/home-manager-modules/default.nix deleted file mode 100644 index f83f143..0000000 --- a/modules/home-manager-modules/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -# this folder container modules that are for home manager only -{...}: { - imports = [ - ./sops.nix - ./user.nix - ./flipperzero.nix - ./i18n.nix - ./openssh.nix - ./continue.nix - ./gnome.nix - ./programs - ]; -} diff --git a/modules/home-manager-modules/flipperzero.nix b/modules/home-manager-modules/flipperzero.nix deleted file mode 100644 index 6354bc0..0000000 --- a/modules/home-manager-modules/flipperzero.nix +++ /dev/null @@ -1,3 +0,0 @@ -{lib, ...}: { - options.hardware.flipperzero.enable = lib.mkEnableOption "enable flipperzero hardware"; -} diff --git a/modules/home-manager-modules/gnome.nix b/modules/home-manager-modules/gnome.nix deleted file mode 100644 index 8c70cf6..0000000 --- a/modules/home-manager-modules/gnome.nix +++ /dev/null @@ -1,106 +0,0 @@ -{ - lib, - config, - ... -}: { - options.gnome = { - extraWindowControls = lib.mkEnableOption "Should we add back in the minimize and maximize window controls?"; - clockFormat = lib.mkOption { - type = lib.types.enum [ - "12h" - "24h" - ]; - default = "24h"; - }; - colorScheme = lib.mkOption { - type = lib.types.enum [ - "default" - "prefer-dark" - "prefer-light" - ]; - default = "default"; - }; - accentColor = lib.mkOption { - type = lib.types.enum [ - "blue" - "teal" - "green" - "yellow" - "orange" - "red" - "pink" - "purple" - "slate" - ]; - default = "blue"; - }; - extensions = lib.mkOption { - type = lib.types.listOf lib.types.package; - default = []; - description = "The set of extensions to install and enable in the user environment."; - }; - hotkeys = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { - options = { - key = lib.mkOption { - type = lib.types.strMatching "[a-zA-Z0-9-]+"; - default = builtins.replaceStrings [" " "/" "_"] ["-" "-" "-"] name; - }; - name = lib.mkOption { - type = lib.types.str; - default = name; - }; - binding = lib.mkOption { - type = lib.types.str; - }; - command = lib.mkOption { - type = lib.types.str; - }; - }; - })); - default = {}; - }; - }; - - config = { - home.packages = config.gnome.extensions; - dconf = { - settings = lib.mkMerge [ - { - "org/gnome/shell" = { - disable-user-extensions = false; # enables user extensions - enabled-extensions = builtins.map (extension: extension.extensionUuid) config.gnome.extensions; - }; - - "org/gnome/desktop/wm/preferences".button-layout = lib.mkIf config.gnome.extraWindowControls ":minimize,maximize,close"; - - "org/gnome/desktop/interface".color-scheme = config.gnome.colorScheme; - "org/gnome/desktop/interface".accent-color = config.gnome.accentColor; - "org/gnome/desktop/interface".clock-format = config.gnome.clockFormat; - } - ( - lib.mkMerge ( - builtins.map (value: let - entry = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/${value.key}"; - in { - ${entry} = { - binding = value.binding; - command = value.command; - name = value.name; - }; - - "org/gnome/settings-daemon/plugins/media-keys" = { - custom-keybindings = [ - "/${entry}/" - ]; - }; - }) - ( - lib.attrsets.mapAttrsToList (_: value: value) config.gnome.hotkeys - ) - ) - ) - ]; - }; - }; -} diff --git a/modules/home-manager-modules/i18n.nix b/modules/home-manager-modules/i18n.nix deleted file mode 100644 index 2c93e59..0000000 --- a/modules/home-manager-modules/i18n.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ - lib, - config, - ... -}: { - options = { - i18n = { - defaultLocale = lib.mkOption { - type = lib.types.str; - default = "en_US.UTF-8"; - example = "nl_NL.UTF-8"; - description = '' - The default locale. It determines the language for program - messages, the format for dates and times, sort order, and so on. - It also determines the character set, such as UTF-8. - ''; - }; - - extraLocaleSettings = lib.mkOption { - type = lib.types.attrsOf lib.types.str; - default = {}; - example = { - LC_MESSAGES = "en_US.UTF-8"; - LC_TIME = "de_DE.UTF-8"; - }; - description = '' - A set of additional system-wide locale settings other than - `LANG` which can be configured with - {option}`i18n.defaultLocale`. - ''; - }; - }; - }; - - config = { - home.sessionVariables = - { - LANG = config.i18n.defaultLocale; - } - // config.i18n.extraLocaleSettings; - }; -} diff --git a/modules/home-manager-modules/openssh.nix b/modules/home-manager-modules/openssh.nix deleted file mode 100644 index c8ba22d..0000000 --- a/modules/home-manager-modules/openssh.nix +++ /dev/null @@ -1,102 +0,0 @@ -{ - pkgs, - config, - osConfig, - lib, - ... -}: { - options.programs.openssh = { - enable = lib.mkEnableOption "should we enable openssh"; - authorizedKeys = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - }; - hostKeys = lib.mkOption { - type = lib.types.listOf lib.types.attrs; - default = []; - example = [ - { - type = "rsa"; - bits = 4096; - path = "${config.home.username}_${osConfig.networking.hostName}_rsa"; - rounds = 100; - openSSHFormat = true; - } - { - type = "ed25519"; - path = "${config.home.username}_${osConfig.networking.hostName}_ed25519"; - rounds = 100; - comment = "key comment"; - } - ]; - description = '' - NixOS can automatically generate SSH host keys. This option - specifies the path, type and size of each key. See - {manpage}`ssh-keygen(1)` for supported types - and sizes. Paths are relative to home directory - ''; - }; - }; - - config = lib.mkIf config.programs.openssh.enable ( - lib.mkMerge [ - ( - lib.mkIf ((builtins.length config.programs.openssh.hostKeys) != 0) { - services.ssh-agent.enable = true; - programs.ssh = { - enable = true; - compression = true; - addKeysToAgent = "confirm"; - extraConfig = lib.strings.concatLines ( - builtins.map (hostKey: "IdentityFile ~/.ssh/${hostKey.path}") config.programs.openssh.hostKeys - ); - }; - - systemd.user.services = builtins.listToAttrs ( - builtins.map (hostKey: - lib.attrsets.nameValuePair "ssh-gen-keys-${hostKey.path}" { - Install = { - WantedBy = ["default.target"]; - }; - Service = let - path = "${config.home.homeDirectory}/.ssh/${hostKey.path}"; - in { - Restart = "always"; - Type = "simple"; - ExecStart = "${ - pkgs.writeShellScript "ssh-gen-keys" '' - if ! [ -s "${path}" ]; then - if ! [ -h "${path}" ]; then - rm -f "${path}" - fi - mkdir -p "$(dirname '${path}')" - chmod 0755 "$(dirname '${path}')" - ${pkgs.openssh}/bin/ssh-keygen \ - -t "${hostKey.type}" \ - ${lib.optionalString (hostKey ? bits) "-b ${toString hostKey.bits}"} \ - ${lib.optionalString (hostKey ? rounds) "-a ${toString hostKey.rounds}"} \ - ${lib.optionalString (hostKey ? comment) "-C '${hostKey.comment}'"} \ - ${lib.optionalString (hostKey ? openSSHFormat && hostKey.openSSHFormat) "-o"} \ - -f "${path}" \ - -N "" - chown ${config.home.username} ${path}* - chgrp ${config.home.username} ${path}* - fi - '' - }"; - }; - }) - config.programs.openssh.hostKeys - ); - } - ) - (lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - files = lib.lists.flatten ( - builtins.map (hostKey: [".ssh/${hostKey.path}" ".ssh/${hostKey.path}.pub"]) config.programs.openssh.hostKeys - ); - }; - }) - ] - ); -} diff --git a/modules/home-manager-modules/programs/anki.nix b/modules/home-manager-modules/programs/anki.nix deleted file mode 100644 index c2f93ea..0000000 --- a/modules/home-manager-modules/programs/anki.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - lib, - config, - osConfig, - ... -}: { - config = lib.mkIf (config.programs.anki.enable && osConfig.host.impermanence.enable) { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - "${config.xdg.dataHome}/Anki2/" - ]; - allowOther = true; - }; - }; -} diff --git a/modules/home-manager-modules/programs/bitwarden.nix b/modules/home-manager-modules/programs/bitwarden.nix deleted file mode 100644 index b9b91c4..0000000 --- a/modules/home-manager-modules/programs/bitwarden.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: { - options.programs.bitwarden = { - enable = lib.mkEnableOption "enable bitwarden"; - }; - - config = lib.mkIf config.programs.bitwarden.enable (lib.mkMerge [ - { - home.packages = with pkgs; [ - bitwarden - ]; - } - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - "${config.xdg.configHome}/Bitwarden" - ]; - allowOther = true; - }; - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/bruno.nix b/modules/home-manager-modules/programs/bruno.nix deleted file mode 100644 index 00b248f..0000000 --- a/modules/home-manager-modules/programs/bruno.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: { - options.programs.bruno = { - enable = lib.mkEnableOption "enable bruno"; - }; - - config = lib.mkIf config.programs.bruno.enable (lib.mkMerge [ - { - home.packages = with pkgs; [ - bruno - ]; - } - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - "${config.xdg.configHome}/bruno/" - ]; - allowOther = true; - }; - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/calibre.nix b/modules/home-manager-modules/programs/calibre.nix deleted file mode 100644 index 9e5f34e..0000000 --- a/modules/home-manager-modules/programs/calibre.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: { - options.programs.calibre = { - enable = lib.mkEnableOption "enable calibre"; - }; - - config = lib.mkIf config.programs.calibre.enable (lib.mkMerge [ - { - home.packages = with pkgs; [ - calibre - ]; - } - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - "${config.xdg.configHome}/calibre" - ]; - allowOther = true; - }; - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/dbeaver.nix b/modules/home-manager-modules/programs/dbeaver.nix deleted file mode 100644 index a962459..0000000 --- a/modules/home-manager-modules/programs/dbeaver.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: { - options.programs.dbeaver-bin = { - enable = lib.mkEnableOption "enable dbeaver"; - }; - - config = lib.mkIf config.programs.dbeaver-bin.enable (lib.mkMerge [ - { - home.packages = with pkgs; [ - dbeaver-bin - ]; - } - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - "${config.xdg.dataHome}/DBeaverData/" - ]; - allowOther = true; - }; - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/default.nix b/modules/home-manager-modules/programs/default.nix deleted file mode 100644 index ee52da2..0000000 --- a/modules/home-manager-modules/programs/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -{...}: { - imports = [ - ./firefox.nix - ./signal.nix - ./bitwarden.nix - ./makemkv.nix - ./obs.nix - ./anki.nix - ./qbittorrent.nix - ./discord.nix - ./obsidian.nix - ./prostudiomasters.nix - ./idea.nix - ./protonvpn.nix - ./calibre.nix - ./bruno.nix - ./dbeaver.nix - ./steam.nix - ]; -} diff --git a/modules/home-manager-modules/programs/discord.nix b/modules/home-manager-modules/programs/discord.nix deleted file mode 100644 index e8605a5..0000000 --- a/modules/home-manager-modules/programs/discord.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: { - options.programs.discord = { - enable = lib.mkEnableOption "enable discord"; - }; - - config = lib.mkIf config.programs.discord.enable (lib.mkMerge [ - { - home.packages = with pkgs; [ - discord - ]; - } - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - "${config.xdg.configHome}/discord/" - ]; - allowOther = true; - }; - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/firefox.nix b/modules/home-manager-modules/programs/firefox.nix deleted file mode 100644 index 907b619..0000000 --- a/modules/home-manager-modules/programs/firefox.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ - lib, - config, - osConfig, - ... -}: let - buildProfilePersistence = profile: { - directories = [ - ".mozilla/firefox/${profile}/extensions" - ]; - files = [ - ".mozilla/firefox/${profile}/cookies.sqlite" - ".mozilla/firefox/${profile}/favicons.sqlite" - # Permissions and ${profileName} levels for each site - ".mozilla/firefox/${profile}/permissions.sqlite" - ".mozilla/firefox/${profile}/content-prefs.sqlite" - # Browser history and bookmarks - ".mozilla/firefox/${profile}/places.sqlite" - # I guess this is useful? - # https://bugzilla.mozilla.org/show_bug.cgi?id=1511384 - # https://developer.mozilla.org/en-US/docs/Web/API/Storage_API/Storage_quotas_and_eviction_criteria - ".mozilla/firefox/${profile}/storage.sqlite" - # Extension configuration - ".mozilla/firefox/${profile}/extension-settings.json" - ]; - allowOther = true; - }; -in { - config = lib.mkIf (config.programs.firefox.enable && osConfig.host.impermanence.enable) { - home.persistence."/persist${config.home.homeDirectory}" = lib.mkMerge ( - ( - lib.attrsets.mapAttrsToList - (profile: _: buildProfilePersistence profile) - config.programs.firefox.profiles - ) - ++ ( - lib.lists.optional - ((builtins.length (lib.attrsets.mapAttrsToList (key: value: value) config.programs.firefox.profiles)) == 0) - (buildProfilePersistence "default") - ) - ); - }; -} diff --git a/modules/home-manager-modules/programs/idea.nix b/modules/home-manager-modules/programs/idea.nix deleted file mode 100644 index f0a928c..0000000 --- a/modules/home-manager-modules/programs/idea.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: { - options.programs.jetbrains.idea-community = { - enable = lib.mkEnableOption "enable idea-community"; - }; - - config = lib.mkIf config.programs.jetbrains.idea-community.enable (lib.mkMerge [ - { - home.packages = with pkgs; [ - jetbrains.idea-community - ]; - } - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - # configuration - "${config.xdg.configHome}/JetBrains/" - # plugins - "${config.xdg.dataHome}/JetBrains/" - # System and Logs - "${config.xdg.cacheHome}/JetBrains/" - ]; - }; - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/makemkv.nix b/modules/home-manager-modules/programs/makemkv.nix deleted file mode 100644 index eca059d..0000000 --- a/modules/home-manager-modules/programs/makemkv.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: { - options.programs.makemkv = { - enable = lib.mkEnableOption "enable makemkv"; - appKeyFile = lib.mkOption { - type = lib.types.str; - }; - destinationDir = lib.mkOption { - type = lib.types.str; - }; - }; - - config = lib.mkIf config.programs.makemkv.enable (lib.mkMerge [ - { - home.packages = with pkgs; [ - makemkv - ]; - - sops.templates."MakeMKV.settings.conf".content = '' - app_DestinationDir = "${config.programs.makemkv.destinationDir}" - app_DestinationType = "2" - app_Key = "${config.programs.makemkv.appKeyFile}" - ''; - - home.file.".MakeMKV/settings.conf".source = config.lib.file.mkOutOfStoreSymlink config.sops.templates."MakeMKV.settings.conf".path; - } - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - ".MakeMKV" - ]; - }; - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/obs.nix b/modules/home-manager-modules/programs/obs.nix deleted file mode 100644 index 98c4fea..0000000 --- a/modules/home-manager-modules/programs/obs.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ - lib, - config, - osConfig, - ... -}: { - config = lib.mkIf config.programs.obs-studio.enable (lib.mkMerge [ - ( - lib.mkIf osConfig.host.impermanence.enable { - # TODO: map impermanence for obs - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/obsidian.nix b/modules/home-manager-modules/programs/obsidian.nix deleted file mode 100644 index 4d28b3e..0000000 --- a/modules/home-manager-modules/programs/obsidian.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - lib, - config, - osConfig, - ... -}: { - config = lib.mkIf config.programs.obsidian.enable (lib.mkMerge [ - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - "${config.xdg.configHome}/obsidian" - ]; - }; - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/prostudiomasters.nix b/modules/home-manager-modules/programs/prostudiomasters.nix deleted file mode 100644 index 9e6088f..0000000 --- a/modules/home-manager-modules/programs/prostudiomasters.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: { - options.programs.prostudiomasters = { - enable = lib.mkEnableOption "enable prostudiomasters"; - }; - - config = lib.mkIf config.programs.prostudiomasters.enable (lib.mkMerge [ - { - home.packages = with pkgs; [ - prostudiomasters - ]; - } - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - "${config.xdg.configHome}/ProStudioMasters" - ]; - }; - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/protonvpn.nix b/modules/home-manager-modules/programs/protonvpn.nix deleted file mode 100644 index dd11aae..0000000 --- a/modules/home-manager-modules/programs/protonvpn.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: { - options.programs.protonvpn-gui = { - enable = lib.mkEnableOption "enable protonvpn"; - }; - - config = lib.mkIf config.programs.protonvpn-gui.enable (lib.mkMerge [ - { - home.packages = with pkgs; [ - protonvpn-gui - ]; - } - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - "${config.xdg.configHome}/protonvpn" - "${config.xdg.configHome}/Proton" - ]; - }; - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/qbittorrent.nix b/modules/home-manager-modules/programs/qbittorrent.nix deleted file mode 100644 index 02e23df..0000000 --- a/modules/home-manager-modules/programs/qbittorrent.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: { - options.programs.qbittorrent = { - enable = lib.mkEnableOption "enable qbittorrent"; - }; - - config = lib.mkIf config.programs.qbittorrent.enable (lib.mkMerge [ - { - home.packages = with pkgs; [ - qbittorrent - ]; - } - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - "${config.xdg.configHome}/qBittorrent" - ]; - }; - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/signal.nix b/modules/home-manager-modules/programs/signal.nix deleted file mode 100644 index fdf0af9..0000000 --- a/modules/home-manager-modules/programs/signal.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: { - options.programs.signal-desktop-bin = { - enable = lib.mkEnableOption "enable signal"; - }; - - config = lib.mkIf config.programs.signal-desktop-bin.enable (lib.mkMerge [ - { - home.packages = with pkgs; [ - signal-desktop-bin - ]; - } - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - "${config.xdg.configHome}/Signal" - ]; - }; - } - ) - ]); -} diff --git a/modules/home-manager-modules/programs/steam.nix b/modules/home-manager-modules/programs/steam.nix deleted file mode 100644 index 4661151..0000000 --- a/modules/home-manager-modules/programs/steam.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ - lib, - pkgs, - config, - osConfig, - ... -}: { - options.programs.steam = { - enable = lib.mkEnableOption "enable steam"; - }; - - config = lib.mkIf config.programs.steam.enable ( - lib.mkMerge [ - { - home.packages = with pkgs; [ - steam - steam.run - ]; - } - ( - lib.mkIf osConfig.host.impermanence.enable { - home.persistence."/persist${config.home.homeDirectory}" = { - directories = [ - { - directory = "${config.xdg.dataHome}/Steam"; - method = "symlink"; - } - ]; - allowOther = true; - }; - } - ) - ] - ); - - # TODO: bind impermanence config -} diff --git a/modules/home-manager-modules/sops.nix b/modules/home-manager-modules/sops.nix deleted file mode 100644 index 910fbb6..0000000 --- a/modules/home-manager-modules/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{...}: { - config = { - sops = { - age.keyFile = "/var/lib/sops-nix/key.txt"; - }; - }; -} diff --git a/modules/home-manager-modules/user.nix b/modules/home-manager-modules/user.nix deleted file mode 100644 index efce22d..0000000 --- a/modules/home-manager-modules/user.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ - lib, - config, - osConfig, - ... -}: { - options.user = { - isDesktopUser = lib.mkOption { - type = lib.types.bool; - default = osConfig.host.users.${config.home.username}.isDesktopUser; - }; - isTerminalUser = lib.mkOption { - type = lib.types.bool; - default = osConfig.host.users.${config.home.username}.isTerminalUser; - }; - }; -} diff --git a/modules/nixos-modules/ai.nix b/modules/nixos-modules/ai.nix deleted file mode 100644 index d8cd63d..0000000 --- a/modules/nixos-modules/ai.nix +++ /dev/null @@ -1,46 +0,0 @@ -{lib, ...}: { - options.host = { - ai = { - enable = lib.mkEnableOption "should we use AI on this machine"; - models = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { - options = { - name = lib.mkOption { - type = lib.types.str; - default = name; - }; - model = lib.mkOption { - type = lib.types.str; - }; - provider = lib.mkOption { - type = lib.types.str; - default = "ollama"; - }; - apiBase = lib.mkOption { - type = lib.types.str; - default = "http://localhost:11434"; - }; - roles = lib.mkOption { - type = lib.types.listOf (lib.types.enum [ - "chat" - "autocomplete" - "embed" - "rerank" - "edit" - "apply" - "summarize" - ]); - default = []; - }; - }; - })); - }; - default = {}; - }; - }; - - config = { - # TODO: configure ollama to download any modules listed in options.host.ai.models.{name}.model if options.host.ai.models.{name}.apiBase is localhost - # TODO: if we have any models that have a non localhost options.host.ai.models.{name}.apiBase then set services.ollama.enable to a lib.mkAfter true - }; -} diff --git a/modules/nixos-modules/default.nix b/modules/nixos-modules/default.nix deleted file mode 100644 index 2ba1a58..0000000 --- a/modules/nixos-modules/default.nix +++ /dev/null @@ -1,24 +0,0 @@ -# this folder container modules that are for nixos only -{...}: { - imports = [ - ./home-manager - ./system.nix - ./hardware.nix - ./users.nix - ./desktop.nix - ./ssh.nix - ./i18n.nix - ./sync.nix - ./impermanence.nix - ./disko.nix - ./ollama.nix - ./ai.nix - ./tailscale.nix - ./steam.nix - ./server - ]; - - nixpkgs.config.permittedInsecurePackages = [ - "dotnet-sdk-6.0.428" - ]; -} diff --git a/modules/nixos-modules/desktop.nix b/modules/nixos-modules/desktop.nix deleted file mode 100644 index 900aacf..0000000 --- a/modules/nixos-modules/desktop.nix +++ /dev/null @@ -1,74 +0,0 @@ -{ - lib, - pkgs, - config, - ... -}: { - options.host.desktop.enable = lib.mkEnableOption "should desktop configuration be enabled"; - - config = lib.mkMerge [ - { - host.desktop.enable = lib.mkDefault true; - } - (lib.mkIf config.host.desktop.enable { - environment.gnome.excludePackages = with pkgs; [ - xterm # default terminal - atomix # puzzle game - cheese # webcam tool - epiphany # web browser - geary # email reader - gedit # text editor - decibels # audio player - gnome-characters # character set viewer - gnome-music # music player - gnome-photos # photo viewer - gnome-logs # log viwer - gnome-maps # map viewer - gnome-tour # welcome tour - hitori # sudoku game - iagno # go game - tali # poker game - yelp # help viewer - ]; - services = { - # Enable CUPS to print documents. - printing.enable = true; - - xserver = { - # Enable the X11 windowing system. - enable = true; - - # Get rid of xTerm - desktopManager.xterm.enable = false; - }; - - # Enable the GNOME Desktop Environment. - displayManager.gdm.enable = true; - desktopManager.gnome.enable = true; - - pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - - # If you want to use JACK applications, uncomment this - #jack.enable = true; - - # use the example session manager (no others are packaged yet so this is enabled by default, - # no need to redefine it in your config for now) - #media-session.enable = true; - }; - automatic-timezoned = { - enable = true; - }; - - # Enable sound with pipewire. - pulseaudio.enable = false; - }; - - # enable RealtimeKit for pulse audio - security.rtkit.enable = true; - }) - ]; -} diff --git a/modules/nixos-modules/disko.nix b/modules/nixos-modules/disko.nix deleted file mode 100644 index 3d15498..0000000 --- a/modules/nixos-modules/disko.nix +++ /dev/null @@ -1,266 +0,0 @@ -{ - lib, - pkgs, - config, - inputs, - ... -}: let - # there currently is a bug with disko that causes long disk names to be generated improperly this hash function should alleviate it when used for disk names instead of what we are defaulting to - # max gpt length is 36 and disk adds formats it like disk-xxxx-zfs which means we need to be 9 characters under that - hashDisk = drive: (builtins.substring 0 27 (builtins.hashString "sha256" drive)); - - vdevs = - builtins.map ( - disks: - builtins.map (disk: lib.attrsets.nameValuePair (hashDisk disk) disk) disks - ) - config.host.storage.pool.vdevs; - cache = - builtins.map ( - disk: lib.attrsets.nameValuePair (hashDisk disk) disk - ) - config.host.storage.pool.cache; - - datasets = config.host.storage.pool.datasets // config.host.storage.pool.extraDatasets; -in { - options.host.storage = { - enable = lib.mkEnableOption "are we going create zfs disks with disko on this device"; - encryption = lib.mkEnableOption "is the vdev going to be encrypted"; - notifications = { - enable = lib.mkEnableOption "are notifications enabled"; - host = lib.mkOption { - type = lib.types.str; - description = "what is the host that we are going to send the email to"; - }; - port = lib.mkOption { - type = lib.types.port; - description = "what port is the host using to receive mail on"; - }; - to = lib.mkOption { - type = lib.types.str; - description = "what account is the email going to be sent to"; - }; - user = lib.mkOption { - type = lib.types.str; - description = "what user is the email going to be set from"; - }; - tokenFile = lib.mkOption { - type = lib.types.str; - description = "file containing the password to be used by msmtp for notifications"; - }; - }; - pool = { - mode = lib.mkOption { - type = lib.types.str; - default = "raidz2"; - description = "what level of redundancy should this pool have"; - }; - # list of drives in pool that will have a boot partition put onto them - bootDrives = lib.mkOption { - type = lib.types.listOf lib.types.str; - description = "list of disks that are going to have a boot partition installed on them"; - default = lib.lists.flatten config.host.storage.pool.vdevs; - }; - # shorthand for vdevs if you only have 1 vdev - drives = lib.mkOption { - type = lib.types.listOf lib.types.str; - description = "list of drives that are going to be in the vdev"; - default = []; - }; - # list of all drives in each vdev - vdevs = lib.mkOption { - type = lib.types.listOf (lib.types.listOf lib.types.str); - description = "list of disks that are going to be in"; - default = [config.host.storage.pool.drives]; - }; - # list of cache drives for pool - cache = lib.mkOption { - type = lib.types.listOf lib.types.str; - description = "list of drives that are going to be used as cache"; - default = []; - }; - # Default datasets that are needed to make a functioning system - datasets = lib.mkOption { - type = lib.types.attrsOf (inputs.disko.lib.subType { - types = {inherit (inputs.disko.lib.types) zfs_fs zfs_volume;}; - }); - default = { - "local" = { - type = "zfs_fs"; - options.canmount = "off"; - }; - # nix directory needs to be available pre persist and doesn't need to be snapshotted or backed up - "local/system/nix" = { - type = "zfs_fs"; - mountpoint = "/nix"; - options = { - atime = "off"; - relatime = "off"; - canmount = "on"; - }; - }; - # dataset for root that gets rolled back on every boot - "local/system/root" = { - type = "zfs_fs"; - mountpoint = "/"; - options = { - canmount = "on"; - }; - postCreateHook = '' - zfs snapshot rpool/local/system/root@blank - ''; - }; - }; - }; - extraDatasets = lib.mkOption { - type = lib.types.attrsOf (inputs.disko.lib.subType { - types = {inherit (inputs.disko.lib.types) zfs_fs zfs_volume;}; - }); - description = "List of datasets to define"; - default = {}; - }; - }; - }; - - config = lib.mkIf config.host.storage.enable { - programs.msmtp = lib.mkIf config.host.storage.notifications.enable { - enable = true; - setSendmail = true; - defaults = { - aliases = "/etc/aliases"; - port = config.host.storage.notifications.port; - tls_trust_file = "/etc/ssl/certs/ca-certificates.crt"; - tls = "on"; - auth = "login"; - tls_starttls = "off"; - }; - accounts = { - zfs_notifications = { - host = config.host.storage.notifications.host; - passwordeval = "cat ${config.host.storage.notifications.tokenFile}"; - user = config.host.storage.notifications.user; - from = config.host.storage.notifications.user; - }; - }; - }; - - services.zfs = { - autoScrub.enable = true; - autoSnapshot.enable = true; - - zed = lib.mkIf config.host.storage.notifications.enable { - # this option is broken we are just going to disable it - enableMail = false; - - settings = { - ZED_DEBUG_LOG = "/tmp/zed.debug.log"; - ZED_EMAIL_ADDR = [config.host.storage.notifications.to]; - ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp"; - ZED_EMAIL_OPTS = "@ADDRESS@"; - - ZED_NOTIFY_INTERVAL_SECS = 3600; - ZED_NOTIFY_VERBOSE = true; - - ZED_USE_ENCLOSURE_LEDS = true; - ZED_SCRUB_AFTER_RESILVER = true; - }; - }; - }; - - disko.devices = { - disk = ( - builtins.listToAttrs ( - builtins.map - (drive: - lib.attrsets.nameValuePair (drive.name) { - type = "disk"; - device = "/dev/disk/by-id/${drive.value}"; - content = { - type = "gpt"; - partitions = { - ESP = lib.mkIf (builtins.elem drive.value config.host.storage.pool.bootDrives) { - # The 2GB here for the boot partition might be a bit overkill we probably only need like 1/4th of that but storage is cheap - size = "2G"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = ["umask=0077"]; - }; - }; - zfs = { - size = "100%"; - content = { - type = "zfs"; - pool = "rpool"; - }; - }; - }; - }; - }) - ( - (lib.lists.flatten vdevs) ++ cache - ) - ) - ); - zpool = { - rpool = { - type = "zpool"; - mode = { - topology = { - type = "topology"; - vdev = ( - builtins.map (disks: { - mode = config.host.storage.pool.mode; - members = - builtins.map (disk: disk.name) disks; - }) - vdevs - ); - cache = builtins.map (disk: disk.name) cache; - }; - }; - - options = { - ashift = "12"; - autotrim = "on"; - }; - - rootFsOptions = - { - canmount = "off"; - mountpoint = "none"; - - xattr = "sa"; - acltype = "posixacl"; - relatime = "on"; - - compression = "lz4"; - - "com.sun:auto-snapshot" = "false"; - } - // ( - lib.attrsets.optionalAttrs config.host.storage.encryption { - encryption = "on"; - keyformat = "hex"; - keylocation = "prompt"; - } - ); - - datasets = lib.mkMerge [ - ( - lib.attrsets.mapAttrs (name: value: { - type = value.type; - options = value.options; - mountpoint = value.mountpoint; - postCreateHook = value.postCreateHook; - }) - datasets - ) - ]; - }; - }; - }; - }; -} diff --git a/modules/nixos-modules/hardware.nix b/modules/nixos-modules/hardware.nix deleted file mode 100644 index 07e6fa8..0000000 --- a/modules/nixos-modules/hardware.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: { - options.host.hardware = { - piperMouse = { - enable = lib.mkEnableOption "host has a piper mouse"; - }; - viaKeyboard = { - enable = lib.mkEnableOption "host has a via keyboard"; - }; - openRGB = { - enable = lib.mkEnableOption "host has open rgb hardware"; - }; - graphicsAcceleration = { - enable = lib.mkEnableOption "host has a gpu for graphical acceleration"; - }; - directAccess = { - enable = lib.mkEnableOption "can a host be used on its own"; - }; - }; - config = lib.mkMerge [ - (lib.mkIf config.host.hardware.piperMouse.enable { - services.ratbagd.enable = true; - }) - (lib.mkIf config.host.hardware.viaKeyboard.enable { - hardware.keyboard.qmk.enable = true; - - services.udev.packages = [pkgs.via]; - }) - ]; -} diff --git a/modules/nixos-modules/home-manager/default.nix b/modules/nixos-modules/home-manager/default.nix deleted file mode 100644 index 10f86c7..0000000 --- a/modules/nixos-modules/home-manager/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -# modules in this folder are to adapt home-manager modules configs to nixos-module configs -{...}: { - imports = [ - ./flipperzero.nix - ./i18n.nix - ./openssh.nix - ./steam.nix - ]; -} diff --git a/modules/nixos-modules/home-manager/flipperzero.nix b/modules/nixos-modules/home-manager/flipperzero.nix deleted file mode 100644 index 6c94773..0000000 --- a/modules/nixos-modules/home-manager/flipperzero.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ - lib, - config, - ... -}: let - home-users = lib.attrsets.mapAttrsToList (_: user: user) config.home-manager.users; -in { - hardware.flipperzero.enable = lib.lists.any (home-user: home-user.hardware.flipperzero.enable) home-users; -} diff --git a/modules/nixos-modules/home-manager/i18n.nix b/modules/nixos-modules/home-manager/i18n.nix deleted file mode 100644 index 78b86fa..0000000 --- a/modules/nixos-modules/home-manager/i18n.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - lib, - config, - ... -}: let - home-users = lib.attrsets.mapAttrsToList (_: user: user) config.home-manager.users; -in { - config = { - i18n.supportedLocales = - lib.unique - (builtins.map (l: (lib.replaceStrings ["utf8" "utf-8" "UTF8"] ["UTF-8" "UTF-8" "UTF-8"] l) + "/UTF-8") ( - [ - "C.UTF-8" - "en_US.UTF-8" - config.i18n.defaultLocale - ] - ++ (lib.attrValues (lib.filterAttrs (n: v: n != "LANGUAGE") config.i18n.extraLocaleSettings)) - ++ ( - map (user-config: user-config.i18n.defaultLocale) home-users - ) - ++ (lib.lists.flatten ( - map (user-config: lib.attrValues (lib.filterAttrs (n: v: n != "LANGUAGE") user-config.i18n.extraLocaleSettings)) home-users - )) - )); - }; -} diff --git a/modules/nixos-modules/home-manager/openssh.nix b/modules/nixos-modules/home-manager/openssh.nix deleted file mode 100644 index 31a785f..0000000 --- a/modules/nixos-modules/home-manager/openssh.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ - config, - lib, - ... -}: { - users.users = - lib.attrsets.mapAttrs (name: value: { - openssh.authorizedKeys.keys = value.programs.openssh.authorizedKeys; - }) - config.home-manager.users; -} diff --git a/modules/nixos-modules/home-manager/steam.nix b/modules/nixos-modules/home-manager/steam.nix deleted file mode 100644 index d151bca..0000000 --- a/modules/nixos-modules/home-manager/steam.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - lib, - config, - ... -}: let - setupSteam = - lib.lists.any - (value: value) - (lib.attrsets.mapAttrsToList (name: value: value.programs.steam.enable) config.home-manager.users); -in { - config = lib.mkIf setupSteam { - programs.steam = { - enable = true; - # TODO: figure out how to not install steam here - # package = lib.mkDefault pkgs.emptyFile; - }; - }; -} diff --git a/modules/nixos-modules/i18n.nix b/modules/nixos-modules/i18n.nix deleted file mode 100644 index eada12c..0000000 --- a/modules/nixos-modules/i18n.nix +++ /dev/null @@ -1,3 +0,0 @@ -{...}: { - i18n.defaultLocale = "en_IE.UTF-8"; -} diff --git a/modules/nixos-modules/impermanence.nix b/modules/nixos-modules/impermanence.nix deleted file mode 100644 index 7735e97..0000000 --- a/modules/nixos-modules/impermanence.nix +++ /dev/null @@ -1,100 +0,0 @@ -{ - config, - lib, - ... -}: { - options.host.impermanence.enable = lib.mkEnableOption "are we going to use impermanence on this device"; - - config = lib.mkMerge [ - { - assertions = [ - { - assertion = !(config.host.impermanence.enable && !config.host.storage.enable); - message = '' - Disko storage must be enabled to use impermanence. - ''; - } - ]; - } - ( - lib.mkIf config.host.impermanence.enable { - assertions = [ - { - assertion = config.host.impermanence.enable && config.host.storage.enable; - message = "Impermanence can not be used without managed host storage."; - } - ]; - - # fixes issues with /var/lib/private not having the correct permissions https://github.com/nix-community/impermanence/issues/254 - system.activationScripts."createPersistentStorageDirs".deps = ["var-lib-private-permissions" "users" "groups"]; - system.activationScripts = { - "var-lib-private-permissions" = { - deps = ["specialfs"]; - text = '' - mkdir -p /persist/system/root/var/lib/private - chmod 0700 /persist/system/root/var/lib/private - ''; - }; - }; - - programs.fuse.userAllowOther = true; - - boot.initrd.postResumeCommands = lib.mkAfter '' - zfs rollback -r rpool/local/system/root@blank - ''; - - fileSystems = { - "/".neededForBoot = true; - "/persist/system/root".neededForBoot = true; - "/persist/system/var/log".neededForBoot = true; - }; - - host.storage.pool.extraDatasets = { - # persist datasets are datasets that contain information that we would like to keep around - "persist" = { - type = "zfs_fs"; - options.canmount = "off"; - options = { - "com.sun:auto-snapshot" = "true"; - }; - }; - # this is where root data actually lives - "persist/system/root" = { - type = "zfs_fs"; - mountpoint = "/persist/system/root"; - }; - "persist/system/var/log" = { - type = "zfs_fs"; - mountpoint = "/persist/system/var/log"; - # logs should be append only so we shouldn't need to snapshot them - options = { - "com.sun:auto-snapshot" = "false"; - }; - }; - }; - - environment.persistence."/persist/system/var/log" = { - enable = true; - hideMounts = true; - directories = [ - "/var/log" - ]; - }; - - environment.persistence."/persist/system/root" = { - enable = true; - hideMounts = true; - directories = [ - "/var/lib/nixos" - "/var/lib/systemd/coredump" - ]; - files = [ - "/etc/machine-id" - ]; - }; - - security.sudo.extraConfig = "Defaults lecture=never"; - } - ) - ]; -} diff --git a/modules/nixos-modules/ollama.nix b/modules/nixos-modules/ollama.nix deleted file mode 100644 index 99819bf..0000000 --- a/modules/nixos-modules/ollama.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ - config, - lib, - ... -}: { - options = { - services.ollama.exposePort = lib.mkEnableOption "should we expose ollama on tailscale"; - }; - - config = lib.mkIf config.services.ollama.enable ( - lib.mkMerge [ - { - services.ollama = { - # TODO: these should match whats set in the users file - group = "ollama"; - user = "ollama"; - }; - } - (lib.mkIf config.services.ollama.exposePort (let - ports = [ - config.services.ollama.port - ]; - in { - services.ollama.host = "0.0.0.0"; - networking.firewall.interfaces.${config.services.tailscale.interfaceName} = { - allowedTCPPorts = ports; - allowedUDPPorts = ports; - }; - })) - (lib.mkIf config.host.impermanence.enable { - environment.persistence."/persist/system/root" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = "/var/lib/private/ollama"; - user = config.services.ollama.user; - group = config.services.ollama.group; - mode = "0700"; - } - ]; - }; - }) - ] - ); -} diff --git a/modules/nixos-modules/server/adguardhome.nix b/modules/nixos-modules/server/adguardhome.nix deleted file mode 100644 index 866ad8a..0000000 --- a/modules/nixos-modules/server/adguardhome.nix +++ /dev/null @@ -1,72 +0,0 @@ -{ - lib, - config, - ... -}: let - dnsPort = 53; -in { - options.host.adguardhome = { - enable = lib.mkEnableOption "should home-assistant be enabled on this computer"; - directory = lib.mkOption { - type = lib.types.str; - default = "/var/lib/AdGuardHome/"; - }; - }; - config = lib.mkIf config.host.adguardhome.enable (lib.mkMerge [ - { - services.adguardhome = { - enable = true; - mutableSettings = false; - settings = { - dns = { - bootstrap_dns = [ - "1.1.1.1" - "9.9.9.9" - ]; - upstream_dns = [ - "dns.quad9.net" - ]; - }; - filtering = { - protection_enabled = true; - filtering_enabled = true; - - parental_enabled = false; # Parental control-based DNS requests filtering. - safe_search = { - enabled = false; # Enforcing "Safe search" option for search engines, when possible. - }; - }; - # The following notation uses map - # to not have to manually create {enabled = true; url = "";} for every filter - # This is, however, fully optional - filters = - map (url: { - enabled = true; - url = url; - }) [ - "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt" - "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites - "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist - ]; - }; - }; - - networking.firewall.allowedTCPPorts = [ - dnsPort - ]; - } - (lib.mkIf config.host.impermanence.enable { - environment.persistence."/persist/system/root" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = config.host.adguardhome.directory; - user = "adguardhome"; - group = "adguardhome"; - } - ]; - }; - }) - ]); -} diff --git a/modules/nixos-modules/server/default.nix b/modules/nixos-modules/server/default.nix deleted file mode 100644 index 7beee8b..0000000 --- a/modules/nixos-modules/server/default.nix +++ /dev/null @@ -1,16 +0,0 @@ -{...}: { - imports = [ - ./fail2ban.nix - ./network_storage - ./reverse_proxy.nix - ./postgres.nix - ./podman.nix - ./jellyfin.nix - ./forgejo.nix - ./searx.nix - ./virt-home-assistant.nix - ./adguardhome.nix - ./immich.nix - ./qbittorent.nix - ]; -} diff --git a/modules/nixos-modules/server/fail2ban.nix b/modules/nixos-modules/server/fail2ban.nix deleted file mode 100644 index be83e6f..0000000 --- a/modules/nixos-modules/server/fail2ban.nix +++ /dev/null @@ -1,98 +0,0 @@ -{ - lib, - pkgs, - config, - ... -}: let - dataFolder = "/var/lib/fail2ban"; - dataFile = "fail2ban.sqlite3"; -in { - config = lib.mkIf config.services.fail2ban.enable (lib.mkMerge [ - { - environment.etc = { - "fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable ( - pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - [Definition] - failregex = "limiting requests, excess:.* by zone.*client: " - '') - ); - # "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable ( - # pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - # [INCLUDES] - # before = common.conf - - # [Definition] - # failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from .*$ - - # ignoreregex = - - # [Init] - # datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S - # '') - # ); - }; - - services.fail2ban = { - maxretry = 5; - ignoreIP = [ - # Whitelist local networks - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" - - # tail scale tailnet - "100.64.0.0/10" - "fd7a:115c:a1e0::/48" - ]; - bantime = "24h"; # Ban IPs for one day on the first ban - bantime-increment = { - enable = true; # Enable increment of bantime after each violation - formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; - maxtime = "168h"; # Do not ban for more than 1 week - overalljails = true; # Calculate the ban time based on all the violations - }; - jails = { - nginx-iptables.settings = lib.mkIf config.services.nginx.enable { - enabled = true; - filter = "nginx"; - action = ''iptables-multiport[name=HTTP, port="http,https"]''; - backend = "auto"; - findtime = 600; - bantime = 600; - maxretry = 5; - }; - # home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable { - # enabled = true; - # filter = "hass"; - # action = ''iptables-multiport[name=HTTP, port="http,https"]''; - # logpath = "${config.services.home-assistant.configDir}/*.log"; - # backend = "auto"; - # findtime = 600; - # bantime = 600; - # maxretry = 5; - # }; - # TODO; figure out if there is any fail2ban things we can do on searx - # searx-iptables.settings = lib.mkIf config.services.searx.enable {}; - }; - }; - } - (lib.mkIf config.host.impermanence.enable { - assertions = [ - { - assertion = config.services.fail2ban.daemonSettings.Definition.dbfile == "${dataFolder}/${dataFile}"; - message = "fail2ban data file does not match persistence"; - } - ]; - - environment.persistence."/persist/system/root" = { - directories = [ - { - directory = dataFolder; - user = "fail2ban"; - group = "fail2ban"; - } - ]; - }; - }) - ]); -} diff --git a/modules/nixos-modules/server/forgejo.nix b/modules/nixos-modules/server/forgejo.nix deleted file mode 100644 index 40a5303..0000000 --- a/modules/nixos-modules/server/forgejo.nix +++ /dev/null @@ -1,112 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: let - forgejoPort = 8081; - stateDir = "/var/lib/forgejo"; - db_user = "forgejo"; - sshPort = 22222; -in { - options.services.forgejo = { - subdomain = lib.mkOption { - type = lib.types.str; - description = "subdomain of base domain that forgejo will be hosted at"; - default = "forgejo"; - }; - }; - - config = lib.mkIf config.services.forgejo.enable (lib.mkMerge [ - { - host = { - reverse_proxy.subdomains.${config.services.forgejo.subdomain} = { - target = "http://localhost:${toString forgejoPort}"; - }; - postgres = { - enable = true; - extraUsers = { - ${db_user} = { - isClient = true; - }; - }; - }; - }; - - services.forgejo = { - database = { - type = "postgres"; - socket = "/run/postgresql"; - }; - lfs.enable = true; - settings = { - server = { - DOMAIN = "${config.services.forgejo.subdomain}.${config.host.reverse_proxy.hostname}"; - HTTP_PORT = forgejoPort; - START_SSH_SERVER = true; - SSH_LISTEN_PORT = sshPort; - SSH_PORT = 22; - BUILTIN_SSH_SERVER_USER = config.users.users.git.name; - ROOT_URL = "https://git.jan-leila.com"; - }; - service = { - DISABLE_REGISTRATION = true; - }; - database = { - DB_TYPE = "postgres"; - NAME = db_user; - USER = db_user; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ - config.services.forgejo.settings.server.SSH_LISTEN_PORT - ]; - } - (lib.mkIf config.services.fail2ban.enable { - environment.etc = { - "fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable ( - pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - [Definition] - failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from " - '') - ); - }; - - services.fail2ban = { - jails = { - forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable { - enabled = true; - filter = "forgejo"; - action = ''iptables-multiport[name=HTTP, port="http,https"]''; - logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log"; - backend = "auto"; - findtime = 600; - bantime = 600; - maxretry = 5; - }; - }; - }; - }) - (lib.mkIf config.host.impermanence.enable { - assertions = [ - { - assertion = config.services.forgejo.stateDir == stateDir; - message = "forgejo state directory does not match persistence"; - } - ]; - environment.persistence."/persist/system/root" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = stateDir; - user = "forgejo"; - group = "forgejo"; - } - ]; - }; - }) - ]); -} diff --git a/modules/nixos-modules/server/home-assistant.nix b/modules/nixos-modules/server/home-assistant.nix deleted file mode 100644 index a90bd6d..0000000 --- a/modules/nixos-modules/server/home-assistant.nix +++ /dev/null @@ -1,130 +0,0 @@ -{ - lib, - config, - inputs, - ... -}: let - configDir = "/var/lib/hass"; -in { - options.host.home-assistant = { - enable = lib.mkEnableOption "should home-assistant be enabled on this computer"; - subdomain = lib.mkOption { - type = lib.types.str; - description = "subdomain of base domain that home-assistant will be hosted at"; - default = "home-assistant"; - }; - }; - - config = lib.mkIf config.host.home-assistant.enable (lib.mkMerge [ - { - virtualisation.libvirt = { - swtpm.enable = true; - connections."qemu:///session" = { - networks = [ - { - definition = inputs.nix-virt.lib.network.writeXML (inputs.nix-virt.lib.network.templates.bridge - { - uuid = "d57e37e2-311f-4e5c-a484-97c2210c2770"; - subnet_byte = 71; - }); - active = true; - } - ]; - domains = [ - { - definition = inputs.nix-virt.lib.domain.writeXML (inputs.nix-virt.lib.domain.templates.linux - { - name = "Home Assistant"; - uuid = "c5cc0efc-6101-4c1d-be31-acbba203ccde"; - memory = { - count = 4; - unit = "GiB"; - }; - # storage_vol = { - # pool = "MyPool"; - # volume = "Penguin.qcow2"; - # }; - }); - } - ]; - }; - }; - - # systemd.tmpfiles.rules = [ - # "f ${config.services.home-assistant.configDir}/automations.yaml 0755 hass hass" - # ]; - # services.home-assistant = { - # enable = true; - # configDir = configDir; - # extraComponents = [ - # "met" - # "radio_browser" - # "isal" - # "zha" - # "jellyfin" - # "webostv" - # "tailscale" - # "syncthing" - # "sonos" - # "analytics_insights" - # "unifi" - # "openweathermap" - # ]; - # config = { - # http = { - # server_port = 8082; - # use_x_forwarded_for = true; - # trusted_proxies = ["127.0.0.1" "::1"]; - # ip_ban_enabled = true; - # login_attempts_threshold = 10; - # }; - # # recorder.db_url = "postgresql://@/${db_user}"; - # "automation manual" = []; - # "automation ui" = "!include automations.yaml"; - # }; - # extraPackages = python3Packages: - # with python3Packages; [ - # hassil - # numpy - # gtts - # ]; - # }; - # host = { - # reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = { - # target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}"; - - # websockets.enable = true; - # forwardHeaders.enable = true; - - # extraConfig = '' - # add_header Upgrade $http_upgrade; - # add_header Connection \"upgrade\"; - - # proxy_buffering off; - - # proxy_read_timeout 90; - # ''; - # }; - # }; - } - (lib.mkIf config.host.impermanence.enable { - # assertions = [ - # { - # assertion = config.services.home-assistant.configDir == configDir; - # message = "home assistant config directory does not match persistence"; - # } - # ]; - # environment.persistence."/persist/system/root" = { - # enable = true; - # hideMounts = true; - # directories = [ - # { - # directory = configDir; - # user = "hass"; - # group = "hass"; - # } - # ]; - # }; - }) - ]); -} diff --git a/modules/nixos-modules/server/immich.nix b/modules/nixos-modules/server/immich.nix deleted file mode 100644 index e7088a9..0000000 --- a/modules/nixos-modules/server/immich.nix +++ /dev/null @@ -1,95 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: let - mediaLocation = "/var/lib/immich"; -in { - options.services.immich = { - subdomain = lib.mkOption { - type = lib.types.str; - description = "subdomain of base domain that immich will be hosted at"; - default = "immich"; - }; - }; - - config = lib.mkIf config.services.immich.enable (lib.mkMerge [ - { - host = { - reverse_proxy.subdomains.${config.services.immich.subdomain} = { - target = "http://localhost:${toString config.services.immich.port}"; - - websockets.enable = true; - forwardHeaders.enable = true; - - extraConfig = '' - # allow large file uploads - client_max_body_size 50000M; - - # set timeout - proxy_read_timeout 600s; - proxy_send_timeout 600s; - send_timeout 600s; - proxy_redirect off; - ''; - }; - postgres = { - enable = true; - extraUsers = { - ${config.services.immich.database.user} = { - isClient = true; - }; - }; - }; - }; - - networking.firewall.interfaces.${config.services.tailscale.interfaceName} = { - allowedUDPPorts = [ - config.services.immich.port - ]; - allowedTCPPorts = [ - config.services.immich.port - ]; - }; - } - (lib.mkIf config.services.fail2ban.enable { - environment.etc = { - "fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable ( - pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - [Definition] - failregex = immich-server.*Failed login attempt for user.+from ip address\s? - journalmatch = CONTAINER_TAG=immich-server - '') - ); - }; - - services.fail2ban = { - jails = { - immich-iptables.settings = lib.mkIf config.services.immich.enable { - enabled = true; - filter = "immich"; - backend = "systemd"; - }; - }; - }; - }) - (lib.mkIf config.host.impermanence.enable { - assertions = [ - { - assertion = config.services.immich.mediaLocation == mediaLocation; - message = "immich media location does not match persistence"; - } - ]; - environment.persistence."/persist/system/root" = { - directories = [ - { - directory = mediaLocation; - user = "immich"; - group = "immich"; - } - ]; - }; - }) - ]); -} diff --git a/modules/nixos-modules/server/jellyfin.nix b/modules/nixos-modules/server/jellyfin.nix deleted file mode 100644 index a8bbe71..0000000 --- a/modules/nixos-modules/server/jellyfin.nix +++ /dev/null @@ -1,140 +0,0 @@ -{ - lib, - pkgs, - config, - ... -}: let - jellyfinPort = 8096; - dlanPort = 1900; - jellyfin_data_directory = "/var/lib/jellyfin"; - jellyfin_cache_directory = "/var/cache/jellyfin"; -in { - options.services.jellyfin = { - subdomain = lib.mkOption { - type = lib.types.str; - description = "subdomain of base domain that jellyfin will be hosted at"; - default = "jellyfin"; - }; - extraSubdomains = lib.mkOption { - type = lib.types.listOf lib.types.str; - description = "ex subdomain of base domain that jellyfin will be hosted at"; - default = []; - }; - media_directory = lib.mkOption { - type = lib.types.str; - description = "directory jellyfin media will be hosted at"; - default = "/srv/jellyfin/media"; - }; - }; - - config = lib.mkIf config.services.jellyfin.enable ( - lib.mkMerge [ - { - host.reverse_proxy.subdomains.jellyfin = { - target = "http://localhost:${toString jellyfinPort}"; - - subdomain = config.services.jellyfin.subdomain; - extraSubdomains = config.services.jellyfin.extraSubdomains; - - forwardHeaders.enable = true; - - extraConfig = '' - client_max_body_size 20M; - add_header X-Content-Type-Options "nosniff"; - - proxy_buffering off; - ''; - }; - environment.systemPackages = [ - pkgs.jellyfin - pkgs.jellyfin-web - pkgs.jellyfin-ffmpeg - ]; - - networking.firewall.allowedTCPPorts = [jellyfinPort dlanPort]; - } - (lib.mkIf config.services.fail2ban.enable { - environment.etc = { - "fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable ( - pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - [Definition] - failregex = "^.*Authentication request for .* has been denied \\\(IP: \"\"\\\)\\\." - '') - ); - }; - - services.fail2ban = { - jails = { - jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable { - enabled = true; - filter = "jellyfin"; - action = ''iptables-multiport[name=HTTP, port="http,https"]''; - logpath = "${config.services.jellyfin.dataDir}/log/*.log"; - backend = "auto"; - findtime = 600; - bantime = 600; - maxretry = 5; - }; - }; - }; - }) - (lib.mkIf config.host.impermanence.enable { - fileSystems."/persist/system/jellyfin".neededForBoot = true; - - host.storage.pool.extraDatasets = { - # sops age key needs to be available to pre persist for user generation - "persist/system/jellyfin" = { - type = "zfs_fs"; - mountpoint = "/persist/system/jellyfin"; - options = { - atime = "off"; - relatime = "off"; - canmount = "on"; - }; - }; - }; - - assertions = [ - { - assertion = config.services.jellyfin.dataDir == jellyfin_data_directory; - message = "jellyfin data directory does not match persistence"; - } - { - assertion = config.services.jellyfin.cacheDir == jellyfin_cache_directory; - message = "jellyfin cache directory does not match persistence"; - } - ]; - - environment.persistence = { - "/persist/system/root" = { - directories = [ - { - directory = jellyfin_data_directory; - user = "jellyfin"; - group = "jellyfin"; - } - { - directory = jellyfin_cache_directory; - user = "jellyfin"; - group = "jellyfin"; - } - ]; - }; - - "/persist/system/jellyfin" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = config.services.jellyfin.media_directory; - user = "jellyfin"; - group = "jellyfin_media"; - mode = "1770"; - } - ]; - }; - }; - }) - ] - ); -} diff --git a/modules/nixos-modules/server/network_storage/default.nix b/modules/nixos-modules/server/network_storage/default.nix deleted file mode 100644 index 00ea7ac..0000000 --- a/modules/nixos-modules/server/network_storage/default.nix +++ /dev/null @@ -1,90 +0,0 @@ -{ - config, - lib, - ... -}: let - export_directory = config.host.network_storage.export_directory; -in { - imports = [ - ./nfs.nix - ]; - - options = { - host.network_storage = { - enable = lib.mkEnableOption "is this machine going to export network storage"; - export_directory = lib.mkOption { - type = lib.types.path; - description = "what are exports going to be stored in"; - default = "/export"; - }; - directories = lib.mkOption { - type = lib.types.listOf (lib.types.submodule ({config, ...}: { - options = { - folder = lib.mkOption { - type = lib.types.str; - description = "what is the name of this export directory"; - }; - bind = lib.mkOption { - type = lib.types.nullOr lib.types.path; - description = "is this directory bound to anywhere"; - default = null; - }; - user = lib.mkOption { - type = lib.types.str; - description = "what user owns this directory"; - default = "nouser"; - }; - group = lib.mkOption { - type = lib.types.str; - description = "what group owns this directory"; - default = "nogroup"; - }; - _directory = lib.mkOption { - internal = true; - readOnly = true; - type = lib.types.path; - default = "${export_directory}/${config.folder}"; - }; - }; - })); - description = "list of directory names to export"; - }; - }; - }; - - config = lib.mkIf config.host.network_storage.enable (lib.mkMerge [ - { - # create any folders that we need to have for our exports - systemd.tmpfiles.rules = - [ - "d ${config.host.network_storage.export_directory} 2775 nobody nogroup -" - ] - ++ ( - builtins.map ( - directory: "d ${directory._directory} 2770 ${directory.user} ${directory.group}" - ) - config.host.network_storage.directories - ); - - # set up any bind mounts that we need for our exports - fileSystems = builtins.listToAttrs ( - builtins.map (directory: - lib.attrsets.nameValuePair directory._directory { - device = directory.bind; - options = ["bind"]; - }) ( - builtins.filter (directory: directory.bind != null) config.host.network_storage.directories - ) - ); - } - # (lib.mkIf config.host.impermanence.enable { - # environment.persistence."/persist/system/root" = { - # enable = true; - # hideMounts = true; - # directories = [ - # config.host.network_storage.export_directory - # ]; - # }; - # }) - ]); -} diff --git a/modules/nixos-modules/server/network_storage/nfs.nix b/modules/nixos-modules/server/network_storage/nfs.nix deleted file mode 100644 index bad0452..0000000 --- a/modules/nixos-modules/server/network_storage/nfs.nix +++ /dev/null @@ -1,103 +0,0 @@ -{ - config, - lib, - ... -}: { - options = { - host.network_storage.nfs = { - enable = lib.mkEnableOption "is this server going to export network storage as nfs shares"; - port = lib.mkOption { - type = lib.types.int; - default = 2049; - description = "port that nfs will run on"; - }; - directories = lib.mkOption { - type = lib.types.listOf ( - lib.types.enum ( - builtins.map ( - directory: directory.folder - ) - config.host.network_storage.directories - ) - ); - description = "list of exported directories to be exported via nfs"; - }; - }; - }; - config = lib.mkMerge [ - { - assertions = [ - { - assertion = !(config.host.network_storage.nfs.enable && !config.host.network_storage.enable); - message = "nfs cant be enabled with network storage disabled"; - } - ]; - } - ( - lib.mkIf (config.host.network_storage.nfs.enable && config.host.network_storage.enable) { - services.nfs = { - settings = { - nfsd = { - threads = 32; - port = config.host.network_storage.nfs.port; - }; - }; - server = { - enable = true; - - lockdPort = 4001; - mountdPort = 4002; - statdPort = 4000; - - exports = lib.strings.concatLines ( - [ - "${config.host.network_storage.export_directory} 100.64.0.0/10(rw,fsid=0,no_subtree_check)" - ] - ++ ( - lib.lists.imap0 ( - i: directory: let - createOptions = fsid: "(rw,fsid=${toString fsid},nohide,insecure,no_subtree_check)"; - addresses = [ - # loopback - "127.0.0.1" - "::1" - # local network - # "192.168.0.0/24" - # tailscale - "100.64.0.0/10" - "fd7a:115c:a1e0::/48" - ]; - options = lib.strings.concatStrings ( - lib.strings.intersperse " " ( - lib.lists.imap0 (index: address: "${address}${createOptions (1 + (i * (builtins.length addresses)) + index)}") addresses - ) - ); - in "${directory._directory} ${options}" - ) - ( - builtins.filter ( - directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories - ) - config.host.network_storage.directories - ) - ) - ); - }; - }; - networking.firewall.interfaces.${config.services.tailscale.interfaceName} = let - ports = [ - 111 - config.host.network_storage.nfs.port - config.services.nfs.server.lockdPort - config.services.nfs.server.mountdPort - config.services.nfs.server.statdPort - 20048 - ]; - in { - allowedTCPPorts = ports; - allowedUDPPorts = ports; - }; - } - ) - ]; -} diff --git a/modules/nixos-modules/server/podman.nix b/modules/nixos-modules/server/podman.nix deleted file mode 100644 index e806e65..0000000 --- a/modules/nixos-modules/server/podman.nix +++ /dev/null @@ -1,73 +0,0 @@ -{ - lib, - config, - ... -}: { - options.host.podman = { - enable = lib.mkEnableOption "should home-assistant be enabled on this computer"; - macvlan = { - subnet = lib.mkOption { - type = lib.types.str; - description = "Subnet for macvlan address range"; - }; - gateway = lib.mkOption { - type = lib.types.str; - description = "Gateway for macvlan"; - # TODO: see if we can default this to systemd network gateway - }; - networkInterface = lib.mkOption { - type = lib.types.str; - description = "Parent network interface for macvlan"; - # TODO: see if we can default this some interface? - }; - }; - }; - config = lib.mkIf config.host.podman.enable { - systemd = { - services = { - # "podman-network-macvlan" = { - # path = [pkgs.podman]; - # serviceConfig = { - # Type = "oneshot"; - # RemainAfterExit = true; - # ExecStop = "podman network rm -f macvlan"; - # }; - # script = '' - # podman network inspect macvlan || podman network create --driver macvlan --subnet ${config.host.podman.macvlan.subnet} --gateway ${config.host.podman.macvlan.gateway} --opt parent=${config.host.podman.macvlan.networkInterface} macvlan - # ''; - # partOf = ["podman-compose-root.target"]; - # wantedBy = ["podman-compose-root.target"]; - # }; - }; - # disable computer sleeping - targets = { - # Root service - # When started, this will automatically create all resources and start - # the containers. When stopped, this will teardown all resources. - "podman-compose-root" = { - unitConfig = { - Description = "Root target for podman targets."; - }; - wantedBy = ["multi-user.target"]; - }; - }; - }; - - virtualisation = { - # Runtime - podman = { - enable = true; - autoPrune.enable = true; - dockerCompat = true; - # defaultNetwork.settings = { - # # Required for container networking to be able to use names. - # dns_enabled = true; - # }; - }; - - oci-containers = { - backend = "podman"; - }; - }; - }; -} diff --git a/modules/nixos-modules/server/postgres.nix b/modules/nixos-modules/server/postgres.nix deleted file mode 100644 index 71ce44c..0000000 --- a/modules/nixos-modules/server/postgres.nix +++ /dev/null @@ -1,121 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: let - dataDir = "/var/lib/postgresql/16"; - adminUsers = lib.lists.filter (user: user.isAdmin) (lib.attrsets.mapAttrsToList (_: user: user) config.host.postgres.extraUsers); - clientUsers = lib.lists.filter (user: user.isClient) (lib.attrsets.mapAttrsToList (_: user: user) config.host.postgres.extraUsers); - createUsers = lib.lists.filter (user: user.createUser) (lib.attrsets.mapAttrsToList (_: user: user) config.host.postgres.extraUsers); - createDatabases = lib.attrsets.mapAttrsToList (_: user: user) config.host.postgres.extraDatabases; -in { - options = { - host.postgres = { - enable = lib.mkEnableOption "enable postgres"; - extraUsers = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { - options = { - name = lib.mkOption { - type = lib.types.str; - default = name; - }; - isAdmin = lib.mkOption { - type = lib.types.bool; - default = false; - }; - isClient = lib.mkOption { - type = lib.types.bool; - default = false; - }; - createUser = lib.mkOption { - type = lib.types.bool; - default = false; - }; - }; - })); - default = {}; - }; - extraDatabases = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { - options = { - name = lib.mkOption { - type = lib.types.str; - default = name; - }; - }; - })); - default = {}; - }; - }; - }; - - config = lib.mkIf config.host.postgres.enable (lib.mkMerge [ - { - services = { - postgresql = { - enable = true; - package = pkgs.postgresql_16; - ensureUsers = - [ - { - name = "postgres"; - } - ] - ++ ( - builtins.map (user: { - name = user.name; - ensureDBOwnership = true; - }) - createUsers - ); - ensureDatabases = builtins.map (database: database.name) createDatabases; - identMap = - '' - # ArbitraryMapName systemUser DBUser - - # Administration Users - superuser_map root postgres - superuser_map postgres postgres - '' - + ( - lib.strings.concatLines (builtins.map (user: "superuser_map ${user.name} postgres") adminUsers) - ) - + '' - - # Client Users - '' - + ( - lib.strings.concatLines (builtins.map (user: "user_map ${user.name} ${user.name}") clientUsers) - ); - # configuration here lets users access the db that matches their name and lets user postgres access everything - authentication = pkgs.lib.mkOverride 10 '' - # type database DBuser origin-address auth-method optional_ident_map - local all postgres peer map=superuser_map - local sameuser all peer map=user_map - ''; - }; - }; - } - - (lib.mkIf config.host.impermanence.enable { - assertions = [ - { - assertion = config.services.postgresql.dataDir == dataDir; - message = "postgres data directory does not match persistence"; - } - ]; - environment.persistence."/persist/system/root" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = dataDir; - user = "postgres"; - group = "postgres"; - } - ]; - }; - }) - ]); -} diff --git a/modules/nixos-modules/server/qbittorent.nix b/modules/nixos-modules/server/qbittorent.nix deleted file mode 100644 index 9b7b7e8..0000000 --- a/modules/nixos-modules/server/qbittorent.nix +++ /dev/null @@ -1,160 +0,0 @@ -{ - lib, - pkgs, - config, - ... -}: let - qbittorent_data_directory = "/var/lib/qbittorrent"; -in { - options.services.qbittorrent = { - enable = lib.mkEnableOption "should the headless qbittorrent service be enabled"; - - dataDir = lib.mkOption { - type = lib.types.path; - default = "/var/lib/qbittorrent"; - description = lib.mdDoc '' - The directory where qBittorrent stores its data files. - ''; - }; - - mediaDir = lib.mkOption { - type = lib.types.path; - description = lib.mdDoc '' - The directory to create to store qbittorrent media. - ''; - }; - - user = lib.mkOption { - type = lib.types.str; - default = "qbittorrent"; - description = lib.mdDoc '' - User account under which qBittorrent runs. - ''; - }; - - group = lib.mkOption { - type = lib.types.str; - default = "qbittorrent"; - description = lib.mdDoc '' - Group under which qBittorrent runs. - ''; - }; - - webPort = lib.mkOption { - type = lib.types.port; - default = 8080; - description = lib.mdDoc '' - qBittorrent web UI port. - ''; - }; - - openFirewall = lib.mkOption { - type = lib.types.bool; - default = false; - description = "Open services.qBittorrent.webPort to the outside network."; - }; - - package = lib.mkOption { - type = lib.types.package; - default = pkgs.qbittorrent-nox; - defaultText = lib.literalExpression "pkgs.qbittorrent-nox"; - description = "The qbittorrent package to use."; - }; - }; - - config = lib.mkIf config.services.qbittorrent.enable (lib.mkMerge [ - { - networking.firewall = lib.mkIf config.services.qbittorrent.openFirewall { - allowedTCPPorts = [config.services.qbittorrent.webPort]; - }; - - systemd.services.qbittorrent = { - # based on the plex.nix service module and - # https://github.com/qbittorrent/qBittorrent/blob/master/dist/unix/systemd/qbittorrent-nox%40.service.in - description = "qBittorrent-nox service"; - documentation = ["man:qbittorrent-nox(1)"]; - after = ["network.target"]; - wantedBy = ["multi-user.target"]; - - serviceConfig = { - Type = "simple"; - User = config.services.qbittorrent.user; - Group = config.services.qbittorrent.group; - - # Run the pre-start script with full permissions (the "!" prefix) so it - # can create the data directory if necessary. - ExecStartPre = let - preStartScript = pkgs.writeScript "qbittorrent-run-prestart" '' - #!${pkgs.bash}/bin/bash - - # Create data directory if it doesn't exist - if ! test -d "$QBT_PROFILE"; then - echo "Creating initial qBittorrent data directory in: $QBT_PROFILE" - install -d -m 0755 -o "${config.services.qbittorrent.user}" -g "${config.services.qbittorrent.group}" "$QBT_PROFILE" - fi - ''; - in "!${preStartScript}"; - - #ExecStart = "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox"; - ExecStart = "${config.services.qbittorrent.package}/bin/qbittorrent-nox"; - # To prevent "Quit & shutdown daemon" from working; we want systemd to - # manage it! - #Restart = "on-success"; - #UMask = "0002"; - #LimitNOFILE = cfg.openFilesLimit; - }; - - environment = { - QBT_PROFILE = config.services.qbittorrent.dataDir; - QBT_WEBUI_PORT = toString config.services.qbittorrent.webPort; - }; - }; - } - (lib.mkIf config.host.impermanence.enable { - fileSystems."/persist/system/qbittorrent".neededForBoot = true; - - host.storage.pool.extraDatasets = { - # sops age key needs to be available to pre persist for user generation - "persist/system/qbittorrent" = { - type = "zfs_fs"; - mountpoint = "/persist/system/qbittorrent"; - options = { - canmount = "on"; - }; - }; - }; - - assertions = [ - { - assertion = config.services.qbittorrent.dataDir == qbittorent_data_directory; - message = "qbittorrent data directory does not match persistence"; - } - ]; - - environment.persistence = { - "/persist/system/root" = { - directories = [ - { - directory = qbittorent_data_directory; - user = "qbittorrent"; - group = "qbittorrent"; - } - ]; - }; - - "/persist/system/qbittorrent" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = config.services.qbittorrent.mediaDir; - user = "qbittorrent"; - group = "qbittorrent"; - mode = "1775"; - } - ]; - }; - }; - }) - ]); -} diff --git a/modules/nixos-modules/server/reverse_proxy.nix b/modules/nixos-modules/server/reverse_proxy.nix deleted file mode 100644 index 26b4374..0000000 --- a/modules/nixos-modules/server/reverse_proxy.nix +++ /dev/null @@ -1,128 +0,0 @@ -{ - lib, - config, - ... -}: let - dataDir = "/var/lib/acme"; - httpPort = 80; - httpsPort = 443; -in { - options.host.reverse_proxy = { - enable = lib.mkEnableOption "turn on the reverse proxy"; - hostname = lib.mkOption { - type = lib.types.str; - description = "what host name are we going to be proxying from"; - }; - forceSSL = lib.mkOption { - type = lib.types.bool; - description = "force connections to use https"; - default = config.host.reverse_proxy.enableACME; - }; - enableACME = lib.mkOption { - type = lib.types.bool; - description = "auto renew certificates"; - default = true; - }; - subdomains = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { - options = { - subdomain = lib.mkOption { - type = lib.types.str; - description = "what is the default subdomain to be used for this application to be used for"; - default = name; - }; - extraSubdomains = lib.mkOption { - type = lib.types.listOf lib.types.str; - description = "extra domains that should be configured for this domain"; - default = []; - }; - - target = lib.mkOption { - type = lib.types.str; - description = "what url will all traffic to this application be forwarded to"; - }; - - websockets.enable = lib.mkEnableOption "should the default config proxy websockets"; - - forwardHeaders.enable = lib.mkEnableOption "should the default config contain forward headers"; - - extraConfig = lib.mkOption { - type = lib.types.lines; - default = ""; - description = '' - These lines go to the end of the upstream verbatim. - ''; - }; - }; - })); - }; - }; - - config = lib.mkIf config.host.reverse_proxy.enable (lib.mkMerge [ - { - security.acme = lib.mkIf config.host.reverse_proxy.enableACME { - acceptTerms = true; - defaults.email = "jan-leila@protonmail.com"; - }; - - services.nginx = { - enable = true; - virtualHosts = lib.mkMerge ( - lib.lists.flatten ( - lib.attrsets.mapAttrsToList ( - name: value: let - hostConfig = { - forceSSL = config.host.reverse_proxy.forceSSL; - enableACME = config.host.reverse_proxy.enableACME; - locations = { - "/" = { - proxyPass = value.target; - proxyWebsockets = value.websockets.enable; - recommendedProxySettings = value.forwardHeaders.enable; - extraConfig = - value.extraConfig; - }; - }; - }; - in ( - [ - { - ${"${value.subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig; - } - ] - ++ builtins.map (subdomain: {${"${subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig;}) - value.extraSubdomains - ) - ) - config.host.reverse_proxy.subdomains - ) - ); - }; - - networking.firewall.allowedTCPPorts = [ - httpPort - httpsPort - ]; - } - (lib.mkIf config.host.impermanence.enable { - # TODO: figure out how to write an assertion for this - # assertions = [ - # { - # assertion = security.acme.certs..directory == dataDir; - # message = "postgres data directory does not match persistence"; - # } - # ]; - environment.persistence."/persist/system/root" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = dataDir; - user = "acme"; - group = "acme"; - } - ]; - }; - }) - ]); -} diff --git a/modules/nixos-modules/server/searx.nix b/modules/nixos-modules/server/searx.nix deleted file mode 100644 index d357308..0000000 --- a/modules/nixos-modules/server/searx.nix +++ /dev/null @@ -1,72 +0,0 @@ -{ - config, - lib, - inputs, - ... -}: { - options.services.searx = { - subdomain = lib.mkOption { - type = lib.types.str; - description = "subdomain of base domain that searx will be hosted at"; - default = "searx"; - }; - }; - - config = lib.mkIf config.services.searx.enable { - sops.secrets = { - "services/searx" = { - sopsFile = "${inputs.secrets}/defiant-services.yaml"; - }; - }; - host = { - reverse_proxy.subdomains.searx = { - subdomain = config.services.searx.subdomain; - target = "http://localhost:${toString config.services.searx.settings.server.port}"; - }; - }; - services.searx = { - environmentFile = config.sops.secrets."services/searx".path; - - # Rate limiting - limiterSettings = { - real_ip = { - x_for = 1; - ipv4_prefix = 32; - ipv6_prefix = 56; - }; - - botdetection = { - ip_limit = { - filter_link_local = true; - link_token = true; - }; - }; - }; - - settings = { - server = { - port = 8083; - secret_key = "@SEARXNG_SECRET@"; - }; - - # Search engine settings - search = { - safe_search = 2; - autocomplete_min = 2; - autocomplete = "duckduckgo"; - }; - - # Enabled plugins - enabled_plugins = [ - "Basic Calculator" - "Hash plugin" - "Tor check plugin" - "Open Access DOI rewrite" - "Hostnames plugin" - "Unit converter plugin" - "Tracker URL remover" - ]; - }; - }; - }; -} diff --git a/modules/nixos-modules/server/virt-home-assistant.nix b/modules/nixos-modules/server/virt-home-assistant.nix deleted file mode 100644 index 4212668..0000000 --- a/modules/nixos-modules/server/virt-home-assistant.nix +++ /dev/null @@ -1,155 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: { - options.services.virt-home-assistant = { - enable = lib.mkEnableOption "Wether to enable home assistant virtual machine"; - networkBridge = lib.mkOption { - type = lib.types.str; - description = "what network bridge should we attach to the image"; - }; - hostDevice = lib.mkOption { - type = lib.types.str; - description = "what host devices should be attached to the image"; - }; - initialVersion = lib.mkOption { - type = lib.types.str; - description = "what home assistant image version should we pull for initial instal"; - default = "15.0"; - }; - imageName = lib.mkOption { - type = lib.types.str; - description = "where should the image be installed to"; - default = "home-assistant.qcow2"; - }; - installLocation = lib.mkOption { - type = lib.types.str; - description = "where should the image be installed to"; - default = "/etc/hass"; - }; - virtualMachineName = lib.mkOption { - type = lib.types.str; - description = "what name should we give the virtual machine"; - default = "home-assistant"; - }; - subdomain = lib.mkOption { - type = lib.types.str; - description = "subdomain of base domain that home-assistant will be hosted at"; - default = "home-assistant"; - }; - }; - config = lib.mkIf config.services.virt-home-assistant.enable (lib.mkMerge [ - { - # environment.systemPackages = with pkgs; [ - # virt-manager - # ]; - - # TODO: move this to external module and just have an assertion here that its enabled - # enable virtualization on the system - virtualisation = { - libvirtd = { - enable = true; - qemu.ovmf.enable = true; - }; - }; - - # TODO: deactivation script? - # create service to install and start the container - systemd.services.virt-install-home-assistant = let - # TODO: all of these need to be escaped to be used in commands reliably - bridgedNetwork = config.services.virt-home-assistant.networkBridge; - hostDevice = config.services.virt-home-assistant.hostDevice; - virtualMachineName = config.services.virt-home-assistant.virtualMachineName; - imageName = config.services.virt-home-assistant.imageName; - installLocation = config.services.virt-home-assistant.installLocation; - installImage = "${installLocation}/${imageName}"; - initialVersion = config.services.virt-home-assistant.initialVersion; - - home-assistant-qcow2 = pkgs.fetchurl { - name = "home-assistant.qcow2"; - url = "https://github.com/home-assistant/operating-system/releases/download/${initialVersion}/haos_ova-${initialVersion}.qcow2.xz"; - hash = "sha256-V1BEjvvLNbMMKJVyMCmipjQ/3owoJteeVxoF9LDHo1U="; - postFetch = '' - cp $out src.xz - rm -r $out - ${pkgs.xz}/bin/unxz src.xz --stdout > $out/${imageName} - ''; - }; - - # Write a script to install the Home Assistant OS qcow2 image - virtInstallScript = pkgs.writeShellScriptBin "virt-install-hass" '' - # Copy the initial image out of the package store to the install location if we don't have one yet - if [ ! -f ${installImage} ]; then - cp ${home-assistant-qcow2} ${installLocation} - fi - - # Check if VM already exists, and other pre-conditions - if ! ${pkgs.libvirt}/bin/virsh list --all | grep -q ${virtualMachineName}; then - ${pkgs.virt-manager}/bin/virt-install --name ${virtualMachineName} \ - --description "Home Assistant OS" \ - --os-variant=generic \ - --boot uefi \ - --ram=2048 \ - --vcpus=2 \ - --import \ - --disk ${installImage},bus=sata \ - --network bridge=${bridgedNetwork} \ - --host-device ${hostDevice} \ - --graphics none - ${pkgs.libvirt}/bin/virsh autostart ${virtualMachineName} - fi - ''; - in { - description = "Install and start Home Assistant"; - wantedBy = ["multi-user.target"]; - after = ["local-fs.target"]; - requires = ["libvirtd.service"]; - serviceConfig.Type = "oneshot"; - serviceConfig = { - ExecStart = "${virtInstallScript}/bin/virt-install-hass"; - }; - }; - - # TODO: figure out what we need to proxy to the virtual image - # host = { - # reverse_proxy.subdomains.${config.services.virt-home-assistant.subdomain} = { - # target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}"; - - # websockets.enable = true; - # forwardHeaders.enable = true; - - # extraConfig = '' - # add_header Upgrade $http_upgrade; - # add_header Connection \"upgrade\"; - - # proxy_buffering off; - - # proxy_read_timeout 90; - # ''; - # }; - # }; - } - (lib.mkIf config.services.fail2ban.enable { - # TODO: figure out how to write a config for this, prob based on nginx proxy logs? - }) - (lib.mkIf config.host.impermanence.enable { - # assertions = [ - # { - # assertion = config.services.virt-home-assistant.installLocation == configDir; - # message = "home assistant install location does not match persistence"; - # } - # ]; - environment.persistence."/persist/system/root" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = config.services.virt-home-assistant.installLocation; - } - ]; - }; - }) - ]); -} diff --git a/modules/nixos-modules/ssh.nix b/modules/nixos-modules/ssh.nix deleted file mode 100644 index 6f5fac1..0000000 --- a/modules/nixos-modules/ssh.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - lib, - config, - ... -}: { - config = lib.mkMerge [ - { - services = { - openssh = { - enable = true; - ports = [22]; - settings = { - PasswordAuthentication = false; - UseDns = true; - X11Forwarding = false; - }; - }; - }; - } - (lib.mkIf config.host.impermanence.enable { - environment.persistence."/persist/system/root" = { - files = lib.lists.flatten ( - builtins.map (hostKey: [hostKey.path "${hostKey.path}.pub"]) config.services.openssh.hostKeys - ); - }; - }) - ]; -} diff --git a/modules/nixos-modules/steam.nix b/modules/nixos-modules/steam.nix deleted file mode 100644 index 20c0978..0000000 --- a/modules/nixos-modules/steam.nix +++ /dev/null @@ -1,9 +0,0 @@ -{...}: { - programs = { - steam = { - remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play - dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server - localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers - }; - }; -} diff --git a/modules/nixos-modules/sync.nix b/modules/nixos-modules/sync.nix deleted file mode 100644 index 8915dc8..0000000 --- a/modules/nixos-modules/sync.nix +++ /dev/null @@ -1,68 +0,0 @@ -{ - config, - lib, - outputs, - ... -}: let - mountDir = "/mnt/sync"; - configDir = "/etc/syncthing"; -in { - config = lib.mkMerge [ - { - systemd = lib.mkIf config.services.syncthing.enable { - tmpfiles.rules = [ - "d ${mountDir} 2755 syncthing syncthing -" - "d ${config.services.syncthing.dataDir} 775 syncthing syncthing -" - "d ${config.services.syncthing.configDir} 755 syncthing syncthing -" - ]; - }; - } - (lib.mkIf config.services.syncthing.enable (lib.mkMerge [ - { - services.syncthing = { - user = "syncthing"; - group = "syncthing"; - dataDir = "${mountDir}/default"; - configDir = configDir; - overrideDevices = true; - overrideFolders = true; - configuration = outputs.syncthingConfiguration; - deviceName = config.networking.hostName; - }; - } - - (lib.mkIf config.host.impermanence.enable { - assertions = - [ - { - assertion = config.services.syncthing.configDir == configDir; - message = "syncthing config dir does not match persistence"; - } - ] - ++ lib.attrsets.mapAttrsToList (_: folder: { - assertion = lib.strings.hasPrefix mountDir folder.path; - message = "syncthing folder ${folder.label} is stored at ${folder.path} which not under the persisted path of ${mountDir}"; - }) - config.services.syncthing.settings.folders; - environment.persistence = { - "/persist/system/root" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = mountDir; - user = "syncthing"; - group = "syncthing"; - } - { - directory = configDir; - user = "syncthing"; - group = "syncthing"; - } - ]; - }; - }; - }) - ])) - ]; -} diff --git a/modules/nixos-modules/system.nix b/modules/nixos-modules/system.nix deleted file mode 100644 index b839067..0000000 --- a/modules/nixos-modules/system.nix +++ /dev/null @@ -1,13 +0,0 @@ -{...}: { - nix = { - gc = { - automatic = true; - dates = "weekly"; - options = "--delete-older-than 7d"; - }; - optimise = { - automatic = true; - dates = ["weekly"]; - }; - }; -} diff --git a/modules/nixos-modules/tailscale.nix b/modules/nixos-modules/tailscale.nix deleted file mode 100644 index db664e8..0000000 --- a/modules/nixos-modules/tailscale.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ - config, - lib, - ... -}: let - tailscale_data_directory = "/var/lib/tailscale"; -in { - options.host.tailscale = { - enable = lib.mkEnableOption "should tailscale be enabled on this computer"; - }; - - config = lib.mkIf config.services.tailscale.enable ( - lib.mkMerge [ - { - # any configs we want shared between all machines - } - (lib.mkIf config.host.impermanence.enable { - environment.persistence = { - "/persist/system/root" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = tailscale_data_directory; - user = "root"; - group = "root"; - } - ]; - }; - }; - }) - ] - ); -} diff --git a/modules/nixos-modules/users.nix b/modules/nixos-modules/users.nix deleted file mode 100644 index 68bd78b..0000000 --- a/modules/nixos-modules/users.nix +++ /dev/null @@ -1,354 +0,0 @@ -{ - lib, - config, - inputs, - ... -}: let - SOPS_AGE_KEY_DIRECTORY = import ../../const/sops_age_key_directory.nix; - - host = config.host; - - principleUsers = host.principleUsers; - terminalUsers = host.terminalUsers; - normalUsers = host.normalUsers; - - uids = { - leyla = 1000; - eve = 1002; - jellyfin = 2000; - forgejo = 2002; - adguardhome = 2003; - hass = 2004; - syncthing = 2007; - ollama = 2008; - git = 2009; - immich = 2010; - qbittorrent = 2011; - }; - - gids = { - leyla = 1000; - eve = 1002; - users = 100; - jellyfin_media = 2001; - jellyfin = 2000; - forgejo = 2002; - adguardhome = 2003; - hass = 2004; - syncthing = 2007; - ollama = 2008; - git = 2009; - immich = 2010; - qbittorrent = 2011; - }; - - users = config.users.users; - leyla = users.leyla.name; - eve = users.eve.name; -in { - config = lib.mkMerge [ - { - # principle users are by definition trusted - nix.settings.trusted-users = builtins.map (user: user.name) principleUsers; - - # we should only be able to ssh into principle users of a computer who are also set up for terminal access - services.openssh.settings.AllowUsers = builtins.map (user: user.name) (lib.lists.intersectLists terminalUsers principleUsers); - - # we need to set up env variables to nix can find keys to decrypt passwords on rebuild - environment = { - sessionVariables = { - SOPS_AGE_KEY_DIRECTORY = SOPS_AGE_KEY_DIRECTORY; - SOPS_AGE_KEY_FILE = "${SOPS_AGE_KEY_DIRECTORY}/key.txt"; - }; - }; - - # set up user passwords - sops = { - defaultSopsFormat = "yaml"; - gnupg.sshKeyPaths = []; - - age = { - keyFile = "/var/lib/sops-nix/key.txt"; - sshKeyPaths = []; - # generateKey = true; - }; - - secrets = { - "passwords/leyla" = { - neededForUsers = true; - sopsFile = "${inputs.secrets}/user-passwords.yaml"; - }; - "passwords/eve" = { - neededForUsers = true; - sopsFile = "${inputs.secrets}/user-passwords.yaml"; - }; - }; - }; - - users = { - mutableUsers = false; - users = { - leyla = { - uid = lib.mkForce uids.leyla; - name = lib.mkForce host.users.leyla.name; - description = "Leyla"; - extraGroups = - (lib.lists.optionals host.users.leyla.isNormalUser ["networkmanager"]) - ++ (lib.lists.optionals host.users.leyla.isPrincipleUser ["wheel" "dialout"]) - ++ (lib.lists.optionals host.users.leyla.isDesktopUser ["adbusers"]); - hashedPasswordFile = config.sops.secrets."passwords/leyla".path; - isNormalUser = host.users.leyla.isNormalUser; - isSystemUser = !host.users.leyla.isNormalUser; - group = config.users.users.leyla.name; - }; - - eve = { - uid = lib.mkForce uids.eve; - name = lib.mkForce host.users.eve.name; - description = "Eve"; - extraGroups = - lib.optionals host.users.eve.isNormalUser ["networkmanager"] - ++ (lib.lists.optionals host.users.eve.isPrincipleUser ["wheel"]); - hashedPasswordFile = config.sops.secrets."passwords/eve".path; - isNormalUser = host.users.eve.isNormalUser; - isSystemUser = !host.users.eve.isNormalUser; - group = config.users.users.eve.name; - }; - - jellyfin = { - uid = lib.mkForce uids.jellyfin; - isSystemUser = true; - group = config.users.users.jellyfin.name; - }; - - forgejo = { - uid = lib.mkForce uids.forgejo; - isSystemUser = true; - group = config.users.users.forgejo.name; - }; - - adguardhome = { - uid = lib.mkForce uids.adguardhome; - isSystemUser = true; - group = config.users.users.adguardhome.name; - }; - - hass = { - uid = lib.mkForce uids.hass; - isSystemUser = true; - group = config.users.users.hass.name; - }; - - syncthing = { - uid = lib.mkForce uids.syncthing; - isSystemUser = true; - group = config.users.users.syncthing.name; - }; - - ollama = { - uid = lib.mkForce uids.ollama; - isSystemUser = true; - group = config.users.users.ollama.name; - }; - - git = { - uid = lib.mkForce uids.git; - isSystemUser = !config.services.forgejo.enable; - isNormalUser = config.services.forgejo.enable; - group = config.users.users.git.name; - }; - - immich = { - uid = lib.mkForce uids.immich; - isSystemUser = true; - group = config.users.users.immich.name; - }; - - qbittorrent = { - uid = lib.mkForce uids.qbittorrent; - isNormalUser = true; - group = config.users.users.qbittorrent.name; - }; - }; - - groups = { - leyla = { - gid = lib.mkForce gids.leyla; - members = [ - leyla - ]; - }; - - eve = { - gid = lib.mkForce gids.eve; - members = [ - eve - ]; - }; - - users = { - gid = lib.mkForce gids.users; - members = [ - leyla - eve - ]; - }; - - jellyfin_media = { - gid = lib.mkForce gids.jellyfin_media; - members = [ - users.jellyfin.name - leyla - eve - ]; - }; - - jellyfin = { - gid = lib.mkForce gids.jellyfin; - members = [ - users.jellyfin.name - # leyla - ]; - }; - - forgejo = { - gid = lib.mkForce gids.forgejo; - members = [ - users.forgejo.name - # leyla - ]; - }; - - adguardhome = { - gid = lib.mkForce gids.adguardhome; - members = [ - users.adguardhome.name - # leyla - ]; - }; - - hass = { - gid = lib.mkForce gids.hass; - members = [ - users.hass.name - # leyla - ]; - }; - - syncthing = { - gid = lib.mkForce gids.syncthing; - members = [ - users.syncthing.name - leyla - eve - ]; - }; - - ollama = { - gid = lib.mkForce gids.ollama; - members = [ - users.ollama.name - ]; - }; - - git = { - gid = lib.mkForce gids.git; - members = [ - users.git.name - ]; - }; - - immich = { - gid = lib.mkForce gids.immich; - members = [ - users.immich.name - # leyla - ]; - }; - - qbittorrent = { - gid = lib.mkForce gids.qbittorrent; - members = [ - users.qbittorrent.name - leyla - ]; - }; - }; - }; - } - (lib.mkIf config.host.impermanence.enable { - boot.initrd.postResumeCommands = lib.mkAfter ( - lib.strings.concatLines (builtins.map (user: "zfs rollback -r rpool/local/home/${user.name}@blank") - normalUsers) - ); - - systemd = { - tmpfiles.rules = - builtins.map ( - user: "d /persist/home/${user.name} 700 ${user.name} ${user.name} -" - ) - normalUsers; - }; - - fileSystems = lib.mkMerge [ - { - ${SOPS_AGE_KEY_DIRECTORY}.neededForBoot = true; - } - ( - builtins.listToAttrs ( - builtins.map (user: - lib.attrsets.nameValuePair "/persist/home/${user.name}" { - neededForBoot = true; - }) - normalUsers - ) - ) - ( - builtins.listToAttrs ( - builtins.map (user: - lib.attrsets.nameValuePair "/home/${user.name}" { - neededForBoot = true; - }) - normalUsers - ) - ) - ]; - - host.storage.pool.extraDatasets = lib.mkMerge ( - [ - { - # sops age key needs to be available to pre persist for user generation - "local/system/sops" = { - type = "zfs_fs"; - mountpoint = SOPS_AGE_KEY_DIRECTORY; - options = { - atime = "off"; - relatime = "off"; - canmount = "on"; - }; - }; - } - ] - ++ ( - builtins.map (user: { - "local/home/${user.name}" = { - type = "zfs_fs"; - mountpoint = "/home/${user.name}"; - options = { - canmount = "on"; - }; - postCreateHook = '' - zfs snapshot rpool/local/home/${user.name}@blank - ''; - }; - "persist/home/${user.name}" = { - type = "zfs_fs"; - mountpoint = "/persist/home/${user.name}"; - }; - }) - normalUsers - ) - ); - }) - ]; -} diff --git a/modules/system-modules/default.nix b/modules/system-modules/default.nix deleted file mode 100644 index 637b6b5..0000000 --- a/modules/system-modules/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -# this folder container modules that are for nixos and darwin -{...}: { - imports = [ - ./home-manager - ./system.nix - ./nix-development.nix - ./users.nix - ]; -} diff --git a/modules/system-modules/home-manager/default.nix b/modules/system-modules/home-manager/default.nix deleted file mode 100644 index 3745b8f..0000000 --- a/modules/system-modules/home-manager/default.nix +++ /dev/null @@ -1,2 +0,0 @@ -# modules in this folder are to adapt home-manager modules configs to system-module configs -{...}: {} diff --git a/modules/system-modules/nix-development.nix b/modules/system-modules/nix-development.nix deleted file mode 100644 index 6eeddc4..0000000 --- a/modules/system-modules/nix-development.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - lib, - pkgs, - config, - inputs, - ... -}: { - options.host.nix-development.enable = lib.mkEnableOption "should desktop configuration be enabled"; - - config = lib.mkMerge [ - { - host.nix-development.enable = lib.mkDefault true; - } - (lib.mkIf config.host.nix-development.enable { - nix = { - nixPath = ["nixpkgs=${inputs.nixpkgs}"]; - }; - environment.systemPackages = with pkgs; [ - # nix language server - nil - # nix formatter - alejandra - ]; - }) - ]; -} diff --git a/modules/system-modules/system.nix b/modules/system-modules/system.nix deleted file mode 100644 index f464835..0000000 --- a/modules/system-modules/system.nix +++ /dev/null @@ -1,7 +0,0 @@ -{...}: { - nix = { - settings = { - experimental-features = ["nix-command" "flakes"]; - }; - }; -} diff --git a/modules/system-modules/users.nix b/modules/system-modules/users.nix deleted file mode 100644 index cd9c900..0000000 --- a/modules/system-modules/users.nix +++ /dev/null @@ -1,113 +0,0 @@ -{ - lib, - config, - ... -}: let - host = config.host; - - hostUsers = host.hostUsers; - principleUsers = host.principleUsers; -in { - options.host = { - users = lib.mkOption { - default = {}; - type = lib.types.attrsOf (lib.types.submodule ({ - config, - name, - ... - }: { - options = { - name = lib.mkOption { - type = lib.types.str; - default = name; - description = '' - What should this users name on the system be - ''; - defaultText = lib.literalExpression "config.host.users.\${name}.name"; - }; - isPrincipleUser = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - User should be configured as root and have ssh access - ''; - defaultText = lib.literalExpression "config.host.users.\${name}.isPrincipleUser"; - }; - isDesktopUser = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - User should install their desktop applications - ''; - defaultText = lib.literalExpression "config.host.users.\${name}.isDesktopUser"; - }; - isTerminalUser = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - User should install their terminal applications - ''; - defaultText = lib.literalExpression "config.host.users.\${name}.isTerminalUser"; - }; - isNormalUser = lib.mkOption { - type = lib.types.bool; - default = config.isDesktopUser || config.isTerminalUser; - description = '' - User should install their applications and can log in - ''; - defaultText = lib.literalExpression "config.host.users.\${name}.isNormalUser"; - }; - }; - })); - }; - hostUsers = lib.mkOption { - default = lib.attrsets.mapAttrsToList (_: user: user) host.users; - }; - principleUsers = lib.mkOption { - default = lib.lists.filter (user: user.isPrincipleUser) hostUsers; - }; - normalUsers = lib.mkOption { - default = lib.lists.filter (user: user.isNormalUser) hostUsers; - }; - desktopUsers = lib.mkOption { - default = lib.lists.filter (user: user.isDesktopUser) hostUsers; - }; - terminalUsers = lib.mkOption { - default = lib.lists.filter (user: user.isTerminalUser) hostUsers; - }; - }; - - config = { - host.users = { - leyla = { - isPrincipleUser = lib.mkDefault false; - isDesktopUser = lib.mkDefault false; - isTerminalUser = lib.mkDefault false; - }; - eve = { - isPrincipleUser = lib.mkDefault false; - isDesktopUser = lib.mkDefault false; - isTerminalUser = lib.mkDefault false; - }; - }; - - assertions = - ( - builtins.map (user: { - assertion = !(user.isPrincipleUser && !user.isNormalUser); - message = '' - Non normal user ${user.name} can not be a principle user. - ''; - }) - hostUsers - ) - ++ [ - { - assertion = (builtins.length principleUsers) > 0; - message = '' - At least one user must be a principle user. - ''; - } - ]; - }; -} diff --git a/nix-config-secrets b/nix-config-secrets deleted file mode 160000 index 1c5c059..0000000 --- a/nix-config-secrets +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 1c5c059c0c7b6ce691993262fe10a2b63e1c31ba diff --git a/overlays/intellij.nix b/overlays/intellij.nix new file mode 100644 index 0000000..c907588 --- /dev/null +++ b/overlays/intellij.nix @@ -0,0 +1,18 @@ +_: { + # nixpkgs.overlays = [ + # (self: super: { + # # idea is too out of date for android gradle things + # jetbrains = { + # jdk = super.jdk17; + # idea-community = super.jetbrains.idea-community.overrideAttrs (oldAttrs: rec { + # version = "2023.3.3"; + # name = "idea-community-${version}"; + # src = super.fetchurl { + # sha256 = "sha256-3BI97Tx+3onnzT1NXkb62pa4dj9kjNDNvFt9biYgP9I="; + # url = "https://download.jetbrains.com/idea/ideaIC-${version}.tar.gz"; + # }; + # }); + # }; + # }) + # ]; +} diff --git a/overlays/vscodium.nix b/overlays/vscodium.nix new file mode 100644 index 0000000..7c5f863 --- /dev/null +++ b/overlays/vscodium.nix @@ -0,0 +1,14 @@ +_: { + # nixpkgs.overlays = [ + # (self: super: { + # # ui is broken on 1.84 + # vscodium = super.vscodium.overrideAttrs (oldAttrs: rec { + # version = "1.85.2.24019"; + # src = super.fetchurl { + # sha256 = "sha256-OBGFXOSN+Oq9uj/5O6tF0Kp7rxTY1AzNbhLK8G+EqVk="; + # url = "https://github.com/VSCodium/vscodium/releases/download/${version}/VSCodium-linux-x64-${version}.tar.gz"; + # }; + # }); + # }) + # ]; +} diff --git a/pkgs/default.nix b/pkgs/default.nix new file mode 100644 index 0000000..87a13d7 --- /dev/null +++ b/pkgs/default.nix @@ -0,0 +1,2 @@ +_: { +} diff --git a/rebuild.sh b/rebuild.sh index 36a1201..9988b7b 100755 --- a/rebuild.sh +++ b/rebuild.sh @@ -7,15 +7,13 @@ else preserve_result=false fi -show_trace=false - while [ $# -gt 0 ]; do case "$1" in --target*|-t*) if [[ "$1" != *=* ]]; then shift; fi # Value is next arg if no `=` target="${1#*=}" ;; - --flake*|-f*) + --flake*|-h*) if [[ "$1" != *=* ]]; then shift; fi flake="${1#*=}" ;; @@ -27,29 +25,20 @@ while [ $# -gt 0 ]; do if [[ "$1" != *=* ]]; then shift; fi user="${1#*=}" ;; - --host*) - if [[ "$1" != *=* ]]; then shift; fi - host="${1#*=}" - ;; --preserve-result) preserve_result=true ;; --no-preserve-result) preserve_result=false ;; - --show-trace) - show_trace=true - ;; --help|-h) echo "--help -h: print this message" echo "--target -t: set the target system to rebuild on" echo "--flake -f: set the flake to rebuild on the target system" echo "--mode -m: set the mode to rebuild flake as on the target system" echo "--user -u: set the user to rebuild flake as on the target system" - echo "--host: set the host that the flake will be rebuilt on (unset for current machine)" echo "--preserve-result: do not remove the generated result folder after building" echo "--no-preserve-result: remove any result folder after building" - echo "--show-trace: show trace on builds" exit 0 ;; *) @@ -65,26 +54,13 @@ flake=${flake:-$target} mode=${mode:-switch} user=${user:-$USER} -command="nixos-rebuild $mode --sudo --ask-sudo-password --flake .#$flake" - -if [[ $host ]]; +if [[ "$target" == "$(hostname)" ]]; then - command="$command --build-host $host" + nixos-rebuild $mode --use-remote-sudo --flake .#$flake +else + nixos-rebuild $mode --use-remote-sudo --target-host $user@$target --flake .#$flake fi -if [[ "$target" != "$(hostname)" ]]; -then - command="$command --target-host $user@$target" -fi - -if [[ "$show_trace" = true ]]; -then - command="$command --show-trace" -fi - -echo $command -$command - if [ -d "result" ]; then if [[ "$preserve_result" == "false" ]]; diff --git a/shell.nix b/shell.nix deleted file mode 100644 index d7c46b9..0000000 --- a/shell.nix +++ /dev/null @@ -1,14 +0,0 @@ -( - import - ( - let - lock = builtins.fromJSON (builtins.readFile ./flake.lock); - in - fetchTarball { - url = lock.nodes.flake-compat.locked.url or "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz"; - sha256 = lock.nodes.flake-compat.locked.narHash; - } - ) - {src = ./.;} -) -.shellNix diff --git a/templates/default.nix b/templates/default.nix new file mode 100644 index 0000000..eed7124 --- /dev/null +++ b/templates/default.nix @@ -0,0 +1 @@ +_: {} diff --git a/users/default.nix b/users/default.nix new file mode 100644 index 0000000..4c0b5d7 --- /dev/null +++ b/users/default.nix @@ -0,0 +1,7 @@ +{inputs, ...}: { + imports = [./leyla ./ester ./eve]; + + users.mutableUsers = false; + + home-manager.extraSpecialArgs = {inherit inputs;}; +} diff --git a/users/ester/default.nix b/users/ester/default.nix new file mode 100644 index 0000000..3597d2d --- /dev/null +++ b/users/ester/default.nix @@ -0,0 +1,42 @@ +{ + lib, + config, + pkgs, + ... +}: let + cfg = config.users.ester; +in { + options.users.ester = { + isFullUser = lib.mkEnableOption "ester"; + }; + + config = { + nixpkgs.config.allowUnfree = true; + + sops.secrets = lib.mkIf cfg.isFullUser { + "passwords/ester" = { + neededForUsers = true; + sopsFile = ../../secrets/user-passwords.yaml; + }; + }; + + users.users.ester = ( + if cfg.isFullUser + then { + isNormalUser = true; + extraGroups = ["networkmanager"]; + + hashedPasswordFile = config.sops.secrets."passwords/ester".path; + + packages = with pkgs; [ + firefox + bitwarden + discord + ]; + } + else { + isSystemUser = true; + } + ); + }; +} diff --git a/users/eve/default.nix b/users/eve/default.nix new file mode 100644 index 0000000..16787f8 --- /dev/null +++ b/users/eve/default.nix @@ -0,0 +1,44 @@ +{ + lib, + config, + pkgs, + ... +}: let + cfg = config.users.eve; +in { + options.users.eve = { + isFullUser = lib.mkEnableOption "eve"; + }; + + config = { + nixpkgs.config.allowUnfree = true; + + sops.secrets = lib.mkIf cfg.isFullUser { + "passwords/eve" = { + neededForUsers = true; + sopsFile = ../../secrets/user-passwords.yaml; + }; + }; + + users.users.eve = ( + if cfg.isFullUser + then { + isNormalUser = true; + extraGroups = ["networkmanager"]; + + hashedPasswordFile = config.sops.secrets."passwords/eve".path; + + packages = with pkgs; [ + firefox + bitwarden + discord + makemkv + signal-desktop + ]; + } + else { + isSystemUser = true; + } + ); + }; +} diff --git a/users/leyla/default.nix b/users/leyla/default.nix new file mode 100644 index 0000000..20f99ab --- /dev/null +++ b/users/leyla/default.nix @@ -0,0 +1,65 @@ +{ + lib, + config, + ... +}: let + cfg = config.users.leyla; +in { + imports = [ + ./packages.nix + ]; + + options.users.leyla = { + isFullUser = lib.mkEnableOption "create usable leyla user"; + isThinUser = lib.mkEnableOption "create usable user but witohut user applications"; + hasGPU = lib.mkEnableOption "installs gpu intensive programs"; + }; + + config = { + nixpkgs.config.allowUnfree = true; + + sops.secrets = lib.mkIf (cfg.isFullUser || cfg.isThinUser) { + "passwords/leyla" = { + neededForUsers = true; + sopsFile = ../../secrets/user-passwords.yaml; + }; + }; + + users.users.leyla = ( + if (cfg.isFullUser || cfg.isThinUser) + then { + isNormalUser = true; + extraGroups = lib.mkMerge [ + ["networkmanager" "wheel"] + ( + lib.mkIf (!cfg.isThinUser) ["adbusers"] + ) + ]; + + hashedPasswordFile = config.sops.secrets."passwords/leyla".path; + + openssh = { + authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHeItmt8TRW43uNcOC+eIurYC7Eunc0V3LGocQqLaYj leyla@horizon" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBiZkg1c2aaNHiieBX4cEziqvJVj9pcDfzUrKU/mO0I leyla@twilight" + ]; + }; + } + else { + isSystemUser = true; + } + ); + + # TODO: this should reference the home directory from the user config + services.openssh.hostKeys = [ + { + comment = "leyla@" + config.networking.hostName; + path = "/home/leyla/.ssh/leyla_" + config.networking.hostName + "_ed25519"; + rounds = 100; + type = "ed25519"; + } + ]; + + home-manager.users.leyla = lib.mkIf (cfg.isFullUser || cfg.isThinUser) (import ./home.nix); + }; +} diff --git a/users/leyla/home.nix b/users/leyla/home.nix new file mode 100644 index 0000000..118d0cc --- /dev/null +++ b/users/leyla/home.nix @@ -0,0 +1,127 @@ +{ + config, + pkgs, + ... +}: { + # Home Manager needs a bit of information about you and the paths it should + # manage. + home = { + username = "leyla"; + homeDirectory = "/home/leyla"; + + # This value determines the Home Manager release that your configuration is + # compatible with. This helps avoid breakage when a new Home Manager release + # introduces backwards incompatible changes. + # + # You should not change this value, even if you update Home Manager. If you do + # want to update the value, then make sure to first check the Home Manager + # release notes. + stateVersion = "23.11"; # Please read the comment before changing. + + # The home.packages option allows you to install Nix packages into your + # environment. + packages = [ + # # Adds the 'hello' command to your environment. It prints a friendly + # # "Hello, world!" when run. + # pkgs.hello + + # # It is sometimes useful to fine-tune packages, for example, by applying + # # overrides. You can do that directly here, just don't forget the + # # parentheses. Maybe you want to install Nerd Fonts with a limited number of + # # fonts? + # (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; }) + + # # You can also create simple shell scripts directly inside your + # # configuration. For example, this adds a command 'my-hello' to your + # # environment: + # (pkgs.writeShellScriptBin "my-hello" '' + # echo "Hello, ${config.home.username}!" + # '') + ]; + + # Home Manager is pretty good at managing dotfiles. The primary way to manage + # plain files is through 'home.file'. + file = { + # # Building this configuration will create a copy of 'dotfiles/screenrc' in + # # the Nix store. Activating the configuration will then make '~/.screenrc' a + # # symlink to the Nix store copy. + # ".screenrc".source = dotfiles/screenrc; + + # # You can also set the file content immediately. + # ".gradle/gradle.properties".text = '' + # org.gradle.console=verbose + # org.gradle.daemon.idletimeout=3600000 + # ''; + }; + + # Home Manager can also manage your environment variables through + # 'home.sessionVariables'. If you don't want to manage your shell through Home + # Manager then you have to manually source 'hm-session-vars.sh' located at + # either + # + # ~/.nix-profile/etc/profile.d/hm-session-vars.sh + # + # or + # + # ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh + # + # or + # + # /etc/profiles/per-user/leyla/etc/profile.d/hm-session-vars.sh + # + sessionVariables = { + # EDITOR = "emacs"; + }; + }; + + programs = { + # Let Home Manager install and manage itself. + home-manager.enable = true; + git = { + enable = true; + userName = "Leyla Becker"; + userEmail = "git@jan-leila.com"; + extraConfig.init.defaultBranch = "main"; + }; + }; + + dconf = { + enable = true; + settings = { + "org/gnome/desktop/interface".color-scheme = "prefer-dark"; + + "org/gnome/shell" = { + disable-user-extensions = false; # enables user extensions + enabled-extensions = [ + # Put UUIDs of extensions that you want to enable here. + # If the extension you want to enable is packaged in nixpkgs, + # you can easily get its UUID by accessing its extensionUuid + # field (look at the following example). + pkgs.gnomeExtensions.dash-to-dock.extensionUuid + + # Alternatively, you can manually pass UUID as a string. + # "dash-to-dock@micxgx.gmail.com" + ]; + }; + + "org/gnome/shell/extensions/dash-to-dock" = { + "dock-position" = "LEFT"; + "intellihide-mode" = "ALL_WINDOWS"; + "show-trash" = false; + "require-pressure-to-show" = false; + "show-mounts" = false; + }; + + "org/gnome/settings-daemon/plugins/media-keys" = { + custom-keybindings = [ + "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/" + ]; + }; + "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = { + binding = "t"; + command = "kgx"; + name = "Open Terminal"; + }; + }; + }; +} diff --git a/users/leyla/packages.nix b/users/leyla/packages.nix new file mode 100644 index 0000000..e206d22 --- /dev/null +++ b/users/leyla/packages.nix @@ -0,0 +1,135 @@ +{ + lib, + config, + pkgs, + inputs, + ... +}: let + cfg = config.users.leyla; +in { + imports = [ + ../../overlays/intellij.nix + ../../overlays/vscodium.nix + ]; + + nixpkgs = { + overlays = [ + inputs.nix-vscode-extensions.overlays.default + ]; + }; + + programs = { + bash.shellAliases = lib.mkIf cfg.isFullUser { + code = "codium"; + }; + + steam = lib.mkIf cfg.isFullUser { + enable = true; + remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play + dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server + }; + + noisetorch.enable = cfg.isFullUser; + + adb.enable = cfg.isFullUser; + }; + + users.users.leyla.packages = lib.mkIf (cfg.isFullUser || cfg.isThinUser) ( + lib.mkMerge [ + ( + with pkgs; [ + # comand line tools + yt-dlp + ffmpeg + imagemagick + ] + ) + ( + lib.mkIf (!cfg.isThinUser) ( + with pkgs; [ + #foss platforms + signal-desktop + bitwarden + firefox + ungoogled-chromium + libreoffice + inkscape + gimp + krita + freecad + # cura + kicad-small + makemkv + transmission_4-gtk + onionshare + easytag + # rhythmbox + (lib.mkIf cfg.hasGPU obs-studio) + # wireshark + # rpi-imager + # fritzing + + # proprietary platforms + discord + obsidian + steam + (lib.mkIf cfg.hasGPU davinci-resolve) + + # development tools + (vscode-with-extensions.override { + vscode = vscodium; + vscodeExtensions = with open-vsx; + [ + # vs code feel extensions + ms-vscode.atom-keybindings + akamud.vscode-theme-onedark + streetsidesoftware.code-spell-checker + streetsidesoftware.code-spell-checker-german + streetsidesoftware.code-spell-checker-italian + jeanp413.open-remote-ssh + + # nix extensions + pinage404.nix-extension-pack + jnoortheen.nix-ide + + # html extensions + formulahendry.auto-rename-tag + ms-vscode.live-server + + # js extensions + dsznajder.es7-react-js-snippets + dbaeumer.vscode-eslint + standard.vscode-standard + firsttris.vscode-jest-runner + stylelint.vscode-stylelint + tauri-apps.tauri-vscode + + # misc extensions + bungcip.better-toml + ] + ++ (with vscode-marketplace; [ + # js extensions + karyfoundation.nearley + ]); + }) + androidStudioPackages.canary + jetbrains.idea-community + dbeaver-bin + bruno + + # system tools + protonvpn-gui + openvpn + nextcloud-client + noisetorch + + # hardware managment tools + (lib.mkIf config.hardware.piperMouse.enable piper) + (lib.mkIf config.hardware.openRGB.enable openrgb) + (lib.mkIf config.hardware.viaKeyboard.enable via) + ] + ) + ) + ] + ); +} diff --git a/util/default.nix b/util/default.nix index fb2f83d..acd1997 100644 --- a/util/default.nix +++ b/util/default.nix @@ -1,128 +1,7 @@ -{inputs}: let - util = (import ./default.nix) {inherit inputs;}; - outputs = inputs.self.outputs; - - lib = inputs.lib; - nixpkgs = inputs.nixpkgs; - home-manager = inputs.home-manager; - nix-darwin = inputs.nix-darwin; - sops-nix = inputs.sops-nix; - nix-syncthing = inputs.nix-syncthing; - disko = inputs.disko; - impermanence = inputs.impermanence; - lix-module = inputs.lix-module; - - systems = [ - "aarch64-darwin" - "aarch64-linux" - "x86_64-darwin" - "x86_64-linux" - ]; - forEachSystem = nixpkgs.lib.genAttrs systems; - pkgsFor = system: nixpkgs.legacyPackages.${system}; - - common-modules = [ - ../modules/common-modules - ]; - - home-manager-modules = - common-modules - ++ [ - sops-nix.homeManagerModules.sops - impermanence.homeManagerModules.impermanence - ../modules/home-manager-modules - ]; - - home-manager-config = nixpkgs: { - home-manager.useUserPackages = true; - home-manager.backupFileExtension = "backup"; - home-manager.extraSpecialArgs = { - inherit inputs outputs util; - }; - home-manager.users = import ../configurations/home-manager (nixpkgs - // { - osConfig = nixpkgs.config; - }); - home-manager.sharedModules = home-manager-modules; - }; - - system-modules = - common-modules - ++ [ - home-manager-config - ../modules/system-modules - ]; -in { - forEachPkgs = lambda: forEachSystem (system: lambda system (pkgsFor system)); - - mkUnless = condition: yes: (lib.mkIf (!condition) yes); - mkIfElse = condition: yes: no: - lib.mkMerge [ - (lib.mkIf condition yes) - (lib.mkUnless condition no) - ]; - - mkNixosInstaller = host: userKeys: - nixpkgs.lib.nixosSystem { - modules = [ - { - # TODO: authorized keys for all users and hosts - } - ../configurations/nixos/${host} - ]; - }; - - mkNixosSystem = host: - nixpkgs.lib.nixosSystem { - specialArgs = {inherit inputs outputs util;}; - modules = - system-modules - ++ [ - sops-nix.nixosModules.sops - nix-syncthing.nixosModules.syncthing - impermanence.nixosModules.impermanence - home-manager.nixosModules.home-manager - disko.nixosModules.disko - lix-module.nixosModules.default - ../modules/nixos-modules - ../configurations/nixos/${host} - ]; - }; - - mkDarwinSystem = host: - nix-darwin.lib.darwinSystem { - specialArgs = {inherit inputs outputs util;}; - modules = - system-modules - ++ [ - sops-nix.darwinModules.sops - home-manager.darwinModules.home-manager - ../modules/darwin-modules - ../configurations/darwin/${host} - ]; - }; - - mkHome = { - user, - host, - system, - osConfig, - }: - home-manager.lib.homeManagerConfiguration { - pkgs = pkgsFor system; - extraSpecialArgs = { - inherit inputs util outputs osConfig; - }; - modules = - home-manager-modules - ++ [ - ../configurations/home-manager/${user} - ]; - }; - - syncthingConfiguration = nix-syncthing.lib.syncthingConfiguration { - modules = [ - (import ../configurations/syncthing) - ]; - }; +_: { + # mkUnless = condition: then: (mkIf (!condition) then); + # mkIfElse = condition: then: else: lib.mkMerge [ + # (mkIf condition then) + # (mkUnless condition else) + # ]; }