jan-leila/nix-config
1
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: jan-leila:main
Branches Tags
jan-leila:main
Lithospherical:main
Lithospherical:eve
Lithospherical:469ba567
..
compare: Lithospherical:main
Branches Tags
Lithospherical:main
Lithospherical:eve
Lithospherical:469ba567
jan-leila:main

No commits in common. "main" and "main" have entirely different histories.
main ... main

33 changed files with 659 additions and 807 deletions
Download patch file Download diff file Expand all files Collapse all files

33
README.md
View file

@ -41,33 +41,30 @@ nix multi user, multi system, configuration with `sops` secret management, `home
## Research topics ## Research topics
- Look into this for auto rotating sops keys `https://technotim.live/posts/rotate-sops-encryption-keys/` - Look into this for auto rotating sops keys `https://technotim.live/posts/rotate-sops-encryption-keys/`
- Look into this for npins https://jade.fyi/blog/pinning-nixos-with-npins/ - Look into this for flake templates https://nix.dev/manual/nix/2.22/command-ref/new-cli/nix3-flake-init
- https://nixos-and-flakes.thiscute.world/ - https://nixos-and-flakes.thiscute.world/
- nix config mcp https://github.com/utensils/mcp-nixos
# Tasks: # Tasks:
## Tech Debt ## Tech Debt
- monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/) - monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/)
- syncthing folder passwords
- nfs export should be backed by the same values for server and client - nfs export should be backed by the same values for server and client
## New Features ## New Features
- crab-hole
- figure out why syncthing and jellyfins permissions don't propagate downwards
- figure out steam vr things?
- auto turn off on power loss - nut
- zfs email after scrubbing # TODO: test this
- SMART test with email results
- fix nfs
- samba mounts
- offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs) - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
- Create Tor guard/relay server - samba mounts
- migrate away from flakes and move to npins - figure out steam vr things?
- whisper - Open GL?
- figure out ai vs code plugin - rotate sops encryption keys periodically (and somehow sync between devices?)
- nix mcp - zfs email after scrubbing # TODO: test this
- wake on LAN for updates
- ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix
- zfs encryption FIDO2 2fa (look into shavee) - zfs encryption FIDO2 2fa (look into shavee)
- Secure Boot - https://github.com/nix-community/lanzaboote - Secure Boot - https://github.com/nix-community/lanzaboote
- rotate sops encryption keys periodically (and somehow sync between devices?) - SMART test with email results
- wake on LAN for updates - Create Tor guard/relay server
- remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html - remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html
- ISO target that contains authorized keys for nixos-anywhere https://github.com/diegofariasm/yggdrasil/blob/4acc43ebc7bcbf2e41376d14268e382007e94d78/hosts/bootstrap/default.nix - migrate away from flakes and move to npins
- fix nfs
- fix home assistant
- create adguard server

45
configurations/home-manager/leyla/dconf.nix
View file

@ -1,23 +1,26 @@
{pkgs, ...}: { {pkgs, ...}: {
config = { config = {
gnome = {
extraWindowControls = true;
colorScheme = "prefer-dark";
clockFormat = "24h";
extensions = [
pkgs.gnomeExtensions.dash-to-dock
];
hotkeys = {
"Open Terminal" = {
binding = "<Super>t";
command = "kgx";
};
};
};
dconf = { dconf = {
enable = true; enable = true;
settings = { settings = {
"org/gnome/desktop/interface".color-scheme = "prefer-dark";
"org/gnome/desktop/wm/preferences".button-layout = ":minimize,maximize,close";
"org/gnome/shell" = {
disable-user-extensions = false; # enables user extensions
enabled-extensions = [
# Put UUIDs of extensions that you want to enable here.
# If the extension you want to enable is packaged in nixpkgs,
# you can easily get its UUID by accessing its extensionUuid
# field (look at the following example).
pkgs.gnomeExtensions.dash-to-dock.extensionUuid
# Alternatively, you can manually pass UUID as a string.
# "dash-to-dock@micxgx.gmail.com"
];
};
"org/gnome/shell/extensions/dash-to-dock" = { "org/gnome/shell/extensions/dash-to-dock" = {
"dock-position" = "LEFT"; "dock-position" = "LEFT";
"intellihide-mode" = "ALL_WINDOWS"; "intellihide-mode" = "ALL_WINDOWS";
@ -26,6 +29,18 @@
"show-mounts" = false; "show-mounts" = false;
}; };
"org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = [
"/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/"
];
};
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = {
binding = "<Super>t";
command = "kgx";
name = "Open Terminal";
};
"org/gnome/shell" = { "org/gnome/shell" = {
favorite-apps = ["org.gnome.Nautilus.desktop" "firefox.desktop" "codium.desktop" "steam.desktop" "org.gnome.Console.desktop"]; favorite-apps = ["org.gnome.Nautilus.desktop" "firefox.desktop" "codium.desktop" "steam.desktop" "org.gnome.Console.desktop"];
# app-picker-layout = # app-picker-layout =

26
configurations/home-manager/leyla/default.nix
View file

@ -82,5 +82,31 @@
# EDITOR = "emacs"; # EDITOR = "emacs";
}; };
}; };
user = {
continue = {
enable = true;
docs = {
"Continue Docs" = {
startUrl = "https://docs.continue.dev";
};
"Nixpkgs" = {
startUrl = "https://ryantm.github.io/nixpkgs/#preface";
};
"Nix Manual" = {
startUrl = "https://nixos.org/manual/nixos/stable/";
};
"Home manager Manual" = {
startUrl = "https://nix-community.github.io/home-manager/";
};
"Nix Docs" = {
startUrl = "https://nix.dev/index.html";
};
"Linux Man Page" = {
startUrl = "https://linux.die.net/man/";
};
};
};
};
}; };
} }

2
configurations/home-manager/leyla/packages/default.nix
View file

@ -69,6 +69,8 @@ in {
(with pkgs; [ (with pkgs; [
aileron aileron
gnomeExtensions.dash-to-dock
proxmark3 proxmark3
]) ])
++ ( ++ (

125
configurations/home-manager/leyla/packages/vscode/default.nix
View file

@ -1,24 +1,31 @@
{ {
lib, lib,
pkgs, pkgs,
inputs,
config, config,
osConfig, osConfig,
... ...
}: let }: let
nix-development-enabled = osConfig.host.nix-development.enable; nix-development-enabled = osConfig.host.nix-development.enable;
ai-tooling-enabled = osConfig.host.ai.enable; ai-tooling-enabled = config.user.continue.enable && osConfig.host.ai.enable;
in { in {
imports = [
./user-words.nix
];
config = lib.mkIf config.user.isDesktopUser { config = lib.mkIf config.user.isDesktopUser {
nixpkgs = {
overlays = [
inputs.nix-vscode-extensions.overlays.default
];
};
programs = { programs = {
bash.shellAliases = { bash.shellAliases = {
code = "codium"; code = "codium";
}; };
vscode = { vscode = let
extensions = inputs.nix-vscode-extensions.extensions.${pkgs.system};
open-vsx = extensions.open-vsx;
vscode-marketplace = extensions.vscode-marketplace;
in {
package = pkgs.vscodium; package = pkgs.vscodium;
mutableExtensionsDir = false; mutableExtensionsDir = false;
@ -30,6 +37,7 @@ in {
userSettings = lib.mkMerge [ userSettings = lib.mkMerge [
{ {
"workbench.colorTheme" = "Atom One Dark"; "workbench.colorTheme" = "Atom One Dark";
"cSpell.userWords" = import ./user-words.nix;
"javascript.updateImportsOnFileMove.enabled" = "always"; "javascript.updateImportsOnFileMove.enabled" = "always";
"editor.tabSize" = 2; "editor.tabSize" = 2;
"editor.insertSpaces" = false; "editor.insertSpaces" = false;
@ -44,75 +52,64 @@ in {
"editor.formatOnType" = true; "editor.formatOnType" = true;
}; };
"alejandra.program" = "alejandra"; "alejandra.program" = "alejandra";
"nixpkgs" = {
"expr" = "import <nixpkgs> {}";
};
}) })
(lib.mkIf ai-tooling-enabled { (lib.mkIf ai-tooling-enabled {
}) "continue.telemetryEnabled" = false;
})
]; ];
extensions = let extensions = (
extension-pkgs = pkgs.nix-vscode-extensions.forVSCodeVersion config.programs.vscode.package.version; with open-vsx;
in ( [
( # vs code feel extensions
with extension-pkgs.open-vsx; ( ms-vscode.atom-keybindings
[ akamud.vscode-theme-onedark
# vs code feel extensions streetsidesoftware.code-spell-checker
ms-vscode.atom-keybindings streetsidesoftware.code-spell-checker-german
akamud.vscode-theme-onedark streetsidesoftware.code-spell-checker-italian
streetsidesoftware.code-spell-checker jeanp413.open-remote-ssh
streetsidesoftware.code-spell-checker-german
streetsidesoftware.code-spell-checker-italian
jeanp413.open-remote-ssh
# html extensions # html extensions
formulahendry.auto-rename-tag formulahendry.auto-rename-tag
ms-vscode.live-server ms-vscode.live-server
# js extensions # js extensions
dsznajder.es7-react-js-snippets dsznajder.es7-react-js-snippets
dbaeumer.vscode-eslint dbaeumer.vscode-eslint
standard.vscode-standard standard.vscode-standard
orta.vscode-jest firsttris.vscode-jest-runner
stylelint.vscode-stylelint stylelint.vscode-stylelint
tauri-apps.tauri-vscode tauri-apps.tauri-vscode
# go extensions # go extensions
golang.go golang.go
# astro blog extensions # astro blog extensions
astro-build.astro-vscode astro-build.astro-vscode
unifiedjs.vscode-mdx unifiedjs.vscode-mdx
# misc extensions # misc extensions
tamasfe.even-better-toml tamasfe.even-better-toml
] ]
++ (lib.lists.optionals nix-development-enabled [ ++ (lib.lists.optionals nix-development-enabled [
# nix extensions # nix extensions
pinage404.nix-extension-pack pinage404.nix-extension-pack
jnoortheen.nix-ide jnoortheen.nix-ide
kamadorueda.alejandra kamadorueda.alejandra
]) ])
) ++ (
) with vscode-marketplace;
++ ( [
with extension-pkgs.vscode-marketplace; ( # js extensions
[ karyfoundation.nearley
# js extensions ]
karyfoundation.nearley ++ (lib.lists.optionals ai-tooling-enabled [
] continue.continue
++ (lib.lists.optionals ai-tooling-enabled [
]) ])
) )
)
++ (
with pkgs.codium-extensions; (
[]
++ (
lib.lists.optionals ai-tooling-enabled [
ai-code
]
)
)
)
); );
}; };
}; };

75
configurations/home-manager/leyla/packages/vscode/user-words.nix
View file

@ -1,69 +1,6 @@
{...}: { [
config.programs.vscode.profiles.default.userSettings = { "leyla"
"cSpell.userWords" = [ "webdav"
"leyla" "ollama"
"ollama" "optimise"
"webdav" ]
"pname"
"direnv"
"deepseek"
"qwen"
"syncthing"
"immich"
"sonos"
"makemkv"
"hass"
"qbittorent"
"prostudiomasters"
"tmpfiles"
"networkmanager"
"Networkd"
"networkmanager"
"dialout"
"adbusers"
"protonmail"
"authkey"
"netdevs"
"atomix"
"geary"
"gedit"
"hitori"
"iagno"
"alsa"
"timezoned"
"pipewire"
"pulseaudio"
"rtkit"
"disko"
"ashift"
"autotrim"
"canmount"
"mountpoint"
"xattr"
"acltype"
"relatime"
"keyformat"
"keylocation"
"vdevs"
# codium extensions
"akamud"
"onedark"
"jeanp"
"dsznajder"
"dbaeumer"
"orta"
"tauri"
"unifiedjs"
"tamasfe"
"pinage"
"jnoortheen"
"kamadorueda"
"karyfoundation"
"nearley"
# nix.optimise is spelled wrong
"optimise"
];
};
}

36
configurations/nixos/defiant/configuration.nix
View file

@ -17,12 +17,6 @@
"services/zfs_smtp_token" = { "services/zfs_smtp_token" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml"; sopsFile = "${inputs.secrets}/defiant-services.yaml";
}; };
"services/paperless_password" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml";
mode = "0700";
owner = "paperless";
group = "paperless";
};
}; };
host = { host = {
@ -115,6 +109,13 @@
}; };
}; };
}; };
# home-assistant = {
# enable = false;
# subdomain = "home";
# };
adguardhome = {
enable = false;
};
}; };
systemd.network = { systemd.network = {
@ -201,7 +202,7 @@
autoSnapshot.enable = true; autoSnapshot.enable = true;
}; };
# temp enable desktop environment for setup # temp enable desktop enviroment for setup
# Enable the X11 windowing system. # Enable the X11 windowing system.
xserver.enable = true; xserver.enable = true;
@ -281,23 +282,10 @@
subdomain = "search"; subdomain = "search";
}; };
home-assistant = { virt-home-assistant = {
enable = true; enable = false;
subdomain = "home"; networkBridge = "bond0";
openFirewall = true; hostDevice = "0x10c4:0xea60";
database = "postgres";
extensions = {
sonos.enable = true;
jellyfin.enable = true;
wyoming.enable = true;
};
};
paperless = {
enable = true;
subdomain = "documents";
passwordFile = config.sops.secrets."services/paperless_password".path;
}; };
qbittorrent = { qbittorrent = {

7
configurations/nixos/horizon/configuration.nix
View file

@ -126,13 +126,6 @@
}; };
syncthing.enable = true; syncthing.enable = true;
ollama = {
enable = true;
loadModels = [
"llama3.1:8b"
];
};
}; };
# Enable touchpad support (enabled default in most desktopManager). # Enable touchpad support (enabled default in most desktopManager).

56
flake.lock generated
View file

@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1752113600, "lastModified": 1750680230,
"narHash": "sha256-7LYDxKxZgBQ8LZUuolAQ8UkIB+jb4A2UmiR+kzY9CLI=", "narHash": "sha256-kD88T/NqmcgfOBFAwphN30ccaUdj6K6+LG0XdM2w2LA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "79264292b7e3482e5702932949de9cbb69fedf6d", "rev": "8fd2d6c75009ac75f9a6fb18c33a239806778d01",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -28,11 +28,11 @@
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1752379414, "lastModified": 1750737804,
"narHash": "sha256-0R3slhrjrnzyxR/fAYy5UliZvSgaVS38YCESBdH5RJw=", "narHash": "sha256-wClGd2PhxdjjphR6wIgoiDcR+Gfg4/+FyseSOjIIzVU=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "51e77bb95540b7dd6c60f8fd65a0c472a2c9c3b7", "rev": "aaaf4fec792bad465ea4a35c0be5bc2a54f33095",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -115,11 +115,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1752467539, "lastModified": 1750730235,
"narHash": "sha256-4kaR+xmng9YPASckfvIgl5flF/1nAZOplM+Wp9I5SMI=", "narHash": "sha256-rZErlxiV7ssvI8t7sPrKU+fRigNc2KvoKZG3gtUtK50=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "1e54837569e0b80797c47be4720fab19e0db1616", "rev": "d07e9cceb4994ed64a22b9b36f8b76923e87ac38",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -185,11 +185,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1751313918, "lastModified": 1750618568,
"narHash": "sha256-HsJM3XLa43WpG+665aGEh8iS8AfEwOIQWk3Mke3e7nk=", "narHash": "sha256-w9EG5FOXrjXGfbqCcQg9x1lMnTwzNDW5BMXp8ddy15E=",
"owner": "LnL7", "owner": "LnL7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "e04a388232d9a6ba56967ce5b53a8a6f713cdfcf", "rev": "1dd19f19e4b53a1fd2e8e738a08dd5fe635ec7e5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -227,11 +227,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1752459325, "lastModified": 1750730765,
"narHash": "sha256-46TgjdxT02a4nFd9HCXCf8kK5ZSH7r9gYROLtc8zVOg=", "narHash": "sha256-MIcOcvxqAXUv2TJjf19aVXdtVrD8Gkcfi4W4pKkT0Lw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "61c2e99ebd586f463a6c0ebe3d931e74883b163d", "rev": "1a1442e13dc1730de0443f80dcf02658365e999a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -242,11 +242,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1752048960, "lastModified": 1750431636,
"narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=", "narHash": "sha256-vnzzBDbCGvInmfn2ijC4HsIY/3W1CWbwS/YQoFgdgPg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806", "rev": "1552a9f4513f3f0ceedcf90320e48d3d47165712",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -258,11 +258,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1751984180, "lastModified": 1750506804,
"narHash": "sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X+xgOL0=", "narHash": "sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0", "rev": "4206c4cb56751df534751b058295ea61357bbbaa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -293,11 +293,11 @@
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1752531440, "lastModified": 1749061163,
"narHash": "sha256-04tQ3EUrtmZ7g6fVUkZC4AbAG+Z7lng79qU3jsiqWJY=", "narHash": "sha256-WflcbitH7ErNZBFqZCdy1ODUqKF51xbu2zYfqA35+1M=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "f016767c13aa36dde91503f7a9f01bdd02468045", "rev": "1c5c059c0c7b6ce691993262fe10a2b63e1c31ba",
"revCount": 20, "revCount": 19,
"type": "git", "type": "git",
"url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git" "url": "ssh://git@git.jan-leila.com/jan-leila/nix-config-secrets.git"
}, },
@ -313,11 +313,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1751606940, "lastModified": 1750119275,
"narHash": "sha256-KrDPXobG7DFKTOteqdSVeL1bMVitDcy7otpVZWDE6MA=", "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "3633fc4acf03f43b260244d94c71e9e14a2f6e0d", "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2",
"type": "github" "type": "github"
}, },
"original": { "original": {

1
modules/common-modules/overlays/default.nix
View file

@ -2,6 +2,5 @@
{inputs, ...}: { {inputs, ...}: {
nixpkgs.overlays = [ nixpkgs.overlays = [
inputs.steam-fetcher.overlays.default inputs.steam-fetcher.overlays.default
inputs.nix-vscode-extensions.overlays.default
]; ];
} }

42
modules/common-modules/pkgs/codium-extensions/ai-code.nix
View file

@ -1,42 +0,0 @@
{
buildNpmPackage,
vscode-utils,
pkgs,
...
}: let
version = "0.0.1";
pname = "ai-code";
publisher = "jan-leila";
vsix = buildNpmPackage {
inherit version pname;
src = builtins.fetchGit {
url = "ssh://git@git.jan-leila.com/jan-leila/ai-code.git";
rev = "480b51830602b28009e6b5c5014e7e2970a0a3b3";
};
npmDepsHash = "sha256-WxLb+e0itOCIRXpVOjcbPm6QNWbdSKZOPeXLyOa4ROQ=";
nativeBuildInputs = with pkgs; [
vsce
];
buildPhase = ''
${pkgs.vsce}/bin/vsce package -o ${pname}.zip
'';
installPhase = ''
mkdir -p $out
mv ${pname}.zip $out/${pname}.zip
'';
};
in
vscode-utils.buildVscodeExtension {
inherit pname version;
src = "${vsix}/${pname}.zip";
vscodeExtUniqueId = "${publisher}.${pname}";
vscodeExtPublisher = publisher;
vscodeExtName = pname;
}

3
modules/common-modules/pkgs/codium-extensions/default.nix
View file

@ -1,3 +0,0 @@
{pkgs, ...}: {
ai-code = pkgs.callPackage ./ai-code.nix {};
}

3
modules/common-modules/pkgs/default.nix
View file

@ -19,8 +19,5 @@
(final: prev: { (final: prev: {
gdx-liftoff = pkgs.callPackage ./gdx-liftoff.nix {}; gdx-liftoff = pkgs.callPackage ./gdx-liftoff.nix {};
}) })
(final: prev: {
codium-extensions = pkgs.callPackage ./codium-extensions {};
})
]; ];
} }

73
modules/home-manager-modules/continue.nix Normal file
View file

@ -0,0 +1,73 @@
{
lib,
pkgs,
config,
osConfig,
...
}: let
ai-tooling-enabled = config.user.continue.enable && osConfig.host.ai.enable;
in {
options.user.continue = {
enable = lib.mkEnableOption "should continue be enabled on this machine";
docs = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
options = {
name = lib.mkOption {
type = lib.types.str;
default = name;
};
startUrl = lib.mkOption {
type = lib.types.str;
};
};
}));
};
context = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
options = {
provider = lib.mkOption {
type = lib.types.str;
default = name;
};
};
}));
default = {
"code" = {};
"docs" = {};
"diff" = {};
"terminal" = {};
"problems" = {};
"folder" = {};
"codebase" = {};
};
};
};
config =
lib.mkIf ai-tooling-enabled
(lib.mkMerge [
{
home = {
file = {
".continue/config.yaml".source = (pkgs.formats.yaml {}).generate "continue-config" {
name = "Assistant";
version = "1.0.0";
schema = "v1";
models = lib.attrsets.attrValues osConfig.host.ai.models;
context = lib.attrsets.attrValues config.user.continue.context;
docs = lib.attrsets.attrValues config.user.continue.docs;
};
};
};
}
(lib.mkIf osConfig.host.impermanence.enable {
home.persistence."/persist${config.home.homeDirectory}" = {
directories = [
".continue/index"
".continue/sessions"
];
allowOther = true;
};
})
]);
}

2
modules/home-manager-modules/default.nix
View file

@ -6,7 +6,7 @@
./flipperzero.nix ./flipperzero.nix
./i18n.nix ./i18n.nix
./openssh.nix ./openssh.nix
./gnome.nix ./continue.nix
./programs ./programs
]; ];
} }

106
modules/home-manager-modules/gnome.nix
View file

@ -1,106 +0,0 @@
{
lib,
config,
...
}: {
options.gnome = {
extraWindowControls = lib.mkEnableOption "Should we add back in the minimize and maximize window controls?";
clockFormat = lib.mkOption {
type = lib.types.enum [
"12h"
"24h"
];
default = "24h";
};
colorScheme = lib.mkOption {
type = lib.types.enum [
"default"
"prefer-dark"
"prefer-light"
];
default = "default";
};
accentColor = lib.mkOption {
type = lib.types.enum [
"blue"
"teal"
"green"
"yellow"
"orange"
"red"
"pink"
"purple"
"slate"
];
default = "blue";
};
extensions = lib.mkOption {
type = lib.types.listOf lib.types.package;
default = [];
description = "The set of extensions to install and enable in the user environment.";
};
hotkeys = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
options = {
key = lib.mkOption {
type = lib.types.strMatching "[a-zA-Z0-9-]+";
default = builtins.replaceStrings [" " "/" "_"] ["-" "-" "-"] name;
};
name = lib.mkOption {
type = lib.types.str;
default = name;
};
binding = lib.mkOption {
type = lib.types.str;
};
command = lib.mkOption {
type = lib.types.str;
};
};
}));
default = {};
};
};
config = {
home.packages = config.gnome.extensions;
dconf = {
settings = lib.mkMerge [
{
"org/gnome/shell" = {
disable-user-extensions = false; # enables user extensions
enabled-extensions = builtins.map (extension: extension.extensionUuid) config.gnome.extensions;
};
"org/gnome/desktop/wm/preferences".button-layout = lib.mkIf config.gnome.extraWindowControls ":minimize,maximize,close";
"org/gnome/desktop/interface".color-scheme = config.gnome.colorScheme;
"org/gnome/desktop/interface".accent-color = config.gnome.accentColor;
"org/gnome/desktop/interface".clock-format = config.gnome.clockFormat;
}
(
lib.mkMerge (
builtins.map (value: let
entry = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/${value.key}";
in {
${entry} = {
binding = value.binding;
command = value.command;
name = value.name;
};
"org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = [
"/${entry}/"
];
};
})
(
lib.attrsets.mapAttrsToList (_: value: value) config.gnome.hotkeys
)
)
)
];
};
};
}

28
modules/home-manager-modules/programs/anki.nix
View file

@ -1,15 +1,29 @@
{ {
lib, lib,
pkgs,
config, config,
osConfig, osConfig,
... ...
}: { }: {
config = lib.mkIf (config.programs.anki.enable && osConfig.host.impermanence.enable) { options.programs.anki = {
home.persistence."/persist${config.home.homeDirectory}" = { enable = lib.mkEnableOption "enable anki";
directories = [
"${config.xdg.dataHome}/Anki2/"
];
allowOther = true;
};
}; };
config = lib.mkIf config.programs.anki.enable (lib.mkMerge [
{
home.packages = with pkgs; [
anki
];
}
(
lib.mkIf osConfig.host.impermanence.enable {
home.persistence."/persist${config.home.homeDirectory}" = {
directories = [
"${config.xdg.dataHome}/Anki2/"
];
allowOther = true;
};
}
)
]);
} }

2
modules/nixos-modules/desktop.nix
View file

@ -22,7 +22,7 @@
gnome-characters # character set viewer gnome-characters # character set viewer
gnome-music # music player gnome-music # music player
gnome-photos # photo viewer gnome-photos # photo viewer
gnome-logs # log viewer gnome-logs # log viwer
gnome-maps # map viewer gnome-maps # map viewer
gnome-tour # welcome tour gnome-tour # welcome tour
hitori # sudoku game hitori # sudoku game

12
modules/nixos-modules/impermanence.nix
View file

@ -25,18 +25,6 @@
} }
]; ];
# fixes issues with /var/lib/private not having the correct permissions https://github.com/nix-community/impermanence/issues/254
system.activationScripts."createPersistentStorageDirs".deps = ["var-lib-private-permissions" "users" "groups"];
system.activationScripts = {
"var-lib-private-permissions" = {
deps = ["specialfs"];
text = ''
mkdir -p /persist/system/root/var/lib/private
chmod 0700 /persist/system/root/var/lib/private
'';
};
};
programs.fuse.userAllowOther = true; programs.fuse.userAllowOther = true;
boot.initrd.postResumeCommands = lib.mkAfter '' boot.initrd.postResumeCommands = lib.mkAfter ''

4
modules/nixos-modules/ollama.nix
View file

@ -28,6 +28,10 @@
}; };
})) }))
(lib.mkIf config.host.impermanence.enable { (lib.mkIf config.host.impermanence.enable {
# TODO: move this somewhere common
systemd.tmpfiles.rules = [
"d /var/lib/private 0700 root root"
];
environment.persistence."/persist/system/root" = { environment.persistence."/persist/system/root" = {
enable = true; enable = true;
hideMounts = true; hideMounts = true;

72
modules/nixos-modules/server/adguardhome.nix Normal file
View file

@ -0,0 +1,72 @@
{
lib,
config,
...
}: let
dnsPort = 53;
in {
options.host.adguardhome = {
enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
directory = lib.mkOption {
type = lib.types.str;
default = "/var/lib/AdGuardHome/";
};
};
config = lib.mkIf config.host.adguardhome.enable (lib.mkMerge [
{
services.adguardhome = {
enable = true;
mutableSettings = false;
settings = {
dns = {
bootstrap_dns = [
"1.1.1.1"
"9.9.9.9"
];
upstream_dns = [
"dns.quad9.net"
];
};
filtering = {
protection_enabled = true;
filtering_enabled = true;
parental_enabled = false; # Parental control-based DNS requests filtering.
safe_search = {
enabled = false; # Enforcing "Safe search" option for search engines, when possible.
};
};
# The following notation uses map
# to not have to manually create {enabled = true; url = "";} for every filter
# This is, however, fully optional
filters =
map (url: {
enabled = true;
url = url;
}) [
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt"
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist
];
};
};
networking.firewall.allowedTCPPorts = [
dnsPort
];
}
(lib.mkIf config.host.impermanence.enable {
environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = config.host.adguardhome.directory;
user = "adguardhome";
group = "adguardhome";
}
];
};
})
]);
}

5
modules/nixos-modules/server/default.nix
View file

@ -8,10 +8,9 @@
./jellyfin.nix ./jellyfin.nix
./forgejo.nix ./forgejo.nix
./searx.nix ./searx.nix
./home-assistant.nix ./virt-home-assistant.nix
./wyoming.nix ./adguardhome.nix
./immich.nix ./immich.nix
./qbittorent.nix ./qbittorent.nix
./paperless.nix
]; ];
} }

24
modules/nixos-modules/server/fail2ban.nix
View file

@ -16,6 +16,20 @@ in {
failregex = "limiting requests, excess:.* by zone.*client: <HOST>" failregex = "limiting requests, excess:.* by zone.*client: <HOST>"
'') '')
); );
# "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
# pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
# [INCLUDES]
# before = common.conf
# [Definition]
# failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
# ignoreregex =
# [Init]
# datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
# '')
# );
}; };
services.fail2ban = { services.fail2ban = {
@ -47,6 +61,16 @@ in {
bantime = 600; bantime = 600;
maxretry = 5; maxretry = 5;
}; };
# home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
# enabled = true;
# filter = "hass";
# action = ''iptables-multiport[name=HTTP, port="http,https"]'';
# logpath = "${config.services.home-assistant.configDir}/*.log";
# backend = "auto";
# findtime = 600;
# bantime = 600;
# maxretry = 5;
# };
# TODO; figure out if there is any fail2ban things we can do on searx # TODO; figure out if there is any fail2ban things we can do on searx
# searx-iptables.settings = lib.mkIf config.services.searx.enable {}; # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
}; };

6
modules/nixos-modules/server/forgejo.nix
View file

@ -28,12 +28,6 @@ in {
extraUsers = { extraUsers = {
${db_user} = { ${db_user} = {
isClient = true; isClient = true;
createUser = true;
};
};
extraDatabases = {
${db_user} = {
name = db_user;
}; };
}; };
}; };

309
modules/nixos-modules/server/home-assistant.nix
View file

@ -1,229 +1,130 @@
{ {
lib, lib,
pkgs,
config, config,
inputs,
... ...
}: let }: let
configDir = "/var/lib/hass"; configDir = "/var/lib/hass";
dbUser = "hass";
in { in {
options.services.home-assistant = { options.host.home-assistant = {
enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
subdomain = lib.mkOption { subdomain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that home-assistant will be hosted at"; description = "subdomain of base domain that home-assistant will be hosted at";
default = "home-assistant"; default = "home-assistant";
}; };
database = lib.mkOption {
type = lib.types.enum [
"builtin"
"postgres"
];
description = "what database do we want to use";
default = "builtin";
};
extensions = {
sonos = {
enable = lib.mkEnableOption "enable the sonos plugin";
port = lib.mkOption {
type = lib.types.int;
default = 1400;
description = "what port to use for sonos discovery";
};
};
jellyfin = {
enable = lib.mkEnableOption "enable the jellyfin plugin";
};
wyoming = {
enable = lib.mkEnableOption "enable wyoming";
};
};
}; };
config = lib.mkIf config.services.home-assistant.enable (lib.mkMerge [ config = lib.mkIf config.host.home-assistant.enable (lib.mkMerge [
{ {
host = { virtualisation.libvirt = {
reverse_proxy.subdomains.${config.services.home-assistant.subdomain} = { swtpm.enable = true;
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}"; connections."qemu:///session" = {
networks = [
websockets.enable = true; {
forwardHeaders.enable = true; definition = inputs.nix-virt.lib.network.writeXML (inputs.nix-virt.lib.network.templates.bridge
{
extraConfig = '' uuid = "d57e37e2-311f-4e5c-a484-97c2210c2770";
add_header Upgrade $http_upgrade; subnet_byte = 71;
add_header Connection \"upgrade\"; });
active = true;
proxy_buffering off; }
proxy_read_timeout 90;
'';
};
};
services.home-assistant = {
configDir = configDir;
extraComponents = [
"default_config"
"esphome"
"met"
"radio_browser"
"isal"
"zha"
"webostv"
"tailscale"
"syncthing"
"analytics_insights"
"unifi"
"openweathermap"
"ollama"
"mobile_app"
"logbook"
"ssdp"
"usb"
"webhook"
"bluetooth"
"dhcp"
"energy"
"history"
"backup"
"assist_pipeline"
"conversation"
"sun"
"zeroconf"
"cpuspeed"
];
config = {
http = {
server_port = 8123;
use_x_forwarded_for = true;
trusted_proxies = ["127.0.0.1" "::1"];
ip_ban_enabled = true;
login_attempts_threshold = 10;
};
homeassistant = {
external_url = "https://${config.services.home-assistant.subdomain}.${config.host.reverse_proxy.hostname}";
# internal_url = "http://192.168.1.2:8123";
};
recorder.db_url = "postgresql://@/${dbUser}";
"automation manual" = [];
"automation ui" = "!include automations.yaml";
mobile_app = {};
};
extraPackages = python3Packages:
with python3Packages; [
hassil
numpy
gtts
]; ];
domains = [
{
definition = inputs.nix-virt.lib.domain.writeXML (inputs.nix-virt.lib.domain.templates.linux
{
name = "Home Assistant";
uuid = "c5cc0efc-6101-4c1d-be31-acbba203ccde";
memory = {
count = 4;
unit = "GiB";
};
# storage_vol = {
# pool = "MyPool";
# volume = "Penguin.qcow2";
# };
});
}
];
};
}; };
# TODO: configure /var/lib/hass/secrets.yaml via sops # systemd.tmpfiles.rules = [
# "f ${config.services.home-assistant.configDir}/automations.yaml 0755 hass hass"
# ];
# services.home-assistant = {
# enable = true;
# configDir = configDir;
# extraComponents = [
# "met"
# "radio_browser"
# "isal"
# "zha"
# "jellyfin"
# "webostv"
# "tailscale"
# "syncthing"
# "sonos"
# "analytics_insights"
# "unifi"
# "openweathermap"
# ];
# config = {
# http = {
# server_port = 8082;
# use_x_forwarded_for = true;
# trusted_proxies = ["127.0.0.1" "::1"];
# ip_ban_enabled = true;
# login_attempts_threshold = 10;
# };
# # recorder.db_url = "postgresql://@/${db_user}";
# "automation manual" = [];
# "automation ui" = "!include automations.yaml";
# };
# extraPackages = python3Packages:
# with python3Packages; [
# hassil
# numpy
# gtts
# ];
# };
# host = {
# reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = {
# target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
networking.firewall.allowedUDPPorts = [ # websockets.enable = true;
1900 # forwardHeaders.enable = true;
];
systemd.tmpfiles.rules = [ # extraConfig = ''
"f ${config.services.home-assistant.configDir}/automations.yaml 0755 hass hass" # add_header Upgrade $http_upgrade;
]; # add_header Connection \"upgrade\";
# proxy_buffering off;
# proxy_read_timeout 90;
# '';
# };
# };
} }
(lib.mkIf (config.services.home-assistant.extensions.sonos.enable) {
services.home-assistant.extraComponents = ["sonos"];
networking.firewall.allowedTCPPorts = [
config.services.home-assistant.extensions.sonos.port
];
})
(lib.mkIf (config.services.home-assistant.extensions.jellyfin.enable) {
services.home-assistant.extraComponents = ["jellyfin"];
# TODO: configure port, address, and login information here
})
(lib.mkIf (config.services.home-assistant.extensions.wyoming.enable) {
services.home-assistant.extraComponents = ["wyoming"];
services.wyoming.enable = true;
})
(lib.mkIf (config.services.home-assistant.database == "postgres") {
host = {
postgres = {
enable = true;
extraUsers = {
${dbUser} = {
isClient = true;
createUser = true;
};
};
extraDatabases = {
${dbUser} = {
name = dbUser;
};
};
};
};
services.home-assistant = {
extraPackages = python3Packages:
with python3Packages; [
psycopg2
];
};
systemd.services.home-assistant = {
requires = [
config.systemd.services.postgresql.name
];
};
})
(lib.mkIf config.services.fail2ban.enable {
environment.etc = {
"fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[INCLUDES]
before = common.conf
[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
ignoreregex =
[Init]
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
'')
);
};
services.fail2ban = {
jails = {
home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
enabled = true;
filter = "hass";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.home-assistant.configDir}/*.log";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
};
};
})
(lib.mkIf config.host.impermanence.enable { (lib.mkIf config.host.impermanence.enable {
assertions = [ # assertions = [
{ # {
assertion = config.services.home-assistant.configDir == configDir; # assertion = config.services.home-assistant.configDir == configDir;
message = "home assistant config directory does not match persistence"; # message = "home assistant config directory does not match persistence";
} # }
]; # ];
environment.persistence."/persist/system/root" = { # environment.persistence."/persist/system/root" = {
enable = true; # enable = true;
hideMounts = true; # hideMounts = true;
directories = [ # directories = [
{ # {
directory = configDir; # directory = configDir;
user = "hass"; # user = "hass";
group = "hass"; # group = "hass";
} # }
]; # ];
}; # };
}) })
]); ]);
} }

4
modules/nixos-modules/server/jellyfin.nix
View file

@ -55,7 +55,7 @@ in {
} }
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/jellyfin.local".text = ( "fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter '' pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition] [Definition]
failregex = "^.*Authentication request for .* has been denied \\\(IP: \"<ADDR>\"\\\)\\\." failregex = "^.*Authentication request for .* has been denied \\\(IP: \"<ADDR>\"\\\)\\\."
@ -65,7 +65,7 @@ in {
services.fail2ban = { services.fail2ban = {
jails = { jails = {
jellyfin-iptables.settings = { jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable {
enabled = true; enabled = true;
filter = "jellyfin"; filter = "jellyfin";
action = ''iptables-multiport[name=HTTP, port="http,https"]''; action = ''iptables-multiport[name=HTTP, port="http,https"]'';

110
modules/nixos-modules/server/paperless.nix
View file

@ -1,110 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
dataDir = "/var/lib/paperless";
in {
options.services.paperless = {
subdomain = lib.mkOption {
type = lib.types.str;
description = "subdomain of base domain that paperless will be hosted at";
default = "paperless";
};
database = {
user = lib.mkOption {
type = lib.types.str;
description = "what is the user and database that we are going to use for paperless";
default = "paperless";
};
};
};
config = lib.mkIf config.services.paperless.enable (lib.mkMerge [
{
host = {
reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
# allow large file uploads
client_max_body_size 50000M;
'';
};
postgres = {
enable = true;
extraUsers = {
${config.services.paperless.database.user} = {
isClient = true;
createUser = true;
};
};
extraDatabases = {
${config.services.paperless.database.user} = {
name = config.services.paperless.database.user;
};
};
};
};
services.paperless = {
configureTika = true;
settings = {
PAPERLESS_URL = "https://${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}";
PAPERLESS_DBENGINE = "postgresql";
PAPERLESS_DBHOST = "/run/postgresql";
PAPERLESS_DBNAME = config.services.paperless.database.user;
PAPERLESS_DBUSER = config.services.paperless.database.user;
};
};
}
(lib.mkIf config.services.fail2ban.enable {
environment.etc = {
"fail2ban/filter.d/paperless.local".text = (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>`\.$
ignoreregex =
'')
);
};
services.fail2ban = {
jails = {
paperless.settings = {
enabled = true;
filter = "paperless";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.paperless.dataDir}/log/*.log";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
};
};
})
(lib.mkIf config.host.impermanence.enable {
assertions = [
{
assertion = config.services.paperless.dataDir == dataDir;
message = "paperless data location does not match persistence";
}
];
environment.persistence."/persist/system/root" = {
directories = [
{
directory = dataDir;
user = "paperless";
group = "paperless";
}
];
};
})
]);
}

2
modules/nixos-modules/server/podman.nix
View file

@ -4,7 +4,7 @@
... ...
}: { }: {
options.host.podman = { options.host.podman = {
enable = lib.mkEnableOption "should podman be enabled on this computer"; enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
macvlan = { macvlan = {
subnet = lib.mkOption { subnet = lib.mkOption {
type = lib.types.str; type = lib.types.str;

155
modules/nixos-modules/server/virt-home-assistant.nix Normal file
View file

@ -0,0 +1,155 @@
{
config,
lib,
pkgs,
...
}: {
options.services.virt-home-assistant = {
enable = lib.mkEnableOption "Wether to enable home assistant virtual machine";
networkBridge = lib.mkOption {
type = lib.types.str;
description = "what network bridge should we attach to the image";
};
hostDevice = lib.mkOption {
type = lib.types.str;
description = "what host devices should be attached to the image";
};
initialVersion = lib.mkOption {
type = lib.types.str;
description = "what home assistant image version should we pull for initial instal";
default = "15.0";
};
imageName = lib.mkOption {
type = lib.types.str;
description = "where should the image be installed to";
default = "home-assistant.qcow2";
};
installLocation = lib.mkOption {
type = lib.types.str;
description = "where should the image be installed to";
default = "/etc/hass";
};
virtualMachineName = lib.mkOption {
type = lib.types.str;
description = "what name should we give the virtual machine";
default = "home-assistant";
};
subdomain = lib.mkOption {
type = lib.types.str;
description = "subdomain of base domain that home-assistant will be hosted at";
default = "home-assistant";
};
};
config = lib.mkIf config.services.virt-home-assistant.enable (lib.mkMerge [
{
# environment.systemPackages = with pkgs; [
# virt-manager
# ];
# TODO: move this to external module and just have an assertion here that its enabled
# enable virtualization on the system
virtualisation = {
libvirtd = {
enable = true;
qemu.ovmf.enable = true;
};
};
# TODO: deactivation script?
# create service to install and start the container
systemd.services.virt-install-home-assistant = let
# TODO: all of these need to be escaped to be used in commands reliably
bridgedNetwork = config.services.virt-home-assistant.networkBridge;
hostDevice = config.services.virt-home-assistant.hostDevice;
virtualMachineName = config.services.virt-home-assistant.virtualMachineName;
imageName = config.services.virt-home-assistant.imageName;
installLocation = config.services.virt-home-assistant.installLocation;
installImage = "${installLocation}/${imageName}";
initialVersion = config.services.virt-home-assistant.initialVersion;
home-assistant-qcow2 = pkgs.fetchurl {
name = "home-assistant.qcow2";
url = "https://github.com/home-assistant/operating-system/releases/download/${initialVersion}/haos_ova-${initialVersion}.qcow2.xz";
hash = "sha256-V1BEjvvLNbMMKJVyMCmipjQ/3owoJteeVxoF9LDHo1U=";
postFetch = ''
cp $out src.xz
rm -r $out
${pkgs.xz}/bin/unxz src.xz --stdout > $out/${imageName}
'';
};
# Write a script to install the Home Assistant OS qcow2 image
virtInstallScript = pkgs.writeShellScriptBin "virt-install-hass" ''
# Copy the initial image out of the package store to the install location if we don't have one yet
if [ ! -f ${installImage} ]; then
cp ${home-assistant-qcow2} ${installLocation}
fi
# Check if VM already exists, and other pre-conditions
if ! ${pkgs.libvirt}/bin/virsh list --all | grep -q ${virtualMachineName}; then
${pkgs.virt-manager}/bin/virt-install --name ${virtualMachineName} \
--description "Home Assistant OS" \
--os-variant=generic \
--boot uefi \
--ram=2048 \
--vcpus=2 \
--import \
--disk ${installImage},bus=sata \
--network bridge=${bridgedNetwork} \
--host-device ${hostDevice} \
--graphics none
${pkgs.libvirt}/bin/virsh autostart ${virtualMachineName}
fi
'';
in {
description = "Install and start Home Assistant";
wantedBy = ["multi-user.target"];
after = ["local-fs.target"];
requires = ["libvirtd.service"];
serviceConfig.Type = "oneshot";
serviceConfig = {
ExecStart = "${virtInstallScript}/bin/virt-install-hass";
};
};
# TODO: figure out what we need to proxy to the virtual image
# host = {
# reverse_proxy.subdomains.${config.services.virt-home-assistant.subdomain} = {
# target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
# websockets.enable = true;
# forwardHeaders.enable = true;
# extraConfig = ''
# add_header Upgrade $http_upgrade;
# add_header Connection \"upgrade\";
# proxy_buffering off;
# proxy_read_timeout 90;
# '';
# };
# };
}
(lib.mkIf config.services.fail2ban.enable {
# TODO: figure out how to write a config for this, prob based on nginx proxy logs?
})
(lib.mkIf config.host.impermanence.enable {
# assertions = [
# {
# assertion = config.services.virt-home-assistant.installLocation == configDir;
# message = "home assistant install location does not match persistence";
# }
# ];
environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = config.services.virt-home-assistant.installLocation;
}
];
};
})
]);
}

63
modules/nixos-modules/server/wyoming.nix
View file

@ -1,63 +0,0 @@
{
lib,
config,
...
}: {
options.services.wyoming.enable = lib.mkEnableOption "should wyoming be enabled on this device";
config = lib.mkIf config.services.wyoming.enable (lib.mkMerge [
{
services.wyoming = {
# Text to speech
piper = {
servers = {
"en" = {
enable = true;
# see https://github.com/rhasspy/rhasspy3/blob/master/programs/tts/piper/script/download.py
voice = "en-us-amy-low";
uri = "tcp://0.0.0.0:10200";
speaker = 0;
};
};
};
# Speech to text
faster-whisper = {
servers = {
"en" = {
enable = true;
# see https://github.com/rhasspy/rhasspy3/blob/master/programs/asr/faster-whisper/script/download.py
model = "tiny-int8";
language = "en";
uri = "tcp://0.0.0.0:10300";
device = "cpu";
};
};
};
openwakeword = {
enable = true;
uri = "tcp://0.0.0.0:10400";
preloadModels = [
"ok_nabu"
];
# TODO: custom models
};
};
# needs access to /proc/cpuinfo
systemd.services."wyoming-faster-whisper-en".serviceConfig.ProcSubset = lib.mkForce "all";
}
(lib.mkIf config.host.impermanence.enable {
environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = "/var/lib/private/wyoming";
mode = "0700";
}
];
};
})
]);
}

31
modules/nixos-modules/users.nix
View file

@ -17,13 +17,13 @@
eve = 1002; eve = 1002;
jellyfin = 2000; jellyfin = 2000;
forgejo = 2002; forgejo = 2002;
adguardhome = 2003;
hass = 2004; hass = 2004;
syncthing = 2007; syncthing = 2007;
ollama = 2008; ollama = 2008;
git = 2009; git = 2009;
immich = 2010; immich = 2010;
qbittorrent = 2011; qbittorrent = 2011;
paperless = 2012;
}; };
gids = { gids = {
@ -33,13 +33,13 @@
jellyfin_media = 2001; jellyfin_media = 2001;
jellyfin = 2000; jellyfin = 2000;
forgejo = 2002; forgejo = 2002;
adguardhome = 2003;
hass = 2004; hass = 2004;
syncthing = 2007; syncthing = 2007;
ollama = 2008; ollama = 2008;
git = 2009; git = 2009;
immich = 2010; immich = 2010;
qbittorrent = 2011; qbittorrent = 2011;
paperless = 2012;
}; };
users = config.users.users; users = config.users.users;
@ -127,6 +127,12 @@ in {
group = config.users.users.forgejo.name; group = config.users.users.forgejo.name;
}; };
adguardhome = {
uid = lib.mkForce uids.adguardhome;
isSystemUser = true;
group = config.users.users.adguardhome.name;
};
hass = { hass = {
uid = lib.mkForce uids.hass; uid = lib.mkForce uids.hass;
isSystemUser = true; isSystemUser = true;
@ -163,12 +169,6 @@ in {
isNormalUser = true; isNormalUser = true;
group = config.users.users.qbittorrent.name; group = config.users.users.qbittorrent.name;
}; };
paperless = {
uid = lib.mkForce uids.paperless;
isSystemUser = true;
group = config.users.users.paperless.name;
};
}; };
groups = { groups = {
@ -219,6 +219,14 @@ in {
]; ];
}; };
adguardhome = {
gid = lib.mkForce gids.adguardhome;
members = [
users.adguardhome.name
# leyla
];
};
hass = { hass = {
gid = lib.mkForce gids.hass; gid = lib.mkForce gids.hass;
members = [ members = [
@ -265,13 +273,6 @@ in {
leyla leyla
]; ];
}; };
paperless = {
gid = lib.mkForce gids.paperless;
members = [
users.paperless.name
];
};
}; };
}; };
} }

2
nix-config-secrets

@ -1 +1 @@
Subproject commit f016767c13aa36dde91503f7a9f01bdd02468045 Subproject commit 1c5c059c0c7b6ce691993262fe10a2b63e1c31ba

2
rebuild.sh
View file

@ -65,7 +65,7 @@ flake=${flake:-$target}
mode=${mode:-switch} mode=${mode:-switch}
user=${user:-$USER} user=${user:-$USER}
command="nixos-rebuild $mode --sudo --ask-sudo-password --flake .#$flake" command="nixos-rebuild $mode --use-remote-sudo --ask-sudo-password --flake .#$flake"
if [[ $host ]]; if [[ $host ]];
then then