

8 Commits

Author SHA1 Message Date
Agatha Lovelace e60bbd7f41
car_video.mp4 2024-11-22 17:33:30 +01:00
Agatha Lovelace 957a138ef6
Set up Transmission + Jellyfin 2024-11-22 17:33:01 +01:00
Agatha Lovelace 6318113c76
Configure Windows VM 2024-11-22 17:31:21 +01:00
Agatha Lovelace b108f84b8b
Configure Headscale 2024-11-22 17:30:26 +01:00
Agatha Lovelace 9300a07f5b
Set up Nix build server 2024-11-22 17:28:12 +01:00
Agatha Lovelace d1d94f9c24
Configure EarlyOOM 2024-11-22 17:26:56 +01:00
Agatha Lovelace b30f9a4f46
Cleanup / reformat 2024-11-22 17:26:16 +01:00
Agatha Lovelace 0d1378aa0d
:c 2024-11-22 17:01:30 +01:00
18 changed files with 593 additions and 254 deletions


@ -30,10 +30,12 @@
dogdns dogdns
du-dust du-dust
git git
headscale
imagemagick imagemagick
jq jq
killall killall
mtr mtr
nmap
openssl openssl
rsync rsync
sqlite-interactive sqlite-interactive
@ -41,6 +43,8 @@
xclip xclip
]; ];
services.tailscale.enable = true;
# 🥺 # 🥺
# security.please.enable = true; # security.please.enable = true;
} }


@ -0,0 +1,118 @@
{
config,
pkgs,
lib,
...
}:
{
imports = [ ./netns.nix ];
system.fsPackages = with pkgs; [
gocryptfs
cifs-utils
];
systemd.mounts = [
{
after = [ "network.target" ];
what = "//library.technogothic.net/backup";
where = "/mnt/library-raw";
type = "cifs";
options = "gid=users,file_mode=0664,dir_mode=0775";
mountConfig.EnvironmentFile = "/var/lib/secrets/hetzner-env";
}
{
what = "/mnt/library-raw";
where = "/mnt/library";
type = "fuse.gocryptfs";
options = "allow_other,passfile=/var/lib/secrets/gocryptfs-pass";
wantedBy = [ "multi-user.target" ];
}
];
systemd.services."container@transmission" = {
bindsTo = [ "ve-transmission.service" ];
after = [
"ve-transmission.service"
"mnt-library.mount"
];
};
containers.transmission = {
autoStart = true;
extraFlags = [ "--network-namespace-path=/run/netns/transmission" ];
bindMounts = {
"/var/lib/transmission" = {
hostPath = "/var/lib/transmission";
isReadOnly = false;
};
"/mnt/library" = {
hostPath = "/mnt/library";
isReadOnly = false;
};
"/etc/resolv.conf" = {
hostPath = toString (pkgs.writeText "resolv.conf" "nameserver 74.82.42.42");
};
};
config = {
services.transmission = {
enable = true;
package = pkgs.transmission_4;
webHome = pkgs.flood-for-transmission;
settings = {
rpc-bind-address = "::";
rpc-whitelist-enabled = false;
rpc-host-whitelist-enabled = false;
download-dir = "/mnt/library/Downloads";
incomplete-dir = "/mnt/library/.incomplete";
watch-dir = "/mnt/library/watchdir";
};
openRPCPort = true;
openPeerPorts = true;
};
users.users.transmission.extraGroups = [ "users" ];
# https://github.com/NixOS/nixpkgs/issues/258793
systemd.services.transmission.serviceConfig = {
RootDirectoryStartOnly = lib.mkForce (lib.mkForce false);
RootDirectory = lib.mkForce (lib.mkForce "");
};
system.stateVersion = config.system.stateVersion;
};
};
# Jellyfin
services.jellyfin = {
enable = true;
openFirewall = true;
};
environment.systemPackages = with pkgs; [
jellyfin
jellyfin-web
jellyfin-ffmpeg
];
# SMB Share
services.samba = {
enable = true;
openFirewall = true;
extraConfig = ''
server string = Watchtower
guest account = nobody
map to guest = bad user
'';
shares.Library = {
path = "/mnt/library";
browseable = "yes";
"read only" = "no";
"guest ok" = "yes";
};
};
}
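Review bot: The Samba share at L140-L153 is guest-writable (`guest ok = yes`, `read only = no`, `map to guest = bad user`) and `openFirewall = true` opens 139/445 on every interface, so anyone who can reach this host on any non-tailscale interface can read and write the decrypted `/mnt/library` anonymously. Since `tailscale0` is already a trusted interface in the shared firewall config added in this same commit, drop `openFirewall = true;` and pin smbd to that interface with `interfaces = lo tailscale0` and `bind interfaces only = yes` in `extraConfig` (or keep openFirewall and replace guest access with a named user). The transmission RPC has the same shape: `rpc-whitelist-enabled = false` together with `rpc-bind-address = "::"` and `openRPCPort = true` leaves an unauthenticated RPC endpoint that may be reachable from the VPN side of the transmission netns; the nginx proxy always arrives from the veth host address, so `rpc-whitelist-enabled = true` with `rpc-whitelist = "10.0.0.1"` is enough (the host whitelist must stay off because of the proxied Host header). The `mkForce` block at L122-L125 also deserves a comment saying it deliberately turns off the nixpkgs module's `RootDirectory` sandbox because the service already runs inside the container.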


@ -0,0 +1,96 @@
{
config,
pkgs,
lib,
...
}:
# Collectivized from https://gist.github.com/c0deaddict/53aedbb69c8cbfebfec8f4428dc03102 ☭
let
veth = "ve-transmission";
hostIp = "10.0.0.1/24";
guestIp = "10.0.0.2/24";
in
{
# https://mth.st/blog/nixos-wireguard-netns/
systemd.services."netns@" = {
description = "%I network namespace";
before = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
PrivateNetwork = true;
ExecStart = "${pkgs.writers.writeDash "netns-up" ''
${pkgs.iproute}/bin/ip netns add $1
${pkgs.utillinux}/bin/umount /var/run/netns/$1
${pkgs.utillinux}/bin/mount --bind /proc/self/ns/net /var/run/netns/$1
''} %I";
ExecStop = "${pkgs.iproute}/bin/ip netns del %I";
};
};
systemd.services."wireguard-ccvpn-fr" = {
bindsTo = [ "netns@transmission.service" ];
after = [ "netns@transmission.service" ];
};
networking.wireguard.interfaces.ccvpn-fr = {
ips = [
"10.128.4.199/32"
"fd64:e20:68a3::4c7/128"
];
privateKeyFile = "/var/lib/secrets/ccvpn-fr-key";
socketNamespace = "init";
interfaceNamespace = "transmission";
peers = [
{
publicKey = "QFbr19X11tqUZRerZgItb25FnBsNsd7NyJvAkWTRU1U=";
# Forward all traffic via VPN.
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "fr.204vpn.net:51820";
persistentKeepalive = 15;
}
];
};
# https://developers.redhat.com/blog/2018/10/22/introduction-to-linux-interfaces-for-virtual-networking#veth
systemd.services.${veth} =
let
ns = "transmission";
ipHost = "${pkgs.iproute}/bin/ip";
ipGuest = "${ipHost} netns exec ${ns} ${pkgs.iproute}/bin/ip";
in
{
description = "Veth interface for download";
bindsTo = [ "netns@${ns}.service" ];
after = [ "netns@${ns}.service" ];
wantedBy = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writers.writeDash "veth-up" ''
${ipHost} link add ${veth} type veth peer name veth1 netns ${ns}
${ipHost} addr add ${hostIp} dev ${veth}
${ipHost} link set dev ${veth} up
${ipGuest} addr add ${guestIp} dev veth1
${ipGuest} link set dev veth1 up
'';
ExecStop = pkgs.writers.writeDash "veth-down" ''
${ipHost} link del ${veth}
'';
};
};
networking.firewall.allowedTCPPorts = [ 9091 ];
services.nginx.enable = true;
# TODO: change when headscale updates
services.nginx.virtualHosts."watchtower.agatha.thorns.home.arpa" = {
locations."/transmission" = {
proxyPass = "http://10.0.0.2:9091/transmission";
proxyWebsockets = true;
};
};
}
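Review bot: `networking.firewall.allowedTCPPorts = [ 9091 ]` at L241 opens transmission's RPC port on the host's own firewall, but nothing on the host listens there: transmission lives in the `transmission` netns and the host reaches it through the nginx location on L244-L249, which listens on 80 and is reachable over the trusted tailscale0 interface. The line looks like a leftover from before the netns split and should go; if it was meant to let tailnet peers hit the container directly it would need a forward rule, not an input rule. As far as this file shows, the setup only works as a kill switch because veth1 gets no default route (L233-L234) and the wireguard interface owns `0.0.0.0/0`, which is worth stating next to `networking.wireguard.interfaces.ccvpn-fr` as `# veth1 has no default route: if ccvpn-fr is down the container has no way out`. `/var/lib/secrets/ccvpn-fr-key` read at L198 is not in the colmena `keys` set added in this commit, so it presumably has to be placed by hand; say so in a comment or add it there.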


@ -0,0 +1,41 @@
{ pkgs, ... }:
{
# Config for client devices, but not necessarily a full desktop environment.
imports = [
../restic.nix
../yubikey.nix
];
# User packages
users.users.agatha.packages = with pkgs; [
android-tools
broot
colmena
exiftool
ffmpeg
flac
hyperfine
just
magic-wormhole
neofetch
nil
pfetch
pridefetch
rink
sshfs
unstable.rustmission
whois
wireguard-tools
yt-dlp
];
home-manager.users.agatha = {
programs.direnv.enable = true;
home.sessionVariables = {
"DIRENV_LOG_FORMAT" = "";
};
programs.ssh.enable = true;
};
}


@ -1,6 +1,12 @@
{ pkgs, config, lib, ... }: { {
pkgs,
config,
lib,
...
}:
{
imports = [ imports = [
../restic.nix ./barebones.nix
./audio.nix ./audio.nix
./bspwm.nix ./bspwm.nix
./clipboard.nix ./clipboard.nix
@ -22,26 +28,19 @@
(final: prev: { (final: prev: {
pads = final.callPackage ../../../common/pkgs/pads.nix { }; pads = final.callPackage ../../../common/pkgs/pads.nix { };
bspm = final.callPackage ../../../common/pkgs/bspm.nix { }; bspm = final.callPackage ../../../common/pkgs/bspm.nix { };
polybar-scripts = polybar-scripts = final.callPackage ../../../common/pkgs/polybar-scripts.nix { };
final.callPackage ../../../common/pkgs/polybar-scripts.nix { };
}) })
]; ];
# User packages # User packages
users.users.agatha.packages = with pkgs; [ users.users.agatha.packages = with pkgs; [
android-tools
blueberry blueberry
brightnessctl brightnessctl
broot
bspm bspm
cider cider
colmena
darktable darktable
dino dino
element-desktop element-desktop
exiftool
ffmpeg
flac
flameshot flameshot
gimp gimp
glib glib
@ -52,32 +51,19 @@
gnome.gnome-disk-utility gnome.gnome-disk-utility
gnome.gnome-font-viewer gnome.gnome-font-viewer
gnome.nautilus gnome.nautilus
hyperfine
just
magic-wormhole
mpv mpv
mumble mumble
neofetch
nil
nitrogen nitrogen
nmap
obs-studio obs-studio
obsidian obsidian
pfetch
polybar-scripts polybar-scripts
pridefetch
prismlauncher prismlauncher
rink
rofi-calc rofi-calc
rofimoji rofimoji
speechd speechd
sshfs
tdesktop tdesktop
whois
wireguard-tools
xdg-utils xdg-utils
xdotool xdotool
yt-dlp
yubioath-flutter yubioath-flutter
]; ];
@ -100,20 +86,22 @@
enable = true; enable = true;
displayManager = { displayManager = {
gdm.enable = true; gdm.enable = true;
# gdm.wayland = true;
sessionPackages = [ pkgs.sway ]; sessionPackages = [ pkgs.sway ];
session = [{ session = [
{
manage = "window"; manage = "window";
name = "bspwm"; name = "bspwm";
start = let cfg = config.home-manager.users.agatha; start =
in '' let
${cfg.services.sxhkd.package}/bin/sxhkd ${ cfg = config.home-manager.users.agatha;
toString cfg.services.sxhkd.extraOptions in
} & ''
${cfg.services.sxhkd.package}/bin/sxhkd ${toString cfg.services.sxhkd.extraOptions} &
${cfg.xsession.windowManager.bspwm.package}/bin/bspwm -c ${cfg.xdg.configHome}/bspwm/bspwmrc ${cfg.xsession.windowManager.bspwm.package}/bin/bspwm -c ${cfg.xdg.configHome}/bspwm/bspwmrc
''; '';
}]; }
];
}; };
# Layout overrides # Layout overrides
layout = lib.mkForce "eu,de(qwerty),ua,ru"; layout = lib.mkForce "eu,de(qwerty),ua,ru";
@ -150,51 +138,6 @@
<Multi_key> <p><l> : "🥺" <Multi_key> <p><l> : "🥺"
<Multi_key> <m><s> : "/html <span data-mx-spoiler=\"\"></span>" <Multi_key> <m><s> : "/html <span data-mx-spoiler=\"\"></span>"
''; '';
programs.direnv.enable = true;
home.sessionVariables = { "DIRENV_LOG_FORMAT" = ""; };
programs.ssh.enable = true;
programs.ssh.matchBlocks = {
"bloodletting" = { hostname = "technogothic.net"; };
"backups" = {
match = ''originalhost backups exec "ip r | rg 10.21.0.0/16"'';
hostname = "10.20.1.2";
user = "agatha";
identityFile = [ "~/.ssh/id_ed25519" ];
};
"work" = {
match = ''originalhost work exec "ip r | rg 10.21.0.0/16"'';
hostname = "10.21.221.6";
forwardX11 = true;
forwardX11Trusted = true;
forwardAgent = true;
extraOptions."TCPKeepAlive" = "yes";
};
"ritual" = {
match = ''originalhost ritual exec "ip r | rg 10.21.0.0/16"'';
hostname = "10.21.221.60";
};
"watchtower" = {
match = ''originalhost watchtower exec "ip r | rg 10.21.0.0/16"'';
hostname = "10.21.220.205";
};
};
xdg.desktopEntries.element-work = {
name = "Element @ Work";
icon = "im.riot.Riot";
exec = "${pkgs.element-desktop}/bin/element-desktop --profile=work";
categories = [ "Network" "InstantMessaging" "Chat" "VideoConference" ];
mimeType = [ "x-scheme-handler/element" ];
settings.StartupWMClass = "element";
settings.Keywords =
"Matrix;matrix.org;chat;irc;communications;talk;riot;vector;";
};
}; };
services.gvfs.enable = true; services.gvfs.enable = true;
@ -224,7 +167,12 @@
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;
fonts.fontDir.enable = true; fonts.fontDir.enable = true;
fonts.packages = with pkgs; [ fonts.packages = with pkgs; [
(nerdfonts.override { fonts = [ "DaddyTimeMono" "NerdFontsSymbolsOnly" ]; }) (nerdfonts.override {
fonts = [
"DaddyTimeMono"
"NerdFontsSymbolsOnly"
];
})
cantarell-fonts cantarell-fonts
cm_unicode cm_unicode
corefonts corefonts
@ -254,13 +202,14 @@
hardware.bluetooth = { hardware.bluetooth = {
enable = true; enable = true;
settings = { General = { Disable = "Headset"; }; }; settings = {
General = {
Disable = "Headset";
};
};
}; };
# Virtual Camera config # Virtual Camera config
boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
boot.kernelModules = [ "v4l2loopback" ]; boot.kernelModules = [ "v4l2loopback" ];
# Fix Wireguard NetworkManager connections
networking.firewall.checkReversePath = "loose";
} }


@ -0,0 +1,15 @@
{ pkgs, ... }:
{
services.headscale = {
enable = true;
port = 52812;
settings.server_url = "https://hs.technogothic.net";
settings.dns_config = {
nameservers = [
"94.140.14.14"
"94.140.15.15"
]; # AdGuard Public DNS
base_domain = "thorns.home.arpa";
};
};
}
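Review bot: No ACL policy is configured in this fragment, and headscale's default without one is to let every node reach every other node, which combines with `trustedInterfaces = [ "tailscale0" ]` in the shared firewall config of this commit to give any enrolled device unfiltered access to every port on every host. Consider `settings.acl_policy_path = "/var/lib/headscale/acl.hujson";` (deployed like the other secrets) with a policy that limits which nodes may reach the servers, even if it initially just allows agatha's own devices. A comment that `port` is only the local listener and that nginx on bloodletting terminates TLS for `server_url` (`# bound to loopback by the module default; nginx fronts it as hs.technogothic.net`) would help the next reader. I believe `dns_config` is the pre-0.23 key name, so the `TODO: change when headscale updates` that sits at the nginx vhost belongs here as well.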


@ -1,7 +1,11 @@
{ pkgs, config, lib, ... }: {
pkgs,
config,
lib,
...
}:
let let
rsyncSSHKeys = config.users.users.agatha.openssh.authorizedKeys.keys rsyncSSHKeys = config.users.users.agatha.openssh.authorizedKeys.keys;
++ config.users.users.julia.openssh.authorizedKeys.keys;
jre8 = pkgs.temurin-bin-8; jre8 = pkgs.temurin-bin-8;
jre17 = pkgs.temurin-bin-17; jre17 = pkgs.temurin-bin-17;
@ -33,7 +37,8 @@ let
allow-flight = true; allow-flight = true;
max-tick-time = 2 * 60 * 1000; max-tick-time = 2 * 60 * 1000;
}; };
in { in
{
services.modded-minecraft-servers = { services.modded-minecraft-servers = {
eula = true; eula = true;
@ -72,7 +77,10 @@ in {
}; };
}; };
systemd.services.mc-e2e.path = with pkgs; [ getconf gawk ]; systemd.services.mc-e2e.path = with pkgs; [
getconf
gawk
];
users.users.agatha.packages = with pkgs; [ mcrcon ]; users.users.agatha.packages = with pkgs; [ mcrcon ];
} }

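--- /dev/null
+++ b/common/fragments/virt.nix
@@ -0,0 +1,39 @@
+{ pkgs, lib, ... }:
+{
+boot = {
+initrd.kernelModules = [
+"vfio_pci"
+"vfio"
+"vfio_iommu_type1"
+"amdgpu"
+];
+kernelParams =
+let
+gpuIDs = [
+"1002:67df" # Graphics
+"1002:aaf0" # Audio
+];
+in
+[
+# enable IOMMU
+"amd_iommu=on"
+("vfio-pci.ids=" + lib.concatStringsSep "," gpuIDs)
+];
+};
+hardware.opengl.enable = true;
+virtualisation.spiceUSBRedirection.enable = true;
+services.openssh.settings.X11Forwarding = true;
+# Virtualization
+virtualisation.libvirtd = {
+enable = true;
+onBoot = "start";
+onShutdown = "shutdown";
+};
+programs.virt-manager.enable = true;
+users.users.agatha.extraGroups = [ "libvirtd" ];
+}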
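Review bot: `users.users.agatha.extraGroups = [ "libvirtd" ]` at L550 is effectively root-equivalent (a libvirtd group member can define a VM with arbitrary host block devices and files attached), and `services.openssh.settings.X11Forwarding = true` at L542 is unrelated to virtualisation and quietly changes sshd policy on every host that imports this fragment; both deserve a comment, e.g. `# libvirtd group membership is root-equivalent; keep this to agatha only` and `# X11 forwarding for virt-manager over ssh; the exposure is the connecting client's display`. If X11 is only for virt-manager, connecting with `virt-manager -c qemu+ssh://tears/system` from the client needs no server-side X11Forwarding, so the setting could be dropped. I believe `virtualisation.spiceUSBRedirection.enable` installs a setuid ACL helper; a comment saying that is intentional would save the next reviewer the question.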


@ -1,3 +1,4 @@
{ config, ... }:
{ {
imports = [ ./users ]; imports = [ ./users ];
@ -50,4 +51,20 @@
''; '';
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
}; };
services.earlyoom = {
enable = true;
freeSwapThreshold = 5;
freeMemThreshold = 5;
extraArgs = [
"-g"
"--avoid '^(sshd|systemd.*|tailscale.*|)$'"
];
};
# Fix Wireguard and Tailscale with NetworkManager
networking.firewall = {
checkReversePath = "loose";
trustedInterfaces = [ "tailscale0" ];
allowedUDPPorts = [ config.services.tailscale.port ];
};
} }
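Review bot: `trustedInterfaces = [ "tailscale0" ]` at L575 disables the firewall entirely for tailnet peers, and if this is `common/linux-specific.nix` it is imported by the public server bloodletting as well as the desktops (see the flake.nix module lists in this commit), so every node on the headscale network gets every service on every host, including whatever nginx, samba or jellyfin bind on all addresses. Listing the ports per interface keeps the default-deny posture: replace that line with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22 80 445 ];` (adjust the list to what is actually needed). The earlyoom `--avoid` regex on L569 ends in `|)`, an empty alternative that matches processes with an empty name; it is harmless but looks like a leftover, and `'^(sshd|systemd.*|tailscale.*)$'` reads as intended. A one-line comment on `checkReversePath = "loose"` noting that it weakens spoofing protection and is only there for the WireGuard/Tailscale return path would also help.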

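--- /dev/null
+++ b/common/remote-builds.nix
@@ -0,0 +1,17 @@
+{
+nix.distributedBuilds = true;
+nix.buildMachines = [
+{
+hostName = "tears";
+systems = [
+"x86_64-linux"
+"i686-linux"
+];
+supportedFeatures = [ "big-parallel" ];
+maxJobs = 4;
+sshUser = "root";
+sshKey = "/Users/agatha/Projects/nix-infra/secrets/id_ed25519-nix-builder";
+}
+];
+}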
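Review bot: `sshKey` on L597 is an absolute path into a macOS home directory, but this fragment is also imported by the Linux host ritual in this same commit, where `/Users/agatha/...` does not exist and the daemon will fail to reach the builder; keep the key somewhere both platforms have, e.g. `sshKey = "/etc/nix/id_ed25519-nix-builder";`, and deploy it there like the other secrets. `sshUser = "root"` makes the builder key an unrestricted root login on tears (it is added to `users.users.root.openssh.authorizedKeys.keys` with no options elsewhere in this commit); builds do not need root, so either use a dedicated user listed in `nix.settings.trusted-users` on tears, or at minimum prefix the authorized key with `command="nix-store --serve --write",restrict` so a leaked key can only drive the store protocol. `publicHostKey` is not set either, so the first connection trusts whatever host key answers for `tears`; pinning it closes that gap.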


@ -1,16 +0,0 @@
{ config, pkgs, ... }: {
users.users = {
julia = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIa/G3M13aVJpOIX8U/5duiGiNNGmM88/0k0+o0EUGRI cardno:20 876 680"
];
};
};
users.users.root.openssh.authorizedKeys.keys =
config.users.users.julia.openssh.authorizedKeys.keys;
}


@ -67,18 +67,12 @@
} }
}, },
"crane": { "crane": {
"inputs": {
"nixpkgs": [
"helix",
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1709610799, "lastModified": 1727974419,
"narHash": "sha256-5jfLQx0U9hXbi2skYMGodDJkIgffrjIOgMRjZqms2QE=", "narHash": "sha256-WD0//20h+2/yPGkO88d2nYbb23WMWYvnRyDQ9Dx4UHg=",
"owner": "ipetkov", "owner": "ipetkov",
"repo": "crane", "repo": "crane",
"rev": "81c393c776d5379c030607866afef6406ca1be57", "rev": "37e4f9f0976cb9281cd3f0c70081e5e0ecaee93f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -139,11 +133,11 @@
"systems": "systems_4" "systems": "systems_4"
}, },
"locked": { "locked": {
"lastModified": 1709126324, "lastModified": 1726560853,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605", "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -204,7 +198,7 @@
"inputs": { "inputs": {
"naersk": "naersk_2", "naersk": "naersk_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs"
], ],
"utils": "utils_3" "utils": "utils_3"
}, },
@ -232,11 +226,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1725452565, "lastModified": 1729690460,
"narHash": "sha256-kxduxKvEBSEhoxYHQbMCbxHT0t14kRF4zT6ZmWaqH6M=", "narHash": "sha256-x8qkGujBPuOefXPyjcaB8Ot0IYkQBy6O2ZYb8NrnB3k=",
"owner": "helix-editor", "owner": "helix-editor",
"repo": "helix", "repo": "helix",
"rev": "41db5d735eae03be9a69b1136844dac642484ed8", "rev": "101a74bf6edbbfdf9b0628a0bdbbc307ebe10ff2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -252,11 +246,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720042825, "lastModified": 1726989464,
"narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=", "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073", "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -468,11 +462,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1725544312, "lastModified": 1730070491,
"narHash": "sha256-ETyDNLOF5YvFO2lVlKttXgdHTqSGdp9ZCRRCjv2gaoM=", "narHash": "sha256-+RYCbdU6l4E4pr40++lrdhdE3gNC/BR54AL7xWG/YRU=",
"owner": "LnL7", "owner": "LnL7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "a55b3f1ab41bb6d5025ebeebb4da5fd240b9b3b3", "rev": "5c0c6aaa797d6ccbb6cdab14de0248135735709d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -497,11 +491,11 @@
}, },
"nixpkgs-darwin": { "nixpkgs-darwin": {
"locked": { "locked": {
"lastModified": 1725140114, "lastModified": 1730091932,
"narHash": "sha256-tlRqsd84YFI7dL8Lz/Sm+M9Bm+Mh7kUs+5ArJbZsuy8=", "narHash": "sha256-Xg1O6tAHBK8EVHMLylYFlpRmqtG/deKqTfI9atLRLE0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4927f77b7a68615ce99678086cd3dcd0eda34fdd", "rev": "9b9516e15a60ce6633efccb02d703f6eca973228",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -529,17 +523,18 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1725369773, "lastModified": 1729980323,
"narHash": "sha256-gT+rUDbw+TQuszQEzMUJWTW7QYtccZ5xxWmKOSrPvEw=", "narHash": "sha256-eWPRZAlhf446bKSmzw6x7RWEE4IuZgAp8NW3eXZwRAY=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8b4061fd60ccc3b3f44b73faa7c983eacf7a6f7b", "rev": "86e78d3d2084ff87688da662cf78c2af085d8e73",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "owner": "NixOS",
"ref": "nixpkgs-unstable", "ref": "nixpkgs-unstable",
"type": "indirect" "repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
@ -588,17 +583,18 @@
}, },
"nixpkgs_5": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1725407940, "lastModified": 1729973466,
"narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=", "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3", "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "owner": "NixOS",
"ref": "nixos-24.05", "ref": "nixos-24.05",
"type": "indirect" "repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs_6": { "nixpkgs_6": {
@ -638,21 +634,17 @@
}, },
"rust-overlay": { "rust-overlay": {
"inputs": { "inputs": {
"flake-utils": [
"helix",
"flake-utils"
],
"nixpkgs": [ "nixpkgs": [
"helix", "helix",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1709604635, "lastModified": 1728268235,
"narHash": "sha256-le4fwmWmjGRYWwkho0Gr7mnnZndOOe4XGbLw68OvF40=", "narHash": "sha256-lJMFnMO4maJuNO6PQ5fZesrTmglze3UFTTBuKGwR1Nw=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "e86c0fb5d3a22a5f30d7f64ecad88643fe26449d", "rev": "25685cc2c7054efc31351c172ae77b21814f2d42",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -1,7 +1,7 @@
{ {
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-24.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-24.05-darwin"; nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-24.05-darwin";
lix-module = { lix-module = {
@ -49,7 +49,7 @@
frq-friend = { frq-friend = {
url = "git+https://git.xenua.me/xenua/fedi-frq-friend"; url = "git+https://git.xenua.me/xenua/fedi-frq-friend";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs";
}; };
helix = { helix = {
@ -66,6 +66,7 @@
{ {
nixpkgs, nixpkgs,
nixpkgs-unstable, nixpkgs-unstable,
nixpkgs-darwin,
lix-module, lix-module,
home-manager, home-manager,
nix-darwin, nix-darwin,
@ -81,7 +82,7 @@
... ...
}: }:
let let
overlays = system: config: [ mkOverlays = system: config: [
(final: prev: { (final: prev: {
helix = helix =
let let
@ -106,6 +107,7 @@
unstable = import nixpkgs-unstable { inherit system config; }; unstable = import nixpkgs-unstable { inherit system config; };
}) })
colmena.overlay colmena.overlay
lix-module.overlays.default
]; ];
mkDesktop = hostname: { mkDesktop = hostname: {
imports = [ imports = [
@ -113,7 +115,6 @@
./common/linux-specific.nix ./common/linux-specific.nix
./hosts/${hostname}/configuration.nix ./hosts/${hostname}/configuration.nix
./common/options.nix ./common/options.nix
lix-module.nixosModules.default
(import "${home-manager}/nixos") (import "${home-manager}/nixos")
url-eater.nixosModules.default url-eater.nixosModules.default
colorpickle.nixosModules.default colorpickle.nixosModules.default
@ -154,7 +155,7 @@
nixpkgs = import nixpkgs rec { nixpkgs = import nixpkgs rec {
system = "x86_64-linux"; system = "x86_64-linux";
config.allowUnfree = true; config.allowUnfree = true;
overlays = overlays system config; overlays = mkOverlays system config;
}; };
}; };
@ -163,14 +164,13 @@
./common ./common
./common/linux-specific.nix ./common/linux-specific.nix
./hosts/bloodletting/configuration.nix ./hosts/bloodletting/configuration.nix
lix-module.nixosModules.default
(import "${home-manager}/nixos") (import "${home-manager}/nixos")
mms.module mms.module
]; ];
deployment = { deployment = {
targetUser = "root"; targetUser = "root";
targetHost = "bloodletting"; targetHost = "technogothic.net";
tags = [ "prod" ]; tags = [ "prod" ];
@ -220,7 +220,6 @@
./common ./common
./common/linux-specific.nix ./common/linux-specific.nix
./hosts/watchtower/configuration.nix ./hosts/watchtower/configuration.nix
lix-module.nixosModules.default
(import "${home-manager}/nixos") (import "${home-manager}/nixos")
]; ];
@ -229,6 +228,23 @@
targetHost = "watchtower"; targetHost = "watchtower";
tags = [ "prod" ]; tags = [ "prod" ];
keys = {
"hetzner-env" = {
keyCommand = [
"cat"
"./secrets/hetzner-env"
];
destDir = "/var/lib/secrets/";
};
"gocryptfs-pass" = {
keyCommand = [
"cat"
"./secrets/gocryptfs-pass"
];
destDir = "/var/lib/secrets/";
};
};
}; };
}; };
@ -236,22 +252,23 @@
tears = mkDesktop "tears"; tears = mkDesktop "tears";
}; };
darwinConfigurations."Agathas-Mac-mini" = nix-darwin.lib.darwinSystem { darwinConfigurations."Agathas-Mac-mini" = nix-darwin.lib.darwinSystem {
pkgs = import nixpkgs-darwin rec {
system = "aarch64-darwin";
config.allowUnfree = true;
overlays = mkOverlays system config;
};
modules = [ modules = [
./common ./common
./hosts/Agathas-Mac-mini/configuration.nix ./hosts/Agathas-Mac-mini/configuration.nix
lix-module.nixosModules.default
(import "${home-manager}/nix-darwin") (import "${home-manager}/nix-darwin")
(
{ config, ... }:
{
nixpkgs.overlays = overlays nixpkgs.system config;
}
)
]; ];
}; };
devShells."x86_64-linux".default = devShells =
let let
pkgs = import nixpkgs { system = "x86_64-linux"; }; patchedColmena =
system:
let
pkgs = import nixpkgs { inherit system; };
in in
pkgs.mkShell { pkgs.mkShell {
buildInputs = [ buildInputs = [
@ -260,5 +277,10 @@
'') '')
]; ];
}; };
in
{
"x86_64-linux".default = patchedColmena "x86_64-linux";
"aarch64-darwin".default = patchedColmena "aarch64-darwin";
};
}; };
} }
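Review bot: The `keys` block at L846-L861 reads `./secrets/hetzner-env` and `./secrets/gocryptfs-pass` from the checkout with `cat`, which only stays safe while `secrets/` is untracked: anything git-tracked in a flake repository is copied verbatim into the world-readable Nix store on every flake evaluation. A comment on the block such as `# secrets/ must stay untracked (.gitignore); tracked files would be copied into /nix/store` plus a check that the directory is really ignored would prevent a one-commit leak. `destDir = "/var/lib/secrets/"` also moves the files off colmena's default tmpfs location `/run/keys` so they persist on disk across reboots, which is what the mount units need but is worth stating explicitly.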


@ -2,6 +2,8 @@
{ {
imports = [ imports = [
../../common/home_manager/common.nix ../../common/home_manager/common.nix
../../common/remote-builds.nix
../../common/fragments/graphical/barebones.nix
../../common/fragments/graphical/iosevka.nix ../../common/fragments/graphical/iosevka.nix
]; ];
@ -17,6 +19,7 @@
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
]; ];
trusted-users = [ "@admin" ];
}; };
# Needed for the nix-darwin environment even if zsh is not used. # Needed for the nix-darwin environment even if zsh is not used.
@ -40,4 +43,6 @@
iosevka iosevka
siji siji
]; ];
system.stateVersion = 1;
} }
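Review bot: `trusted-users = [ "@admin" ]` at L921 lets every member of the macOS admin group pass arbitrary settings, substituters and signing keys to the daemon, which is root-equivalent on the machine; if this is only needed for agatha, name the user instead: `trusted-users = [ "agatha" ];`. As far as I know daemon-side `nix.buildMachines` (the remote-builds fragment imported on L913) are used by the daemon as root and need no trusted user at all, so the line may be droppable unless you rely on `--builders` overrides. Either way, a comment stating why trust is widened would save the next reader the same question.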


@ -1,11 +1,17 @@
{ config, pkgs, lib, ... }: { {
config,
pkgs,
lib,
...
}:
{
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/users/julia.nix
../../common/fragments/bin.nix ../../common/fragments/bin.nix
../../common/fragments/fail2ban.nix ../../common/fragments/fail2ban.nix
../../common/fragments/frq-friend.nix ../../common/fragments/frq-friend.nix
../../common/fragments/grafana.nix ../../common/fragments/grafana.nix
../../common/fragments/headscale.nix
../../common/fragments/hedgedoc.nix ../../common/fragments/hedgedoc.nix
../../common/fragments/mastodon-ebooks.nix ../../common/fragments/mastodon-ebooks.nix
../../common/fragments/mastodon.nix ../../common/fragments/mastodon.nix
@ -24,8 +30,7 @@
nixpkgs.overlays = [ nixpkgs.overlays = [
(final: prev: { (final: prev: {
bin = final.callPackage ../../common/pkgs/bin.nix { }; bin = final.callPackage ../../common/pkgs/bin.nix { };
agatha-mastodon = agatha-mastodon = final.callPackage ../../common/pkgs/mastodon/default.nix { };
final.callPackage ../../common/pkgs/mastodon/default.nix { };
}) })
]; ];
@ -40,15 +45,19 @@
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.interfaces.ens20 = { networking.interfaces.ens20 = {
ipv4.addresses = [{ ipv4.addresses = [
{
address = "91.198.192.199"; address = "91.198.192.199";
prefixLength = 27; prefixLength = 27;
}]; }
];
ipv6.addresses = [{ ipv6.addresses = [
{
address = "2001:67c:b54:1::6"; address = "2001:67c:b54:1::6";
prefixLength = 64; prefixLength = 64;
}]; }
];
}; };
networking.defaultGateway = { networking.defaultGateway = {
@ -63,11 +72,20 @@
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 20 21 22 80 443 990 ]; allowedTCPPorts = [
allowedTCPPortRanges = [{ 20
21
22
80
443
990
];
allowedTCPPortRanges = [
{
from = 40000; from = 40000;
to = 40200; to = 40200;
}]; }
];
trustedInterfaces = [ "podman0" ]; trustedInterfaces = [ "podman0" ];
}; };
@ -77,7 +95,7 @@
dockerCompat = true; dockerCompat = true;
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
}; };
oci-containers = { backend = "podman"; }; oci-containers.backend = "podman";
}; };
# SSL/TLS Certificates # SSL/TLS Certificates
@ -86,13 +104,20 @@
security.acme.certs."technogothic.net" = { security.acme.certs."technogothic.net" = {
domain = "*.technogothic.net"; domain = "*.technogothic.net";
extraDomainNames = [ "technogothic.net" "*.argent.technogothic.net" ]; extraDomainNames = [
"technogothic.net"
"*.argent.technogothic.net"
];
dnsProvider = "hurricane"; dnsProvider = "hurricane";
credentialsFile = "/var/lib/secrets/hurricane-tokens"; credentialsFile = "/var/lib/secrets/hurricane-tokens";
group = "nginx"; group = "nginx";
}; };
security.acme.defaults.reloadServices = [ "nginx" "vsftpd" "prosody" ]; security.acme.defaults.reloadServices = [
"nginx"
"vsftpd"
"prosody"
];
systemd.services.nginx.serviceConfig.ProtectHome = "read-only"; systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
# Nginx # Nginx
@ -109,10 +134,14 @@
upstreams = { upstreams = {
"backend-mastodon-streaming" = { "backend-mastodon-streaming" = {
servers = builtins.listToAttrs (map (i: { servers = builtins.listToAttrs (
map (i: {
name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket"; name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket";
value = { fail_timeout = "0"; }; value = {
}) (lib.range 1 config.services.mastodon.streamingProcesses)); fail_timeout = "0";
};
}) (lib.range 1 config.services.mastodon.streamingProcesses)
);
extraConfig = '' extraConfig = ''
least_conn; least_conn;
''; '';
@ -126,7 +155,9 @@
serverAliases = [ "agatha.technogothic.net" ]; serverAliases = [ "agatha.technogothic.net" ];
locations."=/cv.pdf" = { alias = "/home/ftp/cv.pdf"; }; locations."=/cv.pdf" = {
alias = "/home/ftp/cv.pdf";
};
locations."=/.well-known/host-meta" = { locations."=/.well-known/host-meta" = {
return = "301 https://fv.technogothic.net$request_uri"; return = "301 https://fv.technogothic.net$request_uri";
@ -169,9 +200,7 @@
locations."/" = { locations."/" = {
proxyPass = "http://localhost:6162"; proxyPass = "http://localhost:6162";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = "client_max_body_size ${ extraConfig = "client_max_body_size ${toString config.services.bin.textUploadLimit}M;";
toString config.services.bin.textUploadLimit
}M;";
}; };
}; };
@ -181,7 +210,9 @@
root = "/home/ftp"; root = "/home/ftp";
locations."/" = { extraConfig = "autoindex on;"; }; locations."/" = {
extraConfig = "autoindex on;";
};
}; };
virtualHosts."fv.technogothic.net" = { virtualHosts."fv.technogothic.net" = {
@ -192,7 +223,9 @@
locations."/system/".alias = "/var/lib/mastodon/public-system/"; locations."/system/".alias = "/var/lib/mastodon/public-system/";
locations."/" = { tryFiles = "$uri @proxy"; }; locations."/" = {
tryFiles = "$uri @proxy";
};
locations."@proxy" = { locations."@proxy" = {
proxyPass = "http://unix:/run/mastodon-web/web.socket"; proxyPass = "http://unix:/run/mastodon-web/web.socket";
@ -225,6 +258,27 @@
extraConfig = "proxy_ssl_server_name on;"; extraConfig = "proxy_ssl_server_name on;";
}; };
}; };
virtualHosts."hs.technogothic.net" = {
useACMEHost = "technogothic.net";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
};
virtualHosts."carvideo.technogothic.net" = {
useACMEHost = "technogothic.net";
forceSSL = true;
serverAliases = [ "agatha.technogothic.net" ];
locations."/" = {
return = "301 https://ftp.technogothic.net/car_video.mp4";
};
};
}; };
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
@ -235,4 +289,3 @@
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment? system.stateVersion = "22.11"; # Did you read the comment?
} }
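Review bot: The new `carvideo.technogothic.net` vhost on L1080 declares `serverAliases = [ "agatha.technogothic.net" ]`, but that name is already an alias of the vhost on L1036, so nginx will warn about a conflicting server name and only one of the two blocks will ever answer for it (which one depends on generated config order); this looks like a copy-paste from the block above and the alias should be removed from carvideo. The `hs.technogothic.net` vhost proxies the headscale listener with websockets, matching the headscale fragment added in this commit, but the enclosing `services.nginx` attribute set starts before the first hunk so I cannot see whether `recommendedProxySettings` is on; headscale expects the `Host` and `X-Forwarded-*` headers to be forwarded, so please confirm. A short comment on that vhost (`# headscale control plane; TLS terminated here, backend is the loopback listener`) would help.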


@ -2,7 +2,7 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/fragments/graphical ../../common/fragments/graphical
../../common/fragments/yubikey.nix ../../common/remote-builds.nix
../../common/home_manager/common.nix ../../common/home_manager/common.nix
]; ];
@ -14,7 +14,9 @@
boot.loader.systemd-boot.configurationLimit = 5; boot.loader.systemd-boot.configurationLimit = 5;
# Setup keyfile # Setup keyfile
boot.initrd.secrets = { "/crypto_keyfile.bin" = null; }; boot.initrd.secrets = {
"/crypto_keyfile.bin" = null;
};
networking.hostName = "ritual"; networking.hostName = "ritual";
@ -27,7 +29,7 @@
dockerCompat = true; dockerCompat = true;
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
}; };
oci-containers = { backend = "podman"; }; oci-containers.backend = "podman";
}; };
# Don't suspend when closed and plugged into power # Don't suspend when closed and plugged into power
@ -35,7 +37,18 @@
home-manager.users.agatha = { home-manager.users.agatha = {
xsession.windowManager.bspwm = { xsession.windowManager.bspwm = {
monitors = { eDP-1 = [ "I" "II" "III" "IV" "V" "VI" "VII" "VIII" ]; }; monitors = {
eDP-1 = [
"I"
"II"
"III"
"IV"
"V"
"VI"
"VII"
"VIII"
];
};
rules = { rules = {
"Element".desktop = "II"; "Element".desktop = "II";
"TelegramDesktop".desktop = "III"; "TelegramDesktop".desktop = "III";
@ -68,4 +81,3 @@
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment? system.stateVersion = "22.11"; # Did you read the comment?
} }


@ -1,8 +1,8 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/fragments/graphical ../../common/fragments/graphical/barebones.nix
../../common/fragments/yubikey.nix ../../common/fragments/virt.nix
../../common/home_manager/common.nix ../../common/home_manager/common.nix
]; ];
@ -14,7 +14,9 @@
boot.loader.systemd-boot.configurationLimit = 3; boot.loader.systemd-boot.configurationLimit = 3;
# Setup keyfile # Setup keyfile
boot.initrd.secrets = { "/crypto_keyfile.bin" = null; }; boot.initrd.secrets = {
"/crypto_keyfile.bin" = null;
};
networking.hostName = "tears"; networking.hostName = "tears";
@ -27,47 +29,13 @@
dockerCompat = true; dockerCompat = true;
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
}; };
oci-containers = { backend = "podman"; }; oci-containers.backend = "podman";
}; };
home-manager.users.agatha = { # Needed for remote builds
xsession.windowManager.bspwm = { users.users.root.openssh.authorizedKeys.keys = [
monitors = { "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGCsAQfMx1X+8HEa88x+l3KdJPFAzXg0vL0l/pm56/ZR nix-builder"
DP-1 = [ "I" "II" "III" "IV" "V" ]; ];
HDMI-1 = [ "VI" "VII" "VIII" "IX" "X" ];
};
extraConfigEarly =
"xrandr --output HDMI-1 --mode 1920x1080 --rate 144 --dpi 92 --output DP-1 --mode 1920x1080 --rate 144 --dpi 92 --left-of HDMI-1";
rules = {
"Element".desktop = "I";
"TelegramDesktop".desktop = "II";
"dino".desktop = "II";
"Cider".desktop = "III";
"Geary".desktop = "IV";
"firefox" = {
desktop = "VI";
state = "tiled";
follow = false;
};
};
};
services.polybar = {
script = ''
polybar left &
polybar right &'';
settings."bar/right" = {
monitor = "\${env:MONITOR:HDMI-1}";
modules.right =
"filesystem battery pulseaudio xkeyboard memory cpu powermenu";
};
settings."bar/left".monitor = "\${env:MONITOR:DP-1}";
};
};
environment.graphical.theme.name = "bridge";
services.syncthing.dataDir = "/mnt/hdd/syncthing";
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
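Review bot: The key added under `users.users.root.openssh.authorizedKeys.keys` gives the build client an unrestricted root login on tears, whereas remote Nix builds only need to reach the daemon as a user listed in `nix.settings.trusted-users`. Prefer a dedicated unprivileged account (e.g. `users.users.nix-builder = { isSystemUser = true; group = "nix-builder"; useDefaultShell = true; openssh.authorizedKeys.keys = [ "<the ssh-ed25519 key above>" ]; };` with `nix.settings.trusted-users = [ "nix-builder" ];`) and point the builder definition — presumably `../../common/remote-builds.nix`, which is outside this page — at that user instead of root. If root must stay, at least prefix the key with OpenSSH options such as `restrict,command="…"` that pin it to the Nix build command, so a compromised builder cannot open an interactive root shell. Separately, this hunk also drops `environment.graphical.theme.name` and `services.syncthing.dataDir = "/mnt/hdd/syncthing"` along with the bspwm/polybar block; if syncthing is still enabled on tears its data directory silently reverts to the default, which is worth confirming.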


@ -1,8 +1,8 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/users/julia.nix
../../common/home_manager/common.nix ../../common/home_manager/common.nix
../../common/fragments/bittorrent
../../common/fragments/home-assistant.nix ../../common/fragments/home-assistant.nix
../../common/fragments/sponsorblock.nix ../../common/fragments/sponsorblock.nix
]; ];
@ -17,6 +17,7 @@
# Enable networking # Enable networking
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
systemd.services.NetworkManager-wait-online.enable = false;
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall = { networking.firewall = {
@ -34,9 +35,7 @@
dockerCompat = true; dockerCompat = true;
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
}; };
oci-containers = { oci-containers.backend = "podman";
backend = "podman";
};
}; };
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
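Review bot: `systemd.services.NetworkManager-wait-online.enable = false;` is added without a comment, and it means any unit ordered after `network-online.target` (network mounts, containers with `after = [ "network.target" ]`-style ordering, Home Assistant integrations) no longer waits for connectivity at boot. Please add a line such as `# wait-online blocks boot when no uplink is available; nothing here needs network-online.target` stating the reason and the assumption, so the next person does not re-enable it when a service starts racing the network. The file's stateVersion block continues past this hunk.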