sorceress
/
nix-infra
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: sorceress:e60bbd7f41bdb4456319637f38a25425b6f5fef7
Branches Tags
sorceress:mistress
sorceress:lappytappy
sorceress:flakes
..
compare: sorceress:518c89795b3a0522994945bf21f2bb694c1ce752
Branches Tags
sorceress:mistress
sorceress:lappytappy
sorceress:flakes

No commits in common. "e60bbd7f41bdb4456319637f38a25425b6f5fef7" and "518c89795b3a0522994945bf21f2bb694c1ce752" have entirely different histories.
e60bbd7f41 ... 518c89795b

18 changed files with 254 additions and 593 deletions
Show Stats Expand all files Collapse all files

4
common/default.nix
View File

@ -30,12 +30,10 @@
dogdns dogdns
du-dust du-dust
git git
headscale
imagemagick imagemagick
jq jq
killall killall
mtr mtr
nmap
openssl openssl
rsync rsync
sqlite-interactive sqlite-interactive
@ -43,8 +41,6 @@
xclip xclip
]; ];
services.tailscale.enable = true;
# 🥺 # 🥺
# security.please.enable = true; # security.please.enable = true;
} }

118
common/fragments/bittorrent/default.nix
View File

@ -1,118 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
imports = [ ./netns.nix ];
system.fsPackages = with pkgs; [
gocryptfs
cifs-utils
];
systemd.mounts = [
{
after = [ "network.target" ];
what = "//library.technogothic.net/backup";
where = "/mnt/library-raw";
type = "cifs";
options = "gid=users,file_mode=0664,dir_mode=0775";
mountConfig.EnvironmentFile = "/var/lib/secrets/hetzner-env";
}
{
what = "/mnt/library-raw";
where = "/mnt/library";
type = "fuse.gocryptfs";
options = "allow_other,passfile=/var/lib/secrets/gocryptfs-pass";
wantedBy = [ "multi-user.target" ];
}
];
systemd.services."container@transmission" = {
bindsTo = [ "ve-transmission.service" ];
after = [
"ve-transmission.service"
"mnt-library.mount"
];
};
containers.transmission = {
autoStart = true;
extraFlags = [ "--network-namespace-path=/run/netns/transmission" ];
bindMounts = {
"/var/lib/transmission" = {
hostPath = "/var/lib/transmission";
isReadOnly = false;
};
"/mnt/library" = {
hostPath = "/mnt/library";
isReadOnly = false;
};
"/etc/resolv.conf" = {
hostPath = toString (pkgs.writeText "resolv.conf" "nameserver 74.82.42.42");
};
};
config = {
services.transmission = {
enable = true;
package = pkgs.transmission_4;
webHome = pkgs.flood-for-transmission;
settings = {
rpc-bind-address = "::";
rpc-whitelist-enabled = false;
rpc-host-whitelist-enabled = false;
download-dir = "/mnt/library/Downloads";
incomplete-dir = "/mnt/library/.incomplete";
watch-dir = "/mnt/library/watchdir";
};
openRPCPort = true;
openPeerPorts = true;
};
users.users.transmission.extraGroups = [ "users" ];
# https://github.com/NixOS/nixpkgs/issues/258793
systemd.services.transmission.serviceConfig = {
RootDirectoryStartOnly = lib.mkForce (lib.mkForce false);
RootDirectory = lib.mkForce (lib.mkForce "");
};
system.stateVersion = config.system.stateVersion;
};
};
# Jellyfin
services.jellyfin = {
enable = true;
openFirewall = true;
};
environment.systemPackages = with pkgs; [
jellyfin
jellyfin-web
jellyfin-ffmpeg
];
# SMB Share
services.samba = {
enable = true;
openFirewall = true;
extraConfig = ''
server string = Watchtower
guest account = nobody
map to guest = bad user
'';
shares.Library = {
path = "/mnt/library";
browseable = "yes";
"read only" = "no";
"guest ok" = "yes";
};
};
}

96
common/fragments/bittorrent/netns.nix
View File

@ -1,96 +0,0 @@
{
config,
pkgs,
lib,
...
}:
# Collectivized from https://gist.github.com/c0deaddict/53aedbb69c8cbfebfec8f4428dc03102 ☭
let
veth = "ve-transmission";
hostIp = "10.0.0.1/24";
guestIp = "10.0.0.2/24";
in
{
# https://mth.st/blog/nixos-wireguard-netns/
systemd.services."netns@" = {
description = "%I network namespace";
before = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
PrivateNetwork = true;
ExecStart = "${pkgs.writers.writeDash "netns-up" ''
${pkgs.iproute}/bin/ip netns add $1
${pkgs.utillinux}/bin/umount /var/run/netns/$1
${pkgs.utillinux}/bin/mount --bind /proc/self/ns/net /var/run/netns/$1
''} %I";
ExecStop = "${pkgs.iproute}/bin/ip netns del %I";
};
};
systemd.services."wireguard-ccvpn-fr" = {
bindsTo = [ "netns@transmission.service" ];
after = [ "netns@transmission.service" ];
};
networking.wireguard.interfaces.ccvpn-fr = {
ips = [
"10.128.4.199/32"
"fd64:e20:68a3::4c7/128"
];
privateKeyFile = "/var/lib/secrets/ccvpn-fr-key";
socketNamespace = "init";
interfaceNamespace = "transmission";
peers = [
{
publicKey = "QFbr19X11tqUZRerZgItb25FnBsNsd7NyJvAkWTRU1U=";
# Forward all traffic via VPN.
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "fr.204vpn.net:51820";
persistentKeepalive = 15;
}
];
};
# https://developers.redhat.com/blog/2018/10/22/introduction-to-linux-interfaces-for-virtual-networking#veth
systemd.services.${veth} =
let
ns = "transmission";
ipHost = "${pkgs.iproute}/bin/ip";
ipGuest = "${ipHost} netns exec ${ns} ${pkgs.iproute}/bin/ip";
in
{
description = "Veth interface for download";
bindsTo = [ "netns@${ns}.service" ];
after = [ "netns@${ns}.service" ];
wantedBy = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writers.writeDash "veth-up" ''
${ipHost} link add ${veth} type veth peer name veth1 netns ${ns}
${ipHost} addr add ${hostIp} dev ${veth}
${ipHost} link set dev ${veth} up
${ipGuest} addr add ${guestIp} dev veth1
${ipGuest} link set dev veth1 up
'';
ExecStop = pkgs.writers.writeDash "veth-down" ''
${ipHost} link del ${veth}
'';
};
};
networking.firewall.allowedTCPPorts = [ 9091 ];
services.nginx.enable = true;
# TODO: change when headscale updates
services.nginx.virtualHosts."watchtower.agatha.thorns.home.arpa" = {
locations."/transmission" = {
proxyPass = "http://10.0.0.2:9091/transmission";
proxyWebsockets = true;
};
};
}

41
common/fragments/graphical/barebones.nix
View File

@ -1,41 +0,0 @@
{ pkgs, ... }:
{
# Config for client devices, but not necessarily a full desktop environment.
imports = [
../restic.nix
../yubikey.nix
];
# User packages
users.users.agatha.packages = with pkgs; [
android-tools
broot
colmena
exiftool
ffmpeg
flac
hyperfine
just
magic-wormhole
neofetch
nil
pfetch
pridefetch
rink
sshfs
unstable.rustmission
whois
wireguard-tools
yt-dlp
];
home-manager.users.agatha = {
programs.direnv.enable = true;
home.sessionVariables = {
"DIRENV_LOG_FORMAT" = "";
};
programs.ssh.enable = true;
};
}

119
common/fragments/graphical/default.nix
View File

@ -1,12 +1,6 @@
{ { pkgs, config, lib, ... }: {
pkgs,
config,
lib,
...
}:
{
imports = [ imports = [
./barebones.nix ../restic.nix
./audio.nix ./audio.nix
./bspwm.nix ./bspwm.nix
./clipboard.nix ./clipboard.nix
@ -28,19 +22,26 @@
(final: prev: { (final: prev: {
pads = final.callPackage ../../../common/pkgs/pads.nix { }; pads = final.callPackage ../../../common/pkgs/pads.nix { };
bspm = final.callPackage ../../../common/pkgs/bspm.nix { }; bspm = final.callPackage ../../../common/pkgs/bspm.nix { };
polybar-scripts = final.callPackage ../../../common/pkgs/polybar-scripts.nix { }; polybar-scripts =
final.callPackage ../../../common/pkgs/polybar-scripts.nix { };
}) })
]; ];
# User packages # User packages
users.users.agatha.packages = with pkgs; [ users.users.agatha.packages = with pkgs; [
android-tools
blueberry blueberry
brightnessctl brightnessctl
broot
bspm bspm
cider cider
colmena
darktable darktable
dino dino
element-desktop element-desktop
exiftool
ffmpeg
flac
flameshot flameshot
gimp gimp
glib glib
@ -51,19 +52,32 @@
gnome.gnome-disk-utility gnome.gnome-disk-utility
gnome.gnome-font-viewer gnome.gnome-font-viewer
gnome.nautilus gnome.nautilus
hyperfine
just
magic-wormhole
mpv mpv
mumble mumble
neofetch
nil
nitrogen nitrogen
nmap
obs-studio obs-studio
obsidian obsidian
pfetch
polybar-scripts polybar-scripts
pridefetch
prismlauncher prismlauncher
rink
rofi-calc rofi-calc
rofimoji rofimoji
speechd speechd
sshfs
tdesktop tdesktop
whois
wireguard-tools
xdg-utils xdg-utils
xdotool xdotool
yt-dlp
yubioath-flutter yubioath-flutter
]; ];
@ -86,22 +100,20 @@
enable = true; enable = true;
displayManager = { displayManager = {
gdm.enable = true; gdm.enable = true;
# gdm.wayland = true;
sessionPackages = [ pkgs.sway ]; sessionPackages = [ pkgs.sway ];
session = [ session = [{
{ manage = "window";
manage = "window"; name = "bspwm";
name = "bspwm"; start = let cfg = config.home-manager.users.agatha;
start = in ''
let ${cfg.services.sxhkd.package}/bin/sxhkd ${
cfg = config.home-manager.users.agatha; toString cfg.services.sxhkd.extraOptions
in } &
'' ${cfg.xsession.windowManager.bspwm.package}/bin/bspwm -c ${cfg.xdg.configHome}/bspwm/bspwmrc
${cfg.services.sxhkd.package}/bin/sxhkd ${toString cfg.services.sxhkd.extraOptions} & '';
${cfg.xsession.windowManager.bspwm.package}/bin/bspwm -c ${cfg.xdg.configHome}/bspwm/bspwmrc }];
'';
}
];
}; };
# Layout overrides # Layout overrides
layout = lib.mkForce "eu,de(qwerty),ua,ru"; layout = lib.mkForce "eu,de(qwerty),ua,ru";
@ -138,6 +150,51 @@
<Multi_key> <p><l> : "🥺" <Multi_key> <p><l> : "🥺"
<Multi_key> <m><s> : "/html <span data-mx-spoiler=\"\"></span>" <Multi_key> <m><s> : "/html <span data-mx-spoiler=\"\"></span>"
''; '';
programs.direnv.enable = true;
home.sessionVariables = { "DIRENV_LOG_FORMAT" = ""; };
programs.ssh.enable = true;
programs.ssh.matchBlocks = {
"bloodletting" = { hostname = "technogothic.net"; };
"backups" = {
match = ''originalhost backups exec "ip r | rg 10.21.0.0/16"'';
hostname = "10.20.1.2";
user = "agatha";
identityFile = [ "~/.ssh/id_ed25519" ];
};
"work" = {
match = ''originalhost work exec "ip r | rg 10.21.0.0/16"'';
hostname = "10.21.221.6";
forwardX11 = true;
forwardX11Trusted = true;
forwardAgent = true;
extraOptions."TCPKeepAlive" = "yes";
};
"ritual" = {
match = ''originalhost ritual exec "ip r | rg 10.21.0.0/16"'';
hostname = "10.21.221.60";
};
"watchtower" = {
match = ''originalhost watchtower exec "ip r | rg 10.21.0.0/16"'';
hostname = "10.21.220.205";
};
};
xdg.desktopEntries.element-work = {
name = "Element @ Work";
icon = "im.riot.Riot";
exec = "${pkgs.element-desktop}/bin/element-desktop --profile=work";
categories = [ "Network" "InstantMessaging" "Chat" "VideoConference" ];
mimeType = [ "x-scheme-handler/element" ];
settings.StartupWMClass = "element";
settings.Keywords =
"Matrix;matrix.org;chat;irc;communications;talk;riot;vector;";
};
}; };
services.gvfs.enable = true; services.gvfs.enable = true;
@ -167,12 +224,7 @@
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;
fonts.fontDir.enable = true; fonts.fontDir.enable = true;
fonts.packages = with pkgs; [ fonts.packages = with pkgs; [
(nerdfonts.override { (nerdfonts.override { fonts = [ "DaddyTimeMono" "NerdFontsSymbolsOnly" ]; })
fonts = [
"DaddyTimeMono"
"NerdFontsSymbolsOnly"
];
})
cantarell-fonts cantarell-fonts
cm_unicode cm_unicode
corefonts corefonts
@ -202,14 +254,13 @@
hardware.bluetooth = { hardware.bluetooth = {
enable = true; enable = true;
settings = { settings = { General = { Disable = "Headset"; }; };
General = {
Disable = "Headset";
};
};
}; };
# Virtual Camera config # Virtual Camera config
boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
boot.kernelModules = [ "v4l2loopback" ]; boot.kernelModules = [ "v4l2loopback" ];
# Fix Wireguard NetworkManager connections
networking.firewall.checkReversePath = "loose";
} }

15
common/fragments/headscale.nix
View File

@ -1,15 +0,0 @@
{ pkgs, ... }:
{
services.headscale = {
enable = true;
port = 52812;
settings.server_url = "https://hs.technogothic.net";
settings.dns_config = {
nameservers = [
"94.140.14.14"
"94.140.15.15"
]; # AdGuard Public DNS
base_domain = "thorns.home.arpa";
};
};
}

18
common/fragments/minecraft.nix
View File

@ -1,11 +1,7 @@
{ { pkgs, config, lib, ... }:
pkgs,
config,
lib,
...
}:
let let
rsyncSSHKeys = config.users.users.agatha.openssh.authorizedKeys.keys; rsyncSSHKeys = config.users.users.agatha.openssh.authorizedKeys.keys
++ config.users.users.julia.openssh.authorizedKeys.keys;
jre8 = pkgs.temurin-bin-8; jre8 = pkgs.temurin-bin-8;
jre17 = pkgs.temurin-bin-17; jre17 = pkgs.temurin-bin-17;
@ -37,8 +33,7 @@ let
allow-flight = true; allow-flight = true;
max-tick-time = 2 * 60 * 1000; max-tick-time = 2 * 60 * 1000;
}; };
in in {
{
services.modded-minecraft-servers = { services.modded-minecraft-servers = {
eula = true; eula = true;
@ -77,10 +72,7 @@ in
}; };
}; };
systemd.services.mc-e2e.path = with pkgs; [ systemd.services.mc-e2e.path = with pkgs; [ getconf gawk ];
getconf
gawk
];
users.users.agatha.packages = with pkgs; [ mcrcon ]; users.users.agatha.packages = with pkgs; [ mcrcon ];
} }

39
common/fragments/virt.nix
View File

@ -1,39 +0,0 @@
{ pkgs, lib, ... }:
{
boot = {
initrd.kernelModules = [
"vfio_pci"
"vfio"
"vfio_iommu_type1"
"amdgpu"
];
kernelParams =
let
gpuIDs = [
"1002:67df" # Graphics
"1002:aaf0" # Audio
];
in
[
# enable IOMMU
"amd_iommu=on"
("vfio-pci.ids=" + lib.concatStringsSep "," gpuIDs)
];
};
hardware.opengl.enable = true;
virtualisation.spiceUSBRedirection.enable = true;
services.openssh.settings.X11Forwarding = true;
# Virtualization
virtualisation.libvirtd = {
enable = true;
onBoot = "start";
onShutdown = "shutdown";
};
programs.virt-manager.enable = true;
users.users.agatha.extraGroups = [ "libvirtd" ];
}

17
common/linux-specific.nix
View File

@ -1,4 +1,3 @@
{ config, ... }:
{ {
imports = [ ./users ]; imports = [ ./users ];
@ -51,20 +50,4 @@
''; '';
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
}; };
services.earlyoom = {
enable = true;
freeSwapThreshold = 5;
freeMemThreshold = 5;
extraArgs = [
"-g"
"--avoid '^(sshd|systemd.*|tailscale.*|)$'"
];
};
# Fix Wireguard and Tailscale with NetworkManager
networking.firewall = {
checkReversePath = "loose";
trustedInterfaces = [ "tailscale0" ];
allowedUDPPorts = [ config.services.tailscale.port ];
};
} }

17
common/remote-builds.nix
View File

@ -1,17 +0,0 @@
{
nix.distributedBuilds = true;
nix.buildMachines = [
{
hostName = "tears";
systems = [
"x86_64-linux"
"i686-linux"
];
supportedFeatures = [ "big-parallel" ];
maxJobs = 4;
sshUser = "root";
sshKey = "/Users/agatha/Projects/nix-infra/secrets/id_ed25519-nix-builder";
}
];
}

16
common/users/julia.nix Normal file
View File

@ -0,0 +1,16 @@
{ config, pkgs, ... }: {
users.users = {
julia = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIa/G3M13aVJpOIX8U/5duiGiNNGmM88/0k0+o0EUGRI cardno:20 876 680"
];
};
};
users.users.root.openssh.authorizedKeys.keys =
config.users.users.julia.openssh.authorizedKeys.keys;
}

76
flake.lock
View File

@ -67,12 +67,18 @@
} }
}, },
"crane": { "crane": {
"inputs": {
"nixpkgs": [
"helix",
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1727974419, "lastModified": 1709610799,
"narHash": "sha256-WD0//20h+2/yPGkO88d2nYbb23WMWYvnRyDQ9Dx4UHg=", "narHash": "sha256-5jfLQx0U9hXbi2skYMGodDJkIgffrjIOgMRjZqms2QE=",
"owner": "ipetkov", "owner": "ipetkov",
"repo": "crane", "repo": "crane",
"rev": "37e4f9f0976cb9281cd3f0c70081e5e0ecaee93f", "rev": "81c393c776d5379c030607866afef6406ca1be57",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -133,11 +139,11 @@
"systems": "systems_4" "systems": "systems_4"
}, },
"locked": { "locked": {
"lastModified": 1726560853, "lastModified": 1709126324,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "rev": "d465f4819400de7c8d874d50b982301f28a84605",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -198,7 +204,7 @@
"inputs": { "inputs": {
"naersk": "naersk_2", "naersk": "naersk_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs-unstable"
], ],
"utils": "utils_3" "utils": "utils_3"
}, },
@ -226,11 +232,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1729690460, "lastModified": 1725452565,
"narHash": "sha256-x8qkGujBPuOefXPyjcaB8Ot0IYkQBy6O2ZYb8NrnB3k=", "narHash": "sha256-kxduxKvEBSEhoxYHQbMCbxHT0t14kRF4zT6ZmWaqH6M=",
"owner": "helix-editor", "owner": "helix-editor",
"repo": "helix", "repo": "helix",
"rev": "101a74bf6edbbfdf9b0628a0bdbbc307ebe10ff2", "rev": "41db5d735eae03be9a69b1136844dac642484ed8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -246,11 +252,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1726989464, "lastModified": 1720042825,
"narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=", "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176", "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -462,11 +468,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1730070491, "lastModified": 1725544312,
"narHash": "sha256-+RYCbdU6l4E4pr40++lrdhdE3gNC/BR54AL7xWG/YRU=", "narHash": "sha256-ETyDNLOF5YvFO2lVlKttXgdHTqSGdp9ZCRRCjv2gaoM=",
"owner": "LnL7", "owner": "LnL7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "5c0c6aaa797d6ccbb6cdab14de0248135735709d", "rev": "a55b3f1ab41bb6d5025ebeebb4da5fd240b9b3b3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -491,11 +497,11 @@
}, },
"nixpkgs-darwin": { "nixpkgs-darwin": {
"locked": { "locked": {
"lastModified": 1730091932, "lastModified": 1725140114,
"narHash": "sha256-Xg1O6tAHBK8EVHMLylYFlpRmqtG/deKqTfI9atLRLE0=", "narHash": "sha256-tlRqsd84YFI7dL8Lz/Sm+M9Bm+Mh7kUs+5ArJbZsuy8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9b9516e15a60ce6633efccb02d703f6eca973228", "rev": "4927f77b7a68615ce99678086cd3dcd0eda34fdd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -523,18 +529,17 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1729980323, "lastModified": 1725369773,
"narHash": "sha256-eWPRZAlhf446bKSmzw6x7RWEE4IuZgAp8NW3eXZwRAY=", "narHash": "sha256-gT+rUDbw+TQuszQEzMUJWTW7QYtccZ5xxWmKOSrPvEw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "86e78d3d2084ff87688da662cf78c2af085d8e73", "rev": "8b4061fd60ccc3b3f44b73faa7c983eacf7a6f7b",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "id": "nixpkgs",
"ref": "nixpkgs-unstable", "ref": "nixpkgs-unstable",
"repo": "nixpkgs", "type": "indirect"
"type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
@ -583,18 +588,17 @@
}, },
"nixpkgs_5": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1729973466, "lastModified": 1725407940,
"narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=", "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cd3e8833d70618c4eea8df06f95b364b016d4950", "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "id": "nixpkgs",
"ref": "nixos-24.05", "ref": "nixos-24.05",
"repo": "nixpkgs", "type": "indirect"
"type": "github"
} }
}, },
"nixpkgs_6": { "nixpkgs_6": {
@ -634,17 +638,21 @@
}, },
"rust-overlay": { "rust-overlay": {
"inputs": { "inputs": {
"flake-utils": [
"helix",
"flake-utils"
],
"nixpkgs": [ "nixpkgs": [
"helix", "helix",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1728268235, "lastModified": 1709604635,
"narHash": "sha256-lJMFnMO4maJuNO6PQ5fZesrTmglze3UFTTBuKGwR1Nw=", "narHash": "sha256-le4fwmWmjGRYWwkho0Gr7mnnZndOOe4XGbLw68OvF40=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "25685cc2c7054efc31351c172ae77b21814f2d42", "rev": "e86c0fb5d3a22a5f30d7f64ecad88643fe26449d",
"type": "github" "type": "github"
}, },
"original": { "original": {

70
flake.nix
View File

@ -1,7 +1,7 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; nixpkgs.url = "nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable";
nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-24.05-darwin"; nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-24.05-darwin";
lix-module = { lix-module = {
@ -49,7 +49,7 @@
frq-friend = { frq-friend = {
url = "git+https://git.xenua.me/xenua/fedi-frq-friend"; url = "git+https://git.xenua.me/xenua/fedi-frq-friend";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
helix = { helix = {
@ -66,7 +66,6 @@
{ {
nixpkgs, nixpkgs,
nixpkgs-unstable, nixpkgs-unstable,
nixpkgs-darwin,
lix-module, lix-module,
home-manager, home-manager,
nix-darwin, nix-darwin,
@ -82,7 +81,7 @@
... ...
}: }:
let let
mkOverlays = system: config: [ overlays = system: config: [
(final: prev: { (final: prev: {
helix = helix =
let let
@ -107,7 +106,6 @@
unstable = import nixpkgs-unstable { inherit system config; }; unstable = import nixpkgs-unstable { inherit system config; };
}) })
colmena.overlay colmena.overlay
lix-module.overlays.default
]; ];
mkDesktop = hostname: { mkDesktop = hostname: {
imports = [ imports = [
@ -115,6 +113,7 @@
./common/linux-specific.nix ./common/linux-specific.nix
./hosts/${hostname}/configuration.nix ./hosts/${hostname}/configuration.nix
./common/options.nix ./common/options.nix
lix-module.nixosModules.default
(import "${home-manager}/nixos") (import "${home-manager}/nixos")
url-eater.nixosModules.default url-eater.nixosModules.default
colorpickle.nixosModules.default colorpickle.nixosModules.default
@ -155,7 +154,7 @@
nixpkgs = import nixpkgs rec { nixpkgs = import nixpkgs rec {
system = "x86_64-linux"; system = "x86_64-linux";
config.allowUnfree = true; config.allowUnfree = true;
overlays = mkOverlays system config; overlays = overlays system config;
}; };
}; };
@ -164,13 +163,14 @@
./common ./common
./common/linux-specific.nix ./common/linux-specific.nix
./hosts/bloodletting/configuration.nix ./hosts/bloodletting/configuration.nix
lix-module.nixosModules.default
(import "${home-manager}/nixos") (import "${home-manager}/nixos")
mms.module mms.module
]; ];
deployment = { deployment = {
targetUser = "root"; targetUser = "root";
targetHost = "technogothic.net"; targetHost = "bloodletting";
tags = [ "prod" ]; tags = [ "prod" ];
@ -220,6 +220,7 @@
./common ./common
./common/linux-specific.nix ./common/linux-specific.nix
./hosts/watchtower/configuration.nix ./hosts/watchtower/configuration.nix
lix-module.nixosModules.default
(import "${home-manager}/nixos") (import "${home-manager}/nixos")
]; ];
@ -228,23 +229,6 @@
targetHost = "watchtower"; targetHost = "watchtower";
tags = [ "prod" ]; tags = [ "prod" ];
keys = {
"hetzner-env" = {
keyCommand = [
"cat"
"./secrets/hetzner-env"
];
destDir = "/var/lib/secrets/";
};
"gocryptfs-pass" = {
keyCommand = [
"cat"
"./secrets/gocryptfs-pass"
];
destDir = "/var/lib/secrets/";
};
};
}; };
}; };
@ -252,35 +236,29 @@
tears = mkDesktop "tears"; tears = mkDesktop "tears";
}; };
darwinConfigurations."Agathas-Mac-mini" = nix-darwin.lib.darwinSystem { darwinConfigurations."Agathas-Mac-mini" = nix-darwin.lib.darwinSystem {
pkgs = import nixpkgs-darwin rec {
system = "aarch64-darwin";
config.allowUnfree = true;
overlays = mkOverlays system config;
};
modules = [ modules = [
./common ./common
./hosts/Agathas-Mac-mini/configuration.nix ./hosts/Agathas-Mac-mini/configuration.nix
lix-module.nixosModules.default
(import "${home-manager}/nix-darwin") (import "${home-manager}/nix-darwin")
(
{ config, ... }:
{
nixpkgs.overlays = overlays nixpkgs.system config;
}
)
]; ];
}; };
devShells = devShells."x86_64-linux".default =
let let
patchedColmena = pkgs = import nixpkgs { system = "x86_64-linux"; };
system:
let
pkgs = import nixpkgs { inherit system; };
in
pkgs.mkShell {
buildInputs = [
(pkgs.writeShellScriptBin "colmena" ''
${colmena.defaultPackage.${pkgs.system}}/bin/colmena --disable-emoji $@
'')
];
};
in in
{ pkgs.mkShell {
"x86_64-linux".default = patchedColmena "x86_64-linux"; buildInputs = [
"aarch64-darwin".default = patchedColmena "aarch64-darwin"; (pkgs.writeShellScriptBin "colmena" ''
${colmena.defaultPackage.${pkgs.system}}/bin/colmena --disable-emoji $@
'')
];
}; };
}; };
} }

5
hosts/Agathas-Mac-mini/configuration.nix
View File

@ -2,8 +2,6 @@
{ {
imports = [ imports = [
../../common/home_manager/common.nix ../../common/home_manager/common.nix
../../common/remote-builds.nix
../../common/fragments/graphical/barebones.nix
../../common/fragments/graphical/iosevka.nix ../../common/fragments/graphical/iosevka.nix
]; ];
@ -19,7 +17,6 @@
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
]; ];
trusted-users = [ "@admin" ];
}; };
# Needed for the nix-darwin environment even if zsh is not used. # Needed for the nix-darwin environment even if zsh is not used.
@ -43,6 +40,4 @@
iosevka iosevka
siji siji
]; ];
system.stateVersion = 1;
} }

115
hosts/bloodletting/configuration.nix
View File

@ -1,17 +1,11 @@
{ { config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
{
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/users/julia.nix
../../common/fragments/bin.nix ../../common/fragments/bin.nix
../../common/fragments/fail2ban.nix ../../common/fragments/fail2ban.nix
../../common/fragments/frq-friend.nix ../../common/fragments/frq-friend.nix
../../common/fragments/grafana.nix ../../common/fragments/grafana.nix
../../common/fragments/headscale.nix
../../common/fragments/hedgedoc.nix ../../common/fragments/hedgedoc.nix
../../common/fragments/mastodon-ebooks.nix ../../common/fragments/mastodon-ebooks.nix
../../common/fragments/mastodon.nix ../../common/fragments/mastodon.nix
@ -30,7 +24,8 @@
nixpkgs.overlays = [ nixpkgs.overlays = [
(final: prev: { (final: prev: {
bin = final.callPackage ../../common/pkgs/bin.nix { }; bin = final.callPackage ../../common/pkgs/bin.nix { };
agatha-mastodon = final.callPackage ../../common/pkgs/mastodon/default.nix { }; agatha-mastodon =
final.callPackage ../../common/pkgs/mastodon/default.nix { };
}) })
]; ];
@ -45,19 +40,15 @@
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.interfaces.ens20 = { networking.interfaces.ens20 = {
ipv4.addresses = [ ipv4.addresses = [{
{ address = "91.198.192.199";
address = "91.198.192.199"; prefixLength = 27;
prefixLength = 27; }];
}
];
ipv6.addresses = [ ipv6.addresses = [{
{ address = "2001:67c:b54:1::6";
address = "2001:67c:b54:1::6"; prefixLength = 64;
prefixLength = 64; }];
}
];
}; };
networking.defaultGateway = { networking.defaultGateway = {
@ -72,20 +63,11 @@
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ allowedTCPPorts = [ 20 21 22 80 443 990 ];
20 allowedTCPPortRanges = [{
21 from = 40000;
22 to = 40200;
80 }];
443
990
];
allowedTCPPortRanges = [
{
from = 40000;
to = 40200;
}
];
trustedInterfaces = [ "podman0" ]; trustedInterfaces = [ "podman0" ];
}; };
@ -95,7 +77,7 @@
dockerCompat = true; dockerCompat = true;
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
}; };
oci-containers.backend = "podman"; oci-containers = { backend = "podman"; };
}; };
# SSL/TLS Certificates # SSL/TLS Certificates
@ -104,20 +86,13 @@
security.acme.certs."technogothic.net" = { security.acme.certs."technogothic.net" = {
domain = "*.technogothic.net"; domain = "*.technogothic.net";
extraDomainNames = [ extraDomainNames = [ "technogothic.net" "*.argent.technogothic.net" ];
"technogothic.net"
"*.argent.technogothic.net"
];
dnsProvider = "hurricane"; dnsProvider = "hurricane";
credentialsFile = "/var/lib/secrets/hurricane-tokens"; credentialsFile = "/var/lib/secrets/hurricane-tokens";
group = "nginx"; group = "nginx";
}; };
security.acme.defaults.reloadServices = [ security.acme.defaults.reloadServices = [ "nginx" "vsftpd" "prosody" ];
"nginx"
"vsftpd"
"prosody"
];
systemd.services.nginx.serviceConfig.ProtectHome = "read-only"; systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
# Nginx # Nginx
@ -134,14 +109,10 @@
upstreams = { upstreams = {
"backend-mastodon-streaming" = { "backend-mastodon-streaming" = {
servers = builtins.listToAttrs ( servers = builtins.listToAttrs (map (i: {
map (i: { name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket";
name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket"; value = { fail_timeout = "0"; };
value = { }) (lib.range 1 config.services.mastodon.streamingProcesses));
fail_timeout = "0";
};
}) (lib.range 1 config.services.mastodon.streamingProcesses)
);
extraConfig = '' extraConfig = ''
least_conn; least_conn;
''; '';
@ -155,9 +126,7 @@
serverAliases = [ "agatha.technogothic.net" ]; serverAliases = [ "agatha.technogothic.net" ];
locations."=/cv.pdf" = { locations."=/cv.pdf" = { alias = "/home/ftp/cv.pdf"; };
alias = "/home/ftp/cv.pdf";
};
locations."=/.well-known/host-meta" = { locations."=/.well-known/host-meta" = {
return = "301 https://fv.technogothic.net$request_uri"; return = "301 https://fv.technogothic.net$request_uri";
@ -200,7 +169,9 @@
locations."/" = { locations."/" = {
proxyPass = "http://localhost:6162"; proxyPass = "http://localhost:6162";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = "client_max_body_size ${toString config.services.bin.textUploadLimit}M;"; extraConfig = "client_max_body_size ${
toString config.services.bin.textUploadLimit
}M;";
}; };
}; };
@ -210,9 +181,7 @@
root = "/home/ftp"; root = "/home/ftp";
locations."/" = { locations."/" = { extraConfig = "autoindex on;"; };
extraConfig = "autoindex on;";
};
}; };
virtualHosts."fv.technogothic.net" = { virtualHosts."fv.technogothic.net" = {
@ -223,9 +192,7 @@
locations."/system/".alias = "/var/lib/mastodon/public-system/"; locations."/system/".alias = "/var/lib/mastodon/public-system/";
locations."/" = { locations."/" = { tryFiles = "$uri @proxy"; };
tryFiles = "$uri @proxy";
};
locations."@proxy" = { locations."@proxy" = {
proxyPass = "http://unix:/run/mastodon-web/web.socket"; proxyPass = "http://unix:/run/mastodon-web/web.socket";
@ -258,27 +225,6 @@
extraConfig = "proxy_ssl_server_name on;"; extraConfig = "proxy_ssl_server_name on;";
}; };
}; };
virtualHosts."hs.technogothic.net" = {
useACMEHost = "technogothic.net";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
};
virtualHosts."carvideo.technogothic.net" = {
useACMEHost = "technogothic.net";
forceSSL = true;
serverAliases = [ "agatha.technogothic.net" ];
locations."/" = {
return = "301 https://ftp.technogothic.net/car_video.mp4";
};
};
}; };
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
@ -289,3 +235,4 @@
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment? system.stateVersion = "22.11"; # Did you read the comment?
} }

22
hosts/ritual/configuration.nix
View File

@ -2,7 +2,7 @@
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/fragments/graphical ../../common/fragments/graphical
../../common/remote-builds.nix ../../common/fragments/yubikey.nix
../../common/home_manager/common.nix ../../common/home_manager/common.nix
]; ];
@ -14,9 +14,7 @@
boot.loader.systemd-boot.configurationLimit = 5; boot.loader.systemd-boot.configurationLimit = 5;
# Setup keyfile # Setup keyfile
boot.initrd.secrets = { boot.initrd.secrets = { "/crypto_keyfile.bin" = null; };
"/crypto_keyfile.bin" = null;
};
networking.hostName = "ritual"; networking.hostName = "ritual";
@ -29,7 +27,7 @@
dockerCompat = true; dockerCompat = true;
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
}; };
oci-containers.backend = "podman"; oci-containers = { backend = "podman"; };
}; };
# Don't suspend when closed and plugged into power # Don't suspend when closed and plugged into power
@ -37,18 +35,7 @@
home-manager.users.agatha = { home-manager.users.agatha = {
xsession.windowManager.bspwm = { xsession.windowManager.bspwm = {
monitors = { monitors = { eDP-1 = [ "I" "II" "III" "IV" "V" "VI" "VII" "VIII" ]; };
eDP-1 = [
"I"
"II"
"III"
"IV"
"V"
"VI"
"VII"
"VIII"
];
};
rules = { rules = {
"Element".desktop = "II"; "Element".desktop = "II";
"TelegramDesktop".desktop = "III"; "TelegramDesktop".desktop = "III";
@ -81,3 +68,4 @@
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment? system.stateVersion = "22.11"; # Did you read the comment?
} }

52
hosts/tears/configuration.nix
View File

@ -1,8 +1,8 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/fragments/graphical/barebones.nix ../../common/fragments/graphical
../../common/fragments/virt.nix ../../common/fragments/yubikey.nix
../../common/home_manager/common.nix ../../common/home_manager/common.nix
]; ];
@ -14,9 +14,7 @@
boot.loader.systemd-boot.configurationLimit = 3; boot.loader.systemd-boot.configurationLimit = 3;
# Setup keyfile # Setup keyfile
boot.initrd.secrets = { boot.initrd.secrets = { "/crypto_keyfile.bin" = null; };
"/crypto_keyfile.bin" = null;
};
networking.hostName = "tears"; networking.hostName = "tears";
@ -29,13 +27,47 @@
dockerCompat = true; dockerCompat = true;
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
}; };
oci-containers.backend = "podman"; oci-containers = { backend = "podman"; };
}; };
# Needed for remote builds home-manager.users.agatha = {
users.users.root.openssh.authorizedKeys.keys = [ xsession.windowManager.bspwm = {
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGCsAQfMx1X+8HEa88x+l3KdJPFAzXg0vL0l/pm56/ZR nix-builder" monitors = {
]; DP-1 = [ "I" "II" "III" "IV" "V" ];
HDMI-1 = [ "VI" "VII" "VIII" "IX" "X" ];
};
extraConfigEarly =
"xrandr --output HDMI-1 --mode 1920x1080 --rate 144 --dpi 92 --output DP-1 --mode 1920x1080 --rate 144 --dpi 92 --left-of HDMI-1";
rules = {
"Element".desktop = "I";
"TelegramDesktop".desktop = "II";
"dino".desktop = "II";
"Cider".desktop = "III";
"Geary".desktop = "IV";
"firefox" = {
desktop = "VI";
state = "tiled";
follow = false;
};
};
};
services.polybar = {
script = ''
polybar left &
polybar right &'';
settings."bar/right" = {
monitor = "\${env:MONITOR:HDMI-1}";
modules.right =
"filesystem battery pulseaudio xkeyboard memory cpu powermenu";
};
settings."bar/left".monitor = "\${env:MONITOR:DP-1}";
};
};
environment.graphical.theme.name = "bridge";
services.syncthing.dataDir = "/mnt/hdd/syncthing";
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions

7
hosts/watchtower/configuration.nix
View File

@ -1,8 +1,8 @@
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/users/julia.nix
../../common/home_manager/common.nix ../../common/home_manager/common.nix
../../common/fragments/bittorrent
../../common/fragments/home-assistant.nix ../../common/fragments/home-assistant.nix
../../common/fragments/sponsorblock.nix ../../common/fragments/sponsorblock.nix
]; ];
@ -17,7 +17,6 @@
# Enable networking # Enable networking
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
systemd.services.NetworkManager-wait-online.enable = false;
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall = { networking.firewall = {
@ -35,7 +34,9 @@
dockerCompat = true; dockerCompat = true;
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
}; };
oci-containers.backend = "podman"; oci-containers = {
backend = "podman";
};
}; };
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default