Lucy Hochkamp 2025-09-10 15:33:48 +02:00
parent c999ed6520
commit 35c8ebb56a
No known key found for this signature in database
20 changed files with 670 additions and 405 deletions

17
flake.lock generated

@ -545,22 +545,6 @@
"type": "github"
}
},
"nix-flatpak": {
"locked": {
"lastModified": 1739444422,
"narHash": "sha256-iAVVHi7X3kWORftY+LVbRiStRnQEob2TULWyjMS6dWg=",
"owner": "gmodena",
"repo": "nix-flatpak",
"rev": "5e54c3ca05a7c7d968ae1ddeabe01d2a9bc1e177",
"type": "github"
},
"original": {
"owner": "gmodena",
"ref": "latest",
"repo": "nix-flatpak",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1757103352,
@ -747,7 +731,6 @@
"mtxclient": "mtxclient",
"nheko": "nheko",
"niri": "niri",
"nix-flatpak": "nix-flatpak",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-master": "nixpkgs-master",


@ -6,7 +6,6 @@
nixpkgs-master.url = "github:nixos/nixpkgs?ref=master";
mobile-nixos.url = "github:mobile-nixos/mobile-nixos";
mobile-nixos.flake = false;
nix-flatpak.url = "github:gmodena/nix-flatpak?ref=latest";
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";


@ -1,51 +0,0 @@
{
pkgs,
config,
lib,
inputs,
...
}:
let
cfg = config.xyno.alacritty;
in
{
options.xyno.alacritty.enable = lib.mkOption { default = false; };
config = lib.mkIf cfg.enable {
programs.alacritty = {
enable = true;
settings = {
font.normal.family = "JetBrainsMono NerdFont";
colors = {
primary = {
# hard contrast
background = "#1d2021";
# normal background = "#282828";
# soft contrast background = = "#32302f"
foreground = "#ebdbb2";
};
normal = {
black = "#282828";
red = "#cc241d";
green = "#98971a";
yellow = "#d79921";
blue = "#458588";
magenta = "#b16286";
cyan = "#689d6a";
white = "#a89984";
};
bright = {
black = "#928374";
red = "#fb4934";
green = "#b8bb26";
yellow = "#fabd2f";
blue = "#83a598";
magenta = "#d3869b";
cyan = "#8ec07c";
white = "#ebdbb2";
};
};
};
};
};
}


@ -10,54 +10,13 @@ let
in
{
options.xyno.firefox.enable = lib.mkOption { default = false; };
options.xyno.firefox.package = lib.mkOption {
type = lib.types.package;
default = inputs.zen-browser.packages.${pkgs.system}.default;
};
config = lib.mkIf cfg.enable {
programs.firefox = {
programs.zen-browser = {
enable = true;
package = cfg.package;
languagePacks = [
"en-US"
"de"
];
preferences = {
"widget.use-xdg-desktop-portal.file-picker" = 1;
"font.default.x-western" = "sans-serif";
"font.name.sans-serif.x-western" = "Source Sans 3";
"font.name.monospace.x-western" = "JetBrainsMono Nerd Font";
"font.size.vaiable.x-western" = "14";
"network.proxy.allow_hijacking_localhost" = true;
"browser.newtabpage.pinned" = builtins.toJSON [
# won't ever see that but whatever
{
url = "https://mastodon.catgirl.cloud";
label = "fedi";
}
{
url = "https://youtube.com";
label = "YouTube";
}
{
url = "https://tagesschau.de";
label = "Tagesschau";
}
{
url = "https://heise.de";
label = "heise";
}
];
# things ripped from https://github.com/yokoffing/Betterfox/blob/main/Fastfox.js
"media.memory_cache_max_size" = 65536;
"media.cache_readahead_limit" = 7200;
"media.cache_resume_threshold" = 3600;
"network.http.max-connections" = 1000;
"network.http.max-persistent-connections-per-server" = 10;
"network.http.max-urgent-start-excessive-connections-per-host" = 5;
"network.ssl_tokens_cache_capacity" = 10240;
};
policies = {
# Updates & Background Services
AppAutoUpdate = false;
@ -97,7 +56,7 @@ in
};
"keepassxc-browser@keepassxc.org" = {
default_area = "navbar";
default_area = "menupanel";
install_url = moz "keepassxc-browser";
installation_mode = "force_installed";
private_browsing = true;
@ -122,131 +81,294 @@ in
install_url = moz "web-clipper-obsidian";
installation_mode = "force_installed";
private_browsing = true;
};
"@testpilot-containers" = {
default_area = "menupanel";
install_url = moz "multi_account_containers";
installation_mode = "force_installed";
private_browsing = true;
};
"{7a7a4a92-a2a0-41d1-9fd7-1e92480d612d}" = {
default_area = "menupanel";
install_url = moz "styl_us";
installation_mode = "force_installed";
private_browsing = true;
};
};
};
};
profiles.default = {
bookmarks.settings = [
{
name = "wikipedia";
tags = [ "wiki" ];
keyword = "wiki";
url = "https://en.wikipedia.org/wiki/Special:Search?search=%s&go=Go";
}
{
name = "mastodon.catgirl.cloud";
tags = [ "fedi" ];
keyword = "fedi";
url = "https://mastodon.catgirl.cloud";
}
{
name = "YouTube";
tags = [ "yt" ];
keyword = "yt";
url = "https://youtube.com";
}
{
name = "tagesschau.de";
tags = [ "news" ];
keyword = "tagesschau";
url = "https://tagesschau.de";
}
{
name = "heise.de";
tags = [ "news" ];
keyword = "heise";
url = "https://heise.de";
}
"seperator"
{
name = "Nix sites";
toolbar = true;
bookmarks = [
profiles.lucy = {
spacesForce = true;
spaces = {
main = {
id = "59c80d1b-ec79-4d65-a337-aa69e3af8614";
icon = "";
};
work = {
id = "7753b3d5-28e4-4575-9b8f-f9fa999bddd8";
position = 1001;
icon = "🚂";
container = 2;
};
};
containersForce = true;
containers = {
work = {
id = 2;
icon = "dollar";
color = "blue";
};
};
settings = {
"widget.use-xdg-desktop-portal.file-picker" = 1;
"font.default.x-western" = "sans-serif";
"font.name.sans-serif.x-western" = "Source Sans 3";
"font.name.monospace.x-western" = "JetBrainsMono Nerd Font";
"font.size.variable.x-western" = "14";
"browser.display.use_document_fonts" = "0";
"network.proxy.allow_hijacking_localhost" = true;
"browser.newtabpage.pinned" = builtins.toJSON [
# won't ever see that but whatever
{
name = "homepage";
url = "https://nixos.org/";
url = "https://mastodon.catgirl.cloud";
label = "fedi";
}
{
name = "wiki";
tags = [
"wiki"
"nix"
];
url = "https://wiki.nixos.org/";
url = "https://youtube.com";
label = "YouTube";
}
{
url = "https://tagesschau.de";
label = "Tagesschau";
}
{
url = "https://heise.de";
label = "heise";
}
{
url = "https://j.hailsatan.eu";
label = "Lucy+";
}
];
}
];
"privacy.trackingprotection.enabled" = true;
"privacy.trackingprotection.socialtracking.enabled" = true;
"privacy.trackingprotection.emailtracking.enabled" = true;
extensions.settings = {
"uBlock0@raymondhill.net" = {
"zen.view.use-single-toolbar" = false;
"zen.welcome-screen.seen" = true;
# things ripped from https://github.com/yokoffing/Betterfox/blob/main/Fastfox.js
"media.memory_cache_max_size" = 65536;
"media.cache_readahead_limit" = 7200;
"media.cache_resume_threshold" = 3600;
"network.http.max-connections" = 1000;
"network.http.max-persistent-connections-per-server" = 10;
"network.http.max-urgent-start-excessive-connections-per-host" = 5;
"network.ssl_tokens_cache_capacity" = 10240;
"extensions.webextensions.ExtensionStorageIDB.enabled" = false;
};
};
search = {
force = true;
default = "DuckDuckGo";
privateDefault = "DuckDuckGo";
engines = {
"Nix Packages" = {
urls = [
bookmarks.force = true;
bookmarks.settings = [
{
name = "wikipedia";
tags = [ "wiki" ];
keyword = "wiki";
url = "https://en.wikipedia.org/wiki/Special:Search?search=%s&go=Go";
}
{
name = "mastodon.catgirl.cloud";
tags = [ "fedi" ];
keyword = "fedi";
url = "https://mastodon.catgirl.cloud";
}
{
name = "YouTube";
tags = [ "video" ];
keyword = "yt";
url = "https://youtube.com";
}
{
name = "Lucy+";
tags = [ "video" ];
keyword = "j";
url = "https://j.hailsatan.eu";
}
{
name = "tagesschau.de";
tags = [ "news" ];
keyword = "tagesschau";
url = "https://tagesschau.de";
}
{
name = "heise.de";
tags = [ "news" ];
keyword = "heise";
url = "https://heise.de";
}
"separator"
{
name = "Nix sites";
toolbar = true;
bookmarks = [
{
template = "https://search.nixos.org/packages";
params = [
{
name = "channel";
value = "unstable";
}
{
name = "query";
value = "{searchTerms}";
}
name = "Nixpkgs Manual";
tags = [
"nix"
];
url = "https://ryantm.github.io/nixpkgs/";
}
{
name = "NixOS Manual";
tags = [
"nix"
];
url = "https://nixos.org/manual/nixos/stable/#sec-option-declarations";
}
{
name = "homepage";
url = "https://nixos.org/";
}
{
name = "wiki";
tags = [
"wiki"
"nix"
];
url = "https://wiki.nixos.org/";
}
];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@np" ];
}
];
extensions.force = true;
extensions.settings = {
"vimium-c@gdh1995.cn".settings = {
searchEngines = ''
g|go|gg|google|Google: https://www.google.com/search?q=%s \\
www.google.com re=/^(?:\\.[a-z]{2,4})?\\/search\\b.*?[#&?]q=([^#&]*)/i \\
blank=https://www.google.com/ Google
g.m|gm|g.map|gmap: https://www.google.com/maps?q=%s \\
blank=https://www.google.com/maps Google Maps
y|yt: https://www.youtube.com/results?search_query=%s \\
blank=https://www.youtube.com/ YouTube
w|wiki: https://www.wikipedia.org/w/index.php?search=%s Wikipedia
g.s|gs|gscholar: https://scholar.google.com/scholar?q=$s \\
scholar.google.com re=/^(?:\\.[a-z]{2,4})?\\/scholar\\b.*?[#&?]q=([^#&]*)/i \\
blank=https://scholar.google.com/ Google Scholar
a|ae|ali|alie|aliexp: https://www.aliexpress.com/wholesale?SearchText=%s \\
blank=https://www.aliexpress.com/ AliExpress
az|amazon: https://www.amazon.com/s?k=%s \\
blank=https://www.amazon.com/ Amazon
\\:i: vimium://sed/s/^//,lower\\ $S re= Lower case
v.m|math: vimium://math\\ $S re= Calculate
v.p: vimium://parse\\ $S re= Redo Search
gh|github: https://github.com/search?q=$s \\
blank=https://github.com/ GitHub Repo
ge|gitee: https://search.gitee.com/?type=repository&q=$s \\
blank=https://gitee.com/ Gitee
js\\:|Js: javascript:\\ $S; JavaScript
'';
keyLayout = 2;
scrollStepSize = 150;
searchUrl = "https://duckduckgo.com/?tq=$s DDG";
keyMappings = ''
#!no-check
unmap gs
map gs LinkHints.activateHover
map <c-i> enterInsertMode key="<c-esc>"
'';
};
"Nix Options" = {
urls = [
{
template = "https://search.nixos.org/options";
params = [
{
name = "channel";
value = "unstable";
}
{
name = "query";
value = "{searchTerms}";
}
];
}
];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@no" ];
"{7a7a4a92-a2a0-41d1-9fd7-1e92480d612d}".settings = {
dbInChromeStorage = true; # required for Stylus
};
"NixOS Wiki" = {
urls = [
{
template = "https://wiki.nixos.org/w/index.php";
params = [
{
name = "search";
value = "{searchTerms}";
}
];
}
"uBlock0@raymondhill.net".settings = {
selectedFilterLists = [
"user-filters"
"ublock-filters"
"ublock-badware"
"ublock-privacy"
"ublock-quick-fixes"
"ublock-unbreak"
"easylist"
"easyprivacy"
"urlhaus-1"
"plowe-0"
"fanboy-cookiemonster"
"ublock-cookies-easylist"
"fanboy-social"
"easylist-chat"
"easylist-newsletters"
"easylist-notifications"
"easylist-annoyances"
];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@nw" ];
"user-filters" =
''marketplace.visualstudio.com##+js(rpnt, script, /"(DisableVSCodeDownloadButtonEnabled|Microsoft\\.VisualStudio\\.Services\\.Gallery\\.DisableVSCodeDownloadButton)":true/, "$1":false)'';
};
};
search = {
force = true;
default = "ddg";
privateDefault = "ddg";
engines = {
"Nix Packages" = {
urls = [
{
template = "https://search.nixos.org/packages";
params = [
{
name = "channel";
value = "unstable";
}
{
name = "query";
value = "{searchTerms}";
}
];
}
];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@np" ];
};
"Nix Options" = {
urls = [
{
template = "https://search.nixos.org/options";
params = [
{
name = "channel";
value = "unstable";
}
{
name = "query";
value = "{searchTerms}";
}
];
}
];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@no" ];
};
"NixOS Wiki" = {
urls = [
{
template = "https://wiki.nixos.org/w/index.php";
params = [
{
name = "search";
value = "{searchTerms}";
}
];
}
];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@nw" ];
};
};
};
};
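Review bot: In the new `profiles.lucy` `settings` block, `"browser.display.use_document_fonts" = "0";` and `"font.size.variable.x-western" = "14";` are written as Nix strings, while Firefox defines both as integer prefs. As far as I know a user pref whose type does not match the built-in default is not applied, so the web-font restriction in particular would silently have no effect. I would write them as integers, `"browser.display.use_document_fonts" = 0;` and `"font.size.variable.x-western" = 14;`, and confirm in `about:config` on a built profile. The same block carries over `"network.proxy.allow_hijacking_localhost" = true;` without explanation; a one-line comment on why loopback requests should follow the configured proxy would help the next reader.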


@ -1,30 +1,34 @@
{ pkgs, config, lib, inputs, ... }:
with lib;
let
cfg = config.xyno.helix;
in
{
options.xyno.helix.enable = lib.mkOption { default = false; };
config = lib.mkIf cfg.enable {
options.xyno.helix.enable = mkOption { default = false; };
options.xyno.helix.withLargeLSPs = mkOption { default = false; };
config = mkIf cfg.enable {
home.packages = with pkgs; [
jsonnet-language-server
jsonnet
nixpkgs-fmt
# omnisharp-roslyn
## ts
# nodePackages_latest.prettier
typescript
dprint
nodePackages_latest.typescript-language-server
nodePackages_latest.vscode-langservers-extracted
markdown-oxide
## python
# ruff-lsp
# nodePackages_latest.pyright
# inputs.csharp-language-server.packages.${pkgs.system}.csharp-language-server
] ++ (optionals cfg.withLargeLSPs [
netcoredbg
];
nodePackages_latest.typescript-language-server
nodePackages_latest.vscode-langservers-extracted
typescript
jsonnet-language-server
jsonnet
]);
programs.helix = {
package = inputs.helix.packages.${pkgs.stdenv.hostPlatform.system}.default;
package = inputs.helix.packages.${pkgs.system}.default;
enable = true;
defaultEditor = true;
settings = {
@ -117,7 +121,7 @@ in
language-server.csharp = {
command = "csharp-language-server";
};
language = lib.flatten [
language = flatten [
(map
(x: {
name = x;
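Review bot: The `++ (optionals cfg.withLargeLSPs [ … ])` tail of `home.packages` sits inside the `with pkgs;` scope, and the module now also opens `with lib;` at the top, so `optionals` is looked up in `pkgs` first and only then in `lib`. Nothing visible here collides today, but a package attribute of the same name would change what the expression evaluates to without any error. Writing `lib.optionals` there, and keeping `lib.mkOption`, `lib.mkIf` and `lib.flatten` qualified as before, keeps the lookup explicit.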


@ -1,7 +1,9 @@
{ inputs, ... }:
[
./alacritty.nix
./borgmatic.nix
./dark-theme.nix
./firefox.nix
./git.nix
./helix.nix
./dark-theme.nix
./mpv.nix
]

20
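--- /dev/null
+++ b/hm-modules/mpv.nix
@@ -0,0 +1,20 @@
+{
+pkgs,
+config,
+lib,
+inputs,
+...
+}:
+let
+cfg = config.xyno.mpv;
+in
+{
+options.xyno.mpv.enable = lib.mkOption { default = false; };
+config = lib.mkIf cfg.enable {
+programs.mpv = {
+enable = true;
+scripts = with pkgs.mpvScripts; [ mpv-webm sponsorblock ];
+};
+};
+}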


@ -5,7 +5,7 @@
publicHostname = "ds9.hailsatan.eu";
prometheusServer = true;
wg = {
pubKey = "";
pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc=";
# server = true;
# v4 = "10.13.12.1";
};


@ -0,0 +1,57 @@
wg:
privkey: ENC[AES256_GCM,data:b7wB43mIt64PLb4ig80/TwjEDvHldH+g1cMg4y0t45xD5moCIyTQQMYW8XI=,iv:c6YJzKnSqbG2A7tp9I8CGqo8jPtNh14oHlrTI8/gVrA=,tag:hhfzSb5ubiMFcQu0FdGmzg==,type:str]
sops:
lastmodified: "2025-09-06T23:31:51Z"
mac: ENC[AES256_GCM,data:dp1W5HM1NjubonM1Cxa21gTGozYzZLQgjcBmAnDxnK7GEec3lHgWFXkQ6KALmuisIFpvR7SkVjCu4gyZzmh0IuGpqtpHpluzny1uHBUCQer7ojsdNkcp5kETUk8VwiZZja6Gj0kDtXfEf103bpT0T0Z+UOVMrWKoWGQbv4brVaQ=,iv:FfcsqVdd7YVkQmCplzLTv/sHDSNAEHjcP4OxOZA7g28=,tag:/43cCFLF6cgX1iNfGk+ohw==,type:str]
pgp:
- created_at: "2025-09-06T23:31:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hL4DAAAAAAAAAAASBAMEQwLDACmQv4ORHq85U/BoynySfEpqqyUtzPZOiFR4Hj2s
eF5hblqTIMcdiRkIVeF+Lg1Oor4tui8MgKwKA7kfq54MQysMFtpRWIu2AMrneC9E
wJ+FnhKTaRrqiH7v41OLtjX1twZxOWUvHo+kOhEN29UhwdiaA12f5BnN4a7qzz4w
Y0cl6YKlE6XKn345TVvl3GXB/+/4VUrReDmAjxJhZ/gdmLBQ1Pjz6/Nvp/gu3BZP
0l4BXwEklaJ/2ILKbGmdzyH9XAl2BW768+B7ygawHtPOnlMtyoJG8/3FMWv/ZbcP
Ar38mIH2+rbQMgTwe3WAbaQ0QPwZrw0bZFvqcWdGpBU8qQDmpr67A0gH2TfXTIhY
=E1SN
-----END PGP MESSAGE-----
fp: 0D98D5964AC8BB1CA034CE4EC456133700066642
- created_at: "2025-09-06T23:31:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=7YJl
-----END PGP MESSAGE-----
fp: fada7e7be28e186e463ad745a38d17f36849d8a7
- created_at: "2025-09-06T23:31:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=zxBa
-----END PGP MESSAGE-----
fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
unencrypted_suffix: _unencrypted
version: 3.10.2


@ -5,7 +5,7 @@
publicHostname = "xyno.space";
# prometheusServer = true;
wg = {
pubKey = "";
pubKey = "7JcdTbWfsyGWhJM1Rk9Y4xZVLPHcTmoG/Ne/AFCYKFs=";
server = true;
v4 = "10.13.12.1";
};


@ -0,0 +1,57 @@
wg:
privkey: ENC[AES256_GCM,data:DI5T9OXnCt73WUfTFqgLA2Y/OkBZTp+i0kxpiUKWmN4Kyd6bf6HF3vg7htE=,iv:ziWU6P9SxQUaTs4VOtIcDg9Dq+a250nO6W42WASCFa8=,tag:cyfe6XWcsQL8W0ofoY/rEw==,type:str]
sops:
lastmodified: "2025-09-06T23:32:40Z"
mac: ENC[AES256_GCM,data:kgS8W00EhWjW9tb4YSaURdfhcsQB+XnUZvxTkG1ZCWNXbiZiGB+86lW4xrPxurIIMqF05XQwJdYY/ozo5Pd5WG5KDO8pL9gC1m2Y6NC7VwKmgnb9YZIZt1DXhUEKp18xpWmXOxt/ngNw5Md4157TEh7Mg1+bMfb+csEXhSEKoaY=,iv:V2TrHF3ArAo/thVmOTn74qk/z1OQLcQndv/8Zel/cPY=,tag:cp3nOmytYNW5+d1jfR5gpA==,type:str]
pgp:
- created_at: "2025-09-06T23:32:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hL4DAAAAAAAAAAASBAMEOWDso+44YL1Yjk4aH4+VjZuLsF5POF3Rx+GDkSXG7Yzt
KuZo4xwbjPI/fi/xIL3bcctEPk4/8hlWcr40noUnIlNlaCgYtJBMKsC+DPH3nnup
i9AlSOCgHIVK6xG6MTH8Uu1xw1MmkIHirqJWJbwe8t8SkGg5mOJQ7B2rRHgGabQw
UYynNAum+34V0GFF5/qqfvEmPsQaL243mxwmv9OV5gtgNginqgsSUt96mGAhosbF
0l4BjnH1+z9a28AetL7mnYxnp7HI5MhBsYdbZ4MEdO1gm3WoJMRdo782s7eLMPm0
n9lk+uQaue/7i1h18RsBX2ZI7/2tjlUT1Y0SedGqwcavTHIRvZxfxniuJwTak7AW
=HRzI
-----END PGP MESSAGE-----
fp: 0D98D5964AC8BB1CA034CE4EC456133700066642
- created_at: "2025-09-06T23:32:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=cySR
-----END PGP MESSAGE-----
fp: fada7e7be28e186e463ad745a38d17f36849d8a7
- created_at: "2025-09-06T23:32:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=xPB1
-----END PGP MESSAGE-----
fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
unencrypted_suffix: _unencrypted
version: 3.10.2


@ -13,42 +13,15 @@
home-manager.users.${config.xyno.system.user.name} = (
{ ... }:
{
xyno.git.enable = true;
xyno.borgmatic.enable = true;
home.packages = [
# work
# (pkgs.unstable.jetbrains.rider.override { jdk = pkgs.unstable.openjdk21; })
pkgs.unstable.jetbrains.rider
pkgs.android-studio
# (pkgs.unstable.android-studio.override { jdk = pkgs.unstable.openjdk21; })
(pkgs.firefox-devedition.overrideAttrs (super: self: { meta.priority = 1; }))
];
services.flatpak.update.auto.enable = true;
services.flatpak = {
enable = true;
packages = [
"com.unicornsonlsd.finamp"
# "io.github.softfever.OrcaSlicer"
"io.anytype.anytype"
"org.bionus.Grabber"
"org.getmonero.Monero"
{
appId = "org.gimp.GIMP";
origin = "flathub-beta";
}
"org.kicad.KiCad"
"org.pencil2d.Pencil2D"
];
};
}
);
nixpkgs.config.permittedInsecurePackages = [
"olm-3.2.16"
];
virtualisation.podman.enable = true;
services.vsmartcard-vpcd.enable = true;
hardware.gpgSmartcards.enable = true;
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 35963 ] ;
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 35963 ];
environment.systemPackages = with pkgs; [
aerc
@ -65,38 +38,15 @@
supersonic
nheko
anki-bin
nixpkgs-manual
nixpkgs-manual.lib-docs
(
let
helpScript = pkgs.writeShellScriptBin "nixpkgs-help" ''
exec xdg-open ${pkgs.nixpkgs-manual}/share/doc/nixpkgs/index.html
'';
desktopItem = pkgs.makeDesktopItem {
name = "nixpkgs-manual";
desktopName = "nixpkgs Manual";
genericName = "System Manual";
comment = "View nixpkgs documentation in a web browser";
icon = "nix-snowflake";
exec = "nixpkgs-help";
categories = [ "System" ];
};
in
pkgs.symlinkJoin {
name = "nixpkgs-help";
paths = [
helpScript
desktopItem
];
}
)
# (nheko.overrideAttrs (
# super: self: {
# src = inputs.nheko;
# }
# ))
gimp3
anytype
monero-gui
orca-slicer
kicad
dune3d
pencil2d
python311Packages.brother-ql
ptouch-print
];
time.timeZone = "Europe/Berlin";
@ -116,8 +66,10 @@
xyno.hardware.kmonad.enable = true;
xyno.presets.cli.enable = true;
xyno.presets.gui.enable = true;
xyno.presets.development.enable = true;
xyno.presets.home-manager.enable = true;
xyno.system.user.enable = true;
services.openssh.enable = true;
xyno.user-services.syncthing = {
enable = true;
tray = true;
@ -132,7 +84,6 @@
services.blueman.enable = true;
services.power-profiles-daemon.enable = true;
programs.kdeconnect.enable = true;
services.flatpak.enable = true;
system.stateVersion = "24.11";
}
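Review bot: `services.openssh.enable = true;` is added to this desktop host in the `@ -116,8 +66,10 @` hunk with no `services.openssh.settings` beside it, and the NixOS module opens port 22 on every interface by default through `services.openssh.openFirewall`. Unless hardening lives in a shared module outside this page, I would add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "no";` here. It may also be worth setting `services.openssh.openFirewall = false;` and allowing port 22 only on the VPN interface, the way this file already scopes port 35963 to `tailscale0`.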


@ -13,8 +13,7 @@ in
lib.mkEnableOption "install some commonly used programs";
config = lib.mkIf cfg.enable {
home-manager.users.${config.xyno.system.user.name} = lib.mkIf config.xyno.presets.home-manager.enable ({...}: {
# xyno.alacritty.enable = true;
xyno.helix.enable = true;
xyno.firefox.enable = true;
});
programs.steam = {
enable = true;
@ -24,7 +23,6 @@ in
};
programs.evolution.enable = true;
services.gnome.evolution-data-server.enable = true;
services.flatpak.enable = true;
programs.fuse.userAllowOther = true;
programs.nix-ld.enable = true;
programs.gamescope.enable = true;


@ -5,6 +5,7 @@
lib,
...
}:
with lib;
let
cfg = config.xyno.desktop.niri;
floatingAppids = [
@ -14,7 +15,7 @@ let
"org.gnome.NautilusPreviewer"
"io.github.Qalculate.qalculate-qt"
];
matchFloat = lib.concatStringsSep "\n" (
matchFloat = concatStringsSep "\n" (
map (x: ''
window-rule {
match app-id="${x}"
@ -25,43 +26,44 @@ let
);
in
{
options.xyno.desktop.niri.enable = lib.mkEnableOption "enable the niri desktop with xynos config";
options.xyno.desktop.niri.launcher = lib.mkOption { type = lib.types.str; };
options.xyno.desktop.niri.term = lib.mkOption { type = lib.types.str; };
options.xyno.desktop.niri.extraConfig = lib.mkOption { type = lib.types.lines; };
config = lib.mkIf cfg.enable {
options.xyno.desktop.niri.enable = mkEnableOption "enable the niri desktop with xynos config";
options.xyno.desktop.niri.launcher = mkOption { type = types.str; };
options.xyno.desktop.niri.term = mkOption { type = types.str; };
options.xyno.desktop.niri.extraConfig = mkOption { type = types.lines; };
config = mkIf cfg.enable {
xyno.desktop = {
foot.enable = lib.mkDefault true;
fuzzel.enable = lib.mkDefault true;
mako.enable = lib.mkDefault true;
shikane.enable = lib.mkDefault true;
swayidle.enable = lib.mkDefault true;
waybar.enable = lib.mkDefault true;
wpaperd.enable = lib.mkDefault true;
foot.enable = mkDefault true;
fuzzel.enable = mkDefault true;
mako.enable = mkDefault true;
shikane.enable = mkDefault true;
swayidle.enable = mkDefault true;
waybar.enable = mkDefault true;
wpaperd.enable = mkDefault true;
};
nixpkgs.overlays = [
inputs.niri.overlays.default
];
services.displayManager.defaultSession = mkDefault "niri";
home-manager.users.${config.xyno.system.user.name} =
lib.mkIf config.xyno.presets.home-manager.enable
mkIf config.xyno.presets.home-manager.enable
(
{ ... }:
{
xyno.dark-theme.enable = true;
home.file.".config/xdg-desktop-portal-termfilechooser/config".text = ''
[filechooser]
cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh
default_dir=$HOME
env=TERMCMD=footclient --app-id floating-alacritty
open_mode = suggested
save_mode = suggested
'';
# home.file.".config/xdg-desktop-portal-termfilechooser/config".text = ''
# [filechooser]
# cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh
# default_dir=$HOME
# env=TERMCMD=footclient --app-id floating-alacritty
# open_mode = suggested
# save_mode = suggested
# '';
}
);
xdg.portal = {
extraPortals = [
pkgs.xdg-desktop-portal-termfilechooser
# pkgs.xdg-desktop-portal-termfilechooser
];
config.niri.default = [
"gnome"


@ -17,6 +17,7 @@
./networking/networkd.nix
./presets/cli.nix
./presets/common.nix
./presets/development.nix
./presets/gui.nix
./presets/server.nix
./presets/home-manager.nix


@ -11,6 +11,17 @@ in
options.xyno.presets.cli.enable =
lib.mkEnableOption "enables xynos cli config with fish and helix and stuff";
config = lib.mkIf cfg.enable {
home-manager.users.${config.xyno.system.user.name} =
lib.mkIf config.xyno.presets.home-manager.enable
(
{ ... }:
{
xyno.helix.enable = true;
home.sessionVariables.LOCALE_ARCHIVE_2_27 = lib.mkForce "/run/current-system/sw/lib/locale/locale-archive";
systemd.user.sessionVariables.LOCALE_ARCHIVE_2_27 = lib.mkForce "/run/current-system/sw/lib/locale/locale-archive";
}
);
xyno.cli.fish.enable = true;
xyno.cli.starship.enable = true;
security.sudo.enable = false;
@ -31,19 +42,15 @@ in
LC_TIME = "de_DE.UTF-8";
LC_COLLATE = "de_DE.UTF-8";
};
home-manager.users.xyno.home.sessionVariables.LOCALE_ARCHIVE_2_27 =
lib.mkForce "/run/current-system/sw/lib/locale/locale-archive";
home-manager.users.xyno.systemd.user.sessionVariables.LOCALE_ARCHIVE_2_27 =
lib.mkForce "/run/current-system/sw/lib/locale/locale-archive";
nix.settings = {
substituters = [
# "https://cache.lix.systems"
"https://helix.cachix.org"
# "https://helix.cachix.org"
];
trusted-public-keys = [
# "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
"helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
# "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
];
trusted-users = lib.mkDefault [
"root"
@ -78,33 +85,35 @@ in
# pinentrywlavor = "curses";
# enableSSHSupport = true;
};
services.udev.packages = [ pkgs.yubikey-personalization ]; # needed for yubikeys to be used as smartcards
environment.systemPackages = with pkgs; [
jq
fd
(pkgs.writeShellScriptBin "sudo" "run0 $@")
aria2
openssl
bat
bottom
curl
croc
dig
fd
ffmpeg
file
fzf
git
helix
htop
imagemagick
bat
ffmpeg
poppler
w3m
curl
aria2
fzf
file
git
neofetch
ripgrep
pv
yt-dlp
moar
helix
jq
lm_sensors
dig
moar
neofetch
nix-output-monitor
(pkgs.writeShellScriptBin "sudo" "run0 $@")
poppler
pv
ripgrep
w3m
yt-dlp
p7zip
];
programs.mosh.enable = true;
environment.variables.EDITOR = "hx";
@ -125,6 +134,7 @@ in
p = "cd ~/proj";
ytl = ''yt-dlp -f "bv*+mergeall[vcodec=none]" --audio-multistreams'';
sudo = "run0";
less = "moar";
};
};
}
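Review bot: The `sudo` shim in `environment.systemPackages`, `(pkgs.writeShellScriptBin "sudo" "run0 $@")`, expands `$@` unquoted, so any argument containing spaces or glob characters is split again before it reaches `run0`. For a privilege-elevation wrapper that means the command that runs as root can differ from the one that was typed, for example with `sudo sh -c 'a b'`. I would change the script body to `exec run0 "$@"`, i.e. `(pkgs.writeShellScriptBin "sudo" ''exec run0 "$@"'')`. This commit only moves the line while re-sorting the list, so the behaviour predates it, but it is on the new side and worth fixing here.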


@ -0,0 +1,61 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.xyno.presets.development;
in
{
options.xyno.presets.development.enable =
mkEnableOption "enables xynos configs for a development machine";
config = mkIf cfg.enable {
home-manager.users.${config.xyno.system.user.name} = mkIf config.xyno.presets.home-manager.enable (
{ ... }:
{
xyno.helix.withLargeLSPs = true;
xyno.git.enable = true;
}
);
xyno.presets.cli.enable = true;
xyno.presets.home-manager.enable = true;
xyno.system.user.enable = true;
virtualisation.podman.enable = true;
environment.systemPackages = with pkgs; [
unstable.jetbrains.rider
android-studio
nixpkgs-manual
nixpkgs-manual.lib-docs
podman-compose
tio
(
let
helpScript = pkgs.writeShellScriptBin "nixpkgs-help" ''
exec xdg-open ${pkgs.nixpkgs-manual}/share/doc/nixpkgs/index.html
'';
desktopItem = pkgs.makeDesktopItem {
name = "nixpkgs-manual";
desktopName = "nixpkgs Manual";
genericName = "System Manual";
comment = "View nixpkgs documentation in a web browser";
icon = "nix-snowflake";
exec = "nixpkgs-help";
categories = [ "System" ];
};
in
pkgs.symlinkJoin {
name = "nixpkgs-help";
paths = [
helpScript
desktopItem
];
}
)
];
};
}


@ -4,34 +4,36 @@
lib,
...
}:
with lib;
let
cfg = config.xyno.presets.gui;
in
{
options.xyno.presets.gui.enable = lib.mkEnableOption "enables xynos gui config";
options.xyno.presets.gui.terminalEmulator = lib.mkOption {
type = lib.types.str;
default = "alacritty";
options.xyno.presets.gui.enable = mkEnableOption "enables xynos gui config";
options.xyno.presets.gui.terminalEmulator = mkOption {
type = types.str;
default = "foot";
};
config = lib.mkIf cfg.enable {
config = mkIf cfg.enable {
services.udev.packages = [
pkgs.openocd # fix permission errors with connecting things (especially esp32-c3)
pkgs.ptouch-print
pkgs.yubikey-personalization
];
xyno.desktop.niri.enable = true;
xyno.desktop.audio.enable = lib.mkDefault true;
xyno.desktop.audio.enable = mkDefault true;
boot.kernelPackages = mkDefault pkgs.linuxPackages_zen;
security.soteria.enable = true;
security.rtkit.enable = true;
services.pcscd.enable = true;
services.pcscd.plugins = [ pkgs.pcsc-scm-scl011];
services.pcscd.plugins = [ pkgs.pcsc-scm-scl011 ];
xyno.hardware.kmonad.enable = true;
# wayland on electron
environment.sessionVariables.NIXOS_OZONE_WL = "1";
services.displayManager.defaultSession = "niri";
# gdm
services.xserver.displayManager.gdm.enable = true;
services.xserver.enable = true;
services.xserver.displayManager.gdm.wayland = true;
services.displayManager.gdm.enable = true;
# services.xserver.enable = true;
services.displayManager.gdm.wayland = true;
# ssh agent
programs.ssh.startAgent = true;
@ -67,8 +69,8 @@ in
# enable the gnome shit
services.gnome.gnome-keyring.enable = true;
services.gnome.gnome-online-accounts.enable = true;
services.gnome.core-utilities.enable = true;
services.gnome.gcr-ssh-agent.enable = lib.mkForce false;
services.gnome.core-apps.enable = true;
services.gnome.gcr-ssh-agent.enable = mkForce false;
services.gnome.sushi.enable = true;
services.gnome.gnome-settings-daemon.enable = true;
services.gvfs.enable = true;
@ -81,9 +83,10 @@ in
environment.sessionVariables.GTK_USE_PORTAL = "1";
# home-manager.users.${config.xyno.system.user.name} =
# { pkgs, ... }:
# {
home-manager.users.${config.xyno.system.user.name} =
{ pkgs, ... }:
{
xyno.mpv.enable = true;
# xdg.mimeApps = {
# enable = true;
# defaultApplications = {
@ -104,7 +107,7 @@ in
# };
# };
# };
};
environment.systemPackages = with pkgs; [
kdePackages.breeze-gtk
@ -113,11 +116,16 @@ in
kdePackages.breeze-icons
];
# fonts
fonts.fontconfig.defaultFonts = {
sansSerif = ["Source Sans 3" "Noto Sans Symbols 2"];
monospace = ["JetBrainsMono Nerd Font" "Noto Sans Symbols 2"];
sansSerif = [
"Source Sans 3"
"Noto Sans Symbols 2"
];
monospace = [
"JetBrainsMono Nerd Font"
"Noto Sans Symbols 2"
];
};
fonts.packages = with pkgs; [
nerd-fonts.jetbrains-mono
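Review bot: The now-active `home-manager.users.${config.xyno.system.user.name} = { pkgs, ... }: { xyno.mpv.enable = true;` in the `@ -81,9 +83,10 @` hunk is not guarded by `mkIf config.xyno.presets.home-manager.enable`, unlike the equivalent blocks in the cli, development and niri modules in this commit. `xyno.mpv` is declared only through `home-manager.sharedModules`, which the home-manager preset sets under its own `lib.mkIf cfg.enable`, so a host that enables the gui preset without that preset would presumably fail evaluation on an unknown option. I would write `home-manager.users.${config.xyno.system.user.name} = mkIf config.xyno.presets.home-manager.enable ({ pkgs, ... }: {` and close it with `});` to match. The module body continues outside the hunks shown.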


@ -13,8 +13,8 @@ in
config = lib.mkIf cfg.enable {
home-manager.useGlobalPkgs = true;
home-manager.extraSpecialArgs = { inherit inputs;};
home-manager.sharedModules = (import ../../hm-modules/module-list.nix) ++ [
inputs.nix-flatpak.homeManagerModules.nix-flatpak
home-manager.sharedModules = (import ../../hm-modules/module-list.nix { inherit inputs;}) ++ [
inputs.zen-browser.homeModules.default
];
home-manager.users.${config.xyno.system.user.name} = {pkgs, ... }: {
home.stateVersion = lib.mkDefault "24.11";


@ -7,11 +7,12 @@
...
}:
let
wgServer = instanceConfig?wg.server && instanceConfig.wg.server;
wgServer = instanceConfig ? wg.server && instanceConfig.wg.server;
cfg = config.xyno.services.wireguard;
ula = cfg.ula;
ulaPrefix = "${ula}:1337"; # /64 for normal vpn
monitoringUlaPrefix = "${ula}:2337"; # /64 for monitoring
v4Subnet = "10.13.12.0/24";
# uses a hash digest as the host identifier
genUlaForHost =
@ -23,35 +24,49 @@ let
in
"${prefix}:${localPart}";
# peers list for networkd
filteredConfigs = builtins.filter (x: x.hostName != config.networking.hostName ) (lib.attrValues instanceConfigs);
filteredConfigs = builtins.filter (x: x.hostName != config.networking.hostName) (
lib.attrValues instanceConfigs
);
wgPeersLists = map (
c:
(
(lib.optional (c?publicHostname) {
(lib.optional (c ? publicHostname) {
# if peer is publicly on the internet
AllowedIPs =
(lib.optionals ( c?wg.server && c.wg.server) [
"${ulaPrefix}::/48" # all traffic in the ula shall be sent to the server
(lib.optionals (c ? wg.server && c.wg.server) [
# is server
"::/0"
])
++ (lib.optionals (!c?wg.server || !c.wg.server) [
++ (lib.optionals (c ? wg.server && c.wg.server && c ? wg.v4 && instanceConfig ? wg.v4) [
# both client and server have a v4
"0.0.0.0/0"
])
++ (lib.optionals (!c ? wg.server || !c.wg.server) [
# is not server
"${genUlaForHost ulaPrefix c.hostName}/128" # if a host is reachable but shouldn't play server, send only to the hosts ip
])
++ (lib.optionals ((!c ? wg.server || !c.wg.server) && c ? wg.v4 && instanceConfig ? wg.v4) [
# no server, no ipv4 yay
"${c.wg.v4}/32"
]);
RouteTable = 1000;
Endpoint = "${c.publicHostname}:51820";
PersistentKeepalive = 25;
PublicKey = c.wg.pubKey;
PresharedKeyFile = config.sops.secrets."wg/psk".path;
})
++ (lib.optional ((!c ? publicHostname) && wgServer && (c ? wg.pubKey)) {
# if this is the server and the peer isn't reachable on the internet
AllowedIPs = [
"${genUlaForHost ulaPrefix c.hostName}/128"
"${genUlaForHost monitoringUlaPrefix c.hostName}/128"
]
++ (lib.optionals (c ? wg.v4 && instanceConfig ? wg.v4) [
"${c.wg.v4}/32"
]);
PublicKey = c.wg.pubKey;
PresharedKeyFile = config.sops.secrets."wg/psk".path;
})
++ (lib.optional
((!c?publicHostname) && wgServer && (c?wg.pubKey))
{
# if this is the server and the peer isn't reachable on the internet
AllowedIPs = [
"${genUlaForHost ulaPrefix c.hostName}/128"
"${genUlaForHost monitoringUlaPrefix c.hostName}/128"
];
PublicKey = c.wg.pubKey;
PresharedKeyFile = config.sops.secrets."wg/psk".path; # TODO
}
)
)
) filteredConfigs;
wgPeers = lib.flatten wgPeersLists;
@ -79,48 +94,72 @@ in
default = genUlaForHost monitoringUlaPrefix config.networking.hostName;
};
config = lib.mkIf cfg.enable {
networking.hosts = (lib.mapAttrs' (
n: v: {
value = ["${v.hostName}.${cfg.hostsDomain}"];
# TODO: add a all traffic through this network
networking.hosts =
(lib.mapAttrs' (n: v: {
value = [ "${v.hostName}.${cfg.hostsDomain}" ];
name = (genUlaForHost ulaPrefix v.hostName);
}
) instanceConfigs) // (lib.mapAttrs' (
n: v: {
value = ["${v.hostName}.${cfg.monHostsDomain}"];
}) instanceConfigs)
// (lib.mapAttrs' (n: v: {
value = [ "${v.hostName}.${cfg.monHostsDomain}" ];
name = (genUlaForHost monitoringUlaPrefix v.hostName);
}
) instanceConfigs);
}) instanceConfigs);
networking.firewall.allowedUDPPorts = lib.optional wgServer 51820;
networking.firewall.interfaces."wg0".allowedUDPPorts = lib.optional wgServer 53;
systemd.network.netdevs."wg0" = {
systemd.network.netdevs."99-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
Description = "main wireguard tunnel";
};
wireguardConfig = {
ListenPort = lib.mkIf wgServer 51820;
PrivateKeyFile = config.sops.secrets."wg/privkey".path; # TODO
PrivateKeyFile = config.sops.secrets."wg/privkey".path;
FirewallMark = "0x8888";
};
wireguardPeers = wgPeers;
};
systemd.network.networks."wg0" = {
systemd.network.networks."50-wg0" = {
matchConfig.Name = "wg0";
networkConfig = {
Description = "xyno wireguard";
IPMasquerade = lib.mkIf (instanceConfig ? wg.server && instanceConfig.wg.server) "both";
IPv4Forwarding = (instanceConfig ? wg.server && instanceConfig.wg.server);
IPv6Forwarding = (instanceConfig ? wg.server && instanceConfig.wg.server);
};
address = [
"${(genUlaForHost ulaPrefix config.networking.hostName)}/128"
"${(genUlaForHost monitoringUlaPrefix config.networking.hostName)}/128"
"${(genUlaForHost ulaPrefix config.networking.hostName)}/64"
"${(genUlaForHost monitoringUlaPrefix config.networking.hostName)}/64"
]
++ (lib.optionals (instanceConfig ? wg.v4) [ "${instanceConfig.wg.v4}/24" ]);
};
systemd.network.networks."51-wg0-all-traffic" = {
matchConfig.Name = "wg0";
networkConfig = {
Description = "xyno wireguard all traffic";
DNSDefaultRoute = true;
DNS = "2a07:e340::2#dns.mullvad.net";
DNSOverTLS = true;
};
routingPolicyRules = [
{
FirewallMark = "0x8888";
InvertRule = true;
Table = 1000;
Priority = 10;
}
];
};
services.prometheus.exporters.wireguard = lib.mkIf (wgServer && config.xyno.services.monitoring.enable) {
enable = true;
interfaces = [ "wg0" ];
};
services.prometheus.exporters.wireguard =
lib.mkIf (wgServer && config.xyno.services.monitoring.enable)
{
enable = true;
interfaces = [ "wg0" ];
};
services.coredns = lib.mkIf wgServer { # for non nixos devices to be able to resolve vpn hostnames
services.coredns = lib.mkIf wgServer {
# for non nixos devices to be able to resolve vpn hostnames
enable = true;
config = ''
. {
@ -132,9 +171,11 @@ in
'';
};
xyno.services.monitoring.exporters.coredns = lib.mkIf wgServer 9153;
xyno.services.monitoring.exporters.wireguard = lib.mkIf wgServer config.services.prometheus.exporters.wireguard.port;
xyno.services.monitoring.exporters.wireguard =
lib.mkIf wgServer config.services.prometheus.exporters.wireguard.port;
sops.secrets."wg/privkey" = {
reloadUnits = [ "systemd-networkd.service" ];
sopsFile = ../../instances/${config.networking.hostName}/secrets/wg.yaml;
};
sops.secrets."wg/psk" = {
reloadUnits = [ "systemd-networkd.service" ];