From 35c8ebb56abc9cafe3b654b05574f5db8919467a Mon Sep 17 00:00:00 2001 From: Lucy Hochkamp Date: Wed, 10 Sep 2025 15:33:48 +0200 Subject: [PATCH] meow --- flake.lock | 17 -- flake.nix | 1 - hm-modules/alacritty.nix | 51 ---- hm-modules/firefox.nix | 418 ++++++++++++++++++---------- hm-modules/helix.nix | 24 +- hm-modules/module-list.nix | 6 +- hm-modules/mpv.nix | 20 ++ instances/ds9/default.nix | 2 +- instances/ds9/secrets/wg.yaml | 57 ++++ instances/picard/default.nix | 2 +- instances/picard/secrets/wg.yaml | 57 ++++ instances/theseus/configuration.nix | 73 +---- modules/desktop/common-programs.nix | 4 +- modules/desktop/niri.nix | 48 ++-- modules/module-list.nix | 1 + modules/presets/cli.nix | 62 +++-- modules/presets/development.nix | 61 ++++ modules/presets/gui.nix | 48 ++-- modules/presets/home-manager.nix | 4 +- modules/services/wireguard.nix | 119 +++++--- 20 files changed, 670 insertions(+), 405 deletions(-) delete mode 100644 hm-modules/alacritty.nix create mode 100644 hm-modules/mpv.nix create mode 100644 instances/ds9/secrets/wg.yaml create mode 100644 instances/picard/secrets/wg.yaml create mode 100644 modules/presets/development.nix diff --git a/flake.lock b/flake.lock index 017bf260..c9859923 100644 --- a/flake.lock +++ b/flake.lock @@ -545,22 +545,6 @@ "type": "github" } }, - "nix-flatpak": { - "locked": { - "lastModified": 1739444422, - "narHash": "sha256-iAVVHi7X3kWORftY+LVbRiStRnQEob2TULWyjMS6dWg=", - "owner": "gmodena", - "repo": "nix-flatpak", - "rev": "5e54c3ca05a7c7d968ae1ddeabe01d2a9bc1e177", - "type": "github" - }, - "original": { - "owner": "gmodena", - "ref": "latest", - "repo": "nix-flatpak", - "type": "github" - } - }, "nixos-hardware": { "locked": { "lastModified": 1757103352, @@ -747,7 +731,6 @@ "mtxclient": "mtxclient", "nheko": "nheko", "niri": "niri", - "nix-flatpak": "nix-flatpak", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", 
diff --git a/flake.nix b/flake.nix index 0a225a7a..e02ffc93 100644 --- a/flake.nix +++ b/flake.nix @@ -6,7 +6,6 @@ nixpkgs-master.url = "github:nixos/nixpkgs?ref=master"; mobile-nixos.url = "github:mobile-nixos/mobile-nixos"; mobile-nixos.flake = false; - nix-flatpak.url = "github:gmodena/nix-flatpak?ref=latest"; home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; diff --git a/hm-modules/alacritty.nix b/hm-modules/alacritty.nix deleted file mode 100644 index 30b0d830..00000000 --- a/hm-modules/alacritty.nix +++ /dev/null @@ -1,51 +0,0 @@ -{ - pkgs, - config, - lib, - inputs, - ... -}: -let - cfg = config.xyno.alacritty; -in -{ - options.xyno.alacritty.enable = lib.mkOption { default = false; }; - config = lib.mkIf cfg.enable { - programs.alacritty = { - enable = true; - settings = { - font.normal.family = "JetBrainsMono NerdFont"; - colors = { - primary = { - # hard contrast - background = "#1d2021"; - # normal background = "#282828"; - # soft contrast background = = "#32302f" - foreground = "#ebdbb2"; - }; - normal = { - black = "#282828"; - red = "#cc241d"; - green = "#98971a"; - yellow = "#d79921"; - blue = "#458588"; - magenta = "#b16286"; - cyan = "#689d6a"; - white = "#a89984"; - }; - bright = { - black = "#928374"; - red = "#fb4934"; - green = "#b8bb26"; - yellow = "#fabd2f"; - blue = "#83a598"; - magenta = "#d3869b"; - cyan = "#8ec07c"; - white = "#ebdbb2"; - }; - }; - }; - }; - - }; -} diff --git a/hm-modules/firefox.nix b/hm-modules/firefox.nix index 915e6cad..638007d6 100644 --- a/hm-modules/firefox.nix +++ b/hm-modules/firefox.nix 
@@ -10,54 +10,13 @@ let in { options.xyno.firefox.enable = lib.mkOption { default = false; }; - options.xyno.firefox.package = lib.mkOption { - type = lib.types.package; - default = inputs.zen-browser.packages.${pkgs.system}.default; - }; config = lib.mkIf cfg.enable { - programs.firefox = { + programs.zen-browser = { enable = true; - package = cfg.package; languagePacks = [ "en-US" "de" ]; - preferences = { - "widget.use-xdg-desktop-portal.file-picker" = 1; - "font.default.x-western" = "sans-serif"; - "font.name.sans-serif.x-western" = "Source Sans 3"; - "font.name.monospace.x-western" = "JetBrainsMono Nerd Font"; - "font.size.vaiable.x-western" = "14"; - "network.proxy.allow_hijacking_localhost" = true; - "browser.newtabpage.pinned" = builtins.toJSON [ - # won't ever see that but whatever - { - url = "https://mastodon.catgirl.cloud"; - label = "fedi"; - } - { - url = "https://youtube.com"; - label = "YouTube"; - } - { - url = "https://tagesschau.de"; - label = "Tagesschau"; - } - { - url = "https://heise.de"; - label = "heise"; - } - ]; - - # things ripped from https://github.com/yokoffing/Betterfox/blob/main/Fastfox.js - "media.memory_cache_max_size" = 65536; - "media.cache_readahead_limit" = 7200; - "media.cache_resume_threshold" = 3600; - "network.http.max-connections" = 1000; - "network.http.max-persistent-connections-per-server" = 10; - "network.http.max-urgent-start-excessive-connections-per-host" = 5; - "network.ssl_tokens_cache_capacity" = 10240; - }; policies = { # Updates & Background Services AppAutoUpdate = false; @@ -97,7 +56,7 @@ in }; "keepassxc-browser@keepassxc.org" = { - default_area = "navbar"; + default_area = "menupanel"; install_url = moz "keepassxc-browser"; installation_mode = "force_installed"; private_browsing = true; 
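Review bot: Removing `options.xyno.firefox.package` changes the module's interface; any instance that still sets `xyno.firefox.package` will now fail evaluation with an undefined-option error, and nothing in the commit message or the hunk notes that. The new `programs.zen-browser` options also presuppose that the zen-browser home-manager module is imported somewhere, which this patch does not show; if that is what the `{ inputs, ... }:` change to hm-modules/module-list.nix is for, a one-line comment there such as `# module-list takes inputs so the zen-browser HM module can be imported` would save the next reader a search. The enclosing `config = lib.mkIf cfg.enable { ... }` set continues outside the hunk.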
@@ -122,131 +81,294 @@ in install_url = moz "web-clipper-obsidian"; installation_mode = "force_installed"; private_browsing = true; - + }; + "@testpilot-containers" = { + default_area = "menupanel"; + install_url = moz "multi_account_containers"; + installation_mode = "force_installed"; + private_browsing = true; + }; + "{7a7a4a92-a2a0-41d1-9fd7-1e92480d612d}" = { + default_area = "menupanel"; + install_url = moz "styl_us"; + installation_mode = "force_installed"; + private_browsing = true; }; }; }; - }; - profiles.default = { - bookmarks.settings = [ - { - name = "wikipedia"; - tags = [ "wiki" ]; - keyword = "wiki"; - url = "https://en.wikipedia.org/wiki/Special:Search?search=%s&go=Go"; - } - { - name = "mastodon.catgirl.cloud"; - tags = [ "fedi" ]; - keyword = "fedi"; - url = "https://mastodon.catgirl.cloud"; - } - { - name = "YouTube"; - tags = [ "yt" ]; - keyword = "yt"; - url = "https://youtube.com"; - } - { - name = "tagesschau.de"; - tags = [ "news" ]; - keyword = "tagesschau"; - url = "https://tagesschau.de"; - } - { - name = "heise.de"; - tags = [ "news" ]; - keyword = "heise"; - url = "https://heise.de"; - } - "seperator" - { - name = "Nix sites"; - toolbar = true; - bookmarks = [ + profiles.lucy = { + spacesForce = true; + spaces = { + main = { + id = "59c80d1b-ec79-4d65-a337-aa69e3af8614"; + icon = "β›§"; + }; + work = { + id = "7753b3d5-28e4-4575-9b8f-f9fa999bddd8"; + position = 1001; + icon = "πŸš‚"; + container = 2; + }; + }; + containersForce = true; + containers = { + work = { + id = 2; + icon = "dollar"; + color = "blue"; + }; + }; + settings = { + "widget.use-xdg-desktop-portal.file-picker" = 1; + "font.default.x-western" = "sans-serif"; + "font.name.sans-serif.x-western" = "Source Sans 3"; + "font.name.monospace.x-western" = "JetBrainsMono Nerd Font"; + "font.size.variable.x-western" = "14"; + "browser.display.use_document_fonts" = "0"; + "network.proxy.allow_hijacking_localhost" = true; + "browser.newtabpage.pinned" = builtins.toJSON [ + # 
won't ever see that but whatever { - name = "homepage"; - url = "https://nixos.org/"; + url = "https://mastodon.catgirl.cloud"; + label = "fedi"; } { - name = "wiki"; - tags = [ - "wiki" - "nix" - ]; - url = "https://wiki.nixos.org/"; + url = "https://youtube.com"; + label = "YouTube"; + } + { + url = "https://tagesschau.de"; + label = "Tagesschau"; + } + { + url = "https://heise.de"; + label = "heise"; + } + { + url = "https://j.hailsatan.eu"; + label = "Lucy+"; } ]; - } - ]; + "privacy.trackingprotection.enabled" = true; + "privacy.trackingprotection.socialtracking.enabled" = true; + "privacy.trackingprotection.emailtracking.enabled" = true; - extensions.settings = { - "uBlock0@raymondhill.net" = { + "zen.view.use-single-toolbar" = false; + "zen.welcome-screen.seen" = true; + # things ripped from https://github.com/yokoffing/Betterfox/blob/main/Fastfox.js + "media.memory_cache_max_size" = 65536; + "media.cache_readahead_limit" = 7200; + "media.cache_resume_threshold" = 3600; + "network.http.max-connections" = 1000; + "network.http.max-persistent-connections-per-server" = 10; + "network.http.max-urgent-start-excessive-connections-per-host" = 5; + "network.ssl_tokens_cache_capacity" = 10240; + "extensions.webextensions.ExtensionStorageIDB.enabled" = false; }; - }; - search = { - force = true; - default = "DuckDuckGo"; - privateDefault = "DuckDuckGo"; - - engines = { - "Nix Packages" = { - urls = [ + bookmarks.force = true; + bookmarks.settings = [ + { + name = "wikipedia"; + tags = [ "wiki" ]; + keyword = "wiki"; + url = "https://en.wikipedia.org/wiki/Special:Search?search=%s&go=Go"; + } + { + name = "mastodon.catgirl.cloud"; + tags = [ "fedi" ]; + keyword = "fedi"; + url = "https://mastodon.catgirl.cloud"; + } + { + name = "YouTube"; + tags = [ "video" ]; + keyword = "yt"; + url = "https://youtube.com"; + } + { + name = "Lucy+"; + tags = [ "video" ]; + keyword = "j"; + url = "https://j.hailsatan.eu"; + } + { + name = "tagesschau.de"; + tags = [ "news" ]; + keyword 
= "tagesschau"; + url = "https://tagesschau.de"; + } + { + name = "heise.de"; + tags = [ "news" ]; + keyword = "heise"; + url = "https://heise.de"; + } + "separator" + { + name = "Nix sites"; + toolbar = true; + bookmarks = [ { - template = "https://search.nixos.org/packages"; - params = [ - { - name = "channel"; - value = "unstable"; - } - { - name = "query"; - value = "{searchTerms}"; - } + name = "Nixpkgs Manual"; + tags = [ + "nix" ]; + url = "https://ryantm.github.io/nixpkgs/"; + } + { + name = "NixOS Manual"; + tags = [ + "nix" + ]; + url = "https://nixos.org/manual/nixos/stable/#sec-option-declarations"; + } + { + name = "homepage"; + url = "https://nixos.org/"; + } + { + name = "wiki"; + tags = [ + "wiki" + "nix" + ]; + url = "https://wiki.nixos.org/"; } ]; - icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; - definedAliases = [ "@np" ]; + } + + ]; + + extensions.force = true; + extensions.settings = { + "vimium-c@gdh1995.cn".settings = { + searchEngines = '' + g|go|gg|google|Google: https://www.google.com/search?q=%s \\ + www.google.com re=/^(?:\\.[a-z]{2,4})?\\/search\\b.*?[#&?]q=([^#&]*)/i \\ + blank=https://www.google.com/ Google + g.m|gm|g.map|gmap: https://www.google.com/maps?q=%s \\ + blank=https://www.google.com/maps Google Maps + y|yt: https://www.youtube.com/results?search_query=%s \\ + blank=https://www.youtube.com/ YouTube + w|wiki: https://www.wikipedia.org/w/index.php?search=%s Wikipedia + g.s|gs|gscholar: https://scholar.google.com/scholar?q=$s \\ + scholar.google.com re=/^(?:\\.[a-z]{2,4})?\\/scholar\\b.*?[#&?]q=([^#&]*)/i \\ + blank=https://scholar.google.com/ Google Scholar + a|ae|ali|alie|aliexp: https://www.aliexpress.com/wholesale?SearchText=%s \\ + blank=https://www.aliexpress.com/ AliExpress + az|amazon: https://www.amazon.com/s?k=%s \\ + blank=https://www.amazon.com/ Amazon + \\:i: vimium://sed/s/^//,lower\\ $S re= Lower case + v.m|math: vimium://math\\ $S re= Calculate + v.p: vimium://parse\\ $S re= 
Redo Search + gh|github: https://github.com/search?q=$s \\ + blank=https://github.com/ GitHub Repo + ge|gitee: https://search.gitee.com/?type=repository&q=$s \\ + blank=https://gitee.com/ Gitee δ»“εΊ“ + js\\:|Js: javascript:\\ $S; JavaScript + ''; + keyLayout = 2; + scrollStepSize = 150; + searchUrl = "https://duckduckgo.com/?tq=$s DDG"; + keyMappings = '' + #!no-check + unmap gs + map gs LinkHints.activateHover + map enterInsertMode key="" + ''; }; - - "Nix Options" = { - urls = [ - { - template = "https://search.nixos.org/options"; - params = [ - { - name = "channel"; - value = "unstable"; - } - { - name = "query"; - value = "{searchTerms}"; - } - ]; - } - ]; - icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; - definedAliases = [ "@no" ]; + "{7a7a4a92-a2a0-41d1-9fd7-1e92480d612d}".settings = { + dbInChromeStorage = true; # required for Stylus }; - - "NixOS Wiki" = { - urls = [ - { - template = "https://wiki.nixos.org/w/index.php"; - params = [ - { - name = "search"; - value = "{searchTerms}"; - } - ]; - } + "uBlock0@raymondhill.net".settings = { + selectedFilterLists = [ + "user-filters" + "ublock-filters" + "ublock-badware" + "ublock-privacy" + "ublock-quick-fixes" + "ublock-unbreak" + "easylist" + "easyprivacy" + "urlhaus-1" + "plowe-0" + "fanboy-cookiemonster" + "ublock-cookies-easylist" + "fanboy-social" + "easylist-chat" + "easylist-newsletters" + "easylist-notifications" + "easylist-annoyances" ]; - icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; - definedAliases = [ "@nw" ]; + "user-filters" = + ''marketplace.visualstudio.com##+js(rpnt, script, /"(DisableVSCodeDownloadButtonEnabled|Microsoft\\.VisualStudio\\.Services\\.Gallery\\.DisableVSCodeDownloadButton)":true/, "$1":false)''; + + }; + }; + search = { + force = true; + default = "ddg"; + privateDefault = "ddg"; + + engines = { + "Nix Packages" = { + urls = [ + { + template = "https://search.nixos.org/packages"; + params = [ + { + name = 
"channel"; + value = "unstable"; + } + { + name = "query"; + value = "{searchTerms}"; + } + ]; + } + ]; + icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; + definedAliases = [ "@np" ]; + }; + + "Nix Options" = { + urls = [ + { + template = "https://search.nixos.org/options"; + params = [ + { + name = "channel"; + value = "unstable"; + } + { + name = "query"; + value = "{searchTerms}"; + } + ]; + } + ]; + icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; + definedAliases = [ "@no" ]; + }; + + "NixOS Wiki" = { + urls = [ + { + template = "https://wiki.nixos.org/w/index.php"; + params = [ + { + name = "search"; + value = "{searchTerms}"; + } + ]; + } + ]; + icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; + definedAliases = [ "@nw" ]; + }; }; }; }; diff --git a/hm-modules/helix.nix b/hm-modules/helix.nix index 7e3bedd9..db7fcdb9 100644 --- a/hm-modules/helix.nix +++ b/hm-modules/helix.nix 
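Review bot: `"browser.display.use_document_fonts" = "0";` in the new `profiles.lucy.settings` block stores a string where Firefox keeps an integer pref; as far as I recall a user.js entry whose type differs from the built-in default is rejected with a type-mismatch warning rather than applied, so the document-font setting would silently have no effect. The carried-over `"font.size.variable.x-western" = "14";` has the same problem, while `"widget.use-xdg-desktop-portal.file-picker" = 1;` a few lines above already uses the right form. Change them to `"browser.display.use_document_fonts" = 0;` and `"font.size.variable.x-western" = 14;`. The hunk closes the module, so no definition runs past it.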
@@ -1,30 +1,34 @@ { pkgs, config, lib, inputs, ... }: +with lib; let cfg = config.xyno.helix; in { - options.xyno.helix.enable = lib.mkOption { default = false; }; - config = lib.mkIf cfg.enable { + options.xyno.helix.enable = mkOption { default = false; }; + options.xyno.helix.withLargeLSPs = mkOption { default = false; }; + config = mkIf cfg.enable { home.packages = with pkgs; [ - jsonnet-language-server - jsonnet nixpkgs-fmt # omnisharp-roslyn ## ts # nodePackages_latest.prettier - typescript dprint - nodePackages_latest.typescript-language-server - nodePackages_latest.vscode-langservers-extracted markdown-oxide ## python # ruff-lsp # nodePackages_latest.pyright # inputs.csharp-language-server.packages.${pkgs.system}.csharp-language-server + ] ++ (optionals cfg.withLargeLSPs [ netcoredbg - ]; + nodePackages_latest.typescript-language-server + nodePackages_latest.vscode-langservers-extracted + typescript + jsonnet-language-server + jsonnet + + ]); programs.helix = { - package = inputs.helix.packages.${pkgs.stdenv.hostPlatform.system}.default; + package = inputs.helix.packages.${pkgs.system}.default; enable = true; defaultEditor = true; settings = { @@ -117,7 +121,7 @@ in language-server.csharp = { command = "csharp-language-server"; }; - language = lib.flatten [ + language = flatten [ (map (x: { name = x; diff --git a/hm-modules/module-list.nix b/hm-modules/module-list.nix index 72302b51..cce9899c 100644 --- a/hm-modules/module-list.nix +++ b/hm-modules/module-list.nix @@ -1,7 +1,9 @@ +{ inputs, ... }: [ - ./alacritty.nix ./borgmatic.nix + ./dark-theme.nix + ./firefox.nix ./git.nix ./helix.nix - ./dark-theme.nix + ./mpv.nix ] diff --git a/hm-modules/mpv.nix b/hm-modules/mpv.nix new file mode 100644 index 00000000..852657d7 --- /dev/null +++ b/hm-modules/mpv.nix 
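Review bot: `package = inputs.helix.packages.${pkgs.system}.default;` reverts from `pkgs.stdenv.hostPlatform.system` to `pkgs.system`, which nixpkgs has deprecated and warns about during evaluation; keep `inputs.helix.packages.${pkgs.stdenv.hostPlatform.system}.default;`. The new top-level `with lib;` (also introduced in modules/desktop/niri.nix, modules/presets/gui.nix and the new modules/presets/development.nix in this commit) is discouraged by nixpkgs's module style guidance because it hides where `mkOption`, `mkIf`, `optionals` and `flatten` come from and can shadow local bindings; `inherit (lib) mkOption mkIf optionals flatten;` inside the existing `let` keeps the short names without that cost. The `home.packages` list and the `programs.helix` set continue past the hunk.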
@@ -0,0 +1,20 @@
+{
+ pkgs,
+ config,
+ lib,
+ inputs,
+ ...
+}:
+let
+ cfg = config.xyno.mpv;
+in
+{
+ options.xyno.mpv.enable = lib.mkOption { default = false; };
+ config = lib.mkIf cfg.enable {
+ programs.mpv = {
+ enable = true;
+ scripts = with pkgs.mpvScripts; [ mpv-webm sponsorblock ];
+ };
+
+ };
+}
diff --git a/instances/ds9/default.nix b/instances/ds9/default.nix
index 47aa5670..fa78af95 100644
--- a/instances/ds9/default.nix
+++ b/instances/ds9/default.nix
@@ -5,7 +5,7 @@
 publicHostname = "ds9.hailsatan.eu";
 prometheusServer = true;
 wg = {
- pubKey = "";
+ pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc=";
 # server = true;
 # v4 = "10.13.12.1";
 };
diff --git a/instances/ds9/secrets/wg.yaml b/instances/ds9/secrets/wg.yaml
new file mode 100644
index 00000000..6db00ae6
--- /dev/null
+++ b/instances/ds9/secrets/wg.yaml
@@ -0,0 +1,57 @@ +wg: + privkey: ENC[AES256_GCM,data:b7wB43mIt64PLb4ig80/TwjEDvHldH+g1cMg4y0t45xD5moCIyTQQMYW8XI=,iv:c6YJzKnSqbG2A7tp9I8CGqo8jPtNh14oHlrTI8/gVrA=,tag:hhfzSb5ubiMFcQu0FdGmzg==,type:str] +sops: + lastmodified: "2025-09-06T23:31:51Z" + mac: ENC[AES256_GCM,data:dp1W5HM1NjubonM1Cxa21gTGozYzZLQgjcBmAnDxnK7GEec3lHgWFXkQ6KALmuisIFpvR7SkVjCu4gyZzmh0IuGpqtpHpluzny1uHBUCQer7ojsdNkcp5kETUk8VwiZZja6Gj0kDtXfEf103bpT0T0Z+UOVMrWKoWGQbv4brVaQ=,iv:FfcsqVdd7YVkQmCplzLTv/sHDSNAEHjcP4OxOZA7g28=,tag:/43cCFLF6cgX1iNfGk+ohw==,type:str] + pgp: + - created_at: "2025-09-06T23:31:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hL4DAAAAAAAAAAASBAMEQwLDACmQv4ORHq85U/BoynySfEpqqyUtzPZOiFR4Hj2s + eF5hblqTIMcdiRkIVeF+Lg1Oor4tui8MgKwKA7kfq54MQysMFtpRWIu2AMrneC9E + wJ+FnhKTaRrqiH7v41OLtjX1twZxOWUvHo+kOhEN29UhwdiaA12f5BnN4a7qzz4w + Y0cl6YKlE6XKn345TVvl3GXB/+/4VUrReDmAjxJhZ/gdmLBQ1Pjz6/Nvp/gu3BZP + 0l4BXwEklaJ/2ILKbGmdzyH9XAl2BW768+B7ygawHtPOnlMtyoJG8/3FMWv/ZbcP + Ar38mIH2+rbQMgTwe3WAbaQ0QPwZrw0bZFvqcWdGpBU8qQDmpr67A0gH2TfXTIhY + =E1SN + -----END PGP MESSAGE----- + fp: 0D98D5964AC8BB1CA034CE4EC456133700066642 + - created_at: "2025-09-06T23:31:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMAwAAAAAAAAAAAQv/dOE7FqGma8ic/QIX01yqNL4si2Dq/QNnHWfGeHdIwUtb + bERaEk92TgixAopOvGiXNoxNMORaFmbbt93ikVIEO4omYQjyrMgM1iv+UtRgom3i + Cdo2esCcNzVsktpM611JopoEZWMetoZ9arQUZkpR1lS7oa/yvSVDavv6WWe2/Uug + pisC4btLdQW1yy8fvH1TUolBXOHI28Ms5AMTh8wqHIFOv5szVJU+nD+8jiL63Wmw + q94HwU4B5/o3KazpbpPv4b7EtLr+aki2n0NYsgKNI9e8in4Hl4fmcnGNWhkryg/5 + 7iY2y50aG8vJyd7KnVmsgv08cN9Cdb5YSljE4V4Lh4cgISVEHJCyfaITAH+kozyL + wNskdIkFABpMotNPKXvTEFIqxHhosCKZjcmJiK7VI1cSKO7UujUpgJspia4gvd2f + aAgyVVLaJjO2xA5fAa6hJWolib0jJdFc7OjfMV1lneEQrDI8KGC6kkwAkYRDTECn + 9n1B6s3607KSVTLux69L0lgBY2l9TErn/JygNrGsOhxrL8HdEHbT8vM/ys0Ty0sp + 6IkhEP3WAruWafBlI+Ih3Vfeo/Ixb6s1f+v721Ft0CtoZEah57xKEpqthrkqYt6q + v/GJ8XdboDBZ + =7YJl + -----END PGP MESSAGE----- + fp: fada7e7be28e186e463ad745a38d17f36849d8a7 + - created_at: "2025-09-06T23:31:32Z" + 
enc: |- + -----BEGIN PGP MESSAGE----- + + hQGLAwAAAAAAAAAAAQv1HZzh5kRuqrRm/ZEk5zhzjs1ijDOWvkAdFexm77xWGKFo + geaixzxqq7y9wz9DowXJGAf5PETFJK08BCW9eJFesX+Qbnbb8baxaK/L1O0bJfw9 + fdcUeA5cZ8soBUqKFFi5XYGYKHh2HbKyXHvSrgZq7aG+9OTa2Qhw8XbbPu6TeeqS + jRpsmVD2K/60zVrwV9ZtNe1lBdl8S9BHFJEceCtFDuBi4Or+OkLBXatTzxUSu1Qv + atdQX0gliUOrlytafuGwbcKrMuMPX7WXbaAPblewuDUPemBr4YBLJOn1hIhJy9vb + Yz9JtP9VZgH5OWh0icsEuCAgxzh8LW/cZ5FUmx30m19949AROHjlemtSlrvgkU5c + FwoN9wZCeVncWzWcRVlWBHbp4aqOCZXTDKnZEK0pX+jPaUgIVwXwV0L66dfb265E + PLA2xe+HcIvuCsdctgywuoO/9czJw3wt63FBAq66BzUITdd619o4CkqbuBnm/5Of + +SY7jScWxnzlQttwBbfSWAHOJFkVS4hczvhzsAoYFMJjN6f9yEWsoXen85JnUJoM + WhjGOJkCF+AoX/Z0SA9WibgALjIPqvLLfrLSMPoWFrbysc2p+17RqaqlQSSVk5uB + epnIJRWjUTU= + =zxBa + -----END PGP MESSAGE----- + fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/instances/picard/default.nix b/instances/picard/default.nix index e867a324..e0e71eac 100644 --- a/instances/picard/default.nix +++ b/instances/picard/default.nix @@ -5,7 +5,7 @@ publicHostname = "xyno.space"; # prometheusServer = true; wg = { - pubKey = ""; + pubKey = "7JcdTbWfsyGWhJM1Rk9Y4xZVLPHcTmoG/Ne/AFCYKFs="; server = true; v4 = "10.13.12.1"; }; diff --git a/instances/picard/secrets/wg.yaml b/instances/picard/secrets/wg.yaml new file mode 100644 index 00000000..cb932040 --- /dev/null +++ b/instances/picard/secrets/wg.yaml 
@@ -0,0 +1,57 @@ +wg: + privkey: ENC[AES256_GCM,data:DI5T9OXnCt73WUfTFqgLA2Y/OkBZTp+i0kxpiUKWmN4Kyd6bf6HF3vg7htE=,iv:ziWU6P9SxQUaTs4VOtIcDg9Dq+a250nO6W42WASCFa8=,tag:cyfe6XWcsQL8W0ofoY/rEw==,type:str] +sops: + lastmodified: "2025-09-06T23:32:40Z" + mac: ENC[AES256_GCM,data:kgS8W00EhWjW9tb4YSaURdfhcsQB+XnUZvxTkG1ZCWNXbiZiGB+86lW4xrPxurIIMqF05XQwJdYY/ozo5Pd5WG5KDO8pL9gC1m2Y6NC7VwKmgnb9YZIZt1DXhUEKp18xpWmXOxt/ngNw5Md4157TEh7Mg1+bMfb+csEXhSEKoaY=,iv:V2TrHF3ArAo/thVmOTn74qk/z1OQLcQndv/8Zel/cPY=,tag:cp3nOmytYNW5+d1jfR5gpA==,type:str] + pgp: + - created_at: "2025-09-06T23:32:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hL4DAAAAAAAAAAASBAMEOWDso+44YL1Yjk4aH4+VjZuLsF5POF3Rx+GDkSXG7Yzt + KuZo4xwbjPI/fi/xIL3bcctEPk4/8hlWcr40noUnIlNlaCgYtJBMKsC+DPH3nnup + i9AlSOCgHIVK6xG6MTH8Uu1xw1MmkIHirqJWJbwe8t8SkGg5mOJQ7B2rRHgGabQw + UYynNAum+34V0GFF5/qqfvEmPsQaL243mxwmv9OV5gtgNginqgsSUt96mGAhosbF + 0l4BjnH1+z9a28AetL7mnYxnp7HI5MhBsYdbZ4MEdO1gm3WoJMRdo782s7eLMPm0 + n9lk+uQaue/7i1h18RsBX2ZI7/2tjlUT1Y0SedGqwcavTHIRvZxfxniuJwTak7AW + =HRzI + -----END PGP MESSAGE----- + fp: 0D98D5964AC8BB1CA034CE4EC456133700066642 + - created_at: "2025-09-06T23:32:32Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMAwAAAAAAAAAAAQv/W+Kq5oUP8N23z1P5ziOBd229k5zAv9jnafbd4PbelYWC + mDuhJRX2XuA54kPiKaw7T9etCCcMySMmAt28xqmX0vhIOgv2iYFlEPKS9kKELdxJ + 65sU3AOwGhfS0B8NiqRtqY4X6i6mhQg4kpkCRBt3R18tBghptTY1BvdqWWqN4bvF + U8U7iROLyXujAelNb16nlY52WF3PI9NKyyf3lKDs37KfWeQxqm6y/quOQiArAkxY + wlcVR1/n7rgcTCk4FKT1ZqGbxAS9a0AewEhVPFKj/V7LbRPivREVeKjF58G86JjR + JUkV6ArT7Ga4a8vyu/261MzJH0y4THEvyn5+b/8TPPuQ1YRxTxXThgTdGHu1pdne + 22GUntDWZAh4kToVn/C4LI7lUK0Z6h3c7vJX/ZpxRu85+geTpCoFB72fL7bN3MQ4 + rpIfyEbziHZS6lKn3xqt6rEd6LNrii/QSiNvpoCZuceLhNy69q+WOzyTLPXeu2qQ + 3JQzbhH1gju41ftJsRsK0lgBcvdzEffwPxL0fluuRR/EEUjPB+wIy7o4PzbNK8ke + /gPdEDjZjbS70Ou2i0bOQ7bG+MmiwtOX97xRyADOVfvfFTiBM60n8pQZirJBKtUP + rAdiwCNBZZso + =cySR + -----END PGP MESSAGE----- + fp: fada7e7be28e186e463ad745a38d17f36849d8a7 + - created_at: "2025-09-06T23:32:32Z" + 
enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMAwAAAAAAAAAAAQwArQg7nleMnXFrZv8Z8PKdudWCP4dt2Yy9aD2jkTQeExJD + u/BeVG9pmDmyFsgcU3077/GLReo7OVDFBDwPQnWPQc7ycEeCRzJ6Jg99+QiGNI38 + cMU/es3gIc51UiUQZgicaDLU1pHAg1nhbucRcPgzQSz78Jh1kfjwU0Ll4bc5nIXU + kCLBQfMsZMw5ct7lPc/MmvUCXvXd/dvub22vBBFg3mX/NYuMY83ASsOa2sHDr9Dt + dBWHzglU/xNN/HBZmjAFviCibZRNoFMSO5WiJSZN34CbXcasPPv57k6dA5lzvXru + GHoz6XDFmri2QdwjYeqCv1SUrBp3ViDFpfAcnx0fu8h1I3v6oqMJoJ+vJuyLsS2M + XFm2CUa5xaFus5CW3iuXjhZQjDw83xRjZEhAKaTf5y+XjnmOzhF16AMb22vXFeUf + 8HUx6QZ/kd0TuI3+XCiQSEY6n2B94dzN8NsEJdCEICwURJN9dwzoiqt6lhPyvp1n + VgkNO8TiwtmSNhU6xGWW0lgB914CeDHRrF+Q/slRJWt/ow+OHcFGk61yneHLLJlE + Ab8/4ajiV/jEFVpXpLaw6fAaFZxCGiVCEMaiczq+Q8lKkM+SGkoP6WVLMy4MS7k5 + 2oZM8qxFf4WU + =xPB1 + -----END PGP MESSAGE----- + fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/instances/theseus/configuration.nix b/instances/theseus/configuration.nix index aab8ecd0..52619b57 100644 --- a/instances/theseus/configuration.nix +++ b/instances/theseus/configuration.nix 
@@ -13,42 +13,15 @@ home-manager.users.${config.xyno.system.user.name} = ( { ... }: { - xyno.git.enable = true; xyno.borgmatic.enable = true; - home.packages = [ - # work - # (pkgs.unstable.jetbrains.rider.override { jdk = pkgs.unstable.openjdk21; }) - pkgs.unstable.jetbrains.rider - pkgs.android-studio - # (pkgs.unstable.android-studio.override { jdk = pkgs.unstable.openjdk21; }) - (pkgs.firefox-devedition.overrideAttrs (super: self: { meta.priority = 1; })) - ]; - services.flatpak.update.auto.enable = true; - services.flatpak = { - enable = true; - packages = [ - "com.unicornsonlsd.finamp" - # "io.github.softfever.OrcaSlicer" - "io.anytype.anytype" - "org.bionus.Grabber" - "org.getmonero.Monero" - { - appId = "org.gimp.GIMP"; - origin = "flathub-beta"; - } - "org.kicad.KiCad" - "org.pencil2d.Pencil2D" - ]; - }; } ); nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ]; - virtualisation.podman.enable = true; services.vsmartcard-vpcd.enable = true; hardware.gpgSmartcards.enable = true; - networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 35963 ] ; + networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 35963 ]; environment.systemPackages = with pkgs; [ aerc 
@@ -65,38 +38,15 @@ supersonic nheko anki-bin - nixpkgs-manual - nixpkgs-manual.lib-docs - ( - let - helpScript = pkgs.writeShellScriptBin "nixpkgs-help" '' - exec xdg-open ${pkgs.nixpkgs-manual}/share/doc/nixpkgs/index.html - ''; - desktopItem = pkgs.makeDesktopItem { - name = "nixpkgs-manual"; - desktopName = "nixpkgs Manual"; - genericName = "System Manual"; - comment = "View nixpkgs documentation in a web browser"; - icon = "nix-snowflake"; - exec = "nixpkgs-help"; - categories = [ "System" ]; - }; - - in - pkgs.symlinkJoin { - name = "nixpkgs-help"; - paths = [ - helpScript - desktopItem - ]; - - } - ) - # (nheko.overrideAttrs ( - # super: self: { - # src = inputs.nheko; - # } - # )) + gimp3 + anytype + monero-gui + orca-slicer + kicad + dune3d + pencil2d + python311Packages.brother-ql + ptouch-print ]; time.timeZone = "Europe/Berlin"; @@ -116,8 +66,10 @@ xyno.hardware.kmonad.enable = true; xyno.presets.cli.enable = true; xyno.presets.gui.enable = true; + xyno.presets.development.enable = true; xyno.presets.home-manager.enable = true; xyno.system.user.enable = true; + services.openssh.enable = true; xyno.user-services.syncthing = { enable = true; tray = true; @@ -132,7 +84,6 @@ services.blueman.enable = true; services.power-profiles-daemon.enable = true; programs.kdeconnect.enable = true; - services.flatpak.enable = true; system.stateVersion = "24.11"; } diff --git a/modules/desktop/common-programs.nix b/modules/desktop/common-programs.nix index d78922c6..b836e49e 100644 --- a/modules/desktop/common-programs.nix +++ b/modules/desktop/common-programs.nix @@ -13,8 +13,7 @@ in lib.mkEnableOption "install some commonly used programs"; config = lib.mkIf cfg.enable { home-manager.users.${config.xyno.system.user.name} = lib.mkIf config.xyno.presets.home-manager.enable ({...}: { - # xyno.alacritty.enable = true; - xyno.helix.enable = true; + xyno.firefox.enable = true; }); programs.steam = { enable = true; 
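Review bot: `services.openssh.enable = true;` is added to the theseus workstation with no `settings` beside it, so the NixOS defaults apply: password authentication stays enabled and `openFirewall` defaults to true, which opens port 22 on every interface — while the firewall line in this file's first hunk deliberately scopes exposure to `tailscale0`. Consider `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.openFirewall = false;`, adding 22 to `networking.firewall.interfaces."tailscale0".allowedTCPPorts` if the tailnet is the intended reach, plus a short comment on why sshd is needed on this host. The surrounding configuration set continues outside the hunk.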
@@ -24,7 +23,6 @@ in }; programs.evolution.enable = true; services.gnome.evolution-data-server.enable = true; - services.flatpak.enable = true; programs.fuse.userAllowOther = true; programs.nix-ld.enable = true; programs.gamescope.enable = true; diff --git a/modules/desktop/niri.nix b/modules/desktop/niri.nix index 6af052cd..d46a2e55 100644 --- a/modules/desktop/niri.nix +++ b/modules/desktop/niri.nix @@ -5,6 +5,7 @@ lib, ... }: +with lib; let cfg = config.xyno.desktop.niri; floatingAppids = [ @@ -14,7 +15,7 @@ let "org.gnome.NautilusPreviewer" "io.github.Qalculate.qalculate-qt" ]; - matchFloat = lib.concatStringsSep "\n" ( + matchFloat = concatStringsSep "\n" ( map (x: '' window-rule { match app-id="${x}" 
@@ -25,43 +26,44 @@ let ); in { - options.xyno.desktop.niri.enable = lib.mkEnableOption "enable the niri desktop with xynos config"; - options.xyno.desktop.niri.launcher = lib.mkOption { type = lib.types.str; }; - options.xyno.desktop.niri.term = lib.mkOption { type = lib.types.str; }; - options.xyno.desktop.niri.extraConfig = lib.mkOption { type = lib.types.lines; }; - config = lib.mkIf cfg.enable { + options.xyno.desktop.niri.enable = mkEnableOption "enable the niri desktop with xynos config"; + options.xyno.desktop.niri.launcher = mkOption { type = types.str; }; + options.xyno.desktop.niri.term = mkOption { type = types.str; }; + options.xyno.desktop.niri.extraConfig = mkOption { type = types.lines; }; + config = mkIf cfg.enable { xyno.desktop = { - foot.enable = lib.mkDefault true; - fuzzel.enable = lib.mkDefault true; - mako.enable = lib.mkDefault true; - shikane.enable = lib.mkDefault true; - swayidle.enable = lib.mkDefault true; - waybar.enable = lib.mkDefault true; - wpaperd.enable = lib.mkDefault true; + foot.enable = mkDefault true; + fuzzel.enable = mkDefault true; + mako.enable = mkDefault true; + shikane.enable = mkDefault true; + swayidle.enable = mkDefault true; + waybar.enable = mkDefault true; + wpaperd.enable = mkDefault true; }; nixpkgs.overlays = [ inputs.niri.overlays.default ]; + services.displayManager.defaultSession = mkDefault "niri"; home-manager.users.${config.xyno.system.user.name} = - lib.mkIf config.xyno.presets.home-manager.enable + mkIf config.xyno.presets.home-manager.enable ( { ... 
}: { xyno.dark-theme.enable = true; - home.file.".config/xdg-desktop-portal-termfilechooser/config".text = '' - [filechooser] - cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh - default_dir=$HOME - env=TERMCMD=footclient --app-id floating-alacritty - open_mode = suggested - save_mode = suggested - ''; + # home.file.".config/xdg-desktop-portal-termfilechooser/config".text = '' + # [filechooser] + # cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh + # default_dir=$HOME + # env=TERMCMD=footclient --app-id floating-alacritty + # open_mode = suggested + # save_mode = suggested + # ''; } ); xdg.portal = { extraPortals = [ - pkgs.xdg-desktop-portal-termfilechooser + # pkgs.xdg-desktop-portal-termfilechooser ]; config.niri.default = [ "gnome" diff --git a/modules/module-list.nix b/modules/module-list.nix index 8a85749e..e4f19646 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix @@ -17,6 +17,7 @@ ./networking/networkd.nix ./presets/cli.nix ./presets/common.nix + ./presets/development.nix ./presets/gui.nix ./presets/server.nix ./presets/home-manager.nix diff --git a/modules/presets/cli.nix b/modules/presets/cli.nix index f6ea3e09..6fe4158f 100644 --- a/modules/presets/cli.nix +++ b/modules/presets/cli.nix @@ -11,6 +11,17 @@ in options.xyno.presets.cli.enable = lib.mkEnableOption "enables xynos cli config with fish and helix and stuff"; config = lib.mkIf cfg.enable { + home-manager.users.${config.xyno.system.user.name} = + lib.mkIf config.xyno.presets.home-manager.enable + ( + { ... }: + { + xyno.helix.enable = true; + home.sessionVariables.LOCALE_ARCHIVE_2_27 = lib.mkForce "/run/current-system/sw/lib/locale/locale-archive"; + systemd.user.sessionVariables.LOCALE_ARCHIVE_2_27 = lib.mkForce "/run/current-system/sw/lib/locale/locale-archive"; + } + ); + xyno.cli.fish.enable = true; xyno.cli.starship.enable = true; security.sudo.enable = false; 
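Review bot: The termfilechooser block in the home-manager section and the `pkgs.xdg-desktop-portal-termfilechooser` entry in `xdg.portal.extraPortals` are kept as commented-out code instead of being removed; git history already preserves them. If this is a temporary disable, replace the dead block with a one-line note such as `# termfilechooser portal disabled: <reason>` so the next reader knows whether it is safe to delete; otherwise drop the lines outright. The `home-manager.users` attribute and the `xdg.portal` set continue past the hunk.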
@@ -31,19 +42,15 @@ in LC_TIME = "de_DE.UTF-8"; LC_COLLATE = "de_DE.UTF-8"; }; - home-manager.users.xyno.home.sessionVariables.LOCALE_ARCHIVE_2_27 = - lib.mkForce "/run/current-system/sw/lib/locale/locale-archive"; - home-manager.users.xyno.systemd.user.sessionVariables.LOCALE_ARCHIVE_2_27 = - lib.mkForce "/run/current-system/sw/lib/locale/locale-archive"; nix.settings = { substituters = [ # "https://cache.lix.systems" - "https://helix.cachix.org" + # "https://helix.cachix.org" ]; trusted-public-keys = [ # "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" - "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs=" + # "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs=" ]; trusted-users = lib.mkDefault [ "root" @@ -78,33 +85,35 @@ in # pinentrywlavor = "curses"; # enableSSHSupport = true; }; - services.udev.packages = [ pkgs.yubikey-personalization ]; # needed for yubikeys to be used as smartcards environment.systemPackages = with pkgs; [ - jq - fd + (pkgs.writeShellScriptBin "sudo" "run0 $@") + aria2 + openssl + bat bottom + curl + croc + dig + fd + ffmpeg + file + fzf + git + helix htop imagemagick - bat - ffmpeg - poppler - w3m - curl - aria2 - fzf - file - git - neofetch - ripgrep - pv - yt-dlp - moar - helix + jq lm_sensors - dig + moar + neofetch nix-output-monitor - (pkgs.writeShellScriptBin "sudo" "run0 $@") + poppler + pv + ripgrep + w3m + yt-dlp + p7zip ]; programs.mosh.enable = true; environment.variables.EDITOR = "hx"; @@ -125,6 +134,7 @@ in p = "cd ~/proj"; ytl = ''yt-dlp -f "bv*+mergeall[vcodec=none]" --audio-multistreams''; sudo = "run0"; + less = "moar"; }; }; } diff --git a/modules/presets/development.nix b/modules/presets/development.nix new file mode 100644 index 00000000..7a676174 --- /dev/null +++ b/modules/presets/development.nix 
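Review bot: The `sudo` shim `(pkgs.writeShellScriptBin "sudo" "run0 $@")` in the `environment.systemPackages` hunk leaves `$@` unquoted, so any argument containing whitespace or glob characters is re-split or expanded by the shim's shell before run0 sees it — `sudo hx "my file.txt"` arrives as two arguments. With `security.sudo.enable = false;` in the earlier hunk this shim is the only `sudo` on the system, so it should forward arguments verbatim: `(pkgs.writeShellScriptBin "sudo" ''exec run0 "$@"'')`. A comment above it saying the line intentionally shadows sudo with run0 would also help, since it reads like a stray entry in an otherwise alphabetised list. The package list and the surrounding `config` set continue outside the hunk.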
@@ -0,0 +1,61 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; +let + cfg = config.xyno.presets.development; +in +{ + options.xyno.presets.development.enable = + mkEnableOption "enables xynos configs for a development machine"; + config = mkIf cfg.enable { + home-manager.users.${config.xyno.system.user.name} = mkIf config.xyno.presets.home-manager.enable ( + { ... }: + { + xyno.helix.withLargeLSPs = true; + xyno.git.enable = true; + } + ); + xyno.presets.cli.enable = true; + xyno.presets.home-manager.enable = true; + xyno.system.user.enable = true; + virtualisation.podman.enable = true; + + environment.systemPackages = with pkgs; [ + unstable.jetbrains.rider + android-studio + nixpkgs-manual + nixpkgs-manual.lib-docs + podman-compose + tio + ( + let + helpScript = pkgs.writeShellScriptBin "nixpkgs-help" '' + exec xdg-open ${pkgs.nixpkgs-manual}/share/doc/nixpkgs/index.html + ''; + desktopItem = pkgs.makeDesktopItem { + name = "nixpkgs-manual"; + desktopName = "nixpkgs Manual"; + genericName = "System Manual"; + comment = "View nixpkgs documentation in a web browser"; + icon = "nix-snowflake"; + exec = "nixpkgs-help"; + categories = [ "System" ]; + }; + + in + pkgs.symlinkJoin { + name = "nixpkgs-help"; + paths = [ + helpScript + desktopItem + ]; + + } + ) + ]; + }; +} diff --git a/modules/presets/gui.nix b/modules/presets/gui.nix index c2a9ecc1..69c4e8de 100644 --- a/modules/presets/gui.nix +++ b/modules/presets/gui.nix 
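Review bot: `mkEnableOption "enables xynos configs for a development machine"` renders as "Whether to enable enables xynos configs for a development machine." because mkEnableOption already prefixes "Whether to enable"; use `mkEnableOption "xynos configs for a development machine"`. The `mkIf config.xyno.presets.home-manager.enable` guard on the `home-manager.users` block looks redundant here, since the same `config` set unconditionally sets `xyno.presets.home-manager.enable = true;`, so it can only be false if something elsewhere forces it off — either drop the guard or add a comment that it is kept for symmetry with the cli preset. `with lib;` at file scope shadows any local binding that happens to share a lib name and is discouraged in nixpkgs style; `let inherit (lib) mkIf mkEnableOption;` keeps the scope explicit.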
@@ -4,34 +4,36 @@ lib, ... }: +with lib; let cfg = config.xyno.presets.gui; in { - options.xyno.presets.gui.enable = lib.mkEnableOption "enables xynos gui config"; - options.xyno.presets.gui.terminalEmulator = lib.mkOption { - type = lib.types.str; - default = "alacritty"; + options.xyno.presets.gui.enable = mkEnableOption "enables xynos gui config"; + options.xyno.presets.gui.terminalEmulator = mkOption { + type = types.str; + default = "foot"; }; - config = lib.mkIf cfg.enable { + config = mkIf cfg.enable { services.udev.packages = [ pkgs.openocd # fix permission errors with connecting things (especially esp32-c3) pkgs.ptouch-print + pkgs.yubikey-personalization ]; xyno.desktop.niri.enable = true; - xyno.desktop.audio.enable = lib.mkDefault true; + xyno.desktop.audio.enable = mkDefault true; + boot.kernelPackages = mkDefault pkgs.linuxPackages_zen; security.soteria.enable = true; security.rtkit.enable = true; services.pcscd.enable = true; - services.pcscd.plugins = [ pkgs.pcsc-scm-scl011]; + services.pcscd.plugins = [ pkgs.pcsc-scm-scl011 ]; xyno.hardware.kmonad.enable = true; # wayland on electron environment.sessionVariables.NIXOS_OZONE_WL = "1"; - services.displayManager.defaultSession = "niri"; # gdm - services.xserver.displayManager.gdm.enable = true; - services.xserver.enable = true; - services.xserver.displayManager.gdm.wayland = true; + services.displayManager.gdm.enable = true; + # services.xserver.enable = true; + services.displayManager.gdm.wayland = true; # ssh agent programs.ssh.startAgent = true; @@ -67,8 +69,8 @@ in # enable the gnome shit services.gnome.gnome-keyring.enable = true; services.gnome.gnome-online-accounts.enable = true; - services.gnome.core-utilities.enable = true; - services.gnome.gcr-ssh-agent.enable = lib.mkForce false; + services.gnome.core-apps.enable = true; + services.gnome.gcr-ssh-agent.enable = mkForce false; services.gnome.sushi.enable = true; services.gnome.gnome-settings-daemon.enable = true; services.gvfs.enable = true; 
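Review bot: `boot.kernelPackages = mkDefault pkgs.linuxPackages_zen;` changes the kernel for every host that enables the gui preset and nothing says why; a comment such as `# zen kernel for desktop responsiveness; mkDefault so a host can pin an LTS kernel instead` would state the intent and the override path, and it is worth confirming none of these hosts rely on an LTS kernel for hardware or lockdown reasons. The description `mkEnableOption "enables xynos gui config"` renders as "Whether to enable enables xynos gui config."; drop the leading verb. `# services.xserver.enable = true;` is dead code now that gdm is configured through `services.displayManager.gdm`; delete it rather than leaving it commented out. The `config = mkIf cfg.enable {` set continues past this hunk.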
@@ -81,9 +83,10 @@ in environment.sessionVariables.GTK_USE_PORTAL = "1"; - # home-manager.users.${config.xyno.system.user.name} = - # { pkgs, ... }: - # { + home-manager.users.${config.xyno.system.user.name} = + { pkgs, ... }: + { + xyno.mpv.enable = true; # xdg.mimeApps = { # enable = true; # defaultApplications = { @@ -104,7 +107,7 @@ in # }; # }; - # }; + }; environment.systemPackages = with pkgs; [ kdePackages.breeze-gtk @@ -113,11 +116,16 @@ in kdePackages.breeze-icons ]; - # fonts fonts.fontconfig.defaultFonts = { - sansSerif = ["Source Sans 3" "Noto Sans Symbols 2"]; - monospace = ["JetBrainsMono Nerd Font" "Noto Sans Symbols 2"]; + sansSerif = [ + "Source Sans 3" + "Noto Sans Symbols 2" + ]; + monospace = [ + "JetBrainsMono Nerd Font" + "Noto Sans Symbols 2" + ]; }; fonts.packages = with pkgs; [ nerd-fonts.jetbrains-mono diff --git a/modules/presets/home-manager.nix b/modules/presets/home-manager.nix index 96dde1b3..47b8f8ca 100644 --- a/modules/presets/home-manager.nix +++ b/modules/presets/home-manager.nix @@ -13,8 +13,8 @@ in config = lib.mkIf cfg.enable { home-manager.useGlobalPkgs = true; home-manager.extraSpecialArgs = { inherit inputs;}; - home-manager.sharedModules = (import ../../hm-modules/module-list.nix) ++ [ - inputs.nix-flatpak.homeManagerModules.nix-flatpak + home-manager.sharedModules = (import ../../hm-modules/module-list.nix { inherit inputs;}) ++ [ + inputs.zen-browser.homeModules.default ]; home-manager.users.${config.xyno.system.user.name} = {pkgs, ... }: { home.stateVersion = lib.mkDefault "24.11"; diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix index 16481892..2c75cd2c 100644 --- a/modules/services/wireguard.nix +++ b/modules/services/wireguard.nix 
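Review bot: The `home-manager.users.${config.xyno.system.user.name}` block uncommented here is unconditional, unlike the cli and development presets in this patch, which wrap the same assignment in `lib.mkIf config.xyno.presets.home-manager.enable (…)`; enabling the gui preset on a host without the home-manager preset would then define a user home that is never set up, or fail at evaluation if the home-manager NixOS module is not imported at all. Wrap it the same way: `home-manager.users.${config.xyno.system.user.name} = lib.mkIf config.xyno.presets.home-manager.enable ({ pkgs, ... }: { xyno.mpv.enable = true; … });`. The attribute set opened here is closed in a later hunk of the same file, so the closing line has to become `});` there as well.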
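Review bot: `inputs.zen-browser.homeModules.default` references a flake input that this patch does not declare or lock as far as visible; if `zen-browser` is not already in `flake.nix`, evaluation fails with a missing-attribute error, and either way it should be a pinned, locked input, since a home-manager module pulled from a third-party flake runs with full access to the user's home-manager configuration. A comment naming the upstream repository and why the module comes from a flake rather than nixpkgs would help the next reviewer, e.g. `# zen-browser is not packaged in nixpkgs; module comes from the pinned flake input`. Changing `import ../../hm-modules/module-list.nix` to pass `{ inherit inputs; }` implies module-list.nix is now a function; that file is not in this hunk and is worth double-checking.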
@@ -7,11 +7,12 @@ ... }: let - wgServer = instanceConfig?wg.server && instanceConfig.wg.server; + wgServer = instanceConfig ? wg.server && instanceConfig.wg.server; cfg = config.xyno.services.wireguard; ula = cfg.ula; ulaPrefix = "${ula}:1337"; # /64 for normal vpn monitoringUlaPrefix = "${ula}:2337"; # /64 for monitoring + v4Subnet = "10.13.12.0/24"; # uses a hash digest as the host identifier genUlaForHost = 
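Review bot: `v4Subnet = "10.13.12.0/24";` is introduced but nothing visible in the patch reads it, while the IPv4 address assigned later in the same file uses a literal `/24`; either derive the prefix length from this binding or drop it, so the subnet is not documented in two places that can drift. A short comment on what a per-instance `wg.v4` value is expected to look like (presumably a host address inside this /24) would also help, since nothing validates it. The `let` block this belongs to continues past the hunk.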
@@ -23,35 +24,49 @@ let in "${prefix}:${localPart}"; # peers list for networkd - filteredConfigs = builtins.filter (x: x.hostName != config.networking.hostName ) (lib.attrValues instanceConfigs); + filteredConfigs = builtins.filter (x: x.hostName != config.networking.hostName) ( + lib.attrValues instanceConfigs + ); wgPeersLists = map ( c: ( - (lib.optional (c?publicHostname) { + (lib.optional (c ? publicHostname) { # if peer is publicly on the internet AllowedIPs = - (lib.optionals ( c?wg.server && c.wg.server) [ - "${ulaPrefix}::/48" # all traffic in the ula shall be sent to the server + (lib.optionals (c ? wg.server && c.wg.server) [ + # is server + "::/0" ]) - ++ (lib.optionals (!c?wg.server || !c.wg.server) [ + ++ (lib.optionals (c ? wg.server && c.wg.server && c ? wg.v4 && instanceConfig ? wg.v4) [ + # both client and server have a v4 + "0.0.0.0/0" + ]) + ++ (lib.optionals (!c ? wg.server || !c.wg.server) [ + # is not server "${genUlaForHost ulaPrefix c.hostName}/128" # if a host is reachable but shouldn't play server, send only to the hosts ip + ]) + ++ (lib.optionals ((!c ? wg.server || !c.wg.server) && c ? wg.v4 && instanceConfig ? wg.v4) [ + # no server, no ipv4 yay + "${c.wg.v4}/32" ]); + RouteTable = 1000; Endpoint = "${c.publicHostname}:51820"; PersistentKeepalive = 25; PublicKey = c.wg.pubKey; + PresharedKeyFile = config.sops.secrets."wg/psk".path; + }) + ++ (lib.optional ((!c ? publicHostname) && wgServer && (c ? wg.pubKey)) { + # if this is the server and the peer isn't reachable on the internet + AllowedIPs = [ + "${genUlaForHost ulaPrefix c.hostName}/128" + "${genUlaForHost monitoringUlaPrefix c.hostName}/128" + ] + ++ (lib.optionals (c ? wg.v4 && instanceConfig ? 
wg.v4) [ + "${c.wg.v4}/32" + ]); + PublicKey = c.wg.pubKey; + PresharedKeyFile = config.sops.secrets."wg/psk".path; }) - ++ (lib.optional - ((!c?publicHostname) && wgServer && (c?wg.pubKey)) - { - # if this is the server and the peer isn't reachable on the internet - AllowedIPs = [ - "${genUlaForHost ulaPrefix c.hostName}/128" - "${genUlaForHost monitoringUlaPrefix c.hostName}/128" - ]; - PublicKey = c.wg.pubKey; - PresharedKeyFile = config.sops.secrets."wg/psk".path; # TODO - } - ) ) ) filteredConfigs; wgPeers = lib.flatten wgPeersLists; 
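Review bot: Every peer entry, on both the client branch and the server branch, reuses the single `config.sops.secrets."wg/psk".path`, so one preshared key is shared by the whole mesh (the handshake only succeeds if every host's `wg/psk` holds the same value); compromise of any one host's secrets then yields the PSK for every pair, which removes the per-pair defence-in-depth a PSK is meant to add. Consider per-pair PSKs (e.g. a `wg/psk/${c.hostName}` secret chosen per peer) or document the trade-off with a comment such as `# NOTE: one PSK shared by the whole mesh; an extra symmetric layer, not per-peer isolation`. Separately, the client side now routes `::/0` (and `0.0.0.0/0` only when both ends have `wg.v4`) into `RouteTable = 1000`; on a client without `wg.v4` IPv4 traffic is left outside the tunnel, which may be intended but deserves a comment on the `0.0.0.0/0` condition. The `let` binding continues outside the hunk.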
@@ -79,48 +94,72 @@ in default = genUlaForHost monitoringUlaPrefix config.networking.hostName; }; config = lib.mkIf cfg.enable { - networking.hosts = (lib.mapAttrs' ( - n: v: { - value = ["${v.hostName}.${cfg.hostsDomain}"]; + # TODO: add a all traffic through this network + networking.hosts = + (lib.mapAttrs' (n: v: { + value = [ "${v.hostName}.${cfg.hostsDomain}" ]; name = (genUlaForHost ulaPrefix v.hostName); - } - ) instanceConfigs) // (lib.mapAttrs' ( - n: v: { - value = ["${v.hostName}.${cfg.monHostsDomain}"]; + }) instanceConfigs) + // (lib.mapAttrs' (n: v: { + value = [ "${v.hostName}.${cfg.monHostsDomain}" ]; name = (genUlaForHost monitoringUlaPrefix v.hostName); - } - ) instanceConfigs); + }) instanceConfigs); networking.firewall.allowedUDPPorts = lib.optional wgServer 51820; networking.firewall.interfaces."wg0".allowedUDPPorts = lib.optional wgServer 53; - systemd.network.netdevs."wg0" = { + systemd.network.netdevs."99-wg0" = { netdevConfig = { Name = "wg0"; Kind = "wireguard"; Description = "main wireguard tunnel"; - + }; wireguardConfig = { ListenPort = lib.mkIf wgServer 51820; - PrivateKeyFile = config.sops.secrets."wg/privkey".path; # TODO + PrivateKeyFile = config.sops.secrets."wg/privkey".path; + FirewallMark = "0x8888"; }; wireguardPeers = wgPeers; }; - systemd.network.networks."wg0" = { + systemd.network.networks."50-wg0" = { matchConfig.Name = "wg0"; networkConfig = { Description = "xyno wireguard"; + IPMasquerade = lib.mkIf (instanceConfig ? wg.server && instanceConfig.wg.server) "both"; + IPv4Forwarding = (instanceConfig ? wg.server && instanceConfig.wg.server); + IPv6Forwarding = (instanceConfig ? 
wg.server && instanceConfig.wg.server); }; address = [ - "${(genUlaForHost ulaPrefix config.networking.hostName)}/128" - "${(genUlaForHost monitoringUlaPrefix config.networking.hostName)}/128" + "${(genUlaForHost ulaPrefix config.networking.hostName)}/64" + "${(genUlaForHost monitoringUlaPrefix config.networking.hostName)}/64" + ] + ++ (lib.optionals (instanceConfig ? wg.v4) [ "${instanceConfig.wg.v4}/24" ]); + }; + systemd.network.networks."51-wg0-all-traffic" = { + matchConfig.Name = "wg0"; + networkConfig = { + Description = "xyno wireguard all traffic"; + DNSDefaultRoute = true; + DNS = "2a07:e340::2#dns.mullvad.net"; + DNSOverTLS = true; + }; + routingPolicyRules = [ + { + FirewallMark = "0x8888"; + InvertRule = true; + Table = 1000; + Priority = 10; + } ]; }; - services.prometheus.exporters.wireguard = lib.mkIf (wgServer && config.xyno.services.monitoring.enable) { - enable = true; - interfaces = [ "wg0" ]; - }; + services.prometheus.exporters.wireguard = + lib.mkIf (wgServer && config.xyno.services.monitoring.enable) + { + enable = true; + interfaces = [ "wg0" ]; + }; - services.coredns = lib.mkIf wgServer { # for non nixos devices to be able to resolve vpn hostnames + services.coredns = lib.mkIf wgServer { + # for non nixos devices to be able to resolve vpn hostnames enable = true; config = '' . { @@ -132,9 +171,11 @@ in ''; }; xyno.services.monitoring.exporters.coredns = lib.mkIf wgServer 9153; - xyno.services.monitoring.exporters.wireguard = lib.mkIf wgServer config.services.prometheus.exporters.wireguard.port; + xyno.services.monitoring.exporters.wireguard = + lib.mkIf wgServer config.services.prometheus.exporters.wireguard.port; sops.secrets."wg/privkey" = { reloadUnits = [ "systemd-networkd.service" ]; + sopsFile = ../../instances/${config.networking.hostName}/secrets/wg.yaml; }; sops.secrets."wg/psk" = { reloadUnits = [ "systemd-networkd.service" ];
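Review bot: `systemd.network.networks."51-wg0-all-traffic"` matches `Name = "wg0"`, the same link as `50-wg0`; systemd-networkd applies only the first `.network` file (in lexical order) that matches a link and ignores later ones, so the routing policy rule, `DNS`, `DNSOverTLS` and `DNSDefaultRoute` in the 51 file are never applied. Fold them into `50-wg0`, gated on the all-traffic option the `# TODO` comment anticipates. Once they do apply, note there is no kill switch: the `InvertRule`/`FirewallMark` rule sends unmarked traffic to table 1000, but anything without a matching route there (IPv4 on a client without `wg.v4`, or everything while wg0 is down) falls through to the main table and leaves in the clear, and LAN destinations are also pulled into the tunnel unless a higher-priority `SuppressPrefixLength = 0` rule on the main table precedes it, as wg-quick sets up. The `config = lib.mkIf cfg.enable {` set continues past this hunk.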
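Review bot: `sops.secrets."wg/privkey"` now points at `../../instances/${config.networking.hostName}/secrets/wg.yaml`, but `sops.secrets."wg/psk"` keeps the default sops file; if the per-instance `wg.yaml` files are meant to hold both keys, add the same `sopsFile` line to the psk secret, otherwise a comment such as `# psk deliberately stays in the shared secrets file` would stop the next reader from "fixing" it. Neither secret sets `owner`, `group` or `mode` in the visible lines, yet `PrivateKeyFile`/`PresharedKeyFile` are read by systemd-networkd rather than root; unless set elsewhere, `group = "systemd-network"; mode = "0440";` is needed for the daemon to open them. Interpolating `config.networking.hostName` into the path also means a host whose hostName does not match its instance directory fails with a missing-file error at build time rather than a clear message; an assertion or comment tying the two together would help. The `wg/psk` attribute set continues past the hunk.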