xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

some slight changes

Browse source
This commit is contained in:
Lucy Hochkamp 2024-03-17 09:07:28 +01:00
parent be17bb97d2
commit ff468ca2d7
No known key found for this signature in database
70 changed files with 245 additions and 2131 deletions
Download patch file Download diff file Expand all files Collapse all files

11
darwin-common.nix
View file

@ -1,5 +1,4 @@
{ config, pkgs, inputs, ... }: { { config, pkgs, inputs, ... }: {
programs.gnupg.agent.enable = true;
programs.zsh.enable = true; programs.zsh.enable = true;
environment.pathsToLink = [ "/share/zsh" ]; environment.pathsToLink = [ "/share/zsh" ];
services.nix-daemon.enable = true; services.nix-daemon.enable = true;
@ -24,16 +23,6 @@
sshKey = "/Users/xyno/.ssh/id_ed25519"; sshKey = "/Users/xyno/.ssh/id_ed25519";
publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUorQkJYdWZYQUpoeVVIVmZocWxrOFk0ekVLSmJLWGdKUXZzZEU0ODJscFYgcm9vdEBpc28K"; publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUorQkJYdWZYQUpoeVVIVmZocWxrOFk0ekVLSmJLWGdKUXZzZEU0ODJscFYgcm9vdEBpc28K";
} }
#{
# systems = [ "aarch64-linux" "x86_64-linux" ];
# speedFactor = 2;
# supportedFeatures = [ "kvm" "big-parallel" ];
# sshUser = "ragon";
# maxJobs = 8;
# hostName = "192.168.65.7";
# sshKey = "/Users/ragon/.ssh/id_ed25519";
# publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUM4aG9teFlQZlk4bS9JQ2c2NVNWNU9Temp3eW1sNmxEMXhGNi9zWUxPQkY=";
#}
]; ];
nix.extraOptions = '' nix.extraOptions = ''
builders-use-substitutes = true builders-use-substitutes = true

334
flake.lock generated
View file

@ -83,101 +83,7 @@
"type": "github" "type": "github"
} }
}, },
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1710169806,
"narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
"owner": "nix-community",
"repo": "disko",
"rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": [
"neovim-nightly-overlay",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709336216,
"narHash": "sha256-Dt/wOWeW6Sqm11Yh+2+t0dfEWxoMxGBvv3JpIocFl9E=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "f7b3c975cf067e56e7cda6cb098ebe3fb4d74ca2",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"neovim-nightly-overlay",
"hercules-ci-effects",
"nixpkgs"
]
},
"locked": {
"lastModified": 1701473968,
"narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
"type": "github"
},
"original": {
"id": "flake-parts",
"type": "indirect"
}
},
"flake-parts_3": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
@ -213,64 +119,6 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"hercules-ci-effects": {
"inputs": {
"flake-parts": "flake-parts_2",
"nixpkgs": [
"neovim-nightly-overlay",
"nixpkgs"
]
},
"locked": {
"lastModified": 1708547820,
"narHash": "sha256-xU/KC1PWqq5zL9dQ9wYhcdgxAwdeF/dJCLPH3PNZEBg=",
"owner": "hercules-ci",
"repo": "hercules-ci-effects",
"rev": "0ca27bd58e4d5be3135a4bef66b582e57abe8f4a",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "hercules-ci-effects",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -365,74 +213,9 @@
"type": "github" "type": "github"
} }
}, },
"neovim-flake": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs"
},
"locked": {
"dir": "contrib",
"lastModified": 1681563256,
"narHash": "sha256-efqY64VXxpcBCBouHwl0d0fJ6Aol3gzQB7/eXFO4gI0=",
"owner": "neovim",
"repo": "neovim",
"rev": "eb151a9730f0000ff46e0b3467e29bb9f02ae362",
"type": "github"
},
"original": {
"dir": "contrib",
"owner": "neovim",
"repo": "neovim",
"type": "github"
}
},
"neovim-nightly-overlay": {
"inputs": {
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"hercules-ci-effects": "hercules-ci-effects",
"neovim-flake": "neovim-flake",
"nixpkgs": [
"nixpkgs-master"
]
},
"locked": {
"lastModified": 1710201806,
"narHash": "sha256-ySFpQv1cVsm1uGr/cbtfvWht6Kszfy/aP3TjiLQ8h0w=",
"owner": "nix-community",
"repo": "neovim-nightly-overlay",
"rev": "a6185e08ac09b6528b7120cd2886610eaffd68de",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "neovim-nightly-overlay",
"type": "github"
}
},
"nix-vscode-extensions": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1710206084,
"narHash": "sha256-W6jg8xtOohOM0Mxqx/5K03y4CNOAYw7hvc5ORccMVlI=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "cfbb96201a78804e92794d6fe57466f777da74aa",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"type": "github"
}
},
"nixd": { "nixd": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_3", "flake-parts": "flake-parts",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
@ -469,16 +252,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1709961763, "lastModified": 1710162809,
"narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=", "narHash": "sha256-i2R2bcnQp+85de67yjgZVvJhd6rRnJbSYNpGmB6Leb8=",
"owner": "nixos", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3030f185ba6a4bf4f18b87f345f104e6a6961f34", "rev": "ddcd7598b2184008c97e6c9c6a21c5f37590b8d2",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "NixOS",
"ref": "nixos-unstable", "ref": "nixos-23.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -533,38 +316,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": {
"locked": {
"lastModified": 1684570954,
"narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1710162809,
"narHash": "sha256-i2R2bcnQp+85de67yjgZVvJhd6rRnJbSYNpGmB6Leb8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ddcd7598b2184008c97e6c9c6a21c5f37590b8d2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nnn-nvim": { "nnn-nvim": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -613,38 +364,6 @@
"type": "github" "type": "github"
} }
}, },
"octoprint-spoolmanager": {
"flake": false,
"locked": {
"lastModified": 1647619589,
"narHash": "sha256-JKPegbnv7nxyhAi8AqF/TDQVaj67JTlcWYHhetX5AGQ=",
"owner": "OllisGit",
"repo": "OctoPrint-SpoolManager",
"rev": "dea8d64c1849c970f3616e158260c4c6fef5a4b7",
"type": "github"
},
"original": {
"owner": "OllisGit",
"repo": "OctoPrint-SpoolManager",
"type": "github"
}
},
"octoprint-telegram": {
"flake": false,
"locked": {
"lastModified": 1646577349,
"narHash": "sha256-z/Nhixz83pikM616OEn+bK1889DTdC8F1E7WiBy8gsY=",
"owner": "fabianonline",
"repo": "OctoPrint-Telegram",
"rev": "d8fa9ac4a65600a25deacad9bc0d3e9cc0167751",
"type": "github"
},
"original": {
"owner": "fabianonline",
"repo": "OctoPrint-Telegram",
"type": "github"
}
},
"pandoc-latex-template": { "pandoc-latex-template": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -688,23 +407,18 @@
"agenix": "agenix", "agenix": "agenix",
"agkozak-zsh-prompt": "agkozak-zsh-prompt", "agkozak-zsh-prompt": "agkozak-zsh-prompt",
"darwin": "darwin_2", "darwin": "darwin_2",
"disko": "disko",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"impermanence": "impermanence", "impermanence": "impermanence",
"lolpizza": "lolpizza", "lolpizza": "lolpizza",
"miro": "miro", "miro": "miro",
"neovim-nightly-overlay": "neovim-nightly-overlay",
"nix-vscode-extensions": "nix-vscode-extensions",
"nixd": "nixd", "nixd": "nixd",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs",
"nixpkgs-darwin": "nixpkgs-darwin", "nixpkgs-darwin": "nixpkgs-darwin",
"nixpkgs-master": "nixpkgs-master", "nixpkgs-master": "nixpkgs-master",
"nnn-nvim": "nnn-nvim", "nnn-nvim": "nnn-nvim",
"noice-nvim": "noice-nvim", "noice-nvim": "noice-nvim",
"notify-nvim": "notify-nvim", "notify-nvim": "notify-nvim",
"octoprint-spoolmanager": "octoprint-spoolmanager",
"octoprint-telegram": "octoprint-telegram",
"pandoc-latex-template": "pandoc-latex-template", "pandoc-latex-template": "pandoc-latex-template",
"spoons": "spoons", "spoons": "spoons",
"utils": "utils", "utils": "utils",
@ -778,39 +492,9 @@
"type": "github" "type": "github"
} }
}, },
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": { "utils": {
"inputs": { "inputs": {
"systems": "systems_5" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1710146030,

66
flake.nix
View file

@ -16,13 +16,6 @@
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
darwin.url = "github:lnl7/nix-darwin/master"; darwin.url = "github:lnl7/nix-darwin/master";
darwin.inputs.nixpkgs.follows = "nixpkgs"; darwin.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay";
neovim-nightly-overlay.inputs.nixpkgs.follows = "nixpkgs-master";
neovim-nightly-overlay.inputs.neovim-flake.url = "github:neovim/neovim?dir=contrib&rev=eb151a9730f0000ff46e0b3467e29bb9f02ae362";
neovim-nightly-overlay.inputs.neovim-flake.inputs.nixpkgs.follows = "nixpkgs-master";
# programs # programs
xynoblog.url = "github:thexyno/blog"; xynoblog.url = "github:thexyno/blog";
@ -45,9 +38,6 @@
noice-nvim.url = "github:folke/noice.nvim"; noice-nvim.url = "github:folke/noice.nvim";
noice-nvim.flake = false; noice-nvim.flake = false;
## vscode
nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
## zsh ## zsh
zsh-completions.url = "github:zsh-users/zsh-completions"; zsh-completions.url = "github:zsh-users/zsh-completions";
zsh-completions.flake = false; zsh-completions.flake = false;
@ -76,19 +66,12 @@
pandoc-latex-template.url = "github:Wandmalfarbe/pandoc-latex-template"; pandoc-latex-template.url = "github:Wandmalfarbe/pandoc-latex-template";
pandoc-latex-template.flake = false; pandoc-latex-template.flake = false;
## octoprint
octoprint-telegram.url = "github:fabianonline/OctoPrint-Telegram";
octoprint-telegram.flake = false;
octoprint-spoolmanager.url = "github:OllisGit/OctoPrint-SpoolManager";
octoprint-spoolmanager.flake = false;
}; };
outputs = outputs =
inputs @ { self inputs @ { self
, nixpkgs , nixpkgs
, nixpkgs-darwin , nixpkgs-darwin
, neovim-nightly-overlay
, nixpkgs-master , nixpkgs-master
, agenix , agenix
, home-manager , home-manager
@ -107,13 +90,8 @@
my = import ./lib { inherit inputs; lib = self; }; my = import ./lib { inherit inputs; lib = self; };
}); });
genPkgs = system: import nixpkgs {
inherit system;
config.allowUnfree = true;
};
overlays = [ overlays = [
self.overlays.default self.overlays.default
neovim-nightly-overlay.overlay
nixd.overlays.default nixd.overlays.default
]; ];
genPkgsWithOverlays = system: import nixpkgs { genPkgsWithOverlays = system: import nixpkgs {
@ -126,15 +104,11 @@
}; };
hmConfig = { hm, pkgs, inputs, config, ... }: {
imports = (lib.my.mapModulesRec' ./hm-imports (x: x)) ++ [ "${impermanence}/home-manager.nix" ];
};
rev = if (lib.hasAttrByPath [ "rev" ] self.sourceInfo) then self.sourceInfo.rev else "Dirty Build"; rev = if (lib.hasAttrByPath [ "rev" ] self.sourceInfo) then self.sourceInfo.rev else "Dirty Build";
nixosSystem = system: extraModules: hostName: nixosSystem = system: extraModules: hostName:
let let
pkgs = genPkgs system; pkgs = genPkgsWithOverlays system;
in in
nixpkgs.lib.nixosSystem nixpkgs.lib.nixosSystem
rec { rec {
@ -159,12 +133,9 @@
home-manager.extraSpecialArgs = { inherit inputs; }; home-manager.extraSpecialArgs = { inherit inputs; };
} }
(lib.mkIf config.ragon.user.enable { ])
# import hm stuff if enabled
home-manager.users.ragon = hmConfig;
})])
./nixos-common.nix ./nixos-common.nix
] ++ (lib.my.mapModulesRec' (toString ./nixos-modules) import) ++ extraModules; ] ++ extraModules;
}; };
darwinSystem = system: extraModules: hostName: darwinSystem = system: extraModules: hostName:
let let
@ -178,15 +149,13 @@
home-manager.darwinModules.home-manager home-manager.darwinModules.home-manager
{ {
nixpkgs.overlays = overlays; nixpkgs.overlays = overlays;
#system.darwinLabel = "${config.system.darwinLabel}@${rev}";
networking.hostName = hostName; networking.hostName = hostName;
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = { inherit inputs pkgs; }; home-manager.extraSpecialArgs = { inherit inputs pkgs; };
home-manager.users.xyno = hmConfig;
} }
./darwin-common.nix ./darwin-common.nix
] ++ (lib.my.mapModulesRec' (toString ./darwin-modules) import) ++ extraModules; ] ++ extraModules;
}; };
processConfigurations = lib.mapAttrs (n: v: v n); processConfigurations = lib.mapAttrs (n: v: v n);
@ -202,38 +171,17 @@
}; };
my = self.packages."${prev.system}"; my = self.packages."${prev.system}";
}; };
nixosModules = lib.my.mapModulesRec ./nixos-modules import; # nixosModules = lib.my.mapModulesRec ./nixos-modules import;
#darwinModules = [ ]; # darwinModules = lib.my.mapModulesRec ./darwin-modules import;
darwinModules = lib.my.mapModulesRec ./darwin-modules import;
nixosConfigurations = processConfigurations { nixosConfigurations = processConfigurations {
picard = nixosSystem "x86_64-linux" [ ./hosts/picard/default.nix ]; picard = nixosSystem "x86_64-linux" [ ./hosts/picard/default.nix ];
ds9 = nixosSystem "x86_64-linux" [ ./hosts/ds9/default.nix ]; ds9 = nixosSystem "x86_64-linux" [ ./hosts/ds9/default.nix ];
daedalusvm = nixosSystem "aarch64-linux" [ ./hosts/daedalusvm/default.nix ];
octopi = nixosSystem "aarch64-linux" [ ./hosts/octopi/default.nix ];
icarus = nixosSystem "x86_64-linux" [ ./hosts/icarus/default.nix ];
beliskner = nixosSystem "x86_64-linux" [ ./hosts/beliskner/default.nix ];
}; };
darwinConfigurations = processConfigurations { darwinConfigurations = processConfigurations {
daedalus = darwinSystem "aarch64-darwin" [ ./hosts/daedalus/default.nix ]; daedalus = darwinSystem "aarch64-darwin" [ ./hosts/daedalus/default.nix ];
}; };
homeConfigurations."fedora-vm" =
let pkgs = genPkgsWithOverlays "aarch64-linux"; in
home-manager.lib.homeManagerConfiguration {
inherit pkgs;
extraSpecialArgs = { inherit inputs; };
modules = [
hmConfig
{
ragon.vscode.enable = true;
home.username = "ragon";
home.packages = [ pkgs.openvscode-server ];
home.homeDirectory = "/home/ragon.linux";
}
];
};
} // utils.lib.eachDefaultSystem (system: } // utils.lib.eachDefaultSystem (system:
let pkgs = nixpkgs.legacyPackages.${system}; in let pkgs = nixpkgs.legacyPackages.${system}; in
{ {

56
hm-imports/zsh/zshrc
View file

@ -1,56 +0,0 @@
# AGKOZAK_MULTILINE=0
# AGKOZAK_PROMPT_CHAR=( "%F{red}N%f")
autoload -Uz history-search-end
zle -N history-beginning-search-backward-end history-search-end
zle -N history-beginning-search-forward-end history-search-end
bindkey -M vicmd '^[[A' history-beginning-search-backward-end \
'^[OA' history-beginning-search-backward-end \
'^[[B' history-beginning-search-forward-end \
'^[OB' history-beginning-search-forward-end
bindkey -M viins '^[[A' history-beginning-search-backward-end \
'^[OA' history-beginning-search-backward-end \
'^[[B' history-beginning-search-forward-end \
'^[OB' history-beginning-search-forward-end
hash go 2>/dev/null && export PATH=$PATH:$(go env GOPATH)/bin
hash yarn 2>/dev/null && export PATH=$PATH:$HOME/.yarn/bin
hash dotnet 2>/dev/null && export PATH=$PATH:$HOME/.dotnet/tools
hash direnv 2>/dev/null && eval "$(direnv hook zsh)" # needed for lorri
export PATH=$PATH:$HOME/.local/bin
export PATH=$PATH:$HOME/flutter/flutter/bin
hash kitty 2>/dev/null && alias ssh="kitty kitten ssh"
hash helm 2>/dev/null && . <(helm completion zsh)
hash kubectl 2>/dev/null && . <(kubectl completion zsh)
export NNN_ARCHIVE="\\.(7z|a|ace|alz|arc|arj|bz|bz2|cab|cpio|deb|gz|jar|lha|lz|lzh|lzma|lzo|rar|rpm|rz|t7z|tar|tbz|tbz2|tgz|tlz|txz|tZ|tzo|war|xpi|xz|Z|zip)$"
if [[ -d "$HOME/miniconda3" ]]; then
export PATH=$PATH:$HOME/miniconda3/bin
. <(~/miniconda3/bin/conda shell.zsh hook)
fi
n ()
{
# Block nesting of nnn in subshells
if [ -n $NNNLVL ] && [ "${NNNLVL:-0}" -ge 1 ]; then
echo "nnn is already running"
return
fi
export NNN_TMPFILE="$HOME/.config/nnn/.lastd"
# Unmask ^Q (, ^V etc.) (if required, see `stty -a`) to Quit nnn
# stty start undef
# stty stop undef
# stty lwrap undef
# stty lnext undef
nnn -d "$@"
if [ -f "$NNN_TMPFILE" ]; then
. "$NNN_TMPFILE"
rm -f "$NNN_TMPFILE" > /dev/null
fi
}

46
hm-imports/cli.nix → hm-modules/cli.nix
View file

@ -3,7 +3,6 @@
home.stateVersion = lib.mkDefault "22.05"; home.stateVersion = lib.mkDefault "22.05";
home.packages = with pkgs; [ home.packages = with pkgs; [
my.scripts my.scripts
jq jq
nnn nnn
@ -13,8 +12,6 @@
curl curl
fd fd
file file
lorri
fzf
git git
neofetch neofetch
ripgrep ripgrep
@ -22,16 +19,16 @@
unzip unzip
pv pv
killall killall
lefthook
yt-dlp yt-dlp
aria2 aria2
libqalculate
]; ];
home.shellAliases = { home.shellAliases = {
v = "nvim"; v = "nvim";
c = "code";
vim = "nvim"; vim = "nvim";
gpl = "git pull"; gpl = "git pull";
gp = "git push"; gp = "git push";
gd = "git diff";
lg = "lazygit"; lg = "lazygit";
gc = "git commit -v"; gc = "git commit -v";
kb = "git commit -m \"\$(curl -s http://whatthecommit.com/index.txt)\""; kb = "git commit -m \"\$(curl -s http://whatthecommit.com/index.txt)\"";
@ -48,48 +45,10 @@
}; };
programs = { programs = {
# gpg = {
# enable = true;
# settings = {
# cert-digest-algo = "SHA512";
# charset = "utf-8";
# default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
# auto-key-retrieve = true;
# fixed-list-mode = true;
# keyserver = "hkps://keyserver.ubuntu.com:443";
# list-options = [ "show-uid-validity" "show-unusable-subkeys" ];
# no-comments = true;
# no-emit-version = true;
# no-greeting = true;
# no-symkey-cache = true;
# personal-cipher-preferences = "AES256 AES192 AES";
# personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
# personal-digest-preferences = "SHA512 SHA384 SHA256";
# require-cross-certification = true;
# s2k-cipher-algo = "AES256";
# s2k-digest-algo = "SHA512";
# throw-keyids = true;
# use-agent = true;
# verbose = true;
# verify-options = "show-uid-validity";
# with-fingerprint = true;
# with-key-origin = true;
# };
# };
bat = { bat = {
enable = true; enable = true;
config.theme = "gruvbox-dark"; config.theme = "gruvbox-dark";
}; };
fzf = {
enable = true;
enableZshIntegration = true;
defaultOptions = [
"--height 40%"
"--layout=reverse"
"--border"
"--inline-info"
];
};
git = { git = {
enable = true; enable = true;
lfs.enable = true; lfs.enable = true;
@ -120,7 +79,6 @@
}; };
}; };
}; };
} }

3
hm-imports/files.nix → hm-modules/files.nix
View file

@ -1,5 +1,8 @@
{ inputs, config, lib, pkgs, ... }: { inputs, config, lib, pkgs, ... }:
{ {
imports = [
"${inputs.impermanence}/home-manager.nix"
];
home.file = { home.file = {
# Home nix config. # Home nix config.
".config/nixpkgs/config.nix".text = "{ allowUnfree = true; }"; ".config/nixpkgs/config.nix".text = "{ allowUnfree = true; }";

0
hm-imports/nvim/config/lua/.luarc.json → hm-modules/nvim/config/lua/.luarc.json
View file

0
hm-imports/nvim/config/lua/dark_notify.lua → hm-modules/nvim/config/lua/dark_notify.lua
View file

0
hm-imports/nvim/config/lua/filetypes.lua → hm-modules/nvim/config/lua/filetypes.lua
View file

0
hm-imports/nvim/config/lua/keybindings.lua → hm-modules/nvim/config/lua/keybindings.lua
View file

0
hm-imports/nvim/config/lua/plugin/cmp.lua → hm-modules/nvim/config/lua/plugin/cmp.lua
View file

0
hm-imports/nvim/config/lua/plugin/dap.lua → hm-modules/nvim/config/lua/plugin/dap.lua
View file

0
hm-imports/nvim/config/lua/plugin/gitsigns.lua → hm-modules/nvim/config/lua/plugin/gitsigns.lua
View file

0
hm-imports/nvim/config/lua/plugin/lsp.lua → hm-modules/nvim/config/lua/plugin/lsp.lua
View file

0
hm-imports/nvim/config/lua/plugin/lualine.lua → hm-modules/nvim/config/lua/plugin/lualine.lua
View file

0
hm-imports/nvim/config/lua/plugin/nnn.lua → hm-modules/nvim/config/lua/plugin/nnn.lua
View file

0
hm-imports/nvim/config/lua/plugin/noice.lua → hm-modules/nvim/config/lua/plugin/noice.lua
View file

0
hm-imports/nvim/config/lua/plugin/telescope.lua → hm-modules/nvim/config/lua/plugin/telescope.lua
View file

0
hm-imports/nvim/config/lua/plugin/terminal.lua → hm-modules/nvim/config/lua/plugin/terminal.lua
View file

0
hm-imports/nvim/config/lua/plugin/treesitter.lua → hm-modules/nvim/config/lua/plugin/treesitter.lua
View file

0
hm-imports/nvim/config/lua/utils.lua → hm-modules/nvim/config/lua/utils.lua
View file

0
hm-imports/nvim/config/nvim.lua → hm-modules/nvim/config/nvim.lua
View file

1
hm-imports/nvim/default.nix → hm-modules/nvim/default.nix
View file

@ -54,7 +54,6 @@ in
programs.neovim = programs.neovim =
{ {
enable = true; enable = true;
package = pkgs.neovim-nightly;
extraConfig = '' extraConfig = ''
set runtimepath^=~/.config/nvim set runtimepath^=~/.config/nvim
lua dofile('${./config/nvim.lua}') lua dofile('${./config/nvim.lua}')

0
hm-imports/tmux/default.nix → hm-modules/tmux/default.nix
View file

0
hm-imports/tmux/tmux-switch-colors/dark.tmux → hm-modules/tmux/tmux-switch-colors/dark.tmux
View file

0
hm-imports/tmux/tmux-switch-colors/light.tmux → hm-modules/tmux/tmux-switch-colors/light.tmux
View file

0
hm-imports/tmux/tmux-switch-colors/start_theme_switcher.sh → hm-modules/tmux/tmux-switch-colors/start_theme_switcher.sh
View file

0
hm-imports/tmux/tmux-switch-colors/theme_setter.sh → hm-modules/tmux/tmux-switch-colors/theme_setter.sh
View file

0
hm-imports/tmux/tmux-switch-colors/theme_switcher.sh → hm-modules/tmux/tmux-switch-colors/theme_switcher.sh
View file

0
hm-imports/vscode/PLEASE FORGIVE ME FOR THIS SINFUL ACT → hm-modules/vscode/PLEASE FORGIVE ME FOR THIS SINFUL ACT
View file

2
hm-imports/vscode/default.nix → hm-modules/vscode/default.nix
View file

@ -3,7 +3,7 @@ let
cfg = config.ragon.vscode; cfg = config.ragon.vscode;
#marketplace = inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; #marketplace = inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace;
#marketplace-release = inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace-release; #marketplace-release = inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace-release;
marketplace = (import ../../data/vscode-extensions.nix { inherit pkgs lib; }); marketplace = (import ./vscode-extensions.nix { inherit pkgs lib; });
in in
{ {

0
hm-imports/vscode/extensions.toml → hm-modules/vscode/extensions.toml
View file

0
data/vscode-extensions.nix → hm-modules/vscode/vscode-extensions.nix
View file

20
hm-imports/xonsh/default.nix → hm-modules/xonsh/default.nix
View file

@ -41,26 +41,6 @@ in
$PROMPT_FIELDS['sshhostname'] = lambda: "{user}@{hostname}" if "SSH_TTY" in ''${...} else $PROMPT_FIELDS['rootuser']() $PROMPT_FIELDS['sshhostname'] = lambda: "{user}@{hostname}" if "SSH_TTY" in ''${...} else $PROMPT_FIELDS['rootuser']()
$PROMPT = '{gitstatus:{RESET}[{}{RESET}] }{sshhostname:{} }{BOLD_GREEN}{short_cwd}{RED}{last_return_code_if_nonzero: [{BOLD_INTENSE_RED}{}{RED}] }{RESET}{BOLD_BLUE}{RESET}> ' $PROMPT = '{gitstatus:{RESET}[{}{RESET}] }{sshhostname:{} }{BOLD_GREEN}{short_cwd}{RED}{last_return_code_if_nonzero: [{BOLD_INTENSE_RED}{}{RED}] }{RESET}{BOLD_BLUE}{RESET}> '
$VI_MODE = True $VI_MODE = True
aliases['v'] = "nvim"
aliases['c'] = "code"
aliases['vim'] = "nvim"
aliases['gpl'] = "git pull"
aliases['gpf'] = "git push --force-with-lease --force-if-includes"
aliases['gp'] = "git push"
aliases['gd'] = "git diff"
aliases['lg'] = "lazygit"
aliases['gc'] = "git commit -v"
# aliases['kb'] = "git commit -m \"\$(curl -s http://whatthecommit.com/index.txt)\""
aliases['gs'] = "git status -v"
aliases['gfc'] = "git fetch && git checkout"
aliases['gl'] = "git log --graph"
aliases['l'] = "eza -la --git"
aliases['la'] = "eza -la --git"
aliases['ls'] = "eza"
aliases['ll'] = "eza -l --git"
aliases['cat'] = "bat"
aliases['p'] = "cd ~/proj"
aliases['pd'] = "cd ~/proj/devsaur"
# https://xon.sh/xonshrc.html?highlight=nix#use-the-nix-package-manager-with-xonsh # https://xon.sh/xonshrc.html?highlight=nix#use-the-nix-package-manager-with-xonsh
import os.path import os.path

2
hm-imports/zsh/default.nix → hm-modules/zsh/default.nix
View file

@ -15,7 +15,7 @@ in
"${pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k/powerlevel10k.zsh-theme" "${pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k/powerlevel10k.zsh-theme"
# "${inputs.agkozak-zsh-prompt}/agkozak-zsh-prompt.plugin.zsh" # "${inputs.agkozak-zsh-prompt}/agkozak-zsh-prompt.plugin.zsh"
"${pkgs.oh-my-zsh}/share/oh-my-zsh/plugins/git/git.plugin.zsh" "${pkgs.oh-my-zsh}/share/oh-my-zsh/plugins/git/git.plugin.zsh"
"${pkgs.oh-my-zsh}/share/oh-my-zsh/plugins/globalias/globalias.plugin.zsh" #"${pkgs.oh-my-zsh}/share/oh-my-zsh/plugins/globalias/globalias.plugin.zsh"
"${inputs.zsh-vim-mode}/zsh-vim-mode.plugin.zsh" "${inputs.zsh-vim-mode}/zsh-vim-mode.plugin.zsh"
"${inputs.zsh-syntax-highlighting}/zsh-syntax-highlighting.plugin.zsh" "${inputs.zsh-syntax-highlighting}/zsh-syntax-highlighting.plugin.zsh"
"${inputs.zsh-completions}/zsh-completions.plugin.zsh" "${inputs.zsh-completions}/zsh-completions.plugin.zsh"

0
hm-imports/zsh/p10k.zsh → hm-modules/zsh/p10k.zsh
View file

9
nixos-modules/cli/zsh/zshrc → hm-modules/zsh/zshrc
View file

@ -1,5 +1,3 @@
AGKOZAK_MULTILINE=0
AGKOZAK_PROMPT_CHAR=( "%F{red}N%f")
autoload -Uz history-search-end autoload -Uz history-search-end
zle -N history-beginning-search-backward-end history-search-end zle -N history-beginning-search-backward-end history-search-end
@ -16,9 +14,8 @@ bindkey -M viins '^[[A' history-beginning-search-backward-end \
hash go 2>/dev/null && export PATH=$PATH:$(go env GOPATH)/bin hash go 2>/dev/null && export PATH=$PATH:$(go env GOPATH)/bin
hash yarn 2>/dev/null && export PATH=$PATH:$HOME/.yarn/bin hash yarn 2>/dev/null && export PATH=$PATH:$HOME/.yarn/bin
hash direnv 2>/dev/null && eval "$(direnv hook zsh)" # needed for lorri hash dotnet 2>/dev/null && export PATH=$PATH:$HOME/.dotnet/tools
hash helm 2>/dev/null && . <(helm completion zsh) hash direnv 2>/dev/null && eval "$(direnv hook zsh)"
hash kubectl 2>/dev/null && . <(kubectl completion zsh)
export NNN_ARCHIVE="\\.(7z|a|ace|alz|arc|arj|bz|bz2|cab|cpio|deb|gz|jar|lha|lz|lzh|lzma|lzo|rar|rpm|rz|t7z|tar|tbz|tbz2|tgz|tlz|txz|tZ|tzo|war|xpi|xz|Z|zip)$" export NNN_ARCHIVE="\\.(7z|a|ace|alz|arc|arj|bz|bz2|cab|cpio|deb|gz|jar|lha|lz|lzh|lzma|lzo|rar|rpm|rz|t7z|tar|tbz|tbz2|tgz|tlz|txz|tZ|tzo|war|xpi|xz|Z|zip)$"
n () n ()
@ -44,3 +41,5 @@ n ()
rm -f "$NNN_TMPFILE" > /dev/null rm -f "$NNN_TMPFILE" > /dev/null
fi fi
} }

155
hosts/beliskner/default.nix
View file

@ -1,155 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
documentation.enable = false;
documentation.nixos.enable = false;
documentation.man.enable = false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
boot.loader.systemd-boot.enable = false;
networking.interfaces."ens3" = {
ipv6 = {
addresses = [
{
address = "2a00:6800:3:744::1";
prefixLength = 64;
}
];
};
ipv4 = {
addresses = [
{
address = "195.90.211.163";
prefixLength = 22;
}
];
};
};
networking.defaultGateway6 = { address = "2a00:6800:3::1"; interface = "ens3"; };
networking.defaultGateway = { address = "195.90.208.1"; interface = "ens3"; };
networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
networking.useDHCP = false;
# networking.interfaces.eno1.useDHCP = true;
networking.hostId = "7c28236a";
# Immutable users due to tmpfs
users.mutableUsers = false;
services.postgresql.package = pkgs.postgresql_13;
services.grafana = {
enable = true;
settings.server = {
domain = "beliskner.kangaroo-galaxy.ts.net";
root_url = "https://beliskner.kangaroo-galaxy.ts.net/";
};
};
services.grafana.settings = {
analytics.reporting_enabled = false;
users = {
allow_sign_up = false;
};
#auth.proxy = ''
# enabled = true
# header_name = "X-Webauth-User"
# header_property = "username"
# auto_sign_up = true
# allow_sign_up = true
# whitelist = "127.0.0.1, ::1"
#'';
};
ragon.agenix.secrets."prometheusBlackboxConfig.yaml" = { owner = "prometheus"; };
services.prometheus.scrapeConfigs = [{
job_name = "blackbox";
file_sd_configs = [{
files = [
config.age.secrets."prometheusBlackboxConfig.yaml".path
];
}];
}];
services.prometheus.checkConfig = false;
services.prometheus.exporters.blackbox = {
enable = true;
configFile = pkgs.writeText "blackboxexporter" ''
modules:
dns:
prober: dns
http_2xx:
prober: http
timeout: 5s
http:
method: GET
preferred_ip_protocol: "ip4" # defaults to "ip6"
'';
};
services.caddy = {
enable = true;
virtualHosts = {
"beliskner.kangaroo-galaxy.ts.net" = {
extraConfig = ''
#forward_auth unix//run/tailscale/tailscaled.sock {
# uri /auth
# header_up Remote-Addr {remote_host}
# header_up Remote-Port {remote_port}
# header_up Original-URI {uri}
# copy_headers {
# Tailscale-User>X-Webauth-User
# Tailscale-Name>X-Webauth-Name
# Tailscale-Login>X-Webauth-Login
# Tailscale-Tailnet>X-Webauth-Tailnet
# Tailscale-Profile-Picture>X-Webauth-Profile-Picture
# }
#}
reverse_proxy {
to http://localhost:${toString config.services.grafana.settings.server.http_port}
flush_interval -1
transport http {
keepalive 310s
compression off
}
}
'';
};
};
};
networking.firewall.trustedInterfaces = [ "lo" "tailscale0" ];
services.tailscale = {
enable = true;
permitCertUid = "caddy";
};
age.identityPaths = lib.mkForce [ "/nix/persistent/etc/ssh/ssh_host_ed25519_key" ];
ragon = {
cli.enable = false;
user.enable = false;
tailscaleToVpn.enable = true;
persist.enable = true;
persist.baseDir = "/nix/persistent";
persist.extraDirectories = [
"/var/lib/tailscale"
"/var/lib/caddy"
"/var/log"
];
services = {
ssh.enable = true;
};
};
}

85
hosts/beliskner/disk-config.nix
View file

@ -1,85 +0,0 @@
{ ... }: {
disko.devices = {
disk = {
vda = {
type = "disk";
device = "/dev/vda";
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "boot";
start = "0";
end = "1M";
part-type = "primary";
flags = [ "bios_grub" ];
}
{
name = "esp";
start = "1MiB";
end = "265MiB";
part-type = "primary";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
}
{
name = "luks";
start = "265MiB";
end = "100%";
part-type = "primary";
content = {
type = "luks";
name = "crypted";
extraOpenArgs = [ "--allow-discards" ];
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
keyFile = "/tmp/secret.key";
content = {
type = "lvm_pv";
vg = "pool";
};
};
}
];
};
};
};
lvm_vg = {
pool = {
type = "lvm_vg";
lvs = {
nix = {
size = "100%FREE";
content = {
type = "filesystem";
format = "xfs";
mountpoint = "/nix";
mountOptions = [
"defaults"
];
};
};
};
};
};
nodev = {
"/" = {
fsType = "tmpfs";
mountOptions = [
"size=2G"
"defaults"
"mode=755"
];
};
};
};
}

27
hosts/beliskner/hardware-configuration.nix
View file

@ -1,27 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, inputs, ... }:
let
pubkeys = import ../../data/pubkeys.nix;
in
{
imports = [ "${modulesPath}/profiles/qemu-guest.nix" inputs.disko.nixosModules.disko ./disk-config.nix ];
#boot.initrd.luks.devices."crypted".device = "/dev/vda2";
boot.initrd = {
network = {
enable = true;
ssh = {
enable = true;
port = 2222;
hostKeys = [
"/nix/persistent/etc/nixos/secrets/initrd/ssh_host_rsa_key"
"/nix/persistent/etc/nixos/secrets/initrd/ssh_host_ed25519_key"
];
authorizedKeys = pubkeys.ragon.user;
};
};
};
powerManagement.cpuFreqGovernor = "performance";
}

150
hosts/daedalus/default.nix
View file

@ -63,65 +63,72 @@ with lib.my;
environment.pathsToLink = [ "/share/fish" ]; environment.pathsToLink = [ "/share/fish" ];
ragon.services.borgmatic = #ragon.services.borgmatic =
let # let
tmMountPath = "/tmp/timeMachineSnapshotForBorg"; # tmMountPath = "/tmp/timeMachineSnapshotForBorg";
in # in
{ # {
enable = false; # enable = false;
configurations."daedalus-ds9" = { # configurations."daedalus-ds9" = {
source_directories = [ # source_directories = [
# tmMountPath # # tmMountPath
"/Users/ragon" # "/Users/ragon"
]; # ];
exclude_if_present = [ ".nobackup" ]; # exclude_if_present = [ ".nobackup" ];
repositories = [ # repositories = [
{ path = "ssh://ragon@ds9/backups/daedalus/borgmatic"; label = "ds9"; } # { path = "ssh://ragon@ds9/backups/daedalus/borgmatic"; label = "ds9"; }
{ path = "ssh://root@gatebridge/media/backup/daedalus"; label = "gatebridge"; } # { path = "ssh://root@gatebridge/media/backup/daedalus"; label = "gatebridge"; }
]; # ];
encryption_passcommand = pkgs.writeShellScript "getBorgmaticPw" ''security find-generic-password -a daedalus -s borgmaticKey -g 2>&1 | grep -E 'password' | sed 's/^.*"\(.*\)"$/\1/g' ''; # encryption_passcommand = pkgs.writeShellScript "getBorgmaticPw" ''security find-generic-password -a daedalus -s borgmaticKey -g 2>&1 | grep -E 'password' | sed 's/^.*"\(.*\)"$/\1/g' '';
compression = "auto,zstd,10"; # compression = "auto,zstd,10";
#ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.picardResticSSHKey.path}"; # #ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.picardResticSSHKey.path}";
keep_hourly = 24; # keep_hourly = 24;
keep_daily = 7; # keep_daily = 7;
keep_weekly = 4; # keep_weekly = 4;
keep_monthly = 12; # keep_monthly = 12;
keep_yearly = 10; # keep_yearly = 10;
# before_backup = [ # # before_backup = [
# (pkgs.writeShellScript # # (pkgs.writeShellScript
# "apfsSnapshot" # # "apfsSnapshot"
# '' # # ''
# tmutil localsnapshot # # tmutil localsnapshot
# SNAPSHOT=$(tmutil listlocalsnapshots / | grep TimeMachine | tail -n 1) # # SNAPSHOT=$(tmutil listlocalsnapshots / | grep TimeMachine | tail -n 1)
# mkdir -p "${tmMountPath}" # # mkdir -p "${tmMountPath}"
# mount_apfs -s $SNAPSHOT /System/Volumes/Data "${tmMountPath}" # # mount_apfs -s $SNAPSHOT /System/Volumes/Data "${tmMountPath}"
# '') # # '')
# ]; # # ];
# after_backup = [ # # after_backup = [
# (pkgs.writeShellScript # # (pkgs.writeShellScript
# "apfsSnapshotUnmount" # # "apfsSnapshotUnmount"
# '' # # ''
# diskutil unmount "${tmMountPath}" # # diskutil unmount "${tmMountPath}"
# SNAPSHOT=$(tmutil listlocalsnapshots / | grep TimeMachine | tail -n 1) # # SNAPSHOT=$(tmutil listlocalsnapshots / | grep TimeMachine | tail -n 1)
# tmutil deletelocalsnapshots $(echo $SNAPSHOT | sed 's/com\.apple\.TimeMachine\.\(.*\)\.local/\1/g') # # tmutil deletelocalsnapshots $(echo $SNAPSHOT | sed 's/com\.apple\.TimeMachine\.\(.*\)\.local/\1/g')
# '') # # '')
# ]; # # ];
# on_error = [ # # on_error = [
# # #
# (pkgs.writeShellScript # # (pkgs.writeShellScript
# "apfsSnapshotUnmountError" # # "apfsSnapshotUnmountError"
# '' # # ''
# diskutil unmount "${tmMountPath}" # # diskutil unmount "${tmMountPath}"
# '') # # '')
# ]; # # ];
}; # };
}; # };
programs.gnupg.agent.enable = lib.mkForce false;
home-manager.users.xyno = { pkgs, lib, inputs, config, ... }: home-manager.users.xyno = { pkgs, lib, inputs, config, ... }:
{ {
ragon.nvim.maximal = true; imports = [
../../hm-modules/nvim
../../hm-modules/tmux
../../hm-modules/vscode
../../hm-modules/xonsh
../../cli.nix
../../files.nix
];
ragon.nvim.maximal = false;
home.file.".hammerspoon/init.lua".source = home.file.".hammerspoon/init.lua".source =
let let
@ -134,7 +141,6 @@ with lib.my;
src = ./hammerspoon.lua; inherit notmuchMails; src = ./hammerspoon.lua; inherit notmuchMails;
}; };
home.file.".hammerspoon/Spoons/MiroWindowsManager.spoon".source = "${inputs.miro}/MiroWindowsManager.spoon"; home.file.".hammerspoon/Spoons/MiroWindowsManager.spoon".source = "${inputs.miro}/MiroWindowsManager.spoon";
home.file.".finicky.js".source = ./finicky.js;
ragon.vscode.enable = true; ragon.vscode.enable = true;
ragon.xonsh.enable = true; ragon.xonsh.enable = true;
@ -150,8 +156,6 @@ with lib.my;
EDITOR = "nvim"; EDITOR = "nvim";
VISUAL = "nvim"; VISUAL = "nvim";
COLORTERM = "truecolor"; # emacs tty fix COLORTERM = "truecolor"; # emacs tty fix
PATH = "$PATH:$HOME/go/bin:$HOME/development/flutter/bin:/Applications/Android Studio.app/Contents/bin/:/Applications/Docker.app/Contents/Resources/bin:/Applications/Android Studio.app/Contents/jre/Contents/Home/bin";
# JAVA_HOME = "/Applications/Android Studio.app/Contents/jre/Contents/Home/";
}; };
home.packages = with pkgs; [ home.packages = with pkgs; [
mosh mosh
@ -164,38 +168,8 @@ with lib.my;
pandoc pandoc
micromamba micromamba
#unstable.qutebrowser
#unstable.python311Packages.adblock
]; ];
# home.activation = {
# aliasApplications =
# let
# apps = pkgs.buildEnv {
# name = "home-manager-applications";
# paths = config.home.packages;
# pathsToLink = "/Applications";
# };
# in
# lib.hm.dag.entryAfter [ "writeBoundary" ] ''
# # Install MacOS applications to the user environment.
# HM_APPS="$HOME/Applications/Home Manager Apps"
# # Reset current state
# [ -e "$HM_APPS" ] && $DRY_RUN_CMD rm -r "$HM_APPS"
# $DRY_RUN_CMD mkdir -p "$HM_APPS"
# # .app dirs need to be actual directories for Finder to detect them as Apps.
# # The files inside them can be symlinks though.
# $DRY_RUN_CMD cp --recursive --symbolic-link --no-preserve=mode -H ${apps}/Applications/* "$HM_APPS" || true # can fail if no apps exist
# # Modes need to be stripped because otherwise the dirs wouldn't have +w,
# # preventing us from deleting them again
# # In the env of Apps we build, the .apps are symlinks. We pass all of them as
# # arguments to cp and make it dereference those using -H
# '';
# };
}; };
} }

22
hosts/daedalus/finicky.js
View file

@ -1,22 +0,0 @@
module.exports = {
defaultBrowser: "/Applications/Arc.app",
handlers: [
{
match: /^https?:\/\/gitlab\.com\/.*$/,
browser: "Vivaldi.app"
},
{
match: /^https?:\/\/.*\.atlassian\.com\/.*$/,
browser: "Vivaldi.app"
},
{
match: 'localhost:44422',
browser: "Vivaldi.app"
},
{
match: 'localhost:7104',
browser: "Vivaldi.app"
}
]
}

64
hosts/daedalusvm/default.nix
View file

@ -1,64 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, inputs, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Don't Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Immutable users due to tmpfs
users.mutableUsers = false;
users.users."nzbr" = {
extraGroups = [ "wheel" ];
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkFgHr6OMwsnGhdG4TwKdthlJC/B9ELqZfrmJ9Sf7qk"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkNP8Lo20fw3Ysq3B64Iep9WyVKWxdv5KJOZRLmAaaM"
];
};
services.openssh.forwardX11 = true;
services.rpcbind.enable = true;
boot.supportedFilesystems = [ "nfs" "nfs4" ];
environment.systemPackages = [ pkgs.nfs-utils pkgs.virt-manager pkgs.firefox pkgs.kitty inputs.nixpkgs.legacyPackages.x86_64-linux.hello ];
services.tailscale.enable = true;
nix.settings.extra-platforms = [ "x86_64-linux" ];
nix.settings.extra-sandbox-paths = [ "/tmp/rosetta" "/run/binfmt" ];
boot.binfmt.registrations."rosetta" = {
interpreter = "/tmp/rosetta/rosetta";
fixBinary = true;
wrapInterpreterInShell = false;
matchCredentials = true;
magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00'';
mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
};
services.qemuGuest.enable = true;
services.xserver.desktopManager.xfce.enable = true;
services.xserver.desktopManager.xfce.enableScreensaver = false;
services.xserver.enable = true;
services.spice-vdagentd.enable = true;
programs.gnome-terminal.enable = true;
services.gvfs.enable = true;
ragon = {
cli.enable = true;
user.enable = true;
system.security.enable = false;
services = {
docker.enable = true;
ssh.enable = true;
};
};
}

41
hosts/daedalusvm/hardware-configuration.nix
View file

@ -1,41 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
fileSystems."/tmp/rosetta" = {
device = "rosetta";
fsType = "virtiofs";
};
imports = [ ];
boot.initrd.availableKernelModules = [ "virtio_pci" "xhci_pci" "usb_storage" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/cd9a98fe-0ba3-401d-a2e0-4332faf279dd";
fsType = "btrfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/7A8E-EF98";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/f322c2e1-2aec-4a21-bf76-f01022d07f10"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

42
hosts/ds9/backup.nix Normal file
View file

@ -0,0 +1,42 @@
{ pkgs, lib, ... }: {
ragon.agenix.secrets."ds9OffsiteBackupSSH" = { };
ragon.agenix.secrets."ds9SyncoidHealthCheckUrl" = { };
ragon.agenix.secrets."gatebridgeHostKeys" = { };
ragon.agenix.secrets."borgmaticEncryptionKey" = { };
# Backup Target
users.users.picardbackup = {
createHome = false;
group = "users";
uid = 993;
home = "/backups/picard";
shell = "/run/current-system/sw/bin/bash";
isSystemUser = true;
openssh.authorizedKeys.keys = [
''command="${pkgs.borgbackup}/bin/borg serve --restrict-to-path /backups/picard/",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0''
];
};
services.borgmatic = {
enable = true;
configurations."ds9-offsite" = {
source_directories = [ "/backups" "/data" "/persistent" ];
repositories = [{ label = "gatebridge"; path = "ssh://root@gatebridge/media/backup/ds9"; }];
exclude_if_present = [ ".nobackup" ];
#upload_rate_limit = "4000";
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.borgmaticEncryptionKey.path}";
compression = "auto,zstd,10";
ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.ds9OffsiteBackupSSH.path}";
before_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/start" ];
after_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})" ];
on_error = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/fail" ];
retention = {
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 12;
keep_yearly = 10;
};
};
};
}

47
hosts/ds9/custom-caddy.nix Normal file
View file

@ -0,0 +1,47 @@
{ pkgs, ... }:
with pkgs;
caddy.override {
buildGoModule = args: buildGoModule (args // {
src = stdenv.mkDerivation rec {
pname = "caddy-using-xcaddy-${xcaddy.version}";
inherit (caddy) version;
dontUnpack = true;
dontFixup = true;
nativeBuildInputs = [
cacert
go
];
plugins = [
"github.com/caddy-dns/ionos@751e8e24162290ee74bea465ae733a2bf49551a6"
];
configurePhase = ''
export GOCACHE=$TMPDIR/go-cache
export GOPATH="$TMPDIR/go"
export XCADDY_SKIP_BUILD=1
'';
buildPhase = ''
${xcaddy}/bin/xcaddy build "${caddy.src.rev}" ${lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins}
cd buildenv*
go mod vendor
'';
installPhase = ''
cp -r --reflink=auto . $out
'';
outputHash = "sha256-QsGrtpBJ9b2Nn3i5mUHYA60481ceTJDeCRl0qL6OWlE=";
outputHashMode = "recursive";
};
subPackages = [ "." ];
ldflags = [ "-s" "-w" ]; ## don't include version info twice
vendorHash = null;
});
}

246
hosts/ds9/default.nix
View file

@ -1,16 +1,29 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, inputs, pkgs, lib, ... }: { config, inputs, pkgs, lib, ... }:
let let
pubkeys = import ../../data/pubkeys.nix; pubkeys = import ../../data/pubkeys.nix;
caddy-with-plugins = import ./custom-caddy.nix { inherit pkgs; };
in in
{ {
imports = imports =
[ [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./backup.nix
./plex.nix
./hardware-configuration.nix ./hardware-configuration.nix
../../nixos-modules/networking/tailscale.nix
../../nixos-modules/services/docker.nix
../../nixos-modules/services/libvirt.nix
../../nixos-modules/services/msmtp.nix
../../nixos-modules/services/paperless.nix
../../nixos-modules/services/photoprism.nix
../../nixos-modules/services/samba.nix
../../nixos-modules/services/ssh.nix
../../nixos-modules/system/agenix.nix
../../nixos-modules/system/fs.nix
../../nixos-modules/system/persist.nix
../../nixos-modules/system/security.nix
../../nixos-modules/user
]; ];
# Don't Use the systemd-boot EFI boot loader. # Don't Use the systemd-boot EFI boot loader.
@ -25,84 +38,13 @@ in
services.syncthing.enable = true; services.syncthing.enable = true;
services.syncthing.user = "ragon"; services.syncthing.user = "ragon";
ragon.agenix.secrets."ds9OffsiteBackupSSH" = { };
ragon.agenix.secrets."ds9SyncoidHealthCheckUrl" = { };
ragon.agenix.secrets."gatebridgeHostKeys" = { };
ragon.agenix.secrets."borgmaticEncryptionKey" = { };
# services.syncoid =
# let
# datasets = {
# backups = "rpool/content/local/backups";
# data = "rpool/content/safe/data";
# ds9persist2 = "spool/safe/persist";
# hassosvm2 = "spool/safe/vms/hassos";
# };
# in
# lib.mkMerge (
# [{
# localSourceAllow = [
# "hold"
# "send"
# "snapshot"
# "destroy"
# "mount"
# ];
# enable = true;
# interval = "*-*-* 2:15:00";
# commonArgs = [ "--sshoption" "GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path}" ];
# sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}";
# }] ++
# (builtins.attrValues
# (builtins.mapAttrs (n: v: { commands.${n} = { target = "root@gatebridge:backup/${n}"; source = v; sendOptions = "w"; }; }) (datasets))
# )
# );
# systemd.services."syncoid-ds9persist2" = {
# # ExecStartPost commands are only run if the ExecStart command succeeded
# # serviceConfig.ExecStartPost = pkgs.writeShellScript "backupSuccessful" ''
# # ${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})
# # '';
# unitConfig.OnFailure = "backupFailure.service";
# };
# systemd.services.backupFailure = {
# enable = true;
# script = "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/fail";
# };
services.borgmatic = {
enable = true;
configurations."ds9-offsite" = {
source_directories = [ "/backups" "/data" "/persistent" ];
repositories = [{ label = "gatebridge"; path = "ssh://root@gatebridge/media/backup/ds9"; }];
exclude_if_present = [ ".nobackup" ];
#upload_rate_limit = "4000";
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.borgmaticEncryptionKey.path}";
compression = "auto,zstd,10";
ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.ds9OffsiteBackupSSH.path}";
before_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/start" ];
after_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})" ];
on_error = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/fail" ];
# postgresql_databases = [{ name = "all"; pg_dump_command = "${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dumpall"; pg_restore_command = "${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_restore"; }];
retention = {
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 12;
keep_yearly = 10;
};
};
};
programs.mosh.enable = true; programs.mosh.enable = true;
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
networking.useDHCP = true; networking.useDHCP = true;
networking.bridges."br0".interfaces = [ ]; networking.bridges."br0".interfaces = [ ];
networking.hostId = "7b4c2932"; networking.hostId = "7b4c2932";
networking.firewall.allowedTCPPorts = [ 9000 25565 ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
services.nginx.defaultListenAddresses = [ "100.83.96.25" ];
services.nginx.clientMaxBodySize = lib.mkForce "8g";
services.nginx.virtualHosts."_".
listenAddresses = [ "0.0.0.0" "[::0]" ];
boot.initrd.network = { boot.initrd.network = {
enable = true; enable = true;
postCommands = '' postCommands = ''
@ -124,25 +66,6 @@ in
}; };
boot.kernel.sysctl."fs.inotify.max_user_instances" = 512; boot.kernel.sysctl."fs.inotify.max_user_instances" = 512;
services.openssh.sftpServerExecutable = "internal-sftp";
# Backup Target
users.users.picardbackup = {
createHome = false;
group = "users";
uid = 993;
home = "/backups/picard";
shell = "/run/current-system/sw/bin/bash";
isSystemUser = true;
openssh.authorizedKeys.keys = [
''command="${pkgs.borgbackup}/bin/borg serve --restrict-to-path /backups/picard/",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0''
];
};
# Enable Scanning
hardware.sane.enable = true;
hardware.sane.extraBackends = [ pkgs.sane-airscan ];
services.avahi.enable = true; services.avahi.enable = true;
services.avahi.nssmdns = true; services.avahi.nssmdns = true;
services.avahi.publish.enable = true; services.avahi.publish.enable = true;
@ -169,70 +92,6 @@ in
</service> </service>
</service-group> </service-group>
''; '';
# Webhook service to trigger scanning the ADF from HomeAssistant
#systemd.services.scanhook = {
# description = "webhook go server to trigger scanning";
# documentation = [ "https://github.com/adnanh/webhook" ];
# wantedBy = [ "multi-user.target" ];
# path = with pkgs; [ bash ];
# serviceConfig = {
# TemporaryFileSystem = "/:ro";
# BindReadOnlyPaths = [
# "/nix/store"
# "-/etc/resolv.conf"
# "-/etc/nsswitch.conf"
# "-/etc/hosts"
# "-/etc/localtime"
# ];
# BindPaths = [
# "/data/applications/paperless-consumption"
# ];
# LockPersonality = true;
# NoNewPrivileges = true;
# PrivateMounts = true;
# PrivateTmp = true;
# PrivateUsers = true;
# ProcSubset = "pid";
# ProtectHome = true;
# ProtectControlGroups = true;
# ProtectKernelLogs = true;
# ProtectKernelModules = true;
# ProtectKernelTunables = true;
# ProtectProc = "invisible";
# RestrictNamespaces = true;
# RestrictRealtime = true;
# RestrictSUIDSGID = true;
# DynamicUser = true;
# ExecStart =
# let
# scanScript = pkgs.writeScript "plscan.sh" ''
# #!/usr/bin/env bash
# export PATH=${lib.makeBinPath [ pkgs.strace pkgs.gnugrep pkgs.coreutils pkgs.sane-backends pkgs.sane-airscan pkgs.imagemagick ]}
# export LD_LIBRARY_PATH=${config.environment.sessionVariables.LD_LIBRARY_PATH} # Adds SANE Libraries to the ld library path of this script
# set -x
# date="''$(date --iso-8601=seconds)"
# filename="Scan ''$date.pdf"
# tmpdir="''$(mktemp -d)"
# pushd "''$tmpdir"
# scanimage --batch=out%d.jpg --format=jpeg --mode Gray -d "airscan:e0:Canon MB5100 series" --source "ADF Duplex" --resolution 300
# for i in $(ls out*.jpg | grep 'out.*[24680]\.jpg'); do convert $i -rotate 180 $i; done # rotate even stuff
# convert out*.jpg /data/applications/paperless-consumption/"''$filename"
# chmod 666 /data/applications/paperless-consumption/"''$filename"
# popd
# rm -r "''$tmpdir"
# '';
# hooksFile = pkgs.writeText "webhook.json" (builtins.toJSON [
# {
# id = "scan-webhook";
# execute-command = "${scanScript}";
# }
# ]);
# in
# "${pkgs.webhook}/bin/webhook -hooks ${hooksFile} -verbose";
# };
#};
networking.firewall.allowedTCPPorts = [ 9000 25565 ];
# Immutable users due to tmpfs # Immutable users due to tmpfs
users.mutableUsers = false; users.mutableUsers = false;
@ -272,7 +131,7 @@ in
services.smartd = { services.smartd = {
enable = true; enable = true;
extraOptions = [ "--interval=7200" ]; extraOptions = [ "--interval=7200" ];
#notifications.test = true; notifications.test = true;
}; };
nixpkgs.overlays = [ nixpkgs.overlays = [
(self: super: { (self: super: {
@ -286,54 +145,54 @@ in
ZED_EMAIL_OPTS = "@ADDRESS@"; ZED_EMAIL_OPTS = "@ADDRESS@";
ZED_NOTIFY_INTERVAL_SECS = 7200; ZED_NOTIFY_INTERVAL_SECS = 7200;
#ZED_NOTIFY_VERBOSE = true; ZED_NOTIFY_VERBOSE = true;
ZED_USE_ENCLOSURE_LEDS = false; ZED_USE_ENCLOSURE_LEDS = false;
ZED_SCRUB_AFTER_RESILVER = true; ZED_SCRUB_AFTER_RESILVER = true;
}; };
services.plex = { systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.ionos.path;
services.caddy = {
enable = true; enable = true;
openFirewall = true; package = caddy-with-plugins;
user = "ragon"; globalConfig = ''
group = "users"; acme_dns ionos {
api_token "{$IONOS_API_KEY}"
}
'';
virtualHosts."*.hailsatan.eu".extraConfig = ''
@paperless host paperless.hailsatan.eu
handle @paperless {
reverse_proxy ${config.ragon.services.paperless.location}
}
@photos host photos.hailsatan.eu
handle @photos {
reverse_proxy ${config.ragon.services.photoprism.location}
}
@bzzt-api host bzzt-api.hailsatan.eu
handle @bzzt-api {
reverse_proxy http://127.0.0.1:5001
}
@bzzt-lcg host bzzt-lcg.hailsatan.eu
handle @bzzt-lcg {
reverse_proxy http://127.0.0.1:5003
}
@bzzt host bzzt.hailsatan.eu
handle @bzzt {
reverse_proxy http://127.0.0.1:5002
}
'';
}; };
services.nginx.virtualHosts."bzzt-api.hailsatan.eu" = {
useACMEHost = "hailsatan.eu";
listenAddresses = [ "10.0.0.2" "100.83.96.25" ];
addSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:5001";
"/".proxyWebsockets = true;
};
};
services.nginx.virtualHosts."bzzt-lcg.hailsatan.eu" = {
useACMEHost = "hailsatan.eu";
addSSL = true;
listenAddresses = [ "10.0.0.2" "100.83.96.25" ];
locations = {
"/".proxyPass = "http://127.0.0.1:5003";
"/".proxyWebsockets = true;
};
};
services.nginx.virtualHosts."bzzt.hailsatan.eu" = {
useACMEHost = "hailsatan.eu";
forceSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:5002";
"/".proxyWebsockets = true;
};
};
virtualisation.docker.enable = true;
ragon = { ragon = {
agenix.secrets."ionos" = { };
cli.enable = true; cli.enable = true;
user.enable = true; user.enable = true;
persist.enable = true; persist.enable = true;
persist.extraDirectories = [ "/var/lib/syncthing" config.services.plex.dataDir "/var/lib/minecraft" "/var/lib/bzzt" ]; persist.extraDirectories = [ "/var/lib/syncthing" config.services.plex.dataDir "/var/lib/minecraft" "/var/lib/bzzt" ];
services = { services = {
docker.enable = true;
samba.enable = true; samba.enable = true;
samba.shares = { samba.shares = {
TimeMachine = { TimeMachine = {
@ -356,7 +215,6 @@ in
}; };
docker.enable = true; docker.enable = true;
ssh.enable = true; ssh.enable = true;
nginx.enable = true;
msmtp.enable = true; msmtp.enable = true;
photoprism.enable = true; photoprism.enable = true;
tailscale.enable = true; tailscale.enable = true;

9
hosts/ds9/plex.nix Normal file
View file

@ -0,0 +1,9 @@
{ config, pkgs, lib, inputs, ... }: {
ragon.persist.extraDirectories = [ config.services.plex.dataDir ];
services.plex = {
enable = true;
openFirewall = true;
user = "ragon";
group = "users";
};
}

41
hosts/icarus/default.nix
View file

@ -1,41 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
documentation.enable = false;
documentation.nixos.enable = false;
documentation.man.enable = false;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
security.polkit.enable = true; # needed for libvirtd
services.glusterfs.enable = true;
environment.systemPackages = [ pkgs.python3 ];
virtualisation.libvirtd = {
enable = true;
qemu.swtpm.enable = true;
};
# Immutable users due to tmpfs
users.mutableUsers = false;
programs.mosh.enable = true;
ragon = {
services = {
ssh.enable = true;
};
};
}

43
hosts/icarus/hardware-configuration.nix
View file

@ -1,43 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/1687e097-8b1f-45bb-9b6c-1ccea8ba05e5";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/B52A-633F";
fsType = "vfat";
};
fileSystems."/gluster" =
{
device = "/dev/disk/by-uuid/09b6577c-af50-4fab-abe5-9d89fb85cad7";
fsType = "xfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/e71527bd-1461-46cd-88aa-a168c429d44b"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
#networking.useDHCP = lib.mkDefault true;
networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

60
hosts/octopi/default.nix
View file

@ -1,60 +0,0 @@
{ config, inputs, pkgs, lib, ... }:
{
imports = [
"${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
"${inputs.nixos-hardware}/raspberry-pi/4/default.nix"
];
nixpkgs.overlays = [
(final: super: {
makeModulesClosure = x:
super.makeModulesClosure (x // { allowMissing = true; });
})
];
boot.loader.systemd-boot.enable = false;
boot.kernelPackages = pkgs.linuxPackages_rpi4;
# networking.usePredictableInterfaceNames = false;
documentation.enable = false;
documentation.nixos.enable = false;
nix = {
autoOptimiseStore = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
# Free up to 1GiB whenever there is less than 100MiB left.
extraOptions = ''
min-free = ${toString (100 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024)}
'';
};
powerManagement.cpuFreqGovernor = "ondemand";
# Assuming this is installed on top of the disk image.
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = [ "noatime" ];
};
};
ragon.services.ssh.enable = true;
ragon.services.tailscale.enable = true;
networking.useDHCP = true;
services.mjpg-streamer.enable = true;
services.mjpg-streamer.inputPlugin = "input_uvc.so -d /dev/video0 -r 1280x720 -f 15 -u";
services.octoprint = {
enable = true;
plugins = plugins: with plugins; [ telegram ];
};
security.sudo.wheelNeedsPassword = false;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkFgHr6OMwsnGhdG4TwKdthlJC/B9ELqZfrmJ9Sf7qk"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8RjUQ6DDDDgsVbqq+6zz1q6cBkus/BLUGa9JoWsqB4"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkNP8Lo20fw3Ysq3B64Iep9WyVKWxdv5KJOZRLmAaaM"
];
networking.firewall.allowedTCPPorts = [ 5000 5050 ];
}

35
hosts/picard/calcom.nix
View file

@ -1,35 +0,0 @@
{ config, pkgs, lib, ... }:
{
users.users.calcom = {
group = "calcom";
shell = "${pkgs.bash}/bin/bash";
uid = 592;
};
users.groups.calcom = {
gid = config.users.users.calcom.uid;
};
virtualisation.oci-containers.containers."calcom" = {
image = "calcom/cal.com:latest";
ports = [ "127.0.0.1:3469:3000" ];
user = "${toString config.users.users.calcom.uid}:${toString config.users.groups.calcom.gid}";
volumes = [
"/run/postgresql:/run/postgresql"
];
environmentFiles = [ config.age.secrets.picardCalCom.path ];
environment = {
DATABASE_URL = "postgresql://calcom:calcom@/run/postgresql";
NEXT_PUBLIC_WEBAPP_URL = "https://cal.xyno.systems";
CALCOM_TELEMETRY_DISABLED = 1;
};
};
services.postgresql = {
ensureDatabases = [ "calcom" ];
ensureUsers = [
{
name = "calcom";
ensureDBOwnership = true;
}
];
};
}

45
nixos-modules/cli/default.nix
View file

@ -13,50 +13,5 @@ in
# root shell # root shell
users.extraUsers.root.shell = pkgs.zsh; users.extraUsers.root.shell = pkgs.zsh;
environment.shellAliases = {
v = "nvim";
vim = "nvim";
gpl = "git pull";
gp = "git push";
lg = "lazygit";
gc = "git commit -v";
kb = "git commit -m \"\$(curl -s http://whatthecommit.com/index.txt)\"";
gs = "git status -v";
gfc = "git fetch && git checkout";
gl = "git log --graph";
l = "eza -la --git";
la = "eza -la --git";
ls = "eza";
ll = "eza -l --git";
cat = "bat";
};
environment.variables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
environment.systemPackages = with pkgs; [
nnn
bat
htop
eza
curl
fd
file
fzf
git
neofetch
tmux
ripgrep
pv
direnv # needed for lorri
unzip
tmux
aria2
yt-dlp
neovim
];
}; };
} }

53
nixos-modules/cli/zsh/zsh.nix
View file

@ -1,53 +0,0 @@
{ inputs, config, lib, pkgs, ... }:
let
cfg = config.ragon.cli;
in
{
config = lib.mkIf cfg.enable {
ragon.user.persistent = {
extraDirectories = [
".config/zsh"
];
};
programs.zsh = {
enable = true;
histSize = 10000;
histFile = "$HOME/.config/zsh/history";
# autosuggestions.enable = true;
enableCompletion = true;
setOptions = [
"HIST_IGNORE_DUPS"
"SHARE_HISTORY"
"HIST_FCNTL_LOCK"
"AUTO_CD"
"AUTO_MENU"
];
# interactiveShellInit broke agkozak-zsh-prompt for some reaaaaaaaason
promptInit =
let
zshrc = builtins.readFile ./zshrc;
sources = [
"${inputs.agkozak-zsh-prompt}/agkozak-zsh-prompt.plugin.zsh"
"${pkgs.oh-my-zsh}/share/oh-my-zsh/plugins/git/git.plugin.zsh"
"${pkgs.oh-my-zsh}/share/oh-my-zsh/plugins/globalias/globalias.plugin.zsh"
"${inputs.zsh-vim-mode}/zsh-vim-mode.plugin.zsh"
"${inputs.zsh-syntax-highlighting}/zsh-syntax-highlighting.plugin.zsh"
"${inputs.zsh-completions}/zsh-completions.plugin.zsh"
];
source = map (x: "source " + x) sources;
plugins = builtins.concatStringsSep "\n" (source);
in
''
${zshrc}
${plugins}
'';
};
};
}

20
nixos-modules/hardware/bluetooth.nix
View file

@ -1,20 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.hardware.bluetooth;
in
{
options.ragon.hardware.bluetooth.enable = lib.mkEnableOption "Enables bluetooth stuff (tlp,...)";
config = lib.mkIf cfg.enable {
hardware.bluetooth.enable = true;
services.blueman.enable = true;
hardware.pulseaudio = {
extraModules = [ pkgs.pulseaudio-modules-bt ];
package = pkgs.pulseaudioFull;
};
ragon.persist.extraDirectories = [
"/var/lib/bluetooth"
];
};
}

53
nixos-modules/hardware/hifiberry-dac.nix
View file

@ -1,53 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.hardware.hifiberry-dac;
in
{
options.ragon.hardware.hifiberry-dac.enable = lib.mkEnableOption "Enables hifiberry dac";
config = lib.mkIf cfg.enable {
hardware.deviceTree = {
overlays = [
# Equivalent to: https://github.com/raspberrypi/linux/blob/rpi-5.10.y/arch/arm/boot/dts/overlays/hifiberry-dac-overlay.dts
{
name = "hifiberry-dac-overlay";
dtsText = ''
// Definitions for HiFiBerry DAC
/dts-v1/;
/plugin/;
/ {
compatible = "brcm,bcm2835";
fragment@0 {
target = <&i2s>;
__overlay__ {
status = "okay";
};
};
fragment@1 {
target-path = "/";
__overlay__ {
pcm5102a-codec {
#sound-dai-cells = <0>;
compatible = "ti,pcm5102a";
status = "okay";
};
};
};
fragment@2 {
target = <&sound>;
__overlay__ {
compatible = "hifiberry,hifiberry-dac";
i2s-controller = <&i2s>;
status = "okay";
};
};
};
'';
}
];
};
};
}

22
nixos-modules/hardware/laptop.nix
View file

@ -1,22 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.hardware.laptop;
in
{
options.ragon.hardware.laptop.enable = lib.mkEnableOption "Enables laptop stuff (tlp,...)";
config = lib.mkIf cfg.enable {
services.tlp = {
enable = true;
settings = {
CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_ENERGY_PERF_POLICY_ON_BAT = "poversave";
};
};
services.xserver.libinput = {
enable = true;
};
hardware.acpilight.enable = true;
services.thermald.enable = true;
ragon.hardware.bluetooth.enable = true; # laptops normally have BT
};
}

12
nixos-modules/hardware/nvidia.nix
View file

@ -1,12 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.hardware.nvidia;
in
{
options.ragon.hardware.nvidia.enable = lib.mkEnableOption "Enables nvidia stuff (why didnt i buy amd?)";
config = lib.mkIf cfg.enable {
# nivea
services.xserver.videoDrivers = [ "nvidia" ];
};
}

60
nixos-modules/services/ddns.nix
View file

@ -1,60 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.services.ddns;
domain = config.ragon.services.nginx.domain;
dataDir = "/var/lib/inadyn";
cacheDir = "/var/cache/inadyn";
in
{
options.ragon.services.ddns.enable = mkEnableOption "Enables CloudFlare DDNS to the domain specified in ragon.services.nginx.domain and all subdomains";
options.ragon.services.ddns.ipv4 = mkBoolOpt true;
options.ragon.services.ddns.ipv6 = mkBoolOpt true;
config = mkIf cfg.enable {
systemd.services.inadyn = {
description = "inadyn DDNS Client";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = rec {
Type = "simple";
ExecStart =
pkgs.writeScript "run-inadyn.sh" ''
#!${pkgs.bash}/bin/bash
export PATH=$PATH:${pkgs.bash}/bin/bash # idk if that helps
source ${config.age.secrets.cloudflareAcme.path}
cat >/run/${RuntimeDirectory}/inadyn.cfg <<EOF
period = 180
user-agent = Mozilla/5.0
allow-ipv6 = true
${optionalString cfg.ipv4 ''
# ipv4
provider cloudflare.com:1 {
checkip-server = ipv4.icanhazip.com
username = ${domain}
password = $CLOUDFLARE_DNS_API_TOKEN
hostname = ${domain}
}
''}
${optionalString cfg.ipv6 ''
# ipv6
provider cloudflare.com:2 {
checkip-server = ipv6.icanhazip.com
username = ${domain}
password = $CLOUDFLARE_DNS_API_TOKEN
hostname = ${domain}
}
''}
EOF
exec ${pkgs.inadyn}/bin/inadyn -n --cache-dir=${cacheDir} -f /run/${RuntimeDirectory}/inadyn.cfg
'';
RuntimeDirectory = StateDirectory;
StateDirectory = builtins.baseNameOf dataDir;
};
};
systemd.tmpfiles.rules = [
"d ${cacheDir} 1777 root root 10m"
];
ragon.agenix.secrets.cloudflareAcme = { };
};
}

49
nixos-modules/services/gitlab.nix
View file

@ -1,49 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.services.gitlab;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.gitlab.enable = mkEnableOption "Enables gitlab";
options.ragon.services.gitlab.domainPrefix =
mkOption {
type = lib.types.str;
default = "gitlab";
};
config = lib.mkIf cfg.enable {
services.gitlab = {
enable = true;
https = true;
initialRootPasswordFile = "${config.age.secrets.gitlabInitialRootPassword.path}";
port = 443;
host = "${cfg.domainPrefix}.${domain}";
secrets = {
dbFile = "${config.age.secrets.gitlabDBFile.path}";
jwsFile = "${config.age.secrets.gitlabJWSFile.path}";
otpFile = "${config.age.secrets.gitlabOTPFile.path}";
secretFile = "${config.age.secrets.gitlabSecretFile.path}";
};
};
ragon.agenix.secrets = foldl (a: b: a // b) { } (map (a: { ${a} = { owner = "gitlab"; }; }) [
"gitlabDBFile"
"gitlabInitialRootPassword"
"gitlabJWSFile"
"gitlabOTPFile"
"gitlabSecretFile"
]);
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
locations."/".extraConfig = "client_max_body_size 4G;";
};
ragon.persist.extraDirectories = [
"${config.services.postgresql.dataDir}"
"${config.services.gitlab.statePath}"
];
};
}

32
nixos-modules/services/grafana.nix
View file

@ -1,32 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.grafana;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.grafana.enable = lib.mkEnableOption "Enables grafana";
options.ragon.services.grafana.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "grafana";
};
config = lib.mkIf cfg.enable {
services.grafana = {
enable = true;
settings.server.domain = "${cfg.domainPrefix}.${domain}";
settings.server.root_url = "https://${cfg.domainPrefix}.${domain}/";
};
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
addSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
"/".proxyWebsockets = true;
};
};
ragon.persist.extraDirectories = [
"${config.services.grafana.dataDir}"
];
};
}

68
nixos-modules/services/jellyfin.nix
View file

@ -1,68 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.jellyfin;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.jellyfin.enable = lib.mkEnableOption "Enables jellyfin";
options.ragon.services.jellyfin.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "j";
};
config = lib.mkIf cfg.enable {
services.jellyfin.enable = true;
services.jellyfin.openFirewall = true;
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
addSSL = true;
locations = {
"= /".extraConfig = "return 302 https://$host/web/;";
"/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
'';
};
"= /web/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
"/socket" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
};
};
ragon.persist.extraDirectories = [
"/var/cache/jellyfin"
"/var/lib/jellyfin"
];
};
}

168
nixos-modules/services/monitoring.nix
View file

@ -1,168 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = importTOML ../../data/monitoring.toml;
hostName = config.networking.hostName;
getHost = (y:
if (y == hostName)
then "127.0.0.1"
else
(
if (builtins.elem y (builtins.attrNames cfg.hostOverrides))
then cfg.hostOverrides.${y}
else y
)
);
in
{
config = mkMerge ([
(mkIf (cfg.master.hostname == hostName) {
services.loki.enable = true;
services.loki.configFile = pkgs.writeText "loki.yml" ''
ingester:
chunk_target_size: 5242880
auth_enabled: false
server:
http_listen_port: 3100
grpc_listen_port: 9096
common:
ring:
instance_addr: 127.0.0.1
kvstore:
store: inmemory
replication_factor: 1
path_prefix: /tmp/loki
schema_config:
configs:
- from: 2020-05-15
store: boltdb-shipper
object_store: filesystem
schema: v11
index:
prefix: index_
period: 24h
ruler:
alertmanager_url: http://localhost:9093
analytics:
reporting_enabled: false
'';
services.prometheus = {
# alertmanager.enable = true;
enable = true;
scrapeConfigs = foldl (a: b: a ++ b) [ ] (map
(x: (map
(y: {
job_name = "${x}_${y}";
static_configs = [
{
targets = [
''${getHost y}:${toString config.services.prometheus.exporters.${x}.port}''
];
}
];
})
cfg.exporters.${x}.hosts))
(builtins.attrNames cfg.exporters));
};
ragon.persist.extraDirectories = [
"/var/lib/${config.services.prometheus.stateDir}"
"${config.services.loki.dataDir}"
];
})
{
# some global settings
services.prometheus.exporters.node.enabledCollectors = [ "systemd" ];
services.prometheus.exporters.smokeping.hosts = [ "1.1.1.1" ];
}
(mkIf (builtins.elem hostName cfg.promtail.hosts) {
systemd.services.promtail.serviceConfig.SupplementaryGroups = lib.optional config.services.nginx.enable [ "nginx" ];
systemd.services.promtail.serviceConfig.ReadWritePaths = [ "/var/log/nginx" ];
services.promtail = {
enable = true;
configuration = {
server.http_listen_port = 28183;
positions.filename = "/tmp/positions.yaml";
clients = [{ url = "http://${cfg.master.ip}:3100/loki/api/v1/push"; }];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = hostName;
};
};
relabel_configs = [{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}];
}
] ++ lib.optionals false [
{
job_name = "nginx";
static_configs = [
{
targets = [ "localhost" ];
labels = {
job = "nginx";
__path__ = "/var/log/nginx/access.log";
host = hostName;
};
}
];
pipeline_stages = [
{
regex = {
expression = ''(?P<remote_addr>.+) - - \[(?P<time_local>.+)\] "(?P<method>.+) (?P<url>.+) (HTTP\/(?P<version>\d.\d))" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) (["](?P<http_referer>(\-)|(.+))["]) (["](?P<http_user_agent>.+)["])'';
};
}
{
labels = {
remote_addr = null;
time_local = null;
method = null;
url = null;
status = null;
body_bytes_sent = null;
http_referer = null;
http_user_agent = null;
};
}
{
timestamp = {
source = "time_local";
format = "02/Jan/2006:15:04:05 -0700";
};
}
{
drop = {
source = "url";
expression = ''/(_matrix|.well-known|notifications|api|identity).*'';
};
}
];
}
];
};
};
})
] ++
(map
(x: {
services.prometheus.exporters.${x} = {
enable = (builtins.elem hostName cfg.exporters.${x}.hosts);
#openFirewall = (hostName != cfg.master.hostname);
#firewallFilter = if (hostName != cfg.master.hostname) then "-p tcp -s ${cfg.master.ip} -m tcp --dport ${toString config.services.prometheus.exporters.${x}.port}" else null;
};
})
(builtins.attrNames cfg.exporters))
);
}

56
nixos-modules/services/nginx.nix
View file

@ -1,56 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.nginx;
in
{
options.ragon.services.nginx.enable = lib.mkEnableOption "Enables nginx";
options.ragon.services.nginx.domain =
lib.mkOption {
type = lib.types.str;
default = "hailsatan.eu";
};
options.ragon.services.nginx.domains =
lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
clientMaxBodySize = "500m";
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
security.acme.defaults.email = "nixosacme@phochkamp.de";
security.acme.acceptTerms = true;
security.acme.certs."${cfg.domain}" = {
dnsProvider = "ionos";
dnsResolver = "1.1.1.1:53";
group = "nginx";
extraDomainNames = [
"*.${cfg.domain}"
];
credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
};
services.nginx.virtualHosts."_" = {
useACMEHost = "${cfg.domain}";
addSSL = true;
locations = {
"/" = {
extraConfig = ''
return 404;
'';
};
};
};
ragon.agenix.secrets.cloudflareAcme = { group = "nginx"; mode = "0440"; };
ragon.persist.extraDirectories = [
"/var/lib/acme"
];
};
}

11
nixos-modules/services/paperless.nix
View file

@ -7,10 +7,10 @@ let
in in
{ {
options.ragon.services.paperless.enable = mkEnableOption "Enables paperless ng"; options.ragon.services.paperless.enable = mkEnableOption "Enables paperless ng";
options.ragon.services.paperless.domainPrefix = options.ragon.services.paperless.location =
lib.mkOption { lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "paperless"; default = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.paperless = { services.paperless = {
@ -25,13 +25,6 @@ in
}; };
}; };
ragon.agenix.secrets.paperlessAdminPW = { group = "${config.services.paperless.user}"; mode = "0440"; }; ragon.agenix.secrets.paperlessAdminPW = { group = "${config.services.paperless.user}"; mode = "0440"; };
services.nginx.clientMaxBodySize = "100m";
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
addSSL = true;
locations."/".proxyPass = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
locations."/".proxyWebsockets = true;
};
ragon.persist.extraDirectories = [ ragon.persist.extraDirectories = [
"${config.services.paperless.dataDir}" "${config.services.paperless.dataDir}"
]; ];

12
nixos-modules/services/photoprism.nix
View file

@ -7,10 +7,10 @@ let
in in
{ {
options.ragon.services.photoprism.enable = mkEnableOption "Enables the hedgedoc BitWarden Server"; options.ragon.services.photoprism.enable = mkEnableOption "Enables the hedgedoc BitWarden Server";
options.ragon.services.photoprism.domainPrefix = options.ragon.services.photoprism.location =
mkOption { lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "photos"; default = "http://127.0.0.1:${toString config.ragon.services.photoprism.port}";
}; };
options.ragon.services.photoprism.port = options.ragon.services.photoprism.port =
mkOption { mkOption {
@ -31,12 +31,6 @@ in
]; ];
}; };
ragon.agenix.secrets.photoprismEnv.owner = "root"; ragon.agenix.secrets.photoprismEnv.owner = "root";
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://127.0.0.1:${cfg.port}";
};
ragon.persist.extraDirectories = [ ragon.persist.extraDirectories = [
"/var/lib/photoprism" "/var/lib/photoprism"
]; ];

68
nixos-modules/services/tailscale-to-vpn.nix
View file

@ -1,68 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.ragon.tailscaleToVpn;
ovpnConfigPath = cfg.ovpnConfigPath;
stateVer = config.system.stateVersion;
in
{
options.ragon.tailscaleToVpn = {
enable = mkEnableOption "tailscale-to-vpn. you need to enable nat to ve-+ able to use this";
ovpnConfigPath = mkOption {
type = types.str;
default = "/etc/openvpn/client.conf";
description = "full path to the OpenVPN client configuration file, is expected to be in /run";
};
};
config = mkIf cfg.enable {
networking.bridges.br-ovpn-ts = {
interfaces = [ ];
};
containers.TSTVPN-openvpn = {
ephemeral = true;
enableTun = true;
interfaces = [ "br-ovpn-ts" ];
localAddress = "192.168.102.11";
hostAddress = "192.168.102.10";
config = { config, pkgs, ... }: {
system.stateVersion = stateVer;
networking.interfaces.br-ovpn-ts = {
ipv4.addresses = [ "192.168.101.1/24" ];
};
services.openvpn.servers.bridge = {
config = ''
config /host${ovpnConfigPath}
dev ovpn-bridge
dev-type tun
'';
};
networking.nat = {
externalInterface = "ovpn-bridge";
internalInterfaces = [ "br-ovpn-ts" ];
};
};
privateNetwork = true;
bindMounts = {
"/host/run" = { hostPath = "/run"; isReadOnly = true; };
"/run/agenix.d" = { hostPath = "/run/agenix.d"; isReadOnly = true; };
};
};
containers.TSTVPN-tailscale = {
enableTun = true;
hostBridge = "br-ovpn-ts";
localAddress = "192.168.101.2/24";
privateNetwork = true;
config = { config, pkgs, ... }: {
system.stateVersion = stateVer;
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
};
};
};
};
}

28
nixos-modules/services/unifi.nix
View file

@ -1,28 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.unifi;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.unifi.enable = lib.mkEnableOption "Enables the unifi console";
options.ragon.services.unifi.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "unifi";
};
config = lib.mkIf cfg.enable {
services.unifi = {
enable = true;
openFirewall = true;
};
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/".proxyPass = "https://127.0.0.1:8443";
locations."/".proxyWebsockets = true;
};
ragon.persist.extraDirectories = [
"/var/lib/unifi"
];
};
}

0
secrets/cloudflareAcme.age → secrets/ionos.age
View file

2
secrets/secrets.nix
View file

@ -2,7 +2,7 @@ let
pubkeys = import ../data/pubkeys.nix; pubkeys = import ../data/pubkeys.nix;
in in
{ {
"cloudflareAcme.age".publicKeys = pubkeys.ragon.server; "ionos.age".publicKeys = pubkeys.ragon.server;
"nextshot.age".publicKeys = pubkeys.ragon.client; "nextshot.age".publicKeys = pubkeys.ragon.client;
"pulseLaunch.age".publicKeys = pubkeys.ragon.client; "pulseLaunch.age".publicKeys = pubkeys.ragon.client;
"rootPasswd.age".publicKeys = pubkeys.ragon.computers; "rootPasswd.age".publicKeys = pubkeys.ragon.computers;