xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: xyno:28dc0896b9de3f943fd4127e49de47b0f43667c9
Branches Tags
xyno:main
..
compare: xyno:f7afa33a13d66aa1d9dec2c139d1551fbbd55167
Branches Tags
xyno:main

No commits in common. "28dc0896b9de3f943fd4127e49de47b0f43667c9" and "f7afa33a13d66aa1d9dec2c139d1551fbbd55167" have entirely different histories.
28dc0896b9 ... f7afa33a13

52 changed files with 678 additions and 2748 deletions
Download patch file Download diff file Expand all files Collapse all files

11
.helix/languages.toml
View file

@ -1,11 +1,6 @@
[language-server.nixd] [language-server.nil]
command = "nixd" command = "nil"
# args = ["--log=debug"]
[language-server.nixd.config.nixd]
nixpkgs = { expr = "import (builtins.getFlake (builtins.toString ./.)).inputs.nixpkgs { }" }
options = { nixos = { expr = "(builtins.getFlake (builtins.toString ./.)).colmenaHive.nodes.theseus.options" }}#, home-manager = { expr = "(builtins.getFlake (builtins.toString ./.)).colmenaHive.nodes.theseus.options.home-manager.users.type.getSubOptions []" } }
[[language]] [[language]]
name = "nix" name = "nix"
formatter = {command = "nixfmt"} formatter = {command = "nixfmt"}
language-servers = [ "nixd" ] language-servers = [ "nil" ]

1078
flake.lock generated
View file

File diff suppressed because it is too large Load diff

60
flake.nix
View file

@ -15,19 +15,12 @@
colmena.url = "github:zhaofengli/colmena/release-0.4.x"; colmena.url = "github:zhaofengli/colmena/release-0.4.x";
colmena.inputs.nixpkgs.follows = "nixpkgs"; colmena.inputs.nixpkgs.follows = "nixpkgs";
oldConf.url = "github:thexyno/nixos-config";
# software # software
rust-overlay = { # https://github.com/nix-community/lanzaboote/issues/485#issuecomment-3466684727
url = "github:oxalica/rust-overlay";
inputs.nixpkgs.follows = "nixpkgs";
};
lanzaboote = { lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2"; url = "github:nix-community/lanzaboote/v0.4.2";
# Optional but recommended to limit the size of your system closure. # Optional but recommended to limit the size of your system closure.
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
inputs.rust-overlay.follows = "rust-overlay";
}; };
zen-browser.url = "github:0xc000022070/zen-browser-flake"; zen-browser.url = "github:0xc000022070/zen-browser-flake";
@ -40,6 +33,10 @@
niri.inputs.nixpkgs.follows = "nixpkgs-master"; niri.inputs.nixpkgs.follows = "nixpkgs-master";
xwayland-satellite.url = "github:Supreeeme/xwayland-satellite"; xwayland-satellite.url = "github:Supreeeme/xwayland-satellite";
xwayland-satellite.inputs.nixpkgs.follows = "nixpkgs-master"; xwayland-satellite.inputs.nixpkgs.follows = "nixpkgs-master";
nheko.url = "github:Nheko-Reborn/nheko";
nheko.flake = false;
mtxclient.url = "github:Nheko-Reborn/mtxclient";
mtxclient.flake = false;
nix-ci.url = "git+https://git.xyno.systems/xyno/nix-ci"; nix-ci.url = "git+https://git.xyno.systems/xyno/nix-ci";
nix-ci.inputs.nixpkgs.follows = "nixpkgs"; nix-ci.inputs.nixpkgs.follows = "nixpkgs";
@ -52,23 +49,13 @@
helix.inputs.nixpkgs.follows = "nixpkgs-master"; helix.inputs.nixpkgs.follows = "nixpkgs-master";
# csharp-language-server.url = "github:sofusa/csharp-language-server"; # csharp-language-server.url = "github:sofusa/csharp-language-server";
# csharp-language-server.inputs.nixpkgs.follows = "nixpkgs-master"; # csharp-language-server.inputs.nixpkgs.follows = "nixpkgs-master";
# # authentik # authentik
# authentik.url = "github:nix-community/authentik-nix";
# authentik.inputs.nixpkgs.follows = "nixpkgs";
# terranix.url = "github:terranix/terranix";
# terranix.inputs.nixpkgs.follows = "nixpkgs";
# non flake inputs, maybe use npins in the future?
adw-colors.url = "github:lassekongo83/adw-colors";
adw-colors.flake = false;
nheko.url = "github:Nheko-Reborn/nheko";
nheko.flake = false;
mtxclient.url = "github:Nheko-Reborn/mtxclient";
mtxclient.flake = false;
authentik.url = "github:nix-community/authentik-nix";
authentik.inputs.nixpkgs.follows = "nixpkgs";
terranix.url = "github:terranix/terranix";
terranix.inputs.nixpkgs.follows = "nixpkgs";
}; };
@ -114,7 +101,7 @@
inputs.lanzaboote.nixosModules.lanzaboote inputs.lanzaboote.nixosModules.lanzaboote
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
# inputs.authentik.nixosModules.default inputs.authentik.nixosModules.default
inputs.nix-index-database.nixosModules.nix-index inputs.nix-index-database.nixosModules.nix-index
] ]
++ (import ./modules/module-list.nix); ++ (import ./modules/module-list.nix);
@ -126,19 +113,11 @@
importConfigs = importConfigs =
n: n:
map (x: { map (x: {
${x} = ${x} = {nodes, ...}: {
{ nodes, pkgs, ... }: networking.hostName = x;
{ imports = modules ++ [ (./instances/${x}) ];
nixpkgs.overlays = overlays; _module.args.otherNodes = lib.filterAttrs (n: v: n != x) nodes;
nix.package = pkgs.unstable.lixPackageSets.latest.lix; };
networking.hostName = x;
imports = modules ++ [ (./instances/${x}) ];
_module.args.otherNodes = lib.filterAttrs (n: v: n != x) nodes;
deployment.privilegeEscalationCommand = [
"run0"
"--unit=colmena-apply"
];
};
}) n; }) n;
in in
lib.foldl' lib.recursiveUpdate { } ( lib.foldl' lib.recursiveUpdate { } (
@ -151,9 +130,13 @@
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
nixpkgs = genPkgs "x86_64-linux"; nixpkgs = genPkgs "x86_64-linux";
}; };
deployment.privilegeEscalationCommand = [
"run0"
"--unit=colmena-apply"
];
} }
(importConfigs [ (importConfigs [
"nemesis" "ds9"
"picard" "picard"
"theseus" "theseus"
]) ])
@ -195,7 +178,6 @@
devShells.${system}.default = pkgs.mkShell { devShells.${system}.default = pkgs.mkShell {
packages = [ packages = [
pkgs.nixfmt-rfc-style pkgs.nixfmt-rfc-style
pkgs.nixd
pkgs.nil pkgs.nil
pkgs.sops pkgs.sops
(pkgs.runCommand "nix-config-bin" { } '' (pkgs.runCommand "nix-config-bin" { } ''
@ -205,7 +187,7 @@
pkgs.colmena pkgs.colmena
] ]
++ (lib.attrValues self.packages.${system}); ++ (lib.attrValues self.packages.${system});
SOPS_CONFIG = (pkgs.callPackage ./sops.nix { instanceConfigs = self.colmenaHive.nodes; }); SOPS_CONFIG = (pkgs.callPackage ./sops.nix { instanceConfigs = lib.xyno.getDirs ./instances; });
}; };

8
hm-modules/dark-theme.nix
View file

@ -23,10 +23,10 @@ in
gtk4.extraConfig.gtk-application-prefer-dark-theme = 1; gtk4.extraConfig.gtk-application-prefer-dark-theme = 1;
gtk3.extraConfig.gtk-application-prefer-dark-theme = 1; gtk3.extraConfig.gtk-application-prefer-dark-theme = 1;
}; };
# qt = { qt = {
# enable = true; enable = true;
# style.name = "breeze"; style.name = "breeze";
# }; };
}; };
} }

2
hm-modules/firefox.nix
View file

@ -362,7 +362,7 @@ in
"user-filters" = "user-filters" =
''marketplace.visualstudio.com##+js(rpnt, script, /"(DisableVSCodeDownloadButtonEnabled|Microsoft\\.VisualStudio\\.Services\\.Gallery\\.DisableVSCodeDownloadButton)":true/, "$1":false)''; ''marketplace.visualstudio.com##+js(rpnt, script, /"(DisableVSCodeDownloadButtonEnabled|Microsoft\\.VisualStudio\\.Services\\.Gallery\\.DisableVSCodeDownloadButton)":true/, "$1":false)'';
"hostnameSwitchesString" = "hostnameSwitchesString" =
"no-large-media: behind-the-scene false\nno-remote-fonts: * false\nno-csp-reports: * true"; "no-large-media: behind-the-scene false\nno-remote-fonts: * true\nno-csp-reports: * true";
}; };
}; };

5
hm-modules/git.nix
View file

@ -9,14 +9,13 @@ in
{ {
options.xyno.git.enable = lib.mkEnableOption "xynos git config"; options.xyno.git.enable = lib.mkEnableOption "xynos git config";
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
programs.difftastic.git.enable = true;
programs.difftastic.enable = true;
programs.git = { programs.git = {
enable = true; enable = true;
difftastic.enable = true;
lfs.enable = true; lfs.enable = true;
# Default configs # Default configs
settings = { extraConfig = {
commit.gpgSign = true; commit.gpgSign = true;
gpg.format = "ssh"; gpg.format = "ssh";

186
hm-modules/helix.nix
View file

@ -22,21 +22,20 @@ in
# nodePackages_latest.prettier # nodePackages_latest.prettier
dprint dprint
markdown-oxide markdown-oxide
# codebook codebook
## python ## python
# ruff-lsp # ruff-lsp
# nodePackages_latest.pyright # nodePackages_latest.pyright
# inputs.csharp-language-server.packages.${pkgs.system}.csharp-language-server # inputs.csharp-language-server.packages.${pkgs.system}.csharp-language-server
] ]
++ (optionals cfg.withLargeLSPs [ ++ (optionals cfg.withLargeLSPs [
netcoredbg
nodePackages_latest.typescript-language-server nodePackages_latest.typescript-language-server
nodePackages_latest.vscode-langservers-extracted nodePackages_latest.vscode-langservers-extracted
typescript typescript
# jsonnet-language-server # jsonnet-language-server
# jsonnet # jsonnet
lazygit lazygit
ltex-ls-plus # languagetool
tinymist # typst lsp
]); ]);
programs.helix = { programs.helix = {
@ -108,7 +107,8 @@ in
keys = { keys = {
normal = { normal = {
space."=" = ":fmt"; space."=" = ":fmt";
"C-g" = ":sh tmux popup -d \"#{pane_current_path}\" -xC -yC -w80%% -h80%% -E lazygit"; "C-g" =
":sh tmux popup -d \"#{pane_current_path}\" -xC -yC -w80%% -h80%% -E lazygit";
"C-t" = ":sh tmux split-window -v -l '35%%'"; "C-t" = ":sh tmux split-window -v -l '35%%'";
"C-h" = ":sh tmux select-pane -t '{left-of}'"; "C-h" = ":sh tmux select-pane -t '{left-of}'";
"C-l" = ":sh tmux select-pane -t '{right-of}'"; "C-l" = ":sh tmux select-pane -t '{right-of}'";
@ -143,143 +143,55 @@ in
language-server.csharp = { language-server.csharp = {
command = "csharp-language-server"; command = "csharp-language-server";
}; };
language-server.ltex = { language-server.codebook = {
command = "ltex-ls-plus"; command = "codebook-lsp";
config = { args = ["serve"];
additionalRules.motherTongue = "de-DE";
additionalRules.enablePickyRules = true;
language = [
"en-US"
"de-DE"
];
};
}; };
language-server.tinymist = { language = flatten [
command = "tinymist"; (map
}; (x: {
# language-server.nil = { name = x;
# command = "nil"; language-servers = [
# config.nil.nix = { "typescript-language-server"
# maxMemoryMB = 5120; "eslint"
# flake = { ];
# autoEvalInputs = true; #formatter = { command = "dprint"; args = [ "fmt" "--stdin" x ]; };
# autoArchive = true; # formatter = { command = "prettier"; args = [ "--parser" "typescript" ]; };
# }; })
# };
# };
language =
let
applySingleConfig =
languages: config:
let
applied =
foldl'
(
acc: l:
if (any (x: l.name == x) config.languages) then
{
done = acc.done ++ [
(mkMerge [
l
config.conf
])
];
notFound = filter (x: x != l.name) acc.notFound;
}
else
{
done = acc.done ++ [ l ];
notFound = acc.notFound;
}
)
{
done = [ ];
notFound = config.languages;
}
languages;
in
applied.done ++ (map (x: { name = x; } // config.conf) applied.notFound);
applyConfs = lspConfs: languages: foldl' applySingleConfig languages lspConfs;
in
applyConfs
[ [
{ "typescript"
languages = [ "javascript"
"typescript" "jsx"
"javascript" "tsx"
"jsx"
"tsx"
];
conf = {
language-servers = [
"typescript-language-server"
"eslint"
];
};
}
{
languages = [
"markdown"
"typst"
"bibtex"
"comment"
"latex"
"html"
];
conf = {
language-servers = [
"ltex"
];
};
}
] ]
[ )
{ {
name = "__common__"; name = "nix";
scope = "source.__common__"; formatter = {
file-types = [ ]; command = "nixpkgs-fmt";
language-servers = [ };
"ltex" }
]; {
} name = "python";
# { language-servers = [
# name = "nix"; "pyright"
# language-servers = [ "ruff"
# "nixd"
# ];
# formatter = {
# command = "nixpkgs-fmt";
# };
# }
{
name = "python";
language-servers = [
"pyright"
"ruff"
];
}
{
name = "markdown";
language-servers = [
"markdown-oxide"
];
}
{
name = "typst";
language-servers = [
"tinymist"
];
}
{
name = "c-sharp";
language-servers = [ "csharp" ];
formatter = {
command = "dotnet";
args = [ "csharpier" ];
};
}
]; ];
}
{
name = "markdown";
language-servers = ["codebook"];
}
{
name = "c-sharp";
language-servers = [ "csharp" ];
formatter = {
command = "dotnet";
args = [ "csharpier" ];
};
}
];
}; };
}; };
}; };

5
hm-modules/mpv.nix
View file

@ -14,11 +14,6 @@ in
programs.mpv = { programs.mpv = {
enable = true; enable = true;
scripts = with pkgs.mpvScripts; [ mpv-webm sponsorblock ]; scripts = with pkgs.mpvScripts; [ mpv-webm sponsorblock ];
config = {
profile = "gpu-hq";
ytdl-format = "bestvideo[width<=1920]+bestaudio";
cache-secs = 1200;
};
}; };
}; };

36
instances/ds9/configuration.nix Normal file
View file

@ -0,0 +1,36 @@
{
config,
pkgs,
lib,
...
}:
{
nixpkgs.system = "x86_64-linux";
imports = [
./hardware-configuration.nix
./services/attic.nix
./services/immich.nix
./services/jellyfin.nix
./services/paperless.nix
./services/ytdl-sub.nix
];
time.timeZone = "Europe/Berlin";
networking.hostId = "7b4c2932";
xyno.presets.cli.enable = true;
xyno.presets.server.enable = true;
xyno.services.wireguard.enable = true;
xyno.services.caddy.enable = true;
xyno.services.monitoring.enable = true;
xyno.services.authentik.enable = true;
xyno.presets.home-manager.enable = true;
xyno.system.user.enable = true;
xyno.networking.networkd = {
enable = true;
};
system.stateVersion = "24.11";
}

11
instances/ds9/default.nix Normal file
View file

@ -0,0 +1,11 @@
{
imports = [ ./configuration.nix ];
xyno.services.monitoring.prometheusServer = true;
xyno.meta = {
sopsKey = "fada7e7be28e186e463ad745a38d17f36849d8a7";
};
xyno.services.wireguard.pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc=";
deployment = {
targetHost = "ds9.hailsatan.eu";
};
}

59
instances/ds9/hardware-configuration.nix Normal file
View file

@ -0,0 +1,59 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ "${modulesPath}/installer/scan/not-detected.nix" ];
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.initrd.availableKernelModules = [ "r8169" "ahci" "vfio-pci" "xhci_pci" "ehci_pci" "nvme" "usbhid" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-amd" ];
nix.settings.max-jobs = lib.mkDefault 12;
powerManagement.powertop.enable = true;
powerManagement.cpuFreqGovernor = "powersave";
powerManagement.scsiLinkPolicy = "min_power";
services.zfs.autoScrub.enable = true;
services.sanoid.datasets."rpool/content/safe/data/media" = { };
services.sanoid.enable = true;
services.sanoid.interval = "0/8:00:00";
swapDevices = [{ device = "/dev/disk/by-id/nvme-eui.000000000000000100a075202c247839-part1"; randomEncryption = true; }];
fileSystems."/boot".device = "/dev/disk/by-uuid/149F-23AA";
fileSystems."/" = {
device = "spool/safe/persist";
fsType = "zfs";
};
fileSystems."/nix" = {
device = "spool/local/nix";
fsType = "zfs";
};
fileSystems."/var/log" = {
device = "spool/local/journal";
fsType = "zfs";
};
fileSystems."/data" = {
device = "rpool/content/safe/data";
fsType = "zfs";
};
fileSystems."/data/media" = {
device = "rpool/content/safe/data/media";
fsType = "zfs";
};
fileSystems."/backups" = {
device = "rpool/content/local/backups";
fsType = "zfs";
};
}

0
instances/nemesis/secrets/atticd.yaml → instances/ds9/secrets/atticd.yaml
View file

0
instances/nemesis/secrets/authentik.yaml → instances/ds9/secrets/authentik.yaml
View file

0
instances/nemesis/secrets/wg.yaml → instances/ds9/secrets/wg.yaml
View file

0
instances/nemesis/secrets/woodpecker.yaml → instances/ds9/secrets/woodpecker.yaml
View file

0
instances/nemesis/services/attic.nix → instances/ds9/services/attic.nix
View file

0
instances/nemesis/services/immich.nix → instances/ds9/services/immich.nix
View file

0
instances/nemesis/services/jellyfin.nix → instances/ds9/services/jellyfin.nix
View file

0
instances/nemesis/services/paperless.nix → instances/ds9/services/paperless.nix
View file

0
instances/nemesis/services/woodpecker.nix → instances/ds9/services/woodpecker.nix
View file

0
instances/nemesis/services/ytdl-sub.nix → instances/ds9/services/ytdl-sub.nix
View file

131
instances/nemesis/configuration.nix
View file

@ -1,131 +0,0 @@
{
config,
pkgs,
lib,
inputs,
...
}:
{
nixpkgs.system = "x86_64-linux";
imports = [
./hardware-configuration.nix
./services/traccar.nix
./services/navidrome.nix
# ./services/attic.nix
# ./services/immich.nix
# ./services/jellyfin.nix
# ./services/paperless.nix
# ./services/ytdl-sub.nix
];
time.timeZone = "Europe/Berlin";
networking.hostId = "7b4c2932";
containers.ds9 = {
autoStart = true;
timeoutStartSec = "10000000min";
privateNetwork = true;
enableTun = true;
additionalCapabilities = [
"CAP_NET_ADMIN"
"CAP_MKNOD"
"CAP_BPF"
"CAP_DAC_READ_SEARCH"
"CAP_SYS_RESOURCE"
"CAP_SYS_ADMIN"
];
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
# hostAddress6 = "fc00::1";
# localAddress6 = "fc00::2";
path = inputs.oldConf.nixosConfigurations.ds9.config.system.build.toplevel;
bindMounts = {
"/data" = {
hostPath = "/data";
isReadOnly = false;
};
"/backups" = {
hostPath = "/backups";
isReadOnly = false;
};
"/persistent" = {
hostPath = "/oldds9/persistent";
isReadOnly = false;
};
"/var/lib/containers" = {
hostPath = "/oldds9/persistent/var/lib/containers";
isReadOnly = false;
};
};
};
networking.nat.enable = true;
networking.nat.enableIPv6 = true;
networking.nat.internalInterfaces = [ "ve-+" ];
networking.nat.externalInterface = "enp1s0f1"; # TODO: changeme
services.traefik.staticConfigOptions.entryPoints.websecure.proxyProtocol.trustedIPs = ["10.0.0.1"];
services.traefik.dynamicConfigOptions.http.routers.simpleproxy-oldds9-router.rule =
lib.mkForce "HostRegexp(`^.+\.hailsatan\.eu$`)";
# services.traefik.dynamicConfigOptions.http.routers.simpleproxy-oldds9-router.tls.options = "old";
services.traefik.dynamicConfigOptions.http.routers.simpleproxy-oldds9-router-robotstxt.rule =
lib.mkForce "HostRegexp(`^.+\.hailsatan\.eu$`) && Path(`/robots.txt`)";
xyno.services.traefik = {
enable = true;
simpleProxy.oldds9 = {
host = "*.hailsatan.eu";
internal = "http://192.168.100.11";
};
};
users.users.root.password = "hunter2";
systemd.services."dyndns-refresh" = {
script = ''
set -eu
export PATH=$PATH:${pkgs.curl}/bin:${pkgs.jq}/bin:${pkgs.iproute2}/bin
${pkgs.bash}/bin/bash ${config.sops.secrets.dyndns.path}
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
startAt = "*:0/10";
};
sops.secrets.dyndns = {
sopsFile = ./secrets/dyndns.yaml;
};
xyno.services.kanidm = {
enable = true;
setupTraefik = true;
};
xyno.services.oauth2Proxy.enable = true;
xyno.services.postgres.enable = true;
xyno.presets.cli.enable = true;
xyno.presets.server.enable = true;
xyno.impermanence.enable = true;
# xyno.services.wireguard.enable = true;
# xyno.services.caddy.enable = true;
# xyno.services.monitoring.enable = true;
# xyno.services.authentik.enable = true;
xyno.presets.home-manager.enable = true;
xyno.system.user.enable = true;
xyno.networking.networkd = {
enable = true;
};
networking.useDHCP = lib.mkForce false;
networking.interfaces."enp1s0f1" = {
useDHCP = true;
tempAddress = "enabled";
};
systemd.network.networks."40-enp1s0f1" = {
networkConfig = {
IPv6AcceptRA = true;
};
};
system.stateVersion = "25.11";
}

11
instances/nemesis/default.nix
View file

@ -1,11 +0,0 @@
{
imports = [ ./configuration.nix ];
# xyno.services.monitoring.prometheusServer = true;
xyno.meta = {
sopsKey = "fada7e7be28e186e463ad745a38d17f36849d8a7";
};
# xyno.services.wireguard.pubKey = "aZvSeAhKG3B5I2My5IqQoSlntMzbCHM6OU92WEScohc=";
deployment = {
targetHost = "nemesis.xyno.systems";
};
}

150
instances/nemesis/hardware-configuration.nix
View file

@ -1,150 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ "${modulesPath}/installer/scan/not-detected.nix" ];
# boot.lanzaboote = {
# enable = true;
# pkiBundle = "/var/lib/sbctl";
# };
# boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = true;
boot.initrd.availableKernelModules = [
"r8169"
"ahci"
"vfio-pci"
"xhci_pci"
"ehci_pci"
"nvme"
"usbhid"
"sd_mod"
"sr_mod"
];
boot.kernelModules = [ "kvm-amd" ];
nix.settings.max-jobs = lib.mkDefault 12;
powerManagement.powertop.enable = true;
powerManagement.cpuFreqGovernor = "powersave";
powerManagement.scsiLinkPolicy = "min_power";
services.zfs.autoScrub.enable = true;
services.sanoid.datasets."rpool/content/safe/data/media" = { };
services.sanoid.datasets."rpool/content/safe/data" = { };
services.sanoid.datasets."spool/nemesis/persistent" = { };
services.sanoid.enable = true;
services.sanoid.interval = "0/8:00:00";
# boot.initrd.systemd = {
# enable = true;
# };
boot.initrd.network = {
enable = true;
postCommands = ''
zpool import rpool
zpool import spool
echo "zfs load-key -a; killall zfs" >> /root/.profile
'';
ssh = {
enable = true;
port = 2222;
hostKeys = [
"/persistent/initrd/ssh_host_rsa_key"
"/persistent/initrd/ssh_host_ed25519_key"
];
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/oMAi5jyQsNohfhcSH2ItisTpBGB0WtYTVxJYKKqhj" # TODO
];
};
};
# swapDevices = [
# {
# device = "/dev/disk/by-id/nvme-eui.000000000000000100a075202c247839-part1";
# randomEncryption = true;
# }
# ];
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/149F-23AA";
fsType = "vfat";
options = [
"noauto"
"x-systemd.automount"
];
};
zramSwap.enable = true;
zramSwap.writebackDevice = "/dev/zvol/spool/nemesis/zswap";
fileSystems."/persistent/var/lib/postgresql" = {
# has things of https://wiki.archlinux.org/title/ZFS#Databases set
device = "spool/nemesis/postgres";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/persistent" = {
device = "spool/nemesis/persistent";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/var/log" = lib.mkForce {
device = "spool/nemesis/varlog";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/nix" = {
device = "spool/local/nix";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/data" = {
device = "rpool/content/safe/data";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/data/media" = {
device = "rpool/content/safe/data/media";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/backups" = {
device = "rpool/content/local/backups";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/oldds9/persistent" = {
device = "spool/safe/persist";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/oldds9/persistent/var/lib/containers" = {
device = "spool/safe/containers";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/oldds9/varlog" = {
device = "spool/local/journal";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [ "size=8G" ];
neededForBoot = true;
};
}

56
instances/nemesis/secrets/dyndns.yaml
View file

@ -1,56 +0,0 @@
dyndns: ENC[AES256_GCM,data:E+yFHhfpyB3kFb59Nokjr4kIBpgRVZPLZzpHjwp9Ixd9b4rr8Fky0yz4b+/5MlXsSKsR4zfhUi/4yudeYVrSwMWeLibKHeAtoWYTlnEjhBn30wvlEA08M3zmvfMRvGB0Ur2bmax5OzCQbh2v0NKB+4mrIN9SVhBIR89Y5DLm7sd7KIJJxTruo2d+ODphAzFFNtuuyg4s3iq2+Y5H/zwrpgT4Td39h1ys+hfk4ght/OAseTZfda4qCdHhT0S4+aoCkhiyPUxr80KtuHhmt6UvpsazSDJmZyKyVJ3PpYcfS1VfBqAIdNc2enxxquNBRwppd3V8pXjIZKzPRTySFnLpgPIJBhnFkozJm44jaOttoSFrbrF1+7/iL/ssNWpHQvtr0Ke5jS1EPb6k0MZZnJxhGKUiZWzDL/Xb7FJex8pE5gTTK+24VD13mvIW2qCrtXybTydnid/76SzYpdz407mHgBsQUorA,iv:WGbR31NhtayYfdn89diNlOwWkUOulYmBVs9qqZSNieo=,tag:yvqJ6Ok2i0GC5ZSFYWySsg==,type:str]
sops:
lastmodified: "2025-12-01T18:59:41Z"
mac: ENC[AES256_GCM,data:DGjRJWTAl2q58KDAcCxk30gvsin8C7/yBvw5qt+gGcHgJr4ggdVU1afW2Hn+qkexuSK0vLZP6tPJo6reiwyEAZNREPXnU21DUm83lMybu/zRdLFenA03ffPgJ4V+a6m9Ya/CmJzz/vaUxxtyeqCgynUI24otI/+ta0Hh1LQCbC4=,iv:t7NbX7mMMh2r2b0FLrmssxlFJSd9TTGAb7kjoYeKnzc=,tag:MKvgoxYoOj5TT/EzD8hKzw==,type:str]
pgp:
- created_at: "2025-11-24T13:05:23Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hL4DAAAAAAAAAAASBAMEIEXAYYvAspPhhSKpflgdFds2UrMJYMBl1TyKwMsTxQd/
Chj1aQqRRdrQ0tF3Mkd13EEDJwU3kgJWrrh8uB5ukU+yYuig5kS5Gl51eW5H+FlD
YFYJFsvJBIqbpNzpI7zitD4OvBZ6UCmwul+X9ibYVZRJjrZ6e4zSPmOk9D4Srecw
Pz9nn6NnUA5PXd627Kt4JFBQ1OiLon/ZMBTKhk/vHuUKdYYJNQleJFnpWCU3lNN2
0l4BTf26neMgV1qi34Nb86n3Jk8zqC/pMOgtoN2IrY45kR5lUDqGHTemKHw3JdmO
9oiuqPnlGJktOxdAk+8jHxDrVwRsth+2f+U0cLkMNGTBcY8g1OPWk65ObwIpZ1rZ
=NWw0
-----END PGP MESSAGE-----
fp: 0D98D5964AC8BB1CA034CE4EC456133700066642
- created_at: "2025-11-24T15:13:16Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMAwAAAAAAAAAAAQv9EPOBFyrp+Zysk3SaNiYaQl928f0pe84uSO9Fm4VPqKtC
xjov8740j38gvQIXpI2zADMlemLGzftbJPfBarSFVlukYoQkjs0SXQD0ukXsiCw2
eLpEyOx57BFQMRwiNeh6gSkS6WeHAJNiQj1rY11MvyAsDIup8su5XPEw5DWjr3R0
JdY029HuF6wqpmtgZnaFn6vmPYWYdtnYsxjqOJSPx+rXbWagiDgYy3DAOc7ltyIs
bZoAsjVwQW/tl3hjWhKFeOSfsd9vdUX1TacKqqNZy4mLeEHZOYANeeLkOb+T1T4r
Cexau6H3xZqc87T4S1ZBpEyWawIJHmIalFDoj466mUMOTJth7LxW7vfAdMpwbl1K
HHbTK7vyYxLeo/e5rw646eVmbyPeFf3gF/IXRWB8qoL4g/atGbbQ+WJ86mLgMDg9
9AqgVhSbVLoaWooqjh40tJ53raNm5HsO8ozfrJ9hx7Dq3QmCivpA14Q7UD6Yu1nT
RxY6Ng7ykHGGIx3LacV70lgBoinGEzvbxe2Se7B+FOlEL+zFywRt8yFwqc0SXY6o
qLriyhU2p05gvV45oR3pm9336VtwKu1lsN+Z9guKDZmKSgfIxZ22NulsA7E2zV8Z
MacEdQskbB7J
=zk6P
-----END PGP MESSAGE-----
fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
- created_at: "2025-11-29T08:16:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMAwAAAAAAAAAAAQv+OaIQywQwV7AS4gi4GjVHFVyhk7Wd3/5fLlMt9UeB56gt
l5+4VVkIzslwiuu9NF5KfvuXr4OQG3cOnb7KRgU5UEUEQtaDrMLFO/TwbBzVTC40
YNHOya0Ow3MRcEegnM3ox5vL4nHLQwevL0jY8TUxa1xfcTvSj8qOQ9zzzkxzR3L6
XvD6+dL9pHh1gtU6vlmPIm1PLsWalp0LJAOij3FQdzaxWpDRc0U+Wwr4lt5LiYS2
jOFc5OZFeIOqMfzul5GCy933eu+V+Ch8PXa5/6PtWxFHx5bvF2pclubguRLziux1
koeCxBpK3coHT1NX5AEmbtCEieFY9bMy6JTiih4I8eM2nkPjWyqByGh2mFuzjf4V
OBGyHUZHK+KpDkRkwSS/6GqX3n89KMsf6aZwM35CkBvdG3PamyO8eVmE36OTGe4g
1oj12rIjIj4dKtQ68vRgexvlH1Qq3GBHfsJRF5lRi4dKtPPLjU2P1fJWFcjszIEe
q2QEcpDbCPYelI7mhwzT0lgBND6Yxso3tpW/Il/uRKao/9H+DgIYaIIRBml/cqaq
VqDnFIYodxuW73R8n5GlfctY+gya9ZiGlK5uJwlghRE8gCVUjFrDnFS+uiVC6QI6
SepzVJKOMUB8
=7yY4
-----END PGP MESSAGE-----
fp: fada7e7be28e186e463ad745a38d17f36849d8a7
unencrypted_suffix: _unencrypted
version: 3.11.0

80
instances/nemesis/secrets/kanidm.yaml
View file

@ -1,80 +0,0 @@
oauth2Proxy:
cookieSecret: ENC[AES256_GCM,data:CA6VBdPT3tuit4eWfBi1ycau4kErwAMfLwJ0maYr+/8Th8q51ZFHaWOcCA8=,iv:HSWCUEgVTkB9tKfzZWXUzH/sCoVZztzwbr1ZUwZBLBs=,tag:qOdClvQl2Cgn3lHXXA/o1Q==,type:str]
kanidm:
adminPassword: ENC[AES256_GCM,data:JQHTQHwXKMgbc0SRdkhMjKjZBznuIbHdcR4TXsmikKWX+5T4VOSqo4CwlXj0XQSV,iv:ruCMDfPlwcAUXdRypB0lNSH1UuV9ryS4vLSleVHnWwc=,tag:V4phitbR0tk6jUrdyFlZWQ==,type:str]
idmAdminPassword: ENC[AES256_GCM,data:D128I5u5pTP6xgSiP+EIZWJmbkXDfHHLh7Bw8wAiMxYPpjGG3EDsdG+8CwOUP8jZ,iv:5h/UZ7BHviKYIY0zpTo/seFHvMcGucDLeey9bc+GDlo=,tag:DSelYBlzIN94K7tOI3QtDA==,type:str]
sops:
lastmodified: "2025-12-03T21:25:56Z"
mac: ENC[AES256_GCM,data:R3cxPrzR5tT0CMNvrtBWDCE8RTvPj9tPslkGhubfOREQBR+qIw7e84uSrswo2+KJkc+AL7CPzVSgsdcSjalNxIqLlL2Gg1y/BKgE6UDB5GDT49+cfCL68hFYkZ+4Cl6bKdLpOuuhsR92NwQk171bx+KCgjE2KUBRFDjOllo+V7M=,iv:LdeRN1jnLNKL3pXVVEQ3BzI3csJSRil5gkQOnxyLi+U=,tag:Ti9Ryuc4kyeuKDwRelQI2A==,type:str]
pgp:
- created_at: "2025-11-29T10:45:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hL4DAAAAAAAAAAASBAMEYHWKHKXoJ9J5HDHfY9FhItdcvUdWz57Wl79xKzH94s42
B7k57At1H6mW3BOrbnDNgNyBs6dHIG1jTA+4yITgIAcn/bl9JRbMOjmDZZzzevJi
4yQdnm8C6mxQhbUNDpWJ4He6+m7vMZx8uq0S6dq0a5aAE/7ph7Z4gvIbBjZIA6gw
z/GwpL9SyZjSyTW8Z9XPLebonCp1lhD0tsVHk9GKoL46UWlYzq87XSyJOo4AHGAO
0l4BWq3e7iDmzdxwtCoIC7PKHPmigUielz1qDdCGAIMQsAhaJqOa24gCUW7cklgk
A18EVlSyfeqGaqr//cuGqm8TnrG9cfLtMgnjUv3UQfBWVOh5P8ccKTbl4SUY2BfQ
=JRop
-----END PGP MESSAGE-----
fp: 0D98D5964AC8BB1CA034CE4EC456133700066642
- created_at: "2025-11-29T10:45:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMAwAAAAAAAAAAAQv9GuE7hANGXNsAGi3e1oB4c2y9jpvi3RkEifcxBg19yf9n
L9t3Av1Ym2H/Bc5Sw5++qrF7Jy3Aujt1T8ytayxzVsuLesgkuDzjtot0JgUsRSWK
r2dXDoo9gaftX434fGViamHTX2wHBo9VEwqe/c2NjwLeIx/O6u4FwJmUAgzGy1pp
I5TSpYMky4coLbFpDX7AuUuPymI6lGNad6JoeOoTP2gb5Kt2Ycr7ZqzOp2kaPxua
yw5HuoiXLkzxywuWh+IIbqanyN8qxbjvEOS4ZJHegECZhDS27kocwiXhUlcT1NC1
1pFW7EJaVMzikSBy06LiPWsYjNmQIR9o8uoeP//XMcq34N0036IxVaOWs8Qnls97
TJM6lCov4c0XcNrfop15hWNK2gxSzNwxWkmG5PUHwfRi9JGvL6Ng/EHbJS+6F3Nx
z7H2jAIdzc9StMd411SJrZSpDk1wpnecroUWYdO5OIKJu70J5FvNSaKripEECy1x
wBrqY5RLmi/qYsfyCupg0lgBPGUyJbV2XLt1Qcf4eStzy5ZYi8gnn02T0EWvCspf
0tKMs7hbLm6FwK7vG7Cmc1LQCm73oW09cZCrLurd9JtiRftfww9pBEc85MfPUBIt
PYAWvU26TshG
=vU9m
-----END PGP MESSAGE-----
fp: fada7e7be28e186e463ad745a38d17f36849d8a7
- created_at: "2025-11-29T10:45:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMAwAAAAAAAAAAAQwAnX5FoTN8ft2sFXRotgVGt2he9RJMiq0orduWeTXZPLK8
mvyYOcrQ71fOIm9sIg6hJfabeR2GjBsm09XIXJ71zLl0lWgb8SvcYmbgaJJ+svfY
pPrW+ZninOUZgwkJ8L1gM3ZWOJlx+92NKtdxifIY98SMKacT+aVe7vNTrQVwmRn9
cZZQd8B75zN7IV99bJCG2BYvSt+p8gZ1vm3GxhowctbSgCl6knHDHJlpXE7SyLHv
ReHjfCFetJQd/XqLL4vZifrlpGKyGPP5pYnEQT5bbsJr9exBeZQ7PsAB0OG+KpOB
r4IvB78XGJlbHTnqlP6GKAKek6NSldlEq5tCsKo5wl3Jg2/SgxSbOhbb5YmOqwcq
S+JJhbfjRGSJMMXLOP9QtLQU5qktwip5g+ZxgKDrcgQvUPUsbV3PEW9l/0WoCf1Q
7e+mBJ+TRJVOjS9hC1mr/C6kkJJurdpH3PvUSncSk4s0+bkw66nLwmc3QLpI6DV7
BLJVkOUQzUWaB6k6NVkE0lgBbVYeyaOS3JcoFHrYex6bDHjliD/SH+xjc8wyJR8s
wz5CwfFPqudE9ZYvilJ3lN2AtJrRBaxtR5dgrG2fUx9OB6FSOoRVOpmnFC3YUt6a
FNZYBn5X10t/
=Mj7y
-----END PGP MESSAGE-----
fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
- created_at: "2025-11-29T10:45:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwAAAAAAAAAAAQ//a9QFgxhKeW4xcFeERaCiO5nb07wS8BxENBw57RDTp52F
0kzEdp+HnkVujYMC5cjKlz3x6ZT+CFcVT8HZTwTjlrtCdO/R1OGeO0NcC/tRQNvV
LUgaV9mCzYAbfJG1skdz9EMZZ3W9qPBgKXbX7vGhPirwXyAUUEfQsWon8eOymrd6
FoapcdLo9ymTnar14WH0kM7B0i4Kqv6+NKquc0OiL8eSufL4wubJrXZZkOdtnXCD
omwFtYmF+IgQAzaCBWLGY3sOW9nD27Y9F1vToOpKQvxE+IT3VGTZN02Xy2J4lhnJ
IE2SmaeY29g2QWIRePCrehpaRNCjlmTS7j7SRT2K9bOVcbiwljUidwkC58323EmC
UlacFRSY5Cfeav2VL188ywh4vihnUpWJoncHKvcUEEeLykbQcdpy2Zwl6u6UB+2g
oDmhk1pFV4ejJlRe1BpLHiBcnA5/OFsWxMGQp57mZ2vyGWYQgtsQZ71JVENq7nSt
TKi6OPhRTZX2Wk8lcZMjm+5XeNrGMSUEYwCPRza+5C0f3LzSfjmmGDLxwaQmCaYI
ZjKSuj14N9VQNJJ8Yxn9uni1acKs+q1XM1b3gJUT2gpFbOjh1BjtAGrat1f4mKk9
0PwxBA7cZkdmgJ0t/oNja8ElpOMLMTbI7yYOLY3hD64CtFKWWwpxbD7bK65neRTS
WAE9cEyjhq3TOKNdKaIP5N6a6Sq+98N9xE7/3/lVYncFZ1zV4+9l8Gyjr4rsSSV+
68gg9t6FUPIHyNHdrvmqLLQP+paA9RMb7yOMkULB8zBKJrZMXnu+wsI=
=Du56
-----END PGP MESSAGE-----
fp: 4019fd893bba15618c2f93a38ef418ce360bc418
unencrypted_suffix: _unencrypted
version: 3.11.0

48
instances/nemesis/services/navidrome.nix
View file

@ -1,48 +0,0 @@
{
config,
...
}:
let
host = "music.xyno.systems";
internalIp = "127.0.0.5";
in
{
services.kanidm.provision = {
groups = {
navidrome_users.members = [ "application_admins" ];
};
};
xyno.services.oauth2Proxy.hosts."${host}" = {
allowedGroups = [ "navidrome_users" ];
};
xyno.services.traefik.simpleProxy = {
navidrome = {
inherit host;
inherit (config.xyno.services.oauth2Proxy.hosts.${host}) middlewares;
internal = "http://${internalIp}:4533";
};
navidrome-subsonic = {
inherit host;
rule = "Host(`${host}`) && PathPrefix(`/rest/`) && !Query(`c`, `NavidromeUI`)";
internal = "http://${internalIp}:4533";
};
};
services.navidrome = {
enable = true;
settings = {
Address = internalIp;
MusicFolder = "/data/media/beets/music";
ReverseProxyWhitelist = "127.0.0.1/32";
BaseUrl = "https://${host}";
Prometheus = {
Enabled = false; # TODO
};
ReverseProxyUserHeader = "X-Auth-Request-Preferred-Username";
Scanner = {
Schedule = "45 0 * * *"; # daily at 0:45
};
};
};
xyno.impermanence.directories = [ "/var/lib/navidrome" ];
}

93
instances/nemesis/services/traccar.nix
View file

@ -1,93 +0,0 @@
{
pkgs,
lib,
config,
...
}:
{
xyno.services.traefik.simpleProxy.traccar = {
host = "track.66642.bot";
internal = "http://127.0.0.4:8082";
};
services.kanidm.provision = {
groups = {
traccar_users.members = [ "traccar_admins" ];
traccar_admins.members = [ "application_admins" ];
};
systems.oauth2.traccar = {
displayName = "Traccar";
originUrl = "https://track.66642.bot/api/session/openid/callback";
originLanding = "https://track.66642.bot/login";
imageFile = "${pkgs.traccar}/web/logo.svg";
# public = true;
scopeMaps."traccar_users" = [
"openid"
"profile"
"email"
"groups"
];
allowInsecureClientDisablePkce = true;
};
};
xyno.services.kanidm.templates."traccar" = {
text = p: ''
OPENID_CLIENT_ID=${p.clientId}
OPENID_CLIENT_SECRET=${p.basicSecret}
DATABASE_URL='jdbc:postgresql://localhost/traccar?socketFactory=org.newsclub.net.unix.AFUNIXSocketFactory$FactoryArg&amp;socketFactoryArg=/run/postgresql/.s.PGSQL.5432'
'';
wantedBy = [ "traccar.service" ];
};
systemd.services.traccar.serviceConfig.ExecStart =
lib.mkForce "${pkgs.openjdk}/bin/java -cp './tracker-server.jar:./lib/*:${pkgs.junixsocket-common}/share/java/junixsocket-common-${pkgs.junixsocket-common.version}.jar:${pkgs.junixsocket-native-common}/share/java/junixsocket-native-common-${pkgs.junixsocket-common.version}.jar' org.traccar.Main /var/lib/traccar/config.xml"; # forgive it for what it has done
services.traccar = {
enable = true;
environmentFile = config.xyno.services.kanidm.templates.traccar.path;
settings = {
database.driver = "org.postgresql.Driver";
database.url = "$DATABASE_URL";
database.user = "traccar";
mail.debug = "true"; # log mail content instead of sending email
openid.adminGroup = "traccar_admins@idm.xyno.systems";
openid.allowGroup = "traccar_users@idm.xyno.systems";
openid.clientId = "$OPENID_CLIENT_ID";
openid.clientSecret = "$OPENID_CLIENT_SECRET";
openid.force = "true";
openid.issuerUrl = "https://idm.xyno.systems/oauth2/openid/traccar";
web.address = "127.0.0.4";
web.url = "https://track.66642.bot";
};
};
systemd.services.postgresql-install-timescale-in-traccar = {
after = [
"postgresql.service"
"postgresql-setup.service"
];
requires = [
"postgresql.service"
"postgresql-setup.service"
];
requiredBy = [ "traccar.service" ];
serviceConfig = {
User = "postgres";
Group = "postgres";
Type = "oneshot";
RemainAfterExit = true;
};
path = [ config.services.postgresql.finalPackage ];
environment.PGPORT = builtins.toString config.services.postgresql.settings.port;
script = ''
psql -d traccar -tAc "CREATE EXTENSION IF NOT EXISTS timescaledb;"
'';
};
services.postgresql.settings.shared_preload_libraries = [ "timescaledb" ];
services.postgresql.ensureDatabases = [ "traccar" ];
services.postgresql.ensureUsers = [
{
name = "traccar";
ensureDBOwnership = true;
}
];
}

2
instances/picard/configuration.nix
View file

@ -20,7 +20,7 @@
xyno.presets.server.enable = true; xyno.presets.server.enable = true;
xyno.presets.cli.enable = true; xyno.presets.cli.enable = true;
xyno.services.wireguard.enable = true; xyno.services.wireguard.enable = true;
# xyno.services.caddy.enable = true; xyno.services.caddy.enable = true;
xyno.services.monitoring.enable = true; xyno.services.monitoring.enable = true;
xyno.presets.home-manager.enable = true; xyno.presets.home-manager.enable = true;
xyno.system.user.enable = true; xyno.system.user.enable = true;

35
instances/theseus/configuration.nix
View file

@ -12,35 +12,6 @@ let
''; '';
in in
{ {
# containers.podmantest = {
# privateNetwork = true;
# enableTun = true;
# additionalCapabilities = [
# "CAP_NET_ADMIN"
# "CAP_MKNOD"
# "CAP_BPF"
# "CAP_DAC_READ_SEARCH"
# "CAP_SYS_RESOURCE"
# "CAP_SYS_ADMIN"
# ];
# hostAddress = "192.168.100.10";
# localAddress = "192.168.100.11";
# config =
# { ... }:
# {
# virtualisation.oci-containers.containers.test = {
# image = "docker.io/library/nginx";
# ports = [
# "80:80"
# "443:443"
# ];
# };
# };
# };
# networking.nat.enable = true;
# networking.nat.internalInterfaces = [ "ve-+" ];
# networking.nat.externalInterface = "enp195s0f4u1u3";
nixpkgs.system = "x86_64-linux"; nixpkgs.system = "x86_64-linux";
imports = [ ./hardware-configuration.nix ]; imports = [ ./hardware-configuration.nix ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
@ -77,7 +48,7 @@ in
pandoc pandoc
tectonic tectonic
rquickshare rquickshare
unstable.supersonic-wayland supersonic-wayland
nheko nheko
anki-bin anki-bin
gimp3 gimp3
@ -88,21 +59,19 @@ in
ptouch-print ptouch-print
hledger hledger
super-productivity
]; ];
environment.variables."LEDGER_FILE" = "~/docs/hledger/main.journal"; environment.variables."LEDGER_FILE" = "~/docs/hledger/main.journal";
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
# orcaslicer # orcaslicer
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
1880 1880
2021 2021
4711
]; ];
networking.firewall.allowedUDPPorts = [ networking.firewall.allowedUDPPorts = [
1880 1880
5353
2021 2021
]; ];

2
instances/theseus/hardware-configuration.nix
View file

@ -16,7 +16,7 @@
"${inputs.nixos-hardware}/framework/13-inch/7040-amd" "${inputs.nixos-hardware}/framework/13-inch/7040-amd"
]; ];
hardware.framework.laptop13.audioEnhancement.enable = true; hardware.framework.laptop13.audioEnhancement.enable = true;
hardware.framework.laptop13.audioEnhancement.hideRawDevice = false; # hardware.framework.laptop13.audioEnhancement.hideRawDevice = false;
services.fwupd.enable = true; services.fwupd.enable = true;
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [

32
modules/desktop/audio.nix
View file

@ -229,39 +229,9 @@ in
]; ];
}; };
}; };
configPackages = [
(pkgs.writeTextDir "share/pipewire/pipewire.conf.d/snapcast-discover.conf" ''
context.modules = [
{
name = libpipewire-module-snapcast-discover
args = {
snapcast.discover-local = true
stream.rules = [
{
matches = [
{
snapcast.ip = "~.*"
}
]
actions = {
create-stream = {
# node.name = "Snapcast"
# snapcast.stream-name = "default"
}
}
}
]
}
}
]
'')
];
wireplumber.extraConfig."98-bluetooth"."wireplumber.settings"."bluetooth.autoswitch-to-headset-profile" = wireplumber.extraConfig."98-bluetooth"."wireplumber.settings"."bluetooth.autoswitch-to-headset-profile" =
false; false;
wireplumber.configPackages = mapAttrsToList (n: v: eqPkg v) cfg.eq ++ [ wireplumber.configPackages = mapAttrsToList (n: v: eqPkg v) cfg.eq;
];
}; };
}; };

27
modules/desktop/fcitx5.nix Normal file
View file

@ -0,0 +1,27 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.xyno.desktop.fcitx5;
in
{
options.xyno.desktop.fcitx5.enable = lib.mkEnableOption "enable fcitx5 input daemon thing";
config = lib.mkIf cfg.enable {
i18n.inputMethod = {
type = "fcitx5";
enable = true;
fcitx5.addons = with pkgs; [
fcitx5-table-other
];
fcitx5.waylandFrontend = true;
fcitx5.quickPhrase = {
":pleading:" = "🥺";
":pointing_right:" = "👉";
":pointing_left:" = "👈";
};
};
};
}

81
modules/desktop/ibus.nix
View file

@ -1,81 +0,0 @@
{
pkgs,
config,
lib,
...
}:
with lib;
let
cfg = config.xyno.desktop.ibus;
in
{
options.xyno.desktop.ibus.enable = mkEnableOption "enable ibus input daemon thing";
options.xyno.desktop.ibus.wantedBy = mkOption {
type = types.str;
default = "niri.service";
};
config = mkIf cfg.enable {
services.libinput.enable = true;
# just... enable ibus as input method and maybe now we have consistent unicode input everywhere
# fuck qt tbh
i18n.inputMethod = {
enable = true;
package = pkgs.ibus;
# ibus.engines = with pkgs.ibus-engines; [ uniemoji ];
};
# home-manager.sharedModules = [
# (
# { lib, ... }:
# {
# dconf.settings = {
# "org/gnome/desktop/input-sources" = {
# sources = [
# (lib.hm.gvariant.mkTuple [
# "xkb"
# "us"
# ])
# (lib.hm.gvariant.mkTuple [
# "ibus"
# "libpinyin"
# ])
# (lib.hm.gvariant.mkTuple [
# "ibus"
# "mozc-jp"
# ])
# ];
# };
# };
# }
# )
# ];
systemd.user.services."org.freedesktop.IBus.session.generic".wantedBy = [ cfg.wantedBy ];
systemd.packages = [ pkgs.ibus ];
# systemd.user.services.ibus =
# let
# ibusPackage = config.i18n.inputMethod.package;
# in
# assert hasPrefix "ibus-with-plugins" ibusPackage.name;
# {
# # panel is weird...
# # default is ${ibusPackage}/libexec/ibus-ui-gtk3 which works but sends a notification that it's misconfigured
# # wayland support can be enabled with --enable-wayland-im but that segfaults (possible due to zwp_input_method_v1 not being available?)
# script = ''
# exec ${ibusPackage}/bin/ibus-daemon --xim --replace --panel '${ibusPackage}/libexec/ibus-ui-gtk3'
# '';
# serviceConfig = {
# Type = "dbus";
# BusName = "org.freedesktop.IBus";
# Restart = "on-abnormal";
# };
# unitConfig = {
# CollectMode = "inactive-or-failed";
# };
# # yeah we hardcoding this now, fuck it
# wantedBy = [ cfg.wantedBy ];
# partOf = [ "graphical-session.target" ];
# };
};
}

45
modules/desktop/niri.nix
View file

@ -14,8 +14,6 @@ let
"KeePassXC" "KeePassXC"
"org.gnome.NautilusPreviewer" "org.gnome.NautilusPreviewer"
"io.github.Qalculate.qalculate-qt" "io.github.Qalculate.qalculate-qt"
"ibus-ui-emojier"
"ibus-ui-gtk3"
]; ];
matchFloat = concatStringsSep "\n" ( matchFloat = concatStringsSep "\n" (
map (x: '' map (x: ''
@ -54,22 +52,20 @@ in
value = 1; value = 1;
} }
]; ];
home-manager.sharedModules = [ home-manager.users.${config.xyno.system.user.name} = mkIf config.xyno.presets.home-manager.enable (
( { ... }:
{ ... }: {
{ xyno.dark-theme.enable = true;
xyno.dark-theme.enable = true; # home.file.".config/xdg-desktop-portal-termfilechooser/config".text = ''
# home.file.".config/xdg-desktop-portal-termfilechooser/config".text = '' # [filechooser]
# [filechooser] # cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh
# cmd=${pkgs.xdg-desktop-portal-termfilechooser}/share/xdg-desktop-portal-termfilechooser/yazi-wrapper.sh # default_dir=$HOME
# default_dir=$HOME # env=TERMCMD=footclient --app-id floating-alacritty
# env=TERMCMD=footclient --app-id floating-alacritty # open_mode = suggested
# open_mode = suggested # save_mode = suggested
# save_mode = suggested # '';
# ''; }
} );
)
];
xdg.portal = { xdg.portal = {
extraPortals = [ extraPortals = [
@ -92,16 +88,7 @@ in
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
playerctl playerctl
xwayland-satellite xwayland-satellite
nirius
]; ];
systemd.user.services.niriusd = {
unitConfig.PartOf = "graphical-session.target";
unitConfig.After = "graphical-session.target";
unitConfig.Requisite = "graphical-session.target";
serviceConfig.Restart = "on-failure";
wantedBy = [ "niri.service" ];
script = "exec ${pkgs.nirius}/bin/niriusd";
};
programs.niri.enable = true; programs.niri.enable = true;
environment.etc."niri/config.kdl".mode = "444"; # copy file so niri detects changes environment.etc."niri/config.kdl".mode = "444"; # copy file so niri detects changes
environment.etc."niri/config.kdl".text = '' environment.etc."niri/config.kdl".text = ''
@ -118,15 +105,11 @@ in
Mod+T { spawn "${cfg.term}" "tmux" "new-session" "-t" "main"; } Mod+T { spawn "${cfg.term}" "tmux" "new-session" "-t" "main"; }
Mod+Shift+T { spawn "${cfg.term}"; } Mod+Shift+T { spawn "${cfg.term}"; }
Mod+Y { spawn "${cfg.term}" "--app-id" "floating-alacritty" "-W" "120x37" "yazi"; } Mod+Y { spawn "${cfg.term}" "--app-id" "floating-alacritty" "-W" "120x37" "yazi"; }
Mod+Shift+M { spawn "sh" "-c" "notify-send -t 3000 -a umpv umpv-paste $(wl-paste); umpv $(wl-paste)"; }
Mod+P { spawn "keepassxc"; } Mod+P { spawn "keepassxc"; }
Mod+S { spawn "qalculate-qt"; } Mod+S { spawn "qalculate-qt"; }
Mod+Shift+N { spawn "makoctl" "dismiss" "-a"; } Mod+Shift+N { spawn "makoctl" "dismiss" "-a"; }
Mod+N { spawn "makoctl" "dismiss"; } Mod+N { spawn "makoctl" "dismiss"; }
Mod+E { spawn "makoctl" "menu" "fuzzel -d"; } Mod+E { spawn "makoctl" "menu" "fuzzel -d"; }
Mod+G { spawn "nirius" "toggle-follow-mode"; }
Mod+Shift+bracketleft { spawn "nirius" "scratchpad-show"; }
Mod+Shift+bracketright { spawn "nirius" "scratchpad-toggle"; }
XF86AudioRaiseVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.03+"; } XF86AudioRaiseVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.03+"; }
XF86AudioLowerVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.03-"; } XF86AudioLowerVolume allow-when-locked=true { spawn "wpctl" "set-volume" "@DEFAULT_AUDIO_SINK@" "0.03-"; }
XF86AudioMute allow-when-locked=true { spawn "wpctl" "set-mute" "@DEFAULT_AUDIO_SINK@" "toggle"; } XF86AudioMute allow-when-locked=true { spawn "wpctl" "set-mute" "@DEFAULT_AUDIO_SINK@" "toggle"; }

3
modules/desktop/waybar/cal.nix
View file

@ -24,14 +24,13 @@ let
UNTIL="1d" UNTIL="1d"
EVENT="$( EVENT="$(
(khal list "$SINCE" "$UNTIL" \ khal list "$SINCE" "$UNTIL" \
--day-format 'SKIPME' \ --day-format 'SKIPME' \
--format "{start-end-time-style} {title:.31}{repeat-symbol}" | --format "{start-end-time-style} {title:.31}{repeat-symbol}" |
grep -v SKIPME | # filter out headers grep -v SKIPME | # filter out headers
grep -v -P '| |' | # filter out continuing all day events grep -v -P '| |' | # filter out continuing all day events
grep -v '^ ' | # exclude full-day events grep -v '^ ' | # exclude full-day events
head -n 1 # show just the first head -n 1 # show just the first
) || echo ""
)" )"
if [ -z "$EVENT" ]; then if [ -z "$EVENT" ]; then

15
modules/module-list.nix
View file

@ -5,9 +5,9 @@
./desktop/audio.nix ./desktop/audio.nix
./desktop/common-programs.nix ./desktop/common-programs.nix
./desktop/easyeffects.nix ./desktop/easyeffects.nix
./desktop/fcitx5.nix
./desktop/foot.nix ./desktop/foot.nix
./desktop/fuzzel.nix ./desktop/fuzzel.nix
./desktop/ibus.nix
./desktop/mako.nix ./desktop/mako.nix
./desktop/niri.nix ./desktop/niri.nix
./desktop/shikane.nix ./desktop/shikane.nix
@ -21,22 +21,17 @@
./presets/common.nix ./presets/common.nix
./presets/development.nix ./presets/development.nix
./presets/gui.nix ./presets/gui.nix
./presets/home-manager.nix
./presets/server.nix ./presets/server.nix
# ./services/authentik ./presets/home-manager.nix
# ./services/caddy ./services/authentik
./services/kanidm.nix ./services/caddy
./services/traefik.nix
./services/postgres.nix
./services/oauth2Proxy/default.nix
./services/oauth2Proxy/integration.nix
./services/monitoring.nix ./services/monitoring.nix
./services/wireguard.nix ./services/wireguard.nix
./system/impermanence.nix ./system/impermanence.nix
./system/meta.nix ./system/meta.nix
./system/user.nix ./system/user.nix
./to-upstream/fido2-hid-bridge.nix
./user-services/khal.nix ./user-services/khal.nix
./user-services/syncthing.nix ./user-services/syncthing.nix
./to-upstream/fido2-hid-bridge.nix
] ]

15
modules/presets/cli.nix
View file

@ -1,6 +1,5 @@
{ {
config, config,
inputs,
lib, lib,
pkgs, pkgs,
... ...
@ -45,11 +44,6 @@ in
LC_COLLATE = "de_DE.UTF-8"; LC_COLLATE = "de_DE.UTF-8";
}; };
nix.channel.enable = false;
nix.nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"nixpkgs-master=${inputs.nixpkgs-master}"
];
nix.settings = { nix.settings = {
substituters = [ substituters = [
# "https://cache.lix.systems" # "https://cache.lix.systems"
@ -61,7 +55,6 @@ in
# "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o=" # "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
# "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs=" # "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
]; ];
trusted-users = lib.mkDefault [ trusted-users = lib.mkDefault [
"root" "root"
"@wheel" "@wheel"
@ -84,8 +77,6 @@ in
# https://github.com/NixOS/nixpkgs/issues/361592 needed for run0 # https://github.com/NixOS/nixpkgs/issues/361592 needed for run0
security.pam.services.systemd-run0 = { }; security.pam.services.systemd-run0 = { };
# services.ssh.knownHosts = lib.mapAttrs' (n: v: lib.nameValuePair v.deployment.targetHost { publicKey = v.})
programs.yazi = { programs.yazi = {
enable = true; enable = true;
initLua = pkgs.writeText "yazi-init.lua" '' initLua = pkgs.writeText "yazi-init.lua" ''
@ -139,7 +130,7 @@ in
imagemagick imagemagick
jq jq
lm_sensors lm_sensors
moor moar
neofetch neofetch
nix-output-monitor nix-output-monitor
poppler poppler
@ -154,7 +145,7 @@ in
programs.mosh.enable = true; programs.mosh.enable = true;
environment.variables.EDITOR = "hx"; environment.variables.EDITOR = "hx";
environment.variables.VISUAL = "hx"; environment.variables.VISUAL = "hx";
environment.variables.PAGER = "moor"; environment.variables.PAGER = "moar";
environment.shellAliases = { environment.shellAliases = {
l = "ls -alh"; l = "ls -alh";
@ -170,7 +161,7 @@ in
p = "cd ~/proj"; p = "cd ~/proj";
ytl = ''yt-dlp -f "bv*+mergeall[vcodec=none]" --audio-multistreams''; ytl = ''yt-dlp -f "bv*+mergeall[vcodec=none]" --audio-multistreams'';
sudo = "run0"; sudo = "run0";
less = "moor"; less = "moar";
}; };
}; };
} }

131
modules/presets/gui.nix
View file

@ -1,7 +1,6 @@
{ {
pkgs, pkgs,
config, config,
inputs,
lib, lib,
... ...
}: }:
@ -22,7 +21,6 @@ in
pkgs.yubikey-personalization pkgs.yubikey-personalization
]; ];
xyno.desktop.niri.enable = true; xyno.desktop.niri.enable = true;
xyno.desktop.ibus.enable = true;
xyno.desktop.audio.enable = mkDefault true; xyno.desktop.audio.enable = mkDefault true;
xyno.user-services.khal.enable = true; xyno.user-services.khal.enable = true;
boot.kernelPackages = mkDefault pkgs.linuxPackages_zen; boot.kernelPackages = mkDefault pkgs.linuxPackages_zen;
@ -42,60 +40,9 @@ in
qt = { qt = {
enable = true; enable = true;
platformTheme = "qt5ct"; style = "breeze";
# platformTheme = "gnome";
}; };
home-manager.sharedModules =
let
gruvboxDarkColors = pkgs.writeText "gruvbox-dark.conf" ''
[ColorScheme]
active_colors=#ffebdbb2, #ff1d2021, #ffbdae93, #ffa89984, #ff3c3836, #ff504945, #ffebdbb2, #ffebdbb2, #ffebdbb2, #ff282828, #ff1d2021, #ff504945, #ff458588, #ff282828, #ff458588, #ffcc241d, #ff282828, #ffebdbb2, #ff1d2021, #ffebdbb2, #ffbdae93
disabled_colors=#ffbdae93, #ff1d2021, #ffbdae93, #ffa89984, #ff3c3836, #ff504945, #ffbdae93, #ffbdae93, #ffbdae93, #ff282828, #ff1d2021, #ff504945, #ff438184, #ff3c3836, #ff458588, #ffcc241d, #ff282828, #ffebdbb2, #ff1d2021, #ffebdbb2, #ffbdae93
inactive_colors=#ffebdbb2, #ff1d2021, #ffbdae93, #ffa89984, #ff3c3836, #ff504945, #ffebdbb2, #ffebdbb2, #ffebdbb2, #ff282828, #ff1d2021, #ff504945, #ff438184, #ffa89984, #ff458588, #ffcc241d, #ff282828, #ffebdbb2, #ff1d2021, #ffebdbb2, #ffbdae93
'';
qt5ctConf = pkgs.writeText "qt5ct.conf" ''
[Appearance]
color_scheme_path=${gruvboxDarkColors}
custom_palette=true
icon_theme=breeze-dark
standard_dialogs=xdgdesktopportal
style=Breeze
[Fonts]
fixed="Source Sans 3,12,-1,5,50,0,0,0,0,0"
general="Source Sans 3,12,-1,5,50,0,0,0,0,0"
'';
in
[
{
home.file.".config/qt5ct/qt5ct.conf".source = qt5ctConf;
home.file.".config/qt6ct/qt6ct.conf".source = qt5ctConf;
dconf = {
settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
gtk-theme = "adw-gtk3-dark";
};
};
};
gtk = {
enable = true;
iconTheme.name = "breeze-dark";
gtk4.extraConfig.gtk-application-prefer-dark-theme = 1;
gtk3.extraConfig.gtk-application-prefer-dark-theme = 1;
gtk3.theme.package = pkgs.adw-gtk3;
gtk3.theme.name = "adw-gtk3-dark";
gtk3.extraCss = ''
@import url("${inputs.adw-colors}/themes/adw-gruvbox/gtk3-dark.css");
'';
gtk4.extraCss = ''
@import url("${inputs.adw-colors}/themes/adw-gruvbox/gtk4-dark.css");
'';
};
}
];
programs.yazi = { programs.yazi = {
settings.keymap.mgr.prepend_keymap = [ settings.keymap.mgr.prepend_keymap = [
@ -123,34 +70,11 @@ in
# enable the gnome shit # enable the gnome shit
services.gnome.gnome-keyring.enable = true; services.gnome.gnome-keyring.enable = true;
services.gnome.gnome-online-accounts.enable = true; services.gnome.gnome-online-accounts.enable = true;
environment.systemPackages = with pkgs; [ services.gnome.core-apps.enable = true;
gnome-calendar
gnome-clocks
gnome-font-viewer
mate.engrampa
papirus-folders
kdePackages.gwenview
kdePackages.skanlite
kdePackages.okular
kdePackages.breeze-gtk
kdePackages.breeze.qt5
kdePackages.breeze
kdePackages.breeze-icons
nautilus # for xdg portal
];
services.gnome.gcr-ssh-agent.enable = mkForce false; services.gnome.gcr-ssh-agent.enable = mkForce false;
# services.gnome.sushi.enable = true; services.gnome.sushi.enable = true;
services.gnome.gnome-settings-daemon.enable = true; services.gnome.gnome-settings-daemon.enable = true;
services.gvfs.enable = true;
programs.thunar = {
enable = true;
plugins = with pkgs.xfce; [
thunar-archive-plugin
thunar-volman
];
};
services.tumbler.enable = true; # thunar image preview
services.gvfs.enable = true; # thunar network device mount
xdg.terminal-exec = { xdg.terminal-exec = {
enable = true; enable = true;
@ -164,28 +88,35 @@ in
{ pkgs, ... }: { pkgs, ... }:
{ {
xyno.mpv.enable = true; xyno.mpv.enable = true;
# xdg.mimeApps = { # xdg.mimeApps = {
# enable = true; # enable = true;
# defaultApplications = { # defaultApplications = {
# "x-scheme-handler/mailto" = [ "aerc.desktop" ]; # "x-scheme-handler/mailto" = [ "aerc.desktop" ];
# "inode/directory" = [ "org.gnome.Nautilus.desktop" ]; # "inode/directory" = [ "org.gnome.Nautilus.desktop" ];
# "application/x-gnome-saved-search" = [ "org.gnome.Nautilus.desktop" ]; # "application/x-gnome-saved-search" = [ "org.gnome.Nautilus.desktop" ];
# "x-scheme-handler/http" = "userapp-Zen-D2P132.desktop"; # "x-scheme-handler/http" = "userapp-Zen-D2P132.desktop";
# "x-scheme-handler/https" = "userapp-Zen-D2P132.desktop"; # "x-scheme-handler/https" = "userapp-Zen-D2P132.desktop";
# "x-scheme-handler/chrome" = "userapp-Zen-D2P132.desktop"; # "x-scheme-handler/chrome" = "userapp-Zen-D2P132.desktop";
# "text/html" = "userapp-Zen-D2P132.desktop"; # "text/html" = "userapp-Zen-D2P132.desktop";
# "application/x-extension-htm" = "userapp-Zen-D2P132.desktop"; # "application/x-extension-htm" = "userapp-Zen-D2P132.desktop";
# "application/x-extension-html" = "userapp-Zen-D2P132.desktop"; # "application/x-extension-html" = "userapp-Zen-D2P132.desktop";
# "application/x-extension-shtml" = "userapp-Zen-D2P132.desktop"; # "application/x-extension-shtml" = "userapp-Zen-D2P132.desktop";
# "application/xhtml+xml" = "userapp-Zen-D2P132.desktop"; # "application/xhtml+xml" = "userapp-Zen-D2P132.desktop";
# "application/x-extension-xhtml" = "userapp-Zen-D2P132.desktop"; # "application/x-extension-xhtml" = "userapp-Zen-D2P132.desktop";
# "application/x-extension-xht" = "userapp-Zen-D2P132.desktop"; # "application/x-extension-xht" = "userapp-Zen-D2P132.desktop";
# "application/pdf" = "org.gnome.Evince.desktop"; # "application/pdf" = "org.gnome.Evince.desktop";
# }; # };
# }; # };
}; };
environment.systemPackages = with pkgs; [
kdePackages.breeze-gtk
kdePackages.breeze.qt5
kdePackages.breeze
kdePackages.breeze-icons
];
# fonts # fonts
fonts.fontconfig.defaultFonts = { fonts.fontconfig.defaultFonts = {
sansSerif = [ sansSerif = [

107
modules/services/caddy/default.nix
View file

@ -7,16 +7,71 @@
with lib; with lib;
let let
cfg = config.xyno.services.caddy; cfg = config.xyno.services.caddy;
schema = import ./json-schema.nix { wildcardMatcherStr = wildcard: hostName: content: ''
inherit pkgs lib; @${hostName} host ${hostName}.${wildcard}
schema = builtins.fromJSON (builtins.readFile ./caddy_schema.json); handle @${hostName} {
${content.extraConfig}
}
'';
genOneWildcard = wildcard: host: {
extraConfig = ''
# extra pre
${host.extraConfigPre}
# block bots
${optionalString host.blockBots "import blockBots"}
# hosts handler
${concatStrings (mapAttrsToList (n: v: wildcardMatcherStr wildcard n v) host.hosts)}
# extra post
${host.extraConfigPost}
abort
'';
}; };
genVHostsFromWildcard = mapAttrs' (
n: v: nameValuePair "*.${n}" (genOneWildcard n v)
) cfg.wildcardHosts;
schema = import ./json-schema.nix { inherit pkgs lib; schema = builtins.fromJSON (builtins.readFile ./caddy_schema.json); };
in in
{ {
options.xyno.services.caddy.enable = mkEnableOption "enables caddy with the desec plugin"; options.xyno.services.caddy.enable = mkEnableOption "enables caddy with the desec plugin";
options.xyno.services.caddy.config = mkOption { options.xyno.services.caddy.config = mkOption {
default = { }; default = {};
type = schema.type; type = schema.type;
};
options.xyno.services.caddy.wildcardHosts = mkOption {
example = {
"hailsatan.eu" = {
blockBots = true;
hosts.md.extraConfig = ''reverse_proxy ...'';
};
};
default = { };
type =
with types;
attrsOf (submodule {
options = {
blockBots = mkOption {
type = bool;
default = false;
};
extraConfigPre = mkOption {
type = str;
default = "";
};
extraConfigPost = mkOption {
type = str;
default = "";
};
hosts = mkOption {
default = {};
type = attrsOf (submodule {
options = {
extraConfig = mkOption { type = lines; };
};
});
};
};
});
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
@ -24,32 +79,34 @@ in
443 443
]; ];
networking.firewall.allowedUDPPorts = [ 443 ]; networking.firewall.allowedUDPPorts = [ 443 ];
xyno.services.caddy.config = {
apps = {
http.metrics.per_host = true;
tls.automation.policies = [
{
issuers = [
{
ca = "https://acme-v02.api.letsencrypt.org/directory";
challenges.dns.provider = {
name = "desec";
token.path = ""; # TODO
};
}
];
module = "acme";
}
];
};
};
services.caddy = { services.caddy = {
enable = true; enable = true;
package = pkgs.caddy-desec; package = pkgs.caddy-desec;
adapter = "json"; adapter = "json";
configFile = json.generate "caddy-config.json" cfg.config; configFile = json.generate "caddy-config.json" cfg.config;
# virtualHosts = genVHostsFromWildcard;
# email = mkDefault "ssl@xyno.systems";
# acmeCA = mkDefault "https://acme-v02.api.letsencrypt.org/directory";
# globalConfig = ''
# metrics {
# per_host
# }
# '';
# extraConfig = ''
# (blockBots) {
# @botForbidden header_regexp User-Agent "(?i)AdsBot-Google|Amazonbot|anthropic-ai|Applebot|Applebot-Extended|AwarioRssBot|AwarioSmartBot|Bytespider|CCBot|ChatGPT|ChatGPT-User|Claude-Web|ClaudeBot|cohere-ai|DataForSeoBot|Diffbot|FacebookBot|Google-Extended|GPTBot|ImagesiftBot|magpie-crawler|omgili|Omgilibot|peer39_crawler|PerplexityBot|YouBot"
# handle @botForbidden {
# redir https://hil-speed.hetzner.com/10GB.bin
# }
# handle /robots.txt {
# respond <<TXT
# User-Agent: *
# Disallow: /
# TXT 200
# }
# }
# '';
}; };
xyno.services.monitoring.exporters.caddy = 2019; xyno.services.monitoring.exporters.caddy = 2019;

8
modules/services/caddy/json-schema.nix
View file

@ -36,11 +36,6 @@ let
in in
result; result;
deref = x: if x ? "$ref" then getRef x."$ref" else x; deref = x: if x ? "$ref" then getRef x."$ref" else x;
fileSubmod = types.submodule {
options.path = mkOption {
type = types.pathWith { inStore = false; absolute = true; };
};
};
buildOptionType = buildOptionType =
{ {
spec, spec,
@ -48,8 +43,7 @@ let
... ...
}: }:
let let
strType = if spec ? enum then types.enum spec.enum else types.str;
strType = if spec ? enum then types.enum spec.enum else (types.either types.str fileSubmod);
objType = types.submodule { objType = types.submodule {
freeformType = json.type; freeformType = json.type;
options = submoduleOptions { inherit spec depth; }; options = submoduleOptions { inherit spec depth; };

285
modules/services/kanidm.nix
View file

@ -1,285 +0,0 @@
{
pkgs,
lib,
config,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
mkOption
converge
mkMerge
filterAttrsRecursive
literalExpression
mapAttrsToList
concatStringsSep
attrNames
;
inherit (lib.types)
str
nullOr
pathWith
submodule
listOf
functionTo
attrsOf
lines
;
absPath = pathWith {
inStore = false;
absolute = true;
};
cfg = config.xyno.services.kanidm;
tlsDir = "/run/generated/kanidm-tls";
package = pkgs.kanidmWithSecretProvisioning_1_8.overrideAttrs (old: {
doCheck = false;
patches = old.patches ++ [
(pkgs.writeText "patch-kanidm-name" ''
diff --git a/server/lib/src/value.rs b/server/lib/src/value.rs
index 86b5a74c1..c83b2f93d 100644
--- a/server/lib/src/value.rs
+++ b/server/lib/src/value.rs
@@ -64,7 +64,7 @@ lazy_static! {
/// Only lowercase+numbers, with limited chars.
pub static ref INAME_RE: Regex = {
#[allow(clippy::expect_used)]
- Regex::new("^[a-z][a-z0-9-_\\.]{0,63}$").expect("Invalid Iname regex found")
+ Regex::new("^[a-z0-9-_\\.]{0,64}$").expect("Invalid Iname regex found")
};
/// Only alpha-numeric with limited special chars and space
'')
];
});
templatePlaceholders = {
clientId = ''\($get.attrs.name[0])'';
basicSecret = ''\($secret.secret)'';
env = v: ''\(env.${v})'';
};
in
{
options.xyno.services.kanidm.enable = mkEnableOption "enables kanidm";
options.xyno.services.kanidm.domain = mkOption {
default = "idm.xyno.systems";
type = str;
};
options.xyno.services.kanidm.isReplica = mkEnableOption "replica"; # TODO
options.xyno.services.kanidm.setupTraefik = mkEnableOption "traefik";
options.xyno.services.kanidm.templates = mkOption {
type = attrsOf (
submodule (
{ name, ... }:
{
options = {
path = mkOption {
type = absPath;
default = "/run/generated/kanidmTemplates/${name}";
};
user = mkOption {
type = str;
default = "root";
};
group = mkOption {
type = str;
default = "kanidm";
};
chmod = mkOption {
type = str;
default = "440";
};
wantedBy = mkOption {
type = listOf str;
default = [ ];
example = [ "traccar.service" ];
};
text = mkOption {
type = functionTo lines;
description = ''
jq templated string
current placeholders: ${concatStringsSep ", " (attrNames templatePlaceholders)}
'';
example = literalExpression ''
p: ${"''"}
OAUTH2_PROXY_CLIENT_ID=''${p.clientId}
OAUTH2_PROXY_CLIENT_SECRET=''${p.clientSecret}
${"''"}
'';
};
environmentFiles = mkOption {
type = listOf absPath;
default = [ ];
description = ''
add environment variables to the template file.
the environment variable BANANA would be accessible as
```
COOKIE_SECRET=''${p.env "BANANA"}
```
in the template
'';
};
};
}
)
);
example = {
traccar.text = p: ''
OPENID_CLIENTID=${p.clientId}
OPENID_SECRET=${p.basicSecret}
'';
};
};
options.xyno.services.kanidm.tls = {
keyPem = mkOption {
type = nullOr absPath;
default = null;
description = "autogenerated if unset";
};
certPem = mkOption {
default = "${tlsDir}/cert.pem";
type = absPath;
};
};
config = mkMerge [
(mkIf cfg.enable {
services.kanidm = {
enableServer = true;
enableClient = true;
inherit package;
clientSettings.uri = "https://${cfg.domain}";
provision = {
enable = true;
adminPasswordFile = config.sops.secrets."kanidm/adminPassword".path;
idmAdminPasswordFile = config.sops.secrets."kanidm/idmAdminPassword".path;
instanceUrl = "https://127.0.0.3:8443";
acceptInvalidCerts = true;
autoRemove = true;
groups.application_admins = {};
};
serverSettings = {
trust_x_forward_for = true;
tls_key = if cfg.tls.keyPem != null then cfg.tls.keyPem else "${tlsDir}/key.pem";
tls_chain = cfg.tls.certPem;
bindaddress = "127.0.0.3:8443";
origin = "https://${cfg.domain}";
domain = cfg.domain;
};
};
systemd.tmpfiles.rules = [ "d /run/generated/kanidmTemplates 1755 root kanidm -" ];
systemd.services = mkMerge (
(mapAttrsToList (n: v: {
"generate-kanidm-template-${n}" = {
serviceConfig = {
User = "root";
Group = "kanidm";
Type = "oneshot";
PrivateTmp = true;
EnvironmentFile = v.environmentFiles;
};
requires = [ "kanidm.service" ] ++ (lib.optional cfg.setupTraefik "traefik.service");
after = [
"kanidm.service"
"systemd-tmpfiles-setup.service"
]
++ (lib.optional cfg.setupTraefik "traefik.service");
before = v.wantedBy;
partOf = v.wantedBy;
wantedBy = if (builtins.length v.wantedBy) == 0 then [ "multi-user.target" ] else v.wantedBy;
enableStrictShellChecks = true;
path = [
package
pkgs.jq
];
environment.KANIDM_TOKEN_CACHE_PATH = "/tmp/kanidm-token-cache";
script =
let
templateText = v.text templatePlaceholders;
in
''
KANIDM_PASSWORD=$(cat "${
config.sops.secrets."kanidm/idmAdminPassword".path
}") kanidm login -D idm_admin
jq -r -s \
-f "${pkgs.writeText "kanidm-template-${n}" ''"${templateText}"''}" \
--argjson get "$(kanidm system oauth2 get --output json "${n}")" \
--argjson secret "$(kanidm system oauth2 show-basic-secret --output json "${n}")" \
> "${v.path}"
chown "${v.user}:${v.group}" "${v.path}"
chmod "${v.chmod}" "${v.path}"
'';
};
}) cfg.templates)
++ [
(mkIf (cfg.tls.keyPem == null) {
generate-kanidm-tls =
let
units = [
"kanidm.service"
]
++ (lib.optional cfg.setupTraefik "traefik.service");
in
{
serviceConfig = {
User = "root";
Group = "kanidm";
Type = "oneshot";
};
wantedBy = units;
before = units;
script = ''
mkdir -p ${tlsDir}
cd ${tlsDir}
${config.services.kanidm.package}/bin/kanidmd cert-generate -c ${
let
toml = pkgs.formats.toml { };
filterConfig = converge (filterAttrsRecursive (_: v: v != null));
in
toml.generate "kanidm-tls.conf" (filterConfig (config.services.kanidm.serverSettings))
}
chmod +g ${tlsDir}/*
'';
};
})
]
);
sops.secrets."kanidm/adminPassword" = {
sopsFile = ../../instances/${config.networking.hostName}/secrets/kanidm.yaml;
reloadUnits = [ "kanidm.service" ];
owner = "kanidm";
};
sops.secrets."kanidm/idmAdminPassword" = {
sopsFile = ../../instances/${config.networking.hostName}/secrets/kanidm.yaml;
reloadUnits = [ "kanidm.service" ];
owner = "kanidm";
};
xyno.impermanence.directories = [ "/var/lib/kanidm" ];
})
(mkIf (cfg.enable && cfg.setupTraefik) {
xyno.services.traefik.simpleProxy.kanidm = {
host = cfg.domain;
internal = "https://127.0.0.3:8443";
transport = "kanidm-https";
};
services.traefik.dynamicConfigOptions.http = mkIf (cfg.tls.keyPem == null) {
serversTransports."kanidm-https" = {
serverName = cfg.domain;
rootcas = [
"${tlsDir}/ca.pem"
];
};
};
})
];
}

21
modules/services/monitoring.nix
View file

@ -9,21 +9,17 @@ with lib;
let let
cfg = config.xyno.services.monitoring; cfg = config.xyno.services.monitoring;
# firstInstanceWithPromServer = firstInstanceWithPromServer = if cfg.prometheusServer then config.networking.hostName else (builtins.head (
# if cfg.prometheusServer then attrValues (filterAttrs (n: v: v.config.xyno.services.monitoring.prometheusServer) (otherNodes))
# config.networking.hostName )).config.networking.hostName;
# else vmBasicAuthUsername = "xyno-monitoring";
# (builtins.head (
# attrValues (filterAttrs (n: v: v.config.xyno.services.monitoring.prometheusServer) (otherNodes))
# )).config.networking.hostName;
# vmBasicAuthUsername = "xyno-monitoring";
in in
{ {
options.xyno.services.monitoring.enable = options.xyno.services.monitoring.enable =
mkEnableOption "enables monitoring (prometheus exporters and stuff)"; mkEnableOption "enables monitoring (prometheus exporters and stuff)";
options.xyno.services.monitoring.remoteWriteUrl = mkOption { options.xyno.services.monitoring.remoteWriteUrl = mkOption {
type = types.str; type = types.str;
default = "https://metrics.xyno.systems/api/v1/write"; default = "http://${firstInstanceWithPromServer}.${config.xyno.services.wireguard.monHostsDomain}:8428/api/v1/write";
description = "where prometheus metrics should be pushed to"; description = "where prometheus metrics should be pushed to";
}; };
options.xyno.services.monitoring.prometheusServer = mkOption { options.xyno.services.monitoring.prometheusServer = mkOption {
@ -48,9 +44,8 @@ in
enabledCollectors = [ "systemd" ]; enabledCollectors = [ "systemd" ];
}; };
xyno.services.monitoring.exporters.node = config.services.prometheus.exporters.node.port; xyno.services.monitoring.exporters.node = config.services.prometheus.exporters.node.port;
# TODO: oauth2 with client per host -> kanidm -> oauth2-proxy -> victoriametrics server
services.vmagent = { services.vmagent = {
remoteWrite.url = if cfg.prometheusServer then "http://localhost:8428/api/v1/write" else cfg.remoteWriteUrl; remoteWrite.url = cfg.remoteWriteUrl;
remoteWrite.basicAuthUsername = vmBasicAuthUsername; remoteWrite.basicAuthUsername = vmBasicAuthUsername;
remoteWrite.basicAuthPasswordFile = config.sops.secrets."victoriametrics/basicAuthPassword".path; remoteWrite.basicAuthPasswordFile = config.sops.secrets."victoriametrics/basicAuthPassword".path;
@ -89,9 +84,7 @@ in
]; ];
}; };
services.grafana.declarativePlugins = with pkgs.grafanaPlugins; [ services.grafana.declarativePlugins = with pkgs.grafanaPlugins; [ victoriametrics-metrics-datasource ];
victoriametrics-metrics-datasource
];
}) })
]; ];

85
modules/services/oauth2Proxy/default.nix
View file

@ -1,85 +0,0 @@
{
pkgs,
lib,
config,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
mkOption
getExe
;
inherit (lib.types)
pathWith
listOf
;
cfg = config.xyno.services.oauth2Proxy;
settingsFormat = pkgs.formats.toml { };
configFile = settingsFormat.generate "oauth2-proxy.conf" cfg.settings;
absPath = pathWith {
inStore = false;
absolute = true;
};
in
{
options.xyno.services.oauth2Proxy = {
enable = mkEnableOption "oauth2-proxy";
package = lib.mkPackageOption pkgs "oauth2-proxy" { };
settings = mkOption {
type = settingsFormat.type;
description = "what to add to the config toml file";
};
environmentFiles = mkOption {
type = listOf absPath;
default = [ ];
example = [ "/run/secrets/oauth2Proxy" ];
};
};
config = mkIf cfg.enable {
systemd.services.oauth2-proxy = {
wantedBy = [ "multi-user.target" ];
description = "OAuth2 Proxy (66642's less weird version)";
confinement.enable = true;
after = [ "network.target" ];
serviceConfig = {
BindReadOnlyPaths = [
"-/etc/resolv.conf"
"-/run/systemd"
"/etc/hosts"
"${config.security.pki.caBundle}:/etc/ssl/certs/ca-certificates.crt"
];
ExecStart = "${getExe cfg.package} --config=${configFile}";
EnvironmentFile = cfg.environmentFiles;
DynamicUser = true;
CapabilityBoundingSet = [ "" ];
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
PrivateDevices = true;
UMask = "0022";
SystemCallFilter = [ "@system-service" ];
SystemCallErrorNumber = "EPERM";
LockPersonality = true;
PrivateTmp = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
};
};
};
}

208
modules/services/oauth2Proxy/integration.nix
View file

@ -1,208 +0,0 @@
{
lib,
config,
...
}:
let
inherit (lib)
mkIf
mkOption
mkMerge
attrNames
mapAttrsToList
;
inherit (lib.types)
str
nullOr
submodule
listOf
attrsOf
;
cfg = config.xyno.services.oauth2Proxy;
kanidmCfg = config.xyno.services.kanidm;
oauth2ProxyInternalHostPort = "127.0.0.4:4180";
oauth2ProxyInternalHostPortMetrics = "127.0.0.4:4181";
in
{
options.xyno.services.oauth2Proxy = {
domain = mkOption {
default = "oauth.xyno.systems";
type = str;
};
hosts = mkOption {
type = attrsOf (
submodule (
{ name, ... }:
{
options.allowedGroups = mkOption {
type = nullOr (listOf str);
default = null;
};
options.allowed_email_domains = mkOption {
type = nullOr (listOf str);
default = null;
};
options.allowed_emails = mkOption {
type = nullOr (listOf str);
default = null;
};
options.middlewares = mkOption {
type = listOf str;
description = "add to your service";
default = [
"oauth-errors"
"oauth-host-${name}"
];
};
}
)
);
example = {
"navidrome.xyno.systems" = {
allowedGroups = [ "navidrome_access@idm.xyno.systems" ];
};
};
default = { };
};
};
config = mkIf (cfg.enable && config.xyno.services.kanidm.enable) {
services.kanidm.provision = {
groups = {
proxy_users.members = [ "application_admins" ];
};
systems.oauth2.oauth2_proxy = {
displayName = "oauth2 proxy";
originUrl = [
"https://${cfg.domain}/oauth2/callback"
]
++ (mapAttrsToList (n: v: "https://${n}/oauth2/callback") cfg.hosts);
originLanding = "https://${cfg.domain}/oauth2/sign_in";
preferShortUsername = true;
claimMaps = {
"proxy_group" = {
joinType = "array";
valuesByGroup = {
"proxy_users" = [
"proxy_users"
];
};
};
};
scopeMaps."proxy_users" = [
"email"
"openid"
];
};
};
xyno.services.kanidm.templates.oauth2_proxy = {
wantedBy = [
"oauth2-proxy.service"
];
text = p: ''
OAUTH2_PROXY_CLIENT_ID=${p.clientId}
OAUTH2_PROXY_CLIENT_SECRET=${p.basicSecret}
OAUTH2_PROXY_COOKIE_SECRET=${p.env "COOKIE_SECRET"}
OAUTH2_PROXY_OIDC_ISSUER_URL=https://${kanidmCfg.domain}/oauth2/openid/${p.clientId}
'';
environmentFiles = [ config.sops.templates.oauth2ProxyEnv.path ];
};
sops.secrets."oauth2Proxy/cookieSecret" = {
sopsFile = ../../../instances/${config.networking.hostName}/secrets/kanidm.yaml;
};
sops.templates."oauth2ProxyEnv" = {
restartUnits = [ "generate-kanidm-template-oauth2_proxy.service" ];
content = ''
COOKIE_SECRET=${config.sops.placeholder."oauth2Proxy/cookieSecret"}
'';
};
xyno.services.monitoring.exporters.oauth2Proxy = "http://${oauth2ProxyInternalHostPortMetrics}";
systemd.services.oauth2Proxy.after = [ "traefik.service" ];
xyno.services.oauth2Proxy = {
environmentFiles = [ kanidmCfg.templates.oauth2_proxy.path ];
settings = mkMerge [
{
provider = "oidc";
scope = "openid email";
oidc_groups_claim = "proxy_group";
allowed_groups = [ "proxy_users" ];
http_address = "${oauth2ProxyInternalHostPort}";
https_address = "";
whitelist_domains = attrNames cfg.hosts;
email_domains = "*";
skip_provider_button = true;
code_challenge_method = "S256";
set_xauthrequest = true;
}
(mkIf config.xyno.services.monitoring.enable {
metrics_address = "http://${oauth2ProxyInternalHostPortMetrics}";
})
];
};
xyno.services.traefik.simpleProxy = mkMerge (
[
{
oauth = {
rule = "Host(`${cfg.domain}`) && PathPrefix(`/oauth2`)";
internal = "http://${oauth2ProxyInternalHostPort}";
middlewares = [ "auth-headers" ];
host = cfg.domain;
};
}
]
++ (mapAttrsToList (n: v: {
"oauth-host-${n}" = {
rule = "Host(`${n}`) && PathPrefix(`/oauth2`)";
internal = "http://${oauth2ProxyInternalHostPort}";
middlewares = [ "auth-headers" ];
host = n;
};
}) cfg.hosts)
);
services.traefik.dynamicConfigOptions.http.middlewares = mkMerge (
(mapAttrsToList (n: v: {
"oauth-host-${n}" =
let
maybeQueryArg =
name: value:
if name == "middlewares" || value == null then
null
else
"${name}=${lib.concatStringsSep "," (builtins.map lib.escapeURL value)}";
allArgs = lib.mapAttrsToList maybeQueryArg v;
cleanArgs = builtins.filter (x: x != null) allArgs;
cleanArgsStr = lib.concatStringsSep "&" cleanArgs;
in
{
forwardAuth = {
address = "https://${cfg.domain}/oauth2/auth?${cleanArgsStr}";
authResponseHeaders = [
"X-Auth-Request-User"
"X-Auth-Request-Groups"
"X-Auth-Request-Email"
"X-Auth-Request-Preferred-Username"
];
trustForwardHeader = true;
};
};
}) cfg.hosts)
++ [
{
auth-headers.headers = {
frameDeny = true;
contentTypeNosniff = true;
};
oauth-errors.errors = {
status = [ "401-403" ];
service = config.xyno.services.traefik.simpleProxy.oauth.serviceName;
query = "/oauth2/sign_in?rd={url}";
};
}
]
);
};
}

6
modules/services/postgres.nix
View file

@ -12,9 +12,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_18; package = pkgs.postgresql_17_jit;
enableJIT = true;
extensions = ps: with ps; [ timescaledb-apache ];
identMap = '' identMap = ''
# ArbitraryMapName systemUser DBUser # ArbitraryMapName systemUser DBUser
superuser_map root postgres superuser_map root postgres
@ -28,7 +26,7 @@ in
}; };
xyno.services.monitoring.exporters.postgres = config.services.prometheus.exporters.postgres.port; xyno.services.monitoring.exporters.postgres = config.services.prometheus.exporters.postgres.port;
xyno.impermanence.directories = [ "/var/lib/postgresql" ]; xyno.impermanence.extraDirectories = [ "/var/lib/postgresql" ];
services.borgmatic.settings.postgresql_databases = [ services.borgmatic.settings.postgresql_databases = [
{ {

247
modules/services/traefik.nix
View file

@ -1,247 +0,0 @@
{
pkgs,
lib,
config,
...
}:
let
inherit (lib)
mapAttrsToList
mkMerge
splitString
concatStringsSep
mkIf
mkOption
mkEnableOption
;
inherit (lib.types)
str
bool
nullOr
anything
attrsOf
submodule
listOf
;
cfg = config.xyno.services.traefik;
simpleProxyOpts = mapAttrsToList (
n: v:
let
router = v.routerName;
service = v.serviceName;
spl = splitString "." v.host;
certDomain = if (builtins.length spl) > 2 then concatStringsSep "." (builtins.tail spl) else spl;
in
mkMerge [
(mkIf v.robotProtection {
routers."${router}-robotstxt" = {
service = "robotstxt";
rule = "Host(`${v.host}`) && Path(`/robots.txt`)";
tls.certResolver = "letsencrypt";
tls.domains = [
{
main = certDomain;
sans = [ "*.${certDomain}" ];
}
];
};
services.robotstxt = {
loadBalancer.servers = [
{ url = "http://127.0.0.2:8080"; }
];
};
})
{
routers.${router} = {
inherit service;
inherit (v) middlewares;
rule = if v.rule != null then v.rule else "Host(`${v.host}`)";
tls.certResolver = "letsencrypt";
tls.domains = [
{
main = certDomain;
sans = [ "*.${certDomain}" ];
}
];
};
services.${service} = {
loadBalancer.servers = [
{ url = v.internal; }
];
loadBalancer.serversTransport = mkIf (v.transport != null) v.transport;
};
}
]
) cfg.simpleProxy;
in
{
options.xyno.services.traefik.enable = mkEnableOption "enables traefik";
options.xyno.services.traefik.noBots = mkOption {
type = bool;
default = true;
};
options.xyno.services.traefik.simpleProxy = mkOption {
example = {
"example" = {
host = "example.org";
middlewares = [ "meow" ];
internal = "http://127.0.0.1:8080";
};
};
default = { };
type = attrsOf (
submodule (
{ config, name,... }:
{
options = {
middlewares = mkOption {
type = listOf str;
default = [];
};
internal = mkOption {
type = str;
description = "where to proxy to";
};
host = mkOption {
type = str;
description = "used for the route and tls";
};
routerName = mkOption {
type = str;
default = "simpleproxy-${name}-router";
};
serviceName = mkOption {
type = str;
default = "simpleproxy-${name}-service";
};
robotProtection = mkOption {
type = bool;
default = true;
description = "robots.txt and (soon) iocane";
};
rule = mkOption {
type = str;
default = "Host(`${config.host}`)";
description = "overrides the Host(`\${host}`) rule with something custom if set";
};
transport = mkOption {
type = nullOr anything;
default = null;
};
};
}
)
);
};
config = mkIf cfg.enable {
services.nginx = {
enable = mkIf cfg.noBots true;
defaultListen = mkIf cfg.noBots [
{
addr = "127.0.0.2";
port = 8080;
}
];
virtualHosts._.default = true;
virtualHosts._.locations."/".root = pkgs.writeTextFile {
name = "robots.txt";
destination = "/robots.txt";
text = ''
User-agent: *
Disallow: /
'';
};
};
services.traefik = {
enable = true;
environmentFiles = [
config.sops.templates."traefik.env".path
];
staticConfigOptions = {
accessLog = {};
metrics = mkIf config.xyno.services.monitoring.enable {
otlp.http.endpoint = "http://localhost:8429/v1/metrics";
};
entryponits.web = {
address = ":80";
redirections.entryPoint = {
to = "websecure";
scheme = "https";
permanent = true;
};
};
entrypoints.websecure = {
address = ":443";
http.tls.certResolver = "letsencrypt";
http3 = { };
};
log.level = "INFO";
certificatesResolvers.letsencrypt.acme = {
email = "ssl@xyno.systems";
caServer = "https://acme-v02.api.letsencrypt.org/directory";
dnsChallenge = {
resolvers = [
"8.8.8.8"
"1.1.1.1"
];
provider = "desec";
};
};
};
dynamicConfigOptions = {
http = mkMerge simpleProxyOpts;
# tls.options.default = {
# # mozilla modern
# minVersion = "VersionTLS13";
# curvePreferences = [
# "X25519"
# "CurveP256"
# "CurveP384"
# ];
# };
# tls.options.old = {
# # mozilla intermediate
# minVersion = "VersionTLS12";
# curvePreferences = [
# "X25519"
# "CurveP256"
# "CurveP384"
# ];
# cipherSuites = [
# "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
# "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
# "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
# "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
# "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
# "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
# ];
# };
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
networking.firewall.allowedUDPPorts = [ 443 ];
xyno.impermanence.directories = [ config.services.traefik.dataDir ];
sops.secrets."desec_token" = {
};
sops.templates."traefik.env".content = ''
DESEC_TOKEN=${config.sops.placeholder.desec_token}
DESEC_PROPAGATION_TIMEOUT=1200
LEGO_DISABLE_CNAME_SUPPORT=true
'';
sops.templates."traefik.env".reloadUnits = [ "traefik.service" ];
# services.borgmatic.settings.traefikql_databases = [
# {
# name = "all"; # gets run as root anyways so can log in
# }
# ];
};
}

18
modules/system/impermanence.nix
View file

@ -21,25 +21,24 @@ in
{ {
options.xyno.impermanence = { options.xyno.impermanence = {
enable = lib.mkEnableOption "erase all your darlings (they hate you anyways)"; enable = lib.mkEnableOption "erase all your darlings (they hate you anyways)";
files = lib.mkOption { type = lib.types.listOf lib.types.str; default = []; }; files = lib.mkOption { type = lib.types.listOf lib.types.str; };
directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];}; directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
user = { user = {
files = lib.mkOption { type = lib.types.listOf lib.types.str; default = [];}; files = lib.mkOption { type = lib.types.listOf lib.types.str; };
directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];}; directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
}; };
# have a seperate impermanence tree for "cache" files that can just be deleted if wanted # have a seperate impermanence tree for "cache" files that can just be deleted if wanted
cache = { cache = {
files = lib.mkOption { type = lib.types.listOf lib.types.str; default = [];}; files = lib.mkOption { type = lib.types.listOf lib.types.str; };
directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];}; directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
user = { user = {
files = lib.mkOption { type = lib.types.listOf lib.types.str; default = [];}; files = lib.mkOption { type = lib.types.listOf lib.types.str; };
directories = lib.mkOption { type = lib.types.listOf lib.types.anything; default = [];}; directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
}; };
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
users.mutableUsers = false;
xyno.impermanence.files = [ xyno.impermanence.files = [
"/etc/machine-id" # systemd/zfs unhappy otherwise "/etc/machine-id" # systemd/zfs unhappy otherwise
]; ];
@ -48,7 +47,6 @@ in
"/var/lib/systemd/coredump" "/var/lib/systemd/coredump"
"/etc/ssh" # host keys "/etc/ssh" # host keys
"/var/lib/sbctl" # lanzaboote "/var/lib/sbctl" # lanzaboote
"/var/lib/nixos"
]; ];
xyno.impermanence.user.directories = [ xyno.impermanence.user.directories = [

2
modules/system/meta.nix
View file

@ -1,6 +1,6 @@
{lib,...}: with lib;{ {lib,...}: with lib;{
options.xyno.meta = { options.xyno.meta = {
sopsKey = mkOption { type = types.str; }; sopsKey = mkOption { type = types.text; };
}; };
config = { config = {
sops.defaultSopsFile = ../../secrets/common.yaml; sops.defaultSopsFile = ../../secrets/common.yaml;

10
overlays/default.nix
View file

@ -28,5 +28,15 @@ inputs: self: super: {
python-uhid = super.callPackage ../packages/uhid.nix {}; python-uhid = super.callPackage ../packages/uhid.nix {};
caddy-desec = super.callPackage ../packages/caddy-desec.nix {}; caddy-desec = super.callPackage ../packages/caddy-desec.nix {};
# todo: remove on next supersonic release
supersonic-wayland = super.supersonic-wayland.overrideAttrs (old: {
patches = (if old?patches then old.patches else []) ++ [
(self.fetchpatch2 {
url = "https://github.com/dweymouth/supersonic/commit/ee742cf34ef7225d345c16354d9c21d72a41bf4a.patch";
hash = "sha256-kSeEbzrfJ4Pe8JC4rIWlSmADOcjrCRBNWlcO8VfVnn4=";
})
];
vendorHash = "sha256-Sh3PxRwb6ElSeWzdvIQ+nD9VVGlpUDwxG7nAoGWPTRQ=";
});
} }

9
secrets/common.yaml
View file

@ -1,18 +1,17 @@
victoriametrics: victoriametrics:
basicAuthPassword: ENC[AES256_GCM,data:5QuhkQ344qDYzhGZBJimaX94C6oxgYBRZw4MSlycdgs6zRAudMIu/HF1gpjythQpait81jMpFhIn57w433s7QQ==,iv:gytJ63cBaJseCis7gEPmOX6LeddNloQsTjc1SnS56jo=,tag:Jn6TevGsBEeHxYmVHy896w==,type:str] basicAuthPassword: ENC[AES256_GCM,data:5QuhkQ344qDYzhGZBJimaX94C6oxgYBRZw4MSlycdgs6zRAudMIu/HF1gpjythQpait81jMpFhIn57w433s7QQ==,iv:gytJ63cBaJseCis7gEPmOX6LeddNloQsTjc1SnS56jo=,tag:Jn6TevGsBEeHxYmVHy896w==,type:str]
desec_token: ENC[AES256_GCM,data:3aqlfpAEMyOSNGdLXm4lc0VZajduPkTYkYd+WA==,iv:sktNkKWaD/hjsQpSJzAZeCvwYXfvkhQ2A44BKedCZRg=,tag:XbxIr09c60V0PMDitSOD/w==,type:str]
wg: wg:
psk: ENC[AES256_GCM,data:Anpe6IxtzsqZyvas+ddV3yjJozdZgZOl2KG/Z4YtWUB5gAVLtxsQKc/WA/M=,iv:j/A5k2VXbdqUDXEd1WRfJYdb3DsUZ1B9gPHCpDpRjmw=,tag:KQGi1O5iP2+nQccgBzytSQ==,type:str] psk: ENC[AES256_GCM,data:Anpe6IxtzsqZyvas+ddV3yjJozdZgZOl2KG/Z4YtWUB5gAVLtxsQKc/WA/M=,iv:j/A5k2VXbdqUDXEd1WRfJYdb3DsUZ1B9gPHCpDpRjmw=,tag:KQGi1O5iP2+nQccgBzytSQ==,type:str]
msmtp: msmtp:
host: ENC[AES256_GCM,data:YxiLT5t2H52IZvB02Pjntvg=,iv:nuMPI6fuvQ4U0+xj3SF27ZO/b2knKUsO6jCf9aJqQa4=,tag:9DucIq+LUozuPLL3s8UjDQ==,type:str] host: ENC[AES256_GCM,data:YxiLT5t2H52IZvB02Pjntvg=,iv:nuMPI6fuvQ4U0+xj3SF27ZO/b2knKUsO6jCf9aJqQa4=,tag:9DucIq+LUozuPLL3s8UjDQ==,type:str]
port: ENC[AES256_GCM,data:W7L1,iv:q2TQTGTxOWCWqgjTBmVKarVbe+mNd/rwAupXJOl4WYQ=,tag:xW/GUGCIfn466icpIvyvCQ==,type:str] port: ENC[AES256_GCM,data:zbe7,iv:cwoK0oCIzwmQ6xHFX94KDfd7Fu+pC96c9+AnK/KpQp4=,tag:IfsCHk0SpBeQ4bD0WXyQcw==,type:int]
from: ENC[AES256_GCM,data:QpUgsghc7e5OFJO8afzx6bt1,iv:ffrlbqFu2p5/uwv5MN9rf7iZSmfozYSwr3WkEvXNZhA=,tag:B3g+6WexBw6j6EgukX5LDg==,type:str] from: ENC[AES256_GCM,data:QpUgsghc7e5OFJO8afzx6bt1,iv:ffrlbqFu2p5/uwv5MN9rf7iZSmfozYSwr3WkEvXNZhA=,tag:B3g+6WexBw6j6EgukX5LDg==,type:str]
user: ENC[AES256_GCM,data:H2OxJp6q1QCxBxIXThXrj+SU,iv:Cu7KFDaiqM0cuofnqkLnE6Zb6ufLw6wQRSk1pthDAAo=,tag:oM1VefUo9kK8k7lHKnxOjA==,type:str] user: ENC[AES256_GCM,data:H2OxJp6q1QCxBxIXThXrj+SU,iv:Cu7KFDaiqM0cuofnqkLnE6Zb6ufLw6wQRSk1pthDAAo=,tag:oM1VefUo9kK8k7lHKnxOjA==,type:str]
password: ENC[AES256_GCM,data:mAgsvDPzt8f/RB/2T8nrd+KUcuxUGIdCBDs5sFla5x0=,iv:qndiiKTuSpbf/gtNXPaZ6AnHHwzZ7IPJrDFriM7bKwE=,tag:5j+gjpaxIu03x1lBkRMLhQ==,type:str] password: ENC[AES256_GCM,data:mAgsvDPzt8f/RB/2T8nrd+KUcuxUGIdCBDs5sFla5x0=,iv:qndiiKTuSpbf/gtNXPaZ6AnHHwzZ7IPJrDFriM7bKwE=,tag:5j+gjpaxIu03x1lBkRMLhQ==,type:str]
aliases: ENC[AES256_GCM,data:fOZRYZ8rVs3IXhiS+VaP54gF4bir66oIZvb7ZfKV,iv:bsmh1ZCwERZuHrvORP68hj5Gz7j3+K6ZW8BR3/IQVQg=,tag:jWozmXpjk3JHCINSgP4KGg==,type:str] aliases: ENC[AES256_GCM,data:fOZRYZ8rVs3IXhiS+VaP54gF4bir66oIZvb7ZfKV,iv:bsmh1ZCwERZuHrvORP68hj5Gz7j3+K6ZW8BR3/IQVQg=,tag:jWozmXpjk3JHCINSgP4KGg==,type:str]
sops: sops:
lastmodified: "2025-11-24T11:48:22Z" lastmodified: "2025-09-06T16:50:17Z"
mac: ENC[AES256_GCM,data:wA4AwEX67amH4UneZqV03PnaLUscUnj4VAmOqzjOTA9dKAV3KzFwD4NqRs2Dy8ap6kOOIS67gZ+3WV8QySyLT84zhEPSjB6M1FURV+LQjd4nc5EBP4Y67osy/QGB4U0d6shHt1sTFmHG2dJvTB7sPDSlRvgDhHE/ApcWuNFUfTY=,iv:Umacpqk+Zge9a9tlSsfjz1mcQvtequK8K4qLVJu8PCg=,tag:H09qfzM/xyn7TLkPCgtS6Q==,type:str] mac: ENC[AES256_GCM,data:QdWLok9IBqTaO3StKRiAXcMIZSV5YJQoYY+3cZZ7xARbmvn5cDqnapv3HIJju7v5V48tNG3aXy1nJHG4kKVuDIMd7s7PPjLL1k0dEsnTs4YwE8XugZX86nXuSUZeUuQNfnR9sFOKho/o/I9W5hCp0IcEgo+Bs1dD3IvYxuv6Nzk=,iv:IHEDtI6lo76qPgBvBETg/SiT/tfFivN8r8J7tt93IbQ=,tag:ifW8UVaf5r8Y9HUUtCkAQQ==,type:str]
pgp: pgp:
- created_at: "2025-09-06T16:37:33Z" - created_at: "2025-09-06T16:37:33Z"
enc: |- enc: |-
@ -64,4 +63,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f fp: b730b2bf54eb792a14bfd3e68c14c08894376c5f
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.10.2

2
sops.nix
View file

@ -12,7 +12,7 @@ let
"0D98D5964AC8BB1CA034CE4EC456133700066642" # xyno main gpg key "0D98D5964AC8BB1CA034CE4EC456133700066642" # xyno main gpg key
]; ];
keysPerHost = ( keysPerHost = (
mapAttrs (n: v: (toList v.config.xyno.meta.sopsKey)) (filterAttrs (n: v: v.config.xyno.meta.sopsKey != null) instanceConfigs) mapAttrs (n: v: (toList v.sopsKey)) (filterAttrs (n: v: v ? sopsKey) instanceConfigs)
); );
desktopHostNames = [ "theseus" ]; desktopHostNames = [ "theseus" ];