xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

treewide: apply the new rfc nixfmt

Browse source
This commit is contained in:
xinyangli 2024-08-25 17:45:58 +08:00
parent e702d503b9
commit 7a795e5ed9
Signed by: xin
SSH key fingerprint: SHA256:qZ/tzd8lYRtUFSrfBDBMcUqV4GHKxqeqRA3huItgvbk
53 changed files with 1371 additions and 888 deletions
Download patch file Download diff file Expand all files Collapse all files

78
machines/calcite/configuration.nix
View file

@ -1,13 +1,17 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./network.nix
../sops.nix
];
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./network.nix
../sops.nix
];
commonSettings = {
auth.enable = true;
@ -22,7 +26,11 @@
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
# boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" ];
boot.kernelModules = [
"nvidia"
"nvidia_modeset"
"nvidia_uvm"
];
boot.supportedFilesystems = [ "ntfs" ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
@ -45,7 +53,9 @@
programs.steam = {
enable = true;
gamescopeSession = { enable = true; };
gamescopeSession = {
enable = true;
};
};
programs.oidc-agent.enable = true;
@ -93,7 +103,6 @@
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11
services.xserver = {
xkb.layout = "us";
@ -135,7 +144,12 @@
users.users.xin = {
isNormalUser = true;
description = "xin";
extraGroups = [ "networkmanager" "wheel" "wireshark" "tss" ];
extraGroups = [
"networkmanager"
"wheel"
"wireshark"
"tss"
];
};
services.kanidm = {
@ -179,13 +193,14 @@
# reference: https://nixos.wiki/wiki/Python
(
let
my-python-packages = python-packages: with python-packages; [
pandas
requests
numpy
pyyaml
setuptools
];
my-python-packages =
python-packages: with python-packages; [
pandas
requests
numpy
pyyaml
setuptools
];
python-with-my-packages = python3.withPackages my-python-packages;
in
python-with-my-packages
@ -280,14 +295,19 @@
acceleration = "cuda";
};
# MTP support
services.gvfs.enable = true;
# Fonts
fonts = {
packages = with pkgs; [
(nerdfonts.override { fonts = [ "FiraCode" "FiraMono" "JetBrainsMono" ]; })
(nerdfonts.override {
fonts = [
"FiraCode"
"FiraMono"
"JetBrainsMono"
];
})
noto-fonts
noto-fonts-emoji
liberation_ttf
@ -305,9 +325,19 @@
];
fontconfig = {
defaultFonts = {
serif = [ "Noto Serif CJK SC" "Ubuntu" ];
sansSerif = [ "Noto Sans CJK SC" "Ubuntu" ];
monospace = [ "FiraCode NerdFont Mono" "Noto Sans Mono CJK SC" "Ubuntu" ];
serif = [
"Noto Serif CJK SC"
"Ubuntu"
];
sansSerif = [
"Noto Sans CJK SC"
"Ubuntu"
];
monospace = [
"FiraCode NerdFont Mono"
"Noto Sans Mono CJK SC"
"Ubuntu"
];
};
};
enableDefaultPackages = true;

56
machines/calcite/hardware-configuration.nix
View file

@ -1,14 +1,23 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ];
boot.initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"ahci"
"usbhid"
];
boot.initrd.kernelModules = [ ];
boot.initrd.luks.devices.cryptroot = {
device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d";
@ -16,26 +25,29 @@
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ # device = "/dev/disk/by-label/NIXROOT";
device = "/dev/mapper/cryptroot";
fsType = "btrfs";
};
fileSystems."/" = {
# device = "/dev/disk/by-label/NIXROOT";
device = "/dev/mapper/cryptroot";
fsType = "btrfs";
};
fileSystems."/boot/efi" =
{ device = "/dev/disk/by-label/EFIBOOT";
fsType = "vfat";
};
fileSystems."/boot/efi" = {
device = "/dev/disk/by-label/EFIBOOT";
fsType = "vfat";
};
fileSystems."/media/data" =
{ device = "/dev/nvme0n1p7";
fsType = "ntfs-3g";
options = [ "rw" "uid=1000" "nofail" "x-systemd.device-timeout=2" ];
};
swapDevices =
[ { device = "/dev/disk/by-label/NIXSWAP"; }
fileSystems."/media/data" = {
device = "/dev/nvme0n1p7";
fsType = "ntfs-3g";
options = [
"rw"
"uid=1000"
"nofail"
"x-systemd.device-timeout=2"
];
};
swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's

9
machines/calcite/network.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ...}:
{ config, pkgs, ... }:
{
imports = [ ];
@ -38,10 +38,11 @@
# Open ports in the firewall.
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 3389 ];
networking.firewall.allowedUDPPorts = [ 3389 41641 ];
networking.firewall.trustedInterfaces = [
"tailscale0"
networking.firewall.allowedUDPPorts = [
3389
41641
];
networking.firewall.trustedInterfaces = [ "tailscale0" ];
# Use nftables to manager firewall
networking.nftables.enable = true;

34
machines/dolomite/bandwagon.nix
View file

@ -1,30 +1,42 @@
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
let
cfg = config.isBandwagon;
in
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
options = {
isBandwagon = lib.mkEnableOption "Bandwagon instance";
};
config = lib.mkIf cfg {
boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.availableKernelModules = [
"ata_piix"
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXROOT";
fsType = "xfs";
};
fileSystems."/" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "xfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
};
swapDevices = [ ];

214
machines/dolomite/default.nix
View file

@ -1,6 +1,6 @@
{ config, lib, ... }:
let
awsHosts = [ "tok-00"];
awsHosts = [ "tok-00" ];
bwgHosts = [ "la-00" ];
in
{
@ -10,7 +10,6 @@ in
./lightsail.nix
];
config = {
isBandwagon = builtins.elem config.networking.hostName bwgHosts;
isLightsail = builtins.elem config.networking.hostName awsHosts;
@ -45,7 +44,10 @@ in
reverse_proxy 127.0.0.1:30310
'';
networking.firewall.allowedTCPPorts = [ 80 8080 ];
networking.firewall.allowedTCPPorts = [
80
8080
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
custom.prometheus = {
@ -80,119 +82,129 @@ in
wheelNeedsPassword = false;
};
services.sing-box = let
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
password = {
_secret = config.sops.secrets.singbox_password.path;
};
uuid = {
_secret = config.sops.secrets.singbox_uuid.path;
};
in
{
enable = true;
settings = {
dns = {
servers = [
{
tag = "warp";
address = "1.1.1.1";
detour = "wg-out";
}
{
tag = "directdns";
address = "h3://8.8.8.8/dns-query";
}
];
rules = [
{
outbound = "wg-out";
server = "warp";
}
{
outbound = "direct";
server = "directdns";
}
];
services.sing-box =
let
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path =
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
inbounds = [
{
tag = "sg0";
type = "trojan";
listen = "::";
listen_port = 8080;
users = [
{ name = "proxy";
password = password;
password = {
_secret = config.sops.secrets.singbox_password.path;
};
uuid = {
_secret = config.sops.secrets.singbox_uuid.path;
};
in
{
enable = true;
settings = {
dns = {
servers = [
{
tag = "warp";
address = "1.1.1.1";
detour = "wg-out";
}
{
tag = "directdns";
address = "h3://8.8.8.8/dns-query";
}
];
tls = singTls;
}
] ++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310);
type = "tuic";
listen = "::";
listen_port = port;
congestion_control = "bbr";
users = [
{ name = "proxy";
uuid = uuid;
password = password;
rules = [
{
outbound = "wg-out";
server = "warp";
}
{
outbound = "direct";
server = "directdns";
}
];
tls = singTls;
});
outbounds = [
{
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{ public_key= "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [ "0.0.0.0/0" "::/0" ];
server = "162.159.192.1";
server_port = 500;
};
inbounds =
[
{
tag = "sg0";
type = "trojan";
listen = "::";
listen_port = 8080;
users = [
{
name = "proxy";
password = password;
}
];
tls = singTls;
}
];
}
{
type = "direct";
tag = "direct";
}
{
type = "dns";
tag = "dns-out";
}
];
route = {
rules = [
]
++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310);
type = "tuic";
listen = "::";
listen_port = port;
congestion_control = "bbr";
users = [
{
name = "proxy";
uuid = uuid;
password = password;
}
];
tls = singTls;
});
outbounds = [
{
outbound = "dns-out";
protocol = "dns";
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{
public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
}
{
inbound = "sg0";
outbound = "direct";
type = "direct";
tag = "direct";
}
{
inbound = "sg4";
outbound = "direct";
type = "dns";
tag = "dns-out";
}
];
route = {
rules = [
{
outbound = "dns-out";
protocol = "dns";
}
{
inbound = "sg0";
outbound = "direct";
}
{
inbound = "sg4";
outbound = "direct";
}
];
};
};
};
};
};
}

26
machines/dolomite/lightsail.nix
View file

@ -1,10 +1,16 @@
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
with lib;
let
cfg = config.ec2;
in
{
imports = [
imports = [
"${modulesPath}/profiles/headless.nix"
# Note: While we do use the headless profile, we also explicitly
# turn on the serial console on ttyS0 below. This is because
@ -39,18 +45,22 @@ in
fsType = "vfat";
};
boot.extraModulePackages = [
config.boot.kernelPackages.ena
];
boot.extraModulePackages = [ config.boot.kernelPackages.ena ];
boot.initrd.kernelModules = [ "xen-blkfront" ];
boot.initrd.availableKernelModules = [ "nvme" ];
boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ];
boot.kernelParams = [
"console=ttyS0,115200n8"
"random.trust_cpu=on"
];
# Prevent the nouveau kernel module from being loaded, as it
# interferes with the nvidia/nvidia-uvm modules needed for CUDA.
# Also blacklist xen_fbfront to prevent a 30 second delay during
# boot.
boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ];
boot.blacklistedKernelModules = [
"nouveau"
"xen_fbfront"
];
boot.loader.grub.efiSupport = cfg.efi;
boot.loader.grub.efiInstallAsRemovable = cfg.efi;
@ -64,7 +74,7 @@ in
systemd.services.fetch-ec2-metadata = {
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = ["network-online.target"];
after = [ "network-online.target" ];
path = [ pkgs.curl ];
script = builtins.readFile ./ec2-metadata-fetcher.sh;
serviceConfig.Type = "oneshot";

8
machines/massicot/default.nix
View file

@ -1,4 +1,10 @@
{ inputs, config, libs, pkgs, ... }:
{
inputs,
config,
libs,
pkgs,
...
}:
{
imports = [

18
machines/massicot/hardware-configuration.nix
View file

@ -5,9 +5,19 @@
efiSupport = true;
device = "nodev";
};
fileSystems."/boot" = { device = "/dev/disk/by-uuid/AC27-D9D6"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/AC27-D9D6";
fsType = "vfat";
};
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
}

51
machines/massicot/kanidm-provision.nix
View file

@ -21,7 +21,11 @@
members = [ "xin" ];
};
immich-users = {
members = [ "xin" "zhuo" "ycm" ];
members = [
"xin"
"zhuo"
"ycm"
];
};
grafana-superadmins = {
members = [ "xin" ];
@ -65,7 +69,12 @@
originLanding = "https://git.xinyang.life/user/oauth2/kandim";
allowInsecureClientDisablePkce = true;
scopeMaps = {
forgejo-access = [ "openid" "email" "profile" "groups" ];
forgejo-access = [
"openid"
"email"
"profile"
"groups"
];
};
claimMaps = {
forgejo_role = {
@ -83,7 +92,12 @@
originLanding = "https://xinyang.life/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
gts-users = [ "openid" "email" "profile" "groups" ];
gts-users = [
"openid"
"email"
"profile"
"groups"
];
};
};
owncloud = {
@ -92,7 +106,11 @@
originLanding = "https://home.xinyang.life:9201/";
public = true;
scopeMaps = {
ocis-users = [ "openid" "email" "profile" ];
ocis-users = [
"openid"
"email"
"profile"
];
};
};
hedgedoc = {
@ -101,7 +119,11 @@
originLanding = "https://docs.xinyang.life/auth/oauth2";
allowInsecureClientDisablePkce = true;
scopeMaps = {
hedgedoc-users = [ "openid" "email" "profile" ];
hedgedoc-users = [
"openid"
"email"
"profile"
];
};
};
immich-mobile = {
@ -110,7 +132,11 @@
originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
immich-users = [ "openid" "email" "profile" ];
immich-users = [
"openid"
"email"
"profile"
];
};
};
miniflux = {
@ -118,7 +144,11 @@
originUrl = "https://rss.xinyang.life/";
originLanding = "https://rss.xinyang.life/";
scopeMaps = {
miniflux-users = [ "openid" "email" "profile" ];
miniflux-users = [
"openid"
"email"
"profile"
];
};
};
grafana = {
@ -126,7 +156,12 @@
originUrl = "https://grafana.xinyang.life/";
originLanding = "https://grafana.xinyang.life/";
scopeMaps = {
grafana-users = [ "openid" "email" "profile" "groups" ];
grafana-users = [
"openid"
"email"
"profile"
"groups"
];
};
claimMaps = {
grafana_role = {

13
machines/massicot/networking.nix
View file

@ -1,11 +1,14 @@
{ pkgs, ... }: {
{ pkgs, ... }:
{
networking = {
interfaces = {
eth0.useDHCP = true;
eth0.ipv6.addresses = [{
address = "2a01:4f8:c17:345f::1";
prefixLength = 64;
}];
eth0.ipv6.addresses = [
{
address = "2a01:4f8:c17:345f::1";
prefixLength = 64;
}
];
};
defaultGateway6 = {
address = "fe80::1";

58
machines/massicot/services.nix
View file

@ -1,10 +1,24 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
kanidm_listen_port = 5324;
in
{
networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ];
networking.firewall.allowedUDPPorts = [ 80 443 8448 ];
networking.firewall.allowedTCPPorts = [
80
443
2222
8448
];
networking.firewall.allowedUDPPorts = [
80
443
8448
];
custom.vaultwarden = {
enable = true;
@ -32,16 +46,23 @@ in
exporters.miniflux.enable = true;
};
systemd.mounts = map
(share: {
what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
where = "/mnt/storage/${share}";
type = "cifs";
options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
before = [ "${share}.service" ];
after = [ "cachefilesd.service" ];
wantedBy = [ "${share}.service" ];
}) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ];
systemd.mounts =
map
(share: {
what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
where = "/mnt/storage/${share}";
type = "cifs";
options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
before = [ "${share}.service" ];
after = [ "cachefilesd.service" ];
wantedBy = [ "${share}.service" ];
})
[
"forgejo"
"gotosocial"
"conduit"
"hedgedoc"
];
services.cachefilesd.enable = true;
@ -225,11 +246,14 @@ in
allow_assign_grafana_admin = true;
auto_login = true;
};
"auth" = { disable_login_form = true; };
"auth" = {
disable_login_form = true;
};
};
};
systemd.services.grafana.serviceConfig.EnvironmentFile = config.sops.secrets.grafana_oauth_secret.path;
systemd.services.grafana.serviceConfig.EnvironmentFile =
config.sops.secrets.grafana_oauth_secret.path;
users.users.git = {
isSystemUser = true;
@ -240,9 +264,7 @@ in
users.groups.git = { };
users.users = {
${config.services.caddy.user}.extraGroups = [
config.services.ntfy-sh.group
];
${config.services.caddy.user}.extraGroups = [ config.services.ntfy-sh.group ];
};
services.caddy = {

4
machines/netdrives.nix
View file

@ -1,7 +1,7 @@
{ pkgs, config, ... }:
{
sops.secrets = {
autofs-nas = {
autofs-nas = {
owner = "davfs2";
};
autofs-nas-secret = {
@ -19,4 +19,4 @@
];
};
}
}

16
machines/raspite/configuration.nix
View file

@ -1,17 +1,19 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hass.nix
];
imports = [ ./hass.nix ];
commonSettings.nix.enableMirrors = true;
nixpkgs.overlays = [
# Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243
(final: super: {
makeModulesClosure = x:
super.makeModulesClosure (x // { allowMissing = true; });
makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
})
];
@ -22,7 +24,7 @@
];
system.stateVersion = "24.05";
networking = {
hostName = "raspite";
useDHCP = false;

22
machines/raspite/hass.nix
View file

@ -1,4 +1,5 @@
{ config, pkgs, ... }: {
{ config, pkgs, ... }:
{
services.home-assistant = {
enable = true;
extraComponents = [
@ -9,14 +10,12 @@
];
openFirewall = false;
config = {
default_config = {};
default_config = { };
http = {
server_host = "::1";
base_url = "raspite.local:1000";
use_x_forward_for = true;
trusted_proxies = [
"::1"
];
trusted_proxies = [ "::1" ];
};
};
};
@ -28,16 +27,17 @@
users.groups.dialout.members = config.users.groups.wheel.members;
environment.systemPackages = with pkgs; [
zigbee2mqtt
environment.systemPackages = with pkgs; [ zigbee2mqtt ];
networking.firewall.allowedTCPPorts = [
1000
1001
];
networking.firewall.allowedTCPPorts = [ 1000 1001 ];
services.caddy = {
enable = true;
enable = true;
virtualHosts = {
# reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
# reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
"raspite.local:1000".extraConfig = ''
reverse_proxy http://[::1]:8123
'';

21
machines/sops.nix
View file

@ -1,4 +1,9 @@
{ inputs, config, lib, ... }:
{
inputs,
config,
lib,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
config = {
@ -11,24 +16,22 @@
owner = "root";
};
singbox_sg_server = {
owner = "root";
owner = "root";
};
singbox_jp_server = {
owner = "root";
owner = "root";
};
singbox_password = {
owner = "root";
owner = "root";
};
singbox_uuid = {
owner = "root";
owner = "root";
};
private_dns_address = {
owner = "root";
owner = "root";
};
};
secrets.grafana_cloud_api = lib.mkIf config.services.prometheus.enable {
owner = "prometheus";
};
secrets.grafana_cloud_api = lib.mkIf config.services.prometheus.enable { owner = "prometheus"; };
};
};
}

46
machines/weilite/default.nix
View file

@ -1,4 +1,11 @@
{ inputs, config, pkgs, lib, modulesPath, ... }:
{
inputs,
config,
pkgs,
lib,
modulesPath,
...
}:
with lib;
@ -19,17 +26,21 @@ with lib;
};
boot = {
loader = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"usb_storage"
"sd_mod"
];
kernelModules = [ "kvm-intel" ];
};
environment.systemPackages = [
pkgs.virtiofsd
];
environment.systemPackages = [ pkgs.virtiofsd ];
sops = {
defaultSopsFile = ./secrets.yaml;
@ -47,13 +58,15 @@ with lib;
};
systemd.mounts = [
{ what = "immich";
{
what = "immich";
where = "/mnt/XinPhotos/immich";
type = "virtiofs";
options = "rw";
wantedBy = [ "immich-server.service" ];
}
{ what = "originals";
{
what = "originals";
where = "/mnt/XinPhotos/originals";
type = "virtiofs";
options = "ro,nodev,nosuid";
@ -61,7 +74,10 @@ with lib;
}
];
services.openssh.ports = [ 22 2222 ];
services.openssh.ports = [
22
2222
];
services.immich = {
enable = true;
@ -90,7 +106,10 @@ with lib;
enable = true;
package = pkgs.caddy.withPlugins {
caddyModules = [
{ repo = "github.com/caddy-dns/cloudflare"; version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; }
{
repo = "github.com/caddy-dns/cloudflare";
version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
}
];
vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk=";
};
@ -115,7 +134,7 @@ with lib;
};
time.timeZone = "Asia/Shanghai";
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
@ -124,7 +143,10 @@ with lib;
fileSystems."/boot" = {
device = "/dev/sda1";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
options = [
"fmask=0022"
"dmask=0022"
];
};
system.stateVersion = "24.11";