diff --git a/flake.lock b/flake.lock index 4d39e64..12edbd9 100644 --- a/flake.lock +++ b/flake.lock @@ -293,11 +293,11 @@ "nixvim": "nixvim" }, "locked": { - "lastModified": 1724306750, - "narHash": "sha256-mT8DXzj0zHfGJ+zuxFAnqnk+0bDEFgEk7TvEk59WbWQ=", + "lastModified": 1724158316, + "narHash": "sha256-cz2N0vPfe0jmjxqKWh7dgVecLqmPLHQrvxGJk0atDbg=", "ref": "refs/heads/master", - "rev": "81990813485a580d69853d8429e3b8aece7f66a6", - "revCount": 11, + "rev": "a5eb7fe89ee8ba654f339d8f75cecb39851743ec", + "revCount": 4, "type": "git", "url": "https://git.xinyang.life/xin/nixvim" }, diff --git a/flake.nix b/flake.nix index df2735f..eeccc83 100644 --- a/flake.nix +++ b/flake.nix @@ -52,28 +52,28 @@ catppuccin.url = "github:catppuccin/nix"; }; + outputs = - { - self, - home-manager, - nixpkgs, - nixos-hardware, - flake-utils, - nur, - catppuccin, - my-nixvim, - ... + { self + , home-manager + , nixpkgs + , nixos-hardware + , flake-utils + , nur + , catppuccin + , my-nixvim + , ... }@inputs: let - nixvimOverlay = (final: prev: { nixvim = self.packages.${prev.stdenv.system}.nixvim; }); - overlayModule = - { ... }: - { - nixpkgs.overlays = [ - nixvimOverlay - (import ./overlays/add-pkgs.nix) - ]; - }; + nixvimOverlay = (final: prev: { + nixvim = self.packages.${prev.stdenv.system}.nixvim; + }); + overlayModule = { ... }: { + nixpkgs.overlays = [ + nixvimOverlay + (import ./overlays/add-pkgs.nix) + ]; + }; deploymentModule = { deployment.targetUser = "xin"; }; 
@@ -87,25 +87,20 @@ catppuccin.homeManagerModules.catppuccin self.homeManagerModules ]; - mkHome = - user: host: - { ... }: - { - imports = [ - home-manager.nixosModules.home-manager - { - home-manager = { - sharedModules = sharedHmModules; - useGlobalPkgs = true; - useUserPackages = true; - extraSpecialArgs = { - inherit inputs; - }; - }; - home-manager.users.${user} = (import ./home).${user}.${host}; - } - ]; - }; + mkHome = user: host: { ... }: { + imports = [ + home-manager.nixosModules.home-manager + { + home-manager = { + sharedModules = sharedHmModules; + useGlobalPkgs = true; + useUserPackages = true; + extraSpecialArgs = { inherit inputs; }; + }; + home-manager.users.${user} = (import ./home).${user}.${host}; + } + ]; + }; mkHomeConfiguration = user: host: { name = user; value = home-manager.lib.homeManagerConfiguration { 
@@ -119,109 +114,94 @@ }; }; }; - mkNixos = - { - system, - modules, - specialArgs ? { }, - }: - nixpkgs.lib.nixosSystem { - inherit system; - specialArgs = specialArgs // { - inherit inputs system; - }; - modules = [ - self.nixosModules.default - nur.nixosModules.nur - ] ++ modules; - }; + mkNixos = { system, modules, specialArgs ? { } }: nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = specialArgs // { inherit inputs system; }; + modules = [ + self.nixosModules.default + nur.nixosModules.nur + ] ++ modules; + }; in { nixpkgs = nixpkgs; - nixosModules.default = { - imports = [ - ./modules/nixos - overlayModule - ]; - }; + nixosModules.default = { imports = [ ./modules/nixos overlayModule ]; }; homeManagerModules = import ./modules/home-manager; homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; colmenaHive = inputs.colmena.lib.makeHive { meta = { - nixpkgs = import nixpkgs { system = "x86_64-linux"; }; + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + }; specialArgs = { inherit inputs; }; }; - massicot = - { ... }: - { - deployment.targetHost = "49.13.13.122"; - deployment.buildOnTarget = true; + massicot = { ... }: { + deployment.targetHost = "49.13.13.122"; + deployment.buildOnTarget = true; - imports = [ - { nixpkgs.system = "aarch64-linux"; } - machines/massicot - ] ++ sharedColmenaModules; - }; + imports = [ + { nixpkgs.system = "aarch64-linux"; } + machines/massicot + ] ++ sharedColmenaModules; + }; - tok-00 = - { ... }: - { - imports = [ machines/dolomite ] ++ sharedColmenaModules; - nixpkgs.system = "x86_64-linux"; - networking.hostName = "tok-00"; - system.stateVersion = "23.11"; - deployment = { - targetHost = "video01.namely.icu"; - buildOnTarget = false; - tags = [ "proxy" ]; - }; + tok-00 = { ... 
}: { + imports = [ + machines/dolomite + ] ++ sharedColmenaModules; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "tok-00"; + system.stateVersion = "23.11"; + deployment = { + targetHost = "video01.namely.icu"; + buildOnTarget = false; + tags = [ "proxy" ]; }; + }; - la-00 = - { ... }: - { - imports = [ machines/dolomite ] ++ sharedColmenaModules; - nixpkgs.system = "x86_64-linux"; - networking.hostName = "la-00"; - system.stateVersion = "21.05"; - deployment = { - targetHost = "la-00.video.namely.icu"; - buildOnTarget = false; - tags = [ "proxy" ]; - }; + la-00 = { ... }: { + imports = [ + machines/dolomite + ] ++ sharedColmenaModules; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "la-00"; + system.stateVersion = "21.05"; + deployment = { + targetHost = "la-00.video.namely.icu"; + buildOnTarget = false; + tags = [ "proxy" ]; }; + }; - raspite = - { ... }: - { - deployment = { - targetHost = "raspite.local"; - buildOnTarget = false; - }; - nixpkgs.system = "aarch64-linux"; - imports = [ - "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" - nixos-hardware.nixosModules.raspberry-pi-4 - machines/raspite/configuration.nix - ] ++ sharedColmenaModules; + raspite = { ... }: { + deployment = { + targetHost = "raspite.local"; + buildOnTarget = false; }; + nixpkgs.system = "aarch64-linux"; + imports = [ + "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" + nixos-hardware.nixosModules.raspberry-pi-4 + machines/raspite/configuration.nix + ] ++ sharedColmenaModules; + }; - weilite = - { ... }: - { - imports = [ machines/weilite ] ++ sharedColmenaModules; - deployment = { - targetHost = "weilite.coho-tet.ts.net"; - targetPort = 22; - buildOnTarget = false; - }; - nixpkgs.system = "x86_64-linux"; + weilite = { ... 
}: { + imports = [ + machines/weilite + ] ++ sharedColmenaModules; + deployment = { + targetHost = "weilite.coho-tet.ts.net"; + targetPort = 22; + buildOnTarget = false; }; + nixpkgs.system = "x86_64-linux"; + }; }; nixosConfigurations = { @@ -235,30 +215,18 @@ }; } // self.colmenaHive.nodes; - } - // flake-utils.lib.eachDefaultSystem ( - system: - let - pkgs = nixpkgs.legacyPackages.${system}; - in - { - devShells = { - default = pkgs.mkShell { - packages = with pkgs; [ - nix - git - colmena - sops - nix-output-monitor - nil - nvd - ]; - }; + } // flake-utils.lib.eachDefaultSystem (system: + let pkgs = nixpkgs.legacyPackages.${system}; in + { + devShells = { + default = pkgs.mkShell { + packages = with pkgs; [ nix git colmena sops nix-output-monitor nil nvd ]; }; + }; - packages = { - nixvim = my-nixvim.packages.${system}.default; - }; - } + packages = { + nixvim = my-nixvim.packages.${system}.default; + }; + } ); } diff --git a/home/default.nix b/home/default.nix index ddd31bf..0c683f6 100644 --- a/home/default.nix +++ b/home/default.nix @@ -2,4 +2,4 @@ xin = { calcite = import ./xin/calcite.nix; }; -} +} \ No newline at end of file diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index 2de5642..130bd00 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -1,6 +1,8 @@ { config, pkgs, ... }@inputs: { - imports = [ ./common ]; + imports = [ + ./common + ]; programs.nix-index-database.comma.enable = true; 
@@ -44,42 +46,15 @@ }; custom-hm = { - alacritty = { - enable = true; - }; - cosmic-term = { - enable = true; - }; - direnv = { - enable = true; - }; - fish = { - enable = true; - }; - git = { - enable = true; - signing.enable = true; - }; - neovim = { - enable = true; - }; - vscode = { - enable = true; - languages = { - cxx = true; - python = true; - scala = true; - latex = true; - }; - llm = true; - }; - zellij = { - enable = true; - }; + alacritty = { enable = true; }; + direnv = { enable = true; }; + fish = { enable = true; }; + git = { enable = true; signing.enable = true; }; + neovim = { enable = true; }; + vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; llm = true; }; + zellij = { enable = true; }; }; - programs.gnome-shell.enable = true; - programs.atuin = { enable = true; flags = [ "--disable-up-arrow" ]; 
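Review bot: Besides re-wrapping the attrsets, this hunk drops `cosmic-term = { enable = true; };` and `programs.gnome-shell.enable = true;` from calcite's home configuration, which is a behaviour change rather than a reformat. The same pattern recurs in machines/calcite/configuration.nix, where the nerdfonts override shrinks from three families to `(nerdfonts.override { fonts = [ "FiraCode" ]; })`, and in machines/calcite/network.nix, where `systemd.services.NetworkManager-wait-online.enable = false;` is removed and so re-enables the wait-online unit. If these are intended, a line in the commit message naming them keeps the formatting reversion and the functional changes separable; otherwise restore them. The `custom-hm` attrset is complete in the hunk, but the module body around it continues outside.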
@@ -93,82 +68,10 @@ programs.firefox.profiles.default = { isDefault = true; - userChrome = '' - #titlebar { - display: none; - } - - #sidebar-header { - display: none; - } - - [titlepreface*="."] #sidebar-header { - visibility: collapse !important; - } - [titlepreface*="."] #titlebar { - visibility: collapse; - } - - #sidebar-box{ - --uc-sidebar-width: 33px; - --uc-sidebar-hover-width: 300px; - --uc-autohide-sidebar-delay: 90ms; - position: relative; - min-width: var(--uc-sidebar-width) !important; - width: var(--uc-sidebar-width) !important; - max-width: var(--uc-sidebar-width) !important; - z-index:1; - } - - #sidebar-box[positionend]{ direction: rtl } - #sidebar-box[positionend] > *{ direction: ltr } - - #sidebar-box[positionend]:-moz-locale-dir(rtl){ direction: ltr } - #sidebar-box[positionend]:-moz-locale-dir(rtl) > *{ direction: rtl } - - #main-window[sizemode="fullscreen"] #sidebar-box{ --uc-sidebar-width: 1px; } - - #sidebar-splitter{ display: none } - - #sidebar-header{ - overflow: hidden; - color: var(--chrome-color, inherit) !important; - padding-inline: 0 !important; - } - - #sidebar-header::before, - #sidebar-header::after{ - content: ""; - display: -moz-box; - padding-left: 8px; - } - - #sidebar-switcher-target{ - -moz-box-pack: start !important; - } - - #sidebar-header, - #sidebar{ - transition: min-width 115ms linear var(--uc-autohide-sidebar-delay) !important; - min-width: var(--uc-sidebar-width) !important; - will-change: min-width; - } - #sidebar-box:hover > #sidebar-header, - #sidebar-box:hover > #sidebar{ - min-width: var(--uc-sidebar-hover-width) !important; - transition-delay: 0ms !important; - } - - .sidebar-panel{ - background-color: transparent !important; - color: var(--newtab-text-primary-color) !important; - } - - .sidebar-panel #search-box{ - -moz-appearance: none !important; - background-color: rgba(249,249,250,0.1) !important; - color: inherit !important; - } - ''; + userChrome = builtins.readFile "${pkgs.fetchgit { + url = 
"https://gist.github.com/0ded98af9fe3da35f3688f81364d8c14.git"; + rev = "11bb4f428382052bcbbceb6cc3fef97f3c939481"; + hash = "sha256-J11indzEGdUA0HSW8eFe5AjesOxCL/G05KwkJk9GZSY="; + }}/userChrome.css"; }; } diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 8fbf3bb..6957c4d 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -1,10 +1,4 @@ -{ - inputs, - pkgs, - lib, - ... -}: -{ +{ inputs, pkgs, lib, ... }: { imports = [ ]; home.packages = with pkgs; [ diff --git a/home/xin/gold/default.nix b/home/xin/gold/default.nix index 694b3c7..192e11c 100644 --- a/home/xin/gold/default.nix +++ b/home/xin/gold/default.nix @@ -1,15 +1,15 @@ { pkgs, home-manager, ... }: -home-manager.lib.homeManagerConfiguration { - inherit pkgs; - modules = [ - ../common - { - home.username = "xin"; - home.homeDirectory = "/home/xin"; - home.stateVersion = "23.05"; + home-manager.lib.homeManagerConfiguration { + inherit pkgs; + modules = [ + ../common + { + home.username = "xin"; + home.homeDirectory = "/home/xin"; + home.stateVersion = "23.05"; - # Let Home Manager install and manage itself. - programs.home-manager.enable = true; - } - ]; -} + # Let Home Manager install and manage itself. + programs.home-manager.enable = true; + } + ]; + } diff --git a/home/xin/raspite/default.nix b/home/xin/raspite/default.nix index 888383c..d09be89 100644 --- a/home/xin/raspite/default.nix +++ b/home/xin/raspite/default.nix @@ -1,6 +1,9 @@ + { config, pkgs, ... }: { - imports = [ ../common ]; + imports = [ + ../common + ]; home.username = "xin"; home.homeDirectory = "/home/xin"; diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 947f2d2..8817563 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix 
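Review bot: The `pkgs.fetchgit { ... }` call nested inside the `"${...}/userChrome.css"` interpolation is hard to read and to audit; binding it to a name first, `userChromeSrc = pkgs.fetchgit { url = ...; rev = ...; hash = ...; };`, and then writing `userChrome = builtins.readFile "${userChromeSrc}/userChrome.css";` keeps the pin (rev plus a fixed-output hash, which already makes the fetched content verified) on lines of its own. The removed inline CSS documented itself; a short comment such as `# autohide-sidebar userChrome.css from the gist, pinned by rev and hash` would preserve that context for the next reader. The `programs.firefox.profiles.default` attrset opens inside the hunk, but the surrounding module does not.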
@@ -1,17 +1,13 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: { - imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ./network.nix - ../sops.nix - ]; + imports = + [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./network.nix + ../sops.nix + ]; commonSettings = { auth.enable = true; @@ -26,11 +22,7 @@ boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.efiSysMountPoint = "/boot/efi"; # boot.kernelPackages = pkgs.linuxPackages_latest; - boot.kernelModules = [ - "nvidia" - "nvidia_modeset" - "nvidia_uvm" - ]; + boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" ]; boot.supportedFilesystems = [ "ntfs" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; @@ -53,9 +45,7 @@ programs.steam = { enable = true; - gamescopeSession = { - enable = true; - }; + gamescopeSession = { enable = true; }; }; programs.oidc-agent.enable = true; @@ -103,6 +93,7 @@ services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; + # Configure keymap in X11 services.xserver = { xkb.layout = "us"; @@ -144,12 +135,7 @@ users.users.xin = { isNormalUser = true; description = "xin"; - extraGroups = [ - "networkmanager" - "wheel" - "wireshark" - "tss" - ]; + extraGroups = [ "networkmanager" "wheel" "wireshark" "tss" ]; }; services.kanidm = { @@ -193,14 +179,13 @@ # reference: https://nixos.wiki/wiki/Python ( let - my-python-packages = - python-packages: with python-packages; [ - pandas - requests - numpy - pyyaml - setuptools - ]; + my-python-packages = python-packages: with python-packages; [ + pandas + requests + numpy + pyyaml + setuptools + ]; python-with-my-packages = python3.withPackages my-python-packages; in python-with-my-packages 
@@ -295,19 +280,14 @@ acceleration = "cuda"; }; + # MTP support services.gvfs.enable = true; # Fonts fonts = { packages = with pkgs; [ - (nerdfonts.override { - fonts = [ - "FiraCode" - "FiraMono" - "JetBrainsMono" - ]; - }) + (nerdfonts.override { fonts = [ "FiraCode" ]; }) noto-fonts noto-fonts-emoji liberation_ttf @@ -325,19 +305,9 @@ ]; fontconfig = { defaultFonts = { - serif = [ - "Noto Serif CJK SC" - "Ubuntu" - ]; - sansSerif = [ - "Noto Sans CJK SC" - "Ubuntu" - ]; - monospace = [ - "FiraCode NerdFont Mono" - "Noto Sans Mono CJK SC" - "Ubuntu" - ]; + serif = [ "Noto Serif CJK SC" "Ubuntu" ]; + sansSerif = [ "Noto Sans CJK SC" "Ubuntu" ]; + monospace = [ "FiraCode NerdFont Mono" "Noto Sans Mono CJK SC" "Ubuntu" ]; }; }; enableDefaultPackages = true; diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index 0bfa83f..8a08bcd 100644 --- a/machines/calcite/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix @@ -1,23 +1,14 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: +{ config, lib, pkgs, modulesPath, ... }: { - imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ - "xhci_pci" - "nvme" - "ahci" - "usbhid" - ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ]; boot.initrd.kernelModules = [ ]; boot.initrd.luks.devices.cryptroot = { device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d"; 
@@ -25,29 +16,26 @@ boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = { - # device = "/dev/disk/by-label/NIXROOT"; - device = "/dev/mapper/cryptroot"; - fsType = "btrfs"; - }; + fileSystems."/" = + { # device = "/dev/disk/by-label/NIXROOT"; + device = "/dev/mapper/cryptroot"; + fsType = "btrfs"; + }; - fileSystems."/boot/efi" = { - device = "/dev/disk/by-label/EFIBOOT"; - fsType = "vfat"; - }; + fileSystems."/boot/efi" = + { device = "/dev/disk/by-label/EFIBOOT"; + fsType = "vfat"; + }; - fileSystems."/media/data" = { - device = "/dev/nvme0n1p7"; - fsType = "ntfs-3g"; - options = [ - "rw" - "uid=1000" - "nofail" - "x-systemd.device-timeout=2" + fileSystems."/media/data" = + { device = "/dev/nvme0n1p7"; + fsType = "ntfs-3g"; + options = [ "rw" "uid=1000" "nofail" "x-systemd.device-timeout=2" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-label/NIXSWAP"; } ]; - }; - - swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index 89e9255..3ed94c5 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, ...}: { imports = [ ]; @@ -10,7 +10,6 @@ dns = "systemd-resolved"; }; }; - systemd.services.NetworkManager-wait-online.enable = false; services.resolved = { enable = true; @@ -38,11 +37,10 @@ # Open ports in the firewall. networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ 3389 ]; - networking.firewall.allowedUDPPorts = [ - 3389 - 41641 + networking.firewall.allowedUDPPorts = [ 3389 41641 ]; + networking.firewall.trustedInterfaces = [ + "tailscale0" ]; - networking.firewall.trustedInterfaces = [ "tailscale0" ]; # Use nftables to manager firewall networking.nftables.enable = true; 
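Review bot: The rewritten parameter pattern `{ config, pkgs, ...}:` drops the space before `}` that every other file in this commit keeps (`{ config, pkgs, ... }:` in home/xin/calcite.nix and machines/raspite/hass.nix, for example); `{ config, pkgs, ... }:` restores consistency. In the last hunk of this file the two-line `trustedInterfaces` list is now the only multi-line single-element list left after the reformat; `networking.firewall.trustedInterfaces = [ "tailscale0" ];` matches the `allowedUDPPorts` line beside it.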
diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix index 70daacf..32d2b9f 100644 --- a/machines/dolomite/bandwagon.nix +++ b/machines/dolomite/bandwagon.nix @@ -1,42 +1,30 @@ -{ - config, - lib, - pkgs, - modulesPath, - ... -}: +{ config, lib, pkgs, modulesPath, ... }: let cfg = config.isBandwagon; in { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + options = { isBandwagon = lib.mkEnableOption "Bandwagon instance"; }; config = lib.mkIf cfg { - boot.initrd.availableKernelModules = [ - "ata_piix" - "xhci_pci" - "virtio_pci" - "virtio_scsi" - "sd_mod" - "sr_mod" - ]; + boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = { - device = "/dev/disk/by-label/NIXROOT"; - fsType = "xfs"; - }; + fileSystems."/" = + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "xfs"; + }; - fileSystems."/boot" = { - device = "/dev/disk/by-label/NIXBOOT"; - fsType = "vfat"; - }; + fileSystems."/boot" = + { device = "/dev/disk/by-label/NIXBOOT"; + fsType = "vfat"; + }; swapDevices = [ ]; diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 019867c..22fc0e8 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -1,6 +1,6 @@ { config, lib, ... }: let - awsHosts = [ "tok-00" ]; + awsHosts = [ "tok-00"]; bwgHosts = [ "la-00" ]; in { @@ -10,6 +10,7 @@ in ./lightsail.nix ]; + config = { isBandwagon = builtins.elem config.networking.hostName bwgHosts; isLightsail = builtins.elem config.networking.hostName awsHosts; 
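Review bot: `awsHosts = [ "tok-00"];` loses the space before the closing bracket while `bwgHosts = [ "la-00" ];` on the next line keeps it; `awsHosts = [ "tok-00" ];` keeps the two lists aligned and avoids a spacing-only change on a line whose content did not otherwise move. The `let ... in` block holding these bindings continues past the hunk.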
@@ -36,18 +37,10 @@ in acceptTerms = true; certs.${config.deployment.targetHost} = { email = "me@namely.icu"; - # Avoid port conflict - listenHTTP = if config.services.caddy.enable then ":30310" else ":80"; + listenHTTP = ":80"; }; }; - services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = '' - reverse_proxy 127.0.0.1:30310 - ''; - - networking.firewall.allowedTCPPorts = [ - 80 - 8080 - ]; + networking.firewall.allowedTCPPorts = [ 80 8080 ]; networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); custom.prometheus = { 
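Review bot: Replacing the conditional with `listenHTTP = ":80";` and dropping the `services.caddy.virtualHosts."http://${config.deployment.targetHost}:80"` reverse proxy means the ACME HTTP-01 listener now always binds port 80; if `services.caddy.enable` is still set for this host somewhere not visible here, both will contend for :80 and renewals will fail at runtime with no evaluation-time warning. If caddy really is gone from dolomite the change is fine, but the guard was cheap to keep, `listenHTTP = if config.services.caddy.enable then ":30310" else ":80";`, and a comment such as `# ACME answers HTTP-01 on :80 directly; no caddy on this host` would record the assumption. The `security.acme` attrset this sits in begins before the hunk.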
@@ -82,129 +75,119 @@ in wheelNeedsPassword = false; }; - services.sing-box = - let - singTls = { - enabled = true; - server_name = config.deployment.targetHost; - key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; - certificate_path = - config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; - }; - password = { - _secret = config.sops.secrets.singbox_password.path; - }; - uuid = { - _secret = config.sops.secrets.singbox_uuid.path; - }; - in - { - enable = true; - settings = { - dns = { - servers = [ - { - tag = "warp"; - address = "1.1.1.1"; - detour = "wg-out"; - } - { - tag = "directdns"; - address = "h3://8.8.8.8/dns-query"; - } - ]; - rules = [ - { - outbound = "wg-out"; - server = "warp"; - } - { - outbound = "direct"; - server = "directdns"; - } - ]; - }; - inbounds = - [ - { - tag = "sg0"; - type = "trojan"; - listen = "::"; - listen_port = 8080; - users = [ - { - name = "proxy"; - password = password; - } - ]; - tls = singTls; - } - ] - ++ lib.forEach (lib.range 6311 6314) (port: { - tag = "sg" + toString (port - 6310); - type = "tuic"; - listen = "::"; - listen_port = port; - congestion_control = "bbr"; - users = [ - { - name = "proxy"; - uuid = uuid; - password = password; - } - ]; - tls = singTls; - }); - outbounds = [ + services.sing-box = let + singTls = { + enabled = true; + server_name = config.deployment.targetHost; + key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; + certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; + }; + password = { + _secret = config.sops.secrets.singbox_password.path; + }; + uuid = { + _secret = config.sops.secrets.singbox_uuid.path; + }; + in + { + enable = true; + settings = { + dns = { + servers = [ { - type = "wireguard"; - tag = "wg-out"; - private_key = { - _secret = config.sops.secrets.wg_private_key.path; - }; - local_address = [ - "172.16.0.2/32" - { 
_secret = config.sops.secrets.wg_ipv6_local_addr.path; } - ]; - peers = [ - { - public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; - allowed_ips = [ - "0.0.0.0/0" - "::/0" - ]; - server = "162.159.192.1"; - server_port = 500; - } - ]; + tag = "warp"; + address = "1.1.1.1"; + detour = "wg-out"; } { - type = "direct"; - tag = "direct"; - } - { - type = "dns"; - tag = "dns-out"; + tag = "directdns"; + address = "h3://8.8.8.8/dns-query"; } ]; - route = { - rules = [ - { - outbound = "dns-out"; - protocol = "dns"; - } - { - inbound = "sg0"; - outbound = "direct"; - } - { - inbound = "sg4"; - outbound = "direct"; + rules = [ + { + outbound = "wg-out"; + server = "warp"; + } + { + outbound = "direct"; + server = "directdns"; + } + ]; + }; + inbounds = [ + { + tag = "sg0"; + type = "trojan"; + listen = "::"; + listen_port = 8080; + users = [ + { name = "proxy"; + password = password; } ]; - }; + tls = singTls; + } + ] ++ lib.forEach (lib.range 6311 6314) (port: { + tag = "sg" + toString (port - 6310); + type = "tuic"; + listen = "::"; + listen_port = port; + congestion_control = "bbr"; + users = [ + { name = "proxy"; + uuid = uuid; + password = password; + } + ]; + tls = singTls; + }); + outbounds = [ + { + type = "wireguard"; + tag = "wg-out"; + private_key = { + _secret = config.sops.secrets.wg_private_key.path; + }; + local_address = [ + "172.16.0.2/32" + { _secret = config.sops.secrets.wg_ipv6_local_addr.path; } + ]; + peers = [ + { public_key= "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; + allowed_ips = [ "0.0.0.0/0" "::/0" ]; + server = "162.159.192.1"; + server_port = 500; + } + ]; + } + { + type = "direct"; + tag = "direct"; + } + { + type = "dns"; + tag = "dns-out"; + } + ]; + route = { + rules = [ + { + outbound = "dns-out"; + protocol = "dns"; + } + { + inbound = "sg0"; + outbound = "direct"; + } + { + inbound = "sg4"; + outbound = "direct"; + } + ]; }; }; + }; }; } 
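Review bot: Two formatting slips in the rewrapped `services.sing-box` settings: `{ public_key= "bmXOC+...";` is missing the space before `=`, and the `users` entries (`{ name = "proxy";`) and the wireguard peer put their first attribute on the brace line while every other attrset in the hunk opens `{` on its own line. Writing `public_key = "...";` and starting those attrsets with a bare `{` keeps the block uniform; the same brace-line style appears in the `systemd.mounts` entries of machines/weilite/default.nix. The `services.sing-box` definition, including its `let` for `singTls`, `password` and `uuid`, is complete within this hunk.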
diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix index 18afeda..bd8634c 100644 --- a/machines/dolomite/lightsail.nix +++ b/machines/dolomite/lightsail.nix @@ -1,16 +1,10 @@ -{ - config, - lib, - pkgs, - modulesPath, - ... -}: +{ config, lib, pkgs, modulesPath, ... }: with lib; let cfg = config.ec2; in { - imports = [ + imports = [ "${modulesPath}/profiles/headless.nix" # Note: While we do use the headless profile, we also explicitly # turn on the serial console on ttyS0 below. This is because @@ -45,22 +39,18 @@ in fsType = "vfat"; }; - boot.extraModulePackages = [ config.boot.kernelPackages.ena ]; + boot.extraModulePackages = [ + config.boot.kernelPackages.ena + ]; boot.initrd.kernelModules = [ "xen-blkfront" ]; boot.initrd.availableKernelModules = [ "nvme" ]; - boot.kernelParams = [ - "console=ttyS0,115200n8" - "random.trust_cpu=on" - ]; + boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ]; # Prevent the nouveau kernel module from being loaded, as it # interferes with the nvidia/nvidia-uvm modules needed for CUDA. # Also blacklist xen_fbfront to prevent a 30 second delay during # boot. - boot.blacklistedKernelModules = [ - "nouveau" - "xen_fbfront" - ]; + boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ]; boot.loader.grub.efiSupport = cfg.efi; boot.loader.grub.efiInstallAsRemovable = cfg.efi; @@ -74,7 +64,7 @@ in systemd.services.fetch-ec2-metadata = { wantedBy = [ "multi-user.target" ]; wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; + after = ["network-online.target"]; path = [ pkgs.curl ]; script = builtins.readFile ./ec2-metadata-fetcher.sh; serviceConfig.Type = "oneshot"; diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 4513a2b..bcdc5f7 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -1,10 +1,4 @@ -{ - inputs, - config, - libs, - pkgs, - ... -}: +{ inputs, config, libs, pkgs, ... }: { imports = [ 
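Review bot: `after = ["network-online.target"];` drops the inner spaces that the adjacent `wants = [ "network-online.target" ];` and `wantedBy = [ "multi-user.target" ];` keep; `after = [ "network-online.target" ];` matches them and removes a change that alters nothing but spacing. The `systemd.services.fetch-ec2-metadata` attrset closes after the hunk.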
diff --git a/machines/massicot/hardware-configuration.nix b/machines/massicot/hardware-configuration.nix index c67deb1..89358f7 100644 --- a/machines/massicot/hardware-configuration.nix +++ b/machines/massicot/hardware-configuration.nix @@ -5,19 +5,9 @@ efiSupport = true; device = "nodev"; }; - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/AC27-D9D6"; - fsType = "vfat"; - }; - boot.initrd.availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "xen_blkfront" - ]; + fileSystems."/boot" = { device = "/dev/disk/by-uuid/AC27-D9D6"; fsType = "vfat"; }; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; boot.initrd.kernelModules = [ "nvme" ]; - fileSystems."/" = { - device = "/dev/sda1"; - fsType = "ext4"; - }; - + fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; + } diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index 95c75df..71ca402 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix @@ -21,11 +21,7 @@ members = [ "xin" ]; }; immich-users = { - members = [ - "xin" - "zhuo" - "ycm" - ]; + members = [ "xin" "zhuo" "ycm" ]; }; grafana-superadmins = { members = [ "xin" ]; @@ -69,12 +65,7 @@ originLanding = "https://git.xinyang.life/user/oauth2/kandim"; allowInsecureClientDisablePkce = true; scopeMaps = { - forgejo-access = [ - "openid" - "email" - "profile" - "groups" - ]; + forgejo-access = [ "openid" "email" "profile" "groups" ]; }; claimMaps = { forgejo_role = { @@ -92,12 +83,7 @@ originLanding = "https://xinyang.life/"; allowInsecureClientDisablePkce = true; scopeMaps = { - gts-users = [ - "openid" - "email" - "profile" - "groups" - ]; + gts-users = [ "openid" "email" "profile" "groups" ]; }; }; owncloud = { @@ -106,11 +92,7 @@ originLanding = "https://home.xinyang.life:9201/"; public = true; scopeMaps = { - ocis-users = [ - "openid" - "email" - "profile" - ]; + ocis-users = [ "openid" "email" "profile" ]; }; }; hedgedoc = { 
@@ -119,11 +101,7 @@ originLanding = "https://docs.xinyang.life/auth/oauth2"; allowInsecureClientDisablePkce = true; scopeMaps = { - hedgedoc-users = [ - "openid" - "email" - "profile" - ]; + hedgedoc-users = [ "openid" "email" "profile" ]; }; }; immich-mobile = { @@ -132,11 +110,7 @@ originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; allowInsecureClientDisablePkce = true; scopeMaps = { - immich-users = [ - "openid" - "email" - "profile" - ]; + immich-users = [ "openid" "email" "profile" ]; }; }; miniflux = { @@ -144,11 +118,7 @@ originUrl = "https://rss.xinyang.life/"; originLanding = "https://rss.xinyang.life/"; scopeMaps = { - miniflux-users = [ - "openid" - "email" - "profile" - ]; + miniflux-users = [ "openid" "email" "profile" ]; }; }; grafana = { @@ -156,12 +126,7 @@ originUrl = "https://grafana.xinyang.life/"; originLanding = "https://grafana.xinyang.life/"; scopeMaps = { - grafana-users = [ - "openid" - "email" - "profile" - "groups" - ]; + grafana-users = [ "openid" "email" "profile" "groups" ]; }; claimMaps = { grafana_role = { diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix index 94be559..9588be9 100644 --- a/machines/massicot/networking.nix +++ b/machines/massicot/networking.nix @@ -1,14 +1,11 @@ -{ pkgs, ... }: -{ +{ pkgs, ... }: { networking = { interfaces = { eth0.useDHCP = true; - eth0.ipv6.addresses = [ - { - address = "2a01:4f8:c17:345f::1"; - prefixLength = 64; - } - ]; + eth0.ipv6.addresses = [{ + address = "2a01:4f8:c17:345f::1"; + prefixLength = 64; + }]; }; defaultGateway6 = { address = "fe80::1"; diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 336a039..3137765 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix 
@@ -1,24 +1,10 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: let kanidm_listen_port = 5324; in { - networking.firewall.allowedTCPPorts = [ - 80 - 443 - 2222 - 8448 - ]; - networking.firewall.allowedUDPPorts = [ - 80 - 443 - 8448 - ]; + networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ]; + networking.firewall.allowedUDPPorts = [ 80 443 8448 ]; custom.vaultwarden = { enable = true; @@ -46,23 +32,16 @@ in exporters.miniflux.enable = true; }; - systemd.mounts = - map - (share: { - what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; - where = "/mnt/storage/${share}"; - type = "cifs"; - options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; - before = [ "${share}.service" ]; - after = [ "cachefilesd.service" ]; - wantedBy = [ "${share}.service" ]; - }) - [ - "forgejo" - "gotosocial" - "conduit" - "hedgedoc" - ]; + systemd.mounts = map + (share: { + what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; + where = "/mnt/storage/${share}"; + type = "cifs"; + options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; + before = [ "${share}.service" ]; + after = [ "cachefilesd.service" ]; + wantedBy = [ "${share}.service" ]; + }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ]; services.cachefilesd.enable = true; @@ -103,7 +82,6 @@ in bindaddress = "[::]:${toString kanidm_listen_port}"; tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem''; tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; - online_backup.versions = 7; # db_path = "/var/lib/kanidm/kanidm.db"; }; provision = import ./kanidm-provision.nix; 
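Review bot: Removing `online_backup.versions = 7;` from the kanidm server settings silently changes backup retention, and nothing in this hunk sets `online_backup.path` or `schedule`, so whether scheduled backups still run depends on the NixOS kanidm module supplying defaults for `online_backup` (I believe it does, but confirm against the module in the pinned nixpkgs). If the line went with a mistaken revert, restore it; if the intent is to rely on defaults, a comment beside the commented-out `db_path`, such as `# online_backup: relying on the kanidm module defaults for path, schedule and versions`, makes that explicit. The `services.kanidm` attrset begins before this hunk.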
@@ -246,14 +224,11 @@ in allow_assign_grafana_admin = true; auto_login = true; }; - "auth" = { - disable_login_form = true; - }; + "auth" = { disable_login_form = true; }; }; }; - systemd.services.grafana.serviceConfig.EnvironmentFile = - config.sops.secrets.grafana_oauth_secret.path; + systemd.services.grafana.serviceConfig.EnvironmentFile = config.sops.secrets.grafana_oauth_secret.path; users.users.git = { isSystemUser = true; @@ -264,7 +239,9 @@ in users.groups.git = { }; users.users = { - ${config.services.caddy.user}.extraGroups = [ config.services.ntfy-sh.group ]; + ${config.services.caddy.user}.extraGroups = [ + config.services.ntfy-sh.group + ]; }; services.caddy = { diff --git a/machines/netdrives.nix b/machines/netdrives.nix index 2fedf53..8092196 100644 --- a/machines/netdrives.nix +++ b/machines/netdrives.nix @@ -1,7 +1,7 @@ { pkgs, config, ... }: { sops.secrets = { - autofs-nas = { + autofs-nas = { owner = "davfs2"; }; autofs-nas-secret = { @@ -19,4 +19,4 @@ ]; }; -} +} \ No newline at end of file diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix index 049e67e..71bc747 100644 --- a/machines/raspite/configuration.nix +++ b/machines/raspite/configuration.nix @@ -1,19 +1,17 @@ -{ - config, - lib, - pkgs, - ... -}: +{ config, lib, pkgs, ... }: { - imports = [ ./hass.nix ]; + imports = [ + ./hass.nix + ]; commonSettings.nix.enableMirrors = true; nixpkgs.overlays = [ # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243 (final: super: { - makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; }); + makeModulesClosure = x: + super.makeModulesClosure (x // { allowMissing = true; }); }) ]; @@ -24,7 +22,7 @@ ]; system.stateVersion = "24.05"; - + networking = { hostName = "raspite"; useDHCP = false; diff --git a/machines/raspite/hass.nix b/machines/raspite/hass.nix index 68d161b..8482129 100644 --- a/machines/raspite/hass.nix +++ b/machines/raspite/hass.nix 
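Review bot: Several rewritten lines appear to differ only in whitespace: `autofs-nas = { ` in machines/netdrives.nix picks up a trailing space, as does the blank line after `system.stateVersion = "24.05";` in machines/raspite/configuration.nix, `enable = true; ` under `services.caddy` in machines/raspite/hass.nix, the repeated `owner = "root";` lines in machines/sops.nix, and `loader = {` plus the blank after `time.timeZone` in machines/weilite/default.nix. They show up as changed lines with no visible difference and the next formatter run will flip them back; stripping trailing whitespace before committing keeps the diff to the intended rewrapping.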
@@ -1,5 +1,4 @@ -{ config, pkgs, ... }: -{ +{ config, pkgs, ... }: { services.home-assistant = { enable = true; extraComponents = [ @@ -10,12 +9,14 @@ ]; openFirewall = false; config = { - default_config = { }; + default_config = {}; http = { server_host = "::1"; base_url = "raspite.local:1000"; use_x_forward_for = true; - trusted_proxies = [ "::1" ]; + trusted_proxies = [ + "::1" + ]; }; }; }; @@ -27,17 +28,16 @@ users.groups.dialout.members = config.users.groups.wheel.members; - environment.systemPackages = with pkgs; [ zigbee2mqtt ]; - - networking.firewall.allowedTCPPorts = [ - 1000 - 1001 + environment.systemPackages = with pkgs; [ + zigbee2mqtt ]; + networking.firewall.allowedTCPPorts = [ 1000 1001 ]; + services.caddy = { - enable = true; + enable = true; virtualHosts = { - # reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port} + # reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port} "raspite.local:1000".extraConfig = '' reverse_proxy http://[::1]:8123 ''; diff --git a/machines/sops.nix b/machines/sops.nix index aeb99d9..de0cf5b 100644 --- a/machines/sops.nix +++ b/machines/sops.nix @@ -1,9 +1,4 @@ -{ - inputs, - config, - lib, - ... -}: +{ inputs, config, lib, ... }: { imports = [ inputs.sops-nix.nixosModules.sops ]; config = { @@ -16,22 +11,24 @@ owner = "root"; }; singbox_sg_server = { - owner = "root"; + owner = "root"; }; singbox_jp_server = { - owner = "root"; + owner = "root"; }; singbox_password = { - owner = "root"; + owner = "root"; }; singbox_uuid = { - owner = "root"; + owner = "root"; }; private_dns_address = { - owner = "root"; + owner = "root"; }; }; - secrets.grafana_cloud_api = lib.mkIf config.services.prometheus.enable { owner = "prometheus"; }; + secrets.grafana_cloud_api = lib.mkIf config.services.prometheus.enable { + owner = "prometheus"; + }; }; }; } 
diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 5718b56..0ad8822 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -1,11 +1,4 @@ -{ - inputs, - config, - pkgs, - lib, - modulesPath, - ... -}: +{ inputs, config, pkgs, lib, modulesPath, ... }: with lib; @@ -26,21 +19,17 @@ with lib; }; boot = { - loader = { + loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; }; - initrd.availableKernelModules = [ - "uhci_hcd" - "ehci_pci" - "ahci" - "usb_storage" - "sd_mod" - ]; + initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ]; kernelModules = [ "kvm-intel" ]; }; - environment.systemPackages = [ pkgs.virtiofsd ]; + environment.systemPackages = [ + pkgs.virtiofsd + ]; sops = { defaultSopsFile = ./secrets.yaml; @@ -58,15 +47,13 @@ with lib; }; systemd.mounts = [ - { - what = "immich"; + { what = "immich"; where = "/mnt/XinPhotos/immich"; type = "virtiofs"; options = "rw"; wantedBy = [ "immich-server.service" ]; } - { - what = "originals"; + { what = "originals"; where = "/mnt/XinPhotos/originals"; type = "virtiofs"; options = "ro,nodev,nosuid"; @@ -74,10 +61,7 @@ with lib; } ]; - services.openssh.ports = [ - 22 - 2222 - ]; + services.openssh.ports = [ 22 2222 ]; services.immich = { enable = true; @@ -106,10 +90,7 @@ with lib; enable = true; package = pkgs.caddy.withPlugins { caddyModules = [ - { - repo = "github.com/caddy-dns/cloudflare"; - version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; - } + { repo = "github.com/caddy-dns/cloudflare"; version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; } ]; vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk="; }; @@ -134,7 +115,7 @@ with lib; }; time.timeZone = "Asia/Shanghai"; - + fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "btrfs"; 
@@ -143,10 +124,7 @@ with lib; fileSystems."/boot" = { device = "/dev/sda1"; fsType = "vfat"; - options = [ - "fmask=0022" - "dmask=0022" - ]; + options = [ "fmask=0022" "dmask=0022" ]; }; system.stateVersion = "24.11"; diff --git a/modules/home-manager/alacritty.nix b/modules/home-manager/alacritty.nix index f5219ad..b4b7c2a 100644 --- a/modules/home-manager/alacritty.nix +++ b/modules/home-manager/alacritty.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, pkgs, lib, ... }: with lib; let @@ -25,7 +25,6 @@ in window = { resize_increments = true; dynamic_padding = true; - decorations = "none"; }; }; }; diff --git a/modules/home-manager/cosmic-term.nix b/modules/home-manager/cosmic-term.nix deleted file mode 100644 index 2d59b89..0000000 --- a/modules/home-manager/cosmic-term.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: - -let - inherit (lib) mkEnableOption mkIf; - - cfg = config.custom-hm.cosmic-term; -in -{ - options.custom-hm.cosmic-term = { - enable = mkEnableOption "cosmic-term"; - }; - - config = mkIf cfg.enable { home.packages = [ pkgs.cosmic-term ]; }; -} diff --git a/modules/home-manager/default.nix b/modules/home-manager/default.nix index c7408b7..14159ce 100644 --- a/modules/home-manager/default.nix +++ b/modules/home-manager/default.nix @@ -1,7 +1,6 @@ { imports = [ ./alacritty.nix - ./cosmic-term.nix ./direnv.nix ./fish.nix ./git.nix diff --git a/modules/home-manager/direnv.nix b/modules/home-manager/direnv.nix index 3669908..46297b8 100644 --- a/modules/home-manager/direnv.nix +++ b/modules/home-manager/direnv.nix @@ -24,7 +24,6 @@ in direnv = { enable = true; stdlib = changeCacheDir; - nix-direnv.enable = true; }; }; }; diff --git a/modules/home-manager/fish.nix b/modules/home-manager/fish.nix index 4d265d5..927b69f 100644 --- a/modules/home-manager/fish.nix +++ b/modules/home-manager/fish.nix @@ -1,9 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: with lib; 
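Review bot: The direnv.nix hunk removes `nix-direnv.enable = true;` while every neighbouring hunk only reflows whitespace; nix-direnv is what caches the evaluated `use nix`/`use flake` environment and keeps its gc roots, so presumably this line was lost in the reformat rather than removed on purpose and should be restored. The alacritty.nix hunks on the same line add `pkgs` to the module arguments with no use of it visible in the hunk and drop `decorations = "none";`; if both are intended they deserve a mention in the commit message, otherwise revert them along with the direnv line. The enclosing `programs.direnv` and `programs.alacritty.settings` sets start outside their hunks.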
@@ -15,12 +10,7 @@ in
 enable = mkEnableOption "fish";
 plugins = mkOption {
 type = types.listOf types.str;
- default = [
- "pisces"
- "done"
- "hydro"
- "grc"
- ];
+ default = [ "pisces" "done" "hydro" "grc" ];
 };
 functions = {
 enable = mkOption {
@@ -40,65 +30,40 @@ in
 home.packages = [ pkgs.grc ];
 programs.fish = {
 enable = true;
- plugins =
- with pkgs;
- (filter
- (
- e:
- hasAttr e.name (
- builtins.listToAttrs # { "xxx" = true; }
- (
- map (p: {
- name = p;
- value = true;
- }) cfg.plugins
- ) # { name = "xxx"; value = true; }
- )
- )
- [
- {
- name = "pisces";
- src = fishPlugins.pisces.src;
- }
- {
- name = "done";
- src = fishPlugins.done.src;
- }
- {
- name = "hydro";
- src = fishPlugins.hydro.src;
- }
- {
- name = "grc";
- src = fishPlugins.grc.src;
- }
- ]
- );
- interactiveShellInit =
- let
- extraInit =
- if cfg.functions.enable then
- ''
- ${pkgs.nix-your-shell}/bin/nix-your-shell fish | source
- function fish_right_prompt
- if test -n "$IN_NIX_SHELL"
- echo -n ""
- else if test $SHLVL -ge 3
- echo -n "<🚀lv$SHLVL>"
- end
- end
- function fish_command_not_found
- ${pkgs.comma}/bin/comma $argv
- end
- set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha)
- ''
- else
- "";
- in
- ''
- fish_config prompt choose default
- ''
- + extraInit;
+ plugins = with pkgs; (filter (
+ e: hasAttr e.name (builtins.listToAttrs # { "xxx" = true; }
+ (map (p: { name = p; value = true; }) cfg.plugins) # { name = "xxx"; value = true; }
+ )) [
+ { name = "pisces";
+ src = fishPlugins.pisces.src;
+ }
+ { name = "done";
+ src = fishPlugins.done.src;
+ }
+ { name = "hydro";
+ src = fishPlugins.hydro.src;
+ }
+ { name = "grc";
+ src = fishPlugins.grc.src;
+ }
+ ]);
+ interactiveShellInit = let
+ extraInit = if cfg.functions.enable then ''
+ ${pkgs.nix-your-shell}/bin/nix-your-shell fish | source
+ function fish_right_prompt
+ if test -n "$IN_NIX_SHELL"
+ echo -n ""
+ else if test $SHLVL -ge 3
+ echo -n "<🚀lv$SHLVL>"
+ end
+ end
+ function fish_command_not_found
+ ${pkgs.comma}/bin/comma $argv
+ end
+ '' else "";
+ in ''
+ fish_config prompt choose arrow
+ '' + extraInit;
 functions = mkIf cfg.functions.enable {
 gitignore = "curl -sL https://www.gitignore.io/api/$argv";
 };
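Review bot: The rewrite of `interactiveShellInit` changes behaviour as well as layout: the prompt line becomes `fish_config prompt choose arrow` where the old code had `default`, and `set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha)` is dropped from `extraInit`, so vivid no longer sets `LS_COLORS` when `cfg.functions.enable` is on. If this hunk is meant to be a pure reformat like the rest of the commit, keep those two lines; otherwise state the behaviour change in the commit message. The enclosing `programs.fish` set continues past the hunk, so it is not visible here whether `lib` is still referenced anywhere after the `getExe` call went away.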
diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix index 66f1ceb..5b2bc63 100644 --- a/modules/home-manager/git.nix +++ b/modules/home-manager/git.nix @@ -1,9 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: with lib; @@ -37,12 +32,16 @@ in d = "diff"; s = "status"; }; - signing = mkIf cfg.signing.enable { + signing = mkIf cfg.signing.enable { signByDefault = true; key = cfg.signing.keyFile; }; - extraConfig.user = mkIf cfg.signing.enable { signingkey = cfg.signing.keyFile; }; - extraConfig.gpg = mkIf cfg.signing.enable { format = "ssh"; }; + extraConfig.user = mkIf cfg.signing.enable { + signingkey = cfg.signing.keyFile; + }; + extraConfig.gpg = mkIf cfg.signing.enable { + format = "ssh"; + }; }; }; } diff --git a/modules/home-manager/tmux.nix b/modules/home-manager/tmux.nix index ffcd441..9e26dfe 100644 --- a/modules/home-manager/tmux.nix +++ b/modules/home-manager/tmux.nix @@ -1 +1 @@ -{ } +{} \ No newline at end of file diff --git a/modules/home-manager/vim.nix b/modules/home-manager/vim.nix index 1bab02b..f66535f 100644 --- a/modules/home-manager/vim.nix +++ b/modules/home-manager/vim.nix @@ -1,9 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: let inherit (lib) mkIf mkEnableOption getExe; cfg = config.custom-hm.neovim; @@ -18,10 +13,7 @@ in enable = mkEnableOption "neovim configurations"; }; config = mkIf cfg.enable { - home.packages = with pkgs; [ - nixvim - neovide - ]; + home.packages = with pkgs; [ nixvim neovide ]; programs.neovim.enable = false; home.file.".config/neovide/config.toml" = { source = tomlFormat.generate "neovide-config" neovideConfig; diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index 5c801fc..9017f4c 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -1,10 +1,4 @@ -{ - inputs, - config, - lib, - pkgs, - ... -}: +{ inputs, config, lib, pkgs, ... }: with lib; let 
@@ -12,10 +6,7 @@ let packages = { nixPackages = { - systemPackages = with pkgs; [ - nixd - nixpkgs-fmt - ]; + systemPackages = with pkgs; [ nixd nixpkgs-fmt ]; extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ jnoortheen.nix-ide ]; @@ -26,15 +17,10 @@ let }; }; cxxPackages = { - systemPackages = with pkgs; [ - clang-tools - cmake-format - ]; + systemPackages = with pkgs; [ clang-tools cmake-format ]; extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ llvm-vs-code-extensions.vscode-clangd - (ms-vscode.cmake-tools.overrideAttrs (_: { - sourceRoot = "extension"; - })) + (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; })) twxs.cmake ms-vscode.cpptools ]; @@ -57,10 +43,7 @@ let settings = { }; }; scalaPackages = { - systemPackages = with pkgs; [ - coursier - metals - ]; + systemPackages = with pkgs; [ coursier metals ]; extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ scala-lang.scala scalameta.metals 
@@ -78,56 +61,20 @@ let { "name" = "xelatex"; "command" = "xelatex"; - "args" = [ - "-synctex=1" - "-interaction=nonstopmode" - "-file-line-error" - "%DOCFILE%" - ]; + "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ]; } { "name" = "pdflatex"; "command" = "pdflatex"; - "args" = [ - "-synctex=1" - "-interaction=nonstopmode" - "-file-line-error" - "%DOCFILE%" - ]; - } - { - "name" = "bibtex"; - "command" = "bibtex"; - "args" = [ "%DOCFILE%" ]; + "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ]; } + { "name" = "bibtex"; "command" = "bibtex"; "args" = [ "%DOCFILE%" ]; } ]; "latex-workshop.latex.recipes" = [ - { - "name" = "xelatex"; - "tools" = [ "xelatex" ]; - } - { - "name" = "pdflatex"; - "tools" = [ "pdflatex" ]; - } - { - "name" = "xe->bib->xe->xe"; - "tools" = [ - "xelatex" - "bibtex" - "xelatex" - "xelatex" - ]; - } - { - "name" = "pdf->bib->pdf->pdf"; - "tools" = [ - "pdflatex" - "bibtex" - "pdflatex" - "pdflatex" - ]; - } + { "name" = "xelatex"; "tools" = [ "xelatex" ]; } + { "name" = "pdflatex"; "tools" = [ "pdflatex" ]; } + { "name" = "xe->bib->xe->xe"; "tools" = [ "xelatex" "bibtex" "xelatex" "xelatex" ]; } + { "name" = "pdf->bib->pdf->pdf"; "tools" = [ "pdflatex" "bibtex" "pdflatex" "pdflatex" ]; } ]; "[latex]" = { "editor.formatOnPaste" = false; @@ -141,15 +88,9 @@ let }; llmExtensions = [ pkgs.vscode-extensions.continue.continue ]; - languages = [ - "nix" - "cxx" - "python" - "scala" - "latex" - ]; - zipAttrsWithLanguageOption = ( - attr: (map (l: (lib.mkIf cfg.languages.${l} packages."${l}Packages".${attr})) languages) + languages = [ "nix" "cxx" "python" "scala" "latex" ]; + zipAttrsWithLanguageOption = (attr: + (map (l: (lib.mkIf cfg.languages.${l} packages."${l}Packages".${attr})) languages) ); in { 
@@ -170,71 +111,64 @@ in config = mkIf cfg.enable { nixpkgs.config.allowUnfree = true; - home.packages = lib.mkMerge ( - [ - [ pkgs.clang-tools ] - (mkIf cfg.llm [ pkgs.ollama ]) - ] - ++ zipAttrsWithLanguageOption "systemPackages" - ); + home.packages = lib.mkMerge ([ + [ pkgs.clang-tools ] + (mkIf cfg.llm [ pkgs.ollama ]) + ] ++ zipAttrsWithLanguageOption "systemPackages"); programs.vscode = { enable = true; package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; }; enableUpdateCheck = false; enableExtensionUpdateCheck = false; mutableExtensionsDir = false; - extensions = lib.mkMerge ( - [ - (with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ - mkhl.direnv + extensions = lib.mkMerge ([ + (with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ + mkhl.direnv - ms-azuretools.vscode-docker - ms-vscode-remote.remote-ssh - vscodevim.vim - github.vscode-pull-request-github - gruntfuggly.todo-tree # todo highlight + ms-azuretools.vscode-docker + ms-vscode-remote.remote-ssh + vscodevim.vim + github.vscode-pull-request-github + gruntfuggly.todo-tree # todo highlight - # Markdown - davidanson.vscode-markdownlint - # Latex - # Scale / chisel - sterben.fpga-support + # Markdown + davidanson.vscode-markdownlint + # Latex + # Scale / chisel + sterben.fpga-support - ms-vscode-remote.remote-ssh-edit - mushan.vscode-paste-image - ]) + ms-vscode-remote.remote-ssh-edit + mushan.vscode-paste-image + ]) - (with pkgs.vscode-extensions; [ - waderyan.gitblame - catppuccin.catppuccin-vsc - # Rust - rust-lang.rust-analyzer - ]) + (with pkgs.vscode-extensions; [ + waderyan.gitblame + catppuccin.catppuccin-vsc + # Rust + rust-lang.rust-analyzer + ]) - (mkIf cfg.llm llmExtensions) - ] - ++ zipAttrsWithLanguageOption "extension" - ); - userSettings = lib.mkMerge ( - [ - { - "workbench.colorTheme" = "Catppuccin Macchiato"; - "terminal.integrated.sendKeybindingsToShell" = true; - "extensions.ignoreRecommendations" = 
true; - "files.autoSave" = "afterDelay"; - "editor.inlineSuggest.enabled" = true; - "editor.rulers" = [ 80 ]; - "editor.mouseWheelZoom" = true; - "git.autofetch" = false; - "window.zoomLevel" = -1; + (mkIf cfg.llm llmExtensions) + ] ++ zipAttrsWithLanguageOption "extension"); + userSettings = lib.mkMerge ([ + { + "workbench.colorTheme" = "Catppuccin Macchiato"; + "terminal.integrated.sendKeybindingsToShell" = true; + "extensions.ignoreRecommendations" = true; + "files.autoSave" = "afterDelay"; + "editor.inlineSuggest.enabled" = true; + "editor.rulers" = [ + 80 + ]; + "editor.mouseWheelZoom" = true; + "git.autofetch" = false; + "window.zoomLevel" = -1; - "extensions.experimental.affinity" = { - "vscodevim.vim" = 1; - }; - } - ] - ++ zipAttrsWithLanguageOption "settings" - ); + "extensions.experimental.affinity" = { + "vscodevim.vim" = 1; + }; + } + ] ++ zipAttrsWithLanguageOption "settings"); }; home.file.".continue/config.json".text = lib.generators.toJSON { } { @@ -246,7 +180,7 @@ in } ]; tabAutocompleteModel = { - model = "deepseek-coder:6.7b-base"; + model ="deepseek-coder:6.7b-base"; provider = "ollama"; title = "codegemma"; }; diff --git a/modules/home-manager/zellij.nix b/modules/home-manager/zellij.nix index be2d4fe..e03047c 100644 --- a/modules/home-manager/zellij.nix +++ b/modules/home-manager/zellij.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, pkgs, lib, ... }: with lib; 
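Review bot: `model ="deepseek-coder:6.7b-base";` in the `.continue/config.json` hunk loses the space after `=` that every other binding in the file has; the line carried no other change, so it should read `model = "deepseek-coder:6.7b-base";`. The zellij.nix hunk on the same line adds `pkgs` to the module arguments without any visible use of it; if nothing else in that file needs it, the argument set should stay `{ config, lib, ... }:` as before.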
@@ -14,22 +14,20 @@ in
 enable = true;
 settings = {
 default_shell = "fish";
+ keybinds = {
+ unbind = [
+ "Ctrl p"
+ "Ctrl n"
+ ];
+ shared_except = {
+ _args = [ "pane" "locked" ];
+ bind = {
+ _args = [ "Ctrl b"];
+ SwitchToMode = "Pane";
+ };
+ };
+ };
 };
 };
- xdg.configFile."zellij/config.kdl".text = ''
- keybinds {
- shared_except "pane" "locked" {
- bind "Ctrl b" { SwitchToMode "Pane"; }
- }
- shared_except "locked" {
- bind "Ctrl h" { MoveFocusOrTab "Left"; }
- bind "Ctrl l" { MoveFocusOrTab "Right"; }
- bind "Ctrl j" { MoveFocus "Down"; }
- bind "Ctrl k" { MoveFocus "Up"; }
- unbind "Alt h" "Alt l" "Alt j" "Alt k"
- }
- unbind "Ctrl p" "Ctrl n"
- }
- '';
 };
 }
diff --git a/modules/nixos/common-settings/auth.nix b/modules/nixos/common-settings/auth.nix
index d0a54cb..f70d350 100644
--- a/modules/nixos/common-settings/auth.nix
+++ b/modules/nixos/common-settings/auth.nix
@@ -1,17 +1,7 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
+{ config, lib, pkgs, ... }:
 let
- inherit (lib)
- mkIf
- mkEnableOption
- mkOption
- types
- ;
+ inherit (lib) mkIf mkEnableOption mkOption types;
 cfg = config.commonSettings.auth;
 in
@@ -48,3 +38,4 @@ in
 };
 };
 }
+
diff --git a/modules/nixos/common-settings/nix-conf.nix b/modules/nixos/common-settings/nix-conf.nix
index 96759bc..5313b9f 100644
--- a/modules/nixos/common-settings/nix-conf.nix
+++ b/modules/nixos/common-settings/nix-conf.nix
@@ -1,17 +1,7 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
+{ config, lib, pkgs, ... }:
 let
- inherit (lib)
- mkIf
- mkEnableOption
- mkOption
- types
- ;
+ inherit (lib) mkIf mkEnableOption mkOption types;
 cfg = config.commonSettings.nix;
 in
@@ -43,10 +33,7 @@ in
 nix.optimise.automatic = true;
 nix.settings = {
- experimental-features = [
- "nix-command"
- "flakes"
- ];
+ experimental-features = [ "nix-command" "flakes" ];
 auto-optimise-store = true;
 trusted-users = [ "root" ];
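Review bot: Moving the keybinds from `xdg.configFile."zellij/config.kdl".text` into `programs.zellij.settings.keybinds` silently drops most of the old configuration: the `shared_except "locked"` block with the `Ctrl h`/`Ctrl j`/`Ctrl k`/`Ctrl l` focus bindings and the `unbind "Alt h" "Alt l" "Alt j" "Alt k"` line has no counterpart in the new attribute set, and only the `Ctrl b` binding and the `Ctrl p`/`Ctrl n` unbind survive. The new form also needs checking against the KDL generator: an attribute set can hold one `shared_except` and one `bind` key, so the second `shared_except` block could not have been expressed this way without a list, and it is worth confirming that `unbind = [ "Ctrl p" "Ctrl n" ];` renders as a single `unbind "Ctrl p" "Ctrl n"` node as the old text did. Minor: `_args = [ "Ctrl b"];` is missing the space before `]` used everywhere else in the hunk.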
@@ -65,7 +52,10 @@ in "xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y=" ]; - secret-key-files = mkIf cfg.signing.enable [ cfg.signing.keyFile ]; + secret-key-files = mkIf cfg.signing.enable [ + cfg.signing.keyFile + ]; }; }; } + diff --git a/modules/nixos/forgejo-actions-runner.nix b/modules/nixos/forgejo-actions-runner.nix index b0584c4..5b76c69 100644 --- a/modules/nixos/forgejo-actions-runner.nix +++ b/modules/nixos/forgejo-actions-runner.nix @@ -1,9 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: let cfg = config.custom.forgejo-actions-runner; in @@ -11,7 +6,9 @@ in options = { custom.forgejo-actions-runner = { enable = lib.mkEnableOption "TPM supported ssh agent in go"; - tokenFile = lib.mkOption { type = lib.types.path; }; + tokenFile = lib.mkOption { + type = lib.types.path; + }; }; }; config = lib.mkIf cfg.enable { diff --git a/modules/nixos/hedgedoc.nix b/modules/nixos/hedgedoc.nix index a632a78..6aa5de2 100644 --- a/modules/nixos/hedgedoc.nix +++ b/modules/nixos/hedgedoc.nix @@ -1,9 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: with lib; @@ -31,12 +26,22 @@ in }; oidc = { enable = mkEnableOption "OIDC support for HedgeDoc"; - baseURL = mkOption { type = types.str; }; - authorizationURL = mkOption { type = types.str; }; - tokenURL = mkOption { type = types.str; }; - userProfileURL = mkOption { type = types.str; }; + baseURL = mkOption { + type = types.str; + }; + authorizationURL = mkOption { + type = types.str; + }; + tokenURL = mkOption { + type = types.str; + }; + userProfileURL = mkOption { + type = types.str; + }; + }; + environmentFile = mkOption { + type = types.path; }; - environmentFile = mkOption { type = types.path; }; }; }; config = mkIf cfg.enable { diff --git a/modules/nixos/inbounds.nix b/modules/nixos/inbounds.nix index cd6fb9e..0cbd33f 100644 --- a/modules/nixos/inbounds.nix +++ b/modules/nixos/inbounds.nix 
@@ -1,16 +1,19 @@ -{ config, lib, ... }: +{ config +, lib +, ... }: let cfg = config.custom.sing-box-server; - secretFileType = lib.types.submodule { _secret = lib.types.path; }; + secretFileType = lib.types.submodule { + _secret = lib.types.path; + }; singTls = { enabled = true; server_name = config.deployment.targetHost; key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; - certificate_path = - config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; + certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; }; -in +in { options = { enable = lib.mkEnableOption "sing-box proxy server"; @@ -19,11 +22,17 @@ in type = lib.types.str; default = "proxy"; }; - password = lib.mkOption { type = secretFileType; }; - uuid = lib.mkOption { type = secretFileType; }; + password = lib.mkOption { + type = secretFileType; + }; + uuid = lib.mkOption { + type = secretFileType; + }; }; wgOut = { - privKeyFile = lib.mkOption { type = lib.types.path; }; + privKeyFile = lib.mkOption { + type = lib.types.path; + }; pubkey = lib.mkOption { type = lib.types.str; default = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; @@ -64,19 +73,17 @@ in } ]; }; - inbounds = - [ - # TODO: Trojan and tuic enable - { - tag = "trojan-in"; - type = "trojan"; - listen = "::"; - listen_port = 8080; - users = map (u: removeAttrs u [ "uuid" ]) cfg.users; - tls = singTls; - } - ] - ++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: { + inbounds = [ + # TODO: Trojan and tuic enable + { + tag = "trojan-in"; + type = "trojan"; + listen = "::"; + listen_port = 8080; + users = map (u: removeAttrs u [ "uuid" ]) cfg.users; + tls = singTls; + } + ] ++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: { tag = "tuic-in" + toString port; type = "tuic"; listen = "::"; 
@@ -95,40 +102,25 @@ in "2606:4700:110:82ed:a443:3c62:6cbc:b59b/128" ]; peers = [ - { - public_key = cfg.wgOut.pubkey; - allowed_ips = [ - "0.0.0.0/0" - "::/0" - ]; + { public_key= cfg.wgOut.pubkey; + allowed_ips = [ "0.0.0.0/0" "::/0" ]; server = "162.159.192.1"; server_port = 500; } ]; } - { - type = "direct"; - tag = "direct-out"; - } - { - type = "dns"; - tag = "dns-out"; - } + { type = "direct"; tag = "direct-out"; } + { type = "dns"; tag = "dns-out"; } ]; route = { - rules = - [ - { - outbound = "dns-out"; - protocol = "dns"; - } - ] - ++ lib.forEach cfg.tuic.directPorts (port: { - inbound = "tuic-in" + toString port; - outbound = "direct-out"; - }); + rules = [ + { outbound = "dns-out"; protocol = "dns"; } + ] ++ lib.forEach cfg.tuic.directPorts (port: { + inbound = "tuic-in" + toString port; + outbound = "direct-out"; + }); }; }; }; }; -} +} \ No newline at end of file diff --git a/modules/nixos/kanidm-client.nix b/modules/nixos/kanidm-client.nix index 80e2bf9..41d974d 100644 --- a/modules/nixos/kanidm-client.nix +++ b/modules/nixos/kanidm-client.nix @@ -1,9 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: with lib; let 
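Review bot: `{ public_key= cfg.wgOut.pubkey;` drops the space before `=` that every other binding in this hunk keeps; the line is otherwise unchanged, so it should read `{ public_key = cfg.wgOut.pubkey;`. The same hunk also ends the file with `\ No newline at end of file`, as do machines/netdrives.nix and modules/home-manager/tmux.nix earlier in this commit, while modules/nixos/common-settings/auth.nix and nix-conf.nix gain an extra blank line instead; a reformatting commit should leave file endings consistent in one direction. The enclosing `services.sing-box.settings` set starts outside the hunk.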
@@ -32,29 +27,31 @@ in type = types.listOf types.str; default = [ ]; }; - uri = mkOption { type = types.str; }; + uri = mkOption { + type = types.str; + }; }; }; config = mkIf cfg.enable { - services.kanidm = mkMerge [ - (mkIf cfg.enable { - enableClient = true; - clientSettings = { - uri = cfg.uri; - }; - }) - (mkIf cfg.asSSHAuth.enable { - enablePam = true; - unixSettings = { - pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups; - default_shell = "/bin/sh"; - }; - }) - ]; + services.kanidm = mkMerge + [ (mkIf cfg.enable { + enableClient = true; + clientSettings = { + uri = cfg.uri; + }; + }) + (mkIf cfg.asSSHAuth.enable { + enablePam = true; + unixSettings = { + pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups; + default_shell = "/bin/sh"; + }; + }) + ]; services.openssh = mkIf cfg.asSSHAuth.enable { enable = true; authorizedKeysCommand = "/etc/ssh/auth %u"; - authorizedKeysCommandUser = "kanidm-ssh-runner"; + authorizedKeysCommandUser = "kanidm-ssh-runner"; settings = mkIf cfg.asSSHAuth.enable { PasswordAuthentication = false; KbdInteractiveAuthentication = false; @@ -73,10 +70,8 @@ in }; users.groups.wheel.members = cfg.sudoers; users.groups.kanidm-ssh-runner = { }; - users.users.kanidm-ssh-runner = { - isSystemUser = true; - group = "kanidm-ssh-runner"; - }; + users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; }; }; } + diff --git a/modules/nixos/miniflux.nix b/modules/nixos/miniflux.nix index 0653f41..2d539e0 100644 --- a/modules/nixos/miniflux.nix +++ b/modules/nixos/miniflux.nix @@ -1,19 +1,6 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: let - inherit (lib) - mkEnableOption - mkPackageOption - mkOption - types - literalExpression - mkIf - mkDefault - ; + inherit (lib) mkEnableOption mkPackageOption mkOption types literalExpression mkIf mkDefault; cfg = config.custom.miniflux; defaultAddress = "localhost:8080"; 
@@ -31,15 +18,12 @@ in package = mkPackageOption pkgs "miniflux" { }; - oauth2SecretFile = mkOption { type = types.path; }; + oauth2SecretFile = mkOption { + type = types.path; + }; environment = mkOption { - type = - with types; - attrsOf (oneOf [ - int - str - ]); + type = with types; attrsOf (oneOf [ int str ]); }; createDatabaseLocally = mkOption { @@ -66,22 +50,17 @@ in services.postgresql = lib.mkIf cfg.createDatabaseLocally { enable = true; - ensureUsers = [ - { - name = "miniflux"; - ensureDBOwnership = true; - } - ]; + ensureUsers = [{ + name = "miniflux"; + ensureDBOwnership = true; + }]; ensureDatabases = [ "miniflux" ]; }; systemd.services.miniflux-dbsetup = lib.mkIf cfg.createDatabaseLocally { description = "Miniflux database setup"; requires = [ "postgresql.service" ]; - after = [ - "network.target" - "postgresql.service" - ]; + after = [ "network.target" "postgresql.service" ]; serviceConfig = { Type = "oneshot"; User = config.services.postgresql.superUser; @@ -93,12 +72,8 @@ in description = "Miniflux service"; wantedBy = [ "multi-user.target" ]; requires = lib.optional cfg.createDatabaseLocally "miniflux-dbsetup.service"; - after = - [ "network.target" ] - ++ lib.optionals cfg.createDatabaseLocally [ - "postgresql.service" - "miniflux-dbsetup.service" - ]; + after = [ "network.target" ] + ++ lib.optionals cfg.createDatabaseLocally [ "postgresql.service" "miniflux-dbsetup.service" ]; serviceConfig = { Type = "notify"; @@ -129,19 +104,12 @@ in ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - "AF_UNIX" - ]; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "~@privileged" - ]; + SystemCallFilter = [ "@system-service" "~@privileged" ]; UMask = "0077"; }; 
diff --git a/modules/nixos/oidc-agent.nix b/modules/nixos/oidc-agent.nix index 61eea1c..35ce679 100644 --- a/modules/nixos/oidc-agent.nix +++ b/modules/nixos/oidc-agent.nix @@ -1,20 +1,10 @@ -{ - config, - lib, - pkgs, - ... -}: +{ config, lib, pkgs, ... }: let - inherit (lib) - mkIf - mkEnableOption - mkOption - types - ; + inherit (lib) mkIf mkEnableOption mkOption types; cfg = config.programs.oidc-agent; - providerFormat = pkgs.formats.json { }; + providerFormat = pkgs.formats.json {}; in { options.programs.oidc-agent = { @@ -28,7 +18,7 @@ in }; providers = mkOption { type = providerFormat.type; - default = { }; + default = {}; description = '' Configuration of providers which contains a json array of json objects each describing an issuer, see https://indigo-dc.gitbook.io/oidc-agent/configuration/issuers diff --git a/modules/nixos/prometheus/blackbox.nix b/modules/nixos/prometheus/blackbox.nix index 1bfd896..7886b06 100644 --- a/modules/nixos/prometheus/blackbox.nix +++ b/modules/nixos/prometheus/blackbox.nix @@ -1,9 +1,4 @@ -{ - config, - lib, - pkgs, - ... -}: +{ config, lib, pkgs, ... }: let cfg = config.custom.prometheus; in @@ -13,7 +8,7 @@ in enable = true; listenAddress = "127.0.0.1"; configFile = pkgs.writeText "blackbox.config.yaml" ( - lib.generators.toYAML { } { + lib.generators.toYAML {} { modules = { tcp4_connect = { prober = "tcp"; @@ -30,7 +25,7 @@ in }; services.prometheus.scrapeConfigs = [ - { + { job_name = "blackbox"; scrape_interval = "1m"; metrics_path = "/probe"; 
@@ -78,13 +73,8 @@ in alert = "HighProbeLatency"; expr = "probe_duration_seconds > 0.5"; for = "2m"; - labels = { - severity = "warning"; - }; - annotations = { - summary = "High request latency on {{ $labels.instance }}"; - description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; - }; + labels = { severity = "warning"; }; + annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; }; } ]; } diff --git a/modules/nixos/prometheus/caddy.nix b/modules/nixos/prometheus/caddy.nix index 98e6783..96b7f43 100644 --- a/modules/nixos/prometheus/caddy.nix +++ b/modules/nixos/prometheus/caddy.nix @@ -13,7 +13,9 @@ in services.prometheus.scrapeConfigs = [ { job_name = "caddy"; - static_configs = [ { targets = [ "127.0.0.1:2019" ]; } ]; + static_configs = [ + { targets = [ "127.0.0.1:2019" ]; } + ]; } ]; @@ -25,12 +27,8 @@ in alert = "UpstreamHealthy"; expr = "caddy_reverse_proxy_upstreams_healthy != 1"; for = "5m"; - labels = { - severity = "critical"; - }; - annotations = { - summary = "Upstream {{ $labels.unstream }} not healthy"; - }; + labels = { severity = "critical"; }; + annotations = { summary = "Upstream {{ $labels.unstream }} not healthy"; }; } ]; } diff --git a/modules/nixos/prometheus/default.nix b/modules/nixos/prometheus/default.nix index ed2544a..a560737 100644 --- a/modules/nixos/prometheus/default.nix +++ b/modules/nixos/prometheus/default.nix 
@@ -1,31 +1,26 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: with lib; let cfg = config.custom.prometheus; - mkExporterOption = - enableOption: - (mkOption { - type = types.bool; - default = enableOption; - description = "Enable this exporter"; - }); + mkExporterOption = enableOption: (mkOption { + type = types.bool; + default = enableOption; + description = "Enable this exporter"; + }); mkRulesOption = mkOption { - type = types.listOf ( - types.submodule { - options = { - name = mkOption { type = lib.types.str; }; - rules = mkOption { type = lib.types.listOf lib.types.attrs; }; + type = types.listOf (types.submodule { + options = { + name = mkOption { + type = lib.types.str; }; - } - ); + rules = mkOption { + type = lib.types.listOf lib.types.attrs; + }; + }; + }); }; in { 
@@ -59,172 +54,153 @@ in }; grafana = { enable = mkEnableOption "Grafana Cloud"; - password_file = mkOption { type = types.path; }; + password_file = mkOption { + type = types.path; + }; }; ruleModules = mkRulesOption; }; }; - config = mkIf cfg.enable { - services.tailscale = { - enable = true; - permitCertUid = config.services.caddy.user; - openFirewall = true; - }; - - services.caddy = { - enable = true; - virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = '' - reverse_proxy 127.0.0.1:${toString config.services.prometheus.port} - ''; - }; - - services.prometheus = mkIf cfg.enable { - enable = true; - port = 9091; - globalConfig.external_labels = { - hostname = config.networking.hostName; - }; - remoteWrite = mkIf cfg.grafana.enable [ - { - name = "grafana"; - url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push"; - basic_auth = { - username = "1340065"; - password_file = cfg.grafana.password_file; - }; - } - ]; - exporters = { - node = { - enable = true; - enabledCollectors = [ - "loadavg" - "time" - "systemd" - ]; - listenAddress = "127.0.0.1"; - port = 9100; - }; - }; - scrapeConfigs = [ - { - job_name = "prometheus"; - static_configs = [ { targets = [ "localhost:${toString config.services.prometheus.port}" ]; } ]; - } - { - job_name = "node"; - static_configs = [ - { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } - ]; - } - ]; - - alertmanager = { + config = mkIf cfg.enable + { + services.tailscale = { enable = true; - listenAddress = "127.0.0.1"; - logLevel = "debug"; - configuration = { - route = { - receiver = "ntfy"; - }; - receivers = [ + permitCertUid = config.services.caddy.user; + openFirewall = true; + }; + + services.caddy = { + enable = true; + virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = '' + reverse_proxy 127.0.0.1:${toString config.services.prometheus.port} + ''; + }; + + services.prometheus = mkIf cfg.enable + { + enable = true; + 
port = 9091; + globalConfig.external_labels = { hostname = config.networking.hostName; }; + remoteWrite = mkIf cfg.grafana.enable [ { - name = "ntfy"; - webhook_configs = [ + name = "grafana"; + url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push"; + basic_auth = { + username = "1340065"; + password_file = cfg.grafana.password_file; + }; + } + ]; + exporters = { + node = { + enable = true; + enabledCollectors = [ + "loadavg" + "time" + "systemd" + ]; + listenAddress = "127.0.0.1"; + port = 9100; + }; + }; + scrapeConfigs = [ + { + job_name = "prometheus"; + static_configs = [ + { targets = [ "localhost:${toString config.services.prometheus.port}" ]; } + ]; + } + { + job_name = "node"; + static_configs = [ + { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } + ]; + } + ]; + + alertmanager = { + enable = true; + listenAddress = "127.0.0.1"; + logLevel = "debug"; + configuration = { + route = { + receiver = "ntfy"; + }; + receivers = [ { - url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL '' - Alert {{.status}} - {{range .alerts}}-----{{range $k,$v := .labels}} - {{$k}}={{$v}}{{end}} - {{end}} - ''}"; - send_resolved = true; + name = "ntfy"; + webhook_configs = [ + { + url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL '' + Alert {{.status}} + {{range .alerts}}-----{{range $k,$v := .labels}} + {{$k}}={{$v}}{{end}} + {{end}} + ''}"; + send_resolved = true; + } + ]; + } + ]; + }; + }; + + alertmanagers = [ + { + scheme = "http"; + static_configs = [ + { + targets = [ + "${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}" + ]; } ]; } ]; + rules = [ (lib.generators.toYAML { } { groups = cfg.ruleModules; }) ]; }; - }; - - alertmanagers = [ + custom.prometheus.ruleModules = [ { - scheme = "http"; - static_configs = [ + name = "system_alerts"; + rules = [ { - targets = [ - 
"${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}" - ]; + alert = "SystemdFailedUnits"; + expr = "node_systemd_unit_state{state=\"failed\"} > 0"; + for = "5m"; + labels = { severity = "critical"; }; + annotations = { summary = "Systemd has failed units on {{ $labels.instance }}"; description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!"; }; + } + { + alert = "HighLoadAverage"; + expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})"; + for = "1m"; + labels = { severity = "warning"; }; + annotations = { summary = "High load average detected on {{ $labels.instance }}"; description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; }; + } + { + alert = "HighTransmitTraffic"; + expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000"; + for = "1m"; + labels = { severity = "warning"; }; + annotations = { summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; }; + } + { + alert = "NetworkTrafficExceedLimit"; + expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200''; + for = "0m"; + labels = { severity = "critical"; }; + annotations = { summary = "Outbound network traffic exceed 300GB for last 30 day"; }; + } + { + alert = "JobDown"; + expr = "up == 0"; + for = "1m"; + labels = { severity = "critical"; }; + annotations = { summary = "Job {{ $labels.job }} down for 1m."; }; } ]; } ]; - rules = [ (lib.generators.toYAML { } { groups = cfg.ruleModules; }) ]; }; - custom.prometheus.ruleModules = [ - { - name = "system_alerts"; - rules = [ - { - alert = "SystemdFailedUnits"; - expr = 
"node_systemd_unit_state{state=\"failed\"} > 0"; - for = "5m"; - labels = { - severity = "critical"; - }; - annotations = { - summary = "Systemd has failed units on {{ $labels.instance }}"; - description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!"; - }; - } - { - alert = "HighLoadAverage"; - expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})"; - for = "1m"; - labels = { - severity = "warning"; - }; - annotations = { - summary = "High load average detected on {{ $labels.instance }}"; - description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; - }; - } - { - alert = "HighTransmitTraffic"; - expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000"; - for = "1m"; - labels = { - severity = "warning"; - }; - annotations = { - summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; - description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; - }; - } - { - alert = "NetworkTrafficExceedLimit"; - expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200''; - for = "0m"; - labels = { - severity = "critical"; - }; - annotations = { - summary = "Outbound network traffic exceed 300GB for last 30 day"; - }; - } - { - alert = "JobDown"; - expr = "up == 0"; - for = "1m"; - labels = { - severity = "critical"; - }; - annotations = { - summary = "Job {{ $labels.job }} down for 1m."; - }; - } - ]; - } - ]; - }; } diff --git a/modules/nixos/prometheus/gotosocial.nix b/modules/nixos/prometheus/gotosocial.nix index e5da05e..a643d19 100644 --- a/modules/nixos/prometheus/gotosocial.nix +++ b/modules/nixos/prometheus/gotosocial.nix 
@@ -10,7 +10,9 @@ in
 services.prometheus.scrapeConfigs = [
 {
 job_name = "gotosocial";
- static_configs = [ { targets = [ "localhost:8080" ]; } ];
+ static_configs = [
+ { targets = [ "localhost:8080" ]; }
+ ];
 }
 ];
 };
diff --git a/modules/nixos/prometheus/immich.nix b/modules/nixos/prometheus/immich.nix
index 4b92500..095075d 100644
--- a/modules/nixos/prometheus/immich.nix
+++ b/modules/nixos/prometheus/immich.nix
@@ -3,10 +3,9 @@ let
 cfg = config.custom.prometheus;
 immichEnv = config.services.immich.environment;
 metricPort =
- if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv then
- immichEnv.IMMICH_API_METRICS_PORT
- else
- 8081;
+ if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv
+ then immichEnv.IMMICH_API_METRICS_PORT
+ else 8081;
 in
 {
 config = lib.mkIf (cfg.enable && cfg.exporters.immich.enable) {
@@ -17,7 +16,9 @@ in
 services.prometheus.scrapeConfigs = [
 {
 job_name = "immich";
- static_configs = [ { targets = [ "127.0.0.1:${toString metricPort}" ]; } ];
+ static_configs = [
+ { targets = [ "127.0.0.1:${toString metricPort}" ]; }
+ ];
 }
 ];
 };
diff --git a/modules/nixos/prometheus/miniflux.nix b/modules/nixos/prometheus/miniflux.nix
index b437b00..5339de3 100644
--- a/modules/nixos/prometheus/miniflux.nix
+++ b/modules/nixos/prometheus/miniflux.nix
@@ -8,7 +8,9 @@ in
 services.prometheus.scrapeConfigs = [
 {
 job_name = "miniflux";
- static_configs = [ { targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; } ];
+ static_configs = [
+ { targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; }
+ ];
 }
 ];
 };
diff --git a/modules/nixos/prometheus/ntfy-sh.nix b/modules/nixos/prometheus/ntfy-sh.nix
index 94e81f7..513f130 100644
--- a/modules/nixos/prometheus/ntfy-sh.nix
+++ b/modules/nixos/prometheus/ntfy-sh.nix
@@ -8,7 +8,9 @@ in services.prometheus.scrapeConfigs = [ { job_name = "ntfy-sh"; - static_configs = [ { targets = [ "ntfy.xinyang.life" ]; } ]; + static_configs = [ + { targets = [ "ntfy.xinyang.life" ]; } + ]; } ]; }; diff --git a/modules/nixos/prometheus/restic.nix b/modules/nixos/prometheus/restic.nix index a3ab710..750b61a 100644 --- a/modules/nixos/prometheus/restic.nix +++ b/modules/nixos/prometheus/restic.nix @@ -9,7 +9,9 @@ in services.prometheus.scrapeConfigs = [ (lib.mkIf cfg.exporters.restic.enable { job_name = "restic"; - static_configs = [ { targets = [ config.services.restic.server.listenAddress ]; } ]; + static_configs = [ + { targets = [ config.services.restic.server.listenAddress ]; } + ]; }) ]; @@ -21,25 +23,15 @@ in alert = "ResticCheckFailed"; expr = "restic_check_success == 0"; for = "5m"; - labels = { - severity = "critical"; - }; - annotations = { - summary = "Restic check failed (instance {{ $labels.instance }})"; - description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; - }; + labels = { severity = "critical"; }; + annotations = { summary = "Restic check failed (instance {{ $labels.instance }})"; description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; }; } { alert = "ResticOutdatedBackup"; expr = "time() - restic_backup_timestamp > 518400"; for = "0m"; - labels = { - severity = "critical"; - }; - annotations = { - summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated"; - description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; - }; + labels = { severity = "critical"; }; + annotations = { summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated"; description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; }; } ]; } diff --git a/modules/nixos/restic.nix b/modules/nixos/restic.nix index 1d6685c..07a8dad 100644 
--- a/modules/nixos/restic.nix +++ b/modules/nixos/restic.nix @@ -1,9 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: let cfg = config.custom.restic; in @@ -50,3 +45,4 @@ in }; }; } + diff --git a/modules/nixos/sing-box.nix b/modules/nixos/sing-box.nix index 695356e..572291b 100644 --- a/modules/nixos/sing-box.nix +++ b/modules/nixos/sing-box.nix @@ -1,10 +1,4 @@ -{ - config, - pkgs, - lib, - utils, - ... -}: +{ config, pkgs, lib, utils, ... }: let cfg = config.custom.sing-box; settingsFormat = pkgs.formats.json { }; @@ -22,7 +16,9 @@ in }; configFile = { - urlFile = lib.mkOption { type = lib.types.path; }; + urlFile = lib.mkOption { + type = lib.types.path; + }; name = lib.mkOption { type = lib.types.str; default = "config.json"; @@ -66,10 +62,10 @@ in systemd.packages = [ cfg.package ]; - systemd.services.sing-box = - let - configFile = cfg.stateDir + "/${cfg.configFile.name}"; - in + systemd.services.sing-box = + let + configFile = cfg.stateDir + "/${cfg.configFile.name}"; + in { preStart = '' umask 0077 @@ -85,3 +81,4 @@ in }; }; } + diff --git a/modules/nixos/ssh-tpm-agent.nix b/modules/nixos/ssh-tpm-agent.nix index 1465bce..f368c46 100644 --- a/modules/nixos/ssh-tpm-agent.nix +++ b/modules/nixos/ssh-tpm-agent.nix @@ -1,10 +1,5 @@ # Temporary workaround -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: let cfg = config.services.ssh-tpm-agent; in diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix index 82c0e41..b4c7d04 100644 --- a/modules/nixos/vaultwarden.nix +++ b/modules/nixos/vaultwarden.nix @@ -1,9 +1,4 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: with lib; @@ -28,7 +23,7 @@ in }; }; config = mkIf cfg.enable { - services.vaultwarden = { + services.vaultwarden = { enable = true; dbBackend = "sqlite"; config = { @@ -49,3 +44,4 @@ in }; }; } + diff --git a/oci-images/nix-ci-base/flake.nix b/oci-images/nix-ci-base/flake.nix index 9ef4fc0..8e6b882 100644 
--- a/oci-images/nix-ci-base/flake.nix
+++ b/oci-images/nix-ci-base/flake.nix
@@ -6,78 +6,72 @@ flake-utils.url = "github:numtide/flake-utils"; }; - outputs = - { - self, - flake-utils, - nix, - nixpkgs, - ... - }: - flake-utils.lib.eachDefaultSystem ( - system: - let - pkgs = (import nixpkgs) { inherit system; }; - lib = pkgs.lib; - in - rec { - packages = rec { - # a modified version of the nixos/nix image - # re-using the upstream nix docker image generation code - base = import (nix + "/docker.nix") { - inherit pkgs; - name = "nix-ci-base"; - maxLayers = 10; - extraPkgs = with pkgs; [ - nodejs_20 # nodejs is needed for running most 3rdparty actions - # add any other pre-installed packages here - curl - xz - openssl - coreutils-full - cmake - gnumake - gcc + outputs = { + self, + flake-utils, + nix, + nixpkgs, + ... + }: + flake-utils.lib.eachDefaultSystem (system: let + pkgs = (import nixpkgs) { + inherit system; + }; + lib = pkgs.lib; + in rec { + packages = rec { + # a modified version of the nixos/nix image + # re-using the upstream nix docker image generation code + base = import (nix + "/docker.nix") { + inherit pkgs; + name = "nix-ci-base"; + maxLayers = 10; + extraPkgs = with pkgs; [ + nodejs_20 # nodejs is needed for running most 3rdparty actions + # add any other pre-installed packages here + curl + xz + openssl + coreutils-full + cmake + gnumake + gcc + ]; + # change this is you want + channelURL = "https://nixos.org/channels/nixpkgs-23.11"; + nixConf = { + substituters = [ + "https://mirrors.bfsu.edu.cn/nix-channels/store" + "https://mirrors.ustc.edu.cn/nix-channels/store" + "https://cache.nixos.org/" + + "https://nix-community.cachix.org" ]; - # change this is you want - channelURL = "https://nixos.org/channels/nixpkgs-23.11"; - nixConf = { - substituters = [ - "https://mirrors.bfsu.edu.cn/nix-channels/store" - "https://mirrors.ustc.edu.cn/nix-channels/store" - "https://cache.nixos.org/" - - "https://nix-community.cachix.org" - ]; - accept-flake-config = "true"; - log-lines = "300"; - trusted-public-keys = [ - 
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; - # allow using the new flake commands in our workflows - experimental-features = [ - "nix-command" - "flakes" - ]; - }; - }; - # make /bin/sleep available on the image - runner = pkgs.dockerTools.buildImage { - name = "nix-runner"; - tag = "2.21.0-pkgs-23.11"; - - fromImage = base; - fromImageName = null; - fromImageTag = "latest"; - - copyToRoot = pkgs.buildEnv { - name = "image-root"; - paths = [ pkgs.coreutils-full ]; - pathsToLink = [ "/bin" ]; # add coreutuls (which includes sleep) to /bin - }; + accept-flake-config = "true"; + log-lines = "300"; + trusted-public-keys = [ + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + # allow using the new flake commands in our workflows + experimental-features = ["nix-command" "flakes"]; }; }; - } - ); + # make /bin/sleep available on the image + runner = pkgs.dockerTools.buildImage { + name = "nix-runner"; + tag = "2.21.0-pkgs-23.11"; + + fromImage = base; + fromImageName = null; + fromImageTag = "latest"; + + copyToRoot = pkgs.buildEnv { + name = "image-root"; + paths = [pkgs.coreutils-full]; + pathsToLink = ["/bin"]; # add coreutuls (which includes sleep) to /bin + }; + }; + }; + }); } diff --git a/overlays/add-ime-electron.nix b/overlays/add-ime-electron.nix index fe54704..74e94c6 100644 --- a/overlays/add-ime-electron.nix +++ b/overlays/add-ime-electron.nix @@ -1,13 +1,8 @@ -{ - config, - pkgs, - lib, - ... -}: +{ config, pkgs, lib, ... }: { nixpkgs.overlays = [ - (self: super: { + (self: super: { element-desktop = super.element-desktop.override { commandLineArgs = "--enable-wayland-ime"; }; }) ]; diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix index e423f43..35b6981 100644 --- a/overlays/add-pkgs.nix +++ b/overlays/add-pkgs.nix 
@@ -1 +1,3 @@ -(final: prev: { oidc-agent = prev.callPackage ./pkgs/oidc-agent { }; }) +(final: prev: { + oidc-agent = prev.callPackage ./pkgs/oidc-agent { }; +}) diff --git a/overlays/pkgs/oidc-agent/default.nix b/overlays/pkgs/oidc-agent/default.nix index 9634c4c..42f398e 100644 --- a/overlays/pkgs/oidc-agent/default.nix +++ b/overlays/pkgs/oidc-agent/default.nix @@ -1,15 +1,14 @@ -{ - lib, - stdenv, - fetchFromGitHub, - curl, - webkitgtk, - libmicrohttpd, - libsecret, - qrencode, - libsodium, - pkg-config, - help2man, +{ lib +, stdenv +, fetchFromGitHub +, curl +, webkitgtk +, libmicrohttpd +, libsecret +, qrencode +, libsodium +, pkg-config +, help2man }: stdenv.mkDerivation rec { @@ -20,7 +19,8 @@ stdenv.mkDerivation rec { owner = "indigo-dc"; repo = "oidc-agent"; rev = "v${version}"; - sha256 = "sha256-cOK/rZ/jnyALLuhDM3+qvwwe4Fjkv8diQBkw7NfVo0c="; + sha256 = "sha256-cOK/rZ/jnyALLuhDM3+qvwwe4Fjkv8diQBkw7NfVo0c=" + ; }; buildInputs = [ @@ -47,6 +47,7 @@ stdenv.mkDerivation rec { make install_man PREFIX=$out ''; + meta = with lib; { description = "oidc-agent for managing OpenID Connect tokens on the command line"; homepage = "https://github.com/indigo-dc/oidc-agent"; @@ -54,3 +55,4 @@ stdenv.mkDerivation rec { license = licenses.mit; }; } +