diff --git a/flake.lock b/flake.lock index 4d39e64..2570c21 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,119 @@ { "nodes": { + "base16": { + "inputs": { + "fromYaml": "fromYaml" + }, + "locked": { + "lastModified": 1708890466, + "narHash": "sha256-LlrC09LoPi8OPYOGPXegD72v+//VapgAqhbOFS3i8sc=", + "owner": "SenchoPens", + "repo": "base16.nix", + "rev": "665b3c6748534eb766c777298721cece9453fdae", + "type": "github" + }, + "original": { + "owner": "SenchoPens", + "repo": "base16.nix", + "type": "github" + } + }, + "base16-fish": { + "flake": false, + "locked": { + "lastModified": 1622559957, + "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", + "owner": "tomyun", + "repo": "base16-fish", + "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", + "type": "github" + }, + "original": { + "owner": "tomyun", + "repo": "base16-fish", + "type": "github" + } + }, + "base16-foot": { + "flake": false, + "locked": { + "lastModified": 1696725948, + "narHash": "sha256-65bz2bUL/yzZ1c8/GQASnoiGwaF8DczlxJtzik1c0AU=", + "owner": "tinted-theming", + "repo": "base16-foot", + "rev": "eedbcfa30de0a4baa03e99f5e3ceb5535c2755ce", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-foot", + "type": "github" + } + }, + "base16-helix": { + "flake": false, + "locked": { + "lastModified": 1720809814, + "narHash": "sha256-numb3xigRGnr/deF7wdjBwVg7fpbTH7reFDkJ75AJkY=", + "owner": "tinted-theming", + "repo": "base16-helix", + "rev": "34f41987bec14c0f3f6b2155c19787b1f6489625", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-helix", + "type": "github" + } + }, + "base16-kitty": { + "flake": false, + "locked": { + "lastModified": 1665001328, + "narHash": "sha256-aRaizTYPpuWEcvoYE9U+YRX+Wsc8+iG0guQJbvxEdJY=", + "owner": "kdrag0n", + "repo": "base16-kitty", + "rev": "06bb401fa9a0ffb84365905ffbb959ae5bf40805", + "type": "github" + }, + "original": { + "owner": "kdrag0n", + "repo": "base16-kitty", + "type": "github" + } + }, + "base16-tmux": { + "flake": false, + "locked": { + "lastModified": 1696725902, + "narHash": "sha256-wDPg5elZPcQpu7Df0lI5O8Jv4A3T6jUQIVg63KDU+3Q=", + "owner": "tinted-theming", + "repo": "base16-tmux", + "rev": "c02050bebb60dbb20cb433cd4d8ce668ecc11ba7", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-tmux", + "type": "github" + } + }, + "base16-vim": { + "flake": false, + "locked": { + "lastModified": 1716150083, + "narHash": "sha256-ZMhnNmw34ogE5rJZrjRv5MtG3WaqKd60ds2VXvT6hEc=", + "owner": "tinted-theming", + "repo": "base16-vim", + "rev": "6e955d704d046b0dc3e5c2d68a2a6eeffd2b5d3d", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-vim", + "type": "github" + } + }, "catppuccin": { "locked": { "lastModified": 1724156255, @@ -110,6 +224,22 @@ "type": "github" } }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" @@ -186,6 +316,43 @@ "type": "github" } }, + "flake-utils_3": { + "inputs": { + "systems": [ + "stylix", + "systems" + ] + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "fromYaml": { + "flake": false, + "locked": { + "lastModified": 1689549921, + "narHash": "sha256-iX0pk/uB019TdBGlaJEWvBCfydT6sRq+eDcGPifVsCM=", + "owner": "SenchoPens", + "repo": "fromYaml", + "rev": "11fbbbfb32e3289d3c631e0134a23854e7865c84", + "type": "github" + }, + "original": { + "owner": "SenchoPens", + "repo": "fromYaml", + "type": "github" + } + }, "git-hooks": { "inputs": { "flake-compat": [ @@ -242,6 +409,23 @@ "type": "github" } }, + "gnome-shell": { + "flake": false, + "locked": { + "lastModified": 1713702291, + "narHash": "sha256-zYP1ehjtcV8fo+c+JFfkAqktZ384Y+y779fzmR9lQAU=", + "owner": "GNOME", + "repo": "gnome-shell", + "rev": "0d0aadf013f78a7f7f1dc984d0d812971864b934", + "type": "github" + }, + "original": { + "owner": "GNOME", + "ref": "46.1", + "repo": "gnome-shell", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -284,6 +468,27 @@ "type": "github" } }, + "home-manager_3": { + "inputs": { + "nixpkgs": [ + "stylix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715930644, + "narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "my-nixvim": { "inputs": { "flake-parts": "flake-parts", @@ -464,6 +669,22 @@ "type": "github" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1714912032, + "narHash": "sha256-clkcOIkg8G4xuJh+1onLG4HPMpbtzdLv4rHxFzgsH9c=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ee4a6e0f566fe5ec79968c57a9c2c3c25f2cf41d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixvim": { "inputs": { "devshell": "devshell", @@ -541,7 +762,8 @@ "nixpkgs": "nixpkgs_2", "nixpkgs-stable": "nixpkgs-stable", "nur": "nur", - "sops-nix": "sops-nix" + "sops-nix": "sops-nix", + "stylix": "stylix" } }, "sops-nix": { @@ -565,6 +787,36 @@ "type": "github" } }, + "stylix": { + "inputs": { + "base16": "base16", + "base16-fish": "base16-fish", + "base16-foot": "base16-foot", + "base16-helix": "base16-helix", + "base16-kitty": "base16-kitty", + "base16-tmux": "base16-tmux", + "base16-vim": "base16-vim", + "flake-compat": "flake-compat_4", + "flake-utils": "flake-utils_3", + "gnome-shell": "gnome-shell", + "home-manager": "home-manager_3", + "nixpkgs": "nixpkgs_3", + "systems": "systems_3" + }, + "locked": { + "lastModified": 1724444244, + "narHash": "sha256-fH1lyJvJjUhZ8xMlmiI18EZNzodDSe74rFuwlZDL0aQ=", + "owner": "danth", + "repo": "stylix", + "rev": "d042af478ce87e188139480922a3085218194106", + "type": "github" + }, + "original": { + "owner": "danth", + "repo": "stylix", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -595,6 +847,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index df2735f..27e4293 100644 --- a/flake.nix +++ b/flake.nix @@ -50,6 +50,7 @@ }; catppuccin.url = "github:catppuccin/nix"; + stylix.url = "github:danth/stylix"; }; outputs = @@ -106,29 +107,14 @@ } ]; }; - mkHomeConfiguration = user: host: { - name = user; - value = home-manager.lib.homeManagerConfiguration { - pkgs = import nixpkgs { system = "x86_64-linux"; }; - modules = [ - (import ./home).${user}.${host} - overlayModule - ] ++ sharedHmModules; - extraSpecialArgs = { - inherit inputs; - }; - }; - }; mkNixos = { - system, modules, specialArgs ? { }, }: nixpkgs.lib.nixosSystem { - inherit system; specialArgs = specialArgs // { - inherit inputs system; + inherit inputs; }; modules = [ self.nixosModules.default @@ -146,11 +132,9 @@ }; homeManagerModules = import ./modules/home-manager; - homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; - colmenaHive = inputs.colmena.lib.makeHive { meta = { - nixpkgs = import nixpkgs { system = "x86_64-linux"; }; + nixpkgs = import nixpkgs { localSystem = "x86_64-linux"; }; specialArgs = { inherit inputs; }; @@ -162,17 +146,13 @@ deployment.targetHost = "49.13.13.122"; deployment.buildOnTarget = true; - imports = [ - { nixpkgs.system = "aarch64-linux"; } - machines/massicot - ] ++ sharedColmenaModules; + imports = [ machines/massicot ] ++ sharedColmenaModules; }; tok-00 = { ... }: { imports = [ machines/dolomite ] ++ sharedColmenaModules; - nixpkgs.system = "x86_64-linux"; networking.hostName = "tok-00"; system.stateVersion = "23.11"; deployment = { @@ -186,7 +166,6 @@ { ... }: { imports = [ machines/dolomite ] ++ sharedColmenaModules; - nixpkgs.system = "x86_64-linux"; networking.hostName = "la-00"; system.stateVersion = "21.05"; deployment = { @@ -203,7 +182,6 @@ targetHost = "raspite.local"; buildOnTarget = false; }; - nixpkgs.system = "aarch64-linux"; imports = [ "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" nixos-hardware.nixosModules.raspberry-pi-4 @@ -220,26 +198,28 @@ targetPort = 22; buildOnTarget = false; }; - nixpkgs.system = "x86_64-linux"; }; }; - nixosConfigurations = { - calcite = mkNixos { - system = "x86_64-linux"; - modules = [ - nixos-hardware.nixosModules.asus-zephyrus-ga401 - machines/calcite/configuration.nix - (mkHome "xin" "calcite") - ]; - }; - } // self.colmenaHive.nodes; - } // flake-utils.lib.eachDefaultSystem ( system: let - pkgs = nixpkgs.legacyPackages.${system}; + pkgs = import nixpkgs { localSystem = system; }; + + mkHomeConfiguration = user: host: { + name = user; + value = home-manager.lib.homeManagerConfiguration { + inherit pkgs; + modules = [ + (import ./home).${user}.${host} + overlayModule + ] ++ sharedHmModules; + extraSpecialArgs = { + inherit inputs; + }; + }; + }; in { devShells = { @@ -258,7 +238,18 @@ packages = { nixvim = my-nixvim.packages.${system}.default; + nixosConfigurations = { + calcite = mkNixos { + modules = [ + nixos-hardware.nixosModules.asus-zephyrus-ga401 + machines/calcite/configuration.nix + (mkHome "xin" "calcite") + ]; + }; + } // self.colmenaHive.nodes; }; + + homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; } ); } diff --git a/garnix.yaml b/garnix.yaml new file mode 100644 index 0000000..dd4f0ed --- /dev/null +++ b/garnix.yaml @@ -0,0 +1,11 @@ +builds: + exclude: [] + include: + - '*.x86_64-linux.*' + - defaultPackage.x86_64-linux + - devShell.x86_64-linux + - homeConfigurations.* + - darwinConfigurations.* + - nixosConfigurations.* + - nixosConfigurations.aarch64-linux.calcite + - homeConfigurations.aarch64-linux.xin diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index 2de5642..11307f9 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }@inputs: +{ inputs, pkgs, ... }: { imports = [ ./common ]; @@ -36,6 +36,12 @@ enable = true; flavor = "mocha"; }; + + stylix = { + targets = { + gtk.enable = true; + }; + }; xdg.enable = true; i18n.inputMethod = { diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 947f2d2..f89165c 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -290,6 +290,8 @@ exporters.blackbox.enable = true; }; + custom.stylix.enable = true; + services.ollama = { enable = true; acceleration = "cuda"; @@ -334,7 +336,7 @@ "Ubuntu" ]; monospace = [ - "FiraCode NerdFont Mono" + "JetbrainsMono Nerd Font" "Noto Sans Mono CJK SC" "Ubuntu" ]; diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix index 70daacf..d6db704 100644 --- a/machines/dolomite/bandwagon.nix +++ b/machines/dolomite/bandwagon.nix @@ -16,6 +16,7 @@ in }; config = lib.mkIf cfg { + nixpkgs.hostPlatform = "x86_64-linux"; boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix index 18afeda..b1cba45 100644 --- a/machines/dolomite/lightsail.nix +++ b/machines/dolomite/lightsail.nix @@ -25,6 +25,8 @@ in }; config = mkIf config.isLightsail { + nixpkgs.hostPlatform = "x86_64-linux"; + boot.loader.grub.device = "/dev/nvme0n1"; # from nixpkgs amazon-image.nix diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 4513a2b..ef09ea5 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -11,7 +11,7 @@ inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ./networking.nix - ./services.nix + ./services ]; sops = { diff --git a/machines/massicot/hardware-configuration.nix b/machines/massicot/hardware-configuration.nix index c67deb1..560ac23 100644 --- a/machines/massicot/hardware-configuration.nix +++ b/machines/massicot/hardware-configuration.nix @@ -19,5 +19,5 @@ device = "/dev/sda1"; fsType = "ext4"; }; - + nixpkgs.hostPlatform = "aarch64-linux"; } diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix deleted file mode 100644 index 336a039..0000000 --- a/machines/massicot/services.nix +++ /dev/null @@ -1,322 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: -let - kanidm_listen_port = 5324; -in -{ - networking.firewall.allowedTCPPorts = [ - 80 - 443 - 2222 - 8448 - ]; - networking.firewall.allowedUDPPorts = [ - 80 - 443 - 8448 - ]; - - custom.vaultwarden = { - enable = true; - domain = "vaultwarden.xinyang.life"; - }; - - custom.hedgedoc = { - enable = true; - caddy = true; - domain = "docs.xinyang.life"; - mediaPath = "/mnt/storage/hedgedoc"; - oidc = { - enable = true; - baseURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc"; - authorizationURL = "https://auth.xinyang.life/ui/oauth2"; - tokenURL = "https://auth.xinyang.life/oauth2/token"; - userProfileURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc/userinfo"; - }; - environmentFile = config.sops.secrets.hedgedoc_env.path; - }; - - custom.prometheus = { - enable = true; - exporters.blackbox.enable = true; - exporters.miniflux.enable = true; - }; - - systemd.mounts = - map - (share: { - what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; - where = "/mnt/storage/${share}"; - type = "cifs"; - options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; - before = [ "${share}.service" ]; - after = [ "cachefilesd.service" ]; - wantedBy = [ "${share}.service" ]; - }) - [ - "forgejo" - "gotosocial" - "conduit" - "hedgedoc" - ]; - - services.cachefilesd.enable = true; - - system.activationScripts = { - conduit-media-link.text = '' - mkdir -m 700 -p /var/lib/private/matrix-conduit/media - chown conduit:conduit /var/lib/private/matrix-conduit/media - mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media - ''; - }; - security.acme = { - acceptTerms = true; - certs."auth.xinyang.life" = { - email = "lixinyang411@gmail.com"; - listenHTTP = "127.0.0.1:1360"; - group = "kanidm"; - }; - }; - - services.ntfy-sh = { - enable = true; - group = "caddy"; - settings = { - listen-unix = "/var/run/ntfy-sh/ntfy.sock"; - listen-unix-mode = 432; # octal 0660 - base-url = "https://ntfy.xinyang.life"; - }; - }; - - systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh"; - - services.kanidm = { - package = pkgs.kanidm.withSecretProvisioning; - enableServer = true; - serverSettings = { - domain = "auth.xinyang.life"; - origin = "https://auth.xinyang.life"; - bindaddress = "[::]:${toString kanidm_listen_port}"; - tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem''; - tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; - online_backup.versions = 7; - # db_path = "/var/lib/kanidm/kanidm.db"; - }; - provision = import ./kanidm-provision.nix; - }; - - custom.miniflux = { - enable = true; - environment = { - LOG_LEVEL = "debug"; - LISTEN_ADDR = "127.0.0.1:58173"; - BASE_URL = "https://rss.xinyang.life/"; - OAUTH2_PROVIDER = "oidc"; - OAUTH2_CLIENT_ID = "miniflux"; - OAUTH2_REDIRECT_URL = "https://rss.xinyang.life/oauth2/oidc/callback"; - OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.xinyang.life/oauth2/openid/miniflux"; - OAUTH2_USER_CREATION = 1; - }; - oauth2SecretFile = config.sops.secrets."miniflux/oauth2_secret".path; - }; - - services.matrix-conduit = { - enable = true; - # package = inputs.conduit.packages.${pkgs.system}.default; - package = pkgs.matrix-conduit; - settings.global = { - server_name = "xinyang.life"; - port = 6167; - # database_path = "/var/lib/matrix-conduit/"; - max_concurrent_requests = 100; - log = "info"; - database_backend = "rocksdb"; - allow_registration = false; - - well_known = { - client = "https://msg.xinyang.life"; - server = "msg.xinyang.life:443"; - }; - }; - }; - - services.gotosocial = { - enable = true; - settings = { - log-level = "debug"; - host = "xinyang.life"; - letsencrypt-enabled = false; - bind-address = "localhost"; - instance-expose-public-timeline = true; - oidc-enabled = true; - oidc-idp-name = "Kanidm"; - oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts"; - oidc-client-id = "gts"; - oidc-link-existing = true; - storage-local-base-path = "/mnt/storage/gotosocial/storage"; - }; - environmentFile = config.sops.secrets.gts_env.path; - }; - - services.forgejo = { - enable = true; - # Use cutting edge instead of lts - package = pkgs.forgejo; - repositoryRoot = "/mnt/storage/forgejo/repositories"; - lfs = { - enable = true; - contentDir = "/mnt/storage/forgejo/lfs"; - }; - settings = { - service.DISABLE_REGISTRATION = true; - server = { - ROOT_URL = "https://git.xinyang.life/"; - START_SSH_SERVER = false; - SSH_USER = config.services.forgejo.user; - SSH_DOMAIN = "ssh.xinyang.life"; - SSH_PORT = 22; - LFS_MAX_FILE_SIZE = 10737418240; - LANDING_PAGE = "/explore/repos"; - }; - repository = { - ENABLE_PUSH_CREATE_USER = true; - }; - service = { - ENABLE_BASIC_AUTHENTICATION = false; - }; - oauth2 = { - ENABLED = false; # Disable forgejo as oauth2 provider - }; - oauth2_client = { - ACCOUNT_LINKING = "auto"; - USERNAME = "email"; - ENABLE_AUTO_REGISTRATION = true; - UPDATE_AVATAR = false; - OPENID_CONNECT_SCOPES = "openid profile email groups"; - }; - other = { - SHOW_FOOTER_VERSION = false; - }; - }; - }; - - systemd.services.forgejo = { - serviceConfig = { - EnvironmentFile = config.sops.secrets."forgejo/env".path; - ExecStartPost = '' - ${lib.getExe config.services.forgejo.package} admin auth update-oauth \ - --id 1 \ - --name kanidm \ - --provider openidConnect \ - --key forgejo \ - --secret $CLIENT_SECRET \ - --icon-url https://auth.xinyang.life/pkg/img/favicon.png \ - --group-claim-name forgejo_role --admin-group Admin - ''; - }; - }; - - services.grafana = { - enable = true; - settings = { - server = { - http_addr = "127.0.0.1"; - http_port = 3003; - root_url = "https://grafana.xinyang.life"; - domain = "grafana.xinyang.life"; - }; - "auth.generic_oauth" = { - enabled = true; - name = "Kanidm"; - client_id = "grafana"; - scopes = "openid,profile,email,groups"; - auth_url = "https://auth.xinyang.life/ui/oauth2"; - token_url = "https://auth.xinyang.life/oauth2/token"; - api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo"; - use_pkce = true; - use_refresh_token = true; - allow_sign_up = true; - login_attribute_path = "preferred_username"; - groups_attribute_path = "groups"; - role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'"; - allow_assign_grafana_admin = true; - auto_login = true; - }; - "auth" = { - disable_login_form = true; - }; - }; - }; - - systemd.services.grafana.serviceConfig.EnvironmentFile = - config.sops.secrets.grafana_oauth_secret.path; - - users.users.git = { - isSystemUser = true; - useDefaultShell = true; - group = "git"; - extraGroups = [ "forgejo" ]; - }; - users.groups.git = { }; - - users.users = { - ${config.services.caddy.user}.extraGroups = [ config.services.ntfy-sh.group ]; - }; - - services.caddy = { - enable = true; - virtualHosts."xinyang.life:443".extraConfig = '' - tls internal - encode zstd gzip - reverse_proxy /.well-known/matrix/* localhost:6167 - reverse_proxy * http://localhost:8080 { - flush_interval -1 - } - ''; - virtualHosts."https://msg.xinyang.life:443".extraConfig = '' - reverse_proxy /_matrix/* localhost:6167 - ''; - virtualHosts."https://git.xinyang.life:443".extraConfig = '' - reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT} - ''; - - virtualHosts."http://auth.xinyang.life:80".extraConfig = '' - reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} - ''; - virtualHosts."https://auth.xinyang.life".extraConfig = '' - reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { - header_up Host {upstream_hostport} - header_down Access-Control-Allow-Origin "*" - transport http { - tls_server_name ${config.services.kanidm.serverSettings.domain} - } - } - ''; - - virtualHosts."https://rss.xinyang.life".extraConfig = '' - reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR} - ''; - - virtualHosts."https://ntfy.xinyang.life".extraConfig = '' - reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix} - @httpget { - protocol http - method GET - path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/) - } - redir @httpget https://{host}{uri} - ''; - - virtualHosts."https://grafana.xinyang.life".extraConfig = - let - grafanaSettings = config.services.grafana.settings.server; - in - '' - reverse_proxy http://${grafanaSettings.http_addr}:${toString grafanaSettings.http_port} - ''; - }; -} diff --git a/machines/massicot/services/conduit.nix b/machines/massicot/services/conduit.nix new file mode 100644 index 0000000..505c699 --- /dev/null +++ b/machines/massicot/services/conduit.nix @@ -0,0 +1,46 @@ +{ pkgs, lib, ... }: +let + inherit (lib) mkForce; +in +{ + config = { + custom.cifs-mounts = [ "conduit" ]; + + services.matrix-conduit = { + enable = true; + # package = inputs.conduit.packages.${pkgs.system}.default; + package = pkgs.matrix-conduit; + settings.global = { + server_name = "xinyang.life"; + port = 6167; + # database_path = "/var/lib/matrix-conduit/"; + max_concurrent_requests = 100; + log = "info"; + database_backend = "rocksdb"; + allow_registration = false; + + well_known = { + client = "https://msg.xinyang.life"; + server = "msg.xinyang.life:443"; + }; + }; + }; + + systemd.services.conduit = { + serviceConfig = { + DynamicUser = mkForce false; + }; + }; + + users.users.conduit = { + group = "conduit"; + isSystemUser = true; + }; + users.groups.conduit = { }; + + services.caddy.enable = true; + services.caddy.virtualHosts."https://msg.xinyang.life:443".extraConfig = '' + reverse_proxy /_matrix/* localhost:6167 + ''; + }; +} diff --git a/machines/massicot/services/default.nix b/machines/massicot/services/default.nix new file mode 100644 index 0000000..cb4ebc1 --- /dev/null +++ b/machines/massicot/services/default.nix @@ -0,0 +1,22 @@ +{ + imports = [ + ./conduit.nix + ./forgejo.nix + ./gotosocial.nix + ./grafana.nix + ./hedgedoc.nix + ./kanidm + ./miniflux.nix + ./ntfy.nix + ./storagebox.nix + ./vaultwarden.nix + ]; + config = { + + custom.prometheus = { + enable = true; + exporters.blackbox.enable = true; + exporters.miniflux.enable = true; + }; + }; +} diff --git a/machines/massicot/services/forgejo.nix b/machines/massicot/services/forgejo.nix new file mode 100644 index 0000000..f2dd9b6 --- /dev/null +++ b/machines/massicot/services/forgejo.nix @@ -0,0 +1,84 @@ +{ + config, + lib, + pkgs, + ... +}: +let + inherit (lib) getExe; +in +{ + config = { + custom.cifs-mounts = [ "forgejo" ]; + services.forgejo = { + enable = true; + # Use cutting edge instead of lts + package = pkgs.forgejo; + repositoryRoot = "/mnt/storage/forgejo/repositories"; + lfs = { + enable = true; + contentDir = "/mnt/storage/forgejo/lfs"; + }; + settings = { + service.DISABLE_REGISTRATION = true; + server = { + ROOT_URL = "https://git.xinyang.life/"; + START_SSH_SERVER = false; + SSH_USER = config.services.forgejo.user; + SSH_DOMAIN = "ssh.xinyang.life"; + SSH_PORT = 22; + LFS_MAX_FILE_SIZE = 10737418240; + LANDING_PAGE = "/explore/repos"; + }; + repository = { + ENABLE_PUSH_CREATE_USER = true; + }; + service = { + ENABLE_BASIC_AUTHENTICATION = false; + }; + oauth2 = { + ENABLED = false; # Disable forgejo as oauth2 provider + }; + oauth2_client = { + ACCOUNT_LINKING = "auto"; + USERNAME = "email"; + ENABLE_AUTO_REGISTRATION = true; + UPDATE_AVATAR = false; + OPENID_CONNECT_SCOPES = "openid profile email groups"; + }; + other = { + SHOW_FOOTER_VERSION = false; + }; + }; + }; + + systemd.services.forgejo = { + serviceConfig = { + EnvironmentFile = config.sops.secrets."forgejo/env".path; + ExecStartPost = '' + ${getExe config.services.forgejo.package} admin auth update-oauth \ + --id 1 \ + --name kanidm \ + --provider openidConnect \ + --key forgejo \ + --secret $CLIENT_SECRET \ + --icon-url https://auth.xinyang.life/pkg/img/favicon.png \ + --group-claim-name forgejo_role --admin-group Admin + ''; + }; + }; + + users.users.git = { + isSystemUser = true; + useDefaultShell = true; + group = "git"; + extraGroups = [ "forgejo" ]; + }; + users.groups.git = { }; + + services.caddy.enable = true; + services.caddy.virtualHosts."https://git.xinyang.life:443".extraConfig = '' + reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT} + ''; + }; +} diff --git a/machines/massicot/services/gotosocial.nix b/machines/massicot/services/gotosocial.nix new file mode 100644 index 0000000..d6fe1d3 --- /dev/null +++ b/machines/massicot/services/gotosocial.nix @@ -0,0 +1,33 @@ +{ config, ... }: +{ + config = { + custom.cifs-mounts = [ "gotosocial" ]; + services.gotosocial = { + enable = true; + settings = { + log-level = "debug"; + host = "xinyang.life"; + letsencrypt-enabled = false; + bind-address = "localhost"; + instance-expose-public-timeline = true; + oidc-enabled = true; + oidc-idp-name = "Kanidm"; + oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts"; + oidc-client-id = "gts"; + oidc-link-existing = true; + storage-local-base-path = "/mnt/storage/gotosocial/storage"; + }; + environmentFile = config.sops.secrets.gts_env.path; + }; + + services.caddy.enable = true; + services.caddy.virtualHosts."xinyang.life:443".extraConfig = '' + tls internal + encode zstd gzip + reverse_proxy /.well-known/matrix/* localhost:6167 + reverse_proxy * http://localhost:8080 { + flush_interval -1 + } + ''; + }; +} diff --git a/machines/massicot/services/grafana.nix b/machines/massicot/services/grafana.nix new file mode 100644 index 0000000..a8e2cea --- /dev/null +++ b/machines/massicot/services/grafana.nix @@ -0,0 +1,47 @@ +{ config, ... }: +{ + config = { + services.grafana = { + enable = true; + settings = { + server = { + http_addr = "127.0.0.1"; + http_port = 3003; + root_url = "https://grafana.xinyang.life"; + domain = "grafana.xinyang.life"; + }; + "auth.generic_oauth" = { + enabled = true; + name = "Kanidm"; + client_id = "grafana"; + scopes = "openid,profile,email,groups"; + auth_url = "https://auth.xinyang.life/ui/oauth2"; + token_url = "https://auth.xinyang.life/oauth2/token"; + api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo"; + use_pkce = true; + use_refresh_token = true; + allow_sign_up = true; + login_attribute_path = "preferred_username"; + groups_attribute_path = "groups"; + role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'"; + allow_assign_grafana_admin = true; + auto_login = true; + }; + "auth" = { + disable_login_form = true; + }; + }; + }; + + systemd.services.grafana.serviceConfig.EnvironmentFile = + config.sops.secrets.grafana_oauth_secret.path; + + services.caddy.virtualHosts."https://grafana.xinyang.life".extraConfig = + let + grafanaSettings = config.services.grafana.settings.server; + in + '' + reverse_proxy http://${grafanaSettings.http_addr}:${toString grafanaSettings.http_port} + ''; + }; +} diff --git a/machines/massicot/services/hedgedoc.nix b/machines/massicot/services/hedgedoc.nix new file mode 100644 index 0000000..5aa2d2e --- /dev/null +++ b/machines/massicot/services/hedgedoc.nix @@ -0,0 +1,20 @@ +{ config, ... }: +{ + config = { + custom.cifs-mounts = [ "hedgedoc" ]; + custom.hedgedoc = { + enable = true; + caddy = true; + domain = "docs.xinyang.life"; + mediaPath = "/mnt/storage/hedgedoc"; + oidc = { + enable = true; + baseURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc"; + authorizationURL = "https://auth.xinyang.life/ui/oauth2"; + tokenURL = "https://auth.xinyang.life/oauth2/token"; + userProfileURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc/userinfo"; + }; + environmentFile = config.sops.secrets.hedgedoc_env.path; + }; + }; +} diff --git a/machines/massicot/services/kanidm/default.nix b/machines/massicot/services/kanidm/default.nix new file mode 100644 index 0000000..381644d --- /dev/null +++ b/machines/massicot/services/kanidm/default.nix @@ -0,0 +1,52 @@ +{ config, pkgs, ... }: +let + kanidm_listen_port = 5324; +in +{ + config = { + services.caddy = { + virtualHosts."http://auth.xinyang.life:80".extraConfig = '' + reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} + ''; + virtualHosts."https://auth.xinyang.life".extraConfig = '' + reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { + header_up Host {upstream_hostport} + header_down Access-Control-Allow-Origin "*" + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } + } + ''; + }; + + services.kanidm = { + package = pkgs.kanidm.withSecretProvisioning; + enableServer = true; + serverSettings = { + domain = "auth.xinyang.life"; + origin = "https://auth.xinyang.life"; + bindaddress = "[::]:${toString kanidm_listen_port}"; + tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem''; + tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; + online_backup.versions = 7; + # db_path = "/var/lib/kanidm/kanidm.db"; + }; + provision = import ./kanidm-provision.nix; + }; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + security.acme = { + acceptTerms = true; + certs."auth.xinyang.life" = { + email = "lixinyang411@gmail.com"; + listenHTTP = "127.0.0.1:1360"; + group = "kanidm"; + }; + }; + + }; +} diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/services/kanidm/kanidm-provision.nix similarity index 100% rename from machines/massicot/kanidm-provision.nix rename to machines/massicot/services/kanidm/kanidm-provision.nix diff --git a/machines/massicot/services/miniflux.nix b/machines/massicot/services/miniflux.nix new file mode 100644 index 0000000..703aac4 --- /dev/null +++ b/machines/massicot/services/miniflux.nix @@ -0,0 +1,26 @@ +{ config, ... }: +{ + config = { + custom.miniflux = { + enable = true; + environment = { + LOG_LEVEL = "debug"; + LISTEN_ADDR = "127.0.0.1:58173"; + BASE_URL = "https://rss.xinyang.life/"; + OAUTH2_PROVIDER = "oidc"; + OAUTH2_CLIENT_ID = "miniflux"; + OAUTH2_REDIRECT_URL = "https://rss.xinyang.life/oauth2/oidc/callback"; + OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.xinyang.life/oauth2/openid/miniflux"; + OAUTH2_USER_CREATION = 1; + }; + oauth2SecretFile = config.sops.secrets."miniflux/oauth2_secret".path; + }; + + services.caddy = { + enable = true; + virtualHosts."https://rss.xinyang.life".extraConfig = '' + reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR} + ''; + }; + }; +} diff --git a/machines/massicot/services/ntfy.nix b/machines/massicot/services/ntfy.nix new file mode 100644 index 0000000..02ff488 --- /dev/null +++ b/machines/massicot/services/ntfy.nix @@ -0,0 +1,29 @@ +{ config, ... }: +{ + config = { + services.ntfy-sh = { + enable = true; + group = "caddy"; + settings = { + listen-unix = "/var/run/ntfy-sh/ntfy.sock"; + listen-unix-mode = 432; # octal 0660 + base-url = "https://ntfy.xinyang.life"; + }; + }; + systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh"; + + users.users = { + ${config.services.caddy.user}.extraGroups = [ config.services.ntfy-sh.group ]; + }; + + services.caddy.virtualHosts."https://ntfy.xinyang.life".extraConfig = '' + reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix} + @httpget { + protocol http + method GET + path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/) + } + redir @httpget https://{host}{uri} + ''; + }; +} diff --git a/machines/massicot/services/storagebox.nix b/machines/massicot/services/storagebox.nix new file mode 100644 index 0000000..9cbd8f3 --- /dev/null +++ b/machines/massicot/services/storagebox.nix @@ -0,0 +1,25 @@ +{ config, lib, ... }: +let + inherit (lib) mkDefault mkOption types; + + cfg = config.custom; +in +{ + options = { + custom.cifs-mounts = mkOption { type = with types; (listOf str); }; + }; + + config = { + services.cachefilesd.enable = true; + + systemd.mounts = map (share: { + what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; + where = "/mnt/storage/${share}"; + type = "cifs"; + options = mkDefault "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; + before = [ "${share}.service" ]; + after = [ "cachefilesd.service" ]; + wantedBy = [ "${share}.service" ]; + }) cfg.cifs-mounts; + }; +} diff --git a/machines/massicot/services/vaultwarden.nix b/machines/massicot/services/vaultwarden.nix new file mode 100644 index 0000000..7d754c0 --- /dev/null +++ b/machines/massicot/services/vaultwarden.nix @@ -0,0 +1,8 @@ +{ + config = { + custom.vaultwarden = { + enable = true; + domain = "vaultwarden.xinyang.life"; + }; + }; +} diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix index 049e67e..8eaa463 100644 --- a/machines/raspite/configuration.nix +++ b/machines/raspite/configuration.nix @@ -17,6 +17,8 @@ }) ]; + nixpkgs.hostPlatform = "aarch64-linux"; + environment.systemPackages = with pkgs; [ git libraspberrypi diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 3fe5855..a08c54e 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -1,4 +1,3 @@ -{ config, pkgs, ... }: { imports = [ ./common-settings/auth.nix @@ -8,6 +7,7 @@ ./prometheus ./hedgedoc.nix ./sing-box.nix + ./stylix.nix ./kanidm-client.nix ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge ./forgejo-actions-runner.nix diff --git a/modules/nixos/stylix.nix b/modules/nixos/stylix.nix new file mode 100644 index 0000000..c2ab1a9 --- /dev/null +++ b/modules/nixos/stylix.nix @@ -0,0 +1,54 @@ +{ + inputs, + config, + pkgs, + lib, + ... +}: +let + inherit (lib) mkEnableOption mkIf; + cfg = config.custom.stylix; +in +{ + imports = [ inputs.stylix.nixosModules.stylix ]; + + options = { + custom.stylix = { + enable = mkEnableOption "style management with stylix"; + }; + }; + + config = mkIf cfg.enable { + stylix.enable = true; + stylix.image = pkgs.fetchurl { + url = "https://github.com/NixOS/nixos-artwork/blob/master/wallpapers/nixos-wallpaper-catppuccin-mocha.png?raw=true"; + hash = "sha256-fmKFYw2gYAYFjOv4lr8IkXPtZfE1+88yKQ4vjEcax1s="; + }; + + stylix.base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-mocha.yaml"; + stylix.polarity = "dark"; + stylix.autoEnable = false; + stylix.homeManagerIntegration.autoImport = true; + stylix.homeManagerIntegration.followSystem = true; + stylix.fonts = { + monospace = { + name = "JetBrainsMono Nerd Font"; + package = pkgs.nerdfonts.override { fonts = [ "JetBrainsMono" ]; }; + }; + serif = { + name = "Noto Serif CJK SC"; + package = pkgs.noto-fonts; + }; + sansSerif = { + name = "Noto Sans CJK SC"; + package = pkgs.noto-fonts; + }; + }; + + stylix.targets = { + console.enable = true; + gnome.enable = if config.services.xserver.desktopManager.gnome.enable then true else false; + gtk.enable = true; + }; + }; +}