

No commits in common. "7a795e5ed9aba21216ca84ab5886c9df787359a3" and "9a53ca1cea4bbf5b929306924a55a1f8f2589a79" have entirely different histories.

57 changed files with 911 additions and 1496 deletions

8
flake.lock generated

@ -293,11 +293,11 @@
"nixvim": "nixvim" "nixvim": "nixvim"
}, },
"locked": { "locked": {
"lastModified": 1724306750, "lastModified": 1724158316,
"narHash": "sha256-mT8DXzj0zHfGJ+zuxFAnqnk+0bDEFgEk7TvEk59WbWQ=", "narHash": "sha256-cz2N0vPfe0jmjxqKWh7dgVecLqmPLHQrvxGJk0atDbg=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "81990813485a580d69853d8429e3b8aece7f66a6", "rev": "a5eb7fe89ee8ba654f339d8f75cecb39851743ec",
"revCount": 11, "revCount": 4,
"type": "git", "type": "git",
"url": "https://git.xinyang.life/xin/nixvim" "url": "https://git.xinyang.life/xin/nixvim"
}, },

250
flake.nix

@ -52,28 +52,28 @@
catppuccin.url = "github:catppuccin/nix"; catppuccin.url = "github:catppuccin/nix";
}; };
outputs = outputs =
{ { self
self, , home-manager
home-manager, , nixpkgs
nixpkgs, , nixos-hardware
nixos-hardware, , flake-utils
flake-utils, , nur
nur, , catppuccin
catppuccin, , my-nixvim
my-nixvim, , ...
...
}@inputs: }@inputs:
let let
nixvimOverlay = (final: prev: { nixvim = self.packages.${prev.stdenv.system}.nixvim; }); nixvimOverlay = (final: prev: {
overlayModule = nixvim = self.packages.${prev.stdenv.system}.nixvim;
{ ... }: });
{ overlayModule = { ... }: {
nixpkgs.overlays = [ nixpkgs.overlays = [
nixvimOverlay nixvimOverlay
(import ./overlays/add-pkgs.nix) (import ./overlays/add-pkgs.nix)
]; ];
}; };
deploymentModule = { deploymentModule = {
deployment.targetUser = "xin"; deployment.targetUser = "xin";
}; };
@ -87,25 +87,20 @@
catppuccin.homeManagerModules.catppuccin catppuccin.homeManagerModules.catppuccin
self.homeManagerModules self.homeManagerModules
]; ];
mkHome = mkHome = user: host: { ... }: {
user: host: imports = [
{ ... }: home-manager.nixosModules.home-manager
{ {
imports = [ home-manager = {
home-manager.nixosModules.home-manager sharedModules = sharedHmModules;
{ useGlobalPkgs = true;
home-manager = { useUserPackages = true;
sharedModules = sharedHmModules; extraSpecialArgs = { inherit inputs; };
useGlobalPkgs = true; };
useUserPackages = true; home-manager.users.${user} = (import ./home).${user}.${host};
extraSpecialArgs = { }
inherit inputs; ];
}; };
};
home-manager.users.${user} = (import ./home).${user}.${host};
}
];
};
mkHomeConfiguration = user: host: { mkHomeConfiguration = user: host: {
name = user; name = user;
value = home-manager.lib.homeManagerConfiguration { value = home-manager.lib.homeManagerConfiguration {
@ -119,109 +114,94 @@
}; };
}; };
}; };
mkNixos = mkNixos = { system, modules, specialArgs ? { } }: nixpkgs.lib.nixosSystem {
{ inherit system;
system, specialArgs = specialArgs // { inherit inputs system; };
modules, modules = [
specialArgs ? { }, self.nixosModules.default
}: nur.nixosModules.nur
nixpkgs.lib.nixosSystem { ] ++ modules;
inherit system; };
specialArgs = specialArgs // {
inherit inputs system;
};
modules = [
self.nixosModules.default
nur.nixosModules.nur
] ++ modules;
};
in in
{ {
nixpkgs = nixpkgs; nixpkgs = nixpkgs;
nixosModules.default = { nixosModules.default = { imports = [ ./modules/nixos overlayModule ]; };
imports = [
./modules/nixos
overlayModule
];
};
homeManagerModules = import ./modules/home-manager; homeManagerModules = import ./modules/home-manager;
homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ];
colmenaHive = inputs.colmena.lib.makeHive { colmenaHive = inputs.colmena.lib.makeHive {
meta = { meta = {
nixpkgs = import nixpkgs { system = "x86_64-linux"; }; nixpkgs = import nixpkgs {
system = "x86_64-linux";
};
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
}; };
massicot = massicot = { ... }: {
{ ... }: deployment.targetHost = "49.13.13.122";
{ deployment.buildOnTarget = true;
deployment.targetHost = "49.13.13.122";
deployment.buildOnTarget = true;
imports = [ imports = [
{ nixpkgs.system = "aarch64-linux"; } { nixpkgs.system = "aarch64-linux"; }
machines/massicot machines/massicot
] ++ sharedColmenaModules; ] ++ sharedColmenaModules;
}; };
tok-00 = tok-00 = { ... }: {
{ ... }: imports = [
{ machines/dolomite
imports = [ machines/dolomite ] ++ sharedColmenaModules; ] ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux"; nixpkgs.system = "x86_64-linux";
networking.hostName = "tok-00"; networking.hostName = "tok-00";
system.stateVersion = "23.11"; system.stateVersion = "23.11";
deployment = { deployment = {
targetHost = "video01.namely.icu"; targetHost = "video01.namely.icu";
buildOnTarget = false; buildOnTarget = false;
tags = [ "proxy" ]; tags = [ "proxy" ];
};
}; };
};
la-00 = la-00 = { ... }: {
{ ... }: imports = [
{ machines/dolomite
imports = [ machines/dolomite ] ++ sharedColmenaModules; ] ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux"; nixpkgs.system = "x86_64-linux";
networking.hostName = "la-00"; networking.hostName = "la-00";
system.stateVersion = "21.05"; system.stateVersion = "21.05";
deployment = { deployment = {
targetHost = "la-00.video.namely.icu"; targetHost = "la-00.video.namely.icu";
buildOnTarget = false; buildOnTarget = false;
tags = [ "proxy" ]; tags = [ "proxy" ];
};
}; };
};
raspite = raspite = { ... }: {
{ ... }: deployment = {
{ targetHost = "raspite.local";
deployment = { buildOnTarget = false;
targetHost = "raspite.local";
buildOnTarget = false;
};
nixpkgs.system = "aarch64-linux";
imports = [
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
nixos-hardware.nixosModules.raspberry-pi-4
machines/raspite/configuration.nix
] ++ sharedColmenaModules;
}; };
nixpkgs.system = "aarch64-linux";
imports = [
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
nixos-hardware.nixosModules.raspberry-pi-4
machines/raspite/configuration.nix
] ++ sharedColmenaModules;
};
weilite = weilite = { ... }: {
{ ... }: imports = [
{ machines/weilite
imports = [ machines/weilite ] ++ sharedColmenaModules; ] ++ sharedColmenaModules;
deployment = { deployment = {
targetHost = "weilite.coho-tet.ts.net"; targetHost = "weilite.coho-tet.ts.net";
targetPort = 22; targetPort = 22;
buildOnTarget = false; buildOnTarget = false;
};
nixpkgs.system = "x86_64-linux";
}; };
nixpkgs.system = "x86_64-linux";
};
}; };
nixosConfigurations = { nixosConfigurations = {
@ -235,30 +215,18 @@
}; };
} // self.colmenaHive.nodes; } // self.colmenaHive.nodes;
} } // flake-utils.lib.eachDefaultSystem (system:
// flake-utils.lib.eachDefaultSystem ( let pkgs = nixpkgs.legacyPackages.${system}; in
system: {
let devShells = {
pkgs = nixpkgs.legacyPackages.${system}; default = pkgs.mkShell {
in packages = with pkgs; [ nix git colmena sops nix-output-monitor nil nvd ];
{
devShells = {
default = pkgs.mkShell {
packages = with pkgs; [
nix
git
colmena
sops
nix-output-monitor
nil
nvd
];
};
}; };
};
packages = { packages = {
nixvim = my-nixvim.packages.${system}.default; nixvim = my-nixvim.packages.${system}.default;
}; };
} }
); );
} }


@ -2,4 +2,4 @@
xin = { xin = {
calcite = import ./xin/calcite.nix; calcite = import ./xin/calcite.nix;
}; };
} }


@ -1,6 +1,8 @@
{ config, pkgs, ... }@inputs: { config, pkgs, ... }@inputs:
{ {
imports = [ ./common ]; imports = [
./common
];
programs.nix-index-database.comma.enable = true; programs.nix-index-database.comma.enable = true;
@ -44,42 +46,15 @@
}; };
custom-hm = { custom-hm = {
alacritty = { alacritty = { enable = true; };
enable = true; direnv = { enable = true; };
}; fish = { enable = true; };
cosmic-term = { git = { enable = true; signing.enable = true; };
enable = true; neovim = { enable = true; };
}; vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; llm = true; };
direnv = { zellij = { enable = true; };
enable = true;
};
fish = {
enable = true;
};
git = {
enable = true;
signing.enable = true;
};
neovim = {
enable = true;
};
vscode = {
enable = true;
languages = {
cxx = true;
python = true;
scala = true;
latex = true;
};
llm = true;
};
zellij = {
enable = true;
};
}; };
programs.gnome-shell.enable = true;
programs.atuin = { programs.atuin = {
enable = true; enable = true;
flags = [ "--disable-up-arrow" ]; flags = [ "--disable-up-arrow" ];
@ -93,82 +68,10 @@
programs.firefox.profiles.default = { programs.firefox.profiles.default = {
isDefault = true; isDefault = true;
userChrome = '' userChrome = builtins.readFile "${pkgs.fetchgit {
#titlebar { url = "https://gist.github.com/0ded98af9fe3da35f3688f81364d8c14.git";
display: none; rev = "11bb4f428382052bcbbceb6cc3fef97f3c939481";
} hash = "sha256-J11indzEGdUA0HSW8eFe5AjesOxCL/G05KwkJk9GZSY=";
}}/userChrome.css";
#sidebar-header {
display: none;
}
[titlepreface*="."] #sidebar-header {
visibility: collapse !important;
}
[titlepreface*="."] #titlebar {
visibility: collapse;
}
#sidebar-box{
--uc-sidebar-width: 33px;
--uc-sidebar-hover-width: 300px;
--uc-autohide-sidebar-delay: 90ms;
position: relative;
min-width: var(--uc-sidebar-width) !important;
width: var(--uc-sidebar-width) !important;
max-width: var(--uc-sidebar-width) !important;
z-index:1;
}
#sidebar-box[positionend]{ direction: rtl }
#sidebar-box[positionend] > *{ direction: ltr }
#sidebar-box[positionend]:-moz-locale-dir(rtl){ direction: ltr }
#sidebar-box[positionend]:-moz-locale-dir(rtl) > *{ direction: rtl }
#main-window[sizemode="fullscreen"] #sidebar-box{ --uc-sidebar-width: 1px; }
#sidebar-splitter{ display: none }
#sidebar-header{
overflow: hidden;
color: var(--chrome-color, inherit) !important;
padding-inline: 0 !important;
}
#sidebar-header::before,
#sidebar-header::after{
content: "";
display: -moz-box;
padding-left: 8px;
}
#sidebar-switcher-target{
-moz-box-pack: start !important;
}
#sidebar-header,
#sidebar{
transition: min-width 115ms linear var(--uc-autohide-sidebar-delay) !important;
min-width: var(--uc-sidebar-width) !important;
will-change: min-width;
}
#sidebar-box:hover > #sidebar-header,
#sidebar-box:hover > #sidebar{
min-width: var(--uc-sidebar-hover-width) !important;
transition-delay: 0ms !important;
}
.sidebar-panel{
background-color: transparent !important;
color: var(--newtab-text-primary-color) !important;
}
.sidebar-panel #search-box{
-moz-appearance: none !important;
background-color: rgba(249,249,250,0.1) !important;
color: inherit !important;
}
'';
}; };
} }
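Review bot: Taking the right-hand column as the head side, `userChrome = builtins.readFile "${pkgs.fetchgit { ... }}/userChrome.css"` now sources the Firefox stylesheet from a gist whose URL carries no owner name, and nothing on the line says what the stylesheet does or why it moved out of the repo. The `rev` plus `hash` pin the content, so a changed or deleted gist fails evaluation rather than silently injecting different CSS, but the build now depends on that gist being reachable on a fresh machine, and the inline version on the other side of the diff is the only record that this is an auto-hiding sidebar stylesheet. Add a comment above the assignment, e.g. `# Firefox auto-hide sidebar userChrome, pinned by rev + sha256; update both together when bumping`, or keep the CSS vendored under ./home so it stays reviewable in-tree.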


@ -1,10 +1,4 @@
{ { inputs, pkgs, lib, ... }: {
inputs,
pkgs,
lib,
...
}:
{
imports = [ ]; imports = [ ];
home.packages = with pkgs; [ home.packages = with pkgs; [


@ -1,15 +1,15 @@
{ pkgs, home-manager, ... }: { pkgs, home-manager, ... }:
home-manager.lib.homeManagerConfiguration { home-manager.lib.homeManagerConfiguration {
inherit pkgs; inherit pkgs;
modules = [ modules = [
../common ../common
{ {
home.username = "xin"; home.username = "xin";
home.homeDirectory = "/home/xin"; home.homeDirectory = "/home/xin";
home.stateVersion = "23.05"; home.stateVersion = "23.05";
# Let Home Manager install and manage itself. # Let Home Manager install and manage itself.
programs.home-manager.enable = true; programs.home-manager.enable = true;
} }
]; ];
} }


@ -1,6 +1,9 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ ../common ]; imports = [
../common
];
home.username = "xin"; home.username = "xin";
home.homeDirectory = "/home/xin"; home.homeDirectory = "/home/xin";


@ -1,17 +1,13 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
{ {
imports = [ imports =
# Include the results of the hardware scan. [
./hardware-configuration.nix # Include the results of the hardware scan.
./network.nix ./hardware-configuration.nix
../sops.nix ./network.nix
]; ../sops.nix
];
commonSettings = { commonSettings = {
auth.enable = true; auth.enable = true;
@ -26,11 +22,7 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi"; boot.loader.efi.efiSysMountPoint = "/boot/efi";
# boot.kernelPackages = pkgs.linuxPackages_latest; # boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelModules = [ boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" ];
"nvidia"
"nvidia_modeset"
"nvidia_uvm"
];
boot.supportedFilesystems = [ "ntfs" ]; boot.supportedFilesystems = [ "ntfs" ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
@ -53,9 +45,7 @@
programs.steam = { programs.steam = {
enable = true; enable = true;
gamescopeSession = { gamescopeSession = { enable = true; };
enable = true;
};
}; };
programs.oidc-agent.enable = true; programs.oidc-agent.enable = true;
@ -103,6 +93,7 @@
services.xserver.displayManager.gdm.enable = true; services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true; services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11 # Configure keymap in X11
services.xserver = { services.xserver = {
xkb.layout = "us"; xkb.layout = "us";
@ -144,12 +135,7 @@
users.users.xin = { users.users.xin = {
isNormalUser = true; isNormalUser = true;
description = "xin"; description = "xin";
extraGroups = [ extraGroups = [ "networkmanager" "wheel" "wireshark" "tss" ];
"networkmanager"
"wheel"
"wireshark"
"tss"
];
}; };
services.kanidm = { services.kanidm = {
@ -193,14 +179,13 @@
# reference: https://nixos.wiki/wiki/Python # reference: https://nixos.wiki/wiki/Python
( (
let let
my-python-packages = my-python-packages = python-packages: with python-packages; [
python-packages: with python-packages; [ pandas
pandas requests
requests numpy
numpy pyyaml
pyyaml setuptools
setuptools ];
];
python-with-my-packages = python3.withPackages my-python-packages; python-with-my-packages = python3.withPackages my-python-packages;
in in
python-with-my-packages python-with-my-packages
@ -295,19 +280,14 @@
acceleration = "cuda"; acceleration = "cuda";
}; };
# MTP support # MTP support
services.gvfs.enable = true; services.gvfs.enable = true;
# Fonts # Fonts
fonts = { fonts = {
packages = with pkgs; [ packages = with pkgs; [
(nerdfonts.override { (nerdfonts.override { fonts = [ "FiraCode" ]; })
fonts = [
"FiraCode"
"FiraMono"
"JetBrainsMono"
];
})
noto-fonts noto-fonts
noto-fonts-emoji noto-fonts-emoji
liberation_ttf liberation_ttf
@ -325,19 +305,9 @@
]; ];
fontconfig = { fontconfig = {
defaultFonts = { defaultFonts = {
serif = [ serif = [ "Noto Serif CJK SC" "Ubuntu" ];
"Noto Serif CJK SC" sansSerif = [ "Noto Sans CJK SC" "Ubuntu" ];
"Ubuntu" monospace = [ "FiraCode NerdFont Mono" "Noto Sans Mono CJK SC" "Ubuntu" ];
];
sansSerif = [
"Noto Sans CJK SC"
"Ubuntu"
];
monospace = [
"FiraCode NerdFont Mono"
"Noto Sans Mono CJK SC"
"Ubuntu"
];
}; };
}; };
enableDefaultPackages = true; enableDefaultPackages = true;


@ -1,23 +1,14 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ];
"xhci_pci"
"nvme"
"ahci"
"usbhid"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.initrd.luks.devices.cryptroot = { boot.initrd.luks.devices.cryptroot = {
device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d"; device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d";
@ -25,29 +16,26 @@
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
# device = "/dev/disk/by-label/NIXROOT"; { # device = "/dev/disk/by-label/NIXROOT";
device = "/dev/mapper/cryptroot"; device = "/dev/mapper/cryptroot";
fsType = "btrfs"; fsType = "btrfs";
}; };
fileSystems."/boot/efi" = { fileSystems."/boot/efi" =
device = "/dev/disk/by-label/EFIBOOT"; { device = "/dev/disk/by-label/EFIBOOT";
fsType = "vfat"; fsType = "vfat";
}; };
fileSystems."/media/data" = { fileSystems."/media/data" =
device = "/dev/nvme0n1p7"; { device = "/dev/nvme0n1p7";
fsType = "ntfs-3g"; fsType = "ntfs-3g";
options = [ options = [ "rw" "uid=1000" "nofail" "x-systemd.device-timeout=2" ];
"rw" };
"uid=1000"
"nofail" swapDevices =
"x-systemd.device-timeout=2" [ { device = "/dev/disk/by-label/NIXSWAP"; }
]; ];
};
swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, ...}:
{ {
imports = [ ]; imports = [ ];
@ -10,7 +10,6 @@
dns = "systemd-resolved"; dns = "systemd-resolved";
}; };
}; };
systemd.services.NetworkManager-wait-online.enable = false;
services.resolved = { services.resolved = {
enable = true; enable = true;
@ -38,11 +37,10 @@
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 3389 ]; networking.firewall.allowedTCPPorts = [ 3389 ];
networking.firewall.allowedUDPPorts = [ networking.firewall.allowedUDPPorts = [ 3389 41641 ];
3389 networking.firewall.trustedInterfaces = [
41641 "tailscale0"
]; ];
networking.firewall.trustedInterfaces = [ "tailscale0" ];
# Use nftables to manager firewall # Use nftables to manager firewall
networking.nftables.enable = true; networking.nftables.enable = true;


@ -1,42 +1,30 @@
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
let let
cfg = config.isBandwagon; cfg = config.isBandwagon;
in in
{ {
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
options = { options = {
isBandwagon = lib.mkEnableOption "Bandwagon instance"; isBandwagon = lib.mkEnableOption "Bandwagon instance";
}; };
config = lib.mkIf cfg { config = lib.mkIf cfg {
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
"ata_piix"
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-label/NIXROOT"; { device = "/dev/disk/by-label/NIXROOT";
fsType = "xfs"; fsType = "xfs";
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-label/NIXBOOT"; { device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ ]; swapDevices = [ ];


@ -1,6 +1,6 @@
{ config, lib, ... }: { config, lib, ... }:
let let
awsHosts = [ "tok-00" ]; awsHosts = [ "tok-00"];
bwgHosts = [ "la-00" ]; bwgHosts = [ "la-00" ];
in in
{ {
@ -10,6 +10,7 @@ in
./lightsail.nix ./lightsail.nix
]; ];
config = { config = {
isBandwagon = builtins.elem config.networking.hostName bwgHosts; isBandwagon = builtins.elem config.networking.hostName bwgHosts;
isLightsail = builtins.elem config.networking.hostName awsHosts; isLightsail = builtins.elem config.networking.hostName awsHosts;
@ -36,18 +37,10 @@ in
acceptTerms = true; acceptTerms = true;
certs.${config.deployment.targetHost} = { certs.${config.deployment.targetHost} = {
email = "me@namely.icu"; email = "me@namely.icu";
# Avoid port conflict listenHTTP = ":80";
listenHTTP = if config.services.caddy.enable then ":30310" else ":80";
}; };
}; };
services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = '' networking.firewall.allowedTCPPorts = [ 80 8080 ];
reverse_proxy 127.0.0.1:30310
'';
networking.firewall.allowedTCPPorts = [
80
8080
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
custom.prometheus = { custom.prometheus = {
@ -82,129 +75,119 @@ in
wheelNeedsPassword = false; wheelNeedsPassword = false;
}; };
services.sing-box = services.sing-box = let
let singTls = {
singTls = { enabled = true;
enabled = true; server_name = config.deployment.targetHost;
server_name = config.deployment.targetHost; key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
certificate_path = };
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; password = {
}; _secret = config.sops.secrets.singbox_password.path;
password = { };
_secret = config.sops.secrets.singbox_password.path; uuid = {
}; _secret = config.sops.secrets.singbox_uuid.path;
uuid = { };
_secret = config.sops.secrets.singbox_uuid.path; in
}; {
in enable = true;
{ settings = {
enable = true; dns = {
settings = { servers = [
dns = {
servers = [
{
tag = "warp";
address = "1.1.1.1";
detour = "wg-out";
}
{
tag = "directdns";
address = "h3://8.8.8.8/dns-query";
}
];
rules = [
{
outbound = "wg-out";
server = "warp";
}
{
outbound = "direct";
server = "directdns";
}
];
};
inbounds =
[
{
tag = "sg0";
type = "trojan";
listen = "::";
listen_port = 8080;
users = [
{
name = "proxy";
password = password;
}
];
tls = singTls;
}
]
++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310);
type = "tuic";
listen = "::";
listen_port = port;
congestion_control = "bbr";
users = [
{
name = "proxy";
uuid = uuid;
password = password;
}
];
tls = singTls;
});
outbounds = [
{ {
type = "wireguard"; tag = "warp";
tag = "wg-out"; address = "1.1.1.1";
private_key = { detour = "wg-out";
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{
public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
} }
{ {
type = "direct"; tag = "directdns";
tag = "direct"; address = "h3://8.8.8.8/dns-query";
}
{
type = "dns";
tag = "dns-out";
} }
]; ];
route = { rules = [
rules = [ {
{ outbound = "wg-out";
outbound = "dns-out"; server = "warp";
protocol = "dns"; }
} {
{ outbound = "direct";
inbound = "sg0"; server = "directdns";
outbound = "direct"; }
} ];
{ };
inbound = "sg4"; inbounds = [
outbound = "direct"; {
tag = "sg0";
type = "trojan";
listen = "::";
listen_port = 8080;
users = [
{ name = "proxy";
password = password;
} }
]; ];
}; tls = singTls;
}
] ++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310);
type = "tuic";
listen = "::";
listen_port = port;
congestion_control = "bbr";
users = [
{ name = "proxy";
uuid = uuid;
password = password;
}
];
tls = singTls;
});
outbounds = [
{
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{ public_key= "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [ "0.0.0.0/0" "::/0" ];
server = "162.159.192.1";
server_port = 500;
}
];
}
{
type = "direct";
tag = "direct";
}
{
type = "dns";
tag = "dns-out";
}
];
route = {
rules = [
{
outbound = "dns-out";
protocol = "dns";
}
{
inbound = "sg0";
outbound = "direct";
}
{
inbound = "sg4";
outbound = "direct";
}
];
}; };
}; };
};
}; };
} }
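Review bot: In the `@ -36,18 +37,10 @@` hunk, the head side (right-hand column, judging by the line counts) sets `listenHTTP = ":80";` unconditionally for the ACME cert of `config.deployment.targetHost`, while the other side gates it on `config.services.caddy.enable` and adds a Caddy `reverse_proxy 127.0.0.1:30310` so the HTTP-01 challenge still reaches lego when Caddy owns port 80. With the guard gone, any dolomite host that enables Caddy will have two services contending for :80 and certificate issuance or renewal for the sing-box TLS listeners will fail, since `singTls` reads `key_path`/`certificate_path` from that same cert directory. If Caddy is never expected on these hosts, document that constraint next to the assignment, e.g. `# lego's standalone HTTP-01 listener owns :80; nothing else on this host may bind it`; otherwise keep the conditional `listenHTTP` and the proxy route. The enclosing module continues past this hunk.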


@ -1,16 +1,10 @@
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
with lib; with lib;
let let
cfg = config.ec2; cfg = config.ec2;
in in
{ {
imports = [ imports = [
"${modulesPath}/profiles/headless.nix" "${modulesPath}/profiles/headless.nix"
# Note: While we do use the headless profile, we also explicitly # Note: While we do use the headless profile, we also explicitly
# turn on the serial console on ttyS0 below. This is because # turn on the serial console on ttyS0 below. This is because
@ -45,22 +39,18 @@ in
fsType = "vfat"; fsType = "vfat";
}; };
boot.extraModulePackages = [ config.boot.kernelPackages.ena ]; boot.extraModulePackages = [
config.boot.kernelPackages.ena
];
boot.initrd.kernelModules = [ "xen-blkfront" ]; boot.initrd.kernelModules = [ "xen-blkfront" ];
boot.initrd.availableKernelModules = [ "nvme" ]; boot.initrd.availableKernelModules = [ "nvme" ];
boot.kernelParams = [ boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ];
"console=ttyS0,115200n8"
"random.trust_cpu=on"
];
# Prevent the nouveau kernel module from being loaded, as it # Prevent the nouveau kernel module from being loaded, as it
# interferes with the nvidia/nvidia-uvm modules needed for CUDA. # interferes with the nvidia/nvidia-uvm modules needed for CUDA.
# Also blacklist xen_fbfront to prevent a 30 second delay during # Also blacklist xen_fbfront to prevent a 30 second delay during
# boot. # boot.
boot.blacklistedKernelModules = [ boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ];
"nouveau"
"xen_fbfront"
];
boot.loader.grub.efiSupport = cfg.efi; boot.loader.grub.efiSupport = cfg.efi;
boot.loader.grub.efiInstallAsRemovable = cfg.efi; boot.loader.grub.efiInstallAsRemovable = cfg.efi;
@ -74,7 +64,7 @@ in
systemd.services.fetch-ec2-metadata = { systemd.services.fetch-ec2-metadata = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
after = [ "network-online.target" ]; after = ["network-online.target"];
path = [ pkgs.curl ]; path = [ pkgs.curl ];
script = builtins.readFile ./ec2-metadata-fetcher.sh; script = builtins.readFile ./ec2-metadata-fetcher.sh;
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";


@ -1,10 +1,4 @@
{ { inputs, config, libs, pkgs, ... }:
inputs,
config,
libs,
pkgs,
...
}:
{ {
imports = [ imports = [


@ -5,19 +5,9 @@
efiSupport = true; efiSupport = true;
device = "nodev"; device = "nodev";
}; };
fileSystems."/boot" = { fileSystems."/boot" = { device = "/dev/disk/by-uuid/AC27-D9D6"; fsType = "vfat"; };
device = "/dev/disk/by-uuid/AC27-D9D6"; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
fsType = "vfat";
};
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
];
boot.initrd.kernelModules = [ "nvme" ]; boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
device = "/dev/sda1";
fsType = "ext4";
};
} }


@ -21,11 +21,7 @@
members = [ "xin" ]; members = [ "xin" ];
}; };
immich-users = { immich-users = {
members = [ members = [ "xin" "zhuo" "ycm" ];
"xin"
"zhuo"
"ycm"
];
}; };
grafana-superadmins = { grafana-superadmins = {
members = [ "xin" ]; members = [ "xin" ];
@ -69,12 +65,7 @@
originLanding = "https://git.xinyang.life/user/oauth2/kandim"; originLanding = "https://git.xinyang.life/user/oauth2/kandim";
allowInsecureClientDisablePkce = true; allowInsecureClientDisablePkce = true;
scopeMaps = { scopeMaps = {
forgejo-access = [ forgejo-access = [ "openid" "email" "profile" "groups" ];
"openid"
"email"
"profile"
"groups"
];
}; };
claimMaps = { claimMaps = {
forgejo_role = { forgejo_role = {
@ -92,12 +83,7 @@
originLanding = "https://xinyang.life/"; originLanding = "https://xinyang.life/";
allowInsecureClientDisablePkce = true; allowInsecureClientDisablePkce = true;
scopeMaps = { scopeMaps = {
gts-users = [ gts-users = [ "openid" "email" "profile" "groups" ];
"openid"
"email"
"profile"
"groups"
];
}; };
}; };
owncloud = { owncloud = {
@ -106,11 +92,7 @@
originLanding = "https://home.xinyang.life:9201/"; originLanding = "https://home.xinyang.life:9201/";
public = true; public = true;
scopeMaps = { scopeMaps = {
ocis-users = [ ocis-users = [ "openid" "email" "profile" ];
"openid"
"email"
"profile"
];
}; };
}; };
hedgedoc = { hedgedoc = {
@ -119,11 +101,7 @@
originLanding = "https://docs.xinyang.life/auth/oauth2"; originLanding = "https://docs.xinyang.life/auth/oauth2";
allowInsecureClientDisablePkce = true; allowInsecureClientDisablePkce = true;
scopeMaps = { scopeMaps = {
hedgedoc-users = [ hedgedoc-users = [ "openid" "email" "profile" ];
"openid"
"email"
"profile"
];
}; };
}; };
immich-mobile = { immich-mobile = {
@ -132,11 +110,7 @@
originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
allowInsecureClientDisablePkce = true; allowInsecureClientDisablePkce = true;
scopeMaps = { scopeMaps = {
immich-users = [ immich-users = [ "openid" "email" "profile" ];
"openid"
"email"
"profile"
];
}; };
}; };
miniflux = { miniflux = {
@ -144,11 +118,7 @@
originUrl = "https://rss.xinyang.life/"; originUrl = "https://rss.xinyang.life/";
originLanding = "https://rss.xinyang.life/"; originLanding = "https://rss.xinyang.life/";
scopeMaps = { scopeMaps = {
miniflux-users = [ miniflux-users = [ "openid" "email" "profile" ];
"openid"
"email"
"profile"
];
}; };
}; };
grafana = { grafana = {
@ -156,12 +126,7 @@
originUrl = "https://grafana.xinyang.life/"; originUrl = "https://grafana.xinyang.life/";
originLanding = "https://grafana.xinyang.life/"; originLanding = "https://grafana.xinyang.life/";
scopeMaps = { scopeMaps = {
grafana-users = [ grafana-users = [ "openid" "email" "profile" "groups" ];
"openid"
"email"
"profile"
"groups"
];
}; };
claimMaps = { claimMaps = {
grafana_role = { grafana_role = {


@ -1,14 +1,11 @@
{ pkgs, ... }: { pkgs, ... }: {
{
networking = { networking = {
interfaces = { interfaces = {
eth0.useDHCP = true; eth0.useDHCP = true;
eth0.ipv6.addresses = [ eth0.ipv6.addresses = [{
{ address = "2a01:4f8:c17:345f::1";
address = "2a01:4f8:c17:345f::1"; prefixLength = 64;
prefixLength = 64; }];
}
];
}; };
defaultGateway6 = { defaultGateway6 = {
address = "fe80::1"; address = "fe80::1";


@ -1,24 +1,10 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
kanidm_listen_port = 5324; kanidm_listen_port = 5324;
in in
{ {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ];
80 networking.firewall.allowedUDPPorts = [ 80 443 8448 ];
443
2222
8448
];
networking.firewall.allowedUDPPorts = [
80
443
8448
];
custom.vaultwarden = { custom.vaultwarden = {
enable = true; enable = true;
@ -46,23 +32,16 @@ in
exporters.miniflux.enable = true; exporters.miniflux.enable = true;
}; };
systemd.mounts = systemd.mounts = map
map (share: {
(share: { what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; where = "/mnt/storage/${share}";
where = "/mnt/storage/${share}"; type = "cifs";
type = "cifs"; options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; before = [ "${share}.service" ];
before = [ "${share}.service" ]; after = [ "cachefilesd.service" ];
after = [ "cachefilesd.service" ]; wantedBy = [ "${share}.service" ];
wantedBy = [ "${share}.service" ]; }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ];
})
[
"forgejo"
"gotosocial"
"conduit"
"hedgedoc"
];
services.cachefilesd.enable = true; services.cachefilesd.enable = true;
@ -103,7 +82,6 @@ in
bindaddress = "[::]:${toString kanidm_listen_port}"; bindaddress = "[::]:${toString kanidm_listen_port}";
tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem''; tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
online_backup.versions = 7;
# db_path = "/var/lib/kanidm/kanidm.db"; # db_path = "/var/lib/kanidm/kanidm.db";
}; };
provision = import ./kanidm-provision.nix; provision = import ./kanidm-provision.nix;
@ -246,14 +224,11 @@ in
allow_assign_grafana_admin = true; allow_assign_grafana_admin = true;
auto_login = true; auto_login = true;
}; };
"auth" = { "auth" = { disable_login_form = true; };
disable_login_form = true;
};
}; };
}; };
systemd.services.grafana.serviceConfig.EnvironmentFile = systemd.services.grafana.serviceConfig.EnvironmentFile = config.sops.secrets.grafana_oauth_secret.path;
config.sops.secrets.grafana_oauth_secret.path;
users.users.git = { users.users.git = {
isSystemUser = true; isSystemUser = true;
@ -264,7 +239,9 @@ in
users.groups.git = { }; users.groups.git = { };
users.users = { users.users = {
${config.services.caddy.user}.extraGroups = [ config.services.ntfy-sh.group ]; ${config.services.caddy.user}.extraGroups = [
config.services.ntfy-sh.group
];
}; };
services.caddy = { services.caddy = {


@ -1,7 +1,7 @@
{ pkgs, config, ... }: { pkgs, config, ... }:
{ {
sops.secrets = { sops.secrets = {
autofs-nas = { autofs-nas = {
owner = "davfs2"; owner = "davfs2";
}; };
autofs-nas-secret = { autofs-nas-secret = {
@ -19,4 +19,4 @@
]; ];
}; };
} }


@ -1,19 +1,17 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
{ {
imports = [ ./hass.nix ]; imports = [
./hass.nix
];
commonSettings.nix.enableMirrors = true; commonSettings.nix.enableMirrors = true;
nixpkgs.overlays = [ nixpkgs.overlays = [
# Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243 # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243
(final: super: { (final: super: {
makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; }); makeModulesClosure = x:
super.makeModulesClosure (x // { allowMissing = true; });
}) })
]; ];
@ -24,7 +22,7 @@
]; ];
system.stateVersion = "24.05"; system.stateVersion = "24.05";
networking = { networking = {
hostName = "raspite"; hostName = "raspite";
useDHCP = false; useDHCP = false;


@ -1,5 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, ... }: {
{
services.home-assistant = { services.home-assistant = {
enable = true; enable = true;
extraComponents = [ extraComponents = [
@ -10,12 +9,14 @@
]; ];
openFirewall = false; openFirewall = false;
config = { config = {
default_config = { }; default_config = {};
http = { http = {
server_host = "::1"; server_host = "::1";
base_url = "raspite.local:1000"; base_url = "raspite.local:1000";
use_x_forward_for = true; use_x_forward_for = true;
trusted_proxies = [ "::1" ]; trusted_proxies = [
"::1"
];
}; };
}; };
}; };
@ -27,17 +28,16 @@
users.groups.dialout.members = config.users.groups.wheel.members; users.groups.dialout.members = config.users.groups.wheel.members;
environment.systemPackages = with pkgs; [ zigbee2mqtt ]; environment.systemPackages = with pkgs; [
zigbee2mqtt
networking.firewall.allowedTCPPorts = [
1000
1001
]; ];
networking.firewall.allowedTCPPorts = [ 1000 1001 ];
services.caddy = { services.caddy = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
# reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port} # reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
"raspite.local:1000".extraConfig = '' "raspite.local:1000".extraConfig = ''
reverse_proxy http://[::1]:8123 reverse_proxy http://[::1]:8123
''; '';


@ -1,9 +1,4 @@
{ { inputs, config, lib, ... }:
inputs,
config,
lib,
...
}:
{ {
imports = [ inputs.sops-nix.nixosModules.sops ]; imports = [ inputs.sops-nix.nixosModules.sops ];
config = { config = {
@ -16,22 +11,24 @@
owner = "root"; owner = "root";
}; };
singbox_sg_server = { singbox_sg_server = {
owner = "root"; owner = "root";
}; };
singbox_jp_server = { singbox_jp_server = {
owner = "root"; owner = "root";
}; };
singbox_password = { singbox_password = {
owner = "root"; owner = "root";
}; };
singbox_uuid = { singbox_uuid = {
owner = "root"; owner = "root";
}; };
private_dns_address = { private_dns_address = {
owner = "root"; owner = "root";
}; };
}; };
secrets.grafana_cloud_api = lib.mkIf config.services.prometheus.enable { owner = "prometheus"; }; secrets.grafana_cloud_api = lib.mkIf config.services.prometheus.enable {
owner = "prometheus";
};
}; };
}; };
} }


@ -1,11 +1,4 @@
{ { inputs, config, pkgs, lib, modulesPath, ... }:
inputs,
config,
pkgs,
lib,
modulesPath,
...
}:
with lib; with lib;
@ -26,21 +19,17 @@ with lib;
}; };
boot = { boot = {
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
initrd.availableKernelModules = [ initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
"uhci_hcd"
"ehci_pci"
"ahci"
"usb_storage"
"sd_mod"
];
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
}; };
environment.systemPackages = [ pkgs.virtiofsd ]; environment.systemPackages = [
pkgs.virtiofsd
];
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
@ -58,15 +47,13 @@ with lib;
}; };
systemd.mounts = [ systemd.mounts = [
{ { what = "immich";
what = "immich";
where = "/mnt/XinPhotos/immich"; where = "/mnt/XinPhotos/immich";
type = "virtiofs"; type = "virtiofs";
options = "rw"; options = "rw";
wantedBy = [ "immich-server.service" ]; wantedBy = [ "immich-server.service" ];
} }
{ { what = "originals";
what = "originals";
where = "/mnt/XinPhotos/originals"; where = "/mnt/XinPhotos/originals";
type = "virtiofs"; type = "virtiofs";
options = "ro,nodev,nosuid"; options = "ro,nodev,nosuid";
@ -74,10 +61,7 @@ with lib;
} }
]; ];
services.openssh.ports = [ services.openssh.ports = [ 22 2222 ];
22
2222
];
services.immich = { services.immich = {
enable = true; enable = true;
@ -106,10 +90,7 @@ with lib;
enable = true; enable = true;
package = pkgs.caddy.withPlugins { package = pkgs.caddy.withPlugins {
caddyModules = [ caddyModules = [
{ { repo = "github.com/caddy-dns/cloudflare"; version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; }
repo = "github.com/caddy-dns/cloudflare";
version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
}
]; ];
vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk="; vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk=";
}; };
@ -134,7 +115,7 @@ with lib;
}; };
time.timeZone = "Asia/Shanghai"; time.timeZone = "Asia/Shanghai";
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-label/nixos"; device = "/dev/disk/by-label/nixos";
fsType = "btrfs"; fsType = "btrfs";
@ -143,10 +124,7 @@ with lib;
fileSystems."/boot" = { fileSystems."/boot" = {
device = "/dev/sda1"; device = "/dev/sda1";
fsType = "vfat"; fsType = "vfat";
options = [ options = [ "fmask=0022" "dmask=0022" ];
"fmask=0022"
"dmask=0022"
];
}; };
system.stateVersion = "24.11"; system.stateVersion = "24.11";


@ -1,4 +1,4 @@
{ config, lib, ... }: { config, pkgs, lib, ... }:
with lib; with lib;
let let
@ -25,7 +25,6 @@ in
window = { window = {
resize_increments = true; resize_increments = true;
dynamic_padding = true; dynamic_padding = true;
decorations = "none";
}; };
}; };
}; };


@ -1,19 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.custom-hm.cosmic-term;
in
{
options.custom-hm.cosmic-term = {
enable = mkEnableOption "cosmic-term";
};
config = mkIf cfg.enable { home.packages = [ pkgs.cosmic-term ]; };
}


@ -1,7 +1,6 @@
{ {
imports = [ imports = [
./alacritty.nix ./alacritty.nix
./cosmic-term.nix
./direnv.nix ./direnv.nix
./fish.nix ./fish.nix
./git.nix ./git.nix


@ -24,7 +24,6 @@ in
direnv = { direnv = {
enable = true; enable = true;
stdlib = changeCacheDir; stdlib = changeCacheDir;
nix-direnv.enable = true;
}; };
}; };
}; };


@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
with lib; with lib;
@ -15,12 +10,7 @@ in
enable = mkEnableOption "fish"; enable = mkEnableOption "fish";
plugins = mkOption { plugins = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ default = [ "pisces" "done" "hydro" "grc" ];
"pisces"
"done"
"hydro"
"grc"
];
}; };
functions = { functions = {
enable = mkOption { enable = mkOption {
@ -40,65 +30,40 @@ in
home.packages = [ pkgs.grc ]; home.packages = [ pkgs.grc ];
programs.fish = { programs.fish = {
enable = true; enable = true;
plugins = plugins = with pkgs; (filter (
with pkgs; e: hasAttr e.name (builtins.listToAttrs # { "xxx" = true; }
(filter (map (p: { name = p; value = true; }) cfg.plugins) # { name = "xxx"; value = true; }
( )) [
e: { name = "pisces";
hasAttr e.name ( src = fishPlugins.pisces.src;
builtins.listToAttrs # { "xxx" = true; } }
( { name = "done";
map (p: { src = fishPlugins.done.src;
name = p; }
value = true; { name = "hydro";
}) cfg.plugins src = fishPlugins.hydro.src;
) # { name = "xxx"; value = true; } }
) { name = "grc";
) src = fishPlugins.grc.src;
[ }
{ ]);
name = "pisces"; interactiveShellInit = let
src = fishPlugins.pisces.src; extraInit = if cfg.functions.enable then ''
} ${pkgs.nix-your-shell}/bin/nix-your-shell fish | source
{ function fish_right_prompt
name = "done"; if test -n "$IN_NIX_SHELL"
src = fishPlugins.done.src; echo -n "<nix-shell>"
} else if test $SHLVL -ge 3
{ echo -n "<🚀lv$SHLVL>"
name = "hydro"; end
src = fishPlugins.hydro.src; end
} function fish_command_not_found
{ ${pkgs.comma}/bin/comma $argv
name = "grc"; end
src = fishPlugins.grc.src; '' else "";
} in ''
] fish_config prompt choose arrow
); '' + extraInit;
interactiveShellInit =
let
extraInit =
if cfg.functions.enable then
''
${pkgs.nix-your-shell}/bin/nix-your-shell fish | source
function fish_right_prompt
if test -n "$IN_NIX_SHELL"
echo -n "<nix-shell>"
else if test $SHLVL -ge 3
echo -n "<🚀lv$SHLVL>"
end
end
function fish_command_not_found
${pkgs.comma}/bin/comma $argv
end
set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha)
''
else
"";
in
''
fish_config prompt choose default
''
+ extraInit;
functions = mkIf cfg.functions.enable { functions = mkIf cfg.functions.enable {
gitignore = "curl -sL https://www.gitignore.io/api/$argv"; gitignore = "curl -sL https://www.gitignore.io/api/$argv";
}; };
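Review bot: The plugin filter on the new side builds an attrset with `builtins.listToAttrs (map (p: { name = p; value = true; }) cfg.plugins)` only to test membership with `hasAttr`, which is exactly what `builtins.elem` does: `plugins = with pkgs; filter (e: builtins.elem e.name cfg.plugins) [ … ];` drops the detour and the two inline comments that exist to explain it. The `fish_command_not_found` function hands every unknown command to `comma`; that is pre-existing behaviour, but it deserves a comment saying so, e.g. `# unknown commands are resolved by comma, which fetches and runs the matching nixpkgs package`, because it is not obvious from the shell snippet. The enclosing `programs.fish` block ends outside the hunk.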


@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
with lib; with lib;
@ -37,12 +32,16 @@ in
d = "diff"; d = "diff";
s = "status"; s = "status";
}; };
signing = mkIf cfg.signing.enable { signing = mkIf cfg.signing.enable {
signByDefault = true; signByDefault = true;
key = cfg.signing.keyFile; key = cfg.signing.keyFile;
}; };
extraConfig.user = mkIf cfg.signing.enable { signingkey = cfg.signing.keyFile; }; extraConfig.user = mkIf cfg.signing.enable {
extraConfig.gpg = mkIf cfg.signing.enable { format = "ssh"; }; signingkey = cfg.signing.keyFile;
};
extraConfig.gpg = mkIf cfg.signing.enable {
format = "ssh";
};
}; };
}; };
} }


@ -1 +1 @@
{ } {}


@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
inherit (lib) mkIf mkEnableOption getExe; inherit (lib) mkIf mkEnableOption getExe;
cfg = config.custom-hm.neovim; cfg = config.custom-hm.neovim;
@ -18,10 +13,7 @@ in
enable = mkEnableOption "neovim configurations"; enable = mkEnableOption "neovim configurations";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
home.packages = with pkgs; [ home.packages = with pkgs; [ nixvim neovide ];
nixvim
neovide
];
programs.neovim.enable = false; programs.neovim.enable = false;
home.file.".config/neovide/config.toml" = { home.file.".config/neovide/config.toml" = {
source = tomlFormat.generate "neovide-config" neovideConfig; source = tomlFormat.generate "neovide-config" neovideConfig;


@ -1,10 +1,4 @@
{ { inputs, config, lib, pkgs, ... }:
inputs,
config,
lib,
pkgs,
...
}:
with lib; with lib;
let let
@ -12,10 +6,7 @@ let
packages = { packages = {
nixPackages = { nixPackages = {
systemPackages = with pkgs; [ systemPackages = with pkgs; [ nixd nixpkgs-fmt ];
nixd
nixpkgs-fmt
];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
jnoortheen.nix-ide jnoortheen.nix-ide
]; ];
@ -26,15 +17,10 @@ let
}; };
}; };
cxxPackages = { cxxPackages = {
systemPackages = with pkgs; [ systemPackages = with pkgs; [ clang-tools cmake-format ];
clang-tools
cmake-format
];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
llvm-vs-code-extensions.vscode-clangd llvm-vs-code-extensions.vscode-clangd
(ms-vscode.cmake-tools.overrideAttrs (_: { (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; }))
sourceRoot = "extension";
}))
twxs.cmake twxs.cmake
ms-vscode.cpptools ms-vscode.cpptools
]; ];
@ -57,10 +43,7 @@ let
settings = { }; settings = { };
}; };
scalaPackages = { scalaPackages = {
systemPackages = with pkgs; [ systemPackages = with pkgs; [ coursier metals ];
coursier
metals
];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
scala-lang.scala scala-lang.scala
scalameta.metals scalameta.metals
@ -78,56 +61,20 @@ let
{ {
"name" = "xelatex"; "name" = "xelatex";
"command" = "xelatex"; "command" = "xelatex";
"args" = [ "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ];
"-synctex=1"
"-interaction=nonstopmode"
"-file-line-error"
"%DOCFILE%"
];
} }
{ {
"name" = "pdflatex"; "name" = "pdflatex";
"command" = "pdflatex"; "command" = "pdflatex";
"args" = [ "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ];
"-synctex=1"
"-interaction=nonstopmode"
"-file-line-error"
"%DOCFILE%"
];
}
{
"name" = "bibtex";
"command" = "bibtex";
"args" = [ "%DOCFILE%" ];
} }
{ "name" = "bibtex"; "command" = "bibtex"; "args" = [ "%DOCFILE%" ]; }
]; ];
"latex-workshop.latex.recipes" = [ "latex-workshop.latex.recipes" = [
{ { "name" = "xelatex"; "tools" = [ "xelatex" ]; }
"name" = "xelatex"; { "name" = "pdflatex"; "tools" = [ "pdflatex" ]; }
"tools" = [ "xelatex" ]; { "name" = "xe->bib->xe->xe"; "tools" = [ "xelatex" "bibtex" "xelatex" "xelatex" ]; }
} { "name" = "pdf->bib->pdf->pdf"; "tools" = [ "pdflatex" "bibtex" "pdflatex" "pdflatex" ]; }
{
"name" = "pdflatex";
"tools" = [ "pdflatex" ];
}
{
"name" = "xe->bib->xe->xe";
"tools" = [
"xelatex"
"bibtex"
"xelatex"
"xelatex"
];
}
{
"name" = "pdf->bib->pdf->pdf";
"tools" = [
"pdflatex"
"bibtex"
"pdflatex"
"pdflatex"
];
}
]; ];
"[latex]" = { "[latex]" = {
"editor.formatOnPaste" = false; "editor.formatOnPaste" = false;
@ -141,15 +88,9 @@ let
}; };
llmExtensions = [ pkgs.vscode-extensions.continue.continue ]; llmExtensions = [ pkgs.vscode-extensions.continue.continue ];
languages = [ languages = [ "nix" "cxx" "python" "scala" "latex" ];
"nix" zipAttrsWithLanguageOption = (attr:
"cxx" (map (l: (lib.mkIf cfg.languages.${l} packages."${l}Packages".${attr})) languages)
"python"
"scala"
"latex"
];
zipAttrsWithLanguageOption = (
attr: (map (l: (lib.mkIf cfg.languages.${l} packages."${l}Packages".${attr})) languages)
); );
in in
{ {
@ -170,71 +111,64 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
home.packages = lib.mkMerge ( home.packages = lib.mkMerge ([
[ [ pkgs.clang-tools ]
[ pkgs.clang-tools ] (mkIf cfg.llm [ pkgs.ollama ])
(mkIf cfg.llm [ pkgs.ollama ]) ] ++ zipAttrsWithLanguageOption "systemPackages");
]
++ zipAttrsWithLanguageOption "systemPackages"
);
programs.vscode = { programs.vscode = {
enable = true; enable = true;
package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; }; package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; };
enableUpdateCheck = false; enableUpdateCheck = false;
enableExtensionUpdateCheck = false; enableExtensionUpdateCheck = false;
mutableExtensionsDir = false; mutableExtensionsDir = false;
extensions = lib.mkMerge ( extensions = lib.mkMerge ([
[ (with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
(with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ mkhl.direnv
mkhl.direnv
ms-azuretools.vscode-docker ms-azuretools.vscode-docker
ms-vscode-remote.remote-ssh ms-vscode-remote.remote-ssh
vscodevim.vim vscodevim.vim
github.vscode-pull-request-github github.vscode-pull-request-github
gruntfuggly.todo-tree # todo highlight gruntfuggly.todo-tree # todo highlight
# Markdown # Markdown
davidanson.vscode-markdownlint davidanson.vscode-markdownlint
# Latex # Latex
# Scale / chisel # Scale / chisel
sterben.fpga-support sterben.fpga-support
ms-vscode-remote.remote-ssh-edit ms-vscode-remote.remote-ssh-edit
mushan.vscode-paste-image mushan.vscode-paste-image
]) ])
(with pkgs.vscode-extensions; [ (with pkgs.vscode-extensions; [
waderyan.gitblame waderyan.gitblame
catppuccin.catppuccin-vsc catppuccin.catppuccin-vsc
# Rust # Rust
rust-lang.rust-analyzer rust-lang.rust-analyzer
]) ])
(mkIf cfg.llm llmExtensions) (mkIf cfg.llm llmExtensions)
] ] ++ zipAttrsWithLanguageOption "extension");
++ zipAttrsWithLanguageOption "extension" userSettings = lib.mkMerge ([
); {
userSettings = lib.mkMerge ( "workbench.colorTheme" = "Catppuccin Macchiato";
[ "terminal.integrated.sendKeybindingsToShell" = true;
{ "extensions.ignoreRecommendations" = true;
"workbench.colorTheme" = "Catppuccin Macchiato"; "files.autoSave" = "afterDelay";
"terminal.integrated.sendKeybindingsToShell" = true; "editor.inlineSuggest.enabled" = true;
"extensions.ignoreRecommendations" = true; "editor.rulers" = [
"files.autoSave" = "afterDelay"; 80
"editor.inlineSuggest.enabled" = true; ];
"editor.rulers" = [ 80 ]; "editor.mouseWheelZoom" = true;
"editor.mouseWheelZoom" = true; "git.autofetch" = false;
"git.autofetch" = false; "window.zoomLevel" = -1;
"window.zoomLevel" = -1;
"extensions.experimental.affinity" = { "extensions.experimental.affinity" = {
"vscodevim.vim" = 1; "vscodevim.vim" = 1;
}; };
} }
] ] ++ zipAttrsWithLanguageOption "settings");
++ zipAttrsWithLanguageOption "settings"
);
}; };
home.file.".continue/config.json".text = lib.generators.toJSON { } { home.file.".continue/config.json".text = lib.generators.toJSON { } {
@ -246,7 +180,7 @@ in
} }
]; ];
tabAutocompleteModel = { tabAutocompleteModel = {
model = "deepseek-coder:6.7b-base"; model ="deepseek-coder:6.7b-base";
provider = "ollama"; provider = "ollama";
title = "codegemma"; title = "codegemma";
}; };
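Review bot: The new side writes `model ="deepseek-coder:6.7b-base";` without the space after `=`, which is the only change in this hunk and breaks the spacing used on every other line; it should stay `model = "deepseek-coder:6.7b-base";`. While here, the entry's `title = "codegemma";` no longer describes the model it names, so the Continue UI label is misleading; `title = "deepseek-coder";` would keep it honest. The `tabAutocompleteModel` attrset is inside the hunk but the enclosing `.continue/config.json` definition starts outside it.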


@ -1,4 +1,4 @@
{ config, lib, ... }: { config, pkgs, lib, ... }:
with lib; with lib;
@ -14,22 +14,20 @@ in
enable = true; enable = true;
settings = { settings = {
default_shell = "fish"; default_shell = "fish";
keybinds = {
unbind = [
"Ctrl p"
"Ctrl n"
];
shared_except = {
_args = [ "pane" "locked" ];
bind = {
_args = [ "Ctrl b"];
SwitchToMode = "Pane";
};
};
};
}; };
}; };
xdg.configFile."zellij/config.kdl".text = ''
keybinds {
shared_except "pane" "locked" {
bind "Ctrl b" { SwitchToMode "Pane"; }
}
shared_except "locked" {
bind "Ctrl h" { MoveFocusOrTab "Left"; }
bind "Ctrl l" { MoveFocusOrTab "Right"; }
bind "Ctrl j" { MoveFocus "Down"; }
bind "Ctrl k" { MoveFocus "Up"; }
unbind "Alt h" "Alt l" "Alt j" "Alt k"
}
unbind "Ctrl p" "Ctrl n"
}
'';
}; };
} }
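Review bot: `_args = [ "Ctrl b"];` in the `bind` node omits the space before `]` that the neighbouring `_args = [ "pane" "locked" ];` uses; the two lines should be written the same way. How `unbind = [ "Ctrl p" "Ctrl n" ];` is rendered (one `unbind` node with two arguments or two repeated nodes) depends on home-manager's KDL serializer, which the hunk does not show, so a short comment such as `# list values are rendered by home-manager's KDL generator — check the generated config.kdl once` would tell the next reader what to verify. The enclosing `programs.zellij` block starts outside the hunk.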


@ -1,17 +1,7 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
inherit (lib) inherit (lib) mkIf mkEnableOption mkOption types;
mkIf
mkEnableOption
mkOption
types
;
cfg = config.commonSettings.auth; cfg = config.commonSettings.auth;
in in
@ -48,3 +38,4 @@ in
}; };
}; };
} }


@ -1,17 +1,7 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
inherit (lib) inherit (lib) mkIf mkEnableOption mkOption types;
mkIf
mkEnableOption
mkOption
types
;
cfg = config.commonSettings.nix; cfg = config.commonSettings.nix;
in in
@ -43,10 +33,7 @@ in
nix.optimise.automatic = true; nix.optimise.automatic = true;
nix.settings = { nix.settings = {
experimental-features = [ experimental-features = [ "nix-command" "flakes" ];
"nix-command"
"flakes"
];
auto-optimise-store = true; auto-optimise-store = true;
trusted-users = [ "root" ]; trusted-users = [ "root" ];
@ -65,7 +52,10 @@ in
"xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y=" "xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y="
]; ];
secret-key-files = mkIf cfg.signing.enable [ cfg.signing.keyFile ]; secret-key-files = mkIf cfg.signing.enable [
cfg.signing.keyFile
];
}; };
}; };
} }


@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.custom.forgejo-actions-runner; cfg = config.custom.forgejo-actions-runner;
in in
@ -11,7 +6,9 @@ in
options = { options = {
custom.forgejo-actions-runner = { custom.forgejo-actions-runner = {
enable = lib.mkEnableOption "TPM supported ssh agent in go"; enable = lib.mkEnableOption "TPM supported ssh agent in go";
tokenFile = lib.mkOption { type = lib.types.path; }; tokenFile = lib.mkOption {
type = lib.types.path;
};
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
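Review bot: `enable = lib.mkEnableOption "TPM supported ssh agent in go";` describes a different module — this option enables the Forgejo Actions runner, so the generated option documentation is wrong; `enable = lib.mkEnableOption "Forgejo Actions runner";`. `tokenFile` has no `description` either, and since it points at a registration token the reader should be told what belongs there, e.g. `description = "Path to a file containing the runner registration token; the file is read at runtime, not copied into the Nix store.";` — the second half is an assumption about how the module consumes the path, which the hunk does not show. The module's `config` block begins on the hunk's last line and continues outside it.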


@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
with lib; with lib;
@ -31,12 +26,22 @@ in
}; };
oidc = { oidc = {
enable = mkEnableOption "OIDC support for HedgeDoc"; enable = mkEnableOption "OIDC support for HedgeDoc";
baseURL = mkOption { type = types.str; }; baseURL = mkOption {
authorizationURL = mkOption { type = types.str; }; type = types.str;
tokenURL = mkOption { type = types.str; }; };
userProfileURL = mkOption { type = types.str; }; authorizationURL = mkOption {
type = types.str;
};
tokenURL = mkOption {
type = types.str;
};
userProfileURL = mkOption {
type = types.str;
};
};
environmentFile = mkOption {
type = types.path;
}; };
environmentFile = mkOption { type = types.path; };
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
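Review bot: None of the `oidc` options on the new side (`baseURL`, `authorizationURL`, `tokenURL`, `userProfileURL`) nor `environmentFile` carries a `description`, so the generated option documentation says nothing about them. A one-line `description` on each, and for `environmentFile` a statement of its purpose such as `description = "Environment file providing the OIDC client secret so it stays out of the Nix store.";`, would document the contract — whether the module actually passes the secret this way is decided outside the hunk. The `config` block begins on the hunk's last line and continues outside it.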


@ -1,16 +1,19 @@
{ config, lib, ... }: { config
, lib
, ... }:
let let
cfg = config.custom.sing-box-server; cfg = config.custom.sing-box-server;
secretFileType = lib.types.submodule { _secret = lib.types.path; }; secretFileType = lib.types.submodule {
_secret = lib.types.path;
};
singTls = { singTls = {
enabled = true; enabled = true;
server_name = config.deployment.targetHost; server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path = certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
}; };
in in
{ {
options = { options = {
enable = lib.mkEnableOption "sing-box proxy server"; enable = lib.mkEnableOption "sing-box proxy server";
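Review bot: `secretFileType = lib.types.submodule { _secret = lib.types.path; };` does not declare an option: a module attrset with no `options`/`config`/`imports` key is read as configuration, so `_secret` is being assigned a type value instead of declared, and evaluating a `password` or `uuid` value of this type should fail with an undefined-option error (inferred from the module system's rules; the evaluation is not on the page). The intended declaration is most likely `secretFileType = lib.types.submodule { options._secret = lib.mkOption { type = lib.types.path; }; };`. The line predates this change but the new side keeps it. The `options` attrset begins on the hunk's last lines and continues outside it.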
@ -19,11 +22,17 @@ in
type = lib.types.str; type = lib.types.str;
default = "proxy"; default = "proxy";
}; };
password = lib.mkOption { type = secretFileType; }; password = lib.mkOption {
uuid = lib.mkOption { type = secretFileType; }; type = secretFileType;
};
uuid = lib.mkOption {
type = secretFileType;
};
}; };
wgOut = { wgOut = {
privKeyFile = lib.mkOption { type = lib.types.path; }; privKeyFile = lib.mkOption {
type = lib.types.path;
};
pubkey = lib.mkOption { pubkey = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; default = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
@ -64,19 +73,17 @@ in
} }
]; ];
}; };
inbounds = inbounds = [
[ # TODO: Trojan and tuic enable
# TODO: Trojan and tuic enable {
{ tag = "trojan-in";
tag = "trojan-in"; type = "trojan";
type = "trojan"; listen = "::";
listen = "::"; listen_port = 8080;
listen_port = 8080; users = map (u: removeAttrs u [ "uuid" ]) cfg.users;
users = map (u: removeAttrs u [ "uuid" ]) cfg.users; tls = singTls;
tls = singTls; }
} ] ++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: {
]
++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: {
tag = "tuic-in" + toString port; tag = "tuic-in" + toString port;
type = "tuic"; type = "tuic";
listen = "::"; listen = "::";
@ -95,40 +102,25 @@ in
"2606:4700:110:82ed:a443:3c62:6cbc:b59b/128" "2606:4700:110:82ed:a443:3c62:6cbc:b59b/128"
]; ];
peers = [ peers = [
{ { public_key= cfg.wgOut.pubkey;
public_key = cfg.wgOut.pubkey; allowed_ips = [ "0.0.0.0/0" "::/0" ];
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1"; server = "162.159.192.1";
server_port = 500; server_port = 500;
} }
]; ];
} }
{ { type = "direct"; tag = "direct-out"; }
type = "direct"; { type = "dns"; tag = "dns-out"; }
tag = "direct-out";
}
{
type = "dns";
tag = "dns-out";
}
]; ];
route = { route = {
rules = rules = [
[ { outbound = "dns-out"; protocol = "dns"; }
{ ] ++ lib.forEach cfg.tuic.directPorts (port: {
outbound = "dns-out"; inbound = "tuic-in" + toString port;
protocol = "dns"; outbound = "direct-out";
} });
]
++ lib.forEach cfg.tuic.directPorts (port: {
inbound = "tuic-in" + toString port;
outbound = "direct-out";
});
}; };
}; };
}; };
}; };
} }


@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
with lib; with lib;
let let
@ -32,29 +27,31 @@ in
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [ ];
}; };
uri = mkOption { type = types.str; }; uri = mkOption {
type = types.str;
};
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.kanidm = mkMerge [ services.kanidm = mkMerge
(mkIf cfg.enable { [ (mkIf cfg.enable {
enableClient = true; enableClient = true;
clientSettings = { clientSettings = {
uri = cfg.uri; uri = cfg.uri;
}; };
}) })
(mkIf cfg.asSSHAuth.enable { (mkIf cfg.asSSHAuth.enable {
enablePam = true; enablePam = true;
unixSettings = { unixSettings = {
pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups; pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
default_shell = "/bin/sh"; default_shell = "/bin/sh";
}; };
}) })
]; ];
services.openssh = mkIf cfg.asSSHAuth.enable { services.openssh = mkIf cfg.asSSHAuth.enable {
enable = true; enable = true;
authorizedKeysCommand = "/etc/ssh/auth %u"; authorizedKeysCommand = "/etc/ssh/auth %u";
authorizedKeysCommandUser = "kanidm-ssh-runner"; authorizedKeysCommandUser = "kanidm-ssh-runner";
settings = mkIf cfg.asSSHAuth.enable { settings = mkIf cfg.asSSHAuth.enable {
PasswordAuthentication = false; PasswordAuthentication = false;
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;
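Review bot: `services.kanidm = mkMerge [ (mkIf cfg.enable { … }) … ]` wraps its first element in `mkIf cfg.enable` although the whole `config` is already under `mkIf cfg.enable` a few lines up, and `settings = mkIf cfg.asSSHAuth.enable { … }` repeats the condition that already guards `services.openssh`; both inner `mkIf`s can be removed without changing the result. Because `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` are set alongside `authorizedKeysCommand = "/etc/ssh/auth %u";`, every SSH login appears to depend on the kanidm client answering that command, which is worth a comment so nobody locks themselves out, e.g. `# with password and keyboard-interactive auth off, all logins are gated by the kanidm authorized-keys command`. The `config` block starts inside the hunk and ends outside it.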
@ -73,10 +70,8 @@ in
}; };
users.groups.wheel.members = cfg.sudoers; users.groups.wheel.members = cfg.sudoers;
users.groups.kanidm-ssh-runner = { }; users.groups.kanidm-ssh-runner = { };
users.users.kanidm-ssh-runner = { users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; };
isSystemUser = true;
group = "kanidm-ssh-runner";
};
}; };
} }


@ -1,19 +1,6 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
inherit (lib) inherit (lib) mkEnableOption mkPackageOption mkOption types literalExpression mkIf mkDefault;
mkEnableOption
mkPackageOption
mkOption
types
literalExpression
mkIf
mkDefault
;
cfg = config.custom.miniflux; cfg = config.custom.miniflux;
defaultAddress = "localhost:8080"; defaultAddress = "localhost:8080";
@ -31,15 +18,12 @@ in
package = mkPackageOption pkgs "miniflux" { }; package = mkPackageOption pkgs "miniflux" { };
oauth2SecretFile = mkOption { type = types.path; }; oauth2SecretFile = mkOption {
type = types.path;
};
environment = mkOption { environment = mkOption {
type = type = with types; attrsOf (oneOf [ int str ]);
with types;
attrsOf (oneOf [
int
str
]);
}; };
createDatabaseLocally = mkOption { createDatabaseLocally = mkOption {
@ -66,22 +50,17 @@ in
services.postgresql = lib.mkIf cfg.createDatabaseLocally { services.postgresql = lib.mkIf cfg.createDatabaseLocally {
enable = true; enable = true;
ensureUsers = [ ensureUsers = [{
{ name = "miniflux";
name = "miniflux"; ensureDBOwnership = true;
ensureDBOwnership = true; }];
}
];
ensureDatabases = [ "miniflux" ]; ensureDatabases = [ "miniflux" ];
}; };
systemd.services.miniflux-dbsetup = lib.mkIf cfg.createDatabaseLocally { systemd.services.miniflux-dbsetup = lib.mkIf cfg.createDatabaseLocally {
description = "Miniflux database setup"; description = "Miniflux database setup";
requires = [ "postgresql.service" ]; requires = [ "postgresql.service" ];
after = [ after = [ "network.target" "postgresql.service" ];
"network.target"
"postgresql.service"
];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = config.services.postgresql.superUser; User = config.services.postgresql.superUser;
@ -93,12 +72,8 @@ in
description = "Miniflux service"; description = "Miniflux service";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = lib.optional cfg.createDatabaseLocally "miniflux-dbsetup.service"; requires = lib.optional cfg.createDatabaseLocally "miniflux-dbsetup.service";
after = after = [ "network.target" ]
[ "network.target" ] ++ lib.optionals cfg.createDatabaseLocally [ "postgresql.service" "miniflux-dbsetup.service" ];
++ lib.optionals cfg.createDatabaseLocally [
"postgresql.service"
"miniflux-dbsetup.service"
];
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
@ -129,19 +104,12 @@ in
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
RestrictAddressFamilies = [ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ SystemCallFilter = [ "@system-service" "~@privileged" ];
"@system-service"
"~@privileged"
];
UMask = "0077"; UMask = "0077";
}; };


@ -1,20 +1,10 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
inherit (lib) inherit (lib) mkIf mkEnableOption mkOption types;
mkIf
mkEnableOption
mkOption
types
;
cfg = config.programs.oidc-agent; cfg = config.programs.oidc-agent;
providerFormat = pkgs.formats.json { }; providerFormat = pkgs.formats.json {};
in in
{ {
options.programs.oidc-agent = { options.programs.oidc-agent = {
@ -28,7 +18,7 @@ in
}; };
providers = mkOption { providers = mkOption {
type = providerFormat.type; type = providerFormat.type;
default = { }; default = {};
description = '' description = ''
Configuration of providers which contains a json array of json objects Configuration of providers which contains a json array of json objects
each describing an issuer, see https://indigo-dc.gitbook.io/oidc-agent/configuration/issuers each describing an issuer, see https://indigo-dc.gitbook.io/oidc-agent/configuration/issuers


@ -1,9 +1,4 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
cfg = config.custom.prometheus; cfg = config.custom.prometheus;
in in
@ -13,7 +8,7 @@ in
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
configFile = pkgs.writeText "blackbox.config.yaml" ( configFile = pkgs.writeText "blackbox.config.yaml" (
lib.generators.toYAML { } { lib.generators.toYAML {} {
modules = { modules = {
tcp4_connect = { tcp4_connect = {
prober = "tcp"; prober = "tcp";
@ -30,7 +25,7 @@ in
}; };
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
{ {
job_name = "blackbox"; job_name = "blackbox";
scrape_interval = "1m"; scrape_interval = "1m";
metrics_path = "/probe"; metrics_path = "/probe";
@ -78,13 +73,8 @@ in
alert = "HighProbeLatency"; alert = "HighProbeLatency";
expr = "probe_duration_seconds > 0.5"; expr = "probe_duration_seconds > 0.5";
for = "2m"; for = "2m";
labels = { labels = { severity = "warning"; };
severity = "warning"; annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; };
};
annotations = {
summary = "High request latency on {{ $labels.instance }}";
description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes.";
};
} }
]; ];
} }


@ -13,7 +13,9 @@ in
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
{ {
job_name = "caddy"; job_name = "caddy";
static_configs = [ { targets = [ "127.0.0.1:2019" ]; } ]; static_configs = [
{ targets = [ "127.0.0.1:2019" ]; }
];
} }
]; ];
@ -25,12 +27,8 @@ in
alert = "UpstreamHealthy"; alert = "UpstreamHealthy";
expr = "caddy_reverse_proxy_upstreams_healthy != 1"; expr = "caddy_reverse_proxy_upstreams_healthy != 1";
for = "5m"; for = "5m";
labels = { labels = { severity = "critical"; };
severity = "critical"; annotations = { summary = "Upstream {{ $labels.unstream }} not healthy"; };
};
annotations = {
summary = "Upstream {{ $labels.unstream }} not healthy";
};
} }
]; ];
} }
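Review bot: The `UpstreamHealthy` alert summary interpolates `{{ $labels.unstream }}`, which is not a label on `caddy_reverse_proxy_upstreams_healthy`, so the notification will render with an empty upstream name; Caddy labels that gauge with `upstream`, so the line should read `summary = "Upstream {{ $labels.upstream }} not healthy";`. The alert name also describes the healthy state while the expression `caddy_reverse_proxy_upstreams_healthy != 1` fires on the unhealthy one, so a name such as `UpstreamUnhealthy` would read correctly in the pager. Both are pre-existing; this hunk only reformats the file.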


@ -1,31 +1,26 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
with lib; with lib;
let let
cfg = config.custom.prometheus; cfg = config.custom.prometheus;
mkExporterOption = mkExporterOption = enableOption: (mkOption {
enableOption: type = types.bool;
(mkOption { default = enableOption;
type = types.bool; description = "Enable this exporter";
default = enableOption; });
description = "Enable this exporter";
});
mkRulesOption = mkOption { mkRulesOption = mkOption {
type = types.listOf ( type = types.listOf (types.submodule {
types.submodule { options = {
options = { name = mkOption {
name = mkOption { type = lib.types.str; }; type = lib.types.str;
rules = mkOption { type = lib.types.listOf lib.types.attrs; };
}; };
} rules = mkOption {
); type = lib.types.listOf lib.types.attrs;
};
};
});
}; };
in in
{ {
@ -59,172 +54,153 @@ in
}; };
grafana = { grafana = {
enable = mkEnableOption "Grafana Cloud"; enable = mkEnableOption "Grafana Cloud";
password_file = mkOption { type = types.path; }; password_file = mkOption {
type = types.path;
};
}; };
ruleModules = mkRulesOption; ruleModules = mkRulesOption;
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable
services.tailscale = { {
enable = true; services.tailscale = {
permitCertUid = config.services.caddy.user;
openFirewall = true;
};
services.caddy = {
enable = true;
virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.prometheus.port}
'';
};
services.prometheus = mkIf cfg.enable {
enable = true;
port = 9091;
globalConfig.external_labels = {
hostname = config.networking.hostName;
};
remoteWrite = mkIf cfg.grafana.enable [
{
name = "grafana";
url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push";
basic_auth = {
username = "1340065";
password_file = cfg.grafana.password_file;
};
}
];
exporters = {
node = {
enable = true;
enabledCollectors = [
"loadavg"
"time"
"systemd"
];
listenAddress = "127.0.0.1";
port = 9100;
};
};
scrapeConfigs = [
{
job_name = "prometheus";
static_configs = [ { targets = [ "localhost:${toString config.services.prometheus.port}" ]; } ];
}
{
job_name = "node";
static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
];
}
];
alertmanager = {
enable = true; enable = true;
listenAddress = "127.0.0.1"; permitCertUid = config.services.caddy.user;
logLevel = "debug"; openFirewall = true;
configuration = { };
route = {
receiver = "ntfy"; services.caddy = {
}; enable = true;
receivers = [ virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.prometheus.port}
'';
};
services.prometheus = mkIf cfg.enable
{
enable = true;
port = 9091;
globalConfig.external_labels = { hostname = config.networking.hostName; };
remoteWrite = mkIf cfg.grafana.enable [
{ {
name = "ntfy"; name = "grafana";
webhook_configs = [ url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push";
basic_auth = {
username = "1340065";
password_file = cfg.grafana.password_file;
};
}
];
exporters = {
node = {
enable = true;
enabledCollectors = [
"loadavg"
"time"
"systemd"
];
listenAddress = "127.0.0.1";
port = 9100;
};
};
scrapeConfigs = [
{
job_name = "prometheus";
static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.port}" ]; }
];
}
{
job_name = "node";
static_configs = [
{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }
];
}
];
alertmanager = {
enable = true;
listenAddress = "127.0.0.1";
logLevel = "debug";
configuration = {
route = {
receiver = "ntfy";
};
receivers = [
{ {
url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL '' name = "ntfy";
Alert {{.status}} webhook_configs = [
{{range .alerts}}-----{{range $k,$v := .labels}} {
{{$k}}={{$v}}{{end}} url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL ''
{{end}} Alert {{.status}}
''}"; {{range .alerts}}-----{{range $k,$v := .labels}}
send_resolved = true; {{$k}}={{$v}}{{end}}
{{end}}
''}";
send_resolved = true;
}
];
}
];
};
};
alertmanagers = [
{
scheme = "http";
static_configs = [
{
targets = [
"${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}"
];
} }
]; ];
} }
]; ];
rules = [ (lib.generators.toYAML { } { groups = cfg.ruleModules; }) ];
}; };
}; custom.prometheus.ruleModules = [
alertmanagers = [
{ {
scheme = "http"; name = "system_alerts";
static_configs = [ rules = [
{ {
targets = [ alert = "SystemdFailedUnits";
"${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}" expr = "node_systemd_unit_state{state=\"failed\"} > 0";
]; for = "5m";
labels = { severity = "critical"; };
annotations = { summary = "Systemd has failed units on {{ $labels.instance }}"; description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!"; };
}
{
alert = "HighLoadAverage";
expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})";
for = "1m";
labels = { severity = "warning"; };
annotations = { summary = "High load average detected on {{ $labels.instance }}"; description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; };
}
{
alert = "HighTransmitTraffic";
expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000";
for = "1m";
labels = { severity = "warning"; };
annotations = { summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; };
}
{
alert = "NetworkTrafficExceedLimit";
expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200'';
for = "0m";
labels = { severity = "critical"; };
annotations = { summary = "Outbound network traffic exceed 300GB for last 30 day"; };
}
{
alert = "JobDown";
expr = "up == 0";
for = "1m";
labels = { severity = "critical"; };
annotations = { summary = "Job {{ $labels.job }} down for 1m."; };
} }
]; ];
} }
]; ];
rules = [ (lib.generators.toYAML { } { groups = cfg.ruleModules; }) ];
}; };
custom.prometheus.ruleModules = [
{
name = "system_alerts";
rules = [
{
alert = "SystemdFailedUnits";
expr = "node_systemd_unit_state{state=\"failed\"} > 0";
for = "5m";
labels = {
severity = "critical";
};
annotations = {
summary = "Systemd has failed units on {{ $labels.instance }}";
description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!";
};
}
{
alert = "HighLoadAverage";
expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})";
for = "1m";
labels = {
severity = "warning";
};
annotations = {
summary = "High load average detected on {{ $labels.instance }}";
description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs.";
};
}
{
alert = "HighTransmitTraffic";
expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000";
for = "1m";
labels = {
severity = "warning";
};
annotations = {
summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})";
description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute.";
};
}
{
alert = "NetworkTrafficExceedLimit";
expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200'';
for = "0m";
labels = {
severity = "critical";
};
annotations = {
summary = "Outbound network traffic exceed 300GB for last 30 day";
};
}
{
alert = "JobDown";
expr = "up == 0";
for = "1m";
labels = {
severity = "critical";
};
annotations = {
summary = "Job {{ $labels.job }} down for 1m.";
};
}
];
}
];
};
} }


@ -10,7 +10,9 @@ in
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
{ {
job_name = "gotosocial"; job_name = "gotosocial";
static_configs = [ { targets = [ "localhost:8080" ]; } ]; static_configs = [
{ targets = [ "localhost:8080" ]; }
];
} }
]; ];
}; };


@ -3,10 +3,9 @@ let
cfg = config.custom.prometheus; cfg = config.custom.prometheus;
immichEnv = config.services.immich.environment; immichEnv = config.services.immich.environment;
metricPort = metricPort =
if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv then if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv
immichEnv.IMMICH_API_METRICS_PORT then immichEnv.IMMICH_API_METRICS_PORT
else else 8081;
8081;
in in
{ {
config = lib.mkIf (cfg.enable && cfg.exporters.immich.enable) { config = lib.mkIf (cfg.enable && cfg.exporters.immich.enable) {
@ -17,7 +16,9 @@ in
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
{ {
job_name = "immich"; job_name = "immich";
static_configs = [ { targets = [ "127.0.0.1:${toString metricPort}" ]; } ]; static_configs = [
{ targets = [ "127.0.0.1:${toString metricPort}" ]; }
];
} }
]; ];
}; };


@ -8,7 +8,9 @@ in
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
{ {
job_name = "miniflux"; job_name = "miniflux";
static_configs = [ { targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; } ]; static_configs = [
{ targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; }
];
} }
]; ];
}; };


@ -8,7 +8,9 @@ in
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
{ {
job_name = "ntfy-sh"; job_name = "ntfy-sh";
static_configs = [ { targets = [ "ntfy.xinyang.life" ]; } ]; static_configs = [
{ targets = [ "ntfy.xinyang.life" ]; }
];
} }
]; ];
}; };


@ -9,7 +9,9 @@ in
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
(lib.mkIf cfg.exporters.restic.enable { (lib.mkIf cfg.exporters.restic.enable {
job_name = "restic"; job_name = "restic";
static_configs = [ { targets = [ config.services.restic.server.listenAddress ]; } ]; static_configs = [
{ targets = [ config.services.restic.server.listenAddress ]; }
];
}) })
]; ];
@ -21,25 +23,15 @@ in
alert = "ResticCheckFailed"; alert = "ResticCheckFailed";
expr = "restic_check_success == 0"; expr = "restic_check_success == 0";
for = "5m"; for = "5m";
labels = { labels = { severity = "critical"; };
severity = "critical"; annotations = { summary = "Restic check failed (instance {{ $labels.instance }})"; description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; };
};
annotations = {
summary = "Restic check failed (instance {{ $labels.instance }})";
description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}";
};
} }
{ {
alert = "ResticOutdatedBackup"; alert = "ResticOutdatedBackup";
expr = "time() - restic_backup_timestamp > 518400"; expr = "time() - restic_backup_timestamp > 518400";
for = "0m"; for = "0m";
labels = { labels = { severity = "critical"; };
severity = "critical"; annotations = { summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated"; description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; };
};
annotations = {
summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated";
description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}";
};
} }
]; ];
} }


@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.custom.restic; cfg = config.custom.restic;
in in
@ -50,3 +45,4 @@ in
}; };
}; };
} }


@ -1,10 +1,4 @@
{ { config, pkgs, lib, utils, ... }:
config,
pkgs,
lib,
utils,
...
}:
let let
cfg = config.custom.sing-box; cfg = config.custom.sing-box;
settingsFormat = pkgs.formats.json { }; settingsFormat = pkgs.formats.json { };
@ -22,7 +16,9 @@ in
}; };
configFile = { configFile = {
urlFile = lib.mkOption { type = lib.types.path; }; urlFile = lib.mkOption {
type = lib.types.path;
};
name = lib.mkOption { name = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "config.json"; default = "config.json";
@ -66,10 +62,10 @@ in
systemd.packages = [ cfg.package ]; systemd.packages = [ cfg.package ];
systemd.services.sing-box = systemd.services.sing-box =
let let
configFile = cfg.stateDir + "/${cfg.configFile.name}"; configFile = cfg.stateDir + "/${cfg.configFile.name}";
in in
{ {
preStart = '' preStart = ''
umask 0077 umask 0077
@ -85,3 +81,4 @@ in
}; };
}; };
} }


@ -1,10 +1,5 @@
# Temporary workaround # Temporary workaround
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.ssh-tpm-agent; cfg = config.services.ssh-tpm-agent;
in in


@ -1,9 +1,4 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
with lib; with lib;
@ -28,7 +23,7 @@ in
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "sqlite"; dbBackend = "sqlite";
config = { config = {
@ -49,3 +44,4 @@ in
}; };
}; };
} }


@ -6,78 +6,72 @@
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
}; };
outputs = outputs = {
{ self,
self, flake-utils,
flake-utils, nix,
nix, nixpkgs,
nixpkgs, ...
... }:
}: flake-utils.lib.eachDefaultSystem (system: let
flake-utils.lib.eachDefaultSystem ( pkgs = (import nixpkgs) {
system: inherit system;
let };
pkgs = (import nixpkgs) { inherit system; }; lib = pkgs.lib;
lib = pkgs.lib; in rec {
in packages = rec {
rec { # a modified version of the nixos/nix image
packages = rec { # re-using the upstream nix docker image generation code
# a modified version of the nixos/nix image base = import (nix + "/docker.nix") {
# re-using the upstream nix docker image generation code inherit pkgs;
base = import (nix + "/docker.nix") { name = "nix-ci-base";
inherit pkgs; maxLayers = 10;
name = "nix-ci-base"; extraPkgs = with pkgs; [
maxLayers = 10; nodejs_20 # nodejs is needed for running most 3rdparty actions
extraPkgs = with pkgs; [ # add any other pre-installed packages here
nodejs_20 # nodejs is needed for running most 3rdparty actions curl
# add any other pre-installed packages here xz
curl openssl
xz coreutils-full
openssl cmake
coreutils-full gnumake
cmake gcc
gnumake ];
gcc # change this is you want
channelURL = "https://nixos.org/channels/nixpkgs-23.11";
nixConf = {
substituters = [
"https://mirrors.bfsu.edu.cn/nix-channels/store"
"https://mirrors.ustc.edu.cn/nix-channels/store"
"https://cache.nixos.org/"
"https://nix-community.cachix.org"
]; ];
# change this is you want accept-flake-config = "true";
channelURL = "https://nixos.org/channels/nixpkgs-23.11"; log-lines = "300";
nixConf = { trusted-public-keys = [
substituters = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"https://mirrors.bfsu.edu.cn/nix-channels/store" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"https://mirrors.ustc.edu.cn/nix-channels/store" ];
"https://cache.nixos.org/" # allow using the new flake commands in our workflows
experimental-features = ["nix-command" "flakes"];
"https://nix-community.cachix.org"
];
accept-flake-config = "true";
log-lines = "300";
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
# allow using the new flake commands in our workflows
experimental-features = [
"nix-command"
"flakes"
];
};
};
# make /bin/sleep available on the image
runner = pkgs.dockerTools.buildImage {
name = "nix-runner";
tag = "2.21.0-pkgs-23.11";
fromImage = base;
fromImageName = null;
fromImageTag = "latest";
copyToRoot = pkgs.buildEnv {
name = "image-root";
paths = [ pkgs.coreutils-full ];
pathsToLink = [ "/bin" ]; # add coreutuls (which includes sleep) to /bin
};
}; };
}; };
} # make /bin/sleep available on the image
); runner = pkgs.dockerTools.buildImage {
name = "nix-runner";
tag = "2.21.0-pkgs-23.11";
fromImage = base;
fromImageName = null;
fromImageTag = "latest";
copyToRoot = pkgs.buildEnv {
name = "image-root";
paths = [pkgs.coreutils-full];
pathsToLink = ["/bin"]; # add coreutuls (which includes sleep) to /bin
};
};
};
});
} }
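Review bot: `accept-flake-config = "true"` in `nixConf` makes this CI image apply whatever `nixConfig` a built flake declares without prompting, and since Nix in a single-user container presumably runs as a trusted user that includes extra `substituters` and `trusted-public-keys`, so a third-party flake built on the runner could redirect the builder to a cache under its own control. Unless every flake built here is first-party, consider dropping that line and relying on the explicit substituter and key allow-list that follows it, or at least record the assumption next to it with `# accept-flake-config: only safe while this runner builds first-party flakes`. The setting is pre-existing; this hunk only reformats the file.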

View file

@ -1,13 +1,8 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
{ {
nixpkgs.overlays = [ nixpkgs.overlays = [
(self: super: { (self: super: {
element-desktop = super.element-desktop.override { commandLineArgs = "--enable-wayland-ime"; }; element-desktop = super.element-desktop.override { commandLineArgs = "--enable-wayland-ime"; };
}) })
]; ];


@ -1 +1,3 @@
(final: prev: { oidc-agent = prev.callPackage ./pkgs/oidc-agent { }; }) (final: prev: {
oidc-agent = prev.callPackage ./pkgs/oidc-agent { };
})


@ -1,15 +1,14 @@
{ { lib
lib, , stdenv
stdenv, , fetchFromGitHub
fetchFromGitHub, , curl
curl, , webkitgtk
webkitgtk, , libmicrohttpd
libmicrohttpd, , libsecret
libsecret, , qrencode
qrencode, , libsodium
libsodium, , pkg-config
pkg-config, , help2man
help2man,
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
@ -20,7 +19,8 @@ stdenv.mkDerivation rec {
owner = "indigo-dc"; owner = "indigo-dc";
repo = "oidc-agent"; repo = "oidc-agent";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-cOK/rZ/jnyALLuhDM3+qvwwe4Fjkv8diQBkw7NfVo0c="; sha256 = "sha256-cOK/rZ/jnyALLuhDM3+qvwwe4Fjkv8diQBkw7NfVo0c="
;
}; };
buildInputs = [ buildInputs = [
@ -47,6 +47,7 @@ stdenv.mkDerivation rec {
make install_man PREFIX=$out make install_man PREFIX=$out
''; '';
meta = with lib; { meta = with lib; {
description = "oidc-agent for managing OpenID Connect tokens on the command line"; description = "oidc-agent for managing OpenID Connect tokens on the command line";
homepage = "https://github.com/indigo-dc/oidc-agent"; homepage = "https://github.com/indigo-dc/oidc-agent";
@ -54,3 +55,4 @@ stdenv.mkDerivation rec {
license = licenses.mit; license = licenses.mit;
}; };
} }