diff --git a/flake.lock b/flake.lock
index 50dd949..4240a48 100644
--- a/flake.lock
+++ b/flake.lock
@@ -513,11 +513,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1731819057,
- "narHash": "sha256-nfqKsQhFCakM+eIKGf/JWu/g56rOPoGny10EZN8q7R0=",
+ "lastModified": 1731815985,
+ "narHash": "sha256-PgX3UFz1YESfEeGmp2HYYBc/3Vp59bPbBLtNN4VMIgI=",
"owner": "xinyangli",
"repo": "nixpkgs",
- "rev": "b2644ed7258502987ad4a70cf8959bf5a26ce26d",
+ "rev": "5ddf4ef59567ff1e43adacde9f677f2cbd958287",
"type": "github"
},
"original": {
@@ -555,11 +555,11 @@
},
"nur": {
"locked": {
- "lastModified": 1731819675,
- "narHash": "sha256-GGp/rEfxRdi1BD9TlHoXxp2g9IuKDp0Jk7wYh1LacP8=",
+ "lastModified": 1731815686,
+ "narHash": "sha256-6HPZVrwQOZzeaW5QseyXnghK76a3aDnRoQf+L+cpNms=",
"owner": "nix-community",
"repo": "NUR",
- "rev": "59740d792bea5caa547c9bc7ce366802ecfafb7f",
+ "rev": "4cde5b2ea07d8c05570d7305738a9870b1a14700",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index 1000f83..12522d4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -58,56 +58,35 @@ home-manager, nixpkgs, nixos-hardware, - sops-nix, flake-utils, nur, catppuccin, my-nixvim, - nix-vscode-extensions, - colmena, - nix-index-database, ... - }: + }@inputs: let - editorOverlay = ( - final: prev: { - inherit (nix-vscode-extensions.extensions.${prev.stdenv.system}) vscode-marketplace; - inherit (self.packages.${prev.stdenv.system}) nixvim; - } - ); + nixvimOverlay = (final: prev: { nixvim = self.packages.${prev.stdenv.system}.nixvim; }); overlayModule = { ... }: { nixpkgs.overlays = [ - editorOverlay + nixvimOverlay (import ./overlays/add-pkgs.nix) ]; }; deploymentModule = { deployment.targetUser = "xin"; }; - sharedHmModules = [ - self.homeManagerModules.default - sops-nix.homeManagerModules.sops - nix-index-database.hmModules.nix-index - catppuccin.homeManagerModules.catppuccin - ]; - sharedNixosModules = [ - self.nixosModules.default - sops-nix.nixosModules.sops - ]; - nodeNixosModules = { - calcite = [ - nixos-hardware.nixosModules.asus-zephyrus-ga401 - nur.nixosModules.nur - catppuccin.nixosModules.catppuccin - machines/calcite/configuration.nix - (mkHome "xin" "calcite") - ]; - }; sharedColmenaModules = [ + self.nixosModules.default deploymentModule - ] ++ sharedNixosModules; + ]; + sharedHmModules = [ + inputs.sops-nix.homeManagerModules.sops + inputs.nix-index-database.hmModules.nix-index + catppuccin.homeManagerModules.catppuccin + self.homeManagerModules + ]; mkHome = user: host: { ... }: 
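Review bot: `sops-nix.nixosModules.sops` leaves the shared NixOS module list with this hunk (old `sharedNixosModules`), and neither the new `sharedColmenaModules` nor the base list `mkNixos` assembles later in the file re-adds it, so every host that sets `sops.*` options must now import the module itself. massicot, weilite and `machines/sops.nix` gain that import in this commit, but the dolomite and calcite hunks show no such import; unless they reach it through `machines/sops.nix`, evaluation fails on an undefined `sops` option. A short comment next to `sharedColmenaModules`, such as `# sops-nix is imported per host (see machines/sops.nix), not here`, would make the new contract explicit. The enclosing `outputs` function and its `let` continue outside the hunk.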
@@ -119,29 +98,43 @@ sharedModules = sharedHmModules; useGlobalPkgs = true; useUserPackages = true; + extraSpecialArgs = { + inherit inputs; + }; }; home-manager.users.${user} = (import ./home).${user}.${host}; } ]; }; + mkHomeConfiguration = user: host: { + name = user; + value = home-manager.lib.homeManagerConfiguration { + pkgs = import nixpkgs { system = "x86_64-linux"; }; + modules = [ + (import ./home).${user}.${host} + overlayModule + ] ++ sharedHmModules; + extraSpecialArgs = { + inherit inputs; + }; + }; + }; mkNixos = { - hostname, - system ? null, + system, + modules, + specialArgs ? { }, }: nixpkgs.lib.nixosSystem { - modules = sharedNixosModules ++ nodeNixosModules.${hostname}; - }; - # TODO: - mkColmenaHive = - { - hostname, - }: - colmena.lib.makeHive { - meta = { - # FIXME: - nixpkgs = import nixpkgs { system = "x86_64-linux"; }; + inherit system; + specialArgs = specialArgs // { + inherit inputs system; }; + modules = [ + self.nixosModules.default + nur.nixosModules.nur + catppuccin.nixosModules.catppuccin + ] ++ modules; }; in { @@ -152,12 +145,16 @@ overlayModule ]; }; - homeManagerModules.default = import ./modules/home-manager; + homeManagerModules = import ./modules/home-manager; - colmenaHive = colmena.lib.makeHive { + homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; + + colmenaHive = inputs.colmena.lib.makeHive { meta = { - # FIXME: nixpkgs = import nixpkgs { system = "x86_64-linux"; }; + specialArgs = { + inherit inputs; + }; }; massicot = @@ -244,7 +241,12 @@ nixosConfigurations = { calcite = mkNixos { - hostname = "calcite"; + system = "x86_64-linux"; + modules = [ + nixos-hardware.nixosModules.asus-zephyrus-ga401 + machines/calcite/configuration.nix + (mkHome "xin" "calcite") + ]; }; } // self.colmenaHive.nodes; 
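Review bot: `mkHomeConfiguration` now hard-codes `system = "x86_64-linux"` when importing nixpkgs, where the removed per-system version took `pkgs` from the `flake-utils` block, and `colmenaHive.meta.nixpkgs` in the next hunk repeats the same literal; taking `system` as a parameter (or an attrset argument, as `mkNixos` now does) keeps one source of truth. In `mkNixos`, `specialArgs // { inherit inputs system; }` means a caller-supplied `inputs` or `system` inside `specialArgs` is silently overridden by the right-hand set — fine if intentional, but worth a one-line comment at that spot, e.g. `# inputs and system always win over caller-supplied specialArgs`. The `let` block holding these helpers starts outside the hunk.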
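Review bot: `homeManagerModules = import ./modules/home-manager;` turns the flake output from the conventional `homeManagerModules.<name>` attribute set into a bare module, so any consumer (or `nix flake check`) expecting `self.homeManagerModules.default` now breaks. Keeping `homeManagerModules.default = import ./modules/home-manager;` and referencing `self.homeManagerModules.default` from `sharedHmModules` (earlier hunk) preserves the schema with the same behaviour. The `in { ... }` output set this sits in continues outside the hunk.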
@@ -253,17 +255,6 @@ system: let pkgs = nixpkgs.legacyPackages.${system}; - - mkHomeConfiguration = user: host: { - name = user; - value = home-manager.lib.homeManagerConfiguration { - inherit pkgs; - modules = [ - (import ./home).${user}.${host} - overlayModule - ] ++ sharedHmModules; - }; - }; in { devShells = { @@ -271,19 +262,16 @@ packages = with pkgs; [ nix git - colmena.packages.${system}.colmena + inputs.colmena.packages.${system}.colmena sops nix-output-monitor nil nvd nh - (python3.withPackages (ps: with ps; [ requests ])) ]; }; }; - homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; - packages = { nixvim = my-nixvim.packages.${system}.default; }; diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index 11dd9ed..3b3c4ea 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -38,8 +38,6 @@ in remmina qq wechat-uos - wpsoffice - ttf-wps-fonts ]; # Theme diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 8ad5348..60480c1 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -16,7 +16,6 @@ in ]; commonSettings = { - auth.enable = true; nix = { enableMirrors = true; signing.enable = true; @@ -36,11 +35,6 @@ in boot.supportedFilesystems = [ "ntfs" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; - documentation = { - nixos.enable = false; - man.enable = false; - }; - security.tpm2 = { enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so 
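Review bot: `auth.enable = true;` is dropped from calcite's `commonSettings` with nothing taking its place in this file, whereas dolomite replaces the same line with an explicit `custom.kanidm-client` block in this commit. If `commonSettings.auth` was what wired SSH/PAM authentication on calcite, the host now silently falls back to the module's default; if the intent is that calcite keeps local accounts only, a comment at that spot such as `# local accounts only; kanidm client is not configured on this host` records the decision. The enclosing `commonSettings` set starts and ends outside the hunk.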
@@ -120,15 +114,13 @@ in xdg.portal = { enable = true; extraPortals = [ - pkgs.xdg-desktop-portal-gnome pkgs.xdg-desktop-portal-gtk + pkgs.xdg-desktop-portal-gnome ]; configPackages = [ pkgs.niri ]; }; systemd.user.services.xdg-desktop-portal-gtk.after = [ "graphical-session.target" ]; - systemd.user.services.xdg-desktop-portal-gnome.after = [ "graphical-session.target" ]; - systemd.user.services.xdg-desktop-portal-gnome.wantedBy = [ "graphical-session.target" ]; services.greetd = let @@ -164,15 +156,6 @@ in }; }; }; - "logiM720" = { - ids = [ "046d:b015" ]; - settings = { - main = { - mouse2 = "leftmeta"; - # leftalt = "mouse1"; - }; - }; - }; }; }; @@ -219,7 +202,6 @@ in services.smartd.enable = true; # Allow unfree packages - nixpkgs.system = "x86_64-linux"; nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" @@ -299,6 +281,7 @@ in # Writting zotero # onlyoffice-bin + wpsoffice config.nur.repos.linyinfeng.wemeet diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index e3bb640..32e2425 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -58,8 +58,31 @@ in exporters.blackbox.enable = true; }; - custom.commonSettings = { - auth.enable = true; + custom.kanidm-client = { + enable = true; + uri = "https://auth.xinyang.life/"; + asSSHAuth = { + enable = true; + allowedGroups = [ "linux_users" ]; + }; + sudoers = [ "xin@auth.xinyang.life" ]; + }; + + services.openssh = { + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = lib.mkForce "no"; + GSSAPIAuthentication = "no"; + KerberosAuthentication = "no"; + }; + }; + services.fail2ban.enable = true; + programs.mosh.enable = true; + + security.sudo = { + execWheelOnly = true; + wheelNeedsPassword = false; }; services.sing-box = diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index e461039..611b30d 100644 --- a/machines/massicot/default.nix 
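Review bot: `security.sudo.wheelNeedsPassword = false;` gives every wheel member root with no further check, and on this host login is delegated to the identity provider via `custom.kanidm-client.asSSHAuth.allowedGroups = [ "linux_users" ]` (with `sudoers = [ "xin@auth.xinyang.life" ]` presumably granting that identity sudo), so a compromised IdP account or SSH key becomes a root shell on dolomite with no second hurdle; `execWheelOnly = true` does not narrow that, it only limits who may execute the sudo binary. If passwordless sudo is needed for deployments, scope it with `security.sudo.extraRules` to the specific commands or to `deployment.targetUser` rather than all of wheel, and say so in a comment. The `services.openssh.settings` hardening above it is sound; as a point of style, `PasswordAuthentication`/`KbdInteractiveAuthentication` are booleans while `GSSAPIAuthentication`/`KerberosAuthentication` are `"no"` strings — both render correctly, but one form reads better. The module attribute set continues outside the hunk.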
+++ b/machines/massicot/default.nix @@ -1,10 +1,12 @@ { + inputs, pkgs, ... }: { imports = [ + inputs.sops-nix.nixosModules.sops ./hardware-configuration.nix ./networking.nix ./services.nix diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 6a43aa3..4be75c5 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -101,6 +101,7 @@ in services.matrix-conduit = { enable = true; + # package = inputs.conduit.packages.${pkgs.system}.default; package = pkgs.matrix-conduit; settings.global = { server_name = "xinyang.life"; diff --git a/machines/sops.nix b/machines/sops.nix index 3f56687..aeb99d9 100644 --- a/machines/sops.nix +++ b/machines/sops.nix @@ -1,9 +1,11 @@ { + inputs, config, lib, ... }: { + imports = [ inputs.sops-nix.nixosModules.sops ]; config = { sops = { defaultSopsFile = ./secrets.yaml; diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 8a58896..2fdacc1 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -1,13 +1,14 @@ { + inputs, config, pkgs, - lib, modulesPath, ... }: { imports = [ + inputs.sops-nix.nixosModules.sops (modulesPath + "/profiles/qemu-guest.nix") ./services ]; @@ -149,15 +150,6 @@ permitCertUid = "caddy"; }; - services.tailscale.derper = { - enable = true; - domain = "derper00.namely.icu"; - openFirewall = true; - verifyClients = true; - }; - # tailscale derper module use nginx for reverse proxy - services.nginx.enable = lib.mkForce false; - services.caddy = { enable = true; package = pkgs.caddy.withPlugins { @@ -173,9 +165,6 @@ ]; vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI="; }; - virtualHosts."derper00.namely.icu:8443".extraConfig = '' - reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port} - ''; virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = '' reverse_proxy 127.0.0.1:${toString config.services.immich.port} ''; 
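Review bot: the added `# package = inputs.conduit.packages.${pkgs.system}.default;` is commented-out code placed directly above the live `package = pkgs.matrix-conduit;`; if it is a pending switch, a `# TODO: move to inputs.conduit once <reason>` carries the intent better than a dead line, otherwise it should go. Within this diff the file's argument set does not show `inputs`, so the line would not evaluate if simply uncommented — the module header is outside the hunk.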
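Review bot: removing the derper block in weilite's `@@ -149` hunk also removes `services.nginx.enable = lib.mkForce false;`, which was the guard keeping nginx off while caddy owns the listening ports; nothing in the new side re-establishes it, so if any other imported module enables nginx on weilite it now starts and contends with caddy. If derper was the only thing pulling nginx in, a comment where the line was, e.g. `# nginx was only forced off for derper; caddy is the sole HTTP server`, records why the override went away. The first weilite hunk also drops `lib` from the module arguments, so any remaining `lib.` reference elsewhere in the file (not visible here) would fail to evaluate. The enclosing `services.caddy` block continues outside the hunk.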
diff --git a/machines/weilite/services/default.nix b/machines/weilite/services/default.nix
index d70e175..031018b 100644
--- a/machines/weilite/services/default.nix
+++ b/machines/weilite/services/default.nix
@@ -2,6 +2,5 @@
imports = [
./ocis.nix
./restic.nix
- ./media-download.nix
];
}
diff --git a/machines/weilite/services/media-download.nix b/machines/weilite/services/media-download.nix
deleted file mode 100644
index 36ae424..0000000
--- a/machines/weilite/services/media-download.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- services.jackett = {
- enable = true;
- openFirewall = false;
- };
-}
diff --git a/modules/home-manager/gui/niri.nix b/modules/home-manager/gui/niri.nix
index d26bf93..8eb07b6 100644
--- a/modules/home-manager/gui/niri.nix
+++ b/modules/home-manager/gui/niri.nix
@@ -84,12 +84,8 @@ in
enable = true;
timeouts = [
{
- timeout = 600;
- command = ''[ "$(${pkgs.tlp}/bin/tlp-stat -m)" == "battery" ] && /run/current-system/systemd/bin/systemctl suspend'';
- }
- {
- timeout = 1200;
- command = ''${getExe pkgs.niri} msg action power-off-monitors'';
+ timeout = 900;
+ command = "/run/current-system/systemd/bin/systemctl suspend";
}
];
events = [
diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix
index a34febe..9af7fdd 100644
--- a/modules/home-manager/vscode.nix
+++ b/modules/home-manager/vscode.nix
@@ -1,4 +1,5 @@
{
+ inputs,
config,
lib,
pkgs,
@@ -15,7 +16,7 @@ let
nixd
nixpkgs-fmt
];
- extension = with pkgs.vscode-marketplace; [
+ extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
jnoortheen.nix-ide
];
settings = {
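Review bot: the full expression `inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace` is spelled out here and again in the `@@ -29`, `@@ -52`, `@@ -62`, `@@ -70` and `@@ -186` hunks of vscode.nix; a single binding in the file's `let`, `marketplace = inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace;`, with `with marketplace; [ ... ]` at each site keeps the extension source pinned in one place. That also makes a later move from `pkgs.system` to `pkgs.stdenv.hostPlatform.system` (the spelling newer nixpkgs guidance prefers — confirm for the pinned revision) a one-line change. The `let` these bindings belong to runs past the hunk.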
@@ -29,16 +30,13 @@ let clang-tools cmake-format ]; - extension = - with pkgs.vscode-marketplace; - [ - llvm-vs-code-extensions.vscode-clangd - (ms-vscode.cmake-tools.overrideAttrs (_: { - sourceRoot = "extension"; - })) - twxs.cmake - ] - ++ (with pkgs.vscode-extensions; [ ms-vscode.cpptools ]); + extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ + llvm-vs-code-extensions.vscode-clangd + (ms-vscode.cmake-tools.overrideAttrs (_: { + sourceRoot = "extension"; + })) + twxs.cmake + ] ++ (with pkgs.vscode-extensions; [ ms-vscode.cpptools ]); settings = { "cmake.configureOnEdit" = false; "cmake.showOptionsMovedNotification" = false; @@ -52,7 +50,7 @@ let }; pythonPackages = { systemPackages = with pkgs; [ ]; - extension = with pkgs.vscode-marketplace; [ + extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ ms-python.python ]; settings = { }; @@ -62,7 +60,7 @@ let coursier metals ]; - extension = with pkgs.vscode-marketplace; [ + extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ scala-lang.scala scalameta.metals ]; @@ -70,7 +68,7 @@ let }; latexPackages = { systemPackages = with pkgs; [ texliveSmall ]; - extension = with pkgs.vscode-marketplace; [ + extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ james-yu.latex-workshop ]; settings = { @@ -186,7 +184,7 @@ in mutableExtensionsDir = false; extensions = lib.mkMerge ( [ - (with pkgs.vscode-marketplace; [ + (with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ mkhl.direnv ms-azuretools.vscode-docker diff --git a/modules/home-manager/xdg-autostart.nix b/modules/home-manager/xdg-autostart.nix deleted file mode 100644 index d2127ae..0000000 --- a/modules/home-manager/xdg-autostart.nix +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: -let - cfg = config.xdg.autoStart; - inherit (lib) hm types; -in -{ - - options.xdg.autoStart = { - - packages = lib.mkOption { - description = '' - List of packages which should be autostarted. - - This module tries to select the package’s default desktop file, - which is either described by its .desktopItem attribute - or by its first entry of its .desktopItems attribute. - - Users who want to specifically select a certain desktop file - or who want to write their own - can make use of the {option}`xdg.autoStart.desktopItems` option. - ''; - - type = types.listOf types.package; - default = [ ]; - example = lib.literalExpression '' - with pkgs; [ - pkgs.trilium-desktop - ] - ''; - }; - - desktopItems = lib.mkOption { - description = '' - List of desktop files which should be autostarted. - - Users should prefer to use {option}`xdg.autoStart.packages` - and only use this option in case - they want to specifically - select a package’s desktop item - or want to create their own desktop item. - - Be warned, this may shadow entries of {option}`xdg.autoStart.packages`. - ''; - - type = types.attrsOf (types.unspecified); # TODO replace unspecified - default = { }; - # TODO improve example, take one where it would make sense to use this option - example = lib.literalExpression '' - { - discord = pkgs.discord.desktopItem - firefox-custom = makeDesktopItem { - exec = "firefox -P custom"; - }; - } - ''; - }; - - }; - - config = - let - # helpers - retrieveDesktopItem = ( - pkg: - if pkg ? desktopItem then - pkg.desktopItem - else if pkg ? 
desktopItems && pkg.desktopItems != [ ] then - builtins.head pkg.desktopItems - else - abort "package '${pkg.pname}' is missing a desktop file" - ); - emulateDesktopItem = (pkg: lib.nameValuePair pkg.pname (retrieveDesktopItem pkg)); - embedDesktopItem = ( - name: deskItem: - lib.nameValuePair "autostart/${name}.desktop" { - source = "${deskItem}/share/applications/${deskItem.name}"; - } - ); - # parse opts - desktopItemsPackages = builtins.listToAttrs (map emulateDesktopItem cfg.packages); - desktopItems = desktopItemsPackages // cfg.desktopItems; - in - { - assertions = [ - (hm.assertions.assertPlatform "xdg.autoStart" pkgs lib.platforms.linux) - ]; - - xdg.configFile = lib.attrsets.mapAttrs' embedDesktopItem desktopItems; - }; - -} diff --git a/modules/home-manager/zellij.nix b/modules/home-manager/zellij.nix index fcb8f04..d925365 100644 --- a/modules/home-manager/zellij.nix +++ b/modules/home-manager/zellij.nix @@ -26,9 +26,10 @@ in bind "Ctrl l" { MoveFocusOrTab "Right"; } bind "Ctrl j" { MoveFocus "Down"; } bind "Ctrl k" { MoveFocus "Up"; } - unbind "Alt h" "Alt l" "Alt j" "Alt k" "Alt f" + unbind "Alt h" "Alt l" "Alt j" "Alt k" } unbind "Ctrl p" "Ctrl n" + unbind "Alt f" } ''; }; diff --git a/modules/nixos/common-settings/proxy-server.nix b/modules/nixos/common-settings/proxy-server.nix deleted file mode 100644 index a6b5af9..0000000 --- a/modules/nixos/common-settings/proxy-server.nix +++ /dev/null 
@@ -1,165 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: - -let - inherit (lib) - mkIf - mkEnableOption - mkOption - types - ; - - cfg = config.commonSettings.proxyServer; - - singTls = { - enabled = true; - server_name = config.deployment.targetHost; - key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; - certificate_path = - config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; - }; - - mkSingConfig = - { uuid, password, ... }: - { - inbounds = - [ - { - tag = "sg0"; - type = "trojan"; - listen = "::"; - listen_port = 8080; - users = [ - { - name = "proxy"; - password = password; - } - ]; - tls = singTls; - } - ] - ++ lib.forEach (lib.range 6311 6314) (port: { - tag = "sg" + toString (port - 6310); - type = "tuic"; - listen = "::"; - listen_port = port; - congestion_control = "bbr"; - users = [ - { - name = "proxy"; - uuid = uuid; - password = password; - } - ]; - tls = singTls; - }); - outbounds = [ - { - type = "wireguard"; - tag = "wg-out"; - private_key = { - _secret = config.sops.secrets.wg_private_key.path; - }; - local_address = [ - "172.16.0.2/32" - { _secret = config.sops.secrets.wg_ipv6_local_addr.path; } - ]; - peers = [ - { - public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; - allowed_ips = [ - "0.0.0.0/0" - "::/0" - ]; - server = "162.159.192.1"; - server_port = 500; - } - ]; - } - { - type = "direct"; - tag = "direct"; - } - ]; - route = { - rules = [ - { - inbound = "sg0"; - outbound = "direct"; - } - { - inbound = "sg4"; - outbound = "direct"; - } - ]; - }; - }; -in -{ - options.commonSettings.proxyServer = { - enable = mkEnableOption "sing-box as a server"; - uuidFile = mkOption { - type = types.path; - }; - passwordFile = mkOption { - type = types.path; - }; - }; - - config = mkIf cfg.enable { - boot.kernel.sysctl = { - "net.core.default_qdisc" = "fq"; - "net.ipv4.tcp_congestion_control" = "bbr"; - }; - - networking.firewall.trustedInterfaces = [ "tun0" ]; - - sops 
= {
- secrets = {
- wg_private_key = {
- owner = "root";
- sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
- };
- wg_ipv6_local_addr = {
- owner = "root";
- sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
- };
- };
- };
-
- security.acme = {
- acceptTerms = true;
- certs.${config.deployment.targetHost} = {
- email = "me@namely.icu";
- # Avoid port conflict
- listenHTTP = if config.services.caddy.enable then ":30310" else ":80";
- };
- };
- services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = ''
- reverse_proxy 127.0.0.1:30310
- '';
-
- networking.firewall.allowedTCPPorts = [
- 80
- 8080
- ];
- networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
-
- custom.prometheus = {
- enable = true;
- exporters.blackbox.enable = true;
- };
-
- services.sing-box = {
- enable = true;
- settings = mkSingConfig {
- uuid = cfg.uuidFile;
- password = cfg.passwordFile;
- };
- };
- };
-}
diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix
index 135a2cb..35b6981 100644
--- a/overlays/add-pkgs.nix
+++ b/overlays/add-pkgs.nix
@@ -1,5 +1,3 @@
-(
- final: prev:
- {
- }
-)
+(final: prev: {
+ oidc-agent = prev.callPackage ./pkgs/oidc-agent { };
+})
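Review bot: `oidc-agent = prev.callPackage ./pkgs/oidc-agent { };` resolves the package's dependencies from the un-overlaid set, so it will not see anything this or a later overlay adds or overrides; the conventional form is `oidc-agent = final.callPackage ./pkgs/oidc-agent { };`. The `./pkgs/oidc-agent` directory is not part of this diff, so confirm it exists in the tree — the overlay is applied to every host through `overlayModule` in flake.nix, so a missing path breaks evaluation everywhere, not only where `oidc-agent` is installed.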