Compare commits


No commits in common. "9bf25972e90a10a10c18daf0f63a4938d06e5d21" and "1b513bd869ff908974dd88f8dff2f23a204eb2e4" have entirely different histories.

17 changed files with 112 additions and 401 deletions

12
flake.lock generated

@ -513,11 +513,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1731819057,
"narHash": "sha256-nfqKsQhFCakM+eIKGf/JWu/g56rOPoGny10EZN8q7R0=",
"lastModified": 1731815985,
"narHash": "sha256-PgX3UFz1YESfEeGmp2HYYBc/3Vp59bPbBLtNN4VMIgI=",
"owner": "xinyangli",
"repo": "nixpkgs",
"rev": "b2644ed7258502987ad4a70cf8959bf5a26ce26d",
"rev": "5ddf4ef59567ff1e43adacde9f677f2cbd958287",
"type": "github"
},
"original": {
@ -555,11 +555,11 @@
},
"nur": {
"locked": {
"lastModified": 1731819675,
"narHash": "sha256-GGp/rEfxRdi1BD9TlHoXxp2g9IuKDp0Jk7wYh1LacP8=",
"lastModified": 1731815686,
"narHash": "sha256-6HPZVrwQOZzeaW5QseyXnghK76a3aDnRoQf+L+cpNms=",
"owner": "nix-community",
"repo": "NUR",
"rev": "59740d792bea5caa547c9bc7ce366802ecfafb7f",
"rev": "4cde5b2ea07d8c05570d7305738a9870b1a14700",
"type": "github"
},
"original": {

116
flake.nix

@ -58,56 +58,35 @@
home-manager,
nixpkgs,
nixos-hardware,
sops-nix,
flake-utils,
nur,
catppuccin,
my-nixvim,
nix-vscode-extensions,
colmena,
nix-index-database,
...
}:
}@inputs:
let
editorOverlay = (
final: prev: {
inherit (nix-vscode-extensions.extensions.${prev.stdenv.system}) vscode-marketplace;
inherit (self.packages.${prev.stdenv.system}) nixvim;
}
);
nixvimOverlay = (final: prev: { nixvim = self.packages.${prev.stdenv.system}.nixvim; });
overlayModule =
{ ... }:
{
nixpkgs.overlays = [
editorOverlay
nixvimOverlay
(import ./overlays/add-pkgs.nix)
];
};
deploymentModule = {
deployment.targetUser = "xin";
};
sharedHmModules = [
self.homeManagerModules.default
sops-nix.homeManagerModules.sops
nix-index-database.hmModules.nix-index
catppuccin.homeManagerModules.catppuccin
];
sharedNixosModules = [
self.nixosModules.default
sops-nix.nixosModules.sops
];
nodeNixosModules = {
calcite = [
nixos-hardware.nixosModules.asus-zephyrus-ga401
nur.nixosModules.nur
catppuccin.nixosModules.catppuccin
machines/calcite/configuration.nix
(mkHome "xin" "calcite")
];
};
sharedColmenaModules = [
self.nixosModules.default
deploymentModule
] ++ sharedNixosModules;
];
sharedHmModules = [
inputs.sops-nix.homeManagerModules.sops
inputs.nix-index-database.hmModules.nix-index
catppuccin.homeManagerModules.catppuccin
self.homeManagerModules
];
mkHome =
user: host:
{ ... }:
@ -119,29 +98,43 @@
sharedModules = sharedHmModules;
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = {
inherit inputs;
};
};
home-manager.users.${user} = (import ./home).${user}.${host};
}
];
};
mkHomeConfiguration = user: host: {
name = user;
value = home-manager.lib.homeManagerConfiguration {
pkgs = import nixpkgs { system = "x86_64-linux"; };
modules = [
(import ./home).${user}.${host}
overlayModule
] ++ sharedHmModules;
extraSpecialArgs = {
inherit inputs;
};
};
};
mkNixos =
{
hostname,
system ? null,
system,
modules,
specialArgs ? { },
}:
nixpkgs.lib.nixosSystem {
modules = sharedNixosModules ++ nodeNixosModules.${hostname};
};
# TODO:
mkColmenaHive =
{
hostname,
}:
colmena.lib.makeHive {
meta = {
# FIXME:
nixpkgs = import nixpkgs { system = "x86_64-linux"; };
inherit system;
specialArgs = specialArgs // {
inherit inputs system;
};
modules = [
self.nixosModules.default
nur.nixosModules.nur
catppuccin.nixosModules.catppuccin
] ++ modules;
};
in
{
@ -152,12 +145,16 @@
overlayModule
];
};
homeManagerModules.default = import ./modules/home-manager;
homeManagerModules = import ./modules/home-manager;
colmenaHive = colmena.lib.makeHive {
homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ];
colmenaHive = inputs.colmena.lib.makeHive {
meta = {
# FIXME:
nixpkgs = import nixpkgs { system = "x86_64-linux"; };
specialArgs = {
inherit inputs;
};
};
massicot =
@ -244,7 +241,12 @@
nixosConfigurations = {
calcite = mkNixos {
hostname = "calcite";
system = "x86_64-linux";
modules = [
nixos-hardware.nixosModules.asus-zephyrus-ga401
machines/calcite/configuration.nix
(mkHome "xin" "calcite")
];
};
} // self.colmenaHive.nodes;
@ -253,17 +255,6 @@
system:
let
pkgs = nixpkgs.legacyPackages.${system};
mkHomeConfiguration = user: host: {
name = user;
value = home-manager.lib.homeManagerConfiguration {
inherit pkgs;
modules = [
(import ./home).${user}.${host}
overlayModule
] ++ sharedHmModules;
};
};
in
{
devShells = {
@ -271,19 +262,16 @@
packages = with pkgs; [
nix
git
colmena.packages.${system}.colmena
inputs.colmena.packages.${system}.colmena
sops
nix-output-monitor
nil
nvd
nh
(python3.withPackages (ps: with ps; [ requests ]))
];
};
};
homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ];
packages = {
nixvim = my-nixvim.packages.${system}.default;
};
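Review bot: The new top-level `mkHomeConfiguration` builds `pkgs = import nixpkgs { system = "x86_64-linux"; }`, which is the third copy of that literal in this file alongside the colmena `meta.nixpkgs` (already marked `# FIXME`) and the calcite `system = "x86_64-linux"`; a second architecture now means three edits. Hoist it once in the `let`, `defaultSystem = "x86_64-linux";`, and reference it in all three places; `mkHomeConfiguration` could take `system ? defaultSystem` as an optional third argument so the `flake-utils` per-system block can still call it. Which of these lines are additions is inferred from the 29→43 hunk counts, since the `+`/`-` markers are lost on this page.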


@ -38,8 +38,6 @@ in
remmina
qq
wechat-uos
wpsoffice
ttf-wps-fonts
];
# Theme


@ -16,7 +16,6 @@ in
];
commonSettings = {
auth.enable = true;
nix = {
enableMirrors = true;
signing.enable = true;
@ -36,11 +35,6 @@ in
boot.supportedFilesystems = [ "ntfs" ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
documentation = {
nixos.enable = false;
man.enable = false;
};
security.tpm2 = {
enable = true;
# expose /run/current-system/sw/lib/libtpm2_pkcs11.so
@ -120,15 +114,13 @@ in
xdg.portal = {
enable = true;
extraPortals = [
pkgs.xdg-desktop-portal-gnome
pkgs.xdg-desktop-portal-gtk
pkgs.xdg-desktop-portal-gnome
];
configPackages = [ pkgs.niri ];
};
systemd.user.services.xdg-desktop-portal-gtk.after = [ "graphical-session.target" ];
systemd.user.services.xdg-desktop-portal-gnome.after = [ "graphical-session.target" ];
systemd.user.services.xdg-desktop-portal-gnome.wantedBy = [ "graphical-session.target" ];
services.greetd =
let
@ -164,15 +156,6 @@ in
};
};
};
"logiM720" = {
ids = [ "046d:b015" ];
settings = {
main = {
mouse2 = "leftmeta";
# leftalt = "mouse1";
};
};
};
};
};
@ -219,7 +202,6 @@ in
services.smartd.enable = true;
# Allow unfree packages
nixpkgs.system = "x86_64-linux";
nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
@ -299,6 +281,7 @@ in
# Writting
zotero
# onlyoffice-bin
wpsoffice
config.nur.repos.linyinfeng.wemeet
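Review bot: `nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ]` survives on the new side without saying which package still needs an end-of-life OpenSSL branch, and with the commit moving desktop packages around (`wpsoffice` arrives in this file's package list, `documentation` and the `logiM720` block go) a maintainer cannot tell whether the exception is still exercised. I would add a comment naming the consumer and the removal condition, e.g. `# required by <pkg> (verify with nix why-depends); drop once it builds against openssl 3`, or remove the entry and let evaluation tell you. The list's closing bracket and the package that depends on it are outside this hunk, so the consumer is a guess.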


@ -58,8 +58,31 @@ in
exporters.blackbox.enable = true;
};
custom.commonSettings = {
auth.enable = true;
custom.kanidm-client = {
enable = true;
uri = "https://auth.xinyang.life/";
asSSHAuth = {
enable = true;
allowedGroups = [ "linux_users" ];
};
sudoers = [ "xin@auth.xinyang.life" ];
};
services.openssh = {
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkForce "no";
GSSAPIAuthentication = "no";
KerberosAuthentication = "no";
};
};
services.fail2ban.enable = true;
programs.mosh.enable = true;
security.sudo = {
execWheelOnly = true;
wheelNeedsPassword = false;
};
services.sing-box =
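Review bot: `security.sudo.wheelNeedsPassword = false` in the new `security.sudo` block removes the only local re-authentication step on a host that, per the same hunk, is reachable over key-only SSH (`PasswordAuthentication = false`, `KbdInteractiveAuthentication = false`) and takes its sudo roster from Kanidm (`sudoers = [ "xin@auth.xinyang.life" ]`); a compromised user session or forwarded agent then yields root with no second check. `execWheelOnly = true`, `PermitRootLogin = lib.mkForce "no"` and `fail2ban` are good companions, but the passwordless choice deserves either a comment stating the trade-off or `wheelNeedsPassword = true` if the Kanidm PAM setup can supply a unix password for the account. Which lines are additions is inferred from the 8→31 hunk counts since the markers are lost; the `custom.kanidm-client` module that interprets `sudoers` is outside this hunk.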


@ -1,10 +1,12 @@
{
inputs,
pkgs,
...
}:
{
imports = [
inputs.sops-nix.nixosModules.sops
./hardware-configuration.nix
./networking.nix
./services.nix


@ -101,6 +101,7 @@ in
services.matrix-conduit = {
enable = true;
# package = inputs.conduit.packages.${pkgs.system}.default;
package = pkgs.matrix-conduit;
settings.global = {
server_name = "xinyang.life";


@ -1,9 +1,11 @@
{
inputs,
config,
lib,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
config = {
sops = {
defaultSopsFile = ./secrets.yaml;


@ -1,13 +1,14 @@
{
inputs,
config,
pkgs,
lib,
modulesPath,
...
}:
{
imports = [
inputs.sops-nix.nixosModules.sops
(modulesPath + "/profiles/qemu-guest.nix")
./services
];
@ -149,15 +150,6 @@
permitCertUid = "caddy";
};
services.tailscale.derper = {
enable = true;
domain = "derper00.namely.icu";
openFirewall = true;
verifyClients = true;
};
# tailscale derper module use nginx for reverse proxy
services.nginx.enable = lib.mkForce false;
services.caddy = {
enable = true;
package = pkgs.caddy.withPlugins {
@ -173,9 +165,6 @@
];
vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";
};
virtualHosts."derper00.namely.icu:8443".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
'';
virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
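Review bot: Dropping `services.nginx.enable = lib.mkForce false;` along with the derper block assumes nothing else on this host enables nginx; if another module still does (the rest of the host configuration is outside this hunk), nginx and caddy will both try to bind :80/:443 and the caddy-fronted services may not come up. Worth a grep for `services.nginx` in this host's modules, or keeping the line with its reason spelled out, `services.nginx.enable = lib.mkForce false; # caddy owns 80/443`. The remaining immich vhost `weilite.coho-tet.ts.net:8080` presumably listens on :8080 on every interface unless a `bind` directive says otherwise; confirm 8080 is absent from `networking.firewall.allowedTCPPorts` so it stays tailnet-only — the firewall block is not in this hunk.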


@ -2,6 +2,5 @@
imports = [
./ocis.nix
./restic.nix
./media-download.nix
];
}


@ -1,6 +0,0 @@
{
services.jackett = {
enable = true;
openFirewall = false;
};
}


@ -84,12 +84,8 @@ in
enable = true;
timeouts = [
{
timeout = 600;
command = ''[ "$(${pkgs.tlp}/bin/tlp-stat -m)" == "battery" ] && /run/current-system/systemd/bin/systemctl suspend'';
}
{
timeout = 1200;
command = ''${getExe pkgs.niri} msg action power-off-monitors'';
timeout = 900;
command = "/run/current-system/systemd/bin/systemctl suspend";
}
];
events = [


@ -1,4 +1,5 @@
{
inputs,
config,
lib,
pkgs,
@ -15,7 +16,7 @@ let
nixd
nixpkgs-fmt
];
extension = with pkgs.vscode-marketplace; [
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
jnoortheen.nix-ide
];
settings = {
@ -29,16 +30,13 @@ let
clang-tools
cmake-format
];
extension =
with pkgs.vscode-marketplace;
[
llvm-vs-code-extensions.vscode-clangd
(ms-vscode.cmake-tools.overrideAttrs (_: {
sourceRoot = "extension";
}))
twxs.cmake
]
++ (with pkgs.vscode-extensions; [ ms-vscode.cpptools ]);
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
llvm-vs-code-extensions.vscode-clangd
(ms-vscode.cmake-tools.overrideAttrs (_: {
sourceRoot = "extension";
}))
twxs.cmake
] ++ (with pkgs.vscode-extensions; [ ms-vscode.cpptools ]);
settings = {
"cmake.configureOnEdit" = false;
"cmake.showOptionsMovedNotification" = false;
@ -52,7 +50,7 @@ let
};
pythonPackages = {
systemPackages = with pkgs; [ ];
extension = with pkgs.vscode-marketplace; [
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
ms-python.python
];
settings = { };
@ -62,7 +60,7 @@ let
coursier
metals
];
extension = with pkgs.vscode-marketplace; [
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
scala-lang.scala
scalameta.metals
];
@ -70,7 +68,7 @@ let
};
latexPackages = {
systemPackages = with pkgs; [ texliveSmall ];
extension = with pkgs.vscode-marketplace; [
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
james-yu.latex-workshop
];
settings = {
@ -186,7 +184,7 @@ in
mutableExtensionsDir = false;
extensions = lib.mkMerge (
[
(with pkgs.vscode-marketplace; [
(with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
mkhl.direnv
ms-azuretools.vscode-docker
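Review bot: The expression `inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace` is now written out seven times across this file's hunks; bind it once in the existing `let`, `marketplace = inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace;`, and use `with marketplace;` at each site so a later switch of attribute set (or of input) is a one-line change. `pkgs.system` is also the attribute that recent nixpkgs deprecates in favour of `pkgs.stdenv.hostPlatform.system`; the flake's removed overlay used `prev.stdenv.system` for the same lookup, so that spelling would be consistent here. With extensions now coming straight from the `nix-vscode-extensions` input rather than an overlay, the visible `mutableExtensionsDir = false;` is the right companion and worth keeping.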


@ -1,96 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.xdg.autoStart;
inherit (lib) hm types;
in
{
options.xdg.autoStart = {
packages = lib.mkOption {
description = ''
List of packages which should be autostarted.
This module tries to select the packages default desktop file,
which is either described by its .desktopItem attribute
or by its first entry of its .desktopItems attribute.
Users who want to specifically select a certain desktop file
or who want to write their own
can make use of the {option}`xdg.autoStart.desktopItems` option.
'';
type = types.listOf types.package;
default = [ ];
example = lib.literalExpression ''
with pkgs; [
pkgs.trilium-desktop
]
'';
};
desktopItems = lib.mkOption {
description = ''
List of desktop files which should be autostarted.
Users should prefer to use {option}`xdg.autoStart.packages`
and only use this option in case
they want to specifically
select a packages desktop item
or want to create their own desktop item.
Be warned, this may shadow entries of {option}`xdg.autoStart.packages`.
'';
type = types.attrsOf (types.unspecified); # TODO replace unspecified
default = { };
# TODO improve example, take one where it would make sense to use this option
example = lib.literalExpression ''
{
discord = pkgs.discord.desktopItem
firefox-custom = makeDesktopItem {
exec = "firefox -P custom";
};
}
'';
};
};
config =
let
# helpers
retrieveDesktopItem = (
pkg:
if pkg ? desktopItem then
pkg.desktopItem
else if pkg ? desktopItems && pkg.desktopItems != [ ] then
builtins.head pkg.desktopItems
else
abort "package '${pkg.pname}' is missing a desktop file"
);
emulateDesktopItem = (pkg: lib.nameValuePair pkg.pname (retrieveDesktopItem pkg));
embedDesktopItem = (
name: deskItem:
lib.nameValuePair "autostart/${name}.desktop" {
source = "${deskItem}/share/applications/${deskItem.name}";
}
);
# parse opts
desktopItemsPackages = builtins.listToAttrs (map emulateDesktopItem cfg.packages);
desktopItems = desktopItemsPackages // cfg.desktopItems;
in
{
assertions = [
(hm.assertions.assertPlatform "xdg.autoStart" pkgs lib.platforms.linux)
];
xdg.configFile = lib.attrsets.mapAttrs' embedDesktopItem desktopItems;
};
}


@ -26,9 +26,10 @@ in
bind "Ctrl l" { MoveFocusOrTab "Right"; }
bind "Ctrl j" { MoveFocus "Down"; }
bind "Ctrl k" { MoveFocus "Up"; }
unbind "Alt h" "Alt l" "Alt j" "Alt k" "Alt f"
unbind "Alt h" "Alt l" "Alt j" "Alt k"
}
unbind "Ctrl p" "Ctrl n"
unbind "Alt f"
}
'';
};


@ -1,165 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.commonSettings.proxyServer;
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path =
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
mkSingConfig =
{ uuid, password, ... }:
{
inbounds =
[
{
tag = "sg0";
type = "trojan";
listen = "::";
listen_port = 8080;
users = [
{
name = "proxy";
password = password;
}
];
tls = singTls;
}
]
++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310);
type = "tuic";
listen = "::";
listen_port = port;
congestion_control = "bbr";
users = [
{
name = "proxy";
uuid = uuid;
password = password;
}
];
tls = singTls;
});
outbounds = [
{
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{
public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
}
{
type = "direct";
tag = "direct";
}
];
route = {
rules = [
{
inbound = "sg0";
outbound = "direct";
}
{
inbound = "sg4";
outbound = "direct";
}
];
};
};
in
{
options.commonSettings.proxyServer = {
enable = mkEnableOption "sing-box as a server";
uuidFile = mkOption {
type = types.path;
};
passwordFile = mkOption {
type = types.path;
};
};
config = mkIf cfg.enable {
boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
networking.firewall.trustedInterfaces = [ "tun0" ];
sops = {
secrets = {
wg_private_key = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
wg_ipv6_local_addr = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
};
};
security.acme = {
acceptTerms = true;
certs.${config.deployment.targetHost} = {
email = "me@namely.icu";
# Avoid port conflict
listenHTTP = if config.services.caddy.enable then ":30310" else ":80";
};
};
services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = ''
reverse_proxy 127.0.0.1:30310
'';
networking.firewall.allowedTCPPorts = [
80
8080
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
custom.prometheus = {
enable = true;
exporters.blackbox.enable = true;
};
services.sing-box = {
enable = true;
settings = mkSingConfig {
uuid = cfg.uuidFile;
password = cfg.passwordFile;
};
};
};
}


@ -1,5 +1,3 @@
(
final: prev:
{
}
)
(final: prev: {
oidc-agent = prev.callPackage ./pkgs/oidc-agent { };
})