Compare commits


15 commits

41 changed files with 1374 additions and 747 deletions


@ -7,7 +7,7 @@ keys:
- &host-la-00 age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
- &host-massicot age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
- &host-weilite age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml
- &host-hk-00 age1w3x5mz2g8jc9aq8cajdpg62f8n5p4qr6jgjlxw9seagyw0t0fsuqvkmym0
- &host-hk-00 age1hrckkydr9yhnyw6qqqptz45yc9suszccu0nd53q2zhlksgy9pqaqmlsdmu
creation_rules:
- path_regex: machines/calcite/secrets.yaml
key_groups:
@ -24,6 +24,14 @@ creation_rules:
- age:
- *xin
- *host-massicot
- path_regex: machines/dolomite/secrets/secrets.yaml
key_groups:
- age:
- *xin
- *host-sgp-00
- *host-tok-00
- *host-la-00
- *host-hk-00
- path_regex: machines/dolomite/secrets/sgp-00.yaml
key_groups:
- age:
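Review bot: The new `path_regex: machines/dolomite/secrets/secrets.yaml` rule makes the shared sing-box password and uuid decryptable by every dolomite host key (sgp-00, tok-00, la-00, hk-00), unlike the per-host wg files, so a compromise of any one node exposes the proxy credentials for the whole group. If the proxy users can be per-host, consider keeping those values in the per-host `<host>.yaml` files that the other rules already cover; otherwise at least record the trade-off next to the rule, e.g. `# shared by all dolomite nodes: rotate if any single host is compromised`. `path_regex` is a regular expression, so an anchored form such as `^machines/dolomite/secrets/secrets\.yaml$` would avoid accidental matches; the older rules in the file use the same unanchored style, so this is a file-wide nit rather than something this commit introduced.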

419
flake.lock generated

@ -1,126 +1,12 @@
{
"nodes": {
"base16": {
"inputs": {
"fromYaml": "fromYaml"
},
"locked": {
"lastModified": 1708890466,
"narHash": "sha256-LlrC09LoPi8OPYOGPXegD72v+//VapgAqhbOFS3i8sc=",
"owner": "SenchoPens",
"repo": "base16.nix",
"rev": "665b3c6748534eb766c777298721cece9453fdae",
"type": "github"
},
"original": {
"owner": "SenchoPens",
"repo": "base16.nix",
"type": "github"
}
},
"base16-fish": {
"flake": false,
"locked": {
"lastModified": 1622559957,
"narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=",
"owner": "tomyun",
"repo": "base16-fish",
"rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe",
"type": "github"
},
"original": {
"owner": "tomyun",
"repo": "base16-fish",
"type": "github"
}
},
"base16-foot": {
"flake": false,
"locked": {
"lastModified": 1696725948,
"narHash": "sha256-65bz2bUL/yzZ1c8/GQASnoiGwaF8DczlxJtzik1c0AU=",
"owner": "tinted-theming",
"repo": "base16-foot",
"rev": "eedbcfa30de0a4baa03e99f5e3ceb5535c2755ce",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-foot",
"type": "github"
}
},
"base16-helix": {
"flake": false,
"locked": {
"lastModified": 1720809814,
"narHash": "sha256-numb3xigRGnr/deF7wdjBwVg7fpbTH7reFDkJ75AJkY=",
"owner": "tinted-theming",
"repo": "base16-helix",
"rev": "34f41987bec14c0f3f6b2155c19787b1f6489625",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-helix",
"type": "github"
}
},
"base16-kitty": {
"flake": false,
"locked": {
"lastModified": 1665001328,
"narHash": "sha256-aRaizTYPpuWEcvoYE9U+YRX+Wsc8+iG0guQJbvxEdJY=",
"owner": "kdrag0n",
"repo": "base16-kitty",
"rev": "06bb401fa9a0ffb84365905ffbb959ae5bf40805",
"type": "github"
},
"original": {
"owner": "kdrag0n",
"repo": "base16-kitty",
"type": "github"
}
},
"base16-tmux": {
"flake": false,
"locked": {
"lastModified": 1696725902,
"narHash": "sha256-wDPg5elZPcQpu7Df0lI5O8Jv4A3T6jUQIVg63KDU+3Q=",
"owner": "tinted-theming",
"repo": "base16-tmux",
"rev": "c02050bebb60dbb20cb433cd4d8ce668ecc11ba7",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-tmux",
"type": "github"
}
},
"base16-vim": {
"flake": false,
"locked": {
"lastModified": 1716150083,
"narHash": "sha256-ZMhnNmw34ogE5rJZrjRv5MtG3WaqKd60ds2VXvT6hEc=",
"owner": "tinted-theming",
"repo": "base16-vim",
"rev": "6e955d704d046b0dc3e5c2d68a2a6eeffd2b5d3d",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-vim",
"type": "github"
}
},
"catppuccin": {
"locked": {
"lastModified": 1730458408,
"narHash": "sha256-JQ+SphQn13bdibKUrBBBznYehXX4xJrxD1ifBp6vSWw=",
"lastModified": 1731232837,
"narHash": "sha256-0aIwr/RC/oe7rYkfJb47xjdEQDSNcqpFGsEa+EPlDEs=",
"owner": "catppuccin",
"repo": "nix",
"rev": "191fbf2d81a63fad8f62f1233c0051f09b75d0ad",
"rev": "32359bf226fe874d3b7a0a5753d291a4da9616fe",
"type": "github"
},
"original": {
@ -132,22 +18,19 @@
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": [
"flake-utils"
],
"flake-utils": "flake-utils",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixpkgs"
],
"stable": [
"nixpkgs"
]
"stable": "stable"
},
"locked": {
"lastModified": 1728263678,
"narHash": "sha256-gyUVsPAWY9AgVKjrNPoowrIr5BvK4gI0UkDXvv8iSxA=",
"lastModified": 1731527002,
"narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "b0a62f234fae02a006123e661ff70e62af16106b",
"rev": "e3ad42138015fcdf2524518dd564a13145c72ea1",
"type": "github"
},
"original": {
@ -178,6 +61,26 @@
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1732221404,
"narHash": "sha256-fWTyjgGt+BHmkeJ5IxOR4zGF4/uc+ceWmhBjOBSVkgQ=",
"owner": "nix-community",
"repo": "disko",
"rev": "97c0c4d7072f19b598ed332e9f7f8ad562c6885b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -224,22 +127,6 @@
"type": "github"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
@ -281,15 +168,12 @@
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
@ -299,6 +183,24 @@
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
@ -316,43 +218,6 @@
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": [
"stylix",
"systems"
]
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"fromYaml": {
"flake": false,
"locked": {
"lastModified": 1689549921,
"narHash": "sha256-iX0pk/uB019TdBGlaJEWvBCfydT6sRq+eDcGPifVsCM=",
"owner": "SenchoPens",
"repo": "fromYaml",
"rev": "11fbbbfb32e3289d3c631e0134a23854e7865c84",
"type": "github"
},
"original": {
"owner": "SenchoPens",
"repo": "fromYaml",
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": [
@ -409,23 +274,6 @@
"type": "github"
}
},
"gnome-shell": {
"flake": false,
"locked": {
"lastModified": 1713702291,
"narHash": "sha256-zYP1ehjtcV8fo+c+JFfkAqktZ384Y+y779fzmR9lQAU=",
"owner": "GNOME",
"repo": "gnome-shell",
"rev": "0d0aadf013f78a7f7f1dc984d0d812971864b934",
"type": "github"
},
"original": {
"owner": "GNOME",
"ref": "46.1",
"repo": "gnome-shell",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -433,11 +281,11 @@
]
},
"locked": {
"lastModified": 1730837930,
"narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=",
"lastModified": 1731786860,
"narHash": "sha256-130gQ5k8kZlxjBEeLpE+SvWFgSOFgQFeZlqIik7KgtQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2f607e07f3ac7e53541120536708e824acccfaa8",
"rev": "1bd5616e33c0c54d7a5b37db94160635a9b27aeb",
"type": "github"
},
"original": {
@ -468,27 +316,6 @@
"type": "github"
}
},
"home-manager_3": {
"inputs": {
"nixpkgs": [
"stylix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1724435763,
"narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"ixx": {
"inputs": {
"flake-utils": [
@ -563,6 +390,27 @@
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"colmena",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-index-database": {
"inputs": {
"nixpkgs": [
@ -570,11 +418,11 @@
]
},
"locked": {
"lastModified": 1730604744,
"narHash": "sha256-/MK6QU4iOozJ4oHTfZipGtOgaT/uy/Jm4foCqHQeYR4=",
"lastModified": 1731814505,
"narHash": "sha256-l9ryrx1Twh08a+gxrMGM9O/aZKEimZfa6sZVyPCImgI=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "cc2ddbf2df8ef7cc933543b1b42b845ee4772318",
"rev": "bdba246946fb079b87b4cada4df9b1cdf1c06132",
"type": "github"
},
"original": {
@ -594,11 +442,11 @@
]
},
"locked": {
"lastModified": 1730944043,
"narHash": "sha256-DIYTHa57pQQc9ARiMpJWYkaoiTaQPLH7Y4qK0J10Khk=",
"lastModified": 1731808759,
"narHash": "sha256-WwJqguc/5Q7HEwHlgDzDT8mtd8ZxInxZM2neJKC1oh8=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "0a959b25ff573f079ed032f88d8c988561b96a96",
"rev": "5cf92678e6799ce45442dee4c9cb8094843c7cfa",
"type": "github"
},
"original": {
@ -609,11 +457,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1730919458,
"narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=",
"lastModified": 1731797098,
"narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "e1cc1f6483393634aee94514186d21a4871e78d7",
"rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6",
"type": "github"
},
"original": {
@ -653,11 +501,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"lastModified": 1731652201,
"narHash": "sha256-XUO0JKP1hlww0d7mm3kpmIr4hhtR4zicg5Wwes9cPMg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"rev": "c21b77913ea840f8bcf9adf4c41cecc2abffd38d",
"type": "github"
},
"original": {
@ -669,11 +517,11 @@
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"lastModified": 1731797254,
"narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
"type": "github"
},
"original": {
@ -685,11 +533,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1731119255,
"narHash": "sha256-rDHKmBBUu7XSK+68yXEI9TJVc2TaQH7SVieP9pH3h7k=",
"lastModified": 1731819057,
"narHash": "sha256-nfqKsQhFCakM+eIKGf/JWu/g56rOPoGny10EZN8q7R0=",
"owner": "xinyangli",
"repo": "nixpkgs",
"rev": "ca12ccda69b37abe3ea78dab388b0bfe638eb743",
"rev": "b2644ed7258502987ad4a70cf8959bf5a26ce26d",
"type": "github"
},
"original": {
@ -699,22 +547,6 @@
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1725194671,
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixvim": {
"inputs": {
"devshell": "devshell",
@ -743,11 +575,11 @@
},
"nur": {
"locked": {
"lastModified": 1730959878,
"narHash": "sha256-UZ6oSptjE04ooORHvvR+kiGnr/nhzWgYwGryxUkKAv0=",
"lastModified": 1731819675,
"narHash": "sha256-GGp/rEfxRdi1BD9TlHoXxp2g9IuKDp0Jk7wYh1LacP8=",
"owner": "nix-community",
"repo": "NUR",
"rev": "bc4d2a3b71c75d81cc247b1bf991b63f75358004",
"rev": "59740d792bea5caa547c9bc7ce366802ecfafb7f",
"type": "github"
},
"original": {
@ -758,7 +590,7 @@
},
"nuschtosSearch": {
"inputs": {
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils_3",
"ixx": "ixx",
"nixpkgs": [
"my-nixvim",
@ -784,7 +616,8 @@
"inputs": {
"catppuccin": "catppuccin",
"colmena": "colmena",
"flake-utils": "flake-utils",
"disko": "disko",
"flake-utils": "flake-utils_2",
"home-manager": "home-manager",
"my-nixvim": "my-nixvim",
"nix-index-database": "nix-index-database",
@ -793,8 +626,7 @@
"nixpkgs": "nixpkgs_2",
"nixpkgs-stable": "nixpkgs-stable",
"nur": "nur",
"sops-nix": "sops-nix",
"stylix": "stylix"
"sops-nix": "sops-nix"
}
},
"sops-nix": {
@ -805,11 +637,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1730883027,
"narHash": "sha256-pvXMOJIqRW0trsW+FzRMl6d5PbsM4rWfD5lcKCOrrwI=",
"lastModified": 1731814239,
"narHash": "sha256-TGnMXCeXS924w9W6CvRFtUCUFr8E/RK138lHxU3vcw8=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c5ae1e214ff935f2d3593187a131becb289ea639",
"rev": "47fc1d8c72dbd69b32ecb2019b5b648da3dd20ce",
"type": "github"
},
"original": {
@ -818,33 +650,19 @@
"type": "github"
}
},
"stylix": {
"inputs": {
"base16": "base16",
"base16-fish": "base16-fish",
"base16-foot": "base16-foot",
"base16-helix": "base16-helix",
"base16-kitty": "base16-kitty",
"base16-tmux": "base16-tmux",
"base16-vim": "base16-vim",
"flake-compat": "flake-compat_4",
"flake-utils": "flake-utils_3",
"gnome-shell": "gnome-shell",
"home-manager": "home-manager_3",
"nixpkgs": "nixpkgs_3",
"systems": "systems_3"
},
"stable": {
"locked": {
"lastModified": 1725416430,
"narHash": "sha256-DkF49DlcaZHV9v3m5ctQnC9qNqsEdfNhwjQArx5Q+Zw=",
"owner": "xinyangli",
"repo": "stylix",
"rev": "7aad490478518af03367dabfb5811b3f87ea93a1",
"lastModified": 1730883749,
"narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dba414932936fde69f0606b4f1d87c5bc0003ede",
"type": "github"
},
"original": {
"owner": "xinyangli",
"repo": "stylix",
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
@ -878,21 +696,6 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [

153
flake.nix

@ -34,9 +34,12 @@
colmena = {
url = "github:zhaofengli/colmena";
inputs.stable.follows = "nixpkgs";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-index-database = {
@ -52,12 +55,6 @@
catppuccin = {
url = "github:catppuccin/nix";
};
stylix = {
url = "github:xinyangli/stylix";
# inputs.nixpkgs.follows = "nixpkgs";
# inputs.home-manager.follows = "home-manager";
};
};
outputs =
@ -66,35 +63,73 @@
home-manager,
nixpkgs,
nixos-hardware,
sops-nix,
flake-utils,
nur,
catppuccin,
my-nixvim,
nix-vscode-extensions,
colmena,
nix-index-database,
disko,
...
}@inputs:
}:
let
nixvimOverlay = (final: prev: { nixvim = self.packages.${prev.stdenv.system}.nixvim; });
editorOverlay = (
final: prev: {
inherit (nix-vscode-extensions.extensions.${prev.stdenv.system}) vscode-marketplace;
inherit (self.packages.${prev.stdenv.system}) nixvim;
}
);
overlayModule =
{ ... }:
{
nixpkgs.overlays = [
nixvimOverlay
editorOverlay
(import ./overlays/add-pkgs.nix)
];
};
deploymentModule = {
deployment.targetUser = "xin";
};
sharedColmenaModules = [
self.nixosModules.default
deploymentModule
];
sharedHmModules = [
inputs.sops-nix.homeManagerModules.sops
inputs.nix-index-database.hmModules.nix-index
self.homeManagerModules.default
sops-nix.homeManagerModules.sops
nix-index-database.hmModules.nix-index
catppuccin.homeManagerModules.catppuccin
self.homeManagerModules
];
sharedNixosModules = [
self.nixosModules.default
sops-nix.nixosModules.sops
];
nodeNixosModules = {
calcite = [
nixos-hardware.nixosModules.asus-zephyrus-ga401
nur.nixosModules.nur
catppuccin.nixosModules.catppuccin
machines/calcite/configuration.nix
(mkHome "xin" "calcite")
];
hk-00 = [
./machines/dolomite/claw.nix
./machines/dolomite/common.nix
disko.nixosModules.disko
];
la-00 = [
./machines/dolomite/bandwagon.nix
./machines/dolomite/common.nix
];
tok-00 = [
./machines/dolomite/lightsail.nix
./machines/dolomite/common.nix
];
osmium = [
./machines/osmium
];
};
sharedColmenaModules = [
deploymentModule
] ++ sharedNixosModules;
mkHome =
user: host:
{ ... }:
@ -106,42 +141,29 @@
sharedModules = sharedHmModules;
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = {
inherit inputs;
};
};
home-manager.users.${user} = (import ./home).${user}.${host};
}
];
};
mkHomeConfiguration = user: host: {
name = user;
value = home-manager.lib.homeManagerConfiguration {
pkgs = import nixpkgs { system = "x86_64-linux"; };
modules = [
(import ./home).${user}.${host}
overlayModule
] ++ sharedHmModules;
extraSpecialArgs = {
inherit inputs;
};
};
};
mkNixos =
{
system,
modules,
specialArgs ? { },
hostname,
system ? null,
}:
nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = specialArgs // {
inherit inputs system;
modules = sharedNixosModules ++ nodeNixosModules.${hostname};
};
# TODO:
mkColmenaHive =
{
hostname,
}:
colmena.lib.makeHive {
meta = {
# FIXME:
nixpkgs = import nixpkgs { system = "x86_64-linux"; };
};
modules = [
self.nixosModules.default
nur.nixosModules.nur
] ++ modules;
};
in
{
@ -152,16 +174,12 @@
overlayModule
];
};
homeManagerModules = import ./modules/home-manager;
homeManagerModules.default = import ./modules/home-manager;
homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ];
colmenaHive = inputs.colmena.lib.makeHive {
colmenaHive = colmena.lib.makeHive {
meta = {
# FIXME:
nixpkgs = import nixpkgs { system = "x86_64-linux"; };
specialArgs = {
inherit inputs;
};
};
massicot =
@ -179,7 +197,7 @@
tok-00 =
{ ... }:
{
imports = [ machines/dolomite ] ++ sharedColmenaModules;
imports = nodeNixosModules.tok-00 ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "tok-00";
system.stateVersion = "23.11";
@ -193,7 +211,7 @@
la-00 =
{ ... }:
{
imports = [ machines/dolomite ] ++ sharedColmenaModules;
imports = nodeNixosModules.la-00 ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "la-00";
system.stateVersion = "21.05";
@ -207,7 +225,7 @@
hk-00 =
{ ... }:
{
imports = [ machines/dolomite ] ++ sharedColmenaModules;
imports = nodeNixosModules.hk-00 ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "hk-00";
system.stateVersion = "24.05";
@ -248,12 +266,11 @@
nixosConfigurations = {
calcite = mkNixos {
system = "x86_64-linux";
modules = [
nixos-hardware.nixosModules.asus-zephyrus-ga401
machines/calcite/configuration.nix
(mkHome "xin" "calcite")
];
hostname = "calcite";
};
osmium = mkNixos {
hostname = "osmium";
};
} // self.colmenaHive.nodes;
@ -262,6 +279,17 @@
system:
let
pkgs = nixpkgs.legacyPackages.${system};
mkHomeConfiguration = user: host: {
name = user;
value = home-manager.lib.homeManagerConfiguration {
inherit pkgs;
modules = [
(import ./home).${user}.${host}
overlayModule
] ++ sharedHmModules;
};
};
in
{
devShells = {
@ -269,16 +297,19 @@
packages = with pkgs; [
nix
git
colmena
colmena.packages.${system}.colmena
sops
nix-output-monitor
nil
nvd
nh
(python3.withPackages (ps: with ps; [ requests ]))
];
};
};
homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ];
packages = {
nixvim = my-nixvim.packages.${system}.default;
};
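Review bot: `mkColmenaHive` in the `let` block is added under a bare `# TODO:` and, as far as the visible hunks show, is never used — `colmenaHive` in the outputs still calls `colmena.lib.makeHive` directly — so either wire it in or drop it rather than leaving a half-built helper behind. The bare `# FIXME:` above the `nixpkgs = import nixpkgs { system = "x86_64-linux"; };` lines (both in the helper and in `colmenaHive.meta`) should say what is wrong; if it is the hard-coded platform, something like `# FIXME: meta.nixpkgs is pinned to x86_64-linux; each node sets nixpkgs.system itself` tells the next reader what is pending. `mkNixos` now defaults `system ? null` and passes it straight to `nixosSystem`, which relies on every node module setting `nixpkgs.system` or `nixpkgs.hostPlatform` itself (calcite does so in this commit, osmium is not visible); a one-line comment on the `system ? null` parameter stating that contract would prevent a confusing evaluation error later. The `outputs` function spans several hunks and continues outside the visible ones.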


@ -1,4 +1,4 @@
{ pkgs, ... }:
{ pkgs, lib, ... }:
let
homeDirectory = "/home/xin";
in
@ -36,13 +36,23 @@ in
home.packages = with pkgs; [
thunderbird
remmina
qq
wechat-uos
wpsoffice
ttf-wps-fonts
];
# Theme
catppuccin = {
enable = true;
accent = "peach";
flavor = "mocha";
};
# Missing from catppuccin module
services.swaync.style = pkgs.fetchurl {
url = "https://github.com/catppuccin/swaync/releases/download/v0.2.3/mocha.css";
hash = "sha256-Hie/vDt15nGCy4XWERGy1tUIecROw17GOoasT97kIfc=";
};
xdg.enable = true;
@ -51,6 +61,12 @@ in
fcitx5.addons = with pkgs; [ fcitx5-rime ];
};
# Using wayland
home.sessionVariables = {
GTK_IM_MODULE = lib.mkForce "";
QT_IM_MODULE = lib.mkForce "";
};
custom-hm = {
alacritty = {
enable = true;
@ -70,6 +86,14 @@ in
};
neovim = {
enable = true;
font = {
normal = [
"JetbrainsMono Nerd Font"
"Noto Sans Mono CJK SC"
"Ubuntu"
];
size = 12.0;
};
};
vscode = {
enable = true;
@ -84,6 +108,7 @@ in
zellij = {
enable = true;
};
gui = {
niri.enable = true;
waybar.enable = true;


@ -4,7 +4,9 @@
lib,
...
}:
let
inherit (lib) mkForce getExe;
in
{
imports = [
# Include the results of the hardware scan.
@ -34,6 +36,11 @@
boot.supportedFilesystems = [ "ntfs" ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
documentation = {
nixos.enable = false;
man.enable = false;
};
security.tpm2 = {
enable = true;
# expose /run/current-system/sw/lib/libtpm2_pkcs11.so
@ -43,7 +50,7 @@
# TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
tctiEnvironment.enable = true;
};
services.gnome.gnome-keyring.enable = lib.mkForce false;
# services.gnome.gnome-keyring.enable = lib.mkForce false;
security.pam.services.login.enableGnomeKeyring = lib.mkForce false;
services.ssh-tpm-agent.enable = true;
@ -98,14 +105,51 @@
LC_TIME = "en_US.utf8";
};
services.displayManager = {
enable = true;
defaultSession = "niri";
};
# ====== GUI ======
programs.niri.enable = true;
environment.sessionVariables.NIXOS_OZONE_WL = "1";
security.pam.services.gtklock = { }; # Required by gtklock
services.xserver.displayManager.gdm.enable = true;
catppuccin = {
enable = true;
accent = "rosewater";
flavor = "mocha";
};
xdg.portal = {
enable = true;
extraPortals = [
pkgs.xdg-desktop-portal-gnome
pkgs.xdg-desktop-portal-gtk
];
configPackages = [ pkgs.niri ];
};
systemd.user.services.xdg-desktop-portal-gtk.after = [ "graphical-session.target" ];
systemd.user.services.xdg-desktop-portal-gnome.after = [ "graphical-session.target" ];
systemd.user.services.xdg-desktop-portal-gnome.wantedBy = [ "graphical-session.target" ];
services.greetd =
let
niri-login-config = pkgs.writeText "niri-login-config.kdl" ''
animations {
off
}
hotkey-overlay {
skip-at-startup
}
'';
in
{
enable = true;
vt = 1;
settings = {
default_session = {
command = "${pkgs.dbus}/bin/dbus-run-session -- ${getExe pkgs.niri} -c ${niri-login-config} -- ${getExe pkgs.greetd.gtkgreet} -l -c niri-session -s ${pkgs.magnetic-catppuccin-gtk}/share/themes/Catppuccin-GTK-Dark/gtk-3.0/gtk.css";
};
};
};
# Keyboard mapping on internal keyboard
services.keyd = {
@ -120,6 +164,15 @@
};
};
};
"logiM720" = {
ids = [ "046d:b015" ];
settings = {
main = {
mouse2 = "leftmeta";
# leftalt = "mouse1";
};
};
};
};
};
@ -166,6 +219,7 @@
services.smartd.enable = true;
# Allow unfree packages
nixpkgs.system = "x86_64-linux";
nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
@ -229,7 +283,6 @@
# IM
element-desktop
tdesktop
qq
# Password manager
bitwarden
@ -246,8 +299,6 @@
# Writting
zotero
# onlyoffice-bin
wpsoffice
zed-editor
config.nur.repos.linyinfeng.wemeet
@ -300,8 +351,6 @@
exporters.blackbox.enable = true;
};
custom.stylix.enable = false;
services.ollama = {
enable = true;
acceleration = "cuda";
@ -311,7 +360,6 @@
services.gvfs.enable = true;
services.flatpak.enable = true;
xdg.portal.enable = true;
# Fonts
fonts = {
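Review bot: `nixpkgs.system = "x86_64-linux";` is inserted between the `# Allow unfree packages` comment and the `allowUnfree` line it describes; move it above the comment or give it its own, e.g. `# Host platform; mkNixos no longer passes system explicitly`, so the existing comment stays attached to its line. The `# services.gnome.gnome-keyring.enable = lib.mkForce false;` line is commented-out code and should be deleted rather than kept, and since login now goes through greetd rather than gdm, the retained `security.pam.services.login.enableGnomeKeyring = lib.mkForce false;` probably no longer targets the PAM service that actually performs the login (greetd has its own), so it is worth confirming which service you mean to affect. In the greetd block the single very long `default_session.command` string would be easier to review if built from a list, e.g. `command = lib.concatStringsSep " " [ "${pkgs.dbus}/bin/dbus-run-session" "--" (getExe pkgs.niri) "-c" "${niri-login-config}" "--" ... ];`, which also makes each argument (the `-s` theme path in particular) visible on its own line.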


@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, pkgs, lib, ... }:
{
imports = [ ];
@ -10,7 +10,6 @@
dns = "systemd-resolved";
};
};
systemd.services.NetworkManager-wait-online.enable = false;
services.resolved = {
enable = true;
@ -25,6 +24,7 @@
services.dae.enable = true;
services.dae.configFile = "/var/lib/dae/config.dae";
systemd.services.dae.after = lib.mkIf (config.networking.networkmanager.enable) [ "NetworkManager-wait-online.service" ];
custom.sing-box = {
enable = false;
@ -46,14 +46,13 @@
# Use nftables to manager firewall
networking.nftables.enable = true;
# Add gsconnect, open firewall
programs.kdeconnect = {
enable = true;
package = pkgs.gnomeExtensions.gsconnect;
};
programs.wireshark = {
enable = true;
package = pkgs.wireshark-qt;
};
programs.kdeconnect = {
enable = true;
package = pkgs.valent;
};
}
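Review bot: `systemd.services.dae.after = lib.mkIf (config.networking.networkmanager.enable) [ "NetworkManager-wait-online.service" ];` only orders dae after the wait-online unit; it does not pull the unit in, so if nothing else wants `NetworkManager-wait-online.service` the ordering has no effect. The commit also drops the line that disabled that unit, which suggests the wait is intended, so add the matching `systemd.services.dae.wants = lib.mkIf config.networking.networkmanager.enable [ "NetworkManager-wait-online.service" ];` (or order on `network-online.target` instead). The parentheses around the `mkIf` condition are unnecessary.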


@ -1,21 +1,11 @@
{
config,
lib,
pkgs,
modulesPath,
...
}:
let
cfg = config.isBandwagon;
in
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
options = {
isBandwagon = lib.mkEnableOption "Bandwagon instance";
};
config = lib.mkIf cfg {
config = {
boot.initrd.availableKernelModules = [
"ata_piix"
"xhci_pci"


@ -1,22 +1,14 @@
{
config,
lib,
modulesPath,
...
}:
let
cfg = config.isClaw;
in
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
options = {
isClaw = lib.mkEnableOption "Lightsail instance";
};
config = lib.mkIf cfg {
config = {
boot.initrd.availableKernelModules = [
"uhci_hcd"
"virtio_blk"
@ -26,6 +18,38 @@ in
"xen_blkfront"
"vmw_pvscsi"
];
disko.devices = {
disk = {
main = {
device = "/dev/vda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "500M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "xfs";
mountpoint = "/";
};
};
};
};
};
};
};
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
@ -34,11 +58,6 @@ in
device = "/dev/vda";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/fe563e38-9a57-447a-ba57-c3e53ddd84ee";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
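Review bot: The new disko layout mounts the ESP on `/boot` with the default mount options, which leaves the EFI partition (and the kernels and initrds on it) world-readable; add `mountOptions = [ "umask=0077" ];` to the `ESP.content` block, which is what the NixOS boot-loader modules now warn about. The partition table is GPT with an `EF00` ESP, but the loader line kept below (`device = "/dev/vda";`, option name outside the hunk) looks like legacy GRUB installed to the disk; on a GPT disk BIOS GRUB also needs a small `EF02` BIOS-boot partition, whereas an EFI boot would instead need `efiSupport` and `device = "nodev"`, so please confirm which firmware the claw instance actually uses. Removing the by-uuid `fileSystems."/"` entry and switching from ext4 to xfs via disko implies a reprovision rather than an in-place change; fine if that is the plan, worth stating in the commit message otherwise.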


@ -0,0 +1,36 @@
{ config, ... }:
{
config = {
sops = {
secrets = {
wg_private_key = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
wg_ipv6_local_addr = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
"sing-box/password" = {
owner = "root";
sopsFile = ./secrets/secrets.yaml;
};
"sing-box/uuid" = {
owner = "root";
sopsFile = ./secrets/secrets.yaml;
};
};
};
custom.prometheus = {
enable = true;
exporters.blackbox.enable = true;
};
commonSettings = {
auth.enable = true;
proxyServer.enable = true;
};
};
}
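Review bot: The per-host `sopsFile = ./secrets + "/${config.networking.hostName}.yaml";` expression is repeated for both wg secrets; bind it once, e.g. `let hostSecrets = ./secrets + "/${config.networking.hostName}.yaml"; in`, so the per-host file convention lives in one place. The secret names change from the deleted `singbox_password`/`singbox_uuid` to `"sing-box/password"`/`"sing-box/uuid"`, and the `commonSettings.proxyServer` module that consumes them is not part of this diff, so please confirm it reads `config.sops.secrets."sing-box/password".path` rather than the old names. Both sing-box entries resolve to the shared `./secrets/secrets.yaml`, so a short comment such as `# shared across all dolomite nodes` on those two entries would make the trust boundary visible to the next reader.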


@ -1,182 +0,0 @@
{ config, lib, ... }:
let
awsHosts = [ "tok-00" ];
bwgHosts = [ "la-00" ];
clawHosts = [ "hk-00" ];
in
{
imports = [
../sops.nix
./bandwagon.nix
./lightsail.nix
./claw.nix
];
config = {
isBandwagon = builtins.elem config.networking.hostName bwgHosts;
isLightsail = builtins.elem config.networking.hostName awsHosts;
isClaw = builtins.elem config.networking.hostName clawHosts;
sops = {
secrets = {
wg_private_key = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
wg_ipv6_local_addr = {
owner = "root";
sopsFile = ./secrets + "/${config.networking.hostName}.yaml";
};
};
};
boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
networking.firewall.trustedInterfaces = [ "tun0" ];
security.acme = {
acceptTerms = true;
certs.${config.deployment.targetHost} = {
email = "me@namely.icu";
# Avoid port conflict
listenHTTP = if config.services.caddy.enable then ":30310" else ":80";
};
};
services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = ''
reverse_proxy 127.0.0.1:30310
'';
networking.firewall.allowedTCPPorts = [
80
8080
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
custom.prometheus = {
enable = true;
exporters.blackbox.enable = true;
};
custom.kanidm-client = {
enable = true;
uri = "https://auth.xinyang.life/";
asSSHAuth = {
enable = true;
allowedGroups = [ "linux_users" ];
};
sudoers = [ "xin@auth.xinyang.life" ];
};
services.openssh = {
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkForce "no";
GSSAPIAuthentication = "no";
KerberosAuthentication = "no";
};
};
services.fail2ban.enable = true;
programs.mosh.enable = true;
security.sudo = {
execWheelOnly = true;
wheelNeedsPassword = false;
};
services.sing-box =
let
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path =
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
password = {
_secret = config.sops.secrets.singbox_password.path;
};
uuid = {
_secret = config.sops.secrets.singbox_uuid.path;
};
in
{
enable = true;
settings = {
inbounds =
[
{
tag = "sg0";
type = "trojan";
listen = "::";
listen_port = 8080;
users = [
{
name = "proxy";
password = password;
}
];
tls = singTls;
}
]
++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310);
type = "tuic";
listen = "::";
listen_port = port;
congestion_control = "bbr";
users = [
{
name = "proxy";
uuid = uuid;
password = password;
}
];
tls = singTls;
});
outbounds = [
{
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{
public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
}
{
type = "direct";
tag = "direct";
}
];
route = {
rules = [
{
inbound = "sg0";
outbound = "direct";
}
{
inbound = "sg4";
outbound = "direct";
}
];
};
};
};
};
}


@ -1,11 +1,9 @@
{
config,
lib,
pkgs,
modulesPath,
...
}:
with lib;
let
cfg = config.ec2;
in
@ -20,11 +18,7 @@ in
"${modulesPath}/virtualisation/amazon-init.nix"
];
options = {
isLightsail = mkEnableOption "Lightsail instance";
};
config = mkIf config.isLightsail {
config = {
boot.loader.grub.device = "/dev/nvme0n1";
# from nixpkgs amazon-image.nix


@ -1,5 +1,5 @@
wg_private_key: ENC[AES256_GCM,data:M4lSTVf5cCbjuPjabYzGV1RQ0ZarM9vP2V8l1MJbLCKPTKGZV5wi9a3IIzA=,iv:M9jU7/xpzHxV3pYIfZqxGnsnbrx8wKN4zKa4qqyL7ak=,tag:+sQMIpmEwqOsBWBnqN6J1Q==,type:str]
wg_ipv6_local_addr: ENC[AES256_GCM,data:mzZDRHo5bD6Vji4LuvE8vEmQR/J5MeCXuS0DVihJcQdBw/NJ5zdATNVD,iv:5OevY9C3oqPhhksnd5itz8TWorFsm/mjs430c2ki+ZM=,tag:/hixvECSasepzvZdBOoO7g==,type:str]
wg_private_key: ENC[AES256_GCM,data:rzWGmeKVKjSaViN7fkgwLXdD7gLwTaNd9dtTdj6POMXqjk6uYNXKhKES/d0=,iv:M9jU7/xpzHxV3pYIfZqxGnsnbrx8wKN4zKa4qqyL7ak=,tag:Pz8P7mq1DpGPVwgTTFmFiw==,type:str]
wg_ipv6_local_addr: ENC[AES256_GCM,data:SuRSCFKW5MM2mtDNNfa3By7hrz66Y+nw/Ij+uO0MHwklAlkydVVKi89D,iv:5OevY9C3oqPhhksnd5itz8TWorFsm/mjs430c2ki+ZM=,tag:DjZjY54Pb1AHIyyzQIlHaw==,type:str]
sops:
kms: []
gcp_kms: []
@ -9,23 +9,23 @@ sops:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNmVpY09ZNzhacDdpdVUr
SGc2NGNrRWlMMzE2RVNSN0tHTGNoeVhlWUFRCnpqNy9qMExKUFA0akFnNG1HS0h2
NXlmWkJMemJkam5oSEFaSENkRTRnczQKLS0tIGNha0RWbGFUWGpROEdoKy9WbC9n
WTUrUjMydHRHODN3TDhyakpHNG1hZjQKR3I8TwUDvvht9ck8YIplCjafhUdvxw7M
VNSjUoacKg0Uu5m777UlBpDdDXBwulrVryFxrKA0Q395+YRJ2Sg0wQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDNXJzOHF2M3RkV2MxeThi
NzFXcHg2QVZzQXZWMlFibE10MnhiekJnSVNzCjJ4TVBXZmk1ZWk5Rjl0WUlHNWc2
bUdHcCsraEpWb2hqVDAxaVpNdC9SOXMKLS0tIFJ2amxtTXY2VnF2NUlVYXdJZG5R
RHk3SjZIUTQ3VmJpcElmMXd3dFp1RVEKQCe/BYPU9b8aNsTV1z5VKfnesp8KT98T
iRWUz4cuNLEUbmO9H2AuoM2iVtsFmYyPRz2NlSPUMdCHR7MnAGbkFg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w3x5mz2g8jc9aq8cajdpg62f8n5p4qr6jgjlxw9seagyw0t0fsuqvkmym0
- recipient: age1hrckkydr9yhnyw6qqqptz45yc9suszccu0nd53q2zhlksgy9pqaqmlsdmu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZC9GU085TmV6b1FsdGFw
OEFJeVM1WFJib1lFM1luQmlQSGt3Ym1PaVVjCkd4TmhIcVB2Nk4xaHdwSVVHOGJJ
TVErNHZ1ZURKMmk2SzJUajFTV0tJSE0KLS0tIG5jVnZHNm55dncvaDdsWXNidDB1
TURVTjR3RUJzMmxmNVIyTk5rM0YvMU0KP3R78NlGqbRHmSn2WqanPq8Y9m+olBLO
2CTJI9QQfPACzz9KoEt5hlpqVpsgQT9CGDpyYEwXrFyxFY4QIh5NPw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArY25mNU1DVnc5eHdPWlpt
a2RtMVRLa3BwRTJQbWIrREcrRGtSdHNsUnpvCkZQN1k0blBON1FLOG5SeFRRalc3
UTUvNVV6RXpxZmUzVGJlMEVkRzVqUFEKLS0tIHpNYWdaTkMycGp3WW9VNkYrUzZD
NmhOZldZa2lQVEFQQk8zNFI3dm1QaHcKdTuNNHPE/Co4Eg5KWfIFb47w4nt6n7K4
7gSrkobL+aZJTGZcEjwh6LsqmxoPbU0jyVk6Lb8cv2I71p1UcF32JA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-17T10:52:20Z"
mac: ENC[AES256_GCM,data:lxqZaTqs5d/b/iIZ7BbD2jYJq3fTIbFlbdwKbCAAiXJv8abxN6SjOKuecKEvkJ0Y7qf2e0Cl8lbRwSy5FJb9Wsl9O4LzF0KBu0lssnBtDuZujFldgxJSWB8kQ3vMsPQ+NbmRME3zdKazmuhEwS0h/O6L6KmnfHjtfnDpAjYD+MY=,iv:Xue3R2qGxiw5/hjr9dLiLqeKDTpnwAnx8v9M3qjz5EM=,tag:T67z1oCMoW/ApF6tFJL3dA==,type:str]
lastmodified: "2024-11-22T07:15:56Z"
mac: ENC[AES256_GCM,data:fJcdcoGiqkEPOyINmCjLf+PUc46pCkjZB8q8CE1vxpgLQg+SuaYRByVTuse1xHPVj/ytBiHFHk9btEFcf4F69IyMJl7abuIakTvJctkfs1Y1/lSiDvYBi8+S6n1Oloj63osRX0XKKIabju262zb7KsA6Vyxg9hSJI54dbVRkCqg=,iv:a0dHwBQbQJm1grg9S4T6VMg8177px0sc19GWvvUJYDs=,tag:T1CivleWWnijQQDm/3xP4A==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1
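Review bot: The old hk-00 recipient is dropped and both the retained recipient's `enc` block and the value ciphertexts change, which is consistent with the sops data key having been rotated rather than merely re-wrapped, so the replaced host key can no longer decrypt this file — the right outcome when a host key is retired. The `iv` on both values is unchanged, which suggests the WireGuard private key and address plaintexts themselves were kept; if the old host key was retired because it may have been exposed (rather than just reinstalled), the wg private key it could decrypt should be regenerated too, since rekeying the envelope does not invalidate the secret inside. Git history also retains the previous ciphertext addressed to the old recipient, which is normal for sops but worth keeping in mind when deciding whether the inner secret needs rotating.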


@ -0,0 +1,59 @@
sing-box:
password: ENC[AES256_GCM,data:YfMSwvgAu7wBEYCP9/L+FFVdd9dL1Ls3,iv:C9KlVngh74z/VjjOGxnlpA4CqFv7TCSD3KSm2l/xGB4=,tag:/94NFyVHzPIkqn+/NzKTHQ==,type:str]
uuid: ENC[AES256_GCM,data:bDjrhciE0lttJfdL8cvGSf7/gdMRu/Fid+q0yBUqEvWH5ZSm,iv:Oy/U1c2sW5a2eQQxXAEjqaE85xX5rFapz9k/DtcZR+w=,tag:s0HwGkhqvnCQkzfbTEHUWw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNc0ZvdUIzRXJhVVRuTWZ6
dkN5OTVDR0tWSXhBZEI1U2srLzJmSnMvOXk4ClhaWk15Wng5WHJPVmtNSTM2OHpF
ZWUrcXNKV21BZ05xMkRwcnFRVkFGd0EKLS0tIGQ1c3psYmV5YXZZR1N6WjZRQndH
TW5WeXVXS2ZtRklPbEs4S1BGYVFxSncKmwg7cINY6Vk8WCWdOEk8quBn67tiieiD
6bWyq+OQbDoAzwOdZ1Bt6q7YrTWSlrFjs8mk/YWUSFmn2g25grKABg==
-----END AGE ENCRYPTED FILE-----
- recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbUhaSXdmbXJmUGtHb1lr
Sk1GSGJUMHhNQ1lET2VleXlmcDBPd3NodlNNCmRWVUNQOExWVzI0VzR3Wk0vbkp5
NmV4NlUrbUxNbWdMNGNRdDdvbzhsSmsKLS0tIHgyVFI3REcySGRLai9lVTI2VWpn
enVSUjBoRHN3ekc2ci9oaUhqdnRiVHMKAS+KAsqqF/xm80mucgpHbky2Lw3k/kxH
iQGzhzMsNY3jY/nSARcRjWSRrugDtK5ou+rJySGCOov7U2AlulZl3A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBha21uc3dQZWZTQmp0Q0pT
WEk5cy9oUm1yN2FxdDU4THIySEk2SDJrMVd3CnZ6c2VneTMwRC8vUG5sM0s1SHNx
dm9mSDdhem1CdkpPQ0dpY2pSbzN0Nk0KLS0tIEpLVGtBSEsyMnpFSk81ekRhVU84
bTRzTS8wemRHNUJrZWJlc2l0bXFIN3MK8IB0DBkJdTU4evQO41hf/GKGvSm39bWd
CDKCn62RnWLEDlq3xRddqQnr4ogk/6D0lhxvbrN8obCq+Ev1wakAcg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKbEpyNkhrZ0lldU9Bc0lr
Q21ENWFOS0UwK1gzZ1A1SjFKUkRzUTNBV0gwCnBYY0dPakZnaVJWekdlS2hUaXIx
a3J2VjhCalVPMk5qcFkzekpYR0Y2WUEKLS0tIEhYQWUxZjIvTit4R0hHMDYxZXpu
amV1YmxraDRETmdmTmU3ekhQdGlOVjAKzJGI5WomWDMSLHeJZ8Rka4rRv6AEaYnp
NgYpsDF6uhB2a270xzGDHXOUjRFUMhYiz3p+tN/RSzt00Ks/q5SyPg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hrckkydr9yhnyw6qqqptz45yc9suszccu0nd53q2zhlksgy9pqaqmlsdmu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRWwwSTd6cGJpZXl6ZjZk
TlJySzdxNXlNMWdjVisrZEUxQWVuNXVqb1NBCklTSkVST092MURDL0JhT1dpWGR1
QzdJbXROM2ZIRjZUUG5FaFBUVUNHWTgKLS0tIHJycG8vUGJoOVNCcmxwVVlJQ0NO
NlBsZmpCODUwNThCc1RrUkNHMWdQeUUKRHsKHjCRmJ0L5W7Aw5LTf0jlulvBOt4u
IQWkyuw/5Co3cS9DHZ41zlFDKld/+jr1DFpATUSvSTFL+laNcwWwCQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-22T07:16:07Z"
mac: ENC[AES256_GCM,data:ldGU1of+oldDpdgGrlryUSsudUjk2FOKQ/4krY+5fOb07NRl0nvVgWBhVoHbY7JgdFO9EXxJfhLe/vkxjeQ6XxbZQkJFaXBY8MM4S8CPFdUwd2Ebr6e+aNvJR586LtZOfJ0cU8zr/DGm00zIaQParbzXPLq2fvahKgzqv84bM3Y=,iv:ZBzkMkkRRtJ9lIOdrG1fC0YayPZlT7Gsdos7ulFJjD0=,tag:3rSlPFWeVNfeyTIia0hU2w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -1,12 +1,10 @@
{
inputs,
pkgs,
...
}:
{
imports = [
inputs.sops-nix.nixosModules.sops
./hardware-configuration.nix
./networking.nix
./services.nix
@ -54,6 +52,10 @@
git
];
# Disable docs on servers
documentation.nixos.enable = false;
documentation.man.enable = false;
system.stateVersion = "22.11";
networking = {


@ -73,8 +73,8 @@
systems.oauth2 = {
forgejo = {
displayName = "ForgeJo";
originUrl = "https://git.xinyang.life/";
originLanding = "https://git.xinyang.life/user/oauth2/kandim";
originUrl = "https://git.xinyang.life/user/oauth2/kanidm/callback";
originLanding = "https://git.xinyang.life/user/oauth2/kanidm";
allowInsecureClientDisablePkce = true;
scopeMaps = {
forgejo-access = [
@ -96,8 +96,8 @@
};
gts = {
displayName = "GoToSocial";
originUrl = "https://xinyang.life/";
originLanding = "https://xinyang.life/";
originUrl = "https://xinyang.life/auth/callback";
originLanding = "https://xinyang.life/auth/callback";
allowInsecureClientDisablePkce = true;
scopeMaps = {
gts-users = [
@ -133,7 +133,7 @@
hedgedoc = {
displayName = "HedgeDoc";
originUrl = "https://docs.xinyang.life/";
originUrl = "https://docs.xinyang.life/auth/oauth2/callback";
originLanding = "https://docs.xinyang.life/auth/oauth2";
allowInsecureClientDisablePkce = true;
scopeMaps = {
@ -147,9 +147,9 @@
immich = {
displayName = "Immich";
originUrl = [
"https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"
"https://immich.xinyang.life:8000/auth/login/"
"https://immich.xinyang.life:8000/user-settings/"
"https://immich.xinyang.life:8000/api/oauth/mobile-redirect"
"https://immich.xinyang.life:8000/auth/login"
"https://immich.xinyang.life:8000/user-settings"
];
originLanding = "https://immich.xinyang.life:8000/auth/login?autoLaunch=0";
allowInsecureClientDisablePkce = true;
@ -163,8 +163,9 @@
};
miniflux = {
displayName = "Miniflux";
originUrl = "https://rss.xinyang.life/";
originLanding = "https://rss.xinyang.life/";
originUrl = "https://rss.xinyang.life/oauth2/oidc/callback";
originLanding = "https://rss.xinyang.life/oauth2/oidc/redirect";
scopeMaps = {
miniflux-users = [
"openid"
@ -175,7 +176,7 @@
};
grafana = {
displayName = "Grafana";
originUrl = "https://grafana.xinyang.life/";
originUrl = "https://grafana.xinyang.life/login/generic_oauth";
originLanding = "https://grafana.xinyang.life/";
scopeMaps = {
grafana-users = [
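Review bot: `originLanding` for `gts` (line 1651) now points at the OAuth callback path instead of a landing page; a callback endpoint normally expects a `code`/`state` pair from the provider, so launching it from Kanidm's application list may not start a login — `originLanding = "https://xinyang.life/";`, as the other clients do, looks like what was intended, but please confirm against the GoToSocial flow. Registering exact callback URLs (lines 1639, 1650, 1659, 1670–1672, 1682, 1692) is the right tightening; the remaining loosening is `allowInsecureClientDisablePkce = true` on forgejo, gts, hedgedoc and immich (lines 1641, 1652, 1661, 1675), and a one-line comment on each stating that the client lacks PKCE support would document why the flag stays. The `systems.oauth2` attribute set extends beyond the last hunk.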


@ -101,7 +101,6 @@ in
services.matrix-conduit = {
enable = true;
# package = inputs.conduit.packages.${pkgs.system}.default;
package = pkgs.matrix-conduit;
settings.global = {
server_name = "xinyang.life";

machines/osmium/default.nix Normal file

@ -0,0 +1,111 @@
{
pkgs,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/sd-card/sd-image.nix")
./sd-image-aarch64-orangepi-r1plus.nix
];
config = {
system.stateVersion = "24.05";
nixpkgs.system = "aarch64-linux";
boot.tmp.useTmpfs = false;
boot.kernelModules = [
"br_netfilter"
"bridge"
];
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv4.ip_nonlocal_bind" = 1;
"net.ipv6.conf.all.forwarding" = 1;
"net.ipv6.ip_nonlocal_bind" = 1;
"net.bridge.bridge-nf-call-ip6tables" = 1;
"net.bridge.bridge-nf-call-iptables" = 1;
"net.bridge.bridge-nf-call-arptables" = 1;
"fs.inotify.max_user_watches" = 524288;
"dev.i915.perf_stream_paranoid" = 0;
"net.ipv4.conf.all.rp_filter" = 0;
"vm.max_map_count" = 2000000;
"net.ipv4.conf.all.route_localnet" = 1;
"net.ipv4.conf.all.send_redirects" = 0;
"kernel.msgmnb" = 65536;
"kernel.msgmax" = 65536;
"net.ipv4.tcp_timestamps" = 0;
"net.ipv4.tcp_synack_retries" = 1;
"net.ipv4.tcp_syn_retries" = 1;
"net.ipv4.tcp_tw_recycle" = 1;
"net.ipv4.tcp_tw_reuse" = 1;
"net.ipv4.tcp_fin_timeout" = 15;
"net.ipv4.tcp_keepalive_time" = 1800;
"net.ipv4.tcp_keepalive_probes" = 3;
"net.ipv4.tcp_keepalive_intvl" = 15;
"net.ipv4.ip_local_port_range" = "2048 65535";
"fs.file-max" = 102400;
"net.ipv4.tcp_max_tw_buckets" = 180000;
};
commonSettings = {
nix.enableMirrors = true;
auth.enable = true;
};
documentation.enable = false;
time.timeZone = "Asia/Shanghai";
i18n = {
defaultLocale = "en_US.UTF-8";
};
environment.systemPackages = with pkgs; [
lsof
wget
curl
neovim
jq
iptables
ebtables
tcpdump
busybox
ethtool
socat
htop
iftop
lm_sensors
];
programs.command-not-found.enable = false;
networking = {
useDHCP = false;
hostName = "osmium";
};
systemd.network = {
enable = true;
networks."lan" = {
matchConfig.Name = "enu1";
networkConfig.DHCP = "no";
linkConfig.RequiredForOnline = "no";
};
networks."wan" = {
matchConfig.Name = "end0";
networkConfig.DHCP = "yes";
linkConfig.RequiredForOnline = "yes";
};
};
services.dae = {
enable = true;
configFile = "/var/lib/dae/config.dae";
};
services.tailscale.enable = true;
};
}
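Review bot: Several keys in `boot.kernel.sysctl` (lines 1731–1759) do not fit this board: `net.ipv4.tcp_tw_recycle` was removed from the Linux kernel in 4.12 and the companion sd-image file selects `linuxPackages_latest`, so that key will only produce an apply error at boot, and `dev.i915.perf_stream_paranoid` is an Intel GPU knob with no meaning on an RK3328. The list also weakens host protections on a box that sets `net.ipv4.ip_forward = 1`: `net.ipv4.conf.all.rp_filter = 0` disables reverse-path (anti-spoofing) filtering and `net.ipv4.conf.all.route_localnet = 1` allows 127.0.0.0/8 to be routed; if the dae tunnel needs them, a comment next to each saying so keeps the next reader from "fixing" them, otherwise drop them together with the two dead keys. `services.dae.configFile = "/var/lib/dae/config.dae"` (line 1805) lives outside the store, so this host's proxy configuration is not reproducible from the repo — a comment on how that file is provisioned would help.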


@ -0,0 +1,44 @@
{
config,
modulesPath,
lib,
pkgs,
...
}:
let
in
{
imports = [
(modulesPath + "/profiles/base.nix")
];
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = [
"earlycon"
"console=ttyS2,1500000"
"consoleblank=0"
];
boot.supportedFilesystems = lib.mkForce [
"ext4"
"vfat"
"ntfs"
];
sdImage = {
compressImage = false;
imageBaseName = "nixos-sd-image-orange-pi-r1-plus-lts";
firmwarePartitionOffset = 16;
populateFirmwareCommands = ''
echo "Install U-Boot: ${pkgs.ubootOrangePiR1LtsPackage}"
dd if=${pkgs.ubootOrangePiR1LtsPackage}/idbloader.img of=$img seek=64 conv=notrunc
dd if=${pkgs.ubootOrangePiR1LtsPackage}/u-boot.itb of=$img seek=16384 conv=notrunc
'';
populateRootCommands = ''
mkdir -p ./files/boot
${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot
'';
};
}
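Review bot: The `let in` at lines 1821–1822 binds nothing and can be dropped, leaving the attribute set at line 1823 as the module body. In `populateFirmwareCommands` (lines 1846–1847) `$img` is interpolated unquoted into the two `dd` invocations; the sd-image builder supplies that variable, so it works, but `of="$img"` is the defensive spelling and costs nothing.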


@ -4,8 +4,9 @@ autofs-nas-secret: ENC[AES256_GCM,data:gbOizRZAvh79HlJWIWeKTk79Ux311XGL1eIswc0P2
github_public_token: ENC[AES256_GCM,data:6Gt+oJcCRHeoLK7CRndMMbszTXSEbnN0nQzsVOnl/+zB4hxbEPD5k/vkkl+cZ/qmxdxFXV0OOsYvktn44Yv1DMUE3mkB0hcAdoyPwLuYM7W3RpOoW3OktH8DRCUi6msvFp3ykpdmIl9WyjVhc/lMwTaYJQyRh1ue,iv:PJSFtJBelyc3rzd6hqjMp+ciU2Q3FTOEXsiq5F2KKTY=,tag:Y/stRg6kwyjjIFZCXS/peg==,type:str]
singbox_sg_server: ENC[AES256_GCM,data:SF2ja6W4TwThwoug5x2KTA==,iv:Vx9wNTdVHkReux4YeQY+0VkC1Wqg/CRkY7frVY/3e50=,tag:7XA9KSoR0GA6FoYRhCv4BQ==,type:str]
singbox_jp_server: ENC[AES256_GCM,data:S3Bs5yVMzyz6vD51GYElOM5h,iv:nXetY339YuOi2jFEb3xkPTglHRMk/quIrQL4ko+8MxY=,tag:o9d55cZuWmX4NDYexWjvYQ==,type:str]
singbox_password: ENC[AES256_GCM,data:bZ50/gG53D9fyGnQ7ky8VRdNEDhGjbFD,iv:W2HaHeSkvmS6jHSnfOJ6tD2QXuUq1A+mfZf7sEXB++E=,tag:nbr2zNCs3RAr/uidkp08ng==,type:str]
singbox_uuid: ENC[AES256_GCM,data:gYppcUvF5Aj4mBQTMy56kb9JazUM6SeiYLspqiZjbTkPOhhk,iv:+uwt/N9LpFaJK6MjoczyrZ039MDZn4kRmtEoq4OvdFU=,tag:IiBZRfFpjKB/swmJNjodyA==,type:str]
sing-box:
password: ENC[AES256_GCM,data:xyqmoJEDI5959zHPTVelln/iThtoeDwS,iv:rLyqJsE/4JDf08RlMLLPh+MKJkba9bL0z8jx6bTEfgc=,tag:cgLHdeLIyPvLhRNaVcQ0TQ==,type:str]
uuid: ENC[AES256_GCM,data:lWBCM5wyz6BcUUHdvynkn5y166Kk15jO0EhWUDuhXXhrve5l,iv:RmDJYFnYqIEIShLn25sf4h8AO2E3+3Xa2U9Mff+Xk2w=,tag:SN0DUdwZXKO/VEnozrr5mA==,type:str]
grafana_cloud_api: ENC[AES256_GCM,data:eEvPAwtThK1FMhbrnmSo89+GlWZAF+LQRMLXA2C6f1vR7ZPlXJZGWzjYwDcPlnpiC737/cG14M4kZqvPGBuNub5A83rBS/+FeebvGDIF59L5PC1Ys1jWBB9YRI/L9EU0tvwTTUCvLRA9j28n7Jw7wR6mWXm63XA+OMu8/UbTwbeV/WUQn8vnwqadSUdCnNKJXMsAY+q9t/st0DPm5+aNxA==,iv:cHvbeCmLFmJPNKsl1BBYx9WJP7ZJWi+8c9yHZWc6FTs=,tag:87C+0FVvzDIowE0+QpY1zA==,type:str]
private_dns_address: ENC[AES256_GCM,data:YJxNOH4hsZHResvANEqJRTANhnL4PLp/Pmi/PhgtSTbTKiJKPqudhTEkNg==,iv:8+qG5rQXAKfrykEjt9qrbtyNaBuKvi7EaIWouRqEipY=,tag:VH0w5ZbXcWFGZ9GLavm7/w==,type:str]
sops:
@ -86,8 +87,8 @@ sops:
NzA1cy80ZW5vUFplQzVMZ0txSmVkMUEKFUvgmJNdo9sV33gOx7LVUSCYvIqCNwaP
u+XoWTfg4kp9f4KVTy/8huPsVLhZBUaf6jI10mV2z4QwaLHje4JiHw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-17T12:19:12Z"
mac: ENC[AES256_GCM,data:3Z22GxxDjR2FVZ7VnFY/QhQ1i//1WC93GIwK4d51i13OWmcb71UPmmA6O/HlvLdP6goFCj95eRMUEiiVcdKagt1ca6HsDd6bkOEXwdl//fgOHUsgx5SNtA4kVJwK2bJuUvG72aOiLq89qvNprMLslJ47YqS9WM3rudk3Wp/P+og=,iv:GMN806nsrQg0+ZS0AReamzVv2FrLGELfA6x3RLNE/II=,tag:j2Bq9xYETCSL13zHx1BztA==,type:str]
lastmodified: "2024-11-22T05:48:59Z"
mac: ENC[AES256_GCM,data:In/gSIYnXKbbv1lzS/nmSESCHBcBv/TtkvhzdNiIn73N4kP9aJ+1JE8Npix8zNItzk46DX+nHBk8Kwgl6uq26YtL+sMTBKh5K8Ny0H8ivlgS+olXswv3Y9h1cYD7FBHUKzbMuiJd0ppjC0ZIn20rRpb4d57rwUbvY0KstyQW4JA=,iv:DcdTAimbXXpKhhiB9rriS75+XGNOCcScqi/804+Xx6g=,tag:NHW+UViRmbUDHb0gTd9TDg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0
version: 3.9.1


@ -1,11 +1,9 @@
{
inputs,
config,
lib,
...
}:
{
imports = [ inputs.sops-nix.nixosModules.sops ];
config = {
sops = {
defaultSopsFile = ./secrets.yaml;
@ -21,12 +19,6 @@
singbox_jp_server = {
owner = "root";
};
singbox_password = {
owner = "root";
};
singbox_uuid = {
owner = "root";
};
private_dns_address = {
owner = "root";
};
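Review bot: This hunk removes the `singbox_password` and `singbox_uuid` secret declarations (lines 1901–1906), but the proxy-server module added in the same change reads `config.sops.secrets."sing-box/uuid".path` and `config.sops.secrets."sing-box/password".path`; unless those nested keys are declared in a part of this file outside the hunk, evaluation fails on any host that enables `commonSettings.proxyServer`. If they are declared elsewhere, a one-line comment here pointing to that place would save the next reader the search. The `sops` attribute set continues past the end of the hunk.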


@ -1,14 +1,13 @@
{
inputs,
config,
pkgs,
lib,
modulesPath,
...
}:
{
imports = [
inputs.sops-nix.nixosModules.sops
(modulesPath + "/profiles/qemu-guest.nix")
./services
];
@ -150,6 +149,15 @@
permitCertUid = "caddy";
};
services.tailscale.derper = {
enable = true;
domain = "derper00.namely.icu";
openFirewall = true;
verifyClients = true;
};
# tailscale derper module use nginx for reverse proxy
services.nginx.enable = lib.mkForce false;
services.caddy = {
enable = true;
package = pkgs.caddy.withPlugins {
@ -165,6 +173,9 @@
];
vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";
};
virtualHosts."derper00.namely.icu:8443".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
'';
virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
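Review bot: `services.tailscale.derper` (lines 1931–1936) sets `openFirewall = true` while the relay is also fronted by the Caddy vhost on `:8443` (lines 1946–1948); `openFirewall` opens whatever ports the derper module itself exposes (at least its STUN UDP port), so the relay is reachable both directly and through Caddy. If Caddy is meant to be the only TLS terminator, either set `openFirewall = false;` and add an explicit `allowedUDPPorts` entry for STUN, or leave a comment stating which ports are intended to be open so the exposure is deliberate. `verifyClients = true` relies on the local tailscaled to vet clients; this hunk does not show `services.tailscale.enable`, so please confirm it is set on this host. The enclosing module continues outside the hunk.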


@ -2,5 +2,6 @@
imports = [
./ocis.nix
./restic.nix
./media-download.nix
];
}


@ -0,0 +1,6 @@
{
services.jackett = {
enable = true;
openFirewall = false;
};
}
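Review bot: Jackett's web UI has no admin password unless one is set in its own settings, so the only thing keeping it private here is `openFirewall = false` (line 1969). A comment stating the intended access path — local only, or via a tailnet-only vhost like the `weilite.coho-tet.ts.net` one used for Immich elsewhere in this change — documents that reliance, e.g. `# UI is unauthenticated; keep it off the public firewall and reach it over the tailnet only`.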


@ -21,7 +21,7 @@ in
"alacritty-zellij"
];
};
font.size = 10.0;
font.size = 12.0;
window = {
resize_increments = true;
dynamic_padding = true;



@ -1,7 +1,20 @@
{ config, lib, ... }:
let
inherit (lib) mkOption types;
cfg = config.custom-hm.gui;
in
{
imports = [
./niri.nix
./fuzzel.nix
./gtklock.nix
./waybar.nix
];
options.custom-hm.gui = {
wallpaper = mkOption {
type = types.path;
default = ./bwmountains.jpg;
};
};
}
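Review bot: The new `wallpaper` option (lines 2007–2010) has no `description`, so it appears undocumented in generated option listings; `description = "Wallpaper image shared by the swaybg and gtklock configuration.";` fits, since both of those modules read `config.custom-hm.gui.wallpaper` in this change. `types.path` with the relative default `./bwmountains.jpg` copies the image (presumably the 655 KiB binary added in this change) into the store on every evaluation, which is fine at that size but worth a comment so nobody swaps in a large file without noticing.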


@ -1,4 +1,9 @@
{ config, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.custom-hm.gui.fuzzel;
@ -9,6 +14,28 @@ in
};
config = mkIf cfg.enable {
programs.fuzzel.enable = true;
programs.fuzzel = {
enable = true;
settings = {
main = {
fields = "filename,name,exec,generic";
y-margin = 30;
width = 40;
font = "Ubuntu";
use-bold = true;
line-height = 30;
};
};
};
home.packages = with pkgs; [
networkmanager_dmenu
networkmanagerapplet
];
xdg.configFile."networkmanager-dmenu/config.ini".text = ''
[dmenu]
dmenu_command = fuzzel --dmenu
wifi_chars =
wifi_icons = 󰤯󰤟󰤢󰤥󰤨
'';
};
}


@ -0,0 +1,128 @@
# modified from https://github.com/isabelroses/dotfiles/blob/2fd4d2d0cb8254cad5ce4b089d81114e1b88ad02/modules/extra/home-manager/gtklock.nix
{
lib,
pkgs,
config,
...
}:
let
cfg = config.custom-hm.gui.gtklock;
inherit (lib.modules) mkIf;
inherit (lib.options)
mkOption
mkEnableOption
mkPackageOption
literalExpression
;
inherit (lib.strings) optionalString concatStringsSep;
inherit (lib.lists) optionals;
inherit (lib.types)
oneOf
str
path
listOf
either
package
nullOr
attrs
;
inherit (lib.generators) toINI;
# the main config includes two very niche options: style (which takes a path) and modules, which takes a list of module paths
# concatted by ";"
# for type checking purposes, I prefer templating the main section of the config and let the user safely choose options
# extraConfig takes an attrset, and converts it to the correct INI format - it's mostly just strings and integers, so that's fine
baseConfig = ''
[main]
${optionalString (cfg.config.gtk-theme != "") "gtk-theme=${cfg.config.gtk-theme}"}
${optionalString (cfg.config.style != "") "style=${cfg.config.style}"}
${optionalString (cfg.config.modules != [ ]) "modules=${concatStringsSep ";" cfg.config.modules}"}
'';
finalConfig = baseConfig + optionals (cfg.extraConfig != null) (toINI { } cfg.extraConfig);
in
{
options.custom-hm.gui.gtklock = {
enable = mkEnableOption "GTK-based lockscreen for Wayland";
package = mkPackageOption pkgs "gtklock" { };
config = {
gtk-theme = mkOption {
type = str;
default = "";
description = ''
GTK theme to use for gtklock.
'';
example = "Adwaita-dark";
};
style = mkOption {
type = oneOf [
str
path
];
default = pkgs.writeText "gtklock-style.css" ''
window {
background-image: url("${config.custom-hm.gui.wallpaper}");
background-size: cover;
background-repeat: no-repeat;
background-position: center;
}
'';
description = ''
The css file to be used for gtklock.
'';
example = literalExpression ''
pkgs.writeText "gtklock-style.css" '''
window {
background-size: cover;
background-repeat: no-repeat;
background-position: center;
}
'''
'';
};
modules = mkOption {
type = listOf (either package str);
default = [
# "${pkgs.gtklock-playerctl-module.outPath}/lib/gtklock/playerctl-module.so"
];
description = ''
A list of gtklock modulesto use. Can either be packages, absolute paths, or strings.
'';
example = literalExpression ''
[
"${pkgs.gtklock-powerbar-module.outPath}/lib/gtklock/powerbar-module.so"
"${pkgs.gtklock-playerctl-module.outPath}/lib/gtklock/playerctl-module.so"
];
'';
};
};
extraConfig = mkOption {
type = nullOr attrs;
default =
{
};
description = ''
Extra configuration to append to gtklock configuration file.
Mostly used for appending module configurations.
'';
example = literalExpression ''
countdown = {
countdown-position = "top-right";
justify = "right";
countdown = 20;
}
'';
};
};
config = mkIf cfg.enable {
home.packages = [ cfg.package ];
xdg.configFile."gtklock/config.ini".source = pkgs.writeText "gtklock-config.ini" finalConfig;
};
}
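Review bot: `finalConfig` (line 2099) uses `optionals`, which returns a list when its condition is false, so `baseConfig + optionals false …` fails with a string/list coercion error as soon as `extraConfig` is set to `null`; it only works today because the default `{ }` keeps the condition true. Use the string helper already inherited on line 2076: `finalConfig = baseConfig + optionalString (cfg.extraConfig != null) (toINI { } cfg.extraConfig);` and drop the then-unused `optionals` inherit on line 2077. The `modules` description (line 2146) reads "modulesto use" — missing space.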


@ -5,38 +5,52 @@
...
}:
let
inherit (lib) mkIf mkEnableOption;
inherit (lib) mkIf mkEnableOption getExe;
cfg = config.custom-hm.gui.niri;
wallpaper = pkgs.fetchurl {
url = "https://github.com/NixOS/nixos-artwork/blob/master/wallpapers/nixos-wallpaper-catppuccin-mocha.png?raw=true";
hash = "sha256-fmKFYw2gYAYFjOv4lr8IkXPtZfE1+88yKQ4vjEcax1s=";
};
wallpaper = config.custom-hm.gui.wallpaper;
xwayland-satellite = pkgs.xwayland-satellite.overrideAttrs (drv: rec {
src = pkgs.fetchFromGitHub {
owner = "Supreeeme";
repo = "xwayland-satellite";
rev = "3e6f892d20d918479e67d1e6c90c4be824a9d4ab";
hash = "sha256-W1UUok7DPi4IXCYtc273FbVH1ifuCIcl+oO6CDqt8Dk=";
};
cargoDeps = drv.cargoDeps.overrideAttrs (
lib.const {
name = "xwayland-satellite-vendor.tar.gz";
inherit src;
outputHash = "sha256-/nK4cVgelaMtpym18RYNafPUFnMOG4uHRpVO8bOS3ow=";
}
);
});
in
{
imports = [
./themes.nix
];
options.custom-hm.gui.niri = {
enable = mkEnableOption "niri";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [
xwayland-satellite
cosmic-files
];
home.pointerCursor = {
name = "Bibata-Modern-Ice";
size = 24;
package = pkgs.bibata-cursors;
gtk.enable = true;
};
gtk = {
enable = true;
theme = {
name = "Catppuccin-GTK-Dark";
package = pkgs.magnetic-catppuccin-gtk;
systemd.user.services.xwayland-satellite = {
Install = {
WantedBy = [ "graphical-session.target" ];
};
Unit = {
PartOf = [ "graphical-session.target" ];
After = [ "graphical-session.target" ];
};
Service = {
ExecStart = "${xwayland-satellite}/bin/xwayland-satellite";
Restart = "on-failure";
};
gtk2.configLocation = "${config.xdg.configHome}/gtk-2.0/gtkrc";
};
services.network-manager-applet.enable = true;
systemd.user.services.swaybg = {
Install = {
@ -52,12 +66,14 @@ in
};
};
programs.swaylock = {
services.swaync = {
enable = true;
settings = {
show-failed-attempts = true;
daemonize = true;
scaling = "fill";
};
custom-hm.gui.gtklock = {
enable = true;
config = {
gtk-theme = "Catppuccin-GTK-Dark";
};
};
@ -68,14 +84,18 @@ in
enable = true;
timeouts = [
{
timeout = 900;
command = "/run/current-system/systemd/bin/systemctl suspend";
timeout = 600;
command = ''[ "$(${pkgs.tlp}/bin/tlp-stat -m)" == "battery" ] && /run/current-system/systemd/bin/systemctl suspend'';
}
{
timeout = 1200;
command = ''${getExe pkgs.niri} msg action power-off-monitors'';
}
];
events = [
{
event = "lock";
command = "${pkgs.swaylock}/bin/swaylock";
command = "${getExe pkgs.gtklock}";
}
{
event = "before-sleep";
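Review bot: The swayidle lock event (line 2285) hardcodes `getExe pkgs.gtklock` while the module enabled at lines 2261–2266 exposes `custom-hm.gui.gtklock.package`; `command = getExe config.custom-hm.gui.gtklock.package;` keeps the two in step if the package is ever overridden. The battery check at line 2274 uses `==` inside `[ ]`, which is a bash extension; swayidle runs the command through `sh -c`, so the POSIX form `= "battery"` is the safer spelling. The `services.swayidle` block continues past the end of the hunk.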


@ -0,0 +1,19 @@
{ config, pkgs, ... }:
{
config = {
home.pointerCursor = {
name = "Bibata-Modern-Ice";
size = 24;
package = pkgs.bibata-cursors;
gtk.enable = true;
};
gtk = {
enable = true;
theme = {
name = "Catppuccin-GTK-Dark";
package = pkgs.magnetic-catppuccin-gtk;
};
gtk2.configLocation = "${config.xdg.configHome}/gtk-2.0/gtkrc";
};
};
}


@ -49,7 +49,8 @@ window#waybar {
#network,
#backlight,
#battery,
#tray {
#tray,
#custom-notification {
margin-right: 15px;
}
#clock {


@ -57,6 +57,8 @@ in
"battery"
"custom/separator"
"tray"
"custom/separator"
"custom/notification"
];
"niri/workspaces" = {
all-outputs = true;
@ -158,16 +160,30 @@ in
icon-size = 18;
spacing = 14;
};
"custom/notification" = {
escape = true;
exec = "swaync-client -swb";
exec-if = "which swaync-client";
format = "{icon}";
format-icons = {
dnd-inhibited-none = "";
dnd-inhibited-notification = "<span foreground='red'><sup></sup></span>";
dnd-none = "";
dnd-notification = "<span foreground='red'><sup></sup></span>";
inhibited-none = "";
inhibited-notification = "<span foreground='red'><sup></sup></span>";
none = "";
notification = "<span foreground='red'><sup></sup></span>";
};
on-click = "swaync-client -t -sw";
on-click-right = "swaync-client -d -sw";
return-type = "json";
tooltip = false;
};
};
};
systemd.enable = true;
};
systemd.user.targets.tray = {
Unit = {
Description = "Home Manager System Tray";
Requires = [ "graphical-session-pre.target" ];
};
};
};
}
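Review bot: The `custom/notification` module (lines 2341–2360) calls `swaync-client` by bare name in `exec`, `exec-if`, `on-click` and `on-click-right`, so it depends on waybar's runtime `PATH`; with `systemd.enable = true` (line 2363) waybar is started from a user service whose `PATH` may not include the profile that installs swaync. Referencing the store path instead, e.g. `exec = "${lib.getExe' pkgs.swaynotificationcenter "swaync-client"} -swb";` (assuming `pkgs` and `lib` are among this module's arguments, which the hunk does not show), removes that dependency and makes `exec-if` unnecessary.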


@ -5,9 +5,29 @@
...
}:
let
inherit (lib) mkIf mkEnableOption getExe;
inherit (lib)
mkIf
mkEnableOption
getExe
types
attrsets
;
cfg = config.custom-hm.neovim;
tomlFormat = pkgs.formats.toml { };
fontItem =
with types;
either str (submodule {
options = {
family = {
type = str;
};
style = {
type = nullOr str;
default = null;
};
};
});
fontType = types.either fontItem (types.listOf fontItem);
neovideConfig = {
neovim-bin = getExe pkgs.nixvim;
fork = true;
@ -17,6 +37,78 @@ in
{
options.custom-hm.neovim = {
enable = mkEnableOption "neovim configurations";
font = {
# Required options
normal = lib.mkOption {
type = fontType;
description = ''
The normal font description. Can be:
- A table with "family" (required) and "style" (optional).
- A string indicating the font family.
- An array of strings or tables as described above.
'';
};
size = lib.mkOption {
type = lib.types.float;
description = "Required font size.";
};
# Optional options
bold = lib.mkOption {
type = types.nullOr fontType;
default = null;
description = ''
Optional bold font description. Can be:
- A table with "family" (optional) and "style" (optional).
- A string indicating the font family.
- An array of strings or tables as described above.
'';
};
italic = lib.mkOption {
type = types.nullOr fontType;
default = null;
description = "Optional italic font description.";
};
bold_italic = lib.mkOption {
type = types.nullOr fontType;
default = null;
description = "Optional bold-italic font description.";
};
features = lib.mkOption {
type = types.nullOr (lib.types.attrsOf (lib.types.listOf lib.types.str));
default = { };
description = ''
Optional font features. A table where the key is the font family and
the value is a list of font features. Each feature can be:
- +<feature> (e.g., +ss01)
- -<feature> (e.g., -calt)
- <feature>=<value> (e.g., ss02=2)
'';
};
width = lib.mkOption {
type = types.nullOr types.float;
default = null;
description = "Optional font width.";
};
hinting = lib.mkOption {
type = types.nullOr types.str;
default = null;
description = "Optional font hinting (none, slight, medium, full).";
};
edging = lib.mkOption {
type = types.nullOr types.str;
default = null;
description = "Optional font edging (none, antialiased, subpixel).";
};
};
};
config = mkIf cfg.enable {
home.packages = with pkgs; [
@ -25,7 +117,12 @@ in
];
programs.neovim.enable = false;
home.file.".config/neovide/config.toml" = {
source = tomlFormat.generate "neovide-config" neovideConfig;
source = tomlFormat.generate "neovide-config" (
neovideConfig
// (attrsets.filterAttrsRecursive (n: v: v != null) {
font = cfg.font;
})
);
};
};
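Review bot: The `fontItem` submodule (lines 2392–2402) declares `family` and `style` as plain attribute sets rather than options, so the module system rejects any table-form font value (`{ family = …; }`) when it tries to merge it; the `str` branch of `either` hides this until someone passes a table. Declare them as options: `family = lib.mkOption { type = str; };` and `style = lib.mkOption { type = nullOr str; default = null; };`. The `features` option (lines 2447–2457) is typed `nullOr (attrsOf …)` but defaults to `{ }`, so it survives the `v != null` filter at line 2484 and an empty `[font.features]` table lands in the generated TOML; `default = null;` would match the other optional fields.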
}


@ -1,5 +1,4 @@
{
inputs,
config,
lib,
pkgs,
@ -16,7 +15,7 @@ let
nixd
nixpkgs-fmt
];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
extension = with pkgs.vscode-marketplace; [
jnoortheen.nix-ide
];
settings = {
@ -30,13 +29,16 @@ let
clang-tools
cmake-format
];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
llvm-vs-code-extensions.vscode-clangd
(ms-vscode.cmake-tools.overrideAttrs (_: {
sourceRoot = "extension";
}))
twxs.cmake
] ++ (with pkgs.vscode-extensions; [ ms-vscode.cpptools ]);
extension =
with pkgs.vscode-marketplace;
[
llvm-vs-code-extensions.vscode-clangd
(ms-vscode.cmake-tools.overrideAttrs (_: {
sourceRoot = "extension";
}))
twxs.cmake
]
++ (with pkgs.vscode-extensions; [ ms-vscode.cpptools ]);
settings = {
"cmake.configureOnEdit" = false;
"cmake.showOptionsMovedNotification" = false;
@ -50,7 +52,7 @@ let
};
pythonPackages = {
systemPackages = with pkgs; [ ];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
extension = with pkgs.vscode-marketplace; [
ms-python.python
];
settings = { };
@ -60,7 +62,7 @@ let
coursier
metals
];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
extension = with pkgs.vscode-marketplace; [
scala-lang.scala
scalameta.metals
];
@ -68,7 +70,7 @@ let
};
latexPackages = {
systemPackages = with pkgs; [ texliveSmall ];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
extension = with pkgs.vscode-marketplace; [
james-yu.latex-workshop
];
settings = {
@ -184,7 +186,7 @@ in
mutableExtensionsDir = false;
extensions = lib.mkMerge (
[
(with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
(with pkgs.vscode-marketplace; [
mkhl.direnv
ms-azuretools.vscode-docker


@ -0,0 +1,96 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.xdg.autoStart;
inherit (lib) hm types;
in
{
options.xdg.autoStart = {
packages = lib.mkOption {
description = ''
List of packages which should be autostarted.
This module tries to select the packages default desktop file,
which is either described by its .desktopItem attribute
or by its first entry of its .desktopItems attribute.
Users who want to specifically select a certain desktop file
or who want to write their own
can make use of the {option}`xdg.autoStart.desktopItems` option.
'';
type = types.listOf types.package;
default = [ ];
example = lib.literalExpression ''
with pkgs; [
pkgs.trilium-desktop
]
'';
};
desktopItems = lib.mkOption {
description = ''
List of desktop files which should be autostarted.
Users should prefer to use {option}`xdg.autoStart.packages`
and only use this option in case
they want to specifically
select a packages desktop item
or want to create their own desktop item.
Be warned, this may shadow entries of {option}`xdg.autoStart.packages`.
'';
type = types.attrsOf (types.unspecified); # TODO replace unspecified
default = { };
# TODO improve example, take one where it would make sense to use this option
example = lib.literalExpression ''
{
discord = pkgs.discord.desktopItem
firefox-custom = makeDesktopItem {
exec = "firefox -P custom";
};
}
'';
};
};
config =
let
# helpers
retrieveDesktopItem = (
pkg:
if pkg ? desktopItem then
pkg.desktopItem
else if pkg ? desktopItems && pkg.desktopItems != [ ] then
builtins.head pkg.desktopItems
else
abort "package '${pkg.pname}' is missing a desktop file"
);
emulateDesktopItem = (pkg: lib.nameValuePair pkg.pname (retrieveDesktopItem pkg));
embedDesktopItem = (
name: deskItem:
lib.nameValuePair "autostart/${name}.desktop" {
source = "${deskItem}/share/applications/${deskItem.name}";
}
);
# parse opts
desktopItemsPackages = builtins.listToAttrs (map emulateDesktopItem cfg.packages);
desktopItems = desktopItemsPackages // cfg.desktopItems;
in
{
assertions = [
(hm.assertions.assertPlatform "xdg.autoStart" pkgs lib.platforms.linux)
];
xdg.configFile = lib.attrsets.mapAttrs' embedDesktopItem desktopItems;
};
}
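Review bot: The `desktopItems` example (lines 2616–2621) is missing the `;` after `pkgs.discord.desktopItem`, so the snippet does not parse if copied, and the `makeDesktopItem` call there lacks the `name` and `desktopName` attributes it requires — the TODO on line 2614 already hints the example needs reworking. `types.unspecified` on line 2612 disables type checking and merging for the option; since `retrieveDesktopItem` and the example both produce derivations, `type = types.attrsOf types.package;` would be the accurate type. `emulateDesktopItem` (line 2637) and the `abort` message on line 2635 both read `pkg.pname`, which not every package defines; `lib.getName pkg` is the usual fallback.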


@ -26,7 +26,7 @@ in
bind "Ctrl l" { MoveFocusOrTab "Right"; }
bind "Ctrl j" { MoveFocus "Down"; }
bind "Ctrl k" { MoveFocus "Up"; }
unbind "Alt h" "Alt l" "Alt j" "Alt k"
unbind "Alt h" "Alt l" "Alt j" "Alt k" "Alt f"
}
unbind "Ctrl p" "Ctrl n"
}


@ -0,0 +1,152 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.commonSettings.proxyServer;
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path =
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
mkSingConfig =
{ uuid, password, ... }:
{
inbounds =
[
{
tag = "sg0";
type = "trojan";
listen = "::";
listen_port = 8080;
users = [
{
name = "proxy";
password = {
_secret = password;
};
}
];
tls = singTls;
}
]
++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310);
type = "tuic";
listen = "::";
listen_port = port;
congestion_control = "bbr";
users = [
{
name = "proxy";
uuid = {
_secret = uuid;
};
password = {
_secret = password;
};
}
];
tls = singTls;
});
outbounds = [
{
type = "wireguard";
tag = "wg-out";
private_key = {
_secret = config.sops.secrets.wg_private_key.path;
};
local_address = [
"172.16.0.2/32"
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
];
peers = [
{
public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1";
server_port = 500;
}
];
}
{
type = "direct";
tag = "direct";
}
];
route = {
rules = [
{
inbound = "sg0";
outbound = "direct";
}
{
inbound = "sg4";
outbound = "direct";
}
];
};
};
in
{
options.commonSettings.proxyServer = {
enable = mkEnableOption "sing-box as a server";
};
config = mkIf cfg.enable {
boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
networking.firewall.trustedInterfaces = [ "tun0" ];
security.acme = {
acceptTerms = true;
certs.${config.deployment.targetHost} = {
email = "me@namely.icu";
# Avoid port conflict
listenHTTP = if config.services.caddy.enable then ":30310" else ":80";
};
};
services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = ''
reverse_proxy 127.0.0.1:30310
'';
networking.firewall.allowedTCPPorts = [
80
8080
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
custom.prometheus = {
enable = true;
exporters.blackbox.enable = true;
};
services.sing-box = {
enable = true;
settings = mkSingConfig {
uuid = config.sops.secrets."sing-box/uuid".path;
password = config.sops.secrets."sing-box/password".path;
};
};
};
}
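Review bot: `singTls` (lines 2685–2691) reads the key and certificate straight from the ACME directory, but nothing in this module grants the sing-box service access to that directory or reloads it after renewal, so the inbounds would keep serving the old certificate until the next restart; adding `reloadServices = [ "sing-box.service" ];` next to `email` in the `certs.${config.deployment.targetHost}` block (lines 2786–2790), and confirming the service user can read `key.pem` (neither the certificate `group` nor a supplementary group on the service is set here), closes that gap. The routing rules (lines 2760–2771) only pin `sg0` and `sg4` to `direct`; `sg1`–`sg3` presumably fall through to sing-box's default outbound, which is the first one listed (`wg-out`), and stating that with `final = "wg-out";` inside `route` keeps the intent from depending on list order. `networking.firewall.trustedInterfaces = [ "tun0" ]` (line 2783) exempts everything arriving on that interface from filtering, yet no inbound in this module creates a tun device, so a comment naming the service that owns `tun0` would make the exemption reviewable.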


@ -3,12 +3,12 @@
./common-settings/auth.nix
./common-settings/autoupgrade.nix
./common-settings/nix-conf.nix
./common-settings/proxy-server.nix
./restic.nix
./vaultwarden.nix
./prometheus
./hedgedoc.nix
./sing-box.nix
./stylix.nix
./kanidm-client.nix
./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge
./forgejo-actions-runner.nix


@ -1,41 +0,0 @@
{
inputs,
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.custom.stylix;
in
{
imports = [ inputs.stylix.nixosModules.stylix ];
options = {
custom.stylix = {
enable = mkEnableOption "style management with stylix";
};
};
config = mkIf cfg.enable {
stylix.enable = true;
stylix.image = pkgs.fetchurl {
url = "https://github.com/NixOS/nixos-artwork/blob/master/wallpapers/nixos-wallpaper-catppuccin-mocha.png?raw=true";
hash = "sha256-fmKFYw2gYAYFjOv4lr8IkXPtZfE1+88yKQ4vjEcax1s=";
};
stylix.base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-mocha.yaml";
stylix.polarity = "dark";
stylix.autoEnable = false;
stylix.homeManagerIntegration.autoImport = true;
stylix.homeManagerIntegration.followSystem = true;
stylix.targets = {
console.enable = true;
# gnome.enable = if config.services.xserver.desktopManager.gnome.enable then true else false;
gnome.enable = false;
gtk.enable = true;
};
};
}


@ -1,3 +1,12 @@
(final: prev: {
oidc-agent = prev.callPackage ./pkgs/oidc-agent { };
ubootOrangePiR1LtsPackage = prev.buildUBoot {
defconfig = "orangepi-r1-plus-lts-rk3328_defconfig";
enableParallelBuilding = true;
BL31 = "${prev.armTrustedFirmwareRK3328}/bl31.elf";
filesToInstall = [
"u-boot.itb"
"idbloader.img"
];
};
})

90
scripts/nixos-updater.py Normal file

@ -0,0 +1,90 @@
import requests
import os
import socket
import json
from os import path as osp
from dataclasses import dataclass
"""
This updater consists of several parts:
- Update checker: Check an url for update (if outPath is different from /run/current-system or some specified profile) or maybe use timestamp for update
- Nix copy --from: copy from remote. Need to specify remote url.
- Create a symlink: /run/next-system -> <new system derivation>
- Listen for POST request to trigger system switch (optional)
"""
@dataclass
class GarnixConfig:
token: str
@dataclass
class Config:
check_type: str
check_url: str
remote_url: str
garnix: GarnixConfig
hostname: str = socket.gethostname()
class Nix:
def __init__(self, args):
self.args = args
def copy_from_remote(self):
# run nix copy with subprocess
pass
def eval(self):
class Updater:
def __init__(self, config: Config):
self.config = config
# TODO: Make this configurable
self.current_drv = os.readlink("/run/current-system")
self.next_dev = None
# checkers take an url and returns the outPath of the latest success build
def garnix_checker(self) -> str:
domain = "garnix.io"
build_endpoint = "/api/build/commit"
# Latest commit from git
# Check build status of this commit
resp = requests.get(
f"https://{domain}{build_endpoint}/40b1e9ff23aaa5f555420dd22414c3f137a02cfe"
)
# Raise error if status code is not valid
# Fetch outPath from eval endpoint
# TODO: In theory, this could be done by parsing raw log from garnix.
# Try to evaluate locally if eval endpoint is not configured
resp = resp.json()
# TODO
return "null"
def hydra_checker(self) -> str:
# TODO
return "null"
# Check for update
def poll(self) -> str | None:
cfg = self.config
if cfg.check_type == "garnix":
pass
elif cfg.check_type == "hydra":
pass
else:
pass
pass
if __name__ == "__main__":
pass
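Review bot: `def eval(self):` at the end of class Nix has no body (the next line is `class Updater:`), so the module fails to parse with an IndentationError before any of the updater code can run; give it a placeholder body such as `raise NotImplementedError` or `pass`, as copy_from_remote already does. In garnix_checker the comment says a bad status code raises, but nothing does, and the GET carries no timeout, so a hung or failing API call ends either in a blocked process or a confusing JSONDecodeError; use `resp = requests.get(url, timeout=30)` followed by `resp.raise_for_status()` before `resp.json()`. The commit hash in that URL is hard-coded while the comment above says it should be the latest git commit; mark it `# TODO: placeholder commit, replace with the commit resolved from git` so it is not mistaken for finished logic. When copy_from_remote is implemented, keep Nix's default store-path signature checking for `nix copy` (do not pass `--no-check-sigs`) and rely on the host's trusted-public-keys, because this script decides what becomes /run/next-system from a remote HTTP response. The attribute `self.next_dev` does not match `current_drv` and the `/run/next-system` symlink it is meant to hold; `next_drv` would be consistent.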