felixalb/nixos-config
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Compare commits

base: felixalb/nixos-config:a05526b4bcc01692f64c57376cab2de3c33b835a
Branches Tags
felixalb/nixos-config:main felixalb/nixos-config:nixos-26.05 felixalb/nixos-config:nixos-25.11
..
compare: felixalb/nixos-config:nixos-26.05
Branches Tags
felixalb/nixos-config:nixos-26.05 felixalb/nixos-config:main felixalb/nixos-config:nixos-25.11

197 Commits
a05526b4bc .. nixos-26.05

Author SHA1 Message Date
felixalb f26fa172b8 challenger+defiant: Set bind-mount fsType=none 2026-06-01 10:38:27 +02:00
felixalb 23626db89f challenger/nextcloud: Update to version 33 2026-06-01 10:38:15 +02:00
felixalb fb847fc9c6 challenger/nvidia: Upgrade to 26.05, lock to Nvidia 580 2026-06-01 10:37:45 +02:00
felixalb f474909415 defiant: update to nixos 26.05 2026-05-31 22:40:01 +02:00
felixalb ebbc271378 common: disable promtail (deprecated). Point auto-upgrade to upgrade branch 2026-05-31 19:04:12 +02:00
felixalb a07eb1f799 worf: re-add spotify 2026-05-31 17:21:24 +02:00
felixalb 33a35ce214 home/base, home/neovim: Fix changes for 26.05 2026-05-31 17:16:51 +02:00
felixalb 18baeec24d flake: update to 26.05 2026-05-31 11:07:15 +02:00
felixalb 7d6ab0d4b6 base: add packages diffr, nixfmt 2026-05-28 12:05:41 +02:00
felixalb f37cc9f91d fa-t14-2025: add package gnumeric 2026-05-28 12:05:22 +02:00
felixalb afa7721ab9 common/fa-t14-2025: add oldssh 2026-05-27 14:47:15 +02:00
felixalb a4aa586b71 flake: update 2026-05-11 23:14:56 +02:00
felixalb 422a166925 challenger/frigate: init 2026-05-06 20:33:58 +02:00
felixalb 22b3907223 challenger/calibre: restore stable package 2026-05-06 20:33:58 +02:00
felixalb a578f30600 flake: update 2026-05-06 20:27:58 +02:00
felixalb b4e209dd97 leonard/www-amalie-mansaker-no: update 2026-05-06 20:26:53 +02:00
felixalb e7b8c49834 leonard: use linuxPackages_latest 2026-05-04 12:34:05 +02:00
Felix Albrigtsen 39f73a21b2 flake: update 2026-04-28 14:51:03 +02:00
felixalb 92f7943221 morn: add swapfile 2026-04-08 22:17:03 +02:00
felixalb 41ed408c23 leonard: add swapfile 2026-04-08 22:14:25 +02:00
felixalb 7918ebd7ea defiant/nginx: ip allowlist on nextcloud 2026-04-08 22:03:14 +02:00
felixalb 7401e3bb5e sisko: replace pwndbg 2026-04-08 21:15:15 +02:00
felixalb 817b959d36 base: remove fallback dns resolver 2026-04-08 21:15:15 +02:00
Felix Albrigtsen 670f5b6559 flake: update, fixes GHSA-g3g9-5vj6-r3gj 2026-04-08 09:28:51 +02:00
felixalb 05ca36c4fa flake: change channel to small. update. 2026-04-04 22:34:20 +02:00
felixalb d3776db311 defiant/vaultwarden: unpublish 2026-03-29 15:52:03 +02:00
Felix Albrigtsen d117a6422c flake: update. fa-t14-2025: minor fixes 2026-03-13 09:56:47 +01:00
felixalb 42d69bb8c5 flake: fix pwndbg 2026-02-20 17:47:29 +01:00
felixalb 4e93e8dc04 challenger/audiobookshelf: fix mount again. 
challenger: other minor updates
 2026-02-18 18:12:13 +01:00
felixalb 7d8a3a10dc flake: bump inputs 2026-02-04 18:11:49 +01:00
Felix Albrigtsen 14ff95a90d fa-t14-2025: minor home-manager changes 2026-01-26 12:39:52 +01:00
felixalb f8ca64ee28 WIP: leonard: add backup.nix, mysqlBackup 2026-01-26 00:15:44 +01:00
felixalb 97b7cb8e53 flake: update 2026-01-24 20:22:48 +01:00
felixalb 0ffb502f68 defiant/wireguard: deprecate old peers 2025-12-31 20:59:58 +01:00
felixalb 27596cfcee defiant/dyndns: change domain name 2025-12-31 20:21:01 +01:00
felixalb ec9811bf31 prometheus: add constellation 2025-12-16 07:48:24 +01:00
felixalb 7c9efc9638 leonard: update amalie-mansaker-no 2025-12-12 20:18:06 +01:00
felixalb ad36469dd2 Merge pull request 'nixos-25.11' (#6) from nixos-25.11 into main 
Reviewed-on: #6
 2025-12-08 21:07:41 +01:00
felixalb bd05773d1a auto-upgrade: point back to the main branch 2025-12-08 21:05:23 +01:00
felixalb 77cdedf958 defiant: update to nixos 25.11 2025-12-08 20:59:46 +01:00
felixalb b4b8fa2309 worf: fix 25.11. Clean flake. 2025-12-04 17:22:33 +01:00
felixalb aca430fb18 challenger/audiobookshelf: fix mount order 2025-12-02 19:38:08 +01:00
felixalb 8aa123303c challenger: update to nixos 25.11. Update to nextcloud 32 2025-12-02 00:14:36 +01:00
felixalb f7ce8585b5 burnham: remove host 2025-12-01 23:22:05 +01:00
felixalb 1af2ea3552 malcolm: remove host (superceded by leonard) 2025-12-01 23:17:25 +01:00
felixalb d9b62f7c0a sisko: Update to nixos 25.11 2025-12-01 00:24:11 +01:00
felixalb 774bd0c0d8 morn: update to 25.11 2025-12-01 00:02:06 +01:00
felixalb 9c0ea93934 flake: update to 25.11. Breaks worf/darwin. 2025-11-30 23:54:27 +01:00
felixalb 520a96878b leonard: Add amalie-mansaker-no 2025-11-23 18:56:03 +01:00
felixalb 9eed01bb4a defiant: enable cloud backups 2025-11-17 21:30:04 +01:00
felixalb f5cc555c1b challenger: cleanup, remove ersatztv 2025-11-14 23:49:56 +01:00
felixalb b4ca418a34 defiant: cleanup, remove flame, remove koillection 2025-11-14 23:38:46 +01:00
felixalb 261b19f7c3 challenger: add audiobookshelf 2025-11-13 23:12:05 +01:00
felixalb c0e19e7c21 morn: add thelounge 2025-11-06 22:05:31 +01:00
felixalb c601ed7d39 flake: update 2025-11-03 20:17:40 +01:00
felixalb 4b922cd23d defiant/nginx: wiki-wackattac-eu has moved to leonard 2025-11-02 15:06:10 +01:00
felixalb 68950a4507 leonard: Add wiki-wackattack-eu 2025-11-02 15:05:43 +01:00
felixalb 0c08f92444 defiant/matrix-synapse: Fix oidc provider mapping typo 2025-11-02 12:23:19 +01:00
felixalb f4630467f6 defiant/matrix-synapse: require matrix-user role in keycloak 2025-11-01 19:50:55 +01:00
felixalb ee4bb0ee2d defiant/monitoring: update prometheus target list 2025-10-19 00:36:51 +02:00
felixalb 410e673673 sops: add recovery key 2025-10-18 23:59:13 +02:00
felixalb 492bd530d3 challenger/backup: add hostBackups 2025-10-18 23:46:32 +02:00
felixalb 14483e95e7 defiant/nginx: Move www.feal.no and www.kinealbrigtsen.no to leonard 2025-10-18 22:33:08 +02:00
felixalb 483f30229f leonard: add www-feal-no. add www-kinealbrigtsen-no. configure outgoing firewall 2025-10-18 22:25:05 +02:00
felixalb 49a3c0211e leonard: init host 2025-10-17 21:02:28 +02:00
felixalb b1fed06b7d worf: add mpv 2025-10-17 19:39:04 +02:00
felixalb 9c24a7bfa5 wireguard: add Amalies phone. Disable burnham endpoint 2025-10-16 23:04:06 +02:00
felixalb 64777e4caf flake: update 2025-10-12 18:12:47 +02:00
felixalb 36574ed5b0 worf: rebuild needs sudo now 2025-09-16 19:21:26 +02:00
felixalb b438b63306 defiant/nginx: temporarily add forwards for mccoy 2025-09-14 20:46:26 +02:00
felixalb 4e8156139b defiant/gitea: Disable default theme 2025-09-14 20:46:26 +02:00
felixalb 4a25256ee6 flake: update 2025-09-09 22:35:27 +02:00
felixalb 5633f4b551 sisko: add rtl-sdr, gqrx, hashcat, immersed. Remove bambu-studio 2025-09-09 22:25:07 +02:00
felixalb d30b0b1a97 sisko: add lutris 2025-08-22 19:08:21 +02:00
felixalb 5c07d9540b sisko: add docker 2025-08-22 19:08:21 +02:00
Felix Albrigtsen 8d3d918c94 My friendship with github education is over 2025-08-22 09:56:11 +02:00
Felix Albrigtsen fc7e3decc6 fa-t14-2025: Minor adjustments 2025-08-21 15:43:28 +02:00
Felix Albrigtsen 0490048a14 fa-t14-2025: Add docker, minor adjustments. home: improve tmux config 2025-08-21 15:43:28 +02:00
felixalb 74b7feb043 sisko: minor changes 2025-08-03 17:51:59 +02:00
felixalb 5701615d29 base: remove manual nixpkgs registry/nix-path override, not needed since 24.05 2025-08-02 17:22:27 +02:00
felixalb 4e2f1cb44d flake: update all inputs. Remove deprecated matrix-synapse options 2025-07-31 00:24:22 +02:00
felixalb 73e2ee8fa7 flake: remove hyprswitch input 2025-07-31 00:24:22 +02:00
felixalb 03fbccbbd2 defiant: stop minecraft server 2025-07-31 00:24:22 +02:00
felixalb 3ecca821d0 defiant: Generalize wireguard config 2025-07-31 00:24:22 +02:00
felixalb ee23a6eb75 sisko: various minor changes 2025-07-31 00:07:40 +02:00
felixalb 5dcd4c11bb challenger/backup: cleanup, add books/music 2025-07-31 00:04:51 +02:00
felixalb eb4b58bed7 morn: add miniflux 2025-07-06 23:59:16 +02:00
felixalb c9efb5c1dd remove old hosts voyager and felixalbpc 2025-07-06 23:32:29 +02:00
felixalb ac1e8d2f3f challenger/backup: Add remote cloud backups 2025-07-03 23:41:23 +02:00
felixalb dc5b6f9915 flake: update. sisko: add bambu studio/orcaslicer, fix updates 2025-07-03 23:26:02 +02:00
Felix Albrigtsen 03c4f8ca88 fa-t14-2025: Minor adjustments, add SecureCRT(WIP) 2025-06-16 09:40:56 +02:00
Felix Albrigtsen 126473d75d fa-t14-2025: Add swap and power management 2025-06-16 09:40:48 +02:00
felixalb 08ca7edf69 Merge pull request 'Upgrade to nixos 25.05' (#4) from nixos-25.05 into main 
Reviewed-on: #4
 2025-06-08 22:12:40 +02:00
felixalb f72393cc25 defiant: re-enable backups 2025-06-08 22:07:28 +02:00
felixalb c4ea7efc9c challenger: update to nixos 25.05. Update to nextcloud 31 2025-06-08 22:00:06 +02:00
felixalb 3f814a9d50 challenger/jellyfin: fix GPU access, remove DeviceAllow 2025-06-08 18:27:14 +02:00
felixalb 75212dc4bf defiant: update homeassistant 2025-06-08 18:20:06 +02:00
felixalb d40e8b6898 defiant: disable some unused services 2025-06-08 18:20:06 +02:00
felixalb c73d9761bc defiant: temporarily move/disable backups when moving house 2025-06-08 18:20:06 +02:00
felixalb d380110543 sisko: Update to nixos 25.05 2025-06-08 17:38:32 +02:00
felixalb cf6a836f80 sisko: Change to NetworkManager. Add misc. packages 2025-06-08 17:27:33 +02:00
felixalb 7f892fa284 sisko: add cantata 2025-06-08 17:19:59 +02:00
Felix Albrigtsen 9d9644dff7 fa-t14-2025: Add fake-stable microsoft edge 2025-06-04 13:00:52 +02:00
felixalb e545add397 worf: Update to nixos 25.05 2025-06-03 22:26:01 +02:00
Felix Albrigtsen de319def43 flake: Start switching to NixOS 25.05 2025-06-03 22:26:01 +02:00
Felix Albrigtsen 4f99ff9c1e Configure fa-t14 2025-06-03 22:26:01 +02:00
felixalb 7c10e96035 malcolm: WIP CTF tools 2025-06-03 22:25:41 +02:00
felixalb 73c0eda7cf malcolm/kinealbrigtsen: Remove CSP to fix awful WP plugins 2025-06-03 22:25:41 +02:00
felixalb 2c36272339 WIP: new host fa-t14-2025 2025-06-03 08:37:13 +02:00
felixalb 277a650098 flake: bump inputs. challenger: add feal-syn2 backup mount 2025-05-20 23:00:58 +02:00
felixalb e289cab72f base: add some utilities 2025-05-20 23:00:58 +02:00
felixalb 9d86516046 wireguard: add Turtle 2025-05-16 01:23:42 +02:00
felixalb bca8a78af9 morn: configure glance 2025-04-22 18:34:37 +02:00
felixalb 93783fe482 auto-upgrade: init attempt at auto upgrade 2025-04-22 18:33:42 +02:00
felixalb f2e408c338 flake: update 2025-04-20 10:56:20 +02:00
felixalb 8425654777 defiant/minecraft: disable online-mode 2025-04-20 10:33:36 +02:00
felixalb 54546d512f sisko: Add some CTF tools 2025-04-05 13:42:13 +02:00
felixalb 2fbc6223e1 felixalbpc: Update python 2025-04-01 09:57:15 +02:00
felixalb 0fd4b10b1c felixalbpc: try to disable ipv6 temporary addresses. Add sl2 shell alias 2025-04-01 09:57:15 +02:00
felixalb ff99371792 sisko/firefox: add tridactyl support 2025-03-26 20:45:52 +01:00
felixalb 017b500180 sisko: minor additions; xfce, alvr 2025-03-22 15:35:06 +01:00
felixalb 2b4254952a home: Add fzf 2025-03-19 20:08:35 +01:00
felixalb 4ec8b69cde morn: Init new host 2025-03-19 17:37:57 +01:00
felixalb ed47f7b1bf home/neovim: Fix lightline, disable coc 2025-03-19 17:22:31 +01:00
felixalb fbfb89280b sisko: fix bluetooth ertm and xpadneo for wireless xbox controller 2025-03-11 20:07:34 +01:00
felixalb b4d85a796a sisko: Add music listening software; mpd, ncmpcpp, picard, easyeffects 2025-03-07 23:57:44 +01:00
felixalb ae8f914ab3 sisko: Remove user amalieem 2025-03-07 23:25:00 +01:00
felixalb 9ab61ca7de challenger: remove navidrome 2025-03-04 21:23:37 +01:00
felixalb a455c7ec07 flake: update. home/alacritty: fix conflicting definitions 2025-03-02 20:00:13 +01:00
felixalb b8a90d668d sisko: install emacs, fwupd 2025-02-23 18:08:16 +01:00
felixalb d258017804 home/neovim: remove pyright 2025-02-20 18:03:46 +01:00
felixalb 1d6a77238b worf: Disable stealth firewall (allow ping, etc.) 2025-02-20 18:03:35 +01:00
felixalb 47db333feb worf: Update yabay/sketchybar/alacritty config 2025-02-18 21:41:32 +01:00
felixalb da2ca7f42e flake: update, fix nix-darwin input, add tmux 2025-02-16 21:07:40 +01:00
felixalb 0a1b0fbe51 challenger: disable unused services 2025-02-15 01:09:28 +01:00
felixalb 1639675eac challenger: move to VM 2025-02-15 01:08:37 +01:00
felixalb 2894eaf108 defiant: Add 'home' minecraft server 2025-02-04 10:21:11 +01:00
felixalb 66725eae8c Flake: Update inputs 2025-02-04 10:19:27 +01:00
felixalb 9660f29fe4 felixalbpc: Prepare for hyprland 2025-02-04 10:19:27 +01:00
felixalb 6802751fa9 challenger: mount feal-syn1:/volume2/backup using systemd.automount 2025-01-27 19:45:29 +01:00
felixalb 26f4174b0b challenger: set kernel params to prevent cpu hissy fits 2025-01-16 21:51:08 +01:00
felixalb f2230c6e70 challenger: re-add backup nfs mount 2025-01-16 21:51:08 +01:00
felixalb 05134a6121 challenger: disable nvidia.open 2025-01-16 21:51:08 +01:00
felixalb c5ca99e05f challenger/nextcloud: fix typo 2025-01-16 21:51:08 +01:00
felixalb 28296d5066 challenger: add user amalieem 2025-01-16 21:51:08 +01:00
felixalb 807462cd54 defiant/homeassistant: add zigbee dongle 2024-12-31 16:06:15 +01:00
felixalb 98d66602b3 defiant/keycloak: fix hostname settings after 24.11 upgrade 2024-12-31 16:05:56 +01:00
felixalb 512c0595cb defiant: add SearXNG 2024-12-31 16:02:54 +01:00
felixalb 86556fb69f flake: update 2024-12-31 12:44:05 +01:00
felixalb 049d3d82c6 sisko: Various fixes. Add amalieem. 2024-12-31 12:44:05 +01:00
felixalb e1a252c5ee sops: Add felixalb-sisko, clean up voyager 2024-12-31 12:13:43 +01:00
felixalb 3918fe6057 sisko: minor changes 2024-12-21 21:31:06 +01:00
felixalb 1eb3cdcc13 home: WIP fix terminal colors 2024-12-19 17:42:35 +01:00
felixalb 4346f269da Flake: Update inputs 2024-12-19 13:05:48 +01:00
felixalb f683a5dce6 challenger: update to nixos 24.11 2024-12-15 21:02:26 +01:00
felixalb 9465c9bb52 challenger: Jellyfin can use all cards 2024-12-15 13:50:37 +01:00
felixalb 12773b8c62 challenger: Disable NFS in both directions to avoid extreme crashes 2024-12-15 13:50:37 +01:00
felixalb c49fc1fb4d felixalbpc: Minor changes 2024-12-11 10:57:01 +01:00
felixalb f27205efdb flake: update. sisko: various minor updates 2024-12-11 10:56:46 +01:00
felixalb ee7fef1479 flake: update nix-darwin 2024-12-05 13:22:56 +01:00
felixalb 78595b4bdc felixalbpc: Update to nixos 24.11 2024-12-05 13:21:23 +01:00
felixalb 47f79b9cd0 felixalbpc: Add puppet-lint 2024-12-05 13:21:23 +01:00
felixalb c1417cf36d sisko: Install and configure desktop apps, hyprland, etc. 2024-12-03 22:44:25 +01:00
felixalb fab563fa2d worf: Update to nixos 24.11 2024-12-01 12:45:21 +01:00
felixalb 87ced23c91 flake: No need for unstable packages 2024-12-01 12:45:21 +01:00
felixalb 1b0b37c13c defiant: Update to NixOS 24.11 2024-12-01 12:31:01 +01:00
felixalb b4b74227c3 defiant: Add koillection 2024-12-01 12:30:43 +01:00
felixalb 8b6089f014 base: Update SSH keys 2024-12-01 10:54:59 +01:00
felixalb 8759e193ff sisko: Init new host 2024-12-01 10:34:34 +01:00
felixalb c281b2de38 Flake: Update to NixOS 24.11 2024-12-01 10:34:34 +01:00
felixalb f429873cd7 Grrr, darwin breaky 2024-11-24 22:23:20 +01:00
felixalb 3f6f68c010 I'm on a 🚂🚋🚋🚋🚋˙⊹⁺. 2024-11-23 08:39:40 +01:00
felixalb 823f5b3d12 shells/CTF: darwin = tier 300 support 2024-11-23 08:29:23 +01:00
felixalb 110b410fbd challenger: update nextcloud 2024-11-14 22:19:21 +01:00
felixalb 8c880f3c7b challenger: Add archivebox 2024-11-14 22:19:21 +01:00
felixalb 157c54ae65 felixalbpc: Configure openstackclient, keymapp, keyring, ssh-agent 2024-11-05 13:21:10 +01:00
felixalb 9fe5f0aae7 defiant/nginx: re-enable NextCloud 2024-10-22 20:41:06 +02:00
felixalb 713b9a5615 worf/home: Various small fixes 2024-10-22 20:34:45 +02:00
felixalb 3ddb78788b challenger: Re-enable nvidia, various fixes. NFS still broken :( 2024-10-21 23:24:47 +02:00
felixalb 5fed94ef27 flake: Replace nixpkgs overrides with cleaner ones 2024-10-06 02:58:51 +02:00
felixalb dab63bfbeb flake: clean up :) 2024-10-06 01:57:55 +02:00
felixalb 97b481de0a challenger: disable nvidia drivers and nfs exports 2024-10-05 21:46:13 +02:00
felixalb a3a2ec1b9a challenger: Add backups for calibre and nextcloud 2024-10-05 21:44:48 +02:00
felixalb 5216c0257f worf: Update nix-darwin input 2024-10-05 21:43:26 +02:00
felixalb b17ff565c3 defiant: Fix nfs-client, replace borg with restic 2024-10-05 10:53:54 +02:00
felixalb 6de16fb116 challenger: Fix nfs-client, replace borg with restic 2024-10-05 00:53:43 +02:00
felixalb 12e4d22136 worf: various package cleanups 2024-10-05 00:53:07 +02:00
felixalb 7177ee5b17 Worf: Add challenger as builder 2024-10-05 00:53:07 +02:00
felixalb 56e92e70f1 felixalbpc/home/zsh/neovim: Various small QoL improvements and fixes 2024-09-30 15:46:45 +02:00
felixalb 69949e872d defiant/matrix-synapse: Add sliding sync 2024-09-25 19:56:59 +02:00
felixalb b553f83da8 felixalbpc/flake: fix group bug 2024-09-25 19:56:37 +02:00
felixalb bfcb4f7dce defiant/nginx: Fix broken git-default. Temporarily disable nextcloud 2024-09-25 19:28:52 +02:00
felixalb 85ea8f5ac3 felixalbpc: Minor fixes, new packages, etc. Update flake inputs. 2024-09-23 14:23:43 +02:00
felixalb 2688f28aaf Challenger/netatalk: Temporarily fix time machine 2024-09-15 23:05:09 +02:00
felixalb 93306b9332 Merge pull request 'Add felixalbpc. Remove edison. Clean home-manager base and flake.' (#3) from add-felixalbpc into main 
Reviewed-on: #3
 2024-09-13 14:12:10 +02:00
felixalb 38648a08ed Finish felixalbpc, cleanup home-manager 2024-09-13 14:11:01 +02:00
felixalb 5ea3e8730d Multiple changes (cleanup, remove edison, add felixalbpc) 
- Removes hold host edison
- Adds new host, felixalbpc, a work machine. This requires some cleanup
  to fit into the office network, use other SSH keys, etc.
- Clean up some package installs, putting more things into the common
  home-manager packages, rather than systemwide or host-specific homes.
- Various small changes like disabling Github Copilot on nvim startup.
 2024-09-13 14:10:54 +02:00
140 changed files with 4126 additions and 1574 deletions
Expand all files Collapse all files
.sops.yaml
+30 -9
View File
@@ -1,38 +1,59 @@
keys:
- &bw_recovery age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
- &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
- &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773
- &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
- &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
- &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
- &host_leonard age1djj3jvt0usurh43t8jsrs74t5pvj54w77vy7qgln9ykckag233eqyth4fl
- &host_morn age14ar8q5454khxxf5ur2nxwk533nzycz2lh3635qwz35wh8yq0jpqskj2ksx
- &user_felixalb_sisko age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
- &user_felixalb_worf age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
creation_rules:
# Global secrets
- path_regex: secrets/[^/]+\.yaml$
key_groups:
- age:
- *user_felixalb
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
# Host specific secrets
- path_regex: secrets/burnham/[^/]+\.yaml$
key_groups:
- age:
- *host_burnham
- *user_felixalb
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/challenger/[^/]+\.yaml$
key_groups:
- age:
- *host_challenger
- *user_felixalb
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/defiant/[^/]+\.yaml$
key_groups:
- age:
- *host_defiant
- *user_felixalb
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/voyager/[^/]+\.yaml$
- path_regex: secrets/leonard/[^/]+\.yaml$
key_groups:
- age:
- *host_voyager
- *user_felixalb
- *host_leonard
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/morn/[^/]+\.yaml$
key_groups:
- age:
- *host_morn
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
README.md
+2 -1
View File
@@ -37,8 +37,9 @@ Other installed packages and tools are described in the config files (like ./hos
## Networking
- I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)).
- I recently switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix) and [here](./hosts/burnham/services/wireguard.nix).
- A long time ago, I switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix).
- PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking.
- A simple custom DynDNS thing is defined [here](./common/domeneshop-dyndns.nix) and used [here](./hosts/defiant/services/dyndns.nix).
## Monitoring
base.nix
+12 -12
View File
@@ -6,7 +6,7 @@
networking = {
domain = lib.mkDefault "home.feal.no";
nameservers = lib.mkDefault [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ];
nameservers = lib.mkDefault [ "192.168.10.175" "192.168.10.1" ];
useDHCP = lib.mkDefault false;
};
@@ -29,19 +29,13 @@
trusted-users = [ "felixalb" ];
builders-use-substitutes = true;
};
registry= {
nixpkgs.flake = inputs.nixpkgs;
};
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
};
programs.zsh.enable = true;
environment.systemPackages = with pkgs; [
bottom
duf
diffr
eza
file
git
@@ -51,6 +45,7 @@
iotop
lm_sensors
nix-output-monitor
nixfmt
p7zip
python3
ripgrep
@@ -61,10 +56,15 @@
vim
wget
zip
] ++ lib.optionals (pkgs.stdenv.isLinux) [
dmidecode
lm_sensors
pciutils
];
services.openssh = {
enable = true;
openFirewall = lib.mkDefault true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
@@ -78,20 +78,20 @@
'';
};
networking.firewall.allowedTCPPorts = [ 22 ];
programs.mosh.enable = true;
users.users.felixalb = {
isNormalUser = true;
extraGroups = lib.mkDefault [
extraGroups = [
"wheel"
"docker"
];
uid = lib.mkDefault 1000;
openssh.authorizedKeys.keys = lib.mkDefault [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiPHhj0YbklJnJNcxD0IlzPxLTGfv095H5zyS/1Wb64 felixalb@edison.home.feal.no"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJky33ynjqyWP+hh24gFCMFIEqe3CjIIowGM9jiPbT79 felixalb@sisko.home.feal.no"
];
shell = pkgs.zsh;
};
common/auto-upgrade.nix
+15
View File
@@ -0,0 +1,15 @@
{ config, pkgs, lib, ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.feal.no/felixalb/nixos-config.git?ref=nixos-26.05"; # TODO - restore to main
flags = [
# Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs.
"--refresh"
"--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-26.05-small"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable"
"--no-write-lock-file"
];
};
}
common/metrics-exporters.nix
+1 -36
View File
@@ -17,41 +17,6 @@ in {
'';
};
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 28183;
grpc_listen_port = 0;
};
clients = [
{
url = "http://${metricsHost}:3100/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "systemd-journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = config.networking.hostName;
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
{
source_labels = [ "__journal_priority_keyword" ];
target_label = "level";
}
];
}
];
};
};
# TODO: Configure fluent-bit or rsyslog
}
common/oldssh.nix
+44
View File
@@ -0,0 +1,44 @@
# Credit https://git.pvv.ntnu.no/oysteikt 2026
{
openssh,
fetchurl,
lib
}:
openssh.overrideAttrs (prev: rec {
# Old crypto was removed in v10.0
version = "9.9p2";
src = fetchurl {
url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
hash = "sha256-karbYD4IzChe3fll4RmdAlhfqU2ZTWyuW0Hhch4hVnM=";
};
configureFlags = prev.configureFlags ++ [
"--enable-dsa-keys"
];
# Broken patches, meant for 10.3p :p
patches = lib.filter (x: !(lib.any (suf: lib.hasSuffix suf (baseNameOf x)) [
"dont_create_privsep_path.patch"
"pkcs11-fix-pinentry.patch"
"pkcs11-tests-allow-module-path.patch"
"ssh-agent-tests-increase-timeout.patch"
])) prev.patches;
# We actually needed the `dont_create_privsep_path` one :3
postPatch = prev.postPatch + ''
substituteInPlace Makefile.in \
--replace-fail '$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)' '''
'';
# Tihi
doInstallCheck = false;
postFixup = ''
rm -rf $out/libexec $out/etc
rm $out/bin/ssh-* $out/bin/sshd $out/bin/sftp
cd $out/bin
for filename in *; do mv {,old}"$filename"; done;
'';
})
common/securecrt.nix
+81
View File
@@ -0,0 +1,81 @@
{
lib,
stdenv,
fetchurl,
autoPatchelfHook,
dpkg,
cups,
gtkmm3,
icu74,
krb5,
makeWrapper,
openssl,
pango,
python312,
xcb-util-cursor,
xorg,
}:
let
packageId = "scrt_ubuntu2464_deb_963";
in stdenv.mkDerivation rec {
pname = "securecrt";
version = "9.6.3";
src = fetchurl {
url = "https://www.vandyke.com/cgi-bin/download_1.php";
name = "${pname}-${version}.deb";
curlOpts = "-X POST --data 'pid=${packageId}&export_check=accept&country=no&su";
sha256 = "sha256-PsFuxJ7H0rJCWWi+rvzrlRUJlp9R4MG14d883/kl9Lo=";
};
unpackCmd = "dpkg -x $curSrc source";
nativeBuildInputs = [
dpkg
autoPatchelfHook
];
buildInputs = [
cups
gtkmm3
icu74
krb5
makeWrapper
openssl
pango
python312
xcb-util-cursor
xorg.xcbutilkeysyms
xorg.xcbutilwm
];
dontConfigure = true;
dontBuild = true;
dontWrapQTApps = true;
installPhase = ''
runhook preInstall
mkdir -p "$out"
cp -R usr/* "$out/"
wrapProgram "$out/bin/SecureCRT" --set QT_QPA_PLATFORM_PLUGIN_PATH "$out/lib/scrt/plugins/platforms"
runhook postInstall
'';
meta = with lib; {
homepage = "https://www.vandyke.com/products/securecrt/unix.html";
description = "Terminal emulator for computing professionals, with advanced session management";
license = {
free = false;
fullName = "Unknown / Custom";
};
platforms = with lib.platforms; linux ++ darwin ++ windows;
broken = !(stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64);
};
mainProgram = "SecureCRT";
}
common/wireguard-peers.nix
+38
View File
@@ -0,0 +1,38 @@
[
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
{ # fa-t14-2025
publicKey = "UPpUVWQqOKT65MFym1sFDTstNmuynDYE4LOOtbWqEng=";
allowedIPs = [
"10.100.0.7/32"
];
}
{ # Turtle
publicKey = "mDzAtRPv+O5TDHa9DGodF/KKuFXRBYwSqfPyeWfdfRI=";
allowedIPs = [
"10.100.0.8/32"
];
}
{ # Amalies phone
publicKey = "Iqoq00e5rUNygmjOKmSPzvDTzvUdpxkpwVrD6UJXG2w=";
allowedIPs = [
"10.100.0.9/32"
];
}
]
flake.lock
Generated
+163 -97
View File
@@ -2,11 +2,11 @@
"nodes": {
"extra-config": {
"locked": {
"lastModified": 1720193877,
"narHash": "sha256-f+ZtFQTbbmieTYLANn0AOz439/sIH+HumOAhItdYYig=",
"lastModified": 1775160379,
"narHash": "sha256-xrY3E3RTHP/c8MRKtciVbpXrgPCEnSQeNK4dCF53i9E=",
"ref": "refs/heads/main",
"rev": "f9817deef3d4e56a31a89ee93419a9acd278e922",
"revCount": 9,
"rev": "66b4e90b64ecfacc1fff901f3197388f70bc53c8",
"revCount": 15,
"type": "git",
"url": "file:///home/felixalb/nix-extra-config"
},
@@ -18,11 +18,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
@@ -31,24 +31,6 @@
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -56,35 +38,36 @@
]
},
"locked": {
"lastModified": 1720042825,
"narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
"lastModified": 1779726825,
"narHash": "sha256-RUkMrREjKDQrA+dA9+xZviGAxM5W1aVdyOr/bSYpHrE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
"rev": "b179bde238977f7d4454fc770b1a727eaf55111c",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.05",
"ref": "release-26.05",
"repo": "home-manager",
"type": "github"
}
},
"matrix-synapse-next": {
"inputs": {
"nixpkgs": "nixpkgs"
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1717234745,
"narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=",
"lastModified": 1765214213,
"narHash": "sha256-WSk8CTdIDFFP5VMJj9beve19nPMMdTsWnkCHVXqO/3E=",
"owner": "dali99",
"repo": "nixos-matrix-modules",
"rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456",
"rev": "82959f612ffd523a49c92f84358a9980a851747b",
"type": "github"
},
"original": {
"owner": "dali99",
"ref": "v0.6.0",
"repo": "nixos-matrix-modules",
"type": "github"
}
@@ -92,20 +75,20 @@
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nixpkgs"
"nixpkgs-darwin"
]
},
"locked": {
"lastModified": 1725975477,
"narHash": "sha256-sBnXxmYBb0S85Vkny97z2TFLd5SJW5o0k6KQNwpSLb0=",
"owner": "lnl7",
"lastModified": 1779036909,
"narHash": "sha256-zXcwYQGCT6pzinK+1dBB2ekTVtfxGZAapb3Evdcu4fY=",
"owner": "nix-darwin",
"repo": "nix-darwin",
"rev": "5b2d8e9a47c3e17514650d1ce7d5e907114db82b",
"rev": "56c666e108467d87d13508936aade6d567f2a501",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"owner": "nix-darwin",
"ref": "nix-darwin-26.05",
"repo": "nix-darwin",
"type": "github"
}
@@ -113,15 +96,17 @@
"nix-minecraft": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_2"
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1710638386,
"narHash": "sha256-8etSpxJaCYBWTViHqQRR6o76WfDX2CuD1o2UQXQrwao=",
"lastModified": 1780113881,
"narHash": "sha256-AMOOt682Odr4GZwCwZ08/Q/21/Sh3DxfmOAoiQbTKhk=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "8f292bc64336ac9559d33c9a074a214d783a4c8e",
"rev": "d9bd57f218cda7d6aac4b52546240da0df76a1f9",
"type": "github"
},
"original": {
@@ -132,64 +117,134 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1706098335,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"lastModified": 1780203844,
"narHash": "sha256-K5sT4jTpGs15ADhviMKNBH38REpPf5Q6mM1+N6cArVE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1710628718,
"narHash": "sha256-y+l3eH53UlENaYa1lmnCBHusZb1kxBEFd2/c7lDsGpw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6dc11d9859d6a18ab0c5e5829a5b8e4810658de3",
"rev": "b51242d7d43689db2f3be91bd05d5b24fbb469c4",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"ref": "nixos-26.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"nixpkgs-2211": {
"locked": {
"lastModified": 1698318101,
"narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
"owner": "nixos",
"lastModified": 1658083977,
"narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
}
},
"nixpkgs-darwin": {
"locked": {
"lastModified": 1780020239,
"narHash": "sha256-ik+V883hTc6GG7TzjxMdhEoMV0hCbQPfsRtNsB1qWUQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
"rev": "c85dc29a9bcafa665b8ce0654ca019cdb05e63c6",
"type": "github"
},
"original": {
"owner": "nixos",
"owner": "NixOS",
"ref": "nixpkgs-26.05-darwin",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1779560665,
"narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"pwndbg": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"pyproject-build-systems": "pyproject-build-systems",
"pyproject-nix": "pyproject-nix",
"uv2nix": "uv2nix"
},
"locked": {
"lastModified": 1723688146,
"narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
"lastModified": 1780187278,
"narHash": "sha256-vIC3RsPexOT2zcacHBcIQ5CPrPIisSLiMBS6tblGLDw=",
"owner": "pwndbg",
"repo": "pwndbg",
"rev": "07a27367b17e2b7172d6c7a2b891e4c5471275b6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"owner": "pwndbg",
"repo": "pwndbg",
"type": "github"
}
},
"pyproject-build-systems": {
"inputs": {
"nixpkgs": [
"pwndbg",
"nixpkgs"
],
"pyproject-nix": [
"pwndbg",
"pyproject-nix"
],
"uv2nix": [
"pwndbg",
"uv2nix"
]
},
"locked": {
"lastModified": 1763662255,
"narHash": "sha256-4bocaOyLa3AfiS8KrWjZQYu+IAta05u3gYZzZ6zXbT0=",
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"rev": "042904167604c681a090c07eb6967b4dd4dae88c",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"type": "github"
}
},
"pyproject-nix": {
"inputs": {
"nixpkgs": [
"pwndbg",
"nixpkgs"
]
},
"locked": {
"lastModified": 1769936401,
"narHash": "sha256-kwCOegKLZJM9v/e/7cqwg1p/YjjTAukKPqmxKnAZRgA=",
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"rev": "b0d513eeeebed6d45b4f2e874f9afba2021f7812",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"type": "github"
}
},
@@ -200,24 +255,26 @@
"matrix-synapse-next": "matrix-synapse-next",
"nix-darwin": "nix-darwin",
"nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs_3",
"sops-nix": "sops-nix",
"unstable": "unstable"
"nixpkgs": "nixpkgs",
"nixpkgs-2211": "nixpkgs-2211",
"nixpkgs-darwin": "nixpkgs-darwin",
"nixpkgs-unstable": "nixpkgs-unstable",
"pwndbg": "pwndbg",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
]
},
"locked": {
"lastModified": 1710644594,
"narHash": "sha256-RquCuzxfy4Nr8DPbdp3D/AsbYep21JgQzG8aMH9jJ4A=",
"lastModified": 1777944972,
"narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "83b68a0e8c94b72cdd0a6e547a14ca7eb1c03616",
"rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
"type": "github"
},
"original": {
@@ -241,19 +298,28 @@
"type": "github"
}
},
"unstable": {
"uv2nix": {
"inputs": {
"nixpkgs": [
"pwndbg",
"nixpkgs"
],
"pyproject-nix": [
"pwndbg",
"pyproject-nix"
]
},
"locked": {
"lastModified": 1723637854,
"narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9",
"lastModified": 1769957392,
"narHash": "sha256-6PkqwwYf5K2CHi2V+faI/9pqjfz/HxUkI/MVid6hlOY=",
"owner": "pyproject-nix",
"repo": "uv2nix",
"rev": "d18bc50ae1c3d4be9c41c2d94ea765524400af75",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"owner": "pyproject-nix",
"repo": "uv2nix",
"type": "github"
}
}
flake.nix
+67 -97
View File
@@ -2,151 +2,121 @@
description = "Felixalb System flake";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
# Nixpkgs and friends
nixpkgs.url = "github:NixOS/nixpkgs/nixos-26.05-small"; # Remember to update ./common/auto-upgrade.nix
nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-26.05-darwin";
nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-26.05";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs-darwin";
home-manager.url = "github:nix-community/home-manager/release-24.05";
home-manager.url = "github:nix-community/home-manager/release-26.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
matrix-synapse-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
nix-minecraft.url = "github:Infinidoge/nix-minecraft";
# Other inputs
extra-config.url = "git+file:///home/felixalb/nix-extra-config";
matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: Lock to release
matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";
nix-minecraft.url = "github:Infinidoge/nix-minecraft";
nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
pwndbg.url = "github:pwndbg/pwndbg";
pwndbg.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = {
self
, extra-config
, home-manager
, matrix-synapse-next
, nix-minecraft
, nix-darwin
, nix-minecraft
, nixpkgs
, nixpkgs-2211
, nixpkgs-darwin
, nixpkgs-unstable
, pwndbg
, sops-nix
, unstable
, extra-config
, ... }@inputs:
let
pkgs-overlay = final: prev: {
unstable = unstable.legacyPackages.${prev.system};
python311 = prev.python311.override {
packageOverrides = self: super: {
# k5test is broken on darwin, as of 24.05
gssapi = super.gssapi.overrideAttrs (old: {
doInstallCheck = false;
});
};
unstable = import nixpkgs-unstable {
system = prev.system;
config.allowUnfree = true;
};
nixpkgs-2211 = import nixpkgs-2211 {
system = prev.system;
config.allowUnfree = true;
};
pwndbg = pwndbg.packages."${prev.system}".default;
securecrt = prev.callPackage ./common/securecrt.nix { };
oldssh = prev.callPackage ./common/oldssh.nix { };
};
in
{
nixosConfigurations = {
# Networking / VPN Gateway
burnham = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
nixosConfigurations = let
normalSys = name: hostConfig: nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; # TODO - Handle
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
({ config, pkgs, ... }: {
# Make "pkgs.unstable" etc. available
nixpkgs.overlays = [ pkgs-overlay ] ++ hostConfig.overlays or [ ];
})
./hosts/burnham/configuration.nix
./common/domeneshop-dyndns.nix
./hosts/${name}/configuration.nix
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/burnham/home.nix;
home-manager.users = {
"felixalb" = import ./hosts/${name}/home.nix;
} // hostConfig.home-manager-users or { };
}
];
] ++ hostConfig.modules or [ ];
};
in {
# Media / storage server
challenger = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
challenger = normalSys "challenger" {
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
./hosts/challenger/configuration.nix
extra-config.nixosModules.default
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/challenger/home.nix;
}
];
};
# General application server
defiant = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
defiant = normalSys "defiant" {
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
./hosts/defiant/configuration.nix
./common/domeneshop-dyndns.nix
sops-nix.nixosModules.sops
matrix-synapse-next.nixosModules.default
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/defiant/home.nix;
}
];
};
# Work desktop
felixalbpc = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
./hosts/felixalbpc/configuration.nix
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/felixalbpc/home.nix;
}
];
};
# Work laptop
fa-t14-2025 = normalSys "fa-t14-2025" { };
# Web host
malcolm = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
leonard = normalSys "leonard" { };
./hosts/malcolm/configuration.nix
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/malcolm/home.nix;
}
];
};
# General application server
morn = normalSys "morn" { };
# Home desktop
sisko = normalSys "sisko" { };
};
# Daily driver macbook
darwinConfigurations.worf = nix-darwin.lib.darwinSystem {
system = "aarch64-darwin";
@@ -154,14 +124,14 @@
inherit inputs;
};
modules = [
./hosts/worf/configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
./hosts/worf/configuration.nix
home-manager.darwinModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/worf/home.nix;
}
# sops-nix.nixosModules.sops
];
};
home/alacritty.nix
+30 -2
View File
@@ -19,7 +19,7 @@
decorations = "none"; # full/none/transparent/buttonless
# Transparency:
# opacity = 0.95;
opacity = lib.mkDefault 0.95;
};
scrolling = {
@@ -50,7 +50,34 @@
colors = {
draw_bold_text_with_bright_colors = true;
# # Tomorrow Night Bright
# # gruvbox_material_medium_dark
# primary = {
# background = "0x282828";
# foreground = "0xd4be98";
# };
# normal = {
# black = "0x3c3836";
# red = "0xea6962";
# green = "0xa9b665";
# yellow = "0xd8a657";
# blue = "0x7daea3";
# magenta = "0xd3869b";
# cyan = "0x89b482";
# white = "0xd4be98";
# };
# bright = {
# black = "0x3c3836";
# red = "0xea6962";
# green = "0xa9b665";
# yellow = "0xd8a657";
# blue = "0x7daea3";
# magenta = "0xd3869b";
# cyan = "0x89b482";
# white = "0xd4be98";
# };
# # # Tomorrow Night Bright
# primary = {
# background = "0x141414";
# foreground = "0xeaeaea";
@@ -83,6 +110,7 @@
# white = "0xffffff";
# };
# Nord:
primary = {
background = "0x2e3440";
home/amalieem/default.nix
+43
View File
@@ -0,0 +1,43 @@
{ pkgs, lib, ... }:
{
imports = [
./../alacritty.nix
];
home = {
packages = with pkgs; [
papers
kitty
pavucontrol
# Window Manager Extras
bibata-cursors
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
networkmanager
swaynotificationcenter
waybar
wl-clipboard
];
sessionVariables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
};
programs = {
alacritty = {
enable = true;
settings.window.opacity = 0.92;
};
firefox.enable = true;
wofi.enable = true;
};
home.stateVersion = "24.11";
}
home/base.nix
+21 -4
View File
@@ -9,8 +9,8 @@
packages = with pkgs; [
bat
bottom
ncdu
neofetch
# ncdu
pwgen
sshfs
sshuttle
];
@@ -26,10 +26,12 @@
enableZshIntegration = true;
};
programs.fzf.enable = true;
programs.git = {
enable = true;
extraConfig = {
settings = {
pull.rebase = true;
push.autoSetupRemote = true;
color.ui = "auto";
@@ -40,13 +42,28 @@
name = "Felix Albrigtsen";
email = lib.mkDefault "felix@albrigtsen.it";
};
safe = {
directory = "/config";
};
};
ignores = [
"*~"
"*.swp"
"*~"
".DS_Store"
".gdb_history"
".vscode"
];
};
programs.tmux = {
enable = true;
sensibleOnTop = true;
baseIndex = 1;
clock24 = true;
keyMode = "vi";
mouse = true;
terminal = "screen-256color";
};
}
home/neovim.nix
+17 -9
View File
@@ -24,17 +24,19 @@ in {
nvim-treesitter
coc-css
coc-go
coc-html
coc-json
coc-nvim
coc-pyright
vim-nix
vim-puppet
go-nvim
];
withNodeJs = true;
withPython3 = true;
withRuby = false;
extraConfig = ''
let mapleader = ','
@@ -51,7 +53,7 @@ in {
" Integrate status with lightline
let g:lightline = {
\ 'active': {
\ 'left': [[ 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]]
\ 'left': [[ 'mode', 'paste', 'filename', 'readonly', 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]]
\ }
\ }
@@ -98,11 +100,16 @@ in {
" Nerdtree-settings
" Toggle nerdtree on Ctrl+t
nmap <silent> <C-t> :NERDTreeToggle<CR>
autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
autocmd VimEnter * wincmd p " Unselect nerdtree window
" Close vim is Nerdtree is the only buffer left
autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif
if empty($AERC_ACCOUNT) && empty($MOZ_APP_LAUNCHER)
autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
autocmd VimEnter * wincmd p " Unselect nerdtree window
endif
autocmd Filetype go setlocal expandtab tabstop=4 shiftwidth=4 softtabstop=4
" List and switch buffers on Ctrl+k
" nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space>
nnoremap <silent> <C-k> !echo "Did you mean C-a?"<CR>
@@ -116,6 +123,9 @@ in {
nnoremap <C-s> <cmd>Telescope find_files<cr>
nnoremap <C-g> <cmd>Telescope live_grep<cr>
" Don't darken the background
autocmd VimEnter * highlight normal ctermbg=NONE guibg=NONE
" Show trailing whitespace
highlight ExtraWhitespace ctermbg=red guibg=red
match ExtraWhitespace /\s\+$/
@@ -123,10 +133,8 @@ in {
" Disable search highlights
map <Leader><Space> :noh<CR>
" Start with copilot disabled
if exists("*Copilot")
autocmd VimEnter * Copilot disable
endif
" Start with Coc disabled
" autocmd VimEnter * CocDisable
'';
};
home/zsh.nix
+18 -11
View File
@@ -34,28 +34,35 @@
];
};
initExtra = ''
initContent = ''
# Autocomplete ../
zstyle ':completion:*' special-dirs true
export PATH="$HOME/.config/emacs/bin:$PATH"
export PATH="$HOME/.config/emacs/bin:$HOME/.cargo/bin:$PATH"
unalias "gs"
if [ -f ~/.config/zsh-extras ]; then
source ~/.config/zsh-extras
fi
'';
shellAliases = {
l = "exa -l";
c = "z";
tree = "exa --tree --icons";
em = "emacsclient -c";
emnw = "emacsclient -nw";
grep = "grep --color=auto";
l = "exa -l";
ls = "ls --color=auto";
nd = "nix develop --command zsh";
s = "nix-shell --run zsh";
sp = "nix-shell --run zsh -p";
spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p";
nd = "nix develop --command zsh";
em = "emacsclient -c";
emnw = "emacsclient -nw";
gst = "git status -sb";
gcm = "git commit -m";
gps = "git push";
gpl = "git pull";
tree = "exa --tree --icons";
"git clone git clone" = "git clone";
gcm = "git commit -m";
gpl = "git pull";
gps = "git push";
gst = "git status -sb";
};
};
hosts/burnham/configuration.nix
-40
View File
@@ -1,40 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
# Infrastructure
./services/wireguard.nix
# Other
./services/dyndns.nix
./services/nginx.nix
./services/thelounge.nix
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "burnham";
defaultGateway = "192.168.11.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.11.109"; prefixLength = 24; }
];
};
hostId = "8e24f235";
};
sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "23.11";
}
hosts/burnham/services/dyndns.nix
-11
View File
@@ -1,11 +0,0 @@
{ config, pkgs, lib, ... }:
{
sops.secrets."domeneshop/netrc" = { };
services.domeneshop-dyndns = {
enable = true;
domain = "site2.feal.no";
netrcFile = config.sops.secrets."domeneshop/netrc".path;
};
}
hosts/burnham/services/wireguard.nix
-62
View File
@@ -1,62 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.networking.wireguard.interfaces."wg0";
in {
networking = {
nat = {
enable = true;
externalInterface = "ens18";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ cfg.listenPort ];
wireguard.interfaces."wg0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/etc/wireguard/burnham.private";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
peers = [
{ # Defiant
publicKey = "8/711GhmN9+NcduHF4JPkfoZPE0qsDLuwhABcPyjNxI=";
persistentKeepalive = 120;
allowedIPs = [
"10.100.0.1/32"
"192.168.10.0/24"
];
endpoint = "site3.feal.no:51902";
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
{ # Work-laptop
publicKey = "px4YstB16lFjgdLQkH55wz8gQRupX/LTxg8dNFijDTA=";
allowedIPs = [
"10.100.0.7/32"
];
}
];
};
};
}
hosts/challenger/amalieem.nix
+37
View File
@@ -0,0 +1,37 @@
{ config, pkgs, lib, ... }:
let
cmdChownManga = pkgs.writeScriptBin "chownManga" ''
#!${pkgs.stdenv.shell}
chown -R amalieem:komga /tank/media/komga/Amalie
chmod -R 750 /tank/media/komga/Amalie
'';
in {
users.users."amalieem" = {
isNormalUser = true;
home = "/home/amalieem";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7e+BAoXIFmTeeBYAVImQAcyx6SCoYCErA7h16OGL70 amalieem@wentworth"
];
packages = with pkgs; [
cmdChownManga
mangal
rsync
];
};
security.sudo = {
enable = true;
extraRules = [{
commands = [
{
command = "${lib.getExe cmdChownManga}";
options = [ "NOPASSWD" ];
}
];
users = [ "amalieem" ];
}];
};
}
hosts/challenger/backup.nix
+73 -31
View File
@@ -1,38 +1,80 @@
{ config, pkgs, lib, ... }:
{
services.borgbackup.jobs =
let
borgJob = name: {
environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/voyager/${name}";
compression = "auto,zstd";
};
in {
postgresDaily = borgJob "postgres::daily" // {
paths = "/var/backup/postgres";
startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
services.restic.backups = let
localJob = name: paths: {
inherit paths;
repository = "/mnt/feal-syn1/backup/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 10"
];
};
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in {
postgresWeekly = borgJob "postgres::weekly" // {
paths = "/var/backup/postgres";
startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
# TODO: timemachine, nextcloud, komga, calibre
# Calibre metadata and config
calibre = localJob "calibre" [
"/var/lib/calibre-web"
"/var/lib/calibre-server"
];
# Other system backups (NB: Large!)
hostBackups = localJob "hostBackups" [
"/tank/backup"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
sops.secrets."borg/postgres" = { };
sops.secrets."borg/transmission" = { };
media = localJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
];
media-remote = cloudJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
# Nextcloud config and data
nextcloud = localJob "nextcloud" [ "/tank/nextcloud" ];
nextcloud-remote = cloudJob "nextcloud" [ "/tank/nextcloud" ];
# Postgresql databases
postgres = (localJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
postgres-remote = (cloudJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
# TODO: timemachine
};
sops.secrets."restic/calibre" = { };
sops.secrets."restic/hostBackups" = { };
sops.secrets."restic/media" = { };
sops.secrets."restic/nextcloud" = { };
sops.secrets."restic/postgres" = { };
environment.systemPackages = with pkgs; [
restic
];
}
hosts/challenger/configuration.nix
+22 -7
View File
@@ -7,15 +7,17 @@
../../base.nix
../../common/metrics-exporters.nix
./amalieem.nix
./backup.nix
./exports.nix
# ./exports.nix
./filesystems.nix
# ./services/archivebox.nix
./services/audiobookshelf.nix
./services/calibre.nix
./services/ersatztv.nix
./services/frigate.nix
./services/jellyfin.nix
./services/komga.nix
./services/navidrome.nix
./services/nextcloud.nix
./services/nginx.nix
./services/postgres.nix
@@ -24,7 +26,7 @@
networking = {
hostName = "challenger";
bridges.br0.interfaces = [ "enp5s0" ];
bridges.br0.interfaces = [ "ens18" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.10.161"; prefixLength = 24; }
@@ -44,16 +46,29 @@
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
security.polkit.enable = true; # Required for nextcloud
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"nvidia-kernel-modules"
"nvidia-settings"
"nvidia-x11"
];
hardware.nvidia = {
modesetting.enable = true;
open = false;
# https://github.com/sircam-html/nixos-conf/blob/main/guides/nvidia-nixos-guide.md
package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
version = "580.142";
sha256_64bit = "sha256-IJFfzz/+icNVDPk7YKBKKFRTFQ2S4kaOGRGkNiBEdWM=";
sha256_aarch64 = "sha256-0000000000000000000000000000000000000000000=";
openSha256 = "sha256-0000000000000000000000000000000000000000000=";
settingsSha256 = "sha256-BnrIlj5AvXTfqg/qcBt2OS9bTDDZd3uhf5jqOtTMTQM=";
persistencedSha256 = "sha256-0000000000000000000000000000000000000000000=";
};
};
hardware.opengl.enable = true;
hardware.graphics.enable = true;
services.xserver.videoDrivers = ["nvidia"];
system.stateVersion = "24.05";
hosts/challenger/exports.nix
+17 -7
View File
@@ -1,12 +1,22 @@
{ config, pkgs, lib, ... }:
{
# Enable nfs4 only
services.nfs.server = {
enable = true;
exports = ''
''; # TODO
fileSystems = {
"/export/riker-backup" = {
device = "/tank/backup/riker";
options = [ "bind" ];
fsType = "none";
};
};
networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
networking.firewall.allowedUDPPorts = [ 111 20048];
# Enable nfs4 only
# services.nfs.server = {
# enable = true;
# exports = ''
# /export 192.168.10.67(rw,fsid=0,no_subtree_check)
# /export/riker-backup 192.168.10.67(rw,nohide,no_subtree_check,no_root_squash)
# '';
# };
# networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
# networking.firewall.allowedUDPPorts = [ 111 20048];
}
hosts/challenger/filesystems.nix
+24 -2
View File
@@ -9,9 +9,9 @@
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
forceImportRoot = false;
};
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.zfs.autoScrub = {
enable = true;
@@ -20,8 +20,30 @@
fileSystems = {
"/mnt/feal-syn1/backup" = {
device = "feal-syn1.home.feal.no:/volume2/backup";
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.10.162:/volume2/backup";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
"/mnt/feal-syn2/backup" = {
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.11.163:/volume1/challenger";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
};
}
hosts/challenger/hardware-configuration.nix
+5 -8
View File
@@ -1,25 +1,22 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/ea31d0ea-2949-420a-99ea-7f77c4b7091e";
{ device = "/dev/disk/by-uuid/7101364b-9056-4309-afeb-3c17b220684f";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/169B-94E2";
{ device = "/dev/disk/by-uuid/FDCE-A287";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
hosts/challenger/services/archivebox.nix
+35
View File
@@ -0,0 +1,35 @@
{ config, lib, ... }:
let
host = "127.0.1.2";
port = "5009";
uid = 911;
gid = 911;
in {
users.users.archivebox = {
inherit uid;
group = "archivebox";
isSystemUser = true;
useDefaultShell = true;
description = "ArchiveBox web archiving tool";
};
users.groups.archivebox = {
inherit gid;
};
# ArchiveBox - Open source self-hosted web archiving.
virtualisation.oci-containers.containers.archivebox = {
image = "archivebox/archivebox:0.8.5rc50";
ports = [ "${host}:${port}:8000" ];
volumes = [
"/tank/archivebox:/data"
];
};
services.nginx.virtualHosts."archivebox.home.feal.no" = {
locations."/" = {
proxyPass = "http://${host}:${port}";
};
};
}
hosts/challenger/services/audiobookshelf.nix
+60
View File
@@ -0,0 +1,60 @@
{ config, lib, pkgs, ... }:
let
domain = "audiobooks.home.feal.no";
host = "127.0.1.2";
port = 5016;
in {
fileSystems = {
"/var/lib/audiobookshelf" = {
device = "/tank/media/audiobookshelf/config";
depends = [ "/tank/media/audiobookshelf" ];
fsType = "none";
options = [ "bind" ];
};
};
services.audiobookshelf = {
enable = true;
dataDir = "audiobookshelf";
inherit host port;
};
systemd.services.audiobookshelf = {
requires = [ "var-lib-audiobookshelf.mount" ];
serviceConfig = {
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [
"/var/lib/audiobookshelf"
"/tank/media/audiobookshelf"
];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
};
};
services.nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
proxyWebsockets = true;
};
};
}
hosts/challenger/services/ersatztv.nix
-27
View File
@@ -1,27 +0,0 @@
{ config, lib, pkgs, ... }:
let
domain = "etv.home.feal.no";
bind = "127.0.0.1:8409";
in {
virtualisation.oci-containers.containers.ersatztv = {
autoStart = true;
image = "jasongdove/ersatztv:latest-nvidia";
volumes = [
"/var/lib/ersatztv:/root/.local/share/ersatztv"
"/tank/media/other/ersatztv:/media" # Filler, watermarks, etc.
];
ports = [
"${bind}:8409"
];
environment = {
TZ = "Europe/Oslo";
};
extraOptions = [
"--device=/dev/dri"
];
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://${bind}";
};
}
hosts/challenger/services/frigate.nix
+50
View File
@@ -0,0 +1,50 @@
{ config, lib, pkgs, ... }:
{
fileSystems = {
"/var/lib/frigate" = {
device = "/tank/nvr/frigate";
depends = [ "/tank/nvr/frigate" ];
options = [ "bind" ];
fsType = "none";
};
};
services.frigate = {
enable = true;
hostname = "frigate.home.feal.no";
vaapiDriver = "nvidia";
checkConfig = false;
settings = {
# auth.reset_admin_password = true;
motion.enabled = true;
record.enabled = true;
# snapshots.enabled = true;
# detect = {
# enabled = true;
# fps = 5;
# };
cameras = {
driveway = {
ffmpeg.inputs = [
{
path = "rtsp://admin:placeholder@192.168.10.40/streaming/channels/101";
roles = [
"detect"
"record"
];
}
];
};
};
};
};
systemd.services.frigate.serviceConfig = {
# Allow GPU use
PrivateDevices = false;
# Allow cpuinfo
ProcSubset = "all";
};
}
hosts/challenger/services/jellyfin.nix
-4
View File
@@ -6,10 +6,6 @@
users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
systemd.services.jellyfin.serviceConfig = {
DeviceAllow = lib.mkForce [ "/dev/dri/card0" ];
};
services.nginx.virtualHosts."jellyfin.home.feal.no" = {
serverAliases = [ "jf.feal.no" ];
locations = {
hosts/challenger/services/komga.nix
+5 -3
View File
@@ -1,16 +1,18 @@
{ config, lib, pkgs, ... }:
let
domain = "komga.home.feal.no";
cfg = config.services.komga;
port = 5004;
in {
services.komga = {
enable = true;
stateDir = "/tank/media/komga";
port = 5001;
settings.server = {
inherit port;
};
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
locations."/".proxyPass = "http://127.0.0.1:${toString port}";
extraConfig = ''
client_max_body_size 512M;
hosts/challenger/services/navidrome.nix
-20
View File
@@ -1,20 +0,0 @@
{ config, lib, pkgs, ... }:
let
domain = "music.feal.no";
cfg = config.services.navidrome;
in {
services.navidrome = {
enable = true;
settings = {
BaseUrl = "https://${domain}";
EnableSharing = true;
EnableTranscodingConfig = true;
MusicFolder = "/tank/media/music/";
SubsonicArtistParticipations = true;
};
};
services.nginx.virtualHosts."${domain}".locations."/" = {
proxyPass = "http://${cfg.settings.Address}:${toString cfg.settings.Port}";
};
}
hosts/challenger/services/nextcloud.nix
+6 -4
View File
@@ -5,7 +5,7 @@ let
in {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud29;
package = pkgs.nextcloud33;
inherit hostName;
home = "/tank/nextcloud";
https = true;
@@ -46,7 +46,9 @@ in {
oidc_login_filter_allowed_values = [ "nextcloud-user" ];
oidc_login_disable_registration = false;
"memories.exiftool" = "${cfg.home}/store-apps/memories/bin-ext/exiftool-amd64-glibc";
"memories.exiftool" = pkgs.writeShellScript "exiftool-perl" ''
${lib.getExe pkgs.perl} ${cfg.home}/store-apps/memories/bin-ext/exiftool/exiftool "$@"
'';
"memories.exiftool_no_local" = false;
"memories.vod.disable" = false;
"memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}";
@@ -73,7 +75,7 @@ in {
environment.systemPackages = [
cfg.occ # "occ CMD" in the docs -> "sudo -u nextcloud nextcloud-occ CMD"
pkgs.nodejs_20 # For Recognize; Put /run/current-system/sw/bin/node in the "node_binary" field in the web UI -> Memories
pkgs.nodejs # For Recognize; Put /run/current-system/sw/bin/node in the "node_binary" field in the web UI -> Memories
];
sops.secrets."nextcloud/adminpass" = {
@@ -133,7 +135,7 @@ in {
ProtectProc = "invisible";
ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
InaccessbilePaths = [ "/tank/media" "/tank/backup" ];
InaccessiblePaths = [ "/tank/media" "/tank/backup" ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
hosts/challenger/services/nginx.nix
+1 -1
View File
@@ -11,7 +11,7 @@
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."cloud.feal.no".default = true;
virtualHosts."jf.feal.no".default = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
hosts/challenger/services/timemachine.nix
+3 -3
View File
@@ -1,9 +1,9 @@
{ config, pkgs, ... }:
let
timeMachineDir = "/tank/backup/worf";
timeMachineDir = "/tank/backup/worf2";
user = "worf-backup";
sizeLimit = "800000"; # MiB
allowedIPs = "192.168.10.2 192.168.10.5"; #TODO
sizeLimit = "1000000"; # MiB
allowedIPs = "192.168.10.2 192.168.10.34"; #TODO
in {
services.avahi = {
enable = true;
hosts/defiant/backup.nix
+45 -57
View File
@@ -1,62 +1,50 @@
{ config, pkgs, lib, ... }:
{
services.borgbackup.jobs =
let
borgJob = name: {
environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/defiant/${name}";
compression = "auto,zstd";
};
in {
postgresDaily = borgJob "postgres::daily" // {
paths = "/data/backup/postgresql";
startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
postgresWeekly = borgJob "postgres::weekly" // {
paths = "/data/backup/postgresql";
startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
gitea = borgJob "gitea::weekly" // {
paths = "/tank/services/gitea";
startAt = "Mon *-*-* 05:15:00";
extraInitArgs = "--storage-quota 20G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/gitea".path}";
};
};
minecraft = borgJob "minecraft::weekly" // {
paths = "/var/lib/minecraft-wack";
startAt = "weekly";
extraInitArgs = "--storage-quota 20G";
encryption.mode = "none";
preHook = ''
${pkgs.mcrcon}/bin/mcrcon -p wack "say Starting Backup" "save-off" "save-all"
'';
postHook = ''
${pkgs.mcrcon}/bin/mcrcon -p wack "save-all" "say Completed Backup" "save-on" "save-all"
'';
};
services.restic.backups = let
localJob = name: paths: {
inherit paths;
repository = "/mnt/feal-syn1/backup/defiant/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
"--keep-daily 3"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/defiant/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in {
postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
# TODO: Matrix (keys,media,db), home-assistant, pihole, vaultwarden
sops.secrets."borg/postgres" = { };
sops.secrets."borg/gitea" = { };
gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
gitea-remote = (cloudJob "gitea" [ "/tank/services/gitea" ]);
matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
matrix-synapse-remote = (cloudJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
vaultwarden-remote = (cloudJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
};
# TODO: home-assistant, pihole
sops.secrets."restic/postgres" = { };
sops.secrets."restic/gitea" = { };
sops.secrets."restic/matrix-synapse" = { };
sops.secrets."restic/vaultwarden" = { };
}
hosts/defiant/configuration.nix
+5 -14
View File
@@ -5,28 +5,29 @@
[
../../base.nix
../../common/metrics-exporters.nix
./filesystems.nix
./hardware-configuration.nix
# Infrastructure
./backup.nix
./libvirt.nix
./services/dyndns.nix
./services/nginx.nix
./services/pihole.nix
./services/postgresql.nix
./services/wireguard.nix
# Services
./services/dyndns.nix
./services/flame.nix
./services/gitea.nix
./services/hedgedoc.nix
./services/home-assistant.nix
./services/keycloak.nix
./services/matrix
./services/microbin.nix
# ./services/minecraft.nix
# ./services/minecraft/home.nix
./services/monitoring
./services/rtl-tcp.nix
# ./services/rtl-tcp.nix
# ./services/searx.nix
./services/vaultwarden.nix
];
@@ -44,16 +45,6 @@
sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.prometheus.exporters.zfs.enable = true;
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
hosts/defiant/filesystems.nix
+34
View File
@@ -0,0 +1,34 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
boot = {
zfs = {
extraPools = [ "tank" ];
forceImportRoot = false;
};
supportedFilesystems = [ "zfs" ];
};
services.prometheus.exporters.zfs.enable = true;
environment.systemPackages = with pkgs; [
cifs-utils
zfs
];
fileSystems = {
"/mnt/feal-syn1/backup" = {
device = "192.168.10.162:/volume2/backup";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
};
}
hosts/defiant/libvirt.nix
+1
View File
@@ -11,6 +11,7 @@
fileSystems."/var/lib/libvirt/images" = {
device = "/tank/iso";
options = [ "bind" ];
fsType = "none";
};
# On a gui-enabled machine, connect with:
hosts/defiant/services/dyndns.nix
+1 -1
View File
@@ -5,7 +5,7 @@
services.domeneshop-dyndns = {
enable = true;
domain = "site3.feal.no";
domain = "site2.feal.no";
netrcFile = config.sops.secrets."domeneshop/netrc".path;
};
}
hosts/defiant/services/flame.nix
-22
View File
@@ -1,22 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "flame.home.feal.no";
host = "127.0.1.2";
port = "5005";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
flame = {
image = "pawelmalak/flame";
ports = [ "${host}:${port}:5005" ];
volumes = [
"/var/lib/flame/data:/app/data/"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${host}:${port}";
};
}
hosts/defiant/services/gitea.nix
+1 -1
View File
@@ -44,7 +44,7 @@ in {
ui = {
THEMES="gitea,arc-green,nord";
DEFAULT_THEME="nord";
#DEFAULT_THEME="nord";
};
};
hosts/defiant/services/home-assistant.nix
+2 -1
View File
@@ -8,9 +8,10 @@ in {
virtualisation.oci-containers.containers = {
homeassistant = {
image = "ghcr.io/home-assistant/home-assistant:2024.1";
image = "ghcr.io/home-assistant/home-assistant:2025.5.3";
extraOptions = [
"--network=host"
"--device=/dev/ttyUSB0" # Sonoff Zigbee 3.0 USB
];
volumes = [
"/tank/services/homeassistant/config:/config"
hosts/defiant/services/keycloak.nix
+7 -6
View File
@@ -1,6 +1,7 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.keycloak.settings;
hostname = "iam.feal.no";
in {
sops.secrets."keycloak/postgres" = { };
@@ -16,17 +17,17 @@ in {
settings = {
cache = "local";
hostname = "iam.feal.no";
hostname-strict-backchannel = true;
http-enable = true;
hostname = "https://${hostname}";
hostname-backchannel-dynamic = false;
http-enabled = true;
http-host = "127.0.1.2";
http-port = 5060;
proxy = "edge";
proxy-headers = "xforwarded";
};
};
# The main reverse proxy is defined in ./nginx.nix
services.nginx.virtualHosts.${cfg.hostname} = {
locations."= /".return = "302 https://${cfg.hostname}/realms/feal.no/account";
services.nginx.virtualHosts.${hostname} = {
locations."= /".return = "302 ${cfg.hostname}/realms/feal.no/account";
};
}
hosts/defiant/services/matrix/synapse.nix
+9 -3
View File
@@ -75,6 +75,8 @@
tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";
enableSlidingSync = true;
oidc_providers = [
{
idp_id = "keycloak";
@@ -82,10 +84,14 @@
issuer = "https://iam.feal.no/realms/feal.no";
client_id = "matrix-synapse";
client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path;
user_mapping_provicer.config = {
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}";
};
attribute_requirements = [{
attribute = "matrix-roles";
value = "matrix-user";
}];
backchannel_logout_enabled = true;
enable_registration = false;
}
@@ -93,10 +99,10 @@
};
};
services.postgresqlBackup.databases = [ "matrix-synapse" ];
services.redis.servers."".enable = true;
services.postgresqlBackup.databases = [ "matrix-synapse" ];
services.nginx.virtualHosts."matrix.feal.no" = {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
hosts/defiant/services/minecraft/home.nix
+50
View File
@@ -0,0 +1,50 @@
{ config, pkgs, lib, inputs, ... }:
{
imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
services.minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
dataDir = "/var/lib/minecraft-server";
servers.home = {
enable = true;
jvmOpts = "-Xms4G -Xmx4G";
package = pkgs.fabricServers.fabric-1_21_4;
serverProperties = {
motd = "Home <3";
difficulty = "easy";
view-distance = 16;
simulation-distance = 16;
enable-command-block = true;
enable-rcon = true;
online-mode = false;
"rcon.password" = "wack";
};
symlinks = {
mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
FabricAPI = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/8FAH9fuR/fabric-api-0.114.2%2B1.21.4.jar";
sha256 = "sha256-nL1bcAaMW0tRCpfW0prd3mce14ZNcl7pAUabVXAQfWs=";
};
Lithium = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/zVOQw7YU/lithium-fabric-0.14.6%2Bmc1.21.4.jar";
sha256 = "sha256-iF4hy+3XVJP7Fv6R2dsrYq6Ct0MQJLX4/4Yh5WEJm90=";
};
});
};
};
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server"
];
networking.firewall.allowedUDPPorts = [ 24454 ];
}
hosts/defiant/services/minecraft.nix → hosts/defiant/services/minecraft/wack.nix
View File
hosts/defiant/services/monitoring/grafana.nix
+9 -4
View File
@@ -9,10 +9,15 @@ in {
# TODO: Migrate sqlite to postgres
settings.server = {
domain = "grafana.home.feal.no";
http_port = 2342;
http_addr = "127.0.0.1";
settings = {
server = {
domain = "grafana.home.feal.no";
http_port = 2342;
http_addr = "127.0.0.1";
};
security = {
secret_key = "SW2YcwTIb9zpOOhoPsMm"; # TODO - Rotate
};
};
provision = {
hosts/defiant/services/monitoring/prometheus.nix
+4 -6
View File
@@ -17,14 +17,12 @@ in {
static_configs = [
{
targets = [
"burnham.home.feal.no:9100"
"challenger.home.feal.no:9100"
"constellation.home.feal.no:9100"
"defiant.home.feal.no:9100"
"edison.home.feal.no:9100"
"malcolm.home.feal.no:9100"
"mccoy.home.feal.no:9100"
"scotty.home.feal.no:9100"
"sulu.home.feal.no:9100"
"leonard.home.feal.no:9100"
"morn.home.feal.no:9100"
"sisko.home.feal.no:9100"
];
}
];
hosts/defiant/services/monitoring/snmp-exporter.nix
+9 -8
View File
@@ -1,12 +1,13 @@
{ config, pkgs, ... }:
{
services.prometheus.exporters.snmp = {
enable = true;
configurationPath = ./snmp-exporter-conf.yml;
# snmp.yml is built from
# https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml
# and
# https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
};
# TODO - Fix. Broken in 26.05
# services.prometheus.exporters.snmp = {
# enable = true;
# configurationPath = ./snmp-exporter-conf.yml;
# # snmp.yml is built from
# # https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml
# # and
# # https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
# };
}
hosts/defiant/services/nginx.nix
+47 -6
View File
@@ -12,8 +12,6 @@ in {
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."git.feal.no".default = true;
defaultListen = [
{
addr = "192.168.10.175";
@@ -33,6 +31,15 @@ in {
defaults.email = "felix@albrigtsen.it";
};
# security.acme.certs."domainname" = {
# dnsProvider = "domeneshop";
# environmentFile = config.sops.secrets."domeneshop/acme".path;
# webroot = null;
# };
sops.secrets."domeneshop/acme" = {
group = "nginx";
};
# Publicly exposed services:
services.nginx.virtualHosts = let
@@ -57,16 +64,50 @@ in {
} // overrides;
in {
"cloud.feal.no" = publicProxy "" {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
# Note: cloud.feal.no is overriden in the local DNS, to allow use through Wireguard VPN
{ addr = "192.168.10.175"; port = 443; ssl = true; }
{ addr = "192.168.10.175"; port = 80; ssl = false; }
];
locations."/" = {
proxyPass = "http://challenger.home.feal.no";
extraConfig = ''
client_max_body_size 8G;
'';
};
extraConfig = ''
# Direct local traffic and NAT Hairpin
allow 192.168.10.0/24;
# Wireguard
allow 10.100.0.0/24;
# AS16185
allow 82.146.64.0/19;
allow 217.31.96.0/20;
allow 185.166.44.0/22;
# NTNU
allow 129.241.0.0/16;
deny all;
'';
};
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" {};
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" {};
"iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" {};
"music.feal.no" = publicProxy "http://challenger.home.feal.no/" {};
"amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
"iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { };
"kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
"wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
};
security.acme.certs."cloud.feal.no" = {
dnsProvider = "domeneshop";
environmentFile = config.sops.secrets."domeneshop/acme".path;
webroot = null;
};
}
hosts/defiant/services/pihole.nix
+1 -1
View File
@@ -4,7 +4,7 @@ let
dnsHost = "192.168.10.175";
webuiListen = "127.0.1.2:5053";
in {
# Flame - Homelab dashboard/linktree
# Pihole - Ad-blocking DNS recursor and authoritative DNS/DHCP
virtualisation.oci-containers.containers = {
pihole = {
image = "pihole/pihole";
hosts/defiant/services/postgresql.nix
+9 -2
View File
@@ -2,17 +2,24 @@
{
services.postgresql = {
enable = true;
enableTCPIP = false;
enableTCPIP = true;
authentication = ''
host all all 172.16.0.0/12 md5
'';
};
services.postgresqlBackup = {
enable = true;
location = "/data/backup/postgresql/";
location = "/tank/backup/postgresql";
startAt = "*-*-* 03:15:00";
# Each service is registered in its own configuration file
databases = [ ];
};
# Docker containers on this host can reach postgres
networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port 5432 -s 172.16.0.0/12 -j ACCEPT";
environment.systemPackages = [ config.services.postgresql.package ];
}
hosts/defiant/services/searx.nix
+39
View File
@@ -0,0 +1,39 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.searx;
domain = "search.home.feal.no";
in {
services.searx = {
enable = true;
environmentFile = config.sops.secrets."searx/envfile".path;
settings = {
server = {
secret_key = "@SEARX_SECRET_KEY@";
base_url = "http://${domain}";
};
};
runInUwsgi = true;
uwsgiConfig = {
socket = "/run/searx/searx.sock";
chmod-socket = "660";
};
redisCreateLocally = true;
};
sops.secrets."searx/envfile" = {
owner = "searx";
group = "searx";
};
users.groups."searx".members = [ "nginx" ];
services.nginx.virtualHosts."${domain}" = {
locations."/".extraConfig = ''
include ${config.services.nginx.package}/conf/uwsgi_params;
uwsgi_pass unix:${cfg.uwsgiConfig.socket};
'';
};
}
hosts/defiant/services/vaultwarden.nix
+8 -4
View File
@@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.vaultwarden;
domain = "pw.feal.no";
domain = "pw.home.feal.no";
address = "127.0.1.2";
port = 3011;
wsPort = 3012;
@@ -43,13 +43,17 @@ in {
services.postgresqlBackup.databases = [ "vaultwarden" ];
security.acme.certs."pw.home.feal.no" = {
dnsProvider = "domeneshop";
environmentFile = config.sops.secrets."domeneshop/acme".path;
webroot = null;
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
{ addr = "192.168.10.175"; port = 443; ssl = true; }
{ addr = "192.168.10.175"; port = 80; ssl = false; }
];
extraConfig = ''
hosts/defiant/services/wireguard.nix
+3 -43
View File
@@ -16,53 +16,13 @@ in {
privateKeyFile = "/etc/wireguard/defiant.private";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o enp3s0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o enp3s0 -j MASQUERADE
'';
peers = [
{ # Burnham
publicKey = "JcfyrMoZmnbibVLaIKuGSARAX2alFv4kwLbJaLBNbzo=";
persistentKeepalive = 60;
allowedIPs = [
"10.100.0.2/32"
"192.168.11.0/24"
];
endpoint = "site2.feal.no:51902";
}
{ # Sulu
publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
allowedIPs = [
"10.100.0.3/32"
];
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
{ # Work-laptop
publicKey = "px4YstB16lFjgdLQkH55wz8gQRupX/LTxg8dNFijDTA=";
allowedIPs = [
"10.100.0.7/32"
];
}
];
peers = (import ../../../common/wireguard-peers.nix);
};
};
}
hosts/fa-t14-2025/configuration.nix
+59
View File
@@ -0,0 +1,59 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
networkmanager.enable = true;
wireguard.enable = true;
tempAddresses = "disabled";
hostName = "fa-t14-2025";
nameservers = [ "9.9.9.9" ];
domain = "it.hime.no";
hostId = "f458d6aa";
search = [
"mktv.no"
"mktv.local"
];
};
services.openssh.openFirewall = false;
environment.systemPackages = with pkgs; [
inetutils
wireguard-tools
];
virtualisation.docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
users.users.felixalb = {
uid = 1000;
openssh.authorizedKeys.keys = [ ];
extraGroups = [ "networkmanager" ];
};
console.keyMap = "no";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"securecrt"
"securefx"
];
};
system.stateVersion = "25.05";
}
hosts/fa-t14-2025/desktop.nix
+51
View File
@@ -0,0 +1,51 @@
{ config, pkgs, lib, ... }:
{
hardware.graphics.enable = true;
services.xserver = {
enable = true;
xkb = {
options = "ctrl:nocaps";
layout = "no";
};
};
services.displayManager.ly.enable = true;
services.gnome.gnome-keyring.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
# Fonts
fonts = {
fontDir.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-color-emoji
noto-fonts-cjk-sans
font-awesome
fira-code
hack-font
nerd-fonts.hack
];
};
# Misc:
xdg.portal = {
enable = true;
wlr.enable = true;
};
location.provider = "geoclue2";
security.polkit.enable = true;
services.dbus.packages = [ pkgs.gcr ];
services.openssh.settings.X11Forwarding = true;
programs.nm-applet.enable = true;
}
hosts/fa-t14-2025/hardware-configuration.nix
+53
View File
@@ -0,0 +1,53 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "resume_offset=3037184" "mem_sleep_default=deep" ];
boot.resumeDevice = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
powerManagement.enable = true;
services.power-profiles-daemon.enable = true;
services.logind.settings.Login = {
HandleLidSwitch = "suspend-then-hibernate";
HandleLidSwitchDocked = "ignore";
HandlwPowerKey = "suspend-then-hibernate";
HandlePowerKeyLongPress = "poweroff";
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/3ecaedab-415c-4cce-a3a9-9f3782acb682";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0800-59D9";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [
{
device = "/var/lib/swapfile";
size = 32*1024;
}
];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
hosts/fa-t14-2025/home.nix
+107
View File
@@ -0,0 +1,107 @@
{ pkgs, lib, ... }:
let
emailAddress = "felix.albrigtsen@mktv.no";
in {
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
bc
catimg
chromium
dig
element-desktop
gnumeric
hunspellDicts.en_US
hunspellDicts.nb_NO
iperf3
jq
libreoffice
mpv
oauth2ms
oldssh
openssl
openvpn
pavucontrol
pwgen
traceroute
virt-manager
w3m
nixpkgs-2211.remmina
unstable.microsoft-edge
# (unstable.microsoft-edge.overrideAttrs ({ installPhase ? "", ... }: {
# installPhase = installPhase + ''
# ln -s $out/bin/microsoft-edge $out/bin/microsoft-edge-stable
# '';
# }))
# Window Manager Extras
bibata-cursors
brightnessctl
cliphist
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
rofi-rbw-wayland
swaynotificationcenter
waybar
wl-clipboard
(python312.withPackages (ps: with ps; [
numpy
pycryptodome
requests
]))
];
programs = {
aerc = {
enable = true;
package = pkgs.aerc;
};
firefox.enable = true;
git.settings.user.email = emailAddress;
rbw = {
enable = true;
settings = {
base_url = "https://vault.mktv.no";
email = emailAddress;
pinentry = pkgs.pinentry-rofi;
lock_timeout = 60*60*8;
};
};
rofi = {
enable = true;
# theme = "iggy";
theme = "Arc-Dark";
};
zsh = {
shellAliases = {
"kssh" = "ssh -t controlnode ssh";
"ossh" = "oldssh -oHostKeyAlgorithms=+ssh-dss -oCiphers=+aes256-cbc -oKexAlgorithms=+diffie-hellman-group14-sha1";
"rebuild" = "sudo nixos-rebuild switch --flake /config";
};
prezto.pmodules = [ "ssh" ];
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
};
};
home.stateVersion = "25.05";
}
hosts/felixalbpc/configuration.nix
-40
View File
@@ -1,40 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
./desktop
];
networking = {
interfaces.eno1 = {
useDHCP = true;
ipv6.addresses = [
{ address = "2001:700:300:22::15"; prefixLength = 64; }
];
};
tempAddresses = "disabled";
hostName = "felixalbpc";
nameservers = [ "129.241.0.200" "129.241.0.201" "2001:700:300::200" "2001:700:300::201" ];
domain = "it.ntnu.no";
hostId = "f458d6aa";
};
console.keyMap = "no";
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"copilot.vim"
];
users.users.felixalb = {
uid = 1328256;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ ];
};
system.stateVersion = "24.05";
}
hosts/felixalbpc/desktop/default.nix
-97
View File
@@ -1,97 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.xserver = {
enable = true;
displayManager.gdm = {
enable = true;
wayland = true;
};
xkb = {
options = "ctrl:nocaps";
variant = "intl";
layout = "no,us";
};
windowManager.qtile.enable = true;
};
programs.hyprland.enable = true;
hardware.keyboard.zsa.enable = true;
environment.sessionVariables.NIXOS_OZONE_WL = "1";
home-manager.users.felixalb = {
services = {
dunst.enable = true;
};
home.packages = with pkgs; [
i3lock
libnotify
pamixer
pavucontrol
sxhkd
xclip
xss-lock
];
};
hardware.opengl.enable = true;
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
hardware.pulseaudio.enable = false;
# Fonts
fonts = {
fontDir.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-emoji
noto-fonts-cjk-sans
font-awesome
fira-code
hack-font
(nerdfonts.override {
fonts = [
"Hack"
];
})
];
};
# # Dark mode
# home-manager.users.felixalb = {
# dconf.settings = {
# "org/gnome/desktop/interface" = {
# color-scheme = "prefer-dark";
# };
# };
# gtk = {
# enable = true;
# theme = {
# name = "Adwaita-dark";
# package = pkgs.gnome.gnome-themes-extra;
# };
# };
# };
# qt = {
# enable = true;
# platformTheme = "gnome";
# style = "adwaita-dark";
# };
# Misc:
xdg.portal = {
enable = true;
wlr.enable = true;
};
location.provider = "geoclue2";
security.polkit.enable = true;
services.openssh.settings.X11Forwarding = true;
}
hosts/felixalbpc/hardware-configuration.nix
-35
View File
@@ -1,35 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptlvm".device = "/dev/disk/by-uuid/7516ebdb-14c3-4cb5-9d06-5e9d0e34b798";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/02ac773e-31ff-4579-ad9a-859ba74f2a9e";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/77ED-720D";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-label/swap"; }
];
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
hosts/felixalbpc/home.nix
-56
View File
@@ -1,56 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
catimg
chromium
dante
dig
element-desktop
jq
maim
mpv
oauth2ms
openssl
openstackclient
pwgen
remmina
w3m
(python311.withPackages (ps: with ps; [
numpy
pycryptodome
python-novaclient
requests
]))
];
programs = {
aerc.enable = true;
alacritty.enable = true;
firefox.enable = true;
git.extraConfig.user.email = "felix.albrigtsen@ntnu.no";
rofi.enable = true;
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
neovim.plugins = with pkgs.vimPlugins; [ copilot-vim ];
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
};
};
home.stateVersion = "24.05";
}
hosts/leonard/backup.nix
+43
View File
@@ -0,0 +1,43 @@
{ config, pkgs, lib, ... }:
{
services.restic.backups = let
localJob = name: paths: {
inherit paths;
repository = "/mnt/feal-syn1/backup/leonard/${name}"; # TODO - Mount first
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
"--keep-daily 3"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
extraOptions = [ "rclone.program=\"ssh rsyncnet\"" ];
# repository = "rclone::/${name}";
repository = "rclone:";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in {
# TODO - local NAS backups
mysql-remote = (cloudJob "postgres" [ "/var/backup/mysql" ]) // {
timerConfig.OnCalendar = "01:30"; # 1h after mysqlBackup
};
# WIP
# postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
# timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
# };
};
sops.secrets."restic/mysql" = { };
sops.secrets."restic/postgres" = { };
}
hosts/leonard/configuration.nix
+55
View File
@@ -0,0 +1,55 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./backup.nix
./services/mysql.nix
./services/nginx.nix
./services/postgresql.nix
./services/wiki-wackattack-eu.nix
./services/www-feal-no
./services/www-kinealbrigtsen-no.nix
./services/www-amalie-mansaker-no
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
networking = {
hostName = "leonard";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.207"; prefixLength = 24; }
];
};
hostId = "b99c12d1";
# Prepend the following output rules to disallow talking to other devices on LAN
firewall.extraCommands = lib.strings.concatLines ([
"iptables -F OUTPUT"
] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
"iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
"iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
"iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
]);
};
sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "25.05";
}
hosts/malcolm/hardware-configuration.nix → hosts/leonard/hardware-configuration.nix
+7 -10
View File
@@ -1,6 +1,3 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
@@ -14,17 +11,17 @@
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7240554f-d9d9-457a-91d5-c70c09d96595";
{ device = "/dev/disk/by-uuid/4a70c1d5-9d72-4581-8f75-733b91c10669";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/88C2-BAC8";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ {
device = "/swapfile";
size = 4*1024;
} ];
swapDevices = [ ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
hosts/malcolm/home.nix → hosts/leonard/home.nix
+1 -1
View File
@@ -8,5 +8,5 @@
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "24.05";
home.stateVersion = "25.05";
}
hosts/malcolm/services/mysql.nix → hosts/leonard/services/mysql.nix
+4 -1
View File
@@ -6,5 +6,8 @@
package = pkgs.mariadb;
};
# TODO: services.mysqlBackup
services.mysqlBackup = {
enable = true;
calendar = "00:30:00";
};
}
hosts/burnham/services/nginx.nix → hosts/leonard/services/nginx.nix
View File
hosts/leonard/services/postgresql.nix
+20
View File
@@ -0,0 +1,20 @@
{ config, pkgs, lib, ... }:
{
services.postgresql = {
enable = true;
enableTCPIP = false;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
services.postgresqlBackup = {
enable = true;
location = "/backup/postgresql/";
startAt = "*-*-* 03:15:00";
backupAll = true;
};
environment.systemPackages = [ config.services.postgresql.package ];
}
hosts/leonard/services/wiki-wackattack-eu.nix
+38
View File
@@ -0,0 +1,38 @@
{ config, ... }:
let
bindIP = "127.0.1.2";
port = 5051;
cfg = config.services.wiki-js;
in {
# sops.secrets."wikijs/envfile" = {
# restartUnits = [ "wiki-js.service" ];
# };
services.wiki-js = {
enable = true;
# environmentFile = config.sops.secrets."wikijs/envfile".path;
settings = {
inherit bindIP port;
db = {
type = "postgres";
host = "/run/postgresql";
db = "wiki-js";
user = "wiki-js";
};
};
};
services.postgresql = {
ensureDatabases = [ "wiki-js" ];
ensureUsers = [{
name = "wiki-js";
ensureDBOwnership = true;
}];
};
services.nginx.virtualHosts."wiki.wackattack.eu" = {
locations."/" = {
proxyPass = "http://${bindIP}:${toString port}";
};
};
}
hosts/leonard/services/www-amalie-mansaker-no/default.nix
+11
View File
@@ -0,0 +1,11 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."amalie.mansaker.no" = let
siteContent = pkgs.callPackage ./site.nix { };
in {
locations = {
"/".root = siteContent;
};
};
}
hosts/leonard/services/www-amalie-mansaker-no/site.nix
+26
View File
@@ -0,0 +1,26 @@
{ stdenv, fetchgit, hugo }:
stdenv.mkDerivation {
name = "www-amalie-mansaker-no";
src = fetchgit {
url = "https://git.feal.no/amalieem/amalie.mansaker.no.git";
fetchSubmodules = true;
rev = "f5ff8133b9d31de0de7386be8831de0d0fab6f95";
hash = "sha256-fld2f9PW1vwnals6kUerXzqGP/anMs7abstaYfaXO4Q=";
};
nativeBuildInputs = [ hugo ];
buildPhase = ''
cp -r $src/* .
${hugo}/bin/hugo
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -r public/* $out/
runHook postInstall
'';
}
hosts/leonard/services/www-feal-no/default.nix
+26
View File
@@ -0,0 +1,26 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."feal.no" = {
default = true;
serverAliases = [
"www.feal.no"
];
locations = {
# TODO: Reinstate actual website
"/".return = "302 https://git.feal.no/";
"^~ /.well-known/" = {
alias = (toString ./well-known) + "/";
};
"/cc/" = {
alias = "${pkgs.cyberchef}/share/cyberchef/";
index = "index.html";
};
"= /cc".return = "302 /cc/";
};
};
}
hosts/leonard/services/www-feal-no/well-known/matrix/client
+5
View File
@@ -0,0 +1,5 @@
{
"m.homeserver": {
"base_url": "https://matrix.feal.no:443"
}
}
hosts/leonard/services/www-feal-no/well-known/matrix/server
+1
View File
@@ -0,0 +1 @@
{"m.server": "matrix.feal.no:443"}
hosts/malcolm/services/www-kinealbrigtsen-no.nix → hosts/leonard/services/www-kinealbrigtsen-no.nix
+3 -1
View File
@@ -20,6 +20,9 @@
};
}
];
services.mysqlBackup.databases = [
"www_kinealbrigtsen_no"
];
services.phpfpm.pools.www-kinealbrigtsen-no = {
user = "www-kinealbrigtsen-no";
@@ -83,7 +86,6 @@
set_real_ip_from 192.168.11.0/24;
real_ip_header X-Forwarded-For;
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
hosts/malcolm/configuration.nix
-47
View File
@@ -1,47 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../common/metrics-exporters.nix
./services/mysql.nix
./services/nginx.nix
./services/www-kinealbrigtsen-no.nix
];
networking = {
hostName = "malcolm";
bridges.br0.interfaces = [ "ens18" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.11.106"; prefixLength = 24; }
];
hostId = "620c42d0";
defaultGateway = "192.168.11.1";
# Prepend the following output rules to disallow talking to other devices on LAN
firewall.extraCommands = lib.strings.concatLines ([
"iptables -F OUTPUT"
] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
"iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
"iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
"iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
]);
};
# virtualisation.oci-containers.backend = "docker";
# systemd.services.docker.postStart = lib.concatMapStringsSep "\n" (rule: "${pkgs.iptables}/bin/iptables ${rule}") ([
# "-F DOCKER-USER"
# ] ++ (map (addr: "-A DOCKER-USER -p udp --dport 53 -d ${addr} -j RETURN") config.networking.nameservers) ++ [
# "-A DOCKER-USER -d 192.168.10.0/24 -j REJECT"
# "-A DOCKER-USER -d 192.168.11.0/24 -j REJECT"
# "-A DOCKER-USER -j RETURN"
# ]);
system.stateVersion = "24.05";
}
hosts/morn/configuration.nix
+35
View File
@@ -0,0 +1,35 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/nginx.nix
./services/glance
./services/miniflux.nix
./services/thelounge.nix
];
networking = {
hostName = "morn";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.203"; prefixLength = 24; }
];
};
hostId = "89b7722d";
};
sops.defaultSopsFile = ../../secrets/morn/morn.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "24.11";
}
hosts/burnham/hardware-configuration.nix → hosts/morn/hardware-configuration.nix
+16 -6
View File
@@ -1,3 +1,6 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
@@ -11,20 +14,27 @@
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/31ff6d37-52d6-43c3-a214-5d38a6c38b0e";
{ device = "/dev/disk/by-uuid/93307186-cbc3-4748-859f-0013a1e36def";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/cce59ee7-7c83-4165-a9b0-f950cd2e3273"; }
];
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/FFCD-993A";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ {
device = "/swapfile";
size = 4*1024;
} ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
#networking.useDHCP = lib.mkDefault true;
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
hosts/burnham/home.nix → hosts/morn/home.nix
+1 -1
View File
@@ -8,5 +8,5 @@
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "23.05";
home.stateVersion = "24.11";
}
hosts/morn/services/glance/default.nix
+15
View File
@@ -0,0 +1,15 @@
{ config, values, ... }:
{
services.glance = {
enable = true;
settings = import ./settings.nix;
};
services.nginx.virtualHosts."glance.home.feal.no" = let
inherit (config.services.glance.settings.server) host port;
in {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
}
hosts/morn/services/glance/settings.nix
+83
View File
@@ -0,0 +1,83 @@
{ config, ... }:
{
server = {
port = 5001;
host = "127.0.1.2";
};
pages =
let
fullCol = widgets: {
size = "full";
inherit widgets;
};
in
[
{
name = "Home";
columns = [
(fullCol [
{
type = "search";
search-engine = "http://search.home.feal.no/search?q={QUERY}";
}
{
type = "weather";
units = "metric";
location = "Trondheim, Norway";
}
])
(fullCol [
{
type = "hacker-news";
limit = 20;
collapse-after = 5;
}
{
type = "monitor";
cache = "5m";
sites =
let
site = title: url: { inherit title url; };
in
[
(site "Jellyfin" "http://jellyfin.home.feal.no")
(site "Gitea" "https://git.feal.no")
(site "VaultWarden" "https://pw.feal.no")
];
}
])
];
}
{
name = "News";
columns =
let
feed = title: url: { inherit title url; };
rss = title: feeds: {
type = "rss";
inherit title feeds;
};
in
[
(fullCol [
(rss "Norway" [
(feed "NRK" "https://www.nrk.no/toppsaker.rss")
(feed "Bygdeposten" "https://www.bygdeposten.no/service/rss")
(feed "Nidaros" "https://www.nidaros.no/service/rss")
])
])
(fullCol [
(rss "NTNU" [
(feed "OmegaV" "https://omegav.no/newsrss")
(feed "PVV" "https://www.pvv.ntnu.no/w/api.php?hidebots=1&urlversion=1&days=7&limit=50&action=feedrecentchanges&feedformat=atom")
(feed "IT-Varsel" "https://varsel.it.ntnu.no/subscribe/rss/")
])
])
];
}
];
}
hosts/morn/services/miniflux.nix
+23
View File
@@ -0,0 +1,23 @@
{ config, pkgs, lib, ... }:
let
domain = "rss.home.feal.no";
listen_addr = "127.0.1.2:5051";
in {
sops.secrets."miniflux/env" = { };
services.miniflux = {
enable = true;
adminCredentialsFile = config.sops.secrets."miniflux/env".path;
config = {
CREATE_ADMIN = true;
LISTEN_ADDR = listen_addr;
BASE_URL = "http://${domain}";
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${listen_addr}";
};
}
hosts/malcolm/services/nginx.nix → hosts/morn/services/nginx.nix
+6 -4
View File
@@ -2,16 +2,18 @@
{
services.nginx = {
enable = true;
clientMaxBodySize = "100m";
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."kinealbrigtsen.no".default = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
}
hosts/burnham/services/thelounge.nix → hosts/morn/services/thelounge.nix
View File
hosts/sisko/configuration.nix
+90
View File
@@ -0,0 +1,90 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
hostName = "sisko";
# networkmanager.enable = true;
defaultGateway = "192.168.10.1";
interfaces.enp14s0 = {
ipv4 = {
addresses = [
{ address = "192.168.10.172"; prefixLength = 24; }
];
};
wakeOnLan.enable = true;
};
hostId = "b716d781";
};
hardware.bluetooth.enable = true;
hardware.rtl-sdr.enable = true;
sops.defaultSopsFile = ../../secrets/sisko/sisko.yaml;
environment.variables = { EDITOR = "vim"; };
users.users.felixalb.extraGroups = [
"dialout"
"libvirtd"
"networkmanager"
"plugdev"
];
programs = {
alvr = {
enable = true;
openFirewall = true;
};
firefox = {
enable = true;
nativeMessagingHosts.packages = with pkgs; [ tridactyl-native ];
};
gamemode.enable = true;
immersed.enable = true;
steam = {
enable = true;
remotePlay.openFirewall = true;
};
virt-manager.enable = true;
};
virtualisation = {
libvirtd.enable = true;
spiceUSBRedirection.enable = true;
};
environment.systemPackages = with pkgs; [
virtiofsd
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"discord"
"immersed"
"spotify"
"steam"
"steam-unwrapped"
];
permittedInsecurePackages = [
"openssl-1.1.1w"
];
rocmSupport = true;
};
services.fwupd.enable = true;
system.stateVersion = "24.11";
}
hosts/sisko/desktop.nix
+70
View File
@@ -0,0 +1,70 @@
{ config, pkgs, lib, ... }:
{
# Video
hardware.graphics = {
enable = true;
enable32Bit = true;
};
hardware.amdgpu.opencl.enable = true;
services.displayManager.ly.enable = true;
services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
# Misc
fonts = {
fontDir.enable = true;
packages = with pkgs; [
fira-code
font-awesome
hack-font
nerd-fonts.hack
noto-fonts
noto-fonts-cjk-sans
noto-fonts-color-emoji
];
};
environment.sessionVariables = {
NIXOS_OZONE_WL = "1";
SSH_AUTH_SOCK = "/run/user/${toString config.users.users.felixalb.uid}/keyring/ssh";
};
services.gnome.gnome-keyring.enable = true;
# Dark mode
home-manager.users.felixalb = {
dconf.settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
};
gtk = {
enable = true;
theme = {
name = "Adwaita-dark";
package = pkgs.gnome-themes-extra;
};
};
};
qt = {
enable = true;
platformTheme = "gnome";
style = "adwaita-dark";
};
}
hosts/sisko/hardware-configuration.nix
+55
View File
@@ -0,0 +1,55 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.extraModprobeConfig = "options bluetooth disable_ertm=1"; # Xbox controller
hardware.xpadneo.enable = true;
boot.kernel.sysctl = {
"vm.max_map_count" = 16777216;
# "fs.file-max" = 524288;
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ {
device = "/swapfile";
size = 64*1024;
} ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp14s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp15s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
hosts/sisko/home.nix
+162
View File
@@ -0,0 +1,162 @@
{ pkgs, lib, config, ... }:
{
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
# GUI Applications
cantata
chromium
discord
easyeffects
element-desktop
emacs-gtk
feishin
gqrx
kitty
libreoffice
lutris
mpv
mumble
orca-slicer
papers
pavucontrol
picard
pkgsRocm.hashcat
prismlauncher
restic
runelite
spotify
swayimg
thunderbird
tor-browser
bolt-launcher
exiftool
ghidra
pwndbg
snicat
# Window Manager Extras
bibata-cursors
cliphist
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
networkmanager
rofi-rbw-wayland
swaynotificationcenter
waybar
wl-clipboard
# Misc tools
abcde
bc
catimg
dante
dig
go
hunspellDicts.en_US
hunspellDicts.nb_NO
jq
nixpkgs-2211.remmina
ollama-rocm
openssl
playerctl
pwgen
restic
rocmPackages.clang
traceroute
w3m
(python313.withPackages (ps: with ps; [
numpy
pycryptodome
requests
]))
];
programs = {
aerc = {
enable = true;
package = pkgs.aerc;
};
alacritty = {
enable = true;
settings.window.opacity = 0.92;
};
ncmpcpp.enable = true;
rbw = {
enable = true;
settings = {
base_url = "https://pw.feal.no";
email = "felix@albrigtsen.it";
pinentry = pkgs.pinentry-gnome3;
};
};
rofi = {
enable = true;
theme = "iggy";
};
zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
prezto.pmodules = [ "ssh" ];
};
};
services = {
mpd = let
home = config.home.homeDirectory;
in {
enable = true;
musicDirectory = "${home}/mnt/music";
dataDir = "${home}/Music/mpd/data";
playlistDirectory = "${home}/Music/mpd/playlists";
extraConfig = ''
audio_output {
type "pipewire"
name "PipewireOut1"
}
'';
};
};
home.pointerCursor = {
name = "Bibata-Modern-Ice";
package = pkgs.bibata-cursors;
size = 24;
gtk.enable = true;
x11 = {
enable = true;
defaultCursor = true;
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
"inode/directory" = "org.gnome.Nautilus.desktop";
"application/pdf" = "org.gnome.Papers.desktop";
} // builtins.listToAttrs (
builtins.map
( imgType: { name = "image/${imgType}"; value = "swayimg.desktop"; } )
[ "apng" "bmp" "gif" "heic" "heif" "jpeg" "png" "svg" "svg+xml" "tiff" ]
);
};
home.stateVersion = "24.11";
}
hosts/voyager/backup.nix
-47
View File
@@ -1,47 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.borgbackup.jobs =
let
borgJob = name: {
environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/voyager/${name}";
compression = "auto,zstd";
};
in {
postgresDaily = borgJob "postgres::daily" // {
paths = "/var/backup/postgres";
startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
postgresWeekly = borgJob "postgres::weekly" // {
paths = "/var/backup/postgres";
startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
transmission = borgJob "transmission::weekly" // {
paths = "/var/lib/transmission";
startAt = "weekly";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/transmission".path}";
};
};
# TODO: timemachine, nextcloud, komga, calibre
};
sops.secrets."borg/postgres" = { };
sops.secrets."borg/transmission" = { };
}
hosts/voyager/configuration.nix
-51
View File
@@ -1,51 +0,0 @@
{ config, pkgs, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./backup.nix
./exports.nix
./filesystems.nix
./services/fancontrol.nix
./services/podgrab.nix
./services/snappymail.nix
./services/timemachine.nix
];
networking = {
hostName = "voyager";
bridges.br0.interfaces = [ "eno1" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.10.165"; prefixLength = 24; }
];
hostId = "8e84b235";
defaultGateway = "192.168.10.1";
};
sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
users.users."amalieem" = {
isNormalUser = true;
home = "/home/amalieem";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7e+BAoXIFmTeeBYAVImQAcyx6SCoYCErA7h16OGL70 amalieem@wentworth"
];
};
system.stateVersion = "22.11";
}
hosts/voyager/exports.nix
-27
View File
@@ -1,27 +0,0 @@
{ config, pkgs, lib, ... }:
{
fileSystems = {
"/export/riker-backup" = {
device = "/tank/backup/riker";
options = [ "bind" ];
};
"/export/defiant-backup" = {
device = "/tank/backup/defiant";
options = [ "bind" ];
};
};
# Enable nfs4 only
services.nfs.server = {
enable = true;
exports = ''
/export 192.168.10.4(rw,fsid=0,no_subtree_check) 192.168.10.5(rw,fsid=0,no_subtree_check) 192.168.10.2(rw,fsid=0,no_subtree_check) 192.168.10.175(rw,fsid=0,no_subtree_check)
/export/riker-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
/export/doyle-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
/export/defiant-backup 192.168.10.175(rw,nohide,no_subtree_check,async,no_root_squash)
'';
};
networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
networking.firewall.allowedUDPPorts = [ 111 20048];
}
hosts/voyager/filesystems.nix
-42
View File
@@ -1,42 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
environment.systemPackages = with pkgs; [ cifs-utils ];
# Local zfs
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
# Network mounts (import)
fileSystems = {
"/mnt/feal-syn1/media" = {
device = "feal-syn1.home.feal.no:/volume2/media";
fsType = "nfs";
options = [ "vers=3" ];
#options = [ "x-systemd.automount" "noauto" ];
};
"/mnt/feal-syn1/nfs_proxmox" = {
device = "//feal-syn1.home.feal.no/nfs_proxmox";
fsType = "cifs";
options = let
# this line prevents hanging on network split
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in ["${automount_opts},credentials=/etc/feal-syn1-credentials"];
};
"/var/backup" = {
device = "/tank/backup/voyager";
options = [ "bind "];
};
};
}
hosts/voyager/hardware-configuration.nix
-38
View File
@@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a6465c1c-4c93-423d-84a9-e4ecb9520741";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/D0C1-97CE";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
# networking.interfaces.idrac.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
hosts/voyager/home.nix
-12
View File
@@ -1,12 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "23.05";
}
hosts/voyager/modules/snappymail.nix
-102
View File
@@ -1,102 +0,0 @@
{ config, pkgs, lib, ... }:
let
inherit (lib) mkDefault mkEnableOption mkForce mkIf mkOption mkPackageOption generators types;
cfg = config.services.snappymail;
maxUploadSize = "256M";
in {
options.services.snappymail = {
enable = mkEnableOption "Snappymail";
package = mkPackageOption pkgs "snappymail" { };
dataDir = mkOption {
type = types.str;
default = "/var/lib/snappymail";
description = "State directory for snappymail";
};
hostname = mkOption {
type = types.nullOr types.str;
default = null;
example = "mail.example.com";
description = "Enable nginx with this hostname, null disables nginx";
};
user = mkOption {
type = types.str;
default = "snappymail";
description = "System user under which snappymail runs";
};
group = mkOption {
type = types.str;
default = "snappymail";
description = "System group under which snappymail runs";
};
};
config = mkIf cfg.enable {
users.users = mkIf (cfg.user == "snappymail") {
snappymail = {
description = "Snappymail service";
group = cfg.group;
home = cfg.dataDir;
isSystemUser = true;
};
};
users.groups = mkIf (cfg.group == "snappymail") {
snappymail = {};
};
services.phpfpm.pools.snappymail = {
user = cfg.user;
group = cfg.group;
phpOptions = generators.toKeyValue {} {
upload_max_filesize = maxUploadSize;
post_max_size = maxUploadSize;
memory_limit = maxUploadSize;
};
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"pm" = "ondemand";
"pm.max_children" = 32;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 500;
};
};
services.nginx = mkIf (cfg.hostname != null) {
virtualHosts."${cfg.hostname}" = {
locations."/".extraConfig = ''
index index.php;
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
'';
locations."^~ /data".extraConfig = ''
deny all;
'';
locations."~ \\.php$".extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools.snappymail.socket};
'';
extraConfig = ''
client_max_body_size ${maxUploadSize};
'';
root = if (cfg.package == pkgs.snappymail) then
pkgs.snappymail.override {
dataPath = cfg.dataDir;
}
else cfg.package;
};
};
};
}
hosts/voyager/services/fancontrol.nix
-63
View File
@@ -1,63 +0,0 @@
{ config, lib, pkgs, ... }:
{
systemd.timers."fancontrol" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar="*:0/3";
Unit = "fancontrol.service";
};
};
systemd.services."fancontrol" = {
environment = {
TEMP_MIN_FALLING = "50";
TEMP_MAX_RISING = "56";
TEMP_CRIT = "70";
LOW_FAN_SPEED = "0x10";
};
script = ''
SET_FAN_MANUAL="0x30 0x30 0x01 0x00" # Enable manual control
SET_FAN_AUTO="0x30 0x30 0x01 0x01" # Disable manual control
SET_FAN_LOW="0x30 0x30 0x02 0xff $LOW_FAN_SPEED"
SET_FAN_MAX="0x30 0x30 0x02 0xff 0x64" # force 100%
# Get all temperatures readings starting with "Temp ", find all two digit numbers followed by spaces, find the largest one, trim the trailing space
maxcoretemp=$(${pkgs.ipmitool}/bin/ipmitool sdr type temperature | grep '^Temp ' | grep -Po '\d{2} ' | sort -nr | head -n1 | xargs)
# Verify that we read a valid number
ISNUMBER='^[0-9]+$'
if ! [[ $maxcoretemp =~ $ISNUMBER ]] ; then
echo "Error: could not read temperature" >&2
exit 2
fi
echo "Highest measured CPU temperature: '$maxcoretemp'"
if [ "$maxcoretemp" -gt "$TEMP_CRIT" ]; then
echo "TOO HOT, CRITICAL CPU TEMP"
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MANUAL
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MAX
exit 1
fi
if [ "$maxcoretemp" -gt "$TEMP_MAX_RISING" ]; then
echo "TOO HOT, switching to IDRAC fan controL"
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_AUTO
exit 0
fi
if [ "$maxcoretemp" -lt "$TEMP_MIN_FALLING" ]; then
echo "Sufficiently cooled, stepping down fans"
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MANUAL
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_LOW
exit 0
fi
echo "Temperature is between limits, doing nothing..."
'';
};
}
hosts/voyager/services/podgrab.nix
-22
View File
@@ -1,22 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.podgrab;
domain = "podgrab.home.feal.no";
in {
sops.secrets."podgrab/password" = { };
services.podgrab = {
enable = true;
port = 5104;
passwordFile = config.sops.secrets."podgrab/password".path;
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://localhost:${toString cfg.port}";
};
fileSystems."/tank/media/jellyfin/Podcasts" = {
device = "/var/lib/podgrab/data";
options = [ "bind "];
};
}
hosts/voyager/services/snappymail.nix
-17
View File
@@ -1,17 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [ ../modules/snappymail.nix ];
services.snappymail = {
enable = true;
hostname = "mail.home.feal.no";
};
services.nginx.virtualHosts."${config.services.snappymail.hostname}" = let
certPath = "/etc/ssl-snakeoil/home.feal.no";
in {
addSSL = true;
sslCertificate = "${certPath}.crt";
sslCertificateKey = "${certPath}.key";
};
}

Some files were not shown because too many files have changed in this diff Show More