Compare commits


75 Commits

024e67f6cf worf: add prismlauncher 2024-01-05 16:38:36 +01:00
48a03b9af3 nextcloud: move out of container 2024-01-05 16:38:36 +01:00
2ad5c53abd nextcloud: fix reverse proxy 2024-01-05 16:38:36 +01:00
2957af19b5 voyager: add nextcloud 2024-01-05 16:38:36 +01:00
3c2ca93725 voyager: move snappymail 2024-01-05 16:38:36 +01:00
de481fadbd defiant: More minecraft 2024-01-05 16:38:36 +01:00
65588566ec defiant: replace minecraft server 2024-01-05 16:38:36 +01:00
b5fbacf353 Update flake, add minecraft 2024-01-05 16:38:36 +01:00
08c34c2b99 worf: add nvim-emmet 2024-01-05 16:38:36 +01:00
7a55c25add neovim: add peristant undo file 2024-01-05 16:38:36 +01:00
1395285184 edison: enable flatpak 2024-01-05 16:38:36 +01:00
2b78818dd1 edison: install steam 2024-01-05 16:38:36 +01:00
187e61a942 defiant/metrics: Remove zfs exporter, fix snmp exporter 2024-01-05 16:38:36 +01:00
6f0c449648 metrics: fix iptables rules 2024-01-05 16:38:36 +01:00
8f4dfe7251 voyager: cleanup secrets 2024-01-05 16:38:36 +01:00
6b22ce630f Move metrics,gitea,vaultwarden from voyager to defiant 2024-01-05 16:38:36 +01:00
35a2f1f4fd Update DNS, add wackattack proxy 2024-01-05 16:38:36 +01:00
6137e829b4 Move more services to defiant. Remove sarek. 2024-01-05 16:38:36 +01:00
f8e9d5b20a update readme 2024-01-05 16:38:36 +01:00
d7141187a0 defiant: Configure matrix-synapse. Remove janeway. 2024-01-05 16:38:36 +01:00
a1a5ca0466 defiant: add hardware config 2024-01-05 16:38:35 +01:00
7af1688fb7 Initialize defiant 2024-01-05 16:38:35 +01:00
0c6923bae6 voyager: add home-manager 2024-01-05 16:38:35 +01:00
becd1f7a77 voyager: Upgrade to nixos-23.11 2024-01-05 16:38:35 +01:00
ef0865e42c janeway: move postgres abckup 2024-01-05 16:38:35 +01:00
fd76930f3b worf: update to nixos-23.11 2024-01-05 16:38:35 +01:00
7764ba6abb Flake -> 23.05. Patch/update sarek 2024-01-05 16:38:35 +01:00
554dded213 sarek: remove jupyter 2024-01-05 16:38:35 +01:00
aad746338a voyager: various cleanups 2024-01-05 16:38:35 +01:00
8b577024a0 Worf: various updates: nvim-telescope, yabai, sketchybar, builders 2024-01-05 16:38:35 +01:00
c3e09c0b7c voyager: add time machine, cleanup 2024-01-05 16:38:35 +01:00
fc1aa2468f worf: Add yabai/skhd. Add sarek as builder 2024-01-05 16:38:35 +01:00
f108b0cad2 worf: Add texlive, remove gs, ++ 2024-01-05 16:38:35 +01:00
d321a40cbc voyager: move addons 2024-01-05 16:38:35 +01:00
1496eadc02 voyager: remove synapse 2024-01-05 16:38:35 +01:00
1161ce68f3 janeway: add/fix synapse 2024-01-05 16:38:35 +01:00
de9a701f7d janeway: add keys 2024-01-05 16:38:35 +01:00
b69e3f7352 add host: janeway 2024-01-05 16:38:35 +01:00
621dfaf8cc remove host: chapel 2024-01-05 16:38:35 +01:00
29af401712 worf: minor updates 2024-01-05 16:38:35 +01:00
84fcb581eb sarek: docker -> podman 2024-01-05 16:38:35 +01:00
130cf2454a hedgedoc: move from voyaer to sarek 2024-01-05 16:38:35 +01:00
a12250f9e6 voyager: remove flame. Move DNS to base.nix 2024-01-05 16:38:35 +01:00
5a55fa3bb1 sarek: intialize service config. Move firewall to base.nix 2024-01-05 16:38:35 +01:00
14a9479482 sarek: initialize postgresql 2024-01-05 16:38:35 +01:00
25b4755227 voyager/sarek: Fix NFS export 2024-01-05 16:38:35 +01:00
e67906aa47 sarek: Manually configure networking 2024-01-05 16:38:35 +01:00
b01e7aa19c zsh: add unstable nix-shell 2024-01-05 16:38:35 +01:00
78ea6488c8 zsh: add zoxide. worf: remove vscode, add alacritty 2024-01-05 16:38:35 +01:00
54dfb01236 Add sarek and related NFS shares 2024-01-05 16:38:35 +01:00
aee4ce0099 Update jupyter server 2024-01-05 16:38:35 +01:00
73e4b0a658 Enable xrdp, replace exa with eza 2024-01-05 16:38:35 +01:00
5e03fd3019 Minor update; fix DHCP 2024-01-05 16:38:35 +01:00
29e3e5413a Add jupyter 2024-01-05 16:38:35 +01:00
251dd42b27 edison: add pipewire 2024-01-05 16:38:35 +01:00
57f5808ed2 Update flake, update edison-gui 2024-01-05 16:38:35 +01:00
59a24b2043 Develop edison, standardize home-manager 2024-01-05 16:38:35 +01:00
cd90d88972 Add edison 2024-01-05 16:38:35 +01:00
c43b1c1bf6 Prepare remote building, add searx 2024-01-05 16:38:35 +01:00
a367bcea17 Update worf, ctf-shell and flake.lock 2024-01-05 16:38:35 +01:00
040e088a60 Cleanup ctf-shell, add linux-only packages 2024-01-05 16:38:35 +01:00
31c4e373b9 Add ctf-shell, minor worf fixes 2024-01-05 16:38:35 +01:00
23ffa63687 Minor worf updates 2024-01-05 16:38:35 +01:00
c1dfb2d09a Update flake, fix gitea 2024-01-05 16:38:35 +01:00
0257578e50 Add workers with matrix-synapse-next, various fixes and updates 2024-01-05 16:38:32 +01:00
86fbd85038 Switch channel, update flake 2024-01-05 16:38:01 +01:00
17dc3d9e67 Added snappymail test config 2024-01-05 16:38:01 +01:00
ff36b3de6d Minor worf updates 2024-01-05 16:38:01 +01:00
f09ffaff15 Worf: git+vim 2024-01-05 16:38:01 +01:00
7b6131a114 Configure zsh, cleanup worf 2024-01-05 16:38:00 +01:00
80c4f39bd8 More worf-config 2024-01-05 16:38:00 +01:00
7f76b412dd Add home-manager and fix worf 2024-01-05 16:38:00 +01:00
eb118745a2 Add worf 2024-01-05 16:38:00 +01:00
344d447b8e Add worf keys and zfs-exporter 2024-01-05 16:38:00 +01:00
0f7361260c voyager: adjust gitea 2024-01-05 16:37:47 +01:00
158 changed files with 8591 additions and 6610 deletions


@@ -1,50 +1,27 @@
keys: keys:
- &bw_recovery age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur - &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
- &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
- &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773 - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
- &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
- &host_morn age14ar8q5454khxxf5ur2nxwk533nzycz2lh3635qwz35wh8yq0jpqskj2ksx
- &user_felixalb_sisko age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
- &user_felixalb_worf age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
creation_rules: creation_rules:
# Global secrets # Global secrets
- path_regex: secrets/[^/]+\.yaml$ - path_regex: secrets/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bw_recovery - *user_felixalb_old
- *user_felixalb_sisko - *user_felixalb
- *user_felixalb_worf
# Host specific secrets # Host specific secrets
- path_regex: secrets/burnham/[^/]+\.yaml$ - path_regex: secrets/voyager/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_burnham - *host_voyager
- *bw_recovery - *user_felixalb_old
- *user_felixalb_sisko - *user_felixalb
- *user_felixalb_worf
- path_regex: secrets/challenger/[^/]+\.yaml$
key_groups:
- age:
- *host_challenger
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/defiant/[^/]+\.yaml$ - path_regex: secrets/defiant/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_defiant - *host_defiant
- *bw_recovery - *user_felixalb
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/morn/[^/]+\.yaml$
key_groups:
- age:
- *host_morn
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
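Review bot: On the new side (right-hand column) the `secrets/defiant/` rule lists only `*host_defiant` and `*user_felixalb`, while the global rule and the `secrets/voyager/` rule still include `*user_felixalb_old`; if the old user key is being retired it should be removed from every rule, and if it is still wanted as a recovery recipient the defiant rule is the inconsistent one. Editing `creation_rules` only changes the recipient set for files that are subsequently created or re-encrypted — every existing ciphertext under `secrets/` keeps its previous recipients until `sops updatekeys` is run on it, so a key dropped here can still decrypt those files until that is done. A short comment above `creation_rules` such as `# Recipient changes are not retroactive: run 'sops updatekeys <file>' on every affected secret afterwards` would make that step hard to forget.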


@@ -1,7 +1,5 @@
## Felixalbs nixos config ## Felixalbs nixos config
![](https://github.com/NixOS/nixos-artwork/blob/master/releases/24.05-uakari/uakari.png?raw=true)
Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host. Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host.
Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix). Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
@@ -16,39 +14,3 @@ nix --extra-experimental-features "nix-command flakes" build ".#nixosConfigurati
``` ```
nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake github+felixalbrigtsen/nixos-server-conf.git --upgrade nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake github+felixalbrigtsen/nixos-server-conf.git --upgrade
``` ```
# Services and tools
Below is a list of _most_ of the services configured in this repo, at least the ones that are accessible to the public.
It might be incomplete or out of date, but should generally describe the state of my homelab.
Other installed packages and tools are described in the config files (like ./hosts/HOSTNAME/configuration.nix), but not listed here.
## Public / important services
- Matrix ([source](./hosts/defiant/services/matrix/default.nix)) - Decentralized, encrypted chat - Contact me at @felixalb:feal.no
- [Nextcloud](https://cloud.feal.no) ([source](./hosts/challenger/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail
- [Gitea](https://git.feal.no) ([source](./hosts/defiant/services/gitea.nix)) - Software forge / git server
- [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor
- HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller
- [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend
- [KeyCloak](https://iam.feal.no) ([source](./hosts/defiant/services/nextcloud.nix)) - Authentication provider, giving SSO with OIDC or SAML
- [Jellyfin](https://jf.feal.no) ([source](./hosts/challenger/services/jellyfin.nix)) - Local media streaming
## Networking
- I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)).
- A long time ago, I switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix).
- PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking.
- A simple custom DynDNS thing is defined [here](./common/domeneshop-dyndns.nix) and used [here](./hosts/defiant/services/dyndns.nix).
## Monitoring
- Prometheus ([source](./hosts/defiant/services/monitoring/prometheus.nix)) - Pull-based metrics system that fetches metrics over HTTP from a range of exporters and stores them in a time-series database
- Loki ([source](./hosts/defiant/services/monitoring/loki.nix)) - Central logging for all my hosts
- Grafana ([source](./hosts/defiant/services/monitoring/grafana.nix)) - Visualization and alerting for all my metrics and logs
- Uptime-Kuma ([source](./hosts/defiant/services/monitoring/uptime-kuma.nix)) - Uptime / health check with alerting
## Dotfiles and user tools
- (Neo)vim ([source](./home/neovim.nix)) - Text editor with my configuration for IDE-like support for autocompletion, syntax highlighting and efficient editing.
- Zsh ([source](./home/zsh.nix)) - My shell of choice


@@ -5,8 +5,8 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking = { networking = {
domain = lib.mkDefault "home.feal.no"; domain = "home.feal.no";
nameservers = lib.mkDefault [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ]; nameservers = [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ];
useDHCP = lib.mkDefault false; useDHCP = lib.mkDefault false;
}; };
@@ -29,40 +29,31 @@
trusted-users = [ "felixalb" ]; trusted-users = [ "felixalb" ];
builders-use-substitutes = true; builders-use-substitutes = true;
}; };
registry= {
nixpkgs.flake = inputs.nixpkgs;
};
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
bat
bottom bottom
eza
file
git git
gnugrep gnugrep
gnutar gnutar
htop
iotop
lm_sensors
nix-output-monitor
p7zip
python3
ripgrep ripgrep
rsync rsync
screen tree
unzip eza
usbutils
vim
wget wget
zip
] ++ lib.optionals (pkgs.stdenv.isLinux) [
dmidecode
lm_sensors
pciutils
]; ];
services.openssh = { services.openssh = {
enable = true; enable = true;
openFirewall = lib.mkDefault true;
settings = { settings = {
PermitRootLogin = "no"; PermitRootLogin = "no";
PasswordAuthentication = false; PasswordAuthentication = false;
@@ -71,12 +62,13 @@
extraConfig = '' extraConfig = ''
AllowTcpForwarding yes AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding yes AllowAgentForwarding yes
AuthenticationMethods publickey AuthenticationMethods publickey
''; '';
}; };
programs.mosh.enable = true; networking.firewall.allowedTCPPorts = [ 22 ];
users.users.felixalb = { users.users.felixalb = {
isNormalUser = true; isNormalUser = true;
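Review bot: On the new side (right-hand column) `networking.firewall.allowedTCPPorts = [ 22 ];` opens the SSH port independently of sshd's own configuration, whereas `services.openssh.openFirewall` (which the other side sets via `lib.mkDefault true`) tracks `services.openssh.ports`, so a host that later moves sshd off port 22 would not be left with a stale open port; `services.openssh.openFirewall = lib.mkDefault true;` is the safer form. In the hunks containing `domain = "home.feal.no";`/`nameservers = [ ... ];` and `uid = 1000;`/`openssh.authorizedKeys.keys = [` the new side also removes `lib.mkDefault`; if this file is imported as a shared base module, a per-host definition of any of these options now becomes an option conflict at evaluation time instead of an override, so keep `lib.mkDefault` on values hosts are expected to change, e.g. `uid = lib.mkDefault 1000;`. The `users.users.felixalb` attribute set that starts at the end of this hunk continues in the next one.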
@@ -84,12 +76,12 @@
"wheel" "wheel"
"docker" "docker"
]; ];
uid = lib.mkDefault 1000; uid = 1000;
openssh.authorizedKeys.keys = lib.mkDefault [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiPHhj0YbklJnJNcxD0IlzPxLTGfv095H5zyS/1Wb64 felixalb@edison.home.feal.no"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJky33ynjqyWP+hh24gFCMFIEqe3CjIIowGM9jiPbT79 felixalb@sisko.home.feal.no"
]; ];
shell = pkgs.zsh; shell = pkgs.zsh;
}; };


@@ -1,15 +0,0 @@
{ config, pkgs, lib, ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.feal.no/felixalb/nixos-config.git";
flags = [
# Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs.
"--refresh"
"--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.11"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable"
"--no-write-lock-file"
];
};
}


@@ -1,45 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.domeneshop-dyndns;
in {
options.services.domeneshop-dyndns = {
enable = lib.mkEnableOption "Domeneshop DynDNS";
domain = lib.mkOption {
type = lib.types.str;
description = "Domain name to configure";
};
netrcFile = lib.mkOption {
type = lib.types.path;
description = "Path to the file that contains `machine api.domeneshop.no login <DDNS_TOKEN> password <DDNS_SECRET>` from https://domene.shop/admin?view=api";
};
startAt = lib.mkOption {
type = lib.types.str;
default = "*:0/10"; # Every 10 minutes
description = "Systemd onCalendar expression for when to run the timer";
};
};
config = lib.mkIf cfg.enable {
systemd.services.domeneshop-dyndns = {
serviceConfig.LoadCredential = "netrc:${cfg.netrcFile}";
startAt = cfg.startAt;
script = ''
DNSNAME="${cfg.domain}"
NEW_IP="$(${lib.getExe pkgs.curl} --silent https://ipinfo.io/ip)"
OLD_IP="$(${lib.getExe pkgs.getent} hosts "$DNSNAME" | ${lib.getExe pkgs.gawk} '{ print $1 }')"
if [[ "$NEW_IP" != "$OLD_IP" ]]; then
echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
${lib.getExe pkgs.curl} --silent --netrc-file "$CREDENTIALS_DIRECTORY/netrc" "https://api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
else
echo "Old IP ($OLD_IP) matches new IP ($NEW_IP), exiting..."
fi
'';
};
};
}


@@ -1,7 +1,6 @@
{ config, pkgs, values, ... }: { config, pkgs, values, ... }:
let
metricsHost = "192.168.10.175"; # defiant.home.feal.no {
in {
services.prometheus.exporters.node = { services.prometheus.exporters.node = {
enable = true; enable = true;
port = 9100; port = 9100;
@@ -12,7 +11,7 @@ in {
# TODO: Move this into the node-exporter systemd service # TODO: Move this into the node-exporter systemd service
allowedTCPPorts = [ 9100 ]; allowedTCPPorts = [ 9100 ];
extraCommands = '' extraCommands = ''
iptables -A INPUT -p tcp -m tcp --source ${metricsHost}/32 --dport 9100 -j ACCEPT iptables -A INPUT -p tcp -m tcp --source 192.168.10.175/32 --dport 9100 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9100 -j DROP iptables -A INPUT -p tcp -m tcp --dport 9100 -j DROP
''; '';
}; };
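Review bot: The `extraCommands` rules in this hunk are plain `iptables`, which only affect IPv4, while `allowedTCPPorts = [ 9100 ];` opens the port in the NixOS firewall for both IPv4 and IPv6; on a host with IPv6 reachability the exporter is therefore reachable from any source over IPv6 despite the `--source` restriction. Using the `ip46tables` helper for both the ACCEPT and DROP lines (if it is in scope for `extraCommands` on this NixOS release), or binding the exporter with `listenAddress` to the address the scraper reaches it on, would close that gap, and is worth doing while the `# TODO` about moving the rule into the node-exporter service stays open. Replacing the `metricsHost` binding with the literal `192.168.10.175/32` here and with `grafana.home.feal.no` in the Loki client URL of the next hunk also turns one definition into two differently spelled values; if both name the same host, keep a single `let` binding so they cannot drift. The enclosing `networking.firewall` attribute set begins outside this hunk.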
@@ -26,7 +25,7 @@ in {
}; };
clients = [ clients = [
{ {
url = "http://${metricsHost}:3100/loki/api/v1/push"; url = "http://grafana.home.feal.no:3100/loki/api/v1/push";
} }
]; ];
scrape_configs = [ scrape_configs = [


@@ -1,8 +0,0 @@
{ pwndbg }:
# "$ coredumpctl gdb" always runs "gdb" from your path.
pwndbg.overrideAttrs ({ installPhase ? "", ... }: {
installPhase = installPhase + ''
ln -s $out/bin/pwndbg $out/bin/gdb
'';
})


@@ -1,81 +0,0 @@
{
lib,
stdenv,
fetchurl,
autoPatchelfHook,
dpkg,
cups,
gtkmm3,
icu74,
krb5,
makeWrapper,
openssl,
pango,
python312,
xcb-util-cursor,
xorg,
}:
let
packageId = "scrt_ubuntu2464_deb_963";
in stdenv.mkDerivation rec {
pname = "securecrt";
version = "9.6.3";
src = fetchurl {
url = "https://www.vandyke.com/cgi-bin/download_1.php";
name = "${pname}-${version}.deb";
curlOpts = "-X POST --data 'pid=${packageId}&export_check=accept&country=no&su";
sha256 = "sha256-PsFuxJ7H0rJCWWi+rvzrlRUJlp9R4MG14d883/kl9Lo=";
};
unpackCmd = "dpkg -x $curSrc source";
nativeBuildInputs = [
dpkg
autoPatchelfHook
];
buildInputs = [
cups
gtkmm3
icu74
krb5
makeWrapper
openssl
pango
python312
xcb-util-cursor
xorg.xcbutilkeysyms
xorg.xcbutilwm
];
dontConfigure = true;
dontBuild = true;
dontWrapQTApps = true;
installPhase = ''
runhook preInstall
mkdir -p "$out"
cp -R usr/* "$out/"
wrapProgram "$out/bin/SecureCRT" --set QT_QPA_PLATFORM_PLUGIN_PATH "$out/lib/scrt/plugins/platforms"
runhook postInstall
'';
meta = with lib; {
homepage = "https://www.vandyke.com/products/securecrt/unix.html";
description = "Terminal emulator for computing professionals, with advanced session management";
license = {
free = false;
fullName = "Unknown / Custom";
};
platforms = with lib.platforms; linux ++ darwin ++ windows;
broken = !(stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64);
};
mainProgram = "SecureCRT";
}


@@ -1,44 +0,0 @@
[
{ # Sulu
publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
allowedIPs = [
"10.100.0.3/32"
];
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
{ # fa-t14-2025
publicKey = "UPpUVWQqOKT65MFym1sFDTstNmuynDYE4LOOtbWqEng=";
allowedIPs = [
"10.100.0.7/32"
];
}
{ # Turtle
publicKey = "mDzAtRPv+O5TDHa9DGodF/KKuFXRBYwSqfPyeWfdfRI=";
allowedIPs = [
"10.100.0.8/32"
];
}
{ # Amalies phone
publicKey = "Iqoq00e5rUNygmjOKmSPzvDTzvUdpxkpwVrD6UJXG2w=";
allowedIPs = [
"10.100.0.9/32"
];
}
]

flake.lock generated

@@ -1,28 +1,13 @@
{ {
"nodes": { "nodes": {
"extra-config": {
"locked": {
"lastModified": 1745649002,
"narHash": "sha256-XNBExt3+U3o4lip+yj6oorCEPZ9Qe8PzBSFM5ZzVtSA=",
"ref": "refs/heads/main",
"rev": "50c9c15db2b309d299b1c19089c962979e01f45b",
"revCount": 13,
"type": "git",
"url": "file:///home/felixalb/nix-extra-config"
},
"original": {
"type": "git",
"url": "file:///home/felixalb/nix-extra-config"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1747046372, "lastModified": 1673956053,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -36,11 +21,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1681202837,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -56,32 +41,30 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1764776959, "lastModified": 1703367386,
"narHash": "sha256-d+5CGloq7Lo1u2SkzhF8oiOdUc6Z5emh22nTXUB9CFA=", "narHash": "sha256-FMbm48UGrBfOWGt8+opuS+uLBLQlRfhiYXhHNcYMS5k=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e1680d594a9281651cbf7d126941a8c8e2396183", "rev": "d5824a76bc6bb93d1dce9ebbbcb09a9b6abcc224",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-25.11", "ref": "release-23.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"matrix-synapse-next": { "matrix-synapse-next": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs-lib": "nixpkgs-lib"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1765214213, "lastModified": 1701507532,
"narHash": "sha256-WSk8CTdIDFFP5VMJj9beve19nPMMdTsWnkCHVXqO/3E=", "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
"owner": "dali99", "owner": "dali99",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"rev": "82959f612ffd523a49c92f84358a9980a851747b", "rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -93,20 +76,20 @@
"nix-darwin": { "nix-darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs-darwin" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1764161084, "lastModified": 1703649338,
"narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=", "narHash": "sha256-n2MkBotGgTQsfB+wH09R+otBwYCvGCsnHX7eUMGkKL0=",
"owner": "nix-darwin", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "e95de00a471d07435e0527ff4db092c84998698e", "rev": "8a8321271f0835fae2cb195e1137cb381fdbcc8e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-darwin", "owner": "lnl7",
"ref": "nix-darwin-25.11", "ref": "master",
"repo": "nix-darwin", "repo": "nix-darwin",
"type": "github" "type": "github"
} }
@@ -115,16 +98,14 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": "nixpkgs"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1764813963, "lastModified": 1703812100,
"narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=", "narHash": "sha256-JN8qbWz6OPEEPwP+AmfAmlhPE19RqUqND6hGAeK2Od0=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "491200d6848402bbab1421cccbc15a46f08c7f78", "rev": "7d23e6f5635499a34d09950981cf42bb072f4fa2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -135,89 +116,92 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1764677808, "lastModified": 1698318101,
"narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=", "narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
"owner": "NixOS", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1aab89277eb2d87823d5b69bae631a2496cff57a", "rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "nixos",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-2211": {
"locked": {
"narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
}
},
"nixpkgs-darwin": {
"locked": {
"lastModified": 1764806471,
"narHash": "sha256-NsPsz003eWD8wp8vj5BnQzPoDyeQKRUfS2dvan2Y30M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-25.11-darwin",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1764667669,
"narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "418468ac9527e799809c900eda37cbff999199b6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": {
"locked": {
"lastModified": 1673743903,
"narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1703351344,
"narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7790e078f8979a9fcd543f9a47427eeaba38f268",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1703467016,
"narHash": "sha256-/5A/dNPhbQx/Oa2d+Get174eNI3LERQ7u6WTWOlR1eQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d02d818f22c777aa4e854efc3242ec451e5d462a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"extra-config": "extra-config",
"home-manager": "home-manager", "home-manager": "home-manager",
"matrix-synapse-next": "matrix-synapse-next", "matrix-synapse-next": "matrix-synapse-next",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-minecraft": "nix-minecraft", "nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"nixpkgs-2211": "nixpkgs-2211", "sops-nix": "sops-nix",
"nixpkgs-darwin": "nixpkgs-darwin", "unstable": "unstable",
"nixpkgs-unstable": "nixpkgs-unstable", "voyager-addons": "voyager-addons"
"sops-nix": "sops-nix"
} }
}, },
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ],
"nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1764483358, "lastModified": 1703387502,
"narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", "narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "5aca6ff67264321d47856a2ed183729271107c9c", "rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -240,6 +224,37 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"unstable": {
"locked": {
"lastModified": 1703438236,
"narHash": "sha256-aqVBq1u09yFhL7bj1/xyUeJjzr92fXVvQSSEx6AdB1M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5f64a12a728902226210bf01d25ec6cbb9d9265b",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"voyager-addons": {
"locked": {
"lastModified": 1704460893,
"narHash": "sha256-rK+GBsfkua1Ou4YHcpQciDOdeS3q23GfTit2SddgTv0=",
"ref": "refs/heads/main",
"rev": "238bcd33b3e2562fcf76f86348909990ddc3d6cc",
"revCount": 3,
"type": "git",
"url": "ssh://git@git.feal.no:2222/felixalb/voyager-addons.git"
},
"original": {
"type": "git",
"url": "ssh://git@git.feal.no:2222/felixalb/voyager-addons.git"
}
} }
}, },
"root": "root", "root": "root",

flake.nix

@@ -2,24 +2,19 @@
description = "Felixalb System flake"; description = "Felixalb System flake";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; # Remember to update ./common/auto-upgrade.nix nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-25.11-darwin"; unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11"; nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs-darwin"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager/release-25.11"; home-manager.url = "github:nix-community/home-manager/release-23.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: Lock to release matrix-synapse-next.url = "github:dali99/nixos-matrix-modules";
matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";
nix-minecraft.url = "github:Infinidoge/nix-minecraft"; nix-minecraft.url = "github:Infinidoge/nix-minecraft";
nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
extra-config.url = "git+file:///home/felixalb/nix-extra-config"; voyager-addons.url = "git+ssh://git@git.feal.no:2222/felixalb/voyager-addons.git";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
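Review bot: On the new side (right-hand column) `matrix-synapse-next.url = "github:dali99/nixos-matrix-modules";` and `nix-minecraft.url = "github:Infinidoge/nix-minecraft";` carry no ref or tag, so every `nix flake update` moves them to whatever the default branch currently is; the `# TODO: Lock to release` comment the other side keeps on `matrix-synapse-next` is worth retaining so the pin is not forgotten, e.g. `matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: pin to a release ref`. The new side also has no `inputs.nixpkgs.follows = "nixpkgs"` for `nix-minecraft`, and the lock file on that side shows `nix-minecraft` with its own `"nixpkgs": "nixpkgs"` node while `root` uses `"nixpkgs_2"`, so that module's packages build against a second, independently pinned nixpkgs whose security updates are not covered by updating the main input. The `inputs` attribute set continues past the end of this hunk.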
@@ -32,97 +27,100 @@
, nix-minecraft , nix-minecraft
, nix-darwin , nix-darwin
, nixpkgs , nixpkgs
, nixpkgs-2211
, nixpkgs-darwin
, nixpkgs-unstable
, sops-nix , sops-nix
, extra-config , unstable
, voyager-addons
, ... }@inputs: , ... }@inputs:
let let
pkgs-overlay = final: prev: { overlay-unstable = final: prev: {
unstable = import nixpkgs-unstable { unstable = unstable.legacyPackages.${prev.system};
system = prev.system;
config.allowUnfree = true;
};
nixpkgs-2211 = import nixpkgs-2211 {
system = prev.system;
config.allowUnfree = true;
};
pwndbg-gdb-alias = prev.callPackage ./common/pwndbg-gdb-alias.nix { };
securecrt = prev.callPackage ./common/securecrt.nix { };
}; };
in in
{ {
nixosConfigurations = let nixosConfigurations = {
normalSys = name: hostConfig: nixpkgs.lib.nixosSystem { voyager = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; # TODO - Handle system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
({ config, pkgs, ... }: { # Overlays-module makes "pkgs.unstable" available in configuration.nix
# Make "pkgs.unstable" etc. available ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
nixpkgs.overlays = [ pkgs-overlay ] ++ hostConfig.overlays or [ ];
})
./hosts/${name}/configuration.nix ./hosts/voyager/configuration.nix
voyager-addons.nixosModules.default
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager { home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users = { home-manager.users."felixalb" = import ./hosts/voyager/home.nix;
"felixalb" = import ./hosts/${name}/home.nix;
} // hostConfig.home-manager-users or { };
} }
] ++ hostConfig.modules or [ ];
};
in {
# Media / storage server
challenger = normalSys "challenger" {
modules = [
extra-config.nixosModules.default
]; ];
}; };
defiant = nixpkgs.lib.nixosSystem {
# General application server system = "x86_64-linux";
defiant = normalSys "defiant" { specialArgs = {
inherit inputs;
};
modules = [ modules = [
./common/domeneshop-dyndns.nix # Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./hosts/defiant/configuration.nix
sops-nix.nixosModules.sops
matrix-synapse-next.nixosModules.default matrix-synapse-next.nixosModules.default
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/defiant/home.nix;
}
]; ];
}; };
edison = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
# Work laptop ./hosts/edison/configuration.nix
fa-t14-2025 = normalSys "fa-t14-2025" { }; sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager {
# Web host home-manager.useGlobalPkgs = true;
leonard = normalSys "leonard" { }; home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/edison/home.nix;
# General application server }
morn = normalSys "morn" { }; ];
};
# Home desktop redshirt = nixpkgs.lib.nixosSystem {
sisko = normalSys "sisko" { }; system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
./hosts/redshirt/configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
sops-nix.nixosModules.sops
];
};
}; };
# Daily driver macbook
darwinConfigurations.worf = nix-darwin.lib.darwinSystem { darwinConfigurations.worf = nix-darwin.lib.darwinSystem {
system = "aarch64-darwin"; system = "aarch64-darwin";
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
./hosts/worf/configuration.nix ./hosts/worf/configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
home-manager.darwinModules.home-manager { home-manager.darwinModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/worf/home.nix; home-manager.users."felixalb" = import ./hosts/worf/home.nix;
} }
# sops-nix.nixosModules.sops
]; ];
}; };
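Review bot: On the new side, the `matrix-synapse-next` and `nix-minecraft` inputs no longer carry a `inputs.nixpkgs.follows = "nixpkgs"` line (the follows lines next to their `.url` entries appear only in the left column), so each of those flakes keeps its own nixpkgs revision in flake.lock instead of sharing the system one. That second nixpkgs is whatever the upstream flake's own lock pins, so it can lag the primary channel's fixes and also enlarges the closure. If the sharing was intentional, restore `matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";` and `nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";`; the same consideration applies to `nix-darwin.url` tracking `master` rather than a release branch.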


@@ -9,17 +9,14 @@
window = { window = {
padding = { padding = {
x = 8; x = 4;
y = 2; y = 4;
}; };
dynamic_padding = true;
dynamic_title = true;
decorations = "none"; # full/none/transparent/buttonless decorations = "none"; # full/none/transparent/buttonless
# Transparency: # Transparency:
opacity = lib.mkDefault 0.95; # opacity = 0.95;
}; };
scrolling = { scrolling = {
@@ -47,37 +44,10 @@
size = 14; size = 14;
}; };
draw_bold_text_with_bright_colors = true;
colors = { colors = {
draw_bold_text_with_bright_colors = true; # # Tomorrow Night Bright
# # gruvbox_material_medium_dark
# primary = {
# background = "0x282828";
# foreground = "0xd4be98";
# };
# normal = {
# black = "0x3c3836";
# red = "0xea6962";
# green = "0xa9b665";
# yellow = "0xd8a657";
# blue = "0x7daea3";
# magenta = "0xd3869b";
# cyan = "0x89b482";
# white = "0xd4be98";
# };
# bright = {
# black = "0x3c3836";
# red = "0xea6962";
# green = "0xa9b665";
# yellow = "0xd8a657";
# blue = "0x7daea3";
# magenta = "0xd3869b";
# cyan = "0x89b482";
# white = "0xd4be98";
# };
# # # Tomorrow Night Bright
# primary = { # primary = {
# background = "0x141414"; # background = "0x141414";
# foreground = "0xeaeaea"; # foreground = "0xeaeaea";
@@ -110,7 +80,6 @@
# white = "0xffffff"; # white = "0xffffff";
# }; # };
# Nord: # Nord:
primary = { primary = {
background = "0x2e3440"; background = "0x2e3440";
@@ -179,10 +148,10 @@
# indexed_colors: [] # indexed_colors: []
}; };
bell = { visual_bell = {
animation = "Ease"; animation = "EaseOutExpo";
color = "0xffffff"; color = "0xffffff";
duration = 100; duration = 200;
}; };
# Key bindings # Key bindings
@@ -337,19 +306,29 @@
# - { key: Delete, chars: "\x1b[3~" } # - { key: Delete, chars: "\x1b[3~" }
mouse = {
double_click = { threshold = 300; };
triple_click = { threshold = 300; };
hide_when_typing = false;
};
selection = { selection = {
semantic_escape_chars = ",`|:\"' ()[]{}<>"; semantic_escape_chars = ",`|:\"' ()[]{}<>";
save_to_clipboard = false; save_to_clipboard = false;
}; };
mouse_bindings = [
{ mouse = "Middle"; action = "PasteSelection"; }
];
cursor = { cursor = {
style = { style = "Block";
shape = "Block"; blinking = true;
blinking = "on";
};
unfocused_hollow = true; unfocused_hollow = true;
}; };
dynamic_title = true;
}; };
}; };
} }


@@ -1,43 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../alacritty.nix
];
home = {
packages = with pkgs; [
papers
kitty
pavucontrol
# Window Manager Extras
bibata-cursors
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
networkmanager
swaynotificationcenter
waybar
wl-clipboard
];
sessionVariables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
};
programs = {
alacritty = {
enable = true;
settings.window.opacity = 0.92;
};
firefox.enable = true;
wofi.enable = true;
};
home.stateVersion = "24.11";
}


@@ -1,38 +1,19 @@
{ pkgs, lib, ... }: { pkgs, ... }:
{ {
imports = [ imports = [
./neovim.nix ./neovim.nix
./zsh.nix ./zsh.nix
]; ];
home = {
packages = with pkgs; [
bat
bottom
# ncdu
neofetch
pwgen
sshfs
sshuttle
];
sessionVariables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
};
programs.nix-index = { programs.nix-index = {
enable = true; enable = true;
enableZshIntegration = true; enableZshIntegration = true;
}; };
programs.fzf.enable = true;
programs.git = { programs.git = {
enable = true; enable = true;
settings = { extraConfig = {
pull.rebase = true; pull.rebase = true;
push.autoSetupRemote = true; push.autoSetupRemote = true;
color.ui = "auto"; color.ui = "auto";
@@ -41,10 +22,7 @@
user = { user = {
name = "Felix Albrigtsen"; name = "Felix Albrigtsen";
email = lib.mkDefault "felix@albrigtsen.it"; email = "felix@albrigtsen.it";
};
safe = {
directory = "/config";
}; };
}; };
ignores = [ ignores = [
@@ -55,15 +33,4 @@
]; ];
}; };
programs.tmux = {
enable = true;
sensibleOnTop = true;
baseIndex = 1;
clock24 = true;
keyMode = "vi";
mouse = true;
terminal = "screen-256color";
};
} }


@@ -21,6 +21,7 @@ in {
telescope-nvim telescope-nvim
nvim-lspconfig nvim-lspconfig
copilot-vim
nvim-treesitter nvim-treesitter
coc-css coc-css
@@ -28,9 +29,9 @@ in {
coc-html coc-html
coc-json coc-json
coc-nvim coc-nvim
coc-pyright
vim-nix vim-nix
vim-puppet
]; ];
withNodeJs = true; withNodeJs = true;
@@ -50,7 +51,7 @@ in {
" Integrate status with lightline " Integrate status with lightline
let g:lightline = { let g:lightline = {
\ 'active': { \ 'active': {
\ 'left': [[ 'mode', 'paste', 'filename', 'readonly', 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]] \ 'left': [[ 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]]
\ } \ }
\ } \ }
@@ -97,16 +98,11 @@ in {
" Nerdtree-settings " Nerdtree-settings
" Toggle nerdtree on Ctrl+t " Toggle nerdtree on Ctrl+t
nmap <silent> <C-t> :NERDTreeToggle<CR> nmap <silent> <C-t> :NERDTreeToggle<CR>
autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
autocmd VimEnter * wincmd p " Unselect nerdtree window
" Close vim is Nerdtree is the only buffer left " Close vim is Nerdtree is the only buffer left
autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif
if empty($AERC_ACCOUNT) && empty($MOZ_APP_LAUNCHER)
autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
autocmd VimEnter * wincmd p " Unselect nerdtree window
endif
autocmd Filetype go setlocal expandtab tabstop=4 shiftwidth=4 softtabstop=4
" List and switch buffers on Ctrl+k " List and switch buffers on Ctrl+k
" nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space> " nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space>
nnoremap <silent> <C-k> !echo "Did you mean C-a?"<CR> nnoremap <silent> <C-k> !echo "Did you mean C-a?"<CR>
@@ -120,18 +116,12 @@ in {
nnoremap <C-s> <cmd>Telescope find_files<cr> nnoremap <C-s> <cmd>Telescope find_files<cr>
nnoremap <C-g> <cmd>Telescope live_grep<cr> nnoremap <C-g> <cmd>Telescope live_grep<cr>
" Don't darken the background
autocmd VimEnter * highlight normal ctermbg=NONE guibg=NONE
" Show trailing whitespace " Show trailing whitespace
highlight ExtraWhitespace ctermbg=red guibg=red highlight ExtraWhitespace ctermbg=red guibg=red
match ExtraWhitespace /\s\+$/ match ExtraWhitespace /\s\+$/
" Disable search highlights " Disable search highlights
map <Leader><Space> :noh<CR> map <Leader><Space> :noh<CR>
" Start with Coc disabled
" autocmd VimEnter * CocDisable
''; '';
}; };


@@ -2,7 +2,6 @@
programs = { programs = {
zsh = { zsh = {
enable = true; enable = true;
history.extended = true;
prezto = { prezto = {
enable = true; enable = true;
@@ -22,7 +21,6 @@
"terminal" "terminal"
"editor" "editor"
"history" "history"
"history-substring-search"
# "directory" # "directory"
"spectrum" "spectrum"
# "utility" # "utility"
@@ -30,39 +28,32 @@
"git" "git"
"autosuggestions" "autosuggestions"
"syntax-highlighting" "syntax-highlighting"
"history-substring-search"
"prompt" "prompt"
]; ];
}; };
initContent = '' initExtra = ''
# Autocomplete ../ # Autocomplete ../
zstyle ':completion:*' special-dirs true zstyle ':completion:*' special-dirs true
export PATH="$HOME/.config/emacs/bin:$HOME/.cargo/bin:$PATH" export PATH="$HOME/.config/emacs/bin:$PATH"
unalias "gs" unalias "gs"
if [ -f ~/.config/zsh-extras ]; then
source ~/.config/zsh-extras
fi
''; '';
shellAliases = { shellAliases = {
c = "z";
em = "emacsclient -c";
emnw = "emacsclient -nw";
grep = "grep --color=auto";
l = "exa -l"; l = "exa -l";
ls = "ls --color=auto"; c = "z";
nd = "nix develop --command zsh"; tree = "exa --tree --icons";
s = "nix-shell --run zsh"; s = "nix-shell --run zsh";
sp = "nix-shell --run zsh -p"; sp = "nix-shell --run zsh -p";
spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p"; spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p";
tree = "exa --tree --icons"; em = "emacsclient -c";
emnw = "emacsclient -nw";
"git clone git clone" = "git clone";
gcm = "git commit -m";
gpl = "git pull";
gps = "git push";
gst = "git status -sb"; gst = "git status -sb";
gcm = "git commit -m";
gps = "git push";
gpl = "git pull";
"git clone git clone" = "git clone";
}; };
}; };


@@ -1,37 +0,0 @@
{ config, pkgs, lib, ... }:
let
cmdChownManga = pkgs.writeScriptBin "chownManga" ''
#!${pkgs.stdenv.shell}
chown -R amalieem:komga /tank/media/komga/Amalie
chmod -R 750 /tank/media/komga/Amalie
'';
in {
users.users."amalieem" = {
isNormalUser = true;
home = "/home/amalieem";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7e+BAoXIFmTeeBYAVImQAcyx6SCoYCErA7h16OGL70 amalieem@wentworth"
];
packages = with pkgs; [
cmdChownManga
mangal
rsync
];
};
security.sudo = {
enable = true;
extraRules = [{
commands = [
{
command = "${lib.getExe cmdChownManga}";
options = [ "NOPASSWD" ];
}
];
users = [ "amalieem" ];
}];
};
}


@@ -1,84 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.restic.backups = let
localJob = name: paths: {
inherit paths;
repository = "/mnt/feal-syn1/backup/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 10"
];
};
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in {
# Calibre metadata and config
calibre = localJob "calibre" [
"/var/lib/calibre-web"
"/var/lib/calibre-server"
];
# Other system backups (NB: Large!)
hostBackups = localJob "hostBackups" [
"/tank/backup"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
media = localJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
];
media-remote = cloudJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
# Nextcloud config and data
nextcloud = localJob "nextcloud" [ "/tank/nextcloud" ];
nextcloud-remote = cloudJob "nextcloud" [ "/tank/nextcloud" ];
# Postgresql databases
postgres = (localJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
postgres-remote = (cloudJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
# Transmission metadata/config
transmission = localJob "transmission" [ "/var/lib/transmission" ];
# TODO: timemachine
};
sops.secrets."restic/calibre" = { };
sops.secrets."restic/hostBackups" = { };
sops.secrets."restic/media" = { };
sops.secrets."restic/nextcloud" = { };
sops.secrets."restic/postgres" = { };
sops.secrets."restic/transmission" = { };
environment.systemPackages = with pkgs; [
restic
];
}


@@ -1,65 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
../../base.nix
../../common/metrics-exporters.nix
./amalieem.nix
./backup.nix
# ./exports.nix
./filesystems.nix
# ./services/archivebox.nix
./services/audiobookshelf.nix
./services/calibre.nix
./services/jellyfin.nix
./services/komga.nix
./services/nextcloud.nix
./services/nginx.nix
./services/postgres.nix
./services/timemachine.nix
];
networking = {
hostName = "challenger";
bridges.br0.interfaces = [ "ens18" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.10.161"; prefixLength = 24; }
];
hostId = "828ab735";
defaultGateway = "192.168.10.1";
};
sops.defaultSopsFile = ../../secrets/challenger/challenger.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
security.polkit.enable = true; # Required for nextcloud
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
];
hardware.nvidia = {
modesetting.enable = true;
open = false;
};
hardware.graphics.enable = true;
services.xserver.videoDrivers = ["nvidia"];
system.stateVersion = "24.05";
}


@@ -1,21 +0,0 @@
{ config, pkgs, lib, ... }:
{
fileSystems = {
"/export/riker-backup" = {
device = "/tank/backup/riker";
options = [ "bind" ];
};
};
# Enable nfs4 only
# services.nfs.server = {
# enable = true;
# exports = ''
# /export 192.168.10.67(rw,fsid=0,no_subtree_check)
# /export/riker-backup 192.168.10.67(rw,nohide,no_subtree_check,no_root_squash)
# '';
# };
# networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
# networking.firewall.allowedUDPPorts = [ 111 20048];
}


@@ -1,48 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
environment.systemPackages = with pkgs; [ cifs-utils ];
# Local zfs
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems = [ "zfs" ];
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
fileSystems = {
"/mnt/feal-syn1/backup" = {
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.10.162:/volume2/backup";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
"/mnt/feal-syn2/backup" = {
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.11.163:/volume1/challenger";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
};
}


@@ -1,39 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7101364b-9056-4309-afeb-3c17b220684f";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/FDCE-A287";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ {
device = "/swapfile";
size = 16*1024;
} ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
# networking.interfaces.idrac.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,12 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "24.05";
}


@@ -1,35 +0,0 @@
{ config, lib, ... }:
let
host = "127.0.1.2";
port = "5009";
uid = 911;
gid = 911;
in {
users.users.archivebox = {
inherit uid;
group = "archivebox";
isSystemUser = true;
useDefaultShell = true;
description = "ArchiveBox web archiving tool";
};
users.groups.archivebox = {
inherit gid;
};
# ArchiveBox - Open source self-hosted web archiving.
virtualisation.oci-containers.containers.archivebox = {
image = "archivebox/archivebox:0.8.5rc50";
ports = [ "${host}:${port}:8000" ];
volumes = [
"/tank/archivebox:/data"
];
};
services.nginx.virtualHosts."archivebox.home.feal.no" = {
locations."/" = {
proxyPass = "http://${host}:${port}";
};
};
}


@@ -1,57 +0,0 @@
{ config, lib, pkgs, ... }:
let
domain = "audiobooks.home.feal.no";
host = "127.0.1.2";
port = 5016;
in {
fileSystems = {
"/var/lib/audiobookshelf" = {
device = "/tank/media/audiobookshelf/config";
options = [ "bind" ];
};
};
services.audiobookshelf = {
enable = true;
dataDir = "audiobookshelf";
inherit host port;
};
systemd.services.audiobookshelf = {
requires = [ "var-lib-audiobookshelf.mount" ];
serviceConfig = {
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [
"/var/lib/audiobookshelf"
"/tank/media/audiobookshelf"
];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
};
};
services.nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
proxyWebsockets = true;
};
};
}


@@ -1,35 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Jellyfin - Media Streaming platform
services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
services.nginx.virtualHosts."jellyfin.home.feal.no" = {
serverAliases = [ "jf.feal.no" ];
locations = {
"= /" = {
return = "302 http://$host/web/";
};
"/" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_buffering off;
'';
};
"/socket" = {
proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true;
};
};
extraConfig = ''
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
'';
};
}


@@ -1,21 +0,0 @@
{ config, lib, pkgs, ... }:
let
domain = "komga.home.feal.no";
port = 5001;
in {
services.komga = {
enable = true;
stateDir = "/tank/media/komga";
settings.server = {
inherit port;
};
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://127.0.0.1:${toString port}";
extraConfig = ''
client_max_body_size 512M;
'';
};
}


@@ -1,154 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.nextcloud;
hostName = "cloud.feal.no";
in {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud32;
inherit hostName;
home = "/tank/nextcloud";
https = true;
webfinger = true;
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "ncadmin";
adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
};
settings = {
default_phone_region = "NO";
log_type = "file";
overwriteprotocol = "https";
trusted_proxies = [ "192.168.10.175" ]; # defiant
# Docs: https://github.com/pulsejet/nextcloud-oidc-login
oidc_login_auto_redirect = true;
oidc_login_button_text = "Log in with KeyCloak";
oidc_login_client_id = "nextcloud";
oidc_login_client_secret = "dont_put_secrets_here_use_secretFile";
oidc_login_code_challenge_method = "S256";
oidc_login_end_session_redirect' = true;
oidc_login_logout_url = "https://cloud.feal.no/apps/oidc_login/oidc";
oidc_login_provider_url = "https://iam.feal.no/realms/feal.no";
oidc_login_redir_fallback = true;
oidc_login_attributes = {
id = "preferred_username";
mail = "email";
name = "name";
login_filter = "nextcloud-roles";
};
oidc_login_filter_allowed_values = [ "nextcloud-user" ];
oidc_login_disable_registration = false;
"memories.exiftool" = pkgs.writeShellScript "exiftool-perl" ''
${lib.getExe pkgs.perl} ${cfg.home}/store-apps/memories/bin-ext/exiftool/exiftool "$@"
'';
"memories.exiftool_no_local" = false;
"memories.vod.disable" = false;
"memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}";
"memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
preview_ffmpeg_path = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
};
secretFile = config.sops.secrets."nextcloud/secretsjson".path;
phpOptions = {
"opcache.interned_strings_buffer" = "16";
"upload_max_filesize" = lib.mkForce "8G";
"post_max_size" = lib.mkForce "8G";
"memory_limit" = lib.mkForce "8G";
};
poolSettings = {
"pm" = "ondemand";
"pm.max_children" = 32;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 500;
};
};
environment.systemPackages = [
cfg.occ # "occ CMD" in the docs -> "sudo -u nextcloud nextcloud-occ CMD"
pkgs.nodejs_20 # For Recognize; Put /run/current-system/sw/bin/node in the "node_binary" field in the web UI -> Memories
];
sops.secrets."nextcloud/adminpass" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
sops.secrets."nextcloud/secretsjson" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
services.postgresql = {
ensureDatabases = [ "nextcloud" ];
ensureUsers = [ {
name = "nextcloud";
ensureDBOwnership = true;
} ];
};
systemd.services.nextcloud-cron = {
path = with pkgs; [
exiftool
ffmpeg-headless
];
};
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
systemd.services."phpfpm-nextcloud" = {
requires = [ "tank-nextcloud.mount" ];
path = with pkgs; [
# perl
# perlPackages.ImageExifTool
exiftool
ffmpeg-headless
];
serviceConfig = {
PrivateDevices = lib.mkForce false;
WorkingDirectory = "/tank/nextcloud";
NoNewPrivileges = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
InaccessiblePaths = [ "/tank/media" "/tank/backup" ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
};
};
# Notes:
# - Install Memories and Recognize from the app store
# - They might need to be forced on with "nextcloud-occ app:enable memories", etc.
# - Run "nextcloud-occ maintenance:repair" to fix broken paths
# - Download ai models and maps with the commands given in the ui
# - libtensorflow doesn't work properly through node, but recognize still works(?)
}


@@ -1,50 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.restic.backups = let
localJob = name: paths: {
inherit paths;
repository = "/mnt/feal-syn1/backup/defiant/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
"--keep-daily 3"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/defiant/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in {
postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
gitea-remote = (cloudJob "gitea" [ "/tank/services/gitea" ]);
matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
matrix-synapse-remote = (cloudJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
vaultwarden-remote = (cloudJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
};
# TODO: home-assistant, pihole
sops.secrets."restic/postgres" = { };
sops.secrets."restic/gitea" = { };
sops.secrets."restic/matrix-synapse" = { };
sops.secrets."restic/vaultwarden" = { };
}


@@ -5,29 +5,18 @@
[ [
../../base.nix ../../base.nix
../../common/metrics-exporters.nix ../../common/metrics-exporters.nix
./filesystems.nix
./hardware-configuration.nix ./hardware-configuration.nix
# Infrastructure
./backup.nix
./libvirt.nix
./services/dyndns.nix
./services/nginx.nix ./services/nginx.nix
./services/pihole.nix ./services/pihole.nix
./services/postgresql.nix ./services/postgresql.nix
./services/wireguard.nix
# Services ./services/flame.nix
./services/gitea.nix ./services/gitea.nix
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/home-assistant.nix ./services/matrix-synapse.nix
./services/keycloak.nix ./services/metrics
./services/matrix ./services/minecraft.nix
./services/microbin.nix
# ./services/minecraft/home.nix
./services/monitoring
# ./services/rtl-tcp.nix
# ./services/searx.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
]; ];
@@ -45,6 +34,16 @@
sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml; sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
environment.variables = { EDITOR = "vim"; }; environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.prometheus.exporters.zfs.enable = true;
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker"; virtualisation.oci-containers.backend = "docker";


@@ -1,30 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
};
services.prometheus.exporters.zfs.enable = true;
environment.systemPackages = with pkgs; [
cifs-utils
zfs
];
fileSystems = {
"/mnt/feal-syn1/backup" = {
device = "192.168.10.162:/volume2/backup";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
};
}


@@ -1,5 +1,11 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
{ {
home.packages = with pkgs; [
bat
bottom
ncdu
neofetch
];
imports = [ imports = [
./../../home/base.nix ./../../home/base.nix


@@ -1,18 +0,0 @@
{ config, pkgs, lib, ... }:
{
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
boot.extraModprobeConfig = "options kvm_amd nested=1";
boot.kernelModules = [ "kvm-amd" "kvm-intel" ];
users.users.felixalb.extraGroups = [ "libvirtd" ];
fileSystems."/var/lib/libvirt/images" = {
device = "/tank/iso";
options = [ "bind" ];
};
# On a gui-enabled machine, connect with:
# $ virt-manager --connect "qemu+ssh://defiant/system?socket=/var/run/libvirt/libvirt-sock"
}


@@ -1,11 +0,0 @@
{ config, pkgs, lib, ... }:
{
sops.secrets."domeneshop/netrc" = { };
services.domeneshop-dyndns = {
enable = true;
domain = "site3.feal.no";
netrcFile = config.sops.secrets."domeneshop/netrc".path;
};
}


@@ -0,0 +1,22 @@
{ config, pkgs, lib, ... }:
let
domain = "flame.home.feal.no";
host = "127.0.1.2";
port = "5005";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
flame = {
image = "pawelmalak/flame";
ports = [ "${host}:${port}:5005" ];
volumes = [
"/var/lib/flame/data:/app/data/"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${host}:${port}";
};
}
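Review bot: The container image in this new file is given as `image = "pawelmalak/flame";` with no tag or digest, so every pull resolves the mutable default tag and the deployed dashboard can change content without any change in this repository. Pinning to an explicit tag, or better a digest, keeps the deployment reproducible and reviewable: `image = "pawelmalak/flame:<PINNED_TAG_OR_DIGEST>";` (placeholder — fill in the revision actually tested). Binding the published port to `127.0.1.2` keeps the container off the network, which is good; the nginx vhost shows no TLS settings here, so presumably those come from a shared nginx module — worth confirming.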


@@ -36,6 +36,7 @@ in {
OPENID_CONNECT_SCOPES = "email profile openid"; OPENID_CONNECT_SCOPES = "email profile openid";
UPDATE_AVATAR = true; UPDATE_AVATAR = true;
ACCOUNT_LINKING = "auto"; ACCOUNT_LINKING = "auto";
USERNAME = "email";
}; };
log.LEVEL = "Info"; log.LEVEL = "Info";
@@ -44,16 +45,18 @@ in {
ui = { ui = {
THEMES="gitea,arc-green,nord"; THEMES="gitea,arc-green,nord";
#DEFAULT_THEME="nord"; DEFAULT_THEME="nord";
}; };
}; };
# TODO: configure mailer # TODO:
# - Backup
# - services.gitea.dump?
# - ZFS snapshots?
# - configure mailer
}; };
systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work"; systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work";
services.postgresqlBackup.databases = [ "gitea" ];
networking.firewall.allowedTCPPorts = [ sshPort ]; networking.firewall.allowedTCPPorts = [ sshPort ];
} }
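Review bot: The new `USERNAME = "email";` line sits next to the existing `ACCOUNT_LINKING = "auto";`, so, if I read Gitea's oauth2_client settings right, both the local username and the automatic link to an existing account are now derived from the email claim the provider releases; that is only safe if the provider releases verified addresses. A comment above the line, e.g. `# Username and auto-linking key off the email claim - the IdP must only release verified addresses`, would record that dependency. The `services.postgresqlBackup.databases = [ "gitea" ];` registration disappears on the new side while the expanded TODO lists backup as open, so the gap appears acknowledged. The enclosing `settings` block starts and ends outside both hunks.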


@@ -4,7 +4,7 @@ let
domain = "md.feal.no"; domain = "md.feal.no";
port = 3300; port = 3300;
host = "127.0.1.2"; host = "127.0.1.2";
authServerUrl = "https://iam.feal.no"; authServerUrl = "https://auth.feal.no";
in { in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = { sops.secrets."hedgedoc/env" = {
@@ -21,8 +21,9 @@ in {
allowFreeURL = true; allowFreeURL = true;
allowAnonymous = false; allowAnonymous = false;
allowAnonymousEdits = true; allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
# dbURL = "postgres://hedgedoc@localhost/hedgedoc";
db = { db = {
username = "hedgedoc"; username = "hedgedoc";
database = "hedgedoc"; database = "hedgedoc";
@@ -31,23 +32,20 @@ in {
}; };
email = false; email = false;
oauth2 = let oauth2 = {
oidc = "${authServerUrl}/realms/feal.no/protocol/openid-connect"; baseURL = "${authServerUrl}/oauth2";
in { tokenURL = "${authServerUrl}/oauth2/token";
providerName = "Keycloak"; authorizationURL = "${authServerUrl}/ui/oauth2";
authorizationURL = "${oidc}/auth"; userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
baseURL = "${authServerUrl}";
tokenURL = "${oidc}/token";
userProfileURL = "${oidc}/userinfo";
clientID = "hedgedoc"; clientID = "hedgedoc";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile"; scope = "openid email profile";
userProfileDisplayNameAttr = "name"; userProfileUsernameAttr = "name";
userProfileEmailAttr = "email"; userProfileEmailAttr = "email";
userProfileUsernameAttr = "preferred_username"; userProfileDisplayNameAttr = "displayname";
rolesClaim = "hedgedoc-roles";
accessRole = "hedgedoc-user"; providerName = "KaniDM";
}; };
}; };
}; };
@@ -55,6 +53,7 @@ in {
systemd.services.hedgedoc = { systemd.services.hedgedoc = {
requires = [ requires = [
"postgresql.service" "postgresql.service"
# "kanidm.service"
]; ];
serviceConfig = let serviceConfig = let
workDir = "/var/lib/hedgedoc"; workDir = "/var/lib/hedgedoc";
@@ -96,8 +95,6 @@ in {
}]; }];
}; };
services.postgresqlBackup.databases = [ "hedgedoc" ];
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }
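Review bot: In the third hunk the new `oauth2 = {` block drops `rolesClaim`/`accessRole`, so HedgeDoc itself no longer gates login on a role and any account the provider lets use the `hedgedoc` client can sign in; that is a workable model with the provider doing the assignment, but it deserves a line such as `# Access is decided by the IdP (client assignment); no role check on the HedgeDoc side`. The commented `# "kanidm.service"` in `requires` has no reason attached — if the IdP runs on another host, say so, otherwise the start-ordering dependency is just silently lost. I am inferring line sides from the hunk counts, as the rendering lost the markers; the `oauth2` and `systemd.services.hedgedoc` blocks start outside their hunks.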


@@ -1,41 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "ha.home.feal.no";
in {
# Home-assistant - Smart Home Controller
# https://www.home-assistant.io/installation/linux#install-home-assistant-container
# The container is supposed to run as "privileged", but I believe this is only to allow device access (dongles/radios/etc.)
virtualisation.oci-containers.containers = {
homeassistant = {
image = "ghcr.io/home-assistant/home-assistant:2025.5.3";
extraOptions = [
"--network=host"
"--device=/dev/ttyUSB0" # Sonoff Zigbee 3.0 USB
];
volumes = [
"/tank/services/homeassistant/config:/config"
];
environment = {
TZ = "Europe/Oslo";
};
};
};
# Requires addition to configuration.yaml:
# http:
# server_host: 127.0.0.1
# use_x_forwarded_for: true
# trusted_proxies: 127.0.0.1
services.nginx.virtualHosts."${domain}" = {
locations."/" = {
proxyPass = "http://127.0.0.1:8123";
proxyWebsockets = true;
};
listen = [
{ addr = "192.168.10.175"; port = 80; ssl = false; }
{ addr = "192.168.10.175"; port = 8123; ssl = false; }
];
};
}


@@ -1,33 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.keycloak.settings;
hostname = "iam.feal.no";
in {
sops.secrets."keycloak/postgres" = { };
services.keycloak = {
enable = true;
database = {
type = "postgresql";
createLocally = true;
username = "keycloak";
passwordFile = config.sops.secrets."keycloak/postgres".path;
};
settings = {
cache = "local";
hostname = "https://${hostname}";
hostname-backchannel-dynamic = false;
http-enabled = true;
http-host = "127.0.1.2";
http-port = 5060;
proxy-headers = "xforwarded";
};
};
# The main reverse proxy is defined in ./nginx.nix
services.nginx.virtualHosts.${hostname} = {
locations."= /".return = "302 ${cfg.hostname}/realms/feal.no/account";
};
}


@@ -6,12 +6,6 @@
group = "matrix-synapse"; group = "matrix-synapse";
}; };
sops.secrets."matrix/synapse/oidcsecret" = {
restartUnits = [ "matrix-synapse.service" ];
owner = "matrix-synapse";
group = "matrix-synapse";
};
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;
enableNginx = true; enableNginx = true;
@@ -75,34 +69,11 @@
tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt"; tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key"; tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";
enableSlidingSync = true;
oidc_providers = [
{
idp_id = "keycloak";
idp_name = "Keycloak";
issuer = "https://iam.feal.no/realms/feal.no";
client_id = "matrix-synapse";
client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path;
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}";
};
attribute_requirements = [{
attribute = "matrix-roles";
value = "matrix-user";
}];
backchannel_logout_enabled = true;
enable_registration = false;
}
];
}; };
}; };
services.redis.servers."".enable = true; services.redis.servers."".enable = true;
services.postgresqlBackup.databases = [ "matrix-synapse" ];
services.nginx.virtualHosts."matrix.feal.no" = { services.nginx.virtualHosts."matrix.feal.no" = {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }
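Review bot: With the `oidc_providers` entry gone, the only `enable_registration = false;` in this file went with it, and it was nested inside the provider entry where synapse would not have read it as the homeserver-level setting anyway; the new side should state the registration policy explicitly at the settings level, `enable_registration = false;`, or confirm in a comment that the default is relied on. Removing the `matrix/synapse/oidcsecret` sops secret together with the provider is consistent. Both hunks cut the `services.matrix-synapse-next.settings` block, which starts and ends outside them.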


@@ -1,14 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "matrix-admin.home.feal.no";
# backend = "http://127.0.0.1:8008";
backend = "http://unix:/run/matrix-synapse/matrix-synapse.sock";
synapse-admin = pkgs.callPackage ./adminPkg.nix { };
in {
services.nginx.virtualHosts."${domain}" = {
locations."/".root = "${synapse-admin}";
locations."/_synapse".proxyPass = "${backend}";
locations."/_matrix".proxyPass = "${backend}";
};
}


@@ -1,14 +0,0 @@
{ lib, stdenvNoCC, fetchzip }:
stdenvNoCC.mkDerivation rec {
name = "synapse-admin";
version = "0.8.7";
src = fetchzip {
url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/${version}/synapse-admin-${version}-dirty.tar.gz";
hash = "sha256-maaiU9ilmzE5lV9Ofjpli4g08/UcgZ82FaIMRrfOy7s=";
};
phases = [ "installPhase" ];
installPhase = ''
cp -r $src $out
'';
}


@@ -1,8 +0,0 @@
{ ... }:
{
imports = [
./synapse.nix
./admin.nix
];
}



@@ -6,6 +6,5 @@
./grafana.nix ./grafana.nix
./loki.nix ./loki.nix
./snmp-exporter.nix ./snmp-exporter.nix
./uptime-kuma.nix
]; ];
} }


@@ -44,6 +44,12 @@ in {
url = "https://grafana.com/api/dashboards/14284/revisions/9/download"; url = "https://grafana.com/api/dashboards/14284/revisions/9/download";
options.path = dashboards/synology-nas-details.json; options.path = dashboards/synology-nas-details.json;
} }
{
name = "OpenWRT";
type = "file";
url = "https://grafana.com/api/dashboards/11147/revisions/1/download";
options.path = dashboards/openwrt.json;
}
]; ];
}; };
}; };


@@ -51,6 +51,7 @@ in {
boltdb_shipper = { boltdb_shipper = {
active_index_directory = "${saveDirectory}/boltdb-shipper-index"; active_index_directory = "${saveDirectory}/boltdb-shipper-index";
cache_location = "${saveDirectory}/boltdb-shipper-cache"; cache_location = "${saveDirectory}/boltdb-shipper-cache";
shared_store = "filesystem";
cache_ttl = "24h"; cache_ttl = "24h";
}; };
filesystem = { filesystem = {
@@ -59,18 +60,15 @@ in {
}; };
limits_config = { limits_config = {
allow_structured_metadata = false; enforce_metric_name = false;
reject_old_samples = true; reject_old_samples = true;
reject_old_samples_max_age = "72h"; reject_old_samples_max_age = "72h";
}; };
compactor = { compactor = {
working_directory = "${saveDirectory}/compactor"; working_directory = "${saveDirectory}/compactor";
shared_store = "filesystem";
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [
cfg.configuration.server.http_listen_port
];
} }
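Review bot: The new side no longer opens `cfg.configuration.server.http_listen_port` in the firewall, which reduces the exposure of an endpoint Loki serves without authentication, but it also means any other host shipping logs here must reach the port some other way; a comment stating whether Loki is now local-only or where the port is opened would prevent a silent log gap. `shared_store = "filesystem";` is added under both `boltdb_shipper` and `compactor`, which looks consistent. The enclosing configuration block starts outside the hunks.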


@@ -17,16 +17,23 @@ in {
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"challenger.home.feal.no:9100" "voyager.home.feal.no:9100"
"constellation.home.feal.no:9100" "sulu.home.feal.no:9100"
"mccoy.home.feal.no:9100"
"dlink-feal.home.feal.no:9100"
"edison.home.feal.no:9100"
"defiant.home.feal.no:9100" "defiant.home.feal.no:9100"
"leonard.home.feal.no:9100" "scotty.home.feal.no:9100"
"morn.home.feal.no:9100"
"sisko.home.feal.no:9100"
]; ];
} }
]; ];
} }
{
job_name = "openwrt";
static_configs = [
{ targets = ["dlink-feal.home.feal.no:9100"]; }
];
}
{ {
job_name = "snmp"; job_name = "snmp";
static_configs = [{ static_configs = [{


@@ -0,0 +1,20 @@
{ config, pkgs, ... }:
{
environment.systemPackages = [
pkgs.prometheus-snmp-exporter
];
systemd.services.prometheus-snmp-exporter = {
enable = true;
description = "Gather data from SNMP devices and expose them as Prometheus metrics";
unitConfig = {
Type = "simple";
};
serviceConfig = {
ExecStart = "${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter --config.file='/tank/services/metrics/prometheus/snmp.yml'";
# snmp.yml = https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml + https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
};
wantedBy = [ "multi-user.target" ];
};
}
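Review bot: `Type = "simple";` is placed under `unitConfig`, which emits it in the `[Unit]` section where systemd does not know the key and ignores it; it belongs under `serviceConfig` (or can be dropped, since simple is the default). The unit also sets no `User`/`DynamicUser`, so `snmp_exporter` runs as root for a job that only needs to read one config file and talk SNMP; the minimal change is `serviceConfig = { Type = "simple"; DynamicUser = true; ExecStart = "..."; };` with the `ExecStart` line kept as is. With `DynamicUser` the file under `/tank/services/metrics/prometheus/snmp.yml` must be world-readable or granted to the service's user.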


@@ -1,41 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.microbin;
domain = "p.feal.no";
address = "127.0.1.2";
port = 5006;
in {
services.microbin = {
enable = true;
passwordFile = config.sops.secrets."microbin/secrets".path;
settings = {
MICROBIN_BIND = address;
MICROBIN_DISABLE_TELEMETRY = true;
MICROBIN_ENABLE_BURN_AFTER = true;
MICROBIN_FOOTER_TEXT = "Be nice or go away";
MICROBIN_NO_FILE_UPLOAD = true;
MICROBIN_NO_LISTING = true;
MICROBIN_PORT = port;
MICROBIN_PUBLIC_PATH = "https://${domain}/";
MICROBIN_QR = true;
MICROBIN_TITLE = "Temporary pasta collection";
};
};
sops.secrets."microbin/secrets" = { };
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
locations."/" = {
proxyPass = "http://${address}:${toString port}";
};
};
}


@@ -51,16 +51,16 @@
"_Oblivion" = "289be565-d73e-4cb1-a047-dcc319acdc80"; "_Oblivion" = "289be565-d73e-4cb1-a047-dcc319acdc80";
Crisju = "8b77dc43-27ba-4710-bbfd-4e01e6ec7461"; Crisju = "8b77dc43-27ba-4710-bbfd-4e01e6ec7461";
Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c"; Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c";
Evaraknes = "a6adfad8-6c3b-4a0d-912e-d84a0caa1caa";
Taschmex = "a3a258b0-901f-43d9-b130-dad3b29cd7ee"; Taschmex = "a3a258b0-901f-43d9-b130-dad3b29cd7ee";
guy_montag = "cb8aa890-a5a3-41f2-9bb7-1edb20c5a31f"; guy_montag = "cb8aa890-a5a3-41f2-9bb7-1edb20c5a31f";
koppern = "3450494c-b945-4fa2-938c-5519adec005f"; koppern = "3450494c-b945-4fa2-938c-5519adec005f";
krloer = "ab3029e2-76b6-4219-854e-16091fe5e421"; krloer = "ab3029e2-76b6-4219-854e-16091fe5e421";
tictac1255 = "bab1f702-0e8b-4b98-8cce-bbfaed534d13";
}; };
}; };
}; };
# TODO: Automated backup job (https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/commit/57d1dfd121fdb23fcef54e0632f6f6278c6bb753/hosts/greddost/services/minecraft/default.nix#L144)
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server" "minecraft-server"
]; ];


@@ -1,50 +0,0 @@
{ config, pkgs, lib, inputs, ... }:
{
imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
services.minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
dataDir = "/var/lib/minecraft-server";
servers.home = {
enable = true;
jvmOpts = "-Xms4G -Xmx4G";
package = pkgs.fabricServers.fabric-1_21_4;
serverProperties = {
motd = "Home <3";
difficulty = "easy";
view-distance = 16;
simulation-distance = 16;
enable-command-block = true;
enable-rcon = true;
online-mode = false;
"rcon.password" = "wack";
};
symlinks = {
mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
FabricAPI = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/8FAH9fuR/fabric-api-0.114.2%2B1.21.4.jar";
sha256 = "sha256-nL1bcAaMW0tRCpfW0prd3mce14ZNcl7pAUabVXAQfWs=";
};
Lithium = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/zVOQw7YU/lithium-fabric-0.14.6%2Bmc1.21.4.jar";
sha256 = "sha256-iF4hy+3XVJP7Fv6R2dsrYq6Ct0MQJLX4/4Yh5WEJm90=";
};
});
};
};
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server"
];
networking.firewall.allowedUDPPorts = [ 24454 ];
}



@@ -1,12 +0,0 @@
{ config, pkgs, ... }:
{
services.prometheus.exporters.snmp = {
enable = true;
configurationPath = ./snmp-exporter-conf.yml;
# snmp.yml is built from
# https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml
# and
# https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
};
}


@@ -1,16 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.uptime-kuma;
in {
services.uptime-kuma = {
enable = true;
settings = {
PORT = "5059";
HOST = "127.0.1.2";
};
};
services.nginx.virtualHosts."uptime.home.feal.no" = {
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
};
}


@@ -1,8 +1,5 @@
{ config, values, ... }: { config, values, ... }:
let {
gitea = config.services.gitea.settings;
keycloak = config.services.keycloak.settings;
in {
services.nginx = { services.nginx = {
enable = true; enable = true;
enableReload = true; enableReload = true;
@@ -34,7 +31,7 @@ in {
# Publicly exposed services: # Publicly exposed services:
services.nginx.virtualHosts = let services.nginx.virtualHosts = let
publicProxy = upstream: overrides: { publicProxy = upstream: {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; } { addr = "192.168.10.175"; port = 43080; ssl = false; }
@@ -43,31 +40,34 @@ in {
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "${upstream}"; locations."/".proxyPass = "${upstream}";
};
in {
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
"git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
"wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
"cloud.feal.no" = {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
enableACME = true;
forceSSL = true;
extraConfig = '' extraConfig = ''
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
server_tokens off; server_tokens off;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
''; '';
} // overrides; locations."/".proxyPass = "http://voyager.home.feal.no/";
in {
"amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"cloud.feal.no" = publicProxy "" {
locations."/" = {
proxyPass = "http://challenger.home.feal.no";
extraConfig = ''
client_max_body_size 8G;
'';
};
}; };
"feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
"iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { };
"kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
"wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
}; };
} }
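Review bot: The new `"cloud.feal.no"` block has no `client_max_body_size`, while the old side's override set `client_max_body_size 8G;` for the same host; nginx's default limit is 1m, so large uploads to whatever is behind `http://voyager.home.feal.no/` will be rejected with 413 unless the limit is raised elsewhere — add `client_max_body_size 8G;` to that vhost's `extraConfig`. The HSTS `add_header` stays commented with the preload caveat explained, which is fine as a deliberate choice. I am inferring line sides from the hunk counts since the rendering lost the markers; the `services.nginx.virtualHosts` let-block starts outside the hunk.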


@@ -30,12 +30,6 @@ in {
rewrite /(.*) /admin/$1 break; rewrite /(.*) /admin/$1 break;
''; '';
}; };
locations."/admin" = {
extraConfig = ''
rewrite ^/admin/(.*) $scheme://${domain}/$1 break;
'';
};
}; };
} }


@@ -2,24 +2,15 @@
{ {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = true; enableTCPIP = false;
authentication = ''
host all all 172.16.0.0/12 md5
'';
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; # enable = true;
location = "/tank/backup/postgresql"; location = "/data/backup/postgresql/";
startAt = "*-*-* 03:15:00"; startAt = "*-*-* 03:15:00";
backupAll = true;
# Each service is registered in its own configuration file
databases = [ ];
}; };
# Docker containers on this host can reach postgres
networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port 5432 -s 172.16.0.0/12 -j ACCEPT";
environment.systemPackages = [ config.services.postgresql.package ]; environment.systemPackages = [ config.services.postgresql.package ];
} }
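Review bot: `# enable = true;` leaves `services.postgresqlBackup` disabled on the new side, so the `location` and `startAt` settings beside it are dead and no dumps are taken, while the same compare also drops the per-service `postgresqlBackup.databases` registrations (gitea, hedgedoc, matrix-synapse, vaultwarden); if that is intentional, a comment such as `# Dumps disabled for now; see the backup TODO in the gitea config` next to it would save the next reader a search. Switching `enableTCPIP` to false and dropping the `172.16.0.0/12 md5` rule together with the iptables exception is consistent and removes the network-reachable login path to the database.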


@@ -1,14 +0,0 @@
{ config, pkgs, lib, ... }:
let
port = 1457;
in {
hardware.rtl-sdr.enable = true;
systemd.services.rtl-tcp = {
script = "${pkgs.rtl-sdr}/bin/rtl_tcp -a 0.0.0.0 -p ${toString port} -s 2000000 -T";
serviceConfig = {
Group = "plugdev";
};
};
networking.firewall.allowedTCPPorts = [ port ];
}


@@ -1,39 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.searx;
domain = "search.home.feal.no";
in {
services.searx = {
enable = true;
environmentFile = config.sops.secrets."searx/envfile".path;
settings = {
server = {
secret_key = "@SEARX_SECRET_KEY@";
base_url = "http://${domain}";
};
};
runInUwsgi = true;
uwsgiConfig = {
socket = "/run/searx/searx.sock";
chmod-socket = "660";
};
redisCreateLocally = true;
};
sops.secrets."searx/envfile" = {
owner = "searx";
group = "searx";
};
users.groups."searx".members = [ "nginx" ];
services.nginx.virtualHosts."${domain}" = {
locations."/".extraConfig = ''
include ${config.services.nginx.package}/conf/uwsgi_params;
uwsgi_pass unix:${cfg.uwsgiConfig.socket};
'';
};
}


@@ -2,9 +2,8 @@
let let
cfg = config.services.vaultwarden; cfg = config.services.vaultwarden;
domain = "pw.feal.no"; domain = "pw.feal.no";
address = "127.0.1.2"; address = "127.0.0.1";
port = 3011; port = 3011; # Note: The websocket port is left as default(3012)
wsPort = 3012;
in { in {
sops.secrets."vaultwarden/admintoken" = { sops.secrets."vaultwarden/admintoken" = {
owner = "vaultwarden"; owner = "vaultwarden";
@@ -20,16 +19,11 @@ in {
rocketAddress = address; rocketAddress = address;
rocketPort = port; rocketPort = port;
websocketEnabled = true; websocketEnabled = true;
websocketAddress = address; # databaseUrl = "postgresql://vaultwarden:@localhost/vaultwarden?sslmode=disable";
websocketPort = wsPort;
signupsAllowed = true;
signupsVerify = true;
signupsDomainsWhitelist = "albrigtsen.it";
databaseUrl = "postgresql://vaultwarden@/vaultwarden"; databaseUrl = "postgresql://vaultwarden@/vaultwarden";
signupsAllowed = false;
}; };
}; };
@@ -41,8 +35,6 @@ in {
}]; }];
}; };
services.postgresqlBackup.databases = [ "vaultwarden" ];
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@@ -60,7 +52,7 @@ in {
proxyWebsockets = true; proxyWebsockets = true;
}; };
locations."/notifications/hub" = { locations."/notifications/hub" = {
proxyPass = "http://${address}:${toString wsPort}"; proxyPass = "http://localhost:3012";
proxyWebsockets = true; proxyWebsockets = true;
}; };
locations."/notifications/hub/negotiate" = { locations."/notifications/hub/negotiate" = {
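Review bot: The notifications hub is proxied to the literal `http://localhost:3012` on the new side while Rocket is bound to `address = "127.0.0.1"`; nginx resolves `localhost` at config load and on a dual-stack host can pick `::1`, where nothing listens, so use the bound address instead: `proxyPass = "http://${address}:3012";`. The commented `# databaseUrl = "postgresql://vaultwarden:@localhost/vaultwarden?sslmode=disable";` sits right above the live `databaseUrl` line and reads as a leftover. Replacing the verified-domain signup allowlist with `signupsAllowed = false;` tightens registration, which is fine. The settings block and the vhost start and end outside their hunks.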


@@ -1,38 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.networking.wireguard.interfaces."wg0";
in {
networking = {
nat = {
enable = true;
externalInterface = "enp3s0";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ cfg.listenPort ];
wireguard.interfaces."wg0" = {
ips = [ "10.100.0.1/24" ];
listenPort = 51820;
privateKeyFile = "/etc/wireguard/defiant.private";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
'';
peers = [
{ # Burnham
publicKey = "JcfyrMoZmnbibVLaIKuGSARAX2alFv4kwLbJaLBNbzo=";
persistentKeepalive = 60;
allowedIPs = [
"10.100.0.2/32"
"192.168.11.0/24"
];
#endpoint = "site2.feal.no:51902";
}
] ++ (import ../../../common/wireguard-peers.nix);
};
};
}


@@ -0,0 +1,43 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./desktop.nix
];
virtualisation.docker.enable = true;
networking = {
hostName = "edison";
defaultGateway = "192.168.10.1";
# Networking / Wi-Fi is configured with NM for now. TODO
networkmanager.enable = true;
};
console.keyMap = "us";
# sops.defaultSopsFile = ../../secrets/edison/edison.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
pavucontrol
];
programs.steam.enable = true;
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"steam"
"steam-original"
"steam-run"
];
system.stateVersion = "23.05";
}
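Review bot: `defaultGateway = "192.168.10.1";` installs a static default route while `networkmanager.enable = true;` and the TODO above it say NetworkManager handles networking, so two mechanisms may end up managing the default route; either drop the static gateway or note why it is kept, e.g. `# Static gateway kept until NM fully owns networking - TODO remove`. The commented `# sops.defaultSopsFile = ...;` means no secrets file is wired for this host, which is worth a word on whether that is intended.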

55
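--- a/hosts/edison/desktop.nix
+++ b/hosts/edison/desktop.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+{
+services.xserver = {
+enable = true;
+desktopManager.xfce.enable = true;
+videoDrivers = [ "nvidia" ];
+layout = "us,no";
+xkbVariant = "intl";
+};
+environment.systemPackages = with pkgs; [
+xfce.xfce4-pulseaudio-plugin
+];
+services.picom.enable = true;
+hardware.opengl.enable = true;
+services.pipewire = {
+enable = true;
+alsa.enable = true;
+pulse.enable = true;
+jack.enable = true;
+};
+fonts = {
+fontDir.enable = true;
+packages = with pkgs; [
+noto-fonts
+noto-fonts-emoji
+noto-fonts-cjk-sans
+font-awesome
+fira-code
+hack-font
+(nerdfonts.override {
+fonts = [
+"Hack"
+];
+})
+];
+};
+# Remote:
+services.xrdp = {
+enable = true;
+defaultWindowManager = "xfce4-session";
+openFirewall = true;
+};
+services.flatpak.enable = true;
+users.users."felixalb".packages = [ pkgs.flatpak ];
+xdg.portal = {
+enable = true;
+extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+};
+}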
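Review bot: `services.xrdp.openFirewall = true;` opens the RDP port on every interface with only the account password in front of it; for a desktop that is reachable from the whole LAN, prefer keeping the firewall closed and reaching xrdp over an existing tunnel, or at least scope the opening to one interface, e.g. `networking.firewall.interfaces.<LAN_IFACE>.allowedTCPPorts = [ 3389 ];` (interface name is a placeholder). `users.users."felixalb".packages = [ pkgs.flatpak ];` is redundant with `services.flatpak.enable = true;`, which already provides the client. A short header comment naming the host's role (desktop with remote access) would help, as this file has none.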


@@ -0,0 +1,41 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/14b254e1-d94f-4b9b-a910-7fcf7e33af46";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A197-7913";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/d56040a0-3009-4899-95fa-1b82e60e32e4"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

24
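--- a/hosts/edison/home.nix
+++ b/hosts/edison/home.nix
@@ -0,0 +1,24 @@
+{ pkgs, lib, ... }:
+{
+home.packages = with pkgs; [
+bat
+bottom
+mumble
+ncdu
+neofetch
+nix-index
+];
+imports = [
+./../../home/base.nix
+];
+programs = {
+zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+alacritty.enable = true;
+firefox.enable = true;
+rofi.enable = true;
+};
+home.stateVersion = "23.05";
+}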


@@ -1,59 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
networkmanager.enable = true;
wireguard.enable = true;
tempAddresses = "disabled";
hostName = "fa-t14-2025";
nameservers = [ "9.9.9.9" ];
domain = "it.hime.no";
hostId = "f458d6aa";
search = [
"mktv.no"
"mktv.local"
];
};
services.openssh.openFirewall = false;
environment.systemPackages = with pkgs; [
inetutils
wireguard-tools
];
virtualisation.docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
users.users.felixalb = {
uid = 1000;
openssh.authorizedKeys.keys = [ ];
extraGroups = [ "networkmanager" ];
};
console.keyMap = "no";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"securecrt"
"securefx"
];
};
system.stateVersion = "25.05";
}


@@ -1,51 +0,0 @@
{ config, pkgs, lib, ... }:
{
hardware.graphics.enable = true;
services.xserver = {
enable = true;
xkb = {
options = "ctrl:nocaps";
layout = "no";
};
};
services.displayManager.ly.enable = true;
services.gnome.gnome-keyring.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
# Fonts
fonts = {
fontDir.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-color-emoji
noto-fonts-cjk-sans
font-awesome
fira-code
hack-font
nerd-fonts.hack
];
};
# Misc:
xdg.portal = {
enable = true;
wlr.enable = true;
};
location.provider = "geoclue2";
security.polkit.enable = true;
services.dbus.packages = [ pkgs.gcr ];
services.openssh.settings.X11Forwarding = true;
programs.nm-applet.enable = true;
}


@@ -1,51 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "resume_offset=3037184" "mem_sleep_default=deep" ];
boot.resumeDevice = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
powerManagement.enable = true;
services.power-profiles-daemon.enable = true;
services.logind.lidSwitch = "suspend-then-hibernate";
services.logind.lidSwitchDocked = "ignore";
services.logind.powerKey = "suspend-then-hibernate";
services.logind.powerKeyLongPress = "poweroff";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/3ecaedab-415c-4cce-a3a9-9f3782acb682";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0800-59D9";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [
{
device = "/var/lib/swapfile";
size = 32*1024;
}
];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,99 +0,0 @@
{ pkgs, lib, ... }:
let
emailAddress = "felix.albrigtsen@mktv.no";
in {
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
bc
catimg
chromium
dig
element-desktop
hunspellDicts.en_US
hunspellDicts.nb_NO
iperf3
jq
libreoffice
mpv
oauth2ms
openssl
openvpn
pavucontrol
pwgen
traceroute
virt-manager
w3m
nixpkgs-2211.remmina
(unstable.microsoft-edge.overrideAttrs ({ installPhase ? "", ... }: {
installPhase = installPhase + ''
ln -s $out/bin/microsoft-edge $out/bin/microsoft-edge-stable
'';
}))
# Window Manager Extras
bibata-cursors
brightnessctl
cliphist
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
rofi-rbw-wayland
swaynotificationcenter
waybar
wl-clipboard
(python312.withPackages (ps: with ps; [
numpy
pycryptodome
requests
]))
];
programs = {
aerc = {
enable = true;
package = pkgs.aerc;
};
firefox.enable = true;
git.extraConfig.user.email = emailAddress;
rbw = {
enable = true;
settings = {
base_url = "https://vault.mktv.no";
email = emailAddress;
pinentry = pkgs.pinentry-rofi;
};
};
rofi = {
enable = true;
# theme = "iggy";
theme = "Arc-Dark";
};
zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
prezto.pmodules = [ "ssh" ];
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
};
};
home.stateVersion = "25.05";
}


@@ -1,53 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/mysql.nix
./services/nginx.nix
./services/postgresql.nix
./services/wiki-wackattack-eu.nix
./services/www-feal-no
./services/www-kinealbrigtsen-no.nix
./services/www-amalie-mansaker-no
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "leonard";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.207"; prefixLength = 24; }
];
};
hostId = "b99c12d1";
# Prepend the following output rules to disallow talking to other devices on LAN
firewall.extraCommands = lib.strings.concatLines ([
"iptables -F OUTPUT"
] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
"iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
"iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
"iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
]);
};
sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "25.05";
}


@@ -1,24 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4a70c1d5-9d72-4581-8f75-733b91c10669";
fsType = "ext4";
};
swapDevices = [ ]; # TODO
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@@ -1,12 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "25.05";
}


@@ -1,10 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
# TODO: services.mysqlBackup
}


@@ -1,19 +0,0 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
}


@@ -1,20 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.postgresql = {
enable = true;
enableTCPIP = false;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
services.postgresqlBackup = {
enable = true;
location = "/backup/postgresql/";
startAt = "*-*-* 03:15:00";
backupAll = true;
};
environment.systemPackages = [ config.services.postgresql.package ];
}


@@ -1,38 +0,0 @@
{ config, ... }:
let
bindIP = "127.0.1.2";
port = 5051;
cfg = config.services.wiki-js;
in {
# sops.secrets."wikijs/envfile" = {
# restartUnits = [ "wiki-js.service" ];
# };
services.wiki-js = {
enable = true;
# environmentFile = config.sops.secrets."wikijs/envfile".path;
settings = {
inherit bindIP port;
db = {
type = "postgres";
host = "/run/postgresql";
db = "wiki-js";
user = "wiki-js";
};
};
};
services.postgresql = {
ensureDatabases = [ "wiki-js" ];
ensureUsers = [{
name = "wiki-js";
ensureDBOwnership = true;
}];
};
services.nginx.virtualHosts."wiki.wackattack.eu" = {
locations."/" = {
proxyPass = "http://${bindIP}:${toString port}";
};
};
}


@@ -1,11 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."amalie.mansaker.no" = let
siteContent = pkgs.callPackage ./site.nix { };
in {
locations = {
"/".root = siteContent;
};
};
}


@@ -1,26 +0,0 @@
{ stdenv, fetchgit, hugo }:
stdenv.mkDerivation {
name = "www-amalie-mansaker-no";
src = fetchgit {
url = "https://git.feal.no/amalieem/amalie.mansaker.no.git";
fetchSubmodules = true;
rev = "15142c93da33414a0be49384a03b704ad95e31be";
hash = "sha256-oq5NC11UDYjYKToPsEXovCiIBD5adamVwi3scOFzpHM=";
};
nativeBuildInputs = [ hugo ];
buildPhase = ''
cp -r $src/* .
${hugo}/bin/hugo
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -r public/* $out/
runHook postInstall
'';
}


@@ -1,26 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."feal.no" = {
default = true;
serverAliases = [
"www.feal.no"
];
locations = {
# TODO: Reinstate actual website
"/".return = "302 https://git.feal.no/";
"^~ /.well-known/" = {
alias = (toString ./well-known) + "/";
};
"/cc/" = {
alias = "${pkgs.cyberchef}/share/cyberchef/";
index = "index.html";
};
"= /cc".return = "302 /cc/";
};
};
}


@@ -1,5 +0,0 @@
{
"m.homeserver": {
"base_url": "https://matrix.feal.no:443"
}
}


@@ -1 +0,0 @@
{"m.server": "matrix.feal.no:443"}


@@ -1,95 +0,0 @@
{ config, pkgs, lib, ... }:
{
users.users.www-kinealbrigtsen-no = {
isSystemUser = true;
group = "www-kinealbrigtsen-no";
};
users.groups.www-kinealbrigtsen-no = { };
services.mysql.ensureDatabases = [
"www_kinealbrigtsen_no"
];
services.mysql.ensureUsers = [
{
name = "www-kinealbrigtsen-no";
ensurePermissions = {
# "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
"www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
};
}
];
services.phpfpm.pools.www-kinealbrigtsen-no = {
user = "www-kinealbrigtsen-no";
group = "www-kinealbrigtsen-no";
phpOptions = lib.generators.toKeyValue {} {
upload_max_filesize = "1000M";
post_max_size = "1000M";
memory_limit = "1000M";
};
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 1000;
};
};
services.nginx.virtualHosts."kinealbrigtsen.no" = {
serverAliases = [ "www.kinealbrigtsen.no" ];
root = "/var/www/www-kinealbrigtsen-no";
locations = {
"/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
"~ \\.php$".extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
'';
"~ /\\.ht".extraConfig = ''
deny all;
'';
"/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
"/robots.txt".extraConfig = ''
allow all;
log_not_found off;
access_log off;
'';
"~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = ''
expires max;
log_not_found off;
'';
};
extraConfig = ''
index index.php index.html;
set_real_ip_from 192.168.11.0/24;
real_ip_header X-Forwarded-For;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
'';
};
# TODO:
# - Configure a mailer so wp_mail() works
# - Enable periodic backups
}


@@ -1,35 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/nginx.nix
./services/glance
./services/miniflux.nix
./services/thelounge.nix
];
networking = {
hostName = "morn";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.203"; prefixLength = 24; }
];
};
hostId = "89b7722d";
};
sops.defaultSopsFile = ../../secrets/morn/morn.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "24.11";
}


@@ -1,15 +0,0 @@
{ config, values, ... }:
{
services.glance = {
enable = true;
settings = import ./settings.nix;
};
services.nginx.virtualHosts."glance.home.feal.no" = let
inherit (config.services.glance.settings.server) host port;
in {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
}


@@ -1,83 +0,0 @@
{ config, ... }:
{
server = {
port = 5001;
host = "127.0.1.2";
};
pages =
let
fullCol = widgets: {
size = "full";
inherit widgets;
};
in
[
{
name = "Home";
columns = [
(fullCol [
{
type = "search";
search-engine = "http://search.home.feal.no/search?q={QUERY}";
}
{
type = "weather";
units = "metric";
location = "Trondheim, Norway";
}
])
(fullCol [
{
type = "hacker-news";
limit = 20;
collapse-after = 5;
}
{
type = "monitor";
cache = "5m";
sites =
let
site = title: url: { inherit title url; };
in
[
(site "Jellyfin" "http://jellyfin.home.feal.no")
(site "Gitea" "https://git.feal.no")
(site "VaultWarden" "https://pw.feal.no")
];
}
])
];
}
{
name = "News";
columns =
let
feed = title: url: { inherit title url; };
rss = title: feeds: {
type = "rss";
inherit title feeds;
};
in
[
(fullCol [
(rss "Norway" [
(feed "NRK" "https://www.nrk.no/toppsaker.rss")
(feed "Bygdeposten" "https://www.bygdeposten.no/service/rss")
(feed "Nidaros" "https://www.nidaros.no/service/rss")
])
])
(fullCol [
(rss "NTNU" [
(feed "OmegaV" "https://omegav.no/newsrss")
(feed "PVV" "https://www.pvv.ntnu.no/w/api.php?hidebots=1&urlversion=1&days=7&limit=50&action=feedrecentchanges&feedformat=atom")
(feed "IT-Varsel" "https://varsel.it.ntnu.no/subscribe/rss/")
])
])
];
}
];
}


@@ -1,23 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "rss.home.feal.no";
listen_addr = "127.0.1.2:5051";
in {
sops.secrets."miniflux/env" = { };
services.miniflux = {
enable = true;
adminCredentialsFile = config.sops.secrets."miniflux/env".path;
config = {
CREATE_ADMIN = true;
LISTEN_ADDR = listen_addr;
BASE_URL = "http://${domain}";
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${listen_addr}";
};
}


@@ -1,19 +0,0 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
}


@@ -1,21 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.thelounge.extraConfig;
domain = "irc.home.feal.no";
in {
services.thelounge = {
enable = true;
extraConfig = {
public = false;
host = "127.0.1.2";
port = 9000;
reverseProxy = true;
};
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://${cfg.host}:${toString cfg.port}";
};
}


@@ -0,0 +1,73 @@
{ config, pkgs, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
];
networking.hostName = "redshirt";
networking.networkmanager.enable = true;
# Enable the X11 windowing system.
services.xserver = {
enable = true;
windowManager = {
qtile.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
libinput.enable = true;
};
# The NixOS module enables critical components needed to run Hyprland properly, such as: polkit, xdg-desktop-portal-hyprland, graphics drivers, fonts, dconf, xwayland, and adding a proper Desktop Entry to your Display Manager.
#programs.hyprland = {
# enable = true;
# package = pkgs.unstable.hyprland;
#};
services.xserver.displayManager = {
lightdm.enable = true;
#defaultSession = "hyprland";
};
# Configure keymap in X11
services.xserver.layout = "no";
fonts.fonts = with pkgs; [
(nerdfonts.override { fonts = [ "FiraCode" "Hack" ]; })
];
sound.enable = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
users.users.felixalb = {
extraGroups = [ "networkmanager" ];
};
environment.systemPackages = with pkgs; [
zsh
neovim
git
ripgrep
rsync
cifs-utils
];
documentation.man.generateCaches = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
system.stateVersion = "22.11";
}
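Review bot: `fonts.fonts` and `services.xserver.layout = "no"` in this hunk are the pre-23.11 option names; nixpkgs renamed them to `fonts.packages` and `services.xserver.xkb.layout`, and `sound.enable` is gone as of 24.05. The sisko desktop file in this same compare already uses `fonts.packages`, so evaluating this host against the shared `../../base.nix` and the same flake input will at least emit rename warnings and, depending on the pinned release, fail on the removed option. If the host is meant to build from the shared flake, the lines should become `fonts.packages = with pkgs; [ (nerdfonts.override { fonts = [ "FiraCode" "Hack" ]; }) ];` and `services.xserver.xkb.layout = "no";`, with the `sound.enable` line dropped. The multi-line Hyprland comment above the disabled `programs.hyprland` block could be reduced to a one-liner such as `# Hyprland disabled; the NixOS module would also pull in polkit, portals and xwayland` since the block itself is commented out.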


@@ -0,0 +1,41 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0d709ab3-0d10-46eb-9e4f-10a320af703e";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6EE9-1C06";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/2067bbb4-b4fa-4326-9f58-4018857058a7"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,90 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
hostName = "sisko";
# networkmanager.enable = true;
defaultGateway = "192.168.10.1";
interfaces.enp14s0 = {
ipv4 = {
addresses = [
{ address = "192.168.10.172"; prefixLength = 24; }
];
};
wakeOnLan.enable = true;
};
hostId = "b716d781";
};
hardware.bluetooth.enable = true;
hardware.rtl-sdr.enable = true;
sops.defaultSopsFile = ../../secrets/sisko/sisko.yaml;
environment.variables = { EDITOR = "vim"; };
users.users.felixalb.extraGroups = [
"dialout"
"libvirtd"
"networkmanager"
"plugdev"
];
programs = {
alvr = {
enable = true;
openFirewall = true;
};
firefox = {
enable = true;
nativeMessagingHosts.packages = with pkgs; [ tridactyl-native ];
};
gamemode.enable = true;
immersed.enable = true;
steam = {
enable = true;
remotePlay.openFirewall = true;
};
virt-manager.enable = true;
};
virtualisation = {
libvirtd.enable = true;
spiceUSBRedirection.enable = true;
};
environment.systemPackages = with pkgs; [
virtiofsd
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"discord"
"immersed"
"spotify"
"steam"
"steam-unwrapped"
];
permittedInsecurePackages = [
"openssl-1.1.1w"
];
rocmSupport = true;
};
services.fwupd.enable = true;
system.stateVersion = "24.11";
}


@@ -1,70 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Video
hardware.graphics = {
enable = true;
enable32Bit = true;
};
hardware.amdgpu.opencl.enable = true;
services.displayManager.ly.enable = true;
services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
# Misc
fonts = {
fontDir.enable = true;
packages = with pkgs; [
fira-code
font-awesome
hack-font
nerd-fonts.hack
noto-fonts
noto-fonts-cjk-sans
noto-fonts-color-emoji
];
};
environment.sessionVariables = {
NIXOS_OZONE_WL = "1";
SSH_AUTH_SOCK = "/run/user/${toString config.users.users.felixalb.uid}/keyring/ssh";
};
services.gnome.gnome-keyring.enable = true;
# Dark mode
home-manager.users.felixalb = {
dconf.settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
};
gtk = {
enable = true;
theme = {
name = "Adwaita-dark";
package = pkgs.gnome-themes-extra;
};
};
};
qt = {
enable = true;
platformTheme = "gnome";
style = "adwaita-dark";
};
}


@@ -1,55 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.extraModprobeConfig = "options bluetooth disable_ertm=1"; # Xbox controller
hardware.xpadneo.enable = true;
boot.kernel.sysctl = {
"vm.max_map_count" = 16777216;
# "fs.file-max" = 524288;
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ {
device = "/swapfile";
size = 64*1024;
} ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp14s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp15s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,162 +0,0 @@
{ pkgs, lib, config, ... }:
{
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
# GUI Applications
cantata
chromium
discord
easyeffects
element-desktop
emacs-gtk
feishin
gqrx
kitty
libreoffice
lutris
mpv
mumble
orca-slicer
papers
pavucontrol
picard
pkgsRocm.hashcat
prismlauncher
restic
runelite
spotify
swayimg
thunderbird
tor-browser
bolt-launcher
exiftool
ghidra
# pwndbg-gdb-alias # Broken in 25.05
snicat
# Window Manager Extras
bibata-cursors
cliphist
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
networkmanager
rofi-rbw-wayland
swaynotificationcenter
waybar
wl-clipboard
# Misc tools
abcde
bc
catimg
dante
dig
go
hunspellDicts.en_US
hunspellDicts.nb_NO
jq
nixpkgs-2211.remmina
ollama-rocm
openssl
playerctl
pwgen
restic
rocmPackages.clang
traceroute
w3m
(python313.withPackages (ps: with ps; [
numpy
pycryptodome
requests
]))
];
programs = {
aerc = {
enable = true;
package = pkgs.aerc;
};
alacritty = {
enable = true;
settings.window.opacity = 0.92;
};
ncmpcpp.enable = true;
rbw = {
enable = true;
settings = {
base_url = "https://pw.feal.no";
email = "felix@albrigtsen.it";
pinentry = pkgs.pinentry-gnome3;
};
};
rofi = {
enable = true;
theme = "iggy";
};
zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
prezto.pmodules = [ "ssh" ];
};
};
services = {
mpd = let
home = config.home.homeDirectory;
in {
enable = true;
musicDirectory = "${home}/mnt/music";
dataDir = "${home}/Music/mpd/data";
playlistDirectory = "${home}/Music/mpd/playlists";
extraConfig = ''
audio_output {
type "pipewire"
name "PipewireOut1"
}
'';
};
};
home.pointerCursor = {
name = "Bibata-Modern-Ice";
package = pkgs.bibata-cursors;
size = 24;
gtk.enable = true;
x11 = {
enable = true;
defaultCursor = true;
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
"inode/directory" = "org.gnome.Nautilus.desktop";
"application/pdf" = "org.gnome.Papers.desktop";
} // builtins.listToAttrs (
builtins.map
( imgType: { name = "image/${imgType}"; value = "swayimg.desktop"; } )
[ "apng" "bmp" "gif" "heic" "heif" "jpeg" "png" "svg" "svg+xml" "tiff" ]
);
};
home.stateVersion = "24.11";
}


@@ -0,0 +1,49 @@
{ config, pkgs, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./filesystems.nix
./wireguard.nix
./exports.nix
./services/snappymail.nix
./services/calibre.nix
./services/fancontrol.nix
./services/jellyfin.nix
./services/kanidm.nix
./services/nextcloud.nix
./services/nginx
./services/postgres.nix
./services/timemachine.nix
./services/transmission.nix
];
networking = {
hostName = "voyager";
bridges.br0.interfaces = [ "eno1" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.10.165"; prefixLength = 24; }
];
hostId = "8e84b235";
defaultGateway = "192.168.10.1";
};
sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
system.stateVersion = "22.11";
}
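Review bot: `virtualisation.docker.enable = true` deserves a comment on its firewall interaction, since judging by the imported service names this host also fronts an identity provider, Nextcloud and NFS exports. dockerd installs its own DOCKER chains in the nat and FORWARD tables, so any container started with a `-p` mapping is reachable from the LAN regardless of `networking.firewall.allowedTCPPorts`, and membership in the `docker` group is root-equivalent on the host. If no published ports are intended, `virtualisation.docker.daemon.settings = { iptables = false; };` keeps the NixOS firewall authoritative; otherwise a comment next to the docker lines such as `# docker publishes container ports outside networking.firewall; audit -p mappings in services/` records the decision. The imported service files are outside this hunk, so which containers actually run is not visible here.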

27
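--- /dev/null
+++ b/hosts/voyager/exports.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+{
+fileSystems = {
+"/export/riker-backup" = {
+device = "/tank/backup/riker";
+options = [ "bind" ];
+};
+"/export/defiant-backup" = {
+device = "/tank/backup/defiant";
+options = [ "bind" ];
+};
+};
+# Enable nfs4 only
+services.nfs.server = {
+enable = true;
+exports = ''
+/export 192.168.10.4(rw,fsid=0,no_subtree_check) 192.168.10.5(rw,fsid=0,no_subtree_check) 192.168.10.2(rw,fsid=0,no_subtree_check) 192.168.10.175(rw,fsid=0,no_subtree_check)
+/export/riker-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
+/export/doyle-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
+/export/defiant-backup 192.168.10.175(rw,nohide,no_subtree_check,async,no_root_squash)
+'';
+};
+networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
+networking.firewall.allowedUDPPorts = [ 111 20048];
+}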
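Review bot: `/export/doyle-backup` is exported on the third line of the `exports` string but has no bind mount in the `fileSystems` block above (only riker-backup and defiant-backup are bound), so that export is either stale or serves an empty directory under /export; either add a matching `fileSystems."/export/doyle-backup"` entry with `options = [ "bind" ];` and a `device` pointing at the doyle dataset under /tank/backup, or drop the export line. Both backup exports use `rw,no_root_squash`, which lets root on 192.168.10.2 and 192.168.10.175 create files with any owner or mode in the server's backup tree; unless the backup tool must preserve ownership, `root_squash` with a dedicated `anonuid`/`anongid` bounds what a compromised client can do, and `async` on defiant-backup acknowledges writes before they reach disk, which is worth a comment on a backup target. The `# Enable nfs4 only` comment is not backed by any setting in this file, and the opened ports 111 and 20048 (rpcbind and mountd) exist only for NFSv3; an NFSv4-only server needs just 2049/tcp. `[ 111 20048]` is also missing the closing space used elsewhere.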


@@ -0,0 +1,39 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
environment.systemPackages = with pkgs; [ cifs-utils ];
# Local zfs
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.zfs.autoScrub.enable = true;
# Network mounts (import)
fileSystems = {
"/mnt/feal-syn1/media" = {
device = "feal-syn1.home.feal.no:/volume2/media";
fsType = "nfs";
options = [ "vers=3" ];
#options = [ "x-systemd.automount" "noauto" ];
};
"/mnt/feal-syn1/nfs_proxmox" = {
device = "//feal-syn1.home.feal.no/nfs_proxmox";
fsType = "cifs";
options = let
# this line prevents hanging on network split
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in ["${automount_opts},credentials=/etc/feal-syn1-credentials"];
};
"/var/backup" = {
device = "/tank/backup/voyager";
options = [ "bind "];
};
};
}
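Review bot: `options = [ "bind "];` on the `/var/backup` entry carries a trailing space inside the string, so the generated mount option is `bind ` rather than `bind`; it should read `options = [ "bind" ];` like the other entries, since the current form relies on fstab tokenisation happening to tolerate it. `config.boot.zfs.package.latestCompatibleLinuxPackages` has been deprecated since 24.05 and is removed in later releases, so with the nixpkgs the 25.05-era hosts in this compare use the line fails evaluation; leaving `boot.kernelPackages` at the default LTS kernel (which ZFS tracks) or pinning an explicit `pkgs.linuxPackages_*` avoids that. The CIFS mount reads `credentials=/etc/feal-syn1-credentials`, a plaintext file nothing in this tree provisions, unlike the other secrets that go through sops; a comment stating how that file is created and that it must be root-owned mode 0600 would help, or better, deliver it via `sops.secrets` and reference its `.path` in the options string.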
