
75 Commits

Author SHA1 Message Date
f80d75db7a worf: add prismlauncher 2024-01-05 13:42:12 +01:00
582f336b79 nextcloud: move out of container 2024-01-03 18:34:33 +01:00
e465dc9970 nextcloud: fix reverse proxy 2024-01-03 03:05:47 +01:00
118c4a15c3 voyager: add nextcloud 2024-01-03 02:35:57 +01:00
72f404dba1 voyager: move snappymail 2024-01-02 21:43:04 +01:00
deeb9d6d9d defiant: More minecraft 2024-01-02 17:10:38 +01:00
c5071291c2 defiant: replace minecraft server 2023-12-29 23:44:37 +01:00
f1e913ed04 Update flake, add minecraft 2023-12-29 15:56:47 +01:00
1517723254 worf: add nvim-emmet 2023-12-28 23:38:24 +01:00
e3bf9306c4 neovim: add peristant undo file 2023-12-28 16:23:44 +01:00
c755f46162 edison: enable flatpak 2023-12-26 16:45:25 +01:00
d657c42e73 edison: install steam 2023-12-25 13:31:43 +01:00
6f6ff80ad8 defiant/metrics: Remove zfs exporter, fix snmp exporter 2023-12-26 15:46:41 +01:00
b3dccf7213 metrics: fix iptables rules 2023-12-26 12:21:30 +01:00
75009c127f voyager: cleanup secrets 2023-12-26 11:48:13 +01:00
a0efb86dd9 Move metrics,gitea,vaultwarden from voyager to defiant 2023-12-26 11:45:12 +01:00
f20c42d899 Update DNS, add wackattack proxy 2023-12-25 02:08:15 +01:00
cd8f480282 Move more services to defiant. Remove sarek. 2023-12-25 01:37:05 +01:00
e679fe079c update readme 2023-12-25 00:10:00 +01:00
9643dddc45 defiant: Configure matrix-synapse. Remove janeway. 2023-12-25 00:06:26 +01:00
0b133701a6 defiant: add hardware config 2023-12-24 17:40:47 +01:00
b16d768b01 Initialize defiant 2023-12-24 17:14:10 +01:00
4891bd7537 voyager: add home-manager 2023-12-18 23:52:17 +01:00
7c2d7a434b voyager: Upgrade to nixos-23.11 2023-12-18 23:38:15 +01:00
16cc6ee085 janeway: move postgres abckup 2023-12-18 22:29:55 +01:00
99f3a415b4 worf: update to nixos-23.11 2023-12-17 01:05:34 +01:00
cb2d4c5db2 Flake -> 23.05. Patch/update sarek 2023-12-16 17:38:22 +01:00
2545ec2f36 sarek: remove jupyter 2023-12-16 16:45:59 +01:00
d029fcabf5 voyager: various cleanups 2023-12-18 23:17:57 +01:00
df220efff3 Worf: various updates: nvim-telescope, yabai, sketchybar, builders 2023-12-07 10:22:35 +01:00
57062782a0 voyager: add time machine, cleanup 2023-11-16 15:54:54 +01:00
8838b0ecf7 worf: Add yabai/skhd. Add sarek as builder 2023-11-16 14:37:23 +01:00
4da7b08cd4 worf: Add texlive, remove gs, ++ 2023-11-02 11:14:28 +01:00
17e317b59e voyager: move addons 2023-10-15 03:51:20 +02:00
475ee691e0 voyager: remove synapse 2023-10-15 03:54:17 +02:00
31ff1c1c43 janeway: add/fix synapse 2023-10-15 03:50:59 +02:00
eef3988051 janeway: add keys 2023-10-14 01:43:51 +02:00
7375fc3569 add host: janeway 2023-10-14 01:22:32 +02:00
303033630c remove host: chapel 2023-10-14 00:11:53 +02:00
701b671d48 worf: minor updates 2023-10-14 00:09:22 +02:00
519cf5bac7 sarek: docker -> podman 2023-10-06 00:33:00 +02:00
f0749acfc0 hedgedoc: move from voyaer to sarek 2023-10-06 00:19:04 +02:00
5fb2307cd9 voyager: remove flame. Move DNS to base.nix 2023-10-05 23:46:22 +02:00
efbaf1ffed sarek: intialize service config. Move firewall to base.nix 2023-10-05 23:44:58 +02:00
ef3cc3097e sarek: initialize postgresql 2023-10-05 22:14:29 +02:00
9c1ef59a22 voyager/sarek: Fix NFS export 2023-10-05 22:04:10 +02:00
ec318f7f9d sarek: Manually configure networking 2023-10-05 22:05:09 +02:00
82d60072a7 zsh: add unstable nix-shell 2023-10-05 17:32:21 +02:00
5809dcc3fb zsh: add zoxide. worf: remove vscode, add alacritty 2023-10-03 01:26:14 +02:00
3215030c6d Add sarek and related NFS shares 2023-10-03 01:25:33 +02:00
9d22b16f45 Update jupyter server 2023-10-03 01:23:45 +02:00
bdb2ba523b Enable xrdp, replace exa with eza 2023-09-22 12:32:13 +02:00
d0fdcf212b Minor update; fix DHCP 2023-09-18 14:00:45 +02:00
4e49dc393a Add jupyter 2023-09-18 13:59:48 +02:00
62eef1ab58 edison: add pipewire 2023-09-15 17:12:47 +02:00
c921b06d99 Update flake, update edison-gui 2023-09-15 17:04:17 +02:00
5c0749c36e Develop edison, standardize home-manager 2023-09-15 00:21:07 +02:00
c293e91a79 Add edison 2023-09-13 23:40:50 +02:00
28b690c50e Prepare remote building, add searx 2023-09-13 23:21:28 +02:00
36bd5c6460 Update worf, ctf-shell and flake.lock 2023-09-13 23:20:31 +02:00
5a94663e2e Cleanup ctf-shell, add linux-only packages 2023-08-24 15:47:43 +02:00
cf150bba83 Add ctf-shell, minor worf fixes 2023-08-21 23:54:18 +02:00
6f87add17b Minor worf updates 2023-08-18 19:06:07 +02:00
b3bf98d396 Update flake, fix gitea 2023-08-18 19:02:07 +02:00
c266d7f1db Add workers with matrix-synapse-next, various fixes and updates 2023-08-14 08:37:20 +02:00
85ed4119f9 Switch channel, update flake 2023-08-13 10:33:41 +02:00
e5d4bc2c1e Added snappymail test config 2023-08-12 22:00:15 +02:00
45b65458a4 Minor worf updates 2023-08-08 08:51:20 +02:00
714907374e Worf: git+vim 2023-07-27 13:13:03 +02:00
095af4edbe Configure zsh, cleanup worf 2023-07-27 11:33:44 +02:00
a3abe31539 More worf-config 2023-07-26 15:22:24 +02:00
934b4ed1af Add home-manager and fix worf 2023-07-26 10:48:52 +02:00
e150b77290 Add worf 2023-07-26 09:06:51 +02:00
e0b6859414 Add worf keys and zfs-exporter 2023-07-25 19:15:19 +02:00
372022c000 Add stash, adjust gitea 2023-06-29 23:31:55 +02:00
158 changed files with 8590 additions and 6609 deletions


@@ -1,50 +1,27 @@
keys: keys:
- &bw_recovery age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur - &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
- &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct - &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
- &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773 - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
- &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
- &host_morn age14ar8q5454khxxf5ur2nxwk533nzycz2lh3635qwz35wh8yq0jpqskj2ksx
- &user_felixalb_sisko age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
- &user_felixalb_worf age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
creation_rules: creation_rules:
# Global secrets # Global secrets
- path_regex: secrets/[^/]+\.yaml$ - path_regex: secrets/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bw_recovery - *user_felixalb_old
- *user_felixalb_sisko - *user_felixalb
- *user_felixalb_worf
# Host specific secrets # Host specific secrets
- path_regex: secrets/burnham/[^/]+\.yaml$ - path_regex: secrets/voyager/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_burnham - *host_voyager
- *bw_recovery - *user_felixalb_old
- *user_felixalb_sisko - *user_felixalb
- *user_felixalb_worf
- path_regex: secrets/challenger/[^/]+\.yaml$
key_groups:
- age:
- *host_challenger
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/defiant/[^/]+\.yaml$ - path_regex: secrets/defiant/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *host_defiant - *host_defiant
- *bw_recovery - *user_felixalb
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/morn/[^/]+\.yaml$
key_groups:
- age:
- *host_morn
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
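Review bot: Editing the recipient lists in this file does not re-encrypt anything already under `secrets/`; until `sops updatekeys` is run on each existing secrets file, the keys dropped from the rules (`bw_recovery`, `user_felixalb_sisko`, `user_felixalb_worf` and the removed host keys) can still decrypt those files. On the new side the `secrets/defiant/` rule lists only `host_defiant` and `user_felixalb`, while the global and `secrets/voyager/` rules also include `user_felixalb_old`; confirm that asymmetry is intended, since it means the old user key covers global secrets but not defiant's. If `user_felixalb_old` is a retired key, dropping it from the global rule once the new key is verified keeps a single old key from decrypting every shared secret.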


@@ -1,7 +1,5 @@
## Felixalbs nixos config ## Felixalbs nixos config
![](https://github.com/NixOS/nixos-artwork/blob/master/releases/24.05-uakari/uakari.png?raw=true)
Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host. Contains configurations for some nixos servers, some nixos desktops and a [nix-darwin](https://github.com/LnL7/nix-darwin) host.
Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix). Secrets are managed with [sops-nix](https://github.com/Mic92/sops-nix).
@@ -16,39 +14,3 @@ nix --extra-experimental-features "nix-command flakes" build ".#nixosConfigurati
``` ```
nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake github+felixalbrigtsen/nixos-server-conf.git --upgrade nixos-rebuild switch --update-input nixpkgs --update-input unstable --no-write-lock-file --refresh --flake github+felixalbrigtsen/nixos-server-conf.git --upgrade
``` ```
# Services and tools
Below is a list of _most_ of the services configured in this repo, at least the ones that are accessible to the public.
It might be incomplete or out of date, but should generally describe the state of my homelab.
Other installed packages and tools are described in the config files (like ./hosts/HOSTNAME/configuration.nix), but not listed here.
## Public / important services
- Matrix ([source](./hosts/defiant/services/matrix/default.nix)) - Decentralized, encrypted chat - Contact me at @felixalb:feal.no
- [Nextcloud](https://cloud.feal.no) ([source](./hosts/challenger/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail
- [Gitea](https://git.feal.no) ([source](./hosts/defiant/services/gitea.nix)) - Software forge / git server
- [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor
- HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller
- [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend
- [KeyCloak](https://iam.feal.no) ([source](./hosts/defiant/services/nextcloud.nix)) - Authentication provider, giving SSO with OIDC or SAML
- [Jellyfin](https://jf.feal.no) ([source](./hosts/challenger/services/jellyfin.nix)) - Local media streaming
## Networking
- I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)).
- A long time ago, I switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix).
- PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking.
- A simple custom DynDNS thing is defined [here](./common/domeneshop-dyndns.nix) and used [here](./hosts/defiant/services/dyndns.nix).
## Monitoring
- Prometheus ([source](./hosts/defiant/services/monitoring/prometheus.nix)) - Pull-based metrics system that fetches metrics over HTTP from a range of exporters and stores them in a time-series database
- Loki ([source](./hosts/defiant/services/monitoring/loki.nix)) - Central logging for all my hosts
- Grafana ([source](./hosts/defiant/services/monitoring/grafana.nix)) - Visualization and alerting for all my metrics and logs
- Uptime-Kuma ([source](./hosts/defiant/services/monitoring/uptime-kuma.nix)) - Uptime / health check with alerting
## Dotfiles and user tools
- (Neo)vim ([source](./home/neovim.nix)) - Text editor with my configuration for IDE-like support for autocompletion, syntax highlighting and efficient editing.
- Zsh ([source](./home/zsh.nix)) - My shell of choice


@@ -5,8 +5,8 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
networking = { networking = {
domain = lib.mkDefault "home.feal.no"; domain = "home.feal.no";
nameservers = lib.mkDefault [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ]; nameservers = [ "192.168.10.175" "192.168.10.1" "1.1.1.1" ];
useDHCP = lib.mkDefault false; useDHCP = lib.mkDefault false;
}; };
@@ -29,40 +29,31 @@
trusted-users = [ "felixalb" ]; trusted-users = [ "felixalb" ];
builders-use-substitutes = true; builders-use-substitutes = true;
}; };
registry= {
nixpkgs.flake = inputs.nixpkgs;
};
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
bat
bottom bottom
eza
file
git git
gnugrep gnugrep
gnutar gnutar
htop
iotop
lm_sensors
nix-output-monitor
p7zip
python3
ripgrep ripgrep
rsync rsync
screen tree
unzip eza
usbutils
vim
wget wget
zip
] ++ lib.optionals (pkgs.stdenv.isLinux) [
dmidecode
lm_sensors
pciutils
]; ];
services.openssh = { services.openssh = {
enable = true; enable = true;
openFirewall = lib.mkDefault true;
settings = { settings = {
PermitRootLogin = "no"; PermitRootLogin = "no";
PasswordAuthentication = false; PasswordAuthentication = false;
@@ -71,12 +62,13 @@
extraConfig = '' extraConfig = ''
AllowTcpForwarding yes AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding yes AllowAgentForwarding yes
AuthenticationMethods publickey AuthenticationMethods publickey
''; '';
}; };
programs.mosh.enable = true; networking.firewall.allowedTCPPorts = [ 22 ];
users.users.felixalb = { users.users.felixalb = {
isNormalUser = true; isNormalUser = true;
@@ -84,12 +76,12 @@
"wheel" "wheel"
"docker" "docker"
]; ];
uid = lib.mkDefault 1000; uid = 1000;
openssh.authorizedKeys.keys = lib.mkDefault [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKzPICGew7uN0cmvRmbwkwTCodTBUgEhkoftQnZuO4Q felixalbrigtsen@gmail.com"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTXSL0w7OUcz1LzEt1T3I3K5RgyNV+MYz0x/1RbpDHQ felixalb@worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiPHhj0YbklJnJNcxD0IlzPxLTGfv095H5zyS/1Wb64 felixalb@edison.home.feal.no"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5M7hYl3saBNMAo6sczgfUvASEJWFHuERB7xvf4gxst nix-builder-worf"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJky33ynjqyWP+hh24gFCMFIEqe3CjIIowGM9jiPbT79 felixalb@sisko.home.feal.no"
]; ];
shell = pkgs.zsh; shell = pkgs.zsh;
}; };
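Review bot: `networking.firewall.allowedTCPPorts = [ 22 ];` in the third hunk hard-codes the SSH port in a module shared by every host, so a host that sets `services.openssh.ports` to something else still has 22 opened; `services.openssh.openFirewall = true;` opens exactly the configured ports and keeps the two settings from drifting. In the last hunk the `nix-builder-worf` key lands in the authorized keys of `felixalb`, a `wheel` member; a remote-builder key normally only needs a dedicated, unprivileged user, so granting it the admin account is worth a second look (I cannot see from this hunk whether the builder is configured to use a different login). The `users.users.felixalb` attribute set starts before that hunk.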


@@ -1,15 +0,0 @@
{ config, pkgs, lib, ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.feal.no/felixalb/nixos-config.git";
flags = [
# Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs.
"--refresh"
"--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.11"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable"
"--no-write-lock-file"
];
};
}


@@ -1,45 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.domeneshop-dyndns;
in {
options.services.domeneshop-dyndns = {
enable = lib.mkEnableOption "Domeneshop DynDNS";
domain = lib.mkOption {
type = lib.types.str;
description = "Domain name to configure";
};
netrcFile = lib.mkOption {
type = lib.types.path;
description = "Path to the file that contains `machine api.domeneshop.no login <DDNS_TOKEN> password <DDNS_SECRET>` from https://domene.shop/admin?view=api";
};
startAt = lib.mkOption {
type = lib.types.str;
default = "*:0/10"; # Every 10 minutes
description = "Systemd onCalendar expression for when to run the timer";
};
};
config = lib.mkIf cfg.enable {
systemd.services.domeneshop-dyndns = {
serviceConfig.LoadCredential = "netrc:${cfg.netrcFile}";
startAt = cfg.startAt;
script = ''
DNSNAME="${cfg.domain}"
NEW_IP="$(${lib.getExe pkgs.curl} --silent https://ipinfo.io/ip)"
OLD_IP="$(${lib.getExe pkgs.getent} hosts "$DNSNAME" | ${lib.getExe pkgs.gawk} '{ print $1 }')"
if [[ "$NEW_IP" != "$OLD_IP" ]]; then
echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
${lib.getExe pkgs.curl} --silent --netrc-file "$CREDENTIALS_DIRECTORY/netrc" "https://api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
else
echo "Old IP ($OLD_IP) matches new IP ($NEW_IP), exiting..."
fi
'';
};
};
}


@@ -1,7 +1,6 @@
{ config, pkgs, values, ... }: { config, pkgs, values, ... }:
let
metricsHost = "192.168.10.175"; # defiant.home.feal.no {
in {
services.prometheus.exporters.node = { services.prometheus.exporters.node = {
enable = true; enable = true;
port = 9100; port = 9100;
@@ -12,7 +11,7 @@ in {
# TODO: Move this into the node-exporter systemd service # TODO: Move this into the node-exporter systemd service
allowedTCPPorts = [ 9100 ]; allowedTCPPorts = [ 9100 ];
extraCommands = '' extraCommands = ''
iptables -A INPUT -p tcp -m tcp --source ${metricsHost}/32 --dport 9100 -j ACCEPT iptables -A INPUT -p tcp -m tcp --source 192.168.10.175/32 --dport 9100 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9100 -j DROP iptables -A INPUT -p tcp -m tcp --dport 9100 -j DROP
''; '';
}; };
@@ -26,7 +25,7 @@ in {
}; };
clients = [ clients = [
{ {
url = "http://${metricsHost}:3100/loki/api/v1/push"; url = "http://grafana.home.feal.no:3100/loki/api/v1/push";
} }
]; ];
scrape_configs = [ scrape_configs = [
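Review bot: The source restriction in the second hunk only covers IPv4: the `extraCommands` lines call `iptables`, which does not touch the ip6tables ruleset, while `allowedTCPPorts = [ 9100 ]` opens the port for both address families, so on a host with IPv6 connectivity any IPv6 peer can scrape the node exporter. Adding `ip6tables -A INPUT -p tcp -m tcp --dport 9100 -j DROP` next to the existing DROP closes that gap, or bind the exporter to the LAN address via `services.prometheus.exporters.node.listenAddress` so it is not listening on every interface. The attribute set holding `allowedTCPPorts` (presumably `networking.firewall`) starts before the hunk.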


@@ -1,8 +0,0 @@
{ pwndbg }:
# "$ coredumpctl gdb" always runs "gdb" from your path.
pwndbg.overrideAttrs ({ installPhase ? "", ... }: {
installPhase = installPhase + ''
ln -s $out/bin/pwndbg $out/bin/gdb
'';
})


@@ -1,81 +0,0 @@
{
lib,
stdenv,
fetchurl,
autoPatchelfHook,
dpkg,
cups,
gtkmm3,
icu74,
krb5,
makeWrapper,
openssl,
pango,
python312,
xcb-util-cursor,
xorg,
}:
let
packageId = "scrt_ubuntu2464_deb_963";
in stdenv.mkDerivation rec {
pname = "securecrt";
version = "9.6.3";
src = fetchurl {
url = "https://www.vandyke.com/cgi-bin/download_1.php";
name = "${pname}-${version}.deb";
curlOpts = "-X POST --data 'pid=${packageId}&export_check=accept&country=no&su";
sha256 = "sha256-PsFuxJ7H0rJCWWi+rvzrlRUJlp9R4MG14d883/kl9Lo=";
};
unpackCmd = "dpkg -x $curSrc source";
nativeBuildInputs = [
dpkg
autoPatchelfHook
];
buildInputs = [
cups
gtkmm3
icu74
krb5
makeWrapper
openssl
pango
python312
xcb-util-cursor
xorg.xcbutilkeysyms
xorg.xcbutilwm
];
dontConfigure = true;
dontBuild = true;
dontWrapQTApps = true;
installPhase = ''
runhook preInstall
mkdir -p "$out"
cp -R usr/* "$out/"
wrapProgram "$out/bin/SecureCRT" --set QT_QPA_PLATFORM_PLUGIN_PATH "$out/lib/scrt/plugins/platforms"
runhook postInstall
'';
meta = with lib; {
homepage = "https://www.vandyke.com/products/securecrt/unix.html";
description = "Terminal emulator for computing professionals, with advanced session management";
license = {
free = false;
fullName = "Unknown / Custom";
};
platforms = with lib.platforms; linux ++ darwin ++ windows;
broken = !(stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64);
};
mainProgram = "SecureCRT";
}


@@ -1,44 +0,0 @@
[
{ # Sulu
publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
allowedIPs = [
"10.100.0.3/32"
];
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
{ # fa-t14-2025
publicKey = "UPpUVWQqOKT65MFym1sFDTstNmuynDYE4LOOtbWqEng=";
allowedIPs = [
"10.100.0.7/32"
];
}
{ # Turtle
publicKey = "mDzAtRPv+O5TDHa9DGodF/KKuFXRBYwSqfPyeWfdfRI=";
allowedIPs = [
"10.100.0.8/32"
];
}
{ # Amalies phone
publicKey = "Iqoq00e5rUNygmjOKmSPzvDTzvUdpxkpwVrD6UJXG2w=";
allowedIPs = [
"10.100.0.9/32"
];
}
]

219
flake.lock generated

@@ -1,28 +1,13 @@
{ {
"nodes": { "nodes": {
"extra-config": {
"locked": {
"lastModified": 1745649002,
"narHash": "sha256-XNBExt3+U3o4lip+yj6oorCEPZ9Qe8PzBSFM5ZzVtSA=",
"ref": "refs/heads/main",
"rev": "50c9c15db2b309d299b1c19089c962979e01f45b",
"revCount": 13,
"type": "git",
"url": "file:///home/felixalb/nix-extra-config"
},
"original": {
"type": "git",
"url": "file:///home/felixalb/nix-extra-config"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1747046372, "lastModified": 1673956053,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -36,11 +21,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1731533236, "lastModified": 1681202837,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -56,32 +41,30 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1764776959, "lastModified": 1703367386,
"narHash": "sha256-d+5CGloq7Lo1u2SkzhF8oiOdUc6Z5emh22nTXUB9CFA=", "narHash": "sha256-FMbm48UGrBfOWGt8+opuS+uLBLQlRfhiYXhHNcYMS5k=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e1680d594a9281651cbf7d126941a8c8e2396183", "rev": "d5824a76bc6bb93d1dce9ebbbcb09a9b6abcc224",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-25.11", "ref": "release-23.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"matrix-synapse-next": { "matrix-synapse-next": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs-lib": "nixpkgs-lib"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1765214213, "lastModified": 1701507532,
"narHash": "sha256-WSk8CTdIDFFP5VMJj9beve19nPMMdTsWnkCHVXqO/3E=", "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
"owner": "dali99", "owner": "dali99",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"rev": "82959f612ffd523a49c92f84358a9980a851747b", "rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -93,20 +76,20 @@
"nix-darwin": { "nix-darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs-darwin" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1764161084, "lastModified": 1703649338,
"narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=", "narHash": "sha256-n2MkBotGgTQsfB+wH09R+otBwYCvGCsnHX7eUMGkKL0=",
"owner": "nix-darwin", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "e95de00a471d07435e0527ff4db092c84998698e", "rev": "8a8321271f0835fae2cb195e1137cb381fdbcc8e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-darwin", "owner": "lnl7",
"ref": "nix-darwin-25.11", "ref": "master",
"repo": "nix-darwin", "repo": "nix-darwin",
"type": "github" "type": "github"
} }
@@ -115,16 +98,14 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": "nixpkgs"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1764813963, "lastModified": 1703812100,
"narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=", "narHash": "sha256-JN8qbWz6OPEEPwP+AmfAmlhPE19RqUqND6hGAeK2Od0=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "491200d6848402bbab1421cccbc15a46f08c7f78", "rev": "7d23e6f5635499a34d09950981cf42bb072f4fa2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -135,89 +116,92 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1764677808, "lastModified": 1698318101,
"narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=", "narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
"owner": "NixOS", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1aab89277eb2d87823d5b69bae631a2496cff57a", "rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "nixos",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-2211": {
"locked": {
"narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
}
},
"nixpkgs-darwin": {
"locked": {
"lastModified": 1764806471,
"narHash": "sha256-NsPsz003eWD8wp8vj5BnQzPoDyeQKRUfS2dvan2Y30M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-25.11-darwin",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1764667669,
"narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "418468ac9527e799809c900eda37cbff999199b6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": {
"locked": {
"lastModified": 1673743903,
"narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "7555e2dfcbac1533f047021f1744ac8871150f9f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1703351344,
"narHash": "sha256-9FEelzftkE9UaJ5nqxidaJJPEhe9TPhbypLHmc2Mysc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7790e078f8979a9fcd543f9a47427eeaba38f268",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1703467016,
"narHash": "sha256-/5A/dNPhbQx/Oa2d+Get174eNI3LERQ7u6WTWOlR1eQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d02d818f22c777aa4e854efc3242ec451e5d462a",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"extra-config": "extra-config",
"home-manager": "home-manager", "home-manager": "home-manager",
"matrix-synapse-next": "matrix-synapse-next", "matrix-synapse-next": "matrix-synapse-next",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-minecraft": "nix-minecraft", "nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"nixpkgs-2211": "nixpkgs-2211", "sops-nix": "sops-nix",
"nixpkgs-darwin": "nixpkgs-darwin", "unstable": "unstable",
"nixpkgs-unstable": "nixpkgs-unstable", "voyager-addons": "voyager-addons"
"sops-nix": "sops-nix"
} }
}, },
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ],
"nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1764483358, "lastModified": 1703387502,
"narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", "narHash": "sha256-JnWuQmyanPtF8c5yAEFXVWzaIlMxA3EAZCh8XNvnVqE=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "5aca6ff67264321d47856a2ed183729271107c9c", "rev": "e523e89763ff45f0a6cf15bcb1092636b1da9ed3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -240,6 +224,37 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"unstable": {
"locked": {
"lastModified": 1703438236,
"narHash": "sha256-aqVBq1u09yFhL7bj1/xyUeJjzr92fXVvQSSEx6AdB1M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5f64a12a728902226210bf01d25ec6cbb9d9265b",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"voyager-addons": {
"locked": {
"lastModified": 1704460893,
"narHash": "sha256-rK+GBsfkua1Ou4YHcpQciDOdeS3q23GfTit2SddgTv0=",
"ref": "refs/heads/main",
"rev": "238bcd33b3e2562fcf76f86348909990ddc3d6cc",
"revCount": 3,
"type": "git",
"url": "ssh://git@git.feal.no:2222/felixalb/voyager-addons.git"
},
"original": {
"type": "git",
"url": "ssh://git@git.feal.no:2222/felixalb/voyager-addons.git"
}
} }
}, },
"root": "root", "root": "root",

130
flake.nix

@@ -2,24 +2,19 @@
description = "Felixalb System flake"; description = "Felixalb System flake";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; # Remember to update ./common/auto-upgrade.nix nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-25.11-darwin"; unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11"; nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs-darwin"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager/release-25.11"; home-manager.url = "github:nix-community/home-manager/release-23.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: Lock to release matrix-synapse-next.url = "github:dali99/nixos-matrix-modules";
matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";
nix-minecraft.url = "github:Infinidoge/nix-minecraft"; nix-minecraft.url = "github:Infinidoge/nix-minecraft";
nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
extra-config.url = "git+file:///home/felixalb/nix-extra-config"; voyager-addons.url = "git+ssh://git@git.feal.no:2222/felixalb/voyager-addons.git";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@@ -32,97 +27,100 @@
, nix-minecraft , nix-minecraft
, nix-darwin , nix-darwin
, nixpkgs , nixpkgs
, nixpkgs-2211
, nixpkgs-darwin
, nixpkgs-unstable
, sops-nix , sops-nix
, extra-config , unstable
, voyager-addons
, ... }@inputs: , ... }@inputs:
let let
pkgs-overlay = final: prev: { overlay-unstable = final: prev: {
unstable = import nixpkgs-unstable { unstable = unstable.legacyPackages.${prev.system};
system = prev.system;
config.allowUnfree = true;
};
nixpkgs-2211 = import nixpkgs-2211 {
system = prev.system;
config.allowUnfree = true;
};
pwndbg-gdb-alias = prev.callPackage ./common/pwndbg-gdb-alias.nix { };
securecrt = prev.callPackage ./common/securecrt.nix { };
}; };
in in
{ {
nixosConfigurations = let nixosConfigurations = {
normalSys = name: hostConfig: nixpkgs.lib.nixosSystem { voyager = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; # TODO - Handle system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
({ config, pkgs, ... }: { # Overlays-module makes "pkgs.unstable" available in configuration.nix
# Make "pkgs.unstable" etc. available ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
nixpkgs.overlays = [ pkgs-overlay ] ++ hostConfig.overlays or [ ];
})
./hosts/${name}/configuration.nix ./hosts/voyager/configuration.nix
voyager-addons.nixosModules.default
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager { home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users = { home-manager.users."felixalb" = import ./hosts/voyager/home.nix;
"felixalb" = import ./hosts/${name}/home.nix;
} // hostConfig.home-manager-users or { };
} }
] ++ hostConfig.modules or [ ];
};
in {
# Media / storage server
challenger = normalSys "challenger" {
modules = [
extra-config.nixosModules.default
]; ];
}; };
defiant = nixpkgs.lib.nixosSystem {
# General application server system = "x86_64-linux";
defiant = normalSys "defiant" { specialArgs = {
inherit inputs;
};
modules = [ modules = [
./common/domeneshop-dyndns.nix # Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./hosts/defiant/configuration.nix
sops-nix.nixosModules.sops
matrix-synapse-next.nixosModules.default matrix-synapse-next.nixosModules.default
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/defiant/home.nix;
}
]; ];
}; };
edison = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
# Work laptop ./hosts/edison/configuration.nix
fa-t14-2025 = normalSys "fa-t14-2025" { }; sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager {
# Web host home-manager.useGlobalPkgs = true;
leonard = normalSys "leonard" { }; home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/edison/home.nix;
# General application server }
morn = normalSys "morn" { }; ];
};
# Home desktop redshirt = nixpkgs.lib.nixosSystem {
sisko = normalSys "sisko" { }; system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
./hosts/redshirt/configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
sops-nix.nixosModules.sops
];
};
}; };
# Daily driver macbook
darwinConfigurations.worf = nix-darwin.lib.darwinSystem { darwinConfigurations.worf = nix-darwin.lib.darwinSystem {
system = "aarch64-darwin"; system = "aarch64-darwin";
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
./hosts/worf/configuration.nix ./hosts/worf/configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
home-manager.darwinModules.home-manager { home-manager.darwinModules.home-manager {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/worf/home.nix; home-manager.users."felixalb" = import ./hosts/worf/home.nix;
} }
# sops-nix.nixosModules.sops
]; ];
}; };
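Review bot: `nix-darwin.url = "github:lnl7/nix-darwin/master";` on the new side tracks a moving branch, and `matrix-synapse-next.url` and `sops-nix.url` name no ref at all, so flake.lock pins a revision today but every `nix flake update` moves all three to whatever upstream HEAD happens to be, with no deliberate choice of what lands in the next rebuild. Pin each to a release branch or tag where upstream offers one, the way `home-manager` already uses `release-23.11`, and treat the lock diff as part of the review on update. As far as I can tell the overlay line `unstable = unstable.legacyPackages.${prev.system};` also carries no `config.allowUnfree`, so unfree packages taken from `pkgs.unstable` will be refused even on hosts that allow them for the main `nixpkgs`; a comment saying whether that is intended would save the next reader a failed build.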


@@ -9,17 +9,14 @@
window = { window = {
padding = { padding = {
x = 8; x = 4;
y = 2; y = 4;
}; };
dynamic_padding = true;
dynamic_title = true;
decorations = "none"; # full/none/transparent/buttonless decorations = "none"; # full/none/transparent/buttonless
# Transparency: # Transparency:
opacity = lib.mkDefault 0.95; # opacity = 0.95;
}; };
scrolling = { scrolling = {
@@ -47,37 +44,10 @@
size = 14; size = 14;
}; };
draw_bold_text_with_bright_colors = true;
colors = { colors = {
draw_bold_text_with_bright_colors = true; # # Tomorrow Night Bright
# # gruvbox_material_medium_dark
# primary = {
# background = "0x282828";
# foreground = "0xd4be98";
# };
# normal = {
# black = "0x3c3836";
# red = "0xea6962";
# green = "0xa9b665";
# yellow = "0xd8a657";
# blue = "0x7daea3";
# magenta = "0xd3869b";
# cyan = "0x89b482";
# white = "0xd4be98";
# };
# bright = {
# black = "0x3c3836";
# red = "0xea6962";
# green = "0xa9b665";
# yellow = "0xd8a657";
# blue = "0x7daea3";
# magenta = "0xd3869b";
# cyan = "0x89b482";
# white = "0xd4be98";
# };
# # # Tomorrow Night Bright
# primary = { # primary = {
# background = "0x141414"; # background = "0x141414";
# foreground = "0xeaeaea"; # foreground = "0xeaeaea";
@@ -110,7 +80,6 @@
# white = "0xffffff"; # white = "0xffffff";
# }; # };
# Nord: # Nord:
primary = { primary = {
background = "0x2e3440"; background = "0x2e3440";
@@ -179,10 +148,10 @@
# indexed_colors: [] # indexed_colors: []
}; };
bell = { visual_bell = {
animation = "Ease"; animation = "EaseOutExpo";
color = "0xffffff"; color = "0xffffff";
duration = 100; duration = 200;
}; };
# Key bindings # Key bindings
@@ -337,19 +306,29 @@
# - { key: Delete, chars: "\x1b[3~" } # - { key: Delete, chars: "\x1b[3~" }
mouse = {
double_click = { threshold = 300; };
triple_click = { threshold = 300; };
hide_when_typing = false;
};
selection = { selection = {
semantic_escape_chars = ",`|:\"' ()[]{}<>"; semantic_escape_chars = ",`|:\"' ()[]{}<>";
save_to_clipboard = false; save_to_clipboard = false;
}; };
mouse_bindings = [
{ mouse = "Middle"; action = "PasteSelection"; }
];
cursor = { cursor = {
style = { style = "Block";
shape = "Block"; blinking = true;
blinking = "on";
};
unfocused_hollow = true; unfocused_hollow = true;
}; };
dynamic_title = true;
}; };
}; };
} }


@@ -1,43 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../alacritty.nix
];
home = {
packages = with pkgs; [
papers
kitty
pavucontrol
# Window Manager Extras
bibata-cursors
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
networkmanager
swaynotificationcenter
waybar
wl-clipboard
];
sessionVariables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
};
programs = {
alacritty = {
enable = true;
settings.window.opacity = 0.92;
};
firefox.enable = true;
wofi.enable = true;
};
home.stateVersion = "24.11";
}


@@ -1,38 +1,19 @@
{ pkgs, lib, ... }: { pkgs, ... }:
{ {
imports = [ imports = [
./neovim.nix ./neovim.nix
./zsh.nix ./zsh.nix
]; ];
home = {
packages = with pkgs; [
bat
bottom
# ncdu
neofetch
pwgen
sshfs
sshuttle
];
sessionVariables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
};
programs.nix-index = { programs.nix-index = {
enable = true; enable = true;
enableZshIntegration = true; enableZshIntegration = true;
}; };
programs.fzf.enable = true;
programs.git = { programs.git = {
enable = true; enable = true;
settings = { extraConfig = {
pull.rebase = true; pull.rebase = true;
push.autoSetupRemote = true; push.autoSetupRemote = true;
color.ui = "auto"; color.ui = "auto";
@@ -41,10 +22,7 @@
user = { user = {
name = "Felix Albrigtsen"; name = "Felix Albrigtsen";
email = lib.mkDefault "felix@albrigtsen.it"; email = "felix@albrigtsen.it";
};
safe = {
directory = "/config";
}; };
}; };
ignores = [ ignores = [
@@ -55,15 +33,4 @@
]; ];
}; };
programs.tmux = {
enable = true;
sensibleOnTop = true;
baseIndex = 1;
clock24 = true;
keyMode = "vi";
mouse = true;
terminal = "screen-256color";
};
} }


@@ -21,6 +21,7 @@ in {
telescope-nvim telescope-nvim
nvim-lspconfig nvim-lspconfig
copilot-vim
nvim-treesitter nvim-treesitter
coc-css coc-css
@@ -28,9 +29,9 @@ in {
coc-html coc-html
coc-json coc-json
coc-nvim coc-nvim
coc-pyright
vim-nix vim-nix
vim-puppet
]; ];
withNodeJs = true; withNodeJs = true;
@@ -50,7 +51,7 @@ in {
" Integrate status with lightline " Integrate status with lightline
let g:lightline = { let g:lightline = {
\ 'active': { \ 'active': {
\ 'left': [[ 'mode', 'paste', 'filename', 'readonly', 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]] \ 'left': [[ 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]]
\ } \ }
\ } \ }
@@ -97,16 +98,11 @@ in {
" Nerdtree-settings " Nerdtree-settings
" Toggle nerdtree on Ctrl+t " Toggle nerdtree on Ctrl+t
nmap <silent> <C-t> :NERDTreeToggle<CR> nmap <silent> <C-t> :NERDTreeToggle<CR>
autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
autocmd VimEnter * wincmd p " Unselect nerdtree window
" Close vim is Nerdtree is the only buffer left " Close vim is Nerdtree is the only buffer left
autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif
if empty($AERC_ACCOUNT) && empty($MOZ_APP_LAUNCHER)
autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
autocmd VimEnter * wincmd p " Unselect nerdtree window
endif
autocmd Filetype go setlocal expandtab tabstop=4 shiftwidth=4 softtabstop=4
" List and switch buffers on Ctrl+k " List and switch buffers on Ctrl+k
" nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space> " nnoremap <C-k> :set nomore <Bar> :ls <Bar> :set more <CR>:b<Space>
nnoremap <silent> <C-k> !echo "Did you mean C-a?"<CR> nnoremap <silent> <C-k> !echo "Did you mean C-a?"<CR>
@@ -120,18 +116,12 @@ in {
nnoremap <C-s> <cmd>Telescope find_files<cr> nnoremap <C-s> <cmd>Telescope find_files<cr>
nnoremap <C-g> <cmd>Telescope live_grep<cr> nnoremap <C-g> <cmd>Telescope live_grep<cr>
" Don't darken the background
autocmd VimEnter * highlight normal ctermbg=NONE guibg=NONE
" Show trailing whitespace " Show trailing whitespace
highlight ExtraWhitespace ctermbg=red guibg=red highlight ExtraWhitespace ctermbg=red guibg=red
match ExtraWhitespace /\s\+$/ match ExtraWhitespace /\s\+$/
" Disable search highlights " Disable search highlights
map <Leader><Space> :noh<CR> map <Leader><Space> :noh<CR>
" Start with Coc disabled
" autocmd VimEnter * CocDisable
''; '';
}; };
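Review bot: `copilot-vim` joins the plugin list on the new side without any filetype restriction, and the plugin sends the contents of edited buffers to a remote completion service; if nvim is also the editor that `sops` opens decrypted secrets in, the plaintext of those files leaves the machine as a side effect of editing them. Consider restricting it in the init block, e.g. `let g:copilot_filetypes = { 'yaml': v:false }` for whichever filetypes the secret files use, or make the habit of `:Copilot disable` before editing secret material explicit in a comment next to the plugin. The plugin list and the init string both begin and end outside the hunks shown here.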


@@ -2,7 +2,6 @@
programs = { programs = {
zsh = { zsh = {
enable = true; enable = true;
history.extended = true;
prezto = { prezto = {
enable = true; enable = true;
@@ -22,7 +21,6 @@
"terminal" "terminal"
"editor" "editor"
"history" "history"
"history-substring-search"
# "directory" # "directory"
"spectrum" "spectrum"
# "utility" # "utility"
@@ -30,39 +28,32 @@
"git" "git"
"autosuggestions" "autosuggestions"
"syntax-highlighting" "syntax-highlighting"
"history-substring-search"
"prompt" "prompt"
]; ];
}; };
initContent = '' initExtra = ''
# Autocomplete ../ # Autocomplete ../
zstyle ':completion:*' special-dirs true zstyle ':completion:*' special-dirs true
export PATH="$HOME/.config/emacs/bin:$HOME/.cargo/bin:$PATH" export PATH="$HOME/.config/emacs/bin:$PATH"
unalias "gs" unalias "gs"
if [ -f ~/.config/zsh-extras ]; then
source ~/.config/zsh-extras
fi
''; '';
shellAliases = { shellAliases = {
c = "z";
em = "emacsclient -c";
emnw = "emacsclient -nw";
grep = "grep --color=auto";
l = "exa -l"; l = "exa -l";
ls = "ls --color=auto"; c = "z";
nd = "nix develop --command zsh"; tree = "exa --tree --icons";
s = "nix-shell --run zsh"; s = "nix-shell --run zsh";
sp = "nix-shell --run zsh -p"; sp = "nix-shell --run zsh -p";
spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p"; spu = "nix-shell -I nixpkgs=channel:nixos-unstable --run zsh -p";
tree = "exa --tree --icons"; em = "emacsclient -c";
emnw = "emacsclient -nw";
"git clone git clone" = "git clone";
gcm = "git commit -m";
gpl = "git pull";
gps = "git push";
gst = "git status -sb"; gst = "git status -sb";
gcm = "git commit -m";
gps = "git push";
gpl = "git pull";
"git clone git clone" = "git clone";
}; };
}; };


@@ -1,37 +0,0 @@
{ config, pkgs, lib, ... }:
let
cmdChownManga = pkgs.writeScriptBin "chownManga" ''
#!${pkgs.stdenv.shell}
chown -R amalieem:komga /tank/media/komga/Amalie
chmod -R 750 /tank/media/komga/Amalie
'';
in {
users.users."amalieem" = {
isNormalUser = true;
home = "/home/amalieem";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7e+BAoXIFmTeeBYAVImQAcyx6SCoYCErA7h16OGL70 amalieem@wentworth"
];
packages = with pkgs; [
cmdChownManga
mangal
rsync
];
};
security.sudo = {
enable = true;
extraRules = [{
commands = [
{
command = "${lib.getExe cmdChownManga}";
options = [ "NOPASSWD" ];
}
];
users = [ "amalieem" ];
}];
};
}


@@ -1,84 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.restic.backups = let
localJob = name: paths: {
inherit paths;
repository = "/mnt/feal-syn1/backup/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
"--keep-yearly 10"
];
};
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in {
# Calibre metadata and config
calibre = localJob "calibre" [
"/var/lib/calibre-web"
"/var/lib/calibre-server"
];
# Other system backups (NB: Large!)
hostBackups = localJob "hostBackups" [
"/tank/backup"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
media = localJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
];
media-remote = cloudJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
# Nextcloud config and data
nextcloud = localJob "nextcloud" [ "/tank/nextcloud" ];
nextcloud-remote = cloudJob "nextcloud" [ "/tank/nextcloud" ];
# Postgresql databases
postgres = (localJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
postgres-remote = (cloudJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
# Transmission metadata/config
transmission = localJob "transmission" [ "/var/lib/transmission" ];
# TODO: timemachine
};
sops.secrets."restic/calibre" = { };
sops.secrets."restic/hostBackups" = { };
sops.secrets."restic/media" = { };
sops.secrets."restic/nextcloud" = { };
sops.secrets."restic/postgres" = { };
sops.secrets."restic/transmission" = { };
environment.systemPackages = with pkgs; [
restic
];
}


@@ -1,65 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
./hardware-configuration.nix
../../base.nix
../../common/metrics-exporters.nix
./amalieem.nix
./backup.nix
# ./exports.nix
./filesystems.nix
# ./services/archivebox.nix
./services/audiobookshelf.nix
./services/calibre.nix
./services/jellyfin.nix
./services/komga.nix
./services/nextcloud.nix
./services/nginx.nix
./services/postgres.nix
./services/timemachine.nix
];
networking = {
hostName = "challenger";
bridges.br0.interfaces = [ "ens18" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.10.161"; prefixLength = 24; }
];
hostId = "828ab735";
defaultGateway = "192.168.10.1";
};
sops.defaultSopsFile = ../../secrets/challenger/challenger.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
security.polkit.enable = true; # Required for nextcloud
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
];
hardware.nvidia = {
modesetting.enable = true;
open = false;
};
hardware.graphics.enable = true;
services.xserver.videoDrivers = ["nvidia"];
system.stateVersion = "24.05";
}


@@ -1,21 +0,0 @@
{ config, pkgs, lib, ... }:
{
fileSystems = {
"/export/riker-backup" = {
device = "/tank/backup/riker";
options = [ "bind" ];
};
};
# Enable nfs4 only
# services.nfs.server = {
# enable = true;
# exports = ''
# /export 192.168.10.67(rw,fsid=0,no_subtree_check)
# /export/riker-backup 192.168.10.67(rw,nohide,no_subtree_check,no_root_squash)
# '';
# };
# networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
# networking.firewall.allowedUDPPorts = [ 111 20048];
}


@@ -1,48 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
environment.systemPackages = with pkgs; [ cifs-utils ];
# Local zfs
boot = {
zfs = {
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems = [ "zfs" ];
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
fileSystems = {
"/mnt/feal-syn1/backup" = {
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.10.162:/volume2/backup";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
"/mnt/feal-syn2/backup" = {
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.11.163:/volume1/challenger";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
};
}


@@ -1,39 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7101364b-9056-4309-afeb-3c17b220684f";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/FDCE-A287";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ {
device = "/swapfile";
size = 16*1024;
} ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
# networking.interfaces.idrac.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,12 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "24.05";
}


@@ -1,35 +0,0 @@
{ config, lib, ... }:
let
host = "127.0.1.2";
port = "5009";
uid = 911;
gid = 911;
in {
users.users.archivebox = {
inherit uid;
group = "archivebox";
isSystemUser = true;
useDefaultShell = true;
description = "ArchiveBox web archiving tool";
};
users.groups.archivebox = {
inherit gid;
};
# ArchiveBox - Open source self-hosted web archiving.
virtualisation.oci-containers.containers.archivebox = {
image = "archivebox/archivebox:0.8.5rc50";
ports = [ "${host}:${port}:8000" ];
volumes = [
"/tank/archivebox:/data"
];
};
services.nginx.virtualHosts."archivebox.home.feal.no" = {
locations."/" = {
proxyPass = "http://${host}:${port}";
};
};
}


@@ -1,57 +0,0 @@
{ config, lib, pkgs, ... }:
let
domain = "audiobooks.home.feal.no";
host = "127.0.1.2";
port = 5016;
in {
fileSystems = {
"/var/lib/audiobookshelf" = {
device = "/tank/media/audiobookshelf/config";
options = [ "bind" ];
};
};
services.audiobookshelf = {
enable = true;
dataDir = "audiobookshelf";
inherit host port;
};
systemd.services.audiobookshelf = {
requires = [ "var-lib-audiobookshelf.mount" ];
serviceConfig = {
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [
"/var/lib/audiobookshelf"
"/tank/media/audiobookshelf"
];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
};
};
services.nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
proxyWebsockets = true;
};
};
}


@@ -1,35 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Jellyfin - Media Streaming platform
services.jellyfin.enable = true;
users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
services.nginx.virtualHosts."jellyfin.home.feal.no" = {
serverAliases = [ "jf.feal.no" ];
locations = {
"= /" = {
return = "302 http://$host/web/";
};
"/" = {
proxyPass = "http://127.0.0.1:8096";
extraConfig = ''
proxy_buffering off;
'';
};
"/socket" = {
proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true;
};
};
extraConfig = ''
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
'';
};
}


@@ -1,21 +0,0 @@
{ config, lib, pkgs, ... }:
let
domain = "komga.home.feal.no";
port = 5001;
in {
services.komga = {
enable = true;
stateDir = "/tank/media/komga";
settings.server = {
inherit port;
};
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://127.0.0.1:${toString port}";
extraConfig = ''
client_max_body_size 512M;
'';
};
}


@@ -1,154 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.nextcloud;
hostName = "cloud.feal.no";
in {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud32;
inherit hostName;
home = "/tank/nextcloud";
https = true;
webfinger = true;
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "ncadmin";
adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
};
settings = {
default_phone_region = "NO";
log_type = "file";
overwriteprotocol = "https";
trusted_proxies = [ "192.168.10.175" ]; # defiant
# Docs: https://github.com/pulsejet/nextcloud-oidc-login
oidc_login_auto_redirect = true;
oidc_login_button_text = "Log in with KeyCloak";
oidc_login_client_id = "nextcloud";
oidc_login_client_secret = "dont_put_secrets_here_use_secretFile";
oidc_login_code_challenge_method = "S256";
oidc_login_end_session_redirect' = true;
oidc_login_logout_url = "https://cloud.feal.no/apps/oidc_login/oidc";
oidc_login_provider_url = "https://iam.feal.no/realms/feal.no";
oidc_login_redir_fallback = true;
oidc_login_attributes = {
id = "preferred_username";
mail = "email";
name = "name";
login_filter = "nextcloud-roles";
};
oidc_login_filter_allowed_values = [ "nextcloud-user" ];
oidc_login_disable_registration = false;
"memories.exiftool" = pkgs.writeShellScript "exiftool-perl" ''
${lib.getExe pkgs.perl} ${cfg.home}/store-apps/memories/bin-ext/exiftool/exiftool "$@"
'';
"memories.exiftool_no_local" = false;
"memories.vod.disable" = false;
"memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}";
"memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
preview_ffmpeg_path = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
};
secretFile = config.sops.secrets."nextcloud/secretsjson".path;
phpOptions = {
"opcache.interned_strings_buffer" = "16";
"upload_max_filesize" = lib.mkForce "8G";
"post_max_size" = lib.mkForce "8G";
"memory_limit" = lib.mkForce "8G";
};
poolSettings = {
"pm" = "ondemand";
"pm.max_children" = 32;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 500;
};
};
environment.systemPackages = [
cfg.occ # "occ CMD" in the docs -> "sudo -u nextcloud nextcloud-occ CMD"
pkgs.nodejs_20 # For Recognize; Put /run/current-system/sw/bin/node in the "node_binary" field in the web UI -> Memories
];
sops.secrets."nextcloud/adminpass" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
sops.secrets."nextcloud/secretsjson" = {
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
services.postgresql = {
ensureDatabases = [ "nextcloud" ];
ensureUsers = [ {
name = "nextcloud";
ensureDBOwnership = true;
} ];
};
systemd.services.nextcloud-cron = {
path = with pkgs; [
exiftool
ffmpeg-headless
];
};
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
systemd.services."phpfpm-nextcloud" = {
requires = [ "tank-nextcloud.mount" ];
path = with pkgs; [
# perl
# perlPackages.ImageExifTool
exiftool
ffmpeg-headless
];
serviceConfig = {
PrivateDevices = lib.mkForce false;
WorkingDirectory = "/tank/nextcloud";
NoNewPrivileges = true;
PrivateMounts = true;
PrivateTmp = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
InaccessiblePaths = [ "/tank/media" "/tank/backup" ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
CapabilityBoundingSet = "~CAP_FSETID ~CAP_SETFCAP ~CAP_SETUID ~CAP_SETGID ~CAP_SETPCAP ~CAP_NET_ADMIN ~CAP_SYS_ADMIN ~CAP_SYS_PTRACE ";
};
};
# Notes:
# - Install Memories and Recognize from the app store
# - They might need to be forced on with "nextcloud-occ app:enable memories", etc.
# - Run "nextcloud-occ maintenance:repair" to fix broken paths
# - Download ai models and maps with the commands given in the ui
# - libtensorflow doesn't work properly through node, but recognize still works(?)
}


@@ -1,50 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.restic.backups = let
localJob = name: paths: {
inherit paths;
repository = "/mnt/feal-syn1/backup/defiant/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
"--keep-daily 3"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/defiant/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in {
postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
gitea-remote = (cloudJob "gitea" [ "/tank/services/gitea" ]);
matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
matrix-synapse-remote = (cloudJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
vaultwarden-remote = (cloudJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
};
# TODO: home-assistant, pihole
sops.secrets."restic/postgres" = { };
sops.secrets."restic/gitea" = { };
sops.secrets."restic/matrix-synapse" = { };
sops.secrets."restic/vaultwarden" = { };
}


@@ -5,29 +5,18 @@
[ [
../../base.nix ../../base.nix
../../common/metrics-exporters.nix ../../common/metrics-exporters.nix
./filesystems.nix
./hardware-configuration.nix ./hardware-configuration.nix
# Infrastructure
./backup.nix
./libvirt.nix
./services/dyndns.nix
./services/nginx.nix ./services/nginx.nix
./services/pihole.nix ./services/pihole.nix
./services/postgresql.nix ./services/postgresql.nix
./services/wireguard.nix
# Services ./services/flame.nix
./services/gitea.nix ./services/gitea.nix
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/home-assistant.nix ./services/matrix-synapse.nix
./services/keycloak.nix ./services/metrics
./services/matrix ./services/minecraft.nix
./services/microbin.nix
# ./services/minecraft/home.nix
./services/monitoring
# ./services/rtl-tcp.nix
# ./services/searx.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
]; ];
@@ -45,6 +34,16 @@
sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml; sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
environment.variables = { EDITOR = "vim"; }; environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.prometheus.exporters.zfs.enable = true;
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker"; virtualisation.oci-containers.backend = "docker";
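Review bot: `services.prometheus.exporters.zfs.enable = true;` is switched on inline in configuration.nix on the new side, while the host already imports `../../common/metrics-exporters.nix` and `./services/metrics`; keeping every exporter in one of those places keeps the set of listening ports, and the firewall rules that go with them, reviewable together. The line `kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` also deserves a why-comment, e.g. `# Newest kernel the ZFS module builds against; can change the kernel major on upgrade`, since it will move the kernel under the host without any edit to this file. The imports list and the surrounding attribute set both continue outside the hunks shown.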


@@ -1,30 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
};
services.prometheus.exporters.zfs.enable = true;
environment.systemPackages = with pkgs; [
cifs-utils
zfs
];
fileSystems = {
"/mnt/feal-syn1/backup" = {
device = "192.168.10.162:/volume2/backup";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
};
}


@@ -1,5 +1,11 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
{ {
home.packages = with pkgs; [
bat
bottom
ncdu
neofetch
];
imports = [ imports = [
./../../home/base.nix ./../../home/base.nix
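Review bot: `home.packages = with pkgs; [ ... ];` on the new side is declared above `imports`, while every other module in this compare opens with its `imports` block; moving the package list below the imports keeps the file consistent with the rest of the repository. Purely a point of style; the imports list continues outside the hunk.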


@@ -1,18 +0,0 @@
{ config, pkgs, lib, ... }:
{
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
boot.extraModprobeConfig = "options kvm_amd nested=1";
boot.kernelModules = [ "kvm-amd" "kvm-intel" ];
users.users.felixalb.extraGroups = [ "libvirtd" ];
fileSystems."/var/lib/libvirt/images" = {
device = "/tank/iso";
options = [ "bind" ];
};
# On a gui-enabled machine, connect with:
# $ virt-manager --connect "qemu+ssh://defiant/system?socket=/var/run/libvirt/libvirt-sock"
}


@@ -1,11 +0,0 @@
{ config, pkgs, lib, ... }:
{
sops.secrets."domeneshop/netrc" = { };
services.domeneshop-dyndns = {
enable = true;
domain = "site3.feal.no";
netrcFile = config.sops.secrets."domeneshop/netrc".path;
};
}


@@ -0,0 +1,22 @@
{ config, pkgs, lib, ... }:
let
domain = "flame.home.feal.no";
host = "127.0.1.2";
port = "5005";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
flame = {
image = "pawelmalak/flame";
ports = [ "${host}:${port}:5005" ];
volumes = [
"/var/lib/flame/data:/app/data/"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${host}:${port}";
};
}
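Review bot: `image = "pawelmalak/flame";` in the new file carries no tag or digest, so every pull resolves to whatever `latest` is at that moment and a routine rebuild can replace the running code without any change in this repository; pin it, e.g. `image = "pawelmalak/flame:<TAG>";` (placeholder) or, better, the `@sha256:` digest of the image that was actually tested. Binding to `${host}:${port}` on a loopback address and fronting it with nginx is the right shape. The bind mount `/var/lib/flame/data` holds the dashboard's state and is not covered by any backup job visible in this compare; a one-line comment saying whether that is deliberate would help.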


@@ -36,6 +36,7 @@ in {
OPENID_CONNECT_SCOPES = "email profile openid"; OPENID_CONNECT_SCOPES = "email profile openid";
UPDATE_AVATAR = true; UPDATE_AVATAR = true;
ACCOUNT_LINKING = "auto"; ACCOUNT_LINKING = "auto";
USERNAME = "email";
}; };
log.LEVEL = "Info"; log.LEVEL = "Info";
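Review bot: `USERNAME = "email";` changes how the OAuth2 login derives the Gitea username, and next to the pre-existing `ACCOUNT_LINKING = "auto";` it means a first login from the IdP is matched to an existing local account by the identity the IdP reports; if I read the Gitea semantics right, that is only safe when the IdP guarantees verified, unique email addresses for every account it issues. A comment beside these two lines, e.g. `# Linking/usernames are keyed on the IdP's email claim; relies on the IdP verifying emails`, would make that trust assumption explicit for the next reader. The enclosing settings attrset starts and ends outside the hunk.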
@@ -44,16 +45,18 @@ in {
ui = { ui = {
THEMES="gitea,arc-green,nord"; THEMES="gitea,arc-green,nord";
#DEFAULT_THEME="nord"; DEFAULT_THEME="nord";
}; };
}; };
# TODO: configure mailer # TODO:
# - Backup
# - services.gitea.dump?
# - ZFS snapshots?
# - configure mailer
}; };
systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work"; systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work";
services.postgresqlBackup.databases = [ "gitea" ];
networking.firewall.allowedTCPPorts = [ sshPort ]; networking.firewall.allowedTCPPorts = [ sshPort ];
} }


@@ -4,7 +4,7 @@ let
domain = "md.feal.no"; domain = "md.feal.no";
port = 3300; port = 3300;
host = "127.0.1.2"; host = "127.0.1.2";
authServerUrl = "https://iam.feal.no"; authServerUrl = "https://auth.feal.no";
in { in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = { sops.secrets."hedgedoc/env" = {
@@ -21,8 +21,9 @@ in {
allowFreeURL = true; allowFreeURL = true;
allowAnonymous = false; allowAnonymous = false;
allowAnonymousEdits = true; allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
# dbURL = "postgres://hedgedoc@localhost/hedgedoc";
db = { db = {
username = "hedgedoc"; username = "hedgedoc";
database = "hedgedoc"; database = "hedgedoc";
@@ -31,23 +32,20 @@ in {
}; };
email = false; email = false;
oauth2 = let oauth2 = {
oidc = "${authServerUrl}/realms/feal.no/protocol/openid-connect"; baseURL = "${authServerUrl}/oauth2";
in { tokenURL = "${authServerUrl}/oauth2/token";
providerName = "Keycloak"; authorizationURL = "${authServerUrl}/ui/oauth2";
authorizationURL = "${oidc}/auth"; userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
baseURL = "${authServerUrl}";
tokenURL = "${oidc}/token";
userProfileURL = "${oidc}/userinfo";
clientID = "hedgedoc"; clientID = "hedgedoc";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile"; scope = "openid email profile";
userProfileDisplayNameAttr = "name"; userProfileUsernameAttr = "name";
userProfileEmailAttr = "email"; userProfileEmailAttr = "email";
userProfileUsernameAttr = "preferred_username"; userProfileDisplayNameAttr = "displayname";
rolesClaim = "hedgedoc-roles";
accessRole = "hedgedoc-user"; providerName = "KaniDM";
}; };
}; };
}; };
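Review bot: The new `oauth2` block drops the `rolesClaim`/`accessRole` pair, so HedgeDoc itself no longer restricts sign-in to a role and any account the IdP issues a token for can log in; whether the KaniDM client behind `userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo"` is limited to a group is not visible here, so that is the control to confirm. `userProfileUsernameAttr = "name";` also keys HedgeDoc usernames on the `name` claim rather than a stable identifier, and if that claim is user-editable at the IdP two accounts could collide on it. A comment such as `# Access is gated at the IdP (KaniDM client/scope config), not in HedgeDoc` would record where the check now lives. The enclosing settings attrset starts outside the hunk.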
@@ -55,6 +53,7 @@ in {
systemd.services.hedgedoc = { systemd.services.hedgedoc = {
requires = [ requires = [
"postgresql.service" "postgresql.service"
# "kanidm.service"
]; ];
serviceConfig = let serviceConfig = let
workDir = "/var/lib/hedgedoc"; workDir = "/var/lib/hedgedoc";
@@ -96,8 +95,6 @@ in {
}]; }];
}; };
services.postgresqlBackup.databases = [ "hedgedoc" ];
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }


@@ -1,41 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "ha.home.feal.no";
in {
# Home-assistant - Smart Home Controller
# https://www.home-assistant.io/installation/linux#install-home-assistant-container
# The container is supposed to run as "privileged", but I believe this is only to allow device access (dongles/radios/etc.)
virtualisation.oci-containers.containers = {
homeassistant = {
image = "ghcr.io/home-assistant/home-assistant:2025.5.3";
extraOptions = [
"--network=host"
"--device=/dev/ttyUSB0" # Sonoff Zigbee 3.0 USB
];
volumes = [
"/tank/services/homeassistant/config:/config"
];
environment = {
TZ = "Europe/Oslo";
};
};
};
# Requires addition to configuration.yaml:
# http:
# server_host: 127.0.0.1
# use_x_forwarded_for: true
# trusted_proxies: 127.0.0.1
services.nginx.virtualHosts."${domain}" = {
locations."/" = {
proxyPass = "http://127.0.0.1:8123";
proxyWebsockets = true;
};
listen = [
{ addr = "192.168.10.175"; port = 80; ssl = false; }
{ addr = "192.168.10.175"; port = 8123; ssl = false; }
];
};
}


@@ -1,33 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.keycloak.settings;
hostname = "iam.feal.no";
in {
sops.secrets."keycloak/postgres" = { };
services.keycloak = {
enable = true;
database = {
type = "postgresql";
createLocally = true;
username = "keycloak";
passwordFile = config.sops.secrets."keycloak/postgres".path;
};
settings = {
cache = "local";
hostname = "https://${hostname}";
hostname-backchannel-dynamic = false;
http-enabled = true;
http-host = "127.0.1.2";
http-port = 5060;
proxy-headers = "xforwarded";
};
};
# The main reverse proxy is defined in ./nginx.nix
services.nginx.virtualHosts.${hostname} = {
locations."= /".return = "302 ${cfg.hostname}/realms/feal.no/account";
};
}


@@ -6,12 +6,6 @@
group = "matrix-synapse"; group = "matrix-synapse";
}; };
sops.secrets."matrix/synapse/oidcsecret" = {
restartUnits = [ "matrix-synapse.service" ];
owner = "matrix-synapse";
group = "matrix-synapse";
};
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;
enableNginx = true; enableNginx = true;
@@ -75,34 +69,11 @@
tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt"; tls_certificate_path = "/etc/ssl-snakeoil/matrix_feal_no.crt";
tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key"; tls_private_key_path = "/etc/ssl-snakeoil/matrix_feal_no.key";
enableSlidingSync = true;
oidc_providers = [
{
idp_id = "keycloak";
idp_name = "Keycloak";
issuer = "https://iam.feal.no/realms/feal.no";
client_id = "matrix-synapse";
client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path;
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}";
};
attribute_requirements = [{
attribute = "matrix-roles";
value = "matrix-user";
}];
backchannel_logout_enabled = true;
enable_registration = false;
}
];
}; };
}; };
services.redis.servers."".enable = true; services.redis.servers."".enable = true;
services.postgresqlBackup.databases = [ "matrix-synapse" ];
services.nginx.virtualHosts."matrix.feal.no" = { services.nginx.virtualHosts."matrix.feal.no" = {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }


@@ -1,14 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "matrix-admin.home.feal.no";
# backend = "http://127.0.0.1:8008";
backend = "http://unix:/run/matrix-synapse/matrix-synapse.sock";
synapse-admin = pkgs.callPackage ./adminPkg.nix { };
in {
services.nginx.virtualHosts."${domain}" = {
locations."/".root = "${synapse-admin}";
locations."/_synapse".proxyPass = "${backend}";
locations."/_matrix".proxyPass = "${backend}";
};
}


@@ -1,14 +0,0 @@
{ lib, stdenvNoCC, fetchzip }:
stdenvNoCC.mkDerivation rec {
name = "synapse-admin";
version = "0.8.7";
src = fetchzip {
url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/${version}/synapse-admin-${version}-dirty.tar.gz";
hash = "sha256-maaiU9ilmzE5lV9Ofjpli4g08/UcgZ82FaIMRrfOy7s=";
};
phases = [ "installPhase" ];
installPhase = ''
cp -r $src $out
'';
}


@@ -1,8 +0,0 @@
{ ... }:
{
imports = [
./synapse.nix
./admin.nix
];
}



@@ -6,6 +6,5 @@
./grafana.nix ./grafana.nix
./loki.nix ./loki.nix
./snmp-exporter.nix ./snmp-exporter.nix
./uptime-kuma.nix
]; ];
} }


@@ -44,6 +44,12 @@ in {
url = "https://grafana.com/api/dashboards/14284/revisions/9/download"; url = "https://grafana.com/api/dashboards/14284/revisions/9/download";
options.path = dashboards/synology-nas-details.json; options.path = dashboards/synology-nas-details.json;
} }
{
name = "OpenWRT";
type = "file";
url = "https://grafana.com/api/dashboards/11147/revisions/1/download";
options.path = dashboards/openwrt.json;
}
]; ];
}; };
}; };


@@ -51,6 +51,7 @@ in {
boltdb_shipper = { boltdb_shipper = {
active_index_directory = "${saveDirectory}/boltdb-shipper-index"; active_index_directory = "${saveDirectory}/boltdb-shipper-index";
cache_location = "${saveDirectory}/boltdb-shipper-cache"; cache_location = "${saveDirectory}/boltdb-shipper-cache";
shared_store = "filesystem";
cache_ttl = "24h"; cache_ttl = "24h";
}; };
filesystem = { filesystem = {
@@ -59,18 +60,15 @@ in {
}; };
limits_config = { limits_config = {
allow_structured_metadata = false; enforce_metric_name = false;
reject_old_samples = true; reject_old_samples = true;
reject_old_samples_max_age = "72h"; reject_old_samples_max_age = "72h";
}; };
compactor = { compactor = {
working_directory = "${saveDirectory}/compactor"; working_directory = "${saveDirectory}/compactor";
shared_store = "filesystem";
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [
cfg.configuration.server.http_listen_port
];
} }


@@ -17,16 +17,23 @@ in {
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"challenger.home.feal.no:9100" "voyager.home.feal.no:9100"
"sulu.home.feal.no:9100"
"mccoy.home.feal.no:9100"
"dlink-feal.home.feal.no:9100"
"edison.home.feal.no:9100"
"defiant.home.feal.no:9100" "defiant.home.feal.no:9100"
"leonard.home.feal.no:9100"
"morn.home.feal.no:9100"
"scotty.home.feal.no:9100" "scotty.home.feal.no:9100"
"sisko.home.feal.no:9100"
]; ];
} }
]; ];
} }
{
job_name = "openwrt";
static_configs = [
{ targets = ["dlink-feal.home.feal.no:9100"]; }
];
}
{ {
job_name = "snmp"; job_name = "snmp";
static_configs = [{ static_configs = [{


@@ -0,0 +1,20 @@
{ config, pkgs, ... }:
{
environment.systemPackages = [
pkgs.prometheus-snmp-exporter
];
systemd.services.prometheus-snmp-exporter = {
enable = true;
description = "Gather data from SNMP devices and expose them as Prometheus metrics";
unitConfig = {
Type = "simple";
};
serviceConfig = {
ExecStart = "${pkgs.prometheus-snmp-exporter}/bin/snmp_exporter --config.file='/tank/services/metrics/prometheus/snmp.yml'";
# snmp.yml = https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml + https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
};
wantedBy = [ "multi-user.target" ];
};
}
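Review bot: `unitConfig = { Type = "simple"; };` places a `[Service]` directive in the `[Unit]` section, where systemd ignores it with a warning; it belongs in `serviceConfig`. The unit also sets no `User`/`DynamicUser`, so an exporter that only needs to read one config file and speak SNMP runs as root with its HTTP listener on its default port; `serviceConfig = { Type = "simple"; DynamicUser = true; ExecStart = "..."; };` (ExecStart unchanged) would fix both, provided the `/tank/services/metrics/prometheus/snmp.yml` file is readable by the dynamic user. Since that file normally carries SNMP community strings, its mode should be restricted to the service user. The NixOS module `services.prometheus.exporters.snmp` seen elsewhere on this page already runs unprivileged and takes `configurationPath`, so a comment explaining why a hand-rolled unit is preferred here would help the next maintainer.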


@@ -1,41 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.microbin;
domain = "p.feal.no";
address = "127.0.1.2";
port = 5006;
in {
services.microbin = {
enable = true;
passwordFile = config.sops.secrets."microbin/secrets".path;
settings = {
MICROBIN_BIND = address;
MICROBIN_DISABLE_TELEMETRY = true;
MICROBIN_ENABLE_BURN_AFTER = true;
MICROBIN_FOOTER_TEXT = "Be nice or go away";
MICROBIN_NO_FILE_UPLOAD = true;
MICROBIN_NO_LISTING = true;
MICROBIN_PORT = port;
MICROBIN_PUBLIC_PATH = "https://${domain}/";
MICROBIN_QR = true;
MICROBIN_TITLE = "Temporary pasta collection";
};
};
sops.secrets."microbin/secrets" = { };
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
locations."/" = {
proxyPass = "http://${address}:${toString port}";
};
};
}


@@ -51,16 +51,16 @@
"_Oblivion" = "289be565-d73e-4cb1-a047-dcc319acdc80"; "_Oblivion" = "289be565-d73e-4cb1-a047-dcc319acdc80";
Crisju = "8b77dc43-27ba-4710-bbfd-4e01e6ec7461"; Crisju = "8b77dc43-27ba-4710-bbfd-4e01e6ec7461";
Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c"; Dandellion = "f393413b-59fc-49d7-a5c4-83a5d177132c";
Evaraknes = "a6adfad8-6c3b-4a0d-912e-d84a0caa1caa";
Taschmex = "a3a258b0-901f-43d9-b130-dad3b29cd7ee"; Taschmex = "a3a258b0-901f-43d9-b130-dad3b29cd7ee";
guy_montag = "cb8aa890-a5a3-41f2-9bb7-1edb20c5a31f"; guy_montag = "cb8aa890-a5a3-41f2-9bb7-1edb20c5a31f";
koppern = "3450494c-b945-4fa2-938c-5519adec005f"; koppern = "3450494c-b945-4fa2-938c-5519adec005f";
krloer = "ab3029e2-76b6-4219-854e-16091fe5e421"; krloer = "ab3029e2-76b6-4219-854e-16091fe5e421";
tictac1255 = "bab1f702-0e8b-4b98-8cce-bbfaed534d13";
}; };
}; };
}; };
# TODO: Automated backup job (https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/commit/57d1dfd121fdb23fcef54e0632f6f6278c6bb753/hosts/greddost/services/minecraft/default.nix#L144)
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server" "minecraft-server"
]; ];


@@ -1,50 +0,0 @@
{ config, pkgs, lib, inputs, ... }:
{
imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
services.minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
dataDir = "/var/lib/minecraft-server";
servers.home = {
enable = true;
jvmOpts = "-Xms4G -Xmx4G";
package = pkgs.fabricServers.fabric-1_21_4;
serverProperties = {
motd = "Home <3";
difficulty = "easy";
view-distance = 16;
simulation-distance = 16;
enable-command-block = true;
enable-rcon = true;
online-mode = false;
"rcon.password" = "wack";
};
symlinks = {
mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
FabricAPI = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/8FAH9fuR/fabric-api-0.114.2%2B1.21.4.jar";
sha256 = "sha256-nL1bcAaMW0tRCpfW0prd3mce14ZNcl7pAUabVXAQfWs=";
};
Lithium = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/zVOQw7YU/lithium-fabric-0.14.6%2Bmc1.21.4.jar";
sha256 = "sha256-iF4hy+3XVJP7Fv6R2dsrYq6Ct0MQJLX4/4Yh5WEJm90=";
};
});
};
};
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server"
];
networking.firewall.allowedUDPPorts = [ 24454 ];
}



@@ -1,12 +0,0 @@
{ config, pkgs, ... }:
{
services.prometheus.exporters.snmp = {
enable = true;
configurationPath = ./snmp-exporter-conf.yml;
# snmp.yml is built from
# https://github.com/prometheus/snmp_exporter/blob/main/snmp.yml
# and
# https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_MIB_Guide.pdf
};
}


@@ -1,16 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.uptime-kuma;
in {
services.uptime-kuma = {
enable = true;
settings = {
PORT = "5059";
HOST = "127.0.1.2";
};
};
services.nginx.virtualHosts."uptime.home.feal.no" = {
locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
};
}


@@ -1,8 +1,5 @@
{ config, values, ... }: { config, values, ... }:
let {
gitea = config.services.gitea.settings;
keycloak = config.services.keycloak.settings;
in {
services.nginx = { services.nginx = {
enable = true; enable = true;
enableReload = true; enableReload = true;
@@ -34,7 +31,7 @@ in {
# Publicly exposed services: # Publicly exposed services:
services.nginx.virtualHosts = let services.nginx.virtualHosts = let
publicProxy = upstream: overrides: { publicProxy = upstream: {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; } { addr = "192.168.10.175"; port = 43080; ssl = false; }
@@ -43,31 +40,34 @@ in {
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "${upstream}"; locations."/".proxyPass = "${upstream}";
};
in {
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
"git.feal.no" = publicProxy "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
"wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
"cloud.feal.no" = {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
enableACME = true;
forceSSL = true;
extraConfig = '' extraConfig = ''
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
server_tokens off; server_tokens off;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
''; '';
} // overrides; locations."/".proxyPass = "http://voyager.home.feal.no/";
in {
"amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"cloud.feal.no" = publicProxy "" {
locations."/" = {
proxyPass = "http://challenger.home.feal.no";
extraConfig = ''
client_max_body_size 8G;
'';
};
}; };
"feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
"iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { };
"kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
"wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
}; };
} }
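Review bot: In the new `"cloud.feal.no"` vhost the `extraConfig` forwards `X-Real-IP` and `X-Forwarded-For` but, as far as the side-by-side rendering can be read, no longer sets `X-Forwarded-Proto`, so the upstream at `http://voyager.home.feal.no/` cannot tell that the client arrived over TLS even though `forceSSL = true` redirects every plain request; unless `recommendedProxySettings` (outside this hunk) already supplies it, add `proxy_set_header X-Forwarded-Proto $scheme;` next to the other two headers. The HSTS `add_header` remains commented out, so the public hosts get `forceSSL` redirects but no HSTS; a short note on why it is held back (the preload caveat in the comment covers only the preload flag) would help. The let/in and the enclosing attrset start outside the hunk.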


@@ -30,12 +30,6 @@ in {
rewrite /(.*) /admin/$1 break; rewrite /(.*) /admin/$1 break;
''; '';
}; };
locations."/admin" = {
extraConfig = ''
rewrite ^/admin/(.*) $scheme://${domain}/$1 break;
'';
};
}; };
} }


@@ -2,24 +2,15 @@
{ {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
enableTCPIP = true; enableTCPIP = false;
authentication = ''
host all all 172.16.0.0/12 md5
'';
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; # enable = true;
location = "/tank/backup/postgresql"; location = "/data/backup/postgresql/";
startAt = "*-*-* 03:15:00"; startAt = "*-*-* 03:15:00";
backupAll = true;
# Each service is registered in its own configuration file
databases = [ ];
}; };
# Docker containers on this host can reach postgres
networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port 5432 -s 172.16.0.0/12 -j ACCEPT";
environment.systemPackages = [ config.services.postgresql.package ]; environment.systemPackages = [ config.services.postgresql.package ];
} }


@@ -1,14 +0,0 @@
{ config, pkgs, lib, ... }:
let
port = 1457;
in {
hardware.rtl-sdr.enable = true;
systemd.services.rtl-tcp = {
script = "${pkgs.rtl-sdr}/bin/rtl_tcp -a 0.0.0.0 -p ${toString port} -s 2000000 -T";
serviceConfig = {
Group = "plugdev";
};
};
networking.firewall.allowedTCPPorts = [ port ];
}


@@ -1,39 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.searx;
domain = "search.home.feal.no";
in {
services.searx = {
enable = true;
environmentFile = config.sops.secrets."searx/envfile".path;
settings = {
server = {
secret_key = "@SEARX_SECRET_KEY@";
base_url = "http://${domain}";
};
};
runInUwsgi = true;
uwsgiConfig = {
socket = "/run/searx/searx.sock";
chmod-socket = "660";
};
redisCreateLocally = true;
};
sops.secrets."searx/envfile" = {
owner = "searx";
group = "searx";
};
users.groups."searx".members = [ "nginx" ];
services.nginx.virtualHosts."${domain}" = {
locations."/".extraConfig = ''
include ${config.services.nginx.package}/conf/uwsgi_params;
uwsgi_pass unix:${cfg.uwsgiConfig.socket};
'';
};
}


@@ -2,9 +2,8 @@
let let
cfg = config.services.vaultwarden; cfg = config.services.vaultwarden;
domain = "pw.feal.no"; domain = "pw.feal.no";
address = "127.0.1.2"; address = "127.0.0.1";
port = 3011; port = 3011; # Note: The websocket port is left as default(3012)
wsPort = 3012;
in { in {
sops.secrets."vaultwarden/admintoken" = { sops.secrets."vaultwarden/admintoken" = {
owner = "vaultwarden"; owner = "vaultwarden";
@@ -20,16 +19,11 @@ in {
rocketAddress = address; rocketAddress = address;
rocketPort = port; rocketPort = port;
websocketEnabled = true; websocketEnabled = true;
websocketAddress = address; # databaseUrl = "postgresql://vaultwarden:@localhost/vaultwarden?sslmode=disable";
websocketPort = wsPort;
signupsAllowed = true;
signupsVerify = true;
signupsDomainsWhitelist = "albrigtsen.it";
databaseUrl = "postgresql://vaultwarden@/vaultwarden"; databaseUrl = "postgresql://vaultwarden@/vaultwarden";
signupsAllowed = false;
}; };
}; };
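Review bot: Dropping `websocketAddress = address;` while keeping `websocketEnabled = true;` means the websocket listener binds to whatever the upstream `WEBSOCKET_ADDRESS` default is, which may not be loopback-only, while nginx now proxies to `http://localhost:3012`; unless the host firewall is known to block 3012, set it explicitly with `websocketAddress = address;` beside `rocketAddress = address;`. The commented `# databaseUrl = "...sslmode=disable";` is dead text next to the live `databaseUrl` line and can go. `signupsAllowed = false;` is a sound tightening. The enclosing config attrset starts outside the hunk.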
@@ -41,8 +35,6 @@ in {
}]; }];
}; };
services.postgresqlBackup.databases = [ "vaultwarden" ];
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@@ -60,7 +52,7 @@ in {
proxyWebsockets = true; proxyWebsockets = true;
}; };
locations."/notifications/hub" = { locations."/notifications/hub" = {
proxyPass = "http://${address}:${toString wsPort}"; proxyPass = "http://localhost:3012";
proxyWebsockets = true; proxyWebsockets = true;
}; };
locations."/notifications/hub/negotiate" = { locations."/notifications/hub/negotiate" = {


@@ -1,38 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.networking.wireguard.interfaces."wg0";
in {
networking = {
nat = {
enable = true;
externalInterface = "enp3s0";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ cfg.listenPort ];
wireguard.interfaces."wg0" = {
ips = [ "10.100.0.1/24" ];
listenPort = 51820;
privateKeyFile = "/etc/wireguard/defiant.private";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
'';
peers = [
{ # Burnham
publicKey = "JcfyrMoZmnbibVLaIKuGSARAX2alFv4kwLbJaLBNbzo=";
persistentKeepalive = 60;
allowedIPs = [
"10.100.0.2/32"
"192.168.11.0/24"
];
#endpoint = "site2.feal.no:51902";
}
] ++ (import ../../../common/wireguard-peers.nix);
};
};
}


@@ -0,0 +1,43 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./desktop.nix
];
virtualisation.docker.enable = true;
networking = {
hostName = "edison";
defaultGateway = "192.168.10.1";
# Networking / Wi-Fi is configured with NM for now. TODO
networkmanager.enable = true;
};
console.keyMap = "us";
# sops.defaultSopsFile = ../../secrets/edison/edison.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
pavucontrol
];
programs.steam.enable = true;
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"steam"
"steam-original"
"steam-run"
];
system.stateVersion = "23.05";
}

55
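--- a/hosts/edison/desktop.nix
+++ b/hosts/edison/desktop.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+{
+services.xserver = {
+enable = true;
+desktopManager.xfce.enable = true;
+videoDrivers = [ "nvidia" ];
+layout = "us,no";
+xkbVariant = "intl";
+};
+environment.systemPackages = with pkgs; [
+xfce.xfce4-pulseaudio-plugin
+];
+services.picom.enable = true;
+hardware.opengl.enable = true;
+services.pipewire = {
+enable = true;
+alsa.enable = true;
+pulse.enable = true;
+jack.enable = true;
+};
+fonts = {
+fontDir.enable = true;
+packages = with pkgs; [
+noto-fonts
+noto-fonts-emoji
+noto-fonts-cjk-sans
+font-awesome
+fira-code
+hack-font
+(nerdfonts.override {
+fonts = [
+"Hack"
+];
+})
+];
+};
+# Remote:
+services.xrdp = {
+enable = true;
+defaultWindowManager = "xfce4-session";
+openFirewall = true;
+};
+services.flatpak.enable = true;
+users.users."felixalb".packages = [ pkgs.flatpak ];
+xdg.portal = {
+enable = true;
+extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+};
+}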
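Review bot: `services.xrdp` is enabled with `openFirewall = true;`, which opens the RDP port on every interface of a host whose configuration.nix on this page says networking (including Wi-Fi) is handled by NetworkManager, so the listener follows the machine onto any network it joins; the NixOS xrdp module by default answers with a self-signed certificate and password authentication. Limit the exposure to the wired LAN with `networking.firewall.interfaces.<iface>.allowedTCPPorts` instead of `openFirewall`, or reach it over SSH/WireGuard only. If the open port is intended, a comment such as `# Remote: RDP is reachable from any network this host is attached to` should record that decision.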


@@ -0,0 +1,41 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/14b254e1-d94f-4b9b-a910-7fcf7e33af46";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A197-7913";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/d56040a0-3009-4899-95fa-1b82e60e32e4"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

24
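--- a/hosts/edison/home.nix
+++ b/hosts/edison/home.nix
@@ -0,0 +1,24 @@
+{ pkgs, lib, ... }:
+{
+home.packages = with pkgs; [
+bat
+bottom
+mumble
+ncdu
+neofetch
+nix-index
+];
+imports = [
+./../../home/base.nix
+];
+programs = {
+zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
+alacritty.enable = true;
+firefox.enable = true;
+rofi.enable = true;
+};
+home.stateVersion = "23.05";
+}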


@@ -1,59 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
networkmanager.enable = true;
wireguard.enable = true;
tempAddresses = "disabled";
hostName = "fa-t14-2025";
nameservers = [ "9.9.9.9" ];
domain = "it.hime.no";
hostId = "f458d6aa";
search = [
"mktv.no"
"mktv.local"
];
};
services.openssh.openFirewall = false;
environment.systemPackages = with pkgs; [
inetutils
wireguard-tools
];
virtualisation.docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
users.users.felixalb = {
uid = 1000;
openssh.authorizedKeys.keys = [ ];
extraGroups = [ "networkmanager" ];
};
console.keyMap = "no";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"securecrt"
"securefx"
];
};
system.stateVersion = "25.05";
}


@@ -1,51 +0,0 @@
{ config, pkgs, lib, ... }:
{
hardware.graphics.enable = true;
services.xserver = {
enable = true;
xkb = {
options = "ctrl:nocaps";
layout = "no";
};
};
services.displayManager.ly.enable = true;
services.gnome.gnome-keyring.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
# Fonts
fonts = {
fontDir.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-color-emoji
noto-fonts-cjk-sans
font-awesome
fira-code
hack-font
nerd-fonts.hack
];
};
# Misc:
xdg.portal = {
enable = true;
wlr.enable = true;
};
location.provider = "geoclue2";
security.polkit.enable = true;
services.dbus.packages = [ pkgs.gcr ];
services.openssh.settings.X11Forwarding = true;
programs.nm-applet.enable = true;
}


@@ -1,51 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "resume_offset=3037184" "mem_sleep_default=deep" ];
boot.resumeDevice = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
powerManagement.enable = true;
services.power-profiles-daemon.enable = true;
services.logind.lidSwitch = "suspend-then-hibernate";
services.logind.lidSwitchDocked = "ignore";
services.logind.powerKey = "suspend-then-hibernate";
services.logind.powerKeyLongPress = "poweroff";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/3ecaedab-415c-4cce-a3a9-9f3782acb682";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0800-59D9";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [
{
device = "/var/lib/swapfile";
size = 32*1024;
}
];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,99 +0,0 @@
{ pkgs, lib, ... }:
let
emailAddress = "felix.albrigtsen@mktv.no";
in {
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
bc
catimg
chromium
dig
element-desktop
hunspellDicts.en_US
hunspellDicts.nb_NO
iperf3
jq
libreoffice
mpv
oauth2ms
openssl
openvpn
pavucontrol
pwgen
traceroute
virt-manager
w3m
nixpkgs-2211.remmina
(unstable.microsoft-edge.overrideAttrs ({ installPhase ? "", ... }: {
installPhase = installPhase + ''
ln -s $out/bin/microsoft-edge $out/bin/microsoft-edge-stable
'';
}))
# Window Manager Extras
bibata-cursors
brightnessctl
cliphist
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
rofi-rbw-wayland
swaynotificationcenter
waybar
wl-clipboard
(python312.withPackages (ps: with ps; [
numpy
pycryptodome
requests
]))
];
programs = {
aerc = {
enable = true;
package = pkgs.aerc;
};
firefox.enable = true;
git.extraConfig.user.email = emailAddress;
rbw = {
enable = true;
settings = {
base_url = "https://vault.mktv.no";
email = emailAddress;
pinentry = pkgs.pinentry-rofi;
};
};
rofi = {
enable = true;
# theme = "iggy";
theme = "Arc-Dark";
};
zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
prezto.pmodules = [ "ssh" ];
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
};
};
home.stateVersion = "25.05";
}


@@ -1,53 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/mysql.nix
./services/nginx.nix
./services/postgresql.nix
./services/wiki-wackattack-eu.nix
./services/www-feal-no
./services/www-kinealbrigtsen-no.nix
./services/www-amalie-mansaker-no
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "leonard";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.207"; prefixLength = 24; }
];
};
hostId = "b99c12d1";
# Prepend the following output rules to disallow talking to other devices on LAN
firewall.extraCommands = lib.strings.concatLines ([
"iptables -F OUTPUT"
] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
"iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
"iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
"iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
]);
};
sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "25.05";
}


@@ -1,24 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/4a70c1d5-9d72-4581-8f75-733b91c10669";
fsType = "ext4";
};
swapDevices = [ ]; # TODO
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@@ -1,12 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "25.05";
}


@@ -1,10 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
# TODO: services.mysqlBackup
}


@@ -1,19 +0,0 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
}


@@ -1,20 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.postgresql = {
enable = true;
enableTCPIP = false;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
services.postgresqlBackup = {
enable = true;
location = "/backup/postgresql/";
startAt = "*-*-* 03:15:00";
backupAll = true;
};
environment.systemPackages = [ config.services.postgresql.package ];
}


@@ -1,38 +0,0 @@
{ config, ... }:
let
bindIP = "127.0.1.2";
port = 5051;
cfg = config.services.wiki-js;
in {
# sops.secrets."wikijs/envfile" = {
# restartUnits = [ "wiki-js.service" ];
# };
services.wiki-js = {
enable = true;
# environmentFile = config.sops.secrets."wikijs/envfile".path;
settings = {
inherit bindIP port;
db = {
type = "postgres";
host = "/run/postgresql";
db = "wiki-js";
user = "wiki-js";
};
};
};
services.postgresql = {
ensureDatabases = [ "wiki-js" ];
ensureUsers = [{
name = "wiki-js";
ensureDBOwnership = true;
}];
};
services.nginx.virtualHosts."wiki.wackattack.eu" = {
locations."/" = {
proxyPass = "http://${bindIP}:${toString port}";
};
};
}


@@ -1,11 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."amalie.mansaker.no" = let
siteContent = pkgs.callPackage ./site.nix { };
in {
locations = {
"/".root = siteContent;
};
};
}


@@ -1,26 +0,0 @@
{ stdenv, fetchgit, hugo }:
stdenv.mkDerivation {
name = "www-amalie-mansaker-no";
src = fetchgit {
url = "https://git.feal.no/amalieem/amalie.mansaker.no.git";
fetchSubmodules = true;
rev = "58265a25b37bf2286e0704e02ab3dde56a348d8b";
hash = "sha256-dPcv0AGjsWqDCWCjV2PeklBrWsIawLAccRQEYe3teOM=";
};
nativeBuildInputs = [ hugo ];
buildPhase = ''
cp -r $src/* .
${hugo}/bin/hugo
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -r public/* $out/
runHook postInstall
'';
}


@@ -1,26 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."feal.no" = {
default = true;
serverAliases = [
"www.feal.no"
];
locations = {
# TODO: Reinstate actual website
"/".return = "302 https://git.feal.no/";
"^~ /.well-known/" = {
alias = (toString ./well-known) + "/";
};
"/cc/" = {
alias = "${pkgs.cyberchef}/share/cyberchef/";
index = "index.html";
};
"= /cc".return = "302 /cc/";
};
};
}


@@ -1,5 +0,0 @@
{
"m.homeserver": {
"base_url": "https://matrix.feal.no:443"
}
}


@@ -1 +0,0 @@
{"m.server": "matrix.feal.no:443"}


@@ -1,95 +0,0 @@
{ config, pkgs, lib, ... }:
{
users.users.www-kinealbrigtsen-no = {
isSystemUser = true;
group = "www-kinealbrigtsen-no";
};
users.groups.www-kinealbrigtsen-no = { };
services.mysql.ensureDatabases = [
"www_kinealbrigtsen_no"
];
services.mysql.ensureUsers = [
{
name = "www-kinealbrigtsen-no";
ensurePermissions = {
# "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
"www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
};
}
];
services.phpfpm.pools.www-kinealbrigtsen-no = {
user = "www-kinealbrigtsen-no";
group = "www-kinealbrigtsen-no";
phpOptions = lib.generators.toKeyValue {} {
upload_max_filesize = "1000M";
post_max_size = "1000M";
memory_limit = "1000M";
};
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 1000;
};
};
services.nginx.virtualHosts."kinealbrigtsen.no" = {
serverAliases = [ "www.kinealbrigtsen.no" ];
root = "/var/www/www-kinealbrigtsen-no";
locations = {
"/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
"~ \\.php$".extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
'';
"~ /\\.ht".extraConfig = ''
deny all;
'';
"/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
"/robots.txt".extraConfig = ''
allow all;
log_not_found off;
access_log off;
'';
"~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = ''
expires max;
log_not_found off;
'';
};
extraConfig = ''
index index.php index.html;
set_real_ip_from 192.168.11.0/24;
real_ip_header X-Forwarded-For;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
'';
};
# TODO:
# - Configure a mailer so wp_mail() works
# - Enable periodic backups
}


@@ -1,35 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/nginx.nix
./services/glance
./services/miniflux.nix
./services/thelounge.nix
];
networking = {
hostName = "morn";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.203"; prefixLength = 24; }
];
};
hostId = "89b7722d";
};
sops.defaultSopsFile = ../../secrets/morn/morn.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "24.11";
}


@@ -1,15 +0,0 @@
{ config, values, ... }:
{
services.glance = {
enable = true;
settings = import ./settings.nix;
};
services.nginx.virtualHosts."glance.home.feal.no" = let
inherit (config.services.glance.settings.server) host port;
in {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
}


@@ -1,83 +0,0 @@
{ config, ... }:
{
server = {
port = 5001;
host = "127.0.1.2";
};
pages =
let
fullCol = widgets: {
size = "full";
inherit widgets;
};
in
[
{
name = "Home";
columns = [
(fullCol [
{
type = "search";
search-engine = "http://search.home.feal.no/search?q={QUERY}";
}
{
type = "weather";
units = "metric";
location = "Trondheim, Norway";
}
])
(fullCol [
{
type = "hacker-news";
limit = 20;
collapse-after = 5;
}
{
type = "monitor";
cache = "5m";
sites =
let
site = title: url: { inherit title url; };
in
[
(site "Jellyfin" "http://jellyfin.home.feal.no")
(site "Gitea" "https://git.feal.no")
(site "VaultWarden" "https://pw.feal.no")
];
}
])
];
}
{
name = "News";
columns =
let
feed = title: url: { inherit title url; };
rss = title: feeds: {
type = "rss";
inherit title feeds;
};
in
[
(fullCol [
(rss "Norway" [
(feed "NRK" "https://www.nrk.no/toppsaker.rss")
(feed "Bygdeposten" "https://www.bygdeposten.no/service/rss")
(feed "Nidaros" "https://www.nidaros.no/service/rss")
])
])
(fullCol [
(rss "NTNU" [
(feed "OmegaV" "https://omegav.no/newsrss")
(feed "PVV" "https://www.pvv.ntnu.no/w/api.php?hidebots=1&urlversion=1&days=7&limit=50&action=feedrecentchanges&feedformat=atom")
(feed "IT-Varsel" "https://varsel.it.ntnu.no/subscribe/rss/")
])
])
];
}
];
}


@@ -1,23 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "rss.home.feal.no";
listen_addr = "127.0.1.2:5051";
in {
sops.secrets."miniflux/env" = { };
services.miniflux = {
enable = true;
adminCredentialsFile = config.sops.secrets."miniflux/env".path;
config = {
CREATE_ADMIN = true;
LISTEN_ADDR = listen_addr;
BASE_URL = "http://${domain}";
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${listen_addr}";
};
}


@@ -1,19 +0,0 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
}


@@ -1,21 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.thelounge.extraConfig;
domain = "irc.home.feal.no";
in {
services.thelounge = {
enable = true;
extraConfig = {
public = false;
host = "127.0.1.2";
port = 9000;
reverseProxy = true;
};
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://${cfg.host}:${toString cfg.port}";
};
}


@@ -0,0 +1,73 @@
{ config, pkgs, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
];
networking.hostName = "redshirt";
networking.networkmanager.enable = true;
# Enable the X11 windowing system.
services.xserver = {
enable = true;
windowManager = {
qtile.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
libinput.enable = true;
};
# The NixOS module enables critical components needed to run Hyprland properly, such as: polkit, xdg-desktop-portal-hyprland, graphics drivers, fonts, dconf, xwayland, and adding a proper Desktop Entry to your Display Manager.
#programs.hyprland = {
# enable = true;
# package = pkgs.unstable.hyprland;
#};
services.xserver.displayManager = {
lightdm.enable = true;
#defaultSession = "hyprland";
};
# Configure keymap in X11
services.xserver.layout = "no";
fonts.fonts = with pkgs; [
(nerdfonts.override { fonts = [ "FiraCode" "Hack" ]; })
];
sound.enable = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
users.users.felixalb = {
extraGroups = [ "networkmanager" ];
};
environment.systemPackages = with pkgs; [
zsh
neovim
git
ripgrep
rsync
cifs-utils
];
documentation.man.generateCaches = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
system.stateVersion = "22.11";
}
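Review bot: `fonts.fonts = with pkgs; [` uses the pre-23.11 option name; from nixos-23.11 on the option is `fonts.packages` and the old name only survives as a renamed alias that warns on every evaluation, so write `fonts.packages = with pkgs; [ ... ];`. The same drift applies to `sound.enable`, `services.xserver.layout` and `services.xserver.libinput`, which later releases renamed (`services.xserver.xkb.layout`, `services.libinput`) or removed, so this host will accumulate eval warnings and eventually fail to build on upgrade. The long comment above the disabled `programs.hyprland` block documents a module that is commented out; either delete both or shorten the comment to `# Hyprland intentionally disabled; qtile + lightdm is the active session.` so a reader does not assume Hyprland is in use.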


@@ -0,0 +1,41 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0d709ab3-0d10-46eb-9e4f-10a320af703e";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6EE9-1C06";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/2067bbb4-b4fa-4326-9f58-4018857058a7"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,90 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
hostName = "sisko";
# networkmanager.enable = true;
defaultGateway = "192.168.10.1";
interfaces.enp14s0 = {
ipv4 = {
addresses = [
{ address = "192.168.10.172"; prefixLength = 24; }
];
};
wakeOnLan.enable = true;
};
hostId = "b716d781";
};
hardware.bluetooth.enable = true;
hardware.rtl-sdr.enable = true;
sops.defaultSopsFile = ../../secrets/sisko/sisko.yaml;
environment.variables = { EDITOR = "vim"; };
users.users.felixalb.extraGroups = [
"dialout"
"libvirtd"
"networkmanager"
"plugdev"
];
programs = {
alvr = {
enable = true;
openFirewall = true;
};
firefox = {
enable = true;
nativeMessagingHosts.packages = with pkgs; [ tridactyl-native ];
};
gamemode.enable = true;
immersed.enable = true;
steam = {
enable = true;
remotePlay.openFirewall = true;
};
virt-manager.enable = true;
};
virtualisation = {
libvirtd.enable = true;
spiceUSBRedirection.enable = true;
};
environment.systemPackages = with pkgs; [
virtiofsd
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"discord"
"immersed"
"spotify"
"steam"
"steam-unwrapped"
];
permittedInsecurePackages = [
"openssl-1.1.1w"
];
rocmSupport = true;
};
services.fwupd.enable = true;
system.stateVersion = "24.11";
}


@@ -1,70 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Video
hardware.graphics = {
enable = true;
enable32Bit = true;
};
hardware.amdgpu.opencl.enable = true;
services.displayManager.ly.enable = true;
services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
# Misc
fonts = {
fontDir.enable = true;
packages = with pkgs; [
fira-code
font-awesome
hack-font
nerd-fonts.hack
noto-fonts
noto-fonts-cjk-sans
noto-fonts-color-emoji
];
};
environment.sessionVariables = {
NIXOS_OZONE_WL = "1";
SSH_AUTH_SOCK = "/run/user/${toString config.users.users.felixalb.uid}/keyring/ssh";
};
services.gnome.gnome-keyring.enable = true;
# Dark mode
home-manager.users.felixalb = {
dconf.settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
};
gtk = {
enable = true;
theme = {
name = "Adwaita-dark";
package = pkgs.gnome-themes-extra;
};
};
};
qt = {
enable = true;
platformTheme = "gnome";
style = "adwaita-dark";
};
}


@@ -1,55 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.extraModprobeConfig = "options bluetooth disable_ertm=1"; # Xbox controller
hardware.xpadneo.enable = true;
boot.kernel.sysctl = {
"vm.max_map_count" = 16777216;
# "fs.file-max" = 524288;
};
fileSystems."/" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/60a70caf-ca37-488d-8c2a-98a7e9b67d84";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ {
device = "/swapfile";
size = 64*1024;
} ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp14s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp15s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -1,162 +0,0 @@
{ pkgs, lib, config, ... }:
{
imports = [
./../../home/base.nix
./../../home/alacritty.nix
];
home.packages = with pkgs; [
# GUI Applications
cantata
chromium
discord
easyeffects
element-desktop
emacs-gtk
feishin
gqrx
kitty
libreoffice
lutris
mpv
mumble
orca-slicer
papers
pavucontrol
picard
pkgsRocm.hashcat
prismlauncher
restic
runelite
spotify
swayimg
thunderbird
tor-browser
bolt-launcher
exiftool
ghidra
# pwndbg-gdb-alias # Broken in 25.05
snicat
# Window Manager Extras
bibata-cursors
cliphist
hyprcursor
hypridle
hyprlock
hyprpaper
hyprshot
nautilus
networkmanager
rofi-rbw-wayland
swaynotificationcenter
waybar
wl-clipboard
# Misc tools
abcde
bc
catimg
dante
dig
go
hunspellDicts.en_US
hunspellDicts.nb_NO
jq
nixpkgs-2211.remmina
ollama-rocm
openssl
playerctl
pwgen
restic
rocmPackages.clang
traceroute
w3m
(python313.withPackages (ps: with ps; [
numpy
pycryptodome
requests
]))
];
programs = {
aerc = {
enable = true;
package = pkgs.aerc;
};
alacritty = {
enable = true;
settings.window.opacity = 0.92;
};
ncmpcpp.enable = true;
rbw = {
enable = true;
settings = {
base_url = "https://pw.feal.no";
email = "felix@albrigtsen.it";
pinentry = pkgs.pinentry-gnome3;
};
};
rofi = {
enable = true;
theme = "iggy";
};
zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
prezto.pmodules = [ "ssh" ];
};
};
services = {
mpd = let
home = config.home.homeDirectory;
in {
enable = true;
musicDirectory = "${home}/mnt/music";
dataDir = "${home}/Music/mpd/data";
playlistDirectory = "${home}/Music/mpd/playlists";
extraConfig = ''
audio_output {
type "pipewire"
name "PipewireOut1"
}
'';
};
};
home.pointerCursor = {
name = "Bibata-Modern-Ice";
package = pkgs.bibata-cursors;
size = 24;
gtk.enable = true;
x11 = {
enable = true;
defaultCursor = true;
};
};
xdg.mimeApps = {
enable = true;
defaultApplications = {
"text/html" = "firefox.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
"inode/directory" = "org.gnome.Nautilus.desktop";
"application/pdf" = "org.gnome.Papers.desktop";
} // builtins.listToAttrs (
builtins.map
( imgType: { name = "image/${imgType}"; value = "swayimg.desktop"; } )
[ "apng" "bmp" "gif" "heic" "heif" "jpeg" "png" "svg" "svg+xml" "tiff" ]
);
};
home.stateVersion = "24.11";
}


@@ -0,0 +1,49 @@
{ config, pkgs, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./filesystems.nix
./wireguard.nix
./exports.nix
./services/snappymail.nix
./services/calibre.nix
./services/fancontrol.nix
./services/jellyfin.nix
./services/kanidm.nix
./services/nextcloud.nix
./services/nginx
./services/postgres.nix
./services/timemachine.nix
./services/transmission.nix
];
networking = {
hostName = "voyager";
bridges.br0.interfaces = [ "eno1" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.10.165"; prefixLength = 24; }
];
hostId = "8e84b235";
defaultGateway = "192.168.10.1";
};
sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
system.stateVersion = "22.11";
}
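Review bot: `virtualisation.docker.enable = true;` on a host that also exports NFS and fronts several services through the imported modules deserves a firewall caveat: Docker installs its own iptables FORWARD/NAT chains, so a port published by an `oci-containers` entry is reachable from the LAN even when it is absent from `networking.firewall.allowedTCPPorts`. I cannot see the container definitions from this file, so either confirm that every published port is bound to `127.0.0.1` or add `# NOTE: published container ports bypass networking.firewall; bind them to 127.0.0.1 in the service modules` above the docker line so the next maintainer knows the NixOS firewall is not the only gate. Separately, `zfs` in `environment.systemPackages` looks redundant: `boot.supportedFilesystems = [ "zfs" ]` in filesystems.nix already installs `config.boot.zfs.package`, and pulling `pkgs.zfs` independently can diverge from the kernel module version if `boot.zfs.package` is ever overridden, so dropping it is the safer choice.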

27
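--- a/hosts/voyager/exports.nix
+++ b/hosts/voyager/exports.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, lib, ... }:
+{
+fileSystems = {
+"/export/riker-backup" = {
+device = "/tank/backup/riker";
+options = [ "bind" ];
+};
+"/export/defiant-backup" = {
+device = "/tank/backup/defiant";
+options = [ "bind" ];
+};
+};
+# Enable nfs4 only
+services.nfs.server = {
+enable = true;
+exports = ''
+/export 192.168.10.4(rw,fsid=0,no_subtree_check) 192.168.10.5(rw,fsid=0,no_subtree_check) 192.168.10.2(rw,fsid=0,no_subtree_check) 192.168.10.175(rw,fsid=0,no_subtree_check)
+/export/riker-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
+/export/doyle-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
+/export/defiant-backup 192.168.10.175(rw,nohide,no_subtree_check,async,no_root_squash)
+'';
+};
+networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
+networking.firewall.allowedUDPPorts = [ 111 20048];
+}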
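Review bot: The export line `/export/doyle-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)` has no matching bind mount — the `fileSystems` block above only creates `/export/riker-backup` and `/export/defiant-backup` — so that path should not exist on this host and exportfs will most likely log an error and skip it; either add a `"/export/doyle-backup" = { device = "/tank/backup/doyle"; options = [ "bind" ]; };` entry (dataset name is a guess, confirm it) or drop the export. The `# Enable nfs4 only` comment contradicts the firewall rules: NFSv4 needs only TCP 2049, while 111 (rpcbind) and 20048 (mountd) exist for the NFSv3 path, so if v4-only is really the intent the rules can shrink to `allowedTCPPorts = [ 2049 ];` and the UDP line can go, otherwise the comment should say v3 is still served. Note that all three `no_root_squash` entries hand root on 192.168.10.2 and .175 unrestricted root access to the backup datasets, and `async` on defiant-backup means an acknowledged write can be lost if voyager crashes; both are plausible for a backup target but deserve a one-line comment stating the trade-off. Access control here is purely source-IP based (AUTH_SYS), so any host that can take over one of those addresses on the LAN inherits the same access.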


@@ -0,0 +1,39 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
environment.systemPackages = with pkgs; [ cifs-utils ];
# Local zfs
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.zfs.autoScrub.enable = true;
# Network mounts (import)
fileSystems = {
"/mnt/feal-syn1/media" = {
device = "feal-syn1.home.feal.no:/volume2/media";
fsType = "nfs";
options = [ "vers=3" ];
#options = [ "x-systemd.automount" "noauto" ];
};
"/mnt/feal-syn1/nfs_proxmox" = {
device = "//feal-syn1.home.feal.no/nfs_proxmox";
fsType = "cifs";
options = let
# this line prevents hanging on network split
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in ["${automount_opts},credentials=/etc/feal-syn1-credentials"];
};
"/var/backup" = {
device = "/tank/backup/voyager";
options = [ "bind "];
};
};
}
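Review bot: The `/var/backup` bind mount ends with `options = [ "bind "];`, a trailing space inside the option string; write it as `options = [ "bind" ];` so the generated fstab entry carries the exact option rather than relying on mount(8) tolerating the stray whitespace. The CIFS mount reads its NAS password from `credentials=/etc/feal-syn1-credentials`, an unmanaged plaintext file on a host that otherwise keeps secrets in sops (`sops.defaultSopsFile` is set in this host's configuration.nix); declaring `sops.secrets."feal-syn1-credentials" = { };` and pointing `credentials=` at `config.sops.secrets."feal-syn1-credentials".path` would keep it deployed, owned by root and mode-restricted like the other secrets. The NFS mount of `/mnt/feal-syn1/media` has its automount options commented out, so with only `vers=3` the mount is attempted unconditionally at boot and can stall boot when the NAS is unreachable; merging `x-systemd.automount` and `noauto` into that options list would avoid the hang the CIFS entry already guards against.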
