diff --git a/README.md b/README.md
index 84f8f56..ef2f592 100644
--- a/README.md
+++ b/README.md
@@ -37,8 +37,9 @@ Other installed packages and tools are described in the config files (like ./hos
 ## Networking
 - I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)).
-- I recently switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix) and [here](./hosts/burnham/services/wireguard.nix).
+- A long time ago, I switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix).
 - PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking.
+- A simple custom DynDNS thing is defined [here](./common/domeneshop-dyndns.nix) and used [here](./hosts/defiant/services/dyndns.nix).
 ## Monitoring
diff --git a/common/auto-upgrade.nix b/common/auto-upgrade.nix
index 65ddbb9..d8c7042 100644
--- a/common/auto-upgrade.nix
+++ b/common/auto-upgrade.nix
@@ -7,7 +7,7 @@
 flags = [
 # Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs.
 "--refresh"
-"--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.05"
+"--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.11"
 "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable"
 "--no-write-lock-file"
 ];
diff --git a/flake.lock b/flake.lock
index c6f3ebc..d5071d8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -18,11 +18,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "type": "github" }, "original": { @@ -36,11 +36,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1681202837, - "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { 
@@ -56,35 +56,36 @@ ] }, "locked": { - "lastModified": 1758463745, - "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=", + "lastModified": 1764776959, + "narHash": "sha256-d+5CGloq7Lo1u2SkzhF8oiOdUc6Z5emh22nTXUB9CFA=", "owner": "nix-community", "repo": "home-manager", - "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3", + "rev": "e1680d594a9281651cbf7d126941a8c8e2396183", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-25.05", + "ref": "release-25.11", "repo": "home-manager", "type": "github" } }, "matrix-synapse-next": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { - "lastModified": 1753216555, - "narHash": "sha256-qfgVfgXjVPV7vEER4PVFiGUOUW08GHH71CVXgYW8EVc=", + "lastModified": 1765214213, + "narHash": "sha256-WSk8CTdIDFFP5VMJj9beve19nPMMdTsWnkCHVXqO/3E=", "owner": "dali99", "repo": "nixos-matrix-modules", - "rev": "099db715d1eba526a464f271b05cead5166fd9a9", + "rev": "82959f612ffd523a49c92f84358a9980a851747b", "type": "github" }, "original": { "owner": "dali99", - "ref": "v0.7.1", "repo": "nixos-matrix-modules", "type": "github" } @@ -92,20 +93,20 @@ "nix-darwin": { "inputs": { "nixpkgs": [ - "nixpkgs" + "nixpkgs-darwin" ] }, "locked": { - "lastModified": 1749744770, - "narHash": "sha256-MEM9XXHgBF/Cyv1RES1t6gqAX7/tvayBC1r/KPyK1ls=", - "owner": "lnl7", + "lastModified": 1764161084, + "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=", + "owner": "nix-darwin", "repo": "nix-darwin", - "rev": "536f951efb1ccda9b968e3c9dee39fbeb6d3fdeb", + "rev": "e95de00a471d07435e0527ff4db092c84998698e", "type": "github" }, "original": { - "owner": "lnl7", - "ref": "nix-darwin-25.05", + "owner": "nix-darwin", + "ref": "nix-darwin-25.11", "repo": "nix-darwin", "type": "github" } 
@@ -114,14 +115,16 @@ "inputs": { "flake-compat": "flake-compat", "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_2" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { - "lastModified": 1734314370, - "narHash": "sha256-9PhjDAAuXP4tuJg+kM1AozKwBFyHHJ8ZqhQD+peqGtg=", + "lastModified": 1764813963, + "narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "616634de04e87b621bc3d495af114c4e9c6ccd36", + "rev": "491200d6848402bbab1421cccbc15a46f08c7f78", "type": "github" }, "original": { @@ -132,22 +135,22 @@ }, "nixpkgs": { "locked": { - "lastModified": 1706098335, - "narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=", + "lastModified": 1764677808, + "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a77ab169a83a4175169d78684ddd2e54486ac651", + "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a", "type": "github" }, "original": { - "id": "nixpkgs", - "ref": "nixos-23.11", - "type": "indirect" + "owner": "NixOS", + "ref": "nixos-25.11", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-2211": { "locked": { - "lastModified": 1658083977, "narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=", "type": "tarball", "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz" 
@@ -157,13 +160,29 @@ "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz" } }, + "nixpkgs-darwin": { + "locked": { + "lastModified": 1764806471, + "narHash": "sha256-NsPsz003eWD8wp8vj5BnQzPoDyeQKRUfS2dvan2Y30M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6707b1809330d0f912f5813963bb29f6f194ee81", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-25.11-darwin", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { - "lastModified": 1762111121, - "narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=", + "lastModified": 1764667669, + "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4", + "rev": "418468ac9527e799809c900eda37cbff999199b6", "type": "github" }, "original": { @@ -173,38 +192,6 @@ "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1715266358, - "narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "f1010e0469db743d14519a1efd37e23f8513d714", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1761999846, - "narHash": "sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3de8f8d73e35724bf9abef41f1bdbedda1e14a31", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, "root": { "inputs": { "extra-config": "extra-config", 
@@ -212,8 +199,9 @@ "matrix-synapse-next": "matrix-synapse-next", "nix-darwin": "nix-darwin", "nix-minecraft": "nix-minecraft", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs", "nixpkgs-2211": "nixpkgs-2211", + "nixpkgs-darwin": "nixpkgs-darwin", "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix" } @@ -225,11 +213,11 @@ ] }, "locked": { - "lastModified": 1752544651, - "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", + "lastModified": 1764483358, + "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "2c8def626f54708a9c38a5861866660395bb3461", + "rev": "5aca6ff67264321d47856a2ed183729271107c9c", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f715b39..a3f2df7 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,18 +2,22 @@
 description = "Felixalb System flake";
 inputs = {
-nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; # Remember to update ./common/auto-upgrade.nix
-nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; # Remember to update ./common/auto-upgrade.nix
+nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-25.11-darwin";
 nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
+nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
-nix-darwin.url = "github:lnl7/nix-darwin/nix-darwin-25.05";
-nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
+nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
+nix-darwin.inputs.nixpkgs.follows = "nixpkgs-darwin";
-home-manager.url = "github:nix-community/home-manager/release-25.05";
+home-manager.url = "github:nix-community/home-manager/release-25.11";
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
-matrix-synapse-next.url = "github:dali99/nixos-matrix-modules/v0.7.1";
+matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: Lock to release
+matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";
+nix-minecraft.url = "github:Infinidoge/nix-minecraft";
+nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
 extra-config.url = "git+file:///home/felixalb/nix-extra-config";
@@ -29,6 +33,7 @@
 , nix-darwin
 , nixpkgs
 , nixpkgs-2211
+, nixpkgs-darwin
 , nixpkgs-unstable
 , sops-nix
 , extra-config
@@ -52,7 +57,7 @@
 {
 nixosConfigurations = let
 normalSys = name: hostConfig: nixpkgs.lib.nixosSystem {
-system = "x86_64-linux";
+system = "x86_64-linux"; # TODO - Handle
 specialArgs = {
 inherit inputs;
 };
@@ -75,13 +80,6 @@
 };
 in {
-# Networking / VPN Gateway
-burnham = normalSys "burnham" {
-modules = [
-./common/domeneshop-dyndns.nix
-];
-};
-
 # Media / storage server
 challenger = normalSys "challenger" {
 modules = [
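Review bot: `matrix-synapse-next.url = "github:dali99/nixos-matrix-modules";` in the first hunk drops the `v0.7.1` tag and now tracks the repository's default branch, and the newly added `nix-minecraft.url = "github:Infinidoge/nix-minecraft";` is unpinned in the same way; both are NixOS modules that are evaluated into the system closure, so every future `nix flake update` will take whatever the upstream branch head is at that moment without review. The lock file still records a fixed rev, so nothing changes until the next update, but the `# TODO: Lock to release` should be resolved by pinning to a tag or rev (`github:owner/repo/<tag-or-rev>`) rather than left open, and the same pinning should be applied to nix-minecraft. Separately, `system = "x86_64-linux"; # TODO - Handle` in the third hunk tells the next reader nothing about what is to be handled; a comment such as `# TODO: make system a parameter of normalSys for non-x86_64 hosts` (or whatever the intent actually is) would be more useful.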
@@ -103,9 +101,6 @@ # Web host leonard = normalSys "leonard" { }; - # Web host - malcolm = normalSys "malcolm" { }; - # General application server morn = normalSys "morn" { }; diff --git a/home/base.nix b/home/base.nix index 8479206..0d52432 100644 --- a/home/base.nix +++ b/home/base.nix @@ -32,7 +32,7 @@ programs.git = { enable = true; - extraConfig = { + settings = { pull.rebase = true; push.autoSetupRemote = true; color.ui = "auto"; diff --git a/hosts/burnham/configuration.nix b/hosts/burnham/configuration.nix deleted file mode 100644 index a5796af..0000000 --- a/hosts/burnham/configuration.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - imports = - [ - ../../base.nix - ../../common/metrics-exporters.nix - ./hardware-configuration.nix - - # Infrastructure - ./services/wireguard.nix - - # Other - ./services/dyndns.nix - ./services/nginx.nix - ./services/thelounge.nix - ]; - - boot.loader.systemd-boot.enable = lib.mkForce false; - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/sda"; - - networking = { - hostName = "burnham"; - defaultGateway = "192.168.11.1"; - interfaces.ens18.ipv4 = { - addresses = [ - { address = "192.168.11.109"; prefixLength = 24; } - ]; - }; - hostId = "8e24f235"; - }; - - sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml; - - environment.variables = { EDITOR = "vim"; }; - - system.stateVersion = "23.11"; -} - diff --git a/hosts/burnham/hardware-configuration.nix b/hosts/burnham/hardware-configuration.nix deleted file mode 100644 index 73cc5f5..0000000 --- a/hosts/burnham/hardware-configuration.nix +++ /dev/null 
@@ -1,30 +0,0 @@ -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/31ff6d37-52d6-43c3-a214-5d38a6c38b0e"; - fsType = "ext4"; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/cce59ee7-7c83-4165-a9b0-f950cd2e3273"; } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - #networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens18.useDHCP = lib.mkDefault true; - - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/hosts/burnham/home.nix b/hosts/burnham/home.nix deleted file mode 100644 index 963c567..0000000 --- a/hosts/burnham/home.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs, lib, ... }: -{ - imports = [ - ./../../home/base.nix - ]; - - programs = { - zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; - }; - - home.stateVersion = "23.05"; -} diff --git a/hosts/burnham/services/dyndns.nix b/hosts/burnham/services/dyndns.nix deleted file mode 100644 index 3e7ac60..0000000 --- a/hosts/burnham/services/dyndns.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - sops.secrets."domeneshop/netrc" = { }; - - services.domeneshop-dyndns = { - enable = true; - domain = "site2.feal.no"; - netrcFile = config.sops.secrets."domeneshop/netrc".path; - }; -} 
diff --git a/hosts/burnham/services/nginx.nix b/hosts/burnham/services/nginx.nix deleted file mode 100644 index e4f4a00..0000000 --- a/hosts/burnham/services/nginx.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, values, ... }: -{ - services.nginx = { - enable = true; - enableReload = true; - - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - security.acme = { - acceptTerms = true; - defaults.email = "felix@albrigtsen.it"; - }; -} diff --git a/hosts/burnham/services/thelounge.nix b/hosts/burnham/services/thelounge.nix deleted file mode 100644 index ecfa4d8..0000000 --- a/hosts/burnham/services/thelounge.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, pkgs, lib, ... }: -let - cfg = config.services.thelounge.extraConfig; - domain = "irc.home.feal.no"; -in { - services.thelounge = { - enable = true; - - extraConfig = { - public = false; - host = "127.0.1.2"; - port = 9000; - reverseProxy = true; - }; - }; - - services.nginx.virtualHosts.${domain} = { - locations."/".proxyPass = "http://${cfg.host}:${toString cfg.port}"; - }; -} - diff --git a/hosts/burnham/services/wireguard.nix b/hosts/burnham/services/wireguard.nix deleted file mode 100644 index ef75a2d..0000000 --- a/hosts/burnham/services/wireguard.nix +++ /dev/null 
@@ -1,38 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-cfg = config.networking.wireguard.interfaces."wg0";
-in {
-networking = {
-nat = {
-enable = true;
-externalInterface = "ens18";
-internalInterfaces = [ "wg0" ];
-};
-firewall.allowedUDPPorts = [ cfg.listenPort ];
-
-wireguard.interfaces."wg0" = {
-ips = [ "10.100.0.2/24" ];
-listenPort = 51820;
-privateKeyFile = "/etc/wireguard/burnham.private";
-
-postSetup = ''
-${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
-'';
-postShutdown = ''
-${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
-'';
-
-peers = [
-{ # Defiant
-publicKey = "8/711GhmN9+NcduHF4JPkfoZPE0qsDLuwhABcPyjNxI=";
-persistentKeepalive = 120;
-allowedIPs = [
-"10.100.0.1/32"
-"192.168.10.0/24"
-];
-endpoint = "site3.feal.no:51902";
-}
-] ++ (import ../../../common/wireguard-peers.nix);
-};
-};
-}
diff --git a/hosts/challenger/services/audiobookshelf.nix b/hosts/challenger/services/audiobookshelf.nix
index 61696dd..2597380 100644
--- a/hosts/challenger/services/audiobookshelf.nix
+++ b/hosts/challenger/services/audiobookshelf.nix
@@ -18,6 +18,7 @@ in {
 };
 systemd.services.audiobookshelf = {
+requires = [ "var-lib-audiobookshelf.mount" ];
 serviceConfig = {
 # Better safe than sorry :)
 CapabilityBoundingSet = "";
diff --git a/hosts/challenger/services/nextcloud.nix b/hosts/challenger/services/nextcloud.nix
index f510638..73af9ad 100644
--- a/hosts/challenger/services/nextcloud.nix
+++ b/hosts/challenger/services/nextcloud.nix
@@ -5,7 +5,7 @@ let
 in {
 services.nextcloud = {
 enable = true;
-package = pkgs.nextcloud31;
+package = pkgs.nextcloud32;
 inherit hostName;
 home = "/tank/nextcloud";
 https = true;
diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix
index a4e17dd..198f37c 100644
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
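Review bot: `requires = [ "var-lib-audiobookshelf.mount" ];` in the audiobookshelf hunk pulls the mount unit in but does not order the service after it; systemd's Requires= without a matching After= lets the two start in parallel, so the service can come up on the bare mount point before the data directory is actually mounted. Add `after = [ "var-lib-audiobookshelf.mount" ];` beside it so the service only starts once the mount is active. The enclosing `systemd.services.audiobookshelf` block continues outside the hunk.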
@@ -27,7 +27,7 @@
 # ./services/minecraft/home.nix
 ./services/monitoring
 # ./services/rtl-tcp.nix
-./services/searx.nix
+# ./services/searx.nix
 ./services/vaultwarden.nix
 ];
diff --git a/hosts/defiant/services/monitoring/prometheus.nix b/hosts/defiant/services/monitoring/prometheus.nix
index db5e65e..42b57f2 100644
--- a/hosts/defiant/services/monitoring/prometheus.nix
+++ b/hosts/defiant/services/monitoring/prometheus.nix
@@ -17,14 +17,12 @@ in {
 static_configs = [
 {
 targets = [
-"burnham.home.feal.no:9100"
 "challenger.home.feal.no:9100"
 "defiant.home.feal.no:9100"
 "leonard.home.feal.no:9100"
 "morn.home.feal.no:9100"
 "scotty.home.feal.no:9100"
 "sisko.home.feal.no:9100"
-"sulu.home.feal.no:9100"
 ];
 }
 ];
diff --git a/hosts/fa-t14-2025/desktop.nix b/hosts/fa-t14-2025/desktop.nix
index c3063cd..69ed1d4 100644
--- a/hosts/fa-t14-2025/desktop.nix
+++ b/hosts/fa-t14-2025/desktop.nix
@@ -29,7 +29,7 @@
 fontDir.enable = true;
 packages = with pkgs; [
 noto-fonts
-noto-fonts-emoji
+noto-fonts-color-emoji
 noto-fonts-cjk-sans
 font-awesome
 fira-code
diff --git a/hosts/fa-t14-2025/home.nix b/hosts/fa-t14-2025/home.nix
index 820801d..2c8d705 100644
--- a/hosts/fa-t14-2025/home.nix
+++ b/hosts/fa-t14-2025/home.nix
@@ -44,7 +44,6 @@ in {
 hyprlock
 hyprpaper
 hyprshot
-hyprswitch
 nautilus
 rofi-rbw-wayland
 swaynotificationcenter
diff --git a/hosts/malcolm/configuration.nix b/hosts/malcolm/configuration.nix
deleted file mode 100644
index 8f29b6f..0000000
--- a/hosts/malcolm/configuration.nix
+++ /dev/null
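Review bot: The prometheus hunk removes `"sulu.home.feal.no:9100"` from the node-exporter targets alongside the burnham entry, but nothing else on this page decommissions a sulu host, whereas burnham's host directory is deleted in the same commit. If sulu is still running, its metrics and alerts silently stop here with no record of why; if it was retired earlier, a one-line comment in the hunk or the commit message should say so. Consider `# burnham and sulu decommissioned` above the target list, or restoring the sulu line if the removal was accidental — I can only infer which from what is visible.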
@@ -1,49 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - ./hardware-configuration.nix - - ../../base.nix - ../../common/auto-upgrade.nix - ../../common/metrics-exporters.nix - - ./services/mysql.nix - ./services/nginx.nix - ./services/www-ctf-feal-no.nix - ./services/www-kinealbrigtsen-no.nix - ]; - - networking = { - hostName = "malcolm"; - bridges.br0.interfaces = [ "ens18" ]; - interfaces.br0.useDHCP = false; - interfaces.br0.ipv4.addresses = [ - { address = "192.168.11.106"; prefixLength = 24; } - ]; - - hostId = "620c42d0"; - defaultGateway = "192.168.11.1"; - - # Prepend the following output rules to disallow talking to other devices on LAN - firewall.extraCommands = lib.strings.concatLines ([ - "iptables -F OUTPUT" - ] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS - "iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging - "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" - "iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse" - "iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse" - ]); - }; - - # virtualisation.oci-containers.backend = "docker"; - # systemd.services.docker.postStart = lib.concatMapStringsSep "\n" (rule: "${pkgs.iptables}/bin/iptables ${rule}") ([ - # "-F DOCKER-USER" - # ] ++ (map (addr: "-A DOCKER-USER -p udp --dport 53 -d ${addr} -j RETURN") config.networking.nameservers) ++ [ - # "-A DOCKER-USER -d 192.168.10.0/24 -j REJECT" - # "-A DOCKER-USER -d 192.168.11.0/24 -j REJECT" - # "-A DOCKER-USER -j RETURN" - # ]); - - system.stateVersion = "24.05"; -} diff --git a/hosts/malcolm/hardware-configuration.nix b/hosts/malcolm/hardware-configuration.nix deleted file mode 100644 index f4a4021..0000000 --- a/hosts/malcolm/hardware-configuration.nix +++ /dev/null 
@@ -1,30 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/7240554f-d9d9-457a-91d5-c70c09d96595"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/88C2-BAC8"; - fsType = "vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; - - swapDevices = [ ]; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/hosts/malcolm/home.nix b/hosts/malcolm/home.nix deleted file mode 100644 index 04b5729..0000000 --- a/hosts/malcolm/home.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs, lib, ... }: -{ - imports = [ - ./../../home/base.nix - ]; - - programs = { - zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; - }; - - home.stateVersion = "24.05"; -} diff --git a/hosts/malcolm/services/mysql.nix b/hosts/malcolm/services/mysql.nix deleted file mode 100644 index 128f2d6..0000000 --- a/hosts/malcolm/services/mysql.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - services.mysql = { - enable = true; - package = pkgs.mariadb; - }; - - # TODO: services.mysqlBackup -} diff --git a/hosts/malcolm/services/nginx.nix b/hosts/malcolm/services/nginx.nix deleted file mode 100644 index 78acbfa..0000000 --- a/hosts/malcolm/services/nginx.nix +++ /dev/null 
@@ -1,17 +0,0 @@ -{ config, values, ... }: -{ - services.nginx = { - enable = true; - - clientMaxBodySize = "100m"; - - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - - virtualHosts."kinealbrigtsen.no".default = true; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; -} diff --git a/hosts/malcolm/services/www-ctf-feal-no.nix b/hosts/malcolm/services/www-ctf-feal-no.nix deleted file mode 100644 index cbf8d4c..0000000 --- a/hosts/malcolm/services/www-ctf-feal-no.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - services.nginx.virtualHosts."ctf.feal.no" = { - locations = { - "/".return = "302 https://www.feal.no/"; - "/cc/" = { - alias = "${pkgs.cyberchef}/share/cyberchef/"; - index = "index.html"; - }; - "= /cc".return = "302 /cc/"; - }; - }; -} diff --git a/hosts/malcolm/services/www-kinealbrigtsen-no.nix b/hosts/malcolm/services/www-kinealbrigtsen-no.nix deleted file mode 100644 index f970fd4..0000000 --- a/hosts/malcolm/services/www-kinealbrigtsen-no.nix +++ /dev/null 
@@ -1,95 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - users.users.www-kinealbrigtsen-no = { - isSystemUser = true; - group = "www-kinealbrigtsen-no"; - }; - - users.groups.www-kinealbrigtsen-no = { }; - - services.mysql.ensureDatabases = [ - "www_kinealbrigtsen_no" - ]; - services.mysql.ensureUsers = [ - { - name = "www-kinealbrigtsen-no"; - ensurePermissions = { - # "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures - "www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX"; - }; - } - ]; - - services.phpfpm.pools.www-kinealbrigtsen-no = { - user = "www-kinealbrigtsen-no"; - group = "www-kinealbrigtsen-no"; - phpOptions = lib.generators.toKeyValue {} { - upload_max_filesize = "1000M"; - post_max_size = "1000M"; - memory_limit = "1000M"; - }; - - settings = { - "listen.owner" = config.services.nginx.user; - "listen.group" = config.services.nginx.group; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 4; - "pm.process_idle_timeout" = "10s"; - "pm.max_requests" = 1000; - }; - }; - - services.nginx.virtualHosts."kinealbrigtsen.no" = { - serverAliases = [ "www.kinealbrigtsen.no" ]; - root = "/var/www/www-kinealbrigtsen-no"; - locations = { - "/".extraConfig = '' - try_files $uri $uri/ /index.php?$args; - ''; - - "~ \\.php$".extraConfig = '' - include ${config.services.nginx.package}/conf/fastcgi_params; - - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket}; - ''; - - "~ /\\.ht".extraConfig = '' - deny all; - ''; - - "/favicon.ico".extraConfig = '' - log_not_found off; - access_log off; - ''; - - "/robots.txt".extraConfig = '' - allow all; - log_not_found off; - access_log off; - ''; - - "~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = '' - expires max; - log_not_found off; - ''; - }; - extraConfig = '' - index index.php 
index.html; - set_real_ip_from 192.168.11.0/24; - real_ip_header X-Forwarded-For; - - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - ''; - }; - - # TODO: - # - Configure a mailer so wp_mail() works - # - Enable periodic backups -} diff --git a/hosts/morn/services/miniflux.nix b/hosts/morn/services/miniflux.nix index 3886975..1279314 100644 --- a/hosts/morn/services/miniflux.nix +++ b/hosts/morn/services/miniflux.nix @@ -9,7 +9,7 @@ in { enable = true; adminCredentialsFile = config.sops.secrets."miniflux/env".path; config = { - CREATE_ADMIN = "1"; + CREATE_ADMIN = true; LISTEN_ADDR = listen_addr; BASE_URL = "http://${domain}"; diff --git a/hosts/sisko/configuration.nix b/hosts/sisko/configuration.nix index a51788c..5ad6a51 100644 --- a/hosts/sisko/configuration.nix +++ b/hosts/sisko/configuration.nix @@ -39,7 +39,6 @@ programs = { alvr = { enable = true; - package = pkgs.unstable.alvr; openFirewall = true; }; diff --git a/hosts/sisko/desktop.nix b/hosts/sisko/desktop.nix index 2cc8986..6ed3c66 100644 --- a/hosts/sisko/desktop.nix +++ b/hosts/sisko/desktop.nix @@ -34,7 +34,7 @@ nerd-fonts.hack noto-fonts noto-fonts-cjk-sans - noto-fonts-emoji + noto-fonts-color-emoji ]; }; diff --git a/hosts/sisko/home.nix b/hosts/sisko/home.nix index a4c2958..d4d84a6 100644 --- a/hosts/sisko/home.nix +++ b/hosts/sisko/home.nix @@ -16,10 +16,9 @@ emacs-gtk feishin gqrx - jellyfin-media-player kitty libreoffice - unstable.lutris + lutris mpv mumble orca-slicer @@ -49,7 +48,6 @@ hyprlock hyprpaper hyprshot - hyprswitch nautilus networkmanager rofi-rbw-wayland @@ -105,7 +103,6 @@ rofi = { enable = true; theme = "iggy"; - package = pkgs.rofi-wayland; }; zsh = { shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; diff --git a/hosts/worf/configuration.nix b/hosts/worf/configuration.nix index ee86ec8..3d25304 100644 --- a/hosts/worf/configuration.nix 
+++ b/hosts/worf/configuration.nix
@@ -111,13 +111,6 @@
 };
-# firewall settings
-alf = {
-# 0 = disabled 1 = enabled 2 = blocks all connections except for essential services
-globalstate = 1;
-loggingenabled = 0;
-};
-
 # dock settings
 dock = {
 autohide = true;
@@ -133,12 +126,16 @@
 };
 };
+# firewall settings
+networking.applicationFirewall = {
+enable = true;
+blockAllIncoming = true;
+};
+
 system.keyboard = {
 enableKeyMapping = true;
 remapCapsLockToControl = true;
 };
-# nix.package = pkgs.nix;
-
 system.stateVersion = 5;
 }
diff --git a/hosts/worf/home.nix b/hosts/worf/home.nix
index 5594ecf..edb4e35 100644
--- a/hosts/worf/home.nix
+++ b/hosts/worf/home.nix
@@ -26,7 +26,7 @@
 prismlauncher
 restic
 snicat
-spotify
+# spotify # TODO - broken in 25.11
 tldr
 w3m
 zellij
@@ -61,7 +61,7 @@
 apps = pkgs.buildEnv {
 name = "home-manager-applications";
 paths = config.home.packages;
-pathsToLink = "/Applications";
+pathsToLink = [ "/Applications" ] ;
 };
 in lib.hm.dag.entryAfter [ "writeBoundary" ] ''
diff --git a/hosts/worf/yabai.nix b/hosts/worf/yabai.nix
index a3582c5..cf6d66e 100644
--- a/hosts/worf/yabai.nix
+++ b/hosts/worf/yabai.nix
@@ -5,7 +5,6 @@ let
 in {
 services.yabai = {
 enable = true;
-package = pkgs.unstable.yabai;
 enableScriptingAddition = true;
 config = {
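Review bot: `blockAllIncoming = true;` in the second worf/configuration.nix hunk is a stricter policy than the `alf` block it replaces: the removed comment documents `globalstate = 1` as merely "enabled" and `2` as the block-all mode, so the migration tightens the firewall rather than carrying the old setting over. Block-all on macOS also refuses inbound connections that the plain enabled mode would permit to allowed applications, which is a sensible hardening for a laptop but can surprise anything that expects to accept connections on this host. Make the intent explicit in the new comment, e.g. `# firewall settings (block-all is deliberately stricter than the old alf globalstate = 1)`, or use `blockAllIncoming = false;` if the goal was a pure option rename. Whether nix-darwin 25.11 still accepts the old `alf` options is not visible here, so I cannot tell if the migration itself was forced.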
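Review bot: `pathsToLink = [ "/Applications" ] ;` in the second worf/home.nix hunk has a stray space before the semicolon, which no other line in the file section does; write `pathsToLink = [ "/Applications" ];`. The change to a list is otherwise correct, since `pkgs.buildEnv` takes `pathsToLink` as a list of path prefixes.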