felixalb/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

nixos-25.11 #6

Merged
felixalb merged 10 commits from nixos-25.11 into main 2025-12-08 21:07:42 +01:00
Conversation 0 Commits 10 Files Changed 32 +91 -515
32 changed files with 91 additions and 515 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -37,8 +37,9 @@ Other installed packages and tools are described in the config files (like ./hos
## Networking ## Networking
- I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)). - I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)).
- I recently switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix) and [here](./hosts/burnham/services/wireguard.nix). - A long time ago, I switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix).
- PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking. - PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking.
- A simple custom DynDNS thing is defined [here](./common/domeneshop-dyndns.nix) and used [here](./hosts/defiant/services/dyndns.nix).
## Monitoring ## Monitoring

2
common/auto-upgrade.nix
View File

@@ -7,7 +7,7 @@
flags = [ flags = [
# Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs. # Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs.
"--refresh" "--refresh"
"--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.05" "--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.11"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable" "--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable"
"--no-write-lock-file" "--no-write-lock-file"
]; ];

132
flake.lock generated
View File

@@ -18,11 +18,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1747046372,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -36,11 +36,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1731533236,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401", "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -56,35 +56,36 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1758463745, "lastModified": 1764776959,
"narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=", "narHash": "sha256-d+5CGloq7Lo1u2SkzhF8oiOdUc6Z5emh22nTXUB9CFA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3", "rev": "e1680d594a9281651cbf7d126941a8c8e2396183",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-25.05", "ref": "release-25.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"matrix-synapse-next": { "matrix-synapse-next": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs" "nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1753216555, "lastModified": 1765214213,
"narHash": "sha256-qfgVfgXjVPV7vEER4PVFiGUOUW08GHH71CVXgYW8EVc=", "narHash": "sha256-WSk8CTdIDFFP5VMJj9beve19nPMMdTsWnkCHVXqO/3E=",
"owner": "dali99", "owner": "dali99",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"rev": "099db715d1eba526a464f271b05cead5166fd9a9", "rev": "82959f612ffd523a49c92f84358a9980a851747b",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "dali99", "owner": "dali99",
"ref": "v0.7.1",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"type": "github" "type": "github"
} }
@@ -92,20 +93,20 @@
"nix-darwin": { "nix-darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs-darwin"
] ]
}, },
"locked": { "locked": {
"lastModified": 1749744770, "lastModified": 1764161084,
"narHash": "sha256-MEM9XXHgBF/Cyv1RES1t6gqAX7/tvayBC1r/KPyK1ls=", "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=",
"owner": "lnl7", "owner": "nix-darwin",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "536f951efb1ccda9b968e3c9dee39fbeb6d3fdeb", "rev": "e95de00a471d07435e0527ff4db092c84998698e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "lnl7", "owner": "nix-darwin",
"ref": "nix-darwin-25.05", "ref": "nix-darwin-25.11",
"repo": "nix-darwin", "repo": "nix-darwin",
"type": "github" "type": "github"
} }
@@ -114,14 +115,16 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_2" "nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1734314370, "lastModified": 1764813963,
"narHash": "sha256-9PhjDAAuXP4tuJg+kM1AozKwBFyHHJ8ZqhQD+peqGtg=", "narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "616634de04e87b621bc3d495af114c4e9c6ccd36", "rev": "491200d6848402bbab1421cccbc15a46f08c7f78",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -132,22 +135,22 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1706098335, "lastModified": 1764677808,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=", "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651", "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "owner": "NixOS",
"ref": "nixos-23.11", "ref": "nixos-25.11",
"type": "indirect" "repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs-2211": { "nixpkgs-2211": {
"locked": { "locked": {
"lastModified": 1658083977,
"narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=", "narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
@@ -157,13 +160,29 @@
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
} }
}, },
"nixpkgs-darwin": {
"locked": {
"lastModified": 1764806471,
"narHash": "sha256-NsPsz003eWD8wp8vj5BnQzPoDyeQKRUfS2dvan2Y30M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-25.11-darwin",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1762111121, "lastModified": 1764667669,
"narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=", "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4", "rev": "418468ac9527e799809c900eda37cbff999199b6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -173,38 +192,6 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": {
"locked": {
"lastModified": 1715266358,
"narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "f1010e0469db743d14519a1efd37e23f8513d714",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1761999846,
"narHash": "sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3de8f8d73e35724bf9abef41f1bdbedda1e14a31",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"extra-config": "extra-config", "extra-config": "extra-config",
@@ -212,8 +199,9 @@
"matrix-synapse-next": "matrix-synapse-next", "matrix-synapse-next": "matrix-synapse-next",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-minecraft": "nix-minecraft", "nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs",
"nixpkgs-2211": "nixpkgs-2211", "nixpkgs-2211": "nixpkgs-2211",
"nixpkgs-darwin": "nixpkgs-darwin",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
@@ -225,11 +213,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1752544651, "lastModified": 1764483358,
"narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "2c8def626f54708a9c38a5861866660395bb3461", "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
"type": "github" "type": "github"
}, },
"original": { "original": {

29
flake.nix
View File

@@ -2,18 +2,22 @@
description = "Felixalb System flake"; description = "Felixalb System flake";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; # Remember to update ./common/auto-upgrade.nix nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; # Remember to update ./common/auto-upgrade.nix
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-25.11-darwin";
nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nix-darwin.url = "github:lnl7/nix-darwin/nix-darwin-25.05"; nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs-darwin";
home-manager.url = "github:nix-community/home-manager/release-25.05"; home-manager.url = "github:nix-community/home-manager/release-25.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
matrix-synapse-next.url = "github:dali99/nixos-matrix-modules/v0.7.1"; matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: Lock to release
matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";
nix-minecraft.url = "github:Infinidoge/nix-minecraft"; nix-minecraft.url = "github:Infinidoge/nix-minecraft";
nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
extra-config.url = "git+file:///home/felixalb/nix-extra-config"; extra-config.url = "git+file:///home/felixalb/nix-extra-config";
@@ -29,6 +33,7 @@
, nix-darwin , nix-darwin
, nixpkgs , nixpkgs
, nixpkgs-2211 , nixpkgs-2211
, nixpkgs-darwin
, nixpkgs-unstable , nixpkgs-unstable
, sops-nix , sops-nix
, extra-config , extra-config
@@ -52,7 +57,7 @@
{ {
nixosConfigurations = let nixosConfigurations = let
normalSys = name: hostConfig: nixpkgs.lib.nixosSystem { normalSys = name: hostConfig: nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux"; # TODO - Handle
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
@@ -75,13 +80,6 @@
}; };
in { in {
# Networking / VPN Gateway
burnham = normalSys "burnham" {
modules = [
./common/domeneshop-dyndns.nix
];
};
# Media / storage server # Media / storage server
challenger = normalSys "challenger" { challenger = normalSys "challenger" {
modules = [ modules = [
@@ -103,9 +101,6 @@
# Web host # Web host
leonard = normalSys "leonard" { }; leonard = normalSys "leonard" { };
# Web host
malcolm = normalSys "malcolm" { };
# General application server # General application server
morn = normalSys "morn" { }; morn = normalSys "morn" { };

2
home/base.nix
View File

@@ -32,7 +32,7 @@
programs.git = { programs.git = {
enable = true; enable = true;
extraConfig = { settings = {
pull.rebase = true; pull.rebase = true;
push.autoSetupRemote = true; push.autoSetupRemote = true;
color.ui = "auto"; color.ui = "auto";

40
hosts/burnham/configuration.nix
View File

@@ -1,40 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
# Infrastructure
./services/wireguard.nix
# Other
./services/dyndns.nix
./services/nginx.nix
./services/thelounge.nix
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "burnham";
defaultGateway = "192.168.11.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.11.109"; prefixLength = 24; }
];
};
hostId = "8e24f235";
};
sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "23.11";
}

30
hosts/burnham/hardware-configuration.nix
View File

@@ -1,30 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/31ff6d37-52d6-43c3-a214-5d38a6c38b0e";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/cce59ee7-7c83-4165-a9b0-f950cd2e3273"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
#networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

12
hosts/burnham/home.nix
View File

@@ -1,12 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "23.05";
}

11
hosts/burnham/services/dyndns.nix
View File

@@ -1,11 +0,0 @@
{ config, pkgs, lib, ... }:
{
sops.secrets."domeneshop/netrc" = { };
services.domeneshop-dyndns = {
enable = true;
domain = "site2.feal.no";
netrcFile = config.sops.secrets."domeneshop/netrc".path;
};
}

19
hosts/burnham/services/nginx.nix
View File

@@ -1,19 +0,0 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
}

21
hosts/burnham/services/thelounge.nix
View File

@@ -1,21 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.thelounge.extraConfig;
domain = "irc.home.feal.no";
in {
services.thelounge = {
enable = true;
extraConfig = {
public = false;
host = "127.0.1.2";
port = 9000;
reverseProxy = true;
};
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://${cfg.host}:${toString cfg.port}";
};
}

38
hosts/burnham/services/wireguard.nix
View File

@@ -1,38 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.networking.wireguard.interfaces."wg0";
in {
networking = {
nat = {
enable = true;
externalInterface = "ens18";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ cfg.listenPort ];
wireguard.interfaces."wg0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/etc/wireguard/burnham.private";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
peers = [
{ # Defiant
publicKey = "8/711GhmN9+NcduHF4JPkfoZPE0qsDLuwhABcPyjNxI=";
persistentKeepalive = 120;
allowedIPs = [
"10.100.0.1/32"
"192.168.10.0/24"
];
endpoint = "site3.feal.no:51902";
}
] ++ (import ../../../common/wireguard-peers.nix);
};
};
}

1
hosts/challenger/services/audiobookshelf.nix
View File

@@ -18,6 +18,7 @@ in {
}; };
systemd.services.audiobookshelf = { systemd.services.audiobookshelf = {
requires = [ "var-lib-audiobookshelf.mount" ];
serviceConfig = { serviceConfig = {
# Better safe than sorry :) # Better safe than sorry :)
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";

2
hosts/challenger/services/nextcloud.nix
View File

@@ -5,7 +5,7 @@ let
in { in {
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud31; package = pkgs.nextcloud32;
inherit hostName; inherit hostName;
home = "/tank/nextcloud"; home = "/tank/nextcloud";
https = true; https = true;

2
hosts/defiant/configuration.nix
View File

@@ -27,7 +27,7 @@
# ./services/minecraft/home.nix # ./services/minecraft/home.nix
./services/monitoring ./services/monitoring
# ./services/rtl-tcp.nix # ./services/rtl-tcp.nix
./services/searx.nix # ./services/searx.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
]; ];

2
hosts/defiant/services/monitoring/prometheus.nix
View File

@@ -17,14 +17,12 @@ in {
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"burnham.home.feal.no:9100"
"challenger.home.feal.no:9100" "challenger.home.feal.no:9100"
"defiant.home.feal.no:9100" "defiant.home.feal.no:9100"
"leonard.home.feal.no:9100" "leonard.home.feal.no:9100"
"morn.home.feal.no:9100" "morn.home.feal.no:9100"
"scotty.home.feal.no:9100" "scotty.home.feal.no:9100"
"sisko.home.feal.no:9100" "sisko.home.feal.no:9100"
"sulu.home.feal.no:9100"
]; ];
} }
]; ];

2
hosts/fa-t14-2025/desktop.nix
View File

@@ -29,7 +29,7 @@
fontDir.enable = true; fontDir.enable = true;
packages = with pkgs; [ packages = with pkgs; [
noto-fonts noto-fonts
noto-fonts-emoji noto-fonts-color-emoji
noto-fonts-cjk-sans noto-fonts-cjk-sans
font-awesome font-awesome
fira-code fira-code

1
hosts/fa-t14-2025/home.nix
View File

@@ -44,7 +44,6 @@ in {
hyprlock hyprlock
hyprpaper hyprpaper
hyprshot hyprshot
hyprswitch
nautilus nautilus
rofi-rbw-wayland rofi-rbw-wayland
swaynotificationcenter swaynotificationcenter

49
hosts/malcolm/configuration.nix
View File

@@ -1,49 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../common/auto-upgrade.nix
../../common/metrics-exporters.nix
./services/mysql.nix
./services/nginx.nix
./services/www-ctf-feal-no.nix
./services/www-kinealbrigtsen-no.nix
];
networking = {
hostName = "malcolm";
bridges.br0.interfaces = [ "ens18" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.11.106"; prefixLength = 24; }
];
hostId = "620c42d0";
defaultGateway = "192.168.11.1";
# Prepend the following output rules to disallow talking to other devices on LAN
firewall.extraCommands = lib.strings.concatLines ([
"iptables -F OUTPUT"
] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
"iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
"iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
"iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
]);
};
# virtualisation.oci-containers.backend = "docker";
# systemd.services.docker.postStart = lib.concatMapStringsSep "\n" (rule: "${pkgs.iptables}/bin/iptables ${rule}") ([
# "-F DOCKER-USER"
# ] ++ (map (addr: "-A DOCKER-USER -p udp --dport 53 -d ${addr} -j RETURN") config.networking.nameservers) ++ [
# "-A DOCKER-USER -d 192.168.10.0/24 -j REJECT"
# "-A DOCKER-USER -d 192.168.11.0/24 -j REJECT"
# "-A DOCKER-USER -j RETURN"
# ]);
system.stateVersion = "24.05";
}

30
hosts/malcolm/hardware-configuration.nix
View File

@@ -1,30 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7240554f-d9d9-457a-91d5-c70c09d96595";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/88C2-BAC8";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

12
hosts/malcolm/home.nix
View File

@@ -1,12 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "24.05";
}

10
hosts/malcolm/services/mysql.nix
View File

@@ -1,10 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
# TODO: services.mysqlBackup
}

17
hosts/malcolm/services/nginx.nix
View File

@@ -1,17 +0,0 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
clientMaxBodySize = "100m";
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."kinealbrigtsen.no".default = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

14
hosts/malcolm/services/www-ctf-feal-no.nix
View File

@@ -1,14 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."ctf.feal.no" = {
locations = {
"/".return = "302 https://www.feal.no/";
"/cc/" = {
alias = "${pkgs.cyberchef}/share/cyberchef/";
index = "index.html";
};
"= /cc".return = "302 /cc/";
};
};
}

95
hosts/malcolm/services/www-kinealbrigtsen-no.nix
View File

@@ -1,95 +0,0 @@
{ config, pkgs, lib, ... }:
{
users.users.www-kinealbrigtsen-no = {
isSystemUser = true;
group = "www-kinealbrigtsen-no";
};
users.groups.www-kinealbrigtsen-no = { };
services.mysql.ensureDatabases = [
"www_kinealbrigtsen_no"
];
services.mysql.ensureUsers = [
{
name = "www-kinealbrigtsen-no";
ensurePermissions = {
# "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
"www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
};
}
];
services.phpfpm.pools.www-kinealbrigtsen-no = {
user = "www-kinealbrigtsen-no";
group = "www-kinealbrigtsen-no";
phpOptions = lib.generators.toKeyValue {} {
upload_max_filesize = "1000M";
post_max_size = "1000M";
memory_limit = "1000M";
};
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 1000;
};
};
services.nginx.virtualHosts."kinealbrigtsen.no" = {
serverAliases = [ "www.kinealbrigtsen.no" ];
root = "/var/www/www-kinealbrigtsen-no";
locations = {
"/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
"~ \\.php$".extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
'';
"~ /\\.ht".extraConfig = ''
deny all;
'';
"/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
"/robots.txt".extraConfig = ''
allow all;
log_not_found off;
access_log off;
'';
"~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = ''
expires max;
log_not_found off;
'';
};
extraConfig = ''
index index.php index.html;
set_real_ip_from 192.168.11.0/24;
real_ip_header X-Forwarded-For;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
'';
};
# TODO:
# - Configure a mailer so wp_mail() works
# - Enable periodic backups
}

2
hosts/morn/services/miniflux.nix
View File

@@ -9,7 +9,7 @@ in {
enable = true; enable = true;
adminCredentialsFile = config.sops.secrets."miniflux/env".path; adminCredentialsFile = config.sops.secrets."miniflux/env".path;
config = { config = {
CREATE_ADMIN = "1"; CREATE_ADMIN = true;
LISTEN_ADDR = listen_addr; LISTEN_ADDR = listen_addr;
BASE_URL = "http://${domain}"; BASE_URL = "http://${domain}";

1
hosts/sisko/configuration.nix
View File

@@ -39,7 +39,6 @@
programs = { programs = {
alvr = { alvr = {
enable = true; enable = true;
package = pkgs.unstable.alvr;
openFirewall = true; openFirewall = true;
}; };

2
hosts/sisko/desktop.nix
View File

@@ -34,7 +34,7 @@
nerd-fonts.hack nerd-fonts.hack
noto-fonts noto-fonts
noto-fonts-cjk-sans noto-fonts-cjk-sans
noto-fonts-emoji noto-fonts-color-emoji
]; ];
}; };

5
hosts/sisko/home.nix
View File

@@ -16,10 +16,9 @@
emacs-gtk emacs-gtk
feishin feishin
gqrx gqrx
jellyfin-media-player
kitty kitty
libreoffice libreoffice
unstable.lutris lutris
mpv mpv
mumble mumble
orca-slicer orca-slicer
@@ -49,7 +48,6 @@
hyprlock hyprlock
hyprpaper hyprpaper
hyprshot hyprshot
hyprswitch
nautilus nautilus
networkmanager networkmanager
rofi-rbw-wayland rofi-rbw-wayland
@@ -105,7 +103,6 @@
rofi = { rofi = {
enable = true; enable = true;
theme = "iggy"; theme = "iggy";
package = pkgs.rofi-wayland;
}; };
zsh = { zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";

15
hosts/worf/configuration.nix
View File

@@ -111,13 +111,6 @@
}; };
# firewall settings
alf = {
# 0 = disabled 1 = enabled 2 = blocks all connections except for essential services
globalstate = 1;
loggingenabled = 0;
};
# dock settings # dock settings
dock = { dock = {
autohide = true; autohide = true;
@@ -133,12 +126,16 @@
}; };
}; };
# firewall settings
networking.applicationFirewall = {
enable = true;
blockAllIncoming = true;
};
system.keyboard = { system.keyboard = {
enableKeyMapping = true; enableKeyMapping = true;
remapCapsLockToControl = true; remapCapsLockToControl = true;
}; };
# nix.package = pkgs.nix;
system.stateVersion = 5; system.stateVersion = 5;
} }

4
hosts/worf/home.nix
View File

@@ -26,7 +26,7 @@
prismlauncher prismlauncher
restic restic
snicat snicat
spotify # spotify # TODO - broken in 25.11
tldr tldr
w3m w3m
zellij zellij
@@ -61,7 +61,7 @@
apps = pkgs.buildEnv { apps = pkgs.buildEnv {
name = "home-manager-applications"; name = "home-manager-applications";
paths = config.home.packages; paths = config.home.packages;
pathsToLink = "/Applications"; pathsToLink = [ "/Applications" ] ;
}; };
in in
lib.hm.dag.entryAfter [ "writeBoundary" ] '' lib.hm.dag.entryAfter [ "writeBoundary" ] ''

1
hosts/worf/yabai.nix
View File

@@ -5,7 +5,6 @@ let
in { in {
services.yabai = { services.yabai = {
enable = true; enable = true;
package = pkgs.unstable.yabai;
enableScriptingAddition = true; enableScriptingAddition = true;
config = { config = {