Replace legacy configuration with the new

The old configuration is still available in the legacy branch of this
repository. It contains the mostly server-oriented configuration, while
this new configuration is aimed at desktop usage.
caem 2024-04-04 01:41:19 +02:00
parent ab0f848847
commit eff6860aa2
35 changed files with 266 additions and 1091 deletions


@ -1,26 +0,0 @@
name: "Update flake.lock"
on:
workflow_dispatch:
schedule:
- cron: "0 8 * * *"
jobs:
update_lockfile:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@v1
- name: Update flake.lock
uses: DeterminateSystems/update-flake-lock@v19
with:
git-author-name: 'caem'
git-author-email: 'caem@dirae.org'
git-committer-name: 'caem'
git-committer-email: 'caem@dirae.org'
pr-title: "Automated: Update flake.lock"
pr-labels: |
dependencies
automated

6
.gitignore vendored

@ -1,5 +1 @@
nixos/result
pw
.stfolder
privkey
privpsk
secrets/
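Review bot: The ignore list appears to shrink to the single entry `secrets/` (the hunk header reads `-1,5 +1`), which drops the patterns `pw`, `privkey` and `privpsk`. A working tree that still holds files with those names, for example after switching over from the legacy branch, would show them as untracked, and a broad `git add` could then commit key or password material. Keeping those three patterns until the files are confirmed gone costs nothing. Which lines are removed is inferred here, because the rendered page lost its `+`/`-` markers.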


@ -2,40 +2,12 @@
Modular multi-purpose NixOS configuration.
## About
Feel free to do whatever with this configuration.
This configuration [erases your darlings](https://grahamc.com/blog/erase-your-darlings/) using ZFS snapshots.
Currently only used for my homeserver, [desktop runs on Gentoo](https://git.dirae.org/caem/dotfiles).
This is the NixOS configuration I daily drive on my desktop. Feel free to use
and modify this configuration to your needs. No attribution required. I hold no
accountabilty for whatever you do with this configuration.
## Layout
```
/nix/config
├── flake.lock
├── flake.nix ; Master configuration file
├── overlays ; Package overlays
├── packages ; Packages with configurations
│   ├── nginx
│   │   └── homeserver.nix
│   ├── syncthing
│   │   └── homeserver.nix
│   └── vim
│   └── package.nix
├── pw ; Password of your user
├── sets ; Sets of packages
│   └── meta
│   └── sysadmin.nix
├── systems ; System specific configuration
│   ├── common.nix
│   ├── hardware ; Hardware configuration of each system
│   │   ├── homeserver.nix
│   │   └── qemu-vm.nix
│   ├── homeserver.nix
│   ├── persist ; Persistence configuration of each system
│   │   ├── common.nix
│   │   ├── homeserver.nix
│   │   └── qemu-vm.nix
│   └── qemu-vm.nix
└── users ; User specific configuration
├── media.nix
├── none.nix
└── user.nix
```
todo
## Screenshot
todo

200
flake.lock generated

@ -1,44 +1,12 @@
{
"nodes": {
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1694622745,
"narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=",
"lastModified": 1708968331,
"narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e",
"rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
"type": "github"
},
"original": {
@ -47,178 +15,24 @@
"type": "github"
}
},
"nixops": {
"inputs": {
"nixpkgs": "nixpkgs",
"utils": "utils"
},
"locked": {
"lastModified": 1677688500,
"narHash": "sha256-yF2tS9Zo8JCIdPjhy19grmJk8wUFMxMu9cPlgfMJuTg=",
"owner": "NixOS",
"repo": "nixops",
"rev": "fc9b55c55da62f949028143b974f67fdc7f40c8b",
"type": "github"
},
"original": {
"id": "nixops",
"type": "indirect"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1672525397,
"narHash": "sha256-WASDnyxHKWVrEe0dIzkpH+jzKlCKAk0husv0f/9pyxg=",
"lastModified": 1712026416,
"narHash": "sha256-N/3VR/9e1NlN49p7kCiATiEY6Tzdo+CbrAG8kqCQKcI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8ba56d7c0d7490680f2d51ba46a141eca7c46afa",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-22_11": {
"locked": {
"lastModified": 1669558522,
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
"rev": "080a4a27f206d07724b88da096e27ef63401a504",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1684782344,
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1694959747,
"narHash": "sha256-CXQ2MuledDVlVM5dLC4pB41cFlBWxRw4tCBsFrq3cRk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "970a59bd19eff3752ce552935687100c46e820a5",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1694937365,
"narHash": "sha256-iHZSGrb9gVpZRR4B2ishUN/1LRKWtSHZNO37C8z1SmA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5d017a8822e0907fb96f7700a319f9fe2434de02",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1670751203,
"narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"root": {
"inputs": {
"impermanence": "impermanence",
"nixops": "nixops",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"simple-mailserver": "simple-mailserver"
}
},
"simple-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_3",
"nixpkgs-22_11": "nixpkgs-22_11",
"nixpkgs-23_05": "nixpkgs-23_05",
"utils": "utils_2"
},
"locked": {
"lastModified": 1687462267,
"narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "24128c3052090311688b09a400aa408ba61c6ee5",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-23.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"utils_2": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
"nixpkgs": "nixpkgs"
}
}
},


@ -1,58 +1,19 @@
{
description = "Modular multi-purpose NixOS configuration.";
description = "Modular NixOS configuration.";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
inputs = {
impermanence.url = "github:nix-community/impermanence";
};
# https://nixos.wiki/wiki/Impermanence
impermanence.url = "github:nix-community/impermanence";
simple-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
};
outputs = { self, nixpkgs, nixpkgs-unstable, nixops, ... }@attrs: let
outputs = { self, nixpkgs, impermanence, ... }:
{
nixosConfigurations.workstation = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
overlay-unstable = final: prev: {
unstable = import nixpkgs-unstable {
inherit system;
config.allowUnfree = true;
};
};
user = "user"; # Select user from the `./users` directory
in {
# Media homeserver
nixosConfigurations.homeserver = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = attrs;
modules = [
({ config, pkgs, ...}: { nixpkgs.overlays = [ overlay-unstable ]; })
./users/${user}.nix
./systems/homeserver.nix
];
};
# dirae.org
nixosConfigurations.dirae = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = attrs;
modules = [
({ config, pkgs, ...}: { nixpkgs.overlays = [ overlay-unstable ]; })
./users/${user}.nix
./systems/dirae.nix
];
};
# Debugging VM configuration
nixosConfigurations.qemu-vm = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = attrs;
modules = [
({ config, pkgs, ...}: { nixpkgs.overlays = [ overlay-unstable ]; })
./users/${user}.nix
./systems/qemu-vm.nix
];
};
modules = [
impermanence.nixosModules.impermanence
./machines/workstation.nix
./users/hu.nix
];
};
};
}
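Review bot: `nixpkgs` is an argument of `outputs`, but as far as the rendered lines show the new `inputs` set declares only `impermanence.url`, so nixpkgs would be resolved through the flake registry rather than from a URL recorded in this file. Declaring it explicitly, for example `nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";` (matching the `nixpkgs` node visible in flake.lock), keeps the origin of the whole package set reviewable in the repository. The same commit deletes the scheduled "Update flake.lock" workflow, so refreshing the lock, and with it picking up security fixes, becomes a manual step that the README should mention. Old and new lines are interleaved on this page without markers, so which side each line belongs to is inferred.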


@ -0,0 +1,91 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount /dev/nvme0n1p2 /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
'';
fileSystems."/" =
{ device = "/dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532";
fsType = "btrfs";
options = [ "subvol=root" "compress=zstd" "noatime" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532";
fsType = "btrfs";
options = [ "subvol=home" "compress=zstd" "noatime" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532";
fsType = "btrfs";
options = [ "subvol=nix" "compress=zstd" "noatime" ];
};
fileSystems."/var/log" =
{ device = "/dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532";
fsType = "btrfs";
options = [ "subvol=log" "compress=zstd" "noatime" ];
neededForBoot = true;
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A925-0013";
fsType = "vfat";
};
fileSystems."/media/vault" =
{ device = "/dev/disk/by-uuid/048d175b-0e3e-4ec7-955b-3d9a45f9f237";
fsType = "xfs";
};
fileSystems."/media/attic" =
{ device = "/dev/disk/by-uuid/ec32ce36-9f53-4f44-ac8f-2c9163f0b3d7";
fsType = "xfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp34s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
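Review bot: The rollback script in `boot.initrd.postDeviceCommands` mounts `/dev/nvme0n1p2`, a kernel-assigned name, while every `fileSystems` entry below it uses `/dev/disk/by-uuid/...`; if NVMe enumeration ever changes, the code that renames `root` and deletes old subvolumes runs against whichever partition received that name. Mounting by the identifier the file already uses, `mount /dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532 /btrfs_tmp`, removes that dependency, provided the by-uuid links exist at that point of stage 1. The header still says the file is generated by nixos-generate-config and may be overwritten, so the hand-written rollback block is at risk on regeneration; either move it to `machines/workstation.nix` or replace the header with a comment saying the file is now maintained by hand.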


@ -0,0 +1,20 @@
{ config, lib, pkgs, impermanence, ... }:
{
environment.persistence."/nix/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos"
"/var/lib/systemd/coredump"
{
directory = "/var/lib/colord";
user = "colord";
group = "colord";
mode = "u=rwx,g=rx,o=";
}
];
files = [
"/etc/machine-id"
];
};
}
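Review bot: `/var/lib/systemd/coredump` is in the persisted `directories` list, so process core dumps survive the root wipe this configuration otherwise performs on every boot. Core files can hold whatever was in the crashed process's memory, and `programs.gnupg.agent` with SSH support is enabled on this machine, so keeping them should be a deliberate choice; a comment such as `# kept on purpose for debugging; contains process memory` would record it. The `impermanence` argument in the function header is not used in this file, and flake.nix does not appear to pass it through `specialArgs`, so it can be dropped.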

81
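--- a/machines/workstation.nix
+++ b/machines/workstation.nix
@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+{
+imports = [
+./hardware/workstation.nix
+./persist/workstation.nix
+../wm/xmonad.nix
+];
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+boot.kernelPackages = pkgs.linuxPackages_latest;
+boot.supportedFilesystems = [ "btrfs" "xfs" ];
+networking = {
+hostName = "workstation";
+enableIPv6 = false;
+nameservers = [ "1.1.1.1" ];
+defaultGateway = "192.168.2.1";
+interfaces.enp34s0.ipv4.addresses = [{
+address = "192.168.2.68";
+prefixLength = 24;
+}];
+};
+time.timeZone = "Europe/Berlin";
+i18n.defaultLocale = "en_US.UTF-8";
+console = {
+font = "Lat2-Terminus16";
+useXkbConfig = true;
+};
+nixpkgs.config.allowUnfree = true;
+services.xserver.videoDrivers = [ "nvidia" ];
+hardware = {
+opengl = {
+enable = true;
+driSupport = true;
+driSupport32Bit = true;
+};
+nvidia = {
+modesetting.enable = true;
+nvidiaSettings = true;
+open = false;
+package = config.boot.kernelPackages.nvidiaPackages.production;
+};
+};
+programs.mtr.enable = true;
+programs.gnupg.agent = {
+enable = true;
+enableSSHSupport = true;
+};
+security.rtkit.enable = true;
+services.pipewire = {
+enable = true;
+alsa = {
+enable = true;
+support32Bit = true;
+};
+pulse.enable = true;
+jack.enable = true;
+};
+# Todo: Move these packages out in the correct files.
+environment.systemPackages = with pkgs; [
+fastfetch
+neovim
+firefox
+rofi
+wget
+unzip
+git
+tree
+];
+system.stateVersion = "23.11";
+}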
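Review bot: The `networking` block gives `enp34s0` a static address, gateway and resolver, but the imported `./hardware/workstation.nix` still sets `networking.useDHCP = lib.mkDefault true`, so a DHCP client would presumably keep running on the interface and could accept routes or DNS servers offered on the LAN alongside the static ones. Adding `networking.useDHCP = false;` to this block makes the static configuration the only source. No `networking.firewall` setting appears in this file either, so the NixOS default applies; writing `networking.firewall.enable = true;` explicitly would document that this is intended for a desktop with no listening services.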


@ -1,28 +0,0 @@
{ pkgs, ... }:
{
services.akkoma = {
enable = true;
config = {
":pleroma" = {
":instance" = {
name = "Dirae";
description = "This server uses NixOS btw";
email = "caem@dirae.org";
registration_open = false;
};
"Pleroma.Upload".filters = map (pkgs.formats.elixirConf { }).lib.mkRaw [
"Pleroma.Upload.Filter.Exiftool"
"Pleroma.Upload.Filter.Dedupe"
"Pleroma.Upload.Filter.AnonymizeFilename"
];
};
"Pleroma.Web.Endpoint" = {
url.host = "social.dirae.org";
};
};
};
}


@ -1,27 +0,0 @@
{ ... }:
{
services.deluge = {
enable = true;
user = "media";
declarative = true;
dataDir = "/mnt/mass/Services/Deluge";
authFile = "/mnt/mass/Services/Deluge/auth";
config = {
download_location = "/mnt/mass/Torrents/incomplete";
move_completed_path = "/mnt/mass/Torrents";
move_completed = true;
listen_random_port = false;
outgoing_interface = "wg0";
listen_interface = "wg0";
allow_remote = true;
listen_ports = [ 57597 ];
max_active_seeding = -1;
max_active_downloading = 5;
max_active_limit = -1;
};
};
networking.firewall.allowedTCPPorts = [ 57597 58846 ];
}


@ -1,72 +0,0 @@
{ pkgs, config, lib, ... }: let
# theme = builtins.fetchurl {
# url = "";
# sha256 = "";
# };
in
{
# systemd.services.gitea.preStart = lib.mkAfter ''
# mkdir -p ${config.services.gitea.stateDir}/custom/public/css
# cp -f ${theme} ${config.services.gitea.stateDir}/custom/public/css/
# '';
services.gitea = {
enable = true;
package = pkgs.forgejo;
appName = "git.dirae.org";
settings = {
service = {
DISABLE_REGISTRATION = true;
};
server = {
DOMAIN = "git.dirae.org";
ROOT_URL = "https://git.dirae.org";
HTTP_PORT = 3001;
};
"ui" = {
THEMES = ''
forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green
'';
DEFAULT_THEME = "forgejo-dark";
};
"ui.user" = {
REPO_PAGING_NUM = 50;
};
"ui.meta" = {
AUTHOR = "dirae.org Forgejo instance";
DESCRIPTION = "Forgejo instance hosting git repositories for dirae.org";
KEYWORDS = "go,git,self-hosted,gitea,forgejo,foss,oss,decentrialised,federation";
};
"repository" = {
DEFAULT_BRANCH = "master";
DISABLE_STARS = true;
ENABLE_PUSH_CREATE_USER = true;
DEFAULT_REPO_UNITS = ''
repo.code,repo.releases,repo.issues,repo.pulls
'';
PREFERRED_LICENSES="GPL-3.0-or-later,AGPL-3.0-or-later";
};
};
database = {
type = "postgres";
passwordFile = "/var/keys/gitea/db";
};
};
services.postgresql = {
enable = true;
authentication = ''
local gitea all ident map=gitea-users
'';
identMap = ''
gitea-users gitea gitea
'';
};
}


@ -1,26 +0,0 @@
{ ... }:
{
services.gitlab = {
enable = true;
host = "gitlab.dirae.org";
# Server is running on limited budet :,)
# https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html
puma.workers = 0;
puma.threadsMax = 1;
user = "gitlab";
group = "gitlab";
https = true;
databasePasswordFile = "/var/keys/gitlab/db_password";
initialRootPasswordFile = "/var/keys/gitlab/root_password";
secrets = {
dbFile = "/var/keys/gitlab/db";
secretFile = "/var/keys/gitlab/secret";
otpFile = "/var/keys/gitlab/otp";
jwsFile = "/var/keys/gitlab/jws";
};
};
}


@ -1,33 +0,0 @@
{ simple-mailserver, ... }:
{
imports = [
simple-mailserver.nixosModule
];
mailserver = {
enable = true;
fqdn = "dirae.org";
domains = [ "dirae.org" ];
loginAccounts = {
"caem@dirae.org" = {
hashedPasswordFile = "/nix/config/packages/mailserver/pw";
aliases = [
"admin@dirae.org"
"postmaser@dirae.org"
"legal@dirae.org"
"contact@dirae.org"
"dmca@dirae.org"
"pt@dirae.org"
"cali@dirae.org"
"abuse@dirae.org"
];
};
};
# Managed in configuration for nginx
certificateScheme = "acme";
};
}


@ -1,61 +0,0 @@
{ ... }:
let
fqdn = "dirae.org";
serverConfig."m.server" = "dirae.org:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
security.acme.acceptTerms = true;
security.acme.defaults.email = "caem@dirae.org";
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"caem.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = "/var/www/caem";
};
};
"dirae.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = "/var/www/dirae";
};
locations."/.well-known/matrix/server".extraConfig = ''
return 200 '{"m.server": "dirae.org:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
};
"git.dirae.org" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
};
# "gitlab.dirae.org" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
# };
# };
};
};
}


@ -1,16 +0,0 @@
{ ... }:
{
services.nginx = {
enable = true;
user = "media";
virtualHosts."192.168.2.69" = {
root = "/mnt/mass/Torrents";
extraConfig = ''
autoindex on;
'';
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
}


@ -1,18 +0,0 @@
{ ... }:
{
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
ChallengeResponseAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
users.users."user".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnopPaLuQT4+5LzqiBM4JfdRamzArszOrfoDy96KpQL9jeZQhT4E7LE63tySza4auJyTkFcnfGEQQaAlCUYTVvWrvB6l2nG7mVZ5Cr0YvQ1U9AY+1OPE5wCSDUk9zaUm3ldWgUWRA/MyGtzm3kQ+ZtYIOqtvF6Ki5vPRYl+QR0cjThw5Sr/99sTqZwgmbPoAkLXnioSI+oOgV6H8M9XCuvwmlm6YKfBrjTQltj93GpSf24Lf9YaFc51Auao78AfOof/EtGWlcBrvfdjaS/scxSmHO9r/AShV/BEVboG+89i+Qia67cATGIwDLB6HZO1dO5qTSImzcQ/QnFW1E0IGZy3LvKd/FT8QCpHjDtPlsxWwIuTgyLD3c9OZTTA8w619QBKic3KEhuRkhuwOqSPgpvgkK8hS91gr8spL+6U4Bdgo8gZH14kj7ZhiNsIur0Chj/X1uCHGXEHhlV4ky2XAxhGSSr9fy06w4uPsIXGnSufm8jbBAhYDrNzaod2Q/73VE= user@workstation"
];
networking.firewall.allowedTCPPorts = [ 22 ];
}


@ -1,31 +0,0 @@
{ pkgs, ... }:
{
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.matrix-synapse = {
enable = true;
settings.server_name = "dirae.org";
settings.listeners = [
{
port = 8008;
bind_addresses = [ "127.0.0.1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = true;
}];
}
];
};
}


@ -1,18 +0,0 @@
{ ... }:
{
imports = [
../../users/media.nix
];
services.syncthing = {
enable = true;
user = "media";
dataDir = "/mnt/mass";
configDir = "/mnt/mass/Services/Syncthing";
guiAddress = "0.0.0.0:8384";
};
networking.firewall.allowedTCPPorts = [ 8384 22000 ];
networking.firewall.allowedUDPPorts = [ 22000 21027 ];
}


@ -1,34 +0,0 @@
{ pkgs, ... }:
{
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
((vim_configurable.override { }).customize{
name = "vim";
vimrcConfig.packages.plugins = with pkgs.vimPlugins; {
start = [ vim-nix ];
opt = [];
};
vimrcConfig.customRC = ''
syntax on
set tabstop=4
set shiftwidth=4 smarttab
set expandtab
set noswapfile
set incsearch
set noerrorbells
set smartindent
set number
set relativenumber
set nobackup
set scrolloff=8
set sidescrolloff=8
set fileencoding='utf-8'
set nohlsearch
'';
})
];
}


@ -1,30 +0,0 @@
{ pkgs, ... }:
{
networking.wg-quick.interfaces = {
wg0 = {
address = [ "10.174.110.32/32" ];
dns = [ "10.128.0.1" ];
mtu = 1320;
privateKeyFile = "/nix/config/packages/wireguard/privkey";
# Route local traffic through local network
preUp = ''
${pkgs.unixtools.route}/bin/route add -net 192.168.2.0 netmask 255.255.255.0 metric 0 dev eno1
'';
postDown = ''
${pkgs.unixtools.route}/bin/route del -net 192.168.2.0 netmask 255.255.255.0 metric 0 dev eno1
'';
peers = [{
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
presharedKeyFile = "/nix/config/packages/wireguard/privpsk";
allowedIPs = [ "0.0.0.0/0" ];
endpoint = "nl.vpn.airdns.org:1637";
persistentKeepalive = 15;
}];
};
};
networking.firewall.allowedUDPPorts = [ 1637 ];
}


@ -1,13 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
htop
wget
curl
git
tree
];
services.openssh.enable = true;
}


@ -1,20 +0,0 @@
# Common configuration for all systems
{ pkgs, ... }:
{
nix = {
settings.auto-optimise-store = true;
# Clean generations older than a week
gc = {
automatic = false; # Flip this to do it automatically
dates = "weekly";
options = "--delete-older-than 7d";
};
};
nixpkgs.config.allowUnfree = true;
system.stateVersion = "23.05";
}


@ -1,55 +0,0 @@
{ ... }:
{
imports = [
./common.nix
./hardware/dirae.nix
# ./persist/dirae.nix
../sets/meta/sysadmin.nix
../packages/vim/package.nix
../packages/sshd/package.nix
../packages/mailserver/package.nix
../packages/nginx/dirae.nix
../packages/forgejo/dirae.nix
../packages/synapse/package.nix
../packages/akkoma/package.nix
];
boot = {
loader = {
grub = {
enable = true;
device = "/dev/vda";
};
};
kernel = {
sysctl."net.ipv6.conf.eth0.disable_ipv6" = true;
};
};
networking = {
hostName = "dirae";
enableIPv6 = false;
hostId = "149e5b5c";
interfaces = {
enp6s18.ipv4.addresses = [{
address = "91.210.224.148";
prefixLength = 24;
}];
};
nameservers = [ "1.1.1.1" "8.8.8.8" ];
defaultGateway = "91.210.224.1";
firewall = {
enable = true;
};
};
time.timeZone = "Europe/Berlin";
# To not mess up SSH sessions from weird terminals
environment.sessionVariables = {
TERM = "xterm";
};
}


@ -1,47 +0,0 @@
{ lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "virtio_pci" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.kernelParams = [ "nohibernate" ];
boot.extraModulePackages = [ ];
boot.zfs.devNodes = "/dev/disk/by-path";
# Will enable this later when everything is stable
# boot.initrd.postDeviceCommands = lib.mkAfter ''
# zfs rollback -r local/root@blank
# '';
fileSystems."/" = {
device = "local/root";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/B33B-0EBE";
fsType = "vfat";
};
fileSystems."/nix" = {
device = "local/nix";
fsType = "zfs";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/a2a0b9a3-52c9-4eb6-b03b-bcbbae0547a3"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,49 +0,0 @@
{ config, lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "ums_realtek" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.postDeviceCommands = lib.mkAfter ''
zfs rollback -r local/root@blank
'';
fileSystems."/" = {
device = "local/root";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/5C0E-1600";
fsType = "vfat";
};
fileSystems."/nix" = {
device = "local/nix";
fsType = "zfs";
};
fileSystems."/mnt/mass" = {
device = "/dev/disk/by-uuid/f04baac4-40a9-4115-b09d-83b252ee69ad";
fsType = "xfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,45 +0,0 @@
{lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.initrd.postDeviceCommands = lib.mkAfter ''
zfs rollback -r local/root@blank
'';
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.zfs.devNodes = "/dev/disk/by-path";
fileSystems."/" = {
device = "local/root";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/1FD8-C4B8";
fsType = "vfat";
};
fileSystems."/nix" = {
device = "local/nix";
fsType = "zfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,59 +0,0 @@
{ ... }:
{
imports = [
./common.nix
./hardware/homeserver.nix
./persist/common.nix
../sets/meta/sysadmin.nix
../packages/vim/package.nix
../packages/nginx/homeserver.nix
../packages/syncthing/homeserver.nix
../packages/wireguard/package.nix
../packages/deluge/homeserver.nix
];
boot = {
loader = {
efi = {
canTouchEfiVariables = true;
};
grub = {
enable = true;
efiSupport = true;
device = "nodev";
};
};
kernel = {
sysctl."net.ipv6.conf.eth0.disable_ipv6" = true;
};
};
networking = {
hostName = "homeserver";
enableIPv6 = false;
hostId = "95f846dc";
interfaces = {
eno1.ipv4.addresses = [{
address = "192.168.2.69";
prefixLength = 24;
}];
};
nameservers = [ "1.1.1.1" "8.8.8.8" ];
defaultGateway = "192.168.2.1";
firewall = {
enable = true;
allowedTCPPorts = [ 22 ];
};
};
time.timeZone = "Europe/Berlin";
console.keyMap = "uk";
# To not mess up SSH sessions from weird terminals
environment.sessionVariables = {
TERM = "xterm";
};
}


@ -1,18 +0,0 @@
{ impermanence, ... }:
{
imports = [
impermanence.nixosModules.impermanence
];
environment.persistence."/nix/persist" = {
directories = [
"/etc/ssh"
"/var/lib"
];
files = [
"/etc/machine-id"
];
};
}


@ -1,33 +0,0 @@
{ impermanence, ... }:
{
imports = [
impermanence.nixosModules.impermanence
];
environment.persistence."/nix/persist" = {
hideMounts = true;
directories = [
"/var/spool"
{ directory = "/var/dkim"; user = "opendkim";
group = "opendkim"; mode = "u=rwx,g=rx,o=rx"; }
{ directory = "/var/sieve"; user = "virtualMail";
group = "virtualMail"; mode = "u=rwx,g=rwx,o="; }
{ directory = "/var/vmail"; user = "virtualMail";
group = "virtualMail"; mode = "u=rwx,g=rws,o="; }
"/etc/dovecot"
"/etc/pki"
"/etc/ssh"
{ directory = "/var/lib/acme"; user = "acme";
group = "acme"; mode = "u=rwx,g=rx,o=rx"; }
{ directory = "/var/lib/opendkim"; user = "opendkim";
group = "opendkim"; mode = "u=rwx,g=,o="; }
"/var/lib/postfix"
"/var/log"
];
files = [
"/etc/machine-id"
];
};
}


@ -1,18 +0,0 @@
{ ... }:
{
imports = [
./hardware/qemu-vm.nix
../sets/meta/sysadmin.nix
../packages/vim/package.nix
./common.nix
./persist/common.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.hostId = "e78229f8";
time.timeZone = "Europe/Berlin";
}

17
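--- a/users/hu.nix
+++ b/users/hu.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+{
+programs.zsh.enable = true;
+environment.variables = {
+ZDOTDIR = "${config.users.users.hu.home}/.config/zsh";
+};
+users.users.hu = {
+isNormalUser = true;
+extraGroups = [ "wheel" ];
+shell = pkgs.zsh;
+hashedPasswordFile = "/nix/config/secrets/hu/pass";
+};
+# Todo: home-manager configuration
+}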
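Review bot: `hashedPasswordFile` points at `/nix/config/secrets/hu/pass`, but nothing in the file says how that secret is created or protected, whereas the removed `users/user.nix` at least carried a `mkpasswd` hint. Because the root subvolume is recreated on boot, the account's password presumably comes from this file every time, so a missing or unreadable file would leave the only `wheel` user without a usable password. I would add a comment above the line, `# hash made with mkpasswd; keep root-owned, mode 0600; untracked via the secrets/ ignore rule`, and consider whether `users.mutableUsers = false;` matches the intent.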


@ -1,8 +0,0 @@
{ ... }:
{
users.users.media = {
isNormalUser = true;
description = "media";
};
}


@ -1 +0,0 @@
{ }


@ -1,20 +0,0 @@
{ ... }:
{
users.users.user = {
isNormalUser = true;
passwordFile = "/nix/config/pw"; # mkpasswd in config dir
description = "user";
extraGroups = [
"wheel"
"audio"
"video"
"docker"
"podman"
"networkmanager"
"kvm"
"libvirt"
"plugdev"
];
};
}

29
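--- a/wm/xmonad.nix
+++ b/wm/xmonad.nix
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [
+xmobar
+flameshot
+rofi
+feh
+kitty
+pavucontrol
+picom
+];
+services.xserver = {
+enable = true;
+xkb = {
+layout = "de";
+options = "eurosign:e";
+};
+windowManager.xmonad = {
+enable = true;
+enableContribAndExtras = true;
+};
+};
+# Todo: Get gnome-keyring working properly
+services.gnome.gnome-keyring.enable = true;
+}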
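Review bot: `services.gnome.gnome-keyring.enable` starts the daemon, but nothing in this file ties it to login, which is probably what the Todo above it refers to: without the PAM hook the login keyring is not unlocked with the user's password. The usual NixOS setting is `security.pam.services.<display-manager>.enableGnomeKeyring = true;`, with the service name matching whichever display manager ends up in use (none is selected explicitly here). No screen locker is configured in the files visible on this page, which deserves a second Todo on a daily-driven desktop. `rofi` is listed both here and in `machines/workstation.nix`; one entry is enough.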