caem/nixos-system-config
caem/nixos-system-config
1
Fork 0
Code Releases Activity

Replace legacy configuration with the new

Browse source 
The old configuration is still available in the legacy branch of this
repository. It contains the mostly server oriented configuration while
this new configuration is aimed at desktop usage.
This commit is contained in:
caem 2024-04-04 01:41:19 +02:00
parent ab0f848847
commit eff6860aa2
35 changed files with 266 additions and 1091 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
.github/workflows/main.yml vendored
View file

@ -1,26 +0,0 @@
name: "Update flake.lock"
on:
workflow_dispatch:
schedule:
- cron: "0 8 * * *"
jobs:
update_lockfile:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@v1
- name: Update flake.lock
uses: DeterminateSystems/update-flake-lock@v19
with:
git-author-name: 'caem'
git-author-email: 'caem@dirae.org'
git-committer-name: 'caem'
git-committer-email: 'caem@dirae.org'
pr-title: "Automated: Update flake.lock"
pr-labels: |
dependencies
automated

6
.gitignore vendored
View file

@ -1,5 +1 @@
nixos/result
pw
.stfolder
privkey
privpsk
secrets/

42
README.md
View file

@ -2,40 +2,12 @@
Modular multi-purpose NixOS configuration.
## About
Feel free to do whatever with this configuration.
This configuration [erases your darlings](https://grahamc.com/blog/erase-your-darlings/) using ZFS snapshots.
Currently only used for my homeserver, [desktop runs on Gentoo](https://git.dirae.org/caem/dotfiles).
This is the NixOS configuration I daily drive on my desktop. Feel free to use
and modify this configuration to your needs. No attribution required. I hold no
accountabilty for whatever you do with this configuration.
## Layout
```
/nix/config
├── flake.lock
├── flake.nix ; Master configuration file
├── overlays ; Package overlays
├── packages ; Packages with configurations
│   ├── nginx
│   │   └── homeserver.nix
│   ├── syncthing
│   │   └── homeserver.nix
│   └── vim
│   └── package.nix
├── pw ; Password of your user
├── sets ; Sets of packages
│   └── meta
│   └── sysadmin.nix
├── systems ; System specific configuration
│   ├── common.nix
│   ├── hardware ; Hardware configuration of each system
│   │   ├── homeserver.nix
│   │   └── qemu-vm.nix
│   ├── homeserver.nix
│   ├── persist ; Persistence configuration of each system
│   │   ├── common.nix
│   │   ├── homeserver.nix
│   │   └── qemu-vm.nix
│   └── qemu-vm.nix
└── users ; User specific configuration
├── media.nix
├── none.nix
└── user.nix
```
todo
## Screenshot
todo

200
flake.lock
View file

@ -1,44 +1,12 @@
{
"nodes": {
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1694622745,
"narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=",
"lastModified": 1708968331,
"narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e",
"rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
"type": "github"
},
"original": {
@ -47,178 +15,24 @@
"type": "github"
}
},
"nixops": {
"inputs": {
"nixpkgs": "nixpkgs",
"utils": "utils"
},
"locked": {
"lastModified": 1677688500,
"narHash": "sha256-yF2tS9Zo8JCIdPjhy19grmJk8wUFMxMu9cPlgfMJuTg=",
"owner": "NixOS",
"repo": "nixops",
"rev": "fc9b55c55da62f949028143b974f67fdc7f40c8b",
"type": "github"
},
"original": {
"id": "nixops",
"type": "indirect"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1672525397,
"narHash": "sha256-WASDnyxHKWVrEe0dIzkpH+jzKlCKAk0husv0f/9pyxg=",
"lastModified": 1712026416,
"narHash": "sha256-N/3VR/9e1NlN49p7kCiATiEY6Tzdo+CbrAG8kqCQKcI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8ba56d7c0d7490680f2d51ba46a141eca7c46afa",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-22_11": {
"locked": {
"lastModified": 1669558522,
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
"rev": "080a4a27f206d07724b88da096e27ef63401a504",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-22.11",
"type": "indirect"
}
},
"nixpkgs-23_05": {
"locked": {
"lastModified": 1684782344,
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1694959747,
"narHash": "sha256-CXQ2MuledDVlVM5dLC4pB41cFlBWxRw4tCBsFrq3cRk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "970a59bd19eff3752ce552935687100c46e820a5",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1694937365,
"narHash": "sha256-iHZSGrb9gVpZRR4B2ishUN/1LRKWtSHZNO37C8z1SmA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5d017a8822e0907fb96f7700a319f9fe2434de02",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1670751203,
"narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"root": {
"inputs": {
"impermanence": "impermanence",
"nixops": "nixops",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"simple-mailserver": "simple-mailserver"
}
},
"simple-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_3",
"nixpkgs-22_11": "nixpkgs-22_11",
"nixpkgs-23_05": "nixpkgs-23_05",
"utils": "utils_2"
},
"locked": {
"lastModified": 1687462267,
"narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "24128c3052090311688b09a400aa408ba61c6ee5",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-23.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"utils_2": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
"nixpkgs": "nixpkgs"
}
}
},

65
flake.nix
View file

@ -1,58 +1,19 @@
{
description = "Modular multi-purpose NixOS configuration.";
description = "Modular NixOS configuration.";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
inputs = {
impermanence.url = "github:nix-community/impermanence";
};
# https://nixos.wiki/wiki/Impermanence
impermanence.url = "github:nix-community/impermanence";
simple-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
};
outputs = { self, nixpkgs, nixpkgs-unstable, nixops, ... }@attrs: let
outputs = { self, nixpkgs, impermanence, ... }:
{
nixosConfigurations.workstation = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
overlay-unstable = final: prev: {
unstable = import nixpkgs-unstable {
inherit system;
config.allowUnfree = true;
};
};
user = "user"; # Select user from the `./users` directory
in {
# Media homeserver
nixosConfigurations.homeserver = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = attrs;
modules = [
({ config, pkgs, ...}: { nixpkgs.overlays = [ overlay-unstable ]; })
./users/${user}.nix
./systems/homeserver.nix
];
};
# dirae.org
nixosConfigurations.dirae = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = attrs;
modules = [
({ config, pkgs, ...}: { nixpkgs.overlays = [ overlay-unstable ]; })
./users/${user}.nix
./systems/dirae.nix
];
};
# Debugging VM configuration
nixosConfigurations.qemu-vm = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = attrs;
modules = [
({ config, pkgs, ...}: { nixpkgs.overlays = [ overlay-unstable ]; })
./users/${user}.nix
./systems/qemu-vm.nix
];
};
modules = [
impermanence.nixosModules.impermanence
./machines/workstation.nix
./users/hu.nix
];
};
};
}

91
machines/hardware/workstation.nix Normal file
View file

@ -0,0 +1,91 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount /dev/nvme0n1p2 /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
'';
fileSystems."/" =
{ device = "/dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532";
fsType = "btrfs";
options = [ "subvol=root" "compress=zstd" "noatime" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532";
fsType = "btrfs";
options = [ "subvol=home" "compress=zstd" "noatime" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532";
fsType = "btrfs";
options = [ "subvol=nix" "compress=zstd" "noatime" ];
};
fileSystems."/var/log" =
{ device = "/dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532";
fsType = "btrfs";
options = [ "subvol=log" "compress=zstd" "noatime" ];
neededForBoot = true;
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A925-0013";
fsType = "vfat";
};
fileSystems."/media/vault" =
{ device = "/dev/disk/by-uuid/048d175b-0e3e-4ec7-955b-3d9a45f9f237";
fsType = "xfs";
};
fileSystems."/media/attic" =
{ device = "/dev/disk/by-uuid/ec32ce36-9f53-4f44-ac8f-2c9163f0b3d7";
fsType = "xfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp34s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

20
machines/persist/workstation.nix Normal file
View file

@ -0,0 +1,20 @@
{ config, lib, pkgs, impermanence, ... }:
{
environment.persistence."/nix/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos"
"/var/lib/systemd/coredump"
{
directory = "/var/lib/colord";
user = "colord";
group = "colord";
mode = "u=rwx,g=rx,o=";
}
];
files = [
"/etc/machine-id"
];
};
}

81
machines/workstation.nix Normal file
View file

@ -0,0 +1,81 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware/workstation.nix
./persist/workstation.nix
../wm/xmonad.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.supportedFilesystems = [ "btrfs" "xfs" ];
networking = {
hostName = "workstation";
enableIPv6 = false;
nameservers = [ "1.1.1.1" ];
defaultGateway = "192.168.2.1";
interfaces.enp34s0.ipv4.addresses = [{
address = "192.168.2.68";
prefixLength = 24;
}];
};
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
useXkbConfig = true;
};
nixpkgs.config.allowUnfree = true;
services.xserver.videoDrivers = [ "nvidia" ];
hardware = {
opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
nvidia = {
modesetting.enable = true;
nvidiaSettings = true;
open = false;
package = config.boot.kernelPackages.nvidiaPackages.production;
};
};
programs.mtr.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa = {
enable = true;
support32Bit = true;
};
pulse.enable = true;
jack.enable = true;
};
# Todo: Move these packages out in the correct files.
environment.systemPackages = with pkgs; [
fastfetch
neovim
firefox
rofi
wget
unzip
git
tree
];
system.stateVersion = "23.11";
}

28
packages/akkoma/package.nix
View file

@ -1,28 +0,0 @@
{ pkgs, ... }:
{
services.akkoma = {
enable = true;
config = {
":pleroma" = {
":instance" = {
name = "Dirae";
description = "This server uses NixOS btw";
email = "caem@dirae.org";
registration_open = false;
};
"Pleroma.Upload".filters = map (pkgs.formats.elixirConf { }).lib.mkRaw [
"Pleroma.Upload.Filter.Exiftool"
"Pleroma.Upload.Filter.Dedupe"
"Pleroma.Upload.Filter.AnonymizeFilename"
];
};
"Pleroma.Web.Endpoint" = {
url.host = "social.dirae.org";
};
};
};
}

27
packages/deluge/homeserver.nix
View file

@ -1,27 +0,0 @@
{ ... }:
{
services.deluge = {
enable = true;
user = "media";
declarative = true;
dataDir = "/mnt/mass/Services/Deluge";
authFile = "/mnt/mass/Services/Deluge/auth";
config = {
download_location = "/mnt/mass/Torrents/incomplete";
move_completed_path = "/mnt/mass/Torrents";
move_completed = true;
listen_random_port = false;
outgoing_interface = "wg0";
listen_interface = "wg0";
allow_remote = true;
listen_ports = [ 57597 ];
max_active_seeding = -1;
max_active_downloading = 5;
max_active_limit = -1;
};
};
networking.firewall.allowedTCPPorts = [ 57597 58846 ];
}

72
packages/forgejo/dirae.nix
View file

@ -1,72 +0,0 @@
{ pkgs, config, lib, ... }: let
# theme = builtins.fetchurl {
# url = "";
# sha256 = "";
# };
in
{
# systemd.services.gitea.preStart = lib.mkAfter ''
# mkdir -p ${config.services.gitea.stateDir}/custom/public/css
# cp -f ${theme} ${config.services.gitea.stateDir}/custom/public/css/
# '';
services.gitea = {
enable = true;
package = pkgs.forgejo;
appName = "git.dirae.org";
settings = {
service = {
DISABLE_REGISTRATION = true;
};
server = {
DOMAIN = "git.dirae.org";
ROOT_URL = "https://git.dirae.org";
HTTP_PORT = 3001;
};
"ui" = {
THEMES = ''
forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green
'';
DEFAULT_THEME = "forgejo-dark";
};
"ui.user" = {
REPO_PAGING_NUM = 50;
};
"ui.meta" = {
AUTHOR = "dirae.org Forgejo instance";
DESCRIPTION = "Forgejo instance hosting git repositories for dirae.org";
KEYWORDS = "go,git,self-hosted,gitea,forgejo,foss,oss,decentrialised,federation";
};
"repository" = {
DEFAULT_BRANCH = "master";
DISABLE_STARS = true;
ENABLE_PUSH_CREATE_USER = true;
DEFAULT_REPO_UNITS = ''
repo.code,repo.releases,repo.issues,repo.pulls
'';
PREFERRED_LICENSES="GPL-3.0-or-later,AGPL-3.0-or-later";
};
};
database = {
type = "postgres";
passwordFile = "/var/keys/gitea/db";
};
};
services.postgresql = {
enable = true;
authentication = ''
local gitea all ident map=gitea-users
'';
identMap = ''
gitea-users gitea gitea
'';
};
}

26
packages/gitlab/package.nix
View file

@ -1,26 +0,0 @@
{ ... }:
{
services.gitlab = {
enable = true;
host = "gitlab.dirae.org";
# Server is running on limited budet :,)
# https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html
puma.workers = 0;
puma.threadsMax = 1;
user = "gitlab";
group = "gitlab";
https = true;
databasePasswordFile = "/var/keys/gitlab/db_password";
initialRootPasswordFile = "/var/keys/gitlab/root_password";
secrets = {
dbFile = "/var/keys/gitlab/db";
secretFile = "/var/keys/gitlab/secret";
otpFile = "/var/keys/gitlab/otp";
jwsFile = "/var/keys/gitlab/jws";
};
};
}

33
packages/mailserver/package.nix
View file

@ -1,33 +0,0 @@
{ simple-mailserver, ... }:
{
imports = [
simple-mailserver.nixosModule
];
mailserver = {
enable = true;
fqdn = "dirae.org";
domains = [ "dirae.org" ];
loginAccounts = {
"caem@dirae.org" = {
hashedPasswordFile = "/nix/config/packages/mailserver/pw";
aliases = [
"admin@dirae.org"
"postmaser@dirae.org"
"legal@dirae.org"
"contact@dirae.org"
"dmca@dirae.org"
"pt@dirae.org"
"cali@dirae.org"
"abuse@dirae.org"
];
};
};
# Managed in configuration for nginx
certificateScheme = "acme";
};
}

61
packages/nginx/dirae.nix
View file

@ -1,61 +0,0 @@
{ ... }:
let
fqdn = "dirae.org";
serverConfig."m.server" = "dirae.org:443";
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
security.acme.acceptTerms = true;
security.acme.defaults.email = "caem@dirae.org";
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"caem.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = "/var/www/caem";
};
};
"dirae.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
root = "/var/www/dirae";
};
locations."/.well-known/matrix/server".extraConfig = ''
return 200 '{"m.server": "dirae.org:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
locations."/_matrix".proxyPass = "http://127.0.0.1:8008";
};
"git.dirae.org" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
};
# "gitlab.dirae.org" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
# };
# };
};
};
}

16
packages/nginx/homeserver.nix
View file

@ -1,16 +0,0 @@
{ ... }:
{
services.nginx = {
enable = true;
user = "media";
virtualHosts."192.168.2.69" = {
root = "/mnt/mass/Torrents";
extraConfig = ''
autoindex on;
'';
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
}

18
packages/sshd/package.nix
View file

@ -1,18 +0,0 @@
{ ... }:
{
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
ChallengeResponseAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
users.users."user".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnopPaLuQT4+5LzqiBM4JfdRamzArszOrfoDy96KpQL9jeZQhT4E7LE63tySza4auJyTkFcnfGEQQaAlCUYTVvWrvB6l2nG7mVZ5Cr0YvQ1U9AY+1OPE5wCSDUk9zaUm3ldWgUWRA/MyGtzm3kQ+ZtYIOqtvF6Ki5vPRYl+QR0cjThw5Sr/99sTqZwgmbPoAkLXnioSI+oOgV6H8M9XCuvwmlm6YKfBrjTQltj93GpSf24Lf9YaFc51Auao78AfOof/EtGWlcBrvfdjaS/scxSmHO9r/AShV/BEVboG+89i+Qia67cATGIwDLB6HZO1dO5qTSImzcQ/QnFW1E0IGZy3LvKd/FT8QCpHjDtPlsxWwIuTgyLD3c9OZTTA8w619QBKic3KEhuRkhuwOqSPgpvgkK8hS91gr8spL+6U4Bdgo8gZH14kj7ZhiNsIur0Chj/X1uCHGXEHhlV4ky2XAxhGSSr9fy06w4uPsIXGnSufm8jbBAhYDrNzaod2Q/73VE= user@workstation"
];
networking.firewall.allowedTCPPorts = [ 22 ];
}

31
packages/synapse/package.nix
View file

@ -1,31 +0,0 @@
{ pkgs, ... }:
{
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.matrix-synapse = {
enable = true;
settings.server_name = "dirae.org";
settings.listeners = [
{
port = 8008;
bind_addresses = [ "127.0.0.1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = true;
}];
}
];
};
}

18
packages/syncthing/homeserver.nix
View file

@ -1,18 +0,0 @@
{ ... }:
{
imports = [
../../users/media.nix
];
services.syncthing = {
enable = true;
user = "media";
dataDir = "/mnt/mass";
configDir = "/mnt/mass/Services/Syncthing";
guiAddress = "0.0.0.0:8384";
};
networking.firewall.allowedTCPPorts = [ 8384 22000 ];
networking.firewall.allowedUDPPorts = [ 22000 21027 ];
}

34
packages/vim/package.nix
View file

@ -1,34 +0,0 @@
{ pkgs, ... }:
{
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
((vim_configurable.override { }).customize{
name = "vim";
vimrcConfig.packages.plugins = with pkgs.vimPlugins; {
start = [ vim-nix ];
opt = [];
};
vimrcConfig.customRC = ''
syntax on
set tabstop=4
set shiftwidth=4 smarttab
set expandtab
set noswapfile
set incsearch
set noerrorbells
set smartindent
set number
set relativenumber
set nobackup
set scrolloff=8
set sidescrolloff=8
set fileencoding='utf-8'
set nohlsearch
'';
})
];
}

30
packages/wireguard/package.nix
View file

@ -1,30 +0,0 @@
{ pkgs, ... }:
{
networking.wg-quick.interfaces = {
wg0 = {
address = [ "10.174.110.32/32" ];
dns = [ "10.128.0.1" ];
mtu = 1320;
privateKeyFile = "/nix/config/packages/wireguard/privkey";
# Route local traffic through local network
preUp = ''
${pkgs.unixtools.route}/bin/route add -net 192.168.2.0 netmask 255.255.255.0 metric 0 dev eno1
'';
postDown = ''
${pkgs.unixtools.route}/bin/route del -net 192.168.2.0 netmask 255.255.255.0 metric 0 dev eno1
'';
peers = [{
publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
presharedKeyFile = "/nix/config/packages/wireguard/privpsk";
allowedIPs = [ "0.0.0.0/0" ];
endpoint = "nl.vpn.airdns.org:1637";
persistentKeepalive = 15;
}];
};
};
networking.firewall.allowedUDPPorts = [ 1637 ];
}

13
sets/meta/sysadmin.nix
View file

@ -1,13 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
htop
wget
curl
git
tree
];
services.openssh.enable = true;
}

20
systems/common.nix
View file

@ -1,20 +0,0 @@
# Common configuration for all systems
{ pkgs, ... }:
{
nix = {
settings.auto-optimise-store = true;
# Clean generations older than a week
gc = {
automatic = false; # Flip this to do it automatically
dates = "weekly";
options = "--delete-older-than 7d";
};
};
nixpkgs.config.allowUnfree = true;
system.stateVersion = "23.05";
}

55
systems/dirae.nix
View file

@ -1,55 +0,0 @@
{ ... }:
{
imports = [
./common.nix
./hardware/dirae.nix
# ./persist/dirae.nix
../sets/meta/sysadmin.nix
../packages/vim/package.nix
../packages/sshd/package.nix
../packages/mailserver/package.nix
../packages/nginx/dirae.nix
../packages/forgejo/dirae.nix
../packages/synapse/package.nix
../packages/akkoma/package.nix
];
boot = {
loader = {
grub = {
enable = true;
device = "/dev/vda";
};
};
kernel = {
sysctl."net.ipv6.conf.eth0.disable_ipv6" = true;
};
};
networking = {
hostName = "dirae";
enableIPv6 = false;
hostId = "149e5b5c";
interfaces = {
enp6s18.ipv4.addresses = [{
address = "91.210.224.148";
prefixLength = 24;
}];
};
nameservers = [ "1.1.1.1" "8.8.8.8" ];
defaultGateway = "91.210.224.1";
firewall = {
enable = true;
};
};
time.timeZone = "Europe/Berlin";
# To not mess up SSH sessions from weird terminals
environment.sessionVariables = {
TERM = "xterm";
};
}

47
systems/hardware/dirae.nix
View file

@ -1,47 +0,0 @@
{ lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "virtio_pci" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.kernelParams = [ "nohibernate" ];
boot.extraModulePackages = [ ];
boot.zfs.devNodes = "/dev/disk/by-path";
# Will enable this later when everything is stable
# boot.initrd.postDeviceCommands = lib.mkAfter ''
# zfs rollback -r local/root@blank
# '';
fileSystems."/" = {
device = "local/root";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/B33B-0EBE";
fsType = "vfat";
};
fileSystems."/nix" = {
device = "local/nix";
fsType = "zfs";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/a2a0b9a3-52c9-4eb6-b03b-bcbbae0547a3"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

49
systems/hardware/homeserver.nix
View file

@ -1,49 +0,0 @@
{ config, lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "ums_realtek" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.postDeviceCommands = lib.mkAfter ''
zfs rollback -r local/root@blank
'';
fileSystems."/" = {
device = "local/root";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/5C0E-1600";
fsType = "vfat";
};
fileSystems."/nix" = {
device = "local/nix";
fsType = "zfs";
};
fileSystems."/mnt/mass" = {
device = "/dev/disk/by-uuid/f04baac4-40a9-4115-b09d-83b252ee69ad";
fsType = "xfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

45
systems/hardware/qemu-vm.nix
View file

@ -1,45 +0,0 @@
{lib, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.initrd.postDeviceCommands = lib.mkAfter ''
zfs rollback -r local/root@blank
'';
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.zfs.devNodes = "/dev/disk/by-path";
fileSystems."/" = {
device = "local/root";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/1FD8-C4B8";
fsType = "vfat";
};
fileSystems."/nix" = {
device = "local/nix";
fsType = "zfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

59
systems/homeserver.nix
View file

@ -1,59 +0,0 @@
{ ... }:
{
imports = [
./common.nix
./hardware/homeserver.nix
./persist/common.nix
../sets/meta/sysadmin.nix
../packages/vim/package.nix
../packages/nginx/homeserver.nix
../packages/syncthing/homeserver.nix
../packages/wireguard/package.nix
../packages/deluge/homeserver.nix
];
boot = {
loader = {
efi = {
canTouchEfiVariables = true;
};
grub = {
enable = true;
efiSupport = true;
device = "nodev";
};
};
kernel = {
sysctl."net.ipv6.conf.eth0.disable_ipv6" = true;
};
};
networking = {
hostName = "homeserver";
enableIPv6 = false;
hostId = "95f846dc";
interfaces = {
eno1.ipv4.addresses = [{
address = "192.168.2.69";
prefixLength = 24;
}];
};
nameservers = [ "1.1.1.1" "8.8.8.8" ];
defaultGateway = "192.168.2.1";
firewall = {
enable = true;
allowedTCPPorts = [ 22 ];
};
};
time.timeZone = "Europe/Berlin";
console.keyMap = "uk";
# To not mess up SSH sessions from weird terminals
environment.sessionVariables = {
TERM = "xterm";
};
}

18
systems/persist/common.nix
View file

@ -1,18 +0,0 @@
{ impermanence, ... }:
{
imports = [
impermanence.nixosModules.impermanence
];
environment.persistence."/nix/persist" = {
directories = [
"/etc/ssh"
"/var/lib"
];
files = [
"/etc/machine-id"
];
};
}

33
systems/persist/dirae.nix
View file

@ -1,33 +0,0 @@
{ impermanence, ... }:
{
imports = [
impermanence.nixosModules.impermanence
];
environment.persistence."/nix/persist" = {
hideMounts = true;
directories = [
"/var/spool"
{ directory = "/var/dkim"; user = "opendkim";
group = "opendkim"; mode = "u=rwx,g=rx,o=rx"; }
{ directory = "/var/sieve"; user = "virtualMail";
group = "virtualMail"; mode = "u=rwx,g=rwx,o="; }
{ directory = "/var/vmail"; user = "virtualMail";
group = "virtualMail"; mode = "u=rwx,g=rws,o="; }
"/etc/dovecot"
"/etc/pki"
"/etc/ssh"
{ directory = "/var/lib/acme"; user = "acme";
group = "acme"; mode = "u=rwx,g=rx,o=rx"; }
{ directory = "/var/lib/opendkim"; user = "opendkim";
group = "opendkim"; mode = "u=rwx,g=,o="; }
"/var/lib/postfix"
"/var/log"
];
files = [
"/etc/machine-id"
];
};
}

18
systems/qemu-vm.nix
View file

@ -1,18 +0,0 @@
{ ... }:
{
imports = [
./hardware/qemu-vm.nix
../sets/meta/sysadmin.nix
../packages/vim/package.nix
./common.nix
./persist/common.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
networking.hostId = "e78229f8";
time.timeZone = "Europe/Berlin";
}

17
users/hu.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, lib, pkgs, ... }:
{
programs.zsh.enable = true;
environment.variables = {
ZDOTDIR = "${config.users.users.hu.home}/.config/zsh";
};
users.users.hu = {
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.zsh;
hashedPasswordFile = "/nix/config/secrets/hu/pass";
};
# Todo: home-manager configuration
}

8
users/media.nix
View file

@ -1,8 +0,0 @@
{ ... }:
{
users.users.media = {
isNormalUser = true;
description = "media";
};
}

1
users/none.nix
View file

@ -1 +0,0 @@
{ }

20
users/user.nix
View file

@ -1,20 +0,0 @@
{ ... }:
{
users.users.user = {
isNormalUser = true;
passwordFile = "/nix/config/pw"; # mkpasswd in config dir
description = "user";
extraGroups = [
"wheel"
"audio"
"video"
"docker"
"podman"
"networkmanager"
"kvm"
"libvirt"
"plugdev"
];
};
}

29
wm/xmonad.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
xmobar
flameshot
rofi
feh
kitty
pavucontrol
picom
];
services.xserver = {
enable = true;
xkb = {
layout = "de";
options = "eurosign:e";
};
windowManager.xmonad = {
enable = true;
enableContribAndExtras = true;
};
};
# Todo: Get gnome-keyring working properly
services.gnome.gnome-keyring.enable = true;
}