diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml deleted file mode 100644 index 36398b5..0000000 --- a/.github/workflows/main.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: "Update flake.lock" - -on: - workflow_dispatch: - schedule: - - cron: "0 8 * * *" - -jobs: - update_lockfile: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - name: Install Nix - uses: DeterminateSystems/nix-installer-action@v1 - - name: Update flake.lock - uses: DeterminateSystems/update-flake-lock@v19 - with: - git-author-name: 'caem' - git-author-email: 'caem@dirae.org' - git-committer-name: 'caem' - git-committer-email: 'caem@dirae.org' - pr-title: "Automated: Update flake.lock" - pr-labels: | - dependencies - automated diff --git a/.gitignore b/.gitignore index cdb74b0..4bd922a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1 @@ -nixos/result -pw -.stfolder -privkey -privpsk +secrets/ diff --git a/README.md b/README.md index ff004ab..a8d0cb0 100644 --- a/README.md +++ b/README.md 
@@ -2,40 +2,12 @@ Modular multi-purpose NixOS configuration. ## About -Feel free to do whatever with this configuration. -This configuration [erases your darlings](https://grahamc.com/blog/erase-your-darlings/) using ZFS snapshots. -Currently only used for my homeserver, [desktop runs on Gentoo](https://git.dirae.org/caem/dotfiles). +This is the NixOS configuration I daily drive on my desktop. Feel free to use +and modify this configuration to your needs. No attribution required. I hold no +accountabilty for whatever you do with this configuration. ## Layout -``` -/nix/config -├── flake.lock -├── flake.nix ; Master configuration file -├── overlays ; Package overlays -├── packages ; Packages with configurations -│   ├── nginx -│   │   └── homeserver.nix -│   ├── syncthing -│   │   └── homeserver.nix -│   └── vim -│   └── package.nix -├── pw ; Password of your user -├── sets ; Sets of packages -│   └── meta -│   └── sysadmin.nix -├── systems ; System specific configuration -│   ├── common.nix -│   ├── hardware ; Hardware configuration of each system -│   │   ├── homeserver.nix -│   │   └── qemu-vm.nix -│   ├── homeserver.nix -│   ├── persist ; Persistence configuration of each system -│   │   ├── common.nix -│   │   ├── homeserver.nix -│   │   └── qemu-vm.nix -│   └── qemu-vm.nix -└── users ; User specific configuration - ├── media.nix - ├── none.nix - └── user.nix -``` +todo + +## Screenshot +todo diff --git a/flake.lock b/flake.lock index 13374ac..57ddecb 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,44 +1,12 @@ { "nodes": { - "blobs": { - "flake": false, - "locked": { - "lastModified": 1604995301, - "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", - "owner": "simple-nixos-mailserver", - "repo": "blobs", - "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", - "type": "gitlab" - }, - "original": { - "owner": "simple-nixos-mailserver", - "repo": "blobs", - "type": "gitlab" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1668681692, - "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "009399224d5e398d03b22badca40a37ac85412a1", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "impermanence": { "locked": { - "lastModified": 1694622745, - "narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=", + "lastModified": 1708968331, + "narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=", "owner": "nix-community", "repo": "impermanence", - "rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e", + "rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30", "type": "github" }, "original": { 
@@ -47,178 +15,24 @@ "type": "github" } }, - "nixops": { - "inputs": { - "nixpkgs": "nixpkgs", - "utils": "utils" - }, - "locked": { - "lastModified": 1677688500, - "narHash": "sha256-yF2tS9Zo8JCIdPjhy19grmJk8wUFMxMu9cPlgfMJuTg=", - "owner": "NixOS", - "repo": "nixops", - "rev": "fc9b55c55da62f949028143b974f67fdc7f40c8b", - "type": "github" - }, - "original": { - "id": "nixops", - "type": "indirect" - } - }, "nixpkgs": { "locked": { - "lastModified": 1672525397, - "narHash": "sha256-WASDnyxHKWVrEe0dIzkpH+jzKlCKAk0husv0f/9pyxg=", + "lastModified": 1712026416, + "narHash": "sha256-N/3VR/9e1NlN49p7kCiATiEY6Tzdo+CbrAG8kqCQKcI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8ba56d7c0d7490680f2d51ba46a141eca7c46afa", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-22_11": { - "locked": { - "lastModified": 1669558522, - "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", + "rev": "080a4a27f206d07724b88da096e27ef63401a504", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-22.11", - "type": "indirect" - } - }, - "nixpkgs-23_05": { - "locked": { - "lastModified": 1684782344, - "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-23.05", - "type": "indirect" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1694959747, - "narHash": "sha256-CXQ2MuledDVlVM5dLC4pB41cFlBWxRw4tCBsFrq3cRk=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "970a59bd19eff3752ce552935687100c46e820a5", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 
1694937365, - "narHash": "sha256-iHZSGrb9gVpZRR4B2ishUN/1LRKWtSHZNO37C8z1SmA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "5d017a8822e0907fb96f7700a319f9fe2434de02", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1670751203, - "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-unstable", "type": "indirect" } }, "root": { "inputs": { "impermanence": "impermanence", - "nixops": "nixops", - "nixpkgs": "nixpkgs_2", - "nixpkgs-unstable": "nixpkgs-unstable", - "simple-mailserver": "simple-mailserver" - } - }, - "simple-mailserver": { - "inputs": { - "blobs": "blobs", - "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs_3", - "nixpkgs-22_11": "nixpkgs-22_11", - "nixpkgs-23_05": "nixpkgs-23_05", - "utils": "utils_2" - }, - "locked": { - "lastModified": 1687462267, - "narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=", - "owner": "simple-nixos-mailserver", - "repo": "nixos-mailserver", - "rev": "24128c3052090311688b09a400aa408ba61c6ee5", - "type": "gitlab" - }, - "original": { - "owner": "simple-nixos-mailserver", - "ref": "nixos-23.05", - "repo": "nixos-mailserver", - "type": "gitlab" - } - }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_2": { - "locked": { - "lastModified": 1605370193, - "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", - "owner": "numtide", - "repo": "flake-utils", - "rev": 
"5021eac20303a61fafe17224c087f5519baed54d", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" + "nixpkgs": "nixpkgs" } } }, diff --git a/flake.nix b/flake.nix index 5d0eb05..1acd55e 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,58 +1,19 @@ { - description = "Modular multi-purpose NixOS configuration."; + description = "Modular NixOS configuration."; - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + inputs = { + impermanence.url = "github:nix-community/impermanence"; + }; - # https://nixos.wiki/wiki/Impermanence - impermanence.url = "github:nix-community/impermanence"; - - simple-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; - }; - - outputs = { self, nixpkgs, nixpkgs-unstable, nixops, ... }@attrs: let + outputs = { self, nixpkgs, impermanence, ... }: + { + nixosConfigurations.workstation = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - overlay-unstable = final: prev: { - unstable = import nixpkgs-unstable { - inherit system; - config.allowUnfree = true; - }; - }; - - user = "user"; # Select user from the `./users` directory - in { - # Media homeserver - nixosConfigurations.homeserver = nixpkgs.lib.nixosSystem { - inherit system; - specialArgs = attrs; - modules = [ - ({ config, pkgs, ...}: { nixpkgs.overlays = [ overlay-unstable ]; }) - ./users/${user}.nix - ./systems/homeserver.nix - ]; - }; - - # dirae.org - nixosConfigurations.dirae = nixpkgs.lib.nixosSystem { - inherit system; - specialArgs = attrs; - modules = [ - ({ config, pkgs, ...}: { nixpkgs.overlays = [ overlay-unstable ]; }) - ./users/${user}.nix - ./systems/dirae.nix - ]; - }; - - # Debugging VM configuration - nixosConfigurations.qemu-vm = nixpkgs.lib.nixosSystem { - inherit system; - specialArgs = attrs; - modules = [ - ({ config, pkgs, ...}: { nixpkgs.overlays = [ overlay-unstable ]; }) - ./users/${user}.nix - ./systems/qemu-vm.nix - ]; - }; + modules = [ + impermanence.nixosModules.impermanence + ./machines/workstation.nix + ./users/hu.nix + ]; + }; }; } diff --git a/machines/hardware/workstation.nix b/machines/hardware/workstation.nix new file mode 100644 index 0000000..94507a1 --- /dev/null 
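Review bot: `outputs = { self, nixpkgs, impermanence, ... }:` consumes `nixpkgs`, but the new `inputs` set declares only `impermanence`, so nixpkgs is resolved through the flake registry as an indirect input (the flake.lock hunk above records it as `"id": "nixpkgs", "type": "indirect"`). An indirect input follows whatever the evaluating machine's registry points at, so the pin is only as stable as flake.lock, and a `nix flake update` on a host with a different registry may move to another branch; declare it explicitly, e.g. `nixpkgs.url = "github:nixos/nixpkgs/<branch>";` (branch placeholder, choose the one matching the `system.stateVersion` in machines/workstation.nix). `self` is bound but unused in the new body and can be dropped from the pattern.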
+++ b/machines/hardware/workstation.nix 
@@ -0,0 +1,91 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + boot.initrd.postDeviceCommands = lib.mkAfter '' + mkdir /btrfs_tmp + mount /dev/nvme0n1p2 /btrfs_tmp + if [[ -e /btrfs_tmp/root ]]; then + mkdir -p /btrfs_tmp/old_roots + timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") + mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp" + fi + + delete_subvolume_recursively() { + IFS=$'\n' + for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do + delete_subvolume_recursively "/btrfs_tmp/$i" + done + btrfs subvolume delete "$1" + } + + for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do + delete_subvolume_recursively "$i" + done + + btrfs subvolume create /btrfs_tmp/root + umount /btrfs_tmp + ''; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532"; + fsType = "btrfs"; + options = [ "subvol=root" "compress=zstd" "noatime" ]; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532"; + fsType = "btrfs"; + options = [ "subvol=home" "compress=zstd" "noatime" ]; + }; + + fileSystems."/nix" = + { device = "/dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532"; + fsType = "btrfs"; + options = [ "subvol=nix" "compress=zstd" "noatime" ]; + }; + + fileSystems."/var/log" = + { device = "/dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532"; + fsType = "btrfs"; + options = [ "subvol=log" "compress=zstd" "noatime" ]; + neededForBoot = true; + }; + + fileSystems."/boot" = + { 
device = "/dev/disk/by-uuid/A925-0013"; + fsType = "vfat"; + }; + + fileSystems."/media/vault" = + { device = "/dev/disk/by-uuid/048d175b-0e3e-4ec7-955b-3d9a45f9f237"; + fsType = "xfs"; + }; + + fileSystems."/media/attic" = + { device = "/dev/disk/by-uuid/ec32ce36-9f53-4f44-ac8f-2c9163f0b3d7"; + fsType = "xfs"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp34s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/machines/persist/workstation.nix b/machines/persist/workstation.nix new file mode 100644 index 0000000..529a2ce --- /dev/null +++ b/machines/persist/workstation.nix @@ -0,0 +1,20 @@ +{ config, lib, pkgs, impermanence, ... }: + +{ + environment.persistence."/nix/persist" = { + hideMounts = true; + directories = [ + "/var/lib/nixos" + "/var/lib/systemd/coredump" + { + directory = "/var/lib/colord"; + user = "colord"; + group = "colord"; + mode = "u=rwx,g=rx,o="; + } + ]; + files = [ + "/etc/machine-id" + ]; + }; +} diff --git a/machines/workstation.nix b/machines/workstation.nix new file mode 100644 index 0000000..41b283a --- /dev/null +++ b/machines/workstation.nix 
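Review bot: The initrd script in `boot.initrd.postDeviceCommands` mounts the pool by kernel device name, `mount /dev/nvme0n1p2 /btrfs_tmp`, while every `fileSystems` entry in the same file addresses that filesystem by UUID. Kernel enumeration order can change when a drive is added or moved, and this script renames and recreates the `root` subvolume on whatever it mounts, so a renamed device would rotate the root of the wrong filesystem; use the stable path the file already has, `mount /dev/disk/by-uuid/8e515c16-703a-43ea-8653-ec0f739ba532 /btrfs_tmp`. The header comment saying the file was generated by nixos-generate-config and must not be modified no longer holds for this hand-written section, so a comment above `boot.initrd.postDeviceCommands` noting that it is custom and must be re-applied after any regeneration would save the next maintainer from losing it. Whether `[[ ]]`, `date --date=` and `find -mtime` are all available in the scripted initrd shell is not visible from the hunk and presumably worth confirming on a test boot.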
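Review bot: `{ config, lib, pkgs, impermanence, ... }:` in machines/persist/workstation.nix declares an `impermanence` argument the module body never uses, and the flake.nix hunk no longer passes `specialArgs`, so the module system has nothing to bind it to. Because the argument is never forced this presumably still evaluates, but it reads as if the module depends on the flake input when the impermanence module is in fact wired in from flake.nix via `impermanence.nixosModules.impermanence`; drop it: `{ config, lib, pkgs, ... }:`.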
@@ -0,0 +1,81 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + ./hardware/workstation.nix + ./persist/workstation.nix + ../wm/xmonad.nix + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.supportedFilesystems = [ "btrfs" "xfs" ]; + + networking = { + hostName = "workstation"; + enableIPv6 = false; + nameservers = [ "1.1.1.1" ]; + defaultGateway = "192.168.2.1"; + interfaces.enp34s0.ipv4.addresses = [{ + address = "192.168.2.68"; + prefixLength = 24; + }]; + }; + + time.timeZone = "Europe/Berlin"; + + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + useXkbConfig = true; + }; + + nixpkgs.config.allowUnfree = true; + services.xserver.videoDrivers = [ "nvidia" ]; + hardware = { + opengl = { + enable = true; + driSupport = true; + driSupport32Bit = true; + }; + nvidia = { + modesetting.enable = true; + nvidiaSettings = true; + open = false; + package = config.boot.kernelPackages.nvidiaPackages.production; + }; + }; + + programs.mtr.enable = true; + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa = { + enable = true; + support32Bit = true; + }; + pulse.enable = true; + jack.enable = true; + }; + + # Todo: Move these packages out in the correct files. + environment.systemPackages = with pkgs; [ + fastfetch + neovim + firefox + rofi + wget + unzip + git + tree + ]; + + system.stateVersion = "23.11"; +} + diff --git a/packages/akkoma/package.nix b/packages/akkoma/package.nix deleted file mode 100644 index c27be5f..0000000 --- a/packages/akkoma/package.nix +++ /dev/null 
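Review bot: The `networking` block assigns enp34s0 a static address and `defaultGateway`, but the imported machines/hardware/workstation.nix sets `networking.useDHCP = lib.mkDefault true;` and nothing here overrides that default, so with scripted networking a DHCP client likely runs on every interface, including enp34s0, alongside the static address. Add `useDHCP = false;` inside the block (a plain assignment overrides the `mkDefault`) so the host has one source of truth for its address and resolver; `nameservers = [ "1.1.1.1" ]` then becomes the only resolver, so a second entry is worth considering. The file ends with a `+` blank line after the closing `}`, which most formatters strip. The `# Todo` above `environment.systemPackages` would read better if it named the intended destination files.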
@@ -1,28 +0,0 @@ -{ pkgs, ... }: - -{ - services.akkoma = { - enable = true; - - config = { - ":pleroma" = { - ":instance" = { - name = "Dirae"; - description = "This server uses NixOS btw"; - email = "caem@dirae.org"; - registration_open = false; - }; - - "Pleroma.Upload".filters = map (pkgs.formats.elixirConf { }).lib.mkRaw [ - "Pleroma.Upload.Filter.Exiftool" - "Pleroma.Upload.Filter.Dedupe" - "Pleroma.Upload.Filter.AnonymizeFilename" - ]; - }; - - "Pleroma.Web.Endpoint" = { - url.host = "social.dirae.org"; - }; - }; - }; -} diff --git a/packages/deluge/homeserver.nix b/packages/deluge/homeserver.nix deleted file mode 100644 index c1d3f95..0000000 --- a/packages/deluge/homeserver.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ ... }: - -{ - services.deluge = { - enable = true; - user = "media"; - declarative = true; - dataDir = "/mnt/mass/Services/Deluge"; - authFile = "/mnt/mass/Services/Deluge/auth"; - - config = { - download_location = "/mnt/mass/Torrents/incomplete"; - move_completed_path = "/mnt/mass/Torrents"; - move_completed = true; - listen_random_port = false; - outgoing_interface = "wg0"; - listen_interface = "wg0"; - allow_remote = true; - listen_ports = [ 57597 ]; - max_active_seeding = -1; - max_active_downloading = 5; - max_active_limit = -1; - }; - }; - - networking.firewall.allowedTCPPorts = [ 57597 58846 ]; -} diff --git a/packages/forgejo/dirae.nix b/packages/forgejo/dirae.nix deleted file mode 100644 index 804f422..0000000 --- a/packages/forgejo/dirae.nix +++ /dev/null 
@@ -1,72 +0,0 @@ -{ pkgs, config, lib, ... }: let - # theme = builtins.fetchurl { - # url = ""; - # sha256 = ""; - # }; -in -{ - # systemd.services.gitea.preStart = lib.mkAfter '' - # mkdir -p ${config.services.gitea.stateDir}/custom/public/css - # cp -f ${theme} ${config.services.gitea.stateDir}/custom/public/css/ - # ''; - - services.gitea = { - enable = true; - package = pkgs.forgejo; - - appName = "git.dirae.org"; - settings = { - service = { - DISABLE_REGISTRATION = true; - }; - - server = { - DOMAIN = "git.dirae.org"; - ROOT_URL = "https://git.dirae.org"; - HTTP_PORT = 3001; - }; - - "ui" = { - THEMES = '' - forgejo-auto,forgejo-light,forgejo-dark,auto,gitea,arc-green - ''; - DEFAULT_THEME = "forgejo-dark"; - }; - - "ui.user" = { - REPO_PAGING_NUM = 50; - }; - - "ui.meta" = { - AUTHOR = "dirae.org Forgejo instance"; - DESCRIPTION = "Forgejo instance hosting git repositories for dirae.org"; - KEYWORDS = "go,git,self-hosted,gitea,forgejo,foss,oss,decentrialised,federation"; - }; - - "repository" = { - DEFAULT_BRANCH = "master"; - DISABLE_STARS = true; - ENABLE_PUSH_CREATE_USER = true; - DEFAULT_REPO_UNITS = '' - repo.code,repo.releases,repo.issues,repo.pulls - ''; - PREFERRED_LICENSES="GPL-3.0-or-later,AGPL-3.0-or-later"; - }; - }; - - database = { - type = "postgres"; - passwordFile = "/var/keys/gitea/db"; - }; - }; - - services.postgresql = { - enable = true; - authentication = '' - local gitea all ident map=gitea-users - ''; - identMap = '' - gitea-users gitea gitea - ''; - }; -} diff --git a/packages/gitlab/package.nix b/packages/gitlab/package.nix deleted file mode 100644 index 9b19471..0000000 --- a/packages/gitlab/package.nix +++ /dev/null 
@@ -1,26 +0,0 @@ -{ ... }: - -{ - services.gitlab = { - enable = true; - host = "gitlab.dirae.org"; - - # Server is running on limited budet :,) - # https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html - puma.workers = 0; - puma.threadsMax = 1; - - user = "gitlab"; - group = "gitlab"; - - https = true; - databasePasswordFile = "/var/keys/gitlab/db_password"; - initialRootPasswordFile = "/var/keys/gitlab/root_password"; - secrets = { - dbFile = "/var/keys/gitlab/db"; - secretFile = "/var/keys/gitlab/secret"; - otpFile = "/var/keys/gitlab/otp"; - jwsFile = "/var/keys/gitlab/jws"; - }; - }; -} diff --git a/packages/mailserver/package.nix b/packages/mailserver/package.nix deleted file mode 100644 index 327d609..0000000 --- a/packages/mailserver/package.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ simple-mailserver, ... }: - -{ - imports = [ - simple-mailserver.nixosModule - ]; - - mailserver = { - enable = true; - fqdn = "dirae.org"; - domains = [ "dirae.org" ]; - - loginAccounts = { - "caem@dirae.org" = { - hashedPasswordFile = "/nix/config/packages/mailserver/pw"; - - aliases = [ - "admin@dirae.org" - "postmaser@dirae.org" - "legal@dirae.org" - "contact@dirae.org" - "dmca@dirae.org" - "pt@dirae.org" - "cali@dirae.org" - "abuse@dirae.org" - ]; - }; - }; - - # Managed in configuration for nginx - certificateScheme = "acme"; - }; -} diff --git a/packages/nginx/dirae.nix b/packages/nginx/dirae.nix deleted file mode 100644 index 1938401..0000000 --- a/packages/nginx/dirae.nix +++ /dev/null 
@@ -1,61 +0,0 @@ -{ ... }: -let - fqdn = "dirae.org"; - serverConfig."m.server" = "dirae.org:443"; - mkWellKnown = data: '' - add_header Content-Type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON data}'; - ''; -in { - security.acme.acceptTerms = true; - security.acme.defaults.email = "caem@dirae.org"; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - virtualHosts = { - "caem.dev" = { - enableACME = true; - forceSSL = true; - locations."/" = { - root = "/var/www/caem"; - }; - }; - - "dirae.org" = { - enableACME = true; - forceSSL = true; - locations."/" = { - root = "/var/www/dirae"; - }; - locations."/.well-known/matrix/server".extraConfig = '' - return 200 '{"m.server": "dirae.org:443"}'; - default_type application/json; - add_header Access-Control-Allow-Origin *; - ''; - locations."/_matrix".proxyPass = "http://127.0.0.1:8008"; - - }; - - "git.dirae.org" = { - enableACME = true; - forceSSL = true; - locations."/".proxyPass = "http://127.0.0.1:3001"; - }; - - # "gitlab.dirae.org" = { - # enableACME = true; - # forceSSL = true; - # locations."/" = { - # proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; - # }; - # }; - }; - }; -} diff --git a/packages/nginx/homeserver.nix b/packages/nginx/homeserver.nix deleted file mode 100644 index 56b91b0..0000000 --- a/packages/nginx/homeserver.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ ... }: - -{ - services.nginx = { - enable = true; - user = "media"; - virtualHosts."192.168.2.69" = { - root = "/mnt/mass/Torrents"; - extraConfig = '' - autoindex on; - ''; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 ]; -} diff --git a/packages/sshd/package.nix b/packages/sshd/package.nix deleted file mode 100644 index 1ca4024..0000000 --- a/packages/sshd/package.nix +++ /dev/null 
@@ -1,18 +0,0 @@ -{ ... }: - -{ - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - ChallengeResponseAuthentication = false; - KbdInteractiveAuthentication = false; - }; - }; - - users.users."user".openssh.authorizedKeys.keys = [ - "ssh-rsa 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 user@workstation" - ]; - - networking.firewall.allowedTCPPorts = [ 22 ]; -} diff --git a/packages/synapse/package.nix b/packages/synapse/package.nix deleted file mode 100644 index 73ad666..0000000 --- a/packages/synapse/package.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ pkgs, ... }: - -{ - services.postgresql.enable = true; - services.postgresql.initialScript = pkgs.writeText "synapse-init" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; - - services.matrix-synapse = { - enable = true; - settings.server_name = "dirae.org"; - - settings.listeners = [ - { - port = 8008; - bind_addresses = [ "127.0.0.1" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [{ - names = [ "client" "federation" ]; - compress = true; - }]; - } - ]; - }; -} diff --git a/packages/syncthing/homeserver.nix b/packages/syncthing/homeserver.nix deleted file mode 100644 index cddef3b..0000000 --- a/packages/syncthing/homeserver.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ ... }: - -{ - imports = [ - ../../users/media.nix - ]; - - services.syncthing = { - enable = true; - user = "media"; - dataDir = "/mnt/mass"; - configDir = "/mnt/mass/Services/Syncthing"; - guiAddress = "0.0.0.0:8384"; - }; - - networking.firewall.allowedTCPPorts = [ 8384 22000 ]; - networking.firewall.allowedUDPPorts = [ 22000 21027 ]; -} diff --git a/packages/vim/package.nix b/packages/vim/package.nix deleted file mode 100644 index 6736793..0000000 --- a/packages/vim/package.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ pkgs, ... }: - -{ - environment.variables = { EDITOR = "vim"; }; - - environment.systemPackages = with pkgs; [ - ((vim_configurable.override { }).customize{ - name = "vim"; - - vimrcConfig.packages.plugins = with pkgs.vimPlugins; { - start = [ vim-nix ]; - opt = []; - }; - - vimrcConfig.customRC = '' - syntax on - set tabstop=4 - set shiftwidth=4 smarttab - set expandtab - set noswapfile - set incsearch - set noerrorbells - set smartindent - set number - set relativenumber - set nobackup - set scrolloff=8 - set sidescrolloff=8 - set fileencoding='utf-8' - set nohlsearch - ''; - }) - ]; -} diff --git a/packages/wireguard/package.nix b/packages/wireguard/package.nix deleted file mode 100644 index 0845c90..0000000 --- a/packages/wireguard/package.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ pkgs, ... }: - -{ - networking.wg-quick.interfaces = { - wg0 = { - address = [ "10.174.110.32/32" ]; - dns = [ "10.128.0.1" ]; - mtu = 1320; - privateKeyFile = "/nix/config/packages/wireguard/privkey"; - - # Route local traffic through local network - preUp = '' - ${pkgs.unixtools.route}/bin/route add -net 192.168.2.0 netmask 255.255.255.0 metric 0 dev eno1 - ''; - postDown = '' - ${pkgs.unixtools.route}/bin/route del -net 192.168.2.0 netmask 255.255.255.0 metric 0 dev eno1 - ''; - - peers = [{ - publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk="; - presharedKeyFile = "/nix/config/packages/wireguard/privpsk"; - allowedIPs = [ "0.0.0.0/0" ]; - endpoint = "nl.vpn.airdns.org:1637"; - persistentKeepalive = 15; - }]; - }; - }; - - networking.firewall.allowedUDPPorts = [ 1637 ]; -} diff --git a/sets/meta/sysadmin.nix b/sets/meta/sysadmin.nix deleted file mode 100644 index ac5c14c..0000000 --- a/sets/meta/sysadmin.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - htop - wget - curl - git - tree - ]; - - services.openssh.enable = true; -} 
diff --git a/systems/common.nix b/systems/common.nix deleted file mode 100644 index e59b0ee..0000000 --- a/systems/common.nix +++ /dev/null @@ -1,20 +0,0 @@ -# Common configuration for all systems - -{ pkgs, ... }: - -{ - nix = { - settings.auto-optimise-store = true; - - # Clean generations older than a week - gc = { - automatic = false; # Flip this to do it automatically - dates = "weekly"; - options = "--delete-older-than 7d"; - }; - }; - - nixpkgs.config.allowUnfree = true; - - system.stateVersion = "23.05"; -} diff --git a/systems/dirae.nix b/systems/dirae.nix deleted file mode 100644 index cb82f97..0000000 --- a/systems/dirae.nix +++ /dev/null @@ -1,55 +0,0 @@ -{ ... }: - -{ - imports = [ - ./common.nix - ./hardware/dirae.nix -# ./persist/dirae.nix - ../sets/meta/sysadmin.nix - ../packages/vim/package.nix - ../packages/sshd/package.nix - ../packages/mailserver/package.nix - ../packages/nginx/dirae.nix - ../packages/forgejo/dirae.nix - ../packages/synapse/package.nix - ../packages/akkoma/package.nix - ]; - - boot = { - loader = { - grub = { - enable = true; - device = "/dev/vda"; - }; - }; - - kernel = { - sysctl."net.ipv6.conf.eth0.disable_ipv6" = true; - }; - }; - - networking = { - hostName = "dirae"; - enableIPv6 = false; - hostId = "149e5b5c"; - interfaces = { - enp6s18.ipv4.addresses = [{ - address = "91.210.224.148"; - prefixLength = 24; - }]; - }; - nameservers = [ "1.1.1.1" "8.8.8.8" ]; - defaultGateway = "91.210.224.1"; - firewall = { - enable = true; - }; - }; - - time.timeZone = "Europe/Berlin"; - - # To not mess up SSH sessions from weird terminals - environment.sessionVariables = { - TERM = "xterm"; - }; -} - diff --git a/systems/hardware/dirae.nix b/systems/hardware/dirae.nix deleted file mode 100644 index 241b90c..0000000 --- a/systems/hardware/dirae.nix +++ /dev/null 
@@ -1,47 +0,0 @@ -{ lib, modulesPath, ... }: - -{ - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "virtio_pci" "virtio_blk" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.kernelParams = [ "nohibernate" ]; - boot.extraModulePackages = [ ]; - boot.zfs.devNodes = "/dev/disk/by-path"; - - # Will enable this later when everything is stable -# boot.initrd.postDeviceCommands = lib.mkAfter '' -# zfs rollback -r local/root@blank -# ''; - - fileSystems."/" = { - device = "local/root"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/B33B-0EBE"; - fsType = "vfat"; - }; - - fileSystems."/nix" = { - device = "local/nix"; - fsType = "zfs"; - }; - - swapDevices = [ - { device = "/dev/disk/by-uuid/a2a0b9a3-52c9-4eb6-b03b-bcbbae0547a3"; } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens18.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/systems/hardware/homeserver.nix b/systems/hardware/homeserver.nix deleted file mode 100644 index 6083dac..0000000 --- a/systems/hardware/homeserver.nix +++ /dev/null 
@@ -1,49 +0,0 @@ -{ config, lib, modulesPath, ... }: - -{ - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "ums_realtek" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - boot.initrd.postDeviceCommands = lib.mkAfter '' - zfs rollback -r local/root@blank - ''; - - fileSystems."/" = { - device = "local/root"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/5C0E-1600"; - fsType = "vfat"; - }; - - fileSystems."/nix" = { - device = "local/nix"; - fsType = "zfs"; - }; - - fileSystems."/mnt/mass" = { - device = "/dev/disk/by-uuid/f04baac4-40a9-4115-b09d-83b252ee69ad"; - fsType = "xfs"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eno1.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/systems/hardware/qemu-vm.nix b/systems/hardware/qemu-vm.nix deleted file mode 100644 index a1ec463..0000000 --- a/systems/hardware/qemu-vm.nix +++ /dev/null 
@@ -1,45 +0,0 @@ -{lib, modulesPath, ... }: - -{ - imports = [ - (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; - boot.initrd.kernelModules = [ ]; - - boot.initrd.postDeviceCommands = lib.mkAfter '' - zfs rollback -r local/root@blank - ''; - - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - boot.zfs.devNodes = "/dev/disk/by-path"; - - fileSystems."/" = { - device = "local/root"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/1FD8-C4B8"; - fsType = "vfat"; - }; - - fileSystems."/nix" = { - device = "local/nix"; - fsType = "zfs"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/systems/homeserver.nix b/systems/homeserver.nix deleted file mode 100644 index 527c553..0000000 --- a/systems/homeserver.nix +++ /dev/null 
@@ -1,59 +0,0 @@
-{ ... }:
-
-{
- imports = [
- ./common.nix
- ./hardware/homeserver.nix
- ./persist/common.nix
- ../sets/meta/sysadmin.nix
- ../packages/vim/package.nix
- ../packages/nginx/homeserver.nix
- ../packages/syncthing/homeserver.nix
- ../packages/wireguard/package.nix
- ../packages/deluge/homeserver.nix
- ];
-
- boot = {
- loader = {
- efi = {
- canTouchEfiVariables = true;
- };
- grub = {
- enable = true;
- efiSupport = true;
- device = "nodev";
- };
- };
-
- kernel = {
- sysctl."net.ipv6.conf.eth0.disable_ipv6" = true;
- };
- };
-
- networking = {
- hostName = "homeserver";
- enableIPv6 = false;
- hostId = "95f846dc";
- interfaces = {
- eno1.ipv4.addresses = [{
- address = "192.168.2.69";
- prefixLength = 24;
- }];
- };
- nameservers = [ "1.1.1.1" "8.8.8.8" ];
- defaultGateway = "192.168.2.1";
- firewall = {
- enable = true;
- allowedTCPPorts = [ 22 ];
- };
- };
-
- time.timeZone = "Europe/Berlin";
-
- console.keyMap = "uk";
-
- # To not mess up SSH sessions from weird terminals
- environment.sessionVariables = {
- TERM = "xterm";
- };
-}
diff --git a/systems/persist/common.nix b/systems/persist/common.nix
deleted file mode 100644
index 25700c4..0000000
--- a/systems/persist/common.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ impermanence, ... }:
-
-{
- imports = [
- impermanence.nixosModules.impermanence
- ];
-
- environment.persistence."/nix/persist" = {
- directories = [
- "/etc/ssh"
- "/var/lib"
- ];
-
- files = [
- "/etc/machine-id"
- ];
- };
-}
diff --git a/systems/persist/dirae.nix b/systems/persist/dirae.nix
deleted file mode 100644
index 87316ea..0000000
--- a/systems/persist/dirae.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ impermanence, ... }:
-
-{
- imports = [
- impermanence.nixosModules.impermanence
- ];
-
- environment.persistence."/nix/persist" = {
- hideMounts = true;
- directories = [
- "/var/spool"
- { directory = "/var/dkim"; user = "opendkim";
- group = "opendkim"; mode = "u=rwx,g=rx,o=rx"; }
- { directory = "/var/sieve"; user = "virtualMail";
- group = "virtualMail"; mode = "u=rwx,g=rwx,o="; }
- { directory = "/var/vmail"; user = "virtualMail";
- group = "virtualMail"; mode = "u=rwx,g=rws,o="; }
- "/etc/dovecot"
- "/etc/pki"
- "/etc/ssh"
- { directory = "/var/lib/acme"; user = "acme";
- group = "acme"; mode = "u=rwx,g=rx,o=rx"; }
- { directory = "/var/lib/opendkim"; user = "opendkim";
- group = "opendkim"; mode = "u=rwx,g=,o="; }
- "/var/lib/postfix"
- "/var/log"
- ];
-
- files = [
- "/etc/machine-id"
- ];
- };
-}
diff --git a/systems/qemu-vm.nix b/systems/qemu-vm.nix
deleted file mode 100644
index ffb8a4b..0000000
--- a/systems/qemu-vm.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ ... }:
-
-{
- imports = [
- ./hardware/qemu-vm.nix
- ../sets/meta/sysadmin.nix
- ../packages/vim/package.nix
- ./common.nix
- ./persist/common.nix
- ];
-
- boot.loader.grub.enable = true;
- boot.loader.grub.device = "/dev/vda";
-
- networking.hostId = "e78229f8";
-
- time.timeZone = "Europe/Berlin";
-}
diff --git a/users/hu.nix b/users/hu.nix
new file mode 100644
index 0000000..505fc26
--- /dev/null
+++ b/users/hu.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+{
+ programs.zsh.enable = true;
+ environment.variables = {
+ ZDOTDIR = "${config.users.users.hu.home}/.config/zsh";
+ };
+
+ users.users.hu = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ shell = pkgs.zsh;
+ hashedPasswordFile = "/nix/config/secrets/hu/pass";
+ };
+
+ # Todo: home-manager configuration
+}
diff --git a/users/media.nix b/users/media.nix
deleted file mode 100644
index 96c0a5b..0000000
--- a/users/media.nix
+++ /dev/null
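Review bot: The `ZDOTDIR` entry in `environment.variables` of users/hu.nix is a system-wide setting, so every account that starts zsh — root included — will read its startup files from `hu`'s home directory, i.e. from files writable by an unprivileged user. Since the file already carries a home-manager Todo, home-manager's per-user `programs.zsh.dotDir` (or otherwise scoping the variable to the `hu` session) keeps this to the one account it is meant for; failing that, a comment should record that the global scope is intentional. The `hashedPasswordFile` line should also carry the provenance note the removed users/user.nix had, e.g. `# sha-512 hash from mkpasswd; lives outside the Nix store, keep it root-owned and mode 0600`, because nothing in the configuration manages that file's existence or permissions. `lib` in the argument set is unused here, and `config` and `lib` are both unused in wm/xmonad.nix; narrowing the sets to what each module actually reads makes the inputs explicit.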
@@ -1,8 +0,0 @@
-{ ... }:
-
-{
- users.users.media = {
- isNormalUser = true;
- description = "media";
- };
-}
diff --git a/users/none.nix b/users/none.nix
deleted file mode 100644
index a1677ed..0000000
--- a/users/none.nix
+++ /dev/null
@@ -1 +0,0 @@
-{ }
diff --git a/users/user.nix b/users/user.nix
deleted file mode 100644
index 3b1137e..0000000
--- a/users/user.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ ... }:
-
-{
- users.users.user = {
- isNormalUser = true;
- passwordFile = "/nix/config/pw"; # mkpasswd in config dir
- description = "user";
- extraGroups = [
- "wheel"
- "audio"
- "video"
- "docker"
- "podman"
- "networkmanager"
- "kvm"
- "libvirt"
- "plugdev"
- ];
- };
-}
diff --git a/wm/xmonad.nix b/wm/xmonad.nix
new file mode 100644
index 0000000..a37d27e
--- /dev/null
+++ b/wm/xmonad.nix
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ xmobar
+ flameshot
+ rofi
+ feh
+ kitty
+ pavucontrol
+ picom
+ ];
+
+ services.xserver = {
+ enable = true;
+ xkb = {
+ layout = "de";
+ options = "eurosign:e";
+ };
+
+ windowManager.xmonad = {
+ enable = true;
+ enableContribAndExtras = true;
+ };
+ };
+
+ # Todo: Get gnome-keyring working properly
+ services.gnome.gnome-keyring.enable = true;
+}
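Review bot: Listing `picom` in `environment.systemPackages` of wm/xmonad.nix only installs the binary; nothing in this file starts it, so if a compositor is expected to run with the session, `services.picom.enable = true;` is the usual way to declare that, and a comment should say so if it is meant to be launched from the xmonad config instead (the same question applies to `xmobar`). The `# Todo: Get gnome-keyring working properly` comment above the keyring line would be more useful if it stated what currently fails, since a future reader cannot tell from the file whether the module is enabled deliberately or as a half-finished experiment.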