palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

..

1 commit
main ... feature/bu

Author SHA1 Message Date
Ingolf Wagner
f64a23810b
🚧 bugwarrior with taskwarrior3 2024-09-22 12:34:45 +09:00
189 changed files with 4109 additions and 2456 deletions
.forgejo/workflows
nix_build.yaml
components
chaospott.nixdefault.nix
gui
audio.nixbrowser.nixdefault.nixkde.nixnoti.nixsteam.nix
xorg
default.nix
mainUser.nix
media
video.nix
monitor
container.nixdefault.nixlogs-promtail.nixmetrics-export-zfs.nixmetrics-netdata.nixmetrics-prometheus.nixmetrics-telegraf.nixopentelemetry.nix
network
hosts.nixnginx.nix
sshd
default.nixknown-hosts-manual.nix
syncthing.nix
tinc
private.nixsecret.nix
wireguard.nix
terminal
default.nixhoard.nixwtf.nix
timezone.nix
virtualisation
docker.nixpodman.nixvirtualbox.nix
features/network
fail2ban.nix
flake.lockflake.nix
homes
common
default.nixeditor.nix
oh-my-posh
default.nixgmay.jsongruvbox.json
packages.nix
starship-rs
default.nixgruvbox-rainbow.toml
terminal.nix
palo
atuin.nixdefault.nixgit.nixi3.nix
packages
development.nixgraphics.nixlogseq.nixmedia.nixnextcloud.nixpackages.nixsocial.nix
stylix.nixtaskwarrior.nix
tina
stylix.nix
images
lib
remote-access.nix
machine-init-configuration.nix
remote-install
README.mdconfig.nixremote-install.nix
translate-setup
README.mdaudio.nixconfig.nixx11.nix
usb-init-configuration.nix
windows-rescue
README.mdconfig.nix
yubikey-image.nix
machines
cherry
configuration.nix
facts
ssh.root.cherry.id_ed25519.pubssh.root.chungus.id_ed25519.pub
ferdium.nix
hardware-configuration
graphics.nix
network-tinc.nixnetwork-tinc_retiolum.nixnetwork-wireguard-wg0.nixssh-cherry.nixssh-chungus.nixsyncthing.nix
chungus
configuration.nix
facts
ssh.paperless-ngx.id_ed25519.pubssh.rbackup.id_ed25519.pubssh.syncoid.id_ed25519.pubsyncoid.ssh.id_ed25519.pub
hass.nixmedia-audiobookshelf.nixmedia-castget.nixmedia-jellyfin.nixmedia-navidrome.nixmedia-syncthing.nixnetwork-tinc-retiolum.nixnetwork-tinc.nixnetwork-wireguard.nixservice-atuin.nix
Show more

4
.forgejo/workflows/nix_build.yaml
View file

@ -48,8 +48,8 @@ jobs:
rm .ssh_key
- name: nix build orbi
run: nix build .#nixosConfigurations.orbi.config.system.build.toplevel
# - name: nix build cream
# run: nix build .#nixosConfigurations.cream.config.system.build.toplevel
- name: nix build cream
run: nix build .#nixosConfigurations.cream.config.system.build.toplevel
- name: nix build cherry
run: nix build .#nixosConfigurations.cherry.config.system.build.toplevel
- name: nix build chungus

2
components/chaospott.nix
View file

@ -13,7 +13,7 @@ with lib;
};
config = mkIf (config.components.chaospott.enable && config.components.gui.audio.enable) {
services.pulseaudio.zeroconf.discovery.enable = true;
hardware.pulseaudio.zeroconf.discovery.enable = true;
environment.systemPackages = with pkgs; [
paprefs
];

1
components/default.nix
View file

@ -5,6 +5,7 @@
./gui
./mainUser.nix
./media
./monitor
./network
./nixos
./terminal

78
components/gui/audio.nix
View file

@ -12,54 +12,46 @@ with lib;
default = config.components.gui.enable;
};
config = mkMerge [
(mkIf (config.components.gui.audio.enable) {
config = mkIf (config.components.gui.audio.enable) {
security.rtkit.enable = true;
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
};
security.rtkit.enable = true;
environment.systemPackages = with pkgs; [
alsa-utils
hardware.pulseaudio.enable = false;
# PulseAudio control
# ------------------
ponymix
pavucontrol
lxqt.pavucontrol-qt
];
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
};
services.pipewire = {
#enable = true;
systemWide = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
environment.systemPackages = with pkgs; [
alsa-utils
alsaUtils
environment.etc = {
"wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
bluez_monitor.properties = {
["bluez5.enable-sbc-xq"] = true,
["bluez5.enable-msbc"] = true,
["bluez5.enable-hw-volume"] = true,
["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
}
'';
};
})
# PulseAudio control
# ------------------
ponymix
pavucontrol
lxqt.pavucontrol-qt
];
{
services.pipewire = {
enable = true;
systemWide = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
# this is always true
# seems other options enable this one
services.pipewire.enable = config.components.gui.audio.enable;
services.pulseaudio.enable = false;
}
];
environment.etc = {
"wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
bluez_monitor.properties = {
["bluez5.enable-sbc-xq"] = true,
["bluez5.enable-msbc"] = true,
["bluez5.enable-hw-volume"] = true,
["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
}
'';
};
};
}

5
components/gui/browser.nix
View file

@ -8,14 +8,11 @@ in
programs.chromium.extensions = [
"nngceckbapebfimnlniiiahkandclblb" # bitwarden
# "edibdbjcniadpccecjdfdjjppcpchdlm" # I still don't care about cookies
"edibdbjcniadpccecjdfdjjppcpchdlm" # I still don't care about cookies
"gcbommkclmclpchllfjekcdonpmejbdp" # https everywhere
"cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
"dbepggeogbaibhgnhhndojpepiihcmeb" # vimium
"jinjaccalgkegednnccohejagnlnfdag" # Violentmonkey
# "dpplabbmogkhghncfbfdeeokoefdjegm" # Proxy SwitchySharp
# "mooikfkahbdckldjjndioackbalphokd" # Selenium IDE
# "hnkcfpcejkafcihlgbojoidoihckciin" # Referer Control
];
# overwrite use zram on small RAM systems

3
components/gui/default.nix
View file

@ -16,9 +16,8 @@ with lib;
./browser.nix
./cups.nix
./home-manager
./kde.nix
./kmonad.nix
./noti.nix # todo: make this different (use password store and such)
#./noti.nix # todo: make this different (use password store and such)
./pass.nix
./steam.nix
./suspend.nix

19
components/gui/kde.nix
View file

@ -1,19 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options.components.gui.kde.enable = lib.mkOption {
type = lib.types.bool;
default = config.components.gui.enable;
};
config = lib.mkIf (config.components.gui.kde.enable) {
services.desktopManager.plasma6.enable = true;
};
}

54
components/gui/noti.nix
View file

@ -16,41 +16,29 @@ with lib;
# todo : put this in `/homes`
config = mkIf (config.components.gui.noti.enable) {
clan.core.facts.services.noti = {
secret."noti.yaml" = { };
generator = {
prompt = "noti.yaml";
path = with pkgs; [ coreutils ];
script = ''
echo "$prompt_value" > "$secrets"/noti.yaml
'';
};
};
systemd.tmpfiles.settings.noti = {
# don't like to use a non tmpfs here, but does not work another way
"${config.users.users.mainUser.home}/.config/noti/noti.yaml"."C+" = {
user = config.users.users.mainUser.name;
group = config.users.users.mainUser.group;
mode = "400";
argument = config.clan.core.facts.services.noti.secret."noti.yaml".path;
};
};
# sops.secrets.pushover_user_key = { };
# sops.secrets.pushover_api_key = { };
# sops.templates."noti.yaml".owner = config.users.users.mainUser.name;
# sops.templates."noti.yaml".group = config.users.users.mainUser.group;
# sops.templates."noti.yaml".content = ''
# pushover:
# userKey: ${config.sops.placeholder.pushover_user_key}
# apiToken: ${config.sops.placeholder.pushover_api_key}
# '';
sops.secrets.pushover_user_key = { };
sops.secrets.pushover_api_key = { };
sops.templates."noti.yaml".owner = config.users.users.mainUser.name;
sops.templates."noti.yaml".group = config.users.users.mainUser.group;
sops.templates."noti.yaml".content = ''
pushover:
userKey: ${config.sops.placeholder.pushover_user_key}
apiToken: ${config.sops.placeholder.pushover_api_key}
'';
home-manager.users.mainUser = {
programs.noti.enable = true;
# xdg.configFile."noti/noti.yaml".target = "/run/facts/mainUser.noti.yaml";
};
home.packages = [
(pkgs.writers.writeBashBin "noti" ''
${pkgs.noti}/bin/noti --file ${config.sops.templates."noti.yaml".path} "$@"
'')
(pkgs.writers.writeBashBin "noti-pushover" ''
${pkgs.noti}/bin/noti --pushover --file ${config.sops.templates."noti.yaml".path} "$@"
'')
];
## not working :(
#programs.noti.enable = true;
#xdg.configFile."noti/noti.yaml".source = toString config.sops.templates."noti.yaml".path;
};
};
}

2
components/gui/steam.nix
View file

@ -18,6 +18,8 @@ with lib;
/var/run/wrappers/bin/sudo -u steam -i ${pkgs.steam}/bin/steam $@
'')
pkgs.xorg.xhost
# to use xbox controllers
pkgs.xboxdrv
];
users.users.steam = {

117
components/gui/xorg/default.nix
View file

@ -14,85 +14,72 @@ with lib;
default = config.components.gui.enable;
};
options.components.gui.xorg.lightdm.enable = mkOption {
type = lib.types.bool;
default = config.components.gui.xorg.enable;
};
config = mkIf (config.components.gui.xorg.enable && config.components.gui.enable) {
options.components.gui.xorg.sddm.enable = mkOption {
type = lib.types.bool;
default = !config.components.gui.xorg.lightdm.enable;
};
# system.custom.fonts.enable = true;
services.displayManager = {
defaultSession = lib.mkDefault "none+i3";
autoLogin.enable = lib.mkDefault true;
autoLogin.user = config.users.users.mainUser.name;
};
config = mkMerge [
services.xserver = {
(mkIf (config.components.gui.xorg.lightdm.enable && config.components.gui.xorg.enable) {
enable = true;
services.displayManager = {
defaultSession = "none+i3";
autoLogin.enable = lib.mkDefault true;
autoLogin.user = config.users.users.mainUser.name;
displayManager = {
lightdm.enable = lib.mkDefault true;
};
services.xserver.displayManager.lightdm.enable = true;
desktopManager.xterm.enable = false;
windowManager.i3.enable = true;
})
# mouse/touchpad
# --------------
(mkIf (config.components.gui.xorg.sddm.enable && config.components.gui.xorg.enable) {
};
services.xserver.displayManager.sddm.enable = true;
})
(mkIf (config.components.gui.xorg.enable && config.components.gui.enable) {
services.xserver.enable = true;
services.xserver.windowManager.i3.enable = true;
services.libinput = {
enable = true;
touchpad = {
disableWhileTyping = true;
tapping = true;
scrollMethod = "twofinger";
accelSpeed = "1.3";
naturalScrolling = true;
horizontalScrolling = true;
};
services.libinput = {
enable = true;
touchpad = {
disableWhileTyping = true;
tapping = true;
scrollMethod = "twofinger";
accelSpeed = "1.3";
naturalScrolling = true;
horizontalScrolling = true;
};
};
# Packages
# --------
environment.systemPackages = with pkgs; [
# Packages
# --------
environment.systemPackages = with pkgs; [
xclip
#xtrlock-pam
xorg.xev
xclip
xtrlock-pam
xorg.xev
dmenu
arandr
xcalib
flameshot
feh
dmenu
arandr
xcalib
flameshot
feh
];
];
# Xresources config
# -----------------
# spread the Xresource config
# across different files
# just add a file into `/etc/X11/Xresource.d/` and it will be
# evaluated.
services.xserver.displayManager.sessionCommands = ''
for file in `ls /etc/X11/Xresource.d/`
do
${pkgs.xorg.xrdb}/bin/xrdb -merge /etc/X11/Xresource.d/$file
done
'';
environment.etc."/X11/Xresource.d/.keep".text = "";
# Xresources config
# -----------------
# spread the Xresource config
# across different files
# just add a file into `/etc/X11/Xresource.d/` and it will be
# evaluated.
services.xserver.displayManager.sessionCommands = ''
for file in `ls /etc/X11/Xresource.d/`
do
${pkgs.xorg.xrdb}/bin/xrdb -merge /etc/X11/Xresource.d/$file
done
'';
environment.etc."/X11/Xresource.d/.keep".text = "";
})
];
};
}

24
components/mainUser.nix
View file

@ -73,20 +73,16 @@ in
uid = cfg.uid;
home = "/home/${cfg.userName}";
initialPassword = cfg.userName;
extraGroups =
[
"wheel"
"networkmanager"
"transmission"
"wireshark"
"audio"
"pipewire"
"input"
"dialout"
]
++ dockerGroup
++ vboxGroup
++ cfg.extraGroups;
extraGroups = [
"wheel"
"networkmanager"
"transmission"
"wireshark"
"audio"
"pipewire"
"input"
"dialout"
] ++ dockerGroup ++ vboxGroup ++ cfg.extraGroups;
openssh.authorizedKeys.keyFiles = cfg.authorizedKeyFiles;
group = config.users.groups.mainUser.name;
};

8
components/media/video.nix
View file

@ -136,7 +136,7 @@ in
home-manager.sharedModules = [
{
programs.obs-studio = {
enable = false;
enable = true;
plugins = with pkgs.obs-studio-plugins; [
obs-backgroundremoval
obs-vaapi
@ -161,17 +161,17 @@ in
# obs studio stuff
obs-cli
v4l-utils
#obs-cmd
obs-cmd
# to record your screen
# ---------------------
#simplescreenrecorder
simplescreenrecorder
screenKey
#obs-studio
# to transcode video material
# ---------------------------
# handbrake
handbrake
ffmpeg-full
];

18
components/monitor/container.nix Normal file
View file

@ -0,0 +1,18 @@
{ lib, config, ... }:
with lib;
with types;
{
imports = [
./default.nix
../timezone.nix
];
config = {
components.monitor.enable = mkDefault true;
components.monitor.metrics.enable = mkDefault false;
components.monitor.opentelemetry.enable = false;
services.journald.extraConfig = "SystemMaxUse=1G";
};
}

32
components/monitor/default.nix Normal file
View file

@ -0,0 +1,32 @@
{ lib, config, ... }:
with lib;
with types;
{
options.components.monitor = {
enable = mkOption {
type = bool;
default = true;
};
metrics.enable = mkOption {
type = bool;
default = config.components.monitor.enable;
};
logs.enable = mkOption {
type = bool;
default = config.components.monitor.enable;
};
};
imports = [
./logs-promtail.nix
./metrics-export-zfs.nix
./metrics-netdata.nix
./metrics-prometheus.nix
./metrics-telegraf.nix
./opentelemetry.nix
];
config = mkIf config.components.monitor.enable { };
}

185
components/monitor/logs-promtail.nix Normal file
View file

@ -0,0 +1,185 @@
{ config, lib, ... }:
with lib;
with types;
let
cfg = config.components.monitor.promtail;
in
{
options.components.monitor.promtail = {
enable = mkOption {
type = lib.types.bool;
default = config.components.monitor.logs.enable;
};
port = mkOption {
type = int;
default = 3500;
description = "port to provide promtail export";
};
};
config = mkMerge [
(mkIf config.components.monitor.opentelemetry.enable {
services.opentelemetry-collector.settings = {
receivers.loki = {
protocols.http.endpoint = "127.0.0.1:${toString cfg.port}";
use_incoming_timestamp = true;
};
service.pipelines.logs.receivers = [ "loki" ];
};
})
(mkIf config.components.monitor.promtail.enable {
services.promtail = {
enable = true;
configuration = {
server.disable = true;
positions.filename = "/var/cache/promtail/positions.yaml";
clients = [
{ url = "http://127.0.0.1:${toString cfg.port}/loki/api/v1/push"; }
];
scrape_configs =
let
_replace = index: replacement: ''{{ Replace .Value "${toString index}" "${replacement}" 1 }}'';
_elseif = index: ''{{ else if eq .Value "${toString index}" }}'';
_if = index: ''{{ if eq .Value "${toString index}" }}'';
_end = ''{{ end }}'';
elseblock = index: replacement: "${_elseif index}${_replace index replacement}";
ifblock = index: replacement: "${_if index}${_replace index replacement}";
createTemplateLine =
list:
"${
concatStrings (
imap0 (
index: replacement: if index == 0 then ifblock index replacement else elseblock index replacement
) list
)
}${_end}";
in
[
{
job_name = "journal";
journal = {
json = true;
max_age = "12h";
labels.job = "systemd-journal";
};
pipeline_stages = [
{
# Set of key/value pairs of JMESPath expressions. The key will be
# the key in the extracted data while the expression will be the value,
# evaluated as a JMESPath from the source data.
json.expressions = {
# journalctl -o json | jq and you'll see these
boot_id = "_BOOT_ID";
facility = "SYSLOG_FACILITY";
facility_label = "SYSLOG_FACILITY";
instance = "_HOSTNAME";
msg = "MESSAGE";
priority = "PRIORITY";
priority_label = "PRIORITY";
transport = "_TRANSPORT";
unit = "_SYSTEMD_UNIT";
# coredump
#coredump_cgroup = "COREDUMP_CGROUP";
#coredump_exe = "COREDUMP_EXE";
#coredump_cmdline = "COREDUMP_CMDLINE";
#coredump_uid = "COREDUMP_UID";
#coredump_gid = "COREDUMP_GID";
};
}
{
# Set the unit (defaulting to the transport like audit and kernel)
template = {
source = "unit";
template = "{{if .unit}}{{.unit}}{{else}}{{.transport}}{{end}}";
};
}
{
# Normalize session IDs (session-1234.scope -> session.scope) to limit number of label values
replace = {
source = "unit";
expression = "^(session-\\d+.scope)$";
replace = "session.scope";
};
}
{
# Map priority to human readable
template = {
source = "priority_label";
#template = ''{{ if eq .Value "0" }}{{ Replace .Value "0" "emerg" 1 }}{{ else if eq .Value "1" }}{{ Replace .Value "1" "alert" 1 }}{{ else if eq .Value "2" }}{{ Replace .Value "2" "crit" 1 }}{{ else if eq .Value "3" }}{{ Replace .Value "3" "err" 1 }}{{ else if eq .Value "4" }}{{ Replace .Value "4" "warning" 1 }}{{ else if eq .Value "5" }}{{ Replace .Value "5" "notice" 1 }}{{ else if eq .Value "6" }}{{ Replace .Value "6" "info" 1 }}{{ else if eq .Value "7" }}{{ Replace .Value "7" "debug" 1 }}{{ end }}'';
template = createTemplateLine [
"emergency"
"alert"
"critical"
"error"
"warning"
"notice"
"info"
"debug"
];
};
}
{
# Map facility to human readable
template = {
source = "facility_label";
template = createTemplateLine [
"kern" # Kernel messages
"user" # User-level messages
"mail" # Mail system Archaic POSIX still supported and sometimes used (for more mail(1))
"daemon" # System daemons All daemons, including systemd and its subsystems
"auth" # Security/authorization messages Also watch for different facility 10
"syslog" # Messages generated internally by syslogd For syslogd implementations (not used by systemd, see facility 3)
"lpr" # Line printer subsystem (archaic subsystem)
"news" # Network news subsystem (archaic subsystem)
"uucp" # UUCP subsystem (archaic subsystem)
"clock" # Clock daemon systemd-timesyncd
"authpriv" # Security/authorization messages Also watch for different facility 4
"ftp" # FTP daemon
"-" # NTP subsystem
"-" # Log audit
"-" # Log alert
"cron" # Scheduling daemon
"local0" # Local use 0 (local0)
"local1" # Local use 1 (local1)
"local2" # Local use 2 (local2)
"local3" # Local use 3 (local3)
"local4" # Local use 4 (local4)
"local5" # Local use 5 (local5)
"local6" # Local use 6 (local6)
"local7" # Local use 7 (local7)
];
};
}
{
# Key is REQUIRED and the name for the label that will be created.
# Value is optional and will be the name from extracted data whose value
# will be used for the value of the label. If empty, the value will be
# inferred to be the same as the key.
labels = {
boot_id = "";
facility = "";
facility_label = "";
instance = "";
priority = "";
priority_label = "";
transport = "";
unit = "";
};
}
{
# Write the proper message instead of JSON
output.source = "msg";
}
];
}
];
};
};
})
];
}

39
components/monitor/metrics-export-zfs.nix Normal file
View file

@ -0,0 +1,39 @@
{
pkgs,
config,
lib,
...
}:
with lib;
with types;
{
options.components.monitor.exporters.zfs.enable = mkOption {
type = lib.types.bool;
default = config.components.monitor.metrics.enable;
};
config = mkMerge [
(mkIf config.components.monitor.exporters.zfs.enable {
services.telegraf.extraConfig.inputs.zfs = { };
services.prometheus.exporters.zfs.enable = true;
services.opentelemetry-collector.settings = {
receivers.prometheus.config.scrape_configs = [
{
job_name = "zfs";
scrape_interval = "10s";
static_configs = [
{
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.zfs.port}" ];
}
];
}
];
service.pipelines.metrics.receivers = [ "prometheus" ];
};
})
];
}

40
components/monitor/metrics-netdata.nix Normal file
View file

@ -0,0 +1,40 @@
{
lib,
pkgs,
config,
...
}:
with lib;
with types;
{
options.components.monitor.netdata = {
enable = mkOption {
type = bool;
default = config.components.monitor.metrics.enable;
};
};
config = mkIf config.components.monitor.netdata.enable {
# netdata sink
services.opentelemetry-collector.settings.receivers.prometheus.config.scrape_configs = [
{
job_name = "netdata";
scrape_interval = "10s";
metrics_path = "/api/v1/allmetrics";
params.format = [ "prometheus" ];
static_configs = [ { targets = [ "127.0.0.1:19999" ]; } ];
}
];
# https://docs.netdata.cloud/daemon/config/
services.netdata = {
enable = lib.mkDefault true;
config = {
global = {
"memory mode" = "ram";
};
};
};
};
}

45
components/monitor/metrics-prometheus.nix Normal file
View file

@ -0,0 +1,45 @@
{ config, lib, ... }:
with lib;
with types;
let
cfg = config.components.monitor.prometheus;
in
{
options.components.monitor.prometheus = {
enable = mkOption {
type = lib.types.bool;
default = config.components.monitor.metrics.enable;
};
port = mkOption {
type = int;
default = 8090;
description = "port to provide Prometheus export";
};
};
config = mkMerge [
(mkIf config.components.monitor.prometheus.enable {
services.prometheus = {
checkConfig = "syntax-only";
enable = true;
};
})
(mkIf config.components.monitor.prometheus.enable {
services.opentelemetry-collector.settings = {
exporters.prometheus.endpoint = "127.0.0.1:${toString cfg.port}";
service.pipelines.metrics.exporters = [ "prometheus" ];
};
services.prometheus.scrapeConfigs = [
{
job_name = "opentelemetry";
metrics_path = "/metrics";
scrape_interval = "10s";
static_configs = [ { targets = [ "localhost:${toString cfg.port}" ]; } ];
}
];
})
];
}

57
components/monitor/metrics-telegraf.nix Normal file
View file

@ -0,0 +1,57 @@
{
config,
pkgs,
lib,
...
}:
with lib;
with types;
let
cfg = config.components.monitor.telegraf;
in
{
options.components.monitor.telegraf = {
enable = mkOption {
type = lib.types.bool;
default = config.components.monitor.metrics.enable;
};
influxDBPort = mkOption {
type = int;
default = 8088;
description = "Port to listen on influxDB input";
};
};
config = lib.mkMerge [
(mkIf config.components.monitor.telegraf.enable {
# opentelemetry wireing
services.opentelemetry-collector.settings = {
receivers.influxdb.endpoint = "127.0.0.1:${toString cfg.influxDBPort}";
service.pipelines.metrics.receivers = [ "influxdb" ];
};
services.telegraf.extraConfig.outputs.influxdb_v2.urls = [
"http://127.0.0.1:${toString cfg.influxDBPort}"
];
})
(mkIf config.components.monitor.telegraf.enable {
systemd.services.telegraf.path = [ pkgs.inetutils ];
services.telegraf = {
enable = true;
extraConfig = {
# https://github.com/influxdata/telegraf/tree/master/plugins/inputs < all them plugins
inputs = {
cpu = { };
diskio = { };
processes = { };
system = { };
systemd_units = { };
ping = [ { urls = [ "10.100.0.1" ]; } ]; # actually important to make machine visible over wireguard
};
};
};
})
];
}

218
components/monitor/opentelemetry.nix Normal file
View file

@ -0,0 +1,218 @@
{
pkgs,
config,
lib,
...
}:
with lib;
with types;
let
cfg = config.components.monitor.opentelemetry;
in
{
options.components.monitor.opentelemetry = {
enable = mkOption {
type = bool;
default = config.components.monitor.enable;
description = "weather or not to use opentelemetry";
};
receiver.endpoint = mkOption {
type = nullOr str;
default = null;
description = "endpoint to receive the opentelementry data from other collectors";
};
exporter.endpoint = mkOption {
type = nullOr str;
default = null;
description = "endpoint to ship opentelementry data too";
};
exporter.debug = mkOption {
type = nullOr (enum [
"logs"
"metrics"
]);
default = null;
description = "enable debug exporter.";
};
metrics.endpoint = mkOption {
type = str;
default = "127.0.0.1:8100";
description = "endpoint on where to provide opentelementry metrics";
};
};
config = mkMerge [
(mkIf config.components.monitor.opentelemetry.enable {
services.opentelemetry-collector = {
enable = true;
package = pkgs.opentelemetry-collector-contrib;
};
})
# add default tags to metrics
# todo : make sure we filter out metrics from otlp receivers
(mkIf config.components.monitor.enable {
services.opentelemetry-collector.settings = {
processors = {
# https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/processor/resourcedetectionprocessor/README.md
"resourcedetection/system" = {
detectors = [ "system" ];
override = false;
system.hostname_sources = [ "os" ];
};
metricstransform.transforms = [
{
include = ".*";
match_type = "regexp";
action = "update";
operations = [
{
action = "add_label";
new_label = "machine";
new_value = config.networking.hostName;
}
];
}
];
};
};
})
(mkIf config.components.monitor.metrics.enable {
services.opentelemetry-collector.settings = {
service.pipelines.metrics.processors = [
"metricstransform"
"resourcedetection/system"
];
};
})
(mkIf config.components.monitor.logs.enable {
services.opentelemetry-collector.settings = {
service.pipelines.logs.processors = [ "resourcedetection/system" ];
};
})
(mkIf (config.components.monitor.opentelemetry.exporter.debug != null) {
services.opentelemetry-collector.settings = {
exporters.debug = {
verbosity = "detailed";
sampling_initial = 5;
sampling_thereafter = 200;
};
service.pipelines.${config.components.monitor.opentelemetry.exporter.debug} = {
exporters = [ "debug" ];
};
};
})
# ship to next instance
(mkIf (config.components.monitor.opentelemetry.exporter.endpoint != null) {
services.opentelemetry-collector.settings = {
exporters.otlp = {
endpoint = cfg.exporter.endpoint;
tls.insecure = true;
};
};
})
(mkIf
(
config.components.monitor.opentelemetry.exporter.endpoint != null
&& config.components.monitor.logs.enable
)
{
services.opentelemetry-collector.settings = {
service.pipelines.logs.exporters = [ "otlp" ];
};
}
)
(mkIf
(
config.components.monitor.opentelemetry.exporter.endpoint != null
&& config.components.monitor.metrics.enable
)
{
services.opentelemetry-collector.settings = {
service.pipelines.metrics.exporters = [ "otlp" ];
};
}
)
# ship from other instance
(mkIf (config.components.monitor.opentelemetry.receiver.endpoint != null) {
services.opentelemetry-collector.settings = {
receivers.otlp.protocols.grpc.endpoint = cfg.receiver.endpoint;
};
})
(mkIf
(
config.components.monitor.opentelemetry.receiver.endpoint != null
&& config.components.monitor.logs.enable
)
{
services.opentelemetry-collector.settings = {
service.pipelines.logs.receivers = [ "otlp" ];
};
}
)
(mkIf
(
config.components.monitor.opentelemetry.receiver.endpoint != null
&& config.components.monitor.metrics.enable
)
{
services.opentelemetry-collector.settings = {
service.pipelines.metrics.receivers = [ "otlp" ];
};
}
)
# scrape opentelemetry-colectors metrics
# todo: this should be collected another way (opentelemetry internal?)
# todo : enable me only when metrics.endpoint is set.
(mkIf config.components.monitor.metrics.enable {
services.opentelemetry-collector.settings = {
receivers = {
prometheus.config.scrape_configs = [
{
job_name = "otelcol";
scrape_interval = "10s";
static_configs = [
{
targets = [ cfg.metrics.endpoint ];
}
];
metric_relabel_configs = [
{
source_labels = [ "__name__" ];
regex = ".*grpc_io.*";
action = "drop";
}
];
}
];
};
service = {
pipelines.metrics = {
receivers = [ "prometheus" ];
};
# todo : this should be automatically be collected
# open telemetries own metrics?
telemetry.metrics.address = cfg.metrics.endpoint;
};
};
})
(mkIf (!config.components.monitor.metrics.enable) {
services.opentelemetry-collector.settings = {
service.telemetry.metrics.level = "none";
};
})
];
}

4
components/network/hosts.nix
View file

@ -1,9 +1,5 @@
{ clanLib, ... }:
{
networking.extraHosts = ''
95.216.66.212 orbi.public
'';
services.openssh.knownHosts = {
"orbi.public".publicKey = clanLib.readFact "ssh.id_ed25519.pub" "orbi";
};
}

2
components/network/nginx.nix
View file

@ -175,7 +175,7 @@ with lib;
];
})
(entry { machine = "cherry"; })
#(entry { machine = "cream"; })
(entry { machine = "cream"; })
(entry { machine = "mobi"; })
(entry { machine = "bobi"; })
{

26
components/network/sshd/default.nix
View file

@ -8,6 +8,7 @@
with lib;
with types;
let
defaultRootKeyFiles = [ "${assets}/mrvandalo_rsa.pub" ];
cfg = config.components.network.sshd;
# maybe ascii-image-converter is also nice here
@ -29,6 +30,11 @@ in
type = bool;
default = true;
};
rootKeyFiles = mkOption {
type = with types; listOf path;
default = [ ];
description = "keys to root login";
};
onlyTincAccess = mkOption {
type = bool;
default = false;
@ -36,13 +42,6 @@ in
make sure ssh is only available trough the tinc
'';
};
allowMosh = mkOption {
type = bool;
default = true;
description = ''
make mosh port available
'';
};
};
config = mkMerge [
@ -65,27 +64,18 @@ in
# settings.LoginGraceTime = 0;
};
users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
# todo enable again when I can it's possible to set the `-q` ssh option in clan
#services.openssh.banner = builtins.readFile sshBanner;
})
(mkIf (cfg.onlyTincAccess && cfg.enable) {
# fixme: this is not working
networking.firewall.extraCommands = ''
iptables --table nat --append PREROUTING ! --in-interface tinc.+ --protocol tcp --match tcp --dport 22 --jump REDIRECT --to-ports 0
'';
})
(mkIf (cfg.allowMosh && cfg.enable) {
networking.firewall.allowedUDPPortRanges = [
{
from = 60000;
to = 61000;
}
];
})
];
}

9
components/network/sshd/known-hosts-manual.nix
View file

@ -15,18 +15,11 @@ in
services.openssh.knownHosts = {
orbi = {
hostNames = [
"git.ingolf-wagner.de"
"95.216.66.212"
];
publicKey = publicKey "orbi";
};
forgejo = {
hostNames = [
"[git.ingolf-wagner.de]:2222"
];
publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQVomwXedtY4ZAKA1Bcsz6Ud2Ys3mjjGJXLcWQLceXKmmAQfOWqqLrTddhrLjmZImS3HTexGK7iNmYYCd/lG+7j1rMebmk3cddH6qr/4WB5SSexbLV4/vlk18kia6O+52ybrMzejwcfr9qNEg+bkrmc4btsWcT/w21vRyOzsmRRnk+S54prLGtiCypFqwGYnyr6HPXO3lqCLHIR/XurcFvh/aM/RGusWh889TXA39FezDcV6OZisZTTC4BBoUAS8r6XJnrIahZJmfEHp/FbKJV0pShCCQXtpkUBu7g6B2T+8u91fY4kc8O293XhaxjTBfkZH2lGodppGG12vAQSeznppbzlT82uTx80jyt7Hw/IAjn9j8D+iKC7fA9qawVz+p1UtqHQd43+8gOSiHILOUMhVxp7ZrfhYmaiOKrkR4+Juc9P2UsqrAvxS1WaYT4KaEZfze7/DCdK0h2SSY2jgCU9sNeJG6M4s/pPj+iI/O+AagHfBZ+bF2y+OKEZOW4J+OpqnEY3lANdxsMsD9PwBpAVAn9FAJzAy+gfXINu0wqGhtA3qWM0QVjcSXsfQJQ2XrbMPd9+pvOl1Ej5SSbjXYcPt9dXWl+L69dbU5qb8WRGl2ZxloUaRcOrOkmhybwI/61LfaGzLslnNn8ARjJgzu9xSipT5D4cZ1FgB9ezqC73Q==";
};
};
};

17
components/network/syncthing.nix
View file

@ -43,7 +43,6 @@ with lib;
in
clanMachines
// (device "iPhone" "RPQBSRB-DYEUUWQ-EAPMBA2-PL4MJ73-Y4F4ZTH-TAD7DUE-GEK56BG-HYW6YAF")
// (device "iPad" "NEGOJYU-EEDRM4E-XVZUKFO-63LAIOO-WHFFS2V-3SH3KR2-VYEFQLW-4QOFBQU")
// (device "bumba" "JS7PWTO-VKFGBUP-GNFLSWP-MGFJ2KH-HLO2LKW-V3RPCR6-PCB5SQC-42FCKQZ");
settings.folders = {
@ -61,7 +60,7 @@ with lib;
path = lib.mkDefault "/tmp/books";
devices = [
"chungus"
# "cream"
"cream"
"cherry"
];
versioning = {
@ -74,7 +73,7 @@ with lib;
path = lib.mkDefault "/tmp/desktop";
devices = [
"chungus"
# "cream"
"cream"
"cherry"
];
};
@ -83,7 +82,7 @@ with lib;
path = lib.mkDefault "/tmp/finance";
devices = [
"chungus"
# "cream"
"cream"
"cherry"
];
versioning = {
@ -103,9 +102,9 @@ with lib;
enable = lib.mkDefault false;
path = lib.mkDefault "/tmp/logseq";
devices = [
"cherry"
"chungus"
"iPad"
"cream"
"cherry"
"iPhone"
];
};
@ -122,7 +121,7 @@ with lib;
path = lib.mkDefault "/tmp/oscar_cpap";
devices = [
"chungus"
# "cream"
"cream"
"cherry"
];
};
@ -131,7 +130,7 @@ with lib;
path = lib.mkDefault "/tmp/password-store";
devices = [
"chungus"
# "cream"
"cream"
"cherry"
];
versioning = {
@ -144,7 +143,7 @@ with lib;
enable = lib.mkDefault false;
path = lib.mkDefault "/tmp/password-store";
devices = [
# "cream"
"cream"
"cherry"
"orbi"
];

11
components/network/tinc/private.nix
View file

@ -14,7 +14,7 @@ let
bobi = "10.23.42.25";
cherry = "10.23.42.29";
chungus = "10.23.42.28";
# cream = "10.23.42.27";
cream = "10.23.42.27";
mobi = "10.23.42.23";
orbi = "10.23.42.100";
};
@ -28,7 +28,6 @@ let
"photoprism.orbi" = hosts.orbi;
# chungus
"video.chungus" = hosts.chungus;
"music.chungus" = hosts.chungus;
"de.tts.chungus" = hosts.chungus;
"en.tts.chungus" = hosts.chungus;
"flix.chungus" = hosts.chungus;
@ -68,10 +67,10 @@ in
subnets = [ { address = hosts.bobi; } ];
settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
};
# cream = {
# subnets = [ { address = hosts.cream; } ];
# settings.Ed25519PublicKey = Ed25519PublicKey "cream";
# };
cream = {
subnets = [ { address = hosts.cream; } ];
settings.Ed25519PublicKey = Ed25519PublicKey "cream";
};
cherry = {
subnets = [ { address = hosts.cherry; } ];
settings.Ed25519PublicKey = Ed25519PublicKey "cherry";

24
components/network/tinc/secret.nix
View file

@ -12,7 +12,7 @@ let
port = 721;
hosts = {
cherry = "10.123.42.29";
# cream = "10.123.42.27";
cream = "10.123.42.27";
robi = "10.123.42.123";
sternchen = "10.123.42.25";
sterni = "10.123.42.24";
@ -35,10 +35,10 @@ in
subnets = [ { address = hosts.sternchen; } ];
settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
};
# cream = {
# subnets = [ { address = hosts.cream; } ];
# settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
# };
cream = {
subnets = [ { address = hosts.cream; } ];
settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
};
cherry = {
subnets = [ { address = hosts.cherry; } ];
settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC";
@ -80,13 +80,13 @@ in
);
services.openssh.knownHosts = {
# "cream.${network}" = {
# hostNames = [
# "cream.${network}"
# hosts.cream
# ];
# publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
# };
"cream.${network}" = {
hostNames = [
"cream.${network}"
hosts.cream
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
};
"sternchen.${network}" = {
hostNames = [
"sterni.${network}"

2
components/network/wireguard.nix
View file

@ -25,8 +25,6 @@ with lib;
config = {
networking.extraHosts = ''
10.100.0.1 cache.orbi.wg0
10.100.0.1 orbi.wg0
10.100.0.2 chungus.wg0
'';
};

1
components/terminal/default.nix
View file

@ -17,6 +17,7 @@ with lib;
./direnv.nix
./git.nix
./heygpt.nix
./hoard.nix
./remote-install.nix
./wtf.nix
./zsh.nix

83
components/terminal/hoard.nix Normal file
View file

@ -0,0 +1,83 @@
{
pkgs,
config,
lib,
...
}:
with lib;
let
hoardSrc = pkgs.fetchFromGitHub {
owner = "Hyde46";
repo = "hoard";
rev = "v1.3.1";
sha256 = "sha256-Gm3X6/g5JQJEl7wRvWcO4j5XpROhtfRJ72LNaUeZRGc=";
};
in
{
options.components.terminal.hoard.enable = mkOption {
type = lib.types.bool;
default = config.components.terminal.enable;
};
config = mkIf (config.components.terminal.hoard.enable) {
# todo : sync via syncthing
#backup.dirs = [
# "/root/.config/hoard"
# "/home/palo/.config/hoard"
#];
environment.systemPackages = [ pkgs.legacy_2211.hoard ];
home-manager.users.mainUser = {
xdg.configFile."hoard/config.yml".text = builtins.toJSON {
version = "1.0.1";
default_namespace = "default";
config_home_path = "/home/palo/.config/hoard";
trove_path = "/home/palo/.config/hoard/trove.yml";
query_prefix = " >";
primary_color = [
87
142
87
];
secondary_color = [
203
184
144
];
tertiary_color = [
30
30
30
];
command_color = [
30
30
30
];
parameter_token = "#";
read_from_current_directory = true;
};
programs.zsh.initExtra = ''
export HOARD_NOBIND=1
source ${hoardSrc}/src/shell/hoard.zsh
bindkey '^x' _hoard_list_widget
'';
};
# use showkey -a
# Ctrl-h is equivalent to Ctrl-Backspace (for some reason)
programs.zsh.interactiveShellInit = ''
export HOARD_NOBIND=1
source ${hoardSrc}/src/shell/hoard.zsh
bindkey '^x' _hoard_list_widget
'';
programs.bash.interactiveShellInit = ''
export HOARD_NOBIND=1
source ${hoardSrc}/src/shell/hoard.bash
bind -x '"\C-x": __hoard_list'
'';
};
}

2
components/terminal/wtf.nix
View file

@ -23,7 +23,7 @@ let
${pkgs.iw}/bin/iw dev \
| ${pkgs.gnused}/bin/sed -n 's/^\s*Interface\s\+\([0-9a-z]\+\)$/\1/p'
); do
inet=$(${pkgs.iproute2}/bin/ip addr show $dev \
inet=$(${pkgs.iproute}/bin/ip addr show $dev \
| ${pkgs.gnused}/bin/sed -n 's/.*inet \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*/\1/p') \
|| unset inet
ssid=$(${pkgs.iw}/bin/iw dev $dev link \

3
components/timezone.nix
View file

@ -3,4 +3,7 @@
# some system stuff
# -----------------
time.timeZone = "Europe/Berlin";
#time.timeZone = "Pacific/Auckland";
#time.timeZone = "Asia/Singapore";
#time.timeZone = "Asia/Makassar";
}

1
components/virtualisation/docker.nix
View file

@ -15,7 +15,6 @@ with lib;
config = mkIf config.components.virtualisation.docker.enable {
virtualisation.docker.enable = true;
virtualisation.docker.extraPackages = [ pkgs.zfs ];
};

17
components/virtualisation/podman.nix
View file

@ -12,20 +12,13 @@ with lib;
default = config.components.virtualisation.enable;
};
config = mkMerge [
(mkIf config.components.virtualisation.podman.enable {
config = mkIf config.components.virtualisation.podman.enable {
virtualisation.podman.enable = true;
virtualisation.podman.enable = true;
# make sure /var/lib/containers/storage is a zfs dataset
virtualisation.podman.extraPackages = [ pkgs.zfs ];
# make sure /var/lib/containers/storage is a zfs dataset
virtualisation.podman.extraPackages = [ pkgs.zfs ];
})
(mkIf (config.components.virtualisation.podman.enable && (!config.virtualisation.docker.enable)) {
virtualisation.podman.dockerCompat = true;
virtualisation.podman.dockerSocket.enable = true;
})
];
};
}

11
components/virtualisation/virtualbox.nix
View file

@ -14,13 +14,10 @@ with lib;
config = mkIf config.components.virtualisation.virtualbox.enable {
virtualisation.virtualbox.host.enable = true;
virtualisation.virtualbox.host.enableExtensionPack = true;
virtualisation.virtualbox.guest.enable = true;
virtualisation.virtualbox.guest.dragAndDrop = true;
# https://discourse.nixos.org/t/issue-with-virtualbox-in-24-11/57607/2
boot.kernelParams = [ "kvm.enable_virt_at_load=0" ];
virtualisation.virtualbox = {
host.enable = true;
guest.enable = true;
};
users.extraGroups.vboxusers.members = [ config.users.users.mainUser.name ];

1
features/network/fail2ban.nix
View file

@ -16,6 +16,7 @@ with lib;
environment.systemPackages = [ pkgs.fail2ban ];
services.fail2ban = {
enable = true;
#package = pkgs.legacy_2311.fail2ban;
jails = { };
};
})

1101
flake.lock generated
View file

File diff suppressed because it is too large Load diff

199
flake.nix
View file

@ -10,40 +10,37 @@
clan-fact-generators.url = "github:mrvandalo/clan-fact-generators";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
flake-parts.url = "github:hercules-ci/flake-parts";
healthchecks.inputs.nixpkgs.follows = "nixpkgs";
healthchecks.url = "github:mrvandalo/nixos-healthchecks";
#healthchecks.url = "git+file:///home/palo/dev/nixos/healthcheck";
home-manager-utils.inputs.home-manager.follows = "home-manager";
home-manager-utils.url = "github:mrvandalo/home-manager-utils";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager";
kmonad.inputs.nixpkgs.follows = "nixpkgs"; # fixme: kmonad crashes every now and than and the keyboard is not usable anymore.
kmonad.url = "github:kmonad/kmonad?dir=nix"; # todo: mabye use https://github.com/jtroo/kanata instead
landingpage.url = "github:mrVanDalo/landingpage";
nixos-anywhere.url = "github:nix-community/nixos-anywhere";
nix-topology.inputs.nixpkgs.follows = "nixpkgs";
nix-topology.url = "github:oddlama/nix-topology";
nixos-anywhere.url = "github:nix-community/nixos-anywhere";
nixos-hardware.url = "github:nixos/nixos-hardware";
nixpkgs-legacy_2211.url = "github:nixos/nixpkgs/nixos-22.11";
nixpkgs-legacy_2311.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs-legacy_2405.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small";
nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
permown.inputs.nixpkgs.follows = "nixpkgs";
permown.url = "github:mrVanDalo/module.permown";
polygon-art.url = "git+https://git.ingolf-wagner.de/palo/polygon-art.git";
private-parts.inputs.nixpkgs.follows = "nixpkgs"; # only private input
private-parts.url = "git+ssh://forgejo@git.ingolf-wagner.de:2222/palo/nixos-private-parts.git?ref=main";
private-parts.url = "git+ssh://forgejo@git.ingolf-wagner.de/palo/nixos-private-parts.git?ref=main";
#private-parts.url = "git+file:///home/palo/dev/nixos/nixos-private-parts";
share-http.inputs.nixpkgs.follows = "nixpkgs"; # only private input
share-http.url = "git+ssh://forgejo@git.ingolf-wagner.de:2222/palo/share-host.git?ref=main";
retiolum.url = "github:Mic92/retiolum";
srvos.url = "github:nix-community/srvos";
stylix.inputs.home-manager.follows = "home-manager";
stylix.inputs.nixpkgs.follows = "nixpkgs";
stylix.url = "github:danth/stylix";
taskwarrior.url = "github:mrvandalo/taskwarrior-flake";
#taskwarrior.url = "git+file:///home/palo/dev/nixos/taskwarrior-flake";
telemetry.inputs.nixpkgs.follows = "nixpkgs";
telemetry.url = "github:mrvandalo/nixos-telemetry";
#telemetry.url = "git+file:///home/palo/dev/nixos/nixos-telemetry";
taskshell.inputs.nixpkgs.follows = "nixpkgs";
taskshell.url = "github:mrvandalo/taskshell";
treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
treefmt-nix.url = "github:numtide/treefmt-nix";
devshell.url = "github:numtide/devshell";
# smoke test framwork to trigger tests (enable if I want to use it for real)
#smoke = {
@ -55,29 +52,30 @@
outputs =
inputs@{
self,
clan-core,
clan-fact-generators,
devshell,
flake-parts,
healthchecks,
home-manager,
home-manager-utils,
kmonad,
landingpage,
nix-topology,
nixos-anywhere,
nixos-hardware,
nixpkgs,
nixpkgs-legacy_2211,
nixpkgs-legacy_2311,
nixpkgs-legacy_2405,
nixpkgs-unstable-small,
permown,
polygon-art,
private-parts,
self,
share-http,
retiolum,
srvos,
stylix,
taskwarrior,
telemetry,
taskshell,
treefmt-nix,
nix-topology,
}:
let
@ -95,10 +93,6 @@
"python-2.7.18.8"
"electron-27.3.11" # for logseq
"electron-28.3.3" # for logseq
"aspnetcore-runtime-wrapped-6.0.36" # for jellyfin
"aspnetcore-runtime-6.0.36" # for jellyfin
"dotnet-sdk-wrapped-6.0.428" # for jellyfin
"dotnet-sdk-6.0.428" # for jellyfin
];
in
import nixpkgs {
@ -114,19 +108,33 @@
inherit allowUnfree permittedInsecurePackages;
};
};
legacy_2211 = import nixpkgs-legacy_2211 {
inherit system;
config = {
inherit allowUnfree permittedInsecurePackages;
};
};
legacy_2311 = import nixpkgs-legacy_2311 {
inherit system;
config = {
inherit allowUnfree permittedInsecurePackages;
};
};
legacy_2405 = import nixpkgs-legacy_2405 {
inherit system;
config = {
inherit allowUnfree permittedInsecurePackages;
};
};
polygon-art = polygon-art.packages.${system};
landingpage = landingpage.packages.${system}.plain;
share-via-http = share-http.packages.${system}.default;
inherit (taskwarrior.packages.${system})
bugwarrior
tasksh
taskwarrior-hooks
;
healthchecks = self.packages.${system}.healthchecks;
kmonad = kmonad.packages.${system}.kmonad;
tasksh = taskshell.packages.${system}.tasksh;
inherit (self.packages.${system})
otpmenu
taskwarrior-hooks
nsxiv
systemctl-find-service-config
bugwarrior
;
})
];
@ -158,7 +166,6 @@
nixpkgs.pkgs = meta.pkgs;
nixpkgs.hostPlatform = meta.system;
clan.core.facts.secretStore = "password-store";
clan.core.vars.settings.secretStore = "password-store";
imports =
modules
@ -206,26 +213,25 @@
];
};
defaultAuthorizedKeys =
{ config, pkgs, ... }:
{
users.users.root.openssh.authorizedKeys.keyFiles = [
# yubikey key
./assets/mrvandalo_rsa.pub
# backup key
"${config.clan.core.settings.directory}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub"
"${config.clan.core.settings.directory}/machines/chungus/facts/ssh.rbackup.id_ed25519.pub"
"${config.clan.core.settings.directory}/machines/chungus/facts/ssh.paperless-ngx.id_ed25519.pub"
];
environment.systemPackages = [ pkgs.borgbackup ];
};
defaultModules = [
# make flake inputs accessiable in NixOS
{
_module.args.self = self;
_module.args.inputs = self.inputs;
}
# ssh keys
(
{ config, ... }:
{
users.users.root.openssh.authorizedKeys.keyFiles = [
# master key
./assets/mrvandalo_rsa.pub
# backup key
"${config.clan.core.clanDir}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub"
"${config.clan.core.clanDir}/machines/chungus/facts/ssh.rbackup.id_ed25519.pub"
];
}
)
{
# disable emergency mode everywhere, although it might be needed on laptops
boot.initrd.systemd.emergencyAccess = false;
@ -250,9 +256,7 @@
"nix-command"
"flakes"
];
# https://nix.dev/manual/nix/2.17/advanced-topics/cores-vs-jobs
nix.settings.max-jobs = 1;
nix.settings.cores = 4;
# no channesl needed this way
nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
@ -265,23 +269,20 @@
./components
./features
#./modules
clan-core.nixosModules.clanCore
telemetry.nixosModules.telemetry
inputs.clan-core.nixosModules.clanCore
{
clan.core.settings.directory = ./.; # fixes issues with clanCore https://git.clan.lol/clan/clan-core/issues/1979
clan.core.clanDir = ./.; # fixes issues with clanCore https://git.clan.lol/clan/clan-core/issues/1979
}
# inputs.stylix.nixosModules.stylix # fixme: not working
permown.nixosModules.permown
kmonad.nixosModules.default
home-manager.nixosModules.home-manager
# retiolum.nixosModules.retiolum # fixme: not working
];
boot.loader.systemd-boot.configurationLimit = lib.mkDefault 10;
boot.loader.generic-extlinux-compatible.configurationLimit = lib.mkDefault 10;
boot.loader.grub.configurationLimit = lib.mkDefault 10;
environment.systemPackages = [
pkgs.systemctl-find-service-config
pkgs.healthchecks
];
}
)
# My Structure
@ -291,8 +292,8 @@
#./system/all # todo : spread this across features and components
# some modules I always use
telemetry.nixosModules.telemetry
permown.nixosModules.permown
kmonad.nixosModules.default
# some default things I always want
(
{ pkgs, ... }:
@ -321,28 +322,25 @@
# https://github.com/danth/stylix/issues/543
stylix.targets.hyprpaper.enable = lib.mkForce false;
stylix.targets.hyprland.enable = lib.mkForce false;
stylix.targets.swaylock.enable = lib.mkForce false;
stylix.targets.qt.platform = "qtct";
# running into strange problems
# fixme: remove if possible
stylix.targets.vim.enable = lib.mkForce false;
}
];
stylix.fonts = {
serif = {
package = pkgs.nerd-fonts.ubuntu;
package = pkgs.nerdfonts.override { fonts = [ "Ubuntu" ]; };
name = "Ubuntu";
};
sansSerif = {
package = pkgs.nerd-fonts.ubuntu;
package = pkgs.nerdfonts.override { fonts = [ "Ubuntu" ]; };
name = "Ubuntu";
};
monospace = {
package = pkgs.nerd-fonts.jetbrains-mono;
package = pkgs.nerdfonts.override { fonts = [ "JetBrainsMono" ]; };
name = "JetBrains Mono";
};
emoji = config.stylix.fonts.monospace;
emoji = {
package = pkgs.noto-fonts-emoji;
name = "Noto Color Emoji";
};
sizes.popups = 15;
};
};
@ -361,7 +359,6 @@
home-manager.backupFileExtension = "backup";
home-manager.sharedModules = [
home-manager-utils.hmModule
taskwarrior.hmModules.bugwarrior
];
};
@ -378,10 +375,9 @@
systems = [ "x86_64-linux" ];
imports = [
clan-core.flakeModules.default
healthchecks.flakeModule
./nix/formatter.nix
./nix/devshells.nix
./nix/packages
./nix/verify
./nix/topology
];
@ -393,13 +389,35 @@
machines = {
cream = clanSetup {
name = "cream";
host = "cream.bear";
modules = [
zerotierModules
nixos-hardware.nixosModules.framework-12th-gen-intel
retiolum.nixosModules.retiolum
private-parts.nixosModules.cream
homeManagerModules
stylixModules
{ home-manager.users.mainUser.gui.enable = true; }
{
home-manager.users.mainUser = import ./homes/palo;
home-manager.users.root = import ./homes/root;
}
{
clan.core.machineDescription = "Laptop";
}
];
};
cherry = clanSetup {
name = "cherry";
host = "cherry.bear";
modules = [
healthchecks.nixosModules.default
self.nixosModules.verify
zerotierModules
nixos-hardware.nixosModules.framework-13th-gen-intel
retiolum.nixosModules.retiolum
private-parts.nixosModules.cherry
homeManagerModules
stylixModules
@ -409,17 +427,8 @@
home-manager.users.root = import ./homes/root;
}
{
clan.core.settings.machine.description = "Laptop";
clan.core.machineDescription = "Laptop";
}
(
{ config, ... }:
{
# keys only to access cherry
users.users.root.openssh.authorizedKeys.keyFiles = [
"${config.clan.core.settings.directory}/machines/cherry/facts/ssh.root.cherry.id_ed25519.pub"
];
}
)
];
};
@ -427,28 +436,20 @@
name = "chungus";
host = "chungus.bear";
modules = [
healthchecks.nixosModules.default
self.nixosModules.verify
zerotierModules
zerotierControllerModule
homeManagerModules
stylixModules
retiolum.nixosModules.retiolum
private-parts.nixosModules.chungus
{
home-manager.users.mainUser = import ./homes/palo;
home-manager.users.root = import ./homes/root;
}
{
clan.core.settings.machine.description = "Home Server";
clan.core.machineDescription = "Home Server";
}
(
{ config, ... }:
{
# keys only to access chungus
users.users.root.openssh.authorizedKeys.keyFiles = [
"${config.clan.core.settings.directory}/machines/cherry/facts/ssh.root.chungus.id_ed25519.pub"
];
}
)
];
};
@ -457,13 +458,11 @@
host = "orbi.bear";
#host = "95.216.66.212";
modules = [
defaultAuthorizedKeys
healthchecks.nixosModules.default
self.nixosModules.verify
homeManagerModules
stylixModules
zerotierModules
srvos.nixosModules.hardware-hetzner-online-intel
private-parts.nixosModules.orbi
#srvos.nixosModules.server
#srvos.nixosModules.mixins-terminfo
{
@ -471,7 +470,7 @@
home-manager.users.root = import ./homes/root;
}
{
clan.core.settings.machine.description = "Internet Server";
clan.core.machineDescription = "Internet Server";
}
];
};
@ -481,7 +480,6 @@
#host = "167.235.205.150";
host = "95.217.18.54";
modules = [
defaultAuthorizedKeys
homeManagerModules
stylixModules
srvos.nixosModules.hardware-hetzner-cloud
@ -493,7 +491,7 @@
home-manager.users.root = import ./homes/root;
}
{
clan.core.settings.machine.description = "Dummy Internet Server";
clan.core.machineDescription = "Dummy Internet Server";
}
];
};
@ -503,7 +501,6 @@
#host = "usbstick.bear";
host = "10.100.0.100";
modules = [
defaultAuthorizedKeys
homeManagerModules
stylixModules
zerotierModules
@ -513,7 +510,7 @@
home-manager.users.root = import ./homes/root;
}
{
clan.core.settings.machine.description = "USB-Stick for Backup";
clan.core.machineDescription = "USB-Stick for Backup";
}
];
};

4
homes/common/default.nix
View file

@ -1,14 +1,12 @@
{ lib, ... }:
{
imports = [
./editor.nix
./network.nix
./starship-rs
./oh-my-posh
./packages.nix
./terminal.nix
./zfs.nix
];
options.gui.enable = lib.mkEnableOption "should GUI packages be anabled?";
}

5
homes/common/editor.nix
View file

@ -4,6 +4,7 @@
enable = true;
defaultEditor = lib.mkDefault true;
};
# enable = true;
#};
programs.helix = {
enable = true;
};
}

15
homes/common/oh-my-posh/default.nix Normal file
View file

@ -0,0 +1,15 @@
{
pkgs,
config,
lib,
...
}:
with lib;
{
programs.oh-my-posh = {
enable = true;
# https://ohmyposh.dev/docs/themes
#useTheme = "gmay"; # ganz nice, aber farben sind ein bisl schrill
settings = builtins.fromJSON (builtins.readFile ./gmay.json);
};
}

121
homes/common/oh-my-posh/gmay.json Normal file
View file

@ -0,0 +1,121 @@
{
"$schema": "https://raw.githubusercontent.com/JanDeDobbeleer/oh-my-posh/main/themes/schema.json",
"blocks": [
{
"alignment": "left",
"segments": [
{
"background": "#076678",
"foreground": "#EBDBB2",
"leading_diamond": "\ue0b6",
"style": "diamond",
"template": " {{ if .WSL }}WSL at {{ end }}{{.Icon}} ",
"type": "os"
},
{
"background": "#AF3A03",
"foreground": "#EBDBB2",
"powerline_symbol": "\ue0b0",
"style": "powerline",
"template": " \uf0e7 ",
"type": "root"
},
{
"background": "#076678",
"foreground": "#EBDBB2",
"powerline_symbol": "\ue0b0",
"style": "powerline",
"template": " {{ if .SSHSession }}\ueba9 {{ end }}{{ .UserName }}@{{ .HostName }} ",
"type": "session"
},
{
"background": "#B57614",
"foreground": "#EBDBB2",
"powerline_symbol": "\ue0b0",
"properties": {
"style": "full"
},
"style": "powerline",
"template": " \ue5ff {{ .Path }} ",
"type": "path"
},
{
"background": "#79740E",
"foreground": "#EBDBB2",
"powerline_symbol": "\ue0b0",
"properties": {
"time_format": "2006-01-02 15:04:05"
},
"style": "powerline",
"template": " {{ .CurrentDate | date .Format }} ",
"type": "time"
},
{
"type": "project",
"style": "powerline",
"powerline_symbol": "",
"foreground": "#193549",
"background": "#ffeb3b",
"template": " {{ if .Error }}{{ .Error }}{{ else }}{{ if .Version }} {{.Version}}{{ end }} {{ if .Name }}{{ .Name }}{{ end }}{{ end }} "
},
{
"type": "git",
"style": "powerline",
"powerline_symbol": "",
"background": "#427b58",
"foreground": "#EBDBB2",
"background_templates": [
"{{ if or (.Working.Changed) (.Staging.Changed) }}#8f3f71{{ end }}",
"{{ if and (gt .Ahead 0) (gt .Behind 0) }}#076678{{ end }}",
"{{ if gt .Ahead 0 }}#076678{{ end }}",
"{{ if gt .Behind 0 }}#076678{{ end }}"
],
"template": "{{ .UpstreamIcon }}{{ .HEAD }}{{if .BranchStatus }} {{ .BranchStatus }}{{ end }}{{ if .Working.Changed }}  {{ .Working.String }}{{ end }}{{ if and (.Working.Changed) (.Staging.Changed) }} |{{ end }}{{ if .Staging.Changed }}  {{ .Staging.String }}{{ end }}{{ if gt .StashCount 0 }}  {{ .StashCount }}{{ end }}",
"properties": {
"fetch_status": true,
"fetch_upstream_icon": true,
"untracked_modes": {
"/Users/user/Projects/oh-my-posh/": "no"
},
"source": "cli",
"mapped_branches": {
"feat/*": "🚀 ",
"bug/*": "🐛 "
}
}
},
{
"background": "#427B58",
"background_templates": [
"{{ if gt .Code 0 }}#9D0006{{ end }}"
],
"foreground": "#EBDBB2",
"leading_diamond": "<transparent,background>\ue0b0</>",
"properties": {
"always_enabled": true
},
"style": "diamond",
"template": " \ueb05 ",
"trailing_diamond": "\ue0b4",
"type": "status"
}
],
"type": "prompt"
},
{
"alignment": "left",
"newline": true,
"segments": [
{
"foreground": "#076678",
"style": "plain",
"template": "\uf0a9 ",
"type": "text"
}
],
"type": "prompt"
}
],
"final_space": true,
"version": 2
}

69
homes/common/oh-my-posh/gruvbox.json Normal file
View file

@ -0,0 +1,69 @@
{
"$schema": "https://raw.githubusercontent.com/JanDeDobbeleer/oh-my-posh/main/themes/schema.json",
"blocks": [
{
"alignment": "left",
"segments": [
{
"background": "#3A3A3A",
"foreground": "#ffffff",
"style": "powerline",
"template": "{{ if .WSL }}WSL at{{ end }} {{.Icon}} ",
"type": "os"
},
{
"background": "#fbf1c7",
"background_templates": [
"{{ if .Root }}#af3a03{{ end }}"
],
"foreground": "#282828",
"foreground_templates": [
"{{ if .Root }}#fbf1c7{{ end }}"
],
"powerline_symbol": "\ue0b0",
"style": "powerline",
"template": " {{ if .SSHSession }} {{ end }}{{ .HostName }} ",
"type": "session"
},
{
"background": "#458588",
"foreground": "#282828",
"powerline_symbol": "\ue0b0",
"properties": {
"style": "full"
},
"style": "powerline",
"template": " {{ .Path }} ",
"type": "path"
},
{
"background": "#98971A",
"background_templates": [
"{{ if or (.Working.Changed) (.Staging.Changed) }}#FF9248{{ end }}",
"{{ if and (gt .Ahead 0) (gt .Behind 0) }}#ff4500{{ end }}",
"{{ if gt .Ahead 0 }}#B388FF{{ end }}",
"{{ if gt .Behind 0 }}#B388FF{{ end }}"
],
"foreground": "#282828",
"leading_diamond": "\ue0b6",
"powerline_symbol": "\ue0b0",
"properties": {
"branch_max_length": 25,
"fetch_stash_count": true,
"fetch_status": true,
"branch_icon": "\uE0A0 ",
"branch_identical_icon": "\u25CF"
},
"style": "powerline",
"template": " {{ .HEAD }}{{if .BranchStatus }} {{ .BranchStatus }}{{ end }}{{ if .Working.Changed }} \uf044 {{ .Working.String }}{{ end }}{{ if and (.Working.Changed) (.Staging.Changed) }} |{{ end }}{{ if .Staging.Changed }} \uf046 {{ .Staging.String }}{{ end }}{{ if gt .StashCount 0 }} \ueb4b {{ .StashCount }}{{ end }} ",
"trailing_diamond": "\ue0b4",
"type": "git"
}
],
"type": "prompt"
}
],
"console_title_template": "{{ .Folder }}",
"final_space": true,
"version": 2
}

8
homes/common/packages.nix
View file

@ -23,9 +23,7 @@ with lib;
gimoji
#tldr
tealdeer
navi # cheatsheet manager
tldr
bandwhich # todo : put this to common/networking.nix
@ -39,12 +37,8 @@ with lib;
(writers.writeBashBin "vulnix-system" ''
${vulnix}/bin/vulnix --profile /nix/var/nix/profiles/system
'')
# cpu load monitor
glances
];
# cpu load monitor
programs.btop.enable = true;
}

33
homes/common/starship-rs/default.nix
View file

@ -1,33 +0,0 @@
{
pkgs,
config,
lib,
...
}:
with lib;
with config.lib.stylix.colors.withHashtag;
{
programs.starship = {
enable = true;
# download presets from : https://starship.rs/presets/
settings = builtins.fromTOML ((builtins.readFile ./gruvbox-rainbow.toml)) // {
palettes.stylix = {
color_fg0 = base01;
color_terminal_fg = base05;
color_terminal_bg = base00;
color_bg1 = base04;
color_bg2 = base02;
color_bg3 = base03;
color_blue = base0D;
color_aqua = base0C;
color_green = base0B;
color_orange = base0F;
color_purple = base0E;
color_red = base08;
color_yellow = base0A;
};
};
};
}

184
homes/common/starship-rs/gruvbox-rainbow.toml
View file

@ -1,184 +0,0 @@
"$schema" = 'https://starship.rs/config-schema.json'
format = """
$os\
$username\
$hostname \
[](bg:color_yellow fg:color_terminal_bg)\
$directory\
[](fg:color_yellow bg:color_aqua)\
$git_branch\
$git_status\
[](fg:color_aqua bg:color_blue)\
$c\
$rust\
$golang\
$nodejs\
$php\
$java\
$kotlin\
$haskell\
$python\
[](fg:color_blue bg:color_bg3)\
$docker_context\
$conda\
[](fg:color_bg3 bg:color_bg1)\
$time\
[ ](fg:color_bg1)\
$character"""
palette = 'stylix' # we use stylix instead of gruvbox_dark
# todo : use stylix/base16 scheme
[palettes.gruvbox_dark]
color_fg0 = '#fbf1c7'
color_terminal_bg = '#fbf1c7' # original background
color_terminal_fg = '#3c3836' # original foreground
color_bg1 = '#3c3836'
color_bg2 = '#665c54'
color_bg3 = '#665c54'
color_blue = '#458588'
color_aqua = '#689d6a'
color_green = '#98971a'
color_orange = '#d65d0e'
color_purple = '#b16286'
color_red = '#cc241d'
color_yellow = '#d79921'
[os]
disabled = false
style = "bold bg:color_blue fg:color_terminal_bg"
#format = "[$symbol ]($style)"
format = "[](color_blue)[$symbol ]($style)[ ](fg:color_blue bg:color_terminal_bg)"
[os.symbols]
Alpine = ""
Amazon = ""
Android = ""
Arch = "󰣇"
Artix = "󰣇"
CentOS = ""
Debian = "󰣚"
EndeavourOS = ""
Fedora = "󰣛"
Gentoo = "󰣨"
Linux = "󰌽"
Macos = "󰀵"
Manjaro = ""
Mint = "󰣭"
NixOS = ""
Pop = ""
Raspbian = "󰐿"
RedHatEnterprise = "󱄛"
Redhat = "󱄛"
SUSE = ""
Ubuntu = "󰕈"
Windows = "󰍲"
[username]
show_always = true
style_user = "bg:color_terminal_bg fg:color_terminal_fg"
style_root = "bg:color_terminal_bg fg:color_red bold"
format = '[$user]($style)'
[hostname]
ssh_only = true
style = "bg:color_terminal_bg fg:color_terminal_fg"
ssh_symbol = "@"
format = "[$ssh_symbol$hostname]($style)"
[directory]
style = "fg:color_fg0 bg:color_yellow"
format = "[ $path ]($style)"
truncation_length = 3
truncation_symbol = "…/"
[directory.substitutions]
"Documents" = "󰈙 "
"Downloads" = " "
"Music" = "󰝚 "
"Pictures" = " "
"Developer" = "󰲋 "
"dev" = "󰲋 "
[git_branch]
symbol = ""
style = "bg:color_aqua"
format = '[[ $symbol $branch ](fg:color_fg0 bg:color_aqua)]($style)'
[git_status]
style = "bg:color_aqua"
format = '[[($all_status$ahead_behind )](fg:color_fg0 bg:color_aqua)]($style)'
[nodejs]
symbol = ""
style = "bg:color_blue"
format = '[[ $symbol( $version) ](fg:color_fg0 bg:color_blue)]($style)'
[c]
symbol = " "
style = "bg:color_blue"
format = '[[ $symbol( $version) ](fg:color_fg0 bg:color_blue)]($style)'
[rust]
symbol = ""
style = "bg:color_blue"
format = '[[ $symbol( $version) ](fg:color_fg0 bg:color_blue)]($style)'
[golang]
symbol = ""
style = "bg:color_blue"
format = '[[ $symbol( $version) ](fg:color_fg0 bg:color_blue)]($style)'
[php]
symbol = ""
style = "bg:color_blue"
format = '[[ $symbol( $version) ](fg:color_fg0 bg:color_blue)]($style)'
[java]
symbol = ""
style = "bg:color_blue"
format = '[[ $symbol( $version) ](fg:color_fg0 bg:color_blue)]($style)'
[kotlin]
symbol = ""
style = "bg:color_blue"
format = '[[ $symbol( $version) ](fg:color_fg0 bg:color_blue)]($style)'
[haskell]
symbol = ""
style = "bg:color_blue"
format = '[[ $symbol( $version) ](fg:color_fg0 bg:color_blue)]($style)'
[python]
symbol = ""
style = "bg:color_blue"
format = '[[ $symbol( $version) ](fg:color_fg0 bg:color_blue)]($style)'
[docker_context]
symbol = ""
style = "bg:color_bg3"
format = '[[ $symbol( $context) ](fg:color_fg0 bg:color_bg3)]($style)'
[conda]
style = "bg:color_bg3"
format = '[[ $symbol( $environment) ](fg:color_fg0 bg:color_bg3)]($style)'
[time]
disabled = false
time_format = "%R"
style = "bg:color_bg1"
format = '[[  $time ](fg:color_fg0 bg:color_bg1)]($style)'
[line_break]
disabled = false
[character]
disabled = false
success_symbol = "[](fg:color_bg2)[ ](bold fg:color_terminal_fg bg:color_bg2)[](fg:color_bg2)"
error_symbol = "[](fg:color_bg2)[ ](bold fg:color_red bg:color_bg2)[](fg:color_bg2)"
vimcmd_symbol = '[](bold fg:color_green)'
vimcmd_replace_one_symbol = '[](bold fg:color_purple)'
vimcmd_replace_symbol = '[](bold fg:color_purple)'
vimcmd_visual_symbol = '[](bold fg:color_yellow)'

25
homes/common/terminal.nix
View file

@ -37,4 +37,29 @@
enableZshIntegration = true;
};
# provide better `Ctrl+r` command in terminal
programs.atuin = {
enable = true;
enableBashIntegration = true;
enableZshIntegration = true;
#package = pkgs.atuin;
package = pkgs.legacy_2405.atuin.overrideAttrs (_old: {
# as cursed as doing mitigations=off in the kernel command line
patches = [ "${assets}/0001-make-atuin-on-zfs-fast-again.patch" ];
});
settings = {
auto_sync = true;
sync_frequency = "5m";
sync_address = "http://chungus.private:8888";
search_mode = "fuzzy";
style = "full";
inline_height = 20;
keymap_mode = "vim-normal";
# With workspace filtering enabled, Atuin will filter for commands executed
# in any directory within a git repository tree.
workspaces = true;
};
};
}

28
homes/palo/atuin.nix
View file

@ -1,28 +0,0 @@
{
# provide better `Ctrl+r` command in terminal
programs.atuin = {
enable = true;
enableBashIntegration = true;
enableZshIntegration = true;
daemon.enable = true;
settings = {
auto_sync = true;
sync_frequency = "5m";
sync_address = "http://chungus.private:8888";
search_mode = "fuzzy";
style = "full";
inline_height = 20;
keymap_mode = "vim-normal";
# because the daemon can't remember my mode (with Ctrl-r)
filter_mode = "directory";
# With workspace filtering enabled, Atuin will filter for commands executed
# in any directory within a git repository tree.
workspaces = true;
};
};
}

3
homes/palo/default.nix
View file

@ -3,7 +3,6 @@
imports = [
../common
./atuin.nix
./git.nix
./gpg.nix
./gui
@ -13,7 +12,7 @@
./stylix.nix
./taskwarrior.nix
./tmux.nix
#./zellij.nix
./zellij.nix
];
home.stateVersion = "22.11";

1
homes/palo/git.nix
View file

@ -14,7 +14,6 @@ with pkgs;
"*.swp"
"*~"
".idea"
"*.iml"
".*penis.*"
"result"
".envrc"

78
homes/palo/i3.nix
View file

@ -87,37 +87,36 @@ in
format = "$icon $percentage $time";
}
{ block = "uptime"; }
# interferes with `bugwarrior pull`
# {
# block = "taskwarrior";
# interval = 60;
# format = " $icon $count.eng(w:3) todo ";
# format_singular = " $icon 1 task ";
# format_everything_done = "";
# warning_threshold = 10;
# critical_threshold = 20;
# filters = [
# {
# name = "active";
# filter = "+PENDING and ( +ACTIVE or +DUETODAY or +TODAY or +OVERDUE )";
# }
# ];
# }
# {
# block = "taskwarrior";
# interval = 60;
# format = " $icon $count.eng(w:2) ";
# format_singular = " $icon 1 task ";
# format_everything_done = "";
# warning_threshold = 3;
# critical_threshold = 5;
# filters = [
# {
# name = "started";
# filter = "+PENDING and +ACTIVE";
# }
# ];
# }
{
block = "taskwarrior";
interval = 60;
format = " $icon $count.eng(w:3) todo ";
format_singular = " $icon 1 task ";
format_everything_done = "";
warning_threshold = 10;
critical_threshold = 20;
filters = [
{
name = "active";
filter = "+PENDING and ( +ACTIVE or +DUETODAY or +TODAY or +OVERDUE )";
}
];
}
{
block = "taskwarrior";
interval = 60;
format = " $icon $count.eng(w:2) ";
format_singular = " $icon 1 task ";
format_everything_done = "";
warning_threshold = 3;
critical_threshold = 5;
filters = [
{
name = "started";
filter = "+PENDING and +ACTIVE";
}
];
}
{
block = "time";
interval = 60;
@ -126,7 +125,7 @@ in
{
block = "tea_timer";
format = " $icon {$minutes:$seconds |}";
done_cmd = "${pkgs.noti}/bin/noti -o -t 'Timer Finished' || ${pkgs.noti}/bin/noti -t 'Timer Finished'";
done_cmd = "${pkgs.noti}/bin/noti -t 'Timer Finished'";
}
];
};
@ -214,12 +213,9 @@ in
"XF86MonBrightnessDown" = "exec --no-startup-id ${pkgs.brightnessctl}/bin/brightnessctl set 5%-";
# --- Pulse/Pipewire Audio controls --- #
"XF86AudioRaiseVolume" =
"exec --no-startup-id ${pkgs.pulseaudio}/bin/pactl set-sink-volume @DEFAULT_SINK@ +5%";
"XF86AudioLowerVolume" =
"exec --no-startup-id ${pkgs.pulseaudio}/bin/pactl set-sink-volume @DEFAULT_SINK@ -5%";
"XF86AudioMute" =
"exec --no-startup-id ${pkgs.pulseaudio}/bin/pactl set-sink-mute @DEFAULT_SINK@ toggle";
"XF86AudioRaiseVolume" = "exec --no-startup-id ${pkgs.pulseaudio}/bin/pactl set-sink-volume @DEFAULT_SINK@ +5%";
"XF86AudioLowerVolume" = "exec --no-startup-id ${pkgs.pulseaudio}/bin/pactl set-sink-volume @DEFAULT_SINK@ -5%";
"XF86AudioMute" = "exec --no-startup-id ${pkgs.pulseaudio}/bin/pactl set-sink-mute @DEFAULT_SINK@ toggle";
"${modifier}+Return" = "exec ${cfg.config.terminal}";
"${modifier}+Shift+q" = "exit";
@ -237,9 +233,6 @@ in
"${modifier}+Shift+Up" = "move up";
"${modifier}+Shift+Right" = "move right";
# sticky window toggle
"${modifier}+Shift+s" = "sticky toggle";
"${modifier}+h" = "split h";
"${modifier}+v" = "split v";
"${modifier}+f" = "fullscreen toggle";
@ -322,8 +315,7 @@ in
"${modifier}+space" = "exec ${rofi}/bin/rofi -show drun -display-drun ''";
"${modifier}+Shift+c" = "reload";
"${modifier}+Shift+r" = "restart";
"${modifier}+Shift+e" =
"exec i3-nagbar -t warning -m 'Do you want to exit i3?' -b 'Yes' 'i3-msg exit'";
"${modifier}+Shift+e" = "exec i3-nagbar -t warning -m 'Do you want to exit i3?' -b 'Yes' 'i3-msg exit'";
"${modifier}+r" = "mode resize";

11
homes/palo/packages/development.nix
View file

@ -16,11 +16,9 @@ with lib;
# general
jetbrains.idea-ultimate
vscode
#vscode
#zed-editor
# minicom # for flipper zero
zed-editor
#jetbrains.mps
#jetbrains.datagrip
@ -47,6 +45,8 @@ with lib;
termtosvg
vhs
#legacy_2311.blockdiag
# nomad
#nomad
#vault
@ -106,7 +106,7 @@ with lib;
tmux
nethogs
#netsniff-ng # build problems
netsniff-ng
iftop
# shell
@ -114,7 +114,6 @@ with lib;
yq-go
gojq
jq
fx
ijq
miller

28
homes/palo/packages/graphics.nix
View file

@ -6,45 +6,23 @@
}:
with pkgs;
with lib;
let
use_override = false;
bambu-studio =
if use_override then
pkgs.bambu-studio.overrideAttrs (old: rec {
version = "01.10.02.76";
src = pkgs.fetchFromGitHub {
owner = "bambulab";
repo = "BambuStudio";
rev = "v${version}";
hash = "sha256-LvAi3I5lnnumhOUagyej28uVy0Lgd3e19HNQXOUWSvQ=";
};
})
else
pkgs.bambu-studio;
in
{
config = mkIf config.gui.enable {
home.packages = [
#pureref
pureref
gimp
inkscape
imagemagick
blender
lightburn
# to convert HEIC -> JPG
# heif-dec -q 92 <name>.HEIC
libheif
darktable
colorpicker
# CAD & 3D Plotting
openscad
fstl
orca-slicer
bambu-studio
legacy_2311.cura
qrencode

2
homes/palo/packages/logseq.nix
View file

@ -9,7 +9,7 @@ with lib;
{
config = mkIf config.gui.enable {
home.packages = [
pkgs.logseq
pkgs.legacy_2405.logseq
];
#home.file.".config/Logseq/Preferences".source = (pkgs.formats.json { }).generate "LogseqPreferences.json"
# {

3
homes/palo/packages/media.nix
View file

@ -11,9 +11,6 @@ with lib;
(mkIf config.gui.enable {
home.packages = [
pkgs.share-via-http
pkgs.freetube
pkgs.vlc

3
homes/palo/packages/nextcloud.nix
View file

@ -7,7 +7,7 @@
with pkgs;
with lib;
let
nextcloud-client = pkgs.nextcloud-client;
nextcloud-client = pkgs.legacy_2311.nextcloud-client;
nextcloudSync =
folder:
@ -51,7 +51,6 @@ in
(nextcloudSync "Kunstbuch")
(nextcloudSync "Flipper")
(nextcloudSync "AWS-SolutionArchitect-Professional")
(nextcloudSync "windows")
borrow

8
homes/palo/packages/packages.nix
View file

@ -55,14 +55,6 @@ with lib;
#seamly2d
#valentina
# xorg/x11 macros
# ---------------
# wait 2 secs, than record mouse movements (use Ctrl-C to stop recording)
# > cnee --record --mouse -o ./mouse-events.xnl --time 2
# replay 3 times the mouse movements (zsh only)
# > repeat 3 cnee --time 2 --replay -f ./mouse-events.xnl
xnee
];
};

3
homes/palo/packages/social.nix
View file

@ -9,10 +9,11 @@ with lib;
{
config = mkIf config.gui.enable {
programs.obs-studio.enable = false;
programs.obs-studio.enable = true;
home.packages = [
emoji-picker
signal-desktop
legacy_2311.fluffychat
];
};

2
homes/palo/stylix.nix
View file

@ -1,6 +1,8 @@
{ pkgs, config, ... }:
{
stylix.targets.swaylock.enable = config.gui.enable;
stylix.base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-light-medium.yaml";
stylix.fonts = {

84
homes/palo/taskwarrior.nix
View file

@ -7,22 +7,100 @@
with lib;
with types;
let
mkMagicMergeOption =
{
description ? "",
example ? { },
default ? { },
apply ? id,
...
}:
mkOption {
inherit
example
description
default
apply
;
type =
with lib.types;
let
valueType =
nullOr (oneOf [
bool
int
float
str
(attrsOf valueType)
(listOf valueType)
])
// {
description = "bool, int, float or str";
emptyValue.value = { };
};
in
valueType;
};
#taskwarrior-tui = pkgs.legacy_2311.taskwarrior-tui;
taskwarrior-tui = pkgs.taskwarrior-tui;
taskwarrior = pkgs.taskwarrior3;
in
{
config = mkIf config.gui.enable {
# bugwarrior (a bit fiddly)
imports = [
{
bugwarrior.enable = true;
options.bugwarrior.config = mkMagicMergeOption {
type = attrs;
default = { };
};
config = mkIf config.gui.enable {
home.file.".config/bugwarrior/bugwarrior.toml".source =
(pkgs.formats.toml { }).generate "bugwarriorrc.toml"
(
{
general.taskrc = pkgs.writeText "taskrc" "data.location=$HOME/.bugwarrior";
}
// config.bugwarrior.config
);
home.packages = [
pkgs.bugwarrior
#export TASKRC=$HOME/.bugwarrior/${pkgs.writeText "bugwarrior.taskrc" "data.location=$HOME/.bugwarrior"}
(pkgs.writers.writeBashBin "bugwarrior-sync" ''
set -eo pipefail
mkdir -p $HOME/.bugwarrior
touch $HOME/.bugwarrior/taskrc
export TASKRC=$HOME/.bugwarrior/taskrc
export TASKDATA=$HOME/.bugwarrior
echo "bugwarrior pull" | ${pkgs.boxes}/bin/boxes -d ansi
${pkgs.bugwarrior}/bin/bugwarrior pull "$@"
echo "task export" | ${pkgs.boxes}/bin/boxes -d ansi
${pkgs.taskwarrior}/bin/task export > $HOME/.bugwarrior/bugwarrior.json
unset TASKRC
unset TASKDATA
echo "task import" | ${pkgs.boxes}/bin/boxes -d ansi
${taskwarrior}/bin/task import rc.hooks=0 $HOME/.bugwarrior/bugwarrior.json
'')
];
};
}
];
config = mkIf config.gui.enable {
home.packages = [
pkgs.timewarrior
pkgs.bugwarrior
taskwarrior
pkgs.tasksh

2
homes/tina/stylix.nix
View file

@ -1,6 +1,8 @@
{ pkgs, config, ... }:
{
stylix.targets.swaylock.enable = config.gui.enable;
stylix.base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-light-medium.yaml";
stylix.fonts = {

148
images/lib/remote-access.nix Normal file
View file

@ -0,0 +1,148 @@
{
# cat ~/.ssh/id_rsa.pub
publicSshKey ? "",
# remote-install-get-hiddenReceiver
hiddenReceiver ? "",
}:
{
config,
lib,
pkgs,
...
}:
{
imports = [
{
# system setup
networking.hostName = "liveos";
users.extraUsers = {
root = {
openssh.authorizedKeys.keys = [ publicSshKey ];
};
};
}
{
# installed packages
environment.systemPackages = with pkgs; [
#style
most
rxvt_unicode.terminfo
#monitoring tools
htop
iotop
#network
iptables
iftop
nmap
#stuff for dl
aria2
#neat utils
pciutils
psmisc
tmux
usbutils
git
#unpack stuff
p7zip
unzip
unrar
#data recovery
ddrescue
ntfs3g
dosfstools
];
}
{
# bash configuration
programs.bash = {
enableCompletion = true;
interactiveShellInit = ''
HISTCONTROL='erasedups:ignorespace'
HISTSIZE=65536
HISTFILESIZE=$HISTSIZE
shopt -s checkhash
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
complete -d cd
'';
promptInit = ''
if test $UID = 0; then
PS1='\[\033[1;31m\]\w\[\033[0m\] '
PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
elif test $UID = 1337; then
PS1='\[\033[1;32m\]\w\[\033[0m\] '
PROMPT_COMMAND='echo -ne "\033]0;$$ $PWD\007"'
else
PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
fi
if test -n "$SSH_CLIENT"; then
PS1='\[\033[35m\]\h'" $PS1"
PROMPT_COMMAND='echo -ne "\033]0;$$ $HOSTNAME $USER@$PWD\007"'
fi
'';
};
}
{
# ssh configuration
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
}
{
# hidden ssh announce
config =
let
torDirectory = "/var/lib/tor";
hiddenServiceDir = torDirectory + "/onion/hidden-ssh";
in
{
services.tor = {
enable = true;
client.enable = true;
relay.onionServices.hidden-ssh = {
version = 3;
map = [
{
port = 22;
target.port = 22;
}
];
};
};
systemd.services.hidden-ssh-announce = {
description = "irc announce hidden ssh";
after = [
"tor.service"
"network-online.target"
];
wants = [ "tor.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = pkgs.writers.writeDash "irc-announce-ssh" ''
set -efu
until test -e ${hiddenServiceDir}/hostname; do
echo "still waiting for ${hiddenServiceDir}/hostname"
sleep 1
done
until ${pkgs.tor}/bin/torify ${pkgs.netcat-openbsd}/bin/nc -z ${hiddenReceiver} 1337; do sleep 1; done && \
echo "torify ssh root@$(cat ${hiddenServiceDir}/hostname) -i ~/.ssh/id_rsa" | ${pkgs.tor}/bin/torify ${pkgs.nmap}/bin/ncat ${hiddenReceiver} 1337
'';
PrivateTmp = "true";
User = "tor";
Type = "oneshot";
};
};
};
}
];
}

61
images/machine-init-configuration.nix Normal file
View file

@ -0,0 +1,61 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
"${builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"}/module.nix"
(import ./disko-config.nix { })
];
networking.hostName = "nixos";
boot.supportedFilesystems = [ "zfs" ];
# head -c4 /dev/urandom | od -A none -t x4
networking.hostId = "4750e4b8";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.tmpOnTmpfs = true; # make /tmp a tmpfs (performance!)
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
environment.systemPackages = with pkgs; [
vim
wget
htop
silver-searcher
];
environment.extraInit = ''
# use vi shortcuts
# ----------------
set -o vi
EDITOR=vim
'';
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw== contact@ingolf-wagner.de"
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

19
images/remote-install/README.md Normal file
View file

@ -0,0 +1,19 @@
# remote installation iso
- `./config.nix` : to generate the installation image
- `./remote-service.nix` : tor configuration you have to start on your machine.
## Steps
- import `./remote-service.nix` in your `/etc/nixos/configuration.nix`
- `nixos-rebuild switch`
- run `remote-install-get-hiddenReceiver` and enter the result in `./config.nix`
as `hiddenReceiver`
- set the public key in `./config.nix`
- run `nixos-generate -f install-iso -c ./config.nix`
- prepare the usb stick : `sudo if=<path of the iso> of=/dev/<device> bs=4096`
- boot the usb-stick at the new machine
- run `remote-install-start-service`
- after some time you will see a you can use to login to the new machine.
Now you can do the normal installations procedure.

35
images/remote-install/config.nix Normal file
View file

@ -0,0 +1,35 @@
{ pkgs, lib, ... }:
let
remote-access = import ../lib/remote-access.nix {
# cat ~/.ssh/id_rsa.pub
publicSshKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw==";
# remote-install-get-hiddenReceiver
hiddenReceiver = "";
};
in
{
imports = [ remote-access ];
# network configuration
# ---------------------
# no wifi
#networking.networkmanager.enable = true;
# wifi
networking.wireless.enable = true;
networking.wireless.networks."ssid".psk = "password";
# configuration
environment.extraInit = ''
# use vi shortcuts
# ----------------
set -o vi
EDITOR=vim
'';
}

18
images/remote-install/remote-install.nix Normal file
View file

@ -0,0 +1,18 @@
# installs scripts and tor to provide an announcement service for nixos-remote installation.
{
services.tor = {
enable = true;
client.enable = true;
relay.onionServices.liveos.map = [ { port = 1337; } ];
};
environment.systemPackages = [
(pkgs.writeShellScriptBin "remote-install-start-service" ''
echo "starting announcment server to receive remote-install iso onion id"
${pkgs.nmap}/bin/ncat -k -l -p 1337
'')
(pkgs.writeShellScriptBin "remote-install-get-hiddenReceiver" ''
sudo cat /var/lib/tor/onion/liveos/hostname
'')
];
}

34
images/translate-setup/README.md Normal file
View file

@ -0,0 +1,34 @@
# Create a easy to use Image for translation
using [nixos-generators](https://github.com/nix-community/nixos-generators).
## generate easy to use iso
```
nixos-generate -f install-iso -c config.nix
```
## generate vmware image
```
nixos-generate -f vmware -c config.nix
```
## run locally using qcow
```
nixos-generate --run -c config.nix
```
## how to install nixos-generators
```
nix-shell -I nixpkgs=channel:nixos-unstable -p nixos-generators
```
## how to start download service
```
iptables -F # kill firewall
python -m http.server 80 # nix-shell -p python3Full
```

22
images/translate-setup/audio.nix Normal file
View file

@ -0,0 +1,22 @@
{
pkgs,
lib,
config,
...
}:
{
users.users.mainUser.extraGroups = [
"audio"
"pipewire"
];
hardware.pulseaudio = {
enable = true;
package = pkgs.pulseaudioFull;
};
environment.systemPackages = with pkgs; [
alsaUtils
pavucontrol
];
}

63
images/translate-setup/config.nix Normal file
View file

@ -0,0 +1,63 @@
{
pkgs,
lib,
config,
...
}:
{
imports = [
./x11.nix
./audio.nix
];
#networking.networkmanager.enable = true;
#networking.wireless.enable = false;
# configuration
environment.extraInit = ''
# use vi shortcuts
# ----------------
set -o vi
EDITOR=vim
'';
services.xserver.displayManager.sessionCommands = ''
${pkgs.mumble}/bin/mumble mumble://name@lassul.us/party/hard &
${pkgs.vlc}/bin/vlc &
${pkgs.pavucontrol}/bin/pavucontrol &
'';
networking.hostName = "translate";
programs.bash = {
enableCompletion = true;
interactiveShellInit = ''
HISTCONTROL='erasedups:ignorespace'
HISTSIZE=65536
HISTFILESIZE=$HISTSIZE
shopt -s checkhash
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
complete -d cd
'';
promptInit = ''
if test $UID = 0; then
PS1='\[\033[1;31m\]\w\[\033[0m\] '
PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
elif test $UID = 1337; then
PS1='\[\033[1;32m\]\w\[\033[0m\] '
PROMPT_COMMAND='echo -ne "\033]0;$$ $PWD\007"'
else
PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
fi
if test -n "$SSH_CLIENT"; then
PS1='\[\033[35m\]\h'" $PS1"
PROMPT_COMMAND='echo -ne "\033]0;$$ $HOSTNAME $USER@$PWD\007"'
fi
'';
};
}

60
images/translate-setup/x11.nix Normal file
View file

@ -0,0 +1,60 @@
{
pkgs,
config,
lib,
...
}:
{
services.xserver = {
enable = true;
desktopManager = {
xterm.enable = false;
xfce.enable = true;
};
displayManager = {
defaultSession = "xfce";
sddm = {
enable = true;
autoLogin = {
enable = true;
relogin = true;
user = config.users.users.mainUser.name;
};
};
sessionCommands = ''
${pkgs.mumble}/bin/mumble &
${pkgs.vlc}/bin/vlc &
${pkgs.pavucontrol}/bin/pavucontrol &
'';
};
# mouse/touchpad
# --------------
libinput = {
enable = true;
disableWhileTyping = true;
tapping = true;
scrollMethod = "twofinger";
accelSpeed = "2";
};
};
users.users.mainUser = {
isNormalUser = true;
name = "translator";
uid = 1001;
initialPassword = "translate";
};
# Packages
# --------
environment.systemPackages = with pkgs; [
flameshot
pavucontrol
mumble
vlc
];
}

58
images/usb-init-configuration.nix Normal file
View file

@ -0,0 +1,58 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
networking.hostName = "nixos";
# grub configuraton
# -----------------
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "/dev/sdb";
boot.loader.grub.efiInstallAsRemovable = true;
boot.tmpOnTmpfs = true;
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "Europe/Berlin";
environment.systemPackages = with pkgs; [
vim
wget
htop
silver-searcher
];
environment.extraInit = ''
# use vi shortcuts
# ----------------
set -o vi
EDITOR=vim
'';
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw== contact@ingolf-wagner.de"
];
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

14
images/windows-rescue/README.md Normal file
View file

@ -0,0 +1,14 @@
# To Fix Windows Issues
## reset password
- use `sfdisk -l` to list partitions
- find the partition which holds `Windows/System32/config`
- mount it `mkdir -p /media/sda2; mount /dev/sda2 /media/sda2`
- `cd /media/sda2/Windows/System32/config`
- list SAM database `chntpw -l SAM`
- edit SAM database `chntpw -i SAM`
- reboot
more details
[here](https://opensource.com/article/18/3/how-reset-windows-password-linux).

51
images/windows-rescue/config.nix Normal file
View file

@ -0,0 +1,51 @@
# NixOS livesystem to reset windows passwords
# Step by step guide : https://opensource.com/article/18/3/how-reset-windows-password-linux
# $ nixos-generator -f iso -c config.nix
{ pkgs, ... }:
let
wifi = {
ssid = "";
plainTextPassword = "";
};
remote-access = import ../lib/remote-access.nix {
publicSshKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw==";
hiddenReceiver = "";
};
in
{
imports = [ remote-access ];
environment.systemPackages = [
pkgs.chntpw
pkgs.ntfs3g
];
networking.dhcpcd.enable = true;
networking.wireless = {
enable = true;
networks."${wifi.ssid}".psk = wifi.plainTextPassword;
};
environment.extraInit = ''
# use vi shortcuts
# ----------------
set -o vi
EDITOR=vim
'';
services.xserver = {
enable = true;
displayManager.auto.enable = true;
desktopManager = {
default = "xfce";
xterm.enable = false;
xfce.enable = true;
xfce.extraSessionCommands = ''
${pkgs.midori}/bin/midori https://opensource.com/article/18/3/how-reset-windows-password-linux &
${pkgs.xfce.terminal}/bin/xfce4-terminal &
'';
};
};
}

75
images/yubikey-image.nix Normal file
View file

@ -0,0 +1,75 @@
# NixOS livesystem to generate yubikeys in an air-gapped manner
# screenshot: https://dl.thalheim.io/wmxIqucOEo2xuLk0Ut45fQ/yubikey-live-system.png
# $ nix-shell -p nixos-generate --run "nixos-generate -f iso -c yubikey-image.nix"
{ pkgs, ... }:
let
guide = pkgs.stdenv.mkDerivation {
name = "yubikey-guide-2019-01-21.html";
src = pkgs.fetchFromGitHub {
owner = "drduh";
repo = "YubiKey-Guide";
rev = "035d98ebbed54a0218ccbf23905054d32f97508e";
sha256 = "0rzy06a5xgfjpaklxdgrxml24d0vhk78lb577l3z4x7a2p32dbyq";
};
buildInputs = [ pkgs.pandoc ];
installPhase = "pandoc --highlight-style pygments -s --toc README.md -o $out";
};
in
{
environment.interactiveShellInit = ''
export GNUPGHOME=/run/user/$(id -u)/gnupghome
if [ ! -d $GNUPGHOME ]; then
mkdir $GNUPGHOME
fi
cp ${
pkgs.fetchurl {
url = "https://raw.githubusercontent.com/drduh/config/662c16404eef04f506a6a208f1253fee2f4895d9/gpg.conf";
sha256 = "118fmrsn28fz629y7wwwcx7r1wfn59h3mqz1snyhf8b5yh0sb8la";
}
} "$GNUPGHOME/gpg.conf"
echo "\$GNUPGHOME has been set up for you. Generated keys will be in $GNUPGHOME."
'';
environment.systemPackages = with pkgs; [
yubikey-personalization
yubikey-personalization-gui
yubikey-manager
yubikey-manager-qt
cryptsetup
pwgen
midori
paperkey
gnupg
ctmg
];
services.udev.packages = with pkgs; [ yubikey-personalization ];
services.pcscd.enable = true;
users.extraUsers.root.initialHashedPassword = "";
# make sure we are air-gapped
networking.wireless.enable = false;
networking.dhcpcd.enable = false;
services.getty.helpLine = "The 'root' account has an empty password.";
services.displayManager = {
defaultSession = "xfce";
autoLogin = {
enable = true;
user = "root";
};
};
services.xserver = {
enable = true;
desktopManager = {
xterm.enable = false;
xfce.enable = true;
};
displayManager = {
sessionCommands = ''
${pkgs.midori}/bin/midori ${guide} &
'';
};
};
}

68
machines/cherry/configuration.nix
View file

@ -13,19 +13,18 @@
./syncthing.nix
./network-tinc.nix
./network-tinc_retiolum.nix
./network-wireguard-wg0.nix
./network-wireguard-wg1.nix
./37c3.nix
./topology.nix
./ssh-chungus.nix
./ssh-cherry.nix
./ferdium.nix
];
#time.timeZone = lib.mkForce "Asia/Bangkok";
time.timeZone = lib.mkForce "Asia/Tokyo";
#clan.core.facts.services =
# let
# promptKey = key:
@ -46,10 +45,8 @@
# (promptKey "pushover.api_key");
components.virtualisation.enable = true;
components.virtualisation.qemu.enable = false;
components.gui.enable = true;
#components.gui.audio.enable = false;
components.mainUser.enable = true;
components.media.enable = true;
components.media.tts-client.enable = false;
@ -57,8 +54,9 @@
components.network.wifi.enable = true;
components.terminal.enable = true;
telemetry.enable = true;
telemetry.apps.opentelemetry.exporter.endpoint = "10.100.0.1:4317"; # orbi
components.monitor.enable = true;
components.monitor.opentelemetry.exporter.endpoint = "10.100.0.1:4317"; # orbi
#components.monitor.opentelemetry.exporter.debug = "logs";
home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
# todo: move to homemanager
@ -68,20 +66,24 @@
"terranix"
"my_github"
"logseq"
#"trello" # todo make it work
#"nextcloud-deck"
];
log_level = "INFO";
static_fields = [ "priority" ];
merge_annotations = false;
taskrc = pkgs.writeText "taskrc" ''
data.location=$HOME/.bugwarrior
'';
};
trello = {
service = "trello";
token = "@oracle:eval:${pkgs.pass}/bin/pass show bugwarrior/trello/token";
add_tags = "bugwarrior_pull,trello";
nextcloud-deck = {
service = "deck";
base_uri = "https://nextcloud.ingolf-wagner.de";
username = "palo";
password = "@oracle:eval:${pkgs.pass}/bin/pass show bugwarrior/nextcloud-deck/palo";
};
logseq = {
service = "logseq";
add_tags = "bugwarrior_pull,logseq";
add_tags = "bugwarrior,logseq";
description_template = "{{logseqtitle}}";
};
terranix = {
@ -91,31 +93,29 @@
username = "mrVanDalo";
default_priority = "";
description_template = "{{githubtitle}} {{githuburl}}";
add_tags = "bugwarrior_pull,github";
add_tags = "bugwarrior,github";
project_template = "terranix";
involved_issues = true;
query = "org:terranix is:open";
include_user_issues = false;
include_user_repos = false;
};
# todo: add gmail
# todo: add trello
my_github = {
service = "github";
login = "mrVanDalo";
token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
username = "mrVanDalo";
description_template = "{{githubtitle}} {{githuburl}}";
add_tags = "bugwarrior_pull,github";
add_tags = "bugwarrior,github";
include_user_issues = true;
include_user_repos = true;
exclude_repos = [
"azubi"
"csv-to-qif"
"stepp0r"
"nix-shell-mix"
];
};
# todo : add github issues
};
users.users.mainUser.extraGroups = [ "pipewire" ];
@ -137,20 +137,20 @@
};
};
# security.wrappers = {
# pmount = {
# source = "${pkgs.pmount}/bin/pmount";
# setuid = true;
# owner = "root";
# group = "root";
# };
# pumount = {
# source = "${pkgs.pmount}/bin/pumount";
# setuid = true;
# owner = "root";
# group = "root";
# };
# };
security.wrappers = {
pmount = {
source = "${pkgs.pmount}/bin/pmount";
setuid = true;
owner = "root";
group = "root";
};
pumount = {
source = "${pkgs.pmount}/bin/pumount";
setuid = true;
owner = "root";
group = "root";
};
};
services.printing.enable = true;

1
machines/cherry/facts/ssh.root.cherry.id_ed25519.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjJvuEviWlnptuKqA8MQ3QVVdvEGaez1VmShaj56QTg root@cherry

1
machines/cherry/facts/ssh.root.chungus.id_ed25519.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhrmPLOY18azllQEsK+je42aaqnpHm0k3f0bjQEnQXW palo@cherry

49
machines/cherry/ferdium.nix
View file

@ -1,49 +0,0 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
ferdium = pkgs.writeShellScriptBin "ferdium" ''
/var/run/wrappers/bin/sudo -u ferdium -i ${pkgs.ferdium}/bin/ferdium $@
'';
in
{
environment.systemPackages = [
ferdium
(pkgs.makeDesktopItem {
terminal = false;
exec = "${ferdium}/bin/ferdium";
name = "ferdium";
desktopName = "Ferdium";
icon = "${pkgs.ferdium}/share/icons/hicolor/512x512/apps/ferdium.png";
})
pkgs.xorg.xhost
];
users.users.ferdium = {
isNormalUser = false;
isSystemUser = true;
home = "/home/ferdium";
createHome = true;
extraGroups = [
"audio"
"input"
"video"
"pipewire"
];
group = "ferdium";
shell = pkgs.bashInteractive;
};
users.groups.ferdium = { };
security.sudo.extraConfig = ''
${config.users.extraUsers.mainUser.name} ALL=(ferdium) NOPASSWD: ALL
'';
}

16
machines/cherry/hardware-configuration/graphics.nix
View file

@ -5,13 +5,17 @@
hardware.graphics.enable = true;
hardware.graphics.extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
#intel-vaapi-driver # For older processors. LIBVA_DRIVER_NAME=i965
#vaapi-intel-hybrid
intel-vaapi-driver # For older processors. LIBVA_DRIVER_NAME=i965
#vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
#vaapiVdpau
#libvdpau-va-gl
];
#hardware.graphics.enable32Bit = true;
#hardware.graphics.extraPackages32 = with pkgs.pkgsi686Linux; [ intel-vaapi-driver ];
hardware.graphics.enable32Bit = true;
hardware.graphics.extraPackages32 = with pkgs.pkgsi686Linux; [ intel-vaapi-driver ];
environment.systemPackages = [
pkgs.libva-utils # for CLI tools like : vainfo
];
environment.sessionVariables = {
LIBVA_DRIVER_NAME = "i965";
}; # Optionally, set the environment variable
}

10
machines/cherry/network-tinc.nix
View file

@ -1,18 +1,10 @@
{ pkgs, config, ... }:
{ config, ... }:
{
tinc.private.enable = true;
tinc.private.ipv4 = "10.23.42.29";
healthchecks.localCommands.ping-private = pkgs.writers.writeBash "ping-private" ''
ping -c 1 -W 5 ${config.tinc.private.ipv4}
'';
tinc.secret.enable = true;
tinc.secret.ipv4 = "10.123.42.29";
healthchecks.localCommands.ping-secret = pkgs.writers.writeBash "ping-secret" ''
ping -c 1 -W 5 ${config.tinc.secret.ipv4}
'';
}

29
machines/cherry/network-tinc_retiolum.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, factsGenerator, ... }:
{
clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
networking.retiolum.port = 720;
networking.retiolum.nodename = "cherry";
services.tinc.networks.retiolum = {
ed25519PrivateKeyFile =
config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile =
config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path;
};
#fileSystems."/retiolum/sicily" = {
# device = "//sicily.r/tonne";
# fsType = "cifs";
# options = [
# "guest"
# "nofail"
# "noauto"
# "ro"
# "rsize=16777216"
# "cache=loose"
# "x-systemd.after=network.target"
# ];
#};
}

9
machines/cherry/network-wireguard-wg0.nix
View file

@ -1,16 +1,10 @@
{
pkgs,
config,
factsGenerator,
clanLib,
...
}:
{
healthchecks.localCommands.ping-wg0 = pkgs.writers.writeBash "ping-wg0" ''
ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value}
'';
networking.firewall.allowedUDPPorts = [ 51820 ];
clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clan.core.facts.services.wireguard_ip = factsGenerator.public {
@ -18,9 +12,6 @@
"wireguard.wg0.ip" = "10.100.0.7";
};
# actually important to make machine visible over wireguard
services.telegraf.extraConfig.inputs.ping = [ { urls = [ "10.100.0.1" ]; } ];
# Enable WireGuard
networking.wg-quick.interfaces = {
# Hub and Spoke Setup

46
machines/cherry/ssh-cherry.nix
View file

@ -1,46 +0,0 @@
{
config,
factsGenerator,
lib,
...
}:
let
hostname = "cherry";
in
{
# Defines the root SSH key to be used exclusively for accessing a secure machine.
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
# If the target machine becomes compromised by an attacker,
# they could potentially leverage the forwarded SSH agent to access the secure machine.
# This file prevents that scenario by restricting access strictly to the defined SSH key,
# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
name = "root.${hostname}";
};
systemd.tmpfiles.settings.mainUser = {
"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
user = config.users.users.mainUser.name;
group = config.users.users.mainUser.group;
mode = "400";
argument =
config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
};
};
home-manager.users.mainUser.programs.ssh.matchBlocks =
lib.genAttrs
[
"${hostname}.bear"
"${hostname}.private"
"${hostname}.wg0"
]
(name: {
identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
identitiesOnly = true;
});
}

46
machines/cherry/ssh-chungus.nix
View file

@ -1,46 +0,0 @@
{
config,
factsGenerator,
lib,
...
}:
let
hostname = "chungus";
in
{
# Defines the root SSH key to be used exclusively for accessing a secure machine.
# The need for this arises because deployments using the 'clan' command-line tool (e.g. 'clan machines update')
# make use of the 'ssh -A' option, which forwards the SSH agent from the client to the target machine.
# If the target machine becomes compromised by an attacker,
# they could potentially leverage the forwarded SSH agent to access the secure machine.
# This file prevents that scenario by restricting access strictly to the defined SSH key,
# which is only used to access the secure machine, so no other ssh-agent will contain this ssh key
clan.core.facts.services."ssh.root.${hostname}" = factsGenerator.ssh {
name = "root.${hostname}";
};
systemd.tmpfiles.settings.mainUser = {
"/run/facts/ssh.root.${hostname}.id_ed25519"."C+" = {
user = config.users.users.mainUser.name;
group = config.users.users.mainUser.group;
mode = "400";
argument =
config.clan.core.facts.services."ssh.root.${hostname}".secret."ssh.root.${hostname}.id_ed25519".path;
};
};
home-manager.users.mainUser.programs.ssh.matchBlocks =
lib.genAttrs
[
"${hostname}.bear"
"${hostname}.private"
"${hostname}.wg0"
]
(name: {
identityFile = "/run/facts/ssh.root.${hostname}.id_ed25519";
identitiesOnly = true;
});
}

2
machines/cherry/syncthing.nix
View file

@ -6,7 +6,7 @@
}:
{
healthchecks.http.syncthing-gui = {
verify.http.syncthing-gui = {
url = config.services.syncthing.guiAddress;
expectedContent = "syncthing";
};

12
machines/chungus/configuration.nix
View file

@ -15,8 +15,9 @@
./packages.nix
./network-tinc-retiolum.nix # make sure no service is open for this vpn!
./network-tinc.nix
./network-wireguard-wg0.nix
./network-wireguard.nix
./hass-mqtt.nix
./hass-zigbee2mqtt.nix
@ -45,9 +46,6 @@
./service-atuin.nix
./service-forgejo.nix
./service-paperless-backup.nix
./service-paperless-healthchecks.nix
./service-paperless-tika.nix
./service-paperless.nix
./service-s3.nix
#./service-taskwarrior.nix
@ -70,13 +68,11 @@
features.boot.ssh.kernelModules = [ "e1000e" ];
features.boot.tor.enable = true;
telemetry.enable = true;
telemetry.apps.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
components.monitor.enable = true;
components.monitor.opentelemetry.receiver.endpoint = "0.0.0.0:4317";
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
healthchecks.closed.wg0.host = "10.100.0.2";
services.printing.enable = false;
networking.hostName = "chungus";

1
machines/chungus/facts/ssh.paperless-ngx.id_ed25519.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5cHogtLN70T5g7b30r2RR4l6TEFB4t8O8FZ+NMUTfj paperless@chungus

2
machines/chungus/facts/ssh.rbackup.id_ed25519.pub
View file

@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrcZBnx2h1cOlpHImuYhOu08gUdchzbKwbmOMUd54f3 rbackup@chungus
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrcZBnx2h1cOlpHImuYhOu08gUdchzbKwbmOMUd54f3 nixbld@cream

2
machines/chungus/facts/ssh.syncoid.id_ed25519.pub
View file

@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHGxMlaCoAyD/lIYAxEts7vyWYJ7ut4P9Cjw7mvAPiL syncoid@chungus
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJHGxMlaCoAyD/lIYAxEts7vyWYJ7ut4P9Cjw7mvAPiL nixbld@cream

1
machines/chungus/facts/syncoid.ssh.id_ed25519.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrdJ4EXJ0HeZXTb4AzRKQeAORBWwcawOxj4EJhV62De nixbld@cherry

2
machines/chungus/hass.nix
View file

@ -2,7 +2,6 @@
config,
lib,
pkgs,
zerotierInterface,
...
}:
{
@ -18,6 +17,5 @@
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8123 ];
networking.firewall.interfaces.wg0.allowedUDPPorts = [ 8123 ];
networking.firewall.interfaces.${zerotierInterface}.allowedTCPPorts = [ 8123 ];
}

73
machines/chungus/media-audiobookshelf.nix
View file

@ -2,68 +2,43 @@
config,
lib,
pkgs,
zerotierInterface,
...
}:
with pkgs;
let
port = 8000;
group = "media";
port = 9002;
in
{
healthchecks.http.audiobookshelf-via-zerotier = {
url = "${config.networking.hostName}.${config.clan.static-hosts.topLevelDomain}:${toString port}";
expectedContent = "audiobookshelf";
};
networking.firewall.interfaces.${zerotierInterface}.allowedTCPPorts = [ port ];
users.users.audiobookshelf = {
isSystemUser = true;
group = lib.mkForce group;
group = group;
};
# systemd.services.audiobookshelf = {
# enable = true;
# description = "Self-hosted audiobook server for managing and playing audiobooks";
# serviceConfig = {
# Type = "simple";
# WorkingDirectory = "/srv/audiobookshelf";
# ExecStart = "${audiobookshelf}/bin/audiobookshelf --port ${toString port}";
# ExecReload = "${util-linux}/bin/kill -HUP $MAINPID";
# Restart = "always";
# User = config.users.users.audiobookshelf.name;
# Group = config.users.users.audiobookshelf.group;
# };
# wantedBy = [ "multi-user.target" ];
# requires = [ "network.target" ];
# };
# make available in retiolum
#networking.firewall.interfaces."tinc.retiolum".allowedTCPPorts = [ port ];
#networking.firewall.interfaces."tinc.retiolum".allowedUDPPorts = [ port ];
services.audiobookshelf = {
enable = true;
port = 8000;
};
networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ port ];
networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ port ];
services.nginx = {
networking.firewall.interfaces.wg0.allowedTCPPorts = [ port ];
networking.firewall.interfaces.wg0.allowedUDPPorts = [ port ];
systemd.services.audiobookshelf = {
enable = true;
recommendedProxySettings = true;
virtualHosts."audiobookshelf.${config.networking.hostName}.${config.clan.static-hosts.topLevelDomain}" =
{
listen = [
{
addr = "[::]";
port = port;
ssl = false;
}
];
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.audiobookshelf.port}";
proxyWebsockets = true;
extraConfig = ''
proxy_redirect http:// $scheme://;
'';
};
};
description = "Self-hosted audiobook server for managing and playing audiobooks";
serviceConfig = {
Type = "simple";
WorkingDirectory = "/srv/audiobookshelf";
ExecStart = "${audiobookshelf}/bin/audiobookshelf --port ${toString port}";
ExecReload = "${util-linux}/bin/kill -HUP $MAINPID";
Restart = "always";
User = config.users.users.audiobookshelf.name;
Group = config.users.users.audiobookshelf.group;
};
wantedBy = [ "multi-user.target" ];
requires = [ "network.target" ];
};
}

2
machines/chungus/media-castget.nix
View file

@ -4,7 +4,7 @@ let
in
{
services.castget = {
enable = false;
enable = true;
user = "media";
feeds = {
Alternativlos = {

6
machines/chungus/media-jellyfin.nix
View file

@ -7,15 +7,11 @@
{
services.jellyfin = {
enable = true;
openFirewall = true;
openFirewall = true; # todo: will open for retiolum as well
group = "media";
user = "media";
};
healthchecks.http.jellyfin = {
url = "flix.${config.networking.hostName}.private";
};
services.nginx = {
enable = true;
virtualHosts."flix.${config.networking.hostName}.private" = {

38
machines/chungus/media-navidrome.nix
View file

@ -2,53 +2,17 @@
config,
lib,
pkgs,
zerotierInterface,
...
}:
{
healthchecks.http.navidrome-tinc = {
url = "${config.networking.hostName}.private:${toString config.services.navidrome.settings.Port}/app/#/login";
expectedContent = "Navidrome";
};
healthchecks.http.navidrome-via-zerotier = {
url = "${config.networking.hostName}.${config.clan.static-hosts.topLevelDomain}:${toString config.services.navidrome.settings.Port}/app/#/login";
expectedContent = "Navidrome";
};
networking.firewall.interfaces.${zerotierInterface}.allowedTCPPorts = [
config.services.navidrome.settings.Port
];
services.navidrome = {
enable = true;
openFirewall = true;
group = "media";
user = "media";
settings.Address = "[::]";
settings.Port = 4533;
settings.Address = "0.0.0.0";
settings.MusicFolder = "/media/arr/lidarr";
};
services.nginx = {
enable = true;
virtualHosts."music.${config.networking.hostName}.private" = {
serverAliases = [
"music.${config.networking.hostName}.wg0"
"music.ingolf-wagner.de"
];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://localhost:${toString config.services.navidrome.settings.Port}";
extraConfig = ''
allow ${config.tinc.private.subnet};
allow ${config.wireguard.wg0.subnet};
deny all;
'';
};
};
};
}

2
machines/chungus/media-syncthing.nix
View file

@ -6,7 +6,7 @@
}:
{
healthchecks.http.syncthing-gui = {
verify.http.syncthing-gui = {
url = config.services.syncthing.guiAddress;
expectedContent = "syncthing";
};

14
machines/chungus/network-tinc-retiolum.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, factsGenerator, ... }:
{
clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
networking.retiolum.port = 720;
networking.retiolum.nodename = "centauri";
services.tinc.networks.retiolum = {
ed25519PrivateKeyFile =
config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile =
config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path;
};
}

5
machines/chungus/network-tinc.nix
View file

@ -1,11 +1,6 @@
{ pkgs, config, ... }:
{
tinc.private.enable = true;
tinc.private.ipv4 = "10.23.42.28";
healthchecks.localCommands.ping-private = pkgs.writers.writeBash "ping-private" ''
ping -c 1 -W 5 ${config.tinc.private.ipv4}
'';
}

9
machines/chungus/network-wireguard-wg0.nix → machines/chungus/network-wireguard.nix
View file

@ -1,16 +1,10 @@
{
pkgs,
config,
factsGenerator,
clanLib,
...
}:
{
healthchecks.localCommands.ping-wg0 = pkgs.writers.writeBash "ping-wg0" ''
ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value}
'';
networking.firewall.allowedUDPPorts = [ 51820 ];
clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clan.core.facts.services.wireguard_ip = factsGenerator.public {
@ -18,9 +12,6 @@
"wireguard.wg0.ip" = "10.100.0.2";
};
# actually important to make machine visible over wireguard
services.telegraf.extraConfig.inputs.ping = [ { urls = [ "10.100.0.1" ]; } ];
# Enable WireGuard
networking.wg-quick.interfaces = {
# Hub and Spoke Setup

19
machines/chungus/service-atuin.nix
View file

@ -1,25 +1,16 @@
{
pkgs,
config,
pkgs,
assets,
...
}:
{
healthchecks.http.atuin-tinc = {
url = "${config.networking.hostName}.private:${toString config.services.atuin.port}";
expectedContent = "version";
};
# healthchecks.http.atuin-wg0 = {
# url = "${config.networking.hostName}.wg0:${toString config.services.atuin.port}";
# expectedContent = "version";
# };
# networking.firewall.interfaces.wg0.allowedTCPPorts = [
# config.services.atuin.port
# ];
services.atuin = {
enable = true;
package = pkgs.legacy_2405.atuin.overrideAttrs (_old: {
# as cursed as doing mitigations=off in the kernel command line
patches = [ "${assets}/0001-make-atuin-on-zfs-fast-again.patch" ];
});
host = "0.0.0.0";
maxHistoryLength = 999999;
openRegistration = false;

Some files were not shown because too many files have changed in this diff Show more