reformat
All checks were successful
Build / nix-build (native-x86_64, telperion) (push) Successful in 2m13s
Build / nix-build (native-x86_64, gandalf) (push) Successful in 3m23s
Build / nix-build (native-x86_64, shadowfax) (push) Successful in 4m38s

Joseph Hanson 2024-12-27 21:30:25 -06:00
parent ada913b9c0
commit 2b6d062d16
86 changed files with 1280 additions and 837 deletions


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
imports = [
./gnome
];


@ -1,10 +1,16 @@
# Adjusted manually from generated output of dconf2nix
# https://github.com/gvolpe/dconf2nix
{ lib, pkgs, osConfig, ... }:
with lib.hm.gvariant; {
{
lib,
pkgs,
osConfig,
...
}:
with lib.hm.gvariant;
{
config = lib.mkIf osConfig.mySystem.de.gnome.enable {
# add user packages
home.packages = with pkgs; [
home.packages = with pkgs; [
dconf2nix
];
@ -20,13 +26,39 @@ with lib.hm.gvariant; {
home = [ "<Super>e" ];
};
"org/gnome/desktop/wm/preferences" = {
workspace-names = [ "sys" "talk" "web" "edit" "run" ];
workspace-names = [
"sys"
"talk"
"web"
"edit"
"run"
];
button-layout = "appmenu:minimize,close";
};
"org/gnome/shell" = {
disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
favorite-apps = [ "com.mitchellh.ghostty.desktop" "vivaldi-stable.desktop" "obsidian.desktop" "code.desktop" "vesktop.desktop" ];
disabled-extensions = [
"apps-menu@gnome-shell-extensions.gcampax.github.com"
"light-style@gnome-shell-extensions.gcampax.github.com"
"places-menu@gnome-shell-extensions.gcampax.github.com"
"drive-menu@gnome-shell-extensions.gcampax.github.com"
"window-list@gnome-shell-extensions.gcampax.github.com"
"workspace-indicator@gnome-shell-extensions.gcampax.github.com"
];
enabled-extensions = [
"appindicatorsupport@rgcjonas.gmail.com"
"caffeine@patapon.info"
"dash-to-dock@micxgx.gmail.com"
"gsconnect@andyholmes.github.io"
"Vitals@CoreCoding.com"
"sp-tray@sp-tray.esenliyim.github.com"
];
favorite-apps = [
"com.mitchellh.ghostty.desktop"
"vivaldi-stable.desktop"
"obsidian.desktop"
"code.desktop"
"vesktop.desktop"
];
};
"org/gnome/nautilus/preferences" = {
default-folder-viewer = "list-view";


@ -1,11 +1,17 @@
{ ... }: {
{ ... }:
{
config = {
networking.hostId = "ad4380db";
networking.hostName = "durincore";
# Kernel mods
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
availableKernelModules = [
"xhci_pci"
"nvme"
"usb_storage"
"sd_mod"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
@ -13,31 +19,34 @@
};
fileSystems = {
"/" =
{
device = "rpool/root";
fsType = "zfs";
};
"/" = {
device = "rpool/root";
fsType = "zfs";
};
"/home" =
{
device = "rpool/home";
fsType = "zfs";
};
"/home" = {
device = "rpool/home";
fsType = "zfs";
};
"/boot" =
{
device = "/dev/disk/by-uuid/F1B9-CA7C";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/F1B9-CA7C";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
};
swapDevices = [ ];
# System settings and services.
mySystem = {
system.motd.networkInterfaces = [ "enp0s31f6" "wlp4s0" ];
system.motd.networkInterfaces = [
"enp0s31f6"
"wlp4s0"
];
};
};


@ -1,50 +1,56 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
config,
lib,
modulesPath,
...
}:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "2132e3bf";
networking.hostName = "legiondary";
boot = {
initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usb_storage" "usbhid" "sd_mod" ];
initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems =
{
"/" =
{
device = "zroot/root";
fsType = "zfs";
};
"/nix" =
{
device = "zroot/nix";
fsType = "zfs";
};
"/var" =
{
device = "zroot/var";
fsType = "zfs";
};
"/home" =
{
device = "zroot/home";
fsType = "zfs";
};
fileSystems = {
"/" = {
device = "zroot/root";
fsType = "zfs";
};
"/nix" = {
device = "zroot/nix";
fsType = "zfs";
};
"/var" = {
device = "zroot/var";
fsType = "zfs";
};
"/home" = {
device = "zroot/home";
fsType = "zfs";
};
};
# fileSystems."/boot" =
# { device = "/dev/disk/by-uuid/E532-B74A";
# fsType = "vfat";
@ -58,6 +64,9 @@
# System settings and services.
mySystem = {
purpose = "Development";
system.motd.networkInterfaces = [ "eno1" "wlp4s0" ];
system.motd.networkInterfaces = [
"eno1"
"wlp4s0"
];
};
}


@ -3,9 +3,9 @@ with lib;
let
app = "lego-auto";
image = "ghcr.io/bjw-s/lego-auto:v0.3.0";
user = "999"; #string
group = "102"; #string
port = 9898; #int
user = "999"; # string
group = "102"; # string
port = 9898; # int
cfg = config.mySystem.services.${app};
appFolder = "/eru/containers/volumes/${app}";
in
@ -43,16 +43,18 @@ in
extraOptions = [
"--dns=1.1.1.1"
];
environment = {
TZ = "America/Chicago";
LA_DATADIR = "/cert";
LA_CACHEDIR = "/cert/.cache";
LA_EMAIL = cfg.email;
LA_DOMAINS = cfg.domains;
LA_PROVIDER = cfg.provider;
} // lib.optionalAttrs (cfg.provider == "dnsimple") {
DNSIMPLE_OAUTH_TOKEN_FILE = "/config/dnsimple-token";
};
environment =
{
TZ = "America/Chicago";
LA_DATADIR = "/cert";
LA_CACHEDIR = "/cert/.cache";
LA_EMAIL = cfg.email;
LA_DOMAINS = cfg.domains;
LA_PROVIDER = cfg.provider;
}
// lib.optionalAttrs (cfg.provider == "dnsimple") {
DNSIMPLE_OAUTH_TOKEN_FILE = "/config/dnsimple-token";
};
volumes = [
"${appFolder}/cert:/cert"


@ -6,8 +6,8 @@ let
version = "8.4.62";
cfg = config.mySystem.services.${app};
appFolder = "/eru/containers/volumes/${app}";
# persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
in
# persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
{
options.mySystem.services.${app} = {
enable = mkEnableOption "${app}";
@ -19,7 +19,12 @@ in
allowedTCPPorts = [ 8443 ];
};
podman0 = {
allowedTCPPorts = [ 8080 8443 8880 8843 ];
allowedTCPPorts = [
8080
8443
8880
8843
];
allowedUDPPorts = [ 3478 ];
};
};


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
let
cfg = config.mySystem.de.kde;
flameshotOverride = pkgs.unstable.flameshot.override { enableWlrSupport = true; };
@ -6,14 +11,15 @@ in
{
options = {
mySystem.de.kde = {
enable = lib.mkEnableOption "KDE" // { default = false; };
enable = lib.mkEnableOption "KDE" // {
default = false;
};
};
};
config = lib.mkIf cfg.enable {
# Ref: https://wiki.nixos.org/wiki/KDE
# KDE
services = {
displayManager = {
@ -43,7 +49,6 @@ in
jack.enable = true;
};
# extra pkgs and extensions
environment = {
systemPackages = with pkgs; [


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.mySystem.services.cockpit;


@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.mySystem.services.vault;
in


@ -40,7 +40,10 @@
"/home/user" = { };
# Parent is not mounted so the mountpoint must be set
"/nix" = {
mountOptions = [ "compress=zstd" "noatime" ];
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/nix";
};
};


@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
{
mySystem = {
security.wheelNeedsSudoPassword = false;
@ -16,7 +21,7 @@
};
};
# For updating firmware on the Framework.
# For updating firmware on the Framework.
services.fwupd.enable = true;
networking = {


@ -10,7 +10,10 @@
boot = {
# for managing/mounting ntfs
supportedFilesystems = [ "ntfs" "nfs" ];
supportedFilesystems = [
"ntfs"
"nfs"
];
loader = {
grub = {
@ -18,7 +21,10 @@
zfsSupport = true;
device = "nodev";
mirroredBoots = [
{ devices = [ "nodev" ]; path = "/boot"; }
{
devices = [ "nodev" ];
path = "/boot";
}
];
};
};


@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
# Role for workstations
# Covers desktops/laptops, expected to have a GUI and do workloads
# Will have home-manager installs


@ -237,24 +237,6 @@
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
@ -269,9 +251,9 @@
"type": "github"
}
},
"flake-utils_5": {
"flake-utils_4": {
"inputs": {
"systems": "systems_6"
"systems": "systems_5"
},
"locked": {
"lastModified": 1710146030,
@ -287,9 +269,9 @@
"type": "github"
}
},
"flake-utils_6": {
"flake-utils_5": {
"inputs": {
"systems": "systems_7"
"systems": "systems_6"
},
"locked": {
"lastModified": 1681202837,
@ -670,25 +652,6 @@
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz"
}
},
"mise": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1735325928,
"narHash": "sha256-MfOIDwb6pMakn9eCulGrPwAMuL5qFOhwaEoFFeuv8cY=",
"owner": "jdx",
"repo": "mise",
"rev": "323a85b6f7632b906cb113a428519f2ba89197e7",
"type": "github"
},
"original": {
"owner": "jdx",
"repo": "mise",
"type": "github"
}
},
"mk-naked-shell": {
"flake": false,
"locked": {
@ -757,7 +720,7 @@
"nix-minecraft": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_4",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs-unstable"
]
@ -779,7 +742,7 @@
"nix-vscode-extensions": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-utils": "flake-utils_5",
"flake-utils": "flake-utils_4",
"nixpkgs": [
"nixpkgs"
]
@ -891,22 +854,6 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1729980323,
"narHash": "sha256-eWPRZAlhf446bKSmzw6x7RWEE4IuZgAp8NW3eXZwRAY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "86e78d3d2084ff87688da662cf78c2af085d8e73",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1735141468,
"narHash": "sha256-VIAjBr1qGcEbmhLwQJD6TABppPMggzOvqFsqkDoMsAY=",
@ -922,7 +869,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_3": {
"locked": {
"lastModified": 1734649271,
"narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=",
@ -938,7 +885,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_4": {
"locked": {
"lastModified": 1682134069,
"narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
@ -977,7 +924,7 @@
"nur": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": "nixpkgs_4",
"nixpkgs": "nixpkgs_3",
"treefmt-nix": "treefmt-nix"
},
"locked": {
@ -1111,12 +1058,11 @@
"hyprland-plugins": "hyprland-plugins",
"krewfile": "krewfile",
"lix-module": "lix-module",
"mise": "mise",
"nix-inspect": "nix-inspect",
"nix-minecraft": "nix-minecraft",
"nix-vscode-extensions": "nix-vscode-extensions",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"nixvirt-git": "nixvirt-git",
"nur": "nur",
@ -1281,21 +1227,6 @@
"type": "github"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"talhelper": {
"inputs": {
"flake-parts": "flake-parts_2",
@ -1362,8 +1293,8 @@
},
"vscode-server": {
"inputs": {
"flake-utils": "flake-utils_6",
"nixpkgs": "nixpkgs_5"
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1729422940,


@ -92,9 +92,6 @@
url = "github:hyprwm/hyprland-plugins";
inputs.hyprland.follows = "hyprland";
};
# Mise
mise.url = "github:jdx/mise";
};
outputs =
@ -110,7 +107,6 @@
lix-module,
vscode-server,
krewfile,
mise,
...
}@inputs:
let


@ -1,4 +1,9 @@
{ pkgs, config, inputs, ... }:
{
pkgs,
config,
inputs,
...
}:
with config;
{
imports = [
@ -76,7 +81,6 @@ with config;
# filesystem tools
gptfdisk # sgdisk
# system call monitoring
strace # system call monitoring
ltrace # library call monitoring


@ -1,4 +1,5 @@
{ lib, ... }: {
{ lib, ... }:
{
imports = [
./shell


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
imports = [
./firefox
];


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.myHome.programs.firefox;
@ -6,27 +11,25 @@ in
{
options.myHome.programs.firefox.enable = mkEnableOption "Firefox";
config = mkIf cfg.enable
{
programs.firefox = {
enable = true;
package = pkgs.firefox.override
{
extraPolicies = {
DontCheckDefaultBrowser = true;
DisablePocket = true;
# See nixpkgs' firefox/wrapper.nix to check which options you can use
nativeMessagingHosts = [
# Gnome shell native connector
pkgs.gnome-browser-connector
# plasma connector
# plasma5Packages.plasma-browser-integration
];
};
};
policies = import ./policies.nix;
profiles.default = import ./profile-default.nix { inherit pkgs; };
config = mkIf cfg.enable {
programs.firefox = {
enable = true;
package = pkgs.firefox.override {
extraPolicies = {
DontCheckDefaultBrowser = true;
DisablePocket = true;
# See nixpkgs' firefox/wrapper.nix to check which options you can use
nativeMessagingHosts = [
# Gnome shell native connector
pkgs.gnome-browser-connector
# plasma connector
# plasma5Packages.plasma-browser-integration
];
};
};
policies = import ./policies.nix;
profiles.default = import ./profile-default.nix { inherit pkgs; };
};
};
}


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
imports = [
./browsers
./thunderbird


@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.myHome.programs.thunderbird;


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
imports = [
./ssh
];


@ -1,5 +1,6 @@
{ config, lib, ... }:
with lib; let
with lib;
let
cfg = config.myHome.security.ssh;
in
{


@ -1,5 +1,11 @@
{ config, pkgs, lib, ... }:
with lib; let
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.myHome.shell.atuind;
in
{
@ -9,22 +15,21 @@ in
config = mkMerge [
(mkIf cfg.enable {
systemd.user.services.atuind =
{
Install = {
WantedBy = [ "default.target" ];
};
Unit = {
After = [ "network.target" ];
};
Service = {
Environment = "ATUIN_LOG=info";
ExecStart = "${pkgs.unstable.atuin}/bin/atuin daemon";
# Remove the socket file if the daemon is not running.
# Unexpected shutdowns may have left this file here.
ExecStartPre="/run/current-system/sw/bin/bash -c '! pgrep atuin && /run/current-system/sw/bin/rm -f ~/.local/share/atuin/atuin.sock'";
};
systemd.user.services.atuind = {
Install = {
WantedBy = [ "default.target" ];
};
Unit = {
After = [ "network.target" ];
};
Service = {
Environment = "ATUIN_LOG=info";
ExecStart = "${pkgs.unstable.atuin}/bin/atuin daemon";
# Remove the socket file if the daemon is not running.
# Unexpected shutdowns may have left this file here.
ExecStartPre = "/run/current-system/sw/bin/bash -c '! pgrep atuin && /run/current-system/sw/bin/rm -f ~/.local/share/atuin/atuin.sock'";
};
};
})
];
}


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
imports = [
./atuind
./fish


@ -96,6 +96,9 @@ in
set -gx SSH_ASKPASS_REQUIRE "prefer" # This is for git to use the ssh-askpass
set -gx ATUIN_SYNC_ADDRESS "https://sh.hsn.dev"
# Mise https://mise.jdx.dev
mise activate fish | source
# One Password cli
if test -e ~/.config/op/plugins.sh
source ~/.config/op/plugins.sh


@ -1,4 +1,9 @@
{ pkgs, config, lib, ... }:
{
pkgs,
config,
lib,
...
}:
let
cfg = config.myHome.shell.git;
in


@ -1,12 +1,16 @@
{ lib
, config
, ...
{
lib,
config,
...
}:
with lib; let
with lib;
let
cfg = config.myHome.shell.starship;
in
{
options.myHome.shell.starship = { enable = mkEnableOption "starship"; };
options.myHome.shell.starship = {
enable = mkEnableOption "starship";
};
config = mkIf cfg.enable {
programs.starship = {


@ -1,5 +1,11 @@
{ config, pkgs, lib, ... }:
with lib; let
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.myHome.shell.wezterm;
in
{


@ -14,22 +14,22 @@
};
datasets = {
"eru/xen-backups" = {
useTemplate = ["production"];
useTemplate = [ "production" ];
};
"eru/hansonhive" = {
useTemplate = ["production"];
useTemplate = [ "production" ];
};
"eru/tm_joe" = {
useTemplate = ["production"];
useTemplate = [ "production" ];
};
"eru/tm_elisia" = {
useTemplate = ["production"];
useTemplate = [ "production" ];
};
"eru/containers/volumes/xo-data" = {
useTemplate = ["production"];
useTemplate = [ "production" ];
};
"eru/containers/volumes/xo-redis-data" = {
useTemplate = ["production"];
useTemplate = [ "production" ];
};
};
};


@ -9,9 +9,9 @@
...
}:
# let
# sanoidConfig = import ./config/sanoid.nix { };
# disks = import ./config/disks.nix;
# smartdDevices = map (device: { inherit device; }) disks;
# sanoidConfig = import ./config/sanoid.nix { };
# disks = import ./config/disks.nix;
# smartdDevices = map (device: { inherit device; }) disks;
# in
{
imports = [


@ -1,15 +1,13 @@
[
# zroot
"/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"
"/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314200DT2P0C"
"/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH3142017H2P0C"
"/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314201AD2P0C"
"/dev/disk/by-id/nvme-SOLIDIGM_SSDPFKNU020TZ_PHEH314201E72P0C"
# nahar
"/dev/nvme0" # These are required to fix a smartctl bug I have yet to upgrade to a version that fixes it.
"/dev/nvme0"
"/dev/nvme1"
"/dev/nvme2"
"/dev/nvme3"
"/dev/nvme4"
"/dev/nvme5"
# moria
"/dev/disk/by-id/scsi-35000cca23bc8a504"
"/dev/disk/by-id/scsi-35000cca23bd29918"
@ -31,5 +29,4 @@
"/dev/disk/by-id/scsi-35000cca0461810f8"
"/dev/disk/by-id/scsi-35000cca04618b930"
"/dev/disk/by-id/scsi-35000cca04618cec4"
]
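Review bot: After this hunk the nahar NVMe disks are listed only by kernel-enumerated names (`/dev/nvme0` to `/dev/nvme5`); going by the hunk counts (15 old lines, 13 new), the four `/dev/disk/by-id/nvme-SOLIDIGM_...` entries and the comment explaining the smartctl workaround are removed and `/dev/nvme4` and `/dev/nvme5` are added. `nvmeN` numbering is not guaranteed to be stable across reboots or hardware changes, and this list is presumably what reaches the scrutiny container as `--device=` flags through `devices = disks`, so a reordering could expose a different device than intended. I would keep the stable by-id paths where smartctl allows it and restore the reason next to the raw nodes, e.g. `"/dev/nvme0" # raw node needed until the smartctl bug is fixed; see by-id entries`. This is a functional change inside a commit titled "reformat" and would be easier to review as a separate commit.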


@ -14,19 +14,19 @@
};
datasets = {
"nahar/scrypted" = {
useTemplate = ["production"];
useTemplate = [ "production" ];
};
"nahar/containers/volumes/plex" = {
useTemplate = ["production"];
useTemplate = [ "production" ];
};
"nahar/containers/volumes/scrypted" = {
useTemplate = ["production"];
useTemplate = [ "production" ];
};
"nahar/containers/volumes/jellyfin" = {
useTemplate = ["production"];
useTemplate = [ "production" ];
};
"nahar/containers/volumes/scrutiny" = {
useTemplate = ["production"];
useTemplate = [ "production" ];
};
};
};


@ -47,10 +47,7 @@ in
nvidia-container-toolkit.enable = true;
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
];
users.users.root.openssh.authorizedKeys.keys = [ ];
# Network settings
networking = {
@ -187,7 +184,10 @@ in
scrutiny = {
enable = true;
devices = disks;
extraCapabilities = [ "SYS_RAWIO" ];
extraCapabilities = [
"SYS_RAWIO"
"SYS_ADMIN"
];
containerVolumeLocation = "/nahar/containers/volumes/scrutiny";
port = 8585;
};
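Review bot: `SYS_ADMIN` is added to the scrutiny container's `extraCapabilities` in the second hunk, a privilege change that a commit titled "reformat" hides from anyone skimming the history. `CAP_SYS_ADMIN` covers a very broad set of privileged operations, so the reason should sit beside it, e.g. `"SYS_ADMIN" # required for NVMe SMART queries (confirm)`, and the change belongs in its own commit. The first hunk also empties `users.users.root.openssh.authorizedKeys.keys`, dropping two root keys (one labelled `CSI-Driver@talos`); that narrows root access, but anything still depending on those keys will lose it without a commit message saying so. Both attribute sets continue outside the hunks shown.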


@ -1,27 +1,27 @@
{config, ...}:
{ config, ... }:
''
include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
acl trusted {
10.33.44.0/24; # LAN
10.1.1.0/24; # Servers
10.1.2.0/24; # Trusted
10.1.3.0/24; # IoT
10.1.4.0/24; # Video
};
acl trusted {
10.33.44.0/24; # LAN
10.1.1.0/24; # Servers
10.1.2.0/24; # Trusted
10.1.3.0/24; # IoT
10.1.4.0/24; # Video
};
zone "jahanson.tech." {
type master;
file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
allow-transfer {
key "externaldns";
zone "jahanson.tech." {
type master;
file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
allow-transfer {
key "externaldns";
};
update-policy {
grant externaldns zonesub ANY;
};
allow-query {
trusted;
};
};
update-policy {
grant externaldns zonesub ANY;
};
allow-query {
trusted;
};
};
''
''


@ -1,53 +1,53 @@
{ ... }:
''
global
log /dev/log local0
log /dev/log local1 notice
daemon
global
log /dev/log local0
log /dev/log local1 notice
daemon
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 20s
timeout connect 10s
timeout client 1h
timeout server 1h
timeout http-keep-alive 10s
timeout check 10s
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 20s
timeout connect 10s
timeout client 1h
timeout server 1h
timeout http-keep-alive 10s
timeout check 10s
frontend k8s_homelab_apiserver
bind *:6443
mode tcp
option tcplog
default_backend k8s_homelab_controlplane
frontend k8s_homelab_apiserver
bind *:6443
mode tcp
option tcplog
default_backend k8s_homelab_controlplane
frontend k8s_theshire_apiserver
bind *:6444
mode tcp
option tcplog
default_backend k8s_theshire_controlplane
frontend k8s_theshire_apiserver
bind *:6444
mode tcp
option tcplog
default_backend k8s_theshire_controlplane
backend k8s_homelab_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server shadowfax 10.1.1.61:6443 check
backend k8s_homelab_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server shadowfax 10.1.1.61:6443 check
backend k8s_theshire_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server bilbo 10.1.1.62:6443 check
server frodo 10.1.1.63:6443 check
server sam 10.1.1.64:6443 check
backend k8s_theshire_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server bilbo 10.1.1.62:6443 check
server frodo 10.1.1.63:6443 check
server sam 10.1.1.64:6443 check
''


@ -1,18 +1,29 @@
# Do not modify this file! It was generated by `nixos-generate-config`
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
config,
lib,
modulesPath,
...
}:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "ce196a02";
networking.hostName = "telperion";
boot = {
initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
@ -69,7 +80,10 @@
mySystem = {
purpose = "Production";
system = {
motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
motd.networkInterfaces = [
"enp2s0"
"wlp3s0"
];
};
services = {
@ -88,7 +102,11 @@
haproxy = {
enable = true;
config = import ./config/haproxy.nix { inherit config; };
tcpPorts = [ 6443 6444 50000 ];
tcpPorts = [
6443
6444
50000
];
};
matchbox = {


@ -1,4 +1,5 @@
{ pkgs, ... }: {
{ pkgs, ... }:
{
imports = [ ./resources/prune-backup.nix ];
networking.hostId = "cdab8473";
@ -22,7 +23,6 @@
swapDevices = [ ];
# System settings and services.
mySystem = {
purpose = "Production";


@ -1,7 +1,9 @@
{ pkgs, ... }:
let
cleanupScript = pkgs.writeShellScriptBin "cleanup-backups.sh" (builtins.readFile ./prune-backups.sh);
cleanupScript = pkgs.writeShellScriptBin "cleanup-backups.sh" (
builtins.readFile ./prune-backups.sh
);
in
{
systemd.timers.cleanup-backups = {


@ -4,40 +4,60 @@ with lib;
rec {
firstOrDefault = first: default: if first != null then first else default;
existsOrDefault = x: set: default: if builtins.hasAttr x set then builtins.getAttr x set else default;
existsOrDefault =
x: set: default:
if builtins.hasAttr x set then builtins.getAttr x set else default;
# main service builder
mkService = options: (
let
user = existsOrDefault "user" options "568";
group = existsOrDefault "group" options "568";
mkService =
options:
(
let
user = existsOrDefault "user" options "568";
group = existsOrDefault "group" options "568";
enableBackups = (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options)
&& (lib.attrsets.attrByPath [ "persistence" "enable" ] true options);
enableBackups =
(lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options)
&& (lib.attrsets.attrByPath [ "persistence" "enable" ] true options);
# Security options for containers
containerExtraOptions = lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [ "--privileged" ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [ "--read-only" ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [ (map (folders: "--tmpfs=${folders}") tmpfsFolders) ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [ "--security-opt=no-new-privileges" ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ]
;
in
{
virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable {
image = "${options.container.image}";
user = "${user}:${group}";
environment = {
TZ = options.timeZone;
} // options.container.env;
environmentFiles = lib.attrsets.attrByPath [ "container" "envFiles" ] [ ] options;
volumes = [ "/etc/localtime:/etc/localtime:ro" ] ++
lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [
"${options.persistence.folder}:${options.container.persistentFolderMount}:rw"
] ++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options;
extraOptions = containerExtraOptions;
};
systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ];
}
);
# Security options for containers
containerExtraOptions =
lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [
"--privileged"
]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [
"--read-only"
]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [
(map (folders: "--tmpfs=${folders}") tmpfsFolders)
]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [
"--security-opt=no-new-privileges"
]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [
"--cap-drop=ALL"
];
in
{
virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable {
image = "${options.container.image}";
user = "${user}:${group}";
environment = {
TZ = options.timeZone;
} // options.container.env;
environmentFiles = lib.attrsets.attrByPath [ "container" "envFiles" ] [ ] options;
volumes =
[ "/etc/localtime:/etc/localtime:ro" ]
++ lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [
"${options.persistence.folder}:${options.container.persistentFolderMount}:rw"
]
++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options;
extraOptions = containerExtraOptions;
};
systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [
"persistence"
"folder"
] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ];
}
);
}


@ -45,7 +45,9 @@ in
${pkgs.podman}/bin/podman run \
--rm \
--name=${app} \
--user="${toString config.users.users."${user}".uid}:${toString config.users.groups."${group}".gid}" \
--user="${toString config.users.users."${user}".uid}:${
toString config.users.groups."${group}".gid
}" \
--device='nvidia.com/gpu=all' \
--log-driver=journald \
--cidfile=/run/${app}.ctr-id \


@ -51,7 +51,9 @@ in
--cidfile=/run/${app}.ctr-id \
--cgroups=no-conmon \
--sdnotify=conmon \
--user="${toString config.users.users."${user}".uid}:${toString config.users.groups."${group}".gid}" \
--user="${toString config.users.users."${user}".uid}:${
toString config.users.groups."${group}".gid
}" \
--volume="${volumeLocation}:/config:rw" \
--volume="/moria/media:/media:rw" \
--volume="tmpfs:/config/Library/Application Support/Plex Media Server/Logs:rw" \
@ -78,7 +80,7 @@ in
];
};
sops.secrets ={
sops.secrets = {
"restic/plex/env" = {
sopsFile = ./secrets.sops.yaml;
owner = user;
@ -155,6 +157,5 @@ in
# }
# ];
};
}


@ -85,8 +85,7 @@ in
# using the --device and --cap-add flags
extraOptions =
(map (disk: "--device=${toString disk}") cfg.devices)
++
(map (cap: "--cap-add=${cap}") cfg.extraCapabilities);
++ (map (cap: "--cap-add=${cap}") cfg.extraCapabilities);
};
};
}


@ -57,7 +57,7 @@ with lib;
config = {
systemd.tmpfiles.rules = [
"d ${config.mySystem.persistentFolder} 777 - - -" #The - disables automatic cleanup, so the file wont be removed after a period
"d ${config.mySystem.persistentFolder} 777 - - -" # The - disables automatic cleanup, so the file wont be removed after a period
];
};
}


@ -14,13 +14,21 @@ in
programs.vim.defaultEditor = true;
# Visual mode off and syntax highlighting on
home-manager.users = mapAttrs
(user: _: {
home.file.".vimrc".text = ''
set mouse-=a
syntax on
'';
})
(listToAttrs (map (u: { name = u; value = { }; }) users));
home-manager.users =
mapAttrs
(user: _: {
home.file.".vimrc".text = ''
set mouse-=a
syntax on
'';
})
(
listToAttrs (
map (u: {
name = u;
value = { };
}) users
)
);
};
}


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.mySystem.editor.vscode;
@ -74,8 +79,12 @@ let
}
];
# Extract extension strings and coerce them to a list of valid attribute paths.
vscodeCommunityExtensionsPackages = map (ext: getAttrFromPath (splitString "." ext) pkgs.vscode-marketplace) vscodeCommunityExtensions;
nixpkgsExtensionsPackages = map (ext: getAttrFromPath (splitString "." ext) pkgs.vscode-extensions) vscodeNixpkgsExtensions;
vscodeCommunityExtensionsPackages = map (
ext: getAttrFromPath (splitString "." ext) pkgs.vscode-marketplace
) vscodeCommunityExtensions;
nixpkgsExtensionsPackages = map (
ext: getAttrFromPath (splitString "." ext) pkgs.vscode-extensions
) vscodeNixpkgsExtensions;
marketplaceExtensionsPackages = pkgs.vscode-utils.extensionsFromVscodeMarketplace marketplaceExtensions;
in
{


@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.mySystem.games.steam;
in


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.mySystem.hardware.nvidia;


@ -88,10 +88,7 @@
else
null;
remoteResticTemplate =
if builtins.hasAttr "remoteResticTemplate" options then
options.remoteResticTemplate
else
null;
if builtins.hasAttr "remoteResticTemplate" options then options.remoteResticTemplate else null;
# 2:05 daily backup with 3h random delay
timerConfig = {
OnCalendar = "02:05";
@ -125,7 +122,9 @@
inherit (options) user passwordFile environmentFile;
# Move the path to the zfs snapshot path
paths = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.paths;
exclude = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.excludePaths;
exclude = map (
x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}"
) options.excludePaths;
repository = "${options.localResticTemplate}";
};
@ -142,7 +141,9 @@
paths = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.paths;
repository = remoteResticTemplate;
repositoryFile = remoteResticTemplateFile;
exclude = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.excludePaths;
exclude = map (
x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}"
) options.excludePaths;
};
};
}


@ -4,16 +4,14 @@ let
cfg = config.mySystem.shell.fish;
in
{
options.mySystem.shell.fish =
{
enable = mkEnableOption "Fish";
enablePlugins = mkOption
{
type = lib.types.bool;
description = "If we want to add fish plugins";
default = true;
};
options.mySystem.shell.fish = {
enable = mkEnableOption "Fish";
enablePlugins = mkOption {
type = lib.types.bool;
description = "If we want to add fish plugins";
default = true;
};
};
# Install fish systemwide
config.programs.fish = mkIf cfg.enable {


@ -1,5 +1,6 @@
{ config, lib, ... }:
with lib; let
with lib;
let
cfg = config.mySystem.security._1password;
user = "jahanson";
in


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.mySystem.services.bind;


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.mySystem.services.dnsmasq;
@ -25,7 +30,11 @@ in
networking.firewall = {
# dhcp ports | tftp port
allowedUDPPorts = [ 67 68 69 ]; # server/client/tftp
allowedUDPPorts = [
67
68
69
]; # server/client/tftp
};
# Proxy DHCP for PXE booting. This leaves DHCP address allocation alone and dhcp clients


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.mySystem.services.haproxy;
@ -6,7 +11,9 @@ let
in
{
options.mySystem.services.haproxy = {
enable = mkEnableOption "haproxy" // { default = false; };
enable = mkEnableOption "haproxy" // {
default = false;
};
package = mkPackageOption pkgs "haproxy" { };
config = mkOption {
type = types.str;


@ -1,4 +1,10 @@
{ lib, config, pkgs, inputs, ... }:
{
lib,
config,
pkgs,
inputs,
...
}:
with lib;
let
cfg = config.mySystem.services.libvirt-qemu;
@ -11,7 +17,10 @@ in
config = mkIf cfg.enable {
networking.firewall = {
allowedTCPPorts = [ 16509 16514 ];
allowedTCPPorts = [
16509
16514
];
};
# Enable bind with domain configuration


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.mySystem.services.matchbox;


@ -52,8 +52,14 @@ in
};
networking.firewall = {
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [ 80 443 ];
allowedTCPPorts = [
80
443
];
allowedUDPPorts = [
80
443
];
};
# required for using acme certs


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.mySystem.services.podman;
@ -6,47 +11,46 @@ in
{
options.mySystem.services.podman.enable = mkEnableOption "Podman";
config = mkIf cfg.enable
{
virtualisation.podman = {
enable = true;
config = mkIf cfg.enable {
virtualisation.podman = {
enable = true;
dockerCompat = true;
extraPackages = [ pkgs.zfs ];
dockerCompat = true;
extraPackages = [ pkgs.zfs ];
# regular cleanup
autoPrune.enable = true;
autoPrune.dates = "weekly";
# regular cleanup
autoPrune.enable = true;
autoPrune.dates = "weekly";
# and add dns
defaultNetwork.settings = {
dns_enabled = false;
};
};
virtualisation.oci-containers = {
backend = "podman";
};
environment.systemPackages = with pkgs; [
podman-tui # status of containers in the terminal
unstable.lazydocker
];
programs.fish.shellAliases = {
# lazydocker --> lazypodman
lazypodman = "sudo DOCKER_HOST=unix:///run/podman/podman.sock lazydocker";
};
networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
# extra user for containers
users.groups.kah = { };
users.users = {
kah = {
uid = 568;
group = "kah";
};
jahanson.extraGroups = [ "kah" ];
# and add dns
defaultNetwork.settings = {
dns_enabled = false;
};
};
virtualisation.oci-containers = {
backend = "podman";
};
environment.systemPackages = with pkgs; [
podman-tui # status of containers in the terminal
unstable.lazydocker
];
programs.fish.shellAliases = {
# lazydocker --> lazypodman
lazypodman = "sudo DOCKER_HOST=unix:///run/podman/podman.sock lazydocker";
};
networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
# extra user for containers
users.groups.kah = { };
users.users = {
kah = {
uid = 568;
group = "kah";
};
jahanson.extraGroups = [ "kah" ];
};
};
}


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.mySystem.services.sanoid;


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
let
cfg = config.mySystem.system.borg.pika-backup;
user = "jahanson";


@ -12,7 +12,12 @@
# On Framework 16 the USB is:
# Bus 005 Device 007: ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd
# Use `findfp.sh` to find the correct USB device.
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.mySystem.system.fingerprint-reader-on-laptop-lid;
laptop-lid = pkgs.writeShellScript "laptop-lid" ''
@ -79,8 +84,13 @@ in
systemd.services.fingerprint-laptop-lid = {
enable = true;
description = "Disable fingerprint reader when laptop lid closes";
serviceConfig = { ExecStart = "${laptop-lid}"; };
wantedBy = [ "multi-user.target" "suspend.target" ];
serviceConfig = {
ExecStart = "${laptop-lid}";
};
wantedBy = [
"multi-user.target"
"suspend.target"
];
after = [ "suspend.target" ];
};
};


@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = config.mySystem.system.incus;
user = "jahanson";


@ -1,77 +1,86 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
motd = pkgs.writeShellScriptBin "motd"
''
#! /usr/bin/env bash
source /etc/os-release
service_status=$(systemctl list-units | grep podman-)
RED="\e[31m"
GREEN="\e[32m"
BOLD="\e[1m"
ENDCOLOR="\e[0m"
LOAD1=`cat /proc/loadavg | awk {'print $1'}`
LOAD5=`cat /proc/loadavg | awk {'print $2'}`
LOAD15=`cat /proc/loadavg | awk {'print $3'}`
motd = pkgs.writeShellScriptBin "motd" ''
#! /usr/bin/env bash
source /etc/os-release
service_status=$(systemctl list-units 'podman-*.service' 'plex.service' 'scrutiny.service' 'jellyfin.service' 'ollama.service' 'scrypted.service' | grep '\.service')
RED="\e[31m"
GREEN="\e[32m"
BOLD="\e[1m"
ENDCOLOR="\e[0m"
LOAD1=`cat /proc/loadavg | awk {'print $1'}`
LOAD5=`cat /proc/loadavg | awk {'print $2'}`
LOAD15=`cat /proc/loadavg | awk {'print $3'}`
MEMORY=`free -m | awk 'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100 / $2 }'`
MEMORY=`free -m | awk 'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100 / $2 }'`
# time of day
HOUR=$(date +"%H")
if [ $HOUR -lt 12 -a $HOUR -ge 0 ]
then TIME="morning"
elif [ $HOUR -lt 17 -a $HOUR -ge 12 ]
then TIME="afternoon"
else
TIME="evening"
fi
# time of day
HOUR=$(date +"%H")
if [ $HOUR -lt 12 -a $HOUR -ge 0 ]
then TIME="morning"
elif [ $HOUR -lt 17 -a $HOUR -ge 12 ]
then TIME="afternoon"
else
TIME="evening"
fi
uptime=`cat /proc/uptime | cut -f1 -d.`
upDays=$((uptime/60/60/24))
upHours=$((uptime/60/60%24))
upMins=$((uptime/60%60))
upSecs=$((uptime%60))
uptime=`cat /proc/uptime | cut -f1 -d.`
upDays=$((uptime/60/60/24))
upHours=$((uptime/60/60%24))
upMins=$((uptime/60%60))
upSecs=$((uptime%60))
figlet "$(hostname)" | lolcat -f
printf "$BOLD %-20s$ENDCOLOR %s\n" "Role:" "${config.mySystem.purpose}"
printf "\n"
${lib.strings.concatStrings (lib.lists.forEach cfg.networkInterfaces (x: "printf \"$BOLD * %-20s$ENDCOLOR %s\\n\" \"IPv4 ${x}\" \"$(ip -4 addr show ${x} | grep -oP '(?<=inet\\s)\\d+(\\.\\d+){3}')\"\n"))}
printf "$BOLD * %-20s$ENDCOLOR %s\n" "Release" "$PRETTY_NAME"
printf "$BOLD * %-20s$ENDCOLOR %s\n" "Kernel" "$(uname -rs)"
[ -f /var/run/reboot-required ] && printf "$RED * %-20s$ENDCOLOR %s\n" "A reboot is required"
printf "\n"
printf "$BOLD * %-20s$ENDCOLOR %s\n" "CPU usage" "$LOAD1, $LOAD5, $LOAD15 (1, 5, 15 min)"
printf "$BOLD * %-20s$ENDCOLOR %s\n" "Memory" "$MEMORY"
printf "$BOLD * %-20s$ENDCOLOR %s\n" "System uptime" "$upDays days $upHours hours $upMins minutes $upSecs seconds"
printf "\n"
if ! type "$zpool" &> /dev/null; then
printf "$BOLD Zpool status: $ENDCOLOR\n"
zpool status -x | sed -e 's/^/ /'
fi
if ! type "$zpool" &> /dev/null; then
printf "$BOLD Zpool usage: $ENDCOLOR\n"
zpool list -Ho name,cap,size | awk '{ printf("%-10s%+3s used out of %+5s\n", $1, $2, $3); }' | sed -e 's/^/ /'
fi
printf "\n"
figlet "$(hostname)" | lolcat -f
printf "$BOLD %-20s$ENDCOLOR %s\n" "Role:" "${config.mySystem.purpose}"
printf "\n"
${lib.strings.concatStrings (
lib.lists.forEach cfg.networkInterfaces (
x:
"printf \"$BOLD * %-20s$ENDCOLOR %s\\n\" \"IPv4 ${x}\" \"$(ip -4 addr show ${x} | grep -oP '(?<=inet\\s)\\d+(\\.\\d+){3}')\"\n"
)
)}
printf "$BOLD * %-20s$ENDCOLOR %s\n" "Release" "$PRETTY_NAME"
printf "$BOLD * %-20s$ENDCOLOR %s\n" "Kernel" "$(uname -rs)"
[ -f /var/run/reboot-required ] && printf "$RED * %-20s$ENDCOLOR %s\n" "A reboot is required"
printf "\n"
printf "$BOLD * %-20s$ENDCOLOR %s\n" "CPU usage" "$LOAD1, $LOAD5, $LOAD15 (1, 5, 15 min)"
printf "$BOLD * %-20s$ENDCOLOR %s\n" "Memory" "$MEMORY"
printf "$BOLD * %-20s$ENDCOLOR %s\n" "System uptime" "$upDays days $upHours hours $upMins minutes $upSecs seconds"
printf "\n"
if ! type "$zpool" &> /dev/null; then
printf "$BOLD Zpool status: $ENDCOLOR\n"
zpool status -x | sed -e 's/^/ /'
fi
if ! type "$zpool" &> /dev/null; then
printf "$BOLD Zpool usage: $ENDCOLOR\n"
zpool list -Ho name,cap,size | awk '{ printf("%-10s%+3s used out of %+5s\n", $1, $2, $3); }' | sed -e 's/^/ /'
fi
printf "\n"
if [[ -n "$service_status" ]]; then
printf "$BOLDService status$ENDCOLOR\n"
while IFS= read -r line; do
if [[ $line =~ ".scope" ]]; then
continue
fi
if echo "$line" | grep -q 'failed'; then
service_name=$(echo $line | awk '{print $2;}' | sed 's/podman-//g')
printf "$RED $ENDCOLOR%-50s $RED[failed]$ENDCOLOR\n" "$service_name"
elif echo "$line" | grep -q 'running'; then
service_name=$(echo $line | awk '{print $1;}' | sed 's/podman-//g')
printf "$GREEN $ENDCOLOR%-50s $GREEN[active]$ENDCOLOR\n" "$service_name"
else
echo "service status unknown"
fi
done <<< "$service_status"
fi
'';
if [[ -n "$service_status" ]]; then
printf "$BOLDService status$ENDCOLOR\n"
while IFS= read -r line; do
if [[ $line =~ ".scope" ]]; then
continue
fi
if echo "$line" | grep -q 'failed'; then
service_name=$(echo $line | awk '{print $2;}' | sed 's/podman-//g')
printf "$RED $ENDCOLOR%-50s $RED[failed]$ENDCOLOR\n" "$service_name"
elif echo "$line" | grep -q 'running'; then
service_name=$(echo $line | awk '{print $1;}' | sed 's/podman-//g')
printf "$GREEN $ENDCOLOR%-50s $GREEN[active]$ENDCOLOR\n" "$service_name"
else
echo "service status unknown"
fi
done <<< "$service_status"
fi
'';
cfg = config.mySystem.system.motd;
in
{
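Review bot: The ZFS guard `if ! type "$zpool" &> /dev/null; then`, used twice in the motd script, tests an empty name because no shell variable `zpool` is assigned anywhere in the script. With the `!` in front, both branches run unconditionally, so `zpool status -x` and `zpool list` are called even on hosts without ZFS; the check should read `if type zpool &> /dev/null; then`. The heading line `printf "$BOLDService status$ENDCOLOR\n"` has a related problem: the shell expands the unset variable `BOLDService`, so the word "Service" and the bold escape are both lost. Writing it as `printf "$BOLD%s$ENDCOLOR\n" "Service status"` fixes that without needing `''${...}` escaping inside the Nix string. Both lines are carried over unchanged by this commit, which in this section also changes the `systemctl list-units` filter.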


@ -5,22 +5,20 @@ let
in
{
options.mySystem.nix = {
autoOptimiseStore = mkOption
{
type = lib.types.bool;
description = "If we want to auto optimise store";
default = true;
};
autoOptimiseStore = mkOption {
type = lib.types.bool;
description = "If we want to auto optimise store";
default = true;
};
gc = {
enable = mkEnableOption "automatic garbage collection" // {
default = true;
};
persistent = mkOption
{
type = lib.types.bool;
description = "Persistent timer for gc, runs at startup if timer missed";
default = true;
};
persistent = mkOption {
type = lib.types.bool;
description = "Persistent timer for gc, runs at startup if timer missed";
default = true;
};
};
};


@ -5,19 +5,25 @@ let
in
{
options.mySystem.services.openssh = {
enable = mkEnableOption "openssh" // { default = true; };
passwordAuthentication = mkOption
{
type = lib.types.bool;
description = "If password can be accepted for ssh (commonly disable for security hardening)";
default = false;
};
permitRootLogin = mkOption
{
type = types.enum [ "yes" "without-password" "prohibit-password" "forced-commands-only" "no" ];
description = "If root can login via ssh (commonly disable for security hardening)";
default = "prohibit-password";
};
enable = mkEnableOption "openssh" // {
default = true;
};
passwordAuthentication = mkOption {
type = lib.types.bool;
description = "If password can be accepted for ssh (commonly disable for security hardening)";
default = false;
};
permitRootLogin = mkOption {
type = types.enum [
"yes"
"without-password"
"prohibit-password"
"forced-commands-only"
"no"
];
description = "If root can login via ssh (commonly disable for security hardening)";
default = "prohibit-password";
};
};
config = mkIf cfg.enable {


@ -1,26 +1,33 @@
{ lib
, config
, pkgs
, ...
{
lib,
config,
pkgs,
...
}:
with lib;
let
cfg = config.mySystem.system.systemd.pushover-alerts;
in
{
options.mySystem.system.systemd.pushover-alerts.enable = mkEnableOption "Pushover alerts for systemd failures" // { default = true; };
options.mySystem.system.systemd.pushover-alerts.enable =
mkEnableOption "Pushover alerts for systemd failures"
// {
default = true;
};
options.systemd.services = mkOption {
type = with types; attrsOf (
submodule {
type =
with types;
attrsOf (submodule {
config.onFailure = [ "notify-pushover@%n.service" ];
}
);
});
};
config = {
# Warn if backups are disable and machine isnt a dev box
warnings = [
(mkIf (!cfg.enable && config.mySystem.purpose != "Development") "WARNING: Pushover SystemD notifications are disabled!")
(mkIf (
!cfg.enable && config.mySystem.purpose != "Development"
) "WARNING: Pushover SystemD notifications are disabled!")
];
systemd.services."notify-pushover@" = mkIf cfg.enable {


@ -18,28 +18,27 @@ in
};
};
config =
{
security = {
sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword;
# Don't bother with the lecture or the need to keep state about who's been lectured
sudo.extraConfig = "Defaults lecture=\"never\"";
pam.sshAgentAuth.enable = cfg.sshAgentAuth.enable;
# Increase open file limit for sudoers
pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [
{
domain = "@wheel";
item = "nofile";
type = "soft";
value = "524288";
}
{
domain = "@wheel";
item = "nofile";
type = "hard";
value = "1048576";
}
];
};
config = {
security = {
sudo.wheelNeedsPassword = cfg.wheelNeedsSudoPassword;
# Don't bother with the lecture or the need to keep state about who's been lectured
sudo.extraConfig = "Defaults lecture=\"never\"";
pam.sshAgentAuth.enable = cfg.sshAgentAuth.enable;
# Increase open file limit for sudoers
pam.loginLimits = mkIf cfg.increaseWheelLoginLimits [
{
domain = "@wheel";
item = "nofile";
type = "soft";
value = "524288";
}
{
domain = "@wheel";
item = "nofile";
type = "hard";
value = "1048576";
}
];
};
};
}


@ -1,39 +1,45 @@
# turns off the wifi when the usb device 0bda:8156 is connected.
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.mySystem.framework_wifi_swap;
wifiSwap = pkgs.writeShellScriptBin "wifi_swap"
''
#! /usr/bin/env bash
# This script turns off the wifi and on when the usb device 0bda:8156 is connected or removed.
# It is useful when you want to use a wired connection instead of wifi.
# The script is run by udev when the usb device is connected.
# The script is located at /run/current-system/sw/bin/wifi_swap
# The udev rule is located at <nix-store>-extra-udev-rules/etc/udev/rules.d/99-local.rules
# The udev rule is:
# ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0bda", ATTR{idProduct}=="8156", RUN+="/run/current-system/sw/bin/wifi_swap"
# ACTION=="remove", SUBSYSTEM=="net", ENV{ID_USB_VENDOR_ID}=="0bda", ENV{ID_USB_MODEL_ID}=="8156", RUN+="/run/current-system/sw/bin/wifi_swap"
echo "wifi_swap ACTION: $ACTION" | systemd-cat -t wifi_swap
# Case or switch for $ACTION
case $ACTION in
add)
echo "Plugged in USB device 0bda:8156 (Realtek 2.5gbe). Turning Wi-Fi off." | systemd-cat -t wifi_swap
${pkgs.networkmanager.outPath}/bin/nmcli radio wifi off
;;
remove)
echo "unplugged in USB device 0bda:8156 (Realtek 2.5gbe) Turning Wi-Fi on." | systemd-cat -t wifi_swap
${pkgs.networkmanager.outPath}/bin/nmcli radio wifi on
;;
*)
echo "Uknown ACTION: $ACTION" | systemd-cat -t wifi_swap
;;
esac
'';
wifiSwap = pkgs.writeShellScriptBin "wifi_swap" ''
#! /usr/bin/env bash
# This script turns off the wifi and on when the usb device 0bda:8156 is connected or removed.
# It is useful when you want to use a wired connection instead of wifi.
# The script is run by udev when the usb device is connected.
# The script is located at /run/current-system/sw/bin/wifi_swap
# The udev rule is located at <nix-store>-extra-udev-rules/etc/udev/rules.d/99-local.rules
# The udev rule is:
# ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0bda", ATTR{idProduct}=="8156", RUN+="/run/current-system/sw/bin/wifi_swap"
# ACTION=="remove", SUBSYSTEM=="net", ENV{ID_USB_VENDOR_ID}=="0bda", ENV{ID_USB_MODEL_ID}=="8156", RUN+="/run/current-system/sw/bin/wifi_swap"
echo "wifi_swap ACTION: $ACTION" | systemd-cat -t wifi_swap
# Case or switch for $ACTION
case $ACTION in
add)
echo "Plugged in USB device 0bda:8156 (Realtek 2.5gbe). Turning Wi-Fi off." | systemd-cat -t wifi_swap
${pkgs.networkmanager.outPath}/bin/nmcli radio wifi off
;;
remove)
echo "unplugged in USB device 0bda:8156 (Realtek 2.5gbe) Turning Wi-Fi on." | systemd-cat -t wifi_swap
${pkgs.networkmanager.outPath}/bin/nmcli radio wifi on
;;
*)
echo "Uknown ACTION: $ACTION" | systemd-cat -t wifi_swap
;;
esac
'';
in
{
options.mySystem.framework_wifi_swap = {
enable = mkEnableOption "framework_wifi_swap" // { default = false; };
enable = mkEnableOption "framework_wifi_swap" // {
default = false;
};
};
config = mkIf cfg.enable {
# Create bash script and add it to nix store


@ -1,4 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}:
let
cfg = config.mySystem.system.zfs;
in
@ -25,7 +30,6 @@ with lib;
services.zfs = {
autoScrub.enable = true;
# Defaults to weekly and is a bit too regular for my NAS
autoScrub.interval = "weekly";
trim.enable = true;
};
@ -34,7 +38,7 @@ with lib;
environment.systemPackages = with pkgs; [
busybox
];
services.zfs.zed.settings = {
ZED_PUSHOVER_TOKEN = "$(${pkgs.busybox}/bin/cat ${config.sops.secrets.pushover-api-key.path})";
ZED_PUSHOVER_USER = "$(${pkgs.busybox}/bin/cat ${config.sops.secrets.pushover-user-key.path})";


@ -62,7 +62,10 @@ buildGoModule rec {
description = "AI on the command line";
homepage = "https://github.com/charmbracelet/mods";
license = licenses.mit;
maintainers = with maintainers; [ dit7ya caarlos0 ];
maintainers = with maintainers; [
dit7ya
caarlos0
];
mainProgram = "mods";
};
}


@ -1,12 +1,13 @@
{ lib
, channel ? "stable"
, fetchurl
, installShellFiles
, makeBinaryWrapper
, terraform
, stdenvNoCC
, unzip
, nixosTests
{
lib,
channel ? "stable",
fetchurl,
installShellFiles,
makeBinaryWrapper,
terraform,
stdenvNoCC,
unzip,
nixosTests,
}:
let
@ -41,19 +42,23 @@ stdenvNoCC.mkDerivation (finalAttrs: {
url =
let
systemName = {
x86_64-linux = "linux_amd64";
aarch64-linux = "linux_arm64";
x86_64-darwin = "darwin_amd64";
aarch64-darwin = "darwin_arm64";
}.${system};
systemName =
{
x86_64-linux = "linux_amd64";
aarch64-linux = "linux_arm64";
x86_64-darwin = "darwin_amd64";
aarch64-darwin = "darwin_arm64";
}
.${system};
ext = {
x86_64-linux = "tar.gz";
aarch64-linux = "tar.gz";
x86_64-darwin = "zip";
aarch64-darwin = "zip";
}.${system};
ext =
{
x86_64-linux = "tar.gz";
aarch64-linux = "tar.gz";
x86_64-darwin = "zip";
aarch64-darwin = "zip";
}
.${system};
in
"https://github.com/coder/coder/releases/download/v${finalAttrs.version}/coder_${finalAttrs.version}_${systemName}.${ext}";
};
@ -96,7 +101,11 @@ stdenvNoCC.mkDerivation (finalAttrs: {
homepage = "https://coder.com";
license = lib.licenses.agpl3Only;
mainProgram = "coder";
maintainers = with lib.maintainers; [ ghuntley kylecarbs urandom ];
maintainers = with lib.maintainers; [
ghuntley
kylecarbs
urandom
];
};
passthru = {


@ -19,16 +19,22 @@ in
# The unstable nixpkgs set (declared in the flake inputs) will
# be accessible through 'pkgs.unstable'
unstable-packages = final: prev: {
unstable = import inputs.nixpkgs-unstable
{
unstable =
import inputs.nixpkgs-unstable {
inherit (final) system;
config.allowUnfree = true;
} // {
# Add talosctl to the unstable set
talosctl = final.unstable.callPackage ./talosctl {
inherit (final.unstable) lib buildGoModule fetchFromGitHub installShellFiles;
}
// {
# Add talosctl to the unstable set
talosctl = final.unstable.callPackage ./talosctl {
inherit (final.unstable)
lib
buildGoModule
fetchFromGitHub
installShellFiles
;
};
xpipe = final.unstable.callPackage ./xpipe/ptb.nix { };
};
xpipe = final.unstable.callPackage ./xpipe/ptb.nix {};
};
};
}


@ -1,4 +1,10 @@
{ lib, buildGoModule, fetchFromGitHub, installShellFiles, git }:
{
lib,
buildGoModule,
fetchFromGitHub,
installShellFiles,
git,
}:
buildGoModule rec {
pname = "talosctl";
@ -13,7 +19,10 @@ buildGoModule rec {
vendorHash = "sha256-XvOMNyiHnemqnbOzWmzZXkr3+/ZgJDg8vjCtWFkCtLs=";
ldflags = [ "-s" "-w" ];
ldflags = [
"-s"
"-w"
];
subPackages = [ "cmd/talosctl" ];
@ -33,7 +42,10 @@ buildGoModule rec {
export GOFLAGS="-mod=vendor"
'';
nativeBuildInputs = [ installShellFiles git ];
nativeBuildInputs = [
installShellFiles
git
];
postInstall = ''
installShellCompletion --cmd talosctl \


@ -1,15 +1,16 @@
{ autoPatchelfHook
, squashfsTools
, alsa-lib
, fetchurl
, makeDesktopItem
, makeWrapper
, stdenv
, lib
, libsecret
, mesa
, udev
, wrapGAppsHook3
{
autoPatchelfHook,
squashfsTools,
alsa-lib,
fetchurl,
makeDesktopItem,
makeWrapper,
stdenv,
lib,
libsecret,
mesa,
udev,
wrapGAppsHook3,
}:
stdenv.mkDerivation rec {
@ -45,7 +46,12 @@ stdenv.mkDerivation rec {
dontWrapGApps = true;
# TODO: migrate off autoPatchelfHook and use nixpkgs' electron
nativeBuildInputs = [ autoPatchelfHook squashfsTools makeWrapper wrapGAppsHook3 ];
nativeBuildInputs = [
autoPatchelfHook
squashfsTools
makeWrapper
wrapGAppsHook3
];
buildInputs = [
alsa-lib
@ -89,7 +95,10 @@ stdenv.mkDerivation rec {
downloadPage = "https://termius.com/linux/";
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
license = licenses.unfree;
maintainers = with maintainers; [ Br1ght0ne th0rgal ];
maintainers = with maintainers; [
Br1ght0ne
th0rgal
];
platforms = [ "x86_64-linux" ];
mainProgram = "termius-app";
};


@ -1,42 +1,92 @@
{ lib, stdenv, fetchurl, zlib, libX11, libXext, libSM, libICE, libxkbcommon, libxshmfence
, libXfixes, libXt, libXi, libXcursor, libXScrnSaver, libXcomposite, libXdamage, libXtst, libXrandr
, alsa-lib, dbus, cups, libexif, ffmpeg, systemd, libva, libGL
, freetype, fontconfig, libXft, libXrender, libxcb, expat
, libuuid
, libxml2
, glib, gtk3, pango, gdk-pixbuf, cairo, atk, at-spi2-atk, at-spi2-core
, qt5
, libdrm, mesa
, vulkan-loader
, nss, nspr
, patchelf, makeWrapper
, wayland, pipewire
, isSnapshot ? false
, proprietaryCodecs ? false, vivaldi-ffmpeg-codecs ? null
, enableWidevine ? false, widevine-cdm ? null
, commandLineArgs ? ""
, pulseSupport ? stdenv.isLinux, libpulseaudio
, kerberosSupport ? true, libkrb5
{
lib,
stdenv,
fetchurl,
zlib,
libX11,
libXext,
libSM,
libICE,
libxkbcommon,
libxshmfence,
libXfixes,
libXt,
libXi,
libXcursor,
libXScrnSaver,
libXcomposite,
libXdamage,
libXtst,
libXrandr,
alsa-lib,
dbus,
cups,
libexif,
ffmpeg,
systemd,
libva,
libGL,
freetype,
fontconfig,
libXft,
libXrender,
libxcb,
expat,
libuuid,
libxml2,
glib,
gtk3,
pango,
gdk-pixbuf,
cairo,
atk,
at-spi2-atk,
at-spi2-core,
qt5,
libdrm,
mesa,
vulkan-loader,
nss,
nspr,
patchelf,
makeWrapper,
wayland,
pipewire,
isSnapshot ? false,
proprietaryCodecs ? false,
vivaldi-ffmpeg-codecs ? null,
enableWidevine ? false,
widevine-cdm ? null,
commandLineArgs ? "",
pulseSupport ? stdenv.isLinux,
libpulseaudio,
kerberosSupport ? true,
libkrb5,
}:
let
branch = if isSnapshot then "snapshot" else "stable";
vivaldiName = if isSnapshot then "vivaldi-snapshot" else "vivaldi";
in stdenv.mkDerivation rec {
in
stdenv.mkDerivation rec {
pname = "vivaldi";
version = "6.9.3447.37";
suffix = {
aarch64-linux = "arm64";
x86_64-linux = "amd64";
}.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
suffix =
{
aarch64-linux = "arm64";
x86_64-linux = "amd64";
}
.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
src = fetchurl {
url = "https://downloads.vivaldi.com/${branch}/vivaldi-${branch}_${version}-1_${suffix}.deb";
hash = {
aarch64-linux = "sha256-kYTnWad/jrJt9z+AhjXzHYxVSIwIIO3RKD7szuPEg2s=";
x86_64-linux = "sha256-+h7SHci8gZ+epKFHD0PiXyME2xT+loD2KXpJGFCfIFg=";
}.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
hash =
{
aarch64-linux = "sha256-kYTnWad/jrJt9z+AhjXzHYxVSIwIIO3RKD7szuPEg2s=";
x86_64-linux = "sha256-+h7SHci8gZ+epKFHD0PiXyME2xT+loD2KXpJGFCfIFg=";
}
.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");
};
unpackPhase = ''
@ -44,92 +94,151 @@ in stdenv.mkDerivation rec {
tar -xvf data.tar.xz
'';
nativeBuildInputs = [ patchelf makeWrapper ];
nativeBuildInputs = [
patchelf
makeWrapper
];
dontWrapQtApps = true;
buildInputs = [
stdenv.cc.cc stdenv.cc.libc zlib libX11 libXt libXext libSM libICE libxcb libxkbcommon libxshmfence
libXi libXft libXcursor libXfixes libXScrnSaver libXcomposite libXdamage libXtst libXrandr
atk at-spi2-atk at-spi2-core alsa-lib dbus cups gtk3 gdk-pixbuf libexif ffmpeg systemd libva
qt5.qtbase
freetype fontconfig libXrender libuuid expat glib nss nspr libGL
libxml2 pango cairo
libdrm mesa vulkan-loader
wayland pipewire
] ++ lib.optional proprietaryCodecs vivaldi-ffmpeg-codecs
buildInputs =
[
stdenv.cc.cc
stdenv.cc.libc
zlib
libX11
libXt
libXext
libSM
libICE
libxcb
libxkbcommon
libxshmfence
libXi
libXft
libXcursor
libXfixes
libXScrnSaver
libXcomposite
libXdamage
libXtst
libXrandr
atk
at-spi2-atk
at-spi2-core
alsa-lib
dbus
cups
gtk3
gdk-pixbuf
libexif
ffmpeg
systemd
libva
qt5.qtbase
freetype
fontconfig
libXrender
libuuid
expat
glib
nss
nspr
libGL
libxml2
pango
cairo
libdrm
mesa
vulkan-loader
wayland
pipewire
]
++ lib.optional proprietaryCodecs vivaldi-ffmpeg-codecs
++ lib.optional pulseSupport libpulseaudio
++ lib.optional kerberosSupport libkrb5;
libPath = lib.makeLibraryPath buildInputs
+ lib.optionalString (stdenv.is64bit)
(":" + lib.makeSearchPathOutput "lib" "lib64" buildInputs)
libPath =
lib.makeLibraryPath buildInputs
+ lib.optionalString (stdenv.is64bit) (":" + lib.makeSearchPathOutput "lib" "lib64" buildInputs)
+ ":$out/opt/${vivaldiName}/lib";
buildPhase = ''
runHook preBuild
echo "Patching Vivaldi binaries"
for f in chrome_crashpad_handler vivaldi-bin vivaldi-sandbox ; do
patchelf \
--set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
--set-rpath "${libPath}" \
opt/${vivaldiName}/$f
done
buildPhase =
''
runHook preBuild
echo "Patching Vivaldi binaries"
for f in chrome_crashpad_handler vivaldi-bin vivaldi-sandbox ; do
patchelf \
--set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
--set-rpath "${libPath}" \
opt/${vivaldiName}/$f
done
for f in libGLESv2.so libqt5_shim.so ; do
patchelf --set-rpath "${libPath}" opt/${vivaldiName}/$f
done
'' + lib.optionalString proprietaryCodecs ''
ln -s ${vivaldi-ffmpeg-codecs}/lib/libffmpeg.so opt/${vivaldiName}/libffmpeg.so.''${version%\.*\.*}
'' + ''
echo "Finished patching Vivaldi binaries"
runHook postBuild
'';
for f in libGLESv2.so libqt5_shim.so ; do
patchelf --set-rpath "${libPath}" opt/${vivaldiName}/$f
done
''
+ lib.optionalString proprietaryCodecs ''
ln -s ${vivaldi-ffmpeg-codecs}/lib/libffmpeg.so opt/${vivaldiName}/libffmpeg.so.''${version%\.*\.*}
''
+ ''
echo "Finished patching Vivaldi binaries"
runHook postBuild
'';
dontPatchELF = true;
dontStrip = true;
dontStrip = true;
installPhase = ''
runHook preInstall
mkdir -p "$out"
cp -r opt "$out"
mkdir "$out/bin"
ln -s "$out/opt/${vivaldiName}/${vivaldiName}" "$out/bin/vivaldi"
mkdir -p "$out/share"
cp -r usr/share/{applications,xfce4} "$out"/share
substituteInPlace "$out"/share/applications/*.desktop \
--replace /usr/bin/${vivaldiName} "$out"/bin/vivaldi
substituteInPlace "$out"/share/applications/*.desktop \
--replace vivaldi-stable vivaldi
local d
for d in 16 22 24 32 48 64 128 256; do
mkdir -p "$out"/share/icons/hicolor/''${d}x''${d}/apps
ln -s \
"$out"/opt/${vivaldiName}/product_logo_''${d}.png \
"$out"/share/icons/hicolor/''${d}x''${d}/apps/vivaldi.png
done
wrapProgram "$out/bin/vivaldi" \
--add-flags ${lib.escapeShellArg commandLineArgs} \
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \
--set-default FONTCONFIG_FILE "${fontconfig.out}/etc/fonts/fonts.conf" \
--set-default FONTCONFIG_PATH "${fontconfig.out}/etc/fonts" \
--suffix XDG_DATA_DIRS : ${gtk3}/share/gsettings-schemas/${gtk3.name}/ \
${lib.optionalString enableWidevine "--suffix LD_LIBRARY_PATH : ${libPath}"}
'' + lib.optionalString enableWidevine ''
ln -sf ${widevine-cdm}/share/google/chrome/WidevineCdm $out/opt/${vivaldiName}/WidevineCdm
'' + ''
runHook postInstall
'';
installPhase =
''
runHook preInstall
mkdir -p "$out"
cp -r opt "$out"
mkdir "$out/bin"
ln -s "$out/opt/${vivaldiName}/${vivaldiName}" "$out/bin/vivaldi"
mkdir -p "$out/share"
cp -r usr/share/{applications,xfce4} "$out"/share
substituteInPlace "$out"/share/applications/*.desktop \
--replace /usr/bin/${vivaldiName} "$out"/bin/vivaldi
substituteInPlace "$out"/share/applications/*.desktop \
--replace vivaldi-stable vivaldi
local d
for d in 16 22 24 32 48 64 128 256; do
mkdir -p "$out"/share/icons/hicolor/''${d}x''${d}/apps
ln -s \
"$out"/opt/${vivaldiName}/product_logo_''${d}.png \
"$out"/share/icons/hicolor/''${d}x''${d}/apps/vivaldi.png
done
wrapProgram "$out/bin/vivaldi" \
--add-flags ${lib.escapeShellArg commandLineArgs} \
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \
--set-default FONTCONFIG_FILE "${fontconfig.out}/etc/fonts/fonts.conf" \
--set-default FONTCONFIG_PATH "${fontconfig.out}/etc/fonts" \
--suffix XDG_DATA_DIRS : ${gtk3}/share/gsettings-schemas/${gtk3.name}/ \
${lib.optionalString enableWidevine "--suffix LD_LIBRARY_PATH : ${libPath}"}
''
+ lib.optionalString enableWidevine ''
ln -sf ${widevine-cdm}/share/google/chrome/WidevineCdm $out/opt/${vivaldiName}/WidevineCdm
''
+ ''
runHook postInstall
'';
passthru.updateScript = ./update-vivaldi.sh;
meta = with lib; {
description = "Browser for our Friends, powerful and personal";
homepage = "https://vivaldi.com";
license = licenses.unfree;
homepage = "https://vivaldi.com";
license = licenses.unfree;
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
mainProgram = "vivaldi";
maintainers = with maintainers; [ otwieracz badmutex ];
platforms = [ "x86_64-linux" "aarch64-linux" ];
maintainers = with maintainers; [
otwieracz
badmutex
];
platforms = [
"x86_64-linux"
"aarch64-linux"
];
};
}


@ -1,4 +1,9 @@
{ squashfsTools, fetchurl, lib, stdenv }:
{
squashfsTools,
fetchurl,
lib,
stdenv,
}:
# This derivation roughly follows the update-ffmpeg script that ships with the official Vivaldi
# downloads at https://vivaldi.com/download/
@ -23,10 +28,14 @@ stdenv.mkDerivation rec {
meta = with lib; {
description = "Additional support for proprietary codecs for Vivaldi";
homepage = "https://ffmpeg.org/";
homepage = "https://ffmpeg.org/";
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
license = licenses.lgpl21;
maintainers = with maintainers; [ betaboon cawilliamson fptje ];
platforms = [ "x86_64-linux" ];
license = licenses.lgpl21;
maintainers = with maintainers; [
betaboon
cawilliamson
fptje
];
platforms = [ "x86_64-linux" ];
};
}


@ -1,48 +1,54 @@
{ stdenvNoCC
, lib
, fetchzip
, makeDesktopItem
, autoPatchelfHook
, zlib
, fontconfig
, udev
, gtk3
, freetype
, alsa-lib
, makeShellWrapper
, libX11
, libXext
, libXdamage
, libXfixes
, libxcb
, libXcomposite
, libXcursor
, libXi
, libXrender
, libXtst
, libXxf86vm
, util-linux
, socat
, hicolor-icon-theme
{
stdenvNoCC,
lib,
fetchzip,
makeDesktopItem,
autoPatchelfHook,
zlib,
fontconfig,
udev,
gtk3,
freetype,
alsa-lib,
makeShellWrapper,
libX11,
libXext,
libXdamage,
libXfixes,
libxcb,
libXcomposite,
libXcursor,
libXi,
libXrender,
libXtst,
libXxf86vm,
util-linux,
socat,
hicolor-icon-theme,
}:
let
inherit (stdenvNoCC.hostPlatform) system;
throwSystem = throw "Unsupported system: ${system}";
arch = {
x86_64-linux = "x86_64";
aarch64-linux = "arm64";
}.${system} or throwSystem;
arch =
{
x86_64-linux = "x86_64";
aarch64-linux = "arm64";
}
.${system} or throwSystem;
hash = {
x86_64-linux = "sha256-O4gl0WulhDyqL9lDwqR1oxNAzVjHn+3q0UB8KP0/sBk=";
aarch64-linux = "";
}.${system} or throwSystem;
hash =
{
x86_64-linux = "sha256-O4gl0WulhDyqL9lDwqR1oxNAzVjHn+3q0UB8KP0/sBk=";
aarch64-linux = "";
}
.${system} or throwSystem;
displayname = "XPipe PTB";
in stdenvNoCC.mkDerivation rec {
in
stdenvNoCC.mkDerivation rec {
pname = "xpipe-ptb";
version = "13.0-10";
@ -60,25 +66,25 @@ in stdenvNoCC.mkDerivation rec {
autoPatchelfIgnoreMissingDeps = true;
buildInputs = [
fontconfig
zlib
udev
freetype
gtk3
alsa-lib
libX11
libX11
libXext
libXdamage
libXfixes
libxcb
libXcomposite
libXcursor
libXi
libXrender
libXtst
libXxf86vm
];
fontconfig
zlib
udev
freetype
gtk3
alsa-lib
libX11
libX11
libXext
libXdamage
libXfixes
libxcb
libXcomposite
libXcursor
libXi
libXrender
libXtst
libXxf86vm
];
desktopItem = makeDesktopItem {
categories = [ "Network" ];
@ -114,9 +120,21 @@ in stdenvNoCC.mkDerivation rec {
mv "$out/opt/$pkg/app/scripts/xpiped_debug.sh" "$out/opt/$pkg/app/scripts/xpiped_debug_raw.sh"
makeShellWrapper "$out/opt/$pkg/app/bin/xpiped_raw" "$out/opt/$pkg/app/bin/xpiped" \
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ fontconfig gtk3 udev ]}"
--prefix LD_LIBRARY_PATH : "${
lib.makeLibraryPath [
fontconfig
gtk3
udev
]
}"
makeShellWrapper "$out/opt/$pkg/app/scripts/xpiped_debug_raw.sh" "$out/opt/$pkg/app/scripts/xpiped_debug.sh" \
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ fontconfig gtk3 udev ]}"
--prefix LD_LIBRARY_PATH : "${
lib.makeLibraryPath [
fontconfig
gtk3
udev
]
}"
runHook postInstall
'';
@ -127,9 +145,15 @@ in stdenvNoCC.mkDerivation rec {
downloadPage = "https://github.com/xpipe-io/${pname}/releases/latest";
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
changelog = "https://github.com/xpipe-io/${pname}/releases/tag/${version}";
license = [ licenses.asl20 licenses.unfree ];
license = [
licenses.asl20
licenses.unfree
];
maintainers = with maintainers; [ crschnick ];
platforms = [ "x86_64-linux" "aarch64-linux" ];
platforms = [
"x86_64-linux"
"aarch64-linux"
];
mainProgram = pname;
};
}
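Review bot: The `hash` attrset in the `let` block still carries `aarch64-linux = "";` while `meta.platforms` in the last hunk lists `"aarch64-linux"`, so the package advertises a platform it has no pinned source hash for. An empty hash should make the fetch fail with a mismatch rather than accept unverified content, but it invites pasting whatever hash the failed build prints without checking the artifact first. Either pin a hash computed from a release download you have verified, or restrict the list to `platforms = [ "x86_64-linux" ];` until one exists. A comment above `hash` such as `# SRI hash of the unpacked release archive; recompute and verify on every version bump` would record where the value comes from.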


@ -3,14 +3,13 @@ let
finalVersion = "0.149.3";
in
final: prev: {
zed-editor = prev.zed-editor.overrideAttrs
(oldAttrs: {
version = finalVersion;
src = prev.fetchFromGithub {
hash = "sha256-ed6/QQObmclSA36g+civhii1aFKTBSjqB+LOyp2LUPg=";
};
cargoLock = prev.outputHashes {
"blade-graphics-0.4.0" = "sha256-sGXhXmgtd7Wx/Gf7HCWro4RsQOGS4pQt8+S3T+2wMfY=";
};
});
zed-editor = prev.zed-editor.overrideAttrs (oldAttrs: {
version = finalVersion;
src = prev.fetchFromGithub {
hash = "sha256-ed6/QQObmclSA36g+civhii1aFKTBSjqB+LOyp2LUPg=";
};
cargoLock = prev.outputHashes {
"blade-graphics-0.4.0" = "sha256-sGXhXmgtd7Wx/Gf7HCWro4RsQOGS4pQt8+S3T+2wMfY=";
};
});
}
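Review bot: `src = prev.fetchFromGithub {` names an attribute that nixpkgs does not provide (the fetcher is spelled `fetchFromGitHub`). The call also passes only `hash`, with no `owner`, `repo` or `rev`, so the overlay never states which source the hash is supposed to pin. `cargoLock = prev.outputHashes {` looks like it was meant to set the `outputHashes` attribute of `cargoLock` rather than call a function on `prev`; confirm against the upstream package definition. I would change the line to `src = prev.fetchFromGitHub {` and add the `owner`, `repo` and a `rev` derived from `finalVersion` next to `hash`, so the version string and the fetched revision cannot drift apart. The hunk starts at line 3 of the file, so the head of the `let` block is not visible here.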


@ -1,4 +1,8 @@
{ disks ? [ "/dev/sda" ], ... }: {
{
disks ? [ "/dev/sda" ],
...
}:
{
disko.devices = {
disk = {
main = {


@ -42,7 +42,10 @@
connect-timeout = 25;
# Avoid copying unnecessary stuff over SSH
builders-use-substitutes = true;
trusted-users = [ "root" "@wheel" ];
trusted-users = [
"root"
"@wheel"
];
warn-dirty = false;
# The default at 10 is rarely enough.
log-lines = lib.mkDefault 25;
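Review bot: `trusted-users` includes `"@wheel"`, which makes every member of the wheel group a trusted user of the Nix daemon. Trusted users can choose arbitrary substituters and bypass signature checks on imported store paths, which Nix documents as essentially equivalent to root access, so a compromised wheel account gets that without a sudo prompt. Unless remote builds or deployments need it, I would reduce this to `trusted-users = [ "root" ];` and list any extra caches the users need under `trusted-substituters` with their public keys. If `@wheel` has to stay, a comment such as `# wheel is root-equivalent for the nix daemon; required for <reason>` should say why. The enclosing settings attrset begins outside this hunk.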


@ -3,7 +3,12 @@
system = {
# Enable printing changes on nix build etc with nvd
activationScripts.report-changes = ''
PATH=$PATH:${lib.makeBinPath [ pkgs.nvd pkgs.nix ]}
PATH=$PATH:${
lib.makeBinPath [
pkgs.nvd
pkgs.nix
]
}
profiles=$(${pkgs.coreutils}/bin/ls -dv /nix/var/nix/profiles/system-*-link | tail -2)
profile_count=$(echo "$profiles" | ${pkgs.coreutils}/bin/wc -l)
if [ $profile_count -gt 1 ]; then


@ -3,7 +3,14 @@ with lib;
{
boot = {
initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
kernelModules = [ ];
extraModulePackages = [ ];


@ -1,10 +1,17 @@
{ lib, ... }: {
{ lib, ... }:
{
imports = [ ];
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
initrd.availableKernelModules = [
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"usbhid"
"sr_mod"
];
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];


@ -10,7 +10,10 @@
efiSupport = true;
efiInstallAsRemovable = true;
mirroredBoots = [
{ devices = [ "nodev" ]; path = "/boot"; }
{
devices = [ "nodev" ];
path = "/boot";
}
];
};
};


@ -1,10 +1,18 @@
{ lib, ... }: {
{ lib, ... }:
{
imports = [ ];
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];


@ -38,6 +38,7 @@
shfmt
statix
tmux
unstable.mise
unstable.bottom
unstable.cyme
unstable.go-task