This commit is contained in:
Joseph Hanson 2024-07-30 18:47:59 -05:00
parent b6132b689e
commit fb545ba987
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
16 changed files with 314 additions and 264 deletions


@ -18,45 +18,46 @@ in
config = lib.mkMerge [ config = lib.mkMerge [
(lib.mkIf cfg.enable { (lib.mkIf cfg.enable {
programs.gh.enable = true; programs = {
programs.gpg.enable = true; gh.enable = true;
gpg.enable = true;
git = {
enable = true;
programs.git = { userName = cfg.username;
enable = true; userEmail = cfg.email;
userName = cfg.username; extraConfig = {
userEmail = cfg.email; core.autocrlf = "input";
init.defaultBranch = "main";
extraConfig = { pull.rebase = true;
core.autocrlf = "input"; rebase.autoStash = true;
init.defaultBranch = "main"; # public key for signing commits
pull.rebase = true; user.signingKey = cfg.signingKey;
rebase.autoStash = true; # ssh instead of gpg
# public key for signing commits gpg.format = "ssh";
user.signingKey = cfg.signingKey; # 1password signing gui git signing
# ssh instead of gpg gpg.ssh.program = "${pkgs._1password-gui}/bin/op-ssh-sign";
gpg.format = "ssh"; # Auto sign commits without -S
# 1password signing gui git signing commit.gpgsign = true;
gpg.ssh.program = "${pkgs._1password-gui}/bin/op-ssh-sign"; };
# Auto sign commits without -S aliases = {
commit.gpgsign = true; co = "checkout";
};
ignores = [
# Mac OS X hidden files
".DS_Store"
# Windows files
"Thumbs.db"
# asdf
".tool-versions"
# Sops
".decrypted~*"
"*.decrypted.*"
# Python virtualenvs
".venv"
];
}; };
aliases = {
co = "checkout";
};
ignores = [
# Mac OS X hidden files
".DS_Store"
# Windows files
"Thumbs.db"
# asdf
".tool-versions"
# Sops
".decrypted~*"
"*.decrypted.*"
# Python virtualenvs
".venv"
];
}; };
home.packages = [ home.packages = [


@ -12,21 +12,26 @@
extraModulePackages = [ ]; extraModulePackages = [ ];
}; };
fileSystems."/" = fileSystems = {
{ device = "rpool/root"; "/" =
fsType = "zfs"; {
}; device = "rpool/root";
fsType = "zfs";
};
fileSystems."/home" = "/home" =
{ device = "rpool/home"; {
fsType = "zfs"; device = "rpool/home";
}; fsType = "zfs";
};
fileSystems."/boot" = "/boot" =
{ device = "/dev/disk/by-uuid/F1B9-CA7C"; {
fsType = "vfat"; device = "/dev/disk/by-uuid/F1B9-CA7C";
options = [ "fmask=0077" "dmask=0077" ]; fsType = "vfat";
}; options = [ "fmask=0077" "dmask=0077" ];
};
};
swapDevices = [ ]; swapDevices = [ ];


@ -79,13 +79,17 @@ in
# NFS # NFS
nfs.enable = true; nfs.enable = true;
# Samba # Samba
samba.enable = true; samba = {
samba.shares = import ./config/samba-shares.nix { }; enable = true;
samba.extraConfig = import ./config/samba-config.nix { }; shares = import ./config/samba-shares.nix { };
resticBackup.local.enable = false; extraConfig = import ./config/samba-config.nix { };
resticBackup.remote.enable = false; };
resticBackup.local.noWarning = true; resticBackup = {
resticBackup.remote.noWarning = true; local.enable = false;
remote.enable = false;
local.noWarning = true;
remote.noWarning = true;
};
# Borg # Borg
borgbackup = { borgbackup = {
enable = true; enable = true;


@ -5,7 +5,8 @@
{ {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix") [
(modulesPath + "/installer/scan/not-detected.nix")
]; ];
networking.hostId = "2132e3bf"; networking.hostId = "2132e3bf";
@ -17,24 +18,31 @@
extraModulePackages = [ ]; extraModulePackages = [ ];
}; };
fileSystems."/" = fileSystems =
{ device = "zroot/root"; {
fsType = "zfs"; "/" =
}; {
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/nix" = "/nix" =
{ device = "zroot/nix"; {
fsType = "zfs"; device = "zroot/nix";
}; fsType = "zfs";
};
fileSystems."/var" = "/var" =
{ device = "zroot/var"; {
fsType = "zfs"; device = "zroot/var";
}; fsType = "zfs";
};
fileSystems."/home" = "/home" =
{ device = "zroot/home"; {
fsType = "zfs"; device = "zroot/home";
fsType = "zfs";
};
}; };
# fileSystems."/boot" = # fileSystems."/boot" =


@ -18,24 +18,26 @@
extraModulePackages = [ ]; extraModulePackages = [ ];
}; };
fileSystems."/" = { fileSystems = {
device = "zroot/root"; "/" = {
fsType = "zfs"; device = "zroot/root";
}; fsType = "zfs";
};
fileSystems."/nix" = { "/nix" = {
device = "zroot/nix"; device = "zroot/nix";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var" = { "/var" = {
device = "zroot/var"; device = "zroot/var";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/home" = { "/home" = {
device = "zroot/home"; device = "zroot/home";
fsType = "zfs"; fsType = "zfs";
};
}; };
swapDevices = [ ]; swapDevices = [ ];
@ -45,10 +47,12 @@
# System settings and services. # System settings and services.
mySystem = { mySystem = {
purpose = "Development"; purpose = "Development";
system.motd.networkInterfaces = [ "wlp1s0" ]; system = {
motd.networkInterfaces = [ "wlp1s0" ];
fingerprint-reader-on-laptop-lid.enable = true;
borg.pika-backup.enable = true;
};
security._1password.enable = true; security._1password.enable = true;
system.fingerprint-reader-on-laptop-lid.enable = true;
framework_wifi_swap.enable = true; framework_wifi_swap.enable = true;
system.borg.pika-backup.enable = true;
}; };
} }


@ -17,25 +17,26 @@
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ]; extraModulePackages = [ ];
}; };
fileSystems = {
"/" = {
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/" = { "/nix" = {
device = "zroot/root"; device = "zroot/nix";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nix" = { "/var" = {
device = "zroot/nix"; device = "zroot/var";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var" = { "/home" = {
device = "zroot/var"; device = "zroot/home";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/home" = {
device = "zroot/home";
fsType = "zfs";
}; };
swapDevices = [ ]; swapDevices = [ ];
@ -65,11 +66,15 @@
# System settings and services. # System settings and services.
mySystem = { mySystem = {
purpose = "Production"; purpose = "Production";
system.motd.networkInterfaces = [ "enp2s0" "wlp3s0" ]; system = {
system.resticBackup.local.enable = false; motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
system.resticBackup.remote.enable = false; resticBackup = {
system.resticBackup.local.noWarning = true; local.enable = false;
system.resticBackup.remote.noWarning = true; remote.enable = false;
local.noWarning = true;
remote.noWarning = true;
};
};
services = { services = {
podman.enable = true; podman.enable = true;


@ -3,20 +3,21 @@
networking.hostId = "cdab8473"; networking.hostId = "cdab8473";
networking.hostName = "varda"; # Define your hostname. networking.hostName = "varda"; # Define your hostname.
fileSystems = {
"/" = {
device = "rpool/root";
fsType = "zfs";
};
fileSystems."/" = { "/home" = {
device = "rpool/root"; device = "rpool/home";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/home" = { "/boot" = {
device = "rpool/home"; device = "/dev/disk/by-uuid/8091-E7F2";
fsType = "zfs"; fsType = "vfat";
}; };
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/8091-E7F2";
fsType = "vfat";
}; };
swapDevices = [ ]; swapDevices = [ ];


@ -4,12 +4,14 @@ let
cfg = config.mySystem.de.gnome; cfg = config.mySystem.de.gnome;
in in
{ {
options.mySystem.de.gnome.enable = mkEnableOption "GNOME"; options = {
options.mySystem.de.gnome.systrayicons = mkEnableOption "Enable systray icons" // { default = true; }; mySystem.de.gnome = {
options.mySystem.de.gnome.gsconnect = mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // { default = true; }; systrayicons = mkEnableOption "Enable systray icons" // { default = true; };
gsconnect = mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // { default = true; };
};
};
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Ref: https://nixos.wiki/wiki/GNOME # Ref: https://nixos.wiki/wiki/GNOME
# GNOME plz # GNOME plz
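Review bot: The new `mySystem.de.gnome = {` block only declares `systrayicons` and `gsconnect`; the old `options.mySystem.de.gnome.enable = mkEnableOption "GNOME";` has no counterpart on the new side, yet `config = mkIf cfg.enable` directly below still reads that option, so evaluation would fail (or the desktop could never be switched on) unless the option is declared elsewhere. Add `enable = mkEnableOption "GNOME";` as the first entry of the new block.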


@ -13,43 +13,45 @@ with lib;
./system ./system
]; ];
options.mySystem.persistentFolder = mkOption { options.mySystem = {
type = types.str; persistentFolder = mkOption {
description = "persistent folder for nixos mutable files"; type = types.str;
default = "/persist"; description = "persistent folder for nixos mutable files";
default = "/persist";
};
nasFolder = mkOption {
type = types.str;
description = "folder where nas mounts reside";
default = "/mnt/nas";
};
nasAddress = mkOption {
type = types.str;
description = "NAS Address or name for the backup nas";
default = "10.1.1.13";
};
domain = mkOption {
type = types.str;
description = "domain for hosted services";
default = "";
};
internalDomain = mkOption {
type = types.str;
description = "domain for local devices";
default = "";
};
purpose = mkOption {
type = types.str;
description = "System purpose";
default = "Development";
};
}; };
options.mySystem.nasFolder = mkOption { monitoring.prometheus.scrapeConfigs = mkOption {
type = types.str;
description = "folder where nas mounts reside";
default = "/mnt/nas";
};
options.mySystem.nasAddress = mkOption {
type = types.str;
description = "NAS Address or name for the backup nas";
default = "10.1.1.13";
};
options.mySystem.domain = mkOption {
type = types.str;
description = "domain for hosted services";
default = "";
};
options.mySystem.internalDomain = mkOption {
type = types.str;
description = "domain for local devices";
default = "";
};
options.mySystem.purpose = mkOption {
type = types.str;
description = "System purpose";
default = "Development";
};
options.mySystem.monitoring.prometheus.scrapeConfigs = mkOption {
type = lib.types.listOf lib.types.attrs; type = lib.types.listOf lib.types.attrs;
description = "Prometheus scrape targets"; description = "Prometheus scrape targets";
default = [ ]; default = [ ];
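Review bot: On the new side, `monitoring.prometheus.scrapeConfigs = mkOption {` appears to come after the `};` that closes the new `options.mySystem = {` block (the one following `purpose`'s own `};`), which would declare a top-level `monitoring` attribute instead of `options.mySystem.monitoring.prometheus.scrapeConfigs`; in a module that also has `options`, such an extra attribute is rejected by the module system as unsupported. Indentation is lost in this rendering, so please confirm against the file; if so, move the declaration inside the block, or restore the explicit `options.mySystem.monitoring.prometheus.scrapeConfigs = mkOption {` form. The closing braces of that mkOption lie beyond the hunk.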


@ -8,70 +8,72 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.sessionVariables.NIXOS_OZONE_WL = "1";
# ref: https://nixos.wiki/wiki/Nvidia # ref: https://nixos.wiki/wiki/Nvidia
# Enable OpenGL # Enable OpenGL
hardware.opengl = { hardware = {
enable = true; opengl = {
driSupport = true; enable = true;
driSupport32Bit = true; driSupport = true;
}; driSupport32Bit = true;
};
hardware.opengl.extraPackages = with pkgs; [ hardware.opengl.extraPackages = with pkgs; [
vaapiVdpau vaapiVdpau
]; ];
# This is for the benefit of VSCODE running natively in wayland # This is for the benefit of VSCODE running natively in wayland
environment.sessionVariables.NIXOS_OZONE_WL = "1";
hardware.nvidia = { hardware.nvidia = {
# Modesetting is required. # Modesetting is required.
modesetting.enable = true; modesetting.enable = true;
# Nvidia power management. Experimental, and can cause sleep/suspend to fail. # Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# Enable this if you have graphical corruption issues or application crashes after waking # Enable this if you have graphical corruption issues or application crashes after waking
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
# of just the bare essentials. # of just the bare essentials.
powerManagement.enable = false; powerManagement.enable = false;
# Fine-grained power management. Turns off GPU when not in use. # Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer). # Experimental and only works on modern Nvidia GPUs (Turing or newer).
powerManagement.finegrained = false; powerManagement.finegrained = false;
# Use the NVidia open source kernel module (not to be confused with the # Use the NVidia open source kernel module (not to be confused with the
# independent third-party "nouveau" open source driver). # independent third-party "nouveau" open source driver).
# Support is limited to the Turing and later architectures. Full list of # Support is limited to the Turing and later architectures. Full list of
# supported GPUs is at: # supported GPUs is at:
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+ # Only available from driver 515.43.04+
# Currently alpha-quality/buggy, so false is currently the recommended setting. # Currently alpha-quality/buggy, so false is currently the recommended setting.
open = false; open = false;
# Enable the Nvidia settings menu, # Enable the Nvidia settings menu,
# accessible via `nvidia-settings`. # accessible via `nvidia-settings`.
nvidiaSettings = true; nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU. # Optionally, you may need to select the appropriate driver version for your specific GPU.
# package = config.boot.kernelPackages.nvidiaPackages.stable; # package = config.boot.kernelPackages.nvidiaPackages.stable;
# manual build nvidia driver, works around some wezterm issues # manual build nvidia driver, works around some wezterm issues
# https://github.com/wez/wezterm/issues/2011 # https://github.com/wez/wezterm/issues/2011
package = package =
# let # let
# rcu_patch = pkgs.fetchpatch { # rcu_patch = pkgs.fetchpatch {
# url = "https://github.com/gentoo/gentoo/raw/c64caf53/x11-drivers/nvidia-drivers/files/nvidia-drivers-470.223.02-gpl-pfn_valid.patch"; # url = "https://github.com/gentoo/gentoo/raw/c64caf53/x11-drivers/nvidia-drivers/files/nvidia-drivers-470.223.02-gpl-pfn_valid.patch";
# hash = "sha256-eZiQQp2S/asE7MfGvfe6dA/kdCvek9SYa/FFGp24dVg="; # hash = "sha256-eZiQQp2S/asE7MfGvfe6dA/kdCvek9SYa/FFGp24dVg=";
# }; # };
# in # in
config.boot.kernelPackages.nvidiaPackages.mkDriver { config.boot.kernelPackages.nvidiaPackages.mkDriver {
version = "555.58"; version = "555.58";
sha256_64bit = "sha256-bXvcXkg2kQZuCNKRZM5QoTaTjF4l2TtrsKUvyicj5ew="; sha256_64bit = "sha256-bXvcXkg2kQZuCNKRZM5QoTaTjF4l2TtrsKUvyicj5ew=";
sha256_aarch64 = "sha256-7XswQwW1iFP4ji5mbRQ6PVEhD4SGWpjUJe1o8zoXYRE="; sha256_aarch64 = "sha256-7XswQwW1iFP4ji5mbRQ6PVEhD4SGWpjUJe1o8zoXYRE=";
openSha256 = "sha256-hEAmFISMuXm8tbsrB+WiUcEFuSGRNZ37aKWvf0WJ2/c="; openSha256 = "sha256-hEAmFISMuXm8tbsrB+WiUcEFuSGRNZ37aKWvf0WJ2/c=";
settingsSha256 = "sha256-vWnrXlBCb3K5uVkDFmJDVq51wrCoqgPF03lSjZOuU8M="; settingsSha256 = "sha256-vWnrXlBCb3K5uVkDFmJDVq51wrCoqgPF03lSjZOuU8M=";
persistencedSha256 = "sha256-lyYxDuGDTMdGxX3CaiWUh1IQuQlkI2hPEs5LI20vEVw="; persistencedSha256 = "sha256-lyYxDuGDTMdGxX3CaiWUh1IQuQlkI2hPEs5LI20vEVw=";
# patches = [ rcu_patch ]; # patches = [ rcu_patch ];
}; };
};
}; };
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
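Review bot: Counting the closing braces on the new side, `hardware.opengl.extraPackages` and `hardware.nvidia` appear to sit inside the new `hardware = {` block (its `};` is the one after `hardware.nvidia`'s own new `};`), which would define `hardware.hardware.opengl.extraPackages` and `hardware.hardware.nvidia` and fail evaluation on a non-existent option; indentation is lost in this rendering, so please confirm. Either drop the `hardware.` prefix on both so they read `opengl.extraPackages = with pkgs; [` and `nvidia = {`, or close the `hardware = {` block right after `opengl`. The `# This is for the benefit of VSCODE running natively in wayland` comment was left behind when `environment.sessionVariables.NIXOS_OZONE_WL = "1";` moved to the top of the block; move the comment with it.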


@ -34,17 +34,19 @@ in
programs.fish.shellAliases = { programs.fish.shellAliases = {
# lazydocker --> lazypodman # lazydocker --> lazypodman
lazypodman="sudo DOCKER_HOST=unix:///run/podman/podman.sock lazydocker"; lazypodman = "sudo DOCKER_HOST=unix:///run/podman/podman.sock lazydocker";
}; };
networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ]; networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
# extra user for containers # extra user for containers
users.users.kah = { users = {
uid = 568; kah = {
group = "kah"; uid = 568;
group = "kah";
};
groups.kah = { };
jahanson.extraGroups = [ "kah" ];
}; };
users.groups.kah = { };
users.users.jahanson.extraGroups = [ "kah" ];
}; };
} }
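Review bot: `kah = {` and `jahanson.extraGroups = [ "kah" ];` in the new `users = {` block drop the `users.` level that the old `users.users.kah` and `users.users.jahanson.extraGroups` had, so they now define non-existent options and evaluation will fail; `groups.kah = { };` is nested correctly. Prefix both user entries inside the block, i.e. `users.kah = {` and `users.jahanson.extraGroups = [ "kah" ];`, or wrap them in a `users = { ... };` attribute alongside `groups`.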


@ -52,29 +52,32 @@ in
directories = [ "/var/lib/radicale/" ]; directories = [ "/var/lib/radicale/" ];
}; };
## service
services.radicale = {
enable = true;
settings = {
server.hosts = [ "0.0.0.0:${builtins.toString port}" ];
auth = {
type = "htpasswd";
htpasswd_filename = config.sops.secrets."${category}/${app}/htpasswd".path;
htpasswd_encryption = "plain";
realm = "Radicale - Password Required";
};
storage.filesystem_folder = "/var/lib/radicale/collections";
};
};
### Ingress services =
services.nginx.virtualHosts.${host} = { {
useACMEHost = config.networking.domain; ## service
forceSSL = true; nginx.virtualHosts.${host} = {
locations."/" = { useACMEHost = config.networking.domain;
proxyPass = "http://127.0.0.1:${builtins.toString port}"; forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
};
};
### Ingress
radicale = {
enable = true;
settings = {
server.hosts = [ "0.0.0.0:${builtins.toString port}" ];
auth = {
type = "htpasswd";
htpasswd_filename = config.sops.secrets."${category}/${app}/htpasswd".path;
htpasswd_encryption = "plain";
realm = "Radicale - Password Required";
};
storage.filesystem_folder = "/var/lib/radicale/collections";
};
};
}; };
};
### firewall config ### firewall config
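Review bot: In the new `services = {` block the `## service` comment now sits above `nginx.virtualHosts.${host}` and `### Ingress` above `radicale`, the reverse of what each labels; swap the two comment lines. While these lines are being moved, note that `htpasswd_encryption = "plain"` means the sops-managed htpasswd file holds cleartext passwords once decrypted on the host; Radicale also accepts `"bcrypt"` for that setting, which is worth switching to if the packaged Radicale ships bcrypt support. Relatedly, `server.hosts = [ "0.0.0.0:..." ]` exposes the backend on every interface even though nginx proxies to `127.0.0.1`, so the firewall section below is what keeps it from being reachable directly; binding to `127.0.0.1` would not depend on that.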


@ -9,7 +9,7 @@ in
type = lib.types.str; type = lib.types.str;
default = ""; default = "";
}; };
shares = lib.mkOption { shares = lib.mkOption {
type = lib.types.attrsOf (lib.types.attrsOf lib.types.unspecified); type = lib.types.attrsOf (lib.types.attrsOf lib.types.unspecified);
default = ""; default = "";
@ -17,9 +17,13 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.samba.enable = true; services = {
services.samba.extraConfig = cfg.extraConfig; samaba = {
services.samba.shares = cfg.shares; enable = true;
services.samba.openFirewall = true; inherit (cfg) extraConfig;
inherit (cfg) shares;
openFirewall = true;
};
};
}; };
} }
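Review bot: `samaba = {` in the new `services = {` block misspells the option; the old lines set `services.samba.*`, and `services.samaba` does not exist, so this module fails to evaluate whenever `cfg.enable` is true. Change the line to `samba = {`. The two `inherit (cfg) ...;` lines can also be merged into `inherit (cfg) extraConfig shares;`. In the first hunk, the pre-existing `default = "";` on the `attrsOf` `shares` option is type-inconsistent and should become `default = { };`.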


@ -2,13 +2,15 @@
{ {
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# Secret for machine-specific pushover # Secret for machine-specific pushover
sops.secrets."services/pushover/env" = { sops.secrets = {
sopsFile = ./secrets.sops.yaml; "services/pushover/env" = {
}; sopsFile = ./secrets.sops.yaml;
sops.secrets.pushover-user-key = { };
sopsFile = ./secrets.sops.yaml; pushover-user-key = {
}; sopsFile = ./secrets.sops.yaml;
sops.secrets.pushover-api-key = { };
sopsFile = ./secrets.sops.yaml; pushover-api-key = {
sopsFile = ./secrets.sops.yaml;
};
}; };
} }


@ -1,12 +1,14 @@
{ lib, ... }: { { lib, ... }: {
imports = [ ]; imports = [ ];
boot.loader.systemd-boot.enable = true; boot = {
boot.loader.efi.canTouchEfiVariables = true; loader.systemd-boot.enable = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ]; loader.efi.canTouchEfiVariables = true;
boot.initrd.kernelModules = [ ]; initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
boot.kernelModules = [ ]; initrd.kernelModules = [ ];
boot.extraModulePackages = [ ]; kernelModules = [ ];
extraModulePackages = [ ];
};
mySystem = { mySystem = {
services.openssh.enable = true; services.openssh.enable = true;


@ -6,10 +6,13 @@ with lib;
{ {
config = { config = {
# Enable monitoring for remote scraping # Enable monitoring for remote scraping
mySystem.services.rebootRequiredCheck.enable = true; mySystem = {
mySystem.security.wheelNeedsSudoPassword = false; services.rebootRequiredCheck.enable = true;
mySystem.services.cockpit.enable = true; security.wheelNeedsSudoPassword = false;
mySystem.system.motd.enable = true; services.cockpit.enable = true;
system.motd.enable = true;
};
nix.settings = { nix.settings = {
# TODO factor out into mySystem # TODO factor out into mySystem
# Avoid disk full issues # Avoid disk full issues