feat: flesh out home manager gnome, firefox (#56)
* feat: add test node and spin up podman/cockpit * dev hack * bug: disable wayland temporarily #52 * feat: add nfs mount to nas * chore: add nas to sshconf * derp * hax * fix: hax * feat: firefox and gnome tweaks * chore: tweak nautilus --------- Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>
This commit is contained in:
parent
74dcd8a683
commit
b447282c7a
45 changed files with 922 additions and 236 deletions
1
.github/workflows/diff-pr.yaml
vendored
1
.github/workflows/diff-pr.yaml
vendored
|
@ -54,6 +54,7 @@ jobs:
|
|||
extra_nix_config: |
|
||||
experimental-features = nix-command flakes
|
||||
extra-platforms = aarch64-linux
|
||||
- uses: DeterminateSystems/magic-nix-cache-action@main
|
||||
- name: Register binfmt
|
||||
run: |
|
||||
docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
|
||||
|
|
1
.github/workflows/nix-lint.yaml
vendored
1
.github/workflows/nix-lint.yaml
vendored
|
@ -17,6 +17,7 @@ jobs:
|
|||
uses: cachix/install-nix-action@v26
|
||||
with:
|
||||
nix_path: nixpkgs=channel:nixos-unstable
|
||||
- uses: DeterminateSystems/magic-nix-cache-action@main
|
||||
|
||||
- name: Install Nix Linting and Formatting Tools
|
||||
run: nix-env -i statix nixpkgs-fmt -f '<nixpkgs>'
|
||||
|
|
|
@ -9,20 +9,19 @@
|
|||
# copying one key to each machine
|
||||
|
||||
keys:
|
||||
- &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
|
||||
- &nixosvm2 age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
|
||||
- &dns01 age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||
- &dns02 age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||
- &citadel age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||
- &rickenbacker age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||
- &shodan age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||
|
||||
creation_rules:
|
||||
- path_regex: .*\.sops\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *nixosvm
|
||||
- *nixosvm2
|
||||
|
||||
- *dns01
|
||||
- *dns02
|
||||
- *citadel
|
||||
- *rickenbacker
|
||||
- *shodan
|
||||
|
|
27
.vscode/module.code-snippets
vendored
Normal file
27
.vscode/module.code-snippets
vendored
Normal file
|
@ -0,0 +1,27 @@
|
|||
{
|
||||
"nix-module": {
|
||||
"prefix": "nm",
|
||||
"body": [
|
||||
"{ lib",
|
||||
", config",
|
||||
", pkgs",
|
||||
", ...",
|
||||
"}:",
|
||||
"with lib;",
|
||||
"let",
|
||||
" cfg = config.mySystem.${1}.${2};",
|
||||
"in",
|
||||
"{",
|
||||
" options.mySystem.${1}.${2}.enable = mkEnableOption \"${3}\";",
|
||||
"",
|
||||
" config = mkIf cfg.enable {",
|
||||
"",
|
||||
" $4{}",
|
||||
"",
|
||||
" };",
|
||||
"}",
|
||||
""
|
||||
],
|
||||
"description": "nix-module"
|
||||
}
|
||||
}
|
4
docs/tips.md
Normal file
4
docs/tips.md
Normal file
|
@ -0,0 +1,4 @@
|
|||
|
||||
* Dont make conditional imports (nix needs to resolve imports upfront)
|
||||
* can pass between nixos and home-manager with config.homemanager.users.<X>.<y> and osConfig.<x?
|
||||
* when adding home-manager to existing setup, the home-manager service may fail due to trying to over-write existing files in `~`. Deleting these should allow the service to start
|
16
flake.lock
16
flake.lock
|
@ -179,6 +179,21 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nur": {
|
||||
"locked": {
|
||||
"lastModified": 1712033433,
|
||||
"narHash": "sha256-iHEU6YnoQAA7odXmUjKzRBVh9Dwa/k9ptCDo4b0wQL8=",
|
||||
"owner": "nix-community",
|
||||
"repo": "NUR",
|
||||
"rev": "4c166e425d61650861a412af9afaae5b749d5781",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "NUR",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"deploy-rs": "deploy-rs",
|
||||
|
@ -187,6 +202,7 @@
|
|||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"nur": "nur",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
|
|
26
flake.nix
26
flake.nix
|
@ -6,6 +6,9 @@
|
|||
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
|
||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
|
||||
# nur
|
||||
nur.url = "github:nix-community/NUR";
|
||||
|
||||
# nix-community hardware quirks
|
||||
# https://github.com/nix-community
|
||||
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
|
||||
|
@ -177,6 +180,21 @@
|
|||
];
|
||||
};
|
||||
|
||||
"shodan" = mkNixosConfig {
|
||||
# Rpi for DNS and misc services
|
||||
|
||||
hostname = "shodan";
|
||||
system = "x86_64-linux";
|
||||
hardwareModules = [
|
||||
./nixos/profiles/hw-generic-x86.nix
|
||||
];
|
||||
profileModules = [
|
||||
./nixos/profiles/role-server.nix
|
||||
{ home-manager.users.truxnell = ./nixos/home/truxnell/server.nix; }
|
||||
];
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
|
||||
|
||||
|
@ -228,10 +246,9 @@
|
|||
};
|
||||
in
|
||||
{
|
||||
rickenbacker = mkDeployConfig "rickenbacker" self.nixosConfigurations.rickenbacker;
|
||||
dns01 = mkDeployConfig "10.8.10.11" self.nixosConfigurations.dns01;
|
||||
dns02 = mkDeployConfig "10.8.10.10" self.nixosConfigurations.dns02;
|
||||
|
||||
shodan = mkDeployConfig "10.8.20.33" self.nixosConfigurations.shodan;
|
||||
|
||||
# dns02 = mkDeployConfig "dns02.natallan.com" self.nixosConfigurations.dns02;
|
||||
};
|
||||
|
@ -246,11 +263,8 @@
|
|||
nixtop = nixpkgs.lib.genAttrs
|
||||
(builtins.attrNames inputs.self.nixosConfigurations)
|
||||
(attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel);
|
||||
hometop = nixpkgs.lib.genAttrs
|
||||
(builtins.attrNames inputs.self.homeConfigurations)
|
||||
(attr: inputs.self.homeManagerConfigurations.${attr}.activationPackage);
|
||||
in
|
||||
nixtop // hometop;
|
||||
nixtop;
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
imports = [
|
||||
./shell
|
||||
./programs
|
||||
./security
|
||||
];
|
||||
|
||||
options.myHome.username = lib.mkOption {
|
||||
|
|
|
@ -13,27 +13,33 @@ in
|
|||
{
|
||||
options.myHome.programs.firefox.enable = mkEnableOption "Firefox";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
config = mkIf cfg.enable
|
||||
{
|
||||
|
||||
programs.firefox = {
|
||||
enable = true;
|
||||
package = pkgs.firefox.override
|
||||
{
|
||||
extraPolicies = {
|
||||
DontCheckDefaultBrowser = true;
|
||||
DisablePocket = true;
|
||||
# See nixpkgs' firefox/wrapper.nix to check which options you can use
|
||||
nativeMessagingHosts = [
|
||||
# Gnome shell native connector
|
||||
pkgs.gnome-browser-connector
|
||||
# plasma connector
|
||||
# plasma5Packages.plasma-browser-integration
|
||||
];
|
||||
programs.firefox = {
|
||||
enable = true;
|
||||
package = pkgs.firefox.override
|
||||
{
|
||||
extraPolicies = {
|
||||
DontCheckDefaultBrowser = true;
|
||||
DisablePocket = true;
|
||||
# See nixpkgs' firefox/wrapper.nix to check which options you can use
|
||||
nativeMessagingHosts = [
|
||||
# Gnome shell native connector
|
||||
pkgs.gnome-browser-connector
|
||||
# plasma connector
|
||||
# plasma5Packages.plasma-browser-integration
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
policies = import ./policies.nix;
|
||||
|
||||
profiles.default = import ./profile-default.nix { inherit pkgs; };
|
||||
|
||||
|
||||
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
||||
|
|
20
nixos/home/modules/programs/browsers/firefox/policies.nix
Normal file
20
nixos/home/modules/programs/browsers/firefox/policies.nix
Normal file
|
@ -0,0 +1,20 @@
|
|||
{
|
||||
DisableTelemetry = true;
|
||||
DisableFirefoxStudies = true;
|
||||
EnableTrackingProtection = {
|
||||
Value = true;
|
||||
Locked = true;
|
||||
Cryptomining = true;
|
||||
Fingerprinting = true;
|
||||
};
|
||||
DisablePocket = true;
|
||||
# DisableFirefoxAccounts = true;
|
||||
# DisableAccounts = true;
|
||||
# DisableFirefoxScreenshots = true;
|
||||
# OverrideFirstRunPage = "";
|
||||
OverridePostUpdatePage = "";
|
||||
DontCheckDefaultBrowser = true;
|
||||
DisplayBookmarksToolbar = "never"; # alternatives: "always" or "newtab"
|
||||
DisplayMenuBar = "default-off"; # alternatives: "always", "never" or "default-on"
|
||||
SearchBar = "unified"; # alternative: "separate"
|
||||
}
|
|
@ -0,0 +1,39 @@
|
|||
{ pkgs }:
|
||||
{
|
||||
id = 0;
|
||||
name = "default";
|
||||
isDefault = true;
|
||||
settings = {
|
||||
"browser.startup.homepage" = "https://search.trux.dev";
|
||||
"browser.search.defaultenginename" = "whoogle";
|
||||
"browser.search.order.1" = "whoogle";
|
||||
"browser.search.suggest.enabled.private" = false;
|
||||
# 0 => blank page
|
||||
# 1 => your home page(s) {default}
|
||||
# 2 => the last page viewed in Firefox
|
||||
# 3 => previous session windows and tabs
|
||||
"browser.startup.page" = "3";
|
||||
|
||||
"browser.send_pings" = false;
|
||||
# Do not track
|
||||
"privacy.donottrackheader.enabled" = "true";
|
||||
"privacy.donottrackheader.value" = 1;
|
||||
"browser.display.use_system_colors" = "true";
|
||||
|
||||
"browser.display.use_document_colors" = "false";
|
||||
"devtools.theme" = "dark";
|
||||
|
||||
"extensions.pocket.enabled" = false;
|
||||
};
|
||||
search = import ./search.nix { inherit pkgs; };
|
||||
extensions = with pkgs.nur.repos.rycee.firefox-addons; [
|
||||
ublock-origin
|
||||
bitwarden
|
||||
darkreader
|
||||
vimium
|
||||
languagetool # setup against my personal language-tools
|
||||
privacy-badger
|
||||
link-cleaner
|
||||
refined-github
|
||||
];
|
||||
}
|
60
nixos/home/modules/programs/browsers/firefox/search.nix
Normal file
60
nixos/home/modules/programs/browsers/firefox/search.nix
Normal file
|
@ -0,0 +1,60 @@
|
|||
{ pkgs }:
|
||||
{
|
||||
force = true;
|
||||
default = "whoogle";
|
||||
order = [ "whoogle" "Searx" "Google" ];
|
||||
engines = {
|
||||
"Nix Packages" = {
|
||||
urls = [{
|
||||
template = "https://search.nixos.org/packages";
|
||||
params = [
|
||||
{ name = "type"; value = "packages"; }
|
||||
{ name = "query"; value = "{searchTerms}"; }
|
||||
];
|
||||
}];
|
||||
icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
|
||||
definedAliases = [ "@np" ];
|
||||
};
|
||||
"Nix Options" = {
|
||||
urls = [{
|
||||
template = "https://search.nixos.org/options";
|
||||
params = [
|
||||
{ name = "query"; value = "{searchTerms}"; }
|
||||
];
|
||||
}];
|
||||
icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
|
||||
definedAliases = [ "@no" ];
|
||||
};
|
||||
"Home-Manager Options" = {
|
||||
urls = [{
|
||||
template = "https://home-manager-options.extranix.com/";
|
||||
params = [
|
||||
{ name = "query"; value = "{searchTerms}"; }
|
||||
];
|
||||
}];
|
||||
icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
|
||||
definedAliases = [ "@nhmo" ];
|
||||
};
|
||||
"NixOS Wiki" = {
|
||||
urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
|
||||
iconUpdateURL = "https://nixos.wiki/favicon.png";
|
||||
updateInterval = 24 * 60 * 60 * 1000; # every day
|
||||
definedAliases = [ "@nw" ];
|
||||
};
|
||||
"KubeSearch" = {
|
||||
urls = [{ template = "https://kubesearch.dev/#{searchTerms}"; }];
|
||||
iconUpdateURL = "https://kubernetes.io/images/wheel.svg";
|
||||
updateInterval = 24 * 60 * 60 * 1000; # every day
|
||||
definedAliases = [ "@ks" ];
|
||||
};
|
||||
|
||||
# "Searx" = {
|
||||
# urls = [{ template = "https://searx.trux.dev/?q={searchTerms}"; }];
|
||||
# iconUpdateURL = "https://nixos.wiki/favicon.png";
|
||||
# updateInterval = 24 * 60 * 60 * 1000; # every day
|
||||
# definedAliases = [ "@searx" ];
|
||||
# };
|
||||
"Bing".metaData.hidden = true;
|
||||
"Google".metaData.alias = "@g"; # builtin engines only support specifying one additional alias
|
||||
};
|
||||
}
|
5
nixos/home/modules/programs/de/default.nix
Normal file
5
nixos/home/modules/programs/de/default.nix
Normal file
|
@ -0,0 +1,5 @@
|
|||
{ ... }: {
|
||||
imports = [
|
||||
./gnome
|
||||
];
|
||||
}
|
41
nixos/home/modules/programs/de/gnome/default.nix
Normal file
41
nixos/home/modules/programs/de/gnome/default.nix
Normal file
|
@ -0,0 +1,41 @@
|
|||
# Adjusted manually from generated output of dconf2nix
|
||||
# https://github.com/gvolpe/dconf2nix
|
||||
{ lib
|
||||
, pkgs
|
||||
, osConfig
|
||||
, ...
|
||||
}:
|
||||
with lib.hm.gvariant; {
|
||||
|
||||
config = lib.mkIf osConfig.mySystem.de.gnome.enable {
|
||||
# add user packages
|
||||
home.packages = with pkgs; [
|
||||
dconf2nix
|
||||
];
|
||||
|
||||
# worked out from dconf2nix
|
||||
# dconf dump / | dconf2nix > dconf.nix
|
||||
# can also dconf watch
|
||||
dconf.settings = {
|
||||
"org/gnome/mutter" = {
|
||||
edge-tiling = true;
|
||||
workspaces-only-on-primary = false;
|
||||
};
|
||||
"org/gnome/desktop/wm/preferences" = {
|
||||
workspace-names = [ "sys" "talk" "web" "edit" "run" ];
|
||||
};
|
||||
"org/gnome/shell" = {
|
||||
disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
|
||||
enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
|
||||
favorite-apps = [ "org.gnome.Nautilus.desktop" "firefox.desktop" "org.wezfurlong.wezterm.desktop" "PrusaGcodeviewer.desktop" "spotify.desktop" "org.gnome.Console.desktop" "codium.desktop" ];
|
||||
};
|
||||
"org/gnome/nautilus/preferences" = {
|
||||
default-folder-viewer = "icon-view";
|
||||
};
|
||||
"org/gnome/nautilus/icon-view" = {
|
||||
default-zoom-level = "small";
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,5 +1,6 @@
|
|||
{ ... }: {
|
||||
imports = [
|
||||
./browsers
|
||||
./de
|
||||
];
|
||||
}
|
||||
|
|
5
nixos/home/modules/security/default.nix
Normal file
5
nixos/home/modules/security/default.nix
Normal file
|
@ -0,0 +1,5 @@
|
|||
{ ... }: {
|
||||
imports = [
|
||||
./ssh
|
||||
];
|
||||
}
|
25
nixos/home/modules/security/ssh/default.nix
Normal file
25
nixos/home/modules/security/ssh/default.nix
Normal file
|
@ -0,0 +1,25 @@
|
|||
{ config
|
||||
, pkgs
|
||||
, lib
|
||||
, ...
|
||||
}:
|
||||
with lib; let
|
||||
cfg = config.myHome.security.ssh;
|
||||
in
|
||||
{
|
||||
options.myHome.security.ssh = {
|
||||
enable = mkEnableOption "ssh";
|
||||
matchBlocks = mkOption {
|
||||
type = types.attrs;
|
||||
default = { };
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
programs.ssh = {
|
||||
inherit (cfg) matchBlocks;
|
||||
enable = true;
|
||||
# addKeysToAgent = "yes";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -23,7 +23,8 @@ in
|
|||
extraConfig = ''
|
||||
local wez = require('wezterm')
|
||||
return {
|
||||
|
||||
-- https://github.com/wez/wezterm/issues/2011
|
||||
enable_wayland = false,
|
||||
color_scheme = "Dracula (Official)",
|
||||
check_for_updates = false,
|
||||
window_background_opacity = .90,
|
||||
|
|
|
@ -10,6 +10,47 @@ with config;
|
|||
myHome.shell.fish.enable = true;
|
||||
myHome.shell.wezterm.enable = true;
|
||||
|
||||
myHome.security = {
|
||||
ssh = {
|
||||
enable = true;
|
||||
matchBlocks = {
|
||||
citadel = {
|
||||
hostname = "citadel";
|
||||
port = 22;
|
||||
identityFile = "~/.ssh/id_ed25519";
|
||||
};
|
||||
rickenbacker = {
|
||||
hostname = "rickenbacker";
|
||||
port = 22;
|
||||
identityFile = "~/.ssh/id_ed25519";
|
||||
};
|
||||
dns01 = {
|
||||
hostname = "dns01";
|
||||
port = 22;
|
||||
identityFile = "~/.ssh/id_ed25519";
|
||||
};
|
||||
dns02 = {
|
||||
hostname = "dns02";
|
||||
port = 22;
|
||||
identityFile = "~/.ssh/id_ed25519";
|
||||
};
|
||||
pikvm = {
|
||||
hostname = "pikvm";
|
||||
port = 22;
|
||||
user = "root";
|
||||
identityFile = "~/.ssh/id_ed25519";
|
||||
};
|
||||
helios = {
|
||||
hostname = "helios";
|
||||
user = "nat";
|
||||
port = 22;
|
||||
identityFile = "~/.ssh/id_ed25519";
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
home = {
|
||||
# Install these packages for my user
|
||||
packages = with pkgs; [
|
||||
|
@ -19,6 +60,8 @@ with config;
|
|||
brightnessctl
|
||||
prusa-slicer
|
||||
bitwarden
|
||||
yubioath-flutter
|
||||
yubikey-manager-qt
|
||||
|
||||
bat
|
||||
dbus
|
||||
|
@ -28,6 +71,7 @@ with config;
|
|||
python3
|
||||
fzf
|
||||
ripgrep
|
||||
flyctl # fly.io control line
|
||||
|
||||
];
|
||||
|
||||
|
|
|
@ -101,7 +101,7 @@
|
|||
# TODO Harden SSH
|
||||
services.openssh.enable = true;
|
||||
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
users.users.truxnell.openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home"
|
||||
];
|
||||
|
||||
|
|
|
@ -14,6 +14,11 @@
|
|||
security.wheelNeedsSudoPassword = false;
|
||||
};
|
||||
|
||||
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
networking.hostName = "citadel"; # Define your hostname.
|
||||
|
||||
fileSystems."/" =
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
services.openssh.enable = true;
|
||||
security.wheelNeedsSudoPassword = false;
|
||||
};
|
||||
mySystem.services.traefik.enable = true;
|
||||
|
||||
# TODO build this in from flake host names
|
||||
networking.hostName = "rickenbacker";
|
||||
|
|
59
nixos/hosts/shodan/default.nix
Normal file
59
nixos/hosts/shodan/default.nix
Normal file
|
@ -0,0 +1,59 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page, on
|
||||
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, ...
|
||||
}: {
|
||||
imports = [
|
||||
|
||||
|
||||
];
|
||||
|
||||
mySystem.services = {
|
||||
openssh.enable = true;
|
||||
cockpit.enable = true;
|
||||
podman.enable = true;
|
||||
};
|
||||
|
||||
boot = {
|
||||
|
||||
initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
initrd.kernelModules = [ ];
|
||||
kernelModules = [ ];
|
||||
extraModulePackages = [ ];
|
||||
|
||||
# for managing/mounting ntfs
|
||||
supportedFilesystems = [ "ntfs" ];
|
||||
|
||||
loader = {
|
||||
systemd-boot.enable = true;
|
||||
efi.canTouchEfiVariables = true;
|
||||
# why not ensure we can memtest workstatons easily?
|
||||
grub.memtest86.enable = true;
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
networking.hostName = "shodan"; # Define your hostname.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/2e843998-f409-4ccc-bc7c-07099ee0e936";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/12CE-A600";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[{ device = "/dev/disk/by-uuid/0ae2765b-f3f4-4b1a-8ea6-599f37504d70"; }];
|
||||
|
||||
|
||||
|
||||
}
|
49
nixos/modules/nixos/containers/default.nix
Normal file
49
nixos/modules/nixos/containers/default.nix
Normal file
|
@ -0,0 +1,49 @@
|
|||
{ lib
|
||||
, config
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
# let
|
||||
# cfg = config.mySystem.xx.yy;
|
||||
# in
|
||||
{
|
||||
|
||||
imports = [
|
||||
./traefik
|
||||
];
|
||||
|
||||
options.myLab.containers.fileRoot = mkOption {
|
||||
type = lib.types.str;
|
||||
description = "root file path for containers";
|
||||
default = "/persistence/containers/";
|
||||
};
|
||||
|
||||
# Email
|
||||
options.myLab.email.adminFromAddr = mkOption {
|
||||
type = lib.types.str;
|
||||
description = "From address for admin emails";
|
||||
default = "";
|
||||
};
|
||||
options.myLab.email.adminToAddr = mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Address for admin emails to be sent to";
|
||||
default = "admin@trux.dev";
|
||||
};
|
||||
options.myLab.email.smtpServer = mkOption {
|
||||
type = lib.types.str;
|
||||
description = "SMTP server address";
|
||||
default = "";
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
# CONFIG HERE
|
||||
myLab.email.adminFromAddr = "admin@trux.dev";
|
||||
myLab.email.smtpServer = "dns02"; # forwards to maddy relay
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
84
nixos/modules/nixos/containers/traefik/default.nix
Normal file
84
nixos/modules/nixos/containers/traefik/default.nix
Normal file
|
@ -0,0 +1,84 @@
|
|||
{ config, lib, vars, networksLocal, ... }:
|
||||
let
|
||||
internalIP = "0.0.0.0"; # TODO fix
|
||||
directories = [
|
||||
"${config.myLab.containers.fileRoot}/traefik"
|
||||
];
|
||||
files = [
|
||||
"${config.myLab.containers.fileRoot}/traefik/acme.json"
|
||||
];
|
||||
cfg = config.myLab.containers.traefik;
|
||||
in
|
||||
{
|
||||
|
||||
options.myLab.containers.traefik.enable = lib.mkEnableOption "Traefik container";
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 9091 ];
|
||||
|
||||
sops.secrets.authelia-jwt = { owner = config.systemd.services.authelia-default.serviceConfig.User; };
|
||||
sops.secrets.authelia-sek = { owner = config.systemd.services.authelia-default.serviceConfig.User; };
|
||||
|
||||
services.authelia.instances.default = {
|
||||
enable = true;
|
||||
secrets = {
|
||||
jwtSecretFile = config.sops.secrets.authelia-jwt.path;
|
||||
storageEncryptionKeyFile = config.sops.secrets.authelia-sek.path;
|
||||
};
|
||||
settings = {
|
||||
log.level = "debug";
|
||||
theme = "dark";
|
||||
default_2fa_method = "totp";
|
||||
default_redirection_url = "https://passport.notohh.dev/";
|
||||
authentication_backend = {
|
||||
file.path = "/var/lib/authelia-default/user.yml";
|
||||
};
|
||||
session = {
|
||||
domain = "notohh.dev";
|
||||
expiration = 3600;
|
||||
inactivity = 300;
|
||||
};
|
||||
totp = {
|
||||
issuer = "authelia.com";
|
||||
disable = false;
|
||||
algorithm = "sha1";
|
||||
digits = 6;
|
||||
period = 30;
|
||||
skew = 1;
|
||||
secret_size = 32;
|
||||
};
|
||||
server = {
|
||||
host = "0.0.0.0";
|
||||
port = 9091;
|
||||
};
|
||||
access_control = {
|
||||
default_policy = "deny";
|
||||
rules = [
|
||||
{
|
||||
domain = "notohh.dev";
|
||||
policy = "bypass";
|
||||
}
|
||||
];
|
||||
};
|
||||
regulation = {
|
||||
max_retries = 3;
|
||||
find_time = 120;
|
||||
ban_time = 300;
|
||||
};
|
||||
notifier.filesystem = {
|
||||
filename = "/var/lib/authelia-default/notif.txt";
|
||||
};
|
||||
storage.postgres = {
|
||||
host = "192.168.1.211";
|
||||
port = 5432;
|
||||
database = "authelia";
|
||||
schema = "public";
|
||||
username = "authelia";
|
||||
password = "authelia";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
|
@ -10,30 +10,70 @@ let
|
|||
in
|
||||
{
|
||||
options.mySystem.de.gnome.enable = mkEnableOption "GNOME";
|
||||
options.mySystem.de.gnome.systrayicons = mkEnableOption "Enable systray icons" // { default = true; };
|
||||
options.mySystem.de.gnome.gsconnect = mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // { default = true; };
|
||||
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
# Ref: https://nixos.wiki/wiki/GNOME
|
||||
|
||||
# GNOME plz
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
displayManager =
|
||||
{
|
||||
gdm.enable = true;
|
||||
defaultSession = "gnome"; # TODO move to config overlay
|
||||
services = {
|
||||
xserver = {
|
||||
enable = true;
|
||||
displayManager =
|
||||
{
|
||||
gdm.enable = true;
|
||||
defaultSession = "gnome"; # TODO move to config overlay
|
||||
|
||||
autoLogin.enable = true;
|
||||
autoLogin.user = "truxnell"; # TODO move to config overlay
|
||||
autoLogin.enable = true;
|
||||
autoLogin.user = "truxnell"; # TODO move to config overlay
|
||||
};
|
||||
desktopManager = {
|
||||
# GNOME
|
||||
gnome.enable = true;
|
||||
};
|
||||
desktopManager = {
|
||||
# GNOME
|
||||
gnome.enable = true;
|
||||
};
|
||||
|
||||
layout = "us"; # `localctl` will give you
|
||||
layout = "us"; # `localctl` will give you
|
||||
};
|
||||
udev.packages = optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
|
||||
|
||||
|
||||
};
|
||||
|
||||
# systyray icons
|
||||
|
||||
|
||||
# extra pkgs and extensions
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
|
||||
playerctl # gsconnect play/pause command
|
||||
pamixer # gcsconnect volume control
|
||||
gnome.gnome-tweaks
|
||||
gnome.dconf-editor
|
||||
|
||||
# This installs the extension packages, but
|
||||
# dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
|
||||
gnomeExtensions.vitals
|
||||
gnomeExtensions.caffeine
|
||||
gnomeExtensions.spotify-tray
|
||||
gnomeExtensions.dash-to-dock
|
||||
|
||||
]
|
||||
++ optionals cfg.systrayicons [ pkgs.gnomeExtensions.appindicator ];
|
||||
};
|
||||
|
||||
# enable gsconnect
|
||||
# this method also opens the firewall ports required when enable = true
|
||||
programs.kdeconnect = mkIf
|
||||
cfg.gsconnect
|
||||
{
|
||||
enable = true;
|
||||
package = pkgs.gnomeExtensions.gsconnect;
|
||||
};
|
||||
|
||||
# GNOME connection to browsers - requires flag on browser as well
|
||||
services.gnome.gnome-browser-connector.enable = lib.any
|
||||
(user: user.programs.firefox.enable)
|
||||
|
@ -48,6 +88,7 @@ in
|
|||
# TODO tidy this
|
||||
# port forward for GNOME when using RDP***REMOVED***
|
||||
|
||||
# for RDP TODO make this a flag if RDP is enabled per host
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
3389
|
||||
];
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
./browser
|
||||
./de
|
||||
./editor
|
||||
|
||||
./containers
|
||||
./hardware
|
||||
];
|
||||
}
|
||||
|
|
5
nixos/modules/nixos/hardware/default.nix
Normal file
5
nixos/modules/nixos/hardware/default.nix
Normal file
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
imports = [
|
||||
./nvidia
|
||||
];
|
||||
}
|
62
nixos/modules/nixos/hardware/nvidia/default.nix
Normal file
62
nixos/modules/nixos/hardware/nvidia/default.nix
Normal file
|
@ -0,0 +1,62 @@
|
|||
{ lib
|
||||
, config
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.hardware.nvidia;
|
||||
in
|
||||
{
|
||||
options.mySystem.hardware.nvidia.enable = mkEnableOption "NVIDIA config";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
# ref: https://nixos.wiki/wiki/Nvidia
|
||||
# Enable OpenGL
|
||||
hardware.opengl = {
|
||||
enable = true;
|
||||
driSupport = true;
|
||||
driSupport32Bit = true;
|
||||
};
|
||||
|
||||
# This is for the benefit of VSCODE running natively in wayland
|
||||
environment.sessionVariables.NIXOS_OZONE_WL = "1";
|
||||
|
||||
hardware.nvidia = {
|
||||
|
||||
# Modesetting is required.
|
||||
modesetting.enable = true;
|
||||
|
||||
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
|
||||
# Enable this if you have graphical corruption issues or application crashes after waking
|
||||
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
|
||||
# of just the bare essentials.
|
||||
powerManagement.enable = false;
|
||||
|
||||
# Fine-grained power management. Turns off GPU when not in use.
|
||||
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
|
||||
powerManagement.finegrained = false;
|
||||
|
||||
# Use the NVidia open source kernel module (not to be confused with the
|
||||
# independent third-party "nouveau" open source driver).
|
||||
# Support is limited to the Turing and later architectures. Full list of
|
||||
# supported GPUs is at:
|
||||
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
|
||||
# Only available from driver 515.43.04+
|
||||
# Currently alpha-quality/buggy, so false is currently the recommended setting.
|
||||
open = false;
|
||||
|
||||
# Enable the Nvidia settings menu,
|
||||
# accessible via `nvidia-settings`.
|
||||
nvidiaSettings = true;
|
||||
|
||||
# Optionally, you may need to select the appropriate driver version for your specific GPU.
|
||||
package = config.boot.kernelPackages.nvidiaPackages.stable;
|
||||
};
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
|
||||
|
||||
};
|
||||
}
|
|
@ -1,70 +1,61 @@
|
|||
system:
|
||||
networking:
|
||||
#ENC[AES256_GCM,data:y2k8WKDdMW/+lCc7OnJTPd21DZFkjXqRSDRuIHTvN3p8AZ0KB0ERjf5/Fzpgq9wRjktcGMfFRzl9AaLN0DNXLseV5hoeX8pzXrZddA==,iv:hMuTiccA2PSUKGK5bZ9YCGHYgj58+TMbid7/FOXqK6A=,tag:B9A3H4ssQsi3aD/bUvh8IA==,type:comment]
|
||||
#ENC[AES256_GCM,data:UGDccdo5xL48r9VxuaY9QR2jfIdVZ0EZ84SKRO8dyZe7SIhvFUpX2tCEzVUMNPuDgXqoBSvWOP9WTEveunH56GknlOQdhZOYMb7T9Q==,iv:PLaSHpZRCu5xNsmWtz5UY+nTGGPow1YLppKZiZJz/9c=,tag:cePl/udz3BNSjVPqGVpmLg==,type:comment]
|
||||
cloudflare-dyndns:
|
||||
apiTokenFile: ENC[AES256_GCM,data:AQA6X+GoPgudn+qwGpNnX3PmWNfgYFuvYGbthoOXPTiAs54oPrH6XGyFjGS5skqe9vypjPbl/Zj+z8q4rLGKrZt9cgF5JywoS2pyjscDW9QI74mAS6bcH8eJ/PMLopDYybKEMS8w1cMeGP5J46Uhg2HLJA==,iv:vjzMXBt9NbFcoqzpew/s/h1OXNWEnDLY0JuyASvbojM=,tag:8Ca+0ieZUZ9Wk9Q2UigF0A==,type:str]
|
||||
apiTokenFile: ENC[AES256_GCM,data:6CggP0liJTWfD9HnpD6ALf7a9smRNEbuOYsyU6HnFqDtZj4U/mYzG+9fAv/SM+DYl7eSCdF2xzINyAbAVl6j8g2utEkRiitGEVv29vaQSpIBUFrjl4vJgw/AyXdB9r5fR6XXpc6baeO3ctsjaUmlgRxGmQ==,iv:YYh5sZVwJVKKnuTEbNujm3yL16gfL98pEnwU9ZX8618=,tag:162cpSSAdAZoOiAwPbFlTg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eHR0VlFlL21SNzJJQ2F0
|
||||
UUJ3Vy9mem0veTJlV3FKbVNGd1htRHNOQkI4Ckd3QXk5bVR0WmNkaXZUZXBZY0px
|
||||
NTJJZ3NKRDBLZTRJd2xOZ0pBazk2SFEKLS0tIG1zQTlCcUFSUUthaUxLeHlyZWpQ
|
||||
NXBYeUx6bmYwSXFrZlNmZitYM1ZlK28KvKU5iig3qg1tGOX8jDsXjXJ9ly8cP+4y
|
||||
tcsCDuQWxiJ2v2U4FD47iRs2IfxZadYGJM2nOToOKHnuTTSpvNXAVQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZzEyRkZZbTcvOVRLU3JH
|
||||
bWZ4eXdUZlAxQjNkN2c1SzNiQVdkWU1FR24wClYwVjdGYm1xditOYWxIMGNmVDFr
|
||||
cXZLdHhqOS9yNHEzQ29aKzVCNU5uMWMKLS0tIHoveWJmcS80MENxSnVXNlpJN0lx
|
||||
bFNWU3dUTXFkMDZaWjUxWVlVd2x6dkUKKEBaUX/euYu9VEzhudWs4PUb+xVvpjQQ
|
||||
GoOcFJvp+A60X2pK5mDxzgyWWudr+ZjiQNn3A/6XE4KfLhzmmI5Bsg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSkNCTFZaSTYyYjRwN0lP
|
||||
Qzd4R3krZVJlREtueHlqUTBPRTNhcU5ORVNzCmdkYWFUQWRNajB4UEc3bzA2anIr
|
||||
cm92alRQUWI0UDR2T0c5OTVhZ1hRQ0UKLS0tIFkxUHl1c3psYU1CTUI2NEpmL1hR
|
||||
VnVacXZDQ3UyR1VoVGVQUzdteDRXRUUKkK9LP5sCjS2t2M+tftUqBh8jqwjmfKU6
|
||||
HsIaMzELohiV5/91iq5FlIArQe7F5KFQfY3vRfYuh26I6zgqvVUlrA==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORnZQZEI2VU9tdEQ1VkZw
|
||||
aFFxaThqS2VWVVljejNxNVovMHlNc2ZUdUNvCktyT1pTRGpSK1N3MXpMNFZuVVhL
|
||||
UCtINGo3SDhSNmwyRkEzVGNTVVFlTE0KLS0tIDhvaFk0SVdHNFlhRkxEb0hLdkdu
|
||||
QTFCVUg5VzJzOUlRcFBlR0puNGVGNlUKpdSYWZZPKq1Vw0pR8suOqqgzxDzKWaMx
|
||||
Aft/TpSuS8m6603HlTw3LUyBOnIYJCFFsGJqVBF6Q1z6U4FPAfNnlA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NEJjblpGK2dGMmJ6OHBu
|
||||
bnc0dUg0dXJROUMvQW1mOEcyWlpqb3BzUGc4CjdmT1FkaTdsRndGUXlod1cwSnpm
|
||||
OFNLcjc3NlpPY2ZOMm55Y0ZFSjVpelkKLS0tIDVZV2hmMG1Qd0g1dXFEY0x0ZmhC
|
||||
Y3NleUZ2azM0amdHRlplSGtvcWowd1kK+PNq8czpnC5zfwET60aQkNdcUwQopZ9W
|
||||
nUX+QutTCdFoWoCKGsoQK42uXWQheHNtoPT258s2+8SBtdwLIckHgQ==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUzNqQ1U2aWV3WUVUZDdD
|
||||
eXNhQUlBdGRndVJ1NXdXZlBNb0VvNzlFYnd3CjlRRm1FWTljL0VMbTB4M21HVDY3
|
||||
Y2oyTG50SUtIT29OZjhiZi83OCtpNm8KLS0tIFNYMkErVDFhTHhOVndQdUFHWUxZ
|
||||
bG0xMG9heitnUGFNdk5ITWhKNERZbDgKX23jlQyLus3FzDQ55hIyUqqwlLbPeKxV
|
||||
LJHaDfO4IOzIGrWFCwQZpCa8ZgQzUmnpqKZqvdTZuXibZEoyjV6GUA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0T25vdlB1VGFBVGdYd3k4
|
||||
em42STFmdU9tZW9vVCtTZlBqOFZnUzFHYlZJCnJuSGk0cGlOSkQ1VzlRZ0ZONmlx
|
||||
bXNkQ0hCaFBrMmt3dXZ2dXZzN09UVGsKLS0tIHo5bnVxcWEyQ2JkMk9qK1pxVW1S
|
||||
ZnJ0R0hDVDU4WDFVS1Jka0h3b0R4bjAKcJ88Yzxn2HTqEEu0ujVMZGXJpc9jbypI
|
||||
hlsDzMESTAlrZx7ZmI+nJw36RolDPRTfteHJFGI8LEx6zGXLcBp3LQ==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUFRMZHIyY3lFeVNnenky
|
||||
bG1hdXoxSXo2akR1bGlHSHNZbzFOMGE3cW1FCjdzZUYzRFZrcXZvcTNSc3V5TE5n
|
||||
T01Tem9oVDdYRlBST2tNNUpZTENOTkkKLS0tIENUdmxBajZpbFRoNXZzRVlvOVpJ
|
||||
MnlaMHpGUGo1WmVMb2FsZ0o2Q3NuKzQK7n+HqB+7K6drnkNyc863wTfoohk90uWx
|
||||
ehuz7kmZcdnwxpMX6hV2ynUumcVEqfR+jiUuF/eBpuPRQy/eejVm4Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbmdMeGUxaGN1cTFXVlFV
|
||||
dElYSkVMTm9DMGFLTDRLYzRGQ1dGaUFHSzNRCjk0bkprSHpsUjRRdnNaeWpTbG0y
|
||||
T3BKK1h6VWNCMC96Y3lyQ1ZRcW9mL0kKLS0tIG5GaTI5MVkwMkNEWWcvbmZGanYz
|
||||
VWIybGRha1dWWUdsaWIxOXRLZkVFNlUKLEQI3HO/7Ia7GoOJOKJVbYkDrevqh7m7
|
||||
hjMjnl4RnrcFwq46NuYyruTartHqRPBUHyXdoiMfeHNQQ7QP8A5ZHA==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSExpSE1hUldqSnJoRDBj
|
||||
L2xROXd3U2EvZ0xoek8ra1RqdVdaK2s5Q2dZCmdVWmJrZTc3Nis2L0NkSlJQK1pq
|
||||
RmZ3aHU4YVlNcUVEemJsWGNjbEVIdUkKLS0tIEJDcmFmRUtjL3ltUjZKRmMyWW1O
|
||||
VHZzVVZycld5alhKaC9BQ2dweVIweHMKF/qVYH7yvmFBVDyHb1PwJrHyP9Iq1HEg
|
||||
EfiDfZK2acYkW3GsUmH0qS5v55RswYnEg+iiSMNn+Ii6mfI65bVVYw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-03-30T01:29:21Z"
|
||||
mac: ENC[AES256_GCM,data:8Z5udmxrut2IxaP9kjP7px8CoQYNBIwIhafCWC8y1+LzOJWdITIfL3S/gW8O3xIH27gS0y2CsBSFf3fB9kF0JPapnCMLwNtA/oqNdSqx4p0Jev3mdtfaboF1kGShuDiYUIhMRVk/eiDtNojakVJiMxZzEtdo5YbgRXlfbYw6gTQ=,iv:UHOH6pAVf3VBtVvGn0HijmhbPWv6d64EESMRJkXC48o=,tag:EJfBjV6qZfGNxyCU9XzuHA==,type:str]
|
||||
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaTNSWHM1eU92T2VMOXZD
|
||||
b0R5Z2x3WloxOFhyMmkwQXp4U3lNM2xiZHhrCm9mcURMSmtUZ3VHd3lDbnp5dVVR
|
||||
dHJyMkFBODMvbkpzUVl4ZUtxWmIrS1kKLS0tIHJTZ1FaYmlzUEhHWHVaWTVIRC9o
|
||||
MGJLdkJpTkFGclRSZlBOOTVKd3BOa2sKbRf0BdD35bZpr8ESX1+NZ6rWxdI+x7fo
|
||||
A6cIx6j8fVXvsKEipO3r4wSTqWhnY+DMzH9ZPGE5J74sx98DYVm6ig==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-01T00:26:19Z"
|
||||
mac: ENC[AES256_GCM,data:U21XeE4vqc96mBq1qmjpMfDZVJZQEXwpHTEjVd4lmbam8XTv5kxK8zYWlDN8WTMqKeYHnInvEdmKnXL+NDt6lDjoDl/97/dUoWJ2xNTBOlJb6C2n11GE+ppzgZBQMj9oWr5IuQ8jiSfTYOF3/zT/sh8SSWmooQ2CrS/B3PyjmwA=,iv:9+Na88c3woPLZcawxH+mFg03Hf8oCaILdRya1CwRMEQ=,tag:eDuSLJtkLzvk+N1ncc/jwQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
21
nixos/modules/nixos/services/cockpit/default.nix
Normal file
21
nixos/modules/nixos/services/cockpit/default.nix
Normal file
|
@ -0,0 +1,21 @@
|
|||
{ lib
|
||||
, config
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.services.cockpit;
|
||||
in
|
||||
{
|
||||
options.mySystem.services.cockpit.enable = mkEnableOption "Cockpit";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.cockpit.enable = true;
|
||||
services.cockpit.openFirewall = true;
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
|
@ -5,5 +5,9 @@
|
|||
./cloudflare-dyndns
|
||||
./maddy
|
||||
./dnscrypt-proxy2
|
||||
./cockpit
|
||||
./podman
|
||||
./traefik
|
||||
./nfs
|
||||
];
|
||||
}
|
||||
|
|
|
@ -1,69 +1,60 @@
|
|||
system:
|
||||
networking:
|
||||
dnscrypt-proxy2:
|
||||
forwarding-rules: ENC[AES256_GCM,data:qM6Y19pynqVruwgV7KhRfS1klhsZChZqpVxx0mV1PXSAyTf+9uiVCmpst7ZYIOzOeri4DnG2Pi1L2aOs93tsH7UnbLyKMs0qHO0y5T30clzBclw+VmjGUXJ3iwX0vL9o3fYXZ/WEfZd1vclgKqJmjwNIhqXdf+iYwm/Vlhe6Ib1cb8qUh3H0QqSARwmPw+5ffPjTBRdp+MAu8ZH+9s0lbXipk1l/YoBsd0qs6ID1D8ahTXLaUKabuE4a462Qjat0cx7b88Psam/AxqQXTbujCxAbO9t6rzPgTW79GURoIVddoURPEfWUX+7125RH4bHHZd4dQWPee1d89ikmPIG65x6mGRlI073gGP07x+uNXyvcQVG4GabiJ1xOzlnzT5obySYuH/JKhYMR8meTCQGQKJyCaFjPfOWQYkEHt8xd4/hg3zlC8H+a44th9tNadif0rys3LSx+ltyyEbYyqU6U5vs=,iv:ApcoDgN5uLjqFmWbYZoL21GlKkUwkqRcVxXm20/q8GI=,tag:TxYTmEGcf+183CyzH5cfiQ==,type:str]
|
||||
forwarding-rules: ENC[AES256_GCM,data:I2MOqXfru2V2NDcrMfy8rwjIHKjt8ujk0GpGZRZgPRJv76P0jONja4Ft2b5j53CaM0A0dYHKc4A8ZbZgNzesVEvb5TK+wtQXziST7phRpJOpVPZjgHw3H8HD0l6mX7UmnIbv69e85UELG8Mv3DW7cRHCReelmec27+JNjhjhGUuyiNLdRxCS59D8P3p5Tdci1gMclbeXv+qv2VlWq8eIGMc5w6+0F4vVA9lhGUmWQLORtFOPLSmBn9xtx1R2Bm/itAzG+qJngAaF6o1Zm+lHvCydaddF/YJnsxk+EzwLS2RCb3+noE8cyS3S+eVCpSFmrtYB1MNREEZpBA+fXdkqSKVsNwCUgo2WJY78bPocNwQB9D/kuTnvILba8bC1pVdUH+xo0Ww7LS7j5+bp7xs9qwC9FRKgYKNReSoQn993R8n6VlqtJyqFLXtL55yIp+HSlu16jFiDP4rGjZtkxLQ21Y4=,iv:Jk4JLRzBYEIhoxgsRMXjvDNHVinuR0xjxTVTvED6lFo=,tag:4ILaKfjKM1r6MhYrOyU+Jg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2c2dSOEIrUUtpbFNUb3Rj
|
||||
TlIyOU9EQlJCVTB4WFNjWDAwVGVpMUluV25vCnpvaXVqckIrUit6Q2NGb3Q5bnF0
|
||||
ZG9JRy9VdVRLS0J3Vys4UEFZcndRU28KLS0tIGlIcFpMYXIzOEVBZ3cvbVJ2MFBl
|
||||
cWtPNHRmSDNUVXJ3NUVPN3crYUVRREEKQxhNUNBYizl6qNo/JKdHeOLAn6/V2xfA
|
||||
sHtn9fq0lhpWQ5oaSUOP9GHZVhEkP+fRJfK+QULEiR52zr2pYj8jMA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrajZoNzE4VWhCK0E3aHNq
|
||||
RUZ0TFFMejNjUmhSS2lZQnR0RHhZUzAwcERNCndUYnFPZnhuelptVUNaUWdkTWFk
|
||||
R05mcXE3REcrNEJndGphTXhESW8vam8KLS0tIFMzSXFBUEY4N0d5eWN3b3IvQnFV
|
||||
K21tS3FnbWZsRHVyZHI5d1NyN3c0b0kKfHq1QUZwgmIA/3cHOJuTWN99hwm2kI1p
|
||||
emBoeNukVvjOgqUCEBG/O4GMHlc6BmmimnSiULg65eIyFEAdLOsBOA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZVExakR2VUVCODVoZ0tm
|
||||
WnBsNXdjTXVRejFBUzVLN0s3aGgzV2pJb2pzCmpTdnhpb2h0c25TdDBSemxHS2xh
|
||||
ekR0QlJLUk9JY3VqTzJVSWdZa0UrYW8KLS0tIGFjVmxDbjdXdHptK1RxZCtxcDFR
|
||||
NUxNNUtkQzlvTHhadS9JelFOSWI4ODQKdFjY8uyoOrRXa37M3d6qqY5zsB6UxOLv
|
||||
d/hfiFATBbGGdj5B3AyQV8yIWTBt+k9og7wh8GVhzrkje5eJx3qMqA==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbkZmSGlyMTJ6RjlGWENX
|
||||
SUc3SU1MbGZMVmRuUWJIb2xQQlA5UFdGeDBZCmp3Y2o1Lzc4TnR4RXJTa1Rxdk5w
|
||||
LzFFbUx2Q25QZUk3bklDVEVOajdPYk0KLS0tIHlBalM2RlFKQ1NKNFZHVXFUQWtV
|
||||
VDNnQkp6ZTkwSW1peXJJTVN6TGtxYVkKDCpef2RICaAf1mSkW9V8i7siPP+gXa5r
|
||||
SNOlY5EDDU9wQ54GEWJHMz7kzaAAPQH4hXz1JdoO+Z2P2yr7pLdjAg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1OGxhc054cTh1VU55eUtE
|
||||
aklYUVI3RUhYdy9WdzhMV2dkU0FYZi9uakEwCkFPQ2lVeDNEcXVvRUV2czI5M1dS
|
||||
d3g2R29YRHJpMXRWMlZxT25JazBab2cKLS0tIExPYWhZUktycmtNMndXVFlHcnNH
|
||||
U2RXdlk0VThxb0hYOTR6U3dTZW5RNHcKy4iJe/O5O00Otvf7bh48+cCbhEhctu69
|
||||
zzrNyHgd7T1cCTd1YdgR+cuwqBLDW1br8ATh8w6Fj41gtvB8mrzXVw==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVk5jeklpdEhLTERqWnhO
|
||||
ZkZsRytWNk1MUlBrSW8xTlpOOW5xWUZlbnpZClhKNDRRTE0yWXNnRHljckIzM2tY
|
||||
OVlWWlYxVGNFcitORFdmbnlUTkJkZ2sKLS0tIEFETndzSktuYlpmK3NmL2Q1L3A5
|
||||
NzJLa2ZuUHppOExxZGhnandMRHR0N0kK/zHkmxJIFH5D88z92QkKrDrGApj2QGoU
|
||||
LkvIOSgGjEy2juzsGsjVJdu/61g7iaGO6IpHktuniyEgwnLwn+ApOw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNVFaYU1jZDhHbGRndWtZ
|
||||
aS9wNnpWanBxc3Jtc1lsNXZRVGR5bDhyRXprCkVhWEIzT3JHcjFueDM0emlobFVD
|
||||
dTBqUXNnaTBMUk1sZlJ2a09SWHhQbzAKLS0tIHV0WS9TcmYxR043S1ExZHhsc3pl
|
||||
ZFRDOWhGbmlwR2hqT0swVm5RQWdxZjQK/kWd22+oqeZ3jVgpFiJYJbdbhnOTVTSg
|
||||
lBw1CGoxXlHgXMjjbAQVdFk7n8uLxIjhcV3WZyFVAYdEQ+QQUmXUyw==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSDNpQ0ZBS3FqZlFKelVr
|
||||
NGRYdW9QNVA0THVLdGdQZElRVndmcmFoMzE4CmVUcVlLdGZuYi9XU0YydFNWLzBD
|
||||
M3pLWmlDV0Vld3k2SXoyRkJ6a1hIWVEKLS0tIHJQamFiZklzby9UQlROVTFPT0tt
|
||||
dnhReTcxeDE0NE1RNWRMN3JCOXVMTFkK8koum0Wlxgo52yDTRYCRFToQw16+iXFu
|
||||
+bzDHf9DjqvZzkZH2gEeS33meexZxyUcD/nWUQvyNcbhVO49tIb90w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZ2lWY0FiYytiM1YvRmox
|
||||
NDIwVlpNWWx4L0p5MTA4N214a0lqTGhjaHg0CmtwSGZxWTRrcDBiaEVNUUZNMmM4
|
||||
VFd2Tm95Z2dTemtkLzY1WmdSUllBRjAKLS0tIFpqTDhXTW1mZ1FwYVZxbEZNdjRL
|
||||
YTNLREliQjJudW4rZCt3VzZYMGhoUFUKvMQEXnUNDd/RBv/zo+05d/znEZqaWONj
|
||||
BjisOFvPYDodU/hUYGCxrdiKx4CxMhrtOjZjVxF25BMbH7m+XeNLHw==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR3M5VG9GaDkyK21wOVda
|
||||
WnluaERvelJ6bS9raS9DLzBCMXc1S1g1djBRCmhWYVdFeEY0bmpKSnN2bjBOKzQ4
|
||||
ckpoNGNmY0hLSTRBT2txQnEyY0hBTGsKLS0tIHY3NWN4RjRJVkdlN3JrS2krZXdn
|
||||
UVNSN29uQlh4WEVRVWd0a1FBNGY4VjQKMG2zUS+jehQGNo1OI2gQF0InKDzd15PM
|
||||
wyyitNB3Lh5JViREQHbYe2DrDA15W6iV5bTIzzf9zToR6+ouRBgzFA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-03-30T01:29:21Z"
|
||||
mac: ENC[AES256_GCM,data:j/ofDZ5Ky8xGkQU5ciGDPWDO8WchRl7ii4aWKhLZsPRojCYDEq7uQEKVeXl8QRjeDpFiFsGVlapKpLKbdCnANxHFgwPDR4sM+cBgqP5IRagTYo+4PyXNz7gjeVDnboB0rI80TrSd9uWcBU+1mkSuzLlUiXZQ2Uo00Tnkf7xIcBk=,iv:HX4//Q5uNbLfUePXGQOjt+zuFqPL3iTl9zRD8tGZXWU=,tag:cQccCSJ2QRQA5hy/LQFgTQ==,type:str]
|
||||
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcnd3d2JoWWtldXVQc0sr
|
||||
bEkrYXN3OXVGZWFLNHlPenQ0eW1ISjNKK1ZRCjdxUWI0bUttRzlUOHRrZFhpd2Fq
|
||||
TjFmWTNBWFJFOWluam9vOEQwNEVHQ2sKLS0tIFJlTFp0Z2VVRm02OGp2R0IwTUdT
|
||||
dkEybVp1OEhZR0JURFJqRW5nSURxME0KZcZj9YFuSvqM5bXbZQy44t4630p2aaAw
|
||||
H/yhO37jNToYUpmsbpCEYcZPfjkHkc/gKPyTcKSsUFusQAds1q6/Cg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-01T00:26:19Z"
|
||||
mac: ENC[AES256_GCM,data:+bAkGkkh+sPnZlG+E8+5/tZxX3W6yBTB/mSUeHKsEjv2ymo4HU5Vdef3iw4xnLBK/Kh94R0AQLd/jRJ8034Z07qBjCHttl9k5tRWyG1qZeEzZX8OOggig3PuiLv9hE0fJ+D0MX7rDy6XMyUDmaB46/TKiYPmlh8WOCB4yjjRr+Q=,iv:CsRGS8swKLEy0x3njmY+ExICDp97P9xdg0ERLonRKoQ=,tag:GYJIMpWXnOcktIL8GMUYfQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
|
@ -1,69 +1,60 @@
|
|||
system:
|
||||
mail:
|
||||
maddy:
|
||||
envFile: ENC[AES256_GCM,data:Wo+iP0IzT71mtQwTX8u4klf+Jw126+ovm3neZKlRKDxXt2GT1TR7DTXzdUIskhfVyXSS5K8VbHb/+vZgDJ8jqoIGRxd3CSnH/f5zevHzPgz8LOpXc+4pVDqQzuTqS2XFI9JPLZpiXmcrJ0aSGeupTK1vkS+KvezJNbtRCar+uRVH0Cw=,iv:qK0mHWnpnDrYl+Ovc8HlmfWgLUvhHaTEXRqvkeWuMSk=,tag:Yh9jIlt2IxK68Mi2xOa0oA==,type:str]
|
||||
envFile: ENC[AES256_GCM,data:43LVInxptreur8lHPNz5494OrGhe2aKqy//bDd9n4Pb9bMYnmN2hru64TpOCeKb4b7KUDrp5kWXdy9Q0njpdbdBprgKFXygVw8JuB1aDYlv9+RN2JntIa3dAhsgL26d8VC67tjsMXZUcinR69I3SfIVp0o2T45WhG4IT1rnBWX0mGug=,iv:Uy6OaCzayAqMhvFCF4Ho5Om810Qxi2yFIqmz6NU3L8Q=,tag:WizECPn2ip3dQ0gidMaHyQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUGhnSDc3N3M0MjY4TGsv
|
||||
MkFtUGpGWGFZN1JiZ2VKTC8vUnlOd0s3bzFFCktCTDdmekhpUm1ZNzVYaUN6c1ht
|
||||
czVtVXdGSGU3T0FLNGJ2Y0cwY2cyWDgKLS0tIGZTRHBBeU1DN0xtYXpzcE5aczJr
|
||||
QVhRSXZOTHUvOWh0cGFOcTR5R2ZsK2cKD5fNP6Oa6W/OJck3FbYn6R5nYS2UoF8I
|
||||
aOUIN98e15BaSFaOc8kmqkNZC4mKMHKaBJH2NqpbwyDP4iwLbRtP4Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMUluUk41a25heEkyUm1U
|
||||
TDdPbHpvUi9hMG03RDBKTjVZSUY4K1p2ZkJNCmRqRWFDKzg0QVU0dGJtWUYzZThJ
|
||||
RCtNYWtyNEJyNHMybVlTc2FoMWtmMWsKLS0tIFEzVDQySmNLTlNONHJZVWlSbm5G
|
||||
cWE5bVZBN1ZmV0JkVXJXbzdldXU3ZnMK7EV7u1lewpEsurScWTKVscYMo9dmSoUl
|
||||
O0kLRmRR4NEzuYzCFJ3JVaxTrPlMJM9C3Mwo3LsSDLCXSQ71JWiOZQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXd1ZFcjhkNnJXRjZPY3FO
|
||||
UFVmT05CTWt1dXhjSit6QmlabHJOMTMyQW1VCjY3RTR2UGVJMFBYWlZnK29yejNw
|
||||
WjRXT2NpMC9ZL1pldHRhRGk4TlAyK3cKLS0tIFgyVUhxRVh5UFdPOTRHQ0ZMMjVy
|
||||
aUwyczEydHNnTG9KZEk2cjFNaFBOTmsKqd5MtgAJ1aKqk9Miq9ot2garqMxtFjdJ
|
||||
1IvxprhYiPCgvhYtEbPlyCKtM/kdEGCplX3BwVOvhAU8CbyNb8zyug==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcUtQcU56aGhOU3hDRis2
|
||||
bGFkUFhnT3BUSFhOWFFydnI4SmdkKzlJRlR3Cjh1MkRyS0tFeEM3bWhhNnFmSWNC
|
||||
UzhSRjJiN1VpTlNJUWkvcU54T0MyR0UKLS0tIHhNNHNBaXhvaGtIdE10YUo2MnZi
|
||||
VEdEczl3b2UxZldBWkVzRWZ2RzZkZHMKofrWTXa5aedNl7uVVQF3TbysG2L6mtb/
|
||||
5hYiKHsdgPyxQWL3V727GM7xhS5Jd/O/F3Nc8zGCgCCGmBe3Uf5+nA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSHp1K3UzMXRXV3ZMRDRI
|
||||
dllLWGF3NG5JOExac3BXamc3ZjRzWkFobGprCloxUzRZNU1kZ29GUWhZa2pXbUtl
|
||||
MDZpL3NPL1hpdGtsSjBqQWpHUndpMDAKLS0tIHJBYmJPTGRxV0V6TWJiSG9iNjNZ
|
||||
SWNQSkV2SHJHSHNFc1BIMGpabXlwLzAKQSI0Yo71Rt1eUHUKZZHsrTJenq3ooB3i
|
||||
7aLQqN6jp2ZwfOPh0/HBB1HWy6AWJoWkJZb+zKXTn0v+kx9NHU43ow==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bUFTeE9sMHVBN1RmNWhj
|
||||
czdaMjBjb2grTk1XWUp5emx4Q2ZsSHpIL0VjCnBVUnE2QjdTTUNON09qRkpnMEVs
|
||||
SmRoUFpmMmlZSGpyVGZIV3Q0MDMvUTAKLS0tIEI1ck5ySVhWemdpdnE1NUxCZ0Zt
|
||||
eWtodW5yeG9tR2xCSTNRcTFaNDRkMXMKmuIyJlHmU7gL/iqn0L55TfCZ32/LRnLz
|
||||
aZ9vqWGNvXjF4UsmhC1ChI3wUaAgXGvWl0roym/d3BTDV/rrIG31Hw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZ2ZaQU5waXFMRW9oOFZ4
|
||||
SHZwSzBVK3lGR3czUTJKbStWSTQvVjd1NVZzClF3L2ZDTDViQXhsZThKUXA0M0ZB
|
||||
SmZaYU1iTVJ3b1ZkekM0STdWZmlGSzgKLS0tIFY2a3lCUUlZM3pnRGdxSzVOSGdE
|
||||
bWRpL0lvMXRRNC93eFZEaEt3TE9vTnMKhzXsQiwzuxRLKAwsgn0GMyxNQHHJQpnJ
|
||||
R3dnLC5FjDnr2u4LFeMlgWVWb6sd08GlBTgBCzGujNFo+qgvTsyNUQ==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcUxpSFR2WGNEMHQ0QTcz
|
||||
dTYzdWhRTEdwYW5sUTFMZkZPNTRnbmFnekJvCllTOFNMTk9MTGJRWFdGaGhBUlkx
|
||||
WVZDVGNWZ1BPRFVwLzVFbklyVzYzTGsKLS0tIEprLy9IQ3ZycGJySWoxRG5QdFU4
|
||||
azRaYnNhNzlHWFlpTGloc1JyS3dOWEUKcGY320t9R7z7wM1ebUF3QQdQzB0FMZtX
|
||||
W45AWV+CWVce9qBm9OFVwluiJQD+m1BxLVxM1EmaNBBsT7PUleserg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcEd4OWJGVjkzWVJLNGQw
|
||||
ZDkzNFd3a3VrQW9uMnIvS3ZwUmx5TGp2b0FrCkdjaEJRNVo3ZDM3TnFvRDlPRFph
|
||||
V2dkUUhvYUdlSDY1TG91dlZNeCtPYmMKLS0tIG1JOWRmbFd0b2xaQkJaNjlXcjJK
|
||||
KzNZbGVUVXdweTFmYXdxWm9Oa05GbDAKGB7SVhd13AukH44aGPMNx3aXxXI0iQNI
|
||||
UtAwlxSakIZ2OSb6A+BJNG68Joy8dEBp23JY+l5wGnKkPNbWIYSqbg==
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMUROaDE2NDhzUTJYTThj
|
||||
U0loNnpKUTJrWkVmeEI3Uk9tN2gzNm5ZYVVzCkhCNWcyL29SVTB5UjVnNHlrNy9Y
|
||||
Z2wrd1RudnRoYjRhZUJoUzdzVm9KemcKLS0tIFQvbzUwQ0lDcko0VHRPVDRFckFk
|
||||
T1RYa2J6V2FqRjUwb1ZpaHBBa2kvMncKwI9MAHNrZUD/3bEqYQ7bE65cZt9JAQ2p
|
||||
s0nPt+izl384aYuEeOP2uGW7GyaSvG8sVytpyxOZ4DIAWdjzoWLxbQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-03-30T01:29:20Z"
|
||||
mac: ENC[AES256_GCM,data:P7huPF/xSFJdbsM58kPaZqwA5LufakR9rHPQk7I4+WfKocJDxLDKknsTXvKqsEi/hnii2uFkahp+J8nTAGBjqENAdFx2ux+j++Z5dfOf/Ipl1PWZxjUKnB6SaflSja6PTsULLUl8ZiR0b6O0fitgyvaUdYsdQqVsi/VdCTTUxe8=,iv:BVmTyDkhYDW4hu5ebcytaLqAtau91KRjSg+jsHOwD5I=,tag:5sOALgUX8z0DqD0yRESerQ==,type:str]
|
||||
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTEZlUmlRSjRxNWdpSVY3
|
||||
TXl4SGZZYW1lVkRqa1VON3k5TWJCTjFacXhvCkxRR3RqbnBxemQzMUs1NW5EczVm
|
||||
OWtTQm9zWkdiWmFGdHZKdU52aG5jQU0KLS0tIFEzellhYWFnSFJaZmRlVjlpeWNX
|
||||
bTd2MExRU3Z5QzY5dEdEdzUvN2R4QzAKqOsV6f+NrCiOqELmJ5JJNnkxVKp3kQwy
|
||||
MEkudjQ3tj+iw8C5tlIsixnT2Azbj3FcSAdTwPc1yRQ5WCyf6VTA5w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-01T00:26:19Z"
|
||||
mac: ENC[AES256_GCM,data:e2S19cJ1yA3J7UAOdMR0zqUx5KMzNg+JZ46Ux21Ph/8d9CXfRo1avHwl6EtWdSaMdLUHDqwzR+7fp1NVcP/fYBOhjHLhOgV1IWBfqA1Vche2MffQyi2dPYiDX7idHsh2eW3PhhXi821YtWEqv2Rmiani9gQJTjyXJkghy5JbbHw=,iv:FNveFjSPp1byfvuKy43DUjELoUu+axuElSa3RXAdV/Y=,tag:B03Hpaib8dVcFMD16vkYmA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
38
nixos/modules/nixos/services/nfs/default.nix
Normal file
38
nixos/modules/nixos/services/nfs/default.nix
Normal file
|
@ -0,0 +1,38 @@
|
|||
{ lib
|
||||
, config
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.nfs.nas;
|
||||
in
|
||||
{
|
||||
options.mySystem.nfs.nas.enable = mkEnableOption "Mount NAS";
|
||||
|
||||
config = mkIf cfg.enable
|
||||
{
|
||||
|
||||
services.rpcbind.enable = true; # needed for NFS
|
||||
|
||||
environment.systemPackages = with pkgs; [ nfs-utils ];
|
||||
|
||||
systemd.mounts = [{
|
||||
type = "nfs";
|
||||
mountConfig = {
|
||||
Options = "noatime";
|
||||
};
|
||||
what = "helios:/tank";
|
||||
where = "/mnt/nas";
|
||||
}];
|
||||
|
||||
systemd.automounts = [{
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
automountConfig = {
|
||||
TimeoutIdleSec = "600";
|
||||
};
|
||||
where = "/mnt/nas";
|
||||
}];
|
||||
|
||||
};
|
||||
}
|
30
nixos/modules/nixos/services/podman/default.nix
Normal file
30
nixos/modules/nixos/services/podman/default.nix
Normal file
|
@ -0,0 +1,30 @@
|
|||
{ lib
|
||||
, config
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.services.podman;
|
||||
in
|
||||
{
|
||||
options.mySystem.services.podman.enable = mkEnableOption "Podman";
|
||||
|
||||
config = mkIf cfg.enable
|
||||
{
|
||||
virtualisation.podman = {
|
||||
enable = true;
|
||||
dockerCompat = true;
|
||||
extraPackages = [ pkgs.zfs ];
|
||||
defaultNetwork.settings = {
|
||||
dns_enabled = true;
|
||||
};
|
||||
};
|
||||
virtualisation.oci-containers = {
|
||||
backend = "podman";
|
||||
};
|
||||
networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
|
||||
};
|
||||
|
||||
}
|
28
nixos/modules/nixos/services/traefik/default.nix
Normal file
28
nixos/modules/nixos/services/traefik/default.nix
Normal file
|
@ -0,0 +1,28 @@
|
|||
{ lib
|
||||
, config
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.services.traefik;
|
||||
in
|
||||
{
|
||||
options.mySystem.services.traefik.enable = mkEnableOption "Traefik reverse proxy";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
services.traefik = {
|
||||
enable = true;
|
||||
staticConfigOptions = {
|
||||
api.dashboard = true;
|
||||
api.insecure = true;
|
||||
|
||||
serversTransport = {
|
||||
# Disable backend certificate verification.
|
||||
insecureSkipVerify = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,21 +0,0 @@
|
|||
{ lib
|
||||
, config
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.mySystem.xx.yy;
|
||||
in
|
||||
{
|
||||
options.mySystem.xx.yy.enable = mkEnableOption "<INSERT DESCRIPTION>";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
# CONFIG HERE
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
|
@ -5,6 +5,8 @@
|
|||
# deploy-rs overlay
|
||||
deploy-rs = inputs.deploy-rs.overlays.default;
|
||||
|
||||
nur = inputs.nur.overlay;
|
||||
|
||||
# The unstable nixpkgs set (declared in the flake inputs) will
|
||||
# be accessible through 'pkgs.unstable'
|
||||
unstable-packages = final: _prev: {
|
||||
|
|
|
@ -29,7 +29,9 @@ with lib;
|
|||
# But wont enable plugins globally, leave them for workstations
|
||||
};
|
||||
|
||||
|
||||
# required for yubico
|
||||
services.udev.packages = [ pkgs.yubikey-personalization ];
|
||||
services.pcscd.enable = true;
|
||||
|
||||
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
|
|
|
@ -19,14 +19,14 @@ in
|
|||
"network"
|
||||
"samba-users"
|
||||
"docker"
|
||||
"audio" # pulseaudio
|
||||
];
|
||||
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home"
|
||||
];
|
||||
]; # TODO do i move to ingest github creds?
|
||||
|
||||
# packages = [ pkgs.home-manager ];
|
||||
};
|
||||
|
||||
# home-manager.users.taylor = import ../../../../../home-manager/taylor_${config.networking.hostName}.nix; TODO home-manager?
|
||||
}
|
||||
|
|
|
@ -3,6 +3,9 @@
|
|||
with lib;
|
||||
{
|
||||
|
||||
# Enable module for NVIDIA graphics
|
||||
mySystem.hardware.nvidia.enable = true;
|
||||
|
||||
mySystem.system.packages = with pkgs; [
|
||||
ntfs3g
|
||||
];
|
||||
|
@ -29,46 +32,5 @@ with lib;
|
|||
services.xserver.videoDrivers = [ "nvidia" ];
|
||||
|
||||
|
||||
# ref: https://nixos.wiki/wiki/Nvidia
|
||||
# Enable OpenGL
|
||||
hardware.opengl = {
|
||||
enable = true;
|
||||
driSupport = true;
|
||||
driSupport32Bit = true;
|
||||
};
|
||||
|
||||
hardware.nvidia = {
|
||||
|
||||
# Modesetting is required.
|
||||
modesetting.enable = true;
|
||||
|
||||
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
|
||||
# Enable this if you have graphical corruption issues or application crashes after waking
|
||||
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
|
||||
# of just the bare essentials.
|
||||
powerManagement.enable = false;
|
||||
|
||||
# Fine-grained power management. Turns off GPU when not in use.
|
||||
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
|
||||
powerManagement.finegrained = false;
|
||||
|
||||
# Use the NVidia open source kernel module (not to be confused with the
|
||||
# independent third-party "nouveau" open source driver).
|
||||
# Support is limited to the Turing and later architectures. Full list of
|
||||
# supported GPUs is at:
|
||||
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
|
||||
# Only available from driver 515.43.04+
|
||||
# Currently alpha-quality/buggy, so false is currently the recommended setting.
|
||||
open = false;
|
||||
|
||||
# Enable the Nvidia settings menu,
|
||||
# accessible via `nvidia-settings`.
|
||||
nvidiaSettings = true;
|
||||
|
||||
# Optionally, you may need to select the appropriate driver version for your specific GPU.
|
||||
package = config.boot.kernelPackages.nvidiaPackages.stable;
|
||||
};
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
|
||||
}
|
||||
|
|
30
nixos/profiles/hw-generic-x86.nix
Normal file
30
nixos/profiles/hw-generic-x86.nix
Normal file
|
@ -0,0 +1,30 @@
|
|||
{ config, lib, pkgs, imports, boot, ... }:
|
||||
|
||||
with lib;
|
||||
{
|
||||
|
||||
mySystem.system.packages = with pkgs; [
|
||||
ntfs3g
|
||||
];
|
||||
|
||||
boot = {
|
||||
|
||||
initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
kernelModules = [ ];
|
||||
extraModulePackages = [ ];
|
||||
|
||||
# for managing/mounting ntfs
|
||||
supportedFilesystems = [ "ntfs" ];
|
||||
|
||||
loader = {
|
||||
systemd-boot.enable = true;
|
||||
efi.canTouchEfiVariables = true;
|
||||
# why not ensure we can memtest workstatons easily?
|
||||
grub.memtest86.enable = true;
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
|
||||
}
|
|
@ -15,8 +15,8 @@ with config;
|
|||
# Lets see if fish everywhere is OK on the pi's
|
||||
# TODO decide if i drop to bash on pis?
|
||||
shell.fish.enable = true;
|
||||
# But wont enable plugins globally, leave them for workstations
|
||||
|
||||
nfs.nas.enable = true;
|
||||
};
|
||||
|
||||
boot = {
|
||||
|
|
Reference in a new issue