From b447282c7ad859c9d072464db0597ce740c2cc18 Mon Sep 17 00:00:00 2001 
From: Truxnell <19149206+truxnell@users.noreply.github.com> Date: Wed, 3 Apr 2024 12:09:39 +1100 Subject: [PATCH] feat: flesh out home manager gnome, firefox (#56) * feat: add test node and spin up podman/cockpit * dev hack * bug: disable wayland temporarily #52 * feat: add nfs mount to nas * chore: add nas to sshconf * derp * hax * fix: hax * feat: firefox and gnome tweaks * chore: tweak nautilus --------- Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com> --- .github/workflows/diff-pr.yaml | 1 + .github/workflows/nix-lint.yaml | 1 + .sops.yaml | 7 +- .vscode/module.code-snippets | 27 ++++++ docs/tips.md | 4 + .../{installing.md => installing-x86_64.md} | 0 flake.lock | 16 ++++ flake.nix | 26 ++++-- nixos/home/modules/default.nix | 1 + .../programs/browsers/firefox/default.nix | 46 +++++----- .../programs/browsers/firefox/policies.nix | 20 +++++ .../browsers/firefox/profile-default.nix | 39 +++++++++ .../programs/browsers/firefox/search.nix | 60 +++++++++++++ nixos/home/modules/programs/de/default.nix | 5 ++ .../modules/programs/de/gnome/default.nix | 41 +++++++++ nixos/home/modules/programs/default.nix | 1 + nixos/home/modules/security/default.nix | 5 ++ nixos/home/modules/security/ssh/default.nix | 25 ++++++ nixos/home/modules/shell/wezterm/default.nix | 3 +- nixos/home/truxnell/workstation.nix | 44 ++++++++++ nixos/hosts/bootstrap/configuration.nix | 2 +- nixos/hosts/citadel/default.nix | 5 ++ nixos/hosts/rickenbacker/default.nix | 1 + nixos/hosts/shodan/default.nix | 59 +++++++++++++ nixos/modules/nixos/containers/default.nix | 49 +++++++++++ .../nixos/containers/traefik/default.nix | 84 +++++++++++++++++++ nixos/modules/nixos/de/gnome.nix | 67 ++++++++++++--- nixos/modules/nixos/default.nix | 3 +- nixos/modules/nixos/hardware/default.nix | 5 ++ .../modules/nixos/hardware/nvidia/default.nix | 62 ++++++++++++++ .../cloudflare-dyndns.sops.yaml | 75 ++++++++--------- .../nixos/services/cockpit/default.nix | 21 +++++ 
nixos/modules/nixos/services/default.nix | 4 + .../dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml | 73 +++++++--------- .../nixos/services/maddy/maddy.sops.yaml | 73 +++++++--------- nixos/modules/nixos/services/nfs/default.nix | 38 +++++++++ .../modules/nixos/services/podman/default.nix | 30 +++++++ .../nixos/services/traefik/default.nix | 28 +++++++ nixos/modules/nixos/template.nix | 21 ----- nixos/overlays/default.nix | 2 + nixos/profiles/global.nix | 4 +- nixos/profiles/global/users.nix | 4 +- nixos/profiles/hw-gaming-desktop.nix | 44 +--------- nixos/profiles/hw-generic-x86.nix | 30 +++++++ nixos/profiles/role-worstation.nix | 2 +- 45 files changed, 922 insertions(+), 236 deletions(-) create mode 100644 .vscode/module.code-snippets create mode 100644 docs/tips.md rename docs/vm/{installing.md => installing-x86_64.md} (100%) create mode 100644 nixos/home/modules/programs/browsers/firefox/policies.nix create mode 100644 nixos/home/modules/programs/browsers/firefox/profile-default.nix create mode 100644 nixos/home/modules/programs/browsers/firefox/search.nix create mode 100644 nixos/home/modules/programs/de/default.nix create mode 100644 nixos/home/modules/programs/de/gnome/default.nix create mode 100644 nixos/home/modules/security/default.nix create mode 100644 nixos/home/modules/security/ssh/default.nix create mode 100644 nixos/hosts/shodan/default.nix create mode 100644 nixos/modules/nixos/containers/default.nix create mode 100644 nixos/modules/nixos/containers/traefik/default.nix create mode 100644 nixos/modules/nixos/hardware/default.nix create mode 100644 nixos/modules/nixos/hardware/nvidia/default.nix create mode 100644 nixos/modules/nixos/services/cockpit/default.nix create mode 100644 nixos/modules/nixos/services/nfs/default.nix create mode 100644 nixos/modules/nixos/services/podman/default.nix create mode 100644 nixos/modules/nixos/services/traefik/default.nix delete mode 100644 nixos/modules/nixos/template.nix create mode 100644 
nixos/profiles/hw-generic-x86.nix diff --git a/.github/workflows/diff-pr.yaml b/.github/workflows/diff-pr.yaml index 48a9196..34863c6 100644 --- a/.github/workflows/diff-pr.yaml +++ b/.github/workflows/diff-pr.yaml @@ -54,6 +54,7 @@ jobs: extra_nix_config: | experimental-features = nix-command flakes extra-platforms = aarch64-linux + - uses: DeterminateSystems/magic-nix-cache-action@main - name: Register binfmt run: | docker run --rm --privileged multiarch/qemu-user-static --reset -p yes diff --git a/.github/workflows/nix-lint.yaml b/.github/workflows/nix-lint.yaml index 946a45a..c317ea3 100644 --- a/.github/workflows/nix-lint.yaml +++ b/.github/workflows/nix-lint.yaml @@ -17,6 +17,7 @@ jobs: uses: cachix/install-nix-action@v26 with: nix_path: nixpkgs=channel:nixos-unstable + - uses: DeterminateSystems/magic-nix-cache-action@main - name: Install Nix Linting and Formatting Tools run: nix-env -i statix nixpkgs-fmt -f '' diff --git a/.sops.yaml b/.sops.yaml index 6cfa9a9..7d68808 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -9,20 +9,19 @@ # copying one key to each machine keys: - - &nixosvm age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn - - &nixosvm2 age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz - &dns01 age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u - &dns02 age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c - &citadel age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk - &rickenbacker age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc + - &shodan age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw creation_rules: - path_regex: .*\.sops\.yaml$ key_groups: - age: - - *nixosvm - - *nixosvm2 + - *dns01 - *dns02 - *citadel - *rickenbacker + - *shodan diff --git a/.vscode/module.code-snippets b/.vscode/module.code-snippets new file mode 100644 index 0000000..7419595 --- /dev/null +++ b/.vscode/module.code-snippets 
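Review bot: The new `- uses: DeterminateSystems/magic-nix-cache-action@main` step tracks a mutable branch, so whatever that repository's `main` points to at run time executes inside the job with the workflow token and the Nix store; the same line is added in `.github/workflows/nix-lint.yaml`. Pin the action to a full commit SHA with the release tag kept in a trailing comment so bots can still bump it, e.g. `- uses: DeterminateSystems/magic-nix-cache-action@<commit-sha-from-upstream-release> # vX.Y.Z`. The surrounding `steps` list starts and ends outside the hunk.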
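Review bot: Dropping `&nixosvm`/`&nixosvm2` from `keys` and from the `key_groups` list stops future encryptions from targeting those recipients, but every earlier revision of the `*.sops.yaml` files in git history remains decryptable with the removed age keys. If the two VM keys are merely retired that is fine; if they should be treated as compromised, the secret values themselves (not only the data key that `sops updatekeys` rewraps) need rotating in the files this commit re-encrypts. A one-line comment above `keys:` such as `# nixosvm/nixosvm2 retired <date>; see <commit> for the re-key` would record the intent for the next reader.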
@@ -0,0 +1,27 @@ +{ + "nix-module": { + "prefix": "nm", + "body": [ + "{ lib", + ", config", + ", pkgs", + ", ...", + "}:", + "with lib;", + "let", + " cfg = config.mySystem.${1}.${2};", + "in", + "{", + " options.mySystem.${1}.${2}.enable = mkEnableOption \"${3}\";", + "", + " config = mkIf cfg.enable {", + "", + " $4{}", + "", + " };", + "}", + "" + ], + "description": "nix-module" + } +} diff --git a/docs/tips.md b/docs/tips.md new file mode 100644 index 0000000..048e9f4 --- /dev/null +++ b/docs/tips.md @@ -0,0 +1,4 @@ + +* Dont make conditional imports (nix needs to resolve imports upfront) +* can pass between nixos and home-manager with config.homemanager.users.. and osConfig. blank page + # 1 => your home page(s) {default} + # 2 => the last page viewed in Firefox + # 3 => previous session windows and tabs + "browser.startup.page" = "3"; + + "browser.send_pings" = false; + # Do not track + "privacy.donottrackheader.enabled" = "true"; + "privacy.donottrackheader.value" = 1; + "browser.display.use_system_colors" = "true"; + + "browser.display.use_document_colors" = "false"; + "devtools.theme" = "dark"; + + "extensions.pocket.enabled" = false; + }; + search = import ./search.nix { inherit pkgs; }; + extensions = with pkgs.nur.repos.rycee.firefox-addons; [ + ublock-origin + bitwarden + darkreader + vimium + languagetool # setup against my personal language-tools + privacy-badger + link-cleaner + refined-github + ]; +} diff --git a/nixos/home/modules/programs/browsers/firefox/search.nix b/nixos/home/modules/programs/browsers/firefox/search.nix new file mode 100644 index 0000000..0c3d9de --- /dev/null +++ b/nixos/home/modules/programs/browsers/firefox/search.nix 
@@ -0,0 +1,60 @@ +{ pkgs }: +{ + force = true; + default = "whoogle"; + order = [ "whoogle" "Searx" "Google" ]; + engines = { + "Nix Packages" = { + urls = [{ + template = "https://search.nixos.org/packages"; + params = [ + { name = "type"; value = "packages"; } + { name = "query"; value = "{searchTerms}"; } + ]; + }]; + icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; + definedAliases = [ "@np" ]; + }; + "Nix Options" = { + urls = [{ + template = "https://search.nixos.org/options"; + params = [ + { name = "query"; value = "{searchTerms}"; } + ]; + }]; + icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; + definedAliases = [ "@no" ]; + }; + "Home-Manager Options" = { + urls = [{ + template = "https://home-manager-options.extranix.com/"; + params = [ + { name = "query"; value = "{searchTerms}"; } + ]; + }]; + icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; + definedAliases = [ "@nhmo" ]; + }; + "NixOS Wiki" = { + urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }]; + iconUpdateURL = "https://nixos.wiki/favicon.png"; + updateInterval = 24 * 60 * 60 * 1000; # every day + definedAliases = [ "@nw" ]; + }; + "KubeSearch" = { + urls = [{ template = "https://kubesearch.dev/#{searchTerms}"; }]; + iconUpdateURL = "https://kubernetes.io/images/wheel.svg"; + updateInterval = 24 * 60 * 60 * 1000; # every day + definedAliases = [ "@ks" ]; + }; + + # "Searx" = { + # urls = [{ template = "https://searx.trux.dev/?q={searchTerms}"; }]; + # iconUpdateURL = "https://nixos.wiki/favicon.png"; + # updateInterval = 24 * 60 * 60 * 1000; # every day + # definedAliases = [ "@searx" ]; + # }; + "Bing".metaData.hidden = true; + "Google".metaData.alias = "@g"; # builtin engines only support specifying one additional alias + }; +} 
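Review bot: `default = "whoogle"` and `order = [ "whoogle" "Searx" "Google" ]` name engines this file does not define — the `Searx` entry is commented out and there is no `whoogle` engine at all — so unless an engine of that name is supplied elsewhere the default will not be honoured; either add the definitions or trim `default`/`order` to engines that exist. Separately, `icon = "''${pkgs.nixos-icons}/..."` is a double-quoted Nix string, where `''` is not an escape sequence, so as far as I can tell the resulting path begins with two literal single-quote characters and the icon will not resolve; `icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";` is presumably what was intended (the `''${` form is only needed inside `''…''` indented strings), and the same applies to the `Nix Options` and `Home-Manager Options` entries. A short comment above `engines` noting that built-in engines such as `Bing`/`Google` are configured via `metaData` only would explain the mixed style at the bottom of the set.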
diff --git a/nixos/home/modules/programs/de/default.nix b/nixos/home/modules/programs/de/default.nix
new file mode 100644
index 0000000..4bf617f
--- /dev/null
+++ b/nixos/home/modules/programs/de/default.nix
@@ -0,0 +1,5 @@
+{ ... }: {
+ imports = [
+ ./gnome
+ ];
+}
diff --git a/nixos/home/modules/programs/de/gnome/default.nix b/nixos/home/modules/programs/de/gnome/default.nix
new file mode 100644
index 0000000..868912a
--- /dev/null
+++ b/nixos/home/modules/programs/de/gnome/default.nix
@@ -0,0 +1,41 @@ +# Adjusted manually from generated output of dconf2nix +# https://github.com/gvolpe/dconf2nix +{ lib +, pkgs +, osConfig +, ... +}: +with lib.hm.gvariant; { + + config = lib.mkIf osConfig.mySystem.de.gnome.enable { + # add user packages + home.packages = with pkgs; [ + dconf2nix + ]; + + # worked out from dconf2nix + # dconf dump / | dconf2nix > dconf.nix + # can also dconf watch + dconf.settings = { + "org/gnome/mutter" = { + edge-tiling = true; + workspaces-only-on-primary = false; + }; + "org/gnome/desktop/wm/preferences" = { + workspace-names = [ "sys" "talk" "web" "edit" "run" ]; + }; + "org/gnome/shell" = { + disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ]; + enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ]; + favorite-apps = [ "org.gnome.Nautilus.desktop" "firefox.desktop" "org.wezfurlong.wezterm.desktop" "PrusaGcodeviewer.desktop" "spotify.desktop" "org.gnome.Console.desktop" "codium.desktop" ]; + }; + "org/gnome/nautilus/preferences" = { + default-folder-viewer = "icon-view"; + }; + "org/gnome/nautilus/icon-view" = { + default-zoom-level = "small"; + }; + + }; + }; +} diff --git a/nixos/home/modules/programs/default.nix b/nixos/home/modules/programs/default.nix index 232a70d..c941a17 100644 --- a/nixos/home/modules/programs/default.nix +++ b/nixos/home/modules/programs/default.nix @@ -1,5 +1,6 @@ { ... }: { imports = [ ./browsers + ./de ]; } 
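Review bot: `enabled-extensions` hard-codes `gsconnect@andyholmes.github.io` and `appindicatorsupport@rgcjonas.gmail.com`, while the system module in this same commit installs those two extensions only when `mySystem.de.gnome.gsconnect` and `mySystem.de.gnome.systrayicons` are set; with either flag off, dconf enables an extension that is not present. Since `osConfig` is already an argument here, the list can follow the system flags, e.g. `enabled-extensions = [ "caffeine@patapon.info" ... ] ++ lib.optionals osConfig.mySystem.de.gnome.gsconnect [ "gsconnect@andyholmes.github.io" ] ++ lib.optionals osConfig.mySystem.de.gnome.systrayicons [ "appindicatorsupport@rgcjonas.gmail.com" ];`. The `favorite-apps` entry `PrusaGcodeviewer.desktop` likewise assumes `prusa-slicer` from the user's package list is installed; a comment saying which packages these launchers depend on would help.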
diff --git a/nixos/home/modules/security/default.nix b/nixos/home/modules/security/default.nix new file mode 100644 index 0000000..327a590 --- /dev/null +++ b/nixos/home/modules/security/default.nix @@ -0,0 +1,5 @@ +{ ... }: { + imports = [ + ./ssh + ]; +} diff --git a/nixos/home/modules/security/ssh/default.nix b/nixos/home/modules/security/ssh/default.nix new file mode 100644 index 0000000..4b1e87c --- /dev/null +++ b/nixos/home/modules/security/ssh/default.nix @@ -0,0 +1,25 @@ +{ config +, pkgs +, lib +, ... +}: +with lib; let + cfg = config.myHome.security.ssh; +in +{ + options.myHome.security.ssh = { + enable = mkEnableOption "ssh"; + matchBlocks = mkOption { + type = types.attrs; + default = { }; + }; + }; + + config = mkIf cfg.enable { + programs.ssh = { + inherit (cfg) matchBlocks; + enable = true; + # addKeysToAgent = "yes"; + }; + }; +} diff --git a/nixos/home/modules/shell/wezterm/default.nix b/nixos/home/modules/shell/wezterm/default.nix index 86631ab..d05f6c0 100644 --- a/nixos/home/modules/shell/wezterm/default.nix +++ b/nixos/home/modules/shell/wezterm/default.nix @@ -23,7 +23,8 @@ in extraConfig = '' local wez = require('wezterm') return { - + -- https://github.com/wez/wezterm/issues/2011 + enable_wayland = false, color_scheme = "Dracula (Official)", check_for_updates = false, window_background_opacity = .90, diff --git a/nixos/home/truxnell/workstation.nix b/nixos/home/truxnell/workstation.nix index 13a2a37..fe537ef 100644 --- a/nixos/home/truxnell/workstation.nix +++ b/nixos/home/truxnell/workstation.nix 
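Review bot: `matchBlocks` is declared as `type = types.attrs` with no `description`; `types.attrs` merges only at the top level, so two modules each contributing a host would overwrite rather than combine, and the option is invisible in generated docs. `type = types.attrsOf types.attrs; description = "Per-host blocks passed through unchanged to programs.ssh.matchBlocks";` keeps the pass-through while merging per host name. The commented-out `# addKeysToAgent = "yes";` should either be enabled or removed rather than left as dead config.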
@@ -10,6 +10,47 @@ with config; myHome.shell.fish.enable = true; myHome.shell.wezterm.enable = true; + myHome.security = { + ssh = { + enable = true; + matchBlocks = { + citadel = { + hostname = "citadel"; + port = 22; + identityFile = "~/.ssh/id_ed25519"; + }; + rickenbacker = { + hostname = "rickenbacker"; + port = 22; + identityFile = "~/.ssh/id_ed25519"; + }; + dns01 = { + hostname = "dns01"; + port = 22; + identityFile = "~/.ssh/id_ed25519"; + }; + dns02 = { + hostname = "dns02"; + port = 22; + identityFile = "~/.ssh/id_ed25519"; + }; + pikvm = { + hostname = "pikvm"; + port = 22; + user = "root"; + identityFile = "~/.ssh/id_ed25519"; + }; + helios = { + hostname = "helios"; + user = "nat"; + port = 22; + identityFile = "~/.ssh/id_ed25519"; + }; + + }; + }; + }; + home = { # Install these packages for my user packages = with pkgs; [ @@ -19,6 +60,8 @@ with config; brightnessctl prusa-slicer bitwarden + yubioath-flutter + yubikey-manager-qt bat dbus @@ -28,6 +71,7 @@ with config; python3 fzf ripgrep + flyctl # fly.io control line ]; diff --git a/nixos/hosts/bootstrap/configuration.nix b/nixos/hosts/bootstrap/configuration.nix index 6ba6aa7..cfc2294 100644 --- a/nixos/hosts/bootstrap/configuration.nix +++ b/nixos/hosts/bootstrap/configuration.nix @@ -101,7 +101,7 @@ # TODO Harden SSH services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ + users.users.truxnell.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home" ]; diff --git a/nixos/hosts/citadel/default.nix b/nixos/hosts/citadel/default.nix index 35e7ff2..eb5a2b9 100644 --- a/nixos/hosts/citadel/default.nix +++ b/nixos/hosts/citadel/default.nix 
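Review bot: Every new `matchBlocks` entry repeats `port = 22;` and `identityFile = "~/.ssh/id_ed25519";`, so adding a host means copying five lines and a future key change touches six places. A small local helper reduces each host to what actually differs, e.g. `let mkHost = extra: { port = 22; identityFile = "~/.ssh/id_ed25519"; } // extra; in` with `pikvm = mkHost { hostname = "pikvm"; user = "root"; };`. The `myHome.security` attrset closes inside the hunk, but the enclosing `with config; { ... }` body continues past it.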
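Review bot: Moving the authorized key from `root` to `truxnell` is the right direction, but the `# TODO Harden SSH` above `services.openssh.enable = true;` is still open: nothing in the hunk turns off password or root login, so the bootstrap image still accepts both. If the intent is key-only access for the new user, `services.openssh.settings = { PasswordAuthentication = false; PermitRootLogin = "no"; };` next to the `enable` line closes that gap and lets the TODO be removed. The rest of the bootstrap configuration is outside the hunk.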
@@ -14,6 +14,11 @@ security.wheelNeedsSudoPassword = false; }; + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + networking.hostName = "citadel"; # Define your hostname. fileSystems."/" = diff --git a/nixos/hosts/rickenbacker/default.nix b/nixos/hosts/rickenbacker/default.nix index 96771a6..c6db737 100644 --- a/nixos/hosts/rickenbacker/default.nix +++ b/nixos/hosts/rickenbacker/default.nix @@ -11,6 +11,7 @@ services.openssh.enable = true; security.wheelNeedsSudoPassword = false; }; + mySystem.services.traefik.enable = true; # TODO build this in from flake host names networking.hostName = "rickenbacker"; diff --git a/nixos/hosts/shodan/default.nix b/nixos/hosts/shodan/default.nix new file mode 100644 index 0000000..cf526d9 --- /dev/null +++ b/nixos/hosts/shodan/default.nix 
@@ -0,0 +1,59 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). +{ config +, lib +, pkgs +, ... +}: { + imports = [ + + + ]; + + mySystem.services = { + openssh.enable = true; + cockpit.enable = true; + podman.enable = true; + }; + + boot = { + + initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + initrd.kernelModules = [ ]; + kernelModules = [ ]; + extraModulePackages = [ ]; + + # for managing/mounting ntfs + supportedFilesystems = [ "ntfs" ]; + + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + # why not ensure we can memtest workstatons easily? + grub.memtest86.enable = true; + + }; + }; + + networking.hostName = "shodan"; # Define your hostname. + networking.useDHCP = lib.mkDefault true; + + fileSystems."/" = + { + device = "/dev/disk/by-uuid/2e843998-f409-4ccc-bc7c-07099ee0e936"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/12CE-A600"; + fsType = "vfat"; + }; + + swapDevices = + [{ device = "/dev/disk/by-uuid/0ae2765b-f3f4-4b1a-8ea6-599f37504d70"; }]; + + + +} diff --git a/nixos/modules/nixos/containers/default.nix b/nixos/modules/nixos/containers/default.nix new file mode 100644 index 0000000..bd2fdff --- /dev/null +++ b/nixos/modules/nixos/containers/default.nix 
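Review bot: `imports = [ ];` with two blank lines inside it, plus the unused `config` and `pkgs` arguments, read as template leftovers rather than intent; drop them (`{ lib, ... }:`) or fill the list in. The header comment is the stock `configuration.nix` boilerplate and says nothing about what `shodan` is; a single line such as `# shodan: test node running cockpit + podman (see mySystem.services below)`, taken from the commit message, would orient the next reader. The hardware block (`initrd.availableKernelModules`, the `fileSystems` UUIDs, `swapDevices`) is the kind of content usually kept in a generated `hardware-configuration.nix`, which would keep this file to role and service choices.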
@@ -0,0 +1,49 @@ +{ lib +, config +, pkgs +, ... +}: + +with lib; +# let +# cfg = config.mySystem.xx.yy; +# in +{ + + imports = [ + ./traefik + ]; + + options.myLab.containers.fileRoot = mkOption { + type = lib.types.str; + description = "root file path for containers"; + default = "/persistence/containers/"; + }; + + # Email + options.myLab.email.adminFromAddr = mkOption { + type = lib.types.str; + description = "From address for admin emails"; + default = ""; + }; + options.myLab.email.adminToAddr = mkOption { + type = lib.types.str; + description = "Address for admin emails to be sent to"; + default = "admin@trux.dev"; + }; + options.myLab.email.smtpServer = mkOption { + type = lib.types.str; + description = "SMTP server address"; + default = ""; + }; + + config = mkIf cfg.enable { + + # CONFIG HERE + myLab.email.adminFromAddr = "admin@trux.dev"; + myLab.email.smtpServer = "dns02"; # forwards to maddy relay + + }; + + +} diff --git a/nixos/modules/nixos/containers/traefik/default.nix b/nixos/modules/nixos/containers/traefik/default.nix new file mode 100644 index 0000000..5092d67 --- /dev/null +++ b/nixos/modules/nixos/containers/traefik/default.nix 
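Review bot: `config = mkIf cfg.enable { ... }` references `cfg`, but the `let cfg = ...; in` above it is commented out and no `enable` option is declared, so as far as I can see `cfg` is an unbound variable and evaluation fails on every host as soon as `./containers` is imported — which `nixos/modules/nixos/default.nix` now does in the same commit. Either declare `options.myLab.containers.enable = mkEnableOption "container stack";` and restore `let cfg = config.myLab.containers; in`, or drop the `mkIf` and make the `myLab.email.*` assignments unconditional. Note also that `myLab.email.adminFromAddr` gets `default = ""` in its option and is then set to `"admin@trux.dev"` in `config`; one of the two is redundant and the option default could simply carry the value.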
@@ -0,0 +1,84 @@ +{ config, lib, vars, networksLocal, ... }: +let + internalIP = "0.0.0.0"; # TODO fix + directories = [ + "${config.myLab.containers.fileRoot}/traefik" + ]; + files = [ + "${config.myLab.containers.fileRoot}/traefik/acme.json" + ]; + cfg = config.myLab.containers.traefik; +in +{ + + options.myLab.containers.traefik.enable = lib.mkEnableOption "Traefik container"; + + config = lib.mkIf cfg.enable { + + networking.firewall.allowedTCPPorts = [ 9091 ]; + + sops.secrets.authelia-jwt = { owner = config.systemd.services.authelia-default.serviceConfig.User; }; + sops.secrets.authelia-sek = { owner = config.systemd.services.authelia-default.serviceConfig.User; }; + + services.authelia.instances.default = { + enable = true; + secrets = { + jwtSecretFile = config.sops.secrets.authelia-jwt.path; + storageEncryptionKeyFile = config.sops.secrets.authelia-sek.path; + }; + settings = { + log.level = "debug"; + theme = "dark"; + default_2fa_method = "totp"; + default_redirection_url = "https://passport.notohh.dev/"; + authentication_backend = { + file.path = "/var/lib/authelia-default/user.yml"; + }; + session = { + domain = "notohh.dev"; + expiration = 3600; + inactivity = 300; + }; + totp = { + issuer = "authelia.com"; + disable = false; + algorithm = "sha1"; + digits = 6; + period = 30; + skew = 1; + secret_size = 32; + }; + server = { + host = "0.0.0.0"; + port = 9091; + }; + access_control = { + default_policy = "deny"; + rules = [ + { + domain = "notohh.dev"; + policy = "bypass"; + } + ]; + }; + regulation = { + max_retries = 3; + find_time = 120; + ban_time = 300; + }; + notifier.filesystem = { + filename = "/var/lib/authelia-default/notif.txt"; + }; + storage.postgres = { + host = "192.168.1.211"; + port = 5432; + database = "authelia"; + schema = "public"; + username = "authelia"; + password = "authelia"; + }; + }; + }; + + }; +} diff --git a/nixos/modules/nixos/de/gnome.nix b/nixos/modules/nixos/de/gnome.nix index c7563e8..18293b5 100644 
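Review bot: `storage.postgres.password = "authelia";` places a database credential in the Nix store, which is world-readable, and the neighbouring literals (`default_redirection_url = "https://passport.notohh.dev/"`, `session.domain = "notohh.dev"`, `host = "192.168.1.211"`, `log.level = "debug"`) look like a block copied from someone else's configuration rather than values for this lab. The password should come from a sops secret the way `jwtSecretFile`/`storageEncryptionKeyFile` already do — Authelia accepts `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE`, which can be set through the instance's `environmentVariables` — or the postgres block should be left out until it is real, and the domain, URL and host values need replacing with this repository's own before `cfg.enable` is ever set. Finally the option is described as `"Traefik container"` while the body configures Authelia and never uses `internalIP`, `directories`, `files`, `vars` or `networksLocal`; the option name and the unused bindings should agree with what the module actually does.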
--- a/nixos/modules/nixos/de/gnome.nix
+++ b/nixos/modules/nixos/de/gnome.nix
@@ -10,30 +10,70 @@ let in { options.mySystem.de.gnome.enable = mkEnableOption "GNOME"; + options.mySystem.de.gnome.systrayicons = mkEnableOption "Enable systray icons" // { default = true; }; + options.mySystem.de.gnome.gsconnect = mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // { default = true; }; + config = mkIf cfg.enable { # Ref: https://nixos.wiki/wiki/GNOME # GNOME plz - services.xserver = { - enable = true; - displayManager = - { - gdm.enable = true; - defaultSession = "gnome"; # TODO move to config overlay + services = { + xserver = { + enable = true; + displayManager = + { + gdm.enable = true; + defaultSession = "gnome"; # TODO move to config overlay - autoLogin.enable = true; - autoLogin.user = "truxnell"; # TODO move to config overlay + autoLogin.enable = true; + autoLogin.user = "truxnell"; # TODO move to config overlay + }; + desktopManager = { + # GNOME + gnome.enable = true; }; - desktopManager = { - # GNOME - gnome.enable = true; - }; - layout = "us"; # `localctl` will give you + layout = "us"; # `localctl` will give you + }; + udev.packages = optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator + + }; + # systyray icons + + + # extra pkgs and extensions + environment = { + systemPackages = with pkgs; [ + wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt + playerctl # gsconnect play/pause command + pamixer # gcsconnect volume control + gnome.gnome-tweaks + gnome.dconf-editor + + # This installs the extension packages, but + # dont forget to enable them per-user in dconf settings -> "org/gnome/shell" + gnomeExtensions.vitals + gnomeExtensions.caffeine + gnomeExtensions.spotify-tray + gnomeExtensions.dash-to-dock + + ] + ++ optionals cfg.systrayicons [ pkgs.gnomeExtensions.appindicator ]; + }; + + # enable gsconnect + # this method also opens the firewall ports required when enable = true + programs.kdeconnect = mkIf + cfg.gsconnect + { + enable = true; + package = 
pkgs.gnomeExtensions.gsconnect; + }; + # GNOME connection to browsers - requires flag on browser as well services.gnome.gnome-browser-connector.enable = lib.any (user: user.programs.firefox.enable) @@ -48,6 +88,7 @@ in # TODO tidy this # port forward for GNOME when using RDP***REMOVED*** + # for RDP TODO make this a flag if RDP is enabled per host networking.firewall.allowedTCPPorts = [ 3389 ]; diff --git a/nixos/modules/nixos/default.nix b/nixos/modules/nixos/default.nix index 08ba128..5c3ca35 100644 --- a/nixos/modules/nixos/default.nix +++ b/nixos/modules/nixos/default.nix @@ -6,6 +6,7 @@ ./browser ./de ./editor - + ./containers + ./hardware ]; } diff --git a/nixos/modules/nixos/hardware/default.nix b/nixos/modules/nixos/hardware/default.nix new file mode 100644 index 0000000..efa0833 --- /dev/null +++ b/nixos/modules/nixos/hardware/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./nvidia + ]; +} diff --git a/nixos/modules/nixos/hardware/nvidia/default.nix b/nixos/modules/nixos/hardware/nvidia/default.nix new file mode 100644 index 0000000..0d9a4e0 --- /dev/null +++ b/nixos/modules/nixos/hardware/nvidia/default.nix 
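Review bot: `mkEnableOption "Enable systray icons"` and `mkEnableOption "Enable gsconnect (KDEConnect for GNOME)"` yield the descriptions "Whether to enable Enable systray icons." and "Whether to enable Enable gsconnect …", because `mkEnableOption` prepends "Whether to enable" itself; use `mkEnableOption "systray icons (appindicator support)"` and `mkEnableOption "gsconnect (KDEConnect for GNOME)"`. The stray `# systyray icons` comment followed by two blank lines below `services` no longer labels anything (the `udev.packages` line already carries `# support appindicator`) and can go. The `config = mkIf cfg.enable {` block this hunk edits continues past the hunk.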
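Review bot: `networking.firewall.allowedTCPPorts = [ 3389 ];` still opens the RDP port on every host that enables GNOME, and the added `# for RDP TODO make this a flag …` line only restates the existing TODO; the `***REMOVED***` token in the comment above it looks like residue from a history-rewrite tool and should be cleaned up rather than carried forward. The module already has per-feature flags, so the same pattern fits here: `options.mySystem.de.gnome.rdp = mkEnableOption "GNOME remote desktop (opens TCP 3389)";` alongside the other options and `networking.firewall.allowedTCPPorts = optionals cfg.rdp [ 3389 ];`. The option declarations live in the earlier hunk of this file, and the block around the firewall line starts and ends outside this hunk.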
@@ -0,0 +1,62 @@ +{ lib +, config +, pkgs +, ... +}: +with lib; +let + cfg = config.mySystem.hardware.nvidia; +in +{ + options.mySystem.hardware.nvidia.enable = mkEnableOption "NVIDIA config"; + + config = mkIf cfg.enable { + + # ref: https://nixos.wiki/wiki/Nvidia + # Enable OpenGL + hardware.opengl = { + enable = true; + driSupport = true; + driSupport32Bit = true; + }; + + # This is for the benefit of VSCODE running natively in wayland + environment.sessionVariables.NIXOS_OZONE_WL = "1"; + + hardware.nvidia = { + + # Modesetting is required. + modesetting.enable = true; + + # Nvidia power management. Experimental, and can cause sleep/suspend to fail. + # Enable this if you have graphical corruption issues or application crashes after waking + # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead + # of just the bare essentials. + powerManagement.enable = false; + + # Fine-grained power management. Turns off GPU when not in use. + # Experimental and only works on modern Nvidia GPUs (Turing or newer). + powerManagement.finegrained = false; + + # Use the NVidia open source kernel module (not to be confused with the + # independent third-party "nouveau" open source driver). + # Support is limited to the Turing and later architectures. Full list of + # supported GPUs is at: + # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus + # Only available from driver 515.43.04+ + # Currently alpha-quality/buggy, so false is currently the recommended setting. + open = false; + + # Enable the Nvidia settings menu, + # accessible via `nvidia-settings`. + nvidiaSettings = true; + + # Optionally, you may need to select the appropriate driver version for your specific GPU. + package = config.boot.kernelPackages.nvidiaPackages.stable; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + + + }; +} 
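Review bot: `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";` and `environment.sessionVariables.NIXOS_OZONE_WL = "1";` are not NVIDIA settings — the first is a platform choice that belongs in the host or the `hw-generic-x86.nix` profile this commit adds, and the second, by its own comment, is about running VS Code natively on Wayland — so enabling `mySystem.hardware.nvidia` silently changes unrelated host behaviour. Keep this module to `hardware.opengl` and `hardware.nvidia` and move the two lines to where the platform and desktop configuration is assembled. The copied upstream comments on `powerManagement` and `open` are fine to keep; a one-line note above `package = config.boot.kernelPackages.nvidiaPackages.stable;` saying why `stable` was picked over `production`/`beta` would be the one piece of local knowledge worth adding.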
diff --git a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml
index 0116550..146fa65 100644
--- a/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml
+++ b/nixos/modules/nixos/services/cloudflare-dyndns/cloudflare-dyndns.sops.yaml
@@ -1,70 +1,61 @@ system: networking: - #ENC[AES256_GCM,data:y2k8WKDdMW/+lCc7OnJTPd21DZFkjXqRSDRuIHTvN3p8AZ0KB0ERjf5/Fzpgq9wRjktcGMfFRzl9AaLN0DNXLseV5hoeX8pzXrZddA==,iv:hMuTiccA2PSUKGK5bZ9YCGHYgj58+TMbid7/FOXqK6A=,tag:B9A3H4ssQsi3aD/bUvh8IA==,type:comment] + #ENC[AES256_GCM,data:UGDccdo5xL48r9VxuaY9QR2jfIdVZ0EZ84SKRO8dyZe7SIhvFUpX2tCEzVUMNPuDgXqoBSvWOP9WTEveunH56GknlOQdhZOYMb7T9Q==,iv:PLaSHpZRCu5xNsmWtz5UY+nTGGPow1YLppKZiZJz/9c=,tag:cePl/udz3BNSjVPqGVpmLg==,type:comment] cloudflare-dyndns: - apiTokenFile: ENC[AES256_GCM,data:AQA6X+GoPgudn+qwGpNnX3PmWNfgYFuvYGbthoOXPTiAs54oPrH6XGyFjGS5skqe9vypjPbl/Zj+z8q4rLGKrZt9cgF5JywoS2pyjscDW9QI74mAS6bcH8eJ/PMLopDYybKEMS8w1cMeGP5J46Uhg2HLJA==,iv:vjzMXBt9NbFcoqzpew/s/h1OXNWEnDLY0JuyASvbojM=,tag:8Ca+0ieZUZ9Wk9Q2UigF0A==,type:str] + apiTokenFile: ENC[AES256_GCM,data:6CggP0liJTWfD9HnpD6ALf7a9smRNEbuOYsyU6HnFqDtZj4U/mYzG+9fAv/SM+DYl7eSCdF2xzINyAbAVl6j8g2utEkRiitGEVv29vaQSpIBUFrjl4vJgw/AyXdB9r5fR6XXpc6baeO3ctsjaUmlgRxGmQ==,iv:YYh5sZVwJVKKnuTEbNujm3yL16gfL98pEnwU9ZX8618=,tag:162cpSSAdAZoOiAwPbFlTg==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eHR0VlFlL21SNzJJQ2F0 - UUJ3Vy9mem0veTJlV3FKbVNGd1htRHNOQkI4Ckd3QXk5bVR0WmNkaXZUZXBZY0px - NTJJZ3NKRDBLZTRJd2xOZ0pBazk2SFEKLS0tIG1zQTlCcUFSUUthaUxLeHlyZWpQ - NXBYeUx6bmYwSXFrZlNmZitYM1ZlK28KvKU5iig3qg1tGOX8jDsXjXJ9ly8cP+4y - tcsCDuQWxiJ2v2U4FD47iRs2IfxZadYGJM2nOToOKHnuTTSpvNXAVQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZzEyRkZZbTcvOVRLU3JH - bWZ4eXdUZlAxQjNkN2c1SzNiQVdkWU1FR24wClYwVjdGYm1xditOYWxIMGNmVDFr - cXZLdHhqOS9yNHEzQ29aKzVCNU5uMWMKLS0tIHoveWJmcS80MENxSnVXNlpJN0lx - bFNWU3dUTXFkMDZaWjUxWVlVd2x6dkUKKEBaUX/euYu9VEzhudWs4PUb+xVvpjQQ - 
GoOcFJvp+A60X2pK5mDxzgyWWudr+ZjiQNn3A/6XE4KfLhzmmI5Bsg== - -----END AGE ENCRYPTED FILE----- - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSkNCTFZaSTYyYjRwN0lP - Qzd4R3krZVJlREtueHlqUTBPRTNhcU5ORVNzCmdkYWFUQWRNajB4UEc3bzA2anIr - cm92alRQUWI0UDR2T0c5OTVhZ1hRQ0UKLS0tIFkxUHl1c3psYU1CTUI2NEpmL1hR - VnVacXZDQ3UyR1VoVGVQUzdteDRXRUUKkK9LP5sCjS2t2M+tftUqBh8jqwjmfKU6 - HsIaMzELohiV5/91iq5FlIArQe7F5KFQfY3vRfYuh26I6zgqvVUlrA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORnZQZEI2VU9tdEQ1VkZw + aFFxaThqS2VWVVljejNxNVovMHlNc2ZUdUNvCktyT1pTRGpSK1N3MXpMNFZuVVhL + UCtINGo3SDhSNmwyRkEzVGNTVVFlTE0KLS0tIDhvaFk0SVdHNFlhRkxEb0hLdkdu + QTFCVUg5VzJzOUlRcFBlR0puNGVGNlUKpdSYWZZPKq1Vw0pR8suOqqgzxDzKWaMx + Aft/TpSuS8m6603HlTw3LUyBOnIYJCFFsGJqVBF6Q1z6U4FPAfNnlA== -----END AGE ENCRYPTED FILE----- - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NEJjblpGK2dGMmJ6OHBu - bnc0dUg0dXJROUMvQW1mOEcyWlpqb3BzUGc4CjdmT1FkaTdsRndGUXlod1cwSnpm - OFNLcjc3NlpPY2ZOMm55Y0ZFSjVpelkKLS0tIDVZV2hmMG1Qd0g1dXFEY0x0ZmhC - Y3NleUZ2azM0amdHRlplSGtvcWowd1kK+PNq8czpnC5zfwET60aQkNdcUwQopZ9W - nUX+QutTCdFoWoCKGsoQK42uXWQheHNtoPT258s2+8SBtdwLIckHgQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUzNqQ1U2aWV3WUVUZDdD + eXNhQUlBdGRndVJ1NXdXZlBNb0VvNzlFYnd3CjlRRm1FWTljL0VMbTB4M21HVDY3 + Y2oyTG50SUtIT29OZjhiZi83OCtpNm8KLS0tIFNYMkErVDFhTHhOVndQdUFHWUxZ + bG0xMG9heitnUGFNdk5ITWhKNERZbDgKX23jlQyLus3FzDQ55hIyUqqwlLbPeKxV + LJHaDfO4IOzIGrWFCwQZpCa8ZgQzUmnpqKZqvdTZuXibZEoyjV6GUA== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0T25vdlB1VGFBVGdYd3k4 - em42STFmdU9tZW9vVCtTZlBqOFZnUzFHYlZJCnJuSGk0cGlOSkQ1VzlRZ0ZONmlx - 
bXNkQ0hCaFBrMmt3dXZ2dXZzN09UVGsKLS0tIHo5bnVxcWEyQ2JkMk9qK1pxVW1S - ZnJ0R0hDVDU4WDFVS1Jka0h3b0R4bjAKcJ88Yzxn2HTqEEu0ujVMZGXJpc9jbypI - hlsDzMESTAlrZx7ZmI+nJw36RolDPRTfteHJFGI8LEx6zGXLcBp3LQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUFRMZHIyY3lFeVNnenky + bG1hdXoxSXo2akR1bGlHSHNZbzFOMGE3cW1FCjdzZUYzRFZrcXZvcTNSc3V5TE5n + T01Tem9oVDdYRlBST2tNNUpZTENOTkkKLS0tIENUdmxBajZpbFRoNXZzRVlvOVpJ + MnlaMHpGUGo1WmVMb2FsZ0o2Q3NuKzQK7n+HqB+7K6drnkNyc863wTfoohk90uWx + ehuz7kmZcdnwxpMX6hV2ynUumcVEqfR+jiUuF/eBpuPRQy/eejVm4Q== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCbmdMeGUxaGN1cTFXVlFV - dElYSkVMTm9DMGFLTDRLYzRGQ1dGaUFHSzNRCjk0bkprSHpsUjRRdnNaeWpTbG0y - T3BKK1h6VWNCMC96Y3lyQ1ZRcW9mL0kKLS0tIG5GaTI5MVkwMkNEWWcvbmZGanYz - VWIybGRha1dWWUdsaWIxOXRLZkVFNlUKLEQI3HO/7Ia7GoOJOKJVbYkDrevqh7m7 - hjMjnl4RnrcFwq46NuYyruTartHqRPBUHyXdoiMfeHNQQ7QP8A5ZHA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSExpSE1hUldqSnJoRDBj + L2xROXd3U2EvZ0xoek8ra1RqdVdaK2s5Q2dZCmdVWmJrZTc3Nis2L0NkSlJQK1pq + RmZ3aHU4YVlNcUVEemJsWGNjbEVIdUkKLS0tIEJDcmFmRUtjL3ltUjZKRmMyWW1O + VHZzVVZycld5alhKaC9BQ2dweVIweHMKF/qVYH7yvmFBVDyHb1PwJrHyP9Iq1HEg + EfiDfZK2acYkW3GsUmH0qS5v55RswYnEg+iiSMNn+Ii6mfI65bVVYw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-30T01:29:21Z" - mac: ENC[AES256_GCM,data:8Z5udmxrut2IxaP9kjP7px8CoQYNBIwIhafCWC8y1+LzOJWdITIfL3S/gW8O3xIH27gS0y2CsBSFf3fB9kF0JPapnCMLwNtA/oqNdSqx4p0Jev3mdtfaboF1kGShuDiYUIhMRVk/eiDtNojakVJiMxZzEtdo5YbgRXlfbYw6gTQ=,iv:UHOH6pAVf3VBtVvGn0HijmhbPWv6d64EESMRJkXC48o=,tag:EJfBjV6qZfGNxyCU9XzuHA==,type:str] + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaTNSWHM1eU92T2VMOXZD + b0R5Z2x3WloxOFhyMmkwQXp4U3lNM2xiZHhrCm9mcURMSmtUZ3VHd3lDbnp5dVVR + 
dHJyMkFBODMvbkpzUVl4ZUtxWmIrS1kKLS0tIHJTZ1FaYmlzUEhHWHVaWTVIRC9o + MGJLdkJpTkFGclRSZlBOOTVKd3BOa2sKbRf0BdD35bZpr8ESX1+NZ6rWxdI+x7fo + A6cIx6j8fVXvsKEipO3r4wSTqWhnY+DMzH9ZPGE5J74sx98DYVm6ig== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-01T00:26:19Z" + mac: ENC[AES256_GCM,data:U21XeE4vqc96mBq1qmjpMfDZVJZQEXwpHTEjVd4lmbam8XTv5kxK8zYWlDN8WTMqKeYHnInvEdmKnXL+NDt6lDjoDl/97/dUoWJ2xNTBOlJb6C2n11GE+ppzgZBQMj9oWr5IuQ8jiSfTYOF3/zT/sh8SSWmooQ2CrS/B3PyjmwA=,iv:9+Na88c3woPLZcawxH+mFg03Hf8oCaILdRya1CwRMEQ=,tag:eDuSLJtkLzvk+N1ncc/jwQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/cockpit/default.nix b/nixos/modules/nixos/services/cockpit/default.nix new file mode 100644 index 0000000..7c87ca2 --- /dev/null +++ b/nixos/modules/nixos/services/cockpit/default.nix @@ -0,0 +1,21 @@ +{ lib +, config +, pkgs +, ... +}: + +with lib; +let + cfg = config.mySystem.services.cockpit; +in +{ + options.mySystem.services.cockpit.enable = mkEnableOption "Cockpit"; + + config = mkIf cfg.enable { + services.cockpit.enable = true; + services.cockpit.openFirewall = true; + + }; + + +} diff --git a/nixos/modules/nixos/services/default.nix b/nixos/modules/nixos/services/default.nix index 7871bb5..ebc2007 100644 --- a/nixos/modules/nixos/services/default.nix +++ b/nixos/modules/nixos/services/default.nix @@ -5,5 +5,9 @@ ./cloudflare-dyndns ./maddy ./dnscrypt-proxy2 + ./cockpit + ./podman + ./traefik + ./nfs ]; } diff --git a/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml index 67436a2..50ea825 100644 --- a/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml +++ b/nixos/modules/nixos/services/dnscrypt-proxy2/dnscrypt-proxy2.sops.yaml 
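Review bot: `services.cockpit.openFirewall = true;` is hard-wired, so enabling `mySystem.services.cockpit` on any host also opens Cockpit's listening port on every interface the firewall covers, with no way from the host file to keep the web console LAN- or VPN-only. A second flag keeps that decision with the host: `openFirewall = mkOption { type = types.bool; default = true; description = "Open the firewall port for Cockpit"; };` under `options.mySystem.services.cockpit`, and `services.cockpit.openFirewall = cfg.openFirewall;` in `config`. The `pkgs` argument is unused and can be dropped from the module signature.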
@@ -1,69 +1,60 @@ system: networking: dnscrypt-proxy2: - forwarding-rules: ENC[AES256_GCM,data:qM6Y19pynqVruwgV7KhRfS1klhsZChZqpVxx0mV1PXSAyTf+9uiVCmpst7ZYIOzOeri4DnG2Pi1L2aOs93tsH7UnbLyKMs0qHO0y5T30clzBclw+VmjGUXJ3iwX0vL9o3fYXZ/WEfZd1vclgKqJmjwNIhqXdf+iYwm/Vlhe6Ib1cb8qUh3H0QqSARwmPw+5ffPjTBRdp+MAu8ZH+9s0lbXipk1l/YoBsd0qs6ID1D8ahTXLaUKabuE4a462Qjat0cx7b88Psam/AxqQXTbujCxAbO9t6rzPgTW79GURoIVddoURPEfWUX+7125RH4bHHZd4dQWPee1d89ikmPIG65x6mGRlI073gGP07x+uNXyvcQVG4GabiJ1xOzlnzT5obySYuH/JKhYMR8meTCQGQKJyCaFjPfOWQYkEHt8xd4/hg3zlC8H+a44th9tNadif0rys3LSx+ltyyEbYyqU6U5vs=,iv:ApcoDgN5uLjqFmWbYZoL21GlKkUwkqRcVxXm20/q8GI=,tag:TxYTmEGcf+183CyzH5cfiQ==,type:str] + forwarding-rules: ENC[AES256_GCM,data:I2MOqXfru2V2NDcrMfy8rwjIHKjt8ujk0GpGZRZgPRJv76P0jONja4Ft2b5j53CaM0A0dYHKc4A8ZbZgNzesVEvb5TK+wtQXziST7phRpJOpVPZjgHw3H8HD0l6mX7UmnIbv69e85UELG8Mv3DW7cRHCReelmec27+JNjhjhGUuyiNLdRxCS59D8P3p5Tdci1gMclbeXv+qv2VlWq8eIGMc5w6+0F4vVA9lhGUmWQLORtFOPLSmBn9xtx1R2Bm/itAzG+qJngAaF6o1Zm+lHvCydaddF/YJnsxk+EzwLS2RCb3+noE8cyS3S+eVCpSFmrtYB1MNREEZpBA+fXdkqSKVsNwCUgo2WJY78bPocNwQB9D/kuTnvILba8bC1pVdUH+xo0Ww7LS7j5+bp7xs9qwC9FRKgYKNReSoQn993R8n6VlqtJyqFLXtL55yIp+HSlu16jFiDP4rGjZtkxLQ21Y4=,iv:Jk4JLRzBYEIhoxgsRMXjvDNHVinuR0xjxTVTvED6lFo=,tag:4ILaKfjKM1r6MhYrOyU+Jg==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2c2dSOEIrUUtpbFNUb3Rj - TlIyOU9EQlJCVTB4WFNjWDAwVGVpMUluV25vCnpvaXVqckIrUit6Q2NGb3Q5bnF0 - ZG9JRy9VdVRLS0J3Vys4UEFZcndRU28KLS0tIGlIcFpMYXIzOEVBZ3cvbVJ2MFBl - cWtPNHRmSDNUVXJ3NUVPN3crYUVRREEKQxhNUNBYizl6qNo/JKdHeOLAn6/V2xfA - sHtn9fq0lhpWQ5oaSUOP9GHZVhEkP+fRJfK+QULEiR52zr2pYj8jMA== - -----END AGE ENCRYPTED FILE----- - - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrajZoNzE4VWhCK0E3aHNq - 
RUZ0TFFMejNjUmhSS2lZQnR0RHhZUzAwcERNCndUYnFPZnhuelptVUNaUWdkTWFk - R05mcXE3REcrNEJndGphTXhESW8vam8KLS0tIFMzSXFBUEY4N0d5eWN3b3IvQnFV - K21tS3FnbWZsRHVyZHI5d1NyN3c0b0kKfHq1QUZwgmIA/3cHOJuTWN99hwm2kI1p - emBoeNukVvjOgqUCEBG/O4GMHlc6BmmimnSiULg65eIyFEAdLOsBOA== - -----END AGE ENCRYPTED FILE----- - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmZVExakR2VUVCODVoZ0tm - WnBsNXdjTXVRejFBUzVLN0s3aGgzV2pJb2pzCmpTdnhpb2h0c25TdDBSemxHS2xh - ekR0QlJLUk9JY3VqTzJVSWdZa0UrYW8KLS0tIGFjVmxDbjdXdHptK1RxZCtxcDFR - NUxNNUtkQzlvTHhadS9JelFOSWI4ODQKdFjY8uyoOrRXa37M3d6qqY5zsB6UxOLv - d/hfiFATBbGGdj5B3AyQV8yIWTBt+k9og7wh8GVhzrkje5eJx3qMqA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbkZmSGlyMTJ6RjlGWENX + SUc3SU1MbGZMVmRuUWJIb2xQQlA5UFdGeDBZCmp3Y2o1Lzc4TnR4RXJTa1Rxdk5w + LzFFbUx2Q25QZUk3bklDVEVOajdPYk0KLS0tIHlBalM2RlFKQ1NKNFZHVXFUQWtV + VDNnQkp6ZTkwSW1peXJJTVN6TGtxYVkKDCpef2RICaAf1mSkW9V8i7siPP+gXa5r + SNOlY5EDDU9wQ54GEWJHMz7kzaAAPQH4hXz1JdoO+Z2P2yr7pLdjAg== -----END AGE ENCRYPTED FILE----- - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1OGxhc054cTh1VU55eUtE - aklYUVI3RUhYdy9WdzhMV2dkU0FYZi9uakEwCkFPQ2lVeDNEcXVvRUV2czI5M1dS - d3g2R29YRHJpMXRWMlZxT25JazBab2cKLS0tIExPYWhZUktycmtNMndXVFlHcnNH - U2RXdlk0VThxb0hYOTR6U3dTZW5RNHcKy4iJe/O5O00Otvf7bh48+cCbhEhctu69 - zzrNyHgd7T1cCTd1YdgR+cuwqBLDW1br8ATh8w6Fj41gtvB8mrzXVw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVk5jeklpdEhLTERqWnhO + ZkZsRytWNk1MUlBrSW8xTlpOOW5xWUZlbnpZClhKNDRRTE0yWXNnRHljckIzM2tY + OVlWWlYxVGNFcitORFdmbnlUTkJkZ2sKLS0tIEFETndzSktuYlpmK3NmL2Q1L3A5 + NzJLa2ZuUHppOExxZGhnandMRHR0N0kK/zHkmxJIFH5D88z92QkKrDrGApj2QGoU + LkvIOSgGjEy2juzsGsjVJdu/61g7iaGO6IpHktuniyEgwnLwn+ApOw== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN 
AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNVFaYU1jZDhHbGRndWtZ - aS9wNnpWanBxc3Jtc1lsNXZRVGR5bDhyRXprCkVhWEIzT3JHcjFueDM0emlobFVD - dTBqUXNnaTBMUk1sZlJ2a09SWHhQbzAKLS0tIHV0WS9TcmYxR043S1ExZHhsc3pl - ZFRDOWhGbmlwR2hqT0swVm5RQWdxZjQK/kWd22+oqeZ3jVgpFiJYJbdbhnOTVTSg - lBw1CGoxXlHgXMjjbAQVdFk7n8uLxIjhcV3WZyFVAYdEQ+QQUmXUyw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVSDNpQ0ZBS3FqZlFKelVr + NGRYdW9QNVA0THVLdGdQZElRVndmcmFoMzE4CmVUcVlLdGZuYi9XU0YydFNWLzBD + M3pLWmlDV0Vld3k2SXoyRkJ6a1hIWVEKLS0tIHJQamFiZklzby9UQlROVTFPT0tt + dnhReTcxeDE0NE1RNWRMN3JCOXVMTFkK8koum0Wlxgo52yDTRYCRFToQw16+iXFu + +bzDHf9DjqvZzkZH2gEeS33meexZxyUcD/nWUQvyNcbhVO49tIb90w== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPZ2lWY0FiYytiM1YvRmox - NDIwVlpNWWx4L0p5MTA4N214a0lqTGhjaHg0CmtwSGZxWTRrcDBiaEVNUUZNMmM4 - VFd2Tm95Z2dTemtkLzY1WmdSUllBRjAKLS0tIFpqTDhXTW1mZ1FwYVZxbEZNdjRL - YTNLREliQjJudW4rZCt3VzZYMGhoUFUKvMQEXnUNDd/RBv/zo+05d/znEZqaWONj - BjisOFvPYDodU/hUYGCxrdiKx4CxMhrtOjZjVxF25BMbH7m+XeNLHw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSR3M5VG9GaDkyK21wOVda + WnluaERvelJ6bS9raS9DLzBCMXc1S1g1djBRCmhWYVdFeEY0bmpKSnN2bjBOKzQ4 + ckpoNGNmY0hLSTRBT2txQnEyY0hBTGsKLS0tIHY3NWN4RjRJVkdlN3JrS2krZXdn + UVNSN29uQlh4WEVRVWd0a1FBNGY4VjQKMG2zUS+jehQGNo1OI2gQF0InKDzd15PM + wyyitNB3Lh5JViREQHbYe2DrDA15W6iV5bTIzzf9zToR6+ouRBgzFA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-30T01:29:21Z" - mac: ENC[AES256_GCM,data:j/ofDZ5Ky8xGkQU5ciGDPWDO8WchRl7ii4aWKhLZsPRojCYDEq7uQEKVeXl8QRjeDpFiFsGVlapKpLKbdCnANxHFgwPDR4sM+cBgqP5IRagTYo+4PyXNz7gjeVDnboB0rI80TrSd9uWcBU+1mkSuzLlUiXZQ2Uo00Tnkf7xIcBk=,iv:HX4//Q5uNbLfUePXGQOjt+zuFqPL3iTl9zRD8tGZXWU=,tag:cQccCSJ2QRQA5hy/LQFgTQ==,type:str] + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcnd3d2JoWWtldXVQc0sr + bEkrYXN3OXVGZWFLNHlPenQ0eW1ISjNKK1ZRCjdxUWI0bUttRzlUOHRrZFhpd2Fq + TjFmWTNBWFJFOWluam9vOEQwNEVHQ2sKLS0tIFJlTFp0Z2VVRm02OGp2R0IwTUdT + dkEybVp1OEhZR0JURFJqRW5nSURxME0KZcZj9YFuSvqM5bXbZQy44t4630p2aaAw + H/yhO37jNToYUpmsbpCEYcZPfjkHkc/gKPyTcKSsUFusQAds1q6/Cg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-01T00:26:19Z" + mac: ENC[AES256_GCM,data:+bAkGkkh+sPnZlG+E8+5/tZxX3W6yBTB/mSUeHKsEjv2ymo4HU5Vdef3iw4xnLBK/Kh94R0AQLd/jRJ8034Z07qBjCHttl9k5tRWyG1qZeEzZX8OOggig3PuiLv9hE0fJ+D0MX7rDy6XMyUDmaB46/TKiYPmlh8WOCB4yjjRr+Q=,iv:CsRGS8swKLEy0x3njmY+ExICDp97P9xdg0ERLonRKoQ=,tag:GYJIMpWXnOcktIL8GMUYfQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/maddy/maddy.sops.yaml b/nixos/modules/nixos/services/maddy/maddy.sops.yaml index 0eff13f..805b337 100644 --- a/nixos/modules/nixos/services/maddy/maddy.sops.yaml +++ b/nixos/modules/nixos/services/maddy/maddy.sops.yaml 
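Review bot: Two age recipients (`age1d3qtnwd…` and `age16mwx76…`) are removed and `age1j2r8myp…` added, and the `forwarding-rules` ciphertext is re-encrypted, but nothing in the commit says why the two keys were dropped. Removing a recipient and rotating the data key does not revoke anything already in git history: every earlier revision of this file remains decryptable with the removed keys, so if those keys were retired because a host was decommissioned or a key may have been exposed, the underlying secret values should be changed too, not just the encryption key. The same applies to the maddy `envFile` re-encrypted in this commit, which is more likely to hold real credentials. A one-line note in the commit message or next to the recipient list in `.sops.yaml` naming the reason for the key change would make this auditable later.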
@@ -1,69 +1,60 @@ system: mail: maddy: - envFile: ENC[AES256_GCM,data:Wo+iP0IzT71mtQwTX8u4klf+Jw126+ovm3neZKlRKDxXt2GT1TR7DTXzdUIskhfVyXSS5K8VbHb/+vZgDJ8jqoIGRxd3CSnH/f5zevHzPgz8LOpXc+4pVDqQzuTqS2XFI9JPLZpiXmcrJ0aSGeupTK1vkS+KvezJNbtRCar+uRVH0Cw=,iv:qK0mHWnpnDrYl+Ovc8HlmfWgLUvhHaTEXRqvkeWuMSk=,tag:Yh9jIlt2IxK68Mi2xOa0oA==,type:str] + envFile: ENC[AES256_GCM,data:43LVInxptreur8lHPNz5494OrGhe2aKqy//bDd9n4Pb9bMYnmN2hru64TpOCeKb4b7KUDrp5kWXdy9Q0njpdbdBprgKFXygVw8JuB1aDYlv9+RN2JntIa3dAhsgL26d8VC67tjsMXZUcinR69I3SfIVp0o2T45WhG4IT1rnBWX0mGug=,iv:Uy6OaCzayAqMhvFCF4Ho5Om810Qxi2yFIqmz6NU3L8Q=,tag:WizECPn2ip3dQ0gidMaHyQ==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUGhnSDc3N3M0MjY4TGsv - MkFtUGpGWGFZN1JiZ2VKTC8vUnlOd0s3bzFFCktCTDdmekhpUm1ZNzVYaUN6c1ht - czVtVXdGSGU3T0FLNGJ2Y0cwY2cyWDgKLS0tIGZTRHBBeU1DN0xtYXpzcE5aczJr - QVhRSXZOTHUvOWh0cGFOcTR5R2ZsK2cKD5fNP6Oa6W/OJck3FbYn6R5nYS2UoF8I - aOUIN98e15BaSFaOc8kmqkNZC4mKMHKaBJH2NqpbwyDP4iwLbRtP4Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMUluUk41a25heEkyUm1U - TDdPbHpvUi9hMG03RDBKTjVZSUY4K1p2ZkJNCmRqRWFDKzg0QVU0dGJtWUYzZThJ - RCtNYWtyNEJyNHMybVlTc2FoMWtmMWsKLS0tIFEzVDQySmNLTlNONHJZVWlSbm5G - cWE5bVZBN1ZmV0JkVXJXbzdldXU3ZnMK7EV7u1lewpEsurScWTKVscYMo9dmSoUl - O0kLRmRR4NEzuYzCFJ3JVaxTrPlMJM9C3Mwo3LsSDLCXSQ71JWiOZQ== - -----END AGE ENCRYPTED FILE----- - recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXd1ZFcjhkNnJXRjZPY3FO - UFVmT05CTWt1dXhjSit6QmlabHJOMTMyQW1VCjY3RTR2UGVJMFBYWlZnK29yejNw - WjRXT2NpMC9ZL1pldHRhRGk4TlAyK3cKLS0tIFgyVUhxRVh5UFdPOTRHQ0ZMMjVy - 
aUwyczEydHNnTG9KZEk2cjFNaFBOTmsKqd5MtgAJ1aKqk9Miq9ot2garqMxtFjdJ - 1IvxprhYiPCgvhYtEbPlyCKtM/kdEGCplX3BwVOvhAU8CbyNb8zyug== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcUtQcU56aGhOU3hDRis2 + bGFkUFhnT3BUSFhOWFFydnI4SmdkKzlJRlR3Cjh1MkRyS0tFeEM3bWhhNnFmSWNC + UzhSRjJiN1VpTlNJUWkvcU54T0MyR0UKLS0tIHhNNHNBaXhvaGtIdE10YUo2MnZi + VEdEczl3b2UxZldBWkVzRWZ2RzZkZHMKofrWTXa5aedNl7uVVQF3TbysG2L6mtb/ + 5hYiKHsdgPyxQWL3V727GM7xhS5Jd/O/F3Nc8zGCgCCGmBe3Uf5+nA== -----END AGE ENCRYPTED FILE----- - recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArSHp1K3UzMXRXV3ZMRDRI - dllLWGF3NG5JOExac3BXamc3ZjRzWkFobGprCloxUzRZNU1kZ29GUWhZa2pXbUtl - MDZpL3NPL1hpdGtsSjBqQWpHUndpMDAKLS0tIHJBYmJPTGRxV0V6TWJiSG9iNjNZ - SWNQSkV2SHJHSHNFc1BIMGpabXlwLzAKQSI0Yo71Rt1eUHUKZZHsrTJenq3ooB3i - 7aLQqN6jp2ZwfOPh0/HBB1HWy6AWJoWkJZb+zKXTn0v+kx9NHU43ow== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bUFTeE9sMHVBN1RmNWhj + czdaMjBjb2grTk1XWUp5emx4Q2ZsSHpIL0VjCnBVUnE2QjdTTUNON09qRkpnMEVs + SmRoUFpmMmlZSGpyVGZIV3Q0MDMvUTAKLS0tIEI1ck5ySVhWemdpdnE1NUxCZ0Zt + eWtodW5yeG9tR2xCSTNRcTFaNDRkMXMKmuIyJlHmU7gL/iqn0L55TfCZ32/LRnLz + aZ9vqWGNvXjF4UsmhC1ChI3wUaAgXGvWl0roym/d3BTDV/rrIG31Hw== -----END AGE ENCRYPTED FILE----- - recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZ2ZaQU5waXFMRW9oOFZ4 - SHZwSzBVK3lGR3czUTJKbStWSTQvVjd1NVZzClF3L2ZDTDViQXhsZThKUXA0M0ZB - SmZaYU1iTVJ3b1ZkekM0STdWZmlGSzgKLS0tIFY2a3lCUUlZM3pnRGdxSzVOSGdE - bWRpL0lvMXRRNC93eFZEaEt3TE9vTnMKhzXsQiwzuxRLKAwsgn0GMyxNQHHJQpnJ - R3dnLC5FjDnr2u4LFeMlgWVWb6sd08GlBTgBCzGujNFo+qgvTsyNUQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwcUxpSFR2WGNEMHQ0QTcz + dTYzdWhRTEdwYW5sUTFMZkZPNTRnbmFnekJvCllTOFNMTk9MTGJRWFdGaGhBUlkx + WVZDVGNWZ1BPRFVwLzVFbklyVzYzTGsKLS0tIEprLy9IQ3ZycGJySWoxRG5QdFU4 + 
azRaYnNhNzlHWFlpTGloc1JyS3dOWEUKcGY320t9R7z7wM1ebUF3QQdQzB0FMZtX + W45AWV+CWVce9qBm9OFVwluiJQD+m1BxLVxM1EmaNBBsT7PUleserg== -----END AGE ENCRYPTED FILE----- - recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcEd4OWJGVjkzWVJLNGQw - ZDkzNFd3a3VrQW9uMnIvS3ZwUmx5TGp2b0FrCkdjaEJRNVo3ZDM3TnFvRDlPRFph - V2dkUUhvYUdlSDY1TG91dlZNeCtPYmMKLS0tIG1JOWRmbFd0b2xaQkJaNjlXcjJK - KzNZbGVUVXdweTFmYXdxWm9Oa05GbDAKGB7SVhd13AukH44aGPMNx3aXxXI0iQNI - UtAwlxSakIZ2OSb6A+BJNG68Joy8dEBp23JY+l5wGnKkPNbWIYSqbg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMUROaDE2NDhzUTJYTThj + U0loNnpKUTJrWkVmeEI3Uk9tN2gzNm5ZYVVzCkhCNWcyL29SVTB5UjVnNHlrNy9Y + Z2wrd1RudnRoYjRhZUJoUzdzVm9KemcKLS0tIFQvbzUwQ0lDcko0VHRPVDRFckFk + T1RYa2J6V2FqRjUwb1ZpaHBBa2kvMncKwI9MAHNrZUD/3bEqYQ7bE65cZt9JAQ2p + s0nPt+izl384aYuEeOP2uGW7GyaSvG8sVytpyxOZ4DIAWdjzoWLxbQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-30T01:29:20Z" - mac: ENC[AES256_GCM,data:P7huPF/xSFJdbsM58kPaZqwA5LufakR9rHPQk7I4+WfKocJDxLDKknsTXvKqsEi/hnii2uFkahp+J8nTAGBjqENAdFx2ux+j++Z5dfOf/Ipl1PWZxjUKnB6SaflSja6PTsULLUl8ZiR0b6O0fitgyvaUdYsdQqVsi/VdCTTUxe8=,iv:BVmTyDkhYDW4hu5ebcytaLqAtau91KRjSg+jsHOwD5I=,tag:5sOALgUX8z0DqD0yRESerQ==,type:str] + - recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGTEZlUmlRSjRxNWdpSVY3 + TXl4SGZZYW1lVkRqa1VON3k5TWJCTjFacXhvCkxRR3RqbnBxemQzMUs1NW5EczVm + OWtTQm9zWkdiWmFGdHZKdU52aG5jQU0KLS0tIFEzellhYWFnSFJaZmRlVjlpeWNX + bTd2MExRU3Z5QzY5dEdEdzUvN2R4QzAKqOsV6f+NrCiOqELmJ5JJNnkxVKp3kQwy + MEkudjQ3tj+iw8C5tlIsixnT2Azbj3FcSAdTwPc1yRQ5WCyf6VTA5w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-01T00:26:19Z" + mac: 
ENC[AES256_GCM,data:e2S19cJ1yA3J7UAOdMR0zqUx5KMzNg+JZ46Ux21Ph/8d9CXfRo1avHwl6EtWdSaMdLUHDqwzR+7fp1NVcP/fYBOhjHLhOgV1IWBfqA1Vche2MffQyi2dPYiDX7idHsh2eW3PhhXi821YtWEqv2Rmiani9gQJTjyXJkghy5JbbHw=,iv:FNveFjSPp1byfvuKy43DUjELoUu+axuElSa3RXAdV/Y=,tag:B03Hpaib8dVcFMD16vkYmA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/nixos/modules/nixos/services/nfs/default.nix b/nixos/modules/nixos/services/nfs/default.nix new file mode 100644 index 0000000..d9be7d7 --- /dev/null +++ b/nixos/modules/nixos/services/nfs/default.nix @@ -0,0 +1,38 @@ +{ lib +, config +, pkgs +, ... +}: +with lib; +let + cfg = config.mySystem.nfs.nas; +in +{ + options.mySystem.nfs.nas.enable = mkEnableOption "Mount NAS"; + + config = mkIf cfg.enable + { + + services.rpcbind.enable = true; # needed for NFS + + environment.systemPackages = with pkgs; [ nfs-utils ]; + + systemd.mounts = [{ + type = "nfs"; + mountConfig = { + Options = "noatime"; + }; + what = "helios:/tank"; + where = "/mnt/nas"; + }]; + + systemd.automounts = [{ + wantedBy = [ "multi-user.target" ]; + automountConfig = { + TimeoutIdleSec = "600"; + }; + where = "/mnt/nas"; + }]; + + }; +} diff --git a/nixos/modules/nixos/services/podman/default.nix b/nixos/modules/nixos/services/podman/default.nix new file mode 100644 index 0000000..ecfc260 --- /dev/null +++ b/nixos/modules/nixos/services/podman/default.nix @@ -0,0 +1,30 @@ +{ lib +, config +, pkgs +, ... +}: + +with lib; +let + cfg = config.mySystem.services.podman; +in +{ + options.mySystem.services.podman.enable = mkEnableOption "Podman"; + + config = mkIf cfg.enable + { + virtualisation.podman = { + enable = true; + dockerCompat = true; + extraPackages = [ pkgs.zfs ]; + defaultNetwork.settings = { + dns_enabled = true; + }; + }; + virtualisation.oci-containers = { + backend = "podman"; + }; + networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ]; + }; + +} 
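Review bot: The NAS export is mounted with only `Options = "noatime"`, so setuid binaries and device nodes present on `helios:/tank` are honoured by this client's kernel, even though the share's contents are not under this host's control. Add `nosuid,nodev` (and `noexec` if nothing needs to execute from the share): `Options = "noatime,nosuid,nodev";`. No protocol version is pinned either, so the client negotiates whatever helios offers; pinning it (`nfsvers=4`) and, if the NAS supports it, a `sec=` mode is worth a line, since the AUTH_SYS fallback simply trusts the client's claimed UID. `what = "helios:/tank"` also resolves the NAS by bare hostname, so the mount is only as trustworthy as local name resolution — a comment stating that this is expected on the LAN would document the assumption.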
diff --git a/nixos/modules/nixos/services/traefik/default.nix b/nixos/modules/nixos/services/traefik/default.nix new file mode 100644 index 0000000..9742677 --- /dev/null +++ b/nixos/modules/nixos/services/traefik/default.nix @@ -0,0 +1,28 @@ +{ lib +, config +, pkgs +, ... +}: +with lib; +let + cfg = config.mySystem.services.traefik; +in +{ + options.mySystem.services.traefik.enable = mkEnableOption "Traefik reverse proxy"; + + config = mkIf cfg.enable { + + services.traefik = { + enable = true; + staticConfigOptions = { + api.dashboard = true; + api.insecure = true; + + serversTransport = { + # Disable backend certificate verification. + insecureSkipVerify = true; + }; + }; + }; + }; +} diff --git a/nixos/modules/nixos/template.nix b/nixos/modules/nixos/template.nix deleted file mode 100644 index 2d643b4..0000000 --- a/nixos/modules/nixos/template.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ lib -, config -, pkgs -, ... -}: - -with lib; -let - cfg = config.mySystem.xx.yy; -in -{ - options.mySystem.xx.yy.enable = mkEnableOption ""; - - config = mkIf cfg.enable { - - # CONFIG HERE - - }; - - -} diff --git a/nixos/overlays/default.nix b/nixos/overlays/default.nix index 4d53b3e..21be2ad 100644 --- a/nixos/overlays/default.nix +++ b/nixos/overlays/default.nix @@ -5,6 +5,8 @@ # deploy-rs overlay deploy-rs = inputs.deploy-rs.overlays.default; + nur = inputs.nur.overlay; + # The unstable nixpkgs set (declared in the flake inputs) will # be accessible through 'pkgs.unstable' unstable-packages = final: _prev: { diff --git a/nixos/profiles/global.nix b/nixos/profiles/global.nix index 5dfc83b..03b51f5 100644 --- a/nixos/profiles/global.nix +++ b/nixos/profiles/global.nix @@ -29,7 +29,9 @@ with lib; # But wont enable plugins globally, leave them for workstations }; - + # required for yubico + services.udev.packages = [ pkgs.yubikey-personalization ]; + services.pcscd.enable = true; networking.useDHCP = lib.mkDefault true; 
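Review bot: `api.insecure = true` serves the Traefik API and dashboard unauthenticated on its dedicated entrypoint (port 8080 by default), and `serversTransport.insecureSkipVerify = true` disables certificate verification for every backend Traefik connects to, so any TLS upstream is reduced to unauthenticated encryption; neither is gated by a further option, so every host enabling `mySystem.services.traefik` gets both. Suggest `api.insecure = false;` with the dashboard exposed through a router guarded by a basicAuth or forwardAuth middleware, and moving `insecureSkipVerify` into a named `serversTransports.<name>` that is attached only to the services that actually present self-signed certificates. At minimum the comment `# Disable backend certificate verification.` should say that it applies to all backends and why that is acceptable on this node.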
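Review bot: `nur = inputs.nur.overlay;` makes the entire Nix User Repository part of every host's package set; NUR packages are contributed by individual users and are not reviewed by nixpkgs maintainers, so anything taken from `pkgs.nur.*` is a trust-the-author dependency (the flake.lock pins a revision, but the pinned content itself is unvetted). The commit message mentions Firefox tweaks, so if NUR is only needed for a Firefox add-on set, a comment such as `# NUR: unreviewed community packages — only used for the Firefox add-on set` keeps the next person from treating it as equivalent to nixpkgs. Consider referencing the specific NUR repository attribute where it is consumed rather than relying on the global overlay.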
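Review bot: `services.pcscd.enable = true;` in the global profile starts the smart-card daemon on every host built from this flake, including headless ones, although it is only useful where a YubiKey is physically plugged in. The udev rules from `pkgs.yubikey-personalization` are harmless everywhere, but the daemon is extra running code and a local socket on machines that never see a token; moving `services.pcscd.enable` to the workstation role, or behind a `mySystem` option, keeps servers at the smaller surface. The comment `# required for yubico` would also read better as `# YubiKey: udev rules for HID access, pcscd for CCID/PIV use`, since the two lines serve different purposes.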
diff --git a/nixos/profiles/global/users.nix b/nixos/profiles/global/users.nix index 676041b..b2a5f8d 100644 --- a/nixos/profiles/global/users.nix +++ b/nixos/profiles/global/users.nix @@ -19,14 +19,14 @@ in "network" "samba-users" "docker" + "audio" # pulseaudio ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZS9J1ydflZ4iJdJgO8+vnN8nNSlEwyn9tbWU9OcysW truxnell@home" - ]; + ]; # TODO do i move to ingest github creds? # packages = [ pkgs.home-manager ]; }; - # home-manager.users.taylor = import ../../../../../home-manager/taylor_${config.networking.hostName}.nix; TODO home-manager? } diff --git a/nixos/profiles/hw-gaming-desktop.nix b/nixos/profiles/hw-gaming-desktop.nix index 86cf9c7..8cc4049 100644 --- a/nixos/profiles/hw-gaming-desktop.nix +++ b/nixos/profiles/hw-gaming-desktop.nix @@ -3,6 +3,9 @@ with lib; { + # Enable module for NVIDIA graphics + mySystem.hardware.nvidia.enable = true; + mySystem.system.packages = with pkgs; [ ntfs3g ]; 
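Review bot: The new comment `# TODO do i move to ingest github creds?` proposes sourcing authorized keys from GitHub; worth a caveat before doing it, because that makes SSH access to every host depend on the GitHub account's security and on whatever GitHub serves at fetch time. If it is done, fetch the keys at build time into the flake with a pinned hash (so a change shows up as a diff) rather than at activation or login time, and keep the literal key here as a fallback. The `"audio"` addition itself is fine for a workstation, though the comment `# pulseaudio` would be clearer as `# pulseaudio/pipewire device access on workstations` if that is the intent.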
@@ -29,46 +32,5 @@ with lib; services.xserver.videoDrivers = [ "nvidia" ]; - # ref: https://nixos.wiki/wiki/Nvidia - # Enable OpenGL - hardware.opengl = { - enable = true; - driSupport = true; - driSupport32Bit = true; - }; - - hardware.nvidia = { - - # Modesetting is required. - modesetting.enable = true; - - # Nvidia power management. Experimental, and can cause sleep/suspend to fail. - # Enable this if you have graphical corruption issues or application crashes after waking - # up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead - # of just the bare essentials. - powerManagement.enable = false; - - # Fine-grained power management. Turns off GPU when not in use. - # Experimental and only works on modern Nvidia GPUs (Turing or newer). - powerManagement.finegrained = false; - - # Use the NVidia open source kernel module (not to be confused with the - # independent third-party "nouveau" open source driver). - # Support is limited to the Turing and later architectures. Full list of - # supported GPUs is at: - # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus - # Only available from driver 515.43.04+ - # Currently alpha-quality/buggy, so false is currently the recommended setting. - open = false; - - # Enable the Nvidia settings menu, - # accessible via `nvidia-settings`. - nvidiaSettings = true; - - # Optionally, you may need to select the appropriate driver version for your specific GPU. - package = config.boot.kernelPackages.nvidiaPackages.stable; - }; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/nixos/profiles/hw-generic-x86.nix b/nixos/profiles/hw-generic-x86.nix new file mode 100644 index 0000000..cbc3be9 --- /dev/null +++ b/nixos/profiles/hw-generic-x86.nix 
@@ -0,0 +1,30 @@ +{ config, lib, pkgs, imports, boot, ... }: + +with lib; +{ + + mySystem.system.packages = with pkgs; [ + ntfs3g + ]; + + boot = { + + initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + kernelModules = [ ]; + extraModulePackages = [ ]; + + # for managing/mounting ntfs + supportedFilesystems = [ "ntfs" ]; + + loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + # why not ensure we can memtest workstatons easily? + grub.memtest86.enable = true; + + }; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + +} diff --git a/nixos/profiles/role-worstation.nix b/nixos/profiles/role-worstation.nix index 7916a5c..a793560 100644 --- a/nixos/profiles/role-worstation.nix +++ b/nixos/profiles/role-worstation.nix @@ -15,8 +15,8 @@ with config; # Lets see if fish everywhere is OK on the pi's # TODO decide if i drop to bash on pis? shell.fish.enable = true; - # But wont enable plugins globally, leave them for workstations + nfs.nas.enable = true; }; boot = {
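Review bot: `grub.memtest86.enable = true;` is the GRUB-side option, but this profile boots with `systemd-boot.enable = true;`; as far as I can tell from the NixOS module options, the entry that systemd-boot actually generates comes from `boot.loader.systemd-boot.memtest86.enable = true;`, so the comment `# why not ensure we can memtest workstatons easily?` likely does not hold — confirm on a host whether a memtest entry appears. The argument set `{ config, lib, pkgs, imports, boot, ... }:` also names `imports` and `boot`, which are not standard module arguments and are unused in the body; presumably evaluation is unaffected because unused arguments are resolved lazily, but it should be trimmed to `{ config, lib, pkgs, ... }:` to avoid suggesting they mean something. Note that memtest86 is an unfree package, so a host without `allowUnfree` would fail to build with either option.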