zuckerberg/nix-config
zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

nixpkgs-fmt everything

Browse Source
This commit is contained in:
Zuckerberg 2023-04-04 23:30:28 -06:00
parent 3c683e7b9e
commit f68a4f4431
67 changed files with 400 additions and 320 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
common/auto-update.nix
View File

@ -4,11 +4,12 @@
let
cfg = config.system.autoUpgrade;
in {
in
{
config = lib.mkIf cfg.enable {
system.autoUpgrade = {
flake = "git+https://git.neet.dev/zuckerberg/nix-config.git";
flags = [ "--recreate-lock-file" ]; # ignore lock file, just pull the latest
};
};
}
}

5
common/boot/bios.nix
View File

@ -3,7 +3,8 @@
with lib;
let
cfg = config.bios;
in {
in
{
options.bios = {
enable = mkEnableOption "enable bios boot";
device = mkOption {
@ -25,4 +26,4 @@ in {
};
};
};
}
}

2
common/boot/default.nix
View File

@ -7,4 +7,4 @@
./bios.nix
./remote-luks-unlock.nix
];
}
}

5
common/boot/efi.nix
View File

@ -3,7 +3,8 @@
with lib;
let
cfg = config.efi;
in {
in
{
options.efi = {
enable = mkEnableOption "enable efi boot";
};
@ -19,7 +20,7 @@ in {
version = 2;
efiSupport = true;
useOSProber = true;
# memtest86.enable = true;
# memtest86.enable = true;
configurationLimit = 20;
theme = pkgs.nixos-grub2-theme;
};

5
common/boot/firmware.nix
View File

@ -3,7 +3,8 @@
with lib;
let
cfg = config.firmware;
in {
in
{
options.firmware.x86_64 = {
enable = mkEnableOption "enable x86_64 firmware";
};
@ -14,4 +15,4 @@ in {
};
# services.fwupd.enable = true;
}
}

56
common/boot/remote-luks-unlock.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.remoteLuksUnlock;
in {
in
{
options.remoteLuksUnlock = {
enable = lib.mkEnableOption "enable luks root remote decrypt over ssh/tor";
enableTorUnlock = lib.mkOption {
@ -61,33 +62,38 @@ in {
copy_bin_and_libs ${pkgs.haveged}/bin/haveged
'';
boot.initrd.network.postCommands = lib.mkMerge [
(''
# Add nice prompt for giving LUKS passphrase over ssh
echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
'')
(let torRc = (pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 22 127.0.0.1:22
''); in lib.mkIf cfg.enableTorUnlock ''
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
(
''
# Add nice prompt for giving LUKS passphrase over ssh
echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
''
)
echo "make sure localhost is up"
ip a a 127.0.0.1/8 dev lo
ip link set lo up
(
let torRc = (pkgs.writeText "tor.rc" ''
DataDirectory /etc/tor
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
SOCKSPort 127.0.0.1:9063
HiddenServiceDir /etc/tor/onion/bootup
HiddenServicePort 22 127.0.0.1:22
''); in
lib.mkIf cfg.enableTorUnlock ''
echo "tor: preparing onion folder"
# have to do this otherwise tor does not want to start
chmod -R 700 /etc/tor
echo "haveged: starting haveged"
haveged -F &
echo "make sure localhost is up"
ip a a 127.0.0.1/8 dev lo
ip link set lo up
echo "tor: starting tor"
tor -f ${torRc} --verify-config
tor -f ${torRc} &
'')
echo "haveged: starting haveged"
haveged -F &
echo "tor: starting tor"
tor -f ${torRc} --verify-config
tor -f ${torRc} &
''
)
];
};
}

3
common/default.nix
View File

@ -40,7 +40,8 @@ in
wget
kakoune
htop
git git-lfs
git
git-lfs
dnsutils
tmux
nethogs

3
common/flakes.nix
View File

@ -2,7 +2,8 @@
with lib;
let
cfg = config.nix.flakes;
in {
in
{
options.nix.flakes = {
enable = mkEnableOption "use nix flakes";
};

2
common/network/default.nix
View File

@ -21,4 +21,4 @@ in
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
};
}
}

11
common/network/hosts.nix
View File

@ -22,7 +22,8 @@ let
ponyo = "cfamr6artx75qvt7ho3rrbsc7mkucmv5aawebwflsfuorusayacffryd.onion";
s0 = "r3zvf7f2ppaeithzswigma46pajt3hqytmkg3rshgknbl3jbni455fqd.onion";
};
in {
in
{
programs.ssh.knownHosts = {
ponyo = {
hostNames = [ "ponyo" "ponyo.neet.dev" "git.neet.dev" ];
@ -56,7 +57,7 @@ in {
# prebuilt cmds for easy ssh LUKS unlock
environment.shellAliases =
concatMapAttrs (host: addr: {"unlock-over-tor_${host}" = "torsocks ssh root@${addr}";}) unlock-onion-hosts
//
concatMapAttrs (host: addr: {"unlock_${host}" = "ssh root@${addr}";}) unlock-clearnet-hosts;
}
concatMapAttrs (host: addr: { "unlock-over-tor_${host}" = "torsocks ssh root@${addr}"; }) unlock-onion-hosts
//
concatMapAttrs (host: addr: { "unlock_${host}" = "ssh root@${addr}"; }) unlock-clearnet-hosts;
}

2
common/network/pia-openvpn.nix
View File

@ -110,4 +110,4 @@ in
};
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
};
}
}

7
common/network/pia-wireguard.nix
View File

@ -72,7 +72,8 @@ let
portForwarding = cfg.forwardPortForTransmission || cfg.forwardedPort != null;
containerServiceName = "container@${config.vpn-container.containerName}.service";
in {
in
{
options.pia.wireguard = {
enable = mkEnableOption "Enable private internet access";
badPortForwardPorts = mkOption {
@ -157,7 +158,7 @@ in {
# restart once a month; PIA forwarded port expires after two months
# because the container is "PartOf" this unit, it gets restarted too
RuntimeMaxSec="30d";
RuntimeMaxSec = "30d";
};
script = ''
@ -353,4 +354,4 @@ in {
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
};
}
}

33
common/network/ping.nix
View File

@ -11,34 +11,35 @@ let
cfg = config.keepalive-ping;
serviceTemplate = host:
{
"keepalive-ping@${host}" = {
description = "Periodic ping keep alive for ${host} connection";
{
"keepalive-ping@${host}" = {
description = "Periodic ping keep alive for ${host} connection";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Restart="always";
requires = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Restart = "always";
path = with pkgs; [ iputils ];
path = with pkgs; [ iputils ];
script = ''
ping -i ${cfg.delay} ${host} &>/dev/null
'';
script = ''
ping -i ${cfg.delay} ${host} &>/dev/null
'';
};
};
};
combineAttrs = foldl recursiveUpdate {};
combineAttrs = foldl recursiveUpdate { };
serviceList = map serviceTemplate cfg.hosts;
services = combineAttrs serviceList;
in {
in
{
options.keepalive-ping = {
enable = mkEnableOption "Enable keep alive ping task";
hosts = mkOption {
type = types.listOf types.str;
default = [];
default = [ ];
description = ''
Hosts to ping periodically
'';
@ -55,4 +56,4 @@ in {
config = mkIf cfg.enable {
systemd.services = services;
};
}
}

2
common/network/tailscale.nix
View File

@ -17,4 +17,4 @@ in
# exit node
config.networking.firewall.checkReversePath = mkIf cfg.exitNode "loose";
config.networking.ip_forward = mkIf cfg.exitNode true;
}
}

6
common/network/vpn.nix
View File

@ -30,7 +30,7 @@ in
config = mkOption {
type = types.anything;
default = {};
default = { };
example = ''
{
services.nginx.enable = true;
@ -70,7 +70,7 @@ in
localAddress = "172.16.100.2";
config = {
imports = allModules ++ [cfg.config];
imports = allModules ++ [ cfg.config ];
# speeds up evaluation
nixpkgs.pkgs = pkgs;
@ -106,4 +106,4 @@ in
networking.usePredictableInterfaceNames = false;
networking.nat.externalInterface = "eth0";
};
}
}

25
common/pc/audio.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.de;
in {
in
{
config = lib.mkIf cfg.enable {
# enable pulseaudio support for packages
nixpkgs.config.pulseaudio = true;
@ -28,29 +29,29 @@ in {
# properyty when no other driver is currently active. JACK clients need this.
factory = "spa-node-factory";
args = {
"factory.name" = "support.node.driver";
"node.name" = "Dummy-Driver";
"priority.driver" = 8000;
"factory.name" = "support.node.driver";
"node.name" = "Dummy-Driver";
"priority.driver" = 8000;
};
}
{
factory = "adapter";
args = {
"factory.name" = "support.null-audio-sink";
"node.name" = "Microphone-Proxy";
"factory.name" = "support.null-audio-sink";
"node.name" = "Microphone-Proxy";
"node.description" = "Microphone";
"media.class" = "Audio/Source/Virtual";
"audio.position" = "MONO";
"media.class" = "Audio/Source/Virtual";
"audio.position" = "MONO";
};
}
{
factory = "adapter";
args = {
"factory.name" = "support.null-audio-sink";
"node.name" = "Main-Output-Proxy";
"factory.name" = "support.null-audio-sink";
"node.name" = "Main-Output-Proxy";
"node.description" = "Main Output";
"media.class" = "Audio/Sink";
"audio.position" = "FL,FR";
"media.class" = "Audio/Sink";
"audio.position" = "FL,FR";
};
}
];

5
common/pc/chromium.nix
View File

@ -49,7 +49,8 @@ let
];
};
in {
in
{
config = lib.mkIf cfg.enable {
# chromium with specific extensions + settings
programs.chromium = {
@ -92,7 +93,7 @@ in {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
# vaapiVdpau
libvdpau-va-gl
nvidia-vaapi-driver

11
common/pc/default.nix
View File

@ -2,15 +2,16 @@
let
cfg = config.de;
in {
in
{
imports = [
./kde.nix
./xfce.nix
./yubikey.nix
./chromium.nix
# ./firefox.nix
# ./firefox.nix
./audio.nix
# ./torbrowser.nix
# ./torbrowser.nix
./pithos.nix
./spotify.nix
./vscodium.nix
@ -52,6 +53,10 @@ in {
jellyfin-media-player
joplin-desktop
config.inputs.deploy-rs.packages.${config.currentSystem}.deploy-rs
# For Nix IDE
nixpkgs-fmt
rnix-lsp
];
# Networking

5
common/pc/discord.nix
View File

@ -2,10 +2,11 @@
let
cfg = config.de;
in {
in
{
config = lib.mkIf cfg.enable {
users.users.googlebot.packages = [
pkgs.discord
];
};
}
}

8
common/pc/firefox.nix
View File

@ -20,7 +20,7 @@ let
};
firefox = pkgs.wrapFirefox somewhatPrivateFF {
desktopName = "Sneed Browser";
desktopName = "Sneed Browser";
nixExtensions = [
(pkgs.fetchFirefoxAddon {
@ -71,8 +71,8 @@ let
TopSites = false;
};
UserMessaging = {
ExtensionRecommendations = false;
SkipOnboarding = true;
ExtensionRecommendations = false;
SkipOnboarding = true;
};
WebsiteFilter = {
Block = [
@ -92,4 +92,4 @@ in
config = lib.mkIf cfg.enable {
users.users.googlebot.packages = [ firefox ];
};
}
}

5
common/pc/kde.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.de;
in {
in
{
config = lib.mkIf cfg.enable {
# kde plasma
services.xserver = {
@ -19,5 +20,5 @@ in {
# plasma5Packages.kmail-account-wizard
kate
];
};
};
}

17
common/pc/mount-samba.nix
View File

@ -14,22 +14,23 @@ let
version_opts = "vers=3.1.1";
opts = "${systemd_opts},${network_opts},${user_opts},${version_opts},${auth_opts}";
in {
in
{
options.services.mount-samba = {
enable = lib.mkEnableOption "enable mounting samba shares";
};
config = lib.mkIf (cfg.enable && config.services.tailscale.enable) {
fileSystems."/mnt/public" = {
device = "//s0.koi-bebop.ts.net/public";
fsType = "cifs";
options = [ opts ];
device = "//s0.koi-bebop.ts.net/public";
fsType = "cifs";
options = [ opts ];
};
fileSystems."/mnt/private" = {
device = "//s0.koi-bebop.ts.net/googlebot";
fsType = "cifs";
options = [ opts ];
device = "//s0.koi-bebop.ts.net/googlebot";
fsType = "cifs";
options = [ opts ];
};
age.secrets.smb-secrets.file = ../../secrets/smb-secrets.age;
@ -44,4 +45,4 @@ in {
vault_lock = "umount /mnt/vault/";
};
};
}
}

5
common/pc/pithos.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.de;
in {
in
{
config = lib.mkIf cfg.enable {
nixpkgs.overlays = [
(self: super: {
@ -11,7 +12,7 @@ in {
version = "1.5.1";
src = super.fetchFromGitHub {
owner = pname;
repo = pname;
repo = pname;
rev = version;
sha256 = "il7OAALpHFZ6wjco9Asp04zWHCD8Ni+iBdiJWcMiQA4=";
};

8
common/pc/spotify.nix
View File

@ -4,7 +4,7 @@ with lib;
let
cfg = config.services.spotifyd;
toml = pkgs.formats.toml {};
toml = pkgs.formats.toml { };
spotifydConf = toml.generate "spotify.conf" cfg.settings;
in
{
@ -17,7 +17,7 @@ in
enable = mkEnableOption "spotifyd, a Spotify playing daemon";
settings = mkOption {
default = {};
default = { };
type = toml.type;
example = { global.bitrate = 320; };
description = ''
@ -28,7 +28,7 @@ in
users = mkOption {
type = with types; listOf str;
default = [];
default = [ ];
description = ''
Usernames to be added to the "spotifyd" group, so that they
can start and interact with the userspace daemon.
@ -83,4 +83,4 @@ in
};
};
};
}
}

5
common/pc/steam.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.de;
in {
in
{
config = lib.mkIf cfg.enable {
programs.steam.enable = true;
hardware.steam-hardware.enable = true; # steam controller
@ -11,4 +12,4 @@ in {
pkgs.steam
];
};
}
}

3
common/pc/torbrowser.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.de;
in {
in
{
config = lib.mkIf cfg.enable {
nixpkgs.overlays = [
(self: super: {

3
common/pc/touchpad.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.de.touchpad;
in {
in
{
options.de.touchpad = {
enable = lib.mkEnableOption "enable touchpad";
};

4
common/pc/vscodium.nix
View File

@ -4,8 +4,8 @@ let
cfg = config.de;
extensions = with pkgs.vscode-extensions; [
# bbenoist.Nix # nix syntax support
# arrterian.nix-env-selector # nix dev envs
# bbenoist.Nix # nix syntax support
# arrterian.nix-env-selector # nix dev envs
];
vscodium-with-extensions = pkgs.vscode-with-extensions.override {

3
common/pc/xfce.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.de;
in {
in
{
config = lib.mkIf cfg.enable {
services.xserver = {
enable = true;

3
common/pc/yubikey.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.de;
in {
in
{
config = lib.mkIf cfg.enable {
# yubikey
services.pcscd.enable = true;

10
common/server/ceph.nix
View File

@ -3,13 +3,13 @@
with lib;
let
cfg = config.ceph;
in {
options.ceph = {
};
in
{
options.ceph = { };
config = mkIf cfg.enable {
# ceph.enable = true;
## S3 Object gateway
#ceph.rgw.enable = true;
#ceph.rgw.daemons = [
@ -40,4 +40,4 @@ in {
ceph.global.fsid = "925773DC-D95F-476C-BBCD-08E01BF0865F";
};
}
}

2
common/server/default.nix
View File

@ -19,4 +19,4 @@
./iodine.nix
./searx.nix
];
}
}

5
common/server/gitea.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.services.gitea;
in {
in
{
options.services.gitea = {
hostname = lib.mkOption {
type = lib.types.str;
@ -40,4 +41,4 @@ in {
};
};
};
}
}

4
common/server/hydra.nix
View File

@ -20,6 +20,6 @@ in
hydraURL = "https://${domain}";
useSubstitutes = true;
notificationSender = notifyEmail;
buildMachinesFiles = [];
buildMachinesFiles = [ ];
};
}
}

3
common/server/icecast.nix
View File

@ -7,7 +7,8 @@
let
cfg = config.services.icecast;
in {
in
{
options.services.icecast = {
mount = lib.mkOption {
type = lib.types.str;

5
common/server/iodine.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.services.iodine.server;
in {
in
{
config = lib.mkIf cfg.enable {
# iodine DNS-based vpn
services.iodine.server = {
@ -17,4 +18,4 @@ in {
"dns0" # iodine
];
};
}
}

15
common/server/mailserver.nix
View File

@ -15,7 +15,8 @@ let
"bsd.ninja"
"bsd.rocks"
];
in {
in
{
config = lib.mkIf cfg.enable {
# kresd doesn't work with tailscale MagicDNS
mailserver.localDnsResolver = false;
@ -60,10 +61,12 @@ in {
sender_dependent_relayhost_maps = "hash:/var/lib/postfix/conf/sender_relay";
smtp_sender_dependent_authentication = "yes";
};
services.postfix.mapFiles.sender_relay = let
relayHost = "[smtp.mailgun.org]:587";
in pkgs.writeText "sender_relay"
(concatStringsSep "\n" (map (domain: "@${domain} ${relayHost}") domains));
services.postfix.mapFiles.sender_relay =
let
relayHost = "[smtp.mailgun.org]:587";
in
pkgs.writeText "sender_relay"
(concatStringsSep "\n" (map (domain: "@${domain} ${relayHost}") domains));
services.postfix.mapFiles.sasl_relay_passwd = "/run/agenix/sasl_relay_passwd";
age.secrets.sasl_relay_passwd.file = ../../secrets/sasl_relay_passwd.age;
@ -80,4 +83,4 @@ in {
'';
};
};
}
}

20
common/server/matrix.nix
View File

@ -3,7 +3,8 @@
let
cfg = config.services.matrix;
certs = config.security.acme.certs;
in {
in
{
options.services.matrix = {
enable = lib.mkEnableOption "enable matrix";
element-web = {
@ -62,15 +63,15 @@ in {
settings = {
server_name = cfg.host;
enable_registration = cfg.enable_registration;
listeners = [ {
bind_addresses = ["127.0.0.1"];
listeners = [{
bind_addresses = [ "127.0.0.1" ];
port = cfg.port;
tls = false;
resources = [ {
resources = [{
compress = true;
names = [ "client" "federation" ];
} ];
} ];
}];
}];
turn_uris = [
"turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=udp"
"turn:${cfg.turn.host}:${toString cfg.turn.port}?transport=tcp"
@ -120,7 +121,7 @@ in {
services.nginx = {
enable = true;
virtualHosts.${cfg.host} = {
virtualHosts.${cfg.host} = {
enableACME = true;
forceSSL = true;
listen = [
@ -137,7 +138,8 @@ in {
];
locations."/".proxyPass = "http://localhost:${toString cfg.port}";
};
virtualHosts.${cfg.turn.host} = { # get TLS cert for TURN server
virtualHosts.${cfg.turn.host} = {
# get TLS cert for TURN server
enableACME = true;
forceSSL = true;
};
@ -214,4 +216,4 @@ in {
openFirewall = true;
};
};
}
}

3
common/server/mumble.nix
View File

@ -3,7 +3,8 @@
let
cfg = config.services.murmur;
certs = config.security.acme.certs;
in {
in
{
options.services.murmur.domain = lib.mkOption {
type = lib.types.str;
};

5
common/server/nextcloud.nix
View File

@ -3,7 +3,8 @@
let
cfg = config.services.nextcloud;
in {
in
{
config = lib.mkIf cfg.enable {
services.nextcloud = {
https = true;
@ -24,4 +25,4 @@ in {
forceSSL = true;
};
};
}
}

5
common/server/nginx-stream.nix
View File

@ -5,7 +5,8 @@ let
nginxWithRTMP = pkgs.nginx.override {
modules = [ pkgs.nginxModules.rtmp ];
};
in {
in
{
options.services.nginx.stream = {
enable = lib.mkEnableOption "enable nginx rtmp/hls/dash video streaming";
port = lib.mkOption {
@ -72,4 +73,4 @@ in {
cfg.port
];
};
}
}

5
common/server/nginx.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.services.nginx;
in {
in
{
config = lib.mkIf cfg.enable {
services.nginx = {
recommendedGzipSettings = true;
@ -13,4 +14,4 @@ in {
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}
}

5
common/server/owncast.nix
View File

@ -4,7 +4,8 @@ with lib;
let
cfg = config.services.owncast;
in {
in
{
options.services.owncast = {
hostname = lib.mkOption {
type = types.str;
@ -28,4 +29,4 @@ in {
};
};
};
}
}

7
common/server/privatebin/privatebin.nix
View File

@ -14,7 +14,8 @@ let
cp -ar $src $out
'';
};
in {
in
{
options.services.privatebin = {
enable = lib.mkEnableOption "enable privatebin";
host = lib.mkOption {
@ -30,7 +31,7 @@ in {
group = "privatebin";
isSystemUser = true;
};
users.groups.privatebin = {};
users.groups.privatebin = { };
services.nginx.enable = true;
services.nginx.virtualHosts.${cfg.host} = {
@ -53,7 +54,7 @@ in {
"d '/var/lib/privatebin' 0750 privatebin privatebin - -"
];
services.phpfpm.pools.privatebin = {
services.phpfpm.pools.privatebin = {
user = "privatebin";
group = "privatebin";
phpEnv = {

11
common/server/radio.nix
View File

@ -3,7 +3,8 @@
let
cfg = config.services.radio;
radioPackage = config.inputs.radio.packages.${config.currentSystem}.radio;
in {
in
{
options.services.radio = {
enable = lib.mkEnableOption "enable radio";
user = lib.mkOption {
@ -56,11 +57,11 @@ in {
home = cfg.dataDir;
createHome = true;
};
users.groups.${cfg.group} = {};
users.groups.${cfg.group} = { };
systemd.services.radio = {
enable = true;
after = ["network.target"];
wantedBy = ["multi-user.target"];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${radioPackage}/bin/radio ${config.services.icecast.listen.address}:${toString config.services.icecast.listen.port} ${config.services.icecast.mount} 5500";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
@ -71,4 +72,4 @@ in {
'';
};
};
}
}

4
common/server/samba.nix
View File

@ -110,6 +110,6 @@
# samba user for share
users.users.cris.isSystemUser = true;
users.users.cris.group = "cris";
users.groups.cris = {};
users.groups.cris = { };
};
}
}

9
common/server/searx.nix
View File

@ -2,19 +2,20 @@
let
cfg = config.services.searx;
in {
in
{
config = lib.mkIf cfg.enable {
services.searx = {
environmentFile = "/run/agenix/searx";
settings = {
server.port = 43254;
server.secret_key = "@SEARX_SECRET_KEY@";
engines = [ {
engines = [{
name = "wolframalpha";
shortcut = "wa";
api_key = "@WOLFRAM_API_KEY@";
engine = "wolframalpha_api";
} ];
}];
};
};
services.nginx.virtualHosts."search.neet.space" = {
@ -26,4 +27,4 @@ in {
};
age.secrets.searx.file = ../../secrets/searx.age;
};
}
}

5
common/server/thelounge.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.services.thelounge;
in {
in
{
options.services.thelounge = {
fileUploadBaseUrl = lib.mkOption {
type = lib.types.str;
@ -28,7 +29,7 @@ in {
reverseProxy = true;
maxHistory = -1;
https.enable = false;
# theme = "thelounge-theme-solarized";
# theme = "thelounge-theme-solarized";
prefetch = false;
prefetchStorage = false;
fileUpload = {

51
common/server/video-stream.nix
View File

@ -15,14 +15,14 @@ let
in
{
networking.firewall.allowedUDPPorts = [ rtp-port ];
networking.firewall.allowedTCPPortRanges = [ {
networking.firewall.allowedTCPPortRanges = [{
from = webrtc-peer-lower-port;
to = webrtc-peer-upper-port;
} ];
networking.firewall.allowedUDPPortRanges = [ {
}];
networking.firewall.allowedUDPPortRanges = [{
from = webrtc-peer-lower-port;
to = webrtc-peer-upper-port;
} ];
}];
virtualisation.docker.enable = true;
@ -49,12 +49,12 @@ in
ports = [
"${toStr ingest-port}:8084"
];
# imageFile = pkgs.dockerTools.pullImage {
# imageName = "projectlightspeed/ingest";
# finalImageTag = "version-0.1.4";
# imageDigest = "sha256:9fc51833b7c27a76d26e40f092b9cec1ac1c4bfebe452e94ad3269f1f73ff2fc";
# sha256 = "19kxl02x0a3i6hlnsfcm49hl6qxnq2f3hfmyv1v8qdaz58f35kd5";
# };
# imageFile = pkgs.dockerTools.pullImage {
# imageName = "projectlightspeed/ingest";
# finalImageTag = "version-0.1.4";
# imageDigest = "sha256:9fc51833b7c27a76d26e40f092b9cec1ac1c4bfebe452e94ad3269f1f73ff2fc";
# sha256 = "19kxl02x0a3i6hlnsfcm49hl6qxnq2f3hfmyv1v8qdaz58f35kd5";
# };
};
"lightspeed-react" = {
workdir = "/var/lib/lightspeed-react";
@ -62,12 +62,12 @@ in
ports = [
"${toStr web-port}:80"
];
# imageFile = pkgs.dockerTools.pullImage {
# imageName = "projectlightspeed/react";
# finalImageTag = "version-0.1.3";
# imageDigest = "sha256:b7c58425f1593f7b4304726b57aa399b6e216e55af9c0962c5c19333fae638b6";
# sha256 = "0d2jh7mr20h7dxgsp7ml7cw2qd4m8ja9rj75dpy59zyb6v0bn7js";
# };
# imageFile = pkgs.dockerTools.pullImage {
# imageName = "projectlightspeed/react";
# finalImageTag = "version-0.1.3";
# imageDigest = "sha256:b7c58425f1593f7b4304726b57aa399b6e216e55af9c0962c5c19333fae638b6";
# sha256 = "0d2jh7mr20h7dxgsp7ml7cw2qd4m8ja9rj75dpy59zyb6v0bn7js";
# };
};
"lightspeed-webrtc" = {
workdir = "/var/lib/lightspeed-webrtc";
@ -79,15 +79,18 @@ in
"${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}:${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}/udp"
];
cmd = [
"lightspeed-webrtc" "--addr=0.0.0.0" "--ip=${domain}"
"--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}" "run"
"lightspeed-webrtc"
"--addr=0.0.0.0"
"--ip=${domain}"
"--ports=${toStr webrtc-peer-lower-port}-${toStr webrtc-peer-upper-port}"
"run"
];
# imageFile = pkgs.dockerTools.pullImage {
# imageName = "projectlightspeed/webrtc";
# finalImageTag = "version-0.1.2";
# imageDigest = "sha256:ddf8b3dd294485529ec11d1234a3fc38e365a53c4738998c6bc2c6930be45ecf";
# sha256 = "1bdy4ak99fjdphj5bsk8rp13xxmbqdhfyfab14drbyffivg9ad2i";
# };
# imageFile = pkgs.dockerTools.pullImage {
# imageName = "projectlightspeed/webrtc";
# finalImageTag = "version-0.1.2";
# imageDigest = "sha256:ddf8b3dd294485529ec11d1234a3fc38e365a53c4738998c6bc2c6930be45ecf";
# sha256 = "1bdy4ak99fjdphj5bsk8rp13xxmbqdhfyfab14drbyffivg9ad2i";
# };
};
};
};

12
common/server/vscode/modules/vscode-server/default.nix
View File

@ -1,8 +1,8 @@
import ./module.nix ({ name, description, serviceConfig }:
{
systemd.user.services.${name} = {
inherit description serviceConfig;
wantedBy = [ "default.target" ];
};
})
{
systemd.user.services.${name} = {
inherit description serviceConfig;
wantedBy = [ "default.target" ];
};
})

20
common/server/vscode/modules/vscode-server/home.nix
View File

@ -1,15 +1,15 @@
import ./module.nix ({ name, description, serviceConfig }:
{
systemd.user.services.${name} = {
Unit = {
Description = description;
};
{
systemd.user.services.${name} = {
Unit = {
Description = description;
};
Service = serviceConfig;
Service = serviceConfig;
Install = {
WantedBy = [ "default.target" ];
Install = {
WantedBy = [ "default.target" ];
};
};
};
})
})

3
common/server/zerobin.nix
View File

@ -2,7 +2,8 @@
let
cfg = config.services.zerobin;
in {
in
{
options.services.zerobin = {
host = lib.mkOption {
type = lib.types.str;

2
common/shell.nix
View File

@ -47,4 +47,4 @@
});
})
];
}
}

2
common/ssh.nix
View File

@ -37,4 +37,4 @@ rec {
storage = with system; [
s0
];
}
}

136
flake.nix
View File

@ -47,75 +47,78 @@
outputs = { self, nixpkgs, ... }@inputs: {
nixosConfigurations =
let
modules = system: with inputs; [
./common
simple-nixos-mailserver.nixosModule
agenix.nixosModules.default
dailybuild_modules.nixosModule
archivebox.nixosModule
nix-index-database.nixosModules.nix-index
({ lib, ... }: {
config.environment.systemPackages = [
agenix.packages.${system}.agenix
];
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
options.inputs = lib.mkOption { default = inputs; };
options.currentSystem = lib.mkOption { default = system; };
})
];
mkSystem = system: nixpkgs: path:
let
allModules = modules system;
# allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
name = "nixpkgs-patched";
src = nixpkgs;
patches = [
inputs.nixpkgs-hostapd-pr
let
modules = system: with inputs; [
./common
simple-nixos-mailserver.nixosModule
agenix.nixosModules.default
dailybuild_modules.nixosModule
archivebox.nixosModule
nix-index-database.nixosModules.nix-index
({ lib, ... }: {
config.environment.systemPackages = [
agenix.packages.${system}.agenix
];
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
options.inputs = lib.mkOption { default = inputs; };
options.currentSystem = lib.mkOption { default = system; };
})
];
mkSystem = system: nixpkgs: path:
let
allModules = modules system;
# allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
name = "nixpkgs-patched";
src = nixpkgs;
patches = [
inputs.nixpkgs-hostapd-pr
];
};
patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });
in
patchedNixpkgs.lib.nixosSystem {
inherit system;
modules = allModules ++ [ path ];
specialArgs = {
inherit allModules;
};
};
patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self=nixpkgs; });
in
{
"ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
# "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
"ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
"router" = mkSystem "x86_64-linux" nixpkgs ./machines/router/configuration.nix;
"s0" = mkSystem "x86_64-linux" nixpkgs ./machines/storage/s0/configuration.nix;
};
in patchedNixpkgs.lib.nixosSystem {
inherit system;
modules = allModules ++ [path];
packages =
let
mkKexec = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/kexec.nix ];
}).config.system.build.kexec_tarball;
mkIso = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/iso.nix ];
}).config.system.build.isoImage;
in
{
"x86_64-linux"."kexec" = mkKexec "x86_64-linux";
"x86_64-linux"."iso" = mkIso "x86_64-linux";
"aarch64-linux"."kexec" = mkKexec "aarch64-linux";
"aarch64-linux"."iso" = mkIso "aarch64-linux";
};
specialArgs = {
inherit allModules;
};
};
in
{
"ray" = mkSystem "x86_64-linux" nixpkgs ./machines/ray/configuration.nix;
# "nat" = mkSystem "aarch64-linux" nixpkgs ./machines/nat/configuration.nix;
"ponyo" = mkSystem "x86_64-linux" nixpkgs ./machines/ponyo/configuration.nix;
"router" = mkSystem "x86_64-linux" nixpkgs ./machines/router/configuration.nix;
"s0" = mkSystem "x86_64-linux" nixpkgs ./machines/storage/s0/configuration.nix;
};
packages = let
mkKexec = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/kexec.nix ];
}).config.system.build.kexec_tarball;
mkIso = system:
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [ ./machines/ephemeral/iso.nix ];
}).config.system.build.isoImage;
in {
"x86_64-linux"."kexec" = mkKexec "x86_64-linux";
"x86_64-linux"."iso" = mkIso "x86_64-linux";
"aarch64-linux"."kexec" = mkKexec "aarch64-linux";
"aarch64-linux"."iso" = mkIso "aarch64-linux";
};
deploy.nodes =
deploy.nodes =
let
mkDeploy = configName: hostname: {
inherit hostname;
@ -124,7 +127,8 @@
profiles.system.path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configName};
};
in {
in
{
s0 = mkDeploy "s0" "s0";
router = mkDeploy "router" "router";
ponyo = mkDeploy "ponyo" "ponyo.neet.dev";

2
machines/ephemeral/iso.nix
View File

@ -9,4 +9,4 @@
isoImage.makeUsbBootable = true;
networking.hostName = "iso";
}
}

2
machines/ephemeral/kexec.nix
View File

@ -45,4 +45,4 @@
contents = [ ];
};
};
}
}

8
machines/ephemeral/minimal.nix
View File

@ -7,7 +7,8 @@
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "e1000" "e1000e" "virtio_pci" "r8169" ];
boot.kernelParams = [
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
"panic=30"
"boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0,115200" # enable serial console
"console=tty1"
];
@ -21,7 +22,8 @@
environment.systemPackages = with pkgs; [
cryptsetup
btrfs-progs
git git-lfs
git
git-lfs
wget
htop
dnsutils
@ -42,4 +44,4 @@
services.getty.autologinUser = "root";
users.users.root.openssh.authorizedKeys.keys = (import ../../common/ssh.nix).users;
}
}

8
machines/nat/hardware-configuration.nix
View File

@ -12,14 +12,16 @@
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/02a8c0c7-fd4e-4443-a83c-2d0b63848779";
{
device = "/dev/disk/by-uuid/02a8c0c7-fd4e-4443-a83c-2d0b63848779";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0C95-1290";
{
device = "/dev/disk/by-uuid/0C95-1290";
fsType = "vfat";
};
swapDevices = [ ];
}
}

6
machines/ponyo/configuration.nix
View File

@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }:
{
imports =[
imports = [
./hardware-configuration.nix
];
@ -61,7 +61,7 @@
host = "radio.runyan.org";
};
};
pia.wireguard.badPortForwardPorts = [];
pia.wireguard.badPortForwardPorts = [ ];
services.nginx.virtualHosts."radio.runyan.org" = {
enableACME = true;
forceSSL = true;
@ -135,4 +135,4 @@
# owncast live streaming
services.owncast.enable = true;
services.owncast.hostname = "live.neet.dev";
}
}

11
machines/ponyo/hardware-configuration.nix
View File

@ -2,7 +2,8 @@
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
[
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
@ -22,12 +23,14 @@
boot.initrd.luks.devices."enc-pv2".device = "/dev/disk/by-uuid/e52b01b3-81c8-4bb2-ae7e-a3d9c793cb00"; # expanded disk
fileSystems."/" =
{ device = "/dev/mapper/enc-pv";
{
device = "/dev/mapper/enc-pv";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/d3a3777d-1e70-47fa-a274-804dc70ee7fd";
{
device = "/dev/disk/by-uuid/d3a3777d-1e70-47fa-a274-804dc70ee7fd";
fsType = "ext4";
};
@ -39,4 +42,4 @@
];
networking.interfaces.eth0.useDHCP = true;
}
}

15
machines/ray/hardware-configuration.nix
View File

@ -5,7 +5,8 @@
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
[
(modulesPath + "/installer/scan/not-detected.nix")
];
# boot
@ -40,22 +41,24 @@
allowDiscards = true;
};
fileSystems."/" =
{ device = "/dev/vg/root";
{
device = "/dev/vg/root";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/vg/root";
{
device = "/dev/vg/root";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2C85-2B59";
{
device = "/dev/disk/by-uuid/2C85-2B59";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/vg/swap"; }
];
[{ device = "/dev/vg/swap"; }];
# high-resolution display
hardware.video.hidpi.enable = lib.mkDefault true;

2
machines/router/configuration.nix
View File

@ -37,4 +37,4 @@
# externalInterface = "eth0";
# internalIPs = [ "br0" ];
# };
}
}

12
machines/router/hardware-configuration.nix
View File

@ -10,7 +10,8 @@
# Enable serial output
boot.kernelParams = [
"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
"panic=30"
"boot.panic_on_fail" # reboot the machine upon fatal boot issues
"console=ttyS0,115200n8" # enable serial console
];
boot.loader.grub.extraConfig = "
@ -33,16 +34,17 @@
remoteLuksUnlock.enable = true;
boot.initrd.luks.devices."enc-pv".device = "/dev/disk/by-uuid/9b090551-f78e-45ca-8570-196ed6a4af0c";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";
{
device = "/dev/disk/by-uuid/421c82b9-d67c-4811-8824-8bb57cb10fce";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/d97f324f-3a2e-4b84-ae2a-4b3d1209c689";
{
device = "/dev/disk/by-uuid/d97f324f-3a2e-4b84-ae2a-4b3d1209c689";
fsType = "ext3";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/45bf58dd-67eb-45e4-9a98-246e23fa7abd"; }
];
[{ device = "/dev/disk/by-uuid/45bf58dd-67eb-45e4-9a98-246e23fa7abd"; }];
nixpkgs.hostPlatform = "x86_64-linux";
}

10
machines/router/router.nix
View File

@ -97,11 +97,11 @@ in
channel = 6;
countryCode = "US";
wifi4 = {
capabilities = ["LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40+"];
capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40+" ];
};
wifi5 = {
operatingChannelWidth = "20or40";
capabilities = ["MAX-A-MPDU-LEN-EXP0"];
capabilities = [ "MAX-A-MPDU-LEN-EXP0" ];
};
wifi6 = {
enable = true;
@ -137,11 +137,11 @@ in
channel = 128;
countryCode = "US";
wifi4 = {
capabilities = ["LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40-"];
capabilities = [ "LDPC" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" "HT40-" ];
};
wifi5 = {
operatingChannelWidth = "160";
capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-3" "BF-ANTENNA-3" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"];
capabilities = [ "RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-3" "BF-ANTENNA-3" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7" ];
};
wifi6 = {
enable = true;
@ -202,4 +202,4 @@ in
})
];
};
}
}

2
machines/storage/s0/configuration.nix
View File

@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }:
{
imports =[
imports = [
./hardware-configuration.nix
];

36
machines/storage/s0/hardware-configuration.nix
View File

@ -2,7 +2,8 @@
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
[
(modulesPath + "/installer/scan/not-detected.nix")
];
# boot
@ -31,28 +32,39 @@
# mounts
fileSystems."/" =
{ device = "rpool/nixos/root";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
{
device = "rpool/nixos/root";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/home" =
{ device = "rpool/nixos/home";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
{
device = "rpool/nixos/home";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/var/lib" =
{ device = "rpool/nixos/var/lib";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
{
device = "rpool/nixos/var/lib";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/var/log" =
{ device = "rpool/nixos/var/log";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
{
device = "rpool/nixos/var/log";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/data" =
{ device = "rpool/nixos/data";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
{
device = "rpool/nixos/data";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/4FB4-738E";
{
device = "/dev/disk/by-uuid/4FB4-738E";
fsType = "vfat";
};
swapDevices = [ ];