all: switch to nixpkgs-fmt

Aaron Bieber 2023-09-12 08:44:05 -06:00
parent dcd0acbdd7
commit a0228f4226
No known key found for this signature in database
143 changed files with 3151 additions and 2994 deletions


@ -2,11 +2,12 @@
set -e
find . -name \*.nix -exec nix fmt -- -q {} \+
find . -name \*.nix -exec nix fmt {} \+
find . -name \*.sh -exec shfmt -w {} \+
deadnix -f .
shfmt -w bin/deploy
shfmt -w bin/mkboot
# TODO: https://github.com/nerdypepper/statix/issues/68
statix check --ignore lib/default.nix .
#statix check --ignore lib/default.nix .
statix check .
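Review bot: The `# TODO: https://github.com/nerdypepper/statix/issues/68` comment is left sitting above a commented-out `#statix check --ignore lib/default.nix .` and a live `statix check .`, so it no longer says what is still pending. If the workaround is no longer needed, drop both the TODO and the commented-out line; otherwise reword the comment to say why the `--ignore` form is kept for reference. Separately, the added `find . -name \*.sh -exec shfmt -w {} \+` only matches files with a `.sh` suffix. The page does not make clear whether the explicit `shfmt -w bin/deploy` and `shfmt -w bin/mkboot` lines survive on the new side; if they are removed, those extensionless scripts are no longer formatted.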


@ -1,4 +1,4 @@
{perl}: ''
{ perl }: ''
#!${perl}/bin/perl
use strict;


@ -1,25 +1,26 @@
{
pkgs,
isUnstable,
...
}: let
gosignify = pkgs.callPackage ../pkgs/gosignify.nix {inherit isUnstable;};
{ pkgs
, isUnstable
, ...
}:
let
gosignify = pkgs.callPackage ../pkgs/gosignify.nix { inherit isUnstable; };
ix = pkgs.writeScriptBin "ix" (import ./ix.nix {inherit (pkgs) perl;});
ix = pkgs.writeScriptBin "ix" (import ./ix.nix { inherit (pkgs) perl; });
checkRestart =
pkgs.writeScriptBin "check-restart"
(import ./check-restart.nix {inherit (pkgs) perl;});
(import ./check-restart.nix { inherit (pkgs) perl; });
xinStatus =
pkgs.writeScriptBin "xin-status"
(import ./xin-status.nix {inherit (pkgs) perl perlPackages;});
(import ./xin-status.nix { inherit (pkgs) perl perlPackages; });
tstart =
pkgs.writeScriptBin "tstart" (import ./tstart.nix {inherit (pkgs) tmux;});
pkgs.writeScriptBin "tstart" (import ./tstart.nix { inherit (pkgs) tmux; });
sfetch = pkgs.writeScriptBin "sfetch" (import ./sfetch.nix {
inherit gosignify;
inherit (pkgs) curl;
});
genPatches = pkgs.callPackage ./gen-patches.nix {};
in {
genPatches = pkgs.callPackage ./gen-patches.nix { };
in
{
environment.systemPackages = with pkgs; [
checkRestart
genPatches


@ -1,13 +1,13 @@
{
writeShellApplication,
diffutils,
findutils,
coreutils,
...
}: let
{ writeShellApplication
, diffutils
, findutils
, coreutils
, ...
}:
let
genPatches = writeShellApplication {
name = "gen-patches";
runtimeInputs = [diffutils findutils coreutils];
runtimeInputs = [ diffutils findutils coreutils ];
text = ''
suffix=".orig"
srcdir=$PWD
@ -52,4 +52,4 @@
'';
};
in
genPatches
genPatches


@ -1,6 +1,6 @@
{
pkgs,
icbirc,
{ pkgs
, icbirc
,
}: ''
#!${pkgs.yash}/bin/yash
${pkgs.procps}/bin/pkill icbirc


@ -1,4 +1,4 @@
{perl}: ''
{ perl }: ''
#!${perl}/bin/perl
use strict;


@ -1,4 +1,5 @@
{pkgs}: let
{ pkgs }:
let
oathPkg = pkgs.oath-toolkit or pkgs.oathToolkit;
wlclip =
if pkgs.system == "aarch64-darwin"
@ -8,7 +9,8 @@
if pkgs.system == "aarch64-darwin"
then "pbcopy"
else "${pkgs.xclip}/bin/xclip";
in ''
in
''
#!${pkgs.yash}/bin/yash
set -e


@ -1,16 +1,16 @@
{
lib,
pkgs,
config,
...
{ lib
, pkgs
, config
, ...
}:
assert (builtins.length
(lib.mapAttrsToList (a: _: a) config.services.restic.backups))
<= 1; let
<= 1; let
resticBin = "${pkgs.restic}/bin/restic";
cfg = config.services.restic.backups;
bkp = lib.mapAttrs' (_: lib.nameValuePair "default") cfg;
in ''
in
''
#!/usr/bin/env sh
set -e


@ -1,12 +1,14 @@
{
tea,
gh,
hut,
}: let
{ tea
, gh
, hut
,
}:
let
teaBin = "${tea}/bin/tea";
ghBin = "${gh}/bin/gh";
htBin = "${hut}/bin/hut";
in ''
in
''
#!/usr/bin/env sh
set -eu


@ -1,6 +1,6 @@
{
curl,
gosignify,
{ curl
, gosignify
,
}: ''
#!/usr/bin/env sh


@ -1,6 +1,8 @@
{tmux}: let
{ tmux }:
let
tmuxBin = "${tmux}/bin/tmux";
in ''
in
''
#!/usr/bin/env sh
set -e


@ -1,7 +1,6 @@
{
perl,
perlPackages,
...
{ perl
, perlPackages
, ...
}: ''
#!${perl}/bin/perl


@ -1,118 +1,118 @@
{
config,
lib,
pkgs,
...
}: let
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.services.xinCA;
in
with lib; {
options = {
services.xinCA = {
enable = mkEnableOption "Configure host as a xin certificate authority.";
with lib; {
options = {
services.xinCA = {
enable = mkEnableOption "Configure host as a xin certificate authority.";
user = mkOption {
type = types.str;
default = "step-ca";
description = ''
User who will own the CA key material.
'';
};
user = mkOption {
type = types.str;
default = "step-ca";
description = ''
User who will own the CA key material.
'';
};
};
};
imports = [ ../modules/ts-rev-prox.nix ];
config = mkIf cfg.enable {
sops.secrets = {
ca_password = {
mode = "400";
owner = cfg.user;
sopsFile = config.xin-secrets.cert_authority;
};
"defaults.json" = {
mode = "400";
owner = cfg.user;
path = "/var/lib/step-ca/config/defaults.json";
sopsFile = config.xin-secrets.cert_authority;
};
"intermediate_ca.crt" = {
mode = "444";
owner = cfg.user;
path = "/var/lib/step-ca/certs/intermediate_ca.crt";
sopsFile = config.xin-secrets.cert_authority;
};
"intermediate_ca_key" = {
mode = "400";
owner = cfg.user;
path = "/var/lib/step-ca/secrets/intermediate_ca_key";
sopsFile = config.xin-secrets.cert_authority;
};
"root_ca.crt" = {
mode = "444";
owner = cfg.user;
path = "/var/lib/step-ca/certs/root_ca.crt";
sopsFile = config.xin-secrets.cert_authority;
};
"root_ca_key" = {
mode = "400";
owner = cfg.user;
path = "/var/lib/step-ca/secrets/root_ca_key";
sopsFile = config.xin-secrets.cert_authority;
};
"jwk_encryptedKey" = {
mode = "400";
owner = cfg.user;
path = "/var/lib/step-ca/secrets/jwk_encryptedKey";
sopsFile = config.xin-secrets.cert_authority;
};
};
imports = [../modules/ts-rev-prox.nix];
config = mkIf cfg.enable {
sops.secrets = {
ca_password = {
mode = "400";
owner = cfg.user;
sopsFile = config.xin-secrets.cert_authority;
};
"defaults.json" = {
mode = "400";
owner = cfg.user;
path = "/var/lib/step-ca/config/defaults.json";
sopsFile = config.xin-secrets.cert_authority;
};
"intermediate_ca.crt" = {
mode = "444";
owner = cfg.user;
path = "/var/lib/step-ca/certs/intermediate_ca.crt";
sopsFile = config.xin-secrets.cert_authority;
};
"intermediate_ca_key" = {
mode = "400";
owner = cfg.user;
path = "/var/lib/step-ca/secrets/intermediate_ca_key";
sopsFile = config.xin-secrets.cert_authority;
};
"root_ca.crt" = {
mode = "444";
owner = cfg.user;
path = "/var/lib/step-ca/certs/root_ca.crt";
sopsFile = config.xin-secrets.cert_authority;
};
"root_ca_key" = {
mode = "400";
owner = cfg.user;
path = "/var/lib/step-ca/secrets/root_ca_key";
sopsFile = config.xin-secrets.cert_authority;
};
"jwk_encryptedKey" = {
mode = "400";
owner = cfg.user;
path = "/var/lib/step-ca/secrets/jwk_encryptedKey";
sopsFile = config.xin-secrets.cert_authority;
};
};
networking.hosts = { "127.0.0.1" = [ "ca.bolddaemon.com" ]; };
networking.hosts = {"127.0.0.1" = ["ca.bolddaemon.com"];};
environment.sessionVariables = { STEPPATH = "/var/lib/step-ca"; };
environment.systemPackages = with pkgs; [
step-cli
step-kms-plugin
opensc
libressl
];
environment.sessionVariables = {STEPPATH = "/var/lib/step-ca";};
environment.systemPackages = with pkgs; [
step-cli
step-kms-plugin
opensc
libressl
];
services.step-ca = {
enable = true;
intermediatePasswordFile = "${config.sops.secrets.ca_password.path}";
address = "127.0.0.1";
port = 443;
settings = {
root = config.sops.secrets."root_ca.crt".path;
crt = config.sops.secrets."intermediate_ca.crt".path;
key = config.sops.secrets.intermediate_ca_key.path;
dnsNames = [ "ca.bolddaemon.com" ];
logger = { format = "text"; };
db = {
type = "badgerv2";
dataSource = "/var/lib/step-ca/db";
badgerFileLoadingMode = "";
};
authority = {
provisioners = [
{
type = "SSHPOP";
name = "sshpop";
claims = { enableSSHCA = true; };
}
];
};
services.step-ca = {
enable = true;
intermediatePasswordFile = "${config.sops.secrets.ca_password.path}";
address = "127.0.0.1";
port = 443;
settings = {
root = config.sops.secrets."root_ca.crt".path;
crt = config.sops.secrets."intermediate_ca.crt".path;
key = config.sops.secrets.intermediate_ca_key.path;
dnsNames = ["ca.bolddaemon.com"];
logger = {format = "text";};
db = {
type = "badgerv2";
dataSource = "/var/lib/step-ca/db";
badgerFileLoadingMode = "";
};
authority = {
provisioners = [
{
type = "SSHPOP";
name = "sshpop";
claims = {enableSSHCA = true;};
}
];
};
tls = {
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
];
minVersion = 1.2;
maxVersion = 1.3;
renegotiation = false;
};
tls = {
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
];
minVersion = 1.2;
maxVersion = 1.3;
renegotiation = false;
};
};
};
}
};
}


@ -1,11 +1,11 @@
{
config,
lib,
pkgs,
inputs,
xinlib,
...
}: let
{ config
, lib
, pkgs
, inputs
, xinlib
, ...
}:
let
#inherit (xinlib) prIsOpen;
jobs = [
{
@ -13,99 +13,99 @@
user = "qbit";
script = "cd ~/src/xin && ./bin/ci update";
startAt = "23:00";
path = [];
path = [ ];
}
{
name = "xin-ci";
user = "qbit";
script = "cd ~/src/xin && ./bin/ci";
startAt = "*:30:00";
path = [];
path = [ ];
}
];
in
with lib; {
options = {
xinCI = {
enable = mkEnableOption "Configure host as a xin CI host.";
with lib; {
options = {
xinCI = {
enable = mkEnableOption "Configure host as a xin CI host.";
user = mkOption {
type = types.str;
default = "root";
description = ''
User who will own the CI private key.
'';
};
user = mkOption {
type = types.str;
default = "root";
description = ''
User who will own the CI private key.
'';
};
};
};
imports = [../modules/ts-rev-prox.nix];
config = mkIf config.xinCI.enable {
sops.defaultSopsFile = config.xin-secrets.ci;
sops.secrets = {
po_env = {owner = config.xinCI.user;};
ci_ed25519_key = {
mode = "400";
owner = config.xinCI.user;
};
ci_ed25519_pub = {
mode = "444";
owner = config.xinCI.user;
};
ci_signing_ed25519_key = {
mode = "400";
owner = config.xinCI.user;
};
ci_signing_ed25519_pub = {
mode = "444";
owner = config.xinCI.user;
};
bin_cache_priv_key = {
mode = "400";
owner = "root";
group = "wheel";
};
bin_cache_pub_key = {
mode = "444";
owner = "root";
group = "wheel";
};
ts_proxy_env = {
mode = "400";
owner = config.services.tsrevprox.user;
};
imports = [ ../modules/ts-rev-prox.nix ];
config = mkIf config.xinCI.enable {
sops.defaultSopsFile = config.xin-secrets.ci;
sops.secrets = {
po_env = { owner = config.xinCI.user; };
ci_ed25519_key = {
mode = "400";
owner = config.xinCI.user;
};
environment.systemPackages = with pkgs; [
inputs.po.packages.${pkgs.system}.po
keychain
];
nix = {
#settings.allowed-users = [ "root" config.xinCI.user "nix-serve" ];
settings.allowed-users = ["root" config.xinCI.user "harmonia"];
ci_ed25519_pub = {
mode = "444";
owner = config.xinCI.user;
};
systemd.services = lib.listToAttrs (builtins.map xinlib.jobToService jobs);
services = {
tsrevprox = {
enable = true;
reverseName = "nix-binary-cache";
envFile = config.sops.secrets.ts_proxy_env.path;
};
harmonia = {
enable = true;
signKeyPath = config.sops.secrets.bin_cache_priv_key.path;
settings = {bind = "127.0.0.1:5000";};
};
#nix-serve = {
# package = pkgs.nix-serve-ng;
# enable = true;
# secretKeyFile = config.sops.secrets.bin_cache_priv_key.path;
# bindAddress = "127.0.0.1";
#};
ci_signing_ed25519_key = {
mode = "400";
owner = config.xinCI.user;
};
ci_signing_ed25519_pub = {
mode = "444";
owner = config.xinCI.user;
};
bin_cache_priv_key = {
mode = "400";
owner = "root";
group = "wheel";
};
bin_cache_pub_key = {
mode = "444";
owner = "root";
group = "wheel";
};
ts_proxy_env = {
mode = "400";
owner = config.services.tsrevprox.user;
};
boot.binfmt.emulatedSystems = ["aarch64-linux" "armv6l-linux"];
};
}
environment.systemPackages = with pkgs; [
inputs.po.packages.${pkgs.system}.po
keychain
];
nix = {
#settings.allowed-users = [ "root" config.xinCI.user "nix-serve" ];
settings.allowed-users = [ "root" config.xinCI.user "harmonia" ];
};
systemd.services = lib.listToAttrs (builtins.map xinlib.jobToService jobs);
services = {
tsrevprox = {
enable = true;
reverseName = "nix-binary-cache";
envFile = config.sops.secrets.ts_proxy_env.path;
};
harmonia = {
enable = true;
signKeyPath = config.sops.secrets.bin_cache_priv_key.path;
settings = { bind = "127.0.0.1:5000"; };
};
#nix-serve = {
# package = pkgs.nix-serve-ng;
# enable = true;
# secretKeyFile = config.sops.secrets.bin_cache_priv_key.path;
# bindAddress = "127.0.0.1";
#};
};
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv6l-linux" ];
};
}


@ -1,7 +1,6 @@
{
config,
lib,
...
{ config
, lib
, ...
}:
with lib; {
options = {
@ -16,7 +15,7 @@ with lib; {
};
config = mkIf config.colemak.enable {
console = {keyMap = "colemak";};
console = { keyMap = "colemak"; };
services.xserver = {
layout = "us";
xkbVariant = "colemak";


@ -1,4 +1,4 @@
{...}: {
{ ... }: {
imports = [
./ca.nix
./ci.nix


@ -1,7 +1,6 @@
{
config,
lib,
...
{ config
, lib
, ...
}:
with lib; {
options = {
@ -22,7 +21,7 @@ with lib; {
enable = true;
dnssec = "allow-downgrade";
# TODO: Enable a toggle for ipv6
fallbackDns = ["9.9.9.9" "2620:fe::fe" "149.112.112.112" "2620:fe::9"];
fallbackDns = [ "9.9.9.9" "2620:fe::fe" "149.112.112.112" "2620:fe::9" ];
extraConfig = ''
[Resolve]
DNS=45.90.28.0#8436c6.dns1.nextdns.io


@ -1,23 +1,22 @@
{
config,
lib,
...
{ config
, lib
, ...
}:
with lib; {
options = {
doas = {enable = mkEnableOption "Enable doas for priv-escie";};
doas = { enable = mkEnableOption "Enable doas for priv-escie"; };
};
config = mkIf config.doas.enable {
nixpkgs.config.packageOverrides = pkgs: {
doas = pkgs.doas.override {withPAM = false;};
doas = pkgs.doas.override { withPAM = false; };
};
security = {
doas = {
enable = true;
extraRules = [
{
groups = ["wheel"];
groups = [ "wheel" ];
persist = true;
}
];


@ -1,19 +1,19 @@
{
runCommand,
emacsWithPackagesFromUsePackage,
pkgs,
lib,
makeWrapper,
mu,
writeTextDir,
emacs,
emacsPkg ? pkgs.emacsPgtkNativeComp,
...
}: let
{ runCommand
, emacsWithPackagesFromUsePackage
, pkgs
, lib
, makeWrapper
, mu
, writeTextDir
, emacs
, emacsPkg ? pkgs.emacsPgtkNativeComp
, ...
}:
let
muDir = "${mu}/share/emacs/site-lisp/mu4e";
# Generate a .el file from our emacs.org.
emacsConfig = runCommand "emacsConfig" {} ''
emacsConfig = runCommand "emacsConfig" { } ''
mkdir -p $out
cp -v ${./emacs.org} $out/emacs.org
cd $out
@ -50,19 +50,19 @@
texlive.combined.scheme-full
];
in
emacsWithPackagesFromUsePackage {
config = ./emacs.org;
emacsWithPackagesFromUsePackage {
config = ./emacs.org;
alwaysEnsure = true;
alwaysTangle = true;
alwaysEnsure = true;
alwaysTangle = true;
package = emacsPkg.overrideAttrs (oa: {
nativeBuildInputs = oa.nativeBuildInputs ++ [makeWrapper emacsConfig];
postInstall = ''
${oa.postInstall}
wrapProgram $out/bin/emacs \
--prefix PATH : ${pkgs.lib.makeBinPath emacsDepList} \
--add-flags '--init-directory ${emacsInitDir}'
'';
});
}
package = emacsPkg.overrideAttrs (oa: {
nativeBuildInputs = oa.nativeBuildInputs ++ [ makeWrapper emacsConfig ];
postInstall = ''
${oa.postInstall}
wrapProgram $out/bin/emacs \
--prefix PATH : ${pkgs.lib.makeBinPath emacsDepList} \
--add-flags '--init-directory ${emacsInitDir}'
'';
});
}


@ -1,4 +1,4 @@
{...}: {
{ ... }: {
programs = {
firefox = {
enable = true;


@ -1,19 +1,21 @@
{config, ...}: let
{ config, ... }:
let
rewriteGitHub =
if config.networking.hostName != "stan"
then {
url = {"ssh://git@github.com/" = {insteadOf = "https://github.com/";};};
url = { "ssh://git@github.com/" = { insteadOf = "https://github.com/"; }; };
}
else {
url = {};
url = { };
};
in {
in
{
programs.git = {
enable = true;
lfs.enable = true;
config = [
{init = {defaultBranch = "main";};}
{advice.detachedHead = false;}
{ init = { defaultBranch = "main"; }; }
{ advice.detachedHead = false; }
{
user = {
name = "Aaron Bieber";
@ -22,7 +24,7 @@ in {
};
}
{branch = {sort = "-committerdate";};}
{ branch = { sort = "-committerdate"; }; }
{
alias = {
log = "log --color=never";
@ -32,10 +34,10 @@ in {
"!f() { git fetch $1 refs/pull/$2/head:refs/remotes/pr/$2; }; f"'';
};
}
{push = {default = "current";};}
{ push = { default = "current"; }; }
{gpg = {format = "ssh";};}
{commit = {gpgsign = true;};}
{ gpg = { format = "ssh"; }; }
{ commit = { gpgsign = true; }; }
{
color = {
@ -47,13 +49,13 @@ in {
};
}
{safe = {directory = "/home/qbit/src/nix-conf";};}
{ safe = { directory = "/home/qbit/src/nix-conf"; }; }
{transfer = {fsckobjects = true;};}
{fetch = {fsckobjects = true;};}
{github = {user = "qbit";};}
{ transfer = { fsckobjects = true; }; }
{ fetch = { fsckobjects = true; }; }
{ github = { user = "qbit"; }; }
{inherit (rewriteGitHub) url;}
{ inherit (rewriteGitHub) url; }
{
sendmail = {
@ -67,8 +69,8 @@ in {
};
}
{pull = {rebase = false;};}
{include = {path = "~/work/git/gitconfig";};}
{ pull = { rebase = false; }; }
{ include = { path = "~/work/git/gitconfig"; }; }
];
};
}


@ -1,4 +1,4 @@
{lib, ...}:
{ lib, ... }:
with lib; {
environment = {
memoryAllocator.provider = mkDefault "scudo";


@ -1,9 +1,9 @@
{
pkgs,
linkFarm,
...
}: let
tomlFmt = pkgs.formats.toml {};
{ pkgs
, linkFarm
, ...
}:
let
tomlFmt = pkgs.formats.toml { };
helixBin = "${pkgs.helix}/bin/hx";
helixConfig = tomlFmt.generate "config.toml" {
@ -15,7 +15,7 @@
normal = "block";
select = "underline";
};
lsp = {auto-signature-help = false;};
lsp = { auto-signature-help = false; };
};
};
@ -38,9 +38,9 @@
}
];
in
pkgs.writeScriptBin "hx" ''
# Conf: ${helixConfig}
# Theme: ${helixTheme}
pkgs.writeScriptBin "hx" ''
# Conf: ${helixConfig}
# Theme: ${helixTheme}
env XDG_CONFIG_HOME="${xdgDir}" ${helixBin} "$@"
''
env XDG_CONFIG_HOME="${xdgDir}" ${helixBin} "$@"
''


@ -1,57 +1,57 @@
{
config,
lib,
pkgs,
inputs,
...
}: let
{ config
, lib
, pkgs
, inputs
, ...
}:
let
microcaBin = "${pkgs.microca}/bin/microca";
microca = pkgs.writeScriptBin "microca" ''
#!/usr/bin/env sh
${microcaBin} -ca-key /run/secrets/ca_key -ca-cert /run/secrets/ca_cert $@
'';
in
with lib; {
options = {
nixManager = {
enable = mkEnableOption "Configure host as nix-conf manager.";
user = mkOption {
type = types.str;
default = "root";
description = ''
User who will own the private key.
'';
};
with lib; {
options = {
nixManager = {
enable = mkEnableOption "Configure host as nix-conf manager.";
user = mkOption {
type = types.str;
default = "root";
description = ''
User who will own the private key.
'';
};
};
};
imports = [./tailnet.nix];
imports = [ ./tailnet.nix ];
config = mkIf config.nixManager.enable {
sops.defaultSopsFile = config.xin-secrets.manager;
sops.secrets = {
xin_status_key = {owner = config.nixManager.user;};
xin_status_pubkey = {owner = config.nixManager.user;};
manager_key = {owner = config.nixManager.user;};
manager_pubkey = {owner = config.nixManager.user;};
ca_key = {owner = config.nixManager.user;};
ca_cert = {owner = config.nixManager.user;};
po_env = {owner = config.nixManager.user;};
};
config = mkIf config.nixManager.enable {
sops.defaultSopsFile = config.xin-secrets.manager;
sops.secrets = {
xin_status_key = { owner = config.nixManager.user; };
xin_status_pubkey = { owner = config.nixManager.user; };
manager_key = { owner = config.nixManager.user; };
manager_pubkey = { owner = config.nixManager.user; };
ca_key = { owner = config.nixManager.user; };
ca_cert = { owner = config.nixManager.user; };
po_env = { owner = config.nixManager.user; };
};
environment.systemPackages = [
microca
inputs.xintray.packages.${pkgs.system}.xintray
inputs.po.packages.${pkgs.system}.po
];
environment.systemPackages = [
microca
inputs.xintray.packages.${pkgs.system}.xintray
inputs.po.packages.${pkgs.system}.po
];
networking = {
hosts = {
"66.135.2.235" = ["ns1"];
"23.234.251.216" = ["ns2"];
"46.23.94.18" = ["ns3"];
"198.23.149.18" = ["ns4"];
};
networking = {
hosts = {
"66.135.2.235" = [ "ns1" ];
"23.234.251.216" = [ "ns2" ];
"46.23.94.18" = [ "ns3" ];
"198.23.149.18" = [ "ns4" ];
};
};
}
};
}


@ -1,5 +1,5 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [neomutt urlview];
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [ neomutt urlview ];
environment.etc."neomuttrc" = {
text = ''
ignore *


@ -1,4 +1,4 @@
{pkgs, ...}:
{ pkgs, ... }:
with pkgs; let
parchment = pkgs.vimUtils.buildVimPluginFrom2Nix rec {
pname = "parchment";
@ -30,7 +30,7 @@ with pkgs; let
sha256 = "sha256-pMYvtNEYoVFaWlj35F1rDlfJkNY4y4S62RNpHBNBgto=";
fetchSubmodules = true;
};
dependencies = with vimPlugins; [nvim-cmp tabular];
dependencies = with vimPlugins; [ nvim-cmp tabular ];
};
neogen = pkgs.vimUtils.buildVimPluginFrom2Nix rec {
pname = "neogen";
@ -51,10 +51,10 @@ with pkgs; let
url = "mirror://cpan/authors/id/J/JA/JACQUESG/MsgPack-Raw-0.05.tar.gz";
sha256 = "8559e2b64cd98d99abc666edf2a4c8724c9534612616af11f4eb0bbd0d422dac";
};
buildInputs = with perlPackages; [TestPod TestPodCoverage];
buildInputs = with perlPackages; [ TestPod TestPodCoverage ];
meta = {
description = "Perl bindings to the msgpack C library";
license = with lib.licenses; [artistic1 gpl1Plus];
license = with lib.licenses; [ artistic1 gpl1Plus ];
};
};
@ -66,7 +66,7 @@ with pkgs; let
sha256 = "55a52c233e2dae86113f9f19b34f617edcfc8416f9bece671267bd1811b12111";
};
outputs = ["out" "dev"];
outputs = [ "out" "dev" ];
meta = {
description = "Simplified safe evaluation of Perl code";
@ -99,11 +99,11 @@ with pkgs; let
# Attempts to download stuff from the internet.
doCheck = false;
outputs = ["out" "dev"];
outputs = [ "out" "dev" ];
meta = {
description = "Perl bindings for neovim";
license = with lib.licenses; [artistic1 gpl1Plus];
license = with lib.licenses; [ artistic1 gpl1Plus ];
};
};
@ -139,13 +139,11 @@ with pkgs; let
parchment
vacme
];
myVimPackages =
if pkgs.system == "aarch64-linux"
then baseVimPackages
else baseVimPackages ++ [];
in {
myVimPackages = baseVimPackages;
in
{
environment.systemPackages = with pkgs; [
alejandra
nixpkgs-fmt
elmPackages.elm
elmPackages.elm-format
elmPackages.elm-language-server
@ -177,7 +175,7 @@ in {
enable = true;
defaultEditor = true;
configure = {
packages.myVimPackage = {start = myVimPackages;};
packages.myVimPackage = { start = myVimPackages; };
customRC = ''
" Restore cursor position
autocmd BufReadPost *


@ -1,8 +1,7 @@
{
config,
lib,
pkgs,
...
{ config
, lib
, pkgs
, ...
}:
with lib; {
options = {
@ -32,7 +31,7 @@ with lib; {
config = mkMerge [
(mkIf config.tailscale.enable {
services = {tailscale = {enable = mkDefault true;};};
services = { tailscale = { enable = mkDefault true; }; };
networking.firewall.checkReversePath = mkDefault "loose";
})
(mkIf (config.tailscale.enable && config.tailscale.sshOnly) {
@ -45,8 +44,8 @@ with lib; {
};
systemd.services = {
"tailscale-ssh-init" = {
wantedBy = ["tailscaled.service"];
after = ["tailscaled.service"];
wantedBy = [ "tailscaled.service" ];
after = [ "tailscaled.service" ];
serviceConfig = {
ExecStart = "${pkgs.tailscale}/bin/tailscale up --auth-key file://${config.sops.secrets.ts_sshonly.path}";
};
@ -54,11 +53,11 @@ with lib; {
};
})
(mkIf config.zerotier.enable {
environment.systemPackages = with pkgs; [zerotierone];
environment.systemPackages = with pkgs; [ zerotierone ];
services = {
zerotierone = {
enable = true;
joinNetworks = ["db64858fedd3b256"];
joinNetworks = [ "db64858fedd3b256" ];
};
};
networking.firewall.checkReversePath = "loose";


@ -1,8 +1,7 @@
{
config,
lib,
pkgs,
...
{ config
, lib
, pkgs
, ...
}:
with lib; {
options = {
@ -22,25 +21,25 @@ with lib; {
interfaces = mkOption {
description = "Interfaces to allow peerix to listen on.";
type = types.listOf types.str;
default = ["tailscale0"];
default = [ "tailscale0" ];
};
};
};
config = mkIf config.tsPeerix.enable {
users.groups.peerix = {name = "peerix";};
users.groups.peerix = { name = "peerix"; };
users.users.peerix = {
name = "peerix";
group = "peerix";
isSystemUser = true;
};
nix.settings.allowed-users = ["peerix"];
nix.settings.allowed-users = [ "peerix" ];
services = {
zerotierone = {
enable = true;
joinNetworks = ["db64858fedd3b256"];
joinNetworks = [ "db64858fedd3b256" ];
};
peerix = {
@ -53,13 +52,14 @@ with lib; {
};
};
environment.systemPackages = [pkgs.zerotierone];
environment.systemPackages = [ pkgs.zerotierone ];
networking.firewall.interfaces = listToAttrs (flatten (map (i: {
networking.firewall.interfaces = listToAttrs (flatten (map
(i: {
name = i;
value = {
allowedUDPPorts = [12304];
allowedTCPPorts = [12304];
allowedUDPPorts = [ 12304 ];
allowedTCPPorts = [ 12304 ];
};
})
config.tsPeerix.interfaces));


@ -1,59 +1,60 @@
{
config,
pkgs,
lib,
inputs,
xinlib,
...
}: let
tailnetACLs = let
acls = {
hosts = {
europa = "100.92.31.80";
startpage = "100.120.84.116";
startdev = "100.92.56.119";
go = "100.117.47.51";
nbc = "100.122.61.43"; # nix-binary-cache
console = "100.87.112.70";
box = "100.120.151.126";
};
{ config
, pkgs
, lib
, inputs
, xinlib
, ...
}:
let
tailnetACLs =
let
acls = {
hosts = {
europa = "100.92.31.80";
startpage = "100.120.84.116";
startdev = "100.92.56.119";
go = "100.117.47.51";
nbc = "100.122.61.43"; # nix-binary-cache
console = "100.87.112.70";
box = "100.120.151.126";
};
tagOwners = {
"tag:untrusted" = ["qbit@github"];
"tag:minservice" = ["qbit@github"];
"tag:sshonly" = ["qbit@github"];
"tag:apper" = ["qbit@github"];
"tag:golink" = ["qbit@github"];
"tag:lab" = ["qbit@github"];
};
tagOwners = {
"tag:untrusted" = [ "qbit@github" ];
"tag:minservice" = [ "qbit@github" ];
"tag:sshonly" = [ "qbit@github" ];
"tag:apper" = [ "qbit@github" ];
"tag:golink" = [ "qbit@github" ];
"tag:lab" = [ "qbit@github" ];
};
acls = [
{
action = "accept";
src = ["tag:untrusted"];
dst = [
"europa:22"
"europa:12304"
"startpage:443"
"startdev:443"
"go:80"
"tag:lab:22"
"nbc:443"
];
}
{
action = "accept";
src = ["tag:minservice" "tag:sshonly"];
dst = ["*:22" "box:3030" "nbc:443" "console:2222"];
}
{
action = "accept";
src = ["qbit@github"];
dst = ["*:*"];
}
];
};
in
acls = [
{
action = "accept";
src = [ "tag:untrusted" ];
dst = [
"europa:22"
"europa:12304"
"startpage:443"
"startdev:443"
"go:80"
"tag:lab:22"
"nbc:443"
];
}
{
action = "accept";
src = [ "tag:minservice" "tag:sshonly" ];
dst = [ "*:22" "box:3030" "nbc:443" "console:2222" ];
}
{
action = "accept";
src = [ "qbit@github" ];
dst = [ "*:*" ];
}
];
};
in
pkgs.writeTextFile {
name = "tailnet-acls.json";
text = builtins.toJSON acls;
@ -83,22 +84,22 @@
name = "update-talenet-acls";
script = "${aclUpdateScript}/bin/tailnet-acl-updater";
startAt = "*:30:00";
path = [];
path = [ ];
inherit (config.nixManager) user;
}
];
enabled = config.nixManager.enable;
in
with lib; {
sops.secrets = mkIf enabled {
tailnet_acl_manager = {
owner = config.nixManager.user;
sopsFile = config.xin-secrets.manager;
};
po_env = {
owner = config.nixManager.user;
sopsFile = config.xin-secrets.manager;
};
with lib; {
sops.secrets = mkIf enabled {
tailnet_acl_manager = {
owner = config.nixManager.user;
sopsFile = config.xin-secrets.manager;
};
systemd.services = mkIf enabled (listToAttrs (builtins.map xinlib.jobToService jobs));
}
po_env = {
owner = config.nixManager.user;
sopsFile = config.xin-secrets.manager;
};
};
systemd.services = mkIf enabled (listToAttrs (builtins.map xinlib.jobToService jobs));
}


@ -1,4 +1,4 @@
{...}: {
{ ... }: {
programs.tmux = {
enable = true;
extraConfig = ''


@ -1,4 +1,4 @@
{...}: {
{ ... }: {
config = {
programs.zsh.interactiveShellInit = ''
export NO_COLOR=1


@ -1,17 +1,16 @@
{
config,
lib,
...
{ config
, lib
, ...
}:
with lib; {
options = {
buildConsumer = {enable = mkEnableOption "Use remote build machines";};
buildConsumer = { enable = mkEnableOption "Use remote build machines"; };
};
config = mkIf config.buildConsumer.enable {
programs.ssh.knownHosts = {
pcake = {
hostNames = ["pcake" "pcake.tapenet.org" "10.6.0.202"];
hostNames = [ "pcake" "pcake.tapenet.org" "10.6.0.202" ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgqVw3QWNG6Ty5o2HwW+25Eh59W3lZ30+wMqTEkUZVH";
};
};
@ -21,20 +20,22 @@ with lib; {
IdentitiesOnly yes
IdentityFile /root/.ssh/nix_remote
'';
nix.buildMachines = [
{
hostName = "pcake";
systems = ["x86_64-linux" "aarch64-linux"];
maxJobs = 2;
speedFactor = 4;
supportedFeatures = ["kvm" "big-parallel" "nixos-test" "benchmark"];
mandatoryFeatures = [];
}
];
nix = {
buildMachines = [
{
hostName = "pcake";
systems = [ "x86_64-linux" "aarch64-linux" ];
maxJobs = 2;
speedFactor = 4;
supportedFeatures = [ "kvm" "big-parallel" "nixos-test" "benchmark" ];
mandatoryFeatures = [ ];
}
];
nix.distributedBuilds = true;
nix.extraOptions = ''
builders-use-substitutes = true
'';
distributedBuilds = true;
extraOptions = ''
builders-use-substitutes = true
'';
};
};
}
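Review bot: The regrouped `nix = { … }` block carries `builders-use-substitutes = true` inside `extraOptions` with no comment, although it is the one setting here that changes where build inputs come from. With it set, the remote builder pulls dependencies from its own substituters instead of receiving them from this host, so the result depends on the builder's cache configuration and trusted keys. A one-line comment above `extraOptions` would record that this is intended, for example `# pcake fetches inputs from its own substituters; its cache config and trusted keys are part of this host's trust`. The enclosing `config = mkIf config.buildConsumer.enable { … }` block starts outside this hunk.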


@ -1,7 +1,6 @@
{
config,
lib,
...
{ config
, lib
, ...
}:
with lib; {
options = {
@ -11,7 +10,7 @@ with lib; {
};
config = mkIf config.buildServer.enable {
boot.binfmt.emulatedSystems = ["aarch64-linux"];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEtoU6ObMP7wmglT7rXMg0HEnh7cGBo6COL7BpmRC/o"


@ -1 +1 @@
{...}: {imports = [./build-consumer.nix ./build-server.nix];}
{ ... }: { imports = [ ./build-consumer.nix ./build-server.nix ]; }


@ -1,12 +1,12 @@
{
config,
lib,
options,
pkgs,
xinlib,
isUnstable,
...
}: let
{ config
, lib
, options
, pkgs
, xinlib
, isUnstable
, ...
}:
let
inherit (xinlib) todo;
caPubKeys = builtins.concatStringsSep "\n" [
"ssh-rsa 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 SUAH CA"
@ -16,9 +16,10 @@
statusKey = ''
command="/run/current-system/sw/bin/xin-status",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9PIhQ+yWfBM2tEG+W8W8HXJXqISXif8BcPZHakKvLM xin-status
'';
gosignify = pkgs.callPackage ./pkgs/gosignify.nix {inherit isUnstable;};
myOpenSSH = pkgs.callPackage ./pkgs/openssh {};
in {
gosignify = pkgs.callPackage ./pkgs/gosignify.nix { inherit isUnstable; };
myOpenSSH = pkgs.callPackage ./pkgs/openssh { };
in
{
imports = [
./configs
./dbuild
@ -44,7 +45,7 @@ in {
options.myconf = {
managementPubKeys = lib.mkOption rec {
type = lib.types.listOf lib.types.str;
default = [managementKey statusKey breakGlassKey];
default = [ managementKey statusKey breakGlassKey ];
example = default;
description = "List of management public keys to use";
};
@ -63,7 +64,7 @@ in {
};
config = {
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
xin_secrets_deploy_key = {
@ -74,7 +75,7 @@ in {
};
};
security.pki.caCertificateBlacklist = ["TrustCor ECA-1" "TrustCor RootCert CA-1" "TrustCor RootCert CA-2"];
security.pki.caCertificateBlacklist = [ "TrustCor ECA-1" "TrustCor RootCert CA-1" "TrustCor RootCert CA-2" ];
security.pki.certificates = [
''
-----BEGIN CERTIFICATE-----
@ -130,7 +131,7 @@ in {
'';
boot = {
loader = {systemd-boot.configurationLimit = 15;};
loader = { systemd-boot.configurationLimit = 15; };
kernelPackages = lib.mkDefault pkgs.linuxPackages_hardened;
kernel.sysctl = {
"net.ipv4.tcp_keepalive_time" = 60;
@ -142,48 +143,51 @@ in {
nix = {
settings =
if config.xinCI.enable
then {}
then { }
else {
substituters = ["https://nix-binary-cache.humpback-trout.ts.net/"];
substituters = [ "https://nix-binary-cache.humpback-trout.ts.net/" ];
trusted-public-keys = [
"nix-binary-cache.humpback-trout.ts.net:e9fJhcRtNVp6miW2pffFyK/gZ2et4y6IDigBNrEsAa0="
];
};
};
environment.systemPackages = with pkgs;
[
age
apg
bind
btop
direnv
git-bug
git-sync
gosignify
got
jq
lz4
minisign
mosh
nb
nix-diff
nix-index
nix-top
pass
ripgrep
taskwarrior
tmux
]
++ (
if isUnstable
then [nil]
else []
);
environment = {
etc."ssh/ca.pub" = { text = caPubKeys; };
systemPackages = with pkgs;
[
age
apg
bind
btop
direnv
git-bug
git-sync
gosignify
got
jq
lz4
minisign
mosh
nb
nix-diff
nix-index
nix-top
pass
ripgrep
taskwarrior
tmux
]
++ (
if isUnstable
then [ nil ]
else [ ]
);
environment.interactiveShellInit = ''
alias vi=nvim
'';
interactiveShellInit = ''
alias vi=nvim
'';
};
time.timeZone = "US/Mountain";
@ -201,7 +205,7 @@ in {
"[namish.humpback-trout.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
"[git.tapenet.org]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkbSJWeWJyJjak/boaMTqzPVq91wfJz1P+I4rnBUsPW";
};
knownHostsFiles = [./configs/ssh_known_hosts];
knownHostsFiles = [ ./configs/ssh_known_hosts ];
startAgent = true;
agentTimeout = "100m";
extraConfig = ''
@ -216,8 +220,6 @@ in {
};
};
environment.etc."ssh/ca.pub" = {text = caPubKeys;};
services.logrotate.checkConfig =
todo "logrotate disabled: https://github.com/NixOS/nix/issues/8502" false;
@ -230,7 +232,7 @@ in {
settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org"];
KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"

558
flake.nix

@ -19,7 +19,7 @@
inputs.sops-nix.follows = "sops-nix";
};
nixos-hardware = {url = "github:NixOS/nixos-hardware/master";};
nixos-hardware = { url = "github:NixOS/nixos-hardware/master"; };
#emacs-overlay = {
# url = "github:nix-community/emacs-overlay/d54a1521619daa37c9aa8c9e3362abb34e676007";
@ -80,285 +80,297 @@
};
};
outputs = {
self,
darwin,
gostart,
nixos-hardware,
peerix,
po,
pots,
pr-status,
stable,
tsRevProx,
tsvnstat,
unstable,
unstableSmall,
xin-secrets,
xintray,
...
} @ inputs: let
xinlib = import ./lib {inherit (unstable) lib;};
supportedSystems = ["x86_64-linux"];
#[ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
forAllSystems = unstable.lib.genAttrs supportedSystems;
unstablePkgsFor = forAllSystems (system:
import unstable {
inherit system;
#imports = [ ./overlays ];
});
stablePkgsFor = forAllSystems (system:
import stable {
inherit system;
#imports = [ ./overlays ];
});
hostBase = {
modules = [
# Common config stuffs
(import ./default.nix)
outputs =
{ self
, darwin
, gostart
, nixos-hardware
, peerix
, po
, pots
, pr-status
, stable
, tsRevProx
, tsvnstat
, unstable
, unstableSmall
, xin-secrets
, xintray
, ...
} @ inputs:
let
xinlib = import ./lib { inherit (unstable) lib; };
supportedSystems = [ "x86_64-linux" ];
#[ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
forAllSystems = unstable.lib.genAttrs supportedSystems;
unstablePkgsFor = forAllSystems (system:
import unstable {
inherit system;
#imports = [ ./overlays ];
});
stablePkgsFor = forAllSystems (system:
import stable {
inherit system;
#imports = [ ./overlays ];
});
hostBase = {
modules = [
# Common config stuffs
(import ./default.nix)
xin-secrets.nixosModules.sops
xin-secrets.nixosModules.xin-secrets
xin-secrets.nixosModules.sops
xin-secrets.nixosModules.xin-secrets
peerix.nixosModules.peerix
peerix.nixosModules.peerix
];
};
overlays = [
#inputs.emacs-overlay.overlay
inputs.gostart.overlay
inputs.microca.overlay
inputs.peerix.overlay
inputs.pots.overlay
inputs.pr-status.overlay
inputs.taskobs.overlay
inputs.tsRevProx.overlay
];
};
overlays = [
#inputs.emacs-overlay.overlay
inputs.gostart.overlay
inputs.microca.overlay
inputs.peerix.overlay
inputs.pots.overlay
inputs.pr-status.overlay
inputs.taskobs.overlay
inputs.tsRevProx.overlay
];
buildSys = sys: sysBase: extraMods: name:
sysBase.lib.nixosSystem {
system = sys;
specialArgs = {
inherit inputs;
inherit xinlib;
buildSys = sys: sysBase: extraMods: name:
sysBase.lib.nixosSystem {
system = sys;
specialArgs = {
inherit inputs;
inherit xinlib;
};
modules =
hostBase.modules
++ extraMods
++ [
{
nix = {
registry = {
nixpkgs.flake = sysBase;
stable.flake = stable;
unstable.flake = unstable;
};
nixPath = [ "nixpkgs=${sysBase}" ];
};
}
]
++ [ (xinlib.buildVer self) (./. + "/hosts/${name}") ]
++ [{ nixpkgs.overlays = overlays; }];
};
modules =
hostBase.modules
++ extraMods
++ [
{
nix = {
registry.nixpkgs.flake = sysBase;
registry.stable.flake = stable;
registry.unstable.flake = unstable;
nixPath = ["nixpkgs=${sysBase}"];
};
}
]
++ [(xinlib.buildVer self) (./. + "/hosts/${name}")]
++ [{nixpkgs.overlays = overlays;}];
};
lpkgs = unstable.legacyPackages.x86_64-linux;
darwinPkgs = unstableSmall.legacyPackages.aarch64-darwin;
in {
darwinConfigurations = {
plq = darwin.lib.darwinSystem {
system = "aarch64-darwin";
specialArgs = {inherit xinlib;};
modules = [
xin-secrets.nixosModules.sops
./overlays
./hosts/plq
];
};
};
# Expose all of the overlays to unstable so we can test build
# everything before deploying
legacyPackages.x86_64-linux = import unstable {
system = "x86_64-linux";
overlays = let
overlayFn = import ./overlays;
stableList = overlayFn {
isUnstable = true;
inherit xinlib;
};
unstableList = overlayFn {
isUnstable = false;
inherit xinlib;
};
in
[] ++ stableList.nixpkgs.overlays ++ unstableList.nixpkgs.overlays;
};
formatter.x86_64-linux = stable.legacyPackages.x86_64-linux.alejandra;
formatter.aarch64-darwin = stable.legacyPackages.aarch64-darwin.alejandra;
devShells.x86_64-linux.default = xinlib.buildShell lpkgs;
devShells.aarch64-darwin.default = xinlib.buildShell darwinPkgs;
nixosConfigurations = {
europa = buildSys "x86_64-linux" unstable [
nixos-hardware.nixosModules.framework
] "europa";
pwntie = buildSys "x86_64-linux" stable [] "pwntie";
stan = buildSys "x86_64-linux" unstable [] "stan";
weather = buildSys "aarch64-linux" stable [] "weather";
faf = buildSys "x86_64-linux" stable [./configs/hardened.nix] "faf";
box = buildSys "x86_64-linux" stable [./configs/hardened.nix] "box";
#luna = buildSys "x86_64-linux" stable
# [ "${nixos-hardware}/common/cpu/intel" ] "luna";
h = buildSys "x86_64-linux" stable [
./configs/hardened.nix
gostart.nixosModule
pots.nixosModule
pr-status.nixosModule
] "h";
#router =
# buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "router";
arm64Install = stable.lib.nixosSystem {
system = "aarch64-linux";
modules = [
(import ./installer.nix)
xin-secrets.nixosModules.sops
"${stable}/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix"
];
};
#weatherzero = buildSys "armv6l" stable [
# "${stable}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
# {
# nixpkgs = {
# buildPlatform = {
# system = "x86_64-linux";
# config = "x86_64-unknown-linux-gnu";
# };
# hostPlatform = {
# system = "armv6l-linux";
# config = "armv6l-unknown-linux-gnueabihf";
# };
# };
# }
#] "weatherzero";
isoInstall = stable.lib.nixosSystem {
system = "x86_64-linux";
modules = [
(xinlib.buildVer self)
(import ./installer.nix)
xin-secrets.nixosModules.sops
"${stable}/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix"
];
};
};
packages = forAllSystems (system: let
upkgs = unstablePkgsFor.${system};
spkgs = stablePkgsFor.${system};
in {
ada_language_server =
spkgs.callPackage ./pkgs/ada_language_server.nix {inherit spkgs;};
alire = spkgs.callPackage ./pkgs/alire.nix {inherit spkgs;};
bearclaw = spkgs.callPackage ./pkgs/bearclaw.nix {inherit spkgs;};
rtlamr = spkgs.callPackage ./pkgs/rtlamr.nix {inherit spkgs;};
clilol = spkgs.callPackage ./pkgs/clilol.nix {inherit spkgs;};
gqrss = spkgs.callPackage ./pkgs/gqrss.nix {
inherit spkgs;
isUnstable = true;
};
iamb = upkgs.callPackage ./pkgs/iamb.nix {};
icbirc = spkgs.callPackage ./pkgs/icbirc.nix {
inherit spkgs;
isUnstable = true;
};
femtolisp = upkgs.callPackage ./pkgs/femtolisp.nix {};
fyne = upkgs.callPackage ./pkgs/fyne.nix {inherit upkgs;};
flake-warn =
spkgs.callPackage ./pkgs/flake-warn.nix {inherit spkgs;};
#kurinto = spkgs.callPackage ./pkgs/kurinto.nix {};
mcchunkie = spkgs.callPackage ./pkgs/mcchunkie.nix {inherit spkgs;};
yaegi = spkgs.callPackage ./pkgs/yaegi.nix {inherit spkgs;};
gen-patches =
spkgs.callPackage ./bins/gen-patches.nix {inherit spkgs;};
yarr = spkgs.callPackage ./pkgs/yarr.nix {
inherit spkgs;
isUnstable = true;
};
precursorupdater = spkgs.python3Packages.callPackage ./pkgs/precursorupdater.nix {
inherit spkgs;
};
rtlamr2mqtt = spkgs.python3Packages.callPackage ./pkgs/rtlamr2mqtt.nix {
inherit spkgs;
};
kobuddy = upkgs.python3Packages.callPackage ./pkgs/kobuddy.nix {
inherit upkgs;
};
ghexport = upkgs.python3Packages.callPackage ./pkgs/ghexport.nix {
inherit upkgs;
};
hpi =
upkgs.python3Packages.callPackage ./pkgs/hpi.nix {inherit upkgs;};
promnesia = upkgs.python3Packages.callPackage ./pkgs/promnesia.nix {
inherit upkgs;
};
sliding-sync =
spkgs.callPackage ./pkgs/sliding-sync.nix {inherit spkgs;};
golink = spkgs.callPackage ./pkgs/golink.nix {inherit spkgs;};
gokrazy = upkgs.callPackage ./pkgs/gokrazy.nix {inherit upkgs;};
gosignify = spkgs.callPackage ./pkgs/gosignify.nix {inherit spkgs;};
gotosocial =
spkgs.callPackage ./pkgs/gotosocial.nix {inherit spkgs;};
zutty = upkgs.callPackage ./pkgs/zutty.nix {
inherit upkgs;
};
mvoice = upkgs.callPackage ./pkgs/mvoice.nix {
inherit upkgs;
};
inherit (xintray.packages.${system}) xintray;
inherit (tsvnstat.packages.${system}) tsvnstat;
inherit (pots.packages.${system}) pots;
inherit (po.packages.${system}) po;
inherit (tsRevProx.packages.${system}) ts-reverse-proxy;
inherit (spkgs) matrix-synapse;
});
templates."ada" = {
path = ./templates/ada;
description = "Ada template.";
};
templates."go" = {
path = ./templates/go;
description = "Go template.";
};
templates."perl" = {
path = ./templates/perl;
description = "Perl template.";
};
templates."mojo" = {
path = ./templates/mojo;
description = "Perl MojoLicious template.";
};
templates."ocaml" = {
path = ./templates/ocaml;
description = "OCaml template.";
};
checks = let
buildList = ["europa" "stan" "h" "box" "faf" "weather"];
lpkgs = unstable.legacyPackages.x86_64-linux;
darwinPkgs = unstableSmall.legacyPackages.aarch64-darwin;
in
with unstable.lib;
foldl' recursiveUpdate {} (mapAttrsToList (name: system: {
{
darwinConfigurations = {
plq = darwin.lib.darwinSystem {
system = "aarch64-darwin";
specialArgs = { inherit xinlib; };
modules = [
xin-secrets.nixosModules.sops
./overlays
./hosts/plq
];
};
};
# Expose all of the overlays to unstable so we can test build
# everything before deploying
legacyPackages.x86_64-linux = import unstable {
system = "x86_64-linux";
overlays =
let
overlayFn = import ./overlays;
stableList = overlayFn {
isUnstable = true;
inherit xinlib;
};
unstableList = overlayFn {
isUnstable = false;
inherit xinlib;
};
in
stableList.nixpkgs.overlays ++ unstableList.nixpkgs.overlays;
};
formatter.x86_64-linux = stable.legacyPackages.x86_64-linux.nixpkgs-fmt;
formatter.aarch64-darwin = stable.legacyPackages.aarch64-darwin.nixpkgs-fmt;
devShells.x86_64-linux.default = xinlib.buildShell lpkgs;
devShells.aarch64-darwin.default = xinlib.buildShell darwinPkgs;
nixosConfigurations = {
europa = buildSys "x86_64-linux" unstable [
nixos-hardware.nixosModules.framework
] "europa";
pwntie = buildSys "x86_64-linux" stable [ ] "pwntie";
stan = buildSys "x86_64-linux" unstable [ ] "stan";
weather = buildSys "aarch64-linux" stable [ ] "weather";
faf = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "faf";
box = buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "box";
#luna = buildSys "x86_64-linux" stable
# [ "${nixos-hardware}/common/cpu/intel" ] "luna";
h = buildSys "x86_64-linux" stable [
./configs/hardened.nix
gostart.nixosModule
pots.nixosModule
pr-status.nixosModule
] "h";
#router =
# buildSys "x86_64-linux" stable [ ./configs/hardened.nix ] "router";
arm64Install = stable.lib.nixosSystem {
system = "aarch64-linux";
modules = [
(import ./installer.nix)
xin-secrets.nixosModules.sops
"${stable}/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix"
];
};
#weatherzero = buildSys "armv6l" stable [
# "${stable}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
# {
# nixpkgs = {
# buildPlatform = {
# system = "x86_64-linux";
# config = "x86_64-unknown-linux-gnu";
# };
# hostPlatform = {
# system = "armv6l-linux";
# config = "armv6l-unknown-linux-gnueabihf";
# };
# };
# }
#] "weatherzero";
isoInstall = stable.lib.nixosSystem {
system = "x86_64-linux";
modules = [
(xinlib.buildVer self)
(import ./installer.nix)
xin-secrets.nixosModules.sops
"${stable}/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma5.nix"
];
};
};
packages = forAllSystems (system:
let
upkgs = unstablePkgsFor.${system};
spkgs = stablePkgsFor.${system};
in
{
ada_language_server =
spkgs.callPackage ./pkgs/ada_language_server.nix { inherit spkgs; };
alire = spkgs.callPackage ./pkgs/alire.nix { inherit spkgs; };
bearclaw = spkgs.callPackage ./pkgs/bearclaw.nix { inherit spkgs; };
rtlamr = spkgs.callPackage ./pkgs/rtlamr.nix { inherit spkgs; };
clilol = spkgs.callPackage ./pkgs/clilol.nix { inherit spkgs; };
gqrss = spkgs.callPackage ./pkgs/gqrss.nix {
inherit spkgs;
isUnstable = true;
};
iamb = upkgs.callPackage ./pkgs/iamb.nix { };
icbirc = spkgs.callPackage ./pkgs/icbirc.nix {
inherit spkgs;
isUnstable = true;
};
femtolisp = upkgs.callPackage ./pkgs/femtolisp.nix { };
fyne = upkgs.callPackage ./pkgs/fyne.nix { inherit upkgs; };
flake-warn =
spkgs.callPackage ./pkgs/flake-warn.nix { inherit spkgs; };
#kurinto = spkgs.callPackage ./pkgs/kurinto.nix {};
mcchunkie = spkgs.callPackage ./pkgs/mcchunkie.nix { inherit spkgs; };
yaegi = spkgs.callPackage ./pkgs/yaegi.nix { inherit spkgs; };
gen-patches =
spkgs.callPackage ./bins/gen-patches.nix { inherit spkgs; };
yarr = spkgs.callPackage ./pkgs/yarr.nix {
inherit spkgs;
isUnstable = true;
};
precursorupdater = spkgs.python3Packages.callPackage ./pkgs/precursorupdater.nix {
inherit spkgs;
};
rtlamr2mqtt = spkgs.python3Packages.callPackage ./pkgs/rtlamr2mqtt.nix {
inherit spkgs;
};
kobuddy = upkgs.python3Packages.callPackage ./pkgs/kobuddy.nix {
inherit upkgs;
};
ghexport = upkgs.python3Packages.callPackage ./pkgs/ghexport.nix {
inherit upkgs;
};
hpi =
upkgs.python3Packages.callPackage ./pkgs/hpi.nix { inherit upkgs; };
promnesia = upkgs.python3Packages.callPackage ./pkgs/promnesia.nix {
inherit upkgs;
};
sliding-sync =
spkgs.callPackage ./pkgs/sliding-sync.nix { inherit spkgs; };
golink = spkgs.callPackage ./pkgs/golink.nix { inherit spkgs; };
gokrazy = upkgs.callPackage ./pkgs/gokrazy.nix { inherit upkgs; };
gosignify = spkgs.callPackage ./pkgs/gosignify.nix { inherit spkgs; };
gotosocial =
spkgs.callPackage ./pkgs/gotosocial.nix { inherit spkgs; };
zutty = upkgs.callPackage ./pkgs/zutty.nix {
inherit upkgs;
};
mvoice = upkgs.callPackage ./pkgs/mvoice.nix {
inherit upkgs;
};
inherit (xintray.packages.${system}) xintray;
inherit (tsvnstat.packages.${system}) tsvnstat;
inherit (pots.packages.${system}) pots;
inherit (po.packages.${system}) po;
inherit (tsRevProx.packages.${system}) ts-reverse-proxy;
inherit (spkgs) matrix-synapse;
});
templates = {
"ada" = {
path = ./templates/ada;
description = "Ada template.";
};
"go" = {
path = ./templates/go;
description = "Go template.";
};
"perl" = {
path = ./templates/perl;
description = "Perl template.";
};
"mojo" = {
path = ./templates/mojo;
description = "Perl MojoLicious template.";
};
"ocaml" = {
path = ./templates/ocaml;
description = "OCaml template.";
};
};
checks =
let
buildList = [ "europa" "stan" "h" "box" "faf" "weather" ];
in
with unstable.lib;
foldl' recursiveUpdate { } (mapAttrsToList
(name: system: {
"${system.pkgs.stdenv.hostPlatform.system}"."${name}" =
system.config.system.build.toplevel;
}) (filterAttrs (n: _: (builtins.elem n buildList))
})
(filterAttrs (n: _: (builtins.elem n buildList))
self.nixosConfigurations));
};
};
}
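Review bot: In the `legacyPackages.x86_64-linux` overlays, `stableList` is built with `isUnstable = true` and `unstableList` with `isUnstable = false`, so each binding name says the opposite of the flag it passes. The two lists are only concatenated, so today the result differs at most in overlay order, but anyone who later picks one list by name gets the wrong overlay set. Swapping the names fixes this without changing evaluation: `unstableList = overlayFn { isUnstable = true; inherit xinlib; };` and `stableList = overlayFn { isUnstable = false; inherit xinlib; };`, with the last line becoming `unstableList.nixpkgs.overlays ++ stableList.nixpkgs.overlays;`. What `./overlays` does with the flag is not visible on this page, so confirm the intended order before renaming.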


@ -1,15 +1,14 @@
{
config,
lib,
pkgs,
...
{ config
, lib
, pkgs
, ...
}:
with lib; {
options = {
arcan = {enable = mkEnableOption "Enable Arcan/Durden desktop.";};
arcan = { enable = mkEnableOption "Enable Arcan/Durden desktop."; };
};
config = mkIf config.arcan.enable {
environment.systemPackages = with pkgs; [arcanPackages.all-wrapped];
environment.systemPackages = with pkgs; [ arcanPackages.all-wrapped ];
};
}


@ -1,24 +1,24 @@
{
config,
lib,
pkgs,
xinlib,
...
}: let
firefox = import ../configs/firefox.nix {inherit pkgs;};
rage = pkgs.writeScriptBin "rage" (import ../bins/rage.nix {inherit pkgs;});
{ config
, lib
, pkgs
, xinlib
, ...
}:
let
firefox = import ../configs/firefox.nix { inherit pkgs; };
rage = pkgs.writeScriptBin "rage" (import ../bins/rage.nix { inherit pkgs; });
rpr =
pkgs.writeScriptBin "rpr"
(import ../bins/rpr.nix {inherit (pkgs) hut gh tea;});
(import ../bins/rpr.nix { inherit (pkgs) hut gh tea; });
promnesia =
pkgs.python3Packages.callPackage ../pkgs/promnesia.nix {inherit pkgs;};
hpi = pkgs.python3Packages.callPackage ../pkgs/hpi.nix {inherit pkgs;};
pkgs.python3Packages.callPackage ../pkgs/promnesia.nix { inherit pkgs; };
hpi = pkgs.python3Packages.callPackage ../pkgs/hpi.nix { inherit pkgs; };
promnesiaService = {
promnesia = {
description = "Service for promnesia.server";
wantedBy = ["graphical-session.target"];
partOf = ["graphical-session.target"];
after = ["graphical-session.target"];
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
script = ''
${promnesia}/bin/promnesia serve
'';
@ -29,82 +29,82 @@
name = "promnesia-index";
script = "${promnesia}/bin/promnesia index";
startAt = "*:0/5";
path = [promnesia hpi];
path = [ promnesia hpi ];
}
];
in
with lib; {
imports = [./gnome.nix ./kde.nix ./xfce.nix ./arcan.nix];
with lib; {
imports = [ ./gnome.nix ./kde.nix ./xfce.nix ./arcan.nix ];
options = {
pulse = {
enable = mkOption {
description = "Enable PulseAudio";
default = false;
example = true;
type = types.bool;
};
};
pipewire = {
enable = mkOption {
description = "Enable PipeWire";
default = true;
example = true;
type = types.bool;
};
options = {
pulse = {
enable = mkOption {
description = "Enable PulseAudio";
default = false;
example = true;
type = types.bool;
};
};
pipewire = {
enable = mkOption {
description = "Enable PipeWire";
default = true;
example = true;
type = types.bool;
};
};
};
config = mkMerge [
(mkIf (config.kde.enable || config.gnome.enable || config.xfce.enable) {
services = {
xserver.enable = true;
pcscd.enable = true;
};
config = mkMerge [
(mkIf (config.kde.enable || config.gnome.enable || config.xfce.enable) {
services = {
xserver.enable = true;
pcscd.enable = true;
};
documentation.enable = true;
documentation.enable = true;
# TODO: TEMP FIX
systemd.services.NetworkManager-wait-online.serviceConfig.ExecStart =
lib.mkForce ["" "${pkgs.networkmanager}/bin/nm-online -q"];
fonts.fonts = with pkgs; [
go-font
#(callPackage ../pkgs/kurinto.nix {})
];
sound.enable = true;
environment.systemPackages = with pkgs; (xinlib.filterList [
arcanPackages.all-wrapped
bc
black
drawterm
exiftool
go-font
govulncheck
hpi
pcsctools
promnesia
rage
rpr
vlc
zeal
# TODO: TEMP FIX
systemd.services.NetworkManager-wait-online.serviceConfig.ExecStart =
lib.mkForce [ "" "${pkgs.networkmanager}/bin/nm-online -q" ];
fonts.fonts = with pkgs; [
go-font
#(callPackage ../pkgs/kurinto.nix {})
];
sound.enable = true;
environment.systemPackages = with pkgs; (xinlib.filterList [
arcanPackages.all-wrapped
bc
black
drawterm
exiftool
go-font
govulncheck
hpi
pcsctools
promnesia
rage
rpr
vlc
zeal
(callPackage ../configs/helix.nix {})
]);
(callPackage ../configs/helix.nix { })
]);
programs = {} // firefox.programs;
programs = { } // firefox.programs;
systemd.user.services =
(lib.listToAttrs (builtins.map xinlib.jobToUserService jobs))
// promnesiaService;
security.rtkit.enable = true;
})
(mkIf config.pipewire.enable {
services.pipewire = {
enable = true;
pulse.enable = true;
jack.enable = true;
alsa.enable = true;
};
})
];
}
systemd.user.services =
(lib.listToAttrs (builtins.map xinlib.jobToUserService jobs))
// promnesiaService;
security.rtkit.enable = true;
})
(mkIf config.pipewire.enable {
services.pipewire = {
enable = true;
pulse.enable = true;
jack.enable = true;
alsa.enable = true;
};
})
];
}


@ -1,10 +1,9 @@
{
config,
lib,
...
{ config
, lib
, ...
}:
with lib; {
options = {gnome = {enable = mkEnableOption "Enable GNOME desktop.";};};
options = { gnome = { enable = mkEnableOption "Enable GNOME desktop."; }; };
config = mkIf config.gnome.enable {
services.xserver.displayManager.gdm.enable = true;


@ -1,12 +1,13 @@
{
config,
lib,
pkgs,
...
}: let
{ config
, lib
, pkgs
, ...
}:
let
inherit (pkgs.libsForQt5) callPackage;
in {
options = {kde = {enable = lib.mkEnableOption "Enable KDE desktop.";};};
in
{
options = { kde = { enable = lib.mkEnableOption "Enable KDE desktop."; }; };
config = lib.mkIf config.kde.enable {
services.xserver.displayManager.sddm.enable = true;
@ -21,7 +22,7 @@ in {
};
environment.systemPackages = with pkgs; [
(callPackage ../pkgs/tile-gaps.nix {})
(callPackage ../pkgs/tile-gaps.nix { })
libsForQt5.bismuth
plasma5Packages.kdeconnect-kde
waynergy


@ -1,11 +1,10 @@
{
config,
lib,
pkgs,
...
{ config
, lib
, pkgs
, ...
}:
with lib; {
options = {xfce = {enable = mkEnableOption "Enable XFCE desktop.";};};
options = { xfce = { enable = mkEnableOption "Enable XFCE desktop."; }; };
config = mkIf config.xfce.enable {
security.pam.services = {
@ -23,6 +22,6 @@ with lib; {
];
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.xfce = {enable = true;};
services.xserver.desktopManager.xfce = { enable = true; };
};
}


@ -1,11 +1,11 @@
{
inputs,
config,
lib,
pkgs,
isUnstable,
...
}: let
{ inputs
, config
, lib
, pkgs
, isUnstable
, ...
}:
let
#photoPrismTag = "220901-bullseye";
httpCacheTime = "720m";
httpAllow = ''
@ -38,13 +38,14 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnaC1v+VoVNnK04D32H+euiCyWPXU8nX6w+4UoFfjA3 qbit@plq"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
];
userBase = {openssh.authorizedKeys.keys = pubKeys;};
userBase = { openssh.authorizedKeys.keys = pubKeys; };
mkNginxSecret = {
sopsFile = config.xin-secrets.box.certs;
owner = config.users.users.nginx.name;
mode = "400";
};
in {
in
{
_module.args.isUnstable = false;
imports = [
./hardware-configuration.nix
@ -65,41 +66,45 @@ in {
owner = config.users.users.gitea.name;
sopsFile = config.xin-secrets.box.services;
};
"bitwarden_rs.env" = {sopsFile = config.xin-secrets.box.services;};
"wireguard_private_key" = {sopsFile = config.xin-secrets.box.services;};
"bitwarden_rs.env" = { sopsFile = config.xin-secrets.box.services; };
"wireguard_private_key" = { sopsFile = config.xin-secrets.box.services; };
books_cert = mkNginxSecret;
books_key = mkNginxSecret;
jelly_cert = mkNginxSecret;
jelly_key = mkNginxSecret;
lidarr_cert = mkNginxSecret;
lidarr_key = mkNginxSecret;
nzb_cert = mkNginxSecret;
nzb_key = mkNginxSecret;
prowlarr_cert = mkNginxSecret;
prowlarr_key = mkNginxSecret;
radarr_cert = mkNginxSecret;
radarr_key = mkNginxSecret;
reddit_cert = mkNginxSecret;
reddit_key = mkNginxSecret;
sonarr_cert = mkNginxSecret;
sonarr_key = mkNginxSecret;
graph_cert = mkNginxSecret;
graph_key = mkNginxSecret;
bw_cert = mkNginxSecret;
bw_key = mkNginxSecret;
invidious_cert = mkNginxSecret;
invidious_key = mkNginxSecret;
readarr_cert = mkNginxSecret;
readarr_key = mkNginxSecret;
home_cert = mkNginxSecret;
home_key = mkNginxSecret;
};
sops.secrets.books_cert = mkNginxSecret;
sops.secrets.books_key = mkNginxSecret;
sops.secrets.jelly_cert = mkNginxSecret;
sops.secrets.jelly_key = mkNginxSecret;
sops.secrets.lidarr_cert = mkNginxSecret;
sops.secrets.lidarr_key = mkNginxSecret;
sops.secrets.nzb_cert = mkNginxSecret;
sops.secrets.nzb_key = mkNginxSecret;
sops.secrets.prowlarr_cert = mkNginxSecret;
sops.secrets.prowlarr_key = mkNginxSecret;
sops.secrets.radarr_cert = mkNginxSecret;
sops.secrets.radarr_key = mkNginxSecret;
sops.secrets.reddit_cert = mkNginxSecret;
sops.secrets.reddit_key = mkNginxSecret;
sops.secrets.sonarr_cert = mkNginxSecret;
sops.secrets.sonarr_key = mkNginxSecret;
sops.secrets.graph_cert = mkNginxSecret;
sops.secrets.graph_key = mkNginxSecret;
sops.secrets.bw_cert = mkNginxSecret;
sops.secrets.bw_key = mkNginxSecret;
sops.secrets.invidious_cert = mkNginxSecret;
sops.secrets.invidious_key = mkNginxSecret;
sops.secrets.readarr_cert = mkNginxSecret;
sops.secrets.readarr_key = mkNginxSecret;
sops.secrets.home_cert = mkNginxSecret;
sops.secrets.home_key = mkNginxSecret;
boot.supportedFilesystems = ["zfs"];
boot.loader.grub.copyKernels = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot = {
supportedFilesystems = [ "zfs" ];
loader = {
grub.copyKernels = true;
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
doas.enable = true;
@ -111,14 +116,14 @@ in {
enableIPv6 = false;
hosts = {
"127.0.0.1" = ["git.tapenet.org"];
"10.6.0.15" = ["jelly.bold.daemon"];
"100.122.61.43" = ["nix-binary-cache.humpback-trout.ts.net"];
"127.0.0.1" = [ "git.tapenet.org" ];
"10.6.0.15" = [ "jelly.bold.daemon" ];
"100.122.61.43" = [ "nix-binary-cache.humpback-trout.ts.net" ];
};
interfaces.enp7s0 = {useDHCP = true;};
interfaces.enp7s0 = { useDHCP = true; };
firewall = {
interfaces = {"tailscale0" = {allowedTCPPorts = [3030];};};
interfaces = { "tailscale0" = { allowedTCPPorts = [ 3030 ]; }; };
interfaces = {
"wg0" = {
allowedTCPPorts = [
@ -154,12 +159,12 @@ in {
interfaces = {
wg0 = {
listenPort = 7122;
ips = ["192.168.112.4/32"];
ips = [ "192.168.112.4/32" ];
peers = [
{
publicKey = "IMJ1gVK6KzRghon5Wg1dxv1JCB8IbdSqeFjwQAxJM10=";
endpoint = "23.29.118.127:7122";
allowedIPs = ["192.168.112.3/32"];
allowedIPs = [ "192.168.112.3/32" ];
persistentKeepalive = 25;
}
];
@ -192,7 +197,7 @@ in {
glowing-bear
rtl_433
(callPackage ../../pkgs/athens.nix {inherit isUnstable;})
(callPackage ../../pkgs/athens.nix { inherit isUnstable; })
];
security.acme = {
@ -200,35 +205,34 @@ in {
defaults.email = "aaron@bolddaemon.com";
};
users.groups.media = {
name = "media";
members = ["qbit" "sonarr" "radarr" "lidarr" "nzbget" "jellyfin" "headphones" "rtorrent" "readarr"];
};
users = {
groups = {
media = {
name = "media";
members = [ "qbit" "sonarr" "radarr" "lidarr" "nzbget" "jellyfin" "headphones" "rtorrent" "readarr" ];
};
users.groups.photos = {
name = "photos";
members = ["qbit"];
};
photos = {
name = "photos";
members = [ "qbit" ];
};
users.groups.photoprism = {
name = "photoprism";
gid = 986;
};
users.users.photoprism = {
uid = 991;
name = "photoprism";
isSystemUser = true;
hashedPassword = null;
group = "photoprism";
shell = "/bin/sh";
openssh.authorizedKeys.keys = pubKeys;
};
systemd.services.photoprism = {
serviceConfig = {
WorkingDirectory = lib.mkForce "/media/pictures/photoprism";
photoprism = {
name = "photoprism";
gid = 986;
};
};
users = {
photoprism = {
uid = 991;
name = "photoprism";
isSystemUser = true;
hashedPassword = null;
group = "photoprism";
shell = "/bin/sh";
openssh.authorizedKeys.keys = pubKeys;
};
};
preStart = lib.mkForce "";
};
hardware.rtl-sdr.enable = true;
@ -238,7 +242,7 @@ in {
enable = true;
listeners = [
{
acl = ["pattern readwrite #"];
acl = [ "pattern readwrite #" ];
omitPasswordAuth = true;
settings.allow_anonymous = true;
}
@ -311,7 +315,7 @@ in {
];
device_tracker = [
];
default_config = {};
default_config = { };
http = {
use_x_forwarded_for = true;
server_host = "127.0.0.1";
@ -382,23 +386,25 @@ in {
};
cron = {
enable = true;
systemCronJobs = let
tsCertsScript = pkgs.writeScriptBin "ts-certs.sh" ''
#!/usr/bin/env sh
. /etc/profile;
(
mkdir -p /etc/nixos/secrets;
chown root /etc/nixos/secrets/box.humpback-trout.ts.net.*;
tailscale cert \
--cert-file /etc/nixos/secrets/box.humpback-trout.ts.net.crt \
--key-file=/etc/nixos/secrets/box.humpback-trout.ts.net.key \
box.humpback-trout.ts.net;
chown nginx /etc/nixos/secrets/box.humpback-trout.ts.net.*
) >/dev/null 2>&1
'';
in ["@daily root ${tsCertsScript}/bin/ts-certs.sh"];
systemCronJobs =
let
tsCertsScript = pkgs.writeScriptBin "ts-certs.sh" ''
#!/usr/bin/env sh
. /etc/profile;
(
mkdir -p /etc/nixos/secrets;
chown root /etc/nixos/secrets/box.humpback-trout.ts.net.*;
tailscale cert \
--cert-file /etc/nixos/secrets/box.humpback-trout.ts.net.crt \
--key-file=/etc/nixos/secrets/box.humpback-trout.ts.net.key \
box.humpback-trout.ts.net;
chown nginx /etc/nixos/secrets/box.humpback-trout.ts.net.*
) >/dev/null 2>&1
'';
in
[ "@daily root ${tsCertsScript}/bin/ts-certs.sh" ];
};
openssh = {settings.X11Forwarding = true;};
openssh = { settings.X11Forwarding = true; };
tor.enable = true;
@ -424,7 +430,7 @@ in {
nzbget = {
enable = true;
group = "media";
settings = {MainDir = "/media/downloads";};
settings = { MainDir = "/media/downloads"; };
};
fwupd.enable = true;
@ -449,7 +455,7 @@ in {
calibre-web = {
enable = true;
group = "media";
options = {enableBookUploading = true;};
options = { enableBookUploading = true; };
listen.port = 8909;
listen.ip = "127.0.0.1";
};
@ -501,7 +507,7 @@ in {
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {store = "inmemory";};
kvstore = { store = "inmemory"; };
replication_factor = 1;
};
};
@ -535,7 +541,7 @@ in {
shared_store = "filesystem";
};
filesystem = {directory = "/var/lib/loki/chunks";};
filesystem = { directory = "/var/lib/loki/chunks"; };
};
limits_config = {
@ -543,7 +549,7 @@ in {
reject_old_samples_max_age = "168h";
};
chunk_store_config = {max_look_back_period = "0s";};
chunk_store_config = { max_look_back_period = "0s"; };
table_manager = {
retention_deletes_enabled = false;
@ -553,7 +559,7 @@ in {
compactor = {
working_directory = "/var/lib/loki";
shared_store = "filesystem";
compactor_ring = {kvstore = {store = "inmemory";};};
compactor_ring = { kvstore = { store = "inmemory"; }; };
};
};
};
@ -565,7 +571,7 @@ in {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {filename = "/tmp/positions.yaml";};
positions = { filename = "/tmp/positions.yaml"; };
clients = [
{
url = "http://127.0.0.1:${
@ -586,7 +592,7 @@ in {
};
relabel_configs = [
{
source_labels = ["__journal__systemd_unit"];
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
];
@ -602,11 +608,11 @@ in {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
enabledCollectors = [ "systemd" ];
port = 9002;
};
nginx = {enable = true;};
nginx = { enable = true; };
rtl_433 = {
enable = true;
@ -648,27 +654,27 @@ in {
}
{
job_name = "greenhouse";
static_configs = [{targets = ["10.6.0.20:80"];}];
static_configs = [{ targets = [ "10.6.0.20:80" ]; }];
}
{
job_name = "house";
static_configs = [{targets = ["10.6.0.21:80"];}];
static_configs = [{ targets = [ "10.6.0.21:80" ]; }];
}
{
job_name = "outside";
static_configs = [{targets = ["10.6.0.22:8811"];}];
static_configs = [{ targets = [ "10.6.0.22:8811" ]; }];
}
{
job_name = "faf";
static_configs = [{targets = ["10.6.0.245:9002"];}];
static_configs = [{ targets = [ "10.6.0.245:9002" ]; }];
}
{
job_name = "h";
static_configs = [{targets = ["100.64.247.69:9002"];}];
static_configs = [{ targets = [ "100.64.247.69:9002" ]; }];
}
{
job_name = "namish";
static_configs = [{targets = ["10.200.0.100:9100"];}];
static_configs = [{ targets = [ "10.200.0.100:9100" ]; }];
}
{
job_name = "nginx";
@ -746,7 +752,7 @@ in {
backup root@suah.dev:/var/www/ suah.dev/
backup_exec date "+ backup of suah.dev ended at %c"
'';
cronIntervals = {daily = "50 21 * * *";};
cronIntervals = { daily = "50 21 * * *"; };
};
libreddit = {
@ -1031,7 +1037,7 @@ in {
# host all all ::1/128 trust
#'';
ensureDatabases = ["nextcloud" "gitea" "invidious"];
ensureDatabases = [ "nextcloud" "gitea" "invidious" ];
ensureUsers = [
{
name = "nextcloud";
@ -1049,24 +1055,36 @@ in {
};
};
systemd.services.nginx.serviceConfig = {
ReadWritePaths = ["/backups/nginx_cache"];
ReadOnlyPaths = ["/etc/nixos/secrets"];
systemd = {
services = {
photoprism = {
serviceConfig = {
WorkingDirectory = lib.mkForce "/media/pictures/photoprism";
};
preStart = lib.mkForce "";
};
nginx.serviceConfig = {
ReadWritePaths = [ "/backups/nginx_cache" ];
ReadOnlyPaths = [ "/etc/nixos/secrets" ];
};
gitea.environment = {
GIT_CONFIG_NOGLOBAL = "true";
GIT_CONFIG_NOSYSTEM = "true";
};
#"nextcloud-setup" = {
# requires = [ "postgresql.service" ];
# after = [ "postgresql.service" ];
#};
};
};
systemd.services.gitea.environment = {
GIT_CONFIG_NOGLOBAL = "true";
GIT_CONFIG_NOSYSTEM = "true";
users.users = {
qbit = userBase;
root = userBase;
};
#systemd.services."nextcloud-setup" = {
# requires = [ "postgresql.service" ];
# after = [ "postgresql.service" ];
#};
users.users.qbit = userBase;
users.users.root = userBase;
programs.zsh.enable = true;
system.stateVersion = "20.03";
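Review bot: The `photoprism` account in the regrouped `users = { … users = { photoprism = … } }` block is declared `isSystemUser = true` yet keeps `shell = "/bin/sh"` and `openssh.authorizedKeys.keys = pubKeys`, so a service account accepts SSH logins with the same keys as `qbit` and `root`. If nothing logs in as this user, dropping those two lines keeps the account to what the service needs. If the login is intentional, a comment such as `# SSH login kept for <reason>` above `shell` would record why. The same file section also still sets `users.users = { qbit = userBase; root = userBase; };` apart from the new `users = { … }` block, so the consolidation is only partial. Whether the login is actually used cannot be told from this page.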


@ -1,70 +1,76 @@
{...}: {
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel" "wireguard"];
boot.extraModulePackages = [];
{ ... }: {
boot = {
initrd = {
availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" "wireguard" ];
extraModulePackages = [ ];
};
hardware.enableRedistributableFirmware = true;
fileSystems."/" = {
device = "/dev/disk/by-uuid/248dfcf7-999b-4dba-bfbf-0b10dbb376b1";
fsType = "ext4";
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/248dfcf7-999b-4dba-bfbf-0b10dbb376b1";
fsType = "ext4";
};
"/home" = {
device = "rpool/home";
fsType = "zfs";
};
"/backups" = {
device = "rpool/backups";
fsType = "zfs";
};
"/media/music" = {
device = "rpool/media/music";
fsType = "zfs";
};
"/media/movies" = {
device = "rpool/media/movies";
fsType = "zfs";
};
"/media/pictures" = {
device = "rpool/pictures";
fsType = "zfs";
};
"/media/tv" = {
device = "rpool/media/tv";
fsType = "zfs";
};
"/media/nextcloud" = {
device = "rpool/nextcloud";
fsType = "zfs";
};
"/media/git" = {
device = "rpool/git";
fsType = "zfs";
};
"/media/downloads" = {
device = "rpool/downloads";
fsType = "zfs";
};
"/db/postgres" = {
device = "rpool/db/postgres";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/2AC3-DB6C";
fsType = "vfat";
};
};
fileSystems."/home" = {
device = "rpool/home";
fsType = "zfs";
};
fileSystems."/backups" = {
device = "rpool/backups";
fsType = "zfs";
};
fileSystems."/media/music" = {
device = "rpool/media/music";
fsType = "zfs";
};
fileSystems."/media/movies" = {
device = "rpool/media/movies";
fsType = "zfs";
};
fileSystems."/media/pictures" = {
device = "rpool/pictures";
fsType = "zfs";
};
fileSystems."/media/tv" = {
device = "rpool/media/tv";
fsType = "zfs";
};
fileSystems."/media/nextcloud" = {
device = "rpool/nextcloud";
fsType = "zfs";
};
fileSystems."/media/git" = {
device = "rpool/git";
fsType = "zfs";
};
fileSystems."/media/downloads" = {
device = "rpool/downloads";
fsType = "zfs";
};
fileSystems."/db/postgres" = {
device = "rpool/db/postgres";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2AC3-DB6C";
fsType = "vfat";
};
swapDevices = [{device = "/dev/disk/by-uuid/97d6ef56-ea18-493b-aac0-e58e773ced30";}];
swapDevices = [{ device = "/dev/disk/by-uuid/97d6ef56-ea18-493b-aac0-e58e773ced30"; }];
}


@ -1,11 +1,11 @@
{
inputs,
config,
pkgs,
lib,
xinlib,
...
}: let
{ inputs
, config
, pkgs
, lib
, xinlib
, ...
}:
let
inherit (inputs.stable.legacyPackages.${pkgs.system}) chirp;
restic = pkgs.writeScriptBin "restic" (import ../../bins/restic.nix {
inherit pkgs;
@ -25,25 +25,26 @@
name = "brain";
script = "cd ~/Brain && git sync";
startAt = "*:0/2";
path = [pkgs.git pkgs.git-sync];
path = [ pkgs.git pkgs.git-sync ];
}
{
name = "org";
script = "(cd ~/org && git sync)";
startAt = "*:0/5";
path = [pkgs.git pkgs.git-sync];
path = [ pkgs.git pkgs.git-sync ];
}
{
name = "taskobs";
script = "taskobs";
startAt = "*:0/30";
path = [pkgs.taskobs] ++ pkgs.taskobs.buildInputs;
path = [ pkgs.taskobs ] ++ pkgs.taskobs.buildInputs;
}
];
in {
in
{
_module.args.isUnstable = true;
imports = [./hardware-configuration.nix ../../pkgs ../../configs/neomutt.nix];
imports = [ ./hardware-configuration.nix ../../pkgs ../../configs/neomutt.nix ];
sops.secrets = {
fastmail = {
@ -94,7 +95,7 @@ in {
};
boot = {
binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
binfmt.emulatedSystems = [ "aarch64-linux" "riscv64-linux" ];
initrd.systemd.enable = true;
loader = {
systemd-boot.enable = true;
@ -103,7 +104,7 @@ in {
efiSysMountPoint = "/boot/efi";
};
};
kernelParams = ["boot.shell_on_fail" "mem_sleep_default=deep"];
kernelParams = [ "boot.shell_on_fail" "mem_sleep_default=deep" ];
kernelPackages = pkgs.linuxPackages_latest;
};
@ -122,21 +123,21 @@ in {
hostName = "europa";
hostId = "87703c3e";
hosts = {
"192.168.122.6" = ["chubs"];
"192.168.122.6" = [ "chubs" ];
};
wireless.userControlled.enable = true;
networkmanager.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [22];
allowedTCPPorts = [ 22 ];
};
};
tsPeerix = {
enable = false;
privateKeyFile = "${config.sops.secrets.peerix_private_key.path}";
interfaces = ["wlp170s0" "ztksevmpn3"];
interfaces = [ "wlp170s0" "ztksevmpn3" ];
};
programs = {
@ -144,7 +145,7 @@ in {
_1password.enable = true;
_1password-gui = {
enable = true;
polkitPolicyOwners = ["qbit"];
polkitPolicyOwners = [ "qbit" ];
};
dconf.enable = true;
zsh = {
@ -162,7 +163,7 @@ in {
};
};
services.xinCA = {enable = false;};
services.xinCA = { enable = false; };
services = {
avahi = {
@ -178,9 +179,9 @@ in {
environmentFile = "${config.sops.secrets.restic_env_file.path}";
passwordFile = "${config.sops.secrets.restic_password_file.path}";
paths = ["/home/qbit" "/var/lib/libvirt"];
paths = [ "/home/qbit" "/var/lib/libvirt" ];
pruneOpts = ["--keep-daily 7" "--keep-weekly 5" "--keep-yearly 5"];
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 5" ];
};
};
};
@ -231,17 +232,19 @@ in {
''
];
systemd.user.services =
lib.listToAttrs (builtins.map xinlib.jobToUserService jobs);
systemd.services."whytailscalewhy" = {
description = "Tailscale restart on resume";
wantedBy = ["post-resume.target"];
after = ["post-resume.target"];
script = ''
. /etc/profile;
${pkgs.systemd}/bin/systemctl restart tailscaled.service
'';
serviceConfig.Type = "oneshot";
systemd = {
user.services =
lib.listToAttrs (builtins.map xinlib.jobToUserService jobs);
services."whytailscalewhy" = {
description = "Tailscale restart on resume";
wantedBy = [ "post-resume.target" ];
after = [ "post-resume.target" ];
script = ''
. /etc/profile;
${pkgs.systemd}/bin/systemctl restart tailscaled.service
'';
serviceConfig.Type = "oneshot";
};
};
virtualisation.docker.enable = false;
@ -259,7 +262,7 @@ in {
XDG_DATA_HOME = "\${HOME}/.local/share";
STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d";
PATH = ["\${XDG_BIN_HOME}"];
PATH = [ "\${XDG_BIN_HOME}" ];
MUHOME = "\${HOME}/.config/mu";
};
@ -320,8 +323,8 @@ in {
#yubioath-flutter
zig
(callPackage ../../pkgs/clilol.nix {})
(callPackage ../../pkgs/iamb.nix {})
(callPackage ../../pkgs/clilol.nix { })
(callPackage ../../pkgs/iamb.nix { })
(callPackage ../../pkgs/kobuddy.nix {
inherit pkgs;
inherit
@ -335,9 +338,9 @@ in {
alembic
;
})
(callPackage ../../pkgs/gokrazy.nix {})
(callPackage ../../pkgs/mvoice.nix {})
(callPackage ../../pkgs/zutty.nix {})
(callPackage ../../pkgs/gokrazy.nix { })
(callPackage ../../pkgs/mvoice.nix { })
(callPackage ../../pkgs/zutty.nix { })
restic
];
@ -358,7 +361,9 @@ in {
}
];
system.autoUpgrade.allowReboot = false;
system.autoUpgrade.enable = false;
system.stateVersion = "21.11";
system = {
autoUpgrade.allowReboot = false;
autoUpgrade.enable = false;
stateVersion = "21.11";
};
}
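Review bot: `kernelParams` in the `boot` block still carries `boot.shell_on_fail`, and the reformatted line has no comment explaining why. The NixOS manual notes this parameter is off by default because the stage-1 root shell it opens on a failed boot has no authentication. I would add a comment above the line such as `# boot.shell_on_fail: unauthenticated root shell in the initrd if boot fails; accepted here because <reason>` so the trade-off is recorded. Since `initrd.systemd.enable = true` sits in the same block, it is also worth confirming whether the parameter still takes effect there, or whether `boot.initrd.systemd.emergencyAccess` is the setting that governs emergency access.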


@ -1,15 +1,18 @@
{
config,
lib,
modulesPath,
...
{ config
, lib
, modulesPath
, ...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "usbhid" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
@ -25,14 +28,14 @@
};
boot.initrd.luks.devices."luks-1f16b568-7726-44b6-b082-6b9d5e4d1972".device = "/dev/disk/by-uuid/1f16b568-7726-44b6-b082-6b9d5e4d1972";
boot.initrd.luks.devices."luks-1f16b568-7726-44b6-b082-6b9d5e4d1972".crypttabExtraOpts = ["fido2-device=auto"];
boot.initrd.luks.devices."luks-1f16b568-7726-44b6-b082-6b9d5e4d1972".crypttabExtraOpts = [ "fido2-device=auto" ];
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/F0A2-4A56";
fsType = "vfat";
};
swapDevices = [{device = "/dev/disk/by-label/swap";}];
swapDevices = [{ device = "/dev/disk/by-label/swap"; }];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware = {


@ -1,19 +1,25 @@
{config, ...}: let
{ config, ... }:
let
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPMaAm4rDxyU975Z54YiNw3itC2fGc3SaE2VaS1fai8 root@box"
];
userBase = {
openssh.authorizedKeys.keys = pubKeys ++ config.myconf.managementPubKeys;
};
in {
in
{
_module.args.isUnstable = false;
imports = [./hardware-configuration.nix];
imports = [ ./hardware-configuration.nix ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
boot.supportedFilesystems = ["zfs"];
boot.zfs.devNodes = "/dev/";
supportedFilesystems = [ "zfs" ];
zfs.devNodes = "/dev/";
};
networking = {
hostName = "faf";
@ -23,13 +29,17 @@ in {
interfaces.enp1s0.useDHCP = true;
interfaces.enp2s0.useDHCP = true;
firewall.allowedTCPPorts = [22 53 config.services.prometheus.exporters.node.port];
firewall.allowedUDPPorts = [53];
hosts = {"100.122.61.43" = ["nix-binary-cache.humpback-trout.ts.net"];};
firewall = {
allowedTCPPorts = [ 22 53 config.services.prometheus.exporters.node.port ];
allowedUDPPorts = [ 53 ];
};
hosts = { "100.122.61.43" = [ "nix-binary-cache.humpback-trout.ts.net" ]; };
};
users.users.root = userBase;
users.users.qbit = userBase;
users.users = {
root = userBase;
qbit = userBase;
};
services = {
prometheus = {
@ -39,7 +49,7 @@ in {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
@ -101,8 +111,8 @@ in {
enable = true;
settings = {
server = {
interface = ["100.64.130.122"];
access-control = ["100.64.0.0/10 allow"];
interface = [ "100.64.130.122" ];
access-control = [ "100.64.0.0/10 allow" ];
};
local-zone = ''"bold.daemon." static'';
local-data = [
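Review bot: The regrouped `firewall` block keeps `config.services.prometheus.exporters.node.port` in the global `allowedTCPPorts`, so the node exporter (with the `systemd` collector enabled further down) is reachable on every interface, including both DHCP interfaces. Another host in this same commit opens 9002 only under `firewall.interfaces."tailscale0"`, so the two hosts are inconsistent. If only the Prometheus server needs to scrape this host, I would move the port to the one interface the scrape arrives on, e.g. `interfaces.<scrape-iface>.allowedTCPPorts = [ config.services.prometheus.exporters.node.port ];`, and leave 22 and 53 in the global list. Which interface that is cannot be told from this hunk.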


@ -1,74 +1,77 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
{ config
, lib
, modulesPath
, ...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"xhci_pci"
"sata_sil24"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "tank/nixos";
fsType = "zfs";
boot = {
initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"xhci_pci"
"sata_sil24"
"usb_storage"
"usbhid"
"sd_mod"
];
initrd.kernelModules = [ ];
kernelModules = [ ];
extraModulePackages = [ ];
};
fileSystems."/nix" = {
device = "tank/nixos/nix";
fsType = "zfs";
fileSystems = {
"/" = {
device = "tank/nixos";
fsType = "zfs";
};
"/nix" = {
device = "tank/nixos/nix";
fsType = "zfs";
};
"/etc" = {
device = "tank/nixos/etc";
fsType = "zfs";
};
"/var" = {
device = "tank/nixos/var";
fsType = "zfs";
};
"/var/lib" = {
device = "tank/nixos/var/lib";
fsType = "zfs";
};
"/var/log" = {
device = "tank/nixos/var/log";
fsType = "zfs";
};
"/var/spool" = {
device = "tank/nixos/var/spool";
fsType = "zfs";
};
"/home" = {
device = "tank/userdata/home";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/5851-DEF2";
fsType = "vfat";
};
};
fileSystems."/etc" = {
device = "tank/nixos/etc";
fsType = "zfs";
};
fileSystems."/var" = {
device = "tank/nixos/var";
fsType = "zfs";
};
fileSystems."/var/lib" = {
device = "tank/nixos/var/lib";
fsType = "zfs";
};
fileSystems."/var/log" = {
device = "tank/nixos/var/log";
fsType = "zfs";
};
fileSystems."/var/spool" = {
device = "tank/nixos/var/spool";
fsType = "zfs";
};
fileSystems."/home" = {
device = "tank/userdata/home";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/5851-DEF2";
fsType = "vfat";
};
swapDevices = [];
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;


@ -1,9 +1,8 @@
{
config,
pkgs,
isUnstable,
inputs,
...
{ config
, pkgs
, isUnstable
, inputs
, ...
}:
with pkgs; let
restic = pkgs.writeScriptBin "restic" (import ../../bins/restic.nix {
@ -11,24 +10,24 @@ with pkgs; let
inherit lib;
inherit config;
});
gqrss = callPackage ../../pkgs/gqrss.nix {inherit isUnstable;};
icbirc = callPackage ../../pkgs/icbirc.nix {inherit isUnstable;};
mcchunkie = callPackage ../../pkgs/mcchunkie.nix {inherit isUnstable;};
slidingSyncPkg = callPackage ../../pkgs/sliding-sync.nix {};
gqrss = callPackage ../../pkgs/gqrss.nix { inherit isUnstable; };
icbirc = callPackage ../../pkgs/icbirc.nix { inherit isUnstable; };
mcchunkie = callPackage ../../pkgs/mcchunkie.nix { inherit isUnstable; };
slidingSyncPkg = callPackage ../../pkgs/sliding-sync.nix { };
weepushover =
python3Packages.callPackage ../../pkgs/weepushover.nix {inherit pkgs;};
python3Packages.callPackage ../../pkgs/weepushover.nix { inherit pkgs; };
pgBackupDir = "/var/backups/postgresql";
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnaC1v+VoVNnK04D32H+euiCyWPXU8nX6w+4UoFfjA3 qbit@plq"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
];
userBase = {openssh.authorizedKeys.keys = pubKeys;};
userBase = { openssh.authorizedKeys.keys = pubKeys; };
icbIrcTunnel =
pkgs.writeScriptBin "icb-irc-tunnel"
(import ../../bins/icb-irc-tunnel.nix {
inherit pkgs;
inherit icbirc;
});
(import ../../bins/icb-irc-tunnel.nix {
inherit pkgs;
inherit icbirc;
});
goModuleHost = "https://codeberg.org/qbit"; # "https://git.sr.ht/~qbit";
httpAllow = ''
allow 10.6.0.0/24;
@ -44,9 +43,9 @@ with pkgs; let
matrixServer = "tapenet.org";
matrixClientConfig = {
"m.homeserver".base_url = "https://${matrixServer}:443";
"org.matrix.msc3575.proxy" = {url = "https://${matrixServer}";};
"org.matrix.msc3575.proxy" = { url = "https://${matrixServer}"; };
};
matrixServerConfig = {"m.server" = "${matrixServer}:443";};
matrixServerConfig = { "m.server" = "${matrixServer}:443"; };
mkMatrixWellKnown = p: ''
return 200 '${builtins.toJSON p}';
'';
@ -61,25 +60,30 @@ with pkgs; let
proxyWebsockets = true;
proxyPass = "http://${mtxCfg.address}:${toString mtxCfg.port}";
};
in {
in
{
_module.args.isUnstable = false;
imports = [
./hardware-configuration.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.configurationLimit = 15;
boot = {
loader.grub = {
enable = true;
device = "/dev/sda";
configurationLimit = 15;
};
boot.kernelParams = ["net.ifnames=0"];
kernelParams = [ "net.ifnames=0" ];
};
tailscale.sshOnly = true;
nixpkgs.overlays = [
(_: super: {
weechat = super.weechat.override {
configure = {...}: {
scripts = with super.weechatScripts; [highmon weepushover];
configure = { ... }: {
scripts = with super.weechatScripts; [ highmon weepushover ];
};
};
})
@ -129,7 +133,7 @@ in {
sopsFile = config.xin-secrets.h.services;
owner = config.users.users.gostart.name;
};
wireguard_private_key = {sopsFile = config.xin-secrets.h.services;};
wireguard_private_key = { sopsFile = config.xin-secrets.h.services; };
pots_env_file = {
owner = config.users.users.pots.name;
mode = "400";
@ -158,7 +162,7 @@ in {
useDHCP = false;
defaultGateway = "23.29.118.1";
defaultGateway6 = "2602:ff16:3::1";
nameservers = ["9.9.9.9"];
nameservers = [ "9.9.9.9" ];
interfaces.eth0 = {
ipv4.addresses = [
@ -182,11 +186,11 @@ in {
interfaces = {
wg0 = {
listenPort = 7122;
ips = ["192.168.112.3/32"];
ips = [ "192.168.112.3/32" ];
peers = [
{
publicKey = "gZ16FwqUgzKgEpJgVC9BngJ+Dd0e5LPsDhDuJby0VzY=";
allowedIPs = ["192.168.112.4/32"];
allowedIPs = [ "192.168.112.4/32" ];
persistentKeepalive = 25;
}
];
@ -196,9 +200,9 @@ in {
};
firewall = {
interfaces = {"tailscale0" = {allowedTCPPorts = [9002];};};
allowedTCPPorts = [22 80 443 2222 53589];
allowedUDPPorts = [7122];
interfaces = { "tailscale0" = { allowedTCPPorts = [ 9002 ]; }; };
allowedTCPPorts = [ 22 80 443 2222 53589 ];
allowedUDPPorts = [ 7122 ];
allowedUDPPortRanges = [
{
from = 60000;
@ -231,33 +235,39 @@ in {
defaults.email = "aaron@bolddaemon.com";
};
users.groups.mcchunkie = {};
users.users.mcchunkie = {
createHome = true;
isSystemUser = true;
home = "/var/lib/mcchunkie";
group = "mcchunkie";
};
systemd.services.icb-tunnel = {
wantedBy = ["network.target"];
after = ["network.target" "multi-user.target"];
serviceConfig = {
User = "qbit";
WorkingDirectory = "/home/qbit";
ExecStart = "${icbIrcTunnel}/bin/icb-irc-tunnel";
users = {
users = {
qbit = userBase;
mcchunkie = {
createHome = true;
isSystemUser = true;
home = "/var/lib/mcchunkie";
group = "mcchunkie";
};
};
groups.mcchunkie = { };
};
systemd.services.mcchunkie = {
wantedBy = ["multi-user.target"];
serviceConfig = {
User = "mcchunkie";
Group = "mcchunkie";
Restart = "always";
WorkingDirectory = "/var/lib/mcchunkie";
ExecStart = "${mcchunkie}/bin/mcchunkie";
systemd.services = {
icb-tunnel = {
wantedBy = [ "network.target" ];
after = [ "network.target" "multi-user.target" ];
serviceConfig = {
User = "qbit";
WorkingDirectory = "/home/qbit";
ExecStart = "${icbIrcTunnel}/bin/icb-irc-tunnel";
};
};
mcchunkie = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "mcchunkie";
Group = "mcchunkie";
Restart = "always";
WorkingDirectory = "/var/lib/mcchunkie";
ExecStart = "${mcchunkie}/bin/mcchunkie";
};
};
};
@ -277,8 +287,8 @@ in {
exclusive = true;
}
];
aliases = [];
rooms = [];
aliases = [ ];
rooms = [ ];
};
};
tsrevprox = {
@ -296,7 +306,7 @@ in {
enable = true;
envFile = "${config.sops.secrets.pots_env_file.path}";
};
pr-status = {enable = true;};
pr-status = { enable = true; };
gostart = {
enable = true;
keyPath = "${config.sops.secrets.gostart.path}";
@ -335,7 +345,7 @@ in {
protocol = "https";
storage-backend = "local";
storage-local-base-path = "/var/lib/gotosocial";
trusted-proxies = ["127.0.0.1/32" "23.29.118.0/24"];
trusted-proxies = [ "127.0.0.1/32" "23.29.118.0/24" ];
web-template-base-dir = "${config.services.gotosocial.package}/assets/web/template/";
web-asset-base-dir = "${config.services.gotosocial.package}/assets/web/assets/";
};
@ -347,8 +357,8 @@ in {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {filename = "/tmp/positions.yaml";};
clients = [{url = "http://box.humpback-trout.ts.net:3030/loki/api/v1/push";}];
positions = { filename = "/tmp/positions.yaml"; };
clients = [{ url = "http://box.humpback-trout.ts.net:3030/loki/api/v1/push"; }];
scrape_configs = [
{
job_name = "journal";
@ -361,7 +371,7 @@ in {
};
relabel_configs = [
{
source_labels = ["__journal__systemd_unit"];
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
];
@ -377,7 +387,7 @@ in {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
enabledCollectors = [ "systemd" ];
port = 9002;
};
};
@ -386,7 +396,7 @@ in {
enable = true;
fqdn = "tasks.suah.dev";
listenHost = "::";
organisations."bolddaemon".users = ["qbit"];
organisations."bolddaemon".users = [ "qbit" ];
openFirewall = false;
};
cron = {
@ -418,9 +428,9 @@ in {
"/var/lib/writefreely"
];
timerConfig = {OnCalendar = "00:05";};
timerConfig = { OnCalendar = "00:05"; };
pruneOpts = ["--keep-daily 7" "--keep-weekly 5" "--keep-yearly 10"];
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 10" ];
};
};
};
@ -480,7 +490,7 @@ in {
'';
upstreams = {
"ssh_gitea" = {servers = {"192.168.112.4:2222" = {};};};
"ssh_gitea" = { servers = { "192.168.112.4:2222" = { }; }; };
};
streamConfig = ''
@ -551,7 +561,7 @@ in {
forceSSL = true;
enableACME = true;
locations."/" = {root = "${pkgs.glowing-bear}";};
locations."/" = { root = "${pkgs.glowing-bear}"; };
};
"git.tapenet.org" = {
@ -569,15 +579,17 @@ in {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.112.4:8222";
proxyWebsockets = true;
};
locations."/admin" = {
extraConfig = ''
${httpAllow}
deny all;
'';
locations = {
"/" = {
proxyPass = "http://192.168.112.4:8222";
proxyWebsockets = true;
};
"/admin" = {
extraConfig = ''
${httpAllow}
deny all;
'';
};
};
};
@ -728,29 +740,33 @@ in {
forceSSL = true;
enableACME = true;
root = "/var/www/tapenet.org";
locations."/.well-known/matrix/client".extraConfig =
mkMatrixWellKnown matrixClientConfig;
locations."/.well-known/matrix/server".extraConfig =
mkMatrixWellKnown matrixServerConfig;
locations = {
"/.well-known/matrix/client".extraConfig =
mkMatrixWellKnown matrixClientConfig;
"/.well-known/matrix/server".extraConfig =
mkMatrixWellKnown matrixServerConfig;
locations."/client" = mkMatrixSliderLoc;
locations."/_matrix/client/unstable/org.matrix.msc3575/sync" =
mkMatrixSliderLoc;
"/client" = mkMatrixSliderLoc;
"/_matrix/client/unstable/org.matrix.msc3575/sync" =
mkMatrixSliderLoc;
locations."/_matrix" = mkMatrixLoc;
locations."/_synapse/client" = mkMatrixLoc;
"/_matrix" = mkMatrixLoc;
"/_synapse/client" = mkMatrixLoc;
};
}
else {
forceSSL = true;
enableACME = true;
root = "/var/www/tapenet.org";
locations."/.well-known/matrix/client".extraConfig =
mkMatrixWellKnown matrixClientConfig;
locations."/.well-known/matrix/server".extraConfig =
mkMatrixWellKnown matrixServerConfig;
locations = {
"/.well-known/matrix/client".extraConfig =
mkMatrixWellKnown matrixClientConfig;
"/.well-known/matrix/server".extraConfig =
mkMatrixWellKnown matrixServerConfig;
locations."/_matrix" = mkMatrixLoc;
locations."/_synapse/client" = mkMatrixLoc;
"/_matrix" = mkMatrixLoc;
"/_synapse/client" = mkMatrixLoc;
};
};
};
};
@ -764,7 +780,7 @@ in {
enable = true;
package = pkgs.postgresql_14;
settings = {};
settings = { };
enableTCPIP = true;
authentication = pkgs.lib.mkOverride 14 ''
@ -780,7 +796,7 @@ in {
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
ensureDatabases = ["synapse" "gotosocial" "syncv3"];
ensureDatabases = [ "synapse" "gotosocial" "syncv3" ];
ensureUsers = [
{
name = "synapse_user";
@ -834,7 +850,7 @@ in {
"porn"
"csam"
];
aditionalPrefixes = ["hammer"];
aditionalPrefixes = [ "hammer" ];
confirmWildcardBan = false;
};
};
@ -850,7 +866,7 @@ in {
server_name = "tapenet.org";
signing_key_path = "${config.sops.secrets.synapse_signing_key.path}";
url_preview_enabled = false;
plugins = with config.services.matrix-synapse.package.plugins; [matrix-synapse-mjolnir-antispam];
plugins = with config.services.matrix-synapse.package.plugins; [ matrix-synapse-mjolnir-antispam ];
app_service_config_files = [
"/var/lib/heisenbridge/registration.yml"
];
@ -864,15 +880,15 @@ in {
listeners = [
{
inherit (mtxCfg) port;
bind_addresses = [mtxCfg.address];
bind_addresses = [ mtxCfg.address ];
resources = [
{
compress = true;
names = ["client"];
names = [ "client" ];
}
{
compress = false;
names = ["federation"];
names = [ "federation" ];
}
];
tls = false;
@ -884,7 +900,6 @@ in {
};
};
users.users.qbit = userBase;
system.stateVersion = "22.11";
}
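Review bot: `aditionalPrefixes = [ "hammer" ];` in the moderation-bot settings hunk looks like a misspelling of `additionalPrefixes`, the key Mjolnir reads for extra command prefixes. If these settings are passed through as free-form config, the misspelled key is silently ignored and the `hammer` prefix never takes effect. The formatter only touched the spacing, so the typo predates this commit, but it is on the new side and cheap to fix: `additionalPrefixes = [ "hammer" ];`. The adjacent `confirmWildcardBan = false;` deserves a one-line comment too, since it removes the confirmation step before a wildcard ban. The enclosing settings block starts outside the hunk.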


@ -1,25 +1,28 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
{ config
, lib
, modulesPath
, ...
}: {
imports = [(modulesPath + "/profiles/qemu-guest.nix")];
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["wireguard"];
boot.extraModulePackages = [];
boot = {
initrd = {
availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ "wireguard" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/b3caa6ff-5610-4ae2-999d-f8f0b1599c4f";
fsType = "ext4";
};
swapDevices = [{device = "/dev/disk/by-uuid/610a3dbc-59d5-4e5b-b5de-b31402135d44";}];
swapDevices = [{ device = "/dev/disk/by-uuid/610a3dbc-59d5-4e5b-b5de-b31402135d44"; }];
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;


@ -1,24 +1,30 @@
{...}: let
{ ... }:
let
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPMaAm4rDxyU975Z54YiNw3itC2fGc3SaE2VaS1fai8 root@box"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnaC1v+VoVNnK04D32H+euiCyWPXU8nX6w+4UoFfjA3 qbit@plq"
];
userBase = {openssh.authorizedKeys.keys = pubKeys;};
in {
userBase = { openssh.authorizedKeys.keys = pubKeys; };
in
{
_module.args.isUnstable = false;
imports = [./hardware-configuration.nix];
imports = [ ./hardware-configuration.nix ];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sdb";
boot.loader.grub.useOSProber = true;
boot.loader.grub = {
enable = true;
device = "/dev/sdb";
useOSProber = true;
};
# The moon based shipyard
networking.hostName = "luna";
networking = {
hostName = "luna";
networking.networkmanager.enable = true;
networking.firewall.allowedTCPPorts = [22];
networkmanager.enable = true;
firewall.allowedTCPPorts = [ 22 ];
};
environment.systemPackages = [];
environment.systemPackages = [ ];
users.users.root = userBase;
users.users.qbit = userBase;


@ -1,31 +1,34 @@
{
config,
lib,
modulesPath,
...
{ config
, lib
, modulesPath
, ...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ata_piix"
"megaraid_sas"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot = {
initrd = {
availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ata_piix"
"megaraid_sas"
"usb_storage"
"usbhid"
"sd_mod"
"sr_mod"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/caa1051c-f7c3-4809-9a63-b3908de9c27c";
fsType = "ext4";
};
swapDevices = [{device = "/dev/disk/by-uuid/53f8fb0f-1fd8-4785-9278-343b525a23be";}];
swapDevices = [{ device = "/dev/disk/by-uuid/53f8fb0f-1fd8-4785-9278-343b525a23be"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,17 +1,18 @@
{
pkgs,
lib,
isUnstable,
...
}: let
{ pkgs
, lib
, isUnstable
, ...
}:
let
secretAgent = "Contents/Library/LoginItems/SecretAgent.app/Contents/MacOS/SecretAgent";
rage =
pkgs.writeScriptBin "rage" (import ../../bins/rage.nix {inherit pkgs;});
in {
pkgs.writeScriptBin "rage" (import ../../bins/rage.nix { inherit pkgs; });
in
{
_module.args.isUnstable = false;
imports = [../../configs/tmux.nix ../../configs/zsh.nix ../../bins];
imports = [ ../../configs/tmux.nix ../../configs/zsh.nix ../../bins ];
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
networking.hostName = "plq";
@ -69,8 +70,8 @@ in {
};
environment.systemPackages = with pkgs; [
(callPackage ../../pkgs/secretive.nix {inherit isUnstable;})
(callPackage ../../pkgs/hammerspoon.nix {inherit isUnstable;})
(callPackage ../../pkgs/secretive.nix { inherit isUnstable; })
(callPackage ../../pkgs/hammerspoon.nix { inherit isUnstable; })
direnv
exiftool


@ -1,13 +1,14 @@
{
pkgs,
config,
...
}: let
{ pkgs
, config
, ...
}:
let
#myEmacs = pkgs.callPackage ../../configs/emacs.nix { };
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
];
in {
in
{
_module.args.isUnstable = false;
imports = [
./hardware-configuration.nix
@ -16,12 +17,18 @@ in {
hardware.rtl-sdr.enable = true;
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.kernelPackages = pkgs.linuxPackages_latest;
boot = {
loader = {
systemd-boot.enable = true;
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot/efi";
};
};
kernelPackages = pkgs.linuxPackages_latest;
boot.binfmt.emulatedSystems = ["aarch64-linux" "riscv64-linux"];
binfmt.emulatedSystems = [ "aarch64-linux" "riscv64-linux" ];
};
nixpkgs.config.allowUnsupportedSystem = true;
networking = {
@ -29,7 +36,7 @@ in {
networkmanager.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [22];
allowedTCPPorts = [ 22 ];
checkReversePath = "loose";
};
};
@ -43,16 +50,14 @@ in {
XDG_DATA_HOME = "\${HOME}/.local/share";
STEAM_EXTRA_COMPAT_TOOLS_PATHS = "\${HOME}/.steam/root/compatibilitytools.d";
PATH = ["\${XDG_BIN_HOME}"];
PATH = [ "\${XDG_BIN_HOME}" ];
};
users.users.qbit.extraGroups = ["dialout" "libvirtd" "docker" "plugdev"];
#nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
rtl-sdr
direwolf
(callPackage ../../pkgs/rtlamr.nix {})
(callPackage ../../pkgs/rtlamr.nix { })
];
#programs = {
@ -116,8 +121,15 @@ in {
};
};
users.users.root = {openssh.authorizedKeys.keys = pubKeys;};
users.users.qbit = {openssh.authorizedKeys.keys = pubKeys;};
users = {
users = {
root = { openssh.authorizedKeys.keys = pubKeys; };
qbit = {
openssh.authorizedKeys.keys = pubKeys;
extraGroups = [ "dialout" "libvirtd" "docker" "plugdev" ];
};
};
};
system.stateVersion = "22.11";
}
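Review bot: In the regrouped `users.users.qbit` block, `extraGroups` now sits next to `openssh.authorizedKeys.keys` and includes `docker`; membership of that group is effectively root wherever the Docker daemon runs, so the account reachable with the `europa` key would be root-equivalent there. Whether Docker is enabled on this host is not visible in these hunks. If it is not, I would drop the group; if it is, I would record the fact with a comment such as `# docker group is root-equivalent; qbit is a trusted admin on this host`. As a matter of style, `users = { users = { … }; };` wraps a single key and could be written `users.users = { … };`, as another host's file in this commit does.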


@ -1,30 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
{ config
, lib
, modulesPath
, ...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/dd7f2225-4c7a-4f40-8452-0aebf1a75aec";
fsType = "ext4";
boot = {
initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/2079-D1CE";
fsType = "vfat";
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/dd7f2225-4c7a-4f40-8452-0aebf1a75aec";
fsType = "ext4";
};
"/boot/efi" = {
device = "/dev/disk/by-uuid/2079-D1CE";
fsType = "vfat";
};
};
swapDevices = [{device = "/dev/disk/by-uuid/e14ac85b-d7b0-4a76-b9ab-a2c61fd67a5d";}];
swapDevices = [{ device = "/dev/disk/by-uuid/e14ac85b-d7b0-4a76-b9ab-a2c61fd67a5d"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,9 +1,9 @@
{
config,
pkgs,
lib,
...
}: let
{ config
, pkgs
, lib
, ...
}:
let
inherit
(builtins)
head
@ -11,7 +11,7 @@
attrValues
mapAttrs
attrNames
; # hasAttr;
;# hasAttr;
inherit (lib.attrsets) filterAttrsRecursive filterAttrs;
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
@ -22,9 +22,9 @@
wan = "enp5s0f0";
trunk = "enp5s0f1";
dnsServers = ["45.90.28.147" "45.90.30.147"];
dnsServers = [ "45.90.28.147" "45.90.30.147" ];
interfaces = {
"${wan}" = {useDHCP = true;};
"${wan}" = { useDHCP = true; };
"${trunk}" = rec {
ipv4.addresses = [
{
@ -96,7 +96,7 @@
enable = true;
start = "10.99.1.100";
end = "10.99.1.155";
staticIPs = [];
staticIPs = [ ];
};
};
};
@ -118,7 +118,7 @@
enable = true;
start = "10.98.1.100";
end = "10.98.1.150";
staticIPs = [];
staticIPs = [ ];
};
};
};
@ -140,7 +140,7 @@
enable = true;
start = "10.10.0.100";
end = "10.10.0.155";
staticIPs = [];
staticIPs = [ ];
};
};
};
@ -162,7 +162,7 @@
enable = false;
start = "10.12.0.100";
end = "10.12.0.155";
staticIPs = [];
staticIPs = [ ];
};
};
};
@ -213,7 +213,7 @@
enable = false;
start = "10.20.30.100";
end = "10.20.30.155";
staticIPs = [];
staticIPs = [ ];
};
};
};
@ -294,14 +294,15 @@
enable = false;
start = "10.7.0.100";
end = "10.7.0.155";
staticIPs = [];
staticIPs = [ ];
};
};
};
};
in {
in
{
_module.args.isUnstable = false;
imports = [./hardware-configuration.nix ../../modules/tsvnstat.nix];
imports = [ ./hardware-configuration.nix ../../modules/tsvnstat.nix ];
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = true;
@ -463,7 +464,7 @@ in {
{
name = "common";
advertise = true;
prefix = [{prefix = "::/64";}];
prefix = [{ prefix = "::/64"; }];
}
];
};
@ -514,7 +515,7 @@ in {
};
};
environment.systemPackages = with pkgs; [bmon termshark tcpdump];
environment.systemPackages = with pkgs; [ bmon termshark tcpdump ];
users.users.root = userBase;
users.users.qbit = userBase;


@ -1,29 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
{ config
, lib
, modulesPath
, ...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.useOSProber = true;
boot.loader.grub = {
enable = true;
device = "/dev/sda";
useOSProber = true;
};
boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["nf_tables" "nf_tables_ipv6" "nf_conntrack_tftp"];
boot.extraModulePackages = [];
boot = {
initrd = {
availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ "nf_tables" "nf_tables_ipv6" "nf_conntrack_tftp" ];
extraModulePackages = [ ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/4c84fd36-f143-4db8-bfe5-65de0287f894";
fsType = "ext4";
};
swapDevices = [];
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;


@ -1,9 +1,9 @@
{
config,
inputs,
pkgs,
...
}: let
{ config
, inputs
, pkgs
, ...
}:
let
pubKeys = [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0= hosts@secretive.plq.local"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
@ -20,9 +20,10 @@
doom-emacs = inputs.nix-doom-emacs.packages.${pkgs.system}.default.override {
doomPrivateDir = ../../configs/doom.d;
};
in {
in
{
_module.args.isUnstable = true;
imports = [./hardware-configuration.nix];
imports = [ ./hardware-configuration.nix ];
boot = {
loader = {
@ -34,9 +35,9 @@ in {
initrd = {
luks.devices."luks-23b20980-eb1e-4390-b706-f0f42a623ddf".device = "/dev/disk/by-uuid/23b20980-eb1e-4390-b706-f0f42a623ddf";
luks.devices."luks-23b20980-eb1e-4390-b706-f0f42a623ddf".keyFile = "/crypto_keyfile.bin";
secrets = {"/crypto_keyfile.bin" = null;};
secrets = { "/crypto_keyfile.bin" = null; };
};
kernelParams = ["intel_idle.max_cstate=4"];
kernelParams = [ "intel_idle.max_cstate=4" ];
kernelPackages = pkgs.linuxPackages;
};
security.pki.certificates = [
@ -97,15 +98,15 @@ in {
hostName = "stan";
hosts = {
"172.16.30.253" = ["proxmox-02.vm.calyptix.local"];
"127.0.0.1" = ["borg.calyptix.dev" "localhost"];
"192.168.122.249" = ["arst.arst" "vm"];
"192.168.8.194" = ["router.arst" "router"];
"172.16.30.253" = [ "proxmox-02.vm.calyptix.local" ];
"127.0.0.1" = [ "borg.calyptix.dev" "localhost" ];
"192.168.122.249" = [ "arst.arst" "vm" ];
"192.168.8.194" = [ "router.arst" "router" ];
};
networkmanager.enable = true;
firewall = {
allowedTCPPorts = [22];
allowedTCPPorts = [ 22 ];
checkReversePath = "loose";
};
};
@ -138,8 +139,8 @@ in {
systemd.services = {
"tailscale-init" = {
wantedBy = ["tailscaled.service"];
after = ["tailscaled.service"];
wantedBy = [ "tailscaled.service" ];
after = [ "tailscaled.service" ];
serviceConfig = {
ExecStart = "${pkgs.tailscale}/bin/tailscale up --auth-key file://${config.sops.secrets.tskey.path}";
};
@ -152,7 +153,7 @@ in {
isNormalUser = true;
description = "Aaron Bieber";
shell = pkgs.zsh;
extraGroups = ["networkmanager" "wheel" "libvirtd"];
extraGroups = [ "networkmanager" "wheel" "libvirtd" ];
}
// userBase;
@ -184,22 +185,24 @@ in {
zig
rustdesk
(callPackage ../../pkgs/zutty.nix {})
(callPackage ../../pkgs/zutty.nix { })
];
virtualisation.libvirtd.enable = true;
programs.git.config.safe.directory = "/home/abieber/aef100";
programs = {
git.config.safe.directory = "/home/abieber/aef100";
dconf.enable = true;
zsh.enable = true;
ssh.knownHosts = {
"[192.168.122.249]:7022".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOzf2Rv6FZYuH758TlNBcq4CXAHTPJxe5qoQTRM3nRc";
};
};
tsPeerix = {
enable = false;
privateKeyFile = "${config.sops.secrets.peerix_private_key.path}";
interfaces = ["wlp170s0" "ztksevmpn3"];
interfaces = [ "wlp170s0" "ztksevmpn3" ];
};
services = {
@ -213,9 +216,6 @@ in {
};
};
programs.ssh.knownHosts = {
"[192.168.122.249]:7022".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOzf2Rv6FZYuH758TlNBcq4CXAHTPJxe5qoQTRM3nRc";
};
system.autoUpgrade.allowReboot = false;
system.stateVersion = "22.05"; # Did you read the comment?


@ -1,18 +1,22 @@
{
pkgs,
config,
lib,
modulesPath,
...
{ pkgs
, config
, lib
, modulesPath
, ...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
kernelModules = [ ];
luks.devices."luks-e12e4b82-6f9e-4f80-b3f4-7e9a248e7827".device = "/dev/disk/by-uuid/e12e4b82-6f9e-4f80-b3f4-7e9a248e7827";
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
system.fsPackages = [pkgs.sshfs];
system.fsPackages = [ pkgs.sshfs ];
fileSystems = {
"/" = {
@ -30,7 +34,7 @@
"_netdev"
"x-systemd.automount"
(builtins.replaceStrings [" "] ["\\040"]
(builtins.replaceStrings [ " " ] [ "\\040" ]
"ssh_command=${pkgs.openssh}/bin/ssh -F /home/abieber/.ssh/config")
"reconnect"
"allow_other"
@ -43,9 +47,8 @@
};
};
boot.initrd.luks.devices."luks-e12e4b82-6f9e-4f80-b3f4-7e9a248e7827".device = "/dev/disk/by-uuid/e12e4b82-6f9e-4f80-b3f4-7e9a248e7827";
swapDevices = [{device = "/dev/disk/by-uuid/85a3b559-0c0f-485d-9107-9f6ba5ad31da";}];
swapDevices = [{ device = "/dev/disk/by-uuid/85a3b559-0c0f-485d-9107-9f6ba5ad31da"; }];
networking.useDHCP = lib.mkDefault true;


@ -1,9 +1,9 @@
{
config,
pkgs,
lib,
...
}: let
{ config
, pkgs
, lib
, ...
}:
let
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0= hosts@secretive.plq.local"
@ -11,19 +11,20 @@
userBase = {
openssh.authorizedKeys.keys = pubKeys ++ config.myconf.managementPubKeys;
};
firefox = import ../../configs/firefox.nix {inherit pkgs;};
in {
firefox = import ../../configs/firefox.nix { inherit pkgs; };
in
{
_module.args.isUnstable = false;
imports = [./hardware-configuration.nix];
imports = [ ./hardware-configuration.nix ];
defaultUsers.enable = false;
programs = {} // firefox.programs;
programs = { } // firefox.programs;
boot = {
initrd.availableKernelModules = ["usbhid" "usb_storage" "vc4" "rtc-ds3232" "rtc-ds1307"];
initrd.availableKernelModules = [ "usbhid" "usb_storage" "vc4" "rtc-ds3232" "rtc-ds1307" ];
kernelPackages = pkgs.linuxPackages_latest;
kernelModules = ["raspberrypi_ts" "rtc-ds3232" "rtc-ds1307"];
kernelModules = [ "raspberrypi_ts" "rtc-ds3232" "rtc-ds1307" ];
loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
@ -32,21 +33,21 @@ in {
networking = {
hostName = "weather";
networkmanager = {enable = true;};
networkmanager = { enable = true; };
wireless.userControlled.enable = true;
hosts."100.120.151.126" = ["graph.tapenet.org"];
hosts."100.120.151.126" = [ "graph.tapenet.org" ];
};
users.users.weather = {
shell = pkgs.zsh;
isNormalUser = true;
description = "Weather";
extraGroups = ["wheel"];
extraGroups = [ "wheel" ];
};
preDNS.enable = false;
systemd.services.NetworkManager-wait-online.serviceConfig.ExecStart =
lib.mkForce ["" "${pkgs.networkmanager}/bin/nm-online -q"];
lib.mkForce [ "" "${pkgs.networkmanager}/bin/nm-online -q" ];
services.xserver = {
enable = true;
@ -54,7 +55,7 @@ in {
windowManager.xmonad = {
enable = true;
extraPackages = haskellPackages: [haskellPackages.xmonad-contrib];
extraPackages = haskellPackages: [ haskellPackages.xmonad-contrib ];
config = ''
{-# LANGUAGE QuasiQuotes #-}


@ -1,4 +1,4 @@
{...}: {
{ ... }: {
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";


@ -1,9 +1,9 @@
{
config,
pkgs,
lib,
...
}: let
{ config
, pkgs
, lib
, ...
}:
let
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0= hosts@secretive.plq.local"
@ -11,7 +11,8 @@
userBase = {
openssh.authorizedKeys.keys = pubKeys ++ config.myconf.managementPubKeys;
};
in {
in
{
_module.args.isUnstable = false;
imports = [
./hardware-configuration.nix
@ -27,23 +28,23 @@ in {
"hid_microsoft"
];
supportedFilesystems = lib.mkForce ["vfat"];
supportedFilesystems = lib.mkForce [ "vfat" ];
kernelPackages = lib.mkForce pkgs.linuxPackages_rpi0;
};
networking = {
hostName = "wzero";
networkmanager = {enable = true;};
networkmanager = { enable = true; };
wireless.userControlled.enable = true;
hosts."100.120.151.126" = ["graph.tapenet.org"];
hosts."100.120.151.126" = [ "graph.tapenet.org" ];
};
users.users.weather = {
shell = pkgs.zsh;
isNormalUser = true;
description = "Weather";
extraGroups = ["wheel"];
extraGroups = [ "wheel" ];
};
preDNS.enable = false;


@ -1,8 +1,8 @@
{pkgs, ...}: {
{ pkgs, ... }: {
hardware = {
deviceTree = {
enable = true;
overlays = ["${pkgs.device-tree_rpi.overlays}/hifiberry-dac.dtbo"];
overlays = [ "${pkgs.device-tree_rpi.overlays}/hifiberry-dac.dtbo" ];
};
enableRedistributableFirmware = true;


@ -1,4 +1,5 @@
{pkgs, ...}: let
{ pkgs, ... }:
let
pubKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDM2k2C6Ufx5RNf4qWA9BdQHJfAkskOaqEWf8yjpySwH Nix Manager"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB1cBO17AFcS2NtIT+rIxR2Fhdu3HD4de4+IsFyKKuGQAAAACnNzaDpsZXNzZXI="
@ -6,12 +7,17 @@
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBB/V8N5fqlSGgRCtLJMLDJ8Hd3JcJcY8skI0l+byLNRgQLZfTQRxlZ1yymRs36rXj+ASTnyw5ZDv+q2aXP7Lj0="
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHrYWbbgBkGcOntDqdMaWVZ9xn+dHM+Ap6s1HSAalL28AAAACHNzaDptYWlu"
];
in {
imports = [./hardware-configuration.nix];
in
{
imports = [ ./hardware-configuration.nix ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.loader = {
systemd-boot.enable = true;
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot/efi";
};
};
nix = {
package = pkgs.nixUnstable;
@ -20,9 +26,10 @@ in {
'';
};
networking.hostName = "changeme";
networking.networkmanager.enable = true;
networking = {
hostName = "changeme";
networkmanager.enable = true;
};
time.timeZone = "America/Denver";
@ -32,24 +39,25 @@ in {
layout = "us";
xkbVariant = "colemak";
};
console = {keyMap = "colemak";};
console = { keyMap = "colemak"; };
users.users.qbit = {
isNormalUser = true;
description = "Aaron Bieber";
extraGroups = ["networkmanager" "wheel"];
packages = [];
users.users = {
qbit = {
isNormalUser = true;
description = "Aaron Bieber";
extraGroups = [ "networkmanager" "wheel" ];
packages = [ ];
};
root = { openssh.authorizedKeys.keys = pubKeys; };
};
# neovim will overwrite my neovim!!
environment.systemPackages = with pkgs; [neovim jq];
environment.systemPackages = with pkgs; [ neovim jq ];
services.openssh = {
enable = true;
permitRootLogin = "prohibit-password";
};
users.users.root = {openssh.authorizedKeys.keys = pubKeys;};
system.stateVersion = "22.05"; # Did you read the comment?
}
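Review bot: The `services.openssh` block left as context in the last hunk restricts only root (`permitRootLogin = "prohibit-password"`) and leaves password authentication at the module default, which as far as I know permits it. In the regrouped `users.users` set only `root` receives `pubKeys`, while `qbit` is in `wheel` with no authorized keys, so any SSH login to that account would have to be by password. If this template is meant to be key-only, like the sshd settings shown later in this commit (`PasswordAuthentication = false;`), add `passwordAuthentication = false;` next to `permitRootLogin`. On releases where these options live under `settings`, use `settings.PasswordAuthentication = false;` and `settings.PermitRootLogin = "prohibit-password";` instead.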


@ -1,13 +1,13 @@
{
config,
lib,
options,
pkgs,
...
}: let
{ config
, lib
, pkgs
, ...
}:
let
managementKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDM2k2C6Ufx5RNf4qWA9BdQHJfAkskOaqEWf8yjpySwH Nix Manager";
in {
imports = [./configs/colemak.nix ./configs/tmux.nix ./configs/neovim.nix];
in
{
imports = [ ./configs/colemak.nix ./configs/tmux.nix ./configs/neovim.nix ];
options.myconf = {
hwPubKeys = lib.mkOption rec {
@ -74,7 +74,7 @@ in {
};
config = {
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# from https://github.com/dylanaraps/neofetch
users.motd = ''
@ -102,11 +102,13 @@ in {
'';
boot.tmp.cleanOnBoot = true;
environment.systemPackages = with pkgs; [apg inetutils];
environment = {
systemPackages = with pkgs; [ apg inetutils ];
environment.interactiveShellInit = ''
alias vi=nvim
'';
interactiveShellInit = ''
alias vi=nvim
'';
};
time.timeZone = "US/Mountain";
@ -114,15 +116,15 @@ in {
if pkgs.system == "aarch64-linux"
then {
description = "Set date on boot";
wantedBy = ["network-online.target"];
after = ["network-online.target"];
wantedBy = [ "network-online.target" ];
after = [ "network-online.target" ];
script = ''
. /etc/profile;
${pkgs.outils}/bin/rdate pool.ntp.org
'';
serviceConfig.Type = "oneshot";
}
else {};
else { };
programs = {
zsh.enable = true;
@ -149,7 +151,7 @@ in {
settings = {
PermitRootLogin = lib.mkForce "prohibit-password";
PasswordAuthentication = false;
KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org"];
KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"


@ -1,36 +1,42 @@
{lib, ...}: let
{ lib, ... }:
let
inherit (builtins) toString readFile fromJSON filter;
getPrStatus = pr: let
prstr = toString pr;
prStatus = fromJSON (readFile ../pull_requests/${prstr}.json);
in
getPrStatus = pr:
let
prstr = toString pr;
prStatus = fromJSON (readFile ../pull_requests/${prstr}.json);
in
prStatus;
prIsOpen = {
option = pr: a: let
prStatus = getPrStatus pr;
in
option = pr: a:
let
prStatus = getPrStatus pr;
in
if prStatus.status == "open"
then a
else {};
pkg = pr: localPkg: upstreamPkg: let
prStatus = getPrStatus pr;
in
else { };
pkg = pr: localPkg: upstreamPkg:
let
prStatus = getPrStatus pr;
in
if prStatus.status == "open"
then localPkg
else
lib.warn
"PR: ${toString pr} (${prStatus.title}) is complete, ignoring pkg..."
upstreamPkg;
"PR: ${toString pr} (${prStatus.title}) is complete, ignoring pkg..."
upstreamPkg;
overlay = pr: overlay: let
prStatus = getPrStatus pr;
in
overlay = pr: overlay:
let
prStatus = getPrStatus pr;
in
if pr == 0 || prStatus.status == "open"
then overlay
else
lib.warn "PR: ${
toString pr
} (${prStatus.title}) is complete, ignoring overlay..." (_: _: {});
} (${prStatus.title}) is complete, ignoring overlay..."
(_: _: { });
};
todo = msg: lib.warn "TODO: ${msg}";
@ -48,7 +54,7 @@
value = {
script = mkCronScript "${job.name}_script" job.script;
inherit (job) startAt path;
serviceConfig = {Type = "oneshot";};
serviceConfig = { Type = "oneshot"; };
};
};
jobToService = job: {
@ -91,12 +97,14 @@
# Set our configurationRevison based on the status of our git repo.
# If the repo is dirty, disable autoUpgrade as it means we are
# testing something.
buildVer = self: let
state = self.rev or "DIRTY";
in {
system.configurationRevision = state;
system.autoUpgrade.enable = lib.mkDefault (state != "DIRTY");
};
buildVer = self:
let
state = self.rev or "DIRTY";
in
{
system.configurationRevision = state;
system.autoUpgrade.enable = lib.mkDefault (state != "DIRTY");
};
xinlib = {
inherit
@ -111,4 +119,4 @@
;
};
in
xinlib
xinlib


@ -1,4 +1,4 @@
{...}: {
{ ... }: {
imports = [
./golink.nix
./gotosocial.nix


@ -1,19 +1,19 @@
{
config,
lib,
pkgs,
...
{ config
, lib
, pkgs
, ...
}:
with pkgs; let
cfg = config.services.golink;
golink = callPackage ../pkgs/golink.nix {};
in {
golink = callPackage ../pkgs/golink.nix { };
in
{
options = with lib; {
services.golink = {
enable = mkEnableOption "Enable golink";
user = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "golink";
description = ''
The user the service will use.
@ -37,7 +37,7 @@ in {
};
group = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "golink";
description = ''
The user the service will use.
@ -53,7 +53,7 @@ in {
};
};
config = lib.mkIf cfg.enable {
users.groups.${cfg.group} = {};
users.groups.${cfg.group} = { };
users.users.${cfg.user} = {
description = "golink service user";
isSystemUser = true;
@ -65,10 +65,10 @@ in {
systemd.services.golink = {
enable = true;
description = "golink server";
wantedBy = ["network-online.target"];
after = ["network-online.target"];
wantedBy = [ "network-online.target" ];
after = [ "network-online.target" ];
path = [pkgs.vnstat];
path = [ pkgs.vnstat ];
environment = {
HOME = cfg.dataDir;


@ -1,27 +1,27 @@
{
config,
lib,
pkgs,
...
{ config
, lib
, pkgs
, ...
}:
with pkgs; let
cfg = config.services.gotosocial;
gotosocial = callPackage ../pkgs/gotosocial.nix {};
settingsFormat = pkgs.formats.json {};
gotosocial = callPackage ../pkgs/gotosocial.nix { };
settingsFormat = pkgs.formats.json { };
settingsType = settingsFormat.type;
prettyJSON = conf:
pkgs.runCommandLocal "gotosocial-config.json" {} ''
pkgs.runCommandLocal "gotosocial-config.json" { } ''
echo '${
builtins.toJSON conf
}' | ${pkgs.buildPackages.jq}/bin/jq 'del(._module)' > $out
'';
in {
in
{
options = with lib; {
services.gotosocial = {
enable = mkEnableOption "Enable gotosocial";
user = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "gotosocial";
description = ''
The user the service will use.
@ -29,7 +29,7 @@ in {
};
group = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "gotosocial";
description = ''
The user the service will use.
@ -53,7 +53,7 @@ in {
};
config = lib.mkIf cfg.enable {
users.groups.gotosocial = {};
users.groups.gotosocial = { };
users.users.gotosocial = {
description = "Gotosocial service user";
isSystemUser = true;
@ -65,8 +65,8 @@ in {
systemd.services.gotosocial = {
enable = true;
description = "GoToSocial server";
wantedBy = ["multi-user.target"];
after = ["postgresql.service"];
wantedBy = [ "multi-user.target" ];
after = [ "postgresql.service" ];
serviceConfig = {
User = cfg.user;


@ -1,27 +1,27 @@
{
config,
lib,
pkgs,
...
{ config
, lib
, pkgs
, ...
}:
with pkgs; let
cfg = config.services.rtlamr2mqtt;
rtlamr2mqtt = pkgs.python3Packages.callPackage ../pkgs/rtlamr2mqtt.nix {};
settingsFormat = pkgs.formats.json {};
rtlamr2mqtt = pkgs.python3Packages.callPackage ../pkgs/rtlamr2mqtt.nix { };
settingsFormat = pkgs.formats.json { };
settingsType = settingsFormat.type;
prettyJSON = conf:
pkgs.runCommandLocal "rtlamr2mqtt-config.json" {} ''
pkgs.runCommandLocal "rtlamr2mqtt-config.json" { } ''
echo '${
builtins.toJSON conf
}' | ${pkgs.buildPackages.jq}/bin/jq 'del(._module)' > $out
'';
in {
in
{
options = with lib; {
services.rtlamr2mqtt = {
enable = mkEnableOption "Enable rtlamr2mqtt";
user = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "rtlamr2mqtt";
description = ''
The user the service will use.
@ -29,7 +29,7 @@ in {
};
group = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "rtlamr2mqtt";
description = ''
The user the service will use.
@ -53,20 +53,20 @@ in {
};
config = lib.mkIf cfg.enable {
users.groups.rtlamr2mqtt = {};
users.groups.rtlamr2mqtt = { };
users.users.rtlamr2mqtt = {
description = "rtlamr2mqtt service user";
isSystemUser = true;
home = "/var/lib/rtlamr2mqtt";
createHome = true;
group = "rtlamr2mqtt";
extraGroups = ["plugdev"];
extraGroups = [ "plugdev" ];
};
systemd.services.rtlamr2mqtt = {
enable = true;
description = "rtlamr2mqtt server";
wantedBy = ["multi-user.target"];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = cfg.user;


@ -1,17 +1,18 @@
{
lib,
config,
pkgs,
...
}: let
{ lib
, config
, pkgs
, ...
}:
let
cfg = config.services.sliding-sync;
in {
in
{
options = with lib; {
services.sliding-sync = {
enable = lib.mkEnableOption "Enable sliding-sync";
user = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "syncv3";
description = ''
The user the service will use.
@ -19,7 +20,7 @@ in {
};
group = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "syncv3";
description = ''
The group the service will use.
@ -68,7 +69,7 @@ in {
};
config = lib.mkIf cfg.enable {
users.groups.${cfg.group} = {};
users.groups.${cfg.group} = { };
users.users.${cfg.user} = {
description = "sliding-sync service user";
isSystemUser = true;
@ -80,8 +81,8 @@ in {
systemd.services.sliding-sync = {
enable = true;
description = "sliding-sync server";
wantedBy = ["network-online.target"];
after = ["network-online.target" "matrix-synapse.service"];
wantedBy = [ "network-online.target" ];
after = [ "network-online.target" "matrix-synapse.service" ];
environment = {
HOME = "${cfg.dataDir}";


@ -1,9 +1,9 @@
{
config,
lib,
pkgs,
...
}: let
{ config
, lib
, pkgs
, ...
}:
let
perl = "${pkgs.perl}/bin/perl";
sshAdd = "${pkgs.openssh}/bin/ssh-add";
pKill = "${pkgs.procps}/bin/pkill";
@ -45,7 +45,8 @@
export SSH_AUTH_SOCK="$(echo $XDG_RUNTIME_DIR/ssh-agent)";
exec ${config.programs.ssh.askPassword} "$@"
'';
in {
in
{
options = {
sshFidoAgent = {
enable = lib.mkEnableOption "Add FIDO keys to ssh-agent when attached.";
@ -53,14 +54,14 @@ in {
};
config = lib.mkIf config.sshFidoAgent.enable {
environment.systemPackages = [fidoAddDevice];
environment.systemPackages = [ fidoAddDevice ];
systemd.user.services.sshfidoagent = {
script = ''
${fidoAddDevice}/bin/fido-add-device
'';
wantedBy = ["graphical-session.target"];
partOf = ["graphical-session.target"];
after = ["graphical-session.target"];
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
environment.DISPLAY = "fake";
environment.SSH_ASKPASS = askPassWrapper;
#serviceConfig = { Restart = "on-failure"; };


@ -1,11 +1,12 @@
{
lib,
config,
pkgs,
...
}: let
{ lib
, config
, pkgs
, ...
}:
let
cfg = config.services.tsrevprox;
in {
in
{
options = with lib; {
services.tsrevprox = {
enable = lib.mkEnableOption "Enable tsrevprox";
@ -35,7 +36,7 @@ in {
};
user = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "tsrevprox";
description = ''
The user the service will use.
@ -43,7 +44,7 @@ in {
};
group = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "tsrevprox";
description = ''
The group the service will use.
@ -74,7 +75,7 @@ in {
};
config = lib.mkIf cfg.enable {
users.groups.${cfg.group} = {};
users.groups.${cfg.group} = { };
users.users.${cfg.user} = {
description = "tsrevprox service user";
isSystemUser = true;
@ -86,10 +87,10 @@ in {
systemd.services.tsrevprox = {
enable = true;
description = "tsrevprox server";
wantedBy = ["network-online.target"];
after = ["network-online.target"];
wantedBy = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = {HOME = "${cfg.dataDir}";};
environment = { HOME = "${cfg.dataDir}"; };
serviceConfig = {
User = cfg.user;


@ -1,20 +1,20 @@
{
config,
lib,
pkgs,
inputs,
...
{ config
, lib
, pkgs
, inputs
, ...
}:
with pkgs; let
cfg = config.services.tsvnstat;
inherit (inputs.tsvnstat.packages.${pkgs.system}) tsvnstat;
in {
in
{
options = with lib; {
services.tsvnstat = {
enable = mkEnableOption "Enable tsvnstat";
user = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "tsvnstat";
description = ''
The user the service will use.
@ -38,7 +38,7 @@ in {
};
group = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "tsvnstat";
description = ''
The user the service will use.
@ -53,7 +53,7 @@ in {
};
};
config = lib.mkIf cfg.enable {
users.groups.${cfg.group} = {};
users.groups.${cfg.group} = { };
users.users.${cfg.user} = {
description = "tsvnstat service user";
isSystemUser = true;
@ -67,10 +67,10 @@ in {
systemd.services.tsvnstat = {
enable = true;
description = "tsvnstat server";
wantedBy = ["network-online.target"];
after = ["network-online.target"];
wantedBy = [ "network-online.target" ];
after = [ "network-online.target" ];
path = [pkgs.vnstat];
path = [ pkgs.vnstat ];
environment = {
HOME = "/var/lib/tsvnstat";


@ -1,23 +1,23 @@
{
config,
lib,
pkgs,
...
{ config
, lib
, pkgs
, ...
}:
with pkgs; let
cfg = config.services.veilid-server;
in {
in
{
options = with lib; {
services.veilid-server = {
enable = mkEnableOption "Enable velid-server";
user = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "veilid";
description = "The user veilid-server will run as.";
};
group = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "veilid";
description = "The group veilid-server will run with.";
};
@ -42,7 +42,7 @@ in {
};
config = lib.mkIf cfg.enable {
users.groups.${cfg.group} = {};
users.groups.${cfg.group} = { };
users.users.${cfg.user} = {
inherit (cfg) group;
description = "veilid-server user";
@ -52,15 +52,15 @@ in {
};
networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [5150];
allowedUDPPorts = [5150];
allowedTCPPorts = [ 5150 ];
allowedUDPPorts = [ 5150 ];
};
systemd.services.veilid-server = {
enable = true;
description = "veilid-server";
wantedBy = ["network-online.target"];
after = ["network-online.target"];
wantedBy = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = {
HOME = cfg.dataDir;


@ -1,13 +1,13 @@
{
config,
lib,
pkgs,
...
{ config
, lib
, pkgs
, ...
}:
with pkgs; let
cfg = config.services.yarr;
yarr = callPackage ../pkgs/yarr.nix {};
in {
yarr = callPackage ../pkgs/yarr.nix { };
in
{
options = with lib; {
services.yarr = {
enable = mkEnableOption "Enable yarr";
@ -51,7 +51,7 @@ in {
};
user = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "yarr";
description = ''
The user the service will use.
@ -59,7 +59,7 @@ in {
};
group = mkOption {
type = with types; oneOf [str int];
type = with types; oneOf [ str int ];
default = "yarr";
description = ''
The user the service will use.
@ -76,7 +76,7 @@ in {
};
config = lib.mkIf cfg.enable {
users.groups.yarr = {};
users.groups.yarr = { };
users.users.yarr = {
description = "Yarr service user";
isSystemUser = true;
@ -88,8 +88,8 @@ in {
systemd.services.yarr = {
enable = true;
description = "Yet Another Rss Reader server";
wantedBy = ["multi-user.target"];
after = ["networking.service"];
wantedBy = [ "multi-user.target" ];
after = [ "networking.service" ];
serviceConfig = {
User = cfg.user;


@ -1,7 +1,6 @@
{
config,
lib,
...
{ config
, lib
, ...
}:
with lib; let
cfg = config.services.xin-monitoring;
@ -15,16 +14,18 @@ with lib; let
;
nginxCfg = config.services.nginx;
buildFSChecker = fsList: (concatStringsSep "\n" (attrValues (mapAttrs (f: v:
if v.fsType != "sshfs"
then ''
check filesystem ${replaceStrings ["/"] ["_"] f} with path ${f}
if space usage > 90% then alert
if inode usage > 90% then alert
''
else "")
fsList)));
buildNginxChecker = vhostList: (concatStringsSep "\n" (attrValues (mapAttrs (f: v: ''
buildFSChecker = fsList: (concatStringsSep "\n" (attrValues (mapAttrs
(f: v:
if v.fsType != "sshfs"
then ''
check filesystem ${replaceStrings ["/"] ["_"] f} with path ${f}
if space usage > 90% then alert
if inode usage > 90% then alert
''
else "")
fsList)));
buildNginxChecker = vhostList: (concatStringsSep "\n" (attrValues (mapAttrs
(f: v: ''
check host ${f} with address ${f}
if failed port 80 protocol http then alert
${
@ -41,7 +42,8 @@ with lib; let
then (buildNginxChecker nginxCfg.virtualHosts)
else ""
else "";
in {
in
{
options = {
services.xin-monitoring = {
enable = mkOption {


@ -9,4 +9,4 @@ let
});
};
in
_1password-gui
_1password-gui


@ -1,8 +1,8 @@
{
isUnstable,
xinlib,
...
}: let
{ isUnstable
, xinlib
, ...
}:
let
inherit (xinlib) prIsOpen;
#_1password-gui = prIsOpen.overlay 235900 (import ./1password-gui.nix);
#openssh = import ./openssh.nix;
@ -13,7 +13,8 @@
#nixd = prIsOpen.overlay 238779 (import ./nixd.nix);
heisenbridge = prIsOpen.overlay 0 (import ./heisenbridge.nix);
#rex = prIsOpen.overlay 0 (import ./rex.nix);
in {
in
{
nixpkgs.overlays =
if isUnstable
then [


@ -14,4 +14,4 @@ let
});
};
in
heisenbridge
heisenbridge


@ -20,4 +20,4 @@ let
});
};
in
matrix-synapse
matrix-synapse


@ -18,4 +18,4 @@ let
});
};
in
nixd
nixd


@ -16,4 +16,4 @@ let
});
};
in
obsidian
obsidian


@ -15,4 +15,4 @@ let
});
};
in
openssh
openssh


@ -7,4 +7,4 @@ let
});
};
in
rex
rex


@ -28,4 +28,4 @@ let
# };
#};
in
tailscale
tailscale


@ -10,4 +10,4 @@ let
});
};
in
tidal-hifi
tidal-hifi


@ -1,10 +1,10 @@
{
lib,
stdenv,
fetchFromGitHub,
pkgs,
...
}: let
{ lib
, stdenv
, fetchFromGitHub
, pkgs
, ...
}:
let
libadalang = stdenv.mkDerivation rec {
pname = "libadalang";
version = "22.0.0";
@ -25,7 +25,7 @@
gnatcoll-gmp
];
makeFlags = ["PREFIX=$(out)"];
makeFlags = [ "PREFIX=$(out)" ];
};
vss = stdenv.mkDerivation rec {
pname = "vss";
@ -38,9 +38,9 @@
sha256 = "sha256-IDPcIJfavlqMsxLOGrvXYv98FdYVWkCiimLcMFp3ees=";
};
buildInputs = with pkgs; [gnat12 gprbuild];
buildInputs = with pkgs; [ gnat12 gprbuild ];
makeFlags = ["PREFIX=$(out)"];
makeFlags = [ "PREFIX=$(out)" ];
};
gnatdoc = stdenv.mkDerivation rec {
pname = "gnatdoc";
@ -53,32 +53,32 @@
sha256 = "sha256-kA5yOd3NDkRl08o38F5CyeFrihBZktNF6di3PC+/ZLU=";
};
buildInputs = with pkgs; [gnat12 gprbuild libadalang];
buildInputs = with pkgs; [ gnat12 gprbuild libadalang ];
makeFlags = ["PREFIX=$(out)"];
makeFlags = [ "PREFIX=$(out)" ];
};
in
stdenv.mkDerivation rec {
pname = "ada_language_server";
version = "23.0.10";
stdenv.mkDerivation rec {
pname = "ada_language_server";
version = "23.0.10";
src = fetchFromGitHub {
owner = "AdaCore";
repo = pname;
rev = version;
sha256 = "sha256-ZUzym0aMjq14W9h/lDL5hVCF/i+1SFu6kccGqzmGO3E=";
};
src = fetchFromGitHub {
owner = "AdaCore";
repo = pname;
rev = version;
sha256 = "sha256-ZUzym0aMjq14W9h/lDL5hVCF/i+1SFu6kccGqzmGO3E=";
};
buildInputs = with pkgs; [gnat12 gprbuild python3 vss gnatdoc];
buildInputs = with pkgs; [ gnat12 gprbuild python3 vss gnatdoc ];
meta = with lib; {
description = "Language server for Ada and SPARK";
longDescription = ''
Server implementing the Microsoft Language Protocol for Ada and SPARk
'';
homepage = "https://github.com/AdaCore/ada_language_server";
license = licenses.gpl3;
platforms = platforms.linux;
maintainers = with maintainers; [qbit];
};
}
meta = with lib; {
description = "Language server for Ada and SPARK";
longDescription = ''
Server implementing the Microsoft Language Protocol for Ada and SPARk
'';
homepage = "https://github.com/AdaCore/ada_language_server";
license = licenses.gpl3;
platforms = platforms.linux;
maintainers = with maintainers; [ qbit ];
};
}


@ -1,37 +1,36 @@
{
stdenv,
lib,
fetchurl,
unzip,
autoPatchelfHook,
...
{ stdenv
, lib
, fetchurl
, unzip
, autoPatchelfHook
, ...
}:
with lib;
stdenv.mkDerivation rec {
pname = "alire";
version = "1.2.1";
stdenv.mkDerivation rec {
pname = "alire";
version = "1.2.1";
src = fetchurl {
url = "https://github.com/alire-project/alire/releases/download/v1.2.1/alr-1.2.1-bin-x86_64-linux.zip";
sha256 = "sha256-bN/H5CPN7uvUH9+p+y/sg01qTJI3asToxVSVnKVNHuM=";
};
src = fetchurl {
url = "https://github.com/alire-project/alire/releases/download/v1.2.1/alr-1.2.1-bin-x86_64-linux.zip";
sha256 = "sha256-bN/H5CPN7uvUH9+p+y/sg01qTJI3asToxVSVnKVNHuM=";
};
nativeBuildInputs = [unzip autoPatchelfHook];
nativeBuildInputs = [ unzip autoPatchelfHook ];
dontBuild = true;
doCheck = false;
dontBuild = true;
doCheck = false;
installPhase = ''
runHook preInstall
mkdir -p $out/bin
install -D alr $out/bin/
runHook postInstall
'';
installPhase = ''
runHook preInstall
mkdir -p $out/bin
install -D alr $out/bin/
runHook postInstall
'';
meta = {
description = "ALIRE: Ada LIbrary REpository.";
homepage = "https://github.com/alire-project/alire";
license = licenses.gpl3;
maintainers = with maintainers; [qbit];
};
}
meta = {
description = "ALIRE: Ada LIbrary REpository.";
homepage = "https://github.com/alire-project/alire";
license = licenses.gpl3;
maintainers = with maintainers; [ qbit ];
};
}


@ -1,52 +1,52 @@
{
stdenv,
lib,
buildGoModule,
fetchFromGitHub,
isUnstable,
makeWrapper,
go,
git,
...
}: let
{ stdenv
, lib
, buildGoModule
, fetchFromGitHub
, isUnstable
, makeWrapper
, go
, git
, ...
}:
let
vendorHash =
if isUnstable
then ""
else "sha256-7CnkKMZ1so1lflmp4D9EAESR6/u9ys5CTuVOsYetp0I=";
in
with lib;
buildGoModule rec {
pname = "athens";
version = "0.11.0";
with lib;
buildGoModule rec {
pname = "athens";
version = "0.11.0";
src = fetchFromGitHub {
owner = "gomods";
repo = pname;
rev = "v${version}";
sha256 = "sha256-hkewZ21ElkoDsbPPiCZNmWu4MBlKTlnrK72/xCX06Sk=";
};
src = fetchFromGitHub {
owner = "gomods";
repo = pname;
rev = "v${version}";
sha256 = "sha256-hkewZ21ElkoDsbPPiCZNmWu4MBlKTlnrK72/xCX06Sk=";
};
doCheck = false;
doCheck = false;
ldflags = ["-X github.com/gomods/athens/pkg/build.version=${version}"];
ldflags = [ "-X github.com/gomods/athens/pkg/build.version=${version}" ];
nativeBuildInputs = lib.optionals stdenv.isLinux [makeWrapper go];
nativeBuildInputs = lib.optionals stdenv.isLinux [ makeWrapper go ];
proxyVendor = true;
proxyVendor = true;
subPackages = ["cmd/proxy"];
subPackages = [ "cmd/proxy" ];
vendorSha256 = vendorHash;
vendorSha256 = vendorHash;
postInstall = lib.optionalString stdenv.isLinux ''
mv $out/bin/proxy $out/bin/athens
wrapProgram $out/bin/athens --prefix PATH : ${lib.makeBinPath [git]}
'';
postInstall = lib.optionalString stdenv.isLinux ''
mv $out/bin/proxy $out/bin/athens
wrapProgram $out/bin/athens --prefix PATH : ${lib.makeBinPath [git]}
'';
meta = {
description = "A Go module datastore and proxy";
homepage = "https://github.com/gomods/athens";
license = licenses.mit;
maintainers = with maintainers; [qbit];
};
}
meta = {
description = "A Go module datastore and proxy";
homepage = "https://github.com/gomods/athens";
license = licenses.mit;
maintainers = with maintainers; [ qbit ];
};
}


@ -1,27 +1,26 @@
{
lib,
buildGoModule,
fetchFromGitHub,
...
{ lib
, buildGoModule
, fetchFromGitHub
, ...
}:
with lib;
buildGoModule rec {
pname = "bearclaw";
version = "1.1.0";
buildGoModule rec {
pname = "bearclaw";
version = "1.1.0";
src = fetchFromGitHub {
owner = "donuts-are-good";
repo = pname;
rev = "${version}";
sha256 = "sha256-AhqW+AAEBbAPJO0hnZnC5a/u4IKyLII6OWYEQzoX0C8=";
};
src = fetchFromGitHub {
owner = "donuts-are-good";
repo = pname;
rev = "${version}";
sha256 = "sha256-AhqW+AAEBbAPJO0hnZnC5a/u4IKyLII6OWYEQzoX0C8=";
};
vendorSha256 = "sha256-7XFvghT411YE+Y9bYEFOKR655EaFS4GZiDzUYiYRbMY=";
vendorSha256 = "sha256-7XFvghT411YE+Y9bYEFOKR655EaFS4GZiDzUYiYRbMY=";
meta = {
description = "tiny static site generator";
homepage = "https://github.com/donuts-are-good/bearclaw";
license = licenses.mit;
maintainers = with maintainers; [qbit];
};
}
meta = {
description = "tiny static site generator";
homepage = "https://github.com/donuts-are-good/bearclaw";
license = licenses.mit;
maintainers = with maintainers; [ qbit ];
};
}


@ -1,20 +1,19 @@
{
buildPythonPackage,
fetchPypi,
setuptools-scm,
appdirs,
sqlalchemy,
...
{ buildPythonPackage
, fetchPypi
, setuptools-scm
, appdirs
, sqlalchemy
, ...
}:
buildPythonPackage rec {
pname = "cachew";
version = "0.11.0";
nativeBuildInputs = [setuptools-scm];
nativeBuildInputs = [ setuptools-scm ];
doCheck = true;
propagatedBuildInputs = [appdirs sqlalchemy];
propagatedBuildInputs = [ appdirs sqlalchemy ];
src = fetchPypi {
inherit pname version;


@ -1,9 +1,9 @@
{
fetchurl,
appimageTools,
desktop-file-utils,
...
}: let
{ fetchurl
, appimageTools
, desktop-file-utils
, ...
}:
let
name = "cinny-desktop";
version = "2.0.4";
@ -13,47 +13,47 @@
sha256 = "sha256-9ZQyVcTsHja67DhuIyniTK/xr0C6qN7fiCmjt8enUd8=";
};
appimageContents = appimageTools.extract {inherit name src;};
appimageContents = appimageTools.extract { inherit name src; };
in
appimageTools.wrapType2 rec {
inherit name src;
appimageTools.wrapType2 rec {
inherit name src;
extraInstallCommands = ''
cp -r ${appimageContents}/* $out
cd $out
chmod -R +w $out
extraInstallCommands = ''
cp -r ${appimageContents}/* $out
cd $out
chmod -R +w $out
${desktop-file-utils}/bin/desktop-file-install --dir $out/share/applications \
--set-key Exec --set-value ${name} "cinny.desktop"
${desktop-file-utils}/bin/desktop-file-install --dir $out/share/applications \
--set-key Exec --set-value ${name} "cinny.desktop"
mv usr/bin/cinny $out/${name}
#mv usr/share share
mv usr/bin/cinny $out/${name}
#mv usr/share share
rm -rf usr/lib/* AppRun* *.desktop
'';
rm -rf usr/lib/* AppRun* *.desktop
'';
extraPkgs = pkgs:
with pkgs; [
atk
avahi
brotli
cairo
fontconfig
freetype
fribidi
glew-egl
gobject-introspection
gst_all_1.gstreamer
harfbuzz
icu
libdrm
libGLU
libgpg-error
librsvg
libthai
pango
xorg.libX11
xorg.libxcb
zlib
];
}
extraPkgs = pkgs:
with pkgs; [
atk
avahi
brotli
cairo
fontconfig
freetype
fribidi
glew-egl
gobject-introspection
gst_all_1.gstreamer
harfbuzz
icu
libdrm
libGLU
libgpg-error
librsvg
libthai
pango
xorg.libX11
xorg.libxcb
zlib
];
}


@ -1,8 +1,7 @@
{
lib,
buildGoModule,
fetchgit,
...
{ lib
, buildGoModule
, fetchgit
, ...
}:
buildGoModule rec {
pname = "clilol";
@ -24,6 +23,6 @@ buildGoModule rec {
homepage = "https://mcornick.dev/clilol/";
changelog = "https://git.mcornick.dev/mcornick/clilol/releases/tag/${version}";
license = licenses.mpl20;
maintainers = [maintainers.qbit];
maintainers = [ maintainers.qbit ];
};
}


@ -1,4 +1,4 @@
{...}: {
{ ... }: {
environment.systemPackages = [
#(callPackage ./cinny-desktop.nix { inherit isUnstable; })
#(callPackage ./mudita-center.nix { inherit isUnstable; })


@ -1,8 +1,8 @@
{
stdenv,
lib,
fetchgit,
gnumake,
{ stdenv
, lib
, fetchgit
, gnumake
,
}:
stdenv.mkDerivation {
pname = "femtolisp";
@ -14,7 +14,7 @@ stdenv.mkDerivation {
hash = "sha256-mh7upbCmWXLhudtaaebBf1XTIv4nYPSh0OAJDOqaQnk=";
};
buildInputs = [gnumake];
buildInputs = [ gnumake ];
installPhase = ''
mkdir -p $out/bin
@ -25,7 +25,7 @@ stdenv.mkDerivation {
description = "A compact interpreter for a minimal lisp/scheme dialect.";
homepage = "https://git.sr.ht/~ft/femtolisp";
license = lib.licenses.bsd3;
maintainer = with lib.maintainers; [qbit];
maintainer = with lib.maintainers; [ qbit ];
mainProgram = "flisp";
};
}
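Review bot: The reformatted line `maintainer = with lib.maintainers; [ qbit ];` in the last hunk still uses the key `maintainer`, while the other packages in this commit set `maintainers`, which is the attribute nixpkgs reads; as written the list is most likely ignored, so it should be `maintainers = with lib.maintainers; [ qbit ];`. The flake-warn package in the next file section has the same key. In the first hunk the formatter leaves a lone `,` line before `}:` because the argument set ended in a trailing comma with no `...`; dropping that comma after `gnumake` in the source would avoid it. The derivation body between the hunks is not shown here.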


@ -1,11 +1,10 @@
{
stdenv,
lib,
substituteAll,
jq,
nix,
coreutils,
...
{ stdenv
, lib
, substituteAll
, jq
, nix
, coreutils
, ...
}:
stdenv.mkDerivation rec {
pname = "flake-warn";
@ -26,7 +25,7 @@ stdenv.mkDerivation rec {
description = "script to warn when flake inputs are out of date";
homepage = "https://github.com/qbit/xin";
license = lib.licenses.isc;
maintainer = with lib.maintainers; [qbit];
maintainer = with lib.maintainers; [ qbit ];
mainProgram = "flake-warn";
};
}


@ -1,31 +1,30 @@
{
lib,
buildGoModule,
fetchFromGitHub,
...
{ lib
, buildGoModule
, fetchFromGitHub
, ...
}:
with lib;
buildGoModule rec {
pname = "fyne";
version = "2.3.5";
buildGoModule rec {
pname = "fyne";
version = "2.3.5";
src = fetchFromGitHub {
owner = "fyne-io";
repo = pname;
rev = "v${version}";
sha256 = "sha256-iSQ1oqUePxDyjQTKNazX0IZyHAoz50bqukV2CmQjrAk=";
};
src = fetchFromGitHub {
owner = "fyne-io";
repo = pname;
rev = "v${version}";
sha256 = "sha256-iSQ1oqUePxDyjQTKNazX0IZyHAoz50bqukV2CmQjrAk=";
};
vendorHash = null;
vendorHash = null;
proxyVendor = true;
proxyVendor = true;
subPackages = ["cmd/fyne"];
subPackages = [ "cmd/fyne" ];
meta = {
description = "Fyne command line tool";
homepage = "https://github.com/fyne-io/fyne";
license = licenses.bsd3;
maintainers = with maintainers; [qbit];
};
}
meta = {
description = "Fyne command line tool";
homepage = "https://github.com/fyne-io/fyne";
license = licenses.bsd3;
maintainers = with maintainers; [ qbit ];
};
}


@ -1,21 +1,20 @@
{
buildPythonPackage,
setuptools-scm,
fetchFromGitHub,
PyGithub,
pytz,
...
{ buildPythonPackage
, setuptools-scm
, fetchFromGitHub
, PyGithub
, pytz
, ...
}:
buildPythonPackage rec {
pname = "ghexport";
version = "20220828";
nativeBuildInputs = [setuptools-scm];
propagatedBuildInputs = [PyGithub pytz];
nativeBuildInputs = [ setuptools-scm ];
propagatedBuildInputs = [ PyGithub pytz ];
doCheck = true;
buildInputs = [];
buildInputs = [ ];
preCheck = ''
export HOME=$(mktemp -d)


@ -1,31 +1,30 @@
{
lib,
buildGoModule,
fetchFromGitHub,
...
{ lib
, buildGoModule
, fetchFromGitHub
, ...
}:
with lib;
buildGoModule {
pname = "gokrazy";
version = "0.0.0";
buildGoModule {
pname = "gokrazy";
version = "0.0.0";
src = fetchFromGitHub {
owner = "gokrazy";
repo = "tools";
rev = "b89d9dc6e09742ea23492bb84021da70b2965bff";
sha256 = "sha256-1nWpLQMDvtV83HFvmrNdN31DVENq3HUqk/6+zuavoTU=";
};
src = fetchFromGitHub {
owner = "gokrazy";
repo = "tools";
rev = "b89d9dc6e09742ea23492bb84021da70b2965bff";
sha256 = "sha256-1nWpLQMDvtV83HFvmrNdN31DVENq3HUqk/6+zuavoTU=";
};
vendorSha256 = "sha256-d6je2aRHlgP4r/Yg55zezRMTul1p5aLEpxfLb3V6BFg=";
vendorSha256 = "sha256-d6je2aRHlgP4r/Yg55zezRMTul1p5aLEpxfLb3V6BFg=";
proxyVendor = true;
proxyVendor = true;
doCheck = false;
doCheck = false;
meta = {
description = "CLI tools for gokrazy";
homepage = "https://github.com/gokrazy/tools";
license = licenses.bsd3;
maintainers = with maintainers; [qbit];
};
}
meta = {
description = "CLI tools for gokrazy";
homepage = "https://github.com/gokrazy/tools";
license = licenses.bsd3;
maintainers = with maintainers; [ qbit ];
};
}


@ -1,29 +1,28 @@
{
lib,
buildGoModule,
fetchFromGitHub,
...
{ lib
, buildGoModule
, fetchFromGitHub
, ...
}:
with lib;
buildGoModule rec {
pname = "golink";
version = "0.0.0";
buildGoModule rec {
pname = "golink";
version = "0.0.0";
src = fetchFromGitHub {
owner = "tailscale";
repo = pname;
rev = "cada6f65af471470f85092a7152023e956ce0fb4";
sha256 = "sha256-YApJezFbihypIZx8UHqqhXQ/fw1Zz/XL6P6Z3gTFtrA=";
};
src = fetchFromGitHub {
owner = "tailscale";
repo = pname;
rev = "cada6f65af471470f85092a7152023e956ce0fb4";
sha256 = "sha256-YApJezFbihypIZx8UHqqhXQ/fw1Zz/XL6P6Z3gTFtrA=";
};
vendorSha256 = "sha256-0k+1G+ox9+NZI4GaHm2Ba2Q4Eybz20gTAPnGKkU5Iec=";
vendorSha256 = "sha256-0k+1G+ox9+NZI4GaHm2Ba2Q4Eybz20gTAPnGKkU5Iec=";
proxyVendor = true;
proxyVendor = true;
meta = {
description = "A private shortlink service for tailnets";
homepage = "https://github.com/tailscale/golink";
license = licenses.bsd3;
maintainers = with maintainers; [qbit];
};
}
meta = {
description = "A private shortlink service for tailnets";
homepage = "https://github.com/tailscale/golink";
license = licenses.bsd3;
maintainers = with maintainers; [ qbit ];
};
}
