diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..42979e7
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,31 @@
+{ lib, ... }:
+with lib;
+let
+ # Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
+ getDir =
+ dir:
+ mapAttrs (file: type: if type == "directory" then getDir "${dir}/${file}" else type) (
+ builtins.readDir dir
+ );
+
+ # Collects all files of a directory as a list of strings of paths
+ files =
+ dir: collect isString (mapAttrsRecursive (path: type: concatStringsSep "/" path) (getDir dir));
+
+ # Filters out directories that don't end with .nix or are this file or the flake, also makes the strings absolute
+ validFiles =
+ dir:
+ map (file: ./. + "/${file}") (
+ filter (
+ file:
+ hasSuffix ".nix" file
+ && file != "default.nix"
+ && file != "flake.nix"
+ && !hasPrefix "hosts" file
+ && !hasPrefix "disko" file
+ ) (files dir)
+ );
+in
+{
+ imports = validFiles ./.;
+}
diff --git a/shared/disko/hetzner-zfs-impermanence.nix b/disko/hetzner-zfs-impermanence.nix
similarity index 100%
rename from shared/disko/hetzner-zfs-impermanence.nix
rename to disko/hetzner-zfs-impermanence.nix
diff --git a/shared/disko/zfs-impermanence.nix b/disko/zfs-impermanence.nix
similarity index 100%
rename from shared/disko/zfs-impermanence.nix
rename to disko/zfs-impermanence.nix
diff --git a/flake.nix b/flake.nix
index dc87d7d..e6e7286 100644
--- a/flake.nix
+++ b/flake.nix
@@ -32,9 +32,11 @@ nixosConfigurations = ( let
- x86_64-hosts = builtins.filter (file: file != "aarch64-linux") (
- builtins.attrNames (builtins.readDir ./hosts)
- );
+ x86_64-hosts =
+ with builtins;
+ (map (file: nixpkgs.lib.removeSuffix ".nix" file) (
+ filter (file: file != "aarch64-linux" && file != "installer") (attrNames (readDir ./hosts))
+ ));
 in builtins.listToAttrs ( map (
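Review bot: `validFiles` turns every `.nix` file anywhere under the flake root into a NixOS module, with only an exclusion list (`default.nix`, `flake.nix`, names starting with `hosts`/`disko`) between a stray file and system evaluation, so a helper expression or scratch file added later in any other directory is imported as a module on every host. An allow-list is safer and shorter: if all shared modules now live under `modules/`, as the renames in this commit suggest, `filter (file: hasSuffix ".nix" file && hasPrefix "modules/" file) (files dir)` replaces the four negative conditions. Note also that `hasPrefix "hosts"` is a plain string-prefix test, so a future top-level `hostsomething.nix` would be excluded too; `hasPrefix "hosts/"` says what is meant. The comment above `validFiles` speaks of filtering directories, but the list it filters holds file paths; `# Keeps only .nix module files, dropping the entry points and the per-host/disko files, and makes the paths absolute` describes it accurately.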
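Review bot: The new `file != "installer"` clause in the `filter` never matches: at that point the entries of `readDir ./hosts` still carry their suffix (`installer.nix` after the rename in this commit) and `removeSuffix ".nix"` only runs afterwards in the `map`, so `nixosConfigurations.installer` is still generated with `./default.nix` and `./hosts/installer.nix` as modules. Either compare against the file name, `filter (file: file != "aarch64-linux" && file != "installer.nix")`, or move the filter after the `map`; if the installer is meant to stay a configuration, drop the dead clause instead so the next reader does not assume it works. The enclosing `let` continues outside the hunk.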
@@ -49,8 +51,8 @@ system = "x86_64-linux"; modules = [ { networking.hostName = host; } - ./hosts/${host}/configuration.nix - ./hosts/${host}/state.nix + ./default.nix + ./hosts/${host}.nix disko.nixosModules.disko impermanence.nixosModules.impermanence @@ -63,7 +65,9 @@ ) // ( let - aarch64-linux-hosts = (builtins.attrNames (builtins.readDir ./hosts/aarch64-linux)); + aarch64-linux-hosts = + with builtins; + (map (file: nixpkgs.lib.removeSuffix ".nix" file) (attrNames (readDir ./hosts/aarch64-linux))); in builtins.listToAttrs ( map ( @@ -78,7 +82,8 @@ system = "aarch64-linux"; modules = [ { networking.hostName = host; } - ./hosts/aarch64-linux/${host}/configuration.nix + ./default.nix + ./hosts/aarch64-linux/${host}.nix disko.nixosModules.disko impermanence.nixosModules.impermanence diff --git a/hosts/aarch64-linux/wg-rpi/configuration.nix b/hosts/aarch64-linux/wg-rpi.nix similarity index 95% rename from hosts/aarch64-linux/wg-rpi/configuration.nix rename to hosts/aarch64-linux/wg-rpi.nix index 5dc0503..b082414 100644 --- a/hosts/aarch64-linux/wg-rpi/configuration.nix +++ b/hosts/aarch64-linux/wg-rpi.nix @@ -1,4 +1,8 @@ -{ config, pkgs, ... }: +{ + config, + pkgs, + ... +}: let # SSID = "ENTER_SSID"; # SSIDpassword = "ENTER_PASSWORD"; @@ -7,14 +11,12 @@ let hostname = "wg-rpi"; in { - imports = [ ../../../shared/base.nix ]; - sops.secrets = { priv-netflix-wg = { - sopsFile = ../../../secrets/wg-rpi.yaml; + sopsFile = ../../secrets/wg-rpi.yaml; restartUnits = [ "wg-quick-wg0.service" ]; }; - dd-pass.sopsFile = ../../../secrets/wg-rpi.yaml; + dd-pass.sopsFile = ../../secrets/wg-rpi.yaml; }; environment.systemPackages = with pkgs; [ diff --git a/hosts/cert-store.nix b/hosts/cert-store.nix new file mode 100644 index 0000000..3ec187c --- /dev/null +++ b/hosts/cert-store.nix 
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ imports = [ ../disko/zfs-impermanence.nix ];
+
+ custom = {
+ impermanence.enable = true;
+ vm.enable = true;
+ certStoreServer.enable = true;
+ };
+ networking.hostId = "ba4814a6";
+ system.stateVersion = "24.11";
+}
diff --git a/hosts/cert-store/configuration.nix b/hosts/cert-store/configuration.nix
deleted file mode 100644
index 45c3045..0000000
--- a/hosts/cert-store/configuration.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ ... }:
-{
- imports = [
- ../../shared/base.nix
-
- ../../shared/disko/zfs-impermanence.nix
- ../../shared/hardware/impermanence.nix
- ../../shared/hardware/vm.nix
-
- ../../servers/acme-cert-store.nix
- ];
-}
diff --git a/hosts/cert-store/state.nix b/hosts/cert-store/state.nix
deleted file mode 100644
index 2ff20e3..0000000
--- a/hosts/cert-store/state.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ ... }:
-{
- networking.hostId = "ba4814a6";
- system.stateVersion = "24.11";
-}
diff --git a/hosts/ci.nix b/hosts/ci.nix
new file mode 100644
index 0000000..99790c3
--- /dev/null
+++ b/hosts/ci.nix
@@ -0,0 +1,13 @@
+{ ... }:
+{
+ imports = [ ../disko/zfs-impermanence.nix ];
+
+ custom = {
+ impermanence.enable = true;
+ vm.enable = true;
+ forgejoRunner.enable = true;
+ hydra.enable = true;
+ };
+ networking.hostId = "45e785de";
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/ci/configuration.nix b/hosts/ci/configuration.nix
deleted file mode 100644
index 39ac56d..0000000
--- a/hosts/ci/configuration.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ ... }:
-{
- imports = [
- ../../shared/base.nix
-
- ../../shared/disko/zfs-impermanence.nix
- ../../shared/hardware/impermanence.nix
- ../../shared/hardware/vm.nix
-
- ../../servers/forgejo-runner.nix
- ../../servers/hydra.nix
- ];
-}
diff --git a/hosts/ci/state.nix b/hosts/ci/state.nix
deleted file mode 100644
index e856557..0000000
--- a/hosts/ci/state.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ ... }:
-{
- networking.hostId = "45e785de";
- system.stateVersion = "25.05";
-}
diff --git a/hosts/forgejo.nix b/hosts/forgejo.nix
new file mode 100644
index 0000000..26ab260
--- /dev/null
+++ b/hosts/forgejo.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ imports = [ ../disko/zfs-impermanence.nix ];
+
+ custom = {
+ impermanence.enable = true;
+ vm.enable = true;
+ forgejo.enable = true;
+ };
+ networking.hostId = "b5b67528";
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/forgejo/configuration.nix b/hosts/forgejo/configuration.nix
deleted file mode 100644
index 16b2136..0000000
--- a/hosts/forgejo/configuration.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ ... }:
-{
- imports = [
- ../../shared/base.nix
-
- ../../shared/disko/zfs-impermanence.nix
- ../../shared/hardware/impermanence.nix
- ../../shared/hardware/vm.nix
-
- ../../servers/forgejo.nix
- ];
-}
diff --git a/hosts/forgejo/state.nix b/hosts/forgejo/state.nix
deleted file mode 100644
index 447e437..0000000
--- a/hosts/forgejo/state.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ ... }:
-{
- networking.hostId = "b5b67528";
- system.stateVersion = "25.05";
-}
diff --git a/hosts/gaming.nix b/hosts/gaming.nix
new file mode 100644
index 0000000..78abde8
--- /dev/null
+++ b/hosts/gaming.nix
@@ -0,0 +1,15 @@
+{ ... }:
+{
+ imports = [ ../disko/zfs-impermanence.nix ];
+
+ custom = {
+ impermanence.enable = true;
+ vm.enable = true;
+ nvidia.enable = true;
+ desktop.enable = true;
+ i3.enable = true;
+ gamingServer.enable = true;
+ };
+ networking.hostId = "48434cbd";
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/gaming/configuration.nix b/hosts/gaming/configuration.nix
deleted file mode 100644
index 0163fa2..0000000
--- a/hosts/gaming/configuration.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{ ... }:
-{
- imports = [
- ../../shared/base.nix
-
- ../../shared/disko/zfs-impermanence.nix
- ../../shared/hardware/impermanence.nix
- ../../shared/hardware/nvidia.nix
- ../../shared/hardware/vm.nix
-
- ../../personal/desktop.nix
- ../../personal/programs/i3.nix
-
- ../../servers/gaming-server.nix
- ];
-}
diff --git a/hosts/gaming/state.nix b/hosts/gaming/state.nix
deleted file mode 100644
index f03a193..0000000
--- a/hosts/gaming/state.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ ... }:
-{
- networking.hostId = "48434cbd";
- system.stateVersion = "25.05";
-}
diff --git a/hosts/helium.nix b/hosts/helium.nix
new file mode 100644
index 0000000..2df9e24
--- /dev/null
+++ b/hosts/helium.nix
@@ -0,0 +1,103 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
+ custom = {
+ desktop.enable = true;
+ development.enable = true;
+ amdLaptop.enable = true;
+ hibernate.enable = true;
+ keychron.enable = true;
+ onlykey.enable = true;
+ trackball.enable = true;
+ homeWg = {
+ enable = true;
+ guaSuffix = "2";
+ };
+ printing.enable = true;
+ bitwarden.enable = true;
+ communication.enable = true;
+ firefox.enable = true;
+ i3.enable = true;
+ moonlight.enable = true;
+ redshift.enable = true;
+ study.enable = true;
+ usbAutoMount.enable = true;
+ syncthing.enable = true;
+ };
+ custom = {
+ };
+ system.autoUpgrade.allowReboot = lib.mkForce false;
+
+ sops.secrets.priv-netflix-wg.sopsFile = ../secrets/helium/netflix-wg.yaml;
+
+ networking = {
+ wg-quick.interfaces = {
+ wg1 = {
+ autostart = false;
+ address = [ "10.100.0.7/24" ];
+ dns = [ "1.1.1.1" ];
+ privateKeyFile = config.sops.secrets.priv-netflix-wg.path;
+ listenPort = 51820;
+
+ peers = [
+ {
+ publicKey = "XSYHg0utIR1j7kRsWFwuWNo4RPD47KP53cVa6qDPtRE=";
+ allowedIPs = [
+ "0.0.0.0/0"
+ "192.168.0.0/24"
+ ];
+ endpoint = "netflix.vsinerva.fi:51821";
+ }
+ ];
+ };
+ };
+ };
+
+ services.xserver.displayManager.setupCommands = ''
+ ${pkgs.xorg.xrandr}/bin/xrandr --output DP-1 --auto --pos 0x0 --primary --output eDP-1 --auto --pos 3840x360
+ '';
+
+ system.stateVersion = "23.11";
+ boot = {
+ resumeDevice = "/dev/mapper/luks-f6e1979b-0dee-4ee9-8170-10490019854b";
+ kernelParams = [ "resume_offset=44537856" ];
+ };
+
+ boot.initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/25115cdc-3b55-4dbf-a414-98a1a3c44f52";
+ fsType = "ext4";
+ };
+
+ boot.initrd.luks.devices."luks-f6e1979b-0dee-4ee9-8170-10490019854b".device =
+ "/dev/disk/by-uuid/f6e1979b-0dee-4ee9-8170-10490019854b";
+
+ fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/6E23-00AF";
+ fsType = "vfat";
+ options = [
+ "fmask=0022"
+ "dmask=0022"
+ ];
+ };
+
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.enableRedistributableFirmware = lib.mkDefault true;
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/helium/configuration.nix b/hosts/helium/configuration.nix
deleted file mode 100644
index 0e9e7e6..0000000
--- a/hosts/helium/configuration.nix
+++ /dev/null
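Review bot: The second `custom = { };` directly after the first `custom = { … };` block is an empty leftover; Nix merges the two attribute-set literals so the file still evaluates, but it reads as an unfinished edit and should be removed. `hardware.enableRedistributableFirmware = lib.mkDefault true;` appears to stand in for what the dropped `not-detected.nix` import used to provide (see the deleted `hosts/helium/state.nix`); a one-line comment such as `# inlined from nixos' installer/scan/not-detected.nix, which is no longer imported` would keep that provenance visible. The hunk starts in the previous physical line of this listing.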
@@ -1,66 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: -{ - custom.home_wg_suffix = "2"; - system.autoUpgrade.allowReboot = lib.mkForce false; - - sops.secrets.priv-netflix-wg.sopsFile = ../../secrets/helium/netflix-wg.yaml; - - networking = { - wg-quick.interfaces = { - wg1 = { - autostart = false; - address = [ "10.100.0.7/24" ]; - dns = [ "1.1.1.1" ]; - privateKeyFile = config.sops.secrets.priv-netflix-wg.path; - listenPort = 51820; - - peers = [ - { - publicKey = "XSYHg0utIR1j7kRsWFwuWNo4RPD47KP53cVa6qDPtRE="; - allowedIPs = [ - "0.0.0.0/0" - "192.168.0.0/24" - ]; - endpoint = "netflix.vsinerva.fi:51821"; - } - ]; - }; - }; - }; - - services.xserver.displayManager.setupCommands = '' - ${pkgs.xorg.xrandr}/bin/xrandr --output DP-1 --auto --pos 0x0 --primary --output eDP-1 --auto --pos 3840x360 - ''; - - imports = [ - ../../shared/base.nix - - ../../personal/desktop.nix - ../../personal/development.nix - - ../../personal/hardware/amd-laptop.nix - ../../personal/hardware/hibernate.nix - ../../personal/hardware/keychron-q11.nix - ../../personal/hardware/onlykey.nix - ../../personal/hardware/trackball.nix - - ../../personal/networking/home-wg.nix - ../../personal/networking/printing.nix - - ../../personal/programs/bitwarden.nix - ../../personal/programs/communication.nix - ../../personal/programs/firefox.nix - ../../personal/programs/i3.nix - ../../personal/programs/moonlight.nix - ../../personal/programs/redshift.nix - ../../personal/programs/study.nix - ../../personal/programs/usb-automount.nix - - ../../servers/syncthing.nix - ]; -} diff --git a/hosts/helium/state.nix b/hosts/helium/state.nix deleted file mode 100644 index 0a99093..0000000 --- a/hosts/helium/state.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - config, - lib, - modulesPath, - ... -}: -{ - system.stateVersion = "23.11"; - boot = { - resumeDevice = "/dev/mapper/luks-f6e1979b-0dee-4ee9-8170-10490019854b"; - kernelParams = [ "resume_offset=44537856" ]; - }; - - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ - "nvme" - "xhci_pci" - "usbhid" - "usb_storage" - "sd_mod" - ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/25115cdc-3b55-4dbf-a414-98a1a3c44f52"; - fsType = "ext4"; - }; - - boot.initrd.luks.devices."luks-f6e1979b-0dee-4ee9-8170-10490019854b".device = - "/dev/disk/by-uuid/f6e1979b-0dee-4ee9-8170-10490019854b"; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/6E23-00AF"; - fsType = "vfat"; - options = [ - "fmask=0022" - "dmask=0022" - ]; - }; - - networking.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/hosts/idacloud/configuration.nix b/hosts/idacloud.nix similarity index 71% rename from hosts/idacloud/configuration.nix rename to hosts/idacloud.nix index d7e66a5..d8d9a52 100644 --- a/hosts/idacloud/configuration.nix +++ b/hosts/idacloud.nix 
@@ -1,27 +1,30 @@ { config, ... }: { - custom.nextcloud_domain = "idacloud.sinerva.eu"; - services.nextcloud.settings.trusted_domains = [ "idacloud.vsinerva.fi" ]; - custom.collabora_domain = "idacollab.sinerva.eu"; + imports = [ ../disko/zfs-impermanence.nix ]; - imports = [ - ../../shared/base.nix - - ../../shared/disko/zfs-impermanence.nix - ../../shared/hardware/impermanence.nix - ../../shared/hardware/vm.nix - - ../../servers/nextcloud.nix - ]; + custom = { + impermanence.enable = true; + vm.enable = true; + nextcloud = { + enable = true; + domain = "idacloud.sinerva.eu"; + collabora = { + enable = true; + domain = "idacollab.sinerva.eu"; + }; + }; + }; + networking.hostId = "43ce8e3f"; + system.stateVersion = "25.05"; sops = { secrets = { priv-idacloud-wg = { - sopsFile = ../../secrets/idacloud.yaml; + sopsFile = ../secrets/idacloud.yaml; restartUnits = [ "wg-quick-wg0.service" ]; }; psk-laptop-idacloud-wg = { - sopsFile = ../../secrets/idacloud.yaml; + sopsFile = ../secrets/idacloud.yaml; restartUnits = [ "wg-quick-wg0.service" ]; }; }; diff --git a/hosts/idacloud/state.nix b/hosts/idacloud/state.nix deleted file mode 100644 index b6bc12b..0000000 --- a/hosts/idacloud/state.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ ... }: -{ - networking.hostId = "43ce8e3f"; - system.stateVersion = "25.05"; -} diff --git a/hosts/installer/configuration.nix b/hosts/installer.nix similarity index 92% rename from hosts/installer/configuration.nix rename to hosts/installer.nix index 90609ca..7a4cb78 100644 --- a/hosts/installer/configuration.nix +++ b/hosts/installer.nix @@ -1,7 +1,6 @@ { nixpkgs-flake, lib, ... }: { imports = [ - ../../shared/base.nix "${nixpkgs-flake}/nixos/modules/installer/cd-dvd/installation-cd-graphical-combined.nix" ]; diff --git a/hosts/installer/state.nix b/hosts/installer/state.nix deleted file mode 100644 index ffcd441..0000000 --- a/hosts/installer/state.nix +++ /dev/null @@ -1 +0,0 @@ -{ } 
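Review bot: `services.nextcloud.settings.trusted_domains = [ "idacloud.vsinerva.fi" ];` is removed without a replacement in this file, while the new `custom.nextcloud.domain` carries only `idacloud.sinerva.eu`; unless the nextcloud module (not in this diff) still adds the old name, Nextcloud will reject requests that arrive with that Host header. If the old hostname is no longer served this is fine but deserves a line in the commit message; if it still is, the setting needs a home in the new `custom.nextcloud` interface. The file continues past the hunk.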
diff --git a/hosts/lithium/state.nix b/hosts/lithium.nix similarity index 56% rename from hosts/lithium/state.nix rename to hosts/lithium.nix index 3fd06a1..96e2ad5 100644 --- a/hosts/lithium/state.nix +++ b/hosts/lithium.nix @@ -1,15 +1,34 @@ +{ config, lib, ... }: { - config, - lib, - modulesPath, - ... -}: -{ + custom = { + desktop.enable = true; + development.enable = true; + hibernate.enable = true; + intelLaptop.enable = true; + keychron.enable = true; + onlykey.enable = true; + trackball.enable = true; + homeWg = { + enable = true; + guaSuffix = "3"; + }; + printing.enable = true; + bitwarden.enable = true; + communication.enable = true; + firefox.enable = true; + i3.enable = true; + moonlight.enable = true; + redshift.enable = true; + study.enable = true; + usbAutoMount.enable = true; + syncthing.enable = true; + }; + + system.autoUpgrade.allowReboot = lib.mkForce false; + system.stateVersion = "24.05"; boot.kernelParams = [ "resume_offset=39292928" ]; - imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" @@ -41,5 +60,6 @@ networking.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.enableRedistributableFirmware = lib.mkDefault true; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/hosts/lithium/configuration.nix b/hosts/lithium/configuration.nix deleted file mode 100644 index 6027f17..0000000 --- a/hosts/lithium/configuration.nix +++ /dev/null 
@@ -1,30 +0,0 @@ -{ lib, ... }: -{ - custom.home_wg_suffix = "3"; - system.autoUpgrade.allowReboot = lib.mkForce false; - - imports = [ - ../../shared/base.nix - - ../../personal/desktop.nix - ../../personal/development.nix - - ../../personal/hardware/hibernate.nix - ../../personal/hardware/intel-laptop.nix - ../../personal/hardware/onlykey.nix - - ../../personal/networking/home-wg.nix - ../../personal/networking/printing.nix - - ../../personal/programs/bitwarden.nix - ../../personal/programs/communication.nix - ../../personal/programs/firefox.nix - ../../personal/programs/i3.nix - ../../personal/programs/moonlight.nix - ../../personal/programs/redshift.nix - ../../personal/programs/study.nix - ../../personal/programs/usb-automount.nix - - ../../servers/syncthing.nix - ]; -} diff --git a/hosts/nextcloud.nix b/hosts/nextcloud.nix new file mode 100644 index 0000000..31fc085 --- /dev/null +++ b/hosts/nextcloud.nix @@ -0,0 +1,15 @@ +{ ... }: +{ + imports = [ ../disko/zfs-impermanence.nix ]; + + custom = { + impermanence.enable = true; + vm.enable = true; + nextcloud = { + enable = true; + domain = "nextcloud.vsinerva.fi"; + }; + }; + networking.hostId = "ba0aeb92"; + system.stateVersion = "25.05"; +} diff --git a/hosts/nextcloud/configuration.nix b/hosts/nextcloud/configuration.nix deleted file mode 100644 index 2089662..0000000 --- a/hosts/nextcloud/configuration.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ ... }: -{ - custom.nextcloud_domain = "nextcloud.vsinerva.fi"; - - imports = [ - ../../shared/base.nix - - ../../shared/disko/zfs-impermanence.nix - ../../shared/hardware/impermanence.nix - ../../shared/hardware/vm.nix - - ../../servers/nextcloud.nix - ]; -} diff --git a/hosts/nextcloud/state.nix b/hosts/nextcloud/state.nix deleted file mode 100644 index c539766..0000000 --- a/hosts/nextcloud/state.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ ... }: -{ - networking.hostId = "ba0aeb92"; - system.stateVersion = "25.05"; -} 
diff --git a/hosts/siit-dc/state.nix b/hosts/siit-dc.nix similarity index 80% rename from hosts/siit-dc/state.nix rename to hosts/siit-dc.nix index ce30adf..b15e00c 100644 --- a/hosts/siit-dc/state.nix +++ b/hosts/siit-dc.nix @@ -1,5 +1,12 @@ { lib, ... }: { + imports = [ ../disko/hetzner-zfs-impermanence.nix ]; + + custom = { + impermanence.enable = true; + vm.enable = true; + siit.enable = true; + }; networking.hostId = "f1636fe0"; networking.networkmanager.enable = lib.mkForce false; networking.useDHCP = false; diff --git a/hosts/siit-dc/configuration.nix b/hosts/siit-dc/configuration.nix deleted file mode 100644 index ace787b..0000000 --- a/hosts/siit-dc/configuration.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: -{ - imports = [ - ../../shared/base.nix - - ../../shared/disko/hetzner-zfs-impermanence.nix - ../../shared/hardware/impermanence.nix - ../../shared/hardware/vm.nix - - ../../servers/siit-dc.nix - ]; -} diff --git a/hosts/syncthing/state.nix b/hosts/syncthing.nix similarity index 59% rename from hosts/syncthing/state.nix rename to hosts/syncthing.nix index e2961fb..b22ad58 100644 --- a/hosts/syncthing/state.nix +++ b/hosts/syncthing.nix @@ -1,5 +1,21 @@ -{ ... }: +{ lib, ... }: { + custom = { + vm.enable = true; + users.vili.enable = true; + syncthing.enable = true; + }; + + swapDevices = [ + { + device = "/var/lib/swapfile"; + size = 2 * 1024; + } + ]; + + users.users.vili.hashedPasswordFile = lib.mkForce null; + sops.secrets = lib.mkForce { }; + system.stateVersion = "22.11"; fileSystems."/" = { diff --git a/hosts/syncthing/configuration.nix b/hosts/syncthing/configuration.nix deleted file mode 100644 index 47010d0..0000000 --- a/hosts/syncthing/configuration.nix +++ /dev/null 
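Review bot: In `hosts/syncthing.nix`, `users.users.vili.hashedPasswordFile = lib.mkForce null;` together with `sops.secrets = lib.mkForce { };` overrides whatever the `users.vili` module sets up, so on this host the account's password source depends entirely on definitions not visible here — it may end up locked or, if another module sets a plain `password`, with that value. These two lines are moved rather than introduced, but a comment stating the intended login path, e.g. `# TODO(review): document why this host disables sops secrets and the password file (SSH-key-only login?)`, would stop the next reader from having to re-derive it. The hunk ends inside the `fileSystems."/"` definition, which continues outside it.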
@@ -1,20 +0,0 @@ -{ lib, ... }: -{ - swapDevices = [ - { - device = "/var/lib/swapfile"; - size = 2 * 1024; - } - ]; - - imports = [ - ../../shared/base.nix - ../../shared/hardware/vm.nix - ../../shared/users/vili.nix - - ../../servers/syncthing.nix - ]; - - users.users.vili.hashedPasswordFile = lib.mkForce null; - sops.secrets = lib.mkForce { }; -} diff --git a/hosts/vaultwarden.nix b/hosts/vaultwarden.nix new file mode 100644 index 0000000..4d7d6be --- /dev/null +++ b/hosts/vaultwarden.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + imports = [ ../disko/zfs-impermanence.nix ]; + + custom = { + impermanence.enable = true; + vm.enable = true; + vaultwarden.enable = true; + }; + networking.hostId = "2842298f"; + system.stateVersion = "25.05"; +} diff --git a/hosts/vaultwarden/configuration.nix b/hosts/vaultwarden/configuration.nix deleted file mode 100644 index e438f3a..0000000 --- a/hosts/vaultwarden/configuration.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: -{ - imports = [ - ../../shared/base.nix - - ../../shared/disko/zfs-impermanence.nix - ../../shared/hardware/impermanence.nix - ../../shared/hardware/vm.nix - - ../../servers/vaultwarden.nix - ]; -} diff --git a/hosts/vaultwarden/state.nix b/hosts/vaultwarden/state.nix deleted file mode 100644 index f4e7524..0000000 --- a/hosts/vaultwarden/state.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ ... }: -{ - networking.hostId = "2842298f"; - system.stateVersion = "25.05"; -} diff --git a/shared/base.nix b/modules/base.nix similarity index 94% rename from shared/base.nix rename to modules/base.nix index 38d5574..1a5c091 100644 --- a/shared/base.nix +++ b/modules/base.nix 
@@ -5,14 +5,20 @@ ... }: { - options.custom.gua_pref = lib.mkOption { - type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$"); - default = null; - description = "IPv6 GUA Prefix to use in other confs"; + options.custom = { + base.enable = lib.mkOption { + type = lib.types.bool; + default = true; + }; + guaPref = lib.mkOption { + type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$"); + default = null; + description = "IPv6 GUA Prefix to use in other confs"; + }; }; config = { - custom.gua_pref = "2001:14ba:a090:39"; + custom.guaPref = "2001:14ba:a090:39"; ######################################## Packages ############################################### environment.systemPackages = with pkgs; [ diff --git a/modules/desktop.nix b/modules/desktop.nix new file mode 100644 index 0000000..2f565a1 --- /dev/null +++ b/modules/desktop.nix 
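Review bot: The new `custom.base.enable` option (default `true`) has no effect in the visible part of the module: the `config = {` line below it is unchanged context and is not wrapped in `lib.mkIf config.custom.base.enable`, so setting the option to `false` on a host changes nothing unless the rest of the file (outside the hunk) reads it. Either gate the config, `config = lib.mkIf config.custom.base.enable {`, or drop the option until it is used. As a point of style, the bare `lib.mkOption { type = lib.types.bool; default = …; }` pattern used here and in every new module in this commit (desktop, development, amdLaptop, hibernate, intelLaptop, keychron, nvidia, onlykey, trackball, vm, impermanence, homeWg) is what `lib.mkEnableOption "…"` exists for; it also supplies the `description` these options lack, and `lib.mkEnableOption "the shared base config" // { default = true; }` keeps the non-standard default here.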
@@ -0,0 +1,64 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.custom.desktop;
+in
+{
+ options.custom.desktop.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ custom = {
+ symlinks.enable = true;
+ users.vili.enable = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ alacritty
+ vlc
+ flameshot
+ speedcrunch
+ ];
+
+ services = {
+ displayManager = {
+ autoLogin.enable = true;
+ autoLogin.user = "vili";
+ };
+ xserver = {
+ enable = true;
+ displayManager = {
+ lightdm.enable = true;
+ sessionCommands = ''${pkgs.xorg.xrdb}/bin/xrdb -merge < ${
+ (import ./programs/embedded/xresources.conf { inherit pkgs; })
+ }'';
+ };
+ };
+
+ pipewire.enable = false;
+ pulseaudio.enable = true;
+ };
+ nixpkgs.config.pulseaudio = true;
+
+ security.polkit.enable = true;
+
+ xdg.mime.defaultApplications = {
+ "application/pdf" = "org.gnome.Evince.desktop";
+ "text/plain" = "org.xfce.mousepad.desktop";
+ "text/x-tex" = "org.kde.kile.desktop";
+ "inode/directory" = "pcmanfm.description";
+ };
+
+ qt = {
+ enable = true;
+ style = "adwaita-dark";
+ platformTheme = "gnome";
+ };
+ };
+}
diff --git a/modules/development.nix b/modules/development.nix
new file mode 100644
index 0000000..f54b0b5
--- /dev/null
+++ b/modules/development.nix
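Review bot: In `xdg.mime.defaultApplications` the value for `"inode/directory"` is `"pcmanfm.description"`; the other three entries name `.desktop` files and the mapping is consumed as a desktop-entry ID, so this one almost certainly should read `"inode/directory" = "pcmanfm.desktop";` — as written the default file-manager association is silently ignored. Separately, `services.displayManager.autoLogin.enable = true` now applies to every host that sets `custom.desktop.enable`, including the `gaming` VM in `hosts/gaming.nix`, not only helium whose root is LUKS-encrypted; making auto-login its own option, or at least stating the physical-access assumption in a comment next to it, would make that trade-off deliberate rather than inherited.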
@@ -0,0 +1,59 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.custom.development;
+in
+{
+ options.custom.development.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ custom.nvim.enable = true;
+
+ #################### Git configuration ####################
+ programs.git = {
+ enable = true;
+ lfs.enable = true;
+ config = {
+ user = {
+ email = "vili.m.sinerva@gmail.com";
+ name = "Vili Sinervä";
+ signingkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
+ };
+ merge = {
+ ff = "true";
+ };
+ pull = {
+ ff = "only";
+ };
+ commit = {
+ verbose = "true";
+ };
+ gpg.format = "ssh";
+ commit.gpgsign = "true";
+ };
+ };
+
+ #################### Packages ####################
+ environment.systemPackages = with pkgs; [
+ nixfmt-rfc-style
+ nixd
+
+ vagrant
+ nmap
+ metasploit
+ armitage
+ ];
+ virtualisation.virtualbox.host.enable = true;
+ virtualisation.virtualbox.host.addNetworkInterface = false;
+ users.extraGroups.vboxusers.members = [ "vili" ];
+
+ fonts.packages = builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts);
+ };
+}
diff --git a/modules/hardware/amd-laptop.nix b/modules/hardware/amd-laptop.nix
new file mode 100644
index 0000000..b8c7a81
--- /dev/null
+++ b/modules/hardware/amd-laptop.nix
@@ -0,0 +1,60 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.custom.amdLaptop;
+in
+{
+ options.custom.amdLaptop.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [ zenmonitor ];
+
+ hardware.graphics = {
+ enable = true;
+ enable32Bit = true;
+ extraPackages = with pkgs; [ rocmPackages.clr.icd ];
+ };
+
+ hardware.amdgpu.initrd.enable = true;
+
+ services = {
+ xserver = lib.mkIf config.services.xserver.enable {
+ videoDrivers = [ "modesetting" ];
+ deviceSection = ''
+ Option "DRI" "2"
+ Option "TearFree" "true"
+ '';
+ };
+
+ tlp = {
+ enable = true;
+ settings = {
+ CPU_SCALING_GOVERNOR_ON_AC = "performance";
+ CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
+
+ CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
+ CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
+
+ CPU_MIN_PERF_ON_AC = 0;
+ CPU_MAX_PERF_ON_AC = 100;
+ CPU_MIN_PERF_ON_BAT = 0;
+ CPU_MAX_PERF_ON_BAT = 40;
+
+ #Optional helps save long term battery health
+ START_CHARGE_THRESH_BAT0 = 60; # 60 and bellow it starts to charge
+ STOP_CHARGE_THRESH_BAT0 = 80; # 80 and above it stops charging
+
+ };
+ };
+
+ logind.lidSwitch = if config.boot.resumeDevice != "" then "hibernate" else "suspend";
+ };
+ };
+}
diff --git a/modules/hardware/hibernate.nix b/modules/hardware/hibernate.nix
new file mode 100644
index 0000000..92f5f6c
--- /dev/null
+++ b/modules/hardware/hibernate.nix
@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+let
+ cfg = config.custom.hibernate;
+in
+{
+ options.custom.hibernate.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ swapDevices = [
+ {
+ device = "/var/lib/swapfile";
+ size = 16 * 1024;
+ }
+ ];
+
+ boot = {
+ resumeDevice = lib.mkDefault "/dev/mapper/nixos";
+ };
+ };
+}
diff --git a/modules/hardware/intel-laptop.nix b/modules/hardware/intel-laptop.nix
new file mode 100644
index 0000000..753c9e3
--- /dev/null
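Review bot: The whole `services.tlp` block (governors, energy policies, perf limits, charge thresholds) and the `logind.lidSwitch` expression in `modules/hardware/amd-laptop.nix` are duplicated verbatim in `modules/hardware/intel-laptop.nix` in the next hunk; a shared laptop module, or a `custom.laptop` option that both vendor modules enable, would keep the two copies from drifting apart. While moving it, the comment typo can go as well: `START_CHARGE_THRESH_BAT0 = 60; # 60 and below it starts to charge`.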
+++ b/modules/hardware/intel-laptop.nix
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.custom.intelLaptop;
+in
+{
+ options.custom.intelLaptop.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ hardware.graphics = {
+ extraPackages = with pkgs; [
+ intel-media-driver
+ intel-compute-runtime
+ ];
+ };
+
+ services = {
+ tlp = {
+ enable = true;
+ settings = {
+ CPU_SCALING_GOVERNOR_ON_AC = "performance";
+ CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
+
+ CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
+ CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
+
+ CPU_MIN_PERF_ON_AC = 0;
+ CPU_MAX_PERF_ON_AC = 100;
+ CPU_MIN_PERF_ON_BAT = 0;
+ CPU_MAX_PERF_ON_BAT = 40;
+
+ #Optional helps save long term battery health
+ START_CHARGE_THRESH_BAT0 = 60; # 60 and bellow it starts to charge
+ STOP_CHARGE_THRESH_BAT0 = 80; # 80 and above it stops charging
+
+ };
+ };
+
+ logind.lidSwitch = if config.boot.resumeDevice != "" then "hibernate" else "suspend";
+ };
+ };
+}
diff --git a/modules/hardware/keychron-q11.nix b/modules/hardware/keychron-q11.nix
new file mode 100644
index 0000000..763cd21
--- /dev/null
+++ b/modules/hardware/keychron-q11.nix
@@ -0,0 +1,24 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.custom.keychron;
+in
+{
+ options.custom.keychron.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = with pkgs; if config.services.xserver.enable then [ via ] else [ ];
+
+ # Keychron Q11
+ services.udev.extraRules = ''
+ KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="3434", ATTRS{idProduct}=="01e0", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
+ '';
+ };
+}
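Review bot: The udev rule in `modules/hardware/keychron-q11.nix` grants `MODE="0660", GROUP="users"` on the keyboard's hidraw node in addition to `TAG+="uaccess"`; `uaccess` already gives the active seat's user an ACL on the device, so the `GROUP="users"` part extends raw HID access to every member of `users`, logged in locally or not. If the intent is only to let the desktop user run `via`, drop `GROUP="users"` and keep the `uaccess` tag; `TAG+="udev-acl"` is the older spelling of the same mechanism and can probably go too.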
diff --git a/personal/hardware/moonlight-trackball-accel.patch b/modules/hardware/moonlight-trackball-accel.patch
similarity index 100%
rename from personal/hardware/moonlight-trackball-accel.patch
rename to modules/hardware/moonlight-trackball-accel.patch
diff --git a/modules/hardware/nvidia.nix b/modules/hardware/nvidia.nix
new file mode 100644
index 0000000..12333d5
--- /dev/null
+++ b/modules/hardware/nvidia.nix
@@ -0,0 +1,38 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.custom.nvidia;
+in
+{
+ options.custom.nvidia.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ hardware = {
+ nvidia = {
+ open = true; # Set to false to use the proprietary kernel module
+ forceFullCompositionPipeline = true;
+ };
+
+ graphics = {
+ enable = true;
+ extraPackages = with pkgs; [ nvidia-vaapi-driver ];
+ };
+ };
+
+ services.xserver.videoDrivers = [ "nvidia" ];
+ boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
+
+ nixpkgs.config.cudaSupport = true;
+ nix.settings = {
+ substituters = [ "https://nix-community.cachix.org" ];
+ trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
+ };
+ };
+}
diff --git a/modules/hardware/onlykey.nix b/modules/hardware/onlykey.nix
new file mode 100644
index 0000000..64ec75a
--- /dev/null
+++ b/modules/hardware/onlykey.nix
@@ -0,0 +1,33 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.custom.onlykey;
+in
+{
+ options.custom.onlykey.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ (onlykey.override (prev: {
+ node_webkit = prev.node_webkit.overrideAttrs {
+ version = "0.71.1";
+ src = fetchurl {
+ url = "https://dl.nwjs.io/v0.71.1/nwjs-v0.71.1-linux-x64.tar.gz";
+ hash = "sha256-bnObpwfJ6SNJdOvzWTnh515JMcadH1+fxx5W9e4gl/4=";
+ };
+ };
+ }))
+
+ onlykey-cli
+ ];
+
+ hardware.onlykey.enable = true;
+ };
+}
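Review bot: `nix.settings.substituters` and `trusted-public-keys` in `modules/hardware/nvidia.nix` are set from inside a GPU hardware module, so enabling `custom.nvidia` silently widens the set of binary caches whose signed builds the host accepts; that is a host-wide supply-chain decision and belongs next to the other `nix.settings` (presumably in `modules/base.nix`) or behind an explicit option, with a comment stating why the cache is needed, e.g. `# CUDA-enabled builds are not on cache.nixos.org; trust nix-community's cache for them`. The same applies to `boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;`, which pins the kernel for any host that enables this module.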
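Review bot: The `onlykey.override` in `modules/hardware/onlykey.nix` pins `node_webkit` to `0.71.1` fetched from `dl.nwjs.io`, replacing the NW.js (and its embedded Chromium) that nixpkgs ships with a fixed build that evidently differs from it, or the override would be unnecessary; the source is hash-pinned, which is good, but the pin means that runtime stops receiving browser security fixes for as long as it stays here. A comment giving the reason and the removal condition — `# onlykey GUI needs NW.js 0.71.x; re-test with the nixpkgs default and drop this pin when it works — TODO` — would keep it from becoming permanent by accident.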
diff --git a/modules/hardware/trackball.nix b/modules/hardware/trackball.nix new file mode 100644 index 0000000..83f7dd1 --- /dev/null +++ b/modules/hardware/trackball.nix @@ -0,0 +1,84 @@ +{ config, lib, ... }: +let + cfg = config.custom.trackball; +in +{ + options.custom.trackball.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + nixpkgs.overlays = [ + (final: prev: { + moonlight-qt = prev.moonlight-qt.overrideAttrs (old: { + patches = (old.patches or [ ]) ++ [ ./moonlight-trackball-accel.patch ]; + }); + }) + ]; + + hardware.logitech.wireless = { + enable = true; + enableGraphical = true; + }; + + services.libinput.mouse = { + accelProfile = "custom"; + accelStepMotion = 5.0e-2; + accelPointsMotion = [ + 0.0 + 2.0e-2 + 4.0e-2 + 6.0e-2 + 8.0e-2 + 0.1 + 0.12 + 0.14 + 0.16 + 0.18 + 0.2 + 0.2525 + 0.31 + 0.3725 + 0.44 + 0.5125 + 0.59 + 0.6725 + 0.76 + 0.8525 + 0.95 + 1.155 + 1.37 + 1.595 + 1.83 + 2.075 + 2.33 + 2.595 + 2.87 + 3.155 + 3.45 + 3.755 + 4.07 + 4.395 + 4.73 + 5.075 + 5.43 + 5.795 + 6.17 + 6.555 + 6.95 + 7.355 + 7.77 + 8.195 + 8.63 + 9.075 + 9.53 + 9.995 + 10.47 + 10.955 + 11.45 + 11.95 + ]; + }; + }; +} diff --git a/modules/hardware/vm.nix b/modules/hardware/vm.nix new file mode 100644 index 0000000..f9aa3ce --- /dev/null +++ b/modules/hardware/vm.nix 
@@ -0,0 +1,48 @@ +{ + config, + lib, + modulesPath, + ... +}: +let + cfg = config.custom.vm; +in +{ + options.custom.vm.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + services.qemuGuest.enable = true; + + boot.initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ahci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + "virtio_net" + "virtio_pci" + "virtio_mmio" + "virtio_blk" + "virtio_scsi" + "9p" + "9pnet_virtio" + ]; + boot.initrd.kernelModules = [ + "virtio_balloon" + "virtio_console" + "virtio_rng" + "virtio_gpu" + ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + networking.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + }; +} diff --git a/modules/impermanence.nix b/modules/impermanence.nix new file mode 100644 index 0000000..77c5b42 --- /dev/null +++ b/modules/impermanence.nix @@ -0,0 +1,49 @@ +{ config, lib, ... }: +let + cfg = config.custom.impermanence; +in +{ + options.custom.impermanence.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + # Default set of directories we always want to persist + environment.persistence."/persist" = { + enable = true; + hideMounts = true; + + files = [ + "/etc/machine-id" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_ed25519_key" + ]; + + directories = [ + "/var/lib/systemd/timers" + "/var/lib/nixos" + "/var/log" + ]; + }; + + fileSystems."/persist".neededForBoot = true; + + services = { + fstrim.interval = "daily"; + zfs = { + autoScrub.enable = true; + autoSnapshot = { + enable = true; + flags = "-k -p --utc"; + }; + trim.interval = "daily"; + }; + }; + + boot.initrd.postResumeCommands = lib.mkAfter '' + zfs rollback -r zroot/root@blank + zfs rollback -r zroot/home@blank + ''; + }; +} diff --git a/modules/networking/home-wg.nix b/modules/networking/home-wg.nix new file mode 100644 index 0000000..43d5cc5 --- /dev/null 
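Review bot: In vm.nix `boot.initrd.availableKernelModules` lists `"virtio_pci"` and `"virtio_scsi"` twice (once in the first group, again in the `virtio_net` … `virtio_scsi` run); loading a module that is already listed is a no-op, so this is harmless at runtime but reads as a copy-paste slip — drop the second occurrence of each. `boot.kernelModules = [ ]` and `boot.extraModulePackages = [ ]` only restate the defaults and could go as well.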
+++ b/modules/networking/home-wg.nix
@@ -0,0 +1,72 @@
+{ config, lib, ... }:
+let
+ cfg = config.custom.homeWg;
+ host = config.networking.hostName;
+in
+{
+ options.custom = {
+ homeWg = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ guaSuffix = lib.mkOption {
+ type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$");
+ default = null;
+ description = "IPv6 GUA Suffix for Home WireGuard config";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ sops = {
+ secrets = {
+ priv-home-wg = {
+ sopsFile = ../../secrets/${host}/home-wg.yaml;
+ restartUnits = [ "wg-quick-wg0.service" ];
+ };
+ psk-home-wg = {
+ sopsFile = ../../secrets/${host}/home-wg.yaml;
+ restartUnits = [ "wg-quick-wg0.service" ];
+ };
+ };
+ };
+
+ networking = {
+ wg-quick.interfaces = {
+ wg0 = {
+ autostart = true;
+ address = [ "${config.custom.guaPref}ff::${cfg.guaSuffix}/64" ];
+ dns = [
+ "${config.custom.guaPref}ff::1"
+ "vsinerva.fi"
+ ];
+ privateKeyFile = config.sops.secrets.priv-home-wg.path;
+ listenPort = 51820;
+
+ peers = [
+ {
+ publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
+ presharedKeyFile = config.sops.secrets.psk-home-wg.path;
+ allowedIPs = [ "::/0" ];
+ endpoint = "home.vsinerva.fi:51820";
+ }
+ ];
+ };
+ };
+ };
+
+ services.clatd.settings.clat-v6-addr = "${config.custom.guaPref}ff::c${cfg.guaSuffix}";
+
+ systemd.services = {
+ "wg-quick-wg0" = {
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ };
+ clatd = {
+ wants = [ "wg-quick-wg0.service" ];
+ after = [ "wg-quick-wg0.service" ];
+ };
+ };
+ };
+}
diff --git a/modules/networking/printing.nix b/modules/networking/printing.nix
new file mode 100644
index 0000000..1049986
--- /dev/null
+++ b/modules/networking/printing.nix
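Review bot: `guaSuffix` defaults to `null` but is interpolated unguarded into `wg0.address` and `clat-v6-addr`, so enabling `custom.homeWg` without setting it fails evaluation with a generic "cannot coerce null to a string" error far from the option that caused it. Add inside the `mkIf` block: `assertions = [ { assertion = cfg.guaSuffix != null; message = "custom.homeWg.guaSuffix must be set when custom.homeWg.enable is true"; } ];`. The `strMatching` pattern `^[0-9a-zA-Z:]+$` also accepts letters that cannot appear in an IPv6 address; `^[0-9a-fA-F:]+$` rejects those at option-check time instead of at interface bring-up. `config.custom.guaPref` is defined outside this hunk, so its own validation is not visible here.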
@@ -0,0 +1,21 @@ +{ config, lib, ... }: +let + cfg = config.custom.printing; +in +{ + options.custom.printing.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + services = { + printing.enable = true; + avahi = { + enable = true; + nssmdns4 = true; + openFirewall = true; + }; + }; + }; +} diff --git a/modules/programs/bitwarden.nix b/modules/programs/bitwarden.nix new file mode 100644 index 0000000..b5774e7 --- /dev/null +++ b/modules/programs/bitwarden.nix @@ -0,0 +1,36 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.custom.bitwarden; +in +{ + options.custom.bitwarden.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + bitwarden + bitwarden-cli + ]; + + programs.zsh.interactiveShellInit = "export SSH_AUTH_SOCK=/home/vili/.bitwarden-ssh-agent.sock"; + security = { + pam = { + rssh.enable = true; + services = { + sudo.rssh = true; + }; + }; + sudo.execWheelOnly = true; + }; + + # We need SSH for the sudo, but generally don't want it open on machines with Bitwarden client + services.openssh.openFirewall = false; + }; +} diff --git a/modules/programs/communication.nix b/modules/programs/communication.nix new file mode 100644 index 0000000..a432492 --- /dev/null +++ b/modules/programs/communication.nix @@ -0,0 +1,23 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.custom.communication; +in +{ + options.custom.communication.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + telegram-desktop + signal-desktop + discord + ]; + }; +} diff --git a/personal/programs/embedded/alacritty.nix b/modules/programs/embedded/alacritty.conf similarity index 100% rename from personal/programs/embedded/alacritty.nix rename to modules/programs/embedded/alacritty.conf 
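Review bot: In bitwarden.nix `programs.zsh.interactiveShellInit` exports `SSH_AUTH_SOCK=/home/vili/.bitwarden-ssh-agent.sock` for every interactive zsh on the host, root and other accounts included, which points them at a socket they cannot use and silently replaces whatever agent they already had; `programs.zsh.interactiveShellInit = "export SSH_AUTH_SOCK=$HOME/.bitwarden-ssh-agent.sock";` keeps it per user. Because `security.pam.services.sudo.rssh = true` lets sudo be satisfied by any key the agent can sign with, a comment next to it recording that the Bitwarden agent is the sudo factor and which authorized key it must hold would help the next reader. As far as I know pam_rssh verifies against the user's authorized_keys file rather than the sshd service, so the comment "We need SSH for the sudo" may want to say "SSH keys" to avoid implying sshd must run.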
diff --git a/personal/programs/embedded/i3-conf.nix b/modules/programs/embedded/i3.conf similarity index 99% rename from personal/programs/embedded/i3-conf.nix rename to modules/programs/embedded/i3.conf index 08ac961..7f2be0c 100644 --- a/personal/programs/embedded/i3-conf.nix +++ b/modules/programs/embedded/i3.conf @@ -1,7 +1,7 @@ { pkgs, ... }: let alacritty-conf = "${ - (import ./alacritty.nix { + (import ./alacritty.conf { inherit pkgs; }) }"; diff --git a/modules/programs/embedded/nvim.nix b/modules/programs/embedded/nvim.nix new file mode 100644 index 0000000..7c46c20 --- /dev/null +++ b/modules/programs/embedded/nvim.nix 
@@ -0,0 +1,245 @@ +{ + config, + lib, + nixvim, + ... +}: +let + cfg = config.custom.nvim; +in +{ + options.custom.nvim.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + imports = [ nixvim.nixosModules.nixvim ]; + + config = lib.mkIf cfg.enable { + programs.nixvim = { + enable = true; + defaultEditor = true; + vimAlias = false; + colorschemes.vscode.enable = true; + + globals.mapleader = " "; + + opts = { + colorcolumn = "100"; + cursorline = true; + number = true; + showcmd = true; + signcolumn = "yes"; + + scrolloff = 16; + shiftwidth = 3; + tabstop = 3; + }; + + keymaps = [ + { + key = "T"; + action = "Neotree"; + options.desc = "Open Neotree"; + } + { + mode = [ + "i" + "v" + ]; + key = ""; + action = ""; + options.desc = "Exit To Normal Mode"; + } + { + key = "b"; + action = "Gitsigns toggle_current_line_blame"; + options.desc = "Toggle Current Line Git Blame"; + } + ]; + + plugins = { + fugitive.enable = true; + gitsigns = { + enable = true; + settings = { + current_line_blame_opts.delay = 100; + numhl = true; + }; + }; + lualine.enable = true; + markdown-preview.enable = true; + neo-tree = { + enable = true; + buffers.followCurrentFile = { + enabled = true; + leaveDirsOpen = true; + }; + }; + nix.enable = true; + rainbow-delimiters.enable = true; + sleuth.enable = true; + tmux-navigator = { + enable = true; + settings.no_mappings = 1; + keymaps = [ + { + key = ""; + action = "left"; + options.desc = "Tmux Left"; + } + { + key = ""; + action = "down"; + options.desc = "Tmux Down"; + } + { + key = ""; + action = "up"; + options.desc = "Tmux Up"; + } + { + key = ""; + action = "right"; + options.desc = "Tmux Right"; + } + ]; + }; + treesitter = { + enable = true; + folding = true; + settings.indent.enable = true; + nixGrammars = true; + }; + web-devicons.enable = true; + which-key = { + enable = true; + settings.delay.__raw = '' + function(ctx) + return ctx.plugin and 0 or 500 + end + ''; + }; + + cmp = { + enable = true; + settings = 
{ + sources = [ + { name = "vim-vsnip"; } + { name = "vim-lsp-signature-help"; } + { name = "nvim-lsp"; } + { name = "treesitter"; } + { name = "buffer"; } + ]; + mapping = { + "" = "cmp.mapping.complete()"; + "" = "cmp.mapping.close()"; + "" = "cmp.mapping.confirm({ select = true })"; + "" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})"; + "" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})"; + }; + }; + }; + friendly-snippets.enable = true; + nvim-autopairs.enable = true; + + lsp = { + enable = true; + inlayHints = true; + keymaps = { + diagnostic = { + "dj" = { + action = "goto_next"; + desc = "Next Diagnostic"; + }; + "dk" = { + action = "goto_prev"; + desc = "Previous Diagnostic"; + }; + "dh" = { + action = "open_float"; + desc = "Line Diagnostics"; + }; + }; + lspBuf = { + "gd" = { + action = "definition"; + desc = "Goto Definition"; + }; + "gr" = { + action = "references"; + desc = "Goto References"; + }; + "gD" = { + action = "declaration"; + desc = "Goto Declaration"; + }; + "gi" = { + action = "implementation"; + desc = "Goto Implementation"; + }; + "gt" = { + action = "type_definition"; + desc = "Type Definition"; + }; + "s" = { + action = "workspace_symbol"; + desc = "Search Symbol"; + }; + "r" = { + action = "rename"; + desc = "Rename Symbol"; + }; + "a" = { + action = "code_action"; + desc = "Code Action"; + }; + H = { + action = "hover"; + desc = "Hover"; + }; + }; + extra = [ + { + action = "lua vim.lsp.inlay_hint.enable(not vim.lsp.inlay_hint.is_enabled())"; + key = "h"; + options.desc = "Toggle LSP Inlay Hints"; + } + ]; + }; + servers = { + clangd.enable = true; + cmake.enable = true; + dockerls.enable = true; + docker_compose_language_service.enable = true; + eslint.enable = true; + html.enable = true; + jsonls.enable = true; + nixd.enable = true; + pylsp.enable = true; + rust_analyzer = { + enable = true; + installCargo = false; + installRustc = false; + settings = { + completion = { + autoimport.enable = true; + 
autoself.enable = true; + fullFunctionSignatures.enable = true; + privateEditable.enable = true; + }; + diagnostics = { + styleLints.enable = true; + }; + hover.actions.references.enable = true; + }; + }; + yamlls.enable = true; + }; + }; + lsp-format.enable = true; + lsp-signature.enable = true; + }; + }; + }; +} diff --git a/personal/programs/embedded/xresources.nix b/modules/programs/embedded/xresources.conf similarity index 100% rename from personal/programs/embedded/xresources.nix rename to modules/programs/embedded/xresources.conf diff --git a/modules/programs/firefox.nix b/modules/programs/firefox.nix new file mode 100644 index 0000000..6ea2936 --- /dev/null +++ b/modules/programs/firefox.nix 
@@ -0,0 +1,185 @@ +{ config, lib, ... }: +let + cfg = config.custom.firefox; + lock-false = { + Value = false; + Status = "locked"; + }; + lock-true = { + Value = true; + Status = "locked"; + }; +in +{ + options.custom.firefox.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + programs.firefox = { + enable = true; + + # AutoConfig used for preferences not supported via policies + autoConfig = '' + lockPref("full-screen-api.warning.timeout", 500) + lockPref("privacy.fingerprintingProtection", true) + lockPref("privacy.donottrackheader.enabled", true) + ''; + + # ---- POLICIES ---- + # Check about:policies#documentation for options. + policies = { + # ---- EXTENSIONS ---- + # Check about:support for extension/add-on ID strings. + # Valid strings for installation_mode are "allowed", "blocked", + # "force_installed" and "normal_installed". + ExtensionSettings = { + "*".installation_mode = "blocked"; + "{446900e4-71c2-419f-a6a7-df9c091e268b}" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi"; + installation_mode = "force_installed"; + }; + "jsr@javascriptrestrictor" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/javascript-restrictor/latest.xpi"; + installation_mode = "force_installed"; + }; + }; + + AutofillAddressEnabled = false; + AutofillCreditCardEnabled = false; + DisableFirefoxStudies = true; + DisableFormHistory = true; + DisablePocket = true; + DisableSecurityBypass = false; + DisableTelemetry = true; + DisplayBookmarksToolbar = "always"; # alternatives: "always" or "newtab" + DisplayMenuBar = "default-off"; # alternatives: "always", "never" or "default-on" + DontCheckDefaultBrowser = true; + DownloadDirectory = "\${home}/Downloads"; + EnableTrackingProtection = { + Value = true; + Locked = true; + Cryptomining = true; + Fingerprinting = true; + EmailTracking = true; + }; + FirefoxHome = { + Locked = true; + Search = 
true; + TopSites = true; + SponsoredTopSites = false; + Highlights = false; + Pocket = false; + SponsoredPocket = false; + }; + FirefoxSuggest = { + Locked = true; + WebSuggestions = false; + SponsoredSuggestions = false; + ImproveSuggest = false; + }; + HardwareAccelerations = true; + Homepage = { + Locked = true; + URL = "https://www.duckduckgo.com/"; + StartPage = "previous-session"; + }; + HttpsOnlyMode = "force_enabled"; + NetworkPrediction = false; + NoDefaultBookmarks = true; + OverrideFirstRunPage = ""; + OverridePostUpdatePage = ""; + PasswordManagerEnabled = false; + Permissions = { + Camera = { + Allow = [ ]; + Block = [ ]; + BlockNewRequests = false; + Locked = true; + }; + Microphone = { + Allow = [ ]; + Block = [ ]; + BlockNewRequests = false; + Locked = true; + }; + Location = { + Allow = [ ]; + Block = [ ]; + BlockNewRequests = false; + Locked = true; + }; + Notifications = { + Allow = [ ]; + Block = [ ]; + BlockNewRequests = false; + Locked = true; + }; + Autoplay = { + Allow = [ ]; + Block = [ ]; + BlockNewRequests = false; + Default = "block-audio-video"; + Locked = true; + }; + }; + PictureInPicture = { + Enabled = true; + Locked = true; + }; + PopupBlocking = { + Allow = [ ]; + Default = true; + Locked = true; + }; + PostQuantumKeyAgreementEnabled = true; + PrimaryPassword = false; + PrintingEnabled = true; + PromptForDownloadLocation = false; + RequestedLocales = [ "en-US" ]; + SearchBar = "unified"; # alternative: "separate" + SearchEngines.PreventInstalls = true; + SearchSuggestEnabled = false; + UserMessaging = { + Locked = true; + ExtensionRecommendations = true; + FeatureRecommendations = false; + UrlbarInterventions = false; + SkipOnboarding = true; + MoreFromMozilla = false; + }; + UseSystemPrintDialog = true; + + # ---- PREFERENCES ---- + # Check about:config for options. 
+ Preferences = { + "browser.contentblocking.category" = { + Value = "strict"; + Status = "locked"; + }; + "browser.safebrowsing.downloads.enabled" = lock-true; + "browser.safebrowsing.downloads.remote.block_potentially_unwanted" = lock-true; + "browser.safebrowsing.downloads.remote.block_uncommon" = lock-true; + "browser.safebrowsing.malware.enabled" = lock-true; + "browser.safebrowsing.phishing.enabled" = lock-true; + "browser.crashReports.unsubmittedCheck.autoSubmit2" = lock-false; + "browser.topsites.contile.enabled" = lock-false; + "browser.translations.automaticallyPopup" = lock-false; + "dom.private-attribution.submission.enabled" = lock-false; + "media.ffmpeg.vaapi.enabled" = lock-true; + "privacy.globalprivacycontrol.enabled" = lock-true; + "xpinstall.whitelist.required" = lock-true; + "network.trr.mode" = { + Value = 0; + Status = "locked"; + }; + "security.OCSP.enabled" = { + Value = 1; + Status = "locked"; + }; + }; + }; + }; + }; +} diff --git a/modules/programs/i3.nix b/modules/programs/i3.nix new file mode 100644 index 0000000..17d4ac5 --- /dev/null +++ b/modules/programs/i3.nix @@ -0,0 +1,43 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.custom.i3; +in +{ + options.custom.i3.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + i3status + rofi + arandr + pavucontrol + viewnior + xfce.mousepad + pcmanfm + evince + brightnessctl + networkmanagerapplet + ]; + + programs.i3lock.enable = true; + + services = { + displayManager = { + defaultSession = "none+i3"; + }; + xserver.windowManager.i3 = { + enable = true; + extraPackages = [ ]; + configFile = "${(import ./embedded/i3.conf { inherit pkgs; })}"; + }; + }; + }; +} diff --git a/modules/programs/moonlight.nix b/modules/programs/moonlight.nix new file mode 100644 index 0000000..9a64749 --- /dev/null +++ b/modules/programs/moonlight.nix 
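Review bot: In firefox.nix the two numeric locked prefs at the end of `Preferences` carry no explanation, and `"network.trr.mode" = 0` is Firefox's "off by default" value, which Mozilla's DoH rollout may switch on, whereas 5 is "off by choice"; locking 0 presumably blocks the rollout from changing it, but if the intent is DoH off, `"network.trr.mode" = { Value = 5; Status = "locked"; }` states it directly. A why-comment on each, e.g. `# DoH off: use the system resolver (on hosts with wg0/clatd that is the tunnel DNS)` and `# 1 = OCSP enabled (Firefox default); locked so it cannot be turned off`, would make the choices reviewable. `DisableSecurityBypass = false` keeps the click-through on certificate-error and safe-browsing interstitials, which is the default but deserves the same one-line comment since every neighbouring setting is locked down.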
@@ -0,0 +1,21 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.custom.moonlight; +in +{ + options.custom.moonlight.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + moonlight-qt + ]; + }; +} diff --git a/modules/programs/redshift.nix b/modules/programs/redshift.nix new file mode 100644 index 0000000..64857b3 --- /dev/null +++ b/modules/programs/redshift.nix @@ -0,0 +1,30 @@ +{ config, lib, ... }: +let + cfg = config.custom.redshift; +in +{ + options.custom.redshift.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + services.redshift = { + executable = "/bin/redshift-gtk"; + enable = true; + temperature = { + night = 2800; + day = 6500; + }; + brightness = { + night = "0.5"; + day = "1"; + }; + }; + + location = { + latitude = 60.17; + longitude = 24.94; + }; + }; +} diff --git a/modules/programs/study.nix b/modules/programs/study.nix new file mode 100644 index 0000000..439b30c --- /dev/null +++ b/modules/programs/study.nix @@ -0,0 +1,27 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.custom.study; +in +{ + options.custom.study.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + environment.systemPackages = with pkgs; [ + libreoffice + zotero + kile + texliveFull + imagemagick + ghostscript + kdePackages.okular + ]; + }; +} diff --git a/personal/programs/symlinked/gtk-3-4-settings.ini b/modules/programs/symlinked/gtk-3-4-settings.ini similarity index 100% rename from personal/programs/symlinked/gtk-3-4-settings.ini rename to modules/programs/symlinked/gtk-3-4-settings.ini diff --git a/personal/programs/symlinked/gtk-bookmarks b/modules/programs/symlinked/gtk-bookmarks similarity index 100% rename from personal/programs/symlinked/gtk-bookmarks rename to modules/programs/symlinked/gtk-bookmarks 
diff --git a/personal/programs/symlinked/gtkrc-2.0 b/modules/programs/symlinked/gtkrc-2.0 similarity index 100% rename from personal/programs/symlinked/gtkrc-2.0 rename to modules/programs/symlinked/gtkrc-2.0 diff --git a/personal/programs/symlinked/libfm.conf b/modules/programs/symlinked/libfm.conf similarity index 100% rename from personal/programs/symlinked/libfm.conf rename to modules/programs/symlinked/libfm.conf diff --git a/personal/programs/symlinked/pcmanfm.conf b/modules/programs/symlinked/pcmanfm.conf similarity index 100% rename from personal/programs/symlinked/pcmanfm.conf rename to modules/programs/symlinked/pcmanfm.conf diff --git a/modules/programs/symlinked/symlinks.nix b/modules/programs/symlinked/symlinks.nix new file mode 100644 index 0000000..6614684 --- /dev/null +++ b/modules/programs/symlinked/symlinks.nix 
@@ -0,0 +1,64 @@ +{ config, lib, ... }: +let + cfg = config.custom.symlinks; +in +{ + options.custom.symlinks.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + system.userActivationScripts.mkDesktopSettingsSymlinks.text = + let + home = "/home/vili/"; + paths = [ + rec { + dir = "${home}.config/pcmanfm/default/"; + file = "pcmanfm.conf"; + full = "${dir}${file}"; + source = "${./pcmanfm.conf}"; + } + rec { + dir = "${home}.config/libfm/"; + file = "libfm.conf"; + full = "${dir}${file}"; + source = "${./libfm.conf}"; + } + rec { + dir = "${home}.config/gtk-3.0/"; + file = "bookmarks"; + full = "${dir}${file}"; + source = "${./gtk-bookmarks}"; + } + rec { + dir = "${home}"; + file = ".gtkrc-2.0"; + full = "${dir}${file}"; + source = "${./gtkrc-2.0}"; + } + rec { + dir = "${home}.config/gtk-3.0/"; + file = "settings.ini"; + full = "${dir}${file}"; + source = "${./gtk-3-4-settings.ini}"; + } + rec { + dir = "${home}.config/gtk-4.0/"; + file = "settings.ini"; + full = "${dir}${file}"; + source = "${./gtk-3-4-settings.ini}"; + } + ]; + in + toString ( + map (path: '' + mkdir -p ${path.dir} + if test -e ${path.full} -a ! -L ${path.full}; then + mv -f ${path.full} ${path.full}.old + fi + ln -sf ${path.source} ${path.full} + '') paths + ); + }; +} diff --git a/modules/programs/usb-automount.nix b/modules/programs/usb-automount.nix new file mode 100644 index 0000000..65f8ebb --- /dev/null +++ b/modules/programs/usb-automount.nix @@ -0,0 +1,18 @@ +{ config, lib, ... }: +let + cfg = config.custom.usbAutoMount; +in +{ + options.custom.usbAutoMount.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + services = { + devmon.enable = true; + gvfs.enable = true; + udisks2.enable = true; + }; + }; +} diff --git a/modules/services/cert-store-server.nix b/modules/services/cert-store-server.nix new file mode 100644 index 0000000..89218c3 --- /dev/null 
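Review bot: In symlinks.nix `home` is hard-coded to `/home/vili/` inside a `system.userActivationScripts` entry, which as far as I can tell runs for each user account on activation; for any other account `mkdir -p` and `ln -sf` then operate inside another user's home and either fail or create entries owned by the wrong user. `home = "$HOME/";` keeps every user inside their own directory, and since `${path.dir}` and `${path.full}` are unquoted in the shell fragment they should be double-quoted at the same time. Separately, `mv -f ${path.full} ${path.full}.old` overwrites the previous `.old` on every run where a regular file reappears, so only the most recent backup survives; if that is acceptable a short comment saying so would do.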
+++ b/modules/services/cert-store-server.nix 
@@ -0,0 +1,104 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ cfg = config.custom.certStoreServer;
+ update-cert = pkgs.writeScriptBin "update-cert" ''
+ cd ${config.users.users."cert-store".home}
+
+ rm -rf nixos-conf
+ rm -rf ./-.vsinerva.fi
+
+ if [[ $SSH_ORIGINAL_COMMAND == ${pkgs.openssh}/libexec/sftp-server ]]; then
+ eval "$SSH_ORIGINAL_COMMAND"
+ fi
+
+ export SOPS_AGE_KEY_FILE='${config.sops.secrets.cert-age-key.path}'
+ export GIT_SSH_COMMAND='ssh -i ${config.sops.secrets.forgejo-deploy-key.path} -o IdentitiesOnly=yes'
+
+ git clone ssh://forgejo@forgejo.sinerva.eu/VSinerva/nixos-conf.git
+ cd nixos-conf
+
+ ${pkgs.sops}/bin/sops -d --extract '["cert-fullchain"]' --output old-fullchain secrets/cert.yaml
+ ${pkgs.sops}/bin/sops -d --extract '["cert-key"]' --output old-key secrets/cert.yaml
+
+ cp ${config.users.users."cert-store".home}/-.vsinerva.fi/fullchain.pem ./new-fullchain
+ cp ${config.users.users."cert-store".home}/-.vsinerva.fi/key.pem ./new-key
+
+ if ! ${pkgs.diffutils}/bin/cmp new-fullchain old-fullchain; then
+ ${pkgs.sops}/bin/sops --set "[\"cert-fullchain\"] $(${pkgs.jq}/bin/jq -sR < new-fullchain)" secrets/cert.yaml
+ fi
+
+ if ! ${pkgs.diffutils}/bin/cmp new-key old-key; then
+ ${pkgs.sops}/bin/sops --set "[\"cert-key\"] $(${pkgs.jq}/bin/jq -sR < new-key)" secrets/cert.yaml
+ fi
+
+ git commit -am "Automatically updated wildcard cert"
+ git push
+ cd ${config.users.users."cert-store".home}
+ rm -rf nixos-conf
+ rm -rf ./-.vsinerva.fi
+ '';
+in
+{
+ options.custom.certStoreServer.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ sops = {
+ secrets = {
+ forgejo-deploy-key = {
+ sopsFile = ../../secrets/cert-store.yaml;
+ owner = config.users.users."cert-store".name;
+ };
+ cert-age-key = {
+ sopsFile = ../../secrets/cert-store.yaml;
+ owner = config.users.users."cert-store".name;
+ };
+ };
+ };
+
+ systemd.tmpfiles.settings."cert-store-home"."/home/cert-store".d = {
+ user = "cert-store";
+ group = "users";
+ mode = "0700";
+ };
+ users.users."cert-store" = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
+ ];
+ };
+
+ services.openssh.knownHosts."forgejo.sinerva.eu".publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";
+
+ environment.systemPackages = [ update-cert ];
+
+ programs.git = {
+ enable = true;
+ config = {
+ user = {
+ email = "vili.m.sinerva@gmail.com";
+ name = "Vili Sinervä";
+ };
+ };
+ };
+
+ services.openssh.extraConfig = ''
+ Match User cert-store
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ PermitTunnel no
+ X11Forwarding no
+ ForceCommand ${update-cert}/bin/update-cert
+ Match All
+ '';
+ };
+}
diff --git a/modules/services/forgejo-runner.nix b/modules/services/forgejo-runner.nix
new file mode 100644
index 0000000..4f23ad6
--- /dev/null
+++ b/modules/services/forgejo-runner.nix
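Review bot: The `update-cert` script that sshd runs as ForceCommand has no shebang (`writeScriptBin` adds none) and no `set -euo pipefail`, so a failed `git clone`, a missing upload under `./-.vsinerva.fi` or a failing `jq` does not stop it: `cmp` against a missing file returns non-zero, the `sops --set` then runs with whatever `jq -sR` produced, and `git commit -am` / `git push` publish the result to the repository that holds the wildcard certificate and key. `pkgs.writeShellApplication` supplies the bash shebang, strict mode and a shellcheck pass; once the exact-match check has passed `"$SSH_ORIGINAL_COMMAND"` can be invoked directly instead of through `eval`; and the commit should be skipped when `git diff --quiet` reports no change so strict mode does not abort on an empty commit. Under `set -u` the comparison has to tolerate an unset `SSH_ORIGINAL_COMMAND`, since a plain ssh login (no TTY, no command) still reaches the script. The rest of the hunk is unchanged.
```nix
  update-cert = pkgs.writeShellApplication {
    name = "update-cert";
    runtimeInputs = with pkgs; [ git openssh sops diffutils jq ];
    # writeShellApplication adds the bash shebang and `set -euo pipefail`
    text = ''
      cd ${config.users.users."cert-store".home}
      # … unchanged: removal of nixos-conf and ./-.vsinerva.fi …

      if [[ "''${SSH_ORIGINAL_COMMAND:-}" == "${pkgs.openssh}/libexec/sftp-server" ]]; then
        "$SSH_ORIGINAL_COMMAND"
      fi

      # … unchanged: SOPS/GIT env, clone, sops extract, cp, cmp / sops --set …

      if ! git diff --quiet; then
        git commit -am "Automatically updated wildcard cert"
        git push
      fi
      # … unchanged: final cleanup …
    '';
  };
```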
@@ -0,0 +1,65 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ cfg = config.custom.forgejoRunner;
+in
+{
+ options.custom.forgejoRunner.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ sops.secrets.forgejo-token = {
+ sopsFile = ../../secrets/ci.yaml;
+ restartUnits = [ "gitea-runner-forgejo.sinerva.eu.service" ];
+ };
+
+ networking.firewall.trustedInterfaces = [ "br-+" ];
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances.default = {
+ enable = true;
+ name = "ci.sinerva.eu";
+ url = "https://forgejo.sinerva.eu";
+ tokenFile = config.sops.secrets.forgejo-token.path;
+ labels = [
+ "ubuntu-24.04-lts:docker://ubuntu:24.04"
+ "ubuntu-22.04:docker://node:24-bullseye"
+ "nixos-latest:docker://nixos/nix"
+ ];
+ settings = {
+ container = {
+ network = "";
+ enable_ipv6 = true;
+ };
+ };
+ };
+ };
+
+ virtualisation.docker = {
+ enable = true;
+ daemon.settings = {
+ fixed-cidr-v6 = "fd72:23ed:7025::/64";
+ ipv6 = true;
+ ip6tables = true;
+ experimental = true;
+ default-address-pools = [
+ {
+ base = "172.30.0.0/16";
+ size = 24;
+ }
+ {
+ base = "fd4e:cdc2:4c34::/64";
+ size = 96;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
new file mode 100644
index 0000000..f812135
--- /dev/null
+++ b/modules/services/forgejo.nix
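Review bot: `networking.firewall.trustedInterfaces = [ "br-+" ]` exempts every Docker bridge from the host firewall, so a CI job running in one of these containers can reach any port the host listens on, not just what is deliberately exposed; the jobs come from `forgejo.sinerva.eu`, so the trust boundary becomes that instance's user base rather than the host's firewall policy. If the containers only need a few host services, `networking.firewall.interfaces."br-+".allowedTCPPorts = [ <ports> ];` (or a dedicated network in `settings.container.network`) narrows this; otherwise a comment stating why full trust is required would make the choice reviewable. The label `"ubuntu-22.04:docker://node:24-bullseye"` maps an Ubuntu label to a Debian bullseye image, which will surprise workflows that select it expecting Ubuntu; either use a matching image or add a comment explaining the mapping.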
@@ -0,0 +1,78 @@
+{ config, lib, ... }:
+let
+ cfg = config.custom.forgejo;
+in
+{
+ options.custom.forgejo.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ config = lib.mkIf cfg.enable {
+ custom = {
+ nginxHttpsServer.enable = true;
+ acmeHttpClient.enable = true;
+ };
+
+ environment.persistence."/persist".directories = [
+ {
+ directory = config.services.forgejo.stateDir;
+ user = config.services.forgejo.user;
+ group = config.services.forgejo.group;
+ mode = "u=rwx,g=,o=";
+ }
+ ];
+
+ sops.secrets.smtp-pass = {
+ sopsFile = ../../secrets/forgejo.yaml;
+ restartUnits = [ "forgejo.service" ];
+ };
+
+ services = {
+ forgejo = {
+ enable = true;
+ lfs.enable = true;
+
+ secrets.mailer.PASSWD = config.sops.secrets.smtp-pass.path;
+ settings = {
+ DEFAULT.APP_NAME = "Forgejo for Vili Sinervä";
+ repository = {
+ ENABLE_PUSH_CREATE_USER = true;
+ ENABLE_PUSH_CREATE_ORG = true;
+ DEFAULT_REPO_UNITS = "repo.code,repo.releases";
+ };
+ ui.DEFAULT_SHOW_FULL_NAME = true;
+ "ui.meta".AUTHOR = "Forgeo, hosted by Vili Sinervä";
+ server = {
+ DOMAIN = "forgejo.sinerva.eu";
+ HTTP_ADDR = "::1";
+ HTTP_PORT = 8000;
+ ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}";
+ };
+ service = {
+ DISABLE_REGISTRATION = true; # Disable for initial setup
+ ENABLE_NOTIFY_MAIL = true;
+ };
+ session.COOKIE_SECURE = true;
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "smtp.gmail.com";
+ SMTP_PORT = 587;
+ USER = "vmsskv12@gmail.com"; # Password set in file
+ FROM = "forgejo@sinerva.eu";
+ ENVELOPE_FROM = "forgejo@sinerva.eu";
+ };
+ cron = {
+ ENABLED = true;
+ RUN_AT_START = true;
+ };
+ time.DEFAULT_UI_LOCATION = "Europe/Helsinki";
+ };
+ };
+
+ nginx.virtualHosts.${config.services.forgejo.settings.server.DOMAIN}.locations."/" = {
+ proxyPass = "http://localhost:8000";
+ };
+ };
+ };
+}
diff --git a/modules/services/gaming-server.nix b/modules/services/gaming-server.nix
new file mode 100644
index 0000000..e929c05
--- /dev/null
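Review bot: `HTTP_ADDR = "::1"` binds Forgejo to the IPv6 loopback only, while nginx's `proxyPass = "http://localhost:8000"` resolves `localhost` at startup; where that resolves to 127.0.0.1 first, nginx logs failed connects before falling over to ::1. `proxyPass = "http://[::1]:${toString config.services.forgejo.settings.server.HTTP_PORT}";` names the address Forgejo actually listens on and removes the second hard-coded 8000. The user-visible `"ui.meta".AUTHOR = "Forgeo, hosted by Vili Sinervä"` looks like a typo for "Forgejo".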
+++ b/modules/services/gaming-server.nix @@ -0,0 +1,99 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.custom.gamingServer; +in +{ + options.custom.gamingServer.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + systemd.tmpfiles.settings."vili-home" = { + "/home/vili".d = { + user = "vili"; + group = "users"; + mode = "0700"; + }; + "/home/vili/.local".d = { + user = "vili"; + group = "users"; + mode = "0755"; + }; + "/home/vili/.local/share".d = { + user = "vili"; + group = "users"; + mode = "0755"; + }; + }; + environment.persistence."/persist" = { + users.vili = { + directories = [ + { + directory = ".cache"; + mode = "u=rwx,g=rx,o=rx"; + } + { + directory = ".local/share/feral-interactive"; + mode = "u=rwx,g=rx,o=rx"; + } + ".local/share/Steam" + { + directory = ".local/share/vulkan"; + mode = "u=rwx,g=rx,o=rx"; + } + ]; + }; + }; + + sops.secrets = { + sunshine-state = { + sopsFile = ../../secrets/gaming.yaml; + owner = config.users.users."vili".name; + }; + sunshine-cakey = { + sopsFile = ../../secrets/gaming.yaml; + owner = config.users.users."vili".name; + }; + sunshine-cacert = { + sopsFile = ../../secrets/gaming.yaml; + owner = config.users.users."vili".name; + }; + }; + + programs.steam = { + enable = true; + extraCompatPackages = with pkgs; [ proton-ge-bin ]; + }; + + services.sunshine = { + enable = true; + autoStart = true; + openFirewall = true; + settings = { + sunshine_name = "NixOS"; + address_family = "both"; + credentials_file = config.sops.secrets.sunshine-state.path; + pkey = config.sops.secrets.sunshine-cakey.path; + cert = config.sops.secrets.sunshine-cacert.path; + file_state = config.sops.secrets.sunshine-state.path; + }; + applications = { + env = { + PATH = "$(PATH):$(HOME)/.local/bin"; + }; + apps = [ + { + name = "Desktop"; + image-path = "desktop.png"; + } + ]; + }; + }; + }; +} 
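Review bot: `credentials_file` and `file_state` both point at `config.sops.secrets.sunshine-state.path`, and sops-nix places secrets in its tmpfs with a read-only mode (0400 by default); Sunshine writes pairing state and credentials back to these files at runtime, so pairing a new client or changing the password presumably fails or is lost on the next reboot — confirm against how the secret was seeded. If the intent is to seed the state once, copying the decrypted secret into a persisted, user-writable path in a `preStart` step and pointing `file_state` there keeps both the secret handling and Sunshine's runtime writes working; a comment on why the two settings share one file would help either way. `openFirewall = true` opens the Sunshine ports on every interface; if streaming is expected only over one network, `networking.firewall.interfaces.<if>.allowedTCPPorts` / `allowedUDPPorts` restricts the exposure.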
diff --git a/modules/services/hydra.nix b/modules/services/hydra.nix new file mode 100644 index 0000000..92e593c --- /dev/null +++ b/modules/services/hydra.nix 
@@ -0,0 +1,108 @@ +{ config, lib, ... }: +let + cfg = config.custom.hydra; + hydraDomain = "ci.sinerva.eu"; + cacheDomain = "cache.sinerva.eu"; +in +{ + options.custom.hydra.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + custom = { + nginxHttpsServer.enable = true; + acmeHttpClient.enable = true; + }; + + systemd.tmpfiles.settings."hydra-home"."/var/lib/hydra".d = { + user = "hydra"; + group = "hydra"; + mode = "0750"; + }; + environment.persistence."/persist" = { + directories = [ + { + directory = "/var/lib/postgresql"; + user = "postgresql"; + group = "postgresql"; + mode = "u=rwx,g=rx,o="; + } + ]; + files = [ "/var/lib/hydra/.db-created" ]; + }; + sops.secrets.priv-cache-key.sopsFile = ../../secrets/ci.yaml; + + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + + systemd.services.hydra-server = { + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + }; + + services = { + hydra = { + enable = true; + hydraURL = "https://${hydraDomain}"; + listenHost = "localhost"; + notificationSender = "hydra@sinerva.eu"; + port = 8080; + useSubstitutes = true; + extraConfig = '' + + enable = 1 + + ''; + }; + + nix-serve = { + enable = true; + bindAddress = "127.0.0.2"; + port = 8081; + secretKeyFile = config.sops.secrets.priv-cache-key.path; + }; + + nginx.virtualHosts = { + ${hydraDomain}.locations."/" = { + proxyPass = "http://localhost:8080"; + }; + ${cacheDomain}.locations."/" = { + proxyPass = "http://127.0.0.2:8081"; + }; + }; + }; + + nix = { + settings.allowed-uris = [ + "github:" + "git+https://github.com/" + "git+ssh://github.com/" + ]; + + buildMachines = [ + { + hostName = "localhost"; + protocol = null; + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + ]; + maxJobs = 6; + } + ]; + + gc = { + options = lib.mkForce "--delete-older-than 1d"; + dates = lib.mkForce "hourly"; + randomizedDelaySec 
= lib.mkForce "0"; + }; + }; + }; +} diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix new file mode 100644 index 0000000..e4d826c --- /dev/null +++ b/modules/services/nextcloud.nix 
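Review bot: The `extraConfig` block has lost its enclosing section name in this rendering (only `enable = 1` survives); if that section is Hydra's `<dynamicruncommand>`, it allows any jobset definition to run arbitrary commands on this host as the Hydra runner, so the block needs a comment naming who is permitted to create projects/jobsets and why that is acceptable. Second, `nix-serve` behind the public `${cacheDomain}` vhost serves and signs every path in this machine's Nix store, not only Hydra outputs, so anything built locally — including a derivation that accidentally embeds a secret — becomes downloadable; a comment such as `# nix-serve exposes the whole local store; never build secrets into derivations on this host` makes that contract explicit. `priv-cache-key` also lacks `restartUnits = [ "nix-serve.service" ];`, so a rotated signing key is only picked up after a manual restart.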
@@ -0,0 +1,128 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.custom.nextcloud; +in +{ + options.custom = { + nextcloud = { + enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + domain = lib.mkOption { + type = with lib.types; nullOr str; + default = null; + }; + collabora = { + enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + domain = lib.mkOption { + type = with lib.types; nullOr str; + default = null; + }; + }; + }; + }; + + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + { + custom = { + nginxHttpsServer.enable = true; + certStoreClient.enable = true; + }; + + environment.persistence."/persist".directories = [ + { + directory = config.services.nextcloud.home; + user = "nextcloud"; + group = "nextcloud"; + mode = "u=rwx,g=rx,o="; + } + ]; + sops.secrets.admin-pass.sopsFile = ../../secrets/nextcloud.yaml; + + services = { + nextcloud = { + package = pkgs.nextcloud31; + enable = true; + hostName = cfg.domain; + autoUpdateApps.enable = true; + https = true; + maxUploadSize = "512M"; # Default + config = { + dbtype = "sqlite"; + adminpassFile = config.sops.secrets.admin-pass.path; + }; + settings = { + overwriteprotocol = "https"; + default_phone_region = "FI"; + maintenance_window_start = 1; + }; + phpOptions = { + "opcache.interned_strings_buffer" = 32; + }; + }; + + nginx.virtualHosts.${config.services.nextcloud.hostName} = { }; + }; + } + ( + # Optional Collabora Client + lib.mkIf cfg.collabora.enable { + services = { + collabora-online = { + enable = true; + port = 9980; # default + settings = { + ssl = { + enable = false; + termination = true; + }; + + net = { + listen = "loopback"; + post_allow.host = [ + "127.0.0.1" + "::1" + ]; + }; + + storage.wopi = { + "@allow" = true; + host = [ config.services.nextcloud.hostName ] ++ config.services.nextcloud.settings.trusted_domains; + }; + + server_name = cfg.collabora.domain; + }; + }; + + 
nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = { + locations."/" = { + proxyPass = "http://localhost:${toString config.services.collabora-online.port}"; + proxyWebsockets = true; # collabora uses websockets + }; + }; + + nextcloud = { + appstoreEnable = true; + extraAppsEnable = true; + extraApps = with config.services.nextcloud.package.packages.apps; { + inherit + richdocuments + ; + }; + }; + }; + } + ) + ] + ); +} diff --git a/modules/services/siit-dc.nix b/modules/services/siit-dc.nix new file mode 100644 index 0000000..f389537 --- /dev/null +++ b/modules/services/siit-dc.nix @@ -0,0 +1,42 @@ +{ config, lib, ... }: +let + cfg = config.custom.siit; +in +{ + options.custom.siit.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + networking = { + jool = { + enable = true; + siit.default = { + global.pool6 = "2a01:4f9:c013:bd27:46::/96"; + + denylist4 = [ "157.180.86.116/32" ]; + + # Explicit address mappings + eamt = [ + { + # Cache/CI + "ipv6 prefix" = "${config.custom.guaPref}d2:be24:11ff:fe7f:f84c/128"; + "ipv4 prefix" = "95.217.30.123/32"; + } + { + # Forgejo + "ipv6 prefix" = "${config.custom.guaPref}d2:be24:11ff:feee:9c55/128"; + "ipv4 prefix" = "95.216.180.210/32"; + } + { + # Idacloud + "ipv6 prefix" = "${config.custom.guaPref}d3:be24:11ff:fece:7d63/128"; + "ipv4 prefix" = "95.217.26.243/32"; + } + ]; + }; + }; + }; + }; +} diff --git a/modules/services/syncthing.nix b/modules/services/syncthing.nix new file mode 100644 index 0000000..bc29c7d --- /dev/null +++ b/modules/services/syncthing.nix 
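Review bot: `sops.secrets.admin-pass` sets only `sopsFile`, so the decrypted file keeps sops-nix's defaults (root-owned, mode 0400), while `services.nextcloud.config.adminpassFile` must be readable by the `nextcloud` user during initial setup; unless another module overrides the defaults, add `owner = "nextcloud";` next to `sopsFile` (the gaming-server module in this same commit does this for its secrets). The Collabora settings are sound — `net.listen = "loopback"` keeps it behind nginx and `storage.wopi.host` limits WOPI callers to the Nextcloud host names — and deserve a one-line comment so nobody later widens `post_allow.host`. `dbtype = "sqlite"` is fine for a single user but Nextcloud does not support it for multi-user instances; recording that choice in a comment would help.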
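Review bot: `global.pool6` is a hard-coded `2a01:4f9:c013:bd27:46::/96` while every `eamt` entry derives its IPv6 prefix from `config.custom.guaPref`; if the pool lives under the same allocation, writing it as `"${config.custom.guaPref}46::/96"` (with whatever suffix applies) keeps the two from silently diverging when the prefix changes. The Idacloud entry uses `d3:` where the other two use `d2:`; worth confirming that is intentional rather than a typo, since a wrong EAMT mapping routes silently. A comment per entry naming the host/DNS record that owns each IPv4 literal (and the `denylist4` address) would make such mistakes easier to catch in review.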
@@ -0,0 +1,83 @@ +{ config, lib, ... }: +let + cfg = config.custom.syncthing; +in +{ + options.custom.syncthing.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + boot.kernel.sysctl."fs.inotify.max_user_watches" = 204800; + + services.syncthing = { + enable = true; + user = "vili"; + dataDir = config.users.users.${config.services.syncthing.user}.home; + + settings = { + defaults.ignores = [ + "/Projects/Programming" + ]; + + options = { + urAccepted = -1; + localAnnounceEnabled = false; + globalAnnounceEnabled = false; + natEnabled = false; + relaysEnabled = false; + }; + + devices = lib.mkMerge [ + { + "syncthing" = { + id = "J6GNM4Z-2TWASPT-3P3EW4V-KZEQYFF-TXL22QX-4YTZ3WO-WLM7GQ7-NUP66A4"; + addresses = [ "tcp://syncthing.vsinerva.fi:22000" ]; + }; + } + (lib.mkIf (config.networking.hostName == "syncthing") { + "helium" = { + id = "2MRUBSY-NHXYMAW-SY22RHP-CNNMHKR-DPDKMM4-2XV5F6M-6KSNLQI-DD4EOAM"; + addresses = [ "tcp://helium.vsinerva.fi:22000" ]; + }; + "lithium" = { + id = "S4ZORDV-QBY7QC7-FQHADMZ-NQSKJUA-7B7LQNS-CWJLSMG-JPMN7YJ-OVRDZQA"; + addresses = [ "tcp://lithium.vsinerva.fi:22000" ]; + }; + }) + ]; + + folders = + let + default = { + devices = lib.mkMerge [ + [ "syncthing" ] + (lib.mkIf (config.networking.hostName == "syncthing") [ + "helium" + "lithium" + ]) + ]; + versioning = { + type = "trashcan"; + params.cleanoutDays = "30"; + }; + fsWatcherDelayS = 1; + }; + in + { + "~/Documents" = default; + "~/Music" = default; + "~/Pictures" = default; + "~/Projects" = default; + "~/School" = default; + "~/Videos" = default; + "~/Zotero" = default; + }; + }; + + #TCP/UDP 22000 for transfers and UDP 21027 for discovery + openDefaultPorts = true; + }; + }; +} diff --git a/modules/services/utils/acme-http-client.nix b/modules/services/utils/acme-http-client.nix new file mode 100644 index 0000000..d445d92 --- /dev/null +++ b/modules/services/utils/acme-http-client.nix 
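Review bot: `openDefaultPorts = true` opens UDP 21027 for local discovery in addition to TCP/UDP 22000, but `localAnnounceEnabled = false` (and `globalAnnounceEnabled = false`, with every device given a fixed `tcp://` address) means that port is never used; open only the transfer port instead: `networking.firewall = { allowedTCPPorts = [ 22000 ]; allowedUDPPorts = [ 22000 ]; };` and drop `openDefaultPorts`. With relays and NAT traversal also off this is a pleasingly minimal exposure, and a comment stating that peers are reached only via the explicit addresses would document the intent. Nothing here sets `guiAddress` or a GUI password, so the module default (localhost:8384, unauthenticated) applies; acceptable on a single-user machine, but any local process under another account can reach it, so note it.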
@@ -0,0 +1,42 @@ +{ config, lib, ... }: +let + cfg = config.custom.acmeHttpClient; +in +{ + options = { + custom.acmeHttpClient.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + services.nginx.virtualHosts = lib.mkOption { + type = lib.types.attrsOf ( + lib.types.submodule { + config = lib.mkIf cfg.enable ( + lib.mkDefault { + enableACME = true; + } + ); + } + ); + }; + }; + + config = lib.mkIf cfg.enable { + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/acme"; + user = "acme"; + group = "acme"; + mode = "u=rwx,g=rx,o=rx"; + } + ]; + + networking.firewall.allowedTCPPorts = [ 80 ]; + + security.acme = { + acceptTerms = true; + defaults.email = "vili.m.sinerva@gmail.com"; + }; + }; +} diff --git a/modules/services/utils/cert-store-client.nix b/modules/services/utils/cert-store-client.nix new file mode 100644 index 0000000..d5536fa --- /dev/null +++ b/modules/services/utils/cert-store-client.nix @@ -0,0 +1,44 @@ +{ config, lib, ... }: +let + cfg = config.custom.certStoreClient; +in +{ + options = { + custom.certStoreClient.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + services.nginx.virtualHosts = lib.mkOption { + type = lib.types.attrsOf ( + lib.types.submodule { + config = lib.mkIf cfg.enable ( + lib.mkDefault { + sslCertificate = config.sops.secrets.cert-fullchain.path; + sslCertificateKey = config.sops.secrets.cert-key.path; + } + ); + } + ); + }; + }; + + config = lib.mkIf cfg.enable { + sops = { + secrets = { + cert-fullchain = { + sopsFile = ../../../secrets/cert.yaml; + restartUnits = [ "nginx.service" ]; + owner = config.services.nginx.user; + group = config.services.nginx.user; + }; + cert-key = { + sopsFile = ../../../secrets/cert.yaml; + restartUnits = [ "nginx.service" ]; + owner = config.services.nginx.user; + group = config.services.nginx.user; + }; + }; + }; + }; +} 
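Review bot: The persisted `/var/lib/acme` directory is given `o=rx`, wider than the other state directories in this commit (`/var/lib/postgresql` and `/var/lib/vaultwarden` use `o=`), and it is the tree holding the ACME account key and every certificate's private key; the per-certificate subdirectories are what actually protect the keys, so this is not a leak by itself, but `mode = "u=rwx,g=rx,o=";` costs nothing since nginx reads certificates via the `acme` group. The `services.nginx.virtualHosts` submodule default also turns on `enableACME` for every vhost declared on a host with this module, including any internal or loopback-only name, which would produce failing HTTP-01 orders that count against Let's Encrypt rate limits; a comment such as `# every vhost on this host gets a public ACME certificate; use certStoreClient for internal names` would record the constraint.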
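Review bot: Both secrets set `group = config.services.nginx.user;`, i.e. the nginx user name is used as a group name; this only works because NixOS defaults both to `nginx` and breaks silently if `services.nginx.group` is ever changed — use `group = config.services.nginx.group;` in both places. The split into separate 0400 nginx-owned `cert-fullchain`/`cert-key` secrets with `restartUnits` is otherwise sound. Since the `-.vsinerva.fi` directory in the deleted `servers/acme-cert-store.nix` below suggests this is a wildcard certificate, a comment noting that the same private key is distributed to every certStoreClient host, so compromise of any one of them exposes all vhosts under that name, would capture the trust boundary.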
diff --git a/modules/services/utils/nginx-https-server.nix b/modules/services/utils/nginx-https-server.nix
new file mode 100644
index 0000000..77420d6
--- /dev/null
+++ b/modules/services/utils/nginx-https-server.nix
@@ -0,0 +1,36 @@
+{ config, lib, ... }:
+let
+ cfg = config.custom.nginxHttpsServer;
+in
+{
+ options = {
+ custom.nginxHttpsServer.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+
+ services.nginx.virtualHosts = lib.mkOption {
+ type = lib.types.attrsOf (
+ lib.types.submodule {
+ config = lib.mkIf cfg.enable (
+ lib.mkDefault {
+ forceSSL = true;
+ kTLS = true;
+ }
+ );
+ }
+ );
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 443 ];
+
+ services.nginx = {
+ enable = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ };
+ };
+}
diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
new file mode 100644
index 0000000..280938e
--- /dev/null
+++ b/modules/services/vaultwarden.nix
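Review bot: No default vhost is declared, so nginx answers requests for unknown `Host`/SNI names (for example a scan against the bare IP) with the alphabetically first vhost, which on the hosts in this commit is a real application sitting behind the shared certificate; add a catch-all in the `config` block, e.g. `services.nginx.virtualHosts."_" = { default = true; rejectSSL = true; };`, so unknown names get a rejected handshake instead. `recommendedTlsSettings` hardens protocols and ciphers but, on current nixpkgs, does not emit `Strict-Transport-Security`; since every vhost is `forceSSL`, adding an HSTS `add_header` to the submodule default is a cheap win (confirm the nixpkgs revision in use does not already add it).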
@@ -0,0 +1,83 @@ +{ config, lib, ... }: +let + cfg = config.custom.vaultwarden; +in +{ + options.custom.vaultwarden.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + custom = { + nginxHttpsServer.enable = true; + certStoreClient.enable = true; + }; + + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/vaultwarden"; + user = "vaultwarden"; + group = "vaultwarden"; + mode = "u=rwx,g=,o="; + } + ]; + + sops = { + secrets = { + smtp-pass = { + sopsFile = ../../secrets/vaultwarden.yaml; + restartUnits = [ "vaultwarden.service" ]; + }; + admin-token = { + sopsFile = ../../secrets/vaultwarden.yaml; + restartUnits = [ "vaultwarden.service" ]; + }; + }; + + templates."vaultwarden.env" = { + owner = "vaultwarden"; + content = '' + SMTP_FROM=vmsskv12@gmail.com + SMTP_USERNAME=vmsskv12@gmail.com + SMTP_PASSWORD=${config.sops.placeholder.smtp-pass} + ADMIN_TOKEN=${config.sops.placeholder.admin-token} + ''; + }; + }; + + services = { + vaultwarden = { + enable = true; + environmentFile = config.sops.templates."vaultwarden.env".path; + config = { + DOMAIN = "https://vaultwarden.vsinerva.fi"; + LOGIN_RATELIMIT_MAX_BURST = 10; + LOGIN_RATELIMIT_SECONDS = 60; + ADMIN_RATELIMIT_MAX_BURST = 10; + ADMIN_RATELIMIT_SECONDS = 60; + SENDS_ALLOWED = true; + EMERGENCY_ACCESS_ALLOWED = true; + WEB_VAULT_ENABLED = true; + SIGNUPS_ALLOWED = true; + SIGNUPS_VERIFY = true; + SIGNUPS_VERIFY_RESEND_TIME = 3600; + SIGNUPS_VERIFY_RESEND_LIMIT = 5; + SMTP_HOST = "smtp.gmail.com"; + SMTP_FROM_NAME = "Vaultwarden"; + SMTP_SECURITY = "starttls"; + SMTP_PORT = 587; + SMTP_AUTH_MECHANISM = "Login"; + }; + }; + + nginx = { + virtualHosts."vaultwarden.vsinerva.fi" = { + locations."/" = { + proxyPass = "http://localhost:8000"; + }; + }; + }; + }; + }; +} diff --git a/modules/users/vili.nix b/modules/users/vili.nix new file mode 100644 index 0000000..a1c2769 --- /dev/null +++ b/modules/users/vili.nix 
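Review bot: `SIGNUPS_ALLOWED = true` on an instance exposed through the public `vaultwarden.vsinerva.fi` vhost lets anyone with an e-mail address create a vault on this server; `SIGNUPS_VERIFY` only makes them confirm that address. For a personal server set `SIGNUPS_ALLOWED = false;` and enrol users by invitation from the admin panel, or at least gate registration with `SIGNUPS_DOMAINS_WHITELIST`. `ADMIN_TOKEN` is injected as the raw token in the env template; vaultwarden accepts an Argon2 PHC string generated with `vaultwarden hash`, which keeps the plaintext out of both the environment file and the sops template. The nginx location also lacks `proxyWebsockets = true;`, so on vaultwarden versions that serve `/notifications/hub` on the main port, live sync between clients will not work.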
@@ -0,0 +1,45 @@ +{ config, lib, ... }: +let + cfg = config.custom.users.vili; +in +{ + options.custom.users.vili.enable = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + config = lib.mkIf cfg.enable { + sops.secrets = + lib.mkIf + (builtins.elem config.networking.hostName [ + "helium" + "lithium" + ]) + { + vili-password = { + sopsFile = ../../secrets/${config.networking.hostName}/vili.yaml; + neededForUsers = true; + }; + }; + + users.users.vili = { + isNormalUser = true; + home = "/home/vili"; + description = "Vili Sinervä"; + uid = 1000; + extraGroups = [ + "wheel" + "networkmanager" + "audio" + ]; + openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys; + hashedPasswordFile = + if builtins.hasAttr "vili-password" config.sops.secrets then + config.sops.secrets.vili-password.path + else + null; + }; + + users.groups.vili.gid = 1000; + }; +} diff --git a/personal/desktop.nix b/personal/desktop.nix deleted file mode 100644 index 9385863..0000000 --- a/personal/desktop.nix +++ /dev/null 
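Review bot: `users.groups.vili.gid = 1000` declares a group that nothing uses: `users.users.vili` never sets `group = "vili"`, so the account keeps the `users` default (which the gaming-server tmpfiles rules in this commit also assume); either add `group = "vili";` and update those rules, or drop the group. `openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;` couples the two accounts — every key that may log in as root may also log in as vili, who is in `wheel` — and a comment stating that this is deliberate would help future reviewers. Note that on hosts other than helium/lithium `hashedPasswordFile` resolves to null, so sudo from `wheel` depends on whatever PAM setup the host provides (the deleted `personal/programs/bitwarden.nix` below used `pam.rssh` for this); worth a comment at the `hashedPasswordFile` expression.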
@@ -1,49 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ - ./programs/symlinked/symlinks.nix - ../shared/users/vili.nix - ]; - - environment.systemPackages = with pkgs; [ - alacritty - vlc - flameshot - speedcrunch - ]; - - services = { - displayManager = { - autoLogin.enable = true; - autoLogin.user = "vili"; - }; - xserver = { - enable = true; - displayManager = { - lightdm.enable = true; - sessionCommands = ''${pkgs.xorg.xrdb}/bin/xrdb -merge < ${ - (import ./programs/embedded/xresources.nix { inherit pkgs; }) - }''; - }; - }; - - pipewire.enable = false; - pulseaudio.enable = true; - }; - nixpkgs.config.pulseaudio = true; - - security.polkit.enable = true; - - xdg.mime.defaultApplications = { - "application/pdf" = "org.gnome.Evince.desktop"; - "text/plain" = "org.xfce.mousepad.desktop"; - "text/x-tex" = "org.kde.kile.desktop"; - "inode/directory" = "pcmanfm.description"; - }; - - qt = { - enable = true; - style = "adwaita-dark"; - platformTheme = "gnome"; - }; -} diff --git a/personal/development.nix b/personal/development.nix deleted file mode 100644 index b18ef62..0000000 --- a/personal/development.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -{ pkgs, lib, ... }: -{ - imports = [ ./programs/embedded/nvim.nix ]; - - #################### Git configuration #################### - programs.git = { - enable = true; - lfs.enable = true; - config = { - user = { - email = "vili.m.sinerva@gmail.com"; - name = "Vili Sinervä"; - signingkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV"; - }; - merge = { - ff = "true"; - }; - pull = { - ff = "only"; - }; - commit = { - verbose = "true"; - }; - gpg.format = "ssh"; - commit.gpgsign = "true"; - }; - }; - - #################### Packages #################### - environment.systemPackages = with pkgs; [ - nixfmt-rfc-style - nixd - - vagrant - nmap - metasploit - armitage - ]; - virtualisation.virtualbox.host.enable = true; - virtualisation.virtualbox.host.addNetworkInterface = false; - users.extraGroups.vboxusers.members = [ "vili" ]; - - fonts.packages = builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts); -} diff --git a/personal/hardware/amd-laptop.nix b/personal/hardware/amd-laptop.nix deleted file mode 100644 index 73560d5..0000000 --- a/personal/hardware/amd-laptop.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: -{ - environment.systemPackages = with pkgs; [ zenmonitor ]; - - hardware.graphics = { - enable = true; - enable32Bit = true; - extraPackages = with pkgs; [ rocmPackages.clr.icd ]; - }; - - hardware.amdgpu.initrd.enable = true; - - services = { - xserver = lib.mkIf config.services.xserver.enable { - videoDrivers = [ "modesetting" ]; - deviceSection = '' - Option "DRI" "2" - Option "TearFree" "true" - ''; - }; - - tlp = { - enable = true; - settings = { - CPU_SCALING_GOVERNOR_ON_AC = "performance"; - CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; - - CPU_ENERGY_PERF_POLICY_ON_BAT = "power"; - CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; - - CPU_MIN_PERF_ON_AC = 0; - CPU_MAX_PERF_ON_AC = 100; - CPU_MIN_PERF_ON_BAT = 0; - CPU_MAX_PERF_ON_BAT = 40; - - #Optional helps save long term battery health - START_CHARGE_THRESH_BAT0 = 60; # 60 and bellow it starts to charge - STOP_CHARGE_THRESH_BAT0 = 80; # 80 and above it stops charging - - }; - }; - - logind.lidSwitch = if config.boot.resumeDevice != "" then "hibernate" else "suspend"; - }; -} diff --git a/personal/hardware/hibernate.nix b/personal/hardware/hibernate.nix deleted file mode 100644 index e79a68e..0000000 --- a/personal/hardware/hibernate.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, ... }: -{ - swapDevices = [ - { - device = "/var/lib/swapfile"; - size = 16 * 1024; - } - ]; - - boot = { - resumeDevice = lib.mkDefault "/dev/mapper/nixos"; - }; -} diff --git a/personal/hardware/intel-laptop.nix b/personal/hardware/intel-laptop.nix deleted file mode 100644 index 4e0fa9d..0000000 --- a/personal/hardware/intel-laptop.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ config, pkgs, ... }: -{ - hardware.graphics = { - extraPackages = with pkgs; [ - intel-media-driver - intel-compute-runtime - ]; - }; - - services = { - tlp = { - enable = true; - settings = { - CPU_SCALING_GOVERNOR_ON_AC = "performance"; - CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; - - CPU_ENERGY_PERF_POLICY_ON_BAT = "power"; - CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; - - CPU_MIN_PERF_ON_AC = 0; - CPU_MAX_PERF_ON_AC = 100; - CPU_MIN_PERF_ON_BAT = 0; - CPU_MAX_PERF_ON_BAT = 40; - - #Optional helps save long term battery health - START_CHARGE_THRESH_BAT0 = 60; # 60 and bellow it starts to charge - STOP_CHARGE_THRESH_BAT0 = 80; # 80 and above it stops charging - - }; - }; - - logind.lidSwitch = if config.boot.resumeDevice != "" then "hibernate" else "suspend"; - }; -} diff --git a/personal/hardware/keychron-q11.nix b/personal/hardware/keychron-q11.nix deleted file mode 100644 index e29926b..0000000 --- a/personal/hardware/keychron-q11.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, pkgs, ... }: -{ - environment.systemPackages = with pkgs; if config.services.xserver.enable then [ via ] else [ ]; - - # Keychron Q11 - services.udev.extraRules = '' - KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="3434", ATTRS{idProduct}=="01e0", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl" - ''; -} diff --git a/personal/hardware/onlykey.nix b/personal/hardware/onlykey.nix deleted file mode 100644 index 4aa184d..0000000 --- a/personal/hardware/onlykey.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - (onlykey.override (prev: { - node_webkit = prev.node_webkit.overrideAttrs { - version = "0.71.1"; - src = fetchurl { - url = "https://dl.nwjs.io/v0.71.1/nwjs-v0.71.1-linux-x64.tar.gz"; - hash = "sha256-bnObpwfJ6SNJdOvzWTnh515JMcadH1+fxx5W9e4gl/4="; - }; - }; - })) - - onlykey-cli - ]; - - hardware.onlykey.enable = true; -} 
diff --git a/personal/hardware/trackball.nix b/personal/hardware/trackball.nix deleted file mode 100644 index 3035958..0000000 --- a/personal/hardware/trackball.nix +++ /dev/null @@ -1,74 +0,0 @@ -{ ... }: -{ - nixpkgs.overlays = [ - (final: prev: { - moonlight-qt = prev.moonlight-qt.overrideAttrs (old: { - patches = (old.patches or [ ]) ++ [ ./moonlight-trackball-accel.patch ]; - }); - }) - ]; - - hardware.logitech.wireless = { - enable = true; - enableGraphical = true; - }; - - services.libinput.mouse = { - accelProfile = "custom"; - accelStepMotion = 5.0e-2; - accelPointsMotion = [ - 0.0 - 2.0e-2 - 4.0e-2 - 6.0e-2 - 8.0e-2 - 0.1 - 0.12 - 0.14 - 0.16 - 0.18 - 0.2 - 0.2525 - 0.31 - 0.3725 - 0.44 - 0.5125 - 0.59 - 0.6725 - 0.76 - 0.8525 - 0.95 - 1.155 - 1.37 - 1.595 - 1.83 - 2.075 - 2.33 - 2.595 - 2.87 - 3.155 - 3.45 - 3.755 - 4.07 - 4.395 - 4.73 - 5.075 - 5.43 - 5.795 - 6.17 - 6.555 - 6.95 - 7.355 - 7.77 - 8.195 - 8.63 - 9.075 - 9.53 - 9.995 - 10.47 - 10.955 - 11.45 - 11.95 - ]; - }; -} diff --git a/personal/networking/home-wg.nix b/personal/networking/home-wg.nix deleted file mode 100644 index 7893d93..0000000 --- a/personal/networking/home-wg.nix +++ /dev/null 
@@ -1,64 +0,0 @@ -{ config, lib, ... }: -{ - options.custom.home_wg_suffix = lib.mkOption { - type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$"); - default = null; - description = "IPv6 GUA Suffix for Home WireGuard config"; - }; - - config = - let - host = config.networking.hostName; - in - { - sops = { - secrets = { - priv-home-wg = { - sopsFile = ../../secrets/${host}/home-wg.yaml; - restartUnits = [ "wg-quick-wg0.service" ]; - }; - psk-home-wg = { - sopsFile = ../../secrets/${host}/home-wg.yaml; - restartUnits = [ "wg-quick-wg0.service" ]; - }; - }; - }; - - networking = { - wg-quick.interfaces = { - wg0 = { - autostart = true; - address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ]; - dns = [ - "${config.custom.gua_pref}ff::1" - "vsinerva.fi" - ]; - privateKeyFile = config.sops.secrets.priv-home-wg.path; - listenPort = 51820; - - peers = [ - { - publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34="; - presharedKeyFile = config.sops.secrets.psk-home-wg.path; - allowedIPs = [ "::/0" ]; - endpoint = "home.vsinerva.fi:51820"; - } - ]; - }; - }; - }; - - services.clatd.settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}"; - - systemd.services = { - "wg-quick-wg0" = { - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; - }; - clatd = { - wants = [ "wg-quick-wg0.service" ]; - after = [ "wg-quick-wg0.service" ]; - }; - }; - }; -} diff --git a/personal/networking/printing.nix b/personal/networking/printing.nix deleted file mode 100644 index a3bb01b..0000000 --- a/personal/networking/printing.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: -{ - programs.i3lock.enable = true; - services = { - printing.enable = true; - avahi = { - enable = true; - nssmdns4 = true; - openFirewall = true; - }; - }; -} diff --git a/personal/programs/bitwarden.nix b/personal/programs/bitwarden.nix deleted file mode 100644 index 1a9e90d..0000000 
--- a/personal/programs/bitwarden.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - bitwarden - bitwarden-cli - ]; - - programs.zsh.interactiveShellInit = "export SSH_AUTH_SOCK=/home/vili/.bitwarden-ssh-agent.sock"; - security = { - pam = { - rssh.enable = true; - services = { - sudo.rssh = true; - }; - }; - sudo.execWheelOnly = true; - }; - - # We need SSH for the sudo, but generally don't want it open on machines with Bitwarden client - services.openssh.openFirewall = false; -} diff --git a/personal/programs/communication.nix b/personal/programs/communication.nix deleted file mode 100644 index f092628..0000000 --- a/personal/programs/communication.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - telegram-desktop - signal-desktop - discord - ]; -} diff --git a/personal/programs/embedded/nvim.nix b/personal/programs/embedded/nvim.nix deleted file mode 100644 index fbdd0d3..0000000 --- a/personal/programs/embedded/nvim.nix +++ /dev/null 
@@ -1,230 +0,0 @@ -{ nixvim, ... }: -{ - imports = [ nixvim.nixosModules.nixvim ]; - - programs.nixvim = { - enable = true; - defaultEditor = true; - vimAlias = false; - colorschemes.vscode.enable = true; - - globals.mapleader = " "; - - opts = { - colorcolumn = "100"; - cursorline = true; - number = true; - showcmd = true; - signcolumn = "yes"; - - scrolloff = 16; - shiftwidth = 3; - tabstop = 3; - }; - - keymaps = [ - { - key = "T"; - action = "Neotree"; - options.desc = "Open Neotree"; - } - { - mode = [ - "i" - "v" - ]; - key = ""; - action = ""; - options.desc = "Exit To Normal Mode"; - } - { - key = "b"; - action = "Gitsigns toggle_current_line_blame"; - options.desc = "Toggle Current Line Git Blame"; - } - ]; - - plugins = { - fugitive.enable = true; - gitsigns = { - enable = true; - settings = { - current_line_blame_opts.delay = 100; - numhl = true; - }; - }; - lualine.enable = true; - markdown-preview.enable = true; - neo-tree = { - enable = true; - buffers.followCurrentFile = { - enabled = true; - leaveDirsOpen = true; - }; - }; - nix.enable = true; - rainbow-delimiters.enable = true; - sleuth.enable = true; - tmux-navigator = { - enable = true; - settings.no_mappings = 1; - keymaps = [ - { - key = ""; - action = "left"; - options.desc = "Tmux Left"; - } - { - key = ""; - action = "down"; - options.desc = "Tmux Down"; - } - { - key = ""; - action = "up"; - options.desc = "Tmux Up"; - } - { - key = ""; - action = "right"; - options.desc = "Tmux Right"; - } - ]; - }; - treesitter = { - enable = true; - folding = true; - settings.indent.enable = true; - nixGrammars = true; - }; - web-devicons.enable = true; - which-key = { - enable = true; - settings.delay.__raw = '' - function(ctx) - return ctx.plugin and 0 or 500 - end - ''; - }; - - cmp = { - enable = true; - settings = { - sources = [ - { name = "vim-vsnip"; } - { name = "vim-lsp-signature-help"; } - { name = "nvim-lsp"; } - { name = "treesitter"; } - { name = "buffer"; } - ]; - mapping = { - "" = 
"cmp.mapping.complete()"; - "" = "cmp.mapping.close()"; - "" = "cmp.mapping.confirm({ select = true })"; - "" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})"; - "" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})"; - }; - }; - }; - friendly-snippets.enable = true; - nvim-autopairs.enable = true; - - lsp = { - enable = true; - inlayHints = true; - keymaps = { - diagnostic = { - "dj" = { - action = "goto_next"; - desc = "Next Diagnostic"; - }; - "dk" = { - action = "goto_prev"; - desc = "Previous Diagnostic"; - }; - "dh" = { - action = "open_float"; - desc = "Line Diagnostics"; - }; - }; - lspBuf = { - "gd" = { - action = "definition"; - desc = "Goto Definition"; - }; - "gr" = { - action = "references"; - desc = "Goto References"; - }; - "gD" = { - action = "declaration"; - desc = "Goto Declaration"; - }; - "gi" = { - action = "implementation"; - desc = "Goto Implementation"; - }; - "gt" = { - action = "type_definition"; - desc = "Type Definition"; - }; - "s" = { - action = "workspace_symbol"; - desc = "Search Symbol"; - }; - "r" = { - action = "rename"; - desc = "Rename Symbol"; - }; - "a" = { - action = "code_action"; - desc = "Code Action"; - }; - H = { - action = "hover"; - desc = "Hover"; - }; - }; - extra = [ - { - action = "lua vim.lsp.inlay_hint.enable(not vim.lsp.inlay_hint.is_enabled())"; - key = "h"; - options.desc = "Toggle LSP Inlay Hints"; - } - ]; - }; - servers = { - clangd.enable = true; - cmake.enable = true; - dockerls.enable = true; - docker_compose_language_service.enable = true; - eslint.enable = true; - html.enable = true; - jsonls.enable = true; - nixd.enable = true; - pylsp.enable = true; - rust_analyzer = { - enable = true; - installCargo = false; - installRustc = false; - settings = { - completion = { - autoimport.enable = true; - autoself.enable = true; - fullFunctionSignatures.enable = true; - privateEditable.enable = true; - }; - diagnostics = { - styleLints.enable = true; - }; - hover.actions.references.enable = 
true; - }; - }; - yamlls.enable = true; - }; - }; - lsp-format.enable = true; - lsp-signature.enable = true; - }; - }; -} diff --git a/personal/programs/firefox.nix b/personal/programs/firefox.nix deleted file mode 100644 index f2813ae..0000000 --- a/personal/programs/firefox.nix +++ /dev/null 
@@ -1,177 +0,0 @@ -{ ... }: -let - lock-false = { - Value = false; - Status = "locked"; - }; - lock-true = { - Value = true; - Status = "locked"; - }; -in -{ - programs.firefox = { - enable = true; - - # AutoConfig used for preferences not supported via policies - autoConfig = '' - lockPref("full-screen-api.warning.timeout", 500) - lockPref("privacy.fingerprintingProtection", true) - lockPref("privacy.donottrackheader.enabled", true) - ''; - - # ---- POLICIES ---- - # Check about:policies#documentation for options. - policies = { - # ---- EXTENSIONS ---- - # Check about:support for extension/add-on ID strings. - # Valid strings for installation_mode are "allowed", "blocked", - # "force_installed" and "normal_installed". - ExtensionSettings = { - "*".installation_mode = "blocked"; - "{446900e4-71c2-419f-a6a7-df9c091e268b}" = { - install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi"; - installation_mode = "force_installed"; - }; - "jsr@javascriptrestrictor" = { - install_url = "https://addons.mozilla.org/firefox/downloads/latest/javascript-restrictor/latest.xpi"; - installation_mode = "force_installed"; - }; - }; - - AutofillAddressEnabled = false; - AutofillCreditCardEnabled = false; - DisableFirefoxStudies = true; - DisableFormHistory = true; - DisablePocket = true; - DisableSecurityBypass = false; - DisableTelemetry = true; - DisplayBookmarksToolbar = "always"; # alternatives: "always" or "newtab" - DisplayMenuBar = "default-off"; # alternatives: "always", "never" or "default-on" - DontCheckDefaultBrowser = true; - DownloadDirectory = "\${home}/Downloads"; - EnableTrackingProtection = { - Value = true; - Locked = true; - Cryptomining = true; - Fingerprinting = true; - EmailTracking = true; - }; - FirefoxHome = { - Locked = true; - Search = true; - TopSites = true; - SponsoredTopSites = false; - Highlights = false; - Pocket = false; - SponsoredPocket = false; - }; - FirefoxSuggest = { - Locked = true; - 
WebSuggestions = false; - SponsoredSuggestions = false; - ImproveSuggest = false; - }; - HardwareAccelerations = true; - Homepage = { - Locked = true; - URL = "https://www.duckduckgo.com/"; - StartPage = "previous-session"; - }; - HttpsOnlyMode = "force_enabled"; - NetworkPrediction = false; - NoDefaultBookmarks = true; - OverrideFirstRunPage = ""; - OverridePostUpdatePage = ""; - PasswordManagerEnabled = false; - Permissions = { - Camera = { - Allow = [ ]; - Block = [ ]; - BlockNewRequests = false; - Locked = true; - }; - Microphone = { - Allow = [ ]; - Block = [ ]; - BlockNewRequests = false; - Locked = true; - }; - Location = { - Allow = [ ]; - Block = [ ]; - BlockNewRequests = false; - Locked = true; - }; - Notifications = { - Allow = [ ]; - Block = [ ]; - BlockNewRequests = false; - Locked = true; - }; - Autoplay = { - Allow = [ ]; - Block = [ ]; - BlockNewRequests = false; - Default = "block-audio-video"; - Locked = true; - }; - }; - PictureInPicture = { - Enabled = true; - Locked = true; - }; - PopupBlocking = { - Allow = [ ]; - Default = true; - Locked = true; - }; - PostQuantumKeyAgreementEnabled = true; - PrimaryPassword = false; - PrintingEnabled = true; - PromptForDownloadLocation = false; - RequestedLocales = [ "en-US" ]; - SearchBar = "unified"; # alternative: "separate" - SearchEngines.PreventInstalls = true; - SearchSuggestEnabled = false; - UserMessaging = { - Locked = true; - ExtensionRecommendations = true; - FeatureRecommendations = false; - UrlbarInterventions = false; - SkipOnboarding = true; - MoreFromMozilla = false; - }; - UseSystemPrintDialog = true; - - # ---- PREFERENCES ---- - # Check about:config for options. 
- Preferences = { - "browser.contentblocking.category" = { - Value = "strict"; - Status = "locked"; - }; - "browser.safebrowsing.downloads.enabled" = lock-true; - "browser.safebrowsing.downloads.remote.block_potentially_unwanted" = lock-true; - "browser.safebrowsing.downloads.remote.block_uncommon" = lock-true; - "browser.safebrowsing.malware.enabled" = lock-true; - "browser.safebrowsing.phishing.enabled" = lock-true; - "browser.crashReports.unsubmittedCheck.autoSubmit2" = lock-false; - "browser.topsites.contile.enabled" = lock-false; - "browser.translations.automaticallyPopup" = lock-false; - "dom.private-attribution.submission.enabled" = lock-false; - "media.ffmpeg.vaapi.enabled" = lock-true; - "privacy.globalprivacycontrol.enabled" = lock-true; - "xpinstall.whitelist.required" = lock-true; - "network.trr.mode" = { - Value = 0; - Status = "locked"; - }; - "security.OCSP.enabled" = { - Value = 1; - Status = "locked"; - }; - }; - }; - }; -} diff --git a/personal/programs/i3.nix b/personal/programs/i3.nix deleted file mode 100644 index 3806dda..0000000 --- a/personal/programs/i3.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - i3status - rofi - arandr - pavucontrol - viewnior - xfce.mousepad - pcmanfm - evince - brightnessctl - networkmanagerapplet - ]; - - programs.i3lock.enable = true; - - services = { - displayManager = { - defaultSession = "none+i3"; - }; - xserver.windowManager.i3 = { - enable = true; - extraPackages = [ ]; - configFile = "${(import ./embedded/i3-conf.nix { inherit pkgs; })}"; - }; - }; -} diff --git a/personal/programs/moonlight.nix b/personal/programs/moonlight.nix deleted file mode 100644 index 87244f0..0000000 --- a/personal/programs/moonlight.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - moonlight-qt - ]; -} diff --git a/personal/programs/redshift.nix b/personal/programs/redshift.nix deleted file mode 100644 index e0bb66d..0000000 
--- a/personal/programs/redshift.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ ... }: -{ - services.redshift = { - executable = "/bin/redshift-gtk"; - enable = true; - temperature = { - night = 2800; - day = 6500; - }; - brightness = { - night = "0.5"; - day = "1"; - }; - }; - - location = { - latitude = 60.17; - longitude = 24.94; - }; -} diff --git a/personal/programs/study.nix b/personal/programs/study.nix deleted file mode 100644 index e77f59f..0000000 --- a/personal/programs/study.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - libreoffice - zotero - kile - texliveFull - imagemagick - ghostscript - kdePackages.okular - ]; -} diff --git a/personal/programs/symlinked/symlinks.nix b/personal/programs/symlinked/symlinks.nix deleted file mode 100644 index b723402..0000000 --- a/personal/programs/symlinked/symlinks.nix +++ /dev/null 
@@ -1,54 +0,0 @@
-{ ... }:
-{
- system.userActivationScripts.mkDesktopSettingsSymlinks.text =
- let
- home = "/home/vili/";
- paths = [
- rec {
- dir = "${home}.config/pcmanfm/default/";
- file = "pcmanfm.conf";
- full = "${dir}${file}";
- source = "${./pcmanfm.conf}";
- }
- rec {
- dir = "${home}.config/libfm/";
- file = "libfm.conf";
- full = "${dir}${file}";
- source = "${./libfm.conf}";
- }
- rec {
- dir = "${home}.config/gtk-3.0/";
- file = "bookmarks";
- full = "${dir}${file}";
- source = "${./gtk-bookmarks}";
- }
- rec {
- dir = "${home}";
- file = ".gtkrc-2.0";
- full = "${dir}${file}";
- source = "${./gtkrc-2.0}";
- }
- rec {
- dir = "${home}.config/gtk-3.0/";
- file = "settings.ini";
- full = "${dir}${file}";
- source = "${./gtk-3-4-settings.ini}";
- }
- rec {
- dir = "${home}.config/gtk-4.0/";
- file = "settings.ini";
- full = "${dir}${file}";
- source = "${./gtk-3-4-settings.ini}";
- }
- ];
- in
- toString (
- map (path: ''
- mkdir -p ${path.dir}
- if test -e ${path.full} -a ! -L ${path.full}; then
- mv -f ${path.full} ${path.full}.old
- fi
- ln -sf ${path.source} ${path.full}
- '') paths
- );
-}
diff --git a/personal/programs/usb-automount.nix b/personal/programs/usb-automount.nix
deleted file mode 100644
index fa6d0d1..0000000
--- a/personal/programs/usb-automount.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ ... }:
-{
- services = {
- devmon.enable = true;
- gvfs.enable = true;
- udisks2.enable = true;
- };
-}
diff --git a/servers/acme-cert-store.nix b/servers/acme-cert-store.nix
deleted file mode 100644
index 36ed984..0000000
--- a/servers/acme-cert-store.nix
+++ /dev/null
@@ -1,91 +0,0 @@
-{ config, pkgs, ... }:
-let
- update-cert = pkgs.writeScriptBin "update-cert" ''
- cd ${config.users.users."cert-store".home}
-
- rm -rf nixos-conf
- rm -rf ./-.vsinerva.fi
-
- if [[ $SSH_ORIGINAL_COMMAND == ${pkgs.openssh}/libexec/sftp-server ]]; then
- eval "$SSH_ORIGINAL_COMMAND"
- fi
-
- export SOPS_AGE_KEY_FILE='${config.sops.secrets.cert-age-key.path}'
- export GIT_SSH_COMMAND='ssh -i ${config.sops.secrets.forgejo-deploy-key.path} -o IdentitiesOnly=yes'
-
- git clone ssh://forgejo@forgejo.sinerva.eu/VSinerva/nixos-conf.git
- cd nixos-conf
-
- ${pkgs.sops}/bin/sops -d --extract '["cert-fullchain"]' --output old-fullchain secrets/cert.yaml
- ${pkgs.sops}/bin/sops -d --extract '["cert-key"]' --output old-key secrets/cert.yaml
-
- cp ${config.users.users."cert-store".home}/-.vsinerva.fi/fullchain.pem ./new-fullchain
- cp ${config.users.users."cert-store".home}/-.vsinerva.fi/key.pem ./new-key
-
- if ! ${pkgs.diffutils}/bin/cmp new-fullchain old-fullchain; then
- ${pkgs.sops}/bin/sops --set "[\"cert-fullchain\"] $(${pkgs.jq}/bin/jq -sR < new-fullchain)" secrets/cert.yaml
- fi
-
- if ! ${pkgs.diffutils}/bin/cmp new-key old-key; then
- ${pkgs.sops}/bin/sops --set "[\"cert-key\"] $(${pkgs.jq}/bin/jq -sR < new-key)" secrets/cert.yaml
- fi
-
- git commit -am "Automatically updated wildcard cert"
- git push
- cd ${config.users.users."cert-store".home}
- rm -rf nixos-conf
- rm -rf ./-.vsinerva.fi
- '';
-in
-{
- sops = {
- secrets = {
- forgejo-deploy-key = {
- sopsFile = ../secrets/cert-store.yaml;
- owner = config.users.users."cert-store".name;
- };
- cert-age-key = {
- sopsFile = ../secrets/cert-store.yaml;
- owner = config.users.users."cert-store".name;
- };
- };
- };
-
- systemd.tmpfiles.settings."cert-store-home"."/home/cert-store".d = {
- user = "cert-store";
- group = "users";
- mode = "0700";
- };
- users.users."cert-store" = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
- ];
- };
-
- services.openssh.knownHosts."forgejo.sinerva.eu".publicKey =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";
-
- environment.systemPackages = [ update-cert ];
-
- programs.git = {
- enable = true;
- config = {
- user = {
- email = "vili.m.sinerva@gmail.com";
- name = "Vili Sinervä";
- };
- };
- };
-
- services.openssh.extraConfig = ''
- Match User cert-store
- AllowAgentForwarding no
- AllowTcpForwarding no
- PermitTTY no
- PermitTunnel no
- X11Forwarding no
- ForceCommand ${update-cert}/bin/update-cert
- Match All
- '';
-}
diff --git a/servers/forgejo-runner.nix b/servers/forgejo-runner.nix
deleted file mode 100644
index 169ece8..0000000
--- a/servers/forgejo-runner.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ config, pkgs, ... }:
-{
- sops.secrets.forgejo-token = {
- sopsFile = ../secrets/ci.yaml;
- restartUnits = [ "gitea-runner-forgejo.sinerva.eu.service" ];
- };
-
- networking.firewall.trustedInterfaces = [ "br-+" ];
-
- services.gitea-actions-runner = {
- package = pkgs.forgejo-runner;
- instances.default = {
- enable = true;
- name = "ci.sinerva.eu";
- url = "https://forgejo.sinerva.eu";
- tokenFile = config.sops.secrets.forgejo-token.path;
- labels = [
- "ubuntu-24.04-lts:docker://ubuntu:24.04"
- "ubuntu-22.04:docker://node:24-bullseye"
- "nixos-latest:docker://nixos/nix"
- ];
- settings = {
- container = {
- network = "";
- enable_ipv6 = true;
- };
- };
- };
- };
-
- virtualisation.docker = {
- enable = true;
- daemon.settings = {
- fixed-cidr-v6 = "fd72:23ed:7025::/64";
- ipv6 = true;
- ip6tables = true;
- experimental = true;
- default-address-pools = [
- {
- base = "172.30.0.0/16";
- size = 24;
- }
- {
- base = "fd4e:cdc2:4c34::/64";
- size = 96;
- }
- ];
- };
- };
-}
diff --git a/servers/forgejo.nix b/servers/forgejo.nix
deleted file mode 100644
index a21ca2a..0000000
--- a/servers/forgejo.nix
+++ /dev/null
@@ -1,68 +0,0 @@
-{ config, ... }:
-{
- imports = [
- ./utils/nginx-https-server.nix
- ./utils/acme-http-client.nix
- ];
-
- environment.persistence."/persist".directories = [
- {
- directory = config.services.forgejo.stateDir;
- user = config.services.forgejo.user;
- group = config.services.forgejo.group;
- mode = "u=rwx,g=,o=";
- }
- ];
-
- sops.secrets.smtp-pass = {
- sopsFile = ../secrets/forgejo.yaml;
- restartUnits = [ "forgejo.service" ];
- };
-
- services = {
- forgejo = {
- enable = true;
- lfs.enable = true;
-
- secrets.mailer.PASSWD = config.sops.secrets.smtp-pass.path;
- settings = {
- DEFAULT.APP_NAME = "Forgejo for Vili Sinervä";
- repository = {
- ENABLE_PUSH_CREATE_USER = true;
- ENABLE_PUSH_CREATE_ORG = true;
- DEFAULT_REPO_UNITS = "repo.code,repo.releases";
- };
- ui.DEFAULT_SHOW_FULL_NAME = true;
- "ui.meta".AUTHOR = "Forgeo, hosted by Vili Sinervä";
- server = {
- DOMAIN = "forgejo.sinerva.eu";
- HTTP_ADDR = "::1";
- HTTP_PORT = 8000;
- ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}";
- };
- service = {
- DISABLE_REGISTRATION = true; # Disable for initial setup
- ENABLE_NOTIFY_MAIL = true;
- };
- session.COOKIE_SECURE = true;
- mailer = {
- ENABLED = true;
- SMTP_ADDR = "smtp.gmail.com";
- SMTP_PORT = 587;
- USER = "vmsskv12@gmail.com"; # Password set in file
- FROM = "forgejo@sinerva.eu";
- ENVELOPE_FROM = "forgejo@sinerva.eu";
- };
- cron = {
- ENABLED = true;
- RUN_AT_START = true;
- };
- time.DEFAULT_UI_LOCATION = "Europe/Helsinki";
- };
- };
-
- nginx.virtualHosts.${config.services.forgejo.settings.server.DOMAIN}.locations."/" = {
- proxyPass = "http://localhost:8000";
- };
- };
-}
diff --git a/servers/gaming-server.nix b/servers/gaming-server.nix
deleted file mode 100644
index a1f8887..0000000
--- a/servers/gaming-server.nix
+++ /dev/null
@@ -1,85 +0,0 @@
-{ config, pkgs, ... }:
-{
- systemd.tmpfiles.settings."vili-home" = {
- "/home/vili".d = {
- user = "vili";
- group = "users";
- mode = "0700";
- };
- "/home/vili/.local".d = {
- user = "vili";
- group = "users";
- mode = "0755";
- };
- "/home/vili/.local/share".d = {
- user = "vili";
- group = "users";
- mode = "0755";
- };
- };
- environment.persistence."/persist" = {
- users.vili = {
- directories = [
- {
- directory = ".cache";
- mode = "u=rwx,g=rx,o=rx";
- }
- {
- directory = ".local/share/feral-interactive";
- mode = "u=rwx,g=rx,o=rx";
- }
- ".local/share/Steam"
- {
- directory = ".local/share/vulkan";
- mode = "u=rwx,g=rx,o=rx";
- }
- ];
- };
- };
-
- sops.secrets = {
- sunshine-state = {
- sopsFile = ../secrets/gaming.yaml;
- owner = config.users.users."vili".name;
- };
- sunshine-cakey = {
- sopsFile = ../secrets/gaming.yaml;
- owner = config.users.users."vili".name;
- };
- sunshine-cacert = {
- sopsFile = ../secrets/gaming.yaml;
- owner = config.users.users."vili".name;
- };
- };
-
- programs.steam = {
- enable = true;
- extraCompatPackages = with pkgs; [ proton-ge-bin ];
- };
-
- services.sunshine = {
- enable = true;
- autoStart = true;
- openFirewall = true;
- settings = {
- sunshine_name = "NixOS";
- address_family = "both";
- credentials_file = config.sops.secrets.sunshine-state.path;
- pkey = config.sops.secrets.sunshine-cakey.path;
- cert = config.sops.secrets.sunshine-cacert.path;
- file_state = config.sops.secrets.sunshine-state.path;
- };
- applications = {
- env = {
- PATH = "$(PATH):$(HOME)/.local/bin";
- };
- apps = [
- {
- name = "Desktop";
- image-path = "desktop.png";
- }
- ];
- };
- };
-
-}
diff --git a/servers/hydra.nix b/servers/hydra.nix
deleted file mode 100644
index 8cd588c..0000000
--- a/servers/hydra.nix
+++ /dev/null
@@ -1,100 +0,0 @@
-{ config, lib, ... }:
-let
- hydra_domain = "ci.sinerva.eu";
- cache_domain = "cache.sinerva.eu";
-in
-{
- imports = [
- ./utils/nginx-https-server.nix
- ./utils/acme-http-client.nix
- ];
-
- systemd.tmpfiles.settings."hydra-home"."/var/lib/hydra".d = {
- user = "hydra";
- group = "hydra";
- mode = "0750";
- };
- environment.persistence."/persist" = {
- directories = [
- {
- directory = "/var/lib/postgresql";
- user = "postgresql";
- group = "postgresql";
- mode = "u=rwx,g=rx,o=";
- }
- ];
- files = [ "/var/lib/hydra/.db-created" ];
- };
- sops.secrets.priv-cache-key.sopsFile = ../secrets/ci.yaml;
-
- boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-
- systemd.services.hydra-server = {
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- };
-
- services = {
- hydra = {
- enable = true;
- hydraURL = "https://${hydra_domain}";
- listenHost = "localhost";
- notificationSender = "hydra@sinerva.eu";
- port = 8080;
- useSubstitutes = true;
- extraConfig = ''
-
- enable = 1
-
- '';
- };
-
- nix-serve = {
- enable = true;
- bindAddress = "127.0.0.2";
- port = 8081;
- secretKeyFile = config.sops.secrets.priv-cache-key.path;
- };
-
- nginx.virtualHosts = {
- ${hydra_domain}.locations."/" = {
- proxyPass = "http://localhost:8080";
- };
- ${cache_domain}.locations."/" = {
- proxyPass = "http://127.0.0.2:8081";
- };
- };
- };
-
- nix = {
- settings.allowed-uris = [
- "github:"
- "git+https://github.com/"
- "git+ssh://github.com/"
- ];
-
- buildMachines = [
- {
- hostName = "localhost";
- protocol = null;
- systems = [
- "x86_64-linux"
- "aarch64-linux"
- ];
- supportedFeatures = [
- "kvm"
- "nixos-test"
- "big-parallel"
- "benchmark"
- ];
- maxJobs = 6;
- }
- ];
-
- gc = {
- options = lib.mkForce "--delete-older-than 1d";
- dates = lib.mkForce "hourly";
- randomizedDelaySec = lib.mkForce "0";
- };
- };
-}
diff --git a/servers/nextcloud.nix b/servers/nextcloud.nix
deleted file mode 100644
index da07b66..0000000
--- a/servers/nextcloud.nix
+++ /dev/null
@@ -1,113 +0,0 @@
-{
- config,
- pkgs,
- lib,
- ...
-}:
-{
- imports = [
- ./utils/nginx-https-server.nix
- ./utils/cert-store-client.nix
- ];
-
- options.custom = {
- nextcloud_domain = lib.mkOption {
- type = lib.types.str;
- description = "Domain used by Nextcloud";
- };
-
- collabora_domain = lib.mkOption {
- type = with lib.types; nullOr str;
- default = null;
- description = "Domain used by Collabora Online";
- };
- };
-
- config = lib.mkMerge [
- {
- environment.persistence."/persist".directories = [
- {
- directory = config.services.nextcloud.home;
- user = "nextcloud";
- group = "nextcloud";
- mode = "u=rwx,g=rx,o=";
- }
- ];
- sops.secrets.admin-pass.sopsFile = ../secrets/nextcloud.yaml;
-
- services = {
- nextcloud = {
- package = pkgs.nextcloud31;
- enable = true;
- hostName = config.custom.nextcloud_domain;
- autoUpdateApps.enable = true;
- https = true;
- maxUploadSize = "512M"; # Default
- config = {
- dbtype = "sqlite";
- adminpassFile = config.sops.secrets.admin-pass.path;
- };
- settings = {
- overwriteprotocol = "https";
- default_phone_region = "FI";
- maintenance_window_start = 1;
- };
- phpOptions = {
- "opcache.interned_strings_buffer" = 32;
- };
- };
-
- nginx.virtualHosts.${config.services.nextcloud.hostName} = { };
- };
- }
- (
- # Optional Collabora Client
- lib.mkIf (config.custom.collabora_domain != null) {
- services = {
- collabora-online = {
- enable = true;
- port = 9980; # default
- settings = {
- ssl = {
- enable = false;
- termination = true;
- };
-
- net = {
- listen = "loopback";
- post_allow.host = [
- "127.0.0.1"
- "::1"
- ];
- };
-
- storage.wopi = {
- "@allow" = true;
- host = [ config.services.nextcloud.hostName ] ++ config.services.nextcloud.settings.trusted_domains;
- };
-
- server_name = config.custom.collabora_domain;
- };
- };
-
- nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
- locations."/" = {
- proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
- proxyWebsockets = true; # collabora uses websockets
- };
- };
-
- nextcloud = {
- appstoreEnable = true;
- extraAppsEnable = true;
- extraApps = with config.services.nextcloud.package.packages.apps; {
- inherit
- richdocuments
- ;
- };
- };
- };
- }
- )
- ];
-}
diff --git a/servers/siit-dc.nix b/servers/siit-dc.nix
deleted file mode 100644
index defd722..0000000
--- a/servers/siit-dc.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ config, ... }:
-{
- networking = {
- jool = {
- enable = true;
- siit.default = {
- global.pool6 = "2a01:4f9:c013:bd27:46::/96";
-
- denylist4 = [ "157.180.86.116/32" ];
-
- # Explicit address mappings
- eamt = [
- {
- # Cache/CI
- "ipv6 prefix" = "${config.custom.gua_pref}d2:be24:11ff:fe7f:f84c/128";
- "ipv4 prefix" = "95.217.30.123/32";
- }
- {
- # Forgejo
- "ipv6 prefix" = "${config.custom.gua_pref}d2:be24:11ff:feee:9c55/128";
- "ipv4 prefix" = "95.216.180.210/32";
- }
- {
- # Idacloud
- "ipv6 prefix" = "${config.custom.gua_pref}d3:be24:11ff:fece:7d63/128";
- "ipv4 prefix" = "95.217.26.243/32";
- }
- ];
- };
- };
- };
-}
diff --git a/servers/syncthing.nix b/servers/syncthing.nix
deleted file mode 100644
index cbdcf8a..0000000
--- a/servers/syncthing.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-{ config, lib, ... }:
-{
- boot.kernel.sysctl."fs.inotify.max_user_watches" = 204800;
-
- services.syncthing = {
- enable = true;
- user = "vili";
- dataDir = config.users.users.${config.services.syncthing.user}.home;
-
- settings = {
- defaults.ignores = [
- "/Projects/Programming"
- ];
-
- options = {
- urAccepted = -1;
- localAnnounceEnabled = false;
- globalAnnounceEnabled = false;
- natEnabled = false;
- relaysEnabled = false;
- };
-
- devices = lib.mkMerge [
- {
- "syncthing" = {
- id = "J6GNM4Z-2TWASPT-3P3EW4V-KZEQYFF-TXL22QX-4YTZ3WO-WLM7GQ7-NUP66A4";
- addresses = [ "tcp://syncthing.vsinerva.fi:22000" ];
- };
- }
- (lib.mkIf (config.networking.hostName == "syncthing") {
- "helium" = {
- id = "2MRUBSY-NHXYMAW-SY22RHP-CNNMHKR-DPDKMM4-2XV5F6M-6KSNLQI-DD4EOAM";
- addresses = [ "tcp://helium.vsinerva.fi:22000" ];
- };
- "lithium" = {
- id = "S4ZORDV-QBY7QC7-FQHADMZ-NQSKJUA-7B7LQNS-CWJLSMG-JPMN7YJ-OVRDZQA";
- addresses = [ "tcp://lithium.vsinerva.fi:22000" ];
- };
- })
- ];
-
- folders =
- let
- default = {
- devices = lib.mkMerge [
- [ "syncthing" ]
- (lib.mkIf (config.networking.hostName == "syncthing") [
- "helium"
- "lithium"
- ])
- ];
- versioning = {
- type = "trashcan";
- params.cleanoutDays = "30";
- };
- fsWatcherDelayS = 1;
- };
- in
- {
- "~/Documents" = default;
- "~/Music" = default;
- "~/Pictures" = default;
- "~/Projects" = default;
- "~/School" = default;
- "~/Videos" = default;
- "~/Zotero" = default;
- };
- };
-
- #TCP/UDP 22000 for transfers and UDP 21027 for discovery
- openDefaultPorts = true;
- };
-}
diff --git a/servers/utils/acme-http-client.nix b/servers/utils/acme-http-client.nix
deleted file mode 100644
index 9231c2c..0000000
--- a/servers/utils/acme-http-client.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ lib, ... }:
-{
- options.services.nginx.virtualHosts = lib.mkOption {
- type = lib.types.attrsOf (
- lib.types.submodule {
- config = lib.mkDefault {
- enableACME = true;
- };
- }
- );
- };
-
- config = {
- environment.persistence."/persist".directories = [
- {
- directory = "/var/lib/acme";
- user = "acme";
- group = "acme";
- mode = "u=rwx,g=rx,o=rx";
- }
- ];
-
- networking.firewall.allowedTCPPorts = [ 80 ];
-
- security.acme = {
- acceptTerms = true;
- defaults.email = "vili.m.sinerva@gmail.com";
- };
- };
-}
diff --git a/servers/utils/cert-store-client.nix b/servers/utils/cert-store-client.nix
deleted file mode 100644
index 6bdf0e4..0000000
--- a/servers/utils/cert-store-client.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ config, lib, ... }:
-{
- options.services.nginx.virtualHosts = lib.mkOption {
- type = lib.types.attrsOf (
- lib.types.submodule {
- config = lib.mkDefault {
- sslCertificate = config.sops.secrets.cert-fullchain.path;
- sslCertificateKey = config.sops.secrets.cert-key.path;
- };
- }
- );
- };
-
- config = {
- sops = {
- secrets = {
- cert-fullchain = {
- sopsFile = ../../secrets/cert.yaml;
- restartUnits = [ "nginx.service" ];
- owner = config.services.nginx.user;
- group = config.services.nginx.user;
- };
- cert-key = {
- sopsFile = ../../secrets/cert.yaml;
- restartUnits = [ "nginx.service" ];
- owner = config.services.nginx.user;
- group = config.services.nginx.user;
- };
- };
- };
- };
-}
diff --git a/servers/utils/nginx-https-server.nix b/servers/utils/nginx-https-server.nix
deleted file mode 100644
index b41f500..0000000
--- a/servers/utils/nginx-https-server.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ lib, ... }:
-{
- options.services.nginx.virtualHosts = lib.mkOption {
- type = lib.types.attrsOf (
- lib.types.submodule {
- config = lib.mkDefault {
- forceSSL = true;
- kTLS = true;
- };
- }
- );
- };
-
- config = {
- networking.firewall.allowedTCPPorts = [ 443 ];
-
- services.nginx = {
- enable = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- recommendedProxySettings = true;
- };
- };
-}
diff --git a/servers/vaultwarden.nix b/servers/vaultwarden.nix
deleted file mode 100644
index 1635003..0000000
--- a/servers/vaultwarden.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-{ config, ... }:
-{
- imports = [
- ./utils/nginx-https-server.nix
- ./utils/cert-store-client.nix
- ];
-
- environment.persistence."/persist".directories = [
- {
- directory = "/var/lib/vaultwarden";
- user = "vaultwarden";
- group = "vaultwarden";
- mode = "u=rwx,g=,o=";
- }
- ];
-
- sops = {
- secrets = {
- smtp-pass = {
- sopsFile = ../secrets/vaultwarden.yaml;
- restartUnits = [ "vaultwarden.service" ];
- };
- admin-token = {
- sopsFile = ../secrets/vaultwarden.yaml;
- restartUnits = [ "vaultwarden.service" ];
- };
- };
-
- templates."vaultwarden.env" = {
- owner = "vaultwarden";
- content = ''
- SMTP_FROM=vmsskv12@gmail.com
- SMTP_USERNAME=vmsskv12@gmail.com
- SMTP_PASSWORD=${config.sops.placeholder.smtp-pass}
- ADMIN_TOKEN=${config.sops.placeholder.admin-token}
- '';
- };
- };
-
- services = {
- vaultwarden = {
- enable = true;
- environmentFile = config.sops.templates."vaultwarden.env".path;
- config = {
- DOMAIN = "https://vaultwarden.vsinerva.fi";
- LOGIN_RATELIMIT_MAX_BURST = 10;
- LOGIN_RATELIMIT_SECONDS = 60;
- ADMIN_RATELIMIT_MAX_BURST = 10;
- ADMIN_RATELIMIT_SECONDS = 60;
- SENDS_ALLOWED = true;
- EMERGENCY_ACCESS_ALLOWED = true;
- WEB_VAULT_ENABLED = true;
- SIGNUPS_ALLOWED = true;
- SIGNUPS_VERIFY = true;
- SIGNUPS_VERIFY_RESEND_TIME = 3600;
- SIGNUPS_VERIFY_RESEND_LIMIT = 5;
- SMTP_HOST = "smtp.gmail.com";
- SMTP_FROM_NAME = "Vaultwarden";
- SMTP_SECURITY = "starttls";
- SMTP_PORT = 587;
- SMTP_AUTH_MECHANISM = "Login";
- };
- };
-
- nginx = {
- virtualHosts."vaultwarden.vsinerva.fi" = {
- locations."/" = {
- proxyPass = "http://localhost:8000";
- };
- };
- };
- };
-}
diff --git a/shared/hardware/impermanence.nix b/shared/hardware/impermanence.nix
deleted file mode 100644
index 9d5b115..0000000
--- a/shared/hardware/impermanence.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{ lib, ... }:
-{
- # Default set of directories we always want to persist
- environment.persistence."/persist" = {
- enable = true;
- hideMounts = true;
-
- files = [
- "/etc/machine-id"
- "/etc/ssh/ssh_host_rsa_key"
- "/etc/ssh/ssh_host_ed25519_key"
- ];
-
- directories = [
- "/var/lib/systemd/timers"
- "/var/lib/nixos"
- "/var/log"
- ];
- };
-
- fileSystems."/persist".neededForBoot = true;
-
- services = {
- fstrim.interval = "daily";
- zfs = {
- autoScrub.enable = true;
- autoSnapshot = {
- enable = true;
- flags = "-k -p --utc";
- };
- trim.interval = "daily";
- };
- };
-
- boot.initrd.postResumeCommands = lib.mkAfter ''
- zfs rollback -r zroot/root@blank
- zfs rollback -r zroot/home@blank
- '';
-}
diff --git a/shared/hardware/nvidia.nix b/shared/hardware/nvidia.nix
deleted file mode 100644
index fd56e59..0000000
--- a/shared/hardware/nvidia.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ pkgs, ... }:
-{
- hardware = {
- nvidia = {
- open = true; # Set to false to use the proprietary kernel module
- forceFullCompositionPipeline = true;
- };
-
- graphics = {
- enable = true;
- extraPackages = with pkgs; [ nvidia-vaapi-driver ];
- };
- };
-
- services.xserver.videoDrivers = [ "nvidia" ];
- boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
-
- nixpkgs.config.cudaSupport = true;
- nix.settings = {
- substituters = [ "https://nix-community.cachix.org" ];
- trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
- };
-}
diff --git a/shared/hardware/vm.nix b/shared/hardware/vm.nix
deleted file mode 100644
index 7433547..0000000
--- a/shared/hardware/vm.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ lib, modulesPath, ... }:
-{
- services.qemuGuest.enable = true;
-
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "uhci_hcd"
- "ehci_pci"
- "ahci"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
- networking.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/shared/users/vili.nix b/shared/users/vili.nix
deleted file mode 100644
index 4d398b5..0000000
--- a/shared/users/vili.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ config, lib, ... }:
-{
- sops.secrets =
- lib.mkIf
- (builtins.elem config.networking.hostName [
- "helium"
- "lithium"
- ])
- {
- vili-password = {
- sopsFile = ../../secrets/${config.networking.hostName}/vili.yaml;
- neededForUsers = true;
- };
- };
-
- users.users.vili = {
- isNormalUser = true;
- home = "/home/vili";
- description = "Vili Sinervä";
- uid = 1000;
- extraGroups = [
- "wheel"
- "networkmanager"
- "audio"
- ];
- openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
- hashedPasswordFile =
- if builtins.hasAttr "vili-password" config.sops.secrets then
- config.sops.secrets.vili-password.path
- else
- null;
- };
-
- users.groups.vili.gid = 1000;
-}