VSinerva/nixos-conf
1
0
Fork 0
Code Activity Actions

Massive refactoring into module-based approach

Browse source
This commit is contained in:
Vili Sinervä 2025-07-06 01:16:28 +03:00
parent 8d5c9be5b6
commit 9652d7c330
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
118 changed files with 2586 additions and 2159 deletions
Download patch file Download diff file Expand all files Collapse all files

31
default.nix Normal file
View file

@ -0,0 +1,31 @@
{ lib, ... }:
with lib;
let
# Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
getDir =
dir:
mapAttrs (file: type: if type == "directory" then getDir "${dir}/${file}" else type) (
builtins.readDir dir
);
# Collects all files of a directory as a list of strings of paths
files =
dir: collect isString (mapAttrsRecursive (path: type: concatStringsSep "/" path) (getDir dir));
# Filters out directories that don't end with .nix or are this file or the flake, also makes the strings absolute
validFiles =
dir:
map (file: ./. + "/${file}") (
filter (
file:
hasSuffix ".nix" file
&& file != "default.nix"
&& file != "flake.nix"
&& !hasPrefix "hosts" file
&& !hasPrefix "disko" file
) (files dir)
);
in
{
imports = validFiles ./.;
}

0
shared/disko/hetzner-zfs-impermanence.nix → disko/hetzner-zfs-impermanence.nix
View file

0
shared/disko/zfs-impermanence.nix → disko/zfs-impermanence.nix
View file

19
flake.nix
View file

@ -32,9 +32,11 @@
nixosConfigurations =
(
let
x86_64-hosts = builtins.filter (file: file != "aarch64-linux") (
builtins.attrNames (builtins.readDir ./hosts)
);
x86_64-hosts =
with builtins;
(map (file: nixpkgs.lib.removeSuffix ".nix" file) (
filter (file: file != "aarch64-linux" && file != "installer") (attrNames (readDir ./hosts))
));
in
builtins.listToAttrs (
map (
@ -49,8 +51,8 @@
system = "x86_64-linux";
modules = [
{ networking.hostName = host; }
./hosts/${host}/configuration.nix
./hosts/${host}/state.nix
./default.nix
./hosts/${host}.nix
disko.nixosModules.disko
impermanence.nixosModules.impermanence
@ -63,7 +65,9 @@
)
// (
let
aarch64-linux-hosts = (builtins.attrNames (builtins.readDir ./hosts/aarch64-linux));
aarch64-linux-hosts =
with builtins;
(map (file: nixpkgs.lib.removeSuffix ".nix" file) (attrNames (readDir ./hosts/aarch64-linux)));
in
builtins.listToAttrs (
map (
@ -78,7 +82,8 @@
system = "aarch64-linux";
modules = [
{ networking.hostName = host; }
./hosts/aarch64-linux/${host}/configuration.nix
./default.nix
./hosts/aarch64-linux/${host}.nix
disko.nixosModules.disko
impermanence.nixosModules.impermanence

12
hosts/aarch64-linux/wg-rpi/configuration.nix → hosts/aarch64-linux/wg-rpi.nix
View file

@ -1,4 +1,8 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}:
let
# SSID = "ENTER_SSID";
# SSIDpassword = "ENTER_PASSWORD";
@ -7,14 +11,12 @@ let
hostname = "wg-rpi";
in
{
imports = [ ../../../shared/base.nix ];
sops.secrets = {
priv-netflix-wg = {
sopsFile = ../../../secrets/wg-rpi.yaml;
sopsFile = ../../secrets/wg-rpi.yaml;
restartUnits = [ "wg-quick-wg0.service" ];
};
dd-pass.sopsFile = ../../../secrets/wg-rpi.yaml;
dd-pass.sopsFile = ../../secrets/wg-rpi.yaml;
};
environment.systemPackages = with pkgs; [

12
hosts/cert-store.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
imports = [ ../disko/zfs-impermanence.nix ];
custom = {
impermanence.enable = true;
vm.enable = true;
certStoreServer.enable = true;
};
networking.hostId = "ba4814a6";
system.stateVersion = "24.11";
}

12
hosts/cert-store/configuration.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
imports = [
../../shared/base.nix
../../shared/disko/zfs-impermanence.nix
../../shared/hardware/impermanence.nix
../../shared/hardware/vm.nix
../../servers/acme-cert-store.nix
];
}

5
hosts/cert-store/state.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
networking.hostId = "ba4814a6";
system.stateVersion = "24.11";
}

13
hosts/ci.nix Normal file
View file

@ -0,0 +1,13 @@
{ ... }:
{
imports = [ ../disko/zfs-impermanence.nix ];
custom = {
impermanence.enable = true;
vm.enable = true;
forgejoRunner.enable = true;
hydra.enable = true;
};
networking.hostId = "45e785de";
system.stateVersion = "25.05";
}

13
hosts/ci/configuration.nix
View file

@ -1,13 +0,0 @@
{ ... }:
{
imports = [
../../shared/base.nix
../../shared/disko/zfs-impermanence.nix
../../shared/hardware/impermanence.nix
../../shared/hardware/vm.nix
../../servers/forgejo-runner.nix
../../servers/hydra.nix
];
}

5
hosts/ci/state.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
networking.hostId = "45e785de";
system.stateVersion = "25.05";
}

12
hosts/forgejo.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
imports = [ ../disko/zfs-impermanence.nix ];
custom = {
impermanence.enable = true;
vm.enable = true;
forgejo.enable = true;
};
networking.hostId = "b5b67528";
system.stateVersion = "25.05";
}

12
hosts/forgejo/configuration.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
imports = [
../../shared/base.nix
../../shared/disko/zfs-impermanence.nix
../../shared/hardware/impermanence.nix
../../shared/hardware/vm.nix
../../servers/forgejo.nix
];
}

5
hosts/forgejo/state.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
networking.hostId = "b5b67528";
system.stateVersion = "25.05";
}

15
hosts/gaming.nix Normal file
View file

@ -0,0 +1,15 @@
{ ... }:
{
imports = [ ../disko/zfs-impermanence.nix ];
custom = {
impermanence.enable = true;
vm.enable = true;
nvidia.enable = true;
desktop.enable = true;
i3.enable = true;
gamingServer.enable = true;
};
networking.hostId = "48434cbd";
system.stateVersion = "25.05";
}

16
hosts/gaming/configuration.nix
View file

@ -1,16 +0,0 @@
{ ... }:
{
imports = [
../../shared/base.nix
../../shared/disko/zfs-impermanence.nix
../../shared/hardware/impermanence.nix
../../shared/hardware/nvidia.nix
../../shared/hardware/vm.nix
../../personal/desktop.nix
../../personal/programs/i3.nix
../../servers/gaming-server.nix
];
}

5
hosts/gaming/state.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
networking.hostId = "48434cbd";
system.stateVersion = "25.05";
}

103
hosts/helium.nix Normal file
View file

@ -0,0 +1,103 @@
{
config,
pkgs,
lib,
...
}:
{
custom = {
desktop.enable = true;
development.enable = true;
amdLaptop.enable = true;
hibernate.enable = true;
keychron.enable = true;
onlykey.enable = true;
trackball.enable = true;
homeWg = {
enable = true;
guaSuffix = "2";
};
printing.enable = true;
bitwarden.enable = true;
communication.enable = true;
firefox.enable = true;
i3.enable = true;
moonlight.enable = true;
redshift.enable = true;
study.enable = true;
usbAutoMount.enable = true;
syncthing.enable = true;
};
custom = {
};
system.autoUpgrade.allowReboot = lib.mkForce false;
sops.secrets.priv-netflix-wg.sopsFile = ../secrets/helium/netflix-wg.yaml;
networking = {
wg-quick.interfaces = {
wg1 = {
autostart = false;
address = [ "10.100.0.7/24" ];
dns = [ "1.1.1.1" ];
privateKeyFile = config.sops.secrets.priv-netflix-wg.path;
listenPort = 51820;
peers = [
{
publicKey = "XSYHg0utIR1j7kRsWFwuWNo4RPD47KP53cVa6qDPtRE=";
allowedIPs = [
"0.0.0.0/0"
"192.168.0.0/24"
];
endpoint = "netflix.vsinerva.fi:51821";
}
];
};
};
};
services.xserver.displayManager.setupCommands = ''
${pkgs.xorg.xrandr}/bin/xrandr --output DP-1 --auto --pos 0x0 --primary --output eDP-1 --auto --pos 3840x360
'';
system.stateVersion = "23.11";
boot = {
resumeDevice = "/dev/mapper/luks-f6e1979b-0dee-4ee9-8170-10490019854b";
kernelParams = [ "resume_offset=44537856" ];
};
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/25115cdc-3b55-4dbf-a414-98a1a3c44f52";
fsType = "ext4";
};
boot.initrd.luks.devices."luks-f6e1979b-0dee-4ee9-8170-10490019854b".device =
"/dev/disk/by-uuid/f6e1979b-0dee-4ee9-8170-10490019854b";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/6E23-00AF";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.enableRedistributableFirmware = lib.mkDefault true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

66
hosts/helium/configuration.nix
View file

@ -1,66 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
custom.home_wg_suffix = "2";
system.autoUpgrade.allowReboot = lib.mkForce false;
sops.secrets.priv-netflix-wg.sopsFile = ../../secrets/helium/netflix-wg.yaml;
networking = {
wg-quick.interfaces = {
wg1 = {
autostart = false;
address = [ "10.100.0.7/24" ];
dns = [ "1.1.1.1" ];
privateKeyFile = config.sops.secrets.priv-netflix-wg.path;
listenPort = 51820;
peers = [
{
publicKey = "XSYHg0utIR1j7kRsWFwuWNo4RPD47KP53cVa6qDPtRE=";
allowedIPs = [
"0.0.0.0/0"
"192.168.0.0/24"
];
endpoint = "netflix.vsinerva.fi:51821";
}
];
};
};
};
services.xserver.displayManager.setupCommands = ''
${pkgs.xorg.xrandr}/bin/xrandr --output DP-1 --auto --pos 0x0 --primary --output eDP-1 --auto --pos 3840x360
'';
imports = [
../../shared/base.nix
../../personal/desktop.nix
../../personal/development.nix
../../personal/hardware/amd-laptop.nix
../../personal/hardware/hibernate.nix
../../personal/hardware/keychron-q11.nix
../../personal/hardware/onlykey.nix
../../personal/hardware/trackball.nix
../../personal/networking/home-wg.nix
../../personal/networking/printing.nix
../../personal/programs/bitwarden.nix
../../personal/programs/communication.nix
../../personal/programs/firefox.nix
../../personal/programs/i3.nix
../../personal/programs/moonlight.nix
../../personal/programs/redshift.nix
../../personal/programs/study.nix
../../personal/programs/usb-automount.nix
../../servers/syncthing.nix
];
}

50
hosts/helium/state.nix
View file

@ -1,50 +0,0 @@
{
config,
lib,
modulesPath,
...
}:
{
system.stateVersion = "23.11";
boot = {
resumeDevice = "/dev/mapper/luks-f6e1979b-0dee-4ee9-8170-10490019854b";
kernelParams = [ "resume_offset=44537856" ];
};
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/25115cdc-3b55-4dbf-a414-98a1a3c44f52";
fsType = "ext4";
};
boot.initrd.luks.devices."luks-f6e1979b-0dee-4ee9-8170-10490019854b".device =
"/dev/disk/by-uuid/f6e1979b-0dee-4ee9-8170-10490019854b";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/6E23-00AF";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

31
hosts/idacloud/configuration.nix → hosts/idacloud.nix
View file

@ -1,27 +1,30 @@
{ config, ... }:
{
custom.nextcloud_domain = "idacloud.sinerva.eu";
services.nextcloud.settings.trusted_domains = [ "idacloud.vsinerva.fi" ];
custom.collabora_domain = "idacollab.sinerva.eu";
imports = [ ../disko/zfs-impermanence.nix ];
imports = [
../../shared/base.nix
../../shared/disko/zfs-impermanence.nix
../../shared/hardware/impermanence.nix
../../shared/hardware/vm.nix
../../servers/nextcloud.nix
];
custom = {
impermanence.enable = true;
vm.enable = true;
nextcloud = {
enable = true;
domain = "idacloud.sinerva.eu";
collabora = {
enable = true;
domain = "idacollab.sinerva.eu";
};
};
};
networking.hostId = "43ce8e3f";
system.stateVersion = "25.05";
sops = {
secrets = {
priv-idacloud-wg = {
sopsFile = ../../secrets/idacloud.yaml;
sopsFile = ../secrets/idacloud.yaml;
restartUnits = [ "wg-quick-wg0.service" ];
};
psk-laptop-idacloud-wg = {
sopsFile = ../../secrets/idacloud.yaml;
sopsFile = ../secrets/idacloud.yaml;
restartUnits = [ "wg-quick-wg0.service" ];
};
};

5
hosts/idacloud/state.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
networking.hostId = "43ce8e3f";
system.stateVersion = "25.05";
}

1
hosts/installer/configuration.nix → hosts/installer.nix
View file

@ -1,7 +1,6 @@
{ nixpkgs-flake, lib, ... }:
{
imports = [
../../shared/base.nix
"${nixpkgs-flake}/nixos/modules/installer/cd-dvd/installation-cd-graphical-combined.nix"
];

1
hosts/installer/state.nix
View file

@ -1 +0,0 @@
{ }

36
hosts/lithium/state.nix → hosts/lithium.nix
View file

@ -1,15 +1,34 @@
{ config, lib, ... }:
{
config,
lib,
modulesPath,
...
}:
{
custom = {
desktop.enable = true;
development.enable = true;
hibernate.enable = true;
intelLaptop.enable = true;
keychron.enable = true;
onlykey.enable = true;
trackball.enable = true;
homeWg = {
enable = true;
guaSuffix = "3";
};
printing.enable = true;
bitwarden.enable = true;
communication.enable = true;
firefox.enable = true;
i3.enable = true;
moonlight.enable = true;
redshift.enable = true;
study.enable = true;
usbAutoMount.enable = true;
syncthing.enable = true;
};
system.autoUpgrade.allowReboot = lib.mkForce false;
system.stateVersion = "24.05";
boot.kernelParams = [ "resume_offset=39292928" ];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"xhci_pci"
"thunderbolt"
@ -41,5 +60,6 @@
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.enableRedistributableFirmware = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

30
hosts/lithium/configuration.nix
View file

@ -1,30 +0,0 @@
{ lib, ... }:
{
custom.home_wg_suffix = "3";
system.autoUpgrade.allowReboot = lib.mkForce false;
imports = [
../../shared/base.nix
../../personal/desktop.nix
../../personal/development.nix
../../personal/hardware/hibernate.nix
../../personal/hardware/intel-laptop.nix
../../personal/hardware/onlykey.nix
../../personal/networking/home-wg.nix
../../personal/networking/printing.nix
../../personal/programs/bitwarden.nix
../../personal/programs/communication.nix
../../personal/programs/firefox.nix
../../personal/programs/i3.nix
../../personal/programs/moonlight.nix
../../personal/programs/redshift.nix
../../personal/programs/study.nix
../../personal/programs/usb-automount.nix
../../servers/syncthing.nix
];
}

15
hosts/nextcloud.nix Normal file
View file

@ -0,0 +1,15 @@
{ ... }:
{
imports = [ ../disko/zfs-impermanence.nix ];
custom = {
impermanence.enable = true;
vm.enable = true;
nextcloud = {
enable = true;
domain = "nextcloud.vsinerva.fi";
};
};
networking.hostId = "ba0aeb92";
system.stateVersion = "25.05";
}

14
hosts/nextcloud/configuration.nix
View file

@ -1,14 +0,0 @@
{ ... }:
{
custom.nextcloud_domain = "nextcloud.vsinerva.fi";
imports = [
../../shared/base.nix
../../shared/disko/zfs-impermanence.nix
../../shared/hardware/impermanence.nix
../../shared/hardware/vm.nix
../../servers/nextcloud.nix
];
}

5
hosts/nextcloud/state.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
networking.hostId = "ba0aeb92";
system.stateVersion = "25.05";
}

7
hosts/siit-dc/state.nix → hosts/siit-dc.nix
View file

@ -1,5 +1,12 @@
{ lib, ... }:
{
imports = [ ../disko/hetzner-zfs-impermanence.nix ];
custom = {
impermanence.enable = true;
vm.enable = true;
siit.enable = true;
};
networking.hostId = "f1636fe0";
networking.networkmanager.enable = lib.mkForce false;
networking.useDHCP = false;

12
hosts/siit-dc/configuration.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
imports = [
../../shared/base.nix
../../shared/disko/hetzner-zfs-impermanence.nix
../../shared/hardware/impermanence.nix
../../shared/hardware/vm.nix
../../servers/siit-dc.nix
];
}

18
hosts/syncthing/state.nix → hosts/syncthing.nix
View file

@ -1,5 +1,21 @@
{ ... }:
{ lib, ... }:
{
custom = {
vm.enable = true;
users.vili.enable = true;
syncthing.enable = true;
};
swapDevices = [
{
device = "/var/lib/swapfile";
size = 2 * 1024;
}
];
users.users.vili.hashedPasswordFile = lib.mkForce null;
sops.secrets = lib.mkForce { };
system.stateVersion = "22.11";
fileSystems."/" = {

20
hosts/syncthing/configuration.nix
View file

@ -1,20 +0,0 @@
{ lib, ... }:
{
swapDevices = [
{
device = "/var/lib/swapfile";
size = 2 * 1024;
}
];
imports = [
../../shared/base.nix
../../shared/hardware/vm.nix
../../shared/users/vili.nix
../../servers/syncthing.nix
];
users.users.vili.hashedPasswordFile = lib.mkForce null;
sops.secrets = lib.mkForce { };
}

12
hosts/vaultwarden.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
imports = [ ../disko/zfs-impermanence.nix ];
custom = {
impermanence.enable = true;
vm.enable = true;
vaultwarden.enable = true;
};
networking.hostId = "2842298f";
system.stateVersion = "25.05";
}

12
hosts/vaultwarden/configuration.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
imports = [
../../shared/base.nix
../../shared/disko/zfs-impermanence.nix
../../shared/hardware/impermanence.nix
../../shared/hardware/vm.nix
../../servers/vaultwarden.nix
];
}

5
hosts/vaultwarden/state.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
networking.hostId = "2842298f";
system.stateVersion = "25.05";
}

16
shared/base.nix → modules/base.nix
View file

@ -5,14 +5,20 @@
...
}:
{
options.custom.gua_pref = lib.mkOption {
type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$");
default = null;
description = "IPv6 GUA Prefix to use in other confs";
options.custom = {
base.enable = lib.mkOption {
type = lib.types.bool;
default = true;
};
guaPref = lib.mkOption {
type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$");
default = null;
description = "IPv6 GUA Prefix to use in other confs";
};
};
config = {
custom.gua_pref = "2001:14ba:a090:39";
custom.guaPref = "2001:14ba:a090:39";
######################################## Packages ###############################################
environment.systemPackages = with pkgs; [

64
modules/desktop.nix Normal file
View file

@ -0,0 +1,64 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.desktop;
in
{
options.custom.desktop.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
custom = {
symlinks.enable = true;
users.vili.enable = true;
};
environment.systemPackages = with pkgs; [
alacritty
vlc
flameshot
speedcrunch
];
services = {
displayManager = {
autoLogin.enable = true;
autoLogin.user = "vili";
};
xserver = {
enable = true;
displayManager = {
lightdm.enable = true;
sessionCommands = ''${pkgs.xorg.xrdb}/bin/xrdb -merge < ${
(import ./programs/embedded/xresources.conf { inherit pkgs; })
}'';
};
};
pipewire.enable = false;
pulseaudio.enable = true;
};
nixpkgs.config.pulseaudio = true;
security.polkit.enable = true;
xdg.mime.defaultApplications = {
"application/pdf" = "org.gnome.Evince.desktop";
"text/plain" = "org.xfce.mousepad.desktop";
"text/x-tex" = "org.kde.kile.desktop";
"inode/directory" = "pcmanfm.description";
};
qt = {
enable = true;
style = "adwaita-dark";
platformTheme = "gnome";
};
};
}

59
modules/development.nix Normal file
View file

@ -0,0 +1,59 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.development;
in
{
options.custom.development.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
custom.nvim.enable = true;
#################### Git configuration ####################
programs.git = {
enable = true;
lfs.enable = true;
config = {
user = {
email = "vili.m.sinerva@gmail.com";
name = "Vili Sinervä";
signingkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
};
merge = {
ff = "true";
};
pull = {
ff = "only";
};
commit = {
verbose = "true";
};
gpg.format = "ssh";
commit.gpgsign = "true";
};
};
#################### Packages ####################
environment.systemPackages = with pkgs; [
nixfmt-rfc-style
nixd
vagrant
nmap
metasploit
armitage
];
virtualisation.virtualbox.host.enable = true;
virtualisation.virtualbox.host.addNetworkInterface = false;
users.extraGroups.vboxusers.members = [ "vili" ];
fonts.packages = builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts);
};
}

60
modules/hardware/amd-laptop.nix Normal file
View file

@ -0,0 +1,60 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.amdLaptop;
in
{
options.custom.amdLaptop.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [ zenmonitor ];
hardware.graphics = {
enable = true;
enable32Bit = true;
extraPackages = with pkgs; [ rocmPackages.clr.icd ];
};
hardware.amdgpu.initrd.enable = true;
services = {
xserver = lib.mkIf config.services.xserver.enable {
videoDrivers = [ "modesetting" ];
deviceSection = ''
Option "DRI" "2"
Option "TearFree" "true"
'';
};
tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_MIN_PERF_ON_AC = 0;
CPU_MAX_PERF_ON_AC = 100;
CPU_MIN_PERF_ON_BAT = 0;
CPU_MAX_PERF_ON_BAT = 40;
#Optional helps save long term battery health
START_CHARGE_THRESH_BAT0 = 60; # 60 and bellow it starts to charge
STOP_CHARGE_THRESH_BAT0 = 80; # 80 and above it stops charging
};
};
logind.lidSwitch = if config.boot.resumeDevice != "" then "hibernate" else "suspend";
};
};
}

23
modules/hardware/hibernate.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, ... }:
let
cfg = config.custom.hibernate;
in
{
options.custom.hibernate.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
swapDevices = [
{
device = "/var/lib/swapfile";
size = 16 * 1024;
}
];
boot = {
resumeDevice = lib.mkDefault "/dev/mapper/nixos";
};
};
}

49
modules/hardware/intel-laptop.nix Normal file
View file

@ -0,0 +1,49 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.intelLaptop;
in
{
options.custom.intelLaptop.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
hardware.graphics = {
extraPackages = with pkgs; [
intel-media-driver
intel-compute-runtime
];
};
services = {
tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_MIN_PERF_ON_AC = 0;
CPU_MAX_PERF_ON_AC = 100;
CPU_MIN_PERF_ON_BAT = 0;
CPU_MAX_PERF_ON_BAT = 40;
#Optional helps save long term battery health
START_CHARGE_THRESH_BAT0 = 60; # 60 and bellow it starts to charge
STOP_CHARGE_THRESH_BAT0 = 80; # 80 and above it stops charging
};
};
logind.lidSwitch = if config.boot.resumeDevice != "" then "hibernate" else "suspend";
};
};
}

24
modules/hardware/keychron-q11.nix Normal file
View file

@ -0,0 +1,24 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.keychron;
in
{
options.custom.keychron.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; if config.services.xserver.enable then [ via ] else [ ];
# Keychron Q11
services.udev.extraRules = ''
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="3434", ATTRS{idProduct}=="01e0", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
'';
};
}

0
personal/hardware/moonlight-trackball-accel.patch → modules/hardware/moonlight-trackball-accel.patch
View file

38
modules/hardware/nvidia.nix Normal file
View file

@ -0,0 +1,38 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.nvidia;
in
{
options.custom.nvidia.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
hardware = {
nvidia = {
open = true; # Set to false to use the proprietary kernel module
forceFullCompositionPipeline = true;
};
graphics = {
enable = true;
extraPackages = with pkgs; [ nvidia-vaapi-driver ];
};
};
services.xserver.videoDrivers = [ "nvidia" ];
boot.kernelPackages = pkgs.linuxPackages_xanmod_latest;
nixpkgs.config.cudaSupport = true;
nix.settings = {
substituters = [ "https://nix-community.cachix.org" ];
trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];
};
};
}

33
modules/hardware/onlykey.nix Normal file
View file

@ -0,0 +1,33 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.onlykey;
in
{
options.custom.onlykey.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
(onlykey.override (prev: {
node_webkit = prev.node_webkit.overrideAttrs {
version = "0.71.1";
src = fetchurl {
url = "https://dl.nwjs.io/v0.71.1/nwjs-v0.71.1-linux-x64.tar.gz";
hash = "sha256-bnObpwfJ6SNJdOvzWTnh515JMcadH1+fxx5W9e4gl/4=";
};
};
}))
onlykey-cli
];
hardware.onlykey.enable = true;
};
}

84
modules/hardware/trackball.nix Normal file
View file

@ -0,0 +1,84 @@
{ config, lib, ... }:
let
cfg = config.custom.trackball;
in
{
options.custom.trackball.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
nixpkgs.overlays = [
(final: prev: {
moonlight-qt = prev.moonlight-qt.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [ ./moonlight-trackball-accel.patch ];
});
})
];
hardware.logitech.wireless = {
enable = true;
enableGraphical = true;
};
services.libinput.mouse = {
accelProfile = "custom";
accelStepMotion = 5.0e-2;
accelPointsMotion = [
0.0
2.0e-2
4.0e-2
6.0e-2
8.0e-2
0.1
0.12
0.14
0.16
0.18
0.2
0.2525
0.31
0.3725
0.44
0.5125
0.59
0.6725
0.76
0.8525
0.95
1.155
1.37
1.595
1.83
2.075
2.33
2.595
2.87
3.155
3.45
3.755
4.07
4.395
4.73
5.075
5.43
5.795
6.17
6.555
6.95
7.355
7.77
8.195
8.63
9.075
9.53
9.995
10.47
10.955
11.45
11.95
];
};
};
}

48
modules/hardware/vm.nix Normal file
View file

@ -0,0 +1,48 @@
{
config,
lib,
modulesPath,
...
}:
let
cfg = config.custom.vm;
in
{
options.custom.vm.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
services.qemuGuest.enable = true;
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
"virtio_net"
"virtio_pci"
"virtio_mmio"
"virtio_blk"
"virtio_scsi"
"9p"
"9pnet_virtio"
];
boot.initrd.kernelModules = [
"virtio_balloon"
"virtio_console"
"virtio_rng"
"virtio_gpu"
];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
};
}

49
modules/impermanence.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, lib, ... }:
let
cfg = config.custom.impermanence;
in
{
options.custom.impermanence.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
# Default set of directories we always want to persist
environment.persistence."/persist" = {
enable = true;
hideMounts = true;
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_ed25519_key"
];
directories = [
"/var/lib/systemd/timers"
"/var/lib/nixos"
"/var/log"
];
};
fileSystems."/persist".neededForBoot = true;
services = {
fstrim.interval = "daily";
zfs = {
autoScrub.enable = true;
autoSnapshot = {
enable = true;
flags = "-k -p --utc";
};
trim.interval = "daily";
};
};
boot.initrd.postResumeCommands = lib.mkAfter ''
zfs rollback -r zroot/root@blank
zfs rollback -r zroot/home@blank
'';
};
}

72
modules/networking/home-wg.nix Normal file
View file

@ -0,0 +1,72 @@
{ config, lib, ... }:
let
cfg = config.custom.homeWg;
host = config.networking.hostName;
in
{
options.custom = {
homeWg = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
guaSuffix = lib.mkOption {
type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$");
default = null;
description = "IPv6 GUA Suffix for Home WireGuard config";
};
};
};
config = lib.mkIf cfg.enable {
sops = {
secrets = {
priv-home-wg = {
sopsFile = ../../secrets/${host}/home-wg.yaml;
restartUnits = [ "wg-quick-wg0.service" ];
};
psk-home-wg = {
sopsFile = ../../secrets/${host}/home-wg.yaml;
restartUnits = [ "wg-quick-wg0.service" ];
};
};
};
networking = {
wg-quick.interfaces = {
wg0 = {
autostart = true;
address = [ "${config.custom.guaPref}ff::${cfg.guaSuffix}/64" ];
dns = [
"${config.custom.guaPref}ff::1"
"vsinerva.fi"
];
privateKeyFile = config.sops.secrets.priv-home-wg.path;
listenPort = 51820;
peers = [
{
publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
presharedKeyFile = config.sops.secrets.psk-home-wg.path;
allowedIPs = [ "::/0" ];
endpoint = "home.vsinerva.fi:51820";
}
];
};
};
};
services.clatd.settings.clat-v6-addr = "${config.custom.guaPref}ff::c${cfg.guaSuffix}";
systemd.services = {
"wg-quick-wg0" = {
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
};
clatd = {
wants = [ "wg-quick-wg0.service" ];
after = [ "wg-quick-wg0.service" ];
};
};
};
}

21
modules/networking/printing.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, lib, ... }:
let
cfg = config.custom.printing;
in
{
options.custom.printing.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
services = {
printing.enable = true;
avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
};
};
}

36
modules/programs/bitwarden.nix Normal file
View file

@ -0,0 +1,36 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.bitwarden;
in
{
options.custom.bitwarden.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
bitwarden
bitwarden-cli
];
programs.zsh.interactiveShellInit = "export SSH_AUTH_SOCK=/home/vili/.bitwarden-ssh-agent.sock";
security = {
pam = {
rssh.enable = true;
services = {
sudo.rssh = true;
};
};
sudo.execWheelOnly = true;
};
# We need SSH for the sudo, but generally don't want it open on machines with Bitwarden client
services.openssh.openFirewall = false;
};
}

23
modules/programs/communication.nix Normal file
View file

@ -0,0 +1,23 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.communication;
in
{
options.custom.communication.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
telegram-desktop
signal-desktop
discord
];
};
}

0
personal/programs/embedded/alacritty.nix → modules/programs/embedded/alacritty.conf
View file

2
personal/programs/embedded/i3-conf.nix → modules/programs/embedded/i3.conf
View file

@ -1,7 +1,7 @@
{ pkgs, ... }:
let
alacritty-conf = "${
(import ./alacritty.nix {
(import ./alacritty.conf {
inherit pkgs;
})
}";

245
modules/programs/embedded/nvim.nix Normal file
View file

@ -0,0 +1,245 @@
{
config,
lib,
nixvim,
...
}:
let
cfg = config.custom.nvim;
in
{
options.custom.nvim.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
imports = [ nixvim.nixosModules.nixvim ];
config = lib.mkIf cfg.enable {
programs.nixvim = {
enable = true;
defaultEditor = true;
vimAlias = false;
colorschemes.vscode.enable = true;
globals.mapleader = " ";
opts = {
colorcolumn = "100";
cursorline = true;
number = true;
showcmd = true;
signcolumn = "yes";
scrolloff = 16;
shiftwidth = 3;
tabstop = 3;
};
keymaps = [
{
key = "T";
action = "<cmd>Neotree<cr>";
options.desc = "Open Neotree";
}
{
mode = [
"i"
"v"
];
key = "<C-c>";
action = "<Esc>";
options.desc = "Exit To Normal Mode";
}
{
key = "<leader>b";
action = "<cmd>Gitsigns toggle_current_line_blame<cr>";
options.desc = "Toggle Current Line Git Blame";
}
];
plugins = {
fugitive.enable = true;
gitsigns = {
enable = true;
settings = {
current_line_blame_opts.delay = 100;
numhl = true;
};
};
lualine.enable = true;
markdown-preview.enable = true;
neo-tree = {
enable = true;
buffers.followCurrentFile = {
enabled = true;
leaveDirsOpen = true;
};
};
nix.enable = true;
rainbow-delimiters.enable = true;
sleuth.enable = true;
tmux-navigator = {
enable = true;
settings.no_mappings = 1;
keymaps = [
{
key = "<C-h>";
action = "left";
options.desc = "Tmux Left";
}
{
key = "<C-j>";
action = "down";
options.desc = "Tmux Down";
}
{
key = "<C-k>";
action = "up";
options.desc = "Tmux Up";
}
{
key = "<C-l>";
action = "right";
options.desc = "Tmux Right";
}
];
};
treesitter = {
enable = true;
folding = true;
settings.indent.enable = true;
nixGrammars = true;
};
web-devicons.enable = true;
which-key = {
enable = true;
settings.delay.__raw = ''
function(ctx)
return ctx.plugin and 0 or 500
end
'';
};
cmp = {
enable = true;
settings = {
sources = [
{ name = "vim-vsnip"; }
{ name = "vim-lsp-signature-help"; }
{ name = "nvim-lsp"; }
{ name = "treesitter"; }
{ name = "buffer"; }
];
mapping = {
"<C-Space>" = "cmp.mapping.complete()";
"<C-e>" = "cmp.mapping.close()";
"<CR>" = "cmp.mapping.confirm({ select = true })";
"<C-Tab>" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})";
"<Tab>" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})";
};
};
};
friendly-snippets.enable = true;
nvim-autopairs.enable = true;
lsp = {
enable = true;
inlayHints = true;
keymaps = {
diagnostic = {
"<leader>dj" = {
action = "goto_next";
desc = "Next Diagnostic";
};
"<leader>dk" = {
action = "goto_prev";
desc = "Previous Diagnostic";
};
"<leader>dh" = {
action = "open_float";
desc = "Line Diagnostics";
};
};
lspBuf = {
"<leader>gd" = {
action = "definition";
desc = "Goto Definition";
};
"<leader>gr" = {
action = "references";
desc = "Goto References";
};
"<leader>gD" = {
action = "declaration";
desc = "Goto Declaration";
};
"<leader>gi" = {
action = "implementation";
desc = "Goto Implementation";
};
"<leader>gt" = {
action = "type_definition";
desc = "Type Definition";
};
"<leader>s" = {
action = "workspace_symbol";
desc = "Search Symbol";
};
"<leader>r" = {
action = "rename";
desc = "Rename Symbol";
};
"<leader>a" = {
action = "code_action";
desc = "Code Action";
};
H = {
action = "hover";
desc = "Hover";
};
};
extra = [
{
action = "<cmd>lua vim.lsp.inlay_hint.enable(not vim.lsp.inlay_hint.is_enabled())<cr>";
key = "<leader>h";
options.desc = "Toggle LSP Inlay Hints";
}
];
};
servers = {
clangd.enable = true;
cmake.enable = true;
dockerls.enable = true;
docker_compose_language_service.enable = true;
eslint.enable = true;
html.enable = true;
jsonls.enable = true;
nixd.enable = true;
pylsp.enable = true;
rust_analyzer = {
enable = true;
installCargo = false;
installRustc = false;
settings = {
completion = {
autoimport.enable = true;
autoself.enable = true;
fullFunctionSignatures.enable = true;
privateEditable.enable = true;
};
diagnostics = {
styleLints.enable = true;
};
hover.actions.references.enable = true;
};
};
yamlls.enable = true;
};
};
lsp-format.enable = true;
lsp-signature.enable = true;
};
};
};
}

0
personal/programs/embedded/xresources.nix → modules/programs/embedded/xresources.conf
View file

185
modules/programs/firefox.nix Normal file
View file

@ -0,0 +1,185 @@
{ config, lib, ... }:
let
cfg = config.custom.firefox;
lock-false = {
Value = false;
Status = "locked";
};
lock-true = {
Value = true;
Status = "locked";
};
in
{
options.custom.firefox.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
programs.firefox = {
enable = true;
# AutoConfig used for preferences not supported via policies
autoConfig = ''
lockPref("full-screen-api.warning.timeout", 500)
lockPref("privacy.fingerprintingProtection", true)
lockPref("privacy.donottrackheader.enabled", true)
'';
# ---- POLICIES ----
# Check about:policies#documentation for options.
policies = {
# ---- EXTENSIONS ----
# Check about:support for extension/add-on ID strings.
# Valid strings for installation_mode are "allowed", "blocked",
# "force_installed" and "normal_installed".
ExtensionSettings = {
"*".installation_mode = "blocked";
"{446900e4-71c2-419f-a6a7-df9c091e268b}" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi";
installation_mode = "force_installed";
};
"jsr@javascriptrestrictor" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/javascript-restrictor/latest.xpi";
installation_mode = "force_installed";
};
};
AutofillAddressEnabled = false;
AutofillCreditCardEnabled = false;
DisableFirefoxStudies = true;
DisableFormHistory = true;
DisablePocket = true;
DisableSecurityBypass = false;
DisableTelemetry = true;
DisplayBookmarksToolbar = "always"; # alternatives: "always" or "newtab"
DisplayMenuBar = "default-off"; # alternatives: "always", "never" or "default-on"
DontCheckDefaultBrowser = true;
DownloadDirectory = "\${home}/Downloads";
EnableTrackingProtection = {
Value = true;
Locked = true;
Cryptomining = true;
Fingerprinting = true;
EmailTracking = true;
};
FirefoxHome = {
Locked = true;
Search = true;
TopSites = true;
SponsoredTopSites = false;
Highlights = false;
Pocket = false;
SponsoredPocket = false;
};
FirefoxSuggest = {
Locked = true;
WebSuggestions = false;
SponsoredSuggestions = false;
ImproveSuggest = false;
};
HardwareAccelerations = true;
Homepage = {
Locked = true;
URL = "https://www.duckduckgo.com/";
StartPage = "previous-session";
};
HttpsOnlyMode = "force_enabled";
NetworkPrediction = false;
NoDefaultBookmarks = true;
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
PasswordManagerEnabled = false;
Permissions = {
Camera = {
Allow = [ ];
Block = [ ];
BlockNewRequests = false;
Locked = true;
};
Microphone = {
Allow = [ ];
Block = [ ];
BlockNewRequests = false;
Locked = true;
};
Location = {
Allow = [ ];
Block = [ ];
BlockNewRequests = false;
Locked = true;
};
Notifications = {
Allow = [ ];
Block = [ ];
BlockNewRequests = false;
Locked = true;
};
Autoplay = {
Allow = [ ];
Block = [ ];
BlockNewRequests = false;
Default = "block-audio-video";
Locked = true;
};
};
PictureInPicture = {
Enabled = true;
Locked = true;
};
PopupBlocking = {
Allow = [ ];
Default = true;
Locked = true;
};
PostQuantumKeyAgreementEnabled = true;
PrimaryPassword = false;
PrintingEnabled = true;
PromptForDownloadLocation = false;
RequestedLocales = [ "en-US" ];
SearchBar = "unified"; # alternative: "separate"
SearchEngines.PreventInstalls = true;
SearchSuggestEnabled = false;
UserMessaging = {
Locked = true;
ExtensionRecommendations = true;
FeatureRecommendations = false;
UrlbarInterventions = false;
SkipOnboarding = true;
MoreFromMozilla = false;
};
UseSystemPrintDialog = true;
# ---- PREFERENCES ----
# Check about:config for options.
Preferences = {
"browser.contentblocking.category" = {
Value = "strict";
Status = "locked";
};
"browser.safebrowsing.downloads.enabled" = lock-true;
"browser.safebrowsing.downloads.remote.block_potentially_unwanted" = lock-true;
"browser.safebrowsing.downloads.remote.block_uncommon" = lock-true;
"browser.safebrowsing.malware.enabled" = lock-true;
"browser.safebrowsing.phishing.enabled" = lock-true;
"browser.crashReports.unsubmittedCheck.autoSubmit2" = lock-false;
"browser.topsites.contile.enabled" = lock-false;
"browser.translations.automaticallyPopup" = lock-false;
"dom.private-attribution.submission.enabled" = lock-false;
"media.ffmpeg.vaapi.enabled" = lock-true;
"privacy.globalprivacycontrol.enabled" = lock-true;
"xpinstall.whitelist.required" = lock-true;
"network.trr.mode" = {
Value = 0;
Status = "locked";
};
"security.OCSP.enabled" = {
Value = 1;
Status = "locked";
};
};
};
};
};
}

43
modules/programs/i3.nix Normal file
View file

@ -0,0 +1,43 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.i3;
in
{
options.custom.i3.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
i3status
rofi
arandr
pavucontrol
viewnior
xfce.mousepad
pcmanfm
evince
brightnessctl
networkmanagerapplet
];
programs.i3lock.enable = true;
services = {
displayManager = {
defaultSession = "none+i3";
};
xserver.windowManager.i3 = {
enable = true;
extraPackages = [ ];
configFile = "${(import ./embedded/i3.conf { inherit pkgs; })}";
};
};
};
}

21
modules/programs/moonlight.nix Normal file
View file

@ -0,0 +1,21 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.moonlight;
in
{
options.custom.moonlight.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
moonlight-qt
];
};
}

30
modules/programs/redshift.nix Normal file
View file

@ -0,0 +1,30 @@
{ config, lib, ... }:
let
cfg = config.custom.redshift;
in
{
options.custom.redshift.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
services.redshift = {
executable = "/bin/redshift-gtk";
enable = true;
temperature = {
night = 2800;
day = 6500;
};
brightness = {
night = "0.5";
day = "1";
};
};
location = {
latitude = 60.17;
longitude = 24.94;
};
};
}

27
modules/programs/study.nix Normal file
View file

@ -0,0 +1,27 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.study;
in
{
options.custom.study.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
libreoffice
zotero
kile
texliveFull
imagemagick
ghostscript
kdePackages.okular
];
};
}

0
personal/programs/symlinked/gtk-3-4-settings.ini → modules/programs/symlinked/gtk-3-4-settings.ini
View file

0
personal/programs/symlinked/gtk-bookmarks → modules/programs/symlinked/gtk-bookmarks
View file

0
personal/programs/symlinked/gtkrc-2.0 → modules/programs/symlinked/gtkrc-2.0
View file

0
personal/programs/symlinked/libfm.conf → modules/programs/symlinked/libfm.conf
View file

0
personal/programs/symlinked/pcmanfm.conf → modules/programs/symlinked/pcmanfm.conf
View file

64
modules/programs/symlinked/symlinks.nix Normal file
View file

@ -0,0 +1,64 @@
{ config, lib, ... }:
let
cfg = config.custom.symlinks;
in
{
options.custom.symlinks.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
system.userActivationScripts.mkDesktopSettingsSymlinks.text =
let
home = "/home/vili/";
paths = [
rec {
dir = "${home}.config/pcmanfm/default/";
file = "pcmanfm.conf";
full = "${dir}${file}";
source = "${./pcmanfm.conf}";
}
rec {
dir = "${home}.config/libfm/";
file = "libfm.conf";
full = "${dir}${file}";
source = "${./libfm.conf}";
}
rec {
dir = "${home}.config/gtk-3.0/";
file = "bookmarks";
full = "${dir}${file}";
source = "${./gtk-bookmarks}";
}
rec {
dir = "${home}";
file = ".gtkrc-2.0";
full = "${dir}${file}";
source = "${./gtkrc-2.0}";
}
rec {
dir = "${home}.config/gtk-3.0/";
file = "settings.ini";
full = "${dir}${file}";
source = "${./gtk-3-4-settings.ini}";
}
rec {
dir = "${home}.config/gtk-4.0/";
file = "settings.ini";
full = "${dir}${file}";
source = "${./gtk-3-4-settings.ini}";
}
];
in
toString (
map (path: ''
mkdir -p ${path.dir}
if test -e ${path.full} -a ! -L ${path.full}; then
mv -f ${path.full} ${path.full}.old
fi
ln -sf ${path.source} ${path.full}
'') paths
);
};
}

18
modules/programs/usb-automount.nix Normal file
View file

@ -0,0 +1,18 @@
{ config, lib, ... }:
let
cfg = config.custom.usbAutoMount;
in
{
options.custom.usbAutoMount.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
services = {
devmon.enable = true;
gvfs.enable = true;
udisks2.enable = true;
};
};
}

104
modules/services/cert-store-server.nix Normal file
View file

@ -0,0 +1,104 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.custom.certStoreServer;
update-cert = pkgs.writeScriptBin "update-cert" ''
cd ${config.users.users."cert-store".home}
rm -rf nixos-conf
rm -rf ./-.vsinerva.fi
if [[ $SSH_ORIGINAL_COMMAND == ${pkgs.openssh}/libexec/sftp-server ]]; then
eval "$SSH_ORIGINAL_COMMAND"
fi
export SOPS_AGE_KEY_FILE='${config.sops.secrets.cert-age-key.path}'
export GIT_SSH_COMMAND='ssh -i ${config.sops.secrets.forgejo-deploy-key.path} -o IdentitiesOnly=yes'
git clone ssh://forgejo@forgejo.sinerva.eu/VSinerva/nixos-conf.git
cd nixos-conf
${pkgs.sops}/bin/sops -d --extract '["cert-fullchain"]' --output old-fullchain secrets/cert.yaml
${pkgs.sops}/bin/sops -d --extract '["cert-key"]' --output old-key secrets/cert.yaml
cp ${config.users.users."cert-store".home}/-.vsinerva.fi/fullchain.pem ./new-fullchain
cp ${config.users.users."cert-store".home}/-.vsinerva.fi/key.pem ./new-key
if ! ${pkgs.diffutils}/bin/cmp new-fullchain old-fullchain; then
${pkgs.sops}/bin/sops --set "[\"cert-fullchain\"] $(${pkgs.jq}/bin/jq -sR < new-fullchain)" secrets/cert.yaml
fi
if ! ${pkgs.diffutils}/bin/cmp new-key old-key; then
${pkgs.sops}/bin/sops --set "[\"cert-key\"] $(${pkgs.jq}/bin/jq -sR < new-key)" secrets/cert.yaml
fi
git commit -am "Automatically updated wildcard cert"
git push
cd ${config.users.users."cert-store".home}
rm -rf nixos-conf
rm -rf ./-.vsinerva.fi
'';
in
{
options.custom.certStoreServer.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
sops = {
secrets = {
forgejo-deploy-key = {
sopsFile = ../../secrets/cert-store.yaml;
owner = config.users.users."cert-store".name;
};
cert-age-key = {
sopsFile = ../../secrets/cert-store.yaml;
owner = config.users.users."cert-store".name;
};
};
};
systemd.tmpfiles.settings."cert-store-home"."/home/cert-store".d = {
user = "cert-store";
group = "users";
mode = "0700";
};
users.users."cert-store" = {
isNormalUser = true;
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsctvJR4JOVoTAas0+lb8662EXFsQVNozTntnR7o5R1 opnsense"
];
};
services.openssh.knownHosts."forgejo.sinerva.eu".publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG74oN4MnrCm/rm1WyYy7M7Lv1qMRgcy3sDCgj6YN2zE";
environment.systemPackages = [ update-cert ];
programs.git = {
enable = true;
config = {
user = {
email = "vili.m.sinerva@gmail.com";
name = "Vili Sinervä";
};
};
};
services.openssh.extraConfig = ''
Match User cert-store
AllowAgentForwarding no
AllowTcpForwarding no
PermitTTY no
PermitTunnel no
X11Forwarding no
ForceCommand ${update-cert}/bin/update-cert
Match All
'';
};
}

65
modules/services/forgejo-runner.nix Normal file
View file

@ -0,0 +1,65 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.custom.forgejoRunner;
in
{
options.custom.forgejoRunner.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
sops.secrets.forgejo-token = {
sopsFile = ../../secrets/ci.yaml;
restartUnits = [ "gitea-runner-forgejo.sinerva.eu.service" ];
};
networking.firewall.trustedInterfaces = [ "br-+" ];
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances.default = {
enable = true;
name = "ci.sinerva.eu";
url = "https://forgejo.sinerva.eu";
tokenFile = config.sops.secrets.forgejo-token.path;
labels = [
"ubuntu-24.04-lts:docker://ubuntu:24.04"
"ubuntu-22.04:docker://node:24-bullseye"
"nixos-latest:docker://nixos/nix"
];
settings = {
container = {
network = "";
enable_ipv6 = true;
};
};
};
};
virtualisation.docker = {
enable = true;
daemon.settings = {
fixed-cidr-v6 = "fd72:23ed:7025::/64";
ipv6 = true;
ip6tables = true;
experimental = true;
default-address-pools = [
{
base = "172.30.0.0/16";
size = 24;
}
{
base = "fd4e:cdc2:4c34::/64";
size = 96;
}
];
};
};
};
}

78
modules/services/forgejo.nix Normal file
View file

@ -0,0 +1,78 @@
{ config, lib, ... }:
let
cfg = config.custom.forgejo;
in
{
options.custom.forgejo.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
custom = {
nginxHttpsServer.enable = true;
acmeHttpClient.enable = true;
};
environment.persistence."/persist".directories = [
{
directory = config.services.forgejo.stateDir;
user = config.services.forgejo.user;
group = config.services.forgejo.group;
mode = "u=rwx,g=,o=";
}
];
sops.secrets.smtp-pass = {
sopsFile = ../../secrets/forgejo.yaml;
restartUnits = [ "forgejo.service" ];
};
services = {
forgejo = {
enable = true;
lfs.enable = true;
secrets.mailer.PASSWD = config.sops.secrets.smtp-pass.path;
settings = {
DEFAULT.APP_NAME = "Forgejo for Vili Sinervä";
repository = {
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
DEFAULT_REPO_UNITS = "repo.code,repo.releases";
};
ui.DEFAULT_SHOW_FULL_NAME = true;
"ui.meta".AUTHOR = "Forgeo, hosted by Vili Sinervä";
server = {
DOMAIN = "forgejo.sinerva.eu";
HTTP_ADDR = "::1";
HTTP_PORT = 8000;
ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}";
};
service = {
DISABLE_REGISTRATION = true; # Disable for initial setup
ENABLE_NOTIFY_MAIL = true;
};
session.COOKIE_SECURE = true;
mailer = {
ENABLED = true;
SMTP_ADDR = "smtp.gmail.com";
SMTP_PORT = 587;
USER = "vmsskv12@gmail.com"; # Password set in file
FROM = "forgejo@sinerva.eu";
ENVELOPE_FROM = "forgejo@sinerva.eu";
};
cron = {
ENABLED = true;
RUN_AT_START = true;
};
time.DEFAULT_UI_LOCATION = "Europe/Helsinki";
};
};
nginx.virtualHosts.${config.services.forgejo.settings.server.DOMAIN}.locations."/" = {
proxyPass = "http://localhost:8000";
};
};
};
}

99
modules/services/gaming-server.nix Normal file
View file

@ -0,0 +1,99 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.gamingServer;
in
{
options.custom.gamingServer.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
systemd.tmpfiles.settings."vili-home" = {
"/home/vili".d = {
user = "vili";
group = "users";
mode = "0700";
};
"/home/vili/.local".d = {
user = "vili";
group = "users";
mode = "0755";
};
"/home/vili/.local/share".d = {
user = "vili";
group = "users";
mode = "0755";
};
};
environment.persistence."/persist" = {
users.vili = {
directories = [
{
directory = ".cache";
mode = "u=rwx,g=rx,o=rx";
}
{
directory = ".local/share/feral-interactive";
mode = "u=rwx,g=rx,o=rx";
}
".local/share/Steam"
{
directory = ".local/share/vulkan";
mode = "u=rwx,g=rx,o=rx";
}
];
};
};
sops.secrets = {
sunshine-state = {
sopsFile = ../../secrets/gaming.yaml;
owner = config.users.users."vili".name;
};
sunshine-cakey = {
sopsFile = ../../secrets/gaming.yaml;
owner = config.users.users."vili".name;
};
sunshine-cacert = {
sopsFile = ../../secrets/gaming.yaml;
owner = config.users.users."vili".name;
};
};
programs.steam = {
enable = true;
extraCompatPackages = with pkgs; [ proton-ge-bin ];
};
services.sunshine = {
enable = true;
autoStart = true;
openFirewall = true;
settings = {
sunshine_name = "NixOS";
address_family = "both";
credentials_file = config.sops.secrets.sunshine-state.path;
pkey = config.sops.secrets.sunshine-cakey.path;
cert = config.sops.secrets.sunshine-cacert.path;
file_state = config.sops.secrets.sunshine-state.path;
};
applications = {
env = {
PATH = "$(PATH):$(HOME)/.local/bin";
};
apps = [
{
name = "Desktop";
image-path = "desktop.png";
}
];
};
};
};
}

108
modules/services/hydra.nix Normal file
View file

@ -0,0 +1,108 @@
{ config, lib, ... }:
let
cfg = config.custom.hydra;
hydraDomain = "ci.sinerva.eu";
cacheDomain = "cache.sinerva.eu";
in
{
options.custom.hydra.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
custom = {
nginxHttpsServer.enable = true;
acmeHttpClient.enable = true;
};
systemd.tmpfiles.settings."hydra-home"."/var/lib/hydra".d = {
user = "hydra";
group = "hydra";
mode = "0750";
};
environment.persistence."/persist" = {
directories = [
{
directory = "/var/lib/postgresql";
user = "postgresql";
group = "postgresql";
mode = "u=rwx,g=rx,o=";
}
];
files = [ "/var/lib/hydra/.db-created" ];
};
sops.secrets.priv-cache-key.sopsFile = ../../secrets/ci.yaml;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
systemd.services.hydra-server = {
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
};
services = {
hydra = {
enable = true;
hydraURL = "https://${hydraDomain}";
listenHost = "localhost";
notificationSender = "hydra@sinerva.eu";
port = 8080;
useSubstitutes = true;
extraConfig = ''
<dynamicruncommand>
enable = 1
</dynamicruncommand>
'';
};
nix-serve = {
enable = true;
bindAddress = "127.0.0.2";
port = 8081;
secretKeyFile = config.sops.secrets.priv-cache-key.path;
};
nginx.virtualHosts = {
${hydraDomain}.locations."/" = {
proxyPass = "http://localhost:8080";
};
${cacheDomain}.locations."/" = {
proxyPass = "http://127.0.0.2:8081";
};
};
};
nix = {
settings.allowed-uris = [
"github:"
"git+https://github.com/"
"git+ssh://github.com/"
];
buildMachines = [
{
hostName = "localhost";
protocol = null;
systems = [
"x86_64-linux"
"aarch64-linux"
];
supportedFeatures = [
"kvm"
"nixos-test"
"big-parallel"
"benchmark"
];
maxJobs = 6;
}
];
gc = {
options = lib.mkForce "--delete-older-than 1d";
dates = lib.mkForce "hourly";
randomizedDelaySec = lib.mkForce "0";
};
};
};
}

128
modules/services/nextcloud.nix Normal file
View file

@ -0,0 +1,128 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.custom.nextcloud;
in
{
options.custom = {
nextcloud = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
domain = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
};
collabora = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
domain = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
};
};
};
};
config = lib.mkIf cfg.enable (
lib.mkMerge [
{
custom = {
nginxHttpsServer.enable = true;
certStoreClient.enable = true;
};
environment.persistence."/persist".directories = [
{
directory = config.services.nextcloud.home;
user = "nextcloud";
group = "nextcloud";
mode = "u=rwx,g=rx,o=";
}
];
sops.secrets.admin-pass.sopsFile = ../../secrets/nextcloud.yaml;
services = {
nextcloud = {
package = pkgs.nextcloud31;
enable = true;
hostName = cfg.domain;
autoUpdateApps.enable = true;
https = true;
maxUploadSize = "512M"; # Default
config = {
dbtype = "sqlite";
adminpassFile = config.sops.secrets.admin-pass.path;
};
settings = {
overwriteprotocol = "https";
default_phone_region = "FI";
maintenance_window_start = 1;
};
phpOptions = {
"opcache.interned_strings_buffer" = 32;
};
};
nginx.virtualHosts.${config.services.nextcloud.hostName} = { };
};
}
(
# Optional Collabora Client
lib.mkIf cfg.collabora.enable {
services = {
collabora-online = {
enable = true;
port = 9980; # default
settings = {
ssl = {
enable = false;
termination = true;
};
net = {
listen = "loopback";
post_allow.host = [
"127.0.0.1"
"::1"
];
};
storage.wopi = {
"@allow" = true;
host = [ config.services.nextcloud.hostName ] ++ config.services.nextcloud.settings.trusted_domains;
};
server_name = cfg.collabora.domain;
};
};
nginx.virtualHosts.${config.services.collabora-online.settings.server_name} = {
locations."/" = {
proxyPass = "http://localhost:${toString config.services.collabora-online.port}";
proxyWebsockets = true; # collabora uses websockets
};
};
nextcloud = {
appstoreEnable = true;
extraAppsEnable = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit
richdocuments
;
};
};
};
}
)
]
);
}

42
modules/services/siit-dc.nix Normal file
View file

@ -0,0 +1,42 @@
{ config, lib, ... }:
let
cfg = config.custom.siit;
in
{
options.custom.siit.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
networking = {
jool = {
enable = true;
siit.default = {
global.pool6 = "2a01:4f9:c013:bd27:46::/96";
denylist4 = [ "157.180.86.116/32" ];
# Explicit address mappings
eamt = [
{
# Cache/CI
"ipv6 prefix" = "${config.custom.guaPref}d2:be24:11ff:fe7f:f84c/128";
"ipv4 prefix" = "95.217.30.123/32";
}
{
# Forgejo
"ipv6 prefix" = "${config.custom.guaPref}d2:be24:11ff:feee:9c55/128";
"ipv4 prefix" = "95.216.180.210/32";
}
{
# Idacloud
"ipv6 prefix" = "${config.custom.guaPref}d3:be24:11ff:fece:7d63/128";
"ipv4 prefix" = "95.217.26.243/32";
}
];
};
};
};
};
}

83
modules/services/syncthing.nix Normal file
View file

@ -0,0 +1,83 @@
{ config, lib, ... }:
let
cfg = config.custom.syncthing;
in
{
options.custom.syncthing.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
boot.kernel.sysctl."fs.inotify.max_user_watches" = 204800;
services.syncthing = {
enable = true;
user = "vili";
dataDir = config.users.users.${config.services.syncthing.user}.home;
settings = {
defaults.ignores = [
"/Projects/Programming"
];
options = {
urAccepted = -1;
localAnnounceEnabled = false;
globalAnnounceEnabled = false;
natEnabled = false;
relaysEnabled = false;
};
devices = lib.mkMerge [
{
"syncthing" = {
id = "J6GNM4Z-2TWASPT-3P3EW4V-KZEQYFF-TXL22QX-4YTZ3WO-WLM7GQ7-NUP66A4";
addresses = [ "tcp://syncthing.vsinerva.fi:22000" ];
};
}
(lib.mkIf (config.networking.hostName == "syncthing") {
"helium" = {
id = "2MRUBSY-NHXYMAW-SY22RHP-CNNMHKR-DPDKMM4-2XV5F6M-6KSNLQI-DD4EOAM";
addresses = [ "tcp://helium.vsinerva.fi:22000" ];
};
"lithium" = {
id = "S4ZORDV-QBY7QC7-FQHADMZ-NQSKJUA-7B7LQNS-CWJLSMG-JPMN7YJ-OVRDZQA";
addresses = [ "tcp://lithium.vsinerva.fi:22000" ];
};
})
];
folders =
let
default = {
devices = lib.mkMerge [
[ "syncthing" ]
(lib.mkIf (config.networking.hostName == "syncthing") [
"helium"
"lithium"
])
];
versioning = {
type = "trashcan";
params.cleanoutDays = "30";
};
fsWatcherDelayS = 1;
};
in
{
"~/Documents" = default;
"~/Music" = default;
"~/Pictures" = default;
"~/Projects" = default;
"~/School" = default;
"~/Videos" = default;
"~/Zotero" = default;
};
};
#TCP/UDP 22000 for transfers and UDP 21027 for discovery
openDefaultPorts = true;
};
};
}

42
modules/services/utils/acme-http-client.nix Normal file
View file

@ -0,0 +1,42 @@
{ config, lib, ... }:
let
cfg = config.custom.acmeHttpClient;
in
{
options = {
custom.acmeHttpClient.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
services.nginx.virtualHosts = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
config = lib.mkIf cfg.enable (
lib.mkDefault {
enableACME = true;
}
);
}
);
};
};
config = lib.mkIf cfg.enable {
environment.persistence."/persist".directories = [
{
directory = "/var/lib/acme";
user = "acme";
group = "acme";
mode = "u=rwx,g=rx,o=rx";
}
];
networking.firewall.allowedTCPPorts = [ 80 ];
security.acme = {
acceptTerms = true;
defaults.email = "vili.m.sinerva@gmail.com";
};
};
}

44
modules/services/utils/cert-store-client.nix Normal file
View file

@ -0,0 +1,44 @@
{ config, lib, ... }:
let
cfg = config.custom.certStoreClient;
in
{
options = {
custom.certStoreClient.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
services.nginx.virtualHosts = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
config = lib.mkIf cfg.enable (
lib.mkDefault {
sslCertificate = config.sops.secrets.cert-fullchain.path;
sslCertificateKey = config.sops.secrets.cert-key.path;
}
);
}
);
};
};
config = lib.mkIf cfg.enable {
sops = {
secrets = {
cert-fullchain = {
sopsFile = ../../../secrets/cert.yaml;
restartUnits = [ "nginx.service" ];
owner = config.services.nginx.user;
group = config.services.nginx.user;
};
cert-key = {
sopsFile = ../../../secrets/cert.yaml;
restartUnits = [ "nginx.service" ];
owner = config.services.nginx.user;
group = config.services.nginx.user;
};
};
};
};
}

36
modules/services/utils/nginx-https-server.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, lib, ... }:
let
cfg = config.custom.nginxHttpsServer;
in
{
options = {
custom.nginxHttpsServer.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
services.nginx.virtualHosts = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
config = lib.mkIf cfg.enable (
lib.mkDefault {
forceSSL = true;
kTLS = true;
}
);
}
);
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 443 ];
services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
};
};
}

83
modules/services/vaultwarden.nix Normal file
View file

@ -0,0 +1,83 @@
{ config, lib, ... }:
let
cfg = config.custom.vaultwarden;
in
{
options.custom.vaultwarden.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
custom = {
nginxHttpsServer.enable = true;
certStoreClient.enable = true;
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/vaultwarden";
user = "vaultwarden";
group = "vaultwarden";
mode = "u=rwx,g=,o=";
}
];
sops = {
secrets = {
smtp-pass = {
sopsFile = ../../secrets/vaultwarden.yaml;
restartUnits = [ "vaultwarden.service" ];
};
admin-token = {
sopsFile = ../../secrets/vaultwarden.yaml;
restartUnits = [ "vaultwarden.service" ];
};
};
templates."vaultwarden.env" = {
owner = "vaultwarden";
content = ''
SMTP_FROM=vmsskv12@gmail.com
SMTP_USERNAME=vmsskv12@gmail.com
SMTP_PASSWORD=${config.sops.placeholder.smtp-pass}
ADMIN_TOKEN=${config.sops.placeholder.admin-token}
'';
};
};
services = {
vaultwarden = {
enable = true;
environmentFile = config.sops.templates."vaultwarden.env".path;
config = {
DOMAIN = "https://vaultwarden.vsinerva.fi";
LOGIN_RATELIMIT_MAX_BURST = 10;
LOGIN_RATELIMIT_SECONDS = 60;
ADMIN_RATELIMIT_MAX_BURST = 10;
ADMIN_RATELIMIT_SECONDS = 60;
SENDS_ALLOWED = true;
EMERGENCY_ACCESS_ALLOWED = true;
WEB_VAULT_ENABLED = true;
SIGNUPS_ALLOWED = true;
SIGNUPS_VERIFY = true;
SIGNUPS_VERIFY_RESEND_TIME = 3600;
SIGNUPS_VERIFY_RESEND_LIMIT = 5;
SMTP_HOST = "smtp.gmail.com";
SMTP_FROM_NAME = "Vaultwarden";
SMTP_SECURITY = "starttls";
SMTP_PORT = 587;
SMTP_AUTH_MECHANISM = "Login";
};
};
nginx = {
virtualHosts."vaultwarden.vsinerva.fi" = {
locations."/" = {
proxyPass = "http://localhost:8000";
};
};
};
};
};
}

45
modules/users/vili.nix Normal file
View file

@ -0,0 +1,45 @@
{ config, lib, ... }:
let
cfg = config.custom.users.vili;
in
{
options.custom.users.vili.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf cfg.enable {
sops.secrets =
lib.mkIf
(builtins.elem config.networking.hostName [
"helium"
"lithium"
])
{
vili-password = {
sopsFile = ../../secrets/${config.networking.hostName}/vili.yaml;
neededForUsers = true;
};
};
users.users.vili = {
isNormalUser = true;
home = "/home/vili";
description = "Vili Sinervä";
uid = 1000;
extraGroups = [
"wheel"
"networkmanager"
"audio"
];
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
hashedPasswordFile =
if builtins.hasAttr "vili-password" config.sops.secrets then
config.sops.secrets.vili-password.path
else
null;
};
users.groups.vili.gid = 1000;
};
}

49
personal/desktop.nix
View file

@ -1,49 +0,0 @@
{ pkgs, ... }:
{
imports = [
./programs/symlinked/symlinks.nix
../shared/users/vili.nix
];
environment.systemPackages = with pkgs; [
alacritty
vlc
flameshot
speedcrunch
];
services = {
displayManager = {
autoLogin.enable = true;
autoLogin.user = "vili";
};
xserver = {
enable = true;
displayManager = {
lightdm.enable = true;
sessionCommands = ''${pkgs.xorg.xrdb}/bin/xrdb -merge < ${
(import ./programs/embedded/xresources.nix { inherit pkgs; })
}'';
};
};
pipewire.enable = false;
pulseaudio.enable = true;
};
nixpkgs.config.pulseaudio = true;
security.polkit.enable = true;
xdg.mime.defaultApplications = {
"application/pdf" = "org.gnome.Evince.desktop";
"text/plain" = "org.xfce.mousepad.desktop";
"text/x-tex" = "org.kde.kile.desktop";
"inode/directory" = "pcmanfm.description";
};
qt = {
enable = true;
style = "adwaita-dark";
platformTheme = "gnome";
};
}

44
personal/development.nix
View file

@ -1,44 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [ ./programs/embedded/nvim.nix ];
#################### Git configuration ####################
programs.git = {
enable = true;
lfs.enable = true;
config = {
user = {
email = "vili.m.sinerva@gmail.com";
name = "Vili Sinervä";
signingkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
};
merge = {
ff = "true";
};
pull = {
ff = "only";
};
commit = {
verbose = "true";
};
gpg.format = "ssh";
commit.gpgsign = "true";
};
};
#################### Packages ####################
environment.systemPackages = with pkgs; [
nixfmt-rfc-style
nixd
vagrant
nmap
metasploit
armitage
];
virtualisation.virtualbox.host.enable = true;
virtualisation.virtualbox.host.addNetworkInterface = false;
users.extraGroups.vboxusers.members = [ "vili" ];
fonts.packages = builtins.filter lib.attrsets.isDerivation (builtins.attrValues pkgs.nerd-fonts);
}

50
personal/hardware/amd-laptop.nix
View file

@ -1,50 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
environment.systemPackages = with pkgs; [ zenmonitor ];
hardware.graphics = {
enable = true;
enable32Bit = true;
extraPackages = with pkgs; [ rocmPackages.clr.icd ];
};
hardware.amdgpu.initrd.enable = true;
services = {
xserver = lib.mkIf config.services.xserver.enable {
videoDrivers = [ "modesetting" ];
deviceSection = ''
Option "DRI" "2"
Option "TearFree" "true"
'';
};
tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_MIN_PERF_ON_AC = 0;
CPU_MAX_PERF_ON_AC = 100;
CPU_MIN_PERF_ON_BAT = 0;
CPU_MAX_PERF_ON_BAT = 40;
#Optional helps save long term battery health
START_CHARGE_THRESH_BAT0 = 60; # 60 and bellow it starts to charge
STOP_CHARGE_THRESH_BAT0 = 80; # 80 and above it stops charging
};
};
logind.lidSwitch = if config.boot.resumeDevice != "" then "hibernate" else "suspend";
};
}

13
personal/hardware/hibernate.nix
View file

@ -1,13 +0,0 @@
{ lib, ... }:
{
swapDevices = [
{
device = "/var/lib/swapfile";
size = 16 * 1024;
}
];
boot = {
resumeDevice = lib.mkDefault "/dev/mapper/nixos";
};
}

34
personal/hardware/intel-laptop.nix
View file

@ -1,34 +0,0 @@
{ config, pkgs, ... }:
{
hardware.graphics = {
extraPackages = with pkgs; [
intel-media-driver
intel-compute-runtime
];
};
services = {
tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_MIN_PERF_ON_AC = 0;
CPU_MAX_PERF_ON_AC = 100;
CPU_MIN_PERF_ON_BAT = 0;
CPU_MAX_PERF_ON_BAT = 40;
#Optional helps save long term battery health
START_CHARGE_THRESH_BAT0 = 60; # 60 and bellow it starts to charge
STOP_CHARGE_THRESH_BAT0 = 80; # 80 and above it stops charging
};
};
logind.lidSwitch = if config.boot.resumeDevice != "" then "hibernate" else "suspend";
};
}

9
personal/hardware/keychron-q11.nix
View file

@ -1,9 +0,0 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; if config.services.xserver.enable then [ via ] else [ ];
# Keychron Q11
services.udev.extraRules = ''
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="3434", ATTRS{idProduct}=="01e0", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
'';
}

18
personal/hardware/onlykey.nix
View file

@ -1,18 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
(onlykey.override (prev: {
node_webkit = prev.node_webkit.overrideAttrs {
version = "0.71.1";
src = fetchurl {
url = "https://dl.nwjs.io/v0.71.1/nwjs-v0.71.1-linux-x64.tar.gz";
hash = "sha256-bnObpwfJ6SNJdOvzWTnh515JMcadH1+fxx5W9e4gl/4=";
};
};
}))
onlykey-cli
];
hardware.onlykey.enable = true;
}

74
personal/hardware/trackball.nix
View file

@ -1,74 +0,0 @@
{ ... }:
{
nixpkgs.overlays = [
(final: prev: {
moonlight-qt = prev.moonlight-qt.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [ ./moonlight-trackball-accel.patch ];
});
})
];
hardware.logitech.wireless = {
enable = true;
enableGraphical = true;
};
services.libinput.mouse = {
accelProfile = "custom";
accelStepMotion = 5.0e-2;
accelPointsMotion = [
0.0
2.0e-2
4.0e-2
6.0e-2
8.0e-2
0.1
0.12
0.14
0.16
0.18
0.2
0.2525
0.31
0.3725
0.44
0.5125
0.59
0.6725
0.76
0.8525
0.95
1.155
1.37
1.595
1.83
2.075
2.33
2.595
2.87
3.155
3.45
3.755
4.07
4.395
4.73
5.075
5.43
5.795
6.17
6.555
6.95
7.355
7.77
8.195
8.63
9.075
9.53
9.995
10.47
10.955
11.45
11.95
];
};
}

64
personal/networking/home-wg.nix
View file

@ -1,64 +0,0 @@
{ config, lib, ... }:
{
options.custom.home_wg_suffix = lib.mkOption {
type = with lib.types; nullOr (strMatching "^[0-9a-zA-Z:]+$");
default = null;
description = "IPv6 GUA Suffix for Home WireGuard config";
};
config =
let
host = config.networking.hostName;
in
{
sops = {
secrets = {
priv-home-wg = {
sopsFile = ../../secrets/${host}/home-wg.yaml;
restartUnits = [ "wg-quick-wg0.service" ];
};
psk-home-wg = {
sopsFile = ../../secrets/${host}/home-wg.yaml;
restartUnits = [ "wg-quick-wg0.service" ];
};
};
};
networking = {
wg-quick.interfaces = {
wg0 = {
autostart = true;
address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
dns = [
"${config.custom.gua_pref}ff::1"
"vsinerva.fi"
];
privateKeyFile = config.sops.secrets.priv-home-wg.path;
listenPort = 51820;
peers = [
{
publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
presharedKeyFile = config.sops.secrets.psk-home-wg.path;
allowedIPs = [ "::/0" ];
endpoint = "home.vsinerva.fi:51820";
}
];
};
};
};
services.clatd.settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
systemd.services = {
"wg-quick-wg0" = {
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
};
clatd = {
wants = [ "wg-quick-wg0.service" ];
after = [ "wg-quick-wg0.service" ];
};
};
};
}

12
personal/networking/printing.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
programs.i3lock.enable = true;
services = {
printing.enable = true;
avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
};
}

21
personal/programs/bitwarden.nix
View file

@ -1,21 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
bitwarden
bitwarden-cli
];
programs.zsh.interactiveShellInit = "export SSH_AUTH_SOCK=/home/vili/.bitwarden-ssh-agent.sock";
security = {
pam = {
rssh.enable = true;
services = {
sudo.rssh = true;
};
};
sudo.execWheelOnly = true;
};
# We need SSH for the sudo, but generally don't want it open on machines with Bitwarden client
services.openssh.openFirewall = false;
}

8
personal/programs/communication.nix
View file

@ -1,8 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
telegram-desktop
signal-desktop
discord
];
}

230
personal/programs/embedded/nvim.nix
View file

@ -1,230 +0,0 @@
{ nixvim, ... }:
{
imports = [ nixvim.nixosModules.nixvim ];
programs.nixvim = {
enable = true;
defaultEditor = true;
vimAlias = false;
colorschemes.vscode.enable = true;
globals.mapleader = " ";
opts = {
colorcolumn = "100";
cursorline = true;
number = true;
showcmd = true;
signcolumn = "yes";
scrolloff = 16;
shiftwidth = 3;
tabstop = 3;
};
keymaps = [
{
key = "T";
action = "<cmd>Neotree<cr>";
options.desc = "Open Neotree";
}
{
mode = [
"i"
"v"
];
key = "<C-c>";
action = "<Esc>";
options.desc = "Exit To Normal Mode";
}
{
key = "<leader>b";
action = "<cmd>Gitsigns toggle_current_line_blame<cr>";
options.desc = "Toggle Current Line Git Blame";
}
];
plugins = {
fugitive.enable = true;
gitsigns = {
enable = true;
settings = {
current_line_blame_opts.delay = 100;
numhl = true;
};
};
lualine.enable = true;
markdown-preview.enable = true;
neo-tree = {
enable = true;
buffers.followCurrentFile = {
enabled = true;
leaveDirsOpen = true;
};
};
nix.enable = true;
rainbow-delimiters.enable = true;
sleuth.enable = true;
tmux-navigator = {
enable = true;
settings.no_mappings = 1;
keymaps = [
{
key = "<C-h>";
action = "left";
options.desc = "Tmux Left";
}
{
key = "<C-j>";
action = "down";
options.desc = "Tmux Down";
}
{
key = "<C-k>";
action = "up";
options.desc = "Tmux Up";
}
{
key = "<C-l>";
action = "right";
options.desc = "Tmux Right";
}
];
};
treesitter = {
enable = true;
folding = true;
settings.indent.enable = true;
nixGrammars = true;
};
web-devicons.enable = true;
which-key = {
enable = true;
settings.delay.__raw = ''
function(ctx)
return ctx.plugin and 0 or 500
end
'';
};
cmp = {
enable = true;
settings = {
sources = [
{ name = "vim-vsnip"; }
{ name = "vim-lsp-signature-help"; }
{ name = "nvim-lsp"; }
{ name = "treesitter"; }
{ name = "buffer"; }
];
mapping = {
"<C-Space>" = "cmp.mapping.complete()";
"<C-e>" = "cmp.mapping.close()";
"<CR>" = "cmp.mapping.confirm({ select = true })";
"<C-Tab>" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})";
"<Tab>" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})";
};
};
};
friendly-snippets.enable = true;
nvim-autopairs.enable = true;
lsp = {
enable = true;
inlayHints = true;
keymaps = {
diagnostic = {
"<leader>dj" = {
action = "goto_next";
desc = "Next Diagnostic";
};
"<leader>dk" = {
action = "goto_prev";
desc = "Previous Diagnostic";
};
"<leader>dh" = {
action = "open_float";
desc = "Line Diagnostics";
};
};
lspBuf = {
"<leader>gd" = {
action = "definition";
desc = "Goto Definition";
};
"<leader>gr" = {
action = "references";
desc = "Goto References";
};
"<leader>gD" = {
action = "declaration";
desc = "Goto Declaration";
};
"<leader>gi" = {
action = "implementation";
desc = "Goto Implementation";
};
"<leader>gt" = {
action = "type_definition";
desc = "Type Definition";
};
"<leader>s" = {
action = "workspace_symbol";
desc = "Search Symbol";
};
"<leader>r" = {
action = "rename";
desc = "Rename Symbol";
};
"<leader>a" = {
action = "code_action";
desc = "Code Action";
};
H = {
action = "hover";
desc = "Hover";
};
};
extra = [
{
action = "<cmd>lua vim.lsp.inlay_hint.enable(not vim.lsp.inlay_hint.is_enabled())<cr>";
key = "<leader>h";
options.desc = "Toggle LSP Inlay Hints";
}
];
};
servers = {
clangd.enable = true;
cmake.enable = true;
dockerls.enable = true;
docker_compose_language_service.enable = true;
eslint.enable = true;
html.enable = true;
jsonls.enable = true;
nixd.enable = true;
pylsp.enable = true;
rust_analyzer = {
enable = true;
installCargo = false;
installRustc = false;
settings = {
completion = {
autoimport.enable = true;
autoself.enable = true;
fullFunctionSignatures.enable = true;
privateEditable.enable = true;
};
diagnostics = {
styleLints.enable = true;
};
hover.actions.references.enable = true;
};
};
yamlls.enable = true;
};
};
lsp-format.enable = true;
lsp-signature.enable = true;
};
};
}

177
personal/programs/firefox.nix
View file

@ -1,177 +0,0 @@
{ ... }:
let
lock-false = {
Value = false;
Status = "locked";
};
lock-true = {
Value = true;
Status = "locked";
};
in
{
programs.firefox = {
enable = true;
# AutoConfig used for preferences not supported via policies
autoConfig = ''
lockPref("full-screen-api.warning.timeout", 500)
lockPref("privacy.fingerprintingProtection", true)
lockPref("privacy.donottrackheader.enabled", true)
'';
# ---- POLICIES ----
# Check about:policies#documentation for options.
policies = {
# ---- EXTENSIONS ----
# Check about:support for extension/add-on ID strings.
# Valid strings for installation_mode are "allowed", "blocked",
# "force_installed" and "normal_installed".
ExtensionSettings = {
"*".installation_mode = "blocked";
"{446900e4-71c2-419f-a6a7-df9c091e268b}" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi";
installation_mode = "force_installed";
};
"jsr@javascriptrestrictor" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/javascript-restrictor/latest.xpi";
installation_mode = "force_installed";
};
};
AutofillAddressEnabled = false;
AutofillCreditCardEnabled = false;
DisableFirefoxStudies = true;
DisableFormHistory = true;
DisablePocket = true;
DisableSecurityBypass = false;
DisableTelemetry = true;
DisplayBookmarksToolbar = "always"; # alternatives: "always" or "newtab"
DisplayMenuBar = "default-off"; # alternatives: "always", "never" or "default-on"
DontCheckDefaultBrowser = true;
DownloadDirectory = "\${home}/Downloads";
EnableTrackingProtection = {
Value = true;
Locked = true;
Cryptomining = true;
Fingerprinting = true;
EmailTracking = true;
};
FirefoxHome = {
Locked = true;
Search = true;
TopSites = true;
SponsoredTopSites = false;
Highlights = false;
Pocket = false;
SponsoredPocket = false;
};
FirefoxSuggest = {
Locked = true;
WebSuggestions = false;
SponsoredSuggestions = false;
ImproveSuggest = false;
};
HardwareAccelerations = true;
Homepage = {
Locked = true;
URL = "https://www.duckduckgo.com/";
StartPage = "previous-session";
};
HttpsOnlyMode = "force_enabled";
NetworkPrediction = false;
NoDefaultBookmarks = true;
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
PasswordManagerEnabled = false;
Permissions = {
Camera = {
Allow = [ ];
Block = [ ];
BlockNewRequests = false;
Locked = true;
};
Microphone = {
Allow = [ ];
Block = [ ];
BlockNewRequests = false;
Locked = true;
};
Location = {
Allow = [ ];
Block = [ ];
BlockNewRequests = false;
Locked = true;
};
Notifications = {
Allow = [ ];
Block = [ ];
BlockNewRequests = false;
Locked = true;
};
Autoplay = {
Allow = [ ];
Block = [ ];
BlockNewRequests = false;
Default = "block-audio-video";
Locked = true;
};
};
PictureInPicture = {
Enabled = true;
Locked = true;
};
PopupBlocking = {
Allow = [ ];
Default = true;
Locked = true;
};
PostQuantumKeyAgreementEnabled = true;
PrimaryPassword = false;
PrintingEnabled = true;
PromptForDownloadLocation = false;
RequestedLocales = [ "en-US" ];
SearchBar = "unified"; # alternative: "separate"
SearchEngines.PreventInstalls = true;
SearchSuggestEnabled = false;
UserMessaging = {
Locked = true;
ExtensionRecommendations = true;
FeatureRecommendations = false;
UrlbarInterventions = false;
SkipOnboarding = true;
MoreFromMozilla = false;
};
UseSystemPrintDialog = true;
# ---- PREFERENCES ----
# Check about:config for options.
Preferences = {
"browser.contentblocking.category" = {
Value = "strict";
Status = "locked";
};
"browser.safebrowsing.downloads.enabled" = lock-true;
"browser.safebrowsing.downloads.remote.block_potentially_unwanted" = lock-true;
"browser.safebrowsing.downloads.remote.block_uncommon" = lock-true;
"browser.safebrowsing.malware.enabled" = lock-true;
"browser.safebrowsing.phishing.enabled" = lock-true;
"browser.crashReports.unsubmittedCheck.autoSubmit2" = lock-false;
"browser.topsites.contile.enabled" = lock-false;
"browser.translations.automaticallyPopup" = lock-false;
"dom.private-attribution.submission.enabled" = lock-false;
"media.ffmpeg.vaapi.enabled" = lock-true;
"privacy.globalprivacycontrol.enabled" = lock-true;
"xpinstall.whitelist.required" = lock-true;
"network.trr.mode" = {
Value = 0;
Status = "locked";
};
"security.OCSP.enabled" = {
Value = 1;
Status = "locked";
};
};
};
};
}

28
personal/programs/i3.nix
View file

@ -1,28 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
i3status
rofi
arandr
pavucontrol
viewnior
xfce.mousepad
pcmanfm
evince
brightnessctl
networkmanagerapplet
];
programs.i3lock.enable = true;
services = {
displayManager = {
defaultSession = "none+i3";
};
xserver.windowManager.i3 = {
enable = true;
extraPackages = [ ];
configFile = "${(import ./embedded/i3-conf.nix { inherit pkgs; })}";
};
};
}

6
personal/programs/moonlight.nix
View file

@ -1,6 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
moonlight-qt
];
}

20
personal/programs/redshift.nix
View file

@ -1,20 +0,0 @@
{ ... }:
{
services.redshift = {
executable = "/bin/redshift-gtk";
enable = true;
temperature = {
night = 2800;
day = 6500;
};
brightness = {
night = "0.5";
day = "1";
};
};
location = {
latitude = 60.17;
longitude = 24.94;
};
}

12
personal/programs/study.nix
View file

@ -1,12 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
libreoffice
zotero
kile
texliveFull
imagemagick
ghostscript
kdePackages.okular
];
}

Some files were not shown because too many files have changed in this diff Show more