qenya/nixfiles
1
0
Fork 0
Code Issues 4 Pull requests Activity Actions

Compare commits

base: qenya:main
Branches Tags
qenya:main
qenya:flakes
qenya:lix
qenya:multihost
..
compare: qenya:lix
Branches Tags
qenya:main
qenya:flakes
qenya:lix
qenya:multihost

1 commit
main ... lix

Author SHA1 Message Date
Katherina Walshe-Grey
a035d2613b switch from CppNix to Lix 2.90.0 
Closes #8
 2024-07-17 16:24:58 +01:00
121 changed files with 738 additions and 4948 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.envrc
View file

@ -1 +0,0 @@
use_nix

28
README.md
View file

@ -2,27 +2,19 @@
My NixOS configuration files.
The canonical location for this repository is https://git.unspecified.systems/qenya/nixfiles. If you're viewing it elsewhere, it is a mirror and may not be up-to-date.
The canonical location for this repository is https://git.qenya.tel/qenya/nixfiles. If you're viewing it elsewhere, it is a mirror and may not be up-to-date.
## Machines
### Managed
* `kilgharrah`: Custom-built personal desktop; also currently running Jellyfin, Navidrome and Audiobookshelf servers (and an FTP server, for shits and giggles)
* `tohru`: Dell Latitude 5300, personal laptop
* `elucredassa`: Acer Aspire A315-53, old laptop with a broken keyboard that now sits in a corner being a backup server
* `yevaud`: Oracle Cloud free AMD VM, hosts a Forgejo instance and WireGuard server for the other machines in the network
* `orm`: Oracle Cloud free AMD VM, hosts an instance of Actual Budget and a PostgreSQL server for other services that need one
* `kalessin`: Oracle Cloud free ARM VM, currently idling
### Referenced only
* `shaw`: [My girlfriend's NAS](https://github.com/randomnetcat/nix-configs/tree/main/hosts/shaw)
* `latias`: My Steam Deck
* `yevaud`: Oracle Cloud free AMD VM, hosts a Forgejo instance
* `orm`: Oracle Cloud free AMD VM, currently idling
## Usage
### Building
To build locally, run `nixos-rebuild switch --flake .#[hostname]` as root.
To build locally, run `colmena apply-local` as root.
To build the remote machines, run `colmena apply`. See the [colmena documentation](https://colmena.cli.rs/) for command-line options. Notable options include:
* `--on [hostname]`: build a specific machine only
@ -30,4 +22,14 @@ To build the remote machines, run `colmena apply`. See the [colmena documentatio
### Updating
`nix flake update --commit-lock-file`
Run `npins update` to update the dependencies within the currently selected upgrade channels.
To upgrade to a new major version of a dependency, simply re-add it and the old version will be overwritten, e.g.:
```sh
npins add --name nixpkgs channel nixos-unstable
```
In either case, commit the changes to `npins/sources.json`.
See the [npins documentation](https://github.com/andir/npins) for more details.

16
colmena/local.nix Normal file
View file

@ -0,0 +1,16 @@
{ name, nodes, config, lib, pkgs, ... }:
let sources = import ../npins;
in {
deployment = {
allowLocalDeployment = true;
targetHost = null;
tags = [ "local" ];
};
environment.systemPackages = with pkgs; [
agenix
colmena
npins
];
}

12
colmena/remote.nix Normal file
View file

@ -0,0 +1,12 @@
{ name, nodes, config, lib, pkgs, ... }:
{
deployment = {
targetHost = "${name}.birdsong.network";
targetUser = "qenya";
tags = [ "remote" ];
};
security.sudo.wheelNeedsPassword = false;
nix.settings.trusted-users = [ "@wheel" ];
}

29
common/base-graphical/default.nix
View file

@ -1,29 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.qenya.base-graphical;
in
{
imports = [
./gnome.nix
./sound.nix
];
options.qenya.base-graphical.enable = mkEnableOption "Base configuration for graphical environments";
config = mkIf cfg.enable {
services.xserver.enable = true;
services.libinput.enable = true;
services.printing.enable = true;
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
fonts.packages = with pkgs; [
corefonts
];
};
}

21
common/base-graphical/gnome.nix
View file

@ -1,21 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkMerge mkOption types;
cfg = config.qenya.base-graphical;
in
{
config = mkIf cfg.enable {
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
# TODO: agree on this with randomcat as it affects her too, since for some reason this is system-wide
# environment.gnome.excludePackages = with pkgs.gnome; [
# pkgs.gnome-tour
# epiphany # GNOME Web
# geary
# gnome-calendar
# gnome-contacts
# gnome-music
# ];
};
}

20
common/base-graphical/sound.nix
View file

@ -1,20 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.qenya.base-graphical;
in
{
config = mkIf cfg.enable {
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
services.pulseaudio.enable = false; # this theoretically defaults to false but something else seems to be flipping it
environment.systemPackages = with pkgs; [ helvum ]; # patchbay
};
}

17
common/base-server/default.nix
View file

@ -1,17 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.qenya.base-server;
in
{
options.qenya.base-server.enable = mkEnableOption "Base configuration for headless servers";
config = mkIf cfg.enable {
time.timeZone = "Etc/UTC";
# Allow remote deployment with colmena
deployment.targetUser = null;
security.sudo.wheelNeedsPassword = false;
};
}

22
common/boot.nix
View file

@ -1,22 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf;
in
{
boot.loader = {
systemd-boot.enable = true;
systemd-boot.editor = false;
systemd-boot.memtest86.enable = mkIf config.nixpkgs.hostPlatform.isx86 true;
efi.canTouchEfiVariables = true;
};
services.resolved = {
enable = true;
fallbackDns = [ ];
dnsovertls = "true";
extraConfig = ''
DNS=2a07:e340::4#base.dns.mullvad.net 194.242.2.4#base.dns.mullvad.net
'';
};
}

19
common/default.nix
View file

@ -1,19 +0,0 @@
{
imports = [
./base-graphical
./base-server
./users
./boot.nix
./gpg.nix
./home-manager.nix
./misc.nix
./nginx.nix
./nix.nix
./packages.nix
./sanoid.nix
./security.nix
./ssh.nix
./steam.nix
./tailscale.nix
];
}

7
common/fonts.nix Normal file
View file

@ -0,0 +1,7 @@
{ config, lib, pkgs, ... }:
{
fonts.packages = with pkgs; [
corefonts
];
}

8
common/gpg.nix
View file

@ -1,8 +0,0 @@
{ config, lib, pkgs, ... }:
{
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
}

12
common/home-manager.nix
View file

@ -1,12 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
{
home-manager = {
useUserPackages = true;
useGlobalPkgs = true;
backupFileExtension = "backup";
extraSpecialArgs = {
inherit inputs;
};
};
}

12
common/misc.nix
View file

@ -1,12 +0,0 @@
{ config, lib, pkgs, ... }:
{
nix.gc = {
automatic = true;
dates = "weekly";
randomizedDelaySec = "45min";
options = "--delete-older-than 30d";
};
nix.optimise.automatic = true;
services.fstrim.enable = true;
}

14
common/nginx.nix
View file

@ -7,19 +7,23 @@
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
add_header Content-Security-Policy "default-src https: data: blob: ws: 'unsafe-inline' 'wasm-unsafe-eval'; object-src 'none'; base-uri 'self';" always;
add_header Referrer-Policy strict-origin-when-cross-origin;
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'strict-origin-when-cross-origin';
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
};
security.acme = {
acceptTerms = true;
defaults.email = "auto@qenya.tel";
defaults.email = "accounts@katherina.rocks"; # TODO: replace with more appropriate email
};
}

12
common/nix.nix
View file

@ -1,12 +0,0 @@
{ config, lib, pkgs, ... }:
{
nix.settings.experimental-features = "nix-command flakes";
nixpkgs.flake = {
source = lib.cleanSource pkgs.path;
setNixPath = true;
setFlakeRegistry = true;
};
nixpkgs.config.allowUnfree = true;
nix.settings.trusted-users = [ "@wheel" ];
}

35
common/sanoid.nix
View file

@ -1,35 +0,0 @@
{ config, pkgs, inputs, ... }:
{
config = {
services.sanoid = {
enable = true;
extraArgs = [ "--verbose" ];
# Local snapshots for important datasets
templates."production" = {
yearly = 0;
monthly = 3;
daily = 30;
hourly = 36;
autosnap = true;
autoprune = true;
};
# Reduced-retention version for datasets that are backed up to the NAS
templates."safe" = {
yearly = 0;
monthly = 0;
daily = 7;
hourly = 24;
autosnap = true;
autoprune = true;
};
# datasets."rpool_sggau1/reese/system" = {
# useTemplate = [ "safe" ];
# recursive = "zfs";
# };
};
};
}

12
common/ssh.nix
View file

@ -1,9 +1,5 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) concatMapAttrs;
keys = import ../keys.nix;
in
{
services.openssh = {
enable = true;
@ -13,9 +9,5 @@ in
};
};
programs.ssh.knownHosts = concatMapAttrs
(host: key: {
"${host}.birdsong.network".publicKey = key;
})
keys.machines;
}
services.fail2ban.enable = true;
}

20
common/steam.nix
View file

@ -1,17 +1,11 @@
{ config, lib, pkgs, ... }:
{
config = lib.mkIf config.programs.steam.enable {
programs.steam = {
package = pkgs.steam.override {
extraArgs = "-pipewire"; # for remote play with PipeWire
};
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
localNetworkGameTransfers.openFirewall = true;
};
services.joycond.enable = true;
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
};
}
services.joycond.enable = true;
}

0
common/security.nix → common/sudo.nix
View file

23
common/tailscale.nix
View file

@ -1,23 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.tailscale = {
enable = true;
openFirewall = true;
extraUpFlags = [ "--login-server" "https://headscale.unspecified.systems" ];
extraDaemonFlags = [ "--no-logs-no-support" ]; # disable telemetry
};
systemd.services.tailscaled-autoconnect = {
after = [ "tailscaled.service" "network-online.target" ];
wants = [ "tailscaled.service" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script = ''
sleep 2 # wait for tailscaled to settle
${lib.getExe config.services.tailscale.package} up --reset ${lib.escapeShellArgs config.services.tailscale.extraUpFlags}
'';
};
networking.domain = "birdsong.network";
}

29
common/users/default.nix
View file

@ -1,32 +1,7 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkOption types genAttrs;
cfg = config.fountain;
in
{
# TODO: consider DRY-ing these
imports = [
./gaelan.nix
./qenya.nix
./randomcat.nix
./trungle.nix
./richard.nix
];
options.fountain = {
admins = mkOption {
type = types.listOf types.str;
default = [ ];
description = "List of users who should have root on this system";
};
};
config = {
users.mutableUsers = false;
users.users = genAttrs cfg.admins
(name: {
extraGroups = [ "wheel" ];
});
};
}
}

23
common/users/gaelan.nix
View file

@ -1,23 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption;
keys = import ../../keys.nix;
cfg = config.fountain.users.gaelan;
in
{
options.fountain.users.gaelan = {
enable = mkEnableOption "user gaelan";
};
config = mkIf cfg.enable {
users.users.gaelan = {
uid = 1003;
isNormalUser = true;
group = "gaelan";
openssh.authorizedKeys.keys = keys.users.gaelan;
};
users.groups.gaelan.gid = config.users.users.gaelan.uid;
};
}

39
common/users/qenya.nix
View file

@ -1,28 +1,29 @@
{ config, lib, pkgs, self, ... }:
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption;
keys = import ../../keys.nix;
cfg = config.fountain.users.qenya;
let keys = import ../../keys.nix;
in
{
options.fountain.users.qenya = {
enable = mkEnableOption "user qenya";
users.users.qenya = {
isNormalUser = true;
home = "/home/qenya";
extraGroups = [
"wheel" # sudo
"networkmanager" # UI wifi configuration
"dialout" # access to serial ports
];
openssh.authorizedKeys.keys = keys.users.qenya;
uid = 1001;
};
config = mkIf cfg.enable {
users.users.qenya = {
uid = 1001;
isNormalUser = true;
group = "qenya";
shell = pkgs.zsh;
openssh.authorizedKeys.keys = keys.users.qenya;
home-manager.users.qenya = { config, lib, pkgs, osConfig, ... }: {
home.homeDirectory = osConfig.users.users.qenya.home;
programs.git = {
enable = true;
userName = "Katherina Walshe-Grey";
userEmail = "git@qenya.tel";
};
users.groups.qenya.gid = config.users.users.qenya.uid;
programs.zsh.enable = true;
home-manager.users."qenya" = self.homeManagerModules."qenya";
home.stateVersion = "23.11";
};
}

25
common/users/randomcat.nix
View file

@ -1,23 +1,12 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption;
keys = import ../../keys.nix;
cfg = config.fountain.users.randomcat;
let keys = import ../../keys.nix;
in
{
options.fountain.users.randomcat = {
enable = mkEnableOption "user randomcat";
users.users.randomcat = {
isNormalUser = true;
home = "/home/randomcat";
openssh.authorizedKeys.keys = keys.users.randomcat;
uid = 1003;
};
config = mkIf cfg.enable {
users.users.randomcat = {
uid = 1000;
isNormalUser = true;
group = "randomcat";
openssh.authorizedKeys.keys = keys.users.randomcat;
};
users.groups.randomcat.gid = config.users.users.randomcat.uid;
};
}
}

12
common/users/richard.nix Normal file
View file

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
let keys = import ../../keys.nix;
in
{
users.users.richard = {
isNormalUser = true;
home = "/home/richard";
openssh.authorizedKeys.keys = keys.users.richard;
uid = 1002;
};
}

23
common/users/trungle.nix
View file

@ -1,23 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption;
keys = import ../../keys.nix;
cfg = config.fountain.users.trungle;
in
{
options.fountain.users.trungle = {
enable = mkEnableOption "user trungle";
};
config = mkIf cfg.enable {
users.users.trungle = {
uid = 1002;
isNormalUser = true;
group = "trungle";
openssh.authorizedKeys.keys = keys.users.trungle;
};
users.groups.trungle.gid = config.users.users.trungle.uid;
};
}

15
common/packages.nix → common/utilities.nix
View file

@ -1,22 +1,13 @@
{ config, lib, pkgs, ... }:
{
# CLI utilities I get frustrated if I'm missing
environment.systemPackages = with pkgs; [
btop
git
wget
# hardware troubleshooting
inetutils
lshw
parted
smartmontools
# network troubleshooting
inetutils
lsof
tcpdump
netcat # <3
wireguard-tools
wget
];
environment.wordlist.enable = true;

405
flake.lock generated
View file

@ -1,405 +0,0 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": [],
"home-manager": [],
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1750173260,
"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"colmena": {
"inputs": {
"flake-compat": [],
"flake-utils": "flake-utils",
"nix-github-actions": [],
"nixpkgs": [
"nixpkgs"
],
"stable": []
},
"locked": {
"lastModified": 1751144689,
"narHash": "sha256-cgIntaqhcm62V1KU6GmrAGpHpahT4UExEWW2ryS02ZU=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "3ceec72cfb396a8a8de5fe96a9d75a9ce88cc18e",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"repo": "colmena",
"type": "github"
}
},
"firefox-addons": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"dir": "pkgs/firefox-addons",
"lastModified": 1751256218,
"narHash": "sha256-WC1YSV4lFT41AaEhpiQZRuofe+2WLI9PNuuqgdRmjVM=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "fa40d85b15cbfb1a488ef9a119ff2d40a481c8da",
"type": "gitlab"
},
"original": {
"dir": "pkgs/firefox-addons",
"owner": "rycee",
"ref": "master",
"repo": "nur-expressions",
"type": "gitlab"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1749398372,
"narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
"narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
"owner": "lf-",
"repo": "flakey-profile",
"rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
"type": "github"
},
"original": {
"owner": "lf-",
"repo": "flakey-profile",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1750792728,
"narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "366f00797b1efb70f2882d3da485e3c10fd3d557",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.05",
"repo": "home-manager",
"type": "github"
}
},
"home-manager-unstable": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1751239699,
"narHash": "sha256-zA1uUdAq3c26fHm26xMWMuF5COhI18EzaH7az/P2OWM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f6deff178cc4d6049d30785dbfc831e6c6e3a219",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"lix": {
"flake": false,
"locked": {
"lastModified": 1751235704,
"narHash": "sha256-J4ycLoXHPsoBoQtEXFCelL4xlq5pT8U9tNWNKm43+YI=",
"rev": "1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6.tar.gz?rev=1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz"
}
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils_2",
"flakey-profile": "flakey-profile",
"lix": "lix",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1751240025,
"narHash": "sha256-SXUAlxpjPRkArRMHy5+Hdi+PiC+ND9yzzIjiaHmTvQU=",
"rev": "8b1094356f4723d6e89d3f8a95b333ee16d9ab02",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/8b1094356f4723d6e89d3f8a95b333ee16d9ab02.tar.gz?rev=8b1094356f4723d6e89d3f8a95b333ee16d9ab02"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.2-1.tar.gz"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1751211869,
"narHash": "sha256-1Cu92i1KSPbhPCKxoiVG5qnoRiKTgR5CcGSRyLpOd7Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b43c397f6c213918d6cfe6e3550abfe79b5d1c51",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1748740939,
"narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "656a64127e9d791a334452c6b6606d17539476e2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-small": {
"locked": {
"lastModified": 1751230698,
"narHash": "sha256-ANWE9dHPeACz3SIbUhbWZforTgfAvOS5Tg1l4yYa/B0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e410afb41ba16a2ceeaeff85c536d35f10bbbdcf",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1751011381,
"narHash": "sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "30e2e2857ba47844aa71991daa6ed1fc678bcbb7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable-small": {
"locked": {
"lastModified": 1751247197,
"narHash": "sha256-QSX8/v7sbRO/vX/1Cdb+ZI17bH+5EpnFi9OcfODNpgA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "cbb0f33478508488b2affe24a939dae57cb5a157",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"plasma-manager": {
"inputs": {
"home-manager": [
"home-manager-unstable"
],
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1748196248,
"narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=",
"owner": "nix-community",
"repo": "plasma-manager",
"rev": "b7697abe89967839b273a863a3805345ea54ab56",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "plasma-manager",
"type": "github"
}
},
"randomcat": {
"flake": false,
"locked": {
"lastModified": 1751261560,
"narHash": "sha256-IrT1jAtRE1BiwEQtqU+PyvwnE08mrf8xeIdGxDIE2zs=",
"owner": "randomnetcat",
"repo": "nix-configs",
"rev": "09459a091c79ead8efe75735da4f784f272e0f48",
"type": "github"
},
"original": {
"owner": "randomnetcat",
"repo": "nix-configs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"colmena": "colmena",
"firefox-addons": "firefox-addons",
"flake-parts": "flake-parts",
"home-manager": "home-manager",
"home-manager-unstable": "home-manager-unstable",
"lix-module": "lix-module",
"nixpkgs": "nixpkgs",
"nixpkgs-small": "nixpkgs-small",
"nixpkgs-unstable": "nixpkgs-unstable",
"nixpkgs-unstable-small": "nixpkgs-unstable-small",
"plasma-manager": "plasma-manager",
"randomcat": "randomcat",
"scoutshonour": "scoutshonour"
}
},
"scoutshonour": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1735301893,
"narHash": "sha256-d95MCTUYMCcOQv4LpmWxPuVnx7McezXYs2Idw8u8ngI=",
"ref": "main",
"rev": "f447cd380ea1fb81a0ff8f292b6bbdf0be9c9520",
"revCount": 23,
"type": "git",
"url": "https://git.qenya.tel/qenya/nix-scoutshonour"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.qenya.tel/qenya/nix-scoutshonour"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

169
flake.nix
View file

@ -1,169 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-25.05-small";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small";
lix-module = {
# lix haven't figured out automatic updates yet: https://git.lix.systems/lix-project/nixos-module/issues/39
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.2-1.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager-unstable = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
plasma-manager = {
url = "github:nix-community/plasma-manager";
inputs.nixpkgs.follows = "nixpkgs-unstable";
inputs.home-manager.follows = "home-manager-unstable";
};
flake-parts.url = "github:hercules-ci/flake-parts";
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.darwin.follows = "";
inputs.home-manager.follows = "";
};
colmena = {
url = "github:zhaofengli/colmena";
inputs.nixpkgs.follows = "nixpkgs";
inputs.stable.follows = "";
inputs.nix-github-actions.follows = "";
inputs.flake-compat.follows = "";
};
randomcat = {
url = "github:randomnetcat/nix-configs";
flake = false;
};
firefox-addons = {
url = "gitlab:rycee/nur-expressions?ref=master&dir=pkgs/firefox-addons";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
scoutshonour = {
url = "git+https://git.qenya.tel/qenya/nix-scoutshonour?ref=main";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
};
outputs = inputs@{ self, nixpkgs, nixpkgs-small, nixpkgs-unstable, flake-parts, colmena, ... }:
flake-parts.lib.mkFlake { inherit inputs; } {
imports = [ ./flake ];
systems = [ "x86_64-linux" "aarch64-linux" ];
perSystem = { pkgs, system, ... }: {
devShells.default = pkgs.mkShell {
packages = [
inputs.colmena.packages.${system}.colmena
inputs.agenix.packages.${system}.default
inputs.plasma-manager.packages.${system}.rc2nix
];
};
};
flake.nixosConfigurations = self.outputs.colmenaHive.nodes;
flake.colmenaHive = colmena.lib.makeHive self.outputs.colmena;
# The name of this output type is not standardised. I have picked
# "homeManagerModules" as the discussion here suggests it's the most common:
# https://github.com/nix-community/home-manager/issues/1783
#
# However, note CppNix >= 2.22.3, >= 2.24 has blessed "homeModules":
# https://github.com/NixOS/nix/pull/10858
flake.homeManagerModules = {
"qenya".imports = [ ./home/qenya ];
"qenya@shaw".imports = [ ./hosts/shaw/home.nix ];
};
fountain.backup = {
keys = {
elucredassa = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFa3hjej6KGmS2aQ4s46Y7U8pN4yyR2FuMofpHRwXNk syncoid@elucredassa" ];
};
sync = {
"orm-state" = {
dataset = "state";
sourceHost = "orm";
targetHost = "elucredassa";
source = "rpool_orm";
target = "rpool_elucredassa/backup/orm";
};
"kalessin-state" = {
dataset = "state";
sourceHost = "kalessin";
targetHost = "elucredassa";
source = "rpool_kalessin";
target = "rpool_elucredassa/backup/kalessin";
};
};
};
flake.colmena =
let
home-manager = inputs.home-manager.nixosModules.home-manager;
home-manager-unstable = inputs.home-manager-unstable.nixosModules.home-manager;
in
{
meta = {
nixpkgs = import nixpkgs-unstable {
system = "x86_64-linux";
overlays = [
inputs.lix-module.overlays.default
];
};
nodeNixpkgs = {
kilgharrah = import nixpkgs-unstable { system = "x86_64-linux"; };
tohru = import nixpkgs { system = "x86_64-linux"; };
elucredassa = import nixpkgs-small { system = "x86_64-linux"; };
yevaud = import nixpkgs-small { system = "x86_64-linux"; };
orm = import nixpkgs-small { system = "x86_64-linux"; };
kalessin = import nixpkgs-small { system = "aarch64-linux"; };
tehanu = import nixpkgs-small { system = "aarch64-linux"; };
};
specialArgs = {
inherit self;
inherit inputs;
};
};
defaults = { config, lib, pkgs, ... }: {
deployment.targetHost = lib.mkDefault config.networking.fqdn;
deployment.buildOnTarget = lib.mkDefault true;
imports = [
inputs.lix-module.nixosModules.default
inputs.agenix.nixosModules.default
./common
./services
(builtins.toPath "${inputs.randomcat}/services/default.nix")
];
};
kilgharrah.deployment.targetHost = null; # disable remote deployment
tohru.deployment.targetHost = null; # disable remote deployment
elucredassa.deployment.targetHost = "100.73.34.182"; # TODO: no fqdn yet
kilgharrah.imports = [ ./hosts/kilgharrah home-manager-unstable ];
tohru.imports = [ ./hosts/tohru home-manager ];
elucredassa.imports = [ ./hosts/elucredassa home-manager ];
yevaud.imports = [ ./hosts/yevaud home-manager ];
orm.imports = [ ./hosts/orm home-manager ];
kalessin.imports = [ ./hosts/kalessin home-manager ];
tehanu.imports = [ ./hosts/tehanu home-manager ];
};
};
}

134
flake/backup.nix
View file

@ -1,134 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.fountain.backup;
keys = import ../keys.nix;
syncOptions = {
dataset = lib.mkOption {
type = lib.types.str;
description = ''
The name of the dataset to be synced (not including its parent
datasets, if any). This will be the same on the source and target.
It must already exist on the source, defined with the
{option}`randomcat.services.zfs` module, and not exist on the target.
'';
};
sourceHost = lib.mkOption {
type = lib.types.str;
description = ''
The host from which the dataset should be synced. Must be an entry in
{option}`flake.colmena`.
'';
};
targetHost = lib.mkOption {
type = lib.types.str;
description = ''
The host to which the dataset should be synced. Must be an entry in
{option}`flake.colmena`.
'';
};
source = lib.mkOption {
type = lib.types.str;
description = ''
The path to the synced dataset in the ZFS namespace on the source host,
excluding the component that is the name of the dataset itself.
'';
};
target = lib.mkOption {
type = lib.types.str;
description = ''
The path to the synced dataset in the ZFS namespace on the target host,
excluding the component that is the name of the dataset itself. It must
already exist, defined with the {option}`randomcat.services.zfs`
module.
'';
};
};
in
{
options.fountain.backup = {
keys = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf lib.types.singleLineStr);
default = { };
description = ''
Lists of verbatim OpenSSH public keys that may be used to identify the
syncoid user on each target host. The key to each list must be the
host's hostname, as listed in {option}`flake.colmena`.
'';
example = {
host = [ "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host" ];
bar = [ "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar" ];
};
};
sync = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule { options = syncOptions; });
default = { };
description = ''
Details of ZFS datasets whose snapshots should be synced from machine
to machine using syncoid. Syncoid will run hourly at 15 past the hour
and copy all ZFS snapshots from the source dataset to the target
dataset (recursing into child datasets).
See descriptions for the individual options for more details. The name
of each attribute in this set is arbitrary and used to generate systemd
unit names.
This module does not actually cause snapshots to be taken; sanoid must
be configured separately to do this.
'';
example = {
"orm-state" = {
dataset = "state";
sourceHost = "orm";
targetHost = "elucredassa";
source = "rpool_orm";
target = "rpool_elucredassa/backup/orm";
};
};
};
};
# TODO: add some assertions to verify the options
config.flake.colmena = lib.mkMerge (lib.mapAttrsToList
(name: sync:
let
inherit (sync) dataset sourceHost targetHost source target;
sourceFqdn = "${sourceHost}.birdsong.network";
in
{
${sourceHost} = { pkgs, ... }: {
randomcat.services.zfs.datasets."${source}/${dataset}".zfsPermissions.users.backup = [ "hold" "send" ];
users.users.backup = {
group = "backup";
isSystemUser = true;
useDefaultShell = true;
openssh.authorizedKeys.keys = cfg.keys.${targetHost};
packages = with pkgs; [ mbuffer lzop ]; # syncoid uses these if available but doesn't pull them in automatically
};
users.groups.backup = { };
};
${targetHost} = {
randomcat.services.zfs.datasets.${target}.zfsPermissions.users.syncoid = [ "mount" "create" "receive" "recordsize" ];
services.syncoid = {
enable = true;
interval = "*-*-* *:15:00";
commonArgs = [ "--no-sync-snap" ];
commands = {
${name} = {
source = "backup@${sourceFqdn}:${source}/${dataset}";
target = "${target}/${dataset}";
recursive = true;
recvOptions = "ux recordsize o compression=lz4";
};
};
};
};
})
cfg.sync
);
}

19
flake/colmena.nix
View file

@ -1,19 +0,0 @@
# https://git.lix.systems/the-distro/infra/src/commit/fbb23bf517206175764f154ddfd304b9ec501f87/colmena.nix
{ lib, ... }: {
options.flake.colmena = lib.mkOption {
type = lib.types.submodule {
freeformType = lib.types.attrsOf (lib.mkOptionType {
name = "NixOS module";
description = "module containing NixOS options and/or config";
descriptionClass = "noun";
check = value: builtins.isAttrs value || builtins.isFunction value || builtins.isPath value;
merge = loc: defs: {
imports = map (def: def.value) defs;
};
});
options.meta = lib.mkOption {
type = lib.types.attrs;
};
};
};
}

6
flake/default.nix
View file

@ -1,6 +0,0 @@
{
imports = [
./backup.nix
./colmena.nix
];
}

67
hive.nix Normal file
View file

@ -0,0 +1,67 @@
let sources = import ./npins;
in {
meta.nixpkgs = sources.nixpkgs;
defaults = { name, nodes, ... }: {
deployment.replaceUnknownProfiles = false;
networking.hostName = name;
nixpkgs.config = {
allowUnfree = true;
packageOverrides = pkgs: {
agenix = (import sources.agenix { inherit pkgs; }).agenix;
nur = (import sources.nur { inherit pkgs; });
vscode-extensions = (import sources.nix-vscode-extensions).extensions.x86_64-linux; # TODO: This should check the host architecture
};
};
home-manager = {
useUserPackages = true;
useGlobalPkgs = true;
};
imports = [
(import "${sources.home-manager}/nixos")
(import "${sources.agenix}/modules/age.nix")
# TODO: npins requires manual intervention to upgrade lix and lix-module (add the tarball URL to sources.json)
# See: https://github.com/andir/npins/issues/47
(import "${sources.lix-module}/module.nix" { lix = sources.lix; })
./pinning.nix
./common/nginx.nix
./common/ssh.nix
./common/sudo.nix
./common/utilities.nix
./common/users
];
};
tohru = { name, nodes, ... }: {
networking.hostId = "31da19c1";
time.timeZone = "Europe/London";
imports = [
./colmena/local.nix
./hosts/tohru/configuration.nix
];
};
yevaud = { name, nodes, ... }: {
networking.hostId = "09673d65";
time.timeZone = "Etc/UTC";
imports = [
./colmena/remote.nix
./hosts/yevaud/configuration.nix
];
};
orm = { name, nodes, ... }: {
networking.hostId = "00000000";
time.timeZone = "Etc/UTC";
imports = [
./colmena/remote.nix
./hosts/orm/configuration.nix
];
};
}

14
home/cli.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, lib, pkgs, ... }:
{
home.packages = with pkgs; [
tree # like `ls -R` but nicer
# Extremely important
fortune
cowsay
lolcat
];
programs.btop.enable = true;
}

6
home/firefox.nix Normal file
View file

@ -0,0 +1,6 @@
{ config, lib, pkgs, ... }:
{
# TODO: nix-ify Firefox config
programs.firefox.enable = true;
}

12
home/git.nix Normal file
View file

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
{
programs.git = {
enable = true;
extraConfig = {
init = {
defaultBranch = "main";
};
};
};
}

25
home/gnome/appearance.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }:
{
dconf = {
enable = true;
settings =
let
backgroundOptions = {
color-shading-type = "solid";
picture-options = "zoom";
picture-uri = "${config.home.homeDirectory}/.background-image";
primary-color = "#3a4ba0";
secondary-color = "#2f302f";
};
in
{
"org/gnome/desktop/background" = backgroundOptions // {
picture-uri-dark = backgroundOptions.picture-uri;
};
"org/gnome/desktop/screensaver" = backgroundOptions;
"org/gnome/desktop/interface".color-scheme = "prefer-dark";
};
};
home.file.".background-image".source = ./background-image.jpg;
}

0
home/qenya/dconf/background-image.jpg → home/gnome/background-image.jpg
View file

Side by side Swipe Overlay

Before

Width:  |  Height:  |  Size: 1.3 MiB

After

Width:  |  Height:  |  Size: 1.3 MiB

Before After
Before After

9
home/gnome/default.nix Normal file
View file

@ -0,0 +1,9 @@
{ config, lib, pkgs, ... }:
{
imports = [
# TODO: nix-ify other parts of GNOME config
./appearance.nix
./keyboard.nix
];
}

15
home/gnome/keyboard.nix Normal file
View file

@ -0,0 +1,15 @@
# { config, lib, pkgs, ... }:
{
dconf = {
enable = true;
settings = {
"org/gnome/desktop/wm/keybindings" = {
# These are largely useless on most normal systems
# and conflict with VS Code's default keybinds for "Copy Line Up/Down"
move-to-workspace-up = [ ];
move-to-workspace-down = [ ];
};
};
};
}

9
home/libreoffice.nix Normal file
View file

@ -0,0 +1,9 @@
{ config, lib, pkgs, ... }:
{
home.packages = with pkgs; [
libreoffice
hunspell
hunspellDicts.en_GB-ise
];
}

1832
home/qenya/.p10k.zsh
View file

File diff suppressed because it is too large Load diff

26
home/qenya/dconf/default.nix
View file

@ -1,26 +0,0 @@
{ config, lib, pkgs, osConfig, ... }:
# dconf is the configuration manager for GNOME.
let
isGnome = osConfig.services.xserver.desktopManager.gnome.enable;
in
{
dconf.enable = isGnome;
dconf.settings = {
"org/gnome/settings-daemon/plugins/color".night-light-enabled = true;
"org/gnome/desktop/sound".event-sounds = false;
"org/gnome/desktop/sound".allow-volume-above-100-percent = true;
"org/gnome/settings-daemon/plugins/power".power-saver-profile-on-low-battery = true;
};
imports = [
./desktop.nix
./keyboard.nix
./mouse-touchpad.nix
./multitasking.nix
./shell.nix
./wellbeing.nix
];
}

23
home/qenya/dconf/desktop.nix
View file

@ -1,23 +0,0 @@
{ config, lib, pkgs, ... }:
let inherit (lib) mkIf;
in {
dconf.settings = {
"org/gnome/desktop/background" = {
picture-options = "zoom";
picture-uri = "${config.home.homeDirectory}/.background-image";
picture-uri-dark = "${config.home.homeDirectory}/.background-image";
};
"org/gnome/desktop/screensaver" = {
picture-options = "zoom";
picture-uri = "${config.home.homeDirectory}/.background-image";
};
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
enable-hot-corners = false;
};
};
home.file.".background-image" = mkIf config.dconf.enable {
source = ./background-image.jpg;
};
}

12
home/qenya/dconf/keyboard.nix
View file

@ -1,12 +0,0 @@
# { config, lib, pkgs, ... }:
{
dconf.settings = {
"org/gnome/desktop/wm/keybindings" = {
# These are largely useless on most normal systems
# and conflict with VS Code's default keybinds for "Copy Line Up/Down"
move-to-workspace-up = [ ];
move-to-workspace-down = [ ];
};
};
}

16
home/qenya/dconf/mouse-touchpad.nix
View file

@ -1,16 +0,0 @@
{ config, lib, pkgs, ... }:
{
dconf.settings = {
"org/gnome/desktop/peripherals/mouse" = {
natural-scroll = false;
};
"org/gnome/desktop/peripherals/touchpad" = {
click-method = "fingers";
disable-while-typing = false;
natural-scroll = true; # the correct option, whatever Janet says
tap-to-click = true;
two-finger-scrolling-enabled = true;
};
};
}

11
home/qenya/dconf/multitasking.nix
View file

@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
{
dconf.settings = {
"org/gnome/mutter" = {
edge-tiling = true;
dynamic-workspaces = true;
workspaces-only-on-primary = true;
};
};
}

26
home/qenya/dconf/shell.nix
View file

@ -1,26 +0,0 @@
{ config, lib, pkgs, ... }:
{
dconf.settings = {
"org/gnome/shell" = {
disable-user-extensions = true;
# TODO: this is fine for now on tohru (the only GNOME system I use) but shouldn't depend on certain apps being installed
favorite-apps = [
"discord.desktop"
"org.gnome.Evolution.desktop"
"firefox.desktop"
"torbrowser.desktop"
"steam.desktop"
"codium.desktop"
"org.gnome.Console.desktop"
"org.gnome.Nautilus.desktop"
"org.gnome.SystemMonitor.desktop"
];
# TODO: fill this out (needs preinstalled stuff removing first)
# app-picker-layout = [
# ...
# ];
};
};
}

19
home/qenya/dconf/wellbeing.nix
View file

@ -1,19 +0,0 @@
{ config, lib, pkgs, ... }:
# These features are cool and I would like to keep trying them, but they are
# horribly bugged in GNOME 48.1. Consider re-enabling them when 48.2 is
# released. See, e.g.:
# https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/8289
# https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/8299
# https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/8305
# https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/8376
# https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/8398
{
dconf.settings = {
# "org/gnome/desktop/screen-time-limits".daily-limit-enabled = true;
# "org/gnome/desktop/break-reminders".selected-breaks = [ "eyesight" "movement" ];
"org/gnome/desktop/screen-time-limits".daily-limit-enabled = false;
"org/gnome/desktop/break-reminders".selected-breaks = [ ];
};
}

16
home/qenya/default.nix
View file

@ -1,16 +0,0 @@
{
imports = [
./dconf
./feishin.nix
./firefox.nix
./fonts.nix
./git.nix
./packages.nix
./tmux.nix
./vscode.nix
./xdg-mime-apps.nix
./zsh.nix
];
home.stateVersion = "23.11";
}

24
home/qenya/feishin.nix
View file

@ -1,24 +0,0 @@
{ config, lib, pkgs, osConfig, ... }:
# Feishin ideally wants to see mpv at runtime, but this isn't catered for by
# the derivation in nixpkgs as it isn't strictly necessary.
# An easier way to do this would be to write mpv's full nix store path to
# Feishin's config. But Feishin has one JSON file for config and state, and
# we'd rather not overwrite the latter. Until and unless home-manager grows
# support for partially patching files, we live with this.
let
inherit (lib) mkIf;
isGraphical = osConfig.services.xserver.enable;
in
{
home.packages = mkIf isGraphical [
(pkgs.feishin.overrideAttrs (originalAttrs: {
buildInputs = originalAttrs.buildInputs ++ [ pkgs.mpv ];
postFixup = ''
${originalAttrs.postFixup or ""}
wrapProgram $out/bin/feishin --prefix PATH : ${lib.makeBinPath [ pkgs.mpv ]}
'';
}))
];
}

59
home/qenya/firefox.nix
View file

@ -1,59 +0,0 @@
{ config, lib, pkgs, osConfig, inputs, ... }:
let
inherit (lib) mkIf;
isGraphical = osConfig.services.xserver.enable;
in
{
programs.firefox = lib.mkIf isGraphical {
enable = true;
languagePacks = [ "en-GB" ];
profiles.default = {
extensions.packages = with inputs.firefox-addons.packages.${pkgs.hostPlatform.system}; [
bitwarden
ublock-origin
];
settings = {
"browser.startup.page" = 3; # resume previous session
"browser.newtabpage.activity-stream.showSponsored" = false;
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
# disable telemetry
"datareporting.healthreport.uploadEnabled" = false;
"app.shield.optoutstudies.enabled" = false;
"browser.crashReports.unsubmittedCheck.autoSubmit2" = false;
# disable prefetch?
# DNS over HTTPS
"network.trr.custom_uri" = "https://base.dns.mullvad.net/dns-query";
"network.trr.excluded-domains" = "detectportal.firefox.com";
"network.trr.mode" = 3;
"network.trr.uri" = "https://base.dns.mullvad.net/dns-query";
"browser.search.suggest.enabled" = false;
"browser.urlbar.suggest.searches" = false;
"dom.security.https_only_mode" = true;
"browser.contentblocking.category" = "strict"; # Enhanced Tracking Protection
# I think these are implied by the above
# "privacy.donottrackheader.enabled" = true;
# "privacy.trackingprotection.enabled" = true;
# "privacy.trackingprotection.emailtracking.enabled" = true;
# "privacy.trackingprotection.socialtracking.enabled" = true;
"privacy.sanitize.sanitizeOnShutdown" = true;
"privacy.clearOnShutdown_v2.historyFormDataAndDownloads" = false;
"dom.private-attribution.submission.enabled" = false; # disable "Privacy-Preserving Attribution for Advertising"
"extensions.autoDisableScopes" = 0; # automatically enable extensions installed through nix
# external password manager
"signon.rememberSignons" = false;
"extensions.formautofill.creditCards.enabled" = false;
};
};
};
}

17
home/qenya/fonts.nix
View file

@ -1,17 +0,0 @@
{ config, lib, pkgs, osConfig, ... }:
let
inherit (lib) mkIf;
isGraphical = osConfig.services.xserver.enable;
in
mkIf isGraphical {
fonts.fontconfig = {
enable = true;
};
home.packages = with pkgs; [
meslo-lgs-nf
];
programs.vscode.profiles.default.userSettings."terminal.integrated.fontFamily" = "MesloLGS NF";
}

14
home/qenya/git.nix
View file

@ -1,14 +0,0 @@
{ config, lib, pkgs, ... }:
{
programs.git = {
enable = true;
userName = "Katherina Walshe-Grey";
userEmail = "git@qenya.tel";
extraConfig = {
init.defaultBranch = "main";
pull.rebase = true;
push.autoSetupRemote = true;
};
};
}

40
home/qenya/packages.nix
View file

@ -1,40 +0,0 @@
{ config, lib, pkgs, osConfig, ... }:
let
inherit (lib) optionals;
isGraphical = osConfig.services.xserver.enable;
isGnome = osConfig.services.xserver.desktopManager.gnome.enable;
isPlasma = osConfig.services.desktopManager.plasma6.enable || osConfig.services.xserver.desktopManager.plasma5.enable;
in
{
home.packages = with pkgs; [
eza # like `ls` but fancier
hexyl # like `xxd` but cooler
ripgrep # like `grep` but faster
tree # like `ls -R` but nicer
units
zip
unzip
# Extremely important
fortune
cowsay
lolcat
] ++ optionals isGraphical [
bitwarden
discord
gimp-with-plugins
jellyfin-media-player
tor-browser-bundle-bin
zoom-us
# libreoffice
libreoffice
hunspell
hunspellDicts.en_GB-ise
] ++ optionals isGnome [
celluloid
] ++ optionals isPlasma [
haruna
];
}

87
home/qenya/vscode.nix
View file

@ -1,87 +0,0 @@
{ config, lib, pkgs, osConfig, ... }:
let
inherit (lib) mkIf mkDefault;
isGraphical = osConfig.services.xserver.enable;
in
{
programs.vscode = mkIf isGraphical {
enable = true;
package = pkgs.vscodium;
mutableExtensionsDir = false;
profiles.default = {
enableExtensionUpdateCheck = false;
enableUpdateCheck = false;
extensions = with pkgs.vscode-extensions; [
charliermarsh.ruff
dbaeumer.vscode-eslint
eamodio.gitlens
golang.go
jdinhlife.gruvbox
jnoortheen.nix-ide
matangover.mypy
mkhl.direnv
ms-python.black-formatter
ms-python.python
rust-lang.rust-analyzer
vadimcn.vscode-lldb
];
userSettings = {
"css.format.spaceAroundSelectorSeparator" = true;
"css.format.newlineBetweenSelectors" = false;
"debug.allowBreakpointsEverywhere" = true;
"extensions.autoUpdate" = false;
"files.insertFinalNewline" = true;
"git.autofetch" = true;
"git.confirmSync" = false;
"git.enableSmartCommit" = true;
"git.inputValidation" = true;
"git.inputValidationSubjectLength" = null;
"javascript.updateImportsOnFileMove.enabled" = "always";
"nix.enableLanguageServer" = true;
"nix.serverPath" = "${pkgs.nil}/bin/nil";
"nix.serverSettings".nil = {
diagnostics.ignored = [ "unused_binding" "unused_with" ];
formatting.command = [ "${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt" ];
nix.flake.autoArchive = true;
};
"rust-analyzer.check.command" = "clippy";
"terminal.integrated.allowChords" = false;
"terminal.integrated.defaultProfile.linux" = "zsh";
"workbench.colorTheme" = "Gruvbox Dark Medium";
"[go]" = {
"editor.defaultFormatter" = "golang.go";
"editor.formatOnSave" = false;
};
"go.alternateTools" = {
"go" = "${pkgs.go}/bin/go";
"golangci-lint" = "${pkgs.golangci-lint}/bin/golangci-lint";
"gopls" = "${pkgs.gopls}/bin/gopls";
"dlv" = "${pkgs.delve}/bin/dlv";
"staticcheck" = "${pkgs.go-tools}/bin/staticcheck";
};
"go.lintTool" = "golangci-lint";
"go.toolsManagement.checkForUpdates" = "off";
"gopls" = {
"formatting.gofumpt" = true;
"ui.semanticTokens" = true;
};
"[python]" = {
"editor.defaultFormatter" = "ms-python.black-formatter";
"editor.formatOnSave" = true;
"editor.codeActionsOnSave" = {
"source.fixAll" = "explicit";
"source.organizeImports" = "explicit";
};
};
"python.createEnvironment.contentButton" = "show";
"python.defaultInterpreterPath" = "${pkgs.python3}/bin/python";
"ruff.nativeServer" = "on";
"ruff.path" = [ "${pkgs.ruff}/bin/ruff" ];
"mypy.dmypyExecutable" = "${pkgs.mypy}/bin/dmypy";
};
};
};
}

21
home/qenya/xdg-mime-apps.nix
View file

@ -1,21 +0,0 @@
{ config, lib, pkgs, osConfig, ... }:
let
isGraphical = osConfig.services.xserver.enable;
in
{
xdg.mimeApps = {
enable = isGraphical;
defaultApplications = {
"application/pdf" = [ "org.gnome.Evince.desktop" "org.kde.okular.desktop" ];
"application/zip" = [ "org.gnome.FileRoller.desktop" "org.kde.ark.desktop" ];
"image/gif" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ];
"image/jpeg" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ];
"image/png" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ];
"text/plain" = [ "org.gnome.TextEditor.desktop" "org.kde.kate.desktop" ];
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/mailto" = "org.gnome.Evolution.desktop"; # TODO: email on KDE - is Kontact any good?
};
};
}

43
home/qenya/zsh.nix
View file

@ -1,43 +0,0 @@
{ config, lib, pkgs, ... }:
{
home.packages = with pkgs; [ direnv ];
programs.zsh = {
enable = true;
enableCompletion = true;
autosuggestion.enable = true;
syntaxHighlighting.enable = true;
dotDir = ".config/zsh";
shellAliases = {
ll = "ls -l";
# don't clobber
mv = "mv -i";
rename = "rename -i";
nix-shell = ''nix-shell --command "zsh"'';
};
history = {
size = 10000;
path = "${config.xdg.dataHome}/zsh/history";
ignorePatterns = [ "rm *" "pkill *" ];
};
oh-my-zsh = {
enable = true;
plugins = [ "git" "sudo" "direnv" ];
theme = ""; # defer to powerlevel10k
};
initContent = ''
source ${pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k/powerlevel10k.zsh-theme
source ${./.p10k.zsh}
'';
envExtra = ''
DEFAULT_USER=qenya
'';
};
}

0
home/qenya/tmux.nix → home/tmux.nix
View file

39
home/vscode.nix Normal file
View file

@ -0,0 +1,39 @@
{ config, lib, pkgs, ... }:
{
programs.vscode = {
enable = true;
enableExtensionUpdateCheck = false;
enableUpdateCheck = false;
package = pkgs.vscodium;
extensions = with pkgs.vscode-extensions; [
open-vsx.jnoortheen.nix-ide
open-vsx.ms-python.python
open-vsx.robbowen.synthwave-vscode
];
mutableExtensionsDir = false;
userSettings = {
"extensions.autoUpdate" = false;
"git.autofetch" = true;
"git.confirmSync" = false;
"git.enableSmartCommit" = true;
"git.inputValidation" = true;
"git.inputValidationSubjectLength" = null;
"javascript.updateImportsOnFileMove.enabled" = "always";
"nix.enableLanguageServer" = true;
"nix.serverPath" = "nil";
"nix.serverSettings".nil = {
diagnostics.ignored = [ "unused_binding" "unused_with" ];
formatting.command = [ "nixpkgs-fmt" ];
};
"terminal.integrated.allowChords" = false;
"workbench.colorTheme" = "SynthWave '84";
};
};
# Language servers etc
home.packages = with pkgs; [
nil
nixpkgs-fmt
];
}

43
hosts/elucredassa/default.nix
View file

@ -1,43 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
let
inherit (lib) mkForce;
in
{
imports = [
./filesystems.nix
./hardware.nix
./networking.nix
];
nixpkgs.hostPlatform = "x86_64-linux";
networking.hostName = "elucredassa";
networking.hostId = "a8ec6755";
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
qenya.base-server.enable = true;
i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "uk";
services.xserver.xkb.layout = "gb";
# These are populated by fountain.backup
randomcat.services.zfs.datasets = {
"rpool_elucredassa/backup" = { mountpoint = "none"; };
"rpool_elucredassa/backup/kalessin" = { mountpoint = "none"; };
"rpool_elucredassa/backup/orm" = { mountpoint = "none"; };
};
qenya.services.distributed-builds = {
enable = true;
keyFile = "/etc/ssh/ssh_host_ed25519_key";
builders = [ "kilgharrah" ];
};
fountain.users.qenya.enable = true;
fountain.admins = [ "qenya" ];
system.stateVersion = "24.11";
}

23
hosts/elucredassa/filesystems.nix
View file

@ -1,23 +0,0 @@
{ config, lib, pkgs, ... }:
{
boot.initrd.luks.devices = {
"luks-rpool-elucredassa".device = "/dev/disk/by-uuid/5ece5b58-c57a-41ae-b086-03707c39c9a7";
};
fileSystems = {
"/" = {
device = "rpool_elucredassa/root";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/2519-E2D6";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
};
swapDevices = [{ device = "/dev/disk/by-uuid/c7c48325-e90d-414d-b579-84cb45616ee9"; }];
boot.supportedFilesystems = [ "ntfs" ]; # for USB drives
}

11
hosts/elucredassa/hardware.nix
View file

@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
{
hardware.enableAllFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
services.fwupd.enable = true;
# this is an old laptop
services.logind.lidSwitch = "ignore";
}

36
hosts/elucredassa/networking.nix
View file

@ -1,36 +0,0 @@
{ config, lib, pkgs, ... }:
{
systemd.network.enable = true;
networking.useDHCP = false;
systemd.network.networks."10-wan" = {
matchConfig.Name = "enp1s0f1";
networkConfig = {
DHCP = "ipv4";
IPv6AcceptRA = true;
Tunnel = "sit-he-ipv6";
};
linkConfig.RequiredForOnline = "routable";
};
systemd.network.netdevs."25-he-ipv6" = {
netdevConfig = {
Name = "sit-he-ipv6";
Kind = "sit";
Description = "Hurricane Electric IPv6 Tunnel";
MTUBytes = 1480;
};
tunnelConfig = {
Remote = "216.66.88.98";
TTL = 255;
};
};
systemd.network.networks."25-he-ipv6" = {
matchConfig.Name = "sit-he-ipv6";
networkConfig.Address = [ "2001:470:1f1c:3e::2/64" ];
routes = [{ Destination = [ "::/0" ]; }];
};
}

52
hosts/kalessin/default.nix
View file

@ -1,52 +0,0 @@
{ config, lib, pkgs, ... }:
let
keys = import ../../keys.nix;
in
{
imports = [
./hardware-configuration.nix
./networking.nix
];
nixpkgs.hostPlatform = "aarch64-linux";
networking.hostName = "kalessin";
networking.hostId = "534b538e";
fountain.users.qenya.enable = true;
fountain.users.randomcat.enable = true;
fountain.users.trungle.enable = true;
fountain.admins = [ "qenya" "randomcat" ];
qenya.base-server.enable = true;
qenya.services.remote-builder = {
enable = true;
authorizedKeys.keys = [ ];
};
randomcat.services.zfs.datasets = {
"rpool_kalessin/state" = { mountpoint = "none"; };
"rpool_kalessin/state/headscale" = { mountpoint = "/var/lib/headscale"; };
"rpool_kalessin/state/owncast" = { mountpoint = "/var/lib/owncast"; };
};
services.sanoid.datasets."rpool_kalessin/state" = {
useTemplate = [ "production" ];
recursive = "zfs";
};
qenya.services.owncast = {
enable = true;
domain = "live.qenya.tel";
dataDir = "/var/lib/owncast";
};
qenya.services.headscale = {
enable = true;
domain = "headscale.unspecified.systems";
dataDir = "/var/lib/headscale";
};
system.stateVersion = "23.11";
}

38
hosts/kalessin/hardware-configuration.nix
View file

@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "rpool_kalessin/root";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "rpool_kalessin/nix";
fsType = "zfs";
};
fileSystems."/var" =
{ device = "rpool_kalessin/var";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2ADE-A033";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
}

6
hosts/kalessin/networking.nix
View file

@ -1,6 +0,0 @@
{ config, lib, pkgs, ... }:
{
networking.useNetworkd = true;
networking.interfaces.enp0s6.useDHCP = true;
}

8
hosts/kilgharrah/backup.nix
View file

@ -1,8 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.sanoid.datasets."rpool_albion/state" = {
useTemplate = [ "production" ];
recursive = "zfs";
};
}

66
hosts/kilgharrah/default.nix
View file

@ -1,66 +0,0 @@
{ config, lib, pkgs, ... }:
let
keys = import ../../keys.nix;
in
{
imports = [
./backup.nix
./filesystems.nix
./hardware.nix
./networking.nix
./plasma.nix
./ftp.nix
];
nixpkgs.hostPlatform = "x86_64-linux";
networking.hostName = "kilgharrah";
networking.hostId = "72885bb5";
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
qenya.base-graphical.enable = true;
time.timeZone = "Europe/London";
i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "uk";
services.xserver.xkb.layout = "gb";
fountain.users.qenya.enable = true;
age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age;
users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path;
fountain.admins = [ "qenya" ];
home-manager.users.qenya = { pkgs, ... }: {
home.packages = with pkgs; [ obs-studio ];
};
qenya.services.remote-builder = {
enable = true;
authorizedKeys.keys = [
keys.machines.yevaud
keys.machines.orm
keys.machines.tohru
keys.machines.elucredassa
];
};
programs.steam.enable = true;
qenya.services.audiobookshelf = {
enable = true;
domain = "audiobookshelf.qenya.tel";
};
qenya.services.jellyfin = {
enable = true;
domain = "jellyfin.qenya.tel";
};
qenya.services.navidrome = {
enable = true;
domain = "music.qenya.tel";
dataDir = "/srv/music";
};
system.stateVersion = "24.05";
}

93
hosts/kilgharrah/filesystems.nix
View file

@ -1,93 +0,0 @@
{ config, lib, pkgs, ... }:
{
# SSD on board
boot.initrd.luks.devices = {
"cryptroot".device = "/dev/disk/by-uuid/b414aaba-0a36-4135-a7e1-dc9489286acd";
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
fsType = "btrfs";
options = [ "subvol=@" "compress=zstd" ];
};
"/home" = {
device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
fsType = "btrfs";
options = [ "subvol=@home" "compress=zstd" ];
};
"/nix" = {
device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
fsType = "btrfs";
options = [ "subvol=@nix" "compress=zstd" "noatime" ];
};
"/swap" = {
device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
fsType = "btrfs";
options = [ "subvol=@swap" "noatime" ];
};
"/root" = {
device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
fsType = "btrfs";
options = [ "subvol=@root" "compress=zstd" ];
};
"/srv" = {
device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
fsType = "btrfs";
options = [ "subvol=@srv" "compress=zstd" ];
};
"/var/cache" = {
device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
fsType = "btrfs";
options = [ "subvol=@cache" "compress=zstd" "noatime" ];
};
"/var/tmp" = {
device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
fsType = "btrfs";
options = [ "subvol=@tmp" "compress=zstd" "noatime" ];
};
"/var/log" = {
device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
fsType = "btrfs";
options = [ "subvol=@log" "compress=zstd" "noatime" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/9582-E78D";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
};
swapDevices = [{
device = "/swap/swapfile";
size = 32 * 1024;
}];
# HDD in bay
environment.etc.crypttab.text = ''
albion UUID=8a924f24-9b65-4f05-aeda-5b4080cc7aa1 /root/luks-albion.key
'';
randomcat.services.zfs.datasets = {
"rpool_albion/data" = { mountpoint = "none"; };
"rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; };
"rpool_albion/state" = { mountpoint = "none"; };
"rpool_albion/state/audiobookshelf" = { mountpoint = "/var/lib/audiobookshelf"; };
"rpool_albion/state/jellyfin" = { mountpoint = "/var/lib/jellyfin"; };
"rpool_albion/state/navidrome" = { mountpoint = "/var/lib/navidrome"; };
"rpool_albion/srv" = { mountpoint = "none"; };
"rpool_albion/srv/audiobookshelf" = { mountpoint = "/srv/audiobookshelf"; };
"rpool_albion/srv/ftp" = { mountpoint = "/srv/ftp"; };
"rpool_albion/srv/jellyfin" = { mountpoint = "/srv/jellyfin"; };
"rpool_albion/srv/music" = { mountpoint = "/srv/music"; };
};
# Other
boot.supportedFilesystems = [ "ntfs" "zfs" ];
}

70
hosts/kilgharrah/ftp.nix
View file

@ -1,70 +0,0 @@
{ config, lib, pkgs, ... }:
{
age.secrets.ftp-userDb-qenya = {
# To update this, see the nixos docs for services.vsftpd.userDbPath. Note
# that the command it gives to create a userDb, if applied to an *existing*
# userDb, will *add* the entries from the source file, overwriting any
# entries with the same username but leaving other existing entries intact.
# Also note the database format does not salt hashes.
file = ../../secrets/ftp-userDb-qenya.age;
# we have to specify this manually because pam_userdb strips the extension
path = "/etc/vsftpd/userDb.db";
};
services.vsftpd = {
enable = true;
localUsers = true;
forceLocalLoginsSSL = true;
forceLocalDataSSL = true;
rsaCertFile = "${config.security.acme.certs."ftp.qenya.tel".directory}/fullchain.pem";
rsaKeyFile = "${config.security.acme.certs."ftp.qenya.tel".directory}/key.pem";
enableVirtualUsers = true;
userlistDeny = false; # turn userlist from a denylist into an allowlist
userlist = [ "qenya" ]; # this is just a list of the users in the userDb
userDbPath = "/etc/vsftpd/userDb";
localRoot = "/srv/ftp";
extraConfig = ''
# nothing in the default cipher suite is enabled in modern ssl clients!
ssl_ciphers=HIGH
# set this to something firewallable
pasv_min_port=51000
pasv_max_port=51099
# don't bother with upgrading to TLS, just listen on FTPS only
implicit_ssl=YES
listen_port=990
'';
};
services.nginx = {
enable = true;
virtualHosts = {
"ftp.qenya.tel" = {
forceSSL = true;
useACMEHost = "ftp.qenya.tel";
locations."/".return = "503";
};
};
};
security.acme.certs = {
"ftp.qenya.tel" = {
webroot = "/var/lib/acme/acme-challenge";
group = "acme_ftp.qenya.tel";
};
};
users.groups."acme_ftp.qenya.tel".members = [
"vsftpd" # not configurable in the vsftpd nixos module
config.services.nginx.group
];
networking.firewall.allowedTCPPorts = [ 990 80 443 ];
networking.firewall.allowedTCPPortRanges = [{ from = 51000; to = 51099; }];
}

51
hosts/kilgharrah/hardware.nix
View file

@ -1,51 +0,0 @@
{ config, lib, pkgs, ... }:
{
hardware.enableAllFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
services.fwupd.enable = true;
services.xserver.videoDrivers = [ "nvidia" ];
hardware.nvidia.open = false;
# # Downgrade to driver version 535 as 550 has problems with Wayland
# hardware.nvidia.package =
# let
# rcu_patch = pkgs.fetchpatch {
# url = "https://github.com/gentoo/gentoo/raw/c64caf53/x11-drivers/nvidia-drivers/files/nvidia-drivers-470.223.02-gpl-pfn_valid.patch";
# hash = "sha256-eZiQQp2S/asE7MfGvfe6dA/kdCvek9SYa/FFGp24dVg=";
# };
# in
# config.boot.kernelPackages.nvidiaPackages.mkDriver {
# version = "535.154.05";
# sha256_64bit = "sha256-fpUGXKprgt6SYRDxSCemGXLrEsIA6GOinp+0eGbqqJg=";
# sha256_aarch64 = "sha256-G0/GiObf/BZMkzzET8HQjdIcvCSqB1uhsinro2HLK9k=";
# openSha256 = "sha256-wvRdHguGLxS0mR06P5Qi++pDJBCF8pJ8hr4T8O6TJIo=";
# settingsSha256 = "sha256-9wqoDEWY4I7weWW05F4igj1Gj9wjHsREFMztfEmqm10=";
# persistencedSha256 = "sha256-d0Q3Lk80JqkS1B54Mahu2yY/WocOqFFbZVBh+ToGhaE=";
# patches = [ rcu_patch ];
# };
services.printing.drivers = [ pkgs.hplip ];
# enable playing from bluray drive
boot.kernelModules = [ "sg" ];
environment.systemPackages = [
((pkgs.vlc.override {
libbluray = (pkgs.libbluray.override {
withJava = true;
withAACS = true;
withBDplus = true;
});
}).overrideAttrs (originalAttrs: {
buildInputs = originalAttrs.buildInputs ++ [ pkgs.libdvdcss ];
# TODO: nixpkgs bug: libbluray needs patching to look at the nix store path of jdk17 when searching for a jdk
# as a workaround, wrap vlc and set JAVA_HOME, which it uses instead of searching when specified
nativeBuildInputs = originalAttrs.nativeBuildInputs ++ [ pkgs.makeWrapper ];
postFixup = ''
${originalAttrs.postFixup or ""}
wrapProgram $out/bin/vlc --set JAVA_HOME ${pkgs.jdk17.home}
'';
}))
];
}

15
hosts/kilgharrah/networking.nix
View file

@ -1,15 +0,0 @@
{ config, lib, pkgs, ... }:
{
systemd.network.enable = true;
networking.useDHCP = false;
systemd.network.networks."10-wan" = {
matchConfig.Name = "enp2s0";
networkConfig = {
DHCP = "ipv4";
IPv6AcceptRA = true;
};
linkConfig.RequiredForOnline = "routable";
};
}

109
hosts/kilgharrah/plasma.nix
View file

@ -1,109 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
let
inherit (lib) mkForce;
in
{
services.xserver.displayManager.gdm.enable = mkForce false;
services.xserver.desktopManager.gnome.enable = mkForce false;
services.displayManager.sddm.enable = true;
services.displayManager.sddm.wayland.enable = true;
services.desktopManager.plasma6.enable = true;
environment.systemPackages = with pkgs; [
(catppuccin-kde.override {
flavour = [ "mocha" ];
accents = [ "mauve" ];
winDecStyles = [ "modern" ];
})
];
home-manager.users.qenya = { pkgs, ... }: {
imports = [
inputs.plasma-manager.homeManagerModules.plasma-manager
];
programs.plasma = {
enable = true;
overrideConfig = true;
workspace = {
lookAndFeel = "Catppuccin-Mocha-Mauve";
colorScheme = "CatppuccinMochaMauve";
splashScreen.engine = "KSplashQML";
splashScreen.theme = "Catppuccin-Mocha-Mauve";
windowDecorations.library = "org.kde.kwin.aurorae";
windowDecorations.theme = "__aurorae__svg__CatppuccinMocha-Modern";
};
# For the moment, this hosts some network-accessible services, so we want it on 24/7
powerdevil.AC.autoSuspend.action = "nothing";
panels = [
# Dock
{
height = 49; # 41 * 1.2
lengthMode = "fit";
location = "bottom";
alignment = "center";
hiding = "dodgewindows";
widgets = [{
name = "org.kde.plasma.icontasks";
config.General = {
fill = false;
iconSpacing = 2;
launchers = lib.concatStringsSep "," [
"applications:firefox.desktop"
"applications:codium.desktop"
"applications:steam.desktop"
"applications:discord.desktop"
"applications:com.obsproject.Studio.desktop"
"applications:org.kde.dolphin.desktop"
"applications:org.kde.konsole.desktop"
"applications:org.kde.plasma-systemmonitor.desktop"
];
maxStripes = 1;
showOnlyCurrentDesktop = false;
showOnlyCurrentScreen = false;
};
}];
screen = "all";
}
# Top bar
{
height = 29; # 24 * 1.2
location = "top";
alignment = "left";
floating = false;
widgets = [
{
name = "org.kde.plasma.kickoff";
config.General = {
lengthFirstMargin = 7;
};
}
{ name = "org.kde.plasma.panelspacer"; }
{
name = "org.kde.plasma.digitalclock";
config.Appearance = {
autoFontAndSize = false;
customDateFormat = "dddd, d MMM";
dateDisplayFormat = "BesideTime";
dateFormat = "custom";
fontFamily = "Inter";
fontStyleName = "Bold";
fontWeight = 700;
boldText = true;
showWeekNumbers = true;
};
}
{ name = "org.kde.plasma.panelspacer"; }
{ name = "org.kde.plasma.systemtray"; }
];
screen = "all";
}
];
};
};
}

13
hosts/orm/configuration.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./home.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
system.stateVersion = "23.11";
}

69
hosts/orm/default.nix
View file

@ -1,69 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./networking.nix
];
nixpkgs.hostPlatform = "x86_64-linux";
networking.hostName = "orm";
networking.hostId = "00000000";
fountain.users.qenya.enable = true;
fountain.admins = [ "qenya" ];
qenya.base-server.enable = true;
qenya.services.distributed-builds = {
enable = true;
keyFile = "/etc/ssh/ssh_host_ed25519_key";
builders = [ "kilgharrah" ];
};
nix.settings.max-jobs = 0;
randomcat.services.zfs.datasets = {
"rpool_orm/state" = { mountpoint = "none"; };
"rpool_orm/state/actual" = { mountpoint = "/var/lib/private/actual"; };
"rpool_orm/state/postgresql" = { mountpoint = "/var/lib/postgresql"; };
};
services.sanoid.datasets."rpool_orm/state" = {
useTemplate = [ "production" ];
recursive = "zfs";
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_17;
dataDir = "/var/lib/postgresql/17";
# managing imperatively instead of using ensureDatabases/ensureUsers
enableTCPIP = true;
settings = {
port = 5432;
# TODO: fix SSL
# ssl = true;
};
# only allow remote connections from within Tailscale
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust # used by nixos for local monitoring
host sameuser all 100.64.0.0/10 scram-sha-256
host sameuser all fd7a:115c:a1e0::/48 scram-sha-256
'';
};
networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 5432 ];
qenya.services.actual = {
enable = true;
domain = "actual.unspecified.systems";
};
fountain.services.web-redirect = {
enable = true;
domains = {
"actual.qenya.tel" = "actual.unspecified.systems";
};
};
system.stateVersion = "23.11";
}

9
hosts/orm/hardware-configuration.nix
View file

@ -37,4 +37,13 @@
swapDevices =
[ { device = "/dev/disk/by-uuid/a0ac8f60-25f9-4dec-af70-e3f4cd36c575"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

12
hosts/orm/home.nix Normal file
View file

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
{
home-manager.users.qenya = { pkgs, ... }: {
imports = [
../../home/cli.nix
../../home/git.nix
];
home.stateVersion = "23.11";
};
}

6
hosts/orm/networking.nix
View file

@ -1,6 +0,0 @@
{ config, lib, pkgs, ... }:
{
networking.useNetworkd = true;
networking.interfaces.ens3.useDHCP = true;
}

11
hosts/shaw/home.nix
View file

@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.syncthing = {
enable = true;
extraOptions = [
"--gui-address=:8385"
"--home=/home/qenya/state/syncthing"
];
};
}

19
hosts/tehanu/default.nix
View file

@ -1,19 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./networking.nix
];
nixpkgs.hostPlatform = "aarch64-linux";
networking.hostName = "tehanu";
networking.hostId = "8e1185ab";
fountain.users.qenya.enable = true;
fountain.admins = [ "qenya" ];
qenya.base-server.enable = true;
system.stateVersion = "23.11";
}

38
hosts/tehanu/hardware-configuration.nix
View file

@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "rpool_tehanu/root";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "rpool_tehanu/nix";
fsType = "zfs";
};
fileSystems."/var" =
{ device = "rpool_tehanu/var";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/629B-BA09";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
}

6
hosts/tehanu/networking.nix
View file

@ -1,6 +0,0 @@
{ config, lib, pkgs, ... }:
{
networking.useNetworkd = true;
networking.interfaces.enp0s6.useDHCP = true;
}

45
hosts/tohru/configuration.nix Normal file
View file

@ -0,0 +1,45 @@
{ config, lib, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
./home.nix
../../common/fonts.nix
../../common/steam.nix
./syncthing.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.systemd-boot.editor = false;
networking.networkmanager.enable = true;
i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "uk";
services.xserver.enable = true;
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.xkb.layout = "gb";
services.printing.enable = true;
sound.enable = true;
hardware.pulseaudio.enable = true;
# USB drives
boot.supportedFilesystems = [ "ntfs" ];
hardware.enableAllFirmware = true;
services.fwupd.enable = true;
services.fstrim.enable = true;
boot.initrd.luks.devices = {
"rpool".device = "/dev/nvme0n1p2";
};
system.stateVersion = "23.11";
}

69
hosts/tohru/default.nix
View file

@ -1,69 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
let
inherit (lib) mkForce;
in
{
imports = [
./filesystems.nix
./hardware.nix
./networking.nix
./syncthing.nix
];
nixpkgs.hostPlatform = "x86_64-linux";
networking.hostName = "tohru";
networking.hostId = "31da19c1";
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
qenya.base-graphical.enable = true;
time.timeZone = "Europe/London";
i18n.defaultLocale = "en_GB.UTF-8";
console.keyMap = "uk";
services.xserver.xkb.layout = "gb";
# tohru does not have the resources to run this under other load and is generally powered off when not in use.
# instead, just run `nix-store --optimise` every so often.
nix.optimise.automatic = mkForce false;
fountain.users.qenya.enable = true;
fountain.admins = [ "qenya" ];
age.secrets.user-password-tohru-qenya.file = ../../secrets/user-password-tohru-qenya.age;
users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-tohru-qenya.path;
users.users.qenya.extraGroups = [
"networkmanager" # UI wifi configuration
"dialout" # access to serial ports
];
nixpkgs.overlays = [ inputs.scoutshonour.overlays.default ];
home-manager.users.qenya = { pkgs, ... }: {
home.packages = with pkgs; [
keepassxc
apostrophe
foliate
nicotine-plus
tuba
# games
openttd
prismlauncher
scoutshonour.digital-a-love-story
scoutshonour.dont-take-it-personally-babe
];
};
qenya.services.distributed-builds = {
enable = true;
keyFile = "/etc/ssh/ssh_host_ed25519_key";
builders = [ "kilgharrah" ];
};
programs.evolution.enable = true; # not in home-manager yet; not declaratively configurable yet
programs.steam.enable = true;
system.stateVersion = "23.11";
}

51
hosts/tohru/filesystems.nix
View file

@ -1,51 +0,0 @@
{ config, lib, pkgs, ... }:
{
boot.initrd.luks.devices = {
"rpool".device = "/dev/nvme0n1p2";
};
boot.supportedFilesystems = [ "ntfs" ]; # for USB drives
fileSystems = {
"/" = {
device = "rpool/root";
fsType = "zfs";
};
"/nix" = {
device = "rpool/nix";
fsType = "zfs";
};
"/var" = {
device = "rpool/var";
fsType = "zfs";
};
"/config" = {
device = "rpool/config";
fsType = "zfs";
};
"/home" = {
device = "rpool/home";
fsType = "zfs";
};
"/data" = {
device = "rpool/data";
fsType = "zfs";
};
"/data/syncthing" = {
device = "rpool/data/syncthing";
fsType = "zfs";
};
"/data/steam" = {
device = "rpool/data/steam";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/7DD4-487E";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
};
swapDevices = [{ device = "/dev/disk/by-uuid/a066313e-2467-4e07-ad0c-aeb7ff3f8d97"; }];
}

76
hosts/tohru/hardware-configuration.nix Normal file
View file

@ -0,0 +1,76 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "rpool/root";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "rpool/nix";
fsType = "zfs";
};
fileSystems."/var" =
{ device = "rpool/var";
fsType = "zfs";
};
fileSystems."/config" =
{ device = "rpool/config";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "rpool/home";
fsType = "zfs";
};
fileSystems."/data" =
{ device = "rpool/data";
fsType = "zfs";
};
fileSystems."/data/syncthing" =
{ device = "rpool/data/syncthing";
fsType = "zfs";
};
fileSystems."/data/steam" =
{ device = "rpool/data/steam";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/7DD4-487E";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/a066313e-2467-4e07-ad0c-aeb7ff3f8d97"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

10
hosts/tohru/hardware.nix
View file

@ -1,10 +0,0 @@
{ config, lib, pkgs, ... }:
{
hardware.enableAllFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
services.fwupd.enable = true;
services.printing.drivers = [ pkgs.hplip ];
}

31
hosts/tohru/home.nix Normal file
View file

@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }:
{
home-manager.users.qenya = { pkgs, ... }: {
imports = [
../../home/cli.nix
../../home/firefox.nix
../../home/git.nix
../../home/gnome
../../home/libreoffice.nix
../../home/vscode.nix
];
home.packages = (with pkgs; [
bitwarden
discord
foliate
gimp-with-plugins
keepassxc
openttd
thunderbird
tor-browser-bundle-bin
]) ++ (with pkgs.nur.repos.qenya; [
digital-a-love-story
dont-take-it-personally-babe
]);
programs.chromium.enable = true;
home.stateVersion = "23.11";
};
}

8
hosts/tohru/networking.nix
View file

@ -1,8 +0,0 @@
{ config, lib, pkgs, ... }:
{
networking.useNetworkd = true;
systemd.network.wait-online.enable = false;
networking.networkmanager.enable = true;
}

31
hosts/tohru/syncthing.nix
View file

@ -11,41 +11,12 @@
settings = {
devices = {
"kilgharrah" = { id = "RDT7IGD-76FZ6LY-37PPB2W-DWPQRPR-LZ4AXF7-4GIIHYJ-RVXUUSG-ZXPN3AZ"; };
"latias" = { id = "EN4W2SB-LB4AAZQ-6AQIE7G-S3BSCSP-V2EUNMM-KAQEHW3-PPAPGBO-PXRPWAL"; };
"shaw" = { id = "NC7WMZS-GQETJYR-IAYGD65-GHTSTVP-VAAG43K-W7N3LO5-C5OQMZ2-DTK6YA7"; };
};
folders = {
"Sync" = {
id = "uln2v-zwzwj";
path = "~/Sync";
devices = [ "kilgharrah" "shaw" ];
};
"Documents" = {
id = "alp59-7gs9s";
path = "~/Documents";
devices = [ "kilgharrah" "shaw" ];
};
"Music" = {
id = "7xvkf-y62s7";
path = "~/Music";
devices = [ "kilgharrah" "shaw" ];
};
"Pictures" = {
id = "tbmhx-ep7wk";
path = "~/Pictures";
devices = [ "kilgharrah" "shaw" ];
};
"ES-DE" = {
id = "c1cbh-llw94";
path = "~/ES-DE";
devices = [ "kilgharrah" "latias" "shaw" ];
};
"ROMs" = {
id = "dcze4-v6act";
path = "~/ROMs";
devices = [ "kilgharrah" "latias" "shaw" ];
devices = [ "kilgharrah" ];
};
};
};

15
hosts/yevaud/configuration.nix Normal file
View file

@ -0,0 +1,15 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./home.nix
./forgejo.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
system.stateVersion = "23.11";
}

49
hosts/yevaud/default.nix
View file

@ -1,49 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./networking.nix
./experiments/pennykettle.nix
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
networking.hostName = "yevaud";
networking.hostId = "09673d65";
fountain.users.qenya.enable = true;
fountain.admins = [ "qenya" ];
qenya.base-server.enable = true;
qenya.services.distributed-builds = {
enable = true;
keyFile = "/etc/ssh/ssh_host_ed25519_key";
builders = [ "kilgharrah" ];
};
nix.settings.max-jobs = 0;
randomcat.services.zfs.datasets = {
"rpool/state" = { mountpoint = "none"; };
"rpool/state/forgejo" = { mountpoint = "/var/lib/forgejo"; };
};
services.sanoid.datasets."rpool/state" = {
useTemplate = [ "production" ];
recursive = "zfs";
};
qenya.services.forgejo = {
enable = true;
domain = "git.unspecified.systems";
};
fountain.services.web-redirect = {
enable = true;
domains = {
"git.katherina.rocks" = "git.unspecified.systems";
"git.qenya.tel" = "git.unspecified.systems";
};
};
system.stateVersion = "23.11";
}

66
hosts/yevaud/experiments/pennykettle.nix
View file

@ -1,66 +0,0 @@
{ config, lib, pkgs, ... }:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
networking.firewall.interfaces."tailscale0".allowedTCPPorts = config.networking.firewall.allowedTCPPorts ++ [ 1080 ];
environment.systemPackages = [ pkgs.wireguard-tools ];
networking.wireguard.interfaces."wg-protonvpn" = {
ips = [ "10.2.0.2/32" ];
peers = [{
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "217.138.216.162:51820";
publicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s=";
}];
privateKeyFile = config.age.secrets.protonvpn-pennykettle1.path;
listenPort = 51820;
table = "957851094"; # randomly generated
};
networking.localCommands = ''
ip rule add from 10.2.0.2/32 table 957851094
'';
networking.firewall.checkReversePath = "loose";
age.secrets.protonvpn-pennykettle1 = {
file = ../../../secrets/protonvpn-pennykettle1.age;
owner = "root";
group = "systemd-network";
mode = "640";
};
services.dante = {
enable = true;
config = ''
debug: 2
internal: tailscale0
external: wg-protonvpn
# auth/tls handled by tailscale
clientmethod: none
socksmethod: none
# allow connections from tailscale
# "0/0" matches any v4 or v6 address
client pass {
from: 100.64.0.0/10 to: 0/0
log: error connect disconnect
}
client pass {
from: fd7a:115c:a1e0::/48 to: 0/0
log: error connect disconnect
}
socks pass {
from: 0/0 to: 0/0
protocol: tcp udp
log: error connect disconnect iooperation
}
'';
};
systemd.services.dante = {
wants = [ "tailscaled-autoconnect.service" ];
after = [ "tailscaled-autoconnect.service" ];
};
}

49
hosts/yevaud/forgejo.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
{
# TODO: email out
# TODO: interface customisation
services = {
nginx = {
enable = true;
virtualHosts = {
"git.qenya.tel" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://[::1]:3000/";
};
"git.katherina.rocks" = {
forceSSL = true;
enableACME = true;
locations."/".return = "301 https://git.qenya.tel$request_uri";
};
};
};
forgejo = {
enable = true;
stateDir = "/data/forgejo";
settings = {
DEFAULT.APP_NAME = "git.qenya.tel";
cache = {
ADAPTER = "twoqueue";
HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}'';
};
database = {
DB_TYPE = "sqlite3";
SQLITE_JOURNAL_MODE = "WAL";
};
security.LOGIN_REMEMBER_DAYS = 365;
server = {
DOMAIN = "git.qenya.tel";
HTTP_PORT = 3000;
ROOT_URL = "https://git.qenya.tel/";
};
service.DISABLE_REGISTRATION = true;
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

14
hosts/yevaud/hardware-configuration.nix
View file

@ -28,6 +28,11 @@
fsType = "zfs";
};
fileSystems."/data/forgejo" =
{ device = "rpool/forgejo";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/107D-5AB3";
fsType = "vfat";
@ -37,4 +42,13 @@
swapDevices =
[ { device = "/dev/disk/by-uuid/f8b6eb35-33ad-4e19-bf3d-cac5ec38a8dc"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

13
hosts/yevaud/home.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, lib, pkgs, ... }:
{
home-manager.users.qenya = { pkgs, ... }: {
imports = [
../../home/cli.nix
../../home/git.nix
../../home/tmux.nix
];
home.stateVersion = "23.11";
};
}

5
hosts/yevaud/networking.nix
View file

@ -1,5 +0,0 @@
{ config, lib, pkgs, ... }:
{
networking.interfaces.ens3.useDHCP = true;
}

17
keys.nix
View file

@ -1,34 +1,19 @@
{
machines = {
reese = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd0qGxvcMLDwX1bqYpwOUL5c/CIgBllMFr+bGkwiwAn root@reese";
bear = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZ9Kn1CIcDHaleKHf7zO6O30Rbxs/FwL0/Ie+mEjZJr root@bear";
shaw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMC0AomCZZiUV/BCpImiV4p/vGvFaz5QNc+fJLXmS5p root@shaw";
groves = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQNZ/Q+x7mDYfYXftpZpWkfPByyMBbYmVFobM4vSDW2 root@groves";
tohru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru";
yevaud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T root@yevaud";
orm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc9rkcdOVWozBFj3kLVnSyUQQbyyH+UG+bLawanQkRQ root@orm";
kalessin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPt3iSSmgnlsv1/jafgZgI7o8UuXzcAL45hID2ThfS8 root@kalessin";
tehanu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1fNylfLo7Z8m/DroRlj7cHMLhYL7boP3r/upVrtMJQ root@tehanu";
kilgharrah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah";
elucredassa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+Y/vqGNc1wXUAg4XMAAcLupkggywj2LpYDwA16ONbH root@elucredassa";
carter = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHHHYG6A995Po05+JXQsvB79ZoIiSOJnW6AiJgVYPic root@carter";
};
users = {
qenya = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjBuuxo+w3yED0aPnsNb8S90p/GgBqFEG9K4ETZ5Wkq qenya@kilgharrah"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on qenya@tohru"
];
randomcat = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHagOaeTR+/7FL9sErciMw30cmV/VW8HU7J3ZFU5nj9 janet@randomcat.org"
];
trungle = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA57legzdIcYTVVri4Wc0CvgWefbRhmUqhu0F/5f8FB reuben@glenda-artix"
richard = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHAuYWPfYVKdjBY/gBMt2n11Seb+hMqjui1PQ6C4ph8i richard@tress"
];
gaelan = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFbDvPKnPXe+58QgdgK8yZ3Ac9dkJdtHJ3pQwWhszM7McwCzCEO/b940K0orLjfeUruC+hGJZO8heIh0J6JwSK907aS2wpHofU9q7bMT0PYeuHrSb2iFrOFIkTIWpO8hnWad8TGKOlOdNTKEdB9zwxXEKTFb9QW1Z27Zql79W44jUvaOTb7gKUps37O77lHEJDModaRsXS2523pSbrTZKDwZ73+S0ECeNUwwzLUyOOUHfENEXnM18hWm8mV0iU7kxFcmS33z9rWlWPNiCXnBnSi5LPgBarYOAqQf56f9OisafKqvc3uX+yn0kGCDWglVGUkbhfSIP9+w+yv/h/NJWIJlJC92ndbktAqAQW4gb7lXYxpbdoWcmqEy97q0e2vyBdhcVXwZ+0q+U8I74m8trq36ieHDtLKYkiFBX6zvrLP4I5OZU+EecdV2HcMoU8HNa5u1mvG+oHaEgkR70a5cQtrPzWLS/OMLqvWL39vO7RNskzwWCSuWScxDGitr+BunRRbL4aKNkkPjdDlIqb/SfSrFikOo75f5Ku4I32nbM7SNpIjA4cHe50rx1UB8lT+RwHdxL99OdoxIPCe6OLA5uT8VGPXkvqd/ZIFOL2HaM+uPLaYbjwLrHlwSOLgGbehmsSD369EXv6NAc5wbzsSLJQhJ66d5unnzGjn4dRt9sbDw== gbs@canishe.com"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHId+2dJYiZK++p8lu9Bax0J29JjeuU4qcIBdLwEz3lm gbs@canishe.com"
];
};
}

Some files were not shown because too many files have changed in this diff Show more