baduhai/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: baduhai:master
Branches Tags
baduhai:master
baduhai:dendritic-light
baduhai:dendritic
baduhai:terranix
baduhai:refactor
baduhai:dms
baduhai:vim
baduhai:ansible
baduhai:niri
baduhai:hyprland
..
compare: baduhai:dendritic
Branches Tags
baduhai:master
baduhai:dendritic-light
baduhai:dendritic
baduhai:terranix
baduhai:refactor
baduhai:dms
baduhai:vim
baduhai:ansible
baduhai:niri
baduhai:hyprland

1 commit
master ... dendritic

Author SHA1 Message Date
William
1a586c2d90 I tried going all in on dendritic, but I think I'm gonna go for a lighter approach 2026-02-05 22:07:51 -03:00
98 changed files with 747 additions and 4349 deletions
Download patch file Download diff file Expand all files Collapse all files

34
aspects/ai.nix
View file

@ -1,34 +0,0 @@
{ ... }:
{
flake.modules = {
nixos.ai =
{ inputs, pkgs, ... }:
{
environment.systemPackages =
(with pkgs; [ ])
++ (with inputs.nix-ai-tools.packages.${pkgs.stdenv.hostPlatform.system}; [
ccusage-opencode
opencode
]);
nix.settings = {
extra-substituters = [ "https://cache.numtide.com" ];
extra-trusted-public-keys = [
"niks3.numtide.com-1:DTx8wZduET09hRmMtKdQDxNNthLQETkc/yaX7M4qK0g="
];
};
};
homeManager.ai =
{ inputs, pkgs, ... }:
{
programs.opencode = {
enable = true;
package = inputs.nix-ai-tools.packages.${pkgs.stdenv.hostPlatform.system}.opencode;
settings = {
theme = "system";
autoupdate = false;
};
};
};
};
}

16
aspects/base/bash.nix
View file

@ -1,16 +0,0 @@
{ ... }:
{
flake.modules.homeManager.bash =
{
config,
lib,
pkgs,
...
}:
{
programs.bash = {
enable = true;
historyFile = "~/.cache/bash_history";
};
};
}

23
aspects/base/boot.nix
View file

@ -1,23 +0,0 @@
{ ... }:
{
flake.modules.nixos.boot =
{ pkgs, ... }:
{
boot = {
loader = {
timeout = 1;
efi.canTouchEfiVariables = true;
systemd-boot = {
enable = true;
editor = false;
consoleMode = "max";
sortKey = "aa";
netbootxyz = {
enable = true;
sortKey = "zz";
};
};
};
};
};
}

11
aspects/base/console.nix
View file

@ -1,11 +0,0 @@
{ ... }:
{
flake.modules.nixos.console =
{ ... }:
{
console = {
useXkbConfig = true;
earlySetup = true;
};
};
}

11
aspects/base/firewall.nix
View file

@ -1,11 +0,0 @@
{ ... }:
{
flake.modules.nixos.firewall =
{ ... }:
{
networking = {
firewall.enable = true;
nftables.enable = true;
};
};
}

47
aspects/base/fish.nix
View file

@ -1,47 +0,0 @@
{ ... }:
{
flake.modules = {
nixos.fish =
{ ... }:
{
programs.fish.enable = true;
};
homeManager.fish =
{
config,
lib,
pkgs,
...
}:
{
programs.fish = {
enable = true;
interactiveShellInit = ''
set fish_greeting
${lib.getExe pkgs.nix-your-shell} fish | source
'';
loginShellInit = "${lib.getExe pkgs.nix-your-shell} fish | source";
plugins = [
{
name = "bang-bang";
src = pkgs.fetchFromGitHub {
owner = "oh-my-fish";
repo = "plugin-bang-bang";
rev = "f969c618301163273d0a03d002614d9a81952c1e";
sha256 = "sha256-A8ydBX4LORk+nutjHurqNNWFmW6LIiBPQcxS3x4nbeQ=";
};
}
{
name = "z";
src = pkgs.fetchFromGitHub {
owner = "jethrokuan";
repo = "z";
rev = "067e867debee59aee231e789fc4631f80fa5788e";
sha256 = "sha256-emmjTsqt8bdI5qpx1bAzhVACkg0MNB/uffaRjjeuFxU=";
};
}
];
};
};
};
}

24
aspects/base/locale.nix
View file

@ -1,24 +0,0 @@
{ ... }:
{
flake.modules.nixos.locale =
{ ... }:
{
time.timeZone = "America/Bahia";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "pt_BR.utf8";
LC_COLLATE = "pt_BR.utf8";
LC_IDENTIFICATION = "pt_BR.utf8";
LC_MEASUREMENT = "pt_BR.utf8";
LC_MONETARY = "pt_BR.utf8";
LC_NAME = "pt_BR.utf8";
LC_NUMERIC = "pt_BR.utf8";
LC_PAPER = "pt_BR.utf8";
LC_TELEPHONE = "pt_BR.utf8";
LC_TIME = "en_IE.utf8";
};
};
};
}

63
aspects/base/nix.nix
View file

@ -1,63 +0,0 @@
{ ... }:
{
flake.modules.nixos.nix =
{
inputs,
pkgs,
lib,
...
}:
{
imports = [ inputs.nixos-cli.nixosModules.nixos-cli ];
nix = {
settings = {
auto-optimise-store = true;
connect-timeout = 10;
log-lines = 25;
min-free = 128000000;
max-free = 1000000000;
trusted-users = [ "@wheel" ];
};
extraOptions = "experimental-features = nix-command flakes";
gc = {
automatic = true;
options = "--delete-older-than 8d";
};
};
nixpkgs.config = {
allowUnfree = true;
enableParallelBuilding = true;
buildManPages = false;
buildDocs = false;
};
services.nixos-cli = {
enable = true;
config = {
ignore_dirty_tree = true;
apply = {
reexec_as_root = true;
use_nom = true;
};
confirmation.empty = "default-yes";
differ = {
command = [
"${lib.getExe pkgs.nvd}"
"diff"
];
tool = "command";
};
};
};
environment.systemPackages = with pkgs; [
nix-output-monitor
];
documentation.nixos.enable = false;
system.stateVersion = "22.11";
};
}

13
aspects/base/security.nix
View file

@ -1,13 +0,0 @@
{ ... }:
{
flake.modules.nixos.security =
{ ... }:
{
security.sudo = {
wheelNeedsPassword = false;
extraConfig = ''
Defaults lecture = never
'';
};
};
}

32
aspects/base/ssh.nix
View file

@ -1,32 +0,0 @@
{ ... }:
{
flake.modules.nixos.ssh =
{ ... }:
{
services.openssh = {
enable = true;
settings.PermitRootLogin = "no";
extraConfig = ''
PrintLastLog no
'';
};
programs = {
bash.interactiveShellInit = ''
if [ -n "$SSH_CONNECTION" ] && [ -z "$IN_NIX_SHELL" ] && [ -z "$TMUX" ]; then
export TERM=xterm-256color
clear
fastfetch
fi
'';
fish.interactiveShellInit = ''
set fish_greeting
if set -q SSH_CONNECTION; and not set -q IN_NIX_SHELL; and not set -q TMUX
export TERM=xterm-256color
clear
fastfetch
end
'';
};
};
}

66
aspects/base/zsh.nix
View file

@ -1,66 +0,0 @@
{ ... }:
{
flake.modules = {
nixos.zsh =
{ ... }:
{
programs.zsh.enable = true;
};
homeManager.zsh =
{
config,
lib,
pkgs,
...
}:
{
programs.zsh = {
enable = true;
dotDir = "${config.xdg.configHome}/zsh";
autosuggestion = {
enable = true;
strategy = [
"match_prev_cmd"
"completion"
];
};
enableCompletion = true;
syntaxHighlighting.enable = true;
initExtra = ''
unsetopt beep
${lib.getExe pkgs.nix-your-shell} zsh | source /dev/stdin
# Expand !! and !$ on space (Fish-style)
bindkey ' ' magic-space
setopt HIST_VERIFY
# Fish-style Ctrl+Backspace: delete one path segment at a time
function backward-kill-path-component() {
if [[ "$LBUFFER" == */ ]]; then
LBUFFER="''${LBUFFER%/}"
fi
if [[ "$LBUFFER" == */* ]]; then
LBUFFER="''${LBUFFER%/*}/"
else
zle backward-kill-word
fi
}
zle -N backward-kill-path-component
bindkey '^H' backward-kill-path-component
# Ctrl+Arrow Keys to move back and forward by a word
bindkey "^[[1;5D" backward-word
bindkey "^[[1;5C" forward-word
'';
loginExtra = "${lib.getExe pkgs.nix-your-shell} zsh | source /dev/stdin";
history = {
size = 10000;
save = 10000;
share = true;
};
initExtraBeforeCompInit = ''
zstyle ':completion:*' menu select
zstyle ':completion:*' matcher-list 'm:{a-zA-Z}={A-Za-z}'
'';
};
};
};
}

16
aspects/bluetooth.nix
View file

@ -1,16 +0,0 @@
{ ... }:
{
flake.modules.nixos.bluetooth =
{
config,
lib,
pkgs,
...
}:
{
hardware.bluetooth = {
enable = true;
powerOnBoot = false;
};
};
}

28
aspects/cli/btop.nix
View file

@ -1,28 +0,0 @@
{ ... }:
{
flake.modules = {
nixos.btop =
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ btop ];
};
homeManager.btop =
{
config,
lib,
pkgs,
...
}:
{
programs.btop = {
enable = true;
settings = {
theme_background = false;
proc_sorting = "cpu direct";
update_ms = 500;
};
};
};
};
}

16
aspects/cli/comma.nix
View file

@ -1,16 +0,0 @@
{ ... }:
{
flake.modules.homeManager.comma =
{
config,
lib,
pkgs,
inputs,
...
}:
{
imports = [ inputs.nix-index-database.homeModules.nix-index ];
programs.nix-index-database.comma.enable = true;
};
}

16
aspects/cli/direnv.nix
View file

@ -1,16 +0,0 @@
{ ... }:
{
flake.modules.homeManager.direnv =
{
config,
lib,
pkgs,
...
}:
{
programs.direnv = {
enable = true;
nix-direnv.enable = true;
};
};
}

74
aspects/cli/helix.nix
View file

@ -1,74 +0,0 @@
{ ... }:
{
flake.modules = {
nixos.helix =
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
helix
];
};
homeManager.helix =
{
config,
lib,
pkgs,
...
}:
{
home.sessionVariables = {
EDITOR = "hx";
};
programs.helix = {
enable = true;
themes = {
base16_terminal_transparent = {
inherits = "base16_terminal";
"ui.background" = { };
};
};
settings = {
theme = "base16_terminal_transparent";
editor = {
file-picker.hidden = false;
idle-timeout = 0;
line-number = "relative";
cursor-shape = {
normal = "underline";
insert = "bar";
select = "underline";
};
soft-wrap.enable = true;
auto-format = true;
indent-guides.render = true;
};
keys.normal = {
space = {
o = "file_picker_in_current_buffer_directory";
esc = [
"collapse_selection"
"keep_primary_selection"
];
};
};
};
languages = {
language = [
{
name = "nix";
auto-format = true;
formatter.command = "nixfmt";
}
{
name = "typst";
auto-format = true;
formatter.command = "typstyle -c 1000 -i";
}
];
};
};
};
};
}

18
aspects/cli/hm-cli.nix
View file

@ -1,18 +0,0 @@
{ ... }:
{
flake.modules.homeManager.hm-cli =
{
config,
lib,
pkgs,
...
}:
{
home = {
packages = with pkgs; [ hm-cli ];
sessionVariables = {
HM_PATH = "/etc/nixos";
};
};
};
}

48
aspects/cli/starship.nix
View file

@ -1,48 +0,0 @@
{ ... }:
{
flake.modules.homeManager.starship =
{
config,
lib,
pkgs,
...
}:
{
programs.starship = {
enable = true;
enableBashIntegration = true;
enableFishIntegration = true;
settings = {
add_newline = false;
format = ''
$hostname$directory$git_branch$git_status$nix_shell
[ ](bold green)
'';
right_format = "$cmd_duration$character";
hostname = {
ssh_symbol = "󰖟 ";
};
character = {
error_symbol = "[](red)";
success_symbol = "[󱐋](green)";
};
cmd_duration = {
format = "[󰄉 $duration ]($style)";
style = "yellow";
min_time = 500;
};
git_branch = {
symbol = " ";
style = "purple";
};
git_status.style = "red";
nix_shell = {
format = "via [$symbol$state]($style)";
heuristic = true;
style = "blue";
symbol = "󱄅 ";
};
};
};
};
}

29
aspects/cli/tmux.nix
View file

@ -1,29 +0,0 @@
{ ... }:
{
flake.modules = {
nixos.tmux =
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
tmux
];
};
homeManager.tmux =
{
config,
lib,
pkgs,
...
}:
{
programs.tmux = {
enable = true;
clock24 = true;
terminal = "xterm-256color";
mouse = true;
keyMode = "vi";
};
};
};
}

217
aspects/constants.nix
View file

@ -1,217 +0,0 @@
{
inputs,
lib,
config,
...
}:
let
# Host submodule type
hostType = lib.types.submodule {
options = {
lanIP = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "LAN IP address for the host";
};
tailscaleIP = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Tailscale IP address for the host";
};
};
};
# Service submodule type
serviceType = lib.types.submodule {
options = {
name = lib.mkOption {
type = lib.types.str;
description = "Service name";
};
domain = lib.mkOption {
type = lib.types.str;
description = "Domain name for the service";
};
host = lib.mkOption {
type = lib.types.str;
description = "Host where the service runs";
};
public = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether the service is publicly accessible";
};
lanIP = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "LAN IP address (inherited from host)";
};
tailscaleIP = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Tailscale IP address (inherited from host)";
};
};
};
# Import shared data (also used by terranix)
sharedData = import ../data/services.nix;
# Enrich services with host IP information
enrichServices =
hosts: services:
map (
svc:
let
hostInfo = hosts.${svc.host} or { };
in
svc
// {
lanIP = hostInfo.lanIP or null;
tailscaleIP = hostInfo.tailscaleIP or null;
}
) services;
in
{
options.flake = {
hosts = lib.mkOption {
type = lib.types.attrsOf hostType;
default = { };
description = "Host definitions with IP addresses";
};
services = lib.mkOption {
type = lib.types.listOf serviceType;
default = [ ];
description = "Service definitions with enriched host information";
};
lib = lib.mkOption {
type = lib.types.attrsOf lib.types.raw;
default = { };
description = "Utility functions for flake configuration";
};
};
config.flake = {
hosts = sharedData.hosts;
services = enrichServices config.flake.hosts sharedData.services;
lib = {
# Nginx virtual host utilities
mkNginxVHosts =
{ domains }:
let
mkVHostConfig =
domain: vhostConfig:
lib.recursiveUpdate {
useACMEHost = domain;
forceSSL = true;
kTLS = true;
} vhostConfig;
in
lib.mapAttrs mkVHostConfig domains;
# Split DNS utilities for unbound
# Generates unbound view config from a list of DNS entries
mkSplitDNS =
entries:
let
tailscaleData = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') entries;
lanData = map (e: ''"${e.domain}. IN A ${e.lanIP}"'') entries;
in
[
{
name = "tailscale";
view-first = true;
local-zone = ''"baduhai.dev." transparent'';
local-data = tailscaleData;
}
{
name = "lan";
view-first = true;
local-zone = ''"baduhai.dev." transparent'';
local-data = lanData;
}
];
# Generates flake.homeConfigurations
mkHomeConfiguration =
{
user,
hostname,
system ? "x86_64-linux",
stateVersion ? "22.05",
nixpkgs ? inputs.nixpkgs, # override with e.g. inputs.nixpkgs-stable
userModules ? [ ],
overlays ? [ inputs.self.overlays.default ],
homeManagerModules ? with inputs.self.modules.homeManager; [
base
cli
],
userDirectory ? "/home/${user}",
}:
inputs.home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.${system};
extraSpecialArgs = {
inherit inputs hostname;
};
modules = [
{ nixpkgs.overlays = overlays; }
{
home = {
username = user;
homeDirectory = userDirectory;
inherit stateVersion;
};
}
((inputs.import-tree.initFilter (p: lib.hasSuffix ".nix" p))
"/${inputs.self}/aspects/users/_${user}"
)
]
++ homeManagerModules
++ userModules;
};
# Generates flake.nixosConfigurations
mkHost =
{
hostname,
system ? "x86_64-linux",
nixpkgs ? inputs.nixpkgs,
overlays ? [
inputs.agenix.overlays.default
inputs.self.overlays.default
],
ephemeralRootDev ? null, # pass rootDevice string to enable, e.g. ephemeralephemeralRootDev = "/dev/mapper/cryptroot"
nixosModules ? with inputs.self.modules.nixos; [
base
cli
user
root
],
extraModules ? [ ],
}:
nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = { inherit inputs; };
modules = [
inputs.agenix.nixosModules.default
{ networking.hostName = hostname; }
{ nixpkgs.overlays = overlays; }
((inputs.import-tree.initFilter (p: lib.hasSuffix ".nix" p))
"${inputs.self}/aspects/hosts/_${hostname}"
)
]
++ (lib.optional (ephemeralRootDev != null) (
inputs.self.factory.ephemeral { rootDevice = ephemeralRootDev; }
))
++ nixosModules
++ extraModules;
};
};
};
}

25
aspects/desktop/graphics.nix
View file

@ -1,25 +0,0 @@
{ ... }:
{
flake.modules.nixos.graphics =
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
gimp
inkscape
plasticity
];
services.flatpak.packages = [
"com.boxy_svg.BoxySVG"
rec {
appId = "io.github.softfever.OrcaSlicer";
sha256 = "0hdx5sg6fknj1pfnfxvlfwb5h6y1vjr6fyajbsnjph5gkp97c6p1";
bundle = "${pkgs.fetchurl {
url = "https://github.com/SoftFever/OrcaSlicer/releases/download/v2.3.0/OrcaSlicer-Linux-flatpak_V2.3.0_x86_64.flatpak";
inherit sha256;
}}";
}
];
};
}

60
aspects/desktop/kde.nix
View file

@ -1,60 +0,0 @@
{ ... }:
{
flake.modules = {
nixos.kde =
{ pkgs, ... }:
{
services = {
displayManager = {
autoLogin = {
enable = true;
user = "user";
};
plasma-login-manager.enable = true;
};
desktopManager.plasma6.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
};
xdg.portal = {
enable = true;
xdgOpenUsePortal = true;
extraPortals = with pkgs; [
kdePackages.xdg-desktop-portal-kde
xdg-desktop-portal-gtk
xdg-desktop-portal-gnome
];
config.common.default = "*";
};
environment = {
systemPackages = with pkgs; [
kara
kdePackages.karousel
kde-rounded-corners
];
plasma6.excludePackages = with pkgs.kdePackages; [
elisa
gwenview
kate
khelpcenter
];
};
programs = {
kdeconnect.enable = true;
partition-manager.enable = true;
};
};
homeManager.kde =
{ pkgs, ... }:
{
};
};
}

28
aspects/desktop/media.nix
View file

@ -1,28 +0,0 @@
{ ... }:
{
flake.modules = {
nixos.media =
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
mpv
obs-studio
qview
];
};
homeManager.media =
{ pkgs, ... }:
{
programs.obs-studio = {
enable = true;
plugins = with pkgs.obs-studio-plugins; [
obs-vkcapture
obs-backgroundremoval
obs-pipewire-audio-capture
];
};
};
};
}

23
aspects/desktop/office.nix
View file

@ -1,23 +0,0 @@
{ ... }:
{
flake.modules.nixos.office =
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
aspell
aspellDicts.de
aspellDicts.en
aspellDicts.en-computers
aspellDicts.pt_BR
glow
kwrite
presenterm
rnote
];
services.flatpak.packages = [
"com.collabora.Office"
];
};
}

21
aspects/desktop/web.nix
View file

@ -1,21 +0,0 @@
{ ... }:
{
flake.modules.nixos.web =
{
inputs,
pkgs,
...
}:
{
environment.systemPackages = with pkgs; [
inputs.zen-browser.packages."${pkgs.stdenv.hostPlatform.system}".default
amnesiac-brave
beeper
bitwarden-desktop
qbittorrent
nextcloud-client
vesktop
];
};
}

23
aspects/dev.nix
View file

@ -1,23 +0,0 @@
{ ... }:
{
flake.modules.nixos.dev =
{
config,
lib,
pkgs,
...
}:
{
environment.systemPackages = with pkgs; [
android-tools
lazygit
fd
fzf
nixfmt
nix-init
ripgrep
];
users.users.user.extraGroups = [ "adbusers" ];
};
}

139
aspects/ephemeral.nix
View file

@ -1,139 +0,0 @@
# Ephemeral root aspect - provides automatic btrfs root subvolume rollover
# Exports both a base module with options and a factory function for easy configuration
{ inputs, ... }:
{
# Base module with options (for external flakes or direct use)
flake.modules.nixos.ephemeral =
{ lib, config, ... }:
let
cfg = config.ephemeral;
in
{
options.ephemeral = {
enable = lib.mkEnableOption "ephemeral root with automatic rollback";
rootDevice = lib.mkOption {
type = lib.types.str;
example = "/dev/mapper/cryptroot";
description = "Device path for the root btrfs filesystem";
};
rootSubvolume = lib.mkOption {
type = lib.types.str;
default = "@root";
description = "Name of the root btrfs subvolume";
};
oldRootRetentionDays = lib.mkOption {
type = lib.types.int;
default = 30;
description = "Number of days to keep old root snapshots before deletion";
};
};
config = lib.mkIf cfg.enable {
boot.initrd.systemd.services.recreate-root = {
description = "Rolling over and creating new filesystem root";
requires = [ "initrd-root-device.target" ];
after = [
"local-fs-pre.target"
"initrd-root-device.target"
];
requiredBy = [ "initrd-root-fs.target" ];
before = [ "sysroot.mount" ];
unitConfig = {
AssertPathExists = "/etc/initrd-release";
DefaultDependencies = false;
};
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
set -euo pipefail
mkdir /btrfs_tmp
if ! mount ${cfg.rootDevice} /btrfs_tmp; then
echo "ERROR: Failed to mount ${cfg.rootDevice}"
exit 1
fi
if [[ -e /btrfs_tmp/${cfg.rootSubvolume} ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/${cfg.rootSubvolume})" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/${cfg.rootSubvolume} "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +${toString cfg.oldRootRetentionDays}); do
delete_subvolume_recursively "$i"
done
if ! btrfs subvolume create /btrfs_tmp/${cfg.rootSubvolume}; then
echo "ERROR: Failed to create subvolume ${cfg.rootSubvolume}"
umount /btrfs_tmp
exit 1
fi
umount /btrfs_tmp
'';
};
};
};
# Factory function that generates configured modules
flake.factory.ephemeral =
{
rootDevice,
rootSubvolume ? "@root",
retentionDays ? 30,
persistentStoragePath ? "/persistent",
persistentFiles ? [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
],
persistentDirectories ? [
"/etc/NetworkManager/system-connections"
"/etc/nixos"
"/var/lib/bluetooth"
"/var/lib/flatpak"
"/var/lib/lxd"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/var/lib/systemd/timers"
"/var/lib/tailscale"
"/var/log"
],
}:
{ ... }:
{
imports = [
inputs.impermanence.nixosModules.impermanence
inputs.self.modules.nixos.ephemeral
];
ephemeral = {
enable = true;
inherit rootDevice rootSubvolume;
oldRootRetentionDays = retentionDays;
};
fileSystems."/persistent".neededForBoot = true;
environment.persistence.main = {
inherit persistentStoragePath;
files = persistentFiles;
directories = persistentDirectories;
};
};
}

13
aspects/fwupd.nix
View file

@ -1,13 +0,0 @@
{ ... }:
{
flake.modules.nixos.fwupd =
{
config,
lib,
pkgs,
...
}:
{
services.fwupd.enable = true;
};
}

47
aspects/gaming/mangohud.nix
View file

@ -1,47 +0,0 @@
{ ... }:
{
flake.modules = {
nixos.mangohud =
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
mangohud
];
};
homeManager.mangohud =
{ config, ... }:
{
programs.mangohud = {
enable = true;
enableSessionWide = true;
settings = {
position = "top-left";
fps = true;
frametime = false;
frame_timing = false;
gpu_stats = true;
gpu_temp = true;
gpu_power = true;
cpu_stats = true;
cpu_temp = true;
cpu_power = true;
ram = true;
vram = true;
gamemode = false;
vkbasalt = false;
version = false;
engine_version = false;
vulkan_driver = false;
wine = false;
time = false;
fps_sampling_period = 500;
toggle_hud = "Shift_L+F12";
toggle_logging = "Ctrl_L+F2";
output_folder = "${config.home.homeDirectory}/.local/share/mangohud";
};
};
};
};
}

24
aspects/gaming/steam.nix
View file

@ -1,24 +0,0 @@
{ ... }:
{
flake.modules.nixos.steam =
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
steam-run
];
programs = {
steam = {
enable = true;
extraCompatPackages = [ pkgs.proton-ge-bin ];
};
gamemode.enable = true;
};
services.flatpak.packages = [
"com.steamgriddb.SGDBoop"
"io.github.Foldex.AdwSteamGtk"
];
};
}

49
aspects/hosts/_alexandria/hardware-configuration.nix
View file

@ -1,49 +0,0 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/31289617-1d84-4432-a833-680b52e88525";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/4130-BE54";
fsType = "vfat";
};
};
swapDevices = [
{
device = "/swapfile";
size = 8192;
}
];
networking.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

14
aspects/hosts/_alexandria/jellyfin.nix
View file

@ -1,14 +0,0 @@
{ lib, inputs, ... }:
let
mkNginxVHosts = inputs.self.lib.mkNginxVHosts;
in
{
services.jellyfin = {
enable = true;
openFirewall = true;
};
services.nginx.virtualHosts = mkNginxVHosts {
domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/";
};
}

31
aspects/hosts/_alexandria/miniflux.nix
View file

@ -1,31 +0,0 @@
{ config, inputs, ... }:
let
mkNginxVHosts = inputs.self.lib.mkNginxVHosts;
in
{
services = {
miniflux = {
enable = true;
config = {
LISTEN_ADDR = "localhost:8080";
CREATE_ADMIN = 1;
};
adminCredentialsFile = config.age.secrets.miniflux-admincreds.path;
createDatabaseLocally = true;
};
nginx.virtualHosts = mkNginxVHosts {
domains."rss.baduhai.dev" = {
locations."/".proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}/";
};
};
};
age.secrets.miniflux-admincreds = {
file = "${inputs.self}/secrets/miniflux-admincreds.age";
owner = "miniflux";
group = "miniflux";
};
}

95
aspects/hosts/_alexandria/nextcloud.nix
View file

@ -1,95 +0,0 @@
{
config,
inputs,
pkgs,
...
}:
let
mkNginxVHosts = inputs.self.lib.mkNginxVHosts;
in
{
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud32;
datadir = "/data/nextcloud";
hostName = "cloud.baduhai.dev";
configureRedis = true;
https = true;
secretFile = config.age.secrets."nextcloud-secrets.json".path;
database.createLocally = true;
maxUploadSize = "16G";
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
calendar
contacts
notes
tasks
user_oidc
;
};
extraAppsEnable = true;
caching = {
apcu = true;
redis = true;
};
settings = {
trusted_proxies = [ "127.0.0.1" ];
default_phone_region = "BR";
maintenance_window_start = "4";
allow_local_remote_servers = true;
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\EMF"
"OC\\Preview\\Font"
"OC\\Preview\\GIF"
"OC\\Preview\\HEIC"
"OC\\Preview\\Illustrator"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\Movie"
"OC\\Preview\\MP3"
"OC\\Preview\\MSOffice2003"
"OC\\Preview\\MSOffice2007"
"OC\\Preview\\MSOfficeDoc"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PDF"
"OC\\Preview\\Photoshop"
"OC\\Preview\\PNG"
"OC\\Preview\\Postscript"
"OC\\Preview\\SVG"
"OC\\Preview\\TIFF"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
];
};
config = {
dbtype = "pgsql";
adminpassFile = config.age.secrets.nextcloud-adminpass.path;
};
phpOptions = {
"opcache.interned_strings_buffer" = "16";
};
};
nginx.virtualHosts = mkNginxVHosts {
domains."cloud.baduhai.dev" = { };
};
};
age.secrets = {
"nextcloud-secrets.json" = {
file = "${inputs.self}/secrets/nextcloud-secrets.json.age";
owner = "nextcloud";
group = "nextcloud";
};
nextcloud-adminpass = {
file = "${inputs.self}/secrets/nextcloud-adminpass.age";
owner = "nextcloud";
group = "nextcloud";
};
};
}

58
aspects/hosts/_alexandria/nginx.nix
View file

@ -1,58 +0,0 @@
{
config,
lib,
inputs,
...
}:
let
services = inputs.self.services;
# Get all unique domains from shared services that have LAN IPs (served by this host)
localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "alexandria") services));
# Generate ACME cert configs for all local domains
acmeCerts = lib.genAttrs localDomains (domain: {
group = "nginx";
});
in
{
security.acme = {
acceptTerms = true;
defaults = {
email = "baduhai@proton.me";
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare.path;
};
certs = acmeCerts;
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"_" = {
default = true;
locations."/".return = "444";
};
};
};
users.users.nginx.extraGroups = [ "acme" ];
networking.firewall.allowedTCPPorts = [
80
443
];
age.secrets.cloudflare = {
file = "${inputs.self}/secrets/cloudflare.age";
owner = "nginx";
group = "nginx";
};
}

57
aspects/hosts/_alexandria/unbound.nix
View file

@ -1,57 +0,0 @@
{ inputs, lib, ... }:
let
services = inputs.self.services;
in
{
services.unbound = {
enable = true;
enableRootTrustAnchor = true;
settings = {
server = {
interface = [
"0.0.0.0"
"::"
];
access-control = [
"127.0.0.0/8 allow"
"192.168.0.0/16 allow"
"::1/128 allow"
];
num-threads = 2;
msg-cache-size = "50m";
rrset-cache-size = "100m";
cache-min-ttl = 300;
cache-max-ttl = 86400;
prefetch = true;
prefetch-key = true;
hide-identity = true;
hide-version = true;
so-rcvbuf = "1m";
so-sndbuf = "1m";
# LAN-only DNS records
local-zone = ''"baduhai.dev." transparent'';
local-data = map (e: ''"${e.domain}. IN A ${e.lanIP}"'') (lib.filter (e: e.lanIP != null) services);
};
forward-zone = [
{
name = ".";
forward-addr = [
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
];
forward-tls-upstream = true;
}
];
};
};
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
}

25
aspects/hosts/_alexandria/vaultwarden.nix
View file

@ -1,25 +0,0 @@
{
config,
lib,
inputs,
...
}:
let
mkNginxVHosts = inputs.self.lib.mkNginxVHosts;
in
{
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://pass.baduhai.dev";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 58222;
};
};
services.nginx.virtualHosts = mkNginxVHosts {
domains."pass.baduhai.dev".locations."/".proxyPass =
"http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
};
}

14
aspects/hosts/_io/boot.nix
View file

@ -1,14 +0,0 @@
{
boot = {
# TODO check if future kernel versions fix boot issue with systemd initrd with tpm
initrd.systemd.tpm2.enable = false;
kernelParams = [
"nosgx"
"i915.fastboot=1"
"mem_sleep_default=deep"
];
extraModprobeConfig = ''
options snd-intel-dspcfg dsp_driver=3
'';
};
}

79
aspects/hosts/_io/disko.nix
View file

@ -1,79 +0,0 @@
{ inputs, ... }:
{
imports = [ inputs.disko.nixosModules.default ];
disko.devices.disk.main = {
type = "disk";
device = "/dev/disk/by-id/mmc-hDEaP3_0x1041b689";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1MiB";
end = "1GiB";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot/efi";
mountOptions = [
"noatime"
"fmask=0077"
"dmask=0077"
];
};
};
cryptroot = {
priority = 2;
name = "root";
size = "100%";
content = {
type = "luks";
name = "cryptroot";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"@root" = {
mountpoint = "/";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@root"
];
};
"@home" = {
mountpoint = "/home";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@home"
];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@nix"
];
};
"@persistent" = {
mountpoint = "/persistent";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@persistent"
];
};
};
};
};
};
};
};
};
}

37
aspects/hosts/_io/hardware-configuration.nix
View file

@ -1,37 +0,0 @@
{
config,
lib,
modulesPath,
inputs,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ahci"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
};
kernelModules = [ "kvm-intel" ];
};
zramSwap = {
enable = true;
memoryPercent = 100;
};
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

27
aspects/hosts/_io/programs.nix
View file

@ -1,27 +0,0 @@
{ pkgs, ... }:
let
cml-ucm-conf = pkgs.alsa-ucm-conf.overrideAttrs {
wttsrc = pkgs.fetchFromGitHub {
owner = "WeirdTreeThing";
repo = "chromebook-ucm-conf";
rev = "b6ce2a7";
hash = "sha256-QRUKHd3RQmg1tnZU8KCW0AmDtfw/daOJ/H3XU5qWTCc=";
};
postInstall = ''
echo "v0.4.1" > $out/chromebook.patched
cp -R $wttsrc/{common,codecs,platforms} $out/share/alsa/ucm2
cp -R $wttsrc/{cml,sof-rt5682} $out/share/alsa/ucm2/conf.d
'';
};
in
{
environment = {
systemPackages = with pkgs; [
maliit-keyboard
sof-firmware
];
sessionVariables.ALSA_CONFIG_UCM2 = "${cml-ucm-conf}/share/alsa/ucm2";
};
}

61
aspects/hosts/_io/services.nix
View file

@ -1,61 +0,0 @@
{ pkgs, ... }:
{
services = {
keyd = {
enable = true;
keyboards.main = {
ids = [ "0001:0001" ];
settings = {
main = {
meta = "overload(meta, esc)";
f1 = "back";
f2 = "forward";
f3 = "refresh";
f4 = "M-f11";
f5 = "M-w";
f6 = "brightnessdown";
f7 = "brightnessup";
f8 = "timeout(mute, 200, micmute)";
f9 = "play";
f10 = "timeout(nextsong, 200, previoussong)";
f13 = "delete";
"102nd" = "layer(function)";
};
shift = {
leftshift = "capslock";
rightshift = "capslock";
};
function = {
escape = "f1";
f1 = "f2";
f2 = "f3";
f3 = "f4";
f4 = "f5";
f5 = "f6";
f6 = "f7";
f7 = "f8";
f8 = "f9";
f9 = "f10";
f10 = "f11";
f13 = "f12";
y = "sysrq";
k = "home";
l = "pageup";
"," = "end";
"." = "pagedown";
};
};
};
};
upower.enable = true;
power-profiles-daemon.enable = true;
};
# TODO: remove once gmodena/nix-flatpak/issues/45 fixed
systemd.services."flatpak-managed-install" = {
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
};
};
}

31
aspects/hosts/_rotterdam/boot.nix
View file

@ -1,31 +0,0 @@
{ pkgs, ... }:
let
qubesnsh = pkgs.writeTextFile {
name = "qubes.nsh";
text = "HD1f65535a1:EFI\\qubes\\grubx64.efi";
};
in
{
boot = {
kernelParams = [
"processor.max_cstate=1" # Fixes bug where ryzen cpus freeze when in highest C state
"clearcpuid=514"
"amdgpu.ppfeaturemask=0xfffd3fff" # Fixes amdgpu freezing
];
# QubesOS boot entry
loader.systemd-boot = {
extraFiles = {
"efi/edk2-shell/shell.efi" = "${pkgs.edk2-uefi-shell}/shell.efi";
"qubes.nsh" = qubesnsh;
};
extraEntries."qubes.conf" = ''
title Qubes OS
efi /efi/edk2-shell/shell.efi
options -nointerrupt qubes.nsh
sort-key ab
'';
};
};
}

82
aspects/hosts/_rotterdam/hardware-configuration.nix
View file

@ -1,82 +0,0 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"amdgpu"
"nvme"
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/f7dd4142-7109-4493-834d-4a831777f08d";
keyFile = "/dev/disk/by-partuuid/add5fc14-e20f-48be-8b2a-0799ef04d3cb";
};
};
kernelModules = [ "kvm-amd" ];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/3287dbc3-c0fa-4096-a0b3-59b017cfecc8";
fsType = "btrfs";
options = [
"subvol=@root"
"noatime"
"compress=zstd"
];
};
"/home" = {
device = "/dev/disk/by-uuid/3287dbc3-c0fa-4096-a0b3-59b017cfecc8";
fsType = "btrfs";
options = [
"subvol=@home"
"noatime"
"compress=zstd"
];
};
"/boot/efi" = {
device = "/dev/disk/by-uuid/F2A2-CF5A";
fsType = "vfat";
options = [
"noatime"
"fmask=0077"
"dmask=0077"
];
};
"/nix" = {
device = "/dev/disk/by-uuid/3287dbc3-c0fa-4096-a0b3-59b017cfecc8";
fsType = "btrfs";
options = [
"subvol=@nix"
"noatime"
"compress=zstd"
];
};
"/persistent" = {
device = "/dev/disk/by-uuid/3287dbc3-c0fa-4096-a0b3-59b017cfecc8";
fsType = "btrfs";
options = [
"subvol=@persistent"
"noatime"
"compress=zstd"
];
};
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

8
aspects/hosts/_rotterdam/hardware.nix
View file

@ -1,8 +0,0 @@
{ pkgs, ... }:
{
hardware = {
amdgpu.opencl.enable = true;
graphics.extraPackages = with pkgs; [ rocmPackages.clr.icd ];
};
}

31
aspects/hosts/_rotterdam/programs.nix
View file

@ -1,31 +0,0 @@
{ pkgs, ... }:
let
reboot-into-qubes = pkgs.makeDesktopItem {
name = "reboot-into-qubes";
icon = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/vinceliuice/Qogir-icon-theme/31f267e1f5fd4e9596bfd78dfb41a03d3a9f33ee/src/scalable/apps/distributor-logo-qubes.svg";
sha256 = "sha256-QbHr7s5Wcs7uFtfqZctMyS0iDbMfiiZOKy2nHhDOfn0=";
};
desktopName = "Qubes OS";
genericName = "Reboot into Qubes OS";
categories = [ "System" ];
startupNotify = true;
exec = pkgs.writeShellScript "reboot-into-qubes" ''
${pkgs.yad}/bin/yad --form \
--title="Qubes OS" \
--image distributor-logo-qubes \
--text "Are you sure you want to reboot into Qubes OS?" \
--button="Yes:0" --button="Cancel:1"
if [ $? -eq 0 ]; then
systemctl reboot --boot-loader-entry=qubes.conf
fi
'';
};
in
{
environment.systemPackages = [ reboot-into-qubes ];
programs.steam.dedicatedServer.openFirewall = true;
}

6
aspects/hosts/_trantor/boot.nix
View file

@ -1,6 +0,0 @@
{
boot = {
initrd.systemd.enable = true;
loader.efi.efiSysMountPoint = "/boot/efi";
};
}

64
aspects/hosts/_trantor/disko.nix
View file

@ -1,64 +0,0 @@
{ inputs, ... }:
{
imports = [ inputs.disko.nixosModules.default ];
disko.devices.disk.main = {
type = "disk";
device = "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1MiB";
end = "512MiB";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot/efi";
mountOptions = [
"noatime"
"fmask=0077"
"dmask=0077"
];
};
};
root = {
priority = 2;
name = "root";
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"@root" = {
mountpoint = "/";
mountOptions = [
"noatime"
"compress=zstd"
];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = [
"noatime"
"compress=zstd"
];
};
"@persistent" = {
mountpoint = "/persistent";
mountOptions = [
"noatime"
"compress=zstd"
];
};
};
};
};
};
};
};
}

23
aspects/hosts/_trantor/fail2ban.nix
View file

@ -1,23 +0,0 @@
{ config, pkgs, ... }:
{
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
"127.0.0.0/8"
"::1"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
];
bantime = "1h";
bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64";
maxtime = "10000h";
overalljails = true;
};
};
}

76
aspects/hosts/_trantor/forgejo.nix
View file

@ -1,76 +0,0 @@
{
config,
lib,
inputs,
...
}:
let
mkNginxVHosts = inputs.self.lib.mkNginxVHosts;
in
{
services = {
forgejo = {
enable = true;
settings = {
session.COOKIE_SECURE = true;
server = {
PROTOCOL = "http+unix";
DOMAIN = "git.baduhai.dev";
ROOT_URL = "https://git.baduhai.dev";
OFFLINE_MODE = true; # disable use of CDNs
SSH_DOMAIN = "git.baduhai.dev";
SSH_USER = "forgejo";
SSH_PORT = lib.head config.services.openssh.ports;
};
log.LEVEL = "Warn";
mailer.ENABLED = false;
actions.ENABLED = false;
service.DISABLE_REGISTRATION = true;
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = true;
ACCOUNT_LINKING = "login";
USERNAME = "preferred_username";
};
};
};
nginx.virtualHosts = mkNginxVHosts {
domains."git.baduhai.dev".locations."/".proxyPass =
"http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
};
fail2ban.jails.forgejo = {
settings = {
enabled = true;
filter = "forgejo";
maxretry = 3;
findtime = "10m";
bantime = "1h";
};
};
};
environment = {
etc."fail2ban/filter.d/forgejo.conf".text = ''
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
journalmatch = _SYSTEMD_UNIT=forgejo.service
'';
persistence.main.directories = [
{
directory = config.services.forgejo.stateDir;
inherit (config.services.forgejo) user group;
mode = "0700";
}
];
};
# Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
systemd.services.forgejo.serviceConfig = {
PrivateMounts = lib.mkForce false;
ProtectSystem = lib.mkForce false;
};
}

20
aspects/hosts/_trantor/hardware-configuration.nix
View file

@ -1,20 +0,0 @@
{
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"usbhid"
];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

8
aspects/hosts/_trantor/networking.nix
View file

@ -1,8 +0,0 @@
{
networking = {
firewall = {
allowedTCPPorts = [ 25566 ];
allowedUDPPorts = [ 25566 ];
};
};
}

56
aspects/hosts/_trantor/nginx.nix
View file

@ -1,56 +0,0 @@
{
config,
lib,
inputs,
...
}:
let
services = inputs.self.services;
localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "trantor") services));
acmeCerts = lib.genAttrs localDomains (domain: {
group = "nginx";
});
in
{
security.acme = {
acceptTerms = true;
defaults = {
email = "baduhai@proton.me";
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare.path;
};
certs = acmeCerts;
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"_" = {
default = true;
locations."/".return = "444";
};
};
};
users.users.nginx.extraGroups = [ "acme" ];
networking.firewall.allowedTCPPorts = [
80
443
];
age.secrets.cloudflare = {
file = "${inputs.self}/secrets/cloudflare.age";
owner = "nginx";
group = "nginx";
};
}

23
aspects/hosts/_trantor/openssh.nix
View file

@ -1,23 +0,0 @@
{ ... }:
{
services = {
openssh = {
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
fail2ban.jails.sshd = {
settings = {
enabled = true;
port = "ssh";
filter = "sshd";
logpath = "/var/log/auth.log";
maxretry = 3;
findtime = "10m";
bantime = "1h";
};
};
};
}

58
aspects/hosts/_trantor/unbound.nix
View file

@ -1,58 +0,0 @@
{ inputs, lib, ... }:
let
services = inputs.self.services;
in
{
services.unbound = {
enable = true;
enableRootTrustAnchor = true;
settings = {
server = {
interface = [
"0.0.0.0"
"::"
];
access-control = [
"127.0.0.0/8 allow"
"100.64.0.0/10 allow" # Tailscale CGNAT range
"::1/128 allow"
"fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
];
num-threads = 2;
msg-cache-size = "50m";
rrset-cache-size = "100m";
cache-min-ttl = 300;
cache-max-ttl = 86400;
prefetch = true;
prefetch-key = true;
hide-identity = true;
hide-version = true;
so-rcvbuf = "1m";
so-sndbuf = "1m";
# Tailnet DNS records from shared services
local-zone = ''"baduhai.dev." transparent'';
local-data = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') services;
};
forward-zone = [
{
name = ".";
forward-addr = [
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
];
forward-tls-upstream = true;
}
];
};
};
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
}

19
aspects/hosts/alexandria.nix
View file

@ -1,19 +0,0 @@
{ inputs, ... }:
let
mkHost = inputs.self.lib.mkHost;
in
{
flake.nixosConfigurations.alexandria = mkHost {
hostname = "alexandria";
nixpkgs = inputs.nixpkgs-stable;
extraModules = with inputs.self.modules.nixos; [
# base aspects
server
# other aspects
fwupd
podman
];
};
}

23
aspects/hosts/io.nix
View file

@ -1,23 +0,0 @@
{ inputs, ... }:
let
mkHost = inputs.self.lib.mkHost;
in
{
flake.nixosConfigurations.io = mkHost {
hostname = "io";
ephemeralRootDev = "/dev/mapper/cryptroot";
extraModules = with inputs.self.modules.nixos; [
# base aspects
desktop
# other aspects
ai
bluetooth
dev
kde
networkmanager
podman
];
};
}

25
aspects/hosts/rotterdam.nix
View file

@ -1,25 +0,0 @@
{ inputs, ... }:
let
mkHost = inputs.self.lib.mkHost;
in
{
flake.nixosConfigurations.rotterdam = mkHost {
hostname = "rotterdam";
ephemeralRootDev = "/dev/mapper/cryptroot";
extraModules = with inputs.self.modules.nixos; [
# base aspects
desktop
gaming
# other aspects
ai
bluetooth
dev
fwupd
kde
networkmanager
podman
];
};
}

18
aspects/hosts/trantor.nix
View file

@ -1,18 +0,0 @@
{ inputs, ... }:
let
mkHost = inputs.self.lib.mkHost;
in
{
flake.nixosConfigurations.trantor = mkHost {
hostname = "trantor";
system = "aarch64-linux";
nixpkgs = inputs.nixpkgs-stable;
ephemeralRootDev = "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20-part2";
extraModules = with inputs.self.modules.nixos; [
# base aspects
server
];
};
}

25
aspects/libvirtd.nix
View file

@ -1,25 +0,0 @@
{ ... }:
{
flake.modules.nixos.libvirtd =
{
config,
lib,
pkgs,
...
}:
{
virtualisation = {
libvirtd.enable = true;
spiceUSBRedirection.enable = true;
};
programs.virt-manager.enable = true;
networking.firewall.trustedInterfaces = [ "virbr0" ];
users.users.user.extraGroups = [
"libvirt"
"libvirtd"
];
};
}

22
aspects/lxc.nix
View file

@ -1,22 +0,0 @@
{ ... }:
{
flake.modules.nixos.lxc =
{
config,
lib,
pkgs,
...
}:
{
virtualisation = {
lxc = {
enable = true;
unprivilegedContainers = true;
};
incus.enable = true;
};
users.users.user.extraGroups = [ "incus-admin" ];
};
}

15
aspects/networkmanager.nix
View file

@ -1,15 +0,0 @@
{ ... }:
{
flake.modules.nixos.networkmanager =
{
config,
lib,
pkgs,
...
}:
{
networking.networkmanager.enable = true;
users.users.user.extraGroups = [ "networkmanager" ];
};
}

24
aspects/podman.nix
View file

@ -1,24 +0,0 @@
{ ... }:
{
flake.modules.nixos.podman =
{
config,
lib,
pkgs,
...
}:
{
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
extraPackages = [ pkgs.podman-compose ];
};
security.unprivilegedUsernsClone = true; # Needed for rootless podman
systemd = {
services.podman-auto-update.enable = true;
timers.podman-auto-update.enable = true;
};
};
}

69
aspects/stylix.nix
View file

@ -1,69 +0,0 @@
{ ... }:
{
flake.modules = {
nixos.stylix =
{ inputs, ... }:
{
imports = [ inputs.stylix.nixosModules.stylix ];
};
homeManager.stylix =
{
config,
inputs,
pkgs,
...
}:
{
imports = [ inputs.stylix.homeModules.stylix ];
stylix = {
enable = true;
polarity = "dark";
base16Scheme = "${pkgs.base16-schemes}/share/themes/tokyodark.yaml";
cursor = {
package = pkgs.kdePackages.breeze;
name = "breeze_cursors";
size = 24;
};
icons = {
enable = true;
package = pkgs.morewaita-icon-theme;
light = "MoreWaita";
dark = "MoreWaita";
};
opacity = {
applications = 1.0;
desktop = 1.0;
popups = config.stylix.opacity.desktop;
terminal = 1.0;
};
fonts = {
serif = {
package = pkgs.source-serif;
name = "Source Serif 4 Display";
};
sansSerif = {
package = pkgs.inter;
name = "Inter";
};
monospace = {
package = pkgs.nerd-fonts.fira-code;
name = "FiraCode Nerd Font";
};
emoji = {
package = pkgs.noto-fonts-color-emoji;
name = "Noto Color Emoji";
};
sizes = {
applications = 10;
desktop = config.stylix.fonts.sizes.applications;
popups = config.stylix.fonts.sizes.applications;
terminal = 12;
};
};
};
};
};
}

57
aspects/systems/base.nix
View file

@ -1,57 +0,0 @@
{ inputs, ... }:
{
flake.modules = {
nixos.base =
{ lib, pkgs, ... }:
{
imports = with inputs.self.modules.nixos; [
boot
console
firewall
fish
locale
nix
security
ssh
zsh
];
environment = {
systemPackages = with pkgs; [
git
fastfetch
nixos-firewall-tool
sysz
wget
];
shellAliases = {
cat = "${lib.getExe pkgs.bat} --paging=never --style=plain";
ls = "${lib.getExe pkgs.eza} --git --icons --group-directories-first";
la = "ls -hal";
tree = "ls --tree";
};
};
programs.command-not-found.enable = false;
services = {
dbus.implementation = "broker";
irqbalance.enable = true;
fstrim.enable = true;
tailscale = {
enable = true;
extraUpFlags = [ "--operator=user" ];
};
};
};
homeManager.base =
{ ... }:
{
imports = with inputs.self.modules.homeManager; [
bash
fish
zsh
];
};
};
}

38
aspects/systems/cli.nix
View file

@ -1,38 +0,0 @@
{ inputs, ... }:
{
flake.modules = {
nixos.cli =
{ pkgs, ... }:
{
imports = with inputs.self.modules.nixos; [
btop
helix
tmux
];
environment.systemPackages = with pkgs; [
p7zip
rclone
];
};
homeManager.cli =
{ ... }:
{
imports = with inputs.self.modules.homeManager; [
btop
comma
direnv
helix
hm-cli
starship
tmux
];
programs.zoxide = {
enable = true;
enableBashIntegration = true;
enableZshIntegration = true;
};
};
};
}

165
aspects/systems/desktop.nix
View file

@ -1,165 +0,0 @@
{
inputs,
...
}:
{
flake.modules = {
nixos.desktop =
{
config,
lib,
pkgs,
...
}:
{
imports = [
inputs.nix-flatpak.nixosModules.nix-flatpak
]
++ (with inputs.self.modules.nixos; [
graphics
media
office
web
]);
boot = {
plymouth.enable = true;
initrd.systemd.enable = true;
loader.efi.efiSysMountPoint = "/boot/efi";
kernelPackages = pkgs.linuxPackages_xanmod_latest;
extraModprobeConfig = ''
options bluetooth disable_ertm=1
'';
kernel.sysctl = {
"net.ipv4.tcp_mtu_probing" = 1;
};
kernelParams = [
"quiet"
"splash"
"i2c-dev"
"i2c-piix4"
"loglevel=3"
"udev.log_priority=3"
"rd.udev.log_level=3"
"rd.systemd.show_status=false"
];
};
nix = {
registry.nixpkgs.flake = inputs.nixpkgs;
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"/nix/var/nix/profiles/per-user/root/channels"
];
};
environment = {
etc."channels/nixpkgs".source = inputs.nixpkgs.outPath;
sessionVariables = {
KDEHOME = "$XDG_CONFIG_HOME/kde4"; # Stops kde from placing a .kde4 folder in the home dir
NIXOS_OZONE_WL = "1"; # Forces chromium and most electron apps to run in wayland
};
systemPackages = with pkgs; [
libfido2
mission-center
toggleaudiosink
unrar
];
};
services = {
printing.enable = true;
udev.packages = with pkgs; [ yubikey-personalization ];
keyd = {
enable = true;
keyboards = {
all = {
ids = [ "*" ];
settings.main.capslock = "overload(meta, esc)";
};
corne = {
ids = [ "5653:0001" ];
settings.main = {
esc = "overload(meta, esc)";
};
};
};
};
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
displayManager.autoLogin = {
enable = true;
user = "user";
};
flatpak = {
enable = true;
packages = [
"com.github.tchx84.Flatseal"
"com.rustdesk.RustDesk"
];
uninstallUnmanaged = true;
update.auto.enable = true;
};
gvfs.enable = true;
};
security.rtkit.enable = true; # Needed for pipewire to acquire realtime priority
programs = {
dconf.enable = true;
appimage = {
enable = true;
binfmt = true;
};
};
fonts = {
fontDir.enable = true;
packages = with pkgs; [
corefonts
inter
nerd-fonts.fira-code
noto-fonts-cjk-sans
noto-fonts-color-emoji
roboto
];
};
};
homeManager.desktop =
{
config,
lib,
pkgs,
inputs,
...
}:
{
imports = [
inputs.vicinae.homeManagerModules.default
]
++ (with inputs.self.modules.homeManager; [ media ]);
fonts.fontconfig.enable = true;
services.vicinae = {
enable = true;
systemd = {
enable = true;
autoStart = true;
};
};
xdg = {
enable = true;
userDirs.enable = true;
};
};
};
}

48
aspects/systems/gaming.nix
View file

@ -1,48 +0,0 @@
{ inputs, ... }:
{
flake.modules = {
nixos.gaming =
{ pkgs, ... }:
{
imports = with inputs.self.modules.nixos; [
mangohud
steam
];
hardware = {
xpadneo.enable = true;
steam-hardware.enable = true; # Allow steam client to manage controllers
graphics.enable32Bit = true; # For OpenGL games
};
services.flatpak.packages = [
"com.github.k4zmu2a.spacecadetpinball"
"io.itch.itch"
"io.mrarm.mcpelauncher"
"net.retrodeck.retrodeck"
"org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/25.08"
rec {
appId = "com.hypixel.HytaleLauncher";
sha256 = "uu7FA36M4wSqDXRF1fFNla8S5MjL1N1kZi4gwbpw1oY=";
bundle = "${pkgs.fetchurl {
url = "https://launcher.hytale.com/builds/release/linux/amd64/hytale-launcher-latest.flatpak";
inherit sha256;
}}";
}
];
environment.systemPackages = with pkgs; [
clonehero
heroic
prismlauncher
];
};
homeManager.gaming =
{ ... }:
{
imports = with inputs.self.modules.homeManager; [
mangohud
];
};
};
}

36
aspects/systems/server.nix
View file

@ -1,36 +0,0 @@
{ inputs, ... }:
{
flake.modules.nixos.server =
{
config,
lib,
pkgs,
...
}:
{
boot = {
kernelPackages = pkgs.linuxPackages_hardened;
kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
};
environment.etc."channels/nixpkgs".source = inputs.nixpkgs-stable.outPath;
nix = {
registry.nixpkgs.flake = inputs.nixpkgs-stable;
nixPath = [
"nixpkgs=/etc/channels/nixpkgs"
"/nix/var/nix/profiles/per-user/root/channels"
];
};
services.tailscale = {
extraSetFlags = [ "--advertise-exit-node" ];
useRoutingFeatures = "server";
};
};
}

17
aspects/users/_user/git.nix
View file

@ -1,17 +0,0 @@
{ ... }:
{
programs = {
git = {
enable = true;
settings.user = {
name = "William";
email = "baduhai@proton.me";
};
};
diff-so-fancy = {
enable = true;
enableGitIntegration = true;
};
};
}

12
aspects/users/root.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
flake.modules.nixos.root =
{ pkgs, ... }:
{
users.users.root = {
shell = pkgs.fish;
hashedPassword = "!";
};
};
}

55
aspects/users/user.nix
View file

@ -1,55 +0,0 @@
{ inputs, ... }:
let
mkHomeConfiguration = inputs.self.lib.mkHomeConfiguration;
in
{
flake = {
modules.nixos.user =
{ pkgs, ... }:
{
users.users.user = {
isNormalUser = true;
shell = pkgs.zsh;
extraGroups = [
"networkmanager"
"wheel"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
];
hashedPassword = "$6$Pj7v/CpstyuWQQV0$cNujVDhfMBdwlGVEnnd8t71.kZPixbo0u25cd.874iaqLTH4V5fa1f98V5zGapjQCz5JyZmsR94xi00sUrntT0";
};
};
homeConfigurations = {
"user@rotterdam" = mkHomeConfiguration {
user = "user";
hostname = "rotterdam";
userModules = with inputs.self.modules.homeManager; [
# system aspects
desktop
gaming
# other aspects
ai
kde
];
};
"user@io" = mkHomeConfiguration {
user = "user";
hostname = "io";
userModules = with inputs.self.modules.homeManager; [
# system aspects
desktop
# other aspects
ai
kde
];
};
};
};
}

42
data/services.nix
View file

@ -1,42 +0,0 @@
# Shared service and host definitions
# This file can be imported directly (unlike aspects which use flake-parts)
{
hosts = {
alexandria = {
lanIP = "192.168.15.142";
tailscaleIP = "100.76.19.50";
};
trantor = {
tailscaleIP = "100.108.5.90";
};
};
services = [
{
name = "vaultwarden";
domain = "pass.baduhai.dev";
host = "alexandria";
}
{
name = "forgejo";
domain = "git.baduhai.dev";
host = "trantor";
public = true;
}
{
name = "nextcloud";
domain = "cloud.baduhai.dev";
host = "alexandria";
}
{
name = "jellyfin";
domain = "jellyfin.baduhai.dev";
host = "alexandria";
}
{
name = "miniflux";
domain = "rss.baduhai.dev";
host = "alexandria";
}
];
}

705
flake.lock generated
View file

File diff suppressed because it is too large Load diff

64
flake.nix
View file

@ -2,57 +2,57 @@
description = "My nix hosts";
inputs = {
# nix tools
flake-parts.url = "github:hercules-ci/flake-parts";
import-tree.url = "github:vic/import-tree";
# nixos/hm
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
home-manager = {
url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs";
};
# nixos/hm functionality modules
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
disko.url = "github:nix-community/disko";
impermanence.url = "github:nix-community/impermanence";
nixos-cli.url = "github:nix-community/nixos-cli";
nix-flatpak.url = "github:gmodena/nix-flatpak/main";
stylix.url = "github:danth/stylix";
# nixos/hm program modules
nix-ai-tools.url = "github:numtide/llm-agents.nix";
nix-index-database = {
url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
disko.url = "github:nix-community/disko";
noctalia = {
url = "github:noctalia-dev/noctalia-shell";
inputs.nixpkgs.follows = "nixpkgs";
};
vicinae.url = "github:vicinaehq/vicinae";
nixos-cli.url = "github:nix-community/nixos-cli";
nix-flatpak.url = "github:gmodena/nix-flatpak/main";
zen-browser.url = "github:0xc000022070/zen-browser-flake";
# stand-alone tools
impermanence.url = "github:nix-community/impermanence";
deploy-rs.url = "github:serokell/deploy-rs";
niri-flake.url = "github:sodiboo/niri-flake";
nix-index-database = {
url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
terranix = {
url = "github:terranix/terranix";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-ai-tools.url = "github:numtide/llm-agents.nix";
vicinae.url = "github:vicinaehq/vicinae";
};
outputs =
inputs@{ flake-parts, import-tree, ... }:
let
aspectsModules = import-tree ./aspects;
packagesModules = import-tree ./packages;
shellsModules = import-tree ./shells;
terranixModules = import-tree ./terranix;
in
inputs@{ flake-parts, ... }:
flake-parts.lib.mkFlake { inherit inputs; } {
systems = [
"x86_64-linux"
@ -60,12 +60,14 @@
];
imports = [
flake-parts.flakeModules.modules
inputs.terranix.flakeModule
]
++ aspectsModules.imports
++ packagesModules.imports
++ shellsModules.imports
++ terranixModules.imports;
./deploy.nix
./devShells.nix
./homeConfigurations.nix
./nixosConfigurations.nix
./nixosModules.nix
./overlays.nix
./packages.nix
./terranixConfigurations.nix
];
};
}

37
modules/nix/agenix.nix Normal file
View file

@ -0,0 +1,37 @@
{
self,
inputs,
...
}:
{
flake-file.inputs = {
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.home-manager.follows = "home-manager";
};
secrets = {
url = "path:./secrets";
flake = false;
};
};
flake.modules = {
nixos.secrets =
{ pkgs, ... }:
{
imports = [
inputs.agenix.nixosModules.default
];
environment.systemPackages = [ inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default ];
};
# homeManager.secrets =
# { pkgs, ... }:
# {
# imports = [
# inputs.agenix.homeManagerModules.default
# ];
# };
};
}

25
modules/nix/dendritic-tools.nix Normal file
View file

@ -0,0 +1,25 @@
{
inputs,
...
}:
{
flake-file.inputs = {
flake-parts.url = "github:hercules-ci/flake-parts";
flake-file.url = "github:vic/flake-file";
import-tree.url = "github:vic/import-tree";
};
imports = [
inputs.flake-parts.flakeModules.modules
inputs.flake-file.flakeModules.default
];
flake-file.outputs = ''
inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } (inputs.import-tree ./modules)
'';
systems = [
"aarch64-linux"
"x86_64-linux"
];
}

12
modules/nix/factory.nix Normal file
View file

@ -0,0 +1,12 @@
{
lib,
...
}:
{
# factory: storage for factory aspect functions
options.flake.factory = lib.mkOption {
type = lib.types.attrsOf lib.types.unspecified;
default = { };
};
}

36
modules/nix/home-manager.nix Normal file
View file

@ -0,0 +1,36 @@
{
inputs,
config,
...
}:
let
home-manager-config =
{ lib, ... }:
{
home-manager = {
verbose = false;
useUserPackages = true;
useGlobalPkgs = true;
backupFileExtension = "backup";
backupCommand = "rm";
overwriteBackup = true;
};
};
in
{
flake-file.inputs = {
home-manager = {
url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs";
};
};
flake.modules.nixos.home-manager = {
imports = [
inputs.home-manager.nixosModules.home-manager
home-manager-config
];
};
}

54
modules/nix/impermanence.nix Normal file
View file

@ -0,0 +1,54 @@
{ inputs, ... }:
{
flake-file.inputs = {
impermanence.url = "github:nix-community/impermanence";
};
# convenience function to set persistence settings only, if impermanence module was imported
flake.lib = {
mkIfPersistence =
config: settings:
if config ? home then
(if config.home ? persistence then settings else { })
else
(if config.environment ? persistence then settings else { });
};
flake.modules.nixos.impermanence =
{ config, ... }:
{
imports = [
inputs.impermanence.nixosModules.impermanence
];
environment.persistence."/persistent" = {
hideMounts = true;
directories = [
"/var/log"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
];
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
};
# home-manager.sharedModules = [
# {
# home.persistence."/persistent" = {
# };
# }
# ];
fileSystems."/persistent".neededForBoot = true;
programs.fuse.userAllowOther = true;
};
}

34
modules/nix/lib.nix Normal file
View file

@ -0,0 +1,34 @@
{
inputs,
lib,
...
}:
{
# Helper functions for creating system & home-manager configurations
options.flake.lib = lib.mkOption {
type = lib.types.attrsOf lib.types.unspecified;
default = { };
};
config.flake.lib = {
mkNixos = system: name: {
${name} = inputs.nixpkgs.lib.nixosSystem {
modules = [
inputs.self.modules.nixos.${name}
{ nixpkgs.hostPlatform = lib.mkDefault system; }
];
};
};
mkHomeManager = system: name: {
${name} = inputs.home-manager.lib.homeManagerConfiguration {
pkgs = inputs.nixpkgs.legacyPackages.${system};
modules = [
inputs.self.modules.homeManager.${name}
{ nixpkgs.config.allowUnfree = true; }
];
};
};
};
}

42
modules/nix/pkgs-by-name.nix Normal file
View file

@ -0,0 +1,42 @@
{
inputs,
withSystem,
...
}:
{
flake-file.inputs = {
pkgs-by-name-for-flake-parts.url = "github:drupol/pkgs-by-name-for-flake-parts";
packages = {
url = "path:./packages";
flake = false;
};
};
imports = [
inputs.pkgs-by-name-for-flake-parts.flakeModule
];
perSystem =
{ system, ... }:
{
pkgsDirectory = inputs.packages;
};
flake = {
overlays.default = _final: prev: {
local = withSystem prev.stdenv.hostPlatform.system ({ config, ... }: config.packages);
};
modules.generic.pkgs-by-name =
{ pkgs, ... }:
{
nixpkgs.overlays = [
inputs.self.overlays.default
];
nixpkgs-stable.overlays = [
inputs.self.overlays.default
];
};
};
}

188
packages/amnesiac-brave.nix
View file

@ -1,188 +0,0 @@
{ ... }:
{
perSystem =
{
pkgs,
lib,
...
}:
let
# Managed policy (enforced, user cannot override)
brave-policy = pkgs.writeTextFile {
name = "brave-managed-policy.json";
destination = "/etc/brave/policies/managed/policy.json";
text = builtins.toJSON {
# ── Startup / UI ────────────────────────────────────────────────
DefaultBrowserSettingEnabled = false; # Never ask to set as default
PromotionalTabsEnabled = false; # No welcome/promo pages
RestoreOnStartup = 5; # Open new tab on startup
NewTabPageLocation = "about:blank"; # New tab = blank page
BookmarkBarEnabled = false; # Never show bookmarks bar
# ── Search engine ───────────────────────────────────────────────
DefaultSearchProviderEnabled = true;
DefaultSearchProviderName = "Google";
DefaultSearchProviderSearchURL = "https://www.google.com/search?q={searchTerms}";
DefaultSearchProviderSuggestURL = "https://www.google.com/complete/search?client=chrome&q={searchTerms}";
# ── HTTPS ────────────────────────────────────────────────────────
HttpsOnlyMode = "force_enabled"; # Strict HTTPS upgrade
# ── Cookies ──────────────────────────────────────────────────────
DefaultCookiesSetting = 1; # Allow all cookies
# ── Passwords / Autofill ─────────────────────────────────────────
PasswordManagerEnabled = false;
AutofillAddressEnabled = false;
AutofillCreditCardEnabled = false;
PaymentMethodQueryEnabled = false;
# ── Background running ───────────────────────────────────────────
BackgroundModeEnabled = false;
# ── Clear data on exit ───────────────────────────────────────────
ClearBrowsingDataOnExitList = [
"browsing_history"
"download_history"
"cookies_and_other_site_data"
"cached_images_and_files"
"password_signin"
"autofill"
"site_settings"
"hosted_app_data"
];
# ── Brave data collection / telemetry ────────────────────────────
BraveP3AEnabled = false; # Product analytics
BraveStatsPingEnabled = false; # Usage ping
BraveWebDiscoveryEnabled = false; # Web discovery project
MetricsReportingEnabled = false; # Chromium UMA metrics
SafeBrowsingEnabled = false;
SafeBrowsingExtendedReportingEnabled = false;
SafeBrowsingDeepScanningEnabled = false;
SearchSuggestEnabled = false;
# ── Web3 / Crypto ────────────────────────────────────────────────
BraveWalletDisabled = true;
BraveRewardsDisabled = true;
BraveVPNDisabled = true;
TorDisabled = true;
# ── Leo / AI ─────────────────────────────────────────────────────
BraveAIChatEnabled = false;
# ── Other Brave features ─────────────────────────────────────────
BraveTalkDisabled = true;
# ── Privacy Sandbox (Chromium) ───────────────────────────────────
PrivacySandboxPromptEnabled = false;
PrivacySandboxAdTopicsEnabled = false;
PrivacySandboxSiteEnabledAdsEnabled = false;
PrivacySandboxAdMeasurementEnabled = false;
# ── Misc Chromium ────────────────────────────────────────────────
WebRtcEventLogCollectionAllowed = false;
EnableMediaRouter = false;
};
};
# Seeded Preferences (first-run defaults, user can override)
# These keys have no policy or CLI equivalent. Brave writes over this
# file at runtime so this only sets the initial state on a fresh profile.
brave-prefs = pkgs.writeText "brave-initial-prefs.json" (
builtins.toJSON {
brave = {
tabs.vertical_tabs_enabled = true;
sidebar.sidebar_show_option = 3;
window_closing_confirm = false;
};
browser.custom_chrome_frame = true;
tab_hover_cards.tab_hover_card_images_enabled = true;
}
);
brave-launcher = pkgs.writeShellScriptBin "brave" ''
RUNTIME_DIR="/tmp/brave-$$"
CONFIG_DIR="$RUNTIME_DIR/config/BraveSoftware"
CACHE_DIR="$RUNTIME_DIR/cache/BraveSoftware"
POLICY="${brave-policy}/etc/brave/policies/managed/policy.json"
mkdir -p "$CONFIG_DIR/Brave-Browser/Default"
mkdir -p "$CACHE_DIR"
cp ${brave-prefs} "$CONFIG_DIR/Brave-Browser/Default/Preferences"
chmod 600 "$CONFIG_DIR/Brave-Browser/Default/Preferences"
trap 'rm -rf "$RUNTIME_DIR"' EXIT
${pkgs.bubblewrap}/bin/bwrap \
--ro-bind /nix/store /nix/store \
--ro-bind /etc/fonts /etc/fonts \
--bind "$CONFIG_DIR" "$HOME/.config/BraveSoftware" \
--bind "$CACHE_DIR" "$HOME/.cache/BraveSoftware" \
--ro-bind "$POLICY" /etc/brave/policies/managed/policy.json \
--dev /dev \
--proc /proc \
--tmpfs /tmp \
--bind /run /run \
--die-with-parent \
-- ${pkgs.brave}/bin/brave --no-first-run "$@"
'';
brave-desktop = pkgs.writeTextFile {
name = "amnesiac-brave.desktop";
destination = "/share/applications/amnesiac-brave.desktop";
text = "[Desktop Entry]
Version=1.0
Name=Amnesiac Brave
GenericName=Amnesiac Web Browser
Comment=Access the internet, leave no trace on your system
Exec=@BRAVE_WRAPPER@ %U
StartupNotify=true
Icon=amnesiac-brave
Type=Application
Categories=Network;WebBrowser;
MimeType=application/pdf;application/rdf+xml;application/rss+xml;application/xhtml+xml;application/xhtml_xml;application/xml;image/gif;image/jpeg;image/png;image/webp;text/html;text/xml;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/chromium;
Actions=new-window
[Desktop Action new-window]
Name=New Window
Exec=@BRAVE_WRAPPER@ %U
";
};
amnesiac-brave-icon =
pkgs.runCommand "amnesiac-brave-icon"
{
nativeBuildInputs = [ pkgs.imagemagick ];
}
''
mkdir -p "$out/share/icons/hicolor/256x256/apps"
convert ${pkgs.brave}/share/icons/hicolor/256x256/apps/brave-browser.png \
-modulate 100,100,270 \
"$out/share/icons/hicolor/256x256/apps/amnesiac-brave.png"
for size in 16 24 32 48 64; do
mkdir -p "$out/share/icons/hicolor/''${size}x''${size}/apps"
convert ${pkgs.brave}/share/icons/hicolor/''${size}x''${size}/apps/brave-browser.png \
-modulate 100,100,270 \
"$out/share/icons/hicolor/''${size}x''${size}/apps/amnesiac-brave.png"
done
'';
in
{
packages.amnesiac-brave = pkgs.symlinkJoin {
name = "amnesiac-brave";
paths = [
brave-launcher
brave-policy
brave-desktop
amnesiac-brave-icon
pkgs.brave
];
postBuild = ''
brave_bin="$(readlink -f "$out/bin/brave")"
amnesiac_desktop="$out/share/applications/amnesiac-brave.desktop"
if [ -L "$amnesiac_desktop" ]; then
cp --remove-destination "$(readlink "$amnesiac_desktop")" "$amnesiac_desktop"
fi
sed -i \
"s|@BRAVE_WRAPPER@|$brave_bin|g" \
"$amnesiac_desktop"
rm -f "$out/share/applications/brave-browser.desktop"
rm -f "$out/share/applications/com.brave.Browser.desktop"
rm -f "$out/share/icons/hicolor/"*/apps/brave-browser.png
'';
};
};
}

35
packages/base16-schemes.nix
View file

@ -1,35 +0,0 @@
{ ... }:
{
perSystem =
{ pkgs, ... }:
{
packages.base16-schemes = pkgs.stdenv.mkDerivation (finalAttrs: {
pname = "base16-schemes";
version = "0-unstable-2025-06-04";
src = pkgs.fetchFromGitHub {
owner = "tinted-theming";
repo = "schemes";
rev = "317a5e10c35825a6c905d912e480dfe8e71c7559";
hash = "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=";
};
installPhase = ''
runHook preInstall
mkdir -p $out/share/themes/
install base16/*.yaml $out/share/themes/
runHook postInstall
'';
meta = {
description = "All the color schemes for use in base16 packages";
homepage = "https://github.com/tinted-theming/schemes";
maintainers = [ pkgs.lib.maintainers.DamienCassou ];
license = pkgs.lib.licenses.mit;
};
});
};
}

88
packages/fastfetch.nix
View file

@ -1,88 +0,0 @@
{ ... }:
{
perSystem =
{ pkgs, lib, ... }:
let
fastfetch-logo = pkgs.fetchurl {
url = "https://discourse.nixos.org/uploads/default/original/3X/3/6/36954e6d6aa32c8b00f50ca43f142d898c1ff535.png";
hash = "sha256-aLHz8jSAFocrn+Pb4vRq0wtkYFJpBpZRevd+VoZC/PQ=";
};
fastfetch-config = pkgs.writeText "fastfetch-config.json" (
builtins.toJSON {
"$schema" = "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json";
modules = [
"title"
"separator"
{
type = "os";
keyWidth = 9;
}
{
type = "kernel";
keyWidth = 9;
}
{
type = "uptime";
keyWidth = 9;
}
{
type = "shell";
keyWidth = 9;
}
"break"
{
type = "cpu";
keyWidth = 11;
}
{
type = "gpu";
keyWidth = 11;
}
{
type = "memory";
keyWidth = 11;
}
{
type = "swap";
keyWidth = 11;
}
{
type = "disk";
folders = "/";
keyWidth = 11;
}
{
type = "command";
key = "Systemd";
keyWidth = 11;
text = "echo \"$(systemctl list-units --state=failed --no-legend | wc -l) failed units, $(systemctl list-jobs --no-legend | wc -l) queued jobs\"";
}
"break"
{
type = "command";
key = "Public IP";
keyWidth = 15;
text = "curl -s -4 ifconfig.me 2>/dev/null || echo 'N/A'";
}
{
type = "command";
key = "Tailscale IP";
keyWidth = 15;
text = "tailscale ip -4 2>/dev/null || echo 'N/A'";
}
{
type = "command";
key = "Local IP";
keyWidth = 15;
text = "ip -4 addr show scope global | grep inet | head -n1 | awk '{print $2}' | cut -d/ -f1";
}
];
}
);
in
{
packages.fastfetch = pkgs.writeShellScriptBin "fastfetch" ''exec ${lib.getExe pkgs.fastfetch} --config ${fastfetch-config} --logo-type auto --logo ${fastfetch-logo} --logo-padding-right 1 --logo-width 36 "$@" '';
};
}

107
packages/hm-cli.nix
View file

@ -1,107 +0,0 @@
{ ... }:
{
perSystem =
{ pkgs, ... }:
{
packages.hm-cli = pkgs.writeShellScriptBin "hm" ''
HM="${pkgs.lib.getExe pkgs.home-manager}"
FLAKE_PATH="''${HM_PATH:-$HOME/.config/home-manager}"
FLAKE_OUTPUT="''${HM_USER:-$(whoami)@$(hostname)}"
show_usage() {
cat <<EOF
Usage: hm <command> [args]
Commands:
apply Switch to a new generation
generation list List all generations
generation delete ID... Delete specified generation(s)
generation rollback Rollback to the previous generation
generation switch ID Switch to the specified generation
generation cleanup Delete all but the current generation
Environment Variables:
HM_PATH Override default flake path (~/.config/home-manager)
Currently set to "''${HM_PATH:-<not set>}"
HM_USER Override default user output ("$(whoami)@$(hostname)")
Currently set to "''${HM_USER:-<not set>}"
EOF
}
if [[ $# -eq 0 ]]; then
show_usage
exit 1
fi
case "$1" in
apply)
"$HM" switch --flake "$FLAKE_PATH#$FLAKE_OUTPUT" -b bkp
;;
generation)
if [[ $# -lt 2 ]]; then
echo "Error: generation command requires a subcommand"
show_usage
exit 1
fi
case "$2" in
list)
"$HM" generations
;;
delete)
if [[ $# -lt 3 ]]; then
echo "Error: delete requires at least one generation ID"
exit 1
fi
shift 2
"$HM" remove-generations "$@"
;;
rollback)
PREV_GEN=$("$HM" generations | \
sed -n 's/^[[:space:]]*id \([0-9]\+\).*/\1/p' | \
head -n 2 | tail -n 1)
if [[ -z "$PREV_GEN" ]]; then
echo "Error: could not determine previous generation (possibly only one generation exists)"
exit 1
fi
"$HM" switch --flake "$FLAKE_PATH" --switch-generation "$PREV_GEN" -b bkp
;;
switch)
if [[ $# -ne 3 ]]; then
echo "Error: switch requires exactly one generation ID"
exit 1
fi
"$HM" switch --flake "$FLAKE_PATH" --switch-generation "$3" -b bkp
;;
cleanup)
CURRENT_GEN=$("$HM" generations | sed -n 's/^.*id \([0-9]\+\) .* (current)$/\1/p')
if [[ -z "$CURRENT_GEN" ]]; then
echo "Error: could not determine current generation"
exit 1
fi
OLD_GENS=$("$HM" generations | sed -n 's/^.*id \([0-9]\+\) .*/\1/p' | grep -v "^$CURRENT_GEN$")
if [[ -z "$OLD_GENS" ]]; then
echo "No old generations to delete"
else
echo "Deleting generations: $(echo $OLD_GENS | tr '\n' ' ')"
echo "$OLD_GENS" | xargs "$HM" remove-generations
echo "Cleanup complete. Current generation $CURRENT_GEN preserved."
fi
;;
*)
echo "Error: unknown generation subcommand '$2'"
show_usage
exit 1
;;
esac
;;
*)
echo "Error: unknown command '$1'"
show_usage
exit 1
;;
esac
'';
};
}

10
packages/kwrite.nix
View file

@ -1,10 +1,6 @@
{ ... }:
{ pkgs }:
{
perSystem =
{ pkgs, ... }:
{
packages.kwrite = pkgs.symlinkJoin {
pkgs.symlinkJoin {
name = "kwrite";
paths = [ pkgs.kdePackages.kate ];
postBuild = ''
@ -16,6 +12,4 @@
$out/share/icons/hicolor/scalable/apps/kate.svg \
$out/share/appdata/org.kde.kate.appdata.xml
'';
};
};
}

23
packages/overlays.nix
View file

@ -1,23 +0,0 @@
{ inputs, ... }:
let
packageDir = builtins.readDir ./.;
# Filter to .nix files, excluding overlays.nix
isPackageFile = name: name != "overlays.nix" && builtins.match ".*\\.nix$" name != null;
# Extract package name from filename (e.g., "foo-bar.nix" -> "foo-bar")
toPackageName = filename: builtins.head (builtins.match "(.+)\\.nix$" filename);
packageNames = map toPackageName (builtins.filter isPackageFile (builtins.attrNames packageDir));
in
{
flake.overlays.default =
final: prev:
builtins.listToAttrs (
map (name: {
inherit name;
value = inputs.self.packages.${final.system}.${name};
}) packageNames
);
}

14
packages/toggleaudiosink.nix
View file

@ -1,10 +1,8 @@
{ ... }:
{
pkgs ? import <nixpkgs> { },
}:
{
perSystem =
{ pkgs, ... }:
{
packages.toggleaudiosink = pkgs.writeShellScriptBin "toggleaudiosink" ''
pkgs.writeShellScriptBin "toggleaudiosink" ''
#!/usr/bin/env bash
sound_server="pipewire"
@ -47,6 +45,4 @@
for app in $(${pkgs.pulseaudio}/bin/pactl list sink-inputs | sed -n -e 's/.*Sink Input #\([[:digit:]]\)/\1/p'); do
${pkgs.pulseaudio}/bin/pactl "move-sink-input $app $next_sink"
done
'';
};
}
''

73
readme.md
View file

@ -1,73 +0,0 @@
# NixOS Flake Configuration
Modular NixOS configuration using flake-parts with the [dendritic](https://github.com/gytis-ivaskevicius/dendritic) pattern.
## Structure
```
.
├── aspects/ # Reusable NixOS/home-manager modules (dendritic)
│ ├── base/ # Base system configuration
│ ├── hosts/ # Host-specific configurations
│ │ ├── _alexandria/
│ │ ├── _io/
│ │ ├── _rotterdam/
│ │ └── _trantor/
│ ├── systems/ # System type modules (desktop, server, cli, gaming)
│ └── users/ # User account configurations
├── data/ # Shared host/service definitions
├── packages/ # Custom packages and overlays
├── shells/ # Shell configurations
└── terranix/ # Terraform configurations for cloud resources
```
## Hosts
| Host | Architecture | Type | Description |
|------|--------------|------|-------------|
| trantor | aarch64-linux | server | ARM server running Forgejo |
| alexandria | x86_64-linux | server | x86 server (Kanidm, Vaultwarden, Nextcloud, Jellyfin) |
| rotterdam | x86_64-linux | desktop | Main workstation setup for gaming |
| io | x86_64-linux | desktop | Workstation |
## Services
- **git.baduhai.dev** (Forgejo) - Publicly accessible on trantor
Other services (LAN/Tailscale only): Vaultwarden, Nextcloud, Jellyfin
## Features
- **Ephemeral root**: Automatic btrfs subvolume rollover with impermanence
- **Secrets**: Managed via agenix with age encryption
- **Disk management**: disko for declarative disk partitioning
- **Modular architecture**: Each aspect is a separate module imported via import-tree
- **Dendritic pattern**: Aspects are imported as a unified flake module
## Building
```bash
# Build specific host
nix build .#nixosConfigurations.trantor.config.system.build.toplevel
# Rebuild host (if using nixos-cli on the host)
sudo nixos apply
```
## Terranix
Terraform configurations for cloud infrastructure managed via terranix:
- baduhai.dev DNS on CloudFlare
- VPS provisioning on OCI
- Tailscale subnet routers
## Key Dependencies
- nixpkgs (nixos-unstable for workstations, nixos for servers)
- home-manager
- agenix
- disko
- impermanence
- nix-flatpak
- nixos-cli

9
secrets/miniflux-admincreds.age
View file

@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 Kfdnog QEq4A011oVny6vo1+wOcQNnpkf77216PZXJqK4rGTGY
FPeASmXRirxeF2T2jXhA/tEaO0p1CZJ6D3lv3p2KTX0
-> ssh-ed25519 8YSAiw gxuXAt2nG6qXhWwAAiFwNCNYJV2VGKnDNkjU61NOJ2o
xncp+M4lVixiTmXQU5QrtdQ860t/1JpvOcO4YXAy3to
-> ssh-ed25519 J6tVTA Mr0XrEFP/o7nFWBKal+ehzMiejWpVDIBiiMqWzdOzEM
0DTqm2LyMMlVZlTk67Y3hTiVjcJG9gprnXj6QjYxrJw
--- FXUNp6O7vuibJj0RI3SZN3IBK1Hx5ouUij2ah05lCYA
ÔX*÷“µ¬0¬²øÇBŒ<42>3Îð«jbœÍ<C593>S§Vÿ΀Äb¹BcÈi—øD.ïÇ5\é`&`越-Ui"gХȊ`OÒ µG<C2B5>cõ¥øÊæ'»Îºø«@qn[

5
secrets/secrets.nix
View file

@ -32,9 +32,4 @@ in
rotterdam-user
trantor
];
"miniflux-admincreds.age".publicKeys = [
io-user
rotterdam-user
alexandria
];
}

15
shells/default.nix
View file

@ -1,15 +0,0 @@
{ inputs, ... }:
{
perSystem =
{ pkgs, system, ... }:
{
devShells.default = pkgs.mkShell {
packages = with pkgs; [
inputs.agenix.packages.${stdenv.hostPlatform.system}.default
nil
nixfmt
];
};
};
}

113
terranix/baduhai.dev.nix
View file

@ -1,113 +0,0 @@
# Required environment variables:
# CLOUDFLARE_API_TOKEN - API token with "Edit zone DNS" permissions
# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage
# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage
{ ... }:
{
perSystem =
{ pkgs, ... }:
{
terranix.terranixConfigurations.cloudflare-baduhaidev = {
terraformWrapper.package = pkgs.opentofu;
modules = [
(
{ config, lib, ... }:
let
sharedData = import ../data/services.nix;
# Enrich services with host IPs
services = map (
svc:
let
hostInfo = sharedData.hosts.${svc.host} or { };
in
svc
// {
lanIP = hostInfo.lanIP or null;
tailscaleIP = hostInfo.tailscaleIP or null;
}
) sharedData.services;
# Helper to extract subdomain from full domain (e.g., "git.baduhai.dev" -> "git")
getSubdomain = domain: lib.head (lib.splitString "." domain);
# Generate DNS records for services
# Public services point to trantor's public IP
# Private services point to their tailscale IP
mkServiceRecords = lib.listToAttrs (
lib.imap0 (
i: svc:
let
subdomain = getSubdomain svc.domain;
targetIP =
if svc.public or false then
config.data.terraform_remote_state.trantor "outputs.instance_public_ip"
else
svc.tailscaleIP;
in
{
name = "service_${toString i}";
value = {
zone_id = config.variable.zone_id.default;
name = subdomain;
type = "A";
content = targetIP;
proxied = false;
ttl = 3600;
};
}
) services
);
in
{
terraform.required_providers.cloudflare = {
source = "cloudflare/cloudflare";
version = "~> 5.0";
};
terraform.backend.s3 = {
bucket = "terraform-state";
key = "cloudflare/baduhai.dev.tfstate";
region = "auto";
endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com";
skip_credentials_validation = true;
skip_metadata_api_check = true;
skip_region_validation = true;
skip_requesting_account_id = true;
use_path_style = true;
};
variable = {
zone_id = {
default = "c63a8332fdddc4a8e5612ddc54557044";
type = "string";
};
};
data = {
terraform_remote_state.trantor = {
backend = "s3";
config = {
bucket = "terraform-state";
key = "oci/trantor.tfstate";
region = "auto";
endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com";
skip_credentials_validation = true;
skip_metadata_api_check = true;
skip_region_validation = true;
skip_requesting_account_id = true;
use_path_style = true;
};
};
};
resource.cloudflare_dns_record = mkServiceRecords;
}
)
];
};
};
}

20
terranix/kernelpanic.space.nix
View file

@ -1,20 +0,0 @@
# Cloudflare kernelpanic.space configuration placeholder
{ ... }:
{
perSystem =
{ pkgs, ... }:
{
terranix.terranixConfigurations.cloudflare-kernelpanicspace = {
terraformWrapper.package = pkgs.opentofu;
modules = [
(
{ config, ... }:
{
# Terraform config goes here
}
)
];
};
};
}

57
terranix/tailnet.nix
View file

@ -1,57 +0,0 @@
# Required environment variables:
# TAILSCALE_API_KEY - Tailscale API key with appropriate permissions
# TAILSCALE_TAILNET - Your tailnet name (e.g., "user@example.com" or "example.org.github")
# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage
# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage
{ ... }:
{
perSystem =
{ pkgs, ... }:
{
terranix.terranixConfigurations.tailscale-tailnet = {
terraformWrapper.package = pkgs.opentofu;
modules = [
(
{ config, ... }:
{
terraform.required_providers.tailscale = {
source = "tailscale/tailscale";
version = "~> 0.17";
};
terraform.backend.s3 = {
bucket = "terraform-state";
key = "tailscale/tailnet.tfstate";
region = "auto";
endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com";
skip_credentials_validation = true;
skip_metadata_api_check = true;
skip_region_validation = true;
skip_requesting_account_id = true;
use_path_style = true;
};
variable = {
trantor_tailscale_ip = {
default = "100.108.5.90";
type = "string";
};
};
resource = {
tailscale_dns_nameservers.global = {
nameservers = [
config.variable.trantor_tailscale_ip.default
"1.1.1.1"
"1.0.0.1"
];
};
};
}
)
];
};
};
}

20
terranix/terminus.nix
View file

@ -1,20 +0,0 @@
# OCI Terminus configuration placeholder
{ ... }:
{
perSystem =
{ pkgs, ... }:
{
terranix.terranixConfigurations.oci-terminus = {
terraformWrapper.package = pkgs.opentofu;
modules = [
(
{ config, ... }:
{
# Terraform config goes here
}
)
];
};
};
}

272
terranix/trantor.nix
View file

@ -1,272 +0,0 @@
# Required environment variables:
# instead of OCI variables, ~/.oci/config may also be used
# OCI_TENANCY_OCID - Oracle tenancy OCID (or use TF_VAR_* to override variables)
# OCI_USER_OCID - Oracle user OCID
# OCI_FINGERPRINT - API key fingerprint
# OCI_PRIVATE_KEY_PATH - Path to OCI API private key
# AWS variables are required
# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage
# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage
{ ... }:
{
perSystem =
{ pkgs, ... }:
{
terranix.terranixConfigurations.oci-trantor = {
terraformWrapper.package = pkgs.opentofu;
modules = [
(
{ config, ... }:
{
terraform.required_providers.oci = {
source = "oracle/oci";
version = "~> 7.0";
};
provider.oci.region = "sa-saopaulo-1";
terraform.backend.s3 = {
bucket = "terraform-state";
key = "oci/trantor.tfstate";
region = "auto";
endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com";
skip_credentials_validation = true;
skip_metadata_api_check = true;
skip_region_validation = true;
skip_requesting_account_id = true;
use_path_style = true;
};
variable = {
tenancy_ocid = {
default = "ocid1.tenancy.oc1..aaaaaaaap3vfdz4piygqza6e6zqunbcuso43ddqfo3ydmpmnomidyghh7rvq";
type = "string";
};
compartment_name = {
default = "trantor";
type = "string";
};
vcn_cidr = {
default = "10.0.0.0/24";
type = "string";
};
instance_name = {
default = "trantor";
type = "string";
};
ssh_public_keys = {
default = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
];
type = "list(string)";
};
};
data = {
oci_identity_availability_domains.ads = {
compartment_id = config.variable.tenancy_ocid.default;
};
oci_core_images.ubuntu_arm = {
compartment_id = config.variable.tenancy_ocid.default;
operating_system = "Canonical Ubuntu";
operating_system_version = "24.04";
shape = "VM.Standard.A1.Flex";
sort_by = "TIMECREATED";
sort_order = "DESC";
};
};
resource = {
oci_identity_compartment.trantor = {
compartment_id = config.variable.tenancy_ocid.default;
description = "trantor infrastructure compartment";
name = config.variable.compartment_name.default;
};
oci_core_vcn.vcn = {
compartment_id = config.resource.oci_identity_compartment.trantor "id";
cidr_blocks = [ config.variable.vcn_cidr.default ];
display_name = "trantor-vcn";
dns_label = "trantor";
};
oci_core_internet_gateway.ig = {
compartment_id = config.resource.oci_identity_compartment.trantor "id";
vcn_id = config.resource.oci_core_vcn.vcn "id";
display_name = "trantor-ig";
enabled = true;
};
oci_core_route_table.rt = {
compartment_id = config.resource.oci_identity_compartment.trantor "id";
vcn_id = config.resource.oci_core_vcn.vcn "id";
display_name = "trantor-rt";
route_rules = [
{
network_entity_id = config.resource.oci_core_internet_gateway.ig "id";
destination = "0.0.0.0/0";
destination_type = "CIDR_BLOCK";
}
];
};
oci_core_security_list.sl = {
compartment_id = config.resource.oci_identity_compartment.trantor "id";
vcn_id = config.resource.oci_core_vcn.vcn "id";
display_name = "trantor-sl";
egress_security_rules = [
{
destination = "0.0.0.0/0";
protocol = "all";
stateless = false;
}
];
ingress_security_rules = [
{
protocol = "6"; # TCP
source = "0.0.0.0/0";
stateless = false;
tcp_options = {
min = 22;
max = 22;
};
}
{
protocol = "6"; # TCP
source = "0.0.0.0/0";
stateless = false;
tcp_options = {
min = 80;
max = 80;
};
}
{
protocol = "6"; # TCP
source = "0.0.0.0/0";
stateless = false;
tcp_options = {
min = 443;
max = 443;
};
}
{
protocol = "6"; # TCP
source = "0.0.0.0/0";
stateless = false;
tcp_options = {
min = 25565;
max = 25565;
};
}
{
protocol = "6"; # TCP
source = "0.0.0.0/0";
stateless = false;
tcp_options = {
min = 19132;
max = 19133;
};
}
{
protocol = "17"; # UDP
source = "0.0.0.0/0";
stateless = false;
udp_options = {
min = 19132;
max = 19133;
};
}
];
};
oci_core_subnet.subnet = {
compartment_id = config.resource.oci_identity_compartment.trantor "id";
vcn_id = config.resource.oci_core_vcn.vcn "id";
cidr_block = config.variable.vcn_cidr.default;
display_name = "trantor-subnet";
dns_label = "subnet";
route_table_id = config.resource.oci_core_route_table.rt "id";
security_list_ids = [ (config.resource.oci_core_security_list.sl "id") ];
prohibit_public_ip_on_vnic = false;
};
oci_core_instance.trantor = {
availability_domain = config.data.oci_identity_availability_domains.ads "availability_domains[0].name";
compartment_id = config.resource.oci_identity_compartment.trantor "id";
display_name = config.variable.instance_name.default;
shape = "VM.Standard.A1.Flex";
shape_config = {
ocpus = 2;
memory_in_gbs = 12;
};
source_details = {
source_type = "image";
source_id = config.data.oci_core_images.ubuntu_arm "images[0].id";
boot_volume_size_in_gbs = 100;
};
create_vnic_details = {
subnet_id = config.resource.oci_core_subnet.subnet "id";
display_name = "trantor-vnic";
assign_public_ip = true;
hostname_label = config.variable.instance_name.default;
};
metadata = {
ssh_authorized_keys = builtins.concatStringsSep "\n" config.variable.ssh_public_keys.default;
};
preserve_boot_volume = false;
};
oci_budget_budget.trantor_budget = {
compartment_id = config.variable.tenancy_ocid.default;
targets = [ (config.resource.oci_identity_compartment.trantor "id") ];
amount = 1;
reset_period = "MONTHLY";
display_name = "trantor-budget";
description = "Monthly budget for trantor compartment";
target_type = "COMPARTMENT";
};
oci_budget_alert_rule.daily_spend_alert = {
budget_id = config.resource.oci_budget_budget.trantor_budget "id";
type = "ACTUAL";
threshold = 5;
threshold_type = "PERCENTAGE";
display_name = "daily-spend-alert";
recipients = "baduhai@proton.me";
description = "Alert when daily spending exceeds $0.05";
message = "Daily spending has exceeded $0.05 in the trantor compartment";
};
};
output = {
compartment_id = {
value = config.resource.oci_identity_compartment.trantor "id";
};
instance_public_ip = {
value = config.resource.oci_core_instance.trantor "public_ip";
};
};
}
)
];
};
};
}