diff --git a/.gitignore b/.gitignore index b59fd44..73105bb 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,8 @@ result result-* .direnv/ oci-trantor/ +tailscale-tailnet/ +cloudflare-baduhaidev # Personal notes and temporary files todo.md diff --git a/devShells.nix b/devShells.nix index 72b2695..f7e9627 100644 --- a/devShells.nix +++ b/devShells.nix @@ -1,12 +1,12 @@ -{ ... }: +{ inputs, ... }: { perSystem = - { pkgs, ... }: + { pkgs, system, ... }: { devShells.default = pkgs.mkShell { packages = with pkgs; [ - agenix-cli + inputs.agenix.packages.${system}.default deploy-rs nil nixfmt-rfc-style diff --git a/diskoConfigurations.nix b/diskoConfigurations.nix deleted file mode 100644 index 511eddc..0000000 --- a/diskoConfigurations.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ inputs, ... }: - -{ - imports = [ - inputs.disko.flakeModule - ]; - - flake.diskoConfigurations = { - io.modules = [ ./disko/io.nix ]; - trantor.modules = [ ./disko/trantor.nix ]; - }; -} diff --git a/flake.lock b/flake.lock index 5993cdf..27c3580 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1760836749, - "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", + "lastModified": 1761656077, + "narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=", "owner": "ryantm", "repo": "agenix", - "rev": "2f0f812f69f3eb4140157fe15e12739adf82e32a", + "rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5", "type": "github" }, "original": { 
@@ -91,6 +91,28 @@ "type": "github" } }, + "blueprint": { + "inputs": { + "nixpkgs": [ + "nix-ai-tools", + "nixpkgs" + ], + "systems": "systems_3" + }, + "locked": { + "lastModified": 1763308703, + "narHash": "sha256-O9Y+Wer8wOh+N+4kcCK5p/VLrXyX+ktk0/s3HdZvJzk=", + "owner": "numtide", + "repo": "blueprint", + "rev": "5a9bba070f801d63e2af3c9ef00b86b212429f4f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "blueprint", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -186,11 +208,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", "owner": "edolstra", "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", "type": "github" }, "original": { @@ -204,11 +226,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1760948891, - "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=", + "lastModified": 1762040540, + "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04", + "rev": "0010412d62a25d959151790968765a70c436598b", "type": "github" }, "original": { @@ -261,7 +283,25 @@ }, "flake-utils": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_8" }, "locked": { "lastModified": 1731533236, 
@@ -338,11 +378,11 @@ ] }, "locked": { - "lastModified": 1760929667, - "narHash": "sha256-nZh6uvc71nVNaf/y+wesnjwsmJ6IZZUnP2EzpZe48To=", + "lastModified": 1762178366, + "narHash": "sha256-I+8yE5HVR2SFcHnW0771psQ/zn0qVzsKHY/gUM0nEVM=", "owner": "nix-community", "repo": "home-manager", - "rev": "189c21cf879669008ccf06e78a553f17e88d8ef0", + "rev": "8c824254b1ed9e797f6235fc3c62f365893c561a", "type": "github" }, "original": { @@ -418,11 +458,11 @@ "xwayland-satellite-unstable": "xwayland-satellite-unstable" }, "locked": { - "lastModified": 1760950171, - "narHash": "sha256-E2ySTu/oK7cYBdAI3tlGP9zVjF4mZgWJ1OZInBCMb00=", + "lastModified": 1762152856, + "narHash": "sha256-U3SDbk7tIwLChpvb3FL66o8V0byaQ2RGMiy/3oLdxTI=", "owner": "sodiboo", "repo": "niri-flake", - "rev": "f851a923137c0a54719412146fd63d24b3214e60", + "rev": "df17789929ac80f4157b15724450db6a303a6dc9", "type": "github" }, "original": { @@ -451,11 +491,11 @@ "niri-unstable": { "flake": false, "locked": { - "lastModified": 1760940149, - "narHash": "sha256-KbM47vD6E0cx+v4jYQZ8mD5N186AKm2CQlyh34TW58U=", + "lastModified": 1762146685, + "narHash": "sha256-anRlNG6t7esBbF1+ALDeathVBSclA0PEL52Vo0WnN5g=", "owner": "YaLTeR", "repo": "niri", - "rev": "b3245b81a6ed8edfaf5388a74d2e0a23c24941e5", + "rev": "a2ca2b3c866bc781b12c334a9f949b3db6d7c943", "type": "github" }, "original": { @@ -464,6 +504,26 @@ "type": "github" } }, + "nix-ai-tools": { + "inputs": { + "blueprint": "blueprint", + "nixpkgs": "nixpkgs_5", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1763412165, + "narHash": "sha256-n6bChFrCf2/uHzTsZdABUt1+Ua3n0jinNfamHd5DmBA=", + "owner": "numtide", + "repo": "nix-ai-tools", + "rev": "a2dfa932ed37e5b6224b39b4982c85cd8ebcca14", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-ai-tools", + "type": "github" + } + }, "nix-flatpak": { "locked": { "lastModified": 1754777568, 
@@ -487,11 +547,11 @@ ] }, "locked": { - "lastModified": 1760846226, - "narHash": "sha256-xmU8kAsRprJiTGBTaGrwmjBP3AMA9ltlrxHKFuy5JWc=", + "lastModified": 1762055842, + "narHash": "sha256-Pu1v3mlFhRzZiSxVHb2/i/f5yeYyRNqr0RvEUJ4UgHo=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "5024e1901239a76b7bf94a4cd27f3507e639d49e", + "rev": "359ff6333a7b0b60819d4c20ed05a3a1f726771f", "type": "github" }, "original": { @@ -503,7 +563,7 @@ "nix-options-doc": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "rust-overlay": "rust-overlay_2" }, "locked": { @@ -525,14 +585,14 @@ "inputs": { "flake-compat": "flake-compat_2", "nix-options-doc": "nix-options-doc", - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_7" }, "locked": { - "lastModified": 1760856139, - "narHash": "sha256-N+F4n1WYE3AWc/kmdqIz67GNX7PgyKosnmGYYx8vR9k=", + "lastModified": 1761970410, + "narHash": "sha256-IUm2nkbKlDkG94ruTmIYLERpBn6gXydm3scZIKzpcKs=", "owner": "nix-community", "repo": "nixos-cli", - "rev": "c8f5ce1fd9bf151df74328795b6b2720e2e22d75", + "rev": "5c259f72ae1eaa00b99354d81130d8fddb7f9a7a", "type": "github" }, "original": { @@ -559,11 +619,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", + "lastModified": 1761765539, + "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", + "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc", "type": "github" }, "original": { 
@@ -574,11 +634,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1760862643, - "narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=", + "lastModified": 1761999846, + "narHash": "sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c", + "rev": "3de8f8d73e35724bf9abef41f1bdbedda1e14a31", "type": "github" }, "original": { @@ -590,11 +650,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1760862643, - "narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=", + "lastModified": 1761999846, + "narHash": "sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c", + "rev": "3de8f8d73e35724bf9abef41f1bdbedda1e14a31", "type": "github" }, "original": { 
@@ -604,13 +664,45 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_10": { "locked": { - "lastModified": 1761880412, - "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", + "lastModified": 1762111121, + "narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386", + "rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { + "locked": { + "lastModified": 1755615617, + "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "20075955deac2583bb12f07151c2df830ef346b4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1752596105, + "narHash": "sha256-lFNVsu/mHLq3q11MuGkMhUUoSXEdQjCHvpReaGP1S2k=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dab3a6e781554f965bde3def0aa2fda4eb8f1708", "type": "github" }, "original": { @@ -638,11 +730,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1760878510, - "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=", + "lastModified": 1761907660, + "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67", + "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15", "type": "github" }, "original": { 
@@ -653,6 +745,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1763312402, + "narHash": "sha256-3YJkOBrFpmcusnh7i8GXXEyh7qZG/8F5z5+717550Hk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "85a6c4a07faa12aaccd81b36ba9bfc2bec974fa1", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1740695751, "narHash": "sha256-D+R+kFxy1KsheiIzkkx/6L63wEHBYX21OIwlFV8JvDs=", @@ -668,13 +776,13 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { - "lastModified": 1759070547, - "narHash": "sha256-JVZl8NaVRYb0+381nl7LvPE+A774/dRpif01FKLrYFQ=", + "lastModified": 1761880412, + "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "647e5c14cbd5067f44ac86b74f014962df460840", + "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386", "type": "github" }, "original": { @@ -684,13 +792,13 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { - "lastModified": 1760878510, - "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=", + "lastModified": 1761907660, + "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67", + "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15", "type": "github" }, "original": { @@ -700,7 +808,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1758690382, "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", 
@@ -716,36 +824,20 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1755615617, - "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "20075955deac2583bb12f07151c2df830ef346b4", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "noctalia": { "inputs": { "nixpkgs": [ "nixpkgs" ], "quickshell": "quickshell", - "systems": "systems_4" + "systems": "systems_5" }, "locked": { - "lastModified": 1761190730, - "narHash": "sha256-XAs/Q4zBJIfK/bwq9KjTUkTH15A+Pe2rIilyvalEHuM=", + "lastModified": 1762156721, + "narHash": "sha256-gHfzrTDSnNC5yRJwkZfP55fPHUc8DuB4OQEIBSQSs18=", "owner": "noctalia-dev", "repo": "noctalia-shell", - "rev": "c3439b262c7cb3d57c93197a93a3aa382582bdae", + "rev": "5ca5aa602f58a8e0e73fedbef351f1cdf8cbe981", "type": "github" }, "original": { @@ -787,11 +879,11 @@ ] }, "locked": { - "lastModified": 1753595452, - "narHash": "sha256-vqkSDvh7hWhPvNjMjEDV4KbSCv2jyl2Arh73ZXe274k=", + "lastModified": 1761821581, + "narHash": "sha256-nLuc6jA7z+H/6bHPEBSOYPbz7RtvNCZiTKmYItJuBmM=", "ref": "refs/heads/master", - "rev": "a5431dd02dc23d9ef1680e67777fed00fe5f7cda", - "revCount": 665, + "rev": "db1777c20b936a86528c1095cbcb1ebd92801402", + "revCount": 699, "type": "git", "url": "https://git.outfoxxed.me/outfoxxed/quickshell" }, @@ -810,14 +902,16 @@ "impermanence": "impermanence", "niri": "niri", "niri-flake": "niri-flake", + "nix-ai-tools": "nix-ai-tools", "nix-flatpak": "nix-flatpak", "nix-index-database": "nix-index-database", "nixos-cli": "nixos-cli", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "nixpkgs-stable": "nixpkgs-stable_2", "noctalia": "noctalia", "stylix": "stylix", "terranix": "terranix", + "vicinae": "vicinae", "zen-browser": "zen-browser" } }, 
@@ -873,9 +967,9 @@ "firefox-gnome-theme": "firefox-gnome-theme", "flake-parts": "flake-parts_2", "gnome-shell": "gnome-shell", - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_9", "nur": "nur", - "systems": "systems_5", + "systems": "systems_6", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -883,11 +977,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1760472212, - "narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=", + "lastModified": 1762101397, + "narHash": "sha256-wGiL2K3kAyBBmIZpJEskaSIgyzzpg0zwfvri+Sy6/CI=", "owner": "danth", "repo": "stylix", - "rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db", + "rev": "8c0640d5722a02178c8ee80a62c5f019cab4b3c1", "type": "github" }, "original": { 
@@ -986,20 +1080,50 @@ "type": "github" } }, + "systems_7": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_8": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "terranix": { "inputs": { "flake-parts": "flake-parts_3", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_6" + "systems": "systems_7" }, "locked": { - "lastModified": 1757278723, - "narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=", + "lastModified": 1762161791, + "narHash": "sha256-J1L1yP29NVBJO04LA/JGM6kwhnjeNhEsX0tLFnuN3FI=", "owner": "terranix", "repo": "terranix", - "rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb", + "rev": "a79a47b4617dfb92184e2e5b8f5aa6fc06c659c8", "type": "github" }, "original": { @@ -1089,6 +1213,27 @@ "type": "github" } }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nix-ai-tools", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1762938485, + "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "utils": { "inputs": { "systems": "systems_2" 
@@ -1107,6 +1252,25 @@ "type": "github" } }, + "vicinae": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs_10" + }, + "locked": { + "lastModified": 1762709887, + "narHash": "sha256-8BoGGsWfkS/2ODBSCYd5HJNFGuLY8fFl27rXmWClXQw=", + "owner": "vicinaehq", + "repo": "vicinae", + "rev": "54722e36137d8273ef0a5db37776fb8302c79238", + "type": "github" + }, + "original": { + "owner": "vicinaehq", + "repo": "vicinae", + "type": "github" + } + }, "xwayland-satellite-stable": { "flake": false, "locked": { @@ -1127,11 +1291,11 @@ "xwayland-satellite-unstable": { "flake": false, "locked": { - "lastModified": 1759707084, - "narHash": "sha256-0pkftKs6/LReNvxw7DVTN2AJEheZVgyeK0Aarbagi70=", + "lastModified": 1761622056, + "narHash": "sha256-fBrUszJXmB4MY+wf3QsCnqWHcz7u7fLq0QMAWCltIQg=", "owner": "Supreeeme", "repo": "xwayland-satellite", - "rev": "a9188e70bd748118b4d56a529871b9de5adb9988", + "rev": "0728d59ff6463a502e001fb090f6eb92dbc04756", "type": "github" }, "original": { @@ -1143,14 +1307,14 @@ "zen-browser": { "inputs": { "home-manager": "home-manager_3", - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_11" }, "locked": { - "lastModified": 1760934351, - "narHash": "sha256-RehxVjBRC9EiBO36EPZROLHhVVSWFe3KEROhaEapboM=", + "lastModified": 1762131860, + "narHash": "sha256-sIPhzkDrfe6ptthZiwoxQyO6rKd9PgJnl+LOyythQkI=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "596c3ac14be576b93f5db9252a1b0581e453ec9f", + "rev": "10e69cb268b1d3dc91135e72f5462b2acfbcc3aa", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index c9d5076..c5c3880 100644 --- a/flake.nix +++ b/flake.nix @@ -49,6 +49,10 @@ url = "github:terranix/terranix"; inputs.nixpkgs.follows = "nixpkgs"; }; + + nix-ai-tools.url = "github:numtide/nix-ai-tools"; + + vicinae.url = "github:vicinaehq/vicinae"; }; outputs = @@ -62,7 +66,6 @@ imports = [ ./deploy.nix ./devShells.nix - ./diskoConfigurations.nix ./homeConfigurations.nix ./nixosConfigurations.nix ./nixosModules.nix 
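Review bot: The two new inputs `nix-ai-tools.url` and `vicinae.url` are declared without `inputs.nixpkgs.follows = "nixpkgs";`, unlike the terranix input directly above them, so each brings its own nixpkgs revision into the closure (the lock hunks add `nixpkgs_5` and `nixpkgs_10` for them). That is three nixpkgs trees to audit and rebuild on every `nix flake update`, and patched packages in the main nixpkgs do not reach those inputs. If their packages build against the pinned nixpkgs, add `nix-ai-tools.inputs.nixpkgs.follows = "nixpkgs";` and the same for vicinae; if they intentionally track a different nixpkgs, a one-line comment saying so next to each URL would keep the exception visible.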
diff --git a/hosts/alexandria/firewall.nix b/hosts/alexandria/firewall.nix
deleted file mode 100644
index f6fded2..0000000
--- a/hosts/alexandria/firewall.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ ... }:
-
- {
- networking.firewall = {
- allowedTCPPorts = [
- 80
- 443
- ];
- allowedUDPPorts = [ ];
- };
-}
diff --git a/hosts/alexandria/forgejo.nix b/hosts/alexandria/forgejo.nix
deleted file mode 100644
index 909d1d1..0000000
--- a/hosts/alexandria/forgejo.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- config,
- lib,
- inputs,
- ...
-}:
-let
- utils = import ../../utils.nix { inherit inputs lib; };
- inherit (utils) mkNginxVHosts;
-in
-{
- services.forgejo = {
- enable = true;
- repositoryRoot = "/data/forgejo";
- settings = {
- session.COOKIE_SECURE = true;
- server = {
- PROTOCOL = "http+unix";
- DOMAIN = "git.baduhai.dev";
- ROOT_URL = "https://git.baduhai.dev";
- OFFLINE_MODE = true; # disable use of CDNs
- SSH_DOMAIN = "baduhai.dev";
- };
- log.LEVEL = "Warn";
- mailer.ENABLED = false;
- actions.ENABLED = false;
- };
- };
-
- services.nginx.virtualHosts = mkNginxVHosts {
- acmeHost = "baduhai.dev";
- domains."git.baduhai.dev".locations."/".proxyPass =
- "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
- };
-}
diff --git a/hosts/alexandria/jellyfin.nix b/hosts/alexandria/jellyfin.nix
index 9555c89..6ceac09 100644
--- a/hosts/alexandria/jellyfin.nix
+++ b/hosts/alexandria/jellyfin.nix
@@ -10,7 +10,6 @@ in }; services.nginx.virtualHosts = mkNginxVHosts {
- acmeHost = "baduhai.dev";
 domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/"; }; }
diff --git a/hosts/alexandria/kanidm.nix b/hosts/alexandria/kanidm.nix
new file mode 100644
index 0000000..eaaa9b9
--- /dev/null
+++ b/hosts/alexandria/kanidm.nix
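Review bot: `acmeHost = "baduhai.dev"` is dropped from this `mkNginxVHosts` call (and from nextcloud.nix and vaultwarden.nix, while the new forgejo.nix and kanidm.nix never set it), but `utils.nix`, which defines `mkNginxVHosts` and the `services` list that the rewritten nginx modules now filter on, is not part of this diff. The wildcard certificate is replaced by per-domain `certs = acmeCerts`, so the helper must now attach `useACMEHost = <domain>` (or `enableACME`) per vhost for TLS to keep working; nothing visible here shows that. Unless utils.nix changed in a separate commit, confirm it, otherwise these vhosts silently lose their certificate binding.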
@@ -0,0 +1,83 @@
+{
+ config,
+ lib,
+ inputs,
+ pkgs,
+ ...
+}:
+
+ let
+ utils = import ../../utils.nix { inherit inputs lib; };
+ inherit (utils) mkNginxVHosts;
+ kanidmCertDir = "/var/lib/kanidm/certs";
+in
+
+ {
+ services.kanidm = {
+ enableServer = true;
+ enableClient = true;
+ package = pkgs.kanidm;
+
+ serverSettings = {
+ domain = "auth.baduhai.dev";
+ origin = "https://auth.baduhai.dev";
+ bindaddress = "127.0.0.1:8443";
+ ldapbindaddress = "127.0.0.1:636";
+ trust_x_forward_for = true;
+ # Use self-signed certificates for internal TLS
+ tls_chain = "${kanidmCertDir}/cert.pem";
+ tls_key = "${kanidmCertDir}/key.pem";
+ };
+
+ clientSettings = {
+ uri = "https://auth.baduhai.dev";
+ };
+ };
+
+ services.nginx.virtualHosts = mkNginxVHosts {
+ domains."auth.baduhai.dev" = {
+ locations."/" = {
+ proxyPass = "https://127.0.0.1:8443";
+ extraConfig = ''
+ proxy_ssl_verify off;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 636 ];
+
+ # Generate self-signed certificates for kanidm's internal TLS
+ systemd.services.kanidm-generate-certs = {
+ description = "Generate self-signed TLS certificates for Kanidm";
+ wantedBy = [ "multi-user.target" ];
+ before = [ "kanidm.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ mkdir -p ${kanidmCertDir}
+ if [ !
-f ${kanidmCertDir}/key.pem ]; then
+ ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 \
+ -keyout ${kanidmCertDir}/key.pem \
+ -out ${kanidmCertDir}/cert.pem \
+ -days 3650 -nodes \
+ -subj "/CN=localhost" \
+ -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
+ chown -R kanidm:kanidm ${kanidmCertDir}
+ chmod 600 ${kanidmCertDir}/key.pem
+ chmod 644 ${kanidmCertDir}/cert.pem
+ fi
+ '';
+ };
+
+ # Ensure certificate generation runs before kanidm starts
+ systemd.services.kanidm = {
+ after = [ "kanidm-generate-certs.service" ];
+ wants = [ "kanidm-generate-certs.service" ];
+ };
+}
diff --git a/hosts/alexandria/librespeed.nix b/hosts/alexandria/librespeed.nix
deleted file mode 100644
index e36a81d..0000000
--- a/hosts/alexandria/librespeed.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- config,
- lib,
- inputs,
- ...
-}:
-
- let
- utils = import ../../utils.nix { inherit inputs lib; };
- inherit (utils) mkNginxVHosts;
-in
-
- {
- virtualisation.oci-containers.containers."librespeed" = {
- image = "lscr.io/linuxserver/librespeed:latest";
- environment = {
- TZ = "America/Bahia";
- };
- ports = [ "127.0.0.1:58080:80" ];
- extraOptions = [
- "--pull=newer"
- "--label=io.containers.autoupdate=registry"
- ];
- };
-
- services.nginx.virtualHosts = mkNginxVHosts {
- acmeHost = "baduhai.dev";
- domains."speedtest.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:58080/";
- };
-}
diff --git a/hosts/alexandria/nextcloud.nix b/hosts/alexandria/nextcloud.nix
index 68d4875..c449cce 100644
--- a/hosts/alexandria/nextcloud.nix
+++ b/hosts/alexandria/nextcloud.nix
@@ -24,7 +24,13 @@ in database.createLocally = true; maxUploadSize = "16G"; extraApps = {
- inherit (config.services.nextcloud.package.packages.apps) calendar contacts notes;
+ inherit (config.services.nextcloud.package.packages.apps)
+ calendar
+ contacts
+ notes
+ tasks
+ user_oidc
+ ;
 }; extraAppsEnable = true; caching = {
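Review bot: `networking.firewall.allowedTCPPorts = [ 636 ];` opens LDAPS on every interface while `ldapbindaddress = "127.0.0.1:636"` binds only loopback, so the rule is either dead or the bind address is wrong; drop the firewall line, or bind to the LAN address and scope the rule with `networking.firewall.interfaces.<lan>.allowedTCPPorts = [ 636 ];`. The loopback hop is deliberately unverified (`proxy_ssl_verify off` against a cert issued for `CN=localhost`), which is acceptable because `bindaddress` is loopback, but that dependency is worth a comment next to `trust_x_forward_for = true;`, since that flag is only safe while nothing but nginx can reach port 8443. The generated key is valid for 3650 days and the oneshot never regenerates it; note that in the `# Generate self-signed certificates` comment so rotation is not forgotten. This hunk starts on the previous physical line.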
@@ -35,6 +41,7 @@ in trusted_proxies = [ "127.0.0.1" ]; default_phone_region = "BR"; maintenance_window_start = "4";
+ allow_local_remote_servers = true;
 enabledPreviewProviders = [ "OC\\Preview\\BMP" "OC\\Preview\\EMF"
@@ -71,7 +78,6 @@ in }; nginx.virtualHosts = mkNginxVHosts {
- acmeHost = "baduhai.dev";
 domains."cloud.baduhai.dev" = { }; }; };
diff --git a/hosts/alexandria/nginx.nix b/hosts/alexandria/nginx.nix
index 0a0a261..274f645 100644
--- a/hosts/alexandria/nginx.nix
+++ b/hosts/alexandria/nginx.nix
@@ -7,7 +7,15 @@ let utils = import ../../utils.nix { inherit inputs lib; };
- inherit (utils) mkNginxVHosts;
+ inherit (utils) mkNginxVHosts services;
+
+ # Get all unique domains from shared services that have LAN IPs (served by this host)
+ localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "alexandria") services));
+
+ # Generate ACME cert configs for all local domains
+ acmeCerts = lib.genAttrs localDomains (domain: {
+ group = "nginx";
+ });
 in {
@@ -19,9 +27,7 @@ in dnsProvider = "cloudflare"; credentialsFile = config.age.secrets.cloudflare.path; };
- certs."baduhai.dev" = {
- extraDomainNames = [ "*.baduhai.dev" ];
- };
+ certs = acmeCerts;
 }; services.nginx = {
@@ -30,14 +36,21 @@ in recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true;
- virtualHosts = mkNginxVHosts {
- acmeHost = "baduhai.dev";
- domains."_".locations."/".return = "444";
+ virtualHosts = {
+ "_" = {
+ default = true;
+ locations."/".return = "444";
+ };
 }; }; users.users.nginx.extraGroups = [ "acme" ];
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ + age.secrets.cloudflare = { file = ../../secrets/cloudflare.age; owner = "nginx";
diff --git a/hosts/alexandria/unbound.nix b/hosts/alexandria/unbound.nix
new file mode 100644
index 0000000..31363aa
--- /dev/null
+++ b/hosts/alexandria/unbound.nix
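Review bot: `allow_local_remote_servers = true;` turns off Nextcloud's refusal to make outgoing requests to loopback and private addresses, and nothing in the hunk records why. It is presumably required because `user_oidc` (added in the previous hunk) must reach `auth.baduhai.dev`, which the new unbound.nix in this commit answers with a LAN address, but that is inferred. Record it on the line, e.g. `allow_local_remote_servers = true; # user_oidc must reach auth.baduhai.dev, which resolves to a LAN IP here; this relaxes the SSRF guard for private ranges`, so the relaxation is not carried forward once the dependency goes away.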
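Review bot: The replacement default vhost `"_"` only declares `default = true` and a `return = "444"` location, so it listens on port 80 alone; on 443 nginx serves an unknown or absent SNI name from the first configured TLS server block, handing out one of the app vhosts and its certificate where the old wildcard catch-all closed the connection. Add `rejectSSL = true;` to the `"_"` block so it also listens on 443 and aborts the handshake for unmatched names. The identical `"_"` block in the new hosts/trantor/nginx.nix has the same gap.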
@@ -0,0 +1,58 @@
+{ inputs, lib, ... }:
+
+ let
+ utils = import ../../utils.nix { inherit inputs lib; };
+in
+
+ {
+ services.unbound = {
+ enable = true;
+ enableRootTrustAnchor = true;
+ settings = {
+ server = {
+ interface = [
+ "0.0.0.0"
+ "::"
+ ];
+ access-control = [
+ "127.0.0.0/8 allow"
+ "192.168.0.0/16 allow"
+ "::1/128 allow"
+ ];
+
+ num-threads = 2;
+ msg-cache-size = "50m";
+ rrset-cache-size = "100m";
+ cache-min-ttl = 300;
+ cache-max-ttl = 86400;
+ prefetch = true;
+ prefetch-key = true;
+ hide-identity = true;
+ hide-version = true;
+ so-rcvbuf = "1m";
+ so-sndbuf = "1m";
+
+ # LAN-only DNS records
+ local-zone = ''"baduhai.dev." transparent'';
+ local-data = map (e: ''"${e.domain}. IN A ${e.lanIP}"'')
+ (lib.filter (e: e ? lanIP) utils.services);
+ };
+
+ forward-zone = [
+ {
+ name = ".";
+ forward-addr = [
+ "1.1.1.1@853#cloudflare-dns.com"
+ "1.0.0.1@853#cloudflare-dns.com"
+ ];
+ forward-tls-upstream = true;
+ }
+ ];
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+}
diff --git a/hosts/alexandria/vaultwarden.nix b/hosts/alexandria/vaultwarden.nix
index fd10d6b..2335ee0 100644
--- a/hosts/alexandria/vaultwarden.nix
+++ b/hosts/alexandria/vaultwarden.nix
@@ -20,7 +20,6 @@ in }; services.nginx.virtualHosts = mkNginxVHosts {
- acmeHost = "baduhai.dev";
 domains."pass.baduhai.dev".locations."/".proxyPass = "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/"; };
diff --git a/disko/io.nix b/hosts/io/disko.nix
similarity index 96%
rename from disko/io.nix
rename to hosts/io/disko.nix
index 37f3160..4e6c9d5 100644
--- a/disko/io.nix
+++ b/hosts/io/disko.nix
@@ -1,4 +1,8 @@
+{ inputs, ... }:
+ {
+ imports = [ inputs.disko.nixosModules.default ];
+ + disko.devices.disk.main = { type = "disk"; device = "/dev/disk/by-id/mmc-hDEaP3_0x1041b689";
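Review bot: `interface = [ "0.0.0.0" "::" ]` together with `networking.firewall` opening 53/tcp and 53/udp on all interfaces makes the resolver reachable from every network alexandria is attached to; `access-control` limits answers to 127/8, 192.168/16 and ::1 and unbound refuses everything else by default, but refused queries still confirm a listening resolver on any non-LAN interface, and IPv6 LAN clients other than ::1 are refused because no IPv6 prefix is allowed. If the host only has LAN interfaces this is fine; otherwise scope the rules with `networking.firewall.interfaces.<lan>.allowedUDPPorts = [ 53 ];` (and TCP), or list the LAN interface under `interface`, and add the LAN's IPv6 prefix to `access-control` if IPv6 clients exist. The `# LAN-only DNS records` comment would also be clearer as `# split-horizon: answer baduhai.dev names with LAN addresses for services that declare lanIP`, since the zone is `transparent` and public names without a lanIP still resolve upstream.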
diff --git a/hosts/io/hardware-configuration.nix b/hosts/io/hardware-configuration.nix index cb114a1..8e4dae4 100644 --- a/hosts/io/hardware-configuration.nix +++ b/hosts/io/hardware-configuration.nix @@ -2,15 +2,12 @@ config, lib, modulesPath, - self, + inputs, ... }: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - self.diskoConfigurations.io - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot = { initrd = { diff --git a/hosts/io/services.nix b/hosts/io/services.nix index 90fb737..df41a6f 100644 --- a/hosts/io/services.nix +++ b/hosts/io/services.nix @@ -49,6 +49,7 @@ }; }; upower.enable = true; + power-profiles-daemon.enable = true; }; # TODO: remove once gmodena/nix-flatpak/issues/45 fixed diff --git a/hosts/modules/ai.nix b/hosts/modules/ai.nix new file mode 100644 index 0000000..e2dd9d2 --- /dev/null +++ b/hosts/modules/ai.nix @@ -0,0 +1,10 @@ +{ inputs, pkgs, ... }: + +{ + environment.systemPackages = with inputs.nix-ai-tools.packages.${pkgs.system}; [ + claude-desktop + claude-code + claudebox + opencode + ]; +} diff --git a/hosts/modules/common/openssh.nix b/hosts/modules/common/openssh.nix index 63422b3..df70bdd 100644 --- a/hosts/modules/common/openssh.nix +++ b/hosts/modules/common/openssh.nix @@ -4,10 +4,8 @@ services.openssh = { enable = true; settings.PermitRootLogin = "no"; + extraConfig = '' + PrintLastLog no + ''; }; - programs.fish.interactiveShellInit = '' - if set -q SSH_CONNECTION - neofetch - end - ''; } diff --git a/hosts/modules/common/programs.nix b/hosts/modules/common/programs.nix index be57b69..fd10953 100644 --- a/hosts/modules/common/programs.nix +++ b/hosts/modules/common/programs.nix @@ -25,6 +25,16 @@ programs = { command-not-found.enable = false; - fish.enable = true; + fish = { + enable = true; + interactiveShellInit = '' + set fish_greeting + if set -q SSH_CONNECTION + export TERM=xterm-256color + clear + fastfetch + end + ''; + }; }; } 
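Review bot: `inputs.nix-ai-tools.packages.${pkgs.system}` in the new hosts/modules/ai.nix uses `pkgs.system`, which nixpkgs marks deprecated in favour of `pkgs.stdenv.hostPlatform.system`, and the devShells.nix hunk in the same commit takes `system` from `perSystem` instead, so the file mixes two conventions. Writing it as `with inputs.nix-ai-tools.packages.${pkgs.stdenv.hostPlatform.system};` avoids the warning. The packages are pulled from an input that is not pinned to the main nixpkgs (see flake.nix), so a comment naming what each of `claude-desktop`, `claude-code`, `claudebox` and `opencode` is for would help whoever audits that input later.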
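Review bot: `PrintLastLog no` in the new `extraConfig` of hosts/modules/common/openssh.nix removes the "Last login:" line, which is the one passive indication a user gets that the account was used from elsewhere; the motivation appears to be the `clear` plus `fastfetch` greeting added to programs.nix in this commit rather than hardening. Either keep the default and let the greeting print below it, or record the trade-off so it is not mistaken for a security setting, e.g. `# cosmetic: the fish SSH greeting replaces the last-login line`.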
diff --git a/hosts/modules/common/users.nix b/hosts/modules/common/users.nix index 0572153..7dd6490 100644 --- a/hosts/modules/common/users.nix +++ b/hosts/modules/common/users.nix @@ -10,8 +10,9 @@ "wheel" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam" ]; hashedPassword = "$6$Pj7v/CpstyuWQQV0$cNujVDhfMBdwlGVEnnd8t71.kZPixbo0u25cd.874iaqLTH4V5fa1f98V5zGapjQCz5JyZmsR94xi00sUrntT0"; }; diff --git a/hosts/modules/desktop/desktop.nix b/hosts/modules/desktop/desktop.nix index 5258442..03ec04b 100644 --- a/hosts/modules/desktop/desktop.nix +++ b/hosts/modules/desktop/desktop.nix @@ -20,7 +20,6 @@ systemPackages = with pkgs; [ ### Web ### bitwarden-desktop - brave fragments nextcloud-client tor-browser @@ -35,6 +34,7 @@ libreoffice onlyoffice-desktopeditors papers + presenterm rnote ### Graphics & Design ### gimp diff --git a/hosts/modules/dev.nix b/hosts/modules/dev.nix index 82908f2..c4cca78 100644 --- a/hosts/modules/dev.nix +++ b/hosts/modules/dev.nix @@ -3,7 +3,6 @@ { environment.systemPackages = with pkgs; [ bat - claude-code lazygit fd fzf diff --git a/hosts/modules/ephemeral.nix b/hosts/modules/ephemeral.nix index 8ed08bc..cad5f41 100644 --- a/hosts/modules/ephemeral.nix +++ b/hosts/modules/ephemeral.nix @@ -10,7 +10,7 @@ enable = true; rootDevice = if config.networking.hostName == "trantor" then - "/dev/disk/by-id/scsi-36067d367fe184830a89bbe708c7b1066" + "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20-part2" else "/dev/mapper/cryptroot"; rootSubvolume = "@root"; diff --git a/hosts/modules/gaming.nix b/hosts/modules/gaming.nix index cf6217f..5aef14e 100644 
--- a/hosts/modules/gaming.nix
+++ b/hosts/modules/gaming.nix
@@ -6,7 +6,6 @@ heroic mangohud prismlauncher
- protonup
 steam-run ];
diff --git a/hosts/trantor/boot.nix b/hosts/trantor/boot.nix
index 67ac124..0498818 100644
--- a/hosts/trantor/boot.nix
+++ b/hosts/trantor/boot.nix
@@ -1,3 +1,6 @@ {
- boot.initrd.systemd.enable = true;
+ boot = {
+ initrd.systemd.enable = true;
+ loader.efi.efiSysMountPoint = "/boot/efi";
+ };
 }
diff --git a/disko/trantor.nix b/hosts/trantor/disko.nix
similarity index 88%
rename from disko/trantor.nix
rename to hosts/trantor/disko.nix
index db1397e..0e47058 100644
--- a/disko/trantor.nix
+++ b/hosts/trantor/disko.nix
@@ -1,7 +1,11 @@
+{ inputs, ... }:
+ {
+ imports = [ inputs.disko.nixosModules.default ];
+ + disko.devices.disk.main = { type = "disk";
- device = "/dev/disk/by-id/scsi-36067d367fe184830a89bbe708c7b1066";
+ device = "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20";
 content = { type = "gpt"; partitions = {
@@ -27,8 +31,7 @@ name = "root"; size = "100%"; content = {
- type = "filesystem";
- format = "btrfs";
+ type = "btrfs";
 extraArgs = [ "-f" ]; subvolumes = { "@root" = {
diff --git a/hosts/trantor/fail2ban.nix b/hosts/trantor/fail2ban.nix
new file mode 100644
index 0000000..bc05139
--- /dev/null
+++ b/hosts/trantor/fail2ban.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+ {
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ ignoreIP = [
+ "127.0.0.0/8"
+ "::1"
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ "100.64.0.0/10"
+ ];
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ multipliers = "1 2 4 8 16 32 64";
+ maxtime = "10000h";
+ overalljails = true;
+ };
+ };
+}
diff --git a/hosts/trantor/forgejo.nix b/hosts/trantor/forgejo.nix
new file mode 100644
index 0000000..fdfa64a
--- /dev/null
+++ b/hosts/trantor/forgejo.nix
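Review bot: The `ignoreIP` list in the new hosts/trantor/fail2ban.nix exempts every RFC 1918 range plus `100.64.0.0/10` without saying why; trantor is a QEMU guest on DHCP per its hardware-configuration.nix, so those ranges presumably cover the provider's private network and a tailnet (the .gitignore hunk mentions `tailscale-tailnet/`), but that is inferred. Anything reachable from those ranges also bypasses the sshd jail and the forgejo jail, so each entry deserves a comment, e.g. `"100.64.0.0/10" # CGNAT range used by the tailnet`, and the RFC 1918 entries can be dropped if the host has no private interface. `config` and `pkgs` in the module arguments are unused.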
@@ -0,0 +1,72 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}:
+
+let
+ utils = import ../../utils.nix { inherit inputs lib; };
+ inherit (utils) mkNginxVHosts;
+in
+
+{
+ services = {
+ forgejo = {
+ enable = true;
+ settings = {
+ session.COOKIE_SECURE = true;
+ server = {
+ PROTOCOL = "http+unix";
+ DOMAIN = "git.baduhai.dev";
+ ROOT_URL = "https://git.baduhai.dev";
+ OFFLINE_MODE = true; # disable use of CDNs
+ SSH_DOMAIN = "git.baduhai.dev";
+ };
+ log.LEVEL = "Warn";
+ mailer.ENABLED = false;
+ actions.ENABLED = false;
+ service.DISABLE_REGISTRATION = true;
+ oauth2_client = {
+ ENABLE_AUTO_REGISTRATION = true;
+ UPDATE_AVATAR = true;
+ ACCOUNT_LINKING = "login";
+ USERNAME = "preferred_username";
+ };
+ };
+ };
+ nginx.virtualHosts = mkNginxVHosts {
+ domains."git.baduhai.dev".locations."/".proxyPass =
+ "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
+ };
+ fail2ban.jails.forgejo = {
+ settings = {
+ enabled = true;
+ filter = "forgejo";
+ maxretry = 3;
+ findtime = "10m";
+ bantime = "1h";
+ };
+ };
+ };
+
+ environment = {
+ etc."fail2ban/filter.d/forgejo.conf".text = ''
+ [Definition]
+ failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
+ ignoreregex =
+ journalmatch = _SYSTEMD_UNIT=forgejo.service
+ '';
+
+ persistence.main.directories = [
+ {
+ directory = config.services.forgejo.stateDir;
+ inherit (config.services.forgejo) user group;
+ mode = "0700";
+ }
+ ];
+ };
+
+ # Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
+ systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
+}
diff --git a/hosts/trantor/hardware-configuration.nix b/hosts/trantor/hardware-configuration.nix
index 4a9503f..039129e 100644
--- a/hosts/trantor/hardware-configuration.nix
+++ b/hosts/trantor/hardware-configuration.nix
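Review bot: As rendered, the `failregex` in `environment.etc."fail2ban/filter.d/forgejo.conf"` ends with `.* from` and has no `<HOST>` capture group; fail2ban rejects a filter without one, so unless that is an artifact of how this page was rendered the forgejo jail never starts and the ban rule is a no-op. Because Forgejo is reached through nginx over a unix socket, the address it logs is the proxy's rather than the client's unless `[security] REVERSE_PROXY_LIMIT` and `REVERSE_PROXY_TRUSTED_PROXIES` are set so the forwarded header is honoured — worth checking the actual log lines before relying on the jail. `PrivateMounts = lib.mkForce false` relaxes the upstream unit hardening; the comment says why, but naming which credential is loaded from a bind mount would make the trade-off reviewable later.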
@@ -1,29 +1,18 @@
 {
 lib,
 modulesPath,
- self,
 ...
 }:
 {
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- self.diskoConfigurations.trantor
- ];
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
- boot = {
- kernelModules = [ ];
- extraModulePackages = [ ];
- initrd = {
- availableKernelModules = [
- "xhci_pci"
- "virtio_pci"
- "virtio_scsi"
- "usbhid"
- ];
- kernelModules = [ ];
- };
- };
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "virtio_pci"
+ "virtio_scsi"
+ "usbhid"
+ ];
 networking.useDHCP = lib.mkDefault true;
diff --git a/hosts/trantor/nginx.nix b/hosts/trantor/nginx.nix
new file mode 100644
index 0000000..56eed7c
--- /dev/null
+++ b/hosts/trantor/nginx.nix
@@ -0,0 +1,61 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}:
+
+let
+ utils = import ../../utils.nix { inherit inputs lib; };
+ inherit (utils) mkNginxVHosts services;
+
+ # Get all unique domains from shared services on trantor (host = "trantor")
+ localDomains = lib.unique (
+ map (s: s.domain) (lib.filter (s: s.host == "trantor") services)
+ );
+
+ # Generate ACME cert configs for all local domains
+ acmeCerts = lib.genAttrs localDomains (domain: {
+ group = "nginx";
+ });
+in
+
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ email = "baduhai@proton.me";
+ dnsResolver = "1.1.1.1:53";
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.cloudflare.path;
+ };
+ certs = acmeCerts;
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "_" = {
+ default = true;
+ locations."/".return = "444";
+ };
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ age.secrets.cloudflare = {
+ file = ../../secrets/cloudflare.age;
+ owner = "nginx";
+ group = "nginx";
+ };
+}
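Review bot: The catch-all `"_"` vhost in nginx.nix only covers port 80, because it sets neither `addSSL`/`forceSSL` nor `rejectSSL`; on 443 nginx falls back to the first TLS server block, so connections with an unknown or missing SNI are answered with the git.baduhai.dev certificate and proxied into Forgejo instead of being dropped. Adding `rejectSSL = true;` to the default host (the NixOS option for exactly this case) makes the 444 catch-all apply to HTTPS as well. The hardware-configuration.nix hunk on the same line removes the `self.diskoConfigurations.trantor` import; the renamed hosts/trantor/disko.nix now imports disko itself, but the place where that file is added to trantor's module list is not visible on this page.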
diff --git a/hosts/trantor/openssh.nix b/hosts/trantor/openssh.nix
new file mode 100644
index 0000000..704b3df
--- /dev/null
+++ b/hosts/trantor/openssh.nix
@@ -0,0 +1,23 @@
+{ ... }:
+
+{
+ services = {
+ openssh = {
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+ fail2ban.jails.sshd = {
+ settings = {
+ enabled = true;
+ port = "ssh";
+ filter = "sshd";
+ logpath = "/var/log/auth.log";
+ maxretry = 3;
+ findtime = "10m";
+ bantime = "1h";
+ };
+ };
+ };
+}
diff --git a/hosts/trantor/unbound.nix b/hosts/trantor/unbound.nix
new file mode 100644
index 0000000..46808c6
--- /dev/null
+++ b/hosts/trantor/unbound.nix
@@ -0,0 +1,58 @@
+{ inputs, lib, ... }:
+
+let
+ utils = import ../../utils.nix { inherit inputs lib; };
+in
+
+{
+ services.unbound = {
+ enable = true;
+ enableRootTrustAnchor = true;
+ settings = {
+ server = {
+ interface = [
+ "0.0.0.0"
+ "::"
+ ];
+ access-control = [
+ "127.0.0.0/8 allow"
+ "100.64.0.0/10 allow" # Tailscale CGNAT range
+ "::1/128 allow"
+ "fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
+ ];
+
+ num-threads = 2;
+ msg-cache-size = "50m";
+ rrset-cache-size = "100m";
+ cache-min-ttl = 300;
+ cache-max-ttl = 86400;
+ prefetch = true;
+ prefetch-key = true;
+ hide-identity = true;
+ hide-version = true;
+ so-rcvbuf = "1m";
+ so-sndbuf = "1m";
+
+ # Tailnet DNS records from shared services
+ local-zone = ''"baduhai.dev." transparent'';
+ local-data = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') utils.services;
+ };
+
+ forward-zone = [
+ {
+ name = ".";
+ forward-addr = [
+ "1.1.1.1@853#cloudflare-dns.com"
+ "1.0.0.1@853#cloudflare-dns.com"
+ ];
+ forward-tls-upstream = true;
+ }
+ ];
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ };
+}
diff --git a/nixosConfigurations.nix b/nixosConfigurations.nix
index ced8851..c4969c1 100644
--- a/nixosConfigurations.nix
+++ b/nixosConfigurations.nix
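Review bot: `logpath = "/var/log/auth.log"` in the sshd jail of openssh.nix points at a file that normally does not exist on NixOS, which logs to the journal; I believe the NixOS fail2ban module defaults the backend to systemd, in which case the value is silently ignored, and with any other backend the jail fails to start — either drop the line or set `backend = "systemd"` explicitly next to it so the intent is visible. The NixOS module already ships an sshd jail enabled when openssh is, so this block mostly restates defaults apart from `maxretry`, `findtime` and `bantime`; a comment saying those three are the point of the override would save the next reader a comparison.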
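Review bot: unbound.nix listens on `0.0.0.0` and `::` and opens TCP/UDP 53 in `networking.firewall` on every interface, while trantor also carries a public address on OCI; `access-control` refuses non-tailnet sources, but the resolver still answers REFUSED to the whole internet and is trivially discoverable by scans. Binding the listener to loopback plus the host's tailnet address (100.108.5.90 per shared/services.nix) and opening 53 only under `networking.firewall.interfaces.tailscale0.allowedTCPPorts`/`allowedUDPPorts` keeps the service reachable where it is meant to be and off the public port. The `100.64.0.0/10` and `fd7a:115c:a1e0::/48` allow rules remain correct for tailnet clients either way.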
@@ -10,6 +10,7 @@ in hostname = "rotterdam"; tags = [ "desktop" + "ai" "bluetooth" "dev" "ephemeral" @@ -25,6 +26,7 @@ in hostname = "io"; tags = [ "desktop" + "ai" "bluetooth" "dev" "ephemeral" @@ -38,7 +40,6 @@ in tags = [ # "server" TODO: uncomment when 25.11 is out. "fwupd" - "podman" ]; }; diff --git a/readme.md b/readme.md index 2804237..a2b815f 100644 --- a/readme.md +++ b/readme.md 
@@ -1,123 +1,87 @@ -# NixOS Configuration +# Nix Configuration -A declarative, modular NixOS/Home Manager flake configuration managing multiple systems with a tag-based architecture for maximum code reuse and flexibility. +My personal Nix configuration for multiple NixOS hosts, home-manager users, miscellaneous resources... too many things to list. If I could put my life in a flake I would. ## Hosts -| Host | Type | System | Version | Description | -|------|------|--------|---------|-------------| -| **rotterdam** | Desktop | x86_64-linux | NixOS Unstable | Primary workstation with gaming, development | -| **io** | Laptop | x86_64-linux | NixOS Unstable | Mobile workstation | -| **alexandria** | Server/NAS | x86_64-linux | NixOS 25.05 | Personal server running Nextcloud, Forgejo, Jellyfin, Vaultwarden | -| **trantor** | VPS | aarch64-linux | NixOS 25.05 | Oracle Cloud instance | +### Desktop Systems +- **rotterdam** - Main desktop workstation (x86_64) + - Features: Desktop, AI tools, Bluetooth, Dev environment, Gaming, Virtualization (libvirtd), Podman + - Storage: Ephemeral root with LUKS encryption -## Key Features +- **io** - Laptop workstation (x86_64) + - Features: Desktop, AI tools, Bluetooth, Dev environment, Podman + - Storage: Ephemeral root with LUKS encryption -### Architecture -- **Tag-based module system** - Compose configurations using tags instead of traditional inheritance -- **Flake-based** - Fully reproducible builds with locked dependencies -- **Multi-platform** - Supports both x86_64 and aarch64 architectures -- **Deployment automation** - Remote deployment via deploy-rs +### Servers +- **alexandria** - Home server (x86_64) + - Hosts: Nextcloud, Vaultwarden, Jellyfin, Kanidm -### Desktop Experience -- **Niri compositor** - Custom fork with auto-centering window columns -- **Unified theming** - Stylix-based theming -- **Wayland-native** - Full Wayland support -- **Ephemeral root** - Impermanent filesystem using BTRFS for atomic rollback 
capability +- **trantor** - Cloud server (aarch64) + - Hosts: Forgejo + - Cloud provider: Oracle Cloud Infrastructure + - Storage: Ephemeral root with btrfs -### Self-Hosted Services -- **Nextcloud** - Cloud storage with calendar, contacts, and notes -- **Forgejo** - Self-hosted Git server -- **Jellyfin** - Media streaming -- **Vaultwarden** - Password manager backend -- **LibreSpeed** - Network speed testing -- All services behind Nginx and Tailscale with automatic SSL via Let's Encrypt +## Home Manager Configurations + +- **user@rotterdam** - Full desktop setup with gaming, OBS, and complete development environment +- **user@io** - Lightweight desktop setup + +Both configurations include: +- btop, direnv, helix, starship, tmux +- Stylix theme management +- Fish shell with custom configurations + +## Terranix Configurations + +Infrastructure as code using Terranix (NixOS + Terraform/OpenTofu): + +- **oci-trantor** - Oracle Cloud Infrastructure provisioning for Trantor server +- **cloudflare-baduhaidev** - DNS and CDN configuration for baduhai.dev domain +- **tailscale-tailnet** - Tailscale network ACL and device management + +## Services + +All services are accessible via custom domains under baduhai.dev: + +- **Kanidm** (auth.baduhai.dev) - Identity and access management +- **Vaultwarden** (pass.baduhai.dev) - Password manager +- **Forgejo** (git.baduhai.dev) - Git forge (publicly accessible) +- **Nextcloud** (cloud.baduhai.dev) - File sync and collaboration +- **Jellyfin** (jellyfin.baduhai.dev) - Media server + +Services are accessible via: +- LAN for alexandria-hosted services +- Tailscale VPN for all services +- Public internet for Forgejo only + +## Notable Features + +### Ephemeral Root +Rotterdam, io, and trantor use an ephemeral root filesystem that resets on every boot: +- Root filesystem is automatically rolled back using btrfs snapshots +- Old snapshots retained for 30 days +- Persistent data stored in dedicated subvolumes +- Implements truly stateless 
systems + +### Custom DNS Architecture +- Unbound DNS servers on both alexandria and trantor +- Service routing based on visibility flags (public/LAN/Tailscale) +- Split-horizon DNS for optimal access paths ### Security -- **Agenix** - Encrypted secrets management -- **Tailscale** - Zero-config VPN mesh network -- **Firewall** - Configured on all hosts -- SSH key-based authentication +- LUKS full-disk encryption on desktop systems +- Fail2ban on public-facing servers +- agenix for secrets management +- Tailscale for secure remote access -## Repository Structure +### Desktop Environment +- Custom Niri window manager (Wayland compositor) +- Using forked version with auto-centering feature +- Stylix for consistent theming -``` -. -├── flake.nix # Main flake definition -├── utils.nix # Tag-based module system utilities -├── nixosConfigurations.nix # Host definitions with tags -├── homeConfigurations.nix # User configurations -├── deploy.nix # Remote deployment configuration -├── hosts/ -│ ├── alexandria/ # Server-specific config -│ ├── io/ # Laptop-specific config -│ ├── rotterdam/ # Desktop-specific config -│ ├── trantor/ # VPS-specific config -│ └── modules/ -│ ├── common/ # Shared base configuration -│ ├── desktop/ # Desktop environment setup -│ ├── server/ # Server-specific modules -│ └── [tag].nix # Optional feature modules -├── users/ -│ └── modules/ # Home Manager configurations -│ └── [tag].nix # Optional feature modules -├── packages/ # Custom package definitions -└── secrets/ # Encrypted secrets (agenix) -``` - -## Tag System - -Configurations are composed using tags that map to modules: - -**Common Tags** (all hosts): -- `common` - Base system configuration (automatically applied) - -**General Tags**: -- `desktop` - *Mostly* full desktop environment with Niri WM -- `dev` - Development tools and environments -- `gaming` - Steam, Heroic, gamemode, controller support -- `ephemeral` - Impermanent root filesystem -- `networkmanager` - WiFi and network management 
-- `libvirtd` - KVM/QEMU virtualization -- `podman` - Container runtime -- `bluetooth` - Bluetooth support -- `fwupd` - Firmware update daemon - -**Server Tags**: -- `server` - Server-specific configuration - -## Usage - -### Rebuilding a Configuration - -```bash -# Local rebuild -sudo nixos-rebuild switch --flake .#hostname - -# Remote deployment -deploy .#hostname -``` - -### Updating Dependencies - -```bash -nix flake update -``` - -### Adding a New Host - -1. Create host directory in `hosts/` -2. Define configuration in `nixosConfigurations.nix` with appropriate tags -3. Add deployment profile in `deploy.nix` if needed - -## Dependencies - -- [nixpkgs](https://github.com/NixOS/nixpkgs) - Stable (25.05) and unstable channels -- [home-manager](https://github.com/nix-community/home-manager) - User configuration -- [agenix](https://github.com/ryantm/agenix) - Secrets management -- [disko](https://github.com/nix-community/disko) - Declarative disk partitioning -- [stylix](https://github.com/danth/stylix) - System-wide theming -- [niri-flake](https://github.com/sodiboo/niri-flake) - Wayland compositor (custom fork) -- [impermanence](https://github.com/nix-community/impermanence) - Ephemeral filesystem support -- [deploy-rs](https://github.com/serokell/deploy-rs) - Remote deployment -- [nix-flatpak](https://github.com/gmodena/nix-flatpak) - Declarative Flatpak management +### Development Setup +- Nix flakes for reproducible builds +- deploy-rs for automated deployments +- Podman for containerization +- Complete AI tooling integration diff --git a/secrets/cloudflare.age b/secrets/cloudflare.age index 9e989ec..028e964 100644 --- a/secrets/cloudflare.age +++ b/secrets/cloudflare.age 
@@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 Kfdnog gEZvRtLBhGslmS97VaRqoucgExvOopsHAAne4lCmEEY -NkIeFYuQFntDOBqd3k0/OVYMcM7h73uO0jPXaHzEcZc --> ssh-ed25519 8YSAiw bVV4jIDbBKxsr6mQ4Tv0rP6ylrAEOJWkqjpyvXjnQRU -6kUe5Syw7sd+aF2QEgr6Yj+fOPL5zSJN1PJvY9Kdhlg --> ssh-ed25519 J6tVTA 4JMlJmhHAYUgjiWwB1Q278TSjJypwecALmfnosxan0s -WIubcIFrjMV0GpyU1ZGc48YwrqOtSmJxweonw1KnR+U ---- 78A7re4LLB/0n5AXLRlVqiMNFMAQ2ZvjjK21YGRveRE -_4pkVCKm#~kI8Em3kp|0^tSk s/΅?=l,7~̈́c{ȞAݭ>ZlGTJsGY //B4e'IIc ,"< \ No newline at end of file +-> ssh-ed25519 Kfdnog IHXv4c5we36dCUsB1v8uEF23tIRlDQ/8WR1hX4GQ+Uc +Cwccw64BYBdSZUdkSqKESIU7E17cLNtiAZZ3Y1xV87A +-> ssh-ed25519 8YSAiw Ce3vdMG111ubjcFgd3+q2Qw2+7dsoUz7SiudtuLDr0Y +JUodwFsKfOTZXxFyRrEk/4gxJ4goPkwvYeThi893M0U +-> ssh-ed25519 J6tVTA bExFuITTGXkTvhW25nushN7zT/PJGDoezsqu7fLKemI +4a90v0F4wgcZeqWBQ/EpqOZ9OCgT7qruwVvlGZeFmN8 +-> ssh-ed25519 Qt3Q+A j1oo46pNh1+yPEtxpgj+QPQPf5m82jL0DHGMacY8UFA +vy52Hl1WLTdKNA8+4p7A48Sg9+QkMXbECf/uxVMCLYk +--- 429vzgFnmFbEqDMwdvC0/EYDJlKU64YEGgE0AqPqlBs +b/!8O3Df/&kNQhurt%&]ucjH]_5@D$>N8Ϧ >9:CvѦ69W'X]X^ƻ$}|c/ ߸={uɳs \ No newline at end of file diff --git a/secrets/forgejo-root-password.age b/secrets/forgejo-root-password.age new file mode 100644 index 0000000..90be612 Binary files /dev/null and b/secrets/forgejo-root-password.age differ diff --git a/secrets/nextcloud-adminpass.age b/secrets/nextcloud-adminpass.age index 3b6ff2a..b4a29fa 100644 Binary files a/secrets/nextcloud-adminpass.age and b/secrets/nextcloud-adminpass.age differ diff --git a/secrets/nextcloud-secrets.json.age b/secrets/nextcloud-secrets.json.age index 473f3cb..02d170d 100644 Binary files a/secrets/nextcloud-secrets.json.age and b/secrets/nextcloud-secrets.json.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index d47309f..a90cd74 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -7,7 +7,7 @@ let alexandria = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK95QueW+jp1ZmF299Xr3XkgHJ6dL7aZVsfWxqbOKVKA root@alexandria"; - trantor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkGuGLZPnYJbCGY4BhJ9uTupp6ruuR1NZ7FEYEaLPA7 root@alexandria"; + trantor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIh/2u5pr/iPVeavlsor5hbTtsgUfP1JpzZVco2YQAo3 root@trantor"; in { @@ -15,6 +15,7 @@ in io-user rotterdam-user alexandria + trantor ]; "nextcloud-adminpass.age".publicKeys = [ io-user @@ -26,4 +27,9 @@ in rotterdam-user alexandria ]; + "forgejo-root-password.age".publicKeys = [ + io-user + rotterdam-user + trantor + ]; } diff --git a/shared/services.nix b/shared/services.nix new file mode 100644 index 0000000..44f9208 --- /dev/null +++ b/shared/services.nix @@ -0,0 +1,48 @@ +# Shared service definitions for cross-host configuration +# Used by: +# - alexandria: DNS server (LAN) + service hosting (vaultwarden, nextcloud, jellyfin, kanidm) +# - trantor: DNS server (Tailnet) + service hosting (forgejo) +{ + services = [ + { + name = "kanidm"; + domain = "auth.baduhai.dev"; + host = "alexandria"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + port = 8443; + } + { + name = "vaultwarden"; + domain = "pass.baduhai.dev"; + host = "alexandria"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + port = 8222; + } + { + name = "forgejo"; + domain = "git.baduhai.dev"; + host = "trantor"; + public = true; + tailscaleIP = "100.108.5.90"; + port = 3000; + } + { + name = "nextcloud"; + domain = "cloud.baduhai.dev"; + host = "alexandria"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + port = 443; + } + { + name = "jellyfin"; + domain = "jellyfin.baduhai.dev"; + host = "alexandria"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + port = 8096; + } + ]; +} diff --git a/terranix/cloudflare/baduhai.dev.nix b/terranix/cloudflare/baduhai.dev.nix index e69de29..1b456f3 100644 --- a/terranix/cloudflare/baduhai.dev.nix 
+++ b/terranix/cloudflare/baduhai.dev.nix 
@@ -0,0 +1,86 @@ +# Required environment variables: +# CLOUDFLARE_API_TOKEN - API token with "Edit zone DNS" permissions +# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage +# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage + +{ config, lib, ... }: + +let + inherit (import ../../shared/services.nix) services; + + # Helper to extract subdomain from full domain (e.g., "git.baduhai.dev" -> "git") + getSubdomain = domain: lib.head (lib.splitString "." domain); + + # Generate DNS records for services + # Public services point to trantor's public IP + # Private services point to their tailscale IP + mkServiceRecords = lib.listToAttrs ( + lib.imap0 ( + i: svc: + let + subdomain = getSubdomain svc.domain; + targetIP = + if svc.public or false then + config.data.terraform_remote_state.trantor "outputs.instance_public_ip" + else + svc.tailscaleIP; + in + { + name = "service_${toString i}"; + value = { + zone_id = config.variable.zone_id.default; + name = subdomain; + type = "A"; + content = targetIP; + proxied = false; + ttl = 3600; + }; + } + ) services + ); +in + +{ + terraform.required_providers.cloudflare = { + source = "cloudflare/cloudflare"; + version = "~> 5.0"; + }; + + terraform.backend.s3 = { + bucket = "terraform-state"; + key = "cloudflare/baduhai.dev.tfstate"; + region = "auto"; + endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com"; + skip_credentials_validation = true; + skip_metadata_api_check = true; + skip_region_validation = true; + skip_requesting_account_id = true; + use_path_style = true; + }; + + variable = { + zone_id = { + default = "c63a8332fdddc4a8e5612ddc54557044"; + type = "string"; + }; + }; + + data = { + terraform_remote_state.trantor = { + backend = "s3"; + config = { + bucket = "terraform-state"; + key = "oci/trantor.tfstate"; + region = "auto"; + endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com"; + skip_credentials_validation = true; + 
skip_metadata_api_check = true; + skip_region_validation = true; + skip_requesting_account_id = true; + use_path_style = true; + }; + }; + }; + + resource.cloudflare_dns_record = mkServiceRecords; +} diff --git a/terranix/oci/trantor.nix b/terranix/oci/trantor.nix index 37c12ae..170ad04 100644 --- a/terranix/oci/trantor.nix +++ b/terranix/oci/trantor.nix @@ -1,3 +1,13 @@ +# Required environment variables: +# instead of OCI variables, ~/.oci/config may also be used +# OCI_TENANCY_OCID - Oracle tenancy OCID (or use TF_VAR_* to override variables) +# OCI_USER_OCID - Oracle user OCID +# OCI_FINGERPRINT - API key fingerprint +# OCI_PRIVATE_KEY_PATH - Path to OCI API private key +# AWS variables are required +# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage +# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage + { config, ... }: { @@ -43,6 +53,7 @@ ssh_public_keys = { default = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam" ]; @@ -229,6 +240,7 @@ threshold = 5; threshold_type = "PERCENTAGE"; display_name = "daily-spend-alert"; + recipients = "baduhai@proton.me"; description = "Alert when daily spending exceeds $0.05"; message = "Daily spending has exceeded $0.05 in the trantor compartment"; }; diff --git a/terranix/tailscale/tailnet.nix b/terranix/tailscale/tailnet.nix index e69de29..929e79b 100644 --- a/terranix/tailscale/tailnet.nix +++ b/terranix/tailscale/tailnet.nix 
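Review bot: `targetIP` for public services is computed as `config.data.terraform_remote_state.trantor "outputs.instance_public_ip"`, which in Nix applies the attribute set that defines the remote-state data source to a string; unless terranix makes that attribute set callable, evaluation aborts with "attempt to call something which is not a function", and even if it did not, Terraform needs the interpolation string `"\${data.terraform_remote_state.trantor.outputs.instance_public_ip}"` (or terranix's `tfRef` helper, if your version provides it) to reference the output. The same literal-vs-reference question applies to `zone_id = config.variable.zone_id.default`, which bakes the default into the plan and silently ignores any `TF_VAR_zone_id` override; `"\${var.zone_id}"` keeps the variable meaningful. tailnet.nix on the next line uses the identical `config.variable.…default` pattern for the nameserver address.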
@@ -0,0 +1,43 @@
+# Required environment variables:
+# TAILSCALE_API_KEY - Tailscale API key with appropriate permissions
+# TAILSCALE_TAILNET - Your tailnet name (e.g., "user@example.com" or "example.org.github")
+# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage
+# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage
+
+{ config, ... }:
+
+{
+ terraform.required_providers.tailscale = {
+ source = "tailscale/tailscale";
+ version = "~> 0.17";
+ };
+
+ terraform.backend.s3 = {
+ bucket = "terraform-state";
+ key = "tailscale/tailnet.tfstate";
+ region = "auto";
+ endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com";
+ skip_credentials_validation = true;
+ skip_metadata_api_check = true;
+ skip_region_validation = true;
+ skip_requesting_account_id = true;
+ use_path_style = true;
+ };
+
+ variable = {
+ trantor_tailscale_ip = {
+ default = "100.108.5.90";
+ type = "string";
+ };
+ };
+
+ resource = {
+ tailscale_dns_nameservers.global = {
+ nameservers = [
+ config.variable.trantor_tailscale_ip.default
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+ };
+ };
+}
diff --git a/terranixConfigurations.nix b/terranixConfigurations.nix
index fc84f17..12c90d1 100644
--- a/terranixConfigurations.nix
+++ b/terranixConfigurations.nix
@@ -14,6 +14,14 @@
 modules = [ ./terranix/oci/trantor.nix ];
 terraformWrapper.package = pkgs.opentofu;
 };
+ cloudflare-baduhaidev = {
+ modules = [ ./terranix/cloudflare/baduhai.dev.nix ];
+ terraformWrapper.package = pkgs.opentofu;
+ };
+ tailscale-tailnet = {
+ modules = [ ./terranix/tailscale/tailnet.nix ];
+ terraformWrapper.package = pkgs.opentofu;
+ };
 };
 };
 }
diff --git a/users/modules/common/fish.nix b/users/modules/common/fish.nix
index d95db24..c753297 100644
--- a/users/modules/common/fish.nix
+++ b/users/modules/common/fish.nix
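Review bot: `trantor_tailscale_ip` duplicates the `tailscaleIP` already declared for trantor in shared/services.nix (added on this page and imported by terranix/cloudflare/baduhai.dev.nix), so the two values can drift; importing the same file here and selecting the trantor entry, e.g. `(lib.findFirst (s: s.host == "trantor") null services).tailscaleIP` or similar, avoids a second hard-coded default. Listing `1.1.1.1` and `1.0.0.1` alongside trantor as global nameservers also means tailnet clients may send `baduhai.dev` queries to Cloudflare rather than to unbound, which undercuts the split-horizon intent described in the readme; a `tailscale_dns_split_nameservers` resource for `baduhai.dev` pointing only at trantor, with the public resolvers kept global, expresses that directly.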
@@ -3,7 +3,10 @@ { programs.fish = { enable = true; - interactiveShellInit = "${lib.getExe pkgs.nix-your-shell} fish | source"; + interactiveShellInit = '' + set fish_greeting + ${lib.getExe pkgs.nix-your-shell} fish | source + ''; loginShellInit = "${lib.getExe pkgs.nix-your-shell} fish | source"; plugins = [ { diff --git a/users/modules/desktop/desktop.nix b/users/modules/desktop/desktop.nix index ba30852..6940e1f 100644 --- a/users/modules/desktop/desktop.nix +++ b/users/modules/desktop/desktop.nix @@ -1,15 +1,21 @@ { - config, inputs, pkgs, ... }: { + imports = [ inputs.vicinae.homeManagerModules.default ]; + fonts.fontconfig.enable = true; home.packages = with pkgs; [ xwayland-satellite ]; + services.vicinae = { + enable = true; + autoStart = true; + }; + programs = { ghostty = { @@ -22,7 +28,7 @@ url = "https://raw.githubusercontent.com/hackr-sh/ghostty-shaders/cb6eb4b0d1a3101c869c62e458b25a826f9dcde3/cursor_blaze.glsl"; sha256 = "sha256:0g2lgqjdrn3c51glry7x2z30y7ml0y61arl5ykmf4yj0p85s5f41"; }}"; - bell-features = "border"; + bell-features = ""; gtk-titlebar-style = "tabs"; keybind = [ "shift+enter=text:\\x1b\\r" ]; }; 
@@ -41,33 +47,28 @@ enable = true; defaultApplications = { "text/html" = [ - "com.github.timecraft.junction.desktop" + "re.sonny.Junction.desktop" "zen-browser.desktop" - "brave-browser.desktop" "torbrowser.desktop" ]; "x-scheme-handler/http" = [ - "com.github.timecraft.junction.desktop" + "re.sonny.Junction.desktop" "zen-browser.desktop" - "brave-browser.desktop" "torbrowser.desktop" ]; "x-scheme-handler/https" = [ - "com.github.timecraft.junction.desktop" + "re.sonny.Junction.desktop" "zen-browser.desktop" - "brave-browser.desktop" "torbrowser.desktop" ]; "x-scheme-handler/about" = [ - "com.github.timecraft.junction.desktop" + "re.sonny.Junction.desktop" "zen-browser.desktop" - "brave-browser.desktop" "torbrowser.desktop" ]; "x-scheme-handler/unknown" = [ - "com.github.timecraft.junction.desktop" + "re.sonny.Junction.desktop" "zen-browser.desktop" - "brave-browser.desktop" "torbrowser.desktop" ]; "image/jpeg" = "org.gnome.Loupe.desktop"; diff --git a/users/modules/desktop/niri.nix b/users/modules/desktop/niri.nix index 16955d9..0cb5db8 100644 --- a/users/modules/desktop/niri.nix +++ b/users/modules/desktop/niri.nix @@ -8,25 +8,35 @@ let isRotterdam = hostname == "rotterdam"; - noctalia = "${lib.getExe inputs.noctalia.packages.${pkgs.system}.default}"; in { imports = [ inputs.noctalia.homeModules.default ]; + services.kanshi = { + enable = true; + settings = [ + { + profile.name = "default"; + profile.outputs = [ + { + criteria = "*"; + scale = 1.0; + } + ]; + } + ]; + }; + home = { - packages = with pkgs; [ xwayland-satellite ]; + packages = with pkgs; [ + xwayland-satellite + inputs.noctalia.packages.${pkgs.system}.default + ]; sessionVariables.QT_QPA_PLATFORMTHEME = "gtk3"; }; xdg.configFile."niri/config.kdl".text = '' - output "eDP-1" { - scale 1.0 - } - output "DP-3" { - scale 1.0 - } - input { keyboard { xkb { 
@@ -83,23 +93,18 @@ in inactive-color "#505050" urgent-color "#9b0000" } - tab-indicator { - width 4 - gap 4 - place-within-column - } - ${lib.optionalString isRotterdam '' - struts { - left 8 - right 8 - }''} + tab-indicator { + width 4 + gap 4 + place-within-column + } } overview { zoom 0.65 } - spawn-at-startup "${noctalia}" + spawn-at-startup "noctalia-shell" "-d" layer-rule { match namespace="^wallpaper$" place-within-backdrop true 
@@ -135,18 +140,18 @@ in } binds { - Alt+Space { spawn "${noctalia}" "ipc" "call" "launcher" "toggle"; } - XF86AudioRaiseVolume allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "volume" "increase"; } - XF86AudioLowerVolume allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "volume" "decrease"; } - XF86AudioMute allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "volume" "muteOutput"; } - XF86MonBrightnessUp allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "brightness" "increase"; } - XF86MonBrightnessDown allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "brightness" "decrease"; } + Alt+Space repeat=false { spawn "vicinae" "toggle"; } + XF86AudioRaiseVolume allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "increase"; } + XF86AudioLowerVolume allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "decrease"; } + XF86AudioMute allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "muteOutput"; } + XF86MonBrightnessUp allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "brightness" "increase"; } + XF86MonBrightnessDown allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "brightness" "decrease"; } XF86AudioPlay allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "play-pause"; } XF86AudioStop allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "stop"; } XF86AudioPrev allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "previous"; } XF86AudioNext allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "next"; } - Mod+V { spawn "${noctalia}" "ipc" "call" "launcher" "clipboard"; } - Mod+Shift+L { spawn "${noctalia}" "ipc" "call" "lockScreen" "toggle"; } + Mod+V repeat=false { spawn "vicinae" "vicinae://extensions/vicinae/clipboard/history"; } + Mod+Shift+L repeat=false { spawn "noctalia-shell" "ipc" "call" "lockScreen" "lock"; } Mod+Return { spawn "ghostty"; } Ctrl+Alt+Shift+A allow-when-locked=true { spawn "toggleaudiosink"; } 
Mod+W repeat=false { toggle-overview; } @@ -155,17 +160,13 @@ in Mod+Shift+Q { close-window; } Alt+F4 { close-window; } Mod+Left { focus-column-left; } - Mod+Down { focus-window-down; } - Mod+Up { focus-window-up; } + Mod+Down { focus-window-or-workspace-down; } + Mod+Up { focus-window-or-workspace-up; } Mod+Right { focus-column-right; } Mod+H { focus-column-left; } Mod+L { focus-column-right; } - Mod+J { focus-window-down; } - Mod+K { focus-window-up; } - Ctrl+Alt+J { focus-workspace-down; } - Ctrl+Alt+K { focus-workspace-up; } - Ctrl+Alt+Down { focus-workspace-down; } - Ctrl+Alt+Up { focus-workspace-up; } + Mod+J { focus-window-or-workspace-down; } + Mod+K { focus-window-or-workspace-up; } Mod+Ctrl+Left { move-column-left; } Mod+Ctrl+Down { move-window-down-or-to-workspace-down; } Mod+Ctrl+Up { move-window-up-or-to-workspace-up; } @@ -220,8 +221,8 @@ in Mod+Print { screenshot; } Ctrl+Print { screenshot-window; } Mod+Backspace allow-inhibiting=false { toggle-keyboard-shortcuts-inhibit; } - Mod+Alt+E { spawn "${noctalia}" "ipc" "call" "sessionMenu" "toggle"; } - Ctrl+Alt+Delete { spawn "${noctalia}" "ipc" "call" "sessionMenu" "toggle"; } + Mod+Alt+E { spawn "noctalia-shell" "ipc" "call" "sessionMenu" "toggle"; } + Ctrl+Alt+Delete { spawn "noctalia-shell" "ipc" "call" "sessionMenu" "toggle"; } Mod+Ctrl+P { power-off-monitors; } } ''; diff --git a/users/modules/stylix.nix b/users/modules/stylix.nix index 13ba8b6..f1c7e44 100644 --- a/users/modules/stylix.nix +++ b/users/modules/stylix.nix @@ -46,7 +46,7 @@ name = "FiraCode Nerd Font"; }; emoji = { - package = pkgs.noto-fonts-emoji; + package = pkgs.noto-fonts-color-emoji; name = "Noto Color Emoji"; }; sizes = { diff --git a/utils.nix b/utils.nix index 38cf968..8c20ab9 100644 --- a/utils.nix +++ b/utils.nix 
@@ -8,9 +8,14 @@ let home-manager agenix ; + + # Import shared service definitions + sharedServices = import ./shared/services.nix; in { + # Re-export shared services for use in host configs + inherit (sharedServices) services; # Tag-based host configuration system mkHost = { @@ -178,16 +183,41 @@ in # Nginx virtual host utilities mkNginxVHosts = - { - acmeHost, - domains, - }: + { domains }: let - commonVHostConfig = { - useACMEHost = acmeHost; - forceSSL = true; - kTLS = true; - }; + # Extract domain name and apply it as useACMEHost + mkVHostConfig = domain: config: + lib.recursiveUpdate { + useACMEHost = domain; + forceSSL = true; + kTLS = true; + } config; in - lib.mapAttrs (_: lib.recursiveUpdate commonVHostConfig) domains; + lib.mapAttrs mkVHostConfig domains; + + # Split DNS utilities for unbound + # Generates unbound view config from a list of DNS entries + mkSplitDNS = + entries: + let + # Generate local-data entries for all domains + tailscaleData = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') entries; + lanData = map (e: ''"${e.domain}. IN A ${e.lanIP}"'') entries; + in + [ + # Single Tailscale view with all domains + { + name = "tailscale"; + view-first = true; + local-zone = ''"baduhai.dev." transparent''; + local-data = tailscaleData; + } + # Single LAN view with all domains + { + name = "lan"; + view-first = true; + local-zone = ''"baduhai.dev." transparent''; + local-data = lanData; + } + ]; }
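Review bot: `mkSplitDNS` builds `lanData` with `e.lanIP` for every entry, but the forgejo record in shared/services.nix (new on this page) has no `lanIP`, so passing `utils.services` unfiltered aborts evaluation with a missing-attribute error; the caller is not visible here, so either filter inside the helper, `lanData = map (e: ''"${e.domain}. IN A ${e.lanIP}"'') (lib.filter (e: e ? lanIP) entries);`, or document that callers must pre-filter. `mkNginxVHosts` also drops its `acmeHost` parameter, which breaks any caller still passing it — the alexandria configuration is not on this page, so that migration should be confirmed. Naming the inner parameter `config` in `mkVHostConfig = domain: config:` shadows the conventional NixOS `config` and is easy to misread; `vhost` would be clearer.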