william/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: william:master
Branches Tags
william:master
william:terranix
william:refactor
william:dms
william:vim
william:ansible
william:niri
william:hyprland
..
compare: william:hyprland
Branches Tags
william:master
william:terranix
william:refactor
william:dms
william:vim
william:ansible
william:niri
william:hyprland

6 commits
master ... hyprland

Author SHA1 Message Date
William
c683fb2571 sticking to plasma for a little longer 2025-02-06 21:41:48 -03:00
William
259a0b6118 Further steps to a usable hyprland session 2025-02-06 00:49:23 -03:00
William
b602e3ec1b fast animations, some other changes 2025-02-05 11:37:27 -03:00
William
78b6eaf05c added packages to hyprland 2025-02-05 10:11:29 -03:00
William
01589b30ad I'll com back to this every once in a while. I need a vertical panel 2025-02-05 00:24:19 -03:00
William
6291136770 this will eventually be the hyprland config. 
once hyprpanel has a vertical layout, imma bounce from plasma
 2025-02-03 18:08:06 -03:00
142 changed files with 2511 additions and 4055 deletions
Download patch file Download diff file Expand all files Collapse all files

14
.gitignore vendored
View file

@ -1,13 +1,3 @@
# Nix build outputs
result
result-*
result/
.direnv/
oci-trantor/
tailscale-tailnet/
cloudflare-baduhaidev
# Personal notes and temporary files
todo.md
notes.md
scratch/
tmp/
.pre-commit-config.yaml

48
deploy.nix
View file

@ -1,48 +0,0 @@
{ inputs, self, ... }:
{
flake.deploy = {
remoteBuild = true;
nodes = {
alexandria = {
hostname = "alexandria";
profiles.system = {
sshUser = "user";
path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.alexandria;
user = "root";
};
};
trantor = {
hostname = "trantor";
profiles.system = {
sshUser = "user";
path = inputs.deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.trantor;
user = "root";
};
};
io = {
hostname = "io";
profiles = {
system = {
sshUser = "user";
path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.io;
user = "root";
remoteBuild = false;
};
user = {
sshUser = "user";
path = inputs.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurations."user@io";
user = "user";
remoteBuild = false;
};
};
};
};
};
perSystem =
{ system, ... }:
{
checks = inputs.deploy-rs.lib.${system}.deployChecks self.deploy;
};
}

16
devShells.nix
View file

@ -1,16 +0,0 @@
{ inputs, ... }:
{
perSystem =
{ pkgs, system, ... }:
{
devShells.default = pkgs.mkShell {
packages = with pkgs; [
inputs.agenix.packages.${system}.default
deploy-rs
nil
nixfmt-rfc-style
];
};
};
}

1113
flake.lock generated
View file

File diff suppressed because it is too large Load diff

199
flake.nix
View file

@ -2,76 +2,191 @@
description = "My nix hosts";
inputs = {
flake-parts.url = "github:hercules-ci/flake-parts";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
home-manager = {
url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:ryantm/agenix";
home-manager-stable = {
url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
disko.url = "github:nix-community/disko";
noctalia = {
url = "github:noctalia-dev/noctalia-shell";
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
stylix.url = "github:danth/stylix";
deploy-rs = {
url = "github:serokell/deploy-rs";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-cli.url = "github:nix-community/nixos-cli";
nix-flatpak.url = "github:gmodena/nix-flatpak/main";
zen-browser.url = "github:0xc000022070/zen-browser-flake";
homepage = {
url = "github:AlexW00/StartTreeV2";
flake = false;
};
impermanence.url = "github:nix-community/impermanence";
deploy-rs.url = "github:serokell/deploy-rs";
nix-flatpak.url = "github:gmodena/nix-flatpak/?ref=v0.4.1";
niri-flake.url = "github:sodiboo/niri-flake";
niri.url = "github:baduhai/niri/auto-center-when-space-available";
nix-index-database = {
nix-index-db = {
url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
terranix = {
url = "github:terranix/terranix";
nix-minecraft = {
url = "github:Infinidoge/nix-minecraft";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-ai-tools.url = "github:numtide/nix-ai-tools";
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
vicinae.url = "github:vicinaehq/vicinae";
stylix = {
url = "github:danth/stylix";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
tritanium-shell.url = "github:baduhai/tritanium-shell";
};
outputs =
inputs@{ flake-parts, ... }:
flake-parts.lib.mkFlake { inherit inputs; } {
systems = [
"x86_64-linux"
"aarch64-linux"
];
inputs@{
self,
nixpkgs,
nixpkgs-stable,
home-manager,
home-manager-stable,
agenix,
deploy-rs,
homepage,
impermanence,
nix-flatpak,
nix-index-db,
nix-minecraft,
nixos-generators,
stylix,
tritanium-shell,
...
}:
{
nixosConfigurations = {
rotterdam = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
./hosts/desktops/rotterdam.nix
agenix.nixosModules.default
home-manager.nixosModules.default
impermanence.nixosModules.impermanence
nix-index-db.nixosModules.nix-index
nix-flatpak.nixosModules.nix-flatpak
stylix.nixosModules.stylix
{
nixpkgs.overlays = [
agenix.overlays.default
self.overlays.custom
];
}
];
};
imports = [
./deploy.nix
./devShells.nix
./homeConfigurations.nix
./nixosConfigurations.nix
./nixosModules.nix
./overlays.nix
./packages.nix
./terranixConfigurations.nix
];
io = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
./hosts/desktops/io.nix
agenix.nixosModules.default
home-manager.nixosModules.default
impermanence.nixosModules.impermanence
nix-index-db.nixosModules.nix-index
nix-flatpak.nixosModules.nix-flatpak
stylix.nixosModules.stylix
{
nixpkgs.overlays = [
agenix.overlays.default
self.overlays.custom
];
}
];
};
alexandria = nixpkgs-stable.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
./hosts/servers/alexandria.nix
agenix.nixosModules.default
home-manager-stable.nixosModules.default
self.nixosModules.qbittorrent
({
nixpkgs.overlays = [
agenix.overlays.default
nix-minecraft.overlay
];
imports = [ nix-minecraft.nixosModules.minecraft-servers ];
})
];
};
};
overlays = {
custom = final: prev: {
plasticity = nixpkgs.legacyPackages."x86_64-linux".callPackage ./packages/plasticity.nix { };
};
};
deploy = {
autoRollback = true;
magicRollback = false;
nodes = {
alexandria = {
hostname = "alexandria";
profiles = {
system = {
user = "root";
sshUser = "root";
remoteBuild = true;
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.alexandria;
};
};
};
io = {
hostname = "io";
profiles = {
system = {
user = "root";
sshUser = "root";
remoteBuild = false;
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.io;
};
};
};
};
};
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
devShells."x86_64-linux".default = nixpkgs.legacyPackages."x86_64-linux".mkShell {
packages = with nixpkgs.legacyPackages."x86_64-linux"; [
nil
nixfmt-rfc-style
];
};
nixosModules.qbittorrent = import ./modules/qbittorrent.nix;
};
}

43
homeConfigurations.nix
View file

@ -1,43 +0,0 @@
{ inputs, ... }:
let
lib = inputs.nixpkgs.lib;
utils = import ./utils.nix { inherit inputs lib; };
inherit (utils) mkHome;
in
{
flake.homeConfigurations = {
"user@rotterdam" = mkHome {
username = "user";
hostname = "rotterdam";
tags = [
"desktop"
"btop"
"comma"
"direnv"
"gaming"
"helix"
"obs-studio"
"starship"
"stylix"
"tmux"
];
};
"user@io" = mkHome {
username = "user";
hostname = "io";
tags = [
"desktop"
"btop"
"comma"
"direnv"
"helix"
"starship"
"stylix"
"tmux"
];
};
};
}

15
hosts/alexandria/jellyfin.nix
View file

@ -1,15 +0,0 @@
{ lib, inputs, ... }:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts;
in
{
services.jellyfin = {
enable = true;
openFirewall = true;
};
services.nginx.virtualHosts = mkNginxVHosts {
domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/";
};
}

83
hosts/alexandria/kanidm.nix
View file

@ -1,83 +0,0 @@
{
config,
lib,
inputs,
pkgs,
...
}:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts;
kanidmCertDir = "/var/lib/kanidm/certs";
in
{
services.kanidm = {
enableServer = true;
enableClient = true;
package = pkgs.kanidm;
serverSettings = {
domain = "auth.baduhai.dev";
origin = "https://auth.baduhai.dev";
bindaddress = "127.0.0.1:8443";
ldapbindaddress = "127.0.0.1:636";
trust_x_forward_for = true;
# Use self-signed certificates for internal TLS
tls_chain = "${kanidmCertDir}/cert.pem";
tls_key = "${kanidmCertDir}/key.pem";
};
clientSettings = {
uri = "https://auth.baduhai.dev";
};
};
services.nginx.virtualHosts = mkNginxVHosts {
domains."auth.baduhai.dev" = {
locations."/" = {
proxyPass = "https://127.0.0.1:8443";
extraConfig = ''
proxy_ssl_verify off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 636 ];
# Generate self-signed certificates for kanidm's internal TLS
systemd.services.kanidm-generate-certs = {
description = "Generate self-signed TLS certificates for Kanidm";
wantedBy = [ "multi-user.target" ];
before = [ "kanidm.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir -p ${kanidmCertDir}
if [ ! -f ${kanidmCertDir}/key.pem ]; then
${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 \
-keyout ${kanidmCertDir}/key.pem \
-out ${kanidmCertDir}/cert.pem \
-days 3650 -nodes \
-subj "/CN=localhost" \
-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
chown -R kanidm:kanidm ${kanidmCertDir}
chmod 600 ${kanidmCertDir}/key.pem
chmod 644 ${kanidmCertDir}/cert.pem
fi
'';
};
# Ensure certificate generation runs before kanidm starts
systemd.services.kanidm = {
after = [ "kanidm-generate-certs.service" ];
wants = [ "kanidm-generate-certs.service" ];
};
}

59
hosts/alexandria/nginx.nix
View file

@ -1,59 +0,0 @@
{
config,
lib,
inputs,
...
}:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts services;
# Get all unique domains from shared services that have LAN IPs (served by this host)
localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "alexandria") services));
# Generate ACME cert configs for all local domains
acmeCerts = lib.genAttrs localDomains (domain: {
group = "nginx";
});
in
{
security.acme = {
acceptTerms = true;
defaults = {
email = "baduhai@proton.me";
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare.path;
};
certs = acmeCerts;
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"_" = {
default = true;
locations."/".return = "444";
};
};
};
users.users.nginx.extraGroups = [ "acme" ];
networking.firewall.allowedTCPPorts = [
80
443
];
age.secrets.cloudflare = {
file = ../../secrets/cloudflare.age;
owner = "nginx";
group = "nginx";
};
}

58
hosts/alexandria/unbound.nix
View file

@ -1,58 +0,0 @@
{ inputs, lib, ... }:
let
utils = import ../../utils.nix { inherit inputs lib; };
in
{
services.unbound = {
enable = true;
enableRootTrustAnchor = true;
settings = {
server = {
interface = [
"0.0.0.0"
"::"
];
access-control = [
"127.0.0.0/8 allow"
"192.168.0.0/16 allow"
"::1/128 allow"
];
num-threads = 2;
msg-cache-size = "50m";
rrset-cache-size = "100m";
cache-min-ttl = 300;
cache-max-ttl = 86400;
prefetch = true;
prefetch-key = true;
hide-identity = true;
hide-version = true;
so-rcvbuf = "1m";
so-sndbuf = "1m";
# LAN-only DNS records
local-zone = ''"baduhai.dev." transparent'';
local-data = map (e: ''"${e.domain}. IN A ${e.lanIP}"'')
(lib.filter (e: e ? lanIP) utils.services);
};
forward-zone = [
{
name = ".";
forward-addr = [
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
];
forward-tls-upstream = true;
}
];
};
};
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
}

26
hosts/alexandria/vaultwarden.nix
View file

@ -1,26 +0,0 @@
{
config,
lib,
inputs,
...
}:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts;
in
{
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://pass.baduhai.dev";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 58222;
};
};
services.nginx.virtualHosts = mkNginxVHosts {
domains."pass.baduhai.dev".locations."/".proxyPass =
"http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
};
}

2
hosts/modules/common/boot.nix → hosts/common/boot.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }:
{ ... }:
{
boot = {

0
hosts/modules/common/console.nix → hosts/common/console.nix
View file

17
hosts/common/default.nix Normal file
View file

@ -0,0 +1,17 @@
{ ... }:
{
imports = [
./boot.nix
./console.nix
./locale.nix
./networking.nix
./nix.nix
./packages.nix
./security.nix
./services.nix
./users.nix
./virtualisation.nix
./environment.nix
];
}

10
hosts/common/environment.nix Normal file
View file

@ -0,0 +1,10 @@
{ pkgs, ... }:
{
environment.shellAliases = {
ls = "${pkgs.eza}/bin/eza --icons --group-directories-first";
neofetch = "fastfetch";
tree = "ls --tree";
syscleanup = "sudo nix-collect-garbage -d; sudo /run/current-system/bin/switch-to-configuration boot";
};
}

1
hosts/modules/common/locale.nix → hosts/common/locale.nix
View file

@ -7,7 +7,6 @@
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "pt_BR.utf8";
LC_COLLATE = "pt_BR.utf8";
LC_IDENTIFICATION = "pt_BR.utf8";
LC_MEASUREMENT = "pt_BR.utf8";
LC_MONETARY = "pt_BR.utf8";

2
hosts/modules/common/firewall.nix → hosts/common/networking.nix
View file

@ -2,7 +2,7 @@
{
networking = {
networkmanager.enable = true;
firewall.enable = true;
nftables.enable = true;
};
}

12
hosts/modules/common/nix.nix → hosts/common/nix.nix
View file

@ -1,8 +1,6 @@
{ inputs, ... }:
{ ... }:
{
imports = [ inputs.nixos-cli.nixosModules.nixos-cli ];
nix = {
settings = {
auto-optimise-store = true;
@ -26,13 +24,5 @@
buildDocs = false;
};
services.nixos-cli = {
enable = true;
config = {
use_nvd = true;
ignore_dirty_tree = true;
};
};
system.stateVersion = "22.11";
}

21
hosts/common/packages.nix Normal file
View file

@ -0,0 +1,21 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
agenix
bind
btop
fastfetch
git
helix
killall
sysz
tmux
wget
];
programs = {
fish.enable = true;
command-not-found.enable = false;
};
}

0
hosts/modules/common/security.nix → hosts/common/security.nix
View file

11
hosts/modules/desktop/services.nix → hosts/common/services.nix
View file

@ -1,9 +1,14 @@
{ pkgs, ... }:
{ ... }:
{
services = {
printing.enable = true;
udev.packages = with pkgs; [ yubikey-personalization ];
fwupd.enable = true;
fstrim.enable = true;
tailscale = {
enable = true;
extraUpFlags = [ "--operator=user" ];
};
openssh.enable = true;
keyd = {
enable = true;
keyboards.all = {

10
hosts/modules/common/users.nix → hosts/common/users.nix
View file

@ -7,17 +7,21 @@
shell = pkgs.fish;
extraGroups = [
"networkmanager"
"docker"
"wheel"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcwF1yuWEfYGScNocEbs0AmGxyTIzGc4/IhpU587SJE"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL"
];
hashedPassword = "$6$Pj7v/CpstyuWQQV0$cNujVDhfMBdwlGVEnnd8t71.kZPixbo0u25cd.874iaqLTH4V5fa1f98V5zGapjQCz5JyZmsR94xi00sUrntT0";
};
root = {
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcwF1yuWEfYGScNocEbs0AmGxyTIzGc4/IhpU587SJE"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL"
];
hashedPassword = "!";
};
};

1
hosts/modules/podman.nix → hosts/common/virtualisation.nix
View file

@ -3,6 +3,7 @@
{
virtualisation.podman = {
enable = true;
dockerCompat = true;
autoPrune.enable = true;
extraPackages = [ pkgs.podman-compose ];
};

0
hosts/modules/desktop/boot.nix → hosts/desktops/common/boot.nix
View file

16
hosts/desktops/common/default.nix Normal file
View file

@ -0,0 +1,16 @@
{ ... }:
{
imports = [
./boot.nix
./hardware.nix
./home-manager.nix
./impermanence.nix
./nix.nix
./packages.nix
./services.nix
./stylix.nix
./users.nix
./virtualisation.nix
];
}

13
hosts/desktops/common/hardware.nix Normal file
View file

@ -0,0 +1,13 @@
{ ... }:
{
hardware = {
xpadneo.enable = true;
bluetooth.enable = true;
steam-hardware.enable = true; # Allow steam client to manage controllers
graphics.enable32Bit = true; # For OpenGL games
i2c.enable = true;
};
security.rtkit.enable = true; # Needed for pipewire to acquire realtime priority
}

15
hosts/desktops/common/home-manager.nix Normal file
View file

@ -0,0 +1,15 @@
{ inputs, ... }:
{
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
backupFileExtension = "bkp";
users.user = {
imports = [
../../../users/desktops/user.nix
inputs.tritanium-shell.homeManagerModules.default
];
};
};
}

32
hosts/modules/ephemeral.nix → hosts/desktops/common/impermanence.nix
View file

@ -1,21 +1,6 @@
{ config, inputs, ... }:
{ ... }:
{
imports = [
inputs.impermanence.nixosModules.impermanence
inputs.self.nixosModules.ephemeral
];
ephemeral = {
enable = true;
rootDevice =
if config.networking.hostName == "trantor" then
"/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20-part2"
else
"/dev/mapper/cryptroot";
rootSubvolume = "@root";
};
environment.persistence.main = {
persistentStoragePath = "/persistent";
files = [
@ -26,16 +11,13 @@
"/etc/ssh/ssh_host_rsa_key.pub"
];
directories = [
"/etc/NetworkManager/system-connections"
"/etc/nixos"
"/var/lib/bluetooth"
"/var/lib/flatpak"
"/var/lib/lxd"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/var/lib/systemd/timers"
"/var/lib/tailscale"
"/var/log"
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/flatpak"
"/var/lib/tailscale"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
];
};
}

0
hosts/modules/desktop/nix.nix → hosts/desktops/common/nix.nix
View file

139
hosts/desktops/common/packages.nix Normal file
View file

@ -0,0 +1,139 @@
{ pkgs, ... }:
let
kdepkgs = with pkgs.kdePackages; [
ark
dolphin-plugins
kolourpaint
];
kwrite = pkgs.symlinkJoin {
name = "kwrite";
paths = [ pkgs.kdePackages.kate ];
postBuild = ''
rm -rf $out/bin/kate \
$out/bin/.kate-wrapped \
$out/share/applications/org.kde.kate.desktop \
$out/share/man \
$out/share/icons/hicolor/*/apps/kate.png \
$out/share/icons/hicolor/scalable/apps/kate.svg \
$out/share/appdata/org.kde.kate.appdata.xml
'';
};
in
{
environment.systemPackages =
with pkgs;
[
adwaita-icon-theme
aspell
aspellDicts.de
aspellDicts.en
aspellDicts.en-computers
aspellDicts.pt_BR
bat
clonehero
deploy-rs
distrobox
fd
firefox
freecad-wayland
fzf
ghostty
gimp
heroic
inkscape
junction
kara
kde-rounded-corners
kwrite
libfido2
libreoffice-qt
# lilipod BROKEN
mangohud
microsoft-edge
mission-center
mpv
nextcloud-client
nixfmt-rfc-style
nixos-firewall-tool
nix-init
nix-output-monitor
obsidian
obs-studio
orca-slicer
p7zip
plasma-panel-colorizer
plasticity
protonup
quickemu
quickgui
qview
qbittorrent
ripgrep
rnote
steam-run
tor-browser
ungoogled-chromium
unrar
ventoy
vesktop
]
++ kdepkgs;
services.flatpak = {
enable = true;
packages = [
"com.github.k4zmu2a.spacecadetpinball"
"com.github.tchx84.Flatseal"
"com.modrinth.ModrinthApp"
"com.steamgriddb.SGDBoop"
"app.zen_browser.zen"
"io.github.Foldex.AdwSteamGtk"
"io.itch.itch"
"org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/24.08"
];
uninstallUnmanaged = true;
update.auto.enable = true;
};
programs = {
adb.enable = true;
steam.enable = true;
dconf.enable = true;
nix-ld.enable = true;
kdeconnect.enable = true;
partition-manager.enable = true;
gamemode.enable = true;
hyprland.enable = true;
nix-index-database.comma.enable = true;
appimage = {
enable = true;
binfmt = true;
};
nh = {
enable = true;
flake = "/home/user/Projects/personal/nix-config";
};
};
fonts = {
fontDir.enable = true;
packages = with pkgs; [
corefonts
noto-fonts-cjk-sans
roboto
nerd-fonts.jetbrains-mono
];
};
environment.plasma6.excludePackages = (
with pkgs.kdePackages;
[
discover
elisa
gwenview
kate
khelpcenter
oxygen
]
);
}

61
hosts/desktops/common/services.nix Normal file
View file

@ -0,0 +1,61 @@
{
inputs,
config,
pkgs,
...
}:
{
services = {
printing.enable = true;
udev.packages = with pkgs; [ yubikey-personalization ];
desktopManager.plasma6.enable = true;
tailscale.useRoutingFeatures = "client";
nginx = {
enable = true;
virtualHosts."localhost".root = inputs.homepage;
};
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
greetd = {
enable = true;
settings = {
default_session.command =
let
xSessions = "${config.services.displayManager.sessionData.desktops}/share/xsessions";
wlSessions = "${config.services.displayManager.sessionData.desktops}/share/wayland-sessions";
in
''
${pkgs.greetd.tuigreet}/bin/tuigreet \
--remember \
--asterisks \
--time \
--greeting "NixOS" \
--sessions ${xSessions}:${wlSessions}
'';
initial_session = {
command = ''
${pkgs.kdePackages.plasma-workspace}/bin/startplasma-wayland &> /dev/null
'';
user = "user";
};
};
};
};
xdg.portal = {
enable = true;
xdgOpenUsePortal = true;
extraPortals = with pkgs; [
xdg-desktop-portal-kde
xdg-desktop-portal-gtk
xdg-desktop-portal-gnome
];
};
}

42
users/modules/stylix.nix → hosts/desktops/common/stylix.nix
View file

@ -1,30 +1,17 @@
{
config,
inputs,
pkgs,
...
}:
{ config, pkgs, ... }:
{
imports = [
inputs.stylix.homeModules.stylix
inputs.zen-browser.homeModules.beta
];
stylix = {
enable = true;
polarity = "dark";
base16Scheme = "${pkgs.base16-schemes}/share/themes/tokyodark.yaml";
cursor = {
package = pkgs.kdePackages.breeze;
name = "breeze_cursors";
size = 24;
image = pkgs.fetchurl {
url = "https://w.wallhaven.cc/full/dp/wallhaven-dpwvl3.jpg";
sha256 = "sha256-h9UeYj8jSRgSv8XL+zgds4KtooLlJ+IqwxZbQEXdCh4=";
};
icons = {
enable = true;
package = pkgs.morewaita-icon-theme;
light = "MoreWaita";
dark = "MoreWaita";
base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-mocha.yaml";
cursor = {
package = pkgs.kdePackages.breeze-icons;
name = "Breeze_Light";
size = 24;
};
opacity = {
applications = 1.0;
@ -46,7 +33,7 @@
name = "FiraCode Nerd Font";
};
emoji = {
package = pkgs.noto-fonts-color-emoji;
package = pkgs.noto-fonts-emoji;
name = "Noto Color Emoji";
};
sizes = {
@ -56,14 +43,5 @@
terminal = 12;
};
};
targets.zen-browser = {
enable = true;
profileNames = [ "william" ];
};
};
programs.zen-browser = {
enable = true;
profiles.william = { };
};
}

20
hosts/desktops/common/users.nix Normal file
View file

@ -0,0 +1,20 @@
{ ... }:
{
environment.sessionVariables = rec {
KDEHOME = "$XDG_CONFIG_HOME/kde4"; # Stops kde from placing a .kde4 folder in the home dir
NIXOS_OZONE_WL = "1"; # Forces chromium and most electron apps to run in wayland
};
users.users.user = {
description = "William";
extraGroups = [
"uaccess" # Needed for HID dev
"dialout" # Needed for arduino dev
"libvirt"
"libvirtd"
"adbusers"
"i2c"
];
};
}

8
hosts/desktops/common/virtualisation.nix Normal file
View file

@ -0,0 +1,8 @@
{ ... }:
{
virtualisation = {
libvirtd.enable = true;
lxd.enable = true;
};
}

72
hosts/io/services.nix → hosts/desktops/io.nix
View file

@ -1,6 +1,67 @@
{ pkgs, ... }:
let
cml-ucm-conf = pkgs.alsa-ucm-conf.overrideAttrs {
wttsrc = pkgs.fetchFromGitHub {
owner = "WeirdTreeThing";
repo = "chromebook-ucm-conf";
rev = "b6ce2a7";
hash = "sha256-QRUKHd3RQmg1tnZU8KCW0AmDtfw/daOJ/H3XU5qWTCc=";
};
postInstall = ''
echo "v0.4.1" > $out/chromebook.patched
cp -R $wttsrc/{common,codecs,platforms} $out/share/alsa/ucm2
cp -R $wttsrc/{cml,sof-rt5682} $out/share/alsa/ucm2/conf.d
'';
};
in
{
imports = [
# Host-common imports
../common
# Desktop-common imports
./common
# Host-specific imports
./io
];
networking.hostName = "io";
nix.nixPath = [ "nixos-config=${./io.nix}" ];
zramSwap = {
enable = true;
memoryPercent = 100;
};
boot = {
# TODO check if future kernel versions fix boot issue with systemd initrd with tpm
initrd.systemd.tpm2.enable = false;
kernelParams = [
"nosgx"
"i915.fastboot=1"
"mem_sleep_default=deep"
];
extraModprobeConfig = ''
options snd-intel-dspcfg dsp_driver=3
'';
};
environment = {
systemPackages = with pkgs; [
maliit-keyboard
sof-firmware
];
sessionVariables.ALSA_CONFIG_UCM2 = "${cml-ucm-conf}/share/alsa/ucm2";
};
# TODO: remove once gmodena/nix-flatpak/issues/45 fixed
systemd.services."flatpak-managed-install" = {
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
};
};
services = {
keyd = {
enable = true;
@ -39,7 +100,7 @@
f9 = "f10";
f10 = "f11";
f13 = "f12";
y = "sysrq";
u = "sysrq";
k = "home";
l = "pageup";
"," = "end";
@ -48,14 +109,5 @@
};
};
};
upower.enable = true;
power-profiles-daemon.enable = true;
};
# TODO: remove once gmodena/nix-flatpak/issues/45 fixed
systemd.services."flatpak-managed-install" = {
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
};
};
}

8
hosts/desktops/io/default.nix Normal file
View file

@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./ephermal.nix
./hardware-configuration.nix
];
}

46
hosts/desktops/io/ephermal.nix Normal file
View file

@ -0,0 +1,46 @@
{ ... }:
{
boot.initrd.systemd.services.recreate-root = {
description = "Rolling over and creating new filesystem root";
requires = [ "initrd-root-device.target" ];
after = [
"local-fs-pre.target"
"initrd-root-device.target"
];
requiredBy = [ "initrd-root-fs.target" ];
before = [ "sysroot.mount" ];
unitConfig = {
AssertPathExists = "/etc/initrd-release";
DefaultDependencies = false;
};
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir /btrfs_tmp
mount /dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f /btrfs_tmp
if [[ -e /btrfs_tmp/@root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/@root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/@root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/@root
umount /btrfs_tmp
'';
};
}

83
hosts/desktops/io/hardware-configuration.nix Normal file
View file

@ -0,0 +1,83 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ahci"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
luks.devices."enc" = {
device = "/dev/disk/by-uuid/8018720e-42dd-453c-b374-adaa02eb48c9";
keyFile = "/dev/disk/by-partuuid/cbc7e305-d32d-4250-b6ae-6a8264ea096e";
};
};
kernelModules = [ "kvm-intel" ];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f";
fsType = "btrfs";
options = [
"subvol=@root"
"noatime"
"compress=zstd"
];
};
"/home" = {
device = "/dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f";
fsType = "btrfs";
options = [
"subvol=@home"
"noatime"
"compress=zstd"
];
};
"/nix" = {
device = "/dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f";
fsType = "btrfs";
options = [
"subvol=@nix"
"noatime"
"compress=zstd"
];
};
"/persistent" = {
device = "/dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f";
fsType = "btrfs";
options = [
"subvol=@persistent"
"noatime"
"compress=zstd"
];
};
"/boot/efi" = {
device = "/dev/disk/by-uuid/31C9-08FF";
fsType = "vfat";
options = [
"noatime"
"fmask=0077"
"dmask=0077"
];
};
};
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

90
hosts/desktops/rotterdam.nix Normal file
View file

@ -0,0 +1,90 @@
{ pkgs, ... }:
let
qubesnsh = pkgs.writeTextFile {
name = "qubes.nsh";
text = "HD1f65535a1:EFI\\qubes\\grubx64.efi";
};
reboot-into-qubes = pkgs.makeDesktopItem {
name = "reboot-into-qubes";
icon = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/vinceliuice/Qogir-icon-theme/31f267e1f5fd4e9596bfd78dfb41a03d3a9f33ee/src/scalable/apps/distributor-logo-qubes.svg";
sha256 = "sha256-QbHr7s5Wcs7uFtfqZctMyS0iDbMfiiZOKy2nHhDOfn0=";
};
desktopName = "Qubes OS";
genericName = "Reboot into Qubes OS";
categories = [ "System" ];
startupNotify = true;
exec = pkgs.writeShellScript "reboot-into-qubes" ''
${pkgs.yad}/bin/yad --form \
--title="Qubes OS" \
--image distributor-logo-qubes \
--text "Are you sure you want to reboot into Qubes OS?" \
--button="Yes:0" --button="Cancel:1"
if [ $? -eq 0 ]; then
systemctl reboot --boot-loader-entry=qubes.conf
fi
'';
};
in
{
imports = [
# Host-common imports
../common
# Desktop-common imports
./common
# Host-specific imports
./rotterdam
];
networking.hostName = "rotterdam";
services = {
flatpak.packages = [ "net.retrodeck.retrodeck" ];
keyd = {
enable = true;
keyboards.main = {
ids = [ "5653:0001" ];
settings.main = {
esc = "overload(meta, esc)";
};
};
};
};
environment.systemPackages = with pkgs; [ reboot-into-qubes ];
# hardware.graphics.extraPackages = with pkgs; [ rocmPackages.clr.icd ];
systemd.targets.hibernate.enable = false; # disable non-functional hibernate
nix.nixPath = [ "nixos-config=${./rotterdam.nix}" ];
boot = {
kernelParams = [
"processor.max_cstate=1" # Fixes bug where ryzen cpus freeze when in highest C state
"clearcpuid=514"
# Fixes amdgpu freezing
"amdgpu.noretry=0"
"amdgpu.ppfeaturemask=0xfffd3fff"
"amdgpu.gpu_recovery=1"
"amdgpu.lockup_timeout=1000"
];
# QubesOS boot entry
loader.systemd-boot = {
extraFiles = {
"efi/edk2-shell/shell.efi" = "${pkgs.edk2-uefi-shell}/shell.efi";
"qubes.nsh" = qubesnsh;
};
extraEntries."qubes.conf" = ''
title Qubes OS
efi /efi/edk2-shell/shell.efi
options -nointerrupt qubes.nsh
sort-key ab
'';
};
};
programs.steam.dedicatedServer.openFirewall = true;
}

8
hosts/desktops/rotterdam/default.nix Normal file
View file

@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./hardware-configuration.nix
./ephermal.nix
];
}

47
hosts/desktops/rotterdam/ephermal.nix Normal file
View file

@ -0,0 +1,47 @@
{ ... }:
{
boot.initrd.systemd.services.recreate-root = {
description = "Rolling over and creating new filesystem root";
requires = [ "initrd-root-device.target" ];
after = [
"local-fs-pre.target"
"initrd-root-device.target"
];
requiredBy = [ "initrd-root-fs.target" ];
before = [ "sysroot.mount" ];
unitConfig = {
AssertPathExists = "/etc/initrd-release";
DefaultDependencies = false;
};
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir /btrfs_tmp
mount /dev/disk/by-uuid/3287dbc3-c0fa-4096-a0b3-59b017cfecc8 /btrfs_tmp
if [[ -e /btrfs_tmp/@root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/@root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/@root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/@root
umount /btrfs_tmp
'';
};
}

10
hosts/rotterdam/hardware-configuration.nix → hosts/desktops/rotterdam/hardware-configuration.nix
View file

@ -72,8 +72,18 @@
"compress=zstd"
];
};
"/swap" = {
device = "/dev/disk/by-uuid/3287dbc3-c0fa-4096-a0b3-59b017cfecc8";
fsType = "btrfs";
options = [
"subvol=@swap"
"noatime"
];
};
};
swapDevices = [ { device = "/swap/swapfile"; } ];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

14
hosts/io/boot.nix
View file

@ -1,14 +0,0 @@
{
boot = {
# TODO check if future kernel versions fix boot issue with systemd initrd with tpm
initrd.systemd.tpm2.enable = false;
kernelParams = [
"nosgx"
"i915.fastboot=1"
"mem_sleep_default=deep"
];
extraModprobeConfig = ''
options snd-intel-dspcfg dsp_driver=3
'';
};
}

79
hosts/io/disko.nix
View file

@ -1,79 +0,0 @@
{ inputs, ... }:
{
imports = [ inputs.disko.nixosModules.default ];
disko.devices.disk.main = {
type = "disk";
device = "/dev/disk/by-id/mmc-hDEaP3_0x1041b689";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1MiB";
end = "1GiB";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot/efi";
mountOptions = [
"noatime"
"fmask=0077"
"dmask=0077"
];
};
};
cryptroot = {
priority = 2;
name = "root";
size = "100%";
content = {
type = "luks";
name = "cryptroot";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"@root" = {
mountpoint = "/";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@root"
];
};
"@home" = {
mountpoint = "/home";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@home"
];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@nix"
];
};
"@persistent" = {
mountpoint = "/persistent";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@persistent"
];
};
};
};
};
};
};
};
};
}

37
hosts/io/hardware-configuration.nix
View file

@ -1,37 +0,0 @@
{
config,
lib,
modulesPath,
inputs,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ahci"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
};
kernelModules = [ "kvm-intel" ];
};
zramSwap = {
enable = true;
memoryPercent = 100;
};
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

27
hosts/io/programs.nix
View file

@ -1,27 +0,0 @@
{ pkgs, ... }:
let
cml-ucm-conf = pkgs.alsa-ucm-conf.overrideAttrs {
wttsrc = pkgs.fetchFromGitHub {
owner = "WeirdTreeThing";
repo = "chromebook-ucm-conf";
rev = "b6ce2a7";
hash = "sha256-QRUKHd3RQmg1tnZU8KCW0AmDtfw/daOJ/H3XU5qWTCc=";
};
postInstall = ''
echo "v0.4.1" > $out/chromebook.patched
cp -R $wttsrc/{common,codecs,platforms} $out/share/alsa/ucm2
cp -R $wttsrc/{cml,sof-rt5682} $out/share/alsa/ucm2/conf.d
'';
};
in
{
environment = {
systemPackages = with pkgs; [
maliit-keyboard
sof-firmware
];
sessionVariables.ALSA_CONFIG_UCM2 = "${cml-ucm-conf}/share/alsa/ucm2";
};
}

10
hosts/modules/ai.nix
View file

@ -1,10 +0,0 @@
{ inputs, pkgs, ... }:
{
environment.systemPackages = with inputs.nix-ai-tools.packages.${pkgs.system}; [
claude-desktop
claude-code
claudebox
opencode
];
}

5
hosts/modules/bluetooth.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
hardware.bluetooth.enable = true;
}

11
hosts/modules/common/openssh.nix
View file

@ -1,11 +0,0 @@
{ ... }:
{
services.openssh = {
enable = true;
settings.PermitRootLogin = "no";
extraConfig = ''
PrintLastLog no
'';
};
}

40
hosts/modules/common/programs.nix
View file

@ -1,40 +0,0 @@
{ lib, pkgs, ... }:
{
environment = {
systemPackages = with pkgs; [
### Dev Tools ###
git
### System Utilities ###
btop
fastfetch
helix
nixos-firewall-tool
nvd
sysz
tmux
wget
yazi
];
shellAliases = {
cat = "${lib.getExe pkgs.bat} --paging=never --style=plain";
ls = "${lib.getExe pkgs.eza} --icons --group-directories-first";
tree = "ls --tree";
};
};
programs = {
command-not-found.enable = false;
fish = {
enable = true;
interactiveShellInit = ''
set fish_greeting
if set -q SSH_CONNECTION
export TERM=xterm-256color
clear
fastfetch
end
'';
};
};
}

9
hosts/modules/common/services.nix
View file

@ -1,9 +0,0 @@
{ ... }:
{
services = {
dbus.implementation = "broker";
irqbalance.enable = true;
fstrim.enable = true;
};
}

8
hosts/modules/common/tailscale.nix
View file

@ -1,8 +0,0 @@
{ ... }:
{
services.tailscale = {
enable = true;
extraUpFlags = [ "--operator=user" ];
};
}

163
hosts/modules/desktop/desktop.nix
View file

@ -1,163 +0,0 @@
{
config,
inputs,
lib,
pkgs,
...
}:
{
imports = [
inputs.niri-flake.nixosModules.niri
inputs.nix-flatpak.nixosModules.nix-flatpak
];
environment = {
sessionVariables = {
KDEHOME = "$XDG_CONFIG_HOME/kde4"; # Stops kde from placing a .kde4 folder in the home dir
NIXOS_OZONE_WL = "1"; # Forces chromium and most electron apps to run in wayland
};
systemPackages = with pkgs; [
### Web ###
bitwarden-desktop
fragments
nextcloud-client
tor-browser
vesktop
inputs.zen-browser.packages."${system}".default
### Office & Productivity ###
aspell
aspellDicts.de
aspellDicts.en
aspellDicts.en-computers
aspellDicts.pt_BR
libreoffice
onlyoffice-desktopeditors
papers
presenterm
rnote
### Graphics & Design ###
gimp
inkscape
plasticity
### System Utilities ###
adwaita-icon-theme
ghostty
gnome-disk-utility
junction
libfido2
mission-center
nautilus
p7zip
rclone
toggleaudiosink
unrar
### Media ###
decibels
loupe
obs-studio
showtime
];
};
services = {
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
greetd = {
enable = true;
settings = {
default_session = {
command = "${lib.getExe pkgs.tuigreet} --user-menu --time --remember --asterisks --cmd ${config.programs.niri.package}/bin/niri-session";
user = "greeter";
};
}
// lib.optionalAttrs (config.networking.hostName == "io") {
initial_session = {
command = "${config.programs.niri.package}/bin/niri-session";
user = "user";
};
};
};
flatpak = {
enable = true;
packages = [
### Graphics & Design ###
"com.boxy_svg.BoxySVG"
rec {
appId = "io.github.softfever.OrcaSlicer";
sha256 = "0hdx5sg6fknj1pfnfxvlfwb5h6y1vjr6fyajbsnjph5gkp97c6p1";
bundle = "${pkgs.fetchurl {
url = "https://github.com/SoftFever/OrcaSlicer/releases/download/v2.3.0/OrcaSlicer-Linux-flatpak_V2.3.0_x86_64.flatpak";
inherit sha256;
}}";
}
### System Utilities ###
"com.github.tchx84.Flatseal"
"com.rustdesk.RustDesk"
];
uninstallUnmanaged = true;
update.auto.enable = true;
};
gvfs.enable = true;
};
security.rtkit.enable = true; # Needed for pipewire to acquire realtime priority
users = {
users.greeter = {
isSystemUser = true;
group = "greeter";
};
groups.greeter = { };
};
programs = {
niri = {
enable = true;
package = inputs.niri.packages.${pkgs.system}.niri;
};
kdeconnect = {
enable = true;
package = pkgs.valent;
};
dconf.enable = true;
appimage = {
enable = true;
binfmt = true;
};
};
niri-flake.cache.enable = false;
fonts = {
fontDir.enable = true;
packages = with pkgs; [
corefonts
inter
nerd-fonts.fira-code
noto-fonts-cjk-sans
noto-fonts-color-emoji
roboto
];
};
xdg.portal = {
extraPortals = with pkgs; [
xdg-desktop-portal-gnome
xdg-desktop-portal-gtk
];
config = {
common.default = "*";
niri.default = [
"gtk"
"gnome"
];
};
};
}

19
hosts/modules/dev.nix
View file

@ -1,19 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
bat
lazygit
fd
fzf
glow
nixfmt-rfc-style
nix-init
nix-output-monitor
ripgrep
];
programs.adb.enable = true;
users.users.user.extraGroups = [ "adbusers" ];
}

5
hosts/modules/fwupd.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
services.fwupd.enable = true;
}

35
hosts/modules/gaming.nix
View file

@ -1,35 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
clonehero
heroic
mangohud
prismlauncher
steam-run
];
programs = {
steam = {
enable = true;
extraCompatPackages = [ pkgs.proton-ge-bin ];
};
gamemode.enable = true;
};
hardware = {
xpadneo.enable = true;
steam-hardware.enable = true; # Allow steam client to manage controllers
graphics.enable32Bit = true; # For OpenGL games
};
services.flatpak.packages = [
"com.github.k4zmu2a.spacecadetpinball"
"com.steamgriddb.SGDBoop"
"io.github.Foldex.AdwSteamGtk"
"io.itch.itch"
"io.mrarm.mcpelauncher"
"net.retrodeck.retrodeck"
"org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/24.08"
];
}

12
hosts/modules/libvirtd.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
virtualisation.libvirtd.enable = true;
programs.virt-manager.enable = true;
users.users.user.extraGroups = [
"libvirt"
"libvirtd"
];
}

10
hosts/modules/networkmanager.nix
View file

@ -1,10 +0,0 @@
{ ... }:
{
networking.networkmanager = {
enable = true;
wifi.backend = "iwd";
};
users.users.user.extraGroups = [ "networkmanager" ];
}

31
hosts/rotterdam/boot.nix
View file

@ -1,31 +0,0 @@
{ pkgs, ... }:
let
qubesnsh = pkgs.writeTextFile {
name = "qubes.nsh";
text = "HD1f65535a1:EFI\\qubes\\grubx64.efi";
};
in
{
boot = {
kernelParams = [
"processor.max_cstate=1" # Fixes bug where ryzen cpus freeze when in highest C state
"clearcpuid=514"
"amdgpu.ppfeaturemask=0xfffd3fff" # Fixes amdgpu freezing
];
# QubesOS boot entry
loader.systemd-boot = {
extraFiles = {
"efi/edk2-shell/shell.efi" = "${pkgs.edk2-uefi-shell}/shell.efi";
"qubes.nsh" = qubesnsh;
};
extraEntries."qubes.conf" = ''
title Qubes OS
efi /efi/edk2-shell/shell.efi
options -nointerrupt qubes.nsh
sort-key ab
'';
};
};
}

8
hosts/rotterdam/hardware.nix
View file

@ -1,8 +0,0 @@
{ pkgs, ... }:
{
hardware = {
amdgpu.opencl.enable = true;
graphics.extraPackages = with pkgs; [ rocmPackages.clr.icd ];
};
}

31
hosts/rotterdam/programs.nix
View file

@ -1,31 +0,0 @@
{ pkgs, ... }:
let
reboot-into-qubes = pkgs.makeDesktopItem {
name = "reboot-into-qubes";
icon = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/vinceliuice/Qogir-icon-theme/31f267e1f5fd4e9596bfd78dfb41a03d3a9f33ee/src/scalable/apps/distributor-logo-qubes.svg";
sha256 = "sha256-QbHr7s5Wcs7uFtfqZctMyS0iDbMfiiZOKy2nHhDOfn0=";
};
desktopName = "Qubes OS";
genericName = "Reboot into Qubes OS";
categories = [ "System" ];
startupNotify = true;
exec = pkgs.writeShellScript "reboot-into-qubes" ''
${pkgs.yad}/bin/yad --form \
--title="Qubes OS" \
--image distributor-logo-qubes \
--text "Are you sure you want to reboot into Qubes OS?" \
--button="Yes:0" --button="Cancel:1"
if [ $? -eq 0 ]; then
systemctl reboot --boot-loader-entry=qubes.conf
fi
'';
};
in
{
environment.systemPackages = [ reboot-into-qubes ];
programs.steam.dedicatedServer.openFirewall = true;
}

11
hosts/rotterdam/services.nix
View file

@ -1,11 +0,0 @@
{
services.keyd = {
enable = true;
keyboards.main = {
ids = [ "5653:0001" ];
settings.main = {
esc = "overload(meta, esc)";
};
};
};
}

34
hosts/servers/alexandria.nix Normal file
View file

@ -0,0 +1,34 @@
{ ... }:
{
imports = [
# Host-common imports
../common
# Server-common imports
./common
# Host-specific imports
./alexandria
];
nix.nixPath = [ "nixos-config=${./alexandria.nix}" ];
swapDevices = [
{
device = "/swapfile";
size = 8192;
}
];
networking = {
hostName = "alexandria";
firewall = {
allowedTCPPorts = [
80
443
8010
9666
];
allowedUDPPorts = [ 24454 ];
};
};
}

20
hosts/servers/alexandria/changedetection.nix Normal file
View file

@ -0,0 +1,20 @@
{ config, lib, ... }:
{
services = {
changedetection-io = {
enable = true;
behindProxy = true;
datastorePath = "/data/changedetection";
port = lib.toInt "${config.ports.changedetection-io}";
baseURL = "https://detect.baduhai.dev";
};
nginx.virtualHosts."detect.baduhai.dev" = {
useACMEHost = "baduhai.dev";
forceSSL = true;
kTLS = true;
locations."/".proxyPass = "http://127.0.0.1:${config.ports.changedetection-io}";
};
};
}

23
hosts/servers/alexandria/cinny.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, ... }:
{
virtualisation.oci-containers.containers."cinny" = {
image = "ghcr.io/cinnyapp/cinny:latest";
ports = [ "${config.ports.cinny}:80" ];
environment = {
TZ = "America/Bahia";
};
volumes = [ "/data/matrix/cinny-config.json:/app/config.json" ];
extraOptions = [
"--pull=newer"
"--label=io.containers.autoupdate=registry"
];
};
services.nginx.virtualHosts."matrix.baduhai.dev" = {
useACMEHost = "baduhai.dev";
forceSSL = true;
kTLS = true;
locations."/".proxyPass = "http://127.0.0.1:${config.ports.cinny}";
};
}

51
hosts/servers/alexandria/default.nix Normal file
View file

@ -0,0 +1,51 @@
{ lib, ... }:
let
mkStringOption =
default:
lib.mkOption {
inherit default;
type = lib.types.str;
};
in
{
imports = [
./changedetection.nix
./cinny.nix
./forgejo.nix
./hardware-configuration.nix
./jellyfin.nix
./librespeed.nix
./memos.nix
./minecraft.nix
./nextcloud.nix
./nginx.nix
./paperless.nix
./searx.nix
./services.nix
./users.nix
./vaultwarden.nix
];
options.ports = {
bazaar = mkStringOption "6767";
radarr = mkStringOption "7878";
vaultwarden = mkStringOption "8000";
changedetection-io = mkStringOption "8001";
cinny = mkStringOption "8002";
librespeed = mkStringOption "8003";
paperless = mkStringOption "8004";
yousable = mkStringOption "8005";
cinny2 = mkStringOption "8006";
searx = mkStringOption "8007";
qbittorrent = mkStringOption "8008";
actual = mkStringOption "8009";
memos = mkStringOption "8010";
collabora = mkStringOption "8011";
jellyfin = mkStringOption "8096";
sonarr = mkStringOption "8989";
jackett = mkStringOption "9117";
};
}

33
hosts/servers/alexandria/forgejo.nix Normal file
View file

@ -0,0 +1,33 @@
{ config, ... }:
let
domain = "git.baduhai.dev";
in
{
services = {
forgejo = {
enable = true;
repositoryRoot = "/data/forgejo";
settings = {
session.COOKIE_SECURE = true;
server = {
PROTOCOL = "http+unix";
DOMAIN = domain;
ROOT_URL = "https://${domain}";
OFFLINE_MODE = true; # disable use of CDNs
SSH_DOMAIN = "baduhai.dev";
};
log.LEVEL = "Warn";
mailer.ENABLED = false;
actions.ENABLED = false;
};
};
nginx.virtualHosts.${domain} = {
useACMEHost = "baduhai.dev";
forceSSL = true;
kTLS = true;
locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
};
};
}

24
hosts/alexandria/hardware-configuration.nix → hosts/servers/alexandria/hardware-configuration.nix
View file

@ -23,23 +23,17 @@
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/31289617-1d84-4432-a833-680b52e88525";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/4130-BE54";
fsType = "vfat";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/31289617-1d84-4432-a833-680b52e88525";
fsType = "ext4";
};
swapDevices = [
{
device = "/swapfile";
size = 8192;
}
];
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4130-BE54";
fsType = "vfat";
};
swapDevices = [ ];
networking.useDHCP = lib.mkDefault true;

19
hosts/servers/alexandria/jellyfin.nix Normal file
View file

@ -0,0 +1,19 @@
{ config, ... }:
{
services = {
jellyfin = {
enable = true;
user = "user";
group = "hosted";
openFirewall = true;
};
nginx.virtualHosts."jellyfin.baduhai.dev" = {
useACMEHost = "baduhai.dev";
forceSSL = true;
kTLS = true;
locations."/".proxyPass = "http://127.0.0.1:${config.ports.jellyfin}";
};
};
}

22
hosts/servers/alexandria/librespeed.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, ... }:
{
virtualisation.oci-containers.containers."librespeed" = {
image = "lscr.io/linuxserver/librespeed:latest";
environment = {
TZ = "America/Bahia";
};
ports = [ "${config.ports.librespeed}:80" ];
extraOptions = [
"--pull=newer"
"--label=io.containers.autoupdate=registry"
];
};
services.nginx.virtualHosts."speed.baduhai.dev" = {
useACMEHost = "baduhai.dev";
forceSSL = true;
kTLS = true;
locations."/".proxyPass = "http://127.0.0.1:${config.ports.librespeed}";
};
}

23
hosts/servers/alexandria/memos.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, ... }:
{
virtualisation.oci-containers.containers."memos" = {
image = "docker.io/neosmemo/memos:stable";
ports = [ "${config.ports.memos}:5230" ];
environment = {
TZ = "America/Bahia";
};
volumes = [ "/data/memos/:/var/opt/memos" ];
extraOptions = [
"--pull=newer"
"--label=io.containers.autoupdate=registry"
];
};
services.nginx.virtualHosts."notes.baduhai.dev" = {
useACMEHost = "baduhai.dev";
forceSSL = true;
kTLS = true;
locations."/".proxyPass = "http://127.0.0.1:${config.ports.memos}";
};
}

73
hosts/servers/alexandria/minecraft.nix Normal file
View file

@ -0,0 +1,73 @@
{ pkgs, ... }:
{
services.minecraft-servers = {
enable = true;
eula = true;
dataDir = "/data/minecraft";
servers."kingdomcums" = {
enable = true;
package = pkgs.fabricServers.fabric-1_20_1;
openFirewall = true;
serverProperties = {
difficulty = "normal";
gamemode = "survival";
motd = "Kingdom Cums";
online-mode = false;
spawn-protection = false;
};
symlinks."mods" = pkgs.linkFarmFromDrvs "mods" (
builtins.attrValues {
villagerNames = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/gqRXDo8B/versions/rzXhJ2pH/villagernames-1.20.1-8.1.jar";
sha256 = "0hcbbp3zi3nnr12kian9l645f22jr7495bcrlbng46nxp9h08pg5";
};
lithium = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/ZSNsJrPI/lithium-fabric-mc1.20.1-0.11.2.jar";
sha256 = "1ycdvrs46bbdxsa6i38sfx70v47nvzzbmblfpy3hq3k8blsrbid0";
};
lootr = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/EltpO5cN/versions/fqmzdpE2/lootr-fabric-1.20-0.7.33.81.jar";
sha256 = "0db0472rb07nbc9i925qp3n7s7nmrq6q3alhprflgc9gqg0j0f14";
};
malilib = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/GcWjdA9I/versions/V7yLDtJV/malilib-fabric-1.20.1-0.16.3.jar";
sha256 = "129m1jnk58p0wid5fmagqx13wp6pw4gja01yx14aljdxgzr8kqas";
};
immersivePaintings = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/6txNkua3/versions/UjL11A4h/immersive_paintings-0.6.7%2B1.20.1-fabric.jar";
sha256 = "1di9a67q372z6lplnsa1kmh86armya83mimn61c8ai7izjlsfnid";
};
entityCulling = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/NNAgCjsB/versions/mahLIqpj/entityculling-fabric-1.6.7-mc1.20.1.jar";
sha256 = "01iz8rgljgzl0d8gcwpmr6wcvv3b0cf1siggp3dn8q5hv9przk9k";
};
fabricAPI = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/P7uGFii0/fabric-api-0.92.2%2B1.20.1.jar";
sha256 = "1z3hcxng2p9ymph1c0k729vxxaasi34n6fcdsqwx0wsmqi2gh025";
};
fallingTree = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/Fb4jn8m6/versions/NrtzFkZE/FallingTree-1.20.1-4.3.4.jar";
sha256 = "0sfv2laxzgmkhmr0kizi7g09r6fkccjhj9p5j0viqywnwx02r7fs";
};
carryOn = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/joEfVgkn/versions/Mkla4B3q/carryon-fabric-1.20.1-2.1.2.7.jar";
sha256 = "1pgbqrjrxw7bgwn6phpywgpjfmf5h341ba93j76ibk649wbgn9cd";
};
collective = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/e0M1UDsY/versions/jo7YkyNS/collective-1.20.1-7.84.jar";
sha256 = "01qvaqmd5kmxq7sins6703xq5ckc47qs5kd62gnjyfq1dbjp2y2b";
};
dynamicLights = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/7YjclEGc/versions/eU6PA0pr/dynamiclights-v1.8.3-mc1.17x-1.21x-mod.jar";
sha256 = "0vdv525gis1vj514iqh4rbl6byp7k0ls3lsyj0c3db8g58d784gm";
};
appleSkin = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/EsAfCjCV/versions/xcauwnEB/appleskin-fabric-mc1.20.1-2.5.1.jar";
sha256 = "1d9qmzjlk763ycmizqpmhcq0hhqw9j8hij6xk8p8l11ljr13mql5";
};
}
);
};
};
}

54
hosts/alexandria/nextcloud.nix → hosts/servers/alexandria/nextcloud.nix
View file

@ -2,37 +2,22 @@
lib,
config,
pkgs,
inputs,
...
}:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts;
in
{
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud32;
package = pkgs.nextcloud30;
datadir = "/data/nextcloud";
hostName = "cloud.baduhai.dev";
configureRedis = true;
https = true;
autoUpdateApps.enable = true;
secretFile = config.age.secrets."nextcloud-secrets.json".path;
database.createLocally = true;
maxUploadSize = "16G";
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
calendar
contacts
notes
tasks
user_oidc
;
};
extraAppsEnable = true;
caching = {
apcu = true;
redis = true;
@ -41,7 +26,6 @@ in
trusted_proxies = [ "127.0.0.1" ];
default_phone_region = "BR";
maintenance_window_start = "4";
allow_local_remote_servers = true;
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\EMF"
@ -77,21 +61,43 @@ in
};
};
nginx.virtualHosts = mkNginxVHosts {
domains."cloud.baduhai.dev" = { };
collabora-online = {
enable = true;
port = lib.strings.toInt config.ports.collabora;
settings.ssl = {
enable = false;
termination = true;
};
};
nginx.virtualHosts = {
${config.services.nextcloud.hostName} = {
useACMEHost = "baduhai.dev";
forceSSL = true;
kTLS = true;
};
"office.baduhai.dev" = {
useACMEHost = "baduhai.dev";
forceSSL = true;
kTLS = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${config.ports.collabora}";
proxyWebsockets = true;
};
};
};
};
age.secrets = {
"nextcloud-secrets.json" = {
file = ../../secrets/nextcloud-secrets.json.age;
file = ../../../secrets/nextcloud-secrets.json.age;
owner = "nextcloud";
group = "nextcloud";
group = "hosted";
};
nextcloud-adminpass = {
file = ../../secrets/nextcloud-adminpass.age;
file = ../../../secrets/nextcloud-adminpass.age;
owner = "nextcloud";
group = "nextcloud";
group = "hosted";
};
};
}

37
hosts/servers/alexandria/nginx.nix Normal file
View file

@ -0,0 +1,37 @@
{ config, ... }:
{
services.nginx = {
enable = true;
group = "hosted";
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
security.acme = {
acceptTerms = true;
defaults = {
email = "baduhai@proton.me";
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare.path;
};
certs."baduhai.dev" = {
extraDomainNames = [ "*.baduhai.dev" ];
};
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
age.secrets.cloudflare = {
file = ../../../secrets/cloudflare.age;
owner = "nginx";
group = "hosted";
};
}

30
hosts/servers/alexandria/paperless.nix Normal file
View file

@ -0,0 +1,30 @@
{ config, lib, ... }:
{
services = {
paperless = {
enable = true;
dataDir = "/data/paperless/data";
mediaDir = "/data/paperless/media";
passwordFile = config.age.secrets.paperless.path;
port = lib.toInt "${config.ports.paperless}";
consumptionDirIsPublic = true;
settings = {
PAPERLESS_OCR_LANGUAGE = "eng+por+deu";
};
};
nginx.virtualHosts."docs.baduhai.dev" = {
useACMEHost = "baduhai.dev";
forceSSL = true;
kTLS = true;
locations."/".proxyPass = "http://127.0.0.1:${config.ports.paperless}";
};
};
age.secrets.paperless = {
file = ../../../secrets/paperless.age;
owner = "paperless";
group = "hosted";
};
}

28
hosts/servers/alexandria/searx.nix Normal file
View file

@ -0,0 +1,28 @@
{
config,
pkgs,
lib,
...
}:
{
services = {
searx = {
enable = true;
package = pkgs.searxng;
settings.server = {
port = lib.toInt "${config.ports.searx}";
bind_address = "0.0.0.0";
secret_key = "&yEf!xLA@y3FdJ5BjKnUnNAkqer$iW!9";
method = "GET";
};
};
nginx.virtualHosts."search.baduhai.dev" = {
useACMEHost = "baduhai.dev";
forceSSL = true;
kTLS = true;
locations."/".proxyPass = "http://127.0.0.1:${config.ports.searx}";
};
};
}

9
hosts/servers/alexandria/services.nix Normal file
View file

@ -0,0 +1,9 @@
{ ... }:
{
services.postgresql.enable = true;
# TODO: remove when bug fux
# Workaround for upstream bug in NetworkManager-wait-online.service
systemd.services.NetworkManager-wait-online.enable = false;
}

20
hosts/servers/alexandria/users.nix Normal file
View file

@ -0,0 +1,20 @@
{ ... }:
{
users = {
users = {
nginx.extraGroups = [ "acme" ];
};
groups = {
hosted = {
gid = 1005;
members = [
"user"
"minecraft"
"paperless"
"vaultwarden"
];
};
};
};
}

22
hosts/servers/alexandria/vaultwarden.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, ... }:
{
services = {
vaultwarden = {
enable = true;
config = {
DOMAIN = "https://pass.baduhai.dev";
SIGNUPS_ALLOWED = true;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = "${config.ports.vaultwarden}";
};
};
nginx.virtualHosts."pass.baduhai.dev" = {
useACMEHost = "baduhai.dev";
forceSSL = true;
kTLS = true;
locations."/".proxyPass = "http://127.0.0.1:${config.ports.vaultwarden}";
};
};
}

0
hosts/modules/server/boot.nix → hosts/servers/common/boot.nix
View file

10
hosts/servers/common/default.nix Normal file
View file

@ -0,0 +1,10 @@
{ ... }:
{
imports = [
./boot.nix
./home-manager.nix
./nix.nix
./services.nix
];
}

10
hosts/servers/common/home-manager.nix Normal file
View file

@ -0,0 +1,10 @@
{ ... }:
{
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
backupFileExtension = "bkp";
users.user = import ../../../users/servers/user.nix;
};
}

0
hosts/modules/server/nix.nix → hosts/servers/common/nix.nix
View file

5
hosts/modules/server/tailscale.nix → hosts/servers/common/services.nix
View file

@ -5,9 +5,4 @@
extraSetFlags = [ "--advertise-exit-node" ];
useRoutingFeatures = "server";
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
}

6
hosts/trantor/boot.nix
View file

@ -1,6 +0,0 @@
{
boot = {
initrd.systemd.enable = true;
loader.efi.efiSysMountPoint = "/boot/efi";
};
}

64
hosts/trantor/disko.nix
View file

@ -1,64 +0,0 @@
{ inputs, ... }:
{
imports = [ inputs.disko.nixosModules.default ];
disko.devices.disk.main = {
type = "disk";
device = "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1MiB";
end = "512MiB";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot/efi";
mountOptions = [
"noatime"
"fmask=0077"
"dmask=0077"
];
};
};
root = {
priority = 2;
name = "root";
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"@root" = {
mountpoint = "/";
mountOptions = [
"noatime"
"compress=zstd"
];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = [
"noatime"
"compress=zstd"
];
};
"@persistent" = {
mountpoint = "/persistent";
mountOptions = [
"noatime"
"compress=zstd"
];
};
};
};
};
};
};
};
}

23
hosts/trantor/fail2ban.nix
View file

@ -1,23 +0,0 @@
{ config, pkgs, ... }:
{
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
"127.0.0.0/8"
"::1"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
];
bantime = "1h";
bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64";
maxtime = "10000h";
overalljails = true;
};
};
}

72
hosts/trantor/forgejo.nix
View file

@ -1,72 +0,0 @@
{
config,
lib,
inputs,
...
}:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts;
in
{
services = {
forgejo = {
enable = true;
settings = {
session.COOKIE_SECURE = true;
server = {
PROTOCOL = "http+unix";
DOMAIN = "git.baduhai.dev";
ROOT_URL = "https://git.baduhai.dev";
OFFLINE_MODE = true; # disable use of CDNs
SSH_DOMAIN = "git.baduhai.dev";
};
log.LEVEL = "Warn";
mailer.ENABLED = false;
actions.ENABLED = false;
service.DISABLE_REGISTRATION = true;
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = true;
ACCOUNT_LINKING = "login";
USERNAME = "preferred_username";
};
};
};
nginx.virtualHosts = mkNginxVHosts {
domains."git.baduhai.dev".locations."/".proxyPass =
"http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
};
fail2ban.jails.forgejo = {
settings = {
enabled = true;
filter = "forgejo";
maxretry = 3;
findtime = "10m";
bantime = "1h";
};
};
};
environment = {
etc."fail2ban/filter.d/forgejo.conf".text = ''
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
journalmatch = _SYSTEMD_UNIT=forgejo.service
'';
persistence.main.directories = [
{
directory = config.services.forgejo.stateDir;
inherit (config.services.forgejo) user group;
mode = "0700";
}
];
};
# Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
}

20
hosts/trantor/hardware-configuration.nix
View file

@ -1,20 +0,0 @@
{
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"usbhid"
];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

8
hosts/trantor/networking.nix
View file

@ -1,8 +0,0 @@
{
networking = {
firewall = {
allowedTCPPorts = [ 25566 ];
allowedUDPPorts = [ 25566 ];
};
};
}

61
hosts/trantor/nginx.nix
View file

@ -1,61 +0,0 @@
{
config,
lib,
inputs,
...
}:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts services;
# Get all unique domains from shared services on trantor (host = "trantor")
localDomains = lib.unique (
map (s: s.domain) (lib.filter (s: s.host == "trantor") services)
);
# Generate ACME cert configs for all local domains
acmeCerts = lib.genAttrs localDomains (domain: {
group = "nginx";
});
in
{
security.acme = {
acceptTerms = true;
defaults = {
email = "baduhai@proton.me";
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare.path;
};
certs = acmeCerts;
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"_" = {
default = true;
locations."/".return = "444";
};
};
};
users.users.nginx.extraGroups = [ "acme" ];
networking.firewall.allowedTCPPorts = [
80
443
];
age.secrets.cloudflare = {
file = ../../secrets/cloudflare.age;
owner = "nginx";
group = "nginx";
};
}

23
hosts/trantor/openssh.nix
View file

@ -1,23 +0,0 @@
{ ... }:
{
services = {
openssh = {
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
fail2ban.jails.sshd = {
settings = {
enabled = true;
port = "ssh";
filter = "sshd";
logpath = "/var/log/auth.log";
maxretry = 3;
findtime = "10m";
bantime = "1h";
};
};
};
}

58
hosts/trantor/unbound.nix
View file

@ -1,58 +0,0 @@
{ inputs, lib, ... }:
let
utils = import ../../utils.nix { inherit inputs lib; };
in
{
services.unbound = {
enable = true;
enableRootTrustAnchor = true;
settings = {
server = {
interface = [
"0.0.0.0"
"::"
];
access-control = [
"127.0.0.0/8 allow"
"100.64.0.0/10 allow" # Tailscale CGNAT range
"::1/128 allow"
"fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
];
num-threads = 2;
msg-cache-size = "50m";
rrset-cache-size = "100m";
cache-min-ttl = 300;
cache-max-ttl = 86400;
prefetch = true;
prefetch-key = true;
hide-identity = true;
hide-version = true;
so-rcvbuf = "1m";
so-sndbuf = "1m";
# Tailnet DNS records from shared services
local-zone = ''"baduhai.dev." transparent'';
local-data = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') utils.services;
};
forward-zone = [
{
name = ".";
forward-addr = [
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
];
forward-tls-upstream = true;
}
];
};
};
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
}

84
modules/ephemeral.nix
View file

@ -1,84 +0,0 @@
{ lib, config, ... }:
let
cfg = config.ephemeral;
in
{
options.ephemeral = {
enable = lib.mkEnableOption "ephemeral root with automatic rollback";
rootDevice = lib.mkOption {
type = lib.types.str;
example = "/dev/mapper/cryptroot";
description = "Device path for the root btrfs filesystem";
};
rootSubvolume = lib.mkOption {
type = lib.types.str;
example = "@root";
description = "Name of the root btrfs subvolume";
};
oldRootRetentionDays = lib.mkOption {
type = lib.types.int;
default = 30;
description = "Number of days to keep old root snapshots before deletion";
};
};
config = lib.mkIf cfg.enable {
boot.initrd.systemd.services.recreate-root = {
description = "Rolling over and creating new filesystem root";
requires = [ "initrd-root-device.target" ];
after = [
"local-fs-pre.target"
"initrd-root-device.target"
];
requiredBy = [ "initrd-root-fs.target" ];
before = [ "sysroot.mount" ];
unitConfig = {
AssertPathExists = "/etc/initrd-release";
DefaultDependencies = false;
};
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
set -euo pipefail
mkdir /btrfs_tmp
if ! mount ${cfg.rootDevice} /btrfs_tmp; then
echo "ERROR: Failed to mount ${cfg.rootDevice}"
exit 1
fi
if [[ -e /btrfs_tmp/${cfg.rootSubvolume} ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/${cfg.rootSubvolume})" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/${cfg.rootSubvolume} "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +${toString cfg.oldRootRetentionDays}); do
delete_subvolume_recursively "$i"
done
if ! btrfs subvolume create /btrfs_tmp/${cfg.rootSubvolume}; then
echo "ERROR: Failed to create subvolume ${cfg.rootSubvolume}"
umount /btrfs_tmp
exit 1
fi
umount /btrfs_tmp
'';
};
};
}

123
modules/qbittorrent.nix Normal file
View file

@ -0,0 +1,123 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.services.qbittorrent;
configDir = "${cfg.dataDir}/.config";
openFilesLimit = 4096;
in
{
options.services.qbittorrent = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Run qBittorrent headlessly as systemwide daemon
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/qbittorrent";
description = ''
The directory where qBittorrent will create files.
'';
};
user = mkOption {
type = types.str;
default = "qbittorrent";
description = ''
User account under which qBittorrent runs.
'';
};
group = mkOption {
type = types.str;
default = "qbittorrent";
description = ''
Group under which qBittorrent runs.
'';
};
port = mkOption {
type = types.port;
default = 8080;
description = ''
qBittorrent web UI port.
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Open services.qBittorrent.port to the outside network.
'';
};
openFilesLimit = mkOption {
default = openFilesLimit;
description = ''
Number of files to allow qBittorrent to open.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.qbittorrent ];
nixpkgs.overlays = [
(final: prev: {
qbittorrent = prev.qbittorrent.override { guiSupport = false; };
})
];
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ];
};
systemd.services.qbittorrent = {
after = [ "network.target" ];
description = "qBittorrent Daemon";
wantedBy = [ "multi-user.target" ];
path = [ pkgs.qbittorrent ];
serviceConfig = {
ExecStart = ''
${pkgs.qbittorrent}/bin/qbittorrent-nox \
--profile=${configDir} \
--webui-port=${toString cfg.port}
'';
# To prevent "Quit & shutdown daemon" from working; we want systemd to
# manage it!
Restart = "on-success";
User = cfg.user;
Group = cfg.group;
UMask = "0002";
LimitNOFILE = cfg.openFilesLimit;
};
};
users.users = mkIf (cfg.user == "qbittorrent") {
qbittorrent = {
group = cfg.group;
home = cfg.dataDir;
createHome = true;
description = "qBittorrent Daemon user";
};
};
users.groups = mkIf (cfg.group == "qbittorrent") {
qbittorrent = {
gid = null;
};
};
};
}

55
nixosConfigurations.nix
View file

@ -1,55 +0,0 @@
{ inputs, ... }:
let
lib = inputs.nixpkgs.lib;
utils = import ./utils.nix { inherit inputs lib; };
inherit (utils) mkHost;
in
{
flake.nixosConfigurations = {
rotterdam = mkHost {
hostname = "rotterdam";
tags = [
"desktop"
"ai"
"bluetooth"
"dev"
"ephemeral"
"fwupd"
"gaming"
"libvirtd"
"networkmanager"
"podman"
];
};
io = mkHost {
hostname = "io";
tags = [
"desktop"
"ai"
"bluetooth"
"dev"
"ephemeral"
"networkmanager"
"podman"
];
};
alexandria = mkHost {
hostname = "alexandria";
tags = [
# "server" TODO: uncomment when 25.11 is out.
"fwupd"
];
};
trantor = mkHost {
hostname = "trantor";
system = "aarch64-linux";
tags = [
"server"
"ephemeral"
];
};
};
}

7
nixosModules.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
flake.nixosModules = {
ephemeral = import ./modules/ephemeral.nix;
};
}

13
overlays.nix
View file

@ -1,13 +0,0 @@
{ inputs, ... }:
{
flake.overlays = {
default = final: prev: {
base16-schemes = inputs.self.packages.${final.system}.base16-schemes;
fastfetch = inputs.self.packages.${final.system}.fastfetch;
hm-cli = inputs.self.packages.${final.system}.hm-cli;
kwrite = inputs.self.packages.${final.system}.kwrite;
toggleaudiosink = inputs.self.packages.${final.system}.toggleaudiosink;
};
};
}

15
packages.nix
View file

@ -1,15 +0,0 @@
{ ... }:
{
perSystem =
{ pkgs, system, ... }:
{
packages = {
base16-schemes = pkgs.callPackage ./packages/base16-schemes.nix { };
fastfetch = pkgs.callPackage ./packages/fastfetch.nix { };
hm-cli = pkgs.callPackage ./packages/hm-cli.nix { };
kwrite = pkgs.callPackage ./packages/kwrite.nix { };
toggleaudiosink = pkgs.callPackage ./packages/toggleaudiosink.nix { };
};
};
}

32
packages/base16-schemes.nix
View file

@ -1,32 +0,0 @@
{
lib,
stdenv,
fetchFromGitHub,
}:
stdenv.mkDerivation (finalAttrs: {
pname = "base16-schemes";
version = "0-unstable-2025-06-04";
src = fetchFromGitHub {
owner = "tinted-theming";
repo = "schemes";
rev = "317a5e10c35825a6c905d912e480dfe8e71c7559";
hash = "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=";
};
installPhase = ''
runHook preInstall
mkdir -p $out/share/themes/
install base16/*.yaml $out/share/themes/
runHook postInstall
'';
meta = {
description = "All the color schemes for use in base16 packages";
homepage = "https://github.com/tinted-theming/schemes";
maintainers = [ lib.maintainers.DamienCassou ];
license = lib.licenses.mit;
};
})

Some files were not shown because too many files have changed in this diff Show more