william/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: william:master
Branches Tags
william:master
william:terranix
william:refactor
william:dms
william:vim
william:ansible
william:niri
william:hyprland
..
compare: william:vim
Branches Tags
william:master
william:terranix
william:refactor
william:dms
william:vim
william:ansible
william:niri
william:hyprland

1 commit
master ... vim

Author SHA1 Message Date
William
c17f8d9d87 somewhat minimal neovim config to match helix (incomplete) 2025-08-16 18:50:51 -03:00
139 changed files with 2374 additions and 4005 deletions
Download patch file Download diff file Expand all files Collapse all files

13
.gitignore vendored
View file

@ -1,13 +1,4 @@
# Nix build outputs
result/
result
result-*
.direnv/
oci-trantor/
tailscale-tailnet/
cloudflare-baduhaidev
# Personal notes and temporary files
todo.md
notes.md
scratch/
tmp/
.pre-commit-config.yaml

48
deploy.nix
View file

@ -1,48 +0,0 @@
{ inputs, self, ... }:
{
flake.deploy = {
remoteBuild = true;
nodes = {
alexandria = {
hostname = "alexandria";
profiles.system = {
sshUser = "user";
path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.alexandria;
user = "root";
};
};
trantor = {
hostname = "trantor";
profiles.system = {
sshUser = "user";
path = inputs.deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.trantor;
user = "root";
};
};
io = {
hostname = "io";
profiles = {
system = {
sshUser = "user";
path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.io;
user = "root";
remoteBuild = false;
};
user = {
sshUser = "user";
path = inputs.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurations."user@io";
user = "user";
remoteBuild = false;
};
};
};
};
};
perSystem =
{ system, ... }:
{
checks = inputs.deploy-rs.lib.${system}.deployChecks self.deploy;
};
}

16
devShells.nix
View file

@ -1,16 +0,0 @@
{ inputs, ... }:
{
perSystem =
{ pkgs, system, ... }:
{
devShells.default = pkgs.mkShell {
packages = with pkgs; [
inputs.agenix.packages.${system}.default
deploy-rs
nil
nixfmt-rfc-style
];
};
};
}

864
flake.lock generated
View file

File diff suppressed because it is too large Load diff

198
flake.nix
View file

@ -2,8 +2,6 @@
description = "My nix hosts";
inputs = {
flake-parts.url = "github:hercules-ci/flake-parts";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05";
@ -11,67 +9,183 @@
url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager-stable = {
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
stylix = {
url = "github:danth/stylix";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
disko.url = "github:nix-community/disko";
noctalia = {
url = "github:noctalia-dev/noctalia-shell";
inputs.nixpkgs.follows = "nixpkgs";
disko = {
url = "github:nix-community/disko?ref=v1.11.0";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
stylix.url = "github:danth/stylix";
nixos-cli.url = "github:nix-community/nixos-cli";
nix-flatpak.url = "github:gmodena/nix-flatpak/main";
zen-browser.url = "github:0xc000022070/zen-browser-flake";
impermanence.url = "github:nix-community/impermanence";
deploy-rs.url = "github:serokell/deploy-rs";
niri-flake.url = "github:sodiboo/niri-flake";
niri.url = "github:baduhai/niri/auto-center-when-space-available";
nix-index-database = {
url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
terranix = {
url = "github:terranix/terranix";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-ai-tools.url = "github:numtide/nix-ai-tools";
vicinae.url = "github:vicinaehq/vicinae";
nixvim.url = "github:nix-community/nixvim";
};
outputs =
inputs@{ flake-parts, ... }:
flake-parts.lib.mkFlake { inherit inputs; } {
inputs@{
self,
nixpkgs,
nixpkgs-stable,
home-manager,
home-manager-stable,
stylix,
disko,
agenix,
nixos-cli,
nix-flatpak,
impermanence,
nixvim,
...
}:
let
systems = [
"x86_64-linux"
"aarch64-linux"
];
forAllSystems = nixpkgs.lib.genAttrs systems;
forAllSystemsWithPkgs =
f:
forAllSystems (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
f system pkgs
);
in
{
nixosConfigurations =
let
mkHost =
{
hostname,
type, # workstation|server
system ? "x86_64-linux",
extraModules ? [ ],
}:
let
pkgs = if type == "server" then nixpkgs-stable else nixpkgs;
hm = if type == "server" then home-manager-stable else home-manager;
hostTypeFlags = {
isServer = type == "server";
isWorkstation = type == "workstation";
};
defaultModules = [
./hosts/${hostname}.nix
agenix.nixosModules.default
disko.nixosModules.default
hm.nixosModules.default
impermanence.nixosModules.impermanence
nix-flatpak.nixosModules.nix-flatpak
stylix.nixosModules.stylix
nixvim.nixosModules.nixvim
nixos-cli.nixosModules.nixos-cli
{
nixpkgs.overlays = [
agenix.overlays.default
];
}
];
workstationModules = [
{
nixpkgs.overlays = [
self.overlays.workstationOverlay
];
}
];
serverModules = [
{
nixpkgs.overlays = [
self.overlays.serverOverlay
];
}
];
typeModules = if type == "server" then serverModules else workstationModules;
allModules = defaultModules ++ typeModules ++ extraModules;
in
pkgs.lib.nixosSystem {
inherit system;
specialArgs = {
inherit inputs;
hostType = hostTypeFlags;
};
modules = allModules;
};
in
{
rotterdam = mkHost {
hostname = "rotterdam";
type = "workstation";
};
io = mkHost {
hostname = "io";
type = "workstation";
};
alexandria = mkHost {
hostname = "alexandria";
type = "server";
extraModules = [
self.nixosModules.qbittorrent
];
};
trantor = mkHost {
hostname = "trantor";
type = "server";
system = "aarch64-linux";
};
};
imports = [
./deploy.nix
./devShells.nix
./homeConfigurations.nix
./nixosConfigurations.nix
./nixosModules.nix
./overlays.nix
./packages.nix
./terranixConfigurations.nix
];
devShells = forAllSystemsWithPkgs (
system: pkgs: {
default = pkgs.mkShell {
packages = with pkgs; [
nil
nixfmt-rfc-style
];
};
}
);
packages = forAllSystemsWithPkgs (
system: pkgs:
{
toggleaudiosink = pkgs.callPackage ./packages/toggleaudiosink.nix { };
}
// nixpkgs.lib.optionalAttrs (system == "x86_64-linux") {
plasticity = pkgs.callPackage ./packages/plasticity.nix { };
}
);
overlays = {
overlay = final: prev: {
};
workstationOverlay = final: prev: {
plasticity = self.packages.${final.system}.plasticity;
toggleaudiosink = self.packages.${final.system}.toggleaudiosink;
};
serverOverlay = final: prev: {
};
};
nixosModules = {
qbittorrent = import ./modules/qbittorrent.nix;
};
};
}

43
homeConfigurations.nix
View file

@ -1,43 +0,0 @@
{ inputs, ... }:
let
lib = inputs.nixpkgs.lib;
utils = import ./utils.nix { inherit inputs lib; };
inherit (utils) mkHome;
in
{
flake.homeConfigurations = {
"user@rotterdam" = mkHome {
username = "user";
hostname = "rotterdam";
tags = [
"desktop"
"btop"
"comma"
"direnv"
"gaming"
"helix"
"obs-studio"
"starship"
"stylix"
"tmux"
];
};
"user@io" = mkHome {
username = "user";
hostname = "io";
tags = [
"desktop"
"btop"
"comma"
"direnv"
"helix"
"starship"
"stylix"
"tmux"
];
};
};
}

12
hosts/alexandria.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
networking.hostName = "alexandria";
imports = [
./modules/alexandria
./modules
];
nix.nixPath = [ "nixos-config=${./alexandria.nix}" ];
}

15
hosts/alexandria/jellyfin.nix
View file

@ -1,15 +0,0 @@
{ lib, inputs, ... }:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts;
in
{
services.jellyfin = {
enable = true;
openFirewall = true;
};
services.nginx.virtualHosts = mkNginxVHosts {
domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/";
};
}

83
hosts/alexandria/kanidm.nix
View file

@ -1,83 +0,0 @@
{
config,
lib,
inputs,
pkgs,
...
}:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts;
kanidmCertDir = "/var/lib/kanidm/certs";
in
{
services.kanidm = {
enableServer = true;
enableClient = true;
package = pkgs.kanidm;
serverSettings = {
domain = "auth.baduhai.dev";
origin = "https://auth.baduhai.dev";
bindaddress = "127.0.0.1:8443";
ldapbindaddress = "127.0.0.1:636";
trust_x_forward_for = true;
# Use self-signed certificates for internal TLS
tls_chain = "${kanidmCertDir}/cert.pem";
tls_key = "${kanidmCertDir}/key.pem";
};
clientSettings = {
uri = "https://auth.baduhai.dev";
};
};
services.nginx.virtualHosts = mkNginxVHosts {
domains."auth.baduhai.dev" = {
locations."/" = {
proxyPass = "https://127.0.0.1:8443";
extraConfig = ''
proxy_ssl_verify off;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 636 ];
# Generate self-signed certificates for kanidm's internal TLS
systemd.services.kanidm-generate-certs = {
description = "Generate self-signed TLS certificates for Kanidm";
wantedBy = [ "multi-user.target" ];
before = [ "kanidm.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir -p ${kanidmCertDir}
if [ ! -f ${kanidmCertDir}/key.pem ]; then
${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 \
-keyout ${kanidmCertDir}/key.pem \
-out ${kanidmCertDir}/cert.pem \
-days 3650 -nodes \
-subj "/CN=localhost" \
-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
chown -R kanidm:kanidm ${kanidmCertDir}
chmod 600 ${kanidmCertDir}/key.pem
chmod 644 ${kanidmCertDir}/cert.pem
fi
'';
};
# Ensure certificate generation runs before kanidm starts
systemd.services.kanidm = {
after = [ "kanidm-generate-certs.service" ];
wants = [ "kanidm-generate-certs.service" ];
};
}

97
hosts/alexandria/nextcloud.nix
View file

@ -1,97 +0,0 @@
{
lib,
config,
pkgs,
inputs,
...
}:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts;
in
{
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud32;
datadir = "/data/nextcloud";
hostName = "cloud.baduhai.dev";
configureRedis = true;
https = true;
secretFile = config.age.secrets."nextcloud-secrets.json".path;
database.createLocally = true;
maxUploadSize = "16G";
extraApps = {
inherit (config.services.nextcloud.package.packages.apps)
calendar
contacts
notes
tasks
user_oidc
;
};
extraAppsEnable = true;
caching = {
apcu = true;
redis = true;
};
settings = {
trusted_proxies = [ "127.0.0.1" ];
default_phone_region = "BR";
maintenance_window_start = "4";
allow_local_remote_servers = true;
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\EMF"
"OC\\Preview\\Font"
"OC\\Preview\\GIF"
"OC\\Preview\\HEIC"
"OC\\Preview\\Illustrator"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\Movie"
"OC\\Preview\\MP3"
"OC\\Preview\\MSOffice2003"
"OC\\Preview\\MSOffice2007"
"OC\\Preview\\MSOfficeDoc"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PDF"
"OC\\Preview\\Photoshop"
"OC\\Preview\\PNG"
"OC\\Preview\\Postscript"
"OC\\Preview\\SVG"
"OC\\Preview\\TIFF"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
];
};
config = {
dbtype = "pgsql";
adminpassFile = config.age.secrets.nextcloud-adminpass.path;
};
phpOptions = {
"opcache.interned_strings_buffer" = "16";
};
};
nginx.virtualHosts = mkNginxVHosts {
domains."cloud.baduhai.dev" = { };
};
};
age.secrets = {
"nextcloud-secrets.json" = {
file = ../../secrets/nextcloud-secrets.json.age;
owner = "nextcloud";
group = "nextcloud";
};
nextcloud-adminpass = {
file = ../../secrets/nextcloud-adminpass.age;
owner = "nextcloud";
group = "nextcloud";
};
};
}

59
hosts/alexandria/nginx.nix
View file

@ -1,59 +0,0 @@
{
config,
lib,
inputs,
...
}:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts services;
# Get all unique domains from shared services that have LAN IPs (served by this host)
localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "alexandria") services));
# Generate ACME cert configs for all local domains
acmeCerts = lib.genAttrs localDomains (domain: {
group = "nginx";
});
in
{
security.acme = {
acceptTerms = true;
defaults = {
email = "baduhai@proton.me";
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare.path;
};
certs = acmeCerts;
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"_" = {
default = true;
locations."/".return = "444";
};
};
};
users.users.nginx.extraGroups = [ "acme" ];
networking.firewall.allowedTCPPorts = [
80
443
];
age.secrets.cloudflare = {
file = ../../secrets/cloudflare.age;
owner = "nginx";
group = "nginx";
};
}

58
hosts/alexandria/unbound.nix
View file

@ -1,58 +0,0 @@
{ inputs, lib, ... }:
let
utils = import ../../utils.nix { inherit inputs lib; };
in
{
services.unbound = {
enable = true;
enableRootTrustAnchor = true;
settings = {
server = {
interface = [
"0.0.0.0"
"::"
];
access-control = [
"127.0.0.0/8 allow"
"192.168.0.0/16 allow"
"::1/128 allow"
];
num-threads = 2;
msg-cache-size = "50m";
rrset-cache-size = "100m";
cache-min-ttl = 300;
cache-max-ttl = 86400;
prefetch = true;
prefetch-key = true;
hide-identity = true;
hide-version = true;
so-rcvbuf = "1m";
so-sndbuf = "1m";
# LAN-only DNS records
local-zone = ''"baduhai.dev." transparent'';
local-data = map (e: ''"${e.domain}. IN A ${e.lanIP}"'')
(lib.filter (e: e ? lanIP) utils.services);
};
forward-zone = [
{
name = ".";
forward-addr = [
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
];
forward-tls-upstream = true;
}
];
};
};
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
}

26
hosts/alexandria/vaultwarden.nix
View file

@ -1,26 +0,0 @@
{
config,
lib,
inputs,
...
}:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts;
in
{
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://pass.baduhai.dev";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 58222;
};
};
services.nginx.virtualHosts = mkNginxVHosts {
domains."pass.baduhai.dev".locations."/".proxyPass =
"http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
};
}

12
hosts/io.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
networking.hostName = "io";
imports = [
./modules/io
./modules
];
nix.nixPath = [ "nixos-config=${./io.nix}" ];
}

79
hosts/io/disko.nix
View file

@ -1,79 +0,0 @@
{ inputs, ... }:
{
imports = [ inputs.disko.nixosModules.default ];
disko.devices.disk.main = {
type = "disk";
device = "/dev/disk/by-id/mmc-hDEaP3_0x1041b689";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1MiB";
end = "1GiB";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot/efi";
mountOptions = [
"noatime"
"fmask=0077"
"dmask=0077"
];
};
};
cryptroot = {
priority = 2;
name = "root";
size = "100%";
content = {
type = "luks";
name = "cryptroot";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"@root" = {
mountpoint = "/";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@root"
];
};
"@home" = {
mountpoint = "/home";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@home"
];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@nix"
];
};
"@persistent" = {
mountpoint = "/persistent";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@persistent"
];
};
};
};
};
};
};
};
};
}

10
hosts/modules/ai.nix
View file

@ -1,10 +0,0 @@
{ inputs, pkgs, ... }:
{
environment.systemPackages = with inputs.nix-ai-tools.packages.${pkgs.system}; [
claude-desktop
claude-code
claudebox
opencode
];
}

9
hosts/modules/alexandria/default.nix Normal file
View file

@ -0,0 +1,9 @@
{ ... }:
{
imports = [
./hardware-configuration.nix
./services.nix
./users.nix
];
}

0
hosts/alexandria/hardware-configuration.nix → hosts/modules/alexandria/hardware-configuration.nix
View file

16
hosts/modules/alexandria/networking.nix Normal file
View file

@ -0,0 +1,16 @@
{
networking = {
firewall = {
allowedTCPPorts = [
80
443
];
allowedUDPPorts = [ ];
};
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
}

225
hosts/modules/alexandria/services.nix Normal file
View file

@ -0,0 +1,225 @@
{
config,
lib,
pkgs,
...
}:
let
ports = {
jellyfin = "8096";
librespeed = "8000";
radicale = "8001";
vaultwarden = "8002";
};
rclone-webdav-start = pkgs.writeShellScript "rclone-webdav-start.sh" ''
#!/bin/bash
# Configuration
CREDS_FILE="/run/agenix/webdav"
SERVE_DIR="/data/webdav"
SOCKET_PATH="/run/rclone-webdav/webdav.sock"
# Check if credentials file exists
if [ ! -f "$CREDS_FILE" ]; then
echo "Error: Credentials file $CREDS_FILE not found"
exit 1
fi
# Read credentials from file (format: username:password)
CREDENTIALS=$(cat "$CREDS_FILE")
USERNAME=$(echo "$CREDENTIALS" | cut -d':' -f1)
PASSWORD=$(echo "$CREDENTIALS" | cut -d':' -f2)
# Validate credentials
if [ -z "$USERNAME" ] || [ -z "$PASSWORD" ]; then
echo "Error: Invalid credentials format. Expected username:password"
exit 1
fi
# Ensure serve directory exists
mkdir -p "$SERVE_DIR"
# Remove existing socket if it exists
rm -f "$SOCKET_PATH"
# Start rclone serve webdav
exec ${pkgs.rclone}/bin/rclone serve webdav "$SERVE_DIR" \
--addr unix://"$SOCKET_PATH" \
--user "$USERNAME" \
--pass "$PASSWORD" \
--config="" \
--baseurl "/webdav" \
--verbose
'';
in
{
services = {
forgejo = {
enable = true;
repositoryRoot = "/data/forgejo";
settings = {
session.COOKIE_SECURE = true;
server = {
PROTOCOL = "http+unix";
DOMAIN = "git.baduhai.dev";
ROOT_URL = "https://git.baduhai.dev";
OFFLINE_MODE = true; # disable use of CDNs
SSH_DOMAIN = "baduhai.dev";
};
log.LEVEL = "Warn";
mailer.ENABLED = false;
actions.ENABLED = false;
};
};
jellyfin = {
enable = true;
openFirewall = true;
};
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts =
let
commonVHostConfig = {
useACMEHost = "baduhai.dev";
forceSSL = true;
kTLS = true;
};
in
lib.mapAttrs (_: lib.recursiveUpdate commonVHostConfig) {
"_".locations."/".return = "444";
"dav.baduhai.dev".locations = {
"/caldav" = {
proxyPass = "http://127.0.0.1:${ports.radicale}/";
extraConfig = ''
proxy_set_header X-Script-Name /caldav;
proxy_pass_header Authorization;
'';
};
"/webdav" = {
proxyPass = "http://unix:/run/rclone-webdav/webdav.sock:/webdav/";
extraConfig = ''
proxy_set_header X-Script-Name /webdav;
proxy_pass_header Authorization;
proxy_connect_timeout 300; # Increase timeouts for large file uploads
proxy_send_timeout 300;
proxy_read_timeout 300;
client_max_body_size 10G; # Allow large file uploads
proxy_buffering off; # Buffer settings for better performance
proxy_request_buffering off;
'';
};
};
"git.baduhai.dev".locations."/".proxyPass =
"http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
"jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:${ports.jellyfin}/";
"pass.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:${ports.vaultwarden}/";
"speedtest.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:${ports.librespeed}/";
};
};
radicale = {
enable = true;
settings = {
server = {
hosts = [
"127.0.0.1:${ports.radicale}"
"[::]:${ports.radicale}"
];
};
auth = {
type = "htpasswd";
htpasswd_filename = "/etc/radicale/users";
htpasswd_encryption = "bcrypt";
};
};
};
vaultwarden = {
enable = true;
config = {
DOMAIN = "https://pass.baduhai.dev";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = "${ports.vaultwarden}";
};
};
};
virtualisation.oci-containers.containers."librespeed" = {
image = "lscr.io/linuxserver/librespeed:latest";
environment = {
TZ = "America/Bahia";
};
ports = [ "${ports.librespeed}:80" ];
extraOptions = [
"--pull=newer"
"--label=io.containers.autoupdate=registry"
];
};
security.acme = {
acceptTerms = true;
defaults = {
email = "baduhai@proton.me";
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare.path;
};
certs."baduhai.dev" = {
extraDomainNames = [ "*.baduhai.dev" ];
};
};
age.secrets = {
cloudflare = {
file = ../../../secrets/cloudflare.age;
owner = "nginx";
group = "nginx";
};
webdav = {
file = ../../../secrets/webdav.age;
owner = "user";
group = "users";
};
};
systemd.services = {
rclone-webdav = {
description = "RClone WebDAV Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "exec";
User = "user";
Group = "nginx";
ExecStart = "${rclone-webdav-start}";
Restart = "always";
RestartSec = "10";
NoNewPrivileges = true;
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = true;
ReadWritePaths = [
"/data/webdav"
"/run"
];
RuntimeDirectory = "rclone-webdav";
RuntimeDirectoryMode = "0750";
UMask = "0002";
};
preStart = ''
mkdir -p /data/webdav
chown user:users /data/webdav
chmod 755 /data/webdav
'';
};
};
}

3
hosts/modules/alexandria/users.nix Normal file
View file

@ -0,0 +1,3 @@
{
users.users.nginx.extraGroups = [ "acme" ];
}

5
hosts/modules/bluetooth.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
hardware.bluetooth.enable = true;
}

61
hosts/modules/boot.nix Normal file
View file

@ -0,0 +1,61 @@
{
hostType,
lib,
pkgs,
...
}:
{
config = lib.mkMerge [
# Common configuration
{
boot = {
loader = {
timeout = 1;
efi.canTouchEfiVariables = true;
systemd-boot = {
enable = true;
editor = false;
consoleMode = "max";
sortKey = "aa";
netbootxyz = {
enable = true;
sortKey = "zz";
};
};
};
};
}
# Server specific configuration
(lib.mkIf hostType.isServer {
boot.kernelPackages = pkgs.linuxPackages_hardened;
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
boot = {
plymouth.enable = true;
initrd.systemd.enable = true;
loader.efi.efiSysMountPoint = "/boot/efi";
kernelPackages = pkgs.linuxPackages_xanmod;
extraModprobeConfig = ''
options bluetooth disable_ertm=1
'';
kernel.sysctl = {
"net.ipv4.tcp_mtu_probing" = 1;
};
kernelParams = [
"quiet"
"splash"
"i2c-dev"
"i2c-piix4"
"loglevel=3"
"udev.log_priority=3"
"rd.udev.log_level=3"
"rd.systemd.show_status=false"
];
};
})
];
}

20
hosts/modules/common/boot.nix
View file

@ -1,20 +0,0 @@
{ pkgs, ... }:
{
boot = {
loader = {
timeout = 1;
efi.canTouchEfiVariables = true;
systemd-boot = {
enable = true;
editor = false;
consoleMode = "max";
sortKey = "aa";
netbootxyz = {
enable = true;
sortKey = "zz";
};
};
};
};
}

8
hosts/modules/common/console.nix
View file

@ -1,8 +0,0 @@
{ ... }:
{
console = {
useXkbConfig = true;
earlySetup = true;
};
}

8
hosts/modules/common/firewall.nix
View file

@ -1,8 +0,0 @@
{ ... }:
{
networking = {
firewall.enable = true;
nftables.enable = true;
};
}

21
hosts/modules/common/locale.nix
View file

@ -1,21 +0,0 @@
{ ... }:
{
time.timeZone = "America/Bahia";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "pt_BR.utf8";
LC_COLLATE = "pt_BR.utf8";
LC_IDENTIFICATION = "pt_BR.utf8";
LC_MEASUREMENT = "pt_BR.utf8";
LC_MONETARY = "pt_BR.utf8";
LC_NAME = "pt_BR.utf8";
LC_NUMERIC = "pt_BR.utf8";
LC_PAPER = "pt_BR.utf8";
LC_TELEPHONE = "pt_BR.utf8";
LC_TIME = "en_IE.utf8";
};
};
}

38
hosts/modules/common/nix.nix
View file

@ -1,38 +0,0 @@
{ inputs, ... }:
{
imports = [ inputs.nixos-cli.nixosModules.nixos-cli ];
nix = {
settings = {
auto-optimise-store = true;
connect-timeout = 10;
log-lines = 25;
min-free = 128000000;
max-free = 1000000000;
trusted-users = [ "@wheel" ];
};
extraOptions = "experimental-features = nix-command flakes";
gc = {
automatic = true;
options = "--delete-older-than 8d";
};
};
nixpkgs.config = {
allowUnfree = true;
enableParallelBuilding = true;
buildManPages = false;
buildDocs = false;
};
services.nixos-cli = {
enable = true;
config = {
use_nvd = true;
ignore_dirty_tree = true;
};
};
system.stateVersion = "22.11";
}

11
hosts/modules/common/openssh.nix
View file

@ -1,11 +0,0 @@
{ ... }:
{
services.openssh = {
enable = true;
settings.PermitRootLogin = "no";
extraConfig = ''
PrintLastLog no
'';
};
}

40
hosts/modules/common/programs.nix
View file

@ -1,40 +0,0 @@
{ lib, pkgs, ... }:
{
environment = {
systemPackages = with pkgs; [
### Dev Tools ###
git
### System Utilities ###
btop
fastfetch
helix
nixos-firewall-tool
nvd
sysz
tmux
wget
yazi
];
shellAliases = {
cat = "${lib.getExe pkgs.bat} --paging=never --style=plain";
ls = "${lib.getExe pkgs.eza} --icons --group-directories-first";
tree = "ls --tree";
};
};
programs = {
command-not-found.enable = false;
fish = {
enable = true;
interactiveShellInit = ''
set fish_greeting
if set -q SSH_CONNECTION
export TERM=xterm-256color
clear
fastfetch
end
'';
};
};
}

13
hosts/modules/common/security.nix
View file

@ -1,13 +0,0 @@
{ ... }:
{
security = {
unprivilegedUsernsClone = true; # Needed for rootless podman
sudo = {
wheelNeedsPassword = false;
extraConfig = ''
Defaults lecture = never
'';
};
};
}

9
hosts/modules/common/services.nix
View file

@ -1,9 +0,0 @@
{ ... }:
{
services = {
dbus.implementation = "broker";
irqbalance.enable = true;
fstrim.enable = true;
};
}

8
hosts/modules/common/tailscale.nix
View file

@ -1,8 +0,0 @@
{ ... }:
{
services.tailscale = {
enable = true;
extraUpFlags = [ "--operator=user" ];
};
}

24
hosts/modules/common/users.nix
View file

@ -1,24 +0,0 @@
{ pkgs, ... }:
{
users.users = {
user = {
isNormalUser = true;
shell = pkgs.fish;
extraGroups = [
"networkmanager"
"wheel"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
];
hashedPassword = "$6$Pj7v/CpstyuWQQV0$cNujVDhfMBdwlGVEnnd8t71.kZPixbo0u25cd.874iaqLTH4V5fa1f98V5zGapjQCz5JyZmsR94xi00sUrntT0";
};
root = {
shell = pkgs.fish;
hashedPassword = "!";
};
};
}

21
hosts/modules/console.nix Normal file
View file

@ -0,0 +1,21 @@
{ hostType, lib, ... }:
{
config = lib.mkMerge [
# Common configuration
{
console = {
useXkbConfig = true;
earlySetup = true;
};
}
# Server specific configuration
(lib.mkIf hostType.isServer {
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
})
];
}

20
hosts/modules/default.nix Normal file
View file

@ -0,0 +1,20 @@
{ ... }:
{
imports = [
./boot.nix
./console.nix
./desktop.nix
./ephermal.nix
./impermanence.nix
./locale.nix
./networking.nix
./nix.nix
./programs.nix
./security.nix
./services.nix
./stylix.nix
./users.nix
./virtualisation.nix
];
}

66
hosts/modules/desktop.nix Normal file
View file

@ -0,0 +1,66 @@
{
hostType,
lib,
pkgs,
...
}:
{
config = lib.mkMerge [
# Common configuration
{
}
# Server specific configuration
(lib.mkIf hostType.isServer {
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
services = {
displayManager = {
autoLogin = {
enable = true;
user = "user";
};
sddm = {
enable = true;
wayland = {
enable = true;
compositor = "kwin";
};
};
};
desktopManager.plasma6.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
};
hardware = {
xpadneo.enable = true;
bluetooth.enable = true;
steam-hardware.enable = true; # Allow steam client to manage controllers
graphics.enable32Bit = true; # For OpenGL games
i2c.enable = true;
};
security.rtkit.enable = true; # Needed for pipewire to acquire realtime priority
xdg.portal = {
enable = true;
xdgOpenUsePortal = true;
extraPortals = with pkgs; [
kdePackages.xdg-desktop-portal-kde
xdg-desktop-portal-gtk
xdg-desktop-portal-gnome
];
};
})
];
}

26
hosts/modules/desktop/boot.nix
View file

@ -1,26 +0,0 @@
{ pkgs, ... }:
{
boot = {
plymouth.enable = true;
initrd.systemd.enable = true;
loader.efi.efiSysMountPoint = "/boot/efi";
kernelPackages = pkgs.linuxPackages_xanmod_latest;
extraModprobeConfig = ''
options bluetooth disable_ertm=1
'';
kernel.sysctl = {
"net.ipv4.tcp_mtu_probing" = 1;
};
kernelParams = [
"quiet"
"splash"
"i2c-dev"
"i2c-piix4"
"loglevel=3"
"udev.log_priority=3"
"rd.udev.log_level=3"
"rd.systemd.show_status=false"
];
};
}

163
hosts/modules/desktop/desktop.nix
View file

@ -1,163 +0,0 @@
{
config,
inputs,
lib,
pkgs,
...
}:
{
imports = [
inputs.niri-flake.nixosModules.niri
inputs.nix-flatpak.nixosModules.nix-flatpak
];
environment = {
sessionVariables = {
KDEHOME = "$XDG_CONFIG_HOME/kde4"; # Stops kde from placing a .kde4 folder in the home dir
NIXOS_OZONE_WL = "1"; # Forces chromium and most electron apps to run in wayland
};
systemPackages = with pkgs; [
### Web ###
bitwarden-desktop
fragments
nextcloud-client
tor-browser
vesktop
inputs.zen-browser.packages."${system}".default
### Office & Productivity ###
aspell
aspellDicts.de
aspellDicts.en
aspellDicts.en-computers
aspellDicts.pt_BR
libreoffice
onlyoffice-desktopeditors
papers
presenterm
rnote
### Graphics & Design ###
gimp
inkscape
plasticity
### System Utilities ###
adwaita-icon-theme
ghostty
gnome-disk-utility
junction
libfido2
mission-center
nautilus
p7zip
rclone
toggleaudiosink
unrar
### Media ###
decibels
loupe
obs-studio
showtime
];
};
services = {
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
greetd = {
enable = true;
settings = {
default_session = {
command = "${lib.getExe pkgs.tuigreet} --user-menu --time --remember --asterisks --cmd ${config.programs.niri.package}/bin/niri-session";
user = "greeter";
};
}
// lib.optionalAttrs (config.networking.hostName == "io") {
initial_session = {
command = "${config.programs.niri.package}/bin/niri-session";
user = "user";
};
};
};
flatpak = {
enable = true;
packages = [
### Graphics & Design ###
"com.boxy_svg.BoxySVG"
rec {
appId = "io.github.softfever.OrcaSlicer";
sha256 = "0hdx5sg6fknj1pfnfxvlfwb5h6y1vjr6fyajbsnjph5gkp97c6p1";
bundle = "${pkgs.fetchurl {
url = "https://github.com/SoftFever/OrcaSlicer/releases/download/v2.3.0/OrcaSlicer-Linux-flatpak_V2.3.0_x86_64.flatpak";
inherit sha256;
}}";
}
### System Utilities ###
"com.github.tchx84.Flatseal"
"com.rustdesk.RustDesk"
];
uninstallUnmanaged = true;
update.auto.enable = true;
};
gvfs.enable = true;
};
security.rtkit.enable = true; # Needed for pipewire to acquire realtime priority
users = {
users.greeter = {
isSystemUser = true;
group = "greeter";
};
groups.greeter = { };
};
programs = {
niri = {
enable = true;
package = inputs.niri.packages.${pkgs.system}.niri;
};
kdeconnect = {
enable = true;
package = pkgs.valent;
};
dconf.enable = true;
appimage = {
enable = true;
binfmt = true;
};
};
niri-flake.cache.enable = false;
fonts = {
fontDir.enable = true;
packages = with pkgs; [
corefonts
inter
nerd-fonts.fira-code
noto-fonts-cjk-sans
noto-fonts-color-emoji
roboto
];
};
xdg.portal = {
extraPortals = with pkgs; [
xdg-desktop-portal-gnome
xdg-desktop-portal-gtk
];
config = {
common.default = "*";
niri.default = [
"gtk"
"gnome"
];
};
};
}

13
hosts/modules/desktop/nix.nix
View file

@ -1,13 +0,0 @@
{ inputs, ... }:
{
environment.etc."channels/nixpkgs".source = inputs.nixpkgs.outPath;
nix = {
registry.nixpkgs.flake = inputs.nixpkgs;
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"/nix/var/nix/profiles/per-user/root/channels"
];
};
}

15
hosts/modules/desktop/services.nix
View file

@ -1,15 +0,0 @@
{ pkgs, ... }:
{
services = {
printing.enable = true;
udev.packages = with pkgs; [ yubikey-personalization ];
keyd = {
enable = true;
keyboards.all = {
ids = [ "*" ];
settings.main.capslock = "overload(meta, esc)";
};
};
};
}

19
hosts/modules/dev.nix
View file

@ -1,19 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
bat
lazygit
fd
fzf
glow
nixfmt-rfc-style
nix-init
nix-output-monitor
ripgrep
];
programs.adb.enable = true;
users.users.user.extraGroups = [ "adbusers" ];
}

4
hosts/modules/environment.nix Normal file
View file

@ -0,0 +1,4 @@
{ pkgs, ... }:
{
}

41
hosts/modules/ephemeral.nix
View file

@ -1,41 +0,0 @@
{ config, inputs, ... }:
{
imports = [
inputs.impermanence.nixosModules.impermanence
inputs.self.nixosModules.ephemeral
];
ephemeral = {
enable = true;
rootDevice =
if config.networking.hostName == "trantor" then
"/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20-part2"
else
"/dev/mapper/cryptroot";
rootSubvolume = "@root";
};
environment.persistence.main = {
persistentStoragePath = "/persistent";
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
directories = [
"/etc/NetworkManager/system-connections"
"/etc/nixos"
"/var/lib/bluetooth"
"/var/lib/flatpak"
"/var/lib/lxd"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/var/lib/systemd/timers"
"/var/lib/tailscale"
"/var/log"
];
};
}

64
hosts/modules/ephermal.nix Normal file
View file

@ -0,0 +1,64 @@
{
hostType,
lib,
...
}:
{
config = lib.mkMerge [
# Common configuration
{
}
# Server specific configuration
(lib.mkIf hostType.isServer {
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
boot.initrd.systemd.services.recreate-root = {
description = "Rolling over and creating new filesystem root";
requires = [ "initrd-root-device.target" ];
after = [
"local-fs-pre.target"
"initrd-root-device.target"
];
requiredBy = [ "initrd-root-fs.target" ];
before = [ "sysroot.mount" ];
unitConfig = {
AssertPathExists = "/etc/initrd-release";
DefaultDependencies = false;
};
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir /btrfs_tmp
mount /dev/mapper/cryptroot /btrfs_tmp
if [[ -e /btrfs_tmp/@root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/@root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/@root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
delete_subvolume_recursively "$i"
done
btrfs subvolume create /btrfs_tmp/@root
umount /btrfs_tmp
'';
};
})
];
}

5
hosts/modules/fwupd.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
services.fwupd.enable = true;
}

35
hosts/modules/gaming.nix
View file

@ -1,35 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
clonehero
heroic
mangohud
prismlauncher
steam-run
];
programs = {
steam = {
enable = true;
extraCompatPackages = [ pkgs.proton-ge-bin ];
};
gamemode.enable = true;
};
hardware = {
xpadneo.enable = true;
steam-hardware.enable = true; # Allow steam client to manage controllers
graphics.enable32Bit = true; # For OpenGL games
};
services.flatpak.packages = [
"com.github.k4zmu2a.spacecadetpinball"
"com.steamgriddb.SGDBoop"
"io.github.Foldex.AdwSteamGtk"
"io.itch.itch"
"io.mrarm.mcpelauncher"
"net.retrodeck.retrodeck"
"org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/24.08"
];
}

42
hosts/modules/impermanence.nix Normal file
View file

@ -0,0 +1,42 @@
{
hostType,
lib,
...
}:
{
config = lib.mkMerge [
# Common configuration
{
}
# Server specific configuration
(lib.mkIf hostType.isServer {
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
environment.persistence.main = {
persistentStoragePath = "/persistent";
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
directories = [
"/etc/NetworkManager/system-connections"
"/etc/nixos"
"/var/lib/bluetooth"
"/var/lib/flatpak"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/var/lib/systemd/timers"
"/var/lib/tailscale"
"/var/log"
];
};
})
];
}

0
hosts/io/boot.nix → hosts/modules/io/boot.nix
View file

11
hosts/modules/io/default.nix Normal file
View file

@ -0,0 +1,11 @@
{ ... }:
{
imports = [
./boot.nix
./disko.nix
./hardware-configuration.nix
./programs.nix
./services.nix
];
}

81
hosts/modules/io/disko.nix Normal file
View file

@ -0,0 +1,81 @@
{ ... }:
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/disk/by-id/mmc-hDEaP3_0x1041b689";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1MiB";
end = "1GiB";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot/efi";
mountOptions = [
"noatime"
"fmask=0077"
"dmask=0077"
];
};
};
cryptroot = {
priority = 2;
name = "root";
size = "100%";
content = {
type = "luks";
name = "cryptroot";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"@root" = {
mountpoint = "/";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@root"
];
};
"@home" = {
mountpoint = "/home";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@home"
];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@nix"
];
};
"@persistent" = {
mountpoint = "/persistent";
mountOptions = [
"noatime"
"compress=zstd"
"subvol=@persistent"
];
};
};
};
};
};
};
};
};
};
};
}

1
hosts/io/hardware-configuration.nix → hosts/modules/io/hardware-configuration.nix
View file

@ -2,7 +2,6 @@
config,
lib,
modulesPath,
inputs,
...
}:

10
hosts/io/programs.nix → hosts/modules/io/programs.nix
View file

@ -19,9 +19,19 @@ in
{
environment = {
systemPackages = with pkgs; [
arduino-ide
esptool
# fritzing
maliit-keyboard
sof-firmware
];
sessionVariables.ALSA_CONFIG_UCM2 = "${cml-ucm-conf}/share/alsa/ucm2";
};
# TODO: remove once gmodena/nix-flatpak/issues/45 fixed
systemd.services."flatpak-managed-install" = {
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
};
};
}

11
hosts/io/services.nix → hosts/modules/io/services.nix
View file

@ -1,5 +1,3 @@
{ pkgs, ... }:
{
services = {
keyd = {
@ -48,14 +46,5 @@
};
};
};
upower.enable = true;
power-profiles-daemon.enable = true;
};
# TODO: remove once gmodena/nix-flatpak/issues/45 fixed
systemd.services."flatpak-managed-install" = {
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
};
};
}

12
hosts/modules/libvirtd.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
virtualisation.libvirtd.enable = true;
programs.virt-manager.enable = true;
users.users.user.extraGroups = [
"libvirt"
"libvirtd"
];
}

33
hosts/modules/locale.nix Normal file
View file

@ -0,0 +1,33 @@
{ hostType, lib, ... }:
{
config = lib.mkMerge [
# Common configuration
{
time.timeZone = "America/Bahia";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "pt_BR.utf8";
LC_IDENTIFICATION = "pt_BR.utf8";
LC_MEASUREMENT = "pt_BR.utf8";
LC_MONETARY = "pt_BR.utf8";
LC_NAME = "pt_BR.utf8";
LC_NUMERIC = "pt_BR.utf8";
LC_PAPER = "pt_BR.utf8";
LC_TELEPHONE = "pt_BR.utf8";
LC_TIME = "en_IE.utf8";
};
};
}
# Server specific configuration
(lib.mkIf hostType.isServer {
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
})
];
}

29
hosts/modules/networking.nix Normal file
View file

@ -0,0 +1,29 @@
{
hostType,
lib,
...
}:
{
config = lib.mkMerge [
# Common configuration
{
networking = {
networkmanager.enable = true;
firewall.enable = true;
};
}
# Server specific configuration
(lib.mkIf hostType.isServer {
services.tailscale = {
extraSetFlags = [ "--advertise-exit-node" ];
useRoutingFeatures = "server";
};
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
})
];
}

10
hosts/modules/networkmanager.nix
View file

@ -1,10 +0,0 @@
{ ... }:
{
networking.networkmanager = {
enable = true;
wifi.backend = "iwd";
};
users.users.user.extraGroups = [ "networkmanager" ];
}

64
hosts/modules/nix.nix Normal file
View file

@ -0,0 +1,64 @@
{
inputs,
lib,
hostType,
...
}:
{
config = lib.mkMerge [
# Common configuration
{
nix = {
settings = {
auto-optimise-store = true;
connect-timeout = 10;
log-lines = 25;
min-free = 128000000;
max-free = 1000000000;
trusted-users = [ "@wheel" ];
};
extraOptions = "experimental-features = nix-command flakes";
gc = {
automatic = true;
options = "--delete-older-than 8d";
};
};
nixpkgs.config = {
allowUnfree = true;
enableParallelBuilding = true;
buildManPages = false;
buildDocs = false;
};
system.stateVersion = "22.11";
}
# Server specific configuration
(lib.mkIf hostType.isServer {
environment.etc."channels/nixpkgs".source = inputs.nixpkgs-stable.outPath;
nix = {
registry.nixpkgs.flake = inputs.nixpkgs-stable;
nixPath = [
"nixpkgs=/etc/channels/nixpkgs"
"/nix/var/nix/profiles/per-user/root/channels"
];
};
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
environment.etc."channels/nixpkgs".source = inputs.nixpkgs.outPath;
nix = {
registry.nixpkgs.flake = inputs.nixpkgs;
nixPath = [
"nixpkgs=${inputs.nixpkgs}"
"/nix/var/nix/profiles/per-user/root/channels"
];
};
})
];
}

14
hosts/modules/podman.nix
View file

@ -1,14 +0,0 @@
{ pkgs, ... }:
{
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
extraPackages = [ pkgs.podman-compose ];
};
systemd = {
services.podman-auto-update.enable = true;
timers.podman-auto-update.enable = true;
};
}

206
hosts/modules/programs.nix Normal file
View file

@ -0,0 +1,206 @@
{
hostType,
lib,
pkgs,
...
}:
{
config = lib.mkMerge [
# Common configuration
{
environment = {
systemPackages = with pkgs; [
### Dev Tools ###
agenix
git
evil-helix
### System Utilities ###
btop
nixos-firewall-tool
nvd
sysz
tmux
wget
];
shellAliases = {
ls = "${pkgs.eza}/bin/eza --icons --group-directories-first";
neofetch = "${pkgs.fastfetch}/bin/fastfetch";
tree = "ls --tree";
syscleanup = "sudo nix-collect-garbage -d; sudo /run/current-system/bin/switch-to-configuration boot";
};
};
programs = {
fish.enable = true;
command-not-found.enable = false;
};
}
# Server specific configuration
(lib.mkIf hostType.isServer {
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation (
let
kdepkgs = with pkgs.kdePackages; [
ark
dolphin-plugins
kolourpaint
];
kwrite = pkgs.symlinkJoin {
name = "kwrite";
paths = [ pkgs.kdePackages.kate ];
postBuild = ''
rm -rf $out/bin/kate \
$out/bin/.kate-wrapped \
$out/share/applications/org.kde.kate.desktop \
$out/share/man \
$out/share/icons/hicolor/*/apps/kate.png \
$out/share/icons/hicolor/scalable/apps/kate.svg \
$out/share/appdata/org.kde.kate.appdata.xml
'';
};
in
{
environment = {
systemPackages =
with pkgs;
[
### Dev Tools ###
bat
ciscoPacketTracer8
claude-code
fd
fzf
nixfmt-rfc-style
nix-init
nix-output-monitor
ripgrep
### Internet Browsers & Communication ###
beeper
brave
tor-browser
vesktop
### Office & Productivity ###
aspell
aspellDicts.de
aspellDicts.en
aspellDicts.en-computers
aspellDicts.pt_BR
kwrite
libreoffice-qt
obsidian
onlyoffice-desktopeditors
rnote
### Graphics & Design ###
gimp
inkscape
plasticity
### Gaming & Entertainment ###
clonehero
heroic
mangohud
prismlauncher
protonup
### System Utilities ###
adwaita-icon-theme
junction
kara
kde-rounded-corners
libfido2
mission-center
p7zip
qbittorrent
quickemu
quickgui
rclone
steam-run
toggleaudiosink
unrar
### Media ###
mpv
obs-studio
qview
]
++ kdepkgs;
plasma6.excludePackages = with pkgs.kdePackages; [
discover
elisa
gwenview
kate
khelpcenter
konsole
oxygen
];
};
programs = {
adb.enable = true;
steam = {
enable = true;
extraCompatPackages = [ pkgs.proton-ge-bin ];
};
dconf.enable = true;
nix-ld.enable = true;
kdeconnect.enable = true;
partition-manager.enable = true;
gamemode.enable = true;
appimage = {
enable = true;
binfmt = true;
};
nh = {
enable = true;
flake = "/home/user/Projects/personal/nix-config";
};
};
fonts = {
fontDir.enable = true;
packages = with pkgs; [
corefonts
inter
nerd-fonts.hack
noto-fonts-cjk-sans
roboto
];
};
services.flatpak = {
enable = true;
packages = [
### Dev Tools ###
### Internet Browsers & Communication ###
"app.zen_browser.zen"
### Office & Productivity ###
### Graphics & Design ###
"com.boxy_svg.BoxySVG"
rec {
appId = "io.github.softfever.OrcaSlicer";
sha256 = "0hdx5sg6fknj1pfnfxvlfwb5h6y1vjr6fyajbsnjph5gkp97c6p1";
bundle = "${pkgs.fetchurl {
url = "https://github.com/SoftFever/OrcaSlicer/releases/download/v2.3.0/OrcaSlicer-Linux-flatpak_V2.3.0_x86_64.flatpak";
inherit sha256;
}}";
}
### Gaming & Entertainment ###
"com.github.k4zmu2a.spacecadetpinball"
"io.itch.itch"
"io.mrarm.mcpelauncher"
"org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/24.08"
### System Utilities ###
"com.github.tchx84.Flatseal"
"com.rustdesk.RustDesk"
"com.steamgriddb.SGDBoop"
"io.github.Foldex.AdwSteamGtk"
### Media ###
];
uninstallUnmanaged = true;
update.auto.enable = true;
};
}
))
];
}

0
hosts/rotterdam/boot.nix → hosts/modules/rotterdam/boot.nix
View file

11
hosts/modules/rotterdam/default.nix Normal file
View file

@ -0,0 +1,11 @@
{ ... }:
{
imports = [
./boot.nix
./hardware-configuration.nix
./hardware.nix
./programs.nix
./services.nix
];
}

0
hosts/rotterdam/hardware-configuration.nix → hosts/modules/rotterdam/hardware-configuration.nix
View file

5
hosts/rotterdam/hardware.nix → hosts/modules/rotterdam/hardware.nix
View file

@ -2,7 +2,10 @@
{
hardware = {
amdgpu.opencl.enable = true;
amdgpu = {
opencl.enable = true;
amdvlk.enable = true;
};
graphics.extraPackages = with pkgs; [ rocmPackages.clr.icd ];
};
}

2
hosts/rotterdam/programs.nix → hosts/modules/rotterdam/programs.nix
View file

@ -27,5 +27,7 @@ in
{
environment.systemPackages = [ reboot-into-qubes ];
services.flatpak.packages = [ "net.retrodeck.retrodeck" ];
programs.steam.dedicatedServer.openFirewall = true;
}

0
hosts/rotterdam/services.nix → hosts/modules/rotterdam/services.nix
View file

26
hosts/modules/security.nix Normal file
View file

@ -0,0 +1,26 @@
{ hostType, lib, ... }:
{
config = lib.mkMerge [
# Common configuration
{
security = {
unprivilegedUsernsClone = true; # Needed for rootless podman
sudo = {
wheelNeedsPassword = false;
extraConfig = ''
Defaults lecture = never
'';
};
};
}
# Server specific configuration
(lib.mkIf hostType.isServer {
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
})
];
}

5
hosts/modules/server/boot.nix
View file

@ -1,5 +0,0 @@
{ pkgs, ... }:
{
boot.kernelPackages = pkgs.linuxPackages_hardened;
}

13
hosts/modules/server/nix.nix
View file

@ -1,13 +0,0 @@
{ inputs, ... }:
{
environment.etc."channels/nixpkgs".source = inputs.nixpkgs-stable.outPath;
nix = {
registry.nixpkgs.flake = inputs.nixpkgs-stable;
nixPath = [
"nixpkgs=/etc/channels/nixpkgs"
"/nix/var/nix/profiles/per-user/root/channels"
];
};
}

13
hosts/modules/server/tailscale.nix
View file

@ -1,13 +0,0 @@
{ ... }:
{
services.tailscale = {
extraSetFlags = [ "--advertise-exit-node" ];
useRoutingFeatures = "server";
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
}

52
hosts/modules/services.nix Normal file
View file

@ -0,0 +1,52 @@
{
hostType,
lib,
pkgs,
...
}:
{
config = lib.mkMerge [
# Common configuration
{
services = {
tailscale = {
enable = true;
extraUpFlags = [ "--operator=user" ];
};
openssh = {
enable = true;
settings.PermitRootLogin = "no";
};
nixos-cli = {
enable = true;
config = {
use_nvd = true;
ignore_dirty_tree = true;
};
};
fwupd.enable = true;
fstrim.enable = true;
};
}
# Server specific configuration
(lib.mkIf hostType.isServer {
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
services = {
printing.enable = true;
udev.packages = with pkgs; [ yubikey-personalization ];
keyd = {
enable = true;
keyboards.all = {
ids = [ "*" ];
settings.main.capslock = "overload(meta, esc)";
};
};
};
})
];
}

63
hosts/modules/stylix.nix Normal file
View file

@ -0,0 +1,63 @@
{
config,
hostType,
lib,
pkgs,
...
}:
{
config = lib.mkMerge [
# Common configuration
{
}
# Server specific configuration
(lib.mkIf hostType.isServer {
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
stylix = {
enable = true;
polarity = "dark";
base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-mocha.yaml";
cursor = {
package = pkgs.kdePackages.breeze-icons;
name = "Breeze_Light";
size = 24;
};
opacity = {
applications = 1.0;
desktop = 0.8;
popups = config.stylix.opacity.desktop;
terminal = 1.0;
};
fonts = {
serif = {
package = pkgs.source-serif;
name = "Source Serif 4 Display";
};
sansSerif = {
package = pkgs.inter;
name = "Inter";
};
monospace = {
package = pkgs.nerd-fonts.fira-code;
name = "FiraCode Nerd Font";
};
emoji = {
package = pkgs.noto-fonts-emoji;
name = "Noto Color Emoji";
};
sizes = {
applications = 11;
desktop = config.stylix.fonts.sizes.applications;
popups = config.stylix.fonts.sizes.applications;
terminal = 12;
};
};
};
})
];
}

7
hosts/modules/trantor/boot.nix Normal file
View file

@ -0,0 +1,7 @@
{
boot = {
loader.efi.efiSysMountPoint = "/boot";
initrd.systemd.enable = true;
kernel.sysctl."net.ipv4.ip_forward" = 1;
};
}

10
hosts/modules/trantor/default.nix Normal file
View file

@ -0,0 +1,10 @@
{ ... }:
{
imports = [
./boot.nix
./disko.nix
./hardware-configuration.nix
./networking.nix
];
}

34
hosts/modules/trantor/disko.nix Normal file
View file

@ -0,0 +1,34 @@
{ ... }:
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/disk/by-id/scsi-3605e4addb4c640319c8c03436205530b";
content = {
type = "gpt";
partitions = {
boot = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}

27
hosts/modules/trantor/hardware-configuration.nix Normal file
View file

@ -0,0 +1,27 @@
{
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
kernelModules = [ ];
extraModulePackages = [ ];
initrd = {
availableKernelModules = [
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"usbhid"
];
kernelModules = [ ];
};
};
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

0
hosts/trantor/networking.nix → hosts/modules/trantor/networking.nix
View file

85
hosts/modules/users.nix Normal file
View file

@ -0,0 +1,85 @@
{
hostType,
inputs,
lib,
pkgs,
...
}:
{
config = lib.mkMerge [
# Common configuration
{
users.users = {
user = {
isNormalUser = true;
shell = pkgs.fish;
extraGroups = [
"networkmanager"
"docker"
"wheel"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
];
hashedPassword = "$6$Pj7v/CpstyuWQQV0$cNujVDhfMBdwlGVEnnd8t71.kZPixbo0u25cd.874iaqLTH4V5fa1f98V5zGapjQCz5JyZmsR94xi00sUrntT0";
};
root = {
shell = pkgs.fish;
hashedPassword = "!";
};
};
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
backupFileExtension = "bkp";
users = {
user = import ../../users/user.nix;
root = import ../../users/root.nix;
};
sharedModules = [
inputs.nixvim.homeModules.nixvim
];
extraSpecialArgs = {
inherit hostType;
inherit inputs;
};
};
}
# Server specific configuration
(lib.mkIf hostType.isServer {
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
environment.sessionVariables = {
KDEHOME = "$XDG_CONFIG_HOME/kde4"; # Stops kde from placing a .kde4 folder in the home dir
NIXOS_OZONE_WL = "1"; # Forces chromium and most electron apps to run in wayland
};
users.users = {
user = {
description = "William";
uid = 1000;
extraGroups = [
"uaccess" # Needed for HID dev
"dialout" # Needed for arduino dev
"libvirt"
"libvirtd"
"adbusers"
"i2c"
];
};
ewans = {
description = "Ewans";
isNormalUser = true;
uid = 1001;
hashedPassword = "$y$j9T$yHLUDvj6bDIP19dchU.aA/$OY4qeFNtx/GvI.VUYx4LapHiiVwi0MEvs8AT0HN7j58";
};
};
})
];
}

38
hosts/modules/virtualisation.nix Normal file
View file

@ -0,0 +1,38 @@
{
hostType,
lib,
pkgs,
...
}:
{
config = lib.mkMerge [
# Common configuration
{
virtualisation.podman = {
enable = true;
dockerCompat = true;
autoPrune.enable = true;
extraPackages = [ pkgs.podman-compose ];
};
systemd = {
services.podman-auto-update.enable = true;
timers.podman-auto-update.enable = true;
};
}
# Server specific configuration
(lib.mkIf hostType.isServer {
})
# Workstation specific configuration
(lib.mkIf hostType.isWorkstation {
virtualisation = {
libvirtd.enable = true;
lxd.enable = true;
};
})
];
}

12
hosts/rotterdam.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
networking.hostName = "rotterdam";
imports = [
./modules/rotterdam
./modules
];
nix.nixPath = [ "nixos-config=${./rotterdam.nix}" ];
}

13
hosts/trantor.nix Normal file
View file

@ -0,0 +1,13 @@
{ ... }:
{
networking.hostName = "trantor";
imports = [
./modules/trantor
./modules
];
nix.nixPath = [ "nixos-config=${./trantor.nix}" ];
}

6
hosts/trantor/boot.nix
View file

@ -1,6 +0,0 @@
{
boot = {
initrd.systemd.enable = true;
loader.efi.efiSysMountPoint = "/boot/efi";
};
}

64
hosts/trantor/disko.nix
View file

@ -1,64 +0,0 @@
{ inputs, ... }:
{
imports = [ inputs.disko.nixosModules.default ];
disko.devices.disk.main = {
type = "disk";
device = "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1MiB";
end = "512MiB";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot/efi";
mountOptions = [
"noatime"
"fmask=0077"
"dmask=0077"
];
};
};
root = {
priority = 2;
name = "root";
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
"@root" = {
mountpoint = "/";
mountOptions = [
"noatime"
"compress=zstd"
];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = [
"noatime"
"compress=zstd"
];
};
"@persistent" = {
mountpoint = "/persistent";
mountOptions = [
"noatime"
"compress=zstd"
];
};
};
};
};
};
};
};
}

23
hosts/trantor/fail2ban.nix
View file

@ -1,23 +0,0 @@
{ config, pkgs, ... }:
{
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
"127.0.0.0/8"
"::1"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
];
bantime = "1h";
bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64";
maxtime = "10000h";
overalljails = true;
};
};
}

72
hosts/trantor/forgejo.nix
View file

@ -1,72 +0,0 @@
{
config,
lib,
inputs,
...
}:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts;
in
{
services = {
forgejo = {
enable = true;
settings = {
session.COOKIE_SECURE = true;
server = {
PROTOCOL = "http+unix";
DOMAIN = "git.baduhai.dev";
ROOT_URL = "https://git.baduhai.dev";
OFFLINE_MODE = true; # disable use of CDNs
SSH_DOMAIN = "git.baduhai.dev";
};
log.LEVEL = "Warn";
mailer.ENABLED = false;
actions.ENABLED = false;
service.DISABLE_REGISTRATION = true;
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = true;
ACCOUNT_LINKING = "login";
USERNAME = "preferred_username";
};
};
};
nginx.virtualHosts = mkNginxVHosts {
domains."git.baduhai.dev".locations."/".proxyPass =
"http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
};
fail2ban.jails.forgejo = {
settings = {
enabled = true;
filter = "forgejo";
maxretry = 3;
findtime = "10m";
bantime = "1h";
};
};
};
environment = {
etc."fail2ban/filter.d/forgejo.conf".text = ''
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
journalmatch = _SYSTEMD_UNIT=forgejo.service
'';
persistence.main.directories = [
{
directory = config.services.forgejo.stateDir;
inherit (config.services.forgejo) user group;
mode = "0700";
}
];
};
# Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
}

20
hosts/trantor/hardware-configuration.nix
View file

@ -1,20 +0,0 @@
{
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"usbhid"
];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

61
hosts/trantor/nginx.nix
View file

@ -1,61 +0,0 @@
{
config,
lib,
inputs,
...
}:
let
utils = import ../../utils.nix { inherit inputs lib; };
inherit (utils) mkNginxVHosts services;
# Get all unique domains from shared services on trantor (host = "trantor")
localDomains = lib.unique (
map (s: s.domain) (lib.filter (s: s.host == "trantor") services)
);
# Generate ACME cert configs for all local domains
acmeCerts = lib.genAttrs localDomains (domain: {
group = "nginx";
});
in
{
security.acme = {
acceptTerms = true;
defaults = {
email = "baduhai@proton.me";
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare.path;
};
certs = acmeCerts;
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"_" = {
default = true;
locations."/".return = "444";
};
};
};
users.users.nginx.extraGroups = [ "acme" ];
networking.firewall.allowedTCPPorts = [
80
443
];
age.secrets.cloudflare = {
file = ../../secrets/cloudflare.age;
owner = "nginx";
group = "nginx";
};
}

23
hosts/trantor/openssh.nix
View file

@ -1,23 +0,0 @@
{ ... }:
{
services = {
openssh = {
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
fail2ban.jails.sshd = {
settings = {
enabled = true;
port = "ssh";
filter = "sshd";
logpath = "/var/log/auth.log";
maxretry = 3;
findtime = "10m";
bantime = "1h";
};
};
};
}

58
hosts/trantor/unbound.nix
View file

@ -1,58 +0,0 @@
{ inputs, lib, ... }:
let
utils = import ../../utils.nix { inherit inputs lib; };
in
{
services.unbound = {
enable = true;
enableRootTrustAnchor = true;
settings = {
server = {
interface = [
"0.0.0.0"
"::"
];
access-control = [
"127.0.0.0/8 allow"
"100.64.0.0/10 allow" # Tailscale CGNAT range
"::1/128 allow"
"fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
];
num-threads = 2;
msg-cache-size = "50m";
rrset-cache-size = "100m";
cache-min-ttl = 300;
cache-max-ttl = 86400;
prefetch = true;
prefetch-key = true;
hide-identity = true;
hide-version = true;
so-rcvbuf = "1m";
so-sndbuf = "1m";
# Tailnet DNS records from shared services
local-zone = ''"baduhai.dev." transparent'';
local-data = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') utils.services;
};
forward-zone = [
{
name = ".";
forward-addr = [
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
];
forward-tls-upstream = true;
}
];
};
};
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 ];
};
}

84
modules/ephemeral.nix
View file

@ -1,84 +0,0 @@
{ lib, config, ... }:
let
cfg = config.ephemeral;
in
{
options.ephemeral = {
enable = lib.mkEnableOption "ephemeral root with automatic rollback";
rootDevice = lib.mkOption {
type = lib.types.str;
example = "/dev/mapper/cryptroot";
description = "Device path for the root btrfs filesystem";
};
rootSubvolume = lib.mkOption {
type = lib.types.str;
example = "@root";
description = "Name of the root btrfs subvolume";
};
oldRootRetentionDays = lib.mkOption {
type = lib.types.int;
default = 30;
description = "Number of days to keep old root snapshots before deletion";
};
};
config = lib.mkIf cfg.enable {
boot.initrd.systemd.services.recreate-root = {
description = "Rolling over and creating new filesystem root";
requires = [ "initrd-root-device.target" ];
after = [
"local-fs-pre.target"
"initrd-root-device.target"
];
requiredBy = [ "initrd-root-fs.target" ];
before = [ "sysroot.mount" ];
unitConfig = {
AssertPathExists = "/etc/initrd-release";
DefaultDependencies = false;
};
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
set -euo pipefail
mkdir /btrfs_tmp
if ! mount ${cfg.rootDevice} /btrfs_tmp; then
echo "ERROR: Failed to mount ${cfg.rootDevice}"
exit 1
fi
if [[ -e /btrfs_tmp/${cfg.rootSubvolume} ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/${cfg.rootSubvolume})" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/${cfg.rootSubvolume} "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +${toString cfg.oldRootRetentionDays}); do
delete_subvolume_recursively "$i"
done
if ! btrfs subvolume create /btrfs_tmp/${cfg.rootSubvolume}; then
echo "ERROR: Failed to create subvolume ${cfg.rootSubvolume}"
umount /btrfs_tmp
exit 1
fi
umount /btrfs_tmp
'';
};
};
}

123
modules/qbittorrent.nix Normal file
View file

@ -0,0 +1,123 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.services.qbittorrent;
configDir = "${cfg.dataDir}/.config";
openFilesLimit = 4096;
in
{
options.services.qbittorrent = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Run qBittorrent headlessly as systemwide daemon
'';
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/qbittorrent";
description = ''
The directory where qBittorrent will create files.
'';
};
user = mkOption {
type = types.str;
default = "qbittorrent";
description = ''
User account under which qBittorrent runs.
'';
};
group = mkOption {
type = types.str;
default = "qbittorrent";
description = ''
Group under which qBittorrent runs.
'';
};
port = mkOption {
type = types.port;
default = 8080;
description = ''
qBittorrent web UI port.
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Open services.qBittorrent.port to the outside network.
'';
};
openFilesLimit = mkOption {
default = openFilesLimit;
description = ''
Number of files to allow qBittorrent to open.
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.qbittorrent ];
nixpkgs.overlays = [
(final: prev: {
qbittorrent = prev.qbittorrent.override { guiSupport = false; };
})
];
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ];
};
systemd.services.qbittorrent = {
after = [ "network.target" ];
description = "qBittorrent Daemon";
wantedBy = [ "multi-user.target" ];
path = [ pkgs.qbittorrent ];
serviceConfig = {
ExecStart = ''
${pkgs.qbittorrent}/bin/qbittorrent-nox \
--profile=${configDir} \
--webui-port=${toString cfg.port}
'';
# To prevent "Quit & shutdown daemon" from working; we want systemd to
# manage it!
Restart = "on-success";
User = cfg.user;
Group = cfg.group;
UMask = "0002";
LimitNOFILE = cfg.openFilesLimit;
};
};
users.users = mkIf (cfg.user == "qbittorrent") {
qbittorrent = {
inherit group;
home = cfg.dataDir;
createHome = true;
description = "qBittorrent Daemon user";
};
};
users.groups = mkIf (cfg.group == "qbittorrent") {
qbittorrent = {
gid = null;
};
};
};
}

55
nixosConfigurations.nix
View file

@ -1,55 +0,0 @@
{ inputs, ... }:
let
lib = inputs.nixpkgs.lib;
utils = import ./utils.nix { inherit inputs lib; };
inherit (utils) mkHost;
in
{
flake.nixosConfigurations = {
rotterdam = mkHost {
hostname = "rotterdam";
tags = [
"desktop"
"ai"
"bluetooth"
"dev"
"ephemeral"
"fwupd"
"gaming"
"libvirtd"
"networkmanager"
"podman"
];
};
io = mkHost {
hostname = "io";
tags = [
"desktop"
"ai"
"bluetooth"
"dev"
"ephemeral"
"networkmanager"
"podman"
];
};
alexandria = mkHost {
hostname = "alexandria";
tags = [
# "server" TODO: uncomment when 25.11 is out.
"fwupd"
];
};
trantor = mkHost {
hostname = "trantor";
system = "aarch64-linux";
tags = [
"server"
"ephemeral"
];
};
};
}

7
nixosModules.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
flake.nixosModules = {
ephemeral = import ./modules/ephemeral.nix;
};
}

13
overlays.nix
View file

@ -1,13 +0,0 @@
{ inputs, ... }:
{
flake.overlays = {
default = final: prev: {
base16-schemes = inputs.self.packages.${final.system}.base16-schemes;
fastfetch = inputs.self.packages.${final.system}.fastfetch;
hm-cli = inputs.self.packages.${final.system}.hm-cli;
kwrite = inputs.self.packages.${final.system}.kwrite;
toggleaudiosink = inputs.self.packages.${final.system}.toggleaudiosink;
};
};
}

15
packages.nix
View file

@ -1,15 +0,0 @@
{ ... }:
{
perSystem =
{ pkgs, system, ... }:
{
packages = {
base16-schemes = pkgs.callPackage ./packages/base16-schemes.nix { };
fastfetch = pkgs.callPackage ./packages/fastfetch.nix { };
hm-cli = pkgs.callPackage ./packages/hm-cli.nix { };
kwrite = pkgs.callPackage ./packages/kwrite.nix { };
toggleaudiosink = pkgs.callPackage ./packages/toggleaudiosink.nix { };
};
};
}

32
packages/base16-schemes.nix
View file

@ -1,32 +0,0 @@
{
lib,
stdenv,
fetchFromGitHub,
}:
stdenv.mkDerivation (finalAttrs: {
pname = "base16-schemes";
version = "0-unstable-2025-06-04";
src = fetchFromGitHub {
owner = "tinted-theming";
repo = "schemes";
rev = "317a5e10c35825a6c905d912e480dfe8e71c7559";
hash = "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=";
};
installPhase = ''
runHook preInstall
mkdir -p $out/share/themes/
install base16/*.yaml $out/share/themes/
runHook postInstall
'';
meta = {
description = "All the color schemes for use in base16 packages";
homepage = "https://github.com/tinted-theming/schemes";
maintainers = [ lib.maintainers.DamienCassou ];
license = lib.licenses.mit;
};
})

81
packages/fastfetch.nix
View file

@ -1,81 +0,0 @@
{
lib,
pkgs ? import <nixpkgs> { },
}:
let
fastfetch-logo = pkgs.fetchurl {
url = "https://discourse.nixos.org/uploads/default/original/3X/3/6/36954e6d6aa32c8b00f50ca43f142d898c1ff535.png";
hash = "sha256-aLHz8jSAFocrn+Pb4vRq0wtkYFJpBpZRevd+VoZC/PQ=";
};
fastfetch-config = pkgs.writeText "fastfetch-config.json" (
builtins.toJSON {
"$schema" = "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json";
modules = [
"title"
"separator"
{
type = "os";
keyWidth = 9;
}
{
type = "kernel";
keyWidth = 9;
}
{
type = "uptime";
keyWidth = 9;
}
{
type = "shell";
keyWidth = 9;
}
"break"
{
type = "cpu";
keyWidth = 11;
}
{
type = "memory";
keyWidth = 11;
}
{
type = "swap";
keyWidth = 11;
}
{
type = "disk";
folders = "/";
keyWidth = 11;
}
{
type = "command";
key = "Systemd";
keyWidth = 11;
text = "echo \"$(systemctl list-units --state=failed --no-legend | wc -l) failed units, $(systemctl list-jobs --no-legend | wc -l) queued jobs\"";
}
"break"
{
type = "command";
key = "Public IP";
keyWidth = 15;
text = "curl -s -4 ifconfig.me 2>/dev/null || echo 'N/A'";
}
{
type = "command";
key = "Tailscale IP";
keyWidth = 15;
text = "tailscale ip -4 2>/dev/null || echo 'N/A'";
}
{
type = "command";
key = "Local IP";
keyWidth = 15;
text = "ip -4 addr show scope global | grep inet | head -n1 | awk '{print $2}' | cut -d/ -f1";
}
];
}
);
in
pkgs.writeShellScriptBin "fastfetch" ''exec ${lib.getExe pkgs.fastfetch} --config ${fastfetch-config} --logo-type kitty --logo ${fastfetch-logo} --logo-padding-right 1 --logo-width 36 "$@" ''

105
packages/hm-cli.nix
View file

@ -1,105 +0,0 @@
{
pkgs ? import <nixpkgs> { },
}:
pkgs.writeShellScriptBin "hm" ''
set -e
HM="${pkgs.lib.getExe pkgs.home-manager}"
FLAKE_PATH="''${HM_PATH:-$HOME/.config/home-manager}"
FLAKE_OUTPUT="''${HM_USER:-$(whoami)@$(hostname)}"
show_usage() {
cat <<EOF
Usage: hm <command> [args]
Commands:
apply Switch to a new generation
generation list List all generations
generation delete ID... Delete specified generation(s)
generation rollback Rollback to the previous generation
generation switch ID Switch to the specified generation
generation cleanup Delete all but the current generation
Environment Variables:
HM_PATH Override default flake path (~/.config/home-manager)
Currently set to "''${HM_PATH:-<not set>}"
HM_USER Override default user output ("$(whoami)@$(hostname)")
Currently set to "''${HM_USER:-<not set>}"
EOF
}
if [[ $# -eq 0 ]]; then
show_usage
exit 1
fi
case "$1" in
apply)
"$HM" switch --flake "$FLAKE_PATH#$FLAKE_OUTPUT" -b bkp
;;
generation)
if [[ $# -lt 2 ]]; then
echo "Error: generation command requires a subcommand"
show_usage
exit 1
fi
case "$2" in
list)
"$HM" generations
;;
delete)
if [[ $# -lt 3 ]]; then
echo "Error: delete requires at least one generation ID"
exit 1
fi
shift 2
"$HM" remove-generations "$@"
;;
rollback)
PREV_GEN=$("$HM" generations | \
sed -n 's/^[[:space:]]*id \([0-9]\+\).*/\1/p' | \
head -n 2 | tail -n 1)
if [[ -z "$PREV_GEN" ]]; then
echo "Error: could not determine previous generation (possibly only one generation exists)"
exit 1
fi
"$HM" switch --flake "$FLAKE_PATH" --switch-generation "$PREV_GEN" -b bkp
;;
switch)
if [[ $# -ne 3 ]]; then
echo "Error: switch requires exactly one generation ID"
exit 1
fi
"$HM" switch --flake "$FLAKE_PATH" --switch-generation "$3" -b bkp
;;
cleanup)
CURRENT_GEN=$("$HM" generations | sed -n 's/^.*id \([0-9]\+\) .* (current)$/\1/p')
if [[ -z "$CURRENT_GEN" ]]; then
echo "Error: could not determine current generation"
exit 1
fi
OLD_GENS=$("$HM" generations | sed -n 's/^.*id \([0-9]\+\) .*/\1/p' | grep -v "^$CURRENT_GEN$")
if [[ -z "$OLD_GENS" ]]; then
echo "No old generations to delete"
else
echo "Deleting generations: $(echo $OLD_GENS | tr '\n' ' ')"
echo "$OLD_GENS" | xargs "$HM" remove-generations
echo "Cleanup complete. Current generation $CURRENT_GEN preserved."
fi
;;
*)
echo "Error: unknown generation subcommand '$2'"
show_usage
exit 1
;;
esac
;;
*)
echo "Error: unknown command '$1'"
show_usage
exit 1
;;
esac
''

15
packages/kwrite.nix
View file

@ -1,15 +0,0 @@
{ pkgs }:
pkgs.symlinkJoin {
name = "kwrite";
paths = [ pkgs.kdePackages.kate ];
postBuild = ''
rm -rf $out/bin/kate \
$out/bin/.kate-wrapped \
$out/share/applications/org.kde.kate.desktop \
$out/share/man \
$out/share/icons/hicolor/*/apps/kate.png \
$out/share/icons/hicolor/scalable/apps/kate.svg \
$out/share/appdata/org.kde.kate.appdata.xml
'';
}

Some files were not shown because too many files have changed in this diff Show more