various updates

This commit is contained in:
Dmitriy Kholkin 2023-01-26 00:23:55 +03:00
parent e0f402134e
commit 3ed643bd1e
22 changed files with 293 additions and 216 deletions


@ -39,6 +39,8 @@
hardware.video.hidpi.enable = lib.mkForce false; hardware.video.hidpi.enable = lib.mkForce false;
hardware.firmware = [ pkgs.rtl8761b-firmware ]; hardware.firmware = [ pkgs.rtl8761b-firmware ];
networking.firewall.allowedTCPPorts = [ 52736 ];
secrets.files-veracrypt = {}; secrets.files-veracrypt = {};
environment.etc.crypttab = { environment.etc.crypttab = {
text = '' text = ''
@ -79,7 +81,7 @@
home.stateVersion = "21.11"; home.stateVersion = "21.11";
}; };
system.stateVersion = "21.11"; system.stateVersion = "22.11";
# VFIO Passthough # VFIO Passthough
# virtualisation = { # virtualisation = {
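Review bot: `system.stateVersion` moves from `"21.11"` to `"22.11"` on what looks like an existing host while `home.stateVersion` stays at `"21.11"`; stateVersion only pins defaults for stateful services and is normally left at the value of the original install, so the bump can silently change those defaults rather than "update" anything — confirm it is intended. The new `networking.firewall.allowedTCPPorts = [ 52736 ];` opens a port with no indication of which service listens on it; a comment such as `# 52736: <service name — TODO fill in>` next to it would save the next reader a search. The enclosing attribute set starts and ends outside the hunk.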


@ -1,10 +1,13 @@
{ modulesPath, lib, inputs, pkgs, ... }: { { modulesPath, lib, inputs, pkgs, config, ... }: {
imports = with inputs.self; [ imports = with inputs.self; [
"${toString modulesPath}/installer/cd-dvd/installation-cd-graphical-plasma5.nix" "${toString modulesPath}/installer/cd-dvd/installation-cd-graphical-plasma5.nix"
../../modules/autoinstall/default.nix
../Home-Hypervisor/autoinstall.nix
]; ];
options = { options = {
device = lib.mkOption { type = lib.types.str; }; device = lib.mkOption { type = lib.types.str; };
mainuser = lib.mkOption { type = lib.types.str; };
}; };
config = { config = {
@ -40,5 +43,24 @@
}; };
environment.etc.nixpkgs.source = inputs.nixpkgs; environment.etc.nixpkgs.source = inputs.nixpkgs;
environment.etc.self.source = inputs.self; environment.etc.self.source = inputs.self;
services.openssh = {
enable = true;
passwordAuthentication = true;
permitRootLogin = "yes";
forwardX11 = true;
extraConfig = "StreamLocalBindUnlink yes";
ports = [ 22 ];
};
users.users.nixos.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+xd8ClJPvJuAdYC9HlNnjiubEtYfvnKjYr9ROV+UmPVvI3ZITF24OaMI+fxgR0EqGfcUzSGom8528IB53Q3aFMIAaA0vKjW+jrByyB2l/k/+ttpLbH75c9WyOpAcUDTen8BhHKPyXOHoJ1jLu7GFmtPZ+mZo8thFB/VIRrwECHd8DnF0drsSCorkRp1bZC7bAHgztaYHNBUoAVGgJ7nLwW7DotlgbUEDiPJHXOxd/c/ZlXIB/cfUUqF+L5ThbMPhMcwRMspLy+nQdmHhih9k6SkvYqJoNqHT5/XeShb0RkIzvUWT2CYTPop5kAY5mMnatVTOY1FZPhHzk3G8MhOQ3r/elM/ecZxmjL8uozMN9kRGf1IL4DgQZfVqQRILdNSQGb0tfeiyirNZe1RlDw9UvMnZJOw0EkiC9lSSRhBWXXxAmxRrbNFTPQSp+/kiIGDmp2AsGhD11CfTDEU3wcLEUPBUqp1FYSzHncJyEKGy2Dpa5xaUJ0cuyGL4W3WHDXa4sTfY+AIXbQTD88Ujdsbfzyd6lrikG4D/crCurXissrh7q9DuYKWRI24cp5bw9lG33U1EXisnZqFyZNwMAmSj2QEGsHCwSevn0FgyRa2WYXgpZ9hfgY4le+ZSMo2JTosQ6DjGyxMDyQAHJ/ismTTzL67Q2p6U+73toYm62Qqdspw== (none)"
"ssh-rsa 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 alukard@AMD-Workstation"
];
# isoImage.contents = [{
# source = ../..;
# target = "/home/nixos/nixos-config";
# }];
}; };
} }
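Review bot: `passwordAuthentication = true;` and `permitRootLogin = "yes";` on the installer ISO widen exposure more than the change needs, since the same hunk already provisions authorized keys for the `nixos` user; once the live system is on a network, anything that can reach port 22 can try passwords against root. Unless password logins are actually required during installation, prefer `passwordAuthentication = false;` and `permitRootLogin = "prohibit-password";`, and keep `forwardX11 = true;` only if X clients really are run over this session. The newly declared `mainuser` option has no `description`; a one-liner like `description = "Primary user account created by the autoinstall modules";` would document its role (hedged — I infer the purpose from the imported `autoinstall` paths).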


@ -0,0 +1,50 @@
diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix
index e1e640c4474..1578f8680c8 100644
--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@@ -445,6 +445,7 @@ let
localAddress = null;
localAddress6 = null;
tmpfs = null;
+ mullvadExclude = false;
};
in
@@ -691,6 +692,14 @@ in
'';
};
+ mullvadExclude = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Start container with mullvad-exclude.
+ '';
+ };
+
# Removed option. See `checkAssertion` below for the accompanying error message.
pkgs = mkOption { visible = false; };
} // networkOptions;
@@ -767,6 +776,8 @@ in
postStart = postStartScript dummyConfig;
+ postStop = mkIf dummyConfig.mullvadExclude "";
+
restartIfChanged = false;
serviceConfig = serviceDirectives dummyConfig;
@@ -797,7 +808,12 @@ in
recursiveUpdate unit {
preStart = preStartScript containerConfig;
script = startScript containerConfig;
- postStart = postStartScript containerConfig;
+ postStart = (if containerConfig.mullvadExclude then ''
+ ${config.services.mullvad-vpn.package}/bin/mullvad split-tunnel pid add $MAINPID
+ '' else "") + postStartScript containerConfig;
+ postStop = mkIf containerConfig.mullvadExclude ''
+ ${config.services.mullvad-vpn.package}/bin/mullvad split-tunnel pid delete $MAINPID
+ '';
serviceConfig = serviceDirectives containerConfig;
unitConfig.RequiresMountsFor = lib.optional (!containerConfig.ephemeral) "${stateDirectory}/%i";
environment.root = if containerConfig.ephemeral then "/run/nixos-containers/%i" else "${stateDirectory}/%i";
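Review bot: `postStop` runs `mullvad split-tunnel pid delete $MAINPID` after the container's main process has already exited; by then the PID is gone and the daemon may already have dropped it, so the command can fail, and as far as I recall NixOS wraps `postStop` scripts in an errexit shell, which would leave the unit failed on every ordinary stop. Either tolerate that outcome, `${config.services.mullvad-vpn.package}/bin/mullvad split-tunnel pid delete $MAINPID || true`, or verify that the daemon's delete is idempotent for unknown PIDs; whether `$MAINPID` is even still populated for stop-post scripts is worth checking against systemd.exec(5). The `postStop = mkIf dummyConfig.mullvadExclude "";` for the dummy unit is harmless but an empty script reads oddly — a short comment that it only mirrors the real unit's keys would help. The option description at the top of the second hunk could say what "exclude" means in practice, e.g. that the container's traffic bypasses the VPN tunnel.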


@ -1,64 +0,0 @@
diff --git a/pkgs/applications/networking/mullvad-vpn/default.nix b/pkgs/applications/networking/mullvad-vpn/default.nix
index 0d79f41..e463f70 100644
--- a/pkgs/applications/networking/mullvad-vpn/default.nix
+++ b/pkgs/applications/networking/mullvad-vpn/default.nix
@@ -43,11 +43,11 @@ in
stdenv.mkDerivation rec {
pname = "mullvad-vpn";
- version = "2022.4";
+ version = "2022.5";
src = fetchurl {
url = "https://github.com/mullvad/mullvadvpn-app/releases/download/${version}/MullvadVPN-${version}_amd64.deb";
- sha256 = "sha256-OwTtWzlZjHNFSN5/UjFJbcrPCv9+ucWYEL2idYjeozU=";
+ sha256 = "1sk7xizxs045r6b7wxdls6gvfyz3r1qxqir5nhcfk0mfpy8phw0v";
};
nativeBuildInputs = [
@@ -75,7 +75,6 @@ stdenv.mkDerivation rec {
mv opt/Mullvad\ VPN/* $out/share/mullvad
ln -s $out/share/mullvad/mullvad-{gui,vpn} $out/bin/
- ln -s $out/share/mullvad/resources/mullvad-daemon $out/bin/mullvad-daemon
ln -sf $out/share/mullvad/resources/mullvad-problem-report $out/bin/mullvad-problem-report
wrapProgram $out/bin/mullvad-vpn --set MULLVAD_DISABLE_UPDATE_NOTIFICATION 1
diff --git a/pkgs/applications/networking/mullvad/libwg.nix b/pkgs/applications/networking/mullvad/libwg.nix
index d54a2ca..287797f 100644
--- a/pkgs/applications/networking/mullvad/libwg.nix
+++ b/pkgs/applications/networking/mullvad/libwg.nix
@@ -13,7 +13,7 @@ buildGoModule {
sourceRoot = "source/wireguard/libwg";
- vendorSha256 = "qvymWCdJ+GY90W/Fpdp+r1+mTq6O4LyN2Yw/PjKdFm0=";
+ vendorSha256 = "QNde5BqkSuqp3VJQOhn7aG6XknRDZQ62PE3WGhEJ5LU=";
# XXX: hack to make the ar archive go to the correct place
# This is necessary because passing `-o ...` to `ldflags` does not work
diff --git a/pkgs/applications/networking/mullvad/mullvad.nix b/pkgs/applications/networking/mullvad/mullvad.nix
index 65aeab2..b047562 100644
--- a/pkgs/applications/networking/mullvad/mullvad.nix
+++ b/pkgs/applications/networking/mullvad/mullvad.nix
@@ -15,16 +15,16 @@
}:
rustPlatform.buildRustPackage rec {
pname = "mullvad";
- version = "2022.4";
+ version = "2022.5";
src = fetchFromGitHub {
owner = "mullvad";
repo = "mullvadvpn-app";
- rev = version;
- hash = "sha256-s0Cmeh10lQUB5BK4i1qxkDy/ylx/3c6V66dxH+kcnLs=";
+ rev = "2022.5";
+ sha256 = "1jd7wpz6pp1fa0y3cs99i7wdwcfwarp7zji6cv37y8h1w4nq89if";
};
- cargoHash = "sha256-HPURL+CFUVLWRq8nzLiZxDhckgH76b6JBUObLGtoEEw=";
+ cargoHash = "sha256-KpBhdZce8Ug3ws7f1qg+5LtOMQw2Mf/uJsBg/TZSYyk=";
nativeBuildInputs = [
pkg-config


@ -0,0 +1,20 @@
{ config, pkgs, lib, ... }: {
home-manager.users.${config.mainuser} = {
programs.nnn = {
enable = true;
package = pkgs.nnn.override ({ withNerdIcons = true; });
# extraPackages = with pkgs; [ ffmpegthumbnailer mediainfo sxiv ];
# bookmarks = {
# d = "~/Documents";
# D = "~/Downloads";
# p = "~/Pictures";
# v = "~/Videos";
# };
# plugins = { };
};
programs.zsh.shellAliases = {
"n" = "nnn -deE";
};
};
}
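Review bot: `package = pkgs.nnn.override ({ withNerdIcons = true; });` wraps the attribute set in redundant parentheses; the conventional form is `package = pkgs.nnn.override { withNerdIcons = true; };`. The block of commented-out `extraPackages`/`bookmarks`/`plugins` settings could be reduced to a one-line `# TODO: bookmarks and plugins` so the module reads as its current configuration rather than a draft.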


@ -15,13 +15,10 @@ with config.deviceSpecific; {
glib.out glib.out
# gptfdisk # gptfdisk
jq jq
kitti3
libqalculate libqalculate
lm_sensors lm_sensors
lnav lnav
# nix-alien # nix-alien
nixfmt
nixpkgs-fmt
nix-prefetch-git nix-prefetch-git
nix-index-update nix-index-update
p7zip p7zip
@ -31,9 +28,8 @@ with config.deviceSpecific; {
ripgrep ripgrep
ripgrep-all ripgrep-all
sd sd
statix
tealdeer tealdeer
# tidal-dl translate-shell
unzip unzip
usbutils usbutils
wget wget
@ -42,13 +38,10 @@ with config.deviceSpecific; {
# tui # tui
bottom bottom
bpytop
micro micro
ncdu ncdu
nix-tree nix-tree
nnn
procs procs
ranger
# gui # gui
bitwarden bitwarden
@ -57,30 +50,23 @@ with config.deviceSpecific; {
discord discord
feh feh
foliate foliate
gparted
jellyfin-media-player jellyfin-media-player
joplin-desktop joplin-desktop
networkmanagerapplet
# persepolis
pinta pinta
qbittorrent qbittorrent
qimgv qimgv
# quodlibet
system-config-printer system-config-printer
tdesktop tdesktop
xarchiver xarchiver
youtube-to-mpv youtube-to-mpv
zathura zathura
# libsForQt5.networkmanager-qt
xdg-utils xdg-utils
# awesome-shell # awesome-shell
curlie curlie
duf duf
zsh-z zsh-z
inputs.webcord.packages.${pkgs.hostPlatform.system}.default
] ++ lib.optionals (!(isVM || isISO)) [ ] ++ lib.optionals (!(isVM || isISO)) [
audacity audacity
blueman blueman
@ -91,7 +77,6 @@ with config.deviceSpecific; {
scrcpy scrcpy
] ++ lib.optionals isGaming [ ] ++ lib.optionals isGaming [
ceserver ceserver
# ckan
gamescope gamescope
goverlay goverlay
lutris lutris
@ -101,6 +86,7 @@ with config.deviceSpecific; {
reshade-shaders reshade-shaders
(retroarch.override { cores = [ libretro.genesis-plus-gx libretro.dosbox ]; }) (retroarch.override { cores = [ libretro.genesis-plus-gx libretro.dosbox ]; })
parsec parsec
protonhax
protontricks protontricks
vkBasalt vkBasalt
wine wine


@ -4,7 +4,7 @@ let
mullvad-exclude ${pkgs.tor-browser-bundle-bin}/bin/tor-browser mullvad-exclude ${pkgs.tor-browser-bundle-bin}/bin/tor-browser
''; '';
in { in {
home-manager.users.${config.mainuser}.home.packages = if config.deviceSpecific.wireguard.enable then [ home-manager.users.${config.mainuser}.home.packages = if config.deviceSpecific.vpn.mullvad.enable then [
tor-browser tor-browser
] else [ ] else [
pkgs.tor-browser-bundle-bin pkgs.tor-browser-bundle-bin


@ -23,65 +23,44 @@ in
package = pkgs.vscode; package = pkgs.vscode;
enableExtensionUpdateCheck = false; enableExtensionUpdateCheck = false;
enableUpdateCheck = false; enableUpdateCheck = false;
extensions = extensions = let
with inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; vscode = inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode;
with inputs.nix-vscode-marketplace.packages.${pkgs.system}.open-vsx; open-vsx = inputs.nix-vscode-marketplace.packages.${pkgs.system}.open-vsx;
with pkgs.vscode-extensions; nixpkgs = pkgs.vscode-extensions;
let in [
vscode = inputs.nix-vscode-marketplace.packages.${pkgs.system}.vscode; (inputs.direnv-vscode.packages.${pkgs.system}.vsix.overrideAttrs (_: {
open-vsx = inputs.nix-vscode-marketplace.packages.${pkgs.system}.open-vsx; buildPhase = "yarn run build";
nixpkgs = pkgs.vscode-extensions; installPhase = ''
in [ mkdir -p $out/share/vscode/extensions/direnv.direnv-vscode
(inputs.direnv-vscode.packages.${pkgs.system}.vsix.overrideAttrs (_: { cp -R * $out/share/vscode/extensions/direnv.direnv-vscode
buildPhase = "yarn run build"; '';
installPhase = '' }))
mkdir -p $out/share/vscode/extensions/direnv.direnv-vscode (pkgs.callPackage ./theme.nix { mainuser = config.mainuser; } config.lib.base16.theme)
cp -R * $out/share/vscode/extensions/direnv.direnv-vscode
'';
}))
(pkgs.callPackage ./theme.nix { mainuser = config.mainuser; } config.lib.base16.theme)
vscode.aaron-bond.better-comments vscode.aaron-bond.better-comments
vscode.alefragnani.bookmarks vscode.alefragnani.bookmarks
vscode.alefragnani.project-manager vscode.alefragnani.project-manager
# vscode.arrterian.nix-env-selector vscode.bungcip.better-toml
# vscode.bbenoist.nix vscode.catppuccin.catppuccin-vsc
vscode.bungcip.better-toml vscode.christian-kohler.path-intellisense
vscode.catppuccin.catppuccin-vsc vscode.codezombiech.gitignore
vscode.christian-kohler.path-intellisense vscode.dart-code.dart-code
vscode.codezombiech.gitignore # dlasagno.wal-theme
vscode.dart-code.dart-code vscode.eamodio.gitlens-insiders
# dlasagno.wal-theme vscode.enkia.tokyo-night
vscode.eamodio.gitlens-insiders vscode.equinusocio.vsc-material-theme-icons
vscode.enkia.tokyo-night vscode.felixangelov.bloc
vscode.equinusocio.vsc-material-theme-icons vscode.github.vscode-pull-request-github
vscode.felixangelov.bloc vscode.irongeek.vscode-env
vscode.github.vscode-pull-request-github vscode.jebbs.plantuml
vscode.irongeek.vscode-env vscode.jnoortheen.nix-ide
vscode.jebbs.plantuml vscode.lucax88x.codeacejumper
vscode.jnoortheen.nix-ide vscode.marcelovelasquez.flutter-tree
vscode.lucax88x.codeacejumper vscode.mhutchie.git-graph
vscode.marcelovelasquez.flutter-tree vscode.ms-azuretools.vscode-docker
vscode.mhutchie.git-graph vscode.ms-vscode-remote.remote-ssh
vscode.ms-azuretools.vscode-docker nixpkgs.rust-lang.rust-analyzer
vscode.ms-vscode-remote.remote-ssh ];
# vscode.ms-vscode-remote.remote-ssh-edit
];
# ++ [ (import ./extensions.nix).extensions ];
# extensions = with pkgs.vscode-extensions;
# (map
# (extension: pkgs.vscode-utils.buildVscodeMarketplaceExtension {
# mktplcRef = {
# inherit (extension) name publisher version sha256;
# };
# })
# (import ./extensions.nix).extensions
# );
# ++ [
# arrterian.nix-env-selector
# (pkgs.callPackage ./theme.nix { } config.lib.base16.theme)
# ];
# mutableExtensionsDir = false; # mutableExtensionsDir = false;
userSettings = { userSettings = {
"update.mode" = "none"; "update.mode" = "none";
@ -146,7 +125,7 @@ in
"git.enableCommitSigning" = true; "git.enableCommitSigning" = true;
"git-graph.repository.sign.commits" = true; "git-graph.repository.sign.commits" = true;
"git-graph.repository.sign.tags" = true; "git-graph.repository.sign.tags" = true;
# "editor.bracketPairColorization.enabled" = true; # "editor.bracketPairColorization.enabled" = false;
"editor.guides.bracketPairs" = "active"; "editor.guides.bracketPairs" = "active";
"terminal.integrated.defaultProfile.linux" = "zsh"; "terminal.integrated.defaultProfile.linux" = "zsh";
"terminal.integrated.profiles.linux".zsh.path = "/run/current-system/sw/bin/zsh"; "terminal.integrated.profiles.linux".zsh.path = "/run/current-system/sw/bin/zsh";


@ -1,47 +0,0 @@
{ pkgs, lib, config, ... }:
let
vpn = config.deviceSpecific.wireguard;
in {
config = lib.mkIf vpn.enable {
services.mullvad-vpn.enable = true;
services.mullvad-vpn.enableExcludeWrapper = true;
services.mullvad-vpn.package = pkgs.mullvad-vpn;
startupApplications = [ "${pkgs.mullvad-vpn}/share/mullvad/mullvad-gui" ];
services.tailscale = {
enable = true;
#interfaceName = "userspace-networking";
interfaceName = "tailscale0";
};
systemd.services.tailscaled.serviceConfig.ExecStart = lib.mkForce [
""
"${pkgs.mullvad}/bin/mullvad-exclude ${pkgs.tailscale}/bin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=\${PORT} $FLAGS"
];
# FIXME: allow mullvad custom dns
networking.nftables.ruleset = let
resolver_addrs = "100.100.100.100";
excluded_ipv4 = "100.64.0.1/10";
excluded_ipv6 = "fd7a:115c:a1e0::/48";
in ''
table inet mullvad-ts {
chain excludeOutgoing {
type route hook output priority 0; policy accept;
ip daddr ${excluded_ipv4} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
ip6 daddr ${excluded_ipv6} ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
}
chain allow-incoming {
type filter hook input priority -100; policy accept;
iifname "${config.services.tailscale.interfaceName}" ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
}
chain excludeDns {
type filter hook output priority -10; policy accept;
ip daddr ${resolver_addrs} udp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
ip daddr ${resolver_addrs} tcp dport 53 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
}
}
'';
persist.state.directories = [ "/var/lib/tailscale" ];
persist.state.homeDirectories = [ ".config/Mullvad VPN" ];
};
}


@ -31,9 +31,8 @@ with lib; {
kitti3 = pkgs.python3Packages.callPackage ./packages/kitti3.nix { }; kitti3 = pkgs.python3Packages.callPackage ./packages/kitti3.nix { };
microbin = pkgs.callPackage ./packages/microbin-pkg { }; microbin = pkgs.callPackage ./packages/microbin-pkg { };
mpris-ctl = pkgs.callPackage ./packages/mpris-ctl.nix { }; mpris-ctl = pkgs.callPackage ./packages/mpris-ctl.nix { };
mullvad = master.mullvad;
mullvad-vpn = master.mullvad-vpn;
parsec = pkgs.callPackage ./packages/parsec.nix { }; parsec = pkgs.callPackage ./packages/parsec.nix { };
protonhax = pkgs.callPackage ./packages/protonhax.nix { };
reshade-shaders = pkgs.callPackage ./packages/reshade-shaders.nix { }; reshade-shaders = pkgs.callPackage ./packages/reshade-shaders.nix { };
rosepine-gtk-theme = pkgs.callPackage ./packages/rosepine-gtk-theme.nix { }; rosepine-gtk-theme = pkgs.callPackage ./packages/rosepine-gtk-theme.nix { };
rosepine-icon-theme = pkgs.callPackage ./packages/rosepine-icon-theme.nix { }; rosepine-icon-theme = pkgs.callPackage ./packages/rosepine-icon-theme.nix { };
@ -44,7 +43,6 @@ with lib; {
vscode = master.vscode; vscode = master.vscode;
vscode-fhs = master.vscode-fhs; vscode-fhs = master.vscode-fhs;
xonar-fp = pkgs.callPackage ./packages/xonar-fp.nix { }; xonar-fp = pkgs.callPackage ./packages/xonar-fp.nix { };
# xray-core = pkgs.callPackage ./packages/xray-core.nix { };
youtube-to-mpv = pkgs.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; }; youtube-to-mpv = pkgs.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; };
vivaldi = master.vivaldi; vivaldi = master.vivaldi;
steam = prev.steam.override { steam = prev.steam.override {


@ -0,0 +1,27 @@
{ stdenv, fetchFromGitHub, tinycc }:
stdenv.mkDerivation rec {
pname = "protonhax";
version = "1.0.4";
src = fetchFromGitHub {
owner = "jcnils";
repo = pname;
rev = version;
hash = "sha256-3s1pmHcQy/xJS6ke0Td3tkXAhXcTuJ4mb3Dtpxb2/6o=";
};
buildPhase = ''
make
'';
installPhase = ''
install -d -m755 $out/bin
install -m755 protonhax $out/bin/protonhax
install -m755 envload $out/bin/envload
'';
nativeBuildInputs = [
tinycc
];
}
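Review bot: The derivation has no `meta` (description, license, platforms), which consumers of the overlay will want; add `lib` to the argument set and a `meta = with lib; { description = "<TODO>"; license = licenses.<TODO>; platforms = platforms.linux; };` block — the license is not visible from here. `buildPhase = '' make '';` restates what stdenv's generic builder already does when a Makefile is present, so it can likely be dropped; `installPhase` should stay unless upstream has an `install` target — TODO confirm. A comment on `nativeBuildInputs = [ tinycc ];` saying that upstream's Makefile builds with tcc (which I infer, not see) would explain the unusual compiler choice.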


@ -35,7 +35,7 @@ with config.deviceSpecific; {
}; };
# Safe, because we using doas # Safe, because we using doas
users.allowNoPasswordLogin = true; users.allowNoPasswordLogin = true;
# FIXME # FIXME: completely remove sudo
security.sudo = { security.sudo = {
enable = true; enable = true;
extraRules = [{ extraRules = [{
@ -49,17 +49,13 @@ with config.deviceSpecific; {
} { } {
command = "/run/current-system/sw/bin/nix-shell"; command = "/run/current-system/sw/bin/nix-shell";
options = [ "SETENV" "NOPASSWD" ]; options = [ "SETENV" "NOPASSWD" ];
}]; }
# {
# command = "/run/current-system/sw/bin/deploy";
# options = [ "SETENV" "NOPASSWD" ];
# }
];
}]; }];
# extraConfig = lib.concatStrings [''
# ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/btrfs fi usage /
# ''
# (if (isLaptop) then ''
# ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp-stat
# ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp ac
# ${config.mainuser} ALL = (root) NOPASSWD: /run/current-system/sw/bin/tlp bat
# '' else "")
# ];
}; };
security.doas = { security.doas = {
enable = true; enable = true;
@ -83,6 +79,11 @@ with config.deviceSpecific; {
noPass = true; noPass = true;
keepEnv = true; keepEnv = true;
cmd = "/run/current-system/sw/bin/tlp-stat"; cmd = "/run/current-system/sw/bin/tlp-stat";
} {
users = [ config.mainuser ];
keepEnv = false;
cmd = "/run/current-system/sw/bin/podman";
args = [ "build" ];
}]; }];
}; };
systemd.services."user@" = { serviceConfig = { Restart = "always"; }; }; systemd.services."user@" = { serviceConfig = { Restart = "always"; }; };
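Review bot: The new doas rule `cmd = "/run/current-system/sw/bin/podman"; args = [ "build" ];` matches only the exact argument vector `build` with nothing after it — doas.conf's `args` requires the full argument list to match — so `doas podman build -t x .` is not permitted by it and the rule is likely dead as written; confirm against doas.conf(5). If rootful builds are really the intent, note that `RUN` steps of a root `podman build` execute as root inside the build container, so this is a broader grant than the rule suggests; rootless podman under `config.mainuser`, which the `podman-joplin` units in this same commit already use, would avoid needing the rule at all. The rewording to `# FIXME: completely remove sudo` reads clearly.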


@ -0,0 +1,27 @@
{ pkgs, config, lib, ... }: {
secrets.firefox-syncserver = {
# owner = config.services.firefox-syncserver.database.user;
};
services.mysql.package = pkgs.mariadb;
services.firefox-syncserver = {
enable = true;
database.createLocally = true;
secrets = config.secrets.firefox-syncserver.decrypted;
settings = {
port = 5000;
tokenserver.enabled = true;
};
singleNode = {
enable = true;
# enableTLS = false;
# enableNginx = false;
enableTLS = false;
enableNginx = true;
hostname = "localhost";
# hostname = "fsync.ataraxiadev.com";
# url = "https://fsync.ataraxiadev.com";
};
};
}
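Review bot: `secrets = config.secrets.firefox-syncserver.decrypted;` hands the service a decrypted file whose `owner = ...` line in the `secrets.firefox-syncserver` block above is commented out; whether the syncserver's service user can read that file depends on the secrets module's default ownership, which is not visible here — confirm, or restore the owner line. `enableTLS = false;` with `enableNginx = true;` and `hostname = "localhost";` means the token server is served plaintext, which is acceptable only while it is reached over loopback; the commented `fsync.ataraxiadev.com` lines suggest public exposure is planned, and TLS termination must be in place before that hostname is switched on. A comment on `services.mysql.package = pkgs.mariadb;` saying it backs `database.createLocally` would tie the two settings together.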


@ -0,0 +1,24 @@
{ config, lib, pkgs, ... }: {
# secrets.headscale-db.owner = config.services.headscale.user;
# FIXME: https://github.com/juanfont/headscale/blob/main/config-example.yaml
services.headscale = {
enable = true;
serverUrl = "http://192.168.0.100:8080";
address = "192.168.0.100";
serverUrl = "http://tailscale.ataraxiadev.com:8080";
# address = "0.0.0.0";
port = 8080;
dns = {
magicDns = true;
nameservers = "192.168.0.1";
baseDomain = "ataraxiadev.com";
};
# database.passwordFile = config.secrets.headscale-db.decrypted;
# database.path = "/var/lib/headscale/db.sqlite";
# privateKeyFile = "/var/lib/headscale/private.key";
};
environment.systemPackages = [ config.services.headscale.package ];
networking.firewall.allowedTCPPorts = [ config.services.headscale.port ];
persist.state.directories = [ "/var/lib/headscale" ];
}
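Review bot: `serverUrl` is assigned twice in the same attribute set (`"http://192.168.0.100:8080"` and `"http://tailscale.ataraxiadev.com:8080"`); Nix rejects duplicate attribute definitions, so unless a comment marker was lost in rendering this file does not evaluate — keep one and comment the other, `# serverUrl = "http://192.168.0.100:8080";`. `dns.nameservers = "192.168.0.1";` is a string where, as I recall the headscale module, a list is expected (`nameservers = [ "192.168.0.1" ];`) — confirm against the option type. Since the port is also opened in the firewall and `serverUrl` is plain `http://`, clients outside the LAN would talk to the coordination server unencrypted; a TLS-terminating reverse proxy in front of it is the usual setup once `tailscale.ataraxiadev.com` is meant to be reachable.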


@ -29,17 +29,28 @@ in {
volumes = [ "/srv/joplin/postgres:/var/lib/postgresql/data" ]; volumes = [ "/srv/joplin/postgres:/var/lib/postgresql/data" ];
}; };
}; };
systemd.services.create-joplin-network = { # systemd.services.create-joplin-network = with config.virtualisation.oci-containers; {
serviceConfig.Type = "oneshot"; # serviceConfig.Type = "oneshot";
wantedBy = [ # wantedBy = [
"${backend}-joplin.service" # "${backend}-joplin.service"
"${backend}-joplin-db.service" # "${backend}-joplin-db.service"
]; # ];
script = '' # script = ''
${pkgs.docker}/bin/docker network inspect joplin || \ # ${pkgs.podman}/bin/podman network inspect joplin || \
${pkgs.docker}/bin/docker network create -d bridge joplin # ${pkgs.podman}/bin/podman network create -d bridge joplin || true
exit 0 # '';
''; # };
systemd.services.podman-joplin = {
path = [ "/run/wrappers" ];
serviceConfig.User = config.mainuser;
preStart = "${pkgs.podman}/bin/podman network create -d bridge joplin || true";
postStop = "${pkgs.podman}/bin/podman network rm joplin || true";
};
systemd.services.podman-joplin-db = {
path = [ "/run/wrappers" ];
serviceConfig.User = config.mainuser;
preStart = "${pkgs.podman}/bin/podman network create -d bridge joplin || true";
postStop = "${pkgs.podman}/bin/podman network rm joplin || true";
}; };
systemd.services.create-joplin-folder = { systemd.services.create-joplin-folder = {
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
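Review bot: Both `podman-joplin` and `podman-joplin-db` run `podman network rm joplin || true` in `postStop`, so stopping or restarting either container attempts to remove a network the other may still be attached to; podman refuses that while it is in use, and the `|| true` hides the refusal, so the line is a silent no-op most of the time and only "works" when the last container goes down. The two `preStart`s likewise race on `podman network create` at boot, benign only because of the same `|| true`. The cleaner shape is the single oneshot the commented-out `create-joplin-network` sketched, with `RemainAfterExit = true`, both container units `requires`/`after` it, and the removal in its `ExecStop`; at minimum drop the two `postStop` lines. The enclosing `systemd.services` set continues outside the hunk.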


@ -13,7 +13,23 @@ with config.deviceSpecific; {
else else
"overlay2"; "overlay2";
}; };
virtualisation.oci-containers.backend = "docker"; virtualisation.oci-containers.backend = "podman";
virtualisation.podman = {
enable = true;
extraPackages = [ pkgs.zfs ];
defaultNetwork.dnsname.enable = true;
};
virtualisation.containers.registries.search = [
"docker.io" "gcr.io" "quay.io"
];
virtualisation.containers.storage.settings =
lib.mkIf (devInfo.fileSystem == "zfs") {
storage = {
driver = "zfs";
graphroot = "/var/lib/containers/storage";
runroot = "/run/containers/storage";
};
};
virtualisation.libvirtd = { virtualisation.libvirtd = {
enable = true; enable = true;


@ -0,0 +1,17 @@
{ config, lib, pkgs, ... }:
let
homeDir = config.home-manager.users.${config.mainuser}.home.homeDirectory;
in {
# TODO: enable websocket (--rpc-certificate)
services.aria2 = {
enable = true;
downloadDir = "${homeDir}/Downloads/aria2";
rpcListenPort = 6800;
# FIXME: I can expose this, since i listen rpc only on localhost
# but in future it's better to implement read key from secrets before start daemon
rpcSecret = "secret";
# listenPortRange = {};
openPorts = false;
};
# networking.firewall.allowedTCPPorts = [ config.services.aria2.rpcListenPort ];
}
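Review bot: `rpcSecret = "secret";` ends up in the generated aria2 configuration in the Nix store, which every local user and process can read, and listening on localhost does not limit who on the host may call the RPC — a guessable, world-readable token lets any local process (including a browser page making requests to localhost) drive downloads and choose their destination. The FIXME already acknowledges this; the repo's `secrets-envsubst` module, present in the module lists of this commit, looks like the intended way to inject the token at service start — TODO confirm it can template aria2's config, since a random value is no better while it still lives in the store. Until then a comment on `openPorts = false;` noting that the RPC port is deliberately not exposed would make the current risk boundary explicit.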


@ -5,6 +5,7 @@
enableZshIntegration = true; enableZshIntegration = true;
}; };
}; };
programs.command-not-found.enable = lib.mkForce false;
persist.derivative.homeDirectories = [ ".cache/nix-index" ]; persist.derivative.homeDirectories = [ ".cache/nix-index" ];
} }


@ -14,6 +14,7 @@
misc misc
network network
nix nix
nnn
overlay overlay
persist persist
secrets secrets


@ -12,7 +12,9 @@
misc misc
network network
nix nix
nnn
overlay overlay
persist
secrets secrets
secrets-envsubst secrets-envsubst
security security


@ -8,11 +8,11 @@
applications-setup applications-setup
hardware hardware
mullvad
services services
sound sound
themes themes
virtualisation virtualisation
vpn
alacritty alacritty
corectrl corectrl
@ -32,6 +32,7 @@
vscode vscode
waydroid waydroid
aria2
copyq copyq
cursor cursor
direnv direnv


@ -7,13 +7,16 @@
applications applications
devices devices
direnv
git git
gpg gpg
locale locale
misc misc
nix nix
nix-index nix-index
nnn
overlay overlay
persist
secrets secrets
secrets-envsubst secrets-envsubst
security security