deadnix, cleanup

Dmitriy Kholkin 2024-02-08 23:21:10 +03:00
parent f7f371f106
commit 9034ae5060
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
99 changed files with 129 additions and 990 deletions


@ -118,7 +118,6 @@
"rustic-rs-0.7.0.patch"
"vaultwarden.patch"
"vscode-1.86.0.patch"
"webhooks.patch"
];
sharedOverlays = [ flake-utils-plus.overlay inputs.sops-nix.overlays.default ];
channelsConfig = {
@ -141,7 +140,6 @@
modules = __attrValues self.customModules ++ [
(import (./machines + "/${name}"))
{ device = name; mainuser = "ataraxia"; }
inputs.vscode-server.nixosModule
inputs.sops-nix.nixosModules.sops
];
specialArgs = { inherit inputs; };
@ -152,7 +150,6 @@
modules = __attrValues self.customModules ++ [
(import (./machines/Home-Hypervisor))
{ device = "Home-Hypervisor"; mainuser = "ataraxia"; }
inputs.vscode-server.nixosModule
inputs.sops-nix.nixosModules.sops
];
specialArgs = { inherit inputs; };


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ pkgs, lib, ... }:
let
zfs_arc_max = toString (6 * 1024 * 1024 * 1024);
in {


@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, modulesPath, ... }:
{
imports =


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ pkgs, lib, ... }:
let
zfs_arc_max = toString (2 * 1024 * 1024 * 1024);
in {


@ -1,4 +1,4 @@
{ inputs, config, lib, pkgs, ... }: {
{ inputs, config, pkgs, ... }: {
imports = with inputs.self; [
./boot.nix
./hardware-configuration.nix


@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, modulesPath, ... }:
{
imports =


@ -1,4 +1,4 @@
{ lib, ... }: {
{ ... }: {
autoinstall."Home-Hypervisor" = {
debug = false;
mainuser = "ataraxia";


@ -1,4 +1,4 @@
{ modulesPath, inputs, lib, pkgs, config, options, ... }:
{ inputs, lib, pkgs, config, ... }:
let persistRoot = config.autoinstall.persist.persistRoot or "/persist";
in {
imports = with inputs.self; [
@ -40,12 +40,11 @@ in {
customProfiles.yandex-db
(import customProfiles.blocky {
inherit config pkgs;
inherit (import ./dns-mapping.nix) dnsmasq-list;
})
(import customProfiles.headscale {
inherit config pkgs lib inputs;
inherit config lib inputs;
inherit (import ./dns-mapping.nix) headscale-list;
})
];


@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, modulesPath, ... }:
{
imports =


@ -1,4 +1,4 @@
{ config, lib, ... }: {
{ ... }: {
boot.initrd = rec {
luks.devices = {
"crypt-nas" = {


@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, ... }:
{ config, lib, inputs, ... }:
let
bridge = (import ../hardware/networks.nix).interfaces.main';
external-ip = "83.138.55.118";


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, ... }:
let
bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
tailscalePort = config.services.tailscale.port;


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ pkgs, ... }:
let
inherit (import ../hardware/networks.nix) interfaces;
bridgeName = interfaces.main'.bridgeName;


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ lib, pkgs, ... }:
let
inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
wireguardIFName = interfaces.wireguard0.ifname;


@ -1,10 +1,10 @@
{ pkgs, config, lib, ... }:
{ config, lib, ... }:
with config.deviceSpecific;
{
options = with lib;
with types; {
defaultApplications = mkOption {
type = attrsOf (submodule ({ name, ... }: {
type = attrsOf (submodule ({ ... }: {
options = {
cmd = mkOption { type = path; };
desktop = mkOption { type = str; };


@ -1,4 +1,4 @@
{ pkgs, lib, config, ... }:
{ lib, config, ... }:
with lib;
with types; {
options = {


@ -5,7 +5,7 @@ with lib;
description = mdDoc ''
Request headscale auth key.
'';
type = types.attrsOf (types.submodule ({ cfg, name, ... }: {
type = types.attrsOf (types.submodule ({ ... }: {
options = {
autoStart = mkOption {
type = types.bool;


@ -44,7 +44,7 @@ let
default = "virtiofs";
};
};
guestsOptions = { name, ... }: {
guestsOptions = { ... }: {
options = rec {
xmlFile = mkOption {
type = with types; nullOr path;


@ -1,4 +1,4 @@
{ config, pkgs, lib, inputs, ... }:
{ config, lib, inputs, ... }:
let
cfg = config.persist;
@ -23,110 +23,22 @@ let
in {
options = let
inherit (lib) mkOption mkEnableOption;
inherit (lib.types) listOf path str either submodule enum;
# defaultPerms = {
# mode = "0755";
# user = "root";
# group = "root";
# };
# dirPermsOpts = { user, group, mode }: {
# user = mkOption {
# type = str;
# default = user;
# };
# group = mkOption {
# type = str;
# default = group;
# };
# mode = mkOption {
# type = str;
# default = mode;
# };
# };
# fileOpts = perms: {
# options = {
# file = mkOption {
# type = str;
# };
# parentDirectory = dirPermsOpts perms;
# };
# };
# dirOpts = perms: {
# options = {
# directory = mkOption {
# type = str;
# };
# } // (dirPermsOpts perms);
# };
# userDefaultPerms = {
# inherit (defaultPerms) mode;
# user = config.mainuser;
# group = config.users.${userDefaultPerms.user}.group;
# };
# rootFile = submodule [
# (fileOpts defaultPerms)
# ];
# rootDir = submodule [
# (dirOpts defaultPerms)
# ];
# userFile = submodule [
# (fileOpts userDefaultPerms)
# ];
# userDir = submodule [
# (dirOpts userDefaultPerms)
# ];
inherit (lib.types) listOf path str;
common = {
directories = mkOption {
# type = listOf (either str (submodule {
# options = {
# directory = mkOption {
# type = str;
# default = null;
# };
# user = mkOption {
# type = str;
# default = "root";
# };
# group = mkOption {
# type = str;
# default = "root";
# };
# mode = mkOption {
# type = str;
# default = "0755";
# };
# };
# }));
# type = listOf (either str rootDir);
type = listOf str;
default = [ ];
};
files = mkOption {
# type = listOf (either str rootFile);
type = listOf str;
default = [ ];
};
homeFiles = mkOption {
# type = listOf (either str userFile);
type = listOf str;
default = [ ];
};
homeDirectories = mkOption {
# type = listOf (either str (submodule {
# options = {
# directory = mkOption {
# type = str;
# default = null;
# };
# method = mkOption {
# type = enum [ "bindfs" "symlink" ];
# default = "bindfs";
# };
# };
# }));
# type = listOf (either str userDir);
type = listOf str;
default = [ ];
};
@ -186,23 +98,6 @@ in {
};
};
# fileSystems."/" = lib.mkIf (config.deviceSpecific.devInfo.fileSystem != "zfs") {
# device = "none";
# options = [ "defaults" "size=2G" "mode=755" ];
# fsType = "tmpfs";
# };
# boot.initrd = lib.mkIf (config.deviceSpecific.devInfo.fileSystem != "zfs") {
# postMountCommands =
# assert config.fileSystems
# ? ${cfg.persistRoot}
# && config.fileSystems.${cfg.persistRoot}.neededForBoot; ''
# mkdir -p /mnt-root/nix
# mount --bind /mnt-root${cfg.persistRoot}/nix /mnt-root/nix
# chmod 755 /mnt-root
# '';
# };
systemd.services.persist-cache-cleanup = lib.mkIf cfg.cache.clean.enable {
description = "Cleaning up cache files and directories";
script = ''


@ -5,7 +5,7 @@ with lib;
description = mdDoc ''
Periodic backups of postgresql database to create with Rustic.
'';
type = types.attrsOf (types.submodule ({ config, name, ... }: {
type = types.attrsOf (types.submodule ({ name, ... }: {
options = {
dbName = mkOption {
type = types.str;


@ -7,7 +7,7 @@ in {
description = mdDoc ''
Sync buckets beetween two storages.
'';
type = types.attrsOf (types.submodule ({ config, name, ... }: {
type = types.attrsOf (types.submodule ({ ... }: {
options = {
rcloneConfigFile = mkOption {
type = with types; nullOr path;


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, lib, ... }:
with lib;
let cfg = config.programs.steam;
in {


@ -1,7 +1,5 @@
{ config, lib, pkgs, ... }:
with lib;
with types; {
{ lib, ... }: {
options = {
mainuser = mkOption { type = str; };
mainuser = lib.mkOption { type = lib.types.str; };
};
}
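Review bot: `mainuser` is still declared as a bare `lib.types.str` with no `description`, although profiles across this repository interpolate it into attribute paths such as `home-manager.users.${config.mainuser}`. A `description` would make the option self-documenting, e.g. `description = "Login name of the primary interactive user.";`. Because the value is used as an account name, a stricter type such as `lib.types.passwdEntry lib.types.str` (if the pinned nixpkgs provides it) would reject values containing `:` or a newline at evaluation time instead of letting them reach generated configuration.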

View File

@ -1,314 +0,0 @@
diff --git a/pkgs/by-name/au/authentik/ldap.nix b/pkgs/by-name/au/authentik/ldap.nix
new file mode 100644
index 000000000000..7945c3021dfd
--- /dev/null
+++ b/pkgs/by-name/au/authentik/ldap.nix
@@ -0,0 +1,18 @@
+{ lib, buildGoModule, authentik }:
+
+buildGoModule {
+ pname = "authentik-ldap-outpost";
+ inherit (authentik) version src;
+
+ vendorHash = "sha256-8F9emmQmbe7R+xtGrjV5ht0adGasU6WAvLa8Wxr+j8M=";
+
+ CGO_ENABLED = 0;
+
+ subPackages = [ "cmd/ldap" ];
+
+ meta = authentik.meta // {
+ description = "The authentik ldap outpost. Needed for the extendal ldap API.";
+ homepage = "https://goauthentik.io/docs/providers/ldap/";
+ mainProgram = "ldap";
+ };
+}
diff --git a/pkgs/by-name/au/authentik/outposts.nix b/pkgs/by-name/au/authentik/outposts.nix
new file mode 100644
index 000000000000..05649628b3e8
--- /dev/null
+++ b/pkgs/by-name/au/authentik/outposts.nix
@@ -0,0 +1,5 @@
+{ callPackage }:
+
+{
+ ldap = callPackage ./ldap.nix { };
+}
diff --git a/pkgs/by-name/au/authentik/package.nix b/pkgs/by-name/au/authentik/package.nix
new file mode 100644
index 000000000000..8fca47e7ec28
--- /dev/null
+++ b/pkgs/by-name/au/authentik/package.nix
@@ -0,0 +1,248 @@
+{ lib
+, stdenvNoCC
+, fetchFromGitHub
+, buildNpmPackage
+, buildGoModule
+, runCommand
+, openapi-generator-cli
+, nodejs
+, python3
+, codespell
+, makeWrapper }:
+
+let
+ version = "2023.10.6";
+
+ src = fetchFromGitHub {
+ owner = "goauthentik";
+ repo = "authentik";
+ rev = "version/${version}";
+ hash = "sha256-N6FeNUlenbBQPAAUSqC+2GWFfte3G+Zfu5KGVJOqNZQ=";
+ };
+
+ website = buildNpmPackage {
+ pname = "authentik-website";
+ inherit version src;
+ npmDepsHash = "sha256-4dgFxEvMnp+35nSQNsEchtN1qoS5X2KzEbLPvMnyR+k=";
+
+ NODE_ENV = "production";
+ NODE_OPTIONS = "--openssl-legacy-provider";
+
+ postPatch = ''
+ cd website
+ '';
+
+ installPhase = ''
+ cp -r help $out
+ '';
+
+ npmInstallFlags = [ "--include=dev" ];
+ npmBuildScript = "build-docs-only";
+ };
+
+ clientapi = stdenvNoCC.mkDerivation {
+ pname = "authentik-client-api";
+ inherit version src;
+
+ postPatch = ''
+ rm Makefile
+
+ substituteInPlace ./scripts/api-ts-config.yaml \
+ --replace '/local' "$(pwd)/"
+ '';
+
+ nativeBuildInputs = [ openapi-generator-cli ];
+ buildPhase = ''
+ runHook preBuild
+ openapi-generator-cli generate -i ./schema.yml \
+ -g typescript-fetch -o $out \
+ -c ./scripts/api-ts-config.yaml \
+ --additional-properties=npmVersion=${nodejs.pkgs.npm.version} \
+ --git-repo-id authentik --git-user-id goauthentik
+ runHook postBuild
+ '';
+ };
+
+ webui = buildNpmPackage {
+ pname = "authentik-webui";
+ inherit version;
+
+ src = runCommand "authentik-webui-source" {} ''
+ mkdir -p $out/web/node_modules/@goauthentik/
+ cp -r ${src}/web $out/
+ ln -s ${src}/website $out/
+ ln -s ${clientapi} $out/web/node_modules/@goauthentik/api
+ '';
+ npmDepsHash = "sha256-5aCKlArtoEijGqeYiY3zoV0Qo7/Xt5hSXbmy2uYZpok=";
+
+ postPatch = ''
+ cd web
+ '';
+
+ installPhase = ''
+ runHook preInstall
+ mkdir $out
+ cp -r dist $out/dist
+ cp -r authentik $out/authentik
+ runHook postInstall
+ '';
+
+ NODE_ENV = "production";
+ NODE_OPTIONS = "--openssl-legacy-provider";
+
+ npmInstallFlags = [ "--include=dev" ];
+ };
+
+ python = python3.override {
+ self = python;
+ packageOverrides = final: prev: {
+ authentik-django = prev.buildPythonPackage {
+ pname = "authentik-django";
+ inherit version src;
+ pyproject = true;
+
+ postPatch = ''
+ substituteInPlace authentik/root/settings.py \
+ --replace 'Path(__file__).absolute().parent.parent.parent' "\"$out\""
+ substituteInPlace authentik/lib/default.yml \
+ --replace '/blueprints' "$out/blueprints"
+ sed -i '/dumb-init/d' pyproject.toml
+ sed -i '/djangorestframework-guardian/d' pyproject.toml
+ '';
+
+ nativeBuildInputs = [ prev.poetry-core ];
+ propagatedBuildInputs = with prev; [
+ argon2-cffi
+ celery
+ channels
+ channels-redis
+ colorama
+ dacite
+ daphne
+ deepmerge
+ defusedxml
+ django
+ django-filter
+ django-guardian
+ django-model-utils
+ django-prometheus
+ django-redis
+ djangorestframework
+ djangorestframework-guardian2
+ docker
+ drf-spectacular
+ duo-client
+ facebook-sdk
+ flower
+ geoip2
+ gunicorn
+ httptools
+ kubernetes
+ ldap3
+ lxml
+ opencontainers
+ packaging
+ paramiko
+ psycopg
+ pycryptodome
+ pydantic
+ pydantic-scim
+ pyjwt
+ pyyaml
+ requests-oauthlib
+ sentry-sdk
+ structlog
+ swagger-spec-validator
+ twilio
+ twisted
+ ua-parser
+ urllib3
+ uvicorn
+ uvloop
+ watchdog
+ webauthn
+ websockets
+ wsproto
+ xmlsec
+ zxcvbn
+ jsonpatch
+ ] ++ [
+ codespell
+ ];
+
+ postInstall = ''
+ mkdir -p $out/web $out/website
+ cp -r lifecycle manage.py $out/${prev.python.sitePackages}/
+ cp -r blueprints $out/
+ cp -r ${webui}/dist ${webui}/authentik $out/web/
+ cp -r ${website} $out/website/help
+ ln -s $out/${prev.python.sitePackages}/lifecycle $out/lifecycle
+ '';
+ };
+ };
+ };
+
+ inherit (python.pkgs) authentik-django;
+
+ proxy = buildGoModule {
+ pname = "authentik-proxy";
+ inherit version src;
+
+ postPatch = ''
+ substituteInPlace internal/gounicorn/gounicorn.go \
+ --replace './lifecycle' "${authentik-django}/lifecycle"
+ substituteInPlace web/static.go \
+ --replace './web' "${authentik-django}/web"
+ substituteInPlace internal/web/static.go \
+ --replace './web' "${authentik-django}/web"
+ '';
+
+ CGO_ENABLED = 0;
+
+ vendorHash = "sha256-8F9emmQmbe7R+xtGrjV5ht0adGasU6WAvLa8Wxr+j8M=";
+
+ postInstall = ''
+ mv $out/bin/server $out/bin/authentik
+ '';
+
+ subPackages = [ "cmd/server" ];
+ };
+
+in stdenvNoCC.mkDerivation {
+ pname = "authentik";
+ inherit src version;
+
+ postPatch = ''
+ rm Makefile
+ patchShebangs lifecycle/ak
+
+ # This causes issues in systemd services
+ substituteInPlace lifecycle/ak \
+ --replace 'printf' '>&2 printf' \
+ --replace '> /dev/stderr' ""
+ '';
+
+ installPhase = ''
+ runHook preInstall
+ mkdir -p $out/bin
+ cp -r lifecycle/ak $out/bin/
+
+ wrapProgram $out/bin/ak \
+ --prefix PATH : ${lib.makeBinPath [ (python.withPackages (ps: [ps.authentik-django])) proxy ]} \
+ --set TMPDIR /dev/shm \
+ --set PYTHONDONTWRITEBYTECODE 1 \
+ --set PYTHONUNBUFFERED 1
+ runHook postInstall
+ '';
+
+ nativeBuildInputs = [ makeWrapper ];
+
+ meta = with lib; {
+ description = "The authentication glue you need";
+ changelog = "https://github.com/goauthentik/authentik/releases/tag/version%2F${version}";
+ homepage = "https://goauthentik.io/";
+ license = licenses.mit;
+ maintainers = with maintainers; [ jvanbruegge ];
+ mainProgram = "ak";
+ };
+}
diff --git a/pkgs/tools/networking/openapi-generator-cli/default.nix b/pkgs/tools/networking/openapi-generator-cli/default.nix
index 2edba9a26eb6..fed141f9c1e1 100644
--- a/pkgs/tools/networking/openapi-generator-cli/default.nix
+++ b/pkgs/tools/networking/openapi-generator-cli/default.nix
@@ -33,6 +33,7 @@ let this = stdenv.mkDerivation rec {
homepage = "https://github.com/OpenAPITools/openapi-generator";
changelog = "https://github.com/OpenAPITools/openapi-generator/releases/tag/v${version}";
sourceProvenance = with sourceTypes; [ binaryBytecode ];
+ mainProgram = "openapi-generator-cli";
license = licenses.asl20;
maintainers = with maintainers; [ shou ];
};
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e0ca2d741d53..20687cbb509a 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -3374,6 +3374,8 @@ with pkgs;
authelia = callPackage ../servers/authelia { };
+ authentik-outposts = recurseIntoAttrs (callPackages ../by-name/au/authentik/outposts.nix { });
+
autoflake = with python3.pkgs; toPythonApplication autoflake;
autospotting = callPackage ../applications/misc/autospotting { };


@ -1,13 +0,0 @@
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index 4ff941251c99..32c9d8ae046c 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -854,7 +854,7 @@ in
BridgeRelay = true;
ExtORPort.port = mkDefault "auto";
ServerTransportPlugin.transports = mkDefault ["obfs4"];
- ServerTransportPlugin.exec = mkDefault "${pkgs.obfs4}/bin/obfs4proxy managed";
+ ServerTransportPlugin.exec = mkDefault "${lib.getExe pkgs.obfs4} managed";
} // optionalAttrs (cfg.relay.role == "private-bridge") {
ExtraInfoStatistics = false;
PublishServerDescriptor = false;


@ -1,28 +0,0 @@
diff --git a/nixos/modules/services/networking/webhook.nix b/nixos/modules/services/networking/webhook.nix
index 2a78491941c..9e3c816021f 100644
--- a/nixos/modules/services/networking/webhook.nix
+++ b/nixos/modules/services/networking/webhook.nix
@@ -158,6 +158,11 @@ in {
default = {};
description = mdDoc "Extra environment variables passed to webhook.";
};
+ environmentFiles = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = mdDoc "Extra environment variables from files passed to webhook.";
+ };
};
};
@@ -201,7 +206,11 @@ in {
++ optional cfg.enableTemplates "-template"
++ optional cfg.verbose "-verbose"
++ cfg.extraArgs;
+ envFiles = concatMapStringsSep "\n" (envFile: "source " + envFile) cfg.environmentFiles;
in ''
+ set -a
+ ${envFiles}
+ set +a
${cfg.package}/bin/webhook ${escapeShellArgs args}
'';
serviceConfig = {


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
{ config, pkgs, ... }: {
defaultApplications = {
fm = {
cmd = "${pkgs.pcmanfm}/bin/pcmanfm";
@ -50,7 +50,7 @@
enable = true;
defaultApplications =
with config.defaultApplications;
builtins.mapAttrs (name: value:
builtins.mapAttrs (_name: value:
if value ? desktop then [ "${value.desktop}.desktop" ] else value) {
"text/html" = browser;
"inode/directory" = fm;


@ -1,83 +0,0 @@
{ pkgs, lib, config, ... }:
let
thm = config.lib.base16.theme;
in
with config.deviceSpecific;
{
# defaultApplications.term = lib.mkIf (isDesktop) {
# cmd = "${pkgs.alacritty}/bin/alacritty";
# desktop = "alacritty";
# };
home-manager.users.${config.mainuser} = {
programs.alacritty = {
# enable = isDesktop;
enable = false;
settings = {
font = {
normal = {
family = "${thm.fonts.mono.family}";
style = "Regular";
};
bold = {
family = "${thm.fonts.mono.family}";
style = "Bold";
};
italic = {
family = "${thm.fonts.mono.family}";
style = "Italic";
};
bold_italic = {
family = "${thm.fonts.mono.family}";
style = "Bold Italic";
};
size = thm.fontSizes.small.int;
};
window.padding = {
x = 2;
y = 2;
};
shell.program = "${pkgs.zsh}/bin/zsh";
cursor.style = "Beam";
colors = {
primary = {
background = "#${thm.base00-hex}";
foreground = "#${thm.base05-hex}";
};
cursor = {
text = "#${thm.base02-hex}";
cursor = "#${thm.base00-hex}";
};
normal = {
black = "#${thm.base00-hex}";
red = "#${thm.base08-hex}";
green = "#${thm.base0B-hex}";
yellow = "#${thm.base0A-hex}";
blue = "#${thm.base0D-hex}";
magenta = "#${thm.base0E-hex}";
cyan = "#${thm.base0C-hex}";
white = "#${thm.base05-hex}";
};
bright = {
black = "#${thm.base03-hex}";
red = "#${thm.base09-hex}";
green = "#${thm.base01-hex}";
yellow = "#${thm.base02-hex}";
blue = "#${thm.base04-hex}";
magenta = "#${thm.base06-hex}";
cyan = "#${thm.base0F-hex}";
white = "#${thm.base07-hex}";
};
draw_bold_text_with_bright_colors = "false";
};
env = {
WINIT_X11_SCALE_FACTOR = "1.0";
};
};
};
};
}


@ -1,14 +1,7 @@
{ config, pkgs, lib, ... }: {
{ config, pkgs, ... }: {
home-manager.users.${config.mainuser} = {
home.packages = [
pkgs.cassowary-py
];
# xdg.configFile."casualrdh/config.json".text = toJson ''
# '';
# xdg.desktopEntries
home.packages = [ pkgs.cassowary-py ];
};
persist.state.homeDirectories = [
".config/casualrdh"
];


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
{ config, pkgs, ... }: {
home-manager.users.${config.mainuser}.home.packages = [
pkgs.element-desktop
];


@ -1,67 +1,8 @@
{ config, pkgs, lib, ... }: {
{ config, pkgs, ... }: {
home-manager.users.${config.mainuser} = {
home.packages = [
# pkgs.himalaya
pkgs.gnome.geary
];
# xdg.configFile."himalaya/config.toml".text = ''
# downloads-dir = "/home/${config.mainuser}/Downloads/mail"
# name = "Dmitriy Kholkin"
# signature = "Regards,"
# # email-reading-verify-cmd
# # email-reading-decrypt-cmd
# # email-writing-sign-cmd
# # email-writing-encrypt-cmd
# # notify-cmd
# # notify-query
# # sync
# [ataraxiadev]
# default = true
# email = "ataraxiadev@ataraxiadev.com"
# backend = "imap"
# imap-host = "mail.ataraxiadev.com"
# imap-port = 993
# imap-login = "ataraxiadev@ataraxiadev.com"
# imap-passwd-cmd = "${pkgs.pass}/bin/pass show email/ataraxiadev@ataraxiadev.com"
# imap-ssl = true
# imap-starttls = false
# imap-insecure = false
# sender = "smtp"
# smtp-host = "mail.ataraxiadev.com"
# smtp-port = 465
# smtp-login = "ataraxiadev@ataraxiadev.com"
# smtp-passwd-cmd = "${pkgs.pass}/bin/pass show email/ataraxiadev@ataraxiadev.com"
# smtp-ssl = true
# smtp-starttls = false
# smtp-insecure = false
# '';
home.packages = [ pkgs.gnome.geary ];
};
# systemd.user.services.himalaya-notify = {
# description = "Himalaya new messages notifier";
# after = [ "network.target" ];
# wantedBy = [ "default.target" ];
# script = "himalaya notify";
# environment = {
# PASSWORD_STORE_DIR = config.secretsConfig.password-store;
# GNUPGHOME = config.secretsConfig.gnupgHome;
# };
# # script = "echo $(pass show email/ataraxiadev@ataraxiadev.com) || echo lol";
# path = with pkgs; [ himalaya libnotify pass gnupg ];
# serviceConfig = {
# Restart = lib.mkForce "no";
# # Restart = "always";
# RestartSec = 10;
# # Type = "oneshot";
# };
# };
defaultApplications.mail = {
cmd = "${pkgs.gnome.geary}/bin/geary";
desktop = "geary";
@ -72,7 +13,6 @@
];
persist.state.homeDirectories = [
".config/himalaya"
".config/geary"
".local/share/geary"
];


@ -3,8 +3,7 @@ with lib;
let
thm = config.lib.base16.theme;
fonts = config.lib.base16.theme.fonts;
profileName = config.mainuser;
homeDir = config.home-manager.users.${profileName}.home.homeDirectory;
homeDir = config.home-manager.users.${config.mainuser}.home.homeDirectory;
mkUserJs = { prefs ? {}, extraPrefs ? "" }: ''
${extraPrefs}
@ -12,10 +11,8 @@ let
user_pref("${name}", ${builtins.toJSON value});
'') prefs)}
'';
in {
services.dbus.packages = [ pkgs.firefox-wayland ];
services.dbus.packages = [ pkgs.firefox ];
environment.sessionVariables = {
MOZ_USE_XINPUT2 = "1";


@ -1,4 +1,4 @@
{ inputs, config, lib, pkgs, ... }: {
{ inputs, lib, ... }: {
imports = [ inputs.aagl.nixosModules.default ];
nix.settings = inputs.aagl.nixConfig;


@ -1,4 +1,4 @@
{ pkgs, lib, config, ... }: {
{ pkgs, ... }: {
programs.steam.enable = true;
programs.steam.extraCompatPackages = [
pkgs.proton-ge
@ -6,29 +6,13 @@
programs.gamescope.enable = true;
programs.gamescope.capSysNice = false;
# startupApplications = [ "steam" ];
startupApplications = let
gs = pkgs.writeShellScriptBin "gamescope-steam" ''
gamescope --steam --borderless -- steam
'';
in [
# "${gs}/bin/gamescope-steam"
"${pkgs.steam}/bin/steam"
];
systemd.user.services.x11-ownership = {
script = ''
doas chown ${config.mainuser} /tmp/.X11-unix
'';
after = [ "hyprland-session.target" ];
wantedBy = [ "hyprland-session.target" ];
};
startupApplications = [ "${pkgs.steam}/bin/steam" ];
persist.state.homeDirectories = [
".local/share/Steam"
".steam"
] ++ [
# Games configs
# Native games config
".config/WarThunder"
".local/share/BeamNG.drive"
];


@ -1,13 +1,10 @@
{ pkgs, lib, config, ... }: {
{ pkgs, config, ... }: {
home-manager.users.${config.mainuser}.home.packages = [
# pkgs.lutris
pkgs.bottles
pkgs.osu-lazer-bin
pkgs.realrtcw
];
persist.state.homeDirectories = [
# ".config/lutris"
# ".local/share/lutris"
".local/share/bottles"
".local/share/osu"
];


@ -1,7 +1,7 @@
{ pkgs, lib, config, ... }:
{ pkgs, config, ... }:
let
thm = config.lib.base16.theme;
in with config.deviceSpecific;
in
{
defaultApplications.term = {
cmd = "${pkgs.kitty}/bin/kitty";
@ -11,8 +11,6 @@ in with config.deviceSpecific;
programs.kitty = {
enable = true;
font.name = "${thm.fonts.mono.family} ${thm.fontSizes.small.str}";
# keybindings = ''
# '';
settings = {
foreground = "#${thm.base05-hex}";
background = "#${thm.base00-hex}";


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, ... }:
{
home-manager.users.${config.mainuser} = {
programs.mpv = {


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: {
{ config, pkgs, ... }: {
home-manager.users.${config.mainuser} = {
home.packages = [ pkgs.nicotine-plus ];
};


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
{ config, pkgs, ... }: {
home-manager.users.${config.mainuser} = {
programs.nnn = {
enable = true;


@ -1,4 +1,4 @@
{ pkgs, config, lib, inputs, ... }:
{ pkgs, config, lib, ... }:
with config.deviceSpecific; {
programs.adb.enable = true;
@ -8,6 +8,8 @@ with config.deviceSpecific; {
bat
comma
curl
curlie
duf
eza
fd
glib.out
@ -16,8 +18,10 @@ with config.deviceSpecific; {
lm_sensors
lnav
nix-prefetch-git
nix-prefetch-github
p7zip
pciutils
rclone
ripgrep
ripgrep-all
sd
@ -26,7 +30,6 @@ with config.deviceSpecific; {
unrar
unzip
usbutils
wget
zip
# --- tui ---
bottom
@ -34,47 +37,37 @@ with config.deviceSpecific; {
ncdu
procs
# --- gui ---
deadbeef
feh
qimgv
xarchiver
zathura
xdg-utils
# --- awesome-shell ---
# curlie
# duf
# zsh-z
] ++ lib.optionals (!(isVM || isISO)) [
a2ln
# audacity
cachix
ffmpeg.bin
monero-gui
nodePackages.peerflix
nix-tree
yt-dlp
# ---- gui ----
bitwarden
# foliate
jellyfin-media-player
jellyfin-mpv-shim
joplin-desktop
# libreoffice
obs-studio
obs-studio-plugins.obs-vkcapture
obsidian
onlyoffice-bin_7_5
pinta
qbittorrent
sonixd
tdesktop
tidal-dl
tor-browser-bundle-bin
ungoogled-chromium
webcord-vencord
youtube-to-mpv
] ++ lib.optionals isGaming [
ceserver
gamescope
moonlight-qt
protonhax
protontricks
vkBasalt
@ -86,24 +79,24 @@ with config.deviceSpecific; {
persist.state.homeDirectories = [
".config/Bitwarden"
".config/chromium"
".config/deadbeef"
".config/jellyfin-mpv-shim"
".config/jellyfin.org"
".config/joplin-desktop"
".config/kdeconnect"
".config/libreoffice"
".config/monero-project"
".config/obs-studio"
".config/obsidian"
".config/pcmanfm"
# ".config/Pinta"
".config/Pinta"
".config/qBittorrent"
# ".config/qimgv"
".config/qimgv"
".config/rclone"
".config/Sonixd"
# ".config/xarchiver"
".local/share/jellyfinmediaplayer"
".config/WebCord"
".config/xarchiver"
".local/share/TelegramDesktop"
".local/share/tor-browser"
".android"
".anydesk"
".bitmonero"
".monero"
];
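Review bot: `tor-browser-bundle-bin` sits in the plain package list here, while the profile deleted elsewhere in this commit installed it through a `mullvad-exclude` wrapper whenever `config.deviceSpecific.vpn.mullvad.enable` was set. The +/- markers are lost on this page, so whether this entry is new is inferred; if it replaces that profile, hosts with Mullvad enabled now start the browser without the wrapper, which changes how its traffic is routed relative to the VPN tunnel. If that is intended, record it next to the entry, e.g. `# no mullvad-exclude wrapper: Tor Browser follows the system VPN routing`; otherwise keep the conditional from the deleted profile (`vpn.mullvad.enable` is already in scope through `with config.deviceSpecific;`).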


@ -1,9 +0,0 @@
{ config, pkgs, lib, ... }: {
home-manager.users.${config.mainuser}.home.packages = [
pkgs.rclone
];
persist.state.homeDirectories = [
".config/rclone"
];
}


@ -1,4 +1,4 @@
{ pkgs, config, lib, ... }:
{ pkgs, config, ... }:
let
thm = config.lib.base16.theme;
themeFile = config.lib.base16.templateFile { name = "rofi"; };


@ -1,12 +1,12 @@
{ config, lib, pkgs, ... }: {
{ config, pkgs, ... }: {
home-manager.users.${config.mainuser}.home.packages = with pkgs; [
spotifywm
];
startupApplications = [
"${pkgs.spotifywm}/bin/spotify"
];
persist.state.homeDirectories = [
".config/spotify"
];


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: {
{ config, pkgs, ... }: {
boot.kernelModules = [ "uinput" ];
services.udev.extraRules = ''
@ -23,12 +23,8 @@
};
networking.firewall = {
allowedTCPPorts = [
47984 47989 47990 48010
];
allowedUDPPorts = [
47998 47999 48000 48002 48010
];
allowedTCPPorts = [ 47984 47989 47990 48010 ];
allowedUDPPorts = [ 47998 47999 48000 48002 48010 ];
};
persist.state.homeDirectories = [ ".config/sunshine" ];


@ -1,14 +0,0 @@
{ config, pkgs, lib, ... }:
let
tor-browser = pkgs.writeShellScriptBin "tor-browser" ''
mullvad-exclude ${pkgs.tor-browser-bundle-bin}/bin/tor-browser
'';
in {
home-manager.users.${config.mainuser}.home.packages = if config.deviceSpecific.vpn.mullvad.enable then [
tor-browser
] else [
pkgs.tor-browser-bundle-bin
];
persist.state.homeDirectories = [ ".local/share/tor-browser" ];
}


@ -177,24 +177,5 @@ in
];
};
};
home.file.".cache/wal/colors".text = ''
#${thm.base00-hex}
#${thm.base08-hex}
#${thm.base0B-hex}
#${thm.base0A-hex}
#${thm.base0D-hex}
#${thm.base0E-hex}
#${thm.base0C-hex}
#${thm.base05-hex}
#${thm.base03-hex}
#${thm.base08-hex}
#${thm.base0B-hex}
#${thm.base0A-hex}
#${thm.base0D-hex}
#${thm.base0E-hex}
#${thm.base0C-hex}
#${thm.base07-hex}
'';
};
}


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, lib, ... }:
let
home = config.home-manager.users.${config.mainuser};
zathura-pkg = home.programs.zathura.package;


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
{ config, lib, ... }: {
config = lib.mkIf (!config.deviceSpecific.isServer) {
services.blueman.enable = true;
hardware.bluetooth = {


@ -1,4 +1,4 @@
{ modulesPath, config, pkgs, lib, ... }: {
{ modulesPath, config, lib, ... }: {
imports = [
(modulesPath + "/profiles/hardened.nix")
];
@ -91,7 +91,7 @@
# dhcpcd broken with scudo or graphene malloc
nixpkgs.overlays = lib.optionals (config.environment.memoryAllocator.provider != "libc") [
(final: prev: {
(_final: prev: {
dhcpcd = prev.dhcpcd.override { enablePrivSep = false; };
})
];


@ -1,4 +1,4 @@
{ pkgs, config, lib, ... }:
{ pkgs, config, ... }:
with config.deviceSpecific; {
hardware.cpu.${devInfo.cpu.vendor}.updateMicrocode = true;


@ -1,4 +1,4 @@
{ pkgs, lib, config, ... }:
{ lib, config, ... }:
{
networking = {
networkmanager.enable = true;


@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, ... }: {
{ config, lib, inputs, ... }: {
nix = {
nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ];


@ -1,23 +0,0 @@
From 012a913fbc861029a0f4b100cfd57d3b505a455f Mon Sep 17 00:00:00 2001
From: ForeverNooob <106961997+ForeverNooob@users.noreply.github.com>
Date: Sun, 30 Oct 2022 08:13:19 +0000
Subject: [PATCH] Add doas support to the installation script.
Previously the install errored out and told you to manually add `/nix/` and set the perms if you had `doas` installed instead of `sudo`. Well, not any more!
---
scripts/install-nix-from-closure.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/install-nix-from-closure.sh b/scripts/install-nix-from-closure.sh
index d4eed2efe80..d8931e97015 100644
--- a/scripts/install-nix-from-closure.sh
+++ b/scripts/install-nix-from-closure.sh
@@ -137,7 +137,7 @@ echo "performing a single-user installation of Nix..." >&2
if ! [ -e "$dest" ]; then
cmd="mkdir -m 0755 $dest && chown $USER $dest"
echo "directory $dest does not exist; creating it by running '$cmd' using sudo" >&2
- if ! sudo sh -c "$cmd"; then
+ if ! (sudo sh -c "$cmd" || doas sh -c "$cmd") ; then
echo "$0: please manually run '$cmd' as root to create $dest" >&2
exit 1
fi


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
{ config, pkgs, ... }: {
environment.systemPackages = [ pkgs.pass-secret-service ];
services.dbus.packages = [ pkgs.pass-secret-service ];
xdg.portal.extraPortals = [ pkgs.pass-secret-service ];


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
{ config, pkgs, ... }: {
security.apparmor.enable = true;
programs.firejail.enable = true;


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
{ config, lib, ... }: {
# FIXME: completely remove sudo
security.sudo = {
enable = true;


@ -1,4 +1,4 @@
{ config, ... }: {
{ ... }: {
security.acme = {
acceptTerms = true;
# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # staging


@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, ... }: {
{ config, lib, inputs, ... }: {
imports = [ inputs.attic.nixosModules.atticd ];
sops.secrets.atticd.sopsFile = inputs.self.secretsDir + /home-hypervisor/atticd.yaml;
sops.secrets.atticd.restartUnits = [ "atticd.service" ];


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: {
{ ... }: {
virtualisation.oci-containers.containers.battery-historian = {
autoStart = true;
ports = [ "0.0.0.0:9999:9999" ];


@ -1,4 +1,4 @@
{ config, pkgs, dnsmasq-list ? [], ... }:
{ dnsmasq-list ? [], ... }:
let
nodeAddress = "192.168.0.5";
upstream-dns = "100.64.0.1";
@ -17,7 +17,7 @@ in {
localAddress = "${nodeAddress}/24";
tmpfs = [ "/" ];
bindMounts."/tmp/blocky-authkey".hostPath = "/tmp/blocky-authkey";
config = { config, pkgs, lib, ... }:
config = { config, lib, ... }:
let
grafanaPort = config.services.grafana.settings.server.http_port;
blockyPort = config.services.blocky.settings.ports.dns;


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
{ config, ... }: {
services.openssh.settings.LogLevel = "VERBOSE";
services.fail2ban = {


@ -17,8 +17,6 @@ let
in {
sops.secrets.gitea = gitea-secret;
sops.secrets.gitea-mailer = gitea-secret;
# sops.secrets.gitea-secretkey = gitea-secret;
# sops.secrets.gitea-internaltoken = gitea-secret;
sops.secrets.gitea-runner-hypervisor = runner-secret [ "gitea-runner-hypervisor.service" ];
persist.state.directories = [


@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, headscale-list ? {}, ... }:
{ config, lib, inputs, headscale-list ? {}, ... }:
let
domain = "wg.ataraxiadev.com";
in {


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: let
{ ... }: let
nas-path = "/media/nas/media-stack";
in {
virtualisation.oci-containers.containers.inpx-web = {


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: {
{ ... }: {
virtualisation.oci-containers.containers.it-tools = {
autoStart = true;
image = "docker.io/corentinth/it-tools:latest";


@ -1,60 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
let
joplin-data = "/srv/joplin/data";
joplin-db-data = "/srv/joplin/postgres";
joplin-uid = "1001";
backend = config.virtualisation.oci-containers.backend;
pod-name = "joplin-pod";
open-ports = [ "127.0.0.1:22300:22300/tcp" ];
in {
sops.secrets.joplin-env.sopsFile = inputs.self.secretsDir + /home-hypervisor/joplin.yaml;
sops.secrets.joplin-db-env.sopsFile = inputs.self.secretsDir + /home-hypervisor/joplin.yaml;
sops.secrets.joplin-env.restartUnits = [ "${backend}-joplin.service" ];
sops.secrets.joplin-db-env.restartUnits = [ "${backend}-joplin-db.service" ];
# FIXMEL mailer
virtualisation.oci-containers.containers = {
joplin = {
autoStart = true;
dependsOn = [ "joplin-db" ];
environment = { MAX_TIME_DRIFT = "0"; };
environmentFiles = [ config.sops.secrets.joplin-env.path ];
extraOptions = [ "--pod=${pod-name}" ];
image = "docker.io/ataraxiadev/joplin-server:2.9.17";
volumes = [
"${joplin-data}:/home/joplin/data"
"/etc/localtime:/etc/localtime:ro"
];
};
joplin-db = {
autoStart = true;
environmentFiles = [ config.sops.secrets.joplin-db-env.path ];
extraOptions = [ "--pod=${pod-name}" ];
image = "docker.io/postgres:13";
volumes = [ "${joplin-db-data}:/var/lib/postgresql/data" ];
};
};
systemd.tmpfiles.rules = [
"d ${joplin-data} 0755 ${joplin-uid} ${joplin-uid} -"
"d ${joplin-db-data} 0700 dhcpcd dhcpcd -"
];
systemd.services."podman-create-${pod-name}" = let
portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
start = pkgs.writeShellScript "create-pod-${pod-name}" ''
podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping}
'';
stop = "podman pod rm -i -f ${pod-name}";
in rec {
path = [ pkgs.coreutils config.virtualisation.podman.package ];
before = [ "${backend}-joplin.service" "${backend}-joplin-db.service" ];
requiredBy = before;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStart = start;
ExecStop = stop;
};
};
}


@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
{ pkgs, ... }:
let
backend = config.virtualisation.oci-containers.backend;
nas-path = "/media/nas/media-stack";
caddyconf = pkgs.writeText "Caddyfile" ''
{


@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
{ ... }:
let
backend = config.virtualisation.oci-containers.backend;
nas-path = "/media/nas/media-stack";
in {
virtualisation.oci-containers.containers.jackett = {


@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
{ config, ... }:
let
backend = config.virtualisation.oci-containers.backend;
nas-path = "/media/nas/media-stack";
renderGid = toString config.users.groups.render.gid;
videoGid = toString config.users.groups.video.gid;


@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
{ ... }:
let
backend = config.virtualisation.oci-containers.backend;
nas-path = "/media/nas/media-stack";
in {
virtualisation.oci-containers.containers.lidarr = {


@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
{ ... }:
let
backend = config.virtualisation.oci-containers.backend;
nas-path = "/media/nas/media-stack";
in {
virtualisation.oci-containers.containers.medusa = {


@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
{ ... }:
let
backend = config.virtualisation.oci-containers.backend;
nas-path = "/media/nas/media-stack";
in {
virtualisation.oci-containers.containers.qbittorrent = {


@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
{ ... }:
let
backend = config.virtualisation.oci-containers.backend;
nas-path = "/media/nas/media-stack";
in {
virtualisation.oci-containers.containers.radarr = {


@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
{ ... }:
let
backend = config.virtualisation.oci-containers.backend;
nas-path = "/media/nas/media-stack";
in {
virtualisation.oci-containers.containers.recyclarr = {


@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
{ ... }:
let
backend = config.virtualisation.oci-containers.backend;
nas-path = "/media/nas/media-stack";
in {
virtualisation.oci-containers.containers.sonarr = {


@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, ... }:
{ config, pkgs, inputs, ... }:
let
authentik = { proxyPass ? null, proxyWebsockets ? false, root ? {}, rootExtraConfig ? "", locations ? {}, extraConfig ? "", ... }: {
extraConfig = ''


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ ... }:
let
nas-path = "/media/nas/media-stack";
in {


@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: let
{ ... }: let
nas-path = "/media/nas/media-stack";
in {
virtualisation.oci-containers.containers.spdf = {


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
{ ... }: {
containers.tinyproxy = {
extraFlags = [ "-U" ];
autoStart = true;
@ -6,8 +6,7 @@
privateNetwork = true;
hostBridge = "br0";
localAddress = "192.168.0.6/24";
# tmpfs = [ "/" ]; # not working with unprivilliged container
config = { config, pkgs, ... }: {
config = { ... }: {
services.privoxy = {
enable = true;
settings = {
@ -22,7 +21,6 @@
defaultGateway = "192.168.0.1";
hostName = "tinyproxy-node";
nameservers = [ "192.168.0.1" ];
# enableIPv6 = false;
useHostResolvConf = false;
firewall = {
enable = true;


@ -11,7 +11,6 @@
extendedLogging = true;
invitationsAllowed = false;
useSyslog = true;
# logFile = "/var/log/vaultwarden.log";
logLevel = "warn";
rocketAddress = "127.0.0.1";
rocketPort = 8812;
@ -29,7 +28,6 @@
websocketEnabled = true;
websocketPort = 3012;
webVaultEnabled = true;
# rocketWorkers = 10;
dataDir = "/var/lib/bitwarden_rs";
};
environmentFile = config.sops.secrets.vaultwarden.path;


@ -1,4 +1,5 @@
{ pkgs, ... }: {
{ pkgs, inputs, ... }: {
imports = [ inputs.vscode-server.nixosModule ];
services.vscode-server = {
enable = true;
nodejsPackage = pkgs.nodejs_18;


@ -23,14 +23,12 @@ in {
home = "/var/lib/webhook";
};
systemd.services.webhook.serviceConfig.EnvironmentFile = config.sops.secrets.webhook-blog.path;
services.webhook = {
enable = true;
port = 9510;
group = "webhook";
user = "webhook";
environmentFiles = [
config.sops.secrets.webhook-blog.path
];
hooksTemplated = {
publish-ataraxiadev-blog = ''
{
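Review bot: The `systemd.services.webhook.serviceConfig.EnvironmentFile = config.sops.secrets.webhook-blog.path;` line overrides the unit directly, and nothing in the hunk says why the module-level `environmentFiles` list was dropped in its favour. A one-line comment above it would keep a later cleanup from reverting the change, e.g. `# secret env for the hooks is injected by systemd; keep the values out of hooksTemplated`. Nothing visible here ties the `webhook-blog` secret to the unit, so it is worth confirming that its declaration sets `restartUnits = [ "webhook.service" ];` so that a rotated secret is actually picked up. The `services.webhook` block and its `hooksTemplated` entry continue past the end of this hunk.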


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
{ ... }: {
services.kiwix-serve = {
enable = true;
port = 8190;


@ -1,6 +1,6 @@
{ config, lib, pkgs, inputs, ... }: {
{ pkgs, ... }: {
config.themes.base16 = with config.deviceSpecific.devInfo; {
config.themes.base16 = {
enable = true;
# customScheme = {
# enable = true;


@ -1,4 +1,4 @@
{ pkgs, lib, config, ... }:
{ lib, config, ... }:
let
isTailscale = config.deviceSpecific.vpn.tailscale.enable;
wg = config.deviceSpecific.vpn.wireguard;


@ -1,18 +1,17 @@
{ config, lib, pkgs, ... }:
{ config, ... }:
let
homeDir = config.home-manager.users.${config.mainuser}.home.homeDirectory;
in {
# TODO: enable websocket (--rpc-certificate)
services.aria2 = {
enable = true;
downloadDir = "/media/aria2";
rpcListenPort = 6800;
# FIXME: I can expose this, since i listen rpc only on localhost
# but in future it's better to implement read key from secrets before start daemon
rpcSecret = "secret";
# listenPortRange = {};
openPorts = false;
home-manager.users.${config.mainuser} = {
programs.aria2 = {
enable = true;
settings = {
dir = "${homeDir}/Downloads/aria2";
listen-port = "6881-6999";
rpc-listen-port = 6800;
};
};
};
# networking.firewall.allowedTCPPorts = [ config.services.aria2.rpcListenPort ];
persist.state.directories = [ "/media/aria2" ];
}
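Review bot: The `programs.aria2.settings` block sets `rpc-listen-port = 6800` while nothing visible sets `enable-rpc`, `rpc-listen-all` or `rpc-secret`, so the port is either dead configuration or RPC is enabled somewhere else without a token. If RPC is intended, say so in the block with `enable-rpc = true;` and `rpc-listen-all = false;`, and supply the token from a secret-managed file outside the Nix store, because home-manager renders `settings` into a store-backed config file that any local user can read. The hard-coded `rpcSecret = "secret"` appears to be on the removed side, which is the right direction. If `persist.state.directories = [ "/media/aria2" ];` survives on the new side it looks stale, since `dir` now points at `${homeDir}/Downloads/aria2`.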


@ -1,4 +1,4 @@
{ pkgs, lib, config, ... }:
{ lib, config, ... }:
let
thm = config.lib.base16.theme;
in {


@ -3,7 +3,7 @@ let
thm = config.lib.base16.theme;
in {
nixpkgs.overlays = [
(self: super: {
(_self: _super: {
generated-gtk-theme =
pkgs.callPackage "${inputs.rycee}/pkgs/materia-theme" {
configBase16 = {


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
{ config, pkgs, ... }: {
programs.light.enable = config.deviceSpecific.isLaptop;
services.actkbd = {
enable = config.deviceSpecific.isLaptop;


@ -1,4 +1,4 @@
{ pkgs, config, lib, ... }:
{ config, ... }:
let
en = "en_US.UTF-8";
ru = "ru_RU.UTF-8";


@ -1,4 +1,4 @@
{ pkgs, lib, config, ... }:
{ lib, config, ... }:
with config.deviceSpecific; {
environment.sessionVariables =
@ -16,7 +16,7 @@ with config.deviceSpecific; {
services.upower.enable = isLaptop;
xdg.portal.enable = true;
xdg.portal.config.common.default = "*";
xdg.portal.xdgOpenUsePortal = true;
# xdg.portal.xdgOpenUsePortal = true;
home-manager.users.${config.mainuser} = {
news.display = "silent";


@ -1,4 +1,4 @@
{ pkgs, lib, config, ... }:
{ config, ... }:
with config.deviceSpecific; {
services.openssh = {
enable = true;


@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, ... }:
{ config, pkgs, ... }:
with config.deviceSpecific; {
home-manager.users.${config.mainuser}.programs.waybar = {
enable = true;


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, lib, ... }:
let
dirsToClean = [
"Downloads"


@ -1,4 +1,4 @@
{ pkgs, config, inputs, ... }: {
{ pkgs, config, ... }: {
environment.pathsToLink = [ "/share/zsh" ];
environment.sessionVariables.SHELL = "${pkgs.zsh}/bin/zsh";


@ -9,7 +9,6 @@
themes
virtualisation
alacritty
corectrl
element
email
@ -19,11 +18,9 @@
mangohud
mpv
packages
rclone
rofi
spotify
steam
tor-browser
vscode
waydroid
zathura


@ -1,4 +1,4 @@
{ inputs, pkgs, ... }: {
{ inputs, ... }: {
imports = with inputs.self.customProfiles; [
inputs.home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;


@ -1,16 +0,0 @@
SUDO_USERNAME=ENC[AES256_GCM,data:4QMSmmaPB10=,iv:KveMQ+EdfltGzQRRA+cm1MaRlsLypOhlWHdCumHLQS4=,tag:v30WjSutCxO9LDv3wFZHMA==,type:str]
SUDO_PASSWORD=ENC[AES256_GCM,data:IPJGUQiB6jMObUsUdw==,iv:N9cw9aGkmgIYmmrNkQYQ5PFdrmYKC8Tdgr4yb/96U5A=,tag:/yYIC/rKCttSgBBGvjCe2A==,type:str]
TELEGRAM_API_TOKEN=ENC[AES256_GCM,data:8PySjalQnpADCd+3Yt+Iax3DdGq6sxR0PHntgAzKpI+iXsB8TsMqsm6ElORoOw==,iv:y7tmr1jIs/JtMnBcEkGiCxrKkPcgUt6RBSq4GiKXNZ8=,tag:TcdxtPkO4Pvfcku72XCFIg==,type:str]
TELEGRAM_ADMIN_ID=ENC[AES256_GCM,data:nH/VUQNoRqwj,iv:AdBRZqyBVeze8SGn0pmxaBB8CWyo3D1TTaVx7NsEPHI=,tag:MyJwnQhuBCQ7XMS74TevRg==,type:str]
SQLALCHEMY_DATABASE_URL=ENC[AES256_GCM,data:bQJGB/c/pTuAPev2zxcLu1cNg2TmlHH9iY2kQH4qfqRwh/Fcjg==,iv:CeQZ8qcNLiVgtGI/4Egod6VaXamCfAKHi4jrgzXKl9Q=,tag:VX0J3r6RjnS5utJ/UDK1hQ==,type:str]
XRAY_JSON=ENC[AES256_GCM,data:28Wkv4CG4hpG9h51d2ge3AUO2MdVuRBjPuw1bxFwYqhT,iv:MooWqI5QCmk0JXWdKxA40UIFaaIxG3EakMQ1jBH8TVI=,tag:Fmnqdg9mvRVvm/0O7VNFGw==,type:str]
sops_lastmodified=2023-11-22T23:09:38Z
sops_mac=ENC[AES256_GCM,data:m9TLulK7igJtvtuu1Leag5Ky28qxKyELOKGTFZmX8O/VaVwu1EHC07awgf9HJjFlAcIWT6+fkRcnpwse6t4Thh//Yc4YIu8ryJjsRZBLezaR26SOWis41HR/uek/lSLLMMrdIyiU/5RX9i3/rhUjZwCDYzM1yg+rDsxfGIdERCM=,iv:+TXcgj9MsmQmZzYi4JKbgPVLcX0VLKtheq5/ckPRDcY=,tag:Ku+43ZiVCOeUxN3pimv7JQ==,type:str]
sops_pgp__list_0__map_created_at=2023-11-22T22:35:02Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQEMAwcagTG/Fm6AAQf9FyMBT+jm0pOjuw6aXQSv7Xc8ffKtXYAIUgKsHTTAnqfj\npoDoel7I1toENks/0flFxXjtzp6kBPPmb8aX+CelPv5orIyzMUdJbgZ2D6LINHTD\npW5DmGA7gkegk/gus4qMz+p/zxoJC0EBrr8eVbgIUMi3WVUtG1TofpeaKm+xf61r\nvVJLMn7dHxjmt3qe6RVBAD2bS/tTEUEfGubOWBLUrWq1MElnL0MLZy3936dmMJ5W\nLrurkBfJ7hCIIfJn/7VCBkY93Nk/NjZCF/EdYj2/Dgs0SOqIc5wXGC259/7HhVEJ\nlmBOKYWPzHp4c40AMHld3L3rJ0cOKenTBSfj8g7b1tJYAaB+dW//A/HaL8FrIpxx\nMjS1HyfsFfDM8D8Um+PCe4cktupMmlhuU898rOLwgAX90niRHvhm0IWbLISa1QDx\nPH4SjYB4NWIk5i1eunYm8jjMStNNbRABJg==\n=V9Pe\n-----END PGP MESSAGE-----
sops_pgp__list_0__map_fp=ad382d058c964607b7bbf01b071a8131bf166e80
sops_pgp__list_1__map_created_at=2023-11-22T22:35:02Z
sops_pgp__list_1__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMAyNex7x1cALKAQ//TN89prS2jIW3lvDFdOmFfNKSOo9oNqVJZPKbyRTG4gxL\ndwhPZnCoQd8Sg88TNexfgl/qkQJhU6k/dbx2/nebJXgkQz4GDpmNNVAHacH+A7Sv\n/ZPGDLMdivOF6JVIIBxjdj06KxRfyeTf3Cnb2JqaCjGc312POBOQMZBa/GvfQjC7\n8YhS6TqXu8+MhmWNP9bbTWE1kc7bNeH+1BzraZn5625OQN1kCNj2SEBaZPI1i/MS\nTQxHf0yfIES6lZ/NTB6H0xkxbwcKYbbY47o9dc5BG7uAKPGh9oBnAmH66XuSq260\nuWsRwfdfK8NOEy9nxSk2Yqfgatzx7WkNCEX6l6ztCbSDeruJ56X49vr+xLbw5NyX\n+rgvr1w85uiAzct8f/2QNBq/J0qjoinHvxbUUbLP3LkJzqOoxXV0YEqjx7LHMrEW\nCRn2oiLRZd5ElsbVvDGhpFAoMq2kYa2U3280YRQuH0zFGpUbhS8Q7FtyZOBuw2pz\nYNJwLwsRODNvCeeruYOzLF/ERfZteO7yzj0WWyGPvhIcIvz9mP6JgtDvR+0e15hi\nZ6zyzz5wvpBWEpQaVuNeXxHr4+UJe2iLZN1ATTCJW7dfJyKxBC1yimXPmrJJtQOI\nqUjqIiskgdph0DRPXwgE3sHKYEbUwHb2l1ospnN2AW3RRSyXYgvBo/N91ndazffS\nWAFwVCXJLn7n3BrM8CYozTHsrOHTtMMqRDHKZq2C8GHJMpPb3t6K07CIolmkjMHN\nivdG4dSds8uj4HYwFKlw1ZyMqZApSI/FnLoaOfw9Ur6xKI6U1Z2T2GU=\n=xUz4\n-----END PGP MESSAGE-----
sops_pgp__list_1__map_fp=d286fd9431753cb455537070235ec7bc757002ca
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1

File diff suppressed because one or more lines are too long