AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: AtaraxiaDev:da0daa174e4e4c5de36c3a720db18ba10181905b
Branches Tags
AtaraxiaDev:dev
AtaraxiaDev:master
..
compare: AtaraxiaDev:089cef5e37c222210e345e23d1a5c3af803394f5
Branches Tags
AtaraxiaDev:dev
AtaraxiaDev:master

No commits in common. "da0daa174e4e4c5de36c3a720db18ba10181905b" and "089cef5e37c222210e345e23d1a5c3af803394f5" have entirely different histories.
da0daa174e ... 089cef5e37

27 changed files with 361 additions and 1238 deletions
Show Stats Expand all files Collapse all files

872
flake.lock generated
View File

File diff suppressed because it is too large Load Diff

8
flake.nix
View File

@ -42,7 +42,6 @@
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
hyprland.url = "github:hyprwm/Hyprland";
impermanence.url = "github:nix-community/impermanence";
lix = {
url = "https://git.lix.systems/lix-project/lix/archive/main.tar.gz";
@ -53,10 +52,6 @@
inputs.nixpkgs.follows = "nixpkgs";
inputs.lix.follows = "lix";
};
lsfg-vk = {
url = "github:pabloaul/lsfg-vk-flake/main";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-index-database = {
url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
@ -65,7 +60,6 @@
url = "github:nix-community/nix-vscode-extensions";
inputs.nixpkgs.follows = "nixpkgs";
};
prismlauncher.url = "github:AtaraxiaSjel/PrismLauncher";
quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
sops-nix = {
url = "github:Mic92/sops-nix";
@ -255,7 +249,7 @@
hostname = "10.10.10.101";
};
redshift = {
hostname = "217.147.15.227";
hostname = "104.164.54.197";
fastConnection = false;
sshOpts = [
"-p"

32
hosts/andromedae/default.nix
View File

@ -8,16 +8,13 @@
let
inherit (lib) mkForce;
defaultUser = config.ataraxia.defaults.users.defaultUser;
hyprPkgs = inputs.hyprland.packages.${pkgs.hostPlatform.system};
in
{
imports = [
./hardware-configuration.nix
./boot.nix
./samba.nix
inputs.catppuccin.nixosModules.catppuccin
inputs.lsfg-vk.nixosModules.default
];
catppuccin.enable = true;
catppuccin.accent = "mauve";
@ -70,19 +67,17 @@ in
ataraxia.defaults.role = "desktop";
ataraxia.programs.lutris.enable = true;
ataraxia.programs.mangohud.enable = true;
ataraxia.programs.umu-launcher.enable = true;
ataraxia.services.modprobed-db.enable = true;
ataraxia.theme.catppuccin.enable = true;
wayland.windowManager.hyprland.settings = {
# TODO: Remove after flickering is fixed
# misc.vrr = lib.mkForce 0;
monitor = mkForce [
"DP-3,2560x1440@164.998993,0x0,1"
"HDMI-A-1,1920x1080@60,-1920x360,1"
",highres,auto,1"
];
env = {
WAYLANDDRV_PRIMARY_MONITOR = "DP-3";
};
exec-once = [
"${pkgs.xorg.xrandr}/bin/xrandr --output DP-3 --primary"
];
@ -90,7 +85,6 @@ in
home.packages = with pkgs; [
devenv
freerdp
llama-cpp
nh
nix-diff
@ -115,7 +109,7 @@ in
modprobed-db
# packwiz
# piper
prismlauncher
# prismlauncher
# radeontop
# streamrip
# wayvnc
@ -123,16 +117,10 @@ in
# yt-archivist
];
home.sessionVariables = {
WAYLANDDRV_PRIMARY_MONITOR = "DP-3";
};
persist.state.directories = [
".config/image-updater"
".config/lsfg-vk"
".config/sops/age"
".config/WarThunder"
".local/share/PrismLauncher"
"nixos-config"
"projects"
];
@ -147,7 +135,7 @@ in
wal_recycle = "off";
};
ataraxia.virtualisation.docker = true;
# ataraxia.virtualisation.docker = true;
ataraxia.virtualisation.libvirt = true;
ataraxia.virtualisation.podman = true;
@ -167,14 +155,10 @@ in
];
# Mesa from unstable channel
# hardware.graphics.package = pkgs.mesaUnstable;
# hardware.graphics.package32 = pkgs.mesaUnstablei686;
# programs.hyprland.package = pkgs.hyprlandUnstable;
# programs.hyprland.portalPackage = pkgs.hyprlandPortalUnstable;
programs.hyprland.package = hyprPkgs.hyprland;
programs.hyprland.portalPackage = hyprPkgs.xdg-desktop-portal-hyprland;
services.lsfg-vk.enable = true;
services.lsfg-vk.ui.enable = true;
hardware.graphics.package = pkgs.mesaUnstable;
hardware.graphics.package32 = pkgs.mesaUnstablei686;
programs.hyprland.package = pkgs.hyprlandUnstable;
programs.hyprland.portalPackage = pkgs.hyprlandPortalUnstable;
# Auto-mount lan nfs share
fileSystems = {

42
hosts/andromedae/samba.nix
View File

@ -1,42 +0,0 @@
{ ... }:
{
services.samba = {
enable = true;
openFirewall = true;
settings = {
global = {
"workgroup" = "WORKGROUP";
"server string" = "smbnix";
"netbios name" = "smbnix";
"security" = "user";
#"use sendfile" = "yes";
#"max protocol" = "smb2";
# note: localhost is the ipv6 localhost ::1
"hosts allow" = "10.10.10. 127.0.0.1 localhost";
"hosts deny" = "0.0.0.0/0";
"guest account" = "ataraxia";
"map to guest" = "bad user";
};
"extra" = {
"path" = "/run/media/ataraxia/Extra/Anomaly";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "ataraxia";
"force group" = "users";
};
"gamma" = {
"path" = "/media/games/Anomaly-Gamma";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "ataraxia";
"force group" = "users";
};
};
};
}

2
hosts/blueshift/default.nix
View File

@ -154,8 +154,6 @@
};
};
};
ataraxia.services.tor.enableRelay = true;
ataraxia.services.tor.relayPort = 32910;
system.stateVersion = "24.11";
}

40
hosts/blueshift/services.nix
View File

@ -37,12 +37,12 @@ in
let
nginx = {
sopsFile = secretsDir + /blueshift/nginx.yaml;
restartUnits = [ "nginx.service" ];
restartUnits = [ "podman-nginx.service" ];
};
marzban = {
format = "dotenv";
sopsFile = secretsDir + /blueshift/marzban.env;
restartUnits = [ "marzban.service" ];
restartUnits = [ "podman-marzban.service" ];
};
in
{
@ -52,31 +52,27 @@ in
inherit marzban;
};
virtualisation.quadlet.containers = {
virtualisation.oci-containers.containers = {
marzban = {
autoStart = true;
containerConfig = {
# Tags: v0.8.4
image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
environmentFiles = [ marzban-env ];
networks = [ "host" ];
volumes = [
"/srv/marzban:/var/lib/marzban"
];
};
# Tags: v0.8.4
image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
environmentFiles = [ marzban-env ];
extraOptions = [ "--network=host" ];
volumes = [
"/srv/marzban:/var/lib/marzban"
];
};
nginx = {
autoStart = true;
containerConfig = {
# Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
networks = [ "host" ];
volumes = [
"${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
"${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
"${nginx-conf}:/etc/nginx/nginx.conf:ro"
];
};
# Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
extraOptions = [ "--network=host" ];
volumes = [
"${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
"${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
"${nginx-conf}:/etc/nginx/nginx.conf:ro"
];
};
};

17
hosts/orion/default.nix
View File

@ -1,13 +1,11 @@
{
config,
lib,
pkgs,
inputs,
...
}:
let
inherit (lib) concatLists unique recursiveUpdate;
nginx = config.ataraxia.services.nginx;
inherit (lib) concatLists unique;
in
{
imports = [
@ -115,9 +113,7 @@ in
ataraxia.containers.filestash.enable = true;
ataraxia.containers.media-stack.enable = true;
ataraxia.containers.sing-box-filter.enable = true;
ataraxia.containers.tinyproxy.enable = true;
ataraxia.containers.tor.enable = true;
ataraxia.security.acme.enable = true;
ataraxia.services.authentik.enable = true;
ataraxia.services.gitea.enable = true;
@ -170,15 +166,6 @@ in
)
);
services.nginx.virtualHosts = {
"incus.ataraxiadev.com" = recursiveUpdate nginx.defaultSettings {
locations."/" = {
proxyPass = "https://10.10.10.5:8443";
proxyWebsockets = true;
};
};
};
ataraxia.virtualisation.guests = {
omv = {
autoStart = true;
@ -188,7 +175,5 @@ in
};
};
networking.firewall.allowedTCPPorts = [ 9050 ];
system.stateVersion = "25.05";
}

10
hosts/redshift/default.nix
View File

@ -48,12 +48,12 @@
disableIPv6 = true;
domain = "wg.ataraxiadev.com";
ifname = "enp0s18";
mac = "bc:24:11:33:ea:74";
mac = "bc:24:11:99:d5:2f";
bridge.enable = true;
ipv4 = [
{
address = "217.147.15.227/24";
gateway = "217.147.15.1";
address = "104.164.54.197/24";
gateway = "104.164.54.1";
dns = [
"9.9.9.9"
"149.112.112.112"
@ -154,8 +154,6 @@
};
};
};
ataraxia.services.tor.enableRelay = true;
ataraxia.services.tor.relayPort = 18342;
system.stateVersion = "25.05";
system.stateVersion = "24.11";
}

40
hosts/redshift/services.nix
View File

@ -38,12 +38,12 @@ in
let
nginx = {
sopsFile = secretsDir + /redshift/nginx.yaml;
restartUnits = [ "nginx.service" ];
restartUnits = [ "podman-nginx.service" ];
};
marzban = {
format = "dotenv";
sopsFile = secretsDir + /redshift/marzban.env;
restartUnits = [ "marzban.service" ];
restartUnits = [ "podman-marzban.service" ];
};
in
{
@ -53,31 +53,27 @@ in
inherit marzban;
};
virtualisation.quadlet.containers = {
virtualisation.oci-containers.containers = {
marzban = {
autoStart = true;
containerConfig = {
# Tags: v0.8.4
image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
environmentFiles = [ marzban-env ];
networks = [ "host" ];
volumes = [
"/srv/marzban:/var/lib/marzban"
];
};
# Tags: v0.8.4
image = "ghcr.io/gozargah/marzban@sha256:8e422c21997e5d2e3fa231eeff73c0a19193c20fc02fa4958e9368abb9623b8d";
environmentFiles = [ marzban-env ];
extraOptions = [ "--network=host" ];
volumes = [
"/srv/marzban:/var/lib/marzban"
];
};
nginx = {
autoStart = true;
containerConfig = {
# Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
networks = [ "host" ];
volumes = [
"${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
"${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
"${nginx-conf}:/etc/nginx/nginx.conf:ro"
];
};
# Tags: mainline-alpine3.21, mainline-alpine, alpine3.21
image = "docker.io/nginx@sha256:e4efffc3236305ae53fb54e5cd76c9ccac0cebf7a23d436a8f91bce6402c2665";
extraOptions = [ "--network=host" ];
volumes = [
"${cert-key}:/etc/ssl/certs/cf-cert.key:ro"
"${cert-pem}:/etc/ssl/certs/cf-cert.pem:ro"
"${nginx-conf}:/etc/nginx/nginx.conf:ro"
];
};
};

11
hosts/vega/default.nix
View File

@ -6,7 +6,6 @@
}:
let
defaultUser = config.ataraxia.defaults.users.defaultUser;
hyprPkgs = inputs.hyprland.packages.${pkgs.hostPlatform.system};
in
{
imports = [
@ -88,12 +87,10 @@ in
};
# Mesa from unstable channel
# hardware.graphics.package = pkgs.mesaUnstable;
# hardware.graphics.package32 = pkgs.mesaUnstablei686;
# programs.hyprland.package = pkgs.hyprlandUnstable;
# programs.hyprland.portalPackage = pkgs.hyprlandPortalUnstable;
programs.hyprland.package = hyprPkgs.hyprland;
programs.hyprland.portalPackage = hyprPkgs.xdg-desktop-portal-hyprland;
hardware.graphics.package = pkgs.mesaUnstable;
hardware.graphics.package32 = pkgs.mesaUnstablei686;
programs.hyprland.package = pkgs.hyprlandUnstable;
programs.hyprland.portalPackage = pkgs.hyprlandPortalUnstable;
# Auto-mount lan nfs share
fileSystems = {

20
modules/home/applications/games/umu-launcher.nix
View File

@ -1,20 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.programs.umu-launcher;
in
{
options.ataraxia.programs.umu-launcher = {
enable = mkEnableOption "Enable umu-launcher program";
};
config = mkIf cfg.enable {
home.packages = with pkgs; [ umu-launcher ];
persist.state.directories = [ ".local/share/umu" ];
};
}

34
modules/home/applications/vesktop.nix
View File

@ -1,34 +0,0 @@
{ config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.programs.vesktop;
in
{
options.ataraxia.programs.vesktop = {
enable = mkEnableOption "Enable vesktop program";
};
config = mkIf cfg.enable {
programs.vesktop.enable = true;
programs.vesktop.settings = {
# appBadge = false;
# arRPC = true;
# checkUpdates = false;
# customTitleBar = false;
# disableMinSize = true;
minimizeToTray = true;
# tray = false;
# splashBackground = "#000000";
# splashColor = "#ffffff";
# splashTheming = true;
# staticTitle = true;
hardwareAcceleration = true;
discordBranch = "canary";
};
# programs.vesktop.vencord.settings = {};
# programs.vesktop.vencord.themes = {};
# programs.vesktop.vencord.useSystem = false;
persist.state.directories = [ ".config/vesktop" ];
};
}

2
modules/home/applications/vscode.nix
View File

@ -49,7 +49,7 @@ in
with ext-market;
[
aaron-bond.better-comments
# catppuccin.catppuccin-vsc-icons
catppuccin.catppuccin-vsc-icons
christian-kohler.path-intellisense
codezombiech.gitignore
eamodio.gitlens

6
modules/home/applications/walker.nix
View File

@ -1,6 +1,7 @@
{
config,
lib,
pkgs,
inputs,
...
}:
@ -23,11 +24,14 @@ in
programs.walker = {
enable = true;
runAsService = true;
package = pkgs.walker;
runAsService = false;
config = {
websearch.prefix = "?";
switcher.prefix = "/";
};
};
startupApplications = [ "${getExe config.programs.walker.package} --gapplication-service" ];
};
}

1
modules/home/roles/default.nix
View File

@ -92,7 +92,6 @@ in
ataraxia.programs.spotify.enable = mkDefault true;
ataraxia.programs.telegram.enable = mkDefault true;
ataraxia.programs.thunderbird.enable = mkDefault true;
ataraxia.programs.vesktop.enable = mkDefault true;
ataraxia.programs.vscode.enable = mkDefault true;
ataraxia.programs.walker.enable = mkDefault true;
ataraxia.programs.zathura.enable = mkDefault true;

3
modules/home/theme/catppuccin.nix
View File

@ -8,7 +8,6 @@
let
inherit (lib)
mkEnableOption
mkForce
mkIf
mkMerge
mkOption
@ -116,7 +115,7 @@ in
};
iconTheme = {
name = "Papirus-Dark";
package = mkForce (pkgs.catppuccin-papirus-folders.override { inherit (cfg) accent flavor; });
package = pkgs.catppuccin-papirus-folders.override { inherit (cfg) accent flavor; };
};
font = {
package = config.theme.fonts.sans.package;

17
modules/home/workspace/wayland/waybar.nix
View File

@ -25,14 +25,15 @@ in
layer = "top";
position = "top";
# margin = "8 8 0 8";
modules-left = [
"hyprland/workspaces"
"wireplumber"
]
++ lib.optionals cfg.laptopWidgets [
"battery"
"backlight"
];
modules-left =
[
"hyprland/workspaces"
"wireplumber"
]
++ lib.optionals cfg.laptopWidgets [
"battery"
"backlight"
];
modules-center = [ "hyprland/window" ];
modules-right = [
"tray"

2
modules/nixos/applications/steam.nix
View File

@ -16,8 +16,6 @@ in
};
config = mkIf cfg.enable {
boot.kernelModules = [ "ntsync" ];
programs.gamemode.enable = true;
programs.gamescope.enable = true;
programs.gamescope.capSysNice = false;

157
modules/nixos/containers/sing-box-filter.nix
View File

@ -1,157 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkEnableOption mkIf;
inherit (config.virtualisation.quadlet) networks;
cfg = config.ataraxia.containers.sing-box-filter;
# Exclude almost all european countries (and some more)
filter-countries = "!EU,!AL,!AD,!BY,!BA,!GB,!CH,!IS,!LI,!MD,!MC,!ME,!MK,!NO,!RU,!SM,!RS,!UA,!VA,!XK,!US,!CN,!IR,!PK";
filter-protocols = "vless,ss";
geoip-db = "https://git.io/GeoLite2-Country.mmdb";
proxy-list = "https://raw.githubusercontent.com/ebrasha/free-v2ray-public-list/refs/heads/main/V2Ray-Config-By-EbraSha.txt";
dockerfile = pkgs.writeText "Dockerfile.sing-box" ''
ARG sing_box_ver="1.12.1"
ARG alpine_ver="3.22"
ARG processor_ver="0.1.1"
FROM ghcr.io/sagernet/sing-box:v''${sing_box_ver} AS sing-box
FROM ataraxiadev/proxy-processor:''${processor_ver} as proxy-filter
FROM alpine:''${alpine_ver}
COPY --from=sing-box /usr/local/bin/sing-box /bin/sing-box
COPY --from=proxy-filter /bin/proxy-filter-cli /bin/proxy-filter-cli
WORKDIR /app
ENTRYPOINT ["/app/entrypoint.sh"]
'';
entrypoint = pkgs.writeScript "singbox-entrypoint" ''
#!/bin/ash
set -euo pipefail
mkdir -p /etc/sing-box
mkdir -p /var/lib/sing-box
cp /app/sing-box.json /etc/sing-box/config.json
echo "0 * * * * /app/update.sh" > /var/spool/cron/crontabs/root
/app/update.sh &
crond -f
'';
sing-box-update = pkgs.writeScript "singbox-update" ''
#!/bin/ash
set -euo pipefail
if [ $(pgrep "update.sh" | wc -l) -gt 2 ]; then
exit 0
fi
echo "Update proxy list..."
proxy-filter-cli -i ${proxy-list} -o outbounds.json --geoip ${geoip-db} -t ${filter-protocols} -c '${filter-countries}' -f sing-box
cp outbounds.json /etc/sing-box/outbound.json
echo "Update proxy list finished..."
if pgrep "sing-box"; then
echo "Stopping sing-box process..."
pkill -f sing-box
fi
echo "Starting sing-box process..."
sing-box -D /var/lib/sing-box -C /etc/sing-box run &
'';
singbox-config = pkgs.writeText "singbox-entrypoint" ''
{
"log": {
"level": "warn",
"timestamp": true
},
"dns": {
"strategy": "ipv4_only",
"disable_cache": true,
"disable_expire": true,
"servers": [{
"tag": "local-dns",
"type": "udp",
"server": "10.10.10.1"
}]
},
"inbounds": [{
"type": "mixed",
"tag": "mixed-in",
"domain_strategy": "ipv4_only",
"listen": "0.0.0.0",
"listen_port": 2080,
"tcp_fast_open": false
}],
"outbounds": [{
"type": "direct",
"tag": "direct-out"
}],
"route": {
"rules": [{
"action": "resolve",
"strategy": "prefer_ipv4"
}, {
"action": "sniff"
}, {
"protocol": "dns",
"action": "hijack-dns"
}, {
"outbound": "direct-out",
"ip_is_private": true
}],
"final": "urltest-out",
"auto_detect_interface": true
},
"experimental": {
"clash_api": {
"external_controller": "0.0.0.0:9090",
"external_ui": "ui",
"external_ui_download_url": "https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip",
"external_ui_download_detour": "direct-out"
},
"cache_file": {
"enabled": true
}
}
}
'';
in
{
options.ataraxia.containers.sing-box-filter = {
enable = mkEnableOption "Enable sing-box-filter container";
};
config = mkIf cfg.enable {
virtualisation.quadlet = {
builds.sing-box-filter = {
autoStart = true;
buildConfig = {
file = toString dockerfile;
tag = "sing-box-filter:latest";
# globalArgs = [ "--build-args=" ];
};
};
containers.sing-box-filter = {
autoStart = true;
containerConfig = {
image = config.virtualisation.quadlet.builds.sing-box-filter.ref;
networks = [ networks.br-services.ref ];
publishPorts = [
"0.0.0.0:2080:2080/tcp"
"0.0.0.0:2081:9090/tcp"
];
volumes = [
"${entrypoint}:/app/entrypoint.sh:ro"
"${sing-box-update}:/app/update.sh:ro"
"${singbox-config}:/app/sing-box.json:ro"
];
};
};
};
networking.firewall.allowedTCPPorts = [
2080
2081
];
};
}

6
modules/nixos/containers/tinyproxy.nix
View File

@ -2,7 +2,6 @@
config,
lib,
secretsDir,
inputs,
...
}:
let
@ -32,11 +31,6 @@ in
config =
{ pkgs, ... }:
{
nixpkgs.overlays = [
(_final: _prev: {
sing-box = inputs.ataraxiasjel-nur.packages.${pkgs.hostPlatform.system}.sing-box-extended;
})
];
environment.systemPackages = with pkgs; [
dnsutils
kitty.terminfo

74
modules/nixos/containers/tor.nix
View File

@ -1,74 +0,0 @@
{
config,
lib,
pkgs,
secretsDir,
...
}:
let
inherit (lib) mkEnableOption mkIf;
inherit (config.virtualisation.quadlet) networks;
cfg = config.ataraxia.containers.tor;
dockerfile = pkgs.writeText "Dockerfile.tor" ''
FROM alpine:3
LABEL name="tor-socks-proxy"
LABEL version="latest"
RUN echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/community' >> /etc/apk/repositories && \
echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories && \
apk -U upgrade && \
apk -v add tor@edge lyrebird@edge curl && \
chmod 700 /var/lib/tor && \
rm -rf /var/cache/apk/* && \
tor --version
RUN echo -e "HardwareAccel 1\nLog notice stdout\nDNSPort 0.0.0.0:8853\nSocksPort 0.0.0.0:9150\nDataDirectory /var/lib/tor" > /etc/tor/torrc && \
chown tor:root /etc/tor/torrc
HEALTHCHECK --timeout=30s --start-period=60s \
CMD curl --fail --socks5-hostname localhost:9150 -I -L 'https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion' || exit 1
USER tor
EXPOSE 8853/udp 9150/tcp
CMD ["/usr/bin/tor", "-f", "/etc/tor/torrc"]
'';
in
{
options.ataraxia.containers.tor = {
enable = mkEnableOption "Enable tor client container";
};
config = mkIf cfg.enable {
sops.secrets.tor-container.sopsFile = secretsDir + /proxy.yaml;
sops.secrets.tor-container.mode = "0444";
virtualisation.quadlet = {
builds.tor-proxy = {
autoStart = true;
buildConfig = {
file = toString dockerfile;
tag = "tor-socks-proxy:latest";
};
};
containers.tor-proxy = {
autoStart = true;
containerConfig = {
exec = "sh -c 'cat /home/torrc-extra >> /etc/tor/torrc && /usr/bin/tor -f /etc/tor/torrc'";
image = config.virtualisation.quadlet.builds.tor-proxy.ref;
networks = [ networks.br-services.ref ];
publishPorts = [
"0.0.0.0:9150:9150/tcp"
"0.0.0.0:8853:8853/udp"
];
volumes = [
"${config.sops.secrets.tor-container.path}:/home/torrc-extra:ro"
];
};
};
};
networking.firewall.allowedTCPPorts = [ 9150 ];
networking.firewall.allowedUDPPorts = [ 8853 ];
};
}

21
modules/nixos/persist/default.nix
View File

@ -109,16 +109,17 @@ in
"/var/cache"
];
persist.state = {
directories = [
"/var/lib/nixos"
"/var/lib/systemd"
]
++ lib.optionals config.services.mysql.enable [
config.services.mysql.dataDir
]
++ lib.optionals config.services.postgresql.enable [
"/var/lib/postgresql"
];
directories =
[
"/var/lib/nixos"
"/var/lib/systemd"
]
++ lib.optionals config.services.mysql.enable [
config.services.mysql.dataDir
]
++ lib.optionals config.services.postgresql.enable [
"/var/lib/postgresql"
];
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"

36
modules/nixos/services/tor.nix
View File

@ -1,36 +0,0 @@
{ config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf mkOption;
inherit (lib.types) int;
cfg = config.ataraxia.services.tor;
in
{
options.ataraxia.services.tor = {
enable = mkEnableOption "Enable tor service client";
enableRelay = mkEnableOption "Enable tor service bridge";
relayPort = mkOption {
type = int;
description = "Bridge listen port";
};
};
config = mkIf (cfg.enable || cfg.enableRelay) {
services.tor = {
enable = true;
client.enable = cfg.enable;
relay.enable = cfg.enableRelay;
relay.role = "private-bridge";
settings = mkIf cfg.enableRelay {
ContactInfo = "admin@ataraxiadev.com";
Nickname = config.networking.hostName;
ORPort = 42891;
ServerTransportListenAddr = "obfs4 0.0.0.0:${toString cfg.relayPort}";
};
};
networking.firewall.allowedTCPPorts = [ cfg.relayPort ];
persist.state.directories = [ "/var/lib/tor" ];
};
}

44
modules/nixos/virtualisation/virtualisation.nix
View File

@ -24,8 +24,6 @@ in
};
config = mkIf (cfg.docker || cfg.libvirt || cfg.podman) {
boot.enableContainers = true;
virtualisation = {
oci-containers.backend = if (!cfg.podman && cfg.docker) then "docker" else "podman";
docker = {
@ -40,7 +38,6 @@ in
podman = {
enable = cfg.podman;
defaultNetwork.settings.dns_enabled = true;
dockerCompat = !config.virtualisation.docker.enable;
dockerSocket.enable = !config.virtualisation.docker.enable;
};
containers.containersConf.settings = {
@ -101,6 +98,8 @@ in
};
};
boot.enableContainers = true;
environment.systemPackages =
[ ]
++ optionals cfg.docker [ pkgs.docker-compose ]
@ -117,18 +116,19 @@ in
networking.firewall = {
trustedInterfaces = mkIf cfg.libvirt [ "virbr0" ];
interfaces = {
"podman*".allowedUDPPorts = mkIf cfg.podman [
53
5353
];
}
// mapAttrs (_: _: {
allowedUDPPorts = [
53
5353
];
}) config.virtualisation.quadlet.networks;
interfaces =
{
"podman*".allowedUDPPorts = mkIf cfg.podman [
53
5353
];
}
// mapAttrs (_: _: {
allowedUDPPorts = [
53
5353
];
}) config.virtualisation.quadlet.networks;
};
security.unprivilegedUsernsClone = true;
@ -138,26 +138,18 @@ in
"/var/lib/libvirt"
"/var/lib/containers"
];
persist.state.files = [
"/etc/subuid"
"/etc/subgid"
];
home-manager = mkIf useHomeManager {
users.${defaultUser} = {
home.file.".config/containers/storage.conf".text = mkIf cfg.podman ''
home.file.".config/containers/storage.conf".text = ''
[storage]
driver = "overlay"
'';
home.file.".config/libvirt/libvirt.conf".text = mkIf cfg.libvirt ''
home.file.".config/libvirt/libvirt.conf".text = ''
uri_default = "qemu:///system"
'';
persist.state.directories = mkIf cfg.podman [
persist.state.directories = [
".config/containers"
{
directory = ".local/share/containers";
method = "symlink";
}
];
};
};

85
overlays/default.nix
View File

@ -34,13 +34,9 @@ in
# nix-index-update = inputs.nix-alien.packages.${system}.nix-index-update;
osu-lazer = unstable.osu-lazer;
osu-lazer-bin = unstable.osu-lazer-bin;
prismlauncher = inputs.prismlauncher.packages.${system}.prismlauncher.override {
jdks = [
final.temurin-jre-bin
final.temurin-jre-bin-17
];
textToSpeechSupport = false;
};
# prismlauncher = inputs.prismlauncher.packages.${system}.prismlauncher.override {
# jdks = [ final.temurin-bin ];
# };
proton-ge-bin = unstable.proton-ge-bin;
xray = unstable.xray;
# youtube-to-mpv = prev.callPackage ./packages/youtube-to-mpv.nix { term = config.defaultApplications.term.cmd; };
@ -49,29 +45,64 @@ in
sing-box = final.sing-box-extended;
wine = prev.wineWow64Packages.stagingFull;
# Patch spotify with spotx
spotify = prev.spotify.overrideAttrs (
oa:
let
spotx = prev.fetchurl {
url = "https://raw.githubusercontent.com/SpotX-Official/SpotX-Bash/b1de24ec4c23c45da373dcb64a44e372253a0c16/spotx.sh";
hash = "sha256-/p6cJKzaZzjcLJISFudstQjs+lPXnXx4f0vxKbF9Sqw=";
};
in
{
nativeBuildInputs =
oa.nativeBuildInputs
++ (with prev; [
perl
unzip
util-linux
zip
]);
postUnpack =
oa.postUnpack or ""
+ ''
patchShebangs --build ${spotx}
'';
postInstall =
oa.postInstall or ""
+ ''
bash ${spotx} -f -h -P "$out/share/spotify"
'';
}
);
# Move modprobed config to subdir. Easier to use with impermanence
modprobed-db = prev.modprobed-db.overrideAttrs (oa: {
nativeBuildInputs = [ prev.makeWrapper ] ++ oa.nativeBuildInputs or [ ];
postPatch = (oa.postPatch or "") + ''
substituteInPlace ./common/modprobed-db.in \
--replace-fail "/modprobed-db.conf" "/modprobed-db/modprobed-db.conf"
substituteInPlace ./common/modprobed-db.skel \
--replace-fail "/.config" "/.config/modprobed-db"
'';
postInstall = (oa.postInstall or "") + ''
wrapProgram $out/bin/modprobed-db \
--set PATH ${
with final;
lib.makeBinPath [
gawk
getent
coreutils
gnugrep
gnused
kmod
]
}
'';
postPatch =
(oa.postPatch or "")
+ ''
substituteInPlace ./common/modprobed-db.in \
--replace-fail "/modprobed-db.conf" "/modprobed-db/modprobed-db.conf"
substituteInPlace ./common/modprobed-db.skel \
--replace-fail "/.config" "/.config/modprobed-db"
'';
postInstall =
(oa.postInstall or "")
+ ''
wrapProgram $out/bin/modprobed-db \
--set PATH ${
with final;
lib.makeBinPath [
gawk
getent
coreutils
gnugrep
gnused
kmod
]
}
'';
});
pass-secret-service = prev.pass-secret-service.overrideAttrs (_: {

6
secrets/blueshift/nginx.yaml
View File

File diff suppressed because one or more lines are too long

11
secrets/proxy.yaml
View File

File diff suppressed because one or more lines are too long