fuckwit/nix-config
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Activity

new beginning

Browse Source
This commit is contained in:
fuckwit
2024-06-30 23:27:40 +02:00
commit ec1513fbf3
52 changed files with 5459 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

435
nixos/celestia/configuration.nix Normal file
View File

@ -0,0 +1,435 @@
{
config,
lib,
pkgs,
...
}: let
makeVirtualHost = {
subdomain,
port,
}: {
name = "${subdomain}.fuckwit.dev";
value = {
forceSSL = true;
useACMEHost = "fuckwit.dev";
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
};
makeVirtualHosts = sites: builtins.listToAttrs (builtins.map makeVirtualHost sites);
disks = [
"/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL232MW7"
"/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL22L00W"
"/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL23J3P2"
"/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL22LCB4"
"/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL22PG6W"
"/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL20KVKP"
];
in {
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets."acme.env" = {};
sops.secrets."tailscale-auth-key" = {};
imports = [
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [
"initcall_blacklist=acpi_cpufreq_init"
"amd_pstate=passive"
"libata.force=noncq"
];
boot.kernelModules = ["amd-pstate"];
system.stateVersion = "23.11"; # Did you read the comment?
networking = {
hostName = "celestia";
interfaces.enp5s0f0 = {
useDHCP = false;
ipv4.addresses = [
{
address = "10.1.1.11";
prefixLength = 24;
}
];
};
firewall = {
enable = true;
allowedTCPPorts = [22 111 443 2049 4000 4001 4002 20048];
allowedUDPPorts = [53 111 2049 4000 4001 4002 20048];
};
};
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_US.UTF-8";
environment.systemPackages = with pkgs; [
vim
wget
htop
bash
zfs
lm_sensors
ffmpeg
];
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPflDQOANGhgtfo2psRwSFtY5ETHX/bsDmqrho3iX9jt root@arschlinux"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6oGHBFD3wo16buPtdYDat911gydOw2oFj80fTXL1xo batzi@DESKTOP-8A2VTHL"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK3otGMe8umxxJX5BbbBQ/+PQg37Puh0qjH8IILL95T patrick@mi"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDl3vLxNpinilTJp1rGsSYlVi+hIa+oECtge1i8bwz33AAAACHNzaDptYWlu"
];
users.groups.nas.gid = 2000;
users.users.nginx.extraGroups = ["acme"];
environment = {
etc = {
"sysconfig/lm_sensors".text = ''
HWMON_MODULES="nct6775"
'';
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "acme@fuckwit.dev";
dnsProvider = "cloudflare";
environmentFile = config.sops.secrets."acme.env".path;
dnsPropagationCheck = true;
};
certs."fuckwit.dev" = {
extraDomainNames = ["*.fuckwit.dev"];
};
};
services = {
tailscale = {
enable = true;
openFirewall = true;
useRoutingFeatures = "both";
extraUpFlags = ["--advertise-routes=192.168.1.11/32"];
authKeyFile = config.sops.secrets."tailscale-auth-key".path;
};
dnscrypt-proxy2 = {
enable = true;
settings = {
listen_addresses = ["0.0.0.0:53"];
ipv6_servers = false;
dnscrypt_servers = true;
cloaking_rules = "/var/lib/dnscrypt-proxy/cloaking";
sources.dnscry-pt-resolvers = {
urls = ["https://www.dnscry.pt/resolvers.md"];
minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ";
cache_file = "/var/lib/dnscrypt-proxy/dnscry.pt-resolvers.md";
refresh_delay = 72;
prefix = "dnscry.pt-";
};
};
};
openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
};
};
nfs.server = {
enable = true;
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
extraNfsdConfig = '''';
};
samba = {
enable = true;
openFirewall = true;
extraConfig = "map to guest = bad user";
shares = {
dump = {
path = "/tank/dump";
browsable = "yes";
public = "yes";
"guest only" = "yes";
writable = "yes";
"force create mode" = "0666";
"force directory mode" = "0777";
};
video = {
path = "/tank/video";
browsable = "yes";
public = "yes";
"guest only" = "yes";
writable = "yes";
"force create mode" = "0666";
"force directory mode" = "0777";
};
};
};
zfs = {
autoScrub.enable = true;
};
nginx = {
enable = true;
virtualHosts = makeVirtualHosts [
{
subdomain = "jdownloader";
port = 8000;
}
{
subdomain = "jellyfin";
port = 8096;
}
{
subdomain = "sonarr";
port = 8989;
}
{
subdomain = "radarr";
port = 7878;
}
{
subdomain = "lidarr";
port = 8686;
}
{
subdomain = "paperless";
port = 28981;
}
{
subdomain = "homepage";
port = 8082;
}
];
};
paperless = {
enable = true;
mediaDir = "/tank/documents";
consumptionDir = "/tank/dump/paperless_consume";
consumptionDirIsPublic = true;
settings = {
PAPERLESS_URL = "https://paperless.fuckwit.dev";
PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [
".DS_STORE/*"
"desktop.ini"
];
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
optimize = 1;
pdfa_image_compression = "lossless";
};
};
};
lidarr = {
enable = true;
group = "nas";
dataDir = "/var/lib/lidarr";
};
radarr = {
enable = true;
group = "nas";
dataDir = "/var/lib/radarr";
};
sonarr = {
enable = true;
group = "nas";
dataDir = "/var/lib/sonarr";
# package = pkgs.sonarr.override {
# version = "4.0.0.748";
# src = lib.fetchurl {
# url = "https://download.sonarr.tv/v4/main/${version}/Sonarr.main.${version}.linux-x64.tar.gz";
# hash = "";
# };
# };
};
jellyfin.enable = true;
homepage-dashboard = {
enable = true;
settings = {
title = "Homelab";
theme = "dark";
layout = [
{
Media = {
style = "row";
columns = 4;
};
}
];
};
widgets = [
{
resources = {
cpu = true;
memory = true;
disk = "/tank";
};
}
{
search = {
provider = "duckduckgo";
target = "_blank";
};
}
];
services = [
{
Media = [
{
Jellyfin = {
icon = "jellyfin.png";
href = "https://jellyfin.fuckwit.dev";
siteMonitor = "https://jellyfin.fuckwit.dev";
description = "Media library";
widget = {
type = "jellyfin";
url = "https://jellyfin.fuckwit.dev";
key = "d6e4766cda6c412cb4a96626c0f0b51a";
enableBlocks = true;
enableNowPlaying = false;
};
};
}
{
Radarr = {
icon = "radarr.png";
href = "https://radarr.fuckwit.dev";
siteMonitor = "https://radarr.fuckwit.dev";
description = "Media library";
widget = {
type = "radarr";
url = "https://radarr.fuckwit.dev";
key = "01d93b03f6c64a0f9786598b611e58f9";
};
};
}
{
Sonarr = {
icon = "sonarr.png";
href = "https://sonarr.fuckwit.dev";
siteMonitor = "https://sonarr.fuckwit.dev";
description = "Media library";
widget = {
type = "sonarr";
url = "https://sonarr.fuckwit.dev";
key = "c6be6b2d78104a97a2c7df560b27bb5c";
};
};
}
{
Lidarr = {
icon = "lidarr.png";
href = "https://lidarr.fuckwit.dev";
siteMonitor = "https://lidarr.fuckwit.dev";
description = "Media library";
widget = {
type = "lidarr";
url = "https://lidarr.fuckwit.dev";
key = "e95e25ccd6f04ffe8e8ad0ff488231a8";
};
};
}
];
}
];
};
};
hardware = {
fancontrol = {
enable = true;
config = ''
# Configuration file generated by pwmconfig, changes will be lost
INTERVAL=10
DEVPATH=hwmon0=devices/platform/nct6775.656
DEVNAME=hwmon0=nct6779
FCTEMPS=hwmon0/pwm5=hwmon0/temp2_input hwmon0/pwm3=hwmon0/temp2_input
FCFANS=hwmon0/pwm5=hwmon0/fan5_input hwmon0/pwm3=hwmon0/fan3_input
MINTEMP=hwmon0/pwm5=40 hwmon0/pwm3=40
MAXTEMP=hwmon0/pwm5=80 hwmon0/pwm3=80
MINSTART=hwmon0/pwm5=150 hwmon0/pwm3=150
MINSTOP=hwmon0/pwm5=0 hwmon0/pwm3=0
MAXPWM=hwmon0/pwm5=150 hwmon0/pwm3=150
'';
};
};
virtualisation = {
podman = {
enable = true;
};
oci-containers = {
backend = "podman";
containers = {
jdownloader = {
image = "docker.io/jlesage/jdownloader-2:latest";
autoStart = true;
ports = ["0.0.0.0:8000:5800"];
volumes = [
"jdownloader_config:/config"
"/tank/dump:/output"
];
};
};
};
};
powerManagement = {
enable = true;
powerUpCommands = lib.strings.concatMapStringsSep "\n" (disk: "${pkgs.hdparm}/sbin/hdparm -S 241 " + disk) disks;
};
systemd.services = let
ensure-perms = path: user: group: {
enable = true;
description = "Ensures permissionsions and ownership of files in ${path}";
wantedBy = ["multi-user.target"];
script = ''
while read -r evt file; do
${pkgs.coreutils}/bin/chown ${user}:${group} "$file"
${pkgs.coreutils}/bin/chmod 755 "$file"
done < <(${pkgs.inotify-tools}/bin/inotifywait -e create,move -m -r --format '%e %w%f' ${path})
'';
};
in {
dnscrypt-proxy2.serviceConfig = {
StateDirectory = "dnscrypt-proxy";
};
ensure-radarr-perms = ensure-perms "/tank/video/movie" "radarr" "nas";
ensure-sonarr-perms = ensure-perms "/tank/video/series" "sonarr" "nas";
ensure-lidarr-perms = ensure-perms "/tank/audio" "lidarr" "nas";
};
}

58
nixos/celestia/hardware-configuration.nix Normal file
View File

@ -0,0 +1,58 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
boot.initrd = {
availableKernelModules = ["xhci_pci" "ahci" "usbhid" "uas"];
kernelModules = [];
};
boot.kernelModules = ["kvm-amd" "nct6775" "coretemp"];
boot.extraModulePackages = [];
boot.supportedFilesystems = ["zfs"];
boot.zfs = {
forceImportRoot = false;
extraPools = ["tank"];
};
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
fileSystems."/" = {
device = "/dev/disk/by-uuid/3652c231-d679-42dd-80f1-e9afccb4ca13";
fsType = "ext4";
};
boot.initrd.luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/6eafb3a6-a7b0-442f-b88c-a3f7021cf0e7";
allowDiscards = true;
keyFileSize = 4096;
keyFile = "/dev/disk/by-id/usb-Generic_Flash_Disk_D5A325A0-0:0";
};
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7F60-62AA";
fsType = "vfat";
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
networking.hostId = "c1309b62";
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

34
nixos/celestia/secrets.yaml Normal file
View File

@ -0,0 +1,34 @@
acme.env: ENC[AES256_GCM,data:VgSJO2Q32csfN0DEH6kTsaN0z/hRa0fRHLUleju+gqBPjoQmZGIQjlLKHzj1Ys3zS591iVRkeYExBGyCPakPIJo=,iv:sOIPofteCvO4Na+z8qw7EjfJ6CEr83kYaonhUCgFwA4=,tag:RhHGyTrmdY4f8QkQ0DhhJw==,type:str]
tailscale-auth-key: ENC[AES256_GCM,data:Rvq2wL9civCoH6acKk3lYIXbVAME+kUmeuQYOTl+rvdb5bFoI5i688qI58ceF47PGKi1jeXe46SkJGJe0iY=,iv:b0kavSFEG40Jxa3yAjttarN5N3nOLEbZYqP3LOXvBrU=,tag:cpgYzoX9L6+1IHnmjfZfQg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1vadwmwh8ckfal7j83gwrwn9324gqufwgkxskznhp9v867amndcwqgp2w6t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNWVpTlR4VXFGTDBzVmVx
RVdUaGE4T2ZrY2x6K1d5aXlPTGFsLzBUYkJFCjB2MDJPU3Fzd1I3Q0lOdmJ6UEYr
SHkyYlBCREVkRDgyVWV2WU1GMnBXTmMKLS0tICt1VTJkYU1wZDltSHJ0ZHN3L2sr
K0RaVVNSczZBcDNtaXhGem5iQnlVTDAK+XogkPQD2xYQ7sW8DwAXaaLA/ftw6vZM
wsNs0uun9dgGjZIXcU6AIsrJeUiWBl5zgc6CCd/ad/3QxpmKj1p9Mg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-21T19:42:27Z"
mac: ENC[AES256_GCM,data:1LZ/jcx2yOW5OgWYmGlu8ySpOLrvLTmyAc8CrK6gKDeoc/VN5RuRapwkGD6XfgDaUvMCccgcRpyL5QDPPdRw6zzwpW4Ce1hreOoC1zV23TNDuAbn1G+gFjlJ2l5IEY6EZeNoWsOC2ID16HRwls1Bau1+hcWKefFYNVjE3+3l16U=,iv:9FFP84Be7UzfuLz/FnFtvOXmudccMq1jFDGXJUN0t48=,tag:U9SOsMUbHm8hzZnS3yK1Lg==,type:str]
pgp:
- created_at: "2024-01-25T08:00:56Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DMGJRmcuHhnsSAQdASY7ZScb03Yf6R2hOwAhAiIhQIFuplUnWKePZ/x9tpSEw
fkoLDAvuFVVcZnYZ6wqoyhdpNI0XBcH7MIVkcTggVQ/qN2YhkkTpHlXtAmG2c0ML
1GYBCQIQso1f3sQcwGH9HwjhaZsj+mBO8U81kKZHFlfLXB7C52KPkqekzM9xvkhM
eB7+STUrQExBai7k1Um/RB4DcgE6L6127S5zIGDCxiK/9wKbZ5JOMv9K+J/G89ZD
q8Y7oXwCRl8=
=pbvo
-----END PGP MESSAGE-----
fp: 5FA64909521A5C85992F26E0F819AEFF941BB849
unencrypted_suffix: _unencrypted
version: 3.8.1

106
nixos/configurations.nix Normal file
View File

@ -0,0 +1,106 @@
{
self,
nixpkgs,
nixpkgs-stable,
sops-nix,
home-manager,
lanzaboote,
simple-nixos-mailserver,
inputs,
...
}: let
customModules = import ../modules/modules-list.nix;
customPkgs = self.packages;
baseModules = [
{_module.args.inputs = inputs;}
{
imports = [
({pkgs, ...}: {
nix = {
nixPath = ["nixpkgs=${pkgs.path}"];
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than +4";
};
package = pkgs.nixVersions.stable;
settings = {
auto-optimise-store = true;
experimental-features = ["nix-command" "flakes"];
keep-outputs = true;
keep-derivations = true;
};
};
})
];
}
sops-nix.nixosModules.sops
];
defaultModules = baseModules ++ customModules;
myNixosSystem = {
np,
ip,
system,
file,
remoteBuild ? true,
sshPort ? 22,
sshUser ? "root",
allowLocalDeployment ? false,
additionalModules ? [],
}:
np.lib.nixosSystem {
inherit system;
specialArgs = {mypkgs = customPkgs."${system}";};
modules =
defaultModules
++ [
{
remote = {
inherit ip sshUser sshPort allowLocalDeployment remoteBuild;
};
}
{nixpkgs.system = "${system}";}
]
++ additionalModules
++ [file];
};
in {
nixos = myNixosSystem {
np = nixpkgs;
system = "x86_64-linux";
ip = "127.0.0.1";
allowLocalDeployment = true;
file = ./laptop/configuration.nix;
};
framework = myNixosSystem {
np = nixpkgs;
system = "x86_64-linux";
ip = "127.0.0.1";
allowLocalDeployment = true;
file = ./framework/configuration.nix;
additionalModules = [
lanzaboote.nixosModules.lanzaboote
];
};
celestia = myNixosSystem {
np = nixpkgs;
system = "x86_64-linux";
ip = "192.168.1.11";
# remoteBuild = false;
file = ./celestia/configuration.nix;
};
primordial = myNixosSystem {
np = nixpkgs;
system = "aarch64-linux";
ip = "159.69.53.14";
file = ./primordial/configuration.nix;
additionalModules = [
simple-nixos-mailserver.nixosModules.mailserver
];
};
}

19
nixos/framework/5FA64909521A5C85992F26E0F819AEFF941BB849.asc Normal file
View File

@ -0,0 +1,19 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: 5FA6 4909 521A 5C85 992F 26E0 F819 AEFF 941B B849
Comment: Patrick Michl <me@fuckwit.dev>
xjMEZVznURYJKwYBBAHaRw8BAQdAY6kEvvqAX6UfHbBiOJu0GHbToHcC2zXWpV7G
u86g+5TNHlBhdHJpY2sgTWljaGwgPG1lQGZ1Y2t3aXQuZGV2PsKTBBMWCgA7FiEE
X6ZJCVIaXIWZLybg+Bmu/5QbuEkFAmVc51ECGwMFCwkIBwICIgIGFQoJCAsCBBYC
AwECHgcCF4AACgkQ+Bmu/5QbuElnEQD/SoMuzgedYlqAdbHTRh1ckGK62tJIXISo
hXC4tAVkAEkA/28Sc/eMdVHlQcMlBqDlmmIK8MbYQ5qD+5xh6Qf9+94EzjMEZVzn
URYJKwYBBAHaRw8BAQdAX8YZ1V9Yd0W15YkjxMaKYS0ZWmLXWcuUu4g/nOufxyDC
eAQYFgoAIBYhBF+mSQlSGlyFmS8m4PgZrv+UG7hJBQJlXOdRAhsgAAoJEPgZrv+U
G7hJVocA/1nNMexPp/+zvAO7vaAusdiZ+9gbFSuvNRRIj5+o53YaAP0Qa9UalO0X
qjhXRY27M7eS9lN9ZR+Bj2YOv0aZkNz9B844BGVc51ESCisGAQQBl1UBBQEBB0AW
CcU49wTZxSOZ3SvxcqZ6yQfwiu+MjfbHPkVlXv1qJQMBCAfCdwQYFgoAIBYhBF+m
SQlSGlyFmS8m4PgZrv+UG7hJBQJlXOdRAhsMAAoJEPgZrv+UG7hJd6MBAI20ZORk
PfJmDRcMaxKpfbqnfe/f2rFF9jtxc4200gE/APjH9sJAnaz6La70XDf0FpqjEavs
dPn9K5o/FCiNKroN
=u7c7
-----END PGP PUBLIC KEY BLOCK-----

132
nixos/framework/configuration.nix Normal file
View File

@ -0,0 +1,132 @@
{
config,
pkgs,
lib,
mypkgs,
...
}: {
imports = [./hardware-configuration.nix];
boot.bootspec.enable = true;
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_6_9;
nixpkgs.config.allowUnfree = true;
system.stateVersion = "23.11"; # Did you read the comment?
networking = {
hostName = "framework";
search = ["1.1.1.1" "1.0.0.1" "8.8.8.8"];
networkmanager.enable = true;
};
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_US.UTF-8";
hardware.graphics = {
enable = true;
extraPackages = [pkgs.vaapiVdpau];
};
hardware.bluetooth.enable = true;
security.pam.services.swaylock = {};
fonts.packages = with pkgs; [
font-awesome
(nerdfonts.override {fonts = ["FiraMono"];})
mypkgs.comic-mono
];
services = {
illum.enable = true;
fwupd.enable = true;
fprintd.enable = false; # currently broken
pcscd.enable = true;
tlp = {
enable = true;
settings = {
# AC
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_MIN_PERF_ON_AC = 0;
CPU_MAX_PERF_ON_AC = 100;
# BAT
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
CPU_MIN_PERF_ON_BAT = 0;
CPU_MAX_PERF_ON_BAT = 50;
};
};
openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
};
};
xserver = {
enable = true;
xkb.layout = "us";
videoDrivers = ["amdgpu"];
desktopManager = {
xterm.enable = false;
gnome.enable = false;
plasma5.enable = false;
};
displayManager = {
gdm = {
enable = true;
wayland = true;
};
};
};
logind = {
lidSwitch = "suspend";
lidSwitchDocked = "ignore";
lidSwitchExternalPower = "ignore";
extraConfig = "HoldoffTimeoutSec=300s";
};
};
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
services.blueman.enable = true;
services.libinput.enable = true;
users.users.patrick = {
isNormalUser = true;
extraGroups = ["wheel"];
};
environment.systemPackages = with pkgs; [
vim
wget
curl
htop
podman
pinentry
qemu
OVMF
];
programs = {
hyprland.enable = true;
gnupg.agent.enable = true;
};
}

51
nixos/framework/hardware-configuration.nix Normal file
View File

@ -0,0 +1,51 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "thunderbolt" "uas" "sd_mod"];
boot.initrd.kernelModules = ["amdgpu"];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/87481706-b924-4987-b8c5-ab6a70b2c3c6";
fsType = "ext4";
};
boot.initrd.luks.gpgSupport = true;
boot.initrd.luks.devices.cryptroot = {
device = "/dev/disk/by-uuid/4b2ec3e2-2e6b-4a5a-923c-08ac3bf2d24e";
gpgCard = {
publicKey = ./5FA64909521A5C85992F26E0F819AEFF941BB849.asc;
gracePeriod = 15;
encryptedPass = ./key.gpg;
};
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/63B5-8D33";
fsType = "vfat";
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp193s0f3u1c2.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

BIN
nixos/framework/key.gpg Normal file
View File

Binary file not shown.

211
nixos/laptop/configuration.nix Normal file
View File

@ -0,0 +1,211 @@
{
config,
lib,
pkgs,
mypkgs,
inputs,
...
}: {
imports = [./hardware-configuration.nix];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.luks.devices = {
cryptlvm = {
device = "/dev/disk/by-uuid/1b3b8818-6085-4dd3-ab5e-c97cc49d2773";
allowDiscards = true;
preLVM = true;
};
};
boot.kernelPackages = pkgs.linuxPackages_6_8;
i18n.defaultLocale = "en_US.UTF-8";
time.timeZone = "Europe/Berlin";
hardware = {
bluetooth.enable = true;
graphics.enable = true;
printers = {
ensureDefaultPrinter = "Kyocera_FS-1370DN";
ensurePrinters = [
{
name = "Kyocera_FS-1370DN";
location = "HWLAB_DC3";
deviceUri = "socket://10.3.32.10";
model = "Kyocera/Kyocera_FS-1370DN.ppd";
}
];
};
};
networking = {
useDHCP = false;
networkmanager = {
enable = true;
plugins = with pkgs; [
networkmanager-openvpn
];
};
};
environment.systemPackages = with pkgs; [
vim
wget
];
networking.firewall.enable = false;
services = {
blueman.enable = true;
fprintd.enable = true;
illum.enable = true;
tlp.enable = true;
libinput.enable = true;
udev.extraRules = ''
KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0664", GROUP="plugdev"
# Keymapp Flashing rules for the ZSA Voyager
SUBSYSTEMS=="usb", ATTRS{idVendor}=="3297", MODE:="0666", SYMLINK+="ignition_dfu"
'';
printing = {
enable = true;
drivers = [
mypkgs.cups-kyocera-fs1370dn
];
};
openssh = {
enable = true;
ports = [222];
openFirewall = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
KbdInteractiveAuthentication = false;
};
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
logind = {
lidSwitch = "suspend";
lidSwitchDocked = "ignore";
lidSwitchExternalPower = "ignore";
extraConfig = ''
HoldoffTimeoutSec=300s
'';
};
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
xserver = {
enable = true;
# windowManager.awesome = {
# enable = true;
# package = pkgs.callPackage ../../overrides/awesome.nix {};
# };
displayManager = {
# sddm.enable = true;
# defaultSession = "none+awesome";
gdm = {
enable = true;
wayland = true;
};
};
};
clamav = {
daemon.enable = true;
updater.enable = true;
};
};
# services.jupyter = {
# enable = true;
# package = pkgs.jupyter-all;
# command = "jupyter-lab";
# group = "users";
# password = "'$argon2i$v=19$m=4096,t=3,p=1$a2pzamhrdjgzaGtzZGZoZGY4NzcydWhkZnM$fuPanvCWOsPNpBjyLaBz3YRRzmSSdpp8kaYJAyEPtWA'";
# kernels = let
# juliaEnv = pkgs.julia_19-bin.withPackages ["IJulia" "Plots"];
# ijulia = builtins.readFile (
# pkgs.runCommand "${juliaEnv.name}-ijulia-pkgdir"
# {
# buildInputs = [juliaEnv];
# } ''
# ${juliaEnv}/bin/julia -e 'using IJulia; print(pkgdir(IJulia))' >$out
# ''
# );
# in {
# ijulia = {
# displayName = "Julia ${juliaEnv.julia.version}";
# argv = [
# "${juliaEnv}/bin/julia"
# "-i"
# "--color=yes"
# "${ijulia}/src/kernel.jl"
# "{connection_file}"
# ];
# language = "julia";
# interruptMode = "signal";
# logo32 = "${ijulia}/deps/logo-32x32.png";
# logo64 = "${ijulia}/deps/logo-64x64.png";
# };
# };
# };
# # systemd.services.jupyter.environment.JUPYTER_DATA_DIR = builtins.toString (pkgs.jupyter-kernel.create {
# # definitions = config.services.jupyter.kernels;
# # });
# systemd.services.jupyter.environment.JUPYTER_DATA_DIR = ".jupyter/data";
# systemd.services.jupyter.environment.JUPYTER_RUNTIME_DIR = "/var/lib/jupyter/.local/share/jupyter/runtime";
security.sudo.configFile = ''
Defaults lecture=always
Defaults lecture_file=${../../misc/sudo_lecture}
'';
security.pam.services.swaylock = {};
fonts.packages = with pkgs; [
font-awesome
(nerdfonts.override {fonts = ["FiraMono"];})
mypkgs.comic-mono
];
programs.fish.enable = true;
programs.hyprland.enable = true;
users.groups.plugdev = {};
users.users.patrick = {
isNormalUser = true;
extraGroups = ["networkmanager" "wheel" "plugdev" "jupyter"];
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick"
];
};
virtualisation.podman.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

46
nixos/laptop/hardware-configuration.nix Normal file
View File

@ -0,0 +1,46 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usbhid" "rtsx_pci_sdmmc"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/a43c3c5f-5d24-485a-a6a0-ae5c9f984e72";
fsType = "ext4";
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/9ea5cd0a-2b78-4bf1-a8b2-e00cf495271a";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/A060-5378";
fsType = "vfat";
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

288
nixos/primordial/configuration.nix Normal file
View File

@ -0,0 +1,288 @@
{
config,
pkgs,
...
}: let
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets."gitea.env" = {};
sops.secrets."keycloak_db_pw" = {};
imports = [
./mail.nix
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking = {
hostName = "primordial";
interfaces.enp1s0 = {
ipv6.addresses = [
{
address = "2a01:4f8:c010:b448::";
prefixLength = 64;
}
];
};
defaultGateway6 = {
address = "fe80::1";
interface = "enp1s0";
};
firewall = {
enable = true;
allowedTCPPorts = [80 443];
};
};
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "en_US.UTF-8";
security.acme.acceptTerms = true;
security.acme.defaults.email = "huanzodev@gmail.com";
services = {
openssh = {
enable = true;
ports = [22];
openFirewall = true;
settings = {
PermitRootLogin = "yes";
PasswordAuthentication = false;
};
};
postgresql = {
enable = true;
ensureDatabases = ["matrix-synapse"];
ensureUsers = [
{
name = "matrix-synapse";
ensureDBOwnership = true;
}
];
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
host all all 127.0.0.1/32 md5
'';
};
matrix-synapse = {
enable = true;
settings.server_name = "fuckwit.dev";
# The public base URL value must match the `base_url` value set in `clientConfig` above.
# The default value here is based on `server_name`, so if your `server_name` is different
# from the value of `fqdn` above, you will likely run into some mismatched domain names
# in client applications.
settings.public_baseurl = "https://matrix.fuckwit.dev";
settings.listeners = [
{
port = 8005;
bind_addresses = ["127.0.0.1"];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = ["client" "federation"];
compress = true;
}
];
}
];
};
nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."fuckwit.dev" = let
serverConfig."m.server" = "matrix.fuckwit.dev:443";
clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
in {
enableACME = true;
forceSSL = true;
# This section is not needed if the server_name of matrix-synapse is equal to
# the domain (i.e. example.org from @foo:example.org) and the federation port
# is 8448.
# Further reference can be found in the docs about delegation under
# https://element-hq.github.io/synapse/latest/delegate.html
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
# This is usually needed for homeserver discovery (from e.g. other Matrix clients).
# Further reference can be found in the upstream docs at
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
virtualHosts."matrix.fuckwit.dev" = {
enableACME = true;
forceSSL = true;
# It's also possible to do a redirect here or something else, this vhost is not
# needed for Matrix. It's recommended though to *not put* element
# here, see also the section about Element.
locations."/".extraConfig = ''
return 404;
'';
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here.
locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
# Forward requests for e.g. SSO and password-resets.
locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
};
virtualHosts."vault.fuckwit.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
};
};
virtualHosts."git.fuckwit.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8001";
};
};
virtualHosts."grafana.fuckwit.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8002";
proxyWebsockets = true;
};
};
virtualHosts."influx.fuckwit.dev" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8003";
proxyWebsockets = true;
};
};
virtualHosts."sso.fuckwit.dev" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8004";
proxyWebsockets = true;
};
};
# virtualHosts."drone.fuckwit.dev" = {
# enableACME = true;
# addSSL = true;
# locations."/" = {
# proxyPass = "http://127.0.0.1:8004";
# proxyWebsockets = true;
# };
# };
};
vaultwarden = {
enable = true;
config = {
DOMAIN = "https://vault.fuckwit.dev";
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8000;
SIGNUPS_ALLOWED = false;
};
};
gitea = {
enable = true;
settings.service.DISABLE_REGISTRATION = true;
settings.actions.ENABLED = true;
settings.server = {
DOMAIN = "git.fuckwit.dev";
ROOT_URL = "https://git.fuckwit.dev";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 8001;
};
lfs.enable = true;
};
grafana = {
enable = true;
settings.server = {
domain = "grafana.fuckwit.dev";
http_addr = "127.0.0.1";
http_port = 8002;
};
};
influxdb2 = {
enable = true;
settings = {
http-bind-address = "127.0.0.1:8003";
};
};
keycloak = {
enable = true;
database = {
type = "postgresql";
createLocally = true;
passwordFile = config.sops.secrets."keycloak_db_pw".path;
};
settings = {
hostname = "sso.fuckwit.dev";
http-host = "127.0.0.1";
http-port = 8004;
proxy = "edge";
};
};
# drone-server = {
# enable = true;
# config = {
# giteaServer = "https://git.fuckwit.dev";
# serverHost = "drone.fuckwit.dev";
# serverPort = ":8004";
# serverProto = "https";
# };
# environmentFile = config.sops.secrets."gitea.env".path;
# };
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPflDQOANGhgtfo2psRwSFtY5ETHX/bsDmqrho3iX9jt root@arschlinux"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6oGHBFD3wo16buPtdYDat911gydOw2oFj80fTXL1xo batzi@DESKTOP-8A2VTHL"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK3otGMe8umxxJX5BbbBQ/+PQg37Puh0qjH8IILL95T patrick@mi"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDl3vLxNpinilTJp1rGsSYlVi+hIa+oECtge1i8bwz33AAAACHNzaDptYWlu"
];
system.stateVersion = "23.05";
}

53
nixos/primordial/hardware-configuration.nix Normal file
View File

@ -0,0 +1,53 @@
# Do not modify this file! It was generated by nixos-generate-config
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [];
boot.initrd = {
availableKernelModules = ["virtio_pci" "usbhid" "sd_mod" "sr_mod" "virtio_scsi"];
kernelModules = ["dm-snapshot"];
network.enable = true;
network.ssh = {
enable = true;
port = 222;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPflDQOANGhgtfo2psRwSFtY5ETHX/bsDmqrho3iX9jt root@arschlinux"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6oGHBFD3wo16buPtdYDat911gydOw2oFj80fTXL1xo batzi@DESKTOP-8A2VTHL"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK3otGMe8umxxJX5BbbBQ/+PQg37Puh0qjH8IILL95T patrick@mi"
];
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
};
luks.devices = {
cryptroot = {
device = "/dev/disk/by-uuid/9f88803e-558d-4819-a223-df88396071fe";
preLVM = true;
};
};
};
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/1837e2be-189b-49be-b518-8b2bbc49e27e";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7E04-4E21";
fsType = "vfat";
};
swapDevices = [];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

20
nixos/primordial/mail.nix Normal file
View File

@ -0,0 +1,20 @@
{
config,
pkgs,
...
}: {
mailserver = {
enable = true;
fqdn = "mail.fuckwit.dev";
domains = ["fuckwit.dev"];
loginAccounts = {
"me@fuckwit.dev" = {
hashedPassword = "$2b$05$Wl7pyRXrNBaUSuufqor9ZuJWeXxRaF.6kpbvHoxEp3i65Lnu5Yyg.";
catchAll = ["fuckwit.dev"];
};
};
certificateScheme = "acme-nginx";
};
}

34
nixos/primordial/secrets.yaml Normal file
View File

@ -0,0 +1,34 @@
gitea.env: ENC[AES256_GCM,data:wkSPzLQtL3vGNIjG+jG6I3+R7wLBBdXeaCHbKxMbpVOldo8zrPLu8HdoryneRro58d7D9Cao9x+n5SvYNfGwHPgDJG8saXTeyEffIWIKNC+5+8fjiWwIkAvstckmZjSLitVxcwhifs49jmZgW/xQBPEPiAHzVkjeueV7p/Jm9WgyD2ycPrKUvNEYJ6DWZqQq9r10Y/KsRZsvRzF2cp6YeX7YGjW7E2wuQz9yy8gOFHxmoJxAc4zM7XaKZWKtow1UPCjTtxiY7qRkWK7KQt21Xf3FCsU=,iv:qQv7hbqh3Kl6sE/XW37D9AbYt4gLJw5BnfbbLIkzOd4=,tag:g6Cecvdb67W01HvIULNzsQ==,type:str]
keycloak_db_pw: ENC[AES256_GCM,data:1oBqzpFokAmjkT770YKYwzCllaGTprtDR9W4B/+V6ZUXPhJ1R9DNWZHqpQ==,iv:dK36GBiDj12HVjUkZqTVk/rR6s1sf6dmQTk1ZJQwi+I=,tag:6Ix9QSf+A0U82sG0z8wSmw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12u7ayy2q5dps2pcpc6z7962pz07jxv3tt03hna6jyumlu4fdjvtqdg2n3e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzdzZwcllIMEwwVXFlVDVi
WjJOUmlKbVRmWllpWnhtdWZJclBxM2o2bFRNCmo3citJUTFPS2x0ekVZSnIzRkRI
VFgrenZDbTZFbm1wS0pLU2swVnhVNlkKLS0tIGhTWnpEZElSc2RJTWNTaWV0TjhG
V1h2NGxyNVc3WnF2ZFBpQm1oK1AzeGcK4GoD2E8nwOl/WKtgMgs0Y1Q8abRX4mpy
GdHGDQUWvySCisJo4JXsooYkLjOyKvir+vcVbX4nDd4L1W2OMULkrg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-25T19:17:29Z"
mac: ENC[AES256_GCM,data:Qnou0/umwMX2XD7gDF6SceFI5tLjOO30OVhFSXhxc2yuFj/gB0R1bPplLm5j/wmxfRQDvvm2zLgGFMqt+8i4Z+6OYgbuwFcv4FR2E001aWVj1zh+F8pRZVTxqnsvegoKWQwoXkhZe5S/fjX9N09SMYhBkjLUh9fboGXajEpDws8=,iv:hTQgeyli/MPaUVxJSzhDK+ssxv78w7hRBtQ1pnZGASg=,tag:HDKQ2duHMYvGa74Vp0fIjw==,type:str]
pgp:
- created_at: "2024-01-25T11:10:44Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DMGJRmcuHhnsSAQdAzUIeSKtxy9kMAxDPoaY3n6avZ6DgxInoP3PjyrTgERww
7D6dPyaBVNIVKR54ZNYfMtPDescbDV4W3c3MI+eTsi76BqbFEdLHfShlKcWy9FZ1
1GgBCQIQRMPHNYC1ef7LAasDcVtWsSfakMk1RQ8FmOPPXLdRJQUAqBJ6gwJG6f+V
oXE5qUuvVjEvZzIxuhmVBb+mlLRq4UVW6brjH65Gfh8ofXWzHmLLXbEHI31HUc4e
7GBBHbB8U36bxQ==
=VHqv
-----END PGP MESSAGE-----
fp: 5FA64909521A5C85992F26E0F819AEFF941BB849
unencrypted_suffix: _unencrypted
version: 3.8.1