commit ac76e6f10b165b7adb6809e73397a7d523a9dbb1
Author: m3tam3re
Date: Wed May 15 09:25:27 2024 +0000
first commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..84c5e1d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+/result
+*.qcow2
+\#
+#
+.#
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..b337ffd
--- /dev/null
+++ b/flake.lock
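Review bot: The bare `+#` line is a comment in gitignore syntax and ignores nothing, and `\#` only matches a file literally named `#`. If the intent is Emacs auto-save and lock files, which are named `#name#` and `.#name`, the patterns are `\#*#` and `.#*`; as written `.#` also only matches an exact filename.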
@@ -0,0 +1,367 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1715101957, + "narHash": "sha256-fs5uVQFTfgb4L9pnhldeyTHNcYwn1U4nKYoCBJ6W3W4=", + "owner": "ryantm", + "repo": "agenix", + "rev": "07479c2e7396acaaaac5925483498154034ea80a", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs_2", + "utils": "utils" + }, + "locked": { + "lastModified": 1711973905, + "narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "dotfiles": { + "flake": false, + "locked": { + "lastModified": 1713941143, + "narHash": "sha256-xkjxhTUToZ5KOT46te2q+59k7hgMmVxlhomvYrWCD+Y=", + "ref": "refs/heads/master", + "rev": "9c79f4672bee385c7ae0c69153a60103627e12c2", + "revCount": 12, + "type": "git", + "url": "https://code.m3tam3re.com/m3tam3re/dotfiles.git" + }, + "original": { + "type": "git", + "url": "https://code.m3tam3re.com/m3tam3re/dotfiles.git" + } + }, + "fenix": { + "inputs": { + "nixpkgs": [ + "fh", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "narHash": "sha256-0dZpggYjjmWEk+rGixiBHOHuQfLzEzNfrtjSig04s6Q=", + "rev": 
"9ccae1754eec0341b640d5705302ac0923d22875", + "revCount": 1618, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/nix-community/fenix/0.1.1618%2Brev-9ccae1754eec0341b640d5705302ac0923d22875/018aea4c-03c9-7734-95d5-b84cc8881e3d/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/nix-community/fenix/0.1.1565.tar.gz" + } + }, + "fh": { + "inputs": { + "fenix": "fenix", + "flake-compat": "flake-compat_2", + "naersk": "naersk", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1711118970, + "narHash": "sha256-fRaKydMSwd1zl6ptBKvn5ej2pqtI8xi9dioFmR8QA+g=", + "rev": "73fed26f0231ae650122beb3ac1b7654b5cc682c", + "revCount": 425, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/fh/0.1.10/018e66b1-a218-7f23-949d-ace71c4e4c8b/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/DeterminateSystems/fh/%2A.tar.gz" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "locked": { + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "revCount": 57, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.0.1.tar.gz" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": 
"home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715077503, + "narHash": "sha256-AfHQshzLQfUqk/efMtdebHaQHqVntCMjhymQzVFLes0=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "6e277d9566de9976f47228dd8c580b97488734d4", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "naersk": { + "inputs": { + "nixpkgs": [ + "fh", + "nixpkgs" + ] + }, + "locked": { + "narHash": "sha256-TunvZMCxXHvU6fz5kq3XTLfojIvTDlbFGfPUFtwCU5o=", + "rev": "06a99941d72e2202ed62b8aa08b9869817fea56f", + "revCount": 332, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/nix-community/naersk/0.1.332%2Brev-06a99941d72e2202ed62b8aa08b9869817fea56f/018b61d4-48e5-77e8-8893-9f917732b11a/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/nix-community/naersk/0.1.332.tar.gz" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1714971268, + "narHash": "sha256-IKwMSwHj9+ec660l+I4tki/1NRoeGpyA2GdtdYpAgEw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "27c13997bf450a01219899f5a83bd6ffbfc70d3c", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1702272962, + "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=", + 
"owner": "NixOS", + "repo": "nixpkgs", + "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "narHash": "sha256-9NJcFF9CEYPvHJ5ckE8kvINvI84SZZ87PvqMbH6pro0=", + "rev": "5e4c2ada4fcd54b99d56d7bd62f384511a7e2593", + "revCount": 534806, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.534806%2Brev-5e4c2ada4fcd54b99d56d7bd62f384511a7e2593/018b29e9-ae6d-72f2-993b-19cb9a64a3b5/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.514192.tar.gz" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1715087517, + "narHash": "sha256-CLU5Tsg24Ke4+7sH8azHWXKd0CFd4mhLWfhYgUiDBpQ=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b211b392b8486ee79df6cdfb1157ad2133427a29", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "deploy-rs": "deploy-rs", + "dotfiles": "dotfiles", + "fh": "fh", + "home-manager": "home-manager_2", + "nixpkgs": "nixpkgs_4", + "nixpkgs-stable": "nixpkgs-stable" + } + }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1696050837, + "narHash": "sha256-2K3Aq4gjPZBDnkAMJaMA4ElE+BNbmrqtSBWtt9kPGaM=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "0840038f02daec6ba3238f05d8caa037d28701a0", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": 
"default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..625b06b --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,133 @@ +{ + description = '' + This i my basic NixOS system configuration. Feel free to reuse anything you find useful. + ''; + + inputs = { + home-manager = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + agenix.url = "github:ryantm/agenix"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11"; + fh.url = "https://flakehub.com/f/DeterminateSystems/fh/*.tar.gz"; + deploy-rs.url = "github:serokell/deploy-rs"; + dotfiles.url = "git+https://code.m3tam3re.com/m3tam3re/dotfiles.git"; + dotfiles.flake = false; # Use this if your dotfiles repo is not a flake + }; + + outputs = { + self, + dotfiles, + nixpkgs, + fh, + home-manager, + agenix, + deploy-rs, + ... + } @ inputs: let + inherit (self) outputs; + lib = nixpkgs.lib; + systems = [ + "aarch64-linux" + "i686-linux" + "x86_64-linux" + "aarch64-darwin" + "x86_64-darwin" + ]; + forAllSystems = nixpkgs.lib.genAttrs systems; + in { + packages = + forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system}); + formatter = + forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra); + overlays = import ./overlays {inherit inputs;}; + nixosConfigurations = { + lkk-nix-1 = lib.nixosSystem rec { + specialArgs = {inherit inputs outputs;}; + modules = [./hosts/lkk-nix-1 agenix.nixosModules.default]; + }; + m3-r1 = lib.nixosSystem { + specialArgs = {inherit inputs outputs;}; + modules = [./hosts/m3-r1 agenix.nixosModules.default]; + }; + lkk-prod-1 = lib.nixosSystem { + specialArgs = {inherit inputs outputs;}; + modules = [./hosts/lkk-prod-1 agenix.nixosModules.default]; + }; + lkk-prod-2 = lib.nixosSystem { + specialArgs = {inherit inputs outputs;}; + modules = [./hosts/lkk-prod-2 agenix.nixosModules.default]; + }; + m3-nix = lib.nixosSystem { + specialArgs = {inherit inputs outputs;}; + modules = [./hosts/m3-nix agenix.nixosModules.default]; + }; + }; + homeConfigurations = { + # Laptop + 
"m3tam3re@m3-nix" = home-manager.lib.homeManagerConfiguration { + pkgs = nixpkgs.legacyPackages."x86_64-linux"; + extraSpecialArgs = {inherit inputs outputs;}; + modules = [./home/users/m3tam3re/m3-nix.nix]; + }; + "m3tam3re@lkk-nix-1" = home-manager.lib.homeManagerConfiguration { + pkgs = nixpkgs.legacyPackages."x86_64-linux"; + extraSpecialArgs = { + # pass things to t + }; + modules = [./home/users/m3tam3re/lkk-nix-1.nix]; + }; + "m3tam3re@m3-r1" = home-manager.lib.homeManagerConfiguration { + pkgs = nixpkgs.legacyPackages."x86_64-linux"; + extraSpecialArgs = { + # pass things to t + }; + modules = [./home/users/m3tam3re/m3-r1.nix]; + }; + }; + deploy.nodes.lkk-nix-1 = { + hostname = "lkk-nix-1"; + sshUser = "root"; + profiles.system = { + user = "root"; + path = + deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.lkk-nix-1; + }; + }; + deploy.nodes.m3-r1 = { + hostname = "m3-r1"; + sshUser = "root"; + activationTimeout = 600; + profiles.system = { + user = "root"; + path = + deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.m3-r1; + }; + }; + deploy.nodes.lkk-prod-1 = { + hostname = "lkk-prod-1"; + sshUser = "root"; + profiles.system = { + user = "root"; + path = + deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.lkk-prod-1; + }; + }; + deploy.nodes.lkk-prod-2 = { + hostname = "lkk-prod-2"; + sshUser = "root"; + profiles.system = { + user = "root"; + path = + deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.lkk-prod-2; + }; + }; + deploy.remoteBuild = true; + }; +} diff --git a/home/features/cli/default.nix b/home/features/cli/default.nix new file mode 100644 index 0000000..c0591d2 --- /dev/null +++ b/home/features/cli/default.nix 
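Review bot: All four `deploy.nodes.*` entries set `sshUser = "root"` together with `user = "root"`, so every deployment depends on root login being enabled in the targets' sshd; the host modules under ./hosts are not in this commit, so I cannot tell whether that login is at least restricted to key-based auth. deploy-rs escalates with sudo when `sshUser` differs from `user`, so an unprivileged deployment account (`sshUser = "<deploy-user>";` with `user = "root";` unchanged) would let the hosts turn off root SSH login while activating the same profile. Separately, the `m3tam3re@lkk-nix-1` and `m3tam3re@m3-r1` homeConfigurations pass an empty `extraSpecialArgs` (the comment `# pass things to t` is cut off), whereas `m3tam3re@m3-nix` passes `{inherit inputs outputs;}`; if those host files import the base module that reads `outputs.overlays`, evaluation fails, so `extraSpecialArgs = {inherit inputs outputs;};` for all three looks intended. The description string also reads `This i my basic`, missing an "s".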
@@ -0,0 +1,67 @@
+{ pkgs, ... }: {
+ imports = [
+ ./fish.nix
+ ./neofetch.nix
+ ./secrets.nix
+ ./scripts.nix
+ ./starship.nix
+ ./zellij.nix
+ ];
+
+ programs.zoxide = {
+ enable = true;
+ enableFishIntegration = true;
+ };
+
+ programs.fzf = {
+ enable = true;
+ enableFishIntegration = true;
+ defaultOptions = [ "--preview='bat --color=always --style=numbers {}'" ];
+ };
+
+ programs.neovim = {
+ enable = true;
+ defaultEditor = true;
+ viAlias = true;
+ vimAlias = true;
+ vimdiffAlias = true;
+ withNodeJs = true;
+ withPython3 = true;
+ };
+
+ programs.bat = { enable = true; };
+
+ programs.eza = {
+ enableFishIntegration = true;
+ enableBashIntegration = true;
+ git = true;
+ icons = true;
+ };
+
+ home.packages = with pkgs; [
+ alejandra
+ bc
+ comma
+ coreutils
+ devenv
+ direnv
+ eza
+ fd
+ htop
+ httpie
+ jq
+ just
+ lf
+ nix-index
+ open-interpreter
+ procs
+ progress
+ ripgrep
+ tldr
+ trash-cli
+ tree
+ unzip
+ wttrbar
+ zip
+ ];
+}
diff --git a/home/features/cli/fish.nix b/home/features/cli/fish.nix
new file mode 100644
index 0000000..8d4b512
--- /dev/null
+++ b/home/features/cli/fish.nix
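Review bot: `programs.eza` sets `enableFishIntegration`, `enableBashIntegration`, `git` and `icons` but never `enable = true`, and home-manager's eza module applies its shell integration only when `enable` is set, so this block currently adds nothing beyond the `eza` package already in `home.packages`; add `enable = true;` to the block. Once enabled, its fish aliases overlap with the `ls = "eza"` abbreviation in `fish.nix`, so keep one of the two.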
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let cfg = config.features.cli.fish;
+in {
+ options.features.cli.fish.enable = mkEnableOption "enable fish shell";
+
+ config = mkIf cfg.enable {
+ programs.fish = {
+ enable = true;
+ plugins = [{
+ name = "foreign-env";
+ src = pkgs.fetchFromGitHub {
+ owner = "oh-my-fish";
+ repo = "plugin-foreign-env";
+ rev = "dddd9213272a0ab848d474d0cbde12ad034e65bc";
+ sha256 = "00xqlyl3lffc5l0viin1nyp819wf81fncqyz87jx8ljjdhilmgbs";
+ };
+ }];
+ loginShellInit = ''
+ set -x TERMINAL alacritty
+ set -x XDG_DATA_HOME $HOME/.local/share
+ set -x FZF_CTRL_R_OPTS "
+ --preview='bat --color=always -n {}'
+ --preview-window up:3:hidden:wrap
+ --bind 'ctrl-/:toggle-preview'
+ --color header:bold
+ --header 'Press CTRL-Y to copy command into clipboard'"
+ set -x FZF_ALT_C_COMMAND fd --type d --exclude .git --follow --hidden
+ set -x FZF_DEFAULT_COMMAND fd --type f --exclude .git --follow --hidden
+ set -x FZF_CTRL_T_COMMAND "$FZF_DEFAULT_COMMAND"
+ set -x FZF_DEFAULT_OPTS "
+ --preview='bat --color=always -n {}'
+ --bind 'ctrl-/:toggle-preview'
+ --color=fg:#f8f8f2,bg:#282a36,hl:#bd93f9
+ --color=fg+:#f8f8f2,bg+:#44475a,hl+:#bd93f9
+ --color=info:#ffb86c,prompt:#50fa7b,pointer:#ff79c6
+ --color=marker:#ff79c6,spinner:#ffb86c,header:#6272a4"
+ '';
+ shellAbbrs = {
+ ".." = "cd ..";
+ ls = "eza";
+ grep = "rg";
+ ps = "procs";
+ just = "just --unstable";
+ fs = "du -ah . | sort -hr | head -n 10";
+
+ tsu = "sudo tailscale up";
+ tsd = "sudo tailscale down";
+ };
+ };
+ };
+}
diff --git a/home/features/cli/neofetch.nix b/home/features/cli/neofetch.nix
new file mode 100644
index 0000000..e4123da
--- /dev/null
+++ b/home/features/cli/neofetch.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.cli.neofetch;
+in {
+ options.features.cli.neofetch.enable = mkEnableOption "enable neofetch";
+
+ config = mkIf cfg.enable {
+ home.packages = with pkgs; [neofetch];
+ };
+}
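Review bot: The `FZF_CTRL_R_OPTS` string advertises `--header 'Press CTRL-Y to copy command into clipboard'` but the only `--bind` in that block is `ctrl-/:toggle-preview`, so the hint describes a binding that does not exist in this configuration; either add a `ctrl-y` action to the `--bind` list or drop the header line. The `fetchFromGitHub` plugin source is pinned by both `rev` and `sha256`, which is the right shape for a third-party shell plugin.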
diff --git a/home/features/cli/scripts.nix b/home/features/cli/scripts.nix
new file mode 100644
index 0000000..acf64bb
--- /dev/null
+++ b/home/features/cli/scripts.nix
@@ -0,0 +1 @@
+{pkgs, ...}: {home.packages = [pkgs.zellij-ps];}
diff --git a/home/features/cli/secrets.nix b/home/features/cli/secrets.nix
new file mode 100644
index 0000000..df4ca6f
--- /dev/null
+++ b/home/features/cli/secrets.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.cli.secrets;
+in {
+ options.features.cli.secrets.enable = mkEnableOption "enable secrets";
+
+ config = mkIf cfg.enable {
+ programs.password-store = {
+ enable = true;
+ package =
+ pkgs.pass-wayland.withExtensions
+ (exts: [exts.pass-otp exts.pass-import]);
+ };
+ home.packages = with pkgs; [pinentry];
+ };
+}
diff --git a/home/features/cli/starship.nix b/home/features/cli/starship.nix
new file mode 100644
index 0000000..f3d53f6
--- /dev/null
+++ b/home/features/cli/starship.nix
@@ -0,0 +1,18 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.cli.starship;
+in {
+ options.features.cli.starship.enable = mkEnableOption "enable starship prompt";
+
+ config = mkIf cfg.enable {
+ programs.starship = {
+ enable = true;
+ enableFishIntegration = true;
+ };
+ };
+}
diff --git a/home/features/cli/zellij.nix b/home/features/cli/zellij.nix
new file mode 100644
index 0000000..e5c3d62
--- /dev/null
+++ b/home/features/cli/zellij.nix
@@ -0,0 +1,17 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.cli.zellij;
+in {
+ options.features.cli.zellij.enable = mkEnableOption "enable tmux";
+
+ config = mkIf cfg.enable {
+ programs.zellij = {
+ enable = true;
+ };
+ };
+}
diff --git a/home/features/coding/default.nix b/home/features/coding/default.nix
new file mode 100644
index 0000000..0f48295
--- /dev/null
+++ b/home/features/coding/default.nix
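Review bot: `secrets.nix` enables `programs.password-store` and drops `pinentry` into `home.packages`, but nothing in this feature configures gpg-agent, and a pinentry binary in the profile alone is not necessarily the one the agent is told to use; unless a host module outside this commit sets that up, the feature is not self-contained, and adding `services.gpg-agent.enable = true;` with a pinentry selected for it next to the password-store block would make it so. Separately, `zellij.nix` declares its option as `mkEnableOption "enable tmux"`, a copy-paste leftover; `mkEnableOption "enable zellij"` matches the sibling features.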
@@ -0,0 +1,13 @@
+{pkgs, ...}: {
+ imports = [./emacs.nix ./golang.nix ./nix.nix ./nodejs.nix ./rust.nix ./tools.nix];
+
+ home.packages = with pkgs; [
+ cachix
+ cmake
+ gcc
+ ispell
+ guile_3_0
+ tinyscheme
+ python3
+ ];
+}
diff --git a/home/features/coding/emacs.nix b/home/features/coding/emacs.nix
new file mode 100644
index 0000000..27ff711
--- /dev/null
+++ b/home/features/coding/emacs.nix
@@ -0,0 +1,8 @@
+{pkgs, ...}: {
+ services.emacs.enable = true;
+ programs.emacs = {
+ enable = true;
+ package = pkgs.emacs29;
+ extraPackages = epkgs: [epkgs.vterm];
+ };
+}
diff --git a/home/features/coding/golang.nix b/home/features/coding/golang.nix
new file mode 100644
index 0000000..59df1a0
--- /dev/null
+++ b/home/features/coding/golang.nix
@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+ home.packages = with pkgs; [
+ gopls
+ ];
+}
diff --git a/home/features/coding/nix.nix b/home/features/coding/nix.nix
new file mode 100644
index 0000000..ea98a2b
--- /dev/null
+++ b/home/features/coding/nix.nix
@@ -0,0 +1,9 @@
+{pkgs, ...}: {
+ home.packages = with pkgs; [
+ appimage-run
+ deploy-rs
+ nil
+ nix-prefetch-git
+ nixfmt
+ ];
+}
diff --git a/home/features/coding/nodejs.nix b/home/features/coding/nodejs.nix
new file mode 100644
index 0000000..4319bef
--- /dev/null
+++ b/home/features/coding/nodejs.nix
@@ -0,0 +1 @@
+{pkgs, ...}: {home.packages = with pkgs; [nodejs];}
diff --git a/home/features/coding/rust.nix b/home/features/coding/rust.nix
new file mode 100644
index 0000000..9c8c9eb
--- /dev/null
+++ b/home/features/coding/rust.nix
@@ -0,0 +1 @@
+{pkgs, ...}: {home.packages = with pkgs; [];}
diff --git a/home/features/coding/tools.nix b/home/features/coding/tools.nix
new file mode 100644
index 0000000..540b54e
--- /dev/null
+++ b/home/features/coding/tools.nix
@@ -0,0 +1,10 @@
+{pkgs, ...}: {
+ programs = {
+ direnv = {
+ enable = true;
+ nix-direnv.enable = true;
+ };
+ };
+
+ home.packages = with pkgs; [insomnia hugo pandoc];
+}
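Review bot: `rust.nix` contributes an empty `home.packages = with pkgs; [];` yet is still listed in `coding/default.nix`'s imports, so it is a placeholder module that does nothing; either add the intended toolchain packages or drop the file and its import until they exist. `golang.nix`, which installs only `gopls`, is the same single-package shape and could be folded into `default.nix` if the per-language split is not going to grow.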
diff --git a/home/features/desktop/crypto.nix b/home/features/desktop/crypto.nix
new file mode 100644
index 0000000..4b7e6eb
--- /dev/null
+++ b/home/features/desktop/crypto.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.desktop.crypto;
+in {
+ options.features.desktop.crypto.enable = mkEnableOption "Enable Crypto";
+
+ config = mkIf cfg.enable {
+ home.packages = with pkgs; [bisq-desktop monero-gui trezor-suite];
+ };
+}
diff --git a/home/features/desktop/default.nix b/home/features/desktop/default.nix
new file mode 100644
index 0000000..a77105a
--- /dev/null
+++ b/home/features/desktop/default.nix
@@ -0,0 +1,153 @@
+{ pkgs, ... }: {
+ imports = [
+ ./crypto.nix
+ ./design.nix
+ ./extrafonts.nix
+ ./media.nix
+ ./office.nix
+ ./theme.nix
+ ./syncthing.nix
+ ./wayland.nix
+ ./wofi.nix
+ ];
+
+ xdg = {
+ enable = true;
+ configFile."mimeapps.list".force = true;
+ mimeApps = {
+ enable = true;
+ associations.added = {
+ "application/zip" = [ "org.gnome.FileRoller.desktop" ];
+ "application/csv" = [ "calc.desktop" ];
+ "application/pdf" = [ "okularApplication_pdf.desktop" ];
+ "x-scheme-handler/org-protocol" = [ "org-protocol.desktop" ];
+ };
+ defaultApplications = {
+ "application/zip" = [ "org.gnome.FileRoller.desktop" ];
+ "application/csv" = [ "calc.desktop" ];
+ "application/pdf" = [ "okularApplication_pdf.desktop" ];
+ "x-scheme-handler/org-protocol" = [ "org-protocol.desktop" ];
+ };
+ };
+ userDirs = {
+ enable = true;
+ createDirectories = true;
+ };
+ };
+
+ home.sessionVariables = {
+ WEBKIT_DISABLE_COMPOSITING_MODE = "1";
+ NIXOS_OZONE_WL = "1";
+ TERMINAL = "alacritty";
+ QT_QPA_PLATFORM = "wayland";
+ };
+ home.sessionPath =
+ [ "\${XDG_BIN_HOME}" "\${HOME}/.cargo/bin" "$HOME/.npm-global/bin" ];
+
+ fonts.fontconfig.enable = true;
+
+ services.mako = {
+ enable = true;
+ backgroundColor = "#282a36";
+ textColor = "#80FFEA";
+ borderColor = "#9742b5";
+ width = 400;
+ height = 150;
+ padding = "10,20";
+ borderRadius = 8;
+ borderSize = 1;
+ margin = "20,20";
+ };
+
+ programs.alacritty = {
+ enable = true;
+ settings = {
+ env.TERM = "xterm-256color";
+ font = {
+ size = 12;
+ #draw_bold_text_with_bright_colors = true;
+ };
+ scrolling.multiplier = 5;
+ selection.save_to_clipboard = true;
+ colors = {
+ primary = {
+ background = "0x22212c";
+ #foregound = "0xf8f8f2";
+ };
+ cursor = {
+ text = "0x454158";
+ cursor = "0xf8f8f2";
+ };
+ selection = {
+ text = "0xf8f8f2";
+ background = "0x454158";
+ };
+ normal = {
+ black = "0x22212c";
+ red = "0xff9580";
+ green = "0x8aff80";
+ yellow = "0xffff80";
+ blue = "0x9580ff";
+ magenta = "0xff80bf";
+ cyan = "0x80ffea";
+ white = "0xf8f8f2";
+ };
+ bright = {
+ black = "0x22212c";
+ red = "0xffaa99";
+ green = "0xa2ff99";
+ yellow = "0xffff99";
+ blue = "0xaa99ff";
+ magenta = "0xff99cc";
+ cyan = "0x99ffee";
+ white = "0xffffff";
+ };
+ };
+ };
+ };
+ home.pointerCursor = {
+ gtk.enable = true;
+ package = pkgs.bibata-cursors;
+ name = "Bibata-Modern-Ice";
+ size = 20;
+ };
+ home.packages = with pkgs; [
+ appimage-run
+ anytype
+ blueberry
+ brave
+ brightnessctl
+ clipman
+ distrobox
+ eww
+ gnome.file-roller
+ gnome.seahorse
+ gnome.sushi
+ glib
+ gsettings-desktop-schemas
+ graphviz
+ hyprpaper
+ ksnip
+ nwg-look
+ pamixer
+ pavucontrol
+ libsForQt5.qtstyleplugins
+ nyxt
+ pcmanfm
+ qt5ct
+ qt6.qtwayland
+ rustdesk
+ socat
+ unrar
+ unzip
+ usbutils
+ v4l-utils
+ remmina
+ wl-clipboard
+ wlogout
+ wtype
+ xdg-utils
+ ydotool
+ zip
+ ];
+}
diff --git a/home/features/desktop/design.nix b/home/features/desktop/design.nix
new file mode 100644
index 0000000..9a72765
--- /dev/null
+++ b/home/features/desktop/design.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.desktop.design;
+in {
+ options.features.desktop.design.enable = mkEnableOption "enable design tools";
+
+ config = mkIf cfg.enable {
+ home.packages = with pkgs; [
+ argyllcms
+ cyan
+ gimp
+ gimpPlugins.gmic
+ gmic
+ gmic-qt
+ imagemagick
+ inkscape
+ lcms2
+ ];
+ };
+}
diff --git a/home/features/desktop/extrafonts.nix b/home/features/desktop/extrafonts.nix
new file mode 100644
index 0000000..33f51e8
--- /dev/null
+++ b/home/features/desktop/extrafonts.nix
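Review bot: `home.sessionPath` adds `"\${XDG_BIN_HOME}"`, which the escaped interpolation turns into a literal `${XDG_BIN_HOME}` that is only expanded when the generated session file is sourced; `XDG_BIN_HOME` is not a variable the XDG base-directory spec defines and nothing in this commit sets it (`home.sessionVariables` just above does not), so unless a host module exports it the entry expands to an empty string and PATH gains an empty component, which POSIX shells treat as the current directory, meaning a command not found earlier in PATH is looked up in whatever directory the shell happens to be in. Replace it with the concrete directory intended, e.g. `"\${HOME}/.local/bin"`, or set `XDG_BIN_HOME` in `home.sessionVariables` so the expansion can never be empty. The mixed `\${HOME}` and `$HOME` quoting on the same line works but is worth unifying, and `#foregound` in the commented alacritty colour is a typo for `foreground` that will bite whoever uncomments it.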
@@ -0,0 +1,23 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.desktop.extrafonts;
+in {
+ options.features.desktop.extrafonts.enable = mkEnableOption "install additional fonts for desktop apps";
+
+ config = mkIf cfg.enable {
+ home.packages = with pkgs; [
+ emacs-all-the-icons-fonts
+ fira-code
+ fira-code-symbols
+ fira-code-nerdfont
+ font-manager
+ font-awesome_5
+ noto-fonts
+ ];
+ };
+}
diff --git a/home/features/desktop/media.nix b/home/features/desktop/media.nix
new file mode 100644
index 0000000..6e30b82
--- /dev/null
+++ b/home/features/desktop/media.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let cfg = config.features.desktop.media;
+in {
+ options.features.desktop.media.enable =
+ mkEnableOption "enable media features";
+
+ config = mkIf cfg.enable {
+ home.packages = with pkgs; [
+ audacity
+ ffmpeg_6-full
+ gphoto2
+ handbrake
+ stable.libsForQt5.kdenlive
+ makemkv
+ mediainfo
+ mpv
+ plexamp
+ spotify
+ uxplay
+ vlc
+ webcord
+ youtube-dl
+ unimatrix
+ ];
+
+ programs.obs-studio = {
+ enable = true;
+ plugins = with pkgs.obs-studio-plugins; [
+ input-overlay
+ wlrobs
+ obs-vertical-canvas
+ ];
+ };
+ };
+}
diff --git a/home/features/desktop/office.nix b/home/features/desktop/office.nix
new file mode 100644
index 0000000..41be21a
--- /dev/null
+++ b/home/features/desktop/office.nix
@@ -0,0 +1,16 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.desktop.office;
+in {
+ options.features.desktop.office.enable =
+ mkEnableOption "enable office features";
+
+ config = mkIf cfg.enable {
+ home.packages = with pkgs; [libreoffice neomutt pdftk okular zathura];
+ };
+}
diff --git a/home/features/desktop/plasma.nix b/home/features/desktop/plasma.nix
new file mode 100644
index 0000000..34bf484
--- /dev/null
+++ b/home/features/desktop/plasma.nix
@@ -0,0 +1,21 @@
+{
+ pkgs,
+ lib,
+ outputs,
+ ...
+}: {
+ imports = [
+ #
+ ];
+
+ home.packages = with pkgs; [
+ alacritty
+ brave
+ libreoffice
+ nextcloud-client
+ xclip
+ libnotify
+ espanso
+ firefox
+ ];
+}
diff --git a/home/features/desktop/syncthing.nix b/home/features/desktop/syncthing.nix
new file mode 100644
index 0000000..3a8a041
--- /dev/null
+++ b/home/features/desktop/syncthing.nix
@@ -0,0 +1,4 @@
+{pkgs, ...}: {
+ services.syncthing = {enable = true;};
+ home.packages = with pkgs; [syncthingtray-minimal];
+}
diff --git a/home/features/desktop/theme.nix b/home/features/desktop/theme.nix
new file mode 100644
index 0000000..d6f8874
--- /dev/null
+++ b/home/features/desktop/theme.nix
@@ -0,0 +1,17 @@
+{pkgs, ...}: {
+ qt = {
+ enable = true;
+ platformTheme = "gtk";
+ };
+ gtk = {
+ enable = true;
+ theme = {
+ name = "Dracula";
+ package = pkgs.dracula-theme;
+ };
+ iconTheme = {
+ name = "Dracula";
+ package = pkgs.dracula-icon-theme;
+ };
+ };
+}
diff --git a/home/features/desktop/wayland.nix b/home/features/desktop/wayland.nix
new file mode 100644
index 0000000..b88956c
--- /dev/null
+++ b/home/features/desktop/wayland.nix
@@ -0,0 +1,15 @@
+{ inputs, config, lib, pkgs, ... }: {
+ programs.waybar = { enable = true; };
+ home.packages = with pkgs; [
+ grim
+ hypridle
+ hyprlock
+ mimeo
+ pulseaudio
+ slurp
+ waypipe
+ wf-recorder
+ wl-mirror
+ ydotool
+ ];
+}
diff --git a/home/features/desktop/wofi.nix b/home/features/desktop/wofi.nix
new file mode 100644
index 0000000..88b10c0
--- /dev/null
+++ b/home/features/desktop/wofi.nix
@@ -0,0 +1,7 @@
+{
+ pkgs,
+ outputs,
+ ...
+}: {
+ home.packages = [pkgs.wofi pkgs.bemoji pkgs.wofi-pass];
+}
diff --git a/home/features/gaming/default.nix b/home/features/gaming/default.nix
new file mode 100644
index 0000000..6cae595
--- /dev/null
+++ b/home/features/gaming/default.nix
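Review bot: `plasma.nix` is added but does not appear in the import list of `desktop/default.nix` (which names crypto, design, extrafonts, media, office, theme, syncthing, wayland and wofi), its `imports = [ # ];` is empty and its `lib` and `outputs` arguments are never used, so unless a host file outside this commit imports it the module is dead code; either wire it in behind a `features.desktop.plasma.enable` option like its siblings or drop the file. `wayland.nix` likewise binds `inputs`, `config` and `lib` without using them, and `wofi.nix` binds `outputs`; trimming these to `{ pkgs, ... }` keeps the module signatures honest.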
@@ -0,0 +1,11 @@
+{pkgs, ...}: {
+ imports = [./sunshine.nix];
+ home.packages = with pkgs; [
+ gamemode
+ gamescope
+ goverlay
+ mangohud
+ ryujinx
+ protonup-ng
+ ];
+}
diff --git a/home/features/gaming/sunshine.nix b/home/features/gaming/sunshine.nix
new file mode 100644
index 0000000..c0bcee5
--- /dev/null
+++ b/home/features/gaming/sunshine.nix
@@ -0,0 +1,15 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.gaming.sunshine;
+in {
+ options.features.gaming.sunshine.enable = mkEnableOption "enable Sunshine";
+
+ config = mkIf cfg.enable {
+ home.packages = with pkgs; [sunshine];
+ };
+}
diff --git a/home/features/hardware/default.nix b/home/features/hardware/default.nix
new file mode 100644
index 0000000..0c17c09
--- /dev/null
+++ b/home/features/hardware/default.nix
@@ -0,0 +1,6 @@
+{pkgs, ...}: {
+ home.packages = with pkgs; [
+ lm_sensors
+ powertop
+ ];
+}
diff --git a/home/features/privacy/default.nix b/home/features/privacy/default.nix
new file mode 100644
index 0000000..b5d380c
--- /dev/null
+++ b/home/features/privacy/default.nix
@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+ home.packages = with pkgs; [
+ i2p
+ ];
+}
diff --git a/home/features/virtualization/default.nix b/home/features/virtualization/default.nix
new file mode 100644
index 0000000..c43eb43
--- /dev/null
+++ b/home/features/virtualization/default.nix
@@ -0,0 +1 @@
+{imports = [./podman.nix ./qemu.nix];}
diff --git a/home/features/virtualization/podman.nix b/home/features/virtualization/podman.nix
new file mode 100644
index 0000000..711678d
--- /dev/null
+++ b/home/features/virtualization/podman.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.virtualization.podman;
+in {
+ options.features.virtualization.podman.enable =
+ mkEnableOption "install podman";
+
+ config = mkIf cfg.enable {home.packages = with pkgs; [fuse-overlayfs];};
+}
diff --git a/home/features/virtualization/qemu.nix b/home/features/virtualization/qemu.nix
new file mode 100644
index 0000000..ca0088d
--- /dev/null
+++ b/home/features/virtualization/qemu.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.features.virtualization.qemu;
+in {
+ options.features.virtualization.qemu.enable =
+ mkEnableOption "install qemu tools";
+ config =
+ mkIf cfg.enable {home.packages = with pkgs; [virt-manager virtiofsd];};
+}
diff --git a/home/users/lkk-admin/base/default.nix b/home/users/lkk-admin/base/default.nix
new file mode 100644
index 0000000..4a1db8d
--- /dev/null
+++ b/home/users/lkk-admin/base/default.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, inputs, outputs, ... }:
+let
+in {
+ nixpkgs = {
+ # You can add overlays here
+ overlays = [
+ # Add overlays your own flake exports (from overlays and pkgs dir):
+ outputs.overlays.additions
+ outputs.overlays.modifications
+ outputs.overlays.stable-packages
+
+ # You can also add overlays exported from other flakes:
+ # neovim-nightly-overlay.overlays.default
+
+ # Or define it inline, for example:
+ # (final: prev: {
+ # hi = final.hello.overrideAttrs (oldAttrs: {
+ # patches = [ ./change-hello-to-hi.patch ];
+ # });
+ # })
+ ];
+ # Configure your nixpkgs instance
+ config = {
+ # Disable if you don't want unfree packages
+ allowUnfree = true;
+ # Workaround for https://github.com/nix-community/home-manager/issues/2942
+ allowUnfreePredicate = _: true;
+ };
+ };
+
+ nix = {
+ package = lib.mkDefault pkgs.nix;
+ settings = {
+ experimental-features = [ "nix-command" "flakes" "repl-flake" ];
+ warn-dirty = false;
+ };
+ };
+ programs = {
+ home-manager.enable = true;
+ git.enable = true;
+ git = {
+ userName = "m3tam3re";
+ userEmail = "m@m3tam3re.com";
+ aliases = { st = "status"; };
+ extraConfig = {
+ core.excludesfile = "~/.gitignore_global";
+ init.defaultBranch = "master";
+ };
+ };
+ };
+
+ home = {
+ username = lib.mkDefault "lkk-admin";
+ homeDirectory = lib.mkDefault "/home/${config.home.username}";
+ };
+}
diff --git a/home/users/lkk-admin/lkk-nix-1.nix b/home/users/lkk-admin/lkk-nix-1.nix
new file mode 100644
index 0000000..fcdfd71
--- /dev/null
+++ b/home/users/lkk-admin/lkk-nix-1.nix
@@ -0,0 +1,16 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [./base ../../features/cli];
+
+ features = {
+ cli = {
+ fish.enable = true;
+ starship.enable = true;
+ };
+ };
+
+ home.stateVersion = "22.11";
+}
diff --git a/home/users/m3tam3re/base/default.nix b/home/users/m3tam3re/base/default.nix
new file mode 100644
index 0000000..49d8e15
--- /dev/null
+++ b/home/users/m3tam3re/base/default.nix
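Review bot: `home/users/lkk-admin/base/default.nix` is a near-verbatim copy of `home/users/m3tam3re/base/default.nix` in the next hunk — same overlays, nixpkgs config, nix settings and git identity (`userName = "m3tam3re";` / `userEmail = "m@m3tam3re.com";`) — differing only in `home.username`, so the two will drift, and any commits made as `lkk-admin` on the deployment hosts will be attributed to the personal identity, which may not be intended for an admin account. Consider one shared base module imported by both users, with `home.username` and the git identity as the per-user values, and confirm whether `lkk-admin` should carry the personal git identity at all. Both files also open with an empty `let in`, which can be dropped, and both enable `allowUnfreePredicate = _: true;` with a comment pointing at the home-manager issue it works around, which is fine to keep but should be revisited when that issue is closed.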
@@ -0,0 +1,62 @@ +{ + config, + lib, + pkgs, + inputs, + outputs, + ... +}: let +in { + nixpkgs = { + # You can add overlays here + overlays = [ + # Add overlays your own flake exports (from overlays and pkgs dir): + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + + # You can also add overlays exported from other flakes: + # neovim-nightly-overlay.overlays.default + + # Or define it inline, for example: + # (final: prev: { + # hi = final.hello.overrideAttrs (oldAttrs: { + # patches = [ ./change-hello-to-hi.patch ]; + # }); + # }) + ]; + # Configure your nixpkgs instance + config = { + # Disable if you don't want unfree packages + allowUnfree = true; + # Workaround for https://github.com/nix-community/home-manager/issues/2942 + allowUnfreePredicate = _: true; + }; + }; + + nix = { + package = lib.mkDefault pkgs.nix; + settings = { + experimental-features = ["nix-command" "flakes" "repl-flake"]; + warn-dirty = false; + }; + }; + programs = { + home-manager.enable = true; + git.enable = true; + git = { + userName = "m3tam3re"; + userEmail = "m@m3tam3re.com"; + aliases = {st = "status";}; + extraConfig = { + core.excludesfile = "~/.gitignore_global"; + init.defaultBranch = "master"; + }; + }; + }; + + home = { + username = lib.mkDefault "m3tam3re"; + homeDirectory = lib.mkDefault "/home/${config.home.username}"; + }; +} diff --git a/home/users/m3tam3re/dotfiles/default.nix b/home/users/m3tam3re/dotfiles/default.nix new file mode 100644 index 0000000..5430ee6 --- /dev/null +++ b/home/users/m3tam3re/dotfiles/default.nix 
@@ -0,0 +1,22 @@ +{ pkgs, inputs, ... }: { + home.file.".config/bat" = { + source = "${inputs.dotfiles}/bat"; + recursive = true; + }; + home.file.".config/nyxt" = { + source = "${inputs.dotfiles}/nyxt"; + recursive = true; + }; + home.file.".config/hypr" = { + source = "${inputs.dotfiles}/hypr"; + recursive = true; + }; + home.file.".config/nvim" = { + source = "${inputs.dotfiles}/nvim"; + recursive = true; + }; + home.file.".config/zellij" = { + source = "${inputs.dotfiles}/zellij"; + recursive = true; + }; +} diff --git a/home/users/m3tam3re/dotfiles/hyprland.nix b/home/users/m3tam3re/dotfiles/hyprland.nix new file mode 100644 index 0000000..a4e4a41 --- /dev/null +++ b/home/users/m3tam3re/dotfiles/hyprland.nix 
@@ -0,0 +1,227 @@ +{ config, ... }: { + home.file.".config/hypr/hyprland.conf".text = '' + + # See https://wiki.hyprland.org/Configuring/Monitors/ + monitor=eDP-1,preferred,2560x0,1.25 + monitor=DP-1,preferred,0x0,1 + + # See https://wiki.hyprland.org/Configuring/Keywords/ for more + xwayland { + force_zero_scaling = true + } + # Execute your favorite apps at launch + # exec-once = waybar & hyprpaper & firefox + exec-once = waybar + exec-once = hyprpaper + exec-once = wl-paste -p -t text --watch clipman store -P --histpath="~/.local/share/clipman-primary.json" + # Source a file (multi-file configs) + # source = ~/.config/hypr/myColors.conf + + # Some default env vars. + env = LIBVA_DRIVER_NAME,nvidia + env = XDG_SESSION_TYPE,wayland + env = GBM_BACKEND,nvidia-drm + env = __GLX_VENDOR_LIBRARY_NAME,nvidia + env = XCURSOR_SIZE,32 + env = WLR_NO_HARDWARE_CURSORS,1 + env = GTK_THEME,Dracula + # For all categories, see https://wiki.hyprland.org/Configuring/Variables/ + input { + kb_layout = de,us + kb_variant = + kb_model = + kb_rules = + kb_options=ctrl:nocaps + follow_mouse = 1 + + touchpad { + natural_scroll = yes + } + + sensitivity = 0 # -1.0 - 1.0, 0 means no modification. 
+ } + + device { + name = zsa-technology-labs-moonlander-mark-i + kb_layout = us + } + + general { + # See https://wiki.hyprland.org/Configuring/Variables/ for more + #col.active_border = rgb(44475a) rgb(bd93f9) 90deg + #col.inactive_border = rgba(44475aaa) + #col.group_border = rgba(282a36dd) + #col.group_border_active = rgb(bd93f9) rgb(44475a) 90deg + + gaps_in = 5 + gaps_out = 5 + border_size = 1 + col.active_border = rgba(9742b5ee) rgba(9742b5ee) 45deg + col.inactive_border = rgba(595959aa) + + layout = dwindle + } + + decoration { + # See https://wiki.hyprland.org/Configuring/Variables/ for more + col.shadow = rgba(1E202966) + drop_shadow = yes + shadow_range = 60 + shadow_offset = 1 2 + shadow_render_power = 3 + shadow_scale = 0.97 + rounding = 8 + blur { + enabled = yes + size = 3 + passes = 3 + } + active_opacity = 0.9 + inactive_opacity = 0.5 + drop_shadow = yes + shadow_range = 4 + shadow_render_power = 3 + } + + animations { + enabled = yes + + # Some default animations, see https://wiki.hyprland.org/Configuring/Animations/ for more + + bezier = myBezier, 0.05, 0.9, 0.1, 1.05 + + animation = windows, 1, 7, myBezier + animation = windowsOut, 1, 7, default, popin 80% + animation = border, 1, 10, default + animation = borderangle, 1, 8, default + animation = fade, 1, 7, default + animation = workspaces, 1, 6, default + } + + dwindle { + # See https://wiki.hyprland.org/Configuring/Dwindle-Layout/ for more + pseudotile = yes # master switch for pseudotiling. 
Enabling is bound to mainMod + P in the keybinds section below + preserve_split = yes # you probably want this + } + + master { + # See https://wiki.hyprland.org/Configuring/Master-Layout/ for more + new_is_master = true + } + + gestures { + # See https://wiki.hyprland.org/Configuring/Variables/ for more + workspace_swipe = off + } + + # Example per-device config + # See https://wiki.hyprland.org/Configuring/Keywords/#executing for more + device { + name = epic-mouse-v1 + sensitivity = -0.5 + } + + # Example windowrule v1 + # windowrule = float, ^(kitty)$ + # Example windowrule v2 + # windowrulev2 = float,class:^(kitty)$,title:^(kitty)$ + # See https://wiki.hyprland.org/Configuring/Window-Rules/ for more + windowrule = float, file_progress + windowrule = float, confirm + windowrule = float, dialog + windowrule = float, download + windowrule = float, notification + windowrule = float, error + windowrule = float, splash + windowrule = float, confirmreset + windowrule = float, title:Open File + windowrule = float, title:branchdialog + windowrule = float, Lxappearance + windowrule = float, Wofi + windowrule = float, dunst + windowrule = animation none,Wofi + windowrule = float,viewnior + windowrule = float,feh + windowrule = float, pavucontrol-qt + windowrule = float, pavucontrol + windowrule = float, file-roller + windowrule = fullscreen, wlogout + windowrule = float, title:wlogout + windowrule = fullscreen, title:wlogout + windowrule = idleinhibit focus, mpv + windowrule = idleinhibit fullscreen, firefox + windowrule = float, title:^(Media viewer)$ + windowrule = float, title:^(Volume Control)$ + windowrule = float, title:^(Picture-in-Picture)$ + windowrule = size 800 600, title:^(Volume Control)$ + windowrule = move 75 44%, title:^(Volume Control)$ + + # See https://wiki.hyprland.org/Configuring/Keywords/ for more + $mainMod = SUPER + + # Example binds, see https://wiki.hyprland.org/Configuring/Binds/ for more + bind = $mainMod, return, exec, alacritty -e zellij-ps 
+ bind = $mainMod, t, exec, alacritty + bind = $mainMod SHIFT, e, exec, alacritty -e zellij_nvim + bind = $mainMod, o, exec, thunar + bind = $mainMod, Escape, exec, wlogout -p layer-shell + bind = $mainMod, Space, togglefloating + bind = $mainMod, q, killactive, + bind = $mainMod, M, exit, + bind= $mainMod, F, fullscreen + bind = $mainMod, V, togglefloating, + bind = $mainMod, D, exec, wofi --show drun --allow-images + bind = $mainMod SHIFT, S, exec, bemoji + bind = $mainMod, P, exec, wofi-pass + bind = $mainMod SHIFT, P, pseudo, # dwindle + bind = $mainMod, J, togglesplit, # dwindle + + # Move focus with mainMod + arrow keys + bind = $mainMod, left, movefocus, l + bind = $mainMod, right, movefocus, r + bind = $mainMod, up, movefocus, u + bind = $mainMod, down, movefocus, d + + workspace = 1, monitor:DP-1, default:true + workspace = 2, monitor:DP-1 + workspace = 3, monitor:DP-1 + workspace = 4, monitor:eDP-1 + workspace = 5, monitor:eDP-1 + + windowrulev2 = workspace 1,class:(Emacs) + windowrulev2 = workspace 3,opacity 1.0, class:(brave-browser) + windowrulev2 = workspace 4,class:(com.obsproject.Studio) + + # Switch workspaces with mainMod + [0-9] + bind = $mainMod, 1, workspace, 1 + bind = $mainMod, 2, workspace, 2 + bind = $mainMod, 3, workspace, 3 + bind = $mainMod, 4, workspace, 4 + bind = $mainMod, 5, workspace, 5 + bind = $mainMod, 6, workspace, 6 + bind = $mainMod, 7, workspace, 7 + bind = $mainMod, 8, workspace, 8 + bind = $mainMod, 9, workspace, 9 + bind = $mainMod, 0, workspace, 10 + + # Move active window to a workspace with mainMod + SHIFT + [0-9] + bind = $mainMod SHIFT, 1, movetoworkspace, 1 + bind = $mainMod SHIFT, 2, movetoworkspace, 2 + bind = $mainMod SHIFT, 3, movetoworkspace, 3 + bind = $mainMod SHIFT, 4, movetoworkspace, 4 + bind = $mainMod SHIFT, 5, movetoworkspace, 5 + bind = $mainMod SHIFT, 6, movetoworkspace, 6 + bind = $mainMod SHIFT, 7, movetoworkspace, 7 + bind = $mainMod SHIFT, 8, movetoworkspace, 8 + bind = $mainMod SHIFT, 9, 
movetoworkspace, 9 + bind = $mainMod SHIFT, 0, movetoworkspace, 10 + + # Scroll through existing workspaces with mainMod + scroll + bind = $mainMod, mouse_down, workspace, e+1 + bind = $mainMod, mouse_up, workspace, e-1 + + # Move/resize windows with mainMod + LMB/RMB and dragging + bindm = $mainMod, mouse:272, movewindow + bindm = $mainMod, mouse:273, resizewindow + ''; +} diff --git a/home/users/m3tam3re/lkk-nix-1.nix b/home/users/m3tam3re/lkk-nix-1.nix new file mode 100644 index 0000000..fcdfd71 --- /dev/null +++ b/home/users/m3tam3re/lkk-nix-1.nix @@ -0,0 +1,16 @@ +{ + config, + pkgs, + ... +}: { + imports = [./base ../../features/cli]; + + features = { + cli = { + fish.enable = true; + starship.enable = true; + }; + }; + + home.stateVersion = "22.11"; +} diff --git a/home/users/m3tam3re/m3-nix.nix b/home/users/m3tam3re/m3-nix.nix new file mode 100644 index 0000000..ed348f2 --- /dev/null +++ b/home/users/m3tam3re/m3-nix.nix @@ -0,0 +1,38 @@ +{ + config, + pkgs, + ... +}: { + imports = [ + ./base + ./dotfiles + ../../features/cli + ../../features/coding + ../../features/desktop + ../../features/gaming + ../../features/virtualization + ]; + + features = { + cli = { + fish.enable = true; + neofetch.enable = true; + secrets.enable = true; + starship.enable = true; + zellij.enable = true; + }; + gaming = {sunshine.enable = true;}; + desktop = { + crypto.enable = true; + design.enable = true; + extrafonts.enable = true; + media.enable = true; + office.enable = true; + }; + virtualization = { + podman.enable = true; + qemu.enable = true; + }; + }; + home.stateVersion = "24.05"; +} diff --git a/home/users/m3tam3re/m3-r1.nix b/home/users/m3tam3re/m3-r1.nix new file mode 100644 index 0000000..fcdfd71 --- /dev/null +++ b/home/users/m3tam3re/m3-r1.nix @@ -0,0 +1,16 @@ +{ + config, + pkgs, + ... +}: { + imports = [./base ../../features/cli]; + + features = { + cli = { + fish.enable = true; + starship.enable = true; + }; + }; + + home.stateVersion = "22.11"; +} 
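Review bot: In the `decoration` block, `drop_shadow`, `shadow_range` and `shadow_render_power` are each set twice (`shadow_range = 60` and, further down, `shadow_range = 4`); Hyprland keeps the last assignment, so the first group is dead and the effective shadow range is 4 — keep one set. The clipman `exec-once` passes `--histpath="~/.local/share/clipman-primary.json"`; the shell does not expand `~` inside double quotes, so unless clipman expands it itself the history file ends up under a literal `~` directory — `--histpath=$HOME/.local/share/clipman-primary.json` sidesteps the question. The module also binds `config` in its argument set but never uses it.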
diff --git a/home/users/produktion/base/default.nix b/home/users/produktion/base/default.nix new file mode 100644 index 0000000..5ac8b44 --- /dev/null +++ b/home/users/produktion/base/default.nix @@ -0,0 +1,52 @@ +{ + config, + lib, + pkgs, + outputs, + ... +}: let +in { + nixpkgs = { + # You can add overlays here + overlays = [ + # Add overlays your own flake exports (from overlays and pkgs dir): + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + + # You can also add overlays exported from other flakes: + # neovim-nightly-overlay.overlays.default + + # Or define it inline, for example: + # (final: prev: { + # hi = final.hello.overrideAttrs (oldAttrs: { + # patches = [ ./change-hello-to-hi.patch ]; + # }); + # }) + ]; + # Configure your nixpkgs instance + config = { + # Disable if you don't want unfree packages + allowUnfree = true; + # Workaround for https://github.com/nix-community/home-manager/issues/2942 + allowUnfreePredicate = _: true; + }; + }; + + nix = { + package = lib.mkDefault pkgs.nix; + settings = { + experimental-features = ["nix-command" "flakes" "repl-flake"]; + warn-dirty = false; + }; + }; + programs = { + home-manager.enable = true; + git.enable = true; + }; + + home = { + username = lib.mkDefault "produktion"; + homeDirectory = lib.mkDefault "/home/${config.home.username}"; + }; +} diff --git a/home/users/produktion/lkk-prod-1.nix b/home/users/produktion/lkk-prod-1.nix new file mode 100644 index 0000000..ab3329b --- /dev/null +++ b/home/users/produktion/lkk-prod-1.nix @@ -0,0 +1,21 @@ +{ + config, + pkgs, + ... +}: { + imports = [ + ./base + ../../features/cli + ../../features/desktop/plasma.nix + ../../features/desktop/media.nix + ]; + + features = { + cli = { + fish.enable = true; + starship.enable = true; + }; + }; + + home.stateVersion = "24.05"; +} diff --git a/home/users/produktion/lkk-prod-2.nix b/home/users/produktion/lkk-prod-2.nix new file mode 100644 index 0000000..ab3329b --- /dev/null 
+++ b/home/users/produktion/lkk-prod-2.nix @@ -0,0 +1,21 @@ +{ + config, + pkgs, + ... +}: { + imports = [ + ./base + ../../features/cli + ../../features/desktop/plasma.nix + ../../features/desktop/media.nix + ]; + + features = { + cli = { + fish.enable = true; + starship.enable = true; + }; + }; + + home.stateVersion = "24.05"; +} diff --git a/hosts/common/base/default.nix b/hosts/common/base/default.nix new file mode 100644 index 0000000..09e617e --- /dev/null +++ b/hosts/common/base/default.nix @@ -0,0 +1,21 @@ +{ + lib, + pkgs, + inputs, + outputs, + ... +}: +with pkgs; { + imports = [inputs.home-manager.nixosModules.home-manager]; + home-manager = { + useUserPackages = true; + extraSpecialArgs = {inherit inputs outputs;}; + }; + users.defaultUserShell = fish; + + environment.systemPackages = [ + inputs.agenix.packages."${pkgs.system}".default + inputs.fh.packages."${pkgs.system}".default + coreutils + ]; +} diff --git a/hosts/common/users/lkk-admin/default.nix b/hosts/common/users/lkk-admin/default.nix new file mode 100644 index 0000000..61113ae --- /dev/null +++ b/hosts/common/users/lkk-admin/default.nix 
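Review bot: `users.defaultUserShell = fish` is set in this shared base module, but `programs.fish.enable = true` is only set in `hosts/lkk-nix-1/default.nix` at L33; any other host importing `../common/base` would get fish as login shell without the NixOS integration (completions, environment setup) that the module provides — move `programs.fish.enable = true;` here next to `defaultUserShell`. The `with pkgs;` over the whole module body also makes `fish` and `coreutils` look like free identifiers; `pkgs.fish` / `pkgs.coreutils` would be clearer. `hosts/common/users/produktion/lkk-prod-2.nix` on this line is a byte-identical copy of `lkk-prod-1.nix` (same blob id), so consider importing one from the other.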
@@ -0,0 +1,26 @@ +{ config, pkgs, inputs, ... }: { + users.users.lkk-admin = { + initialHashedPassword = + "$y$j9T$wOKc3kLsQVtmmyLIN7ljV.$NvdWzwn6p8JNByHoXQqf6/GF3C0JOPHW/D0HgFLQXy4"; + isNormalUser = true; + description = "lkk-admin"; + extraGroups = [ + "wheel" + "networkmanager" + "libvirtd" + "flatpak" + "audio" + "video" + "plugdev" + "input" + "kvm" + "qemu-libvirtd" + ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDh8J7t25qJ5ibc1qmf5WOTWMSqbMQnCbAgdnTzCIJto6ybyRUqoKTr4Os1d1wf4SxzERApzqkBA9fKN2hsAoCi72agXZSpSgHNWZMH+qYXxiYQjNV1ueuCISCjFdDSeu8jQV8UMyEOfi1yNN0g3YXnt7KOnfcv5mdi7jZXmI6CpaHoVZo1xyozBFQj9AM7jP0J5RMXL5mxMfluULBjuR2rxa/74HHbxfxrireGgeW94nnyT0WD9vPxvLuiAufarCrwwh1kLS4COu9QshcVnu1tKH9vXJFIS0r6+vHf/Swo/gRf/AaHUNktFIi9rso+MGGFXozdoHligea6vxYU/3sV m3tam3re@m3-nix" + ]; + packages = [ inputs.home-manager.packages.${pkgs.system}.default ]; + }; + home-manager.users.lkk-admin = + import lkk-admin/${config.networking.hostName}.nix; +} diff --git a/hosts/common/users/lkk-admin/lkk-admin b/hosts/common/users/lkk-admin/lkk-admin new file mode 120000 index 0000000..1511bb1 --- /dev/null +++ b/hosts/common/users/lkk-admin/lkk-admin @@ -0,0 +1 @@ +../../../../home/users/lkk-admin/ \ No newline at end of file diff --git a/hosts/common/users/m3tam3re/default.nix b/hosts/common/users/m3tam3re/default.nix new file mode 100644 index 0000000..204c8f9 --- /dev/null +++ b/hosts/common/users/m3tam3re/default.nix 
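Review bot: `initialHashedPassword` here is byte-for-byte the same hash as for `m3tam3re` at L31, so both `wheel` accounts share one password, and that hash is committed to the repository. Since the flake already uses agenix, `hashedPasswordFile = config.age.secrets.<per-user-secret>.path;` with a distinct secret per account keeps hashes out of git and lets each user have its own password; note too that `initialHashedPassword` only applies when the account is first created, so editing it later does not change an existing login. The same SSH public key is authorised for both accounts — fine if they belong to the same person, but compromise of that one key then yields two sudo-capable users.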
@@ -0,0 +1,26 @@ +{ config, pkgs, inputs, ... }: { + users.users.m3tam3re = { + initialHashedPassword = + "$y$j9T$wOKc3kLsQVtmmyLIN7ljV.$NvdWzwn6p8JNByHoXQqf6/GF3C0JOPHW/D0HgFLQXy4"; + isNormalUser = true; + description = "m3tam3re"; + extraGroups = [ + "wheel" + "networkmanager" + "libvirtd" + "flatpak" + "audio" + "video" + "plugdev" + "input" + "kvm" + "qemu-libvirtd" + ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 m3tam3re@m3-nix" + ]; + packages = [ inputs.home-manager.packages.${pkgs.system}.default ]; + }; + home-manager.users.m3tam3re = + import m3tam3re/${config.networking.hostName}.nix; +} diff --git a/hosts/common/users/m3tam3re/m3tam3re b/hosts/common/users/m3tam3re/m3tam3re new file mode 120000 index 0000000..3ffe3fa --- /dev/null +++ b/hosts/common/users/m3tam3re/m3tam3re @@ -0,0 +1 @@ +../../../../home/users/m3tam3re/ \ No newline at end of file diff --git a/hosts/common/users/produktion/default.nix b/hosts/common/users/produktion/default.nix new file mode 100644 index 0000000..89acb3b --- /dev/null +++ b/hosts/common/users/produktion/default.nix 
@@ -0,0 +1,19 @@ +{ + config, + pkgs, + lib, + outputs, + ... +}: { + users.users.produktion = { + isNormalUser = true; + description = "Produktion"; + extraGroups = ["tailscale" "networkmanager" "audio" "video"]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU= m3tam3re@m3-nix" + ]; + packages = [pkgs.home-manager]; + }; + nixpkgs.config.allowUnfree = true; + home-manager.users.produktion = import produktion/${config.networking.hostName}.nix; +} diff --git a/hosts/common/users/produktion/produktion b/hosts/common/users/produktion/produktion new file mode 120000 index 0000000..3ce91f9 --- /dev/null +++ b/hosts/common/users/produktion/produktion @@ -0,0 +1 @@ +../../../../home/users/produktion \ No newline at end of file diff --git a/hosts/lkk-nix-1/default.nix b/hosts/lkk-nix-1/default.nix new file mode 100644 index 0000000..9d96458 --- /dev/null +++ b/hosts/lkk-nix-1/default.nix 
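Review bot: `nixpkgs.config.allowUnfree = true` is a system-wide setting placed inside a per-user module, where a reader will not look for it; move it to `hosts/common/base` alongside the other global settings. `extraGroups` includes `"tailscale"`, and I do not see that group defined anywhere in this commit — if no module creates it, the membership has no effect, so confirm it exists or drop it. The argument set also declares `lib` and `outputs` that the module never uses.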
@@ -0,0 +1,92 @@ +{ pkgs, ... }: { + imports = [ + ./hardware-configuration.nix + ../common/users/lkk-admin + ../common/users/m3tam3re + ../common/base + ./services + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + + services.openssh.enable = true; + services.openssh.settings.PasswordAuthentication = false; + networking = { + hostName = "lkk-nix-1"; + firewall.enable = true; + firewall.allowedTCPPortRanges = [{ + from = 3000; + to = 3100; + }]; + firewall.allowedTCPPorts = [ 53 80 443 5432 3306 3478 ]; + firewall.allowedUDPPorts = [ 53 51820 41641 ]; + firewall.allowedUDPPortRanges = [{ + from = 3478; + to = 3481; + }]; + }; + environment.systemPackages = with pkgs; [ podman-compose ]; + programs.fish.enable = true; + age = { + secrets = { + mj-smtp-user.file = ../../secrets/mj-smtp-user.age; + mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age; + tailscale-key.file = ../../secrets/tailscale-key.age; + + vaultwarden-env = { + file = ../../secrets/vaultwarden-env.age; + mode = "770"; + }; + + metabase-env = { + file = ../../secrets/metabase-env.age; + mode = "770"; + }; + + n8n-env = { + file = ../../secrets/n8n-env.age; + mode = "770"; + }; + ordercollector-env = { + file = ../../secrets/ordercollector-env.age; + mode = "770"; + }; + + traefik-env = { + file = ../../secrets/traefik-env.age; + mode = "770"; + owner = "traefik"; + }; + + minio-root-cred = { + file = ../../secrets/minio-root-cred.age; + mode = "770"; + }; + + baserow-env = { + file = ../../secrets/baserow-env.age; + mode = "770"; + }; + littlelink-lanakk-env = { + file = ../../secrets/littlelink-lanakk-env.age; + mode = "770"; + }; + pgadmin = { + file = ../../secrets/pgadmin.age; + mode = "770"; + owner = "pgadmin"; + }; + }; + identityPaths = [ "/root/.ssh/lkk-nix-1" ]; + }; + + nix = { + gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; + optimise.automatic = true; + }; + system.stateVersion = "22.11"; # Did you read 
the comment? +} diff --git a/hosts/lkk-nix-1/hardware-configuration.nix b/hosts/lkk-nix-1/hardware-configuration.nix new file mode 100644 index 0000000..6f09139 --- /dev/null +++ b/hosts/lkk-nix-1/hardware-configuration.nix 
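Review bot: `firewall.allowedTCPPorts` opens 5432 (PostgreSQL, which has `enableTCPIP = true` at L40) and 3306 (MariaDB) on every interface, and `allowedTCPPortRanges` 3000–3100 covers the host ports the containers publish, so any container that binds `0.0.0.0` rather than `127.0.0.1` (see L36, L37, L39) is reachable from the internet without passing through traefik. If the databases are only consumed by the containers over the podman bridge and by services on localhost, scope them to that interface instead, e.g. `networking.firewall.interfaces.podman0.allowedTCPPorts = [ 5432 3306 ];` (the default podman bridge name — confirm), and narrow the range to what actually needs to be public. The `age.secrets.*.mode = "770"` values grant group write and execute on secret files for no purpose; `"0400"`, or `"0440"` with an explicit `group` for the consuming service, is the usual choice.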
@@ -0,0 +1,59 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52"; + fsType = "btrfs"; + options = ["subvol=root"]; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52"; + fsType = "btrfs"; + options = ["subvol=home"]; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52"; + fsType = "btrfs"; + options = ["subvol=nix"]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/2550-EF31"; + fsType = "vfat"; + }; + + fileSystems."/var/backup" = { + device = "46.38.248.210:/voln527829a1"; + fsType = "nfs"; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/lkk-nix-1/services/container.nix b/hosts/lkk-nix-1/services/container.nix new file mode 100644 index 0000000..3790e64 --- /dev/null +++ b/hosts/lkk-nix-1/services/container.nix 
@@ -0,0 +1,13 @@ +{ + config, + pkgs, + ... +}: { + imports = [./containers]; + + virtualisation.podman = { + enable = true; + defaultNetwork.settings = {dns_enabled = true;}; + }; + virtualisation.oci-containers.backend = "podman"; +} diff --git a/hosts/lkk-nix-1/services/containers/baserow.nix b/hosts/lkk-nix-1/services/containers/baserow.nix new file mode 100644 index 0000000..799ad45 --- /dev/null +++ b/hosts/lkk-nix-1/services/containers/baserow.nix @@ -0,0 +1,9 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."baserow" = { + image = "docker.io/baserow/baserow:1.24.2"; + environmentFiles = [ config.age.secrets.baserow-env.path ]; + ports = [ "127.0.0.1:3001:80" ]; + volumes = [ "baserow_data:/baserow/data" ]; + extraOptions = [ "--add-host=postgres:10.88.0.1" "--ip=10.88.0.11" ]; + }; +} diff --git a/hosts/lkk-nix-1/services/containers/default.nix b/hosts/lkk-nix-1/services/containers/default.nix new file mode 100644 index 0000000..0375948 --- /dev/null +++ b/hosts/lkk-nix-1/services/containers/default.nix @@ -0,0 +1,13 @@ +{ + imports = [ + ./baserow.nix + ./little-link.nix + ./matomo.nix + ./mautic.nix + ./n8n.nix + ./nextcloud.nix + ./nginx.nix + ./ordercollector.nix + ./wordpress.nix + ]; +} diff --git a/hosts/lkk-nix-1/services/containers/little-link.nix b/hosts/lkk-nix-1/services/containers/little-link.nix new file mode 100644 index 0000000..60f096c --- /dev/null +++ b/hosts/lkk-nix-1/services/containers/little-link.nix @@ -0,0 +1,8 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."littlelink_lanakk" = { + image = "ghcr.io/techno-tim/littlelink-server"; + environmentFiles = [ config.age.secrets.littlelink-lanakk-env.path ]; + ports = [ "3010:3000" ]; + extraOptions = [ "--ip=10.88.0.20" ]; + }; +} diff --git a/hosts/lkk-nix-1/services/containers/matomo.nix b/hosts/lkk-nix-1/services/containers/matomo.nix new file mode 100644 index 0000000..326ee12 --- /dev/null 
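Review bot: `ports = [ "3010:3000" ]` publishes the port on all host interfaces, unlike the other containers in this commit that prefix `127.0.0.1:`, and with TCP 3000–3100 open in the host firewall at L33 the service is reachable directly on port 3010, bypassing traefik and TLS; use `ports = [ "127.0.0.1:3010:3000" ];`. The same applies to `matomo` (`"3003:80"`, L37) and `kk_blog` (`"3015:80"`, L39). The image reference `ghcr.io/techno-tim/littlelink-server` carries no tag, so each pull may silently switch versions; pin one as `baserow.nix` does.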
+++ b/hosts/lkk-nix-1/services/containers/matomo.nix @@ -0,0 +1,19 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."matomo" = { + image = "docker.io/matomo"; + environment = { + MATOMO_DATABASE_HOST = "mysql"; + MATOMO_DATABASE_USERNAME = "matomo"; + MATOMO_DATABASE_PASSWORD = "matomo"; + MATOMO_DATABASE_DBNAME = "matomo"; + PHP_MEMORY_LIMIT = "2048M"; + }; + ports = ["3003:80"]; + volumes = ["matomo_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.13"]; + }; +} diff --git a/hosts/lkk-nix-1/services/containers/mautic.nix b/hosts/lkk-nix-1/services/containers/mautic.nix new file mode 100644 index 0000000..73b9639 --- /dev/null +++ b/hosts/lkk-nix-1/services/containers/mautic.nix @@ -0,0 +1,20 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."mautic" = { + image = "docker.io/mautic/mautic:v4-apache"; + environment = { + MAUTIC_DB_HOST = "mysql"; + MAUTIC_DB_USER = "mautic"; + MAUTIC_DB_PASSWORD = "mautic"; + MAUTIC_DB_DBNAME = "mautic"; + PHP_MEMORY_LIMIT = "2048M"; + MAUTIC_RUN_CRON_JOBS = "true"; + }; + ports = ["127.0.0.1:3008:80"]; + volumes = ["mautic_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.23"]; + }; +} diff --git a/hosts/lkk-nix-1/services/containers/n8n.nix b/hosts/lkk-nix-1/services/containers/n8n.nix new file mode 100644 index 0000000..e96d394 --- /dev/null +++ b/hosts/lkk-nix-1/services/containers/n8n.nix @@ -0,0 +1,13 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."n8n" = { + image = "docker.n8n.io/n8nio/n8n"; + environmentFiles = [config.age.secrets.n8n-env.path]; + ports = ["127.0.0.1:5678:5678"]; + volumes = ["/var/lib/n8n/.n8n:/home/node/.n8n"]; + extraOptions = ["--ip=10.88.0.24"]; + }; +} diff --git a/hosts/lkk-nix-1/services/containers/nextcloud.nix b/hosts/lkk-nix-1/services/containers/nextcloud.nix new file mode 100644 index 0000000..e506894 --- /dev/null 
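Review bot: `MATOMO_DATABASE_PASSWORD = "matomo"` and, in the mautic hunk on this line, `MAUTIC_DB_PASSWORD = "mautic"` are literal database passwords in the module, so they land in the generated systemd unit in the world-readable Nix store and in the repository; the same pattern appears as `wp`/`wp` in `wordpress.nix` at L39. baserow, n8n and littlelink in this commit already use `environmentFiles` with an agenix secret, so these three should be moved to the same mechanism, and since the values are guessable and 3306 is open in the host firewall at L33 they should be rotated as well as moved. `docker.io/matomo` has no tag and `docker.io/mautic/mautic:v4-apache` is a floating major tag; pin versions so upgrades are deliberate.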
+++ b/hosts/lkk-nix-1/services/containers/nextcloud.nix @@ -0,0 +1,18 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."nextcloud" = { + image = "docker.io/nextcloud"; + environment = { + TRUSTED_PROXIES = "10.88.0.1/16"; + OVERWRITEPROTOCOL = "https"; + OVERWRITECLIURL = "https://cloud.lanakk.com"; + OVERWRITEHOST = "cloud.lanakk.com"; + }; + ports = ["127.0.0.1:3005:80"]; + volumes = ["nextcloud_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.15"]; + }; +} diff --git a/hosts/lkk-nix-1/services/containers/nginx.nix b/hosts/lkk-nix-1/services/containers/nginx.nix new file mode 100644 index 0000000..9f9a241 --- /dev/null +++ b/hosts/lkk-nix-1/services/containers/nginx.nix @@ -0,0 +1,12 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."http-images" = { + image = "docker.io/nginx:alpine"; + ports = ["127.0.0.1:3012:80"]; + volumes = ["/opt/service-data/http-images:/usr/share/nginx/html"]; + extraOptions = ["--ip=10.88.0.22"]; + }; +} diff --git a/hosts/lkk-nix-1/services/containers/ordercollector.nix b/hosts/lkk-nix-1/services/containers/ordercollector.nix new file mode 100644 index 0000000..d2c01bd --- /dev/null +++ b/hosts/lkk-nix-1/services/containers/ordercollector.nix @@ -0,0 +1,7 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."ordercollector" = { + image = "code.lanakk.com/lanakk/ordercollector:latest"; + environmentFiles = [ config.age.secrets.ordercollector-env.path ]; + ports = [ "127.0.0.1:3004:8080" ]; + }; +} diff --git a/hosts/lkk-nix-1/services/containers/wordpress.nix b/hosts/lkk-nix-1/services/containers/wordpress.nix new file mode 100644 index 0000000..901550a --- /dev/null +++ b/hosts/lkk-nix-1/services/containers/wordpress.nix 
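Review bot: `TRUSTED_PROXIES = "10.88.0.1/16"` trusts the whole 10.88.0.0/16 podman network, so every other container on the bridge — not just traefik arriving from the host gateway — can set `X-Forwarded-For` and have Nextcloud treat it as the client address, which undermines its brute-force protection and IP-based logging. If traefik always reaches the container from the gateway, `TRUSTED_PROXIES = "10.88.0.1/32";` is the intended value. `docker.io/nextcloud` has no tag, so a major-version jump can happen on any pull; pin at least the major version.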
@@ -0,0 +1,30 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."lanakk_blog" = { + image = "docker.io/wordpress"; + environment = { + WORDPRESS_DB_HOST = "mysql"; + WORDPRESS_DB_USER = "wp"; + WORDPRESS_DB_PASSWORD = "wp"; + WORDPRESS_DB_NAME = "lanakk_blog"; + }; + ports = ["127.0.0.1:3002:80"]; + volumes = ["lanakk_blog_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.12"]; + }; + virtualisation.oci-containers.containers."kk_blog" = { + image = "docker.io/wordpress"; + environment = { + WORDPRESS_DB_HOST = "mysql"; + WORDPRESS_DB_USER = "wp"; + WORDPRESS_DB_PASSWORD = "wp"; + WORDPRESS_DB_NAME = "kk_blog"; + }; + ports = ["3015:80"]; + volumes = ["kk_blog_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.16"]; + }; +} diff --git a/hosts/lkk-nix-1/services/default.nix b/hosts/lkk-nix-1/services/default.nix new file mode 100644 index 0000000..9f761c8 --- /dev/null +++ b/hosts/lkk-nix-1/services/default.nix @@ -0,0 +1,13 @@ +{ + imports = [ + ./container.nix + ./gitea.nix + ./mariadb.nix + ./metabase.nix + ./postgres.nix + ./syncthing.nix + ./tailscale.nix + ./traefik.nix + ./vaultwarden.nix + ]; +} diff --git a/hosts/lkk-nix-1/services/gitea.nix b/hosts/lkk-nix-1/services/gitea.nix new file mode 100644 index 0000000..997f14a --- /dev/null +++ b/hosts/lkk-nix-1/services/gitea.nix @@ -0,0 +1,16 @@ +{ + config, + pkgs, + ... +}: { + services.gitea = { + enable = true; + settings.server.ROOT_URL = "https://code.lanakk.com"; + lfs.enable = true; + dump = { + enable = true; + interval = "03:30:00"; + backupDir = "/var/backup/gitea"; + }; + }; +} diff --git a/hosts/lkk-nix-1/services/mariadb.nix b/hosts/lkk-nix-1/services/mariadb.nix new file mode 100644 index 0000000..c9cbaae --- /dev/null +++ b/hosts/lkk-nix-1/services/mariadb.nix 
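Review bot: In the gitea hunk on this line, `services.gitea` is enabled under the public `ROOT_URL = "https://code.lanakk.com"` without `settings.service.DISABLE_REGISTRATION = true;`, and Gitea's default allows open self-registration, so anyone can create an account unless sign-up is intended. `dump.backupDir = "/var/backup/gitea"` writes full repository+database dumps; `/var/backup` appears to be the NFS mount declared in the hardware configuration at L35, so those dumps — including private repositories — would travel to a remote address over plain NFS, which is worth a deliberate decision and a comment. The module also declares `config` and `pkgs` it does not use.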
@@ -0,0 +1,11 @@ +{ pkgs, config, ... }: { + services.mysql = { + enable = true; + package = pkgs.mariadb; + }; + services.mysqlBackup = { + enable = true; + calendar = "03:00:00"; + databases = [ "lanakk_blog" "matomo" "mautic" ]; + }; +} diff --git a/hosts/lkk-nix-1/services/metabase.nix b/hosts/lkk-nix-1/services/metabase.nix new file mode 100644 index 0000000..34c5402 --- /dev/null +++ b/hosts/lkk-nix-1/services/metabase.nix @@ -0,0 +1,13 @@ +{ + config, + pkgs, + ... +}: { + services.metabase = { + enable = true; + listen.port = 3013; + }; + systemd.services.metabase.serviceConfig = { + EnvironmentFile = "${config.age.secrets.metabase-env.path}"; + }; +} diff --git a/hosts/lkk-nix-1/services/postgres.nix b/hosts/lkk-nix-1/services/postgres.nix new file mode 100644 index 0000000..f2f83eb --- /dev/null +++ b/hosts/lkk-nix-1/services/postgres.nix @@ -0,0 +1,29 @@ +{ pkgs, config, ... }: { + services.postgresql = { + enable = true; + enableTCPIP = true; + package = pkgs.postgresql_15; + authentication = pkgs.lib.mkOverride 10 '' + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + host all all 10.88.0.1/16 trust + ''; + initialScript = pkgs.writeText "backend-initScript" '' + CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow'; + CREATE DATABASE baserow; + GRANT ALL PRIVILEGES ON DATABASE baserow TO baserow; + ALTER DATABASE baserow OWNER to baserow; + ''; + }; + services.postgresqlBackup = { + enable = true; + startAt = "03:10:00"; + databases = [ "baserow" "metabase" "postgres" "lanakk_data_warehouse" ]; + }; + services.pgadmin = { + enable = true; + initialPasswordFile = "${config.age.secrets.pgadmin.path}"; + initialEmail = "sascha@lanakk.com"; + }; +} diff --git a/hosts/lkk-nix-1/services/syncthing.nix b/hosts/lkk-nix-1/services/syncthing.nix new file mode 100644 index 0000000..c49d16e --- /dev/null +++ b/hosts/lkk-nix-1/services/syncthing.nix 
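Review bot: The `authentication` override sets `trust` for local, loopback and `10.88.0.1/16` connections, so any process on the host and any container on the podman bridge can connect as any role — including the `postgres` superuser — without a password, which makes the `ENCRYPTED PASSWORD 'baserow'` in `initialScript` meaningless and hands every container full access to `metabase` and `lanakk_data_warehouse` as well. Use `scram-sha-256` for the `host` lines and scope them, e.g. `host baserow baserow 10.88.0.11/32 scram-sha-256` (baserow's fixed address from L36), keep `peer` for local system services, and move the baserow password into its existing agenix env file. With `enableTCPIP = true` and 5432 opened in the host firewall at L33, external connections match no `pg_hba` line and are refused, but the open port still invites probing. In the mariadb hunk on this line no bind address is set, so MariaDB listens on all interfaces while 3306 is open; `settings.mysqld.bind-address = "10.88.0.1";` limits it to the bridge the containers use.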
@@ -0,0 +1,26 @@ +{ + config, + pkgs, + ... +}: { + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; + overrideDevices = true; + overrideFolders = true; + settings = { + devices = { + "LK-DATA" = { + id = "BI7CMZF-2SGQMXW-RG47HRG-FEH454J-ZTCE544-BXNSCSJ-PXCE7A7-R4CX2Q3"; + }; + }; + folders = { + "Bildvorschauen" = { + path = "/opt/service-data/http-images"; + devices = ["LK-DATA"]; + }; + }; + }; + }; +} diff --git a/hosts/lkk-nix-1/services/tailscale.nix b/hosts/lkk-nix-1/services/tailscale.nix new file mode 100644 index 0000000..cbb3cee --- /dev/null +++ b/hosts/lkk-nix-1/services/tailscale.nix @@ -0,0 +1,42 @@ +{ + config, + pkgs, + ... +}: { + services.tailscale = { + enable = true; + useRoutingFeatures = "both"; + }; + networking.firewall = { + trustedInterfaces = ["tailscale0"]; + }; + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = ["network-pre.target" "tailscale.service"]; + wants = ["network-pre.target" "tailscale.service"]; + wantedBy = ["multi-user.target"]; + + # set this service as a oneshot job + serviceConfig = { + Type = "oneshot"; + EnvironmentFile = "${config.age.secrets.tailscale-key.path}"; + }; + + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up --advertise-exit-node --authkey $TAILSCALE_KEY + ''; + }; +} diff --git a/hosts/lkk-nix-1/services/traefik.nix b/hosts/lkk-nix-1/services/traefik.nix new file mode 100644 index 0000000..51a76c5 --- /dev/null +++ b/hosts/lkk-nix-1/services/traefik.nix 
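Review bot: `guiAddress = "0.0.0.0:8384"` exposes the Syncthing GUI and REST API on every interface with no `settings.gui.user`/`settings.gui.password` configured, and because the tailscale hunk on this line adds `tailscale0` to `trustedInterfaces`, every tailnet peer reaches it unauthenticated; traefik already proxies it from `localhost:8384` at L42, so `guiAddress = "127.0.0.1:8384";` plus GUI credentials is the safer shape. Note also that the `Bildvorschauen` folder path `/opt/service-data/http-images` is the directory the `http-images` nginx container at L38 serves, so whatever the `LK-DATA` device pushes becomes public content — a one-line comment on the folder stating that this is intentional would help the next reader.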
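Review bot: In the `script`, `$status` and `$TAILSCALE_KEY` are unquoted; if `tailscale status -json` fails or prints nothing, `[ $status = "Running" ]` collapses to `[ = "Running" ]` and the oneshot errors out instead of falling through to `tailscale up`. Quote both: `if [ "$status" = "Running" ]; then` and `${tailscale}/bin/tailscale up --advertise-exit-node --authkey "$TAILSCALE_KEY"`. The key is also visible in the process command line while `tailscale up` runs; if the pinned tailscale supports it, the `file:` form of `--auth-key` pointing at the agenix secret path avoids that — confirm before switching. `sleep 2` is a fixed-delay race with `tailscaled` start-up; `after`/`wants` on `tailscale.service` is already there, so a short retry loop around the status check would be more robust than the sleep.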
@@ -0,0 +1,241 @@ +{ config, ... }: { + services.traefik = { + enable = true; + staticConfigOptions = { + log = { level = "WARN"; }; + certificatesResolvers = { + godaddy = { + acme = { + email = "dev@lanakk.com"; + storage = "/var/lib/traefik/acme.json"; + dnsChallenge = { provider = "godaddy"; }; + }; + }; + lets-encrypt = { + acme = { + email = "dev@lanakk.com"; + storage = "/var/lib/traefik/acme.json"; + tlsChallenge = { }; + }; + }; + }; + api = { }; + entryPoints = { + web = { + address = ":80"; + http.redirections.entryPoint = { + to = "websecure"; + scheme = "https"; + }; + }; + websecure = { address = ":443"; }; + }; + }; + dynamicConfigOptions = { + http = { + middlewares = { + auth = { + basicAuth = { + users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ]; + }; + }; + nextcloud_redirectregex = { + redirectRegex = { + permanent = true; + regex = "https://(.*)/.well-known/(?:card|cal)dav"; + replacement = "https://\${1}/remote.php/dav"; + }; + }; + nextcloud_headers = { + headers = { + referrerPolicy = "no-referrer"; + stsSeconds = "31536000"; + forceSTSHeader = true; + stsPreload = true; + stsIncludeSubdomains = true; + }; + }; + }; + services = { + baserow.loadBalancer.servers = [{ url = "http://localhost:3001/"; }]; + gitea.loadBalancer.servers = [{ url = "http://localhost:3000/"; }]; + n8n.loadBalancer.servers = [{ url = "http://localhost:5678/"; }]; + lanakk_blog.loadBalancer.servers = + [{ url = "http://localhost:3002/"; }]; + matomo.loadBalancer.servers = [{ url = "http://localhost:3003/"; }]; + ordercollector.loadBalancer.servers = + [{ url = "http://localhost:3004/"; }]; + nextcloud.loadBalancer.servers = + [{ url = "http://localhost:3005/"; }]; + mautic.loadBalancer.servers = [{ url = "http://localhost:3008/"; }]; + littlelink-lanakk.loadBalancer.servers = + [{ url = "http://localhost:3010/"; }]; + http-images.loadBalancer.servers = + [{ url = "http://localhost:3012/"; }]; + syncthing.loadBalancer.servers = + [{ url = 
"http://localhost:8384/"; }]; + metabase.loadBalancer.servers = [{ url = "http://localhost:3013/"; }]; + pgadmin.loadBalancer.servers = [{ url = "http://localhost:5050/"; }]; + vaultwarden.loadBalancer.servers = + [{ url = "http://localhost:3014/"; }]; + kk_blog.loadBalancer.servers = [{ url = "http://localhost:3015/"; }]; + }; + routers = { + api = { + rule = "Host(`r.lanakk.com`)"; + tls = { certResolver = "lets-encrypt"; }; + service = "api@internal"; + middlewares = "auth"; + entrypoints = "websecure"; + }; + baserow = { + rule = "Host(`db.lanakk.com`)"; + tls = { certResolver = "lets-encrypt"; }; + service = "baserow"; + entrypoints = "websecure"; + }; + gitea = { + rule = "Host(`code.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "code.lanakk.com"; + }; + service = "gitea"; + entrypoints = "websecure"; + }; + n8n = { + rule = "Host(`wf.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "wf.lanakk.com"; + }; + service = "n8n"; + entrypoints = "websecure"; + }; + ordercollector = { + rule = "Host(`api.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "api.lanakk.com"; + }; + service = "ordercollector"; + entrypoints = "websecure"; + }; + lanakk_blog = { + rule = "Host(`www.weltkarte-pinnwand.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "www.weltkarte-pinnwand.com"; + }; + service = "lanakk_blog"; + entrypoints = "websecure"; + }; + kk_blog = { + rule = "Host(`kk.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "kk.lanakk.com"; + }; + service = "kk_blog"; + entrypoints = "websecure"; + }; + matomo = { + rule = "Host(`stats.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "stats.lanakk.com"; + }; + service = "matomo"; + entrypoints = "websecure"; + }; + matomo-weltkarte-pinnwand = { + rule = "Host(`stats.weltkarte-pinnwand.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "stats.weltkarte-pinnwand.com"; + }; + service = "matomo"; 
+ entrypoints = "websecure"; + }; + pgadmin = { + rule = "Host(`pg.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "pg.lanakk.com"; + }; + service = "pgadmin"; + entrypoints = "websecure"; + }; + nextcloud = { + rule = "Host(`cloud.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "cloud.lanakk.com"; + }; + service = "nextcloud"; + entrypoints = "websecure"; + middlewares = "nextcloud_redirectregex,nextcloud_headers"; + }; + mautic = { + rule = "Host(`ma.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "ma.lanakk.com"; + }; + service = "mautic"; + entrypoints = "websecure"; + }; + littlelink-lanakk = { + rule = "Host(`links.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "links.lanakk.com"; + }; + service = "littlelink-lanakk"; + entrypoints = "websecure"; + }; + http-images = { + rule = "Host(`media.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "media.lanakk.com"; + }; + service = "http-images"; + entrypoints = "websecure"; + }; + syncthing = { + rule = "Host(`sync.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "sync.lanakk.com"; + }; + service = "syncthing"; + entrypoints = "websecure"; + }; + metabase = { + rule = "Host(`kpi.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "kpi.lanakk.com"; + }; + service = "metabase"; + entrypoints = "websecure"; + }; + vaultwarden = { + rule = "Host(`vw.lanakk.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "vw.lanakk.com"; + }; + service = "vaultwarden"; + entrypoints = "websecure"; + }; + }; + }; + }; + }; + + systemd.services.traefik.serviceConfig = { + EnvironmentFile = [ "${config.age.secrets.traefik-env.path}" ]; + }; +} diff --git a/hosts/lkk-nix-1/services/vaultwarden.nix b/hosts/lkk-nix-1/services/vaultwarden.nix new file mode 100644 index 0000000..7c42524 --- /dev/null +++ b/hosts/lkk-nix-1/services/vaultwarden.nix 
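Review bot: The `auth` middleware embeds the htpasswd entry `m3tam3re:$apr1$...` directly in the configuration, so it lands in git history and in the rendered dynamic-config file (which the module places in the world-readable Nix store), while the unit already receives an agenix secret through `EnvironmentFile`; `$apr1$` is the MD5-based Apache scheme and is cheap to brute-force once the hash is public. Use `basicAuth.usersFile = config.age.secrets.<traefik-users>.path;` (placeholder secret name) and regenerate the entry with bcrypt (`htpasswd -B`). The `godaddy` and `lets-encrypt` resolvers both point at `/var/lib/traefik/acme.json`; if both are ever active, give each its own storage file so they do not overwrite each other's state. The `sync.lanakk.com` and `pg.lanakk.com` routers forward without the `auth` middleware the `api` router uses; pgAdmin has its own login, but no Syncthing GUI credential is configured anywhere in this commit.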
@@ -0,0 +1,15 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.vaultwarden = {
+ enable = true;
+ backupDir = "/var/backup/vaultwarden";
+ config = {
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 3014;
+ };
+ environmentFile = "${config.age.secrets.vaultwarden-env.path}";
+ };
+}
diff --git a/hosts/lkk-prod-1/default.nix b/hosts/lkk-prod-1/default.nix
new file mode 100644
index 0000000..4947b54
--- /dev/null
+++ b/hosts/lkk-prod-1/default.nix
@@ -0,0 +1,176 @@ +{ + config, + pkgs, + outputs, + ... +}: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ../common/users/produktion + ../common/base + ]; + + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.loader.efi.efiSysMountPoint = "/boot/efi"; + + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking = { + hostName = "lkk-prod-1"; + networkmanager.enable = true; + firewall.enable = true; + }; + programs.fish.enable = true; + age = { + secrets = {tailscale-key.file = ../../secrets/tailscale-key.age;}; + identityPaths = ["/root/.ssh/lkk-nix-1"]; + }; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + }; + services.avahi.nssmdns4 = { + enable = true; + nssmdns = true; + }; + + services.tailscale = { + enable = true; + useRoutingFeatures = "client"; + }; + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = ["network-pre.target" "tailscale.service"]; + wants = ["network-pre.target" "tailscale.service"]; + wantedBy = ["multi-user.target"]; + + # set this service as a oneshot job + serviceConfig = { + Type = "oneshot"; + EnvironmentFile = "${config.age.secrets.tailscale-key.path}"; + }; + + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY + ''; + }; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = 
"127.0.0.1,localhost,internal.domain"; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # Select internationalisation properties. + i18n.defaultLocale = "de_DE.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "de_DE.UTF-8"; + LC_IDENTIFICATION = "de_DE.UTF-8"; + LC_MEASUREMENT = "de_DE.UTF-8"; + LC_MONETARY = "de_DE.UTF-8"; + LC_NAME = "de_DE.UTF-8"; + LC_NUMERIC = "de_DE.UTF-8"; + LC_PAPER = "de_DE.UTF-8"; + LC_TELEPHONE = "de_DE.UTF-8"; + LC_TIME = "de_DE.UTF-8"; + }; + + # Enable the X11 windowing system. + services.xserver.enable = true; + + # Enable the KDE Plasma Desktop Environment. + services.xserver.displayManager.sddm.enable = true; + services.xserver.desktopManager.plasma5.enable = true; + + # Configure keymap in X11 + services.xserver = {xkb.layout = "de";}; + + # Configure console keymap + console.keyMap = "de"; + + # Enable CUPS to print documents. + services.printing.enable = true; + + # Enable sound with pipewire. + sound.enable = true; + hardware.pulseaudio.enable = false; + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + + # use the example session manager (no others are packaged yet so this is enabled by default, + # no need to redefine it in your config for now) + #media-session.enable = true; + }; + + # Enable touchpad support (enabled default in most desktopManager). + # services.xserver.libinput.enable = true; + + nixpkgs = { + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + ]; + config = {allowUnfree = true;}; + }; + + # List packages installed in system profile. 
To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [neovim]; + nix = { + gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; + optimise.automatic = true; + }; + + system.stateVersion = "24.05"; # Did you read the comment? + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). +} diff --git a/hosts/lkk-prod-1/hardware-configuration.nix b/hosts/lkk-prod-1/hardware-configuration.nix new file mode 100644 index 0000000..44425dd --- /dev/null +++ b/hosts/lkk-prod-1/hardware-configuration.nix 
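Review bot: `services.openssh.settings.PermitRootLogin = "yes"` allows root to log in over SSH by any method, passwords included if password authentication is enabled, on a production machine; the m3-nix host in this commit sets `"no"`, and `"prohibit-password"` would still permit the key-based root access that deployment tooling may need. The same setting is in hosts/lkk-prod-2/default.nix. `services.avahi.nssmdns4 = { enable = true; nssmdns = true; };` assigns an attribute set to what m3-nix's own `nssmdns4 = true;` shows is a boolean option, so evaluation most likely fails or avahi is never enabled; write `services.avahi = { enable = true; nssmdns4 = true; };` (lkk-prod-2 has the same block). `age.identityPaths = ["/root/.ssh/lkk-nix-1"]` names the same path on every host in this commit; if that is literally one private key copied to each machine, compromise of any host decrypts every host's secrets, whereas the agenix default of the host's own `/etc/ssh/ssh_host_ed25519_key` keeps them separate.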
@@ -0,0 +1,43 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/hardware/network/broadcom-43xx.nix") + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/88887b78-5a75-49cf-991d-7a3c8f813799"; + fsType = "ext4"; + }; + + fileSystems."/boot/efi" = { + device = "/dev/disk/by-uuid/67E3-17ED"; + fsType = "vfat"; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/lkk-prod-2/default.nix b/hosts/lkk-prod-2/default.nix new file mode 100644 index 0000000..59ec80c --- /dev/null +++ b/hosts/lkk-prod-2/default.nix 
@@ -0,0 +1,176 @@ +{ + config, + pkgs, + outputs, + ... +}: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ../common/users/produktion + ../common/base + ]; + + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.loader.efi.efiSysMountPoint = "/boot/efi"; + + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking = { + hostName = "lkk-prod-2"; + networkmanager.enable = true; + firewall.enable = true; + }; + programs.fish.enable = true; + age = { + secrets = {tailscale-key.file = ../../secrets/tailscale-key.age;}; + identityPaths = ["/root/.ssh/lkk-nix-1"]; + }; + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + }; + services.avahi.nssmdns4 = { + enable = true; + nssmdns = true; + }; + services.tailscale = { + enable = true; + useRoutingFeatures = "client"; + }; + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = ["network-pre.target" "tailscale.service"]; + wants = ["network-pre.target" "tailscale.service"]; + wantedBy = ["multi-user.target"]; + + # set this service as a oneshot job + serviceConfig = { + Type = "oneshot"; + EnvironmentFile = "${config.age.secrets.tailscale-key.path}"; + }; + + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY + ''; + }; + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = 
"127.0.0.1,localhost,internal.domain"; + + # Set your time zone. + time.timeZone = "Europe/Berlin"; + + # Select internationalisation properties. + i18n.defaultLocale = "de_DE.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "de_DE.UTF-8"; + LC_IDENTIFICATION = "de_DE.UTF-8"; + LC_MEASUREMENT = "de_DE.UTF-8"; + LC_MONETARY = "de_DE.UTF-8"; + LC_NAME = "de_DE.UTF-8"; + LC_NUMERIC = "de_DE.UTF-8"; + LC_PAPER = "de_DE.UTF-8"; + LC_TELEPHONE = "de_DE.UTF-8"; + LC_TIME = "de_DE.UTF-8"; + }; + + # Enable the X11 windowing system. + services.xserver.enable = true; + + # Enable the KDE Plasma Desktop Environment. + services.xserver.displayManager.sddm.enable = true; + services.xserver.desktopManager.plasma5.enable = true; + + # Configure keymap in X11 + services.xserver = {xkb.layout = "de";}; + + # Configure console keymap + console.keyMap = "de"; + + # Enable CUPS to print documents. + services.printing.enable = true; + + # Enable sound with pipewire. + sound.enable = true; + hardware.pulseaudio.enable = false; + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + + # use the example session manager (no others are packaged yet so this is enabled by default, + # no need to redefine it in your config for now) + #media-session.enable = true; + }; + + # Enable touchpad support (enabled default in most desktopManager). + # services.xserver.libinput.enable = true; + + nixpkgs = { + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + ]; + config = {allowUnfree = true;}; + }; + + # List packages installed in system profile. 
To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [neovim]; + + nix = { + gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; + optimise.automatic = true; + }; + + system.stateVersion = "22.11"; # Did you read the comment? + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + # services.openssh.enable = true; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). +} diff --git a/hosts/lkk-prod-2/hardware-configuration.nix b/hosts/lkk-prod-2/hardware-configuration.nix new file mode 100644 index 0000000..a3edf65 --- /dev/null +++ b/hosts/lkk-prod-2/hardware-configuration.nix 
@@ -0,0 +1,43 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/hardware/network/broadcom-43xx.nix") + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/73092ab4-3dcb-4b39-8fa2-44c0341c44c0"; + fsType = "ext4"; + }; + + fileSystems."/boot/efi" = { + device = "/dev/disk/by-uuid/67E3-17ED"; + fsType = "vfat"; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/m3-nix/default.nix b/hosts/m3-nix/default.nix new file mode 100644 index 0000000..1335169 --- /dev/null +++ b/hosts/m3-nix/default.nix 
@@ -0,0 +1,148 @@ +{ config, inputs, outputs, pkgs, lib, ... }: +with pkgs; { + imports = [ + ./hardware.nix + ./hardware-configuration.nix # Include the results of the hardware scan. + ../common/users/m3tam3re + ../common/base + ./services + ]; + + specialisation = { + "NVIDIA".configuration = { + boot.kernelParams = [ "nvidia.NVreg_PreserveVideoMemoryAllocations=1" ]; + system.nixos.tags = [ "NVIDIA" ]; + services.xserver.videoDrivers = [ "nvidia" ]; + }; + }; + # Bootloader. + boot.loader.systemd-boot.enable = true; + boot.loader.systemd-boot.memtest86.enable = true; + + boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; + boot.kernelModules = [ "v4l2loopback" ]; + + boot.extraModprobeConfig = '' + options kvm_intel nested=1 + options kvm_intel emulate_invalid_guest_state=0 + options kvm ignore_msrs=1 + options v4l2loopback exclusive_caps=1 max_buffers=2 + ''; + + networking = { + hostName = "m3-nix"; + firewall.extraCommands = + "iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns"; + networkmanager.enable = true; + }; + + services.openssh = { + enable = true; + settings.PermitRootLogin = "no"; + allowSFTP = true; + }; + + services.avahi = { + enable = true; + nssmdns4 = true; + publish = { + addresses = true; + workstation = true; + userServices = true; + }; + }; + + programs.nix-ld.enable = true; + programs.nix-ld.libraries = with pkgs; + [ + # Add any missing dynamic libraries for unpackaged programs + # here, NOT in environment.systemPackages + ]; + programs.hyprland = { + enable = true; + xwayland.enable = true; + }; + programs.steam = { + enable = true; + remotePlay.openFirewall = true; + dedicatedServer.openFirewall = true; + }; + programs.fish.enable = true; + programs.thunar = { + enable = true; + plugins = with pkgs.xfce; [ thunar-archive-plugin thunar-volman ]; + }; + age = { + secrets = { + tailscale-key.file = ../../secrets/tailscale-key.age; + wg-key.file = ../../secrets/wg-key.age; + 
m3tam3re-secrets = { + file = ../../secrets/m3tam3re-secrets.age; + owner = "m3tam3re"; + }; + }; + identityPaths = [ "/root/.ssh/lkk-nix-1" ]; + }; + + time.timeZone = "Europe/Berlin"; + i18n.defaultLocale = "de_DE.utf8"; + console.keyMap = "de"; + + # NOTE: NIX related config + + programs.nh = { + enable = true; + clean.enable = true; + clean.extraArgs = "--keep-since 4d --keep 3"; + flake = "/home/m3tam3re/projects/nix-configurations"; + }; + nix.extraOptions = '' + experimental-features = nix-command + keep-outputs = true + keep-derivations = true + ''; + nix = { + settings = { + experimental-features = "nix-command flakes"; + trusted-users = [ "root" "m3tam3re" ]; + }; + gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; + optimise.automatic = true; + registry = (lib.mapAttrs (_: flake: { inherit flake; })) + ((lib.filterAttrs (_: lib.isType "flake")) inputs); + nixPath = [ "/etc/nix/path" ]; + }; + + environment.etc = lib.mapAttrs' (name: value: { + name = "nix/path/${name}"; + value.source = value.flake; + }) config.nix.registry; + environment.systemPackages = + [ neovim nvd nix-output-monitor wally-cli nfs-utils restic sshfs ]; + + systemd.extraConfig = '' + DefaultTimeoutStopSec=10s + ''; + nixpkgs = { + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + ]; + config = { + allowUnfree = true; + nvidia.acceptLicense = true; + }; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leavecatenate(variables, "bootdev", bootdev) + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "24.05"; # Did you read the comment? +} 
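Review bot: `nix.extraOptions` appends `experimental-features = nix-command` to nix.conf after `nix.settings.experimental-features = "nix-command flakes"` has already written the same key, so the file states the feature set twice with different values, and whichever entry nix honours, this host needs flakes for `programs.nh.flake`. Drop the `extraOptions` block and express everything in `nix.settings`: `experimental-features = [ "nix-command" "flakes" ]; keep-outputs = true; keep-derivations = true;`. `trusted-users = [ "root" "m3tam3re" ]` lets that account override daemon settings such as substituters, which is root-equivalent; acceptable on a single-user workstation, but worth a comment saying so. The stateVersion comment carries stray text, `leavecatenate(variables, "bootdev", bootdev)`, where the upstream template reads `leave`.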
diff --git a/hosts/m3-nix/hardware-configuration.nix b/hosts/m3-nix/hardware-configuration.nix
new file mode 100644
index 0000000..4d6ac18
--- /dev/null
+++ b/hosts/m3-nix/hardware-configuration.nix
@@ -0,0 +1,67 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [(modulesPath + "/installer/scan/not-detected.nix")]; + + boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "ahci" "nvme" "usb_storage" "sd_mod"]; + boot.initrd.kernelModules = []; + boot.kernelModules = ["kvm-intel"]; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d"; + fsType = "btrfs"; + options = ["subvol=root" "compress=zstd"]; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d"; + fsType = "btrfs"; + options = ["subvol=home" "compress=zstd"]; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d"; + fsType = "btrfs"; + options = ["subvol=home" "compress=zstd" "noatime"]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/4811-EA6E"; + fsType = "vfat"; + }; + + fileSystems."/opt" = { + device = "/dev/disk/by-uuid/3574df3a-2a90-4b54-9c21-128f1d01ff8f"; + fsType = "btrfs"; + options = ["noatime" "compress=zstd"]; + }; + + fileSystems."/mnt/skynet-bkg" = { + device = "100.94.135.99:/volume3/bkg"; + fsType = "nfs"; + options = ["noauto" "x-systemd.automount"]; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp46s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlo1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = + lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/m3-nix/hardware.nix b/hosts/m3-nix/hardware.nix new file mode 100644 index 0000000..8a7787e --- /dev/null +++ b/hosts/m3-nix/hardware.nix 
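Review bot: `fileSystems."/nix"` mounts the same device with `options = ["subvol=home" "compress=zstd" "noatime"]`, the same subvolume as the `/home` entry directly above it; if that is a copy-paste slip rather than the real layout, `/nix` and `/home` are one subvolume and the store shares its space and snapshots with user data — confirm against `btrfs subvolume list` and use `subvol=nix` if a separate subvolume exists. The header says the file is generated, so if it was hand-edited (the `/mnt/skynet-bkg` NFS automount looks hand-added) the edits should move to hardware.nix so a regeneration does not silently drop them.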
@@ -0,0 +1,54 @@
+{ config, pkgs, ... }: {
+ hardware.nvidia = {
+ package = let
+ rcu_patch = pkgs.fetchpatch {
+ url =
+ "https://github.com/gentoo/gentoo/raw/c64caf53/x11-drivers/nvidia-drivers/files/nvidia-drivers-470.223.02-gpl-pfn_valid.patch";
+ hash = "sha256-eZiQQp2S/asE7MfGvfe6dA/kdCvek9SYa/FFGp24dVg=";
+ };
+ in config.boot.kernelPackages.nvidiaPackages.mkDriver {
+ version = "535.154.05";
+ sha256_64bit = "sha256-fpUGXKprgt6SYRDxSCemGXLrEsIA6GOinp+0eGbqqJg=";
+ sha256_aarch64 = "sha256-G0/GiObf/BZMkzzET8HQjdIcvCSqB1uhsinro2HLK9k=";
+ openSha256 = "sha256-wvRdHguGLxS0mR06P5Qi++pDJBCF8pJ8hr4T8O6TJIo=";
+ settingsSha256 = "sha256-9wqoDEWY4I7weWW05F4igj1Gj9wjHsREFMztfEmqm10=";
+ persistencedSha256 =
+ "sha256-d0Q3Lk80JqkS1B54Mahu2yY/WocOqFFbZVBh+ToGhaE=";
+
+ #version = "550.40.07";
+ #sha256_64bit = "sha256-KYk2xye37v7ZW7h+uNJM/u8fNf7KyGTZjiaU03dJpK0=";
+ #sha256_aarch64 = "sha256-AV7KgRXYaQGBFl7zuRcfnTGr8rS5n13nGUIe3mJTXb4=";
+ #openSha256 = "sha256-mRUTEWVsbjq+psVe+kAT6MjyZuLkG2yRDxCMvDJRL1I=";
+ #settingsSha256 = "sha256-c30AQa4g4a1EHmaEu1yc05oqY01y+IusbBuq+P6rMCs=";
+ #persistencedSha256 = "sha256-11tLSY8uUIl4X/roNnxf5yS2PQvHvoNjnd2CB67e870=";
+
+ patches = [ rcu_patch ];
+ };
+ prime = {
+ offload.enable = false;
+
+ # Bus ID of the Intel GPU. You can find it using lspci, either under 3D or VGA
+ intelBusId = "PCI:0:2:0";
+
+ # Bus ID of the NVIDIA GPU. You can find it using lspci, either under 3D or VGA
+ nvidiaBusId = "PCI:1:0:0";
+ };
+ modesetting.enable = true;
+ powerManagement.finegrained = false;
+ powerManagement.enable = true;
+ open = false;
+ dynamicBoost.enable = true;
+ nvidiaSettings = true;
+ };
+ hardware.opengl.enable = true;
+ hardware.opengl.driSupport32Bit = true;
+ services.hardware.bolt.enable = true;
+ services.auto-cpufreq.enable = true;
+ services.tlp.enable = true;
+ services.fstrim.enable = true;
+ hardware.bluetooth.enable = true;
+ hardware.keyboard.zsa.enable = true;
+ hardware.tuxedo-rs.enable = true;
+ hardware.tuxedo-rs.tailor-gui.enable = true;
+ hardware.tuxedo-keyboard.enable = true;
+}
diff --git a/hosts/m3-nix/services/cron.nix b/hosts/m3-nix/services/cron.nix
new file mode 100644
index 0000000..0820c0d
--- /dev/null
+++ b/hosts/m3-nix/services/cron.nix
@@ -0,0 +1,6 @@
+{
+ services.cron = {
+ enable = true;
+ systemCronJobs = [""];
+ };
+}
diff --git a/hosts/m3-nix/services/default.nix b/hosts/m3-nix/services/default.nix
new file mode 100644
index 0000000..a14cb15
--- /dev/null
+++ b/hosts/m3-nix/services/default.nix
@@ -0,0 +1,32 @@
+{pkgs, ...}: {
+ imports = [
+ ./cron.nix
+ ./flatpak.nix
+ ./prometheus-node.nix
+ ./ollama.nix
+ ./sound.nix
+ ./udev.nix
+ ./restic.nix
+ ./tailscale.nix
+ ./virtualization.nix
+ ./wireguard.nix
+ #./xserver.nix
+ ];
+
+ # services.gvfs = {
+ # enable = true;
+ # package = pkgs.gnome3.gvfs;
+ # };
+ # services.kubo = { enable = true; }; # IPFS
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ pinentryPackage = pkgs.pinentry-gnome3;
+ };
+ services.printing.enable = true;
+ services.sabnzbd.enable = true;
+ services.i2p.enable = true;
+ services.gvfs.enable = true;
+ services.trezord.enable = true;
+ services.logind.lidSwitchExternalPower = "ignore";
+}
diff --git a/hosts/m3-nix/services/flatpak.nix b/hosts/m3-nix/services/flatpak.nix
new file mode 100644
index 0000000..eb6ea2e
--- /dev/null
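Review bot: `systemCronJobs = [""]` registers a single empty crontab entry, which presumably contributes nothing but a blank line to the system crontab; `systemCronJobs = [];` or simply `services.cron.enable = true;` states the intent (no jobs yet) without a placeholder that later edits may leave in place alongside real entries.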
+++ b/hosts/m3-nix/services/flatpak.nix
@@ -0,0 +1,8 @@
+{pkgs, ...}: {
+ services.flatpak.enable = true;
+ xdg.portal = {
+ # xdg desktop intergration (required for flatpak)
+ enable = true;
+ extraPortals = [pkgs.xdg-desktop-portal-gtk];
+ };
+}
diff --git a/hosts/m3-nix/services/ollama.nix b/hosts/m3-nix/services/ollama.nix
new file mode 100644
index 0000000..7b28157
--- /dev/null
+++ b/hosts/m3-nix/services/ollama.nix
@@ -0,0 +1,7 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.ollama = {enable = true;};
+}
diff --git a/hosts/m3-nix/services/prometheus-node.nix b/hosts/m3-nix/services/prometheus-node.nix
new file mode 100644
index 0000000..30aa66a
--- /dev/null
+++ b/hosts/m3-nix/services/prometheus-node.nix
@@ -0,0 +1,10 @@
+{
+ services.prometheus.exporters.node = {
+ enable = true;
+ port = 8081;
+ enabledCollectors = ["logind" "systemd"];
+ disabledCollectors = ["textfile"];
+ openFirewall = true;
+ firewallFilter = "-i br0 -p tcp -m tcp --dport 8081";
+ };
+}
diff --git a/hosts/m3-nix/services/restic.nix b/hosts/m3-nix/services/restic.nix
new file mode 100644
index 0000000..3111a3a
--- /dev/null
+++ b/hosts/m3-nix/services/restic.nix
@@ -0,0 +1,25 @@
+{
+ services.restic.backups = {
+ skynet = {
+ repository = "/mnt/skynet-bkg/m3-nix";
+ passwordFile = "/etc/nixos/restic-pass";
+ initialize = true;
+ paths = ["/home/m3tam3re"];
+ exclude = [
+ "/home/m3tam3re/.cache"
+ "/home/m3tam3re/Bilder/"
+ "/home/m3tam3re/Videos/"
+ "/home/m3tam3re/Downloads"
+ "/home/m3tam3re/Library"
+ "/home/m3tam3re/Projekte"
+ "/home/m3tam3re/Sync"
+ "/home/m3tam3re/.local/share/Trash"
+ ];
+ timerConfig = {
+ OnCalendar = "09:30";
+ RandomizedDelaySec = "2h";
+ Persistent = true;
+ };
+ };
+ };
+}
diff --git a/hosts/m3-nix/services/sound.nix b/hosts/m3-nix/services/sound.nix
new file mode 100644
index 0000000..207fe01
--- /dev/null
+++ b/hosts/m3-nix/services/sound.nix
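Review bot: `passwordFile = "/etc/nixos/restic-pass"` reads the repository password from a file that nothing in this configuration creates or protects, while every other secret in the commit goes through agenix (`config.age.secrets.<name>.path`); a loose plaintext file under /etc/nixos is not reproducible on a fresh install and its permissions are unmanaged. Declare it as `passwordFile = config.age.secrets.restic-pass.path;` with a matching `age.secrets.restic-pass.file = ../../secrets/restic-pass.age;` entry (placeholder names) next to the other secrets in hosts/m3-nix/default.nix. The repository lives on the `noauto`/`x-systemd.automount` NFS mount from hardware-configuration.nix, so a run while the server is unreachable fails; with `initialize = true` that is safe, but a failure notification on the timer would be worth adding.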
@@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+ sound.enable = true;
+ sound.mediaKeys.enable = true;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = false;
+ wireplumber.enable = true;
+ wireplumber.package = pkgs.stable.wireplumber;
+ };
+}
diff --git a/hosts/m3-nix/services/tailscale.nix b/hosts/m3-nix/services/tailscale.nix
new file mode 100644
index 0000000..7910806
--- /dev/null
+++ b/hosts/m3-nix/services/tailscale.nix
@@ -0,0 +1,40 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "client";
+ };
+
+ systemd.services.tailscale-autoconnect = {
+ description = "Automatic connection to Tailscale";
+
+ # make sure tailscale is running before trying to connect to tailscale
+ after = ["network-pre.target" "tailscale.service"];
+ wants = ["network-pre.target" "tailscale.service"];
+ wantedBy = ["multi-user.target"];
+
+ # set this service as a oneshot job
+ serviceConfig = {
+ Type = "oneshot";
+ EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
+ };
+
+ # have the job run this shell script
+ script = with pkgs; ''
+ # wait for tailscaled to settle
+ sleep 2
+
+ # check if we are already authenticated to tailscale
+ status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+ if [ $status = "Running" ]; then # if so, then do nothing
+ exit 0
+ fi
+
+ # otherwise authenticate with tailscale
+ ${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
+ '';
+ };
+}
diff --git a/hosts/m3-nix/services/udev.nix b/hosts/m3-nix/services/udev.nix
new file mode 100644
index 0000000..13a692d
--- /dev/null
+++ b/hosts/m3-nix/services/udev.nix
@@ -0,0 +1,5 @@
+{pkgs, ...}: {
+ services.udev.extraRules = ''
+ SUBSYSTEM=="usb", MODE="0666
+ '';
+}
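Review bot: `if [ $status = "Running" ]` in the tailscale-autoconnect script leaves `$status` unquoted, so when `tailscale status -json` yields nothing (tailscaled still starting despite the `sleep 2`, which the `after=` ordering does not guard against) the test collapses to `[ = "Running" ]` and the script aborts with a shell error instead of authenticating; `$TAILSCALE_KEY` on the `tailscale up` line is unquoted too. Change to `if [ "$status" = "Running" ]; then` and `--authkey "$TAILSCALE_KEY"`. The same script is duplicated in hosts/m3-r1/services/tailscale.nix (line 74 of this chunk) with `--advertise-exit-node`; the fix applies there as well, and the two copies could share one module with the `tailscale up` flags as the only parameter. A comment naming what `100.88.96.77` is (`# exit node: <HOST_NAME>`, placeholder) would help the next reader of the `--exit-node` line.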
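Review bot: `MODE="0666` in udev.nix is missing its closing quote, so udev will reject the rule when it parses the file and the extra rule has no effect. Once fixed, `SUBSYSTEM=="usb", MODE="0666"` makes every USB device node world-writable for all local users, which is broader than any single device needs; scope the match to the device (e.g. `ATTR{idVendor}=="<VENDOR_ID>"`, placeholder) and prefer `TAG+="uaccess"` so only the active seat's user gets access. The `pkgs` argument of the module is unused.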
diff --git a/hosts/m3-nix/services/virtualization.nix b/hosts/m3-nix/services/virtualization.nix new file mode 100644 index 0000000..7e7661b --- /dev/null +++ b/hosts/m3-nix/services/virtualization.nix @@ -0,0 +1,19 @@ +{pkgs, ...}: { + virtualisation = { + libvirtd = { + enable = true; + qemu = { + swtpm.enable = true; + ovmf = { + enable = true; + packages = [pkgs.OVMFFull]; + }; + }; + }; + containers.cdi.dynamic.nvidia.enable = true; + podman = { + enable = true; + defaultNetwork.settings.dns_enabled = true; + }; + }; +} diff --git a/hosts/m3-nix/services/wireguard.nix b/hosts/m3-nix/services/wireguard.nix new file mode 100644 index 0000000..f3a0603 --- /dev/null +++ b/hosts/m3-nix/services/wireguard.nix @@ -0,0 +1,8 @@ +{config, ...}: { + networking.wg-quick.interfaces = { + wg0 = { + configFile = config.age.secrets.wg-key.path; + autostart = false; + }; + }; +} diff --git a/hosts/m3-nix/services/xserver.nix b/hosts/m3-nix/services/xserver.nix new file mode 100644 index 0000000..17bff04 --- /dev/null +++ b/hosts/m3-nix/services/xserver.nix @@ -0,0 +1,19 @@ +{pkgs, ...}: { + services.xserver.videoDrivers = ["nvidia"]; + # services.xserver = { + # enable = true; + # videoDrivers = [ "nvidia" ]; + # displayManager = { + # defaultSession = "hyprland"; + # sddm = { enable = true; }; + # }; + # libinput.enable = true; # touchpad support + # layout = "de"; + # xkbOptions = "ctrl:nocaps"; + # }; + # services.xserver.screenSection = '' + # Option "metamodes" "nvidia-auto-select +0+0 {ForceFullCompositionPipeline=On}" + # Option "AllowIndirectGLXProtocol" "off" + # Option "TripleBuffer" "on" + # ''; +} diff --git a/hosts/m3-nix/vfio.nix b/hosts/m3-nix/vfio.nix new file mode 100644 index 0000000..34b14c9 --- /dev/null +++ b/hosts/m3-nix/vfio.nix 
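Review bot: `services.xserver.videoDrivers = ["nvidia"];` in xserver.nix is the only place on this page the nvidia driver is selected, yet services/default.nix imports the file commented out (`#./xserver.nix`), so unless it is set elsewhere the `hardware.nvidia.*` block in the hardware file configures a driver that is never loaded. If the rest of the file is meant to stay disabled, move the `videoDrivers` line next to the `hardware.nvidia` block and keep xserver.nix out of the imports; otherwise re-enable the import. The commented `layout`/`xkbOptions`/`libinput.enable` lines use option names that have since been renamed in recent NixOS releases, so a note `# stale option names — re-check before re-enabling` would save the next reader a round of evaluation errors.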
@@ -0,0 +1,40 @@ +let + gpuIDs = [ + "10de:249d" # Graphics + "10de:228b" # Audio + ]; +in + { + pkgs, + lib, + config, + ... + }: { + options.vfio.enable = with lib; + mkEnableOption "Configure the machine for VFIO"; + + config = let + cfg = config.vfio; + in { + boot = { + initrd.kernelModules = [ + "vfio_pci" + "vfio" + "vfio_iommu_type1" + "vfio_virqfd" + ]; + + kernelParams = + [ + # enable IOMMU + "intel_iommu=on" + ] + ++ lib.optional cfg.enable + # isolate the GPU + ("vfio-pci.ids=" + lib.concatStringsSep "," gpuIDs); + }; + + hardware.opengl.enable = true; + virtualisation.spiceUSBRedirection.enable = true; + }; + } diff --git a/hosts/m3-r1/default.nix b/hosts/m3-r1/default.nix new file mode 100644 index 0000000..b1d5a98 --- /dev/null +++ b/hosts/m3-r1/default.nix 
@@ -0,0 +1,104 @@ +{ inputs, outputs, lib, config, pkgs, ... }: { + imports = [ + ./hardware-configuration.nix + ../common/users/m3tam3re + ../common/base + ./services + ]; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + services.openssh.enable = true; + services.openssh.settings.PasswordAuthentication = false; + networking = { + hostName = "m3-r1"; + firewall.enable = true; + firewall.allowedTCPPortRanges = [{ + from = 3000; + to = 3100; + }]; + firewall.allowedTCPPorts = [ 53 80 443 5432 3306 3478 ]; + firewall.allowedUDPPorts = [ 53 51820 41641 ]; + firewall.allowedUDPPortRanges = [{ + from = 3478; + to = 3481; + }]; + }; + programs.fish.enable = true; + age = { + secrets = { + mj-smtp-user.file = ../../secrets/mj-smtp-user.age; + mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age; + openai.file = ../../secrets/openai.age; + tailscale-key.file = ../../secrets/tailscale-key.age; + + vaultwarden-env = { + file = ../../secrets/vaultwarden-env.age; + mode = "770"; + }; + n8n-env = { + file = ../../secrets/n8n-m3r1.age; + mode = "770"; + }; + + traefik-env = { + file = ../../secrets/traefik-env.age; + mode = "770"; + owner = "traefik"; + }; + + searx-environmentFile = { + file = ../../secrets/searx-environmentFile.age; + mode = "770"; + owner = "searx"; + }; + + littlelink-m3tam3re-env = { + file = ../../secrets/littlelink-m3tam3re-env.age; + mode = "770"; + }; + }; + identityPaths = [ "/root/.ssh/lkk-nix-1" ]; + }; + + nix = { + extraOptions = '' + experimental-features = nix-command + keep-outputs = true + keep-derivations = true + ''; + + settings = { + experimental-features = "nix-command flakes"; + trusted-users = [ "root" "m3tam3re" ]; + }; + gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; + optimise.automatic = true; + registry = (lib.mapAttrs (_: flake: { inherit flake; })) + ((lib.filterAttrs (_: lib.isType "flake")) inputs); + nixPath = [ "/etc/nix/path" ]; + }; + + environment.etc = 
lib.mapAttrs' (name: value: { + name = "nix/path/${name}"; + value.source = value.flake; + }) config.nix.registry; + + systemd.extraConfig = '' + DefaultTimeoutStopSec=10s + ''; + nixpkgs = { + overlays = [ + outputs.overlays.additions + outputs.overlays.modifications + outputs.overlays.stable-packages + ]; + config = { allowUnfree = true; }; + }; + + system.stateVersion = "23.05"; # Did you read the comment? +} diff --git a/hosts/m3-r1/hardware-configuration.nix b/hosts/m3-r1/hardware-configuration.nix new file mode 100644 index 0000000..2d69ed8 --- /dev/null +++ b/hosts/m3-r1/hardware-configuration.nix 
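Review bot: `firewall.allowedTCPPortRanges = [{ from = 3000; to = 3100; }]` opens the whole range the containers publish on (3001, 3003, 3004, 3009, 3011, 3012 via `ports = ["PORT:80"]`, which bind on every interface), so each backend is reachable directly over plain HTTP and without the Traefik `auth` middleware the router config relies on; only mautic.nix binds to `127.0.0.1:3008:80`. Make the others bind to loopback the same way and drop this range — along with `5432` and `3306`, which Traefik does not front at all — from the allowed lists, leaving 80/443 to Traefik. `mode = "770"` on the age secrets grants an execute bit no consumer needs; `"0400"` (with `owner`/`group` where a service reads the file itself rather than through systemd `EnvironmentFile=`) is the usual shape. The `identityPaths` entry hard-codes a key file that nothing else on this page documents; a comment tying it to the `system` recipient in secrets.nix would make the pairing auditable.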
@@ -0,0 +1,53 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/5e3a0875-005c-49c4-9dbf-86e471e7e881"; + fsType = "btrfs"; + options = ["subvol=root" "compress=zstd"]; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/5e3a0875-005c-49c4-9dbf-86e471e7e881"; + fsType = "btrfs"; + options = ["subvol=home" "compress=zstd"]; + }; + + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/5e3a0875-005c-49c4-9dbf-86e471e7e881"; + fsType = "btrfs"; + options = ["subvol=nix" "compress=zstd"]; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/A79C-4B9F"; + fsType = "vfat"; + }; + + swapDevices = []; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/m3-r1/services/container.nix b/hosts/m3-r1/services/container.nix new file mode 100644 index 0000000..3790e64 --- /dev/null +++ b/hosts/m3-r1/services/container.nix 
@@ -0,0 +1,13 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ imports = [./containers];
+
+ virtualisation.podman = {
+ enable = true;
+ defaultNetwork.settings = {dns_enabled = true;};
+ };
+ virtualisation.oci-containers.backend = "podman";
+}
diff --git a/hosts/m3-r1/services/containers/baserow.nix b/hosts/m3-r1/services/containers/baserow.nix
new file mode 100644
index 0000000..1659668
--- /dev/null
+++ b/hosts/m3-r1/services/containers/baserow.nix
@@ -0,0 +1,25 @@
+{ config, outputs, ... }: {
+ virtualisation.oci-containers.containers."baserow" = {
+ image = "docker.io/baserow/baserow:1.24.2";
+ environment = {
+ BASEROW_PUBLIC_URL = "https://br.m3tam3re.com";
+
+ POSTGRES_USER = "baserow";
+ POSTGRES_PASSWORD = "baserow";
+ POSTGRES_DB = "baserow";
+ DATABASE_HOST = "postgres";
+ DATABASE_NAME = "baserow";
+ DATABASE_USER = "baserow";
+ DATABASE_PASSWORD = "baserow";
+
+ EMAIL_SMTP = "in-v3.mailjet.com";
+ EMAIL_SMTP_HOST = "in-v3.mailjet.com";
+ EMAIL_SMTP_PORT = "587";
+ EMAIL_SMTP_USER = config.age.secrets.mj-smtp-user.path;
+ EMAIL_SMTP_PASSWORD = config.age.secrets.mj-smtp-pass.path;
+ };
+ ports = [ "3001:80" ];
+ volumes = [ "baserow_data:/baserow/data" ];
+ extraOptions = [ "--add-host=postgres:10.88.0.1" "--ip=10.88.0.11" ];
+ };
+}
diff --git a/hosts/m3-r1/services/containers/briefkasten.nix b/hosts/m3-r1/services/containers/briefkasten.nix
new file mode 100644
index 0000000..2671ab9
--- /dev/null
+++ b/hosts/m3-r1/services/containers/briefkasten.nix
@@ -0,0 +1,12 @@
+{
+ config,
+ outputs,
+ ...
+}: {
+ virtualisation.oci-containers.containers."briefkasten" = {
+ image = "docker.io/ndom91/briefkasten";
+ environmentFiles = [config.age.secrets.briefkasten-env.path];
+ ports = ["3009:3000"];
+ extraOptions = ["--add-host=postgres:10.88.0.1" "--ip=10.88.0.19"];
+ };
+}
diff --git a/hosts/m3-r1/services/containers/default.nix b/hosts/m3-r1/services/containers/default.nix
new file mode 100644
index 0000000..76edb8c
--- /dev/null
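Review bot: `EMAIL_SMTP_USER = config.age.secrets.mj-smtp-user.path` (and `EMAIL_SMTP_PASSWORD`) put the host-side path of the decrypted secret into the container environment rather than its contents, so Baserow will present the agenix path string as its Mailjet login — and the container cannot read that path anyway. Use `environmentFiles = [config.age.secrets.baserow-env.path];` as briefkasten.nix does (secrets.nix already lists `secrets/baserow-env.age`) and move `POSTGRES_PASSWORD`/`DATABASE_PASSWORD` in there too, since `"baserow"` is currently committed in clear both here and in postgres.nix. `ports = [ "3001:80" ]` binds on every interface; `"127.0.0.1:3001:80"` keeps the backend behind Traefik, matching mautic.nix. The `outputs` argument is unused.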
+++ b/hosts/m3-r1/services/containers/default.nix @@ -0,0 +1,12 @@ +{ + imports = [ + ./baserow.nix + # ./briefkasten.nix + ./little-link.nix + ./matomo.nix + ./mautic.nix + # ./nextcloud.nix + ./nginx.nix + # ./wordpress.nix + ]; +} diff --git a/hosts/m3-r1/services/containers/little-link.nix b/hosts/m3-r1/services/containers/little-link.nix new file mode 100644 index 0000000..126c3b6 --- /dev/null +++ b/hosts/m3-r1/services/containers/little-link.nix @@ -0,0 +1,12 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."littlelink_m3tam3re" = { + image = "ghcr.io/techno-tim/littlelink-server"; + environmentFiles = [config.age.secrets.littlelink-m3tam3re-env.path]; + ports = ["3011:3000"]; + extraOptions = ["--ip=10.88.0.21"]; + }; +} diff --git a/hosts/m3-r1/services/containers/matomo.nix b/hosts/m3-r1/services/containers/matomo.nix new file mode 100644 index 0000000..326ee12 --- /dev/null +++ b/hosts/m3-r1/services/containers/matomo.nix @@ -0,0 +1,19 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."matomo" = { + image = "docker.io/matomo"; + environment = { + MATOMO_DATABASE_HOST = "mysql"; + MATOMO_DATABASE_USERNAME = "matomo"; + MATOMO_DATABASE_PASSWORD = "matomo"; + MATOMO_DATABASE_DBNAME = "matomo"; + PHP_MEMORY_LIMIT = "2048M"; + }; + ports = ["3003:80"]; + volumes = ["matomo_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.13"]; + }; +} diff --git a/hosts/m3-r1/services/containers/mautic.nix b/hosts/m3-r1/services/containers/mautic.nix new file mode 100644 index 0000000..73b9639 --- /dev/null +++ b/hosts/m3-r1/services/containers/mautic.nix 
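Review bot: `image = "docker.io/matomo";` carries no tag, so each pull on this host silently takes whatever `latest` is at that moment — the same applies to `docker.io/nextcloud`, `docker.io/wordpress`, `docker.io/ndom91/briefkasten` and `ghcr.io/techno-tim/littlelink-server` in the sibling files, while baserow.nix pins `:1.24.2`. Pin a version (or digest) on each so a rebuild is reproducible and an upgrade is a reviewed change. `MATOMO_DATABASE_PASSWORD = "matomo"` is committed in clear; an `environmentFiles` entry backed by an age secret, as briefkasten.nix uses, keeps it out of the repository.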
@@ -0,0 +1,20 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."mautic" = { + image = "docker.io/mautic/mautic:v4-apache"; + environment = { + MAUTIC_DB_HOST = "mysql"; + MAUTIC_DB_USER = "mautic"; + MAUTIC_DB_PASSWORD = "mautic"; + MAUTIC_DB_DBNAME = "mautic"; + PHP_MEMORY_LIMIT = "2048M"; + MAUTIC_RUN_CRON_JOBS = "true"; + }; + ports = ["127.0.0.1:3008:80"]; + volumes = ["mautic_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.23"]; + }; +} diff --git a/hosts/m3-r1/services/containers/nextcloud.nix b/hosts/m3-r1/services/containers/nextcloud.nix new file mode 100644 index 0000000..e61191c --- /dev/null +++ b/hosts/m3-r1/services/containers/nextcloud.nix @@ -0,0 +1,18 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."nextcloud" = { + image = "docker.io/nextcloud"; + environment = { + TRUSTED_PROXIES = "10.88.0.1/16"; + OVERWRITEPROTOCOL = "https"; + OVERWRITECLIURL = "https://cloud.lanakk.com"; + OVERWRITEHOST = "cloud.lanakk.com"; + }; + ports = ["3005:80"]; + volumes = ["nextcloud_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.15"]; + }; +} diff --git a/hosts/m3-r1/services/containers/nginx.nix b/hosts/m3-r1/services/containers/nginx.nix new file mode 100644 index 0000000..c2da3d3 --- /dev/null +++ b/hosts/m3-r1/services/containers/nginx.nix @@ -0,0 +1,8 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."http-images" = { + image = "docker.io/nginx:alpine"; + ports = [ "3012:80" ]; + volumes = [ "/var/www/m3tam3re.com/www:/usr/share/nginx/html" ]; + extraOptions = [ "--ip=10.88.0.22" ]; + }; +} diff --git a/hosts/m3-r1/services/containers/wireguard.nix b/hosts/m3-r1/services/containers/wireguard.nix new file mode 100644 index 0000000..29d5b8b --- /dev/null +++ b/hosts/m3-r1/services/containers/wireguard.nix 
@@ -0,0 +1,22 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."wireguard" = { + image = "docker.io/weejewel/wg-easy"; + environment = { + WG_HOST = "wg.lanakk.com"; + WG_DEFAULT_DNS = "10.88.0.1:5353"; + }; + ports = ["3007:51821/tcp" "51820:51820/udp"]; + volumes = ["wireguard_data:/etc/wireguard"]; + extraOptions = [ + "--cap-add=NET_ADMIN" + "--cap-add=SYS_MODULE" + "--sysctl=net.ipv4.conf.all.src_valid_mark=1" + "--sysctl=net.ipv4.ip_forward=1" + "--ip=10.88.0.17" + ]; + }; +} diff --git a/hosts/m3-r1/services/containers/wordpress.nix b/hosts/m3-r1/services/containers/wordpress.nix new file mode 100644 index 0000000..45bcdd1 --- /dev/null +++ b/hosts/m3-r1/services/containers/wordpress.nix @@ -0,0 +1,18 @@ +{ + config, + outputs, + ... +}: { + virtualisation.oci-containers.containers."lanakk_blog" = { + image = "docker.io/wordpress"; + environment = { + WORDPRESS_DB_HOST = "mysql"; + WORDPRESS_DB_USER = "wp"; + WORDPRESS_DB_PASSWORD = "wp"; + WORDPRESS_DB_NAME = "lanakk_blog"; + }; + ports = ["3002:80"]; + volumes = ["lanakk_blog_data:/var/www/html"]; + extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.12"]; + }; +} diff --git a/hosts/m3-r1/services/default.nix b/hosts/m3-r1/services/default.nix new file mode 100644 index 0000000..bad37e3 --- /dev/null +++ b/hosts/m3-r1/services/default.nix @@ -0,0 +1,14 @@ +{ + imports = [ + ./container.nix + ./gitea.nix + ./mariadb.nix + # ./n8n.nix + ./postgres.nix + ./searx.nix + ./syncthing.nix + # ./tailscale.nix + ./traefik.nix + # ./vaultwarden.nix + ]; +} diff --git a/hosts/m3-r1/services/gitea.nix b/hosts/m3-r1/services/gitea.nix new file mode 100644 index 0000000..47fdd45 --- /dev/null +++ b/hosts/m3-r1/services/gitea.nix 
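Review bot: `"--cap-add=SYS_MODULE"` lets the wg-easy container load arbitrary kernel modules into the host, which is equivalent to host root and undoes the isolation the rest of `extraOptions` keeps; it is only needed when the host has no wireguard module available. Load the module on the host instead (`boot.kernelModules = ["wireguard"];`, the option hardware-configuration.nix already uses) and drop `SYS_MODULE`, keeping `NET_ADMIN` and the two sysctls. `image = "docker.io/weejewel/wg-easy"` is untagged; pin it. The file is not in containers/default.nix's imports, so this is dormant until it is added.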
@@ -0,0 +1,16 @@ +{ + config, + pkgs, + ... +}: { + services.gitea = { + enable = true; + settings.server.ROOT_URL = "https://code.m3tam3re.com"; + lfs.enable = true; + dump = { + enable = true; + interval = "03:30:00"; + backupDir = "/var/backup/gitea"; + }; + }; +} diff --git a/hosts/m3-r1/services/mariadb.nix b/hosts/m3-r1/services/mariadb.nix new file mode 100644 index 0000000..2930f5e --- /dev/null +++ b/hosts/m3-r1/services/mariadb.nix @@ -0,0 +1,15 @@ +{ + pkgs, + config, + ... +}: { + services.mysql = { + enable = true; + package = pkgs.mariadb; + }; + services.mysqlBackup = { + enable = true; + calendar = "03:00:00"; + databases = ["matomo"]; + }; +} diff --git a/hosts/m3-r1/services/n8n.nix b/hosts/m3-r1/services/n8n.nix new file mode 100644 index 0000000..46e76c3 --- /dev/null +++ b/hosts/m3-r1/services/n8n.nix @@ -0,0 +1,18 @@ +{ + config, + pkgs, + ... +}: { + services.n8n = { + enable = true; + openFirewall = true; + settings = { + host = "wf.lanakk.com"; + protocol = "https"; + editorBaseUrl = "https://wf.lanakk.com"; + }; + }; + systemd.services.n8n.serviceConfig = { + EnvironmentFile = "${config.age.secrets.n8n-env.path}"; + }; +} diff --git a/hosts/m3-r1/services/postgres.nix b/hosts/m3-r1/services/postgres.nix new file mode 100644 index 0000000..1a5c584 --- /dev/null +++ b/hosts/m3-r1/services/postgres.nix 
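Review bot: `services.mysqlBackup.databases = ["matomo"]` only dumps the matomo database, but mautic.nix (imported in containers/default.nix) points `MAUTIC_DB_DBNAME = "mautic"` at this same MariaDB and wordpress.nix uses `lanakk_blog`; those are not backed up. Add them: `databases = ["matomo" "mautic"];` plus `"lanakk_blog"` if wordpress is re-enabled. Nothing on this page creates the `matomo`/`mautic` users or databases, so presumably that was done by hand; `services.mysql.ensureDatabases`/`ensureUsers` would make it declarative, matching the postgres `initialScript` approach.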
@@ -0,0 +1,28 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ services.postgresql = {
+ enable = true;
+ enableTCPIP = true;
+ package = pkgs.postgresql_15;
+ authentication = pkgs.lib.mkOverride 10 ''
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host all all 10.88.0.1/16 trust
+ '';
+ initialScript = pkgs.writeText "backend-initScript" ''
+ CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
+ CREATE DATABASE baserow;
+ GRANT ALL PRIVILEGES ON DATABASE baserow TO baserow;
+ ALTER DATABASE baserow OWNER to baserow;
+ '';
+ };
+ services.postgresqlBackup = {
+ enable = true;
+ startAt = "03:10:00";
+ databases = ["baserow"];
+ };
+}
diff --git a/hosts/m3-r1/services/searx.nix b/hosts/m3-r1/services/searx.nix
new file mode 100644
index 0000000..00795f0
--- /dev/null
+++ b/hosts/m3-r1/services/searx.nix
@@ -0,0 +1,10 @@
+{pkgs, ...}: {
+ services.searx = {
+ enable = true;
+ package = pkgs.searxng;
+ settings = {
+ server.port = 3004;
+ server.secret_key = "@SEARX_SECRET_KEY@";
+ };
+ };
+}
diff --git a/hosts/m3-r1/services/syncthing.nix b/hosts/m3-r1/services/syncthing.nix
new file mode 100644
index 0000000..c49d16e
--- /dev/null
+++ b/hosts/m3-r1/services/syncthing.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.syncthing = {
+ enable = true;
+ openDefaultPorts = true;
+ guiAddress = "0.0.0.0:8384";
+ overrideDevices = true;
+ overrideFolders = true;
+ settings = {
+ devices = {
+ "LK-DATA" = {
+ id = "BI7CMZF-2SGQMXW-RG47HRG-FEH454J-ZTCE544-BXNSCSJ-PXCE7A7-R4CX2Q3";
+ };
+ };
+ folders = {
+ "Bildvorschauen" = {
+ path = "/opt/service-data/http-images";
+ devices = ["LK-DATA"];
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/m3-r1/services/tailscale.nix b/hosts/m3-r1/services/tailscale.nix
new file mode 100644
index 0000000..cbb3cee
--- /dev/null
+++ b/hosts/m3-r1/services/tailscale.nix
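Review bot: `host all all 10.88.0.1/16 trust` lets any container on the 10.88.0.0/16 podman network log in as any role, including the `postgres` superuser, without a password — and `enableTCPIP = true` plus the `5432` firewall entry in hosts/m3-r1/default.nix make the listener reachable beyond that network, where connections are refused only because no other `host` line happens to match. Narrow each line to what actually connects and require a password: `host baserow baserow 10.88.0.11/32 scram-sha-256` (baserow's fixed `--ip` from baserow.nix), and keep the `local`/loopback lines at `peer`/`scram-sha-256` rather than `trust`. `initialScript` embeds the password `'baserow'` in the Nix store and in git history; the `secrets/baserow-env.age` already listed in secrets.nix is the natural home for it. A CIDR with host bits set (`10.88.0.1/16`) is tolerated by some parsers and rejected by others — `10.88.0.0/16` is unambiguous.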
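Review bot: `server.secret_key = "@SEARX_SECRET_KEY@"` is the placeholder form that the NixOS searx module substitutes from variables in `services.searx.environmentFile`, but searx.nix never sets `environmentFile`, so unless it is set elsewhere the literal string `@SEARX_SECRET_KEY@` becomes the session secret and is identical on every deployment. hosts/m3-r1/default.nix already declares `searx-environmentFile` with `owner = "searx"` for exactly this purpose; add `environmentFile = config.age.secrets.searx-environmentFile.path;` and `config` to the module's arguments.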
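Review bot: `guiAddress = "0.0.0.0:8384"` exposes the Syncthing web UI on every interface although Traefik only needs `localhost:8384` (traefik.nix) — and the traefik `syncthing` router carries no `auth` middleware, unlike `api` and `vaultwarden`, so sync.m3tam3re.com serves the GUI with whatever credentials Syncthing itself has, which nothing on this page sets. Bind to `guiAddress = "127.0.0.1:8384";` and either attach `middlewares = "auth"` to that router or confirm a GUI user and password are configured. `openDefaultPorts = true` opens the sync and discovery ports, not 8384, so the wide bind buys nothing today and only matters once another path to the host exists.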
@@ -0,0 +1,42 @@ +{ + config, + pkgs, + ... +}: { + services.tailscale = { + enable = true; + useRoutingFeatures = "both"; + }; + networking.firewall = { + trustedInterfaces = ["tailscale0"]; + }; + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = ["network-pre.target" "tailscale.service"]; + wants = ["network-pre.target" "tailscale.service"]; + wantedBy = ["multi-user.target"]; + + # set this service as a oneshot job + serviceConfig = { + Type = "oneshot"; + EnvironmentFile = "${config.age.secrets.tailscale-key.path}"; + }; + + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up --advertise-exit-node --authkey $TAILSCALE_KEY + ''; + }; +} diff --git a/hosts/m3-r1/services/traefik.nix b/hosts/m3-r1/services/traefik.nix new file mode 100644 index 0000000..a10085c --- /dev/null +++ b/hosts/m3-r1/services/traefik.nix 
@@ -0,0 +1,171 @@ +{ config, ... }: { + services.traefik = { + enable = true; + staticConfigOptions = { + log = { level = "WARN"; }; + certificatesResolvers = { + lets-encrypt = { + acme = { + email = "acc@m3tam3re.com"; + storage = "/var/lib/traefik/acme.json"; + tlsChallenge = { }; + }; + }; + }; + api = { }; + entryPoints = { + web = { + address = ":80"; + http.redirections.entryPoint = { + to = "websecure"; + scheme = "https"; + }; + }; + websecure = { address = ":443"; }; + }; + }; + dynamicConfigOptions = { + http = { + middlewares = { + auth = { + basicAuth = { + users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ]; + }; + }; + nextcloud_redirectregex = { + redirectRegex = { + permanent = true; + regex = "https://(.*)/.well-known/(?:card|cal)dav"; + replacement = "https://\${1}/remote.php/dav"; + }; + }; + nextcloud_headers = { + headers = { + referrerPolicy = "no-referrer"; + stsSeconds = "31536000"; + forceSTSHeader = true; + stsPreload = true; + stsIncludeSubdomains = true; + }; + }; + }; + services = { + baserow.loadBalancer.servers = [{ url = "http://localhost:3001/"; }]; + gitea.loadBalancer.servers = [{ url = "http://localhost:3000/"; }]; + n8n.loadBalancer.servers = [{ url = "http://localhost:5678/"; }]; + littlelink-m3tam3re.loadBalancer.servers = + [{ url = "http://localhost:3011/"; }]; + matomo.loadBalancer.servers = [{ url = "http://localhost:3003/"; }]; + searx.loadBalancer.servers = [{ url = "http://localhost:3004/"; }]; + mautic.loadBalancer.servers = [{ url = "http://localhost:3008/"; }]; + m3tam3re.loadBalancer.servers = [{ url = "http://localhost:3012/"; }]; + syncthing.loadBalancer.servers = + [{ url = "http://localhost:8384/"; }]; + vaultwarden.loadBalancer.servers = + [{ url = "http://localhost:3014/"; }]; + }; + routers = { + api = { + rule = "Host(`r.m3tam3re.com`)"; + tls = { certResolver = "lets-encrypt"; }; + service = "api@internal"; + middlewares = "auth"; + entrypoints = "websecure"; + }; + baserow = { + rule = 
"Host(`br.m3tam3re.com`)"; + tls = { certResolver = "lets-encrypt"; }; + service = "baserow"; + entrypoints = "websecure"; + }; + gitea = { + rule = "Host(`code.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "code.m3tam3re.com"; + }; + service = "gitea"; + entrypoints = "websecure"; + }; + littlelink-m3tm3re = { + rule = "Host(`links.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "links.m3tam3re.com"; + }; + service = "littlelink-m3tam3re"; + entrypoints = "websecure"; + }; + n8n = { + rule = "Host(`io.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "io.m3tam3re.com"; + }; + service = "n8n"; + entrypoints = "websecure"; + }; + m3tam3re = { + rule = "Host(`www.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "www.m3tam3re.com"; + }; + service = "m3tam3re"; + entrypoints = "websecure"; + }; + matomo-m3tam3re = { + rule = "Host(`stats.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "stats.m3tam3re.com"; + }; + service = "matomo"; + entrypoints = "websecure"; + }; + searx = { + rule = "Host(`search.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "search.m3tam3re.com"; + }; + service = "searx"; + entrypoints = "websecure"; + }; + mautic = { + rule = "Host(`ma.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "ma.m3tam3re.com"; + }; + service = "mautic"; + entrypoints = "websecure"; + }; + syncthing = { + rule = "Host(`sync.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "sync.m3tam3re.com"; + }; + service = "syncthing"; + entrypoints = "websecure"; + }; + vaultwarden = { + rule = "Host(`vw.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "vw.m3tam3re.com"; + }; + service = "vaultwarden"; + middlewares = "auth"; + entrypoints = "websecure"; + }; + }; + }; + }; + }; + + systemd.services.traefik.serviceConfig = { + EnvironmentFile = [ 
"${config.age.secrets.traefik-env.path}" ];
+ };
+}
diff --git a/hosts/m3-r1/services/vaultwarden.nix b/hosts/m3-r1/services/vaultwarden.nix
new file mode 100644
index 0000000..8f0ef03
--- /dev/null
+++ b/hosts/m3-r1/services/vaultwarden.nix
@@ -0,0 +1,11 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.vaultwarden = {
+ enable = true;
+ backupDir = "/var/backup/vaultwarden";
+ environmentFile = "${config.age.secrets.vaultwarden-env.path}";
+ };
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
new file mode 100644
index 0000000..ab08ee4
--- /dev/null
+++ b/modules/nixos/default.nix
@@ -0,0 +1 @@
+{ordercollect = import ./ordercollect.nix;}
diff --git a/modules/nixos/ordercollect.nix b/modules/nixos/ordercollect.nix
new file mode 100644
index 0000000..cc7c72a
--- /dev/null
+++ b/modules/nixos/ordercollect.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib; let
+ cfg = config.services.ordercollect;
+in {
+ options.services.ordercollect = {
+ enable = mkEnableOption "Enable Ordercollect";
+ port = mkOption {
+ type = types.str;
+ description = "The http port to run on";
+ default = "";
+ };
+ package = mkOption {
+ type = types.package;
+ default = pkgs.ordercollect;
+ description = ''
+ The package for ordercollect
+ '';
+ };
+ };
+ config = mkIf cfg.enable {
+ environment.systemPackages = [cfg.package];
+
+ systemd.services.ordercollect = {
+ ExecStart = "${cfg.package}/bin/ordercollect --port ${cfg.port}";
+ Restart = "on-failure";
+ };
+ };
+}
diff --git a/overlays/default.nix b/overlays/default.nix
new file mode 100644
index 0000000..afe22df
--- /dev/null
+++ b/overlays/default.nix
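Review bot: `users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ]` commits the dashboard/vaultwarden basic-auth hash to the repository even though the unit already receives `config.age.secrets.traefik-env.path` as an `EnvironmentFile`; apr1 is an MD5-based scheme and is cheap to attack offline once the hash is public. Move the credential out of the Nix file — `basicAuth.usersFile` pointing at an age secret, or a bcrypt hash supplied through the env file — and rotate it, since this commit is now part of history. `tls.domains = "code.m3tam3re.com"` and the other routers give `domains` a bare string where Traefik expects a list of `{ main = ...; }` entries, so presumably these are ignored or rejected at load time — confirm in the Traefik log, and likewise whether `stsSeconds = "31536000"` (a string) and `middlewares = "auth"` (not a list) survive the generated dynamic config.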
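Review bot: `default = pkgs.ordercollect;` in ordercollect.nix references `pkgs`, which the module's argument set `{ config, lib, ... }` does not bind, so evaluating the option (and the option docs) fails; and `systemd.services.ordercollect` places `ExecStart`/`Restart` at the unit's top level instead of under `serviceConfig`, with no `wantedBy`, so even once the first problem is fixed the unit is never started. `port` is `types.str` with default `""`, which yields a bare `--port ` on the command line. The rewrite below adds `pkgs` to the arguments, makes `port` a required `types.port`, wires the unit into `multi-user.target`, and runs the binary as a dynamic user rather than root; the `package` option is unchanged.
```nix
{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.services.ordercollect;
in {
  options.services.ordercollect = {
    enable = mkEnableOption "Enable Ordercollect";
    # Required when the service is enabled; no default so a missing value
    # is an evaluation error rather than an empty --port argument.
    port = mkOption {
      type = types.port;
      description = "The http port to run on";
    };
    # … unchanged: package option …
  };
  config = mkIf cfg.enable {
    environment.systemPackages = [cfg.package];

    systemd.services.ordercollect = {
      description = "Ordercollect order API";
      wantedBy = ["multi-user.target"];
      after = ["network.target"];
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/ordercollect --port ${toString cfg.port}";
        Restart = "on-failure";
        # No fixed system user is declared for this service; a dynamic user
        # keeps it from running as root.
        DynamicUser = true;
      };
    };
  };
}
```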
@@ -0,0 +1,20 @@ +{inputs, ...}: { + # This one brings our custom packages from the 'pkgs' directory + additions = final: _prev: import ../pkgs {pkgs = final;}; + + # This one contains whatever you want to overlay + # You can change versions, add patches, set compilation flags, anything really. + # https://nixos.wiki/wiki/Overlays + modifications = final: prev: { + # example = prev.example.overrideAttrs (oldAttrs: rec { + # ... + # }); + }; + + stable-packages = final: _prev: { + stable = import inputs.nixpkgs-stable { + system = final.system; + config.allowUnfree = true; + }; + }; +} diff --git a/pkgs/default.nix b/pkgs/default.nix new file mode 100644 index 0000000..08af3e7 --- /dev/null +++ b/pkgs/default.nix @@ -0,0 +1,5 @@ +{pkgs, ...}: { + wofi-pass = pkgs.callPackage ./wofi-pass {}; + ordercollect = pkgs.callPackage ./ordercollect {}; + zellij-ps = pkgs.callPackage ./zellij-ps {}; +} diff --git a/pkgs/ordercollect/default.nix b/pkgs/ordercollect/default.nix new file mode 100644 index 0000000..4517eb9 --- /dev/null +++ b/pkgs/ordercollect/default.nix @@ -0,0 +1,26 @@ +{ + buildGoModule, + fetchFromGitea, + lib, +}: +buildGoModule rec { + pname = "ordercollect"; + version = "0.1.0"; + + src = fetchFromGitea { + domain = "code.lanakk.com"; + owner = "LANAKK"; + repo = "ordercollect"; + rev = "9ecbfa46f6758214aa2fcee7ad96aa7730301a06"; + hash = "sha256-n4njl7LwG6GuoTj7x3rWOjErZ/a1Fog0qAymYxvsR2w="; + }; + + vendorHash = "sha256-G6k331XRuVN/cM4sNcdUV9/BzdISQI7Ljc4tesJnmH0="; + + meta = with lib; { + description = "A simple Api for creating orders, written in Go"; + homepage = "https://code.lanakk.com/LANAKK/ordercollect"; + license = licenses.mit; + maintainers = with maintainers; [m3tam3re]; + }; +} diff --git a/pkgs/wofi-pass/default.nix b/pkgs/wofi-pass/default.nix new file mode 100644 index 0000000..ab77c5b --- /dev/null +++ b/pkgs/wofi-pass/default.nix 
@@ -0,0 +1,29 @@ +{ + stdenv, + lib, + fetchFromGitHub, + bash, + pkgs, + makeWrapper, +}: +with lib; +with pkgs; + stdenv.mkDerivation { + pname = "wofi-pass"; + version = "0.1"; + src = fetchFromGitHub { + owner = "TinfoilSubmarine"; + repo = "wofi-pass"; + rev = "869c545"; + sha256 = "gcfW8E/3/dqv0P3S4z9fDv8k4R7czcIKwpo/OHFFWj0="; + }; + buildInputs = [bash coreutils wl-clipboard wofi wtype]; + + nativeBuildInputs = [makeWrapper]; + installPhase = '' + mkdir -p $out/bin + cp wofi-pass $out/bin/wofi-pass + wrapProgram $out/bin/wofi-pass \ + --prefix PATH : ${makeBinPath [bash coreutils wl-clipboard wofi wtype]} + ''; + } diff --git a/pkgs/zellij-ps/default.nix b/pkgs/zellij-ps/default.nix new file mode 100644 index 0000000..2918fe6 --- /dev/null +++ b/pkgs/zellij-ps/default.nix @@ -0,0 +1,33 @@ +{ lib, stdenv, fetchFromGitea, fish, fd, fzf, pkgs, zellij, }: +with lib; +with pkgs; +stdenv.mkDerivation rec { + pname = "zellij-ps"; + version = "0.1.0"; + + src = fetchFromGitea { + domain = "code.m3tam3re.com"; + owner = "m3tam3re"; + repo = "helper-scripts"; + rev = "25cd4f662c2a7d1a5091ad30810c458627fdba5a"; + sha256 = "0lw1qmn18i1s21ljmsdy2x034x19gad8krml9iggksn3c31haz9m"; + }; + + buildInputs = [ fish fd fzf zellij ]; + + nativeBuildInputs = [ makeWrapper ]; + installPhase = '' + mkdir -p $out/bin + cp zellij-ps.fish $out/bin/zellij-ps + wrapProgram $out/bin/zellij-ps \ + --prefix PATH : ${lib.makeBinPath [ fish fd fzf zellij ]} + ''; + + meta = with lib; { + description = "A small project script for zellij"; + homepage = "https://code.m3tam3re.com/m3tam3re/helper-scripts"; + license = licenses.mit; + maintainers = with maintainers; [ m3tam3re ]; + platforms = platforms.unix; + }; +} diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..d7c9327 --- /dev/null +++ b/secrets.nix 
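Review bot: `rev = "869c545";` pins the wofi-pass source to an abbreviated commit id; the `sha256` keeps the fetch reproducible, but a short id can become ambiguous as the upstream repository grows and is hard to audit — use the full 40-character commit, as pkgs/ordercollect and pkgs/zellij-ps do. This file resolves `coreutils`, `wl-clipboard`, `wofi` and `wtype` through `with pkgs;` instead of the function arguments, and zellij-ps does the same for `makeWrapper`, which hides the derivation's real inputs and bypasses `callPackage` overrides; naming them in the argument set fixes both. `version = "0.1"` matches no upstream tag visible here, so a `# no upstream release; version is local` comment would clarify where it comes from.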
@@ -0,0 +1,39 @@ +let + system = + "ssh-rsa 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"; +in { + "secrets/mj-smtp-user.age".publicKeys = [ system ]; + "secrets/mj-smtp-pass.age".publicKeys = [ system ]; + + "secrets/n8n-env.age".publicKeys = [ system ]; + "secrets/n8n-m3r1.age".publicKeys = [ system ]; + + "secrets/godaddy-api-key.age".publicKeys = [ system ]; + "secrets/godaddy-api-secret.age".publicKeys = [ system ]; + + "secrets/searx-environmentFile.age".publicKeys = [ system ]; + + "secrets/tailscale-key.age".publicKeys = [ system ]; + "secrets/wg-key.age".publicKeys = [ system ]; + + "secrets/briefkasten-env.age".publicKeys = [ system ]; + + "secrets/littlelink-lanakk-env.age".publicKeys = [ system ]; + "secrets/littlelink-m3tam3re-env.age".publicKeys = [ system ]; + + "secrets/m3tam3re-secrets.age".publicKeys = [ system ]; + + "secrets/traefik-env.age".publicKeys = [ system ]; + + "secrets/metabase-env.age".publicKeys = [ system ]; + "secrets/ordercollector-env.age".publicKeys = [ system ]; + + "secrets/baserow-env.age".publicKeys = [ system ]; + + "secrets/pgadmin.age".publicKeys = [ system ]; + + "secrets/minio-system-cred.age".publicKeys = [ system ]; + "secrets/openai.age".publicKeys = [ system ]; + + "secrets/vaultwarden-env.age".publicKeys = [ system ]; +} diff --git a/secrets/baserow-env.age b/secrets/baserow-env.age new file mode 100644 index 0000000..be441e4 Binary files /dev/null and b/secrets/baserow-env.age differ diff --git a/secrets/briefkasten-env.age b/secrets/briefkasten-env.age new file mode 100644 index 0000000..d434672 Binary files /dev/null and b/secrets/briefkasten-env.age differ diff --git a/secrets/littlelink-lanakk-env.age b/secrets/littlelink-lanakk-env.age new file mode 100644 index 0000000..b9176d3 Binary files /dev/null and b/secrets/littlelink-lanakk-env.age differ 
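Review bot: `"secrets/minio-system-cred.age".publicKeys = [ system ];` names a file this commit does not add — the file added is `secrets/minio-root-cred.age` (line 81 of this chunk) — so `agenix -r` will skip the real file and editing under the listed name creates a second one; align the two names. `secrets/godaddy-api-key.age` and `secrets/godaddy-api-secret.age` likewise have no file in the diff, so either the entries are stale or the files were left out of the commit. Every secret is encrypted to the single `system` host key, so editing or re-keying any of them requires that host's private key and losing it loses the secrets; adding an operator key to each list (`publicKeys = [ system <OPERATOR_KEY> ];`, placeholder) is the usual safeguard. A short comment per entry naming the consuming host would make the list auditable against the `age.secrets` blocks in the host configs.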
diff --git a/secrets/littlelink-m3tam3re-env.age b/secrets/littlelink-m3tam3re-env.age new file mode 100644 index 0000000..17fba3c Binary files /dev/null and b/secrets/littlelink-m3tam3re-env.age differ diff --git a/secrets/m3tam3re-secrets.age b/secrets/m3tam3re-secrets.age new file mode 100644 index 0000000..8363307 --- /dev/null +++ b/secrets/m3tam3re-secrets.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-rsa DQlE7w +XeGCNzawMOA9QxMCDine7KduqAmw+m9YGVDmMVKeOhFfsOU2ErbXbA3bt1F/shel +b7HNIDtH+H0u4nI6FjhGj2J/vhacIJfx8mcLms8dIsw+iBRxQyypjxPIaxmfpk5p +Pe6UqTopAinGF46DtsEpEYYEhQ0ELvVyfUZh6s5lA8mpqOYSpF7VkeyJNRxiy1Gy +DD0gA98EqPU4/mFWt/eAbu+KV7TNftiEfGNNEo8GQ9nTQC7VWPh32kE3Ld7JnhFf +xJx1HuO0mQ5U1g2T0FlRlU15vOLLbsUgumIPgw4h5jcj9/6igLU/EVvtE8ron6N2 +OTUos8ESqIMcNPWl8XZgVhQIa9yYXazbVbgo9xF+thxWGHphRznRGQsjA7HO28hL +CLgnCJoCyfWEmxynZL1tTA1atYkq6BTI5s6ratXniiRBglxWbnrfppooXgzA+zKe +vRQY3XDBhJbkyzkDw7yN2qI/K7Vwv47rlpVvf4qyRJ0orVUHhlkOmmywBjf8xIkw + +-> x?FdO-grease zSG1. =L Fe 7<"E +cBm3uuWGs/XbW+x2KSUl1GVJEAVSbf8Pb2NN9pud+LCIbkZ8Ps/oCZ3ZeUfd18K0 +hcpIRNX0SumXA7gM130ih7knGLyWeskqen5860EdbbM7qOkOGqDX4w +--- lG2ygn11D1m/YFNdEhigTXb887C9LFJr3ekMM44g29Q +[+~1x63:4rKhJ Mo+ v]RS?\4#W3lA/gjl;|%@w@ \ No newline at end of file diff --git a/secrets/metabase-env.age b/secrets/metabase-env.age new file mode 100644 index 0000000..cf227f2 Binary files /dev/null and b/secrets/metabase-env.age differ diff --git a/secrets/minio-root-cred.age b/secrets/minio-root-cred.age new file mode 100644 index 0000000..db79f28 Binary files /dev/null and b/secrets/minio-root-cred.age differ diff --git a/secrets/mj-smtp-pass.age b/secrets/mj-smtp-pass.age new file mode 100644 index 0000000..cbe88db --- /dev/null +++ b/secrets/mj-smtp-pass.age 
@@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-rsa DQlE7w +TVcGTRFtB2aJ3Tq3S5k8jSSsF5DUq20hRlXFzi/SY2UczJjzPIO+Qax/7gBmPxGM +i9sp89CHAz1owTEzFkxsdj7AMoz6SMlvPL9Ixc3zrwKthhz2puv/JiKsmzycNQd1 +XvSzOKkJgZMG25Y7lBWjIy+SGTBDVUSaN1UUs2VRGhEBh0LW76+8dgJMdtzaFy4n +E2Yf3jj8MCjfBa6iX+G+ZTlWAl0ZhgBsJVmy9sN77AHQoUJVZ5FUllpy+sayV3iW +btwSlZMWlA4btbdZbV6PffGgHAMPCLu8OseIFDkLky12wt9ChK9A4OOZcFw4+bMb +YvDUOaQqtjqbZ8XSmokQVBNns9TxUcNcJ68cMz0qbm9Pj+gcY0k3zbsDfrpPNbpX +X3ZUWJVK594Uv2V9mKR6VVcYOrzvucD5iGqfO7SUTWJppldrB0/YGe3eGxmtG0D2 +4K0JntFoDRThSyyGx1/YvPxAJqKBWT7SARUxGjMaqnWM3OWppKDBYLGl/jRQQAqf + +-> VGV-grease OQ :S.YU\ +M4HB0MfSl0giX1GydEobdPW85+T6loiGtSWgzhWESbY28rwZulR83bUX8ftEzemT +LF9AKGIr50etdijB9uypYf9sQarujWXPsMyNQG/Xyfo +--- Ns60O8WsNVrAkDvDfoI/opMnBjlKrRiFehRcUDCPAXg +ZwTJ;=k7_U55YF&?.ۅU" > D~Ϟ qyD \ No newline at end of file diff --git a/secrets/mj-smtp-user.age b/secrets/mj-smtp-user.age new file mode 100644 index 0000000..7ddd890 --- /dev/null +++ b/secrets/mj-smtp-user.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-rsa DQlE7w +GZ5/RD7yNwlvFjNwv/rxjsl2GVF8lRm0qlXfOeQcYctyDo4xHFsIbhLpwV508rJf +zeLJpoQYFaqumEtgxBeZrQS+qYiOG3Ne2pO36MN3qq/wVVBPuWiupNBrZTUeHn2n +1BTENMzmPfqhuZL2D62NXKcIsbOiGADtdt/4h3Xk4CyroBuEfNFx0U9WTMGHx5mg +kUVC2jRzo0KbnFwFTeGYmUc90dgy/rciAqhkBOfbPpcYdUy6LTVrGbz0jxwutIq1 +SmkMW7pj/KSPAgVnX6p38gWobVxyRIFmC0wrFZ/NCy2Hq4ae0QdkX/I0TabEBtbj +vcacZDlfXEsV+n3gvl8qzOVJO1inc3ZV8QUgnK5QEaV6JF37XONeczi8/qFT7e9K +fCUw0gG5N7r6Ma3JcNctEtB5NsgBXJXe3Fy3j6yT5sQQayPW4eS2yYuClUcYaaIe +xwDLpuRESYx0oh9DJZqvmoSZriLpejsJ54ZUVDJ57NAd+Vl1iCFKKOyMr/aUDNSM + +-> r\&\-grease cT"t7WhI IM +LjM4kAZQbwNT8isi73f1V0PVVsJxWvjkSCLTaS8aD03LgYLYY9uCs6k/hyb3GdWw +1a/9BC907cyNGQ +--- ulEvcwLfcMfh78M+U9KeF1l39rdLG1NpVE9FLPCHOgI + ]SKֈU;NL[6( e+ WU L579LVy\ Gh "( \ No newline at end of file diff --git a/secrets/n8n-env.age b/secrets/n8n-env.age new file mode 100644 index 0000000..7819a2c Binary files /dev/null and b/secrets/n8n-env.age differ 
diff --git a/secrets/n8n-m3r1.age b/secrets/n8n-m3r1.age new file mode 100644 index 0000000..29a776b Binary files /dev/null and b/secrets/n8n-m3r1.age differ diff --git a/secrets/openai.age b/secrets/openai.age new file mode 100644 index 0000000..eab6f28 Binary files /dev/null and b/secrets/openai.age differ diff --git a/secrets/ordercollector-env.age b/secrets/ordercollector-env.age new file mode 100644 index 0000000..726da3a Binary files /dev/null and b/secrets/ordercollector-env.age differ diff --git a/secrets/pgadmin.age b/secrets/pgadmin.age new file mode 100644 index 0000000..60a5df7 Binary files /dev/null and b/secrets/pgadmin.age differ diff --git a/secrets/searx-environmentFile.age b/secrets/searx-environmentFile.age new file mode 100644 index 0000000..8ba1974 Binary files /dev/null and b/secrets/searx-environmentFile.age differ diff --git a/secrets/tailscale-key.age b/secrets/tailscale-key.age new file mode 100644 index 0000000..f1ab609 --- /dev/null +++ b/secrets/tailscale-key.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-rsa DQlE7w +b4/YbeFqzbMhKh0R1V5Kth0a6O9OMIGXZJWHeV4sYXAonybyc5yWFz05Mrm2Qo9E +xOEH7s8XpTPmyOPoUfFdzEJSQ/QFUOganfsO1YiTOTVOf7ARHI1WjPSiYH/pXaef +cksXjxLjGuiMZWGbIeU+xaxVsrbUPFtTb0nTvUrAdVMXPMM7TvLva7JO3DZa/7RA +tikR4fV2kMiD6yhoNedzDoRRWtuMLmHvtoJlKnAnhxAkRz8Poo77ZNVdrw+w5KuM +bDDVxvNJ76peGI7hx+LYlKQHf849iAjsa/e0C2zkOJROEMzhW9CgaJxNA829GqRM +96lluaJLtGvtxQuQSJcnTRWZQBg8513+LJGcIUT7gynCa8qChlDoxuwmhhGIDAQ5 +9QtO9scI39dMsgQeM+TJcpMYlgJCw2JLQ1j7en6xUXfUrV8hahV7Ul/rVFe5oU81 +KUBSBFJoli2R0P4PeoykNNLY897kfXWyjIyW1RZ4Z0g+9DwG8VMuYrxe3BbLSWBE + +-> V~^hk-grease :Y +1ROczYKXhky797kakoYTfMjB1YSjiEc0cMKI5wvb8PUwepSvv+IJ+H941XTr7qv9 +CD7hGgQO/gtHp9nI4/bguBaxZrGGg1p2o3Sb7j3ENz1Gyw +--- uyM+nfRla6Evb8kfnwNNWF1FvkPeQ333kOMCo0oCh+8 +AIQ4S,+T$1t_E%Z]`ra/G<'my#F#w"Dikj \ No newline at end of file 
diff --git a/secrets/traefik-env.age b/secrets/traefik-env.age
new file mode 100644
index 0000000..4f4a03b
Binary files /dev/null and b/secrets/traefik-env.age differ
diff --git a/secrets/vaultwarden-env.age b/secrets/vaultwarden-env.age
new file mode 100644
index 0000000..9f3f41f
Binary files /dev/null and b/secrets/vaultwarden-env.age differ
diff --git a/secrets/wg-key.age b/secrets/wg-key.age
new file mode 100644
index 0000000..368419a
Binary files /dev/null and b/secrets/wg-key.age differ