first commit

This commit is contained in:
m3tam3re 2024-05-15 09:25:27 +00:00
commit ac76e6f10b
145 changed files with 4378 additions and 0 deletions

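--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,5 @@
+/result
+*.qcow2
+\#
+#
+.#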

367
flake.lock Normal file

@ -0,0 +1,367 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1715101957,
"narHash": "sha256-fs5uVQFTfgb4L9pnhldeyTHNcYwn1U4nKYoCBJ6W3W4=",
"owner": "ryantm",
"repo": "agenix",
"rev": "07479c2e7396acaaaac5925483498154034ea80a",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_2",
"utils": "utils"
},
"locked": {
"lastModified": 1711973905,
"narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"dotfiles": {
"flake": false,
"locked": {
"lastModified": 1713941143,
"narHash": "sha256-xkjxhTUToZ5KOT46te2q+59k7hgMmVxlhomvYrWCD+Y=",
"ref": "refs/heads/master",
"rev": "9c79f4672bee385c7ae0c69153a60103627e12c2",
"revCount": 12,
"type": "git",
"url": "https://code.m3tam3re.com/m3tam3re/dotfiles.git"
},
"original": {
"type": "git",
"url": "https://code.m3tam3re.com/m3tam3re/dotfiles.git"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
"fh",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"narHash": "sha256-0dZpggYjjmWEk+rGixiBHOHuQfLzEzNfrtjSig04s6Q=",
"rev": "9ccae1754eec0341b640d5705302ac0923d22875",
"revCount": 1618,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/nix-community/fenix/0.1.1618%2Brev-9ccae1754eec0341b640d5705302ac0923d22875/018aea4c-03c9-7734-95d5-b84cc8881e3d/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/nix-community/fenix/0.1.1565.tar.gz"
}
},
"fh": {
"inputs": {
"fenix": "fenix",
"flake-compat": "flake-compat_2",
"naersk": "naersk",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1711118970,
"narHash": "sha256-fRaKydMSwd1zl6ptBKvn5ej2pqtI8xi9dioFmR8QA+g=",
"rev": "73fed26f0231ae650122beb3ac1b7654b5cc682c",
"revCount": 425,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/fh/0.1.10/018e66b1-a218-7f23-949d-ace71c4e4c8b/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/fh/%2A.tar.gz"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"locked": {
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 57,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/edolstra/flake-compat/1.0.1.tar.gz"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1715077503,
"narHash": "sha256-AfHQshzLQfUqk/efMtdebHaQHqVntCMjhymQzVFLes0=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "6e277d9566de9976f47228dd8c580b97488734d4",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"naersk": {
"inputs": {
"nixpkgs": [
"fh",
"nixpkgs"
]
},
"locked": {
"narHash": "sha256-TunvZMCxXHvU6fz5kq3XTLfojIvTDlbFGfPUFtwCU5o=",
"rev": "06a99941d72e2202ed62b8aa08b9869817fea56f",
"revCount": 332,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/nix-community/naersk/0.1.332%2Brev-06a99941d72e2202ed62b8aa08b9869817fea56f/018b61d4-48e5-77e8-8893-9f917732b11a/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/nix-community/naersk/0.1.332.tar.gz"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1703013332,
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1714971268,
"narHash": "sha256-IKwMSwHj9+ec660l+I4tki/1NRoeGpyA2GdtdYpAgEw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "27c13997bf450a01219899f5a83bd6ffbfc70d3c",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1702272962,
"narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"narHash": "sha256-9NJcFF9CEYPvHJ5ckE8kvINvI84SZZ87PvqMbH6pro0=",
"rev": "5e4c2ada4fcd54b99d56d7bd62f384511a7e2593",
"revCount": 534806,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.534806%2Brev-5e4c2ada4fcd54b99d56d7bd62f384511a7e2593/018b29e9-ae6d-72f2-993b-19cb9a64a3b5/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.514192.tar.gz"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1715087517,
"narHash": "sha256-CLU5Tsg24Ke4+7sH8azHWXKd0CFd4mhLWfhYgUiDBpQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b211b392b8486ee79df6cdfb1157ad2133427a29",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"deploy-rs": "deploy-rs",
"dotfiles": "dotfiles",
"fh": "fh",
"home-manager": "home-manager_2",
"nixpkgs": "nixpkgs_4",
"nixpkgs-stable": "nixpkgs-stable"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1696050837,
"narHash": "sha256-2K3Aq4gjPZBDnkAMJaMA4ElE+BNbmrqtSBWtt9kPGaM=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "0840038f02daec6ba3238f05d8caa037d28701a0",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

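--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,133 @@
+{
+description = ''
+This i my basic NixOS system configuration. Feel free to reuse anything you find useful.
+'';
+inputs = {
+home-manager = {
+url = "github:nix-community/home-manager";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+agenix.url = "github:ryantm/agenix";
+nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11";
+fh.url = "https://flakehub.com/f/DeterminateSystems/fh/*.tar.gz";
+deploy-rs.url = "github:serokell/deploy-rs";
+dotfiles.url = "git+https://code.m3tam3re.com/m3tam3re/dotfiles.git";
+dotfiles.flake = false; # Use this if your dotfiles repo is not a flake
+};
+outputs = {
+self,
+dotfiles,
+nixpkgs,
+fh,
+home-manager,
+agenix,
+deploy-rs,
+...
+} @ inputs: let
+inherit (self) outputs;
+lib = nixpkgs.lib;
+systems = [
+"aarch64-linux"
+"i686-linux"
+"x86_64-linux"
+"aarch64-darwin"
+"x86_64-darwin"
+];
+forAllSystems = nixpkgs.lib.genAttrs systems;
+in {
+packages =
+forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
+formatter =
+forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra);
+overlays = import ./overlays {inherit inputs;};
+nixosConfigurations = {
+lkk-nix-1 = lib.nixosSystem rec {
+specialArgs = {inherit inputs outputs;};
+modules = [./hosts/lkk-nix-1 agenix.nixosModules.default];
+};
+m3-r1 = lib.nixosSystem {
+specialArgs = {inherit inputs outputs;};
+modules = [./hosts/m3-r1 agenix.nixosModules.default];
+};
+lkk-prod-1 = lib.nixosSystem {
+specialArgs = {inherit inputs outputs;};
+modules = [./hosts/lkk-prod-1 agenix.nixosModules.default];
+};
+lkk-prod-2 = lib.nixosSystem {
+specialArgs = {inherit inputs outputs;};
+modules = [./hosts/lkk-prod-2 agenix.nixosModules.default];
+};
+m3-nix = lib.nixosSystem {
+specialArgs = {inherit inputs outputs;};
+modules = [./hosts/m3-nix agenix.nixosModules.default];
+};
+};
+homeConfigurations = {
+# Laptop
+"m3tam3re@m3-nix" = home-manager.lib.homeManagerConfiguration {
+pkgs = nixpkgs.legacyPackages."x86_64-linux";
+extraSpecialArgs = {inherit inputs outputs;};
+modules = [./home/users/m3tam3re/m3-nix.nix];
+};
+"m3tam3re@lkk-nix-1" = home-manager.lib.homeManagerConfiguration {
+pkgs = nixpkgs.legacyPackages."x86_64-linux";
+extraSpecialArgs = {
+# pass things to t
+};
+modules = [./home/users/m3tam3re/lkk-nix-1.nix];
+};
+"m3tam3re@m3-r1" = home-manager.lib.homeManagerConfiguration {
+pkgs = nixpkgs.legacyPackages."x86_64-linux";
+extraSpecialArgs = {
+# pass things to t
+};
+modules = [./home/users/m3tam3re/m3-r1.nix];
+};
+};
+deploy.nodes.lkk-nix-1 = {
+hostname = "lkk-nix-1";
+sshUser = "root";
+profiles.system = {
+user = "root";
+path =
+deploy-rs.lib.x86_64-linux.activate.nixos
+self.nixosConfigurations.lkk-nix-1;
+};
+};
+deploy.nodes.m3-r1 = {
+hostname = "m3-r1";
+sshUser = "root";
+activationTimeout = 600;
+profiles.system = {
+user = "root";
+path =
+deploy-rs.lib.x86_64-linux.activate.nixos
+self.nixosConfigurations.m3-r1;
+};
+};
+deploy.nodes.lkk-prod-1 = {
+hostname = "lkk-prod-1";
+sshUser = "root";
+profiles.system = {
+user = "root";
+path =
+deploy-rs.lib.x86_64-linux.activate.nixos
+self.nixosConfigurations.lkk-prod-1;
+};
+};
+deploy.nodes.lkk-prod-2 = {
+hostname = "lkk-prod-2";
+sshUser = "root";
+profiles.system = {
+user = "root";
+path =
+deploy-rs.lib.x86_64-linux.activate.nixos
+self.nixosConfigurations.lkk-prod-2;
+};
+};
+deploy.remoteBuild = true;
+};
+}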
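Review bot: The `extraSpecialArgs` for `"m3tam3re@lkk-nix-1"` and `"m3tam3re@m3-r1"` are empty apart from the truncated comment `# pass things to t`, while `"m3tam3re@m3-nix"` passes `inherit inputs outputs;`; the m3tam3re base module added in this commit declares `outputs` as a required argument and reads `outputs.overlays.*`, so if those two configurations import the same `./base` they fail to evaluate with a missing-argument error. Make all three consistent: `extraSpecialArgs = {inherit inputs outputs;};`. Separately, every `deploy.nodes.*` entry uses `sshUser = "root"`, which requires the targets' sshd to permit root logins; deploy-rs also supports an unprivileged `sshUser` with passwordless sudo while keeping `user = "root"` for the profile, which lets root SSH stay disabled. The `rec` on `lkk-nix-1 = lib.nixosSystem rec {` is unused, and `description` has a typo (`This i my` → `This is my`).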


@ -0,0 +1,67 @@
{ pkgs, ... }: {
imports = [
./fish.nix
./neofetch.nix
./secrets.nix
./scripts.nix
./starship.nix
./zellij.nix
];
programs.zoxide = {
enable = true;
enableFishIntegration = true;
};
programs.fzf = {
enable = true;
enableFishIntegration = true;
defaultOptions = [ "--preview='bat --color=always --style=numbers {}'" ];
};
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
vimdiffAlias = true;
withNodeJs = true;
withPython3 = true;
};
programs.bat = { enable = true; };
programs.eza = {
enableFishIntegration = true;
enableBashIntegration = true;
git = true;
icons = true;
};
home.packages = with pkgs; [
alejandra
bc
comma
coreutils
devenv
direnv
eza
fd
htop
httpie
jq
just
lf
nix-index
open-interpreter
procs
progress
ripgrep
tldr
trash-cli
tree
unzip
wttrbar
zip
];
}
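Review bot: `programs.eza` sets `enableFishIntegration`, `enableBashIntegration`, `git` and `icons` but never `enable = true`, and home-manager's eza module only emits configuration when enabled, so the block is inert and eza is present only because it is also listed in `home.packages`. Either add `enable = true;` and drop `eza` from the package list, or delete the block. Formatting is also mixed across the commit: `flake.nix` declares `alejandra` as the formatter, yet this file (and e.g. the desktop and media modules) use nixfmt-style `{ pkgs, ... }:` spacing while the rest use alejandra's `{pkgs, ...}:`; running the declared formatter over the tree once would settle it.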


@ -0,0 +1,52 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.features.cli.fish;
in {
options.features.cli.fish.enable = mkEnableOption "enable fish shell";
config = mkIf cfg.enable {
programs.fish = {
enable = true;
plugins = [{
name = "foreign-env";
src = pkgs.fetchFromGitHub {
owner = "oh-my-fish";
repo = "plugin-foreign-env";
rev = "dddd9213272a0ab848d474d0cbde12ad034e65bc";
sha256 = "00xqlyl3lffc5l0viin1nyp819wf81fncqyz87jx8ljjdhilmgbs";
};
}];
loginShellInit = ''
set -x TERMINAL alacritty
set -x XDG_DATA_HOME $HOME/.local/share
set -x FZF_CTRL_R_OPTS "
--preview='bat --color=always -n {}'
--preview-window up:3:hidden:wrap
--bind 'ctrl-/:toggle-preview'
--color header:bold
--header 'Press CTRL-Y to copy command into clipboard'"
set -x FZF_ALT_C_COMMAND fd --type d --exclude .git --follow --hidden
set -x FZF_DEFAULT_COMMAND fd --type f --exclude .git --follow --hidden
set -x FZF_CTRL_T_COMMAND "$FZF_DEFAULT_COMMAND"
set -x FZF_DEFAULT_OPTS "
--preview='bat --color=always -n {}'
--bind 'ctrl-/:toggle-preview'
--color=fg:#f8f8f2,bg:#282a36,hl:#bd93f9
--color=fg+:#f8f8f2,bg+:#44475a,hl+:#bd93f9
--color=info:#ffb86c,prompt:#50fa7b,pointer:#ff79c6
--color=marker:#ff79c6,spinner:#ffb86c,header:#6272a4"
'';
shellAbbrs = {
".." = "cd ..";
ls = "eza";
grep = "rg";
ps = "procs";
just = "just --unstable";
fs = "du -ah . | sort -hr | head -n 10";
tsu = "sudo tailscale up";
tsd = "sudo tailscale down";
};
};
};
}
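Review bot: `FZF_DEFAULT_OPTS` is exported here in `loginShellInit`, and the cli default module also sets `programs.fzf.defaultOptions` with a different `--preview` command; home-manager's fzf module exports that as `FZF_DEFAULT_OPTS` too, so which value is in effect depends on the order in which the generated fish init runs. Keep the fzf options in one place, preferably `programs.fzf.*`. Likewise `set -x TERMINAL alacritty` duplicates `home.sessionVariables.TERMINAL = "alacritty"` in the desktop module; one of the two should go so they cannot drift. The `foreign-env` plugin is correctly pinned by `rev` and `sha256`.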


@ -0,0 +1,15 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.cli.neofetch;
in {
options.features.cli.neofetch.enable = mkEnableOption "enable neofetch";
config = mkIf cfg.enable {
home.packages = with pkgs; [neofetch];
};
}


@ -0,0 +1 @@
{pkgs, ...}: {home.packages = [pkgs.zellij-ps];}


@ -0,0 +1,21 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.cli.secrets;
in {
options.features.cli.secrets.enable = mkEnableOption "enable secrets";
config = mkIf cfg.enable {
programs.password-store = {
enable = true;
package =
pkgs.pass-wayland.withExtensions
(exts: [exts.pass-otp exts.pass-import]);
};
home.packages = with pkgs; [pinentry];
};
}
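Review bot: The option description `mkEnableOption "enable secrets"` does not say what the module installs; `mkEnableOption "pass (password-store) with the otp and import extensions"` matches the body. `pinentry` is added to `home.packages`, but nothing here configures `services.gpg-agent`, which pass depends on for decryption; presumably that lives elsewhere, so a one-line comment pointing to where the agent is set up would save the next reader a search.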


@ -0,0 +1,18 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.cli.starship;
in {
options.features.cli.starship.enable = mkEnableOption "enable starship prompt";
config = mkIf cfg.enable {
programs.starship = {
enable = true;
enableFishIntegration = true;
};
};
}


@ -0,0 +1,17 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.cli.zellij;
in {
options.features.cli.zellij.enable = mkEnableOption "enable tmux";
config = mkIf cfg.enable {
programs.zellij = {
enable = true;
};
};
}
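Review bot: The option description reads `mkEnableOption "enable tmux"` but the module enables `programs.zellij`; change it to `mkEnableOption "enable zellij terminal multiplexer"` so generated option documentation is not misleading.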


@ -0,0 +1,13 @@
{pkgs, ...}: {
imports = [./emacs.nix ./golang.nix ./nix.nix ./nodejs.nix ./rust.nix ./tools.nix];
home.packages = with pkgs; [
cachix
cmake
gcc
ispell
guile_3_0
tinyscheme
python3
];
}


@ -0,0 +1,8 @@
{pkgs, ...}: {
services.emacs.enable = true;
programs.emacs = {
enable = true;
package = pkgs.emacs29;
extraPackages = epkgs: [epkgs.vterm];
};
}


@ -0,0 +1,5 @@
{pkgs, ...}: {
home.packages = with pkgs; [
gopls
];
}


@ -0,0 +1,9 @@
{pkgs, ...}: {
home.packages = with pkgs; [
appimage-run
deploy-rs
nil
nix-prefetch-git
nixfmt
];
}


@ -0,0 +1 @@
{pkgs, ...}: {home.packages = with pkgs; [nodejs];}


@ -0,0 +1 @@
{pkgs, ...}: {home.packages = with pkgs; [];}
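Review bot: `home.packages = with pkgs; [];` installs nothing, so this module is a placeholder that the coding default still imports as `./rust.nix`. Either add the intended packages, or drop the import and the file; if the toolchain is meant to come from per-project `devenv`/`direnv` environments, say so with a comment such as `# rust toolchain is provided per-project; nothing installed globally`.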


@ -0,0 +1,10 @@
{pkgs, ...}: {
programs = {
direnv = {
enable = true;
nix-direnv.enable = true;
};
};
home.packages = with pkgs; [insomnia hugo pandoc];
}


@ -0,0 +1,15 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.crypto;
in {
options.features.desktop.crypto.enable = mkEnableOption "Enable Crypto";
config = mkIf cfg.enable {
home.packages = with pkgs; [bisq-desktop monero-gui trezor-suite];
};
}


@ -0,0 +1,153 @@
{ pkgs, ... }: {
imports = [
./crypto.nix
./design.nix
./extrafonts.nix
./media.nix
./office.nix
./theme.nix
./syncthing.nix
./wayland.nix
./wofi.nix
];
xdg = {
enable = true;
configFile."mimeapps.list".force = true;
mimeApps = {
enable = true;
associations.added = {
"application/zip" = [ "org.gnome.FileRoller.desktop" ];
"application/csv" = [ "calc.desktop" ];
"application/pdf" = [ "okularApplication_pdf.desktop" ];
"x-scheme-handler/org-protocol" = [ "org-protocol.desktop" ];
};
defaultApplications = {
"application/zip" = [ "org.gnome.FileRoller.desktop" ];
"application/csv" = [ "calc.desktop" ];
"application/pdf" = [ "okularApplication_pdf.desktop" ];
"x-scheme-handler/org-protocol" = [ "org-protocol.desktop" ];
};
};
userDirs = {
enable = true;
createDirectories = true;
};
};
home.sessionVariables = {
WEBKIT_DISABLE_COMPOSITING_MODE = "1";
NIXOS_OZONE_WL = "1";
TERMINAL = "alacritty";
QT_QPA_PLATFORM = "wayland";
};
home.sessionPath =
[ "\${XDG_BIN_HOME}" "\${HOME}/.cargo/bin" "$HOME/.npm-global/bin" ];
fonts.fontconfig.enable = true;
services.mako = {
enable = true;
backgroundColor = "#282a36";
textColor = "#80FFEA";
borderColor = "#9742b5";
width = 400;
height = 150;
padding = "10,20";
borderRadius = 8;
borderSize = 1;
margin = "20,20";
};
programs.alacritty = {
enable = true;
settings = {
env.TERM = "xterm-256color";
font = {
size = 12;
#draw_bold_text_with_bright_colors = true;
};
scrolling.multiplier = 5;
selection.save_to_clipboard = true;
colors = {
primary = {
background = "0x22212c";
#foregound = "0xf8f8f2";
};
cursor = {
text = "0x454158";
cursor = "0xf8f8f2";
};
selection = {
text = "0xf8f8f2";
background = "0x454158";
};
normal = {
black = "0x22212c";
red = "0xff9580";
green = "0x8aff80";
yellow = "0xffff80";
blue = "0x9580ff";
magenta = "0xff80bf";
cyan = "0x80ffea";
white = "0xf8f8f2";
};
bright = {
black = "0x22212c";
red = "0xffaa99";
green = "0xa2ff99";
yellow = "0xffff99";
blue = "0xaa99ff";
magenta = "0xff99cc";
cyan = "0x99ffee";
white = "0xffffff";
};
};
};
};
home.pointerCursor = {
gtk.enable = true;
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Ice";
size = 20;
};
home.packages = with pkgs; [
appimage-run
anytype
blueberry
brave
brightnessctl
clipman
distrobox
eww
gnome.file-roller
gnome.seahorse
gnome.sushi
glib
gsettings-desktop-schemas
graphviz
hyprpaper
ksnip
nwg-look
pamixer
pavucontrol
libsForQt5.qtstyleplugins
nyxt
pcmanfm
qt5ct
qt6.qtwayland
rustdesk
socat
unrar
unzip
usbutils
v4l-utils
remmina
wl-clipboard
wlogout
wtype
xdg-utils
ydotool
zip
];
}
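Review bot: `home.sessionPath` contains `"\${XDG_BIN_HOME}"`, but `XDG_BIN_HOME` is not one of the variables home-manager's `xdg` module exports, so unless something else sets it the entry expands to an empty string in the generated `PATH`; an empty `PATH` element is treated as the current working directory, so executables in whatever directory the shell happens to be in would be found before system commands. Use an explicit path such as `"\${HOME}/.local/bin"`, and make the third entry consistent with the others (`"\${HOME}/.npm-global/bin"`). Several packages are also listed in more than one module (`appimage-run`, `zip`, `unzip`, `ydotool` appear in the cli, coding or wayland modules as well); Nix deduplicates them, but one location per package keeps the lists reviewable.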


@ -0,0 +1,25 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.design;
in {
options.features.desktop.design.enable = mkEnableOption "enable design tools";
config = mkIf cfg.enable {
home.packages = with pkgs; [
argyllcms
cyan
gimp
gimpPlugins.gmic
gmic
gmic-qt
imagemagick
inkscape
lcms2
];
};
}


@ -0,0 +1,23 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.extrafonts;
in {
options.features.desktop.extrafonts.enable = mkEnableOption "install additional fonts for desktop apps";
config = mkIf cfg.enable {
home.packages = with pkgs; [
emacs-all-the-icons-fonts
fira-code
fira-code-symbols
fira-code-nerdfont
font-manager
font-awesome_5
noto-fonts
];
};
}


@ -0,0 +1,36 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.features.desktop.media;
in {
options.features.desktop.media.enable =
mkEnableOption "enable media features";
config = mkIf cfg.enable {
home.packages = with pkgs; [
audacity
ffmpeg_6-full
gphoto2
handbrake
stable.libsForQt5.kdenlive
makemkv
mediainfo
mpv
plexamp
spotify
uxplay
vlc
webcord
youtube-dl
unimatrix
];
programs.obs-studio = {
enable = true;
plugins = with pkgs.obs-studio-plugins; [
input-overlay
wlrobs
obs-vertical-canvas
];
};
};
}


@ -0,0 +1,16 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.desktop.office;
in {
options.features.desktop.office.enable =
mkEnableOption "enable office features";
config = mkIf cfg.enable {
home.packages = with pkgs; [libreoffice neomutt pdftk okular zathura];
};
}


@ -0,0 +1,21 @@
{
pkgs,
lib,
outputs,
...
}: {
imports = [
#
];
home.packages = with pkgs; [
alacritty
brave
libreoffice
nextcloud-client
xclip
libnotify
espanso
firefox
];
}
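Review bot: The `imports = [ # ];` list is empty and the `lib` and `outputs` parameters are never used; drop them or add a comment saying what is meant to go there. `brave` and `libreoffice` are also installed by the desktop default and office modules, so this file appears to overlap with them; its role (which host or user imports it) is not visible in the commit and would be worth a header comment.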


@ -0,0 +1,4 @@
{pkgs, ...}: {
services.syncthing = {enable = true;};
home.packages = with pkgs; [syncthingtray-minimal];
}


@ -0,0 +1,17 @@
{pkgs, ...}: {
qt = {
enable = true;
platformTheme = "gtk";
};
gtk = {
enable = true;
theme = {
name = "Dracula";
package = pkgs.dracula-theme;
};
iconTheme = {
name = "Dracula";
package = pkgs.dracula-icon-theme;
};
};
}


@ -0,0 +1,15 @@
{ inputs, config, lib, pkgs, ... }: {
programs.waybar = { enable = true; };
home.packages = with pkgs; [
grim
hypridle
hyprlock
mimeo
pulseaudio
slurp
waypipe
wf-recorder
wl-mirror
ydotool
];
}


@ -0,0 +1,7 @@
{
pkgs,
outputs,
...
}: {
home.packages = [pkgs.wofi pkgs.bemoji pkgs.wofi-pass];
}


@ -0,0 +1,11 @@
{pkgs, ...}: {
imports = [./sunshine.nix];
home.packages = with pkgs; [
gamemode
gamescope
goverlay
mangohud
ryujinx
protonup-ng
];
}


@ -0,0 +1,15 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.gaming.sunshine;
in {
options.features.gaming.sunshine.enable = mkEnableOption "enable Sunshine";
config = mkIf cfg.enable {
home.packages = with pkgs; [sunshine];
};
}


@ -0,0 +1,6 @@
{pkgs, ...}: {
home.packages = with pkgs; [
lm_sensors
powertop
];
}


@ -0,0 +1,5 @@
{pkgs, ...}: {
home.packages = with pkgs; [
i2p
];
}


@ -0,0 +1 @@
{imports = [./podman.nix ./qemu.nix];}


@ -0,0 +1,14 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.virtualization.podman;
in {
options.features.virtualization.podman.enable =
mkEnableOption "install podman";
config = mkIf cfg.enable {home.packages = with pkgs; [fuse-overlayfs];};
}
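Review bot: The description `mkEnableOption "install podman"` does not match the body, which installs only `fuse-overlayfs`; podman itself presumably comes from the host's NixOS configuration, which is not part of this hunk. Either reword to `mkEnableOption "install rootless podman helper tools (fuse-overlayfs)"` or add `podman` to the package list if a user-level install is intended.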


@ -0,0 +1,14 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.features.virtualization.qemu;
in {
options.features.virtualization.qemu.enable =
mkEnableOption "install qemu tools";
config =
mkIf cfg.enable {home.packages = with pkgs; [virt-manager virtiofsd];};
}


@ -0,0 +1,56 @@
{ config, lib, pkgs, inputs, outputs, ... }:
let
in {
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.stable-packages
# You can also add overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default
# Or define it inline, for example:
# (final: prev: {
# hi = final.hello.overrideAttrs (oldAttrs: {
# patches = [ ./change-hello-to-hi.patch ];
# });
# })
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
# Workaround for https://github.com/nix-community/home-manager/issues/2942
allowUnfreePredicate = _: true;
};
};
nix = {
package = lib.mkDefault pkgs.nix;
settings = {
experimental-features = [ "nix-command" "flakes" "repl-flake" ];
warn-dirty = false;
};
};
programs = {
home-manager.enable = true;
git.enable = true;
git = {
userName = "m3tam3re";
userEmail = "m@m3tam3re.com";
aliases = { st = "status"; };
extraConfig = {
core.excludesfile = "~/.gitignore_global";
init.defaultBranch = "master";
};
};
};
home = {
username = lib.mkDefault "lkk-admin";
homeDirectory = lib.mkDefault "/home/${config.home.username}";
};
}
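Review bot: This base module sets `home.username = lib.mkDefault "lkk-admin"` but `programs.git.userName = "m3tam3re"` and `userEmail = "m@m3tam3re.com"`, so commits made from the lkk-admin account would carry m3tam3re's identity; confirm that is intended or move the identity into the m3tam3re base only. `programs.git.enable = true;` and the separate `git = { ... };` set can be merged into one `git = { enable = true; ... };` block, and the `let in {` at the top is empty; both patterns recur in the m3tam3re and produktion base modules added in this commit.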


@ -0,0 +1,16 @@
{
config,
pkgs,
...
}: {
imports = [./base ../../features/cli];
features = {
cli = {
fish.enable = true;
starship.enable = true;
};
};
home.stateVersion = "22.11";
}


@ -0,0 +1,62 @@
{
config,
lib,
pkgs,
inputs,
outputs,
...
}: let
in {
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.stable-packages
# You can also add overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default
# Or define it inline, for example:
# (final: prev: {
# hi = final.hello.overrideAttrs (oldAttrs: {
# patches = [ ./change-hello-to-hi.patch ];
# });
# })
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
# Workaround for https://github.com/nix-community/home-manager/issues/2942
allowUnfreePredicate = _: true;
};
};
nix = {
package = lib.mkDefault pkgs.nix;
settings = {
experimental-features = ["nix-command" "flakes" "repl-flake"];
warn-dirty = false;
};
};
programs = {
home-manager.enable = true;
git.enable = true;
git = {
userName = "m3tam3re";
userEmail = "m@m3tam3re.com";
aliases = {st = "status";};
extraConfig = {
core.excludesfile = "~/.gitignore_global";
init.defaultBranch = "master";
};
};
};
home = {
username = lib.mkDefault "m3tam3re";
homeDirectory = lib.mkDefault "/home/${config.home.username}";
};
}


@ -0,0 +1,22 @@
{ pkgs, inputs, ... }: {
home.file.".config/bat" = {
source = "${inputs.dotfiles}/bat";
recursive = true;
};
home.file.".config/nyxt" = {
source = "${inputs.dotfiles}/nyxt";
recursive = true;
};
home.file.".config/hypr" = {
source = "${inputs.dotfiles}/hypr";
recursive = true;
};
home.file.".config/nvim" = {
source = "${inputs.dotfiles}/nvim";
recursive = true;
};
home.file.".config/zellij" = {
source = "${inputs.dotfiles}/zellij";
recursive = true;
};
}
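Review bot: `home.file.".config/hypr"` links the whole `hypr` directory from the `dotfiles` input with `recursive = true`, while the hyprland module in this commit writes `home.file.".config/hypr/hyprland.conf".text`; if the dotfiles repository also ships a `hyprland.conf`, both definitions target the same path and home-manager's file activation fails with a collision. Pick one source of truth for `hyprland.conf`. The five blocks differ only in the directory name and could be generated from `[ "bat" "nyxt" "hypr" "nvim" "zellij" ]` with `lib.listToAttrs` once `lib` is added to the module arguments.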


@ -0,0 +1,227 @@
{ config, ... }: {
home.file.".config/hypr/hyprland.conf".text = ''
# See https://wiki.hyprland.org/Configuring/Monitors/
monitor=eDP-1,preferred,2560x0,1.25
monitor=DP-1,preferred,0x0,1
# See https://wiki.hyprland.org/Configuring/Keywords/ for more
xwayland {
force_zero_scaling = true
}
# Execute your favorite apps at launch
# exec-once = waybar & hyprpaper & firefox
exec-once = waybar
exec-once = hyprpaper
exec-once = wl-paste -p -t text --watch clipman store -P --histpath="~/.local/share/clipman-primary.json"
# Source a file (multi-file configs)
# source = ~/.config/hypr/myColors.conf
# Some default env vars.
env = LIBVA_DRIVER_NAME,nvidia
env = XDG_SESSION_TYPE,wayland
env = GBM_BACKEND,nvidia-drm
env = __GLX_VENDOR_LIBRARY_NAME,nvidia
env = XCURSOR_SIZE,32
env = WLR_NO_HARDWARE_CURSORS,1
env = GTK_THEME,Dracula
# For all categories, see https://wiki.hyprland.org/Configuring/Variables/
input {
kb_layout = de,us
kb_variant =
kb_model =
kb_rules =
kb_options=ctrl:nocaps
follow_mouse = 1
touchpad {
natural_scroll = yes
}
sensitivity = 0 # -1.0 - 1.0, 0 means no modification.
}
device {
name = zsa-technology-labs-moonlander-mark-i
kb_layout = us
}
general {
# See https://wiki.hyprland.org/Configuring/Variables/ for more
#col.active_border = rgb(44475a) rgb(bd93f9) 90deg
#col.inactive_border = rgba(44475aaa)
#col.group_border = rgba(282a36dd)
#col.group_border_active = rgb(bd93f9) rgb(44475a) 90deg
gaps_in = 5
gaps_out = 5
border_size = 1
col.active_border = rgba(9742b5ee) rgba(9742b5ee) 45deg
col.inactive_border = rgba(595959aa)
layout = dwindle
}
decoration {
# See https://wiki.hyprland.org/Configuring/Variables/ for more
col.shadow = rgba(1E202966)
drop_shadow = yes
shadow_range = 60
shadow_offset = 1 2
shadow_render_power = 3
shadow_scale = 0.97
rounding = 8
blur {
enabled = yes
size = 3
passes = 3
}
active_opacity = 0.9
inactive_opacity = 0.5
drop_shadow = yes
shadow_range = 4
shadow_render_power = 3
}
animations {
enabled = yes
# Some default animations, see https://wiki.hyprland.org/Configuring/Animations/ for more
bezier = myBezier, 0.05, 0.9, 0.1, 1.05
animation = windows, 1, 7, myBezier
animation = windowsOut, 1, 7, default, popin 80%
animation = border, 1, 10, default
animation = borderangle, 1, 8, default
animation = fade, 1, 7, default
animation = workspaces, 1, 6, default
}
dwindle {
# See https://wiki.hyprland.org/Configuring/Dwindle-Layout/ for more
pseudotile = yes # master switch for pseudotiling. Enabling is bound to mainMod + P in the keybinds section below
preserve_split = yes # you probably want this
}
master {
# See https://wiki.hyprland.org/Configuring/Master-Layout/ for more
new_is_master = true
}
gestures {
# See https://wiki.hyprland.org/Configuring/Variables/ for more
workspace_swipe = off
}
# Example per-device config
# See https://wiki.hyprland.org/Configuring/Keywords/#executing for more
device {
name = epic-mouse-v1
sensitivity = -0.5
}
# Example windowrule v1
# windowrule = float, ^(kitty)$
# Example windowrule v2
# windowrulev2 = float,class:^(kitty)$,title:^(kitty)$
# See https://wiki.hyprland.org/Configuring/Window-Rules/ for more
windowrule = float, file_progress
windowrule = float, confirm
windowrule = float, dialog
windowrule = float, download
windowrule = float, notification
windowrule = float, error
windowrule = float, splash
windowrule = float, confirmreset
windowrule = float, title:Open File
windowrule = float, title:branchdialog
windowrule = float, Lxappearance
windowrule = float, Wofi
windowrule = float, dunst
windowrule = animation none,Wofi
windowrule = float,viewnior
windowrule = float,feh
windowrule = float, pavucontrol-qt
windowrule = float, pavucontrol
windowrule = float, file-roller
windowrule = fullscreen, wlogout
windowrule = float, title:wlogout
windowrule = fullscreen, title:wlogout
windowrule = idleinhibit focus, mpv
windowrule = idleinhibit fullscreen, firefox
windowrule = float, title:^(Media viewer)$
windowrule = float, title:^(Volume Control)$
windowrule = float, title:^(Picture-in-Picture)$
windowrule = size 800 600, title:^(Volume Control)$
windowrule = move 75 44%, title:^(Volume Control)$
# See https://wiki.hyprland.org/Configuring/Keywords/ for more
$mainMod = SUPER
# Example binds, see https://wiki.hyprland.org/Configuring/Binds/ for more
bind = $mainMod, return, exec, alacritty -e zellij-ps
bind = $mainMod, t, exec, alacritty
bind = $mainMod SHIFT, e, exec, alacritty -e zellij_nvim
bind = $mainMod, o, exec, thunar
bind = $mainMod, Escape, exec, wlogout -p layer-shell
bind = $mainMod, Space, togglefloating
bind = $mainMod, q, killactive,
bind = $mainMod, M, exit,
bind= $mainMod, F, fullscreen
bind = $mainMod, V, togglefloating,
bind = $mainMod, D, exec, wofi --show drun --allow-images
bind = $mainMod SHIFT, S, exec, bemoji
bind = $mainMod, P, exec, wofi-pass
bind = $mainMod SHIFT, P, pseudo, # dwindle
bind = $mainMod, J, togglesplit, # dwindle
# Move focus with mainMod + arrow keys
bind = $mainMod, left, movefocus, l
bind = $mainMod, right, movefocus, r
bind = $mainMod, up, movefocus, u
bind = $mainMod, down, movefocus, d
workspace = 1, monitor:DP-1, default:true
workspace = 2, monitor:DP-1
workspace = 3, monitor:DP-1
workspace = 4, monitor:eDP-1
workspace = 5, monitor:eDP-1
windowrulev2 = workspace 1,class:(Emacs)
windowrulev2 = workspace 3,opacity 1.0, class:(brave-browser)
windowrulev2 = workspace 4,class:(com.obsproject.Studio)
# Switch workspaces with mainMod + [0-9]
bind = $mainMod, 1, workspace, 1
bind = $mainMod, 2, workspace, 2
bind = $mainMod, 3, workspace, 3
bind = $mainMod, 4, workspace, 4
bind = $mainMod, 5, workspace, 5
bind = $mainMod, 6, workspace, 6
bind = $mainMod, 7, workspace, 7
bind = $mainMod, 8, workspace, 8
bind = $mainMod, 9, workspace, 9
bind = $mainMod, 0, workspace, 10
# Move active window to a workspace with mainMod + SHIFT + [0-9]
bind = $mainMod SHIFT, 1, movetoworkspace, 1
bind = $mainMod SHIFT, 2, movetoworkspace, 2
bind = $mainMod SHIFT, 3, movetoworkspace, 3
bind = $mainMod SHIFT, 4, movetoworkspace, 4
bind = $mainMod SHIFT, 5, movetoworkspace, 5
bind = $mainMod SHIFT, 6, movetoworkspace, 6
bind = $mainMod SHIFT, 7, movetoworkspace, 7
bind = $mainMod SHIFT, 8, movetoworkspace, 8
bind = $mainMod SHIFT, 9, movetoworkspace, 9
bind = $mainMod SHIFT, 0, movetoworkspace, 10
# Scroll through existing workspaces with mainMod + scroll
bind = $mainMod, mouse_down, workspace, e+1
bind = $mainMod, mouse_up, workspace, e-1
# Move/resize windows with mainMod + LMB/RMB and dragging
bindm = $mainMod, mouse:272, movewindow
bindm = $mainMod, mouse:273, resizewindow
'';
}
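Review bot: Inside `decoration { }`, `drop_shadow`, `shadow_range` and `shadow_render_power` are each set twice (`shadow_range = 60` first, `shadow_range = 4` later); Hyprland takes the last assignment, so the first group is dead and misleading—delete one set. The `device { name = epic-mouse-v1 … }` block is the upstream example config and can go. Nothing in the visible dotfiles `default.nix` imports this file, so confirm it is actually reached from the `./dotfiles` import in `m3-nix.nix`.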


@ -0,0 +1,16 @@
{
config,
pkgs,
...
}: {
imports = [./base ../../features/cli];
features = {
cli = {
fish.enable = true;
starship.enable = true;
};
};
home.stateVersion = "22.11";
}


@ -0,0 +1,38 @@
{
config,
pkgs,
...
}: {
imports = [
./base
./dotfiles
../../features/cli
../../features/coding
../../features/desktop
../../features/gaming
../../features/virtualization
];
features = {
cli = {
fish.enable = true;
neofetch.enable = true;
secrets.enable = true;
starship.enable = true;
zellij.enable = true;
};
gaming = {sunshine.enable = true;};
desktop = {
crypto.enable = true;
design.enable = true;
extrafonts.enable = true;
media.enable = true;
office.enable = true;
};
virtualization = {
podman.enable = true;
qemu.enable = true;
};
};
home.stateVersion = "24.05";
}


@ -0,0 +1,16 @@
{
config,
pkgs,
...
}: {
imports = [./base ../../features/cli];
features = {
cli = {
fish.enable = true;
starship.enable = true;
};
};
home.stateVersion = "22.11";
}


@ -0,0 +1,52 @@
{
config,
lib,
pkgs,
outputs,
...
}: let
in {
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.stable-packages
# You can also add overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default
# Or define it inline, for example:
# (final: prev: {
# hi = final.hello.overrideAttrs (oldAttrs: {
# patches = [ ./change-hello-to-hi.patch ];
# });
# })
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
# Workaround for https://github.com/nix-community/home-manager/issues/2942
allowUnfreePredicate = _: true;
};
};
nix = {
package = lib.mkDefault pkgs.nix;
settings = {
experimental-features = ["nix-command" "flakes" "repl-flake"];
warn-dirty = false;
};
};
programs = {
home-manager.enable = true;
git.enable = true;
};
home = {
username = lib.mkDefault "produktion";
homeDirectory = lib.mkDefault "/home/${config.home.username}";
};
}


@ -0,0 +1,21 @@
{
config,
pkgs,
...
}: {
imports = [
./base
../../features/cli
../../features/desktop/plasma.nix
../../features/desktop/media.nix
];
features = {
cli = {
fish.enable = true;
starship.enable = true;
};
};
home.stateVersion = "24.05";
}


@ -0,0 +1,21 @@
{
config,
pkgs,
...
}: {
imports = [
./base
../../features/cli
../../features/desktop/plasma.nix
../../features/desktop/media.nix
];
features = {
cli = {
fish.enable = true;
starship.enable = true;
};
};
home.stateVersion = "24.05";
}


@ -0,0 +1,21 @@
{
lib,
pkgs,
inputs,
outputs,
...
}:
with pkgs; {
imports = [inputs.home-manager.nixosModules.home-manager];
home-manager = {
useUserPackages = true;
extraSpecialArgs = {inherit inputs outputs;};
};
users.defaultUserShell = fish;
environment.systemPackages = [
inputs.agenix.packages."${pkgs.system}".default
inputs.fh.packages."${pkgs.system}".default
coreutils
];
}


@ -0,0 +1,26 @@
{ config, pkgs, inputs, ... }: {
users.users.lkk-admin = {
initialHashedPassword =
"$y$j9T$wOKc3kLsQVtmmyLIN7ljV.$NvdWzwn6p8JNByHoXQqf6/GF3C0JOPHW/D0HgFLQXy4";
isNormalUser = true;
description = "lkk-admin";
extraGroups = [
"wheel"
"networkmanager"
"libvirtd"
"flatpak"
"audio"
"video"
"plugdev"
"input"
"kvm"
"qemu-libvirtd"
];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDh8J7t25qJ5ibc1qmf5WOTWMSqbMQnCbAgdnTzCIJto6ybyRUqoKTr4Os1d1wf4SxzERApzqkBA9fKN2hsAoCi72agXZSpSgHNWZMH+qYXxiYQjNV1ueuCISCjFdDSeu8jQV8UMyEOfi1yNN0g3YXnt7KOnfcv5mdi7jZXmI6CpaHoVZo1xyozBFQj9AM7jP0J5RMXL5mxMfluULBjuR2rxa/74HHbxfxrireGgeW94nnyT0WD9vPxvLuiAufarCrwwh1kLS4COu9QshcVnu1tKH9vXJFIS0r6+vHf/Swo/gRf/AaHUNktFIi9rso+MGGFXozdoHligea6vxYU/3sV m3tam3re@m3-nix"
];
packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
};
home-manager.users.lkk-admin =
import lkk-admin/${config.networking.hostName}.nix;
}
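Review bot: The `initialHashedPassword` in this section commits a password hash to the repository, and the identical hash appears verbatim in the m3tam3re user section that follows, so the two accounts share one credential and anyone with read access to the repo can work on it offline. The host already uses agenix for other secrets, so the value can be moved out of the tree with `hashedPasswordFile = config.age.secrets.SECRET_NAME.path;` in place of `initialHashedPassword` (SECRET_NAME being a new per-user secret), giving each account its own value. Note that `initialHashedPassword` is only applied when the account is first created, so changing the committed value alone does not rotate the password on hosts that already exist.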


@ -0,0 +1 @@
../../../../home/users/lkk-admin/


@ -0,0 +1,26 @@
{ config, pkgs, inputs, ... }: {
users.users.m3tam3re = {
initialHashedPassword =
"$y$j9T$wOKc3kLsQVtmmyLIN7ljV.$NvdWzwn6p8JNByHoXQqf6/GF3C0JOPHW/D0HgFLQXy4";
isNormalUser = true;
description = "m3tam3re";
extraGroups = [
"wheel"
"networkmanager"
"libvirtd"
"flatpak"
"audio"
"video"
"plugdev"
"input"
"kvm"
"qemu-libvirtd"
];
openssh.authorizedKeys.keys = [
"ssh-rsa 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 m3tam3re@m3-nix"
];
packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
};
home-manager.users.m3tam3re =
import m3tam3re/${config.networking.hostName}.nix;
}


@ -0,0 +1 @@
../../../../home/users/m3tam3re/


@ -0,0 +1,19 @@
{
config,
pkgs,
lib,
outputs,
...
}: {
users.users.produktion = {
isNormalUser = true;
description = "Produktion";
extraGroups = ["tailscale" "networkmanager" "audio" "video"];
openssh.authorizedKeys.keys = [
"ssh-rsa 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 m3tam3re@m3-nix"
];
packages = [pkgs.home-manager];
};
nixpkgs.config.allowUnfree = true;
home-manager.users.produktion = import produktion/${config.networking.hostName}.nix;
}


@ -0,0 +1 @@
../../../../home/users/produktion


@ -0,0 +1,92 @@
{ pkgs, ... }: {
imports = [
./hardware-configuration.nix
../common/users/lkk-admin
../common/users/m3tam3re
../common/base
./services
];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
networking = {
hostName = "lkk-nix-1";
firewall.enable = true;
firewall.allowedTCPPortRanges = [{
from = 3000;
to = 3100;
}];
firewall.allowedTCPPorts = [ 53 80 443 5432 3306 3478 ];
firewall.allowedUDPPorts = [ 53 51820 41641 ];
firewall.allowedUDPPortRanges = [{
from = 3478;
to = 3481;
}];
};
environment.systemPackages = with pkgs; [ podman-compose ];
programs.fish.enable = true;
age = {
secrets = {
mj-smtp-user.file = ../../secrets/mj-smtp-user.age;
mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age;
tailscale-key.file = ../../secrets/tailscale-key.age;
vaultwarden-env = {
file = ../../secrets/vaultwarden-env.age;
mode = "770";
};
metabase-env = {
file = ../../secrets/metabase-env.age;
mode = "770";
};
n8n-env = {
file = ../../secrets/n8n-env.age;
mode = "770";
};
ordercollector-env = {
file = ../../secrets/ordercollector-env.age;
mode = "770";
};
traefik-env = {
file = ../../secrets/traefik-env.age;
mode = "770";
owner = "traefik";
};
minio-root-cred = {
file = ../../secrets/minio-root-cred.age;
mode = "770";
};
baserow-env = {
file = ../../secrets/baserow-env.age;
mode = "770";
};
littlelink-lanakk-env = {
file = ../../secrets/littlelink-lanakk-env.age;
mode = "770";
};
pgadmin = {
file = ../../secrets/pgadmin.age;
mode = "770";
owner = "pgadmin";
};
};
identityPaths = [ "/root/.ssh/lkk-nix-1" ];
};
nix = {
gc = {
automatic = true;
options = "--delete-older-than 30d";
};
optimise.automatic = true;
};
system.stateVersion = "22.11"; # Did you read the comment?
}
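Review bot: `firewall.allowedTCPPorts` opens 5432 and 3306 on every interface, exposing the PostgreSQL and MariaDB listeners configured under services/ to the public network, although the only consumers visible in this commit are containers reaching the host at 10.88.0.1 on the podman bridge. If that is the intended reach, the ports can be scoped with `networking.firewall.interfaces.BRIDGE.allowedTCPPorts = [ 5432 3306 ];` (BRIDGE is presumably `podman0`; confirm on the host) and dropped from the global list, and the same question applies to the 3000–3100 range, which Traefik reaches via localhost and most container sections already bind to 127.0.0.1. The `mode = "770"` on the secret files is also broader than the readers need: the services consume them via `EnvironmentFile`/`environmentFiles`, so agenix's default `mode = "0400"` with an explicit `owner` where a non-root service reads the file is sufficient, and the execute bit has no purpose on a data file.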


@ -0,0 +1,59 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52";
fsType = "btrfs";
options = ["subvol=root"];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52";
fsType = "btrfs";
options = ["subvol=home"];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52";
fsType = "btrfs";
options = ["subvol=nix"];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2550-EF31";
fsType = "vfat";
};
fileSystems."/var/backup" = {
device = "46.38.248.210:/voln527829a1";
fsType = "nfs";
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
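Review bot: The `/var/backup` mount is an NFS export from a public address with no `options`, so it runs with the NFS defaults (AUTH_SYS, no transport protection), and that path receives the gitea dump, the PostgreSQL/MariaDB dumps and the vaultwarden backup configured elsewhere in this commit. If the traffic leaves a provider-private network, those dumps and the vault database cross the wire in clear text and the mount trusts the server by IP alone; carrying it over the Tailscale link already present on the host, or pinning `options = [ "vers=4.2" ]` together with whatever `sec=` mode the export supports, would be worth confirming with the provider. This file is marked as generated by nixos-generate-config, so a mount the operator depends on is safer declared in the host's default.nix where a regeneration cannot drop it.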


@ -0,0 +1,13 @@
{
config,
pkgs,
...
}: {
imports = [./containers];
virtualisation.podman = {
enable = true;
defaultNetwork.settings = {dns_enabled = true;};
};
virtualisation.oci-containers.backend = "podman";
}


@ -0,0 +1,9 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."baserow" = {
image = "docker.io/baserow/baserow:1.24.2";
environmentFiles = [ config.age.secrets.baserow-env.path ];
ports = [ "127.0.0.1:3001:80" ];
volumes = [ "baserow_data:/baserow/data" ];
extraOptions = [ "--add-host=postgres:10.88.0.1" "--ip=10.88.0.11" ];
};
}


@ -0,0 +1,13 @@
{
imports = [
./baserow.nix
./little-link.nix
./matomo.nix
./mautic.nix
./n8n.nix
./nextcloud.nix
./nginx.nix
./ordercollector.nix
./wordpress.nix
];
}


@ -0,0 +1,8 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."littlelink_lanakk" = {
image = "ghcr.io/techno-tim/littlelink-server";
environmentFiles = [ config.age.secrets.littlelink-lanakk-env.path ];
ports = [ "3010:3000" ];
extraOptions = [ "--ip=10.88.0.20" ];
};
}
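Review bot: `ports = [ "3010:3000" ]` publishes the littlelink container on every host interface, whereas the baserow, n8n, nextcloud and other sibling sections bind to `127.0.0.1:` and are only reachable through Traefik; with the 3000–3100 range opened in the lkk-nix-1 firewall this service becomes reachable over plain HTTP on 3010, bypassing TLS termination. The matomo section (`"3003:80"`) and the kk_blog container in the wordpress section (`"3015:80"`) have the same binding. Changing to `ports = [ "127.0.0.1:3010:3000" ];` (and likewise for the other two) keeps the Traefik `http://localhost:3010/` upstream working. Podman's port publishing typically installs its own netfilter rules, so the NixOS firewall alone is not a reliable block here — the bind address is the dependable control. The image reference also carries no tag or digest, so each pull may land a different build; pinning a version as the baserow section does keeps rollbacks reproducible.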


@ -0,0 +1,19 @@
{
config,
outputs,
...
}: {
virtualisation.oci-containers.containers."matomo" = {
image = "docker.io/matomo";
environment = {
MATOMO_DATABASE_HOST = "mysql";
MATOMO_DATABASE_USERNAME = "matomo";
MATOMO_DATABASE_PASSWORD = "matomo";
MATOMO_DATABASE_DBNAME = "matomo";
PHP_MEMORY_LIMIT = "2048M";
};
ports = ["3003:80"];
volumes = ["matomo_data:/var/www/html"];
extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.13"];
};
}
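Review bot: `MATOMO_DATABASE_PASSWORD = "matomo"` places a database credential in the module's `environment`, which is rendered into the world-readable Nix store and the container's unit file, and the mautic (`MAUTIC_DB_PASSWORD`) and wordpress (`WORDPRESS_DB_PASSWORD`, both containers) sections do the same. The baserow and n8n sections already show the pattern to follow: move the variables into an agenix secret and reference it with `environmentFiles = [ config.age.secrets.SECRET_NAME.path ];` (SECRET_NAME being a new secret added to the host's `age.secrets`). The values here are identical to the user names, which is worth changing at the moment they are rotated into the secret. `docker.io/matomo` is also untagged, so each pull may land a different major version; pinning one keeps rebuilds reproducible.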


@ -0,0 +1,20 @@
{
config,
outputs,
...
}: {
virtualisation.oci-containers.containers."mautic" = {
image = "docker.io/mautic/mautic:v4-apache";
environment = {
MAUTIC_DB_HOST = "mysql";
MAUTIC_DB_USER = "mautic";
MAUTIC_DB_PASSWORD = "mautic";
MAUTIC_DB_DBNAME = "mautic";
PHP_MEMORY_LIMIT = "2048M";
MAUTIC_RUN_CRON_JOBS = "true";
};
ports = ["127.0.0.1:3008:80"];
volumes = ["mautic_data:/var/www/html"];
extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.23"];
};
}


@ -0,0 +1,13 @@
{
config,
outputs,
...
}: {
virtualisation.oci-containers.containers."n8n" = {
image = "docker.n8n.io/n8nio/n8n";
environmentFiles = [config.age.secrets.n8n-env.path];
ports = ["127.0.0.1:5678:5678"];
volumes = ["/var/lib/n8n/.n8n:/home/node/.n8n"];
extraOptions = ["--ip=10.88.0.24"];
};
}


@ -0,0 +1,18 @@
{
config,
outputs,
...
}: {
virtualisation.oci-containers.containers."nextcloud" = {
image = "docker.io/nextcloud";
environment = {
TRUSTED_PROXIES = "10.88.0.1/16";
OVERWRITEPROTOCOL = "https";
OVERWRITECLIURL = "https://cloud.lanakk.com";
OVERWRITEHOST = "cloud.lanakk.com";
};
ports = ["127.0.0.1:3005:80"];
volumes = ["nextcloud_data:/var/www/html"];
extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.15"];
};
}
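Review bot: `TRUSTED_PROXIES = "10.88.0.1/16"` trusts the whole podman network, so any other container on 10.88.0.0/16 could supply `X-Forwarded-For`/`X-Forwarded-Proto` values that Nextcloud accepts, which weakens its IP-based brute-force protection. The port is bound to 127.0.0.1 and Traefik runs on the host, so requests presumably arrive from the bridge gateway only and `TRUSTED_PROXIES = "10.88.0.1";` is the tighter value; `10.88.0.1/16` is additionally non-canonical (the network address is 10.88.0.0/16), which some parsers reject. `docker.io/nextcloud` is untagged, so an unattended pull can jump a major version and break the data directory; pin the version in use.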


@ -0,0 +1,12 @@
{
config,
outputs,
...
}: {
virtualisation.oci-containers.containers."http-images" = {
image = "docker.io/nginx:alpine";
ports = ["127.0.0.1:3012:80"];
volumes = ["/opt/service-data/http-images:/usr/share/nginx/html"];
extraOptions = ["--ip=10.88.0.22"];
};
}


@ -0,0 +1,7 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."ordercollector" = {
image = "code.lanakk.com/lanakk/ordercollector:latest";
environmentFiles = [ config.age.secrets.ordercollector-env.path ];
ports = [ "127.0.0.1:3004:8080" ];
};
}


@ -0,0 +1,30 @@
{
config,
outputs,
...
}: {
virtualisation.oci-containers.containers."lanakk_blog" = {
image = "docker.io/wordpress";
environment = {
WORDPRESS_DB_HOST = "mysql";
WORDPRESS_DB_USER = "wp";
WORDPRESS_DB_PASSWORD = "wp";
WORDPRESS_DB_NAME = "lanakk_blog";
};
ports = ["127.0.0.1:3002:80"];
volumes = ["lanakk_blog_data:/var/www/html"];
extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.12"];
};
virtualisation.oci-containers.containers."kk_blog" = {
image = "docker.io/wordpress";
environment = {
WORDPRESS_DB_HOST = "mysql";
WORDPRESS_DB_USER = "wp";
WORDPRESS_DB_PASSWORD = "wp";
WORDPRESS_DB_NAME = "kk_blog";
};
ports = ["3015:80"];
volumes = ["kk_blog_data:/var/www/html"];
extraOptions = ["--add-host=mysql:10.88.0.1" "--ip=10.88.0.16"];
};
}


@ -0,0 +1,13 @@
{
imports = [
./container.nix
./gitea.nix
./mariadb.nix
./metabase.nix
./postgres.nix
./syncthing.nix
./tailscale.nix
./traefik.nix
./vaultwarden.nix
];
}


@ -0,0 +1,16 @@
{
config,
pkgs,
...
}: {
services.gitea = {
enable = true;
settings.server.ROOT_URL = "https://code.lanakk.com";
lfs.enable = true;
dump = {
enable = true;
interval = "03:30:00";
backupDir = "/var/backup/gitea";
};
};
}
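Review bot: Nothing in `settings` sets `service.DISABLE_REGISTRATION`, so Gitea's default of allowing self-registration applies to an instance that the Traefik config publishes at code.lanakk.com without any auth middleware. If the instance is meant for the organisation only, `settings.service.DISABLE_REGISTRATION = true;` next to `settings.server.ROOT_URL` closes that. The `dump` target under `/var/backup` contains the repositories and the user database, so the protection of that mount matters as much as the instance itself.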


@ -0,0 +1,11 @@
{ pkgs, config, ... }: {
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
services.mysqlBackup = {
enable = true;
calendar = "03:00:00";
databases = [ "lanakk_blog" "matomo" "mautic" ];
};
}
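Review bot: `services.mysql` is enabled with no `settings.mysqld.bind-address`, so MariaDB presumably listens on all addresses, and the lkk-nix-1 firewall in this commit opens 3306 globally, while the only consumers visible are containers reaching `mysql` via `--add-host=mysql:10.88.0.1`. Adding `settings.mysqld.bind-address = "10.88.0.1";` confines the listener to the podman gateway (if the bridge is not up when the service starts, keeping the wide bind and scoping the firewall rule to the bridge interface is the fallback). The database users (`wp`, `matomo`, `mautic`) are created outside this module, so their host part (`'user'@'10.88.%'` rather than `'%'`) is worth verifying as well.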


@ -0,0 +1,13 @@
{
config,
pkgs,
...
}: {
services.metabase = {
enable = true;
listen.port = 3013;
};
systemd.services.metabase.serviceConfig = {
EnvironmentFile = "${config.age.secrets.metabase-env.path}";
};
}


@ -0,0 +1,29 @@
{ pkgs, config, ... }: {
services.postgresql = {
enable = true;
enableTCPIP = true;
package = pkgs.postgresql_15;
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 10.88.0.1/16 trust
'';
initialScript = pkgs.writeText "backend-initScript" ''
CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
CREATE DATABASE baserow;
GRANT ALL PRIVILEGES ON DATABASE baserow TO baserow;
ALTER DATABASE baserow OWNER to baserow;
'';
};
services.postgresqlBackup = {
enable = true;
startAt = "03:10:00";
databases = [ "baserow" "metabase" "postgres" "lanakk_data_warehouse" ];
};
services.pgadmin = {
enable = true;
initialPasswordFile = "${config.age.secrets.pgadmin.path}";
initialEmail = "sascha@lanakk.com";
};
}
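Review bot: `host all all 10.88.0.1/16 trust` lets any client on the podman network connect as any role, including the `postgres` superuser, without a password, which makes the `ENCRYPTED PASSWORD 'baserow'` in `initialScript` moot and hands a compromised container (several in this commit run untagged images) full database access. Restricting the line to the role and database actually used and requiring a password, e.g. `host baserow baserow 10.88.0.0/16 scram-sha-256`, keeps baserow working once its password is carried in the agenix env file; `local all all trust` similarly lets any local Unix account become superuser and can be tightened to `peer`, provided the backup and pgadmin services keep authenticating as they do now. `10.88.0.1/16` is non-canonical (10.88.0.0/16 is the network), and the `'baserow'` password sits in the Nix store via `pkgs.writeText`, so it should be rotated when it moves to a secret.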


@ -0,0 +1,26 @@
{
config,
pkgs,
...
}: {
services.syncthing = {
enable = true;
openDefaultPorts = true;
guiAddress = "0.0.0.0:8384";
overrideDevices = true;
overrideFolders = true;
settings = {
devices = {
"LK-DATA" = {
id = "BI7CMZF-2SGQMXW-RG47HRG-FEH454J-ZTCE544-BXNSCSJ-PXCE7A7-R4CX2Q3";
};
};
folders = {
"Bildvorschauen" = {
path = "/opt/service-data/http-images";
devices = ["LK-DATA"];
};
};
};
};
}
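Review bot: `guiAddress = "0.0.0.0:8384"` exposes the Syncthing web UI on every interface although Traefik reaches it at `http://localhost:8384/`, and no GUI user/password is set in `settings`, so whatever protection the UI has depends on state outside this repo; with `trustedInterfaces = ["tailscale0"]` in the tailscale section, every tailnet peer can reach the port directly. `guiAddress = "127.0.0.1:8384";` limits access to the Traefik route, and setting Syncthing's `gui.user`/`gui.password` (or attaching the Traefik `auth` middleware to the syncthing router, as the api router already does) supplies the missing authentication layer.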


@ -0,0 +1,42 @@
{
config,
pkgs,
...
}: {
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
};
networking.firewall = {
trustedInterfaces = ["tailscale0"];
};
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = ["network-pre.target" "tailscale.service"];
wants = ["network-pre.target" "tailscale.service"];
wantedBy = ["multi-user.target"];
# set this service as a oneshot job
serviceConfig = {
Type = "oneshot";
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
};
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --advertise-exit-node --authkey $TAILSCALE_KEY
'';
};
}
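Review bot: `trustedInterfaces = ["tailscale0"]` bypasses the firewall for every tailnet peer, so anything listening on the host (for example the Syncthing GUI bound to 0.0.0.0 in this commit) is reachable from any device that joins the tailnet; allowing only the needed ports with `networking.firewall.interfaces.tailscale0.allowedTCPPorts` is the narrower form, particularly with `--advertise-exit-node` also set. In the script, `$status` and `$TAILSCALE_KEY` are unquoted — `if [ "$status" = "Running" ]` and `--authkey "$TAILSCALE_KEY"` turn an empty value into a clean branch instead of a shell syntax error. The same `tailscale-autoconnect` unit is duplicated in the lkk-prod-1 and lkk-prod-2 host files; a shared module under common/ would keep the three copies from drifting. The fixed `sleep 2` is a race, since `tailscale status` simply reports a non-Running state if polled too early; a short retry loop is more robust than a delay.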


@ -0,0 +1,241 @@
{ config, ... }: {
services.traefik = {
enable = true;
staticConfigOptions = {
log = { level = "WARN"; };
certificatesResolvers = {
godaddy = {
acme = {
email = "dev@lanakk.com";
storage = "/var/lib/traefik/acme.json";
dnsChallenge = { provider = "godaddy"; };
};
};
lets-encrypt = {
acme = {
email = "dev@lanakk.com";
storage = "/var/lib/traefik/acme.json";
tlsChallenge = { };
};
};
};
api = { };
entryPoints = {
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = { address = ":443"; };
};
};
dynamicConfigOptions = {
http = {
middlewares = {
auth = {
basicAuth = {
users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ];
};
};
nextcloud_redirectregex = {
redirectRegex = {
permanent = true;
regex = "https://(.*)/.well-known/(?:card|cal)dav";
replacement = "https://\${1}/remote.php/dav";
};
};
nextcloud_headers = {
headers = {
referrerPolicy = "no-referrer";
stsSeconds = "31536000";
forceSTSHeader = true;
stsPreload = true;
stsIncludeSubdomains = true;
};
};
};
services = {
baserow.loadBalancer.servers = [{ url = "http://localhost:3001/"; }];
gitea.loadBalancer.servers = [{ url = "http://localhost:3000/"; }];
n8n.loadBalancer.servers = [{ url = "http://localhost:5678/"; }];
lanakk_blog.loadBalancer.servers =
[{ url = "http://localhost:3002/"; }];
matomo.loadBalancer.servers = [{ url = "http://localhost:3003/"; }];
ordercollector.loadBalancer.servers =
[{ url = "http://localhost:3004/"; }];
nextcloud.loadBalancer.servers =
[{ url = "http://localhost:3005/"; }];
mautic.loadBalancer.servers = [{ url = "http://localhost:3008/"; }];
littlelink-lanakk.loadBalancer.servers =
[{ url = "http://localhost:3010/"; }];
http-images.loadBalancer.servers =
[{ url = "http://localhost:3012/"; }];
syncthing.loadBalancer.servers =
[{ url = "http://localhost:8384/"; }];
metabase.loadBalancer.servers = [{ url = "http://localhost:3013/"; }];
pgadmin.loadBalancer.servers = [{ url = "http://localhost:5050/"; }];
vaultwarden.loadBalancer.servers =
[{ url = "http://localhost:3014/"; }];
kk_blog.loadBalancer.servers = [{ url = "http://localhost:3015/"; }];
};
routers = {
api = {
rule = "Host(`r.lanakk.com`)";
tls = { certResolver = "lets-encrypt"; };
service = "api@internal";
middlewares = "auth";
entrypoints = "websecure";
};
baserow = {
rule = "Host(`db.lanakk.com`)";
tls = { certResolver = "lets-encrypt"; };
service = "baserow";
entrypoints = "websecure";
};
gitea = {
rule = "Host(`code.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "code.lanakk.com";
};
service = "gitea";
entrypoints = "websecure";
};
n8n = {
rule = "Host(`wf.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "wf.lanakk.com";
};
service = "n8n";
entrypoints = "websecure";
};
ordercollector = {
rule = "Host(`api.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "api.lanakk.com";
};
service = "ordercollector";
entrypoints = "websecure";
};
lanakk_blog = {
rule = "Host(`www.weltkarte-pinnwand.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "www.weltkarte-pinnwand.com";
};
service = "lanakk_blog";
entrypoints = "websecure";
};
kk_blog = {
rule = "Host(`kk.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "kk.lanakk.com";
};
service = "kk_blog";
entrypoints = "websecure";
};
matomo = {
rule = "Host(`stats.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "stats.lanakk.com";
};
service = "matomo";
entrypoints = "websecure";
};
matomo-weltkarte-pinnwand = {
rule = "Host(`stats.weltkarte-pinnwand.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "stats.weltkarte-pinnwand.com";
};
service = "matomo";
entrypoints = "websecure";
};
pgadmin = {
rule = "Host(`pg.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "pg.lanakk.com";
};
service = "pgadmin";
entrypoints = "websecure";
};
nextcloud = {
rule = "Host(`cloud.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "cloud.lanakk.com";
};
service = "nextcloud";
entrypoints = "websecure";
middlewares = "nextcloud_redirectregex,nextcloud_headers";
};
mautic = {
rule = "Host(`ma.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "ma.lanakk.com";
};
service = "mautic";
entrypoints = "websecure";
};
littlelink-lanakk = {
rule = "Host(`links.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "links.lanakk.com";
};
service = "littlelink-lanakk";
entrypoints = "websecure";
};
http-images = {
rule = "Host(`media.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "media.lanakk.com";
};
service = "http-images";
entrypoints = "websecure";
};
syncthing = {
rule = "Host(`sync.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "sync.lanakk.com";
};
service = "syncthing";
entrypoints = "websecure";
};
metabase = {
rule = "Host(`kpi.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "kpi.lanakk.com";
};
service = "metabase";
entrypoints = "websecure";
};
vaultwarden = {
rule = "Host(`vw.lanakk.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "vw.lanakk.com";
};
service = "vaultwarden";
entrypoints = "websecure";
};
};
};
};
};
systemd.services.traefik.serviceConfig = {
EnvironmentFile = [ "${config.age.secrets.traefik-env.path}" ];
};
}
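Review bot: The `basicAuth.users` entry commits an `$apr1$` (MD5-based) htpasswd hash for the dashboard user to the repository, where it is both crackable offline and copied into the world-readable Nix store; Traefik's `usersFile` lets the credential live in an agenix-managed file instead (`basicAuth.usersFile = config.age.secrets.SECRET_NAME.path;`, SECRET_NAME being a new secret), and `htpasswd -B` produces a bcrypt hash to put there. Two values also look mistyped: `tls.domains` on the routers is a bare string while Traefik documents it as a list of `{ main = "..."; }` entries, and `stsSeconds` is a string where an integer is expected — the Traefik startup log would show whether these are being dropped. Both `godaddy` and `lets-encrypt` resolvers point `storage` at the same `/var/lib/traefik/acme.json`; Traefik's ACME documentation recommends a separate storage file per resolver so they do not overwrite each other.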


@ -0,0 +1,15 @@
{
config,
pkgs,
...
}: {
services.vaultwarden = {
enable = true;
backupDir = "/var/backup/vaultwarden";
config = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 3014;
};
environmentFile = "${config.age.secrets.vaultwarden-env.path}";
};
}
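Review bot: Nothing in `config` sets `SIGNUPS_ALLOWED`, whose upstream default is `true`, so anyone reaching vw.lanakk.com (published by Traefik with no auth middleware) can create a vault account unless the agenix `environmentFile` sets it. If that is not intended, `SIGNUPS_ALLOWED = false;` belongs in `config` next to `ROCKET_PORT`, with `SIGNUPS_DOMAINS_WHITELIST` or the admin page (protected by `ADMIN_TOKEN`) used for onboarding. `backupDir` points under the `/var/backup` NFS mount declared in the lkk-nix-1 hardware configuration, so the vault database leaves the host on that mount and its transport deserves the same scrutiny as the service.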


@ -0,0 +1,176 @@
{
config,
pkgs,
outputs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../common/users/produktion
../common/base
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking = {
hostName = "lkk-prod-1";
networkmanager.enable = true;
firewall.enable = true;
};
programs.fish.enable = true;
age = {
secrets = {tailscale-key.file = ../../secrets/tailscale-key.age;};
identityPaths = ["/root/.ssh/lkk-nix-1"];
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
services.avahi.nssmdns4 = {
enable = true;
nssmdns = true;
};
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
};
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = ["network-pre.target" "tailscale.service"];
wants = ["network-pre.target" "tailscale.service"];
wantedBy = ["multi-user.target"];
# set this service as a oneshot job
serviceConfig = {
Type = "oneshot";
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
};
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY
'';
};
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
i18n.defaultLocale = "de_DE.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "de_DE.UTF-8";
LC_IDENTIFICATION = "de_DE.UTF-8";
LC_MEASUREMENT = "de_DE.UTF-8";
LC_MONETARY = "de_DE.UTF-8";
LC_NAME = "de_DE.UTF-8";
LC_NUMERIC = "de_DE.UTF-8";
LC_PAPER = "de_DE.UTF-8";
LC_TELEPHONE = "de_DE.UTF-8";
LC_TIME = "de_DE.UTF-8";
};
# Enable the X11 windowing system.
services.xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# Configure keymap in X11
services.xserver = {xkb.layout = "de";};
# Configure console keymap
console.keyMap = "de";
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
nixpkgs = {
overlays = [
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.stable-packages
];
config = {allowUnfree = true;};
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [neovim];
nix = {
gc = {
automatic = true;
options = "--delete-older-than 30d";
};
optimise.automatic = true;
};
system.stateVersion = "24.05"; # Did you read the comment?
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
}
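Review bot: `services.openssh.settings.PermitRootLogin = "yes"` together with the default `PasswordAuthentication` permits password-based root login over SSH on this workstation, whereas lkk-nix-1 in the same commit disables password auth; `settings.PermitRootLogin = "prohibit-password";` plus `settings.PasswordAuthentication = false;` keeps key-based access (the produktion user already carries an authorized key) and removes the brute-force surface. The same setting appears in the lkk-prod-2 host file, which is a near-copy of this one apart from `hostName` and `stateVersion`; a shared profile would keep them in step. `services.avahi.nssmdns4 = { enable = true; nssmdns = true; }` also looks mistaken — `nssmdns4` is a boolean option, so this is presumably meant as `services.avahi = { enable = true; nssmdns4 = true; };`. `age.identityPaths = ["/root/.ssh/lkk-nix-1"]` reuses the server host's identity name here; if the same private key was copied to the workstations, one key now decrypts every secret in the repo, including the server-only ones.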


@ -0,0 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/hardware/network/broadcom-43xx.nix")
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/88887b78-5a75-49cf-991d-7a3c8f813799";
fsType = "ext4";
};
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/67E3-17ED";
fsType = "vfat";
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,176 @@
{
config,
pkgs,
outputs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
../common/users/produktion
../common/base
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking = {
hostName = "lkk-prod-2";
networkmanager.enable = true;
firewall.enable = true;
};
programs.fish.enable = true;
age = {
secrets = {tailscale-key.file = ../../secrets/tailscale-key.age;};
identityPaths = ["/root/.ssh/lkk-nix-1"];
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
services.avahi.nssmdns4 = {
enable = true;
nssmdns = true;
};
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
};
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = ["network-pre.target" "tailscale.service"];
wants = ["network-pre.target" "tailscale.service"];
wantedBy = ["multi-user.target"];
# set this service as a oneshot job
serviceConfig = {
Type = "oneshot";
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
};
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --authkey $TAILSCALE_KEY
'';
};
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
i18n.defaultLocale = "de_DE.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "de_DE.UTF-8";
LC_IDENTIFICATION = "de_DE.UTF-8";
LC_MEASUREMENT = "de_DE.UTF-8";
LC_MONETARY = "de_DE.UTF-8";
LC_NAME = "de_DE.UTF-8";
LC_NUMERIC = "de_DE.UTF-8";
LC_PAPER = "de_DE.UTF-8";
LC_TELEPHONE = "de_DE.UTF-8";
LC_TIME = "de_DE.UTF-8";
};
# Enable the X11 windowing system.
services.xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# Configure keymap in X11
services.xserver = {xkb.layout = "de";};
# Configure console keymap
console.keyMap = "de";
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
nixpkgs = {
overlays = [
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.stable-packages
];
config = {allowUnfree = true;};
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [neovim];
nix = {
gc = {
automatic = true;
options = "--delete-older-than 30d";
};
optimise.automatic = true;
};
system.stateVersion = "22.11"; # Did you read the comment?
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
}


@ -0,0 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/hardware/network/broadcom-43xx.nix")
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/73092ab4-3dcb-4b39-8fa2-44c0341c44c0";
fsType = "ext4";
};
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/67E3-17ED";
fsType = "vfat";
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

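--- a/hosts/m3-nix/default.nix
+++ b/hosts/m3-nix/default.nix
@@ -0,0 +1,148 @@
+{ config, inputs, outputs, pkgs, lib, ... }:
+with pkgs; {
+imports = [
+./hardware.nix
+./hardware-configuration.nix # Include the results of the hardware scan.
+../common/users/m3tam3re
+../common/base
+./services
+];
+specialisation = {
+"NVIDIA".configuration = {
+boot.kernelParams = [ "nvidia.NVreg_PreserveVideoMemoryAllocations=1" ];
+system.nixos.tags = [ "NVIDIA" ];
+services.xserver.videoDrivers = [ "nvidia" ];
+};
+};
+# Bootloader.
+boot.loader.systemd-boot.enable = true;
+boot.loader.systemd-boot.memtest86.enable = true;
+boot.extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
+boot.kernelModules = [ "v4l2loopback" ];
+boot.extraModprobeConfig = ''
+options kvm_intel nested=1
+options kvm_intel emulate_invalid_guest_state=0
+options kvm ignore_msrs=1
+options v4l2loopback exclusive_caps=1 max_buffers=2
+'';
+networking = {
+hostName = "m3-nix";
+firewall.extraCommands =
+"iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns";
+networkmanager.enable = true;
+};
+services.openssh = {
+enable = true;
+settings.PermitRootLogin = "no";
+allowSFTP = true;
+};
+services.avahi = {
+enable = true;
+nssmdns4 = true;
+publish = {
+addresses = true;
+workstation = true;
+userServices = true;
+};
+};
+programs.nix-ld.enable = true;
+programs.nix-ld.libraries = with pkgs;
+[
+# Add any missing dynamic libraries for unpackaged programs
+# here, NOT in environment.systemPackages
+];
+programs.hyprland = {
+enable = true;
+xwayland.enable = true;
+};
+programs.steam = {
+enable = true;
+remotePlay.openFirewall = true;
+dedicatedServer.openFirewall = true;
+};
+programs.fish.enable = true;
+programs.thunar = {
+enable = true;
+plugins = with pkgs.xfce; [ thunar-archive-plugin thunar-volman ];
+};
+age = {
+secrets = {
+tailscale-key.file = ../../secrets/tailscale-key.age;
+wg-key.file = ../../secrets/wg-key.age;
+m3tam3re-secrets = {
+file = ../../secrets/m3tam3re-secrets.age;
+owner = "m3tam3re";
+};
+};
+identityPaths = [ "/root/.ssh/lkk-nix-1" ];
+};
+time.timeZone = "Europe/Berlin";
+i18n.defaultLocale = "de_DE.utf8";
+console.keyMap = "de";
+# NOTE: NIX related config
+programs.nh = {
+enable = true;
+clean.enable = true;
+clean.extraArgs = "--keep-since 4d --keep 3";
+flake = "/home/m3tam3re/projects/nix-configurations";
+};
+nix.extraOptions = ''
+experimental-features = nix-command
+keep-outputs = true
+keep-derivations = true
+'';
+nix = {
+settings = {
+experimental-features = "nix-command flakes";
+trusted-users = [ "root" "m3tam3re" ];
+};
+gc = {
+automatic = true;
+options = "--delete-older-than 30d";
+};
+optimise.automatic = true;
+registry = (lib.mapAttrs (_: flake: { inherit flake; }))
+((lib.filterAttrs (_: lib.isType "flake")) inputs);
+nixPath = [ "/etc/nix/path" ];
+};
+environment.etc = lib.mapAttrs' (name: value: {
+name = "nix/path/${name}";
+value.source = value.flake;
+}) config.nix.registry;
+environment.systemPackages =
+[ neovim nvd nix-output-monitor wally-cli nfs-utils restic sshfs ];
+systemd.extraConfig = ''
+DefaultTimeoutStopSec=10s
+'';
+nixpkgs = {
+overlays = [
+outputs.overlays.additions
+outputs.overlays.modifications
+outputs.overlays.stable-packages
+];
+config = {
+allowUnfree = true;
+nvidia.acceptLicense = true;
+};
+};
+# This value determines the NixOS release from which the default
+# settings for stateful data, like file locations and database versions
+# on your system were taken. Its perfectly fine and recommended to leavecatenate(variables, "bootdev", bootdev)
+# this value at the release version of the first install of this system.
+# Before changing this value read the documentation for this option
+# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+system.stateVersion = "24.05"; # Did you read the comment?
+}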
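Review bot: The `services.openssh` block disables root login but leaves password authentication at its default, whereas the m3-r1 host in the same commit sets it off; add `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` next to `settings.PermitRootLogin = "no";` so the daemon, reachable on the LAN (Avahi publishes the host) and over Tailscale, is key-only. `trusted-users = [ "root" "m3tam3re" ]` gives that account root-equivalent control of the nix daemon (it can push arbitrary substituters and sandbox options), which is a reasonable single-user trade-off but deserves a one-line comment saying so. `nix.extraOptions` and `nix.settings.experimental-features` both set `experimental-features`, with different values; keep only the `nix.settings` form. The stateVersion comment also contains the stray text `leavecatenate(variables, "bootdev", bootdev)`, presumably a paste accident, which should read `leave`.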


@ -0,0 +1,67 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
boot.initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "ahci" "nvme" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd"];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd"];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/3a50bf0a-024b-488b-aa11-56b32f2fb54d";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd" "noatime"];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4811-EA6E";
fsType = "vfat";
};
fileSystems."/opt" = {
device = "/dev/disk/by-uuid/3574df3a-2a90-4b54-9c21-128f1d01ff8f";
fsType = "btrfs";
options = ["noatime" "compress=zstd"];
};
fileSystems."/mnt/skynet-bkg" = {
device = "100.94.135.99:/volume3/bkg";
fsType = "nfs";
options = ["noauto" "x-systemd.automount"];
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp46s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
}
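Review bot: The `/nix` filesystem entry mounts `subvol=home`, the same subvolume `/home` mounts, so as written `/nix` and `/home` are one btrfs subvolume; presumably this was meant to be `options = ["subvol=nix" "compress=zstd" "noatime"];`, which is also what the m3-r1 hardware configuration uses. The `/mnt/skynet-bkg` NFS mount, which the restic module uses as its repository, targets an address in 100.64.0.0/10 (it looks like a Tailscale address) with default `sec=sys`; if that is the intent, a comment such as `# NFS over tailscale; backups depend on tailscaled being up` would make the dependency explicit. Despite the "generated" header, this file has clearly been hand-edited, so the header comment no longer protects it from `nixos-generate-config` overwrites.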

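--- a/hosts/m3-nix/hardware.nix
+++ b/hosts/m3-nix/hardware.nix
@@ -0,0 +1,54 @@
+{ config, pkgs, ... }: {
+hardware.nvidia = {
+package = let
+rcu_patch = pkgs.fetchpatch {
+url =
+"https://github.com/gentoo/gentoo/raw/c64caf53/x11-drivers/nvidia-drivers/files/nvidia-drivers-470.223.02-gpl-pfn_valid.patch";
+hash = "sha256-eZiQQp2S/asE7MfGvfe6dA/kdCvek9SYa/FFGp24dVg=";
+};
+in config.boot.kernelPackages.nvidiaPackages.mkDriver {
+version = "535.154.05";
+sha256_64bit = "sha256-fpUGXKprgt6SYRDxSCemGXLrEsIA6GOinp+0eGbqqJg=";
+sha256_aarch64 = "sha256-G0/GiObf/BZMkzzET8HQjdIcvCSqB1uhsinro2HLK9k=";
+openSha256 = "sha256-wvRdHguGLxS0mR06P5Qi++pDJBCF8pJ8hr4T8O6TJIo=";
+settingsSha256 = "sha256-9wqoDEWY4I7weWW05F4igj1Gj9wjHsREFMztfEmqm10=";
+persistencedSha256 =
+"sha256-d0Q3Lk80JqkS1B54Mahu2yY/WocOqFFbZVBh+ToGhaE=";
+#version = "550.40.07";
+#sha256_64bit = "sha256-KYk2xye37v7ZW7h+uNJM/u8fNf7KyGTZjiaU03dJpK0=";
+#sha256_aarch64 = "sha256-AV7KgRXYaQGBFl7zuRcfnTGr8rS5n13nGUIe3mJTXb4=";
+#openSha256 = "sha256-mRUTEWVsbjq+psVe+kAT6MjyZuLkG2yRDxCMvDJRL1I=";
+#settingsSha256 = "sha256-c30AQa4g4a1EHmaEu1yc05oqY01y+IusbBuq+P6rMCs=";
+#persistencedSha256 = "sha256-11tLSY8uUIl4X/roNnxf5yS2PQvHvoNjnd2CB67e870=";
+patches = [ rcu_patch ];
+};
+prime = {
+offload.enable = false;
+# Bus ID of the Intel GPU. You can find it using lspci, either under 3D or VGA
+intelBusId = "PCI:0:2:0";
+# Bus ID of the NVIDIA GPU. You can find it using lspci, either under 3D or VGA
+nvidiaBusId = "PCI:1:0:0";
+};
+modesetting.enable = true;
+powerManagement.finegrained = false;
+powerManagement.enable = true;
+open = false;
+dynamicBoost.enable = true;
+nvidiaSettings = true;
+};
+hardware.opengl.enable = true;
+hardware.opengl.driSupport32Bit = true;
+services.hardware.bolt.enable = true;
+services.auto-cpufreq.enable = true;
+services.tlp.enable = true;
+services.fstrim.enable = true;
+hardware.bluetooth.enable = true;
+hardware.keyboard.zsa.enable = true;
+hardware.tuxedo-rs.enable = true;
+hardware.tuxedo-rs.tailor-gui.enable = true;
+hardware.tuxedo-keyboard.enable = true;
+}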
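Review bot: `services.auto-cpufreq.enable = true;` and `services.tlp.enable = true;` are both set, and auto-cpufreq's own documentation states it conflicts with TLP because both drive the CPU frequency governor; keep one of them (e.g. drop the auto-cpufreq line) or add a comment explaining why both are wanted here. The commented-out 550.40.07 hash block is dead configuration; if it is kept as a quick switch, a one-line comment such as `# alternative driver 550.40.07: swap the six hashes above` would state that intent. The `fetchpatch` call and the driver hashes are all pinned by content hash, which is the right supply-chain hygiene and should stay.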


@ -0,0 +1,6 @@
{
services.cron = {
enable = true;
systemCronJobs = [""];
};
}
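Review bot: `systemCronJobs = [""]` enables the cron daemon but only writes an empty line into the system crontab, so this module adds a running service with no job. Either list the intended jobs or remove `./cron.nix` from the services imports; if the daemon is wanted only for per-user crontabs, say so with `# cron kept for per-user crontabs; no system jobs` and use `systemCronJobs = [];`.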


@ -0,0 +1,32 @@
{pkgs, ...}: {
imports = [
./cron.nix
./flatpak.nix
./prometheus-node.nix
./ollama.nix
./sound.nix
./udev.nix
./restic.nix
./tailscale.nix
./virtualization.nix
./wireguard.nix
#./xserver.nix
];
# services.gvfs = {
# enable = true;
# package = pkgs.gnome3.gvfs;
# };
# services.kubo = { enable = true; }; # IPFS
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-gnome3;
};
services.printing.enable = true;
services.sabnzbd.enable = true;
services.i2p.enable = true;
services.gvfs.enable = true;
services.trezord.enable = true;
services.logind.lidSwitchExternalPower = "ignore";
}
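Review bot: `services.sabnzbd.enable = true;` and `services.i2p.enable = true;` start two network-facing daemons on a laptop that also advertises itself via Avahi, and nothing here pins their listen addresses; confirm that SABnzbd's web interface and the I2P router console bind to loopback only, or add a comment stating that the module defaults are loopback-only. `programs.gnupg.agent.enableSSHSupport = true` appears to make gpg-agent the user's SSH agent (NixOS points `SSH_AUTH_SOCK` at it), which silently replaces any desktop ssh-agent; a short comment such as `# gpg-agent serves as the SSH agent; keys live on the GPG card/keyring` would make that intentional. The `{pkgs, ...}` argument set is used only for `pinentryPackage`, which is fine.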


@ -0,0 +1,8 @@
{pkgs, ...}: {
services.flatpak.enable = true;
xdg.portal = {
# xdg desktop intergration (required for flatpak)
enable = true;
extraPortals = [pkgs.xdg-desktop-portal-gtk];
};
}


@ -0,0 +1,7 @@
{
config,
pkgs,
...
}: {
services.ollama = {enable = true;};
}


@ -0,0 +1,10 @@
{
services.prometheus.exporters.node = {
enable = true;
port = 8081;
enabledCollectors = ["logind" "systemd"];
disabledCollectors = ["textfile"];
openFirewall = true;
firewallFilter = "-i br0 -p tcp -m tcp --dport 8081";
};
}
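Review bot: `firewallFilter = "-i br0 -p tcp -m tcp --dport 8081"` limits the opened port to an interface `br0` that nothing visible in this host's configuration creates (NetworkManager, libvirtd and podman are enabled, none of which defines `br0`), so the unauthenticated node exporter is either unreachable from outside or the filter matches a different interface than intended. If the scrape comes over Tailscale, `firewallFilter = "-i tailscale0 -p tcp -m tcp --dport 8081";` together with `listenAddress` set to the node's Tailscale address keeps the metrics endpoint off the LAN. A comment naming the scraping host (`# scraped by <prometheus host> over tailscale`) would make the intent checkable.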


@ -0,0 +1,25 @@
{
services.restic.backups = {
skynet = {
repository = "/mnt/skynet-bkg/m3-nix";
passwordFile = "/etc/nixos/restic-pass";
initialize = true;
paths = ["/home/m3tam3re"];
exclude = [
"/home/m3tam3re/.cache"
"/home/m3tam3re/Bilder/"
"/home/m3tam3re/Videos/"
"/home/m3tam3re/Downloads"
"/home/m3tam3re/Library"
"/home/m3tam3re/Projekte"
"/home/m3tam3re/Sync"
"/home/m3tam3re/.local/share/Trash"
];
timerConfig = {
OnCalendar = "09:30";
RandomizedDelaySec = "2h";
Persistent = true;
};
};
};
}
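Review bot: `passwordFile = "/etc/nixos/restic-pass"` keeps the repository password as a plaintext file outside the agenix flow every other secret on this host uses, with permissions that depend on whoever created it. Declare it as an age secret and reference it with `passwordFile = config.age.secrets.restic-pass.path;` (the module then needs `{config, ...}:` as its argument set and a matching `age.secrets.restic-pass.file` entry in the host). The repository sits on the `noauto`/`x-systemd.automount` NFS mount from the hardware configuration, so the first access by the backup unit triggers the mount; when the server is unreachable the job should fail rather than write into the local mountpoint, but a comment stating that reliance on the automount would help the next reader.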


@ -0,0 +1,14 @@
{ pkgs, ... }: {
sound.enable = true;
sound.mediaKeys.enable = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = false;
wireplumber.enable = true;
wireplumber.package = pkgs.stable.wireplumber;
};
}


@ -0,0 +1,40 @@
{
config,
pkgs,
...
}: {
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
};
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = ["network-pre.target" "tailscale.service"];
wants = ["network-pre.target" "tailscale.service"];
wantedBy = ["multi-user.target"];
# set this service as a oneshot job
serviceConfig = {
Type = "oneshot";
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
};
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
'';
};
}
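Review bot: `tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY` passes the auth key on the command line, where it is briefly visible to every local user through `ps` and `/proc/*/cmdline`. NixOS ships `services.tailscale.authKeyFile` and `services.tailscale.extraUpFlags = [ "--exit-node=100.88.96.77" ];`, which perform the same login with the key read from a file (the module should be present in the 24.05 release this host targets), so the custom `tailscale-autoconnect` unit could go entirely, provided the secret is stored as a bare key rather than the `TAILSCALE_KEY=` line the `EnvironmentFile` form needs. If the unit stays, quote the test as `if [ "$status" = "Running" ]; then`, because an empty `$status` (tailscaled not yet answering after the fixed `sleep 2`) currently turns the test into a shell syntax error and the script falls through to re-running `tailscale up`. `after = ["network-pre.target" ...]` is also unusual, since `network-pre.target` is meant to be ordered before network setup; `network-online.target` is probably the intended dependency.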


@ -0,0 +1,5 @@
{pkgs, ...}: {
services.udev.extraRules = ''
SUBSYSTEM=="usb", MODE="0666
'';
}
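Review bot: The rule `SUBSYSTEM=="usb", MODE="0666` is missing its closing quote, so udev should reject the line when it parses `extraRules`; once the quote is added, the rule makes every USB device node on the machine world-readable and world-writable, letting any local process speak raw USB to keyboards, storage and the Trezor that `services.trezord` is enabled for. Scope it to the one device it was written for, e.g. `SUBSYSTEM=="usb", ATTR{idVendor}=="<vid>", ATTR{idProduct}=="<pid>", TAG+="uaccess"`, so only the active seat user gets access; the ZSA keyboard already receives its rules from `hardware.keyboard.zsa.enable` and trezord from its own module, so this blanket rule may not be needed at all. Add a comment naming the target device either way.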


@ -0,0 +1,19 @@
{pkgs, ...}: {
virtualisation = {
libvirtd = {
enable = true;
qemu = {
swtpm.enable = true;
ovmf = {
enable = true;
packages = [pkgs.OVMFFull];
};
};
};
containers.cdi.dynamic.nvidia.enable = true;
podman = {
enable = true;
defaultNetwork.settings.dns_enabled = true;
};
};
}


@ -0,0 +1,8 @@
{config, ...}: {
networking.wg-quick.interfaces = {
wg0 = {
configFile = config.age.secrets.wg-key.path;
autostart = false;
};
};
}


@ -0,0 +1,19 @@
{pkgs, ...}: {
services.xserver.videoDrivers = ["nvidia"];
# services.xserver = {
# enable = true;
# videoDrivers = [ "nvidia" ];
# displayManager = {
# defaultSession = "hyprland";
# sddm = { enable = true; };
# };
# libinput.enable = true; # touchpad support
# layout = "de";
# xkbOptions = "ctrl:nocaps";
# };
# services.xserver.screenSection = ''
# Option "metamodes" "nvidia-auto-select +0+0 {ForceFullCompositionPipeline=On}"
# Option "AllowIndirectGLXProtocol" "off"
# Option "TripleBuffer" "on"
# '';
}

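--- a/hosts/m3-nix/vfio.nix
+++ b/hosts/m3-nix/vfio.nix
@@ -0,0 +1,40 @@
+let
+gpuIDs = [
+"10de:249d" # Graphics
+"10de:228b" # Audio
+];
+in
+{
+pkgs,
+lib,
+config,
+...
+}: {
+options.vfio.enable = with lib;
+mkEnableOption "Configure the machine for VFIO";
+config = let
+cfg = config.vfio;
+in {
+boot = {
+initrd.kernelModules = [
+"vfio_pci"
+"vfio"
+"vfio_iommu_type1"
+"vfio_virqfd"
+];
+kernelParams =
+[
+# enable IOMMU
+"intel_iommu=on"
+]
+++ lib.optional cfg.enable
+# isolate the GPU
+("vfio-pci.ids=" + lib.concatStringsSep "," gpuIDs);
+};
+hardware.opengl.enable = true;
+virtualisation.spiceUSBRedirection.enable = true;
+};
+}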
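Review bot: `initrd.kernelModules` loads the four vfio modules and `kernelParams` sets `intel_iommu=on` regardless of `vfio.enable`; only the `vfio-pci.ids=` parameter is gated on `cfg.enable`, so the option does not actually switch the feature off. Gate the rest as well, e.g. `initrd.kernelModules = lib.optionals cfg.enable [ "vfio_pci" "vfio" "vfio_iommu_type1" ];` and `kernelParams = lib.optionals cfg.enable [ "intel_iommu=on" ("vfio-pci.ids=" + lib.concatStringsSep "," gpuIDs) ];`. `vfio_virqfd` was folded into `vfio.ko` in Linux 6.2, so on a current kernel that entry is either a no-op or a missing-module failure when the initrd is built; on older kernels module dependency resolution should pull it in, so dropping it is safe. This file is also absent from the visible `imports` list in `hosts/m3-nix/default.nix`, so as committed `vfio.enable` cannot be set anywhere.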

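--- a/hosts/m3-r1/default.nix
+++ b/hosts/m3-r1/default.nix
@@ -0,0 +1,104 @@
+{ inputs, outputs, lib, config, pkgs, ... }: {
+imports = [
+./hardware-configuration.nix
+../common/users/m3tam3re
+../common/base
+./services
+];
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+services.openssh.enable = true;
+services.openssh.settings.PasswordAuthentication = false;
+networking = {
+hostName = "m3-r1";
+firewall.enable = true;
+firewall.allowedTCPPortRanges = [{
+from = 3000;
+to = 3100;
+}];
+firewall.allowedTCPPorts = [ 53 80 443 5432 3306 3478 ];
+firewall.allowedUDPPorts = [ 53 51820 41641 ];
+firewall.allowedUDPPortRanges = [{
+from = 3478;
+to = 3481;
+}];
+};
+programs.fish.enable = true;
+age = {
+secrets = {
+mj-smtp-user.file = ../../secrets/mj-smtp-user.age;
+mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age;
+openai.file = ../../secrets/openai.age;
+tailscale-key.file = ../../secrets/tailscale-key.age;
+vaultwarden-env = {
+file = ../../secrets/vaultwarden-env.age;
+mode = "770";
+};
+n8n-env = {
+file = ../../secrets/n8n-m3r1.age;
+mode = "770";
+};
+traefik-env = {
+file = ../../secrets/traefik-env.age;
+mode = "770";
+owner = "traefik";
+};
+searx-environmentFile = {
+file = ../../secrets/searx-environmentFile.age;
+mode = "770";
+owner = "searx";
+};
+littlelink-m3tam3re-env = {
+file = ../../secrets/littlelink-m3tam3re-env.age;
+mode = "770";
+};
+};
+identityPaths = [ "/root/.ssh/lkk-nix-1" ];
+};
+nix = {
+extraOptions = ''
+experimental-features = nix-command
+keep-outputs = true
+keep-derivations = true
+'';
+settings = {
+experimental-features = "nix-command flakes";
+trusted-users = [ "root" "m3tam3re" ];
+};
+gc = {
+automatic = true;
+options = "--delete-older-than 30d";
+};
+optimise.automatic = true;
+registry = (lib.mapAttrs (_: flake: { inherit flake; }))
+((lib.filterAttrs (_: lib.isType "flake")) inputs);
+nixPath = [ "/etc/nix/path" ];
+};
+environment.etc = lib.mapAttrs' (name: value: {
+name = "nix/path/${name}";
+value.source = value.flake;
+}) config.nix.registry;
+systemd.extraConfig = ''
+DefaultTimeoutStopSec=10s
+'';
+nixpkgs = {
+overlays = [
+outputs.overlays.additions
+outputs.overlays.modifications
+outputs.overlays.stable-packages
+];
+config = { allowUnfree = true; };
+};
+system.stateVersion = "23.05"; # Did you read the comment?
+}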
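Review bot: `firewall.allowedTCPPorts = [ 53 80 443 5432 3306 3478 ]` opens the PostgreSQL and MySQL ports on every interface of this VM, including its public one, while the containers under `services/containers` reach the database through the podman bridge gateway `10.88.0.1`; open those ports only on the bridge with `networking.firewall.interfaces.podman0.allowedTCPPorts = [ 5432 3306 ];` and drop them from the global list (the 3000-3100 range deserves the same treatment if, as the `traefik-env` secret suggests, those container ports are fronted by traefik on 80/443). The age secrets declared with `mode = "770"` are group-readable and executable, which no consumer here needs; `mode = "0440"` with an explicit `owner`/`group`, as `traefik-env` and `searx-environmentFile` partially do, is the least-privilege form. Password authentication is correctly disabled for OpenSSH; adding `services.openssh.settings.PermitRootLogin = "no";` would match the m3-nix host.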


@ -0,0 +1,53 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/5e3a0875-005c-49c4-9dbf-86e471e7e881";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd"];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/5e3a0875-005c-49c4-9dbf-86e471e7e881";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd"];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/5e3a0875-005c-49c4-9dbf-86e471e7e881";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd"];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/A79C-4B9F";
fsType = "vfat";
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,13 @@
{
config,
pkgs,
...
}: {
imports = [./containers];
virtualisation.podman = {
enable = true;
defaultNetwork.settings = {dns_enabled = true;};
};
virtualisation.oci-containers.backend = "podman";
}


@ -0,0 +1,25 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."baserow" = {
image = "docker.io/baserow/baserow:1.24.2";
environment = {
BASEROW_PUBLIC_URL = "https://br.m3tam3re.com";
POSTGRES_USER = "baserow";
POSTGRES_PASSWORD = "baserow";
POSTGRES_DB = "baserow";
DATABASE_HOST = "postgres";
DATABASE_NAME = "baserow";
DATABASE_USER = "baserow";
DATABASE_PASSWORD = "baserow";
EMAIL_SMTP = "in-v3.mailjet.com";
EMAIL_SMTP_HOST = "in-v3.mailjet.com";
EMAIL_SMTP_PORT = "587";
EMAIL_SMTP_USER = config.age.secrets.mj-smtp-user.path;
EMAIL_SMTP_PASSWORD = config.age.secrets.mj-smtp-pass.path;
};
ports = [ "3001:80" ];
volumes = [ "baserow_data:/baserow/data" ];
extraOptions = [ "--add-host=postgres:10.88.0.1" "--ip=10.88.0.11" ];
};
}
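Review bot: `EMAIL_SMTP_USER = config.age.secrets.mj-smtp-user.path` and `EMAIL_SMTP_PASSWORD = config.age.secrets.mj-smtp-pass.path` hand the container the paths of the decrypted secrets (`/run/agenix/...`) as SMTP credentials rather than their contents, and those paths are not mounted into the container, so the mail login cannot work as written. Move them, together with the hard-coded `POSTGRES_PASSWORD = "baserow"` and `DATABASE_PASSWORD = "baserow"`, into an age-managed env file loaded with `environmentFiles = [ config.age.secrets.baserow-env.path ];`, the pattern the briefkasten container already uses; the database password is especially worth changing given that the host firewall currently exposes port 5432. Pinning the image by `@sha256:` digest instead of the `1.24.2` tag would make the deployment reproducible.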


@ -0,0 +1,12 @@
{
config,
outputs,
...
}: {
virtualisation.oci-containers.containers."briefkasten" = {
image = "docker.io/ndom91/briefkasten";
environmentFiles = [config.age.secrets.briefkasten-env.path];
ports = ["3009:3000"];
extraOptions = ["--add-host=postgres:10.88.0.1" "--ip=10.88.0.19"];
};
}
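Review bot: `config.age.secrets.briefkasten-env.path` refers to a secret that the `age.secrets` block of `hosts/m3-r1/default.nix` in this commit does not declare (it lists mj-smtp-user, mj-smtp-pass, openai, tailscale-key, vaultwarden-env, n8n-env, traefik-env, searx-environmentFile and littlelink-m3tam3re-env); unless a file not shown here declares it, evaluation fails with a missing-attribute error, so add `briefkasten-env = { file = ../../secrets/briefkasten-env.age; mode = "0440"; };` to that block. `image = "docker.io/ndom91/briefkasten"` carries no tag, so every pull follows the moving `latest` and a broken or compromised upstream push lands on the next restart; pin a tag or, better, an `@sha256:` digest.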
