sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity

Compare commits

base: sora:main
Branches Tags
sora:main sora:dev
..
compare: sora:2072b1be6f8155e25a7de381382c2579c52e4b92
Branches Tags
sora:dev sora:main

1 Commits
main ... 2072b1be6f

Author SHA1 Message Date
Renovate Bot
2072b1be6f Update DeterminateSystems/magic-nix-cache-action action to v12 2025-07-05 02:10:16 +00:00
66 changed files with 581 additions and 879 deletions
Expand all files Collapse all files

8
.gitea/workflows/build.yml
View File

@@ -12,17 +12,17 @@ jobs:
build-nixos:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v4
- name: "Install Nix ❄️"
uses: cachix/install-nix-action@v31
# - uses: DeterminateSystems/nix-installer-action@v4
- uses: DeterminateSystems/magic-nix-cache-action@v13
- uses: DeterminateSystems/flake-checker-action@v12
- uses: DeterminateSystems/magic-nix-cache-action@v12
- uses: DeterminateSystems/flake-checker-action@v11
- name: "Install Cachix ❄️"
uses: cachix/cachix-action@v17
uses: cachix/cachix-action@v16
with:
name: helcel
authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"

6
.gitea/workflows/update.yml
View File

@@ -13,15 +13,15 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@v4
- name: Install nix
uses: DeterminateSystems/nix-installer-action@v22
uses: DeterminateSystems/nix-installer-action@v17
with:
github-token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
extra_nix_config: |
experimental-features = nix-command flakes
- name: Update flake.lock
uses: DeterminateSystems/update-flake-lock@v28
uses: DeterminateSystems/update-flake-lock@v25
with:
token: ${{ secrets.GT_TOKEN_FOR_UPDATES }}
pr-title: "[chore] Update flake.lock"

70
.sops.yaml
View File

@@ -9,57 +9,55 @@ keys:
- &avalon age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
- &valinor age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
- &asgard age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
- &gateway age1lqvnzlendlmtwgstzrj4xzrwpatwx56k5az5au78fyg99yecwfzs3s6xn6
- &sandbox age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
creation_rules:
- path_regex: modules/shared/sops/private/iriy.[a-z]+
key_groups:
- age:
- *iriy
pgp:
- *sora
- age:
- *iriy
pgp:
- *sora
- path_regex: modules/shared/sops/private/avalon.[a-z]+
key_groups:
- age:
- *avalon
pgp:
- *sora
- age:
- *avalon
pgp:
- *sora
- path_regex: modules/shared/sops/private/valinor.[a-z]+
key_groups:
- age:
- *valinor
pgp:
- *sora
- age:
- *valinor
pgp:
- *sora
- path_regex: modules/shared/sops/private/asgard.[a-z]+
key_groups:
- age:
- *asgard
pgp:
- *sora
- age:
- *asgard
pgp:
- *sora
- path_regex: modules/shared/sops/common.[a-z]+
key_groups:
- age:
- *valinor
- *iriy
- *avalon
- *asgard
- *gateway
pgp:
- *sora
- age:
- *valinor
- *iriy
- *avalon
- *asgard
pgp:
- *sora
- path_regex: modules/shared/sops/mock.[a-z]+
key_groups:
- age:
- *ci
- *sandbox
- age:
- *ci
- path_regex: modules/server/sops/server.[a-z]+
key_groups:
- age:
- *avalon
- *sandbox
pgp:
- *sora
- age:
- *valinor
- *iriy
- *avalon
- *asgard
pgp:
- *sora

88
flake.lock generated
View File

@@ -9,11 +9,11 @@
]
},
"locked": {
"lastModified": 1770259557,
"narHash": "sha256-EvZ09k9+mzXAngPzU2K7oLLUDlKoT1numb4bDb3Gtl4=",
"lastModified": 1745165725,
"narHash": "sha256-OnHV8Us04vRsWM0uL1cQez8DumhRi6yE+4K4VLtH6Ws=",
"owner": "hercules-ci",
"repo": "arion",
"rev": "9b24cf65c72cb0e9616e437d55e1ac8e5c6bc715",
"rev": "4f59059633b14364b994503b179a701f5e6cfb90",
"type": "github"
},
"original": {
@@ -45,11 +45,11 @@
]
},
"locked": {
"lastModified": 1777780666,
"narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
"lastModified": 1750618568,
"narHash": "sha256-w9EG5FOXrjXGfbqCcQg9x1lMnTwzNDW5BMXp8ddy15E=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
"rev": "1dd19f19e4b53a1fd2e8e738a08dd5fe635ec7e5",
"type": "github"
},
"original": {
@@ -67,11 +67,11 @@
]
},
"locked": {
"lastModified": 1769996383,
"narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"type": "github"
},
"original": {
@@ -103,11 +103,11 @@
},
"hardware": {
"locked": {
"lastModified": 1778143761,
"narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
"lastModified": 1750837715,
"narHash": "sha256-2m1ceZjbmgrJCZ2PuQZaK4in3gcg3o6rZ7WK6dr5vAA=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
"rev": "98236410ea0fe204d0447149537a924fb71a6d4f",
"type": "github"
},
"original": {
@@ -139,16 +139,16 @@
]
},
"locked": {
"lastModified": 1777851538,
"narHash": "sha256-Gp8qwTEYNoy2yvmErVGlvLOQvrtEECCAKbonW7VJef8=",
"lastModified": 1750792728,
"narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "cc09c0f9b7eaa95c2d9827338a5eb03d32505ca5",
"rev": "366f00797b1efb70f2882d3da485e3c10fd3d557",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.11",
"ref": "release-25.05",
"repo": "home-manager",
"type": "github"
}
@@ -174,11 +174,11 @@
},
"nixUnstable": {
"locked": {
"lastModified": 1778274207,
"narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
"lastModified": 1750994206,
"narHash": "sha256-3u6rEbIX9CN/5A5/mc3u0wIO1geZ0EhjvPBXmRDHqWM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
"rev": "80d50fc87924c2a0d346372d242c27973cf8cdbf",
"type": "github"
},
"original": {
@@ -190,16 +190,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1778003029,
"narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
"lastModified": 1750969886,
"narHash": "sha256-zW/OFnotiz/ndPFdebpo3X0CrbVNf22n4DjN2vxlb58=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
"rev": "a676066377a2fe7457369dd37c31fd2263b662f4",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-25.11",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
@@ -221,11 +221,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1777954456,
"narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
"lastModified": 1751011381,
"narHash": "sha256-krGXKxvkBhnrSC/kGBmg5MyupUUT5R6IBCLEzx9jhMM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
"rev": "30e2e2857ba47844aa71991daa6ed1fc678bcbb7",
"type": "github"
},
"original": {
@@ -238,14 +238,15 @@
"nur": {
"inputs": {
"flake-parts": "flake-parts_2",
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_2",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1778376280,
"narHash": "sha256-pL2F2FF2FN7zWr5o/vG7GiYOSjp+DUNyPIYqNaLQFFs=",
"lastModified": 1751150016,
"narHash": "sha256-aaNJgaEXYMsdmLG38YyCO0eZdTf49Cj0TZsW4gpn9jg=",
"owner": "nix-community",
"repo": "nur",
"rev": "828688994167eb57628c98fd1d7e1223b079cda1",
"rev": "c3c9ee3b26349abe162df39499ec587f453ce089",
"type": "github"
},
"original": {
@@ -274,11 +275,11 @@
]
},
"locked": {
"lastModified": 1777944972,
"narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
"lastModified": 1750119275,
"narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
"rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2",
"type": "github"
},
"original": {
@@ -286,6 +287,27 @@
"repo": "sops-nix",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nur",
"nixpkgs"
]
},
"locked": {
"lastModified": 1733222881,
"narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "49717b5af6f80172275d47a418c9719a31a78b53",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
}
},
"root": "root",

5
flake.nix
View File

@@ -3,12 +3,12 @@
inputs = {
# Trick renovate into working: "github:NixOS/nixpkgs/nixpkgs-unstable"
nixUnstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
hardware.url = "github:nixos/nixos-hardware";
nur.url = "github:nix-community/nur";
home-manager = {
url = "github:nix-community/home-manager/release-25.11";
url = "github:nix-community/home-manager/release-25.05";
inputs.nixpkgs.follows = "nixpkgs";
};
@@ -44,7 +44,6 @@
avalon = gen.generate { host = "avalon"; };
ci = gen.generate { host = "ci"; };
sandbox = gen.generate { host = "sandbox"; };
gateway = gen.generate { host = "gateway"; };
};
darwinConfigurations = { asgard = gen.generate { host = "asgard"; }; };
homeConfigurations = {

14
modules/home/cli/git/default.nix
View File

@@ -1,17 +1,15 @@
{ config, lib, pkgs, ... }: {
{ config, pkgs, ... }: {
programs.git = {
enable = true;
signing = lib.mkIf (config.usercfg.git.key != null) {
key = config.usercfg.git.key;
userEmail = "${config.usercfg.git.email}";
userName = "${config.usercfg.git.username}";
signing = {
key = "${config.usercfg.git.key}";
signByDefault = true;
};
ignores = [ "*result*" ".direnv" "node_modules" ];
settings = {
core.hooksPath = "./.dev/hooks";
user.email = "${config.usercfg.git.email}";
user.name = "${config.usercfg.git.username}";
};
extraConfig = { core.hooksPath = "./.dev/hooks"; };
};
home.packages = with pkgs; [ tig ];

2
modules/home/cli/zsh/default.nix
View File

@@ -9,8 +9,6 @@ in {
"sudo" = "sudo ";
"devsh" =
"nix develop --profile /tmp/devsh-env ${nixflake_url}#devsh -c zsh";
"cdevsh" =
"nix develop --profile /tmp/devsh-env -c zsh";
"nixb" = "(sudo nixos-rebuild switch --flake ${nixflake_url})";
"nixgc" = "sudo nix-collect-garbage -d && nix-collect-garbage -d";
"ssh" = "TERM=xterm-256color ${pkgs.openssh}/bin/ssh";

2
modules/home/gui/apps/develop/default.nix
View File

@@ -2,6 +2,6 @@
imports = [ ./vscodium ];
config = lib.mkIf (config.syscfg.make.develop) {
home.packages = with pkgs; [ blender godot_4 openscad-unstable orca-slicer pandoc claude-code];
home.packages = with pkgs; [ blender godot_4 openscad bambu-studio ];
};
}

1
modules/home/gui/apps/develop/vscodium/default.nix
View File

@@ -12,7 +12,6 @@
ms-python.vscode-pylance
ms-vscode.cpptools
dbaeumer.vscode-eslint
continue.continue
];
#};
};

14
modules/home/gui/apps/pipewire/default.nix
View File

@@ -25,20 +25,6 @@
}
}
}
{ name = "libpipewire-module-loopback"
args = {
node.description = "Virtual Loopback"
audio.position = [ FL FR ]
capture.props = {
media.class = "Audio/Sink"
node.name = "vloopback_sink"
}
playback.props = {
media.class = "Audio/Source"
node.name = "vloopback_source"
}
}
}
]
'';
};

1
modules/home/gui/base/default.nix
View File

@@ -16,6 +16,7 @@
nextcloud-client
gramps
sweethome3d.application
];
};
}

10
modules/home/gui/games/default.nix
View File

@@ -7,16 +7,16 @@
home.packages = with pkgs; [
#games
# steam
steam
gamemode
#gamescope
#mangohud
gamescope
mangohud
prismlauncher
openttd-jgrpp
#bottles
bottles
lutris
unstable.umu-launcher
# wine
wine
];
};

60
modules/home/gui/games/wow.nix
View File

@@ -5,7 +5,6 @@
home.packages = with pkgs;
[
# custom.simc
unstable.instawow
];
# templates buggy currently
@@ -19,5 +18,64 @@
"wago_addons": null
}
}'';
# curse:master-plan
# curse:raretrackercore-rt
# curse:raretrackerdragonflight-rtd
# curse:raretrackermaw-rtmw
# curse:raretrackermechagon-rtm
# curse:raretrackerthewarwithin-rtww
# curse:raretrackertimelessisle-rtti
# curse:raretrackeruldum-rtu
# curse:raretrackervale-rtv
# curse:raretrackerworldbosses-rtwb
# curse:raretrackerzerethmortis-rtz
# curse:venture-plan
# curse:war-plan
# github:nevcairiel/bartender4
# github:cidan/betterbags
# github:bigwigsmods/bigwigs
# github:bigwigsmods/bigwigs_battleforazeroth
# github:bigwigsmods/bigwigs_burningcrusade
# github:bigwigsmods/bigwigs_cataclysm
# github:bigwigsmods/bigwigs_classic
# github:bigwigsmods/bigwigs_dragonflight
# github:bigwigsmods/bigwigs_legion
# github:bigwigsmods/bigwigs_mistsofpandaria
# github:bigwigsmods/bigwigs_shadowlands
# github:bigwigsmods/bigwigs_warlordsofdraenor
# github:bigwigsmods/bigwigs_wrathofthelichking
# github:nezroy/demodal
# github:curseforge-mirror/details
# github:edusperoni/details_elitism
# github:curseforge-mirror/elitismhelper
# github:michaelnpsp/grid2
# github:jods-gh/groupfinderrio
# github:nevcairiel/handynotes
# github:hekili/hekili
# github:thekrowi/krowi_achievementfilter
# github:bigwigsmods/littlewigs
# github:nnoggie/mythicdungeontools
# github:tullamods/omnicc
# github:tercioo/plater-nameplates
# github:curseforge-mirror/quest_completist
# github:raiderio/raiderio-addon
# github:wowrarity/rarity
# github:nevcairiel/shadowedunitframes
# github:simulationcraft/simc-addon
# github:curseforge-mirror/tomcats
# github:weakauras/weakauras2
# github:kemayo/wow-handynotes-battleforazerothtreasures
# github:kemayo/wow-handynotes-dragonflight
# github:kemayo/wow-handynotes-legiontreasures
# github:kemayo/wow-handynotes-longforgottenhippogryph
# github:kemayo/wow-handynotes-lostandfound
# github:kemayo/wow-handynotes-secretfish
# github:kemayo/wow-handynotes-shadowlandstreasures
# github:kemayo/wow-handynotes-stygia
# github:kemayo/wow-handynotes-treasurehunter
# github:kemayo/wow-handynotes-warwithin
# wowi:7032-tomtom
};
}

2
modules/home/wayland/apps/eww/bar/eww.yuck
View File

@@ -48,7 +48,7 @@
(defwindow bar
:monitor 1
:monitor 0
:geometry (geometry
:x "0%"
:y "0%"

2
modules/home/wayland/apps/eww/bar/windows/calendar.yuck
View File

@@ -1,5 +1,5 @@
(defwindow calendar
:monitor 1
:monitor 0
:geometry (geometry
:x "0%"
:y "0%"

2
modules/home/wayland/apps/eww/bar/windows/powermenu.yuck
View File

@@ -34,7 +34,7 @@
)
(defwindow powermenu
:monitor 1
:monitor 0
:stacking "overlay"
:geometry (geometry
:anchor "center"

2
modules/home/wayland/apps/eww/bar/windows/radio.yuck
View File

@@ -2,7 +2,7 @@
(defvar radio_rev false)
(defwindow radio
:monitor 1
:monitor 0
:geometry (geometry
:x "0%"
:y "0%"

2
modules/home/wayland/apps/eww/bar/windows/sys.yuck
View File

@@ -129,7 +129,7 @@
)
(defwindow sys
:monitor 1
:monitor 0
:stacking "overlay"
:geometry (geometry
:x "0%"

61
modules/home/wayland/apps/kanshi/default.nix
View File

@@ -7,52 +7,43 @@
settings = [
{
profile.name = "tower_0";
profile.outputs = [
{
criteria = "AOC 24E1W1 GNSKCHA086899";
mode = "1920x1080@60.000";
position = "0,0";
status = "enable";
scale = 1.0;
adaptiveSync = true;
}
{
criteria = "AOC 24E1W1 GNSKBHA080346";
mode = "1920x1080@60.000";
position = "1920,0";
status = "enable";
scale = 1.0;
adaptiveSync = true;
}
];
profile.outputs = [{
criteria = "CEX CX133 0x00000001";
mode = "1920x1200@59.972";
position = "0,0";
scale = 1.0;
status = "enable";
}];
}
{
profile.name = "tower_1";
profile.outputs = [{
criteria = "AOC 16G3 1DDP7HA000348";
mode = "1920x1080@144.000";
position = "0,0";
status = "enable";
scale = 1.0;
adaptiveSync = true;
}];
}
{
profile.name = "tower_2";
profile.outputs = [
{
criteria = "AOC 24E1W1 GNSKCHA086899";
mode = "1920x1080@60.000";
position = "0,0";
status = "enable";
scale = 1.0;
adaptiveSync = true;
}
{
criteria = "AOC 24E1W1 GNSKBHA080346";
mode = "1920x1080@60.000";
position = "0,0";
status = "enable";
scale = 1.0;
adaptiveSync = true;
}
{
criteria = "LG UNKNOWN_TBD";
criteria = "AOC 16G3 1DDP7HA000348";
mode = "1920x1080@144.000";
position = "0,0";
status = "enable";
scale = 1.0;
adaptiveSync = true;
}
{
criteria = "CEX CX133 0x00000001";
mode = "1920x1200@59.972";
position = "0,1080";
scale = 1.0;
status = "enable";
}
];
}
{

6
modules/home/wayland/base/default.nix
View File

@@ -17,12 +17,8 @@ in {
dbus-hyprland-environment
wayland
hyprpicker
hyprshot
grim
slurp
satty
swappy
cliphist
wl-clipboard

6
modules/home/wayland/hyprland/config.nix
View File

@@ -89,7 +89,9 @@
new_status = master
}
gesture = 3, vertical, workspace
gestures {
workspace_swipe = off
}
exec-once = eww open bar
#exec-once = waybar
@@ -164,7 +166,7 @@
bind = SUPER SHIFT,D,exec, ~/.config/hypr/themes/apatheia/eww/launch_bar
bind = SUPER, V, exec, cliphist list | wofi -dmenu | cliphist decode | wl-copy
bind = , PRINT, exec, hyprshot -m region --raw | satty --filename - --early-exit --action-on-enter save-to-clipboard --copy-command 'wl-copy'
bind = , Print, exec, grim -g "$(slurp -d)" - | swappy -f -
bind = SUPER, L, exec, swaylock

4
modules/home/xorg/bspwm/config.nix
View File

@@ -110,7 +110,7 @@
telegram-desktop &
nextcloud &
jellyfin-mpv-shim &
#flameshot &
flameshot &
sleep 2
@@ -265,7 +265,7 @@
# Screenshots
Print
hyprshot -m region
flameshot gui
# Lock Desktop
super + l

2
modules/home/xorg/bspwm/default.nix
View File

@@ -5,7 +5,7 @@
config = lib.mkIf (config.usercfg.wm == "X11") {
xsession.windowManager.bspwm = { enable = true; };
services.sxhkd = { enable = true; };
home.packages = with pkgs; [ xrandr arandr hyprshot xtrlock i3lock ];
home.packages = with pkgs; [ xrandr arandr flameshot xtrlock i3lock ];
};
}

3
modules/nixos/gui/games/default.nix
View File

@@ -5,9 +5,6 @@ in {
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
extraCompatPackages = with pkgs; [proton-ge-bin];
};
programs.gamemode.enable = true;
};
}

2
modules/nixos/system/hw/boot/default.nix
View File

@@ -9,7 +9,7 @@ in {
};
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
efiSysMountPoint = "/boot/efi";
};
};
};

7
modules/nixos/system/hw/power/default.nix
View File

@@ -20,10 +20,11 @@
SuspendState=mem
'';
services.logind.settings.Login.HandleLidSwitch = "suspend-then-hibernate";
services.logind.lidSwitch = "suspend-then-hibernate";
# Hibernate on power button pressed
services.logind.settings.Login.HandlePowerKey = "hibernate";
services.logind.settings.Login.HandlePowerKeyLongPress = "poweroff";
services.logind.powerKey = "hibernate";
services.logind.powerKeyLongPress = "poweroff";
systemd.user.services.battery_monitor = {
wants = [ "display-manager.service" ];

7
modules/nixos/system/hw/virt/default.nix
View File

@@ -11,10 +11,9 @@
dockerSocket.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
#dnsname.enable = true;
dns_enabled = true;
#internal = true;
#name = "internal";
dnsname.enable = true;
internal = true;
name = "internal";
};
};
};

11
modules/nixos/system/network/base/default.nix
View File

@@ -4,15 +4,6 @@
useDHCP = true;
nameservers = [ "1.1.1.1" "9.9.9.9" ];
firewall = {
enable = true;
allowedUDPPorts =
(if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++
[ ];
allowedTCPPorts =
(if config.syscfg.server ? web then [ 80 443 22 ] else [ ]) ++
[ ];
};
firewall = { enable = true; };
};
}

34
modules/nixos/system/network/wireguard/default.nix
View File

@@ -1,12 +1,4 @@
{ config, lib, pkgs, ... }: let
isValidPeer = p:
(p ? syscfg.net.wg.enable) &&
(p.syscfg.net.wg.enable == true) &&
(p.syscfg.net.wg.pubkey != config.syscfg.net.wg.pubkey);
activePeers = builtins.filter isValidPeer config.syscfg.peers;
in
{
{ config, lib, ... }: {
config = lib.mkIf (config.syscfg.net.wg.enable) {
networking.wireguard = {
enable = true;
@@ -17,26 +9,14 @@ in
config.sops.secrets."${config.syscfg.hostname}_wg_priv".path;
listenPort = 1515;
mtu = 1340;
peers =
if (config.syscfg.server ? wireguard && config.syscfg.server.wireguard) then
map (p: {
name = p.syscfg.hostname;
publicKey = p.syscfg.net.wg.pubkey;
allowedIPs = [ p.syscfg.net.wg.ip4 p.syscfg.net.wg.ip6 ];
}) activePeers
else
[{
allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
endpoint = "vpn.helcel.net:1515";
publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
persistentKeepalive = 30;
}];
peers = [{
allowedIPs = [ "10.10.1.0/24" "fd10:10:10::0/64" ];
endpoint = "vpn.helcel.net:1515";
publicKey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
persistentKeepalive = 30;
}];
};
};
};
systemd.services."wireguard-wg0" = {
after = [ "network-online.target" "nss-lookup.target" ];
wants = [ "network-online.target" "nss-lookup.target" ];
};
};
}

3
modules/nixos/tools/debug/default.nix
View File

@@ -2,9 +2,6 @@
config = lib.mkIf (config.syscfg.make.develop) {
programs.adb.enable = true;
# services.udev.packages = [
# pkgs.android-udev-rules
# ];
programs.wireshark.enable = true;
environment.systemPackages = with pkgs; [ wget dconf wireshark ];

4
modules/nixos/tools/develop/default.nix
View File

@@ -6,13 +6,11 @@ let
includeEmulator = false;
};
in {
imports = [ ./ollama ];
config = lib.mkIf (config.syscfg.make.develop) {
environment.systemPackages = with pkgs;
[
# android-tools
unstable.androidStudioPackages.canary
# androidStudioPackages.canary
];
};
}

16
modules/nixos/tools/develop/ollama/default.nix
View File

@@ -1,16 +0,0 @@
{ lib, config, pkgs, ... }:
let
ollamaPkg = pkgs.ollama-rocm;
in{
config = lib.mkIf (config.syscfg.make.develop) {
services.ollama = {
enable = true;
package = ollamaPkg;
acceleration = "rocm";
loadModels = [ "deepseek-v2:lite" "qwen2.5-coder:7b" "qwen2.5-coder:1.5b" ];
syncModels = true;
};
environment.systemPackages = with pkgs; [ ollamaPkg ];
};
}

1
modules/nixos/users/default.nix
View File

@@ -22,7 +22,6 @@ in {
"docker"
"podman"
"wireshark"
"gamemode"
];
}) config.syscfg.users);
};

40
modules/server/containers/default.nix
View File

@@ -1,40 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.syscfg.server.containers;
enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
containerSetsList = lib.mapAttrsToList (name: containerCfg:
import (./defs + "/${name}.nix") {
inherit config pkgs lib containerCfg;
}
) enabledConfigs;
mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList);
allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
in
{
config = lib.mkIf ( enabledConfigs != {} ) {
virtualisation.oci-containers = {
backend = "podman";
containers = mergedContainers;
};
systemd.services.podman-gc = {
description = "Podman garbage collection";
serviceConfig.Type = "oneshot";
script = ''
${pkgs.podman}/bin/podman container prune -f
${pkgs.podman}/bin/podman image prune -f
'';
startAt = "weekly";
};
system.activationScripts.container-setup-dirs = {
deps = [ "users" "groups" ];
text = lib.concatStringsSep "\n" (map (cfg: ''
mkdir -p "${cfg.path}"
chown ${cfg.owner} "${cfg.path}"
chmod ${cfg.mode} "${cfg.path}"
'') allPathConfigs);
};
};
}

84
modules/server/containers/defs/authentik.nix
View File

@@ -1,84 +0,0 @@
{ config, containerCfg, pkgs, lib, ... }:
let
serverCfg = config.syscfg.server;
in {
paths = [{
path="${serverCfg.dataPath}/authentik/media";
owner = "1000:1000";
mode = "0755";
}{
path="${serverCfg.dataPath}/authentik/templates";
owner = "1000:1000";
mode = "0755";
}];
containers = {
auth_server = {
image = "ghcr.io/goauthentik/server:latest";
hostname = "auth_server";
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
];
environmentFiles = [
config.sops.secrets."AUTHENTIK".path
];
environment = {
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
"AUTHENTIK_EMAIL__PORT" = "587";
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
"AUTHENTIK_EMAIL__USE_TLS" = "true";
"AUTHENTIK_EMAIL__USE_SSL" = "false";
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.sso.entrypoints" = "web-secure";
"traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
"traefik.http.routers.sso.tls" = "true";
"traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
};
cmd = [ "server" ];
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
"--replace"
"--rm"
"--ip=${containerCfg.ip}"
];
ports = [
"9999:${toString containerCfg.port}"
];
};
auth_worker = {
image = "ghcr.io/goauthentik/server:latest";
hostname = "auth_worker";
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
"/var/run/docker.sock:/var/run/docker.sock"
];
environmentFiles = [
config.sops.secrets."AUTHENTIK".path
];
environment = {
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
};
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
"--replace"
"--rm"
];
cmd = [ "worker" ];
};
};
}

76
modules/server/database/default.nix
View File

@@ -1,76 +0,0 @@
{ config, lib, pkgs, ... }:
let
listNames = config.syscfg.server.db;
containerNames = lib.mapAttrsToList
(name: cfg: name)
(lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
allApps = lib.unique (listNames ++ containerNames);
in {
config = lib.mkIf ( builtins.length allApps > 0) {
services.postgresql = {
enable = true;
enableTCPIP = true; # Required to listen on network interfaces
settings = {
listen_addresses = lib.mkForce "*";
};
authentication = pkgs.lib.mkOverride 10 ''
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 10.0.0.0/8 scram-sha-256
host all all 169.254.0.0/16 scram-sha-256
'';
ensureDatabases = map (name: "${name}_db") allApps;
ensureUsers = map (name: { name = "${name}_user"; }) allApps;
};
services.postgresqlBackup = {
enable = true;
location = "/var/lib/postgresql/backups";
startAt = "*-*-* 04:00:00"; # Runs every day at 4 AM
backupAll = true; # Backs up all databases and roles
};
services.redis.servers."main" = {
enable = true;
port = 6379;
bind = "*";
settings.protected-mode = "no";
};
systemd.services.postgresql-init = {
description = "Custom Postgres Setup (Ownership & Passwords)";
after = [ "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
User = "postgres";
RemainAfterExit = true;
};
script = ''
${pkgs.coreutils}/bin/sleep 2
PSQL="${pkgs.postgresql}/bin/psql"
${lib.concatMapStringsSep "\n" (name: ''
$PSQL -tAc "ALTER DATABASE ${name}_db OWNER TO ${name}_user;"
if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
echo $PASS
if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
echo " Successfully set password for ${name}_user"
else
echo " FAILED to set password for ${name}_user"
fi
fi
'') allApps}
'';
};
};
}

16
modules/server/default.nix
View File

@@ -1,3 +1,15 @@
{ config, pkgs, lib, ... }:{
imports = [ ./containers ./database ./nftables ./openssh ./sops ];
{ config, pkgs, lib, ... }:
let
in {
imports = [ ./sops ];
environment.systemPackages = with pkgs; [ arion ];
virtualisation.arion = {
backend = "podman-socket";
projects = {
cloud.settings = import ./docker/cloud.nix { inherit config pkgs lib; };
authentik.settings =
import ./docker/authentik.nix { inherit config pkgs lib; };
};
};
}

104
modules/server/docker/authentik.nix Normal file
View File

@@ -0,0 +1,104 @@
{ config, pkgs, lib, ... }:
let serverCfg = config.syscfg.server;
in {
project.name = "authentik";
networks = {
internal = {
name = lib.mkForce "internal";
internal = true;
};
external = {
name = lib.mkForce "external";
internal = false;
};
};
services = {
auth_postgresql.service = {
image = "postgres:14-alpine";
container_name = "auth_postgresql";
restart = "unless-stopped";
networks = [ "internal" ];
volumes = [ ];
environment = {
POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD";
POSTGRES_USER = "authentik";
POSTGRES_DB = "authentik";
};
};
auth_redis.service = {
image = "redis:alpine";
container_name = "auth_redis";
restart = "unless-stopped";
networks = [ "internal" ];
volumes = [ ];
environment = { };
labels = { "traefik.enable" = "false"; };
};
auth_server.service = {
image = "ghcr.io/goauthentik/server:latest";
container_name = "auth_server";
restart = "unless-stopped";
networks = [ "internal" "external" ];
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
];
environment = {
"AUTHENTIK_REDIS__HOST" = "auth_redis";
"AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
"AUTHENTIK_POSTGRESQL__USER" = "authentik";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik";
"AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
"AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
"AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
"AUTHENTIK_EMAIL__PORT" = "587";
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
"AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
"AUTHENTIK_EMAIL__USE_TLS" = "true";
"AUTHENTIK_EMAIL__USE_SSL" = "false";
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.sso.entrypoints" = "web-secure";
"traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
"traefik.http.routers.sso.tls" = "true";
"traefik.http.services.sso.loadbalancer.server.port" = "9000";
"traefik.docker.network" = "external";
};
command = "server";
ports = [
"9999:9000" # host:container
];
};
auth_worker.service = {
image = "ghcr.io/goauthentik/server:latest";
container_name = "auth_worker";
restart = "unless-stopped";
networks = [ "internal" ];
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
"AUTHENTIK_REDIS__HOST" = "auth_redis";
"AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
"AUTHENTIK_POSTGRESQL__USER" = "authentik";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik";
"AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
"AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
};
labels = { "traefik.enable" = "false"; };
command = "worker";
user = "root";
};
};
}

0
modules/server/containers/defs/cloud.nix → modules/server/docker/cloud.nix
View File

0
modules/server/containers/defs/sample.nix → modules/server/docker/sample.nix
View File

0
modules/server/containers/defs/traefik.nix → modules/server/docker/traefik.nix
View File

47
modules/server/nftables/default.nix
View File

@@ -1,47 +0,0 @@
{ config, lib, ... }:{
config = lib.mkIf (config.syscfg.server.nftables.enable) {
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
networking.nftables.enable = true;
networking.nftables.ruleset = ''
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
}
}
table inet nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
${lib.concatMapStringsSep "\n" (rule:
let
srcInt = builtins.elemAt rule 0;
dstAddr4 = builtins.elemAt rule 1;
dstAddr6 = builtins.elemAt rule 2;
srcPort = toString (builtins.elemAt rule 3);
dstPort = toString (builtins.elemAt rule 4);
in ''
iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip to ${dstAddr4}:${dstPort}
iifname "${srcInt}" udp dport ${srcPort} counter dnat ip to ${dstAddr4}:${dstPort}
iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
''
) config.syscfg.server.nftables.ports}
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
}
}
'';
};
}

27
modules/server/openssh/default.nix
View File

@@ -1,27 +0,0 @@
{ config, lib, ... }:
let
allUsers = lib.concatMap (peer: if peer.syscfg ? users then peer.syscfg.users else []) config.syscfg.peers;
groupedUsers = lib.groupBy (u: u.username) allUsers;
allowedUsernames = map (u: u.username) config.syscfg.users;
activeUsers = lib.filterAttrs (name: _: lib.elem name allowedUsernames) groupedUsers;
in {
config = lib.mkIf (config.syscfg.server.openssh) {
services.openssh = {
enable = true;
ports = [ 422 ];
banner = "";
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
ClientAliveInterval = 60;
ClientAliveCountMax = 3;
TCPKeepAlive = true;
};
};
users.users = lib.mapAttrs (name: userList: {
openssh.authorizedKeys.keys = lib.unique (
lib.concatMap (u: if u ? pubssh then [ u.pubssh ] else []) userList
);
}) activeUsers;
};
}

22
modules/server/sops/default.nix
View File

@@ -1,16 +1,10 @@
{ config, lib, pkgs, ... }:
let
listNames = config.syscfg.server.db;
containerNames = lib.mapAttrsToList (name: cfg: name)
(lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
allApps = lib.unique (listNames ++ containerNames);
in{
config = lib.mkIf (config.syscfg.server.sops) {
sops.secrets = {
INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
} // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: {
owner = "postgres";
sopsFile = ./server.yaml;
}));
{ config, pkgs, ... }: {
sops.secrets.INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
sops.secrets."${config.syscfg.hostname}_ssh_pub" = {
mode = "0400";
owner = config.users.users.${config.syscfg.defaultUser}.name;
group = config.users.users.${config.syscfg.defaultUser}.group;
};
sops.secrets."${config.syscfg.hostname}_wg_priv" = { };
sops.secrets."${config.syscfg.hostname}_wg_pub" = { };
}

81
modules/server/sops/server.yaml
View File

@@ -1,47 +1,68 @@
INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rzc3ak4vRVZiNWxNZEN3
N21rSjZqUm9XVWF5TUxNTXVybEMzNCtod0NnClNjODB6VWhzU1VHeVdlZ3hEaE5D
MW9WWWYvYmt5TmNzMzNudDhLSW12RnMKLS0tIDdjc2ZOK3QxaTFJMFdpTHFzcklr
clZnQXpPbWs5aXZJeUlxOWhJNmIrOFkKZfZ19Y4yfCJi1GrxLsv76JyBmuxW/glF
BCJCvmdSSOJx5JW26Y3Y3LwiIuL8yboKR+8ZAwU2fG5OQfs+2czFdQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZk1VY3NEZmRkS0J6dU03
OUtETWpHL2hLN09kRytNUEhmVnA5WW9yVXlNCmZaZnQ2YUlMMmlrZ2dEZDVFMHA5
OUpqOTJJbHVVREtpSFUyaDJDbXltaTgKLS0tIFY0ZkF3Ym5oeHViN3J4eW4vSVYz
QkhuU0NLWElyVXpZd2ZpOHhwam04R28KFuaI35e8pB25M2dlP19gApso12ZYJ3ld
BpMnp97ShX0I8bZRIYxSHpSrB/J+tt1V4pfGdJq7uWZM7XacPy666A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
- recipient: age1ms8f0ysv6vakxepvt69fejczs6tddexepesdv4rkgtheehj3nu4sc6290s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cEpsb2gvbDJ0aG5BRWNS
WXgydFo3ZkF3SmVIU1EvaHVjb3RvK3BxVDJrCis2ME9zUEVGQURFdmJXS2lTSklk
V3ZONHpTZVJqMUxOVkd5ZDlqVTRNdzgKLS0tIGwwR0k1Vll6bEdmZVZvVktzMTRN
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuZXNjRzJsdFpTdDZhSkRB
eW1qSStnZHN5Tzh3bFA1azZIRk42V1RzSTJJCi9MV0k5ZXNQOWJFYnlXdnB3azBL
NzNldkFLWlEyT01MeWlFU3RKODU4dWcKLS0tIFJXL1ZsNDgydTgxVGRMYWxyQTNT
K1M0TDd1eGd1V3pOcjl1M1VrdDUvbG8KpsWlrr14MOh/8mG+rXpswPPFE3VnpKGt
03DWUII3+MMEWLJPLxkNJ9BzCm4Kl1QNHSbJ7Ex6df0b7nB6Ed6Hvw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-06T01:10:20Z"
mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str]
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5U1VjTjlIMTdLRFQ5R1Av
SVBLMFZtV3ppK2VXWjdYelNGTGFOZUJaMndBCjYyZ0IveXFiVDlSUEtNOXk2L3g3
UmFIRE1GMEs2QVhUcFJkTHpCWmhhbG8KLS0tIG94NStMUnFZRTRsK2w4cDd4Rms5
M1MwTEtJNEFDdjRLVFRseThxNGJUQ0kKKN7QX9qUojNQBknbInaXslaKsAAhEj5y
QMXAU6TxlHMv+wZy2RQwMe/zE7RP24TypnX894iV0usTHujyxvfk3w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUHFYMWdVczRPdEFSbFR5
VmcxeEU4YWxwRTlDUkRkNVY0dFh5cjVUNjNnCkRSblNaS214dkdrd3JnNE5rZnR3
S0JVeXova1h2VnB2ODY0SUYxZm45TjAKLS0tIFN1QXFyTkt3SmV0UVhGMlMxTmpN
VW83cnd2TnQwWlVCUnpzZ29NRE1SekUKBGVCaijugxR6eSxvk19nncR9X6bmSSUq
VoxtHBkJbz/4mcQ/SUb4Wv1Rt5875tLWygS7qKmh8jzoP7JI4E9qWQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-08T16:05:46Z"
mac: ENC[AES256_GCM,data:X6AUVWJRcwH45W9NoQxI8Lp6l+5RFpgCNB6cdUZZODHDdTUMt9a6wr9YfU56C7QkdlxXdj6xCOCscJtw/WY2Y+XchWXaUVZZsoZ9xUo28aksUtHSyE9WJBHCeSqss79IW6k/GeDPiDOfz4om+udDvtdpyKbtvbw2a+K5st+62d4=,iv:REGTavU8DkalUbfO1J2+VccYnRRrOqstSFq/RU7Co5Q=,tag:2t8mwqa76kVQyeWS85zXsA==,type:str]
pgp:
- created_at: "2026-05-05T23:46:27Z"
- created_at: "2024-05-08T15:46:52Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6R3Y9nD7qMBAQ/+JdTDmQhL1+iX7yeyGs1kt9yQeMYkJ+bQD3LqlQVh6Xea
yPIdcMBjAf1CNlkJKeJ4QK3f8rsZkxHmUFVDz7yCXctsp81hNBMZ0sauBM50OU4W
gQsDailZHgG5qCqKx91qSyVLtzVy4zcoTXy8TWLrSwztCt9qqX9LFZTKyZzNTiHW
DHYSwaJdTteXY89pZjPAQ6UtIdoVWaVfvCgaSZAxr3K8IJmobvMhhk/Fgm3CoE6Y
mfQd4lQhoqxrn2M/FKc30vg0yKVsiW3qlfnJCVHCxYUtQLVs3cF05lmj7CYy+0Mu
7eZlfVj84hCLmd4ccOITkrOTqcBKWKQ5EpE8DGvWlLPEZt407MjaphEJ7dYhkfr/
x4HrahZoeVbYX2Va0++picut+cE/NL9F/QMfqP4QhdHQhe74FlQcxpGDtcUIQep5
8MvbEAhUpGL4sErg6afmIapxXi3euIXcBDYPatgoAlsH7E8rUTX1Sd4VOgV89kEJ
pkl4OOwcaiF+brqtDiTGZf5l6AOugiYTp2Rtq9KMcGEGEmXFLcFKVjNEkZIxNxt3
EtrXrNmOCVJm71yOn2ruD9n2EXzFULfeyOhup7eYVfynkEWYlCQNHeaqMy2q656m
LWVd89AUzWLcsmY8naWpfekU9K//hLHxRLBzqfouYXJ+Ji/HOvfRj7NZBg6UtgfS
XgFOJg3EaLAZEyvEZKWpnWlf3gBTRK3ffaLzs+eddSgzYUutzlOYUZb7v3iEdjta
4Ik4F1M+kOGieyVxxLHOHMrOn09+WMmFIiPpBtCIcZmtwOzXNdhbZdFWNx5qPhU=
=wXdG
hQIMA6R3Y9nD7qMBAQ//bYK5gdxv8fNvG6P4GrD27gQRQXhLGF2+hS54sqEqjeN8
NZpHVbNNRR3AggOkT7QY1JO8bOhWscefH1vvBmBuODzh5Fw42t4zNPEDjWZEetxa
rClbLEvo7Kz8UKCNb9JIeYx7cr8sPWCmg4GvV1wGjhjr+u5ovuheORnHl+qoLsqv
P12PV7VzwC52v92GWiu9LRJqfqZra5GjUXGVXzBcZ9i6CnUDejzssWjhO/fmzKum
GbGIi9sf3RmVYsUASDgRBmVAZC3KF7RLi0L6WY0etRocAaWSAgnU1lZ04E8ZtLjk
DlCtIpreJ1H0Ym+5EXB94PG0KZjayxKc20YDQ+yYwwSmiCVaUCLlYX2BOoncUYFF
MxVgWYwn14R5jyGbh4NyiBxPGHvIUx5RCIo70pMgS6W5ALZYTcNDLF82mj1xTOTy
bcuaa7FCuXJif457LCe5TcAa5WYDgKX8pUKzFRhWIckcGwgFCUB0Z7+L9L7F0yt/
YZd71cY0Lxlwi61CnWgZZMx2FFpHyBCEmF1A180KUtB1jSkS/AVmlM2z9I0QsR62
fTFIaqimPMjUzbuTs0QjUXf8OJZo0/cwo9XeGyCBtJTg7cLdsOFouqfvXhvkdCrR
xCLE2Ke5jwmoPKs1t+YpwMMzB57j/rluZCgiz45w7YDXKf4gEp2ra9siFiC/y9PS
XgEPymUiDZY0w9S5oGr94cNc6LQId16Zgt1vWHLzgg8QZqkxLTBjUXXc7aoCISQp
AwUE62KJucVvWjB3kcgDbNvaDWWC5O48zUavmzkmmP1sqKf0gO/XG52PDG/DF3Y=
=cs0r
-----END PGP MESSAGE-----
fp: 4E241635F8EDD2919D2FB44CA362EA0491E2EEA0
unencrypted_suffix: _unencrypted
version: 3.12.1
version: 3.8.1

115
modules/shared/sops/common.yaml
View File

File diff suppressed because one or more lines are too long

28
modules/shared/sops/default.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, pkgs, ... }:
let
isCI = builtins.elem config.syscfg.hostname [ "ci" "sandbox" ];
keyFilePath = (if isCI then
@@ -14,15 +14,19 @@ in {
sops.age.keyFile = keyFilePath;
sops.age.generateKey = true;
sops.secrets = lib.mkMerge [
{
wifi = { };
"${config.syscfg.hostname}_ssh_priv" = {
mode = "0400";
owner = config.users.users.${config.syscfg.defaultUser}.name;
group = config.users.users.${config.syscfg.defaultUser}.group;
};
"${config.syscfg.hostname}_wg_priv" = { };
}
];
sops.secrets.wifi = { };
sops.secrets."${config.syscfg.hostname}_ssh_priv" = {
mode = "0400";
owner = config.users.users.${config.syscfg.defaultUser}.name;
group = config.users.users.${config.syscfg.defaultUser}.group;
};
sops.secrets."${config.syscfg.hostname}_ssh_pub" = {
mode = "0400";
owner = config.users.users.${config.syscfg.defaultUser}.name;
group = config.users.users.${config.syscfg.defaultUser}.group;
};
sops.secrets."${config.syscfg.hostname}_wg_priv" = { };
sops.secrets."${config.syscfg.hostname}_wg_pub" = { };
}

50
modules/shared/sops/mock.yaml
View File

@@ -1,34 +1,30 @@
ci_ssh_priv: ENC[AES256_GCM,data:OuWZVS+ul8ERoQHEH8Gq6GdHWY5E3spR0uRu7akTVHrr6vYPWZHdV/8fjqKvfHd+dAeymWXe2Li7NXfXQM+y4OH36r1z9DLstwD4ufUmoHZ/MIO6qlsugzYhMw==,iv:NbLyzilDIH5cT3SC0SLaOn0alxXSIyZ/4Tr1zSBjIjI=,tag:uOzoai0Rq6UthSkWHhw8Hg==,type:str]
ci_ssh_pub: ENC[AES256_GCM,data:Lu2Ec+HylJzt/IMu1b8AKgGsjpZT7X628pjOYQ==,iv:VZOA/Q9zmbMnf9DsXN90er+tSnJ+syg3QabDuDal92Q=,tag:lef6MRtvgyntMrxphatqmg==,type:str]
ci_wg_priv: ENC[AES256_GCM,data:IoCn7jrahiJBhKxPuGyexg==,iv:uHbrAq/mSQ6TtMqGhJez3d13u9ZK1S92w49ntXvbA3g=,tag:QrZghdiQbmC9pcjKtIuKug==,type:str]
ci_wg_pub: ENC[AES256_GCM,data:FB+DBkwDizA3C/s1TCkn,iv:GD3xmJEyD9yZaV72GubGCBi8BW74zmSr2hOl123g0mM=,tag:v189CtpJV7OX0sB9OJaWLA==,type:str]
sandbox_ssh_priv: ENC[AES256_GCM,data:Wj/M/0VEfY7Ruix7nwi09obpX+w6G+gfGK4ZFTKkbpEEM2JyFnRHhWYQiBvBQOXahTGQ+zAnibCNcHSTCBa66XjMhtY865Hs6FovVCfgx0awTZcns26w5vqJdg==,iv:2NbVjpKTyyiY4rtC/A6s2nABo5p0VAWtzC6b6TrHkvI=,tag:CVi4i9MNi/cU64cn9s0DRA==,type:str]
sandbox_ssh_pub: ENC[AES256_GCM,data:xbcGusta4qBO0hfmks+VCpN8N4dd/qGkGNREACVKxuSF,iv:/QMFyKaa3nOq1GrLNydq+Q8kS52fK6wsB3MioZN/qVM=,tag:WTZ2wlfBMmANw6EEWl5jew==,type:str]
sandbox_wg_priv: ENC[AES256_GCM,data:4trdnPhgjlUChATnNx9o3Q==,iv:3efDzVFVCqv6yCNgBEXfQ19oh2bZLPO8my33uBgviW0=,tag:Io1obSodHW/RWWIg8VS8Zg==,type:str]
sandbox_wg_pub: ENC[AES256_GCM,data:7L4SJdDMi5DZHpLfR6cs,iv:UULKRJvU0lktwmKGcIP/sRAZb0j2e0iL40o3DkSv/+U=,tag:irsolwnnfOjhYfiyanjxjw==,type:str]
PGP_KEY: ENC[AES256_GCM,data:lwwHWksY+ea8D3z9,iv:/tOEukP7LiNhhdSw870vPeUGhN2lse2v1pZ5fJQglc0=,tag:225sf9GjXc8/NZgcXJIxZA==,type:str]
wifi: ENC[AES256_GCM,data:Z+pbGAekk26GD3zg4TXVacP4Nrh93HPEMNcT0I1YaA==,iv:oiWZvnKvWmF/6cRZpCLsuf1uPJig6toNla5uT3t2kyM=,tag:iS3sq8JZsNUby9pSxYPw5g==,type:str]
ci_ssh_priv: ENC[AES256_GCM,data:3Fd7HtFzD+0Pm0qnmaNeivSrEJnH6A3CzLrSyYD4J1rpdHCYdFB2hbZAB5HF3yeCMlyqnApGHxi+9jN8FI54SzwqJQAgSZvKrkBhrs4JIQxPU0ZhOQHvneWYnA==,iv:NbLyzilDIH5cT3SC0SLaOn0alxXSIyZ/4Tr1zSBjIjI=,tag:xGfI8QRlkj4OZDVuV21Kcg==,type:str]
ci_ssh_pub: ENC[AES256_GCM,data:6BVY3GS9lMLR/dYNxyldcBJe1DrjG/yHjqfCIw==,iv:VZOA/Q9zmbMnf9DsXN90er+tSnJ+syg3QabDuDal92Q=,tag:+xwHADgq22cV5ai9xd6ceQ==,type:str]
ci_wg_priv: ENC[AES256_GCM,data:uA4eiEhQbbhLkrTyhRX4Tg==,iv:uHbrAq/mSQ6TtMqGhJez3d13u9ZK1S92w49ntXvbA3g=,tag:KwjiYrnuQxrydVKKV4xN4A==,type:str]
ci_wg_pub: ENC[AES256_GCM,data:MBIdTEkyJBvbTtYrQYS8,iv:GD3xmJEyD9yZaV72GubGCBi8BW74zmSr2hOl123g0mM=,tag:ekUniuYPCSxwlmB1yUbo4w==,type:str]
sandbox_ssh_priv: ENC[AES256_GCM,data:OG5ZsSQFEbUKLXtHF9MAHWYwnxBM0EyVyj54sPs9XEsFaRXq3WDa+ANnpVqBLtw6cPodLQHyJ5tY/Hr1rdINNGyLPEz/Zm3K7vz6iXUeThAKDhYaCH4vccFFtQ==,iv:2NbVjpKTyyiY4rtC/A6s2nABo5p0VAWtzC6b6TrHkvI=,tag:sO+SUMws8HncC9dmeiJPSg==,type:str]
sandbox_ssh_pub: ENC[AES256_GCM,data:6bwJAmLuN0dhC8OiBW8qL2Ejt70a2ar02YTAqimnhcez,iv:/QMFyKaa3nOq1GrLNydq+Q8kS52fK6wsB3MioZN/qVM=,tag:XxcTX/REbHl5MKtRecjM2g==,type:str]
sandbox_wg_priv: ENC[AES256_GCM,data:8d+WCtyGoEH3/4q1DZImUw==,iv:3efDzVFVCqv6yCNgBEXfQ19oh2bZLPO8my33uBgviW0=,tag:+WNPB7b6tVTzDlSVziDO2w==,type:str]
sandbox_wg_pub: ENC[AES256_GCM,data:rpxkijFKzyKx3uhEa/+j,iv:UULKRJvU0lktwmKGcIP/sRAZb0j2e0iL40o3DkSv/+U=,tag:OWHbfFPbTY6l3Bu/og78Bg==,type:str]
PGP_KEY: ENC[AES256_GCM,data:IVhL/l0JSPcefX1z,iv:/tOEukP7LiNhhdSw870vPeUGhN2lse2v1pZ5fJQglc0=,tag:++NUJeRhsDE9eRsbKu8Ldw==,type:str]
wifi: ENC[AES256_GCM,data:SV3yNB/0dBqggh0kOKU98Nodd0VS4K8kTqg7aLyeAg==,iv:w4nspNxswHl2CZ7diPUzupzotfjskzp91NIq4f0v0UM=,tag:7nUHijRlEgyliWn2ZuZo/Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age13qv9dn9806paqgpjwmmkwtdzvv4qpv0ulksq0epnn8ufaxeug5zskyas3z
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbHNVZjRzQi9ram1xNHk3
d3pTTStiMjBLZHgwL0cvUGRwRFFzWi9HS2dvCkQ0ZU5UK1owS0N5MHhxOXV1cGVy
RnFQbGlhVy9tSVZKYXBqbzZjZU9nd3cKLS0tIDdXdm1qVTYvdS9sQ0Z0aExpTzB1
WkNsWVpqaHRSWkl6YXVrN0NoemhiS1EKoDRocdztTLQ5LMwHdlszTFHy+rm+y4RE
f97a6Z2J87ZfObRbaap5adVD7qk/tTYHGshT/8G1JxjctsxRgdfsmA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZd0c5ZjZCb0Z6ZXlKaFph
S25LcnFaM3NueUdxOEkwQWRVYjZwNEx1TnpVCkJ1RnJsV2IwNWd5RVJBU2pOUnRa
UEcrdDVHUnZ3Zng4UVNWZjNhSzRmRGcKLS0tIEpMMGJCZmkrcnFwWjM4ZVF6VmJN
aFplU05pYXpPQWZRY202bVhFd3pHdHcKfauUQhzuUwpoaSlky+PlsOTrVQjyCSxi
NYlJ7ScbxzJsqTqJbZnD+lbSdWK2XVKXy1Vn4hR0C0WF7g2Y7CU7tg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pf4auk6u2tmefuqpuc6mntr26cp4wcsmlhnn98arzxsp3753ruqsj0jqk3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSHBpZGg0TlVtMFhjY2Ry
NzUrd1pPZFZNdFdLSUxrUUROaVNCTzdGR0hrCkVGUmpGemtFSDErRDArS0Y0WGZu
YkYzL2NGMTlnNW1NdStHOGpRN3A1VXcKLS0tIGs0MDIxTmpzSGtRWHZESFhNWXlS
Y3N0a2VPUHdoRlpUZ3BPVXROdDRHekEK2YN9ZgCaBPt/8kAkZNgsHp61SYqiFFXX
2lF0R1GNmYWm6T0YVCp/2ZN3z4GC+monctg1zoo5QsHfhIOpqIVoTA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-06T13:37:03Z"
mac: ENC[AES256_GCM,data:uI9yG3/jGNGn6yoN9W+9K/AUeSowe4Mb9vhh38pwkuKab9zXTFidCWyh1e0TEOsIHrhfK2GPc2fHwc309/la+CoiNxAIYtC4xmoCYxSGrDgbsZEONrusy9AEKpRCO8CqLYyLYaAG9sLqFyIz3GyEnS/j98V3LeemhFtS17J1VHI=,iv:x/7caaKnggoyEaCx5sf+zzSE+3d7atv+o9B1O3QX0Uc=,tag:Tzfs+ACx+4A6kxAZtVQ3KQ==,type:str]
lastmodified: "2024-04-14T21:03:55Z"
mac: ENC[AES256_GCM,data:W9kM3AaHcZcqVtT4qRpMRYKgmA9pBikAPhdKiPR/Y+0MSjY4c9LPeTBeS1vZzUaTgRHmNh/ns6I9SBO36Hio5qI6m/pjNdr9GfFbBpbnY+5mer6YTitq47TVySC9v+BRkES4A34h1Ky5yvJSDlz2kJfO/WVWllaQd0dxq8rgAU8=,iv:cRxgGKhD6KqXKpK4E12lWIIj99hBFSmGzSIv9LmYEyg=,tag:QXcswnB7GavGrBy1dFpQlQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.8.1

79
modules/shared/syscfg/default.nix
View File

@@ -1,21 +1,15 @@
{ inputs, lib, ... }:
let
systemsDir = ../../../systems;
systemNames = lib.attrNames (lib.filterAttrs
(name: type: type == "directory" && builtins.pathExists (systemsDir + "/${name}/cfg.nix"))
(builtins.readDir systemsDir));
userOpt = with lib; {
username = mkOption { type = types.str; };
pubssh = mkOption { type = types.str; default=""; };
wm = mkOption {
type = types.enum [ "Wayland" "X11" "-" ];
default = "-";
};
git = {
username = mkOption { type = types.str; default = "Anonymous";};
email = mkOption { type = types.str; default = "anonymous@domain"; };
key = mkOption { type = types.nullOr types.str; default=null; };
username = mkOption { type = types.str; };
email = mkOption { type = types.str; };
key = mkOption { type = types.str; };
};
};
netOpt = with lib; {
@@ -48,10 +42,6 @@ let
type = types.str;
default = "";
};
pubkey = mkOption {
type = types.str;
default = "";
};
};
};
makeOpt = with lib; {
@@ -65,7 +55,7 @@ let
};
virt = mkOption {
type = types.bool;
default = false;
default = true;
};
power = mkOption {
type = types.bool;
@@ -94,6 +84,7 @@ let
type = types.str;
default = "3306";
};
configPath = mkOption {
type = types.str;
default = "/media/config";
@@ -102,59 +93,6 @@ let
type = types.str;
default = "/media/data";
};
containers = mkOption {
type = types.attrsOf (types.submodule {
options = {
enable = mkOption { type = types.bool;default = false; };
db = mkOption { type = types.bool;default = false; };
ip = mkOption { type = types.str; };
port = mkOption { type = types.port; };
extraParam = mkOption { type = types.str; default = ""; };
};
});
default = {};
};
sops = mkOption {
type = types.bool;
default = false;
};
openssh = mkOption {
type = types.bool;
default = false;
};
wireguard = mkOption {
type = types.bool;
default = false;
};
web = mkOption {
type = types.bool;
default = false;
};
nftables = {
enable = mkOption {
type = types.bool;
default = false;
};
ifs = mkOption {
type = types.listOf types.str;
default = [ ];
};
ports = mkOption {
type = types.listOf (types.listOf (types.oneOf [ types.str types.int ]));
default = [];
description = "Forwarding rules: [ [srcInterface dstAddr srcPort dstPort] ... ]";
example = [
[ "ens3" "10.10.1.2" "IPV6" 22 2222 ]
[ "ens3" "10.10.1.2" "IPV6" 80 80 ]
[ "ens3" "10.10.1.2" "IPV6" 443 443 ]
];
};
};
db = mkOption {
type = types.listOf (types.str);
default = [ ];
};
};
in with lib; {
@@ -176,15 +114,12 @@ in with lib; {
type = types.listOf (types.submodule { options = userOpt; });
default = [ ];
};
peers = mkOption {
default = map (name: import (systemsDir + "/${name}/cfg.nix")) systemNames;
};
server = mkOption {
type = types.oneOf [
types.bool
(types.attrs)
(types.submodule { options = serverOpt; })
];
default = false;
default = { };
};
};
}

12
overlays/default.nix
View File

@@ -1,15 +1,13 @@
{ inputs, pkgs, ... }:
[
(final: prev: {
#openttd-jgrpp = import ./openttd-jgrpp { inherit final prev; };
#yarn-berry = import ./yarn-berry { inherit final prev; };
#eww = import ./eww { inherit final prev; };
#bambu-studio = import ./bambu-studio { inherit final prev; };
openttd-jgrpp = import ./openttd-jgrpp { inherit final prev; };
yarn-berry = import ./yarn-berry { inherit final prev; };
eww = import ./eww { inherit final prev; };
bambu-studio = import ./bambu-studio { inherit final prev; };
wine = final.unstable.wineWow64Packages.unstableFull;
unstable = import inputs.nixUnstable {
system = final.stdenv.hostPlatform.system;
stdenv.hostPlatform.system = final.stdenv.hostPlatform.system;
system = final.system;
config.allowUnfree = true;
};
})

5
shells/devsh/default.nix
View File

@@ -16,7 +16,10 @@ pkgs.mkShell {
yarn-berry
crystal
shards
(with python313Packages; [ pip pandas numpy matplotlib typer pillow reportlab python-barcode pypdf markdown requests ])
python311Full
virtualenv
(with python311Packages; [ pip ])
pipenv
scala
sbt
cargo

2
systems/asguard/cfg.nix
View File

@@ -1,6 +1,6 @@
{
syscfg = {
hostname = "asgard";
hostname = "asguard";
defaultUser = "sora";
type = "macos";
system = "x86_64-darwin";

19
systems/avalon/cfg.nix
View File

@@ -23,16 +23,21 @@
}
];
make = {
gui = false;
cli = true;
virt = true;
power = false;
game = false;
develop = false;
};
net = {
wg = {
enable = true;
ip4 = "10.10.1.2/32";
ip6 = "fd10:10:10::2/128";
pubkey = "QlvpTiK6s/lIha9vKmo+teSy2Nw52qWLYatYjxVan3U=";
};
wlp = {
enable = false;
nif = "";
};
wg = {
enable = true;
ip4 = "10.10.1.2/32";
ip6 = "fd10:10:10::2/128";
};
};
}

14
systems/avalon/server/docker/secrets.txt
View File

@@ -1,14 +0,0 @@
AUTHENTIK_DB_PASSWORD=NTQRO0rhPCd4L3HLNK4AT09Npz+ks1jyRC6AOyo5u+k=
AUTHENTIK_SECRET_KEY=9Zw8Sy8257iJmRdBhUKGiq3d7uYAkhC9smuDUClE8aR1iPdpHHds+K2D1Zy3lwj2Hjnasu5jnopkhwnABWDu8A==
AUTHENTIK_EMAIL_PASSWORD=w+g:cPU+e.<q,f<mj3DFPxXxo4h2SVS9.;,T<!Sra>y!mNcAsiAp4jPCLTmjte2d
ETHERPAD_DB_PASSWORD=d43352c3906516bf4c34d63316509cb4b1621167af84c81b60689779a62b2348
ETHERPAD_ADMIN_PASSWORD=Hackme55#
COLLABORA_USER=...
COLLABORA_PASSWORD=...

11
systems/ci/cfg.nix
View File

@@ -21,5 +21,16 @@
game = true;
develop = true;
};
net = {
wlp = {
enable = false;
nif = "NA";
};
wg = {
enable = false;
ip4 = "";
ip6 = "";
};
};
};
}

2
systems/ci/hardware.nix
View File

@@ -8,7 +8,7 @@
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "v4l2loopback" ];
boot.extraModulePackages = with config.boot.kernelPackages;
[ v4l2loopback ];
[ v4l2loopback.out ];
fileSystems."/" = {
device = "NA";

44
systems/gateway/cfg.nix
View File

@@ -1,44 +0,0 @@
{
syscfg = {
hostname = "gateway";
type = "nixos";
system = "x86_64-linux";
defaultUser = "sora";
users = [{
username = "sora";
pubssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrrUB0KBjeAKPVG2Bdcm4mI9AMab7y97SOCdEHGogYv sora@gateway";
wm = "-";
git = {
email = "soraefir+git@helcel";
username = "soraefir";
key = "4E241635F8EDD2919D2FB44CA362EA0491E2EEA0";
};
}];
make = {
cli = true;
};
net = {
wg = {
enable = true;
ip4 = "10.10.1.1/32";
ip6 = "fd10:10:10::1/128";
pubkey = "NFBJvYXZC+bd62jhrKnM7/pugidWhgR6+C5qIiUiq3Q=";
};
};
server = {
openssh = true;
wireguard = true;
web = true;
nftables = {
enable = true;
ifs = ["ens3" "wg0" ];
ports = [
[ "ens3" "10.10.1.2" "fd10:10:10::2" 22 2222 ] # SSH/GIT
[ "ens3" "10.10.1.2" "fd10:10:10::2" 80 80 ] # HTTP
[ "ens3" "10.10.1.2" "fd10:10:10::2" 443 443 ] # HTTPS
[ "ens3" "10.10.1.2" "fd10:10:10::2" 3979 3979 ] # OTTD
];
};
};
};
}

20
systems/gateway/default.nix
View File

@@ -1,20 +0,0 @@
{ config, lib, inputs, ... }: {
imports = [ ./hardware.nix ../../modules/server ];
system.autoUpgrade = {
enable = true;
flake = "git+https://git.helcel.net/sora/nixconfig";
flags = [
"--no-write-lock-file"
];
dates = "04:00";
randomizedDelaySec = "30min";
allowReboot = false;
};
networking.extraHosts = ''
10.10.1.2 git.helcel.net
10.10.1.2 avalon.helcel.net
'';
}

27
systems/gateway/hardware.nix
View File

@@ -1,27 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }: {
imports = [ (modulesPath + "/profiles/qemu-guest.nix" ) ];
boot.kernelPackages = pkgs.linuxPackages_latest;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
device = "/dev/sda";
efiSupport = true;
};
boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/25df457a-21d0-41ab-9de5-88ffc00e3469";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/F24E-74FA";
fsType = "vfat";
options = [ "defaults" ];
};
}

3
systems/iriy/cfg.nix
View File

@@ -6,7 +6,6 @@
defaultUser = "sora";
users = [{
username = "sora";
pubssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGtotfQkclilrhEOzY3QUpOwYF+eOjHvqN6Of3NVg4x8NQLjx/X/gxC+GAllQxy9Zkz/N5wY0Fa4/6HoGheCRvWaN/nofz95VgtX8a1A/flrT8CGdBfRqXlcd4OEXhpFcbEm9VRXmxSKnsD4zySZr/151S+1PlQr8pJ1yyzxsIQx+RNo9P4gzpoJgkfZ3JIqLWb6B4aXallAg9Ha1WX0lx24voWNgg9AQt6/lccfmeoWAzBGUNq5a/mH59O+UCIM2y19ksEweY6URHpk6Ss597zp+0j2NYg8MS4rToYUb0Y7giNNBdKAzqNd+Wp6gjqBthuDIOfsXM082O5IarPKPJNVbx/Xpf3m1hYtxfL+LhEkdoE94iue601WqTltC0btS63LeZuoAZYji/GG/D8U7V77Lh3MV5/hJm5sK6wM6r7fCoenehgiy49z00NqtgM33rWNrpL9eXNKb//5Lxe7U58jPyteWpsL8+fJFcs/2uh4D5zN3d/I+yLZ1OMgUN6LM= sora@iriy";
wm = "Wayland";
git = {
email = "soraefir+git@helcel";
@@ -18,6 +17,7 @@
gui = true;
cli = true;
virt = true;
power = false;
game = true;
develop = true;
};
@@ -31,7 +31,6 @@
enable = true;
ip4 = "10.10.1.7/32";
ip6 = "fd10:10:10::7/128";
pubkey = "6d1bINFmH12ACAJLDOwfFIZgmNHV/FGGk0YJyDP50HQ=";
};
};
};

7
systems/iriy/hardware.nix
View File

@@ -7,10 +7,7 @@
boot.kernelModules = [ "v4l2loopback" "kvm-amd" ];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.extraModulePackages = with config.boot.kernelPackages;
[ v4l2loopback ];
boot.extraModprobeConfig = ''
options v4l2loopback devices=1 video_nr=1 card_label="VCam" exclusive_caps=1
'';
[ v4l2loopback.out ];
boot.loader.systemd-boot.extraEntries = {
"00-windows.conf" = ''
@@ -24,7 +21,7 @@
fsType = "ext4";
};
fileSystems."/boot" = {
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/349E-5086";
fsType = "vfat";
};

32
systems/sandbox/cfg.nix
View File

@@ -6,7 +6,6 @@
defaultUser = "sora";
users = [{
username = "sora";
pubssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrrUB0KBjeAKPVG2Bdcm4mI9AMab7y97SOCdEHGogYv sora@gateway";
wm = "-";
git = {
email = "soraefir+git@helcel";
@@ -15,30 +14,27 @@
};
}];
make = {
gui = false;
cli = true;
virt = true;
power = false;
game = false;
develop = false;
};
net = {
wlp = { enable = false; };
wg = { enable = false; };
};
server = {
openssh = true;
web = true;
sops = true;
hostDomain = "test.helcel.net";
shortName = "testcel";
mailDomain = "test@helcel";
mailServer = "infomaniak.ch";
mailDomain = "mail.helcel.net";
mailServer = "mail.helcel.net";
dbHost = "localhost";
containers = {
#cloud = {enable = true;};
authentik = {
enable = true;
db = true;
ip = "10.88.0.125";
port = 9000 ;
};
};
dbPort = "3306";
configPath = "/home/media/config";
dataPath = "/home/media/data";
};
};
}

5
systems/sandbox/default.nix
View File

@@ -1,4 +1,9 @@
{ config, inputs, ... }: {
imports = [ ./hardware.nix ../../modules/server ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0GpKd62XMlO410/iYkNG8MHdGGaeMG3Gmsf3Pv3u2BllUzR9Dpym1ZOz2lwo3iK0FimcQpOiJqSIahO59HJl8jQ9BoQrJMXH7l2kuq1T09cMNWGjlzowg0LWKWOzoBzOwcheyW68OJGgkSfvk9BdshkUYTLVBXjiI9jo/8Qkcv1WLJJvJmDBDwnbYDQpODXCEDQ/t3YVubb+ocLmh40sDUffJLWZQXN6OFW9N5XxnvY7K5x9ci9GU4Reei40K8yDw2Hgi0njzijRdzie3MJlKPPawJ2TATu9LsGuxfx8bJXVx+mNxP0lhO8dOOhP7p0ozTxlJJY9ZWaKgOz3SzYNCgJ1gH7NtTBtSruXd6pfmErUmuJEAeMD6+QF3yJ5tnVFNPoSHqjP+oL3CgSRpmuvn7ChSSI3J3UVhLux165VtwIL7UhosO2mCqmn0Yk2mSBkB/L4ZiWFmO3vYdagYNQX7xZHzCJ5my8vomiT+DUGb2h/o1NetKwIZJiFAuHxKt3k= sora@valinor"
];
}

21
systems/sandbox/hardware.nix
View File

@@ -1,27 +1,14 @@
{ config, lib, pkgs, modulesPath, ... }: {
imports = [ (modulesPath + "/profiles/qemu-guest.nix" ) ];
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.kernelPackages = pkgs.linuxPackages_latest;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
device = "/dev/sda";
#efiSupport = true;
};
boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/abc944c6-484a-4abe-a675-906e3781d71f";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/C555-300B";
fsType = "vfat";
options = [ "defaults" ];
device = "/dev/sda3";
fsType = "btrfs";
};
}

2
systems/valinor/cfg.nix
View File

@@ -6,7 +6,6 @@
defaultUser = "sora";
users = [{
username = "sora";
pubssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCZibVYTvS4Dd+ZhGCpRpKfxs1fQeepNTzfzYk9I12Hyez25pQCeH+6ArrVhf6yX5Na1ffkvqTrNIDYJ1V2GHhemX0ruYp2B3xt229JszI7DeRC7YeG7v5uvsfTgicADCstGPSNorKXuNnHuBebSHpmWWbuKrYZdmcA/Az7H8uwF5+VQrnyASgZgwGV94MHinFVWsisB7o6iq4qxqpsUdtuZGbU0stDE5f9DLMDYuUxtx+jASRt+X60Bzjv3OFjU/b/YYzojTtuujkYXunNNTceCB4DTue5YMKQOlmd/IezL5nPAK9IsonPqojX9LPk2RvTCr4qalQ6AD92nq+xMW6FY1uJaKT81S8TvZcaqTm4FhEDkChuFq77biSUDhQkpcdNVOjUn5OtKpYl+0VkCaAx/8uyoylBacrn1XXLLg+gjwGCFHa2eeNu/BKIUa+5EK/FRwLpnEoPDkAHQ95JXQewChcUKG8A+Bz29XRKr9J64kbbGmwa+yjlVTPLSE6ZZE= sora@valinor";
wm = "Wayland";
git = {
email = "soraefir+git@helcel";
@@ -32,7 +31,6 @@
enable = true;
ip4 = "10.10.1.5/32";
ip6 = "fd10:10:10::5/128";
pubkey = "EUYd/dMdGcbxiWJXHhQhCXV00cr87pxiW1HExwCTGg0=";
};
};
};

7
systems/valinor/hardware.nix
View File

@@ -7,17 +7,14 @@
boot.kernelModules = [ "v4l2loopback" "kvm-amd" ];
#boot.kernelPackages = pkgs.linuxPackages_latest;
boot.extraModulePackages = with config.boot.kernelPackages;
[ v4l2loopback ];
boot.extraModprobeConfig = ''
options v4l2loopback devices=1 video_nr=1 card_label="VCam" exclusive_caps=1
'';
[ v4l2loopback.out ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/e9713f83-ee3a-4fb1-806f-594c3bab7006";
fsType = "ext4";
};
fileSystems."/boot" = {
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/F344-72E2";
fsType = "vfat";
};