cilly/flakes
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Compare commits

base: cilly:master
Branches Tags
cilly:master
cilly:feat/immich
cilly:feat/restic
cilly:feat/cont
cilly:feat/smb
cilly:feat/soulbeet
cilly:opencloud
cilly:staging/dandelion_260528
cilly:bootstrap/alyssum
cilly:dev/slskd_envtest
cilly:feat/emerald
cilly:feat/diamond
cilly:dev/citrine
cilly:dev/tewst
cilly:staging_auto/20260316
cilly:up/dandelion_20260315
cilly:staging_auto/20260315
cilly:staging_auto/20260314
cilly:staging_auto/20260313
cilly:staging_auto/20260312
cilly:staging_auto/20260311
cilly:staging_auto/20260310
cilly:staging_auto/20260309
cilly:staging_auto/20260308
cilly:staging_auto/20260307
cilly:staging_auto/20260306
cilly:staging_auto/20260305
cilly:staging_auto/20260304
cilly:staging_auto/20260303
cilly:staging_auto/20260302
cilly:staging_auto/20260301
cilly:staging_auto/20260228
cilly:staging_auto/20260227
cilly:staging_auto/20260226
cilly:staging_auto/20260225
cilly:staging_auto/20260224
cilly:staging_auto/20260223
cilly:staging_auto/20260222
cilly:staging_auto/20260221
cilly:staging_auto/20260220
cilly:staging_auto/20260219
cilly:staging/20251122
cilly:staging/20250812
cilly:dev/unbound
cilly:dev/wg2
cilly:dev/dandelion2
cilly:test/git-crypt
cilly:dev/server
cilly:dev/options
cilly:dev/workflow
cilly:bootstrap/dandelion
cilly:bootstrap/anemone
cilly:tmp/sugarcane_raccoon
cilly:tmp/caramel_raccoon
cilly:tmp/caramel
cilly:tmp/jellyfin
cilly:temp/caramelgone
cilly:testing/linux-tkg
cilly:testing/wine2
..
compare: cilly:dev/options
Branches Tags
cilly:feat/immich
cilly:feat/restic
cilly:master
cilly:feat/cont
cilly:feat/smb
cilly:feat/soulbeet
cilly:opencloud
cilly:staging/dandelion_260528
cilly:bootstrap/alyssum
cilly:dev/slskd_envtest
cilly:feat/emerald
cilly:feat/diamond
cilly:dev/citrine
cilly:dev/tewst
cilly:staging_auto/20260316
cilly:up/dandelion_20260315
cilly:staging_auto/20260315
cilly:staging_auto/20260314
cilly:staging_auto/20260313
cilly:staging_auto/20260312
cilly:staging_auto/20260311
cilly:staging_auto/20260310
cilly:staging_auto/20260309
cilly:staging_auto/20260308
cilly:staging_auto/20260307
cilly:staging_auto/20260306
cilly:staging_auto/20260305
cilly:staging_auto/20260304
cilly:staging_auto/20260303
cilly:staging_auto/20260302
cilly:staging_auto/20260301
cilly:staging_auto/20260228
cilly:staging_auto/20260227
cilly:staging_auto/20260226
cilly:staging_auto/20260225
cilly:staging_auto/20260224
cilly:staging_auto/20260223
cilly:staging_auto/20260222
cilly:staging_auto/20260221
cilly:staging_auto/20260220
cilly:staging_auto/20260219
cilly:staging/20251122
cilly:staging/20250812
cilly:dev/unbound
cilly:dev/wg2
cilly:dev/dandelion2
cilly:test/git-crypt
cilly:dev/server
cilly:dev/options
cilly:dev/workflow
cilly:bootstrap/dandelion
cilly:bootstrap/anemone
cilly:tmp/sugarcane_raccoon
cilly:tmp/caramel_raccoon
cilly:tmp/caramel
cilly:tmp/jellyfin
cilly:temp/caramelgone
cilly:testing/linux-tkg
cilly:testing/wine2

No commits in common. "master" and "dev/options" have entirely different histories.
master ... dev/option

129 changed files with 865 additions and 2770 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.git-crypt/.gitattributes vendored
View file

@ -1,4 +0,0 @@
# Do not edit this file. To specify the files to encrypt, create your own
# .gitattributes file in the directory where your files are.
* !filter !diff
*.gpg binary

BIN
.git-crypt/keys/default/0/059F098EBF0E9A13E10A46BF6500251E087653C9.gpg
View file

Binary file not shown.

1
.gitattributes vendored
View file

@ -1 +0,0 @@
secrets.gcrypt/** filter=git-crypt diff=git-crypt

16
.github/workflows/cachix.yml vendored
View file

@ -5,6 +5,20 @@ on:
workflow_dispatch: workflow_dispatch:
jobs: jobs:
check:
name: Check flake
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: cachix/install-nix-action@v31
- uses: cachix/cachix-action@v14
with:
name: lava
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- run: nix flake check --keep-going --verbose
build: build:
name: Build linux-lava for x86_64-linux name: Build linux-lava for x86_64-linux
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -21,7 +35,7 @@ jobs:
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: cachix/install-nix-action@v31 - uses: cachix/install-nix-action@v31
- uses: cachix/cachix-action@v16 - uses: cachix/cachix-action@v14
with: with:
name: lava name: lava
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

47
containers/amethyst/configuration.nix
View file

@ -1,47 +0,0 @@
{ lib, pkgs, ... }: {
system.stateVersion = "23.11";
systemd.tmpfiles.rules = [
"d /persist/transmission 755 transmission transmission"
"d /persist/transmission/.config/transmission-daemon 750 transmission transmission"
"d /persist/transmission/.incomplete 750 transmission transmission"
"d /persist/transmission/Downloads 755 transmission transmission"
"d /persist/transmission/watchdir 755 transmission transmission"
];
networking.wg-quick.interfaces.wg0 = {
configFile = "/persist/vpn.conf";
preUp = ''
# Try to access the DNS for up to 300s
for i in {1..60}; do
${pkgs.iputils}/bin/ping -c1 'google.com' && break
echo "Attempt $i: DNS still not available"
sleep 5s
done
'';
};
# https://github.com/NixOS/nixpkgs/issues/258793
systemd.services.transmission.serviceConfig = {
BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
RootDirectoryStartOnly = lib.mkForce false;
RootDirectory = lib.mkForce "";
PrivateMounts = lib.mkForce false;
PrivateUsers = lib.mkForce false;
};
networking.firewall.allowedTCPPorts = [ 9091 ];
services.transmission = {
enable = true;
package = pkgs.transmission_4;
downloadDirPermissions = "775";
openFirewall = true;
home = "/persist/transmission";
settings = {
ratio-limit-enabled = true;
rpc-bind-address = "0.0.0.0";
rpc-enabled = true;
rpc-port = 9091;
rpc-host-whitelist-enabled = false;
rpc-whitelist-enabled = false;
};
};
}

27
containers/amethyst/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

51
containers/amethyst/flake.nix
View file

@ -1,51 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { nixpkgs, ... }: {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
modules = [ ./configuration.nix ];
};
nixosModule = { ... }:
let
name = "amethyst";
fqdn = "amethyst.lava.moe";
subnet = "1";
in {
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "ve-${name}" ];
};
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
#locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
};
systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.30.${subnet}.1";
localAddress = "10.30.${subnet}.2";
hostAddress6 = "fd0d:1::${subnet}:1";
localAddress6 = "fd0d:1::${subnet}:2";
# privateUsers = "pick";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = [ ./configuration.nix ]; };
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
# flake = "path:" + ./.;
};
};
};
}

23
containers/beryllium/configuration.nix
View file

@ -1,23 +0,0 @@
{ ... }: {
system.stateVersion = "25.11";
fileSystems."/var/lib/private" = {
device = "/persist";
fsType = "none";
options = [ "bind" ];
};
networking.firewall.allowedTCPPorts = [ 6167 ];
networking.firewall.allowedUDPPorts = [ 6167 ];
# TODO: this should be generically set
networking.useHostResolvConf = false;
networking.nameservers = [ "8.8.8.8" ];
services.matrix-continuwuity = {
enable = true;
settings.global = {
# TODO: link this with outer container's address
address = [ "10.30.2.2" ];
server_name = "lava.moe";
rocksdb_recovery_mode = 2;
};
};
}

27
containers/beryllium/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

69
containers/beryllium/flake.nix
View file

@ -1,69 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { nixpkgs, ... }: {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
modules = [ ./configuration.nix ];
};
nixosModule = { ... }:
let
name = "beryllium";
fqdn = "beryllium.lava.moe";
subnet = "2";
in {
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "ve-${name}" ];
};
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".extraConfig = "return 302 'https://lava.moe';";
locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
};
services.nginx.virtualHosts."lava.moe" = {
locations."= /.well-known/matrix/server".extraConfig =
let
server = { "m.server" = "${fqdn}:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
# "m.identity_server" = { "base_url" = "https://vector.im"; };
};
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.30.${subnet}.1";
localAddress = "10.30.${subnet}.2";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = [ ./configuration.nix ]; };
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
};
};
};
}

53
containers/citrine/configuration.nix
View file

@ -1,53 +0,0 @@
{ config, fqdn, lib, ... }: {
system.stateVersion = "25.11";
networking.firewall.allowedTCPPorts = [ 22 3000 ];
networking.firewall.allowedUDPPorts = [ 22 3000 ];
systemd.tmpfiles.rules = [
"L+ /persist/forgejo/custom/templates - - - - ${./templates}"
];
services.forgejo = {
enable = true;
lfs.enable = true;
settings = {
DEFAULT.APP_NAME = "cilly's botanical laboratory";
server = {
DOMAIN = fqdn;
ROOT_URL = "https://${fqdn}/";
HTTP_PORT = 3000;
START_SSH_SERVER = true;
BUILTIN_SSH_SERVER_USER = "git";
SSH_DOMAIN = "git.lava.moe";
SSH_SERVER_KEY_EXCHANGES = "mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256";
};
ui = lib.mkForce {
DEFAULT_THEME = "catppuccin-maroon-auto";
THEMES = lib.strings.concatMapStringsSep "," (x: "${x}-auto") [
"catppuccin-pink"
"catppuccin-maroon"
"catppuccin-flamingo"
"catppuccin-rosewater"
"forgejo"
"gitea"
];
};
api.ENABLE_SWAGGER = false;
other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
repository.ENABLE_PUSH_CREATE_USER = true;
repository.ENABLE_PUSH_CREATE_ORG = true;
service.DISABLE_REGISTRATION = true;
};
stateDir = "/persist/forgejo";
};
systemd.services.forgejo.serviceConfig = {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
PrivateUsers = lib.mkForce false;
};
catppuccin.forgejo.enable = true;
environment.systemPackages = [ config.services.forgejo.package ];
}

62
containers/citrine/flake.lock generated
View file

@ -1,62 +0,0 @@
{
"nodes": {
"catppuccin": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1773403535,
"narHash": "sha256-47MZaFrHxNO8tVUAmtVnerXUw2WWVluBOiU9MulN/yM=",
"owner": "catppuccin",
"repo": "nix",
"rev": "d45b5665cc638bad1b794350de02f4dd41b0bb47",
"type": "github"
},
"original": {
"owner": "catppuccin",
"repo": "nix",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1773122722,
"narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"catppuccin": "catppuccin",
"nixpkgs": "nixpkgs_2"
}
}
},
"root": "root",
"version": 7
}

68
containers/citrine/flake.nix
View file

@ -1,68 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
catppuccin.url = "github:catppuccin/nix";
};
outputs = { nixpkgs, catppuccin, ... }:
let
name = "citrine";
fqdn = "lab.lava.moe";
subnetId = "3";
subnet = x: "fd0d:1::${subnetId}:${toString x}";
host = subnet 1;
client = subnet 2;
subnet4 = x: "10.30.${subnetId}.${toString x}";
host4 = subnet4 1;
client4 = subnet4 2;
modules = [
./configuration.nix
catppuccin.nixosModules.catppuccin
{
networking.useHostResolvConf = false;
networking.nameservers = [ host ];
}
];
in {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
inherit modules;
};
nixosModule = { ... }: {
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "ve-${name}" ];
};
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".proxyPass = "http://[${client}]:3000";
};
systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = host4;
localAddress = client4;
hostAddress6 = host;
localAddress6 = client;
# privateUsers = "pick";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = modules; };
specialArgs = { inherit fqdn; };
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
# flake = "path:" + ./.;
};
};
};
}

31
containers/citrine/templates/base/footer_content.tmpl
View file

@ -1,31 +0,0 @@
<footer class="page-footer" role="group" aria-label="{{ctx.Locale.Tr "aria.footer"}}">
<div class="left-links" role="contentinfo" aria-label="{{ctx.Locale.Tr "aria.footer.software"}}">
{{if ShowFooterPoweredBy}}
<a target="_blank" rel="noopener noreferrer" href="https://forgejo.org">Forgejo</a>
{{end}}
{{if (or .ShowFooterVersion .PageIsAdmin)}}
{{if .IsAdmin}}
<a href="{{AppSubUrl}}/admin/config">{{AppVerNoMetadata}}</a>
{{else}}
{{AppVerNoMetadata}}
{{end}}
{{end}}
{{if and .TemplateLoadTimes ShowFooterTemplateLoadTime}}
{{ctx.Locale.Tr "page"}}: <strong>{{LoadTimes .PageStartTime}}</strong>
{{ctx.Locale.Tr "template"}}{{if .TemplateName}} {{.TemplateName}}{{end}}: <strong>{{call .TemplateLoadTimes}}</strong>
{{end}}
</div>
<div class="right-links" role="group" aria-label="{{ctx.Locale.Tr "aria.footer.links"}}">
<div class="ui dropdown upward language">
<span class="flex-text-inline">{{svg "octicon-globe" 14}} {{ctx.Locale.LangName}}</span>
<div class="menu language-menu">
{{range .AllLangs}}
<a lang="{{.Lang}}" data-url="{{AppSubUrl}}/?lang={{.Lang}}" class="item {{if eq ctx.Locale.Lang .Lang}}active selected{{end}}">{{.Name}}</a>
{{end}}
</div>
</div>
<a href="{{AssetUrlPrefix}}/licenses.txt">{{ctx.Locale.Tr "licenses"}}</a>
{{if .EnableSwagger}}<a href="{{AppSubUrl}}/api/swagger">API</a>{{end}}
{{template "custom/extra_links_footer" .}}
</div>
</footer>

19
containers/citrine/templates/home.tmpl
View file

@ -1,19 +0,0 @@
{{template "base/head" .}}
{{if not .IsSigned}}
<script>window.location.href = "/explore/repos";</script>
{{end}}
<div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}" class="page-content home">
<div class="tw-mb-8 tw-px-8">
<div class="center">
<img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
<div class="hero">
<h1 class="ui icon header title">
{{AppDisplayName}}
</h1>
<h2>{{ctx.Locale.Tr "startpage.app_desc"}}</h2>
</div>
</div>
</div>
{{template "home_forgejo" .}}
</div>
{{template "base/footer" .}}

22
containers/diamond/configuration.nix
View file

@ -1,22 +0,0 @@
{ fqdn, ... }: {
system.stateVersion = "25.11";
systemd.tmpfiles.rules = [
"d /persist/vaultwarden 755 vaultwarden vaultwarden"
];
fileSystems."/var/lib/vaultwarden" = {
device = "/persist/vaultwarden";
fsType = "none";
options = [ "bind" ];
};
networking.firewall.allowedTCPPorts = [ 8000 ];
networking.firewall.allowedUDPPorts = [ 8000 ];
services.vaultwarden = {
enable = true;
domain = fqdn;
config = {
DOMAIN = "https://${fqdn}";
ROCKET_ADDRESS = "::";
};
};
}

27
containers/diamond/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

51
containers/diamond/flake.nix
View file

@ -1,51 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { nixpkgs, ... }:
let
name = "diamond";
fqdn = "astransia.lava.moe";
subnetId = "4";
subnet = x: "fd0d:1::${subnetId}:${toString x}";
host = subnet 1;
client = subnet 2;
modules = [
./configuration.nix
];
in {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
inherit modules;
};
nixosModule = { ... }: {
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".proxyPass = "http://[${client}]:8000";
listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
};
systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress6 = host;
localAddress6 = client;
# privateUsers = "pick";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = modules; };
specialArgs = { inherit fqdn; };
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
# flake = "path:" + ./.;
};
};
};
}

23
containers/emerald/configuration.nix
View file

@ -1,23 +0,0 @@
{ fqdn, shareFqdn, ... }: {
system.stateVersion = "25.11";
systemd.tmpfiles.rules = [
"d /persist/navidrome 755 navidrome navidrome"
];
networking.firewall.allowedTCPPorts = [ 4533 ];
networking.firewall.allowedUDPPorts = [ 4533 ];
services.navidrome = {
enable = true;
environmentFile = "/binds/navidrome_env";
settings = {
Port = 4533;
Address = "[::]";
BaseUrl = "https://${fqdn}/";
ShareURL = "https://${shareFqdn}";
EnableSharing = true;
DataFolder = "/persist/navidrome";
MusicFolder = "/binds/music/main";
};
};
systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"];
}

27
containers/emerald/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

78
containers/emerald/flake.nix
View file

@ -1,78 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { nixpkgs, ... }:
let
name = "emerald";
fqdn = "navia.lava.moe";
shareFqdn = "muse.lava.moe";
subnetId = "5";
subnet = x: "fd0d:2::${subnetId}:${toString x}";
host = subnet 1;
client = subnet 2;
subnet4 = x: "10.32.${subnetId}.${toString x}";
host4 = subnet4 1;
client4 = subnet4 2;
modules = [
./configuration.nix
{
networking.useHostResolvConf = false;
networking.nameservers = [ host ];
}
];
in {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
inherit modules;
};
nixosModule = { config, ... }: {
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "ve-${name}" ];
};
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".proxyPass = "http://[${client}]:4533";
listenAddresses = [ "100.67.2.1" ];
};
systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = host4;
localAddress = client4;
hostAddress6 = host;
localAddress6 = client;
# privateUsers = "pick";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = modules; };
specialArgs = { inherit fqdn shareFqdn; };
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
bindMounts."music" = {
hostPath = "/flower/media/music";
mountPoint = "/binds/music";
isReadOnly = true;
};
bindMounts."navidrome_env" = {
hostPath = config.age.secrets.navidrome_env.path;
mountPoint = "/binds/navidrome_env";
isReadOnly = true;
};
# flake = "path:" + ./.;
};
};
};
}

22
containers/fluorite/configuration.nix
View file

@ -1,22 +0,0 @@
{ ... }: {
system.stateVersion = "25.11";
systemd.tmpfiles.rules = [
"d /persist/slskd/Downloads 755 slskd slskd"
];
fileSystems."/var/lib/slskd" = {
device = "/persist/slskd";
fsType = "none";
options = [ "bind" ];
};
networking.firewall.allowedTCPPorts = [ 5030 50300 ];
networking.firewall.allowedUDPPorts = [ 5030 50300 ];
services.slskd = {
enable = true;
domain = null;
environmentFile = "/binds/slskd_env";
settings = {
shares.directories = [ "/binds/music/" ];
};
};
}

27
containers/fluorite/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

89
containers/fluorite/flake.nix
View file

@ -1,89 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { nixpkgs, ... }:
let
name = "fluorite";
fqdn = "fluorite.lava.moe";
subnetId = "6";
subnet = x: "fd0d:1::${subnetId}:${toString x}";
host = subnet 1;
client = subnet 2;
subnet4 = x: "10.30.${subnetId}.${toString x}";
host4 = subnet4 1;
client4 = subnet4 2;
modules = [
./configuration.nix
{
networking.useHostResolvConf = false;
networking.nameservers = [ host ];
}
];
in {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
inherit modules;
};
nixosModule = { config, ... }: {
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "ve-${name}" ];
};
networking.firewall.allowedTCPPorts = [ 50300 ];
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".proxyPass = "http://[${client}]:5030";
listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
};
systemd.tmpfiles.rules = [
"d /persist/containers/${name} 755 root users"
"d /persist/media/music 075 nobody users"
];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = host4;
localAddress = client4;
hostAddress6 = host;
localAddress6 = client;
# privateUsers = "pick";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = modules; };
specialArgs = { inherit fqdn; };
forwardPorts = [
{
containerPort = 50300;
hostPort = 50300;
protocol = "tcp";
}
];
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
bindMounts."music" = {
hostPath = "/persist/media/music";
mountPoint = "/binds/music";
isReadOnly = true;
};
bindMounts."slskd_env" = {
hostPath = config.age.secrets.slskd_env.path;
mountPoint = "/binds/slskd_env";
isReadOnly = true;
};
# flake = "path:" + ./.;
};
};
};
}

36
containers/garnet/configuration.nix
View file

@ -1,36 +0,0 @@
{ ... }: {
system.stateVersion = "25.11";
fileSystems."/var/lib/opencloud" = {
device = "/flower/data";
fsType = "none";
options = [ "bind" ];
};
fileSystems."/etc/opencloud" = {
device = "/persist/cfg";
fsType = "none";
options = [ "bind" ];
};
# TODO: hardcoded address
networking.extraHosts = ''
100.67.2.1 cloud.lava.moe
'';
networking.firewall.allowedTCPPorts = [ 9200 ];
networking.firewall.allowedUDPPorts = [ 9200 ];
environment.etc."opencloud-admin-pass".text = ''
IDM_ADMIN_PASSWORD=supersillysecure
'';
services.opencloud = {
enable = true;
url = "https://cloud.lava.moe";
address = "10.30.7.2";
port = 9200;
environment = {
PROXY_TLS = "false";
IDP_ACCESS_TOKEN_EXPIRATION = "2592000";
IDP_ID_TOKEN_EXPIRATION = "2592000";
};
environmentFile = "/etc/opencloud-admin-pass";
};
}

27
containers/garnet/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1779560665,
"narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

84
containers/garnet/flake.nix
View file

@ -1,84 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { nixpkgs, ... }:
let
name = "garnet";
fqdn = "cloud.lava.moe";
subnetId = "7";
subnet = x: "fd0d:1::${subnetId}:${toString x}";
host = subnet 1;
client = subnet 2;
subnet4 = x: "10.30.${subnetId}.${toString x}";
host4 = subnet4 1;
client4 = subnet4 2;
modules = [
./configuration.nix
{
networking.useHostResolvConf = false;
networking.nameservers = [ host ];
}
];
in {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
inherit modules;
};
nixosModule = { config, ... }: {
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "ve-${name}" ];
};
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/" = {
proxyPass = "http://${client4}:9200";
proxyWebsockets = true;
};
extraConfig = ''
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
keepalive_requests 100000;
keepalive_timeout 5m;
http2_max_concurrent_streams 512;
'';
# TODO: hardcoded address
listenAddresses = [ "100.67.2.1" ];
};
systemd.tmpfiles.rules = [
"d /persist/containers/${name} 755 root users"
];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = host4;
localAddress = client4;
hostAddress6 = host;
localAddress6 = client;
# privateUsers = "pick";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = modules; };
specialArgs = { inherit fqdn; };
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
bindMounts."content" = {
hostPath = "/flower/opencloud";
mountPoint = "/flower";
isReadOnly = false;
};
};
};
};
}

741
flake.lock generated
View file

File diff suppressed because it is too large Load diff

27
flake.nix
View file

@ -2,27 +2,24 @@
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
home-manager.url = "github:nix-community/home-manager"; home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; neovim-nightly.url = "github:nix-community/neovim-nightly-overlay";
agenix.url = "github:ryantm/agenix"; agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
aagl.url = "github:ezKEa/aagl-gtk-on-nix"; aagl.url = "github:ezKEa/aagl-gtk-on-nix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
catppuccin.url = "github:catppuccin/nix/8eada392fd6571a747e1c5fc358dd61c14c8704e"; catppuccin.url = "github:catppuccin/nix/8eada392fd6571a747e1c5fc358dd61c14c8704e";
catppuccin.inputs.nixpkgs.follows = "nixpkgs"; catppuccin.inputs.nixpkgs.follows = "nixpkgs";
catppuccin-palette = { url = "github:catppuccin/palette"; flake = false; }; catppuccin-palette = { url = "github:catppuccin/palette"; flake = false; };
neovim-nightly.url = "github:nix-community/neovim-nightly-overlay"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
neovim-nightly.inputs.nixpkgs.follows = "nixpkgs"; neovim-nightly.inputs.nixpkgs.follows = "nixpkgs";
nix-gaming.url = "github:fufexan/nix-gaming"; nix-gaming.url = "github:fufexan/nix-gaming";
nix-index-database.url = "github:nix-community/nix-index-database";
nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
spicetify-nix.url = "github:Gerg-L/spicetify-nix"; spicetify-nix.url = "github:Gerg-L/spicetify-nix";
spicetify-nix.inputs.nixpkgs.follows = "nixpkgs"; spicetify-nix.inputs.nixpkgs.follows = "nixpkgs";
# services # services
pastel.url = "github:cillynder/pastel"; # hosts-blocklists = { url = "github:notracking/hosts-blocklists"; flake = false; };
stevenblack-hosts = { url = "github:StevenBlack/hosts"; flake = false; }; # website = { url = "github:LavaDesu/lavadesu.github.io/master"; flake = false; };
website = { url = "github:cillynder/lavadesu.github.io/master"; flake = false; };
# zsh plugins # zsh plugins
zsh-abbr = { url = "git+https://github.com/olets/zsh-abbr?submodules=1"; flake = false; }; zsh-abbr = { url = "git+https://github.com/olets/zsh-abbr?submodules=1"; flake = false; };
@ -36,15 +33,6 @@
spotify-adblock = { url = "github:abba23/spotify-adblock"; flake = false; }; spotify-adblock = { url = "github:abba23/spotify-adblock"; flake = false; };
tree-sitter-jsonc = { url = "gitlab:WhyNotHugo/tree-sitter-jsonc"; flake = false; }; tree-sitter-jsonc = { url = "gitlab:WhyNotHugo/tree-sitter-jsonc"; flake = false; };
wine-discord-ipc-bridge = { url = "github:0e4ef622/wine-discord-ipc-bridge"; flake = false; }; wine-discord-ipc-bridge = { url = "github:0e4ef622/wine-discord-ipc-bridge"; flake = false; };
# containers
c-amethyst.url = "path:./containers/amethyst";
c-beryllium.url = "path:./containers/beryllium";
c-citrine.url = "path:./containers/citrine";
c-diamond.url = "path:./containers/diamond";
c-emerald.url = "path:./containers/emerald";
c-fluorite.url = "path:./containers/fluorite";
c-garnet.url = "path:./containers/garnet";
}; };
outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs: outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs:
@ -76,14 +64,11 @@
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
modules = import ./modules { lib = nixpkgs.lib; }; modules = import ./modules { lib = nixpkgs.lib; };
gcSecrets = builtins.fromJSON (builtins.readFile "${self}/secrets.gcrypt/shared.json");
}; };
}; };
in in
{ {
nixosConfigurations."alyssum" = mkSystem nixpkgs "alyssum" "x86_64-linux" [];
nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" []; nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" [];
nixosConfigurations."dandelion" = mkSystem nixpkgs "dandelion" "aarch64-linux" [];
nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" []; nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" [];
packages."x86_64-linux" = packages."x86_64-linux" =

45
hosts/alyssum/default.nix
View file

@ -1,45 +0,0 @@
{ inputs, lib, modules, modulesPath, ... }: {
networking.hostName = "alyssum";
system.stateVersion = "25.11";
time.timeZone = "Australia/Melbourne";
age.secrets = {
acme_dns.file = ../../secrets/acme_dns.age;
passwd.file = ../../secrets/passwd.age;
navidrome_env.file = ../../secrets/navidrome_env.age;
wpa_conf = {
file = ../../secrets/wpa_conf.age;
path = "/etc/wpa_supplicant/imperative.conf";
symlink = false;
};
};
imports = with modules.system; [
(modulesPath + "/profiles/qemu-guest.nix")
home-manager
base
kernel
nix-stable
packages
security
tailscale
modules.services.nginx
modules.services.syncthing
inputs.c-emerald.nixosModule
inputs.c-garnet.nixosModule
./filesystem.nix
./kernel.nix
./networking.nix
./home.syncthing.nix
./samba.nix
../../users/hana
];
me.environment = "headless";
services.syncthing.user = lib.mkForce "hana";
}

35
hosts/alyssum/filesystem.nix
View file

@ -1,35 +0,0 @@
{ ... }:
let
bind = src: {
depends = [ "/nix" ];
device = src;
fsType = "none";
neededForBoot = true;
options = [ "bind" ];
};
mkLabelMount = label: type: {
device = "/dev/disk/by-label/${label}";
fsType = type;
options = [ "defaults" "relatime" ];
};
mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
};
submount = mkBtrfsMount "alyssum";
in {
fileSystems = {
"/" = {
device = "rootfs";
fsType = "tmpfs";
options = [ "defaults" "size=8G" "mode=755" ];
};
"/boot" = mkLabelMount "stem" "vfat";
"/flower" = mkBtrfsMount "myosotis" "/@" true;
"/nix" = submount "/@/nix" false;
"/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
"/persist/.snapshots" = submount "/snap/persist" false;
"/var/log/journal" = bind "/persist/journal";
};
}

39
hosts/alyssum/home.syncthing.nix
View file

@ -1,39 +0,0 @@
{ config, lib, ... }:
let
configOn = user: port: {
me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ];
users.users.${user} = {
hashedPasswordFile = config.age.secrets.passwd.path;
isNormalUser = true;
linger = true;
};
home-manager.users.${user} = { ... }: {
home = {
username = "${user}";
homeDirectory = "/home/${user}";
stateVersion = "26.05";
};
services.syncthing = {
enable = true;
guiAddress = "[::]:${toString port}";
overrideDevices = false;
overrideFolders = false;
settings = {
options.listenAddresses = [
"tcp://0.0.0.0:2${toString port}"
"quic://0.0.0.0:2${toString port}"
"dynamic+https://relays.syncthing.net/endpoint"
];
defaults.folder.path = "/flower/syncthing/${user}";
};
};
};
};
in lib.mkMerge [
(configOn "kujira" 8385)
(configOn "cilly" 8386)
]

12
hosts/alyssum/kernel.nix
View file

@ -1,12 +0,0 @@
{ config, lib, ... }: {
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
};
hardware.cpu.amd.updateMicrocode = true;
}

15
hosts/alyssum/networking.nix
View file

@ -1,15 +0,0 @@
{ config, ... }: {
networking = {
useDHCP = true;
wireless.enable = true;
interfaces.wlp1s0.useDHCP = false;
interfaces.wlp1s0.ipv4.addresses = [{
address = "192.168.1.167";
prefixLength = 24;
}];
defaultGateway = "192.168.1.1";
nameservers = [ "8.8.8.8" "8.8.4.4" ];
};
}

14
hosts/alyssum/packages.nix
View file

@ -1,14 +0,0 @@
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [
git
htop
jq
neovim
rsync
sshfs
wget
kitty.terminfo
];
environment.variables.EDITOR = "nvim";
}

84
hosts/alyssum/samba.nix
View file

@ -1,84 +0,0 @@
{ config, lib, pkgs, ... }:
let
configOn = user: let
passwd_fname = "passwd_smb${user}";
in {
age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}";
me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
users.users.${user} = {
hashedPasswordFile = config.age.secrets.passwd.path;
isNormalUser = true;
};
system.activationScripts = {
init_smbpasswd.text = let
smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
in ''
printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user}
'';
};
services.samba.settings."${user}" = {
"path" = "/flower/smb/${user}";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = user;
"force group" = "users";
"valid users" = user;
};
};
in lib.mkMerge [
(configOn "cilly")
(configOn "kujira")
{
me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43";
networking.firewall.allowPing = true;
services.samba = {
enable = true;
package = pkgs.samba4Full;
openFirewall = true;
settings = {
global = {
"server smb encrypt" = "required";
"workgroup" = "WORKGROUP";
"server string" = "smbnix";
"netbios name" = "smbnix";
"security" = "user";
"hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
"hosts deny" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
"public" = {
"path" = "/flower/smb/public";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "yes";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "hana";
"force group" = "users";
};
};
};
services.samba-wsdd = {
enable = true;
openFirewall = true;
};
services.avahi = {
enable = true;
openFirewall = true;
nssmdns4 = true;
publish.enable = true;
publish.userServices = true;
};
}
]

14
hosts/anemone/default.nix
View file

@ -5,7 +5,6 @@
nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ]; nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
age.secrets = { age.secrets = {
wg_anemone.file = ../../secrets/wg_anemone.age;
passwd.file = ../../secrets/passwd.age; passwd.file = ../../secrets/passwd.age;
}; };
@ -17,7 +16,6 @@
bluetooth bluetooth
ccache ccache
corectrl corectrl
docker
flatpak flatpak
greetd greetd
gui gui
@ -28,16 +26,12 @@
printing printing
security security
snapper snapper
tailscale
wireguard
./filesystem.nix ./filesystem.nix
./kernel.nix ./kernel.nix
./networking.nix ./networking.nix
../../users/rin ../../users/rin
modules.services.syncthing
]; ];
me = { me = {
@ -45,9 +39,13 @@
batteryDevice = "BATT"; batteryDevice = "BATT";
kbBacklightDevice = "asus::kbd_backlight"; kbBacklightDevice = "asus::kbd_backlight";
hasFingerprint = true; hasFingerprint = true;
hidpi = true;
}; };
# For steam fhs-env
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
];
programs.wireshark = { programs.wireshark = {
enable = true; enable = true;
package = pkgs.wireshark; package = pkgs.wireshark;
@ -55,6 +53,4 @@
services.fprintd.enable = true; services.fprintd.enable = true;
services.tlp.enable = true; services.tlp.enable = true;
programs.kdeconnect.enable = true;
} }

15
hosts/anemone/kernel.nix
View file

@ -23,22 +23,17 @@
]; ];
}; };
# swapDevices = [{ swapDevices = [{
# device = "/persist/swapfile"; device = "/persist/swapfile";
# size = 16 * 1024; size = 16 * 1024;
# }]; }];
#
# systemd.sleep.extraConfig = ''
# HibernateMode=shutdown
# '';
/*
services.logind.lidSwitch = "suspend-then-hibernate"; services.logind.lidSwitch = "suspend-then-hibernate";
systemd.sleep.extraConfig = '' systemd.sleep.extraConfig = ''
HibernateDelaySec=14400 HibernateDelaySec=14400
SuspendEstimationSec=3600 SuspendEstimationSec=3600
HibernateOnACPower=true HibernateOnACPower=true
''; '';
*/
powerManagement.cpufreq.min = 400000; powerManagement.cpufreq.min = 400000;

16
hosts/anemone/networking.nix
View file

@ -1,4 +1,18 @@
{ config, ... }: { { config, ... }: {
networking.wireless.iwd.enable = true; networking = {
#nameservers = [ "8.8.8.8" "8.8.4.4" ];
#wg-quick.interfaces.wg0.configFile = "/persist/vpn.conf";
networkmanager = {
enable = true;
#dns = "none";
};
extraHosts = ''
192.168.100.16 hyacinth
'';
};
environment.etc."NetworkManager/system-connections".source = "/persist/nm_system-connections"; environment.etc."NetworkManager/system-connections".source = "/persist/nm_system-connections";
} }

44
hosts/dandelion/default.nix
View file

@ -1,44 +0,0 @@
{ inputs, modules, modulesPath, ... }: {
networking.hostName = "dandelion";
system.stateVersion = "23.11";
time.timeZone = "Australia/Melbourne";
age.secrets = {
acme_dns.file = ../../secrets/acme_dns.age;
slskd_env.file = ../../secrets/slskd_env.age;
wg_dandelion.file = ../../secrets/wg_dandelion.age;
};
imports = with modules.system; [
(modulesPath + "/profiles/qemu-guest.nix")
home-manager
base
kernel
nix-stable
packages
security
tailscale
wireguard
modules.services.banksia
modules.services.nginx
modules.services.unbound
modules.services.website
inputs.c-amethyst.nixosModule
inputs.c-beryllium.nixosModule
inputs.c-citrine.nixosModule
inputs.c-diamond.nixosModule
inputs.c-fluorite.nixosModule
./filesystem.nix
./kernel.nix
./networking.nix
./nginx.nix
../../users/hana
];
me.environment = "headless";
}

34
hosts/dandelion/filesystem.nix
View file

@ -1,34 +0,0 @@
{ ... }:
let
bind = src: {
depends = [ "/nix" ];
device = src;
fsType = "none";
neededForBoot = true;
options = [ "bind" ];
};
mkLabelMount = label: type: {
device = "/dev/disk/by-label/${label}";
fsType = type;
options = [ "defaults" "relatime" ];
};
mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
};
submount = mkBtrfsMount "DANDELION";
in {
fileSystems = {
"/" = {
device = "rootfs";
fsType = "tmpfs";
options = [ "defaults" "size=6G" "mode=755" ];
};
"/boot" = mkLabelMount "UEFI" "vfat";
"/nix" = submount "/@/nix" false;
"/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
"/persist/.snapshots" = submount "/snap/persist" false;
"/var/log/journal" = bind "/persist/journal";
};
}

10
hosts/dandelion/kernel.nix
View file

@ -1,10 +0,0 @@
{ ... }: {
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
initrd.kernelModules = [ "nvme" ];
};
}

4
hosts/dandelion/networking.nix
View file

@ -1,4 +0,0 @@
{ ... }: {
networking.useDHCP = true;
networking.interfaces.enp2s0.useDHCP = false;
}

8
hosts/dandelion/nginx.nix
View file

@ -1,8 +0,0 @@
{ ... }: {
services.nginx.virtualHosts."muse.lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".return = "404";
locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
};
}

14
hosts/dandelion/packages.nix
View file

@ -1,14 +0,0 @@
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [
git
htop
jq
neovim
rsync
sshfs
wget
kitty.terminfo
];
environment.variables.EDITOR = "nvim";
}

15
hosts/hyacinth/default.nix
View file

@ -3,10 +3,11 @@
system.stateVersion = "21.11"; system.stateVersion = "21.11";
time.timeZone = "Australia/Melbourne"; time.timeZone = "Australia/Melbourne";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ]; nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
age.secrets = { age.secrets = {
passwd.file = ../../secrets/passwd.age; passwd.file = ../../secrets/passwd.age;
wg_hyacinth.file = ../../secrets/wg_hyacinth.age; wg_hyacinth.file = ../../secrets/wg_blossom.age;
wpa_conf.file = ../../secrets/wpa_conf.age; wpa_conf.file = ../../secrets/wpa_conf.age;
}; };
imports = with modules.system; [ imports = with modules.system; [
@ -18,7 +19,6 @@
bluetooth bluetooth
ccache ccache
corectrl corectrl
docker
flatpak flatpak
greetd greetd
gui gui
@ -29,10 +29,9 @@
printing printing
security security
snapper snapper
tailscale virtualisation
wireguard
modules.services.syncthing modules.services.postgres
./filesystem.nix ./filesystem.nix
./kernel.nix ./kernel.nix
@ -41,7 +40,11 @@
../../users/rin ../../users/rin
]; ];
services.postgresql.ensureDatabases = [ "barista" "barista-dev" ];
systemd.services.nix-daemon.environment.TMPDIR = "/nix/tmp"; systemd.services.nix-daemon.environment.TMPDIR = "/nix/tmp";
me.hasBluetooth = true; # For steam fhs-env
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
];
} }

2
hosts/hyacinth/filesystem.nix
View file

@ -15,7 +15,7 @@ in
"/" = { "/" = {
device = "rootfs"; device = "rootfs";
fsType = "tmpfs"; fsType = "tmpfs";
options = [ "defaults" "size=24G" "mode=755" ]; options = [ "defaults" "size=8G" "mode=755" ];
}; };
"/boot" = mkLabelMount "CUP" "vfat"; "/boot" = mkLabelMount "CUP" "vfat";

4
hosts/hyacinth/kernel.nix
View file

@ -13,8 +13,4 @@
]; ];
kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava); kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
}; };
hardware.amdgpu.overdrive = {
enable = true;
ppfeaturemask = "0xffffffff";
};
} }

5
hosts/hyacinth/networking.nix
View file

@ -3,13 +3,12 @@
networking = { networking = {
useDHCP = true; useDHCP = true;
interfaces.enp5s0.useDHCP = false; interfaces.enp5s0.useDHCP = false;
interfaces.enp5s0.wakeOnLan.enable = true;
interfaces.enp5s0.ipv4.addresses = [{ interfaces.enp5s0.ipv4.addresses = [{
address = "192.168.1.201"; address = "192.168.0.151";
prefixLength = 24; prefixLength = 24;
}]; }];
defaultGateway = "192.168.1.1"; defaultGateway = "192.168.0.1";
nameservers = [ "8.8.8.8" "8.8.4.4" ]; nameservers = [ "8.8.8.8" "8.8.4.4" ];
extraHosts = '' extraHosts = ''

4
hosts/hyacinth/packages.nix
View file

@ -1,7 +1,7 @@
{ pkgs, ... }: { { pkgs, ... }: {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
discord android-studio
jetbrains.idea jetbrains.idea-community-bin
texliveFull texliveFull
]; ];
} }

13
modules/binds.nix
View file

@ -1,13 +0,0 @@
{ config, lib, ...}: {
imports = [ ./options.nix ];
fileSystems = lib.mapAttrs (dest: key: let
target = if (lib.strings.hasPrefix "/" key)
then key
else "/persist/binds/${key}";
in {
depends = [ "/persist" ];
device = target;
fsType = "none";
options = [ "bind" ];
}) config.me.binds;
}

9
modules/default.nix
View file

@ -14,21 +14,16 @@ let
}) paths }) paths
); );
in { in {
binds = ./binds.nix;
options = ./options.nix; options = ./options.nix;
services = mkAttrsFromPaths [ services = mkAttrsFromPaths [
./services/banksia.nix
./services/jellyfin.nix ./services/jellyfin.nix
./services/nginx.nix ./services/nginx.nix
./services/postgres.nix ./services/postgres.nix
./services/sonarr.nix ./services/sonarr.nix
./services/synapse.nix ./services/synapse.nix
./services/syncthing.nix
./services/tmptsync.nix ./services/tmptsync.nix
./services/transmission.nix
./services/unbound.nix ./services/unbound.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
./services/website.nix
]; ];
system = mkAttrsFromPaths [ system = mkAttrsFromPaths [
./system/aagl.nix ./system/aagl.nix
@ -37,7 +32,6 @@ in {
./system/bluetooth.nix ./system/bluetooth.nix
./system/ccache.nix ./system/ccache.nix
./system/corectrl.nix ./system/corectrl.nix
./system/docker.nix
./system/flatpak.nix ./system/flatpak.nix
./system/greetd.nix ./system/greetd.nix
./system/gui.nix ./system/gui.nix
@ -50,13 +44,12 @@ in {
./system/printing.nix ./system/printing.nix
./system/security.nix ./system/security.nix
./system/snapper.nix ./system/snapper.nix
./system/tailscale.nix ./system/transmission.nix
./system/virtualisation.nix ./system/virtualisation.nix
./system/wireguard.nix ./system/wireguard.nix
]; ];
user = mkAttrsFromPaths [ user = mkAttrsFromPaths [
./user/catppuccin.nix ./user/catppuccin.nix
./user/comma.nix
./user/direnv.nix ./user/direnv.nix
./user/dunst.nix ./user/dunst.nix
./user/eww.nix ./user/eww.nix

10
modules/options.nix
View file

@ -39,15 +39,5 @@ in {
type = types.bool; type = types.bool;
default = config.me.environment == "laptop"; default = config.me.environment == "laptop";
}; };
hidpi = mkOption {
type = types.bool;
default = false;
};
binds = lib.mkOption {
type = with lib.types; attrsOf str;
default = {};
};
}; };
} }

11
modules/services/banksia.nix
View file

@ -1,11 +0,0 @@
# TODO ^^
{ ... }: {
services.nginx.virtualHosts = {
"banksia.lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".return = "302 https://lab.lava.moe/cilly/Banksia";
locations."/api".proxyPass = "http://localhost:8080/";
};
};
}

38
modules/services/nginx.nix
View file

@ -1,21 +1,18 @@
{ config, ... }: { { config, inputs, ... }: {
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { email = "me@lava.moe";
email = "me@lava.moe";
group = "nginx";
dnsProvider = "cloudflare";
environmentFile = config.age.secrets."acme_dns".path;
};
certs."lava.moe" = { certs."lava.moe" = {
group = "nginx";
domain = "lava.moe";
extraDomainNames = [ extraDomainNames = [
"*.lava.moe" "*.lava.moe"
"*.local.lava.moe" "*.local.lava.moe"
]; ];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."acme_dns".path;
}; };
certs."cilly.moe" = {};
certs."cilly.dev" = {};
}; };
services.nginx = { services.nginx = {
@ -24,5 +21,28 @@
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
virtualHosts = {
"lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
root = inputs.website.outPath;
};
"cdn.lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
root = "/persist/cdn";
};
"_" = {
default = true;
addSSL = true;
# TODO generate this somewhere
sslCertificate = "/persist/fakeCerts/fake.crt";
sslCertificateKey = "/persist/fakeCerts/fake.key";
extraConfig = ''
return 444;
'';
};
};
}; };
} }

1
modules/services/postgres.nix
View file

@ -8,7 +8,6 @@ in {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
dataDir = dir; dataDir = dir;
# TODO: broken :3
package = pkgs.postgresql_13; package = pkgs.postgresql_13;
authentication = lib.mkOverride 10 '' authentication = lib.mkOverride 10 ''
#type database DBuser origin-address auth-method #type database DBuser origin-address auth-method

23
modules/services/syncthing.nix
View file

@ -1,23 +0,0 @@
{ config, ... }:
let
dir = "/persist/shared/.syncthing";
user = if config.me.gui then "rin" else "hana";
uid = toString config.users.users."${user}".uid;
gid = toString config.users.groups.users.gid;
in
{
systemd.tmpfiles.rules = [
"d ${dir}/config 700 ${uid} ${gid}"
"d ${dir}/data 700 ${uid} ${gid}"
];
systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true";
services.syncthing = {
enable = true;
openDefaultPorts = true;
user = user;
group = "users";
dataDir = "/persist/shared/.syncthing/data";
configDir = "/persist/shared/.syncthing/config";
guiAddress = if config.me.gui then "127.0.0.1:8384" else ":8384";
};
}

27
modules/services/unbound.nix
View file

@ -1,17 +1,8 @@
{ inputs, pkgs, gcSecrets, ... }: { inputs, ... }:
let let
dir = "/persist/unbound"; dir = "/persist/unbound";
converted = pkgs.runCommand "stevenblack-hosts-unbound" {} ''
echo "server:" > "$out"
grep '^0\.0\.0\.0' "${inputs.stevenblack-hosts}/hosts" | awk '{print "local-zone: \""$2"\" always_refuse"}' | tail -n +2 >> "$out"
'';
in { in {
networking.firewall.interfaces."ve-+" = { networking.firewall.interfaces.wlan0 = {
allowedUDPPorts = [ 53 853 ];
allowedTCPPorts = [ 53 853 ];
};
networking.firewall.interfaces.wg0 = {
allowedUDPPorts = [ 53 853 ]; allowedUDPPorts = [ 53 853 ];
allowedTCPPorts = [ 53 853 ]; allowedTCPPorts = [ 53 853 ];
}; };
@ -25,27 +16,17 @@ in {
name = "."; name = ".";
forward-tls-upstream = true; forward-tls-upstream = true;
forward-addr = [ forward-addr = [
"2606:4700:4700::1111@853#cloudflare-dns.com"
"2606:4700:4700::1001@853#cloudflare-dns.com"
"2001:4860:4860::8888@853#dns.google"
"2001:4860:4860::8844@853#dns.google"
"1.1.1.1@853#cloudflare-dns.com" "1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com" "1.0.0.1@853#cloudflare-dns.com"
"8.8.8.8@853#dns.google"
"8.8.4.4@853#dns.google"
]; ];
}]; }];
server = { server = {
interface = [ "0.0.0.0" "::0" ]; interface = [ "0.0.0.0" ];
access-control = [ access-control = [
"127.0.0.1/8 allow" "127.0.0.1/8 allow"
"10.0.0.0/8 allow" "10.0.0.0/8 allow"
"100.64.0.0/10 allow"
"192.168.100.0/24 allow" "192.168.100.0/24 allow"
"fd0d::/16 allow"
"fd7a:115c:a1e0::/48 allow"
"${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
]; ];
domain-insecure = [ "\"local.lava.moe\"" ]; domain-insecure = [ "\"local.lava.moe\"" ];
local-zone = [ "\"warden.local.lava.moe.\" redirect" ]; local-zone = [ "\"warden.local.lava.moe.\" redirect" ];
@ -54,7 +35,7 @@ in {
]; ];
}; };
include = "${converted}"; include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf";
}; };
}; };

43
modules/services/website.nix
View file

@ -1,43 +0,0 @@
{ inputs, pkgs, ... }: let
pastel = inputs.pastel.packages.${pkgs.system}.default;
in {
services.nginx.virtualHosts = {
"cilly.moe" = {
useACMEHost = "cilly.moe";
forceSSL = true;
root = pastel.outPath;
};
"cilly.dev" = {
useACMEHost = "cilly.dev";
forceSSL = true;
root = pastel.outPath;
};
"lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
root = inputs.website.outPath;
};
"cdn.lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
extraConfig = ''
return 301 https://sh.lava.moe$request_uri;
'';
};
"sh.lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
root = "/persist/cdn";
};
"_" = {
default = true;
addSSL = true;
# TODO generate this somewhere
sslCertificate = "/persist/fakeCerts/fake.crt";
sslCertificateKey = "/persist/fakeCerts/fake.key";
extraConfig = ''
return 444;
'';
};
};
}

5
modules/system/base.nix
View file

@ -1,5 +1,5 @@
{ config, inputs, modules, ... }: { { config, inputs, modules, ... }: {
imports = [ modules.binds modules.options ]; imports = [ modules.options ];
environment.etc = { environment.etc = {
"machine-id".source = "/persist/machine-id"; "machine-id".source = "/persist/machine-id";
@ -11,8 +11,6 @@
environment.pathsToLink = [ "/share/zsh" ]; environment.pathsToLink = [ "/share/zsh" ];
i18n.defaultLocale = "en_AU.UTF-8"; i18n.defaultLocale = "en_AU.UTF-8";
i18n.extraLocales = [ "en_GB.UTF-8/UTF-8" ];
users.mutableUsers = false; users.mutableUsers = false;
system = { system = {
@ -23,5 +21,6 @@
}; };
}; };
nix.registry.config.flake = inputs.self; nix.registry.config.flake = inputs.self;
nix.registry.nixpkgs.flake = inputs.nixpkgs;
nix.registry.shells.flake = inputs.self; nix.registry.shells.flake = inputs.self;
} }

4
modules/system/corectrl.nix
View file

@ -1,5 +1,9 @@
{ ... }: { { ... }: {
programs.corectrl = { programs.corectrl = {
enable = true; enable = true;
gpuOverclock = {
enable = true;
ppfeaturemask = "0xffffffff";
};
}; };
} }

13
modules/system/docker.nix
View file

@ -1,13 +0,0 @@
{ pkgs, ... }: {
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
# rootless = {
# enable = true;
# setSocketVariable = true;
# };
};
environment.systemPackages = [
pkgs.docker-compose
];
}

2
modules/system/greetd.nix
View file

@ -3,7 +3,7 @@
enable = true; enable = true;
settings = { settings = {
default_session = { default_session = {
command = "${pkgs.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'"; command = "${pkgs.greetd.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'";
user = "greeter"; user = "greeter";
}; };

1
modules/system/gui.nix
View file

@ -15,6 +15,7 @@
hanazono hanazono
noto-fonts noto-fonts
noto-fonts-cjk-sans noto-fonts-cjk-sans
noto-fonts-extra
open-sans open-sans
twemoji-color-font twemoji-color-font
unifont unifont

16
modules/system/input.nix
View file

@ -6,19 +6,7 @@
"-arinterval 15" "-arinterval 15"
]; ];
}; };
xkb.options = "caps:escape";
}; };
services.keyd = { console.useXkbConfig = true;
enable = true;
keyboards = {
default = {
ids = [ "*" ];
settings = {
main = {
capslock = "esc";
esc = "capslock";
};
};
};
};
};
} }

3
modules/system/nix-stable.nix
View file

@ -1,7 +1,5 @@
{ config, lib, pkgs, ... }: { { config, lib, pkgs, ... }: {
nix = { nix = {
package = pkgs.nixVersions.latest;
settings = rec { settings = rec {
substituters = [ substituters = [
"https://cache.nixos.org?priority=10" "https://cache.nixos.org?priority=10"
@ -19,5 +17,4 @@
''; '';
}; };
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
programs.nh.enable = true;
} }

6
modules/system/nix.nix
View file

@ -1,7 +1,6 @@
{ config, inputs, pkgs, ... }: { { config, lib, pkgs, ... }: {
nix = { nix = {
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; package = pkgs.nixVersions.git;
package = pkgs.nixVersions.latest;
settings = rec { settings = rec {
extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
@ -24,5 +23,4 @@
''; '';
}; };
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
programs.nh.enable = true;
} }

7
modules/system/packages-gui.nix
View file

@ -1,15 +1,16 @@
{ config, lib, pkgs, ... }: { { config, lib, pkgs, ... }: {
config = lib.mkIf config.me.gui { config = lib.mkIf config.me.gui {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
android-tools
gparted gparted
nautilus nautilus
]; ];
programs.adb.enable = true;
hardware.graphics.extraPackages = with pkgs; [ hardware.graphics.extraPackages = with pkgs; [
intel-vaapi-driver vaapiIntel
libva-vdpau-driver vaapiVdpau
libvdpau-va-gl libvdpau-va-gl
]; ];
programs.light.enable = true;
hardware.opentabletdriver.enable = true; hardware.opentabletdriver.enable = true;
hardware.keyboard.qmk.enable = true; hardware.keyboard.qmk.enable = true;
programs.steam = { programs.steam = {

9
modules/system/packages.nix
View file

@ -1,14 +1,12 @@
{ pkgs, ... }: { { pkgs, ... }: {
imports = [ ./packages-gui.nix ]; imports = [ ./packages-gui.nix ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# ecryptfs comma
ecryptfs
efibootmgr efibootmgr
fd
git git
git-crypt
htop htop
jq jq
kitty.terminfo
libarchive libarchive
lf lf
msr-tools msr-tools
@ -16,9 +14,8 @@
neovim neovim
nfs-utils nfs-utils
ntfs3g ntfs3g
ripgrep
rsync
sshfs sshfs
rsync
wget wget
]; ];
environment.variables.EDITOR = "nvim"; environment.variables.EDITOR = "nvim";

30
modules/system/security.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { { config, pkgs, ... }: {
networking.firewall = networking.firewall =
let let
iptables = "${pkgs.iptables}/bin/iptables"; iptables = "${pkgs.iptables}/bin/iptables";
@ -53,33 +53,5 @@
} }
]; ];
}; };
pam = lib.mkIf (config.me.environment != "headless") {
u2f = {
enable = true;
settings = {
cue = true;
pinverification = 1;
};
};
services.doas.rules.auth = {
u2f.settings.pinverification = lib.mkForce 0;
u2f_int = lib.mkMerge [
{
enable = true;
order = config.security.pam.services.doas.rules.auth.u2f.order + 1;
control = "sufficient";
modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so";
inherit (config.security.pam.u2f) settings;
}
{
settings = lib.mkForce {
interactive = true;
pinverification = 0;
userpresence = 0;
};
}
];
};
};
}; };
} }

13
modules/system/tailscale.nix
View file

@ -1,13 +0,0 @@
{ config, lib, ... }: {
age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
me.binds."/var/lib/tailscale" = "tailscale";
networking.firewall.trustedInterfaces = [ "tailscale0" ];
networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ];
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets.tailscale_auth.path;
openFirewall = true;
useRoutingFeatures = if config.me.environment == "headless" then "both" else "client";
};
}

7
modules/services/transmission.nix → modules/system/transmission.nix
View file

@ -5,6 +5,13 @@
downloadDirPermissions = "775"; downloadDirPermissions = "775";
openFirewall = true; openFirewall = true;
settings = { settings = {
alt-speed-down = 512;
alt-speed-enabled = true;
alt-speed-time-begin = 360;
alt-speed-time-day = 127;
alt-speed-time-enabled = true;
alt-speed-time-end = 1380;
alt-speed-up = 256;
download-dir = "/persist/transmission/Downloads"; download-dir = "/persist/transmission/Downloads";
incomplete-dir = "/persist/transmission/.incomplete"; incomplete-dir = "/persist/transmission/.incomplete";
ratio-limit-enabled = true; ratio-limit-enabled = true;

126
modules/system/wireguard.nix
View file

@ -1,11 +1,13 @@
{ config, lib, pkgs, gcSecrets, ... }: { config, lib, pkgs, ... }:
let let
port = 51801; port = 51820;
serverName = "dandelion"; serverName = "sugarcane";
serverInterface = "enp0s6"; serverInterface = "ens3";
serverIp = gcSecrets.wireguard.gateway; serverIp = "51.79.240.130";
forwarding = { forwarding = {
"80" = [ "10.100.0.2" "80" ];
"443" = [ "10.100.0.2" "443" ];
"22727" = [ "10.100.0.3" "7777" ]; "22727" = [ "10.100.0.3" "7777" ];
}; };
@ -18,61 +20,52 @@ let
in '' in ''
${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport} ${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport}
${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT ${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT
${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p udp --dport ${sport} -j DNAT --to ${dest}:${dport}
${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT
'') forwarding '') forwarding
); );
clients = { routeBypass = {
caramel = {
gateway = "192.168.100.1";
interface = "wlan0";
routes = [
serverIp
];
};
hyacinth = { hyacinth = {
publicKey = "6nVhazYdmC15A/nke9VrqIg3sOBVOmqj4GEsyBq7MVo="; gateway = "192.168.100.1";
allowedIPs = [ "10.100.0.3/32" "${gcSecrets.wireguard.ipv6Subnet}:3" "fd0d::3" ]; interface = "enp5s0";
interfaces = { routes = [
wg0 = { peers = [ server6OnlyPeer ]; }; serverIp
wg1 = { peers = [ serverPeer ]; autostart = false; }; ];
wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
};
};
anemone = {
publicKey = "px5+JNdAmqBvUC++DhiJrUBRAr+BYP6iYVt4sbhPTWY=";
allowedIPs = [ "10.100.0.4/32" "${gcSecrets.wireguard.ipv6Subnet}:4" "fd0d::4" ];
interfaces = {
wg0 = { peers = [ server6OnlyPeer ]; };
wg1 = { peers = [ serverPeer ]; autostart = false; };
wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
};
};
hibiscus = {
publicKey = "vQ5a2KMrwi7RCRsD0yvog+n35vQYFuvwiPn+W4lbRBw=";
allowedIPs = [ "10.100.0.5/32" "${gcSecrets.wireguard.ipv6Subnet}:5" "fd0d::5" ];
interfaces = {
wg0 = { peers = [ server6OnlyPeer ]; };
wg1 = { peers = [ serverPeer ]; autostart = false; };
wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
};
};
hazel = {
publicKey = "0zruTndObzHo+b1rbOuTsxCU97epygZycxXS/lgUHUc=";
allowedIPs = [ "10.100.0.21/32" "${gcSecrets.wireguard.ipv6Subnet}:21" "fd0d::21" ];
interfaces = {
wg0 = {
dns = [ "::1" "127.0.0.1" ];
peers = [ serverLocalOnlyPeer ];
};
};
}; };
}; };
clientPeers = builtins.map (client: builtins.removeAttrs client [ "interfaces" ]) (builtins.attrValues clients); clients = {
serverPeerWith = ips: { caramel = {
publicKey = "VDqcpS0lJzFgwikj61MJ1xc9P8Cuq0NXa+Hc+etn2iA=";
allowedIPs = [ "10.100.0.2/32" ];
};
hyacinth = {
publicKey = "6nVhazYdmC15A/nke9VrqIg3sOBVOmqj4GEsyBq7MVo=";
allowedIPs = [ "10.100.0.3/32" ];
};
strawberry = {
publicKey = "Fkcp/VSN4Dkhly8V4hskF4lnDviA7VZHCnWf7OliFCg=";
allowedIPs = [ "10.100.0.4/32" ];
};
maple = {
publicKey = "kPw8hpANygfz83Oi/l+iCVYalV2zfs7fhkccjoGG2Do=";
allowedIPs = [ "10.100.0.5/32" ];
};
};
clientPeers = builtins.attrValues clients;
serverPeer = {
publicKey = "3ugIk2tQZXjAH9/95s63ld2WNUHQrd4Mz5jzbln6oj0="; publicKey = "3ugIk2tQZXjAH9/95s63ld2WNUHQrd4Mz5jzbln6oj0=";
allowedIPs = ips; allowedIPs = [ "0.0.0.0/0" ];
endpoint = "${serverIp}:${toString port}"; endpoint = "${serverIp}:${toString port}";
persistentKeepalive = 25; persistentKeepalive = 25;
}; };
serverPeer = serverPeerWith [ "0.0.0.0/0" "::/0" ];
server6OnlyPeer = serverPeerWith [ "10.100.0.0/24" "::/0" ];
serverLocalOnlyPeer = serverPeerWith [ "10.100.0.0/24" "fd0d::/16" ];
serverConfig = { serverConfig = {
nat = { nat = {
@ -86,7 +79,7 @@ let
}; };
wireguard.interfaces.wg0 = { wireguard.interfaces.wg0 = {
ips = [ "10.100.0.1/24" "${gcSecrets.wireguard.ipv6Subnet}:1" "fd0d::1" ]; ips = [ "10.100.0.1/24" ];
listenPort = port; listenPort = port;
postSetup = '' postSetup = ''
@ -104,24 +97,33 @@ let
}; };
clientConfig = { clientConfig = {
wg-quick.interfaces = wireguard.interfaces.wg0 =
let let
client = clients."${config.networking.hostName}"; client = clients."${config.networking.hostName}";
in routes = routeBypass."${config.networking.hostName}";
builtins.mapAttrs (interface: conf: { mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} via ${routes.gateway} dev ${routes.interface}") routes.routes;
address = client.allowedIPs; in {
dns = [ "fd0d::1" "10.100.0.1" ]; ips = client.allowedIPs;
privateKeyFile = config.age.secrets."wg_${config.networking.hostName}".path; listenPort = port;
} // conf) client.interfaces;
postSetup = ''
${mapRoutes "add"}
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
'';
postShutdown = ''
${mapRoutes "del"}
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
'';
privateKeyFile = config.age.secrets."wg_${config.networking.hostName}".path;
peers = [ serverPeer ];
};
}; };
in { in {
boot.kernel.sysctl = lib.mkIf (config.networking.hostName == serverName) ({
"net.ipv6.conf.all.forwarding" = true;
"net.ipv6.conf.default.forwarding" = true;
});
networking = networking =
lib.mkMerge [ lib.mkMerge [
(lib.mkIf (config.networking.hostName == serverName) serverConfig) (lib.mkIf (config.networking.hostName == serverName) serverConfig)
(lib.mkIf (config.networking.hostName != serverName) clientConfig) (lib.mkIf (builtins.hasAttr config.networking.hostName clients) clientConfig)
]; ];
} }

4
modules/user/catppuccin.nix
View file

@ -14,7 +14,7 @@
config = { config = {
catppuccin = { catppuccin = {
accent = lib.mkDefault "pink"; accent = "maroon";
flavor = lib.mkDefault "mocha"; flavor = lib.mkDefault "mocha";
kitty.enable = true; kitty.enable = true;
gtk.enable = true; gtk.enable = true;
@ -53,7 +53,7 @@
echo "invalid theme, valid values: [dark, light, restore]" echo "invalid theme, valid values: [dark, light, restore]"
exit 1 exit 1
fi fi
current="$HOME/.local/state/home-manager/gcroots/current-home/" current="$HOME/.local/state/nix/profiles/home-manager"
cached="$HOME/.local/state/last-parent-specialisation" cached="$HOME/.local/state/last-parent-specialisation"
if [ -d "$current/specialisation" ]; then if [ -d "$current/specialisation" ]; then
if [ -d "$cached" ]; then if [ -d "$cached" ]; then

7
modules/user/comma.nix
View file

@ -1,7 +0,0 @@
{ inputs, ... }: {
imports = [
inputs.nix-index-database.homeModules.default
];
programs.nix-index.enable = true;
programs.nix-index-database.comma.enable = true;
}

2
modules/user/direnv.nix
View file

@ -5,7 +5,7 @@
enable = true; enable = true;
}; };
}; };
programs.git.settings.core.excludesFile = ".envrc"; programs.git.extraConfig.core.excludesFile = ".envrc";
# We can't use .source since hm manages this file too # We can't use .source since hm manages this file too
xdg.configFile."direnv/direnvrc".text = builtins.readFile ../../res/direnvrc; xdg.configFile."direnv/direnvrc".text = builtins.readFile ../../res/direnvrc;
home.activation = { home.activation = {

4
modules/user/eww.nix
View file

@ -21,9 +21,9 @@ let
''; '';
}; };
in { in {
home.packages = with pkgs; [ iw socat ]; home.packages = with pkgs; [ socat ];
programs.eww = { programs.eww = {
enable = true; enable = true;
configDir = res;
}; };
xdg.configFile."eww".source = res;
} }

7
modules/user/git.nix
View file

@ -1,16 +1,15 @@
{ ... }: { { ... }: {
programs.git = { programs.git = {
enable = true; enable = true;
userName = "LavaDesu";
userEmail = "me@lava.moe";
signing = { signing = {
key = "059F098EBF0E9A13E10A46BF6500251E087653C9"; key = "059F098EBF0E9A13E10A46BF6500251E087653C9";
signByDefault = true; signByDefault = true;
}; };
settings = { extraConfig = {
user.name = "Cilly Leang";
user.email = "mini@cilly.moe";
core.abbrev = 11; core.abbrev = 11;
safe.directory = "/home/rin/Projects/flakes"; safe.directory = "/home/rin/Projects/flakes";
init.defaultBranch = "master";
}; };
}; };
} }

2
modules/user/gpg.nix
View file

@ -5,6 +5,6 @@
}; };
services.gpg-agent = { services.gpg-agent = {
enable = true; enable = true;
pinentry.package = pkgs.pinentry-gnome3; pinentryPackage = pkgs.pinentry-gnome3;
}; };
} }

12
modules/user/hypridle.nix
View file

@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
kblight = "brightnessctl -d ${config.me.kbBacklightDevice}"; kblight = "light -s sysfs/leds/${config.me.kbBacklightDevice}";
in in
{ {
home.packages = [ config.services.hypridle.package ]; home.packages = [ config.services.hypridle.package ];
@ -16,18 +16,18 @@ in
listener = lib.optionals (config.me.kbBacklightDevice != null) [ listener = lib.optionals (config.me.kbBacklightDevice != null) [
{ {
timeout = 120; timeout = 120;
on-timeout = "${kblight} -s && ${kblight} 0"; on-timeout = "${kblight} -O && ${kblight} -S 0";
on-resume = "${kblight} -r"; on-resume = "${kblight} -I";
} }
] ++ [ ] ++ [
{ {
timeout = 150; timeout = 150;
on-timeout = "brightnessctl -s && brightnessctl 50%-"; on-timeout = "light -O && light -T 0.5";
on-resume = "brightnessctl -r"; on-resume = "light -I";
} }
{ {
timeout = 180; timeout = 180;
on-timeout = "brightnessctl -r && loginctl lock-session"; on-timeout = "light -I && loginctl lock-session";
} }
{ {
timeout = 195; timeout = 195;

56
modules/user/hyprlock.nix
View file

@ -1,17 +1,4 @@
{ config, lib, ... }: { config, lib, ... }: {
let
scaling = if config.me.hidpi then 1 else 0.5;
s = value: if builtins.isInt value || builtins.isFloat value
then
builtins.floor (value * scaling)
else if builtins.isList value
then
lib.strings.concatMapStringsSep "," (v: builtins.toString (scaling * v)) value
else
builtins.throw "invalid scaled value type ${builtins.typeOf value} for ${value}";
sn = value: s (builtins.map (v: (-v)) value);
in
{
programs.hyprlock = { programs.hyprlock = {
enable = true; enable = true;
settings = { settings = {
@ -29,27 +16,26 @@ in
monitor = ""; monitor = "";
color = "$base"; color = "$base";
}; };
shape = lib.optionals (config.me.batteryDevice != null) [ shape = [
# Battery pill # Battery pill
{ {
monitor = ""; monitor = "";
size = s [165 65]; size = "165, 65";
color = "$crust"; color = "$crust";
rounding = -1; rounding = -1;
halign = "right"; halign = "right";
valign = "top"; valign = "top";
position = sn [595 10]; position = "-595,-10";
} }
] ++ [
# Time pill # Time pill
{ {
monitor = ""; monitor = "";
size = s [545 65]; size = "545, 65";
color = "$crust"; color = "$crust";
rounding = -1; rounding = -1;
halign = "right"; halign = "right";
valign = "top"; valign = "top";
position = sn [40 10]; position = "-40,-10";
} }
]; ];
label = lib.optionals config.me.hasFingerprint [ label = lib.optionals config.me.hasFingerprint [
@ -58,10 +44,10 @@ in
monitor = ""; monitor = "";
color = "$text"; color = "$text";
font_family = "Material Symbols Outlined"; font_family = "Material Symbols Outlined";
font_size = s 64; font_size = 64;
halign = "center"; halign = "center";
valign = "top"; valign = "top";
position = sn [0 100]; position = "0, -100";
text = ""; text = "";
} }
# Fingerprint text # Fingerprint text
@ -69,9 +55,9 @@ in
monitor = ""; monitor = "";
color = "$text"; color = "$text";
text = "$FPRINTPROMPT"; text = "$FPRINTPROMPT";
font_size = s 25; font_size = 25;
font_family = "Open Sans"; font_family = "Open Sans";
position = sn [0 235]; position = "0, -235";
halign = "center"; halign = "center";
valign = "top"; valign = "top";
} }
@ -82,8 +68,8 @@ in
text = ""; text = "";
color = "$accent"; color = "$accent";
font_family = "Material Symbols Outlined"; font_family = "Material Symbols Outlined";
font_size = s 27; font_size = 27;
position = sn [695 20]; position = "-695, -20";
halign = "right"; halign = "right";
valign = "top"; valign = "top";
} }
@ -92,9 +78,9 @@ in
monitor = ""; monitor = "";
text = ''cmd[update:60000] echo "<span weight='700'>$(cat /sys/class/power_supply/${config.me.batteryDevice}/capacity)%</span>"''; text = ''cmd[update:60000] echo "<span weight='700'>$(cat /sys/class/power_supply/${config.me.batteryDevice}/capacity)%</span>"'';
color = "$text"; color = "$text";
font_size = s 23; font_size = 23;
font_family = "Open Sans"; font_family = "Open Sans";
position = sn [625 20]; position = "-625, -20";
halign = "right"; halign = "right";
valign = "top"; valign = "top";
} }
@ -104,10 +90,10 @@ in
monitor = ""; monitor = "";
color = "$text"; color = "$text";
font_family = "Open Sans"; font_family = "Open Sans";
font_size = s 23; font_size = 23;
halign = "right"; halign = "right";
valign = "top"; valign = "top";
position = sn [70 20]; position = "-70, -20";
text = ''cmd[update:1000] echo "<span alpha='70%' weight='550'>$(date '+%A, %d %B %Y')</span> <span weight='700'>$(date +%H:%M)</span><span alpha='70%' weight='550'>$(date +:%S)</span>"''; text = ''cmd[update:1000] echo "<span alpha='70%' weight='550'>$(date '+%A, %d %B %Y')</span> <span weight='700'>$(date +%H:%M)</span><span alpha='70%' weight='550'>$(date +:%S)</span>"'';
} }
@ -116,17 +102,17 @@ in
monitor = ""; monitor = "";
color = "$red"; color = "$red";
font_family = "Open Sans"; font_family = "Open Sans";
font_size = s 25; font_size = 25;
text = "$FAIL $ATTEMPTS[]"; text = "$FAIL $ATTEMPTS[]";
position = sn [0 200]; position = "0, -200";
halign = "center"; halign = "center";
valign = "center"; valign = "center";
} }
]; ];
input-field = { input-field = {
monitor = ""; monitor = "";
size = s [600 120]; size = "600, 120";
outline_thickness = s 4; outline_thickness = 4;
check_color = "$peach"; check_color = "$peach";
dots_size = 0.2; dots_size = 0.2;
dots_spacing = 0.2; dots_spacing = 0.2;
@ -139,7 +125,7 @@ in
fade_on_empty = false; fade_on_empty = false;
hide_input = false; hide_input = false;
capslock_color = "$yellow"; capslock_color = "$yellow";
position = sn [0 47]; position = "0, -47";
halign = "center"; halign = "center";
valign = "center"; valign = "center";
}; };

5
modules/user/mpv.nix
View file

@ -1,7 +1,8 @@
{ pkgs, ... }: { { config, pkgs, ... }: {
programs.mpv = { programs.mpv = {
enable = true; enable = true;
package = pkgs.mpv.override { package = pkgs.mpv-unwrapped.wrapper {
mpv = pkgs.mpv-unwrapped;
youtubeSupport = true; youtubeSupport = true;
scripts = [ pkgs.mpvScripts.mpris ]; scripts = [ pkgs.mpvScripts.mpris ];
}; };

12
modules/user/neovim-minimal.nix
View file

@ -9,12 +9,11 @@
vimAlias = true; vimAlias = true;
vimdiffAlias = true; vimdiffAlias = true;
withNodeJs = false; withNodeJs = false;
withPython3 = false;
withRuby = false;
plugins = with pkgs.vimPlugins; [ plugins = with pkgs.vimPlugins; [
fzf-vim ctrlp-vim
lualine-nvim lualine-nvim
nerdtree
tokyonight-nvim tokyonight-nvim
vim-fugitive vim-fugitive
vim-nix vim-nix
@ -22,7 +21,14 @@
vim-signify vim-signify
vim-surround vim-surround
nvim-cmp
nvim-lspconfig
cmp-nvim-lsp
cmp_luasnip
luasnip
(nvim-treesitter.withPlugins (p: with p; [ (nvim-treesitter.withPlugins (p: with p; [
tree-sitter-comment
tree-sitter-json tree-sitter-json
tree-sitter-lua tree-sitter-lua
tree-sitter-nix tree-sitter-nix

37
modules/user/neovim.nix
View file

@ -1,9 +1,9 @@
{ config, lib, pkgs, sysConfig, ... }: { config, lib, pkgs, ... }:
let let
luaconf = pkgs.writeText "config.lua" luaconf = pkgs.writeText "config.lua"
(lib.replaceStrings (lib.replaceStrings
["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}" "{{USERNAME}}" "{{HOSTNAME}}"] ["{{OMNISHARP_PATH}}" "{{DART_PATH}}" "{{CATPPUCCIN_FLAVOUR}}"]
["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor config.home.username sysConfig.networking.hostName] ["${pkgs.omnisharp-roslyn}/bin/OmniSharp" "${pkgs.dart}/bin/dart" config.catppuccin.nvim.flavor]
(builtins.readFile ../../res/config.lua)); (builtins.readFile ../../res/config.lua));
in { in {
systemd.user.tmpfiles.rules = [ systemd.user.tmpfiles.rules = [
@ -17,35 +17,25 @@ in {
vimdiffAlias = true; vimdiffAlias = true;
#package = pkgs.neovim-nightly; #package = pkgs.neovim-nightly;
withNodeJs = true; withNodeJs = true;
withPython3 = true;
withRuby = false;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
nixd
rust-analyzer rust-analyzer
texlab nodePackages."@prisma/language-server"
astro-language-server nodePackages.diagnostic-languageserver
tailwindcss-language-server nodePackages.eslint_d
diagnostic-languageserver nodePackages.typescript-language-server
eslint_d nodePackages.vscode-langservers-extracted
typescript-language-server nodePackages.yaml-language-server
vscode-langservers-extracted
yaml-language-server
]; ];
plugins = with pkgs.vimPlugins; [ plugins = with pkgs.vimPlugins; [
autoclose-nvim
auto-save-nvim
flutter-tools-nvim flutter-tools-nvim
fzf-vim fzf-vim
fzf-lsp-nvim fzf-lsp-nvim
lualine-nvim lualine-nvim
nvim-ts-autotag
nvim-web-devicons
plenary-nvim plenary-nvim
tokyonight-nvim tokyonight-nvim
vim-fugitive vim-fugitive
vim-latex-live-preview
vim-nix vim-nix
vim-repeat vim-repeat
vim-signify vim-signify
@ -55,7 +45,6 @@ in {
nvim-cmp nvim-cmp
nvim-dap nvim-dap
nvim-highlight-colors
nvim-lspconfig nvim-lspconfig
cmp-nvim-lsp cmp-nvim-lsp
cmp_luasnip cmp_luasnip
@ -63,33 +52,27 @@ in {
#(pkgs.me.nvim-treesitter-nightly.withPlugins (p: with p; [ #(pkgs.me.nvim-treesitter-nightly.withPlugins (p: with p; [
(nvim-treesitter.withPlugins (p: with p; [ (nvim-treesitter.withPlugins (p: with p; [
tree-sitter-astro
tree-sitter-bash tree-sitter-bash
tree-sitter-c tree-sitter-c
tree-sitter-c-sharp tree-sitter-c-sharp
tree-sitter-cpp tree-sitter-cpp
tree-sitter-groovy
tree-sitter-html tree-sitter-html
tree-sitter-java
tree-sitter-javascript tree-sitter-javascript
tree-sitter-json tree-sitter-json
tree-sitter-kotlin
tree-sitter-latex
tree-sitter-lua tree-sitter-lua
tree-sitter-markdown tree-sitter-markdown
tree-sitter-nix tree-sitter-nix
tree-sitter-php tree-sitter-php
tree-sitter-prisma
tree-sitter-python tree-sitter-python
tree-sitter-query tree-sitter-query
tree-sitter-regex tree-sitter-regex
tree-sitter-rust tree-sitter-rust
tree-sitter-swift
tree-sitter-toml tree-sitter-toml
tree-sitter-tsx tree-sitter-tsx
tree-sitter-typescript tree-sitter-typescript
tree-sitter-vim tree-sitter-vim
tree-sitter-vimdoc tree-sitter-vimdoc
tree-sitter-xml
tree-sitter-yaml tree-sitter-yaml
])) ]))
]; ];

1
modules/user/rofi.nix
View file

@ -16,6 +16,7 @@ let
in { in {
programs.rofi = { programs.rofi = {
enable = true; enable = true;
package = pkgs.rofi-wayland;
theme = "theme"; theme = "theme";
}; };
xdg.configFile."rofi/theme.rasi".source = theme; xdg.configFile."rofi/theme.rasi".source = theme;

1
modules/user/spicetify.nix
View file

@ -40,6 +40,7 @@ in
shuffle shuffle
hidePodcasts hidePodcasts
skipStats
songStats songStats
history history
volumePercentage volumePercentage

44
modules/user/zsh.nix
View file

@ -38,8 +38,7 @@ let
jf = "doas journalctl -f"; jf = "doas journalctl -f";
fl = "cd ~/Projects/flakes"; fl = "cd ~/Projects/flakes";
nr = "nh os switch"; nr = "doas nixos-rebuild switch --flake .#${sysConfig.networking.hostName} -v -L";
nb = "nh os boot";
gs = "git status"; gs = "git status";
ga = "git add"; ga = "git add";
@ -102,9 +101,10 @@ let
bindkey -a -r ':' bindkey -a -r ':'
''; '';
in { in {
programs.command-not-found.enable = true;
programs.zsh = { programs.zsh = {
enable = true; enable = true;
dotDir = "${config.xdg.configHome}/zsh"; dotDir = ".config/zsh";
autocd = true; autocd = true;
defaultKeymap = "viins"; defaultKeymap = "viins";
@ -117,6 +117,14 @@ in {
}; };
enableCompletion = true; enableCompletion = true;
initExtraBeforeCompInit = ''
fpath+=(/run/current-system/sw/share/zsh/site-functions)
zstyle ':completion:*' completer _complete
zstyle ':completion:*' matcher-list "" 'm:{[:lower:][:upper:]-_}={[:upper:][:lower:]_-}' '+l:|=* r:|=*'
zstyle ':completion:*' menu select
_comp_options+=(globdots)
zmodload zsh/complist
'';
localVariables = { localVariables = {
KEYTIMEOUT = "1"; KEYTIMEOUT = "1";
@ -130,26 +138,16 @@ in {
ls = "ls --color=auto --group-directories-first -v"; ls = "ls --color=auto --group-directories-first -v";
diff = "diff -Naur --color=auto"; diff = "diff -Naur --color=auto";
}; };
initContent = lib.mkMerge [ initExtraFirst = ''
(lib.mkBefore '' autoload -U colors && colors
autoload -U colors && colors '';
'') initExtra = lib.concatStringsSep "\n" [
(lib.mkOrder 550 '' pure
fpath+=(/run/current-system/sw/share/zsh/site-functions) cursorShape
zstyle ':completion:*' completer _complete direnv
zstyle ':completion:*' matcher-list "" 'm:{[:lower:][:upper:]-_}={[:upper:][:lower:]_-}' '+l:|=* r:|=*' genAbbrs
zstyle ':completion:*' menu select viExtraNav
_comp_options+=(globdots) disableExecute
zmodload zsh/complist
'')
(lib.concatStringsSep "\n" [
pure
cursorShape
direnv
genAbbrs
viExtraNav
disableExecute
])
]; ];
plugins = builtins.map (e: pluginFromInput e) [ plugins = builtins.map (e: pluginFromInput e) [

27
overlays/android-studio.nix Normal file
View file

@ -0,0 +1,27 @@
self: { bash, buildFHSEnv, cacert, ncurses5, runCommand, ... } @ super:
let
drvName = super.android-studio.name;
fhsEnv = buildFHSEnv {
name = "${drvName}-fhs-env";
# google's analytics calls jdk's getOperatingSystemMXBean which tries to parse cgroups and ultimately fails for whatever reason with an npe
unshareCgroup = false;
multiPkgs = pkgs: [
ncurses5
(runCommand "fedoracert" {}
''
mkdir -p $out/etc/pki/tls/
ln -s ${cacert}/etc/ssl/certs $out/etc/pki/tls/certs
'')
];
};
startScript = ''
#!${bash}/bin/bash
${fhsEnv}/bin/${drvName}-fhs-env ${super.android-studio.passthru.unwrapped}/bin/studio.sh "$@"
'';
in {
android-studio = super.android-studio.overrideAttrs(_: {
inherit startScript;
});
}

19
overlays/bitwarden-desktop.nix
View file

@ -1,19 +0,0 @@
# https://github.com/NixOS/nixpkgs/pull/374068
self: super: {
bitwarden-desktop = super.bitwarden-desktop.overrideAttrs (o: {
preBuild = o.preBuild + ''
pushd apps/desktop/desktop_native/proxy
cargo build --offline --bin desktop_proxy --release
popd
'';
installPhase = builtins.replaceStrings ["runHook preInstall"] [''
runHook preInstall
install -Dm755 -t $out/bin apps/desktop/desktop_native/target/release/desktop_proxy
mkdir -p $out/lib/mozilla/native-messaging-hosts
substituteAll ${./patches/firefox-native-messaging-host.json} $out/lib/mozilla/native-messaging-hosts/com.8bit.bitwarden.json
''] o.installPhase;
});
}

6
overlays/default.nix
View file

@ -1,12 +1,10 @@
builtins.map (path: import path) [ builtins.map (path: import path) [
./bitwarden-desktop.nix ./android-studio.nix
./cascadia-code.nix ./cascadia-code.nix
./ccache.nix ./ccache.nix
./eww.nix ./eww.nix
./jetbrains.nix
./material-icons.nix ./material-icons.nix
./openldap.nix ./rofi.nix
./steam.nix ./steam.nix
./utillinux.nix ./utillinux.nix
./wpa-supplicant.nix
] ]

22
overlays/jetbrains.nix
View file

@ -1,22 +0,0 @@
# https://github.com/NixOS/nixpkgs/issues/375254
self: super: {
jetbrains = super.jetbrains // {
gateway = let
unwrapped = super.jetbrains.gateway;
in super.buildFHSEnv {
name = "gateway";
inherit (unwrapped) version;
runScript = super.writeScript "gateway-wrapper" ''
unset JETBRAINS_CLIENT_JDK
exec ${unwrapped}/bin/gateway "$@"
'';
meta = unwrapped.meta;
passthru = {
inherit unwrapped;
};
};
};
}

6
overlays/linux-lava.nix
View file

@ -1,16 +1,12 @@
self: super: let self: super: let
llvmPackages = super.llvmPackages_19; llvmPackages = super.llvmPackages_19;
clangVersion = super.lib.versions.major llvmPackages.libclang.version; clangVersion = super.lib.versions.major llvmPackages.libclang.version;
addFlagsScript = "$out/nix-support/add-local-cc-cflags-before.sh";
cc = llvmPackages.stdenv.cc.override { cc = llvmPackages.stdenv.cc.override {
# :sob: see https://github.com/NixOS/nixpkgs/issues/142901 # :sob: see https://github.com/NixOS/nixpkgs/issues/142901
bintools = llvmPackages.bintools; bintools = llvmPackages.bintools;
# https://github.com/NixOS/nixpkgs/issues/368850
extraBuildCommands = '' extraBuildCommands = ''
cat <(echo "NIX_CC_WRAPPER_SUPPRESS_TARGET_WARNING=1") "${addFlagsScript}" > "${addFlagsScript}.new"
mv "${addFlagsScript}.new" "${addFlagsScript}"
substituteInPlace "$out/nix-support/cc-cflags" --replace " -nostdlibinc" "" substituteInPlace "$out/nix-support/cc-cflags" --replace " -nostdlibinc" ""
substituteInPlace "$out/nix-support/add-local-cc-cflags-before.sh" --replace 'echo "Warning: supplying the --target argument to a nix-wrapped compiler may not work correctly - cc-wrapper is currently not designed with multi-target compilers in mind. You may want to use an un-wrapped compiler instead." >&2' ""
echo " -resource-dir=${llvmPackages.libclang.lib}/lib/clang/${clangVersion}" >> $out/nix-support/cc-cflags echo " -resource-dir=${llvmPackages.libclang.lib}/lib/clang/${clangVersion}" >> $out/nix-support/cc-cflags
''; '';
}; };

9
overlays/openldap.nix
View file

@ -1,9 +0,0 @@
self: super: {
# openldap i686 fails checks
# issue: https://github.com/NixOS/nixpkgs/issues/514113
# workaround: https://github.com/NixOS/nixpkgs/issues/513245#issuecomment-4320293674
# fix: https://github.com/NixOS/nixpkgs/pull/515956
openldap = super.openldap.overrideAttrs {
doCheck = !self.stdenv.hostPlatform.isi686;
};
}

7
overlays/patches/firefox-native-messaging-host.json
View file

@ -1,7 +0,0 @@
{
"name": "com.8bit.bitwarden",
"description": "Bitwarden desktop <-> browser bridge",
"path": "@out@/bin/desktop_proxy",
"type": "stdio",
"allowed_extensions": ["{446900e4-71c2-419f-a6a7-df9c091e268b}"]
}

13
overlays/patches/wpa-supplicant.patch
View file

@ -1,13 +0,0 @@
diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
index 58a6228..fbe7de3 100644
--- a/wpa_supplicant/systemd/wpa_supplicant.service.in
+++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
@@ -7,7 +7,7 @@ Wants=network.target
[Service]
Type=dbus
BusName=fi.w1.wpa_supplicant1
-ExecStart=@BINDIR@/wpa_supplicant -u
+ExecStart=@BINDIR@/wpa_supplicant -u -q
[Install]
WantedBy=multi-user.target

13
overlays/rofi.nix Normal file
View file

@ -0,0 +1,13 @@
self: super: {
rofi-unwrapped = super.rofi-unwrapped.overrideAttrs (_: rec {
version = "1.7.2";
src = super.fetchFromGitHub {
owner = "davatorium";
repo = "rofi";
rev = version;
fetchSubmodules = true;
sha256 = "0yarkzhn7vxqxafmz196kvklzwdxygbhd0d29gxm7lrfba8brdxy";
};
});
}

4
overlays/steam.nix
View file

@ -5,5 +5,9 @@ self: super: {
keyutils keyutils
gamescope gamescope
]; ];
extraLibraries = pkgs: with pkgs; [
openssl_1_1
];
}; };
} }

6
overlays/wpa-supplicant.nix
View file

@ -1,6 +0,0 @@
self: super: {
# Thanks https://discourse.nixos.org/t/journal-logs-spammed-with-ctrl-event-scan-failed/56316/5
wpa_supplicant = super.wpa_supplicant.overrideAttrs(o: {
patches = o.patches ++ [ ./patches/wpa-supplicant.patch ];
});
}

13
packages/linux-lava/bluetooth.patch
View file

@ -1,13 +0,0 @@
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index ef9689f8776..aabbc031b5f 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -759,6 +759,8 @@ static const struct usb_device_id quirks_table[] = {
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x2b89, 0x8761), .driver_info = BTUSB_REALTEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x2c4e, 0x0115), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
/* Additional Realtek 8821AE Bluetooth devices */
{ USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },

4
packages/linux-lava/default.nix
View file

@ -56,10 +56,6 @@ let
INIT_STACK_ALL_ZERO = yes; INIT_STACK_ALL_ZERO = yes;
INIT_STACK_NONE = no; INIT_STACK_NONE = no;
# bore
SCHED_BORE = yes;
MIN_BASE_SLICE_NS = freeform "2000000";
# tickless timers # tickless timers
HZ_PERIODIC = no; HZ_PERIODIC = no;
NO_HZ = yes; NO_HZ = yes;

Some files were not shown because too many files have changed in this diff Show more