cilly/flakes
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Compare commits

base: cilly:master
Branches Tags
cilly:master
cilly:feat/immich
cilly:feat/restic
cilly:feat/cont
cilly:feat/smb
cilly:feat/soulbeet
cilly:opencloud
cilly:staging/dandelion_260528
cilly:bootstrap/alyssum
cilly:dev/slskd_envtest
cilly:feat/emerald
cilly:feat/diamond
cilly:dev/citrine
cilly:dev/tewst
cilly:staging_auto/20260316
cilly:up/dandelion_20260315
cilly:staging_auto/20260315
cilly:staging_auto/20260314
cilly:staging_auto/20260313
cilly:staging_auto/20260312
cilly:staging_auto/20260311
cilly:staging_auto/20260310
cilly:staging_auto/20260309
cilly:staging_auto/20260308
cilly:staging_auto/20260307
cilly:staging_auto/20260306
cilly:staging_auto/20260305
cilly:staging_auto/20260304
cilly:staging_auto/20260303
cilly:staging_auto/20260302
cilly:staging_auto/20260301
cilly:staging_auto/20260228
cilly:staging_auto/20260227
cilly:staging_auto/20260226
cilly:staging_auto/20260225
cilly:staging_auto/20260224
cilly:staging_auto/20260223
cilly:staging_auto/20260222
cilly:staging_auto/20260221
cilly:staging_auto/20260220
cilly:staging_auto/20260219
cilly:staging/20251122
cilly:staging/20250812
cilly:dev/unbound
cilly:dev/wg2
cilly:dev/dandelion2
cilly:test/git-crypt
cilly:dev/server
cilly:dev/options
cilly:dev/workflow
cilly:bootstrap/dandelion
cilly:bootstrap/anemone
cilly:tmp/sugarcane_raccoon
cilly:tmp/caramel_raccoon
cilly:tmp/caramel
cilly:tmp/jellyfin
cilly:temp/caramelgone
cilly:testing/linux-tkg
cilly:testing/wine2
..
compare: cilly:tmp/caramel_raccoon
Branches Tags
cilly:feat/immich
cilly:feat/restic
cilly:master
cilly:feat/cont
cilly:feat/smb
cilly:feat/soulbeet
cilly:opencloud
cilly:staging/dandelion_260528
cilly:bootstrap/alyssum
cilly:dev/slskd_envtest
cilly:feat/emerald
cilly:feat/diamond
cilly:dev/citrine
cilly:dev/tewst
cilly:staging_auto/20260316
cilly:up/dandelion_20260315
cilly:staging_auto/20260315
cilly:staging_auto/20260314
cilly:staging_auto/20260313
cilly:staging_auto/20260312
cilly:staging_auto/20260311
cilly:staging_auto/20260310
cilly:staging_auto/20260309
cilly:staging_auto/20260308
cilly:staging_auto/20260307
cilly:staging_auto/20260306
cilly:staging_auto/20260305
cilly:staging_auto/20260304
cilly:staging_auto/20260303
cilly:staging_auto/20260302
cilly:staging_auto/20260301
cilly:staging_auto/20260228
cilly:staging_auto/20260227
cilly:staging_auto/20260226
cilly:staging_auto/20260225
cilly:staging_auto/20260224
cilly:staging_auto/20260223
cilly:staging_auto/20260222
cilly:staging_auto/20260221
cilly:staging_auto/20260220
cilly:staging_auto/20260219
cilly:staging/20251122
cilly:staging/20250812
cilly:dev/unbound
cilly:dev/wg2
cilly:dev/dandelion2
cilly:test/git-crypt
cilly:dev/server
cilly:dev/options
cilly:dev/workflow
cilly:bootstrap/dandelion
cilly:bootstrap/anemone
cilly:tmp/sugarcane_raccoon
cilly:tmp/caramel_raccoon
cilly:tmp/caramel
cilly:tmp/jellyfin
cilly:temp/caramelgone
cilly:testing/linux-tkg
cilly:testing/wine2

No commits in common. "master" and "tmp/caramel_raccoon" have entirely different histories.
master ... tmp/carame

206 changed files with 3622 additions and 4560 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.git-crypt/.gitattributes vendored
View file

@ -1,4 +0,0 @@
# Do not edit this file. To specify the files to encrypt, create your own
# .gitattributes file in the directory where your files are.
* !filter !diff
*.gpg binary

BIN
.git-crypt/keys/default/0/059F098EBF0E9A13E10A46BF6500251E087653C9.gpg
View file

Binary file not shown.

1
.gitattributes vendored
View file

@ -1 +0,0 @@
secrets.gcrypt/** filter=git-crypt diff=git-crypt

50
.github/workflows/autoupdate.yml vendored
View file

@ -1,50 +0,0 @@
name: Auto update
on:
workflow_dispatch:
schedule:
- cron: "0 0 * * *"
jobs:
update:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
token: ${{ secrets.PAT_TOKEN }}
- name: Check for updates
id: check
run: |
local=$(cat flake.lock | jq ".nodes.nixpkgs.locked.rev")
remote=$(curl "https://api.github.com/repos/NixOS/nixpkgs/branches/nixos-unstable/commits?per_page=1" | jq ".commit.sha")
if [[ $local == $remote ]]; then
echo "skip=1" >> "$GITHUB_OUTPUT"
else
echo "skip=0" >> "$GITHUB_OUTPUT"
branch=$(TZ='Australia/Melbourne' date '+staging_auto/%Y%m%d')
echo "branch_name=${branch}" >> "$GITHUB_OUTPUT"
fi
- name: Install nix
if: steps.check.outputs.skip == 0
uses: cachix/install-nix-action@v31
- name: Configure git
if: steps.check.outputs.skip == 0
run: |
git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --local user.name "github-actions[bot]"
- name: Update
if: steps.check.outputs.skip == 0
run: ./update.sh
- name: Push
if: steps.check.outputs.skip == 0
uses: ad-m/github-push-action@master
with:
github_token: ${{ secrets.PAT_TOKEN }}
branch: ${{ steps.check.outputs.branch_name }}

34
.github/workflows/cachix.yml vendored
View file

@ -5,23 +5,35 @@ on:
workflow_dispatch:
jobs:
check:
name: Check flake
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: cachix/install-nix-action@v17
with:
install_url: https://github.com/numtide/nix-unstable-installer/releases/download/nix-2.12.0pre20220930_89ca75c/install
extra_nix_config: experimental-features = nix-command flakes
- uses: cachix/cachix-action@v10
with:
name: lava
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- run: nix flake check --keep-going --verbose
build:
name: Build linux-lava for x86_64-linux
runs-on: ubuntu-latest
steps:
# credits to https://github.com/easimon/maximize-build-space/issues/45
- name: Remove unneeded packages to maximise build space
shell: bash
run: |
df -h
sudo rm -rf /usr/share/dotnet
sudo rm -rf /usr/local/lib/android
df -h
- uses: actions/checkout@v4
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: cachix/install-nix-action@v31
- uses: cachix/cachix-action@v16
- uses: cachix/install-nix-action@v17
with:
install_url: https://github.com/numtide/nix-unstable-installer/releases/download/nix-2.12.0pre20220930_89ca75c/install
extra_nix_config: experimental-features = nix-command flakes
- uses: cachix/cachix-action@v10
with:
name: lava
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'

1
.gitignore vendored
View file

@ -1 +0,0 @@
result

9
README.md
View file

@ -14,18 +14,17 @@ to your liking. Open up `flake.nix`, add your new host config at the bottom, and
## Hosts
| Name | Description |
| ------- | ----------- |
| hyacinth | Main Desktop PC |
| anemone | Main Laptop |
| blossom | Laptop and main PC |
| caramel | Raspberry Pi 400, stateless |
| dandelion | ARM OCI VPS, stateless |
| sugarcane | OVHCloud VPS, stateless |
## Users
| Name | Description |
| ---- | ----------- |
| rin | Main user for general usage |
| rin | Main user for usage |
| hana | Lightweight user intended for inspecting stateless hosts |
## License
Licensed under CC0
Licensed under CC0; basically you can fork, modify, redistribute, or do whatever you want I don't really care.
Credit is appreciated but not necessary

47
containers/amethyst/configuration.nix
View file

@ -1,47 +0,0 @@
{ lib, pkgs, ... }: {
system.stateVersion = "23.11";
systemd.tmpfiles.rules = [
"d /persist/transmission 755 transmission transmission"
"d /persist/transmission/.config/transmission-daemon 750 transmission transmission"
"d /persist/transmission/.incomplete 750 transmission transmission"
"d /persist/transmission/Downloads 755 transmission transmission"
"d /persist/transmission/watchdir 755 transmission transmission"
];
networking.wg-quick.interfaces.wg0 = {
configFile = "/persist/vpn.conf";
preUp = ''
# Try to access the DNS for up to 300s
for i in {1..60}; do
${pkgs.iputils}/bin/ping -c1 'google.com' && break
echo "Attempt $i: DNS still not available"
sleep 5s
done
'';
};
# https://github.com/NixOS/nixpkgs/issues/258793
systemd.services.transmission.serviceConfig = {
BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ];
RootDirectoryStartOnly = lib.mkForce false;
RootDirectory = lib.mkForce "";
PrivateMounts = lib.mkForce false;
PrivateUsers = lib.mkForce false;
};
networking.firewall.allowedTCPPorts = [ 9091 ];
services.transmission = {
enable = true;
package = pkgs.transmission_4;
downloadDirPermissions = "775";
openFirewall = true;
home = "/persist/transmission";
settings = {
ratio-limit-enabled = true;
rpc-bind-address = "0.0.0.0";
rpc-enabled = true;
rpc-port = 9091;
rpc-host-whitelist-enabled = false;
rpc-whitelist-enabled = false;
};
};
}

27
containers/amethyst/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

51
containers/amethyst/flake.nix
View file

@ -1,51 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { nixpkgs, ... }: {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
modules = [ ./configuration.nix ];
};
nixosModule = { ... }:
let
name = "amethyst";
fqdn = "amethyst.lava.moe";
subnet = "1";
in {
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "ve-${name}" ];
};
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
#locations."/".proxyPass = "http://[fd0d:1::${subnet}:2]:9091";
locations."/".proxyPass = "http://10.30.${subnet}.2:9091";
listenAddresses = [ "10.0.0.1" "[fd0d::1]" ];
};
systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.30.${subnet}.1";
localAddress = "10.30.${subnet}.2";
hostAddress6 = "fd0d:1::${subnet}:1";
localAddress6 = "fd0d:1::${subnet}:2";
# privateUsers = "pick";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = [ ./configuration.nix ]; };
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
# flake = "path:" + ./.;
};
};
};
}

23
containers/beryllium/configuration.nix
View file

@ -1,23 +0,0 @@
{ ... }: {
system.stateVersion = "25.11";
fileSystems."/var/lib/private" = {
device = "/persist";
fsType = "none";
options = [ "bind" ];
};
networking.firewall.allowedTCPPorts = [ 6167 ];
networking.firewall.allowedUDPPorts = [ 6167 ];
# TODO: this should be generically set
networking.useHostResolvConf = false;
networking.nameservers = [ "8.8.8.8" ];
services.matrix-continuwuity = {
enable = true;
settings.global = {
# TODO: link this with outer container's address
address = [ "10.30.2.2" ];
server_name = "lava.moe";
rocksdb_recovery_mode = 2;
};
};
}

27
containers/beryllium/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

69
containers/beryllium/flake.nix
View file

@ -1,69 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { nixpkgs, ... }: {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
modules = [ ./configuration.nix ];
};
nixosModule = { ... }:
let
name = "beryllium";
fqdn = "beryllium.lava.moe";
subnet = "2";
in {
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "ve-${name}" ];
};
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".extraConfig = "return 302 'https://lava.moe';";
locations."/_matrix".proxyPass = "http://10.30.${subnet}.2:6167";
locations."/_conduwuit".proxyPass = "http://10.30.${subnet}.2:6167";
locations."/_continuwuity".proxyPass = "http://10.30.${subnet}.2:6167";
};
services.nginx.virtualHosts."lava.moe" = {
locations."= /.well-known/matrix/server".extraConfig =
let
server = { "m.server" = "${fqdn}:443"; };
in ''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
# "m.identity_server" = { "base_url" = "https://vector.im"; };
};
in ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.30.${subnet}.1";
localAddress = "10.30.${subnet}.2";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = [ ./configuration.nix ]; };
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
};
};
};
}

53
containers/citrine/configuration.nix
View file

@ -1,53 +0,0 @@
{ config, fqdn, lib, ... }: {
system.stateVersion = "25.11";
networking.firewall.allowedTCPPorts = [ 22 3000 ];
networking.firewall.allowedUDPPorts = [ 22 3000 ];
systemd.tmpfiles.rules = [
"L+ /persist/forgejo/custom/templates - - - - ${./templates}"
];
services.forgejo = {
enable = true;
lfs.enable = true;
settings = {
DEFAULT.APP_NAME = "cilly's botanical laboratory";
server = {
DOMAIN = fqdn;
ROOT_URL = "https://${fqdn}/";
HTTP_PORT = 3000;
START_SSH_SERVER = true;
BUILTIN_SSH_SERVER_USER = "git";
SSH_DOMAIN = "git.lava.moe";
SSH_SERVER_KEY_EXCHANGES = "mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256";
};
ui = lib.mkForce {
DEFAULT_THEME = "catppuccin-maroon-auto";
THEMES = lib.strings.concatMapStringsSep "," (x: "${x}-auto") [
"catppuccin-pink"
"catppuccin-maroon"
"catppuccin-flamingo"
"catppuccin-rosewater"
"forgejo"
"gitea"
];
};
api.ENABLE_SWAGGER = false;
other.SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
repository.ENABLE_PUSH_CREATE_USER = true;
repository.ENABLE_PUSH_CREATE_ORG = true;
service.DISABLE_REGISTRATION = true;
};
stateDir = "/persist/forgejo";
};
systemd.services.forgejo.serviceConfig = {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
PrivateUsers = lib.mkForce false;
};
catppuccin.forgejo.enable = true;
environment.systemPackages = [ config.services.forgejo.package ];
}

62
containers/citrine/flake.lock generated
View file

@ -1,62 +0,0 @@
{
"nodes": {
"catppuccin": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1773403535,
"narHash": "sha256-47MZaFrHxNO8tVUAmtVnerXUw2WWVluBOiU9MulN/yM=",
"owner": "catppuccin",
"repo": "nix",
"rev": "d45b5665cc638bad1b794350de02f4dd41b0bb47",
"type": "github"
},
"original": {
"owner": "catppuccin",
"repo": "nix",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1773122722,
"narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"catppuccin": "catppuccin",
"nixpkgs": "nixpkgs_2"
}
}
},
"root": "root",
"version": 7
}

68
containers/citrine/flake.nix
View file

@ -1,68 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
catppuccin.url = "github:catppuccin/nix";
};
outputs = { nixpkgs, catppuccin, ... }:
let
name = "citrine";
fqdn = "lab.lava.moe";
subnetId = "3";
subnet = x: "fd0d:1::${subnetId}:${toString x}";
host = subnet 1;
client = subnet 2;
subnet4 = x: "10.30.${subnetId}.${toString x}";
host4 = subnet4 1;
client4 = subnet4 2;
modules = [
./configuration.nix
catppuccin.nixosModules.catppuccin
{
networking.useHostResolvConf = false;
networking.nameservers = [ host ];
}
];
in {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
inherit modules;
};
nixosModule = { ... }: {
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "ve-${name}" ];
};
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".proxyPass = "http://[${client}]:3000";
};
systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = host4;
localAddress = client4;
hostAddress6 = host;
localAddress6 = client;
# privateUsers = "pick";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = modules; };
specialArgs = { inherit fqdn; };
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
# flake = "path:" + ./.;
};
};
};
}

31
containers/citrine/templates/base/footer_content.tmpl
View file

@ -1,31 +0,0 @@
<footer class="page-footer" role="group" aria-label="{{ctx.Locale.Tr "aria.footer"}}">
<div class="left-links" role="contentinfo" aria-label="{{ctx.Locale.Tr "aria.footer.software"}}">
{{if ShowFooterPoweredBy}}
<a target="_blank" rel="noopener noreferrer" href="https://forgejo.org">Forgejo</a>
{{end}}
{{if (or .ShowFooterVersion .PageIsAdmin)}}
{{if .IsAdmin}}
<a href="{{AppSubUrl}}/admin/config">{{AppVerNoMetadata}}</a>
{{else}}
{{AppVerNoMetadata}}
{{end}}
{{end}}
{{if and .TemplateLoadTimes ShowFooterTemplateLoadTime}}
{{ctx.Locale.Tr "page"}}: <strong>{{LoadTimes .PageStartTime}}</strong>
{{ctx.Locale.Tr "template"}}{{if .TemplateName}} {{.TemplateName}}{{end}}: <strong>{{call .TemplateLoadTimes}}</strong>
{{end}}
</div>
<div class="right-links" role="group" aria-label="{{ctx.Locale.Tr "aria.footer.links"}}">
<div class="ui dropdown upward language">
<span class="flex-text-inline">{{svg "octicon-globe" 14}} {{ctx.Locale.LangName}}</span>
<div class="menu language-menu">
{{range .AllLangs}}
<a lang="{{.Lang}}" data-url="{{AppSubUrl}}/?lang={{.Lang}}" class="item {{if eq ctx.Locale.Lang .Lang}}active selected{{end}}">{{.Name}}</a>
{{end}}
</div>
</div>
<a href="{{AssetUrlPrefix}}/licenses.txt">{{ctx.Locale.Tr "licenses"}}</a>
{{if .EnableSwagger}}<a href="{{AppSubUrl}}/api/swagger">API</a>{{end}}
{{template "custom/extra_links_footer" .}}
</div>
</footer>

19
containers/citrine/templates/home.tmpl
View file

@ -1,19 +0,0 @@
{{template "base/head" .}}
{{if not .IsSigned}}
<script>window.location.href = "/explore/repos";</script>
{{end}}
<div role="main" aria-label="{{if .IsSigned}}{{ctx.Locale.Tr "dashboard"}}{{else}}{{ctx.Locale.Tr "home"}}{{end}}" class="page-content home">
<div class="tw-mb-8 tw-px-8">
<div class="center">
<img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg" alt="{{ctx.Locale.Tr "logo"}}">
<div class="hero">
<h1 class="ui icon header title">
{{AppDisplayName}}
</h1>
<h2>{{ctx.Locale.Tr "startpage.app_desc"}}</h2>
</div>
</div>
</div>
{{template "home_forgejo" .}}
</div>
{{template "base/footer" .}}

22
containers/diamond/configuration.nix
View file

@ -1,22 +0,0 @@
{ fqdn, ... }: {
system.stateVersion = "25.11";
systemd.tmpfiles.rules = [
"d /persist/vaultwarden 755 vaultwarden vaultwarden"
];
fileSystems."/var/lib/vaultwarden" = {
device = "/persist/vaultwarden";
fsType = "none";
options = [ "bind" ];
};
networking.firewall.allowedTCPPorts = [ 8000 ];
networking.firewall.allowedUDPPorts = [ 8000 ];
services.vaultwarden = {
enable = true;
domain = fqdn;
config = {
DOMAIN = "https://${fqdn}";
ROCKET_ADDRESS = "::";
};
};
}

27
containers/diamond/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

51
containers/diamond/flake.nix
View file

@ -1,51 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { nixpkgs, ... }:
let
name = "diamond";
fqdn = "astransia.lava.moe";
subnetId = "4";
subnet = x: "fd0d:1::${subnetId}:${toString x}";
host = subnet 1;
client = subnet 2;
modules = [
./configuration.nix
];
in {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
inherit modules;
};
nixosModule = { ... }: {
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".proxyPass = "http://[${client}]:8000";
listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
};
systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress6 = host;
localAddress6 = client;
# privateUsers = "pick";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = modules; };
specialArgs = { inherit fqdn; };
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
# flake = "path:" + ./.;
};
};
};
}

23
containers/emerald/configuration.nix
View file

@ -1,23 +0,0 @@
{ fqdn, shareFqdn, ... }: {
system.stateVersion = "25.11";
systemd.tmpfiles.rules = [
"d /persist/navidrome 755 navidrome navidrome"
];
networking.firewall.allowedTCPPorts = [ 4533 ];
networking.firewall.allowedUDPPorts = [ 4533 ];
services.navidrome = {
enable = true;
environmentFile = "/binds/navidrome_env";
settings = {
Port = 4533;
Address = "[::]";
BaseUrl = "https://${fqdn}/";
ShareURL = "https://${shareFqdn}";
EnableSharing = true;
DataFolder = "/persist/navidrome";
MusicFolder = "/binds/music/main";
};
};
systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/binds/music"];
}

27
containers/emerald/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

78
containers/emerald/flake.nix
View file

@ -1,78 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { nixpkgs, ... }:
let
name = "emerald";
fqdn = "navia.lava.moe";
shareFqdn = "muse.lava.moe";
subnetId = "5";
subnet = x: "fd0d:2::${subnetId}:${toString x}";
host = subnet 1;
client = subnet 2;
subnet4 = x: "10.32.${subnetId}.${toString x}";
host4 = subnet4 1;
client4 = subnet4 2;
modules = [
./configuration.nix
{
networking.useHostResolvConf = false;
networking.nameservers = [ host ];
}
];
in {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
inherit modules;
};
nixosModule = { config, ... }: {
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "ve-${name}" ];
};
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".proxyPass = "http://[${client}]:4533";
listenAddresses = [ "100.67.2.1" ];
};
systemd.tmpfiles.rules = [ "d /persist/containers/${name} 755 root users" ];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = host4;
localAddress = client4;
hostAddress6 = host;
localAddress6 = client;
# privateUsers = "pick";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = modules; };
specialArgs = { inherit fqdn shareFqdn; };
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
bindMounts."music" = {
hostPath = "/flower/media/music";
mountPoint = "/binds/music";
isReadOnly = true;
};
bindMounts."navidrome_env" = {
hostPath = config.age.secrets.navidrome_env.path;
mountPoint = "/binds/navidrome_env";
isReadOnly = true;
};
# flake = "path:" + ./.;
};
};
};
}

22
containers/fluorite/configuration.nix
View file

@ -1,22 +0,0 @@
{ ... }: {
system.stateVersion = "25.11";
systemd.tmpfiles.rules = [
"d /persist/slskd/Downloads 755 slskd slskd"
];
fileSystems."/var/lib/slskd" = {
device = "/persist/slskd";
fsType = "none";
options = [ "bind" ];
};
networking.firewall.allowedTCPPorts = [ 5030 50300 ];
networking.firewall.allowedUDPPorts = [ 5030 50300 ];
services.slskd = {
enable = true;
domain = null;
environmentFile = "/binds/slskd_env";
settings = {
shares.directories = [ "/binds/music/" ];
};
};
}

27
containers/fluorite/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fe416aaedd397cacb33a610b33d60ff2b431b127",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

89
containers/fluorite/flake.nix
View file

@ -1,89 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { nixpkgs, ... }:
let
name = "fluorite";
fqdn = "fluorite.lava.moe";
subnetId = "6";
subnet = x: "fd0d:1::${subnetId}:${toString x}";
host = subnet 1;
client = subnet 2;
subnet4 = x: "10.30.${subnetId}.${toString x}";
host4 = subnet4 1;
client4 = subnet4 2;
modules = [
./configuration.nix
{
networking.useHostResolvConf = false;
networking.nameservers = [ host ];
}
];
in {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
inherit modules;
};
nixosModule = { config, ... }: {
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "ve-${name}" ];
};
networking.firewall.allowedTCPPorts = [ 50300 ];
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".proxyPass = "http://[${client}]:5030";
listenAddresses = [ "10.0.0.1" "[fd0d::1]" "100.67.1.1" ];
};
systemd.tmpfiles.rules = [
"d /persist/containers/${name} 755 root users"
"d /persist/media/music 075 nobody users"
];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = host4;
localAddress = client4;
hostAddress6 = host;
localAddress6 = client;
# privateUsers = "pick";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = modules; };
specialArgs = { inherit fqdn; };
forwardPorts = [
{
containerPort = 50300;
hostPort = 50300;
protocol = "tcp";
}
];
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
bindMounts."music" = {
hostPath = "/persist/media/music";
mountPoint = "/binds/music";
isReadOnly = true;
};
bindMounts."slskd_env" = {
hostPath = config.age.secrets.slskd_env.path;
mountPoint = "/binds/slskd_env";
isReadOnly = true;
};
# flake = "path:" + ./.;
};
};
};
}

36
containers/garnet/configuration.nix
View file

@ -1,36 +0,0 @@
{ ... }: {
system.stateVersion = "25.11";
fileSystems."/var/lib/opencloud" = {
device = "/flower/data";
fsType = "none";
options = [ "bind" ];
};
fileSystems."/etc/opencloud" = {
device = "/persist/cfg";
fsType = "none";
options = [ "bind" ];
};
# TODO: hardcoded address
networking.extraHosts = ''
100.67.2.1 cloud.lava.moe
'';
networking.firewall.allowedTCPPorts = [ 9200 ];
networking.firewall.allowedUDPPorts = [ 9200 ];
environment.etc."opencloud-admin-pass".text = ''
IDM_ADMIN_PASSWORD=supersillysecure
'';
services.opencloud = {
enable = true;
url = "https://cloud.lava.moe";
address = "10.30.7.2";
port = 9200;
environment = {
PROXY_TLS = "false";
IDP_ACCESS_TOKEN_EXPIRATION = "2592000";
IDP_ID_TOKEN_EXPIRATION = "2592000";
};
environmentFile = "/etc/opencloud-admin-pass";
};
}

27
containers/garnet/flake.lock generated
View file

@ -1,27 +0,0 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1779560665,
"narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

84
containers/garnet/flake.nix
View file

@ -1,84 +0,0 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs = { nixpkgs, ... }:
let
name = "garnet";
fqdn = "cloud.lava.moe";
subnetId = "7";
subnet = x: "fd0d:1::${subnetId}:${toString x}";
host = subnet 1;
client = subnet 2;
subnet4 = x: "10.30.${subnetId}.${toString x}";
host4 = subnet4 1;
client4 = subnet4 2;
modules = [
./configuration.nix
{
networking.useHostResolvConf = false;
networking.nameservers = [ host ];
}
];
in {
nixosConfigurations.container = nixpkgs.lib.nixosSystem {
inherit modules;
};
nixosModule = { config, ... }: {
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "ve-${name}" ];
};
services.nginx.virtualHosts."${fqdn}" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/" = {
proxyPass = "http://${client4}:9200";
proxyWebsockets = true;
};
extraConfig = ''
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
keepalive_requests 100000;
keepalive_timeout 5m;
http2_max_concurrent_streams 512;
'';
# TODO: hardcoded address
listenAddresses = [ "100.67.2.1" ];
};
systemd.tmpfiles.rules = [
"d /persist/containers/${name} 755 root users"
];
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = host4;
localAddress = client4;
hostAddress6 = host;
localAddress6 = client;
# privateUsers = "pick";
nixpkgs = nixpkgs;
ephemeral = true;
config = { imports = modules; };
specialArgs = { inherit fqdn; };
bindMounts."persist" = {
hostPath = "/persist/containers/${name}";
mountPoint = "/persist";
isReadOnly = false;
};
bindMounts."content" = {
hostPath = "/flower/opencloud";
mountPoint = "/flower";
isReadOnly = false;
};
};
};
};
}

1219
flake.lock generated
View file

File diff suppressed because it is too large Load diff

103
flake.nix
View file

@ -1,101 +1,108 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs.url = "github:LavaDesu/nixpkgs/laba/remove-mono";
nixpkgs-porcupine.url = "github:NixOS/nixpkgs/nixos-21.11";
nixpkgs-raccoon.url = "github:NixOS/nixpkgs/nixos-22.11";
home-manager.url = "github:nix-community/home-manager";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
aagl.url = "github:ezKEa/aagl-gtk-on-nix";
catppuccin.url = "github:catppuccin/nix/8eada392fd6571a747e1c5fc358dd61c14c8704e";
catppuccin.inputs.nixpkgs.follows = "nixpkgs";
catppuccin-palette = { url = "github:catppuccin/palette"; flake = false; };
home-manager-porcupine.url = "github:LavaDesu/home-manager/backport/gpg-agent";
home-manager-raccoon.url = "github:nix-community/home-manager/release-22.11";
neovim-nightly.url = "github:nix-community/neovim-nightly-overlay";
nixos-hardware.url = "github:NixOS/nixos-hardware";
agenix.url = "github:ryantm/agenix";
nixos-generators.url = "github:nix-community/nixos-generators";
agenix.inputs.nixpkgs.follows = "nixpkgs";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
home-manager-porcupine.inputs.nixpkgs.follows = "nixpkgs-porcupine";
home-manager-raccoon.inputs.nixpkgs.follows = "nixpkgs-raccoon";
neovim-nightly.inputs.nixpkgs.follows = "nixpkgs";
nixos-generators.inputs.nixpkgs.follows = "nixpkgs";
nix-gaming.url = "github:fufexan/nix-gaming";
nix-index-database.url = "github:nix-community/nix-index-database";
nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
spicetify-nix.url = "github:Gerg-L/spicetify-nix";
spicetify-nix.inputs.nixpkgs.follows = "nixpkgs";
# services
pastel.url = "github:cillynder/pastel";
stevenblack-hosts = { url = "github:StevenBlack/hosts"; flake = false; };
website = { url = "github:cillynder/lavadesu.github.io/master"; flake = false; };
hosts-blocklists = { url = "github:notracking/hosts-blocklists"; flake = false; };
website = { url = "github:LavaDesu/lavadesu.github.io/master"; flake = false; };
# zsh plugins
zsh-abbr = { url = "git+https://github.com/olets/zsh-abbr?submodules=1"; flake = false; };
zsh-abbr = { url = "github:olets/zsh-abbr"; flake = false; };
zsh-history-substring-search = { url = "github:zsh-users/zsh-history-substring-search"; flake = false; };
fast-syntax-highlighting = { url = "github:zdharma-continuum/fast-syntax-highlighting"; flake = false; };
pure = { url = "github:sindresorhus/pure"; flake = false; };
# overlays
discord-tokyonight = { url = "github:DanisDGK/zelk-customizations"; flake = false; };
discover = { url = "github:trigg/Discover"; flake = false; };
linux-tkg = { url = "github:Frogging-Family/linux-tkg"; flake = false; };
nvim-treesitter = { url = "github:nvim-treesitter/nvim-treesitter"; flake = false; };
packwiz = { url = "github:comp500/packwiz"; flake = false; };
spotify-adblock = { url = "github:abba23/spotify-adblock"; flake = false; };
tree-sitter-glimmer = { url = "github:alexlafroscia/tree-sitter-glimmer"; flake = false; };
tree-sitter-jsonc = { url = "gitlab:WhyNotHugo/tree-sitter-jsonc"; flake = false; };
wine-discord-ipc-bridge = { url = "github:0e4ef622/wine-discord-ipc-bridge"; flake = false; };
# containers
c-amethyst.url = "path:./containers/amethyst";
c-beryllium.url = "path:./containers/beryllium";
c-citrine.url = "path:./containers/citrine";
c-diamond.url = "path:./containers/diamond";
c-emerald.url = "path:./containers/emerald";
c-fluorite.url = "path:./containers/fluorite";
c-garnet.url = "path:./containers/garnet";
# shells
rust-overlay.url = "github:oxalica/rust-overlay";
rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs:
outputs = { self, agenix, nixos-generators, nixpkgs, nixpkgs-porcupine, nixpkgs-raccoon, ... } @ inputs:
let
overlays = (import ./overlays)
++ [(final: prev: {
me = prev.callPackage ./packages { inherit inputs; } // { inherit inputs; };
})];
patchOverlaysWithLinuxLava = nixpkgs: arch: ([(self: super: {
linuxLavaNixpkgs = import nixpkgs {
overlays = [ (import ./overlays/linux-lava.nix) ] ++ overlays;
system = arch;
};
})] ++ overlays);
mkSystem =
if !(self ? rev) then throw "Dirty git tree detected." else
nixpkgs: name: arch: extraModules: nixpkgs.lib.nixosSystem {
nixpkgs: name: arch: enableGUI: extraModules: nixpkgs.lib.nixosSystem {
system = arch;
modules = [
({
nixpkgs.overlays = patchOverlaysWithLinuxLava nixpkgs arch;
})
{ nixpkgs.overlays = overlays; }
agenix.nixosModules.age
catppuccin.nixosModules.catppuccin
(./hosts + "/${name}")
] ++ extraModules;
specialArgs = {
inherit inputs;
inherit inputs enableGUI;
modules = import ./modules { lib = nixpkgs.lib; };
gcSecrets = builtins.fromJSON (builtins.readFile "${self}/secrets.gcrypt/shared.json");
};
};
in
{
nixosConfigurations."alyssum" = mkSystem nixpkgs "alyssum" "x86_64-linux" [];
nixosConfigurations."anemone" = mkSystem nixpkgs "anemone" "x86_64-linux" [];
nixosConfigurations."dandelion" = mkSystem nixpkgs "dandelion" "aarch64-linux" [];
nixosConfigurations."hyacinth" = mkSystem nixpkgs "hyacinth" "x86_64-linux" [];
nixosConfigurations."blossom" = mkSystem nixpkgs "blossom" "x86_64-linux" true [];
nixosConfigurations."caramel" = mkSystem nixpkgs-raccoon "caramel" "aarch64-linux" false [{
nixpkgs.overlays = [
(self: super: {
makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
})
];
}];
nixosConfigurations."sugarcane" = mkSystem nixpkgs-porcupine "sugarcane" "x86_64-linux" false [];
packages."x86_64-linux" =
let
pkgs = import nixpkgs rec {
overlays = patchOverlaysWithLinuxLava nixpkgs system;
pkgs = import nixpkgs {
inherit overlays;
system = "x86_64-linux";
};
in
{
inherit (pkgs.me) linux-lava spotify-adblock;
linux-lava-ccache = pkgs.me.linux-lava.override { useCcache = true; };
inherit (pkgs.me) linux-lava;
};
packages."aarch64-linux" =
let
pkgs = import nixpkgs-raccoon {
inherit overlays;
system = "aarch64-linux";
};
in
{
caramel-img = self.nixosConfigurations."caramel".config.system.build.sdImage;
};
# TODO: currently broken
# devShells.x86_64-linux = pkgs.callPackage ./shells { inherit inputs; };
};
}

45
hosts/alyssum/default.nix
View file

@ -1,45 +0,0 @@
{ inputs, lib, modules, modulesPath, ... }: {
networking.hostName = "alyssum";
system.stateVersion = "25.11";
time.timeZone = "Australia/Melbourne";
age.secrets = {
acme_dns.file = ../../secrets/acme_dns.age;
passwd.file = ../../secrets/passwd.age;
navidrome_env.file = ../../secrets/navidrome_env.age;
wpa_conf = {
file = ../../secrets/wpa_conf.age;
path = "/etc/wpa_supplicant/imperative.conf";
symlink = false;
};
};
imports = with modules.system; [
(modulesPath + "/profiles/qemu-guest.nix")
home-manager
base
kernel
nix-stable
packages
security
tailscale
modules.services.nginx
modules.services.syncthing
inputs.c-emerald.nixosModule
inputs.c-garnet.nixosModule
./filesystem.nix
./kernel.nix
./networking.nix
./home.syncthing.nix
./samba.nix
../../users/hana
];
me.environment = "headless";
services.syncthing.user = lib.mkForce "hana";
}

35
hosts/alyssum/filesystem.nix
View file

@ -1,35 +0,0 @@
{ ... }:
let
bind = src: {
depends = [ "/nix" ];
device = src;
fsType = "none";
neededForBoot = true;
options = [ "bind" ];
};
mkLabelMount = label: type: {
device = "/dev/disk/by-label/${label}";
fsType = type;
options = [ "defaults" "relatime" ];
};
mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
};
submount = mkBtrfsMount "alyssum";
in {
fileSystems = {
"/" = {
device = "rootfs";
fsType = "tmpfs";
options = [ "defaults" "size=8G" "mode=755" ];
};
"/boot" = mkLabelMount "stem" "vfat";
"/flower" = mkBtrfsMount "myosotis" "/@" true;
"/nix" = submount "/@/nix" false;
"/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
"/persist/.snapshots" = submount "/snap/persist" false;
"/var/log/journal" = bind "/persist/journal";
};
}

39
hosts/alyssum/home.syncthing.nix
View file

@ -1,39 +0,0 @@
{ config, lib, ... }:
let
configOn = user: port: {
me.binds."/home/${user}/.config/syncthing" = "${user}/syncthing/config";
me.binds."/home/${user}/.local/state/syncthing" = "${user}/syncthing/state";
systemd.tmpfiles.rules = [ "d /flower/syncthing/${user} 700 ${user} users" ];
users.users.${user} = {
hashedPasswordFile = config.age.secrets.passwd.path;
isNormalUser = true;
linger = true;
};
home-manager.users.${user} = { ... }: {
home = {
username = "${user}";
homeDirectory = "/home/${user}";
stateVersion = "26.05";
};
services.syncthing = {
enable = true;
guiAddress = "[::]:${toString port}";
overrideDevices = false;
overrideFolders = false;
settings = {
options.listenAddresses = [
"tcp://0.0.0.0:2${toString port}"
"quic://0.0.0.0:2${toString port}"
"dynamic+https://relays.syncthing.net/endpoint"
];
defaults.folder.path = "/flower/syncthing/${user}";
};
};
};
};
in lib.mkMerge [
(configOn "kujira" 8385)
(configOn "cilly" 8386)
]

12
hosts/alyssum/kernel.nix
View file

@ -1,12 +0,0 @@
{ config, lib, ... }: {
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_usb_sdmmc" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
};
hardware.cpu.amd.updateMicrocode = true;
}

15
hosts/alyssum/networking.nix
View file

@ -1,15 +0,0 @@
{ config, ... }: {
networking = {
useDHCP = true;
wireless.enable = true;
interfaces.wlp1s0.useDHCP = false;
interfaces.wlp1s0.ipv4.addresses = [{
address = "192.168.1.167";
prefixLength = 24;
}];
defaultGateway = "192.168.1.1";
nameservers = [ "8.8.8.8" "8.8.4.4" ];
};
}

84
hosts/alyssum/samba.nix
View file

@ -1,84 +0,0 @@
{ config, lib, pkgs, ... }:
let
configOn = user: let
passwd_fname = "passwd_smb${user}";
in {
age.secrets.${passwd_fname}.file = ../../secrets/${passwd_fname}.age;
me.binds."/flower/smb/${user}/music" = "/flower/media/music/${user}";
me.binds."/flower/smb/${user}/syncthing" = "/flower/syncthing/${user}";
users.users.${user} = {
hashedPasswordFile = config.age.secrets.passwd.path;
isNormalUser = true;
};
system.activationScripts = {
init_smbpasswd.text = let
smbpasswd = "${config.services.samba.package}/bin/smbpasswd";
in ''
printf "$(cat ${config.age.secrets.${passwd_fname}.path})\n$(cat ${config.age.secrets.${passwd_fname}.path})\n" | ${smbpasswd} -sa ${user}
'';
};
services.samba.settings."${user}" = {
"path" = "/flower/smb/${user}";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = user;
"force group" = "users";
"valid users" = user;
};
};
in lib.mkMerge [
(configOn "cilly")
(configOn "kujira")
{
me.binds."/flower/smb/kujira/opencloud" = "/flower/opencloud/data/storage/users/users/a8e29fc0-673c-4c67-be00-2442904acb43";
networking.firewall.allowPing = true;
services.samba = {
enable = true;
package = pkgs.samba4Full;
openFirewall = true;
settings = {
global = {
"server smb encrypt" = "required";
"workgroup" = "WORKGROUP";
"server string" = "smbnix";
"netbios name" = "smbnix";
"security" = "user";
"hosts allow" = "100.64.0.0/10 127.0.0.1 alyssum localhost";
"hosts deny" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
"public" = {
"path" = "/flower/smb/public";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "yes";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "hana";
"force group" = "users";
};
};
};
services.samba-wsdd = {
enable = true;
openFirewall = true;
};
services.avahi = {
enable = true;
openFirewall = true;
nssmdns4 = true;
publish.enable = true;
publish.userServices = true;
};
}
]

60
hosts/anemone/default.nix
View file

@ -1,60 +0,0 @@
{ config, inputs, modules, overlays, pkgs, ... }: {
networking.hostName = "anemone";
system.stateVersion = "23.11";
time.timeZone = "Australia/Melbourne";
nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
age.secrets = {
wg_anemone.file = ../../secrets/wg_anemone.age;
passwd.file = ../../secrets/passwd.age;
};
imports = with modules.system; [
home-manager
audio
base
bluetooth
ccache
corectrl
docker
flatpak
greetd
gui
input
kernel
nix
packages
printing
security
snapper
tailscale
wireguard
./filesystem.nix
./kernel.nix
./networking.nix
../../users/rin
modules.services.syncthing
];
me = {
environment = "laptop";
batteryDevice = "BATT";
kbBacklightDevice = "asus::kbd_backlight";
hasFingerprint = true;
hidpi = true;
};
programs.wireshark = {
enable = true;
package = pkgs.wireshark;
};
services.fprintd.enable = true;
services.tlp.enable = true;
programs.kdeconnect.enable = true;
}

36
hosts/anemone/filesystem.nix
View file

@ -1,36 +0,0 @@
{ config, lib, ... }:
let
mkLabelMount = label: type: lazy: {
device = "/dev/disk/by-label/${label}";
fsType = type;
options = [ "defaults" "relatime" ] ++ lib.optionals lazy [ "nofail" ];
};
mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" false // {
options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
};
submount = mkBtrfsMount "Anemone";
in
{
fileSystems = {
"/" = {
device = "rootfs";
fsType = "tmpfs";
options = [ "defaults" "size=8G" "mode=755" ];
};
"/boot" = mkLabelMount "SYSTEM" "vfat" true;
"/mnt/butter" = submount "/" true;
"/nix" = submount "/current/snow" false;
"/home" = submount "/current/home" true;
"/home/.snapshots" = submount "/snapshot/home" false;
"/root" = submount "/current/root" false;
"/var" = submount "/current/var" false;
"/persist" = {
depends = [ "/var" ];
device = "/var/persist";
fsType = "none";
options = [ "bind" ];
neededForBoot = true;
};
};
}

62
hosts/anemone/kernel.nix
View file

@ -1,62 +0,0 @@
{ config, lib, pkgs, ... }: {
boot = {
consoleLogLevel = 0;
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
initrd = {
availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
systemd.enable = true;
verbose = false;
};
kernelModules = [ "kvm-amd" ];
kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
kernelParams = [
"quiet"
"console=tty2"
"systemd.show_status=0"
"rd.systemd.show_status=0"
"rd.udev.log_level=3"
"udev.log_level=3"
"udev.log_priority=3"
];
};
# swapDevices = [{
# device = "/persist/swapfile";
# size = 16 * 1024;
# }];
#
# systemd.sleep.extraConfig = ''
# HibernateMode=shutdown
# '';
/*
services.logind.lidSwitch = "suspend-then-hibernate";
systemd.sleep.extraConfig = ''
HibernateDelaySec=14400
SuspendEstimationSec=3600
HibernateOnACPower=true
'';
*/
powerManagement.cpufreq.min = 400000;
hardware.cpu.amd.updateMicrocode = true;
hardware.firmware = let
fw = "${pkgs.linux-firmware}/lib/firmware/cirrus/";
in [(
pkgs.runCommandNoCC "cs35l41-10431683" { } ''
mkdir -p $out/lib/firmware/cirrus
cd $out/lib/firmware/cirrus
cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid0-l0.bin
cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid0-r0.bin
cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid1-l0.bin
cp ${fw}/cs35l41-dsp1-spk-prot-10431e12-spkid0-l0.bin cs35l41-dsp1-spk-prot-10431683-spkid1-r0.bin
cp ${fw}/cs35l41-dsp1-spk-prot-10431e12.wmfw cs35l41-dsp1-spk-prot-10431683.wmfw
''
)];
}

4
hosts/anemone/networking.nix
View file

@ -1,4 +0,0 @@
{ config, ... }: {
networking.wireless.iwd.enable = true;
environment.etc."NetworkManager/system-connections".source = "/persist/nm_system-connections";
}

27
hosts/hyacinth/default.nix → hosts/blossom/default.nix
View file

@ -1,47 +1,40 @@
{ config, inputs, modules, overlays, pkgs, ... }: {
networking.hostName = "hyacinth";
networking.hostName = "blossom";
system.stateVersion = "21.11";
time.timeZone = "Australia/Melbourne";
time.timeZone = "Asia/Phnom_Penh";
nixpkgs.overlays = [ inputs.neovim-nightly.overlays.default ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
nixpkgs.overlays = [ inputs.neovim-nightly.overlay ];
age.secrets = {
passwd.file = ../../secrets/passwd.age;
wg_hyacinth.file = ../../secrets/wg_hyacinth.age;
wg_blossom.file = ../../secrets/wg_blossom.age;
wpa_conf.file = ../../secrets/wpa_conf.age;
};
imports = with modules.system; [
inputs.home-manager.nixosModule
home-manager
aagl
audio
base
bluetooth
ccache
corectrl
docker
flatpak
greetd
gui
input
kernel
nix
packages
printing
security
snapper
tailscale
wireguard
modules.services.syncthing
./filesystem.nix
./kernel.nix
./networking.nix
./packages.nix
../../users/rin
];
systemd.services.nix-daemon.environment.TMPDIR = "/nix/tmp";
me.hasBluetooth = true;
hardware.opengl.package = (pkgs.mesa.overrideAttrs(o: {
patches = o.patches ++ [ ./mesa_mr_17182.patch ];
})).drivers;
}

41
hosts/blossom/filesystem.nix Normal file
View file

@ -0,0 +1,41 @@
{ config, ... }:
let
mkMount = uuid: type: {
device = "/dev/disk/by-uuid/${uuid}";
fsType = type;
options = [ "defaults" "relatime" ];
};
mkBtrfsMount = subvolid: atime: mkMount "cf0f4302-f006-46a5-afc7-ada04d17f6f2" "btrfs" // {
options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvolid=${builtins.toString subvolid}" (if atime then "relatime" else "noatime") ];
};
in
{
fileSystems = {
"/" = {
device = "rootfs";
fsType = "tmpfs";
options = [ "defaults" "size=4G" "mode=755" ];
};
"/boot" = mkMount "186A-A42E" "vfat";
"/mnt/butter" = mkBtrfsMount 5 true;
"/nix" = mkBtrfsMount 257 false;
"/home" = mkBtrfsMount 259 true;
"/home/.snapshots" = mkBtrfsMount 262 false;
"/root" = mkBtrfsMount 260 false;
"/var" = mkBtrfsMount 258 false;
"/persist" = {
depends = [ "/var" ];
device = "/var/persist";
fsType = "none";
options = [ "bind" ];
neededForBoot = true;
};
# "/mnt/nfs" = {
# device = "192.168.100.11:/srv/nfs";
# fsType = "nfs";
# options = [ "defaults" ];
# };
};
}

25
hosts/blossom/kernel.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }: {
boot = {
loader = {
efi.canTouchEfiVariables = true;
grub = {
enable = true;
efiSupport = true;
device = "nodev";
useOSProber = lib.mkForce false;
};
};
initrd.kernelModules = [ "i915" ];
kernelParams = [
"amdgpu.gpu_recovery=1"
"amdgpu.si_support=1"
"radeon.si_support=0"
"intel_pstate=passive"
"msr.allow_writes=on"
];
kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ];
kernelModules = [ "v4l2loopback" ];
};
}

601
hosts/blossom/mesa_mr_17182.patch Normal file
View file

@ -0,0 +1,601 @@
diff --git a/src/gallium/drivers/zink/ci/zink-anv-tgl-fails.txt b/src/gallium/drivers/zink/ci/zink-anv-tgl-fails.txt
new file mode 100644
index 00000000000..c4dd948333e
--- /dev/null
+++ b/src/gallium/drivers/zink/ci/zink-anv-tgl-fails.txt
@@ -0,0 +1,215 @@
+# https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/17182
+KHR-GL46.buffer_storage.map_persistent_texture,Fail
+KHR-GL46.copy_image.incompatible_formats_compression,Fail
+KHR-GL46.copy_image.invalid_alignment,Fail
+KHR-GL46.copy_image.smoke_test,Fail
+KHR-GL46.direct_state_access.textures_compressed_subimage,Fail
+KHR-GL46.direct_state_access.textures_get_image,Fail
+KHR-GL46.direct_state_access.textures_image_query_errors,Fail
+KHR-GL46.direct_state_access.textures_subimage_errors,Fail
+KHR-GL46.get_texture_sub_image.errors_test,Fail
+KHR-GL46.get_texture_sub_image.functional_test,Fail
+KHR-GL46.internalformat.copy_tex_image.rgb9_e5,Fail
+KHR-GL46.internalformat.texture2d.rgba_unsigned_byte_rgb9_e5,Fail
+KHR-GL46.packed_pixels.pbo_rectangle.compressed_red,Fail
+KHR-GL46.packed_pixels.pbo_rectangle.compressed_red_rgtc1,Fail
+KHR-GL46.packed_pixels.pbo_rectangle.compressed_rg,Fail
+KHR-GL46.packed_pixels.pbo_rectangle.compressed_rg_rgtc2,Fail
+KHR-GL46.packed_pixels.pbo_rectangle.compressed_rgb,Fail
+KHR-GL46.packed_pixels.pbo_rectangle.compressed_rgba,Fail
+KHR-GL46.packed_pixels.pbo_rectangle.compressed_signed_red_rgtc1,Fail
+KHR-GL46.packed_pixels.pbo_rectangle.compressed_signed_rg_rgtc2,Fail
+KHR-GL46.packed_pixels.pbo_rectangle.compressed_srgb,Fail
+KHR-GL46.packed_pixels.pbo_rectangle.compressed_srgb_alpha,Fail
+KHR-GL46.packed_pixels.pbo_rectangle.rgb9_e5,Fail
+KHR-GL46.packed_pixels.rectangle.compressed_red,Fail
+KHR-GL46.packed_pixels.rectangle.compressed_red_rgtc1,Fail
+KHR-GL46.packed_pixels.rectangle.compressed_rg,Fail
+KHR-GL46.packed_pixels.rectangle.compressed_rg_rgtc2,Fail
+KHR-GL46.packed_pixels.rectangle.compressed_rgb,Fail
+KHR-GL46.packed_pixels.rectangle.compressed_rgba,Fail
+KHR-GL46.packed_pixels.rectangle.compressed_signed_red_rgtc1,Fail
+KHR-GL46.packed_pixels.rectangle.compressed_signed_rg_rgtc2,Fail
+KHR-GL46.packed_pixels.rectangle.compressed_srgb,Fail
+KHR-GL46.packed_pixels.rectangle.compressed_srgb_alpha,Fail
+KHR-GL46.packed_pixels.rectangle.rgb9_e5,Fail
+KHR-GL46.packed_pixels.varied_rectangle.compressed_red,Fail
+KHR-GL46.packed_pixels.varied_rectangle.compressed_red_rgtc1,Fail
+KHR-GL46.packed_pixels.varied_rectangle.compressed_rg,Fail
+KHR-GL46.packed_pixels.varied_rectangle.compressed_rg_rgtc2,Fail
+KHR-GL46.packed_pixels.varied_rectangle.compressed_rgb,Fail
+KHR-GL46.packed_pixels.varied_rectangle.compressed_rgba,Fail
+KHR-GL46.packed_pixels.varied_rectangle.compressed_signed_red_rgtc1,Fail
+KHR-GL46.packed_pixels.varied_rectangle.compressed_signed_rg_rgtc2,Fail
+KHR-GL46.packed_pixels.varied_rectangle.compressed_srgb,Fail
+KHR-GL46.packed_pixels.varied_rectangle.compressed_srgb_alpha,Fail
+KHR-GL46.packed_pixels.varied_rectangle.rgb9_e5,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.0_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.0_16,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.0_32,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.0_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.16_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.16_16,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.16_32,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.16_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.32_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.32_16,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.32_32,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.32_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.4_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.4_16,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.4_32,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgb_s3tc_dxt1.4_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.0_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.0_15,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.0_30,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.0_5,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.16_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.16_15,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.16_30,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.16_5,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.32_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.32_15,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.32_30,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.32_5,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.8_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.8_15,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.8_30,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage2d.rgba_astc_8x5.8_5,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_0_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_0_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_0_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_0_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_16_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_16_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_16_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_16_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_32_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_32_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_32_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_32_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_4_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_4_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_4_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.0_4_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_0_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_0_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_0_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_0_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_16_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_16_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_16_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_16_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_32_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_32_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_32_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_32_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_4_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_4_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_4_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.16_4_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_0_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_0_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_0_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_0_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_16_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_16_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_16_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_16_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_32_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_32_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_32_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_32_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_4_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_4_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_4_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.32_4_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_0_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_0_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_0_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_0_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_16_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_16_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_16_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_16_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_32_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_32_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_32_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_32_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_4_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_4_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_4_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgb_s3tc_dxt1.4_4_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_0_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_0_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_0_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_0_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_15_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_15_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_15_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_15_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_30_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_30_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_30_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_30_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_5_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_5_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_5_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.0_5_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_0_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_0_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_0_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_0_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_15_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_15_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_15_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_15_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_30_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_30_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_30_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_30_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_5_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_5_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_5_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.16_5_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_0_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_0_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_0_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_0_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_15_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_15_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_15_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_15_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_30_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_30_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_30_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_30_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_5_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_5_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_5_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.32_5_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_0_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_0_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_0_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_0_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_15_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_15_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_15_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_15_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_30_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_30_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_30_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_30_8,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_5_0,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_5_1,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_5_4,Fail
+KHR-GL46.pixelstoragemodes.compressedteximage3d.rgba_astc_8x5.8_5_8,Fail
+KHR-GL46.texture_border_clamp.Texture2DArrayCompressed,Fail
+KHR-GL46.texture_border_clamp.Texture2DArrayCompressedLinear,Fail
+KHR-GL46.texture_border_clamp.Texture2DCompressed,Fail
+KHR-GL46.texture_border_clamp.Texture2DCompressedLinear,Fail
+KHR-GL46.texture_cube_map_array.etc2_texture,Fail
+KHR-GL46.texture_filter_anisotropic.drawing,Fail
+KHR-GL46.texture_size_promotion.functional,Fail
+KHR-GL46.texture_view.errors,Fail
+KHR-GL46.texture_view.view_classes,Fail
diff --git a/src/intel/isl/isl_format.c b/src/intel/isl/isl_format.c
index e0c539bf935..0e4e5533c3c 100644
--- a/src/intel/isl/isl_format.c
+++ b/src/intel/isl/isl_format.c
@@ -952,7 +952,10 @@ isl_formats_have_same_bits_per_channel(enum isl_format format1,
return fmtl1->channels.r.bits == fmtl2->channels.r.bits &&
fmtl1->channels.g.bits == fmtl2->channels.g.bits &&
fmtl1->channels.b.bits == fmtl2->channels.b.bits &&
- fmtl1->channels.a.bits == fmtl2->channels.a.bits;
+ fmtl1->channels.a.bits == fmtl2->channels.a.bits &&
+ fmtl1->channels.l.bits == fmtl2->channels.l.bits &&
+ fmtl1->channels.i.bits == fmtl2->channels.i.bits &&
+ fmtl1->channels.p.bits == fmtl2->channels.p.bits;
}
/**
diff --git a/src/intel/vulkan/anv_formats.c b/src/intel/vulkan/anv_formats.c
index ec9ba0745e6..90812d305dd 100644
--- a/src/intel/vulkan/anv_formats.c
+++ b/src/intel/vulkan/anv_formats.c
@@ -988,6 +988,175 @@ void anv_GetPhysicalDeviceFormatProperties2(
}
}
+static bool
+anv_format_supports_usage(
+ VkFormatFeatureFlags2KHR format_feature_flags,
+ VkImageUsageFlags usage_flags)
+{
+ if (usage_flags & VK_IMAGE_USAGE_TRANSFER_SRC_BIT) {
+ if (!(format_feature_flags & (VK_FORMAT_FEATURE_2_TRANSFER_SRC_BIT |
+ VK_FORMAT_FEATURE_2_BLIT_SRC_BIT))) {
+ return false;
+ }
+ }
+
+ if (usage_flags & VK_IMAGE_USAGE_TRANSFER_DST_BIT) {
+ if (!(format_feature_flags & (VK_FORMAT_FEATURE_2_TRANSFER_DST_BIT |
+ VK_FORMAT_FEATURE_2_BLIT_DST_BIT))) {
+ return false;
+ }
+ }
+
+ if (usage_flags & VK_IMAGE_USAGE_SAMPLED_BIT) {
+ if (!(format_feature_flags & VK_FORMAT_FEATURE_2_SAMPLED_IMAGE_BIT)) {
+ return false;
+ }
+ }
+
+ if (usage_flags & VK_IMAGE_USAGE_STORAGE_BIT) {
+ if (!(format_feature_flags & VK_FORMAT_FEATURE_2_STORAGE_IMAGE_BIT)) {
+ return false;
+ }
+ }
+
+ if (usage_flags & VK_IMAGE_USAGE_COLOR_ATTACHMENT_BIT) {
+ if (!(format_feature_flags & VK_FORMAT_FEATURE_2_COLOR_ATTACHMENT_BIT)) {
+ return false;
+ }
+ }
+
+ if (usage_flags & VK_IMAGE_USAGE_DEPTH_STENCIL_ATTACHMENT_BIT) {
+ if (!(format_feature_flags & VK_FORMAT_FEATURE_2_DEPTH_STENCIL_ATTACHMENT_BIT)) {
+ return false;
+ }
+ }
+
+ if (usage_flags & VK_IMAGE_USAGE_TRANSIENT_ATTACHMENT_BIT) {
+ /* Nothing to check. */
+ }
+
+ if (usage_flags & VK_IMAGE_USAGE_INPUT_ATTACHMENT_BIT) {
+ /* Ignore this flag because it was removed from the
+ * provisional_I_20150910 header.
+ */
+ }
+
+ return true;
+}
+
+static bool
+anv_formats_are_compatible(
+ const struct anv_format *img_fmt, const struct anv_format *img_view_fmt,
+ const struct intel_device_info *devinfo, VkImageTiling tiling)
+{
+ if (img_view_fmt->vk_format == VK_FORMAT_UNDEFINED)
+ return false;
+
+ if (img_fmt == img_view_fmt)
+ return true;
+
+ /* TODO: Handle multi-planar images that can have view of a plane with
+ * possibly different type.
+ */
+ if (img_fmt->n_planes != 1 || img_view_fmt->n_planes != 1)
+ return false;
+
+ const enum isl_format img_isl_fmt =
+ anv_get_format_plane(devinfo, img_fmt->vk_format, 0, tiling).isl_format;
+ const enum isl_format img_view_isl_fmt =
+ anv_get_format_plane(devinfo, img_view_fmt->vk_format, 0, tiling).isl_format;
+ if (img_isl_fmt == ISL_FORMAT_UNSUPPORTED ||
+ img_view_isl_fmt == ISL_FORMAT_UNSUPPORTED)
+ return false;
+
+ /* TODO: Handle VK_IMAGE_CREATE_BLOCK_TEXEL_VIEW_COMPATIBLE_BIT. */
+ if (isl_format_is_compressed(img_isl_fmt) !=
+ isl_format_is_compressed(img_view_isl_fmt))
+ return false;
+
+ const struct isl_format_layout *img_fmt_layout =
+ isl_format_get_layout(img_isl_fmt);
+ const struct isl_format_layout *img_view_fmt_layout =
+ isl_format_get_layout(img_view_isl_fmt);
+
+ if (!isl_format_is_compressed(img_isl_fmt)) {
+ /* From the Vulkan 1.3.224 spec "43.1.6. Format Compatibility Classes":
+ *
+ * "Uncompressed color formats are compatible with each other if they
+ * occupy the same number of bits per texel block."
+ */
+ return img_fmt_layout->bpb == img_view_fmt_layout->bpb;
+ }
+
+ /* From the Vulkan 1.3.224 spec "43.1.6. Format Compatibility Classes":
+ *
+ * "Compressed color formats are compatible with each other if the only
+ * difference between them is the numerical type of the uncompressed
+ * pixels (e.g. signed vs. unsigned, or SRGB vs. UNORM encoding)."
+ */
+ return img_fmt_layout->txc == img_view_fmt_layout->txc &&
+ isl_formats_have_same_bits_per_channel(img_isl_fmt, img_view_isl_fmt);
+}
+
+/* Returns a set of feature flags supported by any of the VkFormat listed in
+ * format_list_info or any VkFormat compatible with format.
+ */
+static VkFormatFeatureFlags2
+anv_formats_gather_format_features(
+ const struct intel_device_info *devinfo,
+ const struct anv_format *format,
+ VkImageTiling tiling,
+ const struct isl_drm_modifier_info *isl_mod_info,
+ const VkImageFormatListCreateInfo *format_list_info)
+{
+ VkFormatFeatureFlags2KHR all_formats_feature_flags = 0;
+
+ /* We need to check that each of the usage bits are allowed for at least
+ * one of the potential formats.
+ */
+ if (!format_list_info || format_list_info->viewFormatCount == 0) {
+ /* If we specify no list of possible formats, we need to assume that
+ * every compatible format is possible and consider the features
+ * supported by each of them.
+ */
+ for (uint32_t fmt_arr_ind = 0;
+ fmt_arr_ind < ARRAY_SIZE(anv_formats);
+ ++fmt_arr_ind) {
+ for (uint32_t fmt_ind = 0;
+ fmt_ind < anv_formats[fmt_arr_ind].n_formats;
+ ++fmt_ind) {
+ const struct anv_format *possible_anv_format =
+ &(anv_formats[fmt_arr_ind].formats[fmt_ind]);
+
+ if (anv_formats_are_compatible(format, possible_anv_format,
+ devinfo, tiling)) {
+ VkFormatFeatureFlags2KHR view_format_features =
+ anv_get_image_format_features2(devinfo,
+ possible_anv_format->vk_format,
+ possible_anv_format, tiling,
+ isl_mod_info);
+ all_formats_feature_flags |= view_format_features;
+ }
+ }
+ }
+ } else {
+ /* If we provide the list of possible formats, then check just them. */
+ for (uint32_t i = 0; i < format_list_info->viewFormatCount; ++i) {
+ VkFormat vk_view_format = format_list_info->pViewFormats[i];
+ const struct anv_format *anv_view_format =
+ anv_get_format(vk_view_format);
+ VkFormatFeatureFlags2KHR view_format_features =
+ anv_get_image_format_features2(devinfo, vk_view_format,
+ anv_view_format, tiling,
+ isl_mod_info);
+ all_formats_feature_flags |= view_format_features;
+ }
+ }
+
+ return all_formats_feature_flags;
+}
+
+
static VkResult
anv_get_image_format_properties(
struct anv_physical_device *physical_device,
@@ -1019,29 +1188,6 @@ anv_get_image_format_properties(
}
assert(format->vk_format == info->format);
- format_feature_flags = anv_get_image_format_features2(devinfo, info->format,
- format, info->tiling,
- isl_mod_info);
-
- /* Remove the VkFormatFeatureFlags that are incompatible with any declared
- * image view format. (Removals are more likely to occur when a DRM format
- * modifier is present).
- */
- if ((info->flags & VK_IMAGE_CREATE_MUTABLE_FORMAT_BIT) && format_list_info) {
- for (uint32_t i = 0; i < format_list_info->viewFormatCount; ++i) {
- VkFormat vk_view_format = format_list_info->pViewFormats[i];
- const struct anv_format *anv_view_format = anv_get_format(vk_view_format);
- VkFormatFeatureFlags2KHR view_format_features =
- anv_get_image_format_features2(devinfo, vk_view_format,
- anv_view_format,
- info->tiling,
- isl_mod_info);
- format_feature_flags &= view_format_features;
- }
- }
-
- if (!format_feature_flags)
- goto unsupported;
switch (info->type) {
default:
@@ -1083,21 +1229,56 @@ anv_get_image_format_properties(
break;
}
- /* From the Vulkan 1.2.199 spec:
+ /* From the Vulkan 1.3.218 spec:
+ *
+ * "For images created without VK_IMAGE_CREATE_EXTENDED_USAGE_BIT a usage
+ * bit is valid if it is supported for the format the image is created with.
+ * For images created with VK_IMAGE_CREATE_EXTENDED_USAGE_BIT a usage bit
+ * is valid if it is supported for at least one of the formats
+ * a VkImageView created from the image can have."
*
- * "VK_IMAGE_CREATE_EXTENDED_USAGE_BIT specifies that the image can be
- * created with usage flags that are not supported for the format the
- * image is created with but are supported for at least one format a
- * VkImageView created from the image can have."
+ * "VK_IMAGE_CREATE_MUTABLE_FORMAT_BIT specifies that the image can be
+ * used to create a VkImageView with a different format from the image."
*
- * If VK_IMAGE_CREATE_EXTENDED_USAGE_BIT is set, views can be created with
- * different usage than the image so we can't always filter on usage.
+ * So, if both VK_IMAGE_CREATE_EXTENDED_USAGE_BIT and
+ * VK_IMAGE_CREATE_MUTABLE_FORMAT_BIT are set, views can be created with
+ * different usage than the image, so we can't always filter on usage.
* There is one exception to this below for storage.
+ *
+ * TODO: Handle VK_IMAGE_CREATE_BLOCK_TEXEL_VIEW_COMPATIBLE_BIT combined
+ * with those flags.
*/
- const VkImageUsageFlags image_usage = info->usage;
- VkImageUsageFlags view_usage = image_usage;
- if (info->flags & VK_IMAGE_CREATE_EXTENDED_USAGE_BIT)
- view_usage = 0;
+ format_feature_flags = anv_get_image_format_features2(devinfo, info->format,
+ format, info->tiling,
+ isl_mod_info);
+
+ if (!anv_format_supports_usage(format_feature_flags, info->usage)) {
+ /* If image format itself does not support the usage, and we don't allow
+ * views formats to support it, then we can't support this usage at all.
+ */
+ if (!(info->flags & VK_IMAGE_CREATE_MUTABLE_FORMAT_BIT) ||
+ !(info->flags & VK_IMAGE_CREATE_EXTENDED_USAGE_BIT))
+ goto unsupported;
+
+ /* From the Vulkan 1.3.224 spec "43.1.6. Format Compatibility Classes":
+ *
+ * "Each depth/stencil format is only compatible with itself."
+ *
+ * So, other formats also can't help.
+ */
+ if (vk_format_is_depth_or_stencil(info->format))
+ goto unsupported;
+
+ /* Gather all possible format feature flags for the formats listed in
+ * the format list or all the compatible formats.
+ */
+ VkFormatFeatureFlags2 all_formats_feature_flags = format_feature_flags |
+ anv_formats_gather_format_features(devinfo, format, info->tiling,
+ isl_mod_info, format_list_info);
+
+ if (!anv_format_supports_usage(all_formats_feature_flags, info->usage))
+ goto unsupported;
+ }
if (info->tiling == VK_IMAGE_TILING_DRM_FORMAT_MODIFIER_EXT) {
/* We support modifiers only for "simple" (that is, non-array
@@ -1116,7 +1297,7 @@ anv_get_image_format_properties(
if (isl_mod_info->aux_usage == ISL_AUX_USAGE_CCS_E &&
!anv_formats_ccs_e_compatible(devinfo, info->flags, info->format,
- info->tiling, image_usage,
+ info->tiling, info->usage,
format_list_info)) {
goto unsupported;
}
@@ -1138,32 +1319,12 @@ anv_get_image_format_properties(
(format_feature_flags & (VK_FORMAT_FEATURE_2_COLOR_ATTACHMENT_BIT_KHR |
VK_FORMAT_FEATURE_2_DEPTH_STENCIL_ATTACHMENT_BIT_KHR)) &&
!(info->flags & VK_IMAGE_CREATE_CUBE_COMPATIBLE_BIT) &&
- !(image_usage & VK_IMAGE_USAGE_STORAGE_BIT) &&
+ !(info->usage & VK_IMAGE_USAGE_STORAGE_BIT) &&
isl_format_supports_multisampling(devinfo, format->planes[0].isl_format)) {
sampleCounts = isl_device_get_sample_counts(&physical_device->isl_dev);
}
- if (view_usage & VK_IMAGE_USAGE_TRANSFER_SRC_BIT) {
- if (!(format_feature_flags & (VK_FORMAT_FEATURE_2_TRANSFER_SRC_BIT_KHR |
- VK_FORMAT_FEATURE_2_BLIT_SRC_BIT_KHR))) {
- goto unsupported;
- }
- }
-
- if (view_usage & VK_IMAGE_USAGE_TRANSFER_DST_BIT) {
- if (!(format_feature_flags & (VK_FORMAT_FEATURE_2_TRANSFER_DST_BIT_KHR |
- VK_FORMAT_FEATURE_2_BLIT_DST_BIT_KHR))) {
- goto unsupported;
- }
- }
-
- if (view_usage & VK_IMAGE_USAGE_SAMPLED_BIT) {
- if (!(format_feature_flags & VK_FORMAT_FEATURE_2_SAMPLED_IMAGE_BIT_KHR)) {
- goto unsupported;
- }
- }
-
- if (image_usage & VK_IMAGE_USAGE_STORAGE_BIT) {
+ if (info->usage & VK_IMAGE_USAGE_STORAGE_BIT) {
/* Non-power-of-two formats can never be used as storage images. We
* only check plane 0 because there are no YCbCr formats with
* non-power-of-two planes.
@@ -1174,24 +1335,6 @@ anv_get_image_format_properties(
goto unsupported;
}
- if (view_usage & VK_IMAGE_USAGE_STORAGE_BIT) {
- if (!(format_feature_flags & VK_FORMAT_FEATURE_2_STORAGE_IMAGE_BIT_KHR)) {
- goto unsupported;
- }
- }
-
- if (view_usage & VK_IMAGE_USAGE_COLOR_ATTACHMENT_BIT) {
- if (!(format_feature_flags & VK_FORMAT_FEATURE_2_COLOR_ATTACHMENT_BIT_KHR)) {
- goto unsupported;
- }
- }
-
- if (view_usage & VK_IMAGE_USAGE_DEPTH_STENCIL_ATTACHMENT_BIT) {
- if (!(format_feature_flags & VK_FORMAT_FEATURE_2_DEPTH_STENCIL_ATTACHMENT_BIT_KHR)) {
- goto unsupported;
- }
- }
-
if (info->flags & VK_IMAGE_CREATE_DISJOINT_BIT) {
/* From the Vulkan 1.2.149 spec, VkImageCreateInfo:
*
@@ -1243,16 +1386,6 @@ anv_get_image_format_properties(
}
}
- if (image_usage & VK_IMAGE_USAGE_TRANSIENT_ATTACHMENT_BIT) {
- /* Nothing to check. */
- }
-
- if (image_usage & VK_IMAGE_USAGE_INPUT_ATTACHMENT_BIT) {
- /* Ignore this flag because it was removed from the
- * provisional_I_20150910 header.
- */
- }
-
/* From the bspec section entitled "Surface Layout and Tiling",
* pre-gfx9 has a 2 GB limitation of the size in bytes,
* gfx9 and gfx10 have a 256 GB limitation and gfx11+

31
hosts/blossom/networking.nix Normal file
View file

@ -0,0 +1,31 @@
{ config, ... }: {
environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path;
networking = {
wireless = {
enable = true;
interfaces = [ "wlp3s0" ];
};
useDHCP = false;
interfaces.eno1.useDHCP = false;
interfaces.wlp3s0.useDHCP = false;
interfaces.eno1.ipv4.addresses = [{
address = "10.0.0.2";
prefixLength = 24;
}];
interfaces.wlp3s0.ipv4.addresses = [{
address = "192.168.100.13";
prefixLength = 24;
}];
defaultGateway = "192.168.100.1";
nameservers = [ "192.168.100.15" ];
extraHosts = ''
192.168.100.12 strawberry
192.168.100.15 caramel
10.100.0.1 sugarcane
'';
};
}

43
hosts/caramel/default.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, inputs, modules, modulesPath, overlays, pkgs, ... }: {
networking.hostName = "caramel";
system.stateVersion = "22.11";
time.timeZone = "Asia/Phnom_Penh";
age.secrets = {
acme_dns.file = ../../secrets/acme_dns.age;
passwd.file = ../../secrets/passwd.age;
warden_admin.file = ../../secrets/warden_admin.age;
wpa_conf.file = ../../secrets/wpa_conf.age;
wg_caramel.file = ../../secrets/wg_caramel.age;
};
imports =
(with modules.system; [
"${builtins.toString modulesPath}/installer/sd-card/sd-image-aarch64.nix"
inputs.home-manager-raccoon.nixosModule
base
home-manager
input
nix-stable
security
transmission
wireguard
./filesystem.nix
./kernel.nix
./image.nix
./networking.nix
./packages.nix
../../users/hana
]) ++
(with modules.services; [
# nginx
# postgres
# synapse
jellyfin
sonarr
tmptsync
unbound
]);
}

50
hosts/caramel/filesystem.nix Normal file
View file

@ -0,0 +1,50 @@
{ config, lib, ... }:
let
bind = src: {
depends = [ "/persist" ];
device = src;
fsType = "none";
neededForBoot = true;
options = [ "bind" ];
};
in {
fileSystems = {
"/" = lib.mkForce {
device = "rootfs";
fsType = "tmpfs";
options = [ "defaults" "size=1G" "mode=755" ];
};
# "/nix" = {
# device = "overlayfs";
# fsType = "overlay";
# options = [
# "lowerdir=/mnt/image/nix"
# "upperdir=/persist/nix-overlay"
# "workdir=/persist/.overlaytmp"
# ];
# noCheck = true;
# depends = [ "/mnt/image" "/persist" ];
# };
"/nix" = (bind "/mnt/image/nix") // { depends = [ "/mnt/image" ]; };
"/mnt/image" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = [ "defaults" "noatime" ];
neededForBoot = true;
};
"/persist" = {
device = "/dev/disk/by-label/PI_HDD";
fsType = "ext4";
options = [ "defaults" "relatime" ];
neededForBoot = true;
};
"/var/lib/acme" = bind "/persist/acme";
"/var/log/journal" = bind "/persist/journal";
"/boot" = (bind "/mnt/image/boot") // { depends = [ "/mnt/image" ]; };
};
}

29
hosts/caramel/image.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }: {
sdImage.expandOnBoot = false;
boot.postBootCommands = ''
# On the first boot do some maintenance tasks
if [ -f /mnt/image/nix-path-registration ]; then
set -euo pipefail
set -x
# Figure out device names for the boot device and root filesystem.
rootPart=$(${pkgs.util-linux}/bin/findmnt -n -o SOURCE /mnt/image)
bootDevice=$(lsblk -npo PKNAME $rootPart)
partNum=$(lsblk -npo MAJ:MIN $rootPart | ${pkgs.gawk}/bin/awk -F: '{print $2}')
# Resize the root partition and the filesystem to fit the disk
echo ",+," | sfdisk -N$partNum --no-reread $bootDevice
${pkgs.parted}/bin/partprobe
${pkgs.e2fsprogs}/bin/resize2fs $rootPart
# Register the contents of the initial Nix store
${config.nix.package.out}/bin/nix-store --load-db < /mnt/image/nix-path-registration
# nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag.
touch /etc/NIXOS
${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
# Prevents this from running on later boots.
rm -f /mnt/image/nix-path-registration
fi
'';
}

15
hosts/caramel/kernel.nix Normal file
View file

@ -0,0 +1,15 @@
{ config, inputs, lib, pkgs, ... }: {
imports = [
inputs.nixos-hardware.nixosModules.raspberry-pi-4
];
hardware.raspberry-pi."4".fkms-3d.enable = true;
boot = {
initrd.kernelModules = [ "overlay" ];
supportedFilesystems = lib.mkForce [ "btrfs" "vfat" ];
kernel.sysctl = {
"kernel.core_pattern" = "|/bin/false";
"kernel.sysrq" = 1;
};
};
}

35
hosts/caramel/networking.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, ... }: {
environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path;
networking = {
firewall.allowedTCPPorts = [ 80 443 ];
wireless = {
enable = true;
interfaces = [ "wlan0" ];
};
useDHCP = false;
interfaces.wlan0.useDHCP = false;
interfaces.wlan0.ipv4.addresses = [{
address = "192.168.100.15";
prefixLength = 24;
}];
defaultGateway = "192.168.100.1";
nameservers = [ "8.8.8.8" ];
extraHosts = ''
192.168.100.12 strawberry
192.168.100.13 blossom
'';
};
# wait for ntp before connecting to wireguard
systemd = {
additionalUpstreamSystemUnits = [ "systemd-time-wait-sync.service" ];
services = {
"systemd-time-wait-sync".wantedBy = [ "multi-user.target" ];
"wireguard-wg0".after = [ "time-sync.target" ];
};
};
}

2
hosts/dandelion/packages.nix → hosts/caramel/packages.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }: {
{ lib, pkgs, ... }: {
environment.systemPackages = with pkgs; [
git
htop

44
hosts/dandelion/default.nix
View file

@ -1,44 +0,0 @@
{ inputs, modules, modulesPath, ... }: {
networking.hostName = "dandelion";
system.stateVersion = "23.11";
time.timeZone = "Australia/Melbourne";
age.secrets = {
acme_dns.file = ../../secrets/acme_dns.age;
slskd_env.file = ../../secrets/slskd_env.age;
wg_dandelion.file = ../../secrets/wg_dandelion.age;
};
imports = with modules.system; [
(modulesPath + "/profiles/qemu-guest.nix")
home-manager
base
kernel
nix-stable
packages
security
tailscale
wireguard
modules.services.banksia
modules.services.nginx
modules.services.unbound
modules.services.website
inputs.c-amethyst.nixosModule
inputs.c-beryllium.nixosModule
inputs.c-citrine.nixosModule
inputs.c-diamond.nixosModule
inputs.c-fluorite.nixosModule
./filesystem.nix
./kernel.nix
./networking.nix
./nginx.nix
../../users/hana
];
me.environment = "headless";
}

34
hosts/dandelion/filesystem.nix
View file

@ -1,34 +0,0 @@
{ ... }:
let
bind = src: {
depends = [ "/nix" ];
device = src;
fsType = "none";
neededForBoot = true;
options = [ "bind" ];
};
mkLabelMount = label: type: {
device = "/dev/disk/by-label/${label}";
fsType = type;
options = [ "defaults" "relatime" ];
};
mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
};
submount = mkBtrfsMount "DANDELION";
in {
fileSystems = {
"/" = {
device = "rootfs";
fsType = "tmpfs";
options = [ "defaults" "size=6G" "mode=755" ];
};
"/boot" = mkLabelMount "UEFI" "vfat";
"/nix" = submount "/@/nix" false;
"/persist" = (submount "/@/persist" true) // { neededForBoot = true; };
"/persist/.snapshots" = submount "/snap/persist" false;
"/var/log/journal" = bind "/persist/journal";
};
}

10
hosts/dandelion/kernel.nix
View file

@ -1,10 +0,0 @@
{ ... }: {
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
initrd.kernelModules = [ "nvme" ];
};
}

4
hosts/dandelion/networking.nix
View file

@ -1,4 +0,0 @@
{ ... }: {
networking.useDHCP = true;
networking.interfaces.enp2s0.useDHCP = false;
}

8
hosts/dandelion/nginx.nix
View file

@ -1,8 +0,0 @@
{ ... }: {
services.nginx.virtualHosts."muse.lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".return = "404";
locations."/share/".proxyPass = "http://[fd0d:2::5:2]:4533";
};
}

50
hosts/hyacinth/filesystem.nix
View file

@ -1,50 +0,0 @@
{ config, lib, ... }:
let
mkLabelMount = label: type: {
device = "/dev/disk/by-label/${label}";
fsType = type;
options = [ "defaults" "relatime" ];
};
mkBtrfsMount = name: subvol: atime: mkLabelMount name "btrfs" // {
options = [ "autodefrag" "compress=zstd:3" "defaults" "discard=async" "space_cache=v2" "ssd" "subvol=${subvol}" (if atime then "relatime" else "noatime") ];
};
mkCakeMount = mkBtrfsMount "CAKE";
in
{
fileSystems = {
"/" = {
device = "rootfs";
fsType = "tmpfs";
options = [ "defaults" "size=24G" "mode=755" ];
};
"/boot" = mkLabelMount "CUP" "vfat";
"/mnt/butter" = mkCakeMount "/" true;
"/mnt/cream" = mkBtrfsMount "CREAM" "/" true;
"/mnt/cream/permanence/.snapshots" = mkBtrfsMount "CREAM" "/snapshot/permanence" false;
"/nix" = mkCakeMount "/current/snow" false;
"/home" = mkCakeMount "/current/home" true;
"/home/.snapshots" = mkCakeMount "/snapshot/home" false;
"/root" = mkCakeMount "/current/root" false;
"/var" = mkCakeMount "/current/var" false;
"/persist" = {
depends = [ "/var" ];
device = "/var/persist";
fsType = "none";
options = [ "bind" ];
neededForBoot = true;
};
};
services.snapper.configs.cream = {
FSTYPE = "btrfs";
SUBVOLUME = "/mnt/cream/permanence";
TIMELINE_CLEANUP = true;
TIMELINE_CREATE = true;
TIMELINE_MIN_AGE = "1800";
TIMELINE_LIMIT_HOURLY = "5";
TIMELINE_LIMIT_DAILY = "7";
TIMELINE_LIMIT_WEEKLY = "0";
TIMELINE_LIMIT_MONTHLY = "0";
TIMELINE_LIMIT_YEARLY = "0";
};
}

20
hosts/hyacinth/kernel.nix
View file

@ -1,20 +0,0 @@
{ config, lib, pkgs, ... }: {
boot = {
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
initrd.availableKernelModules = [ "xhci_pci" "nvme" ];
initrd.kernelModules = [ "amdgpu" ];
kernelParams = [
"amdgpu.gpu_recovery=1"
"intel_pstate=passive"
"split_lock_detect=off"
];
kernelPackages = lib.mkForce (pkgs.linuxPackagesFor pkgs.me.linux-lava);
};
hardware.amdgpu.overdrive = {
enable = true;
ppfeaturemask = "0xffffffff";
};
}

19
hosts/hyacinth/networking.nix
View file

@ -1,19 +0,0 @@
{ config, ... }: {
environment.etc."wpa_supplicant.conf".source = config.age.secrets.wpa_conf.path;
networking = {
useDHCP = true;
interfaces.enp5s0.useDHCP = false;
interfaces.enp5s0.wakeOnLan.enable = true;
interfaces.enp5s0.ipv4.addresses = [{
address = "192.168.1.201";
prefixLength = 24;
}];
defaultGateway = "192.168.1.1";
nameservers = [ "8.8.8.8" "8.8.4.4" ];
extraHosts = ''
10.100.0.1 sugarcane
'';
};
}

7
hosts/hyacinth/packages.nix
View file

@ -1,7 +0,0 @@
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [
discord
jetbrains.idea
texliveFull
];
}

28
hosts/sugarcane/default.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, inputs, modules, modulesPath, overlays, pkgs, ... }: {
networking.hostName = "sugarcane";
system.stateVersion = "21.11";
time.timeZone = "Asia/Singapore";
age.secrets = {
passwd.file = ../../secrets/passwd.age;
wg_sugarcane.file = ../../secrets/wg_sugarcane.age;
};
imports = with modules.system; [
(modulesPath + "/profiles/qemu-guest.nix")
inputs.home-manager-porcupine.nixosModule
base
home-manager
input
nix-stable
security
wireguard
./filesystem.nix
./kernel.nix
./networking.nix
./packages.nix
../../users/hana
];
}

29
hosts/sugarcane/filesystem.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, ... }:
let
bind = src: {
depends = [ "/nix" ];
device = src;
fsType = "none";
neededForBoot = true;
options = [ "bind" ];
};
in {
fileSystems = {
"/" = {
device = "rootfs";
fsType = "tmpfs";
options = [ "defaults" "size=1G" "mode=755" ];
};
"/nix" = {
device = "/dev/disk/by-uuid/19d572a8-1cf6-4b9c-94c6-3ce6be54f719";
fsType = "ext4";
options = [ "defaults" "noatime" ];
neededForBoot = true;
};
"/persist" = bind "/nix/persist";
"/var/log/journal" = bind "/nix/persist/journal";
"/boot" = bind "/nix/persist/boot";
};
}

17
hosts/sugarcane/kernel.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, inputs, pkgs, ... }: {
boot = {
loader = {
systemd-boot.enable = false;
efi.canTouchEfiVariables = true;
grub = {
enable = true;
device = "/dev/sda";
};
};
initrd.kernelModules = [ "nvme" ];
kernel.sysctl = {
"kernel.core_pattern" = "|/bin/false";
"kernel.sysrq" = 1;
};
};
}

11
hosts/sugarcane/networking.nix Normal file
View file

@ -0,0 +1,11 @@
{ config, ... }: {
networking = {
useDHCP = false;
interfaces.ens3.useDHCP = true;
extraHosts = ''
10.100.0.3 blossom
10.100.0.4 strawberry
'';
};
}

2
hosts/alyssum/packages.nix → hosts/sugarcane/packages.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }: {
{ lib, pkgs, ... }: {
environment.systemPackages = with pkgs; [
git
htop

13
modules/binds.nix
View file

@ -1,13 +0,0 @@
{ config, lib, ...}: {
imports = [ ./options.nix ];
fileSystems = lib.mapAttrs (dest: key: let
target = if (lib.strings.hasPrefix "/" key)
then key
else "/persist/binds/${key}";
in {
depends = [ "/persist" ];
device = target;
fsType = "none";
options = [ "bind" ];
}) config.me.binds;
}

29
modules/default.nix
View file

@ -14,31 +14,19 @@ let
}) paths
);
in {
binds = ./binds.nix;
options = ./options.nix;
services = mkAttrsFromPaths [
./services/banksia.nix
./services/jellyfin.nix
./services/nginx.nix
./services/postgres.nix
./services/sonarr.nix
./services/synapse.nix
./services/syncthing.nix
./services/tmptsync.nix
./services/transmission.nix
./services/unbound.nix
./services/vaultwarden.nix
./services/website.nix
];
system = mkAttrsFromPaths [
./system/aagl.nix
./system/audio.nix
./system/base.nix
./system/bluetooth.nix
./system/ccache.nix
./system/corectrl.nix
./system/docker.nix
./system/flatpak.nix
./system/greetd.nix
./system/gui.nix
./system/home-manager.nix
@ -47,34 +35,33 @@ in {
./system/nix.nix
./system/nix-stable.nix
./system/packages.nix
./system/printing.nix
./system/security.nix
./system/snapper.nix
./system/tailscale.nix
./system/virtualisation.nix
./system/transmission.nix
./system/wireguard.nix
];
user = mkAttrsFromPaths [
./user/catppuccin.nix
./user/comma.nix
./user/bspwm.nix
./user/direnv.nix
./user/dunst.nix
./user/eww.nix
./user/git.nix
./user/gpg.nix
./user/hypridle.nix
./user/hyprlock.nix
./user/kitty.nix
./user/mpv.nix
./user/neovim.nix
./user/neovim-minimal.nix
./user/npm.nix
./user/obs.nix
./user/packages-rin.nix
./user/pass.nix
./user/picom.nix
./user/polybar.nix
./user/rofi.nix
./user/sessionVariables.nix
./user/spicetify.nix
./user/sxhkd.nix
./user/theming.nix
./user/xdg.nix
./user/xorg.nix
./user/zsh.nix
];
}

53
modules/options.nix
View file

@ -1,53 +0,0 @@
{ config, lib, ... }:
let
inherit (lib)
mkOption
types;
in {
options.me = {
environment = mkOption {
type = types.enum [ "desktop" "laptop" "headless" ];
default = "desktop";
};
hasFingerprint = mkOption {
type = types.bool;
default = false;
};
gui = mkOption {
type = types.bool;
default = config.me.environment != "headless";
};
batteryDevice = mkOption {
type = with types; nullOr (uniq str);
default = null;
};
kbBacklightDevice = mkOption {
type = with types; nullOr (uniq str);
default = null;
};
hasBluetooth = mkOption {
type = types.bool;
default = config.me.environment == "laptop";
};
hasWifi = mkOption {
type = types.bool;
default = config.me.environment == "laptop";
};
hidpi = mkOption {
type = types.bool;
default = false;
};
binds = lib.mkOption {
type = with lib.types; attrsOf str;
default = {};
};
};
}

11
modules/services/banksia.nix
View file

@ -1,11 +0,0 @@
# TODO ^^
{ ... }: {
services.nginx.virtualHosts = {
"banksia.lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
locations."/".return = "302 https://lab.lava.moe/cilly/Banksia";
locations."/api".proxyPass = "http://localhost:8080/";
};
};
}

34
modules/services/nginx.nix
View file

@ -1,21 +1,17 @@
{ config, ... }: {
networking.firewall.allowedTCPPorts = [ 80 443 ];
{ config, inputs, ... }: {
security.acme = {
acceptTerms = true;
defaults = {
email = "me@lava.moe";
group = "nginx";
dnsProvider = "cloudflare";
environmentFile = config.age.secrets."acme_dns".path;
};
email = "me@lava.moe";
certs."lava.moe" = {
group = "nginx";
domain = "lava.moe";
extraDomainNames = [
"*.lava.moe"
"*.local.lava.moe"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."acme_dns".path;
};
certs."cilly.moe" = {};
certs."cilly.dev" = {};
};
services.nginx = {
@ -24,5 +20,23 @@
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
root = inputs.website.outPath;
};
"_" = {
default = true;
addSSL = true;
# TODO generate this somewhere
sslCertificate = "/persist/fakeCerts/fake.crt";
sslCertificateKey = "/persist/fakeCerts/fake.key";
extraConfig = ''
return 444;
'';
};
};
};
}

10
modules/services/postgres.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
{ config, ... }:
let
dir = "/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
uid = toString config.ids.uids.postgres;
@ -8,13 +8,5 @@ in {
services.postgresql = {
enable = true;
dataDir = dir;
# TODO: broken :3
package = pkgs.postgresql_13;
authentication = lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
};
}

23
modules/services/syncthing.nix
View file

@ -1,23 +0,0 @@
{ config, ... }:
let
dir = "/persist/shared/.syncthing";
user = if config.me.gui then "rin" else "hana";
uid = toString config.users.users."${user}".uid;
gid = toString config.users.groups.users.gid;
in
{
systemd.tmpfiles.rules = [
"d ${dir}/config 700 ${uid} ${gid}"
"d ${dir}/data 700 ${uid} ${gid}"
];
systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true";
services.syncthing = {
enable = true;
openDefaultPorts = true;
user = user;
group = "users";
dataDir = "/persist/shared/.syncthing/data";
configDir = "/persist/shared/.syncthing/config";
guiAddress = if config.me.gui then "127.0.0.1:8384" else ":8384";
};
}

27
modules/services/unbound.nix
View file

@ -1,17 +1,8 @@
{ inputs, pkgs, gcSecrets, ... }:
{ inputs, ... }:
let
dir = "/persist/unbound";
converted = pkgs.runCommand "stevenblack-hosts-unbound" {} ''
echo "server:" > "$out"
grep '^0\.0\.0\.0' "${inputs.stevenblack-hosts}/hosts" | awk '{print "local-zone: \""$2"\" always_refuse"}' | tail -n +2 >> "$out"
'';
in {
networking.firewall.interfaces."ve-+" = {
allowedUDPPorts = [ 53 853 ];
allowedTCPPorts = [ 53 853 ];
};
networking.firewall.interfaces.wg0 = {
networking.firewall.interfaces.wlan0 = {
allowedUDPPorts = [ 53 853 ];
allowedTCPPorts = [ 53 853 ];
};
@ -25,27 +16,17 @@ in {
name = ".";
forward-tls-upstream = true;
forward-addr = [
"2606:4700:4700::1111@853#cloudflare-dns.com"
"2606:4700:4700::1001@853#cloudflare-dns.com"
"2001:4860:4860::8888@853#dns.google"
"2001:4860:4860::8844@853#dns.google"
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
"8.8.8.8@853#dns.google"
"8.8.4.4@853#dns.google"
];
}];
server = {
interface = [ "0.0.0.0" "::0" ];
interface = [ "0.0.0.0" ];
access-control = [
"127.0.0.1/8 allow"
"10.0.0.0/8 allow"
"100.64.0.0/10 allow"
"192.168.100.0/24 allow"
"fd0d::/16 allow"
"fd7a:115c:a1e0::/48 allow"
"${gcSecrets.wireguard.ipv6Subnet}:/80 allow"
];
domain-insecure = [ "\"local.lava.moe\"" ];
local-zone = [ "\"warden.local.lava.moe.\" redirect" ];
@ -54,7 +35,7 @@ in {
];
};
include = "${converted}";
include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf";
};
};

43
modules/services/website.nix
View file

@ -1,43 +0,0 @@
{ inputs, pkgs, ... }: let
pastel = inputs.pastel.packages.${pkgs.system}.default;
in {
services.nginx.virtualHosts = {
"cilly.moe" = {
useACMEHost = "cilly.moe";
forceSSL = true;
root = pastel.outPath;
};
"cilly.dev" = {
useACMEHost = "cilly.dev";
forceSSL = true;
root = pastel.outPath;
};
"lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
root = inputs.website.outPath;
};
"cdn.lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
extraConfig = ''
return 301 https://sh.lava.moe$request_uri;
'';
};
"sh.lava.moe" = {
useACMEHost = "lava.moe";
forceSSL = true;
root = "/persist/cdn";
};
"_" = {
default = true;
addSSL = true;
# TODO generate this somewhere
sslCertificate = "/persist/fakeCerts/fake.crt";
sslCertificateKey = "/persist/fakeCerts/fake.key";
extraConfig = ''
return 444;
'';
};
};
}

6
modules/system/aagl.nix
View file

@ -1,6 +0,0 @@
{ inputs, ... }: {
imports = [ inputs.aagl.nixosModules.default ];
nix.settings = inputs.aagl.nixConfig;
programs.anime-game-launcher.enable = true;
programs.sleepy-launcher.enable = true;
}

94
modules/system/audio.nix
View file

@ -17,6 +17,7 @@ let
rate = toString int.rate;
};
in {
sound.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
@ -24,32 +25,18 @@ in {
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
services.pipewire.extraConfig.pipewire = {
"context.properties" = {
"default.clock.rate" = int.rate;
"default.clock.quantum" = int.quantum.def;
"default.clock.min-quantum" = int.quantum.min;
"default.clock.max-quantum" = int.quantum.max;
};
"context.modules" = [
{
name = "libpipewire-module-rtkit";
args = {
"nice.level" = -15;
"rt.prio" = 88;
"rt.time.soft" = 200000;
"rt.time.hard" = 200000;
};
}
];
"stream.properties" = {
"node.latency" = "${str.quantum.min}/${str.rate}";
"resample.quality" = 1;
};
};
services.pipewire.extraConfig.pipewire-pulse = {
config.pipewire = {
"context.properties" = {
"link.max-buffers" = 16;
"default.clock.rate" = int.rate;
"default.clock.quantum" = int.quantum.def;
"default.clock.min-quantum" = int.quantum.min;
"default.clock.max-quantum" = int.quantum.max;
"core.daemon" = true;
"core.name" = "pipewire-0";
};
"context.modules" = [
{
name = "libpipewire-module-rtkit";
@ -59,15 +46,57 @@ in {
"rt.time.soft" = 200000;
"rt.time.hard" = 200000;
};
flags = [ "ifexists" "nofail" ];
}
{ name = "libpipewire-module-protocol-native"; }
{ name = "libpipewire-module-profiler"; }
{ name = "libpipewire-module-metadata"; }
{ name = "libpipewire-module-spa-device-factory"; }
{ name = "libpipewire-module-spa-node-factory"; }
{ name = "libpipewire-module-client-node"; }
{ name = "libpipewire-module-client-device"; }
{
name = "libpipewire-module-portal";
flags = [ "ifexists" "nofail" ];
}
{ name = "libpipewire-module-access"; args = {}; }
{ name = "libpipewire-module-adapter"; }
{ name = "libpipewire-module-link-factory"; }
{ name = "libpipewire-module-session-manager"; }
];
"stream.properties" = {
"node.latency" = "${str.quantum.min}/${str.rate}";
"resample.quality" = 1;
};
};
config.pipewire-pulse = {
"context.modules" = [
{
name = "libpipewire-module-rtkit";
args = {
"nice.level" = -15;
"rt.prio" = 88;
"rt.time.soft" = 200000;
"rt.time.hard" = 200000;
};
flags = [ "ifexists" "nofail" ];
}
{ name = "libpipewire-module-protocol-native"; }
{ name = "libpipewire-module-client-node"; }
{ name = "libpipewire-module-adapter"; }
{ name = "libpipewire-module-metadata"; }
{
name = "libpipewire-module-protocol-pulse";
args = {
"pulse.min.req" = "${str.quantum.min}/${str.rate}";
"pulse.default.req" = "${str.quantum.def}/${str.rate}";
"pulse.max.req" = "${str.quantum.max}/${str.rate}";
"pulse.min.quantum" = "${str.quantum.min}/${str.rate}";
"pulse.max.quantum" = "${str.quantum.max}/${str.rate}";
"server.address" = [ "unix:native" ];
};
}
];
"pulse.properties" = {
"pulse.min.req" = "${str.quantum.min}/${str.rate}";
"pulse.default.req" = "${str.quantum.def}/${str.rate}";
"pulse.max.req" = "${str.quantum.max}/${str.rate}";
"pulse.min.quantum" = "${str.quantum.min}/${str.rate}";
"pulse.max.quantum" = "${str.quantum.max}/${str.rate}";
};
"pulse.rules" = [
{
# Discord notification sounds fix
@ -83,6 +112,7 @@ in {
"node.latency" = "${str.quantum.min}/${str.rate}";
"resample.quality" = 1;
};
};
};
}

9
modules/system/base.nix
View file

@ -1,6 +1,4 @@
{ config, inputs, modules, ... }: {
imports = [ modules.binds modules.options ];
{ config, enableGUI, inputs, modules, overlays, ... }: {
environment.etc = {
"machine-id".source = "/persist/machine-id";
"ssh/ssh_host_rsa_key".source = "/persist/ssh_host_rsa_key";
@ -10,9 +8,7 @@
};
environment.pathsToLink = [ "/share/zsh" ];
i18n.defaultLocale = "en_AU.UTF-8";
i18n.extraLocales = [ "en_GB.UTF-8/UTF-8" ];
i18n.defaultLocale = "en_GB.UTF-8";
users.mutableUsers = false;
system = {
@ -23,5 +19,6 @@
};
};
nix.registry.config.flake = inputs.self;
nix.registry.nixpkgs.flake = inputs.nixpkgs;
nix.registry.shells.flake = inputs.self;
}

6
modules/system/bluetooth.nix
View file

@ -1,6 +0,0 @@
{ ... }: {
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
};
}

3
modules/system/ccache.nix
View file

@ -1,3 +0,0 @@
{ config, ... }: {
programs.ccache.enable = true;
}

5
modules/system/corectrl.nix
View file

@ -1,5 +0,0 @@
{ ... }: {
programs.corectrl = {
enable = true;
};
}

13
modules/system/docker.nix
View file

@ -1,13 +0,0 @@
{ pkgs, ... }: {
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
# rootless = {
# enable = true;
# setSocketVariable = true;
# };
};
environment.systemPackages = [
pkgs.docker-compose
];
}

8
modules/system/flatpak.nix
View file

@ -1,8 +0,0 @@
{ pkgs, ... }: {
services.flatpak.enable = true;
xdg.portal = {
enable = true;
extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
config.common.default = "*";
};
}

11
modules/system/greetd.nix
View file

@ -1,18 +1,11 @@
{ pkgs, ... }: {
{ pkgs, lib, ... }: {
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${pkgs.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && Hyprland > $XDG_RUNTIME_DIR/Hyprland.out\"'";
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --remember --asterisks --time --cmd 'zsh -c \"source $HOME/.config/zsh/.zshrc && startx\"'";
user = "greeter";
};
initial_session = {
command = "${pkgs.writeShellScript "launch.sh" ''
zsh -c "source $HOME/.config/zsh/.zshrc && Hyprland > \"$XDG_RUNTIME_DIR/Hyprland.out\""
''}";
user = "rin";
};
};
};
}

21
modules/system/gui.nix
View file

@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }: {
fonts = {
enableDefaultPackages = true;
enableDefaultFonts = true;
fontconfig = {
defaultFonts = {
serif = [ "NotoSerif" ];
@ -8,13 +8,15 @@
monospace = [ "CascadiaCode" ];
};
};
packages = with pkgs; [
material-symbols
material-icons
fonts = with pkgs; [
cascadia-code
font-awesome
font-awesome_4
hanazono
material-icons
noto-fonts
noto-fonts-cjk-sans
noto-fonts-cjk
noto-fonts-extra
open-sans
twemoji-color-font
unifont
@ -22,10 +24,11 @@
};
services.xserver = {
enable = true;
displayManager.lightdm.enable = lib.mkForce false;
autorun = false;
displayManager = {
lightdm.enable = lib.mkForce false;
startx.enable = true;
};
desktopManager.xterm.enable = false;
};
programs.hyprland.enable = true;
security.pam.services.hyprlock = {};
}

13
modules/system/home-manager.nix
View file

@ -1,19 +1,10 @@
{ config, inputs, modules, ... }: {
imports = [
inputs.home-manager.nixosModules.home-manager
];
{ config, enableGUI, inputs, modules, ... }: {
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = {
inherit inputs modules;
inherit enableGUI inputs modules;
sysConfig = config;
};
sharedModules = [
{
imports = [ modules.options ];
config.me = config.me;
}
];
};
}

21
modules/system/input.nix
View file

@ -1,4 +1,4 @@
{ ... }: {
{ config, lib, pkgs, ... }: {
services.xserver = {
displayManager = {
xserverArgs = [
@ -6,19 +6,14 @@
"-arinterval 15"
];
};
};
services.keyd = {
enable = true;
keyboards = {
default = {
ids = [ "*" ];
settings = {
main = {
capslock = "esc";
esc = "capslock";
};
};
libinput = {
enable = true;
mouse = {
accelSpeed = "0";
accelProfile = "flat";
};
};
xkbOptions = "caps:escape";
};
console.useXkbConfig = true;
}

7
modules/system/kernel.nix
View file

@ -9,10 +9,9 @@
"kernel.core_pattern" = "|/bin/false";
"kernel.sysrq" = 1;
};
loader.grub.useOSProber = true;
};
hardware.enableRedistributableFirmware = true;
zramSwap = {
enable = true;
priority = 100;
};
powerManagement.cpuFreqGovernor = "ondemand";
zramSwap.enable = true;
}

25
modules/system/nix-stable.nix
View file

@ -1,23 +1,18 @@
{ config, lib, pkgs, ... }: {
nix = {
package = pkgs.nixVersions.latest;
settings = rec {
substituters = [
"https://cache.nixos.org?priority=10"
"https://lava.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"lava.cachix.org-1:8lTWI/3IKWHByzzYHZySunMPYs2eAJw2duL+uLZkSy0="
];
trusted-substituters = substituters;
};
nix = rec {
binaryCaches = [
"https://cache.nixos.org?priority=10"
"https://lava.cachix.org"
];
binaryCachePublicKeys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"lava.cachix.org-1:8lTWI/3IKWHByzzYHZySunMPYs2eAJw2duL+uLZkSy0="
];
trustedBinaryCaches = binaryCaches;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
nixpkgs.config.allowUnfree = true;
programs.nh.enable = true;
}

8
modules/system/nix.nix
View file

@ -1,10 +1,8 @@
{ config, inputs, pkgs, ... }: {
{ config, lib, pkgs, ... }: {
nix = {
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
package = pkgs.nixVersions.latest;
package = pkgs.nixUnstable;
settings = rec {
extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
substituters = [
"https://cache.nixos.org?priority=10"
"https://lava.cachix.org"
@ -16,7 +14,6 @@
"nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
];
trusted-substituters = substituters;
trusted-users = [ "root" "rin" ];
};
extraOptions = ''
@ -24,5 +21,4 @@
'';
};
nixpkgs.config.allowUnfree = true;
programs.nh.enable = true;
}

26
modules/system/packages-gui.nix
View file

@ -1,26 +0,0 @@
{ config, lib, pkgs, ... }: {
config = lib.mkIf config.me.gui {
environment.systemPackages = with pkgs; [
android-tools
gparted
nautilus
];
hardware.graphics.extraPackages = with pkgs; [
intel-vaapi-driver
libva-vdpau-driver
libvdpau-va-gl
];
hardware.opentabletdriver.enable = true;
hardware.keyboard.qmk.enable = true;
programs.steam = {
enable = true;
package = pkgs.steam.override {
extraPkgs = pkgs: with pkgs; [
gsettings-desktop-schemas
];
};
};
services.dbus.packages = [ pkgs.dconf pkgs.gcr ];
services.gnome.sushi.enable = true;
};
}

28
modules/system/packages.nix
View file

@ -1,14 +1,9 @@
{ pkgs, ... }: {
imports = [ ./packages-gui.nix ];
{ config, enableGUI, lib, pkgs, ... }: {
environment.systemPackages = with pkgs; [
# ecryptfs
efibootmgr
fd
git
git-crypt
htop
jq
kitty.terminfo
libarchive
lf
msr-tools
@ -16,10 +11,27 @@
neovim
nfs-utils
ntfs3g
ripgrep
rsync
sshfs
rsync
wget
] ++ lib.optionals enableGUI [
gparted
gnome.nautilus
];
environment.variables.EDITOR = "nvim";
programs.adb.enable = true;
}
// (if !enableGUI then {} else {
hardware.opengl.extraPackages = with pkgs; [
vaapiIntel
vaapiVdpau
libvdpau-va-gl
rocm-opencl-icd
rocm-opencl-runtime
];
programs.light.enable = true;
hardware.opentabletdriver.enable = true;
programs.steam.enable = true;
services.dbus.packages = [ pkgs.dconf pkgs.gcr ];
services.gnome.sushi.enable = true;
})

9
modules/system/printing.nix
View file

@ -1,9 +0,0 @@
{ pkgs, ... }: {
services.printing = {
enable = true;
drivers = with pkgs; [
epson-escpr
#me.epson-201112j
];
};
}

51
modules/system/security.nix
View file

@ -1,29 +1,16 @@
{ config, lib, pkgs, ... }: {
networking.firewall =
let
iptables = "${pkgs.iptables}/bin/iptables";
genCmds = type: ''
${iptables} -${type} nixos-fw -p tcp --source 192.168.0.0/16 -j nixos-fw-accept ${if type == "D" then " || true" else ""}
${iptables} -${type} nixos-fw -p udp --source 192.168.0.0/16 -j nixos-fw-accept ${if type == "D" then " || true" else ""}
'';
in {
{ config, pkgs, ... }: {
networking.firewall = {
enable = true;
allowedUDPPortRanges = [ { from = 20000; to = 20100; } ];
allowedTCPPortRanges = [ { from = 20000; to = 20100; } ];
trustedInterfaces = [ "wg0" ];
logRefusedConnections = false;
extraCommands = genCmds "I";
extraStopCommands = genCmds "D";
};
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
X11Forwarding = true;
};
permitRootLogin = "no";
passwordAuthentication = false;
forwardX11 = true;
hostKeys = [
{
@ -53,33 +40,5 @@
}
];
};
pam = lib.mkIf (config.me.environment != "headless") {
u2f = {
enable = true;
settings = {
cue = true;
pinverification = 1;
};
};
services.doas.rules.auth = {
u2f.settings.pinverification = lib.mkForce 0;
u2f_int = lib.mkMerge [
{
enable = true;
order = config.security.pam.services.doas.rules.auth.u2f.order + 1;
control = "sufficient";
modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so";
inherit (config.security.pam.u2f) settings;
}
{
settings = lib.mkForce {
interactive = true;
pinverification = 0;
userpresence = 0;
};
}
];
};
};
};
}

22
modules/system/snapper.nix
View file

@ -2,16 +2,18 @@
services.snapper = {
cleanupInterval = "1h";
configs.home = {
FSTYPE = "btrfs";
SUBVOLUME = "/home";
TIMELINE_CLEANUP = true;
TIMELINE_CREATE = true;
TIMELINE_MIN_AGE = "1800";
TIMELINE_LIMIT_HOURLY = "5";
TIMELINE_LIMIT_DAILY = "7";
TIMELINE_LIMIT_WEEKLY = "0";
TIMELINE_LIMIT_MONTHLY = "0";
TIMELINE_LIMIT_YEARLY = "0";
fstype = "btrfs";
subvolume = "/home";
extraConfig = lib.concatStringsSep "\n" (lib.mapAttrsToList (k: v: "${k}=${v}") {
TIMELINE_CLEANUP = "yes";
TIMELINE_CREATE = "yes";
TIMELINE_MIN_AGE = "1800";
TIMELINE_LIMIT_HOURLY = "5";
TIMELINE_LIMIT_DAILY = "7";
TIMELINE_LIMIT_WEEKLY = "0";
TIMELINE_LIMIT_MONTHLY = "0";
TIMELINE_LIMIT_YEARLY = "0";
});
};
};
}

13
modules/system/tailscale.nix
View file

@ -1,13 +0,0 @@
{ config, lib, ... }: {
age.secrets.tailscale_auth.file = ../../secrets/tailscale_auth.age;
me.binds."/var/lib/tailscale" = "tailscale";
networking.firewall.trustedInterfaces = [ "tailscale0" ];
networking.firewall.allowedUDPPorts = lib.mkIf (config.me.environment == "headless") [ 123 ];
services.tailscale = {
enable = true;
authKeyFile = config.age.secrets.tailscale_auth.path;
openFirewall = true;
useRoutingFeatures = if config.me.environment == "headless" then "both" else "client";
};
}

7
modules/services/transmission.nix → modules/system/transmission.nix
View file

@ -5,6 +5,13 @@
downloadDirPermissions = "775";
openFirewall = true;
settings = {
alt-speed-down = 512;
alt-speed-enabled = true;
alt-speed-time-begin = 360;
alt-speed-time-day = 127;
alt-speed-time-enabled = true;
alt-speed-time-end = 1380;
alt-speed-up = 256;
download-dir = "/persist/transmission/Downloads";
incomplete-dir = "/persist/transmission/.incomplete";
ratio-limit-enabled = true;

9
modules/system/virtualisation.nix
View file

@ -1,9 +0,0 @@
{ pkgs, ... }: {
virtualisation = {
spiceUSBRedirection.enable = true;
libvirtd = {
enable = true;
qemu.package = pkgs.qemu_kvm.override { smbdSupport = true; };
};
};
}

122
modules/system/wireguard.nix
View file

@ -1,11 +1,13 @@
{ config, lib, pkgs, gcSecrets, ... }:
{ config, lib, pkgs, ... }:
let
port = 51801;
serverName = "dandelion";
serverInterface = "enp0s6";
serverIp = gcSecrets.wireguard.gateway;
port = 51820;
serverName = "sugarcane";
serverInterface = "ens3";
serverIp = "51.79.240.130";
forwarding = {
"80" = [ "10.100.0.2" "80" ];
"443" = [ "10.100.0.2" "443" ];
"22727" = [ "10.100.0.3" "7777" ];
};
@ -18,61 +20,48 @@ let
in ''
${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p tcp --dport ${sport} -j DNAT --to ${dest}:${dport}
${pkgs.iptables}/bin/iptables -${type} FORWARD -p tcp -d ${dest} --dport ${dport} -j ACCEPT
${pkgs.iptables}/bin/iptables -${type} PREROUTING -t nat -i ${serverInterface} -p udp --dport ${sport} -j DNAT --to ${dest}:${dport}
${pkgs.iptables}/bin/iptables -${type} FORWARD -p udp -d ${dest} --dport ${dport} -j ACCEPT
'') forwarding
);
clients = {
hyacinth = {
publicKey = "6nVhazYdmC15A/nke9VrqIg3sOBVOmqj4GEsyBq7MVo=";
allowedIPs = [ "10.100.0.3/32" "${gcSecrets.wireguard.ipv6Subnet}:3" "fd0d::3" ];
interfaces = {
wg0 = { peers = [ server6OnlyPeer ]; };
wg1 = { peers = [ serverPeer ]; autostart = false; };
wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
};
routeBypass = {
caramel = {
gateway = "192.168.100.1";
interface = "wlan0";
routes = [
serverIp
];
};
anemone = {
publicKey = "px5+JNdAmqBvUC++DhiJrUBRAr+BYP6iYVt4sbhPTWY=";
allowedIPs = [ "10.100.0.4/32" "${gcSecrets.wireguard.ipv6Subnet}:4" "fd0d::4" ];
interfaces = {
wg0 = { peers = [ server6OnlyPeer ]; };
wg1 = { peers = [ serverPeer ]; autostart = false; };
wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
};
};
hibiscus = {
publicKey = "vQ5a2KMrwi7RCRsD0yvog+n35vQYFuvwiPn+W4lbRBw=";
allowedIPs = [ "10.100.0.5/32" "${gcSecrets.wireguard.ipv6Subnet}:5" "fd0d::5" ];
interfaces = {
wg0 = { peers = [ server6OnlyPeer ]; };
wg1 = { peers = [ serverPeer ]; autostart = false; };
wg2 = { peers = [ serverLocalOnlyPeer ]; autostart = false; };
};
};
hazel = {
publicKey = "0zruTndObzHo+b1rbOuTsxCU97epygZycxXS/lgUHUc=";
allowedIPs = [ "10.100.0.21/32" "${gcSecrets.wireguard.ipv6Subnet}:21" "fd0d::21" ];
interfaces = {
wg0 = {
dns = [ "::1" "127.0.0.1" ];
peers = [ serverLocalOnlyPeer ];
};
};
blossom = {
gateway = "192.168.100.1";
interface = "wlp3s0";
routes = [
serverIp
];
};
};
clientPeers = builtins.map (client: builtins.removeAttrs client [ "interfaces" ]) (builtins.attrValues clients);
serverPeerWith = ips: {
clients = {
caramel = {
publicKey = "VDqcpS0lJzFgwikj61MJ1xc9P8Cuq0NXa+Hc+etn2iA=";
allowedIPs = [ "10.100.0.2/32" ];
};
blossom = {
publicKey = "6nVhazYdmC15A/nke9VrqIg3sOBVOmqj4GEsyBq7MVo=";
allowedIPs = [ "10.100.0.3/32" ];
};
strawberry = {
publicKey = "Fkcp/VSN4Dkhly8V4hskF4lnDviA7VZHCnWf7OliFCg=";
allowedIPs = [ "10.100.0.4/32" ];
};
};
clientPeers = builtins.attrValues clients;
serverPeer = {
publicKey = "3ugIk2tQZXjAH9/95s63ld2WNUHQrd4Mz5jzbln6oj0=";
allowedIPs = ips;
allowedIPs = [ "0.0.0.0/0" ];
endpoint = "${serverIp}:${toString port}";
persistentKeepalive = 25;
};
serverPeer = serverPeerWith [ "0.0.0.0/0" "::/0" ];
server6OnlyPeer = serverPeerWith [ "10.100.0.0/24" "::/0" ];
serverLocalOnlyPeer = serverPeerWith [ "10.100.0.0/24" "fd0d::/16" ];
serverConfig = {
nat = {
@ -86,7 +75,7 @@ let
};
wireguard.interfaces.wg0 = {
ips = [ "10.100.0.1/24" "${gcSecrets.wireguard.ipv6Subnet}:1" "fd0d::1" ];
ips = [ "10.100.0.1/24" ];
listenPort = port;
postSetup = ''
@ -104,24 +93,33 @@ let
};
clientConfig = {
wg-quick.interfaces =
wireguard.interfaces.wg0 =
let
client = clients."${config.networking.hostName}";
in
builtins.mapAttrs (interface: conf: {
address = client.allowedIPs;
dns = [ "fd0d::1" "10.100.0.1" ];
privateKeyFile = config.age.secrets."wg_${config.networking.hostName}".path;
} // conf) client.interfaces;
routes = routeBypass."${config.networking.hostName}";
mapRoutes = type: lib.concatMapStringsSep "\n" (r: "${pkgs.iproute2}/bin/ip route ${type} ${r} via ${routes.gateway} dev ${routes.interface}") routes.routes;
in {
ips = client.allowedIPs;
listenPort = port;
postSetup = ''
${mapRoutes "add"}
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
'';
postShutdown = ''
${mapRoutes "del"}
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${serverInterface} -j MASQUERADE
'';
privateKeyFile = config.age.secrets."wg_${config.networking.hostName}".path;
peers = [ serverPeer ];
};
};
in {
boot.kernel.sysctl = lib.mkIf (config.networking.hostName == serverName) ({
"net.ipv6.conf.all.forwarding" = true;
"net.ipv6.conf.default.forwarding" = true;
});
networking =
lib.mkMerge [
(lib.mkIf (config.networking.hostName == serverName) serverConfig)
(lib.mkIf (config.networking.hostName != serverName) clientConfig)
(lib.mkIf (builtins.hasAttr config.networking.hostName clients) clientConfig)
];
}

Some files were not shown because too many files have changed in this diff Show more