diff --git a/flake.nix b/flake.nix
index 6b0aef3..f318d3b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -120,6 +120,29 @@ allowUnfreePredicate = _: true; }; };
+
+ sharedModules = [
+ {_module.args = {inherit pkgs-edge;};}
+ sops-nix.nixosModules.sops
+ disko.nixosModules.disko
+ home-manager.nixosModules.home-manager
+ catppuccin.nixosModules.catppuccin
+ stylix.nixosModules.stylix
+ nix-index-database.nixosModules.nix-index
+ {
+ home-manager.sharedModules = [
+ inputs.catppuccin.homeManagerModules.catppuccin
+ ];
+ }
+ ];
+
+ desktopModules = [
+ {
+ home-manager.sharedModules = [
+ inputs.plasma-manager.homeManagerModules.plasma-manager
+ ];
+ }
+ ];
 in { # Your custom packages # Accessible through 'nix build', 'nix shell', etc
@@ -148,152 +171,64 @@ EDI = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = {inherit inputs outputs;}; - modules = [ - {_module.args = {inherit pkgs-edge;};} - nixos-hardware.nixosModules.dell-xps-13-7390 - # > Our main nixos configuration file < - ./nixos/hosts/EDI/configuration.nix - sops-nix.nixosModules.sops - lanzaboote.nixosModules.lanzaboote - disko.nixosModules.disko - home-manager.nixosModules.home-manager - nix-index-database.nixosModules.nix-index - catppuccin.nixosModules.catppuccin - stylix.nixosModules.stylix - { - home-manager.sharedModules = [ - inputs.catppuccin.homeManagerModules.catppuccin - inputs.plasma-manager.homeManagerModules.plasma-manager - ]; - } - ]; + modules = + sharedModules + ++ desktopModules + ++ [ + nixos-hardware.nixosModules.dell-xps-13-7390 + lanzaboote.nixosModules.lanzaboote + # > Our main nixos configuration file < + ./nixos/hosts/EDI/configuration.nix + ]; }; GLaDOS = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = {inherit inputs outputs;}; - modules = [ - {_module.args = {inherit pkgs-edge;};} - # > Our main nixos configuration file < - ./nixos/hosts/GLaDOS/configuration.nix - sops-nix.nixosModules.sops - #lanzaboote.nixosModules.lanzaboote - disko.nixosModules.disko - home-manager.nixosModules.home-manager - nix-index-database.nixosModules.nix-index - catppuccin.nixosModules.catppuccin - stylix.nixosModules.stylix - { - home-manager.sharedModules = [ - inputs.catppuccin.homeManagerModules.catppuccin - inputs.plasma-manager.homeManagerModules.plasma-manager - ]; - } - ]; + modules = + sharedModules + ++ desktopModules + ++ [ + # > Our main nixos configuration file < + ./nixos/hosts/GLaDOS/configuration.nix + ]; }; queen = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = {inherit inputs outputs;}; - modules = [ - {_module.args = {inherit pkgs-edge;};} - # > Our main nixos configuration file < - ./nixos/hosts/queen/configuration.nix - sops-nix.nixosModules.sops - 
disko.nixosModules.disko - simple-nixos-mailserver.nixosModule - catppuccin.nixosModules.catppuccin - stylix.nixosModules.stylix - { - home-manager.sharedModules = [ - inputs.catppuccin.homeManagerModules.catppuccin - ]; - } - ]; + modules = + sharedModules + ++ [ + simple-nixos-mailserver.nixosModule + # > Our main nixos configuration file < + ./nixos/hosts/queen/configuration.nix + ]; }; shodan = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = {inherit inputs outputs;}; - modules = [ - {_module.args = {inherit pkgs-edge;};} - # > Our main nixos configuration file < - ./nixos/hosts/shodan/configuration.nix - sops-nix.nixosModules.sops - lanzaboote.nixosModules.lanzaboote - disko.nixosModules.disko - jovian.nixosModules.jovian - home-manager.nixosModules.home-manager - catppuccin.nixosModules.catppuccin - stylix.nixosModules.stylix - { - home-manager.sharedModules = [ - inputs.catppuccin.homeManagerModules.catppuccin - inputs.plasma-manager.homeManagerModules.plasma-manager - ]; - } - ]; + modules = + sharedModules + ++ desktopModules + ++ [ + # > Our main nixos configuration file < + ./nixos/hosts/shodan/configuration.nix + lanzaboote.nixosModules.lanzaboote + jovian.nixosModules.jovian + ]; }; wheatley = nixpkgs.lib.nixosSystem { system = "aarch64-linux"; specialArgs = {inherit inputs outputs;}; - modules = [ - ./nixos/hosts/wheatley/configuration.nix - sops-nix.nixosModules.sops - home-manager.nixosModules.home-manager - nixos-hardware.nixosModules.raspberry-pi-4 - nix-index-database.nixosModules.nix-index - catppuccin.nixosModules.catppuccin - stylix.nixosModules.stylix - { - home-manager.sharedModules = [ - inputs.catppuccin.homeManagerModules.catppuccin - ]; - } - ]; + modules = + sharedModules + ++ [ + ./nixos/hosts/wheatley/configuration.nix + ]; }; - - # ISO = nixpkgs.lib.nixosSystem { - # system = "x86_64-linux"; - # specialArgs = {inherit inputs outputs;}; - # modules = [ - # {_module.args = {inherit pkgs-edge;};} - # 
"${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix" - # "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix" - # ./nixos/hosts/iso/configuration.nix - # sops-nix.nixosModules.sops - # home-manager.nixosModules.home-manager - # nix-index-database.nixosModules.nix-index - # catppuccin.nixosModules.catppuccin - # { - # home-manager.sharedModules = [ - # inputs.plasma-manager.homeManagerModules.plasma-manager - # inputs.catppuccin.homeManagerModules.catppuccin - # ]; - # } - # ]; - # }; - - # iso_server = nixpkgs.lib.nixosSystem { - # system = "x86_64-linux"; - # specialArgs = {inherit inputs outputs;}; - # modules = [ - # {_module.args = {inherit pkgs-edge;};} - # "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix" - # "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix" - # ./nixos/hosts/iso_server/configuration.nix - # sops-nix.nixosModules.sops - # home-manager.nixosModules.home-manager - # nix-index-database.nixosModules.nix-index - # catppuccin.nixosModules.catppuccin - # { - # home-manager.sharedModules = [ - # inputs.catppuccin.homeManagerModules.catppuccin - # ]; - # } - # ]; - # }; }; }; } diff --git a/home-manager/desktop/default.nix b/home-manager/desktop/default.nix index 4b63c42..6f8ee60 100644 --- a/home-manager/desktop/default.nix +++ b/home-manager/desktop/default.nix @@ -15,7 +15,6 @@ ./package-configs/foot ]; nixpkgs = { - config.permittedInsecurePackages = ["cinny-4.2.3" "cinny-unwrapped-4.2.3" "cinny-4.2.2" "cinny-unwrapped-4.2.2"]; # You can add overlays here overlays = [ # You can also add overlays exported from other flakes: @@ -54,8 +53,10 @@ }); }) ]; - # Configure your nixpkgs instance config = { + permittedInsecurePackages = ["cinny-4.2.3" "cinny-unwrapped-4.2.3" "cinny-4.2.2" "cinny-unwrapped-4.2.2"]; + # Configure your nixpkgs instance + # Disable if you don't want unfree packages allowUnfree = true; }; 
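Review bot: The wheatley entry loses `nixos-hardware.nixosModules.raspberry-pi-4`: the old list had it, the new `sharedModules ++ [ ./nixos/hosts/wheatley/configuration.nix ]` does not re-add it, and it is not in `sharedModules`, so unless that module is imported from wheatley's configuration.nix (not visible here) the Pi loses its hardware tweaks on the next rebuild; restore it as `++ [ nixos-hardware.nixosModules.raspberry-pi-4 ./nixos/hosts/wheatley/configuration.nix ]`. The refactor is also not purely mechanical in the other direction: wheatley now evaluates `disko` and receives the `pkgs-edge` argument (presumably built for x86_64-linux, so check before using it on the aarch64 host), queen gains `home-manager.nixosModules.home-manager` and `nix-index-database`, and shodan gains `nix-index-database`. If that widening is intended, a one-line comment above `sharedModules` saying every host evaluates all of these would stop the next reader from treating it as accidental. Dropping the already-commented `ISO`/`iso_server` blocks is harmless.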
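Review bot: `permittedInsecurePackages` whitelists four cinny builds that nixpkgs has marked insecure, but nothing next to the list records why the exception is acceptable or when it should be removed, so it will quietly outlive the fix. Add a comment naming the reason nixpkgs gives (the package's `knownVulnerabilities` entry) and a removal condition, e.g. `# cinny <= 4.2.3 is marked insecure in nixpkgs (see its knownVulnerabilities); drop once a fixed release is packaged.` Both 4.2.2 and 4.2.3 are listed; if only the newer build is still installed, the two 4.2.2 entries can go. The enclosing `nixpkgs = { ... }` attrset starts and ends outside the hunk.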
@@ -132,71 +133,69 @@ firefoxpwa ungoogled-chromium ]; + programs = { + # vscode = { + # enable = true; + # package = pkgs.vscodium; + # extensions = with pkgs.vscode-extensions; [ + # catppuccin.catppuccin-vsc + # catppuccin.catppuccin-vsc-icons + # charliermarsh.ruff + # eamodio.gitlens + # github.vscode-pull-request-github + # jnoortheen.nix-ide + # kamadorueda.alejandra + # mkhl.direnv + # ms-toolsai.jupyter + # ms-pyright.pyright + # oderwat.indent-rainbow + # rust-lang.rust-analyzer + # yzhang.markdown-all-in-one + # ]; + # }; - # programs.vscode = { - # enable = true; - # package = pkgs.vscodium; - # extensions = with pkgs.vscode-extensions; [ - # catppuccin.catppuccin-vsc - # catppuccin.catppuccin-vsc-icons - # charliermarsh.ruff - # eamodio.gitlens - # github.vscode-pull-request-github - # jnoortheen.nix-ide - # kamadorueda.alejandra - # mkhl.direnv - # ms-toolsai.jupyter - # ms-pyright.pyright - # oderwat.indent-rainbow - # rust-lang.rust-analyzer - # yzhang.markdown-all-in-one - # ]; - # }; - - programs.obs-studio = { - enable = true; - plugins = with pkgs.obs-studio-plugins; [ + obs-studio.enable = true; + obs-studio.plugins = with pkgs.obs-studio-plugins; [ wlrobs obs-backgroundremoval obs-pipewire-audio-capture ]; - }; - # Enable home-manager and git - programs.home-manager.enable = true; - programs.git = { - enable = true; - userEmail = "git@lillianviolet.dev"; - userName = "Lillian-Violet"; - extraConfig = { - init = { - defaultBranch = "main"; + # Enable home-manager and git + home-manager.enable = true; + git = { + enable = true; + userEmail = "git@lillianviolet.dev"; + userName = "Lillian-Violet"; + extraConfig = { + init = { + defaultBranch = "main"; + }; }; + ignores = [ + "*.direnv" + "*.vscode" + ".envrc" + "venv" + "venv" + ]; }; - ignores = [ - "*.direnv" - "*.vscode" - ".envrc" - "venv" - "venv" - ]; - }; - programs.gpg.enable = true; - programs.gpg.settings = { - default-key = "0d43 5407 034c 2ad9 2d42 799d 280e 061d ff60 0f0d"; - 
default-recipient-self = true; - auto-key-locate = "local,wkd,keyserver"; - keyserver = "hkps://keys.openpgp.org"; - auto-key-retrieve = true; - auto-key-import = true; - keyserver-options = "honor-keyserver-url"; - no-autostart = true; + gpg.enable = true; + gpg.settings = { + default-key = "0d43 5407 034c 2ad9 2d42 799d 280e 061d ff60 0f0d"; + default-recipient-self = true; + auto-key-locate = "local,wkd,keyserver"; + keyserver = "hkps://keys.openpgp.org"; + auto-key-retrieve = true; + auto-key-import = true; + keyserver-options = "honor-keyserver-url"; + no-autostart = true; + }; }; - - services.kdeconnect = { - package = pkgs.kdePackages.kdeconnect-kde; - enable = true; + services = { + kdeconnect.package = pkgs.kdePackages.kdeconnect-kde; + kdeconnect.enable = true; }; # Nicely reload system units when changing configs diff --git a/home-manager/hosts/shodan/lillian.nix b/home-manager/hosts/shodan/lillian.nix index 264a93a..adb4ccd 100644 --- a/home-manager/hosts/shodan/lillian.nix +++ b/home-manager/hosts/shodan/lillian.nix @@ -84,22 +84,23 @@ firefox ungoogled-chromium ]; + programs = { + # # Automount services for user + # programs.bashmount.enable = true; + # services.udiskie = { + # enable = true; + # automount = true; + # notify = false; + # tray = "never"; + # }; - # # Automount services for user - # programs.bashmount.enable = true; - # services.udiskie = { - # enable = true; - # automount = true; - # notify = false; - # tray = "never"; - # }; - - # Enable home-manager and git - programs.home-manager.enable = true; - programs.git = { - enable = true; - userEmail = "git@lillianviolet.dev"; - userName = "Lillian-Violet"; + # Enable home-manager and git + home-manager.enable = true; + git = { + enable = true; + userEmail = "git@lillianviolet.dev"; + userName = "Lillian-Violet"; + }; }; # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion diff --git a/home-manager/shared/default.nix b/home-manager/shared/default.nix index 167672d..1d6907e 100644 
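Review bot: The `gpg.settings` block carried into the new `programs` attrset combines `auto-key-retrieve = true` and `auto-key-import = true`, which make gpg fetch from the keyserver and import keys unattended while verifying signatures (gpg(1) warns that `auto-key-retrieve` enables web-bug-like tracking of which signatures you check), with `keyserver-options = "honor-keyserver-url"`, which lets a key dictate the server `--refresh-keys` contacts. `auto-key-locate = "local,wkd,keyserver"` already covers key discovery on demand, so I would at least drop `honor-keyserver-url`, and if the automatic retrieval is wanted, record it: `# NOTE: auto-key-retrieve/auto-key-import contact keys.openpgp.org and import keys during verification without prompting — deliberate.` The restructuring also left `# vscode = {` and its extension list commented inside `programs = {`, which is fine since those paths are relative to `programs`. The enclosing module body starts and ends outside the hunk.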
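Review bot: The commented-out automount block was moved inside the new `programs = { ... };` attrset, but it still spells full paths (`programs.bashmount.enable`, `services.udiskie.*`), so uncommenting it in place would yield `programs.programs.bashmount` and `programs.services.udiskie`, which home-manager rejects as unknown options. Either move the comment back to module level or rewrite it for its new scope: `# bashmount.enable = true;` here, and the `udiskie` lines under a separate `services = { ... };` block. The enclosing module body starts and ends outside the hunk.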
--- a/home-manager/shared/default.nix
+++ b/home-manager/shared/default.nix
@@ -32,11 +32,13 @@ navi nil ];
- programs.navi.enable = true;
- programs.yazi = {
- enable = true;
- package = pkgs.yazi.override {
- _7zz = pkgs._7zz.override {useUasm = true;};
+ programs = {
+ navi.enable = true;
+ yazi = {
+ enable = true;
+ package = pkgs.yazi.override {
+ _7zz = pkgs._7zz.override {useUasm = true;};
+ };
 }; }; stylix.enable = true;
diff --git a/home-manager/shared/shell/zellij/default.nix b/home-manager/shared/shell/zellij/default.nix
index 5ad5e0e..d8bebaf 100644
--- a/home-manager/shared/shell/zellij/default.nix
+++ b/home-manager/shared/shell/zellij/default.nix
@@ -206,14 +206,12 @@ in { }; }; };
- home.file = {
 "layout" = { source = "${layout}"; target = ".config/zellij/layouts/default.kdl"; };
- };
- home.file = {
+ "helix_zellij" = {
 source = "${helix_zellij}"; target = ".config/zellij/layouts/helix.kdl";
diff --git a/home-manager/shared/shell/zsh.nix b/home-manager/shared/shell/zsh.nix
index 3c814c1..c6cd56c 100644
--- a/home-manager/shared/shell/zsh.nix
+++ b/home-manager/shared/shell/zsh.nix
@@ -1,70 +1,71 @@ {pkgs, ...}: { - programs.zoxide = { - enable = true; - }; - - programs.zsh = { - enable = true; - shellAliases = { - cd = "z"; - code = "codium ./"; - ls = "eza"; - lh = "ls -lah"; - cat = "bat"; - tree = "tre"; - neofetch = "hyfetch"; - shutdown = "shutdown 0"; - reboot = "reboot 0"; - }; - plugins = [ - { - name = "zsh-nix-shell"; - file = "nix-shell.plugin.zsh"; - src = pkgs.fetchFromGitHub { - owner = "chisui"; - repo = "zsh-nix-shell"; - rev = "v0.8.0"; - sha256 = "sha256-Z6EYQdasvpl1P78poj9efnnLj7QQg13Me8x1Ryyw+dM="; - }; - } - { - name = "terraform"; - src = pkgs.fetchFromGitHub { - owner = "macunha1"; - repo = "zsh-terraform"; - rev = "fd1471d3757f8ed13f56c4426f88616111de2a87"; - sha256 = "0z6i9wjjklb4lvr7zjhbphibsyx51psv50gm07mbb0kj9058j6kc"; - }; - } - ]; - autosuggestion.enable = true; - enableCompletion = true; - historySubstringSearch.enable = true; - syntaxHighlighting.enable = true; - #zsh-abbr.enable = true; - oh-my-zsh = { + programs = { + zoxide = { enable = true; - plugins = [ - "git" - "colored-man-pages" - "colorize" - "dirhistory" - "dirpersist" - "history" - "history-substring-search" - "fancy-ctrl-z" - "git-flow" - "isodate" - "z" - "zsh-interactive-cd" - "zsh-navigation-tools" - ]; }; - # Extra commands that take more complex forms - initExtra = '' - eval "$(zoxide init --cmd cd zsh)" - tre() { command tre "$@" -e && source "/tmp/tre_aliases_$USER" 2>/dev/null; } - zhx() { command zellij action new-tab --layout $HOME/.config/zellij/layouts/helix.kdl; } - ''; + zsh = { + enable = true; + shellAliases = { + cd = "z"; + code = "codium ./"; + ls = "eza"; + lh = "ls -lah"; + cat = "bat"; + tree = "tre"; + neofetch = "hyfetch"; + shutdown = "shutdown 0"; + reboot = "reboot 0"; + }; + plugins = [ + { + name = "zsh-nix-shell"; + file = "nix-shell.plugin.zsh"; + src = pkgs.fetchFromGitHub { + owner = "chisui"; + repo = "zsh-nix-shell"; + rev = "v0.8.0"; + sha256 = "sha256-Z6EYQdasvpl1P78poj9efnnLj7QQg13Me8x1Ryyw+dM="; + }; + } + { 
+ name = "terraform"; + src = pkgs.fetchFromGitHub { + owner = "macunha1"; + repo = "zsh-terraform"; + rev = "fd1471d3757f8ed13f56c4426f88616111de2a87"; + sha256 = "0z6i9wjjklb4lvr7zjhbphibsyx51psv50gm07mbb0kj9058j6kc"; + }; + } + ]; + autosuggestion.enable = true; + enableCompletion = true; + historySubstringSearch.enable = true; + syntaxHighlighting.enable = true; + #zsh-abbr.enable = true; + oh-my-zsh = { + enable = true; + plugins = [ + "git" + "colored-man-pages" + "colorize" + "dirhistory" + "dirpersist" + "history" + "history-substring-search" + "fancy-ctrl-z" + "git-flow" + "isodate" + "z" + "zsh-interactive-cd" + "zsh-navigation-tools" + ]; + }; + # Extra commands that take more complex forms + initExtra = '' + eval "$(zoxide init --cmd cd zsh)" + tre() { command tre "$@" -e && source "/tmp/tre_aliases_$USER" 2>/dev/null; } + zhx() { command zellij action new-tab --layout $HOME/.config/zellij/layouts/helix.kdl; } + ''; + }; }; } diff --git a/nixos/desktop/default.nix b/nixos/desktop/default.nix index db37969..c1f3e12 100644 --- a/nixos/desktop/default.nix +++ b/nixos/desktop/default.nix @@ -29,11 +29,6 @@ }; }; - # Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently - programs.command-not-found.enable = lib.mkForce false; - programs.nix-index.enable = true; - programs.nix-index-database.comma.enable = true; - environment.systemPackages = (with pkgs; [ # Custom tools 
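Review bot: The `tre` wrapper in `initExtra` does `source "/tmp/tre_aliases_$USER"`, a predictable name in a world-writable directory; on any host with a second local account the usual fixed-/tmp-name problems apply (pre-created or swapped file between tre's write and the `source`), and how far the sticky bit and `fs.protected_regular` mitigate that depends on how tre opens the file, which is not visible here. If tre lets you choose the alias file location, point it at `$XDG_RUNTIME_DIR` (per-user, mode 0700); otherwise record the exposure with `# NOTE: sources a file from /tmp; assumes single-user hosts` so it is a conscious choice. The two plugins fetched with `fetchFromGitHub` are pinned by `sha256`, so the mutable `v0.8.0` tag is not a supply-chain concern. The enclosing module body starts and ends outside the hunk.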
@@ -98,113 +93,125 @@ # list of latest packages from nixpkgs master # Can be used to install latest version of some packages ]); + programs = { + # Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently + command-not-found.enable = lib.mkForce false; + nix-index.enable = true; + nix-index-database.comma.enable = true; - programs.direnv = { - enable = true; + direnv = { + enable = true; + }; + + steam = { + enable = true; + remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play + dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server + extest.enable = true; + }; + kdeconnect.enable = true; + + noisetorch = { + enable = true; + }; }; # Enable networking - networking.networkmanager.enable = true; - - programs.steam = { - enable = true; - remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play - dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server - extest.enable = true; - }; - hardware.graphics.enable32Bit = true; # Enables support for 32bit libs that steam uses + networking.networkmanager.enable = true; # Enables support for 32bit libs that steam uses # Set your time zone. time.timeZone = "Europe/Amsterdam"; + services = { + # Enable the X11 windowing system. + xserver.enable = true; - # Enable the X11 windowing system. - services.xserver.enable = true; + # Enable the KDE Plasma Desktop Environment. + displayManager.sddm = { + enable = true; + wayland.enable = true; + }; + displayManager.defaultSession = "plasma"; + desktopManager.plasma6.enable = true; - # Enable the KDE Plasma Desktop Environment. 
- services.displayManager.sddm = { - enable = true; - wayland.enable = true; + # Enable flatpak support + flatpak.enable = true; + packagekit.enable = true; + + # Configure keymap in X11 + xserver.xkb = { + layout = "us"; + variant = ""; + options = "terminate:ctrl_alt_bksp,compose:caps_toggle"; + }; + + # Enable CUPS to print documents. + printing.enable = true; + + # Enable fwupd daemon and user space client + fwupd.enable = true; + pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + wireplumber.enable = true; + }; + + avahi = { + nssmdns4 = true; + enable = true; + ipv4 = true; + ipv6 = true; + publish = { + enable = true; + addresses = true; + workstation = true; + }; + }; }; - services.displayManager.defaultSession = "plasma"; - services.desktopManager.plasma6.enable = true; - programs.kdeconnect.enable = true; + hardware = { + graphics.enable32Bit = true; - # Enable flatpak support - services.flatpak.enable = true; - services.packagekit.enable = true; + # Enable bluetooth hardware + bluetooth.enable = true; - # Configure keymap in X11 - services.xserver.xkb = { - layout = "us"; - variant = ""; - options = "terminate:ctrl_alt_bksp,compose:caps_toggle"; + # Enable sound with pipewire. + pulseaudio.enable = false; }; - - # Enable CUPS to print documents. - services.printing.enable = true; - - # Enable bluetooth hardware - hardware.bluetooth.enable = true; - - # Enable fwupd daemon and user space client - services.fwupd.enable = true; - - # Enable sound with pipewire. 
- hardware.pulseaudio.enable = false; security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - jack.enable = true; - wireplumber.enable = true; - }; - - programs.noisetorch = { - enable = true; - }; virtualisation.podman = { enable = true; dockerCompat = true; }; - - services.avahi = { - nssmdns4 = true; + security.tpm2 = { enable = true; - ipv4 = true; - ipv6 = true; - publish = { - enable = true; - addresses = true; - workstation = true; - }; + pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so + tctiEnvironment.enable = true; + }; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables + users.users.lillian.extraGroups = ["tss"]; + boot = { + # tss group has access to TPM devices + # FIXME: re-enable virtual camera loopback when it build again. + bootspec.enable = true; + #boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + #boot.supportedFilesystems = ["bcachefs"]; + extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out]; + kernelModules = [ + # Virtual Camera + "v4l2loopback" + # Virtual Microphone, built-in + "snd-aloop" + ]; + # Set initial kernel module settings + extraModprobeConfig = '' + # exclusive_caps: Skype, Zoom, Teams etc. 
will only show device when actually streaming + # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams + # https://github.com/umlaeute/v4l2loopback + options v4l2loopback exclusive_caps=1 card_label="Virtual Camera" + ''; + loader.systemd-boot.configurationLimit = 3; + loader.efi.canTouchEfiVariables = true; }; - - security.tpm2.enable = true; - security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so - security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables - users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices - - # FIXME: re-enable virtual camera loopback when it build again. - boot.bootspec.enable = true; - #boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - #boot.supportedFilesystems = ["bcachefs"]; - boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out]; - boot.kernelModules = [ - # Virtual Camera - "v4l2loopback" - # Virtual Microphone, built-in - "snd-aloop" - ]; - # Set initial kernel module settings - boot.extraModprobeConfig = '' - # exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming - # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams - # https://github.com/umlaeute/v4l2loopback - options v4l2loopback exclusive_caps=1 card_label="Virtual Camera" - ''; - boot.loader.systemd-boot.configurationLimit = 3; - boot.loader.efi.canTouchEfiVariables = true; } diff --git a/nixos/hosts/EDI/configuration.nix b/nixos/hosts/EDI/configuration.nix index af72205..cf83571 100644 --- a/nixos/hosts/EDI/configuration.nix +++ b/nixos/hosts/EDI/configuration.nix 
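Review bot: `steam.remotePlay.openFirewall = true` and `steam.dedicatedServer.openFirewall = true` sit in the shared desktop module, so every host that imports it (presumably EDI, GLaDOS and shodan; the imports are not in this hunk) opens Steam's Remote Play and Source dedicated-server ports regardless of whether it ever hosts a session, and EDI is an XPS 13 that will roam onto untrusted networks. Make those opt-in per host instead, e.g. `steam.dedicatedServer.openFirewall = lib.mkDefault false;` here with an override on the machine that actually hosts. The restructuring also detached several comments: `# Enables support for 32bit libs that steam uses` now trails `networking.networkmanager.enable`, and `# tss group has access to TPM devices` plus the `# FIXME` about v4l2loopback landed under `boot = {` instead of beside `users.users.lillian.extraGroups = ["tss"]` and `extraModulePackages`, which matters because the tss membership is what gives the desktop user raw TPM access and deserves its justification kept next to it. The enclosing module body starts and ends outside the hunk.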
@@ -29,8 +29,12 @@ # Import your generated (nixos-generate-config) hardware configuration ./hardware-configuration.nix ];
+ sops = {
+ defaultSopsFile = ./secrets/sops.yaml;
- sops.defaultSopsFile = ./secrets/sops.yaml;
+ secrets."wg-private-key".mode = "0440";
+ secrets."wg-private-key".owner = config.users.users.root.name;
+ };
 home-manager = { extraSpecialArgs = {inherit inputs outputs;};
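Review bot: `secrets."wg-private-key".mode = "0440"` widens sops-nix's default of `0400` so that the `root` group can read the WireGuard private key, yet the only consumer visible in this file is wg-quick, which runs as root; unless something in group root needs it, `secrets."wg-private-key".mode = "0400";` is the least-privilege setting and costs nothing. `owner = config.users.users.root.name` is also the sops-nix default and can be dropped, or kept with a comment if the explicitness is wanted. The enclosing module body starts and ends outside the hunk.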
@@ -42,42 +46,41 @@ environment.systemPackages = with pkgs; [ ]; + networking = { + hostName = "EDI"; - networking.hostName = "EDI"; + wireguard.enable = true; - sops.secrets."wg-private-key".mode = "0440"; - sops.secrets."wg-private-key".owner = config.users.users.root.name; - - networking.wireguard.enable = true; - - networking.wg-quick.interfaces = { - wg0 = { - autostart = true; - address = ["10.0.0.3/24" "fdc9:281f:04d7:9ee9::3/64"]; - dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"]; - listenPort = 51821; - privateKeyFile = config.sops.secrets."wg-private-key".path; - peers = [ - { - publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg="; - endpoint = "84.87.146.85:51821"; - allowedIPs = ["0.0.0.0/0" "::/0"]; - persistentKeepalive = 25; - } - ]; + wg-quick.interfaces = { + wg0 = { + autostart = true; + address = ["10.0.0.3/24" "fdc9:281f:04d7:9ee9::3/64"]; + dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"]; + listenPort = 51821; + privateKeyFile = config.sops.secrets."wg-private-key".path; + peers = [ + { + publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg="; + endpoint = "84.87.146.85:51821"; + allowedIPs = ["0.0.0.0/0" "::/0"]; + persistentKeepalive = 25; + } + ]; + }; }; }; + boot = { + # Lanzaboote currently replaces the systemd-boot module. + # This setting is usually set to true in configuration.nix + # generated at installation time. So we force it to false + # for now. + loader.systemd-boot.enable = lib.mkForce false; + initrd.systemd.enable = true; - # Lanzaboote currently replaces the systemd-boot module. - # This setting is usually set to true in configuration.nix - # generated at installation time. So we force it to false - # for now. - boot.loader.systemd-boot.enable = lib.mkForce false; - boot.initrd.systemd.enable = true; - - boot.lanzaboote = { - enable = true; - pkiBundle = "/etc/secureboot"; + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; }; # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion 
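Review bot: `lanzaboote.pkiBundle = "/etc/secureboot"` keeps the Secure Boot signing keys on the disk they protect; they only add security if someone with the disk cannot read them, so that directory must live on an encrypted volume, and whether EDI's root is encrypted is not visible here (the disko layout is outside this diff). If it is, say so beside the option, `# /etc/secureboot holds the SB signing keys; must stay on the encrypted root`; if not, either the keys move or the root gets encrypted. The wg-quick interface is only re-indented by this hunk, and the enclosing module body starts and ends outside it.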
diff --git a/nixos/hosts/GLaDOS/configuration.nix b/nixos/hosts/GLaDOS/configuration.nix index 31b6431..bcf54e1 100644 --- a/nixos/hosts/GLaDOS/configuration.nix +++ b/nixos/hosts/GLaDOS/configuration.nix @@ -28,26 +28,36 @@ # Import your generated (nixos-generate-config) hardware configuration ./hardware-configuration.nix ]; + sops = { + defaultSopsFile = ./secrets/sops.yaml; - sops.defaultSopsFile = ./secrets/sops.yaml; + secrets."wg-private-key".mode = "0440"; + secrets."wg-private-key".owner = config.users.users.root.name; + + secrets."ssh-private-key" = { + mode = "0600"; + owner = config.users.users.lillian.name; + path = "/home/lillian/.ssh/id_ed25519"; + }; + }; environment.systemPackages = with pkgs; [ ]; services.xserver.videoDrivers = ["amdgpu"]; - - # Add vulkan support to GPU - hardware.graphics.extraPackages = with pkgs; [ - amdvlk - ]; - # For 32 bit applications - hardware.graphics.extraPackages32 = with pkgs; [ - driversi686Linux.amdvlk - ]; - - programs.gamemode = { - enable = true; - settings = { + hardware = { + # Add vulkan support to GPU + graphics.extraPackages = with pkgs; [ + amdvlk + ]; + # For 32 bit applications + graphics.extraPackages32 = with pkgs; [ + driversi686Linux.amdvlk + ]; + }; + programs = { + gamemode.enable = true; + gamemode.settings = { general = { renice = 10; }; @@ -65,9 +75,10 @@ }; }; }; - - boot.loader.systemd-boot.enable = true; - boot.binfmt.emulatedSystems = ["aarch64-linux"]; + boot = { + loader.systemd-boot.enable = true; + binfmt.emulatedSystems = ["aarch64-linux"]; + }; # boot.lanzaboote = { # enable = true; 
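Review bot: `secrets."ssh-private-key".path = "/home/lillian/.ssh/id_ed25519"` hard-codes the home directory while `owner` is taken from `config.users.users.lillian`; derive the path the same way, `path = "${config.users.users.lillian.home}/.ssh/id_ed25519";`, so a changed home directory cannot leave a stale copy of the key behind. As far as I know sops-nix realises a custom `path` as a symlink into its secrets mount and OpenSSH checks the permissions of the target, so `mode = "0600"` is the right setting here. `wg-private-key` is again `0440` where `0400` would do, since only root's wg-quick reads it. The enclosing module body starts and ends outside the hunk.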
@@ -83,36 +94,28 @@ lillian = import ../../../home-manager/hosts/GLaDOS; }; }; + networking = { + # virtualisation.waydroid.enable = false; + hostName = "GLaDOS"; - # virtualisation.waydroid.enable = false; - networking.hostName = "GLaDOS"; + wireguard.enable = true; - sops.secrets."wg-private-key".mode = "0440"; - sops.secrets."wg-private-key".owner = config.users.users.root.name; - - sops.secrets."ssh-private-key" = { - mode = "0600"; - owner = config.users.users.lillian.name; - path = "/home/lillian/.ssh/id_ed25519"; - }; - - networking.wireguard.enable = true; - - networking.wg-quick.interfaces = { - wg0 = { - autostart = true; - address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"]; - dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"]; - listenPort = 51821; - privateKeyFile = config.sops.secrets."wg-private-key".path; - peers = [ - { - publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg="; - endpoint = "84.87.146.85:51821"; - allowedIPs = ["0.0.0.0/0" "::/0"]; - persistentKeepalive = 25; - } - ]; + wg-quick.interfaces = { + wg0 = { + autostart = true; + address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"]; + dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"]; + listenPort = 51821; + privateKeyFile = config.sops.secrets."wg-private-key".path; + peers = [ + { + publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg="; + endpoint = "84.87.146.85:51821"; + allowedIPs = ["0.0.0.0/0" "::/0"]; + persistentKeepalive = 25; + } + ]; + }; }; }; diff --git a/nixos/hosts/queen/configuration.nix b/nixos/hosts/queen/configuration.nix index 8ba1916..93500ba 100644 --- a/nixos/hosts/queen/configuration.nix +++ b/nixos/hosts/queen/configuration.nix 
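Review bot: `# virtualisation.waydroid.enable = false;` was pulled into the new `networking = { ... };` block, where uncommenting it would produce `networking.virtualisation.waydroid`, an option that does not exist; move the comment back to module level or delete it. The rest of the hunk only re-indents the wg-quick interface. The enclosing module body starts and ends outside the hunk.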
@@ -26,16 +26,17 @@ # Import disko # ../../../disko/queen ];
-
- boot.tmp.cleanOnBoot = true;
 zramSwap.enable = false;
- networking.domain = "";
- services.openssh = {
- enable = true;
- # require public key authentication for better security
- settings.PasswordAuthentication = false;
- settings.KbdInteractiveAuthentication = false;
- settings.PermitRootLogin = "no";
+ services = {
+ openssh = {
+ enable = true;
+ settings = {
+ # require public key authentication for better security
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
 }; nixpkgs = {
@@ -88,58 +89,63 @@ sqlite rocksdb ]; + networking = { + domain = ""; - # Create an auto-update systemd service that runs every day - # system.autoUpgrade = { - # flake = "git+https://git.lillianviolet.dev/Lillian-Violet/NixOS-Config.git"; - # dates = "daily"; - # enable = true; - # }; + # Create an auto-update systemd service that runs every day + # system.autoUpgrade = { + # flake = "git+https://git.lillianviolet.dev/Lillian-Violet/NixOS-Config.git"; + # dates = "daily"; + # enable = true; + # }; - # systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug"; - # Enable networking - # networking.networkmanager.enable = true; - # networking.nat.enable = true; - # networking.nat.internalInterfaces = ["ve-+"]; - # networking.nat.externalInterface = "ens18"; - networking.enableIPv6 = lib.mkForce true; - networking.nameservers = ["2a02:c207::1:53" "2a02:c207::2:53"]; + # systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug"; + # Enable networking + # networking.networkmanager.enable = true; + # networking.nat.enable = true; + # networking.nat.internalInterfaces = ["ve-+"]; + # networking.nat.externalInterface = "ens18"; + enableIPv6 = lib.mkForce true; + nameservers = ["2a02:c207::1:53" "2a02:c207::2:53"]; - # networking.interfaces.ens18.ipv4.addresses = [ - # { - # address = "62.171.160.195"; - # prefixLength = 32; - # } - # ]; + # networking.interfaces.ens18.ipv4.addresses = [ + # { + # address = "62.171.160.195"; + # prefixLength = 32; + # } + # ]; - networking.interfaces.ens18.ipv6.addresses = [ - { - address = "2a02:c207:2063:2448::1"; - prefixLength = 64; - } - ]; - networking.defaultGateway6 = { - address = "fe80::1"; - interface = "ens18"; - }; - - # Open ports in the firewall. 
- networking.firewall = { - enable = true; - allowPing = false; - allowedTCPPorts = [ - 22 # SSH - 5349 # STUN tls - 5350 # STUN tls alt - 80 # http - 443 # https - ]; - allowedUDPPortRanges = [ + interfaces.ens18.ipv6.addresses = [ { - from = 49152; - to = 49999; - } # TURN relay + address = "2a02:c207:2063:2448::1"; + prefixLength = 64; + } ]; + defaultGateway6 = { + address = "fe80::1"; + interface = "ens18"; + }; + firewall = { + # Open ports in the firewall. + + enable = true; + allowPing = false; + allowedTCPPorts = [ + 22 # SSH + 5349 # STUN tls + 5350 # STUN tls alt + 80 # http + 443 # https + ]; + allowedUDPPortRanges = [ + { + from = 49152; + to = 49999; + } # TURN relay + ]; + }; + + hostName = "queen"; }; # networking.useNetworkd = true; @@ -179,12 +185,14 @@ lillian = import ../../../home-manager/hosts/queen; }; }; - - networking.hostName = "queen"; - - boot.loader.grub.enable = true; - boot.loader.grub.configurationLimit = 3; - boot.loader.efi.canTouchEfiVariables = true; + boot = { + tmp.cleanOnBoot = true; + loader.grub = { + enable = true; + configurationLimit = 3; + }; + loader.efi.canTouchEfiVariables = true; + }; # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion system.stateVersion = "24.11"; diff --git a/nixos/hosts/shodan/configuration.nix b/nixos/hosts/shodan/configuration.nix index 1f0aadc..00abfb6 100644 --- a/nixos/hosts/shodan/configuration.nix +++ b/nixos/hosts/shodan/configuration.nix 
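Review bot: The formatter left `# Open ports in the firewall.` followed by a blank line as the first thing inside `firewall = {`, so the comment now heads nothing; attach it to `allowedTCPPorts` or drop the blank line. `22 # SSH` duplicates `services.openssh.openFirewall`, which defaults to true, so it is harmless but redundant, and the `49152-49999/udp` range says only `# TURN relay` without naming the service that must agree with it; something like `# TURN relay range, keep in sync with the coturn min-port/max-port` would help, hedged since that config is not in this hunk. `hostName = "queen"` landing after the firewall block is also unconventional; it normally leads the `networking` attrset. The enclosing module body starts and ends outside the hunk.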
@@ -27,11 +27,117 @@ ./auto-mount.nix ]; + boot = { + tmp.cleanOnBoot = true; + loader = { + # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables + # tss group has access to TPM devices - boot.tmp.cleanOnBoot = true; + # Lanzaboote currently replaces the systemd-boot module. + # This setting is usually set to true in configuration.nix + # generated at installation time. So we force it to false + # for now. + systemd-boot.enable = lib.mkForce false; + systemd-boot.configurationLimit = 3; + timeout = 0; + efi.canTouchEfiVariables = true; + }; + initrd.systemd.enable = true; + + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + consoleLogLevel = 0; + kernelParams = ["quiet" "udev.log_priority=0" "fbcon=vc:2-6" "console=tty0"]; + plymouth.enable = true; + }; zramSwap.enable = false; - networking.domain = ""; - services.openssh.enable = true; + networking = { + domain = ""; + + # Enable networking + networkmanager.enable = true; + + firewall.enable = true; + + firewall.allowedTCPPorts = [22]; + + hostName = "shodan"; + + wireguard.enable = true; + + wg-quick.interfaces = { + wg0 = { + autostart = true; + address = ["10.0.0.4/24" "fdc9:281f:04d7:9ee9::4/64"]; + dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"]; + listenPort = 51821; + privateKeyFile = config.sops.secrets."wg-private-key".path; + peers = [ + { + publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg="; + endpoint = "84.87.146.85:51821"; + allowedIPs = ["0.0.0.0/0" "::/0"]; + persistentKeepalive = 25; + } + ]; + }; + }; + }; + services = { + openssh.enable = true; # Enables support for 32bit libs that steam uses + + # Enable the X11 windowing system. + xserver.enable = true; + + # Enable the KDE Plasma Desktop Environment. 
+ desktopManager.plasma6.enable = true; + + avahi = { + nssmdns4 = true; + enable = true; + ipv4 = true; + ipv6 = true; + publish = { + enable = true; + addresses = true; + workstation = true; + }; + }; + displayManager = { + defaultSession = "plasma"; + sddm.wayland.enable = lib.mkForce true; + sddm.settings = { + Autologin = { + Session = "plasma.desktop"; + User = "lillian"; + }; + }; + }; + + # Enable flatpak support + flatpak.enable = true; + packagekit.enable = true; + + # Configure keymap in X11 + xserver = { + xkb.layout = "us"; + xkb.variant = ""; + }; + + # Enable CUPS to print documents. + printing.enable = true; + + # Enable fwupd daemon and user space client + fwupd.enable = true; + pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + }; + }; nixpkgs = { # You can add overlays here @@ -43,9 +149,13 @@ allowUnfree = true; }; }; + sops = { + #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys + defaultSopsFile = ./secrets/sops.yaml; - #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys - sops.defaultSopsFile = ./secrets/sops.yaml; + secrets."wg-private-key".mode = "0440"; + secrets."wg-private-key".owner = config.users.users.root.name; + }; environment.systemPackages = with pkgs; [ # Custom tools 
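Review bot: Two comments landed in the wrong place during the reshuffle: `openssh.enable = true; # Enables support for 32bit libs that steam uses` (that note belongs on `hardware.graphics.enable32Bit`) and the TPM notes `# TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables` / `# tss group has access to TPM devices` now sit under `boot.loader` instead of `security.tpm2.tctiEnvironment`; move or drop them. The same `openssh.enable = true;` brings sshd up on this laptop with module defaults, while wheatley disables password and keyboard-interactive auth and root login — consider the same `services.openssh.settings` here unless a shared module already sets them. The SDDM `Autologin` for `lillian` combined with `loader.timeout = 0` means anyone with physical access reaches the desktop without a credential unless the root volume is unlocked in initrd, which this hunk does not show; a comment stating that assumption next to the `Autologin` block, e.g. `# Autologin relies on the disk being LUKS-encrypted and unlocked at boot — TODO confirm`, would make the trade-off explicit.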
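Review bot: `secrets."wg-private-key".mode = "0440"` grants group read on a key that only wg-quick (running as root) consumes; nothing in this hunk needs the group bit, so `secrets."wg-private-key".mode = "0400";` is the minimal grant. The comment above `defaultSopsFile` promises to "set the mode for the unencrypted keys" but gives no rationale for the chosen mode, so a short why-comment on the `mode` line would help.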
@@ -109,60 +219,24 @@ enableGyroDsuService = true; }; }; - - programs.steam = lib.mkForce { - enable = true; - remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play - dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server - extest.enable = true; - }; - hardware.graphics.enable32Bit = true; # Enables support for 32bit libs that steam uses - - # Enable the X11 windowing system. - services.xserver.enable = true; - - # Enable the KDE Plasma Desktop Environment. - services.desktopManager.plasma6.enable = true; - programs.kdeconnect.enable = true; - - services.avahi = { - nssmdns4 = true; - enable = true; - ipv4 = true; - ipv6 = true; - publish = { + programs = { + steam = lib.mkForce { + enable = true; + remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play + dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server + extest.enable = true; + }; + kdeconnect.enable = true; + + noisetorch = { + enable = true; + }; + + git = { enable = true; - addresses = true; - workstation = true; }; }; - services.displayManager.defaultSession = "plasma"; - services.displayManager.sddm.wayland.enable = lib.mkForce true; - services.displayManager.sddm.settings = { - Autologin = { - Session = "plasma.desktop"; - User = "lillian"; - }; - }; - - # Enable flatpak support - services.flatpak.enable = true; - services.packagekit.enable = true; - - # Configure keymap in X11 - services.xserver = { - xkb.layout = "us"; - xkb.variant = ""; - }; - - # Enable networking - networking.networkmanager.enable = true; - - networking.firewall.enable = true; - - networking.firewall.allowedTCPPorts = [22]; - # # Enable automounting of removable media # services.udisks2.enable = true; # services.devmon.enable = true; 
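Review bot: `dedicatedServer.openFirewall = true` opens the Source dedicated-server ports on shodan, whose firewall otherwise admits only TCP 22; unless this laptop actually hosts a game server, set `dedicatedServer.openFirewall = false;` and keep only `remotePlay.openFirewall`. The `lib.mkForce` wrapping the whole `steam` attrset is, as far as I recall, pushed down to every leaf, so no other module can adjust any `programs.steam` option — a comment naming the module it is meant to override, e.g. `# mkForce: wins over the steam settings in <module> — TODO name it`, would document the intent.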
@@ -171,32 +245,14 @@ # Set your time zone. time.timeZone = "Europe/Amsterdam"; + hardware = { + graphics.enable32Bit = true; - # Enable CUPS to print documents. - services.printing.enable = true; + # Enable bluetooth hardware + bluetooth.enable = true; - # Enable bluetooth hardware - hardware.bluetooth.enable = true; - - # Enable fwupd daemon and user space client - services.fwupd.enable = true; - - # Enable sound with pipewire. - hardware.pulseaudio.enable = false; - security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - }; - - programs.noisetorch = { - enable = true; - }; - - programs.git = { - enable = true; + # Enable sound with pipewire. + pulseaudio.enable = false; }; users.users.lillian.extraGroups = ["decky" "tss" "input"]; 
@@ -211,55 +267,15 @@ lillian = import ../../../home-manager/hosts/shodan; }; }; - - networking.hostName = "shodan"; - - sops.secrets."wg-private-key".mode = "0440"; - sops.secrets."wg-private-key".owner = config.users.users.root.name; - - networking.wireguard.enable = true; - - networking.wg-quick.interfaces = { - wg0 = { - autostart = true; - address = ["10.0.0.4/24" "fdc9:281f:04d7:9ee9::4/64"]; - dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"]; - listenPort = 51821; - privateKeyFile = config.sops.secrets."wg-private-key".path; - peers = [ - { - publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg="; - endpoint = "84.87.146.85:51821"; - allowedIPs = ["0.0.0.0/0" "::/0"]; - persistentKeepalive = 25; - } - ]; + security = { + rtkit.enable = true; + tpm2 = { + enable = true; + pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so + tctiEnvironment.enable = true; }; }; - security.tpm2.enable = true; - security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so - security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables - # tss group has access to TPM devices - - # Lanzaboote currently replaces the systemd-boot module. - # This setting is usually set to true in configuration.nix - # generated at installation time. So we force it to false - # for now. - boot.loader.systemd-boot.enable = lib.mkForce false; - boot.initrd.systemd.enable = true; - - boot.lanzaboote = { - enable = true; - pkiBundle = "/etc/secureboot"; - }; - boot.loader.systemd-boot.configurationLimit = 3; - boot.loader.timeout = 0; - boot.loader.efi.canTouchEfiVariables = true; - boot.consoleLogLevel = 0; - boot.kernelParams = ["quiet" "udev.log_priority=0" "fbcon=vc:2-6" "console=tty0"]; - boot.plymouth.enable = true; - # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion system.stateVersion = "24.11"; } 
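Review bot: The explanatory comments that sat on `security.tpm2.tctiEnvironment.enable` in the removed lines (`# TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables`, `# tss group has access to TPM devices`) were dropped here, so the reason `lillian` is in the `tss` group (visible as context in the hardware hunk) is no longer documented next to the option that exposes the TPM; restore them as `tctiEnvironment.enable = true; # exports TPM2TOOLS_TCTI/TPM2_PKCS11_TCTI; members of tss get the TPM devices`. The `security = {` block is entirely within this hunk, so the comment can be placed without touching surrounding code.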
diff --git a/nixos/hosts/wheatley/configuration.nix b/nixos/hosts/wheatley/configuration.nix
index ae477f8..14c43c7 100644
--- a/nixos/hosts/wheatley/configuration.nix
+++ b/nixos/hosts/wheatley/configuration.nix
@@ -23,20 +23,139 @@ super.makeModulesClosure (x // {allowMissing = true;}); }) ]; + programs = { + # Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently + command-not-found.enable = lib.mkForce false; + nix-index.enable = true; + nix-index-database.comma.enable = true; + }; + services = { + automatic-timezoned.enable = true; - # Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently - programs.command-not-found.enable = lib.mkForce false; - programs.nix-index.enable = true; - programs.nix-index-database.comma.enable = true; + # stubby = { + # enable = true; + # settings = + # pkgs.stubby.passthru.settingsExample + # // { + # upstream_recursive_servers = [ + # { + # address_data = "94.140.14.49"; + # tls_auth_name = "4b921896.d.adguard-dns.com"; + # tls_pubkey_pinset = [ + # { + # digest = "sha256"; + # value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U="; + # } + # ]; + # } + # { + # address_data = "94.140.14.59"; + # tls_auth_name = "4b921896.d.adguard-dns.com"; + # tls_pubkey_pinset = [ + # { + # digest = "sha256"; + # value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U="; + # } + # ]; + # } + # { + # address_data = "2a10:50c0:0:0:0:0:ded:ff"; + # tls_auth_name = "4b921896.d.adguard-dns.com"; + # tls_pubkey_pinset = [ + # { + # digest = "sha256"; + # value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U="; + # } + # ]; + # } + # { + # address_data = "2a10:50c0:0:0:0:0:dad:ff"; + # tls_auth_name = "4b921896.d.adguard-dns.com"; + # tls_pubkey_pinset = [ + # { + # digest = "sha256"; + # value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U="; + # } + # ]; + # } + # ]; + # }; + # }; - services.automatic-timezoned.enable = true; + openssh = { + enable = true; + # require public key authentication for better security + settings.PasswordAuthentication = false; + settings.KbdInteractiveAuthentication = false; + 
settings.PermitRootLogin = "no"; + }; - #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys - sops.defaultSopsFile = ./secrets/sops.yaml; + davfs2.enable = true; - boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + aria2 = { + enable = true; + settings = { + dir = "/var/lib/media"; + rpc-listen-port = 6969; + }; + rpcSecretFile = config.sops.secrets."rpcSecret".path; + }; - boot.initrd.kernelModules = ["vc4" "bcm2835_dma" "i2c_bcm2835" "cma=256M" "console=tty0"]; + dnsmasq = { + enable = true; + settings = { + interface = "wg1"; + }; + }; + }; + sops = { + #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys + defaultSopsFile = ./secrets/sops.yaml; + + # users.users = { + # ombi.extraGroups = ["radarr" "sonarr" "aria2"]; + # }; + # services.ombi = { + # enable = true; + # port = 2368; + # }; + + # users.users = { + # radarr.extraGroups = ["aria2"]; + # sonarr.extraGroups = ["aria2"]; + # }; + + # services = { + # #uses port 7878 + # radarr.enable = true; + # #uses port 8989 + # sonarr.enable = true; + # prowlarr.enable = true; + # }; + + secrets."webdav-secret" = { + mode = "0600"; + path = "/etc/davfs2/secrets"; + }; + + secrets."rpcSecret".mode = "0440"; + secrets."rpcSecret".owner = config.users.users.aria2.name; + + secrets."protonvpn-priv-key".mode = "0440"; + secrets."protonvpn-priv-key".owner = config.users.users.root.name; + secrets."wg-private-key".mode = "0440"; + secrets."wg-private-key".owner = config.users.users.root.name; + }; + boot = { + kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + + initrd.kernelModules = ["vc4" "bcm2835_dma" "i2c_bcm2835" "cma=256M" "console=tty0"]; + + kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + "net.ipv6.conf.all.forwarding" = 1; + }; + }; sdImage.compressImage = false; 
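Review bot: `dnsmasq.settings.interface = "wg1"` only filters which queries are answered; without a bind option dnsmasq still listens on 0.0.0.0:53 and [::]:53, so the resolver socket exists on end0 as well — add `bind-dynamic = true;` beside it so dnsmasq binds only the tunnel addresses and copes with wg1 appearing after it starts (this matters because the firewall hunk below opens 53 globally). The root-only keys `wg-private-key` and `protonvpn-priv-key` are set to `0440`; nothing visible needs group read, so `mode = "0400"` is the minimal grant. The `kernel.sysctl` forwarding entries duplicate what `networking.nat.enable` already configures for IPv4, as far as I recall, so either remove them or comment why both are kept.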
@@ -47,114 +166,146 @@ lillian = import ../../../home-manager/hosts/wheatley; }; }; + networking = { + hostName = "wheatley"; - networking.hostName = "wheatley"; + networkmanager.enable = true; - networking.networkmanager.enable = true; + # Disable NetworkManager's internal DNS resolution + networkmanager.dns = "none"; - # Disable NetworkManager's internal DNS resolution - networking.networkmanager.dns = "none"; + # These options are unnecessary when managing DNS ourselves + useDHCP = false; + dhcpcd.enable = false; - # These options are unnecessary when managing DNS ourselves - networking.useDHCP = false; - networking.dhcpcd.enable = false; + # Configure DNS servers manually (this example uses Cloudflare and Google DNS) + # IPv6 DNS servers can be used here as well. + nameservers = [ + # "127.0.0.1" + # "::1" + "94.140.14.49" + "94.140.14.59" + "2a10:50c0:0:0:0:0:ded:ff" + "2a10:50c0:0:0:0:0:ded:ff" + ]; - # Configure DNS servers manually (this example uses Cloudflare and Google DNS) - # IPv6 DNS servers can be used here as well. 
- networking.nameservers = [ - # "127.0.0.1" - # "::1" - "94.140.14.49" - "94.140.14.59" - "2a10:50c0:0:0:0:0:ded:ff" - "2a10:50c0:0:0:0:0:ded:ff" - ]; + wireguard.enable = true; - # services.stubby = { - # enable = true; - # settings = - # pkgs.stubby.passthru.settingsExample - # // { - # upstream_recursive_servers = [ - # { - # address_data = "94.140.14.49"; - # tls_auth_name = "4b921896.d.adguard-dns.com"; - # tls_pubkey_pinset = [ - # { - # digest = "sha256"; - # value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U="; - # } - # ]; - # } - # { - # address_data = "94.140.14.59"; - # tls_auth_name = "4b921896.d.adguard-dns.com"; - # tls_pubkey_pinset = [ - # { - # digest = "sha256"; - # value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U="; - # } - # ]; - # } - # { - # address_data = "2a10:50c0:0:0:0:0:ded:ff"; - # tls_auth_name = "4b921896.d.adguard-dns.com"; - # tls_pubkey_pinset = [ - # { - # digest = "sha256"; - # value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U="; - # } - # ]; - # } - # { - # address_data = "2a10:50c0:0:0:0:0:dad:ff"; - # tls_auth_name = "4b921896.d.adguard-dns.com"; - # tls_pubkey_pinset = [ - # { - # digest = "sha256"; - # value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U="; - # } - # ]; - # } - # ]; - # }; - # }; + wg-quick.interfaces = { + # # "wg0" is the network interface name. You can name the interface arbitrarily. + # wg0 = { + # autostart = true; + # # Determines the IP address and subnet of the server's end of the tunnel interface. + # address = ["10.2.0.2/32"]; - services.openssh = { - enable = true; - # require public key authentication for better security - settings.PasswordAuthentication = false; - settings.KbdInteractiveAuthentication = false; - settings.PermitRootLogin = "no"; + # # The port that WireGuard listens to. Must be accessible by the client. + # listenPort = 51820; + + # dns = ["10.2.0.1"]; + # # Path to the private key file. 
+ # # + # # Note: The private key can also be included inline via the privateKey option, + # # but this makes the private key world-readable; thus, using privateKeyFile is + # # recommended. + # privateKeyFile = config.sops.secrets."protonvpn-priv-key".path; + + # peers = [ + # # List of allowed peers. + # { + # # Feel free to give a meaning full name + # # Public key of the peer (not a file path). + # publicKey = "/i7jCNpcqVBUkY07gVlILN4nFdvZHmxvreAOgLGoZGg="; + # # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. + # allowedIPs = ["0.0.0.0/0"]; + # endpoint = "146.70.86.114:51820"; + # } + # ]; + # }; + + # wg public key for host: A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg= + wg1 = { + # Determines the IP address and subnet of the server's end of the tunnel interface. + address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"]; + + # The port that WireGuard listens to. Must be accessible by the client. + listenPort = 51821; + + # This allows the wireguard server to route your traffic to the internet and hence be like a VPN + postUp = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE + ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE + ''; + + # Undo the above + preDown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE + ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE + ''; + + privateKeyFile = config.sops.secrets."wg-private-key".path; + + peers = [ + { + #GLaDOS public key + publicKey = "yieF2yQptaE3jStoaGytUnN+HLxyVhFBZIUOGUNAV38="; + allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"]; 
+ } + { + #EDI public key + publicKey = "i4nDZbU+a2k5C20tFJRNPVE1vhYKJwhoqGHEdeC4704="; + allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"]; + } + { + #Shodan public key + publicKey = "Zah2nZDaHF8jpP5AtMA5bhE7t38fMB2UHzbXAc96/jw="; + allowedIPs = ["10.0.0.4/32" "fdc9:281f:04d7:9ee9::3/128"]; + } + { + #ADA public key + publicKey = "SHu7xxRVWuqp4U4uipMoITKrFPWZATGsJevUeqBSzWo="; + allowedIPs = ["10.0.0.5/32" "fdc9:281f:04d7:9ee9::3/128"]; + } + ]; + }; + }; + nat = { + # enable NAT + enable = true; + externalInterface = "end0"; + internalInterfaces = ["wg1"]; + }; + firewall = { + enable = true; + allowPing = false; + allowedTCPPorts = [ + 22 # SSH + 5349 # STUN tls + 5350 # STUN tls alt + 80 # http + 443 # https + 51821 # wg + 7878 + 53 # dnsmasq + ]; + allowedUDPPorts = [ + 53 #dnsmasq + ]; + allowedUDPPortRanges = [ + { + from = 51820; + to = 51822; # wg + } + { + from = 49152; + to = 49999; + } # TURN relay + ]; + }; }; - - # users.users = { - # ombi.extraGroups = ["radarr" "sonarr" "aria2"]; - # }; - # services.ombi = { - # enable = true; - # port = 2368; - # }; - - # users.users = { - # radarr.extraGroups = ["aria2"]; - # sonarr.extraGroups = ["aria2"]; - # }; - - # services = { - # #uses port 7878 - # radarr.enable = true; - # #uses port 8989 - # sonarr.enable = true; - # prowlarr.enable = true; - # }; - - sops.secrets."webdav-secret" = { - mode = "0600"; - path = "/etc/davfs2/secrets"; - }; - - services.davfs2.enable = true; systemd.mounts = [ { enable = true; 
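Review bot: The wg1 peer table assigns `fdc9:281f:04d7:9ee9::3/128` to EDI, Shodan and ADA alike, and WireGuard's cryptokey routing lets an allowed IP belong to only one peer, so Shodan (which configures `::4` in its own hunk) and ADA never receive IPv6 over the tunnel; the entries should be `"fdc9:281f:04d7:9ee9::4/128"` and `"fdc9:281f:04d7:9ee9::5/128"`. The `postUp`/`preDown` hooks match `-i wg0` and `-o eth0` while this interface is `wg1` and `nat.externalInterface` is `end0`, and `networking.nat` already installs the IPv4 forward/masquerade rules for `internalInterfaces = ["wg1"]`, so the hooks are dead for IPv4 and the IPv6 NAT is better expressed as `nat.enableIPv6 = true`. `nameservers` lists `2a10:50c0:0:0:0:0:ded:ff` twice where the commented stubby config shows `dad:ff` was intended. Opening TCP and UDP 53 in the global `allowedTCPPorts`/`allowedUDPPorts` turns dnsmasq into an open resolver on end0 — scope them under `firewall.interfaces.wg1` — and TCP 51821 is unnecessary (WireGuard is UDP-only) while 7878 has no live service behind it (radarr is commented out).
```nix
nameservers = [
  "94.140.14.49"
  "94.140.14.59"
  "2a10:50c0:0:0:0:0:ded:ff"
  "2a10:50c0:0:0:0:0:dad:ff"
];
# … unchanged: wireguard.enable, wg1 address / listenPort / privateKeyFile …
# postUp / preDown dropped: networking.nat (internalInterfaces = ["wg1"],
# externalInterface = "end0") installs the forward + masquerade rules.
peers = [
  # … unchanged: GLaDOS (::2) and EDI (::3) …
  {
    #Shodan public key
    publicKey = "Zah2nZDaHF8jpP5AtMA5bhE7t38fMB2UHzbXAc96/jw=";
    allowedIPs = ["10.0.0.4/32" "fdc9:281f:04d7:9ee9::4/128"];
  }
  {
    #ADA public key
    publicKey = "SHu7xxRVWuqp4U4uipMoITKrFPWZATGsJevUeqBSzWo=";
    allowedIPs = ["10.0.0.5/32" "fdc9:281f:04d7:9ee9::5/128"];
  }
];
nat = {
  enable = true;
  enableIPv6 = true; # replaces the hand-rolled ip6tables MASQUERADE
  externalInterface = "end0";
  internalInterfaces = ["wg1"];
};
firewall = {
  enable = true;
  allowPing = false;
  # Public-facing services only; DNS is tunnel-scoped below.
  allowedTCPPorts = [
    22 # SSH
    5349 # STUN tls
    5350 # STUN tls alt
    80 # http
    443 # https
  ];
  allowedUDPPortRanges = [
    {
      from = 51820;
      to = 51822; # wg
    }
    {
      from = 49152;
      to = 49999;
    } # TURN relay
  ];
  interfaces.wg1 = {
    allowedTCPPorts = [53]; # dnsmasq, tunnel clients only
    allowedUDPPorts = [53];
  };
};
```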
@@ -168,34 +319,25 @@ type = "davfs"; } ]; + users = { + users.aria2 = { + # #uses port 8096 + # services.jellyfin.enable = true; + # users.groups.jellyfinmediaplayer = {}; + # users.users.jellyfinmediaplayer.group = "jellyfinmediaplayer"; + # users.users.jellyfin.extraGroups = ["jellyfinmediaplayer"]; - # #uses port 8096 - # services.jellyfin.enable = true; - # users.groups.jellyfinmediaplayer = {}; - # users.users.jellyfinmediaplayer.group = "jellyfinmediaplayer"; - # users.users.jellyfin.extraGroups = ["jellyfinmediaplayer"]; + # # Add stremio kiosk on wayland :) + # users.extraUsers.jellyfinmediaplayer.isNormalUser = true; + # services.cage.user = "jellyfinmediaplayer"; + # services.cage.program = "${pkgs.jellyfin-media-player}/bin/jellyfinmediaplayer"; + # services.cage.enable = true; + # services.cage.extraArguments = ["-f"]; - # # Add stremio kiosk on wayland :) - # users.extraUsers.jellyfinmediaplayer.isNormalUser = true; - # services.cage.user = "jellyfinmediaplayer"; - # services.cage.program = "${pkgs.jellyfin-media-player}/bin/jellyfinmediaplayer"; - # services.cage.enable = true; - # services.cage.extraArguments = ["-f"]; - - users.users.aria2.group = "aria2"; - users.groups.aria2 = {}; - users.users.aria2.isSystemUser = true; - - sops.secrets."rpcSecret".mode = "0440"; - sops.secrets."rpcSecret".owner = config.users.users.aria2.name; - - services.aria2 = { - enable = true; - settings = { - dir = "/var/lib/media"; - rpc-listen-port = 6969; + group = "aria2"; + isSystemUser = true; }; - rpcSecretFile = config.sops.secrets."rpcSecret".path; + groups.aria2 = {}; }; environment.systemPackages = [ 
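Review bot: The commented-out jellyfin/cage scaffolding was moved inside `users.users.aria2 = { … }`, so if it is ever uncommented it would set `services.jellyfin.enable` and `users.groups.*` inside a user attrset and fail to evaluate; move that comment block back to module top level (or delete it) so `users.users.aria2` holds only `group` and `isSystemUser`. The aria2 user definition itself is sound: `isSystemUser = true` with an explicit `group = "aria2"` and a matching `groups.aria2 = {}` is what the module system requires.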
@@ -212,139 +354,6 @@ pkgs.iptables ]; - sops.secrets."protonvpn-priv-key".mode = "0440"; - sops.secrets."protonvpn-priv-key".owner = config.users.users.root.name; - sops.secrets."wg-private-key".mode = "0440"; - sops.secrets."wg-private-key".owner = config.users.users.root.name; - - networking.wireguard.enable = true; - - networking.wg-quick.interfaces = { - # # "wg0" is the network interface name. You can name the interface arbitrarily. - # wg0 = { - # autostart = true; - # # Determines the IP address and subnet of the server's end of the tunnel interface. - # address = ["10.2.0.2/32"]; - - # # The port that WireGuard listens to. Must be accessible by the client. - # listenPort = 51820; - - # dns = ["10.2.0.1"]; - # # Path to the private key file. - # # - # # Note: The private key can also be included inline via the privateKey option, - # # but this makes the private key world-readable; thus, using privateKeyFile is - # # recommended. - # privateKeyFile = config.sops.secrets."protonvpn-priv-key".path; - - # peers = [ - # # List of allowed peers. - # { - # # Feel free to give a meaning full name - # # Public key of the peer (not a file path). - # publicKey = "/i7jCNpcqVBUkY07gVlILN4nFdvZHmxvreAOgLGoZGg="; - # # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. - # allowedIPs = ["0.0.0.0/0"]; - # endpoint = "146.70.86.114:51820"; - # } - # ]; - # }; - - # wg public key for host: A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg= - wg1 = { - # Determines the IP address and subnet of the server's end of the tunnel interface. - address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"]; - - # The port that WireGuard listens to. Must be accessible by the client. 
- listenPort = 51821; - - # This allows the wireguard server to route your traffic to the internet and hence be like a VPN - postUp = '' - ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE - ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE - ''; - - # Undo the above - preDown = '' - ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE - ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE - ''; - - privateKeyFile = config.sops.secrets."wg-private-key".path; - - peers = [ - { - #GLaDOS public key - publicKey = "yieF2yQptaE3jStoaGytUnN+HLxyVhFBZIUOGUNAV38="; - allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"]; - } - { - #EDI public key - publicKey = "i4nDZbU+a2k5C20tFJRNPVE1vhYKJwhoqGHEdeC4704="; - allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"]; - } - { - #Shodan public key - publicKey = "Zah2nZDaHF8jpP5AtMA5bhE7t38fMB2UHzbXAc96/jw="; - allowedIPs = ["10.0.0.4/32" "fdc9:281f:04d7:9ee9::3/128"]; - } - { - #ADA public key - publicKey = "SHu7xxRVWuqp4U4uipMoITKrFPWZATGsJevUeqBSzWo="; - allowedIPs = ["10.0.0.5/32" "fdc9:281f:04d7:9ee9::3/128"]; - } - ]; - }; - }; - - services.dnsmasq = { - enable = true; - settings = { - interface = "wg1"; - }; - }; - - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = 1; - "net.ipv6.conf.all.forwarding" = 1; - }; - - # enable NAT - networking.nat.enable = true; - networking.nat.externalInterface = "end0"; - networking.nat.internalInterfaces = ["wg1"]; - networking.firewall = { - enable = true; - allowPing = false; - allowedTCPPorts = [ - 22 # SSH - 5349 # STUN tls - 5350 # STUN tls alt - 80 # http - 443 
# https - 51821 # wg - 7878 - 53 # dnsmasq - ]; - allowedUDPPorts = [ - 53 #dnsmasq - ]; - allowedUDPPortRanges = [ - { - from = 51820; - to = 51822; # wg - } - { - from = 49152; - to = 49999; - } # TURN relay - ]; - }; - system.stateVersion = "25.05"; nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; }