Lillian-Violet/NixOS-Config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

big refactor of a lot of files

Browse source
This commit is contained in:
Lillian Violet 2024-12-22 22:48:13 +01:00
parent 7ee9d954ce
commit 6c64a962f4
12 changed files with 875 additions and 893 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

185
flake.nix
View file

@ -120,6 +120,29 @@
allowUnfreePredicate = _: true; allowUnfreePredicate = _: true;
}; };
}; };
sharedModules = [
{_module.args = {inherit pkgs-edge;};}
sops-nix.nixosModules.sops
disko.nixosModules.disko
home-manager.nixosModules.home-manager
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
nix-index-database.nixosModules.nix-index
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
];
}
];
desktopModules = [
{
home-manager.sharedModules = [
inputs.plasma-manager.homeManagerModules.plasma-manager
];
}
];
in { in {
# Your custom packages # Your custom packages
# Accessible through 'nix build', 'nix shell', etc # Accessible through 'nix build', 'nix shell', etc
@ -148,152 +171,64 @@
EDI = nixpkgs.lib.nixosSystem { EDI = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
modules = [ modules =
{_module.args = {inherit pkgs-edge;};} sharedModules
nixos-hardware.nixosModules.dell-xps-13-7390 ++ desktopModules
# > Our main nixos configuration file < ++ [
./nixos/hosts/EDI/configuration.nix nixos-hardware.nixosModules.dell-xps-13-7390
sops-nix.nixosModules.sops lanzaboote.nixosModules.lanzaboote
lanzaboote.nixosModules.lanzaboote # > Our main nixos configuration file <
disko.nixosModules.disko ./nixos/hosts/EDI/configuration.nix
home-manager.nixosModules.home-manager ];
nix-index-database.nixosModules.nix-index
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
inputs.plasma-manager.homeManagerModules.plasma-manager
];
}
];
}; };
GLaDOS = nixpkgs.lib.nixosSystem { GLaDOS = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
modules = [ modules =
{_module.args = {inherit pkgs-edge;};} sharedModules
# > Our main nixos configuration file < ++ desktopModules
./nixos/hosts/GLaDOS/configuration.nix ++ [
sops-nix.nixosModules.sops # > Our main nixos configuration file <
#lanzaboote.nixosModules.lanzaboote ./nixos/hosts/GLaDOS/configuration.nix
disko.nixosModules.disko ];
home-manager.nixosModules.home-manager
nix-index-database.nixosModules.nix-index
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
inputs.plasma-manager.homeManagerModules.plasma-manager
];
}
];
}; };
queen = nixpkgs.lib.nixosSystem { queen = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
modules = [ modules =
{_module.args = {inherit pkgs-edge;};} sharedModules
# > Our main nixos configuration file < ++ [
./nixos/hosts/queen/configuration.nix simple-nixos-mailserver.nixosModule
sops-nix.nixosModules.sops # > Our main nixos configuration file <
disko.nixosModules.disko ./nixos/hosts/queen/configuration.nix
simple-nixos-mailserver.nixosModule ];
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
];
}
];
}; };
shodan = nixpkgs.lib.nixosSystem { shodan = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
modules = [ modules =
{_module.args = {inherit pkgs-edge;};} sharedModules
# > Our main nixos configuration file < ++ desktopModules
./nixos/hosts/shodan/configuration.nix ++ [
sops-nix.nixosModules.sops # > Our main nixos configuration file <
lanzaboote.nixosModules.lanzaboote ./nixos/hosts/shodan/configuration.nix
disko.nixosModules.disko lanzaboote.nixosModules.lanzaboote
jovian.nixosModules.jovian jovian.nixosModules.jovian
home-manager.nixosModules.home-manager ];
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
inputs.plasma-manager.homeManagerModules.plasma-manager
];
}
];
}; };
wheatley = nixpkgs.lib.nixosSystem { wheatley = nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
modules = [ modules =
./nixos/hosts/wheatley/configuration.nix sharedModules
sops-nix.nixosModules.sops ++ [
home-manager.nixosModules.home-manager ./nixos/hosts/wheatley/configuration.nix
nixos-hardware.nixosModules.raspberry-pi-4 ];
nix-index-database.nixosModules.nix-index
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
];
}
];
}; };
# ISO = nixpkgs.lib.nixosSystem {
# system = "x86_64-linux";
# specialArgs = {inherit inputs outputs;};
# modules = [
# {_module.args = {inherit pkgs-edge;};}
# "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix"
# "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
# ./nixos/hosts/iso/configuration.nix
# sops-nix.nixosModules.sops
# home-manager.nixosModules.home-manager
# nix-index-database.nixosModules.nix-index
# catppuccin.nixosModules.catppuccin
# {
# home-manager.sharedModules = [
# inputs.plasma-manager.homeManagerModules.plasma-manager
# inputs.catppuccin.homeManagerModules.catppuccin
# ];
# }
# ];
# };
# iso_server = nixpkgs.lib.nixosSystem {
# system = "x86_64-linux";
# specialArgs = {inherit inputs outputs;};
# modules = [
# {_module.args = {inherit pkgs-edge;};}
# "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
# "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
# ./nixos/hosts/iso_server/configuration.nix
# sops-nix.nixosModules.sops
# home-manager.nixosModules.home-manager
# nix-index-database.nixosModules.nix-index
# catppuccin.nixosModules.catppuccin
# {
# home-manager.sharedModules = [
# inputs.catppuccin.homeManagerModules.catppuccin
# ];
# }
# ];
# };
}; };
}; };
} }

113
home-manager/desktop/default.nix
View file

@ -15,7 +15,6 @@
./package-configs/foot ./package-configs/foot
]; ];
nixpkgs = { nixpkgs = {
config.permittedInsecurePackages = ["cinny-4.2.3" "cinny-unwrapped-4.2.3" "cinny-4.2.2" "cinny-unwrapped-4.2.2"];
# You can add overlays here # You can add overlays here
overlays = [ overlays = [
# You can also add overlays exported from other flakes: # You can also add overlays exported from other flakes:
@ -54,8 +53,10 @@
}); });
}) })
]; ];
# Configure your nixpkgs instance
config = { config = {
permittedInsecurePackages = ["cinny-4.2.3" "cinny-unwrapped-4.2.3" "cinny-4.2.2" "cinny-unwrapped-4.2.2"];
# Configure your nixpkgs instance
# Disable if you don't want unfree packages # Disable if you don't want unfree packages
allowUnfree = true; allowUnfree = true;
}; };
@ -132,71 +133,69 @@
firefoxpwa firefoxpwa
ungoogled-chromium ungoogled-chromium
]; ];
programs = {
# vscode = {
# enable = true;
# package = pkgs.vscodium;
# extensions = with pkgs.vscode-extensions; [
# catppuccin.catppuccin-vsc
# catppuccin.catppuccin-vsc-icons
# charliermarsh.ruff
# eamodio.gitlens
# github.vscode-pull-request-github
# jnoortheen.nix-ide
# kamadorueda.alejandra
# mkhl.direnv
# ms-toolsai.jupyter
# ms-pyright.pyright
# oderwat.indent-rainbow
# rust-lang.rust-analyzer
# yzhang.markdown-all-in-one
# ];
# };
# programs.vscode = { obs-studio.enable = true;
# enable = true; obs-studio.plugins = with pkgs.obs-studio-plugins; [
# package = pkgs.vscodium;
# extensions = with pkgs.vscode-extensions; [
# catppuccin.catppuccin-vsc
# catppuccin.catppuccin-vsc-icons
# charliermarsh.ruff
# eamodio.gitlens
# github.vscode-pull-request-github
# jnoortheen.nix-ide
# kamadorueda.alejandra
# mkhl.direnv
# ms-toolsai.jupyter
# ms-pyright.pyright
# oderwat.indent-rainbow
# rust-lang.rust-analyzer
# yzhang.markdown-all-in-one
# ];
# };
programs.obs-studio = {
enable = true;
plugins = with pkgs.obs-studio-plugins; [
wlrobs wlrobs
obs-backgroundremoval obs-backgroundremoval
obs-pipewire-audio-capture obs-pipewire-audio-capture
]; ];
};
# Enable home-manager and git # Enable home-manager and git
programs.home-manager.enable = true; home-manager.enable = true;
programs.git = { git = {
enable = true; enable = true;
userEmail = "git@lillianviolet.dev"; userEmail = "git@lillianviolet.dev";
userName = "Lillian-Violet"; userName = "Lillian-Violet";
extraConfig = { extraConfig = {
init = { init = {
defaultBranch = "main"; defaultBranch = "main";
};
}; };
ignores = [
"*.direnv"
"*.vscode"
".envrc"
"venv"
"venv"
];
}; };
ignores = [
"*.direnv"
"*.vscode"
".envrc"
"venv"
"venv"
];
};
programs.gpg.enable = true; gpg.enable = true;
programs.gpg.settings = { gpg.settings = {
default-key = "0d43 5407 034c 2ad9 2d42 799d 280e 061d ff60 0f0d"; default-key = "0d43 5407 034c 2ad9 2d42 799d 280e 061d ff60 0f0d";
default-recipient-self = true; default-recipient-self = true;
auto-key-locate = "local,wkd,keyserver"; auto-key-locate = "local,wkd,keyserver";
keyserver = "hkps://keys.openpgp.org"; keyserver = "hkps://keys.openpgp.org";
auto-key-retrieve = true; auto-key-retrieve = true;
auto-key-import = true; auto-key-import = true;
keyserver-options = "honor-keyserver-url"; keyserver-options = "honor-keyserver-url";
no-autostart = true; no-autostart = true;
};
}; };
services = {
services.kdeconnect = { kdeconnect.package = pkgs.kdePackages.kdeconnect-kde;
package = pkgs.kdePackages.kdeconnect-kde; kdeconnect.enable = true;
enable = true;
}; };
# Nicely reload system units when changing configs # Nicely reload system units when changing configs

31
home-manager/hosts/shodan/lillian.nix
View file

@ -84,22 +84,23 @@
firefox firefox
ungoogled-chromium ungoogled-chromium
]; ];
programs = {
# # Automount services for user
# programs.bashmount.enable = true;
# services.udiskie = {
# enable = true;
# automount = true;
# notify = false;
# tray = "never";
# };
# # Automount services for user # Enable home-manager and git
# programs.bashmount.enable = true; home-manager.enable = true;
# services.udiskie = { git = {
# enable = true; enable = true;
# automount = true; userEmail = "git@lillianviolet.dev";
# notify = false; userName = "Lillian-Violet";
# tray = "never"; };
# };
# Enable home-manager and git
programs.home-manager.enable = true;
programs.git = {
enable = true;
userEmail = "git@lillianviolet.dev";
userName = "Lillian-Violet";
}; };
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion

12
home-manager/shared/default.nix
View file

@ -32,11 +32,13 @@
navi navi
nil nil
]; ];
programs.navi.enable = true; programs = {
programs.yazi = { navi.enable = true;
enable = true; yazi = {
package = pkgs.yazi.override { enable = true;
_7zz = pkgs._7zz.override {useUasm = true;}; package = pkgs.yazi.override {
_7zz = pkgs._7zz.override {useUasm = true;};
};
}; };
}; };
stylix.enable = true; stylix.enable = true;

4
home-manager/shared/shell/zellij/default.nix
View file

@ -206,14 +206,12 @@ in {
}; };
}; };
}; };
home.file = { home.file = {
"layout" = { "layout" = {
source = "${layout}"; source = "${layout}";
target = ".config/zellij/layouts/default.kdl"; target = ".config/zellij/layouts/default.kdl";
}; };
};
home.file = {
"helix_zellij" = { "helix_zellij" = {
source = "${helix_zellij}"; source = "${helix_zellij}";
target = ".config/zellij/layouts/helix.kdl"; target = ".config/zellij/layouts/helix.kdl";

131
home-manager/shared/shell/zsh.nix
View file

@ -1,70 +1,71 @@
{pkgs, ...}: { {pkgs, ...}: {
programs.zoxide = { programs = {
enable = true; zoxide = {
};
programs.zsh = {
enable = true;
shellAliases = {
cd = "z";
code = "codium ./";
ls = "eza";
lh = "ls -lah";
cat = "bat";
tree = "tre";
neofetch = "hyfetch";
shutdown = "shutdown 0";
reboot = "reboot 0";
};
plugins = [
{
name = "zsh-nix-shell";
file = "nix-shell.plugin.zsh";
src = pkgs.fetchFromGitHub {
owner = "chisui";
repo = "zsh-nix-shell";
rev = "v0.8.0";
sha256 = "sha256-Z6EYQdasvpl1P78poj9efnnLj7QQg13Me8x1Ryyw+dM=";
};
}
{
name = "terraform";
src = pkgs.fetchFromGitHub {
owner = "macunha1";
repo = "zsh-terraform";
rev = "fd1471d3757f8ed13f56c4426f88616111de2a87";
sha256 = "0z6i9wjjklb4lvr7zjhbphibsyx51psv50gm07mbb0kj9058j6kc";
};
}
];
autosuggestion.enable = true;
enableCompletion = true;
historySubstringSearch.enable = true;
syntaxHighlighting.enable = true;
#zsh-abbr.enable = true;
oh-my-zsh = {
enable = true; enable = true;
plugins = [
"git"
"colored-man-pages"
"colorize"
"dirhistory"
"dirpersist"
"history"
"history-substring-search"
"fancy-ctrl-z"
"git-flow"
"isodate"
"z"
"zsh-interactive-cd"
"zsh-navigation-tools"
];
}; };
# Extra commands that take more complex forms zsh = {
initExtra = '' enable = true;
eval "$(zoxide init --cmd cd zsh)" shellAliases = {
tre() { command tre "$@" -e && source "/tmp/tre_aliases_$USER" 2>/dev/null; } cd = "z";
zhx() { command zellij action new-tab --layout $HOME/.config/zellij/layouts/helix.kdl; } code = "codium ./";
''; ls = "eza";
lh = "ls -lah";
cat = "bat";
tree = "tre";
neofetch = "hyfetch";
shutdown = "shutdown 0";
reboot = "reboot 0";
};
plugins = [
{
name = "zsh-nix-shell";
file = "nix-shell.plugin.zsh";
src = pkgs.fetchFromGitHub {
owner = "chisui";
repo = "zsh-nix-shell";
rev = "v0.8.0";
sha256 = "sha256-Z6EYQdasvpl1P78poj9efnnLj7QQg13Me8x1Ryyw+dM=";
};
}
{
name = "terraform";
src = pkgs.fetchFromGitHub {
owner = "macunha1";
repo = "zsh-terraform";
rev = "fd1471d3757f8ed13f56c4426f88616111de2a87";
sha256 = "0z6i9wjjklb4lvr7zjhbphibsyx51psv50gm07mbb0kj9058j6kc";
};
}
];
autosuggestion.enable = true;
enableCompletion = true;
historySubstringSearch.enable = true;
syntaxHighlighting.enable = true;
#zsh-abbr.enable = true;
oh-my-zsh = {
enable = true;
plugins = [
"git"
"colored-man-pages"
"colorize"
"dirhistory"
"dirpersist"
"history"
"history-substring-search"
"fancy-ctrl-z"
"git-flow"
"isodate"
"z"
"zsh-interactive-cd"
"zsh-navigation-tools"
];
};
# Extra commands that take more complex forms
initExtra = ''
eval "$(zoxide init --cmd cd zsh)"
tre() { command tre "$@" -e && source "/tmp/tre_aliases_$USER" 2>/dev/null; }
zhx() { command zellij action new-tab --layout $HOME/.config/zellij/layouts/helix.kdl; }
'';
};
}; };
} }

193
nixos/desktop/default.nix
View file

@ -29,11 +29,6 @@
}; };
}; };
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
programs.command-not-found.enable = lib.mkForce false;
programs.nix-index.enable = true;
programs.nix-index-database.comma.enable = true;
environment.systemPackages = environment.systemPackages =
(with pkgs; [ (with pkgs; [
# Custom tools # Custom tools
@ -98,113 +93,125 @@
# list of latest packages from nixpkgs master # list of latest packages from nixpkgs master
# Can be used to install latest version of some packages # Can be used to install latest version of some packages
]); ]);
programs = {
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
command-not-found.enable = lib.mkForce false;
nix-index.enable = true;
nix-index-database.comma.enable = true;
programs.direnv = { direnv = {
enable = true; enable = true;
};
steam = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
extest.enable = true;
};
kdeconnect.enable = true;
noisetorch = {
enable = true;
};
}; };
# Enable networking # Enable networking
networking.networkmanager.enable = true; networking.networkmanager.enable = true; # Enables support for 32bit libs that steam uses
programs.steam = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
extest.enable = true;
};
hardware.graphics.enable32Bit = true; # Enables support for 32bit libs that steam uses
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
services = {
# Enable the X11 windowing system.
xserver.enable = true;
# Enable the X11 windowing system. # Enable the KDE Plasma Desktop Environment.
services.xserver.enable = true; displayManager.sddm = {
enable = true;
wayland.enable = true;
};
displayManager.defaultSession = "plasma";
desktopManager.plasma6.enable = true;
# Enable the KDE Plasma Desktop Environment. # Enable flatpak support
services.displayManager.sddm = { flatpak.enable = true;
enable = true; packagekit.enable = true;
wayland.enable = true;
# Configure keymap in X11
xserver.xkb = {
layout = "us";
variant = "";
options = "terminate:ctrl_alt_bksp,compose:caps_toggle";
};
# Enable CUPS to print documents.
printing.enable = true;
# Enable fwupd daemon and user space client
fwupd.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
avahi = {
nssmdns4 = true;
enable = true;
ipv4 = true;
ipv6 = true;
publish = {
enable = true;
addresses = true;
workstation = true;
};
};
}; };
services.displayManager.defaultSession = "plasma"; hardware = {
services.desktopManager.plasma6.enable = true; graphics.enable32Bit = true;
programs.kdeconnect.enable = true;
# Enable flatpak support # Enable bluetooth hardware
services.flatpak.enable = true; bluetooth.enable = true;
services.packagekit.enable = true;
# Configure keymap in X11 # Enable sound with pipewire.
services.xserver.xkb = { pulseaudio.enable = false;
layout = "us";
variant = "";
options = "terminate:ctrl_alt_bksp,compose:caps_toggle";
}; };
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable bluetooth hardware
hardware.bluetooth.enable = true;
# Enable fwupd daemon and user space client
services.fwupd.enable = true;
# Enable sound with pipewire.
hardware.pulseaudio.enable = false;
security.rtkit.enable = true; security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
programs.noisetorch = {
enable = true;
};
virtualisation.podman = { virtualisation.podman = {
enable = true; enable = true;
dockerCompat = true; dockerCompat = true;
}; };
security.tpm2 = {
services.avahi = {
nssmdns4 = true;
enable = true; enable = true;
ipv4 = true; pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
ipv6 = true; tctiEnvironment.enable = true;
publish = { }; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
enable = true; users.users.lillian.extraGroups = ["tss"];
addresses = true; boot = {
workstation = true; # tss group has access to TPM devices
}; # FIXME: re-enable virtual camera loopback when it build again.
bootspec.enable = true;
#boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
#boot.supportedFilesystems = ["bcachefs"];
extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
kernelModules = [
# Virtual Camera
"v4l2loopback"
# Virtual Microphone, built-in
"snd-aloop"
];
# Set initial kernel module settings
extraModprobeConfig = ''
# exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming
# card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams
# https://github.com/umlaeute/v4l2loopback
options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
'';
loader.systemd-boot.configurationLimit = 3;
loader.efi.canTouchEfiVariables = true;
}; };
security.tpm2.enable = true;
security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices
# FIXME: re-enable virtual camera loopback when it build again.
boot.bootspec.enable = true;
#boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
#boot.supportedFilesystems = ["bcachefs"];
boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
boot.kernelModules = [
# Virtual Camera
"v4l2loopback"
# Virtual Microphone, built-in
"snd-aloop"
];
# Set initial kernel module settings
boot.extraModprobeConfig = ''
# exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming
# card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams
# https://github.com/umlaeute/v4l2loopback
options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
'';
boot.loader.systemd-boot.configurationLimit = 3;
boot.loader.efi.canTouchEfiVariables = true;
} }

67
nixos/hosts/EDI/configuration.nix
View file

@ -29,8 +29,12 @@
# Import your generated (nixos-generate-config) hardware configuration # Import your generated (nixos-generate-config) hardware configuration
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
sops = {
defaultSopsFile = ./secrets/sops.yaml;
sops.defaultSopsFile = ./secrets/sops.yaml; secrets."wg-private-key".mode = "0440";
secrets."wg-private-key".owner = config.users.users.root.name;
};
home-manager = { home-manager = {
extraSpecialArgs = {inherit inputs outputs;}; extraSpecialArgs = {inherit inputs outputs;};
@ -42,42 +46,41 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
]; ];
networking = {
hostName = "EDI";
networking.hostName = "EDI"; wireguard.enable = true;
sops.secrets."wg-private-key".mode = "0440"; wg-quick.interfaces = {
sops.secrets."wg-private-key".owner = config.users.users.root.name; wg0 = {
autostart = true;
networking.wireguard.enable = true; address = ["10.0.0.3/24" "fdc9:281f:04d7:9ee9::3/64"];
dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
networking.wg-quick.interfaces = { listenPort = 51821;
wg0 = { privateKeyFile = config.sops.secrets."wg-private-key".path;
autostart = true; peers = [
address = ["10.0.0.3/24" "fdc9:281f:04d7:9ee9::3/64"]; {
dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"]; publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
listenPort = 51821; endpoint = "84.87.146.85:51821";
privateKeyFile = config.sops.secrets."wg-private-key".path; allowedIPs = ["0.0.0.0/0" "::/0"];
peers = [ persistentKeepalive = 25;
{ }
publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg="; ];
endpoint = "84.87.146.85:51821"; };
allowedIPs = ["0.0.0.0/0" "::/0"];
persistentKeepalive = 25;
}
];
}; };
}; };
boot = {
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
loader.systemd-boot.enable = lib.mkForce false;
initrd.systemd.enable = true;
# Lanzaboote currently replaces the systemd-boot module. lanzaboote = {
# This setting is usually set to true in configuration.nix enable = true;
# generated at installation time. So we force it to false pkiBundle = "/etc/secureboot";
# for now. };
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.initrd.systemd.enable = true;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
}; };
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion

93
nixos/hosts/GLaDOS/configuration.nix
View file

@ -28,26 +28,36 @@
# Import your generated (nixos-generate-config) hardware configuration # Import your generated (nixos-generate-config) hardware configuration
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
sops = {
defaultSopsFile = ./secrets/sops.yaml;
sops.defaultSopsFile = ./secrets/sops.yaml; secrets."wg-private-key".mode = "0440";
secrets."wg-private-key".owner = config.users.users.root.name;
secrets."ssh-private-key" = {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.ssh/id_ed25519";
};
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
]; ];
services.xserver.videoDrivers = ["amdgpu"]; services.xserver.videoDrivers = ["amdgpu"];
hardware = {
# Add vulkan support to GPU # Add vulkan support to GPU
hardware.graphics.extraPackages = with pkgs; [ graphics.extraPackages = with pkgs; [
amdvlk amdvlk
]; ];
# For 32 bit applications # For 32 bit applications
hardware.graphics.extraPackages32 = with pkgs; [ graphics.extraPackages32 = with pkgs; [
driversi686Linux.amdvlk driversi686Linux.amdvlk
]; ];
};
programs.gamemode = { programs = {
enable = true; gamemode.enable = true;
settings = { gamemode.settings = {
general = { general = {
renice = 10; renice = 10;
}; };
@ -65,9 +75,10 @@
}; };
}; };
}; };
boot = {
boot.loader.systemd-boot.enable = true; loader.systemd-boot.enable = true;
boot.binfmt.emulatedSystems = ["aarch64-linux"]; binfmt.emulatedSystems = ["aarch64-linux"];
};
# boot.lanzaboote = { # boot.lanzaboote = {
# enable = true; # enable = true;
@ -83,36 +94,28 @@
lillian = import ../../../home-manager/hosts/GLaDOS; lillian = import ../../../home-manager/hosts/GLaDOS;
}; };
}; };
networking = {
# virtualisation.waydroid.enable = false;
hostName = "GLaDOS";
# virtualisation.waydroid.enable = false; wireguard.enable = true;
networking.hostName = "GLaDOS";
sops.secrets."wg-private-key".mode = "0440"; wg-quick.interfaces = {
sops.secrets."wg-private-key".owner = config.users.users.root.name; wg0 = {
autostart = true;
sops.secrets."ssh-private-key" = { address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"];
mode = "0600"; dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
owner = config.users.users.lillian.name; listenPort = 51821;
path = "/home/lillian/.ssh/id_ed25519"; privateKeyFile = config.sops.secrets."wg-private-key".path;
}; peers = [
{
networking.wireguard.enable = true; publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
endpoint = "84.87.146.85:51821";
networking.wg-quick.interfaces = { allowedIPs = ["0.0.0.0/0" "::/0"];
wg0 = { persistentKeepalive = 25;
autostart = true; }
address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"]; ];
dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"]; };
listenPort = 51821;
privateKeyFile = config.sops.secrets."wg-private-key".path;
peers = [
{
publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
endpoint = "84.87.146.85:51821";
allowedIPs = ["0.0.0.0/0" "::/0"];
persistentKeepalive = 25;
}
];
}; };
}; };

130
nixos/hosts/queen/configuration.nix
View file

@ -26,16 +26,17 @@
# Import disko # Import disko
# ../../../disko/queen # ../../../disko/queen
]; ];
boot.tmp.cleanOnBoot = true;
zramSwap.enable = false; zramSwap.enable = false;
networking.domain = ""; services = {
services.openssh = { openssh = {
enable = true; enable = true;
# require public key authentication for better security settings = {
settings.PasswordAuthentication = false; # require public key authentication for better security
settings.KbdInteractiveAuthentication = false; PasswordAuthentication = false;
settings.PermitRootLogin = "no"; KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
};
};
}; };
nixpkgs = { nixpkgs = {
@ -88,58 +89,63 @@
sqlite sqlite
rocksdb rocksdb
]; ];
networking = {
domain = "";
# Create an auto-update systemd service that runs every day # Create an auto-update systemd service that runs every day
# system.autoUpgrade = { # system.autoUpgrade = {
# flake = "git+https://git.lillianviolet.dev/Lillian-Violet/NixOS-Config.git"; # flake = "git+https://git.lillianviolet.dev/Lillian-Violet/NixOS-Config.git";
# dates = "daily"; # dates = "daily";
# enable = true; # enable = true;
# }; # };
# systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug"; # systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug";
# Enable networking # Enable networking
# networking.networkmanager.enable = true; # networking.networkmanager.enable = true;
# networking.nat.enable = true; # networking.nat.enable = true;
# networking.nat.internalInterfaces = ["ve-+"]; # networking.nat.internalInterfaces = ["ve-+"];
# networking.nat.externalInterface = "ens18"; # networking.nat.externalInterface = "ens18";
networking.enableIPv6 = lib.mkForce true; enableIPv6 = lib.mkForce true;
networking.nameservers = ["2a02:c207::1:53" "2a02:c207::2:53"]; nameservers = ["2a02:c207::1:53" "2a02:c207::2:53"];
# networking.interfaces.ens18.ipv4.addresses = [ # networking.interfaces.ens18.ipv4.addresses = [
# { # {
# address = "62.171.160.195"; # address = "62.171.160.195";
# prefixLength = 32; # prefixLength = 32;
# } # }
# ]; # ];
networking.interfaces.ens18.ipv6.addresses = [ interfaces.ens18.ipv6.addresses = [
{
address = "2a02:c207:2063:2448::1";
prefixLength = 64;
}
];
networking.defaultGateway6 = {
address = "fe80::1";
interface = "ens18";
};
# Open ports in the firewall.
networking.firewall = {
enable = true;
allowPing = false;
allowedTCPPorts = [
22 # SSH
5349 # STUN tls
5350 # STUN tls alt
80 # http
443 # https
];
allowedUDPPortRanges = [
{ {
from = 49152; address = "2a02:c207:2063:2448::1";
to = 49999; prefixLength = 64;
} # TURN relay }
]; ];
defaultGateway6 = {
address = "fe80::1";
interface = "ens18";
};
firewall = {
# Open ports in the firewall.
enable = true;
allowPing = false;
allowedTCPPorts = [
22 # SSH
5349 # STUN tls
5350 # STUN tls alt
80 # http
443 # https
];
allowedUDPPortRanges = [
{
from = 49152;
to = 49999;
} # TURN relay
];
};
hostName = "queen";
}; };
# networking.useNetworkd = true; # networking.useNetworkd = true;
@ -179,12 +185,14 @@
lillian = import ../../../home-manager/hosts/queen; lillian = import ../../../home-manager/hosts/queen;
}; };
}; };
boot = {
networking.hostName = "queen"; tmp.cleanOnBoot = true;
loader.grub = {
boot.loader.grub.enable = true; enable = true;
boot.loader.grub.configurationLimit = 3; configurationLimit = 3;
boot.loader.efi.canTouchEfiVariables = true; };
loader.efi.canTouchEfiVariables = true;
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.11"; system.stateVersion = "24.11";

266
nixos/hosts/shodan/configuration.nix
View file

@ -27,11 +27,117 @@
./auto-mount.nix ./auto-mount.nix
]; ];
boot = {
tmp.cleanOnBoot = true;
loader = {
# TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
# tss group has access to TPM devices
boot.tmp.cleanOnBoot = true; # Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
systemd-boot.enable = lib.mkForce false;
systemd-boot.configurationLimit = 3;
timeout = 0;
efi.canTouchEfiVariables = true;
};
initrd.systemd.enable = true;
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
consoleLogLevel = 0;
kernelParams = ["quiet" "udev.log_priority=0" "fbcon=vc:2-6" "console=tty0"];
plymouth.enable = true;
};
zramSwap.enable = false; zramSwap.enable = false;
networking.domain = ""; networking = {
services.openssh.enable = true; domain = "";
# Enable networking
networkmanager.enable = true;
firewall.enable = true;
firewall.allowedTCPPorts = [22];
hostName = "shodan";
wireguard.enable = true;
wg-quick.interfaces = {
wg0 = {
autostart = true;
address = ["10.0.0.4/24" "fdc9:281f:04d7:9ee9::4/64"];
dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
listenPort = 51821;
privateKeyFile = config.sops.secrets."wg-private-key".path;
peers = [
{
publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
endpoint = "84.87.146.85:51821";
allowedIPs = ["0.0.0.0/0" "::/0"];
persistentKeepalive = 25;
}
];
};
};
};
services = {
openssh.enable = true; # Enables support for 32bit libs that steam uses
# Enable the X11 windowing system.
xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
desktopManager.plasma6.enable = true;
avahi = {
nssmdns4 = true;
enable = true;
ipv4 = true;
ipv6 = true;
publish = {
enable = true;
addresses = true;
workstation = true;
};
};
displayManager = {
defaultSession = "plasma";
sddm.wayland.enable = lib.mkForce true;
sddm.settings = {
Autologin = {
Session = "plasma.desktop";
User = "lillian";
};
};
};
# Enable flatpak support
flatpak.enable = true;
packagekit.enable = true;
# Configure keymap in X11
xserver = {
xkb.layout = "us";
xkb.variant = "";
};
# Enable CUPS to print documents.
printing.enable = true;
# Enable fwupd daemon and user space client
fwupd.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
};
nixpkgs = { nixpkgs = {
# You can add overlays here # You can add overlays here
@ -43,9 +149,13 @@
allowUnfree = true; allowUnfree = true;
}; };
}; };
sops = {
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
defaultSopsFile = ./secrets/sops.yaml;
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys secrets."wg-private-key".mode = "0440";
sops.defaultSopsFile = ./secrets/sops.yaml; secrets."wg-private-key".owner = config.users.users.root.name;
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# Custom tools # Custom tools
@ -109,60 +219,24 @@
enableGyroDsuService = true; enableGyroDsuService = true;
}; };
}; };
programs = {
programs.steam = lib.mkForce { steam = lib.mkForce {
enable = true; enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
extest.enable = true; extest.enable = true;
}; };
hardware.graphics.enable32Bit = true; # Enables support for 32bit libs that steam uses kdeconnect.enable = true;
# Enable the X11 windowing system. noisetorch = {
services.xserver.enable = true; enable = true;
};
# Enable the KDE Plasma Desktop Environment.
services.desktopManager.plasma6.enable = true; git = {
programs.kdeconnect.enable = true;
services.avahi = {
nssmdns4 = true;
enable = true;
ipv4 = true;
ipv6 = true;
publish = {
enable = true; enable = true;
addresses = true;
workstation = true;
}; };
}; };
services.displayManager.defaultSession = "plasma";
services.displayManager.sddm.wayland.enable = lib.mkForce true;
services.displayManager.sddm.settings = {
Autologin = {
Session = "plasma.desktop";
User = "lillian";
};
};
# Enable flatpak support
services.flatpak.enable = true;
services.packagekit.enable = true;
# Configure keymap in X11
services.xserver = {
xkb.layout = "us";
xkb.variant = "";
};
# Enable networking
networking.networkmanager.enable = true;
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [22];
# # Enable automounting of removable media # # Enable automounting of removable media
# services.udisks2.enable = true; # services.udisks2.enable = true;
# services.devmon.enable = true; # services.devmon.enable = true;
@ -171,32 +245,14 @@
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
hardware = {
graphics.enable32Bit = true;
# Enable CUPS to print documents. # Enable bluetooth hardware
services.printing.enable = true; bluetooth.enable = true;
# Enable bluetooth hardware # Enable sound with pipewire.
hardware.bluetooth.enable = true; pulseaudio.enable = false;
# Enable fwupd daemon and user space client
services.fwupd.enable = true;
# Enable sound with pipewire.
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
programs.noisetorch = {
enable = true;
};
programs.git = {
enable = true;
}; };
users.users.lillian.extraGroups = ["decky" "tss" "input"]; users.users.lillian.extraGroups = ["decky" "tss" "input"];
@ -211,55 +267,15 @@
lillian = import ../../../home-manager/hosts/shodan; lillian = import ../../../home-manager/hosts/shodan;
}; };
}; };
security = {
networking.hostName = "shodan"; rtkit.enable = true;
tpm2 = {
sops.secrets."wg-private-key".mode = "0440"; enable = true;
sops.secrets."wg-private-key".owner = config.users.users.root.name; pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
tctiEnvironment.enable = true;
networking.wireguard.enable = true;
networking.wg-quick.interfaces = {
wg0 = {
autostart = true;
address = ["10.0.0.4/24" "fdc9:281f:04d7:9ee9::4/64"];
dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
listenPort = 51821;
privateKeyFile = config.sops.secrets."wg-private-key".path;
peers = [
{
publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
endpoint = "84.87.146.85:51821";
allowedIPs = ["0.0.0.0/0" "::/0"];
persistentKeepalive = 25;
}
];
}; };
}; };
security.tpm2.enable = true;
security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
# tss group has access to TPM devices
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.initrd.systemd.enable = true;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
boot.loader.systemd-boot.configurationLimit = 3;
boot.loader.timeout = 0;
boot.loader.efi.canTouchEfiVariables = true;
boot.consoleLogLevel = 0;
boot.kernelParams = ["quiet" "udev.log_priority=0" "fbcon=vc:2-6" "console=tty0"];
boot.plymouth.enable = true;
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }

543
nixos/hosts/wheatley/configuration.nix
View file

@ -23,20 +23,139 @@
super.makeModulesClosure (x // {allowMissing = true;}); super.makeModulesClosure (x // {allowMissing = true;});
}) })
]; ];
programs = {
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
command-not-found.enable = lib.mkForce false;
nix-index.enable = true;
nix-index-database.comma.enable = true;
};
services = {
automatic-timezoned.enable = true;
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently # stubby = {
programs.command-not-found.enable = lib.mkForce false; # enable = true;
programs.nix-index.enable = true; # settings =
programs.nix-index-database.comma.enable = true; # pkgs.stubby.passthru.settingsExample
# // {
# upstream_recursive_servers = [
# {
# address_data = "94.140.14.49";
# tls_auth_name = "4b921896.d.adguard-dns.com";
# tls_pubkey_pinset = [
# {
# digest = "sha256";
# value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
# }
# ];
# }
# {
# address_data = "94.140.14.59";
# tls_auth_name = "4b921896.d.adguard-dns.com";
# tls_pubkey_pinset = [
# {
# digest = "sha256";
# value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
# }
# ];
# }
# {
# address_data = "2a10:50c0:0:0:0:0:ded:ff";
# tls_auth_name = "4b921896.d.adguard-dns.com";
# tls_pubkey_pinset = [
# {
# digest = "sha256";
# value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
# }
# ];
# }
# {
# address_data = "2a10:50c0:0:0:0:0:dad:ff";
# tls_auth_name = "4b921896.d.adguard-dns.com";
# tls_pubkey_pinset = [
# {
# digest = "sha256";
# value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
# }
# ];
# }
# ];
# };
# };
services.automatic-timezoned.enable = true; openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "no";
};
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys davfs2.enable = true;
sops.defaultSopsFile = ./secrets/sops.yaml;
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; aria2 = {
enable = true;
settings = {
dir = "/var/lib/media";
rpc-listen-port = 6969;
};
rpcSecretFile = config.sops.secrets."rpcSecret".path;
};
boot.initrd.kernelModules = ["vc4" "bcm2835_dma" "i2c_bcm2835" "cma=256M" "console=tty0"]; dnsmasq = {
enable = true;
settings = {
interface = "wg1";
};
};
};
sops = {
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
defaultSopsFile = ./secrets/sops.yaml;
# users.users = {
# ombi.extraGroups = ["radarr" "sonarr" "aria2"];
# };
# services.ombi = {
# enable = true;
# port = 2368;
# };
# users.users = {
# radarr.extraGroups = ["aria2"];
# sonarr.extraGroups = ["aria2"];
# };
# services = {
# #uses port 7878
# radarr.enable = true;
# #uses port 8989
# sonarr.enable = true;
# prowlarr.enable = true;
# };
secrets."webdav-secret" = {
mode = "0600";
path = "/etc/davfs2/secrets";
};
secrets."rpcSecret".mode = "0440";
secrets."rpcSecret".owner = config.users.users.aria2.name;
secrets."protonvpn-priv-key".mode = "0440";
secrets."protonvpn-priv-key".owner = config.users.users.root.name;
secrets."wg-private-key".mode = "0440";
secrets."wg-private-key".owner = config.users.users.root.name;
};
boot = {
kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
initrd.kernelModules = ["vc4" "bcm2835_dma" "i2c_bcm2835" "cma=256M" "console=tty0"];
kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
};
sdImage.compressImage = false; sdImage.compressImage = false;
@ -47,114 +166,146 @@
lillian = import ../../../home-manager/hosts/wheatley; lillian = import ../../../home-manager/hosts/wheatley;
}; };
}; };
networking = {
hostName = "wheatley";
networking.hostName = "wheatley"; networkmanager.enable = true;
networking.networkmanager.enable = true; # Disable NetworkManager's internal DNS resolution
networkmanager.dns = "none";
# Disable NetworkManager's internal DNS resolution # These options are unnecessary when managing DNS ourselves
networking.networkmanager.dns = "none"; useDHCP = false;
dhcpcd.enable = false;
# These options are unnecessary when managing DNS ourselves # Configure DNS servers manually (this example uses Cloudflare and Google DNS)
networking.useDHCP = false; # IPv6 DNS servers can be used here as well.
networking.dhcpcd.enable = false; nameservers = [
# "127.0.0.1"
# "::1"
"94.140.14.49"
"94.140.14.59"
"2a10:50c0:0:0:0:0:ded:ff"
"2a10:50c0:0:0:0:0:ded:ff"
];
# Configure DNS servers manually (this example uses Cloudflare and Google DNS) wireguard.enable = true;
# IPv6 DNS servers can be used here as well.
networking.nameservers = [
# "127.0.0.1"
# "::1"
"94.140.14.49"
"94.140.14.59"
"2a10:50c0:0:0:0:0:ded:ff"
"2a10:50c0:0:0:0:0:ded:ff"
];
# services.stubby = { wg-quick.interfaces = {
# enable = true; # # "wg0" is the network interface name. You can name the interface arbitrarily.
# settings = # wg0 = {
# pkgs.stubby.passthru.settingsExample # autostart = true;
# // { # # Determines the IP address and subnet of the server's end of the tunnel interface.
# upstream_recursive_servers = [ # address = ["10.2.0.2/32"];
# {
# address_data = "94.140.14.49";
# tls_auth_name = "4b921896.d.adguard-dns.com";
# tls_pubkey_pinset = [
# {
# digest = "sha256";
# value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
# }
# ];
# }
# {
# address_data = "94.140.14.59";
# tls_auth_name = "4b921896.d.adguard-dns.com";
# tls_pubkey_pinset = [
# {
# digest = "sha256";
# value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
# }
# ];
# }
# {
# address_data = "2a10:50c0:0:0:0:0:ded:ff";
# tls_auth_name = "4b921896.d.adguard-dns.com";
# tls_pubkey_pinset = [
# {
# digest = "sha256";
# value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
# }
# ];
# }
# {
# address_data = "2a10:50c0:0:0:0:0:dad:ff";
# tls_auth_name = "4b921896.d.adguard-dns.com";
# tls_pubkey_pinset = [
# {
# digest = "sha256";
# value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
# }
# ];
# }
# ];
# };
# };
services.openssh = { # # The port that WireGuard listens to. Must be accessible by the client.
enable = true; # listenPort = 51820;
# require public key authentication for better security
settings.PasswordAuthentication = false; # dns = ["10.2.0.1"];
settings.KbdInteractiveAuthentication = false; # # Path to the private key file.
settings.PermitRootLogin = "no"; # #
# # Note: The private key can also be included inline via the privateKey option,
# # but this makes the private key world-readable; thus, using privateKeyFile is
# # recommended.
# privateKeyFile = config.sops.secrets."protonvpn-priv-key".path;
# peers = [
# # List of allowed peers.
# {
# # Feel free to give a meaning full name
# # Public key of the peer (not a file path).
# publicKey = "/i7jCNpcqVBUkY07gVlILN4nFdvZHmxvreAOgLGoZGg=";
# # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
# allowedIPs = ["0.0.0.0/0"];
# endpoint = "146.70.86.114:51820";
# }
# ];
# };
# wg public key for host: A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=
wg1 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51821;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
'';
# Undo the above
preDown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
'';
privateKeyFile = config.sops.secrets."wg-private-key".path;
peers = [
{
#GLaDOS public key
publicKey = "yieF2yQptaE3jStoaGytUnN+HLxyVhFBZIUOGUNAV38=";
allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
}
{
#EDI public key
publicKey = "i4nDZbU+a2k5C20tFJRNPVE1vhYKJwhoqGHEdeC4704=";
allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
}
{
#Shodan public key
publicKey = "Zah2nZDaHF8jpP5AtMA5bhE7t38fMB2UHzbXAc96/jw=";
allowedIPs = ["10.0.0.4/32" "fdc9:281f:04d7:9ee9::3/128"];
}
{
#ADA public key
publicKey = "SHu7xxRVWuqp4U4uipMoITKrFPWZATGsJevUeqBSzWo=";
allowedIPs = ["10.0.0.5/32" "fdc9:281f:04d7:9ee9::3/128"];
}
];
};
};
nat = {
# enable NAT
enable = true;
externalInterface = "end0";
internalInterfaces = ["wg1"];
};
firewall = {
enable = true;
allowPing = false;
allowedTCPPorts = [
22 # SSH
5349 # STUN tls
5350 # STUN tls alt
80 # http
443 # https
51821 # wg
7878
53 # dnsmasq
];
allowedUDPPorts = [
53 #dnsmasq
];
allowedUDPPortRanges = [
{
from = 51820;
to = 51822; # wg
}
{
from = 49152;
to = 49999;
} # TURN relay
];
};
}; };
# users.users = {
# ombi.extraGroups = ["radarr" "sonarr" "aria2"];
# };
# services.ombi = {
# enable = true;
# port = 2368;
# };
# users.users = {
# radarr.extraGroups = ["aria2"];
# sonarr.extraGroups = ["aria2"];
# };
# services = {
# #uses port 7878
# radarr.enable = true;
# #uses port 8989
# sonarr.enable = true;
# prowlarr.enable = true;
# };
sops.secrets."webdav-secret" = {
mode = "0600";
path = "/etc/davfs2/secrets";
};
services.davfs2.enable = true;
systemd.mounts = [ systemd.mounts = [
{ {
enable = true; enable = true;
@ -168,34 +319,25 @@
type = "davfs"; type = "davfs";
} }
]; ];
users = {
users.aria2 = {
# #uses port 8096
# services.jellyfin.enable = true;
# users.groups.jellyfinmediaplayer = {};
# users.users.jellyfinmediaplayer.group = "jellyfinmediaplayer";
# users.users.jellyfin.extraGroups = ["jellyfinmediaplayer"];
# #uses port 8096 # # Add stremio kiosk on wayland :)
# services.jellyfin.enable = true; # users.extraUsers.jellyfinmediaplayer.isNormalUser = true;
# users.groups.jellyfinmediaplayer = {}; # services.cage.user = "jellyfinmediaplayer";
# users.users.jellyfinmediaplayer.group = "jellyfinmediaplayer"; # services.cage.program = "${pkgs.jellyfin-media-player}/bin/jellyfinmediaplayer";
# users.users.jellyfin.extraGroups = ["jellyfinmediaplayer"]; # services.cage.enable = true;
# services.cage.extraArguments = ["-f"];
# # Add stremio kiosk on wayland :) group = "aria2";
# users.extraUsers.jellyfinmediaplayer.isNormalUser = true; isSystemUser = true;
# services.cage.user = "jellyfinmediaplayer";
# services.cage.program = "${pkgs.jellyfin-media-player}/bin/jellyfinmediaplayer";
# services.cage.enable = true;
# services.cage.extraArguments = ["-f"];
users.users.aria2.group = "aria2";
users.groups.aria2 = {};
users.users.aria2.isSystemUser = true;
sops.secrets."rpcSecret".mode = "0440";
sops.secrets."rpcSecret".owner = config.users.users.aria2.name;
services.aria2 = {
enable = true;
settings = {
dir = "/var/lib/media";
rpc-listen-port = 6969;
}; };
rpcSecretFile = config.sops.secrets."rpcSecret".path; groups.aria2 = {};
}; };
environment.systemPackages = [ environment.systemPackages = [
@ -212,139 +354,6 @@
pkgs.iptables pkgs.iptables
]; ];
sops.secrets."protonvpn-priv-key".mode = "0440";
sops.secrets."protonvpn-priv-key".owner = config.users.users.root.name;
sops.secrets."wg-private-key".mode = "0440";
sops.secrets."wg-private-key".owner = config.users.users.root.name;
networking.wireguard.enable = true;
networking.wg-quick.interfaces = {
# # "wg0" is the network interface name. You can name the interface arbitrarily.
# wg0 = {
# autostart = true;
# # Determines the IP address and subnet of the server's end of the tunnel interface.
# address = ["10.2.0.2/32"];
# # The port that WireGuard listens to. Must be accessible by the client.
# listenPort = 51820;
# dns = ["10.2.0.1"];
# # Path to the private key file.
# #
# # Note: The private key can also be included inline via the privateKey option,
# # but this makes the private key world-readable; thus, using privateKeyFile is
# # recommended.
# privateKeyFile = config.sops.secrets."protonvpn-priv-key".path;
# peers = [
# # List of allowed peers.
# {
# # Feel free to give a meaning full name
# # Public key of the peer (not a file path).
# publicKey = "/i7jCNpcqVBUkY07gVlILN4nFdvZHmxvreAOgLGoZGg=";
# # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
# allowedIPs = ["0.0.0.0/0"];
# endpoint = "146.70.86.114:51820";
# }
# ];
# };
# wg public key for host: A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=
wg1 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51821;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
'';
# Undo the above
preDown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
'';
privateKeyFile = config.sops.secrets."wg-private-key".path;
peers = [
{
#GLaDOS public key
publicKey = "yieF2yQptaE3jStoaGytUnN+HLxyVhFBZIUOGUNAV38=";
allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
}
{
#EDI public key
publicKey = "i4nDZbU+a2k5C20tFJRNPVE1vhYKJwhoqGHEdeC4704=";
allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
}
{
#Shodan public key
publicKey = "Zah2nZDaHF8jpP5AtMA5bhE7t38fMB2UHzbXAc96/jw=";
allowedIPs = ["10.0.0.4/32" "fdc9:281f:04d7:9ee9::3/128"];
}
{
#ADA public key
publicKey = "SHu7xxRVWuqp4U4uipMoITKrFPWZATGsJevUeqBSzWo=";
allowedIPs = ["10.0.0.5/32" "fdc9:281f:04d7:9ee9::3/128"];
}
];
};
};
services.dnsmasq = {
enable = true;
settings = {
interface = "wg1";
};
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
# enable NAT
networking.nat.enable = true;
networking.nat.externalInterface = "end0";
networking.nat.internalInterfaces = ["wg1"];
networking.firewall = {
enable = true;
allowPing = false;
allowedTCPPorts = [
22 # SSH
5349 # STUN tls
5350 # STUN tls alt
80 # http
443 # https
51821 # wg
7878
53 # dnsmasq
];
allowedUDPPorts = [
53 #dnsmasq
];
allowedUDPPortRanges = [
{
from = 51820;
to = 51822; # wg
}
{
from = 49152;
to = 49999;
} # TURN relay
];
};
system.stateVersion = "25.05"; system.stateVersion = "25.05";
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
} }