big refactor of a lot of files

This commit is contained in:
Lillian Violet 2024-12-22 22:48:13 +01:00
parent 7ee9d954ce
commit 6c64a962f4
12 changed files with 875 additions and 893 deletions

151
flake.nix
View file

@ -120,6 +120,29 @@
allowUnfreePredicate = _: true;
};
};
sharedModules = [
{_module.args = {inherit pkgs-edge;};}
sops-nix.nixosModules.sops
disko.nixosModules.disko
home-manager.nixosModules.home-manager
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
nix-index-database.nixosModules.nix-index
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
];
}
];
desktopModules = [
{
home-manager.sharedModules = [
inputs.plasma-manager.homeManagerModules.plasma-manager
];
}
];
in {
# Your custom packages
# Accessible through 'nix build', 'nix shell', etc
@ -148,152 +171,64 @@
EDI = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs outputs;};
modules = [
{_module.args = {inherit pkgs-edge;};}
modules =
sharedModules
++ desktopModules
++ [
nixos-hardware.nixosModules.dell-xps-13-7390
lanzaboote.nixosModules.lanzaboote
# > Our main nixos configuration file <
./nixos/hosts/EDI/configuration.nix
sops-nix.nixosModules.sops
lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko
home-manager.nixosModules.home-manager
nix-index-database.nixosModules.nix-index
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
inputs.plasma-manager.homeManagerModules.plasma-manager
];
}
];
};
GLaDOS = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs outputs;};
modules = [
{_module.args = {inherit pkgs-edge;};}
modules =
sharedModules
++ desktopModules
++ [
# > Our main nixos configuration file <
./nixos/hosts/GLaDOS/configuration.nix
sops-nix.nixosModules.sops
#lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko
home-manager.nixosModules.home-manager
nix-index-database.nixosModules.nix-index
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
inputs.plasma-manager.homeManagerModules.plasma-manager
];
}
];
};
queen = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs outputs;};
modules = [
{_module.args = {inherit pkgs-edge;};}
modules =
sharedModules
++ [
simple-nixos-mailserver.nixosModule
# > Our main nixos configuration file <
./nixos/hosts/queen/configuration.nix
sops-nix.nixosModules.sops
disko.nixosModules.disko
simple-nixos-mailserver.nixosModule
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
];
}
];
};
shodan = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs outputs;};
modules = [
{_module.args = {inherit pkgs-edge;};}
modules =
sharedModules
++ desktopModules
++ [
# > Our main nixos configuration file <
./nixos/hosts/shodan/configuration.nix
sops-nix.nixosModules.sops
lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko
jovian.nixosModules.jovian
home-manager.nixosModules.home-manager
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
inputs.plasma-manager.homeManagerModules.plasma-manager
];
}
];
};
wheatley = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = {inherit inputs outputs;};
modules = [
modules =
sharedModules
++ [
./nixos/hosts/wheatley/configuration.nix
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
nixos-hardware.nixosModules.raspberry-pi-4
nix-index-database.nixosModules.nix-index
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
];
}
];
};
# ISO = nixpkgs.lib.nixosSystem {
# system = "x86_64-linux";
# specialArgs = {inherit inputs outputs;};
# modules = [
# {_module.args = {inherit pkgs-edge;};}
# "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix"
# "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
# ./nixos/hosts/iso/configuration.nix
# sops-nix.nixosModules.sops
# home-manager.nixosModules.home-manager
# nix-index-database.nixosModules.nix-index
# catppuccin.nixosModules.catppuccin
# {
# home-manager.sharedModules = [
# inputs.plasma-manager.homeManagerModules.plasma-manager
# inputs.catppuccin.homeManagerModules.catppuccin
# ];
# }
# ];
# };
# iso_server = nixpkgs.lib.nixosSystem {
# system = "x86_64-linux";
# specialArgs = {inherit inputs outputs;};
# modules = [
# {_module.args = {inherit pkgs-edge;};}
# "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
# "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
# ./nixos/hosts/iso_server/configuration.nix
# sops-nix.nixosModules.sops
# home-manager.nixosModules.home-manager
# nix-index-database.nixosModules.nix-index
# catppuccin.nixosModules.catppuccin
# {
# home-manager.sharedModules = [
# inputs.catppuccin.homeManagerModules.catppuccin
# ];
# }
# ];
# };
};
};
}

View file

@ -15,7 +15,6 @@
./package-configs/foot
];
nixpkgs = {
config.permittedInsecurePackages = ["cinny-4.2.3" "cinny-unwrapped-4.2.3" "cinny-4.2.2" "cinny-unwrapped-4.2.2"];
# You can add overlays here
overlays = [
# You can also add overlays exported from other flakes:
@ -54,8 +53,10 @@
});
})
];
# Configure your nixpkgs instance
config = {
permittedInsecurePackages = ["cinny-4.2.3" "cinny-unwrapped-4.2.3" "cinny-4.2.2" "cinny-unwrapped-4.2.2"];
# Configure your nixpkgs instance
# Disable if you don't want unfree packages
allowUnfree = true;
};
@ -132,8 +133,8 @@
firefoxpwa
ungoogled-chromium
];
# programs.vscode = {
programs = {
# vscode = {
# enable = true;
# package = pkgs.vscodium;
# extensions = with pkgs.vscode-extensions; [
@ -153,18 +154,16 @@
# ];
# };
programs.obs-studio = {
enable = true;
plugins = with pkgs.obs-studio-plugins; [
obs-studio.enable = true;
obs-studio.plugins = with pkgs.obs-studio-plugins; [
wlrobs
obs-backgroundremoval
obs-pipewire-audio-capture
];
};
# Enable home-manager and git
programs.home-manager.enable = true;
programs.git = {
home-manager.enable = true;
git = {
enable = true;
userEmail = "git@lillianviolet.dev";
userName = "Lillian-Violet";
@ -182,8 +181,8 @@
];
};
programs.gpg.enable = true;
programs.gpg.settings = {
gpg.enable = true;
gpg.settings = {
default-key = "0d43 5407 034c 2ad9 2d42 799d 280e 061d ff60 0f0d";
default-recipient-self = true;
auto-key-locate = "local,wkd,keyserver";
@ -193,10 +192,10 @@
keyserver-options = "honor-keyserver-url";
no-autostart = true;
};
services.kdeconnect = {
package = pkgs.kdePackages.kdeconnect-kde;
enable = true;
};
services = {
kdeconnect.package = pkgs.kdePackages.kdeconnect-kde;
kdeconnect.enable = true;
};
# Nicely reload system units when changing configs

View file

@ -84,7 +84,7 @@
firefox
ungoogled-chromium
];
programs = {
# # Automount services for user
# programs.bashmount.enable = true;
# services.udiskie = {
@ -95,12 +95,13 @@
# };
# Enable home-manager and git
programs.home-manager.enable = true;
programs.git = {
home-manager.enable = true;
git = {
enable = true;
userEmail = "git@lillianviolet.dev";
userName = "Lillian-Violet";
};
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "24.11";

View file

@ -32,13 +32,15 @@
navi
nil
];
programs.navi.enable = true;
programs.yazi = {
programs = {
navi.enable = true;
yazi = {
enable = true;
package = pkgs.yazi.override {
_7zz = pkgs._7zz.override {useUasm = true;};
};
};
};
stylix.enable = true;
# stylix = {
# enable = true;

View file

@ -206,14 +206,12 @@ in {
};
};
};
home.file = {
"layout" = {
source = "${layout}";
target = ".config/zellij/layouts/default.kdl";
};
};
home.file = {
"helix_zellij" = {
source = "${helix_zellij}";
target = ".config/zellij/layouts/helix.kdl";

View file

@ -1,9 +1,9 @@
{pkgs, ...}: {
programs.zoxide = {
programs = {
zoxide = {
enable = true;
};
programs.zsh = {
zsh = {
enable = true;
shellAliases = {
cd = "z";
@ -67,4 +67,5 @@
zhx() { command zellij action new-tab --layout $HOME/.config/zellij/layouts/helix.kdl; }
'';
};
};
}

View file

@ -29,11 +29,6 @@
};
};
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
programs.command-not-found.enable = lib.mkForce false;
programs.nix-index.enable = true;
programs.nix-index-database.comma.enable = true;
environment.systemPackages =
(with pkgs; [
# Custom tools
@ -98,61 +93,63 @@
# list of latest packages from nixpkgs master
# Can be used to install latest version of some packages
]);
programs = {
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
command-not-found.enable = lib.mkForce false;
nix-index.enable = true;
nix-index-database.comma.enable = true;
programs.direnv = {
direnv = {
enable = true;
};
# Enable networking
networking.networkmanager.enable = true;
programs.steam = {
steam = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
extest.enable = true;
};
hardware.graphics.enable32Bit = true; # Enables support for 32bit libs that steam uses
kdeconnect.enable = true;
noisetorch = {
enable = true;
};
};
# Enable networking
networking.networkmanager.enable = true; # Enables support for 32bit libs that steam uses
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
services = {
# Enable the X11 windowing system.
services.xserver.enable = true;
xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
services.displayManager.sddm = {
displayManager.sddm = {
enable = true;
wayland.enable = true;
};
services.displayManager.defaultSession = "plasma";
services.desktopManager.plasma6.enable = true;
programs.kdeconnect.enable = true;
displayManager.defaultSession = "plasma";
desktopManager.plasma6.enable = true;
# Enable flatpak support
services.flatpak.enable = true;
services.packagekit.enable = true;
flatpak.enable = true;
packagekit.enable = true;
# Configure keymap in X11
services.xserver.xkb = {
xserver.xkb = {
layout = "us";
variant = "";
options = "terminate:ctrl_alt_bksp,compose:caps_toggle";
};
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable bluetooth hardware
hardware.bluetooth.enable = true;
printing.enable = true;
# Enable fwupd daemon and user space client
services.fwupd.enable = true;
# Enable sound with pipewire.
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
fwupd.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
@ -161,16 +158,7 @@
wireplumber.enable = true;
};
programs.noisetorch = {
enable = true;
};
virtualisation.podman = {
enable = true;
dockerCompat = true;
};
services.avahi = {
avahi = {
nssmdns4 = true;
enable = true;
ipv4 = true;
@ -181,30 +169,49 @@
workstation = true;
};
};
};
hardware = {
graphics.enable32Bit = true;
security.tpm2.enable = true;
security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices
# Enable bluetooth hardware
bluetooth.enable = true;
# Enable sound with pipewire.
pulseaudio.enable = false;
};
security.rtkit.enable = true;
virtualisation.podman = {
enable = true;
dockerCompat = true;
};
security.tpm2 = {
enable = true;
pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
tctiEnvironment.enable = true;
}; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
users.users.lillian.extraGroups = ["tss"];
boot = {
# tss group has access to TPM devices
# FIXME: re-enable virtual camera loopback when it build again.
boot.bootspec.enable = true;
bootspec.enable = true;
#boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
#boot.supportedFilesystems = ["bcachefs"];
boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
boot.kernelModules = [
extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
kernelModules = [
# Virtual Camera
"v4l2loopback"
# Virtual Microphone, built-in
"snd-aloop"
];
# Set initial kernel module settings
boot.extraModprobeConfig = ''
extraModprobeConfig = ''
# exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming
# card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams
# https://github.com/umlaeute/v4l2loopback
options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
'';
boot.loader.systemd-boot.configurationLimit = 3;
boot.loader.efi.canTouchEfiVariables = true;
loader.systemd-boot.configurationLimit = 3;
loader.efi.canTouchEfiVariables = true;
};
}

View file

@ -29,8 +29,12 @@
# Import your generated (nixos-generate-config) hardware configuration
./hardware-configuration.nix
];
sops = {
defaultSopsFile = ./secrets/sops.yaml;
sops.defaultSopsFile = ./secrets/sops.yaml;
secrets."wg-private-key".mode = "0440";
secrets."wg-private-key".owner = config.users.users.root.name;
};
home-manager = {
extraSpecialArgs = {inherit inputs outputs;};
@ -42,15 +46,12 @@
environment.systemPackages = with pkgs; [
];
networking = {
hostName = "EDI";
networking.hostName = "EDI";
wireguard.enable = true;
sops.secrets."wg-private-key".mode = "0440";
sops.secrets."wg-private-key".owner = config.users.users.root.name;
networking.wireguard.enable = true;
networking.wg-quick.interfaces = {
wg-quick.interfaces = {
wg0 = {
autostart = true;
address = ["10.0.0.3/24" "fdc9:281f:04d7:9ee9::3/64"];
@ -67,18 +68,20 @@
];
};
};
};
boot = {
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.initrd.systemd.enable = true;
loader.systemd-boot.enable = lib.mkForce false;
initrd.systemd.enable = true;
boot.lanzaboote = {
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.11";

View file

@ -28,26 +28,36 @@
# Import your generated (nixos-generate-config) hardware configuration
./hardware-configuration.nix
];
sops = {
defaultSopsFile = ./secrets/sops.yaml;
sops.defaultSopsFile = ./secrets/sops.yaml;
secrets."wg-private-key".mode = "0440";
secrets."wg-private-key".owner = config.users.users.root.name;
secrets."ssh-private-key" = {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.ssh/id_ed25519";
};
};
environment.systemPackages = with pkgs; [
];
services.xserver.videoDrivers = ["amdgpu"];
hardware = {
# Add vulkan support to GPU
hardware.graphics.extraPackages = with pkgs; [
graphics.extraPackages = with pkgs; [
amdvlk
];
# For 32 bit applications
hardware.graphics.extraPackages32 = with pkgs; [
graphics.extraPackages32 = with pkgs; [
driversi686Linux.amdvlk
];
programs.gamemode = {
enable = true;
settings = {
};
programs = {
gamemode.enable = true;
gamemode.settings = {
general = {
renice = 10;
};
@ -65,9 +75,10 @@
};
};
};
boot.loader.systemd-boot.enable = true;
boot.binfmt.emulatedSystems = ["aarch64-linux"];
boot = {
loader.systemd-boot.enable = true;
binfmt.emulatedSystems = ["aarch64-linux"];
};
# boot.lanzaboote = {
# enable = true;
@ -83,22 +94,13 @@
lillian = import ../../../home-manager/hosts/GLaDOS;
};
};
networking = {
# virtualisation.waydroid.enable = false;
networking.hostName = "GLaDOS";
hostName = "GLaDOS";
sops.secrets."wg-private-key".mode = "0440";
sops.secrets."wg-private-key".owner = config.users.users.root.name;
wireguard.enable = true;
sops.secrets."ssh-private-key" = {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.ssh/id_ed25519";
};
networking.wireguard.enable = true;
networking.wg-quick.interfaces = {
wg-quick.interfaces = {
wg0 = {
autostart = true;
address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"];
@ -115,6 +117,7 @@
];
};
};
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.11";

View file

@ -26,16 +26,17 @@
# Import disko
# ../../../disko/queen
];
boot.tmp.cleanOnBoot = true;
zramSwap.enable = false;
networking.domain = "";
services.openssh = {
services = {
openssh = {
enable = true;
settings = {
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
};
};
};
nixpkgs = {
@ -88,6 +89,8 @@
sqlite
rocksdb
];
networking = {
domain = "";
# Create an auto-update systemd service that runs every day
# system.autoUpgrade = {
@ -102,8 +105,8 @@
# networking.nat.enable = true;
# networking.nat.internalInterfaces = ["ve-+"];
# networking.nat.externalInterface = "ens18";
networking.enableIPv6 = lib.mkForce true;
networking.nameservers = ["2a02:c207::1:53" "2a02:c207::2:53"];
enableIPv6 = lib.mkForce true;
nameservers = ["2a02:c207::1:53" "2a02:c207::2:53"];
# networking.interfaces.ens18.ipv4.addresses = [
# {
@ -112,19 +115,19 @@
# }
# ];
networking.interfaces.ens18.ipv6.addresses = [
interfaces.ens18.ipv6.addresses = [
{
address = "2a02:c207:2063:2448::1";
prefixLength = 64;
}
];
networking.defaultGateway6 = {
defaultGateway6 = {
address = "fe80::1";
interface = "ens18";
};
firewall = {
# Open ports in the firewall.
networking.firewall = {
enable = true;
allowPing = false;
allowedTCPPorts = [
@ -142,6 +145,9 @@
];
};
hostName = "queen";
};
# networking.useNetworkd = true;
# networking.useDHCP = false;
@ -179,12 +185,14 @@
lillian = import ../../../home-manager/hosts/queen;
};
};
networking.hostName = "queen";
boot.loader.grub.enable = true;
boot.loader.grub.configurationLimit = 3;
boot.loader.efi.canTouchEfiVariables = true;
boot = {
tmp.cleanOnBoot = true;
loader.grub = {
enable = true;
configurationLimit = 3;
};
loader.efi.canTouchEfiVariables = true;
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.11";

View file

@ -27,11 +27,117 @@
./auto-mount.nix
];
boot = {
tmp.cleanOnBoot = true;
loader = {
# TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
# tss group has access to TPM devices
boot.tmp.cleanOnBoot = true;
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
systemd-boot.enable = lib.mkForce false;
systemd-boot.configurationLimit = 3;
timeout = 0;
efi.canTouchEfiVariables = true;
};
initrd.systemd.enable = true;
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
consoleLogLevel = 0;
kernelParams = ["quiet" "udev.log_priority=0" "fbcon=vc:2-6" "console=tty0"];
plymouth.enable = true;
};
zramSwap.enable = false;
networking.domain = "";
services.openssh.enable = true;
networking = {
domain = "";
# Enable networking
networkmanager.enable = true;
firewall.enable = true;
firewall.allowedTCPPorts = [22];
hostName = "shodan";
wireguard.enable = true;
wg-quick.interfaces = {
wg0 = {
autostart = true;
address = ["10.0.0.4/24" "fdc9:281f:04d7:9ee9::4/64"];
dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
listenPort = 51821;
privateKeyFile = config.sops.secrets."wg-private-key".path;
peers = [
{
publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
endpoint = "84.87.146.85:51821";
allowedIPs = ["0.0.0.0/0" "::/0"];
persistentKeepalive = 25;
}
];
};
};
};
services = {
openssh.enable = true; # Enables support for 32bit libs that steam uses
# Enable the X11 windowing system.
xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
desktopManager.plasma6.enable = true;
avahi = {
nssmdns4 = true;
enable = true;
ipv4 = true;
ipv6 = true;
publish = {
enable = true;
addresses = true;
workstation = true;
};
};
displayManager = {
defaultSession = "plasma";
sddm.wayland.enable = lib.mkForce true;
sddm.settings = {
Autologin = {
Session = "plasma.desktop";
User = "lillian";
};
};
};
# Enable flatpak support
flatpak.enable = true;
packagekit.enable = true;
# Configure keymap in X11
xserver = {
xkb.layout = "us";
xkb.variant = "";
};
# Enable CUPS to print documents.
printing.enable = true;
# Enable fwupd daemon and user space client
fwupd.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
};
nixpkgs = {
# You can add overlays here
@ -43,9 +149,13 @@
allowUnfree = true;
};
};
sops = {
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
sops.defaultSopsFile = ./secrets/sops.yaml;
defaultSopsFile = ./secrets/sops.yaml;
secrets."wg-private-key".mode = "0440";
secrets."wg-private-key".owner = config.users.users.root.name;
};
environment.systemPackages = with pkgs; [
# Custom tools
@ -109,60 +219,24 @@
enableGyroDsuService = true;
};
};
programs.steam = lib.mkForce {
programs = {
steam = lib.mkForce {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
extest.enable = true;
};
hardware.graphics.enable32Bit = true; # Enables support for 32bit libs that steam uses
kdeconnect.enable = true;
# Enable the X11 windowing system.
services.xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
services.desktopManager.plasma6.enable = true;
programs.kdeconnect.enable = true;
services.avahi = {
nssmdns4 = true;
noisetorch = {
enable = true;
ipv4 = true;
ipv6 = true;
publish = {
};
git = {
enable = true;
addresses = true;
workstation = true;
};
};
services.displayManager.defaultSession = "plasma";
services.displayManager.sddm.wayland.enable = lib.mkForce true;
services.displayManager.sddm.settings = {
Autologin = {
Session = "plasma.desktop";
User = "lillian";
};
};
# Enable flatpak support
services.flatpak.enable = true;
services.packagekit.enable = true;
# Configure keymap in X11
services.xserver = {
xkb.layout = "us";
xkb.variant = "";
};
# Enable networking
networking.networkmanager.enable = true;
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [22];
# # Enable automounting of removable media
# services.udisks2.enable = true;
# services.devmon.enable = true;
@ -171,32 +245,14 @@
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# Enable CUPS to print documents.
services.printing.enable = true;
hardware = {
graphics.enable32Bit = true;
# Enable bluetooth hardware
hardware.bluetooth.enable = true;
# Enable fwupd daemon and user space client
services.fwupd.enable = true;
bluetooth.enable = true;
# Enable sound with pipewire.
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
programs.noisetorch = {
enable = true;
};
programs.git = {
enable = true;
pulseaudio.enable = false;
};
users.users.lillian.extraGroups = ["decky" "tss" "input"];
@ -211,54 +267,14 @@
lillian = import ../../../home-manager/hosts/shodan;
};
};
networking.hostName = "shodan";
sops.secrets."wg-private-key".mode = "0440";
sops.secrets."wg-private-key".owner = config.users.users.root.name;
networking.wireguard.enable = true;
networking.wg-quick.interfaces = {
wg0 = {
autostart = true;
address = ["10.0.0.4/24" "fdc9:281f:04d7:9ee9::4/64"];
dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
listenPort = 51821;
privateKeyFile = config.sops.secrets."wg-private-key".path;
peers = [
{
publicKey = "A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=";
endpoint = "84.87.146.85:51821";
allowedIPs = ["0.0.0.0/0" "::/0"];
persistentKeepalive = 25;
}
];
};
};
security.tpm2.enable = true;
security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
# tss group has access to TPM devices
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.initrd.systemd.enable = true;
boot.lanzaboote = {
security = {
rtkit.enable = true;
tpm2 = {
enable = true;
pkiBundle = "/etc/secureboot";
pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
tctiEnvironment.enable = true;
};
};
boot.loader.systemd-boot.configurationLimit = 3;
boot.loader.timeout = 0;
boot.loader.efi.canTouchEfiVariables = true;
boot.consoleLogLevel = 0;
boot.kernelParams = ["quiet" "udev.log_priority=0" "fbcon=vc:2-6" "console=tty0"];
boot.plymouth.enable = true;
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.11";

View file

@ -23,54 +23,16 @@
super.makeModulesClosure (x // {allowMissing = true;});
})
];
programs = {
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
programs.command-not-found.enable = lib.mkForce false;
programs.nix-index.enable = true;
programs.nix-index-database.comma.enable = true;
services.automatic-timezoned.enable = true;
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
sops.defaultSopsFile = ./secrets/sops.yaml;
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
boot.initrd.kernelModules = ["vc4" "bcm2835_dma" "i2c_bcm2835" "cma=256M" "console=tty0"];
sdImage.compressImage = false;
home-manager = {
extraSpecialArgs = {inherit inputs outputs;};
users = {
# Import your home-manager configuration
lillian = import ../../../home-manager/hosts/wheatley;
};
command-not-found.enable = lib.mkForce false;
nix-index.enable = true;
nix-index-database.comma.enable = true;
};
services = {
automatic-timezoned.enable = true;
networking.hostName = "wheatley";
networking.networkmanager.enable = true;
# Disable NetworkManager's internal DNS resolution
networking.networkmanager.dns = "none";
# These options are unnecessary when managing DNS ourselves
networking.useDHCP = false;
networking.dhcpcd.enable = false;
# Configure DNS servers manually (this example uses Cloudflare and Google DNS)
# IPv6 DNS servers can be used here as well.
networking.nameservers = [
# "127.0.0.1"
# "::1"
"94.140.14.49"
"94.140.14.59"
"2a10:50c0:0:0:0:0:ded:ff"
"2a10:50c0:0:0:0:0:ded:ff"
];
# services.stubby = {
# stubby = {
# enable = true;
# settings =
# pkgs.stubby.passthru.settingsExample
@ -120,7 +82,7 @@
# };
# };
services.openssh = {
openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
@ -128,6 +90,28 @@
settings.PermitRootLogin = "no";
};
davfs2.enable = true;
aria2 = {
enable = true;
settings = {
dir = "/var/lib/media";
rpc-listen-port = 6969;
};
rpcSecretFile = config.sops.secrets."rpcSecret".path;
};
dnsmasq = {
enable = true;
settings = {
interface = "wg1";
};
};
};
sops = {
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
defaultSopsFile = ./secrets/sops.yaml;
# users.users = {
# ombi.extraGroups = ["radarr" "sonarr" "aria2"];
# };
@ -149,77 +133,65 @@
# prowlarr.enable = true;
# };
sops.secrets."webdav-secret" = {
secrets."webdav-secret" = {
mode = "0600";
path = "/etc/davfs2/secrets";
};
services.davfs2.enable = true;
systemd.mounts = [
{
enable = true;
description = "Webdav mount point";
after = ["network-online.target"];
wants = ["network-online.target"];
secrets."rpcSecret".mode = "0440";
secrets."rpcSecret".owner = config.users.users.aria2.name;
what = "https://nextcloud.gladtherescake.eu/remote.php/dav/files/GLaDTheresCake";
where = "/home/jellyfinmediaplayer/nextcloud";
options = "uid=1003,gid=100,file_mode=0664,dir_mode=2775";
type = "davfs";
}
];
# #uses port 8096
# services.jellyfin.enable = true;
# users.groups.jellyfinmediaplayer = {};
# users.users.jellyfinmediaplayer.group = "jellyfinmediaplayer";
# users.users.jellyfin.extraGroups = ["jellyfinmediaplayer"];
# # Add stremio kiosk on wayland :)
# users.extraUsers.jellyfinmediaplayer.isNormalUser = true;
# services.cage.user = "jellyfinmediaplayer";
# services.cage.program = "${pkgs.jellyfin-media-player}/bin/jellyfinmediaplayer";
# services.cage.enable = true;
# services.cage.extraArguments = ["-f"];
users.users.aria2.group = "aria2";
users.groups.aria2 = {};
users.users.aria2.isSystemUser = true;
sops.secrets."rpcSecret".mode = "0440";
sops.secrets."rpcSecret".owner = config.users.users.aria2.name;
services.aria2 = {
enable = true;
settings = {
dir = "/var/lib/media";
rpc-listen-port = 6969;
secrets."protonvpn-priv-key".mode = "0440";
secrets."protonvpn-priv-key".owner = config.users.users.root.name;
secrets."wg-private-key".mode = "0440";
secrets."wg-private-key".owner = config.users.users.root.name;
};
boot = {
kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
initrd.kernelModules = ["vc4" "bcm2835_dma" "i2c_bcm2835" "cma=256M" "console=tty0"];
kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
rpcSecretFile = config.sops.secrets."rpcSecret".path;
};
environment.systemPackages = [
# (pkgs.kodi.withPackages (kodiPkgs:
# with kodiPkgs; [
# steam-controller
# invidious
# netflix
# upnext
# sponsorblock
# sendtokodi
# jellyfin
# ]))
pkgs.iptables
sdImage.compressImage = false;
home-manager = {
extraSpecialArgs = {inherit inputs outputs;};
users = {
# Import your home-manager configuration
lillian = import ../../../home-manager/hosts/wheatley;
};
};
networking = {
hostName = "wheatley";
networkmanager.enable = true;
# Disable NetworkManager's internal DNS resolution
networkmanager.dns = "none";
# These options are unnecessary when managing DNS ourselves
useDHCP = false;
dhcpcd.enable = false;
# Configure DNS servers manually (this example uses Cloudflare and Google DNS)
# IPv6 DNS servers can be used here as well.
nameservers = [
# "127.0.0.1"
# "::1"
"94.140.14.49"
"94.140.14.59"
"2a10:50c0:0:0:0:0:ded:ff"
"2a10:50c0:0:0:0:0:ded:ff"
];
sops.secrets."protonvpn-priv-key".mode = "0440";
sops.secrets."protonvpn-priv-key".owner = config.users.users.root.name;
sops.secrets."wg-private-key".mode = "0440";
sops.secrets."wg-private-key".owner = config.users.users.root.name;
wireguard.enable = true;
networking.wireguard.enable = true;
networking.wg-quick.interfaces = {
wg-quick.interfaces = {
# # "wg0" is the network interface name. You can name the interface arbitrarily.
# wg0 = {
# autostart = true;
@ -300,24 +272,13 @@
];
};
};
services.dnsmasq = {
enable = true;
settings = {
interface = "wg1";
};
};
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
nat = {
# enable NAT
networking.nat.enable = true;
networking.nat.externalInterface = "end0";
networking.nat.internalInterfaces = ["wg1"];
networking.firewall = {
enable = true;
externalInterface = "end0";
internalInterfaces = ["wg1"];
};
firewall = {
enable = true;
allowPing = false;
allowedTCPPorts = [
@ -344,6 +305,54 @@
} # TURN relay
];
};
};
systemd.mounts = [
{
enable = true;
description = "Webdav mount point";
after = ["network-online.target"];
wants = ["network-online.target"];
what = "https://nextcloud.gladtherescake.eu/remote.php/dav/files/GLaDTheresCake";
where = "/home/jellyfinmediaplayer/nextcloud";
options = "uid=1003,gid=100,file_mode=0664,dir_mode=2775";
type = "davfs";
}
];
users = {
users.aria2 = {
# #uses port 8096
# services.jellyfin.enable = true;
# users.groups.jellyfinmediaplayer = {};
# users.users.jellyfinmediaplayer.group = "jellyfinmediaplayer";
# users.users.jellyfin.extraGroups = ["jellyfinmediaplayer"];
# # Add stremio kiosk on wayland :)
# users.extraUsers.jellyfinmediaplayer.isNormalUser = true;
# services.cage.user = "jellyfinmediaplayer";
# services.cage.program = "${pkgs.jellyfin-media-player}/bin/jellyfinmediaplayer";
# services.cage.enable = true;
# services.cage.extraArguments = ["-f"];
group = "aria2";
isSystemUser = true;
};
groups.aria2 = {};
};
environment.systemPackages = [
# (pkgs.kodi.withPackages (kodiPkgs:
# with kodiPkgs; [
# steam-controller
# invidious
# netflix
# upnext
# sponsorblock
# sendtokodi
# jellyfin
# ]))
pkgs.iptables
];
system.stateVersion = "25.05";
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";