Lillian-Violet/NixOS-Config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: Lillian-Violet:main
Branches Tags
Lillian-Violet:main
Lillian-Violet:stylix-fixed
Lillian-Violet:Desktop-changes
Lillian-Violet:bcachefs-update-broken-queen
Lillian-Violet:fcast
Lillian-Violet:2.0
Lillian-Violet:v1.0
..
compare: Lillian-Violet:Desktop-changes
Branches Tags
Lillian-Violet:main
Lillian-Violet:stylix-fixed
Lillian-Violet:Desktop-changes
Lillian-Violet:bcachefs-update-broken-queen
Lillian-Violet:fcast
Lillian-Violet:2.0
Lillian-Violet:v1.0

No commits in common. "main" and "Desktop-changes" have entirely different histories.
main ... Desktop-ch

128 changed files with 3733 additions and 7251 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.envrc Normal file
View file

@ -0,0 +1 @@
use flake "git+https://git.lillianviolet.dev/Lillian-Violet/dev-templates.git?dir=nix"

21
README.md
View file

@ -18,11 +18,11 @@ if you don't want to use [sops](https://github.com/Mic92/sops-nix) secret manage
Upon any of the above changes; also remove/replace the secret files, they can be found under the host configuration folders in
``hosts/<hostname>/secrets/sops.yaml``
For the hosts EDI and GLaDOS, [lanzaboote](https://github.com/nix-community/lanzaboote) has to be disabled (and re-enabled if you want secure boot after install). You can first replace enabling lanzaboot with systemd-boot. You can do this by commenting out the lanzaboote configuration, and replace the line
For the hosts EDI and GLaDOS, [lanzaboot](https://github.com/nix-community/lanzaboote) has to be disabled (and re-enabled if you want secure boot after install). You can first replace enabling lanzaboot with systemd-boot. You can do this by commenting out the lanzaboot configuration, and replace the line
``boot.loader.systemd-boot.enable = lib.mkForce false;`` with ``boot.loader.systemd-boot.enable = true``
To turn secure boot back on again you can look at the [lanzaboote](https://github.com/nix-community/lanzaboote) repository and follow the install steps.
To turn secure boot back on again you can look at the [lanzaboot](https://github.com/nix-community/lanzaboote) repository and follow the install steps.
Then run this command with your cloned github repo (I put mine in /etc/nixos):
@ -46,22 +46,8 @@ To test if your build succeeds the basic checks and can start building the artif
Note: this does not build the full configuration, and errors might still happen in deployment, especially for dependencies that rely on external services like webservers to be called. For obvious reasons the test building does not actually pull in all the artifacts, and does not make external calls aside from to the package files (You will need a built nix store, or a connection to the git repository that hosts your packages, like an internet connection to github, to make the test run)
## Post installation
I have made a few commands for post installation (and for an iso installer to use) that make life a bit easier, they are automatically added to the [$PATH](https://en.wikipedia.org/wiki/PATH_(variable)). The commands will automatically inhibit sleep and standby so you don't have to worry about them getting interrupted.
| Command | Effect |
| ------------- | ------------- |
| rebuild | Use the latest version of the repo and do a nixos-rebuild switch on it to upgrade your system. |
| update | Update the flake lock in the repo, run a test to see if nothing breaks, and then push the flake lock update done to the repo. |
| upgrade | Run update and rebuild one after the other, useful for a quick upgrade. |
| install | Run a script that automatically lets you select a host to format the disks with disko, install nixos on that disk, and deploy the entire configuration. (useful for instal USBs) |
## Technical details
### Project structure
The project is set up to
### [Home manager](https://github.com/nix-community/home-manager)
Home manager is imported as a module within the global configuration, it is therefor not needed to build home-manager packages separately in this configuration. On multi user systems it might be useful to pull the home-manager configurations from separate repos for different users, so you don't have to give your users access to the global configuration.
@ -71,6 +57,3 @@ The secrets are managed in sops files within the hosts folders, there is only on
``nix-shell -p sops --run "sops ./nixos/hosts/<hostname>/secrets/sops.yaml"``
This requires your system to have the keyfile available for sops to use, by default sops looks in the sops/age folder in your user folder for a keys.txt file with the private key. You can change this behaviour by setting the **\$SOPS_AGE_KEY_FILE** environment variable, or setting the **\$SOPS_AGE_KEY** environment variable to the key itself.
### [Just](https://github.com/casey/just)
This repo uses just as a command runner for setting up and building the nixos files more easily. The programs needed to run all the commands are nix, just, and nom (nix output monitor). The commands you can use can be found in the justfile (named justfile in the root of this repo). This is purely for convenience, it doesn't add anything you could not manually do, it just automates a lot of steps.

86
disko/GLaDOS/default.nix
View file

@ -1,9 +1,9 @@
{
disko.devices = {
disk = {
main = {
sda1 = {
type = "disk";
device = "/dev/disk/by-path/pci-0000:01:00.0-nvme-1";
device = "/dev/disk/by-path/pci-0000:06:00.0-ata-6";
content = {
type = "gpt";
partitions = {
@ -14,14 +14,16 @@
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["umask=0077"];
mountOptions = [
"defaults"
];
};
};
nvme_luks = {
luks = {
size = "100%";
content = {
type = "luks";
name = "nvme_crypted";
name = "crypted";
extraOpenArgs = [];
settings = {
# if you want to use the key for interactive login be sure there is no trailing newline
@ -29,48 +31,64 @@
#keyFile = "/tmp/secret.key";
allowDiscards = true;
};
#additionalKeyFiles = ["/tmp/additionalSecret.key"];
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = ["subvol=root" "compress=zstd:1" "noatime" "ssd" "discard=async" "space_cache=v2" "commit=120"];
};
"/home" = {
mountpoint = "/home";
mountOptions = ["subvol=home" "compress=zstd:1" "noatime" "ssd" "discard=async" "space_cache=v2" "commit=120" "autodefrag"];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = ["subvol=nix" "compress=zstd:1" "noatime" "ssd" "discard=async" "space_cache=v2" "commit=120" "nodatacow" "nodatasum"];
};
"/persist" = {
mountpoint = "/persistent";
mountOptions = ["subvol=persistent" "compress=zstd:1" "noatime" "ssd" "discard=async" "space_cache=v2" "commit=120"];
};
"/log" = {
mountpoint = "/var/log";
mountOptions = ["subvol=log" "compress=zstd:1" "noatime" "ssd" "discard=async" "space_cache=v2" "commit=120" "nodatacow" "nodatasum"];
};
"/swap" = {
mountpoint = "/swap";
swap.swapfile.size = "8G";
};
};
type = "lvm_pv";
vg = "pool";
};
};
};
};
};
};
#sdc = {
#device = "/dev/disk/by-path/pci-0000:06:00.0-ata-2";
#type = "disk";
#content = {
#type = "gpt";
#partitions = {
#root = {
#size = "100%";
#content = {
#type = "filesystem";
#format = "ext4";
#mountpoint = "/media";
#};
#};
#};
#};
#};
};
lvm_vg = {
pool = {
type = "lvm_vg";
lvs = {
swap = {
size = "16G";
content = {
type = "swap";
resumeDevice = true; # resume from hiberation from this device
};
};
root = {
size = "100%FREE";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = [
"defaults"
];
};
};
};
};
};
nodev = {
"/home/lillian/Downloads" = {
fsType = "tmpfs";
mountOptions = [
"size=4G"
"uid=1000"
];
};
};

47
disko/wheatley/default.nix
View file

@ -1,47 +0,0 @@
{
disko = {
devices = {
disk = {
disk1 = {
imageSize = "20G";
type = "disk";
device = "/dev/mmcblk0";
content = {
type = "gpt";
partitions = {
firmware = {
size = "30M";
priority = 1;
type = "0700";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/firmware";
};
};
boot = {
size = "1G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "filesystem";
extraArgs = [];
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
};
}

1347
flake.lock generated
View file

File diff suppressed because it is too large Load diff

238
flake.nix
View file

@ -13,11 +13,11 @@
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
# bcachefs-tools = {
# url = "github:koverstreet/bcachefs-tools";
# inputs.nixpkgs.follows = "nixpkgs";
# inputs.flake-parts.follows = "flake-parts";
# };
bcachefs-tools = {
url = "github:koverstreet/bcachefs-tools";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-parts.follows = "flake-parts";
};
flake-parts = {
url = "github:hercules-ci/flake-parts"; # Flake parts for easy flake management
@ -33,7 +33,11 @@
# catpuccin theme
catppuccin.url = "github:catppuccin/nix";
# Conduwuit fork after it shut down
# Conduit fork without all the fuss and drama
conduwuit = {
url = "github:girlbossceo/conduwuit";
inputs.nixpkgs.follows = "nixpkgs";
};
# Nix index database files
nix-index-database.url = "github:nix-community/nix-index-database";
@ -70,15 +74,10 @@
zjstatus.url = "github:dj95/zjstatus";
# preservation
preservation.url = "github:nix-community/preservation";
# Fix for steam cursor not being visible under wayland
# Add any other flake you might need
# hardware.url = "github:nixos/nixos-hardware";
# Stylix theming engine
stylix.url = "github:nix-community/stylix";
};
outputs = {
@ -98,22 +97,14 @@
jovian,
nixos-hardware,
nix-index-database,
preservation,
stylix,
conduwuit,
...
} @ inputs: let
supportedSystems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];
forEachSupportedSystem = f:
nixpkgs.lib.genAttrs supportedSystems (system:
f {
pkgs = import nixpkgs {inherit system;};
});
inherit (self) outputs;
inherit (inputs) nixpkgs-edge;
# Supported systems for your flake packages, shell, etc.
systems = [
"x86_64-linux"
"aarch64-linux"
];
# This is a function that generates an attribute by calling a function you
# pass to it, with each system as an argument
@ -125,42 +116,7 @@
allowUnfreePredicate = _: true;
};
};
sharedModules = [
./nixos/shared
sops-nix.nixosModules.sops
disko.nixosModules.disko
home-manager.nixosModules.home-manager
catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix
nix-index-database.nixosModules.nix-index
preservation.nixosModules.preservation
{programs.nix-index-database.comma.enable = true;}
{
home-manager.sharedModules = [
catppuccin.homeModules.catppuccin
./home-manager/shared
sops-nix.homeManagerModules.sops
];
}
];
desktopModules = [
./nixos/desktop
{
home-manager.sharedModules = [
inputs.plasma-manager.homeModules.plasma-manager
./home-manager/desktop
];
}
];
in {
devShells = forEachSupportedSystem ({pkgs}: {
default = pkgs.mkShell {
packages = with pkgs; [nom just git];
};
});
# Your custom packages
# Accessible through 'nix build', 'nix shell', etc
packages = forAllSystems (system:
@ -177,7 +133,7 @@
nixosModules = import ./modules/nixos;
# Reusable home-manager modules you might want to export
# These are usually stuff you would upstream into home-manager
# homeManagerModules = import ./modules/home-manager;
homeManagerModules = import ./modules/home-manager;
# Your custom packages and modifications, exported as overlays
overlays = import ./overlays {inherit inputs;};
@ -185,90 +141,132 @@
# NixOS configuration entrypoint
# Available through 'nixos-rebuild --flake .#your-hostname'
nixosConfigurations = {
# nixIso = nixpkgs.lib.nixosSystem {
# system = "x86_64-linux";
# specialArgs = {inherit inputs outputs;};
# modules =
# sharedModules
# ++ desktopModules
# ++ [
# ./nixos/hosts/iso/configuration.nix
# "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-base.nix"
# ];
# };
EDI = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs outputs;};
modules =
sharedModules
++ desktopModules
++ [
{_module.args = {inherit pkgs-edge;};}
nixos-hardware.nixosModules.dell-xps-13-7390
lanzaboote.nixosModules.lanzaboote
# > Our main nixos configuration file <
./nixos/hosts/EDI/configuration.nix
];
modules = [
{_module.args = {inherit pkgs-edge;};}
nixos-hardware.nixosModules.dell-xps-13-7390
# > Our main nixos configuration file <
./nixos/hosts/EDI/configuration.nix
sops-nix.nixosModules.sops
lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko
home-manager.nixosModules.home-manager
nix-index-database.nixosModules.nix-index
catppuccin.nixosModules.catppuccin
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
inputs.plasma-manager.homeManagerModules.plasma-manager
];
}
];
};
GLaDOS = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs outputs;};
modules =
sharedModules
++ desktopModules
++ [
{_module.args = {inherit pkgs-edge;};}
# > Our main nixos configuration file <
./nixos/hosts/GLaDOS/configuration.nix
lanzaboote.nixosModules.lanzaboote
];
modules = [
{_module.args = {inherit pkgs-edge;};}
# > Our main nixos configuration file <
./nixos/hosts/GLaDOS/configuration.nix
sops-nix.nixosModules.sops
#lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko
home-manager.nixosModules.home-manager
nix-index-database.nixosModules.nix-index
catppuccin.nixosModules.catppuccin
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
inputs.plasma-manager.homeManagerModules.plasma-manager
];
}
];
};
queen = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs outputs;};
modules =
sharedModules
++ [
{_module.args = {inherit pkgs-edge;};}
simple-nixos-mailserver.nixosModule
# > Our main nixos configuration file <
./nixos/hosts/queen/configuration.nix
];
modules = [
{_module.args = {inherit pkgs-edge;};}
# > Our main nixos configuration file <
./nixos/hosts/queen/configuration.nix
sops-nix.nixosModules.sops
disko.nixosModules.disko
simple-nixos-mailserver.nixosModule
catppuccin.nixosModules.catppuccin
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
];
}
];
};
shodan = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {inherit inputs outputs;};
modules =
sharedModules
++ desktopModules
++ [
{_module.args = {inherit pkgs-edge;};}
# > Our main nixos configuration file <
./nixos/hosts/shodan/configuration.nix
lanzaboote.nixosModules.lanzaboote
jovian.nixosModules.jovian
{
home-manager.sharedModules = [
inputs.plasma-manager.homeModules.plasma-manager
];
}
];
modules = [
{_module.args = {inherit pkgs-edge;};}
# > Our main nixos configuration file <
./nixos/hosts/shodan/configuration.nix
sops-nix.nixosModules.sops
lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko
jovian.nixosModules.jovian
home-manager.nixosModules.home-manager
catppuccin.nixosModules.catppuccin
{
home-manager.sharedModules = [
inputs.catppuccin.homeManagerModules.catppuccin
inputs.plasma-manager.homeManagerModules.plasma-manager
];
}
];
};
wheatley = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = {inherit inputs outputs;};
modules =
sharedModules
++ [
{_module.args = {inherit pkgs-edge;};}
./nixos/hosts/wheatley/configuration.nix
];
};
# ISO = nixpkgs.lib.nixosSystem {
# system = "x86_64-linux";
# specialArgs = {inherit inputs outputs;};
# modules = [
# {_module.args = {inherit pkgs-edge;};}
# "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix"
# "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
# ./nixos/hosts/iso/configuration.nix
# sops-nix.nixosModules.sops
# home-manager.nixosModules.home-manager
# nix-index-database.nixosModules.nix-index
# catppuccin.nixosModules.catppuccin
# {
# home-manager.sharedModules = [
# inputs.plasma-manager.homeManagerModules.plasma-manager
# inputs.catppuccin.homeManagerModules.catppuccin
# ];
# }
# ];
# };
# iso_server = nixpkgs.lib.nixosSystem {
# system = "x86_64-linux";
# specialArgs = {inherit inputs outputs;};
# modules = [
# {_module.args = {inherit pkgs-edge;};}
# "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
# "${nixpkgs}/nixos/modules/installer/cd-dvd/channel.nix"
# ./nixos/hosts/iso_server/configuration.nix
# sops-nix.nixosModules.sops
# home-manager.nixosModules.home-manager
# nix-index-database.nixosModules.nix-index
# catppuccin.nixosModules.catppuccin
# {
# home-manager.sharedModules = [
# inputs.catppuccin.homeManagerModules.catppuccin
# ];
# }
# ];
# };
};
};
}

358
home-manager/desktop/default.nix
View file

@ -1,6 +1,9 @@
{
pkgs,
inputs,
outputs,
lib,
config,
pkgs,
...
}: {
# You can import other home-manager modules here
@ -13,14 +16,13 @@
# You can also split up your configuration and import pieces of it here:
# ./nvim.nix
./package-configs/plasma-desktop
./package-configs/firefox
./package-configs/plasma-desktop.nix
./package-configs/firefox.nix
./package-configs/konsole
./package-configs/foot
./package-configs/freetube
./package-configs/vesktop
];
nixpkgs = {
config.permittedInsecurePackages = ["cinny-4.2.2" "cinny-unwrapped-4.2.2" "cinny-4.2.1" "cinny-unwrapped-4.2.1"];
# You can add overlays here
overlays = [
# You can also add overlays exported from other flakes:
@ -32,240 +34,178 @@
# patches = [ ./change-hello-to-hi.patch ];
# });
# })
# (final: prev: {
# catppuccin-vsc = final.catppuccin-vsc.overrideAttrs (oldAttrs: {
# accent = "mauve";
# boldKeywords = true;
# italicComments = true;
# italicKeywords = true;
# extraBordersEnabled = false;
# workbenchMode = "default";
# bracketMode = "rainbow";
# colorOverrides = {};
# customUIColors = {};
# });
# })
# (final: prev: {
# catppuccin-vsc = final.catppuccin-vsc.overrideAttrs (oldAttrs: {
# accent = "mauve";
# boldKeywords = true;
# italicComments = true;
# italicKeywords = true;
# extraBordersEnabled = false;
# workbenchMode = "default";
# bracketMode = "rainbow";
# colorOverrides = {};
# customUIColors = {};
# });
# })
(final: prev: {
catppuccin-vsc = final.catppuccin-vsc.overrideAttrs (oldAttrs: {
accent = "mauve";
boldKeywords = true;
italicComments = true;
italicKeywords = true;
extraBordersEnabled = false;
workbenchMode = "default";
bracketMode = "rainbow";
colorOverrides = {};
customUIColors = {};
});
})
(final: prev: {
catppuccin-vsc = final.catppuccin-vsc.overrideAttrs (oldAttrs: {
accent = "mauve";
boldKeywords = true;
italicComments = true;
italicKeywords = true;
extraBordersEnabled = false;
workbenchMode = "default";
bracketMode = "rainbow";
colorOverrides = {};
customUIColors = {};
});
})
];
# Configure your nixpkgs instance
config = {
# Configure your nixpkgs instance
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
systemd.user = {
# services."nextcloud-autosync@" = {
# Unit = {
# Description = "Auto sync Nextcloud";
# After = "network-online.target";
# PartOf = ["nextcloud-autosyncs.target"];
# };
# Service = {
# Type = "simple";
# ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path /%i /home/lillian/%i https://nextcloud.gladtherescake.eu";
# TimeoutStopSec = "180";
# KillMode = "process";
# KillSignal = "SIGINT";
# };
# Install.WantedBy = ["multi-user.target"];
# };
# targets.nextcloud-autosyncs = {
# Unit = {
# Description = "workers";
# Requires = ["nextcloud-autosync@Music" "nextcloud-autosync@Pictures" "nextcloud-autosync@Scripts" "nextcloud-autosync@Videos" "nextcloud-autosync@Documents"];
# PartOf = "nextcloud-autosyncs.target";
# };
# Install.WantedBy = ["multi-user.target"];
# };
# timers.nextcloud-autosyncs = {
# Unit.Description = "Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes";
# Timer.OnBootSec = "5min";
# Timer.OnUnitActiveSec = "60min";
# Install.WantedBy = ["multi-user.target" "timers.target"];
# };
# Nicely reload system units when changing configs
startServices = "sd-switch";
};
home = {
username = "lillian";
homeDirectory = "/home/lillian";
};
file = {
Music = {
source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/Nextcloud/Music";
target = "Music";
};
Pictures = {
source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/Nextcloud/Pictures";
target = "Pictures";
};
Screenshots = {
source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/Nextcloud/Pictures/Screenshots";
target = "Screenshots";
};
Scripts = {
source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/Nextcloud/Scripts";
target = "Scripts";
};
Videos = {
source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/Nextcloud/Videos";
target = "Videos";
};
Documents = {
source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/Nextcloud/Documents";
target = "Documents";
};
floorp = {
source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/.mozilla/firefox";
target = ".floorp";
};
librewolf = {
source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/.mozilla/firefox";
target = ".librewolf";
};
steam = {
source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/.local/share/Steam/";
target = "Steam";
};
# instances = {
# source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/Nextcloud/instances";
# target = ".local/share/PrismLauncher/instances";
# force = true;
# };
};
# Add stuff for your user as you see fit:
# programs.neovim.enable = true;
# home.packages = with pkgs; [ steam ];
qt.style.catppuccin.apply = true;
programs.freetube.catppuccin.flavor = "macchiato";
# Add stuff for your user as you see fit:
# programs.neovim.enable = true;
# home.packages = with pkgs; [ steam ];
home.packages = with pkgs; [
# Coding:
direnv
git
git-credential-manager
git-credential-manager
ruff
kate
packages = with pkgs; [
# Coding:
direnv
git
git-credential-manager
ruff
# Chat applications:
signal-desktop
vesktop
cinny-desktop
# Chat applications:
signal-desktop
vesktop
# cinny-desktop
# Gaming:
prismlauncher
steam
gamescope
# Gaming:
prismlauncher
heroic
# Multimedia:
freetube
vlc
# Multimedia:
vlc
fcast-receiver
fcast-client
# Office applications:
onlyoffice-bin
gimp
thunderbird
# Office applications:
onlyoffice-desktopeditors
gimp
thunderbird
# System tools:
rage
flameshot
fzf
nextcloud-client
nitrokey-app
protonvpn-gui
virtualbox
#watchmate
qbittorrent
# System tools:
rage
flameshot
fzf
nextcloud-client
# nitrokey-app
# protonvpn-gui
virtualbox
#watchmate
qbittorrent
# Theming:
catppuccin-cursors
(catppuccin-kde.override {
flavour = ["macchiato"];
accents = ["mauve"];
})
catppuccin-sddm-corners
# Web browsing:
firefoxpwa
ungoogled-chromium
# Theming:
catppuccin-cursors
(catppuccin-kde.override {
flavour = ["macchiato"];
accents = ["mauve"];
})
catppuccin-sddm-corners
# Web browsing:
firefoxpwa
firefoxpwa
ungoogled-chromium
];
programs.vscode = {
enable = true;
package = pkgs.vscodium;
extensions = with pkgs.vscode-extensions; [
catppuccin.catppuccin-vsc
catppuccin.catppuccin-vsc-icons
charliermarsh.ruff
eamodio.gitlens
github.vscode-pull-request-github
jnoortheen.nix-ide
kamadorueda.alejandra
mkhl.direnv
ms-toolsai.jupyter
ms-pyright.pyright
oderwat.indent-rainbow
rust-lang.rust-analyzer
yzhang.markdown-all-in-one
];
};
programs = {
# vscode = {
# enable = true;
# package = pkgs.vscodium;
# extensions = with pkgs.vscode-extensions; [
# catppuccin.catppuccin-vsc
# catppuccin.catppuccin-vsc-icons
# charliermarsh.ruff
# eamodio.gitlens
# github.vscode-pull-request-github
# jnoortheen.nix-ide
# kamadorueda.alejandra
# mkhl.direnv
# ms-toolsai.jupyter
# ms-pyright.pyright
# oderwat.indent-rainbow
# rust-lang.rust-analyzer
# yzhang.markdown-all-in-one
# ];
# };
chromium = {
extensions = [
{id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";}
];
};
obs-studio.enable = true;
obs-studio.plugins = with pkgs.obs-studio-plugins; [
programs.obs-studio = {
enable = true;
plugins = with pkgs.obs-studio-plugins; [
wlrobs
obs-backgroundremoval
obs-pipewire-audio-capture
];
};
# Enable home-manager and git
home-manager.enable = true;
git = {
enable = true;
settings = {
user = {
name = "Lillian-Violet";
email = "git@lillianviolet.dev";
};
init = {
defaultBranch = "main";
};
# Enable home-manager and git
programs.home-manager.enable = true;
programs.git = {
enable = true;
userEmail = "git@lillianviolet.dev";
userName = "Lillian-Violet";
extraConfig = {
init = {
defaultBranch = "main";
};
ignores = [
"*.direnv"
"*.vscode"
".envrc"
"venv"
"venv"
];
signing.format = "ssh";
};
ignores = [
"*.direnv"
"*.vscode"
".envrc"
"venv"
"venv"
];
};
gpg.enable = true;
gpg.settings = {
default-key = "0d43 5407 034c 2ad9 2d42 799d 280e 061d ff60 0f0d";
default-recipient-self = true;
auto-key-locate = "local,wkd,keyserver";
keyserver = "hkps://keys.openpgp.org";
auto-key-retrieve = true;
auto-key-import = true;
keyserver-options = "honor-keyserver-url";
no-autostart = true;
};
programs.gpg.enable = true;
programs.gpg.settings = {
default-key = "0d43 5407 034c 2ad9 2d42 799d 280e 061d ff60 0f0d";
default-recipient-self = true;
auto-key-locate = "local,wkd,keyserver";
keyserver = "hkps://keys.openpgp.org";
auto-key-retrieve = true;
auto-key-import = true;
keyserver-options = "honor-keyserver-url";
no-autostart = true;
};
services = {
kdeconnect.package = pkgs.kdePackages.kdeconnect-kde;
kdeconnect.enable = true;
services.kdeconnect = {
package = pkgs.kdePackages.kdeconnect-kde;
enable = true;
};
# Nicely reload system units when changing configs
systemd.user.startServices = "sd-switch";
}

135
home-manager/desktop/package-configs/firefox/default.nix → home-manager/desktop/package-configs/firefox.nix
View file

@ -1,16 +1,11 @@
{pkgs, ...}: {
stylix.targets.firefox.profileNames = ["lillian"];
programs.firefox = {
enable = true;
nativeMessagingHosts = [pkgs.firefoxpwa];
package = pkgs.librewolf;
profiles.default = {isDefault = false;};
package = pkgs.floorp;
profiles.lillian = {
isDefault = true;
id = 1;
settings = {
"sidebar.verticalTabs" = true;
"sidebar.visibility" = "expand-on-hover";
"browser.aboutConfig.showWarning" = false;
"browser.bookmarks.addedImportButton" = true;
"browser.bookmarks.restore_default_bookmarks" = false;
@ -29,111 +24,29 @@
"toolkit.legacyUserProfileCustomizations.stylesheets" = true;
"browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" = "DuckDuckGo";
};
bookmarks = {
force = true;
settings = [
{
name = "DIY HRT";
toolbar = false;
bookmarks = [
{
name = "estrogen production";
tags = ["chemistry" "oestrogen" "estrogen" "diy"];
url = "https://crimethinc.com/2022/12/15/producing-transdermal-estrogen-a-do-it-yourself-guide";
}
{
name = "DIY HRT info";
tags = ["guides" "wiki" "information" "DIY" "HRT" "estrogen" "testosterone"];
url = "https://diyhrt.info/";
}
];
}
{
name = "repair resources";
toolbar = false;
bookmarks = [
{
name = "manuals library";
tags = ["repair" "manuals" "documentation"];
url = "https://manualslib.com/";
}
];
}
{
name = "Nix sites";
toolbar = false;
bookmarks = [
{
name = "packages";
tags = ["packages" "basic" "nix"];
url = "https://search.nixos.org/";
}
{
name = "settings";
tags = ["settings" "services" "packages" "nix"];
url = "https://mynixos.com";
}
];
}
{
name = "Games";
toolbar = false;
bookmarks = [
{
name = "PoE2 build sorceres";
tags = ["PoE" "PoE2" "path of exile" "path of exile 2" "games" "guides" "build" "sorcerer" "sorceress"];
url = "https://maxroll.gg/poe2/planner/caeye0hz";
}
{
name = "PoE2 build ranger";
tags = ["PoE" "PoE2" "path of exile" "path of exile 2" "games" "guides" "build" "bow" "ranger"];
url = "https://maxroll.gg/poe2/build-guides/deadeye-gas-arrow-leveling-guide";
}
];
}
{
name = "Cooking";
toolbar = false;
bookmarks = [
{
name = "Maldivian chili paste";
tags = ["cooking" "maldives" "maldivian]" "chili paste" "chili" "spicy" "food" "sauce" "recipes"];
url = "https://maldivescook.com/recipe/lonumirus/";
}
{
name = "Samosas";
tags = ["cooking" "india" "fried" "baked" "snack" "pastry" "samosa"];
url = "https://www.indianhealthyrecipes.com/samosa-recipe-make-samosa/";
}
{
name = "Baojiang Tofu";
tags = ["lava tofu" "tofu" "China" "Yunnan" "vegan" "cooking" "oven" "baked"];
url = "https://tofu.theclubb.co/post/baojiang-tofu-test-kitchen-aka-lava-tofu";
}
{
name = "Sticky Toffee Pudding";
tags = ["baking" "UK" "England" "dessert" "treat" "snack" "baked" "sweet" "treacle" "dates"];
url = "https://www.latimes.com/recipe/sticky-toffee-pudding-moju";
}
{
name = "Vegan Pumpkin Cheesecake";
tags = ["baking" "vegan" "US" "cheesecake" "cake" "dessert" "sweet" "baked" "pumpkin" "cream cheese"];
url = "https://www.karissasvegankitchen.com/vegan-pumpkin-cheesecake/";
}
{
name = "Vegan Cheesecake";
tags = ["baking" "US" "vegan" "cheesecake" "cake" "dessert" "sweet" "baked" "nut free" "cream cheese"];
url = "https://www.noracooks.com/vegan-cheesecake/";
}
{
name = "Biscotti";
tags = ["baking" "Italian" "cookies" "sweet" "dessert" "fruits" "nuts" "almonds" "cranberries" "lemon"];
url = "https://italianchef.org/the-ultimate-guide-to-homemade-italian-biscotti-recipes-tips-and-variations/";
}
];
}
];
};
bookmarks = [
{
name = "estrogen production";
tags = ["chemistry" "oestrogen" "estrogen" "diy"];
url = "https://crimethinc.com/2022/12/15/producing-transdermal-estrogen-a-do-it-yourself-guide";
}
{
name = "Nix sites";
toolbar = false;
bookmarks = [
{
name = "packages";
tags = ["packages" "basic" "nix"];
url = "https://search.nixos.org/";
}
{
name = "settings";
tags = ["settings" "services" "packages" "nix"];
url = "https://mynixos.com";
}
];
}
];
};
};
}

3
home-manager/desktop/package-configs/foot/default.nix
View file

@ -1,9 +1,10 @@
{...}: {
programs.foot = {
enable = true;
# catppuccin.enable = true;
catppuccin.enable = true;
settings = {
main = {
font = "Fira Code:size=11";
};
mouse = {

7
home-manager/desktop/package-configs/freetube/default.nix
View file

@ -1,7 +0,0 @@
{...}: {
home.file."settings.db" = {
source = ./settings.db;
target = ".config/freetube/settings.db";
force = true;
};
}

24
home-manager/desktop/package-configs/freetube/settings.db
View file

@ -1,24 +0,0 @@
{"_id":"allowDashAv1Formats","value":true}
{"_id":"barColor","value":true}
{"_id":"baseTheme","value":"catppuccinMacchiatto"}
{"_id":"bounds","value":{"x":0,"y":66,"width":2560,"height":1374,"maximized":true,"fullScreen":false}}
{"_id":"defaultQuality","value":"1080"}
{"_id":"fetchSubscriptionsAutomatically","value":false}
{"_id":"generalAutoLoadMorePaginatedItemsEnabled","value":true}
{"_id":"hideActiveSubscriptions","value":true}
{"_id":"hidePopularVideos","value":true}
{"_id":"hideRecommendedVideos","value":true}
{"_id":"hideSubscriptionsCommunity","value":true}
{"_id":"hideSubscriptionsLive","value":true}
{"_id":"hideSubscriptionsShorts","value":true}
{"_id":"hideSubscriptionsVideos","value":true}
{"_id":"hideTrendingVideos","value":true}
{"_id":"landingPage","value":"history"}
{"_id":"mainColor","value":"CatppuccinMacchiattoMauve"}
{"_id":"playNextVideo","value":false}
{"_id":"quickBookmarkTargetPlaylistId","value":"favorites"}
{"_id":"secColor","value":"CatppuccinMacchiattoMauve"}
{"_id":"showDistractionFreeTitles","value":true}
{"_id":"useDeArrowThumbnails","value":true}
{"_id":"useDeArrowTitles","value":true}
{"_id":"useSponsorBlock","value":true}

4
home-manager/desktop/package-configs/konsole/Catppuccin.profile
View file

@ -6,7 +6,3 @@ Name=Catppuccin
Parent=FALLBACK/
StartInCurrentSessionDir=true
TerminalRows=30
[Scrolling]
HistoryMode=2
ScrollBarPosition=2

4
home-manager/desktop/package-configs/konsole/konsolerc
View file

@ -15,7 +15,3 @@ ToolBarsMovable=Disabled
[UiSettings]
ColorScheme=
[Notification Messages]
CloseAllEmptyTabs=true
CloseAllTabs=true

1270
home-manager/desktop/package-configs/plasma-desktop.nix Normal file
View file

File diff suppressed because it is too large Load diff

324
home-manager/desktop/package-configs/plasma-desktop/default.nix
View file

@ -1,324 +0,0 @@
{
osConfig,
pkgs,
config,
lib,
...
}: {
#TODO remove this after the bug fixed
programs.plasma.startup.desktopScript."panels".preCommands = lib.mkForce ''
sleep 3
[ -f ${config.xdg.configHome}/plasma-org.kde.plasma.desktop-appletsrc ] && rm ${config.xdg.configHome}/plasma-org.kde.plasma.desktop-appletsrc
'';
#TODO: make the creation of the command file easier, for now this is a nice solution though
systemd.user.services."set-kde-connect-commands" = {
Install = {
WantedBy = ["default.target"];
};
Service = {
Type = "oneshot";
ExecStart = "${pkgs.writeShellScript "set-kde-connect-commands" ''
#!/run/current-system/sw/bin/bash
find ${config.home.homeDirectory}/.config/kdeconnect/ -type d -name 'kdeconnect_runcommand' -execdir cp -rf ${builtins.toPath ./kde-connect-commands} {}/ \; -execdir mv -f {}/kde-connect-commands {}/config \;
''}";
RemainAfterExit = true;
};
};
home.file = {
".config/kdeconnect/config" = {
text = ''
[General]
keyAlgorithm=EC
name=${osConfig.networking.hostName}
customDevices=10.0.0.2,10.0.0.3,10.0.0.4,10.0.0.5
'';
target = ".config/kdeconnect/config";
force = true;
};
"Games/.directory" = {
text = ''
[Desktop Entry]
Icon=folder-games
'';
target = "Games/.directory";
force = true;
};
"Code/.directory" = {
text = ''
[Desktop Entry]
Icon=folder-script
'';
target = "Code/.directory";
force = true;
};
"Writing/.directory" = {
text = ''
[Desktop Entry]
Icon=folder-notes
'';
target = "Writing/.directory";
force = true;
};
"mimeapps.list" = {
text = ''
[Added Associations]
x-scheme-handler/http=librewolf.desktop;
x-scheme-handler/https=librewolf.desktop;
[Default Applications]
x-scheme-handler/discord=vesktop.desktop
x-scheme-handler/http=librewolf.desktop;
x-scheme-handler/https=librewolf.desktop;
x-scheme-handler/sgnl=signal.desktop
x-scheme-handler/signalcaptcha=signal.desktop
x-scheme-handler/email=thunderbird.desktop
x-scheme-handler/text=helix.desktop
'';
target = ".config/mimeapps.list";
force = true;
};
"librewolf.desktop" = {
target = ".config/autostart/librewolf.desktop";
source = "${pkgs.librewolf}/share/applications/librewolf.desktop";
};
"signal.desktop" = {
target = ".config/autostart/signal.desktop";
source = "${pkgs.signal-desktop}/share/applications/signal.desktop";
};
"org.kde.konsole.desktop" = {
target = ".config/autostart/org.kde.konsole.desktop";
source = "${pkgs.kdePackages.konsole}/share/applications/org.kde.konsole.desktop";
};
"vesktop.desktop" = {
target = ".config/autostart/vesktop.desktop";
source = "${pkgs.vesktop}/share/applications/vesktop.desktop";
};
"thunderbird.desktop" = {
target = ".config/autostart/thunderbird.desktop";
source = "${pkgs.thunderbird}/share/applications/thunderbird.desktop";
};
"com.nextcloud.desktopclient.nextcloud.desktop" = {
target = ".config/autostart/com.nextcloud.desktopclient.nextcloud.desktop";
source = "${pkgs.nextcloud-client}/share/applications/com.nextcloud.desktopclient.nextcloud.desktop";
};
};
programs.plasma = {
# workspace = {
# lookAndFeel = "Catppuccin-Macchiato-Mauve";
# colorScheme = "CatppuccinMacchiatoMauve";
# cursor.theme = "catppuccin-macchiato-mauve-cursors";
# };
enable = true;
desktop.mouseActions.verticalScroll = "switchVirtualDesktop";
kscreenlocker.appearance.wallpaper = "${osConfig.stylix.image}";
input.keyboard.options = ["caps:none,compose:caps"];
kwin = {
nightLight = {
enable = true;
mode = "location";
location = {
longitude = "4.88969";
latitude = "52.37403";
};
temperature = {
night = 2400;
};
};
effects = {
wobblyWindows.enable = true;
zoom.mouseTracking = "centered";
};
virtualDesktops = {
number = 4;
rows = 2;
};
};
fonts = {
fixedWidth = {
pointSize = 11;
family = "${osConfig.stylix.fonts.monospace.name}";
};
general = {
pointSize = 11;
family = "${osConfig.stylix.fonts.serif.name}";
};
menu = {
pointSize = 11;
family = "${osConfig.stylix.fonts.sansSerif.name}";
};
small = {
pointSize = 11;
family = "${osConfig.stylix.fonts.sansSerif.name}";
};
toolbar = {
pointSize = 11;
family = "${osConfig.stylix.fonts.sansSerif.name}";
};
windowTitle = {
pointSize = 11;
family = "${osConfig.stylix.fonts.sansSerif.name}";
};
};
panels = [
{
alignment = "left";
floating = true;
height = 38;
location = "top";
screen = "all";
widgets = [
"org.kde.plasma.appmenu"
"org.kde.plasma.panelspacer"
"org.kde.milou"
"org.kde.plasma.panelspacer"
"org.kde.plasma.colorpicker"
{
systemTray.items = {
# We explicitly show bluetooth and battery
shown = [
"org.kde.plasma.volume"
"org.kde.plasma.bluetooth"
"org.kde.plasma.brightness"
"org.kde.plasma.devicenotifier"
"org.kde.kscreen"
"org.kde.kdeconnect"
"org.kde.plasma.networkmanagement"
"org.kde.plasma.battery"
"org.kde.plasma.clipboard"
"org.kde.plasma.mediacontroller"
"org.kde.plasma.notifications"
"org.kde.plasma.weather"
];
# And explicitly hide networkmanagement and volume
hidden = [
"Xwayland Video Bridge_pipewireToXProxy"
"org.kde.plasma.devicenotifier"
"org.kde.plasma.keyboardindicator"
"org.kde.plasma.keyboardlayout"
"org.kde.kscreen"
"org.kde.plasma.printmanager"
"chrome_status_icon_1"
"proton-vpn-app"
"Nitrokey App"
"qBittorrent"
"vlc"
"obs"
"steam"
"nitrokey-app"
];
};
}
{
digitalClock = {
calendar.firstDayOfWeek = "monday";
time.format = "24h";
date = {
enable = true;
format = "isoDate";
position = "belowTime";
};
timeZone.selected = ["Europe/Amsterdam"];
};
}
"org.kde.plasma.lock_logout"
];
}
{
alignment = "center";
floating = true;
height = 44;
hiding = "autohide";
maxLength = 1920;
minLength = 1200;
location = "bottom";
screen = "all";
widgets = [
"org.kde.plasma.kickoff"
"org.kde.plasma.panelspacer"
{
name = "org.kde.plasma.icontasks";
config = {
General = {
launchers = [
"applications:librewolf.desktop"
"applications:systemsettings.desktop"
"applications:org.kde.dolphin.desktop"
"applications:signal.desktop"
"applications:vesktop.desktop"
"applications:thunderbird.desktop"
"applications:steam.desktop"
"applications:noisetorch.desktop"
"applications:org.kde.plasma-systemmonitor.desktop"
"applications:org.kde.konsole.desktop"
"applications:freetube.desktop"
];
};
};
}
"org.kde.plasma.panelspacer"
"org.kde.plasma.minimizeall"
];
}
];
shortcuts = {
"kmix"."decrease_volume_small" = "Shift+Volume Down";
"kmix"."increase_volume_small" = "Shift+Volume Up";
"kwin"."Window One Desktop Down" = "Meta+Ctrl+Shift+Down";
"kwin"."Window One Desktop Up" = "Meta+Ctrl+Shift+Up";
"kwin"."Window One Desktop to the Left" = "Meta+Ctrl+Shift+Left";
"kwin"."Window One Desktop to the Right" = "Meta+Ctrl+Shift+Right";
"kwin"."Window Operations Menu" = "Alt+F3";
"kwin"."Window Quick Tile Bottom" = "Meta+Down";
"kwin"."Window Quick Tile Left" = "Meta+Left";
"kwin"."Window Quick Tile Right" = "Meta+Right";
"kwin"."Window Quick Tile Top" = "Meta+Up";
"kwin"."Window to Next Screen" = "Meta+Shift+Right";
"kwin"."Window to Previous Desktop" = "none,,Window to Previous Desktop";
"kwin"."Window to Previous Screen" = "Meta+Shift+Left";
"org_kde_powerdevil"."Decrease Screen Brightness" = ["Monitor Brightness Down" "Ctrl+Volume Down"];
"org_kde_powerdevil"."Decrease Screen Brightness Small" = ["Monitor Brightness Down" "Ctrl+Shift+Volume Down"];
"org_kde_powerdevil"."Increase Screen Brightness" = ["Monitor Brightness Up" "Ctrl+Volume Up"];
"org_kde_powerdevil"."Increase Screen Brightness Small" = ["Shift+Monitor Brightness Up" "Ctrl+Shift+Volume Up"];
"services/org.kde.krunner.desktop"."_launch" = ["Alt+Space" "Alt+F2" "Ctrl+Shift+Space" "Search"];
"services/org.kde.plasma-systemmonitor.desktop"."_launch" = "Ctrl+Esc";
"services/org.kde.spectacle.desktop"."ActiveWindowScreenShot" = ["Meta+Print" "Ctrl+!"];
"services/org.kde.spectacle.desktop"."CurrentMonitorScreenShot" = "Ctrl+#";
"services/org.kde.spectacle.desktop"."FullScreenScreenShot" = ["Ctrl+$" "Shift+Print"];
"services/org.kde.spectacle.desktop"."OpenWithoutScreenshot" = "Ctrl+^";
"services/org.kde.spectacle.desktop"."RectangularRegionScreenShot" = ["Ctrl+@" "Meta+Shift+Print"];
"services/org.kde.spectacle.desktop"."WindowUnderCursorScreenShot" = ["Meta+Ctrl+Print" "Ctrl+%"];
"services/org.kde.spectacle.desktop"."_launch" = "Print";
"services/services.org.kde.plasma-systemmonitor.desktop"."_launch" = "Ctrl+Esc";
"services/services.org.kde.spectacle.desktop"."ActiveWindowScreenShot" = ["" "" "" "" "" "" "Meta+Print" "Ctrl+!"];
"services/services.org.kde.spectacle.desktop"."CurrentMonitorScreenShot" = "Ctrl+#";
"services/services.org.kde.spectacle.desktop"."FullScreenScreenShot" = ["" "" "" "" "" "" "Ctrl+$" "Shift+Print"];
"services/services.org.kde.spectacle.desktop"."OpenWithoutScreenshot" = "Ctrl+^";
"services/services.org.kde.spectacle.desktop"."RecordWindow" = [];
"services/services.org.kde.spectacle.desktop"."RectangularRegionScreenShot" = ["" "" "" "" "" "" "Ctrl+@" "Meta+Shift+Print"];
"services/services.org.kde.spectacle.desktop"."WindowUnderCursorScreenShot" = ["" "" "" "" "" "" "Meta+Ctrl+Print" "Ctrl+%"];
"services/services.org.kde.spectacle.desktop"."_launch" = "Print";
"services/services.services.org.kde.plasma-systemmonitor.desktop"."_launch" = "Ctrl+Esc";
"services/services.services.org.kde.spectacle.desktop"."ActiveWindowScreenShot" = ["" "" "" "" "" "" "" "Meta+Print" "Ctrl+!"];
"services/services.services.org.kde.spectacle.desktop"."CurrentMonitorScreenShot" = "Ctrl+#";
"services/services.services.org.kde.spectacle.desktop"."FullScreenScreenShot" = ["" "" "" "" "" "" "" "Ctrl+$" "Shift+Print"];
"services/services.services.org.kde.spectacle.desktop"."OpenWithoutScreenshot" = "Ctrl+^";
"services/services.services.org.kde.spectacle.desktop"."RecordWindow" = [];
"services/services.services.org.kde.spectacle.desktop"."RectangularRegionScreenShot" = ["" "" "" "" "" "" "" "Ctrl+@" "Meta+Shift+Print"];
"services/services.services.org.kde.spectacle.desktop"."WindowUnderCursorScreenShot" = ["" "" "" "" "" "" "" "Meta+Ctrl+Print" "Ctrl+%"];
"services/services.services.org.kde.spectacle.desktop"."_launch" = "Print";
};
configFile = {
kwinrc = {
Plugins.rememberwindowpositionsEnabled = true;
Script-rememberwindowpositions = {
restoreType = 3;
whitelist = "org.mozilla.firefox\nfirefox\nlibrewolf\nkonsole\nvesktop\nsignal-dekstop\nthunderbird";
};
};
plasmanotifyrc = {
DoNotDisturb.WhenFullscreen = false;
};
};
};
}

2
home-manager/desktop/package-configs/plasma-desktop/kde-connect-commands
View file

@ -1,2 +0,0 @@
[General]
commands="@ByteArray({\"2574d457_7a99_40a3_8239_24407c7a074d\":{\"command\":\"loginctl unlock-session\",\"name\":\"unlock\"},\"2bbbb9cc_892a_44a1_b097_27b149387511\":{\"command\":\"bluetoothctl disconnect 38:18:4C:11:56:99\",\"name\":\"disconnect headset\"},\"35ad74aa_c1f0_4dd7_a392_2b2676105b62\":{\"command\":\"systemctl hibernate\",\"name\":\"hibernate\"},\"5dd755de_e098_4907_982d_bedba5c3511d\":{\"command\":\"loginctl lock-session\",\"name\":\"lock\"},\"6423946a_b13e_4127_a0d0_0ca38e79fa0f\":{\"command\":\"bluetoothctl connect 38:18:4C:11:56:99\",\"name\":\"connect headset\"},\"690a4134_162b_4851_83a4_bf75722c699a\":{\"command\":\"systemctl suspend\",\"name\":\"suspend\"},\"99ae3913_1757_4ed0_ad7e_91c6f5d740ef\":{\"command\":\"qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \\\"mute\\\"\",\"name\":\"mute\"},\"b11480dd_19f7_49c0_9dcc_3065ddc5150b\":{\"command\":\"qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \\\"mic_mute\\\"\",\"name\":\"mute mic\"},\"bd36530a_9ed5_4345_989d_189c27b3ce00\":{\"command\":\"systemctl reboot\",\"name\":\"reboot\"},\"cf6180f7_e4bd_4f15_a9d1_19ed14e99913\":{\"command\":\"file=\\\"$HOME/Images/WebcamImage_$(date \\\"+%Y%m%d_%H%M%S\\\").jpg\\\"; ffmpeg -f video4linux2 -s 1280x720 -i /dev/video0 -ss 0:0:2 -frames 1 \\\"${file}\\\" && kdeconnect-cli -d $(kdeconnect-cli -a --id-only) --share \\\"${file}\\\"\",\"name\":\"webcam to phone\"},\"d31a3cab_bb6a_459d_89fb_533d0d8fec61\":{\"command\":\"systemctl poweroff\",\"name\":\"shutdown\"},\"f08e1a64_53be_41da_b942_e05e45f1d69c\":{\"command\":\"qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \\\"decrease_volume\\\"\",\"name\":\"volume down\"},\"fbd67152_2a58_4d5d_a210_982fa0eeb171\":{\"command\":\"qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \\\"increase_volume\\\"\",\"name\":\"volume up\"},\"fc3adde9_7049_4166_bcda_a74d13ec91eb\":{\"command\":\"file=/tmp/$(hostname)_$(date \\\"+%Y%m%d_%H%M%S\\\").png; spectacle -bo \\\"${file}\\\" && while ! [ -f \\\"${file}\\\" ]; do sleep 0.5; done && kdeconnect-cli -d $(kdeconnect-cli -a --id-only) --share \\\"${file}\\\"\",\"name\":\"screenshot to phone\"}})"

7
home-manager/desktop/package-configs/vesktop/default.nix
View file

@ -1,7 +0,0 @@
{...}: {
home.file."settings.json" = {
source = ./settings.json;
target = ".config/vesktop/settings/settings.json";
force = true;
};
}

602
home-manager/desktop/package-configs/vesktop/settings.json
View file

@ -1,602 +0,0 @@
{
"autoUpdate": true,
"autoUpdateNotification": false,
"useQuickCss": true,
"themeLinks": [],
"enabledThemes": [
"stylix.theme.css"
],
"enableReactDevtools": false,
"frameless": false,
"transparent": false,
"winCtrlQ": false,
"disableMinSize": false,
"winNativeTitleBar": false,
"plugins": {
"ChatInputButtonAPI": {
"enabled": true
},
"CommandsAPI": {
"enabled": true
},
"MemberListDecoratorsAPI": {
"enabled": false
},
"MessageAccessoriesAPI": {
"enabled": true
},
"MessageDecorationsAPI": {
"enabled": false
},
"MessageEventsAPI": {
"enabled": true
},
"MessagePopoverAPI": {
"enabled": false
},
"MessageUpdaterAPI": {
"enabled": false
},
"ServerListAPI": {
"enabled": false
},
"UserSettingsAPI": {
"enabled": true
},
"AccountPanelServerProfile": {
"enabled": false
},
"AlwaysAnimate": {
"enabled": false
},
"AlwaysExpandRoles": {
"enabled": false
},
"AlwaysTrust": {
"enabled": true,
"domain": true,
"file": true
},
"AnonymiseFileNames": {
"enabled": true,
"anonymiseByDefault": true,
"method": 0,
"randomisedLength": 7
},
"AppleMusicRichPresence": {
"enabled": false
},
"WebRichPresence (arRPC)": {
"enabled": false
},
"BANger": {
"enabled": false
},
"BetterFolders": {
"enabled": false
},
"BetterGifAltText": {
"enabled": false
},
"BetterGifPicker": {
"enabled": false
},
"BetterNotesBox": {
"enabled": false
},
"BetterRoleContext": {
"enabled": false
},
"BetterRoleDot": {
"enabled": false
},
"BetterSessions": {
"enabled": false
},
"BetterSettings": {
"enabled": false
},
"BetterUploadButton": {
"enabled": false
},
"BiggerStreamPreview": {
"enabled": false
},
"BlurNSFW": {
"enabled": false
},
"CallTimer": {
"enabled": false
},
"ClearURLs": {
"enabled": false
},
"ClientTheme": {
"enabled": false
},
"ColorSighted": {
"enabled": false
},
"ConsoleJanitor": {
"enabled": false
},
"ConsoleShortcuts": {
"enabled": false
},
"CopyEmojiMarkdown": {
"enabled": false
},
"CopyFileContents": {
"enabled": false
},
"CopyUserURLs": {
"enabled": false
},
"CrashHandler": {
"enabled": true
},
"CtrlEnterSend": {
"enabled": false
},
"CustomRPC": {
"enabled": false
},
"CustomIdle": {
"enabled": false
},
"Dearrow": {
"enabled": false
},
"Decor": {
"enabled": false
},
"DisableCallIdle": {
"enabled": false
},
"DontRoundMyTimestamps": {
"enabled": false
},
"EmoteCloner": {
"enabled": false
},
"Experiments": {
"enabled": false
},
"F8Break": {
"enabled": false
},
"FakeNitro": {
"enabled": true,
"enableEmojiBypass": true,
"emojiSize": 48,
"transformEmojis": true,
"enableStickerBypass": true,
"stickerSize": 160,
"transformStickers": true,
"transformCompoundSentence": false,
"enableStreamQualityBypass": true,
"useHyperLinks": true,
"hyperLinkText": "{{NAME}}",
"disableEmbedPermissionCheck": false
},
"FakeProfileThemes": {
"enabled": false
},
"FavoriteEmojiFirst": {
"enabled": false
},
"FavoriteGifSearch": {
"enabled": false
},
"FixCodeblockGap": {
"enabled": false
},
"FixSpotifyEmbeds": {
"enabled": false
},
"FixYoutubeEmbeds": {
"enabled": false
},
"ForceOwnerCrown": {
"enabled": false
},
"FriendInvites": {
"enabled": false
},
"FriendsSince": {
"enabled": false
},
"FullSearchContext": {
"enabled": false
},
"GameActivityToggle": {
"enabled": false
},
"GifPaste": {
"enabled": false
},
"GreetStickerPicker": {
"enabled": false
},
"HideAttachments": {
"enabled": false
},
"iLoveSpam": {
"enabled": false
},
"IgnoreActivities": {
"enabled": false
},
"ImageLink": {
"enabled": false
},
"ImageZoom": {
"enabled": false
},
"ImplicitRelationships": {
"enabled": false
},
"InvisibleChat": {
"enabled": false
},
"KeepCurrentChannel": {
"enabled": false
},
"LastFMRichPresence": {
"enabled": false
},
"LoadingQuotes": {
"enabled": false
},
"MemberCount": {
"enabled": true,
"memberList": true,
"toolTip": true
},
"MentionAvatars": {
"enabled": false
},
"MessageClickActions": {
"enabled": false
},
"MessageLatency": {
"enabled": false
},
"MessageLinkEmbeds": {
"enabled": false
},
"MessageLogger": {
"enabled": false
},
"MessageTags": {
"enabled": false
},
"MoreCommands": {
"enabled": false
},
"MoreKaomoji": {
"enabled": true
},
"MoreUserTags": {
"enabled": false
},
"Moyai": {
"enabled": false
},
"MutualGroupDMs": {
"enabled": false
},
"NewGuildSettings": {
"enabled": false
},
"NoBlockedMessages": {
"enabled": false
},
"NoDevtoolsWarning": {
"enabled": false
},
"NoF1": {
"enabled": false
},
"NoMaskedUrlPaste": {
"enabled": false
},
"NoMosaic": {
"enabled": false
},
"NoOnboardingDelay": {
"enabled": false
},
"NoPendingCount": {
"enabled": false
},
"NoProfileThemes": {
"enabled": false
},
"NoReplyMention": {
"enabled": false
},
"NoScreensharePreview": {
"enabled": false
},
"NoServerEmojis": {
"enabled": false
},
"NoTypingAnimation": {
"enabled": false
},
"NoUnblockToJump": {
"enabled": false
},
"NormalizeMessageLinks": {
"enabled": false
},
"NotificationVolume": {
"enabled": false
},
"NSFWGateBypass": {
"enabled": false
},
"OnePingPerDM": {
"enabled": false
},
"oneko": {
"enabled": false
},
"OpenInApp": {
"enabled": false
},
"OverrideForumDefaults": {
"enabled": false
},
"PartyMode": {
"enabled": false
},
"PauseInvitesForever": {
"enabled": false
},
"PermissionFreeWill": {
"enabled": false
},
"PermissionsViewer": {
"enabled": false
},
"petpet": {
"enabled": true
},
"PictureInPicture": {
"enabled": false
},
"PinDMs": {
"enabled": false
},
"PlainFolderIcon": {
"enabled": false
},
"PlatformIndicators": {
"enabled": false
},
"PreviewMessage": {
"enabled": false
},
"QuickMention": {
"enabled": false
},
"QuickReply": {
"enabled": false
},
"ReactErrorDecoder": {
"enabled": false
},
"ReadAllNotificationsButton": {
"enabled": false
},
"RelationshipNotifier": {
"enabled": false
},
"ReplaceGoogleSearch": {
"enabled": false
},
"ReplyTimestamp": {
"enabled": false
},
"RevealAllSpoilers": {
"enabled": false
},
"ReverseImageSearch": {
"enabled": false
},
"ReviewDB": {
"enabled": false
},
"RoleColorEverywhere": {
"enabled": false
},
"SecretRingToneEnabler": {
"enabled": false
},
"Summaries": {
"enabled": false
},
"SendTimestamps": {
"enabled": true,
"replaceMessageContents": true
},
"ServerInfo": {
"enabled": false
},
"ServerListIndicators": {
"enabled": false
},
"ShikiCodeblocks": {
"enabled": true,
"useDevIcon": "COLOR",
"theme": "https://raw.githubusercontent.com/shikijs/shiki/0b28ad8ccfbf2615f2d9d38ea8255416b8ac3043/packages/shiki/themes/dracula.json",
"tryHljs": "SECONDARY",
"bgOpacity": 100
},
"ShowAllMessageButtons": {
"enabled": false
},
"ShowConnections": {
"enabled": false
},
"ShowHiddenChannels": {
"enabled": false
},
"ShowHiddenThings": {
"enabled": false
},
"ShowMeYourName": {
"enabled": false
},
"ShowTimeoutDuration": {
"enabled": false
},
"SilentMessageToggle": {
"enabled": false
},
"SilentTyping": {
"enabled": false
},
"SortFriendRequests": {
"enabled": false
},
"SpotifyControls": {
"enabled": false
},
"SpotifyCrack": {
"enabled": false
},
"SpotifyShareCommands": {
"enabled": false
},
"StartupTimings": {
"enabled": false
},
"StickerPaste": {
"enabled": false
},
"StreamerModeOnStream": {
"enabled": false
},
"SuperReactionTweaks": {
"enabled": false
},
"TextReplace": {
"enabled": false
},
"ThemeAttributes": {
"enabled": false
},
"Translate": {
"enabled": false
},
"TypingIndicator": {
"enabled": false
},
"TypingTweaks": {
"enabled": false
},
"Unindent": {
"enabled": false
},
"UnlockedAvatarZoom": {
"enabled": false
},
"UnsuppressEmbeds": {
"enabled": false
},
"UserVoiceShow": {
"enabled": false
},
"USRBG": {
"enabled": false
},
"ValidReply": {
"enabled": false
},
"ValidUser": {
"enabled": false
},
"VoiceChatDoubleClick": {
"enabled": false
},
"VcNarrator": {
"enabled": false
},
"VencordToolbox": {
"enabled": false
},
"ViewIcons": {
"enabled": false
},
"ViewRaw": {
"enabled": false
},
"VoiceDownload": {
"enabled": false
},
"VoiceMessages": {
"enabled": false
},
"VolumeBooster": {
"enabled": false
},
"WebKeybinds": {
"enabled": true
},
"WebScreenShareFixes": {
"enabled": true
},
"WhoReacted": {
"enabled": false
},
"XSOverlay": {
"enabled": false
},
"YoutubeAdblock": {
"enabled": true
},
"NoTrack": {
"enabled": true,
"disableAnalytics": true
},
"WebContextMenus": {
"enabled": true,
"addBack": true
},
"Settings": {
"enabled": true,
"settingsLocation": "aboveNitro"
},
"SupportHelper": {
"enabled": true
},
"UserMessagesPronouns": {
"enabled": true,
"showInMessages": true,
"showSelf": true,
"pronounSource": 0,
"pronounsFormat": "LOWERCASE"
},
"DynamicImageModalAPI": {
"enabled": false
},
"FixImagesQuality": {
"enabled": false
}
},
"notifications": {
"timeout": 5000,
"position": "bottom-right",
"useNative": "not-focused",
"logLimit": 50
},
"cloud": {
"authenticated": false,
"url": "https://api.vencord.dev/",
"settingsSync": false,
"settingsSyncVersion": 1734993730812
}
}

1
home-manager/hosts/EDI/id_ed25519.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhwA+ZdP2tEBYQNdzLHZzFHxocyeqzhXI6tFpaZA3PZ lillian@EDI

4
home-manager/hosts/EDI/lillian.nix
View file

@ -16,10 +16,8 @@
];
home.packages = with pkgs; [
lutris
android-tools
];
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "26.05";
home.stateVersion = "24.11";
}

1
home-manager/hosts/GLaDOS/id_ed25519.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH30G2PJOnI6jnAtxOQV0SpLFUva0adarLZLvaoZvjGE lillian@GLaDOS

39
home-manager/hosts/GLaDOS/lillian.nix
View file

@ -1,10 +1,6 @@
# This is your home-manager configuration file
# Use this to configure your home environment (it replaces ~/.config/nixpkgs/home.nix)
{
pkgs,
config,
...
}: {
{pkgs, ...}: {
# You can import other home-manager modules here
imports = [
# If you want to use modules your own flake exports (from modules/home-manager):
@ -20,44 +16,15 @@
];
home.packages = with pkgs; [
heroic
r2modman
ryubing
lutris
vscodium
unrar
intiface-central
];
home.file = {
nextcloud = {
source = config.lib.file.mkOutOfStoreSymlink "/run/media/lillian/big-SSD/Nextcloud/";
target = "Nextcloud";
};
};
programs.mangohud = {
enable = true;
# enableSessionWide = true;
};
programs.plasma.configFile.kwinrc = {
"Tiling/Desktop_1/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0;
"Tiling/Desktop_1/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_1/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0;
"Tiling/Desktop_1/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_2/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0;
"Tiling/Desktop_2/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_2/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0;
"Tiling/Desktop_2/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_3/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0;
"Tiling/Desktop_3/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_3/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0;
"Tiling/Desktop_3/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_4/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0;
"Tiling/Desktop_4/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_4/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0;
"Tiling/Desktop_4/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "26.05";
home.stateVersion = "24.11";
}

1
home-manager/hosts/iso/id_ed25519.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeZHHAEoUh/Ly9F1xUSPZLPNE0Yh/wM2qWgKvlEBa8A lillian@GLaDOS

4
home-manager/hosts/iso/lillian.nix
View file

@ -11,11 +11,13 @@
# You can also split up your configuration and import pieces of it here:
# ./nvim.nix
../../desktop
../../shared
];
home.packages = with pkgs; [
];
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "25.11";
home.stateVersion = "24.11";
}

2
home-manager/hosts/iso_server/lillian.nix
View file

@ -18,5 +18,5 @@
];
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "25.05";
home.stateVersion = "24.11";
}

1
home-manager/hosts/queen/id_ed25519.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtwcWXnwOOI8G3NqAMfTeuSuDk9ly5xqwQDH2Iey3u+ lillian@queen

2
home-manager/hosts/queen/lillian.nix
View file

@ -35,5 +35,5 @@
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "26.05";
home.stateVersion = "24.11";
}

1
home-manager/hosts/shodan/id_ed25519.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL279XPFj1nzLDozFclntPh8rOcn3d1B5iJNGds9Ray6 lillian@shodan

72
home-manager/hosts/shodan/lillian.nix
View file

@ -12,8 +12,11 @@
# You can also split up your configuration and import pieces of it here:
# ./nvim.nix
../../desktop/package-configs/plasma-desktop.nix
../../desktop/package-configs/firefox.nix
../../desktop/package-configs/konsole
../../desktop/package-configs/foot
../../shared
../../desktop
];
nixpkgs = {
# You can add overlays here
@ -28,17 +31,76 @@
# });
# })
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
home = {
username = "lillian";
homeDirectory = "/home/lillian";
};
home.packages = with pkgs; [
#Chat:
vesktop
#Gaming:
prismlauncher
r2modman
ryubing
ryujinx
# Multimedia:
freetube
obs-studio
vlc
# System tools:
rage
discover
flameshot
fzf
nextcloud-client
nitrokey-app
protonvpn-gui
sops
#watchmate
qbittorrent
zsh
# Theming:
catppuccin-cursors
(catppuccin-kde.override {
flavour = ["macchiato"];
accents = ["mauve"];
})
catppuccin-plymouth
catppuccin-sddm-corners
# Web browsing:
firefox
ungoogled-chromium
];
# Make the kde screenlock not require a password :)
programs.plasma.kscreenlocker.passwordRequired = false;
# # Automount services for user
# programs.bashmount.enable = true;
# services.udiskie = {
# enable = true;
# automount = true;
# notify = false;
# tray = "never";
# };
# Enable home-manager and git
programs.home-manager.enable = true;
programs.git = {
enable = true;
userEmail = "git@lillianviolet.dev";
userName = "Lillian-Violet";
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "26.05";
home.stateVersion = "24.11";
}

1
home-manager/hosts/wheatley/id_ed25519.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxXVL6QAiMLwvUYBtXCbkHEh6ENgaEO/rkZWSPJrjLJ lillian@wheatley

5
home-manager/hosts/wheatley/lillian.nix
View file

@ -11,7 +11,8 @@
# You can also split up your configuration and import pieces of it here:
# ./nvim.nix
../../shared
../../package-configs/zsh.nix
../../package-configs/helix.nix
];
nixpkgs = {
@ -35,5 +36,5 @@
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "26.05";
home.stateVersion = "24.05";
}

BIN
home-manager/shared/background.jpg
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 158 KiB

89
home-manager/shared/default.nix
View file

@ -1,10 +1,5 @@
{
pkgs,
osConfig,
...
}: {
{pkgs, ...}: {
imports = [
./ssh
./shell/helix
./shell/zellij
./shell/zsh.nix
@ -12,80 +7,28 @@
./shell/eza.nix
./shell/hyfetch.nix
];
home = {
username = "lillian";
homeDirectory = "/home/lillian";
file."id_ed25519.pub" = {
source = ../hosts/${osConfig.networking.hostName}/id_ed25519.pub;
target = ".ssh/id_ed25519.pub";
force = true;
};
packages = with pkgs; [
# System tools:
vscode-langservers-extracted
sops
zsh
bat
btop
broot
lazygit
navi
nil
gh
starship
zellij
];
};
catppuccin = {
enable = true;
flavor = "macchiato";
btop.enable = true;
cache.enable = true;
chromium.enable = true;
freetube.enable = true;
freetube.flavor = "macchiato";
};
programs = {
navi.enable = true;
yazi = {
enable = true;
# package = pkgs.yazi.override {
# _7zz = pkgs._7zz.override {useUasm = true;};
# };
};
};
# stylix.enable = true;
# qt.platformTheme.name = lib.mkForce "kvantum";
# qt.style.name = lib.mkForce "kvantum";
# stylix = {
# enable = true;
# autoEnable = true;
# base16Scheme = {
# scheme = "Catppuccin Macchiato";
# author = "https://github.com/catppuccin/catppuccin";
# base00 = "24273a";
# base01 = "1e2030";
# base02 = "363a4f";
# base03 = "494d64";
# base04 = "5b6078";
# base05 = "cad3f5";
# base06 = "f4dbd6";
# base07 = "b7bdf8";
# base08 = "ed8796";
# base09 = "f5a97f";
# base0A = "eed49f";
# base0B = "a6da95";
# base0C = "8bd5ca";
# base0D = "8aadf4";
# base0E = "c6a0f6";
# base0F = "f0c6c6";
# };
# image = ./background.jpg;
# cursor.package = pkgs.catppuccin-cursors;
# cursor.name = "catppuccin-macchiato-mauve-cursors";
# cursor.size = 16;
# };
home.packages = with pkgs; [
# System tools:
vscode-langservers-extracted
sops
zsh
bat
btop
broot
lazygit
navi
yazi
nil
];
programs.navi.enable = true;
}

50
home-manager/shared/kde-connect-commands.json
View file

@ -1,50 +0,0 @@
[
{
"command": "systemctl poweroff",
"name": "shutdown"
},
{
"command": "systemctl reboot",
"name": "reboot"
},
{
"command": "systemctl suspend",
"name": "suspend"
},
{
"command": "systemctl hibernate",
"name": "hibernate"
},
{
"command": "loginctl lock-session",
"name": "lock"
},
{
"command": "loginctl unlock-session",
"name": "unlock"
},
{
"command": "qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \"mute\"",
"name": "mute"
},
{
"command": "qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \"mic_mute\"",
"name": "mute mic"
},
{
"command": "file=/tmp/$(hostname)_$(date \"+%Y%m%d_%H%M%S\").png; spectacle -bo \"${file}\" && while ! [ -f \"${file}\" ]; do sleep 0.5; done && kdeconnect-cli -d $(kdeconnect-cli -a --id-only) --share \"${file}\"",
"name": "screenshot to phone"
},
{
"command": "file=\"$HOME/Images/WebcamImage_$(date \"+%Y%m%d_%H%M%S\").jpg\"; ffmpeg -f video4linux2 -s 1280x720 -i /dev/video0 -ss 0:0:2 -frames 1 \"${file}\" && kdeconnect-cli -d $(kdeconnect-cli -a --id-only) --share \"${file}\"",
"name": "webcam to phone"
},
{
"command": "bluetoothctl connect 38:18:4C:11:56:99",
"name": "connect headset"
},
{
"command": "bluetoothctl disconnect 38:18:4C:11:56:99",
"name": "disconnect headset"
}
]

2
home-manager/shared/shell/bat.nix
View file

@ -2,6 +2,6 @@
programs.bat = {
enable = true;
extraPackages = with pkgs.bat-extras; [batdiff batman batgrep batwatch];
# catppuccin.enable = true;
catppuccin.enable = true;
};
}

34
home-manager/shared/shell/helix/default.nix
View file

@ -16,21 +16,24 @@
''
#! ~/.nix-profile/bin/zsh
is_new() {
new=0;
mkdir -p /tmp/rjh;
if [[ -a "/tmp/rjh/$(pwd | tr \"/\" -).json" ]]; then
new=1
fi
return $new
new=1;
touch /tmp/rjh;
while IFS="" read -r p || [ -n "$p" ]; do
if [ $(pwd) = $p ]; then
new=0;
fi
done < /tmp/rjh
return $new
}
is_new && zellij run -f -n "jupyter console" -- direnv exec . jupyter console --kernel="$1" -f="/tmp/rjh/$(pwd | tr \"/\" -).json" --ZMQTerminalInteractiveShell.include_other_output=True --ZMQTerminalInteractiveShell.other_output_prefix=''' && sleep 3
rm -f /tmp/pipe-rjh
mkfifo /tmp/pipe-rjh
cat > /tmp/pipe-rjh
zellij run -f -n "REPL" -- direnv exec . just send < /tmp/pipe-rjh
rm /tmp/pipe-rjh
send_to_jupyter() {
is_new && zellij run -f -n "jupyter console" -- direnv exec . jupyter console --kernel="$1" -f="/tmp/rjh-$(pwd | tr \"/\" -).json" --ZMQTerminalInteractiveShell.include_other_output=True --ZMQTerminalInteractiveShell.other_output_prefix=''' && zellij action write 29 25 && zellij action write 17
pwd >> /tmp/rjh
zellij action write 29 25
zellij action write 17
cat | just send
}
send_to_jupyter
'';
in {
programs.helix = {
@ -48,11 +51,6 @@ in {
j = ":pipe-to just jupyter";
};
editor = {
auto-save = {
focus-lost = true;
after-delay.enable = true;
after-delay.timeout = 3000;
};
line-number = "relative";
lsp.display-messages = true;
lsp.display-inlay-hints = true;

46
home-manager/shared/shell/helix/helix.nix
View file

@ -1,46 +0,0 @@
{
fetchzip,
lib,
rustPlatform,
git,
installShellFiles,
}:
rustPlatform.buildRustPackage rec {
pname = "helix";
version = "25.01.1";
# This release tarball includes source code for the tree-sitter grammars,
# which is not ordinarily part of the repository.
src = fetchzip {
url = "https://github.com/helix-editor/helix/releases/download/${version}/helix-${version}-source.tar.xz";
hash = "";
stripRoot = false;
};
useFetchCargoVendor = true;
cargoHash = "";
nativeBuildInputs = [git installShellFiles];
env.HELIX_DEFAULT_RUNTIME = "${placeholder "out"}/lib/runtime";
postInstall = ''
# not needed at runtime
rm -r runtime/grammars/sources
mkdir -p $out/lib
cp -r runtime $out/lib
installShellCompletion contrib/completion/hx.{bash,fish,zsh}
mkdir -p $out/share/{applications,icons/hicolor/256x256/apps}
cp contrib/Helix.desktop $out/share/applications
cp contrib/helix.png $out/share/icons/hicolor/256x256/apps
'';
meta = with lib; {
description = "Post-modern modal text editor";
homepage = "https://helix-editor.com";
license = licenses.mpl20;
mainProgram = "hx";
maintainers = with maintainers; [danth yusdacra zowoq];
};
}

1
home-manager/shared/shell/hyfetch.nix
View file

@ -10,7 +10,6 @@
mode = "horizontal";
};
backend = "neofetch";
pride_month_disable = false;
};
};
}

7
home-manager/shared/shell/starship.nix
View file

@ -35,15 +35,16 @@
git_branch.style = "bold blue";
directory.style = "bold blue";
direnv.disabled = false;
palette = "catppuccin_${flavor}";
}
// builtins.fromTOML (builtins.readFile
(pkgs.fetchFromGitHub
{
owner = "catppuccin";
repo = "starship";
rev = "5906cc3"; # Replace with the latest commit hash
sha256 = "sha256-FLHjbClpTqaK4n2qmepCPkb8rocaAo3qeV4Zp1hia0g=";
rev = "5629d23"; # Replace with the latest commit hash
sha256 = "sha256-nsRuxQFKbQkyEI4TXgvAjcroVdG+heKX5Pauq/4Ota0=";
}
+ /themes/${flavor}.toml));
+ /palettes/${flavor}.toml));
};
}

40
home-manager/shared/shell/zellij/default.nix
View file

@ -55,23 +55,23 @@
default_tab_template {
pane size=1 borderless=true {
plugin location="file:${inputs.zjstatus.packages.${pkgs.stdenv.hostPlatform.system}.default}/bin/zjstatus.wasm" {
format_left "#[bg=#24273A,fg=#cad3f5,bold] {session} {mode} {tabs}"
format_right "#[bg=#cad3f5,fg=#24273A]#[bg=#cad3f5,fg=#cad3f5]#[bg=#cad3f5,fg=#1e2030,bold]{datetime}#[bg=#24273A,fg=#cad3f5]"
plugin location="file:${inputs.zjstatus.packages.${pkgs.system}.default}/bin/zjstatus.wasm" {
format_left "#[bg=#1D1D2E,fg=#C9D2F5,bold] {session} {mode} {tabs}"
format_right "#[bg=#C9D2F5,fg=#1D1D2E]#[bg=#C9D2F5,fg=#C9D2F5]#[bg=#C9D2F5,fg=#1D1D2E,bold]{datetime}#[bg=#1D1D2E,fg=#C9D2F5]"
mode_locked "#[fg=magenta,bold] {name} "
mode_normal "#[fg=green,bold] {name} "
mode_resize "#[fg=orange,bold] {name} "
mode_default_to_mode "resize"
tab_normal "#[bg=#cad3f5,fg=#24273A]#[bg=#cad3f5,fg=#cad3f5]#[bg=#cad3f5,fg=#24273A,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#cad3f5,fg=#cad3f5]#[bg=#24273A,fg=#cad3f5]"
tab_active "#[bg=#a6da95,fg=#24273A]#[bg=#a6da95,fg=#a6da95]#[bg=#a6da95,fg=#1e2030,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#a6da95,fg=#a6da95]#[bg=#24273A,fg=#a6da95]"
tab_normal "#[bg=#C9D2F5,fg=#1D1D2E]#[bg=#C9D2F5,fg=#C9D2F5]#[bg=#C9D2F5,fg=#1D1D2E,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#C9D2F5,fg=#C9D2F5]#[bg=#1D1D2E,fg=#C9D2F5]"
tab_active "#[bg=#A6DA95,fg=#1D1D2E]#[bg=#A6DA95,fg=#A6DA95]#[bg=#A6DA95,fg=#1D1D2E,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#A6DA95,fg=#A6DA95]#[bg=#1D1D2E,fg=#A6DA95]"
tab_sync_indicator " "
tab_fullscreen_indicator " "
tab_floating_indicator "󰉈 "
datetime "#[bg=#cad3f5,fg=#1e2030,bold]{format} "
datetime "#[bg=#C9D2F5,fg=#1D1D2E,bold]{format} "
datetime_format "%Y-%m-%d %H:%M"
datetime_timezone "Europe/Amsterdam"
}
@ -138,23 +138,23 @@
default_tab_template {
pane size=1 borderless=true {
plugin location="file:${inputs.zjstatus.packages.${pkgs.stdenv.hostPlatform.system}.default}/bin/zjstatus.wasm" {
format_left "#[bg=#24273A,fg=#cad3f5,bold] {session} {mode} {tabs}"
format_right "#[bg=#cad3f5,fg=#24273A]#[bg=#cad3f5,fg=#cad3f5]#[bg=#cad3f5,fg=#1e2030,bold]{datetime}#[bg=#24273A,fg=#cad3f5]"
plugin location="file:${inputs.zjstatus.packages.${pkgs.system}.default}/bin/zjstatus.wasm" {
format_left "#[bg=#1D1D2E,fg=#C9D2F5,bold] {session} {mode} {tabs}"
format_right "#[bg=#C9D2F5,fg=#1D1D2E]#[bg=#C9D2F5,fg=#C9D2F5]#[bg=#C9D2F5,fg=#1D1D2E,bold]{datetime}#[bg=#1D1D2E,fg=#C9D2F5]"
mode_locked "#[fg=magenta,bold] {name} "
mode_normal "#[fg=green,bold] {name} "
mode_resize "#[fg=orange,bold] {name} "
mode_default_to_mode "resize"
tab_normal "#[bg=#cad3f5,fg=#24273A]#[bg=#cad3f5,fg=#cad3f5]#[bg=#cad3f5,fg=#1e2030,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#cad3f5,fg=#cad3f5]#[bg=#24273A,fg=#cad3f5]"
tab_active "#[bg=#a6da95,fg=#24273A]#[bg=#a6da95,fg=#a6da95]#[bg=#a6da95,fg=#1e2030,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#a6da95,fg=#a6da95]#[bg=#24273A,fg=#a6da95]"
tab_normal "#[bg=#C9D2F5,fg=#1D1D2E]#[bg=#C9D2F5,fg=#C9D2F5]#[bg=#C9D2F5,fg=#1D1D2E,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#C9D2F5,fg=#C9D2F5]#[bg=#1D1D2E,fg=#C9D2F5]"
tab_active "#[bg=#A6DA95,fg=#1D1D2E]#[bg=#A6DA95,fg=#A6DA95]#[bg=#A6DA95,fg=#1D1D2E,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#A6DA95,fg=#A6DA95]#[bg=#1D1D2E,fg=#A6DA95]"
tab_sync_indicator " "
tab_fullscreen_indicator " "
tab_floating_indicator "󰉈 "
datetime "#[bg=#cad3f5,fg=#1e2030,bold]{format} "
datetime "#[bg=#C9D2F5,fg=#1D1D2E,bold]{format} "
datetime_format "%Y-%m-%d %H:%M"
datetime_timezone "Europe/Amsterdam"
}
@ -167,16 +167,6 @@
}
'';
in {
home.file."permissions.kdl" = {
target = ".cache/zellij/permissions.kdl";
text = ''
"${inputs.zjstatus.packages.${pkgs.stdenv.hostPlatform.system}.default}/bin/zjstatus.wasm" {
ReadApplicationState
RunCommands
ChangeApplicationState
}
'';
};
programs.zellij = {
# This autostarts zellij on zsh start
# TODO find specific settings for vscode to avoid
@ -184,7 +174,7 @@ in {
enableZshIntegration = true;
settings = {
session_serialization = true;
# theme = "catppuccin-macchiato";
theme = "catppuccin-macchiato";
themes = {
catppuccin-mocha = {
@ -216,12 +206,14 @@ in {
};
};
};
home.file = {
"layout" = {
source = "${layout}";
target = ".config/zellij/layouts/default.kdl";
};
};
home.file = {
"helix_zellij" = {
source = "${helix_zellij}";
target = ".config/zellij/layouts/helix.kdl";

125
home-manager/shared/shell/zsh.nix
View file

@ -1,71 +1,70 @@
{pkgs, ...}: {
programs = {
zoxide = {
enable = true;
programs.zoxide = {
enable = true;
};
programs.zsh = {
enable = true;
shellAliases = {
cd = "z";
code = "codium ./";
ls = "eza";
lh = "ls -lah";
cat = "bat";
tree = "tre";
neofetch = "hyfetch";
shutdown = "shutdown 0";
reboot = "reboot 0";
};
zsh = {
plugins = [
{
name = "zsh-nix-shell";
file = "nix-shell.plugin.zsh";
src = pkgs.fetchFromGitHub {
owner = "chisui";
repo = "zsh-nix-shell";
rev = "v0.8.0";
sha256 = "sha256-Z6EYQdasvpl1P78poj9efnnLj7QQg13Me8x1Ryyw+dM=";
};
}
{
name = "terraform";
src = pkgs.fetchFromGitHub {
owner = "macunha1";
repo = "zsh-terraform";
rev = "fd1471d3757f8ed13f56c4426f88616111de2a87";
sha256 = "0z6i9wjjklb4lvr7zjhbphibsyx51psv50gm07mbb0kj9058j6kc";
};
}
];
autosuggestion.enable = true;
enableCompletion = true;
historySubstringSearch.enable = true;
syntaxHighlighting.enable = true;
#zsh-abbr.enable = true;
oh-my-zsh = {
enable = true;
shellAliases = {
cd = "z";
code = "codium ./";
ls = "eza";
lh = "ls -lah";
cat = "bat";
tree = "tre";
neofetch = "hyfetch";
shutdown = "shutdown 0";
reboot = "reboot 0";
};
plugins = [
{
name = "zsh-nix-shell";
file = "nix-shell.plugin.zsh";
src = pkgs.fetchFromGitHub {
owner = "chisui";
repo = "zsh-nix-shell";
rev = "v0.8.0";
sha256 = "sha256-Z6EYQdasvpl1P78poj9efnnLj7QQg13Me8x1Ryyw+dM=";
};
}
# {
# name = "terraform";
# src = pkgs.fetchFromGitHub {
# owner = "macunha1";
# repo = "zsh-terraform";
# rev = "fd1471d3757f8ed13f56c4426f88616111de2a87";
# sha256 = "0z6i9wjjklb4lvr7zjhbphibsyx51psv50gm07mbb0kj9058j6kc";
# };
# }
"git"
"colored-man-pages"
"colorize"
"dirhistory"
"dirpersist"
"history"
"history-substring-search"
"fancy-ctrl-z"
"git-flow"
"isodate"
"z"
"zsh-interactive-cd"
"zsh-navigation-tools"
];
autosuggestion.enable = true;
enableCompletion = true;
historySubstringSearch.enable = true;
syntaxHighlighting.enable = true;
#zsh-abbr.enable = true;
oh-my-zsh = {
enable = true;
plugins = [
"git"
"colored-man-pages"
"colorize"
"dirhistory"
"dirpersist"
"history"
"history-substring-search"
"fancy-ctrl-z"
"git-flow"
"isodate"
"z"
"zsh-interactive-cd"
"zsh-navigation-tools"
];
};
# Extra commands that take more complex forms
initContent = ''
eval "$(zoxide init --cmd cd zsh)"
tre() { command tre "$@" -e && source "/tmp/tre_aliases_$USER" 2>/dev/null; }
zhx() { command zellij action new-tab --layout $HOME/.config/zellij/layouts/helix.kdl; }
'';
};
# Extra commands that take more complex forms
initExtra = ''
eval "$(zoxide init --cmd cd zsh)"
tre() { command tre "$@" -e && source "/tmp/tre_aliases_$USER" 2>/dev/null; }
zhx() { command zellij action new-tab --layout $HOME/.config/zellij/layouts/helix.kdl; }
'';
};
}

25
home-manager/shared/ssh/config
View file

@ -1,25 +0,0 @@
Host wheatley
HostName 10.0.0.1
User lillian
Port 22
Host GLaDOS
HostName 10.0.0.2
User lillian
Port 22
Host EDI
HostName 10.0.0.3
User lillian
Port 22
Host shodan
HostName 10.0.0.4
User lillian
Port 22
Host queen
HostName gladtherescake.eu
User lillian
Port 22

7
home-manager/shared/ssh/default.nix
View file

@ -1,7 +0,0 @@
{...}: {
home.file."sshconfig" = {
source = ./config;
target = ".config/ssh/config";
force = true;
};
}

37
justfile
View file

@ -1,46 +1,15 @@
# Build the nixos configuration and switch to it
build:
sudo echo "sudo check..." && sudo nixos-rebuild --fallback --log-format internal-json -v switch --flake .# --show-trace |& nom --json
sudo nixos-rebuild switch --flake .# --show-trace
# Build the nixos configuration bot don't switch to it until a reboot
boot:
sudo echo "sudo check..." && sudo nixos-rebuild --fallback --log-format internal-json -v boot --flake .# --show-trace |& nom --json
# Run the nix flake in the nix repl
run:
nix-repl -f flake:nixpkgs
# Check the nix configuration for errors
test:
sudo echo "sudo check..." && sudo nix flake check --show-trace --log-format internal-json -v |& nom --json
sudo nix flake check --show-trace
# Update the flake lock
update:
nix flake update --log-format internal-json -v |& nom --json && zsh
nix flake update
# Clean your nix store and optimize it
clean:
sudo nix-collect-garbage
sudo nix-store --optimise
# Set up the commit hook for testing before doing a commit
setup:
#!/run/current-system/sw/bin/bash -e
if [ -s ./.git/hooks/pre-commit ]; then
read -p $"This file already contains the following text:
$(<./.git/hooks/pre-commit)
Do you want to add the test hook (y/N)? (This will NOT delete data)" choice
case "$choice" in
y|Y ) echo "just test" >> ./.git/hooks/pre-commit && chmod +x ./.git/hooks/pre-commit && echo "Added test hook to pre-commit.";;
* ) echo "No test added to pre-commit.";;
esac
else
echo "just test" >> ./.git/hooks/pre-commit && chmod +x ./.git/hooks/pre-commit
fi
# Make sure all the git actions of pulling, adding all files, committing, and pushing are done in one command
push:
git pull
git add *
read -p "Commit message: " -r message && git commit -m "$message"
git push

3
modules/nixos/default.nix
View file

@ -1,5 +1,6 @@
# Add your reusable NixOS modules to this directory, on their own file (https://nixos.wiki/wiki/Module).
# These should be stuff you would like to share with others, not your personal configurations.
{
vpn-ip = import ./vpn-ip;
# List your module files here
contabo.wan = import ./contabo/wan;
}

218
modules/nixos/preservation/default.nix
View file

@ -1,218 +0,0 @@
{
lib,
config,
...
}: let
cfg = config.preservationSetup;
in {
options = {
preservationSetup.enable = lib.mkEnableOption "Enable setup of preservation of files in /persistent";
global.desktop = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether or not we should make desktop preservation files.";
};
global.server = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether or not we should make server preservation files.";
};
};
config = lib.mkIf cfg.enable {
preservation = {
# the module doesn't do anything unless it is enabled
enable = true;
preserveAt."/persistent" = {
# preserve system directories
directories =
[
#Shared
"/var/lib/sbctl"
"/var/lib/bluetooth"
"/var/lib/fprint"
"/var/lib/fwupd"
"/var/lib/libvirt"
"/var/lib/tpm2-tss"
"/var/lib/tpm2-udev-trigger"
"/var/lib/power-profiles-daemon"
"/var/lib/systemd/coredump"
"/var/lib/systemd/rfkill"
"/var/lib/systemd/timers"
"/var/log"
{
directory = "/var/lib/nixos";
inInitrd = true;
}
{
directory = "/var/secrets";
inInitrd = true;
}
]
++ lib.mkIf (cfg.desktop == true) [
#Desktop
"/var/lib/decky-loader"
"/var/lib/flatpak"
]
++ lib.mkIf (cfg.server == true) [
#Server
"/var/lib/continuwuity"
"/var/lib/dhcpcd"
"/var/lib/docker"
"/var/lib/dovecot"
"/var/lib/forgejo"
"/var/lib/gotosocial"
"/var/lib/grafana"
"/var/lib/jellyfin"
"/var/lib/media"
"/var/lib/mollysocket"
"/var/lib/private"
"/var/lib/mysql"
"/var/lib/nextcloud"
"/var/lib/onlyoffice"
"/var/lib/postfix"
"/var/lib/postgresql"
"/var/lib/prometheus2"
"/var/lib/rabbitmq"
"/var/lib/redis-nextcloud"
"/var/lib/redis-rspamd"
"/var/lib/secrets"
"/var/lib/writefreely"
"/var/db"
"/var/dkim"
"/var/secrets"
"/var/sieve"
"/var/vmail"
"/var/mysql"
];
# preserve system files
files = [
{
file = "/etc/machine-id";
inInitrd = true;
how = "symlink";
}
"/var/lib/usbguard/rules.conf"
# creates a symlink on the volatile root
# creates an empty directory on the persistent volume, i.e. /persistent/var/lib/systemd
# does not create an empty file at the symlink's target (would require `createLinkTarget = true`)
{
file = "/var/lib/systemd/random-seed";
how = "symlink";
inInitrd = true;
configureParent = true;
}
"/var/lib/systemd/tpm2-srk-public-key.pem"
"/var/lib/systemd/tpm2-srk-public-key.tpm2b_public"
];
# preserve user-specific files, implies ownership
users = {
lillian = {
commonMountOptions = [
"x-gvfs-hide"
];
directories =
[
{
directory = ".ssh";
mode = "0700";
}
]
++ lib.mkIf (cfg.desktop == true) [
#Desktop
".local/state/wireplumber"
".local/share/direnv"
".local/state/nix"
".local/state/comma"
".local/state/home-manager"
".local/share/PrismLauncher"
".local/share/qBittorrent"
".local/share/kwalletd"
".local/share/kwin" #TODO: add the window script via nix instead of saving it imperatively and keeping it
".local/share/lutris"
".local/share/Nextcloud"
".local/share/Steam"
".local/share/zoxide"
".local/share/flatpak"
".local/share/applications"
".local/share/firefoxpwa/"
".local/share/zoxide"
".mozilla"
".steam"
".zsh"
".pki"
".tldrc"
".thunderbird"
"Code"
"Writing"
"Games"
".config/kdeconnect"
".config/Nextcloud"
".config/noisetorch"
".config/qBittorrent"
".config/r2modman"
".config/r2modmanPlus-local"
".config/Ryujinx"
".config/Signal"
".config/sops"
".config/vesktop"
".config/kde.org"
".config/heroic"
];
#Shared
files = [
".z"
".zsh_history"
];
};
root = {
# specify user home when it is not `/home/${user}`
home = "/root";
directories = [
{
directory = ".ssh";
mode = "0700";
}
];
};
};
};
};
systemd.services.systemd-machine-id-commit = {
unitConfig.ConditionPathIsMountPoint = [
""
"/persistent/etc/machine-id"
];
serviceConfig.ExecStart = [
""
"systemd-machine-id-setup --commit --root /persistent"
];
};
systemd.tmpfiles.settings.preservation = {
"/home/lillian/.config".d = {
user = "lillian";
group = "users";
mode = "0755";
};
"/home/lillian/.local".d = {
user = "lillian";
group = "users";
mode = "0755";
};
"/home/lillian/.local/share".d = {
user = "lillian";
group = "users";
mode = "0755";
};
"/home/lillian/.local/state".d = {
user = "lillian";
group = "users";
mode = "0755";
};
};
};
}

159
modules/nixos/shared-packages/default.nix
View file

@ -1,159 +0,0 @@
{
outputs,
pkgs,
pkgs-edge,
lib,
config,
...
}:
let cfg = config.sharedPackages; in {
options = {
sharedPackages.enable = lib.mkEnableOption "Whether or not to install shared packages and settings";
global.desktopPackages = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether or not to install shared desktop packages and settings.";
};
global.serverPackages = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether or not to install shared server packages and settings.";
};
};
config = lib.mkIf cfg.enable {
imports = [] ++ lib.mkIf (cfg.desktopPackages == true) [
./desktop-settings
] ++ lib.mkIf (cfg.serverPackages == true) [
./server-settings
];
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
outputs.overlays.additions
outputs.overlays.modifications
];
};
environment.systemPackages =
(with pkgs; [
# Custom tools
rebuild
rebuild-no-inhibit
install-nix
install-nix-no-inhibit
update
upgrade
simple-completion-language-server
# System tools
age
alejandra
e2fsprogs
# uutils-findutils
git
git-filter-repo
pre-commit
helix
home-manager
htop
just
killall
oh-my-zsh
rsync
tre-command
wget
zsh
tldr
nmap
knot-dns
libressl
nettools
starship
# System libraries
] ++ lib.mkIf (cfg.desktop == true) [
# Custom tools
dvd
dvt
servo
restart
# System tools
aha
ttf-ms-win10
wineWow64Packages.stable
bottles
tpm2-abrmd
jdk21_headless
#bcachefs-tools
clinfo
direnv
exfat
exfatprogs
gamemode
git-filter-repo
gnupg
pciutils
podman
podman-compose
python3Minimal
sbctl
tpm2-tools
tpm2-tss
virtualgl
vulkan-tools
# waydroid
waypipe
wayland-utils
yubikey-personalization
zsh
# KDE/QT
kdePackages.plasma-desktop
kdePackages.plasma-wayland-protocols
kdePackages.libplasma
kdePackages.plasma-integration
kdePackages.plasma-activities
kdePackages.plasma-workspace
kdePackages.discover
kdePackages.filelight
kdePackages.kcalc
kdePackages.kdepim-addons
kdePackages.kirigami
kdePackages.kdeconnect-kde
kdePackages.konsole
# kdePackages.krunner-ssh
# kdePackages.krunner-symbols
kdePackages.packagekit-qt
kdePackages.plasma-pa
kdePackages.sddm-kcm
kdePackages.dolphin-plugins
kdePackages.qtstyleplugin-kvantum
kdePackages.krdc
kdePackages.krfb
kdePackages.kate
kdePackages.qrca
libportal-qt5
libportal
# User tools
freetube
noisetorch
qjackctl
wireplumber
intiface-central
#rustdesk
]
)
++ (with pkgs-edge; [
# list of latest packages from nixpkgs master
# Can be used to install latest version of some packages
] ++ lib.mkIf (cfg.desktop == true) [
kdePackages.plasma-vault
]
);
};
}

144
modules/nixos/shared-packages/desktop-settings/default.nix
View file

@ -1,144 +0,0 @@
{
pkgs,
lib,
config,
...
}: {
imports = [
./firefox
];
services.udev.extraRules = ''
KERNEL=="hidraw*", ATTRS{idVendor}=="057e", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*057e:*", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*2DC8:*", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", ATTRS{idProduct}=="6012", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*2DC8:6012*", MODE="0660", TAG+="uaccess"
'';
fonts.packages = [pkgs.ttf-ms-win10];
programs = {
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
command-not-found.enable = lib.mkForce false;
# nix-index.enable = true;
nix-index-database.comma.enable = true;
direnv = {
enable = true;
};
# steam = {
# enable = true;
# remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
# dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
# extest.enable = true;
# };
kdeconnect.enable = true;
noisetorch = {
enable = true;
};
};
xdg.portal.enable = true;
# Enable networking
networking.networkmanager.enable = true; # Enables support for 32bit libs that steam uses
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
services = {
# Enable the X11 windowing system.
xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
# displayManager.sddm = {
# enable = true;
# wayland.enable = true;
# };
displayManager.defaultSession = lib.mkDefault "plasma";
desktopManager.plasma6.enable = true;
desktopManager.plasma6.notoPackage = pkgs.atkinson-hyperlegible;
# Enable flatpak support
flatpak.enable = true;
packagekit.enable = true;
# Configure keymap in X11
xserver.xkb = {
layout = "us";
variant = "";
options = "terminate:ctrl_alt_bksp,compose:caps_toggle";
};
# Enable CUPS to print documents.
printing.enable = true;
# Enable fwupd daemon and user space client
fwupd.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
avahi = {
nssmdns4 = true;
enable = true;
ipv4 = true;
ipv6 = true;
publish = {
enable = true;
addresses = true;
workstation = true;
};
};
};
hardware = {
graphics.enable32Bit = true;
# Enable bluetooth hardware
bluetooth.enable = true;
};
security.rtkit.enable = true;
services.pulseaudio.enable = false;
virtualisation.podman = {
enable = true;
dockerCompat = true;
};
security.tpm2 = {
enable = true;
pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
tctiEnvironment.enable = true;
}; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
users.users.lillian.extraGroups = ["tss"];
boot = {
# tss group has access to TPM devices
bootspec.enable = true;
binfmt.emulatedSystems = ["aarch64-linux"];
#boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
#boot.supportedFilesystems = ["bcachefs"];
extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
kernelModules = [
# Virtual Camera
"v4l2loopback"
# Virtual Microphone, built-in
"snd-aloop"
];
# Set initial kernel module settings
extraModprobeConfig = ''
# exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming
# card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams
# https://github.com/umlaeute/v4l2loopback
options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
'';
loader.systemd-boot.configurationLimit = 3;
loader.efi.canTouchEfiVariables = true;
};
}

182
modules/nixos/shared-packages/desktop-settings/firefox/default.nix
View file

@ -1,182 +0,0 @@
{pkgs, ...}: {
programs.firefox = {
enable = true;
package = pkgs.librewolf;
policies = {
DisableTelemetry = true;
DisableFirefoxStudies = true;
DisablePocket = true;
DisableFirefoxAccounts = true;
DisableAccounts = true;
DisableProfileImport = true;
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DontCheckDefaultBrowser = true;
DisplayBookmarksToolbar = "newtab";
ManualAppUpdateOnly = true;
OfferToSaveLogins = false;
PasswordManagerEnabled = false;
DownloadDirectory = "\${home}/Downloads";
EnableTrackingProtection = {
Value = true;
Cryptomining = true;
Fingerprinting = true;
};
ExtensionSettings = {
# "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
# Catppuccin Macchiato - Mauve theme:
"{55750c61-e5f3-4d9a-898d-0643b3093678}" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/catppuccin-macchiato-mauve/latest.xpi";
installation_mode = "force_installed";
};
# Sideberry:
#"{3c078156-979c-498b-8990-85f7987dd929}" = {
# install_url = "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi";
# installation_mode = "force_installed";
#};
# Privacy Badger:
"jid1-MnnxcxisBPnSXQ@jetpack" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi";
installation_mode = "force_installed";
};
# Bitwarden:
"{446900e4-71c2-419f-a6a7-df9c091e268b}" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi";
installation_mode = "force_installed";
};
# Libredirect:
"7esoorv3@alefvanoon.anonaddy.me" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/libredirect/latest.xpi";
installation_mode = "force_installed";
};
# DarkReader:
"addon@darkreader.org" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/darkreader/latest.xpi";
installation_mode = "force_installed";
};
# SimpleLogin:
"addon@simplelogin" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/simplelogin/latest.xpi";
installation_mode = "force_installed";
};
# Cookie Auto Delete:
"CookieAutoDelete@kennydo.com" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/cookie-autodelete/latest.xpi";
installation_mode = "force_installed";
};
# Don't fuck with paste:
"DontFuckWithPaste@raim.ist" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/don-t-fuck-with-paste/latest.xpi";
installation_mode = "force_installed";
};
# Firefox pwas:
"firefoxpwa@filips.si" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/pwas-for-firefox/latest.xpi";
installation_mode = "force_installed";
};
# Consent o matic:
"gdpr@cavi.au.dk" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/consent-o-matic/latest.xpi";
installation_mode = "force_installed";
};
# Mailvelope:
"jid1-AQqSMBYb0a8ADg@jetpack" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/mailvelope/latest.xpi";
installation_mode = "force_installed";
};
# KDE connect:
"kde-connect@0xc0dedbad.com" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/kde-connect/latest.xpi";
installation_mode = "force_installed";
};
# Plasma browser integration:
"plasma-browser-integration@kde.org" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi";
installation_mode = "force_installed";
};
# Shinigami eyes:
"shinigamieyes@shinigamieyes" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/shinigami-eyes/latest.xpi";
installation_mode = "force_installed";
};
# uBlock Origin:
"uBlock0@raymondhill.net" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
installation_mode = "force_installed";
};
# uBlock Scope:
"uBO-Scope@raymondhill.net" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/ubo-scope/latest.xpi";
installation_mode = "force_installed";
};
# Wayback machine:
"wayback_machine@mozilla.org" = {
install_url = "https://addons.mozilla.org/firefox/downloads/file/4047136/wayback_machine_new-3.2.xpi";
installation_mode = "force_installed";
};
# Tree Style Tabs
# "treestyletab@piro.sakura.ne.jp" = {
# install_url = "https://addons.mozilla.org/firefox/downloads/latest/tree-style-tab/latest.xpi";
# installation_mode = "force_installed";
# };
# Adaptive Tab Bar Colour
"ATBC@EasonWong" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/Adaptive-Tab-Bar-Colour/latest.xpi";
installation_mode = "force_installed";
};
};
FirefoxHome = {
Search = true;
TopSites = false;
SponsoredTopSites = false;
Highlights = false;
Pocket = false;
SponsoredPocket = false;
Snippets = false;
};
FirefoxSuggest = {
WebSuggestions = false;
SponsoredSuggestions = false;
ImproveSuggest = false;
};
Preferences = {
"browser.compactmode.show" = true;
"browser.uidensity" = 0;
# "browser.newtabpage.activity-stream.feeds.topsites" = false;
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
"browser.newtabpage.activity-stream.showSponsored" = false;
"browser.newtabpage.activity-stream.system.showSponsored" = false;
"font.name.serif.x-western" = "Crimson";
"font.name.sans-serif.x-western" = "Atkinson Hyperlegible";
"font.name.monospace.x-western" = "FiraCode Nerd Font";
"font.size.variable.x-western" = 14;
"floorp.browser.sidebar.useIconProvider" = "duckduckgo";
"floorp.browser.tabbar.settings" = 2;
"floorp.browser.tabs.verticaltab" = true;
"floorp.tabbar.style" = 2;
"floorp.browser.user.interface" = 8;
"signon.rememberSignons" = true;
"browser.ml.chat.enabled" = false;
"browser.ml.chat.shortcuts" = false;
};
# TODO: switch to ManagedBookmarks as this will be dropped at some point https://mozilla.github.io/policy-templates/#managedbookmarks
# Bookmarks = [
# {
# Title = "NixOS wiki";
# Placement = "toolbar";
# URL = "https://nixos.wiki/";
# }
# {
# Title = "NixOS options";
# Placement = "toolbar";
# URL = "https://nixos.org/manual/nixos/stable/options";
# }
# {
# Title = "NixOS home-manager options";
# Placement = "toolbar";
# URL = "https://nix-community.github.io/home-manager/options.xhtml";
# }
# ];
};
};
}

48
modules/nixos/shared-packages/server-settings/akkoma/default.nix
View file

@ -1,48 +0,0 @@
{
config,
pkgs,
...
}: {
sops.secrets."releaseCookie".mode = "0440";
sops.secrets."releaseCookie".owner = config.users.users.akkoma.name;
users.groups.akkoma = {};
users.users = {
akkoma = {
isSystemUser = true;
group = "akkoma";
};
};
services.akkoma = {
enable = true;
package = pkgs.akkoma;
extraPackages = with pkgs; [ffmpeg exiftool imagemagick];
nginx = {
enableACME = true;
forceSSL = true;
serverName = "akkoma.gladtherescake.eu";
};
#dist.cookie._secret = config.sops.secrets."releaseCookie".path;
config = {
":pleroma".":instance" = {
name = "GLaDTheresCake Akkoma";
email = "akkoma@gladtherescake.eu";
notify_email = "no-reply@akkoma.gladtherescake.eu";
emails.mailer = {
enabled = true;
adapter = "Swoosh.Adapters.Sendmail";
cmd_path = "sendmail";
cmd_args = "-N delay,failure,success";
qmail = true;
};
description = "Lillian's Akkoma server!";
languages = ["en" "nl"];
registrations_open = true;
max_pinned_statuses = 10;
cleanup_attachments = true;
};
};
};
}

101
modules/nixos/shared-packages/server-settings/aria2/container.nix
View file

@ -1,101 +0,0 @@
{config, ...}: {
users.users.aria2.group = "aria2";
users.groups.aria2 = {};
users.users.aria2.isSystemUser = true;
sops.secrets."wg-private".mode = "0440";
sops.secrets."wg-private".owner = config.users.users.aria2.name;
containers.aria2 = {
forwardPorts = [
{
containerPort = 6969;
hostPort = 6969;
protocol = "udp";
}
];
bindMounts = {
"/var/lib/media" = {
hostPath = "/var/lib/media";
isReadOnly = false;
};
"/var/lib/wg/private-key" = {
hostPath = config.sops.secrets."wg-private".path;
isReadOnly = true;
};
};
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::2";
config = {
config,
pkgs,
...
}: {
system.stateVersion = "unstable";
networking.firewall.allowedTCPPorts = [6969];
networking.firewall.allowedUDPPorts = [6969 51820];
users.users = {
aria2.extraGroups = ["jellyfin" "nextcloud"];
};
services.aria2 = {
enable = true;
downloadDir = "/var/lib/media";
rpcListenPort = 6969;
};
networking.wg-quick.interfaces = {
wg0 = {
postUp = ''
# Mark packets on the wg0 interface
wg set wg0 fwmark 51820
# Forbid anything else which doesn't go through wireguard VPN on
# ipV4 and ipV6
${pkgs.iptables}/bin/iptables -A OUTPUT \
! -d 192.168.0.0/16 \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/ip6tables -A OUTPUT \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/iptables -I OUTPUT -o lo -p tcp \
--dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT
${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.100.10/24 -d 192.168.100.11/24 \
-j ACCEPT
'';
postDown = ''
${pkgs.iptables}/bin/iptables -D OUTPUT \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/ip6tables -D OUTPUT \
! -o wg0 -m mark \
! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
'';
address = ["10.2.0.2/32"];
dns = ["10.2.0.1"];
privateKeyFile = "/var/lib/wg/private-key";
peers = [
{
publicKey = "7A19/lMrfmpFZARivC7FS8DcGxMn5uUq9LcOqFjzlDo=";
allowedIPs = ["0.0.0.0/0"];
endpoint = "185.159.158.182:51820";
persistentKeepalive = 25;
}
];
};
};
};
};
}

15
modules/nixos/shared-packages/server-settings/aria2/default.nix
View file

@ -1,15 +0,0 @@
{config, ...}: {
users.users.aria2.group = "aria2";
users.groups.aria2 = {};
users.users.aria2.isSystemUser = true;
sops.secrets."rpcSecret".mode = "0440";
sops.secrets."rpcSecret".owner = config.users.users.aria2.name;
services.aria2 = {
enable = true;
downloadDir = "/var/lib/media";
rpcListenPort = 6969;
rpcSecretFile = config.sops.secrets."rpcSecret".path;
};
}

56
modules/nixos/shared-packages/server-settings/caddy/default.nix
View file

@ -1,56 +0,0 @@
{config, ...}: {
services.phpfpm.pools.nextcloud.settings = {
"listen.owner" = config.services.caddy.user;
"listen.group" = config.services.caddy.group;
};
users.users.caddy.extraGroups = ["nextcloud"];
services.caddy = {
enable = true;
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"${config.services.nextcloud.hostName}" = {
useACMEHost = "${config.services.nextcloud.hostName}";
extraConfig = ''
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/webfinger /index.php/.well-known/webfinger 301
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
encode gzip
reverse_proxy localhost:9000
header Strict-Transport-Security max-age=31536000;
@forbidden {
path /.htaccess
path /data/*
path /config/*
path /db_structure
path /.xml
path /README
path /3rdparty/*
path /lib/*
path /templates/*
path /occ
path /console.php
}
handle @forbidden {
respond 404
}
handle {
root * /var/www/html
php_fastcgi 127.0.0.1:9000 {
# Tells nextcloud to remove /index.php from URLs in links
env front_controller_active true
}
file_server
}
'';
};
"onlyoffice.gladtherescake.eu" = {
};
};
};
}

17
modules/nixos/shared-packages/server-settings/cinny/default.nix
View file

@ -1,17 +0,0 @@
{pkgs, ...}: {
services.nginx = {
enable = true;
virtualHosts = {
"cinny.gladtherescake.eu" = {
root = "${pkgs.cinny}";
## Force HTTP redirect to HTTPS
forceSSL = true;
## LetsEncrypt
enableACME = true;
locations."/" = {
index = "index.html";
};
};
};
};
}

153
modules/nixos/shared-packages/server-settings/conduit/default.nix
View file

@ -1,153 +0,0 @@
{
config,
pkgs,
...
}: let
# You'll need to edit these values
# The hostname that will appear in your user and room IDs
server_name = "matrix.gladtherescake.eu";
# An admin email for TLS certificate notifications
admin_email = "letsencrypt@gladtherescake.eu";
# These ones you can leave alone
# Build a dervation that stores the content of `${server_name}/.well-known/matrix/server`
well_known_server = pkgs.writeText "well-known-matrix-server" ''
{
"m.server": "${server_name}"
}
'';
# Build a dervation that stores the content of `${server_name}/.well-known/matrix/client`
well_known_client = pkgs.writeText "well-known-matrix-client" ''
{
"m.homeserver": {
"base_url": "https://${server_name}"
}
}
'';
in {
# Configure continuwuity itself
services.matrix-continuwuity = {
enable = true;
settings.global = {
inherit server_name;
allow_registration = false;
# emergency_password = "testpassword";
turn_uris = ["turn:turn.gladtherescake.eu.url?transport=udp" "turn:turn.gladtherescake.eu?transport=tcp"];
turn_secret = "cPKWEn4Fo5TAJoE7iX3xeVOaMVE4afeRN1iRGWYfbkWbkaZMxTpnmazHyH6c6yXT";
well_known = {
server = "matrix.gladtherescake.eu:443";
client = "https://matrix.gladtherescake.eu";
};
};
};
# Configure automated TLS acquisition/renewal
security.acme = {
acceptTerms = true;
defaults = {
email = admin_email;
};
};
# ACME data must be readable by the NGINX user
users.users.nginx.extraGroups = [
"acme"
];
# Configure NGINX as a reverse proxy
services.nginx = {
enable = true;
virtualHosts = {
"${server_name}" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
{
addr = "[::]";
port = 8448;
ssl = true;
}
];
locations."/_matrix/" = {
proxyPass = "http://backend_continuwuity";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
locations."=/.well-known/matrix/server" = {
# Use the contents of the derivation built previously
alias = "${well_known_server}";
extraConfig = ''
# Set the header since by default NGINX thinks it's just bytes
default_type application/json;
'';
};
locations."=/.well-known/matrix/client" = {
# Use the contents of the derivation built previously
alias = "${well_known_client}";
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${server_name}\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://${server_name}\"}}'";
extraConfig = ''
# Set the header since by default NGINX thinks it's just bytes
default_type application/json;
# https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
add_header Access-Control-Allow-Origin "*";
'';
};
locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = {
proxyPass = "http://matrix.gladtherescake.eu/client/unstable/org.matrix.msc3575/sync";
proxyWebsockets = true;
recommendedProxySettings = false;
return = "200 '{\"contacts\": [{\"matrix_id\": \"@admin:server.name\", \"email_address\": \"admin@server.name\", \"role\": \"m.role.admin\"}]}'";
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
extraConfig = ''
merge_slashes off;
'';
};
};
upstreams = {
"backend_continuwuity" = {
servers = {
"[::1]:${toString config.services.matrix-continuwuity.settings.global.port}" = {};
};
};
};
};
# Open firewall ports for HTTP, HTTPS, and Matrix federation
networking.firewall.allowedTCPPorts = [80 443 8448];
networking.firewall.allowedUDPPorts = [80 443 8448];
}

44
modules/nixos/shared-packages/server-settings/coturn/default.nix
View file

@ -1,44 +0,0 @@
{config, ...}: {
sops.secrets."coturn-auth-secret".mode = "0440";
sops.secrets."coturn-auth-secret".owner = config.users.users.turnserver.name;
users.users.nginx.extraGroups = ["turnserver"];
services.coturn = {
enable = true;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
realm = "turn.gladtherescake.eu";
relay-ips = [
"62.171.160.195"
"2a02:c207:2063:2448::1"
];
extraConfig = "
cipher-list=\"HIGH\"
no-loopback-peers
no-multicast-peers
";
secure-stun = true;
cert = "/var/lib/acme/turn.gladtherescake.eu/fullchain.pem";
pkey = "/var/lib/acme/turn.gladtherescake.eu/key.pem";
min-port = 49152;
max-port = 49999;
};
# setup certs
services.nginx = {
enable = true;
virtualHosts = {
"turn.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
};
};
};
# share certs with coturn and restart on renewal
security.acme.certs = {
"turn.gladtherescake.eu" = {
group = "turnserver";
postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
};
};
}

8
modules/nixos/shared-packages/server-settings/dashboard/default.nix
View file

@ -1,8 +0,0 @@
{...}: {
imports = [
./grafana
#./loki
./prometheus
./telegraf
];
}

44
modules/nixos/shared-packages/server-settings/dashboard/grafana/default.nix
View file

@ -1,44 +0,0 @@
{config, ...}: {
# grafana configuration
services.grafana = {
enable = true;
settings.server = {
domain = "grafana.lillianviolet.dev";
http_port = 2342;
http_addr = "127.0.0.1";
};
provision = {
datasources.settings = {
apiVersion = 1;
datasources = [
{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://localhost:${toString config.services.prometheus.port}";
isDefault = true;
}
{
name = "Loki";
type = "loki";
access = "proxy";
url = "http://localhost:3100";
isDefault = true;
}
];
};
};
};
# nginx reverse proxy
services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
## Force HTTP redirect to HTTPS
forceSSL = true;
## LetsEncrypt
enableACME = true;
locations."/" = {
proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
};
};
}

6
modules/nixos/shared-packages/server-settings/dashboard/loki/default.nix
View file

@ -1,6 +0,0 @@
{...}: {
services.loki = {
enable = true;
configFile = ./loki.yaml;
};
}

40
modules/nixos/shared-packages/server-settings/dashboard/loki/loki.yaml
View file

@ -1,40 +0,0 @@
# Enables authentication through the X-Scope-OrgID header, which must be present
# if true. If false, the OrgID will always be set to "fake".
auth_enabled: false
server:
http_listen_address: "0.0.0.0"
http_listen_port: 3100
ingester:
lifecycler:
address: "127.0.0.1"
ring:
kvstore:
store: inmemory
replication_factor: 1
final_sleep: 0s
chunk_idle_period: 5m
chunk_retain_period: 30s
schema_config:
configs:
- from: 2020-05-15
store: boltdb
object_store: filesystem
schema: v11
index:
prefix: index_
period: 168h
storage_config:
boltdb:
directory: /tmp/loki/index
filesystem:
directory: /tmp/loki/chunks
limits_config:
enforce_metric_name: false
reject_old_samples: true
reject_old_samples_max_age: 168h

34
modules/nixos/shared-packages/server-settings/dashboard/prometheus/default.nix
View file

@ -1,34 +0,0 @@
{config, ...}: {
services.prometheus = {
enable = true;
port = 9001;
# Export the current system metrics
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
};
};
scrapeConfigs = [
# Scrape the current system
{
job_name = "GrafanaService system";
static_configs = [
{
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
}
];
}
# Scrape the Loki service
{
job_name = "Loki service";
static_configs = [
{
targets = ["127.0.0.1:3100"];
}
];
}
];
};
}

49
modules/nixos/shared-packages/server-settings/dashboard/telegraf/default.nix
View file

@ -1,49 +0,0 @@
{config, ...}: {
sops.secrets."grafana-telegraf-key".mode = "0440";
sops.secrets."grafana-telegraf-key".owner = config.users.users.telegraf.name;
services.telegraf = {
enable = true;
extraConfig = {
agent = {
interval = "10s";
round_interval = true;
metric_batch_size = 1000;
metric_buffer_limit = 10000;
collection_jitter = "0s";
flush_interval = "10s";
flush_jitter = "0s";
precision = "";
debug = false;
quiet = false;
logfile = "";
hostname = "queen";
omit_hostname = false;
};
inputs = {
cpu = {
percpu = true;
totalcpu = true;
collect_cpu_time = false;
report_active = false;
core_tags = false;
};
disk = {
ignore_fs = ["tmpfs" "devtmpfs" "devfs" "overlay" "aufs" "squashfs"];
};
diskio = {};
kernel = {};
mem = {};
system = {};
};
outputs = {
websocket = {
url = "ws://localhost:${toString config.services.prometheus.port}/api/live/push/telegraf";
data_format = "influx";
headers = {
Authorisation = "Bearer glsa_lqpcKV34Pp0d7eIhKN79E2HTwzWWwN4m_fe64e398";
};
};
};
};
};
}

19
modules/nixos/shared-packages/server-settings/default.nix
View file

@ -1,19 +0,0 @@
{...}: {
imports = [
./conduit
./forgejo
./gotosocial
./mail-server
./nextcloud
# ./phanpy
./postgres
./roundcube
./coturn
# ./dashboard
#./cinny
#./firefox-sync
./writefreely
./mollysocket
./jellyfin
];
}

30
modules/nixos/shared-packages/server-settings/firefox-sync/default.nix
View file

@ -1,30 +0,0 @@
{
config,
pkgs,
...
}: let
port = 5126;
in {
sops.secrets."sync-secrets".mode = "0440";
sops.secrets."sync-secrets".owner = config.users.users.firefox-syncserver.name;
users.groups.firefox-syncserver = {};
users.users.firefox-syncserver = {
isSystemUser = true;
group = "firefox-syncserver";
extraGroups = [config.users.groups.keys.name];
};
services.mysql.package = pkgs.mariadb;
services.firefox-syncserver = {
enable = true;
secrets = config.sops.secrets."sync-secrets".path;
singleNode = {
enable = true;
hostname = "sync.gladtherescake.eu";
url = "http://localhost:${toString port}";
enableNginx = true;
enableTLS = true;
};
};
}

71
modules/nixos/shared-packages/server-settings/forgejo/default.nix
View file

@ -1,71 +0,0 @@
{pkgs, ...}: {
imports = [];
#sops.secrets."mailpassunhash".mode = "0440";
#sops.secrets."mailpassunhash".owner = config.users.users.virtualMail.name;
services.forgejo = {
enable = true;
#TODO: different mail passwords for different services
#mailerPasswordFile = config.sops.secrets."mailpassunhash".path;
database = {
type = "postgres";
};
settings = {
"cron.sync_external_users" = {
RUN_AT_START = true;
SCHEDULE = "@every 24h";
UPDATE_EXISTING = true;
};
mailer = {
ENABLED = true;
PROTOCOL = "sendmail";
FROM = "no-reply@git.lillianviolet.dev";
SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
SENDMAIL_ARGS = "-bs";
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
};
federation = {
ENABLED = true;
};
other = {
SHOW_FOOTER_VERSION = false;
};
service.DISABLE_REGISTRATION = true;
server = {
DOMAIN = "git.lillianviolet.dev";
ROOT_URL = "https://git.lillianviolet.dev/";
HTTP_PORT = 3218;
};
"markup.jupyter" = {
ENABLED = true;
FILE_EXTENSIONS = ".ipynb";
RENDER_COMMAND = "${pkgs.jupyter}/bin/jupyter nbconvert --stdout --to html --template full";
IS_INPUT_FILE = true;
RENDER_CONTENT_MODE = "no-sanitizer";
};
"markup.sanitizer.jupyter0" = {
ELEMENT = "div";
ALLOW_ATTR = "class";
REGEXP = "";
};
"markup.sanitizer.jupyter0.img" = {
ALLOW_DATA_URI_IMAGES = true;
};
};
};
services.nginx = {
virtualHosts = {
"git.lillianviolet.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:3218";
};
};
};
};
}

43
modules/nixos/shared-packages/server-settings/gotosocial/default.nix
View file

@ -1,43 +0,0 @@
{pkgs, ...}: {
users.users.gotosocial.extraGroups = ["virtualMail"];
services.nginx = {
virtualHosts = {
"social.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:4257";
};
};
};
};
services.gotosocial = {
enable = true;
package = pkgs.gotosocial;
setupPostgresqlDB = true;
settings = {
application-name = "gotosocial";
host = "social.gladtherescake.eu";
bind-address = "localhost";
port = 4257;
protocol = "https";
storage-local-base-path = "/var/lib/gotosocial/storage";
instance-languages = ["en-gb" "nl"];
media-image-max-size = 41943040;
media-video-max-size = 209715200;
media-description-max-chars = 2000;
#smtp-host = "localhost";
#smtp-port = 587;
#smtp-username = "no-reply@social.gladtherescake.eu";
#smtp-password = config.sops.secrets."mailpassunhash".path;
#smtp-from = "no-reply@social.gladtherescake.eu";
};
};
systemd.services."gotosocial" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
}

20
modules/nixos/shared-packages/server-settings/jellyfin/default.nix
View file

@ -1,20 +0,0 @@
{...}: {
services.nginx = {
virtualHosts = {
"video.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8096";
proxyWebsockets = true; # needed if you need to use WebSocket
};
};
};
};
services.jellyfin = {
enable = true;
user = "nextcloud";
group = "nextcloud";
};
}

108
modules/nixos/shared-packages/server-settings/mail-server/default.nix
View file

@ -1,108 +0,0 @@
{config, ...}: {
sops.secrets."mailpass".mode = "0440";
sops.secrets."mailpass".owner = config.users.users.virtualMail.name;
#Fix for the dovecot update
# services.dovecot2.sieve.extensions = ["fileinto"];
mailserver = {
stateVersion = 3;
enable = true;
enableImap = true;
enableSubmission = true;
fqdn = "mail.gladtherescake.eu";
domains = [
"nextcloud.gladtherescake.eu"
"akkoma.gladtherescake.eu"
"social.gladtherescake.eu"
"gladtherescake.eu"
"lillianviolet.dev"
"git.lillianviolet.dev"
];
loginAccounts = {
"me@gladtherescake.eu" = {
hashedPasswordFile = config.sops.secrets."mailpass".path;
aliases = [
"@gladtherescake.eu"
];
catchAll = [
"gladtherescake.eu"
];
};
"no-reply@nextcloud.gladtherescake.eu" = {
hashedPasswordFile = config.sops.secrets."mailpass".path;
};
"no-reply@akkoma.gladtherescake.eu" = {
hashedPasswordFile = config.sops.secrets."mailpass".path;
};
"no-reply@social.gladtherescake.eu" = {
hashedPasswordFile = config.sops.secrets."mailpass".path;
};
"info@lillianviolet.dev" = {
hashedPasswordFile = config.sops.secrets."mailpass".path;
aliases = [
"@lillianviolet.dev"
];
catchAll = [
"lillianviolet.dev"
];
};
"no-reply@git.lillianviolet.dev" = {
hashedPasswordFile = config.sops.secrets."mailpass".path;
};
};
mailboxes = {
All = {
auto = "subscribe";
specialUse = "All";
};
Archive = {
auto = "subscribe";
specialUse = "Archive";
};
Drafts = {
auto = "subscribe";
specialUse = "Drafts";
};
Junk = {
auto = "subscribe";
specialUse = "Junk";
};
Sent = {
auto = "subscribe";
specialUse = "Sent";
};
Trash = {
auto = "no";
specialUse = "Trash";
};
};
rejectRecipients = [
"no-reply@nextcloud.gladtherescake.eu"
"no-reply@akkoma.gladtherescake.eu"
"no-reply@social.gladtherescake.eu"
"no-reply@git.lillianviolet.dev"
"ongebonden@gladtherescake.eu"
"teluyep_canoja_52868396@gladtherescake.eu"
"me.belsimpel@gladtherescake.eu"
"me.tele2@gladtherescake.eu"
"me+tele2@gladtherescake.eu"
"me.archiveorg@gladtherescake.eu"
];
x509.useACMEHost = config.mailserver.fqdn;
};
security.acme.certs.${config.mailserver.fqdn} = {
webroot = "/var/lib/acme/acme-challenge/";
extraDomainNames = [
"imap.lillianviolet.dev"
"mail.lillianviolet.dev"
"pop3.lillianviolet.dev"
"lillianviolet.dev"
"gladtherescake.eu"
"mail.gladtherescake.eu"
];
};
}

25
modules/nixos/shared-packages/server-settings/mollysocket/default.nix
View file

@ -1,25 +0,0 @@
{config, ...}: {
sops.secrets."mollysocket-vapid-key".mode = "0440";
services.mollysocket = {
enable = true;
environmentFile = config.sops.secrets."mollysocket-vapid-key".path;
settings = {
port = 4381;
allowed_endpoints = ["https://molly.gladtherescake.eu" "https://nextcloud.gladtherescake.eu"];
allowed_uuids = ["db639f29-b7e7-431a-9c75-bcdcb87b6bdf"];
webserver = true;
};
};
services.nginx = {
virtualHosts = {
"molly.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:4381";
};
};
};
};
}

126
modules/nixos/shared-packages/server-settings/nextcloud/default.nix
View file

@ -1,126 +0,0 @@
{
config,
pkgs,
...
}: {
sops.secrets."nextcloudadmin".mode = "0440";
sops.secrets."nextcloudadmin".owner = config.users.users.nextcloud.name;
sops.secrets."nextclouddb".mode = "0440";
sops.secrets."nextclouddb".owner = config.users.users.nextcloud.name;
# sops.secrets."local.json".mode = "0440";
# sops.secrets."local.json".owner = config.users.users.onlyoffice.name;
users.users = {
# nextcloud.extraGroups = [config.users.groups.keys.name config.users.users.onlyoffice.name];
nextcloud.extraGroups = [config.users.groups.keys.name];
#aria2.extraGroups = ["nextcloud"];
# onlyoffice.extraGroups = [config.users.users.nextcloud.name];
};
# Enable Nginx
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"nextcloud.gladtherescake.eu" = {
## Force HTTP redirect to HTTPS
forceSSL = true;
## LetsEncrypt
enableACME = true;
};
"onlyoffice.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
};
};
};
# Actual Nextcloud Config
services.nextcloud = {
enable = true;
hostName = "nextcloud.gladtherescake.eu";
package = pkgs.nextcloud33;
# Use HTTPS for links
https = true;
# Auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# Set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
configureRedis = true;
maxUploadSize = "16G";
#Increase opcache string buffer
phpOptions."opcache.interned_strings_buffer" = "23";
# Further forces Nextcloud to use HTTPS
settings = {
overwriteprotocol = "https";
default_phone_region = "NL";
maintenance_window_start = 3;
log_type = "file";
};
appstoreEnable = true;
extraAppsEnable = true;
#extraApps = with config.services.nextcloud.package.packages.apps; {
# List of apps we want to install and are already packaged in
# https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
# inherit calendar contacts deck forms notes onlyoffice polls twofactor_nextcloud_notification unsplash;
#};
config = {
# Nextcloud PostegreSQL database configuration, recommended over using SQLite
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
dbname = "nextcloud";
dbpassFile = config.sops.secrets."nextclouddb".path;
adminpassFile = config.sops.secrets."nextcloudadmin".path;
adminuser = "GLaDTheresCake";
};
};
# services.onlyoffice = {
# port = 16783;
# enable = true;
# hostname = "onlyoffice.gladtherescake.eu";
# #postgresHost = "/run/postgesql";
# #postgresUser = "onlyoffice";
# #postgresName = "onlyoffice";
# #jwtSecretFile = config.sops.secrets."local.json".path;
# };
# services.rabbitmq = {
# enable = true;
# };
systemd.services."sops-nix.service" = {
before = [
"nextcloud-setup.service"
"postgresql.service"
"onlyoffice-converter.service"
"onlyoffice-docservice.service"
"nginx.service"
"phpfpm-nextcloud.service"
"redis-nextcloud.service"
];
};
# Ensure that postgres is running before running the setup
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
}

55
modules/nixos/shared-packages/server-settings/ombi/default.nix
View file

@ -1,55 +0,0 @@
{...}: {
users.users = {
ombi.extraGroups = ["radarr" "sonarr" "aria2" "nextcloud"];
};
services.ombi = {
enable = true;
port = 2368;
};
users.users = {
radarr.extraGroups = ["aria2" "nextcloud"];
sonarr.extraGroups = ["aria2" "nextcloud"];
};
services = {
#uses port 7878
radarr.enable = true;
#uses port 8989
sonarr.enable = true;
prowlarr.enable = true;
};
services.nginx = {
virtualHosts = {
"ombi.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:2368";
};
};
"radarr.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:7878";
};
};
"sonarr.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8989";
};
};
"prowlarr.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9696";
};
};
};
};
}

17
modules/nixos/shared-packages/server-settings/phanpy/default.nix
View file

@ -1,17 +0,0 @@
{pkgs, ...}: {
services.nginx = {
enable = true;
virtualHosts = {
"phanpy.gladtherescake.eu" = {
root = "${pkgs.phanpy}";
## Force HTTP redirect to HTTPS
forceSSL = true;
## LetsEncrypt
enableACME = true;
locations."/" = {
index = "index.html";
};
};
};
};
}

38
modules/nixos/shared-packages/server-settings/postgres/default.nix
View file

@ -1,38 +0,0 @@
{pkgs, ...}: {
services.postgresql = {
# https://nixos.org/manual/nixos/stable/#module-postgresql
package = pkgs.postgresql_16;
enable = true;
# Ensure the database, user, and ownership is set
ensureDatabases = [
"nextcloud"
"onlyoffice"
"akkoma"
"gotosocial"
"gitea"
];
ensureUsers = [
{
name = "nextcloud";
ensureDBOwnership = true;
}
{
name = "onlyoffice";
ensureDBOwnership = true;
}
{
name = "akkoma";
ensureDBOwnership = true;
}
{
name = "gotosocial";
ensureDBOwnership = true;
}
{
name = "gitea";
ensureDBOwnership = true;
}
];
};
}

36
modules/nixos/shared-packages/server-settings/postgres/upgrade.nix
View file

@ -1,36 +0,0 @@
{
config,
pkgs,
...
}: {
environment.systemPackages = [
(let
# XXX specify the postgresql package you'd like to upgrade to.
# Do not forget to list the extensions you need.
newPostgres = pkgs.postgresql_16.withPackages (pp: [
# pp.plv8
]);
in
pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
export NEWBIN="${newPostgres}/bin"
export OLDDATA="${config.services.postgresql.dataDir}"
export OLDBIN="${config.services.postgresql.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
'')
];
}

39
modules/nixos/shared-packages/server-settings/roundcube/default.nix
View file

@ -1,39 +0,0 @@
{
config,
pkgs,
...
}: {
# TODO: Figure out how to create packages for some plugins for roundcube!
# https://packagist.org/search/?query=roundcube
# https://discourse.nixos.org/t/roundcube-with-plugins/28292/7
services.roundcube = {
enable = true;
package = pkgs.roundcube.withPlugins (
plugins: [
plugins.contextmenu
plugins.carddav
plugins.custom_from
plugins.persistent_login
plugins.thunderbird_labels
]
);
plugins = [
"contextmenu"
"carddav"
"custom_from"
"persistent_login"
"thunderbird_labels"
];
# this is the url of the vhost, not necessarily the same as the fqdn of
# the mailserver
hostName = "webmail.lillianviolet.dev";
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
}

39
modules/nixos/shared-packages/server-settings/writefreely/default.nix
View file

@ -1,39 +0,0 @@
{
config,
pkgs,
...
}: {
sops.secrets."writefreely".mode = "0440";
sops.secrets."writefreely".owner = config.users.users.writefreely.name;
sops.secrets."writefreelymysql".mode = "0440";
sops.secrets."writefreelymysql".owner = config.users.users.writefreely.name;
services.writefreely = {
enable = true;
host = "writefreely.gladtherescake.eu";
nginx.enable = true;
nginx.forceSSL = true;
acme.enable = true;
# database = {
# type = "mysql";
# createLocally = true;
# passwordFile = config.sops.secrets."writefreelymysql".path;
# };
admin = {
initialPasswordFile = config.sops.secrets."writefreely".path;
name = "GLaDTheresCake";
};
settings = {
app = {
min_username_len = 2;
max_blogs = 100;
default_visibility = "public";
federation = true;
local_timeline = true;
};
server.port = 1212;
};
};
systemd.services.writefreely = {
path = [pkgs.libressl];
};
}

49
modules/nixos/sops/default.nix
View file

@ -1,49 +0,0 @@
{
lib,
config,
...
}: let
cfg = config.sopsSetup;
in {
options = {
sopsSetup.enable = lib.mkEnableOption "Enable Module";
global.desktop = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether or not to install shared desktop secrets.";
};
};
config = lib.mkIf cfg.enable {
sops = {
age.keyFile = "/var/secrets/keys.txt";
secrets."lillian-password".neededForUsers = true;
defaultSopsFile = ../hosts/${config.networking.hostName}/secrets/sops.yaml;
secrets."wg-private-key".mode = "0440";
secrets."wg-private-key".owner = config.users.users.root.name;
secrets."ssh-private-key" = {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.ssh/id_ed25519";
};
};
secrets."nextcloud-password" = lib.mkIf (cfg.desktop == true) {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.netrc";
};
secrets."prod.keys" = lib.mkIf (cfg.desktop == true) {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.config/Ryujinx/system/prod.keys";
};
secrets."title.keys" = lib.mkIf (cfg.desktop == true) {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.config/Ryujinx/system/title.keys";
};
};
}

BIN
modules/nixos/stylix/background.jpg
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 158 KiB

66
modules/nixos/stylix/default.nix
View file

@ -1,66 +0,0 @@
{
lib,
config,
pkgs,
...
}: let
cfg = config.stylixSetup;
in {
options = {
stylixSetup.enable = lib.mkEnableOption "Enable Module";
};
config = lib.mkIf cfg.enable {
stylix = {
# targets.qt.platform = lib.mkForce "kde";
enable = true;
# targets.qt.platform = "kde6";
autoEnable = true;
base16Scheme = {
scheme = "Catppuccin Macchiato Mauve";
author = "https://github.com/catppuccin/catppuccin";
base00 = "24273a";
base01 = "1e2030";
base02 = "363a4f";
base03 = "494d64";
base04 = "5b6078";
base05 = "cad3f5";
base06 = "f4dbd6";
base07 = "b7bdf8";
base08 = "ed8796";
base09 = "f5a97f";
base0A = "eed49f";
base0B = "a6da95";
base0C = "8bd5ca";
base0D = "c6a0f6";
base0E = "8aadf4";
base0F = "f0c6c6";
};
image = ./background.jpg;
cursor.package = pkgs.catppuccin-cursors.macchiatoMauve;
cursor.name = "catppuccin-macchiato-mauve-cursors";
cursor.size = 24;
homeManagerIntegration.followSystem = true;
fonts = {
serif = {
package = pkgs.atkinson-hyperlegible;
name = "Atkinson Hyperlegible Next";
};
monospace = {
package = pkgs.atkinson-hyperlegible-mono;
name = "Atkinson Hyperlegbile Mono";
};
sansSerif = {
package = pkgs.atkinson-hyperlegible;
name = "Atkinson Hyperlegible Next";
};
emoji = {
package = pkgs.noto-fonts-emoji-blob-bin;
name = "Blobmoji";
};
};
};
};
}

18
modules/nixos/vpn-ip/default.nix
View file

@ -1,18 +0,0 @@
{lib, ...}:
with lib; {
# Declare what settings a user of this "hello.nix" module CAN SET.
options.services.vpn-ip = {
enable = mkOption {
type = types.bool;
default = true;
};
ip = mkOption {
type = types.str;
default = "0";
};
publicKey = mkOption {
type = types.str;
default = "";
};
};
}

20
mount.sh
View file

@ -1,20 +0,0 @@
declare -a folders=( "/var/lib/sbctl" "/var/lib/bluetooth" "/var/lib/fprint" "/var/lib/fwupd" "/var/lib/libvirt" "/var/lib/tpm2-tss" "/var/lib/tpm2-udev-trigger" "/var/lib/power-profiles-daemon" "/var/lib/systemd/coredump" "/var/lib/systemd/rfkill" "/var/lib/systemd/timers" "/var/log" "/var/lib/decky-loader" "/var/lib/flatpak" "/var/lib/nixos" "/var/secrets" )
declare -a files=( "/etc/machine-id" "/var/lib/systemd/random-seed" "/var/secrets/keys.txt" "/var/lib/systemd/tpm2-srk-public-key.pem" "/var/lib/systemd/tpm2-srk-public-key.tpm2b_public" )
declare -a lillianfolders=( ".ssh" ".local/state/wireplumber" ".local/share/direnv" ".local/state/nix" ".local/state/comma" ".local/state/home-manager" ".local/share/PrismLauncher" ".local/share/qBittorrent" ".local/share/kwalletd" ".local/share/kwin" ".local/share/lutris" ".local/share/Nextcloud" ".local/share/Steam" ".local/share/zoxide" ".local/share/flatpak" ".local/share/applications" ".local/share/firefoxpwa/" ".local/share/com.nonpolynomial.intiface_central" ".mozilla" ".steam" ".zsh" ".pki" ".tldrc" ".thunderbird" "Code" "Writing" ".config/kdeconnect" ".config/Nextcloud" ".config/noisetorch" ".config/qBittorrent" ".config/r2modman" ".config/r2modmanPlus-local" ".config/Ryujinx" ".config/Signal" ".config/sops" ".config/vesktop" ".config/kde.org" )
for folder in "${folders[@]}"
do
mount --bind -o X-mount.mkdir "/mnt/persistent$folder" "/mnt$folder"
done
for lfolder in "${lillianfolders[@]}"
do
mount --bind -o X-mount.mkdir "/mnt/persistent/home/lillian/$lfolder" "/mnt/home/lillian/$lfolder"
done
for file in "${files[@]}"
do
mkdir -p "`dirname $file`"
ln -sf "/mnt/persistent$file" "/mnt$file"
done

244
nixos/desktop/default.nix
View file

@ -28,17 +28,14 @@
allowUnfree = true;
};
};
services.udev.extraRules = ''
KERNEL=="hidraw*", ATTRS{idVendor}=="057e", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*057e:*", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*2DC8:*", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", ATTRS{idProduct}=="6012", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*2DC8:6012*", MODE="0660", TAG+="uaccess"
'';
environment.systemPackages = with pkgs;
[
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
programs.command-not-found.enable = lib.mkForce false;
programs.nix-index.enable = true;
programs.nix-index-database.comma.enable = true;
environment.systemPackages =
(with pkgs; [
# Custom tools
dvd
dvt
@ -47,23 +44,17 @@
# System tools
aha
ttf-ms-win10
wineWow64Packages.stable
bottles
tpm2-abrmd
jdk21_headless
#bcachefs-tools
clinfo
comma
direnv
exfat
exfatprogs
gamemode
git-filter-repo
gnupg
pciutils
podman
podman-compose
python3Minimal
sbctl
tpm2-tools
tpm2-tss
@ -72,16 +63,12 @@
# waydroid
waypipe
wayland-utils
xwaylandvideobridge
yubikey-personalization
zsh
# KDE/QT
kdePackages.plasma-desktop
kdePackages.plasma-wayland-protocols
kdePackages.libplasma
kdePackages.plasma-integration
kdePackages.plasma-activities
kdePackages.plasma-workspace
krunner-translator
kdePackages.discover
kdePackages.filelight
kdePackages.kcalc
@ -96,163 +83,114 @@
kdePackages.sddm-kcm
kdePackages.dolphin-plugins
kdePackages.qtstyleplugin-kvantum
kdePackages.krdc
kdePackages.krfb
kdePackages.kate
kdePackages.qrca
libportal-qt5
libportal
# User tools
freetube
noisetorch
qjackctl
wireplumber
intiface-central
#rustdesk
]
])
++ (with pkgs-edge; [
kdePackages.plasma-vault
# list of latest packages from nixpkgs master
# Can be used to install latest version of some packages
]);
fonts.packages = [pkgs.ttf-ms-win10];
sops = {
secrets."nextcloud-password" = {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.netrc";
};
secrets."prod.keys" = {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.config/Ryujinx/system/prod.keys";
};
secrets."title.keys" = {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.config/Ryujinx/system/title.keys";
};
programs.direnv = {
enable = true;
};
programs = {
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
command-not-found.enable = lib.mkForce false;
# nix-index.enable = true;
nix-index-database.comma.enable = true;
direnv = {
enable = true;
};
# steam = {
# enable = true;
# remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
# dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
# extest.enable = true;
# };
kdeconnect.enable = true;
noisetorch = {
enable = true;
};
};
xdg.portal.enable = true;
# Enable networking
networking.networkmanager.enable = true; # Enables support for 32bit libs that steam uses
networking.networkmanager.enable = true;
programs.steam = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
extest.enable = true;
};
hardware.graphics.enable32Bit = true; # Enables support for 32bit libs that steam uses
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
services = {
# Enable the X11 windowing system.
xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
# displayManager.sddm = {
# enable = true;
# wayland.enable = true;
# };
desktopManager.plasma6.notoPackage = pkgs.atkinson-hyperlegible;
# Enable the X11 windowing system.
services.xserver.enable = true;
# Enable flatpak support
flatpak.enable = true;
packagekit.enable = true;
# Configure keymap in X11
xserver.xkb = {
layout = "us";
variant = "";
options = "terminate:ctrl_alt_bksp,compose:caps_toggle";
};
# Enable CUPS to print documents.
printing.enable = true;
# Enable fwupd daemon and user space client
fwupd.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
avahi = {
nssmdns4 = true;
enable = true;
ipv4 = true;
ipv6 = true;
publish = {
enable = true;
addresses = true;
workstation = true;
};
};
# Enable the KDE Plasma Desktop Environment.
services.displayManager.sddm = {
enable = true;
wayland.enable = true;
};
hardware = {
graphics.enable32Bit = true;
services.displayManager.defaultSession = "plasma";
services.desktopManager.plasma6.enable = true;
programs.kdeconnect.enable = true;
# Enable bluetooth hardware
bluetooth.enable = true;
# Enable flatpak support
services.flatpak.enable = true;
services.packagekit.enable = true;
# Configure keymap in X11
services.xserver.xkb = {
layout = "us";
variant = "";
options = "terminate:ctrl_alt_bksp,compose:caps_toggle";
};
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable bluetooth hardware
hardware.bluetooth.enable = true;
# Enable fwupd daemon and user space client
services.fwupd.enable = true;
# Enable sound with pipewire.
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
programs.noisetorch = {
enable = true;
};
services.pulseaudio.enable = false;
virtualisation.podman = {
enable = true;
dockerCompat = true;
};
security.tpm2 = {
enable = true;
pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
tctiEnvironment.enable = true;
}; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
users.users.lillian.extraGroups = ["tss"];
boot = {
# tss group has access to TPM devices
bootspec.enable = true;
binfmt.emulatedSystems = ["aarch64-linux"];
#boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
#boot.supportedFilesystems = ["bcachefs"];
extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
kernelModules = [
# Virtual Camera
"v4l2loopback"
# Virtual Microphone, built-in
"snd-aloop"
];
# Set initial kernel module settings
extraModprobeConfig = ''
# exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming
# card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams
# https://github.com/umlaeute/v4l2loopback
options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
'';
loader.systemd-boot.configurationLimit = 3;
loader.efi.canTouchEfiVariables = true;
};
security.tpm2.enable = true;
security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices
# FIXME: re-enable virtual camera loopback when it build again.
boot.bootspec.enable = true;
#boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
#boot.supportedFilesystems = ["bcachefs"];
boot.extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
boot.kernelModules = [
# Virtual Camera
"v4l2loopback"
# Virtual Microphone, built-in
"snd-aloop"
];
# Set initial kernel module settings
boot.extraModprobeConfig = ''
# exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming
# card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams
# https://github.com/umlaeute/v4l2loopback
options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
'';
boot.loader.systemd-boot.configurationLimit = 3;
boot.loader.efi.canTouchEfiVariables = true;
}

20
nixos/desktop/package-configs/firefox/default.nix
View file

@ -1,7 +1,11 @@
{pkgs, ...}: {
{
config,
pkgs,
...
}: {
programs.firefox = {
enable = true;
package = pkgs.librewolf;
package = pkgs.floorp;
policies = {
DisableTelemetry = true;
DisableFirefoxStudies = true;
@ -114,16 +118,6 @@
install_url = "https://addons.mozilla.org/firefox/downloads/file/4047136/wayback_machine_new-3.2.xpi";
installation_mode = "force_installed";
};
# Tree Style Tabs
# "treestyletab@piro.sakura.ne.jp" = {
# install_url = "https://addons.mozilla.org/firefox/downloads/latest/tree-style-tab/latest.xpi";
# installation_mode = "force_installed";
# };
# Adaptive Tab Bar Colour
"ATBC@EasonWong" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/Adaptive-Tab-Bar-Colour/latest.xpi";
installation_mode = "force_installed";
};
};
FirefoxHome = {
Search = true;
@ -156,8 +150,6 @@
"floorp.tabbar.style" = 2;
"floorp.browser.user.interface" = 8;
"signon.rememberSignons" = true;
"browser.ml.chat.enabled" = false;
"browser.ml.chat.shortcuts" = false;
};
# TODO: switch to ManagedBookmarks as this will be dropped at some point https://mozilla.github.io/policy-templates/#managedbookmarks
# Bookmarks = [

108
nixos/hosts/EDI/configuration.nix
View file

@ -1,6 +1,7 @@
# This is your system's configuration file.
# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
{
inputs,
outputs,
lib,
pkgs,
@ -8,6 +9,8 @@
}: {
# You can import other NixOS modules here
imports = [
# Import home-manager's NixOS module
inputs.home-manager.nixosModules.home-manager
# If you want to use modules your own flake exports (from modules/nixos):
# outputs.nixosModules.example
@ -18,94 +21,41 @@
# You can also split up your configuration and import pieces of it here:
# ./users.nix
outputs.nixosModules.vpn-ip
../../desktop
../../../disko/EDI
# Import your generated (nixos-generate-config) hardware configuration
./hardware-configuration.nix
];
sops.defaultSopsFile = ./secrets/sops.yaml;
home-manager = {
extraSpecialArgs = {inherit inputs outputs;};
users = {
# Import your home-manager configuration
lillian = import ../../../home-manager/hosts/EDI;
};
};
environment.systemPackages = with pkgs; [
gparted
];
programs.steam = {
networking.hostName = "EDI";
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.initrd.systemd.enable = true;
boot.lanzaboote = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
extest.enable = true;
};
programs.virt-manager.enable = true;
users.groups.libvirtd.members = ["lillian"];
virtualisation.libvirtd.enable = true;
virtualisation.spiceUSBRedirection.enable = true;
services = {
displayManager.plasma-login-manager = {
enable = true;
};
displayManager.defaultSession = "plasma";
desktopManager.plasma6.enable = true;
samba = {
enable = true;
openFirewall = true;
settings = {
global = {
"invalid users" = [
"root"
];
"passwd program" = "/run/wrappers/bin/passwd %u";
security = "user";
};
public = {
browseable = "yes";
comment = "Public samba share.";
"guest ok" = "yes";
path = "/home/lillian/samba";
"read only" = "no";
};
};
};
vpn-ip = {
ip = "3";
};
};
users.groups.samba.members = ["lillian"];
networking = {
hostName = "EDI";
networkmanager.enable = true;
};
hardware.enableAllFirmware = true;
hardware.enableRedistributableFirmware = true;
boot = {
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
loader.systemd-boot.enable = lib.mkForce false;
initrd.systemd.enable = true;
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems = ["btrfs" "bcachefs"];
binfmt.emulatedSystems = ["aarch64-linux"];
lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
kernelModules = [
"iwlmvm"
"iwlwifi"
];
pkiBundle = "/etc/secureboot";
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "26.05";
system.stateVersion = "24.11";
}

16
nixos/hosts/EDI/secrets/sops.yaml
View file

File diff suppressed because one or more lines are too long

171
nixos/hosts/GLaDOS/configuration.nix
View file

@ -4,14 +4,12 @@
inputs,
outputs,
pkgs,
lib,
...
}: {
# You can import other NixOS modules here
imports = [
# Import home-manager's NixOS module
inputs.home-manager.nixosModules.home-manager
outputs.nixosModules.vpn-ip
# If you want to use modules your own flake exports (from modules/nixos):
# outputs.nixosModules.example
@ -22,138 +20,71 @@
# You can also split up your configuration and import pieces of it here:
# ./users.nix
../../desktop
../../../disko/GLaDOS
# Import your generated (nixos-generate-config) hardware configuration
./hardware-configuration.nix
];
sops.defaultSopsFile = ./secrets/sops.yaml;
environment.systemPackages = with pkgs; [
gparted
];
services = {
displayManager.plasma-login-manager = {
enable = true;
services.xserver.videoDrivers = ["amdgpu"];
# Add vulkan support to GPU
hardware.graphics.extraPackages = with pkgs; [
amdvlk
];
# For 32 bit applications
hardware.graphics.extraPackages32 = with pkgs; [
driversi686Linux.amdvlk
];
programs.gamemode = {
enable = true;
settings = {
general = {
renice = 10;
};
# Warning: GPU optimisations have the potential to damage hardware
gpu = {
apply_gpu_optimisations = "accept-responsibility";
gpu_device = 0;
amd_performance_level = "high";
};
custom = {
start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
};
};
displayManager.defaultSession = "plasma";
desktopManager.plasma6.enable = true;
vpn-ip = {
ip = "2";
};
xserver.videoDrivers = ["amdgpu"];
};
networking.hostName = "GLaDOS";
programs = {
steam = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
extest.enable = true;
};
boot.loader.systemd-boot.enable = true;
# gamemode.enable = false;
# gamemode.settings = {
# general = {
# renice = 10;
# };
# # Warning: GPU optimisations have the potential to damage hardware
# # gpu = {
# # apply_gpu_optimisations = "accept-responsibility";
# # gpu_device = 0;
# # amd_performance_level = "high";
# # };
# custom = {
# start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
# end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
# };
# };
};
boot = {
initrd.systemd.services.rollback = {
description = "Rollback BTRFS root subvolume to a pristine state";
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
wantedBy = ["initrd.target"];
after = ["systemd-cryptsetup@nvme_crypted.service"];
before = ["sysroot.mount"];
script = ''
echo "mounting btrfs volume to tmp..."
mkdir -p /btrfs_tmp
mount /dev/mapper/nvme_crypted /btrfs_tmp
echo "mount successful!"
if [[ -e /btrfs_tmp/root ]]; then
echo "copying root to backup..."
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
echo "copy complete!"
fi
if [[ -e /btrfs_tmp/home ]]; then
echo "copying home to backup..."
mkdir -p /btrfs_tmp/old_homes
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/home)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/home "/btrfs_tmp/old_homes/$timestamp"
echo "copy complete!"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
echo "recursively deleting root subvolumes older than five days..."
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +5); do
delete_subvolume_recursively "$i"
done
echo "subvolumes deleted!"
echo "recursively deleting home subvolumes older than five days..."
for i in $(find /btrfs_tmp/old_homes/ -maxdepth 1 -mtime +5); do
delete_subvolume_recursively "$i"
done
echo "subvolumes deleted!"
echo "creating new root and home subvolumes..."
btrfs subvolume create /btrfs_tmp/root
btrfs subvolume create /btrfs_tmp/home
mkdir /btrfs_tmp/home/lillian
chown 1000:100 /btrfs_tmp/home/lillian
echo "unmounting btrfs temporary mount..."
umount /btrfs_tmp
echo "disk clear complete!"
'';
};
loader.systemd-boot.enable = false;
initrd.systemd.enable = true;
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems = ["btrfs" "bcachefs"];
binfmt.emulatedSystems = ["aarch64-linux"];
lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
extraModprobeConfig = ''
'';
};
# boot.lanzaboote = {
# enable = true;
# pkiBundle = "/etc/secureboot";
# };
users.users.lillian.extraGroups = ["gamemode"];
home-manager = {
extraSpecialArgs = {inherit inputs outputs;};
users = {
# Import your home-manager configuration
lillian = import ../../../home-manager/hosts/GLaDOS;
};
};
# virtualisation.waydroid.enable = false;
networking.hostName = "GLaDOS";
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "26.05";
system.stateVersion = "24.11";
}

17
nixos/hosts/GLaDOS/hardware-configuration.nix
View file

@ -15,23 +15,6 @@
boot.initrd.kernelModules = ["dm-snapshot" "amdgpu"];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/persistent".neededForBoot = true;
fileSystems."/run/media/lillian/big-SSD" = {
device = "/dev/disk/by-uuid/b12ee352-ca6d-47d5-8b5f-6e3002af12e7";
fsType = "ext4";
options = ["users" "nofail"];
};
fileSystems."/run/media/lillian/small-SSD" = {
device = "/dev/disk/by-uuid/237cc760-2b3b-41ec-aab4-deff9cc7c5a1";
fsType = "ext4";
options = ["users" "nofail"];
};
fileSystems."/run/media/lillian/Backup" = {
device = "/dev/disk/by-uuid/cb175f0e-a008-476d-b0eb-ba8d7873af66";
fsType = "ext4";
options = ["users" "nofail"];
};
# fileSystems."/" =
# { device = "UUID=166dc8d8-b77f-43fe-8bee-a0fc5b26aeb5";

19
nixos/hosts/GLaDOS/secrets/sops.yaml
View file

File diff suppressed because one or more lines are too long

67
nixos/hosts/iso/configuration.nix
View file

@ -10,20 +10,20 @@
# outputs.homeManagerModules.example
# outputs.nixosModules.contabo.wan
inputs.home-manager.nixosModules.home-manager
outputs.nixosModules.vpn-ip
# Or modules exported from other flakes (such as nix-colors):
# inputs.nix-colors.homeManagerModules.defaults
# Import shared settings
../../shared
];
# programs.command-not-found.enable = lib.mkForce false;
# programs.nix-index.enable = true;
# programs.nix-index-database.comma.enable = true;
programs.command-not-found.enable = lib.mkForce false;
programs.nix-index.enable = true;
programs.nix-index-database.comma.enable = true;
# boot.tmp.cleanOnBoot = true;
# zramSwap.enable = false;
# networking.domain = "";
boot.tmp.cleanOnBoot = true;
zramSwap.enable = false;
networking.domain = "";
services.openssh = {
enable = true;
# require public key authentication for better security
@ -45,9 +45,7 @@
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
sops.defaultSopsFile = ./secrets/sops.yaml;
services.vpn-ip.enable = false;
# services.desktopManager.plasma6.enable = true;
services.desktopManager.plasma6.enable = true;
environment.systemPackages = with pkgs; [
# Custom tools
@ -67,9 +65,11 @@
sbctl
tpm2-tools
tpm2-tss
waydroid
zsh
# KDE/QT
krunner-translator
kdePackages.discover
kdePackages.kcalc
kdePackages.kdepim-addons
@ -81,14 +81,13 @@
kdePackages.plasma-pa
kdePackages.sddm-kcm
kdePackages.dolphin-plugins
libportal-qt5
libportal
];
# Enable networking
networking.networkmanager.enable = true;
networking.hostName = "iso";
# Contabo ipv6 nameservers: "2a02:c207::1:53" "2a02:c207::2:53"
networking.firewall.enable = true;
@ -107,24 +106,24 @@
# Enable bluetooth hardware
hardware.bluetooth.enable = true;
# security.tpm2.enable = true;
# security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
# security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
# users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices
security.tpm2.enable = true;
security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# programs.git = {
# enable = true;
# };
programs.git = {
enable = true;
};
# programs.direnv = {
# enable = true;
# };
programs.direnv = {
enable = true;
};
# # Enable completion of system packages by zsh
# environment.pathsToLink = ["/share/zsh"];
# Enable completion of system packages by zsh
environment.pathsToLink = ["/share/zsh"];
# kde power settings do not turn off screen
systemd = {
@ -137,17 +136,17 @@
};
};
# home-manager = {
# extraSpecialArgs = {inherit inputs outputs;};
# users = {
# # Import your home-manager configuration
# lillian = import ../../../home-manager/hosts/iso;
# };
# };
home-manager = {
extraSpecialArgs = {inherit inputs outputs;};
users = {
# Import your home-manager configuration
lillian = import ../../../home-manager/hosts/iso;
};
};
# boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
# boot.supportedFilesystems = lib.mkForce ["bcachefs" "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs"];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
boot.supportedFilesystems = lib.mkForce ["bcachefs" "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs"];
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "25.11";
system.stateVersion = "24.11";
}

14
nixos/hosts/iso/secrets/sops.yaml
View file

@ -1,8 +1,9 @@
lillian-password: ENC[AES256_GCM,data:eQzZwGxK9Lw2gc8HDNw57odxPzTH4sa/2O97h3VAghRwLClmCYKT91kxj2F3kQ4iEctBl0GxdS4WoL3H9eE4/CAPffXdTmkdYg==,iv:2ezB4DNHFv5ceJ2gtATV12Azm3vFFDLX1qSSy+cKuMY=,tag:zxb5agUCDpi92bYV7+DmoA==,type:str]
ssh-private-key: ENC[AES256_GCM,data:YQ+9aKpBL9XYl0IBxpPttUli6/E25alUhO36dZwPPSIBLI1ehyczocQMxNRYNtB2xKYx4wPaYIndLBhj9VdTUgaOWUd2C6aU6YgXgFAsjgEwqVDZWRp7TrTHojtrS5HnJgfopx6EqPf/uljD9yQsOkubDDUbpYkpWX/3vixm9LJ1eRXxTxXW8D3O5OM2Z1NsqA7meVa1xhvWJokqS4sD5ntp1HT78Xmu62EweHQVGaznUvWZupYh0uCQd0tr6GVTZLHdyCdaFUGHRbRddBcljpBIRWaWkhIrkjejvptUZ4Ht/UN5XM5z+zfU3DxsDOxeJ7m83om9I3WdZSdq1aDXe+VFEfMrx/0QTk2LtAmOvujcN6wO7a77SD4Rpuvq8KH2CeKrwMLlFf2BeGIcGhvAhRYUVxtypM38DEdbf/7xIcw0vQP2zNZN4QWdukUInDndnAxMfbIXKpYI5OPRaZMTVui41hkS86LBfbd5RhTjyzrtIpVSq9XkKRX7d5i8Gcjb4ORpQvrNNYMo+TXCiLNTg3/q0My/jEhfjfTF,iv:EpKC9judTZ1+0Y2LC1OK2YzGH/orRpZNtE7O+ZZyU1E=,tag:S6ju/FkwIBbBA8YU3dRo1A==,type:str]
nextcloud-password: ENC[AES256_GCM,data:5u8j1wau5FewTe+t3YZ365Acfcrt09XDgCUNpDbuVKaNZIEW3gdR60XACQeAvsyQeznynILJnz7/txV2,iv:l1xYhUkQGdWYNNy1lG9xB5SgL9cn2FdzAs19iVCohlA=,tag:rT0flG+v9wd8jSUm8DrCjg==,type:str]
wg-private-key: ENC[AES256_GCM,data:3JpyscuzK4LG1lfM3oyQNBHy7BQ2WeTaSyaZoaNfS4U7KkpEaCp5EVLBYiY=,iv:odDG8xp+d+O4FuECfeCJn/z2ka4KSzSBvgBCmcMZ0S0=,tag:iPwnqgtap+i44Mru/S7TyA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
enc: |
@ -13,7 +14,8 @@ sops:
dXlaN3dWOUl4Mys2V0x3Z3F6UVU4MVUKEJYpX8XhSNcM+7aUuxnIwrokY0/29Cnh
yz0HAZkaj8FwvnPnafo5jmwVyi6WXECvX5E0NZfjKH4AF5vTu6Wukg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-14T18:00:16Z"
mac: ENC[AES256_GCM,data:NnX0hMrfeKJucgqgVUIUS0WOHerkDtKe3P+4vvWRCMX3eXg4Tsju8pZySZP7RSZX7+2W3OUHMOUuAum0YrVasTXuhm6jPvlbqvRnVXaVzCNheIUvTCF7LFeJEOQYKS5m8AiVKFRrxz+dGn90DSeijjajSePBjo8AnKyAOQEt1S8=,iv:1iJiqJU0vdDiWnJAYDlbOBBa9lBOODjjdlsRH54aTGI=,tag:JZtgVeLvFN6vcCZkRnuNcQ==,type:str]
lastmodified: "2024-03-20T18:17:48Z"
mac: ENC[AES256_GCM,data:3UHIoYPHC6n56CHguOVuoFd9VwCjGiD9VCYy2d5W+4XQEZpjnONX8fhwwWRm42COymz89tmqDmpDp88BnSU8uE14IaCIUoxfCaRiZtjAiHjouua2jr50aUV56pwyan8ZiiOjP8oP1VY/tsv1w0jWI9TjSTHvCdNLR8XEcf6bCrk=,iv:/lBJdkQgwZyiztQ9vSoHgY+WxXJKHFI93dxtOSunHNo=,tag:lLwrSdzoN9CzmyIdLOe5ig==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.8.1

210
nixos/hosts/queen/configuration.nix
View file

@ -3,7 +3,6 @@
outputs,
lib,
pkgs,
config,
...
}: {
imports = [
@ -14,8 +13,6 @@
# Or modules exported from other flakes (such as nix-colors):
# inputs.nix-colors.homeManagerModules.default
outputs.nixosModules.vpn-ip
# You can also split up your configuration and import pieces of it here:
# ./nvim.nix
./hardware-configuration.nix
@ -30,34 +27,15 @@
# ../../../disko/queen
];
preservation.enable = lib.mkForce false;
# services.anubis.instances.default.settings.TARGET = "http://localhost:8123";
# # required due to unix socket permissions
# users.users.nginx.extraGroups = [config.users.groups.anubis.name];
# services.nginx.virtualHosts."*.gladtherescake.eu" = {
# locations = {
# "/".proxyPass = "http://unix:${config.services.anubis.instances.default.settings.BIND}";
# };
# };
# services.nginx.virtualHosts."*.lillianviolet.dev" = {
# locations = {
# "/".proxyPass = "http://unix:${config.services.anubis.instances.default.settings.BIND}";
# };
# };
boot.tmp.cleanOnBoot = true;
zramSwap.enable = false;
services = {
openssh = {
enable = true;
settings = {
# require public key authentication for better security
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
};
};
networking.domain = "";
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "no";
};
nixpkgs = {
@ -72,8 +50,12 @@
};
};
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
sops.defaultSopsFile = ./secrets/sops.yaml;
environment.systemPackages = with pkgs; [
fzf
matrix-conduit
docker
docker-compose
gitea
@ -86,113 +68,78 @@
#jellyfin
#jellyfin-web
#jellyfin-ffmpeg
nextcloud-spreed-signaling
nats-server
nextcloud28
nginx
onlyoffice-documentserver
libressl
openssl
phanpy
postgresql_16
# python310
# python310Packages.nbconvert
janus-gateway
python310
python310Packages.nbconvert
jupyter
# rabbitmq-server
rabbitmq-server
roundcube
roundcubePlugins.contextmenu
roundcubePlugins.carddav
roundcubePlugins.custom_from
roundcubePlugins.persistent_login
roundcubePlugins.thunderbird_labels
youtube-dl
sqlite
rocksdb
];
services.vpn-ip = {
enable = false;
# Create an auto-update systemd service that runs every day
# system.autoUpgrade = {
# flake = "git+https://git.lillianviolet.dev/Lillian-Violet/NixOS-Config.git";
# dates = "daily";
# enable = true;
# };
# systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug";
# Enable networking
# networking.networkmanager.enable = true;
# networking.nat.enable = true;
# networking.nat.internalInterfaces = ["ve-+"];
# networking.nat.externalInterface = "ens18";
networking.enableIPv6 = lib.mkForce true;
networking.nameservers = ["2a02:c207::1:53" "2a02:c207::2:53"];
# networking.interfaces.ens18.ipv4.addresses = [
# {
# address = "62.171.160.195";
# prefixLength = 32;
# }
# ];
networking.interfaces.ens18.ipv6.addresses = [
{
address = "2a02:c207:2063:2448::1";
prefixLength = 64;
}
];
networking.defaultGateway6 = {
address = "fe80::1";
interface = "ens18";
};
systemd = {
services."upgrade-nextcloud" = {
path = [config.services.nextcloud.package];
enable = true;
unitConfig = {
after = "nextcloud-setup.service";
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${config.services.nextcloud.occ}/bin/nextcloud-occ upgrade";
RemainAfterExit = "yes";
};
};
timers."upgrade-nextcloud" = {
wantedBy = ["timers.target"];
partOf = ["upgrade-nextcloud.service"];
timerConfig = {
OnCalendar = "daily";
Unit = "nextcloud-setup.service";
};
};
};
networking = {
domain = "";
# Create an auto-update systemd service that runs every day
# system.autoUpgrade = {
# flake = "git+https://git.lillianviolet.dev/Lillian-Violet/NixOS-Config.git";
# dates = "daily";
# enable = true;
# };
# systemd.services.systemd-networkd.serviceConfig.Environment = "SYSTEMD_LOG_LEVEL=debug";
# Enable networking
# networking.networkmanager.enable = true;
# networking.nat.enable = true;
# networking.nat.internalInterfaces = ["ve-+"];
# networking.nat.externalInterface = "ens18";
enableIPv6 = lib.mkForce true;
nameservers = ["2a02:c207::1:53" "2a02:c207::2:53"];
# networking.interfaces.ens18.ipv4.addresses = [
# {
# address = "62.171.160.195";
# prefixLength = 32;
# }
# ];
interfaces.ens18.ipv6.addresses = [
{
address = "2a02:c207:2063:2448::1";
prefixLength = 64;
}
# Open ports in the firewall.
networking.firewall = {
enable = true;
allowPing = false;
allowedTCPPorts = [
22 # SSH
5349 # STUN tls
5350 # STUN tls alt
80 # http
443 # https
];
allowedUDPPortRanges = [
{
from = 49152;
to = 49999;
} # TURN relay
];
defaultGateway6 = {
address = "fe80::1";
interface = "ens18";
};
firewall = {
# Open ports in the firewall.
enable = true;
allowPing = false;
allowedTCPPorts = [
22 # SSH
5349 # STUN tls
5350 # STUN tls alt
80 # http
443 # https
];
allowedUDPPortRanges = [
{
from = 49152;
to = 49999;
} # TURN relay
];
};
hostName = "queen";
# Disable the server going through wireguard vpn for now
wireguard.enable = lib.mkForce false;
};
# networking.useNetworkd = true;
@ -225,15 +172,20 @@
# Enable completion of system packages by zsh
environment.pathsToLink = ["/share/zsh"];
boot = {
tmp.cleanOnBoot = true;
loader.grub = {
enable = true;
configurationLimit = 3;
home-manager = {
extraSpecialArgs = {inherit inputs outputs;};
users = {
# Import your home-manager configuration
lillian = import ../../../home-manager/hosts/queen;
};
loader.efi.canTouchEfiVariables = true;
};
networking.hostName = "queen";
boot.loader.grub.enable = true;
boot.loader.grub.configurationLimit = 3;
boot.loader.efi.canTouchEfiVariables = true;
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "26.05";
system.stateVersion = "24.11";
}

18
nixos/hosts/queen/secrets/sops.yaml
View file

@ -6,17 +6,18 @@ releaseCookie: ENC[AES256_GCM,data:oG8DcUP+gIm5xPzIJdmjrtX/TdrcS8IgeGJeu0oOmZb0/
mssqlpass: ENC[AES256_GCM,data:XEu4bQC5qM5Cm8UDVX3qAzTuL/t3xbx+qcEbZM4h3Hg=,iv:jgpZ93THYBlUvJDC5+YZiIxu/14e7nFSy76J0vc8Hek=,tag:iKsEDp/KZ5juqzmUgtP8iA==,type:str]
mailpassunhash: ENC[AES256_GCM,data:q/P3nrNLy3hCISDmalw94nzWIFhoCdCTyflj27D2Ltr8,iv:oAFna87l3sL/42ljUF1QsRL0xBrP82uYdKLxK/8HcQE=,tag:liFFGHbNPOpOHyMsjnvMOQ==,type:str]
rpcSecret: ENC[AES256_GCM,data:gOuQSY2RI6rnSnG1,iv:xz1ueq4/UOKYBs5r9Tk4jL0+GyX8uo8I8ZymVgIMKLI=,tag:Fr8rWIttLz7X8Pri6FBJBQ==,type:str]
wg-private-key: ENC[AES256_GCM,data:mq8QWoQ4tE4eYaFbwCzQnRREUFI2qrnmDnwurKMu6qdKkDylqc65E7jgGDI=,iv:r5RdcmfW4OaKlbbzUCPahONvpLcfZ7X7KcEEYFIYFDk=,tag:e93C4lByJV75JMHLJ02PfA==,type:str]
wg-private: ENC[AES256_GCM,data:6BEuNqqG//p5UhRmQ4RPEze6jZdvzK4PEXxlbX2ANYIhFpacj0aZnCr9o/A=,iv:tPlwYdV4I5oA8qG+bfVi1Dpbf7xedByantqsmylZXKQ=,tag:k1BqKqlayOWz5QW1XiAjqQ==,type:str]
lillian-password: ENC[AES256_GCM,data:tc+Romv2fL+tdqLLmbwqaF4IHrNZ0VEpnECmW/66FW7IUpjHMyS7YP+pmmvDCzM9afIXMxyPFHGNRwiCmxqstiiNeSeLdo6rDw==,iv:sGeu9aNTgdpThv+0Z/nZKIrat1xNgM0t/KTGPaFbsdI=,tag:kZBHF4X0KO9znog61NwU+Q==,type:str]
coturn-auth-secret: ENC[AES256_GCM,data:1K7WX5FGhF7+CRZs4SEVKogsGv/93IJVvLeMe6/d1dg3g5/6fQkRCVl1KicMUOsqUxMweUn5hUXSO1h/ruWvPA==,iv:0U/JoeVin2zTkyk60x2boUQRzGW+9swlbxP1ENCbAFQ=,tag:ll8WCgMNtun5Va0VpC81Tw==,type:str]
hpb-secret: ENC[AES256_GCM,data:I/64j3nA0BWW5YY4STMFzxnSKQ+TmiHvweIIGOMJvV4=,iv:zezsPPnKlVBVlrJeG4pGbtuiz1GEWLmQaZl1isNa+pk=,tag:YbTWLAjIIMDn5Jo43U0QtA==,type:str]
coturn-auth-secret: ENC[AES256_GCM,data:RYxyATuYIcrGd8h8Gc4CP9ZQ80ekuuwHehnOPYisHejmycgT8a2mWpk+5r3HkFmBNcLDeNlfnhIif5oLHGuHyw==,iv:M2GdNDxP4xpP35FJPTgljbcKpOm6DmEEnIYRItAxDVI=,tag:IiiNXeTi6Yja5PrnKRkhdA==,type:str]
grafana-telegraf-key: ENC[AES256_GCM,data:agpUzG1/n2NAKDt45IgelmDf0CUlC82fmD4f7JdcszNuUg7uCNA7XeaJ6PZtHQ==,iv:keo3i+qSbtXkA5fyCr2S5z9nJS9bXUn5WDiPgWocPU8=,tag:p/nDff10PRhi9pOszp1PnA==,type:str]
sync-secrets: ENC[AES256_GCM,data:AwCgqfSXmYVGnCV5PJ5Ql44IiutTS76F1H7Ow7gB4mQQ8PtiAsmArzpAXd7LzsXedm55X04U+GvkcbM9cwPcF+psyb3Zi8EnI/mjnI9MgFyySSEcosJZVAtCpXGIMyYgRXtF5OBh5CzupAG059d1TDAqrSpLXMuSDdypTaOMHxnlq5q1swfpzhhY3PVgUKVFXdjZLX8aF3JTE9ceVxFsB+traLzOQsl+QKty0x0mpuqR97zkMCchX7bTwgUgbl7phzTvmwV8Qw==,iv:gkZs5NB9+CLfz4kfV4ha2llZQPP81uuXRKqUlASgpiA=,tag:DXkiG0ZFHLHlVhwLwtv/XQ==,type:str]
writefreely: ENC[AES256_GCM,data:QOj5h/rHCxmgpPNhu3IS4eyruhQokHTJxW6yQM9YDgQ=,iv:qAd+/rAAanzL9FTIX22M+2kwI0WI2d3i86cJrn8MFBo=,tag:3zvpqnovDEoJdvK/qcFDuQ==,type:str]
writefreelymysql: ENC[AES256_GCM,data:1JZwIX04O3DBAo7JvEkeNrFcSdcmk/u4WUf/kkbr2JA=,iv:8H8MR8w1iLfl2r62EbxPnLzs4qWFmwB5gNKEaly8q6c=,tag:K01oKMXkeMOFs3u7frMs0Q==,type:str]
ssh-private-key: ENC[AES256_GCM,data:DK/ggskAyhvotRkf36oZBoPw3hGvVlXneqaJZRPwX2a3YVMy4zgDE3iN65UeR6mfkp9J3OmLejOHeWFB/bRCHY3oTW6GUuZljTe2rI1/x/d2s4zX5UPPEWcy3cXH25d72DzElQBEMDKuZyDe0OZ0/NkR//vEeXgoA2Nr/NKHlTWrq/t26DMD2Vt+kQ+S9b0hh4tgh3OP1lwRu9/mTJOmInd/86gKB9+aD9V0oFvNbMEmgbwIah+ZjQBHB7GEIwjUc/lLmc+3RSn9J0rICIhnhL7NTzHUDHkYd93Tm0L9UHIyi9Oco2sK8tuV5mTDM1OK8CbDg/5FICTQ0H4sstCrDNZd2wE4E1kaZuwYOyxpzQpWJY8jOxxw5oIE0IccvvptM/9vp+0f1F2RIDrkIdHSLpFbGZGvXNVAWlXyv+0qOYS7BGzD0KAh9f74GcAvULq36vdzBahb5e+CqT3JXESne8qhkpsP0G9Z1I1Fy0xpADx/9cTnAm5RmXTw/KBPmBA5IZYZBRbR/C+N7Xyxr7u9RcwFJdIbSpAeT/ew,iv:pHT7DtX1ab7boPboXRaSg9w/4sMgNraEswtEf2tBPkw=,tag:Fbw2/Evf4ZsLFMBPflf9CA==,type:str]
mollysocket-vapid-key: ENC[AES256_GCM,data:8N2hxY6WN6mCcjMIFsw/Vt1RoGvUbYxkVPOOn4WRjXZtEEkkVCIaNevozF4xCnBUEWIukNg8lZk8ake/pHAq,iv:+NHm3hSotcRPRjrwEe9xKnEeYbnUZqJEB1sd5B+tWIE=,tag:Pd2pnJqj771XqdqBREGzJQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
enc: |
@ -27,7 +28,8 @@ sops:
KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-04T13:04:56Z"
mac: ENC[AES256_GCM,data:ppQgyWY/4Kr8/Ag5x7wBv1RZAxky6Itf4sBBRIzJj8njzSDOPm0blcDHjIGesu9PwmjnnJihZivmWXj43pAjxf6p4FmtlBAIqLUjRIV7fR16VINo7dPx4Pv6+sw1uwFvLliD/FfKwYo2S+Lx0eQnOzW1p7RROpbQJQ8k7AUngKE=,iv:Pk8sPdAMzITgeeaoZHJc77ywp47DuB5A1Lx5pjtHXM0=,tag:JkMDnjYMPTFkyOiikA7ejA==,type:str]
lastmodified: "2024-08-16T13:34:43Z"
mac: ENC[AES256_GCM,data:IdQmx7/Y2fdQ9gBgKYCUZQuAVRqbP5KWG4EplO6pYqA8b5xzGnmCSCwyYIXU+3NExEZCEKEfX68mdYlWPRTKUdamOBdN+fQrGXwr5lw5dpKe03ccGw7Hayi0B4O8WbLEjw1RU50v2eoK9MpD5FPrUu1AzGz3+txxzV3hoxg6Sp0=,iv:WXvxAvg+sAKYbzjaz1QKDgVrnMraO3EtIgC12zb9Xi0=,tag:FmH84rGBotouvjCOq+xL8w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.9.0

261
nixos/hosts/shodan/configuration.nix
View file

@ -14,10 +14,9 @@
# Or modules exported from other flakes (such as nix-colors):
# inputs.nix-colors.homeManagerModules.default
outputs.nixosModules.vpn-ip
# Import the shared settings
../../desktop
../../shared
../../desktop/package-configs/firefox
# You can also split up your configuration and import pieces of it here:
# ./nvim.nix
@ -25,121 +24,66 @@
../../../disko/shodan
# ./auto-mount.nix
./auto-mount.nix
];
boot = {
tmp.cleanOnBoot = true;
loader = {
# TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
# tss group has access to TPM devices
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
systemd-boot.enable = lib.mkForce false;
systemd-boot.configurationLimit = 3;
timeout = 0;
efi.canTouchEfiVariables = true;
};
initrd.systemd.enable = true;
lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
};
consoleLogLevel = 0;
kernelParams = ["quiet" "udev.log_priority=0" "fbcon=vc:2-6" "console=tty0"];
plymouth.enable = true;
};
services = {
udev.extraRules = ''
KERNEL=="hidraw*", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*2DC8:*", MODE="0660", TAG+="uaccess"
SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2dc8", MODE="0666"
'';
vpn-ip = {
ip = "4";
};
openssh = {
enable = true;
settings = {
# require public key authentication for better security
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
};
};
desktopManager.plasma6.enable = true;
displayManager = {
# defaultSession = "plasma";
# sddm.wayland.enable = lib.mkForce true;
# sddm.settings = {
# Autologin = {
# Session = "plasma.desktop";
# User = "lillian";
# };
# };
};
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = false;
networking = {
domain = "";
networking.domain = "";
services.openssh.enable = true;
# Enable networking
networkmanager.enable = true;
firewall.enable = true;
firewall.interfaces."wg0".allowedTCPPorts = [8080];
firewall.interfaces."wg0".allowedUDPPorts = [8080];
firewall.allowedTCPPorts = [22 8080 8091 9090 9777 46899 46898];
firewall.allowedUDPPorts = [22 8080 8091 9090 9777 46899 46898];
hostName = "shodan";
nixpkgs = {
# You can add overlays here
overlays = [
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
xdg.portal.extraPortals = [pkgs.kdePackages.xdg-desktop-portal-kde];
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
sops.defaultSopsFile = ./secrets/sops.yaml;
environment.systemPackages = with pkgs; [
# Custom tools
auto-mount
#System:
btrfs-progs
decky-loader
jre8
# jellyfin-media-player
efitools
jq
noto-fonts
noto-fonts-emoji-blob-bin
noto-fonts-emoji
#rustdesk
sbctl
udisks
util-linux
waypipe
python3
protonup-qt
#KDE:
krunner-translator
kdePackages.discover
kdePackages.kcalc
kdePackages.kdepim-addons
kdePackages.kirigami
kdePackages.kdeconnect-kde
# kdePackages.krunner-ssh
# kdePackages.krunner-symbols
kdePackages.qtvirtualkeyboard
kdePackages.packagekit-qt
libportal
#Gaming:
heroic
legendary-gl
protontricks
rare
lutris
(kodi.withPackages (kodiPkgs:
with kodiPkgs; [
steam-controller
invidious
youtube
netflix
upnext
sponsorblock
sendtokodi
jellyfin
inputstream-adaptive
inputstreamhelper
inputstream-ffmpegdirect
upnext
sponsorblock
sendtokodi
routing
requests-cache
requests
plugin-cache
a4ksubtitles
]))
];
jovian = {
@ -152,23 +96,130 @@
decky-loader = {
enable = true;
package = pkgs.decky-loader-prerelease;
extraPackages = [pkgs.python3 pkgs.flatpak pkgs.uutils-findutils];
extraPackages = [pkgs.python3];
};
devices.steamdeck = {
enable = true;
autoUpdate = true;
};
steamos = {
enableAutoMountUdevRules = true;
enableGyroDsuService = true;
};
};
fonts.packages = [pkgs.ttf-ms-win10];
programs.steam = lib.mkForce {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
extest.enable = true;
};
hardware.graphics.enable32Bit = true; # Enables support for 32bit libs that steam uses
# Enable the X11 windowing system.
services.xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
services.desktopManager.plasma6.enable = true;
programs.kdeconnect.enable = true;
services.displayManager.defaultSession = "plasma";
services.displayManager.sddm.wayland.enable = lib.mkForce true;
services.displayManager.sddm.settings = {
Autologin = {
Session = "plasma.desktop";
User = "lillian";
};
};
# Enable flatpak support
services.flatpak.enable = true;
services.packagekit.enable = true;
# Configure keymap in X11
services.xserver = {
xkb.layout = "us";
xkb.variant = "";
};
# Enable networking
networking.networkmanager.enable = true;
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [22];
# # Enable automounting of removable media
# services.udisks2.enable = true;
# services.devmon.enable = true;
# services.gvfs.enable = true;
# environment.variables.GIO_EXTRA_MODULES = lib.mkForce ["${pkgs.gvfs}/lib/gio/modules"];
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable bluetooth hardware
hardware.bluetooth.enable = true;
# Enable fwupd daemon and user space client
services.fwupd.enable = true;
# Enable sound with pipewire.
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
programs.noisetorch = {
enable = true;
};
programs.git = {
enable = true;
};
users.users.lillian.extraGroups = ["decky" "tss" "input"];
# Enable completion of system packages by zsh
environment.pathsToLink = ["/share/zsh"];
home-manager = {
extraSpecialArgs = {inherit inputs outputs;};
users = {
# Import your home-manager configuration
lillian = import ../../../home-manager/hosts/shodan;
};
};
networking.hostName = "shodan";
security.tpm2.enable = true;
security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
# tss group has access to TPM devices
# Lanzaboote currently replaces the systemd-boot module.
# This setting is usually set to true in configuration.nix
# generated at installation time. So we force it to false
# for now.
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.initrd.systemd.enable = true;
boot.lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
boot.loader.systemd-boot.configurationLimit = 3;
boot.loader.timeout = 0;
boot.loader.efi.canTouchEfiVariables = true;
boot.consoleLogLevel = 0;
boot.kernelParams = ["quiet" "udev.log_priority=0" "fbcon=vc:2-6" "console=tty0"];
boot.plymouth.enable = true;
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "26.05";
system.stateVersion = "24.11";
}

16
nixos/hosts/shodan/secrets/sops.yaml
View file

File diff suppressed because one or more lines are too long

503
nixos/hosts/wheatley/configuration.nix
View file

@ -1,422 +1,127 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
lib,
pkgs,
inputs,
outputs,
lib,
config,
modulesPath,
pkgs,
...
}: {
imports = [
# inputs.nixos-hardware.nixosModules.raspberry-pi-4
(modulesPath + "/installer/sd-card/sd-image-aarch64.nix")
outputs.nixosModules.vpn-ip
inputs.home-manager.nixosModules.home-manager
./armv7l.nix
./hardware-configuration.nix
# Import shared settings
# Import shared configurations
../../shared
];
preservation.enable = lib.mkForce false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.loader.generic-extlinux-compatible.configurationLimit = 5;
boot.loader.grub.enable = false;
boot.tmp.cleanOnBoot = true;
hardware.enableRedistributableFirmware = true;
powerManagement.cpuFreqGovernor = "ondemand";
hardware.graphics.enable = true;
nixpkgs.overlays = [
(final: super: {
makeModulesClosure = x:
super.makeModulesClosure (x // {allowMissing = true;});
})
];
programs = {
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
command-not-found.enable = lib.mkForce false;
# nix-index.enable = true;
nix-index-database.comma.enable = true;
};
services = {
automatic-timezoned.enable = true;
# stubby = {
# enable = true;
# settings =
# pkgs.stubby.passthru.settingsExample
# // {
# upstream_recursive_servers = [
# {
# address_data = "94.140.14.49";
# tls_auth_name = "4b921896.d.adguard-dns.com";
# tls_pubkey_pinset = [
# {
# digest = "sha256";
# value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
# }
# ];
# }
# {
# address_data = "94.140.14.59";
# tls_auth_name = "4b921896.d.adguard-dns.com";
# tls_pubkey_pinset = [
# {
# digest = "sha256";
# value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
# }
# ];
# }
# {
# address_data = "2a10:50c0:0:0:0:0:ded:ff";
# tls_auth_name = "4b921896.d.adguard-dns.com";
# tls_pubkey_pinset = [
# {
# digest = "sha256";
# value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
# }
# ];
# }
# {
# address_data = "2a10:50c0:0:0:0:0:dad:ff";
# tls_auth_name = "4b921896.d.adguard-dns.com";
# tls_pubkey_pinset = [
# {
# digest = "sha256";
# value = "19HOzAWb2bgl7bo/b4Soag+5luf7bo6vlDN8W812k4U=";
# }
# ];
# }
# ];
# };
# };
openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "no";
};
davfs2.enable = true;
aria2 = {
enable = true;
settings = {
dir = "/var/lib/media";
rpc-listen-port = 6969;
};
rpcSecretFile = config.sops.secrets."rpcSecret".path;
};
dnsmasq = {
enable = true;
settings = {
interface = "wg1";
};
};
};
sops = {
# users.users = {
# ombi.extraGroups = ["radarr" "sonarr" "aria2"];
# };
# services.ombi = {
# enable = true;
# port = 2368;
# };
# users.users = {
# radarr.extraGroups = ["aria2"];
# sonarr.extraGroups = ["aria2"];
# };
# services = {
# #uses port 7878
# radarr.enable = true;
# #uses port 8989
# sonarr.enable = true;
# prowlarr.enable = true;
# };
secrets."webdav-secret" = {
mode = "0600";
path = "/etc/davfs2/secrets";
owner = config.users.users.root.name;
};
secrets."rpcSecret".mode = "0440";
secrets."rpcSecret".owner = config.users.users.aria2.name;
secrets."protonvpn-priv-key".mode = "0440";
secrets."protonvpn-priv-key".owner = config.users.users.root.name;
};
boot = {
kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
initrd.kernelModules = ["vc4" "bcm2835_dma" "i2c_bcm2835" "cma=256M" "console=tty0" "reset-raspberrypi"];
kernelParams = ["video=HDMI-A-1:1920x1080@60D"];
kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
};
};
sdImage.compressImage = false;
services.vpn-ip = {
enable = false;
};
services.stubby = {
enable = true;
settings =
pkgs.stubby.passthru.settingsExample
// {
upstream_recursive_servers = [
# kdig -d @194.242.2.4 +tls-ca +tls-host=base.dns.mullvad.net example.com
{
address_data = "192.242.2.4";
tls_auth_name = "base.dns.mullvad.net";
tls_pubkey_pinset = [
{
digest = "sha256";
value = "vRABi3U719mJG1E/XyyrJ+3K43XdmJB+XuzaKESPRSs=";
}
];
}
# kdig -d @2a07:e340::4 +tls-ca +tls-host=base.dns.mullvad.net example.com
{
address_data = "2a07:e340::4";
tls_auth_name = "base.dns.mullvad.net";
tls_pubkey_pinset = [
{
digest = "sha256";
value = "1ABYdzvvAq7Ec7+Wl5KrRcgPeXsIGLBU7I+89u94bcw=";
}
];
}
];
};
};
networking = {
hostName = "wheatley";
networkmanager.enable = true;
# Disable NetworkManager's internal DNS resolution
networkmanager.dns = "none";
# These options are unnecessary when managing DNS ourselves
useDHCP = false;
dhcpcd.enable = false;
# Configure DNS servers manually (this example uses Cloudflare and Google DNS)
# IPv6 DNS servers can be used here as well.
nameservers = [
"194.242.2.4"
"2a07:e340::4"
# boot.extraModulePackages = [
# (pkgs.callPackage ./rtl8189es.nix {
# kernel = config.boot.kernelPackages.kernel;
# })
# ];
nixpkgs = {
# You can add overlays here
overlays = [
];
wireguard.enable = true;
wg-quick.interfaces = {
# # "wg0" is the network interface name. You can name the interface arbitrarily.
# wg0 = {
# autostart = true;
# # Determines the IP address and subnet of the server's end of the tunnel interface.
# address = ["10.2.0.2/32"];
# # The port that WireGuard listens to. Must be accessible by the client.
# listenPort = 51820;
# dns = ["10.2.0.1"];
# # Path to the private key file.
# #
# # Note: The private key can also be included inline via the privateKey option,
# # but this makes the private key world-readable; thus, using privateKeyFile is
# # recommended.
# privateKeyFile = config.sops.secrets."protonvpn-priv-key".path;
# peers = [
# # List of allowed peers.
# {
# # Feel free to give a meaning full name
# # Public key of the peer (not a file path).
# publicKey = "/i7jCNpcqVBUkY07gVlILN4nFdvZHmxvreAOgLGoZGg=";
# # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
# allowedIPs = ["0.0.0.0/0"];
# endpoint = "146.70.86.114:51820";
# }
# ];
# };
# wg public key for host: A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=
# TODO: generate this dynamically based on other hosts
wg0 = {
address = ["10.73.141.73/32" "fc00:bbbb:bbbb:bb01::a:8d48/128"];
privateKeyFile = lib.mkForce config.sops.secrets."wg-private-key".path;
dns = ["100.64.0.7"];
extraOptions = {
FwMark = 51820;
};
listenPort = 51820;
postUp = ''
${pkgs.iproute2}/bin/ip rule add from 192.168.2.43 table main
${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -i end0 -j CONNMARK --set-mark 51820
${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -m connmark --mark 51820 -j MARK --set-mark 51820
'';
preDown = ''
${pkgs.iproute2}/bin/ip rule del from 192.168.2.43 table main
${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -i end0 -j CONNMARK --set-mark 51820
${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -m connmark --mark 51820 -j MARK --set-mark 51820
'';
peers = [
{
publicKey = "33BoONMGCm2vknq2eq72eozRsHmHQY6ZHEEZ4851TkY=";
allowedIPs = ["0.0.0.0/0" "::0/0"];
endpoint = "193.32.249.70:51820";
}
];
};
wg1 = {
# Determines the IP address and subnet of the server's end of the tunnel interface.
address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
# The port that WireGuard listens to. Must be accessible by the client.
listenPort = 51821;
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg1 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg1 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
'';
# Undo the above
preDown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg1 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
'';
privateKeyFile = lib.mkForce config.sops.secrets."wg-private-key".path;
extraOptions = {
FwMark = 51820;
};
peers = [
{
#GLaDOS public key
publicKey = "yieF2yQptaE3jStoaGytUnN+HLxyVhFBZIUOGUNAV38=";
allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
}
{
#EDI public key
publicKey = "i4nDZbU+a2k5C20tFJRNPVE1vhYKJwhoqGHEdeC4704=";
allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
}
{
#Shodan public key
publicKey = "Zah2nZDaHF8jpP5AtMA5bhE7t38fMB2UHzbXAc96/jw=";
allowedIPs = ["10.0.0.4/32" "fdc9:281f:04d7:9ee9::3/128"];
}
{
#ADA public key
publicKey = "SHu7xxRVWuqp4U4uipMoITKrFPWZATGsJevUeqBSzWo=";
allowedIPs = ["10.0.0.5/32" "fdc9:281f:04d7:9ee9::3/128"];
}
#Queen public key: FVTrYM7S2Ev2rGrYrHsG2et1/SU3UjEBQH2AOen4+04=
];
};
};
nat = {
# enable NAT
enable = true;
externalInterface = "end0";
internalInterfaces = ["wg1" "wg0"];
};
firewall = {
enable = true;
allowPing = false;
allowedTCPPorts = [
22 # SSH
5349 # STUN tls
5350 # STUN tls alt
80 # http
443 # https
51821 # wg
51820 # wg-mullvad
7878
53 # dnsmasq
];
allowedUDPPorts = [
53 #dnsmasq
];
allowedUDPPortRanges = [
{
from = 51820;
to = 51822; # wg
}
{
from = 49152;
to = 49999;
} # TURN relay
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
systemd.mounts = [
{
enable = true;
description = "Webdav mount point";
after = ["network-online.target"];
wants = ["network-online.target"];
what = "https://nextcloud.gladtherescake.eu/remote.php/dav/files/GLaDTheresCake";
where = "/home/kodi/nextcloud";
options = "uid=1002,gid=100,file_mode=0664,dir_mode=2775";
type = "davfs";
}
sops.defaultSopsFile = ./secrets/sops.yaml;
sops.secrets."wireless.env".mode = "0440";
sops.secrets."wireless.env".owner = config.users.users.root.name;
environment.systemPackages = with pkgs; [
age
git
htop
];
environment.systemPackages = [
pkgs.mpv-unwrapped
# (pkgs.kodi.withPackages (kodiPkgs:
# with kodiPkgs; [
# steam-controller
# invidious
# youtube
# netflix
# upnext
# sponsorblock
# sendtokodi
# jellyfin
# inputstream-adaptive
# inputstreamhelper
# inputstream-ffmpegdirect
# upnext
# sponsorblock
# sendtokodi
# routing
# requests-cache
# requests
# plugin-cache
# a4ksubtitles
# ]))
pkgs.iptables
boot.kernelParams = [
"console=ttyS0,115200n8"
];
users.extraUsers.kodi.isNormalUser = true;
services.cage.user = "kodi";
services.cage.program = "${pkgs.kodi-wayland}/bin/kodi-standalone";
services.cage.enable = true;
nixpkgs.config.kodi.enableAdvancedLauncher = true;
nix = {
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
# This will add each flake input as a registry
# To make nix3 commands consistent with your flake
registry = lib.mapAttrs (_: value: {flake = value;}) inputs;
system.stateVersion = "26.05";
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
# This will additionally add your inputs to the system's legacy channels
# Making legacy nix commands consistent as well, awesome!
nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
settings = {
# Enable flakes and new 'nix' command
experimental-features = "nix-command flakes";
# Deduplicate and optimize nix store
auto-optimise-store = true;
};
};
networking.wireless.enable = true;
networking.wireless.environmentFile = config.sops.secrets."wireless.env".path;
networking.wireless.networks."KPNAA6306" = {
hidden = true;
auth = ''
key_mgmt=WPA-PSK
password="@PSK_HOME@"
'';
};
networking.firewall.enable = true;
networking.firewall = {
allowedTCPPorts = [22 80 443 5335 8080];
allowedUDPPorts = [5335];
};
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
programs.zsh = {
enable = true;
};
programs.git = {
enable = true;
};
home-manager = {
extraSpecialArgs = {inherit inputs outputs;};
users = {
# Import your home-manager configuration
lillian = import ../../../home-manager/hosts/wheatley;
};
};
networking.hostName = "wheatley"; # Define your hostname
networking.wireless.interfaces = ["enu1u1"];
# powerManagement.cpuFreqGovernor = "powersave";
powerManagement.cpufreq.max = 648000;
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "unstable"; # Did you read the comment?
}

34
nixos/hosts/wheatley/hardware-configuration.nix
View file

@ -10,26 +10,40 @@
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci"];
boot.initrd.availableKernelModules = ["usbhid"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.supportedFilesystems = lib.mkForce ["btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs"];
swapDevices = [
{
device = "/swapfile";
size = 16 * 1024;
}
];
fileSystems = {
# Prior to 19.09, the boot partition was hosted on the smaller first partition
# Starting with 19.09, the /boot folder is on the main bigger partition.
# The following is to be used only with older images. Note such old images should not be considered supported anymore whatsoever, but if you installed back then, this might be needed
# "/boot" = {
# device = "/dev/disk/by-label/FIRMWARE";
# fsType = "vfat";
# };
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
swapDevices = [{device = "/dev/disk/by-uuid/b299ad0d-37a0-43d6-9647-5f717aca7b3";}];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
# networking.interfaces.enu1u1.useDHCP = lib.mkDefault true;
# networking.interfaces.ip6tnl0.useDHCP = lib.mkDefault true;
# networking.interfaces.sit0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
nixpkgs.hostPlatform = lib.mkDefault "armv7l-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

18
nixos/hosts/wheatley/secrets/sops.yaml
View file

@ -1,11 +1,10 @@
wireless.env: ENC[AES256_GCM,data:a5sUW0Lc4GRd9aUJwHbmQvzvRB8WaRjMSQ==,iv:+3ncL38E3aqbejoCzzeBtMukLk4n/AQBJELlqhXDqSA=,tag:buY9Mp10DAEEEKqSyHwB3g==,type:str]
lillian-password: ENC[AES256_GCM,data:cr+Dix1YWrCDHjw0tj4Lnyy6X/bp+/tLSfHteBOsVHhwNRMK6IjZDZtuyFtrqtxfG2VQcFk7cPSkXaK8IQYzG4iYoDBxHxzWOQ==,iv:L1U+dT9eSMpE/WwSA3o9LoYaqv9aErqjXzsADdK2Gk0=,tag:onsOAyulyrbJvayVoGGfgg==,type:str]
protonvpn-priv-key: ENC[AES256_GCM,data:s4LAq1Rqm+jGaK3OKcjIBCQYXPs3oEuTKJMAM+gFxIpZdwcJCIU7uyoCy6c=,iv:zoWv5u0xgJHldwdRGRv3bXI1kasaWQz1YD7wt0J890I=,tag:cFXnayZRq13UqP+XWuHnWw==,type:str]
rpcSecret: ENC[AES256_GCM,data:3tCZk2csB/ofxPc6,iv:NwT6k1hh73moH6eErT23/Dvwgb1wP/qIuoxXnCgNSao=,tag:nh0mFsh9I4R1baCL1oH+AA==,type:str]
webdav-secret: ENC[AES256_GCM,data:SDFyHaE+HprkguOmDfnzwQ/n5OYgbTpxcVl4FGiLcsItefbSDOIQg5l01fqVB8zv+rRGlPcyRrIn7KTPrTpBx7X4RNHfFK4FKKvAANt6z0e5pu1+wnoObWxTShCFjfFoRCLkoh/j/CmLFyFIafrI7rzZUhs=,iv:stygLmNVWXkZL5A0J83CKPefRr7TqXeygQVLszr28eY=,tag:9hss2c77JELSASnwUyAF4w==,type:str]
wg-private-key: ENC[AES256_GCM,data:5WGAAst0qVqn1siX3snkAhsSDhZaS33XHT44BfViWLZqvzw+OhPB/jkSr4U=,iv:yXfN50SM3OWdycINB8iWXtvCSS01NBTrGBs1kxd1j0M=,tag:yhjDY1AM5aQ6DFeFEjo2Mw==,type:str]
ssh-private-key: ENC[AES256_GCM,data:zbCR/+REHSN4BIQIXSOQjSRKYWhaXutdn4AE2zxmN44qHPzMI98c7/aX2KFhHOL+vKpgyhhR6JAGVTF5Jk72lmIHwDvwvwx+gLXgpZH1KEK3nTUdwUVcqBDsVB4Na5rTsHMWmRH+NxV7n+3nSQo/Byi0Jb602IPXRNREL+0toCbHon27/o2uIy4uzbsEWZu6N2hadzQCtXmHJM2dqmbKvpADt04TQ4wAcZ6wB0538g5WdtOSU6T1xcBBSDU7MNEVP7e7dUPKJWK79cI+RrzpGIh/da7cM6exSBRas711oL6woH4Hi3G6Yjd1rPxBPt1+/qq45gm/4UvjQywn/1s7BInCe9/5vJLn3TEzuUd96CsT36vEsxMeOekXf50Ntu6Xr02bnFRwUBm76BVGAggwGf/khRNJuLw0xHsCdeKzHsPD0efe5mHTJw8mB3M6vDhO6e3g6E3uRjjBaDnrPuHuD4NE1kCjQTTJh3NbuT2Ab55lhpSOEK+f0Ik2qZgKzALvJhn+MILjXSfP/hXgiwBeP4dkTY3fOcpmnPyS,iv:ojh2hzVzJFy1kvvo/WvaIpMpGT+b9aSC+L8L0iwhF1o=,tag:bHOj/fxDn/qUmp1eijLPuw==,type:str]
lillian-password: ENC[AES256_GCM,data:GY7WyfLRc/q4fecnazWzfoZsruN/F0ar7mJ9RaqTHSb9K6xhEmifmJeqpR5xGIJYW6MYciCsZ9YmRsJbuSHTIlo9PrCTYBGvXg==,iv:bzml3abPox3RdvtKBQiBAcVXHUdGAn0ETMsDpBtT8T0=,tag:2iaBJ4hFFBUbonslTvQH5Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
enc: |
@ -16,7 +15,8 @@ sops:
Vm9mWk5JRGtZNVVhN1JQWTBlb2kySkEKoLI1MzS3uGNUbyn7kI5DylKZiPtc1div
bKIboWoobTfDt0EURfmZ5+JrX6DlZxRyNQyl9dsKmZT6pLdaIppStA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-08T19:47:05Z"
mac: ENC[AES256_GCM,data:G7YCN4C0fpNLoZLHqagDWqrnTSkWDOjNbs7F/P8Fn/s/U9HBC8gHWktAM41h8MT853t3kF38SoTOD59nno+an9EECoSkWJy66agdrNM3/NZHz7aTbDmlw1EsrFjh8HeleLIwrwrNkQiJuakPjbplvIhFAtNZsFoErDtd5xnHy6c=,iv:A5DCVRUa99xmeDnAoCQR15oIJOjkR/A1aqadLWZGbwg=,tag:YXvBLwXGoE64ZqUTEORX9A==,type:str]
lastmodified: "2024-02-22T11:57:45Z"
mac: ENC[AES256_GCM,data:V9vscu55woZjJGFV3aDgdHKqmIopYw6cajdOHG1/45Qel6l5YJkt8VyLMzYlUOlFGatXBlfTB7VC9zhhaY4lduww2XLrARcTk61BT+GSHp5sawND+RIDghY6CJBuoPUbtsfmmlmg+J2DljBlSbrcVmvfjMV12Ql6Zb8PEPM9K68=,iv:TFrDt1XpuIFLUyDN6+8n+0OypBkr1OrZOmXWvnY9ApI=,tag:EfsFhToEGFCZJSXh0WBrIw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.11.0
version: 3.8.1

56
nixos/server/package-configs/caddy/default.nix
View file

@ -1,56 +0,0 @@
{config, ...}: {
services.phpfpm.pools.nextcloud.settings = {
"listen.owner" = config.services.caddy.user;
"listen.group" = config.services.caddy.group;
};
users.users.caddy.extraGroups = ["nextcloud"];
services.caddy = {
enable = true;
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"${config.services.nextcloud.hostName}" = {
useACMEHost = "${config.services.nextcloud.hostName}";
extraConfig = ''
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/webfinger /index.php/.well-known/webfinger 301
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
encode gzip
reverse_proxy localhost:9000
header Strict-Transport-Security max-age=31536000;
@forbidden {
path /.htaccess
path /data/*
path /config/*
path /db_structure
path /.xml
path /README
path /3rdparty/*
path /lib/*
path /templates/*
path /occ
path /console.php
}
handle @forbidden {
respond 404
}
handle {
root * /var/www/html
php_fastcgi 127.0.0.1:9000 {
# Tells nextcloud to remove /index.php from URLs in links
env front_controller_active true
}
file_server
}
'';
};
"onlyoffice.gladtherescake.eu" = {
};
};
};
}

19
nixos/server/package-configs/conduit/default.nix
View file

@ -1,6 +1,7 @@
{
config,
pkgs,
inputs,
...
}: let
# You'll need to edit these values
@ -28,14 +29,18 @@
}
'';
in {
# Configure continuwuity itself
services.matrix-continuwuity = {
# Configure Conduit itself
services.matrix-conduit = {
enable = true;
# This causes NixOS to use the flake defined in this repository instead of
# the build of Conduit built into nixpkgs.
package = inputs.conduwuit.packages.${pkgs.system}.default;
settings.global = {
inherit server_name;
database_backend = "rocksdb";
allow_registration = false;
# emergency_password = "testpassword";
turn_uris = ["turn:turn.gladtherescake.eu.url?transport=udp" "turn:turn.gladtherescake.eu?transport=tcp"];
turn_secret = "cPKWEn4Fo5TAJoE7iX3xeVOaMVE4afeRN1iRGWYfbkWbkaZMxTpnmazHyH6c6yXT";
well_known = {
@ -91,7 +96,7 @@ in {
];
locations."/_matrix/" = {
proxyPass = "http://backend_continuwuity";
proxyPass = "http://backend_conduit";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
@ -111,7 +116,6 @@ in {
locations."=/.well-known/matrix/client" = {
# Use the contents of the derivation built previously
alias = "${well_known_client}";
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${server_name}\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://${server_name}\"}}'";
extraConfig = ''
# Set the header since by default NGINX thinks it's just bytes
@ -125,7 +129,6 @@ in {
proxyPass = "http://matrix.gladtherescake.eu/client/unstable/org.matrix.msc3575/sync";
proxyWebsockets = true;
recommendedProxySettings = false;
return = "200 '{\"contacts\": [{\"matrix_id\": \"@admin:server.name\", \"email_address\": \"admin@server.name\", \"role\": \"m.role.admin\"}]}'";
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
@ -139,9 +142,9 @@ in {
};
upstreams = {
"backend_continuwuity" = {
"backend_conduit" = {
servers = {
"[::1]:${toString config.services.matrix-continuwuity.settings.global.port}" = {};
"[::1]:${toString config.services.matrix-conduit.settings.global.port}" = {};
};
};
};

2
nixos/server/package-configs/coturn/default.nix
View file

@ -5,7 +5,7 @@
services.coturn = {
enable = true;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
static-auth-secret = "cPKWEn4Fo5TAJoE7iX3xeVOaMVE4afeRN1iRGWYfbkWbkaZMxTpnmazHyH6c6yXT";
realm = "turn.gladtherescake.eu";
relay-ips = [
"62.171.160.195"

Some files were not shown because too many files have changed in this diff Show more