Lillian-Violet/NixOS-Config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: Lillian-Violet:main
Branches Tags
Lillian-Violet:main
Lillian-Violet:stylix-fixed
Lillian-Violet:Desktop-changes
Lillian-Violet:bcachefs-update-broken-queen
Lillian-Violet:fcast
Lillian-Violet:2.0
Lillian-Violet:v1.0
..
compare: Lillian-Violet:stylix-fixed
Branches Tags
Lillian-Violet:main
Lillian-Violet:stylix-fixed
Lillian-Violet:Desktop-changes
Lillian-Violet:bcachefs-update-broken-queen
Lillian-Violet:fcast
Lillian-Violet:2.0
Lillian-Violet:v1.0

1 commit
main ... stylix-fix

Author SHA1 Message Date
Lillian-Violet
e4839e4d2e all the work to make stylix work again, just need to update the flake lock when it's time 2025-04-01 17:26:15 +02:00
107 changed files with 2304 additions and 4977 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.envrc Normal file
View file

@ -0,0 +1 @@
use flake "git+https://git.lillianviolet.dev/Lillian-Violet/dev-templates.git?dir=nix"

21
README.md
View file

@ -18,11 +18,11 @@ if you don't want to use [sops](https://github.com/Mic92/sops-nix) secret manage
Upon any of the above changes; also remove/replace the secret files, they can be found under the host configuration folders in Upon any of the above changes; also remove/replace the secret files, they can be found under the host configuration folders in
``hosts/<hostname>/secrets/sops.yaml`` ``hosts/<hostname>/secrets/sops.yaml``
For the hosts EDI and GLaDOS, [lanzaboote](https://github.com/nix-community/lanzaboote) has to be disabled (and re-enabled if you want secure boot after install). You can first replace enabling lanzaboot with systemd-boot. You can do this by commenting out the lanzaboote configuration, and replace the line For the hosts EDI and GLaDOS, [lanzaboot](https://github.com/nix-community/lanzaboote) has to be disabled (and re-enabled if you want secure boot after install). You can first replace enabling lanzaboot with systemd-boot. You can do this by commenting out the lanzaboot configuration, and replace the line
``boot.loader.systemd-boot.enable = lib.mkForce false;`` with ``boot.loader.systemd-boot.enable = true`` ``boot.loader.systemd-boot.enable = lib.mkForce false;`` with ``boot.loader.systemd-boot.enable = true``
To turn secure boot back on again you can look at the [lanzaboote](https://github.com/nix-community/lanzaboote) repository and follow the install steps. To turn secure boot back on again you can look at the [lanzaboot](https://github.com/nix-community/lanzaboote) repository and follow the install steps.
Then run this command with your cloned github repo (I put mine in /etc/nixos): Then run this command with your cloned github repo (I put mine in /etc/nixos):
@ -46,22 +46,8 @@ To test if your build succeeds the basic checks and can start building the artif
Note: this does not build the full configuration, and errors might still happen in deployment, especially for dependencies that rely on external services like webservers to be called. For obvious reasons the test building does not actually pull in all the artifacts, and does not make external calls aside from to the package files (You will need a built nix store, or a connection to the git repository that hosts your packages, like an internet connection to github, to make the test run) Note: this does not build the full configuration, and errors might still happen in deployment, especially for dependencies that rely on external services like webservers to be called. For obvious reasons the test building does not actually pull in all the artifacts, and does not make external calls aside from to the package files (You will need a built nix store, or a connection to the git repository that hosts your packages, like an internet connection to github, to make the test run)
## Post installation
I have made a few commands for post installation (and for an iso installer to use) that make life a bit easier, they are automatically added to the [$PATH](https://en.wikipedia.org/wiki/PATH_(variable)). The commands will automatically inhibit sleep and standby so you don't have to worry about them getting interrupted.
| Command | Effect |
| ------------- | ------------- |
| rebuild | Use the latest version of the repo and do a nixos-rebuild switch on it to upgrade your system. |
| update | Update the flake lock in the repo, run a test to see if nothing breaks, and then push the flake lock update done to the repo. |
| upgrade | Run update and rebuild one after the other, useful for a quick upgrade. |
| install | Run a script that automatically lets you select a host to format the disks with disko, install nixos on that disk, and deploy the entire configuration. (useful for instal USBs) |
## Technical details ## Technical details
### Project structure
The project is set up to
### [Home manager](https://github.com/nix-community/home-manager) ### [Home manager](https://github.com/nix-community/home-manager)
Home manager is imported as a module within the global configuration, it is therefor not needed to build home-manager packages separately in this configuration. On multi user systems it might be useful to pull the home-manager configurations from separate repos for different users, so you don't have to give your users access to the global configuration. Home manager is imported as a module within the global configuration, it is therefor not needed to build home-manager packages separately in this configuration. On multi user systems it might be useful to pull the home-manager configurations from separate repos for different users, so you don't have to give your users access to the global configuration.
@ -71,6 +57,3 @@ The secrets are managed in sops files within the hosts folders, there is only on
``nix-shell -p sops --run "sops ./nixos/hosts/<hostname>/secrets/sops.yaml"`` ``nix-shell -p sops --run "sops ./nixos/hosts/<hostname>/secrets/sops.yaml"``
This requires your system to have the keyfile available for sops to use, by default sops looks in the sops/age folder in your user folder for a keys.txt file with the private key. You can change this behaviour by setting the **\$SOPS_AGE_KEY_FILE** environment variable, or setting the **\$SOPS_AGE_KEY** environment variable to the key itself. This requires your system to have the keyfile available for sops to use, by default sops looks in the sops/age folder in your user folder for a keys.txt file with the private key. You can change this behaviour by setting the **\$SOPS_AGE_KEY_FILE** environment variable, or setting the **\$SOPS_AGE_KEY** environment variable to the key itself.
### [Just](https://github.com/casey/just)
This repo uses just as a command runner for setting up and building the nixos files more easily. The programs needed to run all the commands are nix, just, and nom (nix output monitor). The commands you can use can be found in the justfile (named justfile in the root of this repo). This is purely for convenience, it doesn't add anything you could not manually do, it just automates a lot of steps.

88
disko/GLaDOS/default.nix
View file

@ -1,9 +1,9 @@
{ {
disko.devices = { disko.devices = {
disk = { disk = {
main = { sda1 = {
type = "disk"; type = "disk";
device = "/dev/disk/by-path/pci-0000:01:00.0-nvme-1"; device = "/dev/disk/by-path/pci-0000:06:00.0-ata-6";
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {
@ -14,14 +14,16 @@
type = "filesystem"; type = "filesystem";
format = "vfat"; format = "vfat";
mountpoint = "/boot"; mountpoint = "/boot";
mountOptions = ["umask=0077"]; mountOptions = [
"defaults"
];
}; };
}; };
nvme_luks = { luks = {
size = "100%"; size = "100%";
content = { content = {
type = "luks"; type = "luks";
name = "nvme_crypted"; name = "crypted";
extraOpenArgs = []; extraOpenArgs = [];
settings = { settings = {
# if you want to use the key for interactive login be sure there is no trailing newline # if you want to use the key for interactive login be sure there is no trailing newline
@ -29,37 +31,54 @@
#keyFile = "/tmp/secret.key"; #keyFile = "/tmp/secret.key";
allowDiscards = true; allowDiscards = true;
}; };
#additionalKeyFiles = ["/tmp/additionalSecret.key"];
content = { content = {
type = "btrfs"; type = "lvm_pv";
extraArgs = ["-f"]; vg = "pool";
subvolumes = { };
"/root" = { };
};
};
};
};
#sdc = {
#device = "/dev/disk/by-path/pci-0000:06:00.0-ata-2";
#type = "disk";
#content = {
#type = "gpt";
#partitions = {
#root = {
#size = "100%";
#content = {
#type = "filesystem";
#format = "ext4";
#mountpoint = "/media";
#};
#};
#};
#};
#};
};
lvm_vg = {
pool = {
type = "lvm_vg";
lvs = {
swap = {
size = "16G";
content = {
type = "swap";
resumeDevice = true; # resume from hiberation from this device
};
};
root = {
size = "100%FREE";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/"; mountpoint = "/";
mountOptions = ["subvol=root" "compress=zstd:1" "noatime" "ssd" "discard=async" "space_cache=v2" "commit=120"]; mountOptions = [
}; "defaults"
"/home" = { ];
mountpoint = "/home";
mountOptions = ["subvol=home" "compress=zstd:1" "noatime" "ssd" "discard=async" "space_cache=v2" "commit=120" "autodefrag"];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = ["subvol=nix" "compress=zstd:1" "noatime" "ssd" "discard=async" "space_cache=v2" "commit=120" "nodatacow" "nodatasum"];
};
"/persist" = {
mountpoint = "/persistent";
mountOptions = ["subvol=persistent" "compress=zstd:1" "noatime" "ssd" "discard=async" "space_cache=v2" "commit=120"];
};
"/log" = {
mountpoint = "/var/log";
mountOptions = ["subvol=log" "compress=zstd:1" "noatime" "ssd" "discard=async" "space_cache=v2" "commit=120" "nodatacow" "nodatasum"];
};
"/swap" = {
mountpoint = "/swap";
swap.swapfile.size = "8G";
};
};
};
};
}; };
}; };
}; };
@ -70,7 +89,6 @@
fsType = "tmpfs"; fsType = "tmpfs";
mountOptions = [ mountOptions = [
"size=4G" "size=4G"
"uid=1000"
]; ];
}; };
}; };

577
flake.lock generated
View file

File diff suppressed because it is too large Load diff

58
flake.nix
View file

@ -13,11 +13,11 @@
disko.url = "github:nix-community/disko"; disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs"; disko.inputs.nixpkgs.follows = "nixpkgs";
# bcachefs-tools = { bcachefs-tools = {
# url = "github:koverstreet/bcachefs-tools"; url = "github:koverstreet/bcachefs-tools";
# inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
# inputs.flake-parts.follows = "flake-parts"; inputs.flake-parts.follows = "flake-parts";
# }; };
flake-parts = { flake-parts = {
url = "github:hercules-ci/flake-parts"; # Flake parts for easy flake management url = "github:hercules-ci/flake-parts"; # Flake parts for easy flake management
@ -33,7 +33,11 @@
# catpuccin theme # catpuccin theme
catppuccin.url = "github:catppuccin/nix"; catppuccin.url = "github:catppuccin/nix";
# Conduwuit fork after it shut down # Conduit fork without all the fuss and drama
# conduwuit = {
# url = "github:girlbossceo/conduwuit";
# inputs.nixpkgs.follows = "nixpkgs";
# };
# Nix index database files # Nix index database files
nix-index-database.url = "github:nix-community/nix-index-database"; nix-index-database.url = "github:nix-community/nix-index-database";
@ -70,15 +74,12 @@
zjstatus.url = "github:dj95/zjstatus"; zjstatus.url = "github:dj95/zjstatus";
# preservation
preservation.url = "github:nix-community/preservation";
# Fix for steam cursor not being visible under wayland # Fix for steam cursor not being visible under wayland
# Add any other flake you might need # Add any other flake you might need
# hardware.url = "github:nixos/nixos-hardware"; # hardware.url = "github:nixos/nixos-hardware";
# Stylix theming engine # Stylix theming engine
stylix.url = "github:nix-community/stylix"; stylix.url = "github:danth/stylix";
}; };
outputs = { outputs = {
@ -98,16 +99,10 @@
jovian, jovian,
nixos-hardware, nixos-hardware,
nix-index-database, nix-index-database,
preservation, # conduwuit,
stylix, stylix,
... ...
} @ inputs: let } @ inputs: let
supportedSystems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];
forEachSupportedSystem = f:
nixpkgs.lib.genAttrs supportedSystems (system:
f {
pkgs = import nixpkgs {inherit system;};
});
inherit (self) outputs; inherit (self) outputs;
inherit (inputs) nixpkgs-edge; inherit (inputs) nixpkgs-edge;
# Supported systems for your flake packages, shell, etc. # Supported systems for your flake packages, shell, etc.
@ -134,11 +129,9 @@
catppuccin.nixosModules.catppuccin catppuccin.nixosModules.catppuccin
stylix.nixosModules.stylix stylix.nixosModules.stylix
nix-index-database.nixosModules.nix-index nix-index-database.nixosModules.nix-index
preservation.nixosModules.preservation
{programs.nix-index-database.comma.enable = true;}
{ {
home-manager.sharedModules = [ home-manager.sharedModules = [
catppuccin.homeModules.catppuccin inputs.catppuccin.homeModules.catppuccin
./home-manager/shared ./home-manager/shared
sops-nix.homeManagerModules.sops sops-nix.homeManagerModules.sops
]; ];
@ -149,18 +142,12 @@
./nixos/desktop ./nixos/desktop
{ {
home-manager.sharedModules = [ home-manager.sharedModules = [
inputs.plasma-manager.homeModules.plasma-manager inputs.plasma-manager.homeManagerModules.plasma-manager
./home-manager/desktop ./home-manager/desktop
]; ];
} }
]; ];
in { in {
devShells = forEachSupportedSystem ({pkgs}: {
default = pkgs.mkShell {
packages = with pkgs; [nom just git];
};
});
# Your custom packages # Your custom packages
# Accessible through 'nix build', 'nix shell', etc # Accessible through 'nix build', 'nix shell', etc
packages = forAllSystems (system: packages = forAllSystems (system:
@ -185,18 +172,6 @@
# NixOS configuration entrypoint # NixOS configuration entrypoint
# Available through 'nixos-rebuild --flake .#your-hostname' # Available through 'nixos-rebuild --flake .#your-hostname'
nixosConfigurations = { nixosConfigurations = {
# nixIso = nixpkgs.lib.nixosSystem {
# system = "x86_64-linux";
# specialArgs = {inherit inputs outputs;};
# modules =
# sharedModules
# ++ desktopModules
# ++ [
# ./nixos/hosts/iso/configuration.nix
# "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-base.nix"
# ];
# };
EDI = nixpkgs.lib.nixosSystem { EDI = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
@ -220,6 +195,7 @@
++ desktopModules ++ desktopModules
++ [ ++ [
{_module.args = {inherit pkgs-edge;};} {_module.args = {inherit pkgs-edge;};}
jovian.nixosModules.jovian
# > Our main nixos configuration file < # > Our main nixos configuration file <
./nixos/hosts/GLaDOS/configuration.nix ./nixos/hosts/GLaDOS/configuration.nix
lanzaboote.nixosModules.lanzaboote lanzaboote.nixosModules.lanzaboote
@ -244,7 +220,6 @@
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
modules = modules =
sharedModules sharedModules
++ desktopModules
++ [ ++ [
{_module.args = {inherit pkgs-edge;};} {_module.args = {inherit pkgs-edge;};}
# > Our main nixos configuration file < # > Our main nixos configuration file <
@ -253,7 +228,7 @@
jovian.nixosModules.jovian jovian.nixosModules.jovian
{ {
home-manager.sharedModules = [ home-manager.sharedModules = [
inputs.plasma-manager.homeModules.plasma-manager inputs.plasma-manager.homeManagerModules.plasma-manager
]; ];
} }
]; ];
@ -265,7 +240,6 @@
modules = modules =
sharedModules sharedModules
++ [ ++ [
{_module.args = {inherit pkgs-edge;};}
./nixos/hosts/wheatley/configuration.nix ./nixos/hosts/wheatley/configuration.nix
]; ];
}; };

59
home-manager/desktop/default.nix
View file

@ -13,8 +13,8 @@
# You can also split up your configuration and import pieces of it here: # You can also split up your configuration and import pieces of it here:
# ./nvim.nix # ./nvim.nix
./package-configs/plasma-desktop ./package-configs/plasma-desktop.nix
./package-configs/firefox ./package-configs/firefox.nix
./package-configs/konsole ./package-configs/konsole
./package-configs/foot ./package-configs/foot
./package-configs/freetube ./package-configs/freetube
@ -60,6 +60,7 @@
# }) # })
]; ];
config = { config = {
permittedInsecurePackages = ["cinny-4.2.3" "cinny-unwrapped-4.2.3" "cinny-4.2.2" "cinny-unwrapped-4.2.2"];
# Configure your nixpkgs instance # Configure your nixpkgs instance
# Disable if you don't want unfree packages # Disable if you don't want unfree packages
@ -134,19 +135,6 @@
source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/.mozilla/firefox"; source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/.mozilla/firefox";
target = ".floorp"; target = ".floorp";
}; };
librewolf = {
source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/.mozilla/firefox";
target = ".librewolf";
};
steam = {
source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/.local/share/Steam/";
target = "Steam";
};
# instances = {
# source = config.lib.file.mkOutOfStoreSymlink "/home/lillian/Nextcloud/instances";
# target = ".local/share/PrismLauncher/instances";
# force = true;
# };
}; };
# Add stuff for your user as you see fit: # Add stuff for your user as you see fit:
@ -158,6 +146,7 @@
direnv direnv
git git
git-credential-manager git-credential-manager
git-credential-manager
ruff ruff
# Chat applications: # Chat applications:
@ -167,7 +156,8 @@
# Gaming: # Gaming:
prismlauncher prismlauncher
heroic steam
gamescope
# Multimedia: # Multimedia:
vlc vlc
@ -175,7 +165,7 @@
fcast-client fcast-client
# Office applications: # Office applications:
onlyoffice-desktopeditors onlyoffice-bin
gimp gimp
thunderbird thunderbird
@ -184,14 +174,31 @@
flameshot flameshot
fzf fzf
nextcloud-client nextcloud-client
# nitrokey-app nitrokey-app
# protonvpn-gui protonvpn-gui
virtualbox virtualbox
#watchmate #watchmate
qbittorrent qbittorrent
# Theming:
catppuccin-cursors
(catppuccin-kde.override {
flavour = ["macchiato"];
accents = ["mauve"];
})
catppuccin-sddm-corners
# Theming:
catppuccin-cursors
(catppuccin-kde.override {
flavour = ["macchiato"];
accents = ["mauve"];
})
catppuccin-sddm-corners
# Web browsing: # Web browsing:
firefoxpwa firefoxpwa
firefoxpwa
ungoogled-chromium ungoogled-chromium
]; ];
}; };
@ -216,12 +223,6 @@
# ]; # ];
# }; # };
chromium = {
extensions = [
{id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";}
];
};
obs-studio.enable = true; obs-studio.enable = true;
obs-studio.plugins = with pkgs.obs-studio-plugins; [ obs-studio.plugins = with pkgs.obs-studio-plugins; [
wlrobs wlrobs
@ -233,11 +234,9 @@
home-manager.enable = true; home-manager.enable = true;
git = { git = {
enable = true; enable = true;
settings = { userEmail = "git@lillianviolet.dev";
user = { userName = "Lillian-Violet";
name = "Lillian-Violet"; extraConfig = {
email = "git@lillianviolet.dev";
};
init = { init = {
defaultBranch = "main"; defaultBranch = "main";
}; };

50
home-manager/desktop/package-configs/firefox/default.nix → home-manager/desktop/package-configs/firefox.nix
View file

@ -1,16 +1,11 @@
{pkgs, ...}: { {pkgs, ...}: {
stylix.targets.firefox.profileNames = ["lillian"];
programs.firefox = { programs.firefox = {
enable = true; enable = true;
nativeMessagingHosts = [pkgs.firefoxpwa]; nativeMessagingHosts = [pkgs.firefoxpwa];
package = pkgs.librewolf; package = pkgs.floorp;
profiles.default = {isDefault = false;};
profiles.lillian = { profiles.lillian = {
isDefault = true; isDefault = true;
id = 1;
settings = { settings = {
"sidebar.verticalTabs" = true;
"sidebar.visibility" = "expand-on-hover";
"browser.aboutConfig.showWarning" = false; "browser.aboutConfig.showWarning" = false;
"browser.bookmarks.addedImportButton" = true; "browser.bookmarks.addedImportButton" = true;
"browser.bookmarks.restore_default_bookmarks" = false; "browser.bookmarks.restore_default_bookmarks" = false;
@ -81,7 +76,7 @@
bookmarks = [ bookmarks = [
{ {
name = "PoE2 build sorceres"; name = "PoE2 build sorceres";
tags = ["PoE" "PoE2" "path of exile" "path of exile 2" "games" "guides" "build" "sorcerer" "sorceress"]; tags = ["PoE" "PoE2" "path of exile" "path of exile 2" "games" "guides" "build" "sorcerer" "sorceres"];
url = "https://maxroll.gg/poe2/planner/caeye0hz"; url = "https://maxroll.gg/poe2/planner/caeye0hz";
} }
{ {
@ -91,47 +86,6 @@
} }
]; ];
} }
{
name = "Cooking";
toolbar = false;
bookmarks = [
{
name = "Maldivian chili paste";
tags = ["cooking" "maldives" "maldivian]" "chili paste" "chili" "spicy" "food" "sauce" "recipes"];
url = "https://maldivescook.com/recipe/lonumirus/";
}
{
name = "Samosas";
tags = ["cooking" "india" "fried" "baked" "snack" "pastry" "samosa"];
url = "https://www.indianhealthyrecipes.com/samosa-recipe-make-samosa/";
}
{
name = "Baojiang Tofu";
tags = ["lava tofu" "tofu" "China" "Yunnan" "vegan" "cooking" "oven" "baked"];
url = "https://tofu.theclubb.co/post/baojiang-tofu-test-kitchen-aka-lava-tofu";
}
{
name = "Sticky Toffee Pudding";
tags = ["baking" "UK" "England" "dessert" "treat" "snack" "baked" "sweet" "treacle" "dates"];
url = "https://www.latimes.com/recipe/sticky-toffee-pudding-moju";
}
{
name = "Vegan Pumpkin Cheesecake";
tags = ["baking" "vegan" "US" "cheesecake" "cake" "dessert" "sweet" "baked" "pumpkin" "cream cheese"];
url = "https://www.karissasvegankitchen.com/vegan-pumpkin-cheesecake/";
}
{
name = "Vegan Cheesecake";
tags = ["baking" "US" "vegan" "cheesecake" "cake" "dessert" "sweet" "baked" "nut free" "cream cheese"];
url = "https://www.noracooks.com/vegan-cheesecake/";
}
{
name = "Biscotti";
tags = ["baking" "Italian" "cookies" "sweet" "dessert" "fruits" "nuts" "almonds" "cranberries" "lemon"];
url = "https://italianchef.org/the-ultimate-guide-to-homemade-italian-biscotti-recipes-tips-and-variations/";
}
];
}
]; ];
}; };
}; };

1
home-manager/desktop/package-configs/foot/default.nix
View file

@ -4,6 +4,7 @@
# catppuccin.enable = true; # catppuccin.enable = true;
settings = { settings = {
main = { main = {
font = "Atkinson Monolegible:size=12";
}; };
mouse = { mouse = {

6
home-manager/desktop/package-configs/freetube/settings.db
View file

@ -1,6 +1,6 @@
{"_id":"allowDashAv1Formats","value":true} {"_id":"allowDashAv1Formats","value":true}
{"_id":"barColor","value":true} {"_id":"barColor","value":true}
{"_id":"baseTheme","value":"catppuccinMacchiatto"} {"_id":"baseTheme","value":"catppuccinMocha"}
{"_id":"bounds","value":{"x":0,"y":66,"width":2560,"height":1374,"maximized":true,"fullScreen":false}} {"_id":"bounds","value":{"x":0,"y":66,"width":2560,"height":1374,"maximized":true,"fullScreen":false}}
{"_id":"defaultQuality","value":"1080"} {"_id":"defaultQuality","value":"1080"}
{"_id":"fetchSubscriptionsAutomatically","value":false} {"_id":"fetchSubscriptionsAutomatically","value":false}
@ -14,10 +14,10 @@
{"_id":"hideSubscriptionsVideos","value":true} {"_id":"hideSubscriptionsVideos","value":true}
{"_id":"hideTrendingVideos","value":true} {"_id":"hideTrendingVideos","value":true}
{"_id":"landingPage","value":"history"} {"_id":"landingPage","value":"history"}
{"_id":"mainColor","value":"CatppuccinMacchiattoMauve"} {"_id":"mainColor","value":"CatppuccinMochaMauve"}
{"_id":"playNextVideo","value":false} {"_id":"playNextVideo","value":false}
{"_id":"quickBookmarkTargetPlaylistId","value":"favorites"} {"_id":"quickBookmarkTargetPlaylistId","value":"favorites"}
{"_id":"secColor","value":"CatppuccinMacchiattoMauve"} {"_id":"secColor","value":"CatppuccinMochaMauve"}
{"_id":"showDistractionFreeTitles","value":true} {"_id":"showDistractionFreeTitles","value":true}
{"_id":"useDeArrowThumbnails","value":true} {"_id":"useDeArrowThumbnails","value":true}
{"_id":"useDeArrowTitles","value":true} {"_id":"useDeArrowTitles","value":true}

4
home-manager/desktop/package-configs/konsole/Catppuccin.profile
View file

@ -6,7 +6,3 @@ Name=Catppuccin
Parent=FALLBACK/ Parent=FALLBACK/
StartInCurrentSessionDir=true StartInCurrentSessionDir=true
TerminalRows=30 TerminalRows=30
[Scrolling]
HistoryMode=2
ScrollBarPosition=2

4
home-manager/desktop/package-configs/konsole/konsolerc
View file

@ -15,7 +15,3 @@ ToolBarsMovable=Disabled
[UiSettings] [UiSettings]
ColorScheme= ColorScheme=
[Notification Messages]
CloseAllEmptyTabs=true
CloseAllTabs=true

1185
home-manager/desktop/package-configs/plasma-desktop.nix Normal file
View file

File diff suppressed because it is too large Load diff

321
home-manager/desktop/package-configs/plasma-desktop/default.nix
View file

@ -1,321 +0,0 @@
{
osConfig,
pkgs,
config,
lib,
...
}: {
#TODO remove this after the bug fixed
programs.plasma.startup.desktopScript."panels".preCommands = lib.mkForce ''
sleep 3
[ -f ${config.xdg.configHome}/plasma-org.kde.plasma.desktop-appletsrc ] && rm ${config.xdg.configHome}/plasma-org.kde.plasma.desktop-appletsrc
'';
#TODO: make the creation of the command file easier, for now this is a nice solution though
systemd.user.services."set-kde-connect-commands" = {
Install = {
WantedBy = ["default.target"];
};
Service = {
Type = "oneshot";
ExecStart = "${pkgs.writeShellScript "set-kde-connect-commands" ''
#!/run/current-system/sw/bin/bash
find ${config.home.homeDirectory}/.config/kdeconnect/ -type d -name 'kdeconnect_runcommand' -execdir cp -rf ${builtins.toPath ./kde-connect-commands} {}/ \; -execdir mv -f {}/kde-connect-commands {}/config \;
''}";
RemainAfterExit = true;
};
};
home.file = {
".config/kdeconnect/config" = {
text = ''
[General]
keyAlgorithm=EC
name=${osConfig.networking.hostName}
customDevices=10.0.0.2,10.0.0.3,10.0.0.4,10.0.0.5
'';
target = ".config/kdeconnect/config";
force = true;
};
"Games/.directory" = {
text = ''
[Desktop Entry]
Icon=folder-games
'';
target = "Games/.directory";
force = true;
};
"Code/.directory" = {
text = ''
[Desktop Entry]
Icon=folder-script
'';
target = "Code/.directory";
force = true;
};
"Writing/.directory" = {
text = ''
[Desktop Entry]
Icon=folder-notes
'';
target = "Writing/.directory";
force = true;
};
"mimeapps.list" = {
text = ''
[Added Associations]
x-scheme-handler/http=librewolf.desktop;
x-scheme-handler/https=librewolf.desktop;
[Default Applications]
x-scheme-handler/discord=vesktop.desktop
x-scheme-handler/http=librewolf.desktop;
x-scheme-handler/https=librewolf.desktop;
x-scheme-handler/sgnl=signal.desktop
x-scheme-handler/signalcaptcha=signal.desktop
x-scheme-handler/email=thunderbird.desktop
x-scheme-handler/text=helix.desktop
'';
target = ".config/mimeapps.list";
force = true;
};
"librewolf.desktop" = {
target = ".config/autostart/librewolf.desktop";
source = "${pkgs.librewolf}/share/applications/librewolf.desktop";
};
"signal.desktop" = {
target = ".config/autostart/signal.desktop";
source = "${pkgs.signal-desktop}/share/applications/signal.desktop";
};
"org.kde.konsole.desktop" = {
target = ".config/autostart/org.kde.konsole.desktop";
source = "${pkgs.kdePackages.konsole}/share/applications/org.kde.konsole.desktop";
};
"vesktop.desktop" = {
target = ".config/autostart/vesktop.desktop";
source = "${pkgs.vesktop}/share/applications/vesktop.desktop";
};
"thunderbird.desktop" = {
target = ".config/autostart/thunderbird.desktop";
source = "${pkgs.thunderbird}/share/applications/thunderbird.desktop";
};
"com.nextcloud.desktopclient.nextcloud.desktop" = {
target = ".config/autostart/com.nextcloud.desktopclient.nextcloud.desktop";
source = "${pkgs.nextcloud-client}/share/applications/com.nextcloud.desktopclient.nextcloud.desktop";
};
};
programs.plasma = {
# workspace = {
# lookAndFeel = "Catppuccin-Macchiato-Mauve";
# colorScheme = "CatppuccinMacchiatoMauve";
# cursor.theme = "catppuccin-macchiato-mauve-cursors";
# };
enable = true;
desktop.mouseActions.verticalScroll = "switchVirtualDesktop";
kscreenlocker.appearance.wallpaper = "${osConfig.stylix.image}";
input.keyboard.options = ["caps:none,compose:caps"];
kwin = {
nightLight = {
enable = true;
mode = "location";
location = {
longitude = "4.88969";
latitude = "52.37403";
};
temperature = {
night = 2400;
};
};
effects = {
wobblyWindows.enable = true;
zoom.mouseTracking = "centered";
};
virtualDesktops = {
number = 4;
rows = 2;
};
};
fonts = {
fixedWidth = {
pointSize = 11;
family = "${osConfig.stylix.fonts.monospace.name}";
};
general = {
pointSize = 11;
family = "${osConfig.stylix.fonts.serif.name}";
};
menu = {
pointSize = 11;
family = "${osConfig.stylix.fonts.sansSerif.name}";
};
small = {
pointSize = 11;
family = "${osConfig.stylix.fonts.sansSerif.name}";
};
toolbar = {
pointSize = 11;
family = "${osConfig.stylix.fonts.sansSerif.name}";
};
windowTitle = {
pointSize = 11;
family = "${osConfig.stylix.fonts.sansSerif.name}";
};
};
panels = [
{
alignment = "left";
floating = true;
height = 38;
location = "top";
screen = "all";
widgets = [
"org.kde.plasma.appmenu"
"org.kde.plasma.panelspacer"
"org.kde.milou"
"org.kde.plasma.panelspacer"
"org.kde.plasma.colorpicker"
{
systemTray.items = {
# We explicitly show bluetooth and battery
shown = [
"org.kde.plasma.volume"
"org.kde.plasma.bluetooth"
"org.kde.plasma.brightness"
"org.kde.plasma.devicenotifier"
"org.kde.kscreen"
"org.kde.kdeconnect"
"org.kde.plasma.networkmanagement"
"org.kde.plasma.battery"
"org.kde.plasma.clipboard"
"org.kde.plasma.mediacontroller"
"org.kde.plasma.notifications"
"org.kde.plasma.weather"
];
# And explicitly hide networkmanagement and volume
hidden = [
"Xwayland Video Bridge_pipewireToXProxy"
"org.kde.plasma.devicenotifier"
"org.kde.plasma.keyboardindicator"
"org.kde.plasma.keyboardlayout"
"org.kde.kscreen"
"org.kde.plasma.printmanager"
"chrome_status_icon_1"
"proton-vpn-app"
"Nitrokey App"
"qBittorrent"
"vlc"
"obs"
"steam"
"nitrokey-app"
];
};
}
{
digitalClock = {
calendar.firstDayOfWeek = "monday";
time.format = "24h";
date = {
enable = true;
format = "isoDate";
position = "belowTime";
};
timeZone.selected = ["Europe/Amsterdam"];
};
}
"org.kde.plasma.lock_logout"
];
}
{
alignment = "center";
floating = true;
height = 44;
hiding = "autohide";
maxLength = 1920;
minLength = 1200;
location = "bottom";
screen = "all";
widgets = [
"org.kde.plasma.kickoff"
"org.kde.plasma.panelspacer"
{
name = "org.kde.plasma.icontasks";
config = {
General = {
launchers = [
"applications:librewolf.desktop"
"applications:systemsettings.desktop"
"applications:org.kde.dolphin.desktop"
"applications:signal.desktop"
"applications:vesktop.desktop"
"applications:thunderbird.desktop"
"applications:steam.desktop"
"applications:noisetorch.desktop"
"applications:org.kde.plasma-systemmonitor.desktop"
"applications:org.kde.konsole.desktop"
"applications:freetube.desktop"
];
};
};
}
"org.kde.plasma.panelspacer"
"org.kde.plasma.minimizeall"
];
}
];
shortcuts = {
"kmix"."decrease_volume_small" = "Shift+Volume Down";
"kmix"."increase_volume_small" = "Shift+Volume Up";
"kwin"."Window One Desktop Down" = "Meta+Ctrl+Shift+Down";
"kwin"."Window One Desktop Up" = "Meta+Ctrl+Shift+Up";
"kwin"."Window One Desktop to the Left" = "Meta+Ctrl+Shift+Left";
"kwin"."Window One Desktop to the Right" = "Meta+Ctrl+Shift+Right";
"kwin"."Window Operations Menu" = "Alt+F3";
"kwin"."Window Quick Tile Bottom" = "Meta+Down";
"kwin"."Window Quick Tile Left" = "Meta+Left";
"kwin"."Window Quick Tile Right" = "Meta+Right";
"kwin"."Window Quick Tile Top" = "Meta+Up";
"kwin"."Window to Next Screen" = "Meta+Shift+Right";
"kwin"."Window to Previous Desktop" = "none,,Window to Previous Desktop";
"kwin"."Window to Previous Screen" = "Meta+Shift+Left";
"org_kde_powerdevil"."Decrease Screen Brightness" = ["Monitor Brightness Down" "Ctrl+Volume Down"];
"org_kde_powerdevil"."Decrease Screen Brightness Small" = ["Monitor Brightness Down" "Ctrl+Shift+Volume Down"];
"org_kde_powerdevil"."Increase Screen Brightness" = ["Monitor Brightness Up" "Ctrl+Volume Up"];
"org_kde_powerdevil"."Increase Screen Brightness Small" = ["Shift+Monitor Brightness Up" "Ctrl+Shift+Volume Up"];
"services/org.kde.krunner.desktop"."_launch" = ["Alt+Space" "Alt+F2" "Ctrl+Shift+Space" "Search"];
"services/org.kde.plasma-systemmonitor.desktop"."_launch" = "Ctrl+Esc";
"services/org.kde.spectacle.desktop"."ActiveWindowScreenShot" = ["Meta+Print" "Ctrl+!"];
"services/org.kde.spectacle.desktop"."CurrentMonitorScreenShot" = "Ctrl+#";
"services/org.kde.spectacle.desktop"."FullScreenScreenShot" = ["Ctrl+$" "Shift+Print"];
"services/org.kde.spectacle.desktop"."OpenWithoutScreenshot" = "Ctrl+^";
"services/org.kde.spectacle.desktop"."RectangularRegionScreenShot" = ["Ctrl+@" "Meta+Shift+Print"];
"services/org.kde.spectacle.desktop"."WindowUnderCursorScreenShot" = ["Meta+Ctrl+Print" "Ctrl+%"];
"services/org.kde.spectacle.desktop"."_launch" = "Print";
"services/services.org.kde.plasma-systemmonitor.desktop"."_launch" = "Ctrl+Esc";
"services/services.org.kde.spectacle.desktop"."ActiveWindowScreenShot" = ["" "" "" "" "" "" "Meta+Print" "Ctrl+!"];
"services/services.org.kde.spectacle.desktop"."CurrentMonitorScreenShot" = "Ctrl+#";
"services/services.org.kde.spectacle.desktop"."FullScreenScreenShot" = ["" "" "" "" "" "" "Ctrl+$" "Shift+Print"];
"services/services.org.kde.spectacle.desktop"."OpenWithoutScreenshot" = "Ctrl+^";
"services/services.org.kde.spectacle.desktop"."RecordWindow" = [];
"services/services.org.kde.spectacle.desktop"."RectangularRegionScreenShot" = ["" "" "" "" "" "" "Ctrl+@" "Meta+Shift+Print"];
"services/services.org.kde.spectacle.desktop"."WindowUnderCursorScreenShot" = ["" "" "" "" "" "" "Meta+Ctrl+Print" "Ctrl+%"];
"services/services.org.kde.spectacle.desktop"."_launch" = "Print";
"services/services.services.org.kde.plasma-systemmonitor.desktop"."_launch" = "Ctrl+Esc";
"services/services.services.org.kde.spectacle.desktop"."ActiveWindowScreenShot" = ["" "" "" "" "" "" "" "Meta+Print" "Ctrl+!"];
"services/services.services.org.kde.spectacle.desktop"."CurrentMonitorScreenShot" = "Ctrl+#";
"services/services.services.org.kde.spectacle.desktop"."FullScreenScreenShot" = ["" "" "" "" "" "" "" "Ctrl+$" "Shift+Print"];
"services/services.services.org.kde.spectacle.desktop"."OpenWithoutScreenshot" = "Ctrl+^";
"services/services.services.org.kde.spectacle.desktop"."RecordWindow" = [];
"services/services.services.org.kde.spectacle.desktop"."RectangularRegionScreenShot" = ["" "" "" "" "" "" "" "Ctrl+@" "Meta+Shift+Print"];
"services/services.services.org.kde.spectacle.desktop"."WindowUnderCursorScreenShot" = ["" "" "" "" "" "" "" "Meta+Ctrl+Print" "Ctrl+%"];
"services/services.services.org.kde.spectacle.desktop"."_launch" = "Print";
};
configFile = {
kwinrc = {
Plugins.rememberwindowpositionsEnabled = true;
Script-rememberwindowpositions = {
restoreType = 3;
whitelist = "org.mozilla.firefox\nfirefox\nlibrewolf\nkonsole\nvesktop\nsignal-dekstop\nthunderbird";
};
};
};
};
}

2
home-manager/desktop/package-configs/plasma-desktop/kde-connect-commands
View file

@ -1,2 +0,0 @@
[General]
commands="@ByteArray({\"2574d457_7a99_40a3_8239_24407c7a074d\":{\"command\":\"loginctl unlock-session\",\"name\":\"unlock\"},\"2bbbb9cc_892a_44a1_b097_27b149387511\":{\"command\":\"bluetoothctl disconnect 38:18:4C:11:56:99\",\"name\":\"disconnect headset\"},\"35ad74aa_c1f0_4dd7_a392_2b2676105b62\":{\"command\":\"systemctl hibernate\",\"name\":\"hibernate\"},\"5dd755de_e098_4907_982d_bedba5c3511d\":{\"command\":\"loginctl lock-session\",\"name\":\"lock\"},\"6423946a_b13e_4127_a0d0_0ca38e79fa0f\":{\"command\":\"bluetoothctl connect 38:18:4C:11:56:99\",\"name\":\"connect headset\"},\"690a4134_162b_4851_83a4_bf75722c699a\":{\"command\":\"systemctl suspend\",\"name\":\"suspend\"},\"99ae3913_1757_4ed0_ad7e_91c6f5d740ef\":{\"command\":\"qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \\\"mute\\\"\",\"name\":\"mute\"},\"b11480dd_19f7_49c0_9dcc_3065ddc5150b\":{\"command\":\"qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \\\"mic_mute\\\"\",\"name\":\"mute mic\"},\"bd36530a_9ed5_4345_989d_189c27b3ce00\":{\"command\":\"systemctl reboot\",\"name\":\"reboot\"},\"cf6180f7_e4bd_4f15_a9d1_19ed14e99913\":{\"command\":\"file=\\\"$HOME/Images/WebcamImage_$(date \\\"+%Y%m%d_%H%M%S\\\").jpg\\\"; ffmpeg -f video4linux2 -s 1280x720 -i /dev/video0 -ss 0:0:2 -frames 1 \\\"${file}\\\" && kdeconnect-cli -d $(kdeconnect-cli -a --id-only) --share \\\"${file}\\\"\",\"name\":\"webcam to phone\"},\"d31a3cab_bb6a_459d_89fb_533d0d8fec61\":{\"command\":\"systemctl poweroff\",\"name\":\"shutdown\"},\"f08e1a64_53be_41da_b942_e05e45f1d69c\":{\"command\":\"qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \\\"decrease_volume\\\"\",\"name\":\"volume down\"},\"fbd67152_2a58_4d5d_a210_982fa0eeb171\":{\"command\":\"qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \\\"increase_volume\\\"\",\"name\":\"volume up\"},\"fc3adde9_7049_4166_bcda_a74d13ec91eb\":{\"command\":\"file=/tmp/$(hostname)_$(date \\\"+%Y%m%d_%H%M%S\\\").png; spectacle -bo \\\"${file}\\\" && while ! [ -f \\\"${file}\\\" ]; do sleep 0.5; done && kdeconnect-cli -d $(kdeconnect-cli -a --id-only) --share \\\"${file}\\\"\",\"name\":\"screenshot to phone\"}})"

4
home-manager/hosts/EDI/lillian.nix
View file

@ -16,10 +16,8 @@
]; ];
home.packages = with pkgs; [ home.packages = with pkgs; [
lutris
android-tools
]; ];
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "26.05"; home.stateVersion = "25.05";
} }

38
home-manager/hosts/GLaDOS/lillian.nix
View file

@ -1,10 +1,6 @@
# This is your home-manager configuration file # This is your home-manager configuration file
# Use this to configure your home environment (it replaces ~/.config/nixpkgs/home.nix) # Use this to configure your home environment (it replaces ~/.config/nixpkgs/home.nix)
{ {pkgs, ...}: {
pkgs,
config,
...
}: {
# You can import other home-manager modules here # You can import other home-manager modules here
imports = [ imports = [
# If you want to use modules your own flake exports (from modules/home-manager): # If you want to use modules your own flake exports (from modules/home-manager):
@ -21,43 +17,15 @@
home.packages = with pkgs; [ home.packages = with pkgs; [
r2modman r2modman
ryubing ryujinx
lutris lutris
vscodium
unrar
intiface-central
]; ];
home.file = {
nextcloud = {
source = config.lib.file.mkOutOfStoreSymlink "/run/media/lillian/big-SSD/Nextcloud/";
target = "Nextcloud";
};
};
programs.mangohud = { programs.mangohud = {
enable = true; enable = true;
# enableSessionWide = true; # enableSessionWide = true;
}; };
programs.plasma.configFile.kwinrc = {
"Tiling/Desktop_1/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0;
"Tiling/Desktop_1/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_1/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0;
"Tiling/Desktop_1/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_2/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0;
"Tiling/Desktop_2/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_2/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0;
"Tiling/Desktop_2/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_3/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0;
"Tiling/Desktop_3/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_3/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0;
"Tiling/Desktop_3/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_4/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0;
"Tiling/Desktop_4/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
"Tiling/Desktop_4/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0;
"Tiling/Desktop_4/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}";
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "26.05"; home.stateVersion = "25.05";
} }

1
home-manager/hosts/iso/id_ed25519.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeZHHAEoUh/Ly9F1xUSPZLPNE0Yh/wM2qWgKvlEBa8A lillian@GLaDOS

4
home-manager/hosts/iso/lillian.nix
View file

@ -11,11 +11,13 @@
# You can also split up your configuration and import pieces of it here: # You can also split up your configuration and import pieces of it here:
# ./nvim.nix # ./nvim.nix
../../desktop
../../shared
]; ];
home.packages = with pkgs; [ home.packages = with pkgs; [
]; ];
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "25.11"; home.stateVersion = "25.05";
} }

2
home-manager/hosts/queen/id_ed25519.pub
View file

@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGtwcWXnwOOI8G3NqAMfTeuSuDk9ly5xqwQDH2Iey3u+ lillian@queen ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINl+QRyKBYm+sx0hUiD2u6FBdT7aXsZBGUxm4cb7r24k lillian@GLaDOS

2
home-manager/hosts/queen/lillian.nix
View file

@ -35,5 +35,5 @@
}; };
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "26.05"; home.stateVersion = "25.05";
} }

2
home-manager/hosts/shodan/id_ed25519.pub
View file

@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL279XPFj1nzLDozFclntPh8rOcn3d1B5iJNGds9Ray6 lillian@shodan ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKRT5MqPrYUhhD5rJFp0PQbkTRtGcNaCaTxEkZw9RiVT lillian@GLaDOS

76
home-manager/hosts/shodan/lillian.nix
View file

@ -12,8 +12,13 @@
# You can also split up your configuration and import pieces of it here: # You can also split up your configuration and import pieces of it here:
# ./nvim.nix # ./nvim.nix
../../desktop/package-configs/plasma-desktop.nix
../../desktop/package-configs/firefox.nix
../../desktop/package-configs/konsole
../../desktop/package-configs/foot
../../desktop/package-configs/freetube
../../desktop/package-configs/vesktop
../../shared ../../shared
../../desktop
]; ];
nixpkgs = { nixpkgs = {
# You can add overlays here # You can add overlays here
@ -28,17 +33,82 @@
# }); # });
# }) # })
]; ];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
home = {
username = "lillian";
homeDirectory = "/home/lillian";
}; };
home.packages = with pkgs; [ home.packages = with pkgs; [
#Chat:
vesktop
#Gaming: #Gaming:
prismlauncher prismlauncher
r2modman r2modman
ryubing ryujinx
# Multimedia:
freetube
obs-studio
vlc
fcast-receiver
fcast-client
# System tools:
rage
flameshot
fzf
nextcloud-client
nitrokey-app
protonvpn-gui
sops
#watchmate
qbittorrent
zsh
# Theming:
catppuccin-cursors
(catppuccin-kde.override {
flavour = ["macchiato"];
accents = ["mauve"];
})
catppuccin-plymouth
catppuccin-sddm-corners
# Web browsing:
firefox
ungoogled-chromium
]; ];
programs = {
# # Automount services for user
# programs.bashmount.enable = true;
# services.udiskie = {
# enable = true;
# automount = true;
# notify = false;
# tray = "never";
# };
# Enable home-manager and git
home-manager.enable = true;
git = {
enable = true;
userEmail = "git@lillianviolet.dev";
userName = "Lillian-Violet";
signing.format = "ssh";
};
};
# Make the kde screenlock not require a password :) # Make the kde screenlock not require a password :)
programs.plasma.kscreenlocker.passwordRequired = false; programs.plasma.kscreenlocker.passwordRequired = false;
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "26.05"; home.stateVersion = "25.05";
} }

2
home-manager/hosts/wheatley/id_ed25519.pub
View file

@ -1 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxXVL6QAiMLwvUYBtXCbkHEh6ENgaEO/rkZWSPJrjLJ lillian@wheatley ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMrmRjLF2tVkWeV7EOgUiF77Q9t+rBziRAdOPo92pyvF lillian@GLaDOS

2
home-manager/hosts/wheatley/lillian.nix
View file

@ -35,5 +35,5 @@
}; };
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
home.stateVersion = "26.05"; home.stateVersion = "25.05";
} }

46
home-manager/kde-connect-commands.json Normal file
View file

@ -0,0 +1,46 @@
[
{
"command": "systemctl poweroff",
"name": "shutdown"
},
{
"command": "systemctl reboot",
"name": "reboot"
},
{
"command": "systemctl suspend",
"name": "suspend"
},
{
"command": "systemctl hibernate",
"name": "hibernate"
},
{
"command": "loginctl lock-session",
"name": "lock"
},
{
"command": "loginctl unlock-session",
"name": "unlock"
},
{
"command": "qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \"mute\"",
"name": "mute"
},
{
"command": "qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \"mic_mute\"",
"name": "mute mic"
},
{
"command": "file=/tmp/$(hostname)_$(date \"+%Y%m%d_%H%M%S\").png; spectacle -bo \"${file}\" && while ! [ -f \"${file}\" ]; do sleep 0.5; done && kdeconnect-cli -d $(kdeconnect-cli -a --id-only) --share \"${file}\"",
"name": "screenshot to phone"
},
{
"command": "file=\"$HOME/Images/WebcamImage_$(date \"+%Y%m%d_%H%M%S\").jpg\"; ffmpeg -f video4linux2 -s 1280x720 -i /dev/video0 -ss 0:0:2 -frames 1 \"${file}\" && kdeconnect-cli -d $(kdeconnect-cli -a --id-only) --share \"${file}\"",
"name": "webcam to phone"
},
{
"command": "",
"name": ""
}
]

85
home-manager/shared/default.nix
View file

@ -1,6 +1,7 @@
{ {
pkgs, pkgs,
osConfig, osConfig,
lib,
... ...
}: { }: {
imports = [ imports = [
@ -12,7 +13,6 @@
./shell/eza.nix ./shell/eza.nix
./shell/hyfetch.nix ./shell/hyfetch.nix
]; ];
home = { home = {
username = "lillian"; username = "lillian";
homeDirectory = "/home/lillian"; homeDirectory = "/home/lillian";
@ -21,8 +21,18 @@
target = ".ssh/id_ed25519.pub"; target = ".ssh/id_ed25519.pub";
force = true; force = true;
}; };
};
packages = with pkgs; [ catppuccin = {
flavor = "macchiato";
btop.enable = true;
cache.enable = true;
chromium.enable = true;
freetube.enable = true;
freetube.flavor = "macchiato";
};
home.packages = with pkgs; [
# System tools: # System tools:
vscode-langservers-extracted vscode-langservers-extracted
sops sops
@ -34,19 +44,7 @@
navi navi
nil nil
gh gh
starship
zellij
]; ];
};
catppuccin = {
flavor = "macchiato";
btop.enable = true;
cache.enable = true;
chromium.enable = true;
freetube.enable = true;
freetube.flavor = "macchiato";
};
programs = { programs = {
navi.enable = true; navi.enable = true;
yazi = { yazi = {
@ -56,36 +54,33 @@
# }; # };
}; };
}; };
# stylix.enable = true;
# qt.platformTheme.name = lib.mkForce "kvantum";
# qt.style.name = lib.mkForce "kvantum";
# stylix = { stylix = {
# enable = true; enable = true;
# autoEnable = true; autoEnable = true;
# base16Scheme = { base16Scheme = {
# scheme = "Catppuccin Macchiato"; scheme = "Catppuccin Macchiato";
# author = "https://github.com/catppuccin/catppuccin"; author = "https://github.com/catppuccin/catppuccin";
# base00 = "24273a"; base00 = "24273a";
# base01 = "1e2030"; base01 = "1e2030";
# base02 = "363a4f"; base02 = "363a4f";
# base03 = "494d64"; base03 = "494d64";
# base04 = "5b6078"; base04 = "5b6078";
# base05 = "cad3f5"; base05 = "cad3f5";
# base06 = "f4dbd6"; base06 = "f4dbd6";
# base07 = "b7bdf8"; base07 = "b7bdf8";
# base08 = "ed8796"; base08 = "ed8796";
# base09 = "f5a97f"; base09 = "f5a97f";
# base0A = "eed49f"; base0A = "eed49f";
# base0B = "a6da95"; base0B = "a6da95";
# base0C = "8bd5ca"; base0C = "8bd5ca";
# base0D = "8aadf4"; base0D = "8aadf4";
# base0E = "c6a0f6"; base0E = "c6a0f6";
# base0F = "f0c6c6"; base0F = "f0c6c6";
# }; };
# image = ./background.jpg; image = ./background.jpg;
# cursor.package = pkgs.catppuccin-cursors; cursor.package = pkgs.catppuccin-cursors;
# cursor.name = "catppuccin-macchiato-mauve-cursors"; cursor.name = "catppuccin-macchiato-mauve-cursors";
# cursor.size = 16; cursor.size = 16;
# }; };
} }

50
home-manager/shared/kde-connect-commands.json
View file

@ -1,50 +0,0 @@
[
{
"command": "systemctl poweroff",
"name": "shutdown"
},
{
"command": "systemctl reboot",
"name": "reboot"
},
{
"command": "systemctl suspend",
"name": "suspend"
},
{
"command": "systemctl hibernate",
"name": "hibernate"
},
{
"command": "loginctl lock-session",
"name": "lock"
},
{
"command": "loginctl unlock-session",
"name": "unlock"
},
{
"command": "qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \"mute\"",
"name": "mute"
},
{
"command": "qdbus org.kde.kglobalaccel /component/kmix invokeShortcut \"mic_mute\"",
"name": "mute mic"
},
{
"command": "file=/tmp/$(hostname)_$(date \"+%Y%m%d_%H%M%S\").png; spectacle -bo \"${file}\" && while ! [ -f \"${file}\" ]; do sleep 0.5; done && kdeconnect-cli -d $(kdeconnect-cli -a --id-only) --share \"${file}\"",
"name": "screenshot to phone"
},
{
"command": "file=\"$HOME/Images/WebcamImage_$(date \"+%Y%m%d_%H%M%S\").jpg\"; ffmpeg -f video4linux2 -s 1280x720 -i /dev/video0 -ss 0:0:2 -frames 1 \"${file}\" && kdeconnect-cli -d $(kdeconnect-cli -a --id-only) --share \"${file}\"",
"name": "webcam to phone"
},
{
"command": "bluetoothctl connect 38:18:4C:11:56:99",
"name": "connect headset"
},
{
"command": "bluetoothctl disconnect 38:18:4C:11:56:99",
"name": "disconnect headset"
}
]

3
home-manager/shared/shell/helix/helix.nix
View file

@ -7,7 +7,7 @@
}: }:
rustPlatform.buildRustPackage rec { rustPlatform.buildRustPackage rec {
pname = "helix"; pname = "helix";
version = "25.01.1"; version = "24.07";
# This release tarball includes source code for the tree-sitter grammars, # This release tarball includes source code for the tree-sitter grammars,
# which is not ordinarily part of the repository. # which is not ordinarily part of the repository.
@ -17,7 +17,6 @@ rustPlatform.buildRustPackage rec {
stripRoot = false; stripRoot = false;
}; };
useFetchCargoVendor = true;
cargoHash = ""; cargoHash = "";
nativeBuildInputs = [git installShellFiles]; nativeBuildInputs = [git installShellFiles];

1
home-manager/shared/shell/hyfetch.nix
View file

@ -10,7 +10,6 @@
mode = "horizontal"; mode = "horizontal";
}; };
backend = "neofetch"; backend = "neofetch";
pride_month_disable = false;
}; };
}; };
} }

6
home-manager/shared/shell/starship.nix
View file

@ -41,9 +41,9 @@
{ {
owner = "catppuccin"; owner = "catppuccin";
repo = "starship"; repo = "starship";
rev = "5906cc3"; # Replace with the latest commit hash rev = "5629d23"; # Replace with the latest commit hash
sha256 = "sha256-FLHjbClpTqaK4n2qmepCPkb8rocaAo3qeV4Zp1hia0g="; sha256 = "sha256-nsRuxQFKbQkyEI4TXgvAjcroVdG+heKX5Pauq/4Ota0=";
} }
+ /themes/${flavor}.toml)); + /palettes/${flavor}.toml));
}; };
} }

24
home-manager/shared/shell/zellij/default.nix
View file

@ -55,23 +55,23 @@
default_tab_template { default_tab_template {
pane size=1 borderless=true { pane size=1 borderless=true {
plugin location="file:${inputs.zjstatus.packages.${pkgs.stdenv.hostPlatform.system}.default}/bin/zjstatus.wasm" { plugin location="file:${inputs.zjstatus.packages.${pkgs.system}.default}/bin/zjstatus.wasm" {
format_left "#[bg=#24273A,fg=#cad3f5,bold] {session} {mode} {tabs}" format_left "#[bg=#1D1D2E,fg=#C9D2F5,bold] {session} {mode} {tabs}"
format_right "#[bg=#cad3f5,fg=#24273A]#[bg=#cad3f5,fg=#cad3f5]#[bg=#cad3f5,fg=#1e2030,bold]{datetime}#[bg=#24273A,fg=#cad3f5]" format_right "#[bg=#C9D2F5,fg=#1D1D2E]#[bg=#C9D2F5,fg=#C9D2F5]#[bg=#C9D2F5,fg=#1D1D2E,bold]{datetime}#[bg=#1D1D2E,fg=#C9D2F5]"
mode_locked "#[fg=magenta,bold] {name} " mode_locked "#[fg=magenta,bold] {name} "
mode_normal "#[fg=green,bold] {name} " mode_normal "#[fg=green,bold] {name} "
mode_resize "#[fg=orange,bold] {name} " mode_resize "#[fg=orange,bold] {name} "
mode_default_to_mode "resize" mode_default_to_mode "resize"
tab_normal "#[bg=#cad3f5,fg=#24273A]#[bg=#cad3f5,fg=#cad3f5]#[bg=#cad3f5,fg=#24273A,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#cad3f5,fg=#cad3f5]#[bg=#24273A,fg=#cad3f5]" tab_normal "#[bg=#C9D2F5,fg=#1D1D2E]#[bg=#C9D2F5,fg=#C9D2F5]#[bg=#C9D2F5,fg=#1D1D2E,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#C9D2F5,fg=#C9D2F5]#[bg=#1D1D2E,fg=#C9D2F5]"
tab_active "#[bg=#a6da95,fg=#24273A]#[bg=#a6da95,fg=#a6da95]#[bg=#a6da95,fg=#1e2030,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#a6da95,fg=#a6da95]#[bg=#24273A,fg=#a6da95]" tab_active "#[bg=#A6DA95,fg=#1D1D2E]#[bg=#A6DA95,fg=#A6DA95]#[bg=#A6DA95,fg=#1D1D2E,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#A6DA95,fg=#A6DA95]#[bg=#1D1D2E,fg=#A6DA95]"
tab_sync_indicator " " tab_sync_indicator " "
tab_fullscreen_indicator " " tab_fullscreen_indicator " "
tab_floating_indicator "󰉈 " tab_floating_indicator "󰉈 "
datetime "#[bg=#cad3f5,fg=#1e2030,bold]{format} " datetime "#[bg=#C9D2F5,fg=#1D1D2E,bold]{format} "
datetime_format "%Y-%m-%d %H:%M" datetime_format "%Y-%m-%d %H:%M"
datetime_timezone "Europe/Amsterdam" datetime_timezone "Europe/Amsterdam"
} }
@ -138,23 +138,23 @@
default_tab_template { default_tab_template {
pane size=1 borderless=true { pane size=1 borderless=true {
plugin location="file:${inputs.zjstatus.packages.${pkgs.stdenv.hostPlatform.system}.default}/bin/zjstatus.wasm" { plugin location="file:${inputs.zjstatus.packages.${pkgs.system}.default}/bin/zjstatus.wasm" {
format_left "#[bg=#24273A,fg=#cad3f5,bold] {session} {mode} {tabs}" format_left "#[bg=#1D1D2E,fg=#C9D2F5,bold] {session} {mode} {tabs}"
format_right "#[bg=#cad3f5,fg=#24273A]#[bg=#cad3f5,fg=#cad3f5]#[bg=#cad3f5,fg=#1e2030,bold]{datetime}#[bg=#24273A,fg=#cad3f5]" format_right "#[bg=#C9D2F5,fg=#1D1D2E]#[bg=#C9D2F5,fg=#C9D2F5]#[bg=#C9D2F5,fg=#1D1D2E,bold]{datetime}#[bg=#1D1D2E,fg=#C9D2F5]"
mode_locked "#[fg=magenta,bold] {name} " mode_locked "#[fg=magenta,bold] {name} "
mode_normal "#[fg=green,bold] {name} " mode_normal "#[fg=green,bold] {name} "
mode_resize "#[fg=orange,bold] {name} " mode_resize "#[fg=orange,bold] {name} "
mode_default_to_mode "resize" mode_default_to_mode "resize"
tab_normal "#[bg=#cad3f5,fg=#24273A]#[bg=#cad3f5,fg=#cad3f5]#[bg=#cad3f5,fg=#1e2030,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#cad3f5,fg=#cad3f5]#[bg=#24273A,fg=#cad3f5]" tab_normal "#[bg=#C9D2F5,fg=#1D1D2E]#[bg=#C9D2F5,fg=#C9D2F5]#[bg=#C9D2F5,fg=#1D1D2E,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#C9D2F5,fg=#C9D2F5]#[bg=#1D1D2E,fg=#C9D2F5]"
tab_active "#[bg=#a6da95,fg=#24273A]#[bg=#a6da95,fg=#a6da95]#[bg=#a6da95,fg=#1e2030,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#a6da95,fg=#a6da95]#[bg=#24273A,fg=#a6da95]" tab_active "#[bg=#A6DA95,fg=#1D1D2E]#[bg=#A6DA95,fg=#A6DA95]#[bg=#A6DA95,fg=#1D1D2E,bold]{name}{sync_indicator}{fullscreen_indicator}{floating_indicator}#[bg=#A6DA95,fg=#A6DA95]#[bg=#1D1D2E,fg=#A6DA95]"
tab_sync_indicator " " tab_sync_indicator " "
tab_fullscreen_indicator " " tab_fullscreen_indicator " "
tab_floating_indicator "󰉈 " tab_floating_indicator "󰉈 "
datetime "#[bg=#cad3f5,fg=#1e2030,bold]{format} " datetime "#[bg=#C9D2F5,fg=#1D1D2E,bold]{format} "
datetime_format "%Y-%m-%d %H:%M" datetime_format "%Y-%m-%d %H:%M"
datetime_timezone "Europe/Amsterdam" datetime_timezone "Europe/Amsterdam"
} }

20
home-manager/shared/shell/zsh.nix
View file

@ -27,15 +27,15 @@
sha256 = "sha256-Z6EYQdasvpl1P78poj9efnnLj7QQg13Me8x1Ryyw+dM="; sha256 = "sha256-Z6EYQdasvpl1P78poj9efnnLj7QQg13Me8x1Ryyw+dM=";
}; };
} }
# { {
# name = "terraform"; name = "terraform";
# src = pkgs.fetchFromGitHub { src = pkgs.fetchFromGitHub {
# owner = "macunha1"; owner = "macunha1";
# repo = "zsh-terraform"; repo = "zsh-terraform";
# rev = "fd1471d3757f8ed13f56c4426f88616111de2a87"; rev = "fd1471d3757f8ed13f56c4426f88616111de2a87";
# sha256 = "0z6i9wjjklb4lvr7zjhbphibsyx51psv50gm07mbb0kj9058j6kc"; sha256 = "0z6i9wjjklb4lvr7zjhbphibsyx51psv50gm07mbb0kj9058j6kc";
# }; };
# } }
]; ];
autosuggestion.enable = true; autosuggestion.enable = true;
enableCompletion = true; enableCompletion = true;
@ -61,7 +61,7 @@
]; ];
}; };
# Extra commands that take more complex forms # Extra commands that take more complex forms
initContent = '' initExtra = ''
eval "$(zoxide init --cmd cd zsh)" eval "$(zoxide init --cmd cd zsh)"
tre() { command tre "$@" -e && source "/tmp/tre_aliases_$USER" 2>/dev/null; } tre() { command tre "$@" -e && source "/tmp/tre_aliases_$USER" 2>/dev/null; }
zhx() { command zellij action new-tab --layout $HOME/.config/zellij/layouts/helix.kdl; } zhx() { command zellij action new-tab --layout $HOME/.config/zellij/layouts/helix.kdl; }

28
justfile
View file

@ -1,44 +1,22 @@
# Build the nixos configuration and switch to it
build: build:
sudo echo "sudo check..." && sudo nixos-rebuild --fallback --log-format internal-json -v switch --flake .# --show-trace |& nom --json sudo nixos-rebuild switch --flake .# --show-trace
# Build the nixos configuration bot don't switch to it until a reboot
boot:
sudo echo "sudo check..." && sudo nixos-rebuild --fallback --log-format internal-json -v boot --flake .# --show-trace |& nom --json
# Run the nix flake in the nix repl
run: run:
nix-repl -f flake:nixpkgs nix-repl -f flake:nixpkgs
# Check the nix configuration for errors
test: test:
sudo echo "sudo check..." && sudo nix flake check --show-trace --log-format internal-json -v |& nom --json sudo nix flake check --show-trace
# Update the flake lock
update: update:
nix flake update --log-format internal-json -v |& nom --json && zsh nix flake update
# Clean your nix store and optimize it
clean: clean:
sudo nix-collect-garbage sudo nix-collect-garbage
sudo nix-store --optimise sudo nix-store --optimise
# Set up the commit hook for testing before doing a commit
setup: setup:
#!/run/current-system/sw/bin/bash -e
if [ -s ./.git/hooks/pre-commit ]; then
read -p $"This file already contains the following text:
$(<./.git/hooks/pre-commit)
Do you want to add the test hook (y/N)? (This will NOT delete data)" choice
case "$choice" in
y|Y ) echo "just test" >> ./.git/hooks/pre-commit && chmod +x ./.git/hooks/pre-commit && echo "Added test hook to pre-commit.";;
* ) echo "No test added to pre-commit.";;
esac
else
echo "just test" >> ./.git/hooks/pre-commit && chmod +x ./.git/hooks/pre-commit echo "just test" >> ./.git/hooks/pre-commit && chmod +x ./.git/hooks/pre-commit
fi
# Make sure all the git actions of pulling, adding all files, committing, and pushing are done in one command
push: push:
git pull git pull
git add * git add *

218
modules/nixos/preservation/default.nix
View file

@ -1,218 +0,0 @@
{
lib,
config,
...
}: let
cfg = config.preservationSetup;
in {
options = {
preservationSetup.enable = lib.mkEnableOption "Enable setup of preservation of files in /persistent";
global.desktop = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether or not we should make desktop preservation files.";
};
global.server = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether or not we should make server preservation files.";
};
};
config = lib.mkIf cfg.enable {
preservation = {
# the module doesn't do anything unless it is enabled
enable = true;
preserveAt."/persistent" = {
# preserve system directories
directories =
[
#Shared
"/var/lib/sbctl"
"/var/lib/bluetooth"
"/var/lib/fprint"
"/var/lib/fwupd"
"/var/lib/libvirt"
"/var/lib/tpm2-tss"
"/var/lib/tpm2-udev-trigger"
"/var/lib/power-profiles-daemon"
"/var/lib/systemd/coredump"
"/var/lib/systemd/rfkill"
"/var/lib/systemd/timers"
"/var/log"
{
directory = "/var/lib/nixos";
inInitrd = true;
}
{
directory = "/var/secrets";
inInitrd = true;
}
]
++ lib.mkIf (cfg.desktop == true) [
#Desktop
"/var/lib/decky-loader"
"/var/lib/flatpak"
]
++ lib.mkIf (cfg.server == true) [
#Server
"/var/lib/continuwuity"
"/var/lib/dhcpcd"
"/var/lib/docker"
"/var/lib/dovecot"
"/var/lib/forgejo"
"/var/lib/gotosocial"
"/var/lib/grafana"
"/var/lib/jellyfin"
"/var/lib/media"
"/var/lib/mollysocket"
"/var/lib/private"
"/var/lib/mysql"
"/var/lib/nextcloud"
"/var/lib/onlyoffice"
"/var/lib/postfix"
"/var/lib/postgresql"
"/var/lib/prometheus2"
"/var/lib/rabbitmq"
"/var/lib/redis-nextcloud"
"/var/lib/redis-rspamd"
"/var/lib/secrets"
"/var/lib/writefreely"
"/var/db"
"/var/dkim"
"/var/secrets"
"/var/sieve"
"/var/vmail"
"/var/mysql"
];
# preserve system files
files = [
{
file = "/etc/machine-id";
inInitrd = true;
how = "symlink";
}
"/var/lib/usbguard/rules.conf"
# creates a symlink on the volatile root
# creates an empty directory on the persistent volume, i.e. /persistent/var/lib/systemd
# does not create an empty file at the symlink's target (would require `createLinkTarget = true`)
{
file = "/var/lib/systemd/random-seed";
how = "symlink";
inInitrd = true;
configureParent = true;
}
"/var/lib/systemd/tpm2-srk-public-key.pem"
"/var/lib/systemd/tpm2-srk-public-key.tpm2b_public"
];
# preserve user-specific files, implies ownership
users = {
lillian = {
commonMountOptions = [
"x-gvfs-hide"
];
directories =
[
{
directory = ".ssh";
mode = "0700";
}
]
++ lib.mkIf (cfg.desktop == true) [
#Desktop
".local/state/wireplumber"
".local/share/direnv"
".local/state/nix"
".local/state/comma"
".local/state/home-manager"
".local/share/PrismLauncher"
".local/share/qBittorrent"
".local/share/kwalletd"
".local/share/kwin" #TODO: add the window script via nix instead of saving it imperatively and keeping it
".local/share/lutris"
".local/share/Nextcloud"
".local/share/Steam"
".local/share/zoxide"
".local/share/flatpak"
".local/share/applications"
".local/share/firefoxpwa/"
".local/share/zoxide"
".mozilla"
".steam"
".zsh"
".pki"
".tldrc"
".thunderbird"
"Code"
"Writing"
"Games"
".config/kdeconnect"
".config/Nextcloud"
".config/noisetorch"
".config/qBittorrent"
".config/r2modman"
".config/r2modmanPlus-local"
".config/Ryujinx"
".config/Signal"
".config/sops"
".config/vesktop"
".config/kde.org"
".config/heroic"
];
#Shared
files = [
".z"
".zsh_history"
];
};
root = {
# specify user home when it is not `/home/${user}`
home = "/root";
directories = [
{
directory = ".ssh";
mode = "0700";
}
];
};
};
};
};
systemd.services.systemd-machine-id-commit = {
unitConfig.ConditionPathIsMountPoint = [
""
"/persistent/etc/machine-id"
];
serviceConfig.ExecStart = [
""
"systemd-machine-id-setup --commit --root /persistent"
];
};
systemd.tmpfiles.settings.preservation = {
"/home/lillian/.config".d = {
user = "lillian";
group = "users";
mode = "0755";
};
"/home/lillian/.local".d = {
user = "lillian";
group = "users";
mode = "0755";
};
"/home/lillian/.local/share".d = {
user = "lillian";
group = "users";
mode = "0755";
};
"/home/lillian/.local/state".d = {
user = "lillian";
group = "users";
mode = "0755";
};
};
};
}

159
modules/nixos/shared-packages/default.nix
View file

@ -1,159 +0,0 @@
{
outputs,
pkgs,
pkgs-edge,
lib,
config,
...
}:
let cfg = config.sharedPackages; in {
options = {
sharedPackages.enable = lib.mkEnableOption "Whether or not to install shared packages and settings";
global.desktopPackages = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether or not to install shared desktop packages and settings.";
};
global.serverPackages = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether or not to install shared server packages and settings.";
};
};
config = lib.mkIf cfg.enable {
imports = [] ++ lib.mkIf (cfg.desktopPackages == true) [
./desktop-settings
] ++ lib.mkIf (cfg.serverPackages == true) [
./server-settings
];
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
outputs.overlays.additions
outputs.overlays.modifications
];
};
environment.systemPackages =
(with pkgs; [
# Custom tools
rebuild
rebuild-no-inhibit
install-nix
install-nix-no-inhibit
update
upgrade
simple-completion-language-server
# System tools
age
alejandra
e2fsprogs
# uutils-findutils
git
git-filter-repo
pre-commit
helix
home-manager
htop
just
killall
oh-my-zsh
rsync
tre-command
wget
zsh
tldr
nmap
knot-dns
libressl
nettools
starship
# System libraries
] ++ lib.mkIf (cfg.desktop == true) [
# Custom tools
dvd
dvt
servo
restart
# System tools
aha
ttf-ms-win10
wineWow64Packages.stable
bottles
tpm2-abrmd
jdk21_headless
#bcachefs-tools
clinfo
direnv
exfat
exfatprogs
gamemode
git-filter-repo
gnupg
pciutils
podman
podman-compose
python3Minimal
sbctl
tpm2-tools
tpm2-tss
virtualgl
vulkan-tools
# waydroid
waypipe
wayland-utils
yubikey-personalization
zsh
# KDE/QT
kdePackages.plasma-desktop
kdePackages.plasma-wayland-protocols
kdePackages.libplasma
kdePackages.plasma-integration
kdePackages.plasma-activities
kdePackages.plasma-workspace
kdePackages.discover
kdePackages.filelight
kdePackages.kcalc
kdePackages.kdepim-addons
kdePackages.kirigami
kdePackages.kdeconnect-kde
kdePackages.konsole
# kdePackages.krunner-ssh
# kdePackages.krunner-symbols
kdePackages.packagekit-qt
kdePackages.plasma-pa
kdePackages.sddm-kcm
kdePackages.dolphin-plugins
kdePackages.qtstyleplugin-kvantum
kdePackages.krdc
kdePackages.krfb
kdePackages.kate
kdePackages.qrca
libportal-qt5
libportal
# User tools
freetube
noisetorch
qjackctl
wireplumber
intiface-central
#rustdesk
]
)
++ (with pkgs-edge; [
# list of latest packages from nixpkgs master
# Can be used to install latest version of some packages
] ++ lib.mkIf (cfg.desktop == true) [
kdePackages.plasma-vault
]
);
};
}

144
modules/nixos/shared-packages/desktop-settings/default.nix
View file

@ -1,144 +0,0 @@
{
pkgs,
lib,
config,
...
}: {
imports = [
./firefox
];
services.udev.extraRules = ''
KERNEL=="hidraw*", ATTRS{idVendor}=="057e", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*057e:*", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*2DC8:*", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", ATTRS{idProduct}=="6012", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*2DC8:6012*", MODE="0660", TAG+="uaccess"
'';
fonts.packages = [pkgs.ttf-ms-win10];
programs = {
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
command-not-found.enable = lib.mkForce false;
# nix-index.enable = true;
nix-index-database.comma.enable = true;
direnv = {
enable = true;
};
# steam = {
# enable = true;
# remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
# dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
# extest.enable = true;
# };
kdeconnect.enable = true;
noisetorch = {
enable = true;
};
};
xdg.portal.enable = true;
# Enable networking
networking.networkmanager.enable = true; # Enables support for 32bit libs that steam uses
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
services = {
# Enable the X11 windowing system.
xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
# displayManager.sddm = {
# enable = true;
# wayland.enable = true;
# };
displayManager.defaultSession = lib.mkDefault "plasma";
desktopManager.plasma6.enable = true;
desktopManager.plasma6.notoPackage = pkgs.atkinson-hyperlegible;
# Enable flatpak support
flatpak.enable = true;
packagekit.enable = true;
# Configure keymap in X11
xserver.xkb = {
layout = "us";
variant = "";
options = "terminate:ctrl_alt_bksp,compose:caps_toggle";
};
# Enable CUPS to print documents.
printing.enable = true;
# Enable fwupd daemon and user space client
fwupd.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
wireplumber.enable = true;
};
avahi = {
nssmdns4 = true;
enable = true;
ipv4 = true;
ipv6 = true;
publish = {
enable = true;
addresses = true;
workstation = true;
};
};
};
hardware = {
graphics.enable32Bit = true;
# Enable bluetooth hardware
bluetooth.enable = true;
};
security.rtkit.enable = true;
services.pulseaudio.enable = false;
virtualisation.podman = {
enable = true;
dockerCompat = true;
};
security.tpm2 = {
enable = true;
pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
tctiEnvironment.enable = true;
}; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
users.users.lillian.extraGroups = ["tss"];
boot = {
# tss group has access to TPM devices
bootspec.enable = true;
binfmt.emulatedSystems = ["aarch64-linux"];
#boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
#boot.supportedFilesystems = ["bcachefs"];
extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out];
kernelModules = [
# Virtual Camera
"v4l2loopback"
# Virtual Microphone, built-in
"snd-aloop"
];
# Set initial kernel module settings
extraModprobeConfig = ''
# exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming
# card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams
# https://github.com/umlaeute/v4l2loopback
options v4l2loopback exclusive_caps=1 card_label="Virtual Camera"
'';
loader.systemd-boot.configurationLimit = 3;
loader.efi.canTouchEfiVariables = true;
};
}

182
modules/nixos/shared-packages/desktop-settings/firefox/default.nix
View file

@ -1,182 +0,0 @@
{pkgs, ...}: {
programs.firefox = {
enable = true;
package = pkgs.librewolf;
policies = {
DisableTelemetry = true;
DisableFirefoxStudies = true;
DisablePocket = true;
DisableFirefoxAccounts = true;
DisableAccounts = true;
DisableProfileImport = true;
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DontCheckDefaultBrowser = true;
DisplayBookmarksToolbar = "newtab";
ManualAppUpdateOnly = true;
OfferToSaveLogins = false;
PasswordManagerEnabled = false;
DownloadDirectory = "\${home}/Downloads";
EnableTrackingProtection = {
Value = true;
Cryptomining = true;
Fingerprinting = true;
};
ExtensionSettings = {
# "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
# Catppuccin Macchiato - Mauve theme:
"{55750c61-e5f3-4d9a-898d-0643b3093678}" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/catppuccin-macchiato-mauve/latest.xpi";
installation_mode = "force_installed";
};
# Sideberry:
#"{3c078156-979c-498b-8990-85f7987dd929}" = {
# install_url = "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi";
# installation_mode = "force_installed";
#};
# Privacy Badger:
"jid1-MnnxcxisBPnSXQ@jetpack" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi";
installation_mode = "force_installed";
};
# Bitwarden:
"{446900e4-71c2-419f-a6a7-df9c091e268b}" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi";
installation_mode = "force_installed";
};
# Libredirect:
"7esoorv3@alefvanoon.anonaddy.me" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/libredirect/latest.xpi";
installation_mode = "force_installed";
};
# DarkReader:
"addon@darkreader.org" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/darkreader/latest.xpi";
installation_mode = "force_installed";
};
# SimpleLogin:
"addon@simplelogin" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/simplelogin/latest.xpi";
installation_mode = "force_installed";
};
# Cookie Auto Delete:
"CookieAutoDelete@kennydo.com" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/cookie-autodelete/latest.xpi";
installation_mode = "force_installed";
};
# Don't fuck with paste:
"DontFuckWithPaste@raim.ist" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/don-t-fuck-with-paste/latest.xpi";
installation_mode = "force_installed";
};
# Firefox pwas:
"firefoxpwa@filips.si" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/pwas-for-firefox/latest.xpi";
installation_mode = "force_installed";
};
# Consent o matic:
"gdpr@cavi.au.dk" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/consent-o-matic/latest.xpi";
installation_mode = "force_installed";
};
# Mailvelope:
"jid1-AQqSMBYb0a8ADg@jetpack" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/mailvelope/latest.xpi";
installation_mode = "force_installed";
};
# KDE connect:
"kde-connect@0xc0dedbad.com" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/kde-connect/latest.xpi";
installation_mode = "force_installed";
};
# Plasma browser integration:
"plasma-browser-integration@kde.org" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi";
installation_mode = "force_installed";
};
# Shinigami eyes:
"shinigamieyes@shinigamieyes" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/shinigami-eyes/latest.xpi";
installation_mode = "force_installed";
};
# uBlock Origin:
"uBlock0@raymondhill.net" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
installation_mode = "force_installed";
};
# uBlock Scope:
"uBO-Scope@raymondhill.net" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/ubo-scope/latest.xpi";
installation_mode = "force_installed";
};
# Wayback machine:
"wayback_machine@mozilla.org" = {
install_url = "https://addons.mozilla.org/firefox/downloads/file/4047136/wayback_machine_new-3.2.xpi";
installation_mode = "force_installed";
};
# Tree Style Tabs
# "treestyletab@piro.sakura.ne.jp" = {
# install_url = "https://addons.mozilla.org/firefox/downloads/latest/tree-style-tab/latest.xpi";
# installation_mode = "force_installed";
# };
# Adaptive Tab Bar Colour
"ATBC@EasonWong" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/Adaptive-Tab-Bar-Colour/latest.xpi";
installation_mode = "force_installed";
};
};
FirefoxHome = {
Search = true;
TopSites = false;
SponsoredTopSites = false;
Highlights = false;
Pocket = false;
SponsoredPocket = false;
Snippets = false;
};
FirefoxSuggest = {
WebSuggestions = false;
SponsoredSuggestions = false;
ImproveSuggest = false;
};
Preferences = {
"browser.compactmode.show" = true;
"browser.uidensity" = 0;
# "browser.newtabpage.activity-stream.feeds.topsites" = false;
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
"browser.newtabpage.activity-stream.showSponsored" = false;
"browser.newtabpage.activity-stream.system.showSponsored" = false;
"font.name.serif.x-western" = "Crimson";
"font.name.sans-serif.x-western" = "Atkinson Hyperlegible";
"font.name.monospace.x-western" = "FiraCode Nerd Font";
"font.size.variable.x-western" = 14;
"floorp.browser.sidebar.useIconProvider" = "duckduckgo";
"floorp.browser.tabbar.settings" = 2;
"floorp.browser.tabs.verticaltab" = true;
"floorp.tabbar.style" = 2;
"floorp.browser.user.interface" = 8;
"signon.rememberSignons" = true;
"browser.ml.chat.enabled" = false;
"browser.ml.chat.shortcuts" = false;
};
# TODO: switch to ManagedBookmarks as this will be dropped at some point https://mozilla.github.io/policy-templates/#managedbookmarks
# Bookmarks = [
# {
# Title = "NixOS wiki";
# Placement = "toolbar";
# URL = "https://nixos.wiki/";
# }
# {
# Title = "NixOS options";
# Placement = "toolbar";
# URL = "https://nixos.org/manual/nixos/stable/options";
# }
# {
# Title = "NixOS home-manager options";
# Placement = "toolbar";
# URL = "https://nix-community.github.io/home-manager/options.xhtml";
# }
# ];
};
};
}

48
modules/nixos/shared-packages/server-settings/akkoma/default.nix
View file

@ -1,48 +0,0 @@
{
config,
pkgs,
...
}: {
sops.secrets."releaseCookie".mode = "0440";
sops.secrets."releaseCookie".owner = config.users.users.akkoma.name;
users.groups.akkoma = {};
users.users = {
akkoma = {
isSystemUser = true;
group = "akkoma";
};
};
services.akkoma = {
enable = true;
package = pkgs.akkoma;
extraPackages = with pkgs; [ffmpeg exiftool imagemagick];
nginx = {
enableACME = true;
forceSSL = true;
serverName = "akkoma.gladtherescake.eu";
};
#dist.cookie._secret = config.sops.secrets."releaseCookie".path;
config = {
":pleroma".":instance" = {
name = "GLaDTheresCake Akkoma";
email = "akkoma@gladtherescake.eu";
notify_email = "no-reply@akkoma.gladtherescake.eu";
emails.mailer = {
enabled = true;
adapter = "Swoosh.Adapters.Sendmail";
cmd_path = "sendmail";
cmd_args = "-N delay,failure,success";
qmail = true;
};
description = "Lillian's Akkoma server!";
languages = ["en" "nl"];
registrations_open = true;
max_pinned_statuses = 10;
cleanup_attachments = true;
};
};
};
}

101
modules/nixos/shared-packages/server-settings/aria2/container.nix
View file

@ -1,101 +0,0 @@
{config, ...}: {
users.users.aria2.group = "aria2";
users.groups.aria2 = {};
users.users.aria2.isSystemUser = true;
sops.secrets."wg-private".mode = "0440";
sops.secrets."wg-private".owner = config.users.users.aria2.name;
containers.aria2 = {
forwardPorts = [
{
containerPort = 6969;
hostPort = 6969;
protocol = "udp";
}
];
bindMounts = {
"/var/lib/media" = {
hostPath = "/var/lib/media";
isReadOnly = false;
};
"/var/lib/wg/private-key" = {
hostPath = config.sops.secrets."wg-private".path;
isReadOnly = true;
};
};
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::2";
config = {
config,
pkgs,
...
}: {
system.stateVersion = "unstable";
networking.firewall.allowedTCPPorts = [6969];
networking.firewall.allowedUDPPorts = [6969 51820];
users.users = {
aria2.extraGroups = ["jellyfin" "nextcloud"];
};
services.aria2 = {
enable = true;
downloadDir = "/var/lib/media";
rpcListenPort = 6969;
};
networking.wg-quick.interfaces = {
wg0 = {
postUp = ''
# Mark packets on the wg0 interface
wg set wg0 fwmark 51820
# Forbid anything else which doesn't go through wireguard VPN on
# ipV4 and ipV6
${pkgs.iptables}/bin/iptables -A OUTPUT \
! -d 192.168.0.0/16 \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/ip6tables -A OUTPUT \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/iptables -I OUTPUT -o lo -p tcp \
--dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT
${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.100.10/24 -d 192.168.100.11/24 \
-j ACCEPT
'';
postDown = ''
${pkgs.iptables}/bin/iptables -D OUTPUT \
! -o wg0 \
-m mark ! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
${pkgs.iptables}/bin/ip6tables -D OUTPUT \
! -o wg0 -m mark \
! --mark $(wg show wg0 fwmark) \
-m addrtype ! --dst-type LOCAL \
-j REJECT
'';
address = ["10.2.0.2/32"];
dns = ["10.2.0.1"];
privateKeyFile = "/var/lib/wg/private-key";
peers = [
{
publicKey = "7A19/lMrfmpFZARivC7FS8DcGxMn5uUq9LcOqFjzlDo=";
allowedIPs = ["0.0.0.0/0"];
endpoint = "185.159.158.182:51820";
persistentKeepalive = 25;
}
];
};
};
};
};
}

15
modules/nixos/shared-packages/server-settings/aria2/default.nix
View file

@ -1,15 +0,0 @@
{config, ...}: {
users.users.aria2.group = "aria2";
users.groups.aria2 = {};
users.users.aria2.isSystemUser = true;
sops.secrets."rpcSecret".mode = "0440";
sops.secrets."rpcSecret".owner = config.users.users.aria2.name;
services.aria2 = {
enable = true;
downloadDir = "/var/lib/media";
rpcListenPort = 6969;
rpcSecretFile = config.sops.secrets."rpcSecret".path;
};
}

56
modules/nixos/shared-packages/server-settings/caddy/default.nix
View file

@ -1,56 +0,0 @@
{config, ...}: {
services.phpfpm.pools.nextcloud.settings = {
"listen.owner" = config.services.caddy.user;
"listen.group" = config.services.caddy.group;
};
users.users.caddy.extraGroups = ["nextcloud"];
services.caddy = {
enable = true;
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"${config.services.nextcloud.hostName}" = {
useACMEHost = "${config.services.nextcloud.hostName}";
extraConfig = ''
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/webfinger /index.php/.well-known/webfinger 301
redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
encode gzip
reverse_proxy localhost:9000
header Strict-Transport-Security max-age=31536000;
@forbidden {
path /.htaccess
path /data/*
path /config/*
path /db_structure
path /.xml
path /README
path /3rdparty/*
path /lib/*
path /templates/*
path /occ
path /console.php
}
handle @forbidden {
respond 404
}
handle {
root * /var/www/html
php_fastcgi 127.0.0.1:9000 {
# Tells nextcloud to remove /index.php from URLs in links
env front_controller_active true
}
file_server
}
'';
};
"onlyoffice.gladtherescake.eu" = {
};
};
};
}

17
modules/nixos/shared-packages/server-settings/cinny/default.nix
View file

@ -1,17 +0,0 @@
{pkgs, ...}: {
services.nginx = {
enable = true;
virtualHosts = {
"cinny.gladtherescake.eu" = {
root = "${pkgs.cinny}";
## Force HTTP redirect to HTTPS
forceSSL = true;
## LetsEncrypt
enableACME = true;
locations."/" = {
index = "index.html";
};
};
};
};
}

153
modules/nixos/shared-packages/server-settings/conduit/default.nix
View file

@ -1,153 +0,0 @@
{
config,
pkgs,
...
}: let
# You'll need to edit these values
# The hostname that will appear in your user and room IDs
server_name = "matrix.gladtherescake.eu";
# An admin email for TLS certificate notifications
admin_email = "letsencrypt@gladtherescake.eu";
# These ones you can leave alone
# Build a dervation that stores the content of `${server_name}/.well-known/matrix/server`
well_known_server = pkgs.writeText "well-known-matrix-server" ''
{
"m.server": "${server_name}"
}
'';
# Build a dervation that stores the content of `${server_name}/.well-known/matrix/client`
well_known_client = pkgs.writeText "well-known-matrix-client" ''
{
"m.homeserver": {
"base_url": "https://${server_name}"
}
}
'';
in {
# Configure continuwuity itself
services.matrix-continuwuity = {
enable = true;
settings.global = {
inherit server_name;
allow_registration = false;
# emergency_password = "testpassword";
turn_uris = ["turn:turn.gladtherescake.eu.url?transport=udp" "turn:turn.gladtherescake.eu?transport=tcp"];
turn_secret = "cPKWEn4Fo5TAJoE7iX3xeVOaMVE4afeRN1iRGWYfbkWbkaZMxTpnmazHyH6c6yXT";
well_known = {
server = "matrix.gladtherescake.eu:443";
client = "https://matrix.gladtherescake.eu";
};
};
};
# Configure automated TLS acquisition/renewal
security.acme = {
acceptTerms = true;
defaults = {
email = admin_email;
};
};
# ACME data must be readable by the NGINX user
users.users.nginx.extraGroups = [
"acme"
];
# Configure NGINX as a reverse proxy
services.nginx = {
enable = true;
virtualHosts = {
"${server_name}" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
{
addr = "[::]";
port = 8448;
ssl = true;
}
];
locations."/_matrix/" = {
proxyPass = "http://backend_continuwuity";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
locations."=/.well-known/matrix/server" = {
# Use the contents of the derivation built previously
alias = "${well_known_server}";
extraConfig = ''
# Set the header since by default NGINX thinks it's just bytes
default_type application/json;
'';
};
locations."=/.well-known/matrix/client" = {
# Use the contents of the derivation built previously
alias = "${well_known_client}";
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${server_name}\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://${server_name}\"}}'";
extraConfig = ''
# Set the header since by default NGINX thinks it's just bytes
default_type application/json;
# https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
add_header Access-Control-Allow-Origin "*";
'';
};
locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = {
proxyPass = "http://matrix.gladtherescake.eu/client/unstable/org.matrix.msc3575/sync";
proxyWebsockets = true;
recommendedProxySettings = false;
return = "200 '{\"contacts\": [{\"matrix_id\": \"@admin:server.name\", \"email_address\": \"admin@server.name\", \"role\": \"m.role.admin\"}]}'";
extraConfig = ''
proxy_set_header Host $host;
proxy_buffering off;
'';
};
extraConfig = ''
merge_slashes off;
'';
};
};
upstreams = {
"backend_continuwuity" = {
servers = {
"[::1]:${toString config.services.matrix-continuwuity.settings.global.port}" = {};
};
};
};
};
# Open firewall ports for HTTP, HTTPS, and Matrix federation
networking.firewall.allowedTCPPorts = [80 443 8448];
networking.firewall.allowedUDPPorts = [80 443 8448];
}

44
modules/nixos/shared-packages/server-settings/coturn/default.nix
View file

@ -1,44 +0,0 @@
{config, ...}: {
sops.secrets."coturn-auth-secret".mode = "0440";
sops.secrets."coturn-auth-secret".owner = config.users.users.turnserver.name;
users.users.nginx.extraGroups = ["turnserver"];
services.coturn = {
enable = true;
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path;
realm = "turn.gladtherescake.eu";
relay-ips = [
"62.171.160.195"
"2a02:c207:2063:2448::1"
];
extraConfig = "
cipher-list=\"HIGH\"
no-loopback-peers
no-multicast-peers
";
secure-stun = true;
cert = "/var/lib/acme/turn.gladtherescake.eu/fullchain.pem";
pkey = "/var/lib/acme/turn.gladtherescake.eu/key.pem";
min-port = 49152;
max-port = 49999;
};
# setup certs
services.nginx = {
enable = true;
virtualHosts = {
"turn.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
};
};
};
# share certs with coturn and restart on renewal
security.acme.certs = {
"turn.gladtherescake.eu" = {
group = "turnserver";
postRun = "systemctl reload nginx.service; systemctl restart coturn.service";
};
};
}

8
modules/nixos/shared-packages/server-settings/dashboard/default.nix
View file

@ -1,8 +0,0 @@
{...}: {
imports = [
./grafana
#./loki
./prometheus
./telegraf
];
}

44
modules/nixos/shared-packages/server-settings/dashboard/grafana/default.nix
View file

@ -1,44 +0,0 @@
{config, ...}: {
# grafana configuration
services.grafana = {
enable = true;
settings.server = {
domain = "grafana.lillianviolet.dev";
http_port = 2342;
http_addr = "127.0.0.1";
};
provision = {
datasources.settings = {
apiVersion = 1;
datasources = [
{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://localhost:${toString config.services.prometheus.port}";
isDefault = true;
}
{
name = "Loki";
type = "loki";
access = "proxy";
url = "http://localhost:3100";
isDefault = true;
}
];
};
};
};
# nginx reverse proxy
services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
## Force HTTP redirect to HTTPS
forceSSL = true;
## LetsEncrypt
enableACME = true;
locations."/" = {
proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
};
};
}

6
modules/nixos/shared-packages/server-settings/dashboard/loki/default.nix
View file

@ -1,6 +0,0 @@
{...}: {
services.loki = {
enable = true;
configFile = ./loki.yaml;
};
}

40
modules/nixos/shared-packages/server-settings/dashboard/loki/loki.yaml
View file

@ -1,40 +0,0 @@
# Enables authentication through the X-Scope-OrgID header, which must be present
# if true. If false, the OrgID will always be set to "fake".
auth_enabled: false
server:
http_listen_address: "0.0.0.0"
http_listen_port: 3100
ingester:
lifecycler:
address: "127.0.0.1"
ring:
kvstore:
store: inmemory
replication_factor: 1
final_sleep: 0s
chunk_idle_period: 5m
chunk_retain_period: 30s
schema_config:
configs:
- from: 2020-05-15
store: boltdb
object_store: filesystem
schema: v11
index:
prefix: index_
period: 168h
storage_config:
boltdb:
directory: /tmp/loki/index
filesystem:
directory: /tmp/loki/chunks
limits_config:
enforce_metric_name: false
reject_old_samples: true
reject_old_samples_max_age: 168h

34
modules/nixos/shared-packages/server-settings/dashboard/prometheus/default.nix
View file

@ -1,34 +0,0 @@
{config, ...}: {
services.prometheus = {
enable = true;
port = 9001;
# Export the current system metrics
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
};
};
scrapeConfigs = [
# Scrape the current system
{
job_name = "GrafanaService system";
static_configs = [
{
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
}
];
}
# Scrape the Loki service
{
job_name = "Loki service";
static_configs = [
{
targets = ["127.0.0.1:3100"];
}
];
}
];
};
}

49
modules/nixos/shared-packages/server-settings/dashboard/telegraf/default.nix
View file

@ -1,49 +0,0 @@
{config, ...}: {
sops.secrets."grafana-telegraf-key".mode = "0440";
sops.secrets."grafana-telegraf-key".owner = config.users.users.telegraf.name;
services.telegraf = {
enable = true;
extraConfig = {
agent = {
interval = "10s";
round_interval = true;
metric_batch_size = 1000;
metric_buffer_limit = 10000;
collection_jitter = "0s";
flush_interval = "10s";
flush_jitter = "0s";
precision = "";
debug = false;
quiet = false;
logfile = "";
hostname = "queen";
omit_hostname = false;
};
inputs = {
cpu = {
percpu = true;
totalcpu = true;
collect_cpu_time = false;
report_active = false;
core_tags = false;
};
disk = {
ignore_fs = ["tmpfs" "devtmpfs" "devfs" "overlay" "aufs" "squashfs"];
};
diskio = {};
kernel = {};
mem = {};
system = {};
};
outputs = {
websocket = {
url = "ws://localhost:${toString config.services.prometheus.port}/api/live/push/telegraf";
data_format = "influx";
headers = {
Authorisation = "Bearer glsa_lqpcKV34Pp0d7eIhKN79E2HTwzWWwN4m_fe64e398";
};
};
};
};
};
}

19
modules/nixos/shared-packages/server-settings/default.nix
View file

@ -1,19 +0,0 @@
{...}: {
imports = [
./conduit
./forgejo
./gotosocial
./mail-server
./nextcloud
# ./phanpy
./postgres
./roundcube
./coturn
# ./dashboard
#./cinny
#./firefox-sync
./writefreely
./mollysocket
./jellyfin
];
}

30
modules/nixos/shared-packages/server-settings/firefox-sync/default.nix
View file

@ -1,30 +0,0 @@
{
config,
pkgs,
...
}: let
port = 5126;
in {
sops.secrets."sync-secrets".mode = "0440";
sops.secrets."sync-secrets".owner = config.users.users.firefox-syncserver.name;
users.groups.firefox-syncserver = {};
users.users.firefox-syncserver = {
isSystemUser = true;
group = "firefox-syncserver";
extraGroups = [config.users.groups.keys.name];
};
services.mysql.package = pkgs.mariadb;
services.firefox-syncserver = {
enable = true;
secrets = config.sops.secrets."sync-secrets".path;
singleNode = {
enable = true;
hostname = "sync.gladtherescake.eu";
url = "http://localhost:${toString port}";
enableNginx = true;
enableTLS = true;
};
};
}

71
modules/nixos/shared-packages/server-settings/forgejo/default.nix
View file

@ -1,71 +0,0 @@
{pkgs, ...}: {
imports = [];
#sops.secrets."mailpassunhash".mode = "0440";
#sops.secrets."mailpassunhash".owner = config.users.users.virtualMail.name;
services.forgejo = {
enable = true;
#TODO: different mail passwords for different services
#mailerPasswordFile = config.sops.secrets."mailpassunhash".path;
database = {
type = "postgres";
};
settings = {
"cron.sync_external_users" = {
RUN_AT_START = true;
SCHEDULE = "@every 24h";
UPDATE_EXISTING = true;
};
mailer = {
ENABLED = true;
PROTOCOL = "sendmail";
FROM = "no-reply@git.lillianviolet.dev";
SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
SENDMAIL_ARGS = "-bs";
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
};
federation = {
ENABLED = true;
};
other = {
SHOW_FOOTER_VERSION = false;
};
service.DISABLE_REGISTRATION = true;
server = {
DOMAIN = "git.lillianviolet.dev";
ROOT_URL = "https://git.lillianviolet.dev/";
HTTP_PORT = 3218;
};
"markup.jupyter" = {
ENABLED = true;
FILE_EXTENSIONS = ".ipynb";
RENDER_COMMAND = "${pkgs.jupyter}/bin/jupyter nbconvert --stdout --to html --template full";
IS_INPUT_FILE = true;
RENDER_CONTENT_MODE = "no-sanitizer";
};
"markup.sanitizer.jupyter0" = {
ELEMENT = "div";
ALLOW_ATTR = "class";
REGEXP = "";
};
"markup.sanitizer.jupyter0.img" = {
ALLOW_DATA_URI_IMAGES = true;
};
};
};
services.nginx = {
virtualHosts = {
"git.lillianviolet.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:3218";
};
};
};
};
}

43
modules/nixos/shared-packages/server-settings/gotosocial/default.nix
View file

@ -1,43 +0,0 @@
{pkgs, ...}: {
users.users.gotosocial.extraGroups = ["virtualMail"];
services.nginx = {
virtualHosts = {
"social.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:4257";
};
};
};
};
services.gotosocial = {
enable = true;
package = pkgs.gotosocial;
setupPostgresqlDB = true;
settings = {
application-name = "gotosocial";
host = "social.gladtherescake.eu";
bind-address = "localhost";
port = 4257;
protocol = "https";
storage-local-base-path = "/var/lib/gotosocial/storage";
instance-languages = ["en-gb" "nl"];
media-image-max-size = 41943040;
media-video-max-size = 209715200;
media-description-max-chars = 2000;
#smtp-host = "localhost";
#smtp-port = 587;
#smtp-username = "no-reply@social.gladtherescake.eu";
#smtp-password = config.sops.secrets."mailpassunhash".path;
#smtp-from = "no-reply@social.gladtherescake.eu";
};
};
systemd.services."gotosocial" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
}

20
modules/nixos/shared-packages/server-settings/jellyfin/default.nix
View file

@ -1,20 +0,0 @@
{...}: {
services.nginx = {
virtualHosts = {
"video.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8096";
proxyWebsockets = true; # needed if you need to use WebSocket
};
};
};
};
services.jellyfin = {
enable = true;
user = "nextcloud";
group = "nextcloud";
};
}

108
modules/nixos/shared-packages/server-settings/mail-server/default.nix
View file

@ -1,108 +0,0 @@
{config, ...}: {
sops.secrets."mailpass".mode = "0440";
sops.secrets."mailpass".owner = config.users.users.virtualMail.name;
#Fix for the dovecot update
# services.dovecot2.sieve.extensions = ["fileinto"];
mailserver = {
stateVersion = 3;
enable = true;
enableImap = true;
enableSubmission = true;
fqdn = "mail.gladtherescake.eu";
domains = [
"nextcloud.gladtherescake.eu"
"akkoma.gladtherescake.eu"
"social.gladtherescake.eu"
"gladtherescake.eu"
"lillianviolet.dev"
"git.lillianviolet.dev"
];
loginAccounts = {
"me@gladtherescake.eu" = {
hashedPasswordFile = config.sops.secrets."mailpass".path;
aliases = [
"@gladtherescake.eu"
];
catchAll = [
"gladtherescake.eu"
];
};
"no-reply@nextcloud.gladtherescake.eu" = {
hashedPasswordFile = config.sops.secrets."mailpass".path;
};
"no-reply@akkoma.gladtherescake.eu" = {
hashedPasswordFile = config.sops.secrets."mailpass".path;
};
"no-reply@social.gladtherescake.eu" = {
hashedPasswordFile = config.sops.secrets."mailpass".path;
};
"info@lillianviolet.dev" = {
hashedPasswordFile = config.sops.secrets."mailpass".path;
aliases = [
"@lillianviolet.dev"
];
catchAll = [
"lillianviolet.dev"
];
};
"no-reply@git.lillianviolet.dev" = {
hashedPasswordFile = config.sops.secrets."mailpass".path;
};
};
mailboxes = {
All = {
auto = "subscribe";
specialUse = "All";
};
Archive = {
auto = "subscribe";
specialUse = "Archive";
};
Drafts = {
auto = "subscribe";
specialUse = "Drafts";
};
Junk = {
auto = "subscribe";
specialUse = "Junk";
};
Sent = {
auto = "subscribe";
specialUse = "Sent";
};
Trash = {
auto = "no";
specialUse = "Trash";
};
};
rejectRecipients = [
"no-reply@nextcloud.gladtherescake.eu"
"no-reply@akkoma.gladtherescake.eu"
"no-reply@social.gladtherescake.eu"
"no-reply@git.lillianviolet.dev"
"ongebonden@gladtherescake.eu"
"teluyep_canoja_52868396@gladtherescake.eu"
"me.belsimpel@gladtherescake.eu"
"me.tele2@gladtherescake.eu"
"me+tele2@gladtherescake.eu"
"me.archiveorg@gladtherescake.eu"
];
x509.useACMEHost = config.mailserver.fqdn;
};
security.acme.certs.${config.mailserver.fqdn} = {
webroot = "/var/lib/acme/acme-challenge/";
extraDomainNames = [
"imap.lillianviolet.dev"
"mail.lillianviolet.dev"
"pop3.lillianviolet.dev"
"lillianviolet.dev"
"gladtherescake.eu"
"mail.gladtherescake.eu"
];
};
}

25
modules/nixos/shared-packages/server-settings/mollysocket/default.nix
View file

@ -1,25 +0,0 @@
{config, ...}: {
sops.secrets."mollysocket-vapid-key".mode = "0440";
services.mollysocket = {
enable = true;
environmentFile = config.sops.secrets."mollysocket-vapid-key".path;
settings = {
port = 4381;
allowed_endpoints = ["https://molly.gladtherescake.eu" "https://nextcloud.gladtherescake.eu"];
allowed_uuids = ["db639f29-b7e7-431a-9c75-bcdcb87b6bdf"];
webserver = true;
};
};
services.nginx = {
virtualHosts = {
"molly.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:4381";
};
};
};
};
}

126
modules/nixos/shared-packages/server-settings/nextcloud/default.nix
View file

@ -1,126 +0,0 @@
{
config,
pkgs,
...
}: {
sops.secrets."nextcloudadmin".mode = "0440";
sops.secrets."nextcloudadmin".owner = config.users.users.nextcloud.name;
sops.secrets."nextclouddb".mode = "0440";
sops.secrets."nextclouddb".owner = config.users.users.nextcloud.name;
# sops.secrets."local.json".mode = "0440";
# sops.secrets."local.json".owner = config.users.users.onlyoffice.name;
users.users = {
# nextcloud.extraGroups = [config.users.groups.keys.name config.users.users.onlyoffice.name];
nextcloud.extraGroups = [config.users.groups.keys.name];
#aria2.extraGroups = ["nextcloud"];
# onlyoffice.extraGroups = [config.users.users.nextcloud.name];
};
# Enable Nginx
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"nextcloud.gladtherescake.eu" = {
## Force HTTP redirect to HTTPS
forceSSL = true;
## LetsEncrypt
enableACME = true;
};
"onlyoffice.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
};
};
};
# Actual Nextcloud Config
services.nextcloud = {
enable = true;
hostName = "nextcloud.gladtherescake.eu";
package = pkgs.nextcloud33;
# Use HTTPS for links
https = true;
# Auto-update Nextcloud Apps
autoUpdateApps.enable = true;
# Set what time makes sense for you
autoUpdateApps.startAt = "05:00:00";
configureRedis = true;
maxUploadSize = "16G";
#Increase opcache string buffer
phpOptions."opcache.interned_strings_buffer" = "23";
# Further forces Nextcloud to use HTTPS
settings = {
overwriteprotocol = "https";
default_phone_region = "NL";
maintenance_window_start = 3;
log_type = "file";
};
appstoreEnable = true;
extraAppsEnable = true;
#extraApps = with config.services.nextcloud.package.packages.apps; {
# List of apps we want to install and are already packaged in
# https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
# inherit calendar contacts deck forms notes onlyoffice polls twofactor_nextcloud_notification unsplash;
#};
config = {
# Nextcloud PostegreSQL database configuration, recommended over using SQLite
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
dbname = "nextcloud";
dbpassFile = config.sops.secrets."nextclouddb".path;
adminpassFile = config.sops.secrets."nextcloudadmin".path;
adminuser = "GLaDTheresCake";
};
};
# services.onlyoffice = {
# port = 16783;
# enable = true;
# hostname = "onlyoffice.gladtherescake.eu";
# #postgresHost = "/run/postgesql";
# #postgresUser = "onlyoffice";
# #postgresName = "onlyoffice";
# #jwtSecretFile = config.sops.secrets."local.json".path;
# };
# services.rabbitmq = {
# enable = true;
# };
systemd.services."sops-nix.service" = {
before = [
"nextcloud-setup.service"
"postgresql.service"
"onlyoffice-converter.service"
"onlyoffice-docservice.service"
"nginx.service"
"phpfpm-nextcloud.service"
"redis-nextcloud.service"
];
};
# Ensure that postgres is running before running the setup
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
}

55
modules/nixos/shared-packages/server-settings/ombi/default.nix
View file

@ -1,55 +0,0 @@
{...}: {
users.users = {
ombi.extraGroups = ["radarr" "sonarr" "aria2" "nextcloud"];
};
services.ombi = {
enable = true;
port = 2368;
};
users.users = {
radarr.extraGroups = ["aria2" "nextcloud"];
sonarr.extraGroups = ["aria2" "nextcloud"];
};
services = {
#uses port 7878
radarr.enable = true;
#uses port 8989
sonarr.enable = true;
prowlarr.enable = true;
};
services.nginx = {
virtualHosts = {
"ombi.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:2368";
};
};
"radarr.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:7878";
};
};
"sonarr.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8989";
};
};
"prowlarr.gladtherescake.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9696";
};
};
};
};
}

17
modules/nixos/shared-packages/server-settings/phanpy/default.nix
View file

@ -1,17 +0,0 @@
{pkgs, ...}: {
services.nginx = {
enable = true;
virtualHosts = {
"phanpy.gladtherescake.eu" = {
root = "${pkgs.phanpy}";
## Force HTTP redirect to HTTPS
forceSSL = true;
## LetsEncrypt
enableACME = true;
locations."/" = {
index = "index.html";
};
};
};
};
}

38
modules/nixos/shared-packages/server-settings/postgres/default.nix
View file

@ -1,38 +0,0 @@
{pkgs, ...}: {
services.postgresql = {
# https://nixos.org/manual/nixos/stable/#module-postgresql
package = pkgs.postgresql_16;
enable = true;
# Ensure the database, user, and ownership is set
ensureDatabases = [
"nextcloud"
"onlyoffice"
"akkoma"
"gotosocial"
"gitea"
];
ensureUsers = [
{
name = "nextcloud";
ensureDBOwnership = true;
}
{
name = "onlyoffice";
ensureDBOwnership = true;
}
{
name = "akkoma";
ensureDBOwnership = true;
}
{
name = "gotosocial";
ensureDBOwnership = true;
}
{
name = "gitea";
ensureDBOwnership = true;
}
];
};
}

36
modules/nixos/shared-packages/server-settings/postgres/upgrade.nix
View file

@ -1,36 +0,0 @@
{
config,
pkgs,
...
}: {
environment.systemPackages = [
(let
# XXX specify the postgresql package you'd like to upgrade to.
# Do not forget to list the extensions you need.
newPostgres = pkgs.postgresql_16.withPackages (pp: [
# pp.plv8
]);
in
pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
export NEWBIN="${newPostgres}/bin"
export OLDDATA="${config.services.postgresql.dataDir}"
export OLDBIN="${config.services.postgresql.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
'')
];
}

39
modules/nixos/shared-packages/server-settings/roundcube/default.nix
View file

@ -1,39 +0,0 @@
{
config,
pkgs,
...
}: {
# TODO: Figure out how to create packages for some plugins for roundcube!
# https://packagist.org/search/?query=roundcube
# https://discourse.nixos.org/t/roundcube-with-plugins/28292/7
services.roundcube = {
enable = true;
package = pkgs.roundcube.withPlugins (
plugins: [
plugins.contextmenu
plugins.carddav
plugins.custom_from
plugins.persistent_login
plugins.thunderbird_labels
]
);
plugins = [
"contextmenu"
"carddav"
"custom_from"
"persistent_login"
"thunderbird_labels"
];
# this is the url of the vhost, not necessarily the same as the fqdn of
# the mailserver
hostName = "webmail.lillianviolet.dev";
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
}

39
modules/nixos/shared-packages/server-settings/writefreely/default.nix
View file

@ -1,39 +0,0 @@
{
config,
pkgs,
...
}: {
sops.secrets."writefreely".mode = "0440";
sops.secrets."writefreely".owner = config.users.users.writefreely.name;
sops.secrets."writefreelymysql".mode = "0440";
sops.secrets."writefreelymysql".owner = config.users.users.writefreely.name;
services.writefreely = {
enable = true;
host = "writefreely.gladtherescake.eu";
nginx.enable = true;
nginx.forceSSL = true;
acme.enable = true;
# database = {
# type = "mysql";
# createLocally = true;
# passwordFile = config.sops.secrets."writefreelymysql".path;
# };
admin = {
initialPasswordFile = config.sops.secrets."writefreely".path;
name = "GLaDTheresCake";
};
settings = {
app = {
min_username_len = 2;
max_blogs = 100;
default_visibility = "public";
federation = true;
local_timeline = true;
};
server.port = 1212;
};
};
systemd.services.writefreely = {
path = [pkgs.libressl];
};
}

49
modules/nixos/sops/default.nix
View file

@ -1,49 +0,0 @@
{
lib,
config,
...
}: let
cfg = config.sopsSetup;
in {
options = {
sopsSetup.enable = lib.mkEnableOption "Enable Module";
global.desktop = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether or not to install shared desktop secrets.";
};
};
config = lib.mkIf cfg.enable {
sops = {
age.keyFile = "/var/secrets/keys.txt";
secrets."lillian-password".neededForUsers = true;
defaultSopsFile = ../hosts/${config.networking.hostName}/secrets/sops.yaml;
secrets."wg-private-key".mode = "0440";
secrets."wg-private-key".owner = config.users.users.root.name;
secrets."ssh-private-key" = {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.ssh/id_ed25519";
};
};
secrets."nextcloud-password" = lib.mkIf (cfg.desktop == true) {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.netrc";
};
secrets."prod.keys" = lib.mkIf (cfg.desktop == true) {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.config/Ryujinx/system/prod.keys";
};
secrets."title.keys" = lib.mkIf (cfg.desktop == true) {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.config/Ryujinx/system/title.keys";
};
};
}

BIN
modules/nixos/stylix/background.jpg
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 158 KiB

66
modules/nixos/stylix/default.nix
View file

@ -1,66 +0,0 @@
{
lib,
config,
pkgs,
...
}: let
cfg = config.stylixSetup;
in {
options = {
stylixSetup.enable = lib.mkEnableOption "Enable Module";
};
config = lib.mkIf cfg.enable {
stylix = {
# targets.qt.platform = lib.mkForce "kde";
enable = true;
# targets.qt.platform = "kde6";
autoEnable = true;
base16Scheme = {
scheme = "Catppuccin Macchiato Mauve";
author = "https://github.com/catppuccin/catppuccin";
base00 = "24273a";
base01 = "1e2030";
base02 = "363a4f";
base03 = "494d64";
base04 = "5b6078";
base05 = "cad3f5";
base06 = "f4dbd6";
base07 = "b7bdf8";
base08 = "ed8796";
base09 = "f5a97f";
base0A = "eed49f";
base0B = "a6da95";
base0C = "8bd5ca";
base0D = "c6a0f6";
base0E = "8aadf4";
base0F = "f0c6c6";
};
image = ./background.jpg;
cursor.package = pkgs.catppuccin-cursors.macchiatoMauve;
cursor.name = "catppuccin-macchiato-mauve-cursors";
cursor.size = 24;
homeManagerIntegration.followSystem = true;
fonts = {
serif = {
package = pkgs.atkinson-hyperlegible;
name = "Atkinson Hyperlegible Next";
};
monospace = {
package = pkgs.atkinson-hyperlegible-mono;
name = "Atkinson Hyperlegbile Mono";
};
sansSerif = {
package = pkgs.atkinson-hyperlegible;
name = "Atkinson Hyperlegible Next";
};
emoji = {
package = pkgs.noto-fonts-emoji-blob-bin;
name = "Blobmoji";
};
};
};
};
}

20
mount.sh
View file

@ -1,20 +0,0 @@
declare -a folders=( "/var/lib/sbctl" "/var/lib/bluetooth" "/var/lib/fprint" "/var/lib/fwupd" "/var/lib/libvirt" "/var/lib/tpm2-tss" "/var/lib/tpm2-udev-trigger" "/var/lib/power-profiles-daemon" "/var/lib/systemd/coredump" "/var/lib/systemd/rfkill" "/var/lib/systemd/timers" "/var/log" "/var/lib/decky-loader" "/var/lib/flatpak" "/var/lib/nixos" "/var/secrets" )
declare -a files=( "/etc/machine-id" "/var/lib/systemd/random-seed" "/var/secrets/keys.txt" "/var/lib/systemd/tpm2-srk-public-key.pem" "/var/lib/systemd/tpm2-srk-public-key.tpm2b_public" )
declare -a lillianfolders=( ".ssh" ".local/state/wireplumber" ".local/share/direnv" ".local/state/nix" ".local/state/comma" ".local/state/home-manager" ".local/share/PrismLauncher" ".local/share/qBittorrent" ".local/share/kwalletd" ".local/share/kwin" ".local/share/lutris" ".local/share/Nextcloud" ".local/share/Steam" ".local/share/zoxide" ".local/share/flatpak" ".local/share/applications" ".local/share/firefoxpwa/" ".local/share/com.nonpolynomial.intiface_central" ".mozilla" ".steam" ".zsh" ".pki" ".tldrc" ".thunderbird" "Code" "Writing" ".config/kdeconnect" ".config/Nextcloud" ".config/noisetorch" ".config/qBittorrent" ".config/r2modman" ".config/r2modmanPlus-local" ".config/Ryujinx" ".config/Signal" ".config/sops" ".config/vesktop" ".config/kde.org" )
for folder in "${folders[@]}"
do
mount --bind -o X-mount.mkdir "/mnt/persistent$folder" "/mnt$folder"
done
for lfolder in "${lillianfolders[@]}"
do
mount --bind -o X-mount.mkdir "/mnt/persistent/home/lillian/$lfolder" "/mnt/home/lillian/$lfolder"
done
for file in "${files[@]}"
do
mkdir -p "`dirname $file`"
ln -sf "/mnt/persistent$file" "/mnt$file"
done

75
nixos/desktop/default.nix
View file

@ -28,17 +28,9 @@
allowUnfree = true; allowUnfree = true;
}; };
}; };
services.udev.extraRules = ''
KERNEL=="hidraw*", ATTRS{idVendor}=="057e", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*057e:*", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*2DC8:*", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", ATTRS{idProduct}=="6012", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*2DC8:6012*", MODE="0660", TAG+="uaccess"
'';
environment.systemPackages = with pkgs; environment.systemPackages =
[ (with pkgs; [
# Custom tools # Custom tools
dvd dvd
dvt dvt
@ -47,23 +39,17 @@
# System tools # System tools
aha aha
ttf-ms-win10
wineWow64Packages.stable
bottles
tpm2-abrmd
jdk21_headless
#bcachefs-tools #bcachefs-tools
clinfo clinfo
comma
direnv direnv
exfat exfat
exfatprogs exfatprogs
gamemode
git-filter-repo git-filter-repo
gnupg gnupg
pciutils pciutils
podman podman
podman-compose podman-compose
python3Minimal
sbctl sbctl
tpm2-tools tpm2-tools
tpm2-tss tpm2-tss
@ -76,12 +62,7 @@
zsh zsh
# KDE/QT # KDE/QT
kdePackages.plasma-desktop krunner-translator
kdePackages.plasma-wayland-protocols
kdePackages.libplasma
kdePackages.plasma-integration
kdePackages.plasma-activities
kdePackages.plasma-workspace
kdePackages.discover kdePackages.discover
kdePackages.filelight kdePackages.filelight
kdePackages.kcalc kdePackages.kcalc
@ -99,57 +80,45 @@
kdePackages.krdc kdePackages.krdc
kdePackages.krfb kdePackages.krfb
kdePackages.kate kdePackages.kate
kdePackages.qrca kdePackages.xwaylandvideobridge
libportal-qt5 libportal-qt5
libportal libportal
# User tools # User tools
freetube
noisetorch noisetorch
qjackctl qjackctl
wireplumber wireplumber
intiface-central
#rustdesk #rustdesk
] ])
++ (with pkgs-edge; [ ++ (with pkgs-edge; [
kdePackages.plasma-vault freetube
# list of latest packages from nixpkgs master
# Can be used to install latest version of some packages
]); ]);
fonts.packages = [pkgs.ttf-ms-win10];
sops = { sops = {
secrets."nextcloud-password" = { secrets."nextcloud-password" = {
mode = "0600"; mode = "0600";
owner = config.users.users.lillian.name; owner = config.users.users.lillian.name;
path = "/home/lillian/.netrc"; path = "/home/lillian/.netrc";
}; };
secrets."prod.keys" = {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.config/Ryujinx/system/prod.keys";
};
secrets."title.keys" = {
mode = "0600";
owner = config.users.users.lillian.name;
path = "/home/lillian/.config/Ryujinx/system/title.keys";
};
}; };
programs = { programs = {
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently # Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
command-not-found.enable = lib.mkForce false; command-not-found.enable = lib.mkForce false;
# nix-index.enable = true; nix-index.enable = true;
nix-index-database.comma.enable = true; nix-index-database.comma.enable = true;
direnv = { direnv = {
enable = true; enable = true;
}; };
# steam = { steam = {
# enable = true; enable = true;
# remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
# dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
# extest.enable = true; extest.enable = true;
# }; };
kdeconnect.enable = true; kdeconnect.enable = true;
noisetorch = { noisetorch = {
@ -157,8 +126,6 @@
}; };
}; };
xdg.portal.enable = true;
# Enable networking # Enable networking
networking.networkmanager.enable = true; # Enables support for 32bit libs that steam uses networking.networkmanager.enable = true; # Enables support for 32bit libs that steam uses
@ -169,10 +136,12 @@
xserver.enable = true; xserver.enable = true;
# Enable the KDE Plasma Desktop Environment. # Enable the KDE Plasma Desktop Environment.
# displayManager.sddm = { displayManager.sddm = {
# enable = true; enable = true;
# wayland.enable = true; wayland.enable = true;
# }; };
displayManager.defaultSession = "plasma";
desktopManager.plasma6.enable = true;
desktopManager.plasma6.notoPackage = pkgs.atkinson-hyperlegible; desktopManager.plasma6.notoPackage = pkgs.atkinson-hyperlegible;
# Enable flatpak support # Enable flatpak support

18
nixos/desktop/package-configs/firefox/default.nix
View file

@ -1,7 +1,11 @@
{pkgs, ...}: { {
config,
pkgs,
...
}: {
programs.firefox = { programs.firefox = {
enable = true; enable = true;
package = pkgs.librewolf; package = pkgs.floorp;
policies = { policies = {
DisableTelemetry = true; DisableTelemetry = true;
DisableFirefoxStudies = true; DisableFirefoxStudies = true;
@ -115,10 +119,10 @@
installation_mode = "force_installed"; installation_mode = "force_installed";
}; };
# Tree Style Tabs # Tree Style Tabs
# "treestyletab@piro.sakura.ne.jp" = { "treestyletab@piro.sakura.ne.jp" = {
# install_url = "https://addons.mozilla.org/firefox/downloads/latest/tree-style-tab/latest.xpi"; install_url = "https://addons.mozilla.org/firefox/downloads/latest/tree-style-tab/latest.xpi";
# installation_mode = "force_installed"; installation_mode = "force_installed";
# }; };
# Adaptive Tab Bar Colour # Adaptive Tab Bar Colour
"ATBC@EasonWong" = { "ATBC@EasonWong" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/Adaptive-Tab-Bar-Colour/latest.xpi"; install_url = "https://addons.mozilla.org/firefox/downloads/latest/Adaptive-Tab-Bar-Colour/latest.xpi";
@ -156,8 +160,6 @@
"floorp.tabbar.style" = 2; "floorp.tabbar.style" = 2;
"floorp.browser.user.interface" = 8; "floorp.browser.user.interface" = 8;
"signon.rememberSignons" = true; "signon.rememberSignons" = true;
"browser.ml.chat.enabled" = false;
"browser.ml.chat.shortcuts" = false;
}; };
# TODO: switch to ManagedBookmarks as this will be dropped at some point https://mozilla.github.io/policy-templates/#managedbookmarks # TODO: switch to ManagedBookmarks as this will be dropped at some point https://mozilla.github.io/policy-templates/#managedbookmarks
# Bookmarks = [ # Bookmarks = [

56
nixos/hosts/EDI/configuration.nix
View file

@ -24,57 +24,11 @@
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
gparted
]; ];
programs.steam = { services.vpn-ip = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
extest.enable = true;
};
programs.virt-manager.enable = true;
users.groups.libvirtd.members = ["lillian"];
virtualisation.libvirtd.enable = true;
virtualisation.spiceUSBRedirection.enable = true;
services = {
displayManager.plasma-login-manager = {
enable = true;
};
displayManager.defaultSession = "plasma";
desktopManager.plasma6.enable = true;
samba = {
enable = true;
openFirewall = true;
settings = {
global = {
"invalid users" = [
"root"
];
"passwd program" = "/run/wrappers/bin/passwd %u";
security = "user";
};
public = {
browseable = "yes";
comment = "Public samba share.";
"guest ok" = "yes";
path = "/home/lillian/samba";
"read only" = "no";
};
};
};
vpn-ip = {
ip = "3"; ip = "3";
}; };
};
users.groups.samba.members = ["lillian"];
networking = { networking = {
hostName = "EDI"; hostName = "EDI";
@ -91,14 +45,10 @@
# for now. # for now.
loader.systemd-boot.enable = lib.mkForce false; loader.systemd-boot.enable = lib.mkForce false;
initrd.systemd.enable = true; initrd.systemd.enable = true;
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems = ["btrfs" "bcachefs"];
binfmt.emulatedSystems = ["aarch64-linux"];
lanzaboote = { lanzaboote = {
enable = true; enable = true;
pkiBundle = "/var/lib/sbctl"; pkiBundle = "/etc/secureboot";
}; };
kernelModules = [ kernelModules = [
"iwlmvm" "iwlmvm"
@ -107,5 +57,5 @@
}; };
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "26.05"; system.stateVersion = "25.05";
} }

13
nixos/hosts/EDI/secrets/sops.yaml
View file

File diff suppressed because one or more lines are too long

123
nixos/hosts/GLaDOS/configuration.nix
View file

@ -4,7 +4,6 @@
inputs, inputs,
outputs, outputs,
pkgs, pkgs,
lib,
... ...
}: { }: {
# You can import other NixOS modules here # You can import other NixOS modules here
@ -12,6 +11,7 @@
# Import home-manager's NixOS module # Import home-manager's NixOS module
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
outputs.nixosModules.vpn-ip outputs.nixosModules.vpn-ip
inputs.jovian.nixosModules.jovian
# If you want to use modules your own flake exports (from modules/nixos): # If you want to use modules your own flake exports (from modules/nixos):
# outputs.nixosModules.example # outputs.nixosModules.example
@ -22,6 +22,8 @@
# You can also split up your configuration and import pieces of it here: # You can also split up your configuration and import pieces of it here:
# ./users.nix # ./users.nix
../../desktop
../../../disko/GLaDOS ../../../disko/GLaDOS
# Import your generated (nixos-generate-config) hardware configuration # Import your generated (nixos-generate-config) hardware configuration
@ -29,32 +31,26 @@
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
gparted
]; ];
services = {
displayManager.plasma-login-manager = {
enable = true;
};
displayManager.defaultSession = "plasma"; services.vpn-ip = {
desktopManager.plasma6.enable = true;
vpn-ip = {
ip = "2"; ip = "2";
}; };
xserver.videoDrivers = ["amdgpu"];
};
networking.hostName = "GLaDOS"; networking.hostName = "GLaDOS";
programs = {
steam = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
extest.enable = true;
};
services.xserver.videoDrivers = ["amdgpu"];
hardware = {
# Add vulkan support to GPU
graphics.extraPackages = with pkgs; [
amdvlk
];
# For 32 bit applications
graphics.extraPackages32 = with pkgs; [
driversi686Linux.amdvlk
];
};
programs = {
# gamemode.enable = false; # gamemode.enable = false;
# gamemode.settings = { # gamemode.settings = {
# general = { # general = {
@ -74,86 +70,33 @@
# }; # };
# }; # };
}; };
boot = {
initrd.systemd.services.rollback = {
description = "Rollback BTRFS root subvolume to a pristine state";
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
wantedBy = ["initrd.target"];
after = ["systemd-cryptsetup@nvme_crypted.service"];
before = ["sysroot.mount"];
script = '' jovian = {
echo "mounting btrfs volume to tmp..." steam = {
mkdir -p /btrfs_tmp enable = true;
mount /dev/mapper/nvme_crypted /btrfs_tmp autoStart = false;
echo "mount successful!" user = "lillian";
desktopSession = "plasma";
if [[ -e /btrfs_tmp/root ]]; then };
echo "copying root to backup..." decky-loader = {
mkdir -p /btrfs_tmp/old_roots enable = true;
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") package = pkgs.decky-loader-prerelease;
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp" extraPackages = [pkgs.python3];
echo "copy complete!" };
fi hardware.has.amd.gpu = true;
if [[ -e /btrfs_tmp/home ]]; then
echo "copying home to backup..."
mkdir -p /btrfs_tmp/old_homes
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/home)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/home "/btrfs_tmp/old_homes/$timestamp"
echo "copy complete!"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
echo "recursively deleting root subvolumes older than five days..."
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +5); do
delete_subvolume_recursively "$i"
done
echo "subvolumes deleted!"
echo "recursively deleting home subvolumes older than five days..."
for i in $(find /btrfs_tmp/old_homes/ -maxdepth 1 -mtime +5); do
delete_subvolume_recursively "$i"
done
echo "subvolumes deleted!"
echo "creating new root and home subvolumes..."
btrfs subvolume create /btrfs_tmp/root
btrfs subvolume create /btrfs_tmp/home
mkdir /btrfs_tmp/home/lillian
chown 1000:100 /btrfs_tmp/home/lillian
echo "unmounting btrfs temporary mount..."
umount /btrfs_tmp
echo "disk clear complete!"
'';
}; };
boot = {
loader.systemd-boot.enable = false; loader.systemd-boot.enable = false;
initrd.systemd.enable = true; };
kernelPackages = pkgs.linuxPackages_latest;
supportedFilesystems = ["btrfs" "bcachefs"];
binfmt.emulatedSystems = ["aarch64-linux"]; boot.lanzaboote = {
lanzaboote = {
enable = true; enable = true;
pkiBundle = "/var/lib/sbctl"; pkiBundle = "/var/lib/sbctl";
}; };
extraModprobeConfig = ''
'';
};
users.users.lillian.extraGroups = ["gamemode"]; users.users.lillian.extraGroups = ["gamemode"];
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "26.05"; system.stateVersion = "25.05";
} }

17
nixos/hosts/GLaDOS/hardware-configuration.nix
View file

@ -15,23 +15,6 @@
boot.initrd.kernelModules = ["dm-snapshot" "amdgpu"]; boot.initrd.kernelModules = ["dm-snapshot" "amdgpu"];
boot.kernelModules = []; boot.kernelModules = [];
boot.extraModulePackages = []; boot.extraModulePackages = [];
fileSystems."/persistent".neededForBoot = true;
fileSystems."/run/media/lillian/big-SSD" = {
device = "/dev/disk/by-uuid/b12ee352-ca6d-47d5-8b5f-6e3002af12e7";
fsType = "ext4";
options = ["users" "nofail"];
};
fileSystems."/run/media/lillian/small-SSD" = {
device = "/dev/disk/by-uuid/237cc760-2b3b-41ec-aab4-deff9cc7c5a1";
fsType = "ext4";
options = ["users" "nofail"];
};
fileSystems."/run/media/lillian/Backup" = {
device = "/dev/disk/by-uuid/cb175f0e-a008-476d-b0eb-ba8d7873af66";
fsType = "ext4";
options = ["users" "nofail"];
};
# fileSystems."/" = # fileSystems."/" =
# { device = "UUID=166dc8d8-b77f-43fe-8bee-a0fc5b26aeb5"; # { device = "UUID=166dc8d8-b77f-43fe-8bee-a0fc5b26aeb5";

16
nixos/hosts/GLaDOS/secrets/sops.yaml
View file

File diff suppressed because one or more lines are too long

67
nixos/hosts/iso/configuration.nix
View file

@ -10,20 +10,20 @@
# outputs.homeManagerModules.example # outputs.homeManagerModules.example
# outputs.nixosModules.contabo.wan # outputs.nixosModules.contabo.wan
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
outputs.nixosModules.vpn-ip
# Or modules exported from other flakes (such as nix-colors): # Or modules exported from other flakes (such as nix-colors):
# inputs.nix-colors.homeManagerModules.defaults # inputs.nix-colors.homeManagerModules.defaults
# Import shared settings # Import shared settings
../../shared
]; ];
# programs.command-not-found.enable = lib.mkForce false; programs.command-not-found.enable = lib.mkForce false;
# programs.nix-index.enable = true; programs.nix-index.enable = true;
# programs.nix-index-database.comma.enable = true; programs.nix-index-database.comma.enable = true;
# boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
# zramSwap.enable = false; zramSwap.enable = false;
# networking.domain = ""; networking.domain = "";
services.openssh = { services.openssh = {
enable = true; enable = true;
# require public key authentication for better security # require public key authentication for better security
@ -45,9 +45,7 @@
#Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
sops.defaultSopsFile = ./secrets/sops.yaml; sops.defaultSopsFile = ./secrets/sops.yaml;
services.vpn-ip.enable = false; services.desktopManager.plasma6.enable = true;
# services.desktopManager.plasma6.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# Custom tools # Custom tools
@ -67,9 +65,11 @@
sbctl sbctl
tpm2-tools tpm2-tools
tpm2-tss tpm2-tss
waydroid
zsh zsh
# KDE/QT # KDE/QT
krunner-translator
kdePackages.discover kdePackages.discover
kdePackages.kcalc kdePackages.kcalc
kdePackages.kdepim-addons kdePackages.kdepim-addons
@ -81,14 +81,13 @@
kdePackages.plasma-pa kdePackages.plasma-pa
kdePackages.sddm-kcm kdePackages.sddm-kcm
kdePackages.dolphin-plugins kdePackages.dolphin-plugins
libportal-qt5
libportal libportal
]; ];
# Enable networking # Enable networking
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.hostName = "iso";
# Contabo ipv6 nameservers: "2a02:c207::1:53" "2a02:c207::2:53" # Contabo ipv6 nameservers: "2a02:c207::1:53" "2a02:c207::2:53"
networking.firewall.enable = true; networking.firewall.enable = true;
@ -107,24 +106,24 @@
# Enable bluetooth hardware # Enable bluetooth hardware
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
# security.tpm2.enable = true; security.tpm2.enable = true;
# security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
# security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
# users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices
# Set your time zone. # Set your time zone.
time.timeZone = "Europe/Amsterdam"; time.timeZone = "Europe/Amsterdam";
# programs.git = { programs.git = {
# enable = true; enable = true;
# }; };
# programs.direnv = { programs.direnv = {
# enable = true; enable = true;
# }; };
# # Enable completion of system packages by zsh # Enable completion of system packages by zsh
# environment.pathsToLink = ["/share/zsh"]; environment.pathsToLink = ["/share/zsh"];
# kde power settings do not turn off screen # kde power settings do not turn off screen
systemd = { systemd = {
@ -137,17 +136,17 @@
}; };
}; };
# home-manager = { home-manager = {
# extraSpecialArgs = {inherit inputs outputs;}; extraSpecialArgs = {inherit inputs outputs;};
# users = { users = {
# # Import your home-manager configuration # Import your home-manager configuration
# lillian = import ../../../home-manager/hosts/iso; lillian = import ../../../home-manager/hosts/iso;
# }; };
# }; };
# boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
# boot.supportedFilesystems = lib.mkForce ["bcachefs" "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs"]; boot.supportedFilesystems = lib.mkForce ["bcachefs" "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs"];
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "25.11"; system.stateVersion = "24.11";
} }

14
nixos/hosts/iso/secrets/sops.yaml
View file

@ -1,8 +1,9 @@
lillian-password: ENC[AES256_GCM,data:eQzZwGxK9Lw2gc8HDNw57odxPzTH4sa/2O97h3VAghRwLClmCYKT91kxj2F3kQ4iEctBl0GxdS4WoL3H9eE4/CAPffXdTmkdYg==,iv:2ezB4DNHFv5ceJ2gtATV12Azm3vFFDLX1qSSy+cKuMY=,tag:zxb5agUCDpi92bYV7+DmoA==,type:str] lillian-password: ENC[AES256_GCM,data:eQzZwGxK9Lw2gc8HDNw57odxPzTH4sa/2O97h3VAghRwLClmCYKT91kxj2F3kQ4iEctBl0GxdS4WoL3H9eE4/CAPffXdTmkdYg==,iv:2ezB4DNHFv5ceJ2gtATV12Azm3vFFDLX1qSSy+cKuMY=,tag:zxb5agUCDpi92bYV7+DmoA==,type:str]
ssh-private-key: ENC[AES256_GCM,data:YQ+9aKpBL9XYl0IBxpPttUli6/E25alUhO36dZwPPSIBLI1ehyczocQMxNRYNtB2xKYx4wPaYIndLBhj9VdTUgaOWUd2C6aU6YgXgFAsjgEwqVDZWRp7TrTHojtrS5HnJgfopx6EqPf/uljD9yQsOkubDDUbpYkpWX/3vixm9LJ1eRXxTxXW8D3O5OM2Z1NsqA7meVa1xhvWJokqS4sD5ntp1HT78Xmu62EweHQVGaznUvWZupYh0uCQd0tr6GVTZLHdyCdaFUGHRbRddBcljpBIRWaWkhIrkjejvptUZ4Ht/UN5XM5z+zfU3DxsDOxeJ7m83om9I3WdZSdq1aDXe+VFEfMrx/0QTk2LtAmOvujcN6wO7a77SD4Rpuvq8KH2CeKrwMLlFf2BeGIcGhvAhRYUVxtypM38DEdbf/7xIcw0vQP2zNZN4QWdukUInDndnAxMfbIXKpYI5OPRaZMTVui41hkS86LBfbd5RhTjyzrtIpVSq9XkKRX7d5i8Gcjb4ORpQvrNNYMo+TXCiLNTg3/q0My/jEhfjfTF,iv:EpKC9judTZ1+0Y2LC1OK2YzGH/orRpZNtE7O+ZZyU1E=,tag:S6ju/FkwIBbBA8YU3dRo1A==,type:str]
nextcloud-password: ENC[AES256_GCM,data:5u8j1wau5FewTe+t3YZ365Acfcrt09XDgCUNpDbuVKaNZIEW3gdR60XACQeAvsyQeznynILJnz7/txV2,iv:l1xYhUkQGdWYNNy1lG9xB5SgL9cn2FdzAs19iVCohlA=,tag:rT0flG+v9wd8jSUm8DrCjg==,type:str]
wg-private-key: ENC[AES256_GCM,data:3JpyscuzK4LG1lfM3oyQNBHy7BQ2WeTaSyaZoaNfS4U7KkpEaCp5EVLBYiY=,iv:odDG8xp+d+O4FuECfeCJn/z2ka4KSzSBvgBCmcMZ0S0=,tag:iPwnqgtap+i44Mru/S7TyA==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz - recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
enc: | enc: |
@ -13,7 +14,8 @@ sops:
dXlaN3dWOUl4Mys2V0x3Z3F6UVU4MVUKEJYpX8XhSNcM+7aUuxnIwrokY0/29Cnh dXlaN3dWOUl4Mys2V0x3Z3F6UVU4MVUKEJYpX8XhSNcM+7aUuxnIwrokY0/29Cnh
yz0HAZkaj8FwvnPnafo5jmwVyi6WXECvX5E0NZfjKH4AF5vTu6Wukg== yz0HAZkaj8FwvnPnafo5jmwVyi6WXECvX5E0NZfjKH4AF5vTu6Wukg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-14T18:00:16Z" lastmodified: "2024-03-20T18:17:48Z"
mac: ENC[AES256_GCM,data:NnX0hMrfeKJucgqgVUIUS0WOHerkDtKe3P+4vvWRCMX3eXg4Tsju8pZySZP7RSZX7+2W3OUHMOUuAum0YrVasTXuhm6jPvlbqvRnVXaVzCNheIUvTCF7LFeJEOQYKS5m8AiVKFRrxz+dGn90DSeijjajSePBjo8AnKyAOQEt1S8=,iv:1iJiqJU0vdDiWnJAYDlbOBBa9lBOODjjdlsRH54aTGI=,tag:JZtgVeLvFN6vcCZkRnuNcQ==,type:str] mac: ENC[AES256_GCM,data:3UHIoYPHC6n56CHguOVuoFd9VwCjGiD9VCYy2d5W+4XQEZpjnONX8fhwwWRm42COymz89tmqDmpDp88BnSU8uE14IaCIUoxfCaRiZtjAiHjouua2jr50aUV56pwyan8ZiiOjP8oP1VY/tsv1w0jWI9TjSTHvCdNLR8XEcf6bCrk=,iv:/lBJdkQgwZyiztQ9vSoHgY+WxXJKHFI93dxtOSunHNo=,tag:lLwrSdzoN9CzmyIdLOe5ig==,type:str]
pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.8.1

58
nixos/hosts/queen/configuration.nix
View file

@ -3,7 +3,6 @@
outputs, outputs,
lib, lib,
pkgs, pkgs,
config,
... ...
}: { }: {
imports = [ imports = [
@ -29,24 +28,6 @@
# Import disko # Import disko
# ../../../disko/queen # ../../../disko/queen
]; ];
preservation.enable = lib.mkForce false;
# services.anubis.instances.default.settings.TARGET = "http://localhost:8123";
# # required due to unix socket permissions
# users.users.nginx.extraGroups = [config.users.groups.anubis.name];
# services.nginx.virtualHosts."*.gladtherescake.eu" = {
# locations = {
# "/".proxyPass = "http://unix:${config.services.anubis.instances.default.settings.BIND}";
# };
# };
# services.nginx.virtualHosts."*.lillianviolet.dev" = {
# locations = {
# "/".proxyPass = "http://unix:${config.services.anubis.instances.default.settings.BIND}";
# };
# };
zramSwap.enable = false; zramSwap.enable = false;
services = { services = {
openssh = { openssh = {
@ -74,6 +55,7 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
fzf fzf
matrix-conduit
docker docker
docker-compose docker-compose
gitea gitea
@ -86,53 +68,29 @@
#jellyfin #jellyfin
#jellyfin-web #jellyfin-web
#jellyfin-ffmpeg #jellyfin-ffmpeg
nextcloud-spreed-signaling
nats-server
nginx nginx
onlyoffice-documentserver onlyoffice-documentserver
libressl openssl
phanpy
postgresql_16 postgresql_16
# python310 python310
# python310Packages.nbconvert # python310Packages.nbconvert
janus-gateway
jupyter jupyter
# rabbitmq-server rabbitmq-server
roundcube roundcube
roundcubePlugins.contextmenu roundcubePlugins.contextmenu
roundcubePlugins.carddav roundcubePlugins.carddav
roundcubePlugins.custom_from roundcubePlugins.custom_from
roundcubePlugins.persistent_login roundcubePlugins.persistent_login
roundcubePlugins.thunderbird_labels roundcubePlugins.thunderbird_labels
youtube-dl
sqlite sqlite
rocksdb
]; ];
services.vpn-ip = { services.vpn-ip = {
enable = false; enable = false;
}; };
systemd = {
services."upgrade-nextcloud" = {
path = [config.services.nextcloud.package];
enable = true;
unitConfig = {
after = "nextcloud-setup.service";
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${config.services.nextcloud.occ}/bin/nextcloud-occ upgrade";
RemainAfterExit = "yes";
};
};
timers."upgrade-nextcloud" = {
wantedBy = ["timers.target"];
partOf = ["upgrade-nextcloud.service"];
timerConfig = {
OnCalendar = "daily";
Unit = "nextcloud-setup.service";
};
};
};
networking = { networking = {
domain = ""; domain = "";
@ -235,5 +193,5 @@
}; };
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "26.05"; system.stateVersion = "25.05";
} }

14
nixos/hosts/queen/secrets/sops.yaml
View file

@ -8,8 +8,7 @@ mailpassunhash: ENC[AES256_GCM,data:q/P3nrNLy3hCISDmalw94nzWIFhoCdCTyflj27D2Ltr8
rpcSecret: ENC[AES256_GCM,data:gOuQSY2RI6rnSnG1,iv:xz1ueq4/UOKYBs5r9Tk4jL0+GyX8uo8I8ZymVgIMKLI=,tag:Fr8rWIttLz7X8Pri6FBJBQ==,type:str] rpcSecret: ENC[AES256_GCM,data:gOuQSY2RI6rnSnG1,iv:xz1ueq4/UOKYBs5r9Tk4jL0+GyX8uo8I8ZymVgIMKLI=,tag:Fr8rWIttLz7X8Pri6FBJBQ==,type:str]
wg-private-key: ENC[AES256_GCM,data:mq8QWoQ4tE4eYaFbwCzQnRREUFI2qrnmDnwurKMu6qdKkDylqc65E7jgGDI=,iv:r5RdcmfW4OaKlbbzUCPahONvpLcfZ7X7KcEEYFIYFDk=,tag:e93C4lByJV75JMHLJ02PfA==,type:str] wg-private-key: ENC[AES256_GCM,data:mq8QWoQ4tE4eYaFbwCzQnRREUFI2qrnmDnwurKMu6qdKkDylqc65E7jgGDI=,iv:r5RdcmfW4OaKlbbzUCPahONvpLcfZ7X7KcEEYFIYFDk=,tag:e93C4lByJV75JMHLJ02PfA==,type:str]
lillian-password: ENC[AES256_GCM,data:tc+Romv2fL+tdqLLmbwqaF4IHrNZ0VEpnECmW/66FW7IUpjHMyS7YP+pmmvDCzM9afIXMxyPFHGNRwiCmxqstiiNeSeLdo6rDw==,iv:sGeu9aNTgdpThv+0Z/nZKIrat1xNgM0t/KTGPaFbsdI=,tag:kZBHF4X0KO9znog61NwU+Q==,type:str] lillian-password: ENC[AES256_GCM,data:tc+Romv2fL+tdqLLmbwqaF4IHrNZ0VEpnECmW/66FW7IUpjHMyS7YP+pmmvDCzM9afIXMxyPFHGNRwiCmxqstiiNeSeLdo6rDw==,iv:sGeu9aNTgdpThv+0Z/nZKIrat1xNgM0t/KTGPaFbsdI=,tag:kZBHF4X0KO9znog61NwU+Q==,type:str]
coturn-auth-secret: ENC[AES256_GCM,data:1K7WX5FGhF7+CRZs4SEVKogsGv/93IJVvLeMe6/d1dg3g5/6fQkRCVl1KicMUOsqUxMweUn5hUXSO1h/ruWvPA==,iv:0U/JoeVin2zTkyk60x2boUQRzGW+9swlbxP1ENCbAFQ=,tag:ll8WCgMNtun5Va0VpC81Tw==,type:str] coturn-auth-secret: ENC[AES256_GCM,data:RYxyATuYIcrGd8h8Gc4CP9ZQ80ekuuwHehnOPYisHejmycgT8a2mWpk+5r3HkFmBNcLDeNlfnhIif5oLHGuHyw==,iv:M2GdNDxP4xpP35FJPTgljbcKpOm6DmEEnIYRItAxDVI=,tag:IiiNXeTi6Yja5PrnKRkhdA==,type:str]
hpb-secret: ENC[AES256_GCM,data:I/64j3nA0BWW5YY4STMFzxnSKQ+TmiHvweIIGOMJvV4=,iv:zezsPPnKlVBVlrJeG4pGbtuiz1GEWLmQaZl1isNa+pk=,tag:YbTWLAjIIMDn5Jo43U0QtA==,type:str]
grafana-telegraf-key: ENC[AES256_GCM,data:agpUzG1/n2NAKDt45IgelmDf0CUlC82fmD4f7JdcszNuUg7uCNA7XeaJ6PZtHQ==,iv:keo3i+qSbtXkA5fyCr2S5z9nJS9bXUn5WDiPgWocPU8=,tag:p/nDff10PRhi9pOszp1PnA==,type:str] grafana-telegraf-key: ENC[AES256_GCM,data:agpUzG1/n2NAKDt45IgelmDf0CUlC82fmD4f7JdcszNuUg7uCNA7XeaJ6PZtHQ==,iv:keo3i+qSbtXkA5fyCr2S5z9nJS9bXUn5WDiPgWocPU8=,tag:p/nDff10PRhi9pOszp1PnA==,type:str]
sync-secrets: ENC[AES256_GCM,data:AwCgqfSXmYVGnCV5PJ5Ql44IiutTS76F1H7Ow7gB4mQQ8PtiAsmArzpAXd7LzsXedm55X04U+GvkcbM9cwPcF+psyb3Zi8EnI/mjnI9MgFyySSEcosJZVAtCpXGIMyYgRXtF5OBh5CzupAG059d1TDAqrSpLXMuSDdypTaOMHxnlq5q1swfpzhhY3PVgUKVFXdjZLX8aF3JTE9ceVxFsB+traLzOQsl+QKty0x0mpuqR97zkMCchX7bTwgUgbl7phzTvmwV8Qw==,iv:gkZs5NB9+CLfz4kfV4ha2llZQPP81uuXRKqUlASgpiA=,tag:DXkiG0ZFHLHlVhwLwtv/XQ==,type:str] sync-secrets: ENC[AES256_GCM,data:AwCgqfSXmYVGnCV5PJ5Ql44IiutTS76F1H7Ow7gB4mQQ8PtiAsmArzpAXd7LzsXedm55X04U+GvkcbM9cwPcF+psyb3Zi8EnI/mjnI9MgFyySSEcosJZVAtCpXGIMyYgRXtF5OBh5CzupAG059d1TDAqrSpLXMuSDdypTaOMHxnlq5q1swfpzhhY3PVgUKVFXdjZLX8aF3JTE9ceVxFsB+traLzOQsl+QKty0x0mpuqR97zkMCchX7bTwgUgbl7phzTvmwV8Qw==,iv:gkZs5NB9+CLfz4kfV4ha2llZQPP81uuXRKqUlASgpiA=,tag:DXkiG0ZFHLHlVhwLwtv/XQ==,type:str]
writefreely: ENC[AES256_GCM,data:QOj5h/rHCxmgpPNhu3IS4eyruhQokHTJxW6yQM9YDgQ=,iv:qAd+/rAAanzL9FTIX22M+2kwI0WI2d3i86cJrn8MFBo=,tag:3zvpqnovDEoJdvK/qcFDuQ==,type:str] writefreely: ENC[AES256_GCM,data:QOj5h/rHCxmgpPNhu3IS4eyruhQokHTJxW6yQM9YDgQ=,iv:qAd+/rAAanzL9FTIX22M+2kwI0WI2d3i86cJrn8MFBo=,tag:3zvpqnovDEoJdvK/qcFDuQ==,type:str]
@ -17,6 +16,10 @@ writefreelymysql: ENC[AES256_GCM,data:1JZwIX04O3DBAo7JvEkeNrFcSdcmk/u4WUf/kkbr2J
ssh-private-key: ENC[AES256_GCM,data:DK/ggskAyhvotRkf36oZBoPw3hGvVlXneqaJZRPwX2a3YVMy4zgDE3iN65UeR6mfkp9J3OmLejOHeWFB/bRCHY3oTW6GUuZljTe2rI1/x/d2s4zX5UPPEWcy3cXH25d72DzElQBEMDKuZyDe0OZ0/NkR//vEeXgoA2Nr/NKHlTWrq/t26DMD2Vt+kQ+S9b0hh4tgh3OP1lwRu9/mTJOmInd/86gKB9+aD9V0oFvNbMEmgbwIah+ZjQBHB7GEIwjUc/lLmc+3RSn9J0rICIhnhL7NTzHUDHkYd93Tm0L9UHIyi9Oco2sK8tuV5mTDM1OK8CbDg/5FICTQ0H4sstCrDNZd2wE4E1kaZuwYOyxpzQpWJY8jOxxw5oIE0IccvvptM/9vp+0f1F2RIDrkIdHSLpFbGZGvXNVAWlXyv+0qOYS7BGzD0KAh9f74GcAvULq36vdzBahb5e+CqT3JXESne8qhkpsP0G9Z1I1Fy0xpADx/9cTnAm5RmXTw/KBPmBA5IZYZBRbR/C+N7Xyxr7u9RcwFJdIbSpAeT/ew,iv:pHT7DtX1ab7boPboXRaSg9w/4sMgNraEswtEf2tBPkw=,tag:Fbw2/Evf4ZsLFMBPflf9CA==,type:str] ssh-private-key: ENC[AES256_GCM,data:DK/ggskAyhvotRkf36oZBoPw3hGvVlXneqaJZRPwX2a3YVMy4zgDE3iN65UeR6mfkp9J3OmLejOHeWFB/bRCHY3oTW6GUuZljTe2rI1/x/d2s4zX5UPPEWcy3cXH25d72DzElQBEMDKuZyDe0OZ0/NkR//vEeXgoA2Nr/NKHlTWrq/t26DMD2Vt+kQ+S9b0hh4tgh3OP1lwRu9/mTJOmInd/86gKB9+aD9V0oFvNbMEmgbwIah+ZjQBHB7GEIwjUc/lLmc+3RSn9J0rICIhnhL7NTzHUDHkYd93Tm0L9UHIyi9Oco2sK8tuV5mTDM1OK8CbDg/5FICTQ0H4sstCrDNZd2wE4E1kaZuwYOyxpzQpWJY8jOxxw5oIE0IccvvptM/9vp+0f1F2RIDrkIdHSLpFbGZGvXNVAWlXyv+0qOYS7BGzD0KAh9f74GcAvULq36vdzBahb5e+CqT3JXESne8qhkpsP0G9Z1I1Fy0xpADx/9cTnAm5RmXTw/KBPmBA5IZYZBRbR/C+N7Xyxr7u9RcwFJdIbSpAeT/ew,iv:pHT7DtX1ab7boPboXRaSg9w/4sMgNraEswtEf2tBPkw=,tag:Fbw2/Evf4ZsLFMBPflf9CA==,type:str]
mollysocket-vapid-key: ENC[AES256_GCM,data:8N2hxY6WN6mCcjMIFsw/Vt1RoGvUbYxkVPOOn4WRjXZtEEkkVCIaNevozF4xCnBUEWIukNg8lZk8ake/pHAq,iv:+NHm3hSotcRPRjrwEe9xKnEeYbnUZqJEB1sd5B+tWIE=,tag:Pd2pnJqj771XqdqBREGzJQ==,type:str] mollysocket-vapid-key: ENC[AES256_GCM,data:8N2hxY6WN6mCcjMIFsw/Vt1RoGvUbYxkVPOOn4WRjXZtEEkkVCIaNevozF4xCnBUEWIukNg8lZk8ake/pHAq,iv:+NHm3hSotcRPRjrwEe9xKnEeYbnUZqJEB1sd5B+tWIE=,tag:Pd2pnJqj771XqdqBREGzJQ==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz - recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
enc: | enc: |
@ -27,7 +30,8 @@ sops:
KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz KzNBMCtUaS9sU21Xc1JUd1FSR29tSkEKyqaDM/WUWjK2l+ahE6sIFYsQ6Qtkf7yz
NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw== NWFTzsDZBmm9kpSIjchf+PuBuoRHeEKbEH8jnMlYB3J8boEnUnXMlw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-04T13:04:56Z" lastmodified: "2025-01-14T13:43:37Z"
mac: ENC[AES256_GCM,data:ppQgyWY/4Kr8/Ag5x7wBv1RZAxky6Itf4sBBRIzJj8njzSDOPm0blcDHjIGesu9PwmjnnJihZivmWXj43pAjxf6p4FmtlBAIqLUjRIV7fR16VINo7dPx4Pv6+sw1uwFvLliD/FfKwYo2S+Lx0eQnOzW1p7RROpbQJQ8k7AUngKE=,iv:Pk8sPdAMzITgeeaoZHJc77ywp47DuB5A1Lx5pjtHXM0=,tag:JkMDnjYMPTFkyOiikA7ejA==,type:str] mac: ENC[AES256_GCM,data:GK+WcmMgDbZ5xeqMK06CuquR6/ptd2oXzVJ9V74+n6lBx4XsyPu17puKGKgsGsIHeRYdbwtQh8tm42/XJ0tK8qJz1yGvfQxPasd+ibRBHatWWHzQ/czR3NIRWYqGF9/mxi2uHrftaKtku1/huxjzjb69blopMzn2LEH0vCzXCkc=,iv:K6Fbhmz9FAzLd8KcjDSriVre8MhCYrGTVXh+u6oGLaQ=,tag:4Ylrs+Mm54vAKFQyyo8Njg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.9.2

212
nixos/hosts/shodan/configuration.nix
View file

@ -17,7 +17,7 @@
outputs.nixosModules.vpn-ip outputs.nixosModules.vpn-ip
# Import the shared settings # Import the shared settings
../../desktop ../../desktop/package-configs/firefox
# You can also split up your configuration and import pieces of it here: # You can also split up your configuration and import pieces of it here:
# ./nvim.nix # ./nvim.nix
@ -46,43 +46,12 @@
lanzaboote = { lanzaboote = {
enable = true; enable = true;
pkiBundle = "/var/lib/sbctl"; pkiBundle = "/etc/secureboot";
}; };
consoleLogLevel = 0; consoleLogLevel = 0;
kernelParams = ["quiet" "udev.log_priority=0" "fbcon=vc:2-6" "console=tty0"]; kernelParams = ["quiet" "udev.log_priority=0" "fbcon=vc:2-6" "console=tty0"];
plymouth.enable = true; plymouth.enable = true;
}; };
services = {
udev.extraRules = ''
KERNEL=="hidraw*", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess"
KERNEL=="hidraw*", KERNELS=="*2DC8:*", MODE="0660", TAG+="uaccess"
SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2dc8", MODE="0666"
'';
vpn-ip = {
ip = "4";
};
openssh = {
enable = true;
settings = {
# require public key authentication for better security
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
};
};
desktopManager.plasma6.enable = true;
displayManager = {
# defaultSession = "plasma";
sddm.wayland.enable = lib.mkForce true;
sddm.settings = {
Autologin = {
Session = "plasma.desktop";
User = "lillian";
};
};
};
};
zramSwap.enable = false; zramSwap.enable = false;
networking = { networking = {
domain = ""; domain = "";
@ -91,25 +60,115 @@
networkmanager.enable = true; networkmanager.enable = true;
firewall.enable = true; firewall.enable = true;
firewall.interfaces."wg0".allowedTCPPorts = [8080];
firewall.interfaces."wg0".allowedUDPPorts = [8080]; firewall.allowedTCPPorts = [22];
firewall.allowedTCPPorts = [22 8080 8091 9090 9777 46899 46898];
firewall.allowedUDPPorts = [22 8080 8091 9090 9777 46899 46898];
hostName = "shodan"; hostName = "shodan";
}; };
services.vpn-ip = {
ip = "4";
};
xdg.portal.extraPortals = [pkgs.kdePackages.xdg-desktop-portal-kde]; services = {
openssh.enable = true; # Enables support for 32bit libs that steam uses
# Enable the X11 windowing system.
xserver.enable = true;
# Enable the KDE Plasma Desktop Environment.
desktopManager.plasma6.enable = true;
avahi = {
nssmdns4 = true;
enable = true;
ipv4 = true;
ipv6 = true;
publish = {
enable = true;
addresses = true;
workstation = true;
};
};
displayManager = {
defaultSession = "plasma";
sddm.wayland.enable = lib.mkForce true;
sddm.settings = {
Autologin = {
Session = "plasma.desktop";
User = "lillian";
};
};
};
# Enable flatpak support
flatpak.enable = true;
packagekit.enable = true;
# Configure keymap in X11
xserver = {
xkb.layout = "us";
xkb.variant = "";
};
# Enable CUPS to print documents.
printing.enable = true;
# Enable fwupd daemon and user space client
fwupd.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
};
nixpkgs = {
# You can add overlays here
overlays = [
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# Custom tools # Custom tools
auto-mount
#System: #System:
btrfs-progs
decky-loader decky-loader
jre8 efitools
# jellyfin-media-player jq
# noto-fonts
# noto-fonts-emoji-blob-bin
# noto-fonts-emoji
qjackctl
#rustdesk #rustdesk
sbctl
udisks
util-linux
waypipe
python3
protonup-qt
#KDE:
krunner-translator
# kdePackages.discover
kdePackages.kcalc
kdePackages.kdepim-addons
kdePackages.kirigami
kdePackages.kdeconnect-kde
# kdePackages.krunner-ssh
# kdePackages.krunner-symbols
kdePackages.qtvirtualkeyboard
kdePackages.packagekit-qt
kdePackages.krdc
kdePackages.krfb
libportal
#Gaming: #Gaming:
heroic heroic
@ -117,29 +176,6 @@
protontricks protontricks
rare rare
lutris lutris
(kodi.withPackages (kodiPkgs:
with kodiPkgs; [
steam-controller
invidious
youtube
netflix
upnext
sponsorblock
sendtokodi
jellyfin
inputstream-adaptive
inputstreamhelper
inputstream-ffmpegdirect
upnext
sponsorblock
sendtokodi
routing
requests-cache
requests
plugin-cache
a4ksubtitles
]))
]; ];
jovian = { jovian = {
@ -152,7 +188,7 @@
decky-loader = { decky-loader = {
enable = true; enable = true;
package = pkgs.decky-loader-prerelease; package = pkgs.decky-loader-prerelease;
extraPackages = [pkgs.python3 pkgs.flatpak pkgs.uutils-findutils]; extraPackages = [pkgs.python3];
}; };
devices.steamdeck = { devices.steamdeck = {
enable = true; enable = true;
@ -160,15 +196,59 @@
}; };
steamos = { steamos = {
enableAutoMountUdevRules = true; enableAutoMountUdevRules = true;
enableMesaPatches = true;
}; };
}; };
fonts.packages = [pkgs.ttf-ms-win10]; programs = {
steam = lib.mkForce {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
extest.enable = true;
};
kdeconnect.enable = true;
noisetorch = {
enable = true;
};
git = {
enable = true;
};
};
# # Enable automounting of removable media # # Enable automounting of removable media
# services.udisks2.enable = true; # services.udisks2.enable = true;
# services.devmon.enable = true; # services.devmon.enable = true;
# services.gvfs.enable = true; # services.gvfs.enable = true;
# environment.variables.GIO_EXTRA_MODULES = lib.mkForce ["${pkgs.gvfs}/lib/gio/modules"]; # environment.variables.GIO_EXTRA_MODULES = lib.mkForce ["${pkgs.gvfs}/lib/gio/modules"];
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
hardware = {
graphics.enable32Bit = true;
# Enable bluetooth hardware
bluetooth.enable = true;
# Enable sound with pipewire.
};
services.pulseaudio.enable = false;
users.users.lillian.extraGroups = ["decky" "tss" "input"];
# Enable completion of system packages by zsh
environment.pathsToLink = ["/share/zsh"];
security = {
rtkit.enable = true;
tpm2 = {
enable = true;
pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
tctiEnvironment.enable = true;
};
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "26.05"; system.stateVersion = "25.05";
} }

14
nixos/hosts/shodan/secrets/sops.yaml
View file

File diff suppressed because one or more lines are too long

100
nixos/hosts/wheatley/configuration.nix
View file

@ -14,11 +14,8 @@
./hardware-configuration.nix ./hardware-configuration.nix
# Import shared settings # Import shared settings
../../shared
]; ];
preservation.enable = lib.mkForce false;
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
powerManagement.cpuFreqGovernor = "ondemand"; powerManagement.cpuFreqGovernor = "ondemand";
hardware.graphics.enable = true; hardware.graphics.enable = true;
@ -32,7 +29,7 @@
programs = { programs = {
# Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently # Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently
command-not-found.enable = lib.mkForce false; command-not-found.enable = lib.mkForce false;
# nix-index.enable = true; nix-index.enable = true;
nix-index-database.comma.enable = true; nix-index-database.comma.enable = true;
}; };
services = { services = {
@ -165,38 +162,6 @@
enable = false; enable = false;
}; };
services.stubby = {
enable = true;
settings =
pkgs.stubby.passthru.settingsExample
// {
upstream_recursive_servers = [
# kdig -d @194.242.2.4 +tls-ca +tls-host=base.dns.mullvad.net example.com
{
address_data = "192.242.2.4";
tls_auth_name = "base.dns.mullvad.net";
tls_pubkey_pinset = [
{
digest = "sha256";
value = "vRABi3U719mJG1E/XyyrJ+3K43XdmJB+XuzaKESPRSs=";
}
];
}
# kdig -d @2a07:e340::4 +tls-ca +tls-host=base.dns.mullvad.net example.com
{
address_data = "2a07:e340::4";
tls_auth_name = "base.dns.mullvad.net";
tls_pubkey_pinset = [
{
digest = "sha256";
value = "1ABYdzvvAq7Ec7+Wl5KrRcgPeXsIGLBU7I+89u94bcw=";
}
];
}
];
};
};
networking = { networking = {
hostName = "wheatley"; hostName = "wheatley";
@ -212,8 +177,12 @@
# Configure DNS servers manually (this example uses Cloudflare and Google DNS) # Configure DNS servers manually (this example uses Cloudflare and Google DNS)
# IPv6 DNS servers can be used here as well. # IPv6 DNS servers can be used here as well.
nameservers = [ nameservers = [
"194.242.2.4" # "127.0.0.1"
"2a07:e340::4" # "::1"
"94.140.14.49"
"94.140.14.59"
"2a10:50c0:0:0:0:0:ded:ff"
"2a10:50c0:0:0:0:0:ded:ff"
]; ];
wireguard.enable = true; wireguard.enable = true;
@ -251,36 +220,6 @@
# wg public key for host: A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg= # wg public key for host: A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=
# TODO: generate this dynamically based on other hosts # TODO: generate this dynamically based on other hosts
wg0 = {
address = ["10.73.141.73/32" "fc00:bbbb:bbbb:bb01::a:8d48/128"];
privateKeyFile = lib.mkForce config.sops.secrets."wg-private-key".path;
dns = ["100.64.0.7"];
extraOptions = {
FwMark = 51820;
};
listenPort = 51820;
postUp = ''
${pkgs.iproute2}/bin/ip rule add from 192.168.2.43 table main
${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -i end0 -j CONNMARK --set-mark 51820
${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -m connmark --mark 51820 -j MARK --set-mark 51820
'';
preDown = ''
${pkgs.iproute2}/bin/ip rule del from 192.168.2.43 table main
${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -i end0 -j CONNMARK --set-mark 51820
${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -m connmark --mark 51820 -j MARK --set-mark 51820
'';
peers = [
{
publicKey = "33BoONMGCm2vknq2eq72eozRsHmHQY6ZHEEZ4851TkY=";
allowedIPs = ["0.0.0.0/0" "::0/0"];
endpoint = "193.32.249.70:51820";
}
];
};
wg1 = { wg1 = {
# Determines the IP address and subnet of the server's end of the tunnel interface. # Determines the IP address and subnet of the server's end of the tunnel interface.
address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"]; address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
@ -290,26 +229,22 @@
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
postUp = '' postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg1 -j ACCEPT ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg1 -j ACCEPT ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -o wg0 -j MASQUERADE ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
''; '';
# Undo the above # Undo the above
preDown = '' preDown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o eth0 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg1 -j ACCEPT ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -o wg0 -j MASQUERADE ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o eth0 -j MASQUERADE
''; '';
privateKeyFile = lib.mkForce config.sops.secrets."wg-private-key".path; privateKeyFile = lib.mkForce config.sops.secrets."wg-private-key".path;
extraOptions = {
FwMark = 51820;
};
peers = [ peers = [
{ {
#GLaDOS public key #GLaDOS public key
@ -339,7 +274,7 @@
# enable NAT # enable NAT
enable = true; enable = true;
externalInterface = "end0"; externalInterface = "end0";
internalInterfaces = ["wg1" "wg0"]; internalInterfaces = ["wg1"];
}; };
firewall = { firewall = {
enable = true; enable = true;
@ -351,7 +286,6 @@
80 # http 80 # http
443 # https 443 # https
51821 # wg 51821 # wg
51820 # wg-mullvad
7878 7878
53 # dnsmasq 53 # dnsmasq
]; ];
@ -417,6 +351,6 @@
services.cage.enable = true; services.cage.enable = true;
nixpkgs.config.kodi.enableAdvancedLauncher = true; nixpkgs.config.kodi.enableAdvancedLauncher = true;
system.stateVersion = "26.05"; system.stateVersion = "25.05";
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux"; nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
} }

13
nixos/hosts/wheatley/secrets/sops.yaml
View file

@ -1,11 +1,15 @@
wireless.env: ENC[AES256_GCM,data:a5sUW0Lc4GRd9aUJwHbmQvzvRB8WaRjMSQ==,iv:+3ncL38E3aqbejoCzzeBtMukLk4n/AQBJELlqhXDqSA=,tag:buY9Mp10DAEEEKqSyHwB3g==,type:str] wireless.env: ENC[AES256_GCM,data:a5sUW0Lc4GRd9aUJwHbmQvzvRB8WaRjMSQ==,iv:+3ncL38E3aqbejoCzzeBtMukLk4n/AQBJELlqhXDqSA=,tag:buY9Mp10DAEEEKqSyHwB3g==,type:str]
lillian-password: ENC[AES256_GCM,data:cr+Dix1YWrCDHjw0tj4Lnyy6X/bp+/tLSfHteBOsVHhwNRMK6IjZDZtuyFtrqtxfG2VQcFk7cPSkXaK8IQYzG4iYoDBxHxzWOQ==,iv:L1U+dT9eSMpE/WwSA3o9LoYaqv9aErqjXzsADdK2Gk0=,tag:onsOAyulyrbJvayVoGGfgg==,type:str] lillian-password: ENC[AES256_GCM,data:GY7WyfLRc/q4fecnazWzfoZsruN/F0ar7mJ9RaqTHSb9K6xhEmifmJeqpR5xGIJYW6MYciCsZ9YmRsJbuSHTIlo9PrCTYBGvXg==,iv:bzml3abPox3RdvtKBQiBAcVXHUdGAn0ETMsDpBtT8T0=,tag:2iaBJ4hFFBUbonslTvQH5Q==,type:str]
protonvpn-priv-key: ENC[AES256_GCM,data:s4LAq1Rqm+jGaK3OKcjIBCQYXPs3oEuTKJMAM+gFxIpZdwcJCIU7uyoCy6c=,iv:zoWv5u0xgJHldwdRGRv3bXI1kasaWQz1YD7wt0J890I=,tag:cFXnayZRq13UqP+XWuHnWw==,type:str] protonvpn-priv-key: ENC[AES256_GCM,data:s4LAq1Rqm+jGaK3OKcjIBCQYXPs3oEuTKJMAM+gFxIpZdwcJCIU7uyoCy6c=,iv:zoWv5u0xgJHldwdRGRv3bXI1kasaWQz1YD7wt0J890I=,tag:cFXnayZRq13UqP+XWuHnWw==,type:str]
rpcSecret: ENC[AES256_GCM,data:3tCZk2csB/ofxPc6,iv:NwT6k1hh73moH6eErT23/Dvwgb1wP/qIuoxXnCgNSao=,tag:nh0mFsh9I4R1baCL1oH+AA==,type:str] rpcSecret: ENC[AES256_GCM,data:3tCZk2csB/ofxPc6,iv:NwT6k1hh73moH6eErT23/Dvwgb1wP/qIuoxXnCgNSao=,tag:nh0mFsh9I4R1baCL1oH+AA==,type:str]
webdav-secret: ENC[AES256_GCM,data:SDFyHaE+HprkguOmDfnzwQ/n5OYgbTpxcVl4FGiLcsItefbSDOIQg5l01fqVB8zv+rRGlPcyRrIn7KTPrTpBx7X4RNHfFK4FKKvAANt6z0e5pu1+wnoObWxTShCFjfFoRCLkoh/j/CmLFyFIafrI7rzZUhs=,iv:stygLmNVWXkZL5A0J83CKPefRr7TqXeygQVLszr28eY=,tag:9hss2c77JELSASnwUyAF4w==,type:str] webdav-secret: ENC[AES256_GCM,data:SDFyHaE+HprkguOmDfnzwQ/n5OYgbTpxcVl4FGiLcsItefbSDOIQg5l01fqVB8zv+rRGlPcyRrIn7KTPrTpBx7X4RNHfFK4FKKvAANt6z0e5pu1+wnoObWxTShCFjfFoRCLkoh/j/CmLFyFIafrI7rzZUhs=,iv:stygLmNVWXkZL5A0J83CKPefRr7TqXeygQVLszr28eY=,tag:9hss2c77JELSASnwUyAF4w==,type:str]
wg-private-key: ENC[AES256_GCM,data:5WGAAst0qVqn1siX3snkAhsSDhZaS33XHT44BfViWLZqvzw+OhPB/jkSr4U=,iv:yXfN50SM3OWdycINB8iWXtvCSS01NBTrGBs1kxd1j0M=,tag:yhjDY1AM5aQ6DFeFEjo2Mw==,type:str] wg-private-key: ENC[AES256_GCM,data:5WGAAst0qVqn1siX3snkAhsSDhZaS33XHT44BfViWLZqvzw+OhPB/jkSr4U=,iv:yXfN50SM3OWdycINB8iWXtvCSS01NBTrGBs1kxd1j0M=,tag:yhjDY1AM5aQ6DFeFEjo2Mw==,type:str]
ssh-private-key: ENC[AES256_GCM,data:zbCR/+REHSN4BIQIXSOQjSRKYWhaXutdn4AE2zxmN44qHPzMI98c7/aX2KFhHOL+vKpgyhhR6JAGVTF5Jk72lmIHwDvwvwx+gLXgpZH1KEK3nTUdwUVcqBDsVB4Na5rTsHMWmRH+NxV7n+3nSQo/Byi0Jb602IPXRNREL+0toCbHon27/o2uIy4uzbsEWZu6N2hadzQCtXmHJM2dqmbKvpADt04TQ4wAcZ6wB0538g5WdtOSU6T1xcBBSDU7MNEVP7e7dUPKJWK79cI+RrzpGIh/da7cM6exSBRas711oL6woH4Hi3G6Yjd1rPxBPt1+/qq45gm/4UvjQywn/1s7BInCe9/5vJLn3TEzuUd96CsT36vEsxMeOekXf50Ntu6Xr02bnFRwUBm76BVGAggwGf/khRNJuLw0xHsCdeKzHsPD0efe5mHTJw8mB3M6vDhO6e3g6E3uRjjBaDnrPuHuD4NE1kCjQTTJh3NbuT2Ab55lhpSOEK+f0Ik2qZgKzALvJhn+MILjXSfP/hXgiwBeP4dkTY3fOcpmnPyS,iv:ojh2hzVzJFy1kvvo/WvaIpMpGT+b9aSC+L8L0iwhF1o=,tag:bHOj/fxDn/qUmp1eijLPuw==,type:str] ssh-private-key: ENC[AES256_GCM,data:zbCR/+REHSN4BIQIXSOQjSRKYWhaXutdn4AE2zxmN44qHPzMI98c7/aX2KFhHOL+vKpgyhhR6JAGVTF5Jk72lmIHwDvwvwx+gLXgpZH1KEK3nTUdwUVcqBDsVB4Na5rTsHMWmRH+NxV7n+3nSQo/Byi0Jb602IPXRNREL+0toCbHon27/o2uIy4uzbsEWZu6N2hadzQCtXmHJM2dqmbKvpADt04TQ4wAcZ6wB0538g5WdtOSU6T1xcBBSDU7MNEVP7e7dUPKJWK79cI+RrzpGIh/da7cM6exSBRas711oL6woH4Hi3G6Yjd1rPxBPt1+/qq45gm/4UvjQywn/1s7BInCe9/5vJLn3TEzuUd96CsT36vEsxMeOekXf50Ntu6Xr02bnFRwUBm76BVGAggwGf/khRNJuLw0xHsCdeKzHsPD0efe5mHTJw8mB3M6vDhO6e3g6E3uRjjBaDnrPuHuD4NE1kCjQTTJh3NbuT2Ab55lhpSOEK+f0Ik2qZgKzALvJhn+MILjXSfP/hXgiwBeP4dkTY3fOcpmnPyS,iv:ojh2hzVzJFy1kvvo/WvaIpMpGT+b9aSC+L8L0iwhF1o=,tag:bHOj/fxDn/qUmp1eijLPuw==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz - recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
enc: | enc: |
@ -16,7 +20,8 @@ sops:
Vm9mWk5JRGtZNVVhN1JQWTBlb2kySkEKoLI1MzS3uGNUbyn7kI5DylKZiPtc1div Vm9mWk5JRGtZNVVhN1JQWTBlb2kySkEKoLI1MzS3uGNUbyn7kI5DylKZiPtc1div
bKIboWoobTfDt0EURfmZ5+JrX6DlZxRyNQyl9dsKmZT6pLdaIppStA== bKIboWoobTfDt0EURfmZ5+JrX6DlZxRyNQyl9dsKmZT6pLdaIppStA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-08T19:47:05Z" lastmodified: "2024-12-22T22:37:02Z"
mac: ENC[AES256_GCM,data:G7YCN4C0fpNLoZLHqagDWqrnTSkWDOjNbs7F/P8Fn/s/U9HBC8gHWktAM41h8MT853t3kF38SoTOD59nno+an9EECoSkWJy66agdrNM3/NZHz7aTbDmlw1EsrFjh8HeleLIwrwrNkQiJuakPjbplvIhFAtNZsFoErDtd5xnHy6c=,iv:A5DCVRUa99xmeDnAoCQR15oIJOjkR/A1aqadLWZGbwg=,tag:YXvBLwXGoE64ZqUTEORX9A==,type:str] mac: ENC[AES256_GCM,data:T31z1/pngI6Wa3HMyOxS5ofb2Y5YqK0v5m96mn7n5dQ0d992ooEpoNyE7r8qHsD+tXiHvLIybWUMiMlDLI7Gq8op9GLEYYnFNDfc24k7lQPPuQK/iraJFUQwiRBbK063Rmfa6q6S3P2YN58+oxUJUiKuAy4yUIJTNaHeCCH8HMc=,iv:uLbAtSNbUcsejWdE1oBvCQVOtuaHL7A3R0sT/ispjhU=,tag:t3D7h0B0dDDZ18qo8G8wiA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.9.2

18
nixos/server/package-configs/conduit/default.nix
View file

@ -28,12 +28,18 @@
} }
''; '';
in { in {
# Configure continuwuity itself # Configure Conduit itself
services.matrix-continuwuity = { services.matrix-conduit = {
enable = true; enable = true;
# This causes NixOS to use the flake defined in this repository instead of
# the build of Conduit built into nixpkgs.
# package = inputs.conduwuit.packages.${pkgs.system}.default;
package = pkgs.conduwuit;
settings.global = { settings.global = {
inherit server_name; inherit server_name;
database_backend = "rocksdb";
allow_registration = false; allow_registration = false;
# emergency_password = "testpassword"; # emergency_password = "testpassword";
turn_uris = ["turn:turn.gladtherescake.eu.url?transport=udp" "turn:turn.gladtherescake.eu?transport=tcp"]; turn_uris = ["turn:turn.gladtherescake.eu.url?transport=udp" "turn:turn.gladtherescake.eu?transport=tcp"];
@ -91,7 +97,7 @@ in {
]; ];
locations."/_matrix/" = { locations."/_matrix/" = {
proxyPass = "http://backend_continuwuity"; proxyPass = "http://backend_conduit";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_set_header Host $host; proxy_set_header Host $host;
@ -111,7 +117,6 @@ in {
locations."=/.well-known/matrix/client" = { locations."=/.well-known/matrix/client" = {
# Use the contents of the derivation built previously # Use the contents of the derivation built previously
alias = "${well_known_client}"; alias = "${well_known_client}";
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${server_name}\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://${server_name}\"}}'";
extraConfig = '' extraConfig = ''
# Set the header since by default NGINX thinks it's just bytes # Set the header since by default NGINX thinks it's just bytes
@ -125,7 +130,6 @@ in {
proxyPass = "http://matrix.gladtherescake.eu/client/unstable/org.matrix.msc3575/sync"; proxyPass = "http://matrix.gladtherescake.eu/client/unstable/org.matrix.msc3575/sync";
proxyWebsockets = true; proxyWebsockets = true;
recommendedProxySettings = false; recommendedProxySettings = false;
return = "200 '{\"contacts\": [{\"matrix_id\": \"@admin:server.name\", \"email_address\": \"admin@server.name\", \"role\": \"m.role.admin\"}]}'";
extraConfig = '' extraConfig = ''
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_buffering off; proxy_buffering off;
@ -139,9 +143,9 @@ in {
}; };
upstreams = { upstreams = {
"backend_continuwuity" = { "backend_conduit" = {
servers = { servers = {
"[::1]:${toString config.services.matrix-continuwuity.settings.global.port}" = {}; "[::1]:${toString config.services.matrix-conduit.settings.global.port}" = {};
}; };
}; };
}; };

2
nixos/server/package-configs/coturn/default.nix
View file

@ -5,7 +5,7 @@
services.coturn = { services.coturn = {
enable = true; enable = true;
use-auth-secret = true; use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path; static-auth-secret = "cPKWEn4Fo5TAJoE7iX3xeVOaMVE4afeRN1iRGWYfbkWbkaZMxTpnmazHyH6c6yXT";
realm = "turn.gladtherescake.eu"; realm = "turn.gladtherescake.eu";
relay-ips = [ relay-ips = [
"62.171.160.195" "62.171.160.195"

5
nixos/server/package-configs/default.nix
View file

@ -5,15 +5,14 @@
./gotosocial ./gotosocial
./mail-server ./mail-server
./nextcloud ./nextcloud
# ./phanpy ./phanpy
./postgres ./postgres
./roundcube ./roundcube
./coturn ./coturn
# ./dashboard ./dashboard
#./cinny #./cinny
#./firefox-sync #./firefox-sync
./writefreely ./writefreely
./mollysocket ./mollysocket
./jellyfin
]; ];
} }

4
nixos/server/package-configs/jellyfin/default.nix
View file

@ -1,4 +1,6 @@
{...}: { {...}: {
users.users.jellyfin.extraGroups = ["nextcloud" "aria2"];
services.nginx = { services.nginx = {
virtualHosts = { virtualHosts = {
"video.gladtherescake.eu" = { "video.gladtherescake.eu" = {
@ -14,7 +16,5 @@
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;
user = "nextcloud";
group = "nextcloud";
}; };
} }

13
nixos/server/package-configs/mail-server/default.nix
View file

@ -6,7 +6,6 @@
# services.dovecot2.sieve.extensions = ["fileinto"]; # services.dovecot2.sieve.extensions = ["fileinto"];
mailserver = { mailserver = {
stateVersion = 3;
enable = true; enable = true;
enableImap = true; enableImap = true;
enableSubmission = true; enableSubmission = true;
@ -86,17 +85,9 @@
"no-reply@social.gladtherescake.eu" "no-reply@social.gladtherescake.eu"
"no-reply@git.lillianviolet.dev" "no-reply@git.lillianviolet.dev"
"ongebonden@gladtherescake.eu" "ongebonden@gladtherescake.eu"
"teluyep_canoja_52868396@gladtherescake.eu"
"me.belsimpel@gladtherescake.eu"
"me.tele2@gladtherescake.eu"
"me+tele2@gladtherescake.eu"
"me.archiveorg@gladtherescake.eu"
]; ];
x509.useACMEHost = config.mailserver.fqdn; certificateScheme = "acme-nginx";
}; certificateDomains = [
security.acme.certs.${config.mailserver.fqdn} = {
webroot = "/var/lib/acme/acme-challenge/";
extraDomainNames = [
"imap.lillianviolet.dev" "imap.lillianviolet.dev"
"mail.lillianviolet.dev" "mail.lillianviolet.dev"
"pop3.lillianviolet.dev" "pop3.lillianviolet.dev"

9
nixos/server/package-configs/nextcloud/default.nix
View file

@ -50,7 +50,7 @@
enable = true; enable = true;
hostName = "nextcloud.gladtherescake.eu"; hostName = "nextcloud.gladtherescake.eu";
package = pkgs.nextcloud33; package = pkgs.nextcloud30;
# Use HTTPS for links # Use HTTPS for links
https = true; https = true;
@ -69,7 +69,6 @@
overwriteprotocol = "https"; overwriteprotocol = "https";
default_phone_region = "NL"; default_phone_region = "NL";
maintenance_window_start = 3; maintenance_window_start = 3;
log_type = "file";
}; };
appstoreEnable = true; appstoreEnable = true;
extraAppsEnable = true; extraAppsEnable = true;
@ -102,9 +101,9 @@
# #jwtSecretFile = config.sops.secrets."local.json".path; # #jwtSecretFile = config.sops.secrets."local.json".path;
# }; # };
# services.rabbitmq = { services.rabbitmq = {
# enable = true; enable = true;
# }; };
systemd.services."sops-nix.service" = { systemd.services."sops-nix.service" = {
before = [ before = [

2
nixos/server/package-configs/writefreely/default.nix
View file

@ -34,6 +34,6 @@
}; };
}; };
systemd.services.writefreely = { systemd.services.writefreely = {
path = [pkgs.libressl]; path = [pkgs.openssl];
}; };
} }

158
nixos/shared/default.nix
View file

@ -4,18 +4,16 @@
lib, lib,
config, config,
pkgs, pkgs,
pkgs-edge,
... ...
}: { }: {
imports = [ imports = [
./locale ./locale
./packages ./packages
./preservation.nix
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
#../hosts/${config.networking.hostName}/hardware-configuration.nix #../hosts/${config.networking.hostName}/hardware-configuration.nix
]; ];
sops = { sops = {
age.keyFile = "/var/secrets/keys.txt"; age.keyFile = ../../../../../../var/secrets/keys.txt;
secrets."lillian-password".neededForUsers = true; secrets."lillian-password".neededForUsers = true;
defaultSopsFile = ../hosts/${config.networking.hostName}/secrets/sops.yaml; defaultSopsFile = ../hosts/${config.networking.hostName}/secrets/sops.yaml;
@ -31,10 +29,11 @@
}; };
#TODO: remove this when unneeded for freetube #TODO: remove this when unneeded for freetube
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
"python3.12-youtube-dl-2021.12.17"
]; ];
nix = { nix = {
package = pkgs-edge.lix; package = pkgs.lix;
gc = { gc = {
automatic = true; automatic = true;
dates = "weekly"; dates = "weekly";
@ -68,56 +67,31 @@
]; ];
}; };
}; };
catppuccin = {
#TODO: ugly hardcoded delete, if it ever becomes a problem fix this, else just leave it I guess flavor = "macchiato";
system.userActivationScripts = { tty.enable = true;
removeConflictingFiles = { sddm.enable = true;
text = '' sddm.flavor = "macchiato";
rm -f /home/lillian/.config/gtk-3.0/settings.ini.backup forgejo.enable = true;
rm -f /home/lillian/.config/gtk-3.0/gtk.css.backup forgejo.flavor = "macchiato";
rm -f /home/lillian/.config/gtk-4.0/settings.ini.backup # plymouth.enable = false;
rm -f /home/lillian/.config/gtk-4.0/gtk.css.backup # grub.enable = false;
rm -r /home/lillian/.gtkrc-2.0.backup
'';
};
}; };
# catppuccin = { programs.zsh = {
# flavor = "macchiato";
# tty.enable = true;
# sddm.enable = true;
# sddm.flavor = "macchiato";
# forgejo.enable = true;
# forgejo.flavor = "macchiato";
# # plymouth.enable = false;
# # grub.enable = false;
# };
programs = {
zsh = {
enable = true; enable = true;
}; };
gnupg.agent = { programs.gnupg.agent = {
enable = true; enable = true;
enableBrowserSocket = true; enableBrowserSocket = true;
}; };
chromium = {
enable = true;
#Bet these options get renamed and put under a SearchProvider subheader...
defaultSearchProviderSearchURL = "https://noai.duckduckgo.com/?t=ftab&q={searchTerms}";
defaultSearchProviderEnabled = true;
extensions = ["cjpalhdlnbpafiamejdnhcphjbkeiagm" "gcbommkclmclpchllfjekcdonpmejbdp"];
};
};
stylix = { stylix = {
# targets.qt.platform = lib.mkForce "kde";
enable = true; enable = true;
# targets.qt.platform = "kde6";
autoEnable = true; autoEnable = true;
base16Scheme = { base16Scheme = {
scheme = "Catppuccin Macchiato Mauve"; scheme = "Catppuccin Macchiato";
author = "https://github.com/catppuccin/catppuccin"; author = "https://github.com/catppuccin/catppuccin";
base00 = "24273a"; base00 = "24273a";
base01 = "1e2030"; base01 = "1e2030";
@ -132,29 +106,29 @@
base0A = "eed49f"; base0A = "eed49f";
base0B = "a6da95"; base0B = "a6da95";
base0C = "8bd5ca"; base0C = "8bd5ca";
base0D = "c6a0f6"; base0D = "8aadf4";
base0E = "8aadf4"; base0E = "c6a0f6";
base0F = "f0c6c6"; base0F = "f0c6c6";
}; };
image = ./background.jpg; image = ./background.jpg;
cursor.package = pkgs.catppuccin-cursors.macchiatoMauve; cursor.package = pkgs.catppuccin-cursors.macchiatoMauve;
cursor.name = "catppuccin-macchiato-mauve-cursors"; cursor.name = "catppuccin-macchiato-mauve-cursors";
cursor.size = 24; cursor.size = 16;
homeManagerIntegration.followSystem = true; homeManagerIntegration.followSystem = true;
fonts = { fonts = {
serif = { serif = {
package = pkgs.atkinson-hyperlegible; package = pkgs.atkinson-hyperlegible;
name = "Atkinson Hyperlegible Next"; name = "Atkinson Hyperlegible";
}; };
monospace = { monospace = {
package = pkgs.atkinson-hyperlegible-mono; package = pkgs.atkinson-monolegible;
name = "Atkinson Hyperlegbile Mono"; name = "Atkinson Monolegible";
}; };
sansSerif = { sansSerif = {
package = pkgs.atkinson-hyperlegible; package = pkgs.atkinson-hyperlegible;
name = "Atkinson Hyperlegible Next"; name = "Atkinson Hyperlegible";
}; };
emoji = { emoji = {
@ -164,62 +138,19 @@
}; };
}; };
services.scx.enable = fonts.packages = [
if (pkgs.stdenv.hostPlatform.system == "aarch64-linux") pkgs.atkinson-hyperlegible
then false pkgs.atkinson-monolegible
else true; pkgs.noto-fonts-emoji-blob-bin
pkgs.noto-fonts
fonts.packages = with pkgs; [ pkgs.nerd-fonts.fira-mono
atkinson-hyperlegible-next
atkinson-hyperlegible-mono
dejavu_fonts
noto-fonts-emoji-blob-bin
noto-fonts
nerd-fonts.fira-mono
font-awesome
liberation_ttf
]; ];
fonts.fontconfig = { # fonts.fontconfig.defaultFonts = {
useEmbeddedBitmaps = true; # emoji = ["Blobmoji"];
defaultFonts = { # monospace = ["Atkinson Monolegible"];
emoji = ["Blobmoji"]; # sansSerif = ["Atkinson Hyperlegible"];
monospace = ["Atkinson Hyperlegible Mono" "dejaVu Sans Mono"]; # };
sansSerif = ["Atkinson Hyperlegible Next"];
serif = ["Atkinson Hyperlegible Next"];
};
};
systemd = {
services."shutdown-zellij-zsh" = {
path = with pkgs; [killall];
enable = true;
unitConfig = {
Before = "shutdown.target";
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.killall}/bin/killall -SIGKILL zellij zsh";
RemainAfterExit = "yes";
};
};
services."start-vpn-wg" =
if config.services.vpn-ip.enable
then {
path = with pkgs; [systemd];
enable = true;
unitConfig = {
Wants = "network-online.target";
After = "network-online.target";
};
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl start wg-quick-wg0.service";
RemainAfterExit = "yes";
};
}
else {};
};
networking = networking =
if config.services.vpn-ip.enable if config.services.vpn-ip.enable
@ -228,7 +159,7 @@
wg-quick.interfaces = { wg-quick.interfaces = {
wg0 = { wg0 = {
autostart = false; autostart = true;
address = ["10.0.0.${config.services.vpn-ip.ip}/24" "fdc9:281f:04d7:9ee9::${config.services.vpn-ip.ip}/64"]; address = ["10.0.0.${config.services.vpn-ip.ip}/24" "fdc9:281f:04d7:9ee9::${config.services.vpn-ip.ip}/64"];
dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"]; dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"];
listenPort = 51821; listenPort = 51821;
@ -246,15 +177,8 @@
} }
else {}; else {};
environment = {
systemPackages = with pkgs; [
nix-output-monitor
usbutils
];
# Enable completion of system packages by zsh # Enable completion of system packages by zsh
pathsToLink = ["/share/zsh"]; environment.pathsToLink = ["/share/zsh"];
};
home-manager = { home-manager = {
backupFileExtension = "backup"; backupFileExtension = "backup";
@ -269,22 +193,20 @@
}; };
users = { users = {
users = { users.lillian = {
lillian = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf" "docker"]; extraGroups = ["sudo" "networkmanager" "wheel" "vboxsf" "docker"];
shell = pkgs.zsh; shell = pkgs.zsh;
hashedPasswordFile = config.sops.secrets."lillian-password".path; hashedPasswordFile = config.sops.secrets."lillian-password".path;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"${builtins.readFile ../../home-manager/hosts/GLaDOS/id_ed25519.pub}" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILhwA+ZdP2tEBYQNdzLHZzFHxocyeqzhXI6tFpaZA3PZ lillian@EDI"
"${builtins.readFile ../../home-manager/hosts/EDI/id_ed25519.pub}" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH30G2PJOnI6jnAtxOQV0SpLFUva0adarLZLvaoZvjGE lillian@GLaDOS"
]; ];
}; };
mutableUsers = false;
root = { users.root = {
hashedPassword = "*"; hashedPassword = "*";
}; };
}; };
mutableUsers = false;
};
} }

8
nixos/shared/packages/default.nix
View file

@ -22,13 +22,12 @@
install-nix-no-inhibit install-nix-no-inhibit
update update
upgrade upgrade
simple-completion-language-server # simple-completion-language-server
# System tools # System tools
age age
alejandra alejandra
e2fsprogs e2fsprogs
# uutils-findutils
git git
git-filter-repo git-filter-repo
pre-commit pre-commit
@ -43,11 +42,6 @@
wget wget
zsh zsh
tldr tldr
nmap
knot-dns
libressl
nettools
starship
# System libraries # System libraries
]) ])

5
nixos/shared/packages/package-configs/default.nix
View file

@ -1,5 +0,0 @@
{...}: {
imports = [
./firefox
];
}

182
nixos/shared/packages/package-configs/firefox/default.nix
View file

@ -1,182 +0,0 @@
{pkgs, ...}: {
programs.firefox = {
enable = true;
package = pkgs.librewolf;
policies = {
DisableTelemetry = true;
DisableFirefoxStudies = true;
DisablePocket = true;
DisableFirefoxAccounts = true;
DisableAccounts = true;
DisableProfileImport = true;
OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DontCheckDefaultBrowser = true;
DisplayBookmarksToolbar = "newtab";
ManualAppUpdateOnly = true;
OfferToSaveLogins = false;
PasswordManagerEnabled = false;
DownloadDirectory = "\${home}/Downloads";
EnableTrackingProtection = {
Value = true;
Cryptomining = true;
Fingerprinting = true;
};
ExtensionSettings = {
# "*".installation_mode = "blocked"; # blocks all addons except the ones specified below
# Catppuccin Macchiato - Mauve theme:
"{55750c61-e5f3-4d9a-898d-0643b3093678}" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/catppuccin-macchiato-mauve/latest.xpi";
installation_mode = "force_installed";
};
# Sideberry:
#"{3c078156-979c-498b-8990-85f7987dd929}" = {
# install_url = "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi";
# installation_mode = "force_installed";
#};
# Privacy Badger:
"jid1-MnnxcxisBPnSXQ@jetpack" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi";
installation_mode = "force_installed";
};
# Bitwarden:
"{446900e4-71c2-419f-a6a7-df9c091e268b}" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi";
installation_mode = "force_installed";
};
# Libredirect:
"7esoorv3@alefvanoon.anonaddy.me" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/libredirect/latest.xpi";
installation_mode = "force_installed";
};
# DarkReader:
"addon@darkreader.org" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/darkreader/latest.xpi";
installation_mode = "force_installed";
};
# SimpleLogin:
"addon@simplelogin" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/simplelogin/latest.xpi";
installation_mode = "force_installed";
};
# Cookie Auto Delete:
"CookieAutoDelete@kennydo.com" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/cookie-autodelete/latest.xpi";
installation_mode = "force_installed";
};
# Don't fuck with paste:
"DontFuckWithPaste@raim.ist" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/don-t-fuck-with-paste/latest.xpi";
installation_mode = "force_installed";
};
# Firefox pwas:
"firefoxpwa@filips.si" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/pwas-for-firefox/latest.xpi";
installation_mode = "force_installed";
};
# Consent o matic:
"gdpr@cavi.au.dk" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/consent-o-matic/latest.xpi";
installation_mode = "force_installed";
};
# Mailvelope:
"jid1-AQqSMBYb0a8ADg@jetpack" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/mailvelope/latest.xpi";
installation_mode = "force_installed";
};
# KDE connect:
"kde-connect@0xc0dedbad.com" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/kde-connect/latest.xpi";
installation_mode = "force_installed";
};
# Plasma browser integration:
"plasma-browser-integration@kde.org" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi";
installation_mode = "force_installed";
};
# Shinigami eyes:
"shinigamieyes@shinigamieyes" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/shinigami-eyes/latest.xpi";
installation_mode = "force_installed";
};
# uBlock Origin:
"uBlock0@raymondhill.net" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
installation_mode = "force_installed";
};
# uBlock Scope:
"uBO-Scope@raymondhill.net" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/ubo-scope/latest.xpi";
installation_mode = "force_installed";
};
# Wayback machine:
"wayback_machine@mozilla.org" = {
install_url = "https://addons.mozilla.org/firefox/downloads/file/4047136/wayback_machine_new-3.2.xpi";
installation_mode = "force_installed";
};
# Tree Style Tabs
# "treestyletab@piro.sakura.ne.jp" = {
# install_url = "https://addons.mozilla.org/firefox/downloads/latest/tree-style-tab/latest.xpi";
# installation_mode = "force_installed";
# };
# Adaptive Tab Bar Colour
"ATBC@EasonWong" = {
install_url = "https://addons.mozilla.org/firefox/downloads/latest/Adaptive-Tab-Bar-Colour/latest.xpi";
installation_mode = "force_installed";
};
};
FirefoxHome = {
Search = true;
TopSites = false;
SponsoredTopSites = false;
Highlights = false;
Pocket = false;
SponsoredPocket = false;
Snippets = false;
};
FirefoxSuggest = {
WebSuggestions = false;
SponsoredSuggestions = false;
ImproveSuggest = false;
};
Preferences = {
"browser.compactmode.show" = true;
"browser.uidensity" = 0;
# "browser.newtabpage.activity-stream.feeds.topsites" = false;
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
"browser.newtabpage.activity-stream.showSponsored" = false;
"browser.newtabpage.activity-stream.system.showSponsored" = false;
"font.name.serif.x-western" = "Crimson";
"font.name.sans-serif.x-western" = "Atkinson Hyperlegible";
"font.name.monospace.x-western" = "FiraCode Nerd Font";
"font.size.variable.x-western" = 14;
"floorp.browser.sidebar.useIconProvider" = "duckduckgo";
"floorp.browser.tabbar.settings" = 2;
"floorp.browser.tabs.verticaltab" = true;
"floorp.tabbar.style" = 2;
"floorp.browser.user.interface" = 8;
"signon.rememberSignons" = true;
"browser.ml.chat.enabled" = false;
"browser.ml.chat.shortcuts" = false;
};
# TODO: switch to ManagedBookmarks as this will be dropped at some point https://mozilla.github.io/policy-templates/#managedbookmarks
# Bookmarks = [
# {
# Title = "NixOS wiki";
# Placement = "toolbar";
# URL = "https://nixos.wiki/";
# }
# {
# Title = "NixOS options";
# Placement = "toolbar";
# URL = "https://nixos.org/manual/nixos/stable/options";
# }
# {
# Title = "NixOS home-manager options";
# Placement = "toolbar";
# URL = "https://nix-community.github.io/home-manager/options.xhtml";
# }
# ];
};
};
}

188
nixos/shared/preservation.nix
View file

@ -1,188 +0,0 @@
{...}: {
preservation = {
# the module doesn't do anything unless it is enabled
enable = true;
preserveAt."/persistent" = {
# preserve system directories
directories = [
#Shared
"/var/lib/sbctl"
"/var/lib/bluetooth"
"/var/lib/fprint"
"/var/lib/fwupd"
"/var/lib/libvirt"
"/var/lib/tpm2-tss"
"/var/lib/tpm2-udev-trigger"
"/var/lib/power-profiles-daemon"
"/var/lib/systemd/coredump"
"/var/lib/systemd/rfkill"
"/var/lib/systemd/timers"
"/var/log"
#Desktop
"/var/lib/decky-loader"
"/var/lib/flatpak"
#Server
"/var/lib/continuwuity"
"/var/lib/dhcpcd"
"/var/lib/docker"
"/var/lib/dovecot"
"/var/lib/forgejo"
"/var/lib/gotosocial"
"/var/lib/grafana"
"/var/lib/jellyfin"
"/var/lib/media"
"/var/lib/mollysocket"
"/var/lib/private"
"/var/lib/mysql"
"/var/lib/nextcloud"
"/var/lib/onlyoffice"
"/var/lib/postfix"
"/var/lib/postgresql"
"/var/lib/prometheus2"
"/var/lib/rabbitmq"
"/var/lib/redis-nextcloud"
"/var/lib/redis-rspamd"
"/var/lib/secrets"
"/var/lib/writefreely"
"/var/db"
"/var/dkim"
"/var/secrets"
"/var/sieve"
"/var/vmail"
"/var/mysql"
{
directory = "/var/lib/nixos";
inInitrd = true;
}
{
directory = "/var/secrets";
inInitrd = true;
}
];
# preserve system files
files = [
{
file = "/etc/machine-id";
inInitrd = true;
how = "symlink";
}
"/var/lib/usbguard/rules.conf"
# creates a symlink on the volatile root
# creates an empty directory on the persistent volume, i.e. /persistent/var/lib/systemd
# does not create an empty file at the symlink's target (would require `createLinkTarget = true`)
{
file = "/var/lib/systemd/random-seed";
how = "symlink";
inInitrd = true;
configureParent = true;
}
"/var/lib/systemd/tpm2-srk-public-key.pem"
"/var/lib/systemd/tpm2-srk-public-key.tpm2b_public"
];
# preserve user-specific files, implies ownership
users = {
lillian = {
commonMountOptions = [
"x-gvfs-hide"
];
directories = [
{
directory = ".ssh";
mode = "0700";
}
#Desktop
".local/state/wireplumber"
".local/share/direnv"
".local/state/nix"
".local/state/comma"
".local/state/home-manager"
".local/share/PrismLauncher"
".local/share/qBittorrent"
".local/share/kwalletd"
".local/share/kwin" #TODO: add the window script via nix instead of saving it imperatively and keeping it
".local/share/lutris"
".local/share/Nextcloud"
".local/share/Steam"
".local/share/zoxide"
".local/share/flatpak"
".local/share/applications"
".local/share/firefoxpwa/"
".local/share/zoxide"
".mozilla"
".steam"
".zsh"
".pki"
".tldrc"
".thunderbird"
"Code"
"Writing"
"Games"
".config/kdeconnect"
".config/Nextcloud"
".config/noisetorch"
".config/qBittorrent"
".config/r2modman"
".config/r2modmanPlus-local"
".config/Ryujinx"
".config/Signal"
".config/sops"
".config/vesktop"
".config/kde.org"
".config/heroic"
];
#Shared
files = [
".z"
".zsh_history"
];
};
root = {
# specify user home when it is not `/home/${user}`
home = "/root";
directories = [
{
directory = ".ssh";
mode = "0700";
}
];
};
};
};
};
systemd.services.systemd-machine-id-commit = {
unitConfig.ConditionPathIsMountPoint = [
""
"/persistent/etc/machine-id"
];
serviceConfig.ExecStart = [
""
"systemd-machine-id-setup --commit --root /persistent"
];
};
systemd.tmpfiles.settings.preservation = {
"/home/lillian/.config".d = {
user = "lillian";
group = "users";
mode = "0755";
};
"/home/lillian/.local".d = {
user = "lillian";
group = "users";
mode = "0755";
};
"/home/lillian/.local/share".d = {
user = "lillian";
group = "users";
mode = "0755";
};
"/home/lillian/.local/state".d = {
user = "lillian";
group = "users";
mode = "0755";
};
};
}

7
overlays/default.nix
View file

@ -7,13 +7,6 @@
# steam = prev.steam.override { # steam = prev.steam.override {
# extraProfile = ''export LD_PRELOAD=${inputs.extest}/lib/libextest.so:$LD_PRELOAD''; # extraProfile = ''export LD_PRELOAD=${inputs.extest}/lib/libextest.so:$LD_PRELOAD'';
# }; # };
continuwuity = prev.continuwuity.overrideAttrs (prev: {
version = "git";
src = builtins.fetchGit {
url = "https://forgejo.ellis.link/continuwuation/continuwuity.git";
ref = "/releases/latest";
};
});
}; };
# This one brings our custom packages from the 'pkgs' directory # This one brings our custom packages from the 'pkgs' directory

110
overlays/flake.nix
View file

@ -1,110 +0,0 @@
{
description = "An overlay to remove fascist artifacts";
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
outputs = { self, nixpkgs }: {
overlays.antifa = final: prev:
let
patchSystemd = d: d.overrideAttrs (old: {
# https://github.com/systemd/systemd/pull/39285
patches = old.patches ++ [ ./systemd-detect-fash.patch ];
});
disableAuthor = author: throw ''
This package was disabled by nixpkgs-antifa because: it is authored by ${author}
'';
disableCorp = corp: throw ''
This package was disabled by nixpkgs-antifa because: it exclusively integrates with offerings from ${corp}
'';
# NB: not listing out culture names in code -- yet
disablePropaganda = throw ''
This package was disabled by nixpkgs-antifa because: it is ethnonationalist propaganda
'';
in rec {
# https://lix.systems/add-to-config/#flake-based-configurations
inherit (prev.lixPackageSets.stable) lix nixpkgs-review nix-eval-jobs nix-fast-build colmena;
nix = lix;
certmgr = disableAuthor "Cloudflare";
cf-terraforming = disableAuthor "Cloudflare";
cf-vault = disableCorp "Cloudflare";
cfdyndns = disableCorp "Cloudflare";
cfssl = disableAuthor "Cloudflare";
cloudflare-cli = disableCorp "Cloudflare";
cloudflare-dynamic-dns = disableCorp "Cloudflare";
cloudflare-dyndns = disableCorp "Cloudflare";
cloudflare-utils = disableCorp "Cloudflare";
cloudflare-warp = disableAuthor "Cloudflare";
cloudflared = disableAuthor "Cloudflare";
flarectl = disableAuthor "Cloudflare";
gortr = disableAuthor "Cloudflare";
prometheus-cloudflare-exporter = disableCorp "Cloudflare";
proski = disableCorp "Cloudflare";
wgcf = disableCorp "Cloudflare";
worker-build = disableAuthor "Cloudflare";
wrangler = disableAuthor "Cloudflare";
wrangler_1 = disableAuthor "Cloudflare";
gnomeExtensions.warp-toggle = disableCorp "Cloudflare";
octodns-providers.cloudflare = disableCorp "Cloudflare";
pythonPackages.certbot-dns-cloudflare = disableCorp "Cloudflare";
pythonPackages.cloudflare = disableAuthor "Cloudflare";
pythonPackages.pycfdns = disableCorp "Cloudflare";
terraform-providers.cloudflare = disableCorp "Cloudflare";
brave = disableAuthor "Brendan Eich";
ladybird = disableAuthor "Andreas Kling";
palemoon = disableAuthor "Moonchild Straver";
_9base = disableAuthor "suckless";
dmenu = disableAuthor "suckless";
dwm = disableAuthor "suckless";
farbfeld = disableAuthor "suckless";
ii = disableAuthor "suckless";
libgrapheme = disableAuthor "suckless";
quark = disableAuthor "suckless";
sent = disableAuthor "suckless";
sic = disableAuthor "suckless";
sinit = disableAuthor "suckless";
slock = disableAuthor "suckless";
slstatus = disableAuthor "suckless";
sselp = disableAuthor "suckless";
st = disableAuthor "suckless";
surf = disableAuthor "suckless";
svkbd = disableAuthor "suckless";
tabbed = disableAuthor "suckless";
wmname = disableAuthor "suckless";
xssstate = disableAuthor "suckless";
blink = disableAuthor "Justine Tunney";
cosmopolitan = disableAuthor "Justine Tunney";
jart-jsoncpp = disableAuthor "Justine Tunney";
pythonPackages.fabulous = disableAuthor "Justine Tunney";
hyprland = disableAuthor "Vaxry";
tailwindcss = disableAuthor "Adam Wathan";
urbit = disableAuthor "Curtis Yarvin";
bibletime = disablePropaganda;
biblesync = disablePropaganda;
grb = disablePropaganda;
kjv = disablePropaganda;
lukesmithxyz-bible-kjv = disablePropaganda;
sword = disablePropaganda;
vul = disablePropaganda;
xiphos = disablePropaganda;
gnomeExtensions.quran-player = disablePropaganda;
emacsPackages.holy-books = disablePropaganda;
systemd = patchSystemd prev.systemd;
};
nixosModules.antifa = { lib, pkgs, ... }: {
nix.package = lib.mkForce pkgs.lix;
};
};
}

554
overlays/systemd-detect-fash.patch
View file

@ -1,554 +0,0 @@
From f09346dd2ceb30d0c7ea03bbd0099967e7e54be0 Mon Sep 17 00:00:00 2001
From: soscho2143 <mnovikov@mil.ru>
Date: Sun, 12 Oct 2025 13:52:36 -0400
Subject: [PATCH 1/2] detect-fash: implement systemd-detect-fash
---
man/systemd-detect-fash.xml | 131 +++++++++
shell-completion/bash/systemd-detect-fash | 40 +++
src/detect-fash/detect-fash.c | 312 ++++++++++++++++++++++
src/detect-fash/meson.build | 9 +
4 files changed, 492 insertions(+)
create mode 100644 man/systemd-detect-fash.xml
create mode 100644 shell-completion/bash/systemd-detect-fash
create mode 100644 src/detect-fash/detect-fash.c
create mode 100644 src/detect-fash/meson.build
diff --git a/man/systemd-detect-fash.xml b/man/systemd-detect-fash.xml
new file mode 100644
index 0000000000000..aaebf4e48650b
--- /dev/null
+++ b/man/systemd-detect-fash.xml
@@ -0,0 +1,131 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+
+<refentry id="systemd-detect-fash"
+ xmlns:xi="http://www.w3.org/2001/XInclude">
+
+ <refentryinfo>
+ <title>systemd-detect-fash</title>
+ <productname>systemd</productname>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>systemd-detect-fash</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>systemd-detect-fash</refname>
+ <refpurpose>Detect execution in a fascist environment</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>systemd-detect-fash</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><command>systemd-detect-fash</command> detects execution in
+ a fascist environment. It identifies the fascist
+ technology and can distinguish full machine fascism from
+ installed fashware. <filename>systemd-detect-fash</filename>
+ exits with a return value of 0 (success) if a fascism
+ technology is detected, and non-zero (error) otherwise.
+
+ <para>When executed without <option>--quiet</option> will print a
+ short identifier for the detected fascist technology. The
+ following technologies are currently identified:</para>
+
+ <table>
+ <title>Known fascist technologies</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname="type" />
+ <colspec colname="id" />
+ <colspec colname="product" />
+ <thead>
+ <row>
+ <entry>Type</entry>
+ <entry>ID</entry>
+ <entry>Product</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><varname>omarchy</varname></entry>
+ <entry>Omarchy linux distro. Detected by checking os-release.</entry>
+ </row>
+
+ <row>
+ <entry><varname>ladybird</varname></entry>
+ <entry>Ladybird browser. Detected by checking for "ladybird" binary in path.</entry>
+ </row>
+
+ <row>
+ <entry><varname>hyprland</varname></entry>
+ <entry>Hyperland window manager. Detected by checking the existence of hyprland config files on disk.</entry>
+ </row>
+
+ <row>
+ <entry><varname>dhh</varname></entry>
+ <entry>Checks for DHH's public key on disk.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+
+ <para>The following options are understood:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>-o</option></term>
+ <term><option>--omarchy</option></term>
+
+ <listitem><para>Only detects if os-release is Omarchy.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-y</option></term>
+ <term><option>--hyprland</option></term>
+
+ <listitem><para>Only detects Hyprland.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-l</option></term>
+ <term><option>--ladybird</option></term>
+
+ <listitem><para>Only detects Ladybird.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-d</option></term>
+ <term><option>--dhh</option></term>
+
+ <listitem><para>Only detects DHH.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-q</option></term>
+ <term><option>--quiet</option></term>
+
+ <listitem><para>Suppress output of the fascist technology identifier.</para></listitem>
+ </varlistentry>
+ </refsect1>
+
+ <refsect1>
+ <title>Exit status</title>
+
+ <para>If a fascist technology is detected, 0 is returned, a
+ non-zero code otherwise.</para>
+ </refsect1>
+</refentry>
diff --git a/shell-completion/bash/systemd-detect-fash b/shell-completion/bash/systemd-detect-fash
new file mode 100644
index 0000000000000..dc2a7f5f4774a
--- /dev/null
+++ b/shell-completion/bash/systemd-detect-fash
@@ -0,0 +1,40 @@
+# shellcheck shell=bash
+# systemd-detect-fash(1) completion -*- shell-script -*-
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# systemd is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with systemd; If not, see <https://www.gnu.org/licenses/>.
+
+__contains_word() {
+ local w word=$1; shift
+ for w in "$@"; do
+ [[ $w = "$word" ]] && return
+ done
+}
+
+_systemd_detect_fash() {
+ local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
+ local i verb comps
+
+ local -A OPTS=(
+ [STANDALONE]='-h --help --version -q --quiet -o --omarchy -l --ladybird -y --hyprland -d --dhh'
+ )
+
+ _init_completion || return
+
+ COMPREPLY=( $(compgen -W '${OPTS[*]}' -- "$cur") )
+}
+
+complete -F _systemd_detect_fash systemd-detect-fash
diff --git a/src/detect-fash/detect-fash.c b/src/detect-fash/detect-fash.c
new file mode 100644
index 0000000000000..311547ec6a619
--- /dev/null
+++ b/src/detect-fash/detect-fash.c
@@ -0,0 +1,312 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <stdlib.h>
+#include <getopt.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "alloc-util.h"
+#include "build.h"
+#include "log.h"
+#include "main-func.h"
+#include "pretty-print.h"
+#include "string-table.h"
+
+static bool arg_quiet = false;
+static enum {
+ ANY_FASCISM,
+ ONLY_LADYBIRD,
+ ONLY_OMARCHY,
+ ONLY_HYPRLAND,
+ ONLY_DHH
+} arg_mode = ANY_FASCISM;
+
+/* detects if os-release is omarchy */
+static int detect_omarchy(void) {
+ const char *term = "omarchy";
+ const int len = 256;
+
+ /* if we cannot access os-release we cannot check */
+ if (access("/etc/os-release", F_OK) != 0)
+ return -1;
+
+ FILE *osfile = fopen("/etc/os-release", "r");
+ char os[len];
+ fgets(os, len, osfile);
+ if (strcasestr(os, term) != NULL)
+ return 1;
+
+ return 0;
+}
+
+/*
+ detects if the LadyBird browser
+ has been built on this machine
+ or if the binary exists in $PATH
+*/
+static unsigned detect_ladybird(void) {
+
+ /* name of the ladybird binary */
+ const char* ladybird_bin = "/ladybird";
+
+ /* check if build variable is available */
+ char* LADYBIRD_SOURCE_DIR = getenv("LADYBIRD_SOURCE_DIR");
+ if (LADYBIRD_SOURCE_DIR != NULL)
+ return 1;
+
+ char* PATH = getenv("PATH");
+ if (PATH == NULL)
+ return 0;
+
+ /* this value will get mutated so we need to duplicate it */
+ char* path = strdup(PATH);
+ /* loop through PATH until we find a file named "ladybird" */
+ char* path_iter = strtok(path, ":");
+ char* abs_path = malloc(256);
+ while (path_iter != NULL) {
+ strncat(abs_path, path_iter, 128);
+ strncat(abs_path, ladybird_bin, 128);
+ /* if we do NOT find the binary at current path, keep going */
+ if (access(abs_path, F_OK) != 0){
+ path_iter = strtok(NULL, ":");
+ abs_path[0] = 0;
+ continue;
+ }
+ free(abs_path);
+ free(path);
+ return 1;
+ }
+ free(abs_path);
+ free(path);
+ return 0;
+}
+
+/* detects if hyprland is installed */
+static unsigned detect_hyprland(void) {
+ const char* hyprland_config = "/hypr/hyprland.conf";
+ const char* XDG_CONFIG_HOME = getenv("XDG_CONFIG_HOME");
+ const char* HOME = getenv("HOME");
+ int maxlen = 128;
+
+ char *hyprland_abs_path = malloc(maxlen);
+
+ if (XDG_CONFIG_HOME != NULL) {
+ strncat(hyprland_abs_path, XDG_CONFIG_HOME, maxlen - strlen(hyprland_config));
+ } else if (HOME != NULL) {
+ strncat(hyprland_abs_path, HOME, maxlen - strlen(hyprland_config));
+ strcat(hyprland_abs_path, "/.config");
+ } else {
+ return 0;
+ }
+ strcat(hyprland_abs_path, hyprland_config);
+ if (access(hyprland_abs_path, F_OK) == 0){
+ free(hyprland_abs_path);
+ return 1;
+ }
+ free(hyprland_abs_path);
+ return 0;
+}
+
+/* detects if this is dhh's computer using his ssh pubkey */
+static int detect_dhh(void) {
+ /* fingerprint of dhh's ssh public key */
+ const char *dhh_fingerprint = "SHA256:YCKX7xo5Hkihy/NVH5ang8Oty9q8Vvqu4sxI7EbDxPg";
+ /* path to ssh pubkey */
+ const char *ssh_pubkey = "/.ssh/id_ed25519.pub";
+ /* command to generate fingerprint */
+ const char *ssh_fingerpint_cmd = "ssh-keygen -E sha256 -lf ";
+
+ /* get the home directory */
+ char *HOME = getenv("HOME");
+
+ if (HOME == NULL)
+ return -1;
+ /* check if we have read access to the public key on disk */
+ char *ssh_pubkey_abs_path = (char *)malloc(strlen(HOME) + strlen(ssh_pubkey) + 1);
+ ssh_pubkey_abs_path[0] = 0;
+ strcat(ssh_pubkey_abs_path, HOME);
+ strcat(ssh_pubkey_abs_path, ssh_pubkey);
+ if (access(ssh_pubkey_abs_path, F_OK) != 0)
+ return 0;
+
+ /* generate a fingerprint of it */
+ char *get_fingerprint_cmd = (char *)malloc(strlen(ssh_fingerpint_cmd) + strlen(ssh_pubkey_abs_path) + 1);
+ get_fingerprint_cmd[0] = 0;
+ strcat(get_fingerprint_cmd, ssh_fingerpint_cmd);
+ strcat(get_fingerprint_cmd, ssh_pubkey_abs_path);
+
+ char fingerprint[70];
+ FILE *fingerprint_cmd_output = popen(get_fingerprint_cmd, "r");
+
+ if (fingerprint_cmd_output == NULL)
+ return -1;
+ fgets(fingerprint, 70, fingerprint_cmd_output);
+
+ /* free memory */
+ pclose(fingerprint_cmd_output);
+ free(ssh_pubkey_abs_path);
+ free(get_fingerprint_cmd);
+
+ /* comare it to DHH's fingerprint */
+ if (strstr(fingerprint, dhh_fingerprint) != NULL)
+ return 1;
+ return 0;
+}
+
+static int help(void) {
+ _cleanup_free_ char *link = NULL;
+ int r;
+
+ r = terminal_urlify_man("systemd-detect-fash", "1", &link);
+ if (r < 0)
+ return log_oom();
+
+ printf("%s [OPTIONS...]\n\n"
+ "Detect execution in a fascist environment.\n\n"
+ " -h --help Show this help\n"
+ " --version Show package version\n"
+ " -q --quiet Quiet mode\n"
+ " -o --omarchy Only detect omarchy\n"
+ " -l --ladybird Only detect ladybird\n"
+ " -y --hyprland Only detect hyprland\n"
+ " -d --dhh Only detect dhh\n"
+ "\nSee the %s for details.\n",
+ program_invocation_short_name,
+ link);
+
+ return 0;
+}
+
+static int parse_argv(int argc, char *argv[]) {
+
+ enum {
+ ARG_VERSION = 0x100,
+ ARG_OMARCHY,
+ ARG_LADYBIRD,
+ ARG_HYPRLAND,
+ ARG_DHH
+ };
+
+ static const struct option options[] = {
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, ARG_VERSION },
+ { "omarchy", no_argument, NULL, 'o' },
+ { "ladybird", no_argument, NULL, 'l' },
+ { "hyprland", no_argument, NULL, 'y' },
+ { "dhh", no_argument, NULL, 'd' },
+ {}
+ };
+
+ int c;
+
+ assert(argc >= 0);
+ assert(argv);
+
+ while ((c = getopt_long(argc, argv, "hqolyd", options, NULL)) >= 0)
+
+ switch (c) {
+
+ case 'h':
+ return help();
+
+ case ARG_VERSION:
+ return version();
+
+ case 'q':
+ arg_quiet = true;
+ break;
+
+ case 'l':
+ arg_mode = ONLY_LADYBIRD;
+ break;
+
+ case 'o':
+ arg_mode = ONLY_OMARCHY;
+ break;
+
+ case 'y':
+ arg_mode = ONLY_HYPRLAND;
+ break;
+
+ case 'd':
+ arg_mode = ONLY_DHH;
+ break;
+
+ case '?':
+ return -EINVAL;
+
+ default:
+ assert_not_reached();
+ }
+ return 1;
+}
+
+static int run(int argc, char *argv[]) {
+ int dhh = 0;
+ int hyprland = 0;
+ int ladybird = 0;
+ int omarchy = 0;
+ int fascism = 0;
+ int r;
+
+ /* This is mostly intended to be used for scripts which want
+ * to detect whether we are being run in a fascist
+ * environment or not */
+
+ log_setup();
+
+ r = parse_argv(argc, argv);
+ if (r <= 0)
+ return r;
+
+ switch (arg_mode) {
+ case ONLY_OMARCHY:
+ omarchy = detect_omarchy();
+ fascism = omarchy;
+ if (omarchy < 0)
+ return log_error_errno(fascism, "Failed to check for omarchy: %m");
+ break;
+
+ case ONLY_LADYBIRD:
+ ladybird = detect_ladybird();
+ fascism = ladybird;
+ if (ladybird < 0)
+ return log_error_errno(fascism, "Failed to check for ladybird: %m");
+ break;
+
+ case ONLY_HYPRLAND:
+ hyprland = detect_hyprland();
+ fascism = hyprland;
+ if (hyprland < 0)
+ return log_error_errno(fascism, "Failed to check for hyprland: %m");
+ break;
+
+ case ONLY_DHH:
+ dhh = detect_dhh();
+ fascism = dhh;
+ if (dhh < 0)
+ return log_error_errno(fascism, "Failed to check for dhh: %m");
+ break;
+
+ case ANY_FASCISM:
+ default:
+ ladybird = detect_ladybird();
+ omarchy = detect_omarchy();
+ hyprland = detect_hyprland();
+ dhh = detect_dhh();
+ fascism = (ladybird | omarchy | hyprland | dhh);
+ if (fascism < 0)
+ return log_error_errno(fascism, "Failed to check for fascism: %m");
+ }
+
+ if (!arg_quiet) {
+ if (ladybird) puts("ladybird");
+ if (omarchy) puts("omarchy");
+ if (dhh) puts("dhh");
+ if (hyprland) puts("hyprland");
+ }
+ return fascism;
+}
+
+DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run);
diff --git a/src/detect-fash/meson.build b/src/detect-fash/meson.build
new file mode 100644
index 0000000000000..f4cca34117e7b
--- /dev/null
+++ b/src/detect-fash/meson.build
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+executables += [
+ executable_template + {
+ 'name' : 'systemd-detect-fash',
+ 'public' : true,
+ 'sources' : files('detect-fash.c'),
+ },
+]
From 825072a331cb6d7464eb4479c4998ab0d020e32f Mon Sep 17 00:00:00 2001
From: soscho2143 <mnovikov@mil.ru>
Date: Sun, 12 Oct 2025 14:18:49 -0400
Subject: [PATCH 2/2] detect-fash: added to meson.build
---
meson.build | 1 +
1 file changed, 1 insertion(+)
diff --git a/meson.build b/meson.build
index c67e7b6c30de4..76c625d22080d 100644
--- a/meson.build
+++ b/meson.build
@@ -2353,6 +2353,7 @@ subdir('src/cryptenroll')
subdir('src/cryptsetup')
subdir('src/debug-generator')
subdir('src/delta')
+subdir('src/detect-fash')
subdir('src/detect-virt')
subdir('src/dissect')
subdir('src/environment-d-generator')

0
pkgs/altsendme/default.nix
View file

4
pkgs/default.nix
View file

@ -3,7 +3,7 @@
pkgs: { pkgs: {
dvd = pkgs.callPackage ./dvd {}; dvd = pkgs.callPackage ./dvd {};
dvt = pkgs.callPackage ./dvt {}; dvt = pkgs.callPackage ./dvt {};
# servo = pkgs.callPackage ./servo {}; servo = pkgs.callPackage ./servo {};
rebuild-no-inhibit = pkgs.callPackage ./rebuild-no-inhibit {}; rebuild-no-inhibit = pkgs.callPackage ./rebuild-no-inhibit {};
rebuild = pkgs.callPackage ./rebuild {}; rebuild = pkgs.callPackage ./rebuild {};
install-nix-no-inhibit = pkgs.callPackage ./install-nix-no-inhibit {}; install-nix-no-inhibit = pkgs.callPackage ./install-nix-no-inhibit {};
@ -14,6 +14,4 @@ pkgs: {
phanpy = pkgs.callPackage ./phanpy {}; phanpy = pkgs.callPackage ./phanpy {};
auto-mount = pkgs.callPackage ./auto-mount {}; auto-mount = pkgs.callPackage ./auto-mount {};
simple-completion-language-server = pkgs.callPackage ./simple-completion-language-server {}; simple-completion-language-server = pkgs.callPackage ./simple-completion-language-server {};
freetube-0236 = pkgs.callPackage ./freetube-0.23.6 {};
ttf-ms-win10 = pkgs.callPackage ./ttf-ms-win10 {};
} }

Some files were not shown because too many files have changed in this diff Show more