0xa/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

revert toaster

Browse source
This commit is contained in:
Grisha Shipunov 2024-12-31 13:52:57 +00:00
parent 677abb7344
commit 50066a4d20
30 changed files with 1468 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -3,6 +3,7 @@ keys:
- &cirrus age1qm70jkg7us4ft4x3nh7kwxlul022kteescjj83ywvjhysj6nsq5sw7l6p8 - &cirrus age1qm70jkg7us4ft4x3nh7kwxlul022kteescjj83ywvjhysj6nsq5sw7l6p8
- &dishwasher age18t2dc53m7a53996fwcmuanwjtxxvvgkntpmdvd3q42pnkch6rajqnm4up8 - &dishwasher age18t2dc53m7a53996fwcmuanwjtxxvvgkntpmdvd3q42pnkch6rajqnm4up8
- &nextcloud age1ds7zgenz9a664jqx5308m6q5mgtavzmelg239xsj8mdh64pmqa9qtkffmk - &nextcloud age1ds7zgenz9a664jqx5308m6q5mgtavzmelg239xsj8mdh64pmqa9qtkffmk
- &toaster age1qyj95tsntreefqeetawqy5pf26456s9c0v3tzz8yzs706c0jsg6qv56jzk
- &music age1aj7mgq8jxv0n5rnpqtgu4l56ymqyq86qacn3jp7ve2emk0eheuaqgm4rtt - &music age1aj7mgq8jxv0n5rnpqtgu4l56ymqyq86qacn3jp7ve2emk0eheuaqgm4rtt
- &news age1dwem3slsm04jpmje2ru5n7fujkmz2kvhdat5htx2xnc2yqtyefeqchwx7f - &news age1dwem3slsm04jpmje2ru5n7fujkmz2kvhdat5htx2xnc2yqtyefeqchwx7f
creation_rules: creation_rules:
@ -24,6 +25,12 @@ creation_rules:
- *admin_oxa - *admin_oxa
age: age:
- *nextcloud - *nextcloud
- path_regex: secrets/toaster/[^/]+\.yaml$
key_groups:
- pgp:
- *admin_oxa
age:
- *toaster
- path_regex: secrets/music/[^/]+\.yaml$ - path_regex: secrets/music/[^/]+\.yaml$
key_groups: key_groups:
- pgp: - pgp:

15
flake.nix
View file

@ -32,7 +32,22 @@
, ... , ...
}: }:
flake-utils.lib.eachDefaultSystem
(system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{ {
packages.slick = pkgs.callPackage "${self}/pkgs/slick.nix" { };
# packages.imhex = pkgs.libsForQt5.callPackage "${self}/pkgs/imhex.nix" { };
})
//
{
overlays.default = _final: prev: {
inherit (self.packages.${prev.system})
slick;
};
nixosConfigurations = { nixosConfigurations = {
cirrus = nixpkgs.lib.nixosSystem { cirrus = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";

5
hosts/toaster/amd-new-pstate.nix Normal file
View file

@ -0,0 +1,5 @@
{ ... }:
{
# use new amd pstate driver
boot.kernelParams = [ "amd_pstate=active" ];
}

16
hosts/toaster/amd.nix Normal file
View file

@ -0,0 +1,16 @@
{ pkgs, config, ... }: {
boot.initrd.kernelModules = [ "amdgpu" ];
hardware.opengl = {
driSupport = true;
driSupport32Bit = true;
extraPackages = with pkgs; [
rocm-opencl-icd
rocm-opencl-runtime
amdvlk
];
extraPackages32 = with pkgs; [
driversi686Linux.amdvlk
];
};
}

63
hosts/toaster/default.nix Normal file
View file

@ -0,0 +1,63 @@
{ pkgs, ... }: {
imports = [
./amd.nix
./amd-new-pstate.nix
./hardware-configuration.nix
./irc.nix
./stateful-network.nix
./secrets.nix
./secure-boot.nix
./zfs.nix
];
nixpkgs.config.allowUnfree = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.enableAllFirmware = true;
# update the firmware
services.fwupd.enable = true;
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# Select internationalisation properties.
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [ "all" ];
};
users.users.grue = {
extraGroups = [
"wheel"
"video"
"plugdev"
"dialout"
"bluetooth"
"libvirtd"
];
group = "users";
home = "/home/grue";
isNormalUser = true;
uid = 1000;
};
programs.steam.enable = true;
environment.systemPackages = with pkgs; [
factorio
];
services.emacs.defaultEditor = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

94
hosts/toaster/hardware-configuration.nix Normal file
View file

@ -0,0 +1,94 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "toasterpool/nixos/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix" =
{
device = "toasterpool/nixos/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" =
{
device = "toasterpool/userdata/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var/lib" =
{
device = "toasterpool/userdata/var/lib";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var/log" =
{
device = "toasterpool/userdata/var/log";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" =
{
device = "toasterpool/userdata/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home/grue" =
{
device = "toasterpool/userdata/home/grue";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/7663-6239";
fsType = "vfat";
options = [ "X-mount.mkdir" ];
};
swapDevices = [
{
device = "/dev/disk/by-id/nvme-eui.ace42e002621ff2b2ee4ac0000000001-part2";
randomEncryption = true;
}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
#networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# services.fprintd.enable = true;
}

9
hosts/toaster/irc.nix Normal file
View file

@ -0,0 +1,9 @@
{ config, pkgs, ... }: {
environment.systemPackages = [ pkgs.senpai ];
sops.secrets = {
"irc/senpai" = {
owner = config.users.users.grue.name;
};
};
}

210
hosts/toaster/network-vpns.nix Normal file
View file

@ -0,0 +1,210 @@
{ config, ... }: {
systemd.network = {
# Wireguard
# Dump-dvb
netdevs."30-wg-dumpdvb" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-dumpdvb";
Description = "dvb.solutions enterprise network";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/dvb".path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
Endpoint = "academicstrokes.com:51820";
AllowedIPs = [ "10.13.37.0/24" ];
PersistentKeepalive = 25;
};
}
];
};
networks."30-wg-dumpdvb" = {
matchConfig.Name = "wg-dumpdvb";
networkConfig = {
Address = "10.13.37.3/24";
IPv6AcceptRA = true;
};
routes = [
{ routeConfig = { Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; }; }
];
};
# oxalab
netdevs."10-wg-oxalab" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-oxalab";
Description = "lab of oxa";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/oxalab".path;
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
Endpoint = "95.216.166.21:51820";
AllowedIPs = [ "10.66.66.0/24" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-wg-oxalab" = {
matchConfig.Name = "wg-oxalab";
networkConfig = {
Address = "10.66.66.10/24";
IPv6AcceptRA = true;
};
routes = [
{ routeConfig = { Gateway = "10.66.66.1"; Destination = "10.66.66.1/24"; }; }
];
};
# zentralwerk
netdevs."10-wg-zentralwerk" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-zentralwerk";
Description = "Tunnel to the best basement in Dresden";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/zw".path;
RouteTable = "off";
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
Endpoint = "81.201.149.152:1337";
AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" "172.22.99.0/24" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-wg-zentralwerk" = {
matchConfig.Name = "wg-zentralwerk";
networkConfig = {
Address = "172.20.76.226/21";
IPv6AcceptRA = true;
DNS = "172.20.73.8";
Domains = [
"~hq.c3d2.de"
"~serv.zentralwerk.org"
"~hq.zentralwerk.org"
"~cluster.zentralwerk.org"
];
};
routes = [
{
routeConfig = {
Gateway = "172.20.76.225";
Destination = "172.20.72.0/21";
Metric = 1023;
};
}
{
routeConfig = {
Gateway = "172.20.76.225";
Destination = "172.20.90.0/24";
Metric = 1023;
};
}
{
routeConfig = {
Gateway = "172.20.76.225";
Destination = "172.22.99.0/24";
Metric = 1023;
};
}
];
};
# VPN
netdevs."10-wg-mullvad" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-mullvad";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/mullvad".path;
FirewallMark = 34952; # 0x8888
RouteTable = "off";
};
wireguardPeers = [
{
wireguardPeerConfig = {
PublicKey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";
Endpoint = "169.150.196.15:51820";
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
};
}
];
};
networks."10-wg-mullvad" = {
matchConfig.Name = "wg-mullvad";
address = [ "10.66.157.228/32" "fc00:bbbb:bbbb:bb01::3:9de3/128" ];
networkConfig = {
DNS = "10.64.0.1";
DNSDefaultRoute = true;
Domains = [ "~." ];
};
routes = map
(gate: {
routeConfig = {
Gateway = gate;
Table = 1000;
};
}) [
"0.0.0.0"
"::"
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
Family = "both";
FirewallMark = 34952; # 0x8888
InvertRule = true;
Table = "1000";
Priority = 100;
};
}
{
routingPolicyRuleConfig = {
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 90;
};
}
] ++ map
(net: {
# only route global addresses over VPN
routingPolicyRuleConfig = {
Priority = 80;
To = net;
};
}) [
# Mullvad endpoint
"169.150.196.15/32"
# "10.0.0.0/8"
"10.13.37.0/24"
"10.66.66.0/24"
# "172.16.0.0/12"
"172.16.0.0/12"
# "182.168.0.0/16"
"182.168.0.0/16"
# "fc00::/7"
];
};
};
}

57
hosts/toaster/network.nix Normal file
View file

@ -0,0 +1,57 @@
{ config, pkgs, ... }: {
environment.systemPackages = with pkgs; [ iwgtk ];
networking = {
hostName = "toaster";
firewall.enable = true;
networkmanager.enable = false;
useNetworkd = true;
wireguard.enable = true;
wireless.iwd.enable = true;
};
services.resolved = {
enable = true;
dnssec = "allow-downgrade";
fallbackDns = [
"9.9.9.9"
"2620:fe::fe"
"149.112.112.112"
"2620:fe::9"
];
};
# workaround for networkd waiting for shit
systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
"" # clear old command
"${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
];
systemd.network = {
enable = true;
networks."10-ether" = {
matchConfig.MACAddress = "e8:80:88:2f:c6:70";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
networks."10-dock" = {
matchConfig.Name = "enp5s0f4u1u1";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
dhcpV4Config = { RouteMetric = 666; };
};
networks."10-wlan" = {
# matchConfig.MACAddress = "04:7b:cb:2a:aa:8c";
matchConfig.Name = "wlan0";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
};
}

20
hosts/toaster/secrets.nix Normal file
View file

@ -0,0 +1,20 @@
{ config, ... }:
{
sops.defaultSopsFile = ../../secrets/toaster/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets = {
"wg/zw" = {
owner = config.users.users.systemd-network.name;
};
"wg/dvb" = {
owner = config.users.users.systemd-network.name;
};
"wg/mullvad" = {
owner = config.users.users.systemd-network.name;
};
"wg/oxalab" = {
owner = config.users.users.systemd-network.name;
};
};
}

12
hosts/toaster/secure-boot.nix Normal file
View file

@ -0,0 +1,12 @@
{ pkgs, lib, ... }: {
boot = {
bootspec.enable = true;
loader.systemd-boot.enable = lib.mkForce false;
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
environment.systemPackages = [ pkgs.sbctl ];
}

39
hosts/toaster/stateful-network.nix Normal file
View file

@ -0,0 +1,39 @@
{ pkgs, ... }: {
users.users.grue.extraGroups = [ "networkmanager" ];
networking = {
hostName = "toaster";
firewall.enable = true;
wireguard.enable = true;
};
services.resolved = {
enable = true;
dnssec = "allow-downgrade";
fallbackDns = [
"9.9.9.9"
"2620:fe::fe"
"149.112.112.112"
"2620:fe::9"
];
};
# fixup the rpfilter fucking up the networkmanager wireguard
networking.firewall = {
# if packets are still dropped, they will show up in dmesg
logReversePathDrops = true;
# wireguard trips rpfilter up
extraCommands = ''
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1337 -j RETURN
ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1337 -j RETURN
'';
extraStopCommands = ''
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1337 -j RETURN || true
ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1337 -j RETURN || true
'';
};
}

19
hosts/toaster/zfs.nix Normal file
View file

@ -0,0 +1,19 @@
{ pkgs, ... }: {
services.fstrim.enable = true;
services.zfs = {
autoSnapshot.enable = true;
trim.enable = true;
autoScrub = {
enable = true;
pools = [ "toasterpool" ];
};
};
networking.hostId = "dca22577";
boot = {
kernelPackages = pkgs.zfs.latestCompatibleLinuxPackages;
supportedFilesystems = [ "zfs" ];
kernelParams = [ "nohibernate" ];
plymouth.enable = false;
tmp.useTmpfs = true;
};
}

34
modules/chromium.nix Normal file
View file

@ -0,0 +1,34 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
chromium
];
nixpkgs.config.chromium.commandLineArgs = "--enable-features=UseOzonePlatform --ozone-platform=wayland --force-dark-mode --ignore-gpu-blocklist --enable-gpu-rasterization --enable-zero-copy --enable-native-gpu-memory-buffers --enable-features=VaapiVideoDecoder,VaapiVideoEncoder,CanvasOopRasterization,WebUIDarkMode";
programs.chromium = {
enable = true;
extensions = [
"pkehgijcmpdhfbdbbnkijodmdjhbjlgp" # privacy badger
"ekhagklcjbdpajgpjgmbionohlpdbjgc" # zotero connector
"nngceckbapebfimnlniiiahkandclblb" # bitwarden
"cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
];
extraOpts = {
"BrowserSignin" = 0;
"SyncDisabled" = true;
"PasswordManagerEnabled" = false;
"TranslateEnabled" = false;
"AutofillAddressEnabled" = false;
"AutofillCreditCardEnabled" = false;
"AutoplayAllowed" = false;
"DefaultNotificationSetting" = 2;
"BackgroundModeEnabled" = false;
# "DefaultSearchProviderEnabled" = true;
# "DefaultSearchProviderSearchURL" = "https://google.com/search?q={searchTerms}";
# "DefaultSearchProviderSearchURL" = "https://duckduckgo.com/?q={searchTerms}";
"SearchSuggestEnable" = false;
};
};
}

19
modules/desktop-software.nix Normal file
View file

@ -0,0 +1,19 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
blender
dino
ffmpeg-full
firefox-wayland
fluffychat
gimp
inkscape
kicad
signal-desktop
tdesktop
tor-browser-bundle-bin
wl-clipboard
yt-dlp
libreoffice
];
}

26
modules/dvb-dump-nfs-automount.nix Normal file
View file

@ -0,0 +1,26 @@
{ pkgs, lib, ... }:
{
environment.systemPackages = with pkgs; [ nfs-utils ];
services.rpcbind.enable = true;
systemd.mounts = [{
type = "nfs";
mountConfig = {
Options = "noatime";
};
what = "10.13.37.5:/";
where = "/mnt/dvb";
}];
systemd.automounts = [{
wantedBy = [ "multi-user.target" ];
requires = [ "wg-quick-wg-dvb.service" ];
automountConfig = {
TimeoutIdleSec = "600";
};
where = "/mnt/dvb";
}];
}

29
modules/emacs.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, inputs, lib, ... }:
{
environment.systemPackages = with pkgs; [
direnv
];
nixpkgs.overlays = [
inputs.emacs-overlay.overlay
];
services.emacs = {
install = true;
enable = false;
package = with pkgs; ((emacsPackagesFor (emacs-pgtk.overrideAttrs (old: {
passthru = old.passthru // {
treeSitter = true;
};
}))).emacsWithPackages (epkgs: with epkgs; [
# treesitter bits
treesit-grammars.with-all-grammars
vterm
pdf-tools
]));
defaultEditor = lib.mkDefault true;
};
}

116
modules/gnome.nix Normal file
View file

@ -0,0 +1,116 @@
{ config, pkgs, ... }: {
imports = [
./desktop-software.nix
];
environment.systemPackages = with pkgs; [
amberol
celluloid
gnome-console
gnome-obfuscate
gnome.gnome-boxes
gnome.gnome-tweaks
nextcloud-client
qbittorrent
spotify
];
environment.gnome.excludePackages = with pkgs; [
gnome.totem
gnome.geary
gnome.gnome-music
gnome-console
];
services.gnome = {
evolution-data-server.enable = true;
gnome-keyring.enable = true;
gnome-online-accounts.enable = true;
};
programs = {
seahorse.enable = true;
gnupg.agent.pinentryFlavor = "gnome3";
evolution = {
enable = true;
plugins = [ pkgs.evolution-ews ];
};
};
qt = {
enable = true;
platformTheme = "gnome";
style = "adwaita-dark";
};
services.xserver = {
enable = true;
desktopManager.gnome.enable = true;
displayManager.gdm = {
enable = true;
wayland = true;
};
};
# Enable sound.
security.rtkit.enable = true;
hardware.pulseaudio = {
enable = false;
zeroconf.discovery.enable = true;
extraClientConf = ''
autospawn=yes
'';
};
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
};
programs.zsh.vteIntegration = true;
programs.bash.vteIntegration = true;
fonts.fonts = with pkgs; [
(nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; })
monoid
font-awesome
dejavu_fonts
julia-mono
uw-ttyp0
gohufont
spleen
terminus_font
creep
corefonts
dina-font
fira
fira-mono
hack-font
liberation_ttf
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
noto-fonts-extra
proggyfonts
symbola
open-sans
twemoji-color-font
twitter-color-emoji
iosevka-bin
];
fonts.enableDefaultFonts = true;
fonts.fontconfig = {
enable = true;
allowBitmaps = true;
useEmbeddedBitmaps = true;
defaultFonts.emoji = [
"Twitter Color Emoji"
"Noto Color Emoji"
];
};
hardware.bluetooth.enable = true;
}

18
modules/gnupg.nix Normal file
View file

@ -0,0 +1,18 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
gnupg
opensc
yubikey-personalization-gui
];
# smartcard support
services.pcscd.enable = false;
hardware.gpgSmartcards.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
}

21
modules/hw-accel-intel.nix Normal file
View file

@ -0,0 +1,21 @@
# overrides to enable [sometimes] wonky intel acceleration
{ config, pkgs, ... }:
{
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
vaapiVdpau
vaapiIntel
libvdpau-va-gl
intel-media-driver
];
};
boot.initrd.kernelModules = [ "i915" ];
}

133
modules/mail/default.nix Normal file
View file

@ -0,0 +1,133 @@
{ config, pkgs, ... }:
let
mbsyncConf = ./mbsyncrc;
in
{
environment.systemPackages = with pkgs; [
isync
msmtp
neomutt
notmuch
alot
w3m
links2
];
environment.shellAliases = {
mutt = "neomutt";
};
sops.secrets = {
"mail/oxapentane.com" = {
owner = config.users.users.grue.name;
};
"mail/shipunov.xyz" = {
owner = config.users.users.grue.name;
};
"mail/dvb.solutions" = {
owner = config.users.users.grue.name;
};
"mail/tlm.solutions" = {
owner = config.users.users.grue.name;
};
};
programs.msmtp = {
enable = true;
setSendmail = true;
extraConfig = ''
account mail@oxapentane.com
host smtp.migadu.com
port 587
from *@oxapentane.com
user mail@oxapentane.com
passwordeval cat ${config.sops.secrets."mail/oxapentane.com".path}
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log
account grigory@shipunov.xyz
host smtp.migadu.com
port 587
from *@shipunov.xyz
user grigory@shipunov.xyz
passwordeval cat ${config.sops.secrets."mail/shipunov.xyz".path}
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log
account dump@dvb.solutions
host smtp.migadu.com
port 587
from dump@dvb.solutions
user dump@dvb.solutions
passwordeval cat ${config.sops.secrets."mail/dvb.solutions".path}
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log
account grigory@tlm.solutions
host smtp.migadu.com
port 587
from grigory@tlm.solutions
user grigory@tlm.solutions
passwordeval cat ${config.sops.secrets."mail/tlm.solutions".path}
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log
'';
};
systemd.user = {
# Service and timer to sync imap to local maildir
services.mbsync = {
enable = true;
after = [ "graphical.target" "network-online.target" ];
script = ''
${pkgs.isync}/bin/mbsync -q -a --config=${mbsyncConf}
'';
serviceConfig = {
Type = "oneshot";
};
};
timers.mbsync = {
enable = true;
wantedBy = [ "timers.target" ];
timerConfig = {
Unit = "mbsync.service";
OnBootSec = "5m";
OnUnitInactiveSec = "11m";
};
};
# service and timer to flush the msmtp queue
services.flush-msmtpq = {
enable = true;
after = [ "graphical.target" "network-online.target" ];
script = ''
${pkgs.msmtp}/bin/msmtp-queue -r
'';
serviceConfig = {
Type = "oneshot";
};
};
timers.flush-msmtpq = {
enable = true;
wantedBy = [ "timers.target" ];
timerConfig = {
Unit = "flush-msmtpq.service";
OnBootSec = "11m";
OnUnitInactiveSec = "13m";
};
};
};
}

97
modules/mail/mbsyncrc Normal file
View file

@ -0,0 +1,97 @@
IMAPStore mail@oxapentane.com-remote
Host imap.migadu.com
Port 993
User mail@oxapentane.com
PassCmd "cat /run/secrets/mail/oxapentane.com"
AuthMechs LOGIN
SSLType IMAPS
MaildirStore mail@oxapentane.com-local
Subfolders Verbatim
Path /home/grue/mail/mail@oxapentane.com/
Inbox /home/grue/mail/mail@oxapentane.com/INBOX
Channel mail@oxapentane.com
Expunge Both
Master :mail@oxapentane.com-remote:
Slave :mail@oxapentane.com-local:
Create Both
SyncState *
Patterns *
MaxMessages 0
ExpireUnread no
# End profile
IMAPStore grigory@shipunov.xyz-remote
Host imap.migadu.com
Port 993
User grigory@shipunov.xyz
PassCmd "cat /run/secrets/mail/shipunov.xyz"
AuthMechs LOGIN
SSLType IMAPS
MaildirStore grigory@shipunov.xyz-local
Subfolders Verbatim
Path /home/grue/mail/grigory@shipunov.xyz/
Inbox /home/grue/mail/grigory@shipunov.xyz/INBOX
Channel grigory@shipunov.xyz
Expunge Both
Master :grigory@shipunov.xyz-remote:
Slave :grigory@shipunov.xyz-local:
Create Both
SyncState *
Patterns *
MaxMessages 0
ExpireUnread no
# End profile
IMAPStore dump@dvb.solutions-remote
Host imap.migadu.com
Port 993
User dump@dvb.solutions
PassCmd "cat /run/secrets/mail/dvb.solutions"
AuthMechs LOGIN
SSLType IMAPS
MaildirStore dump@dvb.solutions-local
Subfolders Verbatim
Path /home/grue/mail/dump@dvb.solutions/
Inbox /home/grue/mail/dump@dvb.solutions/INBOX
Channel dump@dvb.solutions
Expunge Both
Master :dump@dvb.solutions-remote:
Slave :dump@dvb.solutions-local:
Create Both
SyncState *
Patterns *
MaxMessages 0
ExpireUnread no
# End profile
IMAPStore grigory@tlm.solutions-remote
Host imap.migadu.com
Port 993
User grigory@tlm.solutions
PassCmd "cat /run/secrets/mail/tlm.solutions"
AuthMechs LOGIN
SSLType IMAPS
MaildirStore grigory@tlm.solutions-local
Subfolders Verbatim
Path /home/grue/mail/grigory@tlm.solutions/
Inbox /home/grue/mail/grigory@tlm.solutions/INBOX
Channel grigory@tlm.solutions
Expunge Both
Master :grigory@tlm.solutions-remote:
Slave :grigory@tlm.solutions-local:
Create Both
SyncState *
Patterns *
MaxMessages 0
ExpireUnread no
# End profile

39
modules/radio.nix Normal file
View file

@ -0,0 +1,39 @@
{ lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
gnuradio
gqrx
cubicsdr
sdrangel
multimon-ng
sox
libusb1
rtl-sdr
hackrf
soapyhackrf
sigdigger
suscan
sigutils
];
hardware = {
rtl-sdr.enable = true;
hackrf.enable = true;
};
services.udev.extraRules = ''
# MCH2022 Badge
SUBSYSTEM=="usb", ATTR{idVendor}=="16d0", ATTR{idProduct}=="0f9a", MODE="0666"
#Flipper Zero serial port
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="5740", ATTRS{manufacturer}=="Flipper Devices Inc.", TAG+="uaccess"
#Flipper Zero DFU
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", ATTRS{manufacturer}=="STMicroelectronics", TAG+="uaccess"
#Flipper ESP32s2 BlackMagic
SUBSYSTEMS=="usb", ATTRS{idVendor}=="303a", ATTRS{idProduct}=="40??", ATTRS{manufacturer}=="Flipper Devices Inc.", TAG+="uaccess"
'';
}

17
modules/science.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
(rWrapper.override {
packages = with rPackages; [
ggplot2
swirl
dplyr
data_table
];
})
gnuplot
zotero
python3Full
paraview
];
}

166
modules/sway.nix Normal file
View file

@ -0,0 +1,166 @@
# General Desktop-related config
{ pkgs, ... }:
{
imports = [
./desktop-software.nix
];
environment.systemPackages = with pkgs; [
screen-message
qbittorrent
gajim
imv
swayimg
mpv
evince
brightnessctl
pulsemixer
cmus
termusic
gsettings-desktop-schemas
xdg-utils
nextcloud-client
foot
qt5.qtwayland
bashmount
gnome.nautilus
audacity
];
#on the desktop, we need nice fonts ^^
fonts.fonts = with pkgs; [
monoid
font-awesome
dejavu_fonts
julia-mono
uw-ttyp0
gohufont
spleen
terminus_font
creep
corefonts
dina-font
fira
fira-mono
hack-font
liberation_ttf
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
noto-fonts-extra
proggyfonts
symbola
open-sans
twemoji-color-font
twitter-color-emoji
iosevka
];
fonts.enableDefaultFonts = true;
fonts.fontconfig = {
enable = true;
allowBitmaps = true;
useEmbeddedBitmaps = true;
defaultFonts.emoji = [
"Noto Color Emoji"
"Twitter Color Emoji"
];
};
# Enable sound.
security.rtkit.enable = true;
services.avahi = {
enable = true;
nssmdns = true;
};
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
};
hardware.pulseaudio.zeroconf.discovery.enable = true;
hardware.bluetooth = {
enable = true;
package = pkgs.bluez;
};
programs.zsh.vteIntegration = true;
programs.bash.vteIntegration = true;
services.upower.enable = true;
services.acpid.enable = true;
programs.light.enable = true;
services.blueman.enable = true;
programs.xwayland.enable = true;
programs.sway = {
enable = true;
wrapperFeatures.gtk = true;
extraSessionCommands = ''
export SDL_VIDEODRIVER=wayland
export QT_QPA_PLATFORM=wayland-egl
export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
export QT_QPA_PLATFORMTHEME="gnome"
export QT_STYLE_OVERRIDE="adwaita-dark"
'';
extraPackages = with pkgs; [
alacritty
pamixer
swaylock
graphicsmagick
swayidle
wl-clipboard
mako
foot
rofi-wayland
grim
slurp
gnome.adwaita-icon-theme
i3status-rust
kanshi
wl-mirror
gammastep
];
};
environment.sessionVariables = { GTK_THEME = "Adwaita:dark"; };
xdg.portal = {
enable = true;
wlr.enable = true;
extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
};
services.udisks2.enable = true;
environment.shellAliases = {
# mounting shit
mnt = "udisksctl mount -b";
umnt = "udisksctl unmount -b";
unlock = "udisksctl unlock -b";
lock = "udisksctl lock -b";
# easier navigation
pwc = "pwd|wl-copy";
cdp = "cd $(wl-paste)";
};
qt = {
enable = true;
platformTheme = "gnome";
style = "adwaita-dark";
};
services.gnome.gnome-keyring.enable = true;
security.pam.services.greetd.enableGnomeKeyring = true;
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --greeting \"$(${pkgs.fortune}/bin/fortune -s)\" --cmd ${pkgs.sway}/bin/sway";
};
};
};
programs.gnupg.agent.pinentryFlavor = "curses";
}

14
modules/tlp.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, pkgs, ... }:
{
powerManagement.cpuFreqGovernor = null;
services.power-profiles-daemon.enable = false;
services.tlp = {
enable = true;
settings = {
USB_BLACKLIST = "1d50:604b 1d50:6089 1d50:cc15 1fc9:000c";
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
};
};
}

22
modules/vscode.nix Normal file
View file

@ -0,0 +1,22 @@
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [
(vscode-with-extensions.override {
vscodeExtensions = with vscode-extensions; [
bbenoist.nix
ms-python.python
ms-vscode-remote.remote-ssh
rust-lang.rust-analyzer
vscodevim.vim
james-yu.latex-workshop
ms-toolsai.jupyter
] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
{
name = "remote-ssh-edit";
publisher = "ms-vscode-remote";
version = "0.86.0";
sha256 = "sha256-JsbaoIekUo2nKCu+fNbGlh5d1Tt/QJGUuXUGP04TsDI=";
}
];
})
];
}

75
pkgs/imhex.nix Normal file
View file

@ -0,0 +1,75 @@
{ gcc12Stdenv
, lib
, cmake
, ccache
, glfw
, glm
, magic-vlsi
, mbedtls
, freetype
, dbus
, capstone
, openssl
, pkg-config
, lld
, libGL
, wrapQtAppsHook
, fetchFromGitHub
}:
gcc12Stdenv.mkDerivation rec {
pname = "imhex";
version = "1.26.2";
src = fetchFromGitHub {
owner = "WerWolv";
repo = "ImHex";
rev = "v${version}";
fetchSubmodules = true;
sha256 = "sha256-H2bnRByCUAltngmVWgPW4vW8k5AWecOAzwtBKsjbpTw=";
};
nativeBuildInputs = [
cmake
pkg-config
lld
];
cmakeFlags = [
"-DCMAKE_BUILD_TYPE=Release"
# "-DCMAKE_INSTALL_PREFIX="/usr""
"-DCMAKE_C_COMPILER_LAUNCHER=ccache"
"-DCMAKE_CXX_COMPILER_LAUNCHER=ccache"
"-DCMAKE_C_FLAGS=-fuse-ld=lld"
"-DCMAKE_CXX_FLAGS=-fuse-ld=lld"
"-DCMAKE_OBJC_COMPILER_LAUNCHER=ccache"
"-DCMAKE_OBJCXX_COMPILER_LAUNCHER=ccache"
# looks like the cmake here tries to be "helpful"...
"-DFREETYPE_LIBRARY=${freetype.dev}"
"-DFREETYPE_INCLUDE_DIRS=${freetype.dev}"
"-DOPENGL_opengl_LIBRARY=${libGL.dev}"
"-DOPENGL_glx_LIBRARY=${libGL.dev}"
"-DOPENGL_INCLUDE_DIR=${libGL.dev}"
"-DMBEDTLS_LIBRARY=${mbedtls}"
"-DMBEDTLS_INCLUDE_DIRS=${mbedtls}"
"-DMBEDX509_LIBRARY=${mbedtls}"
"-DMBEDCRYPTO_LIBRARY=${mbedtls}"
"-DCMAKE_PREFIX_PATH=${glfw}"
"-DCMAKE_LIBRARY_PATH=${magic-vlsi}"
"-DCMAKE_PREFIX_PATH=${dbus.dev}"
];
BuildInputs = [
ccache
glfw
glm
magic-vlsi
mbedtls
freetype
dbus
openssl
capstone
libGL
];
}

24
pkgs/slick.nix Normal file
View file

@ -0,0 +1,24 @@
{ stdenv, lib, openssl, pkgconfig, fetchFromGitHub, rustPlatform }:
rustPlatform.buildRustPackage rec {
pname = "slick";
version = "0.10.0";
src = fetchFromGitHub {
owner = "nbari";
repo = pname;
rev = version;
sha256 = "sha256-GM9OHnySc3RVkfaK7yMf1LqpGdz3emq2H/3tSAph4jw=";
};
buildInputs = [ openssl pkgconfig ];
nativeBuildInputs = [ pkgconfig ];
cargoSha256 = "sha256-2WxFprq+AcXGXDMjMQvqKTkeWQEWM/z2Fz6qYPtSFGw=";
meta = with lib; {
description = "Async ZSH prompt";
homepage = "https://github.com/nbari/slick";
license = licenses.bsd3;
};
}

52
secrets/toaster/secrets.yaml Normal file
View file

@ -0,0 +1,52 @@
wg:
mullvad: ENC[AES256_GCM,data:9wgZKgcVGBIkNrfeurwDOCWLE6t2z7bN5KaUAeiRAcGRKO5uAkVCp0kpWZc=,iv:c1XM8GXEeAuDM47pTA5Pa6lPCI0fwau1uZdSaDcBykI=,tag:pSjmhHw7mt7hGTLpXFPsHQ==,type:str]
zw: ENC[AES256_GCM,data:CXrLvV+b9DUfmr+CwH8dBTHvDHtgVmiF9g+QpzFqMcc91yQDzQqT1d4AQSk=,iv:Wdj11qlGWGm2XSieFZ4csqdIyR0epzPCkeWyUUmjJbk=,tag:UO07WUwr138B5TtMGujvew==,type:str]
oxalab: ENC[AES256_GCM,data:YRN3fSzukqgDK3Bf5O7I8U3QmJAINCsjSseOZfzM/4xGXfGbBNeH3UmD0PI=,iv:U3kXH1HdT4OWcFZ+40a5W+jQ1hdS4UYYXxxyy+SqHEU=,tag:w65VyfylSKnM7c50BRCVgQ==,type:str]
dvb: ENC[AES256_GCM,data:1+IM6ORPtlIroeekaJSkOwYArh0fN6ycJNaXo680pE2Xv4DUBrIlh8q3V2A=,iv:btf3IpM4Wntkf3RYPwUdhH+4WUUqZp0zYp0aj2sdGM0=,tag:MDvS4CWYQLdp2YGs3/5Htw==,type:str]
mail:
oxapentane.com: ENC[AES256_GCM,data:HW1xcclr5CiUFVF8As79ZZH1c14sl4T0l18=,iv:leAVYaQkMuJewkCZc3fTUUNzZ9BDjV5CuT84bzvhrrs=,tag:Mm8OB8gLbmUwKSLugTR6GA==,type:str]
shipunov.xyz: ENC[AES256_GCM,data:cg+P+FrZ2icjfhwDGKGyUH9DejSZHpNs2bcSBPyz8g==,iv:XZFaSXnGmTL9j2sEyt5Q7+pe6rr+WA/0UGq/2Gl5DTI=,tag:oq+5EuJWJKwK3h0/e6Uozw==,type:str]
dvb.solutions: ENC[AES256_GCM,data:GSjPIPA5TGMWfhdRzTsiHPfXFVGLVSpJvJG+I++i,iv:EBlk00wqADCuYTzuVcuX9kSn6TVBfN12UlcXyps6TtE=,tag:G7rKTngN4v2FtuhQEMdUQQ==,type:str]
tlm.solutions: ENC[AES256_GCM,data:ncTMh/jw+YmcmcVU/c1I36vV1CwtmtYwfyDUx9w9,iv:vPnmdvDnEJ9FF4rDkSfPnLWebleSgI/yG7qOgJfq5ic=,tag:z4w4LOGf2v0TBSxrHULBsw==,type:str]
irc:
senpai: ENC[AES256_GCM,data:PvvYDSbmjeS2EUV8Jw2YVvFTBu/0fhuHFXXkkTUq,iv:e8toiG9ldrTfJc3ZrMO3qfSxmefiFgrD/o2x3EP3uis=,tag:QVdTuAEVFR6zoebJxeLyTw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1qyj95tsntreefqeetawqy5pf26456s9c0v3tzz8yzs706c0jsg6qv56jzk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVmx5T0ROT1ZPZ2JmUHhn
bWZ3UlZvQTR1Y0VOSXJsSy9makswR1VTSDBZCjZmOVZQdkF3b0tkWmo2aGcrOWZs
ZDBwRVFSK3BTdVlpWUpNVW5qWWFVZjQKLS0tIFJOdWxOSGR2SXdlWXBDTkMvUDlG
T3F6NXpBbEFxemVzM0lxbEdKMlVzYlEK9YPSglPYmsk3fH7qduK/FVFIWnHaQ6O1
ZJsgmz/5H7TPbSoy6mfyROQY+b7amJDSAAqhLazKYI22yP3Gnkmmbg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-09T19:44:17Z"
mac: ENC[AES256_GCM,data:zOB88rp+cjB+RFOrAnvdNEkKxYRKidmQOBwXI+cOwAfl/FBvGt68u08PjLEEABZvfrehLPgHQL9pnmTAuu6k49CezWCW/23F9GkswZlxji1qS40jl9XgeV7WfluWke78a9FW9MuAP2CpB5tZcAIcO6Q6Ngk1NVDBYX2R7D0fAeI=,iv:ETarRq0uwU3Kuoxf8lLgcLWm7MivFQ3W1EKIKFCho/s=,tag:V00p6PknQoV1t1R7UoiZOA==,type:str]
pgp:
- created_at: "2023-01-09T22:45:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA7zUOKwzpAE7AQ//SREB1bVNjocJIdu1OsRi/98r/Sq66jvfvv9qN4iarhX6
nULcylhQgxMAEaY2af1aWfzH8aVOQFfFWQaFLNCs44TkSa9MCPxPrqRI4qCPl9os
V6l9IVOhmv/HIDlHvTOfsFYZjE9LOtA5y3VrQqLBG4zjpTczcQxlrHgeSZyDrS9i
eqTiVVwdiZurFUMoety63S82u62YjtEwgHbFYdKnodEPygZvU5LFftmTRdDRNCII
i6tJRe70HTg2gNBxQEwh/DTcyQBaUkermhDaok0ABW6BFfrwzaxaUXexqFAqk7XK
fpWNGUX4w8ExtZ6XH/6vlu17yhej4VP9EuHzlZTPPjBPRcdPXETo3QShB+tH4hvw
aPgOfJaneVM+MpwgVW66qWmQt7NpaHLRo2tjvZnvuVXlg/AnuphaXpfafRja2DEj
hMH+FAIiQr5tFLf9ur8VltdeOsjWj7NbfWYEGm9UW0eHC5r/NuEZiQVt7BKWPU70
DcZdN9f3Scs9mpNuD/CGhf4Oj4L0tkgt/x2mirkSQcB0lui8s1/joCCV/7cZ30jB
/FHATHlo6RW1S8uGVcb1dkfsv4ki+4bvh1ZxZRuQg9rNlPWyHEIG6VJSMmgC7e9Y
P1NS/WF35BybvXFR3UVJca9qciRvPzcRo/4sEJtuPbwXpAqHR4OavHJhmb4ZDYfS
UQE6svFmutqwRPC2WSk0Knxh5o/bUYrliT6FU01xwkkIo5SgahDe0XJeXS3poQEs
htM7FZ7w0PjcRa66cul5j5FjDI4R7ZcFupv6RF84ImP5hw==
=3z9H
-----END PGP MESSAGE-----
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
unencrypted_suffix: _unencrypted
version: 3.7.3