delete legacy stuff and reformat

Grisha Shipunov 2025-01-11 03:55:19 +01:00
parent 595d4935de
commit 62e2519639
51 changed files with 714 additions and 1056 deletions


@ -32,42 +32,43 @@
};
outputs =
inputs@{ self
, flake-utils
, lanzaboote
, microvm
, nixos-hardware
, nixpkgs-stable
, nixpkgs-unstable
, sops-nix
, ...
}:
inputs@{
self,
flake-utils,
lanzaboote,
microvm,
nixos-hardware,
nixpkgs-stable,
nixpkgs-unstable,
sops-nix,
...
}:
{
nixosConfigurations = {
toaster = nixpkgs-unstable.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
sops-nix.nixosModules.sops
lanzaboote.nixosModules.lanzaboote
nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen3
{
nixosConfigurations = {
toaster = nixpkgs-unstable.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [
sops-nix.nixosModules.sops
lanzaboote.nixosModules.lanzaboote
nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen3
./hosts/toaster
./hosts/toaster
./modules/basic-tools
./modules/binary-caches.nix
./modules/devtools.nix
./modules/gnome.nix
./modules/gnupg.nix
./modules/radio.nix
./modules/science.nix
./modules/tlp.nix
./modules/virtualization.nix
./hosts/toaster/secure-boot.nix
./modules/chromium.nix
./modules/mail
./modules/wg
./modules/basic-tools
./modules/binary-caches.nix
./modules/devtools.nix
./modules/gnome.nix
./modules/gnupg.nix
./modules/radio.nix
./modules/science.nix
./modules/tlp.nix
./modules/virtualization.nix
./hosts/toaster/secure-boot.nix
./modules/chromium.nix
./modules/mail
./modules/wg
];
};
cloud = nixpkgs-stable.lib.nixosSystem {
@ -100,8 +101,12 @@
};
hydraJobs =
let
get-toplevel = (host: nixSystem: nixSystem.config.microvm.declaredRunner or nixSystem.config.system.build.toplevel);
get-toplevel = (
host: nixSystem: nixSystem.config.microvm.declaredRunner or nixSystem.config.system.build.toplevel
);
in
nixpkgs-stable.lib.mapAttrs get-toplevel self.nixosConfigurations;
};
}
formatter.x86_64-linux = nixpkgs-stable.legacyPackages.x86_64-linux.nixfmt-rfc-style;
};
}
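Review bot: `microvm` is still declared as a flake input, and `get-toplevel` still prefers `nixSystem.config.microvm.declaredRunner`, while this commit deletes the microvm-based hosts; if no remaining host uses it, the input should go too, since an unused input is still fetched, locked and trusted as part of the closure. The `host` parameter of `get-toplevel` is never used; `_host: nixSystem:` would document that. I cannot see the `cloud` host definition or the other hosts from here, so confirm nothing else references microvm before dropping it.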


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
imports = [
./hardware-configuration.nix
./networking.nix
@ -9,6 +10,8 @@
networking.hostName = "cloud";
networking.domain = "oxapentane.com";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK'' ];
users.users.root.openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK''
];
system.stateVersion = "24.11";
}
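Review bot: `services.openssh.enable = true;` keeps sshd's NixOS defaults, so password and keyboard-interactive authentication remain enabled next to the root authorized key on the following line, and the networking section of this commit gives this host a public address. `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` would restrict logins to keys; root key-only login is already the default and needs no change. This is hardening the reformat does not touch, not a regression introduced here.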


@ -1,5 +1,6 @@
{ ... }: {
imports= [
{ ... }:
{
imports = [
./configuration.nix
./hardware-configuration.nix
./networking.nix


@ -2,8 +2,16 @@
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
"vmw_pvscsi"
];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
}


@ -1,11 +1,12 @@
{ lib, ... }: {
{ lib, ... }:
{
networking.dhcpcd.enable = false;
networking.useNetworkd = true;
systemd.network.enable = true;
systemd.network = {
networks."30-uplink" = {
matchConfig.Name="enp1s0";
matchConfig.Name = "enp1s0";
networkConfig = {
Address = [
"188.245.196.27/32"


@ -2,23 +2,26 @@
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Enable the X11 windowing system.
services.xserver.enable = false;
system.stateVersion = "24.11"; # Did you read the comment?
}
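Review bot: the generated comment `# Enable the X11 windowing system.` now sits directly above `services.xserver.enable = false;`, so it states the opposite of what the line does. Replacing it with `# No X11 on this host.` or dropping it would stop the next reader from assuming X is enabled here.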


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
imports = [
./configuration.nix
./hardware-configuration.nix


@ -1,59 +1,76 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "zpool/nixos/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/" = {
device = "zpool/nixos/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
fileSystems."/nix" =
{ device = "zpool/nixos/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix" = {
device = "zpool/nixos/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" =
{ device = "zpool/data/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" = {
device = "zpool/data/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" =
{ device = "zpool/data/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" = {
device = "zpool/data/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var/lib" =
{ device = "zpool/data/var/lib";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var/lib" = {
device = "zpool/data/var/lib";
fsType = "zfs";
options = [ "zfsutil" ];
};
swapDevices =
[ {
swapDevices = [
{
device = "/dev/disk/by-partuuid/7e7d0e0b-90b7-465c-a022-089b38e0f16d";
randomEncryption = true;
} ];
}
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
networking.hostName = "minime"; # Define your hostname.
networking.useNetworkd = true;
networking.firewall.enable = true;


@ -1,4 +1,10 @@
{ pkgs, lib, config, ... }: {
{
pkgs,
lib,
config,
...
}:
{
services.fstrim.enable = true;
services.zfs = {
autoSnapshot.enable = true;
@ -12,19 +18,21 @@
};
networking.hostId = "41ba28ff";
boot = {
kernelPackages = let
zfsCompatibleKernelPackages = lib.filterAttrs (
name: kernelPackages:
(builtins.match "linux_[0-9]+_[0-9]+" name) != null
&& (builtins.tryEval kernelPackages).success
&& (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken)
kernelPackages =
let
zfsCompatibleKernelPackages = lib.filterAttrs (
name: kernelPackages:
(builtins.match "linux_[0-9]+_[0-9]+" name) != null
&& (builtins.tryEval kernelPackages).success
&& (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken)
) pkgs.linuxKernel.packages;
latestKernelPackage = lib.last (
lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) (
builtins.attrValues zfsCompatibleKernelPackages
)
);
in latestKernelPackage;
)
);
in
latestKernelPackage;
supportedFilesystems = [ "zfs" ];
kernelParams = [ "nohibernate" ];
plymouth.enable = false;
@ -38,14 +46,24 @@
enable = true;
port = 2222;
hostKeys = [ /etc/secrets/initrd/ssh_host_rsa_key ];
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK 0xa@toaster 2024-12-31" ];
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK 0xa@toaster 2024-12-31"
];
};
postCommands = ''
zpool import -a
echo "zfs load-key -a; killall zfs" >> /root/.profile
zpool import -a
echo "zfs load-key -a; killall zfs" >> /root/.profile
'';
};
# support for network
boot.initrd.kernelModules = [ "igc" "i40e" "mt7921e" ];
boot.kernelModules = [ "igc" "i40e" "mt7921e" ];
boot.initrd.kernelModules = [
"igc"
"i40e"
"mt7921e"
];
boot.kernelModules = [
"igc"
"i40e"
"mt7921e"
];
}


@ -1,4 +1,5 @@
{ pkgs, config, ... }: {
{ pkgs, config, ... }:
{
boot.initrd.kernelModules = [ "amdgpu" ];
boot.kernelParams = [
@ -6,14 +7,14 @@
"amd_pstate=active"
];
# hardware.graphics = {
# extraPackages = with pkgs; [
# rocm-opencl-icd
# rocm-opencl-runtime
# amdvlk
# ];
# extraPackages32 = with pkgs; [
# driversi686Linux.amdvlk
# ];
# };
# hardware.graphics = {
# extraPackages = with pkgs; [
# rocm-opencl-icd
# rocm-opencl-runtime
# amdvlk
# ];
# extraPackages32 = with pkgs; [
# driversi686Linux.amdvlk
# ];
# };
}


@ -1,4 +1,5 @@
{ pkgs, ... }: {
{ pkgs, ... }:
{
imports = [
./amd.nix
./hardware-configuration.nix


@ -1,54 +1,70 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.zfs.extraPools = [ "zpool" ];
fileSystems."/" = {
device = "zpool/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix" = {
device = "zpool/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" = {
device = "zpool/data/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" = {
device = "zpool/data/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/A170-F83D";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.zfs.extraPools = [ "zpool" ];
fileSystems."/" =
{ device = "zpool/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix" =
{ device = "zpool/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" =
{ device = "zpool/data/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" =
{ device = "zpool/data/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A170-F83D";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-partuuid/037518f2-9fa0-44f0-9550-745e27bf1c1f";
randomEncryption = true;}
];
swapDevices = [
{
device = "/dev/disk/by-partuuid/037518f2-9fa0-44f0-9550-745e27bf1c1f";
randomEncryption = true;
}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,4 +1,5 @@
{ config, pkgs, ... }: {
{ config, pkgs, ... }:
{
environment.systemPackages = [ pkgs.senpai ];
sops.secrets = {


@ -1,4 +1,5 @@
{ lib, config, ... }: {
{ lib, config, ... }:
{
imports = [
./mullvad.nix
./dumpdvb.nix
@ -8,32 +9,34 @@
# Networkmanager shouldn't interfere with systemd managed interfaces
networking.networkmanager.unmanaged =
let
systemd_netdevs = lib.attrsets.attrValues (lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs);
systemd_netdevs = lib.attrsets.attrValues (
lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs
);
in
systemd_netdevs;
systemd.network = {
enable = true;
wait-online.enable = false; # uplink is managed by networkmanager
};
systemd.network = {
enable = true;
wait-online.enable = false; # uplink is managed by networkmanager
};
users.users."0xa".extraGroups = [ "networkmanager" ];
users.users."0xa".extraGroups = [ "networkmanager" ];
networking = {
hostName = "toaster";
firewall.enable = true;
wireguard.enable = true;
};
networking = {
hostName = "toaster";
firewall.enable = true;
wireguard.enable = true;
};
services.resolved = {
enable = true;
dnssec = "false";
fallbackDns = [
"9.9.9.9"
"2620:fe::fe"
"149.112.112.112"
"2620:fe::9"
];
};
services.resolved = {
enable = true;
dnssec = "false";
fallbackDns = [
"9.9.9.9"
"2620:fe::fe"
"149.112.112.112"
"2620:fe::9"
];
};
}
}


@ -1,4 +1,5 @@
{ config, ... }: {
{ config, ... }:
{
systemd.network = {
# Wireguard
# Dump-dvb
@ -27,7 +28,10 @@
IPv6AcceptRA = true;
};
routes = [
{ Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; }
{
Gateway = "10.13.37.1";
Destination = "10.13.37.0/24";
}
];
};
};


@ -1,10 +1,14 @@
{ config, lib, ... }: {
{ config, lib, ... }:
{
systemd.network =
let
pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";
pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";
endpoint = "169.150.196.15";
port = "51820";
addr = [ "10.74.16.48/32" "fc00:bbbb:bbbb:bb01::b:102f/128" ];
addr = [
"10.74.16.48/32"
"fc00:bbbb:bbbb:bb01::b:102f/128"
];
in
{
netdevs."10-wg-mullvad" = {
@ -21,7 +25,10 @@
{
PublicKey = pubkey;
Endpoint = "${endpoint}:${port}";
AllowedIPs = [ "0.0.0.0/0" "::0/0" ];
AllowedIPs = [
"0.0.0.0/0"
"::0/0"
];
}
];
};
@ -33,44 +40,52 @@
DNSDefaultRoute = true;
Domains = [ "~." ];
};
routes = map
(gate: {
Gateway = gate;
Table = 1000;
}) [
"0.0.0.0"
"::"
];
routes =
map
(gate: {
Gateway = gate;
Table = 1000;
})
[
"0.0.0.0"
"::"
];
routingPolicyRules = [ {
Family = "both";
FirewallMark = 34952; # 0x8888
InvertRule = true;
Table = "1000";
Priority = 100;
}
{
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 90;
} ] ++ map (net: {
# only route global addresses over VPN
Priority = 80;
To = net;
}) [
# Mullvad endpoint
"${endpoint}/32"
# "10.0.0.0/8"
"10.13.37.0/24"
# 0xa-mgmt
"10.89.87.0/24"
# "172.16.0.0/12"
"172.16.0.0/12"
# "182.168.0.0/16"
"182.168.0.0/16"
# "fc00::/7"
];
routingPolicyRules =
[
{
Family = "both";
FirewallMark = 34952; # 0x8888
InvertRule = true;
Table = "1000";
Priority = 100;
}
{
Family = "both";
SuppressPrefixLength = 0;
Table = "main";
Priority = 90;
}
]
++ map
(net: {
# only route global addresses over VPN
Priority = 80;
To = net;
})
[
# Mullvad endpoint
"${endpoint}/32"
# "10.0.0.0/8"
"10.13.37.0/24"
# 0xa-mgmt
"10.89.87.0/24"
# "172.16.0.0/12"
"172.16.0.0/12"
# "182.168.0.0/16"
"182.168.0.0/16"
# "fc00::/7"
];
};
};
};
}
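Review bot: `"182.168.0.0/16"` in the VPN-bypass rules (and the comment above it repeating the same value) looks like a typo for the RFC 1918 range `192.168.0.0/16`; as written, a public /16 is routed around the Mullvad tunnel while real 192.168/16 destinations that are not directly connected still go through it. The other entries are the endpoint and private ranges, so the intent seems clear, but confirm before changing it to `"192.168.0.0/16"`. The commented-out duplicates such as `# "172.16.0.0/12"` above the live entry add nothing; a short comment naming why each range bypasses the VPN would be more useful.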


@ -1,56 +1,61 @@
{ config, ... }: {
# zentralwerk
systemd.network = {
netdevs."10-wg-zentralwerk" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-zentralwerk";
Description = "Tunnel to the best basement in Dresden";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/zw".path;
RouteTable = "off";
};
wireguardPeers = [
{
PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
Endpoint = "81.201.149.152:1337";
AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" "172.22.99.0/24" ];
PersistentKeepalive = 25;
}
];
{ config, ... }:
{
# zentralwerk
systemd.network = {
netdevs."10-wg-zentralwerk" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg-zentralwerk";
Description = "Tunnel to the best basement in Dresden";
};
networks."10-wg-zentralwerk" = {
matchConfig.Name = "wg-zentralwerk";
networkConfig = {
Address = "172.20.76.226/21";
IPv6AcceptRA = true;
DNS = "172.20.73.8";
Domains = [
"~hq.c3d2.de"
"~serv.zentralwerk.org"
"~hq.zentralwerk.org"
"~cluster.zentralwerk.org"
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/zw".path;
RouteTable = "off";
};
wireguardPeers = [
{
PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
Endpoint = "81.201.149.152:1337";
AllowedIPs = [
"172.20.72.0/21"
"172.22.90.0/24"
"172.22.99.0/24"
];
};
routes = [
{
Gateway = "172.20.76.225";
Destination = "172.20.72.0/21";
Metric = 1023;
}
{
Gateway = "172.20.76.225";
Destination = "172.20.90.0/24";
Metric = 1023;
}
{
Gateway = "172.20.76.225";
Destination = "172.22.99.0/24";
Metric = 1023;
}
PersistentKeepalive = 25;
}
];
};
networks."10-wg-zentralwerk" = {
matchConfig.Name = "wg-zentralwerk";
networkConfig = {
Address = "172.20.76.226/21";
IPv6AcceptRA = true;
DNS = "172.20.73.8";
Domains = [
"~hq.c3d2.de"
"~serv.zentralwerk.org"
"~hq.zentralwerk.org"
"~cluster.zentralwerk.org"
];
};
routes = [
{
Gateway = "172.20.76.225";
Destination = "172.20.72.0/21";
Metric = 1023;
}
{
Gateway = "172.20.76.225";
Destination = "172.20.90.0/24";
Metric = 1023;
}
{
Gateway = "172.20.76.225";
Destination = "172.22.99.0/24";
Metric = 1023;
}
];
};
}
};
}
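Review bot: the routes list sends `Destination = "172.20.90.0/24"` into wg-zentralwerk, but the peer's `AllowedIPs` lists `"172.22.90.0/24"` instead, and 172.20.90.0/24 is outside `172.20.72.0/21`, so packets to the routed prefix have no peer with a matching AllowedIP and the allowed prefix has no route. One of the two is probably a typo; aligning the route to `Destination = "172.22.90.0/24";` matches the AllowedIPs and the neighbouring `172.22.99.0/24` entry. Confirm against the actual zentralwerk address plan before changing it.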


@ -1,4 +1,5 @@
{ pkgs, lib, ... }: {
{ pkgs, lib, ... }:
{
boot = {
bootspec.enable = true;
loader.systemd-boot.enable = lib.mkForce false;


@ -1,4 +1,10 @@
{ pkgs, lib, config, ... }: {
{
pkgs,
lib,
config,
...
}:
{
services.fstrim.enable = true;
services.zfs = {
autoSnapshot.enable = true;
@ -10,19 +16,21 @@
};
networking.hostId = "dca22577";
boot = {
kernelPackages = let
zfsCompatibleKernelPackages = lib.filterAttrs (
name: kernelPackages:
(builtins.match "linux_[0-9]+_[0-9]+" name) != null
&& (builtins.tryEval kernelPackages).success
&& (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken)
) pkgs.linuxKernel.packages;
latestKernelPackage = lib.last (
lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) (
builtins.attrValues zfsCompatibleKernelPackages
)
);
in latestKernelPackage;
kernelPackages =
let
zfsCompatibleKernelPackages = lib.filterAttrs (
name: kernelPackages:
(builtins.match "linux_[0-9]+_[0-9]+" name) != null
&& (builtins.tryEval kernelPackages).success
&& (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken)
) pkgs.linuxKernel.packages;
latestKernelPackage = lib.last (
lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) (
builtins.attrValues zfsCompatibleKernelPackages
)
);
in
latestKernelPackage;
supportedFilesystems = [ "zfs" ];
kernelParams = [ "nohibernate" ];
plymouth.enable = false;


@ -1 +0,0 @@
{ config, pkgs, lib, ... }: { }


@ -1,40 +0,0 @@
{ pkgs, lib, config, ... }: {
imports = [
./navidrome.nix
./oxaproxy.nix
./upload-user.nix
];
microvm = {
hypervisor = "qemu";
mem = 4 * 1024;
vcpu = 3;
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}] ++ map
(dir: {
source = "/var/lib/microvms/${config.networking.hostName}/${dir}";
mountPoint = "/${dir}";
tag = dir;
proto = "virtiofs";
socket = "${dir}.socket";
}) [ "etc" "var" "home" ];
interfaces = [{
type = "tap";
id = "vm-music";
mac = "02:00:00:00:00:01";
}];
};
networking = {
hostName = "music";
};
system.stateVersion = "22.11";
}


@ -1,16 +0,0 @@
{ config, ... }: {
networking.firewall.interfaces.oxaproxy.allowedTCPPorts = [ 4533 ];
services.navidrome = {
enable = true;
settings = {
Address = "10.34.45.101";
BaseUrl = "/";
EnableExternalServices = false;
MusicFolder = "/var/lib/music";
Port = 4533;
ScanSchedule = "@every 11m";
TranscondigCacheSize = "5GiB";
ReverseProxyWhitelist = "10.34.45.1/24";
};
};
}


@ -1,68 +0,0 @@
{ config, ... }: {
networking.wireguard.enable = true;
networking.useNetworkd = true;
#oxaproxy secret
sops.defaultSopsFile = ../../secrets/music/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets."wg/oxaproxy-seckey" = {
owner = config.users.users.systemd-network.name;
};
systemd.network = {
enable = true;
netdevs."10-oxaproxy" = {
netdevConfig = {
Kind = "wireguard";
Name = "oxaproxy";
Description = "oxa's enterprise reverse-proxy network";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path;
#own pubkey: vQNkp51S9qLsu97dLPj0/EqFwvVtRFZpMHufgKhxum0=
};
wireguardPeers = [
{
# cirrus
wireguardPeerConfig = {
PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=";
AllowedIPs = [ "10.34.45.0/24" ];
Endpoint = [ "95.216.166.21:51821" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-oxaproxy" = {
matchConfig.Name = "oxaproxy";
networkConfig = {
Address = "10.34.45.101/24";
};
};
networks."111-host" = {
matchConfig.MACAddress = "02:00:00:00:00:01";
networkConfig = {
Address = "10.99.99.101/24";
};
routes = [
{
routeConfig = {
Gateway = "10.99.99.1";
Destination = "0.0.0.0/0";
Metric = 1024;
};
}
{
routeConfig = {
Gateway = "10.99.99.1";
Destination = "10.99.99.0/24";
Metric = 1024;
};
}
];
};
};
}


@ -1,21 +0,0 @@
{ config, ... }: {
security.sudo.wheelNeedsPassword = false;
users.users.caretaker = {
isNormalUser = true;
home = "/home/caretaker";
createHome = true;
extraGroups = [
"wheel"
"navidrome"
];
openssh.authorizedKeys.keys = [
# melo
"ssh-rsa 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 mel@umbreon"
# revol-xut
"ssh-rsa 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 revo-xut@plank"
# 0xa gpg
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHv82n6F6kwJ3/EMYlOoCc1/NaYFW7QHC5F8jKVzdlio gshipunov@toaster"
];
};
}


@ -1,39 +0,0 @@
{ config, ... }: {
imports = [
./miniflux.nix
./oxaproxy.nix
];
microvm = {
hypervisor = "qemu";
mem = 1 * 1024;
vcpu = 1;
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}] ++ map
(dir: {
source = "/var/lib/microvms/${config.networking.hostName}/${dir}";
mountPoint = "/${dir}";
tag = dir;
proto = "virtiofs";
socket = "${dir}.socket";
}) [ "etc" "var" "home" ];
interfaces = [{
type = "tap";
id = "vm-news";
mac = "02:00:00:00:00:02";
}];
};
networking = {
hostName = "news";
};
system.stateVersion = "22.11";
}


@ -1,18 +0,0 @@
{ config, ... }:
let
listenport = 8080;
in
{
sops.secrets."miniflux-admin" = { };
networking.firewall.interfaces.oxaproxy.allowedTCPPorts = [ listenport ];
services.miniflux = {
enable = true;
config = {
LISTEN_ADDR = "10.34.45.102:${toString listenport}";
POLLING_FREQUENCY = "37";
CREATE_ADMIN = "1";
};
adminCredentialsFile = config.sops.secrets."miniflux-admin".path;
};
}


@ -1,68 +0,0 @@
{ config, ... }: {
networking.wireguard.enable = true;
networking.useNetworkd = true;
#oxaproxy secret
sops.defaultSopsFile = ../../secrets/news/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets."oxaproxy-seckey" = {
owner = config.users.users.systemd-network.name;
};
systemd.network = {
enable = true;
netdevs."10-oxaproxy" = {
netdevConfig = {
Kind = "wireguard";
Name = "oxaproxy";
Description = "oxa's enterprise reverse-proxy network";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."oxaproxy-seckey".path;
#own pubkey: guzNmsPcQw4EGSLU3X0SP+WPKAcoMc+xv9SLWdHV1V0=
};
wireguardPeers = [
{
# cirrus
wireguardPeerConfig = {
PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=";
AllowedIPs = [ "10.34.45.0/24" ];
Endpoint = [ "95.216.166.21:51821" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-oxaproxy" = {
matchConfig.Name = "oxaproxy";
networkConfig = {
Address = "10.34.45.102/24";
};
};
networks."111-host" = {
matchConfig.MACAddress = (builtins.elemAt config.microvm.interfaces 0).mac;
networkConfig = {
Address = "10.99.99.102/24";
};
routes = [
{
routeConfig = {
Gateway = "10.99.99.1";
Destination = "0.0.0.0/0";
Metric = 1024;
};
}
{
routeConfig = {
Gateway = "10.99.99.1";
Destination = "10.99.99.0/24";
Metric = 1024;
};
}
];
};
};
}


@ -1,115 +0,0 @@
{ config, pkgs, ... }: {
imports = [
./oxaproxy.nix
./secrets.nix
];
# nextcloud goes here
networking.firewall.interfaces.oxaproxy.allowedTCPPorts = [ 8080 ];
services.postgresql = {
enable = true;
package = pkgs.postgresql_14;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}];
};
services.redis.servers.nextcloud.enable = true;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."nc.oxapentane.com" = {
extraConfig = ''
# HTTP response headers borrowed from Nextcloud .htaccess
add_header Referrer-Policy "no-referrer" always;
#add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
#add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
'';
listen = [{
# We are listening on wireguard interface only
addr = "10.34.45.100";
port = 8080;
ssl = false;
}];
};
};
services.nextcloud = {
enable = true;
hostName = "nc.oxapentane.com";
home = "/var/lib/nextcloud-oxa";
package = pkgs.nextcloud28;
maxUploadSize = "5000M";
caching.redis = true;
autoUpdateApps = {
enable = true;
startAt = "07:00:00";
};
config = {
overwriteProtocol = "https";
trustedProxies = [ "10.34.45.1" ];
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "admin";
adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
};
};
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
microvm = {
hypervisor = "qemu";
mem = 4 * 1024;
vcpu = 3;
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}] ++ map
(dir: {
source = "/var/lib/microvms/${config.networking.hostName}/${dir}";
mountPoint = "/${dir}";
tag = dir;
proto = "virtiofs";
socket = "${dir}.socket";
}) [ "etc" "var" "home" ];
interfaces = [{
type = "tap";
id = "vm-nextcloud";
mac = "02:00:00:00:00:00";
}];
};
networking = {
hostName = "nextcloud";
};
system.stateVersion = "22.05";
}


@ -1,58 +0,0 @@
{ config, ... }: {
networking.wireguard.enable = true;
networking.useNetworkd = true;
systemd.network = {
enable = true;
netdevs."10-oxaproxy" = {
netdevConfig = {
Kind = "wireguard";
Name = "oxaproxy";
Description = "oxa's enterprise reverse-proxy network";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path;
#own pubkey: KCYoGx7TGei4X79EZo2NONCcmQjPzBUN1Ds6I9lQbz0=
};
wireguardPeers = [
{
# cirrus
wireguardPeerConfig = {
PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=";
AllowedIPs = [ "10.34.45.0/24" ];
Endpoint = [ "95.216.166.21:51821" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-oxaproxy" = {
matchConfig.Name = "oxaproxy";
networkConfig = {
Address = "10.34.45.100/24";
};
};
networks."111-host" = {
matchConfig.MACAddress = "02:00:00:00:00:00";
networkConfig = {
Address = "10.99.99.100/24";
};
routes = [
{
routeConfig = {
Gateway = "10.99.99.1";
Destination = "0.0.0.0/0";
Metric = 1024;
};
}
{
routeConfig = {
Gateway = "10.99.99.1";
Destination = "10.99.99.0/24";
Metric = 1024;
};
}
];
};
};
}


@ -1,11 +0,0 @@
{ config, ... }: {
sops.defaultSopsFile = ../../secrets/nextcloud/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets."wg/oxaproxy-seckey" = {
owner = config.users.users.systemd-network.name;
};
sops.secrets."nextcloud/adminpass" = {
owner = config.users.users.nextcloud.name;
};
}


@ -8,37 +8,48 @@
./nix-ld.nix
];
environment.systemPackages = with pkgs; [
bat
fd
file
gnupg
glow
htop
irssi
killall
neovim
ripgrep
tealdeer
traceroute
tcpdump
tree
(aspellWithDicts (ps: with ps; [ en en-science en-computers ru nl ]))
exfatprogs
nmap
bind
nnn
lf
man-pages
unzip
usbutils
pciutils
ouch
cryptsetup
sshfs
whois
mtr
] ++ (if config.networking.hostName == "toaster" then [ gitFull ] else [ git ]);
environment.systemPackages =
with pkgs;
[
bat
fd
file
gnupg
glow
htop
irssi
killall
neovim
ripgrep
tealdeer
traceroute
tcpdump
tree
(aspellWithDicts (
ps: with ps; [
en
en-science
en-computers
ru
nl
]
))
exfatprogs
nmap
bind
nnn
lf
man-pages
unzip
usbutils
pciutils
ouch
cryptsetup
sshfs
whois
mtr
]
++ (if config.networking.hostName == "toaster" then [ gitFull ] else [ git ]);
environment.variables =
let
@ -53,7 +64,8 @@
{
PAGER = "less";
LESS = "-X -R -F";
} // editorconf;
}
// editorconf;
environment.shellAliases = {
ls = "ls --color=auto";


@ -1,4 +1,10 @@
{ lib, config, pkgs, ... }: {
{
lib,
config,
pkgs,
...
}:
{
environment = {
systemPackages = [ pkgs.fzf ];
@ -8,11 +14,15 @@
};
};
# integrate fzf into shell, >23.05 only
programs = with lib;
if (toInt (elemAt (splitVersion config.system.nixos.release) 0) >= 23) then {
fzf = {
keybindings = true;
fuzzyCompletion = true;
};
} else { };
programs =
with lib;
if (toInt (elemAt (splitVersion config.system.nixos.release) 0) >= 23) then
{
fzf = {
keybindings = true;
fuzzyCompletion = true;
};
}
else
{ };
}


@ -1,4 +1,5 @@
{ pkgs, inputs, ... }: {
{ pkgs, inputs, ... }:
{
programs.tmux = {
enable = true;
keyMode = "vi";


@ -1,10 +1,10 @@
{ pkgs, lib, ... }:
{
programs.nix-ld ={
enable = true;
libraries = [
pkgs.stdenv.cc.cc
];
programs.nix-ld = {
enable = true;
libraries = [
pkgs.stdenv.cc.cc
];
};
#environment.variables = {
# NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [


@ -1,9 +1,15 @@
{ lib, pkgs, inputs, ... }: {
{
lib,
pkgs,
inputs,
...
}:
{
nix = {
extraOptions = ''
experimental-features = nix-command flakes
narinfo-cache-negative-ttl = 0
experimental-features = nix-command flakes
narinfo-cache-negative-ttl = 0
'';
};
@ -12,8 +18,10 @@
# override default nix shell nixpkgs# behaviour to use current flake lock
nix.registry =
let flakes = lib.filterAttrs (_name: value: value ? outputs) inputs.self.inputs;
in builtins.mapAttrs (_name: v: { flake = v; }) flakes;
let
flakes = lib.filterAttrs (_name: value: value ? outputs) inputs.self.inputs;
in
builtins.mapAttrs (_name: v: { flake = v; }) flakes;
nix.nixPath = lib.mapAttrsToList (name: value: "${name}=${value.outPath}") inputs.self.inputs;


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
nix = {
extraOptions = ''
builders-use-substitutes = true


@ -1,31 +1,36 @@
{ pkgs, inputs, ... }: {
{ pkgs, inputs, ... }:
{
environment.systemPackages = with pkgs;
let
kicad = pkgs.kicad.override {
addons = with pkgs.kicadAddons; [ kikit kikit-library ];
};
in
[
# general
cmake
gcc
gef
gdb
binutils
binwalk
clang
clang-tools
direnv
sops
nil
nixpkgs-fmt
nix-index
kicad
freecad-wayland
imhex
python313Full
];
environment.systemPackages =
with pkgs;
let
kicad = pkgs.kicad.override {
addons = with pkgs.kicadAddons; [
kikit
kikit-library
];
};
in
[
# general
cmake
gcc
gef
gdb
binutils
binwalk
clang
clang-tools
direnv
sops
nil
nixpkgs-fmt
nix-index
kicad
freecad-wayland
imhex
python313Full
];
# Wireshark
programs.wireshark = {


@ -4,23 +4,25 @@
environment.systemPackages = with pkgs; [ nfs-utils ];
services.rpcbind.enable = true;
systemd.mounts = [{
type = "nfs";
mountConfig = {
Options = "noatime";
};
what = "10.13.37.5:/";
where = "/mnt/dvb";
}];
systemd.mounts = [
{
type = "nfs";
mountConfig = {
Options = "noatime";
};
what = "10.13.37.5:/";
where = "/mnt/dvb";
}
];
systemd.automounts = [{
wantedBy = [ "multi-user.target" ];
requires = [ "wg-quick-wg-dvb.service" ];
automountConfig = {
TimeoutIdleSec = "600";
};
where = "/mnt/dvb";
}];
systemd.automounts = [
{
wantedBy = [ "multi-user.target" ];
requires = [ "wg-quick-wg-dvb.service" ];
automountConfig = {
TimeoutIdleSec = "600";
};
where = "/mnt/dvb";
}
];
}


@ -1,4 +1,5 @@
{ config, pkgs, ... }: {
{ config, pkgs, ... }:
{
imports = [
./desktop-software.nix


@ -82,13 +82,15 @@ in
'';
};
systemd.user = {
# Service and timer to sync imap to local maildir
services.mbsync = {
enable = true;
after = [ "graphical.target" "network-online.target" ];
after = [
"graphical.target"
"network-online.target"
];
script = ''
${pkgs.isync}/bin/mbsync -q -a --config=${mbsyncConf}
'';
@ -110,7 +112,10 @@ in
# service and timer to flush the msmtp queue
services.flush-msmtpq = {
enable = true;
after = [ "graphical.target" "network-online.target" ];
after = [
"graphical.target"
"network-online.target"
];
script = ''
${pkgs.msmtp}/bin/msmtp-queue -r
'';
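Review bot: `after = [ "graphical.target" "network-online.target" ]` on the `mbsync` user service (and the identical list on `flush-msmtpq` in the second hunk) names system-manager targets, but units in the user manager cannot order against system units, so the `network-online.target` entry is almost certainly a no-op in the user session and the script can run before the network is up. Because both services are timer-driven, the practical effect is a failed run rather than a hang, but a comment saying so — or an ordering against a user-side target that actually exists — would make the intent explicit. The enclosing `systemd.user` block begins and ends outside the hunks shown.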


@ -120,7 +120,9 @@
wl-mirror
];
};
environment.sessionVariables = { GTK_THEME = "Adwaita:dark"; };
environment.sessionVariables = {
GTK_THEME = "Adwaita:dark";
};
xdg.portal = {
enable = true;
wlr.enable = true;


@ -9,7 +9,7 @@
USB_BLACKLIST = "1d50:604b 1d50:6089 1d50:cc15 1fc9:000c";
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
WIFI_PWR_ON_BAT= "off";
WIFI_PWR_ON_BAT = "off";
};
};
}


@ -1,4 +1,9 @@
{ config, pkgs, inputs, ... }:
{
config,
pkgs,
inputs,
...
}:
{
environment.systemPackages = with pkgs; [
virt-manager


@ -1,4 +1,5 @@
{ ... }: {
{ ... }:
{
imports = [
# module
./module.nix


@ -4,11 +4,17 @@
oxalab.wg = [
{
networkName = "0xa-mgmt";
CIDRs = [ "10.89.87.0/24" "fd31:185d:722e::/48" ];
CIDRs = [
"10.89.87.0/24"
"fd31:185d:722e::/48"
];
hosts = {
"cloud" = {
address = [ "10.89.87.1/24" "fd31:185d:722e::1/48" ];
address = [
"10.89.87.1/24"
"fd31:185d:722e::1/48"
];
publicKey = "zKSaw+SXzWgi/T7ByXHqPk1XNXXapoQYB8UPMTRmhm0=";
privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path;
endpoint = {
@ -20,12 +26,18 @@
};
"toaster" = {
address = [ "10.89.87.100/24" "fd31:185d:722e::100/48" ];
address = [
"10.89.87.100/24"
"fd31:185d:722e::100/48"
];
publicKey = "H+WeYIBdX7ZHwkgm4BGnF0HF0JULkxyNMcvCviHhmks=";
privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path;
};
"minime" = {
address = [ "10.89.87.10/24" "fd31:185d:722e::10/48" ];
address = [
"10.89.87.10/24"
"fd31:185d:722e::10/48"
];
publicKey = "zN2Dr/ZGMh1Ftparszp22Qnbz2ISJU12iDVatebOHUE=";
privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path;
};


@ -1,8 +1,11 @@
{ lib
, config
, self
, registry
, ... }: {
{
lib,
config,
self,
registry,
...
}:
{
config =
let
@ -17,10 +20,20 @@
name = "30-wg-${net.networkName}";
value = {
matchConfig.Name = "wg-${net.networkName}";
networkConfig = {
Address = net.hosts.${currenthost}.address;
IPv6AcceptRA = false; # for now static IPv6
} // (if net.hosts.${currenthost}.endpoint.enable then {IPv4Forwarding=true; IPv6Forwarding=true; } else {});
networkConfig =
{
Address = net.hosts.${currenthost}.address;
IPv6AcceptRA = false; # for now static IPv6
}
// (
if net.hosts.${currenthost}.endpoint.enable then
{
IPv4Forwarding = true;
IPv6Forwarding = true;
}
else
{ }
);
};
}) networks;
@ -45,8 +58,7 @@
wireguardPeers =
let
endpoint = lib.attrsets.filterAttrs (_k: v: v.endpoint.enable) net.hosts;
wg-peers-attrs = lib.attrsets.mapAttrs (_k: v:
{
wg-peers-attrs = lib.attrsets.mapAttrs (_k: v: {
PersistentKeepalive = 29;
PublicKey = v.publicKey;
Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}";
@ -55,19 +67,24 @@
wg-peers = lib.attrsets.attrValues wg-peers-attrs;
in
wg-peers;
};
}) net-client;
netdev-client = builtins.listToAttrs netdev-client-list;
};
}) net-client;
netdev-client = builtins.listToAttrs netdev-client-list;
maskip = (net: hostattrs:
if hostattrs.endpoint.enable then hostattrs.address else map (baseaddr:
if lib.strings.hasInfix "." baseaddr then "${baseaddr}/32" else "${baseaddr}/128"
) (map (addr: builtins.elemAt (lib.strings.splitString "/" addr) 0) hostattrs.address));
maskip = (
net: hostattrs:
if hostattrs.endpoint.enable then
hostattrs.address
else
map (baseaddr: if lib.strings.hasInfix "." baseaddr then "${baseaddr}/32" else "${baseaddr}/128") (
map (addr: builtins.elemAt (lib.strings.splitString "/" addr) 0) hostattrs.address
)
);
# endpoint
# TODO: this requires bit more logic for allowedIPs if we have more then
# 2 endpoints e.g. for routing client -> endpoint1 -> endpoint2 ->
# client2
netdev-endpoint-list = map (net: {
netdev-endpoint-list = map (net: {
name = "30-wg-${net.networkName}";
value = {
netdevConfig = {
@ -79,19 +96,27 @@
wireguardPeers =
let
peers = lib.attrsets.filterAttrs (k: _v: k != currenthost) net.hosts;
wg-peers-attrs = lib.attrsets.mapAttrs (_k: v:
{
PersistentKeepalive = 29;
PublicKey = v.publicKey;
# only route to /32 or /128, i.e. single client
AllowedIPs = maskip net v;
} // (if !isNull v.endpoint.endpoint then { Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}"; } else {})) peers;
wg-peers-attrs = lib.attrsets.mapAttrs (
_k: v:
{
PersistentKeepalive = 29;
PublicKey = v.publicKey;
# only route to /32 or /128, i.e. single client
AllowedIPs = maskip net v;
}
// (
if !isNull v.endpoint.endpoint then
{ Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}"; }
else
{ }
)
) peers;
wg-peers = lib.attrsets.attrValues wg-peers-attrs;
in
wg-peers;
};
}) net-endpoint;
netdev-endpoint = builtins.listToAttrs netdev-endpoint-list;
};
}) net-endpoint;
netdev-endpoint = builtins.listToAttrs netdev-endpoint-list;
in
{
@ -102,4 +127,4 @@
systemd.network.networks = systemd-networks;
systemd.network.netdevs = netdev-client // netdev-endpoint;
};
}
}
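Review bot: `if !isNull v.endpoint.endpoint then` in the endpoint peer builder uses the deprecated `isNull` builtin; `v.endpoint.endpoint != null` is the idiomatic form. `maskip` declares a first parameter `net` that its body never reads, so either drop it together with the `net` argument at `AllowedIPs = maskip net v`, or document why it is kept. The forwarding block in the earlier hunk (`IPv4Forwarding = true; IPv6Forwarding = true;` when `endpoint.enable`) is security-relevant because it appears to make the endpoint route between peers, and deserves a one-line comment such as `# endpoints forward between peers; clients keep forwarding off`. The `config` let-block begins and ends outside the hunks shown.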


@ -1,79 +1,88 @@
{ lib
, ...}:
{
options.oxalab.wg = with lib;
lib.mkOption {
default = [];
type = types.listOf (types.submodule {
options = {
# general network stuff
networkName = mkOption {
type = types.nullOr types.str;
default = null;
};
CIDRs = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
};
lib,
...
}:
{
options.oxalab.wg =
with lib;
lib.mkOption {
default = [ ];
type = types.listOf (
types.submodule {
options = {
# general network stuff
networkName = mkOption {
type = types.nullOr types.str;
default = null;
};
CIDRs = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
};
hosts = mkOption {
default = {};
type = types.attrsOf (types.submodule {
options = {
enable = mkOption {
type = types.bool;
default = true;
};
address = mkOption {
type = types.listOf types.str;
default = null;
};
publicKey = mkOption {
type = types.str;
default = null;
};
privateKeyFile = mkOption {
type = types.path;
default = null;
};
endpoint.enable = mkOption {
type = types.bool;
default = false;
};
endpoint.endpoint = mkOption {
type = types.nullOr types.str;
default = null;
};
endpoint.port = mkOption {
type = types.nullOr types.int;
default = null;
};
endpoint.publicIface = mkOption {
type = types.nullOr types.str;
default = null;
};
endpoint.extraPeers = mkOption {
default = [];
type = types.listOf (types.submodule {
hosts = mkOption {
default = { };
type = types.attrsOf (
types.submodule {
options = {
enable = mkOption {
type = types.bool;
default = true;
};
address = mkOption {
type = types.listOf types.str;
default = [];
default = null;
};
publicKey = mkOption {
type = types.str;
default = null;
};
privateKeyFile = mkOption {
type = types.path;
default = null;
};
endpoint.enable = mkOption {
type = types.bool;
default = false;
};
endpoint.endpoint = mkOption {
type = types.nullOr types.str;
default = null;
};
endpoint.port = mkOption {
type = types.nullOr types.int;
default = null;
};
endpoint.publicIface = mkOption {
type = types.nullOr types.str;
default = null;
};
endpoint.extraPeers = mkOption {
default = [ ];
type = types.listOf (
types.submodule {
options = {
address = mkOption {
type = types.listOf types.str;
default = [ ];
};
publicKey = mkOption {
type = types.nullOr types.str;
default = null;
};
};
}
);
};
};
});
};
}
);
};
});
};
};
});
};
};
}
);
};
}
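Review bot: `address`, `publicKey` and `privateKeyFile` under `hosts` declare `default = null` against non-nullable types (`types.listOf types.str`, `types.str`, `types.path`), so an unset value fails the type check with a confusing message instead of the module system's clear "option is used but not defined" error; drop those `default` lines to make the options required, or wrap the types in `types.nullOr` if null is meant to be valid. None of the options carry a `description`, which generated option documentation relies on; one line each is enough, e.g. for `privateKeyFile`: `description = "Runtime path to the WireGuard private key; must not be a path literal, which would be copied into the world-readable Nix store.";`. That caveat matters because `types.path` accepts path literals as well as strings, and the callers visible elsewhere in this commit use sops-managed paths, which is the right pattern to document.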


@ -1,75 +0,0 @@
{ gcc12Stdenv
, lib
, cmake
, ccache
, glfw
, glm
, magic-vlsi
, mbedtls
, freetype
, dbus
, capstone
, openssl
, pkg-config
, lld
, libGL
, wrapQtAppsHook
, fetchFromGitHub
}:
gcc12Stdenv.mkDerivation rec {
pname = "imhex";
version = "1.26.2";
src = fetchFromGitHub {
owner = "WerWolv";
repo = "ImHex";
rev = "v${version}";
fetchSubmodules = true;
sha256 = "sha256-H2bnRByCUAltngmVWgPW4vW8k5AWecOAzwtBKsjbpTw=";
};
nativeBuildInputs = [
cmake
pkg-config
lld
];
cmakeFlags = [
"-DCMAKE_BUILD_TYPE=Release"
# "-DCMAKE_INSTALL_PREFIX="/usr""
"-DCMAKE_C_COMPILER_LAUNCHER=ccache"
"-DCMAKE_CXX_COMPILER_LAUNCHER=ccache"
"-DCMAKE_C_FLAGS=-fuse-ld=lld"
"-DCMAKE_CXX_FLAGS=-fuse-ld=lld"
"-DCMAKE_OBJC_COMPILER_LAUNCHER=ccache"
"-DCMAKE_OBJCXX_COMPILER_LAUNCHER=ccache"
# looks like the cmake here tries to be "helpful"...
"-DFREETYPE_LIBRARY=${freetype.dev}"
"-DFREETYPE_INCLUDE_DIRS=${freetype.dev}"
"-DOPENGL_opengl_LIBRARY=${libGL.dev}"
"-DOPENGL_glx_LIBRARY=${libGL.dev}"
"-DOPENGL_INCLUDE_DIR=${libGL.dev}"
"-DMBEDTLS_LIBRARY=${mbedtls}"
"-DMBEDTLS_INCLUDE_DIRS=${mbedtls}"
"-DMBEDX509_LIBRARY=${mbedtls}"
"-DMBEDCRYPTO_LIBRARY=${mbedtls}"
"-DCMAKE_PREFIX_PATH=${glfw}"
"-DCMAKE_LIBRARY_PATH=${magic-vlsi}"
"-DCMAKE_PREFIX_PATH=${dbus.dev}"
];
BuildInputs = [
ccache
glfw
glm
magic-vlsi
mbedtls
freetype
dbus
openssl
capstone
libGL
];
}


@ -1,24 +0,0 @@
{ stdenv, lib, openssl, pkgconfig, fetchFromGitHub, rustPlatform }:
rustPlatform.buildRustPackage rec {
pname = "slick";
version = "0.10.0";
src = fetchFromGitHub {
owner = "nbari";
repo = pname;
rev = version;
sha256 = "sha256-GM9OHnySc3RVkfaK7yMf1LqpGdz3emq2H/3tSAph4jw=";
};
buildInputs = [ openssl pkgconfig ];
nativeBuildInputs = [ pkgconfig ];
cargoSha256 = "sha256-2WxFprq+AcXGXDMjMQvqKTkeWQEWM/z2Fz6qYPtSFGw=";
meta = with lib; {
description = "Async ZSH prompt";
homepage = "https://github.com/nbari/slick";
license = licenses.bsd3;
};
}