delete legacy stuff and reformat

This commit is contained in:
Grisha Shipunov 2025-01-11 03:55:19 +01:00
parent 595d4935de
commit 62e2519639
51 changed files with 714 additions and 1056 deletions


@ -32,42 +32,43 @@
}; };
outputs = outputs =
inputs@{ self inputs@{
, flake-utils self,
, lanzaboote flake-utils,
, microvm lanzaboote,
, nixos-hardware microvm,
, nixpkgs-stable nixos-hardware,
, nixpkgs-unstable nixpkgs-stable,
, sops-nix nixpkgs-unstable,
, ... sops-nix,
}: ...
}:
{ {
nixosConfigurations = { nixosConfigurations = {
toaster = nixpkgs-unstable.lib.nixosSystem { toaster = nixpkgs-unstable.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { inherit inputs; }; specialArgs = { inherit inputs; };
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
lanzaboote.nixosModules.lanzaboote lanzaboote.nixosModules.lanzaboote
nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen3 nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen3
./hosts/toaster ./hosts/toaster
./modules/basic-tools ./modules/basic-tools
./modules/binary-caches.nix ./modules/binary-caches.nix
./modules/devtools.nix ./modules/devtools.nix
./modules/gnome.nix ./modules/gnome.nix
./modules/gnupg.nix ./modules/gnupg.nix
./modules/radio.nix ./modules/radio.nix
./modules/science.nix ./modules/science.nix
./modules/tlp.nix ./modules/tlp.nix
./modules/virtualization.nix ./modules/virtualization.nix
./hosts/toaster/secure-boot.nix ./hosts/toaster/secure-boot.nix
./modules/chromium.nix ./modules/chromium.nix
./modules/mail ./modules/mail
./modules/wg ./modules/wg
]; ];
}; };
cloud = nixpkgs-stable.lib.nixosSystem { cloud = nixpkgs-stable.lib.nixosSystem {
@ -100,8 +101,12 @@
}; };
hydraJobs = hydraJobs =
let let
get-toplevel = (host: nixSystem: nixSystem.config.microvm.declaredRunner or nixSystem.config.system.build.toplevel); get-toplevel = (
host: nixSystem: nixSystem.config.microvm.declaredRunner or nixSystem.config.system.build.toplevel
);
in in
nixpkgs-stable.lib.mapAttrs get-toplevel self.nixosConfigurations; nixpkgs-stable.lib.mapAttrs get-toplevel self.nixosConfigurations;
};
} formatter.x86_64-linux = nixpkgs-stable.legacyPackages.x86_64-linux.nixfmt-rfc-style;
};
}
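Review bot: The `microvm` flake input in the `inputs@{ ... }` list and the `nixSystem.config.microvm.declaredRunner or` fallback in `get-toplevel` look like leftovers of the microvm hosts this commit deletes; if no remaining nixosConfiguration still imports the microvm module (the `cloud` definition runs past this hunk, so I cannot confirm it here), the input should be dropped so it is no longer fetched and pinned in `flake.lock`, and the helper reduced to `get-toplevel = host: nixSystem: nixSystem.config.system.build.toplevel;`. An unused flake input is still a dependency that gets resolved and locked, so keeping it only widens what the build trusts. While touching that line, the unused `host` parameter could be spelled `_host:` to match the `_name:` convention used elsewhere in this repo.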


@ -1,4 +1,5 @@
{ ... }: { { ... }:
{
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix
@ -9,6 +10,8 @@
networking.hostName = "cloud"; networking.hostName = "cloud";
networking.domain = "oxapentane.com"; networking.domain = "oxapentane.com";
services.openssh.enable = true; services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK'' ]; users.users.root.openssh.authorizedKeys.keys = [
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK''
];
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }


@ -1,5 +1,6 @@
{ ... }: { { ... }:
imports= [ {
imports = [
./configuration.nix ./configuration.nix
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix


@ -2,8 +2,16 @@
{ {
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
"vmw_pvscsi"
];
boot.initrd.kernelModules = [ "nvme" ]; boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
} }


@ -1,11 +1,12 @@
{ lib, ... }: { { lib, ... }:
{
networking.dhcpcd.enable = false; networking.dhcpcd.enable = false;
networking.useNetworkd = true; networking.useNetworkd = true;
systemd.network.enable = true; systemd.network.enable = true;
systemd.network = { systemd.network = {
networks."30-uplink" = { networks."30-uplink" = {
matchConfig.Name="enp1s0"; matchConfig.Name = "enp1s0";
networkConfig = { networkConfig = {
Address = [ Address = [
"188.245.196.27/32" "188.245.196.27/32"


@ -2,23 +2,26 @@
# your system. Help is available in the configuration.nix(5) man page, on # your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
{ {
imports = imports = [
[ # Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
# Enable the X11 windowing system. # Enable the X11 windowing system.
services.xserver.enable = false; services.xserver.enable = false;
system.stateVersion = "24.11"; # Did you read the comment? system.stateVersion = "24.11"; # Did you read the comment?
} }


@ -1,4 +1,5 @@
{ ... }: { { ... }:
{
imports = [ imports = [
./configuration.nix ./configuration.nix
./hardware-configuration.nix ./hardware-configuration.nix


@ -1,59 +1,76 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: {
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = imports = [
[ (modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "zpool/nixos/root"; device = "zpool/nixos/root";
fsType = "zfs"; fsType = "zfs";
options = [ "zfsutil" ]; options = [ "zfsutil" ];
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/12CE-A600"; device = "/dev/disk/by-uuid/12CE-A600";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [
}; "fmask=0022"
"dmask=0022"
];
};
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "zpool/nixos/nix"; device = "zpool/nixos/nix";
fsType = "zfs"; fsType = "zfs";
options = [ "zfsutil" ]; options = [ "zfsutil" ];
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "zpool/data/home"; device = "zpool/data/home";
fsType = "zfs"; fsType = "zfs";
options = [ "zfsutil" ]; options = [ "zfsutil" ];
}; };
fileSystems."/var" = fileSystems."/var" = {
{ device = "zpool/data/var"; device = "zpool/data/var";
fsType = "zfs"; fsType = "zfs";
options = [ "zfsutil" ]; options = [ "zfsutil" ];
}; };
fileSystems."/var/lib" = fileSystems."/var/lib" = {
{ device = "zpool/data/var/lib"; device = "zpool/data/var/lib";
fsType = "zfs"; fsType = "zfs";
options = [ "zfsutil" ]; options = [ "zfsutil" ];
}; };
swapDevices = swapDevices = [
[ { {
device = "/dev/disk/by-partuuid/7e7d0e0b-90b7-465c-a022-089b38e0f16d"; device = "/dev/disk/by-partuuid/7e7d0e0b-90b7-465c-a022-089b38e0f16d";
randomEncryption = true; randomEncryption = true;
} ]; }
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;


@ -1,4 +1,5 @@
{ ... }: { { ... }:
{
networking.hostName = "minime"; # Define your hostname. networking.hostName = "minime"; # Define your hostname.
networking.useNetworkd = true; networking.useNetworkd = true;
networking.firewall.enable = true; networking.firewall.enable = true;


@ -1,4 +1,10 @@
{ pkgs, lib, config, ... }: { {
pkgs,
lib,
config,
...
}:
{
services.fstrim.enable = true; services.fstrim.enable = true;
services.zfs = { services.zfs = {
autoSnapshot.enable = true; autoSnapshot.enable = true;
@ -12,19 +18,21 @@
}; };
networking.hostId = "41ba28ff"; networking.hostId = "41ba28ff";
boot = { boot = {
kernelPackages = let kernelPackages =
zfsCompatibleKernelPackages = lib.filterAttrs ( let
name: kernelPackages: zfsCompatibleKernelPackages = lib.filterAttrs (
(builtins.match "linux_[0-9]+_[0-9]+" name) != null name: kernelPackages:
&& (builtins.tryEval kernelPackages).success (builtins.match "linux_[0-9]+_[0-9]+" name) != null
&& (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken) && (builtins.tryEval kernelPackages).success
&& (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken)
) pkgs.linuxKernel.packages; ) pkgs.linuxKernel.packages;
latestKernelPackage = lib.last ( latestKernelPackage = lib.last (
lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) ( lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) (
builtins.attrValues zfsCompatibleKernelPackages builtins.attrValues zfsCompatibleKernelPackages
) )
); );
in latestKernelPackage; in
latestKernelPackage;
supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
kernelParams = [ "nohibernate" ]; kernelParams = [ "nohibernate" ];
plymouth.enable = false; plymouth.enable = false;
@ -38,14 +46,24 @@
enable = true; enable = true;
port = 2222; port = 2222;
hostKeys = [ /etc/secrets/initrd/ssh_host_rsa_key ]; hostKeys = [ /etc/secrets/initrd/ssh_host_rsa_key ];
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK 0xa@toaster 2024-12-31" ]; authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJl9iYG5oHBq/poBn7Jf1/FGWWbAnbx+NKjs7qtT3uAK 0xa@toaster 2024-12-31"
];
}; };
postCommands = '' postCommands = ''
zpool import -a zpool import -a
echo "zfs load-key -a; killall zfs" >> /root/.profile echo "zfs load-key -a; killall zfs" >> /root/.profile
''; '';
}; };
# support for network # support for network
boot.initrd.kernelModules = [ "igc" "i40e" "mt7921e" ]; boot.initrd.kernelModules = [
boot.kernelModules = [ "igc" "i40e" "mt7921e" ]; "igc"
"i40e"
"mt7921e"
];
boot.kernelModules = [
"igc"
"i40e"
"mt7921e"
];
} }


@ -1,4 +1,5 @@
{ pkgs, config, ... }: { { pkgs, config, ... }:
{
boot.initrd.kernelModules = [ "amdgpu" ]; boot.initrd.kernelModules = [ "amdgpu" ];
boot.kernelParams = [ boot.kernelParams = [
@ -6,14 +7,14 @@
"amd_pstate=active" "amd_pstate=active"
]; ];
# hardware.graphics = { # hardware.graphics = {
# extraPackages = with pkgs; [ # extraPackages = with pkgs; [
# rocm-opencl-icd # rocm-opencl-icd
# rocm-opencl-runtime # rocm-opencl-runtime
# amdvlk # amdvlk
# ]; # ];
# extraPackages32 = with pkgs; [ # extraPackages32 = with pkgs; [
# driversi686Linux.amdvlk # driversi686Linux.amdvlk
# ]; # ];
# }; # };
} }


@ -1,4 +1,5 @@
{ pkgs, ... }: { { pkgs, ... }:
{
imports = [ imports = [
./amd.nix ./amd.nix
./hardware-configuration.nix ./hardware-configuration.nix


@ -1,54 +1,70 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: {
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = imports = [
[ (modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.zfs.extraPools = [ "zpool" ];
fileSystems."/" = {
device = "zpool/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix" = {
device = "zpool/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" = {
device = "zpool/data/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" = {
device = "zpool/data/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/A170-F83D";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
]; ];
};
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" ]; swapDevices = [
boot.initrd.kernelModules = [ ]; {
boot.kernelModules = [ "kvm-amd" ]; device = "/dev/disk/by-partuuid/037518f2-9fa0-44f0-9550-745e27bf1c1f";
boot.extraModulePackages = [ ]; randomEncryption = true;
boot.zfs.extraPools = [ "zpool" ]; }
];
fileSystems."/" =
{ device = "zpool/root";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/nix" =
{ device = "zpool/nix";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/home" =
{ device = "zpool/data/home";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/var" =
{ device = "zpool/data/var";
fsType = "zfs";
options = [ "zfsutil" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A170-F83D";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-partuuid/037518f2-9fa0-44f0-9550-745e27bf1c1f";
randomEncryption = true;}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,4 +1,5 @@
{ config, pkgs, ... }: { { config, pkgs, ... }:
{
environment.systemPackages = [ pkgs.senpai ]; environment.systemPackages = [ pkgs.senpai ];
sops.secrets = { sops.secrets = {


@ -1,4 +1,5 @@
{ lib, config, ... }: { { lib, config, ... }:
{
imports = [ imports = [
./mullvad.nix ./mullvad.nix
./dumpdvb.nix ./dumpdvb.nix
@ -8,32 +9,34 @@
# Networkmanager shouldn't interfere with systemd managed interfaces # Networkmanager shouldn't interfere with systemd managed interfaces
networking.networkmanager.unmanaged = networking.networkmanager.unmanaged =
let let
systemd_netdevs = lib.attrsets.attrValues (lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs); systemd_netdevs = lib.attrsets.attrValues (
lib.attrsets.mapAttrs (_name: value: value.netdevConfig.Name) config.systemd.network.netdevs
);
in in
systemd_netdevs; systemd_netdevs;
systemd.network = { systemd.network = {
enable = true; enable = true;
wait-online.enable = false; # uplink is managed by networkmanager wait-online.enable = false; # uplink is managed by networkmanager
}; };
users.users."0xa".extraGroups = [ "networkmanager" ]; users.users."0xa".extraGroups = [ "networkmanager" ];
networking = { networking = {
hostName = "toaster"; hostName = "toaster";
firewall.enable = true; firewall.enable = true;
wireguard.enable = true; wireguard.enable = true;
}; };
services.resolved = { services.resolved = {
enable = true; enable = true;
dnssec = "false"; dnssec = "false";
fallbackDns = [ fallbackDns = [
"9.9.9.9" "9.9.9.9"
"2620:fe::fe" "2620:fe::fe"
"149.112.112.112" "149.112.112.112"
"2620:fe::9" "2620:fe::9"
]; ];
}; };
} }


@ -1,4 +1,5 @@
{ config, ... }: { { config, ... }:
{
systemd.network = { systemd.network = {
# Wireguard # Wireguard
# Dump-dvb # Dump-dvb
@ -27,7 +28,10 @@
IPv6AcceptRA = true; IPv6AcceptRA = true;
}; };
routes = [ routes = [
{ Gateway = "10.13.37.1"; Destination = "10.13.37.0/24"; } {
Gateway = "10.13.37.1";
Destination = "10.13.37.0/24";
}
]; ];
}; };
}; };


@ -1,10 +1,14 @@
{ config, lib, ... }: { { config, lib, ... }:
{
systemd.network = systemd.network =
let let
pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk="; pubkey = "BChJDLOwZu9Q1oH0UcrxcHP6xxHhyRbjrBUsE0e07Vk=";
endpoint = "169.150.196.15"; endpoint = "169.150.196.15";
port = "51820"; port = "51820";
addr = [ "10.74.16.48/32" "fc00:bbbb:bbbb:bb01::b:102f/128" ]; addr = [
"10.74.16.48/32"
"fc00:bbbb:bbbb:bb01::b:102f/128"
];
in in
{ {
netdevs."10-wg-mullvad" = { netdevs."10-wg-mullvad" = {
@ -21,7 +25,10 @@
{ {
PublicKey = pubkey; PublicKey = pubkey;
Endpoint = "${endpoint}:${port}"; Endpoint = "${endpoint}:${port}";
AllowedIPs = [ "0.0.0.0/0" "::0/0" ]; AllowedIPs = [
"0.0.0.0/0"
"::0/0"
];
} }
]; ];
}; };
@ -33,44 +40,52 @@
DNSDefaultRoute = true; DNSDefaultRoute = true;
Domains = [ "~." ]; Domains = [ "~." ];
}; };
routes = map routes =
(gate: { map
Gateway = gate; (gate: {
Table = 1000; Gateway = gate;
}) [ Table = 1000;
"0.0.0.0" })
"::" [
]; "0.0.0.0"
"::"
];
routingPolicyRules = [ { routingPolicyRules =
Family = "both"; [
FirewallMark = 34952; # 0x8888 {
InvertRule = true; Family = "both";
Table = "1000"; FirewallMark = 34952; # 0x8888
Priority = 100; InvertRule = true;
} Table = "1000";
{ Priority = 100;
Family = "both"; }
SuppressPrefixLength = 0; {
Table = "main"; Family = "both";
Priority = 90; SuppressPrefixLength = 0;
} ] ++ map (net: { Table = "main";
# only route global addresses over VPN Priority = 90;
Priority = 80; }
To = net; ]
}) [ ++ map
# Mullvad endpoint (net: {
"${endpoint}/32" # only route global addresses over VPN
# "10.0.0.0/8" Priority = 80;
"10.13.37.0/24" To = net;
# 0xa-mgmt })
"10.89.87.0/24" [
# "172.16.0.0/12" # Mullvad endpoint
"172.16.0.0/12" "${endpoint}/32"
# "182.168.0.0/16" # "10.0.0.0/8"
"182.168.0.0/16" "10.13.37.0/24"
# "fc00::/7" # 0xa-mgmt
]; "10.89.87.0/24"
# "172.16.0.0/12"
"172.16.0.0/12"
# "182.168.0.0/16"
"182.168.0.0/16"
# "fc00::/7"
];
};
}; };
};
} }
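Review bot: `"182.168.0.0/16"` in the VPN-bypass list near the end of this hunk (and the commented-out line above it) is not an RFC 1918 range; the private block is `192.168.0.0/16`, so this reads as a typo that the reformat carried over. Each `To = net; Priority = 80;` rule names no `Table`, so presumably it resolves in the main table ahead of the priority-100 table-1000 rule, meaning traffic to the public 182.168.0.0/16 block is sent outside the tunnel while a local 192.168.0.0/16 LAN would be pushed through the VPN. Suggest `"192.168.0.0/16"` with the comment above it corrected to match, and a short comment on why only `10.13.37.0/24` and `10.89.87.0/24` are exempted rather than the whole `10.0.0.0/8` that is left commented out.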


@ -1,56 +1,61 @@
{ config, ... }: { { config, ... }:
# zentralwerk {
systemd.network = { # zentralwerk
netdevs."10-wg-zentralwerk" = { systemd.network = {
netdevConfig = { netdevs."10-wg-zentralwerk" = {
Kind = "wireguard"; netdevConfig = {
Name = "wg-zentralwerk"; Kind = "wireguard";
Description = "Tunnel to the best basement in Dresden"; Name = "wg-zentralwerk";
}; Description = "Tunnel to the best basement in Dresden";
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/zw".path;
RouteTable = "off";
};
wireguardPeers = [
{
PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
Endpoint = "81.201.149.152:1337";
AllowedIPs = [ "172.20.72.0/21" "172.22.90.0/24" "172.22.99.0/24" ];
PersistentKeepalive = 25;
}
];
}; };
networks."10-wg-zentralwerk" = { wireguardConfig = {
matchConfig.Name = "wg-zentralwerk"; PrivateKeyFile = config.sops.secrets."wg/zw".path;
networkConfig = { RouteTable = "off";
Address = "172.20.76.226/21"; };
IPv6AcceptRA = true; wireguardPeers = [
DNS = "172.20.73.8"; {
Domains = [ PublicKey = "PG2VD0EB+Oi+U5/uVMUdO5MFzn59fAck6hz8GUyLMRo=";
"~hq.c3d2.de" Endpoint = "81.201.149.152:1337";
"~serv.zentralwerk.org" AllowedIPs = [
"~hq.zentralwerk.org" "172.20.72.0/21"
"~cluster.zentralwerk.org" "172.22.90.0/24"
"172.22.99.0/24"
]; ];
}; PersistentKeepalive = 25;
routes = [ }
{ ];
Gateway = "172.20.76.225"; };
Destination = "172.20.72.0/21"; networks."10-wg-zentralwerk" = {
Metric = 1023; matchConfig.Name = "wg-zentralwerk";
} networkConfig = {
{ Address = "172.20.76.226/21";
Gateway = "172.20.76.225"; IPv6AcceptRA = true;
Destination = "172.20.90.0/24"; DNS = "172.20.73.8";
Metric = 1023; Domains = [
} "~hq.c3d2.de"
{ "~serv.zentralwerk.org"
Gateway = "172.20.76.225"; "~hq.zentralwerk.org"
Destination = "172.22.99.0/24"; "~cluster.zentralwerk.org"
Metric = 1023;
}
]; ];
}; };
routes = [
{
Gateway = "172.20.76.225";
Destination = "172.20.72.0/21";
Metric = 1023;
}
{
Gateway = "172.20.76.225";
Destination = "172.20.90.0/24";
Metric = 1023;
}
{
Gateway = "172.20.76.225";
Destination = "172.22.99.0/24";
Metric = 1023;
}
];
}; };
} };
}


@ -1,4 +1,5 @@
{ pkgs, lib, ... }: { { pkgs, lib, ... }:
{
boot = { boot = {
bootspec.enable = true; bootspec.enable = true;
loader.systemd-boot.enable = lib.mkForce false; loader.systemd-boot.enable = lib.mkForce false;


@ -1,4 +1,10 @@
{ pkgs, lib, config, ... }: { {
pkgs,
lib,
config,
...
}:
{
services.fstrim.enable = true; services.fstrim.enable = true;
services.zfs = { services.zfs = {
autoSnapshot.enable = true; autoSnapshot.enable = true;
@ -10,19 +16,21 @@
}; };
networking.hostId = "dca22577"; networking.hostId = "dca22577";
boot = { boot = {
kernelPackages = let kernelPackages =
zfsCompatibleKernelPackages = lib.filterAttrs ( let
name: kernelPackages: zfsCompatibleKernelPackages = lib.filterAttrs (
(builtins.match "linux_[0-9]+_[0-9]+" name) != null name: kernelPackages:
&& (builtins.tryEval kernelPackages).success (builtins.match "linux_[0-9]+_[0-9]+" name) != null
&& (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken) && (builtins.tryEval kernelPackages).success
) pkgs.linuxKernel.packages; && (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken)
latestKernelPackage = lib.last ( ) pkgs.linuxKernel.packages;
lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) ( latestKernelPackage = lib.last (
builtins.attrValues zfsCompatibleKernelPackages lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) (
) builtins.attrValues zfsCompatibleKernelPackages
); )
in latestKernelPackage; );
in
latestKernelPackage;
supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
kernelParams = [ "nohibernate" ]; kernelParams = [ "nohibernate" ];
plymouth.enable = false; plymouth.enable = false;


@ -1 +0,0 @@
{ config, pkgs, lib, ... }: { }


@ -1,40 +0,0 @@
{ pkgs, lib, config, ... }: {
imports = [
./navidrome.nix
./oxaproxy.nix
./upload-user.nix
];
microvm = {
hypervisor = "qemu";
mem = 4 * 1024;
vcpu = 3;
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}] ++ map
(dir: {
source = "/var/lib/microvms/${config.networking.hostName}/${dir}";
mountPoint = "/${dir}";
tag = dir;
proto = "virtiofs";
socket = "${dir}.socket";
}) [ "etc" "var" "home" ];
interfaces = [{
type = "tap";
id = "vm-music";
mac = "02:00:00:00:00:01";
}];
};
networking = {
hostName = "music";
};
system.stateVersion = "22.11";
}


@ -1,16 +0,0 @@
{ config, ... }: {
networking.firewall.interfaces.oxaproxy.allowedTCPPorts = [ 4533 ];
services.navidrome = {
enable = true;
settings = {
Address = "10.34.45.101";
BaseUrl = "/";
EnableExternalServices = false;
MusicFolder = "/var/lib/music";
Port = 4533;
ScanSchedule = "@every 11m";
TranscondigCacheSize = "5GiB";
ReverseProxyWhitelist = "10.34.45.1/24";
};
};
}


@ -1,68 +0,0 @@
{ config, ... }: {
networking.wireguard.enable = true;
networking.useNetworkd = true;
#oxaproxy secret
sops.defaultSopsFile = ../../secrets/music/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets."wg/oxaproxy-seckey" = {
owner = config.users.users.systemd-network.name;
};
systemd.network = {
enable = true;
netdevs."10-oxaproxy" = {
netdevConfig = {
Kind = "wireguard";
Name = "oxaproxy";
Description = "oxa's enterprise reverse-proxy network";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path;
#own pubkey: vQNkp51S9qLsu97dLPj0/EqFwvVtRFZpMHufgKhxum0=
};
wireguardPeers = [
{
# cirrus
wireguardPeerConfig = {
PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=";
AllowedIPs = [ "10.34.45.0/24" ];
Endpoint = [ "95.216.166.21:51821" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-oxaproxy" = {
matchConfig.Name = "oxaproxy";
networkConfig = {
Address = "10.34.45.101/24";
};
};
networks."111-host" = {
matchConfig.MACAddress = "02:00:00:00:00:01";
networkConfig = {
Address = "10.99.99.101/24";
};
routes = [
{
routeConfig = {
Gateway = "10.99.99.1";
Destination = "0.0.0.0/0";
Metric = 1024;
};
}
{
routeConfig = {
Gateway = "10.99.99.1";
Destination = "10.99.99.0/24";
Metric = 1024;
};
}
];
};
};
}


@ -1,21 +0,0 @@
{ config, ... }: {
security.sudo.wheelNeedsPassword = false;
users.users.caretaker = {
isNormalUser = true;
home = "/home/caretaker";
createHome = true;
extraGroups = [
"wheel"
"navidrome"
];
openssh.authorizedKeys.keys = [
# melo
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMbUizElFyULDlpEE9XHWWOca4ZXepS18ljh4Fj4YnJOAs7sbYzzhfMUiD703FIgK5YObzOlheu/PBbwUOStgcmPDuRalZWLr+0kCUYERfjLHkgliFx96xEFw9dluvII6JpbzFI/uvkEkQ3ESKapRcYAuBTk2sRoit8za+HX9sLmMueqNtN4H92sFYYm1wWy3FFgz/NN+uTh7F5nmA7SrSS/fpbmugcgBdR/Zy1YwSA8Rl1pagEvgN9/qAnP7pssvXr9pTCUNxVSQ7FlTUOHmxzG16RybYRikgevQaHtFYvmS7AuRvRDlQWhHt1drREGOIwwZPXD1smfQAsvP66J85j9aeanZdoBoJcvvFNer3071QGmi+5NHDSiG+YvoWt7qgiKLF4lOfByzjdoRRSg01uuhdQLOHHt0hbfyGS6hx//1MtjiXTElXvOOiUJ6AqfCSwOTK+72W6VKhKYcO11+Ngym1dyF3TtVcoEYN3JpUdbNq+qctMzXFMGovPEEMh7s= mel@umbreon"
# revol-xut
"ssh-rsa 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 revo-xut@plank"
# 0xa gpg
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHv82n6F6kwJ3/EMYlOoCc1/NaYFW7QHC5F8jKVzdlio gshipunov@toaster"
];
};
}


@ -1,39 +0,0 @@
{ config, ... }: {
imports = [
./miniflux.nix
./oxaproxy.nix
];
microvm = {
hypervisor = "qemu";
mem = 1 * 1024;
vcpu = 1;
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}] ++ map
(dir: {
source = "/var/lib/microvms/${config.networking.hostName}/${dir}";
mountPoint = "/${dir}";
tag = dir;
proto = "virtiofs";
socket = "${dir}.socket";
}) [ "etc" "var" "home" ];
interfaces = [{
type = "tap";
id = "vm-news";
mac = "02:00:00:00:00:02";
}];
};
networking = {
hostName = "news";
};
system.stateVersion = "22.11";
}


@ -1,18 +0,0 @@
{ config, ... }:
let
listenport = 8080;
in
{
sops.secrets."miniflux-admin" = { };
networking.firewall.interfaces.oxaproxy.allowedTCPPorts = [ listenport ];
services.miniflux = {
enable = true;
config = {
LISTEN_ADDR = "10.34.45.102:${toString listenport}";
POLLING_FREQUENCY = "37";
CREATE_ADMIN = "1";
};
adminCredentialsFile = config.sops.secrets."miniflux-admin".path;
};
}


@ -1,68 +0,0 @@
{ config, ... }: {
networking.wireguard.enable = true;
networking.useNetworkd = true;
#oxaproxy secret
sops.defaultSopsFile = ../../secrets/news/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets."oxaproxy-seckey" = {
owner = config.users.users.systemd-network.name;
};
systemd.network = {
enable = true;
netdevs."10-oxaproxy" = {
netdevConfig = {
Kind = "wireguard";
Name = "oxaproxy";
Description = "oxa's enterprise reverse-proxy network";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."oxaproxy-seckey".path;
#own pubkey: guzNmsPcQw4EGSLU3X0SP+WPKAcoMc+xv9SLWdHV1V0=
};
wireguardPeers = [
{
# cirrus
wireguardPeerConfig = {
PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=";
AllowedIPs = [ "10.34.45.0/24" ];
Endpoint = [ "95.216.166.21:51821" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-oxaproxy" = {
matchConfig.Name = "oxaproxy";
networkConfig = {
Address = "10.34.45.102/24";
};
};
networks."111-host" = {
matchConfig.MACAddress = (builtins.elemAt config.microvm.interfaces 0).mac;
networkConfig = {
Address = "10.99.99.102/24";
};
routes = [
{
routeConfig = {
Gateway = "10.99.99.1";
Destination = "0.0.0.0/0";
Metric = 1024;
};
}
{
routeConfig = {
Gateway = "10.99.99.1";
Destination = "10.99.99.0/24";
Metric = 1024;
};
}
];
};
};
}


@ -1,115 +0,0 @@
{ config, pkgs, ... }: {
imports = [
./oxaproxy.nix
./secrets.nix
];
# nextcloud goes here
networking.firewall.interfaces.oxaproxy.allowedTCPPorts = [ 8080 ];
services.postgresql = {
enable = true;
package = pkgs.postgresql_14;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [{
name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
}];
};
services.redis.servers.nextcloud.enable = true;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."nc.oxapentane.com" = {
extraConfig = ''
# HTTP response headers borrowed from Nextcloud .htaccess
add_header Referrer-Policy "no-referrer" always;
#add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
#add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
'';
listen = [{
# We are listening on wireguard interface only
addr = "10.34.45.100";
port = 8080;
ssl = false;
}];
};
};
services.nextcloud = {
enable = true;
hostName = "nc.oxapentane.com";
home = "/var/lib/nextcloud-oxa";
package = pkgs.nextcloud28;
maxUploadSize = "5000M";
caching.redis = true;
autoUpdateApps = {
enable = true;
startAt = "07:00:00";
};
config = {
overwriteProtocol = "https";
trustedProxies = [ "10.34.45.1" ];
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "admin";
adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
};
};
systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
microvm = {
hypervisor = "qemu";
mem = 4 * 1024;
vcpu = 3;
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "store";
proto = "virtiofs";
socket = "store.socket";
}] ++ map
(dir: {
source = "/var/lib/microvms/${config.networking.hostName}/${dir}";
mountPoint = "/${dir}";
tag = dir;
proto = "virtiofs";
socket = "${dir}.socket";
}) [ "etc" "var" "home" ];
interfaces = [{
type = "tap";
id = "vm-nextcloud";
mac = "02:00:00:00:00:00";
}];
};
networking = {
hostName = "nextcloud";
};
system.stateVersion = "22.05";
}


@ -1,58 +0,0 @@
{ config, ... }: {
networking.wireguard.enable = true;
networking.useNetworkd = true;
systemd.network = {
enable = true;
netdevs."10-oxaproxy" = {
netdevConfig = {
Kind = "wireguard";
Name = "oxaproxy";
Description = "oxa's enterprise reverse-proxy network";
};
wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path;
#own pubkey: KCYoGx7TGei4X79EZo2NONCcmQjPzBUN1Ds6I9lQbz0=
};
wireguardPeers = [
{
# cirrus
wireguardPeerConfig = {
PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=";
AllowedIPs = [ "10.34.45.0/24" ];
Endpoint = [ "95.216.166.21:51821" ];
PersistentKeepalive = 25;
};
}
];
};
networks."10-oxaproxy" = {
matchConfig.Name = "oxaproxy";
networkConfig = {
Address = "10.34.45.100/24";
};
};
networks."111-host" = {
matchConfig.MACAddress = "02:00:00:00:00:00";
networkConfig = {
Address = "10.99.99.100/24";
};
routes = [
{
routeConfig = {
Gateway = "10.99.99.1";
Destination = "0.0.0.0/0";
Metric = 1024;
};
}
{
routeConfig = {
Gateway = "10.99.99.1";
Destination = "10.99.99.0/24";
Metric = 1024;
};
}
];
};
};
}


@ -1,11 +0,0 @@
{ config, ... }: {
sops.defaultSopsFile = ../../secrets/nextcloud/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets."wg/oxaproxy-seckey" = {
owner = config.users.users.systemd-network.name;
};
sops.secrets."nextcloud/adminpass" = {
owner = config.users.users.nextcloud.name;
};
}


@ -8,37 +8,48 @@
./nix-ld.nix ./nix-ld.nix
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages =
bat with pkgs;
fd [
file bat
gnupg fd
glow file
htop gnupg
irssi glow
killall htop
neovim irssi
ripgrep killall
tealdeer neovim
traceroute ripgrep
tcpdump tealdeer
tree traceroute
(aspellWithDicts (ps: with ps; [ en en-science en-computers ru nl ])) tcpdump
exfatprogs tree
nmap (aspellWithDicts (
bind ps: with ps; [
nnn en
lf en-science
man-pages en-computers
unzip ru
usbutils nl
pciutils ]
ouch ))
cryptsetup exfatprogs
sshfs nmap
whois bind
mtr nnn
] ++ (if config.networking.hostName == "toaster" then [ gitFull ] else [ git ]); lf
man-pages
unzip
usbutils
pciutils
ouch
cryptsetup
sshfs
whois
mtr
]
++ (if config.networking.hostName == "toaster" then [ gitFull ] else [ git ]);
environment.variables = environment.variables =
let let
@ -53,7 +64,8 @@
{ {
PAGER = "less"; PAGER = "less";
LESS = "-X -R -F"; LESS = "-X -R -F";
} // editorconf; }
// editorconf;
environment.shellAliases = { environment.shellAliases = {
ls = "ls --color=auto"; ls = "ls --color=auto";


@ -1,4 +1,10 @@
{ lib, config, pkgs, ... }: { {
lib,
config,
pkgs,
...
}:
{
environment = { environment = {
systemPackages = [ pkgs.fzf ]; systemPackages = [ pkgs.fzf ];
@ -8,11 +14,15 @@
}; };
}; };
# integrate fzf into shell, >23.05 only # integrate fzf into shell, >23.05 only
programs = with lib; programs =
if (toInt (elemAt (splitVersion config.system.nixos.release) 0) >= 23) then { with lib;
fzf = { if (toInt (elemAt (splitVersion config.system.nixos.release) 0) >= 23) then
keybindings = true; {
fuzzyCompletion = true; fzf = {
}; keybindings = true;
} else { }; fuzzyCompletion = true;
};
}
else
{ };
} }


@ -1,4 +1,5 @@
{ pkgs, inputs, ... }: { { pkgs, inputs, ... }:
{
programs.tmux = { programs.tmux = {
enable = true; enable = true;
keyMode = "vi"; keyMode = "vi";


@ -1,10 +1,10 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
{ {
programs.nix-ld ={ programs.nix-ld = {
enable = true; enable = true;
libraries = [ libraries = [
pkgs.stdenv.cc.cc pkgs.stdenv.cc.cc
]; ];
}; };
#environment.variables = { #environment.variables = {
# NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [ # NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [


@ -1,9 +1,15 @@
{ lib, pkgs, inputs, ... }: { {
lib,
pkgs,
inputs,
...
}:
{
nix = { nix = {
extraOptions = '' extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
narinfo-cache-negative-ttl = 0 narinfo-cache-negative-ttl = 0
''; '';
}; };
@ -12,8 +18,10 @@
# override default nix shell nixpkgs# behaviour to use current flake lock # override default nix shell nixpkgs# behaviour to use current flake lock
nix.registry = nix.registry =
let flakes = lib.filterAttrs (_name: value: value ? outputs) inputs.self.inputs; let
in builtins.mapAttrs (_name: v: { flake = v; }) flakes; flakes = lib.filterAttrs (_name: value: value ? outputs) inputs.self.inputs;
in
builtins.mapAttrs (_name: v: { flake = v; }) flakes;
nix.nixPath = lib.mapAttrsToList (name: value: "${name}=${value.outPath}") inputs.self.inputs; nix.nixPath = lib.mapAttrsToList (name: value: "${name}=${value.outPath}") inputs.self.inputs;


@ -1,4 +1,5 @@
{ ... }: { { ... }:
{
nix = { nix = {
extraOptions = '' extraOptions = ''
builders-use-substitutes = true builders-use-substitutes = true


@ -1,31 +1,36 @@
{ pkgs, inputs, ... }: { { pkgs, inputs, ... }:
{
environment.systemPackages = with pkgs; environment.systemPackages =
let with pkgs;
kicad = pkgs.kicad.override { let
addons = with pkgs.kicadAddons; [ kikit kikit-library ]; kicad = pkgs.kicad.override {
}; addons = with pkgs.kicadAddons; [
in kikit
[ kikit-library
# general ];
cmake };
gcc in
gef [
gdb # general
binutils cmake
binwalk gcc
clang gef
clang-tools gdb
direnv binutils
sops binwalk
nil clang
nixpkgs-fmt clang-tools
nix-index direnv
kicad sops
freecad-wayland nil
imhex nixpkgs-fmt
python313Full nix-index
]; kicad
freecad-wayland
imhex
python313Full
];
# Wireshark # Wireshark
programs.wireshark = { programs.wireshark = {


@ -4,23 +4,25 @@
environment.systemPackages = with pkgs; [ nfs-utils ]; environment.systemPackages = with pkgs; [ nfs-utils ];
services.rpcbind.enable = true; services.rpcbind.enable = true;
systemd.mounts = [{ systemd.mounts = [
type = "nfs"; {
mountConfig = { type = "nfs";
Options = "noatime"; mountConfig = {
}; Options = "noatime";
what = "10.13.37.5:/"; };
where = "/mnt/dvb"; what = "10.13.37.5:/";
}]; where = "/mnt/dvb";
}
];
systemd.automounts = [{ systemd.automounts = [
wantedBy = [ "multi-user.target" ]; {
requires = [ "wg-quick-wg-dvb.service" ]; wantedBy = [ "multi-user.target" ];
automountConfig = { requires = [ "wg-quick-wg-dvb.service" ];
TimeoutIdleSec = "600"; automountConfig = {
}; TimeoutIdleSec = "600";
where = "/mnt/dvb"; };
}]; where = "/mnt/dvb";
}
];
} }


@ -1,4 +1,5 @@
{ config, pkgs, ... }: { { config, pkgs, ... }:
{
imports = [ imports = [
./desktop-software.nix ./desktop-software.nix


@ -82,13 +82,15 @@ in
''; '';
}; };
systemd.user = { systemd.user = {
# Service and timer to sync imap to local maildir # Service and timer to sync imap to local maildir
services.mbsync = { services.mbsync = {
enable = true; enable = true;
after = [ "graphical.target" "network-online.target" ]; after = [
"graphical.target"
"network-online.target"
];
script = '' script = ''
${pkgs.isync}/bin/mbsync -q -a --config=${mbsyncConf} ${pkgs.isync}/bin/mbsync -q -a --config=${mbsyncConf}
''; '';
@ -110,7 +112,10 @@ in
# service and timer to flush the msmtp queue # service and timer to flush the msmtp queue
services.flush-msmtpq = { services.flush-msmtpq = {
enable = true; enable = true;
after = [ "graphical.target" "network-online.target" ]; after = [
"graphical.target"
"network-online.target"
];
script = '' script = ''
${pkgs.msmtp}/bin/msmtp-queue -r ${pkgs.msmtp}/bin/msmtp-queue -r
''; '';


@ -120,7 +120,9 @@
wl-mirror wl-mirror
]; ];
}; };
environment.sessionVariables = { GTK_THEME = "Adwaita:dark"; }; environment.sessionVariables = {
GTK_THEME = "Adwaita:dark";
};
xdg.portal = { xdg.portal = {
enable = true; enable = true;
wlr.enable = true; wlr.enable = true;


@ -9,7 +9,7 @@
USB_BLACKLIST = "1d50:604b 1d50:6089 1d50:cc15 1fc9:000c"; USB_BLACKLIST = "1d50:604b 1d50:6089 1d50:cc15 1fc9:000c";
CPU_SCALING_GOVERNOR_ON_AC = "performance"; CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
WIFI_PWR_ON_BAT= "off"; WIFI_PWR_ON_BAT = "off";
}; };
}; };
} }


@ -1,4 +1,9 @@
{ config, pkgs, inputs, ... }: {
config,
pkgs,
inputs,
...
}:
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
virt-manager virt-manager


@ -1,4 +1,5 @@
{ ... }: { { ... }:
{
imports = [ imports = [
# module # module
./module.nix ./module.nix


@ -4,11 +4,17 @@
oxalab.wg = [ oxalab.wg = [
{ {
networkName = "0xa-mgmt"; networkName = "0xa-mgmt";
CIDRs = [ "10.89.87.0/24" "fd31:185d:722e::/48" ]; CIDRs = [
"10.89.87.0/24"
"fd31:185d:722e::/48"
];
hosts = { hosts = {
"cloud" = { "cloud" = {
address = [ "10.89.87.1/24" "fd31:185d:722e::1/48" ]; address = [
"10.89.87.1/24"
"fd31:185d:722e::1/48"
];
publicKey = "zKSaw+SXzWgi/T7ByXHqPk1XNXXapoQYB8UPMTRmhm0="; publicKey = "zKSaw+SXzWgi/T7ByXHqPk1XNXXapoQYB8UPMTRmhm0=";
privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path; privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path;
endpoint = { endpoint = {
@ -20,12 +26,18 @@
}; };
"toaster" = { "toaster" = {
address = [ "10.89.87.100/24" "fd31:185d:722e::100/48" ]; address = [
"10.89.87.100/24"
"fd31:185d:722e::100/48"
];
publicKey = "H+WeYIBdX7ZHwkgm4BGnF0HF0JULkxyNMcvCviHhmks="; publicKey = "H+WeYIBdX7ZHwkgm4BGnF0HF0JULkxyNMcvCviHhmks=";
privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path; privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path;
}; };
"minime" = { "minime" = {
address = [ "10.89.87.10/24" "fd31:185d:722e::10/48" ]; address = [
"10.89.87.10/24"
"fd31:185d:722e::10/48"
];
publicKey = "zN2Dr/ZGMh1Ftparszp22Qnbz2ISJU12iDVatebOHUE="; publicKey = "zN2Dr/ZGMh1Ftparszp22Qnbz2ISJU12iDVatebOHUE=";
privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path; privateKeyFile = config.sops.secrets."wg/0xa-mgmt".path;
}; };


@ -1,8 +1,11 @@
{ lib {
, config lib,
, self config,
, registry self,
, ... }: { registry,
...
}:
{
config = config =
let let
@ -17,10 +20,20 @@
name = "30-wg-${net.networkName}"; name = "30-wg-${net.networkName}";
value = { value = {
matchConfig.Name = "wg-${net.networkName}"; matchConfig.Name = "wg-${net.networkName}";
networkConfig = { networkConfig =
Address = net.hosts.${currenthost}.address; {
IPv6AcceptRA = false; # for now static IPv6 Address = net.hosts.${currenthost}.address;
} // (if net.hosts.${currenthost}.endpoint.enable then {IPv4Forwarding=true; IPv6Forwarding=true; } else {}); IPv6AcceptRA = false; # for now static IPv6
}
// (
if net.hosts.${currenthost}.endpoint.enable then
{
IPv4Forwarding = true;
IPv6Forwarding = true;
}
else
{ }
);
}; };
}) networks; }) networks;
@ -45,8 +58,7 @@
wireguardPeers = wireguardPeers =
let let
endpoint = lib.attrsets.filterAttrs (_k: v: v.endpoint.enable) net.hosts; endpoint = lib.attrsets.filterAttrs (_k: v: v.endpoint.enable) net.hosts;
wg-peers-attrs = lib.attrsets.mapAttrs (_k: v: wg-peers-attrs = lib.attrsets.mapAttrs (_k: v: {
{
PersistentKeepalive = 29; PersistentKeepalive = 29;
PublicKey = v.publicKey; PublicKey = v.publicKey;
Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}"; Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}";
@ -55,19 +67,24 @@
wg-peers = lib.attrsets.attrValues wg-peers-attrs; wg-peers = lib.attrsets.attrValues wg-peers-attrs;
in in
wg-peers; wg-peers;
}; };
}) net-client; }) net-client;
netdev-client = builtins.listToAttrs netdev-client-list; netdev-client = builtins.listToAttrs netdev-client-list;
maskip = (net: hostattrs: maskip = (
if hostattrs.endpoint.enable then hostattrs.address else map (baseaddr: net: hostattrs:
if lib.strings.hasInfix "." baseaddr then "${baseaddr}/32" else "${baseaddr}/128" if hostattrs.endpoint.enable then
) (map (addr: builtins.elemAt (lib.strings.splitString "/" addr) 0) hostattrs.address)); hostattrs.address
else
map (baseaddr: if lib.strings.hasInfix "." baseaddr then "${baseaddr}/32" else "${baseaddr}/128") (
map (addr: builtins.elemAt (lib.strings.splitString "/" addr) 0) hostattrs.address
)
);
# endpoint # endpoint
# TODO: this requires bit more logic for allowedIPs if we have more then # TODO: this requires bit more logic for allowedIPs if we have more then
# 2 endpoints e.g. for routing client -> endpoint1 -> endpoint2 -> # 2 endpoints e.g. for routing client -> endpoint1 -> endpoint2 ->
# client2 # client2
netdev-endpoint-list = map (net: { netdev-endpoint-list = map (net: {
name = "30-wg-${net.networkName}"; name = "30-wg-${net.networkName}";
value = { value = {
netdevConfig = { netdevConfig = {
@ -79,19 +96,27 @@
wireguardPeers = wireguardPeers =
let let
peers = lib.attrsets.filterAttrs (k: _v: k != currenthost) net.hosts; peers = lib.attrsets.filterAttrs (k: _v: k != currenthost) net.hosts;
wg-peers-attrs = lib.attrsets.mapAttrs (_k: v: wg-peers-attrs = lib.attrsets.mapAttrs (
{ _k: v:
PersistentKeepalive = 29; {
PublicKey = v.publicKey; PersistentKeepalive = 29;
# only route to /32 or /128, i.e. single client PublicKey = v.publicKey;
AllowedIPs = maskip net v; # only route to /32 or /128, i.e. single client
} // (if !isNull v.endpoint.endpoint then { Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}"; } else {})) peers; AllowedIPs = maskip net v;
}
// (
if !isNull v.endpoint.endpoint then
{ Endpoint = "${v.endpoint.endpoint}:${toString v.endpoint.port}"; }
else
{ }
)
) peers;
wg-peers = lib.attrsets.attrValues wg-peers-attrs; wg-peers = lib.attrsets.attrValues wg-peers-attrs;
in in
wg-peers; wg-peers;
}; };
}) net-endpoint; }) net-endpoint;
netdev-endpoint = builtins.listToAttrs netdev-endpoint-list; netdev-endpoint = builtins.listToAttrs netdev-endpoint-list;
in in
{ {
@ -102,4 +127,4 @@
systemd.network.networks = systemd-networks; systemd.network.networks = systemd-networks;
systemd.network.netdevs = netdev-client // netdev-endpoint; systemd.network.netdevs = netdev-client // netdev-endpoint;
}; };
} }

View file

@ -1,79 +1,88 @@
{ lib
, ...}:
{ {
options.oxalab.wg = with lib; lib,
lib.mkOption { ...
default = []; }:
type = types.listOf (types.submodule { {
options = { options.oxalab.wg =
# general network stuff with lib;
networkName = mkOption { lib.mkOption {
type = types.nullOr types.str; default = [ ];
default = null; type = types.listOf (
}; types.submodule {
CIDRs = mkOption { options = {
type = types.nullOr (types.listOf types.str); # general network stuff
default = null; networkName = mkOption {
}; type = types.nullOr types.str;
default = null;
};
CIDRs = mkOption {
type = types.nullOr (types.listOf types.str);
default = null;
};
hosts = mkOption { hosts = mkOption {
default = {}; default = { };
type = types.attrsOf (types.submodule { type = types.attrsOf (
options = { types.submodule {
enable = mkOption {
type = types.bool;
default = true;
};
address = mkOption {
type = types.listOf types.str;
default = null;
};
publicKey = mkOption {
type = types.str;
default = null;
};
privateKeyFile = mkOption {
type = types.path;
default = null;
};
endpoint.enable = mkOption {
type = types.bool;
default = false;
};
endpoint.endpoint = mkOption {
type = types.nullOr types.str;
default = null;
};
endpoint.port = mkOption {
type = types.nullOr types.int;
default = null;
};
endpoint.publicIface = mkOption {
type = types.nullOr types.str;
default = null;
};
endpoint.extraPeers = mkOption {
default = [];
type = types.listOf (types.submodule {
options = { options = {
enable = mkOption {
type = types.bool;
default = true;
};
address = mkOption { address = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = null;
}; };
publicKey = mkOption { publicKey = mkOption {
type = types.str;
default = null;
};
privateKeyFile = mkOption {
type = types.path;
default = null;
};
endpoint.enable = mkOption {
type = types.bool;
default = false;
};
endpoint.endpoint = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
}; };
endpoint.port = mkOption {
type = types.nullOr types.int;
default = null;
};
endpoint.publicIface = mkOption {
type = types.nullOr types.str;
default = null;
};
endpoint.extraPeers = mkOption {
default = [ ];
type = types.listOf (
types.submodule {
options = {
address = mkOption {
type = types.listOf types.str;
default = [ ];
};
publicKey = mkOption {
type = types.nullOr types.str;
default = null;
};
};
}
);
};
}; };
}); }
}; );
}; };
}); };
}; }
}; );
}); };
};
} }


@ -1,75 +0,0 @@
{ gcc12Stdenv
, lib
, cmake
, ccache
, glfw
, glm
, magic-vlsi
, mbedtls
, freetype
, dbus
, capstone
, openssl
, pkg-config
, lld
, libGL
, wrapQtAppsHook
, fetchFromGitHub
}:
gcc12Stdenv.mkDerivation rec {
pname = "imhex";
version = "1.26.2";
src = fetchFromGitHub {
owner = "WerWolv";
repo = "ImHex";
rev = "v${version}";
fetchSubmodules = true;
sha256 = "sha256-H2bnRByCUAltngmVWgPW4vW8k5AWecOAzwtBKsjbpTw=";
};
nativeBuildInputs = [
cmake
pkg-config
lld
];
cmakeFlags = [
"-DCMAKE_BUILD_TYPE=Release"
# "-DCMAKE_INSTALL_PREFIX="/usr""
"-DCMAKE_C_COMPILER_LAUNCHER=ccache"
"-DCMAKE_CXX_COMPILER_LAUNCHER=ccache"
"-DCMAKE_C_FLAGS=-fuse-ld=lld"
"-DCMAKE_CXX_FLAGS=-fuse-ld=lld"
"-DCMAKE_OBJC_COMPILER_LAUNCHER=ccache"
"-DCMAKE_OBJCXX_COMPILER_LAUNCHER=ccache"
# looks like the cmake here tries to be "helpful"...
"-DFREETYPE_LIBRARY=${freetype.dev}"
"-DFREETYPE_INCLUDE_DIRS=${freetype.dev}"
"-DOPENGL_opengl_LIBRARY=${libGL.dev}"
"-DOPENGL_glx_LIBRARY=${libGL.dev}"
"-DOPENGL_INCLUDE_DIR=${libGL.dev}"
"-DMBEDTLS_LIBRARY=${mbedtls}"
"-DMBEDTLS_INCLUDE_DIRS=${mbedtls}"
"-DMBEDX509_LIBRARY=${mbedtls}"
"-DMBEDCRYPTO_LIBRARY=${mbedtls}"
"-DCMAKE_PREFIX_PATH=${glfw}"
"-DCMAKE_LIBRARY_PATH=${magic-vlsi}"
"-DCMAKE_PREFIX_PATH=${dbus.dev}"
];
BuildInputs = [
ccache
glfw
glm
magic-vlsi
mbedtls
freetype
dbus
openssl
capstone
libGL
];
}


@ -1,24 +0,0 @@
{ stdenv, lib, openssl, pkgconfig, fetchFromGitHub, rustPlatform }:
rustPlatform.buildRustPackage rec {
pname = "slick";
version = "0.10.0";
src = fetchFromGitHub {
owner = "nbari";
repo = pname;
rev = version;
sha256 = "sha256-GM9OHnySc3RVkfaK7yMf1LqpGdz3emq2H/3tSAph4jw=";
};
buildInputs = [ openssl pkgconfig ];
nativeBuildInputs = [ pkgconfig ];
cargoSha256 = "sha256-2WxFprq+AcXGXDMjMQvqKTkeWQEWM/z2Fz6qYPtSFGw=";
meta = with lib; {
description = "Async ZSH prompt";
homepage = "https://github.com/nbari/slick";
license = licenses.bsd3;
};
}