b12f/os
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Compare commits

merge into: b12f:feat/email
Branches Tags
b12f:main
b12f:feat/authelia
b12f:feat/email
b12f:b12f
...
pull from: b12f:main
Branches Tags
b12f:main
b12f:feat/authelia
b12f:feat/email
b12f:b12f

227 commits
feat/email ... main

Author SHA1 Message Date
b12f 196744c4b4
paperless: add state to hostingde invoice fetch script 2024-11-20 10:10:04 +01:00
b12f 01712acef7
ehex: add cloudflare-warp 2024-11-14 12:18:28 +01:00
b12f 9accabdc6a
ssh: separate mezza account for git.pub.solar 2024-11-12 22:30:16 +01:00
b12f dcfc8728b3
users/b12f: add momo emails 2024-11-12 22:15:12 +01:00
b12f 42ed7abf8a
modules/printing: add cups persistence back in 2024-11-12 22:12:12 +01:00
b12f 2fb9d847af
hosts/stroopwafel: use iwd for wireless networking 2024-11-12 22:11:29 +01:00
b12f d139443c59
users/b12f: add cat demo1-1 ssh host 2024-11-12 22:10:34 +01:00
b12f ecf15efb0e
modules/bluetooth: fix blueman-applet service config 2024-10-30 22:44:12 +01:00
b12f 757dceeec3
users/b12f: fix nextcloud-client service config 2024-10-30 22:43:50 +01:00
b12f 7f55c13245
users/b12f: add mezza ssh key 2024-10-30 22:43:29 +01:00
b12f cde6cb09fd
hosts/droppie: fix boot, remove unused services 2024-10-30 22:43:06 +01:00
b12f 06195facf3
modules/terminal-life: use new ts langserver 2024-10-30 18:17:05 +01:00
b12f d37db2b64f
modules/graphical: fix firefox idle-indicator on wayland 2024-10-26 22:07:27 +02:00
b12f 9a7d14a95f
modules/graphical: add wdisplay, bt config 2024-10-18 16:43:00 +02:00
b12f 3b2c24ab1e
flake: update nixpkgs inputs 
Includes fix for FF RCE https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
 2024-10-10 13:27:16 +02:00
b12f 0b8e4e2fab
modules/wireguard: use domain-specific DNS 2024-10-01 15:31:25 +02:00
b12f f721a54007
modules/wireguard: add momo network 2024-09-20 10:59:08 +02:00
b12f 67e5c533d9
modules/graphical: dedupe brightnessctl keybindings 2024-09-20 10:57:58 +02:00
b12f 32f46d4d7d
wireguard: add momo network 2024-09-13 15:45:20 +02:00
b12f edc1f68670
firefly: fix remote auth header config 2024-09-13 12:03:51 +02:00
b12f 3ed0b291f3
modules/terminal-life: improve neomutt theming 2024-09-12 17:05:20 +02:00
b12f ba78e0baf3
modules/terminal-life: remove unused base16 script 2024-09-12 13:59:25 +02:00
b12f 28933587b4
overlays: remove element-desktop electron 28 override 2024-09-12 13:59:05 +02:00
b12f 197f343bd5
hosts/pie: update authelia, firefly, invoiceplane 2024-09-12 13:58:32 +02:00
b12f fc71a1c816
pkgs: change invoice fetcher script to bash 2024-09-10 13:12:43 +02:00
b12f 01c0b30a98
frikandel: add disabled jellyfin and authelia forwards 2024-09-06 19:29:46 +02:00
b12f 7eb2b80e22
droppie: remove autostop 2024-09-06 19:29:34 +02:00
b12f f08bfc3145
pie/authelia: add jellyfin oidc config base 2024-09-06 19:29:08 +02:00
b12f ee324d57af
modules/terminal-life: use theme variables for fzf 2024-09-06 17:39:10 +02:00
b12f f015e9c6fa
pkgs/record-screen: hide wf-recorder 2024-09-06 17:38:43 +02:00
b12f 048e6a6bb4
hosts/frikandel: add jellyfin forward 2024-09-06 17:38:06 +02:00
b12f 451ed9928f
modules/graphical: move qt definition 2024-09-06 00:25:02 +02:00
b12f 3337c8665f
modules/graphical: fix sway screenrecord keybinding 2024-09-06 00:25:01 +02:00
b12f aca454bcfb
Merge branch 'main' of git.pub.solar:b12f/os 2024-09-05 17:30:39 +02:00
b12f 1cb9bd0cd3
modules/graphical: clean up sway config, fix screen recording 2024-09-05 01:22:56 +02:00
b12f cf857156cf
modules/graphical: add background to sway 2024-09-04 22:36:05 +02:00
b12f c62ed5a14b
modules/graphical: import sway theming file 2024-09-04 22:32:03 +02:00
b12f 165fa48bfa
style: improve theming with global variables 2024-09-04 22:28:41 +02:00
Benjamin Yule Bädorf 4fb46398d3
Merge branch 'main' of git.pub.solar:b12f/os 2024-08-30 14:58:47 +02:00
b12f 9fc9b6b5c8
modules/graphical: increase swaylock timings 2024-08-30 14:07:40 +02:00
b12f 286a0b32d1
mezza.biz: update website 2024-08-30 14:07:20 +02:00
b12f e3c1dca056
modules/wireguard: add new pub.solar hosts 2024-08-30 14:06:04 +02:00
b12f b0373ff19d
frikandel: deploy mezza.biz, update nixpkgs inputs 2024-08-24 21:39:20 +02:00
b12f 5d589621e8
graphical: add xbacklight 2024-08-24 21:12:05 +02:00
b12f b02770adea
modules/terminal-life: add nvim filetype handling for age secrets 2024-08-23 19:00:12 +02:00
b12f 483c486359
modules/terminal-life: update nvim keybindings 2024-08-23 18:59:52 +02:00
b12f 091767fbae
frikandel/email: make sure emails reach the right catch-all 2024-08-19 17:09:01 +02:00
b12f ddeed05da6
lint: lint with alejandra 2024-08-19 10:03:17 +02:00
b12f e630def7b6
overlays: use blesh from nixpkgs & lix instead of nix 2024-08-19 10:03:03 +02:00
b12f 8b860a4878
flake: update nixpkgs inputs 2024-08-19 10:02:42 +02:00
b12f 4ce7b4490c
cat: update hosts in ssh settings 2024-08-19 10:02:20 +02:00
b12f ff4af10e15
pkgs: update nvfetcher sources 2024-08-19 09:18:59 +02:00
b12f 50c182d827
terminal-life/nvim: lint vim files, add recent command telescope 2024-08-19 00:23:24 +02:00
b12f a1670dcb3d
lint: lint nix files with alejandra 2024-08-19 00:22:59 +02:00
b12f d67d75eda3
terminal-life: reduce nvim config, switch to telescope 2024-08-19 00:07:22 +02:00
b12f 6f3fce1d9f
user/b12f: don't use real name for all email addresses 2024-08-18 18:53:31 +02:00
b12f 9439ed4c44
email: add mail@b12f.io and mail@hzdomain 2024-08-16 21:33:49 +02:00
b12f 34050a14cc
pkgs: update nvfetcher packages 2024-08-16 19:03:16 +02:00
Benjamin Yule Bädorf 6bbc296337
wireguard: add tankstelle to pub.solar nodes 2024-08-16 10:54:55 +02:00
Benjamin Yule Bädorf 341491f7a7
networking: add frikandel initrd to hosts file 2024-08-16 10:54:06 +02:00
b12f b3800fb26f
terraform: halfway working DNS for hosting.de 2024-08-14 23:11:14 +02:00
b12f e712fd4515
deploy: take deploy-rs from cache 2024-08-14 10:35:17 +02:00
b12f b20b5d10b8
frikandel: rename wireguard secret 2024-08-14 10:35:03 +02:00
b12f 51e1b81040
yule: update email 2024-08-14 09:39:15 +02:00
b12f a3c77b42fb
terminal-life: use the user name instead of fullname for git 2024-08-14 09:38:05 +02:00
b12f fc64336279
printing: persist the right directory 2024-08-14 09:37:53 +02:00
b12f 1d1927d570
email: add hetzner email 2024-08-14 09:36:50 +02:00
Benjamin Yule Bädorf e64354a232
flake: update nixpkgs inputs 2024-08-09 16:14:27 +02:00
Benjamin Yule Bädorf 27f3ca7c0c
b12f: remove zoom 2024-07-16 10:26:18 +02:00
Benjamin Yule Bädorf 26e81588d6
wireguard: fix conflicting listening ports 2024-07-16 10:25:44 +02:00
Benjamin Yule Bädorf b5c30f5da7
boot: use hardened linux 6.6 LTS kernel 2024-07-02 09:42:57 +02:00
Benjamin Yule Bädorf 3d6c90a559
flake: update nixpkgs inputs 2024-07-01 18:38:53 +02:00
Benjamin Yule Bädorf c75a05d46a
printing: add cups directory to persistence 2024-07-01 18:38:28 +02:00
Benjamin Yule Bädorf eccda6cd08
osm: reenable openstreetmap on stroopwafel 2024-06-17 15:24:24 +02:00
Benjamin Yule Bädorf 45d6f56d1d
overlay: take ungoogled-chromium from 24.05 2024-06-17 15:24:09 +02:00
Benjamin Yule Bädorf ee611894f8
wireguard: remove with lib;, dedupe systemd service config 2024-06-17 15:23:32 +02:00
Benjamin Yule Bädorf 23af0457bb
flake: update nixpkgs inputs 2024-06-17 15:08:29 +02:00
Benjamin Yule Bädorf d016eee124
search: use search.pub.solar by default 2024-06-17 15:07:57 +02:00
Benjamin Yule Bädorf 9616093a21
wireguard: add ehex vpn 2024-06-11 14:57:33 +02:00
Benjamin Yule Bädorf b8a48cd704
nixos: more 24.05 fixes and updates 2024-06-03 12:30:14 +02:00
Benjamin Yule Bädorf 561361f771
email: update pub.solar mail host 2024-06-03 12:29:46 +02:00
Benjamin Yule Bädorf 46853a5bd2
dns: add stroopwafel and chocolatebar in wireguard 2024-06-03 12:29:05 +02:00
Benjamin Yule Bädorf dd16d7ddb7
nixos: update to 24.05 2024-06-02 23:47:00 +02:00
Benjamin Yule Bädorf 6c4990d40f
droppie: add /dev/sda1 2024-06-02 20:19:44 +02:00
Benjamin Yule Bädorf 3555a2a416
ssh: remove nistp SSH identity 2024-05-26 19:20:09 +02:00
Benjamin Yule Bädorf 6387f7a749
chocolatebar: don't use realtime kernel 2024-05-26 19:16:16 +02:00
Benjamin Yule Bädorf b9bc457494
secrets: add restic and rclone secret to chocolatebar 2024-05-26 19:11:26 +02:00
Benjamin Yule Bädorf 7e6dec32cc
yule: update password hash 2024-05-26 19:08:18 +02:00
Benjamin Yule Bädorf 948460ffc5
iso: open SSH port in firewall 2024-05-26 19:08:04 +02:00
Benjamin Yule Bädorf 6d62c706e9
public-keys: add id_bbcom as fallback 2024-05-26 19:07:14 +02:00
Benjamin Yule Bädorf 7ef1e0ec7b
flake: update nixpkgs inputs 2024-05-26 19:06:58 +02:00
Benjamin Yule Bädorf 7b4f1e0102
invoiceplane-templates: use https for fetching 2024-05-23 09:22:42 +02:00
Benjamin Yule Bädorf 70472a5c38
email: Add contact miom.space address 2024-05-19 14:18:08 +02:00
Benjamin Yule Bädorf 8b08a3afce
graphical: add wl-mirror 2024-05-16 11:36:55 +02:00
Benjamin Yule Bädorf 1bdbc70e98
flake: update nixpkgs inputs 2024-05-16 11:36:23 +02:00
Benjamin Yule Bädorf 1e40964857
home: reenable zoom :( 2024-04-26 15:22:48 +02:00
Benjamin Yule Bädorf ab956cf63a
nvim: show otherwise hidden characters 2024-04-19 10:56:31 +02:00
Benjamin Yule Bädorf 8ac837f481
desktop-extended: add nix-inspect 2024-04-15 16:22:06 +02:00
Benjamin Yule Bädorf 08eb16fc93
wireguard: make sure wg never blocks boot 2024-04-15 12:39:13 +02:00
Benjamin Yule Bädorf 54fc54285f
nvim: add filetypes for vto, add all treesitter grammars 2024-04-15 12:37:57 +02:00
Benjamin Yule Bädorf afa83a4e24
desktop-extended: add whalebird mastodon client 2024-04-15 12:37:31 +02:00
Benjamin Yule Bädorf 17ee75088a
email: add backups for local emails and maddy 2024-04-11 13:00:46 +02:00
Benjamin Yule Bädorf 5891c59c4f
paperless: add email creds to config 2024-04-09 20:15:39 +02:00
Benjamin Yule Bädorf cf485df2d2
firefly: fix auth proxying for importer 2024-04-09 20:15:14 +02:00
Benjamin Yule Bädorf e3fefc1cd1
Update invoiceplane template 2024-04-06 03:08:39 +02:00
Benjamin Yule Bädorf e79b99e3ed
authelia/invoiceplane: get working setup 2024-04-06 02:36:58 +02:00
Benjamin Yule Bädorf 9578d0fa1a
wireguard/ssh: add pub.solar wireguard config 2024-04-06 02:36:41 +02:00
Benjamin Yule Bädorf 3d2b5f7c78
desktop-extended: use ungoogled-chromium, multi-account matrix 2024-04-06 02:34:54 +02:00
Benjamin Yule Bädorf bc46a93be3
stroopwafel/openstreetmap: disable 2024-04-06 02:33:15 +02:00
Benjamin Yule Bädorf 6a9372853e
authelia: auth is working, but not the proxy 2024-04-03 21:56:48 +02:00
Benjamin Yule Bädorf 547bd4ca27
authelia: init 2024-04-03 21:56:47 +02:00
Benjamin Yule Bädorf 09d6f74e1a
wireguard: add pub.solar wireguard config 2024-04-03 21:56:03 +02:00
Benjamin Yule Bädorf 163e96c560
invoiceplane: make publicly available 2024-04-01 19:07:24 +02:00
Benjamin Yule Bädorf 5ee63e7e1c
firejail: remove chat apps 2024-04-01 17:17:36 +02:00
Benjamin Yule Bädorf e127ae6062
core/networking: harden all the things 2024-03-30 15:35:32 +01:00
Benjamin Yule Bädorf b3ff15b0a4
portable/check-battery: add DBUS env to fix notifications 2024-03-29 14:12:52 +01:00
Benjamin Yule Bädorf cb4c54ce38
email: badly obfuscate addresses 2024-03-28 17:18:18 +01:00
Benjamin Yule Bädorf b9f0063993
wireguard: let tunnel wait for private network 2024-03-27 15:22:46 +01:00
Benjamin Yule Bädorf e609bafe8b
home-manager: go back to 23.11 2024-03-27 15:22:24 +01:00
Benjamin Yule Bädorf 72aa907ebd
battery: set critical to 20% in waybar and check script 2024-03-27 11:37:07 +01:00
Benjamin Yule Bädorf 03b7e423cc
email/neomutt: improve keybindings, fix HTML emails 2024-03-27 10:25:39 +01:00
Benjamin Yule Bädorf bc06c14d98
graphical/waybar: improve styling 2024-03-27 00:06:53 +01:00
Benjamin Yule Bädorf 52bbd13a24
graphical: various improvements 
* Use mako home-manager module
* Use nextcloud-client home-manager module
* Urgent notifications go above fullscreen apps
* Add battery check with libnotify
* Increase waybar text sizing
 2024-03-26 23:58:04 +01:00
Benjamin Yule Bädorf 4bc5fd8ef2
email: enable imapnotify with automatic fetching 2024-03-26 22:20:39 +01:00
Benjamin Yule Bädorf 2924b5d1a0
email: use home-manager configuration options 2024-03-26 22:07:02 +01:00
Benjamin Yule Bädorf dd43281a4a
email: fix maddy email config for smtp submission 2024-03-25 19:13:19 +01:00
Benjamin Yule Bädorf f3804d23cc
initrd: take publicKeys from flake config 2024-03-25 19:12:45 +01:00
Benjamin Yule Bädorf 5c13335a52
graphical/sway: add option to only lock screen 2024-03-21 13:20:31 +01:00
Benjamin Yule Bädorf 429a6bf3e5
ssh: put gpg identity first, use pubkeys 2024-03-19 21:08:43 +01:00
Benjamin Yule Bädorf 6fb030837f
terraform: not-working update 2024-03-19 21:00:28 +01:00
Benjamin Yule Bädorf b0159584c5
crypto: remove yubikey-agent, use gpg-agent 2024-03-19 19:58:50 +01:00
Benjamin Yule Bädorf 9f655984a0
docs: update readme 2024-03-19 19:58:32 +01:00
Benjamin Yule Bädorf f6c357c6cb
ssh: centralize pubkey management 2024-03-19 19:29:57 +01:00
Benjamin Yule Bädorf 6a42fa725d
wireguard: add fp3 config 2024-03-19 18:39:14 +01:00
Benjamin Yule Bädorf 307ae5a370
b12f/session: update restic respository variable 2024-03-19 18:34:36 +01:00
Benjamin Yule Bädorf 9bbe723d7c
flake: update nixpkgs inputs 2024-03-19 18:34:11 +01:00
Benjamin Yule Bädorf 4fd587788b
paperless: update hostingde fetcher binary 2024-03-19 18:33:13 +01:00
Benjamin Yule Bädorf e54e5cbc54
update: update nixpkgs & nvfetcher, use nixd from flake 
nixd is using a version of nix marked as unsafe:
https://github.com/nix-community/nixd/issues/357
 2024-03-12 17:20:34 +01:00
Benjamin Yule Bädorf e135ac3e4d
paperless: add automated hostingde invoice fetching 2024-03-12 12:17:59 +01:00
Benjamin Yule Bädorf 7466d926b3
chocolatebar/vm: reduce memory size 2024-03-10 22:25:06 +01:00
Benjamin Yule Bädorf c12b2571d9
core: nvfetcher updates 2024-03-10 22:23:53 +01:00
Benjamin Yule Bädorf b51f20a512
flake: update nixpkgs inputs 2024-03-06 17:57:48 +01:00
Benjamin Yule Bädorf 28e9b35f6e
jellyfin: init jellyfin on droppie 2024-02-27 09:44:11 +01:00
Benjamin Yule Bädorf be7c29ecc0
stroopwafel/osm: init openstreetmap 2024-02-27 09:41:53 +01:00
Benjamin Yule Bädorf 48c7a5f072
user: remove unused mimeapps.list file 2024-02-24 19:13:56 +01:00
Benjamin Yule Bädorf 5c94031778
nvim: add leader shortcut for windows closing 2024-02-18 21:18:02 +01:00
Benjamin Yule Bädorf d5ce7067e1
pie/dns: fix b12f.io DNS 2024-02-16 11:18:35 +01:00
Benjamin Yule Bädorf a16a153e76
wireguard: fix routing w/ tunneled wireguard 2024-02-13 00:27:30 +01:00
Benjamin Yule Bädorf c8c32f5203
wireguard: add public network 2024-02-12 16:46:46 +01:00
Benjamin Yule Bädorf 540450fd6b
stroopwafel/sway: fix sway screen brightness keybinding 2024-02-09 14:12:26 +01:00
Benjamin Yule Bädorf 5ee143978f
ehex: update VPN settings, still not working 2024-02-08 23:30:27 +01:00
Benjamin Yule Bädorf 1169873bac
networking: remove pie from hosts file, add droppie-initrd 2024-02-08 23:29:44 +01:00
Benjamin Yule Bädorf c34577a7df
droppie/impermanence: use module 2024-02-08 23:28:41 +01:00
Benjamin Yule Bädorf f54229e68e
persistence: make /etc/nixos bind mount 2024-02-08 19:27:28 +01:00
Benjamin Yule Bädorf 5abeeb8751
wireguard: change network to 10.13.12.0/24 2024-02-08 19:23:22 +01:00
Benjamin Yule Bädorf 67e924f022
stroopwafel/bluetooth: fix bind mount with impermanence 2024-02-08 19:00:15 +01:00
Benjamin Yule Bädorf 5cbe522ba0
secrets/fwknoprc: fix secret 2024-02-06 19:23:13 +01:00
Benjamin Yule Bädorf b4e559155a
pie/wireguard: don't use wireguard DNS 2024-02-06 09:44:41 +01:00
Benjamin Yule Bädorf ee7d2cbf49
initrd/networking: manually set networking 2024-02-05 23:56:19 +01:00
Benjamin Yule Bädorf 3e0f8438c1
initrd/networking: manually set networking 2024-02-04 01:05:28 +01:00
Benjamin Yule Bädorf 5fe27940b4
b12f: enable u2f for login, update ssh keys 2024-02-04 01:04:42 +01:00
Benjamin Yule Bädorf af0d54a64d
ssh: add new gpg-based ssh keys 2024-02-04 01:03:52 +01:00
Benjamin Yule Bädorf 985f30c2b9
secrets: rekey for new droppie host key 2024-02-04 01:02:59 +01:00
Benjamin Yule Bädorf 6f75453e7c
droppie: reinstall droppie, update keys 2024-02-03 20:58:18 +01:00
Benjamin Yule Bädorf f197c7ec75
frikandel/b12f.io: update site with new gpg key 2024-02-03 15:57:00 +01:00
Benjamin Bädorf c5900580a9
b12f: improve user real name 2024-02-03 15:05:02 +01:00
Benjamin Bädorf 9e23f0bd65
ssh: fix ssh login with new yubi keys fido2 2024-02-03 15:02:24 +01:00
Benjamin Bädorf 5bc46fc64c
auth/sudo: enable u2f for sudo via pam module 2024-02-03 15:01:56 +01:00
Benjamin Bädorf 2f3397354f
gpg/ssh: remove ssh support for GPG agent 2024-02-03 14:57:26 +01:00
Benjamin Bädorf 118ec36c0e
desktop/social: add cinny-desktop for matrix 2024-02-03 14:56:33 +01:00
Benjamin Bädorf d6cd678e92
nvim: update tab and window keybindings, ag in hidden folders 2024-02-03 13:18:49 +01:00
Benjamin Bädorf 79f38313c6
email/clients: update gpg keys 2024-02-03 13:18:20 +01:00
Benjamin Bädorf 54c8651494
ssh/keys: add yubi ssh fido2 keys to user dir 2024-02-03 13:17:29 +01:00
Benjamin Bädorf a5d005247e
crypto/secrets: add yubikey identities 2024-02-03 12:21:27 +01:00
Benjamin Bädorf 2676777d37
stroopwafel/graphical: reduce screen zoom 2024-02-02 19:57:17 +01:00
Benjamin Bädorf 65cac0b1a4
pie/dhcp: make sure pie ip-address is reserved 2024-02-02 10:14:01 +01:00
Benjamin Bädorf 111301457f
biolimo/sway: remove useless screen config 2024-02-02 10:13:40 +01:00
Benjamin Bädorf f92644693a
stroopwafel: fix screens, inputs, and nm persistence 2024-02-02 10:00:51 +01:00
Benjamin Bädorf ce1e00d5b0
pie/networking: fix dns resolver collision 2024-02-01 22:37:47 +01:00
Benjamin Bädorf e694009287
secrets: add stroopwafel host key and rekey 2024-01-29 23:20:00 +01:00
Benjamin Bädorf 2ebc6d33a9
stroopwafel/networking: close ssh firewall 2024-01-29 23:19:49 +01:00
Benjamin Bädorf e2052d7edf
stroopwafel/persistence: add /etc/nixos repo 2024-01-29 23:19:24 +01:00
Benjamin Bädorf 6b6a925283
flake: remove nix config breaking direnv 2024-01-29 23:15:21 +01:00
Benjamin Bädorf 037f29dea8
desktop-extended: remove concourse pkgs 2024-01-29 23:04:56 +01:00
Benjamin Bädorf 39b340f825
core: use latest linux kernel by default 2024-01-29 23:04:30 +01:00
Benjamin Bädorf b029aea63a
biolimo/chocolatebar: small networking reshuffling 2024-01-29 23:03:27 +01:00
Benjamin Bädorf 6783226919
pie/paperless: align img2pdf versions 2024-01-29 23:02:05 +01:00
Benjamin Bädorf 37970d9b58
stroopwafel/disk: enable docker persistence 2024-01-28 00:56:49 +01:00
Benjamin Bädorf 3299b75f14
stroopwafel/dhcp: enable dhcp for wifi device 2024-01-28 00:56:27 +01:00
Benjamin Bädorf d34dac1a13
feat/stroopwafel: delete your darlings 2024-01-28 00:40:41 +01:00
Benjamin Bädorf 78b8300a80
stroopwafel/networking: enable wireguard 2024-01-28 00:02:58 +01:00
Benjamin Bädorf 0f7bbe153c
feat: stroopwafel 2024-01-27 23:53:36 +01:00
Benjamin Bädorf 1f8d502fa7
fix: also add zoom to allowed nonfree 2024-01-24 21:17:53 +01:00
Benjamin Bädorf 41387a3f38
feat: non-working ehex VPN 2024-01-24 21:17:31 +01:00
Benjamin Bädorf 71f442aeea
fix: remove unused v4l2loopback devices 2024-01-24 21:05:34 +01:00
Benjamin Bädorf d573f60ddd
fix: make element and signal work with wayland 2024-01-24 21:05:09 +01:00
Benjamin Bädorf 08f77c4641
feat: add verkstedt and ehex mail config 2024-01-24 21:04:46 +01:00
Benjamin Bädorf 8e98d807cb
feat: add zoom-us :r 2024-01-24 21:04:20 +01:00
Benjamin Bädorf d17bc480be
fix: don't make CaT VPN config user-readable 2024-01-24 21:03:04 +01:00
Benjamin Bädorf 28786af37b
feat: use systemd-resolved so VPN & WG DNS works 2024-01-24 21:02:10 +01:00
Benjamin Bädorf 099fd5a354
chore: update flake dependencies 2024-01-24 21:01:35 +01:00
Benjamin Bädorf 3a0358d0f8
feat: make full tunnel wireguard optional 2024-01-05 15:06:49 +01:00
Benjamin Bädorf 6e2798a0d4
fix: fix mail@b12f.io 2024-01-03 21:08:59 +01:00
Benjamin Bädorf 523837b276
chore: disable spotifyd 2024-01-03 19:56:43 +01:00
Benjamin Bädorf 30a97b1029
feat: use frikandel as vpn for everything 2024-01-03 19:56:24 +01:00
Benjamin Bädorf 33fce57409
fix: update pub.solar email server 2024-01-03 19:55:45 +01:00
Benjamin Bädorf f87d183cc4
chore: update to 23.11! 2023-12-17 17:14:19 +01:00
Benjamin Bädorf 0accd47e62
fix: enable smart autoident for nvim 2023-12-13 11:53:58 +01:00
Benjamin Bädorf 27b0ef55bb
chore: update nixpkgs 2023-12-13 11:53:58 +01:00
Benjamin Bädorf 6cf2598db4
chore/mailing: update signature data for git and web 2023-12-06 16:21:07 +01:00
Benjamin Bädorf b8f2c04583
chocolatebar/audio: move audio settings, add RT pipewire config 2023-12-05 22:43:03 +01:00
Benjamin Bädorf 4bca094b0e
fix/chocolatebar: increase swap size so hibernation fits 2023-12-05 22:42:34 +01:00
Benjamin Bädorf a71be80f25
feat: allow SFTP on pie 2023-12-05 22:42:23 +01:00
Benjamin Bädorf 52717da2db
fix: dedupe offlineimap python file 2023-12-01 15:12:59 +01:00
Benjamin Bädorf fa4c986d44
feat: add lipperschwabe.design ssh config 2023-11-22 12:57:16 +01:00
Benjamin Bädorf f9d15b8109
Merge branch 'main' of git.pub.solar:b12f/os 2023-11-22 12:20:21 +01:00
Benjamin Bädorf 8405999277
fix: use internal scan2paperless 2023-11-20 17:29:03 +01:00
Benjamin Bädorf e253a136a0
fix: use DHCP for droppie ipv4 2023-11-18 21:44:51 +01:00
Benjamin Bädorf 0730673921
chore: update b12f.io 2023-11-18 21:44:39 +01:00
Benjamin Bädorf 3ce15a1bef
chore: update b12f.io 2023-11-16 19:29:47 +01:00
Benjamin Bädorf 945bc6498c
chore: update b12f.io 2023-11-16 17:13:52 +01:00
Benjamin Bädorf 137a9f6ea2
chore: update website 2023-11-16 11:44:32 +01:00
Benjamin Bädorf 2814f8eb56
chore: add github token to env 2023-11-15 11:53:47 +01:00
Benjamin Bädorf ea93a58ae5
fix: use correct SSL cert for firefly importer 2023-11-14 22:52:43 +01:00
Benjamin Bädorf 3661395dff
fix: invoiceplane nginx config 2023-11-14 22:20:01 +01:00
Benjamin Bädorf 64320ce414
fix: update imap port for mail.b12f.io 2023-11-14 19:29:03 +01:00
Benjamin Bädorf 29e183b0c7
feat: use ACME and nginx instead of caddy 2023-11-14 18:44:46 +01:00
267 changed files with 6359 additions and 4682 deletions
Show stats Expand all files Collapse all files

4
.editorconfig
View file

@ -20,8 +20,8 @@ indent_style = unset
indent_size = unset
[{.*,secrets}/**]
end_of_line = unset
insert_final_newline = unset
end_of_line = false
insert_final_newline = false
trim_trailing_whitespace = unset
charset = unset
indent_style = unset

46
README.md
View file

@ -1,46 +1,4 @@
# PubSolarOS
# b12f's nix config
Welcome to PubSolarOS, a very opiniated Linux (NixOS) distribution for the nerdy.
This is my nix configuration. Questions? Ask me :)
We're creating this distribution for our own personal use and fun, but
take pride in our craft. As of 14.08.22 it's running on 14 physical devices,
both `x86_64` and `aarch64`.
At its core, it's a NixOS installation running our configuration. The UX
decisions and the way the project is structured are what make it
_PubSolarOS_:
- Reproducibility is king, and the future is with declarative and functional
programming. Even if Nix does not turn out to be the end-all-be-all of
reproducible package management (Guix looks good), it has a plethora
of packages, a very active and helpful community, and very solid
software engineering practices.
- Because reproducibility is king, we're using nix flakes for locking flake
dependencies. [Digga](https://github.com/divnix/digga) is our flake
utility library, made by the wonderful people of the Divnix community.
- Physical devices are not shared anymore nowadays. Only seldomly will you
find shared devices that need more than one user account. For this
reason, only one user (excluding `root`) is assumed.
- Keyboard navigation wins where it matters; ergonomics, programmability,
efficiency, and speed. We use a tiling window manager (`sway`) and
prioritize cli-based solutions where sensible. The editor is `neovim`
configured to be just as opiniated as the operating system it is a part
of. For mailing, `neomutt` is the default, but we're more divided on
that part.
- We like new and shiny things, so we've moved to Wayland and pipewire.
- SICHERHEIT is written in capital letters at pub.solar, so we have first-
class disk-encryption support. Currently in the works is a paranoid
mode where the device can only hibernate (no more sleep or lockscreen)
so your data is locked any time you leave the device.
- Free software is better. If we can avoid it, nonfree software is avoided.
By default, `allowUnfree` is `false` so we don't ship non-free software
in a basic PubSolarOS ISO. However, nothing prevents you from using
as much non-free software as you like.
- Automation is better. The reproducibility of nix feels so much more
powerful once you're deploying your new configuration from your laptop
to all your other devices with one command. [We have an automated CI using drone](https://ci.pub.solar/pub-solar/os).
- Community is important. We just like working on this together, and it
feels really good to see our progress at the end of a
[hakken.irl](https://pub.solar/hakken) session.
To get started, take a look at the quick start guide in our docs.

555
flake.lock
View file

@ -3,17 +3,17 @@
"adblock-unbound": {
"inputs": {
"adblockStevenBlack": "adblockStevenBlack",
"flake-utils": "flake-utils",
"lancache-domains": "lancache-domains",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1688055723,
"narHash": "sha256-8WtkSAr4qYA3o6kiOCESK3rHJmIsa6TMBrT3/Cbfvro=",
"lastModified": 1704832551,
"narHash": "sha256-6xS/ANMIh3b4Ia3Ubl9rtb3LVw9QldihnP3IvuG9zwQ=",
"owner": "MayNiklas",
"repo": "nixos-adblock-unbound",
"rev": "9356ccd526fdcf91bfee7f0ebebae831349d43cc",
"rev": "a5d3731836b1c2ca65834e07be03c02daca5b434",
"type": "github"
},
"original": {
@ -41,16 +41,18 @@
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
]
],
"systems": "systems"
},
"locked": {
"lastModified": 1682101079,
"narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
"lastModified": 1716561646,
"narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
"owner": "ryantm",
"repo": "agenix",
"rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
"rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
"type": "github"
},
"original": {
@ -67,11 +69,11 @@
]
},
"locked": {
"lastModified": 1696360011,
"narHash": "sha256-HpPv27qMuPou4acXcZ8Klm7Zt0Elv9dgDvSJaomWb9Y=",
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "8b6ea26d5d2e8359d06278364f41fbc4b903b28a",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
@ -84,22 +86,22 @@
"deno2nix": {
"inputs": {
"devshell": "devshell",
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_3"
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1686513235,
"narHash": "sha256-gVYRft/579iBC1J3gukn1CMIWrKksHm/GRA47+nvXRc=",
"ref": "refs/heads/main",
"rev": "193e1c9447d56fe434e4ab0983b2bb92f1c22255",
"revCount": 36,
"type": "git",
"url": "https://git.pub.solar/b12f/deno2.nix.git"
"lastModified": 1694341738,
"narHash": "sha256-zEosA90LiNd3/EFpZNKs7XPdY7PIsat19I6uJb/MuYU=",
"owner": "SnO2WMaN",
"repo": "deno2nix",
"rev": "38dcc186763ab930acd1d751b4bfe3c0bd606ef3",
"type": "github"
},
"original": {
"type": "git",
"url": "https://git.pub.solar/b12f/deno2.nix.git"
"owner": "SnO2WMaN",
"repo": "deno2nix",
"type": "github"
}
},
"deploy-rs": {
@ -113,11 +115,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1695052866,
"narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=",
"lastModified": 1715699772,
"narHash": "sha256-sKhqIgucN5sI/7UQgBwsonzR4fONjfMr9OcHK/vPits=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9",
"rev": "b3ea6f333f9057b77efd9091119ba67089399ced",
"type": "github"
},
"original": {
@ -128,19 +130,21 @@
},
"devshell": {
"inputs": {
"flake-utils": [
"deno2nix",
"flake-utils"
],
"nixpkgs": [
"scan2paperless",
"deno2nix",
"nixpkgs"
],
"systems": "systems"
]
},
"locked": {
"lastModified": 1685972731,
"narHash": "sha256-VpwVUthxs3AFgvWxGTHu+KVDnS/zT3xkCtmjX2PjNQs=",
"lastModified": 1667210711,
"narHash": "sha256-IoErjXZAkzYWHEpQqwu/DeRNJGFdR7X2OGbkhMqMrpw=",
"owner": "numtide",
"repo": "devshell",
"rev": "6b2554d28d46bfa6e24b941e999a145760dad0e1",
"rev": "96a9dd12b8a447840cc246e17a47b81a4268bba7",
"type": "github"
},
"original": {
@ -152,17 +156,16 @@
"devshell_2": {
"inputs": {
"nixpkgs": [
"scan2paperless",
"mezza-biz",
"nixpkgs"
],
"systems": "systems_3"
]
},
"locked": {
"lastModified": 1698410321,
"narHash": "sha256-MphuSlgpmKwtJncGMohryHiK55J1n6WzVQ/OAfmfoMc=",
"lastModified": 1722113426,
"narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=",
"owner": "numtide",
"repo": "devshell",
"rev": "1aed986e3c81a4f6698e85a7452cbfcc4b31a36e",
"rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae",
"type": "github"
},
"original": {
@ -174,11 +177,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
@ -190,11 +193,11 @@
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -208,11 +211,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1693611461,
"narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=",
"lastModified": 1717285511,
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca",
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
"type": "github"
},
"original": {
@ -221,49 +224,82 @@
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
"lastModified": 1717285511,
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_3"
},
"locked": {
"lastModified": 1722555600,
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_4"
},
"locked": {
"lastModified": 1714606777,
"narHash": "sha256-bMkNmAXLj8iyTvxaaD/StcLSadbj1chPcJOjtuVnLmA=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "4d34ce6412bc450b1d4208c953dc97c7fc764f1a",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-root": {
"locked": {
"lastModified": 1713493429,
"narHash": "sha256-ztz8JQkI08tjKnsTpfLqzWoKFQF4JGu2LRz8bkdnYUk=",
"owner": "srid",
"repo": "flake-root",
"rev": "bc748b93b86ee76e2032eecda33440ceb2532fcd",
"type": "github"
},
"original": {
"owner": "srid",
"repo": "flake-root",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1685518550,
"narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
@ -275,32 +311,127 @@
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1695108154,
"narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "07682fff75d41f18327a871088d20af2710d4744",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-23.05",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1716736833,
"narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1708968331,
"narHash": "sha256-VUXLaPusCBvwM3zhGbRIJVeYluh2uWuqtj4WirQ1L9Y=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "a33ef102a02ce77d3e39c25197664b7a636f9c30",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"invoiceplane-template": {
"inputs": {
"flake-parts": "flake-parts_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1712364633,
"narHash": "sha256-BfdaBTDA07ijUrK47aa8AMDTBB3nWYm74CBAwd/mllg=",
"ref": "refs/heads/main",
"rev": "8056309d6cf694647262a11415aceac68015cfd2",
"revCount": 22,
"type": "git",
"url": "https://git.pub.solar/b12f/invoiceplane-templates.git"
},
"original": {
"type": "git",
"url": "https://git.pub.solar/b12f/invoiceplane-templates.git"
}
},
"lancache-domains": {
"flake": false,
"locked": {
"lastModified": 1679999806,
"narHash": "sha256-oDZ2pSf8IgofRS4HaRppGcd4kHQj48AC9dkS++avYy8=",
"owner": "uklans",
"repo": "cache-domains",
"rev": "31b2ba1e0a7c419327cb97f589b508d78b9aecbf",
"type": "github"
},
"original": {
"owner": "uklans",
"repo": "cache-domains",
"type": "github"
}
},
"mezza-biz": {
"inputs": {
"devshell": "devshell_2",
"flake-parts": "flake-parts_3",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1724541053,
"narHash": "sha256-bQiwF08H8GEi7lxNiJKc4Gu42K7zYeDPPqRCNYVnp7U=",
"ref": "refs/heads/main",
"rev": "0ee615488dec2685cee6ed558cbfcf9840e92b94",
"revCount": 10,
"type": "git",
"url": "https://git.pub.solar/b12f/mezza.biz.git"
},
"original": {
"type": "git",
"url": "https://git.pub.solar/b12f/mezza.biz.git"
}
},
"mobile-nixos": {
"flake": false,
"locked": {
"lastModified": 1696124168,
"narHash": "sha256-EzGHYAR7rozQQLZEHbKEcb5VpUFGoxwEsM0OWfW4wqU=",
"lastModified": 1715627339,
"narHash": "sha256-HJ6V7hc64iBqXlZ8kH4sXmUzPH+0Hn6wYURmZmL5LFk=",
"owner": "nixos",
"repo": "mobile-nixos",
"rev": "7cee346c3f8e73b25b1cfbf7a086a7652c11e0f3",
"rev": "655c8830d5fe2eae79c8fc0bab8033b34c8456eb",
"type": "github"
},
"original": {
@ -311,14 +442,14 @@
},
"musnix": {
"inputs": {
"nixpkgs": "nixpkgs"
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1690426816,
"narHash": "sha256-vvOrLE6LlBVYigA1gSrlkknFwfuq9qmLA4h6ubiJ22g=",
"lastModified": 1716767591,
"narHash": "sha256-e7mG0KhSnMkdgIGPKw6Bs2B6D44B/GB6Zo0NgxFxJTc=",
"owner": "musnix",
"repo": "musnix",
"rev": "e651b06f8a3ac7d71486984100e8a79334da8329",
"rev": "65f1b5863ff6157d4870ed177e8ccd82e21127ad",
"type": "github"
},
"original": {
@ -327,13 +458,34 @@
"type": "github"
}
},
"nixd": {
"inputs": {
"flake-parts": "flake-parts_4",
"flake-root": "flake-root",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1717293270,
"narHash": "sha256-twDibXDWwmySk6C/hFUpeBewB5heSyCDDHWOAeRSp40=",
"owner": "nix-community",
"repo": "nixd",
"rev": "be5ad5ec113595e2900e6391a08cf0e4784a9cfe",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "main",
"repo": "nixd",
"type": "github"
}
},
"nixos-flake": {
"locked": {
"lastModified": 1692742948,
"narHash": "sha256-19LQQFGshuQNrrXZYVt+mWY0O3NbhEXeMy3MZwzYZGo=",
"lastModified": 1716406291,
"narHash": "sha256-qHjJ6alc4o3p51hrPp3JGdC5Pbz5EjF+UZq1HbK8av0=",
"owner": "srid",
"repo": "nixos-flake",
"rev": "2c25190ceacdaaae7e8afbecfa87096bb499a431",
"rev": "aa9100167350cbdffaa272b0fd382d7c23606b86",
"type": "github"
},
"original": {
@ -344,11 +496,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1686838567,
"narHash": "sha256-aqKCUD126dRlVSKV6vWuDCitfjFrZlkwNuvj5LtjRRU=",
"lastModified": 1717248095,
"narHash": "sha256-e8X2eWjAHJQT82AAN+mCI0B68cIDBJpqJ156+VRrFO0=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89",
"rev": "7b49d3967613d9aacac5b340ef158d493906ba79",
"type": "github"
},
"original": {
@ -359,28 +511,64 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1690272529,
"narHash": "sha256-MakzcKXEdv/I4qJUtq/k/eG+rVmyOZLnYNC2w1mB59Y=",
"owner": "NixOS",
"lastModified": 1670332253,
"narHash": "sha256-O5SmhlIUt1s+vK4NXeGYqwcBIMwbBPAEZ3GHE3XT28c=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ef99fa5c5ed624460217c31ac4271cfb5cb2502c",
"rev": "1c9ffcf70786f0966982ce0fc76ec05df2e1dec2",
"type": "github"
},
"original": {
"owner": "NixOS",
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1717284937,
"narHash": "sha256-lIbdfCsf8LMFloheeE6N31+BMIeixqyQWbSr2vk79EQ=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
}
},
"nixpkgs-lib_2": {
"locked": {
"lastModified": 1717284937,
"narHash": "sha256-lIbdfCsf8LMFloheeE6N31+BMIeixqyQWbSr2vk79EQ=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
}
},
"nixpkgs-lib_3": {
"locked": {
"lastModified": 1722555339,
"narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
}
},
"nixpkgs-lib_4": {
"locked": {
"dir": "lib",
"lastModified": 1693471703,
"narHash": "sha256-0l03ZBL8P1P6z8MaSDS/MvuU8E75rVxe5eE1N6gxeTo=",
"lastModified": 1714253743,
"narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3e52e76b70d5508f3cec70b882a29199f4d1ee85",
"rev": "58a1abdbae3217ca6b702f03d3b35125d88a2994",
"type": "github"
},
"original": {
@ -393,11 +581,11 @@
},
"nixpkgs-master": {
"locked": {
"lastModified": 1699821893,
"narHash": "sha256-YYF1RM+gqwr2VXjRGGLQQdceOZCzseDMQKG0znCHg/M=",
"lastModified": 1728551786,
"narHash": "sha256-wO3aWtTYEdaDwUdbA2bj3PTBKu3idTolOOnrPnzRo8o=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b0e3e12d6c672ed87dd5a02501cc00c5412b1181",
"rev": "565db77725e0d5b0b448ecf4998239c3fddd374a",
"type": "github"
},
"original": {
@ -409,11 +597,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1699099776,
"narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=",
"lastModified": 1728492678,
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"type": "github"
},
"original": {
@ -425,75 +613,94 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1699596684,
"narHash": "sha256-XSXP8zjBZJBVvpNb2WmY0eW8O2ce+sVyj1T0/iBRIvg=",
"owner": "nixos",
"lastModified": 1716509168,
"narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "da4024d0ead5d7820f6bd15147d3fe2a0c0cec73",
"rev": "bfb7a882678e518398ce9a31a881538679f6f092",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.05",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1686412476,
"narHash": "sha256-inl9SVk6o5h75XKC79qrDCAobTD1Jxh6kVYTZKHzewA=",
"lastModified": 1714562304,
"narHash": "sha256-Mr3U37Rh6tH0FbaDFu0aZDwk9mPAe7ASaqDOGgLqqLU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bcd44e224fd68ce7d269b4f44d24c2220fd821e7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1728500571,
"narHash": "sha256-dOymOQ3AfNI4Z337yEwHGohrVQb4yPODCW9MDUyAc4w=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "21951114383770f96ae528d0ae68824557768e81",
"rev": "d51c28603def282a24fa034bcb007e2bcb5b5dd0",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"openstreetmap": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1708750443,
"narHash": "sha256-fUIT9v5FGy9KbbPKBVcxw2rwxqLZUVElqTtZWM7FiNI=",
"owner": "tfc",
"repo": "nixos-openstreetmap",
"rev": "0fd30b016eb838395d85948b9ecf00ff59b4581d",
"type": "github"
},
"original": {
"owner": "tfc",
"repo": "nixos-openstreetmap",
"type": "github"
}
},
"root": {
"inputs": {
"adblock-unbound": "adblock-unbound",
"agenix": "agenix",
"deno2nix": "deno2nix",
"deploy-rs": "deploy-rs",
"flake-compat": "flake-compat",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"home-manager": "home-manager",
"home-manager": "home-manager_2",
"impermanence": "impermanence",
"invoiceplane-template": "invoiceplane-template",
"mezza-biz": "mezza-biz",
"mobile-nixos": "mobile-nixos",
"musnix": "musnix",
"nixd": "nixd",
"nixos-flake": "nixos-flake",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs_4",
"nixpkgs-master": "nixpkgs-master",
"nixpkgs-unstable": "nixpkgs-unstable",
"scan2paperless": "scan2paperless"
}
},
"scan2paperless": {
"inputs": {
"deno2nix": "deno2nix",
"devshell": "devshell_2",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1699822578,
"narHash": "sha256-+HO37PHDfJ/pv6NSEE7Yk8b0X22bCZbdP1v2sFnEo9c=",
"ref": "refs/heads/main",
"rev": "8d2f814a0ab37e8af2abaf95c6776771603cfc88",
"revCount": 13,
"type": "git",
"url": "https://git.pub.solar/b12f/scan2paperless.git"
},
"original": {
"type": "git",
"url": "https://git.pub.solar/b12f/scan2paperless.git"
"openstreetmap": "openstreetmap",
"themes": "themes"
}
},
"systems": {
@ -526,43 +733,31 @@
"type": "github"
}
},
"systems_3": {
"themes": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"lastModified": 1715166503,
"narHash": "sha256-eG3+PTzJntnMrO9J2fCtshU+XX18uI8iIjDKU9NkJXA=",
"owner": "RGBCube",
"repo": "ThemeNix",
"rev": "c188d0d729841f71f576dfb544e70c0340bf52a8",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"owner": "RGBCube",
"repo": "ThemeNix",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {

58
flake.nix
View file

@ -1,20 +1,22 @@
{
description = "b12f hosts";
nixConfig.extra-experimental-features = "nix-command flakes";
inputs = {
# Track channels with commits tested and built by hydra
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-master.url = "github:nixos/nixpkgs/master";
nixd.url = "github:nix-community/nixd/main";
flake-compat.url = "github:edolstra/flake-compat";
flake-compat.flake = false;
home-manager.url = "github:nix-community/home-manager/release-23.05";
home-manager.url = "github:nix-community/home-manager/release-24.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
themes.url = "github:RGBCube/ThemeNix";
flake-parts.url = "github:hercules-ci/flake-parts";
nixos-flake.url = "github:srid/nixos-flake";
@ -27,16 +29,26 @@
nixos-hardware.url = "github:nixos/nixos-hardware";
impermanence.url = "github:nix-community/impermanence";
mobile-nixos.url = "github:nixos/mobile-nixos";
mobile-nixos.flake = false;
scan2paperless.url = "git+https://git.pub.solar/b12f/scan2paperless.git";
scan2paperless.inputs.nixpkgs.follows = "nixpkgs-unstable";
musnix.url = "github:musnix/musnix";
adblock-unbound.url = "github:MayNiklas/nixos-adblock-unbound";
adblock-unbound.inputs.nixpkgs.follows = "nixpkgs";
openstreetmap.url = "github:tfc/nixos-openstreetmap";
openstreetmap.inputs.nixpkgs.follows = "nixpkgs";
deno2nix.url = "github:SnO2WMaN/deno2nix";
invoiceplane-template.url = "git+https://git.pub.solar/b12f/invoiceplane-templates.git";
invoiceplane-template.inputs.nixpkgs.follows = "nixpkgs";
mezza-biz.url = "git+https://git.pub.solar/b12f/mezza.biz.git";
mezza-biz.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = inputs @ {self, ...}:
@ -48,6 +60,9 @@
imports = [
inputs.nixos-flake.flakeModule
inputs.flake-parts.flakeModules.easyOverlay
./public-keys.nix
./theme.nix
./lib
./modules
./hosts
@ -55,19 +70,33 @@
./overlays
];
perSystem = args@{ system, pkgs, lib, config, ... }: {
perSystem = args @ {
system,
pkgs,
config,
...
}: {
packages = import ./pkgs args;
overlayAttrs = config.packages;
_module.args = {
inherit inputs;
pkgs = import inputs.nixpkgs {
inherit system;
overlays = [ inputs.agenix.overlays.default ];
overlays = [
inputs.agenix.overlays.default
inputs.nixd.overlays.default
inputs.invoiceplane-template.overlays.default
];
};
};
devShells.default = pkgs.mkShell {
packages = with pkgs; [
nix
nixd
agenix
age-plugin-yubikey
cachix
nixos-generators
@ -82,8 +111,11 @@
deploy-rs
terraform
terraform-ls
opentofu
terraform-backend-git
deno
];
shellHook = ''
@ -91,7 +123,7 @@
export TF_BACKEND_GIT_GIT_REF=main
export TF_BACKEND_GIT_GIT_STATE=b12f.json
export TF_BACKEND_HTTP_ENCRYPTION_PROVIDER=sops
export TF_BACKEND_HTTP_SOPS_PGP_FP=4406E80E13CD656C
export TF_BACKEND_HTTP_SOPS_PGP_FP=FC623BBCBD2604D5CC9D90BAE77B0AAAF0D9B76B
export HOSTINGDE_AUTH_TOKEN=$(secret-tool lookup hosting-de terraform-auth-token)
'';
};
@ -107,6 +139,10 @@
sshUser = "b12f";
};
stroopwafel = {
sshUser = "b12f";
};
droppie = {
hostname = "droppie.b12f.io";
sshUser = "yule";

19
hosts/biolimo/.config/sway/config.d/custom-keybindings.conf
View file

@ -1,19 +0,0 @@
# Touchpad controls
#bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ { print $4}')"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
# Pulse Audio controls
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"

15
hosts/biolimo/.config/sway/config.d/screens.conf
View file

@ -1,20 +1,5 @@
set $internal eDP-1
set $middle "Hewlett Packard HP E231 3CQ4290S5J"
set $standup "Hewlett Packard HP E231 3CQ4251F33"
output $internal {
scale 1
pos 1080 1080
}
output $middle {
scale 1
pos 1080 0
}
output $standup {
scale 1
transform 90
pos 0 0
}

4
hosts/biolimo/configuration.nix
View file

@ -20,15 +20,11 @@ in {
hardware.cpu.intel.updateMicrocode = true;
networking.hostName = "biolimo";
networking.networkmanager.wifi.backend = "wpa_supplicant";
home-manager.users."${psCfg.user.name}" = {
xdg.configFile = {
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
"sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
"sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
};
};

5
hosts/biolimo/hardware-configuration.nix
View file

@ -22,7 +22,10 @@
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/aed21f8d-8e15-4f43-8710-460cb36d488b";
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/aed21f8d-8e15-4f43-8710-460cb36d488b";
allowDiscards = true;
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/3B67-0CAB";

11
hosts/biolimo/networking.nix
View file

@ -5,15 +5,16 @@
lib,
...
}: {
config = {
networking.hostName = "biolimo";
networking.networkmanager.wifi.backend = "wpa_supplicant";
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-biolimo.age";
pub-solar.wireguard-client = {
pub-solar.wireguard.private = {
ownIPs = [
"10.0.1.6/32"
"10.13.12.6/32"
"fd00:b12f:acab:1312:acab:6::/96"
];
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
};
privateKeyFile = config.age.secrets.wg-private-key.path;
};
}

19
hosts/chocolatebar/.config/sway/config.d/custom-keybindings.conf
View file

@ -1,19 +0,0 @@
# Touchpad controls
#bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ {print $4}')"
bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-; notify-send $(brightnessctl -d intel_backlight i | awk '/Current/ { print $4}')"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%; notify-send $(brightnessctl -d smc::kbd_backlight i | awk '/Current/ { print $4}')"
# Pulse Audio controls
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. up' #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 && notify-send 'Vol. down' #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle && notify-send 'Mute sound' # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"

34
hosts/chocolatebar/audio.nix Normal file
View file

@ -0,0 +1,34 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
musnix = {
enable = true;
kernel.realtime = false;
soundcardPciId = "0d:00.4";
};
users.users."${psCfg.user.name}".extraGroups = ["realtime"];
home-manager.users."${psCfg.user.name}" = {
home.packages = with pkgs; [
lmms
audacity
];
};
services.pipewire.extraConfig.pipewire."92-low-latency" = {
"context.properties" = {
"default.clock.rate" = 48000;
"default.clock.quantum" = 32;
"default.clock.min-quantum" = 32;
"default.clock.max-quantum" = 32;
};
};
}

8
hosts/chocolatebar/configuration.nix
View file

@ -28,10 +28,7 @@ in {
pub-solar.terminal-life.full = true;
networking.hostName = "chocolatebar";
environment.systemPackages = with pkgs; [
drone-docker-runner
stdenv.cc.cc.lib
hplip
uhk-agent
@ -58,11 +55,6 @@ in {
];
};
musnix = {
enable = true;
kernel.realtime = true;
};
# For OpenProject development with https
security.pki.certificates = [
(builtins.readFile ./step-roots.pem)

1
hosts/chocolatebar/default.nix
View file

@ -4,6 +4,7 @@
./hardware-configuration.nix
./networking.nix
./audio.nix
./virtualisation
# ./factorio
];

2
hosts/chocolatebar/factorio/default.nix
View file

@ -20,7 +20,6 @@ with lib; let
'';
};
in {
config = {
services.factorio = {
enable = true;
port = 34197; # The default, but make it explicit
@ -42,5 +41,4 @@ in {
networking.firewall.allowedUDPPorts = [34197];
networking.firewall.allowedTCPPorts = [34197];
};
}

10
hosts/chocolatebar/networking.nix
View file

@ -5,15 +5,15 @@
lib,
...
}: {
config = {
networking.hostName = "chocolatebar";
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-chocolatebar.age";
pub-solar.wireguard-client = {
pub-solar.wireguard.private = {
ownIPs = [
"10.0.1.5/32"
"10.13.12.5/32"
"fd00:b12f:acab:1312:acab:5::/96"
];
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
};
privateKeyFile = config.age.secrets.wg-private-key.path;
};
}

2
hosts/chocolatebar/virtualisation/default.nix
View file

@ -12,7 +12,7 @@ with lib; let
generateTailsXML = import ./tails-xml.nix;
isolateGPU = "rx550x";
memory = 112; # in GB
memory = 64; # in GB
handOverUSBDevices = false;
isolateAnyGPU = isolateGPU != null;

38
hosts/default.nix
View file

@ -1,7 +1,31 @@
{ withSystem, self, inputs, ...}:
{
self,
inputs,
...
}: {
flake = {
nixosConfigurations = {
stroopwafel = self.nixos-flake.lib.mkLinuxSystem {
nixpkgs.hostPlatform = "x86_64-linux";
imports = [
inputs.impermanence.nixosModules.impermanence
inputs.openstreetmap.nixosModules.openstreetmap
self.nixosModules.base
./stroopwafel
self.nixosModules.b12f
self.nixosModules.audio
self.nixosModules.bluetooth
self.nixosModules.desktop-extended
self.nixosModules.docker
self.nixosModules.graphical
self.nixosModules.office
self.nixosModules.persistence
self.nixosModules.portable
self.nixosModules.printing
];
};
biolimo = self.nixos-flake.lib.mkLinuxSystem {
nixpkgs.hostPlatform = "x86_64-linux";
imports = [
@ -13,10 +37,9 @@
self.nixosModules.desktop-extended
self.nixosModules.docker
self.nixosModules.graphical
self.nixosModules.nextcloud
self.nixosModules.office
self.nixosModules.portable
self.nixosModules.printing
self.nixosModules.wireguard-client
];
};
@ -32,11 +55,9 @@
self.nixosModules.docker
self.nixosModules.gaming
self.nixosModules.graphical
self.nixosModules.nextcloud
self.nixosModules.office
self.nixosModules.printing
self.nixosModules.virtualisation
self.nixosModules.wireguard-client
self.nixosModules.wireshark
];
};
@ -44,10 +65,11 @@
droppie = self.nixos-flake.lib.mkLinuxSystem {
nixpkgs.hostPlatform = "x86_64-linux";
imports = [
inputs.impermanence.nixosModules.impermanence
self.nixosModules.base
./droppie
self.nixosModules.yule
self.nixosModules.wireguard-client
self.nixosModules.persistence
];
};
@ -58,6 +80,8 @@
inputs.nixos-hardware.nixosModules.raspberry-pi-4
./pie
self.nixosModules.yule
self.nixosModules.acme
self.nixosModules.proxy
self.nixosModules.docker
self.nixosModules.invoiceplane
];
@ -69,6 +93,8 @@
self.nixosModules.base
./frikandel
self.nixosModules.yule
self.nixosModules.acme
self.nixosModules.proxy
self.nixosModules.docker
];
};

2
hosts/droppie/backup-autostop.nix
View file

@ -24,7 +24,7 @@ in {
};
systemd.timers."shutdown-after-backup" = {
enable = true;
enable = false;
timerConfig = {
OnCalendar = "*-*-* 02..11:05,15,25,35,45,55:00 Etc/UTC";
};

39
hosts/droppie/configuration.nix
View file

@ -9,24 +9,43 @@ with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub = {
enable = true;
efiSupport = true;
device = "nodev";
};
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
services.openssh.openFirewall = true;
pub-solar.core.disk-encryption-active = false;
pub-solar.user.publicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall"
];
boot.kernelParams = [
"boot.shell_on_fail=1"
"nomodeset"
# Hack so that network is considered up by boot.initrd.network and postCommands gets executed.
"ip=127.0.0.1:::::lo:none"
];
boot.initrd.availableKernelModules = ["tg3"];
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 2222;
authorizedKeys = flake.self.publicKeys;
hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
shell = "/bin/cryptsetup-askpass";
};
postCommands = ''
ip link set dev enp2s0f0 up
ip addr add 192.168.178.3/32 dev enp2s0f0
ip route add 192.168.178.1 dev enp2s0f0
ip route add default via 192.168.178.1 dev enp2s0f0
ip -6 addr add 2a02:908:5b1:e3c0:3::/128 dev enp2s0f0
ip -6 addr add fe80:b12f:acab:1312:acab:3::/128 dev enp2s0f0
'';
};
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
age.secrets."droppie-ssh-root.key" = {
file = "${flake.self}/secrets/droppie-ssh-root.key.age";

51
hosts/droppie/hardware-configuration.nix
View file

@ -12,30 +12,57 @@
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["ahci" "usbhid" "uas"];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "ehci_pci" "usbhid" "usb_storage" "uas" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/1dca9d02-555c-4b23-9450-8f3413fa7694";
fsType = "xfs";
boot.initrd.luks.devices = {
"cryptroot" = {
device = "/dev/disk/by-uuid/08330ff9-581a-41e1-b8fa-757dc4c90b16";
allowDiscards = true;
};
"cryptdata".device = "/dev/disk/by-uuid/bc9f00ea-027e-409b-87c9-ab5628683378";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A24C-F252";
fsType = "vfat";
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
};
fileSystems."/media/internal" =
{ device = "/dev/disk/by-uuid/5cf314a8-82f4-4037-a724-62d2ff226cff";
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/837cc93f-6d9a-4bfd-b089-29ac6d68127c";
fsType = "ext4";
neededForBoot = true;
};
fileSystems."/persist" = {
device = "/dev/disk/by-uuid/a7711118-51b0-4d84-8f18-ef2e06084e05";
fsType = "ext4";
neededForBoot = true;
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/0965d496-ffad-4a8d-9de7-28af903baf16";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/0203b641-280f-4a3d-971d-fd32a666c852"; }
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/991E-79C1";
fsType = "vfat";
neededForBoot = true;
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/data" = {
device = "/dev/disk/by-uuid/391db8c4-5654-4a5c-a5c8-e34811f54786";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-uuid/0ef8dbbd-2832-4fb2-8a52-86682822f769";}
];
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

43
hosts/droppie/networking.nix
View file

@ -6,31 +6,42 @@
...
}: {
networking.hostName = "droppie";
networking.interfaces.enp2s0f0.useDHCP = true;
networking.interfaces.enp2s0f1.useDHCP = true;
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
#networking.useDHCP = true;
#networking.interfaces.enp2s0f0.useDHCP = true;
#networking.interfaces.enp2s0f1.useDHCP = true;
networking.useDHCP = false;
networking.interfaces.enp2s0f0 = {
ipv4.addresses = [ { address = "192.168.178.3"; prefixLength = 32; } ];
ipv6.addresses = [ { address = "2a02:908:5b1:e3c0:3::"; prefixLength = 128; } ];
ipv6.addresses = [
{
address = "2a02:908:5b1:e3c0:3::";
prefixLength = 64;
}
];
};
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age";
# Allow pub.solar restic backups
services.openssh.allowSFTP = true;
pub-solar.wireguard-client = {
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-droppie.age";
pub-solar.wireguard.private = {
ownIPs = [
"10.0.1.3/32"
"10.13.12.3/32"
"fd00:b12f:acab:1312:acab:3::/96"
];
wireguardPrivateKeyFile = "/run/agenix/wg-private-key";
privateKeyFile = config.age.secrets.wg-private-key.path;
};
age.secrets.wg-tunnel-key.file = "${flake.self}/secrets/wg-tunnel-droppie.age";
pub-solar.wireguard.tunnel = {
ownIPs = [
"10.69.139.214/32"
"fc00:bbbb:bbbb:bb01::6:8bd5/128"
];
privateKeyFile = config.age.secrets.wg-tunnel-key.path;
peer = {
publicKey = "m9w2Fr0rcN6R1a9HYrGnUTU176rTZIq2pcsovPd9sms=";
endpoint = "[2a02:6ea0:d406:1::a18f]:3019";
};
};
}

17
hosts/frikandel/authelia-forward.nix Normal file
View file

@ -0,0 +1,17 @@
{
flake,
config,
pkgs,
lib,
...
}: {
security.acme.certs = {
"auth.b12f.io" = {};
};
services.nginx.virtualHosts."auth.b12f.io" = {
forceSSL = true;
useACMEHost = "auth.b12f.io";
locations."/".proxyPass = "https://auth.b12f.io";
};
}

20
hosts/frikandel/configuration.nix
View file

@ -2,21 +2,23 @@
config,
pkgs,
lib,
flake,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [
"boot.shell_on_fail=1"
"ip=128.140.109.213::172.31.1.1:255.255.255.255:frikandel-initrd.b12f.io::off"
# Hack so that network is considered up by boot.initrd.network and postCommands gets executed.
"ip=127.0.0.1:::::lo:none"
];
boot.initrd.availableKernelModules = ["virtio_pci" "virtio_net"];
boot.initrd.network = {
enable = true;
@ -24,9 +26,21 @@ in {
enable = true;
port = 2222;
hostKeys = [/boot/initrd-ssh-key];
authorizedKeys = psCfg.user.publicKeys;
authorizedKeys = flake.self.publicKeys;
shell = "/bin/cryptsetup-askpass";
};
postCommands = ''
ip link set dev enp1s0 up
ip addr add 128.140.109.213/32 dev enp1s0
ip route add 172.31.1.1 dev enp1s0
ip route add default via 172.31.1.1 dev enp1s0
ip -6 addr add 128.140.109.213/128 dev enp1s0
ip -6 addr add 2a01:4f8:c2c:b60::/64 dev enp1s0
ip -6 route add fe80::1 dev enp1s0
ip -6 route add default via fe80::1 dev enp1s0
'';
};
boot.supportedFilesystems = ["zfs"];

4
hosts/frikandel/default.nix
View file

@ -4,8 +4,12 @@
./configuration.nix
./networking.nix
./unbound.nix
./nginx.nix
./wireguard.nix
./email.nix
./website.nix
# ./jellyfin-forward.nix
# ./authelia-forward.nix
];
}

317
hosts/frikandel/email.nix
View file

@ -5,16 +5,22 @@
lib,
...
}: let
restartMaddyOnCertRenewal = pkgs.writeShellScriptBin "restart-maddy-on-cert-renewal" ''
if [ "$1" == "mail.b12f.io"]; then
${pkgs.systemd}/bin/systemctl restart maddy.service;
fi
hzDomain = lib.concatStrings ["hw" "dz" "z." "net"];
dkimDNSb12fio = ''
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyla9hW3TvoXvZQxwzaJ4SZ9ict1HU3E6+FWlwNIgE6tIpTCyRJtiSIUDqB8TLTIBoxIs+QQBXZi+QUi3Agu6OSY2RiV0EwO8+oOOqOD9pERftc/aqe51cXuv4kPqwvpXEBwrXFWVM+VxivEubUJ7eKkFyXJpelv0LslXv/MmYbUyed6dF+reOGZCsvnbiRv74qdxbAL/25j62E8WrnxzJwhUtx/JhdBOjsHBvuw9hy6rZsVJL9eXayWyGRV6qmsLRzsRSBs+mDrgmKk4dugADd11+A03ics3i8hplRoWDkqnNKz1qy4f5TsV6v9283IANrAzRfHwX8EvNiFsBz+ZCQIDAQAB" ) ;
'';
dkimDNSmezzabiz = ''
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG8iuDq0eon2k7QlBJWGxwDiEv53iJQu2uqxOjr7Ul/nfQjuR6kVKs6oOVopnyFTGRpffrpSHHW1YUN5nF76p0fJphk4l+QmJP36/xweajsNU27PAkb88xG6yRKl28MCfPdMR96+Jobpei8S0UhqcskYs1aZybm7ci9ZuAMidziwIDAQAB" ) ;
'';
dkimDNShzDomain = ''
default._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDvVA2XZno6g6qBdmxoLgX2Qmd883M6yV4YkE/VaNH6xcR0AcTo4hEYoAOPryfKn4FE/TYvyk/k2cyBKpMBn2qbVhwUavYQh/e9bweS2FKQvdzCUUoqXk04o2MqSXb2ZFwkUCtfrPcckBgpF754PDL4HMZGPnkMSdDX7bmYe37CWQIDAQAB") ;
'';
in {
age.secrets."b12f.io-dkim-private-rsa" = {
file = "${flake.self}/secrets/b12f.io-dkim-private-rsa.age";
path = "/var/lib/maddy/dkim_keys/b12f.io_default.key";
mode = "400";
owner = "rspamd";
owner = "maddy";
};
age.secrets."mail@b12f.io-password" = {
@ -23,77 +29,281 @@ in {
owner = "maddy";
};
services.caddy = {
globalConfig = ''
events {
on cert_obtained exec ${restartMaddyOnCertRenewal}/bin/restart-maddy-on-cert-renewal {event.data.name}
}
'';
age.secrets."mezza.biz-dkim-private-rsa" = {
file = "${flake.self}/secrets/mezza.biz-dkim-private-rsa.age";
path = "/var/lib/maddy/dkim_keys/mezza.biz_default.key";
mode = "400";
owner = "maddy";
};
virtualHosts = {
"mail.b12f.io".extraConfig = ''
respond "404 Not Found"
'';
age.secrets."mail@mezza.biz-password" = {
file = "${flake.self}/secrets/mail@mezza.biz-password.age";
mode = "400";
owner = "maddy";
};
"mta-sts.b12f.io".extraConfig = ''
encode gzip
file_server
root * ${
pkgs.runCommand "testdir" {} ''
age.secrets."hzdomain-dkim-private-rsa" = {
file = "${flake.self}/secrets/hzdomain-dkim-private-rsa.age";
path = "/var/lib/maddy/dkim_keys/hzdomain_default.key";
mode = "400";
owner = "maddy";
};
age.secrets."mail@hzdomain-password" = {
file = "${flake.self}/secrets/mail@hzdomain-password.age";
mode = "400";
owner = "maddy";
};
users.users.maddy.extraGroups = ["nginx"];
security.acme.certs = {
"mail.b12f.io".reloadServices = ["maddy"];
"b12f.io".reloadServices = ["maddy"];
"mta-sts.b12f.io" = {};
"mail.mezza.biz".reloadServices = ["maddy"];
"mezza.biz".reloadServices = ["maddy"];
"mta-sts.mezza.biz" = {};
"mail.${hzDomain}".reloadServices = ["maddy"];
"${hzDomain}".reloadServices = ["maddy"];
"mta-sts.${hzDomain}" = {};
};
services.nginx.virtualHosts = builtins.foldl' (hosts: hostName:
hosts
// {
"mta-sts.${hostName}" = {
forceSSL = true;
useACMEHost = "mta-sts.${hostName}";
locations."/" = {
root = pkgs.runCommand "create-well-known-mta-sts" {} ''
mkdir -p "$out/.well-known"
echo "
version: STSv1
mode: enforce
max_age: 604800
mx: mail.b12f.io
mx: mail.${hostName}
" > "$out/.well-known/mta-sts.txt"
''
}
'';
tryFiles = "$uri $uri/ =404";
};
};
}) {} ["b12f.io" "mezza.biz" hzDomain];
services.maddy = {
enable = false;
openFirewall = true;
hostname = "mail.b12f.io";
primaryDomain = "b12f.io";
ensureAccounts = [
"mail@b12f.io"
systemd.tmpfiles.rules = [
"d '/run/maddy' 0750 maddy maddy - -"
];
system.activationScripts.makeMaddyDKIMDNS = lib.stringAfter ["var"] ''
mkdir -p /var/lib/maddy/dkim_keys
echo '${dkimDNSb12fio}' >> /var/lib/maddy/dkim_keys/b12f.io_default.dns
echo '${dkimDNSmezzabiz}' >> /var/lib/maddy/dkim_keys/mezza.biz_default.dns
echo '${dkimDNShzDomain}' >> /var/lib/maddy/dkim_keys/${hzDomain}_default.dns
chown -R maddy:maddy /var/lib/maddy
'';
networking.firewall.allowedTCPPorts = [25];
networking.firewall.interfaces.wg-private.allowedTCPPorts = [465 587 993];
services.maddy = {
enable = true;
openFirewall = false;
hostname = "mail.b12f.io";
primaryDomain = "b12f.io";
localDomains = [
"b12f.io"
"mail.b12f.io"
"mezza.biz"
"mail.mezza.biz"
hzDomain
"mail.${hzDomain}"
];
ensureAccounts = [
"mail@b12f.io"
"mail@mezza.biz"
"mail@${hzDomain}"
];
ensureCredentials = {
# Do not use this in production. This will make passwords world-readable
# in the Nix store
"mail@b12f.io".passwordFile = config.age.secrets."mail@b12f.io-password".path;
"mail@mezza.biz".passwordFile = config.age.secrets."mail@mezza.biz-password".path;
"mail@${hzDomain}".passwordFile = config.age.secrets."mail@hzdomain-password".path;
};
tls = {
loader = "file";
certificates = [
{
keyPath = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.b12f.io/mail.b12f.io.key";
certPath = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.b12f.io/mail.b12f.io.crt";
keyPath = "${config.security.acme.certs."mail.b12f.io".directory}/key.pem";
certPath = "${config.security.acme.certs."mail.b12f.io".directory}/cert.pem";
}
{
keyPath = "${config.security.acme.certs."b12f.io".directory}/key.pem";
certPath = "${config.security.acme.certs."b12f.io".directory}/cert.pem";
}
{
keyPath = "${config.security.acme.certs."mail.mezza.biz".directory}/key.pem";
certPath = "${config.security.acme.certs."mail.mezza.biz".directory}/cert.pem";
}
{
keyPath = "${config.security.acme.certs."mezza.biz".directory}/key.pem";
certPath = "${config.security.acme.certs."mezza.biz".directory}/cert.pem";
}
{
keyPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/key.pem";
certPath = "${config.security.acme.certs."mail.${hzDomain}".directory}/cert.pem";
}
{
keyPath = "${config.security.acme.certs."${hzDomain}".directory}/key.pem";
certPath = "${config.security.acme.certs."${hzDomain}".directory}/cert.pem";
}
];
};
config = ''
auth.pass_table local_authdb {
table sql_table {
driver sqlite3
dsn credentials.db
table_name passwords
}
}
config = (builtins.replaceStrings ["msgpipeline local_routing {"] [''msgpipeline local_routing {
storage.imapsql local_mailboxes {
driver sqlite3
dsn imapsql.db
}
table.chain local_rewrites {
optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
optional_step static {
entry postmaster postmaster@$(primary_domain)
}
optional_step file /etc/maddy/aliases
}
msgpipeline local_routing {
check {
rspamd {
api_path http://localhost:11334
}
}''] config.services.maddy.config.default) ++ ''
}
modify {
domains b12f.io
selector default
key_path ${config.age.secrets."b12f.io-dkim-private-rsa".path}
replace_rcpt &local_rewrites
}
# at this point rcpt was normalized to either:
# postmaster@$(primary_domain),
# local_mailbox_without_tag@$(local_domains),
# replacements with alias
# destination_in block takes priority over destinations
destination_in &local_mailboxes {
deliver_to &local_mailboxes
}
# if rcpt is not in local_mailboxes, but has our domains,
# replace rcpt to catchall and deliver it there
destination $(local_domains) {
modify {
replace_rcpt regexp "(.+)@(.+)" "mail@$2"
}
deliver_to &local_mailboxes
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
smtp tcp://0.0.0.0:25 {
limits {
all rate 20 1s
all concurrency 10
}
dmarc yes
check {
require_mx_record
dkim
spf
}
source $(local_domains) {
reject 501 5.1.8 "Use Submission for outgoing SMTP"
}
default_source {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
}
submission tls://10.13.12.7:465 tls://[fd00:b12f:acab:1312:acab:7::]:465 tcp://10.13.12.7:587 tcp://[fd00:b12f:acab:1312:acab:7::]:587 {
limits {
all rate 50 1s
}
auth &local_authdb
source $(local_domains) {
check {
authorize_sender {
prepare_email &local_rewrites
user_to_email identity
}
}
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
modify {
dkim $(primary_domain) $(local_domains) default
}
deliver_to &remote_queue
}
}
default_source {
reject 501 5.1.8 "Non-local sender domain"
}
}
target.remote outbound_delivery {
limits {
destination rate 20 1s
destination concurrency 10
}
mx_auth {
dane
mtasts {
cache fs
fs_dir mtasts_cache/
}
local_policy {
min_tls_level encrypted
min_mx_level none
}
}
}
target.queue remote_queue {
target &outbound_delivery
autogenerated_msg_domain $(primary_domain)
bounce {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
}
}
}
imap tls://10.13.12.7:993 tls://[fd00:b12f:acab:1312:acab:7::]:993 {
auth &local_authdb
storage &local_mailboxes
}
'';
};
services.rspamd = {
@ -104,4 +314,25 @@ in {
};
systemd.services.rspamd.serviceConfig.SupplementaryGroups = ["maddy"];
age.secrets."rclone-pubsolar.conf" = {
file = "${flake.self}/secrets/rclone-pubsolar.conf.age";
mode = "400";
};
age.secrets."restic-password" = {
file = "${flake.self}/secrets/restic-password.age";
mode = "400";
};
services.restic.backups = {
maddy = {
paths = ["/var/lib/maddy"];
initialize = true;
passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/backups/Maddy";
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
};
};
}

19
hosts/frikandel/hardware-configuration.nix
View file

@ -1,8 +1,13 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
@ -19,18 +24,18 @@
};
};
fileSystems."/" =
{ device = "zroot/root";
fileSystems."/" = {
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/684A-5884";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/684A-5884";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/a7d1cbb8-7c9e-4c3d-841a-add867f47389"; }
swapDevices = [
{device = "/dev/disk/by-uuid/a7d1cbb8-7c9e-4c3d-841a-add867f47389";}
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

17
hosts/frikandel/jellyfin-forward.nix Normal file
View file

@ -0,0 +1,17 @@
{
flake,
config,
pkgs,
lib,
...
}: {
security.acme.certs = {
"media.b12f.io" = {};
};
services.nginx.virtualHosts."media.b12f.io" = {
forceSSL = true;
useACMEHost = "media.b12f.io";
locations."/".proxyPass = "https://media.b12f.io";
};
}

29
hosts/frikandel/networking.nix
View file

@ -8,19 +8,29 @@
networking.hostName = "frikandel";
networking.hostId = "44234773";
networking.nameservers = [
"10.13.12.7"
"fd00:b12f:acab:1312:acab:7::"
"193.110.81.0" #dns0.eu
"2a0f:fc80::" #dns0.eu
"185.253.5.0" #dns0.eu
"2a0f:fc81::" #dns0.eu
];
services.openssh.openFirewall = true;
# Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here)
networking.useDHCP = false;
networking.interfaces.enp1s0 = {
ipv4.addresses = [{ address = "128.140.109.213"; prefixLength = 32; }];
ipv6.addresses = [{ address = "2a01:4f8:c2c:b60::"; prefixLength = 64; }];
ipv4.addresses = [
{
address = "128.140.109.213";
prefixLength = 32;
}
];
ipv6.addresses = [
{
address = "2a01:4f8:c2c:b60::";
prefixLength = 64;
}
];
};
networking.defaultGateway = {
address = "172.31.1.1";
@ -32,15 +42,4 @@
};
networking.firewall.allowedTCPPorts = [80 443];
# Caddy reverse proxy for local services like cups
services.caddy = {
enable = true;
globalConfig = ''
default_bind 128.140.109.213 2a01:4f8:c2c:b60::
# auto_https off
email acme@benjaminbaedorf.eu
# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
'';
};
}

16
hosts/frikandel/nginx.nix Normal file
View file

@ -0,0 +1,16 @@
{
flake,
config,
pkgs,
lib,
...
}: {
services.nginx = {
defaultListenAddresses = [
"10.13.12.7"
"[fd00:b12f:acab:1312:acab:7::]"
"128.140.109.213"
"[2a01:4f8:c2c:b60::]"
];
};
}

139
hosts/frikandel/unbound.nix Normal file
View file

@ -0,0 +1,139 @@
{
flake,
config,
pkgs,
lib,
...
}: {
age.secrets."unbound_control.key" = {
file = "${flake.self}/secrets/unbound_control.key.age";
mode = "400";
owner = "unbound";
};
age.secrets."unbound_control.pem" = {
file = "${flake.self}/secrets/unbound_control.pem.age";
mode = "400";
owner = "unbound";
};
age.secrets."unbound_server.key" = {
file = "${flake.self}/secrets/unbound_server.key.age";
mode = "400";
owner = "unbound";
};
age.secrets."unbound_server.pem" = {
file = "${flake.self}/secrets/unbound_server.pem.age";
mode = "400";
owner = "unbound";
};
networking.firewall.interfaces.wg-private.allowedUDPPorts = [53];
networking.firewall.interfaces.wg-private.allowedTCPPorts = [53];
services.resolved.enable = false;
services.unbound = {
enable = true;
settings = {
server = {
include = [
"\"${pkgs.adlist.unbound-adblockStevenBlack}\""
];
interface = [
"127.0.0.1"
"::1"
"10.13.12.7"
"fd00:b12f:acab:1312:acab:7::"
];
access-control = [
"127.0.0.1/32 allow"
# Allow from wireguard
"10.13.12.0/24 allow"
"fd00:b12f:acab:1312::/64 allow"
];
local-zone = [
"\"b12f.io\" transparent"
"\"pub.solar\" transparent"
];
local-data = [
"\"stroopwafel.b12f.io. 10800 IN A 10.13.12.5\""
"\"stroopwafel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:5::\""
"\"chocolatebar.b12f.io. 10800 IN A 10.13.12.8\""
"\"chocolatebar.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:8::\""
"\"droppie.b12f.io. 10800 IN A 10.13.12.3\""
"\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
"\"droppie.b12f.io. 10800 IN A 10.13.12.3\""
"\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
"\"backup.b12f.io. 10800 IN A 10.13.12.3\""
"\"backup.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
"\"media.b12f.io. 10800 IN A 10.13.12.3\""
"\"media.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
"\"pie.b12f.io. 10800 IN A 10.13.12.2\""
"\"pie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"firefly.b12f.io. 10800 IN A 10.13.12.2\""
"\"firefly.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"firefly-importer.b12f.io. 10800 IN A 10.13.12.2\""
"\"firefly-importer.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"paperless.b12f.io. 10800 IN A 10.13.12.2\""
"\"paperless.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"invoicing.b12f.io. 10800 IN A 10.13.12.2\""
"\"invoicing.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"auth.b12f.io. 10800 IN A 10.13.12.2\""
"\"auth.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"vpn.b12f.io. 10800 IN A 128.140.109.213\""
"\"vpn.b12f.io. 10800 IN AAAA 2a01:4f8:c2c:b60::\""
"\"frikandel.b12f.io. 10800 IN A 10.13.12.7\""
"\"frikandel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"b12f.io. 10800 IN A 10.13.12.7\""
"\"b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mail.b12f.io. 10800 IN A 10.13.12.7\""
"\"mail.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mezza.biz. 10800 IN A 10.13.12.7\""
"\"mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mail.mezza.biz. 10800 IN A 10.13.12.7\""
"\"mail.mezza.biz. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"h${"w" + "dz" + "z.n"}et. 10800 IN A 10.13.12.7\""
"\"h${"w" + "dz" + "z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mail.h${"w" + "dz" + "z.n"}et. 10800 IN A 10.13.12.7\""
"\"mail.h${"w" + "dz" + "z.n"}et. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"mezza.git.pub.solar. 10800 IN CNAME git.pub.solar\""
];
tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
};
forward-zone = [
{
name = ".";
forward-addr = [
"193.110.81.0#dns0.eu"
"2a0f:fc80::#dns0.eu"
"185.253.5.0#dns0.eu"
"2a0f:fc81::#dns0.eu"
];
forward-tls-upstream = "yes";
}
];
remote-control = {
control-enable = true;
control-key-file = config.age.secrets."unbound_control.key".path;
server-cert-file = config.age.secrets."unbound_server.pem".path;
server-key-file = config.age.secrets."unbound_server.key".path;
control-cert-file = config.age.secrets."unbound_control.pem".path;
};
};
};
}

61
hosts/frikandel/website.nix
View file

@ -2,45 +2,40 @@
pkgs,
lib,
...
}: let
bbeu = pkgs.stdenv.mkDerivation {
name = "benjaminbaedorf.eu";
src = pkgs.fetchgit {
url = "https://git.pub.solar/b12f/benjaminbaedorf.eu.git";
sparseCheckout = [
"fonts"
"cows.jpg"
"fonts.css"
"index.html"
"public-pgp-benjamin-baedorf.asc"
];
hash = "sha256-c5nU9zqrHgD+dCXdXXcS9xJIaGueyXQpuwSqv0aSLM0=";
}: {
security.acme.certs = {
"benjaminbaedorf.eu" = {};
"b12f.io" = {};
"mezza.biz" = {};
};
installPhase = ''
mkdir -p $out
cp -r * $out/
'';
};
in {
services.caddy.virtualHosts = {
services.nginx.virtualHosts = {
"benjaminbaedorf.eu" = {
extraConfig = ''
redir https://b12f.io{uri} temporary
'';
forceSSL = true;
useACMEHost = "benjaminbaedorf.eu";
locations."/".return = "302 https://b12f.io$request_uri";
};
"b12f.io" = {
extraConfig = ''
handle {
root * ${bbeu}
try_files {path}.html {path}
file_server
}
forceSSL = true;
useACMEHost = "b12f.io";
handle_errors {
respond "{http.error.status_code} {http.error.status_text}"
}
'';
locations."/" = {
root = pkgs.b12f-io;
index = "index.html";
tryFiles = "$uri $uri/ =404";
};
};
"mezza.biz" = {
forceSSL = true;
useACMEHost = "mezza.biz";
locations."/" = {
root = pkgs.mezza-biz;
index = "index.html";
tryFiles = "$uri $uri/ =404";
};
};
};
}

97
hosts/frikandel/wireguard.nix
View file

@ -4,30 +4,31 @@
pkgs,
lib,
...
}: with lib; {
age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-frikandel-server.age";
}:
with lib; {
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.wg0.forwarding" = 1;
"net.ipv6.conf.wg0.accept_ra" = 1;
"net.ipv6.conf.wg0.accept_ra_pinfo" = 1;
"net.ipv6.conf.wg-private.forwarding" = 1;
"net.ipv6.conf.wg-private.accept_ra" = 1;
"net.ipv6.conf.wg-private.accept_ra_pinfo" = 1;
};
networking.nat = {
enable = true;
enableIPv6 = true;
internalInterfaces = [ "wg0" ];
externalInterface = "enp1s0";
internalInterfaces = ["wg-private"];
};
networking.firewall.allowedUDPPorts = [51899];
networking.firewall.extraForwardRules = [
"iifname { != wg0 } reject"
"iifname wg0 accept"
"iifname { != wg-private } reject"
"iifname wg-private accept"
];
systemd.services.wg-quick-wg0 = {
after = [
systemd.services.wireguard-wg-private = {
wantedBy = [
"network.target"
"network-online.target"
"nss-lookup.target"
@ -44,54 +45,78 @@
};
};
# Enable WireGuard
networking.wg-quick.interfaces = {
wg0 = {
listenPort = 51899;
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-frikandel.age";
address = [
"10.0.1.7/32"
# Enable WireGuard
networking.wireguard.interfaces = {
wg-private = {
listenPort = 51899;
mtu = 1300;
ips = [
"10.13.12.7/32"
"fd00:b12f:acab:1312:acab:7::/96"
];
privateKeyFile = "/run/agenix/wg-private-key-server";
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = [
{ # pie
{
# pie
publicKey = "hPTXEqQ2GYEywdPNdZBacwB9KKcoFZ/heClxnqmizyw=";
allowedIPs = [
"10.0.1.2/32"
"10.13.12.2/32"
"fd00:b12f:acab:1312:acab:2::/96"
];
endpoint = "pie-wg.b12f.io:51899";
persistentKeepalive = 25;
persistentKeepalive = 30;
dynamicEndpointRefreshSeconds = 30;
}
{ # droppie
{
# droppie
publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
allowedIPs = [
"10.0.1.3/32"
"10.13.12.3/32"
"fd00:b12f:acab:1312:acab:3::/96"
];
persistentKeepalive = 25;
persistentKeepalive = 30;
dynamicEndpointRefreshSeconds = 30;
}
{ # chocolatebar
{
# chocolatebar
publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
allowedIPs = [
"10.0.1.5/32"
"10.13.12.5/32"
"fd00:b12f:acab:1312:acab:5::/96"
];
persistentKeepalive = 25;
persistentKeepalive = 30;
dynamicEndpointRefreshSeconds = 30;
}
{ # biolimo
{
# biolimo
publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
allowedIPs = [
"10.0.1.6/32"
"10.13.12.6/32"
"fd00:b12f:acab:1312:acab:6::/96"
];
persistentKeepalive = 25;
persistentKeepalive = 30;
dynamicEndpointRefreshSeconds = 30;
}
{
# stroopwafel
publicKey = "5iNRg13utOJ30pX2Z8SjwPNUFwfH2zonlbeYW2mKFkU=";
allowedIPs = [
"10.13.12.8/32"
"fd00:b12f:acab:1312:acab:8::/96"
];
persistentKeepalive = 30;
dynamicEndpointRefreshSeconds = 30;
}
{
# fp3
publicKey = "wQJXFibxhWkyUbRPrPt5y/YfDnH3gDQ5a/PWoyxDfDI=";
allowedIPs = [
"10.13.12.9/32"
# "fd00:b12f:acab:1312:acab:9::/96"
];
persistentKeepalive = 30;
dynamicEndpointRefreshSeconds = 30;
}
];
};

2
hosts/iso/default.nix
View file

@ -3,8 +3,8 @@
lib,
...
}: {
pub-solar.core.disk-encryption-active = false;
isoImage.squashfsCompression = "gzip -Xcompression-level 1";
systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"];
networking.networkmanager.enable = false;
services.openssh.openFirewall = lib.mkForce true;
}

6
hosts/maoam/default.nix
View file

@ -1,4 +1,8 @@
{ flake, pkgs, ... }: {
{
flake,
pkgs,
...
}: {
imports = [
./configuration.nix
./hardware-configuration.nix

6
hosts/maoam/hardware-configuration.nix
View file

@ -1,6 +1,10 @@
# NOTE: this file was generated by the Mobile NixOS installer.
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/51a668b8-fa2e-4d3e-ac3f-73ca002d0004";

5
hosts/pie/.env.firefly
View file

@ -149,13 +149,12 @@ MAP_DEFAULT_ZOOM=6
#
# LDAP is no longer supported :(
#
AUTHENTICATION_GUARD=web
AUTHENTICATION_GUARD=remote_user_guard
#
# Remote user guard settings
#
AUTHENTICATION_GUARD_HEADER=REMOTE_USER
AUTHENTICATION_GUARD_EMAIL=
AUTHENTICATION_GUARD_HEADER=Remote-Email
#
# Firefly III supports webhooks. These are security sensitive and must be enabled manually first.

176
hosts/pie/authelia.nix Normal file
View file

@ -0,0 +1,176 @@
{
lib,
config,
pkgs,
flake,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
disabledModules = [
"services/security/authelia.nix"
];
imports = [
"${flake.inputs.nixpkgs-master}/nixos/modules/services/security/authelia.nix"
];
age.secrets."authelia-storage-encryption-key" = {
file = "${flake.self}/secrets/authelia-storage-encryption-key.age";
mode = "400";
owner = "authelia-b12f";
};
age.secrets."authelia-session-secret" = {
file = "${flake.self}/secrets/authelia-session-secret.age";
mode = "400";
owner = "authelia-b12f";
};
age.secrets."authelia-jwt-secret" = {
file = "${flake.self}/secrets/authelia-jwt-secret.age";
mode = "400";
owner = "authelia-b12f";
};
age.secrets."authelia-oidc-issuer-private-key" = {
file = "${flake.self}/secrets/authelia-oidc-issuer-private-key.age";
mode = "400";
owner = "authelia-b12f";
};
age.secrets."authelia-oidc-hmac-secret" = {
file = "${flake.self}/secrets/authelia-oidc-hmac-secret.age";
mode = "400";
owner = "authelia-b12f";
};
age.secrets."authelia-jwks-private-key" = {
file = "${flake.self}/secrets/authelia-jwks-private-key.age";
mode = "400";
owner = "authelia-b12f";
};
age.secrets."authelia-users-file" = {
file = "${flake.self}/secrets/authelia-users-file.age";
mode = "400";
owner = "authelia-b12f";
};
age.secrets."mail@b12f.io-password" = {
file = "${flake.self}/secrets/mail@b12f.io-password.age";
mode = "400";
owner = "authelia-b12f";
};
security.acme.certs = {
"auth.b12f.io" = {};
};
services.nginx.virtualHosts = {
"auth.b12f.io" = {
forceSSL = true;
useACMEHost = "auth.b12f.io";
locations."/".proxyPass = "http://${config.services.authelia.instances.b12f.settings.server.address}";
locations."/".extraConfig = "include /etc/nginx/conf-available/proxy.conf;";
locations."/api/verify".proxyPass = "http://${config.services.authelia.instances.b12f.settings.server.address}";
locations."/api/authz".proxyPass = "http://${config.services.authelia.instances.b12f.settings.server.address}";
};
};
services.authelia.instances.b12f = {
enable = true;
secrets = {
storageEncryptionKeyFile = config.age.secrets."authelia-storage-encryption-key".path;
sessionSecretFile = config.age.secrets."authelia-session-secret".path;
jwtSecretFile = config.age.secrets."authelia-jwt-secret".path;
oidcIssuerPrivateKeyFile = config.age.secrets."authelia-oidc-issuer-private-key".path;
oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;
};
environmentVariables = {
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path;
};
settings = {
theme = "light";
default_2fa_method = "webauthn";
log.level = "debug";
server = {
address = "127.0.0.1:9092";
endpoints.authz.auth-request.implementation = "AuthRequest";
};
authentication_backend = {
refresh_interval = "disable";
password_reset.disable = true;
file = {
path = config.age.secrets."authelia-users-file".path;
watch = false;
};
};
duo_api.disable = true;
webauthn.user_verification = "required";
totp.issuer = "auth.b12f.io";
storage.local.path = "/var/lib/authelia-b12f/db.sqlite3";
access_control.default_policy = "two_factor";
session.cookies = [
{
domain = "b12f.io";
authelia_url = "https://auth.b12f.io";
}
];
notifier.smtp = {
address = "submission://mail.b12f.io:587";
username = "mail@b12f.io";
sender = "auth.b12f.io <mail@b12f.io>";
identifier = "auth@b12f.io";
subject = "[auth.b12f.io] {title}";
};
identity_providers.oidc = {
authorization_policies = {
admins = {
default_policy = "deny";
rules = [{
policy = "two_factor";
subject = "group:admins";
}];
};
};
clients = [
{
client_id = "jellyfin";
client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ";
public = false;
authorization_policy = "admins";
require_pkce = true;
pkce_challenge_method = "S256";
redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ];
scopes = [
"openid"
"profile"
"groups"
];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_post";
}
];
};
};
};
systemd.services.authelia-b12f.preStart = "env";
services.restic.backups = {
authelia = {
paths = ["/var/lib/authelia-b12f"];
initialize = true;
passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/backups/Authelia";
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
};
};
}

4
hosts/pie/backup.nix
View file

@ -8,8 +8,8 @@
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
age.secrets."rclone-pie.conf" = {
file = "${flake.self}/secrets/rclone-pie.conf.age";
age.secrets."rclone-pubsolar.conf" = {
file = "${flake.self}/secrets/rclone-pubsolar.conf.age";
path = "/root/.config/rclone/rclone.conf";
mode = "400";
};

33
hosts/pie/configuration.nix
View file

@ -2,6 +2,7 @@
config,
pkgs,
lib,
flake,
...
}:
with lib; let
@ -13,31 +14,45 @@ in {
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.device = "nodev";
boot.loader.timeout = 5;
boot.loader.grub.configurationLimit = 24;
boot.loader.efi.canTouchEfiVariables = false;
boot.loader.systemd-boot.enable = false;
boot.loader.generic-extlinux-compatible.enable = false;
boot.supportedFilesystems = ["zfs"];
boot.kernelPackages = pkgs.linuxPackages_6_1;
boot.kernelParams = [
"boot.shell_on_fail=1"
"ip=192.168.178.2::192.168.178.1:255.255.255.255:pie.b12f.io::off"
# Hack so that network is considered up by boot.initrd.network and postCommands gets executed.
"ip=127.0.0.1:::::lo:none"
];
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
# See https://discourse.nixos.org/t/ssh-and-network-in-initrd-on-raspberry-pi-4/6289/3
boot.initrd.availableKernelModules = ["genet"];
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 2222;
authorizedKeys = psCfg.user.publicKeys;
authorizedKeys = flake.self.publicKeys;
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
shell = "/bin/cryptsetup-askpass";
};
# See https://discourse.nixos.org/t/ssh-and-network-in-initrd-on-raspberry-pi-4/6289/3
boot.initrd.availableKernelModules = [ "genet" ];
postCommands = ''
ip link set dev enabcm6e4ei0 up
pub-solar.core.disk-encryption-active = false;
ip addr add 192.168.178.2/32 dev enabcm6e4ei0
ip route add 192.168.178.1 dev enabcm6e4ei0
ip route add default via 192.168.178.1 dev enabcm6e4ei0
ip -6 addr add 2a02:908:5b1:e3c0:2::/128 dev enabcm6e4ei0
ip -6 addr add fe80:b12f:acab:1312:acab:2::/128 dev enabcm6e4ei0
'';
};
# Ran into this
# https://discourse.nixos.org/t/logrotate-config-fails-due-to-missing-group-30000/28501
services.logrotate.checkConfig = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions

44
hosts/pie/ddclient.nix
View file

@ -1,44 +0,0 @@
{
flake,
config,
pkgs,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
getIP4 = with pkgs; writeShellScriptBin "getIP" ''
${curl}/bin/curl -4 https://ipcheck-ds.wieistmeineip.de/callback/ | ${coreutils}/bin/tail -c +2 | ${coreutils}/bin/head -c -1 | ${jq}/bin/jq '.ip' -r
'';
getIP6 = with pkgs; writeShellScriptBin "getIP" ''
echo "2a02:908:5b1:e3c0:2::"
'';
in {
imports = [
flake.self.nixosModules.ddclient
];
services.ddclient = {
enable = true;
protocol = "dyndns1";
domains = [
"pie.b12f.io"
"droppie.b12f.io"
];
server = "ddns.hosting.de";
username = "b12f";
usev4 = "cmdv4, cmdv4=${getIP4}/bin/getIP";
usev6 = "cmdv6, cmdv6=${getIP6}/bin/getIP";
verbose = true;
passwordFile = "/run/agenix/dyndns.key";
interval = "1min";
};
age.secrets."dyndns.key" = {
file = "${flake.self}/secrets/dyndns.key.age";
mode = "400";
owner = "root";
};
}

6
hosts/pie/default.nix
View file

@ -4,12 +4,12 @@
./configuration.nix
./networking.nix
./wireguard.nix
./nginx.nix
./backup.nix
./unbound.nix
./dhcpd.nix
./wake-droppie.nix
./ddclient.nix
# ./wake-droppie.nix
./authelia.nix
./paperless.nix
./firefly.nix
./invoiceplane.nix

9
hosts/pie/dhcpd.nix
View file

@ -1,5 +1,8 @@
{ pkgs, adblock-unbound, ... }:
{
pkgs,
adblock-unbound,
...
}: {
networking.firewall.allowedUDPPorts = [67 547];
networking.firewall.extraInputRules = ''
ip6 daddr ff02::1:2/128 udp dport 547 accept comment "DHCPv6 server"
@ -50,6 +53,10 @@
reservations = [
# Pie should set ip itself
{
hw-address = "dc:a6:32:5c:31:64";
ip-address = "192.168.178.2";
}
{
hw-address = "08:f1:ea:97:0f:0c";
ip-address = "192.168.178.3";

44
hosts/pie/firefly.nix
View file

@ -29,25 +29,35 @@ in {
mode = "400";
};
services.caddy = {
enable = true;
extraConfig = ''
firefly.b12f.io {
reverse_proxy 127.0.0.1:8080
security.acme.certs = {
"firefly.b12f.io" = {};
"firefly-importer.b12f.io" = {};
};
basicauth * {
b12f $2a$05$/xM7USOzLczswXmiacO6UOdg1YNPIw/KJMbMVerEkpsCtNUFwte4a
}
}
firefly-importer.b12f.io {
reverse_proxy 127.0.0.1:8081
basicauth * {
b12f $2a$05$/xM7USOzLczswXmiacO6UOdg1YNPIw/KJMbMVerEkpsCtNUFwte4a
}
}
services.nginx.virtualHosts = {
"firefly.b12f.io" = {
forceSSL = true;
useACMEHost = "firefly.b12f.io";
extraConfig = "include /etc/nginx/conf-available/authelia-location.conf;";
# Make api calls skip the nginx proxy auth
locations."/api/v1".proxyPass = "http://127.0.0.1:8080";
locations."/".proxyPass = "http://127.0.0.1:8080";
locations."/".extraConfig = ''
include /etc/nginx/conf-available/proxy.conf;
include /etc/nginx/conf-available/authelia-authrequest.conf;
'';
};
"firefly-importer.b12f.io" = {
forceSSL = true;
useACMEHost = "firefly-importer.b12f.io";
extraConfig = "include /etc/nginx/conf-available/authelia-location.conf;";
locations."/".proxyPass = "http://127.0.0.1:8081";
locations."/".extraConfig = ''
include /etc/nginx/conf-available/proxy.conf;
include /etc/nginx/conf-available/authelia-authrequest.conf;
'';
};
};
systemd.services."docker-network-firefly" = let
docker = config.virtualisation.oci-containers.backend;
@ -140,7 +150,7 @@ in {
backupPrepareCommand = ''
${pkgs.docker-client}/bin/docker exec -t firefly-db pg_dumpall -c -U firefly > "${backupDir}/postgres.sql"
'';
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
};
};
}

21
hosts/pie/hardware-configuration.nix
View file

@ -1,9 +1,13 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
@ -21,21 +25,20 @@
};
};
fileSystems."/" =
{ device = "zroot/root";
fileSystems."/" = {
device = "zroot/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0D5D-B809";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/0D5D-B809";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/af71e930-42ce-4174-a098-4ea5753b1ea9"; }
swapDevices = [
{device = "/dev/disk/by-uuid/af71e930-42ce-4174-a098-4ea5753b1ea9";}
];
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

22
hosts/pie/invoiceplane.nix
View file

@ -20,6 +20,18 @@ in {
mode = "400";
};
security.acme.certs = {
"invoicing.b12f.io" = {};
};
services.nginx.virtualHosts = {
"invoicing.b12f.io" = {
forceSSL = true;
useACMEHost = "invoicing.b12f.io";
};
};
services.invoiceplane.webserver = "nginx";
services.invoiceplane.sites."invoicing.b12f.io" = {
enable = true;
@ -32,6 +44,14 @@ in {
createLocally = false;
};
invoiceTemplates = [pkgs.invoiceplane-template];
extraConfig = ''
SETUP_COMPLETED=true
DISABLE_SETUP=true
IP_URL=https://invoicing.b12f.io
'';
poolConfig = {
"pm" = "dynamic";
"pm.max_children" = 32;
@ -81,7 +101,7 @@ in {
PW=$(cat ${config.age.secrets."invoiceplane-db-password".path})
${pkgs.docker-client}/bin/docker exec -t invoiceplane-db mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/postgres.sql"
'';
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
};
};
}

39
hosts/pie/networking.nix
View file

@ -6,7 +6,6 @@
...
}: {
networking.useDHCP = false;
networking.hostId = "34234773";
networking.hostName = "pie";
networking.defaultGateway = {
@ -16,25 +15,37 @@
networking.interfaces.enabcm6e4ei0 = {
ipv4.addresses = [
{ address = "192.168.178.2"; prefixLength = 32; }
{
address = "192.168.178.2";
prefixLength = 32;
}
];
ipv6.addresses = [
{ address = "2a02:908:5b1:e3c0:2::"; prefixLength = 128; }
{ address = "fe80:b12f:acab:1312:acab:2::"; prefixLength = 128; }
{
address = "2a02:908:5b1:e3c0:2::";
prefixLength = 128;
}
{
address = "fe80:b12f:acab:1312:acab:2::";
prefixLength = 128;
}
];
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.hosts = {
"192.168.178.3" = ["droppie-initrd.b12f.io"];
};
services.openssh.openFirewall = true;
services.openssh.allowSFTP = true;
# Caddy reverse proxy for local services like cups
services.caddy = {
globalConfig = ''
default_bind 192.168.178.2 2a02:908:5b1:e3c0:2:: 10.0.1.2 fd00:b12f:acab:1312:acab:2::
# auto_https off
email acme@benjaminbaedorf.eu
# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
'';
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-pie.age";
pub-solar.wireguard.private = {
useDNS = false;
ownIPs = [
"10.13.12.2/32"
"fd00:b12f:acab:1312:acab:2::/96"
];
privateKeyFile = config.age.secrets.wg-private-key.path;
};
}

16
hosts/pie/nginx.nix Normal file
View file

@ -0,0 +1,16 @@
{
flake,
config,
pkgs,
lib,
...
}: {
services.nginx = {
defaultListenAddresses = [
"192.168.178.2"
# "2a02:908:5b1:e3c0:2::"
"10.13.12.2"
"[fd00:b12f:acab:1312:acab:2::]"
];
};
}

126
hosts/pie/paperless.nix
View file

@ -9,33 +9,94 @@ with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
dataDir = "${xdg.dataHome}/Paperless";
backupDir = "${xdg.dataHome}/PaperlessBackup";
consumptionDir = "/home/${psCfg.user.name}/.local/share/scandir";
dataDir = "/var/lib/paperless";
backupDir = "/var/lib/PaperlessBackup";
consumptionDir = "/var/lib/scandir";
scan2paperless = with pkgs;
writeShellScriptBin "scan2paperless" ''
DEVICE=$1
NUM_PAGES=$2
NAME=$3
if [ -z "''${DEVICE}" ] || [ -z "''${NUM_PAGES}" ] || [ -z "''${NAME}" ]; then
echo "Usage: scan2paperless <device> <num_pages> <name>"
exit 1
fi
tmpDir=$(${coreutils}/bin/mktemp -d)
files=()
for i in $(seq 1 $NUM_PAGES); do
fileName=$(${openssl}/bin/openssl rand -hex 12)
file="$tmpDir/$fileName.jpg"
echo "Start scanning page $i/$NUM_PAGES";
${sane-backends}/bin/scanimage -d $DEVICE --format=jpeg --resolution 300 --progress -o $file
echo "Finished scanning page $i";
files+=($file)
done
pdf="${consumptionDir}/$NAME.pdf"
${python3Packages.img2pdf}/bin/img2pdf --output $pdf ''${files[@]}
echo "PDF written to $pdf"
'';
in {
age.secrets."paperless.env" = {
file = "${flake.self}/secrets/paperless.env.age";
mode = "400";
owner = "paperless";
};
#################################
# Paperless service and proxy
#################################
security.acme.certs = {
"paperless.b12f.io" = {};
};
services.nginx.virtualHosts = {
"paperless.b12f.io" = {
forceSSL = true;
useACMEHost = "paperless.b12f.io";
extraConfig = "include /etc/nginx/conf-available/authelia-location.conf;";
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.paperless.port}";
locations."/".extraConfig = ''
include /etc/nginx/conf-available/proxy.conf;
include /etc/nginx/conf-available/authelia-authrequest.conf;
'';
};
};
services.paperless = {
enable = true;
user = psCfg.user.name;
consumptionDir = consumptionDir;
dataDir = dataDir;
address = "127.0.0.1";
extraConfig = {
settings = {
PAPERLESS_OCR_LANGUAGE = "nld+deu";
PAPERLESS_ADMIN_USER = psCfg.user.name;
PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
PAPERLESS_URL = "https://paperless.b12f.io";
PAPERLESS_DISABLE_REGULAR_LOGIN = "True";
PAPERLESS_ENABLE_HTTP_REMOTE_USER = "True";
PAPERLESS_EMAIL_TASK_CRON = "*/2 * * * *";
};
};
systemd.services.paperless-web.serviceConfig.EnvironmentFile = [config.age.secrets."paperless.env".path];
#################################
# Scanning
#################################
hardware.sane = {
enable = true;
extraBackends = [pkgs.hplipWithPlugin];
};
users.users."${psCfg.user.name}".packages = with pkgs; [
# scan2paperless
scan2paperless
sane-backends
python310Packages.img2pdf
];
home-manager.users."${psCfg.user.name}" = {
@ -47,27 +108,37 @@ in {
};
};
services.caddy = {
enable = true;
extraConfig = ''
paperless.b12f.io {
request_header Host localhost:${builtins.toString config.services.paperless.port}
reverse_proxy 127.0.0.1:${builtins.toString config.services.paperless.port}
#################################
# hosting.de invoice fetch
#################################
basicauth * {
b12f $2a$05$/xM7USOzLczswXmiacO6UOdg1YNPIw/KJMbMVerEkpsCtNUFwte4a
}
}
'';
age.secrets."hosting-de-invoice-sync-api-key" = {
file = "${flake.self}/secrets/hosting-de-invoice-sync-api-key.age";
mode = "400";
owner = "paperless";
};
services.cron = {
enable = true;
systemCronJobs = [
"30 1 * * * paperless ${pkgs.fetch-hostingde-invoices}/bin/fetch-hostingde-invoices '${config.age.secrets."hosting-de-invoice-sync-api-key".path}' '${consumptionDir}' /var/lib/fetch-hostingde-invoices/ids"
];
};
#################################
# Backups
#################################
systemd.tmpfiles.rules = [
"d '${backupDir}' 0700 ${psCfg.user.name} users - -"
"d '${dataDir}' 0700 paperless users - -"
"d '${backupDir}' 0700 paperless users - -"
"d '${consumptionDir}' 0700 paperless users - -"
"d /tmp/paperless 0700 paperless users - -"
"d /var/lib/fetch-hostingde-invoices 0700 paperless users - -"
];
age.secrets."rclone-pie.conf" = {
file = "${flake.self}/secrets/rclone-pie.conf.age";
path = "/root/.config/rclone/rclone.conf";
age.secrets."rclone-pubsolar.conf" = {
file = "${flake.self}/secrets/rclone-pubsolar.conf.age";
mode = "400";
};
@ -78,13 +149,16 @@ in {
services.restic.backups = {
paperless = {
paths = [ backupDir ];
paths = [
backupDir
"/var/lib/fetch-hostingde-invoices"
];
initialize = true;
passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/backups/Paperless";
backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
};
};
}

52
hosts/pie/unbound.nix
View file

@ -31,6 +31,7 @@
networking.firewall.allowedUDPPorts = [53];
networking.firewall.allowedTCPPorts = [53];
services.resolved.enable = false;
services.unbound = {
enable = true;
@ -44,9 +45,6 @@
"::1"
"192.168.178.2"
"2a02:908:5b1:e3c0:2::"
"10.0.1.2"
"fd00:b12f:acab:1312:acab:2::"
];
access-control = [
@ -54,47 +52,30 @@
# Allow from local network
"192.168.178.0/24 allow"
"2a02:908:5b1:e3c0::/64 allow"
"fd00:b12f:acab:1312:acab::/64 allow"
# Allow from wireguard
"10.0.1.0/24 allow"
"192.168.178.0/24 allow"
"fd00:b12f:acab:1312::/64 allow"
];
local-zone = [
"\"b12f.io\" static"
"\"local\" static"
"\"box\" static"
];
local-data = [
"\"brwb8763f64a364.local. 10800 IN A 192.168.178.4\""
"\"droppie.local. 10800 IN A 192.168.178.3\""
"\"droppie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:3::\""
"\"droppie.b12f.io. 10800 IN A 10.0.1.3\""
"\"droppie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
"\"backup.b12f.io. 10800 IN A 10.0.1.3\""
"\"backup.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:3::\""
"\"pie.local. 10800 IN A 192.168.178.2\""
"\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:2::\""
"\"pie.local. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"pie.b12f.io. 10800 IN A 192.168.178.2\""
"\"firefly.b12f.io. 10800 IN A 192.168.178.2\""
"\"firefly-importer.b12f.io. 10800 IN A 192.168.178.2\""
"\"paperless.b12f.io. 10800 IN A 192.168.178.2\""
"\"invoicing.b12f.io. 10800 IN A 192.168.178.2\""
"\"auth.b12f.io. 10800 IN A 192.168.178.2\""
"\"pie.b12f.io. 10800 IN A 10.0.1.2\""
"\"pie.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"firefly.b12f.io. 10800 IN A 10.0.1.2\""
"\"firefly.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"firefly-importer.b12f.io. 10800 IN A 10.0.1.2\""
"\"firefly-importer.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"paperless.b12f.io. 10800 IN A 10.0.1.2\""
"\"paperless.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"invoicing.b12f.io. 10800 IN A 10.0.1.2\""
"\"invoicing.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"vpn.b12f.io. 10800 IN A 128.140.109.213\""
"\"vpn.b12f.io. 10800 IN AAAA 2a01:4f8:c2c:b60::\""
"\"frikandel.b12f.io. 10800 IN A 10.0.1.7\""
"\"frikandel.b12f.io. 10800 IN AAAA fd00:b12f:acab:1312:acab:7::\""
"\"droppie.b12f.io. 10800 IN A 192.168.178.3\""
"\"media.b12f.io. 10800 IN A 192.168.178.3\""
"\"fritz.box. 10800 IN A 192.168.178.1\""
"\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
@ -102,16 +83,14 @@
tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
};
forward-zone = [
{
name = ".";
forward-addr = [
"193.110.81.0#dns0.eu"
"2a0f:fc80::#dns0.eu"
"185.253.5.0#dns0.eu"
"2a0f:fc81::#dns0.eu"
"192.168.178.7"
"fd00:b12f:acab:1312:acab:7::"
];
# forward-tls-upstream = "yes";
}
];
@ -124,5 +103,4 @@
};
};
};
}

3
hosts/pie/wake-droppie.nix
View file

@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
services.cron = {
enable = true;
systemCronJobs = [

82
hosts/pie/wireguard.nix
View file

@ -1,82 +0,0 @@
{
flake,
config,
pkgs,
lib,
...
}: with lib; {
age.secrets.wg-private-key-server.file = "${flake.self}/secrets/wg-private-pie.age";
networking.firewall.allowedUDPPorts = [ 51899 ];
systemd.services.wg-quick-wg0 = {
after = [
"network.target"
"network-online.target"
"nss-lookup.target"
];
serviceConfig = {
Type = mkForce "simple";
Restart = "on-failure";
RestartSec = "30";
};
environment = {
WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
};
};
# Enable WireGuard
networking.wg-quick.interfaces = {
wg0 = {
listenPort = 51899;
address = [
"10.0.1.2/32"
"fd00:b12f:acab:1312:acab:2::/96"
];
privateKeyFile = "/run/agenix/wg-private-key-server";
peers = [
{ # frikandel
publicKey = "p6YKNYBlySKfhTN+wbSsKdoNjzko/XSAiTAlCJzP1jA=";
allowedIPs = [
"10.0.1.0/24"
"fd00:b12f:acab:1312::/64"
];
endpoint = "vpn.b12f.io:51899";
persistentKeepalive = 25;
}
{ # droppie
publicKey = "qsnBMoj9Z16D8PJ5ummRtIfT5AiMpoF3SoOCo4sbyiw=";
allowedIPs = [
"10.0.1.3/32"
"fd00:b12f:acab:1312:acab:3::/96"
];
persistentKeepalive = 25;
}
{ # chocolatebar
publicKey = "nk8EtGE/QsnSEm1lhLS3/w83nOBD2OGYhODIf92G91A=";
allowedIPs = [
"10.0.1.5/32"
"fd00:b12f:acab:1312:acab:5::/96"
];
persistentKeepalive = 25;
}
{ # biolimo
publicKey = "4ymN7wwBuhF+h+5fFN0TqXmVyOe1AsWiTqRL0jJ3CDc=";
allowedIPs = [
"10.0.1.6/32"
"fd00:b12f:acab:1312:acab:6::/96"
];
persistentKeepalive = 25;
}
];
};
};
}

6
hosts/stroopwafel/.config/sway/config.d/autostart.conf Normal file
View file

@ -0,0 +1,6 @@
# Autostart applications
#
# Example:
# exec swayidle
exec keepassxc

9
hosts/stroopwafel/.config/sway/config.d/input-defaults.conf Normal file
View file

@ -0,0 +1,9 @@
input "2362:597:PNP0C50:00_093A:0255_Touchpad" {
dwt enabled
tap enabled
middle_emulation enabled
}
input * {
xkb_layout us(intl),de
xkb_options ctrl:nocaps
}

7
hosts/stroopwafel/.config/sway/config.d/screens.conf Normal file
View file

@ -0,0 +1,7 @@
set $internal eDP-1
set $middle "Hewlett Packard HP E231 3CQ4290S5J"
set $standup "Hewlett Packard HP E231 3CQ4251F33"
output $internal {
scale 1.4
}

45
hosts/stroopwafel/configuration.nix Normal file
View file

@ -0,0 +1,45 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
boot.plymouth.enable = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.preLVMCommands = "udevadm trigger --settle";
boot.swraid.enable = true;
boot.swraid.mdadmConf = ''
DEVICE /dev/nvme0n1p2 /dev/nvme1n1p2
ARRAY /dev/md/nixos:root metadata=1.2 name=nixos:root UUID=67d1aa81:1b348887:c17a75e8:f2edf2bd
MAILADDR ${psCfg.user.email}
'';
pub-solar.core.hibernation.enable = true;
pub-solar.core.hibernation.resumeDevice = "/dev/mapper/vg0-swap";
pub-solar.terminal-life.full = true;
home-manager.users."${psCfg.user.name}" = {
xdg.configFile = {
"sway/config.d/10-screens.conf".source = ./.config/sway/config.d/screens.conf;
"sway/config.d/10-autostart.conf".source = ./.config/sway/config.d/autostart.conf;
"sway/config.d/10-input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
}

9
hosts/stroopwafel/default.nix Normal file
View file

@ -0,0 +1,9 @@
{...}: {
imports = [
./configuration.nix
./hardware-configuration.nix
./networking.nix
./openstreetmap.nix
];
}

69
hosts/stroopwafel/hardware-configuration.nix Normal file
View file

@ -0,0 +1,69 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-id/md-name-nixos:root";
allowDiscards = true;
};
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/EC82-67F4";
fsType = "vfat";
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/0cc568f0-402d-4535-980a-ed3a1dc697b9";
fsType = "ext4";
# https://github.com/ryantm/agenix/issues/45#issuecomment-957865406
neededForBoot = true;
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/e203d629-4d34-4147-bee6-919f0bfa25de";
fsType = "ext4";
};
fileSystems."/persist" = {
device = "/dev/disk/by-uuid/a0855aaa-76bf-445e-b0d1-ab1552e5496f";
fsType = "ext4";
# https://github.com/ryantm/agenix/issues/45#issuecomment-957865406
neededForBoot = true;
};
swapDevices = [
{device = "/dev/disk/by-uuid/761507ab-479d-414b-ac3e-2149564ca470";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0f4u1u4.useDHCP = lib.mkDefault true;
networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

63
hosts/stroopwafel/networking.nix Normal file
View file

@ -0,0 +1,63 @@
{
flake,
config,
pkgs,
lib,
...
}: {
networking.hostName = "stroopwafel";
networking.wireless.iwd.enable = true;
age.secrets.wg-private-key.file = "${flake.self}/secrets/wg-private-stroopwafel.age";
pub-solar.wireguard.private = {
ownIPs = [
"10.13.12.8/32"
"fd00:b12f:acab:1312:acab:8::/96"
];
privateKeyFile = config.age.secrets.wg-private-key.path;
};
age.secrets.wg-tunnel-key.file = "${flake.self}/secrets/wg-tunnel-stroopwafel.age";
pub-solar.wireguard.tunnel = {
ownIPs = [
"10.65.141.174/32"
"fc00:bbbb:bbbb:bb01::2:8dad/128"
];
privateKeyFile = config.age.secrets.wg-tunnel-key.path;
peer = {
publicKey = "5FZW+fNA2iVBSY99HFl+KjGc9AFVNE+UFAedLNhu8lc=";
endpoint = "146.70.134.2:3565";
};
};
age.secrets.wg-pub-solar-key.file = "${flake.self}/secrets/wg-pub-solar-stroopwafel.age";
pub-solar.wireguard.pub-solar = {
ownIPs = [
"10.7.6.200/32"
"fd00:fae:fae:fae:fae:200::/96"
];
privateKeyFile = config.age.secrets.wg-pub-solar-key.path;
};
age.secrets.wg-momo-key.file = "${flake.self}/secrets/wg-momo-stroopwafel.age";
pub-solar.wireguard.momo = {
ownIPs = [
"10.30.30.200/32"
"fd00:3030:3030:3030:3030:200::/96"
];
privateKeyFile = config.age.secrets.wg-momo-key.path;
};
age.secrets.wg-ehex-key.file = "${flake.self}/secrets/wg-ehex-stroopwafel.age";
pub-solar.wireguard.ehex = {
ownIPs = [
"10.42.0.135/22"
];
privateKeyFile = config.age.secrets.wg-ehex-key.path;
};
}

24
hosts/stroopwafel/openstreetmap.nix Normal file
View file

@ -0,0 +1,24 @@
{
flake,
config,
pkgs,
lib,
...
}: {
services.openstreetmap = {
enable = true;
debug = true;
totalRamGb = 14;
};
environment.persistence."/persist" = {
directories = [
"/var/lib/renderd"
"/var/lib/postgresql"
];
};
systemd.tmpfiles.rules = [
"d /persist/var/lib/renderd 0700 renderd renderd"
];
}

12
hosts/stroopwafel/step-roots.pem Normal file
View file

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIB3DCCAYKgAwIBAgIRAKlV2S+BzAlsxoFGjtf8Bf8wCgYIKoZIzj0EAwIwTDEg
MB4GA1UEChMXT3BlblByb2plY3QgRGV2ZWxvcG1lbnQxKDAmBgNVBAMTH09wZW5Q
cm9qZWN0IERldmVsb3BtZW50IFJvb3QgQ0EwHhcNMjMwNzA1MTIwMjM1WhcNMzMw
NzAyMTIwMjM1WjBMMSAwHgYDVQQKExdPcGVuUHJvamVjdCBEZXZlbG9wbWVudDEo
MCYGA1UEAxMfT3BlblByb2plY3QgRGV2ZWxvcG1lbnQgUm9vdCBDQTBZMBMGByqG
SM49AgEGCCqGSM49AwEHA0IABICa0iNxImT7/HtI9Am8AowzFdPaLuDC1NJwKRnA
tglghS2HmAXkzxoUW8UZ91TTNEmesNGW/nT/rpvSfZt9FtmjRTBDMA4GA1UdDwEB
/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBTCCyuQg8z8pOxd
UGcsZDT4KzFS3DAKBggqhkjOPQQDAgNIADBFAiEA3+ZUCj3SJ1estz4kyQyoIXVb
gXk2rFHQQgIDSbRPoL0CIEu4u9YTxjRg7DdnARh4CPWi63VSZ5iwIbeuzEi4PO8q
-----END CERTIFICATE-----

3
lib/add-local-hostname.nix
View file

@ -1,5 +1,4 @@
{ lib }:
hostnames: {
{lib}: hostnames: {
"127.0.0.1" = hostnames;
"::1" = hostnames;
}

7
lib/default.nix
View file

@ -1,4 +1,8 @@
{ lib, inputs, ... }: {
{
lib,
inputs,
...
}: {
# Configuration common to all Linux systems
flake = {
lib = let
@ -13,6 +17,7 @@
deploy = import ./deploy.nix {inherit inputs lib;};
addLocalHostname = callLibs ./add-local-hostname.nix;
recursiveMerge = callLibs ./recursive-merge.nix;
mkEmailAddress = account: domain: account + "@" + domain;
};
};
}

27
lib/deploy.nix
View file

@ -4,8 +4,10 @@
*
* Licensed under the MIT license
*/
{ lib, inputs }: let
{
lib,
inputs,
}: let
getFqdn = c: let
net = c.config.networking;
fqdn =
@ -49,11 +51,28 @@ in {
lib.recursiveUpdate
(lib.mapAttrs
(
_: c: {
_: c: let
system = c.pkgs.stdenv.hostPlatform.system;
# Unmodified nixpkgs
pkgs = import inputs.nixpkgs {inherit system;};
# nixpkgs with deploy-rs overlay but force the nixpkgs package
deployPkgs = import inputs.nixpkgs {
inherit system;
overlays = [
inputs.deploy-rs.overlay # or deploy-rs.overlays.default
(self: super: {
deploy-rs = {
inherit (pkgs) deploy-rs;
lib = super.deploy-rs.lib;
};
})
];
};
in {
hostname = getFqdn c;
profiles.system = {
user = "root";
path = inputs.deploy-rs.lib.${c.pkgs.stdenv.hostPlatform.system}.activate.nixos c;
path = deployPkgs.deploy-rs.lib.activate.nixos c;
};
}
)

6
lib/recursive-merge.nix
View file

@ -1,6 +1,4 @@
{ lib }:
attrList:
let
{lib}: attrList: let
f = attrPath:
zipAttrsWith (
n: values:
@ -13,4 +11,4 @@ let
else last values
);
in
f [] attrList;
f [] attrList

29
modules/acme/default.nix Normal file
View file

@ -0,0 +1,29 @@
{
flake,
config,
pkgs,
lib,
...
}: {
age.secrets."hosting-de-acme-secrets" = {
file = "${flake.self}/secrets/hosting-de-acme-secrets.age";
mode = "400";
owner = "acme";
};
security.acme = {
acceptTerms = true;
defaults = {
email = "acme@benjaminbaedorf.eu";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsProvider = "hostingde";
dnsPropagationCheck = true;
# We check via dns0 directly or unbound will be in our way
dnsResolver = "193.110.81.0";
credentialsFile = config.age.secrets."hosting-de-acme-secrets".path;
group = "nginx";
webroot = null;
};
};
}

3
modules/audio/default.nix
View file

@ -20,7 +20,6 @@ in {
# Needed for pactl cmd, until pw-cli is more mature (vol up/down hotkeys?)
pulseaudio
vimpc
spotify-tui
];
};
@ -29,7 +28,7 @@ in {
systemd.user.services.easyeffects = import ./easyeffects.service.nix pkgs;
services.spotifyd = {
enable = true;
enable = false;
settings = {
global = {
username = "spotify@benjaminbaedorf.eu";

13
modules/bluetooth/default.nix
View file

@ -17,11 +17,24 @@
# Enables experimental features and interfaces.
# Makes BlueZ Battery Provider available
Experimental = true;
AutoEnable = true;
};
};
};
services.blueman.enable = true;
home-manager.users."${config.pub-solar.user.name}" = {
services.blueman-applet.enable = true;
systemd.user.services.blueman-applet = {
Unit = {
BindsTo = ["sway-session.target"];
After = lib.mkForce ["sway-session.target"];
Requires = lib.mkForce [ ];
};
Install.WantedBy = [ "sway-session.target" ];
};
};
environment.etc."wireplumber/bluetooth.lua.d/51-bluez-config.lua" = {
text = ''
bluez_monitor.properties = {

17
modules/core/boot.nix
View file

@ -7,27 +7,12 @@
with lib; let
cfg = config.pub-solar.core;
in {
options.pub-solar.core.disk-encryption-active = mkOption {
type = types.bool;
default = true;
description = "Whether it should be assumed that there is a cryptroot device";
};
config = {
boot = {
# Mount / luks device in initrd
# Allow fstrim to work on it.
# The ! makes this enabled by default
initrd = mkIf cfg.disk-encryption-active {
luks.devices."cryptroot" = {
allowDiscards = true;
};
};
loader.systemd-boot.enable = lib.mkDefault true;
# Use latest LTS linux kernel by default
kernelPackages = lib.mkDefault pkgs.linuxPackages_6_1;
kernelPackages = pkgs.linuxPackages_6_6_hardened;
# Support ntfs drives
supportedFilesystems = ["ntfs"];

19
modules/core/default.nix
View file

@ -13,26 +13,9 @@ in {
./i18n.nix
./networking.nix
./packages.nix
./hardening.nix
];
# Service that makes Out of Memory Killer more effective
services.earlyoom.enable = true;
services.logind.lidSwitch = "hibernate";
services.tor.settings = {
UseBridges = true;
};
# The options below are directly taken from or inspired by
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
# Limit the use of sudo to the group wheel
security.sudo.execWheelOnly = true;
# Remove the complete default environment of packages like
# nano, perl and rsync
environment.defaultPackages = lib.mkForce [];
# fileSystems."/".options = [ "noexec" ];
}

41
modules/core/hardening.nix Normal file
View file

@ -0,0 +1,41 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.pub-solar.core;
psCfg = config.pub-solar;
in {
services.tor.settings = {
UseBridges = true;
};
# Always go to encrypted hibernation instead of sleep
services.logind.lidSwitch = "hibernate";
# The options below are directly taken from or inspired by
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
# Limit the use of sudo to the group wheel
security.sudo.execWheelOnly = true;
# Remove the complete default environment of packages like
# nano, perl and rsync
environment.defaultPackages = lib.mkForce [];
# fileSystems."/".options = [ "noexec" ];
# disable coredump that could be exploited later
# and also slow down the system when something crash
systemd.coredump.enable = false;
# required to run chromium
security.chromiumSuidSandbox.enable = true;
# enable antivirus clamav and
# keep the signatures' database updated
services.clamav.daemon.enable = true;
services.clamav.updater.enable = true;
}

24
modules/core/networking.nix
View file

@ -9,10 +9,9 @@
systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;
networking.hosts = (flake.self.lib.addLocalHostname ["caddy.local"]) // {
"128.140.109.213" = [ "vpn.b12f.io" ];
"2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" ];
"2a02:908:5b1:e3c0:2::" = [ "pie-wg.b12f.io" ];
networking.hosts = {
"128.140.109.213" = [ "vpn.b12f.io" "frikandel-initrd.b12f.io" ];
"2a01:4f8:c2c:b60::" = [ "vpn.b12f.io" "frikandel-initrd.b12f.io" ];
};
networking.networkmanager = {
@ -24,6 +23,23 @@
networking.firewall.enable = true;
networking.nftables.enable = true;
services.resolved = {
enable = lib.mkDefault true;
fallbackDns = [
"193.110.81.0#dns0.eu"
"2a0f:fc80::#dns0.eu"
"185.253.5.0#dns0.eu"
"2a0f:fc81::#dns0.eu"
];
dnssec = "false";
extraConfig = ''
DNSOverTLS=opportunistic
'';
};
# Don't expose SSH via public interfaces
networking.firewall.interfaces.wg-private.allowedTCPPorts = [22];
# For rage encryption, all hosts need a ssh key pair
services.openssh = {
enable = true;

2
modules/core/packages.nix
View file

@ -23,6 +23,8 @@ in {
gitMinimal
rsync
btop
];
}

29
modules/crypto/default.nix
View file

@ -7,27 +7,30 @@
with lib; let
psCfg = config.pub-solar;
in {
services.udev.packages = [pkgs.yubikey-personalization];
services.dbus.packages = [pkgs.gcr];
services.pcscd.enable = true;
services.udev.packages = [pkgs.yubikey-personalization];
services.gnome.gnome-keyring.enable = true;
hardware.gpgSmartcards.enable = true; # for yubikey
users.users."${psCfg.user.name}".packages = with pkgs; [
libsecret
gnupg
];
programs.ssh.startAgent = false;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
enableExtraSocket = true;
pinentryPackage = pkgs.pinentry-gnome3;
};
home-manager.users."${psCfg.user.name}" = {
systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs;
services.gpg-agent = {
enable = true;
pinentryFlavor = "gnome3";
verbose = true;
};
programs.gpg = {
enable = true;
};
home.file.".gnupg/scdaemon.conf".text = ''
reader-port Yubico Yubi
disable-ccid
'';
};
}

245
modules/ddclient/default.nix
View file

@ -1,245 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.ddclient;
boolToStr = bool: if bool then "yes" else "no";
dataDir = "/var/lib/ddclient";
StateDirectory = builtins.baseNameOf dataDir;
RuntimeDirectory = StateDirectory;
usev4 = if cfg.usev4 != "" then "usev4=${cfg.usev4}" else "";
usev6 = if cfg.usev6 != "" then "usev6=${cfg.usev6}" else "";
configFile' = pkgs.writeText "ddclient.conf" ''
# This file can be used as a template for configFile or is automatically generated by Nix options.
use=no
${usev4}
${usev6}
cache=${dataDir}/ddclient.cache
foreground=yes
login=${cfg.username}
password=${if cfg.protocol == "nsupdate" then "/run/${RuntimeDirectory}/ddclient.key" else "@password_placeholder@"}
protocol=${cfg.protocol}
${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
${lib.optionalString (cfg.zone != "") "zone=${cfg.zone}"}
ssl=${boolToStr cfg.ssl}
wildcard=yes
quiet=${boolToStr cfg.quiet}
verbose=${boolToStr cfg.verbose}
${cfg.extraConfig}
${lib.concatStringsSep "," cfg.domains}
'';
configFile = if (cfg.configFile != null) then cfg.configFile else configFile';
preStart = ''
install --mode=600 --owner=$USER ${configFile} /run/${RuntimeDirectory}/ddclient.conf
${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then ''
install --mode=600 --owner=$USER ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key
'' else if (cfg.passwordFile != null) then ''
"${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf"
'' else ''
sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf
'')}
'';
in with lib; {
disabledModules = [
"services/networking/ddclient.nix"
];
imports = [
(mkChangedOptionModule [ "services" "ddclient" "domain" ] [ "services" "ddclient" "domains" ]
(config:
let value = getAttrFromPath [ "services" "ddclient" "domain" ] config;
in if value != "" then [ value ] else []))
(mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "")
(mkRemovedOptionModule [ "services" "ddclient" "password" ] "Use services.ddclient.passwordFile instead.")
];
###### interface
options = {
services.ddclient = with lib.types; {
enable = mkOption {
default = false;
type = bool;
description = lib.mdDoc ''
Whether to synchronise your machine's IP address with a dynamic DNS provider (e.g. dyndns.org).
'';
};
package = mkOption {
type = package;
default = pkgs.ddclient;
defaultText = lib.literalExpression "pkgs.ddclient";
description = lib.mdDoc ''
The ddclient executable package run by the service.
'';
};
domains = mkOption {
default = [ "" ];
type = listOf str;
description = lib.mdDoc ''
Domain name(s) to synchronize.
'';
};
username = mkOption {
# For `nsupdate` username contains the path to the nsupdate executable
default = lib.optionalString (config.services.ddclient.protocol == "nsupdate") "${pkgs.bind.dnsutils}/bin/nsupdate";
defaultText = "";
type = str;
description = lib.mdDoc ''
User name.
'';
};
passwordFile = mkOption {
default = null;
type = nullOr str;
description = lib.mdDoc ''
A file containing the password or a TSIG key in named format when using the nsupdate protocol.
'';
};
interval = mkOption {
default = "10min";
type = str;
description = lib.mdDoc ''
The interval at which to run the check and update.
See {command}`man 7 systemd.time` for the format.
'';
};
configFile = mkOption {
default = null;
type = nullOr path;
description = lib.mdDoc ''
Path to configuration file.
When set this overrides the generated configuration from module options.
'';
example = "/root/nixos/secrets/ddclient.conf";
};
protocol = mkOption {
default = "dyndns2";
type = str;
description = lib.mdDoc ''
Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols).
'';
};
server = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
Server address.
'';
};
ssl = mkOption {
default = true;
type = bool;
description = lib.mdDoc ''
Whether to use SSL/TLS to connect to dynamic DNS provider.
'';
};
quiet = mkOption {
default = false;
type = bool;
description = lib.mdDoc ''
Print no messages for unnecessary updates.
'';
};
script = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
script as required by some providers.
'';
};
usev4 = mkOption {
default = "webv4, webv4=checkip.dyndns.com/, webv4-skip='Current IP Address: '";
type = str;
description = lib.mdDoc ''
Method to determine the IP address to send to the dynamic DNS provider.
'';
};
usev6 = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
Method to determine the IP address to send to the dynamic DNS provider.
'';
};
verbose = mkOption {
default = false;
type = bool;
description = lib.mdDoc ''
Print verbose information.
'';
};
zone = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
zone as required by some providers.
'';
};
extraConfig = mkOption {
default = "";
type = lines;
description = lib.mdDoc ''
Extra configuration. Contents will be added verbatim to the configuration file.
::: {.note}
`daemon` should not be added here because it does not work great with the systemd-timer approach the service uses.
:::
'';
};
};
};
###### implementation
config = mkIf config.services.ddclient.enable {
systemd.services.ddclient = {
description = "Dynamic DNS Client";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartTriggers = optional (cfg.configFile != null) cfg.configFile;
serviceConfig = {
DynamicUser = true;
RuntimeDirectoryMode = "0700";
inherit RuntimeDirectory;
inherit StateDirectory;
Type = "oneshot";
ExecStartPre = "!${pkgs.writeShellScript "ddclient-prestart" preStart}";
ExecStart = "${lib.getBin cfg.package}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
};
};
systemd.timers.ddclient = {
description = "Run ddclient";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = cfg.interval;
OnUnitInactiveSec = cfg.interval;
};
};
};
}

9
modules/default.nix
View file

@ -5,26 +5,28 @@
}: {
flake = {
nixosModules = rec {
acme = import ./acme;
adb = import ./adb;
arduino = import ./arduino;
audio = import ./audio;
bluetooth = import ./bluetooth;
core = import ./core;
crypto = import ./crypto;
ddclient = import ./ddclient;
desktop-extended = import ./desktop-extended;
docker = import ./docker;
gaming = import ./gaming;
graphical = import ./graphical;
invoiceplane = import ./invoiceplane;
nix = import ./nix;
nextcloud = import ./nextcloud;
office = import ./office;
persistence = import ./persistence;
portable = import ./portable;
printing = import ./printing;
proxy = import ./proxy;
terminal-life = import ./terminal-life;
user = import ./user;
virtualisation = import ./virtualisation;
wireguard-client = import ./wireguard-client;
wireguard = import ./wireguard;
wireshark = import ./wireshark;
base.imports = [
@ -36,6 +38,7 @@
self.nixosModules.crypto
self.nixosModules.nix
self.nixosModules.terminal-life
self.nixosModules.wireguard
self.nixosModules.root
self.nixosModules.user

16
modules/desktop-extended/default.nix
View file

@ -11,36 +11,28 @@ in {
hardware.logitech.wireless.enable = true;
users.users."${psCfg.user.name}".packages = with pkgs; [
ungoogled-chromium
wine
ungoogled-chromium
gimp
present-md
inkscape
gpxsee
digikam
nix-output-monitor
tigervnc
nodejs
solaar
insomnia
concourse
signal-desktop
tdesktop
element-desktop
irssi
# Nix specific utilities
alejandra
manix
nix-index
nix-tree
nvd
element-b12f
element-mezza
];
fonts = {
fonts = with pkgs; [
packages = with pkgs; [
dejavu_fonts
fira-code
fira-code-symbols

2
modules/gaming/default.nix
View file

@ -14,7 +14,7 @@ in {
users.users."${psCfg.user.name}".packages = with pkgs; [
playonlinux
godot
godot3
obs-studio
obs-studio-plugins.wlrobs
];

22
modules/graphical/.config/mako/config
View file

@ -1,22 +0,0 @@
padding=10
margin=5,5,0
default-timeout=5000
## Base16 Burn
# Author: Benjamin Bädorf
#
# You can use these variables anywhere in the mako configuration file.
background-color=#1a181a
text-color=#e3e1e4
border-color=#ff5f5f
[urgency=low]
background-color=#1a181a
text-color=#e3e1e4
border-color=#ff5f5f
[urgency=high]
background-color=#ff5f5f
text-color=#1a181a
border-color=#1a181a

15
modules/graphical/.config/user-dirs.dirs
View file

@ -1,15 +0,0 @@
# This file is written by xdg-user-dirs-update
# If you want to change or add directories, just edit the line you're
# interested in. All local changes will be retained on the next run.
# Format is XDG_xxx_DIR="$HOME/yyy", where yyy is a shell-escaped
# homedir-relative path, or XDG_xxx_DIR="/yyy", where /yyy is an
# absolute path. No other format is supported.
XDG_DESKTOP_DIR="$HOME/"
XDG_DOWNLOAD_DIR="$HOME/Downloads"
XDG_TEMPLATES_DIR="$HOME/Templates"
XDG_PUBLICSHARE_DIR="$HOME/Public"
XDG_DOCUMENTS_DIR="$HOME/"
XDG_MUSIC_DIR="$HOME/"
XDG_PICTURES_DIR="$HOME/"
XDG_VIDEOS_DIR="$HOME/"

23
modules/graphical/.config/waybar/colorscheme.css
View file

@ -1,23 +0,0 @@
/*
*
* Base16 Burn
* Author: Benjamin Bädorf
*
*/
@define-color base00 #1a181a;
@define-color base01 #2d2a2e;
@define-color base02 #303030;
@define-color base03 #949494;
@define-color base04 #d3d1d4;
@define-color base05 #e3e1e4;
@define-color base06 #303030;
@define-color base07 #ff5f5f;
@define-color base08 #f85e84;
@define-color base09 #df5923;
@define-color base0A #e5c463;
@define-color base0B #9ecd6f;
@define-color base0C #ef9062;
@define-color base0D #7accd7;
@define-color base0E #ab9df2;
@define-color base0F #d70000;

116
modules/graphical/.config/waybar/config
View file

@ -1,116 +0,0 @@
{
"layer": "top", // Waybar at top layer
// "position": "bottom", // Waybar position (top|bottom|left|right)
"height": 26, // Waybar height
"modules-left": ["sway/workspaces", "sway/mode"],
//"modules-center": ["mpd"],
"modules-right": ["sway/language", "pulseaudio", "network", "idle_inhibitor", "battery", "clock", "tray"],
"sway/workspaces": {
"disable-scroll": true
},
"sway/mode": {
"tooltip": false,
"format": "{}"
},
"sway/window": {
"tooltip": false,
"max-length": 96
},
"sway/language": {
"format": "{}",
"max-length": 50
},
"tray": {
"icon-size": 21,
"spacing": 10
},
"clock": {
"tooltip-format": "<tt><small>{calendar}</small></tt>",
"format-alt": "{:%a %d. %h %H:%M}",
//"on-scroll": {
// "calendar": 1
//}
"calendar": {
"mode-mon-col" : 3,
"on-scroll": -1,
"on-click-right": "mode",
"format": {
"months": "<span color='#ffead3'><b>{}</b></span>",
"days": "<span color='#ecc6d9'><b>{}</b></span>",
"weekdays": "<span color='#ffcc66'><b>{}</b></span>",
"today": "<span color='#ff6699'><b><u>{}</u></b></span>"
},
},
},
"backlight": {
// "device": "acpi_video1",
"tooltip": true,
"tooltip-format": "Brightness: <big>{percent}%</big>",
"format": "<span font='10'>{icon}</span>",
"format-icons": ["", ""]
},
"cpu": {
"format": "{}% "
},
"memory": {
"format": "{}% "
},
"idle_inhibitor": {
"format": "<span font='10'>{icon} </span>",
"format-icons": {
"activated": "",
"deactivated": ""
}
},
"battery": {
"tooltip": false,
"states": {
"critical": 25
},
"full-at": 84,
"format": "<span font='10'>{icon}</span> {capacity}%",
"format-full": "<span font='10'>{icon}</span>",
"format-icons": ["", "", "", "", ""],
},
"network": {
"interval": 3,
"tooltip": true,
//"interface": "wlp4s0", // (Optional) To force the use of this interface   \uF2E7,
"format-wifi": "<span font='10'></span> \uf062 {bandwidthUpBits} | \uf063 {bandwidthDownBits}",
"format-ethernet": "<span font='10'></span> \uf062 {bandwidthUpBits} | \uf063 {bandwidthDownBits}",
"format-disconnected": "",
"tooltip-format-wifi": "{essid} ({signalStrength}%)  {ipaddr}",
"tooltip-format-ethernet": "{ifname}  {ipaddr}"
},
//\ue04f{volume}%
"pulseaudio": {
"tooltip": false,
"format": "{volume}% <span font='10'>{icon}</span>",
"format-bluetooth": "{volume}% <span font='10'>{icon}</span>",
"format-muted": "",
"on-click": "pavucontrol",
"format-alt": "{volume}% <span font='10'>{icon}</span>",
"format-icons": {
"headphones": "",
"handsfree": "",
"headset": "",
"phone": "",
"portable": "",
"car": "",
"default": ["","", ""]
}
},
"mpd": {
"format": "{artist} - {title} <span color=\"#999999\">[<span color=\"#ffffff\">{elapsedTime:%M:%S}</span> / {totalTime:%M:%S}]</span>",
"format-disconnected": "",
"format-stopped": "",
"interval": 1,
"state-icons": {
"paused": "",
"playing": ""
},
"tooltip-format": "MPD (connected)",
"tooltip-format-disconnected": "MPD (disconnected)"
}
}

22
modules/graphical/.config/waybar/style.css
View file

@ -1,5 +1,3 @@
@import "./colorscheme.css";
* {
min-height: 0;
border: none;
@ -8,7 +6,7 @@
window#waybar {
font-family: Hack, FontAwesome;
font-weight: 500;
font-size: 14px;
font-size: 16px;
background: rgba(11, 12, 13, 0.90);
border-bottom: 1px solid rgba(0, 0, 2, 0.53);
color: @base04;
@ -16,7 +14,7 @@ window#waybar {
#workspaces button {
font-size: 14px;
font-size: 16px;
box-shadow: none;
text-shadow: none;
padding: 0px 3px 0px 3px;
@ -36,18 +34,20 @@ window#waybar {
}
#clock, #backlight, #battery, #cpu, #memory, #network, #pulseaudio, #custom-spotify, #tray, #mode {
font-size: 14px;
margin: 0px 10px 0px 5px;
font-size: 16px;
}
#clock {
margin-right: 12px;
}
#pulseaudio {
/* border-top: 1px solid transparent; */
font-size: 12px;
margin-left: 15px;
font-size: 16px;
}
#battery {
font-size: 12px;
font-size: 16px;
}
#battery.critical {
@ -57,7 +57,7 @@ window#waybar {
color: @base0B;
}
#battery.full {
margin: 0px 0px 0px 0px;
color: @base0D;
}
@ -65,13 +65,11 @@ window#waybar {
border-top: 1px solid transparent;
}
#network.disconnected {
margin: 0px 0px 0px 0px;
color: rgba(75, 81, 98, 0);
}
#pulseaudio.muted {
margin: 0px 0px 0px 0px;
color: rgba(75, 81, 98, 0);
}

18
modules/graphical/.config/xsettingsd/xsettingsd.conf
View file

@ -1,18 +0,0 @@
Gtk/ButtonImages 1
Gtk/CanChangeAccels 1
Gtk/CursorThemeName "default"
Gtk/CursorThemeSize 0
Gtk/EnableEventSounds 0
Gtk/EnableInputFeedbackSounds 0
Gtk/FontName "Lato"
Gtk/ThemeName "Matcha-dark-aliz"
Gtk/IconThemeName "Papirus-Adapta-Nokto-Maia"
Gtk/MenuBarAccel "F10"
Gtk/MenuImages 1
Gtk/ToolbarIconSize 3
Gtk/ToolbarStyle "icons"
Xft/Antialias 1
Xft/DPI 102400
Xft/Hinting 1
Xft/HintStyle "hintslight"
Xft/RGBA "rgb"

19
modules/graphical/.xinitrc
View file

@ -9,8 +9,6 @@ usermodmap=$HOME/.config/xmodmap
sysresources=/etc/X11/xinit/.Xresources
sysmodmap=/etc/X11/xinit/.Xmodmap
DEFAULT_SESSION='i3 --shmlog-size 0'
xset -b
if [ -d $HOME/.fonts ]; then
@ -48,23 +46,8 @@ fi
get_session(){
local dbus_args=(--sh-syntax --exit-with-session)
case $1 in
awesome) dbus_args+=(awesome) ;;
bspwm) dbus_args+=(bspwm-session) ;;
budgie) dbus_args+=(budgie-desktop) ;;
cinnamon) dbus_args+=(cinnamon-session) ;;
deepin) dbus_args+=(startdde) ;;
enlightenment) dbus_args+=(enlightenment_start) ;;
fluxbox) dbus_args+=(startfluxbox) ;;
gnome) dbus_args+=(gnome-session) ;;
i3|i3wm) dbus_args+=(i3 --shmlog-size 0) ;;
jwm) dbus_args+=(jwm) ;;
kde) dbus_args+=(startkde) ;;
lxde) dbus_args+=(startlxde) ;;
lxqt) dbus_args+=(lxqt-session) ;;
mate) dbus_args+=(mate-session) ;;
xfce) dbus_args+=(xfce4-session) ;;
openbox) dbus_args+=(openbox-session) ;;
*) dbus_args+=($DEFAULT_SESSION) ;;
*) dbus_args+=(sway) ;;
esac
echo "dbus-launch ${dbus_args[*]}"

68
modules/graphical/alacritty.nix
View file

@ -1,6 +1,6 @@
{
{ flake, ...}: with flake.self.theme.with0x; {
env = {
TERM = "xterm-256color";
TERM = "xterm-direct";
};
window = {
@ -30,9 +30,6 @@
multiplier = 3;
};
# When true, bold text is drawn using the bright variant of colors.
draw_bold_text_with_bright_colors = true;
font = {
# The normal (roman) font face to use.
normal = {
@ -68,7 +65,7 @@
};
};
key_bindings = [
keyboard.bindings = [
{
key = "V";
mods = "Control|Alt";
@ -162,10 +159,13 @@
# Base16 Burn 256 - alacritty color config
# Benjamin Bädorf
colors = {
# When true, bold text is drawn using the bright variant of colors.
draw_bold_text_with_bright_colors = true;
# Default colors
primary = {
background = "0x1a181a";
foreground = "0xe3e1e4";
background = base00;
foreground = base05;
};
# Cursor colors
@ -184,8 +184,8 @@
# Allowed values are CellForeground/CellBackground, which reference the
# affected cell, or hexadecimal colors like #ff00ff.
matches = {
foreground = "0xe5c463";
background = "0x1a181a";
foreground = base0A;
background = base00;
};
focused_match = {
foreground = "CellBackground";
@ -203,58 +203,58 @@
# Allowed values are CellForeground/CellBackground, which reference the
# affected cell, or hexadecimal colors like #ff00ff.
selection = {
text = "0x1a181a";
background = "0xf85e84";
text = base00;
background = base08;
};
# Normal colors
normal = {
black = "0x1a181a";
red = "0xf85e84";
green = "0x9ecd6f";
yellow = "0xe5c463";
blue = "0x7accd7";
magenta = "0xab9df2";
cyan = "0xef9062";
white = "0xe3e1e4";
black = base00;
red = base09;
green = base0B;
yellow = base0A;
blue = base0D;
magenta = base0E;
cyan = base0C;
white = base05;
};
# Bright colors
bright = {
black = "0x949494";
red = "0xf85e84";
green = "0x9ecd6f";
yellow = "0xe5c463";
blue = "0x7accd7";
magenta = "0xab9df2";
cyan = "0xef9062";
white = "0xff5f5f";
black = base00;
red = base0F;
green = base0B;
yellow = base0A;
blue = base0D;
magenta = base0E;
cyan = base0C;
white = base05;
};
indexed_colors = [
{
index = 16;
color = "0xdf5923";
color = base09;
}
{
index = 17;
color = "0xd70000";
color = base0F;
}
{
index = 18;
color = "0x2d2a2e";
color = base01;
}
{
index = 19;
color = "0x303030";
color = base02;
}
{
index = 20;
color = "0xd3d1d4";
color = base04;
}
{
index = 21;
color = "0x303030";
color = base02;
}
];
};

73
modules/graphical/default.nix
View file

@ -1,4 +1,4 @@
{
args@{
lib,
config,
pkgs,
@ -6,7 +6,7 @@
}:
with lib; let
psCfg = config.pub-solar;
yamlFormat = pkgs.formats.yaml {};
tomlFormat = pkgs.formats.toml {};
sessionVariables = {
WLR_RENDERER =
if psCfg.graphical.wayland.software-renderer.enable
@ -19,6 +19,8 @@ with lib; let
in {
imports = [
./sway
./waybar.nix
./mako.nix
];
options.pub-solar.graphical = {
@ -43,26 +45,16 @@ in {
glib
xdg-utils
];
xorg.xbacklight
etc = {
"xdg/PubSolar.conf".text = ''
[Qt]
style=GTK+
'';
};
desktop-file-utils
];
variables = sessionVariables;
};
services.getty.autologinUser = psCfg.user.name;
qt = {
enable = true;
platformTheme = "gtk2";
style = "gtk2";
};
# Required for running Gnome apps outside the Gnome DE, see https://nixos.wiki/wiki/GNOME#Running_GNOME_programs_outside_of_GNOME
programs.dconf.enable = true;
services.udev.packages = with pkgs; [gnome3.gnome-settings-daemon];
@ -70,14 +62,17 @@ in {
services.gnome.sushi.enable = true;
# Enable GVfs, a userspace virtual filesystem
services.gvfs.enable = true;
services.yubikey-agent.enable = true;
# This actually lowers security and is
# required to run electron apps with the hardened kernel
boot.kernel.sysctl."kernel.unprivileged_userns_clone" = 1;
fonts = {
fonts = with pkgs; [
packages = with pkgs; [
dejavu_fonts
powerline-fonts
];
enableDefaultFonts = true;
enableDefaultPackages = true;
fontconfig.enable = true;
fontconfig.defaultFonts = {
monospace = ["DejaVu Sans Mono for Powerline"];
@ -87,35 +82,45 @@ in {
users.users."${psCfg.user.name}".packages = with pkgs; [
alacritty
firefox-wayland
flameshot
gnome.adwaita-icon-theme
gnome.eog
gnome.nautilus
gnome.seahorse
gnome.yelp
hicolor-icon-theme
keepassxc
libnotify
toggle-kbd-layout
vlc
wcwd
wdisplays
wl-mirror
];
qt = {
enable = true;
platformTheme = "gtk2";
style = "gtk2";
};
home-manager.users."${psCfg.user.name}" = {
home.file."xinitrc".source = ./.xinitrc;
xdg.configFile."alacritty/alacritty.yml".source = yamlFormat.generate "alacritty.yml" (import ./alacritty.nix);
xdg.configFile."alacritty/alacritty.toml".source = tomlFormat.generate "alacritty.toml" ((import ./alacritty.nix) args);
xdg.configFile."xmodmap".source = ./.config/xmodmap;
xdg.configFile."user-dirs.dirs".source = ./.config/user-dirs.dirs;
xdg.configFile."user-dirs.locale".source = ./.config/user-dirs.locale;
xdg.configFile."xsettingsd/xsettingsd.conf".source = ./.config/xsettingsd/xsettingsd.conf;
xdg.configFile."mako/config".source = ./.config/mako/config;
xdg.configFile."libinput-gestures.conf".source = ./.config/libinput-gestures.conf;
xdg.configFile."waybar/config".source = ./.config/waybar/config;
xdg.configFile."waybar/style.css".source = ./.config/waybar/style.css;
xdg.configFile."waybar/colorscheme.css".source = ./.config/waybar/colorscheme.css;
xdg.configFile."wallpaper.jpg".source = ./assets/wallpaper.jpg;
programs.firefox = {
enable = true;
package = pkgs.firefox-wayland;
};
dconf.settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
};
gtk = {
enable = true;
font.name = "Lato";
@ -133,13 +138,21 @@ in {
gtk-xft-hinting = "1";
gtk-xft-hintstyle = "hintfull";
gtk-xft-rgba = "rgb";
gtk-application-prefer-dark-theme = "true";
gtk-application-prefer-dark-theme = "1";
};
};
xresources.extraConfig = builtins.readFile ./.Xdefaults;
systemd.user.services.network-manager-applet = import ./network-manager-applet.service.nix pkgs;
services.network-manager-applet.enable = true;
systemd.user.services.network-manager-applet = {
Unit = {
BindsTo = ["sway-session.target"];
After = lib.mkForce ["sway-session.target"];
Requires = lib.mkForce [ ];
};
Install.WantedBy = [ "sway-session.target" ];
};
home.sessionVariables = sessionVariables;
systemd.user.sessionVariables = sessionVariables;

33
modules/graphical/mako.nix Normal file
View file

@ -0,0 +1,33 @@
{
lib,
config,
pkgs,
flake,
...
}:
with lib; let
psCfg = config.pub-solar;
in {
home-manager.users."${psCfg.user.name}" = {
services.mako = {
enable = true;
extraConfig = with flake.self.theme.withHashtag; ''
padding=10
margin=5,5,0
default-timeout=5000
background-color=${base00}
text-color=${base05}
border-color=${base07}
font=Hack 14
[urgency=high]
background-color=${base07}
text-color=${base00}
border-color=${base00}
layer=overlay
font=Hack 14
'';
};
};
}

19
modules/graphical/sway/config/config.d/colorscheme.conf
View file

@ -1,19 +0,0 @@
## Base16 Burn
# Author: Benjamin Bädorf
set $base00 #1a181a
set $base01 #2d2a2e
set $base02 #303030
set $base03 #949494
set $base04 #d3d1d4
set $base05 #e3e1e4
set $base06 #303030
set $base07 #ff5f5f
set $base08 #f85e84
set $base09 #df5923
set $base0A #e5c463
set $base0B #9ecd6f
set $base0C #ef9062
set $base0D #7accd7
set $base0E #ab9df2
set $base0F #d70000

54
modules/graphical/sway/config/config.d/custom-keybindings.conf
View file

@ -1,43 +1,33 @@
# launch categorized menu
bindsym $mod+z exec --no-startup-id morc_menu
# switch keyboard input language
bindsym $mod+tab exec toggle-kbd-layout
################################################################################################
## sound-section - ##
################################################################################################
bindsym $mod+Ctrl+m exec pavucontrol
################################################################################################
# Quickstart application shortcuts
bindsym $mod+F1 exec psos help
bindsym $mod+Shift+h exec psos help
bindsym $mod+F2 exec firefox
bindsym $mod+F4 exec nautilus -w
bindsym $mod+Shift+F4 exec signal-desktop --use-tray-icon
bindsym $mod+Shift+m exec qMasterPassword
# Screenshots and screen recordings
# Screen capturing
bindsym $mod+Ctrl+p exec grim -g "$(slurp -d -b \#ffffff11)" ~/Pictures/Screenshots/$(date +%Y%m%d_%Hh%Mm%Ss)_grim.png
bindsym $mod+Shift+p exec grim ~/Pictures/Screenshots/$(date +%Y%m%d_%Hh%Mm%Ss)_grim.png
bindsym $mod+Ctrl+f exec "( pkill flameshot || true && flameshot & ) && ( sleep 0.5s && flameshot gui )"
bindsym $mod+Shift+p exec grim -g "$(slurp -d -b \#ffffff11 -o)" ~/Pictures/Screenshots/$(date +%Y%m%d_%Hh%Mm%Ss)_grim.png
bindsym $mod+Ctrl+r exec record-screen
bindsym $mod+Shift+r exec record-screen fullscreen
# Launcher
set $menu exec alacritty --class launcher -e env TERMINAL_COMMAND="alacritty -e" sway-launcher
bindsym $mod+Space exec $menu
set $mode_vncclient In VNCClient mode. Press $mod+Num_Lock or $mod+Shift+Escape to return.
bindsym $mod+Num_Lock mode "$mode_vncclient"
bindsym $mod+Shift+Escape mode "$mode_vncclient"
mode "$mode_vncclient" {
bindsym $mod+Num_Lock mode "default"
bindsym $mod+Shift+Escape mode "default"
}
# Pulse Audio controls
bindsym $mod+Ctrl+m exec pavucontrol
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl set +10%"
bindsym XF86MonBrightnessDown exec "brightnessctl set 10%-"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 33%-"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +33%"

1
modules/graphical/sway/config/config.d/keepalive.conf Normal file
View file

@ -0,0 +1 @@
for_window [app_id=".*"] inhibit_idle fullscreen

22
modules/graphical/sway/config/config.d/mode_system.conf.nix
View file

@ -1,36 +1,36 @@
{
pkgs,
psCfg,
config,
...
}:
''
}: with pkgs; ''
# Set shut down, restart and locking features
''
+ (
if psCfg.core.hibernation.enable
if config.pub-solar.core.hibernation.enable
then ''
set $mode_system (e)xit, (h)ibernate, (r)eboot, (Shift+s)hutdown
set $mode_system (e)xit, (l)ock, (h)ibernate, (r)eboot, (Shift+s)hutdown
''
else ''
set $mode_system (e)xit, (r)eboot, (Shift+s)hutdown
set $mode_system (e)xit, (l)ock, (r)eboot, (Shift+s)hutdown
''
)
+ ''
bindsym $mod+0 mode "$mode_system"
mode "$mode_system" {
bindsym e exec swaymsg exit, mode "default"
bindsym e exec ${sway}/bin/swaymsg exit, mode "default"
bindsym l exec ${swaylock-bg}/bin/swaylock-bg, mode "default"
''
+ (
if psCfg.core.hibernation.enable
if config.pub-solar.core.hibernation.enable
then ''
bindsym h exec systemctl hibernate, mode "default"
bindsym h exec ${systemd}/bin/systemctl hibernate, mode "default"
''
else ""
)
+ ''
bindsym r exec systemctl reboot, mode "default"
bindsym Shift+s exec systemctl poweroff, mode "default"
bindsym r exec ${systemd}/bin/systemctl reboot, mode "default"
bindsym Shift+s exec ${systemd}/bin/systemctl poweroff, mode "default"
# exit system mode: "Enter" or "Escape"
bindsym Return mode "default"

21
modules/graphical/sway/config/config.d/theme.conf → modules/graphical/sway/config/config.d/theme.conf.nix
View file

@ -1,3 +1,21 @@
{ flake, ... }: with flake.self.theme.withHashtag; ''
set $base00 ${base00}
set $base01 ${base01}
set $base02 ${base02}
set $base03 ${base03}
set $base04 ${base04}
set $base05 ${base05}
set $base06 ${base06}
set $base07 ${base07}
set $base08 ${base08}
set $base09 ${base09}
set $base0A ${base0A}
set $base0B ${base0B}
set $base0C ${base0C}
set $base0D ${base0D}
set $base0E ${base0E}
set $base0F ${base0F}
# Border BG Text Ind Child Border
client.focused $base00 $base01 $base07 $base0D $base07
client.focused_inactive $base00 $base01 $base07 $base03 $base00
@ -14,3 +32,6 @@ exec_always import-gtk-settings \
# Workaround to fix cursor scaling, see https://github.com/swaywm/sway/issues/4112
seat seat0 xcursor_theme Adwaita
output * bg ~/.config/wallpaper.jpg fill
''

26
modules/graphical/sway/config/config.nix
View file

@ -1,8 +1,15 @@
{
args@{
config,
pkgs,
...
}: ''
}: let
applications = builtins.readFile ./config.d/applications.conf;
custom-keybindings = builtins.readFile ./config.d/custom-keybindings.conf;
gaps = builtins.readFile ./config.d/gaps.conf;
mode-system = import ./config.d/mode_system.conf.nix args;
systemd = builtins.readFile ./config.d/systemd.conf;
theme = import ./config.d/theme.conf.nix args;
in ''
# Default config for sway
#
# Copy this to ~/.config/sway/config and edit it to your liking.
@ -27,11 +34,6 @@
default_border pixel 1
### Output configuration
#
# Default wallpaper (more resolutions are available in @datadir@/backgrounds/sway/)
output * bg ~/.config/wallpaper.jpg fill
### Key bindings
#
# Basics:
@ -214,4 +216,12 @@
}
bindsym $mod+r mode "resize"
include ~/.config/sway/config.d/*''
${applications}
${gaps}
${custom-keybindings}
${mode-system}
${systemd}
${theme}
include ~/.config/sway/config.d/*
''

72
modules/graphical/sway/default.nix
View file

@ -1,4 +1,4 @@
{
args@{
lib,
config,
pkgs,
@ -10,7 +10,7 @@ in {
options.pub-solar.graphical = {
v4l2loopback.enable = mkOption {
type = types.bool;
default = true;
default = false;
description = "WebCam streaming tool";
};
};
@ -42,6 +42,18 @@ in {
};
};
};
config.sway = {
# https://alex.dandrea.io/2024/07/20/fixing-idle-inhibitor-behaviour-in-firefox-with-wayland/
# Use xdg-desktop-portal-gtk for every portal interface...
default = "gtk";
# ... except for the ScreenCast, Screenshot and Secret
"org.freedesktop.impl.portal.ScreenCast" = "wlr";
"org.freedesktop.impl.portal.Screenshot" = "wlr";
# ignore inhibit bc gtk portal always returns as success,
# despite sway/the wlr portal not having an implementation,
# stopping firefox from using wayland idle-inhibit
"org.freedesktop.impl.portal.Inhibit" = "none";
};
extraPortals = with pkgs; [xdg-desktop-portal-gtk];
};
@ -51,9 +63,7 @@ in {
sway
grim
kanshi
mako
slurp
swayidle
swaybg
xwayland
@ -62,8 +72,6 @@ in {
wl-clipboard
wf-recorder
brightnessctl
gammastep
geoclue2
xsettingsd
ydotool
@ -74,25 +82,45 @@ in {
wcwd
];
services.geoclue2.enable = true;
home-manager.users."${psCfg.user.name}" = {
programs.waybar.enable = true;
#programs.waybar.systemd.enable = true;
systemd.user.services.sway = import ./sway.service.nix args;
systemd.user.targets.sway-session = import ./sway-session.target.nix args;
systemd.user.services.mako = import ./mako.service.nix {inherit pkgs psCfg;};
systemd.user.services.sway = import ./sway.service.nix {inherit pkgs psCfg;};
systemd.user.services.swayidle = import ./swayidle.service.nix {inherit pkgs psCfg;};
systemd.user.services.xsettingsd = import ./xsettingsd.service.nix {inherit pkgs psCfg;};
systemd.user.services.waybar = import ./waybar.service.nix {inherit pkgs psCfg;};
systemd.user.targets.sway-session = import ./sway-session.target.nix {inherit pkgs psCfg;};
services.xsettingsd.enable = true;
services.gammastep = {
enable = true;
provider = "geoclue2";
};
xdg.configFile."sway/config".text = import ./config/config.nix {inherit config pkgs;};
xdg.configFile."sway/config.d/colorscheme.conf".source = ./config/config.d/colorscheme.conf;
xdg.configFile."sway/config.d/theme.conf".source = ./config/config.d/theme.conf;
xdg.configFile."sway/config.d/gaps.conf".source = ./config/config.d/gaps.conf;
xdg.configFile."sway/config.d/custom-keybindings.conf".source = ./config/config.d/custom-keybindings.conf;
xdg.configFile."sway/config.d/mode_system.conf".text = import ./config/config.d/mode_system.conf.nix {inherit pkgs psCfg;};
xdg.configFile."sway/config.d/applications.conf".source = ./config/config.d/applications.conf;
xdg.configFile."sway/config.d/systemd.conf".source = ./config/config.d/systemd.conf;
xdg.configFile."sway/config".text = import ./config/config.nix args;
services.swayidle = with pkgs; {
enable = true;
events = [
{
event = "before-sleep";
command = "${systemd}/bin/systemctl hibernate";
}
];
timeouts = [
{
timeout = 300;
command = "${swaylock-bg}/bin/swaylock-bg";
}
{
timeout = 180;
command = "${sway}/bin/swaymsg \"output * dpms off\"";
resumeCommand = "${sway}/bin/swaymsg \"output * dpms on\"";
}
{
timeout = 600;
command = "${systemd}/bin/systemctl hibernate";
}
];
systemdTarget = "sway-session.target";
};
};
};
}

17
modules/graphical/sway/gammastep.service.nix
View file

@ -1,17 +0,0 @@
{pkgs, ...}: {
Unit = {
Description = "set color temperature of display according to time of day";
Documentation = ["man:gammastep(1)"];
BindsTo = ["sway-session.target"];
After = ["sway-session.target"];
# ConditionEnvironment requires systemd v247 to work correctly
ConditionEnvironment = ["WAYLAND_DISPLAY"];
};
Service = {
Type = "simple";
ExecStart = "${pkgs.gammastep}/bin/gammastep -l geoclue2 -m wayland -v";
};
Install = {
WantedBy = ["sway-session.target"];
};
}

18
modules/graphical/sway/mako.service.nix
View file

@ -1,18 +0,0 @@
{pkgs, ...}: {
Unit = {
Description = "Lightweight Wayland notification daemon";
Documentation = ["man:mako(1)"];
BindsTo = ["sway-session.target"];
After = ["sway-session.target"];
ConditionEnvironment = ["WAYLAND_DISPLAY"];
};
Service = {
Type = "dbus";
BusName = "org.freedesktop.Notifications";
ExecStart = "${pkgs.mako}/bin/mako";
ExecReload = "${pkgs.mako}/bin/makoctl reload";
};
Install = {
WantedBy = ["sway-session.target"];
};
}

26
modules/graphical/sway/swayidle.service.nix
View file

@ -1,26 +0,0 @@
{
pkgs,
psCfg,
...
}: {
Unit = {
Description = "Idle manager for Wayland";
Documentation = ["man:swayidle(1)"];
BindsTo = ["graphical-session.target"];
Wants = ["graphical-session-pre.target"];
After = ["graphical-session-pre.target"];
};
Service = {
Type = "simple";
Environment = "PATH=/run/current-system/sw/bin:${pkgs.sway}/bin:${pkgs.swayidle}/bin";
ExecStart = ''
swayidle -w \
before-sleep 'systemctl hibernate'
timeout 120 'swaymsg "output * dpms off"' resume 'swaymsg "output * dpms on"' \
timeout 150 'systemctl hibernate'
'';
};
Install = {
WantedBy = ["sway-session.target"];
};
}

21
modules/graphical/sway/waybar.service.nix
View file

@ -1,21 +0,0 @@
{pkgs, ...}: {
Unit = {
Description = "Highly customizable Wayland bar for Sway and Wlroots based compositors.";
Documentation = "https://github.com/Alexays/Waybar/wiki/";
BindsTo = ["sway-session.target"];
After = ["sway-session.target" "network-online.target"];
Wants = ["graphical-session-pre.target" "network-online.target" "blueman-applet.service"];
ConditionEnvironment = ["WAYLAND_DISPLAY"];
};
Service = {
Type = "dbus";
Environment = "PATH=${pkgs.bash}/bin:${pkgs.pavucontrol}/bin";
BusName = "fr.arouillard.waybar";
ExecStart = "${pkgs.waybar}/bin/waybar";
};
Install = {
WantedBy = ["sway-session.target"];
};
}

18
modules/graphical/sway/xsettingsd.service.nix
View file

@ -1,18 +0,0 @@
{pkgs, ...}: {
Unit = {
Description = "X Settings Daemon";
Documentation = ["https://github.com/derat/xsettingsd/wiki/Installation"];
BindsTo = ["sway-session.target"];
After = ["sway-session.target"];
# ConditionEnvironment requires systemd v247 to work correctly
ConditionEnvironment = ["WAYLAND_DISPLAY"];
};
Service = {
Type = "simple";
ExecStart = "${pkgs.xsettingsd}/bin/xsettingsd";
ExecStop = "/run/current-system/sw/bin/env pkill xsettingsd";
};
Install = {
WantedBy = ["sway-session.target"];
};
}

115
modules/graphical/waybar.nix Normal file
View file

@ -0,0 +1,115 @@
{
lib,
config,
pkgs,
flake,
...
}:
with lib; let
psCfg = config.pub-solar;
in {
home-manager.users."${psCfg.user.name}" = {
programs.waybar = with flake.self.theme.withHashtag; {
enable = true;
settings.main = {
layer = "top";
position = "top";
height = 32;
spacing = 16;
modules-left = ["sway/workspaces"];
modules-center = ["sway/mode"];
modules-right = ["network" "tray" "sway/language" "pulseaudio" "battery" "clock"];
"sway/workspaces".disable-scroll = true;
"sway/mode" = {
tooltip = false;
format = "{}";
};
"sway/window" = {
tooltip = false;
max-length = 96;
};
"sway/language" = {
format = "{}";
max-length = 2;
on-click = "${pkgs.toggle-kbd-layout}/bin/toggle-kbd-layout";
};
tray = {
icon-size = 16;
spacing = 16;
};
clock = {
tooltip-format = "<tt><small>{calendar}</small></tt>";
format-alt = "{:%a %d. %h %H:%M}";
calendar = {
mode-mon-col = "3";
on-scroll = "-1";
on-click-right = "mode";
format = {
months = "<span color='#ffead3'><b>{}</b></span>";
days = "<span color='#ecc6d9'><b>{}</b></span>";
weekdays = "<span color='#ffcc66'><b>{}</b></span>";
today = "<span color='#ff6699'><b><u>{}</u></b></span>";
};
};
};
battery = {
tooltip = false;
states = {
critical = 20;
};
full-at = 90;
format = "<span font='12'>{icon}</span> {capacity}%";
format-icons = ["" "" "" "" ""];
};
network = {
interval = 3;
tooltip = true;
format-wifi = "{bandwidthUpBits} up | {bandwidthDownBits} down";
format-ethernet = "{bandwidthUpBits} up | {bandwidthDownBits} down";
format-disconnected = "no network";
tooltip-format-wifi = "{essid} ({signalStrength}%) {ipaddr}";
tooltip-format-ethernet = "{ifname} {ipaddr}";
};
pulseaudio = {
tooltip = false;
format = "<span font='12'>{icon}</span> {volume}%";
format-bluetooth = "<span font='12'>{icon}</span> {volume}%";
format-muted = "<span font='12'>{icon}x</span>";
on-click = "pavucontrol";
format-icons = {
headphones = "";
handsfree = "";
headset = "";
phone = "";
portable = "";
car = "";
default = ["" "" ""];
};
};
};
style = ''
@define-color base00 ${base00};
@define-color base01 ${base01};
@define-color base02 ${base02};
@define-color base03 ${base03};
@define-color base04 ${base04};
@define-color base05 ${base05};
@define-color base06 ${base06};
@define-color base07 ${base07};
@define-color base08 ${base08};
@define-color base09 ${base09};
@define-color base0A ${base0A};
@define-color base0B ${base0B};
@define-color base0C ${base0C};
@define-color base0D ${base0D};
@define-color base0E ${base0E};
@define-color base0F ${base0F};
''+ builtins.readFile ./.config/waybar/style.css;
systemd.enable = true;
systemd.target = "sway-session.target";
};
};
}

Some files were not shown because too many files have changed in this diff Show more