Compare commits

..

78 commits

Author SHA1 Message Date
7d3a471cf2
Merge pull request 'add missing kernel package' (#250) from feature/add-missing-kernel-module-for-initrd into momo/main
Reviewed-on: pub-solar/os#250
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-10-13 11:27:06 +02:00
d91c70f097
chore: update blesh in nvfetcher to fix build 2023-10-09 21:09:47 +02:00
2231649de8
Fix formatting to make treefmt happy 2023-10-08 14:44:51 +02:00
be2109a0e9 add missing kernel package 2023-07-28 16:44:56 +02:00
552fb9a2a4
Merge pull request 'erpnext: Fix broken websockets' (#246) from momo/erpnext-fix-websockets into momo/main
Reviewed-on: pub-solar/os#246
2023-07-20 00:17:59 +02:00
38eb97c733
erpnext: Fix broken websockets
See: axeman/erpnext#66e6c685d0ea0d475cdbfbb77c9920c52a610c27
2023-07-20 00:13:49 +02:00
998d08863c
Merge pull request 'erpnext: fix premailer dependency' (#245) from momo/erpnext-fix-premailer into momo/main
Reviewed-on: pub-solar/os#245
2023-07-18 13:31:12 +02:00
9a05853839
erpnext: fix premailer dependency
See: e74f2d0f04
2023-07-18 13:26:59 +02:00
e9e3eba67f
Merge pull request 'erpnext: fix temporary failure in name resolution' (#244) from momo/erpnext-fix-dns into momo/main
Reviewed-on: pub-solar/os#244
2023-07-18 12:29:29 +02:00
fb38ecb073
erpnext: fix temporary failure in name resolution 2023-07-18 12:26:11 +02:00
04a21183bc
Merge pull request 'flake: Use nixos-23.05 for erpnext input' (#243) from momo/erpnext-nixpkgs-23.05 into momo/main
Reviewed-on: pub-solar/os#243
2023-07-18 02:47:46 +02:00
2f0b24b3a9
flake: Use nixos-23.05 for erpnext input
The override did not work and the resulting python penv was
broken (e.g. missing the bench, erpnext, frappe packages).
2023-07-18 02:38:34 +02:00
874c687fe2
Merge pull request 'flake: bump input erpnext' (#242) from momo/erpnext-fix-web into momo/main
Reviewed-on: pub-solar/os#242
2023-07-18 02:00:05 +02:00
99b039b50c
flake: bump input erpnext
• Updated input 'erpnext':
    'git+https://git.pub.solar/axeman/erpnext-nix?ref=main&rev=44a0598bd1e7533033cd9d1170de7d83dff80a2f' (2023-07-17)
  → 'git+https://git.pub.solar/axeman/erpnext-nix?ref=main&rev=9c8a36de8b9c1a379528ed35365f69fdca14677c' (2023-07-17)
2023-07-18 01:56:44 +02:00
e35e988371
Merge pull request 'flake: Bump erpnext input flake to fix systemd' (#241) from momo/erpnext-fix-module into momo/main
Reviewed-on: pub-solar/os#241
2023-07-18 01:44:06 +02:00
7b863263f5
flake: Bump erpnext input flake to fix systemd
dependencies

• Updated input 'erpnext':
    'git+https://git.pub.solar/axeman/erpnext-nix?ref=main&rev=28a47059b7b723f2709a4f81384015ae4e8f8562' (2023-07-17)
  → 'git+https://git.pub.solar/axeman/erpnext-nix?ref=main&rev=44a0598bd1e7533033cd9d1170de7d83dff80a2f' (2023-07-17)
• Updated input 'erpnext/devshell':
    'github:numtide/devshell/6b2554d28d46bfa6e24b941e999a145760dad0e1' (2023-06-05)
  → 'github:numtide/devshell/f9238ec3d75cefbb2b42a44948c4e8fb1ae9a205' (2023-07-03)
• Updated input 'erpnext/nixpkgs':
    'github:NixOS/nixpkgs/6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222' (2023-07-16)
  → 'github:NixOS/nixpkgs/6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222' (2023-07-16)
2023-07-18 01:40:12 +02:00
255fc27737
Merge pull request 'pioneer: Fix path to erpnext database secrets' (#240) from momo/erpnext-fix-secrets2 into momo/main
Reviewed-on: pub-solar/os#240
2023-07-17 23:08:34 +02:00
cd41d38b29
pioneer: Fix path to erpnext database secrets 2023-07-17 23:06:14 +02:00
6781fa356b
Merge pull request 'pioneer: Fix path to erpnext secrets' (#239) from momo/erpnext-fix-secrets into momo/main
Reviewed-on: pub-solar/os#239
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
2023-07-17 23:00:45 +02:00
4e91376386
pioneer: Fix path to erpnext secrets 2023-07-17 22:58:15 +02:00
ca9f2f60ea
Merge pull request 'momo/main [pioneer]: Add erpnext' (#238) from momo/erpnext into momo/main
Reviewed-on: pub-solar/os#238
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
2023-07-17 22:52:54 +02:00
437b841312
pioneer: Add erpnext 2023-07-17 22:40:52 +02:00
b00f13f490
Merge pull request 'chore/update-momo-main-07-23' (#237) from chore/update-momo-main-07-23 into momo/main
Reviewed-on: pub-solar/os#237
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-07-15 03:08:43 +02:00
16b35e607f
Bump flake inputs nixos + latest in lockfile
• Updated input 'latest':
    'github:nixos/nixpkgs/645ff62e09d294a30de823cb568e9c6d68e92606' (2023-07-01)
  → 'github:nixos/nixpkgs/2de8efefb6ce7f5e4e75bdf57376a96555986841' (2023-07-12)
• Updated input 'nixos':
    'github:nixos/nixpkgs/b72aa95f7f096382bff3aea5f8fde645bca07422' (2023-06-30)
  → 'github:nixos/nixpkgs/fcc147b1e9358a8386b2c4368bd928e1f63a7df2' (2023-07-13)
2023-07-13 21:20:18 +02:00
1d3eadb471
Apply treefmt 2023-07-13 21:20:11 +02:00
c977bfba38
Merge branch 'main' into momo/main 2023-07-13 18:18:59 +02:00
e6b5fdf925
Merge pull request 'rename host-001' (#224) from feature/rename-host-001 into momo/main
Reviewed-on: pub-solar/os#224
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-05-13 23:28:45 +02:00
be19dd7477 rename host-001 to pioneer 2023-04-26 21:38:36 +02:00
96df48c33a
Merge pull request '001_momo_koeln: Install caddy and keycloak' (#214) from momo/keycloak into momo/main
Reviewed-on: pub-solar/os#214
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-04-25 18:02:43 +02:00
5c894c5265
Rekey agenix secrets 2023-04-25 12:10:02 +02:00
a5061b8947
secrets: add host keys for hensoko 2023-04-25 10:18:54 +02:00
41939956c5
secrets: add host keys for b12f + teutat3s 2023-04-25 10:14:46 +02:00
b55dace1ea
Merge branch 'momo/main' into momo/keycloak 2023-04-25 09:49:13 +02:00
9efce1619a
Merge pull request 'host_001_momo_koeln: fix swap UUID and initrd boot modules' (#223) from momo/fix-swap-uuid into momo/main
Reviewed-on: pub-solar/os#223
Reviewed-by: hensoko <hensoko@gssws.de>
2023-04-24 18:02:29 +02:00
db53f9f1be
host_001_momo_koeln: fix initrd kernelModules
boot.initrd.kernelModules overrides boot.initrd.availableKernelModules
and forces the initrd to load only those modules. This leads to the host
being unbootable in this case because of missing required modules.
availableKernelModules is the correct place for desired modules.

This got fixed during a debugging session of hensoko and teutat3s, but
not implemented in nix code until now.
2023-04-24 13:13:12 +02:00
2692b2dc20
host_001_momo_koeln: fix swap UUID
This got changed while debugging boot failures on this host, by

re-creating swap.
2023-04-24 13:05:05 +02:00
211f1d16d0
Merge pull request 'momo/main: merge main branch' (#219) from momo-merge-main into momo/main
Reviewed-on: pub-solar/os#219
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-04-24 12:50:47 +02:00
4faf4267a3
Merge branch 'main' into momo-merge-main 2023-04-18 10:45:27 +02:00
4c4c4cab0b
secrets: Add keycloak-database-password 2023-04-17 18:41:44 +02:00
8b8280d07e
secrets: Add keys for axeman and host_001_momo_koeln 2023-04-17 18:41:44 +02:00
a0a92d27c9
001_momo_koeln: Add caddy 2023-04-17 18:41:42 +02:00
6e6e5857fd
001_momo_koeln: Add keycloak 2023-04-17 18:41:26 +02:00
366d3b1278
Merge pull request '001_momo_koeln: Add @axeman's key to barkeeper's authorized_keys' (#213) from momo/add-axeman-key into momo/main
Reviewed-on: pub-solar/os#213
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-03-31 16:44:25 +02:00
48d55417bd
001_momo_koeln: Add @axeman's key to barkeeper's authorized_keys 2023-03-31 16:40:13 +02:00
ea18402f21
Merge pull request 'main-to-momo-main' (#212) from main-to-momo-main into momo/main
Reviewed-on: pub-solar/os#212
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-03-31 16:19:07 +02:00
3992ca0d5f
Merge branch 'main' into main-to-momo-main 2023-03-31 16:15:10 +02:00
43bd742150
Merge pull request 'ci: fix Host key verification failed' (#205) from momo/ci-deployment-known-hosts into momo/main
Reviewed-on: pub-solar/os#205
2023-03-08 14:13:03 +01:00
b21b98dadd
ci: fix Host key verification failed
- Fix missing SSH known_hosts in deploy pipeline
- SSH tries to use Trust-On-First-Use (TOFU) interactively to add a new
  host key
- Verbose SSH logs show:
debug1: Server host key: ssh-ed25519 SHA256:1bbksDNYBWSh/rIFP7MMfs557kWn1dM64bpXdnfBE5E
debug1: read_passphrase: can't open /dev/tty: No such device or address
- deploy-rs uses nix, which uses SSH which doesn't use the environment variable
HOME, but rather /etc/passwd to find a user's HOME
- To solve this, we override SSH options using UserKnownHostsFile and
  the -i flag
2023-03-08 14:10:19 +01:00
f5239c042b
Merge pull request 'ci: debug Host key verification failed error' (#204) from momo/ci-deployment-known-hosts into momo/main
Reviewed-on: pub-solar/os#204
2023-03-08 14:05:19 +01:00
51e84e9418
ci: debug Host key verification failed error 2023-03-08 14:04:06 +01:00
f6708d252e
Merge pull request 'ci: debug Host key verification failed error' (#203) from momo/ci-deployment-known-hosts into momo/main
Reviewed-on: pub-solar/os#203
2023-03-08 13:55:32 +01:00
0bd30c33d5
ci: debug Host key verification failed error 2023-03-08 13:54:50 +01:00
3f9b0f9a3b
Merge pull request 'ci: debug Host key verification failed error' (#202) from momo/ci-deployment-known-hosts into momo/main
Reviewed-on: pub-solar/os#202
2023-03-08 13:49:58 +01:00
09cdf6c390
ci: debug Host key verification failed error 2023-03-08 13:49:27 +01:00
30652571cf
Merge pull request 'ci: debug Host key verification failed error' (#201) from momo/ci-deployment-known-hosts into momo/main
Reviewed-on: pub-solar/os#201
2023-03-08 13:43:13 +01:00
9812687fb1
ci: debug Host key verification failed error 2023-03-08 13:42:29 +01:00
86ca4f6f54
Merge pull request 'ci: debug Host key verification failed error' (#200) from momo/ci-deployment-known-hosts into momo/main
Reviewed-on: pub-solar/os#200
2023-03-08 13:35:46 +01:00
1a16083510
ci: debug Host key verification failed error 2023-03-08 13:35:02 +01:00
8c4cc68bd6
Merge pull request 'ci: fix Host key verification failed' (#199) from momo/ci-deployment-known-hosts into momo/main
Reviewed-on: pub-solar/os#199
2023-03-08 13:30:24 +01:00
9dc77abfc8
ci: fix Host key verification failed
- missing SSH known_hosts in deploy pipeline
- SSH tries to use Trust-On-First-Use (TOFU) interactively to add a new
  host key
- verbose SSH logs:
debug1: Server host key: ssh-ed25519 SHA256:1bbksDNYBWSh/rIFP7MMfs557kWn1dM64bpXdnfBE5E
debug1: read_passphrase: can't open /dev/tty: No such device or address
- deploy-rs uses nix, which uses SSH which doesn't use the environment variable
HOME, but rather /etc/passwd to find a user's HOME
2023-03-08 13:25:49 +01:00
6192881ac1
Merge pull request 'ci: debug Host key verification failed error' (#198) from momo/ci-deployment-known-hosts into momo/main
Reviewed-on: pub-solar/os#198
2023-03-08 12:54:37 +01:00
3890494935
ci: debug Host key verification failed error 2023-03-08 12:53:56 +01:00
420a201f70
Merge pull request 'ci: debug Host key verification failed error' (#197) from momo/ci-deployment-known-hosts into momo/main
Reviewed-on: pub-solar/os#197
2023-03-08 12:26:33 +01:00
e2c601509a
ci: debug Host key verification failed error 2023-03-08 12:26:01 +01:00
3491fc2b74
Merge pull request 'ci: debug Host key verification failed error' (#196) from momo/ci-deployment-known-hosts into momo/main
Reviewed-on: pub-solar/os#196
2023-03-08 11:54:51 +01:00
40e967fb7d
ci: debug Host key verification failed error 2023-03-08 11:54:03 +01:00
503a40da11
Merge pull request 'ci: debug Host key verification failed error' (#195) from momo/ci-deployment-known-hosts into momo/main
Reviewed-on: pub-solar/os#195
2023-03-08 11:51:40 +01:00
6190795afa
ci: debug Host key verification failed error 2023-03-08 11:50:21 +01:00
8bf3b126de
Merge pull request 'ci: fix missing SSH known_hosts in deploy pipeline' (#194) from momo/ci-deployment-known-hosts into momo/main
Reviewed-on: pub-solar/os#194
Reviewed-by: hensoko <hensoko@gssws.de>
2023-03-08 11:33:02 +01:00
e3db9f51a6
ci: fix missing SSH known_hosts in deploy pipeline 2023-03-07 21:51:43 +01:00
6913d66458
Merge pull request 'ci: deploy host_001_momo_koeln on every push to momo/main' (#193) from momo/ci-deployment into momo/main
Reviewed-on: pub-solar/os#193
Reviewed-by: hensoko <hensoko@gssws.de>
2023-03-07 21:21:56 +01:00
716f22e32d
ci: deploy host_001_momo_koeln on every push to
momo/main

The branch momo/main is now protected from direct pushes and changes
should go through review before getting merged

Fix drone lint errors:
Pipeline stage 'Notification' declares invalid dependency 'Tests'
Pipeline stage 'Publish ISO' declares invalid dependency 'Check'
2023-03-07 17:33:01 +01:00
4b5955a164
Merge pull request 'barkeeper: add teutat3s SSH public key' (#191) from momo/teutat3s-ssh-public-key into momo/main
Reviewed-on: pub-solar/os#191
2023-03-07 10:54:47 +01:00
9ae94a6c4e
Remove unused bootstrap host 2023-03-07 01:19:46 +01:00
597594912c
Remove unused pub-solar user 2023-03-07 01:17:03 +01:00
2ae3276694
Remove unused PubSolarOS host, ci should builds
host_001_momo_koeln instead
2023-03-07 01:14:59 +01:00
9d7dfe52cb
barkeeper: add teutat3s SSH public key 2023-03-07 01:10:27 +01:00
0daf30fe09 add 001_momo_koeln 2023-03-07 00:48:42 +01:00
261 changed files with 4308 additions and 6959 deletions

View file

@ -1,7 +1,7 @@
---
kind: pipeline
type: exec
name: Check
name: Check and deploy
node:
hosttype: baremetal
@ -17,7 +17,27 @@ steps:
- nix $$NIX_FLAGS develop --command nix flake show
- nix $$NIX_FLAGS develop --command treefmt --fail-on-change
- nix $$NIX_FLAGS develop --command editorconfig-checker
- nix $$NIX_FLAGS build ".#nixosConfigurations.PubSolarOS.config.system.build.toplevel"
- nix $$NIX_FLAGS build ".#nixosConfigurations.pioneer-momo-koeln.config.system.build.toplevel"
- name: "Deploy"
when:
event:
- push
branch:
- momo/main
environment:
NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config"
PRIVATE_SSH_KEY:
from_secret: ci_private_ssh_key
SSH_HOST_KEY: "80.244.242.4 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7XTCHfX6ta8EtkdOcZLnpdhMmXDfTebVMs4NC8JEPj"
commands:
- mkdir $$HOME/.ssh && chmod 700 $$HOME/.ssh
- echo "$$PRIVATE_SSH_KEY" > $$HOME/.ssh/id_ed25519 && chmod 600 $$HOME/.ssh/id_ed25519
- echo "$$SSH_HOST_KEY" > $$HOME/.ssh/known_hosts
# SSH uses HOME from /etc/passwd, not from the environment, so override it
- export SSHOPTS="-o UserKnownHostsFile=$$HOME/.ssh/known_hosts -i $$HOME/.ssh/id_ed25519"
- "echo DEBUG: Using NIX_FLAGS: $$NIX_FLAGS"
- nix $$NIX_FLAGS develop --command deploy --magic-rollback false --skip-checks --targets '.#pioneer-momo-koeln' --ssh-opts="$$SSHOPTS"
---
kind: pipeline
@ -78,9 +98,6 @@ steps:
from_secret: matrix_password
template: "Test run triggered by tag: {{ build.tag }}. Test run exit status: {{ build.status }}. Artifacts uploaded to Manta: https://eu-central.manta.greenbaum.cloud/pub_solar/public/ci/{{ repo.Owner }}/{{ repo.Name }}/{{ build.number }}/foot_wayland_info.png"
depends_on:
- Tests
trigger:
ref:
- refs/tags/v*
@ -134,9 +151,6 @@ steps:
unlink_first: true
strip_components: 3
depends_on:
- Check
trigger:
branch:
- main
@ -149,6 +163,6 @@ volumes:
---
kind: signature
hmac: a116f78a0b22188052893bdb46aa40f8de66438826c10ced362ea183d7644d67
hmac: 5d46ef38857edc6476c89285db1583a0dbff7558ff9fb13befd8743bac94489b
...

View file

@ -20,14 +20,6 @@ indent_style = unset
indent_size = unset
[{.*,secrets}/**]
end_of_line = false
insert_final_newline = false
trim_trailing_whitespace = unset
charset = unset
indent_style = unset
indent_size = unset
[*.rom]
end_of_line = unset
insert_final_newline = unset
trim_trailing_whitespace = unset

View file

@ -1,4 +1,2 @@
# Formatted code using treefmt and alejandra
73bf158392a427d188b7aad36244b94506f57a15
# nixfmt-rfc-style
03e5a0ffdaab9b1331ab95ca3e730aaec1d7c151

2
.gitignore vendored
View file

@ -4,7 +4,7 @@ doc/index.html
# Result of bud commands
vm
/iso
iso
doi
pkgs/_sources/.shake*

View file

@ -8,17 +8,28 @@ let
"x86_64-linux"
];
filterSystems = lib.filterAttrs (system: _: lib.elem system ciSystems);
filterSystems =
lib.filterAttrs
(system: _: lib.elem system ciSystems);
recurseIntoAttrsRecursive = lib.mapAttrs (
_: v: if lib.isAttrs v then recurseIntoAttrsRecursive (lib.recurseIntoAttrs v) else v
_: v:
if lib.isAttrs v
then recurseIntoAttrsRecursive (lib.recurseIntoAttrs v)
else v
);
systemOutputs = lib.filterAttrs (
name: set:
lib.isAttrs set && lib.any (system: set ? ${system} && name != "legacyPackages") ciSystems
) default.outputs;
systemOutputs =
lib.filterAttrs
(
name: set:
lib.isAttrs set
&& lib.any
(system: set ? ${system} && name != "legacyPackages")
ciSystems
)
default.outputs;
ciDrvs = lib.mapAttrs (_: system: filterSystems system) systemOutputs;
in
(recurseIntoAttrsRecursive ciDrvs) // { shell = import ./shell.nix; }
(recurseIntoAttrsRecursive ciDrvs) // {shell = import ./shell.nix;}

527
flake.lock generated
View file

@ -3,22 +3,18 @@
"agenix": {
"inputs": {
"darwin": [
"nix-darwin"
],
"home-manager": [
"home-manager"
"darwin"
],
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
"nixos"
]
},
"locked": {
"lastModified": 1736955230,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
"lastModified": 1682101079,
"narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
"owner": "ryantm",
"repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
"rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
"type": "github"
},
"original": {
@ -27,22 +23,42 @@
"type": "github"
}
},
"deploy-rs": {
"darwin": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1688307440,
"narHash": "sha256-7PTjbN+/+b799YN7Tk2SS5Vh8A0L3gBo8hmB7Y0VXug=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "b06bab83bdf285ea0ae3c8e145a081eb95959047",
"type": "github"
},
"original": {
"owner": "LnL7",
"repo": "nix-darwin",
"type": "github"
}
},
"deploy": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"nixpkgs": [
"nixpkgs"
"nixos"
],
"utils": "utils"
},
"locked": {
"lastModified": 1727447169,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
"lastModified": 1686747123,
"narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
"rev": "724463b5a94daa810abfc64a4f87faef4e00f984",
"type": "github"
},
"original": {
@ -51,14 +67,127 @@
"type": "github"
}
},
"devshell": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"digga",
"nixpkgs"
]
},
"locked": {
"lastModified": 1671489820,
"narHash": "sha256-qoei5HDJ8psd1YUPD7DhbHdhLIT9L2nadscp4Qk37uk=",
"owner": "numtide",
"repo": "devshell",
"rev": "5aa3a8039c68b4bf869327446590f4cdf90bb634",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"devshell_2": {
"inputs": {
"nixpkgs": [
"erpnext",
"nixpkgs"
],
"systems": [
"erpnext",
"systems"
]
},
"locked": {
"lastModified": 1688380630,
"narHash": "sha256-8ilApWVb1mAi4439zS3iFeIT0ODlbrifm/fegWwgHjA=",
"owner": "numtide",
"repo": "devshell",
"rev": "f9238ec3d75cefbb2b42a44948c4e8fb1ae9a205",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"digga": {
"inputs": {
"darwin": [
"darwin"
],
"deploy": [
"deploy"
],
"devshell": "devshell",
"flake-compat": [
"flake-compat"
],
"flake-utils": "flake-utils_2",
"flake-utils-plus": "flake-utils-plus",
"home-manager": [
"home"
],
"nixlib": [
"nixos"
],
"nixpkgs": [
"nixos"
],
"nixpkgs-unstable": "nixpkgs-unstable"
},
"locked": {
"lastModified": 1674947971,
"narHash": "sha256-6gKqegJHs72jnfFP9g2sihl4fIZgtKgKuqU2rCkIdGY=",
"owner": "pub-solar",
"repo": "digga",
"rev": "2da608bd8afb48afef82c6b1b6d852a36094a497",
"type": "github"
},
"original": {
"owner": "pub-solar",
"ref": "fix/bootstrap-iso",
"repo": "digga",
"type": "github"
}
},
"erpnext": {
"inputs": {
"agenix": [
"agenix"
],
"devshell": "devshell_2",
"nixpkgs": [
"nixos"
],
"systems": "systems"
},
"locked": {
"lastModified": 1689804718,
"narHash": "sha256-55XcyfO+jWDwQ09x4+DpoSXcVd8pDRTkyXEaT/Y82AY=",
"ref": "main",
"rev": "66e6c685d0ea0d475cdbfbb77c9920c52a610c27",
"revCount": 35,
"type": "git",
"url": "https://git.pub.solar/axeman/erpnext-nix"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pub.solar/axeman/erpnext-nix"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
@ -67,34 +196,13 @@
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1738453229,
"narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"lastModified": 1642700792,
"narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"rev": "846b2ae0fc4cc943637d3d1def4454213e203cba",
"type": "github"
},
"original": {
@ -103,152 +211,121 @@
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
"narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
"owner": "lf-",
"repo": "flakey-profile",
"rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
"type": "github"
},
"original": {
"owner": "lf-",
"repo": "flakey-profile",
"type": "github"
}
},
"home-manager": {
"flake-utils-plus": {
"inputs": {
"nixpkgs": [
"nixpkgs"
"flake-utils": [
"digga",
"flake-utils"
]
},
"locked": {
"lastModified": 1739570999,
"narHash": "sha256-eCc0/Q4bPpe4/AS+uzIrHLJcR6BxPQ69q2kD0/Qe6rU=",
"lastModified": 1654029967,
"narHash": "sha256-my3GQ3mQIw/1f6GPV1IhUZrcYQSWh0YJAMPNBjhXJDw=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "6271cf3842ff9c8a9af9e3508c547f86bc77d199",
"type": "github"
},
"original": {
"owner": "gytis-ivaskevicius",
"ref": "refs/pull/120/head",
"repo": "flake-utils-plus",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1687171271,
"narHash": "sha256-BJlq+ozK2B1sJDQXS3tzJM5a+oVZmi1q0FlBK/Xqv7M=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "abfb11bd1aec8ced1c9bb9adfe68018230f4fb3c",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1687871164,
"narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "254d47082e23dbf72fdeca1da6fe1da420f478d8",
"rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.11",
"ref": "release-23.05",
"repo": "home-manager",
"type": "github"
}
},
"invoiceplane-template": {
"inputs": {
"flake-parts": [
"flake-parts"
],
"nixpkgs": [
"nixpkgs"
]
},
"latest": {
"locked": {
"lastModified": 1728398621,
"narHash": "sha256-cNCgW0g012t7lZ2gxBpc+Uu6GHV2sTEsOV50nSZ96FM=",
"ref": "refs/heads/main",
"rev": "a4f2aa76583b5dfa3f2db12ff360ba9f229cfb2f",
"revCount": 37,
"type": "git",
"url": "https://git.pub.solar/momo/invoiceplane-templates.git"
},
"original": {
"type": "git",
"url": "https://git.pub.solar/momo/invoiceplane-templates.git"
}
},
"lix": {
"flake": false,
"locked": {
"lastModified": 1729298361,
"narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
"rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
}
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils",
"flakey-profile": "flakey-profile",
"lix": "lix",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1729360442,
"narHash": "sha256-6U0CyPycIBc04hbYy2hBINnVso58n/ZyywY2BD3hu+s=",
"rev": "9098ac95768f7006d7e070b88bae76939f6034e6",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/9098ac95768f7006d7e070b88bae76939f6034e6.tar.gz?rev=9098ac95768f7006d7e070b88bae76939f6034e6"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1739548217,
"narHash": "sha256-rlv64erpr36xdmMDPgf9rhRXBYZ0BZb5nrw2ZPSk1sQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "678b22642abde2ee77ae2218ab41d802f010e5b0",
"lastModified": 1689192006,
"narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nix-direnv": {
"inputs": {
"flake-parts": [
"flake-parts"
],
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": "treefmt-nix"
},
"nixos": {
"locked": {
"lastModified": 1739583861,
"narHash": "sha256-IOWna75ou7OGQwFRZ+5VOYECPlCmk0kq5WoGMvlQj+o=",
"owner": "nix-community",
"repo": "nix-direnv",
"rev": "2e82170f0689000d50ba5409fb139863f59ffd92",
"lastModified": 1689209875,
"narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-direnv",
"owner": "nixos",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1738816619,
"narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=",
"lastModified": 1686838567,
"narHash": "sha256-aqKCUD126dRlVSKV6vWuDCitfjFrZlkwNuvj5LtjRRU=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "2eccff41bab80839b1d25b303b53d339fbb07087",
"rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89",
"type": "github"
},
"original": {
@ -257,49 +334,59 @@
"type": "github"
}
},
"nixpkgs": {
"nixpkgs-unstable": {
"locked": {
"lastModified": 1739484910,
"narHash": "sha256-wjWLzdM7PIq4ZAe7k3vyjtgVJn6b0UeodtRFlM/6W5U=",
"lastModified": 1672791794,
"narHash": "sha256-mqGPpGmwap0Wfsf3o2b6qHJW1w2kk/I6cGCGIU+3t6o=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "0b73e36b1962620a8ac551a37229dd8662dac5c8",
"rev": "9813adc7f7c0edd738c6bdd8431439688bb0cb3d",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.11",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"nvfetcher": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1738452942,
"narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
"lastModified": 1687440270,
"narHash": "sha256-aOAXvfVn+MBSkU+xlQEiyoGpRaF6NvQdpWIhw5OH/Dc=",
"owner": "berberman",
"repo": "nvfetcher",
"rev": "44196458acc2c28c32e456c50277d6148e71e708",
"type": "github"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
"owner": "berberman",
"repo": "nvfetcher",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"deploy-rs": "deploy-rs",
"darwin": "darwin",
"deploy": "deploy",
"digga": "digga",
"erpnext": "erpnext",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"home-manager": "home-manager",
"invoiceplane-template": "invoiceplane-template",
"lix-module": "lix-module",
"nix-darwin": "nix-darwin",
"nix-direnv": "nix-direnv",
"home": "home",
"latest": "latest",
"nixos": "nixos",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"unstable": "unstable",
"watson": "watson"
"nvfetcher": "nvfetcher"
}
},
"systems": {
@ -332,68 +419,13 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nix-direnv",
"nixpkgs"
]
},
"locked": {
"lastModified": 1724833132,
"narHash": "sha256-F4djBvyNRAXGusJiNYInqR6zIMI3rvlp6WiKwsRISos=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "3ffd842a5f50f435d3e603312eefa4790db46af5",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"unstable": {
"locked": {
"lastModified": 1739446958,
"narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2ff53fe64443980e139eaa286017f53f88336dd0",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
@ -401,29 +433,6 @@
"repo": "flake-utils",
"type": "github"
}
},
"watson": {
"inputs": {
"flake-parts": [
"flake-parts"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1733302767,
"narHash": "sha256-UM6sX6lWXbJRPgSM+S1hgir/xt8xEdMYmLMZOiqrLg0=",
"owner": "pub-solar",
"repo": "watson",
"rev": "9e5685720ad4edca2c8643e95bf91258166e8f77",
"type": "github"
},
"original": {
"owner": "pub-solar",
"repo": "watson",
"type": "github"
}
}
},
"root": "root",

264
flake.nix
View file

@ -1,139 +1,193 @@
{
description = "teutat3s hosts in nix";
description = "A highly structured configuration database.";
nixConfig.extra-experimental-features = "nix-command flakes";
inputs = {
# Track channels with commits tested and built by hydra
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixos.url = "github:nixos/nixpkgs/nixos-23.05";
latest.url = "github:nixos/nixpkgs/nixos-unstable";
flake-compat.url = "github:edolstra/flake-compat";
flake-compat.flake = false;
nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
digga.url = "github:pub-solar/digga/fix/bootstrap-iso";
digga.inputs.nixpkgs.follows = "nixos";
digga.inputs.nixlib.follows = "nixos";
digga.inputs.home-manager.follows = "home";
digga.inputs.deploy.follows = "deploy";
digga.inputs.darwin.follows = "darwin";
digga.inputs.flake-compat.follows = "flake-compat";
home-manager.url = "github:nix-community/home-manager/release-24.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
home.url = "github:nix-community/home-manager/release-23.05";
home.inputs.nixpkgs.follows = "nixos";
flake-parts.url = "github:hercules-ci/flake-parts";
darwin.url = "github:LnL7/nix-darwin";
darwin.inputs.nixpkgs.follows = "nixos";
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.inputs.flake-compat.follows = "flake-compat";
deploy.url = "github:serokell/deploy-rs";
deploy.inputs.nixpkgs.follows = "nixos";
deploy.inputs.flake-compat.follows = "flake-compat";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.darwin.follows = "nix-darwin";
agenix.inputs.home-manager.follows = "home-manager";
nix-direnv.url = "github:nix-community/nix-direnv";
nix-direnv.inputs.nixpkgs.follows = "nixpkgs";
nix-direnv.inputs.flake-parts.follows = "flake-parts";
agenix.inputs.nixpkgs.follows = "nixos";
agenix.inputs.darwin.follows = "darwin";
nixos-hardware.url = "github:nixos/nixos-hardware";
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
nvfetcher.url = "github:berberman/nvfetcher";
nvfetcher.inputs.nixpkgs.follows = "nixos";
nvfetcher.inputs.flake-compat.follows = "flake-compat";
invoiceplane-template.url = "git+https://git.pub.solar/momo/invoiceplane-templates.git";
invoiceplane-template.inputs.nixpkgs.follows = "nixpkgs";
invoiceplane-template.inputs.flake-parts.follows = "flake-parts";
watson.url = "github:pub-solar/watson";
watson.inputs.nixpkgs.follows = "nixpkgs";
watson.inputs.flake-parts.follows = "flake-parts";
erpnext.url = "git+https://git.pub.solar/axeman/erpnext-nix?ref=main";
erpnext.inputs.nixpkgs.follows = "nixos";
erpnext.inputs.agenix.follows = "agenix";
};
outputs =
inputs@{ self, ... }:
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
systems = [
"x86_64-linux"
"aarch64-linux"
"x86_64-darwin"
"aarch64-darwin"
outputs = {
self,
digga,
nixos,
home,
nixos-hardware,
agenix,
deploy,
nvfetcher,
erpnext,
...
} @ inputs:
digga.lib.mkFlake
{
inherit self inputs;
channelsConfig = {
# allowUnfree = true;
};
supportedSystems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin"];
channels = {
nixos = {
imports = [(digga.lib.importOverlays ./overlays)];
overlays = [
(self: super: {
deploy-rs = {
inherit (inputs.nixos.legacyPackages.x86_64-linux) deploy-rs;
lib = inputs.deploy.lib.x86_64-linux;
};
})
];
};
latest = {};
};
lib = import ./lib {lib = digga.lib // nixos.lib;};
sharedOverlays = [
(final: prev: {
__dontExport = true;
lib = prev.lib.extend (lfinal: lprev: {
our = self.lib;
});
})
agenix.overlays.default
erpnext.overlays.default
erpnext.overlays.pythonOverlay
nvfetcher.overlays.default
(import ./pkgs)
];
imports = [
./lib
./modules
./hosts
./users
./overlays
];
nixos = {
hostDefaults = {
system = "x86_64-linux";
channelName = "nixos";
imports = [(digga.lib.importExportableModules ./modules)];
modules = [
{lib.our = self.lib;}
# FIXME: upstream module causes a huge number of unnecessary
# dependencies to be pulled in for all systems -- many of them are
# graphical. should only be imported as needed.
# digga.nixosModules.bootstrapIso
digga.nixosModules.nixConfig
home.nixosModules.home-manager
agenix.nixosModules.age
];
};
perSystem =
args@{
system,
pkgs,
config,
...
}:
{
_module.args = {
inherit inputs;
pkgs = import inputs.nixpkgs {
inherit system;
overlays = [ inputs.agenix.overlays.default ];
};
unstable = import inputs.unstable { inherit system; };
master = import inputs.master { inherit system; };
imports = [(digga.lib.importHosts ./hosts)];
hosts = {
# Set host-specific properties here
bootstrap = {
modules = [
digga.nixosModules.bootstrapIso
];
};
devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [
agenix
cachix
deploy-rs
nixd
nixos-generators
nvfetcher
editorconfig-checker
nodePackages.prettier
shellcheck
shfmt
treefmt
PubSolarOS = {
tests = [
#(import ./tests/first-test.nix {
# pkgs = nixos.legacyPackages.x86_64-linux;
# lib = nixos.lib;
#})
];
};
pioneer-momo-koeln = {
modules = [
erpnext.nixosModules.erpnext
];
};
};
flake = {
formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;
deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
#example = {
# hostname = "example.com:22";
# sshUser = "bartender";
# fastConnect = true;
# profilesOrder = ["system" "direnv"];
# profiles.direnv = {
# user = "bartender";
# path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.bartender;
# };
#};
fae = {
hostname = "192.168.13.35";
sshUser = "pub-solar";
};
powder = {
hostname = "80.71.153.194";
sshUser = "root";
profilesOrder = [
"system"
"direnv"
];
profiles.direnv = {
user = "pub-solar";
path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.pub-solar;
importables = rec {
profiles =
digga.lib.rakeLeaves ./profiles
// {
users = digga.lib.rakeLeaves ./users;
};
suites = with profiles; rec {
base = [base-user cachix users.root users.barkeeper];
pioneer-momo-koeln = base;
};
};
};
home = {
imports = [(digga.lib.importExportableModules ./users/modules)];
modules = [];
importables = rec {
profiles = digga.lib.rakeLeaves ./users/profiles;
suites = with profiles; rec {
base = [direnv git];
};
};
users = {
barkeeper = {suites, ...}: {
imports = suites.base;
home.stateVersion = "22.05";
};
}; # digga.lib.importers.rakeLeaves ./users/hm;
};
devshell = ./shell;
homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
pioneer-momo-koeln = {
hostname = "80.244.242.4";
sshUser = "barkeeper";
};
#example = {
# hostname = "example.com:22";
# sshUser = "bartender";
# fastConnect = true;
# profilesOrder = ["system" "direnv"];
# profiles.direnv = {
# user = "bartender";
# path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.bartender;
# };
#};
};
};
}

View file

@ -1,23 +0,0 @@
{ suites, ... }:
{
### root password is empty by default ###
### default password: pub-solar, optional: add your SSH keys
imports = suites.iso;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.networkmanager.enable = true;
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}

View file

@ -1,59 +0,0 @@
{
config,
lib,
pkgs,
profiles,
...
}:
let
inherit (lib) mkForce;
# Gets hostname of host to be bundled inside iso
# Copied from https://github.com/divnix/digga/blob/30ffa0b02272dc56c94fd3c7d8a5a0f07ca197bf/modules/bootstrap-iso.nix#L3-L11
getFqdn =
config:
let
net = config.networking;
fqdn =
if (net ? domain) && (net.domain != null) then "${net.hostName}.${net.domain}" else net.hostName;
in
fqdn;
in
{
# build with: `nix build ".#nixosConfigurations.bootstrap.config.system.build.isoImage"`
imports = [
# profiles.networking
profiles.users.root # make sure to configure ssh keys
profiles.users.pub-solar
profiles.base-user
profiles.graphical
profiles.pub-solar-iso
];
config = {
boot.loader.systemd-boot.enable = true;
# will be overridden by the bootstrapIso instrumentation
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
};
system.nixos.label = "PubSolarOS-" + config.system.nixos.version;
# mkForce because a similar transformation gets double applied otherwise
# https://github.com/divnix/digga/blob/30ffa0b02272dc56c94fd3c7d8a5a0f07ca197bf/modules/bootstrap-iso.nix#L17
# https://github.com/NixOS/nixpkgs/blob/aecd4d8349b94f9bd5718c74a5b789f233f67326/nixos/modules/installer/cd-dvd/installation-cd-base.nix#L21-L22
isoImage = {
isoBaseName = mkForce (getFqdn config);
isoName = mkForce "${config.system.nixos.label}-${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso";
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
};
}

View file

@ -1,155 +0,0 @@
{
withSystem,
self,
inputs,
config,
...
}:
{
flake = {
nixosModules = {
home-manager = {
imports = [
inputs.home-manager.nixosModules.home-manager
({
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = {
flake = {
inherit self inputs config;
};
};
})
];
};
};
nixosConfigurations = {
dumpyourvms = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
self.nixosModules.base
./dumpyourvms
self.nixosModules.teutat3s
self.nixosModules.audio
self.nixosModules.bluetooth
self.nixosModules.desktop-extended
self.nixosModules.docker
self.nixosModules.graphical
self.nixosModules.nextcloud
self.nixosModules.office
self.nixosModules.printing
];
};
ryzensun = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
self.nixosModules.base
./ryzensun
self.nixosModules.teutat3s
self.nixosModules.audio
self.nixosModules.desktop-extended
self.nixosModules.docker
self.nixosModules.forgejo-actions-runner
self.nixosModules.graphical
self.nixosModules.office
self.nixosModules.printing
self.nixosModules.virtualisation
];
};
fae = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
self.nixosModules.base
inputs.nixos-hardware.nixosModules.raspberry-pi-4
./fae
self.nixosModules.pub-solar
self.nixosModules.acme
self.nixosModules.invoiceplane
self.nixosModules.actual
];
};
#powder = self.inputs.nixpkgs.lib.nixosSystem {
# specialArgs = {
# flake = {
# inherit self inputs config;
# };
# };
# modules = [
# self.nixosModules.base
# inputs.nixos-hardware.nixosModules.raspberry-pi-4
# ./powder
# self.nixosModules.teutat3s
# self.nixosModules.docker
# self.nixosModules.wireguard-client
# self.nixosModules.invoiceplane
# ];
#};
iso = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
"${inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
self.nixosModules.base
./iso
self.nixosModules.nixos
];
};
iso-arm = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
"${inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
self.nixosModules.base
./iso
self.nixosModules.nixos
];
};
iso-graphical = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
"${inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
self.nixosModules.base
./iso
self.nixosModules.nixos
self.nixosModules.graphical
self.nixosModules.audio
self.nixosModules.bluetooth
(
{ ... }:
{
pub-solar.graphical.wayland.software-renderer.enable = true;
}
)
];
};
};
};
}

View file

@ -1,12 +0,0 @@
# seahorse
for_window [title="seahorse"] floating enabled
# NetworkManager
for_window [app_id="nm-connection-editor"] floating enabled
# thunderbird
for_window [title="New Task:*"] floating enabled
for_window [title="Edit Task:*"] floating enabled
for_window [title="New Event:*"] floating enabled
for_window [title="Edit Event:*"] floating enabled

View file

@ -1,6 +0,0 @@
# Autostart applications
#
# Example:
# exec swayidle
exec qMasterPassword

View file

@ -1,3 +0,0 @@
# switch keyboard input language
bindsym $mod+tab exec swaymsg input "1452:628:Apple_Inc._Apple_Internal_Keyboard_/_Trackpad" xkb_switch_layout next

View file

@ -1,37 +0,0 @@
### Input configuration
#
# You can get the names of your inputs by running: swaymsg -t get_inputs
# Read `man 5 sway-input` for more information about this section.
input "type:keyboard" {
xkb_layout us(intl),de
xkb_model pc105
xkb_options ctrl:nocaps
}
input "type:touchpad" {
tap enabled
natural_scroll enabled
# Disable while typing
dwt enabled
}
# Touchpad controls
#bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl -d acpi_video0 set +10%"
bindsym XF86MonBrightnessDown exec "brightnessctl -d acpi_video0 set 10%-"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%"
# Pulse Audio controls
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"

View file

@ -1,39 +0,0 @@
### Output configuration
#
# Example configuration:
#
# output HDMI-A-1 resolution 1920x1080 position 1920,0
#
# You can get the names of your outputs by running: swaymsg -t get_outputs
set $main_screen eDP-1
set $displayport DP-3
set $hmdi HDMI-A-1
output $main_screen scale 1.7
output $displayport scale 1
output $main_screen position 0 1440
output $displayport position 0 0 resolution 2560x1440@60Hz
#bindswitch lid:on output $main_screen disable
#bindswitch lid:off output $main_screen enable
bindsym $mod+Shift+x output $main_screen toggle
# TODO when using more monitors
## Manual management of external displays
# Set the shortcuts and what they do
#set $mode_display HDMI (i) top, (j) left, (k) bottom, (l) right, (o) off
#mode "$mode_display" {
# bindsym i output HDMI-A-1 enable; output HDMI-A-1 pos 0 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 1080, mode "default"
# bindsym j output HDMI-A-1 enable; output HDMI-A-1 pos 0 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 1920 0, mode "default"
# bindsym k output HDMI-A-1 enable; output HDMI-A-1 pos 0 900 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 0, mode "default"
# bindsym l output HDMI-A-1 enable; output HDMI-A-1 pos 1440 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 0, mode "default"
# bindsym o output HDMI-A-1 disable, mode "default"
#
# # back to normal: Enter or Escape
# bindsym Return mode "default"
# bindsym Escape mode "default"
#}
## Declare here the shortcut to bring the display selection menu
#bindsym $mod+x mode "$mode_display"

View file

@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDbzCCAxSgAwIBAgIRAMK20/fFF0YVThq8xm/YvBswCgYIKoZIzj0EAwIwgbkx
CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj
bzEaMBgGA1UECRMRMTAxIFNlY29uZCBTdHJlZXQxDjAMBgNVBBETBTk0MTA1MRcw
FQYDVQQKEw5IYXNoaUNvcnAgSW5jLjFAMD4GA1UEAxM3Q29uc3VsIEFnZW50IENB
IDI1ODgxOTUyODQyOTMwNjIxMjY4NDgwMTUxODE3OTM2NjUxNzc4NzAeFw0xOTEx
MDYwMDI3MzVaFw0yNDExMDQwMDI3MzVaMIG5MQswCQYDVQQGEwJVUzELMAkGA1UE
CBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGjAYBgNVBAkTETEwMSBTZWNv
bmQgU3RyZWV0MQ4wDAYDVQQREwU5NDEwNTEXMBUGA1UEChMOSGFzaGlDb3JwIElu
Yy4xQDA+BgNVBAMTN0NvbnN1bCBBZ2VudCBDQSAyNTg4MTk1Mjg0MjkzMDYyMTI2
ODQ4MDE1MTgxNzkzNjY1MTc3ODcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQE
SZ2kc9rKUNX3czze+rFR/bZdLx3JEYrpcSXKkpv1wr68E1Jqhi/8Dm8b62Ei/Bc6
ZhoJvtB2Shtl+6LbjccUo4H6MIH3MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8E
BTADAQH/MGgGA1UdDgRhBF9hZjo4MzoyZTpiOToyZTozMzo5MDplOTpkMjpiNzpj
NjpjYzpkYToxODoyYTphNzpjMzo5ZTozMTpmNTpkZTo4Mzo4YzozMDo0Mjo3OTo4
ZDo0ZDpmZDozMjo2NzpiYjBqBgNVHSMEYzBhgF9hZjo4MzoyZTpiOToyZTozMzo5
MDplOTpkMjpiNzpjNjpjYzpkYToxODoyYTphNzpjMzo5ZTozMTpmNTpkZTo4Mzo4
YzozMDo0Mjo3OTo4ZDo0ZDpmZDozMjo2NzpiYjAKBggqhkjOPQQDAgNJADBGAiEA
zKCV25P6HqFEa1iUVQnsNAp/WHUwxNlR0OctZSdiuIkCIQDiRK03ZYSK/hmY9kXV
42nj6kO8MexfiYN4IE4URmzYnA==
-----END CERTIFICATE-----

View file

@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./dumpyourvms.nix
./hardware-configuration.nix
./networking.nix
];
}

View file

@ -1,203 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
pub-solar = {
terminal-life.full = true;
core.hibernation = {
enable = true;
resumeDevice = "/dev/mapper/cryptroot";
resumeOffset = 47366144;
};
};
# Fix backlight for keyboard and brightness, adjust function key binding,
# intel_pstate for cpu schedutil
# For now, the radeon driver seems to work better than amdgpu with Radeon R9 M370X
# Explicitly set amdgpu support in place of radeon
# Source: https://github.com/NixOS/nixos-hardware/blob/master/common/gpu/amd/southern-islands/default.nix
# Try again after https://lists.freedesktop.org/archives/amd-gfx/2023-March/090096.html lands
boot.kernelParams = [
"acpi_backlight=video"
"hid_apple.fnmode=2"
"intel_pstate=passive"
"radeon.si_support=0"
"amdgpu.si_support=1"
];
boot.loader.efi.canTouchEfiVariables = true;
# Fix for Error switching console mode to 1: unsupported on startup
boot.loader.systemd-boot.consoleMode = lib.mkForce "0";
boot.loader.systemd-boot.configurationLimit = 5;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
systemd.sleep.extraConfig = ''
HibernateMode=shutdown
'';
hardware = {
cpu.intel.updateMicrocode = true;
facetimehd.enable = true;
graphics = {
extraPackages = with pkgs; [ intel-vaapi-driver ]; # i7-4870HQ older hardware like haswell (crystall well)
extraPackages32 = with pkgs.pkgsi686Linux; [ intel-vaapi-driver ];
};
};
services.fstrim.enable = true;
networking.hostName = "dumpyourvms";
services.resolved = {
enable = true;
extraConfig = ''
DNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 5.9.164.112#dns3.digitalcourage.de 89.233.43.71#unicast.censurfridns.dk 185.49.141.37#getdnsapi.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net 2a01:4f8:251:554::2#dns3.digitalcourage.de 2a01:3a0:53:53::0#unicast.censurfridns.dk 2a04:b900:0:100::38#getdnsapi.net
FallbackDNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
Domains=~.
DNSOverTLS=yes
'';
};
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
};
services.usbmuxd.enable = true;
#programs.droidcam.enable = true;
#services.mozillavpn.enable = true;
security.pki.certificateFiles = [ ./consul-agent-ca.pem ];
# Power off dedicated GPU, use only integrated Intel GPU to save battery
# https://github.com/NixOS/nixpkgs/pull/33915
# https://ubuntuforums.org/showthread.php?t=2409856
systemd.services."amd-hybrid-graphics-power-save" = {
path = [ pkgs.bash ];
description = "Power Off dedicated AMD Card to reduce power usage";
requires = [ "sys-kernel-debug.mount" ];
enable = true;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.bash}/bin/sh -c 'sleep 7 && if grep --quiet 'IGD:+' /sys/kernel/debug/vgaswitcheroo/switch; then echo -e \"IGD\\nOFF\" > /sys/kernel/debug/vgaswitcheroo/switch; fi'";
ExecStop = "${pkgs.bash}/bin/sh -c 'echo ON >/sys/kernel/debug/vgaswitcheroo/switch'";
};
wantedBy = [ "multi-user.target" ];
};
# Increase console font size for HiDPI display
console = {
earlySetup = true;
font = lib.mkForce "ter-i32b";
packages = [ pkgs.terminus_font ];
};
# Thunderbolt tools
services.hardware.bolt.enable = true;
# Enable udev rules for gnupg smart cards
hardware.gpgSmartcards.enable = true;
hardware.keyboard.uhk.enable = true;
powerManagement = {
# Use new schedutil govenor
# https://github.com/NixOS/nixpkgs/pull/42330
# https://www.kernel.org/doc/html/v5.10/admin-guide/pm/cpufreq.html#schedutil
cpuFreqGovernor = lib.mkDefault "schedutil";
# brcmfmac being loaded during hibernation would inhibit a successful resume
# https://bugzilla.kernel.org/show_bug.cgi?id=101681#c116.
# Also brcmfmac could randomly crash on resume from sleep.
# To hibernate successfully using the amdgpu driver, the dedicated GPU needs
# to be powered on.
powerUpCommands = lib.mkBefore (
"${pkgs.kmod}/bin/modprobe brcmfmac"
+ lib.optionalString (lib.versionAtLeast config.boot.kernelPackages.kernel.version "6.2") " brcmfmac_wcc"
);
powerDownCommands = lib.mkBefore (
lib.optionalString (lib.versionAtLeast config.boot.kernelPackages.kernel.version "6.2") "${pkgs.kmod}/bin/rmmod brcmfmac_wcc\n"
+ ''
${pkgs.kmod}/bin/rmmod brcmfmac
${pkgs.systemd}/bin/systemctl stop amd-hybrid-graphics-power-save.service
''
);
resumeCommands =
if config.systemd.services."amd-hybrid-graphics-power-save".enable == true then
''
${pkgs.systemd}/bin/systemctl start amd-hybrid-graphics-power-save.service
''
else
"";
};
# Change lid switch behaviour
services.logind.lidSwitch = "hibernate";
# TLP for power management
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
CPU_BOOST_ON_AC = 1;
CPU_BOOST_ON_BAT = 0;
};
};
services.udev.extraRules =
# Disable XHC1 wakeup signal to avoid resume getting triggered some time
# after suspend. Reboot required for this to take effect.
lib.optionalString (lib.versionAtLeast config.boot.kernelPackages.kernel.version "3.13")
''SUBSYSTEM=="pci", KERNEL=="0000:00:14.0", ATTR{power/wakeup}="disabled"'';
home-manager =
pkgs.lib.setAttrByPath
[
"users"
psCfg.user.name
]
{
# Custom device sway configs
xdg.configFile = {
"sway/config.d/10-applications.conf".source = ./.config/sway/config.d/applications.conf;
"sway/config.d/autostart.conf".source = ./.config/sway/config.d/autostart.conf;
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
"sway/config.d/input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
"sway/config.d/screens.conf".source = ./.config/sway/config.d/screens.conf;
};
};
# WLAN frequency compliance (e.g. check for radar with DFS)
hardware.firmware = with pkgs; [ wireless-regdb ];
boot.extraModprobeConfig = ''
options cfg80211 ieee80211_regdom="DE"
# Enable the integrated GPU (iGPU) Intel i915 by default if present
options apple-gmux force_igd=y
# Enable HD-Audio Codec-Specific Models
# https://www.kernel.org/doc/html/latest/sound/hd-audio/models.html
options snd-hda-intel model=mbp11
# https://bbs.archlinux.org/viewtopic.php?pid=1445636#p1445636
#
options snd-hda-intel index=1
'';
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}

View file

@ -1,48 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
#(modulesPath + "/hardware/network/broadcom-43xx.nix")
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/17bbb016-d27c-47da-8805-58c6395891e8";
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/c100b9a7-99d7-44d9-b7c2-3892a5f233c4";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/06B8-5414";
fsType = "vfat";
};
swapDevices = [
{
device = "/swapfile";
size = 18432;
}
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

View file

@ -1,286 +0,0 @@
{ pkgs, lib, ... }:
{
systemd.services.wg-quick-wg5.serviceConfig.Type = lib.mkForce "simple";
systemd.services.wg-quick-wg5.serviceConfig.Restart = "on-failure";
systemd.services.wg-quick-wg5.serviceConfig.RestartSec = "5s";
systemd.services.NetworkManager-wait-online.enable = true;
networking = {
networkmanager.dns = "systemd-resolved";
#networkmanager.dispatcherScripts = [
# { source = "${pkgs.prison-break}/bin/prison-break"; }
#];
hosts = {
"10.0.0.42" = [
"nomad.service.consul"
"nomad.service.cgn-1.consul"
];
"10.0.0.66" = [ "consul.service.cgn-1.consul" ];
"10.0.1.9" = [ "consul.service.lev-1.consul" ];
"10.0.0.70" = [
"vault.service.consul"
"vault.service.cgn-1.consul"
];
"10.0.0.200" = [ "headnode.cgn-1" ];
"10.0.0.201" = [ "cn01.cgn-1" ];
"10.0.0.202" = [ "cn02.cgn-1" ];
"10.0.0.205" = [ "cn05.cgn-1" ];
"10.0.0.206" = [ "cn06.cgn-1" ];
"10.0.0.207" = [ "cn07.cgn-1" ];
"10.0.0.208" = [ "cn08.cgn-1" ];
"10.0.1.200" = [ "headnode.lev-1" ];
"10.0.1.201" = [ "cn01.lev-1" ];
"10.0.1.202" = [ "cn02.lev-1" ];
"10.0.1.203" = [ "cn03.lev-1" ];
"10.0.1.204" = [ "cn04.lev-1" ];
"10.0.1.205" = [ "cn05.lev-1" ];
"10.0.1.206" = [ "cn00.lev-1" ];
"10.0.1.207" = [ "cn06.lev-1" ];
"10.0.1.208" = [ "cn07.lev-1" ];
"10.101.64.10" = [ "wifi.bahn.de" ];
"192.168.13.25" = [
"ryzensun.local"
"cloudapi.coal-1.mnx.io"
];
};
wireguard.enable = true;
wg-quick.interfaces = {
wg0 = {
autostart = false;
address = [ "10.8.8.6/32" ];
privateKeyFile = "/etc/wireguard/wg0.privatekey";
peers = [
{
publicKey = "l0DJLicCrcrixNP6zAWTXNSEaNM2jML253BXEZ1KpiU=";
allowedIPs = [
"10.8.8.16/32"
"10.0.0.0/24"
"10.88.88.0/24"
];
endpoint = "85.88.23.16:51820";
persistentKeepalive = 25;
}
];
};
wg1 = {
autostart = false;
address = [ "192.168.188.203/24" ];
privateKeyFile = "/etc/wireguard/wg1.privatekey";
peers = [
{
publicKey = "iZkgeA/mFxBRclCa5SJYdqffClly/uho5krebcUloCY=";
allowedIPs = [ "192.168.188.0/24" ];
presharedKeyFile = "/etc/wireguard/wg1.presharedkey";
#endpoint = "85.214.70.91:50163";
#endpoint = "u7dazg4ceu9dggxa.myfritz.net:50163";
endpoint = "[2a00:6020:1000:47::2ded]:50163";
persistentKeepalive = 25;
}
];
};
wg2 = {
autostart = false;
address = [ "10.6.6.4/32" ];
privateKeyFile = "/etc/wireguard/wg2.privatekey";
peers = [
{
publicKey = "nYMmaCIW8lZ7SokivN8HXxYDch+SS1G7ab1SC9meDAw=";
presharedKeyFile = "/etc/wireguard/wg2.presharedkey";
allowedIPs = [
"10.6.6.1/32"
"10.1.1.0/24"
];
endpoint = "85.88.23.127:51820";
persistentKeepalive = 16;
}
];
};
wg3 = {
autostart = false;
address = [ "10.11.11.2/32" ];
privateKeyFile = "/etc/wireguard/wg3.privatekey";
mtu = 1300;
peers = [
{
publicKey = "7RRgfZSneqAtAHBeI6+aaYLqz9e1jikg/lIK8mhW928=";
presharedKeyFile = "/etc/wireguard/wg3.presharedkey";
allowedIPs = [
"10.11.11.0/24"
"192.168.1.0/24"
"10.0.1.0/24"
];
endpoint = "80.71.153.1:51820";
persistentKeepalive = 16;
}
];
};
wg4 = {
address = [ "fdaa:1:3234:a7b:16a9:0:a:202/120" ];
privateKeyFile = "/etc/wireguard/wg4.privatekey";
postUp = "resolvectl dns wg4 fdaa:1:3234::3; resolvectl domain wg4 ~internal";
preDown = "resolvectl revert wg4";
#dns = [
# "fdaa:1:3234::3, internal"
#];
peers = [
{
publicKey = "yUyg63j5+17YeJ7gRhxoQuF6rvdX0JF59M6skytJFTQ=";
allowedIPs = [ "fdaa:1:3234::/48" ];
#endpoint = "ams1.gateway.6pn.dev:51820";
endpoint = "176.58.93.206:51820";
persistentKeepalive = 15;
}
];
};
wg5 = {
autostart = false;
address = [ "192.168.13.201/24" ];
privateKeyFile = "/etc/wireguard/wg5.privatekey";
postUp = "resolvectl dnsovertls wg5 no; resolvectl dns wg5 192.168.13.1; resolvectl domain wg5 ~fritz.box";
preDown = "resolvectl revert wg5";
peers = [
{
publicKey = "UhPW8jebAPaMYqjJfSFO9QAMhk0E+dq4i6lB4Wjg91Q=";
presharedKeyFile = "/etc/wireguard/wg5.presharedkey";
allowedIPs = [ "192.168.13.0/24" ];
endpoint = "svxqr7qjmk9beu7t.myfritz.net:59538";
#endpoint = "84.44.134.172:59538";
persistentKeepalive = 25;
}
];
};
wg6 = {
address = [
"10.7.6.201/32"
"fd00:fae:fae:fae:fae:201::/96"
];
privateKeyFile = "/etc/wireguard/wg6.privatekey";
peers = [
{
# nachtigall.pub.solar
publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
allowedIPs = [
"10.7.6.1/32"
"fd00:fae:fae:fae:fae:1::/96"
];
#endpoint = "138.201.80.102:51820";
endpoint = "[2a01:4f8:172:1c25::1]:51820";
persistentKeepalive = 15;
}
{
# metronom.pub.solar
publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
allowedIPs = [
"10.7.6.3/32"
"fd00:fae:fae:fae:fae:3::/96"
];
endpoint = "49.13.236.167:51820";
#endpoint = "[2a01:4f8:c2c:7082::]:51820";
persistentKeepalive = 15;
}
{
# tankstelle.pub.solar
publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg=";
allowedIPs = [
"10.7.6.4/32"
"fd00:fae:fae:fae:fae:4::/96"
];
endpoint = "80.244.242.5:51820";
#endpoint = "[2001:4d88:1ffa:26::5]:51820";
persistentKeepalive = 15;
}
{
# trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
allowedIPs = [
"10.7.6.5/32"
"fd00:fae:fae:fae:fae:5::/96"
];
#endpoint = "85.215.152.22:51820";
endpoint = "[2a01:239:35d:f500::1]:51820";
persistentKeepalive = 15;
}
{
# delite.pub.solar
publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k=";
allowedIPs = [
"10.7.6.6/32"
"fd00:fae:fae:fae:fae:6::/96"
];
#endpoint = "5.255.119.132:51820";
endpoint = "[2a04:52c0:124:9d8c::2]:51820";
persistentKeepalive = 15;
}
{
# blue-shell.pub.solar
publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8=";
allowedIPs = [
"10.7.6.7/32"
"fd00:fae:fae:fae:fae:7::/96"
];
#endpoint = "194.13.83.205:51820";
endpoint = "[2a03:4000:43:24e::1]:51820";
persistentKeepalive = 15;
}
];
};
wg7 = {
address = [
"10.30.30.201/32"
"fd00:3030:3030:3030:3030:201::/96"
];
privateKeyFile = "/etc/wireguard/wg7.privatekey";
peers = [
{
# pioneer.momo.koeln
publicKey = "W9Vn2yv+AZjOD7sqKp4DyMbIz5N++Vjlr+6J3BnXj3o=";
allowedIPs = [
"10.30.30.1/32"
"fd00:3030:3030:3030:3030:1::/96"
];
#endpoint = "80.244.242.4:51820";
endpoint = "[2001:4d88:1ffa:26::4]:51820";
persistentKeepalive = 15;
}
];
};
# mozillavpn
moz0 = {
autostart = false;
address = [
"10.142.131.196/32"
"fc00:bbbb:bbbb:bb01:d:0:e:83c4/128"
];
privateKeyFile = "/etc/wireguard/moz0.privatekey";
#postUp = "resolvectl dns wg4 fdaa:1:3234::3; resolvectl domain wg4 ~internal";
#preDown = "resolvectl revert wg4";
#dns = [
# "fdaa:1:3234::3, internal"
#];
peers = [
{
publicKey = "ku1NYeOAGbY65YL/JKZhrqVzDJKXQiVj9USXbfkOBA0=";
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "185.254.75.3:36294";
}
];
};
};
};
}

View file

@ -1,52 +0,0 @@
{
enable = false;
localControlSocketPath = "/run/unbound/unbound.ctl";
settings = {
server = {
cache-max-ttl = 14400;
cache-min-ttl = 1200;
aggressive-nsec = true;
prefetch = false;
rrset-roundrobin = true;
use-caps-for-id = true;
do-ip6 = false;
hide-identity = true;
hide-version = true;
do-not-query-localhost = false;
tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
};
# fritz.box stub zone
stub-zone = {
name = "fritz.box";
stub-addr = "192.168.13.1";
};
# DNS over DLS forwarding
forward-zone = {
name = ".";
forward-tls-upstream = true;
forward-addr = [
"5.1.66.255@853#dot.ffmuc.net"
"185.150.99.255@853#dot.ffmuc.net"
"89.233.43.71@853#unicast.censurfridns.dk"
"94.130.110.185@853#ns1.dnsprivacy.at"
"2001:678:e68:f000::@853#dot.ffmuc.net"
"2001:678:ed0:f000::@853#dot.ffmuc.net"
"2a01:3a0:53:53::0@853#unicast.censurfridns.dk"
"2a01:4f8:c0c:3c03::2@853#ns1.dnsprivacy.at"
"2a01:4f8:c0c:3bfc::2@853#ns2.dnsprivacy.at"
"2001:610:1:40ba:145:100:185:15@853#dnsovertls.sinodun.com"
"2001:610:1:40ba:145:100:185:16@853#dnsovertls1.sinodun.com"
"2a04:b900:0:100::38@853#getdnsapi.net"
"145.100.185.15@853#dnsovertls.sinodun.com"
"145.100.185.16@853#dnsovertls1.sinodun.com"
"185.49.141.37@853#getdnsapi.net"
];
};
};
}

View file

@ -1,28 +0,0 @@
{
flake,
config,
pkgs,
lib,
...
}:
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
security.acme.certs = {
"actual.faenix.eu" = { };
};
services.nginx.virtualHosts = {
"actual.faenix.eu" = {
forceSSL = true;
useACMEHost = "actual.faenix.eu";
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.actual.settings.port}";
};
};
services.actual = {
enable = true;
};
}

View file

@ -1,10 +0,0 @@
{ ... }:
{
imports = [
./actual.nix
./paperless.nix
./invoiceplane.nix
./vikunja.nix
./fae.nix
];
}

View file

@ -1,71 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
config = {
pub-solar.core.disk-encryption-active = false;
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = [ "noatime" ];
};
};
networking.hostName = "paperless";
services.openssh = {
enable = true;
openFirewall = true;
allowSFTP = true;
};
boot.kernelParams = [ "boot.shell_on_fail=1" ];
# Would decrease closure size, but currenly broken (cairo)
#environment.noXlibs = true;
nix = {
gc.automatic = true;
optimise.automatic = true;
settings = {
auto-optimise-store = true;
sandbox = true;
allowed-users = [ "@wheel" ];
trusted-users = [
"root"
"@wheel"
];
};
extraOptions = ''
min-free = 536870912
keep-outputs = true
keep-derivations = true
fallback = true
'';
};
# custom raspi boot loader is already present
boot.loader.systemd-boot.enable = false;
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_6_6;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
};
}

View file

@ -1,80 +0,0 @@
{
flake,
config,
pkgs,
lib,
...
}:
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
backupDir = "/var/lib/invoiceplane/backup";
in
{
security.acme.certs = {
"billing.faenix.eu" = { };
};
services.nginx.virtualHosts = {
"billing.faenix.eu" = {
forceSSL = true;
useACMEHost = "billing.faenix.eu";
};
};
services.invoiceplane = {
webserver = "nginx";
sites."billing.faenix.eu" = {
enable = true;
invoiceTemplates = [
flake.self.inputs.invoiceplane-template.packages.${pkgs.system}.invoiceplane-template
];
settings = {
IP_URL = "https://billing.faenix.eu";
DISABLE_SETUP = true;
SETUP_COMPLETED = true;
# Useful for debugging, logs to
# /var/lib/invoiceplane/<domain>/logs/
#ENABLE_DEBUG=true;
};
poolConfig = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.max_spare_servers" = 4;
"pm.min_spare_servers" = 2;
"pm.start_servers" = 2;
"php_admin_value[date.timezone]" = "Europe/Berlin";
"php_admin_value[error_log]" = "/var/lib/invoiceplane/billing.faenix.eu/logs/php-error.log";
"php_admin_flag[display_errors]" = "off";
"php_admin_flag[log_errors]" = "on";
"catch_workers_output" = "yes";
};
};
};
systemd.tmpfiles.rules = [ "d '${backupDir}' 0700 root root - -" ];
services.restic.backups = {
invoiceplane = {
paths = [
backupDir
"/var/lib/invoiceplane/billing.faenix.eu"
];
timerConfig = {
OnCalendar = "*-*-* 00:00:00 Etc/UTC";
};
initialize = true;
passwordFile = config.age.secrets."restic-password.age".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/Backups/InvoicePlane";
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u invoiceplane ${pkgs.mariadb-client}/bin/mariadb-dump --all-databases --user=invoiceplane > "${backupDir}/invoiceplane-mariadb-dump.sql"
'';
rcloneConfigFile = config.age.secrets."fae-rclone.conf.age".path;
};
};
}

View file

@ -1,107 +0,0 @@
{
flake,
lib,
config,
pkgs,
...
}:
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
dataDir = "${xdg.dataHome}/Paperless";
backupDir = "${xdg.dataHome}/PaperlessBackup";
consumptionDir = "/home/${psCfg.user.name}/.local/share/scandir";
in
{
services.paperless = {
enable = true;
user = psCfg.user.name;
consumptionDir = consumptionDir;
dataDir = dataDir;
address = "127.0.0.1";
settings = {
PAPERLESS_ADMIN_USER = psCfg.user.name;
PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
PAPERLESS_URL = "https://paperless.faenix.eu";
};
};
hardware.sane = {
enable = true;
# No aarch64 support for now
#brscan5.enable = true;
};
home-manager.users."${psCfg.user.name}" = {
home.sessionVariables = {
SCANNER_OUTPUT_DIR = consumptionDir;
};
systemd.user.sessionVariables = {
SCANNER_OUTPUT_DIR = consumptionDir;
};
};
security.acme.certs = {
"paperless.faenix.eu" = { };
};
services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
clientMaxBodySize = "256m";
virtualHosts = {
"paperless.faenix.eu" = {
#listenAddresses = [
# "192.168.13.35"
#];
forceSSL = true;
useACMEHost = "paperless.faenix.eu";
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.paperless.port}";
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
systemd.tmpfiles.rules = [
"d /home/${psCfg.user.name}/.local 0700 ${psCfg.user.name} users - -"
"d /home/${psCfg.user.name}/.local/share 0700 ${psCfg.user.name} users - -"
"d '${backupDir}' 0700 ${psCfg.user.name} users - -"
];
age.secrets."fae-rclone.conf.age" = {
file = "${flake.self}/secrets/fae-rclone.conf.age";
path = "/root/.config/rclone/rclone.conf";
mode = "400";
};
age.secrets."restic-password.age" = {
file = "${flake.self}/secrets/restic-password.age";
mode = "400";
};
services.restic.backups = {
paperless = {
paths = [ backupDir ];
timerConfig = {
OnCalendar = "*-*-* 01:00:00 Etc/UTC";
};
initialize = true;
passwordFile = config.age.secrets."restic-password.age".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/Backups/Paperless";
backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";
rcloneConfigFile = config.age.secrets."fae-rclone.conf.age".path;
};
};
}

View file

@ -1,37 +0,0 @@
{
flake,
config,
pkgs,
lib,
...
}:
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
age.secrets.vikunja-secret-env = {
file = "${flake.self}/secrets/vikunja-secret-env.age";
mode = "400";
owner = "vikunja";
};
security.acme.certs = {
"viku.faenix.eu" = { };
};
services.nginx.virtualHosts = {
"viku.faenix.eu" = {
forceSSL = true;
useACMEHost = "viku.faenix.eu";
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.vikunja.port}";
};
};
services.vikunja = {
enable = true;
frontendScheme = "https";
frontendHostname = "viku.faenix.eu";
environmentFiles = [ config.age.secrets."vikunja-secret-env".path ];
};
}

View file

@ -1,8 +0,0 @@
{ pkgs, lib, ... }:
{
pub-solar.core.disk-encryption-active = false;
isoImage.squashfsCompression = "gzip -Xcompression-level 1";
systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
networking.networkmanager.enable = false;
nixpkgs.hostPlatform = "x86_64-linux";
}

View file

@ -0,0 +1,23 @@
{config, ...}: {
# Changing the Caddyfile should only trigger a reload, not a restart
systemd.services.caddy.reloadTriggers = [
config.services.caddy.configFile
];
services.caddy = {
enable = true;
email = "wg-tooling@list.momo.koeln";
virtualHosts = {
"auth.momo.koeln" = {
logFormat = ''
output discard
'';
extraConfig = ''
reverse_proxy :8080
'';
};
};
};
networking.firewall.allowedTCPPorts = [80 443];
}

View file

@ -0,0 +1,44 @@
{
config,
latestModulesPath,
lib,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./caddy.nix
./keycloak.nix
./erpnext.nix
"${latestModulesPath}/services/web-servers/caddy/default.nix"
];
disabledModules = [
"services/web-servers/caddy/default.nix"
];
pub-solar.core.lite = true;
time.timeZone = "Europe/Berlin";
networking = {
useDHCP = false;
interfaces.enp1s0.ipv4.addresses = [
{
address = "80.244.242.4";
prefixLength = 29;
}
];
defaultGateway = "80.244.242.1";
nameservers = ["95.129.51.51" "80.244.244.244"];
};
# Enable the OpenSSH daemon.
services.openssh.enable = true;
system.stateVersion = "22.05";
}

View file

@ -0,0 +1,7 @@
{suites, ...}: {
imports =
[
./pioneer-momo-koeln.nix
]
++ suites.pioneer-momo-koeln;
}

View file

@ -0,0 +1,38 @@
{
config,
lib,
inputs,
pkgs,
self,
...
}: {
age.secrets.erpnext-admin-password = {
file = "${self}/secrets/erpnext-admin-password.age";
mode = "700";
owner = "erpnext";
};
age.secrets.erpnext-db-root-password = {
file = "${self}/secrets/erpnext-db-root-password.age";
mode = "700";
owner = "erpnext";
};
age.secrets.erpnext-db-user-password = {
file = "${self}/secrets/erpnext-db-user-password.age";
mode = "700";
owner = "erpnext";
};
# erpnext
services.erpnext = {
enable = true;
domain = "erp.momo.koeln";
# Secrets
adminPasswordFile = config.age.secrets.erpnext-admin-password.path;
database.rootPasswordFile = config.age.secrets.erpnext-db-root-password.path;
database.userPasswordFile = config.age.secrets.erpnext-db-user-password.path;
# Required to enable caddy
caddy = {};
};
}

View file

@ -0,0 +1,54 @@
{
config,
pkgs,
lib,
...
}: {
# Use the GRUB 2 boot loader.
boot.loader.systemd-boot.enable = false;
boot.loader.grub.enable = true;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" "dm-snapshot" "kvm-intel" "virtio_scsi" "uas"];
boot.extraModulePackages = [];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/531ee357-5777-498f-abbf-64bb4cff9a14";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/f5b3152a-a3bd-46d1-968f-53d50fca921e";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/1fd053f8-725b-418d-aed1-aee71dac2b62";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-uuid/967d1933-131d-4b56-8aa9-15c11ff940c9";}
];
networking = {
defaultGateway = "80.244.242.1";
nameservers = ["95.129.51.51" "80.244.244.244"];
interfaces."enp1s0" = {
ipv4.addresses = [
{
address = "80.244.242.4";
prefixLength = 29;
}
];
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View file

@ -0,0 +1,25 @@
{
config,
lib,
inputs,
pkgs,
self,
...
}: {
age.secrets.keycloak-database-password = {
file = "${self}/secrets/keycloak-database-password.age";
mode = "700";
};
# keycloak
services.keycloak = {
enable = true;
database.passwordFile = config.age.secrets.keycloak-database-password.path;
settings = {
hostname = "auth.momo.koeln";
http-host = "127.0.0.1";
http-port = 8080;
proxy = "edge";
};
};
}

View file

@ -0,0 +1,14 @@
{
config,
pkgs,
lib,
...
}:
with lib;
with pkgs; let
psCfg = config.pub-solar;
in {
imports = [
./configuration.nix
];
}

View file

@ -1,4 +0,0 @@
{ ... }:
{
imports = [ ./powder.nix ];
}

View file

@ -1,50 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ ];
boot.initrd.availableKernelModules = [
"ahci"
"virtio_pci"
"xhci_pci"
"sr_mod"
"virtio_blk"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
autoResize = true;
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
fileSystems."/data" = {
device = "/dev/disk/by-label/ephemeral0";
fsType = "ext4";
options = [
"defaults"
"nofail"
];
};
swapDevices = [ ];
networking.useDHCP = lib.mkDefault false;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View file

@ -1,87 +0,0 @@
{
config,
inputs,
lib,
pkgs,
profiles,
...
}:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
profiles.users.root # make sure to configure ssh keys
profiles.users.pub-solar
profiles.base-user
];
config = {
pub-solar.core.iso-options.enable = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Force getting the hostname from cloud-init
networking.hostName = lib.mkDefault "";
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# Select internationalisation properties.
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
git
vim
wget
caddy
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
services.cloud-init.enable = true;
services.cloud-init.ext4.enable = true;
services.cloud-init.network.enable = true;
# use the default NixOS cloud-init config, but add some SmartOS customization to it
environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
datasource_list: [ SmartOS ]
# Do not create the centos/ubuntu/debian user
users: [ ]
# mount second disk with label ephemeral0, gets formated by cloud-init
# this will fail to get added to /etc/fstab as it's read-only, but should
# mount at boot anyway
mounts:
- [ vdb, /data, auto, "defaults,nofail" ]
'';
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Triton manages firewall rules via the triton fwrule subcommand
networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
};
}

View file

@ -1,6 +0,0 @@
# Autostart applications
#
# Example:
# exec swayidle
exec qMasterPassword

View file

@ -1,3 +0,0 @@
# switch keyboard input language
#bindsym $mod+tab exec swaymsg input "1118:1896:Microsoft_Microsoft___SiderWinderTM_X4_Keyboard_Consumer_Control" xkb_switch_layout next
bindsym $mod+tab exec swaymsg input "7504:24868:Ultimate_Gadget_Laboratories_UHK_60_v2" xkb_switch_layout next

View file

@ -1,33 +0,0 @@
### Input configuration
#
# You can get the names of your inputs by running: swaymsg -t get_inputs
# Read `man 5 sway-input` for more information about this section.
input "type:keyboard" {
xkb_layout us(intl),de
xkb_options ctrl:nocaps
}
input "type:touchpad" {
natural_scroll enabled
}
# Touchpad controls
#bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%"
bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%"
# Pulse Audio controls
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"

View file

@ -1,33 +0,0 @@
### Output configuration
#
# Example configuration:
#
# output HDMI-A-1 resolution 1920x1080 position 1920,0
#
# You can get the names of your outputs by running: swaymsg -t get_outputs
set $main_screen HDMI-A-1
output $main_screen scale 1
#bindswitch lid:on output $main_screen disable
#bindswitch lid:off output $main_screen enable
bindsym $mod+Shift+x output $main_screen toggle
# TODO when using more monitors
## Manual management of external displays
# Set the shortcuts and what they do
#set $mode_display HDMI (i) top, (j) left, (k) bottom, (l) right, (o) off
#mode "$mode_display" {
# bindsym i output HDMI-A-1 enable; output HDMI-A-1 pos 0 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 1080, mode "default"
# bindsym j output HDMI-A-1 enable; output HDMI-A-1 pos 0 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 1920 0, mode "default"
# bindsym k output HDMI-A-1 enable; output HDMI-A-1 pos 0 900 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 0, mode "default"
# bindsym l output HDMI-A-1 enable; output HDMI-A-1 pos 1440 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 0, mode "default"
# bindsym o output HDMI-A-1 disable, mode "default"
#
# # back to normal: Enter or Escape
# bindsym Return mode "default"
# bindsym Escape mode "default"
#}
## Declare here the shortcut to bring the display selection menu
#bindsym $mod+x mode "$mode_display"

View file

@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./ryzensun.nix
./hardware-configuration.nix
./networking.nix
];
}

View file

@ -1,41 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/bad2e49e-c8e7-4516-a6f8-77db999d12b0";
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/ef6c5bb0-0bcf-4af4-bbc9-02c849999e54";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2C62-C8B5";
fsType = "vfat";
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

View file

@ -1,175 +0,0 @@
{
networking = {
hosts = {
"10.0.0.42" = [
"nomad.service.consul"
"nomad.service.cgn-1.consul"
];
"10.0.0.66" = [ "consul.service.cgn-1.consul" ];
"10.0.1.9" = [ "consul.service.lev-1.consul" ];
"10.0.0.70" = [
"vault.service.consul"
"vault.service.cgn-1.consul"
];
"10.0.0.200" = [ "headnode.cgn-1" ];
"10.0.0.201" = [ "cn01.cgn-1" ];
"10.0.0.202" = [ "cn02.cgn-1" ];
"10.0.0.205" = [ "cn05.cgn-1" ];
"10.0.0.206" = [ "cn06.cgn-1" ];
"10.0.0.207" = [ "cn07.cgn-1" ];
"10.0.0.208" = [ "cn08.cgn-1" ];
"10.0.1.200" = [ "headnode.lev-1" ];
"10.0.1.201" = [ "cn01.lev-1" ];
"10.0.1.202" = [ "cn02.lev-1" ];
"10.0.1.203" = [ "cn03.lev-1" ];
"10.0.1.204" = [ "cn04.lev-1" ];
"10.0.1.205" = [ "cn05.lev-1" ];
"10.0.1.206" = [ "cn00.lev-1" ];
"10.0.1.207" = [ "cn06.lev-1" ];
"10.0.1.208" = [ "cn07.lev-1" ];
};
interfaces.enp4s0.wakeOnLan.enable = true;
wireguard.enable = true;
wg-quick.interfaces = {
wg0 = {
address = [ "10.8.8.7/32" ];
privateKeyFile = "/etc/wireguard/wg0.privatekey";
peers = [
{
publicKey = "l0DJLicCrcrixNP6zAWTXNSEaNM2jML253BXEZ1KpiU=";
allowedIPs = [
"10.8.8.16/32"
"10.0.0.0/24"
"10.88.88.0/24"
];
endpoint = "85.88.23.16:51820";
persistentKeepalive = 25;
}
];
};
wg1 = {
address = [ "10.11.11.6/32" ];
privateKeyFile = "/etc/wireguard/wg1.privatekey";
mtu = 1300;
peers = [
{
publicKey = "7RRgfZSneqAtAHBeI6+aaYLqz9e1jikg/lIK8mhW928=";
presharedKeyFile = "/etc/wireguard/wg1.presharedkey";
allowedIPs = [
"10.11.11.0/24"
"192.168.1.0/24"
"10.0.1.0/24"
];
endpoint = "80.71.153.1:51820";
#persistentKeepalive = 16;
}
];
};
wg2 = {
address = [ "10.7.6.204/32" ];
privateKeyFile = "/etc/wireguard/wg2.privatekey";
peers = [
{
# nachtigall.pub.solar
publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
allowedIPs = [
"10.7.6.1/32"
"fd00:fae:fae:fae:fae:1::/96"
];
#endpoint = "138.201.80.102:51820";
endpoint = "[2a01:4f8:172:1c25::1]:51820";
persistentKeepalive = 15;
}
{
# metronom.pub.solar
publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
allowedIPs = [
"10.7.6.3/32"
"fd00:fae:fae:fae:fae:3::/96"
];
endpoint = "49.13.236.167:51820";
#endpoint = "[2a01:4f8:c2c:7082::]:51820";
persistentKeepalive = 15;
}
{
# tankstelle.pub.solar
publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg=";
allowedIPs = [
"10.7.6.4/32"
"fd00:fae:fae:fae:fae:4::/96"
];
#endpoint = "80.244.242.5:51820";
endpoint = "[2001:4d88:1ffa:26::5]:51820";
persistentKeepalive = 15;
}
{
# trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
allowedIPs = [
"10.7.6.5/32"
"fd00:fae:fae:fae:fae:5::/96"
];
#endpoint = "85.215.152.22:51820";
endpoint = "[2a01:239:35d:f500::1]:51820";
persistentKeepalive = 15;
}
{
# delite.pub.solar
publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k=";
allowedIPs = [
"10.7.6.6/32"
"fd00:fae:fae:fae:fae:6::/96"
];
#endpoint = "80.244.242.5:51820";
endpoint = "[2a04:52c0:124:9d8c::2]:51820";
persistentKeepalive = 15;
}
{
# blue-shell.pub.solar
publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8=";
allowedIPs = [
"10.7.6.7/32"
"fd00:fae:fae:fae:fae:7::/96"
];
#endpoint = "80.244.242.5:51820";
endpoint = "[2a03:4000:43:24e::1]:51820";
persistentKeepalive = 15;
}
];
};
#wg1 = {
# address = [ "10.13.0.1/32" ];
# privateKeyFile = "/etc/wireguard/wg1.privatekey";
# mtu = 1412;
# peers = [
# {
# publicKey = "XS3TTIMU7Jp3JJANBpE14RsVDJk6/VUvZgjQgQP8kAs=";
# allowedIPs = [ "10.13.0.100/32" "192.168.188.0/24" ];
# endpoint = "[2a00:6020:48ad:dd00:dea6:32ff:fe85:3306]:51820";
# persistentKeepalive = 25;
# }
# ];
#};
#wg2 = {
# address = [ "10.6.6.4/32" ];
# privateKeyFile = "/etc/wireguard/wg2.privatekey";
# peers = [
# {
# publicKey = "nYMmaCIW8lZ7SokivN8HXxYDch+SS1G7ab1SC9meDAw=";
# presharedKeyFile = "/etc/wireguard/wg2.presharedkey";
# allowedIPs = [ "10.6.6.1/32" "10.1.1.0/24" ];
# endpoint = "85.88.23.127:51820";
# persistentKeepalive = 16;
# }
# ];
#};
};
};
}

View file

@ -1,88 +0,0 @@
{
config,
pkgs,
lib,
flake,
...
}:
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
config = {
age.secrets.docker-ci-runner-secrets = {
file = "${flake.self}/secrets/docker-ci-runner-secrets.age";
mode = "600";
owner = "999";
};
pub-solar.terminal-life.full = true;
#pub-solar.docker-ci-runner = {
# enable = false;
# runnerEnvironment = {
# DRONE_RUNNER_CAPACITY = "1";
# DRONE_RUNNER_LABELS = "hosttype:baremetal";
# };
# runnerVarsFile = config.age.secrets.docker-ci-runner-secrets.path;
#};
boot.kernelParams = [ "amd_pstate=active" ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# Required for WakeOnLan
boot.initrd = {
availableKernelModules = [ "r8169" ];
network = {
enable = true;
udhcpc.enable = true;
flushBeforeStage2 = true;
ssh = {
enable = true;
# To prevent ssh clients from freaking out because a different host key is used,
# a different port for ssh is useful (assuming the same host has also a regular sshd running)
port = 2222;
# Please create this manually the first time.
# sudo ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = psCfg.user.publicKeys;
};
postCommands = ''
# Automatically ask for the password on SSH login
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
'';
};
};
services.fstrim.enable = true;
services.tailscale.enable = true;
services.openssh = {
enable = true;
openFirewall = true;
allowSFTP = true;
};
networking.hostName = "ryzensun";
hardware.keyboard.uhk.enable = true;
hardware.cpu.amd.updateMicrocode = true;
home-manager.users."${psCfg.user.name}".xdg.configFile = {
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
"sway/config.d/autostart.conf".source = ./.config/sway/config.d/autostart.conf;
"sway/config.d/input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
"sway/config.d/screens.conf".source = ./.config/sway/config.d/screens.conf;
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
};
}

View file

@ -1,5 +0,0 @@
{ lib }:
hostnames: {
"127.0.0.1" = hostnames;
"::1" = hostnames;
}

View file

@ -1,21 +1,21 @@
let
lock = builtins.fromJSON (
builtins.readFile builtins.path {
path = ../../flake.lock;
name = "lockPath";
}
);
lock = builtins.fromJSON (builtins.readFile builtins.path {
path = ../../flake.lock;
name = "lockPath";
});
flake =
import
(fetchTarball {
(
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
})
{
src = builtins.path {
path = ../../.;
name = "projectRoot";
};
}
)
{
src = builtins.path {
path = ../../.;
name = "projectRoot";
};
};
in
flake
flake

View file

@ -1,5 +1,4 @@
{ ... }:
let
{...}: let
inherit (default.inputs.nixos) lib;
host = configs.${hostname} or configs.PubSolarOS;
@ -7,4 +6,4 @@ let
default = (import ../.).defaultNix;
hostname = lib.fileContents /etc/hostname;
in
host
host

View file

@ -1,20 +1,10 @@
{ lib, inputs, ... }:
{
# Configuration common to all Linux systems
flake = {
lib =
let
callLibs = file: import file { inherit lib; };
in
rec {
## Define your own library functions here!
#id = x: x;
## Or in files, containing functions that take {lib}
#foo = callLibs ./foo.nix;
## In configs, they can be used under "lib.our"
deploy = import ./deploy.nix { inherit inputs lib; };
addLocalHostname = callLibs ./add-local-hostname.nix;
};
};
}
{lib}:
lib.makeExtensible (self: let
callLibs = file: import file {lib = self;};
in rec {
## Define your own library functions here!
#id = x: x;
## Or in files, containing functions that take {lib}
#foo = callLibs ./foo.nix;
## In configs, they can be used under "lib.our"
})

View file

@ -1,80 +0,0 @@
/*
The contents of this file are adapted from digga
https://github.com/divnix/digga
Licensed under the MIT license
*/
{ lib, inputs }:
let
getFqdn =
c:
let
net = c.config.networking;
fqdn =
if (net ? domain) && (net.domain != null) then "${net.hostName}.${net.domain}" else net.hostName;
in
fqdn;
in
{
mkDeployNodes =
systemConfigurations: extraConfig:
/*
*
Synopsis: mkNodes _systemConfigurations_ _extraConfig_
Generate the `nodes` attribute expected by deploy-rs
where _systemConfigurations_ are `nodes`.
_systemConfigurations_ should take the form of a flake's
_nixosConfigurations_. Note that deploy-rs does not currently support
deploying to darwin hosts.
_extraConfig_, if specified, will be merged into each of the
nodes' configurations.
Example _systemConfigurations_ input:
```
{
hostname-1 = {
fastConnection = true;
sshOpts = [ "-p" "25" ];
};
hostname-2 = {
sshOpts = [ "-p" "19999" ];
sshUser = "root";
};
}
```
*
*/
lib.recursiveUpdate (lib.mapAttrs (_: c: {
hostname = getFqdn c;
profiles.system =
let
system = c.pkgs.system;
# Unmodified nixpkgs
pkgs = import inputs.nixpkgs { inherit system; };
# nixpkgs with deploy-rs overlay but force the nixpkgs package
deployPkgs = import inputs.nixpkgs {
inherit system;
overlays = [
inputs.deploy-rs.overlays.default
(self: super: {
deploy-rs = {
inherit (pkgs) deploy-rs;
lib = super.deploy-rs.lib;
};
})
];
};
in
{
user = "root";
path = deployPkgs.deploy-rs.lib.activate.nixos c;
};
}) systemConfigurations) extraConfig;
}

View file

@ -1,28 +0,0 @@
{
flake,
config,
pkgs,
lib,
...
}:
{
age.secrets."hosting-de-acme-secrets" = {
file = "${flake.self}/secrets/hosting-de-acme-secrets.age";
mode = "400";
owner = "acme";
};
security.acme = {
acceptTerms = true;
defaults = {
email = "jfw@miom.space";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsProvider = "hostingde";
dnsPropagationCheck = true;
environmentFile = config.age.secrets."hosting-de-acme-secrets".path;
group = "nginx";
webroot = null;
};
};
}

View file

@ -1,121 +0,0 @@
{
lib,
pkgs,
config,
...
}:
let
inherit (lib)
getExe
mkDefault
mkEnableOption
mkIf
mkOption
mkPackageOption
types
;
cfg = config.services.actual;
configFile = formatType.generate "config.json" cfg.settings;
dataDir = "/var/lib/actual";
formatType = pkgs.formats.json { };
in
{
options.services.actual = {
enable = mkEnableOption "actual, a privacy focused app for managing your finances";
package = mkPackageOption pkgs "actual-server" { };
openFirewall = mkOption {
default = false;
type = types.bool;
description = "Whether to open the firewall for the specified port.";
};
settings = mkOption {
default = { };
description = "Server settings, refer to (the documentation)[https://actualbudget.org/docs/config/] for available options.";
type = types.submodule {
freeformType = formatType.type;
options = {
hostname = mkOption {
type = types.str;
description = "The address to listen on";
default = "::";
};
port = mkOption {
type = types.port;
description = "The port to listen on";
default = 3000;
};
};
config = {
serverFiles = mkDefault "${dataDir}/server-files";
userFiles = mkDefault "${dataDir}/user-files";
dataDir = mkDefault dataDir;
};
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.port ];
systemd.services.actual = {
description = "Actual server, a local-first personal finance app";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment.ACTUAL_CONFIG_PATH = configFile;
serviceConfig = {
ExecStart = getExe cfg.package;
DynamicUser = true;
User = "actual";
Group = "actual";
StateDirectory = "actual";
WorkingDirectory = dataDir;
LimitNOFILE = "1048576";
PrivateTmp = true;
PrivateDevices = true;
StateDirectoryMode = "0700";
Restart = "always";
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
#MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@pkey"
];
UMask = "0077";
};
};
};
meta.maintainers = [
lib.maintainers.oddlama
lib.maintainers.patrickdag
];
}

View file

@ -1,16 +0,0 @@
{
lib,
config,
pkgs,
...
}:
let
psCfg = config.pub-solar;
in
{
programs.adb.enable = true;
users.users."${psCfg.user.name}" = {
extraGroups = [ "adbusers" ];
};
}

View file

@ -4,15 +4,24 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
users.users."${psCfg.user.name}" = {
extraGroups = [ "dialout" ];
packages = with pkgs; [
arduino
arduino-cli
];
cfg = config.pub-solar.devops;
in {
options.pub-solar.arduino = {
enable = mkEnableOption "Life with home automation";
};
config = mkIf cfg.enable {
users.users = pkgs.lib.setAttrByPath [psCfg.user.name] {
extraGroups = ["dialout"];
};
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
arduino
arduino-cli
];
};
};
}

View file

@ -4,52 +4,117 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.audio;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
users.users."${psCfg.user.name}" = {
extraGroups = [ "audio" ];
packages = with pkgs; [
# easyeffects, e.g. for microphone noise filtering
easyeffects
mu
pavucontrol
pa_applet
playerctl
# Needed for pactl cmd, until pw-cli is more mature (vol up/down hotkeys?)
pulseaudio
vimpc
];
in {
options.pub-solar.audio = {
enable = mkEnableOption "Life in highs and lows";
mopidy.enable = mkEnableOption "Life with mopidy";
spotify.enable = mkEnableOption "Life in DRM";
spotify.username = mkOption {
description = "Spotify login username or email";
type = types.str;
example = "yourname@example.com";
default = "";
};
bluetooth.enable = mkEnableOption "Life with bluetooth";
};
home-manager.users."${psCfg.user.name}" = {
xdg.configFile."vimpc/vimpcrc".source = ./.config/vimpc/vimpcrc;
systemd.user.services.easyeffects = import ./easyeffects.service.nix pkgs;
};
config = mkIf cfg.enable {
users.users = pkgs.lib.setAttrByPath [psCfg.user.name] {
extraGroups = ["audio"];
};
# rtkit is optional but recommended
security.rtkit.enable = true;
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages =
[
# easyeffects, e.g. for microphone noise filtering
easyeffects
mu
pavucontrol
pa_applet
playerctl
# Needed for pactl cmd, until pw-cli is more mature (vol up/down hotkeys?)
pulseaudio
vimpc
]
++ (
if cfg.spotify.enable
then [pkgs.spotify-tui]
else []
);
xdg.configFile."vimpc/vimpcrc".source = ./.config/vimpc/vimpcrc;
systemd.user.services.easyeffects = import ./easyeffects.service.nix pkgs;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-PipeWire#setting-sample-rates
extraConfig.pipewire = {
"10-clock-rate" = {
"context.properties" = {
default = {
"clock.rate" = 48000; # Pipewire default
"clock.allowed-rates" = [
44100
48000
];
services.spotifyd = mkIf cfg.spotify.enable {
enable = true;
settings = {
global = {
username = cfg.spotify.username;
password_cmd = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus ${pkgs.libsecret}/bin/secret-tool lookup spotify password";
bitrate = 320;
volume_normalisation = true;
no_audio_cache = false;
max_cache_size = 1000000000;
};
};
};
};
# rtkit is optional but recommended
security.rtkit.enable = true;
# Enable sound using pipewire-pulse, default config:
# https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/src/daemon/pipewire.conf.in
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
# Make pulseaudio listen on port 4713 for mopidy, extending the default
# config: https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/src/daemon/pipewire-pulse.conf.in
environment.etc = mkIf cfg.mopidy.enable {
"pipewire/pipewire-pulse.conf.d/99-custom.conf".text = ''
{
"context.modules": [
{
"name": "libpipewire-module-protocol-pulse",
"args": {
"server.address": ["unix:native", "tcp:4713"],
"vm.overrides": {
"pulse.min.quantum": "1024/48000"
}
}
}
]
}
'';
};
# Enable bluetooth
hardware.bluetooth = mkIf cfg.bluetooth.enable {
enable = true;
# Disable bluetooth on startup to save battery
powerOnBoot = false;
# Disable useless SIM Access Profile plugin
disabledPlugins = [
"sap"
];
settings = {
General = {
# Enables experimental features and interfaces.
# Makes BlueZ Battery Provider available
Experimental = true;
};
};
};
services.blueman.enable = mkIf cfg.bluetooth.enable true;
# Enable audio server & client
services.mopidy = mkIf cfg.mopidy.enable ((import ./mopidy.nix) pkgs);
};
}

18
modules/audio/mopidy.nix Normal file
View file

@ -0,0 +1,18 @@
pkgs: {
enable = true;
extensionPackages = with pkgs; [
mopidy-mpd
mopidy-soundcloud
mopidy-youtube
mopidy-local
mopidy-jellyfin
];
configuration = ''
[mpd]
hostname = ::
[audio]
output = pulsesink server=127.0.0.1:4713
'';
}

View file

@ -1,36 +0,0 @@
{
lib,
config,
pkgs,
...
}:
{
hardware.bluetooth = {
enable = true;
# Disable bluetooth on startup to save battery
powerOnBoot = false;
package = pkgs.bluez-experimental;
# Disable useless SIM Access Profile plugin
disabledPlugins = [ "sap" ];
settings = {
General = {
# Enables experimental features and interfaces.
# Makes BlueZ Battery Provider available
Experimental = true;
};
};
};
services.blueman.enable = true;
services.pipewire.wireplumber.configPackages = [
# https://pipewire.pages.freedesktop.org/wireplumber/daemon/configuration/bluetooth.html
(pkgs.writeTextDir "share/wireplumber/wireplumber.conf.d/10-bluez.conf" ''
monitor.bluez.properties = {
bluez5.enable-hw-volume = true
bluez5.enable-msbc = false
bluez5.enable-sbc-xq = true
bluez5.headset-roles = [ hsp_hs hsp_ag hfp_hf hfp_ag ]
}
'')
];
}

View file

@ -0,0 +1,45 @@
{
lib,
config,
pkgs,
self,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.ci-runner;
in {
options.pub-solar.ci-runner = {
enable = mkEnableOption "Enables a systemd service that runs drone-ci-runner";
};
config = mkIf cfg.enable {
systemd.user.services.ci-runner = {
enable = true;
description = "CI runner for the PubSolarOS repository that can run test VM instances with KVM.";
serviceConfig = {
Type = "simple";
Restart = "always";
};
path = [
pkgs.git
pkgs.nix
pkgs.libvirt
];
wantedBy = ["multi-user.target"];
after = ["network.target" "libvirtd.service"];
script = ''${pkgs.drone-runner-exec}/bin/drone-runner-exec daemon /run/agenix/drone-runner-exec-config'';
};
age.secrets."drone-runner-exec-config" = {
file = "${self}/secrets/drone-runner-exec-config";
mode = "700";
owner = psCfg.user.name;
};
};
}

View file

@ -4,21 +4,30 @@
lib,
...
}:
let
with lib; let
cfg = config.pub-solar.core;
in
{
options.pub-solar.core.disk-encryption-active = lib.mkOption {
type = lib.types.bool;
in {
options.pub-solar.core.iso-options.enable = mkOption {
type = types.bool;
default = false;
description = "Feature flag for iso builds";
};
options.pub-solar.core.disk-encryption-active = mkOption {
type = types.bool;
default = true;
description = "Whether it should be assumed that there is a cryptroot device";
};
config = {
boot = {
# Enable plymouth for better experience of booting
plymouth.enable = mkIf (!cfg.lite) (lib.mkDefault true);
# Mount / luks device in initrd
# Allow fstrim to work on it.
initrd = lib.mkIf cfg.disk-encryption-active {
# The ! makes this enabled by default
initrd = mkIf (!cfg.iso-options.enable && cfg.disk-encryption-active) {
luks.devices."cryptroot" = {
allowDiscards = true;
};
@ -27,10 +36,10 @@ in
loader.systemd-boot.enable = lib.mkDefault true;
# Use latest LTS linux kernel by default
kernelPackages = lib.mkDefault pkgs.linuxPackages_6_12;
kernelPackages = lib.mkDefault pkgs.linuxPackages_6_1;
# Support ntfs drives
supportedFilesystems = [ "ntfs" ];
supportedFilesystems = ["ntfs"];
};
};
}

View file

@ -1,35 +1,42 @@
{ config, lib, ... }:
let
cfg = config.pub-solar.core;
psCfg = config.pub-solar;
in
{
config,
lib,
...
}:
with lib; let
cfg = config.pub-solar.core;
in {
imports = [
./boot.nix
./hibernation.nix
./fonts.nix
./i18n.nix
./networking.nix
./nix.nix
./packages.nix
./services.nix
];
# Service that makes Out of Memory Killer more effective
services.earlyoom.enable = true;
services.logind.lidSwitch = "hibernate";
services.tor.settings = {
UseBridges = true;
options.pub-solar.core = {
lite = mkOption {
description = ''
Enable a lite edition of core with less default modules and a reduced package set.
'';
default = false;
type = types.bool;
};
};
# The options below are directly taken from or inspired by
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
config = {
pub-solar = {
audio.enable = mkIf (!cfg.lite) (mkDefault true);
crypto.enable = mkIf (!cfg.lite) (mkDefault true);
devops.enable = mkIf (!cfg.lite) (mkDefault true);
# Limit the use of sudo to the group wheel
security.sudo.execWheelOnly = true;
# Remove the complete default environment of packages like
# nano, perl and rsync
environment.defaultPackages = lib.mkForce [ ];
# fileSystems."/".options = [ "noexec" ];
terminal-life = {
enable = mkDefault true;
lite = cfg.lite;
};
};
};
}

14
modules/core/fonts.nix Normal file
View file

@ -0,0 +1,14 @@
{
config,
pkgs,
lib,
...
}: {
fonts = {
fonts = with pkgs; [powerline-fonts dejavu_fonts];
fontconfig.defaultFonts = {
monospace = ["DejaVu Sans Mono for Powerline"];
sansSerif = ["DejaVu Sans"];
};
};
}

View file

@ -4,11 +4,9 @@
lib,
...
}:
let
with lib; let
cfg = config.pub-solar.core.hibernation;
inherit (lib) mkOption types mkIf;
in
{
in {
options.pub-solar.core.hibernation = {
enable = mkOption {
type = types.bool;
@ -32,9 +30,7 @@ in
config = {
boot = mkIf cfg.enable {
resumeDevice = mkIf (cfg.resumeDevice != null) cfg.resumeDevice;
kernelParams = mkIf (cfg.resumeOffset != null) [
"resume_offset=${builtins.toString cfg.resumeOffset}"
];
kernelParams = mkIf (cfg.resumeOffset != null) ["resume_offset=${builtins.toString cfg.resumeOffset}"];
};
};
}

View file

@ -4,7 +4,7 @@
lib,
...
}:
{
with lib; {
config = {
# Set your time zone.
time.timeZone = "Europe/Berlin";
@ -15,11 +15,6 @@
};
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [
"C.UTF-8/UTF-8"
"en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8"
];
};
};
}

View file

@ -1,40 +1,85 @@
{
flake,
config,
pkgs,
lib,
...
}:
{
# disable NetworkManager and systemd-networkd -wait-online by default
systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;
with lib; let
cfg = config.pub-solar.core;
in {
options.pub-solar.core = {
enableCaddy = mkOption {
type = types.bool;
default = !cfg.lite;
};
enableHelp = mkOption {
type = types.bool;
default = !cfg.lite;
};
networking.networkmanager = {
# Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
enable = if config.programs.sway.enable then lib.mkDefault true else false;
# not as stable as wpa_supplicant yet, also more trouble with 5 GHz networks
#wifi.backend = "iwd";
binaryCaches = mkOption {
type = types.listOf types.str;
default = [];
description = "Binary caches to use.";
};
publicKeys = mkOption {
type = types.listOf types.str;
default = [];
description = "Public keys of binary caches.";
};
};
config = {
# disable NetworkManager and systemd-networkd -wait-online by default
systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;
networking.firewall.enable = true;
networking.networkmanager = {
# Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
enable = true;
wifi.backend = "iwd";
};
# For rage encryption, all hosts need a ssh key pair
services.openssh = {
enable = true;
allowSFTP = lib.mkDefault false;
networking.firewall.enable = true;
openFirewall = lib.mkDefault false;
# Customized binary caches list (with fallback to official binary cache)
nix.settings.substituters = cfg.binaryCaches;
nix.settings.trusted-public-keys = cfg.publicKeys;
settings.PasswordAuthentication = lib.mkDefault false;
settings.KbdInteractiveAuthentication = false;
# These entries get added to /etc/hosts
networking.hosts = {
"127.0.0.1" =
[]
++ lib.optionals cfg.enableCaddy ["caddy.local"]
++ lib.optionals config.pub-solar.printing.enable ["cups.local"]
++ lib.optionals cfg.enableHelp ["help.local"];
};
extraConfig = ''
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
# Caddy reverse proxy for local services like cups
services.caddy = {
enable = lib.mkDefault cfg.enableCaddy;
globalConfig = lib.mkDefault ''
default_bind 127.0.0.1
auto_https off
'';
extraConfig = lib.mkDefault (concatStringsSep "\n" [
(lib.optionalString
config.pub-solar.printing.enable
''
cups.local:80 {
request_header Host localhost:631
reverse_proxy unix//run/cups/cups.sock
}
'')
(lib.optionalString
cfg.enableHelp
''
help.local:80 {
root * ${pkgs.psos-docs}/lib/html
file_server
}
'')
]);
};
};
}

32
modules/core/nix.nix Normal file
View file

@ -0,0 +1,32 @@
{
config,
pkgs,
lib,
inputs,
...
}: {
nix = {
# Use default version alias for nix package
package = pkgs.nix;
gc.automatic = true;
optimise.automatic = true;
settings = {
# Improve nix store disk usage
auto-optimise-store = true;
# Prevents impurities in builds
sandbox = true;
# Give root and @wheel special privileges with nix
trusted-users = ["root" "@wheel"];
# Allow only group wheel to connect to the nix daemon
allowed-users = ["@wheel"];
};
# Generally useful nix option defaults
extraOptions = lib.mkForce ''
experimental-features = flakes nix-command
min-free = 536870912
keep-outputs = true
keep-derivations = true
fallback = true
'';
};
}

View file

@ -4,30 +4,76 @@
lib,
...
}:
let
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.core;
in
{
environment.systemPackages = with pkgs; [
# Core unix utility packages
coreutils-full
diffutils
dnsutils
exfat
file
findutils
inetutils
lsof
progress
pciutils
usbutils
in {
environment = {
systemPackages = with pkgs;
[
# Core unix utility packages
coreutils-full
dnsutils
inetutils
progress
pciutils
usbutils
gitMinimal
wget
openssl
openssh
curl
htop
btop
lsof
psmisc
file
btop
mtr
nmap
nload
];
# zippit
zip
unzip
# Modern modern utilities
p7zip
croc
jq
]
++ lib.optionals (!cfg.lite) [
mtr
gitFull
git-lfs
git-bug
xdg-utils
sysfsutils
renameutils
nfs-utils
moreutils
mailutils
keyutils
input-utils
elfutils
binutils
dateutils
diffutils
findutils
exfat
# Nix specific utilities
alejandra
niv
manix
nix-index
nix-tree
nixpkgs-review
# Build broken, python2.7-PyJWT-2.0.1.drv' failed
#nixops
psos
nvd
# Fun
neofetch
];
};
}

18
modules/core/services.nix Normal file
View file

@ -0,0 +1,18 @@
{
config,
pkgs,
lib,
...
}: {
# For rage encryption, all hosts need a ssh key pair
services.openssh = {
enable = true;
# If you don't want the host to have SSH actually opened up to the net,
# set `services.openssh.openFirewall` to false in your config.
openFirewall = lib.mkDefault true;
settings.PasswordAuthentication = lib.mkDefault false;
};
# Service that makes Out of Memory Killer more effective
services.earlyoom.enable = true;
}

View file

@ -4,29 +4,42 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
services.udev.packages = [ pkgs.yubikey-personalization ];
services.dbus.packages = [ pkgs.gcr ];
services.pcscd.enable = true;
cfg = config.pub-solar.crypto;
in {
options.pub-solar.crypto = {
enable = mkEnableOption "Life in private";
};
services.gnome.gnome-keyring.enable = true;
config = mkIf cfg.enable {
services.udev.packages = [pkgs.yubikey-personalization];
services.dbus.packages = [pkgs.gcr];
services.pcscd.enable = true;
users.users."${psCfg.user.name}".packages = with pkgs; [ libsecret ];
services.gnome.gnome-keyring.enable = true;
home-manager.users."${psCfg.user.name}" = {
systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs;
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs;
services.gpg-agent = {
enable = true;
pinentryPackage = lib.mkDefault pkgs.pinentry-gnome3;
verbose = true;
};
services.gpg-agent = {
enable = true;
pinentryFlavor = "gnome3";
verbose = true;
};
programs.gpg = {
enable = true;
};
programs.gpg = {
enable = true;
};
home.packages = [
gnome.seahorse
keepassxc
libsecret
qMasterPassword
restic
];
};
};
}

View file

@ -1,15 +1,15 @@
pkgs: {
Unit = {
Description = "Legacy polkit authentication agent for GNOME";
Documentation = [ "https://gitlab.freedesktop.org/polkit/polkit/" ];
BindsTo = [ "sway-session.target" ];
After = [ "sway-session.target" ];
Documentation = ["https://gitlab.freedesktop.org/polkit/polkit/"];
BindsTo = ["sway-session.target"];
After = ["sway-session.target"];
};
Service = {
Type = "simple";
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
};
Install = {
WantedBy = [ "sway-session.target" ];
WantedBy = ["sway-session.target"];
};
}

View file

@ -1,285 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.ddclient;
boolToStr = bool: if bool then "yes" else "no";
dataDir = "/var/lib/ddclient";
StateDirectory = builtins.baseNameOf dataDir;
RuntimeDirectory = StateDirectory;
usev4 = if cfg.usev4 != "" then "usev4=${cfg.usev4}" else "";
usev6 = if cfg.usev6 != "" then "usev6=${cfg.usev6}" else "";
configFile' = pkgs.writeText "ddclient.conf" ''
# This file can be used as a template for configFile or is automatically generated by Nix options.
use=no
${usev4}
${usev6}
cache=${dataDir}/ddclient.cache
foreground=yes
login=${cfg.username}
password=${
if cfg.protocol == "nsupdate" then
"/run/${RuntimeDirectory}/ddclient.key"
else
"@password_placeholder@"
}
protocol=${cfg.protocol}
${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
${lib.optionalString (cfg.zone != "") "zone=${cfg.zone}"}
ssl=${boolToStr cfg.ssl}
wildcard=yes
quiet=${boolToStr cfg.quiet}
verbose=${boolToStr cfg.verbose}
${cfg.extraConfig}
${lib.concatStringsSep "," cfg.domains}
'';
configFile = if (cfg.configFile != null) then cfg.configFile else configFile';
preStart = ''
install --mode=600 --owner=$USER ${configFile} /run/${RuntimeDirectory}/ddclient.conf
${lib.optionalString (cfg.configFile == null) (
if (cfg.protocol == "nsupdate") then
''
install --mode=600 --owner=$USER ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key
''
else if (cfg.passwordFile != null) then
''
"${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf"
''
else
''
sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf
''
)}
'';
in
with lib;
{
disabledModules = [ "services/networking/ddclient.nix" ];
imports = [
(mkChangedOptionModule
[
"services"
"ddclient"
"domain"
]
[
"services"
"ddclient"
"domains"
]
(
config:
let
value = getAttrFromPath [
"services"
"ddclient"
"domain"
] config;
in
if value != "" then [ value ] else [ ]
)
)
(mkRemovedOptionModule [
"services"
"ddclient"
"homeDir"
] "")
(mkRemovedOptionModule [
"services"
"ddclient"
"password"
] "Use services.ddclient.passwordFile instead.")
];
###### interface
options = {
services.ddclient = with lib.types; {
enable = mkOption {
default = false;
type = bool;
description = lib.mdDoc ''
Whether to synchronise your machine's IP address with a dynamic DNS provider (e.g. dyndns.org).
'';
};
package = mkOption {
type = package;
default = pkgs.ddclient;
defaultText = lib.literalExpression "pkgs.ddclient";
description = lib.mdDoc ''
The ddclient executable package run by the service.
'';
};
domains = mkOption {
default = [ "" ];
type = listOf str;
description = lib.mdDoc ''
Domain name(s) to synchronize.
'';
};
username = mkOption {
# For `nsupdate` username contains the path to the nsupdate executable
default = lib.optionalString (
config.services.ddclient.protocol == "nsupdate"
) "${pkgs.bind.dnsutils}/bin/nsupdate";
defaultText = "";
type = str;
description = lib.mdDoc ''
User name.
'';
};
passwordFile = mkOption {
default = null;
type = nullOr str;
description = lib.mdDoc ''
A file containing the password or a TSIG key in named format when using the nsupdate protocol.
'';
};
interval = mkOption {
default = "10min";
type = str;
description = lib.mdDoc ''
The interval at which to run the check and update.
See {command}`man 7 systemd.time` for the format.
'';
};
configFile = mkOption {
default = null;
type = nullOr path;
description = lib.mdDoc ''
Path to configuration file.
When set this overrides the generated configuration from module options.
'';
example = "/root/nixos/secrets/ddclient.conf";
};
protocol = mkOption {
default = "dyndns2";
type = str;
description = lib.mdDoc ''
Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols).
'';
};
server = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
Server address.
'';
};
ssl = mkOption {
default = true;
type = bool;
description = lib.mdDoc ''
Whether to use SSL/TLS to connect to dynamic DNS provider.
'';
};
quiet = mkOption {
default = false;
type = bool;
description = lib.mdDoc ''
Print no messages for unnecessary updates.
'';
};
script = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
script as required by some providers.
'';
};
usev4 = mkOption {
default = "webv4, webv4=checkip.dyndns.com/, webv4-skip='Current IP Address: '";
type = str;
description = lib.mdDoc ''
Method to determine the IP address to send to the dynamic DNS provider.
'';
};
usev6 = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
Method to determine the IP address to send to the dynamic DNS provider.
'';
};
verbose = mkOption {
default = false;
type = bool;
description = lib.mdDoc ''
Print verbose information.
'';
};
zone = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
zone as required by some providers.
'';
};
extraConfig = mkOption {
default = "";
type = lines;
description = lib.mdDoc ''
Extra configuration. Contents will be added verbatim to the configuration file.
::: {.note}
`daemon` should not be added here because it does not work great with the systemd-timer approach the service uses.
:::
'';
};
};
};
###### implementation
config = mkIf config.services.ddclient.enable {
systemd.services.ddclient = {
description = "Dynamic DNS Client";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartTriggers = optional (cfg.configFile != null) cfg.configFile;
serviceConfig = {
DynamicUser = true;
RuntimeDirectoryMode = "0700";
inherit RuntimeDirectory;
inherit StateDirectory;
Type = "oneshot";
ExecStartPre = "!${pkgs.writeShellScript "ddclient-prestart" preStart}";
ExecStart = "${lib.getBin cfg.package}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
};
};
systemd.timers.ddclient = {
description = "Run ddclient";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = cfg.interval;
OnUnitInactiveSec = cfg.interval;
};
};
};
}

View file

@ -1,43 +0,0 @@
{ self, inputs, ... }:
{
flake = {
nixosModules = rec {
acme = import ./acme;
actual = import ./actual;
audio = import ./audio;
bluetooth = import ./bluetooth;
core = import ./core;
crypto = import ./crypto;
desktop-extended = import ./desktop-extended;
docker = import ./docker;
#email = import ./email;
forgejo-actions-runner = import ./forgejo-actions-runner;
#gaming = import ./gaming;
graphical = import ./graphical;
invoiceplane = import ./invoiceplane;
nix = import ./nix;
nextcloud = import ./nextcloud;
office = import ./office;
printing = import ./printing;
terminal-life = import ./terminal-life;
user = import ./user;
virtualisation = import ./virtualisation;
#wireguard-client = import ./wireguard-client;
base.imports = [
self.nixosModules.home-manager
inputs.agenix.nixosModules.default
inputs.lix-module.nixosModules.default
self.nixosModules.overlays
self.nixosModules.core
self.nixosModules.crypto
self.nixosModules.nix
self.nixosModules.terminal-life
self.nixosModules.root
self.nixosModules.user
];
};
};
}

View file

@ -1,35 +0,0 @@
{ config, pkgs, ... }:
let
psCfg = config.pub-solar;
in
{
users.users."${psCfg.user.name}".packages = with pkgs; [
ungoogled-chromium
gimp
inkscape
tigervnc
nodejs_20
signal-desktop
tdesktop
element-desktop
];
fonts = {
packages = with pkgs; [
dejavu_fonts
fira-code
fira-code-symbols
#google-fonts
lato
montserrat
nerdfonts
noto-fonts
noto-fonts-cjk-sans
open-sans
powerline-fonts
source-sans-pro
];
};
}

View file

@ -0,0 +1,30 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.devops;
in {
options.pub-solar.devops = {
enable = mkEnableOption "Life automated";
};
config = mkIf cfg.enable {
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
drone-cli
nmap
pgcli
ansible
ansible-lint
restic
shellcheck
terraform
];
};
};
}

View file

@ -0,0 +1,114 @@
{
lib,
config,
pkgs,
self,
...
}:
with lib; let
bootstrap = pkgs.writeScript "bootstrap.sh" ''
#!/usr/bin/env bash
set -e
apt update
apt install --yes curl git sudo xz-utils
adduser --system --uid 999 build
chown build /nix
sudo -u build curl -L https://nixos.org/nix/install > install
sudo -u build sh install
echo "export PATH=/nix/var/nix/profiles/per-user/build/profile/bin:''$PATH" >> /etc/profile
mkdir /etc/nix
echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf
export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json"
mkdir -p $(dirname \\$nix_user_config_file)
echo '{"extra-experimental-features":{"nix-command flakes":true}}' > \\$nix_user_config_file
chown -R build /home/build/
curl -L https://github.com/drone-runners/drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz
sudo install -t /usr/local/bin drone-runner-exec
if [ ! -f /run/vars ]; then
exit 1
fi
cp -a /run/vars /run/runtime-vars
env | grep "DRONE" >> /run/runtime-vars
su - -s /bin/bash build sh -c "/usr/local/bin/drone-runner-exec daemon /run/runtime-vars"
'';
psCfg = config.pub-solar;
cfg = config.pub-solar.docker-ci-runner;
in {
options.pub-solar.docker-ci-runner = {
enable = lib.mkEnableOption "Enables a docker container running a drone exec runner as unprivileged user.";
enableKvm = lib.mkOption {
description = ''
Enable kvm support.
'';
default = true;
type = types.bool;
};
nixCacheLocation = lib.mkOption {
description = ''
Location of nix cache that is shared between builds
'';
default = "/var/lib/docker-ci-runner";
type = types.path;
};
runnerEnvironment = lib.mkOption {
description = ''
Additional environment vars added to the vars file on container runtime
'';
default = {};
};
runnerVarsFile = lib.mkOption {
description = ''
Location of vars file passed to drone runner
'';
type = types.path;
};
};
config = lib.mkIf cfg.enable {
virtualisation = {
docker = {
enable = true; # sadly podman is not supported rightnow
};
oci-containers = {
backend = "docker";
containers."drone-exec-runner" = {
image = "debian";
autoStart = true;
entrypoint = "bash";
cmd = ["/bootstrap.sh"];
volumes = [
"${cfg.runnerVarsFile}:/run/vars"
"${cfg.nixCacheLocation}:/nix"
"${bootstrap}:/bootstrap.sh"
];
environment = cfg.runnerEnvironment;
extraOptions = lib.mkIf cfg.enableKvm ["--device=/dev/kvm"];
};
};
};
# Fix container not stopping correctly and holding the system 120s upon
# shutdown / reboot
systemd.services.docker-drone-exec-runner.preStop = ''
docker stop drone-exec-runner
'';
};
}

View file

@ -4,15 +4,23 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
virtualisation.docker.enable = true;
users.users."${psCfg.user.name}" = {
extraGroups = [ "docker" ];
cfg = config.pub-solar.docker;
in {
options.pub-solar.docker = {
enable = mkEnableOption "Life in metal boxes";
};
environment.systemPackages = with pkgs; [ docker-compose ];
config = mkIf cfg.enable {
virtualisation.docker.enable = true;
users.users = with pkgs;
pkgs.lib.setAttrByPath [psCfg.user.name] {
extraGroups = ["docker"];
};
environment.systemPackages = with pkgs; [
docker-compose
];
};
}

View file

@ -4,58 +4,30 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
users.users."${psCfg.user.name}".packages = with pkgs; [
w3m
urlscan
neomutt
offlineimap
msmtp
mailto-mutt
];
cfg = config.pub-solar.email;
in {
options.pub-solar.email = {
enable = mkEnableOption "Life in headers";
};
home-manager.users."${psCfg.user.name}" = {
programs.offlineimap = {
enable = true;
pythonFile = builtins.readFile ./offlineimap.py;
};
config = mkIf cfg.enable {
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
w3m
urlscan
neomutt
offlineimap
msmtp
mailto-mutt
];
xdg.configFile."mutt/muttrc".source = ./.config/mutt/muttrc;
xdg.configFile."mutt/base16.muttrc".source = ./.config/mutt/base16.muttrc;
xdg.configFile."mutt/mailcap".source = ./.config/mutt/mailcap;
xdg.configFile."offlineimap/functions.py".source = ./.config/offlineimap/functions.py;
xdg.configFile."mutt/accounts.muttrc".text = ''
source ./hello@benjaminbaedorf.eu.muttrc
macro index <f1> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/hello@benjaminbaedorf.eu.muttrc<enter><change-folder>!<enter>'
macro index <f2> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/benjamin.baedorf@rwth-aachen.de.muttrc<enter><change-folder>!<enter>'
macro index <f3> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/byb@miom.space.muttrc<enter><change-folder>!<enter>'
macro index <f4> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/mail@b12f.io.muttrc<enter><change-folder>!<enter>'
macro index <f5> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/admins@pub.solar.muttrc<enter><change-folder>!<enter>'
macro index <f6> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/crew@pub.solar.muttrc<enter><change-folder>!<enter>'
'';
xdg.configFile."mutt/hello@benjaminbaedorf.eu.muttrc".source =
./.config/mutt + "/hello@benjaminbaedorf.eu.muttrc";
xdg.configFile."mutt/benjamin.baedorf@rwth-aachen.de.muttrc".source =
./.config/mutt + "/benjamin.baedorf@rwth-aachen.de.muttrc";
xdg.configFile."mutt/hello@benjaminbaedorf.eu.signature".source =
./.config/mutt + "/hello@benjaminbaedorf.eu.signature";
xdg.configFile."mutt/byb@miom.space.muttrc".source = ./.config/mutt + "/byb@miom.space.muttrc";
xdg.configFile."mutt/byb@miom.space.signature".source =
./.config/mutt + "/byb@miom.space.signature";
xdg.configFile."mutt/mail@b12f.io.muttrc".source = ./.config/mutt + "/mail@b12f.io.muttrc";
xdg.configFile."mutt/mail@b12f.io.signature".source = ./.config/mutt + "/mail@b12f.io.signature";
xdg.configFile."mutt/admins@pub.solar.muttrc".source = ./.config/mutt + "/admins@pub.solar.muttrc";
xdg.configFile."mutt/admins@pub.solar.signature".source =
./.config/mutt + "/admins@pub.solar.signature";
xdg.configFile."mutt/crew@pub.solar.muttrc".source = ./.config/mutt + "/crew@pub.solar.muttrc";
xdg.configFile."mutt/crew@pub.solar.signature".source =
./.config/mutt + "/crew@pub.solar.signature";
xdg.configFile."offlineimap/config".source = ./.config/offlineimap/config;
xdg.configFile."msmtp/config".source = ./.config/msmtp/config;
programs.offlineimap = {
enable = true;
pythonFile = builtins.readFile ./offlineimap.py;
};
};
};
}

View file

@ -1,58 +0,0 @@
{
config,
pkgs,
lib,
flake,
...
}:
let
hostname = config.networking.hostName;
in
{
age.secrets."forgejo-actions-runner-token.age" = {
file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
mode = "440";
};
# Trust docker bridge interface traffic
# Needed for the docker runner to communicate with the act_runner cache
networking.firewall.trustedInterfaces = [ "br-+" ];
users.users.gitea-runner = {
home = "/var/lib/gitea-runner/${hostname}";
useDefaultShell = true;
group = "gitea-runner";
# Required to interact with nix daemon
extraGroups = [ "wheel" ];
isSystemUser = true;
};
users.groups.gitea-runner = { };
systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ];
systemd.services."gitea-runner-${hostname}" = {
serviceConfig.DynamicUser = lib.mkForce false;
};
# forgejo actions runner
# https://forgejo.org/docs/latest/admin/actions/
# https://docs.gitea.com/usage/actions/quickstart
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances."${hostname}" = {
enable = true;
name = hostname;
url = "https://git.pub.solar";
tokenFile = config.age.secrets."forgejo-actions-runner-token.age".path;
labels = [
# provide a debian 12 bookworm base with Node.js for actions
"debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
# fake the ubuntu name, commonly used in actions examples
"ubuntu-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
# alpine with Node.js
"alpine-latest:docker://node:20-alpine"
];
};
};
}

View file

@ -4,17 +4,28 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
programs.steam.enable = true;
nixpkgs.config.packageOverrides = pkgs: { steam = pkgs.steam.override { }; };
cfg = config.pub-solar.gaming;
in {
options.pub-solar.gaming = {
enable = mkEnableOption "Life in shooters";
};
users.users."${psCfg.user.name}".packages = with pkgs; [
playonlinux
godot
obs-studio
obs-studio-plugins.wlrobs
];
config = mkIf cfg.enable {
programs.steam.enable = true;
nixpkgs.config.packageOverrides = pkgs: {
steam = pkgs.steam.override {};
};
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
playonlinux
godot
obs-studio
obs-studio-plugins.wlrobs
];
};
};
}

View file

@ -1,12 +0,0 @@
{
"positionX": "right",
"positionY": "top",
"timeout": 10,
"timeout-low": 5,
"timeout-critical": 0,
"notification-window-width": 500,
"keyboard-shortcuts": true,
"image-visibility": "always",
"transition-time": 200,
"hide-on-clear": false
}

View file

@ -1,149 +0,0 @@
/*
* vim: ft=less
*/
@define-color border-color rgb(7, 7, 7);
@define-color bg rgb(58, 58, 58);
@define-color bg-hover rgb(68, 68, 68);
@define-color bg-focus rgba(68, 68, 68, 0.6);
@define-color bg-selected rgb(0, 128, 255);
.notification-row {
outline: none;
}
.notification-row:focus,
.notification-row:hover {
background: @bg-focus;
}
.notification {
border-radius: 10px;
margin: 6px 12px;
box-shadow: 0px 2px 4px 2px rgba(0, 0, 0, 0.3);
padding: 0;
}
.notification-content {
background: transparent;
padding: 6px;
border-radius: 10px;
}
.close-button {
background: black;
color: white;
text-shadow: none;
padding: 0 2px;
box-shadow: 0px 2px 4px 2px rgba(0, 0, 0, 0.3);
border-radius: 100%;
}
.close-button:hover {
background: rgb(30, 30, 30);
transition: all 0.15s ease-in-out;
}
.notification-default-action,
.notification-action {
padding: 4px;
margin: 0;
box-shadow: none;
background: @bg;
border: 1px solid @border-color;
}
.notification-default-action:hover,
.notification-action:hover {
background: @bg-hover;
}
.notification-default-action {
border-radius: 10px;
}
/* When alternative actions are visible */
.notification-default-action:not(:only-child) {
border-bottom-left-radius: 0px;
border-bottom-right-radius: 0px;
}
.notification-action {
border-radius: 0px;
border-top: none;
border-right: none;
}
/* add bottom border radius to eliminate clipping */
.notification-action:first-child {
border-bottom-left-radius: 10px;
}
.notification-action:last-child {
border-bottom-right-radius: 10px;
border-right: 1px solid @border-color;
}
.image {
}
.body-image {
margin-top: 6px;
background-color: white;
border-radius: 10px;
}
.summary {
color: white;
text-shadow: none;
}
.time {
color: white;
text-shadow: none;
}
.body {
background: transparent;
color: white;
text-shadow: none;
}
.top-action-title {
color: white;
text-shadow: none;
}
.control-center-clear-all {
color: white;
text-shadow: none;
background: @bg;
border: 1px solid @border-color;
box-shadow: none;
border-radius: 10px;
}
.control-center-clear-all:hover {
background: @bg-hover;
}
.control-center-dnd {
border-radius: 10px;
background: @bg;
border: 1px solid @border-color;
box-shadow: none;
}
.control-center-dnd:checked {
background: @bg-selected;
}
.control-center-dnd slider {
background: @bg-hover;
}
.control-center {
background: rgba(0, 0, 0, 0.7);
}
.control-center-list {
background: transparent;
}
.floating-notifications {
background: transparent;
}

View file

@ -1,149 +0,0 @@
{
"layer": "top", // Waybar at top layer
// "position": "bottom", // Waybar position (top|bottom|left|right)
"height": 26, // Waybar height
"modules-left": ["sway/workspaces", "sway/mode"],
"modules-center": ["network"],
"modules-right": [
"sway/language",
"pulseaudio",
"idle_inhibitor",
"backlight",
"battery",
"clock",
"tray"
],
"sway/workspaces": {
"disable-scroll": true
},
"sway/mode": {
"tooltip": false,
"format": "{}"
},
"sway/window": {
"tooltip": false,
"max-length": 96
},
"sway/language": {
"format": "{}",
"max-length": 50
},
"tray": {
"icon-size": 21,
"spacing": 10
},
"clock": {
"tooltip-format": "<tt><small>{calendar}</small></tt>",
"format": "{:%H:%M} ",
//"format-alt": "{:%a %d. %h %H:%M} ",
//"on-scroll": {
// "calendar": 1
//}
"format-alt": "{:%A, %d. %B %Y %R} ",
"locale": "de_DE.UTF-8",
"smooth-scrolling-threshold": 1.0,
"calendar": {
"mode-mon-col" : 3,
"on-scroll": -1,
"on-click-right": "mode",
"format": {
"months": "<span color='#ffead3'><b>{}</b></span>",
"days": "<span color='#ecc6d9'><b>{}</b></span>",
"weekdays": "<span color='#ffcc66'><b>{}</b></span>",
"today": "<span color='#ff6699'><b><u>{}</u></b></span>"
},
},
"actions": {
"on-click-right": "mode",
"on-click-forward": "tz_up",
"on-click-backward": "tz_down",
"on-scroll-up": "shift_up",
"on-scroll-down": "shift_down"
}
},
"backlight": {
"device": "acpi_video0",
"format": "<span font='10'>{percent}%</span> {icon}",
"format-icons": ["", ""]
},
"cpu": {
"format": "{}% "
},
"memory": {
"format": "{}% "
},
"idle_inhibitor": {
"format": "{icon} ",
"format-icons": {
"activated": "",
"deactivated": ""
}
},
"battery": {
"tooltip": false,
"states": {
"critical": 25
},
//"full-at": 84,
"format": "{icon}<span font='10'> {capacity}%</span>",
"format-full": "{icon}",
"format-icons": ["", "", "", "", ""],
},
"network": {
"interval": 3,
"tooltip": true,
//"interface": "wlp4s0", // (Optional) To force the use of this interface   \uF2E7,
"format-wifi": "<span font='10'></span> \uf062 {bandwidthUpBits} | \uf063 {bandwidthDownBits}",
"format-ethernet": "<span font='10'></span> \uf062 {bandwidthUpBits} | \uf063 {bandwidthDownBits}",
"format-disconnected": "",
"tooltip-format-wifi": "{essid} ({signalStrength}%)  {ipaddr}",
"tooltip-format-ethernet": "{ifname}  {ipaddr}"
},
//\ue04f{volume}%
"pulseaudio": {
"tooltip": false,
"format": "<span font='10'>{volume}%</span> {icon}",
"format-bluetooth": "{volume}%<span font='10'> {icon}</span>",
"format-muted": "",
"on-click": "pavucontrol",
"format-alt": "{volume}% <span font='10'>{icon}</span>",
"format-icons": {
"headphones": "",
"handsfree": "",
"headset": "",
"phone": "",
"portable": "",
"car": "",
"default": ["","", ""]
}
},
"mpd": {
"format": "{artist} - {title} <span color=\"#999999\">[<span color=\"#ffffff\">{elapsedTime:%M:%S}</span> / {totalTime:%M:%S}]</span>",
"format-disconnected": "",
"format-stopped": "",
"interval": 1,
"state-icons": {
"paused": "",
"playing": ""
},
"tooltip-format": "MPD (connected)",
"tooltip-format-disconnected": "MPD (disconnected)"
},
"custom/notification": {
"tooltip": false,
"format": " {icon}",
"format-icons": {
"notification": "<span foreground='red'><sup></sup></span>",
"none": "",
"dnd-notification": "<span foreground='red'><sup></sup></span>",
"dnd-none": ""
},
"return-type": "json",
"exec-if": "which swaync-client",
"exec": "swaync-client -swb",
"on-click": "swaync-client -t -sw",
"on-click-right": "swaync-client -d -sw",
"escape": true
},
}

View file

@ -30,6 +30,9 @@
multiplier = 3;
};
# When true, bold text is drawn using the bright variant of colors.
draw_bold_text_with_bright_colors = true;
font = {
# The normal (roman) font face to use.
normal = {
@ -52,7 +55,7 @@
style = "Italic";
};
size = 12.0;
size = 16.0;
offset = {
x = 0;
@ -65,17 +68,7 @@
};
};
keyboard.bindings = [
{
key = "V";
mods = "Control|Super";
action = "Paste";
}
{
key = "C";
mods = "Control|Super";
action = "Copy";
}
key_bindings = [
{
key = "V";
mods = "Control|Alt";
@ -94,6 +87,16 @@
key = "Copy";
action = "Copy";
}
{
key = "Q";
mods = "Command";
action = "Quit";
}
{
key = "W";
mods = "Command";
action = "Quit";
}
{
key = "Insert";
mods = "Shift";
@ -159,9 +162,6 @@
# Base16 Burn 256 - alacritty color config
# Benjamin Bädorf
colors = {
# When true, bold text is drawn using the bright variant of colors.
draw_bold_text_with_bright_colors = true;
# Default colors
primary = {
background = "0x1a181a";

Binary file not shown.

Before

Width:  |  Height:  |  Size: 168 KiB

View file

@ -4,30 +4,47 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
tomlFormat = pkgs.formats.toml { };
sessionVariables = {
WLR_RENDERER = if psCfg.graphical.wayland.software-renderer.enable then "pixman" else "";
# Fix KeepassXC rendering issue
# https://github.com/void-linux/void-packages/issues/23517
QT_AUTO_SCREEN_SCALE_FACTOR = "0";
};
in
{
imports = [ ./sway ];
cfg = config.pub-solar.graphical;
yamlFormat = pkgs.formats.yaml {};
recursiveMerge = attrList: let
f = attrPath:
zipAttrsWith (
n: values:
if tail values == []
then head values
else if all isList values
then unique (concatLists values)
else if all isAttrs values
then f (attrPath ++ [n]) values
else last values
);
in
f [] attrList;
in {
options.pub-solar.graphical = {
wayland.software-renderer.enable = lib.mkOption {
type = lib.types.bool;
enable = mkEnableOption "Life in color";
alacritty = {
settings = mkOption {
type = yamlFormat.type;
default = {};
};
};
autologin.enable = mkOption {
type = types.bool;
default = true;
description = "Feature flag enabling autologin after boot.";
};
wayland.software-renderer.enable = mkOption {
type = types.bool;
default = false;
description = "Feature flag enabling wlroots software renderer, useful in VMs";
};
};
config = {
hardware.graphics.enable = true;
config = mkIf cfg.enable {
hardware.opengl.enable = true;
environment = {
systemPackages = with pkgs; [
gtk-engine-murrine
@ -39,21 +56,15 @@ in
glib
];
etc = {
"xdg/PubSolar.conf".text = ''
[Qt]
style=GTK+
'';
};
variables = sessionVariables;
};
services.getty = {
autologinUser = psCfg.user.name;
autologinOnce = true;
};
services.getty.autologinUser = mkIf cfg.autologin.enable (mkForce "${psCfg.user.name}");
qt = {
enable = true;
@ -61,105 +72,88 @@ in
style = "gtk2";
};
services.udev.packages = with pkgs; [ gnome-settings-daemon ];
# Required for running Gnome apps outside the Gnome DE, see https://nixos.wiki/wiki/GNOME#Running_GNOME_programs_outside_of_GNOME
programs.dconf.enable = true;
services.udev.packages = with pkgs; [gnome3.gnome-settings-daemon];
# Enable Sushi, a quick previewer for nautilus
services.gnome.sushi.enable = true;
# Enable GVfs, a userspace virtual filesystem
services.gvfs.enable = true;
services.yubikey-agent.enable = true;
fonts = {
packages = with pkgs; [
dejavu_fonts
powerline-fonts
tt2020
];
enableDefaultPackages = true;
fontconfig.enable = true;
fontconfig.defaultFonts = {
monospace = [ "DejaVu Sans Mono for Powerline" ];
sansSerif = [ "DejaVu Sans" ];
};
};
users.users."${psCfg.user.name}".packages = with pkgs; [
alacritty
firefox-wayland
flameshot
adwaita-icon-theme
eog
nautilus
seahorse
yelp
hicolor-icon-theme
keepassxc
qMasterPassword-wayland
libnotify
vlc
fonts.enableDefaultFonts = true;
fonts.fonts = with pkgs; [
fira-code
fira-code-symbols
google-fonts
lato
montserrat
nerdfonts
noto-fonts
noto-fonts-cjk
open-sans
powerline-fonts
source-sans-pro
];
home-manager.users."${psCfg.user.name}" = {
home.file."xinitrc".source = ./.xinitrc;
xdg.configFile."alacritty/alacritty.toml".source = tomlFormat.generate "alacritty.toml" (import ./alacritty.nix);
xdg.configFile."xmodmap".source = ./.config/xmodmap;
xdg.configFile."user-dirs.dirs".source = ./.config/user-dirs.dirs;
xdg.configFile."user-dirs.locale".source = ./.config/user-dirs.locale;
xdg.configFile."xsettingsd/xsettingsd.conf".source = ./.config/xsettingsd/xsettingsd.conf;
xdg.configFile."mako/config".source = ./.config/mako/config;
xdg.configFile."libinput-gestures.conf".source = ./.config/libinput-gestures.conf;
xdg.configFile."swaync/config.json".source = ./.config/swaync/config.json;
xdg.configFile."swaync/style.css".source = ./.config/swaync/style.css;
xdg.configFile."waybar/config".source = ./.config/waybar/config;
xdg.configFile."waybar/style.css".source = ./.config/waybar/style.css;
xdg.configFile."waybar/colorscheme.css".source = ./.config/waybar/colorscheme.css;
xdg.configFile."wallpaper.jpg".source = ./assets/wallpaper.jpg;
home-manager = with pkgs;
setAttrByPath ["users" psCfg.user.name] {
home.packages = [
alacritty
foot
ungoogled-chromium
firefox-wayland
# Required for running Gnome apps outside the Gnome DE, see
# https://nixos.wiki/wiki/GNOME#Running_GNOME_programs_outside_of_GNOME
dconf = {
enable = true;
settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
flameshot
libnotify
gnome.adwaita-icon-theme
gnome.eog
gnome.nautilus
gnome.yelp
hicolor-icon-theme
wine
toggle-kbd-layout
wcwd
vlc
gimp
];
xdg.configFile."alacritty/alacritty.yml" = {
source = yamlFormat.generate "alacritty.yml" (recursiveMerge [(import ./alacritty.nix) cfg.alacritty.settings]);
};
gtk = {
enable = true;
font.name = "Lato";
iconTheme = {
package = pkgs.papirus-icon-theme;
name = "Papirus-Adapta-Nokto-Maia";
};
theme = {
package = pkgs.matcha-gtk-theme;
name = "Matcha-dark-aliz";
};
gtk3.extraConfig = {
gtk-xft-antialias = "1";
gtk-xft-hinting = "1";
gtk-xft-hintstyle = "hintfull";
gtk-xft-rgba = "rgb";
gtk-application-prefer-dark-theme = "true";
};
};
# Fix KeepassXC rendering issue
# https://github.com/void-linux/void-packages/issues/23517
systemd.user.sessionVariables.QT_AUTO_SCREEN_SCALE_FACTOR = "0";
xresources.extraConfig = builtins.readFile ./.Xdefaults;
systemd.user.services.network-manager-applet = import ./network-manager-applet.service.nix pkgs;
};
gtk = {
enable = true;
font.name = "Lato";
iconTheme = {
package = pkgs.papirus-icon-theme;
name = "Papirus-Adapta-Nokto-Maia";
};
theme = {
package = pkgs.matcha-gtk-theme;
name = "Matcha-dark-aliz";
};
gtk3.extraConfig = {
gtk-xft-antialias = "1";
gtk-xft-hinting = "1";
gtk-xft-hintstyle = "hintfull";
gtk-xft-rgba = "rgb";
gtk-application-prefer-dark-theme = "true";
};
gtk4.extraConfig = {
gtk-xft-antialias = "1";
gtk-xft-hinting = "1";
gtk-xft-hintstyle = "hintfull";
gtk-xft-rgba = "rgb";
gtk-application-prefer-dark-theme = "true";
};
};
xresources.extraConfig = builtins.readFile ./.Xdefaults;
systemd.user.services.network-manager-applet = import ./network-manager-applet.service.nix pkgs;
home.sessionVariables = sessionVariables;
systemd.user.sessionVariables = sessionVariables;
};
};
}

View file

@ -1,15 +1,15 @@
pkgs: {
Unit = {
Description = "Network Manager applet";
BindsTo = [ "sway-session.target" ];
After = [ "sway-session.target" ];
Description = "Lightweight Wayland notification daemon";
BindsTo = ["sway-session.target"];
After = ["sway-session.target"];
# ConditionEnvironment requires systemd v247 to work correctly
ConditionEnvironment = [ "WAYLAND_DISPLAY" ];
ConditionEnvironment = ["WAYLAND_DISPLAY"];
};
Service = {
ExecStart = "${pkgs.networkmanagerapplet}/bin/nm-applet --sm-disable --indicator";
};
Install = {
WantedBy = [ "sway-session.target" ];
WantedBy = ["sway-session.target"];
};
}

View file

@ -1,39 +0,0 @@
{ pkgs, psCfg, ... }:
''
# Set shut down, restart and locking features
''
+ (
if psCfg.core.hibernation.enable then
''
set $mode_system (e)xit, (h)ibernate, (l)ock, (s)uspend, (r)eboot, (Shift+s)hutdown
''
else
''
set $mode_system (e)xit, (l)ock, (s)uspend, (r)eboot, (Shift+s)hutdown
''
)
+ ''
bindsym $mod+Ctrl+0 mode "$mode_system"
mode "$mode_system" {
bindsym e exec swaymsg exit, mode "default"
''
+ (
if psCfg.core.hibernation.enable then
''
bindsym h exec systemctl hibernate, mode "default"
''
else
""
)
+ ''
bindsym l exec ${pkgs.swaylock-bg}/bin/swaylock-bg, mode "default"
bindsym s exec systemctl suspend, mode "default"
bindsym r exec systemctl reboot, mode "default"
bindsym Shift+s exec systemctl poweroff, mode "default"
# exit system mode: "Enter" or "Escape"
bindsym Return mode "default"
bindsym Escape mode "default"
}
''

View file

@ -1,9 +0,0 @@
{ psCfg, pkgs }:
"
address=0.0.0.0
enable_auth=true
username=${psCfg.user.name}
password=testtest
private_key_file=/run/agenix/vnc-key.pem
certificate_file=/run/agenix/vnc-cert.pem
"

View file

@ -1,106 +0,0 @@
{
lib,
config,
pkgs,
flake,
...
}:
let
psCfg = config.pub-solar;
inherit (lib) mkIf mkOption types;
in
{
options.pub-solar.graphical = {
v4l2loopback.enable = mkOption {
type = types.bool;
default = false;
description = "WebCam streaming tool";
};
};
config = {
boot = mkIf psCfg.graphical.v4l2loopback.enable {
extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
kernelModules = [ "v4l2loopback" ];
extraModprobeConfig = ''
options v4l2loopback exclusive_caps=1 devices=3
'';
};
environment.systemPackages = mkIf psCfg.graphical.v4l2loopback.enable [
pkgs.linuxPackages.v4l2loopback
];
programs.sway.enable = true;
xdg.portal = {
enable = true;
wlr = {
enable = true;
settings = {
screencast = {
max_fps = 30;
chooser_type = "simple";
chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or";
};
};
};
extraPortals = with pkgs; [ xdg-desktop-portal-gtk ];
};
services.pipewire.enable = true;
users.users."${psCfg.user.name}".packages = with pkgs; [
sway
grim
kanshi
slurp
swaybg
swayidle
swaynotificationcenter
xwayland
libappindicator-gtk3
wl-clipboard
wl-mirror
wf-recorder
brightnessctl
gammastep
geoclue2
xsettingsd
ydotool
sway-launcher
record-screen
import-gtk-settings
# Unused on teutat3s hosts, see custom-keybindings.conf
#toggle-kbd-layout
s
wcwd
];
home-manager.users."${psCfg.user.name}" = {
programs.waybar.enable = true;
#programs.waybar.systemd.enable = true;
systemd.user.services.swaynotificationcenter = import ./swaynotificationcenter.service.nix pkgs;
systemd.user.services.sway = import ./sway.service.nix { inherit pkgs psCfg; };
systemd.user.services.swayidle = import ./swayidle.service.nix { inherit pkgs psCfg; };
systemd.user.services.xsettingsd = import ./xsettingsd.service.nix { inherit pkgs psCfg; };
systemd.user.services.waybar = import ./waybar.service.nix { inherit pkgs psCfg; };
systemd.user.targets.sway-session = import ./sway-session.target.nix { inherit pkgs psCfg; };
xdg.configFile."sway/config".text = import ./config/config.nix { inherit config pkgs; };
xdg.configFile."sway/config.d/colorscheme.conf".source = ./config/config.d/colorscheme.conf;
xdg.configFile."sway/config.d/theme.conf".source = ./config/config.d/theme.conf;
xdg.configFile."sway/config.d/gaps.conf".source = ./config/config.d/gaps.conf;
xdg.configFile."sway/config.d/custom-keybindings.conf".source = ./config/config.d/custom-keybindings.conf;
xdg.configFile."sway/config.d/mode_system.conf".text =
import ./config/config.d/mode_system.conf.nix
{ inherit pkgs psCfg; };
xdg.configFile."sway/config.d/applications.conf".source = ./config/config.d/applications.conf;
xdg.configFile."sway/config.d/systemd.conf".source = ./config/config.d/systemd.conf;
};
};
}

View file

@ -1,10 +0,0 @@
{ pkgs, ... }:
{
Unit = {
Description = "sway compositor session";
Documentation = [ "man:systemd.special(7)" ];
BindsTo = [ "graphical-session.target" ];
Wants = [ "graphical-session-pre.target" ];
After = [ "graphical-session-pre.target" ];
};
}

View file

@ -1,23 +0,0 @@
{ pkgs, psCfg, ... }:
{
Unit = {
Description = "Idle manager for Wayland";
Documentation = [ "man:swayidle(1)" ];
BindsTo = [ "graphical-session.target" ];
Wants = [ "graphical-session-pre.target" ];
After = [ "graphical-session-pre.target" ];
};
Service = {
Type = "simple";
ExecStart = ''
${pkgs.swayidle}/bin/swayidle -w \
timeout 300 '${pkgs.swaylock-bg}/bin/swaylock-bg' \
timeout 330 '${pkgs.sway}/bin/swaymsg "output * dpms off"' \
resume '${pkgs.sway}/bin/swaymsg "output * dpms on"' \
before-sleep '${pkgs.swaylock-bg}/bin/swaylock-bg'
'';
};
Install = {
WantedBy = [ "sway-session.target" ];
};
}

View file

@ -1,21 +0,0 @@
pkgs: {
Unit = {
Description = "Swaync notification daemon";
Documentation = "https://github.com/ErikReider/SwayNotificationCenter";
BindsTo = [ "sway-session.target" ];
After = [ "sway-session.target" ];
Requisite = [ "graphical-session.target" ];
# ConditionEnvironment requires systemd v247 to work correctly
ConditionEnvironment = [ "WAYLAND_DISPLAY" ];
};
Service = {
Type = "dbus";
BusName = "org.freedesktop.Notifications";
ExecStart = "${pkgs.swaynotificationcenter}/bin/swaync";
ExecReload = "${pkgs.swaynotificationcenter}/bin/swaync-client --reload-config ; ${pkgs.swaynotificationcenter}/bin/swaync-client --reload-css";
Restart = "on-failure";
};
Install = {
WantedBy = [ "sway-session.target" ];
};
}

View file

@ -1,11 +1,11 @@
{ config, ... }:
{
{config, ...}: {
home-manager.sharedModules = [
{
home.sessionVariables = {
inherit (config.environment.sessionVariables) NIX_PATH;
};
xdg.configFile."nix/registry.json".text = config.environment.etc."nix/registry.json".text;
xdg.configFile."nix/registry.json".text =
config.environment.etc."nix/registry.json".text;
}
];
}

View file

@ -1,481 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
inherit (lib)
any
attrValues
boolToString
concatMapStringsSep
concatStrings
concatStringsSep
escapeShellArg
flatten
isBool
isInt
isList
isString
literalExpression
mapAttrs'
mapAttrsToList
mkDefault
mkEnableOption
mkIf
mkMerge
mkOption
nameValuePair
optionalString
types
;
cfg = config.services.invoiceplane;
eachSite = cfg.sites;
user = "invoiceplane";
webserver = config.services.${cfg.webserver};
invoiceplane-config =
hostName: cfg:
pkgs.writeText "ipconfig.php" ''
IP_URL=http://${hostName}
ENABLE_DEBUG=false
DISABLE_SETUP=false
REMOVE_INDEXPHP=false
DB_HOSTNAME=${cfg.database.host}
DB_USERNAME=${cfg.database.user}
# NOTE: file_get_contents adds newline at the end of returned string
DB_PASSWORD=${
optionalString (
cfg.database.passwordFile != null
) "trim(file_get_contents('${cfg.database.passwordFile}'), \"\\r\\n\")"
}
DB_DATABASE=${cfg.database.name}
DB_PORT=${toString cfg.database.port}
SESS_EXPIRATION=864000
ENABLE_INVOICE_DELETION=false
DISABLE_READ_ONLY=false
ENCRYPTION_KEY=
ENCRYPTION_CIPHER=AES-256
SETUP_COMPLETED=false
REMOVE_INDEXPHP=true
'';
mkPhpValue =
v:
if isString v then
escapeShellArg v
# NOTE: If any value contains a , (comma) this will not get escaped
else if isList v && lib.strings.isConvertibleWithToString v then
escapeShellArg (concatMapStringsSep "," toString v)
else if isInt v then
toString v
else if isBool v then
boolToString v
else
abort "The Invoiceplane config value ${lib.generators.toPretty { } v} can not be encoded.";
extraConfig =
hostName: cfg:
let
settings = mapAttrsToList (k: v: "${k}=${mkPhpValue v}") cfg.settings;
in
pkgs.writeText "extraConfig.php" (concatStringsSep "\n" settings);
pkg =
hostName: cfg:
pkgs.stdenv.mkDerivation rec {
pname = "invoiceplane-${hostName}";
version = src.version;
src = pkgs.invoiceplane;
postPatch = ''
# Patch index.php file to load additional config file
substituteInPlace index.php \
--replace-fail "require('vendor/autoload.php');" "require('vendor/autoload.php'); \$dotenv = Dotenv\Dotenv::createImmutable(__DIR__, 'extraConfig.php'); \$dotenv->load();";
'';
installPhase = ''
mkdir -p $out
cp -r * $out/
# symlink uploads and log directories
rm -r $out/uploads $out/application/logs $out/vendor/mpdf/mpdf/tmp
ln -sf ${cfg.stateDir}/uploads $out/
ln -sf ${cfg.stateDir}/logs $out/application/
ln -sf ${cfg.stateDir}/tmp $out/vendor/mpdf/mpdf/
# symlink the InvoicePlane config
ln -s ${cfg.stateDir}/ipconfig.php $out/ipconfig.php
# symlink the extraConfig file
ln -s ${extraConfig hostName cfg} $out/extraConfig.php
# symlink additional templates
${concatMapStringsSep "\n" (
template: "cp -r ${template}/. $out/application/views/invoice_templates/pdf/"
) cfg.invoiceTemplates}
'';
};
siteOpts =
{ name, ... }:
{
options = {
enable = mkEnableOption "InvoicePlane web application";
stateDir = mkOption {
type = types.path;
default = "/var/lib/invoiceplane/${name}";
description = ''
This directory is used for uploads of attachments and cache.
The directory passed here is automatically created and permissions
adjusted as required.
'';
};
database = {
host = mkOption {
type = types.str;
default = "localhost";
description = "Database host address.";
};
port = mkOption {
type = types.port;
default = 3306;
description = "Database host port.";
};
name = mkOption {
type = types.str;
default = "invoiceplane";
description = "Database name.";
};
user = mkOption {
type = types.str;
default = "invoiceplane";
description = "Database user.";
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/invoiceplane-dbpassword";
description = ''
A file containing the password corresponding to
{option}`database.user`.
'';
};
createLocally = mkOption {
type = types.bool;
default = true;
description = "Create the database and database user locally.";
};
};
invoiceTemplates = mkOption {
type = types.listOf types.path;
default = [ ];
description = ''
List of path(s) to respective template(s) which are copied from the 'invoice_templates/pdf' directory.
::: {.note}
These templates need to be packaged before use, see example.
:::
'';
example = literalExpression ''
let
# Let's package an example template
template-vtdirektmarketing = pkgs.stdenv.mkDerivation {
name = "vtdirektmarketing";
# Download the template from a public repository
src = pkgs.fetchgit {
url = "https://git.project-insanity.org/onny/invoiceplane-vtdirektmarketing.git";
sha256 = "1hh0q7wzsh8v8x03i82p6qrgbxr4v5fb05xylyrpp975l8axyg2z";
};
sourceRoot = ".";
# Installing simply means copying template php file to the output directory
installPhase = ""
mkdir -p $out
cp invoiceplane-vtdirektmarketing/vtdirektmarketing.php $out/
"";
};
# And then pass this package to the template list like this:
in [ template-vtdirektmarketing ]
'';
};
poolConfig = mkOption {
type =
with types;
attrsOf (oneOf [
str
int
bool
]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
description = ''
Options for the InvoicePlane PHP pool. See the documentation on `php-fpm.conf`
for details on configuration directives.
'';
};
settings = mkOption {
type = types.attrsOf types.anything;
default = { };
description = ''
Structural InvoicePlane configuration. Refer to
<https://github.com/InvoicePlane/InvoicePlane/blob/master/ipconfig.php.example>
for details and supported values.
'';
example = literalExpression ''
{
SETUP_COMPLETED = true;
DISABLE_SETUP = true;
IP_URL = "https://invoice.example.com";
}
'';
};
cron = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable cron service which periodically runs Invoiceplane tasks.
Requires key taken from the administration page. Refer to
<https://wiki.invoiceplane.com/en/1.0/modules/recurring-invoices>
on how to configure it.
'';
};
key = mkOption {
type = types.str;
description = "Cron key taken from the administration page.";
};
};
};
};
in
{
disabledModules = [ "services/web-apps/invoiceplane.nix" ];
# interface
options = {
services.invoiceplane = mkOption {
type = types.submodule {
options.sites = mkOption {
type = types.attrsOf (types.submodule siteOpts);
default = { };
description = "Specification of one or more WordPress sites to serve";
};
options.webserver = mkOption {
type = types.enum [
"caddy"
"nginx"
];
default = "caddy";
example = "nginx";
description = ''
Which webserver to use for virtual host management.
'';
};
};
default = { };
description = "InvoicePlane configuration.";
};
};
# implementation
config = mkIf (eachSite != { }) (mkMerge [
{
assertions = flatten (
mapAttrsToList (hostName: cfg: [
{
assertion = cfg.database.createLocally -> cfg.database.user == user;
message = ''services.invoiceplane.sites."${hostName}".database.user must be ${user} if the database is to be automatically provisioned'';
}
{
assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
message = ''services.invoiceplane.sites."${hostName}".database.passwordFile cannot be specified if services.invoiceplane.sites."${hostName}".database.createLocally is set to true.'';
}
{
assertion = cfg.cron.enable -> cfg.cron.key != null;
message = ''services.invoiceplane.sites."${hostName}".cron.key must be set in order to use cron service.'';
}
]) eachSite
);
services.mysql = mkIf (any (v: v.database.createLocally) (attrValues eachSite)) {
enable = true;
package = mkDefault pkgs.mariadb;
ensureDatabases = mapAttrsToList (hostName: cfg: cfg.database.name) eachSite;
ensureUsers = mapAttrsToList (hostName: cfg: {
name = cfg.database.user;
ensurePermissions = {
"${cfg.database.name}.*" = "ALL PRIVILEGES";
};
}) eachSite;
};
services.phpfpm = {
phpPackage = pkgs.php81;
pools = mapAttrs' (
hostName: cfg:
(nameValuePair "invoiceplane-${hostName}" {
inherit user;
group = webserver.group;
settings = {
"listen.owner" = webserver.user;
"listen.group" = webserver.group;
} // cfg.poolConfig;
})
) eachSite;
};
}
{
systemd.tmpfiles.rules = flatten (
mapAttrsToList (hostName: cfg: [
"d ${cfg.stateDir} 0750 ${user} ${webserver.group} - -"
"f ${cfg.stateDir}/ipconfig.php 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/logs 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/uploads 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/uploads/archive 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/uploads/customer_files 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/uploads/temp 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/uploads/temp/mpdf 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/tmp 0750 ${user} ${webserver.group} - -"
]) eachSite
);
systemd.services.invoiceplane-config = {
serviceConfig.Type = "oneshot";
script = concatStrings (
mapAttrsToList (hostName: cfg: ''
mkdir -p ${cfg.stateDir}/logs \
${cfg.stateDir}/uploads
if ! grep -q IP_URL "${cfg.stateDir}/ipconfig.php"; then
cp "${invoiceplane-config hostName cfg}" "${cfg.stateDir}/ipconfig.php"
fi
'') eachSite
);
wantedBy = [ "multi-user.target" ];
};
users.users.${user} = {
group = webserver.group;
isSystemUser = true;
};
}
{
# Cron service implementation
systemd.timers = mapAttrs' (
hostName: cfg:
(nameValuePair "invoiceplane-cron-${hostName}" (
mkIf cfg.cron.enable {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "5m";
OnUnitActiveSec = "5m";
Unit = "invoiceplane-cron-${hostName}.service";
};
}
))
) eachSite;
systemd.services = mapAttrs' (
hostName: cfg:
(nameValuePair "invoiceplane-cron-${hostName}" (
mkIf cfg.cron.enable {
serviceConfig = {
Type = "oneshot";
User = user;
ExecStart = "${pkgs.curl}/bin/curl --header 'Host: ${hostName}' http://localhost/invoices/cron/recur/${cfg.cron.key}";
};
}
))
) eachSite;
}
(mkIf (cfg.webserver == "caddy") {
services.caddy = {
enable = true;
virtualHosts = mapAttrs' (
hostName: cfg:
(nameValuePair "http://${hostName}" {
extraConfig = ''
root * ${pkg hostName cfg}
file_server
php_fastcgi unix/${config.services.phpfpm.pools."invoiceplane-${hostName}".socket}
'';
})
) eachSite;
};
})
(mkIf (cfg.webserver == "nginx") {
services.nginx = {
enable = true;
virtualHosts = mapAttrs' (
hostName: cfg:
(nameValuePair hostName {
root = pkg hostName cfg;
extraConfig = ''
index index.php index.html index.htm;
if (!-e $request_filename){
rewrite ^(.*)$ /index.php break;
}
'';
locations = {
"/setup".extraConfig =
let
scheme = if config.services.nginx.virtualHosts.${hostName}.forceSSL then "https" else "http";
in
''
rewrite ^(.*)$ ${scheme}://${hostName}/ redirect;
'';
"~ .php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools."invoiceplane-${hostName}".socket};
include ${config.services.nginx.package}/conf/fastcgi_params;
include ${config.services.nginx.package}/conf/fastcgi.conf;
'';
};
};
})
) eachSite;
};
})
]);
}

View file

@ -4,11 +4,18 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
home-manager.users."${psCfg.user.name}" = {
systemd.user.services.nextcloud-client = import ./nextcloud.service.nix pkgs;
cfg = config.pub-solar.nextcloud;
in {
options.pub-solar.nextcloud = {
enable = mkEnableOption "Life in sync";
};
config = mkIf cfg.enable {
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
systemd.user.services.nextcloud-client = import ./nextcloud.service.nix pkgs;
};
};
}

View file

@ -1,11 +1,11 @@
pkgs: {
Unit = {
Description = "Nextcloud Client";
BindsTo = [ "sway-session.target" ];
Wants = [ "graphical-session-pre.target" ];
After = [ "graphical-session-pre.target" ];
BindsTo = ["sway-session.target"];
Wants = ["graphical-session-pre.target"];
After = ["graphical-session-pre.target"];
# ConditionEnvironment requires systemd v247 to work correctly
ConditionEnvironment = [ "WAYLAND_DISPLAY" ];
ConditionEnvironment = ["WAYLAND_DISPLAY"];
};
Service = {
Type = "simple";
@ -15,6 +15,6 @@ pkgs: {
Restart = "on-failure";
};
Install = {
WantedBy = [ "sway-session.target" ];
WantedBy = ["sway-session.target"];
};
}

11
modules/nix-path.nix Normal file
View file

@ -0,0 +1,11 @@
{
channel,
inputs,
...
}: {
nix.nixPath = [
"nixpkgs=${channel.input}"
"nixos-config=${../lib/compat/nixos}"
"home-manager=${inputs.home}"
];
}

View file

@ -1,83 +0,0 @@
{
config,
pkgs,
lib,
flake,
...
}:
{
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"1password"
"1password-cli"
"brscan5"
"brscan5-etc-files"
"facetimehd-firmware"
"notion-app"
"slack"
"terraform"
"uhk-agent"
"uhk-udev-rules"
"veracrypt"
"zoom"
];
system.activationScripts.diff-closures = {
text = ''
if [[ -e /run/current-system ]]; then
${config.nix.package}/bin/nix store diff-closures \
/run/current-system "$systemConfig" \
--extra-experimental-features nix-command
fi
'';
supportsDryActivation = true;
};
nix = {
# Use lix (forked nix)
# now set globally using lix-module
#package = pkgs.lix;
gc.automatic = true;
optimise.automatic = true;
registry = {
nixpkgs.flake = flake.inputs.nixpkgs;
unstable.flake = flake.inputs.unstable;
system.flake = flake.self;
};
settings = {
# Improve nix store disk usage
auto-optimise-store = true;
# Prevents impurities in builds
sandbox = true;
# Give root and @wheel special privileges with nix
trusted-users = [
"root"
"@wheel"
];
# Allow only group wheel to connect to the nix daemon
allowed-users = [ "@wheel" ];
substituters = [ "https://pub-solar.cachix.org/" ];
trusted-public-keys = [ "pub-solar.cachix.org-1:ZicXIxKgdxMtgSJECWR8iihZxHRvu8ObL4n2cuBmtos=" ];
};
# Generally useful nix option defaults
extraOptions = lib.mkForce ''
experimental-features = flakes nix-command
min-free = 536870912
keep-outputs = true
keep-derivations = true
fallback = true
'';
nixPath = [
"nixpkgs=${flake.inputs.nixpkgs}"
"nixos-config=${../../lib/compat/nixos}"
"home-manager=${flake.inputs.home-manager}"
];
};
}

View file

@ -4,16 +4,29 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
users.users."${psCfg.user.name}".packages = with pkgs; [
libreoffice-fresh
simple-scan
# Tools like pdfunite
poppler_utils
# tool for annotating PDFs
xournalpp
];
cfg = config.pub-solar.office;
in {
options.pub-solar.office = {
enable = mkEnableOption "Install office programs, also enables printing server";
};
config = mkIf cfg.enable {
pub-solar.printing.enable = true;
# Gnome PDF viewer
programs.evince.enable = true;
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
libreoffice-fresh
gnome.simple-scan
# Tools like pdfunite
poppler_utils
# tool for annotating PDFs
xournalpp
];
};
};
}

View file

@ -0,0 +1,53 @@
{
config,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.paranoia;
in {
options.pub-solar.paranoia = {
enable = mkOption {
description = ''
Only offer hibernation instead of screen locking and sleeping. This only makes sense
if your hard drive is encrypted, and ensures that the contents of your drive are
encrypted if you are not actively using the device.
'';
default = false;
type = types.bool;
};
};
config = mkIf cfg.enable {
pub-solar.core.hibernation.enable = true;
services.logind.lidSwitch = "hibernate";
# The options below are directly taken from or inspired by
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
# Don't set this if you need sftp
services.openssh.allowSFTP = false;
services.openssh.openFirewall = false; # Lock yourself out
# Limit the use of sudo to the group wheel
security.sudo.execWheelOnly = true;
# Remove the complete default environment of packages like
# nano, perl and rsync
environment.defaultPackages = lib.mkForce [];
# fileSystems."/".options = [ "noexec" ];
services.openssh = {
kbdInteractiveAuthentication = false;
extraConfig = ''
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
};
};
}

Some files were not shown because too many files have changed in this diff Show more