

7 commits
main ... main

b12f c9b4b44b68
Merge pull request 'Update flake inputs' (#258) from main-update-flake-inputs into main
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: pub-solar/os#258
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-10-13 11:26:39 +02:00
teutat3s 2501d4a145
chore: update blesh in nvfetcher
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-10-09 21:11:31 +02:00
teutat3s 45edd17782
Update flake inputs
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
• Updated input 'latest':
    'github:nixos/nixpkgs/3a2786eea085f040a66ecde1bc3ddc7099f6dbeb' (2023-09-11)
  → 'github:nixos/nixpkgs/87828a0e03d1418e848d3dd3f3014a632e4a4f64' (2023-10-06)
• Updated input 'nixos':
    'github:nixos/nixpkgs/e5f018cf150e29aac26c61dac0790ea023c46b24' (2023-09-12)
  → 'github:nixos/nixpkgs/5a237aecb57296f67276ac9ab296a41c23981f56' (2023-10-07)
• Updated input 'darwin':
    'github:LnL7/nix-darwin/4496ab26628c5f43d2a5c577a06683c753e32fe2' (2023-09-12)
  → 'github:LnL7/nix-darwin/8b6ea26d5d2e8359d06278364f41fbc4b903b28a' (2023-10-03)
• Updated input 'deploy':
    'github:serokell/deploy-rs/31c32fb2959103a796e07bbe47e0a5e287c343a8' (2023-09-12)
  → 'github:serokell/deploy-rs/e3f41832680801d0ee9e2ed33eb63af398b090e9' (2023-09-18)
• Updated input 'home':
    'github:nix-community/home-manager/9787dffff5d315c9593d3f9fb0f9bf2097e1b57b' (2023-09-11)
  → 'github:nix-community/home-manager/07682fff75d41f18327a871088d20af2710d4744' (2023-09-19)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/3ccd87fcdae4732fe33773cefa4375c641a057e7' (2023-09-13)
  → 'github:nixos/nixos-hardware/bb2db418b616fea536b1be7f6ee72fb45c11afe0' (2023-10-06)
2023-10-09 19:15:11 +02:00
teutat3s 4a7b5f3bb2
Merge pull request 'Bump flake inputs in lock file' (#254) from feat/main-bump-flake-lock into main
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: pub-solar/os#254
2023-09-13 13:13:57 +02:00
teutat3s d83389b1dd
Use docker version 24
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-09-13 12:38:31 +02:00
teutat3s dfd80c0e95
Fix nvfetcher by using forked nixpkgs
See upstream issue: https://github.com/NixOS/nixpkgs/issues/249962
2023-09-13 12:38:12 +02:00
teutat3s 110e0aefad
Bump flake inputs in lock file
Some checks failed
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is failing
• Updated input 'latest':
    'github:nixos/nixpkgs/5df4d78d54f7a34e9ea1f84a22b4fd9baebc68d0' (2023-07-20)
  → 'github:nixos/nixpkgs/3a2786eea085f040a66ecde1bc3ddc7099f6dbeb' (2023-09-11)
• Updated input 'nixos':
    'github:nixos/nixpkgs/08700de174bc6235043cb4263b643b721d936bdb' (2023-07-18)
  → 'github:nixos/nixpkgs/e5f018cf150e29aac26c61dac0790ea023c46b24' (2023-09-12)
• Updated input 'darwin':
    'github:LnL7/nix-darwin/b06bab83bdf285ea0ae3c8e145a081eb95959047' (2023-07-02)
  → 'github:LnL7/nix-darwin/4496ab26628c5f43d2a5c577a06683c753e32fe2' (2023-09-12)
• Updated input 'deploy':
    'github:serokell/deploy-rs/724463b5a94daa810abfc64a4f87faef4e00f984' (2023-06-14)
  → 'github:serokell/deploy-rs/31c32fb2959103a796e07bbe47e0a5e287c343a8' (2023-09-12)
• Updated input 'home':
    'github:nix-community/home-manager/07c347bb50994691d7b0095f45ebd8838cf6bc38' (2023-06-27)
  → 'github:nix-community/home-manager/9787dffff5d315c9593d3f9fb0f9bf2097e1b57b' (2023-09-11)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/429f232fe1dc398c5afea19a51aad6931ee0fb89' (2023-06-15)
  → 'github:nixos/nixos-hardware/3ccd87fcdae4732fe33773cefa4375c641a057e7' (2023-09-13)
2023-09-13 12:12:25 +02:00
239 changed files with 3421 additions and 6769 deletions


@ -20,14 +20,6 @@ indent_style = unset
indent_size = unset
[{.*,secrets}/**]
end_of_line = false
insert_final_newline = false
trim_trailing_whitespace = unset
charset = unset
indent_style = unset
indent_size = unset
[*.rom]
end_of_line = unset
insert_final_newline = unset
trim_trailing_whitespace = unset


@ -1,4 +1,2 @@
# Formatted code using treefmt and alejandra
73bf158392a427d188b7aad36244b94506f57a15
# nixfmt-rfc-style
03e5a0ffdaab9b1331ab95ca3e730aaec1d7c151

.gitignore vendored

@ -4,7 +4,7 @@ doc/index.html
# Result of bud commands
vm
/iso
iso
doi
pkgs/_sources/.shake*
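Review bot: `iso` without a leading slash (the new line, if the old-then-new print order holds) ignores every file or directory named iso at any depth, whereas `/iso` only covered the top-level build output. If the repository ever gains a source directory called iso, new files under it will be invisible to `git status`, which is an easy way to lose an addition. Keeping the anchored form `/iso`, or `/iso/` if it is always a directory, avoids that without changing what is ignored today.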


@ -8,17 +8,28 @@ let
"x86_64-linux"
];
filterSystems = lib.filterAttrs (system: _: lib.elem system ciSystems);
filterSystems =
lib.filterAttrs
(system: _: lib.elem system ciSystems);
recurseIntoAttrsRecursive = lib.mapAttrs (
_: v: if lib.isAttrs v then recurseIntoAttrsRecursive (lib.recurseIntoAttrs v) else v
_: v:
if lib.isAttrs v
then recurseIntoAttrsRecursive (lib.recurseIntoAttrs v)
else v
);
systemOutputs = lib.filterAttrs (
name: set:
lib.isAttrs set && lib.any (system: set ? ${system} && name != "legacyPackages") ciSystems
) default.outputs;
systemOutputs =
lib.filterAttrs
(
name: set:
lib.isAttrs set
&& lib.any
(system: set ? ${system} && name != "legacyPackages")
ciSystems
)
default.outputs;
ciDrvs = lib.mapAttrs (_: system: filterSystems system) systemOutputs;
in
(recurseIntoAttrsRecursive ciDrvs) // { shell = import ./shell.nix; }
(recurseIntoAttrsRecursive ciDrvs) // {shell = import ./shell.nix;}


@ -3,22 +3,18 @@
"agenix": {
"inputs": {
"darwin": [
"nix-darwin"
],
"home-manager": [
"home-manager"
"darwin"
],
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
"nixos"
]
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"lastModified": 1682101079,
"narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
"type": "github"
},
"original": {
@ -27,22 +23,42 @@
"type": "github"
}
},
"deploy-rs": {
"darwin": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1696360011,
"narHash": "sha256-HpPv27qMuPou4acXcZ8Klm7Zt0Elv9dgDvSJaomWb9Y=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "8b6ea26d5d2e8359d06278364f41fbc4b903b28a",
"type": "github"
},
"original": {
"owner": "LnL7",
"repo": "nix-darwin",
"type": "github"
}
},
"deploy": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"nixpkgs": [
"nixpkgs"
"nixos"
],
"utils": "utils"
},
"locked": {
"lastModified": 1727447169,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
"lastModified": 1695052866,
"narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
"rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9",
"type": "github"
},
"original": {
@ -51,14 +67,76 @@
"type": "github"
}
},
"devshell": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"digga",
"nixpkgs"
]
},
"locked": {
"lastModified": 1671489820,
"narHash": "sha256-qoei5HDJ8psd1YUPD7DhbHdhLIT9L2nadscp4Qk37uk=",
"owner": "numtide",
"repo": "devshell",
"rev": "5aa3a8039c68b4bf869327446590f4cdf90bb634",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"digga": {
"inputs": {
"darwin": [
"darwin"
],
"deploy": [
"deploy"
],
"devshell": "devshell",
"flake-compat": [
"flake-compat"
],
"flake-utils": "flake-utils_2",
"flake-utils-plus": "flake-utils-plus",
"home-manager": [
"home"
],
"nixlib": [
"nixos"
],
"nixpkgs": [
"nixos"
],
"nixpkgs-unstable": "nixpkgs-unstable"
},
"locked": {
"lastModified": 1674947971,
"narHash": "sha256-6gKqegJHs72jnfFP9g2sihl4fIZgtKgKuqU2rCkIdGY=",
"owner": "pub-solar",
"repo": "digga",
"rev": "2da608bd8afb48afef82c6b1b6d852a36094a497",
"type": "github"
},
"original": {
"owner": "pub-solar",
"ref": "fix/bootstrap-iso",
"repo": "digga",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
@ -67,34 +145,13 @@
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"lastModified": 1642700792,
"narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"rev": "846b2ae0fc4cc943637d3d1def4454213e203cba",
"type": "github"
},
"original": {
@ -103,278 +160,87 @@
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
"narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
"owner": "lf-",
"repo": "flakey-profile",
"rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
"type": "github"
},
"original": {
"owner": "lf-",
"repo": "flakey-profile",
"type": "github"
}
},
"home-manager": {
"flake-utils-plus": {
"inputs": {
"nixpkgs": [
"nixpkgs"
"flake-utils": [
"digga",
"flake-utils"
]
},
"locked": {
"lastModified": 1734366194,
"narHash": "sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "80b0fdf483c5d1cb75aaad909bd390d48673857f",
"lastModified": 1654029967,
"narHash": "sha256-my3GQ3mQIw/1f6GPV1IhUZrcYQSWh0YJAMPNBjhXJDw=",
"owner": "gytis-ivaskevicius",
"repo": "flake-utils-plus",
"rev": "6271cf3842ff9c8a9af9e3508c547f86bc77d199",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.11",
"repo": "home-manager",
"owner": "gytis-ivaskevicius",
"ref": "refs/pull/120/head",
"repo": "flake-utils-plus",
"type": "github"
}
},
"invoiceplane-template": {
"inputs": {
"flake-parts": [
"flake-parts"
],
"nixpkgs": [
"nixpkgs"
]
},
"flake-utils_2": {
"locked": {
"lastModified": 1728398621,
"narHash": "sha256-cNCgW0g012t7lZ2gxBpc+Uu6GHV2sTEsOV50nSZ96FM=",
"ref": "refs/heads/main",
"rev": "a4f2aa76583b5dfa3f2db12ff360ba9f229cfb2f",
"revCount": 37,
"type": "git",
"url": "https://git.pub.solar/momo/invoiceplane-templates.git"
},
"original": {
"type": "git",
"url": "https://git.pub.solar/momo/invoiceplane-templates.git"
}
},
"lix": {
"flake": false,
"locked": {
"lastModified": 1729298361,
"narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=",
"rev": "ad9d06f7838a25beec425ff406fe68721fef73be",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz"
}
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils",
"flakey-profile": "flakey-profile",
"lix": "lix",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1729360442,
"narHash": "sha256-6U0CyPycIBc04hbYy2hBINnVso58n/ZyywY2BD3hu+s=",
"rev": "9098ac95768f7006d7e070b88bae76939f6034e6",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/9098ac95768f7006d7e070b88bae76939f6034e6.tar.gz?rev=9098ac95768f7006d7e070b88bae76939f6034e6"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1733570843,
"narHash": "sha256-sQJAxY1TYWD1UyibN/FnN97paTFuwBw3Vp3DNCyKsMk=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "a35b08d09efda83625bef267eb24347b446c80b8",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"nix-direnv": {
"inputs": {
"flake-parts": [
"flake-parts"
],
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1732689932,
"narHash": "sha256-dnB8nu6ozuflg7f887Udoujx284QI6FMCSuCYIiTCYQ=",
"owner": "nix-community",
"repo": "nix-direnv",
"rev": "0357fa09ff68323c472fc0362ddc141a6aa6c3b5",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-direnv",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1734352517,
"narHash": "sha256-mfv+J/vO4nqmIOlq8Y1rRW8hVsGH3M+I2ESMjhuebDs=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "b12e314726a4226298fe82776b4baeaa7bcf3dcd",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1734083684,
"narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1733096140,
"narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"deploy-rs": "deploy-rs",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"home-manager": "home-manager",
"invoiceplane-template": "invoiceplane-template",
"lix-module": "lix-module",
"nix-darwin": "nix-darwin",
"nix-direnv": "nix-direnv",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"unstable": "unstable",
"watson": "watson"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nix-direnv",
"nixpkgs"
]
},
"locked": {
"lastModified": 1724833132,
"narHash": "sha256-F4djBvyNRAXGusJiNYInqR6zIMI3rvlp6WiKwsRISos=",
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "3ffd842a5f50f435d3e603312eefa4790db46af5",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"repo": "flake-utils",
"type": "github"
}
},
"unstable": {
"fork": {
"locked": {
"lastModified": 1734119587,
"narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
"lastModified": 1692960587,
"narHash": "sha256-39SKGdhn8jKKkdqhULbCvQOpdUPE9NNJpy5HTB++Jvg=",
"owner": "teutat3s",
"repo": "nixpkgs",
"rev": "312709dd70684f52496580e533d58645526b1c90",
"type": "github"
},
"original": {
"owner": "teutat3s",
"ref": "nvfetcher-fix",
"repo": "nixpkgs",
"type": "github"
}
},
"home": {
"inputs": {
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1695108154,
"narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "07682fff75d41f18327a871088d20af2710d4744",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-23.05",
"repo": "home-manager",
"type": "github"
}
},
"latest": {
"locked": {
"lastModified": 1696604326,
"narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5",
"rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
"type": "github"
},
"original": {
@ -384,44 +250,79 @@
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_2"
},
"nixos": {
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"lastModified": 1696697597,
"narHash": "sha256-q26Qv4DQ+h6IeozF2o1secyQG0jt2VUT3V0K58jr3pg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5a237aecb57296f67276ac9ab296a41c23981f56",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"owner": "nixos",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"watson": {
"inputs": {
"flake-parts": [
"flake-parts"
],
"nixpkgs": [
"nixpkgs"
]
},
"nixos-hardware": {
"locked": {
"lastModified": 1733302767,
"narHash": "sha256-UM6sX6lWXbJRPgSM+S1hgir/xt8xEdMYmLMZOiqrLg0=",
"owner": "pub-solar",
"repo": "watson",
"rev": "9e5685720ad4edca2c8643e95bf91258166e8f77",
"lastModified": 1696614066,
"narHash": "sha256-nAyYhO7TCr1tikacP37O9FnGr2USOsVBD3IgvndUYjM=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "bb2db418b616fea536b1be7f6ee72fb45c11afe0",
"type": "github"
},
"original": {
"owner": "pub-solar",
"repo": "watson",
"owner": "nixos",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1672791794,
"narHash": "sha256-mqGPpGmwap0Wfsf3o2b6qHJW1w2kk/I6cGCGIU+3t6o=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "9813adc7f7c0edd738c6bdd8431439688bb0cb3d",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"darwin": "darwin",
"deploy": "deploy",
"digga": "digga",
"flake-compat": "flake-compat",
"fork": "fork",
"home": "home",
"latest": "latest",
"nixos": "nixos",
"nixos-hardware": "nixos-hardware"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}

flake.nix

@ -1,139 +1,175 @@
{
description = "teutat3s hosts in nix";
description = "A highly structured configuration database.";
nixConfig.extra-experimental-features = "nix-command flakes";
inputs = {
# Track channels with commits tested and built by hydra
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixos.url = "github:nixos/nixpkgs/nixos-23.05";
latest.url = "github:nixos/nixpkgs/nixos-unstable";
fork.url = "github:teutat3s/nixpkgs/nvfetcher-fix";
flake-compat.url = "github:edolstra/flake-compat";
flake-compat.flake = false;
nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
digga.url = "github:pub-solar/digga/fix/bootstrap-iso";
digga.inputs.nixpkgs.follows = "nixos";
digga.inputs.nixlib.follows = "nixos";
digga.inputs.home-manager.follows = "home";
digga.inputs.deploy.follows = "deploy";
digga.inputs.darwin.follows = "darwin";
digga.inputs.flake-compat.follows = "flake-compat";
home-manager.url = "github:nix-community/home-manager/release-24.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
home.url = "github:nix-community/home-manager/release-23.05";
home.inputs.nixpkgs.follows = "nixos";
flake-parts.url = "github:hercules-ci/flake-parts";
darwin.url = "github:LnL7/nix-darwin";
darwin.inputs.nixpkgs.follows = "nixos";
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.inputs.flake-compat.follows = "flake-compat";
deploy.url = "github:serokell/deploy-rs";
deploy.inputs.nixpkgs.follows = "nixos";
deploy.inputs.flake-compat.follows = "flake-compat";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.darwin.follows = "nix-darwin";
agenix.inputs.home-manager.follows = "home-manager";
nix-direnv.url = "github:nix-community/nix-direnv";
nix-direnv.inputs.nixpkgs.follows = "nixpkgs";
nix-direnv.inputs.flake-parts.follows = "flake-parts";
agenix.inputs.nixpkgs.follows = "nixos";
agenix.inputs.darwin.follows = "darwin";
nixos-hardware.url = "github:nixos/nixos-hardware";
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
invoiceplane-template.url = "git+https://git.pub.solar/momo/invoiceplane-templates.git";
invoiceplane-template.inputs.nixpkgs.follows = "nixpkgs";
invoiceplane-template.inputs.flake-parts.follows = "flake-parts";
watson.url = "github:pub-solar/watson";
watson.inputs.nixpkgs.follows = "nixpkgs";
watson.inputs.flake-parts.follows = "flake-parts";
};
outputs =
inputs@{ self, ... }:
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
systems = [
"x86_64-linux"
"aarch64-linux"
"x86_64-darwin"
"aarch64-darwin"
outputs = {
self,
digga,
nixos,
home,
nixos-hardware,
agenix,
deploy,
...
} @ inputs:
digga.lib.mkFlake
{
inherit self inputs;
channelsConfig = {
# allowUnfree = true;
};
supportedSystems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin"];
channels = {
nixos = {
imports = [(digga.lib.importOverlays ./overlays)];
overlays = [
(self: super: {
deploy-rs = {
inherit (inputs.nixos.legacyPackages.x86_64-linux) deploy-rs;
lib = inputs.deploy.lib.x86_64-linux;
};
})
];
};
latest = {};
fork = {};
};
lib = import ./lib {lib = digga.lib // nixos.lib;};
sharedOverlays = [
(final: prev: {
__dontExport = true;
lib = prev.lib.extend (lfinal: lprev: {
our = self.lib;
});
})
agenix.overlays.default
(import ./pkgs)
];
imports = [
./lib
./modules
./hosts
./users
./overlays
];
nixos = {
hostDefaults = {
system = "x86_64-linux";
channelName = "nixos";
imports = [(digga.lib.importExportableModules ./modules)];
modules = [
{lib.our = self.lib;}
# FIXME: upstream module causes a huge number of unnecessary
# dependencies to be pulled in for all systems -- many of them are
# graphical. should only be imported as needed.
# digga.nixosModules.bootstrapIso
digga.nixosModules.nixConfig
home.nixosModules.home-manager
agenix.nixosModules.age
];
};
perSystem =
args@{
system,
pkgs,
config,
...
}:
{
_module.args = {
inherit inputs;
pkgs = import inputs.nixpkgs {
inherit system;
overlays = [ inputs.agenix.overlays.default ];
};
unstable = import inputs.unstable { inherit system; };
master = import inputs.master { inherit system; };
imports = [(digga.lib.importHosts ./hosts)];
hosts = {
# Set host-specific properties here
bootstrap = {
modules = [
digga.nixosModules.bootstrapIso
];
};
devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [
agenix
cachix
deploy-rs
nixd
nixos-generators
nvfetcher
editorconfig-checker
nodePackages.prettier
shellcheck
shfmt
treefmt
PubSolarOS = {
tests = [
#(import ./tests/first-test.nix {
# pkgs = nixos.legacyPackages.x86_64-linux;
# lib = nixos.lib;
#})
];
};
};
flake = {
formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;
deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
#example = {
# hostname = "example.com:22";
# sshUser = "bartender";
# fastConnect = true;
# profilesOrder = ["system" "direnv"];
# profiles.direnv = {
# user = "bartender";
# path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.bartender;
# };
#};
fae = {
hostname = "192.168.13.35";
sshUser = "pub-solar";
};
powder = {
hostname = "80.71.153.194";
sshUser = "root";
profilesOrder = [
"system"
"direnv"
];
profiles.direnv = {
user = "pub-solar";
path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.pub-solar;
importables = rec {
profiles =
digga.lib.rakeLeaves ./profiles
// {
users = digga.lib.rakeLeaves ./users;
};
suites = with profiles; rec {
base = [users.pub-solar users.root];
iso = base ++ [base-user graphical pub-solar-iso];
pubsolaros = [full-install base-user users.root];
anonymous = [pubsolaros users.pub-solar];
};
};
};
home = {
imports = [(digga.lib.importExportableModules ./users/modules)];
modules = [];
importables = rec {
profiles = digga.lib.rakeLeaves ./users/profiles;
suites = with profiles; rec {
base = [direnv git];
};
};
users = {
pub-solar = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03";
};
}; # digga.lib.importers.rakeLeaves ./users/hm;
};
devshell = ./shell;
homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
#example = {
# hostname = "example.com:22";
# sshUser = "bartender";
# fastConnect = true;
# profilesOrder = ["system" "direnv"];
# profiles.direnv = {
# user = "bartender";
# path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.bartender;
# };
#};
};
};
}
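Review bot: `fork.url = "github:teutat3s/nixpkgs/nvfetcher-fix";` adds a personal fork of nixpkgs as a flake input and exposes it as its own channel (`fork = {};`), so anything built from that channel comes from code a single maintainer controls rather than from upstream; the commit message gives https://github.com/NixOS/nixpkgs/issues/249962 as the reason. The lock file pins a revision, but the input itself is a mutable branch ref, so a later `nix flake update` follows whatever lands on `nvfetcher-fix` with no review step. Consider pinning the ref to a commit (`github:teutat3s/nixpkgs/<rev>`) and recording the intent next to the input with a comment such as `# TODO: drop once NixOS/nixpkgs#249962 is fixed upstream`. The same applies, less acutely, to `digga.url = "github:pub-solar/digga/fix/bootstrap-iso";`, which also tracks a branch on a fork.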


@ -1,17 +1,15 @@
{ suites, ... }:
{
{suites, ...}: {
### root password is empty by default ###
### default password: pub-solar, optional: add your SSH keys
imports = suites.iso;
imports =
suites.iso;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.networkmanager.enable = true;
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
};
fileSystems."/" = {device = "/dev/disk/by-label/nixos";};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions


@ -5,21 +5,18 @@
profiles,
...
}:
let
inherit (lib) mkForce;
with lib; let
# Gets hostname of host to be bundled inside iso
# Copied from https://github.com/divnix/digga/blob/30ffa0b02272dc56c94fd3c7d8a5a0f07ca197bf/modules/bootstrap-iso.nix#L3-L11
getFqdn =
config:
let
net = config.networking;
fqdn =
if (net ? domain) && (net.domain != null) then "${net.hostName}.${net.domain}" else net.hostName;
in
getFqdn = config: let
net = config.networking;
fqdn =
if (net ? domain) && (net.domain != null)
then "${net.hostName}.${net.domain}"
else net.hostName;
in
fqdn;
in
{
in {
# build with: `nix build ".#nixosConfigurations.bootstrap.config.system.build.isoImage"`
imports = [
# profiles.networking
@ -34,9 +31,7 @@ in
boot.loader.systemd-boot.enable = true;
# will be overridden by the bootstrapIso instrumentation
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
};
fileSystems."/" = {device = "/dev/disk/by-label/nixos";};
system.nixos.label = "PubSolarOS-" + config.system.nixos.version;
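Review bot: `with lib; let` at the top of the first hunk brings every attribute of lib into scope for the rest of the module, although the visible body only needs `mkForce`; a reader can no longer tell which bare identifiers come from lib, and any local binding or future lib addition can shadow one silently. The explicit form `let inherit (lib) mkForce;` keeps the dependency visible and is what the rest of the hunk's style (named `getFqdn`, explicit `net`/`fqdn` bindings) suggests. The enclosing attribute set continues past the end of the hunk, so there may be further lib uses outside this view; if so, extend the `inherit` list rather than keeping the `with`.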


@ -1,155 +0,0 @@
{
withSystem,
self,
inputs,
config,
...
}:
{
flake = {
nixosModules = {
home-manager = {
imports = [
inputs.home-manager.nixosModules.home-manager
({
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = {
flake = {
inherit self inputs config;
};
};
})
];
};
};
nixosConfigurations = {
dumpyourvms = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
self.nixosModules.base
./dumpyourvms
self.nixosModules.teutat3s
self.nixosModules.audio
self.nixosModules.bluetooth
self.nixosModules.desktop-extended
self.nixosModules.docker
self.nixosModules.graphical
self.nixosModules.nextcloud
self.nixosModules.office
self.nixosModules.printing
];
};
ryzensun = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
self.nixosModules.base
./ryzensun
self.nixosModules.teutat3s
self.nixosModules.audio
self.nixosModules.desktop-extended
self.nixosModules.docker
self.nixosModules.forgejo-actions-runner
self.nixosModules.graphical
self.nixosModules.office
self.nixosModules.printing
self.nixosModules.virtualisation
];
};
fae = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
self.nixosModules.base
inputs.nixos-hardware.nixosModules.raspberry-pi-4
./fae
self.nixosModules.pub-solar
self.nixosModules.acme
self.nixosModules.invoiceplane
self.nixosModules.actual
];
};
#powder = self.inputs.nixpkgs.lib.nixosSystem {
# specialArgs = {
# flake = {
# inherit self inputs config;
# };
# };
# modules = [
# self.nixosModules.base
# inputs.nixos-hardware.nixosModules.raspberry-pi-4
# ./powder
# self.nixosModules.teutat3s
# self.nixosModules.docker
# self.nixosModules.wireguard-client
# self.nixosModules.invoiceplane
# ];
#};
iso = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
"${inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
self.nixosModules.base
./iso
self.nixosModules.nixos
];
};
iso-arm = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
"${inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
self.nixosModules.base
./iso
self.nixosModules.nixos
];
};
iso-graphical = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
"${inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
self.nixosModules.base
./iso
self.nixosModules.nixos
self.nixosModules.graphical
self.nixosModules.audio
self.nixosModules.bluetooth
(
{ ... }:
{
pub-solar.graphical.wayland.software-renderer.enable = true;
}
)
];
};
};
};
}


@ -1,12 +0,0 @@
# seahorse
for_window [title="seahorse"] floating enabled
# NetworkManager
for_window [app_id="nm-connection-editor"] floating enabled
# thunderbird
for_window [title="New Task:*"] floating enabled
for_window [title="Edit Task:*"] floating enabled
for_window [title="New Event:*"] floating enabled
for_window [title="Edit Event:*"] floating enabled


@ -1,6 +0,0 @@
# Autostart applications
#
# Example:
# exec swayidle
exec qMasterPassword


@ -1,3 +0,0 @@
# switch keyboard input language
bindsym $mod+tab exec swaymsg input "1452:628:Apple_Inc._Apple_Internal_Keyboard_/_Trackpad" xkb_switch_layout next


@ -1,37 +0,0 @@
### Input configuration
#
# You can get the names of your inputs by running: swaymsg -t get_inputs
# Read `man 5 sway-input` for more information about this section.
input "type:keyboard" {
xkb_layout us(intl),de
xkb_model pc105
xkb_options ctrl:nocaps
}
input "type:touchpad" {
tap enabled
natural_scroll enabled
# Disable while typing
dwt enabled
}
# Touchpad controls
#bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl -d acpi_video0 set +10%"
bindsym XF86MonBrightnessDown exec "brightnessctl -d acpi_video0 set 10%-"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%"
# Pulse Audio controls
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"


@ -1,39 +0,0 @@
### Output configuration
#
# Example configuration:
#
# output HDMI-A-1 resolution 1920x1080 position 1920,0
#
# You can get the names of your outputs by running: swaymsg -t get_outputs
set $main_screen eDP-1
set $displayport DP-3
set $hmdi HDMI-A-1
output $main_screen scale 1.7
output $displayport scale 1
output $main_screen position 0 1440
output $displayport position 0 0 resolution 2560x1440@60Hz
#bindswitch lid:on output $main_screen disable
#bindswitch lid:off output $main_screen enable
bindsym $mod+Shift+x output $main_screen toggle
# TODO when using more monitors
## Manual management of external displays
# Set the shortcuts and what they do
#set $mode_display HDMI (i) top, (j) left, (k) bottom, (l) right, (o) off
#mode "$mode_display" {
# bindsym i output HDMI-A-1 enable; output HDMI-A-1 pos 0 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 1080, mode "default"
# bindsym j output HDMI-A-1 enable; output HDMI-A-1 pos 0 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 1920 0, mode "default"
# bindsym k output HDMI-A-1 enable; output HDMI-A-1 pos 0 900 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 0, mode "default"
# bindsym l output HDMI-A-1 enable; output HDMI-A-1 pos 1440 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 0, mode "default"
# bindsym o output HDMI-A-1 disable, mode "default"
#
# # back to normal: Enter or Escape
# bindsym Return mode "default"
# bindsym Escape mode "default"
#}
## Declare here the shortcut to bring the display selection menu
#bindsym $mod+x mode "$mode_display"


@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./dumpyourvms.nix
./hardware-configuration.nix
./networking.nix
];
}


@ -1,202 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
pub-solar = {
terminal-life.full = true;
core.hibernation = {
enable = true;
resumeDevice = "/dev/mapper/cryptroot";
resumeOffset = 47366144;
};
};
# Fix backlight for keyboard and brightness, adjust function key binding,
# intel_pstate for cpu schedutil
# For now, the radeon driver seems to work better than amdgpu with Radeon R9 M370X
# Explicitly set amdgpu support in place of radeon
# Source: https://github.com/NixOS/nixos-hardware/blob/master/common/gpu/amd/southern-islands/default.nix
# Try again after https://lists.freedesktop.org/archives/amd-gfx/2023-March/090096.html lands
boot.kernelParams = [
"acpi_backlight=video"
"hid_apple.fnmode=2"
"intel_pstate=passive"
"radeon.si_support=0"
"amdgpu.si_support=1"
];
boot.loader.efi.canTouchEfiVariables = true;
# Fix for Error switching console mode to 1: unsupported on startup
boot.loader.systemd-boot.consoleMode = lib.mkForce "0";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
systemd.sleep.extraConfig = ''
HibernateMode=shutdown
'';
hardware = {
cpu.intel.updateMicrocode = true;
facetimehd.enable = true;
graphics = {
extraPackages = with pkgs; [ intel-vaapi-driver ]; # i7-4870HQ older hardware like haswell (crystall well)
extraPackages32 = with pkgs.pkgsi686Linux; [ intel-vaapi-driver ];
};
};
services.fstrim.enable = true;
networking.hostName = "dumpyourvms";
services.resolved = {
enable = true;
extraConfig = ''
DNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 5.9.164.112#dns3.digitalcourage.de 89.233.43.71#unicast.censurfridns.dk 185.49.141.37#getdnsapi.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net 2a01:4f8:251:554::2#dns3.digitalcourage.de 2a01:3a0:53:53::0#unicast.censurfridns.dk 2a04:b900:0:100::38#getdnsapi.net
FallbackDNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
Domains=~.
DNSOverTLS=yes
'';
};
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
};
services.usbmuxd.enable = true;
#programs.droidcam.enable = true;
#services.mozillavpn.enable = true;
security.pki.certificateFiles = [ ./consul-agent-ca.pem ];
# Power off dedicated GPU, use only integrated Intel GPU to save battery
# https://github.com/NixOS/nixpkgs/pull/33915
# https://ubuntuforums.org/showthread.php?t=2409856
systemd.services."amd-hybrid-graphics-power-save" = {
path = [ pkgs.bash ];
description = "Power Off dedicated AMD Card to reduce power usage";
requires = [ "sys-kernel-debug.mount" ];
enable = true;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.bash}/bin/sh -c 'sleep 7 && if grep --quiet 'IGD:+' /sys/kernel/debug/vgaswitcheroo/switch; then echo -e \"IGD\\nOFF\" > /sys/kernel/debug/vgaswitcheroo/switch; fi'";
ExecStop = "${pkgs.bash}/bin/sh -c 'echo ON >/sys/kernel/debug/vgaswitcheroo/switch'";
};
wantedBy = [ "multi-user.target" ];
};
# Increase console font size for HiDPI display
console = {
earlySetup = true;
font = lib.mkForce "ter-i32b";
packages = [ pkgs.terminus_font ];
};
# Thunderbolt tools
services.hardware.bolt.enable = true;
# Enable udev rules for gnupg smart cards
hardware.gpgSmartcards.enable = true;
hardware.keyboard.uhk.enable = true;
powerManagement = {
# Use new schedutil govenor
# https://github.com/NixOS/nixpkgs/pull/42330
# https://www.kernel.org/doc/html/v5.10/admin-guide/pm/cpufreq.html#schedutil
cpuFreqGovernor = lib.mkDefault "schedutil";
# brcmfmac being loaded during hibernation would inhibit a successful resume
# https://bugzilla.kernel.org/show_bug.cgi?id=101681#c116.
# Also brcmfmac could randomly crash on resume from sleep.
# To hibernate successfully using the amdgpu driver, the dedicated GPU needs
# to be powered on.
powerUpCommands = lib.mkBefore (
"${pkgs.kmod}/bin/modprobe brcmfmac"
+ lib.optionalString (lib.versionAtLeast config.boot.kernelPackages.kernel.version "6.2") " brcmfmac_wcc"
);
powerDownCommands = lib.mkBefore (
lib.optionalString (lib.versionAtLeast config.boot.kernelPackages.kernel.version "6.2") "${pkgs.kmod}/bin/rmmod brcmfmac_wcc\n"
+ ''
${pkgs.kmod}/bin/rmmod brcmfmac
${pkgs.systemd}/bin/systemctl stop amd-hybrid-graphics-power-save.service
''
);
resumeCommands =
if config.systemd.services."amd-hybrid-graphics-power-save".enable == true then
''
${pkgs.systemd}/bin/systemctl start amd-hybrid-graphics-power-save.service
''
else
"";
};
# Change lid switch behaviour
services.logind.lidSwitch = "hibernate";
# TLP for power management
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "performance";
CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
CPU_BOOST_ON_AC = 1;
CPU_BOOST_ON_BAT = 0;
};
};
services.udev.extraRules =
# Disable XHC1 wakeup signal to avoid resume getting triggered some time
# after suspend. Reboot required for this to take effect.
lib.optionalString (lib.versionAtLeast config.boot.kernelPackages.kernel.version "3.13")
''SUBSYSTEM=="pci", KERNEL=="0000:00:14.0", ATTR{power/wakeup}="disabled"'';
home-manager =
pkgs.lib.setAttrByPath
[
"users"
psCfg.user.name
]
{
# Custom device sway configs
xdg.configFile = {
"sway/config.d/10-applications.conf".source = ./.config/sway/config.d/applications.conf;
"sway/config.d/autostart.conf".source = ./.config/sway/config.d/autostart.conf;
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
"sway/config.d/input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
"sway/config.d/screens.conf".source = ./.config/sway/config.d/screens.conf;
};
};
# WLAN frequency compliance (e.g. check for radar with DFS)
hardware.firmware = with pkgs; [ wireless-regdb ];
boot.extraModprobeConfig = ''
options cfg80211 ieee80211_regdom="DE"
# Enable the integrated GPU (iGPU) Intel i915 by default if present
options apple-gmux force_igd=y
# Enable HD-Audio Codec-Specific Models
# https://www.kernel.org/doc/html/latest/sound/hd-audio/models.html
options snd-hda-intel model=mbp11
# https://bbs.archlinux.org/viewtopic.php?pid=1445636#p1445636
#
options snd-hda-intel index=1
'';
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
}


@ -1,48 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
#(modulesPath + "/hardware/network/broadcom-43xx.nix")
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/17bbb016-d27c-47da-8805-58c6395891e8";
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/c100b9a7-99d7-44d9-b7c2-3892a5f233c4";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/06B8-5414";
fsType = "vfat";
};
swapDevices = [
{
device = "/swapfile";
size = 18432;
}
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,286 +0,0 @@
{ pkgs, lib, ... }:
{
systemd.services.wg-quick-wg5.serviceConfig.Type = lib.mkForce "simple";
systemd.services.wg-quick-wg5.serviceConfig.Restart = "on-failure";
systemd.services.wg-quick-wg5.serviceConfig.RestartSec = "5s";
systemd.services.NetworkManager-wait-online.enable = true;
networking = {
networkmanager.dns = "systemd-resolved";
#networkmanager.dispatcherScripts = [
# { source = "${pkgs.prison-break}/bin/prison-break"; }
#];
hosts = {
"10.0.0.42" = [
"nomad.service.consul"
"nomad.service.cgn-1.consul"
];
"10.0.0.66" = [ "consul.service.cgn-1.consul" ];
"10.0.1.9" = [ "consul.service.lev-1.consul" ];
"10.0.0.70" = [
"vault.service.consul"
"vault.service.cgn-1.consul"
];
"10.0.0.200" = [ "headnode.cgn-1" ];
"10.0.0.201" = [ "cn01.cgn-1" ];
"10.0.0.202" = [ "cn02.cgn-1" ];
"10.0.0.205" = [ "cn05.cgn-1" ];
"10.0.0.206" = [ "cn06.cgn-1" ];
"10.0.0.207" = [ "cn07.cgn-1" ];
"10.0.0.208" = [ "cn08.cgn-1" ];
"10.0.1.200" = [ "headnode.lev-1" ];
"10.0.1.201" = [ "cn01.lev-1" ];
"10.0.1.202" = [ "cn02.lev-1" ];
"10.0.1.203" = [ "cn03.lev-1" ];
"10.0.1.204" = [ "cn04.lev-1" ];
"10.0.1.205" = [ "cn05.lev-1" ];
"10.0.1.206" = [ "cn00.lev-1" ];
"10.0.1.207" = [ "cn06.lev-1" ];
"10.0.1.208" = [ "cn07.lev-1" ];
"10.101.64.10" = [ "wifi.bahn.de" ];
"192.168.13.25" = [
"ryzensun.local"
"cloudapi.coal-1.mnx.io"
];
};
wireguard.enable = true;
wg-quick.interfaces = {
wg0 = {
autostart = false;
address = [ "10.8.8.6/32" ];
privateKeyFile = "/etc/wireguard/wg0.privatekey";
peers = [
{
publicKey = "l0DJLicCrcrixNP6zAWTXNSEaNM2jML253BXEZ1KpiU=";
allowedIPs = [
"10.8.8.16/32"
"10.0.0.0/24"
"10.88.88.0/24"
];
endpoint = "85.88.23.16:51820";
persistentKeepalive = 25;
}
];
};
wg1 = {
autostart = false;
address = [ "192.168.188.203/24" ];
privateKeyFile = "/etc/wireguard/wg1.privatekey";
peers = [
{
publicKey = "iZkgeA/mFxBRclCa5SJYdqffClly/uho5krebcUloCY=";
allowedIPs = [ "192.168.188.0/24" ];
presharedKeyFile = "/etc/wireguard/wg1.presharedkey";
#endpoint = "85.214.70.91:50163";
#endpoint = "u7dazg4ceu9dggxa.myfritz.net:50163";
endpoint = "[2a00:6020:1000:47::2ded]:50163";
persistentKeepalive = 25;
}
];
};
wg2 = {
autostart = false;
address = [ "10.6.6.4/32" ];
privateKeyFile = "/etc/wireguard/wg2.privatekey";
peers = [
{
publicKey = "nYMmaCIW8lZ7SokivN8HXxYDch+SS1G7ab1SC9meDAw=";
presharedKeyFile = "/etc/wireguard/wg2.presharedkey";
allowedIPs = [
"10.6.6.1/32"
"10.1.1.0/24"
];
endpoint = "85.88.23.127:51820";
persistentKeepalive = 16;
}
];
};
wg3 = {
autostart = false;
address = [ "10.11.11.2/32" ];
privateKeyFile = "/etc/wireguard/wg3.privatekey";
mtu = 1300;
peers = [
{
publicKey = "7RRgfZSneqAtAHBeI6+aaYLqz9e1jikg/lIK8mhW928=";
presharedKeyFile = "/etc/wireguard/wg3.presharedkey";
allowedIPs = [
"10.11.11.0/24"
"192.168.1.0/24"
"10.0.1.0/24"
];
endpoint = "80.71.153.1:51820";
persistentKeepalive = 16;
}
];
};
wg4 = {
address = [ "fdaa:1:3234:a7b:16a9:0:a:202/120" ];
privateKeyFile = "/etc/wireguard/wg4.privatekey";
postUp = "resolvectl dns wg4 fdaa:1:3234::3; resolvectl domain wg4 ~internal";
preDown = "resolvectl revert wg4";
#dns = [
# "fdaa:1:3234::3, internal"
#];
peers = [
{
publicKey = "yUyg63j5+17YeJ7gRhxoQuF6rvdX0JF59M6skytJFTQ=";
allowedIPs = [ "fdaa:1:3234::/48" ];
#endpoint = "ams1.gateway.6pn.dev:51820";
endpoint = "176.58.93.206:51820";
persistentKeepalive = 15;
}
];
};
wg5 = {
autostart = false;
address = [ "192.168.13.201/24" ];
privateKeyFile = "/etc/wireguard/wg5.privatekey";
postUp = "resolvectl dnsovertls wg5 no; resolvectl dns wg5 192.168.13.1; resolvectl domain wg5 ~fritz.box";
preDown = "resolvectl revert wg5";
peers = [
{
publicKey = "UhPW8jebAPaMYqjJfSFO9QAMhk0E+dq4i6lB4Wjg91Q=";
presharedKeyFile = "/etc/wireguard/wg5.presharedkey";
allowedIPs = [ "192.168.13.0/24" ];
endpoint = "svxqr7qjmk9beu7t.myfritz.net:59538";
#endpoint = "84.44.134.172:59538";
persistentKeepalive = 25;
}
];
};
wg6 = {
address = [
"10.7.6.201/32"
"fd00:fae:fae:fae:fae:201::/96"
];
privateKeyFile = "/etc/wireguard/wg6.privatekey";
peers = [
{
# nachtigall.pub.solar
publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
allowedIPs = [
"10.7.6.1/32"
"fd00:fae:fae:fae:fae:1::/96"
];
#endpoint = "138.201.80.102:51820";
endpoint = "[2a01:4f8:172:1c25::1]:51820";
persistentKeepalive = 15;
}
{
# metronom.pub.solar
publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
allowedIPs = [
"10.7.6.3/32"
"fd00:fae:fae:fae:fae:3::/96"
];
endpoint = "49.13.236.167:51820";
#endpoint = "[2a01:4f8:c2c:7082::]:51820";
persistentKeepalive = 15;
}
{
# tankstelle.pub.solar
publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg=";
allowedIPs = [
"10.7.6.4/32"
"fd00:fae:fae:fae:fae:4::/96"
];
#endpoint = "80.244.242.5:51820";
endpoint = "[2001:4d88:1ffa:26::5]:51820";
persistentKeepalive = 15;
}
{
# trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
allowedIPs = [
"10.7.6.5/32"
"fd00:fae:fae:fae:fae:5::/96"
];
#endpoint = "85.215.152.22:51820";
endpoint = "[2a01:239:35d:f500::1]:51820";
persistentKeepalive = 15;
}
{
# delite.pub.solar
publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k=";
allowedIPs = [
"10.7.6.6/32"
"fd00:fae:fae:fae:fae:6::/96"
];
#endpoint = "80.244.242.5:51820";
endpoint = "[2a04:52c0:124:9d8c::2]:51820";
persistentKeepalive = 15;
}
{
# blue-shell.pub.solar
publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8=";
allowedIPs = [
"10.7.6.7/32"
"fd00:fae:fae:fae:fae:7::/96"
];
#endpoint = "80.244.242.5:51820";
endpoint = "[2a03:4000:43:24e::1]:51820";
persistentKeepalive = 15;
}
];
};
wg7 = {
address = [
"10.30.30.201/32"
"fd00:3030:3030:3030:3030:201::/96"
];
privateKeyFile = "/etc/wireguard/wg7.privatekey";
peers = [
{
# pioneer.momo.koeln
publicKey = "W9Vn2yv+AZjOD7sqKp4DyMbIz5N++Vjlr+6J3BnXj3o=";
allowedIPs = [
"10.30.30.1/32"
"fd00:3030:3030:3030:3030:1::/96"
];
#endpoint = "80.244.242.4:51820";
endpoint = "[2001:4d88:1ffa:26::4]:51820";
persistentKeepalive = 15;
}
];
};
# mozillavpn
moz0 = {
autostart = false;
address = [
"10.142.131.196/32"
"fc00:bbbb:bbbb:bb01:d:0:e:83c4/128"
];
privateKeyFile = "/etc/wireguard/moz0.privatekey";
#postUp = "resolvectl dns wg4 fdaa:1:3234::3; resolvectl domain wg4 ~internal";
#preDown = "resolvectl revert wg4";
#dns = [
# "fdaa:1:3234::3, internal"
#];
peers = [
{
publicKey = "ku1NYeOAGbY65YL/JKZhrqVzDJKXQiVj9USXbfkOBA0=";
allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "185.254.75.3:36294";
}
];
};
};
};
}


@ -1,52 +0,0 @@
{
enable = false;
localControlSocketPath = "/run/unbound/unbound.ctl";
settings = {
server = {
cache-max-ttl = 14400;
cache-min-ttl = 1200;
aggressive-nsec = true;
prefetch = false;
rrset-roundrobin = true;
use-caps-for-id = true;
do-ip6 = false;
hide-identity = true;
hide-version = true;
do-not-query-localhost = false;
tls-cert-bundle = "/etc/ssl/certs/ca-certificates.crt";
};
# fritz.box stub zone
stub-zone = {
name = "fritz.box";
stub-addr = "192.168.13.1";
};
# DNS over DLS forwarding
forward-zone = {
name = ".";
forward-tls-upstream = true;
forward-addr = [
"5.1.66.255@853#dot.ffmuc.net"
"185.150.99.255@853#dot.ffmuc.net"
"89.233.43.71@853#unicast.censurfridns.dk"
"94.130.110.185@853#ns1.dnsprivacy.at"
"2001:678:e68:f000::@853#dot.ffmuc.net"
"2001:678:ed0:f000::@853#dot.ffmuc.net"
"2a01:3a0:53:53::0@853#unicast.censurfridns.dk"
"2a01:4f8:c0c:3c03::2@853#ns1.dnsprivacy.at"
"2a01:4f8:c0c:3bfc::2@853#ns2.dnsprivacy.at"
"2001:610:1:40ba:145:100:185:15@853#dnsovertls.sinodun.com"
"2001:610:1:40ba:145:100:185:16@853#dnsovertls1.sinodun.com"
"2a04:b900:0:100::38@853#getdnsapi.net"
"145.100.185.15@853#dnsovertls.sinodun.com"
"145.100.185.16@853#dnsovertls1.sinodun.com"
"185.49.141.37@853#getdnsapi.net"
];
};
};
}


@ -1,28 +0,0 @@
{
flake,
config,
pkgs,
lib,
...
}:
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
security.acme.certs = {
"actual.faenix.eu" = { };
};
services.nginx.virtualHosts = {
"actual.faenix.eu" = {
forceSSL = true;
useACMEHost = "actual.faenix.eu";
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.actual.settings.port}";
};
};
services.actual = {
enable = true;
};
}


@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./actual.nix
./paperless.nix
./invoiceplane.nix
./fae.nix
];
}


@ -1,71 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
config = {
pub-solar.core.disk-encryption-active = false;
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = [ "noatime" ];
};
};
networking.hostName = "paperless";
services.openssh = {
enable = true;
openFirewall = true;
allowSFTP = true;
};
boot.kernelParams = [ "boot.shell_on_fail=1" ];
# Would decrease closure size, but currenly broken (cairo)
#environment.noXlibs = true;
nix = {
gc.automatic = true;
optimise.automatic = true;
settings = {
auto-optimise-store = true;
sandbox = true;
allowed-users = [ "@wheel" ];
trusted-users = [
"root"
"@wheel"
];
};
extraOptions = ''
min-free = 536870912
keep-outputs = true
keep-derivations = true
fallback = true
'';
};
# custom raspi boot loader is already present
boot.loader.systemd-boot.enable = false;
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_6_6;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
};
}


@ -1,80 +0,0 @@
{
flake,
config,
pkgs,
lib,
...
}:
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
backupDir = "/var/lib/invoiceplane/backup";
in
{
security.acme.certs = {
"billing.faenix.eu" = { };
};
services.nginx.virtualHosts = {
"billing.faenix.eu" = {
forceSSL = true;
useACMEHost = "billing.faenix.eu";
};
};
services.invoiceplane = {
webserver = "nginx";
sites."billing.faenix.eu" = {
enable = true;
invoiceTemplates = [
flake.self.inputs.invoiceplane-template.packages.${pkgs.system}.invoiceplane-template
];
settings = {
IP_URL = "https://billing.faenix.eu";
DISABLE_SETUP = true;
SETUP_COMPLETED = true;
# Useful for debugging, logs to
# /var/lib/invoiceplane/<domain>/logs/
#ENABLE_DEBUG=true;
};
poolConfig = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.max_spare_servers" = 4;
"pm.min_spare_servers" = 2;
"pm.start_servers" = 2;
"php_admin_value[date.timezone]" = "Europe/Berlin";
"php_admin_value[error_log]" = "/var/lib/invoiceplane/billing.faenix.eu/logs/php-error.log";
"php_admin_flag[display_errors]" = "off";
"php_admin_flag[log_errors]" = "on";
"catch_workers_output" = "yes";
};
};
};
systemd.tmpfiles.rules = [ "d '${backupDir}' 0700 root root - -" ];
services.restic.backups = {
invoiceplane = {
paths = [
backupDir
"/var/lib/invoiceplane/billing.faenix.eu"
];
timerConfig = {
OnCalendar = "*-*-* 00:00:00 Etc/UTC";
};
initialize = true;
passwordFile = config.age.secrets."restic-password.age".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/Backups/InvoicePlane";
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u invoiceplane ${pkgs.mariadb-client}/bin/mariadb-dump --all-databases --user=invoiceplane > "${backupDir}/invoiceplane-mariadb-dump.sql"
'';
rcloneConfigFile = config.age.secrets."fae-rclone.conf.age".path;
};
};
}


@ -1,107 +0,0 @@
{
flake,
lib,
config,
pkgs,
...
}:
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
dataDir = "${xdg.dataHome}/Paperless";
backupDir = "${xdg.dataHome}/PaperlessBackup";
consumptionDir = "/home/${psCfg.user.name}/.local/share/scandir";
in
{
services.paperless = {
enable = true;
user = psCfg.user.name;
consumptionDir = consumptionDir;
dataDir = dataDir;
address = "127.0.0.1";
settings = {
PAPERLESS_ADMIN_USER = psCfg.user.name;
PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
PAPERLESS_URL = "https://paperless.faenix.eu";
};
};
hardware.sane = {
enable = true;
# No aarch64 support for now
#brscan5.enable = true;
};
home-manager.users."${psCfg.user.name}" = {
home.sessionVariables = {
SCANNER_OUTPUT_DIR = consumptionDir;
};
systemd.user.sessionVariables = {
SCANNER_OUTPUT_DIR = consumptionDir;
};
};
security.acme.certs = {
"paperless.faenix.eu" = { };
};
services.nginx = {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
clientMaxBodySize = "256m";
virtualHosts = {
"paperless.faenix.eu" = {
#listenAddresses = [
# "192.168.13.35"
#];
forceSSL = true;
useACMEHost = "paperless.faenix.eu";
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.paperless.port}";
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
systemd.tmpfiles.rules = [
"d /home/${psCfg.user.name}/.local 0700 ${psCfg.user.name} users - -"
"d /home/${psCfg.user.name}/.local/share 0700 ${psCfg.user.name} users - -"
"d '${backupDir}' 0700 ${psCfg.user.name} users - -"
];
age.secrets."fae-rclone.conf.age" = {
file = "${flake.self}/secrets/fae-rclone.conf.age";
path = "/root/.config/rclone/rclone.conf";
mode = "400";
};
age.secrets."restic-password.age" = {
file = "${flake.self}/secrets/restic-password.age";
mode = "400";
};
services.restic.backups = {
paperless = {
paths = [ backupDir ];
timerConfig = {
OnCalendar = "*-*-* 01:00:00 Etc/UTC";
};
initialize = true;
passwordFile = config.age.secrets."restic-password.age".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/Backups/Paperless";
backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";
rcloneConfigFile = config.age.secrets."fae-rclone.conf.age".path;
};
};
}


@ -1,8 +0,0 @@
{ pkgs, lib, ... }:
{
pub-solar.core.disk-encryption-active = false;
isoImage.squashfsCompression = "gzip -Xcompression-level 1";
systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
networking.networkmanager.enable = false;
nixpkgs.hostPlatform = "x86_64-linux";
}


@ -1,4 +0,0 @@
{ ... }:
{
imports = [ ./powder.nix ];
}


@ -1,50 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ ];
boot.initrd.availableKernelModules = [
"ahci"
"virtio_pci"
"xhci_pci"
"sr_mod"
"virtio_blk"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
autoResize = true;
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
fileSystems."/data" = {
device = "/dev/disk/by-label/ephemeral0";
fsType = "ext4";
options = [
"defaults"
"nofail"
];
};
swapDevices = [ ];
networking.useDHCP = lib.mkDefault false;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,87 +0,0 @@
{
config,
inputs,
lib,
pkgs,
profiles,
...
}:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
profiles.users.root # make sure to configure ssh keys
profiles.users.pub-solar
profiles.base-user
];
config = {
pub-solar.core.iso-options.enable = true;
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Force getting the hostname from cloud-init
networking.hostName = lib.mkDefault "";
# Set your time zone.
# time.timeZone = "Europe/Amsterdam";
# Select internationalisation properties.
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
git
vim
wget
caddy
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
services.cloud-init.enable = true;
services.cloud-init.ext4.enable = true;
services.cloud-init.network.enable = true;
# use the default NixOS cloud-init config, but add some SmartOS customization to it
environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
datasource_list: [ SmartOS ]
# Do not create the centos/ubuntu/debian user
users: [ ]
# mount second disk with label ephemeral0, gets formated by cloud-init
# this will fail to get added to /etc/fstab as it's read-only, but should
# mount at boot anyway
mounts:
- [ vdb, /data, auto, "defaults,nofail" ]
'';
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Triton manages firewall rules via the triton fwrule subcommand
networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
};
}


@ -1,6 +0,0 @@
# Autostart applications
#
# Example:
# exec swayidle
exec qMasterPassword


@ -1,3 +0,0 @@
# switch keyboard input language
#bindsym $mod+tab exec swaymsg input "1118:1896:Microsoft_Microsoft___SiderWinderTM_X4_Keyboard_Consumer_Control" xkb_switch_layout next
bindsym $mod+tab exec swaymsg input "7504:24868:Ultimate_Gadget_Laboratories_UHK_60_v2" xkb_switch_layout next


@ -1,33 +0,0 @@
### Input configuration
#
# You can get the names of your inputs by running: swaymsg -t get_inputs
# Read `man 5 sway-input` for more information about this section.
input "type:keyboard" {
xkb_layout us(intl),de
xkb_options ctrl:nocaps
}
input "type:touchpad" {
natural_scroll enabled
}
# Touchpad controls
#bindsym XF86TouchpadToggle exec $HOME/Workspace/ben/toggletouchpad.sh # toggle touchpad
# Screen brightness controls
bindsym XF86MonBrightnessUp exec "brightnessctl -d intel_backlight set +10%"
bindsym XF86MonBrightnessDown exec "brightnessctl -d intel_backlight set 10%-"
# Keyboard backlight brightness controls
bindsym XF86KbdBrightnessDown exec "brightnessctl -d smc::kbd_backlight set 10%-"
bindsym XF86KbdBrightnessUp exec "brightnessctl -d smc::kbd_backlight set +10%"
# Pulse Audio controls
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume @DEFAULT_SINK@ +5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #increase sound volume
bindsym XF86AudioLowerVolume exec pactl set-sink-volume @DEFAULT_SINK@ -5%; exec pactl set-sink-mute @DEFAULT_SINK@ 0 #decrease sound volume
bindsym XF86AudioMute exec pactl set-sink-mute @DEFAULT_SINK@ toggle # mute sound
# Media player controls
bindsym XF86AudioPlay exec "playerctl play-pause; notify-send 'Play/Pause'"
bindsym XF86AudioNext exec "playerctl next; notify-send 'Next'"
bindsym XF86AudioPrev exec "playerctl previous; notify-send 'Prev.'"


@ -1,33 +0,0 @@
### Output configuration
#
# Example configuration:
#
# output HDMI-A-1 resolution 1920x1080 position 1920,0
#
# You can get the names of your outputs by running: swaymsg -t get_outputs
set $main_screen HDMI-A-1
output $main_screen scale 1
#bindswitch lid:on output $main_screen disable
#bindswitch lid:off output $main_screen enable
bindsym $mod+Shift+x output $main_screen toggle
# TODO when using more monitors
## Manual management of external displays
# Set the shortcuts and what they do
#set $mode_display HDMI (i) top, (j) left, (k) bottom, (l) right, (o) off
#mode "$mode_display" {
# bindsym i output HDMI-A-1 enable; output HDMI-A-1 pos 0 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 1080, mode "default"
# bindsym j output HDMI-A-1 enable; output HDMI-A-1 pos 0 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 1920 0, mode "default"
# bindsym k output HDMI-A-1 enable; output HDMI-A-1 pos 0 900 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 0, mode "default"
# bindsym l output HDMI-A-1 enable; output HDMI-A-1 pos 1440 0 bg ~/Pictures/wallpapers/active.png fill; output eDP-1 pos 0 0, mode "default"
# bindsym o output HDMI-A-1 disable, mode "default"
#
# # back to normal: Enter or Escape
# bindsym Return mode "default"
# bindsym Escape mode "default"
#}
## Declare here the shortcut to bring the display selection menu
#bindsym $mod+x mode "$mode_display"


@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./ryzensun.nix
./hardware-configuration.nix
./networking.nix
];
}


@ -1,41 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/bad2e49e-c8e7-4516-a6f8-77db999d12b0";
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/ef6c5bb0-0bcf-4af4-bbc9-02c849999e54";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2C62-C8B5";
fsType = "vfat";
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,175 +0,0 @@
{
networking = {
hosts = {
"10.0.0.42" = [
"nomad.service.consul"
"nomad.service.cgn-1.consul"
];
"10.0.0.66" = [ "consul.service.cgn-1.consul" ];
"10.0.1.9" = [ "consul.service.lev-1.consul" ];
"10.0.0.70" = [
"vault.service.consul"
"vault.service.cgn-1.consul"
];
"10.0.0.200" = [ "headnode.cgn-1" ];
"10.0.0.201" = [ "cn01.cgn-1" ];
"10.0.0.202" = [ "cn02.cgn-1" ];
"10.0.0.205" = [ "cn05.cgn-1" ];
"10.0.0.206" = [ "cn06.cgn-1" ];
"10.0.0.207" = [ "cn07.cgn-1" ];
"10.0.0.208" = [ "cn08.cgn-1" ];
"10.0.1.200" = [ "headnode.lev-1" ];
"10.0.1.201" = [ "cn01.lev-1" ];
"10.0.1.202" = [ "cn02.lev-1" ];
"10.0.1.203" = [ "cn03.lev-1" ];
"10.0.1.204" = [ "cn04.lev-1" ];
"10.0.1.205" = [ "cn05.lev-1" ];
"10.0.1.206" = [ "cn00.lev-1" ];
"10.0.1.207" = [ "cn06.lev-1" ];
"10.0.1.208" = [ "cn07.lev-1" ];
};
interfaces.enp4s0.wakeOnLan.enable = true;
wireguard.enable = true;
wg-quick.interfaces = {
wg0 = {
address = [ "10.8.8.7/32" ];
privateKeyFile = "/etc/wireguard/wg0.privatekey";
peers = [
{
publicKey = "l0DJLicCrcrixNP6zAWTXNSEaNM2jML253BXEZ1KpiU=";
allowedIPs = [
"10.8.8.16/32"
"10.0.0.0/24"
"10.88.88.0/24"
];
endpoint = "85.88.23.16:51820";
persistentKeepalive = 25;
}
];
};
wg1 = {
address = [ "10.11.11.6/32" ];
privateKeyFile = "/etc/wireguard/wg1.privatekey";
mtu = 1300;
peers = [
{
publicKey = "7RRgfZSneqAtAHBeI6+aaYLqz9e1jikg/lIK8mhW928=";
presharedKeyFile = "/etc/wireguard/wg1.presharedkey";
allowedIPs = [
"10.11.11.0/24"
"192.168.1.0/24"
"10.0.1.0/24"
];
endpoint = "80.71.153.1:51820";
#persistentKeepalive = 16;
}
];
};
wg2 = {
address = [ "10.7.6.204/32" ];
privateKeyFile = "/etc/wireguard/wg2.privatekey";
peers = [
{
# nachtigall.pub.solar
publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
allowedIPs = [
"10.7.6.1/32"
"fd00:fae:fae:fae:fae:1::/96"
];
#endpoint = "138.201.80.102:51820";
endpoint = "[2a01:4f8:172:1c25::1]:51820";
persistentKeepalive = 15;
}
{
# metronom.pub.solar
publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
allowedIPs = [
"10.7.6.3/32"
"fd00:fae:fae:fae:fae:3::/96"
];
endpoint = "49.13.236.167:51820";
#endpoint = "[2a01:4f8:c2c:7082::]:51820";
persistentKeepalive = 15;
}
{
# tankstelle.pub.solar
publicKey = "iRTlY1lB7nPXf2eXzX8ZZDkfMmXyGjff5/joccbP8Cg=";
allowedIPs = [
"10.7.6.4/32"
"fd00:fae:fae:fae:fae:4::/96"
];
#endpoint = "80.244.242.5:51820";
endpoint = "[2001:4d88:1ffa:26::5]:51820";
persistentKeepalive = 15;
}
{
# trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
allowedIPs = [
"10.7.6.5/32"
"fd00:fae:fae:fae:fae:5::/96"
];
#endpoint = "85.215.152.22:51820";
endpoint = "[2a01:239:35d:f500::1]:51820";
persistentKeepalive = 15;
}
{
# delite.pub.solar
publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k=";
allowedIPs = [
"10.7.6.6/32"
"fd00:fae:fae:fae:fae:6::/96"
];
#endpoint = "80.244.242.5:51820";
endpoint = "[2a04:52c0:124:9d8c::2]:51820";
persistentKeepalive = 15;
}
{
# blue-shell.pub.solar
publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8=";
allowedIPs = [
"10.7.6.7/32"
"fd00:fae:fae:fae:fae:7::/96"
];
#endpoint = "80.244.242.5:51820";
endpoint = "[2a03:4000:43:24e::1]:51820";
persistentKeepalive = 15;
}
];
};
#wg1 = {
# address = [ "10.13.0.1/32" ];
# privateKeyFile = "/etc/wireguard/wg1.privatekey";
# mtu = 1412;
# peers = [
# {
# publicKey = "XS3TTIMU7Jp3JJANBpE14RsVDJk6/VUvZgjQgQP8kAs=";
# allowedIPs = [ "10.13.0.100/32" "192.168.188.0/24" ];
# endpoint = "[2a00:6020:48ad:dd00:dea6:32ff:fe85:3306]:51820";
# persistentKeepalive = 25;
# }
# ];
#};
#wg2 = {
# address = [ "10.6.6.4/32" ];
# privateKeyFile = "/etc/wireguard/wg2.privatekey";
# peers = [
# {
# publicKey = "nYMmaCIW8lZ7SokivN8HXxYDch+SS1G7ab1SC9meDAw=";
# presharedKeyFile = "/etc/wireguard/wg2.presharedkey";
# allowedIPs = [ "10.6.6.1/32" "10.1.1.0/24" ];
# endpoint = "85.88.23.127:51820";
# persistentKeepalive = 16;
# }
# ];
#};
};
};
}


@ -1,88 +0,0 @@
{
config,
pkgs,
lib,
flake,
...
}:
let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
config = {
age.secrets.docker-ci-runner-secrets = {
file = "${flake.self}/secrets/docker-ci-runner-secrets.age";
mode = "600";
owner = "999";
};
pub-solar.terminal-life.full = true;
#pub-solar.docker-ci-runner = {
# enable = false;
# runnerEnvironment = {
# DRONE_RUNNER_CAPACITY = "1";
# DRONE_RUNNER_LABELS = "hosttype:baremetal";
# };
# runnerVarsFile = config.age.secrets.docker-ci-runner-secrets.path;
#};
boot.kernelParams = [ "amd_pstate=active" ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# Required for WakeOnLan
boot.initrd = {
availableKernelModules = [ "r8169" ];
network = {
enable = true;
udhcpc.enable = true;
flushBeforeStage2 = true;
ssh = {
enable = true;
# To prevent ssh clients from freaking out because a different host key is used,
# a different port for ssh is useful (assuming the same host has also a regular sshd running)
port = 2222;
# Please create this manually the first time.
# sudo ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = psCfg.user.publicKeys;
};
postCommands = ''
# Automatically ask for the password on SSH login
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
'';
};
};
services.fstrim.enable = true;
services.tailscale.enable = true;
services.openssh = {
enable = true;
openFirewall = true;
allowSFTP = true;
};
networking.hostName = "ryzensun";
hardware.keyboard.uhk.enable = true;
hardware.cpu.amd.updateMicrocode = true;
home-manager.users."${psCfg.user.name}".xdg.configFile = {
"sway/config.d/10-custom-keybindings.conf".source = ./.config/sway/config.d/custom-keybindings.conf;
"sway/config.d/autostart.conf".source = ./.config/sway/config.d/autostart.conf;
"sway/config.d/input-defaults.conf".source = ./.config/sway/config.d/input-defaults.conf;
"sway/config.d/screens.conf".source = ./.config/sway/config.d/screens.conf;
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.05"; # Did you read the comment?
};
}


@ -1,5 +0,0 @@
{ lib }:
hostnames: {
"127.0.0.1" = hostnames;
"::1" = hostnames;
}


@ -1,21 +1,21 @@
let
lock = builtins.fromJSON (
builtins.readFile builtins.path {
path = ../../flake.lock;
name = "lockPath";
}
);
lock = builtins.fromJSON (builtins.readFile builtins.path {
path = ../../flake.lock;
name = "lockPath";
});
flake =
import
(fetchTarball {
(
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
})
{
src = builtins.path {
path = ../../.;
name = "projectRoot";
};
}
)
{
src = builtins.path {
path = ../../.;
name = "projectRoot";
};
};
in
flake
flake


@ -1,5 +1,4 @@
{ ... }:
let
{...}: let
inherit (default.inputs.nixos) lib;
host = configs.${hostname} or configs.PubSolarOS;
@ -7,4 +6,4 @@ let
default = (import ../.).defaultNix;
hostname = lib.fileContents /etc/hostname;
in
host
host


@ -1,20 +1,10 @@
{ lib, inputs, ... }:
{
# Configuration common to all Linux systems
flake = {
lib =
let
callLibs = file: import file { inherit lib; };
in
rec {
## Define your own library functions here!
#id = x: x;
## Or in files, containing functions that take {lib}
#foo = callLibs ./foo.nix;
## In configs, they can be used under "lib.our"
deploy = import ./deploy.nix { inherit inputs lib; };
addLocalHostname = callLibs ./add-local-hostname.nix;
};
};
}
{lib}:
lib.makeExtensible (self: let
callLibs = file: import file {lib = self;};
in rec {
## Define your own library functions here!
#id = x: x;
## Or in files, containing functions that take {lib}
#foo = callLibs ./foo.nix;
## In configs, they can be used under "lib.our"
})
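Review bot: The `rec { ... }` on the new side contains only commented-out examples, so `rec`, the `callLibs` binding and the `self` parameter of `lib.makeExtensible` are all unused; either drop them until a real function is added or keep it minimal as `lib.makeExtensible (self: { })` with the examples in a comment above. As written this side exports an empty library while the other side exported `deploy` and `addLocalHostname`, so any config that still references them under `lib.our` (as the comment suggests) would fail to evaluate here. The whole file is inside the hunk.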


@ -1,80 +0,0 @@
/*
The contents of this file are adapted from digga
https://github.com/divnix/digga
Licensed under the MIT license
*/
{ lib, inputs }:
let
getFqdn =
c:
let
net = c.config.networking;
fqdn =
if (net ? domain) && (net.domain != null) then "${net.hostName}.${net.domain}" else net.hostName;
in
fqdn;
in
{
mkDeployNodes =
systemConfigurations: extraConfig:
/*
*
Synopsis: mkNodes _systemConfigurations_ _extraConfig_
Generate the `nodes` attribute expected by deploy-rs
where _systemConfigurations_ are `nodes`.
_systemConfigurations_ should take the form of a flake's
_nixosConfigurations_. Note that deploy-rs does not currently support
deploying to darwin hosts.
_extraConfig_, if specified, will be merged into each of the
nodes' configurations.
Example _systemConfigurations_ input:
```
{
hostname-1 = {
fastConnection = true;
sshOpts = [ "-p" "25" ];
};
hostname-2 = {
sshOpts = [ "-p" "19999" ];
sshUser = "root";
};
}
```
*
*/
lib.recursiveUpdate (lib.mapAttrs (_: c: {
hostname = getFqdn c;
profiles.system =
let
system = c.pkgs.system;
# Unmodified nixpkgs
pkgs = import inputs.nixpkgs { inherit system; };
# nixpkgs with deploy-rs overlay but force the nixpkgs package
deployPkgs = import inputs.nixpkgs {
inherit system;
overlays = [
inputs.deploy-rs.overlays.default
(self: super: {
deploy-rs = {
inherit (pkgs) deploy-rs;
lib = super.deploy-rs.lib;
};
})
];
};
in
{
user = "root";
path = deployPkgs.deploy-rs.lib.activate.nixos c;
};
}) systemConfigurations) extraConfig;
}


@ -1,28 +0,0 @@
{
flake,
config,
pkgs,
lib,
...
}:
{
age.secrets."hosting-de-acme-secrets" = {
file = "${flake.self}/secrets/hosting-de-acme-secrets.age";
mode = "400";
owner = "acme";
};
security.acme = {
acceptTerms = true;
defaults = {
email = "jfw@miom.space";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsProvider = "hostingde";
dnsPropagationCheck = true;
environmentFile = config.age.secrets."hosting-de-acme-secrets".path;
group = "nginx";
webroot = null;
};
};
}


@ -1,121 +0,0 @@
{
lib,
pkgs,
config,
...
}:
let
inherit (lib)
getExe
mkDefault
mkEnableOption
mkIf
mkOption
mkPackageOption
types
;
cfg = config.services.actual;
configFile = formatType.generate "config.json" cfg.settings;
dataDir = "/var/lib/actual";
formatType = pkgs.formats.json { };
in
{
options.services.actual = {
enable = mkEnableOption "actual, a privacy focused app for managing your finances";
package = mkPackageOption pkgs "actual-server" { };
openFirewall = mkOption {
default = false;
type = types.bool;
description = "Whether to open the firewall for the specified port.";
};
settings = mkOption {
default = { };
description = "Server settings, refer to (the documentation)[https://actualbudget.org/docs/config/] for available options.";
type = types.submodule {
freeformType = formatType.type;
options = {
hostname = mkOption {
type = types.str;
description = "The address to listen on";
default = "::";
};
port = mkOption {
type = types.port;
description = "The port to listen on";
default = 3000;
};
};
config = {
serverFiles = mkDefault "${dataDir}/server-files";
userFiles = mkDefault "${dataDir}/user-files";
dataDir = mkDefault dataDir;
};
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.settings.port ];
systemd.services.actual = {
description = "Actual server, a local-first personal finance app";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment.ACTUAL_CONFIG_PATH = configFile;
serviceConfig = {
ExecStart = getExe cfg.package;
DynamicUser = true;
User = "actual";
Group = "actual";
StateDirectory = "actual";
WorkingDirectory = dataDir;
LimitNOFILE = "1048576";
PrivateTmp = true;
PrivateDevices = true;
StateDirectoryMode = "0700";
Restart = "always";
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
#MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@pkey"
];
UMask = "0077";
};
};
};
meta.maintainers = [
lib.maintainers.oddlama
lib.maintainers.patrickdag
];
}


@ -1,16 +0,0 @@
{
lib,
config,
pkgs,
...
}:
let
psCfg = config.pub-solar;
in
{
programs.adb.enable = true;
users.users."${psCfg.user.name}" = {
extraGroups = [ "adbusers" ];
};
}


@ -4,15 +4,24 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
users.users."${psCfg.user.name}" = {
extraGroups = [ "dialout" ];
packages = with pkgs; [
arduino
arduino-cli
];
cfg = config.pub-solar.devops;
in {
options.pub-solar.arduino = {
enable = mkEnableOption "Life with home automation";
};
config = mkIf cfg.enable {
users.users = pkgs.lib.setAttrByPath [psCfg.user.name] {
extraGroups = ["dialout"];
};
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
arduino
arduino-cli
];
};
};
}
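Review bot: `cfg = config.pub-solar.devops;` gates this module on the devops option, but the option it declares is `pub-solar.arduino`, so `config = mkIf cfg.enable { ... }` never follows `pub-solar.arduino.enable`; it should read `cfg = config.pub-solar.arduino;`. The module function starts above the hunk. Separately, `with lib; let` replaces explicit `lib.`-qualified names here and in the audio, core boot/default, hibernation, i18n, networking, packages and crypto sections below; pulling all of `lib` into scope hides which functions a module depends on and lets later bindings shadow them silently, so `inherit (lib) mkEnableOption mkIf;` is the more explicit form. The `home-manager = with pkgs; pkgs.lib.setAttrByPath ...` pattern (also in audio and crypto) opens `with pkgs;` and then still writes `pkgs.lib`, so one of the two is redundant.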


@ -4,52 +4,117 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.audio;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in
{
users.users."${psCfg.user.name}" = {
extraGroups = [ "audio" ];
packages = with pkgs; [
# easyeffects, e.g. for microphone noise filtering
easyeffects
mu
pavucontrol
pa_applet
playerctl
# Needed for pactl cmd, until pw-cli is more mature (vol up/down hotkeys?)
pulseaudio
vimpc
];
in {
options.pub-solar.audio = {
enable = mkEnableOption "Life in highs and lows";
mopidy.enable = mkEnableOption "Life with mopidy";
spotify.enable = mkEnableOption "Life in DRM";
spotify.username = mkOption {
description = "Spotify login username or email";
type = types.str;
example = "yourname@example.com";
default = "";
};
bluetooth.enable = mkEnableOption "Life with bluetooth";
};
home-manager.users."${psCfg.user.name}" = {
xdg.configFile."vimpc/vimpcrc".source = ./.config/vimpc/vimpcrc;
systemd.user.services.easyeffects = import ./easyeffects.service.nix pkgs;
};
config = mkIf cfg.enable {
users.users = pkgs.lib.setAttrByPath [psCfg.user.name] {
extraGroups = ["audio"];
};
# rtkit is optional but recommended
security.rtkit.enable = true;
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages =
[
# easyeffects, e.g. for microphone noise filtering
easyeffects
mu
pavucontrol
pa_applet
playerctl
# Needed for pactl cmd, until pw-cli is more mature (vol up/down hotkeys?)
pulseaudio
vimpc
]
++ (
if cfg.spotify.enable
then [pkgs.spotify-tui]
else []
);
xdg.configFile."vimpc/vimpcrc".source = ./.config/vimpc/vimpcrc;
systemd.user.services.easyeffects = import ./easyeffects.service.nix pkgs;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Config-PipeWire#setting-sample-rates
extraConfig.pipewire = {
"10-clock-rate" = {
"context.properties" = {
default = {
"clock.rate" = 48000; # Pipewire default
"clock.allowed-rates" = [
44100
48000
];
services.spotifyd = mkIf cfg.spotify.enable {
enable = true;
settings = {
global = {
username = cfg.spotify.username;
password_cmd = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus ${pkgs.libsecret}/bin/secret-tool lookup spotify password";
bitrate = 320;
volume_normalisation = true;
no_audio_cache = false;
max_cache_size = 1000000000;
};
};
};
};
# rtkit is optional but recommended
security.rtkit.enable = true;
# Enable sound using pipewire-pulse, default config:
# https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/src/daemon/pipewire.conf.in
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
# Make pulseaudio listen on port 4713 for mopidy, extending the default
# config: https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/src/daemon/pipewire-pulse.conf.in
environment.etc = mkIf cfg.mopidy.enable {
"pipewire/pipewire-pulse.conf.d/99-custom.conf".text = ''
{
"context.modules": [
{
"name": "libpipewire-module-protocol-pulse",
"args": {
"server.address": ["unix:native", "tcp:4713"],
"vm.overrides": {
"pulse.min.quantum": "1024/48000"
}
}
}
]
}
'';
};
# Enable bluetooth
hardware.bluetooth = mkIf cfg.bluetooth.enable {
enable = true;
# Disable bluetooth on startup to save battery
powerOnBoot = false;
# Disable useless SIM Access Profile plugin
disabledPlugins = [
"sap"
];
settings = {
General = {
# Enables experimental features and interfaces.
# Makes BlueZ Battery Provider available
Experimental = true;
};
};
};
services.blueman.enable = mkIf cfg.bluetooth.enable true;
# Enable audio server & client
services.mopidy = mkIf cfg.mopidy.enable ((import ./mopidy.nix) pkgs);
};
}
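Review bot: `"server.address": ["unix:native", "tcp:4713"]` in the pipewire-pulse override makes the PulseAudio protocol listen on every interface rather than only loopback; the only consumer visible is mopidy's `pulsesink server=127.0.0.1:4713`, so `"tcp:127.0.0.1:4713"` would serve it without exposing an unauthenticated audio socket to the LAN (the host firewall enabled in networking.nix limits the exposure today, but binding to loopback does not depend on it). The spotifyd `password_cmd` also hard-codes `/run/user/1001/bus`, which breaks on any host where `psCfg.user.name` does not get UID 1001; if the user has a fixed `users.users.<name>.uid` use that, otherwise let `secret-tool` find the session bus itself. The module function starts above the hunk.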

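--- /dev/null
+++ b/modules/audio/mopidy.nix
@@ -0,0 +1,18 @@
+pkgs: {
+enable = true;
+extensionPackages = with pkgs; [
+mopidy-mpd
+mopidy-soundcloud
+mopidy-youtube
+mopidy-local
+mopidy-jellyfin
+];
+configuration = ''
+[mpd]
+hostname = ::
+[audio]
+output = pulsesink server=127.0.0.1:4713
+'';
+}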
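Review bot: `hostname = ::` in the `[mpd]` section makes mopidy's MPD frontend listen on all interfaces, and no `password` is configured, so anyone who can reach the MPD port controls playback and the library; if only local clients are expected, `hostname = 127.0.0.1` (or `::1`) is the safer default, and if remote clients are intended the mopidy-mpd `password` setting should be set alongside it. The `[audio]` output targets `127.0.0.1:4713`, which matches the pipewire-pulse TCP listener that the audio module enables under `pub-solar.audio.mopidy.enable`; a short comment here naming that dependency would help the next reader, e.g. `# pipewire-pulse listens on tcp:4713 only when pub-solar.audio.mopidy.enable is set`.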


@ -1,36 +0,0 @@
{
lib,
config,
pkgs,
...
}:
{
hardware.bluetooth = {
enable = true;
# Disable bluetooth on startup to save battery
powerOnBoot = false;
package = pkgs.bluez-experimental;
# Disable useless SIM Access Profile plugin
disabledPlugins = [ "sap" ];
settings = {
General = {
# Enables experimental features and interfaces.
# Makes BlueZ Battery Provider available
Experimental = true;
};
};
};
services.blueman.enable = true;
services.pipewire.wireplumber.configPackages = [
# https://pipewire.pages.freedesktop.org/wireplumber/daemon/configuration/bluetooth.html
(pkgs.writeTextDir "share/wireplumber/wireplumber.conf.d/10-bluez.conf" ''
monitor.bluez.properties = {
bluez5.enable-hw-volume = true
bluez5.enable-msbc = false
bluez5.enable-sbc-xq = true
bluez5.headset-roles = [ hsp_hs hsp_ag hfp_hf hfp_ag ]
}
'')
];
}


@ -0,0 +1,45 @@
{
lib,
config,
pkgs,
self,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.ci-runner;
in {
options.pub-solar.ci-runner = {
enable = mkEnableOption "Enables a systemd service that runs drone-ci-runner";
};
config = mkIf cfg.enable {
systemd.user.services.ci-runner = {
enable = true;
description = "CI runner for the PubSolarOS repository that can run test VM instances with KVM.";
serviceConfig = {
Type = "simple";
Restart = "always";
};
path = [
pkgs.git
pkgs.nix
pkgs.libvirt
];
wantedBy = ["multi-user.target"];
after = ["network.target" "libvirtd.service"];
script = ''${pkgs.drone-runner-exec}/bin/drone-runner-exec daemon /run/agenix/drone-runner-exec-config'';
};
age.secrets."drone-runner-exec-config" = {
file = "${self}/secrets/drone-runner-exec-config";
mode = "700";
owner = psCfg.user.name;
};
};
}
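Review bot: `wantedBy = ["multi-user.target"]` on `systemd.user.services.ci-runner` names a system target that, as far as I know, does not exist in the per-user manager, so the install link points at a target that is never reached and the runner will not start automatically; user units are normally wanted by `default.target`. Likewise `after = ["network.target" "libvirtd.service"]` cannot order a user unit against system units, so the libvirtd dependency is documentation only. The script hard-codes `/run/agenix/drone-runner-exec-config` instead of `config.age.secrets."drone-runner-exec-config".path`, and `mode = "700"` gives a config file an execute bit it does not need; `"600"` is enough since `owner` is already `psCfg.user.name`. The whole file is inside the hunk.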


@ -4,21 +4,30 @@
lib,
...
}:
let
with lib; let
cfg = config.pub-solar.core;
in
{
options.pub-solar.core.disk-encryption-active = lib.mkOption {
type = lib.types.bool;
in {
options.pub-solar.core.iso-options.enable = mkOption {
type = types.bool;
default = false;
description = "Feature flag for iso builds";
};
options.pub-solar.core.disk-encryption-active = mkOption {
type = types.bool;
default = true;
description = "Whether it should be assumed that there is a cryptroot device";
};
config = {
boot = {
# Enable plymouth for better experience of booting
plymouth.enable = mkIf (!cfg.lite) (lib.mkDefault true);
# Mount / luks device in initrd
# Allow fstrim to work on it.
initrd = lib.mkIf cfg.disk-encryption-active {
# The ! makes this enabled by default
initrd = mkIf (!cfg.iso-options.enable && cfg.disk-encryption-active) {
luks.devices."cryptroot" = {
allowDiscards = true;
};
@ -27,10 +36,10 @@ in
loader.systemd-boot.enable = lib.mkDefault true;
# Use latest LTS linux kernel by default
kernelPackages = lib.mkDefault pkgs.linuxPackages_6_12;
kernelPackages = lib.mkDefault pkgs.linuxPackages_6_1;
# Support ntfs drives
supportedFilesystems = [ "ntfs" ];
supportedFilesystems = ["ntfs"];
};
};
}
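Review bot: The comment `# The ! makes this enabled by default` above `initrd = mkIf (!cfg.iso-options.enable && cfg.disk-encryption-active)` explains only the first operand; the block is also skipped when `disk-encryption-active` is false. Something like `# Configure the luks cryptroot in initrd unless building an ISO or disk encryption is disabled` describes the whole condition. The module function starts above the first hunk.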


@ -1,35 +1,42 @@
{ config, lib, ... }:
let
cfg = config.pub-solar.core;
psCfg = config.pub-solar;
in
{
config,
lib,
...
}:
with lib; let
cfg = config.pub-solar.core;
in {
imports = [
./boot.nix
./hibernation.nix
./fonts.nix
./i18n.nix
./networking.nix
./nix.nix
./packages.nix
./services.nix
];
# Service that makes Out of Memory Killer more effective
services.earlyoom.enable = true;
services.logind.lidSwitch = "hibernate";
services.tor.settings = {
UseBridges = true;
options.pub-solar.core = {
lite = mkOption {
description = ''
Enable a lite edition of core with less default modules and a reduced package set.
'';
default = false;
type = types.bool;
};
};
# The options below are directly taken from or inspired by
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
config = {
pub-solar = {
audio.enable = mkIf (!cfg.lite) (mkDefault true);
crypto.enable = mkIf (!cfg.lite) (mkDefault true);
devops.enable = mkIf (!cfg.lite) (mkDefault true);
# Limit the use of sudo to the group wheel
security.sudo.execWheelOnly = true;
# Remove the complete default environment of packages like
# nano, perl and rsync
environment.defaultPackages = lib.mkForce [ ];
# fileSystems."/".options = [ "noexec" ];
terminal-life = {
enable = mkDefault true;
lite = cfg.lite;
};
};
};
}
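Review bot: The new `config` block sets only `pub-solar.*` sub-module defaults and no longer carries the host hardening present on the other side (`security.sudo.execWheelOnly = true;` and `environment.defaultPackages = lib.mkForce [ ];`), so on this side the sudo binary is executable by every local account and the default package set returns; if that is deliberate the commit message should say so, otherwise keep at least `security.sudo.execWheelOnly = true;` under `config`. The `lite` option is documented, but the effect of `lite` on `audio`, `crypto`, `devops` and `terminal-life` is only visible by reading the `mkIf (!cfg.lite)` lines, so a sentence in its `description` naming the modules it switches off would help. The whole file is inside the hunk.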

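--- /dev/null
+++ b/modules/core/fonts.nix
@@ -0,0 +1,14 @@
+{
+config,
+pkgs,
+lib,
+...
+}: {
+fonts = {
+fonts = with pkgs; [powerline-fonts dejavu_fonts];
+fontconfig.defaultFonts = {
+monospace = ["DejaVu Sans Mono for Powerline"];
+sansSerif = ["DejaVu Sans"];
+};
+};
+}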
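Review bot: `fonts.fonts = with pkgs; [powerline-fonts dejavu_fonts];` uses the option name that newer NixOS releases renamed to `fonts.packages`, where the old name survives only as a rename alias that warns at evaluation time; depending on the nixpkgs pinned in flake.lock this file may emit that warning or stop evaluating, and `fonts.packages = with pkgs; [powerline-fonts dejavu_fonts];` is the forward-compatible form. The `config` and `lib` arguments are declared but unused and can be dropped.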


@ -4,11 +4,9 @@
lib,
...
}:
let
with lib; let
cfg = config.pub-solar.core.hibernation;
inherit (lib) mkOption types mkIf;
in
{
in {
options.pub-solar.core.hibernation = {
enable = mkOption {
type = types.bool;
@ -32,9 +30,7 @@ in
config = {
boot = mkIf cfg.enable {
resumeDevice = mkIf (cfg.resumeDevice != null) cfg.resumeDevice;
kernelParams = mkIf (cfg.resumeOffset != null) [
"resume_offset=${builtins.toString cfg.resumeOffset}"
];
kernelParams = mkIf (cfg.resumeOffset != null) ["resume_offset=${builtins.toString cfg.resumeOffset}"];
};
};
}


@ -4,7 +4,7 @@
lib,
...
}:
{
with lib; {
config = {
# Set your time zone.
time.timeZone = "Europe/Berlin";
@ -15,11 +15,6 @@
};
i18n = {
defaultLocale = "en_US.UTF-8";
supportedLocales = [
"C.UTF-8/UTF-8"
"en_US.UTF-8/UTF-8"
"de_DE.UTF-8/UTF-8"
];
};
};
}


@ -1,40 +1,85 @@
{
flake,
config,
pkgs,
lib,
...
}:
{
# disable NetworkManager and systemd-networkd -wait-online by default
systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;
with lib; let
cfg = config.pub-solar.core;
in {
options.pub-solar.core = {
enableCaddy = mkOption {
type = types.bool;
default = !cfg.lite;
};
enableHelp = mkOption {
type = types.bool;
default = !cfg.lite;
};
networking.networkmanager = {
# Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
enable = if config.programs.sway.enable then lib.mkDefault true else false;
# not as stable as wpa_supplicant yet, also more trouble with 5 GHz networks
#wifi.backend = "iwd";
binaryCaches = mkOption {
type = types.listOf types.str;
default = [];
description = "Binary caches to use.";
};
publicKeys = mkOption {
type = types.listOf types.str;
default = [];
description = "Public keys of binary caches.";
};
};
config = {
# disable NetworkManager and systemd-networkd -wait-online by default
systemd.services.NetworkManager-wait-online.enable = lib.mkDefault false;
systemd.services.systemd-networkd-wait-online.enable = lib.mkDefault false;
networking.firewall.enable = true;
networking.networkmanager = {
# Enable networkmanager. REMEMBER to add yourself to group in order to use nm related stuff.
enable = true;
wifi.backend = "iwd";
};
# For rage encryption, all hosts need a ssh key pair
services.openssh = {
enable = true;
allowSFTP = lib.mkDefault false;
networking.firewall.enable = true;
openFirewall = lib.mkDefault false;
# Customized binary caches list (with fallback to official binary cache)
nix.settings.substituters = cfg.binaryCaches;
nix.settings.trusted-public-keys = cfg.publicKeys;
settings.PasswordAuthentication = lib.mkDefault false;
settings.KbdInteractiveAuthentication = false;
# These entries get added to /etc/hosts
networking.hosts = {
"127.0.0.1" =
[]
++ lib.optionals cfg.enableCaddy ["caddy.local"]
++ lib.optionals config.pub-solar.printing.enable ["cups.local"]
++ lib.optionals cfg.enableHelp ["help.local"];
};
extraConfig = ''
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
# Caddy reverse proxy for local services like cups
services.caddy = {
enable = lib.mkDefault cfg.enableCaddy;
globalConfig = lib.mkDefault ''
default_bind 127.0.0.1
auto_https off
'';
extraConfig = lib.mkDefault (concatStringsSep "\n" [
(lib.optionalString
config.pub-solar.printing.enable
''
cups.local:80 {
request_header Host localhost:631
reverse_proxy unix//run/cups/cups.sock
}
'')
(lib.optionalString
cfg.enableHelp
''
help.local:80 {
root * ${pkgs.psos-docs}/lib/html
file_server
}
'')
]);
};
};
}
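Review bot: `nix.settings.substituters = cfg.binaryCaches;` and `nix.settings.trusted-public-keys = cfg.publicKeys;` are fed from options whose defaults are `[]`, yet the comment above calls this a "Customized binary caches list (with fallback to official binary cache)"; nothing visible appends the official cache or its key, so whether an empty list keeps or clears Nix's built-in default depends on how NixOS renders an empty `substituters` entry — worth verifying, and either append the official cache and key explicitly or reword the comment. `enableCaddy` and `enableHelp` are declared without a `description`, unlike `binaryCaches`/`publicKeys` next to them; one line each (e.g. `description = "Run a loopback-only Caddy reverse proxy for local services.";`) keeps the options self-documenting. The whole file is inside the hunk.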

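--- /dev/null
+++ b/modules/core/nix.nix
@@ -0,0 +1,32 @@
+{
+config,
+pkgs,
+lib,
+inputs,
+...
+}: {
+nix = {
+# Use default version alias for nix package
+package = pkgs.nix;
+gc.automatic = true;
+optimise.automatic = true;
+settings = {
+# Improve nix store disk usage
+auto-optimise-store = true;
+# Prevents impurities in builds
+sandbox = true;
+# Give root and @wheel special privileges with nix
+trusted-users = ["root" "@wheel"];
+# Allow only group wheel to connect to the nix daemon
+allowed-users = ["@wheel"];
+};
+# Generally useful nix option defaults
+extraOptions = lib.mkForce ''
+experimental-features = flakes nix-command
+min-free = 536870912
+keep-outputs = true
+keep-derivations = true
+fallback = true
+'';
+};
+}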
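Review bot: `trusted-users = ["root" "@wheel"];` grants every wheel member the trusted-user privileges of the Nix daemon, which Nix documents as effectively equivalent to root, since a trusted user can add arbitrary substituters and signing keys or import unsigned store paths; combined with `allowed-users = ["@wheel"]` it means every account allowed to talk to the daemon is fully trusted. Unless every host needs wheel users to push unsigned closures, keep the base at `trusted-users = lib.mkDefault ["root"];` and let the hosts that need more widen it. `extraOptions = lib.mkForce ''...''` also prevents any host from appending its own nix.conf lines without replacing this whole block; `nix.extraOptions` merges by concatenation, so a plain assignment (or `lib.mkDefault`) composes better.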


@ -4,30 +4,76 @@
lib,
...
}:
let
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.core;
in
{
environment.systemPackages = with pkgs; [
# Core unix utility packages
coreutils-full
diffutils
dnsutils
exfat
file
findutils
inetutils
lsof
progress
pciutils
usbutils
in {
environment = {
systemPackages = with pkgs;
[
# Core unix utility packages
coreutils-full
dnsutils
inetutils
progress
pciutils
usbutils
gitMinimal
wget
openssl
openssh
curl
htop
btop
lsof
psmisc
file
btop
mtr
nmap
nload
];
# zippit
zip
unzip
# Modern modern utilities
p7zip
croc
jq
]
++ lib.optionals (!cfg.lite) [
mtr
gitFull
git-lfs
git-bug
xdg-utils
sysfsutils
renameutils
nfs-utils
moreutils
mailutils
keyutils
input-utils
elfutils
binutils
dateutils
diffutils
findutils
exfat
# Nix specific utilities
alejandra
niv
manix
nix-index
nix-tree
nixpkgs-review
# Build broken, python2.7-PyJWT-2.0.1.drv' failed
#nixops
psos
nvd
# Fun
neofetch
];
};
}
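Review bot: `btop` appears to be listed twice in the base `systemPackages` set on the new side (once after `htop`, again after `file`); a duplicate in a Nix list is harmless at evaluation but one entry should go. The comment `# Build broken, python2.7-PyJWT-2.0.1.drv' failed` above `#nixops` records a derivation name with no date or issue link, so nobody can tell when re-enabling is safe; either drop the stale entry or reference the tracking issue. The module function starts above the hunk.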

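--- /dev/null
+++ b/modules/core/services.nix
@@ -0,0 +1,18 @@
+{
+config,
+pkgs,
+lib,
+...
+}: {
+# For rage encryption, all hosts need a ssh key pair
+services.openssh = {
+enable = true;
+# If you don't want the host to have SSH actually opened up to the net,
+# set `services.openssh.openFirewall` to false in your config.
+openFirewall = lib.mkDefault true;
+settings.PasswordAuthentication = lib.mkDefault false;
+};
+# Service that makes Out of Memory Killer more effective
+services.earlyoom.enable = true;
+}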
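Review bot: `settings.PasswordAuthentication = lib.mkDefault false;` on its own does not disable password logins, because the NixOS default for `settings.KbdInteractiveAuthentication` is true and PAM keyboard-interactive accepts the same passwords; add `settings.KbdInteractiveAuthentication = lib.mkDefault false;` next to it. Since `openFirewall = lib.mkDefault true` opens port 22 on every host that imports core, the comment above it should also say that hosts which are not meant to be reachable need to override this, and the `config` and `pkgs` arguments are unused and can be dropped.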


@ -4,29 +4,42 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
services.udev.packages = [ pkgs.yubikey-personalization ];
services.dbus.packages = [ pkgs.gcr ];
services.pcscd.enable = true;
cfg = config.pub-solar.crypto;
in {
options.pub-solar.crypto = {
enable = mkEnableOption "Life in private";
};
services.gnome.gnome-keyring.enable = true;
config = mkIf cfg.enable {
services.udev.packages = [pkgs.yubikey-personalization];
services.dbus.packages = [pkgs.gcr];
services.pcscd.enable = true;
users.users."${psCfg.user.name}".packages = with pkgs; [ libsecret ];
services.gnome.gnome-keyring.enable = true;
home-manager.users."${psCfg.user.name}" = {
systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs;
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
systemd.user.services.polkit-gnome-authentication-agent = import ./polkit-gnome-authentication-agent.service.nix pkgs;
services.gpg-agent = {
enable = true;
pinentryPackage = lib.mkDefault pkgs.pinentry-gnome3;
verbose = true;
};
services.gpg-agent = {
enable = true;
pinentryFlavor = "gnome3";
verbose = true;
};
programs.gpg = {
enable = true;
};
programs.gpg = {
enable = true;
};
home.packages = [
gnome.seahorse
keepassxc
libsecret
qMasterPassword
restic
];
};
};
}


@ -1,15 +1,15 @@
pkgs: {
Unit = {
Description = "Legacy polkit authentication agent for GNOME";
Documentation = [ "https://gitlab.freedesktop.org/polkit/polkit/" ];
BindsTo = [ "sway-session.target" ];
After = [ "sway-session.target" ];
Documentation = ["https://gitlab.freedesktop.org/polkit/polkit/"];
BindsTo = ["sway-session.target"];
After = ["sway-session.target"];
};
Service = {
Type = "simple";
ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
};
Install = {
WantedBy = [ "sway-session.target" ];
WantedBy = ["sway-session.target"];
};
}


@ -1,285 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.ddclient;
boolToStr = bool: if bool then "yes" else "no";
dataDir = "/var/lib/ddclient";
StateDirectory = builtins.baseNameOf dataDir;
RuntimeDirectory = StateDirectory;
usev4 = if cfg.usev4 != "" then "usev4=${cfg.usev4}" else "";
usev6 = if cfg.usev6 != "" then "usev6=${cfg.usev6}" else "";
configFile' = pkgs.writeText "ddclient.conf" ''
# This file can be used as a template for configFile or is automatically generated by Nix options.
use=no
${usev4}
${usev6}
cache=${dataDir}/ddclient.cache
foreground=yes
login=${cfg.username}
password=${
if cfg.protocol == "nsupdate" then
"/run/${RuntimeDirectory}/ddclient.key"
else
"@password_placeholder@"
}
protocol=${cfg.protocol}
${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
${lib.optionalString (cfg.zone != "") "zone=${cfg.zone}"}
ssl=${boolToStr cfg.ssl}
wildcard=yes
quiet=${boolToStr cfg.quiet}
verbose=${boolToStr cfg.verbose}
${cfg.extraConfig}
${lib.concatStringsSep "," cfg.domains}
'';
configFile = if (cfg.configFile != null) then cfg.configFile else configFile';
preStart = ''
install --mode=600 --owner=$USER ${configFile} /run/${RuntimeDirectory}/ddclient.conf
${lib.optionalString (cfg.configFile == null) (
if (cfg.protocol == "nsupdate") then
''
install --mode=600 --owner=$USER ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key
''
else if (cfg.passwordFile != null) then
''
"${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf"
''
else
''
sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf
''
)}
'';
in
with lib;
{
disabledModules = [ "services/networking/ddclient.nix" ];
imports = [
(mkChangedOptionModule
[
"services"
"ddclient"
"domain"
]
[
"services"
"ddclient"
"domains"
]
(
config:
let
value = getAttrFromPath [
"services"
"ddclient"
"domain"
] config;
in
if value != "" then [ value ] else [ ]
)
)
(mkRemovedOptionModule [
"services"
"ddclient"
"homeDir"
] "")
(mkRemovedOptionModule [
"services"
"ddclient"
"password"
] "Use services.ddclient.passwordFile instead.")
];
###### interface
options = {
services.ddclient = with lib.types; {
enable = mkOption {
default = false;
type = bool;
description = lib.mdDoc ''
Whether to synchronise your machine's IP address with a dynamic DNS provider (e.g. dyndns.org).
'';
};
package = mkOption {
type = package;
default = pkgs.ddclient;
defaultText = lib.literalExpression "pkgs.ddclient";
description = lib.mdDoc ''
The ddclient executable package run by the service.
'';
};
domains = mkOption {
default = [ "" ];
type = listOf str;
description = lib.mdDoc ''
Domain name(s) to synchronize.
'';
};
username = mkOption {
# For `nsupdate` username contains the path to the nsupdate executable
default = lib.optionalString (
config.services.ddclient.protocol == "nsupdate"
) "${pkgs.bind.dnsutils}/bin/nsupdate";
defaultText = "";
type = str;
description = lib.mdDoc ''
User name.
'';
};
passwordFile = mkOption {
default = null;
type = nullOr str;
description = lib.mdDoc ''
A file containing the password or a TSIG key in named format when using the nsupdate protocol.
'';
};
interval = mkOption {
default = "10min";
type = str;
description = lib.mdDoc ''
The interval at which to run the check and update.
See {command}`man 7 systemd.time` for the format.
'';
};
configFile = mkOption {
default = null;
type = nullOr path;
description = lib.mdDoc ''
Path to configuration file.
When set this overrides the generated configuration from module options.
'';
example = "/root/nixos/secrets/ddclient.conf";
};
protocol = mkOption {
default = "dyndns2";
type = str;
description = lib.mdDoc ''
Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols).
'';
};
server = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
Server address.
'';
};
ssl = mkOption {
default = true;
type = bool;
description = lib.mdDoc ''
Whether to use SSL/TLS to connect to dynamic DNS provider.
'';
};
quiet = mkOption {
default = false;
type = bool;
description = lib.mdDoc ''
Print no messages for unnecessary updates.
'';
};
script = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
script as required by some providers.
'';
};
usev4 = mkOption {
default = "webv4, webv4=checkip.dyndns.com/, webv4-skip='Current IP Address: '";
type = str;
description = lib.mdDoc ''
Method to determine the IP address to send to the dynamic DNS provider.
'';
};
usev6 = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
Method to determine the IP address to send to the dynamic DNS provider.
'';
};
verbose = mkOption {
default = false;
type = bool;
description = lib.mdDoc ''
Print verbose information.
'';
};
zone = mkOption {
default = "";
type = str;
description = lib.mdDoc ''
zone as required by some providers.
'';
};
extraConfig = mkOption {
default = "";
type = lines;
description = lib.mdDoc ''
Extra configuration. Contents will be added verbatim to the configuration file.
::: {.note}
`daemon` should not be added here because it does not work great with the systemd-timer approach the service uses.
:::
'';
};
};
};
###### implementation
config = mkIf config.services.ddclient.enable {
systemd.services.ddclient = {
description = "Dynamic DNS Client";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartTriggers = optional (cfg.configFile != null) cfg.configFile;
serviceConfig = {
DynamicUser = true;
RuntimeDirectoryMode = "0700";
inherit RuntimeDirectory;
inherit StateDirectory;
Type = "oneshot";
ExecStartPre = "!${pkgs.writeShellScript "ddclient-prestart" preStart}";
ExecStart = "${lib.getBin cfg.package}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
};
};
systemd.timers.ddclient = {
description = "Run ddclient";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = cfg.interval;
OnUnitInactiveSec = cfg.interval;
};
};
};
}


@ -1,43 +0,0 @@
{ self, inputs, ... }:
{
flake = {
nixosModules = rec {
acme = import ./acme;
actual = import ./actual;
audio = import ./audio;
bluetooth = import ./bluetooth;
core = import ./core;
crypto = import ./crypto;
desktop-extended = import ./desktop-extended;
docker = import ./docker;
#email = import ./email;
forgejo-actions-runner = import ./forgejo-actions-runner;
#gaming = import ./gaming;
graphical = import ./graphical;
invoiceplane = import ./invoiceplane;
nix = import ./nix;
nextcloud = import ./nextcloud;
office = import ./office;
printing = import ./printing;
terminal-life = import ./terminal-life;
user = import ./user;
virtualisation = import ./virtualisation;
#wireguard-client = import ./wireguard-client;
base.imports = [
self.nixosModules.home-manager
inputs.agenix.nixosModules.default
inputs.lix-module.nixosModules.default
self.nixosModules.overlays
self.nixosModules.core
self.nixosModules.crypto
self.nixosModules.nix
self.nixosModules.terminal-life
self.nixosModules.root
self.nixosModules.user
];
};
};
}


@ -1,35 +0,0 @@
{ config, pkgs, ... }:
let
psCfg = config.pub-solar;
in
{
users.users."${psCfg.user.name}".packages = with pkgs; [
ungoogled-chromium
gimp
inkscape
tigervnc
nodejs_20
signal-desktop
tdesktop
element-desktop
];
fonts = {
packages = with pkgs; [
dejavu_fonts
fira-code
fira-code-symbols
#google-fonts
lato
montserrat
nerdfonts
noto-fonts
noto-fonts-cjk-sans
open-sans
powerline-fonts
source-sans-pro
];
};
}


@ -0,0 +1,30 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.devops;
in {
options.pub-solar.devops = {
enable = mkEnableOption "Life automated";
};
config = mkIf cfg.enable {
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
drone-cli
nmap
pgcli
ansible
ansible-lint
restic
shellcheck
terraform
];
};
};
}
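Review bot: `mkEnableOption "Life automated"` yields the generated description "Whether to enable Life automated.", which tells a reader nothing about what `pub-solar.devops.enable` actually does; the only effect visible here is adding the tool list to the user's home packages, so name that, e.g. `mkEnableOption "the devops tool set (drone-cli, nmap, pgcli, ansible, ansible-lint, restic, shellcheck, terraform) in the user's home-manager profile"`. Minor style point: `home-manager = with pkgs; pkgs.lib.setAttrByPath …` reaches `lib` through `pkgs` although `lib` is a module argument and `with lib;` is already in scope, so `setAttrByPath` alone would do.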


@ -0,0 +1,114 @@
{
lib,
config,
pkgs,
self,
...
}:
with lib; let
bootstrap = pkgs.writeScript "bootstrap.sh" ''
#!/usr/bin/env bash
set -e
apt update
apt install --yes curl git sudo xz-utils
adduser --system --uid 999 build
chown build /nix
sudo -u build curl -L https://nixos.org/nix/install > install
sudo -u build sh install
echo "export PATH=/nix/var/nix/profiles/per-user/build/profile/bin:''$PATH" >> /etc/profile
mkdir /etc/nix
echo 'experimental-features = nix-command flakes' >> /etc/nix/nix.conf
export nix_user_config_file="/home/build/.local/share/nix/trusted-settings.json"
mkdir -p $(dirname \\$nix_user_config_file)
echo '{"extra-experimental-features":{"nix-command flakes":true}}' > \\$nix_user_config_file
chown -R build /home/build/
curl -L https://github.com/drone-runners/drone-runner-exec/releases/latest/download/drone_runner_exec_linux_amd64.tar.gz | tar xz
sudo install -t /usr/local/bin drone-runner-exec
if [ ! -f /run/vars ]; then
exit 1
fi
cp -a /run/vars /run/runtime-vars
env | grep "DRONE" >> /run/runtime-vars
su - -s /bin/bash build sh -c "/usr/local/bin/drone-runner-exec daemon /run/runtime-vars"
'';
psCfg = config.pub-solar;
cfg = config.pub-solar.docker-ci-runner;
in {
options.pub-solar.docker-ci-runner = {
enable = lib.mkEnableOption "Enables a docker container running a drone exec runner as unprivileged user.";
enableKvm = lib.mkOption {
description = ''
Enable kvm support.
'';
default = true;
type = types.bool;
};
nixCacheLocation = lib.mkOption {
description = ''
Location of nix cache that is shared between builds
'';
default = "/var/lib/docker-ci-runner";
type = types.path;
};
runnerEnvironment = lib.mkOption {
description = ''
Additional environment vars added to the vars file on container runtime
'';
default = {};
};
runnerVarsFile = lib.mkOption {
description = ''
Location of vars file passed to drone runner
'';
type = types.path;
};
};
config = lib.mkIf cfg.enable {
virtualisation = {
docker = {
enable = true; # sadly podman is not supported rightnow
};
oci-containers = {
backend = "docker";
containers."drone-exec-runner" = {
image = "debian";
autoStart = true;
entrypoint = "bash";
cmd = ["/bootstrap.sh"];
volumes = [
"${cfg.runnerVarsFile}:/run/vars"
"${cfg.nixCacheLocation}:/nix"
"${bootstrap}:/bootstrap.sh"
];
environment = cfg.runnerEnvironment;
extraOptions = lib.mkIf cfg.enableKvm ["--device=/dev/kvm"];
};
};
};
# Fix container not stopping correctly and holding the system 120s upon
# shutdown / reboot
systemd.services.docker-drone-exec-runner.preStop = ''
docker stop drone-exec-runner
'';
};
}
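Review bot: The bootstrap script at the top of this file executes unverified downloads as root (the `debian` image's default user): the Nix installer is fetched with `curl -L` and run with no checksum or signature check, and `drone-runner-exec` is pulled from the floating `releases/latest` URL and piped straight into `tar xz` before `sudo install`, so the runner binary silently changes whenever upstream publishes a release and a tampered download runs with full rights in the container; `image = "debian"` is likewise an unpinned tag. With `set -e` but no `set -o pipefail`, a failed `curl` in that pipeline is not even treated as an error. Pin the runner to an explicit version plus a sha256 (as new `runnerVersion`/`runnerSha256` options) and verify it before installing, pin the image by digest, and add `-o pipefail`; the rewritten fetch lines are below. Separately, `chown build /nix` makes the host-mounted store that `nixCacheLocation` documents as "shared between builds" writable by every CI job running as `build`, so one pipeline can poison what later builds consume — worth stating in that option's description. The `mkdir -p $(dirname \\$nix_user_config_file)` line also appears to leave a literal backslash in the path (backslash is not an escape inside a Nix `''` string), so the trusted-settings file likely lands in the wrong directory — verify in a running container.

```nix
    set -eo pipefail
    # … unchanged: apt install, build user, Nix installer, nix.conf …
    curl -fsSL -o /tmp/runner.tar.gz \
      "https://github.com/drone-runners/drone-runner-exec/releases/download/${cfg.runnerVersion}/drone_runner_exec_linux_amd64.tar.gz"
    echo "${cfg.runnerSha256}  /tmp/runner.tar.gz" | sha256sum -c -
    tar -xzf /tmp/runner.tar.gz -C /tmp drone-runner-exec
    sudo install -t /usr/local/bin /tmp/drone-runner-exec
    # … unchanged: vars file check, runtime-vars, runner start …
```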


@ -4,15 +4,24 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
virtualisation.docker.enable = true;
users.users."${psCfg.user.name}" = {
extraGroups = [ "docker" ];
cfg = config.pub-solar.docker;
in {
options.pub-solar.docker = {
enable = mkEnableOption "Life in metal boxes";
};
environment.systemPackages = with pkgs; [ docker-compose ];
config = mkIf cfg.enable {
virtualisation.docker.enable = true;
virtualisation.docker.package = pkgs.docker_24;
users.users = with pkgs;
pkgs.lib.setAttrByPath [psCfg.user.name] {
extraGroups = ["docker"];
};
environment.systemPackages = with pkgs; [
docker-compose
];
};
}
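Review bot: `extraGroups = ["docker"]` (present on both sides of this hunk, so not introduced here) makes the configured user root-equivalent, because membership grants unrestricted access to the daemon socket; a comment saying so would stop this module reading as a harmless convenience toggle, e.g. `# NOTE: docker group membership is root-equivalent (full access to the daemon socket)`. Reading the lower half as the new side, `users.users = with pkgs; pkgs.lib.setAttrByPath …` opens a `with pkgs` scope that nothing in the expression uses, and `virtualisation.docker.package = pkgs.docker_24` pins one major version without a reason, so a one-line comment on why it is pinned would tell the next reader when it can be dropped.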


@ -4,58 +4,30 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
users.users."${psCfg.user.name}".packages = with pkgs; [
w3m
urlscan
neomutt
offlineimap
msmtp
mailto-mutt
];
cfg = config.pub-solar.email;
in {
options.pub-solar.email = {
enable = mkEnableOption "Life in headers";
};
home-manager.users."${psCfg.user.name}" = {
programs.offlineimap = {
enable = true;
pythonFile = builtins.readFile ./offlineimap.py;
};
config = mkIf cfg.enable {
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
w3m
urlscan
neomutt
offlineimap
msmtp
mailto-mutt
];
xdg.configFile."mutt/muttrc".source = ./.config/mutt/muttrc;
xdg.configFile."mutt/base16.muttrc".source = ./.config/mutt/base16.muttrc;
xdg.configFile."mutt/mailcap".source = ./.config/mutt/mailcap;
xdg.configFile."offlineimap/functions.py".source = ./.config/offlineimap/functions.py;
xdg.configFile."mutt/accounts.muttrc".text = ''
source ./hello@benjaminbaedorf.eu.muttrc
macro index <f1> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/hello@benjaminbaedorf.eu.muttrc<enter><change-folder>!<enter>'
macro index <f2> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/benjamin.baedorf@rwth-aachen.de.muttrc<enter><change-folder>!<enter>'
macro index <f3> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/byb@miom.space.muttrc<enter><change-folder>!<enter>'
macro index <f4> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/mail@b12f.io.muttrc<enter><change-folder>!<enter>'
macro index <f5> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/admins@pub.solar.muttrc<enter><change-folder>!<enter>'
macro index <f6> '<sync-mailbox><enter-command>source $XDG_CONFIG_HOME/mutt/crew@pub.solar.muttrc<enter><change-folder>!<enter>'
'';
xdg.configFile."mutt/hello@benjaminbaedorf.eu.muttrc".source =
./.config/mutt + "/hello@benjaminbaedorf.eu.muttrc";
xdg.configFile."mutt/benjamin.baedorf@rwth-aachen.de.muttrc".source =
./.config/mutt + "/benjamin.baedorf@rwth-aachen.de.muttrc";
xdg.configFile."mutt/hello@benjaminbaedorf.eu.signature".source =
./.config/mutt + "/hello@benjaminbaedorf.eu.signature";
xdg.configFile."mutt/byb@miom.space.muttrc".source = ./.config/mutt + "/byb@miom.space.muttrc";
xdg.configFile."mutt/byb@miom.space.signature".source =
./.config/mutt + "/byb@miom.space.signature";
xdg.configFile."mutt/mail@b12f.io.muttrc".source = ./.config/mutt + "/mail@b12f.io.muttrc";
xdg.configFile."mutt/mail@b12f.io.signature".source = ./.config/mutt + "/mail@b12f.io.signature";
xdg.configFile."mutt/admins@pub.solar.muttrc".source = ./.config/mutt + "/admins@pub.solar.muttrc";
xdg.configFile."mutt/admins@pub.solar.signature".source =
./.config/mutt + "/admins@pub.solar.signature";
xdg.configFile."mutt/crew@pub.solar.muttrc".source = ./.config/mutt + "/crew@pub.solar.muttrc";
xdg.configFile."mutt/crew@pub.solar.signature".source =
./.config/mutt + "/crew@pub.solar.signature";
xdg.configFile."offlineimap/config".source = ./.config/offlineimap/config;
xdg.configFile."msmtp/config".source = ./.config/msmtp/config;
programs.offlineimap = {
enable = true;
pythonFile = builtins.readFile ./offlineimap.py;
};
};
};
}


@ -1,58 +0,0 @@
{
config,
pkgs,
lib,
flake,
...
}:
let
hostname = config.networking.hostName;
in
{
age.secrets."forgejo-actions-runner-token.age" = {
file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
mode = "440";
};
# Trust docker bridge interface traffic
# Needed for the docker runner to communicate with the act_runner cache
networking.firewall.trustedInterfaces = [ "br-+" ];
users.users.gitea-runner = {
home = "/var/lib/gitea-runner/${hostname}";
useDefaultShell = true;
group = "gitea-runner";
# Required to interact with nix daemon
extraGroups = [ "wheel" ];
isSystemUser = true;
};
users.groups.gitea-runner = { };
systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ];
systemd.services."gitea-runner-${hostname}" = {
serviceConfig.DynamicUser = lib.mkForce false;
};
# forgejo actions runner
# https://forgejo.org/docs/latest/admin/actions/
# https://docs.gitea.com/usage/actions/quickstart
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances."${hostname}" = {
enable = true;
name = hostname;
url = "https://git.pub.solar";
tokenFile = config.age.secrets."forgejo-actions-runner-token.age".path;
labels = [
# provide a debian 12 bookworm base with Node.js for actions
"debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
# fake the ubuntu name, commonly used in actions examples
"ubuntu-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
# alpine with Node.js
"alpine-latest:docker://node:20-alpine"
];
};
};
}


@ -4,17 +4,28 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
programs.steam.enable = true;
nixpkgs.config.packageOverrides = pkgs: { steam = pkgs.steam.override { }; };
cfg = config.pub-solar.gaming;
in {
options.pub-solar.gaming = {
enable = mkEnableOption "Life in shooters";
};
users.users."${psCfg.user.name}".packages = with pkgs; [
playonlinux
godot
obs-studio
obs-studio-plugins.wlrobs
];
config = mkIf cfg.enable {
programs.steam.enable = true;
nixpkgs.config.packageOverrides = pkgs: {
steam = pkgs.steam.override {};
};
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
playonlinux
godot
obs-studio
obs-studio-plugins.wlrobs
];
};
};
}


@ -1,12 +0,0 @@
{
"positionX": "right",
"positionY": "top",
"timeout": 10,
"timeout-low": 5,
"timeout-critical": 0,
"notification-window-width": 500,
"keyboard-shortcuts": true,
"image-visibility": "always",
"transition-time": 200,
"hide-on-clear": false
}


@ -1,149 +0,0 @@
/*
* vim: ft=less
*/
@define-color border-color rgb(7, 7, 7);
@define-color bg rgb(58, 58, 58);
@define-color bg-hover rgb(68, 68, 68);
@define-color bg-focus rgba(68, 68, 68, 0.6);
@define-color bg-selected rgb(0, 128, 255);
.notification-row {
outline: none;
}
.notification-row:focus,
.notification-row:hover {
background: @bg-focus;
}
.notification {
border-radius: 10px;
margin: 6px 12px;
box-shadow: 0px 2px 4px 2px rgba(0, 0, 0, 0.3);
padding: 0;
}
.notification-content {
background: transparent;
padding: 6px;
border-radius: 10px;
}
.close-button {
background: black;
color: white;
text-shadow: none;
padding: 0 2px;
box-shadow: 0px 2px 4px 2px rgba(0, 0, 0, 0.3);
border-radius: 100%;
}
.close-button:hover {
background: rgb(30, 30, 30);
transition: all 0.15s ease-in-out;
}
.notification-default-action,
.notification-action {
padding: 4px;
margin: 0;
box-shadow: none;
background: @bg;
border: 1px solid @border-color;
}
.notification-default-action:hover,
.notification-action:hover {
background: @bg-hover;
}
.notification-default-action {
border-radius: 10px;
}
/* When alternative actions are visible */
.notification-default-action:not(:only-child) {
border-bottom-left-radius: 0px;
border-bottom-right-radius: 0px;
}
.notification-action {
border-radius: 0px;
border-top: none;
border-right: none;
}
/* add bottom border radius to eliminate clipping */
.notification-action:first-child {
border-bottom-left-radius: 10px;
}
.notification-action:last-child {
border-bottom-right-radius: 10px;
border-right: 1px solid @border-color;
}
.image {
}
.body-image {
margin-top: 6px;
background-color: white;
border-radius: 10px;
}
.summary {
color: white;
text-shadow: none;
}
.time {
color: white;
text-shadow: none;
}
.body {
background: transparent;
color: white;
text-shadow: none;
}
.top-action-title {
color: white;
text-shadow: none;
}
.control-center-clear-all {
color: white;
text-shadow: none;
background: @bg;
border: 1px solid @border-color;
box-shadow: none;
border-radius: 10px;
}
.control-center-clear-all:hover {
background: @bg-hover;
}
.control-center-dnd {
border-radius: 10px;
background: @bg;
border: 1px solid @border-color;
box-shadow: none;
}
.control-center-dnd:checked {
background: @bg-selected;
}
.control-center-dnd slider {
background: @bg-hover;
}
.control-center {
background: rgba(0, 0, 0, 0.7);
}
.control-center-list {
background: transparent;
}
.floating-notifications {
background: transparent;
}


@ -1,149 +0,0 @@
{
"layer": "top", // Waybar at top layer
// "position": "bottom", // Waybar position (top|bottom|left|right)
"height": 26, // Waybar height
"modules-left": ["sway/workspaces", "sway/mode"],
"modules-center": ["network"],
"modules-right": [
"sway/language",
"pulseaudio",
"idle_inhibitor",
"backlight",
"battery",
"clock",
"tray"
],
"sway/workspaces": {
"disable-scroll": true
},
"sway/mode": {
"tooltip": false,
"format": "{}"
},
"sway/window": {
"tooltip": false,
"max-length": 96
},
"sway/language": {
"format": "{}",
"max-length": 50
},
"tray": {
"icon-size": 21,
"spacing": 10
},
"clock": {
"tooltip-format": "<tt><small>{calendar}</small></tt>",
"format": "{:%H:%M} ",
//"format-alt": "{:%a %d. %h %H:%M} ",
//"on-scroll": {
// "calendar": 1
//}
"format-alt": "{:%A, %d. %B %Y %R} ",
"locale": "de_DE.UTF-8",
"smooth-scrolling-threshold": 1.0,
"calendar": {
"mode-mon-col" : 3,
"on-scroll": -1,
"on-click-right": "mode",
"format": {
"months": "<span color='#ffead3'><b>{}</b></span>",
"days": "<span color='#ecc6d9'><b>{}</b></span>",
"weekdays": "<span color='#ffcc66'><b>{}</b></span>",
"today": "<span color='#ff6699'><b><u>{}</u></b></span>"
},
},
"actions": {
"on-click-right": "mode",
"on-click-forward": "tz_up",
"on-click-backward": "tz_down",
"on-scroll-up": "shift_up",
"on-scroll-down": "shift_down"
}
},
"backlight": {
"device": "acpi_video0",
"format": "<span font='10'>{percent}%</span> {icon}",
"format-icons": ["", ""]
},
"cpu": {
"format": "{}% "
},
"memory": {
"format": "{}% "
},
"idle_inhibitor": {
"format": "{icon} ",
"format-icons": {
"activated": "",
"deactivated": ""
}
},
"battery": {
"tooltip": false,
"states": {
"critical": 25
},
//"full-at": 84,
"format": "{icon}<span font='10'> {capacity}%</span>",
"format-full": "{icon}",
"format-icons": ["", "", "", "", ""],
},
"network": {
"interval": 3,
"tooltip": true,
//"interface": "wlp4s0", // (Optional) To force the use of this interface   \uF2E7,
"format-wifi": "<span font='10'></span> \uf062 {bandwidthUpBits} | \uf063 {bandwidthDownBits}",
"format-ethernet": "<span font='10'></span> \uf062 {bandwidthUpBits} | \uf063 {bandwidthDownBits}",
"format-disconnected": "",
"tooltip-format-wifi": "{essid} ({signalStrength}%)  {ipaddr}",
"tooltip-format-ethernet": "{ifname}  {ipaddr}"
},
//\ue04f{volume}%
"pulseaudio": {
"tooltip": false,
"format": "<span font='10'>{volume}%</span> {icon}",
"format-bluetooth": "{volume}%<span font='10'> {icon}</span>",
"format-muted": "",
"on-click": "pavucontrol",
"format-alt": "{volume}% <span font='10'>{icon}</span>",
"format-icons": {
"headphones": "",
"handsfree": "",
"headset": "",
"phone": "",
"portable": "",
"car": "",
"default": ["","", ""]
}
},
"mpd": {
"format": "{artist} - {title} <span color=\"#999999\">[<span color=\"#ffffff\">{elapsedTime:%M:%S}</span> / {totalTime:%M:%S}]</span>",
"format-disconnected": "",
"format-stopped": "",
"interval": 1,
"state-icons": {
"paused": "",
"playing": ""
},
"tooltip-format": "MPD (connected)",
"tooltip-format-disconnected": "MPD (disconnected)"
},
"custom/notification": {
"tooltip": false,
"format": " {icon}",
"format-icons": {
"notification": "<span foreground='red'><sup></sup></span>",
"none": "",
"dnd-notification": "<span foreground='red'><sup></sup></span>",
"dnd-none": ""
},
"return-type": "json",
"exec-if": "which swaync-client",
"exec": "swaync-client -swb",
"on-click": "swaync-client -t -sw",
"on-click-right": "swaync-client -d -sw",
"escape": true
},
}


@ -30,6 +30,9 @@
multiplier = 3;
};
# When true, bold text is drawn using the bright variant of colors.
draw_bold_text_with_bright_colors = true;
font = {
# The normal (roman) font face to use.
normal = {
@ -52,7 +55,7 @@
style = "Italic";
};
size = 12.0;
size = 16.0;
offset = {
x = 0;
@ -65,17 +68,7 @@
};
};
keyboard.bindings = [
{
key = "V";
mods = "Control|Super";
action = "Paste";
}
{
key = "C";
mods = "Control|Super";
action = "Copy";
}
key_bindings = [
{
key = "V";
mods = "Control|Alt";
@ -94,6 +87,16 @@
key = "Copy";
action = "Copy";
}
{
key = "Q";
mods = "Command";
action = "Quit";
}
{
key = "W";
mods = "Command";
action = "Quit";
}
{
key = "Insert";
mods = "Shift";
@ -159,9 +162,6 @@
# Base16 Burn 256 - alacritty color config
# Benjamin Bädorf
colors = {
# When true, bold text is drawn using the bright variant of colors.
draw_bold_text_with_bright_colors = true;
# Default colors
primary = {
background = "0x1a181a";



@ -4,30 +4,47 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
tomlFormat = pkgs.formats.toml { };
sessionVariables = {
WLR_RENDERER = if psCfg.graphical.wayland.software-renderer.enable then "pixman" else "";
# Fix KeepassXC rendering issue
# https://github.com/void-linux/void-packages/issues/23517
QT_AUTO_SCREEN_SCALE_FACTOR = "0";
};
in
{
imports = [ ./sway ];
cfg = config.pub-solar.graphical;
yamlFormat = pkgs.formats.yaml {};
recursiveMerge = attrList: let
f = attrPath:
zipAttrsWith (
n: values:
if tail values == []
then head values
else if all isList values
then unique (concatLists values)
else if all isAttrs values
then f (attrPath ++ [n]) values
else last values
);
in
f [] attrList;
in {
options.pub-solar.graphical = {
wayland.software-renderer.enable = lib.mkOption {
type = lib.types.bool;
enable = mkEnableOption "Life in color";
alacritty = {
settings = mkOption {
type = yamlFormat.type;
default = {};
};
};
autologin.enable = mkOption {
type = types.bool;
default = true;
description = "Feature flag enabling autologin after boot.";
};
wayland.software-renderer.enable = mkOption {
type = types.bool;
default = false;
description = "Feature flag enabling wlroots software renderer, useful in VMs";
};
};
config = {
hardware.graphics.enable = true;
config = mkIf cfg.enable {
hardware.opengl.enable = true;
environment = {
systemPackages = with pkgs; [
gtk-engine-murrine
@ -39,21 +56,15 @@ in
glib
];
etc = {
"xdg/PubSolar.conf".text = ''
[Qt]
style=GTK+
'';
};
variables = sessionVariables;
};
services.getty = {
autologinUser = psCfg.user.name;
autologinOnce = true;
};
services.getty.autologinUser = mkIf cfg.autologin.enable (mkForce "${psCfg.user.name}");
qt = {
enable = true;
@ -61,105 +72,88 @@ in
style = "gtk2";
};
services.udev.packages = with pkgs; [ gnome-settings-daemon ];
# Required for running Gnome apps outside the Gnome DE, see https://nixos.wiki/wiki/GNOME#Running_GNOME_programs_outside_of_GNOME
programs.dconf.enable = true;
services.udev.packages = with pkgs; [gnome3.gnome-settings-daemon];
# Enable Sushi, a quick previewer for nautilus
services.gnome.sushi.enable = true;
# Enable GVfs, a userspace virtual filesystem
services.gvfs.enable = true;
services.yubikey-agent.enable = true;
fonts = {
packages = with pkgs; [
dejavu_fonts
powerline-fonts
tt2020
];
enableDefaultPackages = true;
fontconfig.enable = true;
fontconfig.defaultFonts = {
monospace = [ "DejaVu Sans Mono for Powerline" ];
sansSerif = [ "DejaVu Sans" ];
};
};
users.users."${psCfg.user.name}".packages = with pkgs; [
alacritty
firefox-wayland
flameshot
adwaita-icon-theme
eog
nautilus
seahorse
yelp
hicolor-icon-theme
keepassxc
qMasterPassword-wayland
libnotify
vlc
fonts.enableDefaultFonts = true;
fonts.fonts = with pkgs; [
fira-code
fira-code-symbols
google-fonts
lato
montserrat
nerdfonts
noto-fonts
noto-fonts-cjk
open-sans
powerline-fonts
source-sans-pro
];
home-manager.users."${psCfg.user.name}" = {
home.file."xinitrc".source = ./.xinitrc;
xdg.configFile."alacritty/alacritty.toml".source = tomlFormat.generate "alacritty.toml" (import ./alacritty.nix);
xdg.configFile."xmodmap".source = ./.config/xmodmap;
xdg.configFile."user-dirs.dirs".source = ./.config/user-dirs.dirs;
xdg.configFile."user-dirs.locale".source = ./.config/user-dirs.locale;
xdg.configFile."xsettingsd/xsettingsd.conf".source = ./.config/xsettingsd/xsettingsd.conf;
xdg.configFile."mako/config".source = ./.config/mako/config;
xdg.configFile."libinput-gestures.conf".source = ./.config/libinput-gestures.conf;
xdg.configFile."swaync/config.json".source = ./.config/swaync/config.json;
xdg.configFile."swaync/style.css".source = ./.config/swaync/style.css;
xdg.configFile."waybar/config".source = ./.config/waybar/config;
xdg.configFile."waybar/style.css".source = ./.config/waybar/style.css;
xdg.configFile."waybar/colorscheme.css".source = ./.config/waybar/colorscheme.css;
xdg.configFile."wallpaper.jpg".source = ./assets/wallpaper.jpg;
home-manager = with pkgs;
setAttrByPath ["users" psCfg.user.name] {
home.packages = [
alacritty
foot
ungoogled-chromium
firefox-wayland
# Required for running Gnome apps outside the Gnome DE, see
# https://nixos.wiki/wiki/GNOME#Running_GNOME_programs_outside_of_GNOME
dconf = {
enable = true;
settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
flameshot
libnotify
gnome.adwaita-icon-theme
gnome.eog
gnome.nautilus
gnome.yelp
hicolor-icon-theme
wine
toggle-kbd-layout
wcwd
vlc
gimp
];
xdg.configFile."alacritty/alacritty.yml" = {
source = yamlFormat.generate "alacritty.yml" (recursiveMerge [(import ./alacritty.nix) cfg.alacritty.settings]);
};
gtk = {
enable = true;
font.name = "Lato";
iconTheme = {
package = pkgs.papirus-icon-theme;
name = "Papirus-Adapta-Nokto-Maia";
};
theme = {
package = pkgs.matcha-gtk-theme;
name = "Matcha-dark-aliz";
};
gtk3.extraConfig = {
gtk-xft-antialias = "1";
gtk-xft-hinting = "1";
gtk-xft-hintstyle = "hintfull";
gtk-xft-rgba = "rgb";
gtk-application-prefer-dark-theme = "true";
};
};
# Fix KeepassXC rendering issue
# https://github.com/void-linux/void-packages/issues/23517
systemd.user.sessionVariables.QT_AUTO_SCREEN_SCALE_FACTOR = "0";
xresources.extraConfig = builtins.readFile ./.Xdefaults;
systemd.user.services.network-manager-applet = import ./network-manager-applet.service.nix pkgs;
};
gtk = {
enable = true;
font.name = "Lato";
iconTheme = {
package = pkgs.papirus-icon-theme;
name = "Papirus-Adapta-Nokto-Maia";
};
theme = {
package = pkgs.matcha-gtk-theme;
name = "Matcha-dark-aliz";
};
gtk3.extraConfig = {
gtk-xft-antialias = "1";
gtk-xft-hinting = "1";
gtk-xft-hintstyle = "hintfull";
gtk-xft-rgba = "rgb";
gtk-application-prefer-dark-theme = "true";
};
gtk4.extraConfig = {
gtk-xft-antialias = "1";
gtk-xft-hinting = "1";
gtk-xft-hintstyle = "hintfull";
gtk-xft-rgba = "rgb";
gtk-application-prefer-dark-theme = "true";
};
};
xresources.extraConfig = builtins.readFile ./.Xdefaults;
systemd.user.services.network-manager-applet = import ./network-manager-applet.service.nix pkgs;
home.sessionVariables = sessionVariables;
systemd.user.sessionVariables = sessionVariables;
};
};
}
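Review bot: Reading the lower halves of these hunks as the new side, `autologin.enable` defaults to `true` and `services.getty.autologinUser` is applied with `mkForce`, so every host that enables `pub-solar.graphical` gets a passwordless console login for `psCfg.user.name` unless it explicitly opts out, and any host-level `autologinUser` value is silently overridden. Flipping the default to `false` is the safer choice; if it must stay `true`, the description should at least spell out the consequence, e.g. `description = "Log the pub-solar user into the console automatically at boot without a password prompt; disable on multi-user or physically exposed hosts.";`, and the `mkForce` deserves a comment on why it has to win over other modules. The enclosing `config = mkIf cfg.enable { … }` opens in an earlier hunk of this section.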


@ -1,15 +1,15 @@
pkgs: {
Unit = {
Description = "Network Manager applet";
BindsTo = [ "sway-session.target" ];
After = [ "sway-session.target" ];
BindsTo = ["sway-session.target"];
After = ["sway-session.target"];
# ConditionEnvironment requires systemd v247 to work correctly
ConditionEnvironment = [ "WAYLAND_DISPLAY" ];
ConditionEnvironment = ["WAYLAND_DISPLAY"];
};
Service = {
ExecStart = "${pkgs.networkmanagerapplet}/bin/nm-applet --sm-disable --indicator";
};
Install = {
WantedBy = [ "sway-session.target" ];
WantedBy = ["sway-session.target"];
};
}


@ -1,39 +0,0 @@
{ pkgs, psCfg, ... }:
''
# Set shut down, restart and locking features
''
+ (
if psCfg.core.hibernation.enable then
''
set $mode_system (e)xit, (h)ibernate, (l)ock, (s)uspend, (r)eboot, (Shift+s)hutdown
''
else
''
set $mode_system (e)xit, (l)ock, (s)uspend, (r)eboot, (Shift+s)hutdown
''
)
+ ''
bindsym $mod+Ctrl+0 mode "$mode_system"
mode "$mode_system" {
bindsym e exec swaymsg exit, mode "default"
''
+ (
if psCfg.core.hibernation.enable then
''
bindsym h exec systemctl hibernate, mode "default"
''
else
""
)
+ ''
bindsym l exec ${pkgs.swaylock-bg}/bin/swaylock-bg, mode "default"
bindsym s exec systemctl suspend, mode "default"
bindsym r exec systemctl reboot, mode "default"
bindsym Shift+s exec systemctl poweroff, mode "default"
# exit system mode: "Enter" or "Escape"
bindsym Return mode "default"
bindsym Escape mode "default"
}
''


@ -1,9 +0,0 @@
{ psCfg, pkgs }:
"
address=0.0.0.0
enable_auth=true
username=${psCfg.user.name}
password=testtest
private_key_file=/run/agenix/vnc-key.pem
certificate_file=/run/agenix/vnc-cert.pem
"


@ -1,106 +0,0 @@
{
lib,
config,
pkgs,
flake,
...
}:
let
psCfg = config.pub-solar;
inherit (lib) mkIf mkOption types;
in
{
options.pub-solar.graphical = {
v4l2loopback.enable = mkOption {
type = types.bool;
default = false;
description = "WebCam streaming tool";
};
};
config = {
boot = mkIf psCfg.graphical.v4l2loopback.enable {
extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
kernelModules = [ "v4l2loopback" ];
extraModprobeConfig = ''
options v4l2loopback exclusive_caps=1 devices=3
'';
};
environment.systemPackages = mkIf psCfg.graphical.v4l2loopback.enable [
pkgs.linuxPackages.v4l2loopback
];
programs.sway.enable = true;
xdg.portal = {
enable = true;
wlr = {
enable = true;
settings = {
screencast = {
max_fps = 30;
chooser_type = "simple";
chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or";
};
};
};
extraPortals = with pkgs; [ xdg-desktop-portal-gtk ];
};
services.pipewire.enable = true;
users.users."${psCfg.user.name}".packages = with pkgs; [
sway
grim
kanshi
slurp
swaybg
swayidle
swaynotificationcenter
xwayland
libappindicator-gtk3
wl-clipboard
wl-mirror
wf-recorder
brightnessctl
gammastep
geoclue2
xsettingsd
ydotool
sway-launcher
record-screen
import-gtk-settings
# Unused on teutat3s hosts, see custom-keybindings.conf
#toggle-kbd-layout
s
wcwd
];
home-manager.users."${psCfg.user.name}" = {
programs.waybar.enable = true;
#programs.waybar.systemd.enable = true;
systemd.user.services.swaynotificationcenter = import ./swaynotificationcenter.service.nix pkgs;
systemd.user.services.sway = import ./sway.service.nix { inherit pkgs psCfg; };
systemd.user.services.swayidle = import ./swayidle.service.nix { inherit pkgs psCfg; };
systemd.user.services.xsettingsd = import ./xsettingsd.service.nix { inherit pkgs psCfg; };
systemd.user.services.waybar = import ./waybar.service.nix { inherit pkgs psCfg; };
systemd.user.targets.sway-session = import ./sway-session.target.nix { inherit pkgs psCfg; };
xdg.configFile."sway/config".text = import ./config/config.nix { inherit config pkgs; };
xdg.configFile."sway/config.d/colorscheme.conf".source = ./config/config.d/colorscheme.conf;
xdg.configFile."sway/config.d/theme.conf".source = ./config/config.d/theme.conf;
xdg.configFile."sway/config.d/gaps.conf".source = ./config/config.d/gaps.conf;
xdg.configFile."sway/config.d/custom-keybindings.conf".source = ./config/config.d/custom-keybindings.conf;
xdg.configFile."sway/config.d/mode_system.conf".text =
import ./config/config.d/mode_system.conf.nix
{ inherit pkgs psCfg; };
xdg.configFile."sway/config.d/applications.conf".source = ./config/config.d/applications.conf;
xdg.configFile."sway/config.d/systemd.conf".source = ./config/config.d/systemd.conf;
};
};
}


@ -1,10 +0,0 @@
{ pkgs, ... }:
{
Unit = {
Description = "sway compositor session";
Documentation = [ "man:systemd.special(7)" ];
BindsTo = [ "graphical-session.target" ];
Wants = [ "graphical-session-pre.target" ];
After = [ "graphical-session-pre.target" ];
};
}


@ -1,23 +0,0 @@
{ pkgs, psCfg, ... }:
{
Unit = {
Description = "Idle manager for Wayland";
Documentation = [ "man:swayidle(1)" ];
BindsTo = [ "graphical-session.target" ];
Wants = [ "graphical-session-pre.target" ];
After = [ "graphical-session-pre.target" ];
};
Service = {
Type = "simple";
ExecStart = ''
${pkgs.swayidle}/bin/swayidle -w \
timeout 300 '${pkgs.swaylock-bg}/bin/swaylock-bg' \
timeout 600 '${pkgs.sway}/bin/swaymsg "output * dpms off"' \
resume '${pkgs.sway}/bin/swaymsg "output * dpms on"' \
before-sleep '${pkgs.swaylock-bg}/bin/swaylock-bg'
'';
};
Install = {
WantedBy = [ "sway-session.target" ];
};
}


@ -1,21 +0,0 @@
pkgs: {
Unit = {
Description = "Swaync notification daemon";
Documentation = "https://github.com/ErikReider/SwayNotificationCenter";
BindsTo = [ "sway-session.target" ];
After = [ "sway-session.target" ];
Requisite = [ "graphical-session.target" ];
# ConditionEnvironment requires systemd v247 to work correctly
ConditionEnvironment = [ "WAYLAND_DISPLAY" ];
};
Service = {
Type = "dbus";
BusName = "org.freedesktop.Notifications";
ExecStart = "${pkgs.swaynotificationcenter}/bin/swaync";
ExecReload = "${pkgs.swaynotificationcenter}/bin/swaync-client --reload-config ; ${pkgs.swaynotificationcenter}/bin/swaync-client --reload-css";
Restart = "on-failure";
};
Install = {
WantedBy = [ "sway-session.target" ];
};
}


@ -1,11 +1,11 @@
{ config, ... }:
{
{config, ...}: {
home-manager.sharedModules = [
{
home.sessionVariables = {
inherit (config.environment.sessionVariables) NIX_PATH;
};
xdg.configFile."nix/registry.json".text = config.environment.etc."nix/registry.json".text;
xdg.configFile."nix/registry.json".text =
config.environment.etc."nix/registry.json".text;
}
];
}


@ -1,481 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
inherit (lib)
any
attrValues
boolToString
concatMapStringsSep
concatStrings
concatStringsSep
escapeShellArg
flatten
isBool
isInt
isList
isString
literalExpression
mapAttrs'
mapAttrsToList
mkDefault
mkEnableOption
mkIf
mkMerge
mkOption
nameValuePair
optionalString
types
;
cfg = config.services.invoiceplane;
eachSite = cfg.sites;
user = "invoiceplane";
webserver = config.services.${cfg.webserver};
invoiceplane-config =
hostName: cfg:
pkgs.writeText "ipconfig.php" ''
IP_URL=http://${hostName}
ENABLE_DEBUG=false
DISABLE_SETUP=false
REMOVE_INDEXPHP=false
DB_HOSTNAME=${cfg.database.host}
DB_USERNAME=${cfg.database.user}
# NOTE: file_get_contents adds newline at the end of returned string
DB_PASSWORD=${
optionalString (
cfg.database.passwordFile != null
) "trim(file_get_contents('${cfg.database.passwordFile}'), \"\\r\\n\")"
}
DB_DATABASE=${cfg.database.name}
DB_PORT=${toString cfg.database.port}
SESS_EXPIRATION=864000
ENABLE_INVOICE_DELETION=false
DISABLE_READ_ONLY=false
ENCRYPTION_KEY=
ENCRYPTION_CIPHER=AES-256
SETUP_COMPLETED=false
REMOVE_INDEXPHP=true
'';
mkPhpValue =
v:
if isString v then
escapeShellArg v
# NOTE: If any value contains a , (comma) this will not get escaped
else if isList v && lib.strings.isConvertibleWithToString v then
escapeShellArg (concatMapStringsSep "," toString v)
else if isInt v then
toString v
else if isBool v then
boolToString v
else
abort "The Invoiceplane config value ${lib.generators.toPretty { } v} can not be encoded.";
extraConfig =
hostName: cfg:
let
settings = mapAttrsToList (k: v: "${k}=${mkPhpValue v}") cfg.settings;
in
pkgs.writeText "extraConfig.php" (concatStringsSep "\n" settings);
pkg =
hostName: cfg:
pkgs.stdenv.mkDerivation rec {
pname = "invoiceplane-${hostName}";
version = src.version;
src = pkgs.invoiceplane;
postPatch = ''
# Patch index.php file to load additional config file
substituteInPlace index.php \
--replace-fail "require('vendor/autoload.php');" "require('vendor/autoload.php'); \$dotenv = Dotenv\Dotenv::createImmutable(__DIR__, 'extraConfig.php'); \$dotenv->load();";
'';
installPhase = ''
mkdir -p $out
cp -r * $out/
# symlink uploads and log directories
rm -r $out/uploads $out/application/logs $out/vendor/mpdf/mpdf/tmp
ln -sf ${cfg.stateDir}/uploads $out/
ln -sf ${cfg.stateDir}/logs $out/application/
ln -sf ${cfg.stateDir}/tmp $out/vendor/mpdf/mpdf/
# symlink the InvoicePlane config
ln -s ${cfg.stateDir}/ipconfig.php $out/ipconfig.php
# symlink the extraConfig file
ln -s ${extraConfig hostName cfg} $out/extraConfig.php
# symlink additional templates
${concatMapStringsSep "\n" (
template: "cp -r ${template}/. $out/application/views/invoice_templates/pdf/"
) cfg.invoiceTemplates}
'';
};
siteOpts =
{ name, ... }:
{
options = {
enable = mkEnableOption "InvoicePlane web application";
stateDir = mkOption {
type = types.path;
default = "/var/lib/invoiceplane/${name}";
description = ''
This directory is used for uploads of attachments and cache.
The directory passed here is automatically created and permissions
adjusted as required.
'';
};
database = {
host = mkOption {
type = types.str;
default = "localhost";
description = "Database host address.";
};
port = mkOption {
type = types.port;
default = 3306;
description = "Database host port.";
};
name = mkOption {
type = types.str;
default = "invoiceplane";
description = "Database name.";
};
user = mkOption {
type = types.str;
default = "invoiceplane";
description = "Database user.";
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/invoiceplane-dbpassword";
description = ''
A file containing the password corresponding to
{option}`database.user`.
'';
};
createLocally = mkOption {
type = types.bool;
default = true;
description = "Create the database and database user locally.";
};
};
invoiceTemplates = mkOption {
type = types.listOf types.path;
default = [ ];
description = ''
List of path(s) to respective template(s) which are copied from the 'invoice_templates/pdf' directory.
::: {.note}
These templates need to be packaged before use, see example.
:::
'';
example = literalExpression ''
let
# Let's package an example template
template-vtdirektmarketing = pkgs.stdenv.mkDerivation {
name = "vtdirektmarketing";
# Download the template from a public repository
src = pkgs.fetchgit {
url = "https://git.project-insanity.org/onny/invoiceplane-vtdirektmarketing.git";
sha256 = "1hh0q7wzsh8v8x03i82p6qrgbxr4v5fb05xylyrpp975l8axyg2z";
};
sourceRoot = ".";
# Installing simply means copying template php file to the output directory
installPhase = ""
mkdir -p $out
cp invoiceplane-vtdirektmarketing/vtdirektmarketing.php $out/
"";
};
# And then pass this package to the template list like this:
in [ template-vtdirektmarketing ]
'';
};
poolConfig = mkOption {
type =
with types;
attrsOf (oneOf [
str
int
bool
]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
description = ''
Options for the InvoicePlane PHP pool. See the documentation on `php-fpm.conf`
for details on configuration directives.
'';
};
settings = mkOption {
type = types.attrsOf types.anything;
default = { };
description = ''
Structural InvoicePlane configuration. Refer to
<https://github.com/InvoicePlane/InvoicePlane/blob/master/ipconfig.php.example>
for details and supported values.
'';
example = literalExpression ''
{
SETUP_COMPLETED = true;
DISABLE_SETUP = true;
IP_URL = "https://invoice.example.com";
}
'';
};
cron = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable cron service which periodically runs Invoiceplane tasks.
Requires key taken from the administration page. Refer to
<https://wiki.invoiceplane.com/en/1.0/modules/recurring-invoices>
on how to configure it.
'';
};
key = mkOption {
type = types.str;
description = "Cron key taken from the administration page.";
};
};
};
};
in
{
disabledModules = [ "services/web-apps/invoiceplane.nix" ];
# interface
options = {
services.invoiceplane = mkOption {
type = types.submodule {
options.sites = mkOption {
type = types.attrsOf (types.submodule siteOpts);
default = { };
description = "Specification of one or more WordPress sites to serve";
};
options.webserver = mkOption {
type = types.enum [
"caddy"
"nginx"
];
default = "caddy";
example = "nginx";
description = ''
Which webserver to use for virtual host management.
'';
};
};
default = { };
description = "InvoicePlane configuration.";
};
};
# implementation
config = mkIf (eachSite != { }) (mkMerge [
{
assertions = flatten (
mapAttrsToList (hostName: cfg: [
{
assertion = cfg.database.createLocally -> cfg.database.user == user;
message = ''services.invoiceplane.sites."${hostName}".database.user must be ${user} if the database is to be automatically provisioned'';
}
{
assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
message = ''services.invoiceplane.sites."${hostName}".database.passwordFile cannot be specified if services.invoiceplane.sites."${hostName}".database.createLocally is set to true.'';
}
{
assertion = cfg.cron.enable -> cfg.cron.key != null;
message = ''services.invoiceplane.sites."${hostName}".cron.key must be set in order to use cron service.'';
}
]) eachSite
);
services.mysql = mkIf (any (v: v.database.createLocally) (attrValues eachSite)) {
enable = true;
package = mkDefault pkgs.mariadb;
ensureDatabases = mapAttrsToList (hostName: cfg: cfg.database.name) eachSite;
ensureUsers = mapAttrsToList (hostName: cfg: {
name = cfg.database.user;
ensurePermissions = {
"${cfg.database.name}.*" = "ALL PRIVILEGES";
};
}) eachSite;
};
services.phpfpm = {
phpPackage = pkgs.php81;
pools = mapAttrs' (
hostName: cfg:
(nameValuePair "invoiceplane-${hostName}" {
inherit user;
group = webserver.group;
settings = {
"listen.owner" = webserver.user;
"listen.group" = webserver.group;
} // cfg.poolConfig;
})
) eachSite;
};
}
{
systemd.tmpfiles.rules = flatten (
mapAttrsToList (hostName: cfg: [
"d ${cfg.stateDir} 0750 ${user} ${webserver.group} - -"
"f ${cfg.stateDir}/ipconfig.php 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/logs 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/uploads 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/uploads/archive 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/uploads/customer_files 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/uploads/temp 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/uploads/temp/mpdf 0750 ${user} ${webserver.group} - -"
"d ${cfg.stateDir}/tmp 0750 ${user} ${webserver.group} - -"
]) eachSite
);
systemd.services.invoiceplane-config = {
serviceConfig.Type = "oneshot";
script = concatStrings (
mapAttrsToList (hostName: cfg: ''
mkdir -p ${cfg.stateDir}/logs \
${cfg.stateDir}/uploads
if ! grep -q IP_URL "${cfg.stateDir}/ipconfig.php"; then
cp "${invoiceplane-config hostName cfg}" "${cfg.stateDir}/ipconfig.php"
fi
'') eachSite
);
wantedBy = [ "multi-user.target" ];
};
users.users.${user} = {
group = webserver.group;
isSystemUser = true;
};
}
{
# Cron service implementation
systemd.timers = mapAttrs' (
hostName: cfg:
(nameValuePair "invoiceplane-cron-${hostName}" (
mkIf cfg.cron.enable {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "5m";
OnUnitActiveSec = "5m";
Unit = "invoiceplane-cron-${hostName}.service";
};
}
))
) eachSite;
systemd.services = mapAttrs' (
hostName: cfg:
(nameValuePair "invoiceplane-cron-${hostName}" (
mkIf cfg.cron.enable {
serviceConfig = {
Type = "oneshot";
User = user;
ExecStart = "${pkgs.curl}/bin/curl --header 'Host: ${hostName}' http://localhost/invoices/cron/recur/${cfg.cron.key}";
};
}
))
) eachSite;
}
(mkIf (cfg.webserver == "caddy") {
services.caddy = {
enable = true;
virtualHosts = mapAttrs' (
hostName: cfg:
(nameValuePair "http://${hostName}" {
extraConfig = ''
root * ${pkg hostName cfg}
file_server
php_fastcgi unix/${config.services.phpfpm.pools."invoiceplane-${hostName}".socket}
'';
})
) eachSite;
};
})
(mkIf (cfg.webserver == "nginx") {
services.nginx = {
enable = true;
virtualHosts = mapAttrs' (
hostName: cfg:
(nameValuePair hostName {
root = pkg hostName cfg;
extraConfig = ''
index index.php index.html index.htm;
if (!-e $request_filename){
rewrite ^(.*)$ /index.php break;
}
'';
locations = {
"/setup".extraConfig =
let
scheme = if config.services.nginx.virtualHosts.${hostName}.forceSSL then "https" else "http";
in
''
rewrite ^(.*)$ ${scheme}://${hostName}/ redirect;
'';
"~ .php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools."invoiceplane-${hostName}".socket};
include ${config.services.nginx.package}/conf/fastcgi_params;
include ${config.services.nginx.package}/conf/fastcgi.conf;
'';
};
};
})
) eachSite;
};
})
]);
}


@ -4,11 +4,18 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
home-manager.users."${psCfg.user.name}" = {
systemd.user.services.nextcloud-client = import ./nextcloud.service.nix pkgs;
cfg = config.pub-solar.nextcloud;
in {
options.pub-solar.nextcloud = {
enable = mkEnableOption "Life in sync";
};
config = mkIf cfg.enable {
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
systemd.user.services.nextcloud-client = import ./nextcloud.service.nix pkgs;
};
};
}
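Review bot: The `with pkgs;` in `home-manager = with pkgs; pkgs.lib.setAttrByPath [...]` brings nothing into scope that the body uses — the attrset only references `psCfg`, `pkgs.lib` and `./nextcloud.service.nix pkgs` by full path — so it is dead scoping that a reader has to puzzle over. Since the module already opens `with lib;` at the top, the same line reads cleaner as `home-manager = setAttrByPath ["users" psCfg.user.name] {`. The function header (lines 1–3 of the file) is outside this hunk, so I cannot confirm `lib` is among the module's arguments; `with lib;` on the new side presumes it is.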


@ -1,11 +1,11 @@
pkgs: {
Unit = {
Description = "Nextcloud Client";
BindsTo = [ "sway-session.target" ];
Wants = [ "graphical-session-pre.target" ];
After = [ "graphical-session-pre.target" ];
BindsTo = ["sway-session.target"];
Wants = ["graphical-session-pre.target"];
After = ["graphical-session-pre.target"];
# ConditionEnvironment requires systemd v247 to work correctly
ConditionEnvironment = [ "WAYLAND_DISPLAY" ];
ConditionEnvironment = ["WAYLAND_DISPLAY"];
};
Service = {
Type = "simple";
@ -15,6 +15,6 @@ pkgs: {
Restart = "on-failure";
};
Install = {
WantedBy = [ "sway-session.target" ];
WantedBy = ["sway-session.target"];
};
}

11
modules/nix-path.nix Normal file

@ -0,0 +1,11 @@
{
channel,
inputs,
...
}: {
nix.nixPath = [
"nixpkgs=${channel.input}"
"nixos-config=${../lib/compat/nixos}"
"home-manager=${inputs.home}"
];
}
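Review bot: The new file has no comment explaining why `nix.nixPath` is set at all on a flake-based system, and the three entries read as arbitrary until one knows they exist for channel-style lookups. Suggest a header comment above `nix.nixPath`: `# Pin the legacy NIX_PATH entries (<nixpkgs>, <nixos-config>, <home-manager>) to the flake's own inputs, so nix-shell / nixos-option style lookups resolve to the same revisions the flake builds from.` `channel.input` and `inputs.home` are module arguments supplied by the surrounding framework rather than anything visible here, so a second line naming where they come from (presumably the flake's `channel`/`inputs` specialArgs) would also help; worth confirming against the flake.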


@ -1,81 +0,0 @@
{
config,
pkgs,
lib,
flake,
...
}:
{
nixpkgs.config.allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"1password"
"1password-cli"
"brscan5"
"brscan5-etc-files"
"facetimehd-firmware"
"slack"
"uhk-agent"
"uhk-udev-rules"
"veracrypt"
"zoom"
];
system.activationScripts.diff-closures = {
text = ''
if [[ -e /run/current-system ]]; then
${config.nix.package}/bin/nix store diff-closures \
/run/current-system "$systemConfig" \
--extra-experimental-features nix-command
fi
'';
supportsDryActivation = true;
};
nix = {
# Use lix (forked nix)
# now set globally using lix-module
#package = pkgs.lix;
gc.automatic = true;
optimise.automatic = true;
registry = {
nixpkgs.flake = flake.inputs.nixpkgs;
unstable.flake = flake.inputs.unstable;
system.flake = flake.self;
};
settings = {
# Improve nix store disk usage
auto-optimise-store = true;
# Prevents impurities in builds
sandbox = true;
# Give root and @wheel special privileges with nix
trusted-users = [
"root"
"@wheel"
];
# Allow only group wheel to connect to the nix daemon
allowed-users = [ "@wheel" ];
substituters = [ "https://pub-solar.cachix.org/" ];
trusted-public-keys = [ "pub-solar.cachix.org-1:ZicXIxKgdxMtgSJECWR8iihZxHRvu8ObL4n2cuBmtos=" ];
};
# Generally useful nix option defaults
extraOptions = lib.mkForce ''
experimental-features = flakes nix-command
min-free = 536870912
keep-outputs = true
keep-derivations = true
fallback = true
'';
nixPath = [
"nixpkgs=${flake.inputs.nixpkgs}"
"nixos-config=${../../lib/compat/nixos}"
"home-manager=${flake.inputs.home-manager}"
];
};
}


@ -4,16 +4,29 @@
pkgs,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
users.users."${psCfg.user.name}".packages = with pkgs; [
libreoffice-fresh
simple-scan
# Tools like pdfunite
poppler_utils
# tool for annotating PDFs
xournalpp
];
cfg = config.pub-solar.office;
in {
options.pub-solar.office = {
enable = mkEnableOption "Install office programs, also enables printing server";
};
config = mkIf cfg.enable {
pub-solar.printing.enable = true;
# Gnome PDF viewer
programs.evince.enable = true;
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
libreoffice-fresh
gnome.simple-scan
# Tools like pdfunite
poppler_utils
# tool for annotating PDFs
xournalpp
];
};
};
}


@ -0,0 +1,53 @@
{
config,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.paranoia;
in {
options.pub-solar.paranoia = {
enable = mkOption {
description = ''
Only offer hibernation instead of screen locking and sleeping. This only makes sense
if your hard drive is encrypted, and ensures that the contents of your drive are
encrypted if you are not actively using the device.
'';
default = false;
type = types.bool;
};
};
config = mkIf cfg.enable {
pub-solar.core.hibernation.enable = true;
services.logind.lidSwitch = "hibernate";
# The options below are directly taken from or inspired by
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
# Don't set this if you need sftp
services.openssh.allowSFTP = false;
services.openssh.openFirewall = false; # Lock yourself out
# Limit the use of sudo to the group wheel
security.sudo.execWheelOnly = true;
# Remove the complete default environment of packages like
# nano, perl and rsync
environment.defaultPackages = lib.mkForce [];
# fileSystems."/".options = [ "noexec" ];
services.openssh = {
kbdInteractiveAuthentication = false;
extraConfig = ''
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
};
};
}
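Review bot: `AllowTcpForwarding yes` in the sshd `extraConfig` leaves port forwarding enabled while agent, X11 and stream-local forwarding are all switched off, which is hard to justify in a module whose whole purpose is locking the host down and presumably just mirrors the cited blog post's own needs; unless a host here relies on it, change the line to `AllowTcpForwarding no`, or keep it and add a comment naming the reason. `AuthenticationMethods publickey` does block password logins today, but the NixOS PasswordAuthentication option is never set in this module and defaults to enabled, so a later edit that trims `extraConfig` would silently re-open password auth — setting `services.openssh.passwordAuthentication = false;` next to `kbdInteractiveAuthentication` makes the intent explicit (the option name may differ on the pinned nixpkgs). The option description's claim that hibernation "ensures that the contents of your drive are encrypted" only holds if the hibernation image lands on swap inside the encrypted volume, so I would append `This also requires swap, where the hibernation image is written, to be on the encrypted device.` to the description. `psCfg` is bound in the `let` but never used in this file.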


@ -1,56 +1,33 @@
{
flake,
lib,
config,
pkgs,
lib,
...
}:
let
with lib; let
psCfg = config.pub-solar;
in
{
services.avahi.enable = true;
services.avahi.ipv6 = true;
services.avahi.nssmdns4 = true;
services.avahi.publish.enable = true;
services.avahi.publish.userServices = true;
services.printing.enable = true;
services.printing.browsing = true;
services.printing.browsed.enable = true;
services.printing.listenAddresses = [ "localhost:631" ];
services.printing.defaultShared = lib.mkDefault false;
services.printing.drivers = [
pkgs.gutenprint
pkgs.brlaser
];
hardware.sane = {
enable = true;
brscan5.enable = true;
cfg = config.pub-solar.printing;
in {
options.pub-solar.printing = {
enable = mkEnableOption "CUPSSSss";
};
users.users."${psCfg.user.name}" = {
extraGroups = [
"lp"
"scanner"
config = mkIf cfg.enable {
services.avahi.enable = true;
services.avahi.nssmdns = true;
services.avahi.publish.enable = true;
services.avahi.publish.userServices = true;
services.printing.enable = true;
services.printing.browsing = true;
services.printing.listenAddresses = ["localhost:631"];
services.printing.allowFrom = ["all"];
services.printing.defaultShared = false;
services.printing.drivers = [
pkgs.gutenprint
];
};
networking.hosts = flake.self.lib.addLocalHostname [ "cups.local" ];
# Allow port 8612, used by sane-pixma(5) for scanner detection
networking.firewall.allowedTCPPorts = [ 8612 ];
services.caddy = {
enable = true;
extraConfig = ''
cups.local {
request_header Host localhost:631
reverse_proxy unix//run/cups/cups.sock
}
'';
hardware.sane = {
enable = true;
brscan4.enable = true;
};
};
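Review bot: `services.printing.allowFrom = ["all"];` widens cupsd's Allow rule from the `localhost` default to every source address, while the `listenAddresses = ["localhost:631"]` on the line above is the only thing actually keeping the daemon off the network; the two settings contradict each other, and the first becomes a live exposure the moment someone adds an interface to `listenAddresses`. Unless a remote client must reach this queue, drop the `allowFrom` line to keep the default, or restrict it to the intended subnet, and leave a comment saying why. `mkEnableOption "CUPSSSss"` yields the option description "Whether to enable CUPSSSss." in generated docs; `mkEnableOption "CUPS printing and SANE scanner support"` says what the module does. `brscan4.enable = true` pulls in Brother's proprietary scanner driver, which presumably needs an unfree allowlist entry elsewhere in the tree and deserves a comment naming the scanner it is for.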
}


@ -0,0 +1,26 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.social;
in {
options.pub-solar.social = {
enable = mkEnableOption "Life with others";
};
config = mkIf cfg.enable {
home-manager = with pkgs;
pkgs.lib.setAttrByPath ["users" psCfg.user.name] {
home.packages = [
signal-desktop
tdesktop
element-desktop
irssi
];
};
};
}


@ -2,7 +2,7 @@
bindsym $mod+z exec --no-startup-id morc_menu
# switch keyboard input language
#bindsym $mod+tab exec toggle-kbd-layout
bindsym $mod+tab exec toggle-kbd-layout
################################################################################################
## sound-section - ##
@ -19,11 +19,7 @@ bindsym $mod+Shift+h exec psos help
bindsym $mod+F2 exec firefox
bindsym $mod+F4 exec nautilus -w
bindsym $mod+Shift+F4 exec signal-desktop
# Notifications with swaynotificationcenter
# Toggle control center
bindsym $mod+Shift+n exec swaync-client -t -sw
bindsym $mod+Shift+F4 exec signal-desktop --use-tray-icon
bindsym $mod+Shift+m exec qMasterPassword
@ -37,11 +33,3 @@ bindsym $mod+Ctrl+r exec record-screen
# Launcher
set $menu exec alacritty --class launcher -e env TERMINAL_COMMAND="alacritty -e" sway-launcher
bindsym $mod+Space exec $menu
set $mode_vncclient In VNCClient mode. Press $mod+Num_Lock or $mod+Shift+Escape to return.
bindsym $mod+Num_Lock mode "$mode_vncclient"
bindsym $mod+Shift+Escape mode "$mode_vncclient"
mode "$mode_vncclient" {
bindsym $mod+Num_Lock mode "default"
bindsym $mod+Shift+Escape mode "default"
}


@ -0,0 +1,50 @@
{
pkgs,
psCfg,
...
}:
''
# Set shut down, restart and locking features
''
+ (
if psCfg.core.hibernation.enable && !psCfg.paranoia.enable
then ''
set $mode_system (e)xit, (h)ibernate, (l)ock, (s)uspend, (r)eboot, (Shift+s)hutdown
''
else if psCfg.paranoia.enable
then ''
set $mode_system (e)xit, (h)ibernate, (r)eboot, (Shift+s)hutdown
''
else ''
set $mode_system (e)xit, (l)ock, (s)uspend, (r)eboot, (Shift+s)hutdown
''
)
+ ''
bindsym $mod+0 mode "$mode_system"
mode "$mode_system" {
bindsym e exec swaymsg exit, mode "default"
''
+ (
if psCfg.core.hibernation.enable
then ''
bindsym h exec systemctl hibernate, mode "default"
''
else ""
)
+ (
if !psCfg.paranoia.enable
then ''
bindsym l exec ${pkgs.swaylock-bg}/bin/swaylock-bg, mode "default"
bindsym s exec systemctl suspend, mode "default"
''
else ""
)
+ ''
bindsym r exec systemctl reboot, mode "default"
bindsym Shift+s exec systemctl poweroff, mode "default"
# exit system mode: "Enter" or "Escape"
bindsym Return mode "default"
bindsym Escape mode "default"
}
''
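Review bot: The new file has no header stating what it produces, and the three-way branch on `hibernation.enable` / `paranoia.enable` is easy to misread as accidental duplication of the `$mode_system` prompt. Suggest a comment above the function body: `# Builds the sway "system" mode fragment ($mod+0). Lock and suspend entries are omitted when pub-solar.paranoia is enabled, hibernate is offered only when pub-solar.core.hibernation is enabled; the prompt string is rebuilt per branch so it lists exactly the keys that are bound.` It is also worth a one-line note at the `!psCfg.paranoia.enable` branch that in paranoia mode no lock binding exists at all, so the user's only way to leave the session unattended is `h`ibernate — that is intentional per the paranoia option's description, but a reader of this file alone cannot tell.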


@ -5,5 +5,4 @@
# https://github.com/swaywm/sway/wiki/Systemd-integration
# Also, import the most important environment variables into the D-Bus and systemd
# user environments (e.g. required for screen sharing and Pinentry prompts):
exec "systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP; systemctl --user start sway-session.target; dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP"
exec swaymsg -t subscribe '["shutdown"]' && systemctl --user stop sway-session.target
exec "systemctl --user import-environment; systemctl --user start sway-session.target; exec dbus-update-activation-environment --systemd $IMPORT_ENVIRONMENT_ENV_LIST DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP; systemd-cat --identifier=sway sway"
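Review bot: The new `exec` line can never reach `systemd-cat --identifier=sway sway`: sway hands the string to `sh -c`, and the `exec dbus-update-activation-environment ...` in the middle replaces that shell, so everything after the following `;` is dead — and if the `exec` keyword were removed, the tail would start a second sway from inside the running one, which suggests the line was pasted from a session launcher script. Drop both the `exec` keyword and the trailing `systemd-cat --identifier=sway sway`. The unscoped `systemctl --user import-environment` also copies the compositor's entire environment, including anything sensitive it happens to hold, into the user manager, and newer systemd releases warn against the argument-less form; the removed line's explicit `DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP` list is the safer shape, and `$IMPORT_ENVIRONMENT_ENV_LIST` is not set anywhere visible here. Proposed line: `exec "systemctl --user import-environment DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP; systemctl --user start sway-session.target; dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP"`.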
