diff --git a/flake.nix b/flake.nix index 5089f37..df2735f 100644 --- a/flake.nix +++ b/flake.nix @@ -52,28 +52,28 @@ catppuccin.url = "github:catppuccin/nix"; }; - outputs = - { self - , home-manager - , nixpkgs - , nixos-hardware - , flake-utils - , nur - , catppuccin - , my-nixvim - , ... + { + self, + home-manager, + nixpkgs, + nixos-hardware, + flake-utils, + nur, + catppuccin, + my-nixvim, + ... }@inputs: let - nixvimOverlay = (final: prev: { - nixvim = self.packages.${prev.stdenv.system}.nixvim; - }); - overlayModule = { ... }: { - nixpkgs.overlays = [ - nixvimOverlay - (import ./overlays/add-pkgs.nix) - ]; - }; + nixvimOverlay = (final: prev: { nixvim = self.packages.${prev.stdenv.system}.nixvim; }); + overlayModule = + { ... }: + { + nixpkgs.overlays = [ + nixvimOverlay + (import ./overlays/add-pkgs.nix) + ]; + }; deploymentModule = { deployment.targetUser = "xin"; }; @@ -87,20 +87,25 @@ catppuccin.homeManagerModules.catppuccin self.homeManagerModules ]; - mkHome = user: host: { ... }: { - imports = [ - home-manager.nixosModules.home-manager - { - home-manager = { - sharedModules = sharedHmModules; - useGlobalPkgs = true; - useUserPackages = true; - extraSpecialArgs = { inherit inputs; }; - }; - home-manager.users.${user} = (import ./home).${user}.${host}; - } - ]; - }; + mkHome = + user: host: + { ... }: + { + imports = [ + home-manager.nixosModules.home-manager + { + home-manager = { + sharedModules = sharedHmModules; + useGlobalPkgs = true; + useUserPackages = true; + extraSpecialArgs = { + inherit inputs; + }; + }; + home-manager.users.${user} = (import ./home).${user}.${host}; + } + ]; + }; mkHomeConfiguration = user: host: { name = user; value = home-manager.lib.homeManagerConfiguration { 
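Review bot: In the first flake.nix hunk (`@@ -52,28 +52,28 @@`), `outputs =` appears only as a removed line and no added line restores it; the equal old/new counts in the hunk header (ten lines removed, ten added) are consistent with the binding really being gone, in which case `{ self, home-manager, ... }@inputs:` follows `inputs = { ... };` as a bare expression and flake.nix no longer parses. If this is only an artifact of how the diff was captured it can be ignored; otherwise the new side needs `outputs =` back on the line above the opening `{`. The rest of the hunk is a pure nixfmt reflow, and the `outputs` function body continues past the end of the hunk.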
@@ -114,94 +119,109 @@ }; }; }; - mkNixos = { system, modules, specialArgs ? { } }: nixpkgs.lib.nixosSystem { - inherit system; - specialArgs = specialArgs // { inherit inputs system; }; - modules = [ - self.nixosModules.default - nur.nixosModules.nur - ] ++ modules; - }; + mkNixos = + { + system, + modules, + specialArgs ? { }, + }: + nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = specialArgs // { + inherit inputs system; + }; + modules = [ + self.nixosModules.default + nur.nixosModules.nur + ] ++ modules; + }; in { nixpkgs = nixpkgs; - nixosModules.default = { imports = [ ./modules/nixos overlayModule ]; }; + nixosModules.default = { + imports = [ + ./modules/nixos + overlayModule + ]; + }; homeManagerModules = import ./modules/home-manager; homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; colmenaHive = inputs.colmena.lib.makeHive { meta = { - nixpkgs = import nixpkgs { - system = "x86_64-linux"; - }; + nixpkgs = import nixpkgs { system = "x86_64-linux"; }; specialArgs = { inherit inputs; }; }; - massicot = { ... }: { - deployment.targetHost = "49.13.13.122"; - deployment.buildOnTarget = true; + massicot = + { ... }: + { + deployment.targetHost = "49.13.13.122"; + deployment.buildOnTarget = true; - imports = [ - { nixpkgs.system = "aarch64-linux"; } - machines/massicot - ] ++ sharedColmenaModules; - }; - - tok-00 = { ... }: { - imports = [ - machines/dolomite - ] ++ sharedColmenaModules; - nixpkgs.system = "x86_64-linux"; - networking.hostName = "tok-00"; - system.stateVersion = "23.11"; - deployment = { - targetHost = "video01.namely.icu"; - buildOnTarget = false; - tags = [ "proxy" ]; + imports = [ + { nixpkgs.system = "aarch64-linux"; } + machines/massicot + ] ++ sharedColmenaModules; }; - }; - la-00 = { ... 
}: { - imports = [ - machines/dolomite - ] ++ sharedColmenaModules; - nixpkgs.system = "x86_64-linux"; - networking.hostName = "la-00"; - system.stateVersion = "21.05"; - deployment = { - targetHost = "la-00.video.namely.icu"; - buildOnTarget = false; - tags = [ "proxy" ]; + tok-00 = + { ... }: + { + imports = [ machines/dolomite ] ++ sharedColmenaModules; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "tok-00"; + system.stateVersion = "23.11"; + deployment = { + targetHost = "video01.namely.icu"; + buildOnTarget = false; + tags = [ "proxy" ]; + }; }; - }; - raspite = { ... }: { - deployment = { - targetHost = "raspite.local"; - buildOnTarget = false; + la-00 = + { ... }: + { + imports = [ machines/dolomite ] ++ sharedColmenaModules; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "la-00"; + system.stateVersion = "21.05"; + deployment = { + targetHost = "la-00.video.namely.icu"; + buildOnTarget = false; + tags = [ "proxy" ]; + }; }; - nixpkgs.system = "aarch64-linux"; - imports = [ - "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" - nixos-hardware.nixosModules.raspberry-pi-4 - machines/raspite/configuration.nix - ] ++ sharedColmenaModules; - }; - weilite = { ... }: { - imports = [ - machines/weilite - ] ++ sharedColmenaModules; - deployment = { - targetHost = "weilite.coho-tet.ts.net"; - targetPort = 22; - buildOnTarget = false; + raspite = + { ... }: + { + deployment = { + targetHost = "raspite.local"; + buildOnTarget = false; + }; + nixpkgs.system = "aarch64-linux"; + imports = [ + "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" + nixos-hardware.nixosModules.raspberry-pi-4 + machines/raspite/configuration.nix + ] ++ sharedColmenaModules; + }; + + weilite = + { ... 
}: + { + imports = [ machines/weilite ] ++ sharedColmenaModules; + deployment = { + targetHost = "weilite.coho-tet.ts.net"; + targetPort = 22; + buildOnTarget = false; + }; + nixpkgs.system = "x86_64-linux"; }; - nixpkgs.system = "x86_64-linux"; - }; }; nixosConfigurations = { @@ -215,18 +235,30 @@ }; } // self.colmenaHive.nodes; - } // flake-utils.lib.eachDefaultSystem (system: - let pkgs = nixpkgs.legacyPackages.${system}; in - { - devShells = { - default = pkgs.mkShell { - packages = with pkgs; [ nix git colmena sops nix-output-monitor nil nvd ]; - }; - }; - - packages = { - nixvim = my-nixvim.packages.${system}.default; - }; } - ); + // flake-utils.lib.eachDefaultSystem ( + system: + let + pkgs = nixpkgs.legacyPackages.${system}; + in + { + devShells = { + default = pkgs.mkShell { + packages = with pkgs; [ + nix + git + colmena + sops + nix-output-monitor + nil + nvd + ]; + }; + }; + + packages = { + nixvim = my-nixvim.packages.${system}.default; + }; + } + ); } diff --git a/home/default.nix b/home/default.nix index 0c683f6..ddd31bf 100644 --- a/home/default.nix +++ b/home/default.nix @@ -2,4 +2,4 @@ xin = { calcite = import ./xin/calcite.nix; }; -} \ No newline at end of file +} diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index f39fe62..2de5642 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -1,8 +1,6 @@ { config, pkgs, ... }@inputs: { - imports = [ - ./common - ]; + imports = [ ./common ]; programs.nix-index-database.comma.enable = true; 
@@ -46,12 +44,38 @@ }; custom-hm = { - alacritty = { enable = true; }; - cosmic-term = { enable = true; }; - direnv = { enable = true; }; fish = { enable = true; }; git = { enable = true; signing.enable = true; }; - neovim = { enable = true; }; - vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; llm = true; }; - zellij = { enable = true; }; + alacritty = { + enable = true; + }; + cosmic-term = { + enable = true; + }; + direnv = { + enable = true; + }; + fish = { + enable = true; + }; + git = { + enable = true; + signing.enable = true; + }; + neovim = { + enable = true; + }; + vscode = { + enable = true; + languages = { + cxx = true; + python = true; + scala = true; + latex = true; + }; + llm = true; + }; + zellij = { + enable = true; + }; }; programs.gnome-shell.enable = true; diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 6957c4d..8fbf3bb 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -1,4 +1,10 @@ -{ inputs, pkgs, lib, ... }: { +{ + inputs, + pkgs, + lib, + ... +}: +{ imports = [ ]; home.packages = with pkgs; [ diff --git a/home/xin/gold/default.nix b/home/xin/gold/default.nix index 192e11c..694b3c7 100644 --- a/home/xin/gold/default.nix +++ b/home/xin/gold/default.nix @@ -1,15 +1,15 @@ { pkgs, home-manager, ... }: - home-manager.lib.homeManagerConfiguration { - inherit pkgs; - modules = [ - ../common - { - home.username = "xin"; - home.homeDirectory = "/home/xin"; - home.stateVersion = "23.05"; +home-manager.lib.homeManagerConfiguration { + inherit pkgs; + modules = [ + ../common + { + home.username = "xin"; + home.homeDirectory = "/home/xin"; + home.stateVersion = "23.05"; - # Let Home Manager install and manage itself. - programs.home-manager.enable = true; - } - ]; - } + # Let Home Manager install and manage itself. + programs.home-manager.enable = true; + } + ]; +} 
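Review bot: In the `home/xin/calcite.nix` hunk `@@ -46,12 +44,38 @@`, the one-line `fish = { enable = true; };` and `git = { enable = true; signing.enable = true; };` appear as unchanged context while expanded `fish = { ... };` and `git = { ... };` blocks are added below them, so `custom-hm` would bind `fish` and `git` twice and Nix evaluation fails with an "attribute already defined" error. The hunk header counts (12 old lines, 38 new) match that reading rather than the two one-liners having been removed, although the collapsed diff could be hiding their `-` markers. If the one-liners really survive, delete the two old bindings so only the expanded `fish` and `git` forms remain in `custom-hm`.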
diff --git a/home/xin/raspite/default.nix b/home/xin/raspite/default.nix index d09be89..888383c 100644 --- a/home/xin/raspite/default.nix +++ b/home/xin/raspite/default.nix @@ -1,9 +1,6 @@ - { config, pkgs, ... }: { - imports = [ - ../common - ]; + imports = [ ../common ]; home.username = "xin"; home.homeDirectory = "/home/xin"; diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 0baea22..947f2d2 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -1,13 +1,17 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: { - imports = - [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ./network.nix - ../sops.nix - ]; + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ./network.nix + ../sops.nix + ]; commonSettings = { auth.enable = true; @@ -22,7 +26,11 @@ boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.efiSysMountPoint = "/boot/efi"; # boot.kernelPackages = pkgs.linuxPackages_latest; - boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" ]; + boot.kernelModules = [ + "nvidia" + "nvidia_modeset" + "nvidia_uvm" + ]; boot.supportedFilesystems = [ "ntfs" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; @@ -45,7 +53,9 @@ programs.steam = { enable = true; - gamescopeSession = { enable = true; }; + gamescopeSession = { + enable = true; + }; }; programs.oidc-agent.enable = true; @@ -93,7 +103,6 @@ services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; - # Configure keymap in X11 services.xserver = { xkb.layout = "us"; @@ -135,7 +144,12 @@ users.users.xin = { isNormalUser = true; description = "xin"; - extraGroups = [ "networkmanager" "wheel" "wireshark" "tss" ]; + extraGroups = [ + "networkmanager" + "wheel" + "wireshark" + "tss" + ]; }; services.kanidm = { 
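Review bot: The `@@ -93,7 +103,6 @@` hunk of `machines/calcite/configuration.nix` deletes the `# Configure keymap in X11` comment above `services.xserver = {` with no replacement, and the `@@ -280,14 +295,19 @@` hunk of the same file does the same to `# MTP support` above `services.gvfs.enable = true;`. In a commit that is otherwise a pure nixfmt reflow these deletions look accidental, and each comment is the only explanation of why that option is set. Keep both lines as they were: `# Configure keymap in X11` and `# MTP support`.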
@@ -179,13 +193,14 @@ # reference: https://nixos.wiki/wiki/Python ( let - my-python-packages = python-packages: with python-packages; [ - pandas - requests - numpy - pyyaml - setuptools - ]; + my-python-packages = + python-packages: with python-packages; [ + pandas + requests + numpy + pyyaml + setuptools + ]; python-with-my-packages = python3.withPackages my-python-packages; in python-with-my-packages @@ -280,14 +295,19 @@ acceleration = "cuda"; }; - # MTP support services.gvfs.enable = true; # Fonts fonts = { packages = with pkgs; [ - (nerdfonts.override { fonts = [ "FiraCode" "FiraMono" "JetBrainsMono" ]; }) + (nerdfonts.override { + fonts = [ + "FiraCode" + "FiraMono" + "JetBrainsMono" + ]; + }) noto-fonts noto-fonts-emoji liberation_ttf @@ -305,9 +325,19 @@ ]; fontconfig = { defaultFonts = { - serif = [ "Noto Serif CJK SC" "Ubuntu" ]; - sansSerif = [ "Noto Sans CJK SC" "Ubuntu" ]; - monospace = [ "FiraCode NerdFont Mono" "Noto Sans Mono CJK SC" "Ubuntu" ]; + serif = [ + "Noto Serif CJK SC" + "Ubuntu" + ]; + sansSerif = [ + "Noto Sans CJK SC" + "Ubuntu" + ]; + monospace = [ + "FiraCode NerdFont Mono" + "Noto Sans Mono CJK SC" + "Ubuntu" + ]; }; }; enableDefaultPackages = true; diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index 8a08bcd..0bfa83f 100644 --- a/machines/calcite/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix 
@@ -1,14 +1,23 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "nvme" + "ahci" + "usbhid" + ]; boot.initrd.kernelModules = [ ]; boot.initrd.luks.devices.cryptroot = { device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d"; @@ -16,26 +25,29 @@ boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { # device = "/dev/disk/by-label/NIXROOT"; - device = "/dev/mapper/cryptroot"; - fsType = "btrfs"; - }; + fileSystems."/" = { + # device = "/dev/disk/by-label/NIXROOT"; + device = "/dev/mapper/cryptroot"; + fsType = "btrfs"; + }; - fileSystems."/boot/efi" = - { device = "/dev/disk/by-label/EFIBOOT"; - fsType = "vfat"; - }; + fileSystems."/boot/efi" = { + device = "/dev/disk/by-label/EFIBOOT"; + fsType = "vfat"; + }; - fileSystems."/media/data" = - { device = "/dev/nvme0n1p7"; - fsType = "ntfs-3g"; - options = [ "rw" "uid=1000" "nofail" "x-systemd.device-timeout=2" ]; - }; - - swapDevices = - [ { device = "/dev/disk/by-label/NIXSWAP"; } + fileSystems."/media/data" = { + device = "/dev/nvme0n1p7"; + fsType = "ntfs-3g"; + options = [ + "rw" + "uid=1000" + "nofail" + "x-systemd.device-timeout=2" ]; + }; + + swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's 
diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index 8d1f0ba..89e9255 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ...}: +{ config, pkgs, ... }: { imports = [ ]; @@ -38,10 +38,11 @@ # Open ports in the firewall. networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ 3389 ]; - networking.firewall.allowedUDPPorts = [ 3389 41641 ]; - networking.firewall.trustedInterfaces = [ - "tailscale0" + networking.firewall.allowedUDPPorts = [ + 3389 + 41641 ]; + networking.firewall.trustedInterfaces = [ "tailscale0" ]; # Use nftables to manager firewall networking.nftables.enable = true; diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix index 32d2b9f..70daacf 100644 --- a/machines/dolomite/bandwagon.nix +++ b/machines/dolomite/bandwagon.nix @@ -1,30 +1,42 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: let cfg = config.isBandwagon; in { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - options = { isBandwagon = lib.mkEnableOption "Bandwagon instance"; }; config = lib.mkIf cfg { - boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "xhci_pci" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-label/NIXROOT"; - fsType = "xfs"; - }; + fileSystems."/" = { + device = "/dev/disk/by-label/NIXROOT"; + fsType = "xfs"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-label/NIXBOOT"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-label/NIXBOOT"; + fsType = "vfat"; + }; swapDevices = [ ]; diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 202edef..019867c 100644 
--- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -1,6 +1,6 @@ { config, lib, ... }: let - awsHosts = [ "tok-00"]; + awsHosts = [ "tok-00" ]; bwgHosts = [ "la-00" ]; in { @@ -10,7 +10,6 @@ in ./lightsail.nix ]; - config = { isBandwagon = builtins.elem config.networking.hostName bwgHosts; isLightsail = builtins.elem config.networking.hostName awsHosts; @@ -45,7 +44,10 @@ in reverse_proxy 127.0.0.1:30310 ''; - networking.firewall.allowedTCPPorts = [ 80 8080 ]; + networking.firewall.allowedTCPPorts = [ + 80 + 8080 + ]; networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); custom.prometheus = { 
@@ -80,119 +82,129 @@ in wheelNeedsPassword = false; }; - services.sing-box = let - singTls = { - enabled = true; - server_name = config.deployment.targetHost; - key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; - certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; - }; - password = { - _secret = config.sops.secrets.singbox_password.path; - }; - uuid = { - _secret = config.sops.secrets.singbox_uuid.path; - }; - in - { - enable = true; - settings = { - dns = { - servers = [ - { - tag = "warp"; - address = "1.1.1.1"; - detour = "wg-out"; - } - { - tag = "directdns"; - address = "h3://8.8.8.8/dns-query"; - } - ]; - rules = [ - { - outbound = "wg-out"; - server = "warp"; - } - { - outbound = "direct"; - server = "directdns"; - } - ]; + services.sing-box = + let + singTls = { + enabled = true; + server_name = config.deployment.targetHost; + key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; + certificate_path = + config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; }; - inbounds = [ - { - tag = "sg0"; - type = "trojan"; - listen = "::"; - listen_port = 8080; - users = [ - { name = "proxy"; - password = password; + password = { + _secret = config.sops.secrets.singbox_password.path; + }; + uuid = { + _secret = config.sops.secrets.singbox_uuid.path; + }; + in + { + enable = true; + settings = { + dns = { + servers = [ + { + tag = "warp"; + address = "1.1.1.1"; + detour = "wg-out"; + } + { + tag = "directdns"; + address = "h3://8.8.8.8/dns-query"; } ]; - tls = singTls; - } - ] ++ lib.forEach (lib.range 6311 6314) (port: { - tag = "sg" + toString (port - 6310); - type = "tuic"; - listen = "::"; - listen_port = port; - congestion_control = "bbr"; - users = [ - { name = "proxy"; - uuid = uuid; - password = password; + rules = [ + { + outbound = "wg-out"; + server = "warp"; + } + { + outbound = "direct"; + 
server = "directdns"; } ]; - tls = singTls; - }); - outbounds = [ - { - type = "wireguard"; - tag = "wg-out"; - private_key = { - _secret = config.sops.secrets.wg_private_key.path; - }; - local_address = [ - "172.16.0.2/32" - { _secret = config.sops.secrets.wg_ipv6_local_addr.path; } - ]; - peers = [ - { public_key= "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; - allowed_ips = [ "0.0.0.0/0" "::/0" ]; - server = "162.159.192.1"; - server_port = 500; + }; + inbounds = + [ + { + tag = "sg0"; + type = "trojan"; + listen = "::"; + listen_port = 8080; + users = [ + { + name = "proxy"; + password = password; + } + ]; + tls = singTls; } - ]; - } - { - type = "direct"; - tag = "direct"; - } - { - type = "dns"; - tag = "dns-out"; - } - ]; - route = { - rules = [ + ] + ++ lib.forEach (lib.range 6311 6314) (port: { + tag = "sg" + toString (port - 6310); + type = "tuic"; + listen = "::"; + listen_port = port; + congestion_control = "bbr"; + users = [ + { + name = "proxy"; + uuid = uuid; + password = password; + } + ]; + tls = singTls; + }); + outbounds = [ { - outbound = "dns-out"; - protocol = "dns"; + type = "wireguard"; + tag = "wg-out"; + private_key = { + _secret = config.sops.secrets.wg_private_key.path; + }; + local_address = [ + "172.16.0.2/32" + { _secret = config.sops.secrets.wg_ipv6_local_addr.path; } + ]; + peers = [ + { + public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; + allowed_ips = [ + "0.0.0.0/0" + "::/0" + ]; + server = "162.159.192.1"; + server_port = 500; + } + ]; } { - inbound = "sg0"; - outbound = "direct"; + type = "direct"; + tag = "direct"; } { - inbound = "sg4"; - outbound = "direct"; + type = "dns"; + tag = "dns-out"; } ]; + route = { + rules = [ + { + outbound = "dns-out"; + protocol = "dns"; + } + { + inbound = "sg0"; + outbound = "direct"; + } + { + inbound = "sg4"; + outbound = "direct"; + } + ]; + }; }; }; - }; }; } diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix index bd8634c..18afeda 100644 
--- a/machines/dolomite/lightsail.nix +++ b/machines/dolomite/lightsail.nix @@ -1,10 +1,16 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: with lib; let cfg = config.ec2; in { - imports = [ + imports = [ "${modulesPath}/profiles/headless.nix" # Note: While we do use the headless profile, we also explicitly # turn on the serial console on ttyS0 below. This is because @@ -39,18 +45,22 @@ in fsType = "vfat"; }; - boot.extraModulePackages = [ - config.boot.kernelPackages.ena - ]; + boot.extraModulePackages = [ config.boot.kernelPackages.ena ]; boot.initrd.kernelModules = [ "xen-blkfront" ]; boot.initrd.availableKernelModules = [ "nvme" ]; - boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ]; + boot.kernelParams = [ + "console=ttyS0,115200n8" + "random.trust_cpu=on" + ]; # Prevent the nouveau kernel module from being loaded, as it # interferes with the nvidia/nvidia-uvm modules needed for CUDA. # Also blacklist xen_fbfront to prevent a 30 second delay during # boot. - boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ]; + boot.blacklistedKernelModules = [ + "nouveau" + "xen_fbfront" + ]; boot.loader.grub.efiSupport = cfg.efi; boot.loader.grub.efiInstallAsRemovable = cfg.efi; @@ -64,7 +74,7 @@ in systemd.services.fetch-ec2-metadata = { wantedBy = [ "multi-user.target" ]; wants = [ "network-online.target" ]; - after = ["network-online.target"]; + after = [ "network-online.target" ]; path = [ pkgs.curl ]; script = builtins.readFile ./ec2-metadata-fetcher.sh; serviceConfig.Type = "oneshot"; diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index bcdc5f7..4513a2b 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -1,4 +1,10 @@ -{ inputs, config, libs, pkgs, ... }: +{ + inputs, + config, + libs, + pkgs, + ... +}: { imports = [ 
diff --git a/machines/massicot/hardware-configuration.nix b/machines/massicot/hardware-configuration.nix index 89358f7..c67deb1 100644 --- a/machines/massicot/hardware-configuration.nix +++ b/machines/massicot/hardware-configuration.nix @@ -5,9 +5,19 @@ efiSupport = true; device = "nodev"; }; - fileSystems."/boot" = { device = "/dev/disk/by-uuid/AC27-D9D6"; fsType = "vfat"; }; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/AC27-D9D6"; + fsType = "vfat"; + }; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "xen_blkfront" + ]; boot.initrd.kernelModules = [ "nvme" ]; - fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; - + fileSystems."/" = { + device = "/dev/sda1"; + fsType = "ext4"; + }; + } diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index 71ca402..95c75df 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix @@ -21,7 +21,11 @@ members = [ "xin" ]; }; immich-users = { - members = [ "xin" "zhuo" "ycm" ]; + members = [ + "xin" + "zhuo" + "ycm" + ]; }; grafana-superadmins = { members = [ "xin" ]; @@ -65,7 +69,12 @@ originLanding = "https://git.xinyang.life/user/oauth2/kandim"; allowInsecureClientDisablePkce = true; scopeMaps = { - forgejo-access = [ "openid" "email" "profile" "groups" ]; + forgejo-access = [ + "openid" + "email" + "profile" + "groups" + ]; }; claimMaps = { forgejo_role = { @@ -83,7 +92,12 @@ originLanding = "https://xinyang.life/"; allowInsecureClientDisablePkce = true; scopeMaps = { - gts-users = [ "openid" "email" "profile" "groups" ]; + gts-users = [ + "openid" + "email" + "profile" + "groups" + ]; }; }; owncloud = { @@ -92,7 +106,11 @@ originLanding = "https://home.xinyang.life:9201/"; public = true; scopeMaps = { - ocis-users = [ "openid" "email" "profile" ]; + ocis-users = [ + "openid" + "email" + "profile" + ]; }; }; hedgedoc = { 
@@ -101,7 +119,11 @@ originLanding = "https://docs.xinyang.life/auth/oauth2"; allowInsecureClientDisablePkce = true; scopeMaps = { - hedgedoc-users = [ "openid" "email" "profile" ]; + hedgedoc-users = [ + "openid" + "email" + "profile" + ]; }; }; immich-mobile = { @@ -110,7 +132,11 @@ originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; allowInsecureClientDisablePkce = true; scopeMaps = { - immich-users = [ "openid" "email" "profile" ]; + immich-users = [ + "openid" + "email" + "profile" + ]; }; }; miniflux = { @@ -118,7 +144,11 @@ originUrl = "https://rss.xinyang.life/"; originLanding = "https://rss.xinyang.life/"; scopeMaps = { - miniflux-users = [ "openid" "email" "profile" ]; + miniflux-users = [ + "openid" + "email" + "profile" + ]; }; }; grafana = { @@ -126,7 +156,12 @@ originUrl = "https://grafana.xinyang.life/"; originLanding = "https://grafana.xinyang.life/"; scopeMaps = { - grafana-users = [ "openid" "email" "profile" "groups" ]; + grafana-users = [ + "openid" + "email" + "profile" + "groups" + ]; }; claimMaps = { grafana_role = { diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix index 9588be9..94be559 100644 --- a/machines/massicot/networking.nix +++ b/machines/massicot/networking.nix @@ -1,11 +1,14 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ networking = { interfaces = { eth0.useDHCP = true; - eth0.ipv6.addresses = [{ - address = "2a01:4f8:c17:345f::1"; - prefixLength = 64; - }]; + eth0.ipv6.addresses = [ + { + address = "2a01:4f8:c17:345f::1"; + prefixLength = 64; + } + ]; }; defaultGateway6 = { address = "fe80::1"; diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index fa263e5..336a039 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix 
@@ -1,10 +1,24 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let kanidm_listen_port = 5324; in { - networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ]; - networking.firewall.allowedUDPPorts = [ 80 443 8448 ]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + 2222 + 8448 + ]; + networking.firewall.allowedUDPPorts = [ + 80 + 443 + 8448 + ]; custom.vaultwarden = { enable = true; @@ -32,16 +46,23 @@ in exporters.miniflux.enable = true; }; - systemd.mounts = map - (share: { - what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; - where = "/mnt/storage/${share}"; - type = "cifs"; - options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; - before = [ "${share}.service" ]; - after = [ "cachefilesd.service" ]; - wantedBy = [ "${share}.service" ]; - }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ]; + systemd.mounts = + map + (share: { + what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; + where = "/mnt/storage/${share}"; + type = "cifs"; + options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; + before = [ "${share}.service" ]; + after = [ "cachefilesd.service" ]; + wantedBy = [ "${share}.service" ]; + }) + [ + "forgejo" + "gotosocial" + "conduit" + "hedgedoc" + ]; services.cachefilesd.enable = true; @@ -225,11 +246,14 @@ in allow_assign_grafana_admin = true; auto_login = true; }; - "auth" = { disable_login_form = true; }; + "auth" = { + disable_login_form = true; + }; }; }; - systemd.services.grafana.serviceConfig.EnvironmentFile = config.sops.secrets.grafana_oauth_secret.path; + systemd.services.grafana.serviceConfig.EnvironmentFile = + config.sops.secrets.grafana_oauth_secret.path; users.users.git = { isSystemUser = true; 
@@ -240,9 +264,7 @@ in users.groups.git = { }; users.users = { - ${config.services.caddy.user}.extraGroups = [ - config.services.ntfy-sh.group - ]; + ${config.services.caddy.user}.extraGroups = [ config.services.ntfy-sh.group ]; }; services.caddy = { diff --git a/machines/netdrives.nix b/machines/netdrives.nix index 8092196..2fedf53 100644 --- a/machines/netdrives.nix +++ b/machines/netdrives.nix @@ -1,7 +1,7 @@ { pkgs, config, ... }: { sops.secrets = { - autofs-nas = { + autofs-nas = { owner = "davfs2"; }; autofs-nas-secret = { @@ -19,4 +19,4 @@ ]; }; -} \ No newline at end of file +} diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix index 71bc747..049e67e 100644 --- a/machines/raspite/configuration.nix +++ b/machines/raspite/configuration.nix @@ -1,17 +1,19 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: { - imports = [ - ./hass.nix - ]; + imports = [ ./hass.nix ]; commonSettings.nix.enableMirrors = true; nixpkgs.overlays = [ # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243 (final: super: { - makeModulesClosure = x: - super.makeModulesClosure (x // { allowMissing = true; }); + makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; }); }) ]; @@ -22,7 +24,7 @@ ]; system.stateVersion = "24.05"; - + networking = { hostName = "raspite"; useDHCP = false; diff --git a/machines/raspite/hass.nix b/machines/raspite/hass.nix index 8482129..68d161b 100644 --- a/machines/raspite/hass.nix +++ b/machines/raspite/hass.nix @@ -1,4 +1,5 @@ -{ config, pkgs, ... }: { +{ config, pkgs, ... }: +{ services.home-assistant = { enable = true; extraComponents = [ @@ -9,14 +10,12 @@ ]; openFirewall = false; config = { - default_config = {}; + default_config = { }; http = { server_host = "::1"; base_url = "raspite.local:1000"; use_x_forward_for = true; - trusted_proxies = [ - "::1" - ]; + trusted_proxies = [ "::1" ]; }; }; }; 
@@ -28,16 +27,17 @@ users.groups.dialout.members = config.users.groups.wheel.members; - environment.systemPackages = with pkgs; [ - zigbee2mqtt + environment.systemPackages = with pkgs; [ zigbee2mqtt ]; + + networking.firewall.allowedTCPPorts = [ + 1000 + 1001 ]; - networking.firewall.allowedTCPPorts = [ 1000 1001 ]; - services.caddy = { - enable = true; + enable = true; virtualHosts = { - # reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port} + # reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port} "raspite.local:1000".extraConfig = '' reverse_proxy http://[::1]:8123 ''; diff --git a/machines/sops.nix b/machines/sops.nix index de0cf5b..aeb99d9 100644 --- a/machines/sops.nix +++ b/machines/sops.nix @@ -1,4 +1,9 @@ -{ inputs, config, lib, ... }: +{ + inputs, + config, + lib, + ... +}: { imports = [ inputs.sops-nix.nixosModules.sops ]; config = { @@ -11,24 +16,22 @@ owner = "root"; }; singbox_sg_server = { - owner = "root"; + owner = "root"; }; singbox_jp_server = { - owner = "root"; + owner = "root"; }; singbox_password = { - owner = "root"; + owner = "root"; }; singbox_uuid = { - owner = "root"; + owner = "root"; }; private_dns_address = { - owner = "root"; + owner = "root"; }; }; - secrets.grafana_cloud_api = lib.mkIf config.services.prometheus.enable { - owner = "prometheus"; - }; + secrets.grafana_cloud_api = lib.mkIf config.services.prometheus.enable { owner = "prometheus"; }; }; }; } diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 0ad8822..5718b56 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -1,4 +1,11 @@ -{ inputs, config, pkgs, lib, modulesPath, ... }: +{ + inputs, + config, + pkgs, + lib, + modulesPath, + ... +}: with lib; 
@@ -19,17 +26,21 @@ with lib; }; boot = { - loader = { + loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; }; - initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ]; + initrd.availableKernelModules = [ + "uhci_hcd" + "ehci_pci" + "ahci" + "usb_storage" + "sd_mod" + ]; kernelModules = [ "kvm-intel" ]; }; - environment.systemPackages = [ - pkgs.virtiofsd - ]; + environment.systemPackages = [ pkgs.virtiofsd ]; sops = { defaultSopsFile = ./secrets.yaml; @@ -47,13 +58,15 @@ with lib; }; systemd.mounts = [ - { what = "immich"; + { + what = "immich"; where = "/mnt/XinPhotos/immich"; type = "virtiofs"; options = "rw"; wantedBy = [ "immich-server.service" ]; } - { what = "originals"; + { + what = "originals"; where = "/mnt/XinPhotos/originals"; type = "virtiofs"; options = "ro,nodev,nosuid"; @@ -61,7 +74,10 @@ with lib; } ]; - services.openssh.ports = [ 22 2222 ]; + services.openssh.ports = [ + 22 + 2222 + ]; services.immich = { enable = true; @@ -90,7 +106,10 @@ with lib; enable = true; package = pkgs.caddy.withPlugins { caddyModules = [ - { repo = "github.com/caddy-dns/cloudflare"; version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; } + { + repo = "github.com/caddy-dns/cloudflare"; + version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; + } ]; vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk="; }; @@ -115,7 +134,7 @@ with lib; }; time.timeZone = "Asia/Shanghai"; - + fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "btrfs"; @@ -124,7 +143,10 @@ with lib; fileSystems."/boot" = { device = "/dev/sda1"; fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; + options = [ + "fmask=0022" + "dmask=0022" + ]; }; system.stateVersion = "24.11"; diff --git a/modules/home-manager/cosmic-term.nix b/modules/home-manager/cosmic-term.nix index 727a8c2..2d59b89 100644 --- a/modules/home-manager/cosmic-term.nix +++ b/modules/home-manager/cosmic-term.nix 
@@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let inherit (lib) mkEnableOption mkIf; @@ -10,7 +15,5 @@ in enable = mkEnableOption "cosmic-term"; }; - config = mkIf cfg.enable { - home.packages = [ pkgs.cosmic-term ]; - }; + config = mkIf cfg.enable { home.packages = [ pkgs.cosmic-term ]; }; } diff --git a/modules/home-manager/fish.nix b/modules/home-manager/fish.nix index a5dc2be..4d265d5 100644 --- a/modules/home-manager/fish.nix +++ b/modules/home-manager/fish.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: with lib; @@ -10,7 +15,12 @@ in enable = mkEnableOption "fish"; plugins = mkOption { type = types.listOf types.str; - default = [ "pisces" "done" "hydro" "grc" ]; + default = [ + "pisces" + "done" + "hydro" + "grc" + ]; }; functions = { enable = mkOption { 
@@ -30,41 +40,65 @@ in home.packages = [ pkgs.grc ]; programs.fish = { enable = true; - plugins = with pkgs; (filter ( - e: hasAttr e.name (builtins.listToAttrs # { "xxx" = true; } - (map (p: { name = p; value = true; }) cfg.plugins) # { name = "xxx"; value = true; } - )) [ - { name = "pisces"; - src = fishPlugins.pisces.src; - } - { name = "done"; - src = fishPlugins.done.src; - } - { name = "hydro"; - src = fishPlugins.hydro.src; - } - { name = "grc"; - src = fishPlugins.grc.src; - } - ]); - interactiveShellInit = let - extraInit = if cfg.functions.enable then '' - ${pkgs.nix-your-shell}/bin/nix-your-shell fish | source - function fish_right_prompt - if test -n "$IN_NIX_SHELL" - echo -n "" - else if test $SHLVL -ge 3 - echo -n "<🚀lv$SHLVL>" - end - end - function fish_command_not_found - ${pkgs.comma}/bin/comma $argv - end - set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha) - '' else ""; - in '' - fish_config prompt choose default - '' + extraInit; + plugins = + with pkgs; + (filter + ( + e: + hasAttr e.name ( + builtins.listToAttrs # { "xxx" = true; } + ( + map (p: { + name = p; + value = true; + }) cfg.plugins + ) # { name = "xxx"; value = true; } + ) + ) + [ + { + name = "pisces"; + src = fishPlugins.pisces.src; + } + { + name = "done"; + src = fishPlugins.done.src; + } + { + name = "hydro"; + src = fishPlugins.hydro.src; + } + { + name = "grc"; + src = fishPlugins.grc.src; + } + ] + ); + interactiveShellInit = + let + extraInit = + if cfg.functions.enable then + '' + ${pkgs.nix-your-shell}/bin/nix-your-shell fish | source + function fish_right_prompt + if test -n "$IN_NIX_SHELL" + echo -n "" + else if test $SHLVL -ge 3 + echo -n "<🚀lv$SHLVL>" + end + end + function fish_command_not_found + ${pkgs.comma}/bin/comma $argv + end + set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha) + '' + else + ""; + in + '' + fish_config prompt choose default + '' + + extraInit; functions = mkIf cfg.functions.enable { gitignore = "curl 
-sL https://www.gitignore.io/api/$argv"; }; diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix index 5b2bc63..66f1ceb 100644 --- a/modules/home-manager/git.nix +++ b/modules/home-manager/git.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: with lib; @@ -32,16 +37,12 @@ in d = "diff"; s = "status"; }; - signing = mkIf cfg.signing.enable { + signing = mkIf cfg.signing.enable { signByDefault = true; key = cfg.signing.keyFile; }; - extraConfig.user = mkIf cfg.signing.enable { - signingkey = cfg.signing.keyFile; - }; - extraConfig.gpg = mkIf cfg.signing.enable { - format = "ssh"; - }; + extraConfig.user = mkIf cfg.signing.enable { signingkey = cfg.signing.keyFile; }; + extraConfig.gpg = mkIf cfg.signing.enable { format = "ssh"; }; }; }; } diff --git a/modules/home-manager/tmux.nix b/modules/home-manager/tmux.nix index 9e26dfe..ffcd441 100644 --- a/modules/home-manager/tmux.nix +++ b/modules/home-manager/tmux.nix @@ -1 +1 @@ -{} \ No newline at end of file +{ } diff --git a/modules/home-manager/vim.nix b/modules/home-manager/vim.nix index f66535f..1bab02b 100644 --- a/modules/home-manager/vim.nix +++ b/modules/home-manager/vim.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let inherit (lib) mkIf mkEnableOption getExe; cfg = config.custom-hm.neovim; @@ -13,7 +18,10 @@ in enable = mkEnableOption "neovim configurations"; }; config = mkIf cfg.enable { - home.packages = with pkgs; [ nixvim neovide ]; + home.packages = with pkgs; [ + nixvim + neovide + ]; programs.neovim.enable = false; home.file.".config/neovide/config.toml" = { source = tomlFormat.generate "neovide-config" neovideConfig; diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index 9017f4c..5c801fc 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix 
@@ -1,4 +1,10 @@ -{ inputs, config, lib, pkgs, ... }: +{ + inputs, + config, + lib, + pkgs, + ... +}: with lib; let @@ -6,7 +12,10 @@ let packages = { nixPackages = { - systemPackages = with pkgs; [ nixd nixpkgs-fmt ]; + systemPackages = with pkgs; [ + nixd + nixpkgs-fmt + ]; extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ jnoortheen.nix-ide ]; @@ -17,10 +26,15 @@ let }; }; cxxPackages = { - systemPackages = with pkgs; [ clang-tools cmake-format ]; + systemPackages = with pkgs; [ + clang-tools + cmake-format + ]; extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ llvm-vs-code-extensions.vscode-clangd - (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; })) + (ms-vscode.cmake-tools.overrideAttrs (_: { + sourceRoot = "extension"; + })) twxs.cmake ms-vscode.cpptools ]; @@ -43,7 +57,10 @@ let settings = { }; }; scalaPackages = { - systemPackages = with pkgs; [ coursier metals ]; + systemPackages = with pkgs; [ + coursier + metals + ]; extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ scala-lang.scala scalameta.metals 
@@ -61,20 +78,56 @@ let { "name" = "xelatex"; "command" = "xelatex"; - "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ]; + "args" = [ + "-synctex=1" + "-interaction=nonstopmode" + "-file-line-error" + "%DOCFILE%" + ]; } { "name" = "pdflatex"; "command" = "pdflatex"; - "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ]; + "args" = [ + "-synctex=1" + "-interaction=nonstopmode" + "-file-line-error" + "%DOCFILE%" + ]; + } + { + "name" = "bibtex"; + "command" = "bibtex"; + "args" = [ "%DOCFILE%" ]; } - { "name" = "bibtex"; "command" = "bibtex"; "args" = [ "%DOCFILE%" ]; } ]; "latex-workshop.latex.recipes" = [ - { "name" = "xelatex"; "tools" = [ "xelatex" ]; } - { "name" = "pdflatex"; "tools" = [ "pdflatex" ]; } - { "name" = "xe->bib->xe->xe"; "tools" = [ "xelatex" "bibtex" "xelatex" "xelatex" ]; } - { "name" = "pdf->bib->pdf->pdf"; "tools" = [ "pdflatex" "bibtex" "pdflatex" "pdflatex" ]; } + { + "name" = "xelatex"; + "tools" = [ "xelatex" ]; + } + { + "name" = "pdflatex"; + "tools" = [ "pdflatex" ]; + } + { + "name" = "xe->bib->xe->xe"; + "tools" = [ + "xelatex" + "bibtex" + "xelatex" + "xelatex" + ]; + } + { + "name" = "pdf->bib->pdf->pdf"; + "tools" = [ + "pdflatex" + "bibtex" + "pdflatex" + "pdflatex" + ]; + } ]; "[latex]" = { "editor.formatOnPaste" = false; @@ -88,9 +141,15 @@ let }; llmExtensions = [ pkgs.vscode-extensions.continue.continue ]; - languages = [ "nix" "cxx" "python" "scala" "latex" ]; - zipAttrsWithLanguageOption = (attr: - (map (l: (lib.mkIf cfg.languages.${l} packages."${l}Packages".${attr})) languages) + languages = [ + "nix" + "cxx" + "python" + "scala" + "latex" + ]; + zipAttrsWithLanguageOption = ( + attr: (map (l: (lib.mkIf cfg.languages.${l} packages."${l}Packages".${attr})) languages) ); in { 
@@ -111,64 +170,71 @@ in config = mkIf cfg.enable { nixpkgs.config.allowUnfree = true; - home.packages = lib.mkMerge ([ - [ pkgs.clang-tools ] - (mkIf cfg.llm [ pkgs.ollama ]) - ] ++ zipAttrsWithLanguageOption "systemPackages"); + home.packages = lib.mkMerge ( + [ + [ pkgs.clang-tools ] + (mkIf cfg.llm [ pkgs.ollama ]) + ] + ++ zipAttrsWithLanguageOption "systemPackages" + ); programs.vscode = { enable = true; package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; }; enableUpdateCheck = false; enableExtensionUpdateCheck = false; mutableExtensionsDir = false; - extensions = lib.mkMerge ([ - (with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ - mkhl.direnv + extensions = lib.mkMerge ( + [ + (with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ + mkhl.direnv - ms-azuretools.vscode-docker - ms-vscode-remote.remote-ssh - vscodevim.vim - github.vscode-pull-request-github - gruntfuggly.todo-tree # todo highlight + ms-azuretools.vscode-docker + ms-vscode-remote.remote-ssh + vscodevim.vim + github.vscode-pull-request-github + gruntfuggly.todo-tree # todo highlight - # Markdown - davidanson.vscode-markdownlint - # Latex - # Scale / chisel - sterben.fpga-support + # Markdown + davidanson.vscode-markdownlint + # Latex + # Scale / chisel + sterben.fpga-support - ms-vscode-remote.remote-ssh-edit - mushan.vscode-paste-image - ]) + ms-vscode-remote.remote-ssh-edit + mushan.vscode-paste-image + ]) - (with pkgs.vscode-extensions; [ - waderyan.gitblame - catppuccin.catppuccin-vsc - # Rust - rust-lang.rust-analyzer - ]) + (with pkgs.vscode-extensions; [ + waderyan.gitblame + catppuccin.catppuccin-vsc + # Rust + rust-lang.rust-analyzer + ]) - (mkIf cfg.llm llmExtensions) - ] ++ zipAttrsWithLanguageOption "extension"); - userSettings = lib.mkMerge ([ - { - "workbench.colorTheme" = "Catppuccin Macchiato"; - "terminal.integrated.sendKeybindingsToShell" = true; - "extensions.ignoreRecommendations" = true; - 
"files.autoSave" = "afterDelay"; - "editor.inlineSuggest.enabled" = true; - "editor.rulers" = [ - 80 - ]; - "editor.mouseWheelZoom" = true; - "git.autofetch" = false; - "window.zoomLevel" = -1; + (mkIf cfg.llm llmExtensions) + ] + ++ zipAttrsWithLanguageOption "extension" + ); + userSettings = lib.mkMerge ( + [ + { + "workbench.colorTheme" = "Catppuccin Macchiato"; + "terminal.integrated.sendKeybindingsToShell" = true; + "extensions.ignoreRecommendations" = true; + "files.autoSave" = "afterDelay"; + "editor.inlineSuggest.enabled" = true; + "editor.rulers" = [ 80 ]; + "editor.mouseWheelZoom" = true; + "git.autofetch" = false; + "window.zoomLevel" = -1; - "extensions.experimental.affinity" = { - "vscodevim.vim" = 1; - }; - } - ] ++ zipAttrsWithLanguageOption "settings"); + "extensions.experimental.affinity" = { + "vscodevim.vim" = 1; + }; + } + ] + ++ zipAttrsWithLanguageOption "settings" + ); }; home.file.".continue/config.json".text = lib.generators.toJSON { } { @@ -180,7 +246,7 @@ in } ]; tabAutocompleteModel = { - model ="deepseek-coder:6.7b-base"; + model = "deepseek-coder:6.7b-base"; provider = "ollama"; title = "codegemma"; }; diff --git a/modules/home-manager/zellij.nix b/modules/home-manager/zellij.nix index 1a3f737..be2d4fe 100644 --- a/modules/home-manager/zellij.nix +++ b/modules/home-manager/zellij.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, ... }: with lib; diff --git a/modules/nixos/common-settings/auth.nix b/modules/nixos/common-settings/auth.nix index f70d350..d0a54cb 100644 --- a/modules/nixos/common-settings/auth.nix +++ b/modules/nixos/common-settings/auth.nix @@ -1,7 +1,17 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let - inherit (lib) mkIf mkEnableOption mkOption types; + inherit (lib) + mkIf + mkEnableOption + mkOption + types + ; cfg = config.commonSettings.auth; in @@ -38,4 +48,3 @@ in }; }; } - 
diff --git a/modules/nixos/common-settings/nix-conf.nix b/modules/nixos/common-settings/nix-conf.nix index 5313b9f..96759bc 100644 --- a/modules/nixos/common-settings/nix-conf.nix +++ b/modules/nixos/common-settings/nix-conf.nix @@ -1,7 +1,17 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let - inherit (lib) mkIf mkEnableOption mkOption types; + inherit (lib) + mkIf + mkEnableOption + mkOption + types + ; cfg = config.commonSettings.nix; in @@ -33,7 +43,10 @@ in nix.optimise.automatic = true; nix.settings = { - experimental-features = [ "nix-command" "flakes" ]; + experimental-features = [ + "nix-command" + "flakes" + ]; auto-optimise-store = true; trusted-users = [ "root" ]; @@ -52,10 +65,7 @@ in "xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y=" ]; - secret-key-files = mkIf cfg.signing.enable [ - cfg.signing.keyFile - ]; + secret-key-files = mkIf cfg.signing.enable [ cfg.signing.keyFile ]; }; }; } - diff --git a/modules/nixos/forgejo-actions-runner.nix b/modules/nixos/forgejo-actions-runner.nix index 5b76c69..b0584c4 100644 --- a/modules/nixos/forgejo-actions-runner.nix +++ b/modules/nixos/forgejo-actions-runner.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let cfg = config.custom.forgejo-actions-runner; in @@ -6,9 +11,7 @@ in options = { custom.forgejo-actions-runner = { enable = lib.mkEnableOption "TPM supported ssh agent in go"; - tokenFile = lib.mkOption { - type = lib.types.path; - }; + tokenFile = lib.mkOption { type = lib.types.path; }; }; }; config = lib.mkIf cfg.enable { diff --git a/modules/nixos/hedgedoc.nix b/modules/nixos/hedgedoc.nix index 6aa5de2..a632a78 100644 --- a/modules/nixos/hedgedoc.nix +++ b/modules/nixos/hedgedoc.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: with lib; 
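Review bot: `tokenFile = lib.mkOption { type = lib.types.path; };` in forgejo-actions-runner.nix carries no `description`, and because `types.path` also accepts a Nix path literal, a caller who writes `tokenFile = ./token;` would have the registration token copied into the world-readable Nix store. The same undocumented secret-path options appear later in this diff in hedgedoc's `environmentFile`, inbounds' `privKeyFile` (and its `_secret` submodule), miniflux's `oauth2SecretFile` and prometheus' `grafana.password_file`; machines/sops.nix in this same diff suggests they are meant to receive sops-nix secret paths, which are strings and safe. I would state that in the option, e.g. `tokenFile = lib.mkOption { type = lib.types.path; description = "Runtime path to the runner registration token (e.g. a sops-nix secret path); do not pass a path literal, as it would be copied into the Nix store."; };`. The adjacent `mkEnableOption "TPM supported ssh agent in go"` is a context line, but its text looks copied from another module and does not describe a Forgejo Actions runner.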
@@ -26,22 +31,12 @@ in }; oidc = { enable = mkEnableOption "OIDC support for HedgeDoc"; - baseURL = mkOption { - type = types.str; - }; - authorizationURL = mkOption { - type = types.str; - }; - tokenURL = mkOption { - type = types.str; - }; - userProfileURL = mkOption { - type = types.str; - }; - }; - environmentFile = mkOption { - type = types.path; + baseURL = mkOption { type = types.str; }; + authorizationURL = mkOption { type = types.str; }; + tokenURL = mkOption { type = types.str; }; + userProfileURL = mkOption { type = types.str; }; }; + environmentFile = mkOption { type = types.path; }; }; }; config = mkIf cfg.enable { diff --git a/modules/nixos/inbounds.nix b/modules/nixos/inbounds.nix index 0cbd33f..cd6fb9e 100644 --- a/modules/nixos/inbounds.nix +++ b/modules/nixos/inbounds.nix @@ -1,19 +1,16 @@ -{ config -, lib -, ... }: +{ config, lib, ... }: let cfg = config.custom.sing-box-server; - secretFileType = lib.types.submodule { - _secret = lib.types.path; - }; + secretFileType = lib.types.submodule { _secret = lib.types.path; }; singTls = { enabled = true; server_name = config.deployment.targetHost; key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; - certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; + certificate_path = + config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; }; -in +in { options = { enable = lib.mkEnableOption "sing-box proxy server"; 
@@ -22,17 +19,11 @@ in type = lib.types.str; default = "proxy"; }; - password = lib.mkOption { - type = secretFileType; - }; - uuid = lib.mkOption { - type = secretFileType; - }; + password = lib.mkOption { type = secretFileType; }; + uuid = lib.mkOption { type = secretFileType; }; }; wgOut = { - privKeyFile = lib.mkOption { - type = lib.types.path; - }; + privKeyFile = lib.mkOption { type = lib.types.path; }; pubkey = lib.mkOption { type = lib.types.str; default = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; @@ -73,17 +64,19 @@ in } ]; }; - inbounds = [ - # TODO: Trojan and tuic enable - { - tag = "trojan-in"; - type = "trojan"; - listen = "::"; - listen_port = 8080; - users = map (u: removeAttrs u [ "uuid" ]) cfg.users; - tls = singTls; - } - ] ++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: { + inbounds = + [ + # TODO: Trojan and tuic enable + { + tag = "trojan-in"; + type = "trojan"; + listen = "::"; + listen_port = 8080; + users = map (u: removeAttrs u [ "uuid" ]) cfg.users; + tls = singTls; + } + ] + ++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: { tag = "tuic-in" + toString port; type = "tuic"; listen = "::"; 
@@ -102,25 +95,40 @@ in "2606:4700:110:82ed:a443:3c62:6cbc:b59b/128" ]; peers = [ - { public_key= cfg.wgOut.pubkey; - allowed_ips = [ "0.0.0.0/0" "::/0" ]; + { + public_key = cfg.wgOut.pubkey; + allowed_ips = [ + "0.0.0.0/0" + "::/0" + ]; server = "162.159.192.1"; server_port = 500; } ]; } - { type = "direct"; tag = "direct-out"; } - { type = "dns"; tag = "dns-out"; } + { + type = "direct"; + tag = "direct-out"; + } + { + type = "dns"; + tag = "dns-out"; + } ]; route = { - rules = [ - { outbound = "dns-out"; protocol = "dns"; } - ] ++ lib.forEach cfg.tuic.directPorts (port: { - inbound = "tuic-in" + toString port; - outbound = "direct-out"; - }); + rules = + [ + { + outbound = "dns-out"; + protocol = "dns"; + } + ] + ++ lib.forEach cfg.tuic.directPorts (port: { + inbound = "tuic-in" + toString port; + outbound = "direct-out"; + }); }; }; }; }; -} \ No newline at end of file +} diff --git a/modules/nixos/kanidm-client.nix b/modules/nixos/kanidm-client.nix index 41d974d..80e2bf9 100644 --- a/modules/nixos/kanidm-client.nix +++ b/modules/nixos/kanidm-client.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: with lib; let 
@@ -27,31 +32,29 @@ in type = types.listOf types.str; default = [ ]; }; - uri = mkOption { - type = types.str; - }; + uri = mkOption { type = types.str; }; }; }; config = mkIf cfg.enable { - services.kanidm = mkMerge - [ (mkIf cfg.enable { - enableClient = true; - clientSettings = { - uri = cfg.uri; - }; - }) - (mkIf cfg.asSSHAuth.enable { - enablePam = true; - unixSettings = { - pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups; - default_shell = "/bin/sh"; - }; - }) - ]; + services.kanidm = mkMerge [ + (mkIf cfg.enable { + enableClient = true; + clientSettings = { + uri = cfg.uri; + }; + }) + (mkIf cfg.asSSHAuth.enable { + enablePam = true; + unixSettings = { + pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups; + default_shell = "/bin/sh"; + }; + }) + ]; services.openssh = mkIf cfg.asSSHAuth.enable { enable = true; authorizedKeysCommand = "/etc/ssh/auth %u"; - authorizedKeysCommandUser = "kanidm-ssh-runner"; + authorizedKeysCommandUser = "kanidm-ssh-runner"; settings = mkIf cfg.asSSHAuth.enable { PasswordAuthentication = false; KbdInteractiveAuthentication = false; @@ -70,8 +73,10 @@ in }; users.groups.wheel.members = cfg.sudoers; users.groups.kanidm-ssh-runner = { }; - users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; }; + users.users.kanidm-ssh-runner = { + isSystemUser = true; + group = "kanidm-ssh-runner"; + }; }; } - diff --git a/modules/nixos/miniflux.nix b/modules/nixos/miniflux.nix index 2d539e0..0653f41 100644 --- a/modules/nixos/miniflux.nix +++ b/modules/nixos/miniflux.nix @@ -1,6 +1,19 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let - inherit (lib) mkEnableOption mkPackageOption mkOption types literalExpression mkIf mkDefault; + inherit (lib) + mkEnableOption + mkPackageOption + mkOption + types + literalExpression + mkIf + mkDefault + ; cfg = config.custom.miniflux; defaultAddress = "localhost:8080"; 
@@ -18,12 +31,15 @@ in package = mkPackageOption pkgs "miniflux" { }; - oauth2SecretFile = mkOption { - type = types.path; - }; + oauth2SecretFile = mkOption { type = types.path; }; environment = mkOption { - type = with types; attrsOf (oneOf [ int str ]); + type = + with types; + attrsOf (oneOf [ + int + str + ]); }; createDatabaseLocally = mkOption { @@ -50,17 +66,22 @@ in services.postgresql = lib.mkIf cfg.createDatabaseLocally { enable = true; - ensureUsers = [{ - name = "miniflux"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "miniflux"; + ensureDBOwnership = true; + } + ]; ensureDatabases = [ "miniflux" ]; }; systemd.services.miniflux-dbsetup = lib.mkIf cfg.createDatabaseLocally { description = "Miniflux database setup"; requires = [ "postgresql.service" ]; - after = [ "network.target" "postgresql.service" ]; + after = [ + "network.target" + "postgresql.service" + ]; serviceConfig = { Type = "oneshot"; User = config.services.postgresql.superUser; @@ -72,8 +93,12 @@ in description = "Miniflux service"; wantedBy = [ "multi-user.target" ]; requires = lib.optional cfg.createDatabaseLocally "miniflux-dbsetup.service"; - after = [ "network.target" ] - ++ lib.optionals cfg.createDatabaseLocally [ "postgresql.service" "miniflux-dbsetup.service" ]; + after = + [ "network.target" ] + ++ lib.optionals cfg.createDatabaseLocally [ + "postgresql.service" + "miniflux-dbsetup.service" + ]; serviceConfig = { Type = "notify"; @@ -104,12 +129,19 @@ in ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; - RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@privileged" ]; + SystemCallFilter = [ + "@system-service" + "~@privileged" + ]; UMask = "0077"; }; 
diff --git a/modules/nixos/oidc-agent.nix b/modules/nixos/oidc-agent.nix index 35ce679..61eea1c 100644 --- a/modules/nixos/oidc-agent.nix +++ b/modules/nixos/oidc-agent.nix @@ -1,10 +1,20 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let - inherit (lib) mkIf mkEnableOption mkOption types; + inherit (lib) + mkIf + mkEnableOption + mkOption + types + ; cfg = config.programs.oidc-agent; - providerFormat = pkgs.formats.json {}; + providerFormat = pkgs.formats.json { }; in { options.programs.oidc-agent = { @@ -18,7 +28,7 @@ in }; providers = mkOption { type = providerFormat.type; - default = {}; + default = { }; description = '' Configuration of providers which contains a json array of json objects each describing an issuer, see https://indigo-dc.gitbook.io/oidc-agent/configuration/issuers diff --git a/modules/nixos/prometheus/blackbox.nix b/modules/nixos/prometheus/blackbox.nix index 7886b06..1bfd896 100644 --- a/modules/nixos/prometheus/blackbox.nix +++ b/modules/nixos/prometheus/blackbox.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.custom.prometheus; in @@ -8,7 +13,7 @@ in enable = true; listenAddress = "127.0.0.1"; configFile = pkgs.writeText "blackbox.config.yaml" ( - lib.generators.toYAML {} { + lib.generators.toYAML { } { modules = { tcp4_connect = { prober = "tcp"; @@ -25,7 +30,7 @@ in }; services.prometheus.scrapeConfigs = [ - { + { job_name = "blackbox"; scrape_interval = "1m"; metrics_path = "/probe"; 
@@ -73,8 +78,13 @@ in alert = "HighProbeLatency"; expr = "probe_duration_seconds > 0.5"; for = "2m"; - labels = { severity = "warning"; }; - annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; }; + labels = { + severity = "warning"; + }; + annotations = { + summary = "High request latency on {{ $labels.instance }}"; + description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; + }; } ]; } diff --git a/modules/nixos/prometheus/caddy.nix b/modules/nixos/prometheus/caddy.nix index 96b7f43..98e6783 100644 --- a/modules/nixos/prometheus/caddy.nix +++ b/modules/nixos/prometheus/caddy.nix @@ -13,9 +13,7 @@ in services.prometheus.scrapeConfigs = [ { job_name = "caddy"; - static_configs = [ - { targets = [ "127.0.0.1:2019" ]; } - ]; + static_configs = [ { targets = [ "127.0.0.1:2019" ]; } ]; } ]; @@ -27,8 +25,12 @@ in alert = "UpstreamHealthy"; expr = "caddy_reverse_proxy_upstreams_healthy != 1"; for = "5m"; - labels = { severity = "critical"; }; - annotations = { summary = "Upstream {{ $labels.unstream }} not healthy"; }; + labels = { + severity = "critical"; + }; + annotations = { + summary = "Upstream {{ $labels.unstream }} not healthy"; + }; } ]; } diff --git a/modules/nixos/prometheus/default.nix b/modules/nixos/prometheus/default.nix index a560737..ed2544a 100644 --- a/modules/nixos/prometheus/default.nix +++ b/modules/nixos/prometheus/default.nix 
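Review bot: The reformatted annotation in prometheus/caddy.nix still reads `summary = "Upstream {{ $labels.unstream }} not healthy";`; `caddy_reverse_proxy_upstreams_healthy` carries the label `upstream`, so `unstream` renders as an empty string and the notification names no upstream. The line should be `summary = "Upstream {{ $labels.upstream }} not healthy";`. Since the commit already rewrites this line, fixing the label name here avoids a second touch.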
@@ -1,26 +1,31 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: with lib; let cfg = config.custom.prometheus; - mkExporterOption = enableOption: (mkOption { - type = types.bool; - default = enableOption; - description = "Enable this exporter"; - }); + mkExporterOption = + enableOption: + (mkOption { + type = types.bool; + default = enableOption; + description = "Enable this exporter"; + }); mkRulesOption = mkOption { - type = types.listOf (types.submodule { - options = { - name = mkOption { - type = lib.types.str; + type = types.listOf ( + types.submodule { + options = { + name = mkOption { type = lib.types.str; }; + rules = mkOption { type = lib.types.listOf lib.types.attrs; }; }; - rules = mkOption { - type = lib.types.listOf lib.types.attrs; - }; - }; - }); + } + ); }; in { 
@@ -54,153 +59,172 @@ in }; grafana = { enable = mkEnableOption "Grafana Cloud"; - password_file = mkOption { - type = types.path; - }; + password_file = mkOption { type = types.path; }; }; ruleModules = mkRulesOption; }; }; - config = mkIf cfg.enable - { - services.tailscale = { - enable = true; - permitCertUid = config.services.caddy.user; - openFirewall = true; - }; + config = mkIf cfg.enable { + services.tailscale = { + enable = true; + permitCertUid = config.services.caddy.user; + openFirewall = true; + }; - services.caddy = { - enable = true; - virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = '' - reverse_proxy 127.0.0.1:${toString config.services.prometheus.port} - ''; - }; + services.caddy = { + enable = true; + virtualHosts."${config.networking.hostName}.coho-tet.ts.net".extraConfig = '' + reverse_proxy 127.0.0.1:${toString config.services.prometheus.port} + ''; + }; - services.prometheus = mkIf cfg.enable + services.prometheus = mkIf cfg.enable { + enable = true; + port = 9091; + globalConfig.external_labels = { + hostname = config.networking.hostName; + }; + remoteWrite = mkIf cfg.grafana.enable [ { + name = "grafana"; + url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push"; + basic_auth = { + username = "1340065"; + password_file = cfg.grafana.password_file; + }; + } + ]; + exporters = { + node = { enable = true; - port = 9091; - globalConfig.external_labels = { hostname = config.networking.hostName; }; - remoteWrite = mkIf cfg.grafana.enable [ - { - name = "grafana"; - url = "https://prometheus-prod-24-prod-eu-west-2.grafana.net/api/prom/push"; - basic_auth = { - username = "1340065"; - password_file = cfg.grafana.password_file; - }; - } + enabledCollectors = [ + "loadavg" + "time" + "systemd" ]; - exporters = { - node = { - enable = true; - enabledCollectors = [ - "loadavg" - "time" - "systemd" - ]; - listenAddress = "127.0.0.1"; - port = 9100; - }; - }; - scrapeConfigs = [ - { - job_name = "prometheus"; 
- static_configs = [ - { targets = [ "localhost:${toString config.services.prometheus.port}" ]; } - ]; - } - { - job_name = "node"; - static_configs = [ - { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } - ]; - } - ]; - - alertmanager = { - enable = true; - listenAddress = "127.0.0.1"; - logLevel = "debug"; - configuration = { - route = { - receiver = "ntfy"; - }; - receivers = [ - { - name = "ntfy"; - webhook_configs = [ - { - url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL '' - Alert {{.status}} - {{range .alerts}}-----{{range $k,$v := .labels}} - {{$k}}={{$v}}{{end}} - {{end}} - ''}"; - send_resolved = true; - } - ]; - } - ]; - }; - }; - - alertmanagers = [ - { - scheme = "http"; - static_configs = [ - { - targets = [ - "${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}" - ]; - } - ]; - } - ]; - rules = [ (lib.generators.toYAML { } { groups = cfg.ruleModules; }) ]; + listenAddress = "127.0.0.1"; + port = 9100; }; - custom.prometheus.ruleModules = [ + }; + scrapeConfigs = [ { - name = "system_alerts"; - rules = [ + job_name = "prometheus"; + static_configs = [ { targets = [ "localhost:${toString config.services.prometheus.port}" ]; } ]; + } + { + job_name = "node"; + static_configs = [ + { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } + ]; + } + ]; + + alertmanager = { + enable = true; + listenAddress = "127.0.0.1"; + logLevel = "debug"; + configuration = { + route = { + receiver = "ntfy"; + }; + receivers = [ { - alert = "SystemdFailedUnits"; - expr = "node_systemd_unit_state{state=\"failed\"} > 0"; - for = "5m"; - labels = { severity = "critical"; }; - annotations = { summary = "Systemd has failed units on {{ $labels.instance }}"; description = "There are {{ $value }} failed units on {{ $labels.instance }}. 
Immediate attention required!"; }; + name = "ntfy"; + webhook_configs = [ + { + url = "https://ntfy.xinyang.life/prometheus-alerts?tpl=yes&m=${lib.escapeURL '' + Alert {{.status}} + {{range .alerts}}-----{{range $k,$v := .labels}} + {{$k}}={{$v}}{{end}} + {{end}} + ''}"; + send_resolved = true; + } + ]; } + ]; + }; + }; + + alertmanagers = [ + { + scheme = "http"; + static_configs = [ { - alert = "HighLoadAverage"; - expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})"; - for = "1m"; - labels = { severity = "warning"; }; - annotations = { summary = "High load average detected on {{ $labels.instance }}"; description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; }; - } - { - alert = "HighTransmitTraffic"; - expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000"; - for = "1m"; - labels = { severity = "warning"; }; - annotations = { summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; }; - } - { - alert = "NetworkTrafficExceedLimit"; - expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200''; - for = "0m"; - labels = { severity = "critical"; }; - annotations = { summary = "Outbound network traffic exceed 300GB for last 30 day"; }; - } - { - alert = "JobDown"; - expr = "up == 0"; - for = "1m"; - labels = { severity = "critical"; }; - annotations = { summary = "Job {{ $labels.job }} down for 1m."; }; + targets = [ + "${config.services.prometheus.alertmanager.listenAddress}:${toString config.services.prometheus.alertmanager.port}" + ]; } ]; } ]; + rules = [ (lib.generators.toYAML { } { groups = cfg.ruleModules; }) ]; }; + custom.prometheus.ruleModules = [ + { + name = "system_alerts"; + rules = [ + { + 
alert = "SystemdFailedUnits"; + expr = "node_systemd_unit_state{state=\"failed\"} > 0"; + for = "5m"; + labels = { + severity = "critical"; + }; + annotations = { + summary = "Systemd has failed units on {{ $labels.instance }}"; + description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!"; + }; + } + { + alert = "HighLoadAverage"; + expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})"; + for = "1m"; + labels = { + severity = "warning"; + }; + annotations = { + summary = "High load average detected on {{ $labels.instance }}"; + description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; + }; + } + { + alert = "HighTransmitTraffic"; + expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000"; + for = "1m"; + labels = { + severity = "warning"; + }; + annotations = { + summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; + description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; + }; + } + { + alert = "NetworkTrafficExceedLimit"; + expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200''; + for = "0m"; + labels = { + severity = "critical"; + }; + annotations = { + summary = "Outbound network traffic exceed 300GB for last 30 day"; + }; + } + { + alert = "JobDown"; + expr = "up == 0"; + for = "1m"; + labels = { + severity = "critical"; + }; + annotations = { + summary = "Job {{ $labels.job }} down for 1m."; + }; + } + ]; + } + ]; + }; } diff --git a/modules/nixos/prometheus/gotosocial.nix b/modules/nixos/prometheus/gotosocial.nix index a643d19..e5da05e 100644 --- a/modules/nixos/prometheus/gotosocial.nix +++ b/modules/nixos/prometheus/gotosocial.nix 
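Review bot: Alertmanager in prometheus/default.nix is configured with `logLevel = "debug";`, which is verbose for a permanently running service and reads like a leftover from troubleshooting; `logLevel = "info";` is the usual setting. The ntfy receiver posts the alert status and every label of every alert (hostnames, unit and job names) to `https://ntfy.xinyang.life/prometheus-alerts`, and the hunk shows no credential on that webhook, so whether the topic is read-protected depends on ntfy server configuration not visible here and is worth confirming. The `config = mkIf cfg.enable {` block is fully contained in this hunk.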
@@ -10,9 +10,7 @@ in
 services.prometheus.scrapeConfigs = [
 {
 job_name = "gotosocial";
- static_configs = [
- { targets = [ "localhost:8080" ]; }
- ];
+ static_configs = [ { targets = [ "localhost:8080" ]; } ];
 }
 ];
 };
diff --git a/modules/nixos/prometheus/immich.nix b/modules/nixos/prometheus/immich.nix
index 095075d..4b92500 100644
--- a/modules/nixos/prometheus/immich.nix
+++ b/modules/nixos/prometheus/immich.nix
@@ -3,9 +3,10 @@ let
 cfg = config.custom.prometheus;
 immichEnv = config.services.immich.environment;
 metricPort =
- if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv
- then immichEnv.IMMICH_API_METRICS_PORT
- else 8081;
+ if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv then
+ immichEnv.IMMICH_API_METRICS_PORT
+ else
+ 8081;
 in
 {
 config = lib.mkIf (cfg.enable && cfg.exporters.immich.enable) {
@@ -16,9 +17,7 @@ in
 services.prometheus.scrapeConfigs = [
 {
 job_name = "immich";
- static_configs = [
- { targets = [ "127.0.0.1:${toString metricPort}" ]; }
- ];
+ static_configs = [ { targets = [ "127.0.0.1:${toString metricPort}" ]; } ];
 }
 ];
 };
diff --git a/modules/nixos/prometheus/miniflux.nix b/modules/nixos/prometheus/miniflux.nix
index 5339de3..b437b00 100644
--- a/modules/nixos/prometheus/miniflux.nix
+++ b/modules/nixos/prometheus/miniflux.nix
@@ -8,9 +8,7 @@ in
 services.prometheus.scrapeConfigs = [
 {
 job_name = "miniflux";
- static_configs = [
- { targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; }
- ];
+ static_configs = [ { targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; } ];
 }
 ];
 };
diff --git a/modules/nixos/prometheus/ntfy-sh.nix b/modules/nixos/prometheus/ntfy-sh.nix
index 513f130..94e81f7 100644
--- a/modules/nixos/prometheus/ntfy-sh.nix
+++ b/modules/nixos/prometheus/ntfy-sh.nix
@@ -8,9 +8,7 @@ in
 services.prometheus.scrapeConfigs = [
 {
 job_name = "ntfy-sh";
- static_configs = [
- { targets = [ "ntfy.xinyang.life" ]; }
- ];
+ static_configs = [ { targets = [ "ntfy.xinyang.life" ]; } ];
 }
 ];
 };
diff --git a/modules/nixos/prometheus/restic.nix b/modules/nixos/prometheus/restic.nix
index 750b61a..a3ab710 100644
--- a/modules/nixos/prometheus/restic.nix
+++ b/modules/nixos/prometheus/restic.nix
@@ -9,9 +9,7 @@ in
 services.prometheus.scrapeConfigs = [
 (lib.mkIf cfg.exporters.restic.enable {
 job_name = "restic";
- static_configs = [
- { targets = [ config.services.restic.server.listenAddress ]; }
- ];
+ static_configs = [ { targets = [ config.services.restic.server.listenAddress ]; } ];
 })
 ];
 
@@ -23,15 +21,25 @@ in
 alert = "ResticCheckFailed";
 expr = "restic_check_success == 0";
 for = "5m";
- labels = { severity = "critical"; };
- annotations = { summary = "Restic check failed (instance {{ $labels.instance }})"; description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; };
+ labels = {
+ severity = "critical";
+ };
+ annotations = {
+ summary = "Restic check failed (instance {{ $labels.instance }})";
+ description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}";
+ };
 }
 {
 alert = "ResticOutdatedBackup";
 expr = "time() - restic_backup_timestamp > 518400";
 for = "0m";
- labels = { severity = "critical"; };
- annotations = { summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated"; description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; };
+ labels = {
+ severity = "critical";
+ };
+ annotations = {
+ summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated";
+ description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}";
+ };
 }
 ];
 }
diff --git a/modules/nixos/restic.nix b/modules/nixos/restic.nix
index 07a8dad..1d6685c 100644
--- a/modules/nixos/restic.nix
+++ b/modules/nixos/restic.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 let
 cfg = config.custom.restic;
 in
@@ -45,4 +50,3 @@ in
 };
 };
 }
-
diff --git a/modules/nixos/sing-box.nix b/modules/nixos/sing-box.nix
index 572291b..695356e 100644
--- a/modules/nixos/sing-box.nix
+++ b/modules/nixos/sing-box.nix
@@ -1,4 +1,10 @@
-{ config, pkgs, lib, utils, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ utils,
+ ...
+}:
 let
 cfg = config.custom.sing-box;
 settingsFormat = pkgs.formats.json { };
@@ -16,9 +22,7 @@ in
 };
 configFile = {
- urlFile = lib.mkOption {
- type = lib.types.path;
- };
+ urlFile = lib.mkOption { type = lib.types.path; };
 name = lib.mkOption {
 type = lib.types.str;
 default = "config.json";
@@ -62,10 +66,10 @@ in
 systemd.packages = [ cfg.package ];
- systemd.services.sing-box =
- let
- configFile = cfg.stateDir + "/${cfg.configFile.name}";
- in
+ systemd.services.sing-box =
+ let
+ configFile = cfg.stateDir + "/${cfg.configFile.name}";
+ in
 {
 preStart = ''
 umask 0077
@@ -81,4 +85,3 @@ in
 };
 };
 }
-
diff --git a/modules/nixos/ssh-tpm-agent.nix b/modules/nixos/ssh-tpm-agent.nix
index f368c46..1465bce 100644
--- a/modules/nixos/ssh-tpm-agent.nix
+++ b/modules/nixos/ssh-tpm-agent.nix
@@ -1,5 +1,10 @@
 # Temporary workaround
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 let
 cfg = config.services.ssh-tpm-agent;
 in
diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix
index b4c7d04..82c0e41 100644
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 
 with lib;
 
@@ -23,7 +28,7 @@ in
 };
 };
 config = mkIf cfg.enable {
- services.vaultwarden = {
+ services.vaultwarden = {
 enable = true;
 dbBackend = "sqlite";
 config = {
@@ -44,4 +49,3 @@ in
 };
 };
 }
-
diff --git a/oci-images/nix-ci-base/flake.nix b/oci-images/nix-ci-base/flake.nix
index 8e6b882..9ef4fc0 100644
--- a/oci-images/nix-ci-base/flake.nix
+++ b/oci-images/nix-ci-base/flake.nix
@@ -6,72 +6,78 @@
 flake-utils.url = "github:numtide/flake-utils";
 };
 
- outputs = {
- self,
- flake-utils,
- nix,
- nixpkgs,
- ...
- }:
- flake-utils.lib.eachDefaultSystem (system: let
- pkgs = (import nixpkgs) {
- inherit system;
- };
- lib = pkgs.lib;
- in rec {
- packages = rec {
- # a modified version of the nixos/nix image
- # re-using the upstream nix docker image generation code
- base = import (nix + "/docker.nix") {
- inherit pkgs;
- name = "nix-ci-base";
- maxLayers = 10;
- extraPkgs = with pkgs; [
- nodejs_20 # nodejs is needed for running most 3rdparty actions
- # add any other pre-installed packages here
- curl
- xz
- openssl
- coreutils-full
- cmake
- gnumake
- gcc
- ];
- # change this is you want
- channelURL = "https://nixos.org/channels/nixpkgs-23.11";
- nixConf = {
- substituters = [
- "https://mirrors.bfsu.edu.cn/nix-channels/store"
- "https://mirrors.ustc.edu.cn/nix-channels/store"
- "https://cache.nixos.org/"
+ outputs =
+ {
+ self,
+ flake-utils,
+ nix,
+ nixpkgs,
+ ...
+ }:
+ flake-utils.lib.eachDefaultSystem (
+ system:
+ let
+ pkgs = (import nixpkgs) { inherit system; };
+ lib = pkgs.lib;
+ in
+ rec {
+ packages = rec {
+ # a modified version of the nixos/nix image
+ # re-using the upstream nix docker image generation code
+ base = import (nix + "/docker.nix") {
+ inherit pkgs;
+ name = "nix-ci-base";
+ maxLayers = 10;
+ extraPkgs = with pkgs; [
+ nodejs_20 # nodejs is needed for running most 3rdparty actions
+ # add any other pre-installed packages here
+ curl
+ xz
+ openssl
+ coreutils-full
+ cmake
+ gnumake
+ gcc
+ ];
+ # change this is you want
+ channelURL = "https://nixos.org/channels/nixpkgs-23.11";
+ nixConf = {
+ substituters = [
+ "https://mirrors.bfsu.edu.cn/nix-channels/store"
+ "https://mirrors.ustc.edu.cn/nix-channels/store"
+ "https://cache.nixos.org/"
- "https://nix-community.cachix.org"
- ];
- accept-flake-config = "true";
- log-lines = "300";
- trusted-public-keys = [
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- ];
- # allow using the new flake commands in our workflows
- experimental-features = ["nix-command" "flakes"];
+ "https://nix-community.cachix.org"
+ ];
+ accept-flake-config = "true";
+ log-lines = "300";
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ # allow using the new flake commands in our workflows
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ };
+ # make /bin/sleep available on the image
+ runner = pkgs.dockerTools.buildImage {
+ name = "nix-runner";
+ tag = "2.21.0-pkgs-23.11";
+
+ fromImage = base;
+ fromImageName = null;
+ fromImageTag = "latest";
+
+ copyToRoot = pkgs.buildEnv {
+ name = "image-root";
+ paths = [ pkgs.coreutils-full ];
+ pathsToLink = [ "/bin" ]; # add coreutuls (which includes sleep) to /bin
+ };
 };
- # make /bin/sleep available on the image
- runner = pkgs.dockerTools.buildImage {
- name = "nix-runner";
- tag = "2.21.0-pkgs-23.11";
-
- fromImage = base;
- fromImageName = null;
- fromImageTag = "latest";
-
- copyToRoot = pkgs.buildEnv {
- name = "image-root";
- paths = [pkgs.coreutils-full];
- pathsToLink = ["/bin"]; # add coreutuls (which includes sleep) to /bin
- };
- };
- };
- });
+ }
+ );
 }
diff --git a/overlays/add-ime-electron.nix b/overlays/add-ime-electron.nix
index 74e94c6..fe54704 100644
--- a/overlays/add-ime-electron.nix
+++ b/overlays/add-ime-electron.nix
@@ -1,8 +1,13 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 
 {
 nixpkgs.overlays = [
- (self: super: {
+ (self: super: {
 element-desktop = super.element-desktop.override { commandLineArgs = "--enable-wayland-ime"; };
 })
 ];
diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix
index 35b6981..e423f43 100644
--- a/overlays/add-pkgs.nix
+++ b/overlays/add-pkgs.nix
@@ -1,3 +1 @@
-(final: prev: {
- oidc-agent = prev.callPackage ./pkgs/oidc-agent { };
-})
+(final: prev: { oidc-agent = prev.callPackage ./pkgs/oidc-agent { }; })
diff --git a/overlays/pkgs/oidc-agent/default.nix b/overlays/pkgs/oidc-agent/default.nix
index 42f398e..9634c4c 100644
--- a/overlays/pkgs/oidc-agent/default.nix
+++ b/overlays/pkgs/oidc-agent/default.nix
@@ -1,14 +1,15 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, curl
-, webkitgtk
-, libmicrohttpd
-, libsecret
-, qrencode
-, libsodium
-, pkg-config
-, help2man
+{
+ lib,
+ stdenv,
+ fetchFromGitHub,
+ curl,
+ webkitgtk,
+ libmicrohttpd,
+ libsecret,
+ qrencode,
+ libsodium,
+ pkg-config,
+ help2man,
 }:
 
 stdenv.mkDerivation rec {
@@ -19,8 +20,7 @@ stdenv.mkDerivation rec {
 owner = "indigo-dc";
 repo = "oidc-agent";
 rev = "v${version}";
- sha256 = "sha256-cOK/rZ/jnyALLuhDM3+qvwwe4Fjkv8diQBkw7NfVo0c="
- ;
+ sha256 = "sha256-cOK/rZ/jnyALLuhDM3+qvwwe4Fjkv8diQBkw7NfVo0c=";
 };
 
 buildInputs = [
@@ -47,7 +47,6 @@ stdenv.mkDerivation rec {
 make install_man PREFIX=$out
 '';
 
-
 meta = with lib; {
 description = "oidc-agent for managing OpenID Connect tokens on the command line";
 homepage = "https://github.com/indigo-dc/oidc-agent";
@@ -55,4 +54,3 @@ stdenv.mkDerivation rec {
 license = licenses.mit;
 };
 }
-