xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: xin:9a53ca1cea4bbf5b929306924a55a1f8f2589a79
Branches Tags
xin:master
xin:deploy
...
compare: xin:7a795e5ed9aba21216ca84ab5886c9df787359a3
Branches Tags
xin:deploy
xin:master

8 commits
9a53ca1cea ... 7a795e5ed9

Author SHA1 Message Date
xinyangli
7a795e5ed9
treewide: apply the new rfc nixfmt 2024-08-25 17:45:58 +08:00
xinyangli
e702d503b9
home-manager/direnv: enable evalutaion cache through nix-direnv 
(Forgot to enable nix-direnv all this time. How dumb am I.)
 2024-08-25 16:56:38 +08:00
xinyangli
1267f2b4e7
dolomite/acme: fix port conflict with caddy 2024-08-25 16:34:41 +08:00
xinyangli
30689a18b5
massicot/kanidm-server: enable local backups 2024-08-25 16:33:12 +08:00
xinyangli
44482b9e9e
calcite: fix nixos-rebuild wait for nm-online 2024-08-25 16:31:14 +08:00
xinyangli
6120ca25fb
home-manager/firefox: better sidebar 2024-08-25 16:30:22 +08:00
xinyangli
a2422d1f4e
home-manager/shell: add cosmic-term and change ls colors 2024-08-24 13:43:37 +08:00
xinyangli
553622ac66
bump nixvim version 2024-08-24 13:41:58 +08:00
57 changed files with 1492 additions and 907 deletions
Show stats Expand all files Collapse all files

8
flake.lock
View file

@ -293,11 +293,11 @@
"nixvim": "nixvim" "nixvim": "nixvim"
}, },
"locked": { "locked": {
"lastModified": 1724158316, "lastModified": 1724306750,
"narHash": "sha256-cz2N0vPfe0jmjxqKWh7dgVecLqmPLHQrvxGJk0atDbg=", "narHash": "sha256-mT8DXzj0zHfGJ+zuxFAnqnk+0bDEFgEk7TvEk59WbWQ=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "a5eb7fe89ee8ba654f339d8f75cecb39851743ec", "rev": "81990813485a580d69853d8429e3b8aece7f66a6",
"revCount": 4, "revCount": 11,
"type": "git", "type": "git",
"url": "https://git.xinyang.life/xin/nixvim" "url": "https://git.xinyang.life/xin/nixvim"
}, },

110
flake.nix
View file

@ -52,23 +52,23 @@
catppuccin.url = "github:catppuccin/nix"; catppuccin.url = "github:catppuccin/nix";
}; };
outputs = outputs =
{ self {
, home-manager self,
, nixpkgs home-manager,
, nixos-hardware nixpkgs,
, flake-utils nixos-hardware,
, nur flake-utils,
, catppuccin nur,
, my-nixvim catppuccin,
, ... my-nixvim,
...
}@inputs: }@inputs:
let let
nixvimOverlay = (final: prev: { nixvimOverlay = (final: prev: { nixvim = self.packages.${prev.stdenv.system}.nixvim; });
nixvim = self.packages.${prev.stdenv.system}.nixvim; overlayModule =
}); { ... }:
overlayModule = { ... }: { {
nixpkgs.overlays = [ nixpkgs.overlays = [
nixvimOverlay nixvimOverlay
(import ./overlays/add-pkgs.nix) (import ./overlays/add-pkgs.nix)
@ -87,7 +87,10 @@
catppuccin.homeManagerModules.catppuccin catppuccin.homeManagerModules.catppuccin
self.homeManagerModules self.homeManagerModules
]; ];
mkHome = user: host: { ... }: { mkHome =
user: host:
{ ... }:
{
imports = [ imports = [
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
@ -95,7 +98,9 @@
sharedModules = sharedHmModules; sharedModules = sharedHmModules;
useGlobalPkgs = true; useGlobalPkgs = true;
useUserPackages = true; useUserPackages = true;
extraSpecialArgs = { inherit inputs; }; extraSpecialArgs = {
inherit inputs;
};
}; };
home-manager.users.${user} = (import ./home).${user}.${host}; home-manager.users.${user} = (import ./home).${user}.${host};
} }
@ -114,9 +119,17 @@
}; };
}; };
}; };
mkNixos = { system, modules, specialArgs ? { } }: nixpkgs.lib.nixosSystem { mkNixos =
{
system,
modules,
specialArgs ? { },
}:
nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = specialArgs // { inherit inputs system; }; specialArgs = specialArgs // {
inherit inputs system;
};
modules = [ modules = [
self.nixosModules.default self.nixosModules.default
nur.nixosModules.nur nur.nixosModules.nur
@ -125,22 +138,27 @@
in in
{ {
nixpkgs = nixpkgs; nixpkgs = nixpkgs;
nixosModules.default = { imports = [ ./modules/nixos overlayModule ]; }; nixosModules.default = {
imports = [
./modules/nixos
overlayModule
];
};
homeManagerModules = import ./modules/home-manager; homeManagerModules = import ./modules/home-manager;
homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ]; homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ];
colmenaHive = inputs.colmena.lib.makeHive { colmenaHive = inputs.colmena.lib.makeHive {
meta = { meta = {
nixpkgs = import nixpkgs { nixpkgs = import nixpkgs { system = "x86_64-linux"; };
system = "x86_64-linux";
};
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
}; };
massicot = { ... }: { massicot =
{ ... }:
{
deployment.targetHost = "49.13.13.122"; deployment.targetHost = "49.13.13.122";
deployment.buildOnTarget = true; deployment.buildOnTarget = true;
@ -150,10 +168,10 @@
] ++ sharedColmenaModules; ] ++ sharedColmenaModules;
}; };
tok-00 = { ... }: { tok-00 =
imports = [ { ... }:
machines/dolomite {
] ++ sharedColmenaModules; imports = [ machines/dolomite ] ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux"; nixpkgs.system = "x86_64-linux";
networking.hostName = "tok-00"; networking.hostName = "tok-00";
system.stateVersion = "23.11"; system.stateVersion = "23.11";
@ -164,10 +182,10 @@
}; };
}; };
la-00 = { ... }: { la-00 =
imports = [ { ... }:
machines/dolomite {
] ++ sharedColmenaModules; imports = [ machines/dolomite ] ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux"; nixpkgs.system = "x86_64-linux";
networking.hostName = "la-00"; networking.hostName = "la-00";
system.stateVersion = "21.05"; system.stateVersion = "21.05";
@ -178,7 +196,9 @@
}; };
}; };
raspite = { ... }: { raspite =
{ ... }:
{
deployment = { deployment = {
targetHost = "raspite.local"; targetHost = "raspite.local";
buildOnTarget = false; buildOnTarget = false;
@ -191,10 +211,10 @@
] ++ sharedColmenaModules; ] ++ sharedColmenaModules;
}; };
weilite = { ... }: { weilite =
imports = [ { ... }:
machines/weilite {
] ++ sharedColmenaModules; imports = [ machines/weilite ] ++ sharedColmenaModules;
deployment = { deployment = {
targetHost = "weilite.coho-tet.ts.net"; targetHost = "weilite.coho-tet.ts.net";
targetPort = 22; targetPort = 22;
@ -215,12 +235,24 @@
}; };
} // self.colmenaHive.nodes; } // self.colmenaHive.nodes;
} // flake-utils.lib.eachDefaultSystem (system: }
let pkgs = nixpkgs.legacyPackages.${system}; in // flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{ {
devShells = { devShells = {
default = pkgs.mkShell { default = pkgs.mkShell {
packages = with pkgs; [ nix git colmena sops nix-output-monitor nil nvd ]; packages = with pkgs; [
nix
git
colmena
sops
nix-output-monitor
nil
nvd
];
}; };
}; };

127
home/xin/calcite.nix
View file

@ -1,8 +1,6 @@
{ config, pkgs, ... }@inputs: { config, pkgs, ... }@inputs:
{ {
imports = [ imports = [ ./common ];
./common
];
programs.nix-index-database.comma.enable = true; programs.nix-index-database.comma.enable = true;
@ -46,14 +44,41 @@
}; };
custom-hm = { custom-hm = {
alacritty = { enable = true; }; alacritty = {
direnv = { enable = true; }; enable = true;
fish = { enable = true; };
git = { enable = true; signing.enable = true; };
neovim = { enable = true; };
vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; llm = true; };
zellij = { enable = true; };
}; };
cosmic-term = {
enable = true;
};
direnv = {
enable = true;
};
fish = {
enable = true;
};
git = {
enable = true;
signing.enable = true;
};
neovim = {
enable = true;
};
vscode = {
enable = true;
languages = {
cxx = true;
python = true;
scala = true;
latex = true;
};
llm = true;
};
zellij = {
enable = true;
};
};
programs.gnome-shell.enable = true;
programs.atuin = { programs.atuin = {
enable = true; enable = true;
@ -68,10 +93,82 @@
programs.firefox.profiles.default = { programs.firefox.profiles.default = {
isDefault = true; isDefault = true;
userChrome = builtins.readFile "${pkgs.fetchgit { userChrome = ''
url = "https://gist.github.com/0ded98af9fe3da35f3688f81364d8c14.git"; #titlebar {
rev = "11bb4f428382052bcbbceb6cc3fef97f3c939481"; display: none;
hash = "sha256-J11indzEGdUA0HSW8eFe5AjesOxCL/G05KwkJk9GZSY="; }
}}/userChrome.css";
#sidebar-header {
display: none;
}
[titlepreface*="."] #sidebar-header {
visibility: collapse !important;
}
[titlepreface*="."] #titlebar {
visibility: collapse;
}
#sidebar-box{
--uc-sidebar-width: 33px;
--uc-sidebar-hover-width: 300px;
--uc-autohide-sidebar-delay: 90ms;
position: relative;
min-width: var(--uc-sidebar-width) !important;
width: var(--uc-sidebar-width) !important;
max-width: var(--uc-sidebar-width) !important;
z-index:1;
}
#sidebar-box[positionend]{ direction: rtl }
#sidebar-box[positionend] > *{ direction: ltr }
#sidebar-box[positionend]:-moz-locale-dir(rtl){ direction: ltr }
#sidebar-box[positionend]:-moz-locale-dir(rtl) > *{ direction: rtl }
#main-window[sizemode="fullscreen"] #sidebar-box{ --uc-sidebar-width: 1px; }
#sidebar-splitter{ display: none }
#sidebar-header{
overflow: hidden;
color: var(--chrome-color, inherit) !important;
padding-inline: 0 !important;
}
#sidebar-header::before,
#sidebar-header::after{
content: "";
display: -moz-box;
padding-left: 8px;
}
#sidebar-switcher-target{
-moz-box-pack: start !important;
}
#sidebar-header,
#sidebar{
transition: min-width 115ms linear var(--uc-autohide-sidebar-delay) !important;
min-width: var(--uc-sidebar-width) !important;
will-change: min-width;
}
#sidebar-box:hover > #sidebar-header,
#sidebar-box:hover > #sidebar{
min-width: var(--uc-sidebar-hover-width) !important;
transition-delay: 0ms !important;
}
.sidebar-panel{
background-color: transparent !important;
color: var(--newtab-text-primary-color) !important;
}
.sidebar-panel #search-box{
-moz-appearance: none !important;
background-color: rgba(249,249,250,0.1) !important;
color: inherit !important;
}
'';
}; };
} }

8
home/xin/common/default.nix
View file

@ -1,4 +1,10 @@
{ inputs, pkgs, lib, ... }: { {
inputs,
pkgs,
lib,
...
}:
{
imports = [ ]; imports = [ ];
home.packages = with pkgs; [ home.packages = with pkgs; [

4
home/xin/gold/default.nix
View file

@ -1,5 +1,5 @@
{ pkgs, home-manager, ... }: { pkgs, home-manager, ... }:
home-manager.lib.homeManagerConfiguration { home-manager.lib.homeManagerConfiguration {
inherit pkgs; inherit pkgs;
modules = [ modules = [
../common ../common
@ -12,4 +12,4 @@
programs.home-manager.enable = true; programs.home-manager.enable = true;
} }
]; ];
} }

5
home/xin/raspite/default.nix
View file

@ -1,9 +1,6 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ imports = [ ../common ];
../common
];
home.username = "xin"; home.username = "xin";
home.homeDirectory = "/home/xin"; home.homeDirectory = "/home/xin";

56
machines/calcite/configuration.nix
View file

@ -1,8 +1,12 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
{ {
imports = imports = [
[
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./network.nix ./network.nix
@ -22,7 +26,11 @@
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi"; boot.loader.efi.efiSysMountPoint = "/boot/efi";
# boot.kernelPackages = pkgs.linuxPackages_latest; # boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" ]; boot.kernelModules = [
"nvidia"
"nvidia_modeset"
"nvidia_uvm"
];
boot.supportedFilesystems = [ "ntfs" ]; boot.supportedFilesystems = [ "ntfs" ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
@ -45,7 +53,9 @@
programs.steam = { programs.steam = {
enable = true; enable = true;
gamescopeSession = { enable = true; }; gamescopeSession = {
enable = true;
};
}; };
programs.oidc-agent.enable = true; programs.oidc-agent.enable = true;
@ -93,7 +103,6 @@
services.xserver.displayManager.gdm.enable = true; services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true; services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11 # Configure keymap in X11
services.xserver = { services.xserver = {
xkb.layout = "us"; xkb.layout = "us";
@ -135,7 +144,12 @@
users.users.xin = { users.users.xin = {
isNormalUser = true; isNormalUser = true;
description = "xin"; description = "xin";
extraGroups = [ "networkmanager" "wheel" "wireshark" "tss" ]; extraGroups = [
"networkmanager"
"wheel"
"wireshark"
"tss"
];
}; };
services.kanidm = { services.kanidm = {
@ -179,7 +193,8 @@
# reference: https://nixos.wiki/wiki/Python # reference: https://nixos.wiki/wiki/Python
( (
let let
my-python-packages = python-packages: with python-packages; [ my-python-packages =
python-packages: with python-packages; [
pandas pandas
requests requests
numpy numpy
@ -280,14 +295,19 @@
acceleration = "cuda"; acceleration = "cuda";
}; };
# MTP support # MTP support
services.gvfs.enable = true; services.gvfs.enable = true;
# Fonts # Fonts
fonts = { fonts = {
packages = with pkgs; [ packages = with pkgs; [
(nerdfonts.override { fonts = [ "FiraCode" ]; }) (nerdfonts.override {
fonts = [
"FiraCode"
"FiraMono"
"JetBrainsMono"
];
})
noto-fonts noto-fonts
noto-fonts-emoji noto-fonts-emoji
liberation_ttf liberation_ttf
@ -305,9 +325,19 @@
]; ];
fontconfig = { fontconfig = {
defaultFonts = { defaultFonts = {
serif = [ "Noto Serif CJK SC" "Ubuntu" ]; serif = [
sansSerif = [ "Noto Sans CJK SC" "Ubuntu" ]; "Noto Serif CJK SC"
monospace = [ "FiraCode NerdFont Mono" "Noto Sans Mono CJK SC" "Ubuntu" ]; "Ubuntu"
];
sansSerif = [
"Noto Sans CJK SC"
"Ubuntu"
];
monospace = [
"FiraCode NerdFont Mono"
"Noto Sans Mono CJK SC"
"Ubuntu"
];
}; };
}; };
enableDefaultPackages = true; enableDefaultPackages = true;

42
machines/calcite/hardware-configuration.nix
View file

@ -1,14 +1,23 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: {
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ]; boot.initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"ahci"
"usbhid"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.initrd.luks.devices.cryptroot = { boot.initrd.luks.devices.cryptroot = {
device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d"; device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d";
@ -16,26 +25,29 @@
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ # device = "/dev/disk/by-label/NIXROOT"; # device = "/dev/disk/by-label/NIXROOT";
device = "/dev/mapper/cryptroot"; device = "/dev/mapper/cryptroot";
fsType = "btrfs"; fsType = "btrfs";
}; };
fileSystems."/boot/efi" = fileSystems."/boot/efi" = {
{ device = "/dev/disk/by-label/EFIBOOT"; device = "/dev/disk/by-label/EFIBOOT";
fsType = "vfat"; fsType = "vfat";
}; };
fileSystems."/media/data" = fileSystems."/media/data" = {
{ device = "/dev/nvme0n1p7"; device = "/dev/nvme0n1p7";
fsType = "ntfs-3g"; fsType = "ntfs-3g";
options = [ "rw" "uid=1000" "nofail" "x-systemd.device-timeout=2" ]; options = [
"rw"
"uid=1000"
"nofail"
"x-systemd.device-timeout=2"
];
}; };
swapDevices = swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ];
[ { device = "/dev/disk/by-label/NIXSWAP"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's

10
machines/calcite/network.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ...}: { config, pkgs, ... }:
{ {
imports = [ ]; imports = [ ];
@ -10,6 +10,7 @@
dns = "systemd-resolved"; dns = "systemd-resolved";
}; };
}; };
systemd.services.NetworkManager-wait-online.enable = false;
services.resolved = { services.resolved = {
enable = true; enable = true;
@ -37,10 +38,11 @@
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 3389 ]; networking.firewall.allowedTCPPorts = [ 3389 ];
networking.firewall.allowedUDPPorts = [ 3389 41641 ]; networking.firewall.allowedUDPPorts = [
networking.firewall.trustedInterfaces = [ 3389
"tailscale0" 41641
]; ];
networking.firewall.trustedInterfaces = [ "tailscale0" ];
# Use nftables to manager firewall # Use nftables to manager firewall
networking.nftables.enable = true; networking.nftables.enable = true;

26
machines/dolomite/bandwagon.nix
View file

@ -1,28 +1,40 @@
{ config, lib, pkgs, modulesPath, ... }: {
config,
lib,
pkgs,
modulesPath,
...
}:
let let
cfg = config.isBandwagon; cfg = config.isBandwagon;
in in
{ {
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
options = { options = {
isBandwagon = lib.mkEnableOption "Bandwagon instance"; isBandwagon = lib.mkEnableOption "Bandwagon instance";
}; };
config = lib.mkIf cfg { config = lib.mkIf cfg {
boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [
"ata_piix"
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "xfs"; fsType = "xfs";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-label/NIXBOOT"; device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat"; fsType = "vfat";
}; };

41
machines/dolomite/default.nix
View file

@ -1,6 +1,6 @@
{ config, lib, ... }: { config, lib, ... }:
let let
awsHosts = [ "tok-00"]; awsHosts = [ "tok-00" ];
bwgHosts = [ "la-00" ]; bwgHosts = [ "la-00" ];
in in
{ {
@ -10,7 +10,6 @@ in
./lightsail.nix ./lightsail.nix
]; ];
config = { config = {
isBandwagon = builtins.elem config.networking.hostName bwgHosts; isBandwagon = builtins.elem config.networking.hostName bwgHosts;
isLightsail = builtins.elem config.networking.hostName awsHosts; isLightsail = builtins.elem config.networking.hostName awsHosts;
@ -37,10 +36,18 @@ in
acceptTerms = true; acceptTerms = true;
certs.${config.deployment.targetHost} = { certs.${config.deployment.targetHost} = {
email = "me@namely.icu"; email = "me@namely.icu";
listenHTTP = ":80"; # Avoid port conflict
listenHTTP = if config.services.caddy.enable then ":30310" else ":80";
}; };
}; };
networking.firewall.allowedTCPPorts = [ 80 8080 ]; services.caddy.virtualHosts."http://${config.deployment.targetHost}:80".extraConfig = ''
reverse_proxy 127.0.0.1:30310
'';
networking.firewall.allowedTCPPorts = [
80
8080
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
custom.prometheus = { custom.prometheus = {
@ -75,12 +82,14 @@ in
wheelNeedsPassword = false; wheelNeedsPassword = false;
}; };
services.sing-box = let services.sing-box =
let
singTls = { singTls = {
enabled = true; enabled = true;
server_name = config.deployment.targetHost; server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; certificate_path =
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
}; };
password = { password = {
_secret = config.sops.secrets.singbox_password.path; _secret = config.sops.secrets.singbox_password.path;
@ -115,27 +124,31 @@ in
} }
]; ];
}; };
inbounds = [ inbounds =
[
{ {
tag = "sg0"; tag = "sg0";
type = "trojan"; type = "trojan";
listen = "::"; listen = "::";
listen_port = 8080; listen_port = 8080;
users = [ users = [
{ name = "proxy"; {
name = "proxy";
password = password; password = password;
} }
]; ];
tls = singTls; tls = singTls;
} }
] ++ lib.forEach (lib.range 6311 6314) (port: { ]
++ lib.forEach (lib.range 6311 6314) (port: {
tag = "sg" + toString (port - 6310); tag = "sg" + toString (port - 6310);
type = "tuic"; type = "tuic";
listen = "::"; listen = "::";
listen_port = port; listen_port = port;
congestion_control = "bbr"; congestion_control = "bbr";
users = [ users = [
{ name = "proxy"; {
name = "proxy";
uuid = uuid; uuid = uuid;
password = password; password = password;
} }
@ -154,8 +167,12 @@ in
{ _secret = config.sops.secrets.wg_ipv6_local_addr.path; } { _secret = config.sops.secrets.wg_ipv6_local_addr.path; }
]; ];
peers = [ peers = [
{ public_key= "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; {
allowed_ips = [ "0.0.0.0/0" "::/0" ]; public_key = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1"; server = "162.159.192.1";
server_port = 500; server_port = 500;
} }

24
machines/dolomite/lightsail.nix
View file

@ -1,4 +1,10 @@
{ config, lib, pkgs, modulesPath, ... }: {
config,
lib,
pkgs,
modulesPath,
...
}:
with lib; with lib;
let let
cfg = config.ec2; cfg = config.ec2;
@ -39,18 +45,22 @@ in
fsType = "vfat"; fsType = "vfat";
}; };
boot.extraModulePackages = [ boot.extraModulePackages = [ config.boot.kernelPackages.ena ];
config.boot.kernelPackages.ena
];
boot.initrd.kernelModules = [ "xen-blkfront" ]; boot.initrd.kernelModules = [ "xen-blkfront" ];
boot.initrd.availableKernelModules = [ "nvme" ]; boot.initrd.availableKernelModules = [ "nvme" ];
boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ]; boot.kernelParams = [
"console=ttyS0,115200n8"
"random.trust_cpu=on"
];
# Prevent the nouveau kernel module from being loaded, as it # Prevent the nouveau kernel module from being loaded, as it
# interferes with the nvidia/nvidia-uvm modules needed for CUDA. # interferes with the nvidia/nvidia-uvm modules needed for CUDA.
# Also blacklist xen_fbfront to prevent a 30 second delay during # Also blacklist xen_fbfront to prevent a 30 second delay during
# boot. # boot.
boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ]; boot.blacklistedKernelModules = [
"nouveau"
"xen_fbfront"
];
boot.loader.grub.efiSupport = cfg.efi; boot.loader.grub.efiSupport = cfg.efi;
boot.loader.grub.efiInstallAsRemovable = cfg.efi; boot.loader.grub.efiInstallAsRemovable = cfg.efi;
@ -64,7 +74,7 @@ in
systemd.services.fetch-ec2-metadata = { systemd.services.fetch-ec2-metadata = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
after = ["network-online.target"]; after = [ "network-online.target" ];
path = [ pkgs.curl ]; path = [ pkgs.curl ];
script = builtins.readFile ./ec2-metadata-fetcher.sh; script = builtins.readFile ./ec2-metadata-fetcher.sh;
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";

8
machines/massicot/default.nix
View file

@ -1,4 +1,10 @@
{ inputs, config, libs, pkgs, ... }: {
inputs,
config,
libs,
pkgs,
...
}:
{ {
imports = [ imports = [

16
machines/massicot/hardware-configuration.nix
View file

@ -5,9 +5,19 @@
efiSupport = true; efiSupport = true;
device = "nodev"; device = "nodev";
}; };
fileSystems."/boot" = { device = "/dev/disk/by-uuid/AC27-D9D6"; fsType = "vfat"; }; fileSystems."/boot" = {
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; device = "/dev/disk/by-uuid/AC27-D9D6";
fsType = "vfat";
};
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
];
boot.initrd.kernelModules = [ "nvme" ]; boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
} }

51
machines/massicot/kanidm-provision.nix
View file

@ -21,7 +21,11 @@
members = [ "xin" ]; members = [ "xin" ];
}; };
immich-users = { immich-users = {
members = [ "xin" "zhuo" "ycm" ]; members = [
"xin"
"zhuo"
"ycm"
];
}; };
grafana-superadmins = { grafana-superadmins = {
members = [ "xin" ]; members = [ "xin" ];
@ -65,7 +69,12 @@
originLanding = "https://git.xinyang.life/user/oauth2/kandim"; originLanding = "https://git.xinyang.life/user/oauth2/kandim";
allowInsecureClientDisablePkce = true; allowInsecureClientDisablePkce = true;
scopeMaps = { scopeMaps = {
forgejo-access = [ "openid" "email" "profile" "groups" ]; forgejo-access = [
"openid"
"email"
"profile"
"groups"
];
}; };
claimMaps = { claimMaps = {
forgejo_role = { forgejo_role = {
@ -83,7 +92,12 @@
originLanding = "https://xinyang.life/"; originLanding = "https://xinyang.life/";
allowInsecureClientDisablePkce = true; allowInsecureClientDisablePkce = true;
scopeMaps = { scopeMaps = {
gts-users = [ "openid" "email" "profile" "groups" ]; gts-users = [
"openid"
"email"
"profile"
"groups"
];
}; };
}; };
owncloud = { owncloud = {
@ -92,7 +106,11 @@
originLanding = "https://home.xinyang.life:9201/"; originLanding = "https://home.xinyang.life:9201/";
public = true; public = true;
scopeMaps = { scopeMaps = {
ocis-users = [ "openid" "email" "profile" ]; ocis-users = [
"openid"
"email"
"profile"
];
}; };
}; };
hedgedoc = { hedgedoc = {
@ -101,7 +119,11 @@
originLanding = "https://docs.xinyang.life/auth/oauth2"; originLanding = "https://docs.xinyang.life/auth/oauth2";
allowInsecureClientDisablePkce = true; allowInsecureClientDisablePkce = true;
scopeMaps = { scopeMaps = {
hedgedoc-users = [ "openid" "email" "profile" ]; hedgedoc-users = [
"openid"
"email"
"profile"
];
}; };
}; };
immich-mobile = { immich-mobile = {
@ -110,7 +132,11 @@
originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
allowInsecureClientDisablePkce = true; allowInsecureClientDisablePkce = true;
scopeMaps = { scopeMaps = {
immich-users = [ "openid" "email" "profile" ]; immich-users = [
"openid"
"email"
"profile"
];
}; };
}; };
miniflux = { miniflux = {
@ -118,7 +144,11 @@
originUrl = "https://rss.xinyang.life/"; originUrl = "https://rss.xinyang.life/";
originLanding = "https://rss.xinyang.life/"; originLanding = "https://rss.xinyang.life/";
scopeMaps = { scopeMaps = {
miniflux-users = [ "openid" "email" "profile" ]; miniflux-users = [
"openid"
"email"
"profile"
];
}; };
}; };
grafana = { grafana = {
@ -126,7 +156,12 @@
originUrl = "https://grafana.xinyang.life/"; originUrl = "https://grafana.xinyang.life/";
originLanding = "https://grafana.xinyang.life/"; originLanding = "https://grafana.xinyang.life/";
scopeMaps = { scopeMaps = {
grafana-users = [ "openid" "email" "profile" "groups" ]; grafana-users = [
"openid"
"email"
"profile"
"groups"
];
}; };
claimMaps = { claimMaps = {
grafana_role = { grafana_role = {

9
machines/massicot/networking.nix
View file

@ -1,11 +1,14 @@
{ pkgs, ... }: { { pkgs, ... }:
{
networking = { networking = {
interfaces = { interfaces = {
eth0.useDHCP = true; eth0.useDHCP = true;
eth0.ipv6.addresses = [{ eth0.ipv6.addresses = [
{
address = "2a01:4f8:c17:345f::1"; address = "2a01:4f8:c17:345f::1";
prefixLength = 64; prefixLength = 64;
}]; }
];
}; };
defaultGateway6 = { defaultGateway6 = {
address = "fe80::1"; address = "fe80::1";

43
machines/massicot/services.nix
View file

@ -1,10 +1,24 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
kanidm_listen_port = 5324; kanidm_listen_port = 5324;
in in
{ {
networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ]; networking.firewall.allowedTCPPorts = [
networking.firewall.allowedUDPPorts = [ 80 443 8448 ]; 80
443
2222
8448
];
networking.firewall.allowedUDPPorts = [
80
443
8448
];
custom.vaultwarden = { custom.vaultwarden = {
enable = true; enable = true;
@ -32,7 +46,8 @@ in
exporters.miniflux.enable = true; exporters.miniflux.enable = true;
}; };
systemd.mounts = map systemd.mounts =
map
(share: { (share: {
what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
where = "/mnt/storage/${share}"; where = "/mnt/storage/${share}";
@ -41,7 +56,13 @@ in
before = [ "${share}.service" ]; before = [ "${share}.service" ];
after = [ "cachefilesd.service" ]; after = [ "cachefilesd.service" ];
wantedBy = [ "${share}.service" ]; wantedBy = [ "${share}.service" ];
}) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ]; })
[
"forgejo"
"gotosocial"
"conduit"
"hedgedoc"
];
services.cachefilesd.enable = true; services.cachefilesd.enable = true;
@ -82,6 +103,7 @@ in
bindaddress = "[::]:${toString kanidm_listen_port}"; bindaddress = "[::]:${toString kanidm_listen_port}";
tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem''; tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
online_backup.versions = 7;
# db_path = "/var/lib/kanidm/kanidm.db"; # db_path = "/var/lib/kanidm/kanidm.db";
}; };
provision = import ./kanidm-provision.nix; provision = import ./kanidm-provision.nix;
@ -224,11 +246,14 @@ in
allow_assign_grafana_admin = true; allow_assign_grafana_admin = true;
auto_login = true; auto_login = true;
}; };
"auth" = { disable_login_form = true; }; "auth" = {
disable_login_form = true;
};
}; };
}; };
systemd.services.grafana.serviceConfig.EnvironmentFile = config.sops.secrets.grafana_oauth_secret.path; systemd.services.grafana.serviceConfig.EnvironmentFile =
config.sops.secrets.grafana_oauth_secret.path;
users.users.git = { users.users.git = {
isSystemUser = true; isSystemUser = true;
@ -239,9 +264,7 @@ in
users.groups.git = { }; users.groups.git = { };
users.users = { users.users = {
${config.services.caddy.user}.extraGroups = [ ${config.services.caddy.user}.extraGroups = [ config.services.ntfy-sh.group ];
config.services.ntfy-sh.group
];
}; };
services.caddy = { services.caddy = {

14
machines/raspite/configuration.nix
View file

@ -1,17 +1,19 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
{ {
imports = [ imports = [ ./hass.nix ];
./hass.nix
];
commonSettings.nix.enableMirrors = true; commonSettings.nix.enableMirrors = true;
nixpkgs.overlays = [ nixpkgs.overlays = [
# Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243 # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243
(final: super: { (final: super: {
makeModulesClosure = x: makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
super.makeModulesClosure (x // { allowMissing = true; });
}) })
]; ];

18
machines/raspite/hass.nix
View file

@ -1,4 +1,5 @@
{ config, pkgs, ... }: { { config, pkgs, ... }:
{
services.home-assistant = { services.home-assistant = {
enable = true; enable = true;
extraComponents = [ extraComponents = [
@ -9,14 +10,12 @@
]; ];
openFirewall = false; openFirewall = false;
config = { config = {
default_config = {}; default_config = { };
http = { http = {
server_host = "::1"; server_host = "::1";
base_url = "raspite.local:1000"; base_url = "raspite.local:1000";
use_x_forward_for = true; use_x_forward_for = true;
trusted_proxies = [ trusted_proxies = [ "::1" ];
"::1"
];
}; };
}; };
}; };
@ -28,11 +27,12 @@
users.groups.dialout.members = config.users.groups.wheel.members; users.groups.dialout.members = config.users.groups.wheel.members;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ zigbee2mqtt ];
zigbee2mqtt
];
networking.firewall.allowedTCPPorts = [ 1000 1001 ]; networking.firewall.allowedTCPPorts = [
1000
1001
];
services.caddy = { services.caddy = {
enable = true; enable = true;

11
machines/sops.nix
View file

@ -1,4 +1,9 @@
{ inputs, config, lib, ... }: {
inputs,
config,
lib,
...
}:
{ {
imports = [ inputs.sops-nix.nixosModules.sops ]; imports = [ inputs.sops-nix.nixosModules.sops ];
config = { config = {
@ -26,9 +31,7 @@
owner = "root"; owner = "root";
}; };
}; };
secrets.grafana_cloud_api = lib.mkIf config.services.prometheus.enable { secrets.grafana_cloud_api = lib.mkIf config.services.prometheus.enable { owner = "prometheus"; };
owner = "prometheus";
};
}; };
}; };
} }

42
machines/weilite/default.nix
View file

@ -1,4 +1,11 @@
{ inputs, config, pkgs, lib, modulesPath, ... }: {
inputs,
config,
pkgs,
lib,
modulesPath,
...
}:
with lib; with lib;
@ -23,13 +30,17 @@ with lib;
systemd-boot.enable = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ]; initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"usb_storage"
"sd_mod"
];
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
}; };
environment.systemPackages = [ environment.systemPackages = [ pkgs.virtiofsd ];
pkgs.virtiofsd
];
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
@ -47,13 +58,15 @@ with lib;
}; };
systemd.mounts = [ systemd.mounts = [
{ what = "immich"; {
what = "immich";
where = "/mnt/XinPhotos/immich"; where = "/mnt/XinPhotos/immich";
type = "virtiofs"; type = "virtiofs";
options = "rw"; options = "rw";
wantedBy = [ "immich-server.service" ]; wantedBy = [ "immich-server.service" ];
} }
{ what = "originals"; {
what = "originals";
where = "/mnt/XinPhotos/originals"; where = "/mnt/XinPhotos/originals";
type = "virtiofs"; type = "virtiofs";
options = "ro,nodev,nosuid"; options = "ro,nodev,nosuid";
@ -61,7 +74,10 @@ with lib;
} }
]; ];
services.openssh.ports = [ 22 2222 ]; services.openssh.ports = [
22
2222
];
services.immich = { services.immich = {
enable = true; enable = true;
@ -90,7 +106,10 @@ with lib;
enable = true; enable = true;
package = pkgs.caddy.withPlugins { package = pkgs.caddy.withPlugins {
caddyModules = [ caddyModules = [
{ repo = "github.com/caddy-dns/cloudflare"; version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; } {
repo = "github.com/caddy-dns/cloudflare";
version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
}
]; ];
vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk="; vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk=";
}; };
@ -124,7 +143,10 @@ with lib;
fileSystems."/boot" = { fileSystems."/boot" = {
device = "/dev/sda1"; device = "/dev/sda1";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [
"fmask=0022"
"dmask=0022"
];
}; };
system.stateVersion = "24.11"; system.stateVersion = "24.11";

3
modules/home-manager/alacritty.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { config, lib, ... }:
with lib; with lib;
let let
@ -25,6 +25,7 @@ in
window = { window = {
resize_increments = true; resize_increments = true;
dynamic_padding = true; dynamic_padding = true;
decorations = "none";
}; };
}; };
}; };

19
modules/home-manager/cosmic-term.nix Normal file
View file

@ -0,0 +1,19 @@
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.custom-hm.cosmic-term;
in
{
options.custom-hm.cosmic-term = {
enable = mkEnableOption "cosmic-term";
};
config = mkIf cfg.enable { home.packages = [ pkgs.cosmic-term ]; };
}

1
modules/home-manager/default.nix
View file

@ -1,6 +1,7 @@
{ {
imports = [ imports = [
./alacritty.nix ./alacritty.nix
./cosmic-term.nix
./direnv.nix ./direnv.nix
./fish.nix ./fish.nix
./git.nix ./git.nix

1
modules/home-manager/direnv.nix
View file

@ -24,6 +24,7 @@ in
direnv = { direnv = {
enable = true; enable = true;
stdlib = changeCacheDir; stdlib = changeCacheDir;
nix-direnv.enable = true;
}; };
}; };
}; };

69
modules/home-manager/fish.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
with lib; with lib;
@ -10,7 +15,12 @@ in
enable = mkEnableOption "fish"; enable = mkEnableOption "fish";
plugins = mkOption { plugins = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ "pisces" "done" "hydro" "grc" ]; default = [
"pisces"
"done"
"hydro"
"grc"
];
}; };
functions = { functions = {
enable = mkOption { enable = mkOption {
@ -30,25 +40,45 @@ in
home.packages = [ pkgs.grc ]; home.packages = [ pkgs.grc ];
programs.fish = { programs.fish = {
enable = true; enable = true;
plugins = with pkgs; (filter ( plugins =
e: hasAttr e.name (builtins.listToAttrs # { "xxx" = true; } with pkgs;
(map (p: { name = p; value = true; }) cfg.plugins) # { name = "xxx"; value = true; } (filter
)) [ (
{ name = "pisces"; e:
hasAttr e.name (
builtins.listToAttrs # { "xxx" = true; }
(
map (p: {
name = p;
value = true;
}) cfg.plugins
) # { name = "xxx"; value = true; }
)
)
[
{
name = "pisces";
src = fishPlugins.pisces.src; src = fishPlugins.pisces.src;
} }
{ name = "done"; {
name = "done";
src = fishPlugins.done.src; src = fishPlugins.done.src;
} }
{ name = "hydro"; {
name = "hydro";
src = fishPlugins.hydro.src; src = fishPlugins.hydro.src;
} }
{ name = "grc"; {
name = "grc";
src = fishPlugins.grc.src; src = fishPlugins.grc.src;
} }
]); ]
interactiveShellInit = let );
extraInit = if cfg.functions.enable then '' interactiveShellInit =
let
extraInit =
if cfg.functions.enable then
''
${pkgs.nix-your-shell}/bin/nix-your-shell fish | source ${pkgs.nix-your-shell}/bin/nix-your-shell fish | source
function fish_right_prompt function fish_right_prompt
if test -n "$IN_NIX_SHELL" if test -n "$IN_NIX_SHELL"
@ -60,10 +90,15 @@ in
function fish_command_not_found function fish_command_not_found
${pkgs.comma}/bin/comma $argv ${pkgs.comma}/bin/comma $argv
end end
'' else ""; set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha)
in '' ''
fish_config prompt choose arrow else
'' + extraInit; "";
in
''
fish_config prompt choose default
''
+ extraInit;
functions = mkIf cfg.functions.enable { functions = mkIf cfg.functions.enable {
gitignore = "curl -sL https://www.gitignore.io/api/$argv"; gitignore = "curl -sL https://www.gitignore.io/api/$argv";
}; };

15
modules/home-manager/git.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
with lib; with lib;
@ -36,12 +41,8 @@ in
signByDefault = true; signByDefault = true;
key = cfg.signing.keyFile; key = cfg.signing.keyFile;
}; };
extraConfig.user = mkIf cfg.signing.enable { extraConfig.user = mkIf cfg.signing.enable { signingkey = cfg.signing.keyFile; };
signingkey = cfg.signing.keyFile; extraConfig.gpg = mkIf cfg.signing.enable { format = "ssh"; };
};
extraConfig.gpg = mkIf cfg.signing.enable {
format = "ssh";
};
}; };
}; };
} }

2
modules/home-manager/tmux.nix
View file

@ -1 +1 @@
{} { }

12
modules/home-manager/vim.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
inherit (lib) mkIf mkEnableOption getExe; inherit (lib) mkIf mkEnableOption getExe;
cfg = config.custom-hm.neovim; cfg = config.custom-hm.neovim;
@ -13,7 +18,10 @@ in
enable = mkEnableOption "neovim configurations"; enable = mkEnableOption "neovim configurations";
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
home.packages = with pkgs; [ nixvim neovide ]; home.packages = with pkgs; [
nixvim
neovide
];
programs.neovim.enable = false; programs.neovim.enable = false;
home.file.".config/neovide/config.toml" = { home.file.".config/neovide/config.toml" = {
source = tomlFormat.generate "neovide-config" neovideConfig; source = tomlFormat.generate "neovide-config" neovideConfig;

116
modules/home-manager/vscode.nix
View file

@ -1,4 +1,10 @@
{ inputs, config, lib, pkgs, ... }: {
inputs,
config,
lib,
pkgs,
...
}:
with lib; with lib;
let let
@ -6,7 +12,10 @@ let
packages = { packages = {
nixPackages = { nixPackages = {
systemPackages = with pkgs; [ nixd nixpkgs-fmt ]; systemPackages = with pkgs; [
nixd
nixpkgs-fmt
];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
jnoortheen.nix-ide jnoortheen.nix-ide
]; ];
@ -17,10 +26,15 @@ let
}; };
}; };
cxxPackages = { cxxPackages = {
systemPackages = with pkgs; [ clang-tools cmake-format ]; systemPackages = with pkgs; [
clang-tools
cmake-format
];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
llvm-vs-code-extensions.vscode-clangd llvm-vs-code-extensions.vscode-clangd
(ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; })) (ms-vscode.cmake-tools.overrideAttrs (_: {
sourceRoot = "extension";
}))
twxs.cmake twxs.cmake
ms-vscode.cpptools ms-vscode.cpptools
]; ];
@ -43,7 +57,10 @@ let
settings = { }; settings = { };
}; };
scalaPackages = { scalaPackages = {
systemPackages = with pkgs; [ coursier metals ]; systemPackages = with pkgs; [
coursier
metals
];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
scala-lang.scala scala-lang.scala
scalameta.metals scalameta.metals
@ -61,20 +78,56 @@ let
{ {
"name" = "xelatex"; "name" = "xelatex";
"command" = "xelatex"; "command" = "xelatex";
"args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ]; "args" = [
"-synctex=1"
"-interaction=nonstopmode"
"-file-line-error"
"%DOCFILE%"
];
} }
{ {
"name" = "pdflatex"; "name" = "pdflatex";
"command" = "pdflatex"; "command" = "pdflatex";
"args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ]; "args" = [
"-synctex=1"
"-interaction=nonstopmode"
"-file-line-error"
"%DOCFILE%"
];
}
{
"name" = "bibtex";
"command" = "bibtex";
"args" = [ "%DOCFILE%" ];
} }
{ "name" = "bibtex"; "command" = "bibtex"; "args" = [ "%DOCFILE%" ]; }
]; ];
"latex-workshop.latex.recipes" = [ "latex-workshop.latex.recipes" = [
{ "name" = "xelatex"; "tools" = [ "xelatex" ]; } {
{ "name" = "pdflatex"; "tools" = [ "pdflatex" ]; } "name" = "xelatex";
{ "name" = "xe->bib->xe->xe"; "tools" = [ "xelatex" "bibtex" "xelatex" "xelatex" ]; } "tools" = [ "xelatex" ];
{ "name" = "pdf->bib->pdf->pdf"; "tools" = [ "pdflatex" "bibtex" "pdflatex" "pdflatex" ]; } }
{
"name" = "pdflatex";
"tools" = [ "pdflatex" ];
}
{
"name" = "xe->bib->xe->xe";
"tools" = [
"xelatex"
"bibtex"
"xelatex"
"xelatex"
];
}
{
"name" = "pdf->bib->pdf->pdf";
"tools" = [
"pdflatex"
"bibtex"
"pdflatex"
"pdflatex"
];
}
]; ];
"[latex]" = { "[latex]" = {
"editor.formatOnPaste" = false; "editor.formatOnPaste" = false;
@ -88,9 +141,15 @@ let
}; };
llmExtensions = [ pkgs.vscode-extensions.continue.continue ]; llmExtensions = [ pkgs.vscode-extensions.continue.continue ];
languages = [ "nix" "cxx" "python" "scala" "latex" ]; languages = [
zipAttrsWithLanguageOption = (attr: "nix"
(map (l: (lib.mkIf cfg.languages.${l} packages."${l}Packages".${attr})) languages) "cxx"
"python"
"scala"
"latex"
];
zipAttrsWithLanguageOption = (
attr: (map (l: (lib.mkIf cfg.languages.${l} packages."${l}Packages".${attr})) languages)
); );
in in
{ {
@ -111,17 +170,21 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
home.packages = lib.mkMerge ([ home.packages = lib.mkMerge (
[
[ pkgs.clang-tools ] [ pkgs.clang-tools ]
(mkIf cfg.llm [ pkgs.ollama ]) (mkIf cfg.llm [ pkgs.ollama ])
] ++ zipAttrsWithLanguageOption "systemPackages"); ]
++ zipAttrsWithLanguageOption "systemPackages"
);
programs.vscode = { programs.vscode = {
enable = true; enable = true;
package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; }; package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; };
enableUpdateCheck = false; enableUpdateCheck = false;
enableExtensionUpdateCheck = false; enableExtensionUpdateCheck = false;
mutableExtensionsDir = false; mutableExtensionsDir = false;
extensions = lib.mkMerge ([ extensions = lib.mkMerge (
[
(with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ (with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
mkhl.direnv mkhl.direnv
@ -149,17 +212,18 @@ in
]) ])
(mkIf cfg.llm llmExtensions) (mkIf cfg.llm llmExtensions)
] ++ zipAttrsWithLanguageOption "extension"); ]
userSettings = lib.mkMerge ([ ++ zipAttrsWithLanguageOption "extension"
);
userSettings = lib.mkMerge (
[
{ {
"workbench.colorTheme" = "Catppuccin Macchiato"; "workbench.colorTheme" = "Catppuccin Macchiato";
"terminal.integrated.sendKeybindingsToShell" = true; "terminal.integrated.sendKeybindingsToShell" = true;
"extensions.ignoreRecommendations" = true; "extensions.ignoreRecommendations" = true;
"files.autoSave" = "afterDelay"; "files.autoSave" = "afterDelay";
"editor.inlineSuggest.enabled" = true; "editor.inlineSuggest.enabled" = true;
"editor.rulers" = [ "editor.rulers" = [ 80 ];
80
];
"editor.mouseWheelZoom" = true; "editor.mouseWheelZoom" = true;
"git.autofetch" = false; "git.autofetch" = false;
"window.zoomLevel" = -1; "window.zoomLevel" = -1;
@ -168,7 +232,9 @@ in
"vscodevim.vim" = 1; "vscodevim.vim" = 1;
}; };
} }
] ++ zipAttrsWithLanguageOption "settings"); ]
++ zipAttrsWithLanguageOption "settings"
);
}; };
home.file.".continue/config.json".text = lib.generators.toJSON { } { home.file.".continue/config.json".text = lib.generators.toJSON { } {
@ -180,7 +246,7 @@ in
} }
]; ];
tabAutocompleteModel = { tabAutocompleteModel = {
model ="deepseek-coder:6.7b-base"; model = "deepseek-coder:6.7b-base";
provider = "ollama"; provider = "ollama";
title = "codegemma"; title = "codegemma";
}; };

30
modules/home-manager/zellij.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { config, lib, ... }:
with lib; with lib;
@ -14,20 +14,22 @@ in
enable = true; enable = true;
settings = { settings = {
default_shell = "fish"; default_shell = "fish";
keybinds = {
unbind = [
"Ctrl p"
"Ctrl n"
];
shared_except = {
_args = [ "pane" "locked" ];
bind = {
_args = [ "Ctrl b"];
SwitchToMode = "Pane";
};
};
};
}; };
}; };
xdg.configFile."zellij/config.kdl".text = ''
keybinds {
shared_except "pane" "locked" {
bind "Ctrl b" { SwitchToMode "Pane"; }
}
shared_except "locked" {
bind "Ctrl h" { MoveFocusOrTab "Left"; }
bind "Ctrl l" { MoveFocusOrTab "Right"; }
bind "Ctrl j" { MoveFocus "Down"; }
bind "Ctrl k" { MoveFocus "Up"; }
unbind "Alt h" "Alt l" "Alt j" "Alt k"
}
unbind "Ctrl p" "Ctrl n"
}
'';
}; };
} }

15
modules/nixos/common-settings/auth.nix
View file

@ -1,7 +1,17 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
inherit (lib) mkIf mkEnableOption mkOption types; inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.commonSettings.auth; cfg = config.commonSettings.auth;
in in
@ -38,4 +48,3 @@ in
}; };
}; };
} }

24
modules/nixos/common-settings/nix-conf.nix
View file

@ -1,7 +1,17 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
inherit (lib) mkIf mkEnableOption mkOption types; inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.commonSettings.nix; cfg = config.commonSettings.nix;
in in
@ -33,7 +43,10 @@ in
nix.optimise.automatic = true; nix.optimise.automatic = true;
nix.settings = { nix.settings = {
experimental-features = [ "nix-command" "flakes" ]; experimental-features = [
"nix-command"
"flakes"
];
auto-optimise-store = true; auto-optimise-store = true;
trusted-users = [ "root" ]; trusted-users = [ "root" ];
@ -52,10 +65,7 @@ in
"xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y=" "xin-1:8/ul1IhdWLswERF/8RfeAw8VZqjwHrJ1x55y1yjxQ+Y="
]; ];
secret-key-files = mkIf cfg.signing.enable [ secret-key-files = mkIf cfg.signing.enable [ cfg.signing.keyFile ];
cfg.signing.keyFile
];
}; };
}; };
} }

11
modules/nixos/forgejo-actions-runner.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
cfg = config.custom.forgejo-actions-runner; cfg = config.custom.forgejo-actions-runner;
in in
@ -6,9 +11,7 @@ in
options = { options = {
custom.forgejo-actions-runner = { custom.forgejo-actions-runner = {
enable = lib.mkEnableOption "TPM supported ssh agent in go"; enable = lib.mkEnableOption "TPM supported ssh agent in go";
tokenFile = lib.mkOption { tokenFile = lib.mkOption { type = lib.types.path; };
type = lib.types.path;
};
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {

27
modules/nixos/hedgedoc.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
with lib; with lib;
@ -26,22 +31,12 @@ in
}; };
oidc = { oidc = {
enable = mkEnableOption "OIDC support for HedgeDoc"; enable = mkEnableOption "OIDC support for HedgeDoc";
baseURL = mkOption { baseURL = mkOption { type = types.str; };
type = types.str; authorizationURL = mkOption { type = types.str; };
}; tokenURL = mkOption { type = types.str; };
authorizationURL = mkOption { userProfileURL = mkOption { type = types.str; };
type = types.str;
};
tokenURL = mkOption {
type = types.str;
};
userProfileURL = mkOption {
type = types.str;
};
};
environmentFile = mkOption {
type = types.path;
}; };
environmentFile = mkOption { type = types.path; };
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {

58
modules/nixos/inbounds.nix
View file

@ -1,17 +1,14 @@
{ config { config, lib, ... }:
, lib
, ... }:
let let
cfg = config.custom.sing-box-server; cfg = config.custom.sing-box-server;
secretFileType = lib.types.submodule { secretFileType = lib.types.submodule { _secret = lib.types.path; };
_secret = lib.types.path;
};
singTls = { singTls = {
enabled = true; enabled = true;
server_name = config.deployment.targetHost; server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem"; key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem"; certificate_path =
config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
}; };
in in
{ {
@ -22,17 +19,11 @@ in
type = lib.types.str; type = lib.types.str;
default = "proxy"; default = "proxy";
}; };
password = lib.mkOption { password = lib.mkOption { type = secretFileType; };
type = secretFileType; uuid = lib.mkOption { type = secretFileType; };
};
uuid = lib.mkOption {
type = secretFileType;
};
}; };
wgOut = { wgOut = {
privKeyFile = lib.mkOption { privKeyFile = lib.mkOption { type = lib.types.path; };
type = lib.types.path;
};
pubkey = lib.mkOption { pubkey = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="; default = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
@ -73,7 +64,8 @@ in
} }
]; ];
}; };
inbounds = [ inbounds =
[
# TODO: Trojan and tuic enable # TODO: Trojan and tuic enable
{ {
tag = "trojan-in"; tag = "trojan-in";
@ -83,7 +75,8 @@ in
users = map (u: removeAttrs u [ "uuid" ]) cfg.users; users = map (u: removeAttrs u [ "uuid" ]) cfg.users;
tls = singTls; tls = singTls;
} }
] ++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: { ]
++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: {
tag = "tuic-in" + toString port; tag = "tuic-in" + toString port;
type = "tuic"; type = "tuic";
listen = "::"; listen = "::";
@ -102,20 +95,35 @@ in
"2606:4700:110:82ed:a443:3c62:6cbc:b59b/128" "2606:4700:110:82ed:a443:3c62:6cbc:b59b/128"
]; ];
peers = [ peers = [
{ public_key= cfg.wgOut.pubkey; {
allowed_ips = [ "0.0.0.0/0" "::/0" ]; public_key = cfg.wgOut.pubkey;
allowed_ips = [
"0.0.0.0/0"
"::/0"
];
server = "162.159.192.1"; server = "162.159.192.1";
server_port = 500; server_port = 500;
} }
]; ];
} }
{ type = "direct"; tag = "direct-out"; } {
{ type = "dns"; tag = "dns-out"; } type = "direct";
tag = "direct-out";
}
{
type = "dns";
tag = "dns-out";
}
]; ];
route = { route = {
rules = [ rules =
{ outbound = "dns-out"; protocol = "dns"; } [
] ++ lib.forEach cfg.tuic.directPorts (port: { {
outbound = "dns-out";
protocol = "dns";
}
]
++ lib.forEach cfg.tuic.directPorts (port: {
inbound = "tuic-in" + toString port; inbound = "tuic-in" + toString port;
outbound = "direct-out"; outbound = "direct-out";
}); });

21
modules/nixos/kanidm-client.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
with lib; with lib;
let let
@ -27,14 +32,12 @@ in
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [ ];
}; };
uri = mkOption { uri = mkOption { type = types.str; };
type = types.str;
};
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.kanidm = mkMerge services.kanidm = mkMerge [
[ (mkIf cfg.enable { (mkIf cfg.enable {
enableClient = true; enableClient = true;
clientSettings = { clientSettings = {
uri = cfg.uri; uri = cfg.uri;
@ -70,8 +73,10 @@ in
}; };
users.groups.wheel.members = cfg.sudoers; users.groups.wheel.members = cfg.sudoers;
users.groups.kanidm-ssh-runner = { }; users.groups.kanidm-ssh-runner = { };
users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; }; users.users.kanidm-ssh-runner = {
isSystemUser = true;
group = "kanidm-ssh-runner";
};
}; };
} }

58
modules/nixos/miniflux.nix
View file

@ -1,6 +1,19 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
inherit (lib) mkEnableOption mkPackageOption mkOption types literalExpression mkIf mkDefault; inherit (lib)
mkEnableOption
mkPackageOption
mkOption
types
literalExpression
mkIf
mkDefault
;
cfg = config.custom.miniflux; cfg = config.custom.miniflux;
defaultAddress = "localhost:8080"; defaultAddress = "localhost:8080";
@ -18,12 +31,15 @@ in
package = mkPackageOption pkgs "miniflux" { }; package = mkPackageOption pkgs "miniflux" { };
oauth2SecretFile = mkOption { oauth2SecretFile = mkOption { type = types.path; };
type = types.path;
};
environment = mkOption { environment = mkOption {
type = with types; attrsOf (oneOf [ int str ]); type =
with types;
attrsOf (oneOf [
int
str
]);
}; };
createDatabaseLocally = mkOption { createDatabaseLocally = mkOption {
@ -50,17 +66,22 @@ in
services.postgresql = lib.mkIf cfg.createDatabaseLocally { services.postgresql = lib.mkIf cfg.createDatabaseLocally {
enable = true; enable = true;
ensureUsers = [{ ensureUsers = [
{
name = "miniflux"; name = "miniflux";
ensureDBOwnership = true; ensureDBOwnership = true;
}]; }
];
ensureDatabases = [ "miniflux" ]; ensureDatabases = [ "miniflux" ];
}; };
systemd.services.miniflux-dbsetup = lib.mkIf cfg.createDatabaseLocally { systemd.services.miniflux-dbsetup = lib.mkIf cfg.createDatabaseLocally {
description = "Miniflux database setup"; description = "Miniflux database setup";
requires = [ "postgresql.service" ]; requires = [ "postgresql.service" ];
after = [ "network.target" "postgresql.service" ]; after = [
"network.target"
"postgresql.service"
];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = config.services.postgresql.superUser; User = config.services.postgresql.superUser;
@ -72,8 +93,12 @@ in
description = "Miniflux service"; description = "Miniflux service";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = lib.optional cfg.createDatabaseLocally "miniflux-dbsetup.service"; requires = lib.optional cfg.createDatabaseLocally "miniflux-dbsetup.service";
after = [ "network.target" ] after =
++ lib.optionals cfg.createDatabaseLocally [ "postgresql.service" "miniflux-dbsetup.service" ]; [ "network.target" ]
++ lib.optionals cfg.createDatabaseLocally [
"postgresql.service"
"miniflux-dbsetup.service"
];
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
@ -104,12 +129,19 @@ in
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" ]; SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077"; UMask = "0077";
}; };

18
modules/nixos/oidc-agent.nix
View file

@ -1,10 +1,20 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
inherit (lib) mkIf mkEnableOption mkOption types; inherit (lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.programs.oidc-agent; cfg = config.programs.oidc-agent;
providerFormat = pkgs.formats.json {}; providerFormat = pkgs.formats.json { };
in in
{ {
options.programs.oidc-agent = { options.programs.oidc-agent = {
@ -18,7 +28,7 @@ in
}; };
providers = mkOption { providers = mkOption {
type = providerFormat.type; type = providerFormat.type;
default = {}; default = { };
description = '' description = ''
Configuration of providers which contains a json array of json objects Configuration of providers which contains a json array of json objects
each describing an issuer, see https://indigo-dc.gitbook.io/oidc-agent/configuration/issuers each describing an issuer, see https://indigo-dc.gitbook.io/oidc-agent/configuration/issuers

18
modules/nixos/prometheus/blackbox.nix
View file

@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
cfg = config.custom.prometheus; cfg = config.custom.prometheus;
in in
@ -8,7 +13,7 @@ in
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
configFile = pkgs.writeText "blackbox.config.yaml" ( configFile = pkgs.writeText "blackbox.config.yaml" (
lib.generators.toYAML {} { lib.generators.toYAML { } {
modules = { modules = {
tcp4_connect = { tcp4_connect = {
prober = "tcp"; prober = "tcp";
@ -73,8 +78,13 @@ in
alert = "HighProbeLatency"; alert = "HighProbeLatency";
expr = "probe_duration_seconds > 0.5"; expr = "probe_duration_seconds > 0.5";
for = "2m"; for = "2m";
labels = { severity = "warning"; }; labels = {
annotations = { summary = "High request latency on {{ $labels.instance }}"; description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes."; }; severity = "warning";
};
annotations = {
summary = "High request latency on {{ $labels.instance }}";
description = "95th percentile of request latency is above 0.5 seconds for the last 2 minutes.";
};
} }
]; ];
} }

12
modules/nixos/prometheus/caddy.nix
View file

@ -13,9 +13,7 @@ in
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
{ {
job_name = "caddy"; job_name = "caddy";
static_configs = [ static_configs = [ { targets = [ "127.0.0.1:2019" ]; } ];
{ targets = [ "127.0.0.1:2019" ]; }
];
} }
]; ];
@ -27,8 +25,12 @@ in
alert = "UpstreamHealthy"; alert = "UpstreamHealthy";
expr = "caddy_reverse_proxy_upstreams_healthy != 1"; expr = "caddy_reverse_proxy_upstreams_healthy != 1";
for = "5m"; for = "5m";
labels = { severity = "critical"; }; labels = {
annotations = { summary = "Upstream {{ $labels.unstream }} not healthy"; }; severity = "critical";
};
annotations = {
summary = "Upstream {{ $labels.unstream }} not healthy";
};
} }
]; ];
} }

86
modules/nixos/prometheus/default.nix
View file

@ -1,26 +1,31 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
with lib; with lib;
let let
cfg = config.custom.prometheus; cfg = config.custom.prometheus;
mkExporterOption = enableOption: (mkOption { mkExporterOption =
enableOption:
(mkOption {
type = types.bool; type = types.bool;
default = enableOption; default = enableOption;
description = "Enable this exporter"; description = "Enable this exporter";
}); });
mkRulesOption = mkOption { mkRulesOption = mkOption {
type = types.listOf (types.submodule { type = types.listOf (
types.submodule {
options = { options = {
name = mkOption { name = mkOption { type = lib.types.str; };
type = lib.types.str; rules = mkOption { type = lib.types.listOf lib.types.attrs; };
}; };
rules = mkOption { }
type = lib.types.listOf lib.types.attrs; );
};
};
});
}; };
in in
{ {
@ -54,16 +59,13 @@ in
}; };
grafana = { grafana = {
enable = mkEnableOption "Grafana Cloud"; enable = mkEnableOption "Grafana Cloud";
password_file = mkOption { password_file = mkOption { type = types.path; };
type = types.path;
};
}; };
ruleModules = mkRulesOption; ruleModules = mkRulesOption;
}; };
}; };
config = mkIf cfg.enable config = mkIf cfg.enable {
{
services.tailscale = { services.tailscale = {
enable = true; enable = true;
permitCertUid = config.services.caddy.user; permitCertUid = config.services.caddy.user;
@ -77,11 +79,12 @@ in
''; '';
}; };
services.prometheus = mkIf cfg.enable services.prometheus = mkIf cfg.enable {
{
enable = true; enable = true;
port = 9091; port = 9091;
globalConfig.external_labels = { hostname = config.networking.hostName; }; globalConfig.external_labels = {
hostname = config.networking.hostName;
};
remoteWrite = mkIf cfg.grafana.enable [ remoteWrite = mkIf cfg.grafana.enable [
{ {
name = "grafana"; name = "grafana";
@ -107,9 +110,7 @@ in
scrapeConfigs = [ scrapeConfigs = [
{ {
job_name = "prometheus"; job_name = "prometheus";
static_configs = [ static_configs = [ { targets = [ "localhost:${toString config.services.prometheus.port}" ]; } ];
{ targets = [ "localhost:${toString config.services.prometheus.port}" ]; }
];
} }
{ {
job_name = "node"; job_name = "node";
@ -168,36 +169,59 @@ in
alert = "SystemdFailedUnits"; alert = "SystemdFailedUnits";
expr = "node_systemd_unit_state{state=\"failed\"} > 0"; expr = "node_systemd_unit_state{state=\"failed\"} > 0";
for = "5m"; for = "5m";
labels = { severity = "critical"; }; labels = {
annotations = { summary = "Systemd has failed units on {{ $labels.instance }}"; description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!"; }; severity = "critical";
};
annotations = {
summary = "Systemd has failed units on {{ $labels.instance }}";
description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!";
};
} }
{ {
alert = "HighLoadAverage"; alert = "HighLoadAverage";
expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})"; expr = "node_load1 > 0.8 * count without (cpu) (node_cpu_seconds_total{mode=\"idle\"})";
for = "1m"; for = "1m";
labels = { severity = "warning"; }; labels = {
annotations = { summary = "High load average detected on {{ $labels.instance }}"; description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; }; severity = "warning";
};
annotations = {
summary = "High load average detected on {{ $labels.instance }}";
description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs.";
};
} }
{ {
alert = "HighTransmitTraffic"; alert = "HighTransmitTraffic";
expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000"; expr = "rate(node_network_transmit_bytes_total{device!=\"lo\"}[5m]) > 100000000";
for = "1m"; for = "1m";
labels = { severity = "warning"; }; labels = {
annotations = { summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})"; description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute."; }; severity = "warning";
};
annotations = {
summary = "High network transmit traffic on {{ $labels.instance }} ({{ $labels.device }})";
description = "The network interface {{ $labels.device }} on {{ $labels.instance }} is transmitting data at a rate exceeding 100 MB/s for the last 1 minute.";
};
} }
{ {
alert = "NetworkTrafficExceedLimit"; alert = "NetworkTrafficExceedLimit";
expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200''; expr = ''increase(node_network_transmit_bytes_total{device!="lo",device!~"tailscale.*",device!~"wg.*",device!~"br.*"}[30d]) > 322122547200'';
for = "0m"; for = "0m";
labels = { severity = "critical"; }; labels = {
annotations = { summary = "Outbound network traffic exceed 300GB for last 30 day"; }; severity = "critical";
};
annotations = {
summary = "Outbound network traffic exceed 300GB for last 30 day";
};
} }
{ {
alert = "JobDown"; alert = "JobDown";
expr = "up == 0"; expr = "up == 0";
for = "1m"; for = "1m";
labels = { severity = "critical"; }; labels = {
annotations = { summary = "Job {{ $labels.job }} down for 1m."; }; severity = "critical";
};
annotations = {
summary = "Job {{ $labels.job }} down for 1m.";
};
} }
]; ];
} }

4
modules/nixos/prometheus/gotosocial.nix
View file

@ -10,9 +10,7 @@ in
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
{ {
job_name = "gotosocial"; job_name = "gotosocial";
static_configs = [ static_configs = [ { targets = [ "localhost:8080" ]; } ];
{ targets = [ "localhost:8080" ]; }
];
} }
]; ];
}; };

11
modules/nixos/prometheus/immich.nix
View file

@ -3,9 +3,10 @@ let
cfg = config.custom.prometheus; cfg = config.custom.prometheus;
immichEnv = config.services.immich.environment; immichEnv = config.services.immich.environment;
metricPort = metricPort =
if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv if builtins.hasAttr "IMMICH_API_METRICS_PORT" immichEnv then
then immichEnv.IMMICH_API_METRICS_PORT immichEnv.IMMICH_API_METRICS_PORT
else 8081; else
8081;
in in
{ {
config = lib.mkIf (cfg.enable && cfg.exporters.immich.enable) { config = lib.mkIf (cfg.enable && cfg.exporters.immich.enable) {
@ -16,9 +17,7 @@ in
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
{ {
job_name = "immich"; job_name = "immich";
static_configs = [ static_configs = [ { targets = [ "127.0.0.1:${toString metricPort}" ]; } ];
{ targets = [ "127.0.0.1:${toString metricPort}" ]; }
];
} }
]; ];
}; };

4
modules/nixos/prometheus/miniflux.nix
View file

@ -8,9 +8,7 @@ in
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
{ {
job_name = "miniflux"; job_name = "miniflux";
static_configs = [ static_configs = [ { targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; } ];
{ targets = [ config.systemd.services.miniflux.environment.LISTEN_ADDR ]; }
];
} }
]; ];
}; };

4
modules/nixos/prometheus/ntfy-sh.nix
View file

@ -8,9 +8,7 @@ in
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
{ {
job_name = "ntfy-sh"; job_name = "ntfy-sh";
static_configs = [ static_configs = [ { targets = [ "ntfy.xinyang.life" ]; } ];
{ targets = [ "ntfy.xinyang.life" ]; }
];
} }
]; ];
}; };

22
modules/nixos/prometheus/restic.nix
View file

@ -9,9 +9,7 @@ in
services.prometheus.scrapeConfigs = [ services.prometheus.scrapeConfigs = [
(lib.mkIf cfg.exporters.restic.enable { (lib.mkIf cfg.exporters.restic.enable {
job_name = "restic"; job_name = "restic";
static_configs = [ static_configs = [ { targets = [ config.services.restic.server.listenAddress ]; } ];
{ targets = [ config.services.restic.server.listenAddress ]; }
];
}) })
]; ];
@ -23,15 +21,25 @@ in
alert = "ResticCheckFailed"; alert = "ResticCheckFailed";
expr = "restic_check_success == 0"; expr = "restic_check_success == 0";
for = "5m"; for = "5m";
labels = { severity = "critical"; }; labels = {
annotations = { summary = "Restic check failed (instance {{ $labels.instance }})"; description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; }; severity = "critical";
};
annotations = {
summary = "Restic check failed (instance {{ $labels.instance }})";
description = "Restic check failed\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}";
};
} }
{ {
alert = "ResticOutdatedBackup"; alert = "ResticOutdatedBackup";
expr = "time() - restic_backup_timestamp > 518400"; expr = "time() - restic_backup_timestamp > 518400";
for = "0m"; for = "0m";
labels = { severity = "critical"; }; labels = {
annotations = { summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated"; description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}"; }; severity = "critical";
};
annotations = {
summary = "Restic {{ $labels.client_hostname }} / {{ $labels.client_username }} backup is outdated";
description = "Restic backup is outdated\\n VALUE = {{ $value }}\\n LABELS = {{ $labels }}";
};
} }
]; ];
} }

8
modules/nixos/restic.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
cfg = config.custom.restic; cfg = config.custom.restic;
in in
@ -45,4 +50,3 @@ in
}; };
}; };
} }

13
modules/nixos/sing-box.nix
View file

@ -1,4 +1,10 @@
{ config, pkgs, lib, utils, ... }: {
config,
pkgs,
lib,
utils,
...
}:
let let
cfg = config.custom.sing-box; cfg = config.custom.sing-box;
settingsFormat = pkgs.formats.json { }; settingsFormat = pkgs.formats.json { };
@ -16,9 +22,7 @@ in
}; };
configFile = { configFile = {
urlFile = lib.mkOption { urlFile = lib.mkOption { type = lib.types.path; };
type = lib.types.path;
};
name = lib.mkOption { name = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "config.json"; default = "config.json";
@ -81,4 +85,3 @@ in
}; };
}; };
} }

7
modules/nixos/ssh-tpm-agent.nix
View file

@ -1,5 +1,10 @@
# Temporary workaround # Temporary workaround
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
cfg = config.services.ssh-tpm-agent; cfg = config.services.ssh-tpm-agent;
in in

8
modules/nixos/vaultwarden.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
with lib; with lib;
@ -44,4 +49,3 @@ in
}; };
}; };
} }

26
oci-images/nix-ci-base/flake.nix
View file

@ -6,19 +6,21 @@
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
}; };
outputs = { outputs =
{
self, self,
flake-utils, flake-utils,
nix, nix,
nixpkgs, nixpkgs,
... ...
}: }:
flake-utils.lib.eachDefaultSystem (system: let flake-utils.lib.eachDefaultSystem (
pkgs = (import nixpkgs) { system:
inherit system; let
}; pkgs = (import nixpkgs) { inherit system; };
lib = pkgs.lib; lib = pkgs.lib;
in rec { in
rec {
packages = rec { packages = rec {
# a modified version of the nixos/nix image # a modified version of the nixos/nix image
# re-using the upstream nix docker image generation code # re-using the upstream nix docker image generation code
@ -54,7 +56,10 @@
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
]; ];
# allow using the new flake commands in our workflows # allow using the new flake commands in our workflows
experimental-features = ["nix-command" "flakes"]; experimental-features = [
"nix-command"
"flakes"
];
}; };
}; };
# make /bin/sleep available on the image # make /bin/sleep available on the image
@ -68,10 +73,11 @@
copyToRoot = pkgs.buildEnv { copyToRoot = pkgs.buildEnv {
name = "image-root"; name = "image-root";
paths = [pkgs.coreutils-full]; paths = [ pkgs.coreutils-full ];
pathsToLink = ["/bin"]; # add coreutuls (which includes sleep) to /bin pathsToLink = [ "/bin" ]; # add coreutuls (which includes sleep) to /bin
}; };
}; };
}; };
}); }
);
} }

7
overlays/add-ime-electron.nix
View file

@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
{ {
nixpkgs.overlays = [ nixpkgs.overlays = [

4
overlays/add-pkgs.nix
View file

@ -1,3 +1 @@
(final: prev: { (final: prev: { oidc-agent = prev.callPackage ./pkgs/oidc-agent { }; })
oidc-agent = prev.callPackage ./pkgs/oidc-agent { };
})

28
overlays/pkgs/oidc-agent/default.nix
View file

@ -1,14 +1,15 @@
{ lib {
, stdenv lib,
, fetchFromGitHub stdenv,
, curl fetchFromGitHub,
, webkitgtk curl,
, libmicrohttpd webkitgtk,
, libsecret libmicrohttpd,
, qrencode libsecret,
, libsodium qrencode,
, pkg-config libsodium,
, help2man pkg-config,
help2man,
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
@ -19,8 +20,7 @@ stdenv.mkDerivation rec {
owner = "indigo-dc"; owner = "indigo-dc";
repo = "oidc-agent"; repo = "oidc-agent";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-cOK/rZ/jnyALLuhDM3+qvwwe4Fjkv8diQBkw7NfVo0c=" sha256 = "sha256-cOK/rZ/jnyALLuhDM3+qvwwe4Fjkv8diQBkw7NfVo0c=";
;
}; };
buildInputs = [ buildInputs = [
@ -47,7 +47,6 @@ stdenv.mkDerivation rec {
make install_man PREFIX=$out make install_man PREFIX=$out
''; '';
meta = with lib; { meta = with lib; {
description = "oidc-agent for managing OpenID Connect tokens on the command line"; description = "oidc-agent for managing OpenID Connect tokens on the command line";
homepage = "https://github.com/indigo-dc/oidc-agent"; homepage = "https://github.com/indigo-dc/oidc-agent";
@ -55,4 +54,3 @@ stdenv.mkDerivation rec {
license = licenses.mit; license = licenses.mit;
}; };
} }