xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: xin:d2013a50d43c2f9d1d134aeb0594ecf4c0d69971
Branches Tags
xin:master
xin:deploy
..
compare: xin:087b583dd261ac808b16b73e08068d27e3ccec6a
Branches Tags
xin:deploy
xin:master

7 commits
d2013a50d4 ... 087b583dd2

Author SHA1 Message Date
xinyangli
087b583dd2
raspite: rewrite 2024-06-11 18:24:42 +08:00
xinyangli
c21ce5dc81
massicot: fix cifs disk mount 2024-06-11 18:20:21 +08:00
xinyangli
9ac58819e6
dolmite: support bandwagon and lightsail 2024-06-11 18:19:43 +08:00
xinyangli
2ce1e1a65e
calcite: switch to btrfs root 2024-06-11 18:18:07 +08:00
xinyangli
436ca779a1
modules: drop wechat-uos (merged upstream) 2024-06-11 18:11:15 +08:00
xinyangli
74a6b82d37
home-manager: vscode refactor 2024-06-11 18:05:25 +08:00
xinyangli
59fe4dcbc2
home-manager: use catppuccin flake to manage themes 2024-06-11 18:02:55 +08:00
24 changed files with 432 additions and 485 deletions
Show stats Expand all files Collapse all files

106
flake.lock
View file

@ -1,5 +1,20 @@
{
"nodes": {
"catppuccin": {
"locked": {
"lastModified": 1717070887,
"narHash": "sha256-ZTEMINFqQL+m55kmoDYIKf3i2NGitSkjBnnLu99ezh0=",
"owner": "catppuccin",
"repo": "nix",
"rev": "2c7661c9fa26a920b8088300ef87d14179c71a27",
"type": "github"
},
"original": {
"owner": "catppuccin",
"repo": "nix",
"type": "github"
}
},
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
@ -14,11 +29,11 @@
]
},
"locked": {
"lastModified": 1706509311,
"narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=",
"lastModified": 1711386353,
"narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd",
"rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db",
"type": "github"
},
"original": {
@ -46,11 +61,11 @@
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -64,11 +79,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
@ -84,11 +99,11 @@
]
},
"locked": {
"lastModified": 1709764752,
"narHash": "sha256-+lM4J4JoJeiN8V+3WSWndPHj1pJ9Jc1UMikGbXLqCTk=",
"lastModified": 1717052710,
"narHash": "sha256-LRhOxzXmOza5SymhOgnEzA8EAQp+94kkeUYWKKpLJ/U=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "cf111d1a849ddfc38e9155be029519b0e2329615",
"rev": "29c69d9a466e41d46fd3a7a9d0591ef9c113c2ae",
"type": "github"
},
"original": {
@ -104,11 +119,11 @@
]
},
"locked": {
"lastModified": 1709708644,
"narHash": "sha256-XAFOkZ6yexsqeJrCXWoHxopq0i+7ZqbwATXomMnGmr4=",
"lastModified": 1716772633,
"narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "94a1e46434736a40f976a454f8bd3ea2144f349b",
"rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac",
"type": "github"
},
"original": {
@ -128,11 +143,11 @@
]
},
"locked": {
"lastModified": 1709773506,
"narHash": "sha256-RK9D2rbN7usqlxogWSBA0EsKDScSF/Uyb8ATntC4juA=",
"lastModified": 1717032429,
"narHash": "sha256-1+87CE8xOUsJChiq9aNQqWPKoWMuyurW+aXrGbMWH7I=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "a17ea69caec11561e73c985360fb596c25f74131",
"rev": "0309d806a5431a46fb7fd81e20d7133ac8b1de55",
"type": "github"
},
"original": {
@ -141,36 +156,13 @@
"type": "github"
}
},
"nixos-cn": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1682818384,
"narHash": "sha256-l8jh9BQj6nfjPDYGyrZkZwX1GaOqBX+pBHU+7fFZU3w=",
"owner": "nixos-cn",
"repo": "flakes",
"rev": "2d475ec68cca251ef6c6c69a9224db5c264c5e5b",
"type": "github"
},
"original": {
"owner": "nixos-cn",
"repo": "flakes",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1709410583,
"narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=",
"lastModified": 1716987116,
"narHash": "sha256-uuEkErFVsFdg2K0cKbNQ9JlFSAm/xYqPr4rbPLI91Y8=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc",
"rev": "8251761f93d6f5b91cee45ac09edb6e382641009",
"type": "github"
},
"original": {
@ -182,11 +174,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1709479366,
"narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=",
"lastModified": 1716948383,
"narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "b8697e57f10292a6165a20f03d2f42920dfaf973",
"rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
"type": "github"
},
"original": {
@ -214,11 +206,11 @@
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1709428628,
"narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
"lastModified": 1716655032,
"narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
"rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f",
"type": "github"
},
"original": {
@ -230,11 +222,11 @@
},
"nur": {
"locked": {
"lastModified": 1709780742,
"narHash": "sha256-mJXQZLSI/zgQ98nHMSdmJ0l0YL3n38FWsdE9OiKPcWk=",
"lastModified": 1717079713,
"narHash": "sha256-mvTQgi86WwALm6NGi9tvCx92zrNjSr8Mz+nCqbG0ZhE=",
"owner": "nix-community",
"repo": "NUR",
"rev": "3428e6cf4521df6254ff5b8bcf31df84fc1dd0d2",
"rev": "1a7bbb238afcada295aabc758941ce82e6b1d292",
"type": "github"
},
"original": {
@ -245,12 +237,12 @@
},
"root": {
"inputs": {
"catppuccin": "catppuccin",
"colmena": "colmena",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"nix-index-database": "nix-index-database",
"nix-vscode-extensions": "nix-vscode-extensions",
"nixos-cn": "nixos-cn",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable",
@ -266,11 +258,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1709711091,
"narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=",
"lastModified": 1716692524,
"narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc",
"rev": "962797a8d7f15ed7033031731d0bb77244839960",
"type": "github"
},
"original": {

116
flake.nix
View file

@ -15,12 +15,6 @@
inputs.flake-utils.follows = "flake-utils";
};
nixos-cn = {
url = "github:nixos-cn/flakes";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
nur = {
url = "github:nix-community/NUR";
};
@ -49,38 +43,47 @@
url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
catppuccin.url = "github:catppuccin/nix";
};
outputs = { self, ... }@inputs:
with inputs;
outputs =
{ self
, home-manager
, nixpkgs
, nixos-hardware
, flake-utils
, nur
, catppuccin
, ... }@inputs:
let
homeConfigurations = import ./home;
sharedModules = [
self.homeManagerModules
sharedHmModules = [
inputs.nix-index-database.hmModules.nix-index
catppuccin.homeManagerModules.catppuccin
self.homeManagerModules
];
mkHome = user: host: { config, system, ... }: {
mkHome = user: host: { ... }: {
imports = [
home-manager.nixosModules.home-manager
{
home-manager = {
inherit sharedModules;
sharedModules = sharedHmModules;
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = { inherit inputs; };
};
home-manager.users.${user} = homeConfigurations.${user}.${host};
home-manager.users.${user} = (import ./home).${user}.${host};
}
];
};
mkHomeConfiguration = user: settings: {
mkHomeConfiguration = user: host: {
name = user;
value = home-manager.lib.homeManagerConfiguration {
pkgs = import nixpkgs { system = "x86_64-linux"; };
modules = [
self.homeManagerModules
] ++ sharedModules;
(import ./home).${user}.${host}
] ++ sharedHmModules;
extraSpecialArgs = {
inherit inputs;
};
@ -92,9 +95,9 @@
modules = [
self.nixosModules.default
nur.nixosModules.nur
./overlays
] ++ modules;
};
evalSecrets = import ./eval_secrets.nix;
in
{
nixosModules.default = import ./modules/nixos;
@ -107,12 +110,12 @@
deploymentModule = {
deployment.targetUser = "xin";
};
sharedModules = [
sharedColmenaModules = [
self.nixosModules.default
deploymentModule
];
in
colmena.lib.makeHive {
inputs.colmena.lib.makeHive {
meta = {
nixpkgs = import nixpkgs {
system = "x86_64-linux";
@ -123,34 +126,20 @@
};
};
massicot = { name, nodes, pkgs, ... }: with inputs; {
massicot = { ... }: {
deployment.targetHost = "49.13.13.122";
deployment.buildOnTarget = true;
imports = [
{ nixpkgs.system = "aarch64-linux"; }
machines/massicot
] ++ sharedModules;
] ++ sharedColmenaModules;
};
sgp-00 = { name, nodes, pkgs, ... }: with inputs; {
tok-00 = { ... }: {
imports = [
machines/dolomite
] ++ sharedModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "sgp-00";
system.stateVersion = "23.11";
deployment = {
targetHost = "video.namely.icu";
buildOnTarget = false;
tags = [ "proxy" ];
};
};
tok-00 = { name, nodes, pkgs, ... }: with inputs; {
imports = [
machines/dolomite
] ++ sharedModules;
] ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "tok-00";
system.stateVersion = "23.11";
@ -160,6 +149,33 @@
tags = [ "proxy" ];
};
};
la-00 = { ... }: {
imports = [
machines/dolomite
] ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "la-00";
system.stateVersion = "21.05";
deployment = {
targetHost = "la-00.video.namely.icu";
buildOnTarget = false;
tags = [ "proxy" ];
};
};
raspite = { ... }: {
deployment = {
targetHost = "raspite.local";
buildOnTarget = false;
};
nixpkgs.system = "aarch64-linux";
imports = [
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
nixos-hardware.nixosModules.raspberry-pi-4
machines/raspite/configuration.nix
] ++ sharedColmenaModules;
};
};
nixosConfigurations = {
@ -169,38 +185,16 @@
nixos-hardware.nixosModules.asus-zephyrus-ga401
machines/calcite/configuration.nix
(mkHome "xin" "calcite")
(./overlays)
];
};
raspite = mkNixos {
system = "aarch64-linux";
modules = [
nixos-hardware.nixosModules.raspberry-pi-4
machines/raspite/configuration.nix
(mkHome "xin" "raspite")
];
};
} // self.colmenaHive.nodes;
images.raspite = (mkNixos {
system = "aarch64-linux";
modules = [
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
nixos-hardware.nixosModules.raspberry-pi-4
machines/raspite/configuration.nix
{
nixpkgs.config.allowUnsupportedSystem = true;
nixpkgs.hostPlatform.system = "aarch64-linux";
nixpkgs.buildPlatform.system = "x86_64-linux";
}
];
}).config.system.build.sdImage;
} // flake-utils.lib.eachDefaultSystem (system:
let pkgs = nixpkgs.legacyPackages.${system}; in
{
devShells = {
default = pkgs.mkShell {
packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp nvd ];
packages = with pkgs; [ git colmena sops nix-output-monitor nil nvd ];
};
};
}

17
home/xin/calcite.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, pkgs, ... }@inputs:
{
imports = [
./common
@ -17,6 +17,7 @@
primary = true;
address = "lixinyang411@gmail.com";
flavor = "gmail.com";
realName = "Xinyang Li";
};
accounts.email.accounts.whu = {
@ -32,13 +33,25 @@
remmina
];
# Theme
catppuccin = {
enable = true;
flavor = "mocha";
};
xdg.enable = true;
i18n.inputMethod = {
enabled = "fcitx5";
fcitx5.addons = with pkgs; [ fcitx5-rime ];
};
custom-hm = {
alacritty = { enable = true; };
direnv = { enable = true; };
fish = { enable = true; };
git = { enable = true; signing.enable = true; };
neovim = { enable = true; };
vscode = { enable = true; };
vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; };
zellij = { enable = true; };
};
}

4
home/xin/common/default.nix
View file

@ -19,4 +19,8 @@
inetutils
];
nix.extraOptions = ''
extra-substituters = https://nix-community.cachix.org
extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
'';
}

39
machines/calcite/configuration.nix
View file

@ -66,11 +66,6 @@
LC_TIME = "en_US.utf8";
};
i18n.inputMethod = {
enabled = "fcitx5";
fcitx5.addons = with pkgs; [ fcitx5-rime ];
};
# Enable the X11 windowing system.
services.xserver.enable = true;
@ -78,6 +73,7 @@
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11
services.xserver = {
xkb.layout = "us";
@ -132,8 +128,8 @@
};
# Enable automatic login for the user.
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "xin";
services.displayManager.autoLogin.enable = true;
services.displayManager.autoLogin.user = "xin";
# Smart services
services.smartd.enable = true;
@ -145,10 +141,6 @@
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
# For wechat-uos
"electron-19.1.9"
"electron-25.9.0"
];
# List packages installed in system profile. To search, run:
# $ nix search wget
@ -157,10 +149,6 @@
owncloud-client
nfs-utils
winetricks
wineWowPackages.waylandFull
faudio
# tesseract5 # ocr
ocrmypdf # pdfocr
@ -174,6 +162,7 @@
requests
numpy
pyyaml
setuptools
];
python-with-my-packages = python3.withPackages my-python-packages;
in
@ -185,9 +174,11 @@
# Gnome tweaks
gnomeExtensions.paperwm
gnomeExtensions.search-light
gnomeExtensions.tray-icons-reloaded
gnomeExtensions.appindicator
gnome.gnome-tweaks
gnome.gnome-themes-extra
gnome.gnome-remote-desktop
bibata-cursors
gthumb
oculante
@ -195,29 +186,29 @@
vlc
obs-studio
spotify
rawtherapee
digikam
# IM
element-desktop
tdesktop
qq
wechat-uos
# Password manager
bitwarden
# Browser
firefox
chromium
(chromium.override {
commandLineArgs = [
"--ozone-platform-hint=auto"
"--enable-wayland-ime"
];
})
brave
# Writting
obsidian
zotero
onlyoffice-bin
# onlyoffice-bin
wpsoffice
zed-editor
config.nur.repos.linyinfeng.wemeet

8
machines/calcite/hardware-configuration.nix
View file

@ -10,12 +10,16 @@
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.initrd.luks.devices.cryptroot = {
device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d";
};
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXROOT";
fsType = "ext4";
{ # device = "/dev/disk/by-label/NIXROOT";
device = "/dev/mapper/cryptroot";
fsType = "btrfs";
};
fileSystems."/boot/efi" =

5
machines/calcite/network.nix
View file

@ -19,8 +19,11 @@
services.tailscale.enable = true;
# services.tailscale.useRoutingFeatures = "both";
services.dae.enable = true;
services.dae.configFile = "/var/lib/dae/config.dae";
custom.sing-box = {
enable = true;
enable = false;
configFile = {
urlFile = config.sops.secrets.sing_box_url.path;
hash = "6ca5bc8a16f8c413227690aceeee2c12c02cab09473c216b849af1e854b98588";

6
machines/calcite/secrets.yaml
View file

@ -1,7 +1,7 @@
restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str]
restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str]
sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str]
gitea_env: ENC[AES256_GCM,data:hENSYBo2Zp9s+dVv9CHkf1kDqa+AU5XQFUWfww/rwGqFeZW0aouHMSxdW7ORU2o=,iv:KmqU1VnZ6LeIflBJ2hyTvLDPN/CSdqyBd2600xIVSNQ=,tag:DkwVTLuYJG6kEzl5dyV8pw==,type:str]
gitea_env: ENC[AES256_GCM,data:ShKKQWSiIkQ4uaWBhN5uB3xSu/8u8LkDjZeFi3G5BZUj7Vy4hoMweyUXyMf7w9A=,iv:JK6NgIJlU8G7G/LrZtNyGC4K9jblImFXnzhUMdkFbUw=,tag:PYeafqgXaSpDNJ0oIENW4A==,type:str]
sops:
kms: []
gcp_kms: []
@ -26,8 +26,8 @@ sops:
WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-25T13:44:27Z"
mac: ENC[AES256_GCM,data:RPm7Y6R19Ygs2tptgQNap4AMZ2PgRwigGXVMpNcBT94L1YJoSGaJUDwukqHuzHGPvOqMZaEMIlorWQ5Ou7MSVhWZE2V8IsRCC5IWqcFI1FQjKc9WcImuIXPILKwCX+ScWrzbSmV0iYWxbeXTPU77pW4kAB7n4w/9CZfMP8BJcOw=,iv:sS0ttKYmaulWAY99awyBGCNpGxg8F0QCxeVmI2LbvP8=,tag:Av8VRPEmyeVV31S59sfPYA==,type:str]
lastmodified: "2024-04-05T04:32:32Z"
mac: ENC[AES256_GCM,data:esdTvjxnVP5t721ROLvMCvHMAkcpEFgTzHIQNyEkEaL1DKYDOJKFjufPPXDiEBX8+ni9RGYL4QHuDxlh89p0HAFHb3XCkE639NyHr6MD/DzFHbenaMJXEcWy/RSoWqroyHJA8XL7ymBGeDH7ERqyQaxc3oG653V/Uq5+/a++HQI=,iv:QvSee/Wes5RygpoCOJpVuatj+xij8EPUBayE1yUWM3g=,tag:8Un2qrflqAFB0iWz2Evi5Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

7
machines/dolomite/bandwagon.nix
View file

@ -10,7 +10,7 @@ in
isBandwagon = lib.mkEnableOption "Bandwagon instance";
};
config = lib.mkIf cfg.isBandwagon {
config = lib.mkIf cfg {
boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
@ -28,9 +28,8 @@ in
swapDevices = [ ];
boot.loader.grub.enable = lib.mkForce true;
boot.loader.grub.version = lib.mkForce 2;
boot.loader.grub.device = lib.mkForce "/dev/sda";
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.useDHCP = false;
networking.interfaces.ens18.useDHCP = true;
networking.interfaces.ens19.useDHCP = true;

8
machines/dolomite/default.nix
View file

@ -1,13 +1,13 @@
{ inputs, config, pkgs, lib, modulesPath, ... }:
{ config, lib, ... }:
let
awsHosts = [ "sgp-00" "tok-00 "];
awsHosts = [ "tok-00 "];
bwgHosts = [ "la-00" ];
in
{
imports = [
../sops.nix
./bandwagon.nix
./lightsail.nix
./bandwagon.nix
./lightsail.nix
];

103
machines/dolomite/lightsail.nix
View file

@ -1,13 +1,106 @@
{ config, lib, pkgs, modulesPath, ... }:
with lib;
let
cfg = config.isLightsail;
cfg = config.ec2;
in
{
imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ];
imports = [
"${modulesPath}/profiles/headless.nix"
# Note: While we do use the headless profile, we also explicitly
# turn on the serial console on ttyS0 below. This is because
# AWS does support accessing the serial console:
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html
"${modulesPath}/virtualisation/ec2-data.nix"
"${modulesPath}/virtualisation/amazon-init.nix"
];
options = {
isLightsail = lib.mkEnableOption "Lightsail instance";
isLightsail = mkEnableOption "Lightsail instance";
};
config = lib.mkIf cfg.isLightsail{
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
config = mkIf config.isLightsail {
boot.loader.grub.device = "/dev/nvme0n1";
# from nixpkgs amazon-image.nix
assertions = [ ];
boot.growPartition = true;
fileSystems."/" = mkIf (!cfg.zfs.enable) {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
autoResize = true;
};
fileSystems."/boot" = mkIf (cfg.efi || cfg.zfs.enable) {
# The ZFS image uses a partition labeled ESP whether or not we're
# booting with EFI.
device = "/dev/disk/by-label/ESP";
fsType = "vfat";
};
services.zfs.expandOnBoot = mkIf cfg.zfs.enable "all";
boot.zfs.devNodes = mkIf cfg.zfs.enable "/dev/";
boot.extraModulePackages = [
config.boot.kernelPackages.ena
];
boot.initrd.kernelModules = [ "xen-blkfront" ];
boot.initrd.availableKernelModules = [ "nvme" ];
boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ];
# Prevent the nouveau kernel module from being loaded, as it
# interferes with the nvidia/nvidia-uvm modules needed for CUDA.
# Also blacklist xen_fbfront to prevent a 30 second delay during
# boot.
boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ];
boot.loader.grub.efiSupport = cfg.efi;
boot.loader.grub.efiInstallAsRemovable = cfg.efi;
boot.loader.timeout = 1;
boot.loader.grub.extraConfig = ''
serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
terminal_output console serial
terminal_input console serial
'';
systemd.services.fetch-ec2-metadata = {
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = ["network-online.target"];
path = [ pkgs.curl ];
script = builtins.readFile ./ec2-metadata-fetcher.sh;
serviceConfig.Type = "oneshot";
serviceConfig.StandardOutput = "journal+console";
};
# Amazon-issued AMIs include the SSM Agent by default, so we do the same.
# https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html
services.amazon-ssm-agent.enable = true;
# Allow root logins only using the SSH key that the user specified
# at instance creation time.
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
# Enable the serial console on ttyS0
systemd.services."serial-getty@ttyS0".enable = true;
# Creates symlinks for block device names.
services.udev.packages = [ pkgs.amazon-ec2-utils ];
# Force getting the hostname from EC2.
# networking.hostName = mkDefault "";
# Always include cryptsetup so that Charon can use it.
environment.systemPackages = [ pkgs.cryptsetup ];
# EC2 has its own NTP server provided by the hypervisor
networking.timeServers = [ "169.254.169.123" ];
# udisks has become too bloated to have in a headless system
# (e.g. it depends on GTK).
services.udisks2.enable = false;
};
}

33
machines/massicot/services.nix
View file

@ -35,18 +35,23 @@ in
};
};
fileSystems = builtins.listToAttrs (map (share: {
name = "/mnt/storage/${share}";
value = {
device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
fsType = "cifs";
options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},rw,x-systemd.automount"];
};
}) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] );
systemd.mounts = map (share: {
what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
where = "/mnt/storage/${share}";
type = "cifs";
options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
before = [ "${share}.service" ];
after = [ "cachefilesd.service" ];
wantedBy = [ "${share}.service" ];
}) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ];
services.cachefilesd.enable = true;
system.activationScripts = {
conduit-media-link.text = ''
ln -snf /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media
mkdir -m 700 -p /var/lib/private/matrix-conduit/media
chown conduit:conduit /var/lib/private/matrix-conduit/media
mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media
'';
};
security.acme = {
@ -76,6 +81,8 @@ in
server_name = "xinyang.life";
port = 6167;
# database_path = "/var/lib/matrix-conduit/";
max_concurrent_requests = 100;
log = "info";
database_backend = "rocksdb";
allow_registration = false;
};
@ -153,22 +160,24 @@ in
virtualHosts."xinyang.life:443".extraConfig = ''
tls internal
encode zstd gzip
reverse_proxy /_matrix/* localhost:6167
handle_path /.well-known/matrix/client {
header Content-Type "application/json"
header Access-Control-Allow-Origin "*"
header Content-Disposition attachment; filename="client"
respond `{"m.homeserver":{"base_url":"https://xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://xinyang.life/"}}`
respond `{"m.homeserver":{"base_url":"https://msg.xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://msg.xinyang.life/"}}`
}
handle_path /.well-known/matrix/server {
header Content-Type "application/json"
header Access-Control-Allow-Origin "*"
respond `{"m.server": "xinyang.life:443"}`
respond `{"m.server": "msg.xinyang.life:443"}`
}
reverse_proxy * http://localhost:8080 {
flush_interval -1
}
'';
virtualHosts."https://msg.xinyang.life:443".extraConfig = ''
reverse_proxy /_matrix/* localhost:6167
'';
virtualHosts."https://git.xinyang.life:443".extraConfig = ''
reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
'';

59
machines/raspite/configuration.nix
View file

@ -1,6 +1,9 @@
{ config, libs, pkgs, ... }:
{ config, lib, pkgs, ... }:
{
imports = [
./hass.nix
];
nixpkgs.overlays = [
# Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243
(final: super: {
@ -8,29 +11,21 @@
super.makeModulesClosure (x // { allowMissing = true; });
})
];
imports = [
../sops.nix
];
environment.systemPackages = with pkgs; [
git
libraspberrypi
raspberrypi-eeprom
];
# Use mirror for binary cache
nix.settings.substituters = [
"https://mirrors.bfsu.edu.cn/nix-channels/store"
"https://mirrors.ustc.edu.cn/nix-channels/store"
"https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
sops = {
secrets.password = {
sopsFile = ./secrets.yaml;
};
};
system.stateVersion = "22.11";
system.stateVersion = "24.05";
networking = {
hostName = "raspite";
@ -38,23 +33,31 @@
interfaces.eth0.useDHCP = true;
};
networking.proxy = {
default = "http://127.0.0.1:7890/";
noProxy = "127.0.0.1,localhost,internal.domain,.coho-tet.ts.net";
# boot.kernelPackages = pkgs.linuxPackages_stable;
custom.kanidm-client = {
enable = true;
uri = "https://auth.xinyang.life";
asSSHAuth = {
enable = true;
allowedGroups = [ "linux_users" ];
hardening = true;
};
sudoers = [ "xin@auth.xinyang.life" ];
};
services.openssh = {
enable = true;
security.sudo = {
execWheelOnly = true;
wheelNeedsPassword = false;
};
systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
users.users.xin = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" ];
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd xin@nixos" ];
# passwordFile = config.sops.secrets.password.path;
hashedPassword = "$y$j9T$KEOMZBlXtudOYWq/elAdI.$Vd3X8rjEplbuRBeZPp.8/gpL3zthpBNjhBR47wFc8D4";
nix.settings = {
trusted-users = [ "@wheel" ];
};
# fileSystems."/".fsType = lib.mkForce "btrfs";
boot.supportedFilesystems.zfs = lib.mkForce false;
services.dae.enable = false;
services.dae.configFile = "/var/lib/dae/config.dae";
}

50
machines/raspite/hass.nix Normal file
View file

@ -0,0 +1,50 @@
{ config, pkgs, ... }: {
services.home-assistant = {
enable = true;
extraComponents = [
"default_config"
"esphome"
"met"
"radio_browser"
];
openFirewall = false;
config = {
default_config = {};
http = {
server_host = "::1";
base_url = "raspite.local:1000";
use_x_forward_for = true;
trusted_proxies = [
"::1"
];
};
};
};
services.esphome = {
enable = true;
openFirewall = false;
};
users.groups.dialout.members = config.users.groups.wheel.members;
environment.systemPackages = with pkgs; [
zigbee2mqtt
];
networking.firewall.allowedTCPPorts = [ 1000 1001 ];
services.caddy = {
enable = true;
virtualHosts = {
# reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
"raspite.local:1000".extraConfig = ''
reverse_proxy http://[::1]:8123
'';
"raspite.local:1001".extraConfig = ''
reverse_proxy ${config.services.esphome.address}:${toString config.services.esphome.port}
'';
};
};
}

69
machines/secrets.yaml
View file

@ -17,56 +17,65 @@ sops:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MUxIZHJTYk9YS0lPOGZK
VUJhQ1liNEtXZ3ZYaCtqQWVBTGVJclVVRER3CmJUcS9yY2x1TFFYMkpZOWxZeW5w
WFk0WTNoWmphdG12dTdHaW9tYVRjS1UKLS0tIHd4enVwalRDaHQwK0U1RFNHOEVI
N0UrRjRxTWJRanI4VnRjWlhzQS8zSGsKSJJnFuEp7yO8bIh2LpSvgjsYAK05u2TE
a+UBiu6xQQaUnL02CAau4xHqBn9GZxeqlVAjVSJITArLR/uQkkUM6g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdjlhNVZpUjYzRTVXNG9Y
S0lEUVdoM003YVZoeXYyOXdwY3Rla3VJSkZvCkl0a3FPeVpMY1JTWkdCb3NaeVBQ
dHVSVzg1cDNIS3JnMmYxbUlzbjFicG8KLS0tIHFENDNaZENzSzJQZDVLSVJ5VHBP
aVpJN1dkbEQ2djQyWVdRTUx4NGdaaTgKgfcGovmMgVFHkPLHT7C5bg75LXg8MFK0
s8IL8qhHif4uzMuFjdw9MzyuQc1bqGzazX5YC1MYLYCOWHRlLq9mXw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT3ZES3BHWWpDekt0VEYz
emUvUTQ3WUFWd0w2VlVSWHMrd3ZvZjYvYlJZCkcyRjBZWEdGTXJZVENyZ1U2YTV2
eU1MS3NCQzZ3Y3ZhOG4rRVByU1ZlRU0KLS0tIFdGVTliOFpSTWl0YlV6OTVUbk9O
SjBoUnNOVTB1QWFDYnVwWkhaN3d0VGMKjNiW597mLAogPyDBUhEDYd/VyePXesL7
kzyV/e8t/5zHs3/I17ZUd8bxdCjbrrXI1g4Swx31yCgZOk8uKAuLRQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQXdMdzMxNzE3SHpZR09w
OTFtNzJLdVk5bWlyNGl4RzA4NWFUQTlvbUQ4ClhGZHI3ekJWYnNwamJXWWVtc3do
TXpoWERqT24rMjRtQUJUb2RKSm9BUjQKLS0tIHd6QXUrWVJ5aU52VEtDL01Kd2d2
V3U4cTNoVzYzdmt5YkpNUmsyUWtCaEkKhxEQVVt2zvVGFGtlfPr0sQ7b0yUDRDOV
CN8nxyO0NiuvEKSkw+KCkcNWNQZDnHTQ3pwWyAohRZk3vB/RSuApCg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaTlNTjVXTHFzNS9GUk1S
bVMxeWdwSUlmN3B6QlovejI3SlNuc2dJMjFVClF2VFRVNjFrQldRcHNLeWhpWFE1
UDRvY3RTZHZCa2RDZ1RmVWRHb2ttUVUKLS0tIEI0QS9SL3lTeXVITVgvcHVCNmdW
cVl6T3NWWEVkWExuTldqQU5CUzFTM1UKFYD1jdEQfFRNBkRyL+1gZzCdpJHN7QqU
4CVOsIeVl6ufWG4D2FfP4Zow5uhnvDXmWqBCmpJ/iVKnu3klihlndA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdlh1Kyt4KzlFR2RkTmFo
S00zK1RDNnJwVzQ4Um93TDBEcnJZUjJLUG00CjloMFdaNm5LU2lRRVpnM0RpN3BR
Ly9pUkxuZHd3NHJRSG1Ha3ZVcE50RkUKLS0tIDN1K0xnb01EL2Q3aG5RV0grdmdl
TWh3ZStZQ3lNYkh2cjJ1RWhLRDJ0KzQK/+R6hFg8ErtT/rkSOCwRdArTPIE/J9Yv
2qZmREM7q99L5w6lEBTn9SRekowk0ncwIoTxRfn576wyl++b8gBv9Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRGZ5WVFJQzFSWlR6dDMv
bXJsNlZLeVVpK1RuaVpySkcreHE1SkNMSjA4CkxGMzVvZHZ4ZTdRdzh6K3V6OVQ0
RkI3bWg5ZUw5RFlQN05zdC9HVkdjYlUKLS0tIGdibTdwbnRhMmZEZ2VPelF6a3Aw
U1dGQmxOTklFTmFaMTc1MGQvRVB1TzgKkhxjImoj1lxpvBMjKJJOiM2eC2bQ73Ay
Rket8CjZnfRhYDD9YoOWBNswONQoVY8/dSXgLDObtfFxbnjZ1pj63A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJelptN09Oa0NRdTFER2du
clZGM09uMlhpMlZDQ2VvTTZOZ09VWGNwaWpjCmRuMjM3VTRpT3hRaWpEYW5HaWRr
K2pEM3dLYjhSS25hSUtrYkRvYXpCd2MKLS0tIHU2eDlXdVBlZUFTMjYxRTladVJV
cjZ0dGtmM29YdXI5Z1RpVVdRSktBU2MKdR5d6fb2EHX5j51qE5gg0GXKjy4fCpT0
Q+fZslCPDZqaOX/9kGT874TuW4CC1wttpsCDNIEzrX54SvIGfsVPgg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RWRsdXNTQkNJWXFTODY4
WVNYb2xKZHJWWTUvZmlMS3VkYnhWQkVaZHpFCjJjY2JzeFQza3llNHZFYWVVK0Ri
K2ZJNUlZMWxFbGdhQ2pxRlh4VjVITFkKLS0tIGFHSDI5aW5aTUdFTEJOMnNjVXlm
SVlDVk9Xdnc0WVpFN2VmSlZIajJielkKz8xnfxIArN9PLjUorYPzakmLx7/bsoq0
EfoiB6ZpuWMeNEmfHygTEUPTC7eWw42EIYk964vI6LySFQyO3Z8p5g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRUhOaVhSMFJFcC9qYytK
dHJ1ZUg1SWRBeTVSeFhDRW1VbG1HWUJaUEhvCnBOaENFUXlJWHAxQ0ZGVGFxQkpC
b3dwb0VJVTR1MUNDT3VQR0tsNE5vUDQKLS0tIEJkbWN5MWRtKzRveldvT2dMR2k1
djdBQzNvSFNPRDZwN1B1dG5sUzlRdzgK35bNxRGDQw+dtnXcXSXk67kJFce52vqn
srABR9FOYmSfesLKXOdKItLAGffkfB7kuiXO7CvyVTkgJOjBgK6Tnw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNb2JOOUlGL1pCVXVYZk1j
cWg0NE13WnBUWDA4VTNRdlNmWktRN0lJbkVBCkpHTklwbnFsd0NBOTY5V0JCTVJN
alVFeW41ajlZR2dHZDlrL2FtazB6QU0KLS0tIDhoTXppS0lnZmFJY1lhSDBudVB4
NHFLdnorOUtJSzVPWldYakppZFJwdlEKbZnT7m6R7H/yLG+tDbQECgQVGX0xT4jC
67z8k6xbnsT2srhhXk/NHi+/j7AcHhPG6cTO1z8MrxkMikk8ihU1Iw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2WFIzVEZPUmFBclpweDZR
WXZFb0FjcWxDRTNpQmFRaU9BY0lPTzAxNWhvClk5UmxFQllGQ29VOGIxeS9xMmV2
SUdEaFJ3bFZPSjVjQ1JnVS9jSWxXaWcKLS0tIGs0ZE0wMUZDeGNWNlhoN3JOMmlG
c1E1Sld1ejZhTStKTU5teEJKT2JwVXcKuEQnA6b1WJ+RNqmrZ8t3joiEZ57Oq9M1
P4tMGerB12A1myTJlt5Ss2OCTBUV7ooVRNsyPjyvJy/YTyjqZ5xmxg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaHFOa1ArRW5xWFAyWXlh
enpQUzZKbFFFUzN1cisrd2JGelpXSWppRnhvCmY5VDlSTFhJakt3aU8zYjRrZXVQ
b3o2NlpCeGZZU1ROeW5XOFVpdEZnZXcKLS0tIGZ5M2IxNHp0Qm8rckROdy96a0pG
NjVEaWN3cU1rRjQ2a29wV1g1NzE0UTAKNefzj+p+U735LHqm5lnWGHCARuqvFmgA
6bxJN9frAMZQIXZSwOTrfpYrTmKcBLcfWxq7LUPluw9HinQnkFpWqg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-07T13:13:50Z"
mac: ENC[AES256_GCM,data:cAc3Wp5KjuaKWv0e2ciPVzvsK2L6BgupYS2+5Vlr+Wn0RBsuLA0OEW2pQbm5hpUJaWO65qQk5IeMvK/h8otYLgGHGzz23NiZTNeAknw6z2mL5y+GgP22mBOMzPU2PtaJKXkt624T1sZzW4QTMo8TqBlzy7D10odyjkVn6Wd+OGE=,iv:zucnHwHjY4DX3jIKuuIGpa2no9svOEordGN0LsPKDuc=,tag:JQZMyBO3yZIW+ZTIKDUPCQ==,type:str]

8
modules/home-manager/alacritty.nix
View file

@ -18,6 +18,7 @@ in
args = [
"attach"
"-c"
"alacritty-zellij"
];
};
font.size = 10.0;
@ -25,14 +26,7 @@ in
resize_increments = true;
dynamic_padding = true;
};
import = [
"${config.xdg.configHome}/alacritty/catppuccin-macchiato.toml"
];
};
};
xdg.configFile."alacritty/catppuccin-macchiato.toml".source = builtins.fetchurl {
url = "https://raw.githubusercontent.com/catppuccin/alacritty/main/catppuccin-macchiato.toml";
sha256 = "sha256:1iq187vg64h4rd15b8fv210liqkbzkh8sw04ykq0hgpx20w3qilv";
};
};
}

1
modules/home-manager/git.nix
View file

@ -36,7 +36,6 @@ in
signByDefault = true;
key = cfg.signing.keyFile;
};
extraConfig.user = mkIf cfg.signing.enable {
signingkey = cfg.signing.keyFile;
};

8
modules/home-manager/vscode.nix
View file

@ -22,11 +22,13 @@ let
llvm-vs-code-extensions.vscode-clangd
(ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; }))
twxs.cmake
ms-vscode.cpptools
];
settings = {
"cmake.configureOnEdit" = false;
"cmake.showOptionsMovedNotification" = false;
"cmake.showNotAllDocumentsSavedQuestion" = false;
"C_Cpp.intelliSenseEngine" = "Disabled";
};
};
pythonPackages = {
@ -37,7 +39,7 @@ let
settings = { };
};
scalaPackages = {
systemPackages = with pkgs; [ ];
systemPackages = with pkgs; [ coursier ];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
scala-lang.scala
scalameta.metals
@ -54,7 +56,7 @@ let
"latex-workshop.latex.tools" = [
{ "name" = "xelatex";
"command" = "xelatex";
"args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-pdf" "%DOCFILE%" ];
"args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ];
}
{ "name" = "pdflatex";
"command" = "pdflatex";
@ -104,6 +106,7 @@ in
] ++ zipAttrsWithLanguageOption "systemPackages");
programs.vscode = {
enable = true;
package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; };
enableUpdateCheck = false;
enableExtensionUpdateCheck = false;
mutableExtensionsDir = false;
@ -131,7 +134,6 @@ in
catppuccin.catppuccin-vsc
# Rust
rust-lang.rust-analyzer
# ]) ++ ;
])
] ++ zipAttrsWithLanguageOption "extension");
userSettings = lib.mkMerge ([

1
modules/home-manager/zellij.nix
View file

@ -20,7 +20,6 @@ in
"Ctrl n"
];
};
theme = "catppuccin-macchiato";
};
};
};

13
modules/nixos/kanidm-client.nix
View file

@ -16,6 +16,10 @@ in
type = types.listOf types.str;
example = [ "linux_users" ];
};
hardening = mkOption {
type = types.bool;
default = false;
};
};
};
};
@ -48,7 +52,15 @@ in
enable = true;
authorizedKeysCommand = "/etc/ssh/auth %u";
authorizedKeysCommandUser = "kanidm-ssh-runner";
settings = mkIf cfg.asSSHAuth.enable {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkForce "no";
GSSAPIAuthentication = "no";
KerberosAuthentication = "no";
};
};
environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
mode = "0555";
text = ''
@ -59,6 +71,7 @@ in
users.groups.wheel.members = cfg.sudoers;
users.groups.kanidm-ssh-runner = { };
users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; };
};
}

7
oci-images/nix-ci-base/flake.nix
View file

@ -29,6 +29,13 @@
extraPkgs = with pkgs; [
nodejs_20 # nodejs is needed for running most 3rdparty actions
# add any other pre-installed packages here
curl
xz
openssl
coreutils-full
cmake
gnumake
gcc
];
# change this is you want
channelURL = "https://nixos.org/channels/nixpkgs-23.11";

9
overlays/add-ime-electron.nix Normal file
View file

@ -0,0 +1,9 @@
{ config, pkgs, lib, ... }:
{
nixpkgs.overlays = [
(self: super: {
element-desktop = super.element-desktop.override { commandLineArgs = "--enable-wayland-ime"; };
})
];
}

1
overlays/add-pkgs.nix
View file

@ -4,7 +4,6 @@
nixpkgs.overlays = [
(self: super: {
ssh-tpm-agent = pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { };
wechat-uos = pkgs.callPackage ./pkgs/wechat-uos.nix { };
})
];
}

239
overlays/pkgs/wechat-uos.nix
View file

@ -1,239 +0,0 @@
{ stdenvNoCC
, stdenv
, lib
, fetchurl
, requireFile
, dpkg
, nss
, nspr
, xorg
, pango
, zlib
, atkmm
, libdrm
, libxkbcommon
, xcbutilwm
, xcbutilimage
, xcbutilkeysyms
, xcbutilrenderutil
, mesa
, alsa-lib
, wayland
, openssl_1_1
, atk
, qt6
, at-spi2-atk
, at-spi2-core
, dbus
, cups
, gtk3
, libxml2
, cairo
, freetype
, fontconfig
, vulkan-loader
, gdk-pixbuf
, libexif
, ffmpeg
, pulseaudio
, systemd
, libuuid
, expat
, bzip2
, glib
, libva
, libGL
, libnotify
, buildFHSEnv
, writeShellScript
, /**
License for wechat-uos, packed in a gz archive named "license.tar.gz".
It should have the following files:
license.tar.gz
etc
lsb-release
os-release
var
lib
uos-license
.license.json
uos
.license.key
*/
uosLicense ? requireFile {
name = "license.tar.gz";
url = "https://www.uniontech.com";
sha256 = "53760079c1a5b58f2fa3d5effe1ed35239590b288841d812229ef4e55b2dbd69";
}
}:
let
wechat-uos-env = stdenvNoCC.mkDerivation {
meta.priority = 1;
name = "wechat-uos-env";
buildCommand = ''
mkdir -p $out/etc
mkdir -p $out/lib/license
mkdir -p $out/usr/bin
mkdir -p $out/usr/share
mkdir -p $out/opt
mkdir -p $out/var
ln -s ${wechat}/opt/* $out/opt/
ln -s ${wechat}/usr/lib/wechat-uos/license/etc/os-release $out/etc/os-release
ln -s ${wechat}/usr/lib/wechat-uos/license/etc/lsb-release $out/etc/lsb-release
ln -s ${wechat}/usr/lib/wechat-uos/license/var/* $out/var/
ln -s ${wechat}/usr/lib/wechat-uos/license/libuosdevicea.so $out/lib/license/
'';
preferLocalBuild = true;
};
wechat-uos-runtime = with xorg; [
stdenv.cc.cc
stdenv.cc.libc
pango
zlib
xcbutilwm
xcbutilimage
xcbutilkeysyms
xcbutilrenderutil
libX11
libXt
libXext
libSM
libICE
libxcb
libxkbcommon
libxshmfence
libXi
libXft
libXcursor
libXfixes
libXScrnSaver
libXcomposite
libXdamage
libXtst
libXrandr
libnotify
atk
atkmm
cairo
at-spi2-atk
at-spi2-core
alsa-lib
dbus
cups
gtk3
gdk-pixbuf
libexif
ffmpeg
libva
freetype
fontconfig
libXrender
libuuid
expat
glib
nss
nspr
libGL
libxml2
pango
libdrm
mesa
vulkan-loader
systemd
wayland
pulseaudio
qt6.qt5compat
openssl_1_1
bzip2
];
wechat = stdenvNoCC.mkDerivation
rec {
pname = "wechat-uos";
version = "1.0.0.238";
src = {
x86_64-linux = fetchurl {
url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_amd64.deb";
hash = "sha256-NxAmZ526JaAzAjtAd9xScFnZBuwD6i2wX2/AEqtAyWs=";
};
aarch64-linux = fetchurl {
url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_arm64.deb";
hash = "sha256-3ru6KyBYXiuAlZuWhyyvtQCWbOJhGYzker3FS0788RE=";
};
loongarch64-linux = fetchurl {
url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_loongarch64.deb";
hash = "sha256-iuJeLMKD6v8J8iKw3+cyODN7PZQrLpi9p0//mkI0ujE=";
};
}.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported.");
# Don't blame about this. WeChat requires some binary from here to work properly
uosSrc = {
x86_64-linux = fetchurl {
url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_amd64.deb";
hash = "sha256-vVN7w+oPXNTMJ/g1Rpw/AVLIytMXI+gLieNuddyyIYE=";
};
aarch64-linux = fetchurl {
url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_arm64.deb";
hash = "sha256-XvGFPYJlsYPqRyDycrBGzQdXn/5Da1AJP5LgRVY1pzI=";
};
loongarch64-linux = fetchurl {
url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_loongarch64.deb";
hash = "sha256-oa6rLE6QXMCPlbebto9Tv7xT3fFqYIlXL6WHpB2U35s=";
};
}.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported.");
inherit uosLicense;
nativeBuildInputs = [ dpkg ];
unpackPhase = ''
runHook preUnpack
dpkg -x $src ./wechat-uos
dpkg -x $uosSrc ./wechat-uos-old-source
tar -xvf $uosLicense
runHook postUnpack
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -r wechat-uos/* $out
mkdir -pv $out/usr/lib/wechat-uos/license
cp -r license/* $out/usr/lib/wechat-uos/license
cp -r wechat-uos-old-source/usr/lib/license/libuosdevicea.so $out/usr/lib/wechat-uos/license/
runHook postInstall
'';
meta = with lib; {
description = "Messaging app";
homepage = "https://weixin.qq.com/";
license = licenses.unfree;
platforms = [ "x86_64-linux" "aarch64-linux" "loongarch64-linux" ];
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
maintainers = with maintainers; [ pokon548 ];
mainProgram = "wechat-uos";
};
};
in
buildFHSEnv {
inherit (wechat) name meta;
runScript = writeShellScript "wechat-uos-launcher" ''
export QT_QPA_PLATFORM=xcb
export LD_LIBRARY_PATH=${lib.makeLibraryPath wechat-uos-runtime}
${wechat.outPath}/opt/apps/com.tencent.wechat/files/wechat
'';
extraInstallCommands = ''
mkdir -p $out/share/applications
mkdir -p $out/share/icons
cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/applications/com.tencent.wechat.desktop $out/share/applications
cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/icons/* $out/share/icons/
mv $out/bin/$name $out/bin/wechat-uos
substituteInPlace $out/share/applications/com.tencent.wechat.desktop \
--replace-quiet 'Exec=/usr/bin/wechat' "Exec=$out/bin/wechat-uos --"
'';
targetPkgs = pkgs: [ wechat-uos-env ];
extraOutputsToInstall = [ "usr" "var/lib/uos" "var/uos" "etc" ];
}