
1 commit

Author SHA1 Message Date
7796baa7e5
host/home: add radicale calendar 2024-05-22 22:12:33 +03:00
159 changed files with 807 additions and 3141 deletions

Binary file not shown.

2
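--- a/.envrc
+++ b/.envrc
@@ -0,0 +1,2 @@
+# nix
+use flake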


@ -1,4 +1,5 @@
NIX := nix --experimental-features "nix-command flakes"
NIX_RUN := nix run .\#
NIX_LOCK := nix flake lock
DEPS_EDITOR := \
nixeovim
@ -14,11 +15,10 @@ DEPS_SYSTEM := \
MACHINES := \
home \
asus-gl553vd \
macbook-pro
asus-gl553vd
VPS := \
amstel \
istal \
tatos
.PHONY: help
@ -32,13 +32,13 @@ help:
define machine_rule
.PHONY: $(1)
$(1): ;
# systemctl --user reset-failed
sudo $(NIX) run -L $(NIX_ARGS) .#switch/$(1) -- $(BUILD_ARGS)
systemctl --user reset-failed
sudo nix run $(NIX_ARGS) .#switch/$(1) -- $(BUILD_ARGS)
endef
define vps_rule
.PHONY: $(1)
$(1): ; $(NIX) run -L .#deploy/$(1) -- $(BUILD_ARGS)
$(1): ; nix run .#deploy/$(1) -- $(BUILD_ARGS)
endef
@ -47,7 +47,7 @@ $(foreach vps,$(VPS),$(eval $(call vps_rule,$(vps))))
.PHONY: rollback
rollback:
sudo nixos-rebuild switch --rollback
sudo nixos-rebuild --rollback
################################################################################
# Editor
@ -55,24 +55,24 @@ rollback:
.PHONY: neovim
neovim:
$(NIX) profile upgrade $(or $(NEOVIM_INDEX),$(shell $(NIX) profile list --json | jq '.elements | to_entries[] | select(.value.attrPath | endswith(".neovim-dev")) | .key'))
nix profile upgrade $(or $(NEOVIM_INDEX),$(shell nix profile list --json | jq '.elements | to_entries[] | select(.value.attrPath | endswith(".neovim-dev")) | .key'))
.PHONY: install/neovim
install/neovim:
$(NIX) profile install .#neovim-dev
.PHONY: init-neovim
init-neovim:
nix profile install .#neovim-dev
################################################################################
# Deps
################################################################################
.PHONY: deps/editor
deps/editor:
$(NIX) flake update $(DEPS_EDITOR)
.PHONY: deps-editor
deps-editor:
$(NIX_LOCK) $(foreach dep,$(DEPS_EDITOR),--update-input $(dep))
.PHONY: deps/system
deps/system:
$(NIX) flake update $(DEPS_SYSTEM)
.PHONY: deps-system
deps-system:
$(NIX_LOCK) $(foreach dep,$(DEPS_SYSTEM),--update-input $(dep))
.PHONY: deps
deps: deps/editor deps/system ;
deps: deps-editor deps-system ;
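Review bot: The `rollback` recipe on the new side runs `sudo nixos-rebuild --rollback` with no action; nixos-rebuild expects an action such as `switch` or `boot`, so as far as I can tell this prints usage instead of rolling back, and the recovery target fails exactly when it is needed. Keep the action: `sudo nixos-rebuild switch --rollback`. The rendering has lost the +/- markers, so this reads the second of the two printed recipe lines as the new side, which matches the other hunks where `$(NIX)` is replaced by plain `nix`. Separately, `machine_rule` runs the whole `nix run` under `sudo`, so flake evaluation and the build execute as root rather than only the activation step; a comment saying why that is required would help.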


@ -1,63 +0,0 @@
{ device, memSize ? 1024 * 5, swapSize ? "10G" }:
{
disko = {
inherit memSize;
devices = {
disk = {
main = {
type = "disk";
inherit device;
content = {
type = "gpt";
partitions = {
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
priority = 1;
};
cryptoroot = {
size = "100%";
content = {
type = "luks";
name = "luksroot";
settings.allowDiscards = true;
passwordFile = "/tmp/secret.key";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
subvolumes = {
root = {
mountpoint = "/";
mountOptions = [ "compress=zstd" ];
};
persistent = {
mountpoint = "/persistent";
mountOptions = [ "compress=zstd" "noatime" ];
};
nix = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" ];
};
swap = {
mountpoint = "/.swapvol";
mountOptions = [ "noatime" ];
swap.swapfile.size = swapSize;
};
};
};
};
};
};
};
};
};
};
};
}

229
flake.lock generated

@ -10,11 +10,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1736955230,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
"lastModified": 1715290355,
"narHash": "sha256-2T7CHTqBXJJ3ZC6R/4TXTcKoXWHcvubKNj9SfomURnw=",
"owner": "ryantm",
"repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
"rev": "8d37c5bdeade12b6479c85acd133063ab53187a0",
"type": "github"
},
"original": {
@ -23,26 +23,6 @@
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1740485968,
"narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
"owner": "nix-community",
"repo": "disko",
"rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"firefox-addons": {
"inputs": {
"flake-utils": "flake-utils",
@ -50,11 +30,11 @@
},
"locked": {
"dir": "repos/rycee/pkgs/firefox-addons",
"lastModified": 1738158299,
"narHash": "sha256-uPAqPb7ex89ujbjZDehBrRE9syTUpn21/E13uwERnK8=",
"lastModified": 1713127732,
"narHash": "sha256-07prd+in1ZUcxETxPyWtFjl7xPKwlXzk9a47Q3RnHXU=",
"owner": "nix-community",
"repo": "nur-combined",
"rev": "45a21d362e2d0d9f4c552de39f63faa7d1f515f2",
"rev": "6edb2a1a43dbd2f8b32876268a530ce82c64013f",
"type": "github"
},
"original": {
@ -70,11 +50,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"lastModified": 1714641030,
"narHash": "sha256-yzcRNDoyVP7+SCNX0wmuDju1NUCt8Dz9+lyUXEI0dbI=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"rev": "e5d10a24b66c3ea8f150e47dfdb0416ab7c3390e",
"type": "github"
},
"original": {
@ -99,15 +79,48 @@
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
@ -118,11 +131,11 @@
},
"hardware": {
"locked": {
"lastModified": 1739798439,
"narHash": "sha256-GyipmjbbQEaosel/+wq1xihCKbv0/e1LU00x/8b/fP4=",
"lastModified": 1716173274,
"narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "3e2ea8a49d4d76276b0f4e2041df8ca5c0771371",
"rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
"type": "github"
},
"original": {
@ -160,11 +173,11 @@
]
},
"locked": {
"lastModified": 1738145391,
"narHash": "sha256-/9mfbWYN9HDQbKa2HdAe2T5e3FfY8e4eqc1FIvAyvLg=",
"lastModified": 1713818326,
"narHash": "sha256-aw3xbVPJauLk/bbrlakIYxKpeuMWzA2feGrkIpIuXd8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "1b4f2a48168b3d90e11365552d1e7e601a4be6b6",
"rev": "67de98ae6eed5ad6f91b1142356d71a87ba97f21",
"type": "github"
},
"original": {
@ -181,35 +194,20 @@
]
},
"locked": {
"lastModified": 1739757849,
"narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
"lastModified": 1715381426,
"narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
"rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.11",
"ref": "release-23.11",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1737831083,
"narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"lan-mouse": {
"inputs": {
"nixpkgs": [
@ -218,11 +216,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1737993085,
"narHash": "sha256-BlDrlzhQqRZH0Z6WRWxc2qi6L0NFthuAM8enQbGYcw0=",
"lastModified": 1713168888,
"narHash": "sha256-pNd6KbkLlZtXKQvHWYwQB/Wbqa7lQYVffpSq5uWJqzQ=",
"owner": "feschber",
"repo": "lan-mouse",
"rev": "3e1c3e95b73a26554154b0bf7387912e258ac74a",
"rev": "36855a1a1767f4a777bad580d5a76fec1be5d9d1",
"type": "github"
},
"original": {
@ -242,11 +240,11 @@
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1732053863,
"narHash": "sha256-DCIVdlb81Fct2uwzbtnawLBC/U03U2hqx8trqTJB7WA=",
"lastModified": 1714571717,
"narHash": "sha256-o4tqlTzi9kcVub167kTGXgCac9jM3kW4+v9MH/ue4Hk=",
"owner": "oxalica",
"repo": "nil",
"rev": "2e24c9834e3bb5aa2a3701d3713b43a6fb106362",
"rev": "2f3ed6348bbf1440fcd1ab0411271497a0fbbfa4",
"type": "github"
},
"original": {
@ -255,27 +253,6 @@
"type": "github"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1741126078,
"narHash": "sha256-ng0a4cIq3c9E3iGKomlwqKzVYs2RLOzQho2U1Mc2sqU=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "c172f50b55b087f8e7801631de977461603bb976",
"type": "github"
},
"original": {
"owner": "LnL7",
"ref": "nix-darwin-24.11",
"repo": "nix-darwin",
"type": "github"
}
},
"nix2lua": {
"locked": {
"lastModified": 1716215210,
@ -302,11 +279,11 @@
]
},
"locked": {
"lastModified": 1735910408,
"narHash": "sha256-T2bMhG6Lc1gbhs4czCltGSPPmOUSYEHsIJfq9Lq0HaM=",
"lastModified": 1716244689,
"narHash": "sha256-tFsMxZcbg8WAmNmmL/WxFjp4wgCK2XzTDkM5PNZqCZQ=",
"ref": "refs/heads/main",
"rev": "94549da249ff14b7e786da5abf9009050c70fc54",
"revCount": 96,
"rev": "881339ef7077b5c1d07041a0024575a4170c0174",
"revCount": 83,
"type": "git",
"url": "https://git.pleshevski.ru/pleshevskiy/nixeovim"
},
@ -333,23 +310,23 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1727825735,
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
"lastModified": 1714640452,
"narHash": "sha256-QBx10+k6JWz6u7VsohfSw8g8hjdBZEf8CFzXH1/1Z94=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/50eb7ecf4cd0a5756d7275c8ba36790e5bd53e33.tar.gz"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1742800061,
"narHash": "sha256-oDJGK1UMArK52vcW9S5S2apeec4rbfNELgc50LqiPNs=",
"lastModified": 1716128955,
"narHash": "sha256-3DNg/PV+X2V7yn8b/fUR2ppakw7D9N4sjVBGk6nDwII=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1750f3c1c89488e2ffdd47cab9d05454dddfb734",
"rev": "f9256de8281f2ccd04985ac5c30d8f69aefadbe8",
"type": "github"
},
"original": {
@ -361,27 +338,27 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1739758141,
"narHash": "sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE=",
"lastModified": 1716061101,
"narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c618e28f70257593de75a7044438efc1c1fc0791",
"rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1728538411,
"narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=",
"lastModified": 1706487304,
"narHash": "sha256-LE8lVX28MV2jWJsidW13D2qrHU/RUUONendL2Q/WlJg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221",
"rev": "90f456026d284c22b3e3497be980b2e47d0b28ac",
"type": "github"
},
"original": {
@ -394,16 +371,13 @@
"root": {
"inputs": {
"agenix": "agenix",
"disko": "disko",
"firefox-addons": "firefox-addons",
"flake-utils": "flake-utils_2",
"hardware": "hardware",
"home-manager": "home-manager_2",
"home-manager-unstable": "home-manager-unstable",
"impermanence": "impermanence",
"lan-mouse": "lan-mouse",
"nil": "nil",
"nix-darwin": "nix-darwin",
"nixeovim": "nixeovim",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
@ -412,17 +386,18 @@
},
"rust-overlay": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": [
"lan-mouse",
"nixpkgs"
]
},
"locked": {
"lastModified": 1728181869,
"narHash": "sha256-sQXHXsjIcGEoIHkB+RO6BZdrPfB+43V1TEpyoWRI3ww=",
"lastModified": 1710987136,
"narHash": "sha256-Q8GRdlAIKZ8tJUXrbcRO1pA33AdoPfTUirsSnmGQnOU=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "cd46aa3906c14790ef5cbe278d9e54f2c38f95c0",
"rev": "97596b54ac34ad8184ca1eef44b1ec2e5c2b5f9e",
"type": "github"
},
"original": {
@ -433,17 +408,21 @@
},
"rust-overlay_2": {
"inputs": {
"flake-utils": [
"nil",
"flake-utils"
],
"nixpkgs": [
"nil",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731983527,
"narHash": "sha256-JECaBgC0pQ91Hq3W4unH6K9to8s2Zl2sPNu7bLOv4ek=",
"lastModified": 1714529851,
"narHash": "sha256-YMKJW880f7LHXVRzu93xa6Ek+QLECIu0IRQbXbzZe38=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "71287228d96e9568e1e70c6bbfa3f992d145947b",
"rev": "9ca720fdcf7865385ae3b93ecdf65f1a64cb475e",
"type": "github"
},
"original": {
@ -454,14 +433,15 @@
},
"rust-overlay_3": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1730341826,
"narHash": "sha256-RFaeY7EWzXOmAL2IQEACbnrEza3TgD5UQApHR4hGHhY=",
"lastModified": 1715393623,
"narHash": "sha256-nSUFcUqyTQQ/aYFIB05mpCzytcKvfKMy3ZQAe0fP26A=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "815d1b3ee71716fc91a7bd149801e1f04d45fbc5",
"rev": "8eb8671512cb0c72c748058506e50c54fb5d8e2b",
"type": "github"
},
"original": {
@ -500,6 +480,21 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"wired": {
"inputs": {
"flake-parts": "flake-parts",
@ -509,11 +504,11 @@
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1730615238,
"narHash": "sha256-u/ZGtyEUvAkFOBgLo2YldOx0GKjE3/esWpWruRD376E=",
"lastModified": 1715552757,
"narHash": "sha256-ZOgCSIcdvG8+RcZCXSAEmb/LZ2Ap9wU4nvbxNDA+QN0=",
"owner": "Toqozz",
"repo": "wired-notify",
"rev": "1632418aa15889343028261663e81d8b5595860e",
"rev": "18b44306b2636fc7f238a9d946c7b8aac217122d",
"type": "github"
},
"original": {

190
flake.nix

@ -1,14 +1,9 @@
{
inputs = {
flake-utils.url = "github:numtide/flake-utils";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
hardware.url = "github:NixOS/nixos-hardware/master";
impermanence.url = "github:nix-community/impermanence";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
firefox-addons.url = "github:nix-community/nur-combined/master?dir=repos/rycee/pkgs/firefox-addons";
@ -19,7 +14,7 @@
};
home-manager = {
url = "github:nix-community/home-manager/release-24.11";
url = "github:nix-community/home-manager/release-23.11";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager-unstable = {
@ -27,11 +22,6 @@
inputs.nixpkgs.follows = "nixpkgs";
};
nix-darwin = {
url = "github:LnL7/nix-darwin/nix-darwin-24.11";
inputs.nixpkgs.follows = "nixpkgs";
};
wired = {
url = "github:Toqozz/wired-notify";
inputs.nixpkgs.follows = "nixpkgs";
@ -58,86 +48,17 @@
};
outputs = { self, flake-utils, nixpkgs, nixeovim, ... } @ inputs:
let
inherit (nixpkgs) lib;
inherit (flake-utils.lib) eachSystem;
inherit (flake-utils.lib.system) x86_64-linux x86_64-darwin;
hosts = (import ./hosts inputs);
linuxMachines = lib.filterAttrs
(hostname: { system, ... }: system == x86_64-linux)
hosts;
darwinMachines = lib.filterAttrs
(hostname: { system, ... }: system == x86_64-darwin)
hosts;
baseSpecialArgs = {
inherit inputs;
globalData = import ./data.nix;
usersPath = ./users;
hostsPath = ./hosts;
packagesPath = ./packages;
sharedPath = ./shared;
};
mkDeploymentModule = { targetHost, system, ... }: ({ lib, ... }: {
options.deployment = with lib; {
system = mkOption {
type = types.str;
readOnly = true;
internal = true;
};
targetHost = mkOption {
type = types.nullOr types.str;
readOnly = true;
internal = true;
};
};
config.deployment = { inherit targetHost system; };
});
baseHomeManagerModule = ({ ... }: {
home-manager.backupFileExtension = "backup";
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = baseSpecialArgs;
home-manager.sharedModules = [
{
imports = [
./modules/home-manager
inputs.wired.homeManagerModules.default
inputs.lan-mouse.homeManagerModules.default
];
}
];
});
baseDarwinModule = system: ({ ... }: {
system.stateVersion = 5;
system.configurationRevision = self.rev or self.dirtyRev or null;
nixpkgs.hostPlatform = system;
});
in
eachSystem [ x86_64-linux x86_64-darwin ]
let inherit (flake-utils.lib) eachSystem system; in
eachSystem [ system.x86_64-linux ]
(system:
let
pkgs = import nixpkgs { inherit system; };
machineRebuild = machine:
if machine.config.deployment.system == x86_64-linux
then pkgs.nixos-rebuild
else inputs.nix-darwin.packages.${x86_64-darwin}.darwin-rebuild;
inherit (pkgs) lib nixos-rebuild;
nixeovimPackage = config: nixeovim.lib.mkNixeovimPackage { inherit system config; };
localMachines = lib.filterAttrs
(h: m: m.config.deployment.targetHost == null)
(self.nixosConfigurations // self.darwinConfigurations);
vpsMachines = lib.filterAttrs
(h: m: m.config.deployment.targetHost != null)
self.nixosConfigurations;
localMachines = lib.filterAttrs (h: m: m.config.deployment.targetHost == null) self.nixosConfigurations;
vpsMachines = lib.filterAttrs (h: m: m.config.deployment.targetHost != null) self.nixosConfigurations;
in
{
packages = {
@ -149,20 +70,21 @@
(flake-utils.lib.flattenTree {
deploy = lib.recurseIntoAttrs (lib.mapAttrs
(hostname: machine: pkgs.writeShellScript "deploy/${hostname}" ''
${lib.getExe (machineRebuild machine)} switch \
${nixos-rebuild}/bin/nixos-rebuild switch \
--flake .#${hostname} \
${lib.optionalString (system != machine.config.deployment.system) "--build-host root@${machine.config.deployment.targetHost}"} \
--target-host root@${machine.config.deployment.targetHost} \
$@
'')
vpsMachines);
switch = lib.recurseIntoAttrs (lib.mapAttrs
(hostname: machine:
pkgs.writeShellScript "switch/${hostname}" ''
set -e
${lib.getExe (machineRebuild machine)} switch --flake .#${hostname} $@
'')
(hostname: machine: pkgs.writeShellScript "switch/${hostname}" ''
set -e
${nixos-rebuild}/bin/nixos-rebuild switch --flake .#${hostname} $@
${lib.optionalString machine.config.hardware.pulseaudio.systemWide ''
systemctl restart pulseaudio.service
''}
'')
localMachines);
});
@ -177,11 +99,6 @@
# Path to the agenix configuration file
RULES = "./.agenix_config.nix";
};
disk = pkgs.mkShell {
packages = [
inputs.disko.packages.${system}.disko
];
};
tools = pkgs.mkShell {
packages = with pkgs; [
mkpasswd
@ -193,7 +110,7 @@
})
// {
nixosConfigurations =
lib.mapAttrs
nixpkgs.lib.mapAttrs
(hostname: { system
, specialArgs ? { }
, extraModules ? [ ]
@ -203,53 +120,54 @@
nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = baseSpecialArgs // specialArgs;
specialArgs = {
inherit inputs;
globalData = import ./data.nix;
usersPath = ./users;
hostsPath = ./hosts;
packagesPath = ./packages;
} // specialArgs;
modules =
(with inputs; [
agenix.nixosModules.default
home-manager.nixosModules.default
disko.nixosModules.disko
impermanence.nixosModules.impermanence
home-manager.nixosModule
])
++ [
(mkDeploymentModule { inherit system targetHost; })
baseHomeManagerModule
# deployment settings
({ lib, ... }: {
options.deployment = with lib; {
targetHost = mkOption {
type = types.nullOr types.str;
readOnly = true;
internal = true;
};
};
config.deployment = { inherit targetHost; };
})
# base home manager settings
({ ... }: {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = {
packagesPath = ./packages;
};
home-manager.sharedModules = [
{
imports = [
./modules/home-manager
inputs.wired.homeManagerModules.default
inputs.lan-mouse.homeManagerModules.default
"${inputs.home-manager-unstable}/modules/services/window-managers/river.nix"
];
}
];
})
]
++ extraModules
++ [ ./modules/nixos ]
++ [ ./hosts/${hostname}/configuration.nix ];
})
linuxMachines;
darwinConfigurations =
lib.mapAttrs
(hostname: { system
, specialArgs ? { }
, extraModules ? [ ]
, targetHost ? null
}:
inputs.nix-darwin.lib.darwinSystem {
specialArgs = baseSpecialArgs // specialArgs;
modules =
(with inputs; [
agenix.darwinModules.default
home-manager.darwinModules.default
])
++ [
(baseDarwinModule system)
(mkDeploymentModule { inherit system targetHost; })
baseHomeManagerModule
]
++ extraModules
++ [ ./hosts/${hostname}/configuration.nix ];
})
darwinMachines;
diskoConfigurations = {
asus-gl553vd = import ./hosts/asus-gl553vd/disk-config.nix;
home = import ./hosts/home/disk-config.nix;
};
(import ./hosts inputs);
};
}
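Review bot: Both generated scripts forward their arguments as a bare `$@` (the `deploy/${hostname}` script and the `switch/${hostname}` script), so an argument containing spaces or glob characters is re-split by the shell before it reaches `nixos-rebuild`; the Makefile runs the switch script under `sudo`, which makes predictable argument handling more important. Quote it in both places: `"$@"`. The deploy script also lacks the `set -e` that the switch script has; it is a single command today, but adding `set -e` keeps the two consistent if a second step is ever appended, as happened with the `systemctl restart pulseaudio.service` line in the switch script.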

Binary file not shown.


@ -1,15 +0,0 @@
{ ... }:
{
imports = [
./generated.nix
./networking.secret.nix
];
swapDevices = [
{
device = "/var/lib/swapfile";
size = 2 * 1024;
}
];
}


@ -1,10 +0,0 @@
{
imports = [
./forgejo-runners
./wireguard
# ./docker-registry-proxy.nix
./nginx.nix
./renovate.nix
./prometheus.nix
];
}


@ -1,20 +0,0 @@
{...}:
{
services.dockerRegistry = {
enable = true;
enableGarbageCollect = true;
extraConfig = {
proxy.remoteurl = "https://registry-1.docker.io";
};
};
services.nginx = {
upstreams.docker-hub-registry.servers."localhost:5000" = { };
virtualHosts."docker-hub.pleshevski.ru" = {
enableACME = true;
forceSSL = true;
locations."/v2/".proxyPass = "http://docker-hub-registry";
};
};
}


@ -1,37 +0,0 @@
{ config, pkgs, ... }:
let
NODE_OPTIONS = "--max_old_space_size=4096";
in
{
age.secrets.forgejo-runner-token-istal-docker.file = ./forgejo-runner-token-istal-docker.age;
virtualisation.docker.enable = true;
systemd.services.docker.serviceConfig = {
CPUQuota = "50%"; # Ограничение для всего Docker демона?
};
services.gitea-actions-runner = {
package = pkgs.unstable.forgejo-runner;
instances = {
amstel-docker = {
enable = true;
name = "amstel-docker";
url = "https://git.pleshevski.ru";
labels = [
"docker:docker://node:20-bullseye"
"ubuntu-22.04:docker://node:20-bullseye"
];
tokenFile = config.age.secrets.forgejo-runner-token-istal-docker.path;
settings = {
runner = {
envs = { inherit NODE_OPTIONS; };
timeout = "1h";
};
};
};
};
};
}


@ -1,41 +0,0 @@
{ ... }:
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "dmitriy@pleshevski.ru";
};
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
};
}


@ -1,5 +0,0 @@
{ sharedPath, ... }:
{
imports = [ (sharedPath + "/prometheus/node.nix") ];
}


@ -1,57 +0,0 @@
{ config, pkgs, ... }:
{
age.secrets.renovate-gitea-token.file = ./renovate-gitea-token.age;
age.secrets.renovate-github-token.file = ./renovate-github-token.age;
systemd.services.renovate-clear-cache = {
script = ''
set -eu
${pkgs.coreutils}/bin/rm -rf /var/cache/private/renovate /var/lib/renovate
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
startAt = "3:00";
};
services.renovate = {
enable = true;
package = pkgs.unstable.renovate;
schedule = "0..2,10..23:00";
credentials = {
RENOVATE_TOKEN = config.age.secrets.renovate-gitea-token.path;
GITHUB_COM_TOKEN = config.age.secrets.renovate-github-token.path;
};
runtimePackages = with pkgs.unstable; [
pnpm_9
python312
poetry
gnumake
cargo
];
settings = {
platform = "gitea";
endpoint = "https://git.pleshevski.ru";
assignees = [ "pleshevskiy" ];
autodiscover = true;
automergeStrategy = "fast-forward";
onboardingConfig = {
"$schema" = "https://docs.renovatebot.com/renovate-schema.json";
};
globalExtends = [
"npm:unpublishSafe"
"config:best-practices"
":configMigration"
":automergeMinor"
":automergeRequireAllStatusChecks"
];
cacheHardTtlMinutes = 30;
httpCacheTtlDays = 1;
};
};
# systemd.services.renovate.environment.LOG_LEVEL = "debug";
}


@ -1,10 +1,13 @@
{ ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader = {
timeout = 1;
systemd-boot = {
enable = true;
configurationLimit = 20;
configurationLimit = 10;
};
efi.canTouchEfiVariables = true;
};
}


@ -1,7 +1,8 @@
{ ... }:
{
imports = [
./boot.nix
./imp.nix
./networking.nix
./wireguard
];


@ -1,76 +0,0 @@
{ config, lib, ... }:
{
# A setup which would clean root subvolume between boots remove automatically removed roots that
# are older than one day:
#
# Source: https://github.com/nix-community/impermanence
boot.initrd.postDeviceCommands = lib.mkAfter ''
mkdir /btrfs_tmp
mount /dev/mapper/luksroot /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
delete_subvolume_recursively() {
IFS=$'\n'
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +1); do
delete_subvolume_recursively "$i"
done
echo 1 | tee /btrfs_tmp/root/sys/class/leds/asus\:\:kbd_backlight/brightness
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
rm -r /btrfs_tmp
'';
age.identityPaths = map (v: "/persistent/system/etc/ssh/${v}") [
"ssh_host_rsa_key"
"ssh_host_ed25519_key"
];
environment.persistence = {
"/persistent/system" = {
hideMounts = true;
directories = [
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
];
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
];
};
"/persistent/docker" = lib.mkIf config.virtualisation.docker.enable {
hideMounts = true;
directories = map (v: "/var/lib/docker/${v}") [
"containers"
"volumes"
"image"
"overlay2"
"network"
];
files = [ "/var/lib/docker/engine-id" ];
};
"/presistent/ollama" = lib.mkIf config.services.ollama.enable {
hideMounts = true;
directories = [
"/var/lib/private/ollama"
];
};
};
}


@ -1,10 +1,13 @@
{ ... }:
{
networking = {
hostName = "laptop"; # Define your hostname.
networkmanager.enable = true;
useDHCP = false;
interfaces.wlp2s0.useDHCP = true;
firewall.allowedTCPPortRanges = [
{ from = 33000; to = 33999; }
];
};
}
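Review bot: `firewall.allowedTCPPortRanges` opens TCP 33000–33999 on every interface, and this host joins networks through NetworkManager with DHCP on `wlp2s0`, so anything listening in that range is reachable from whatever Wi-Fi network the laptop is attached to. If the range is only needed from a trusted network, scope it per interface with `networking.firewall.interfaces.<name>.allowedTCPPortRanges`, or narrow it to the ports actually in use. At minimum add a comment above the block naming the services that need it, e.g. `# <service>: listens in 33000-33999, reachable from <network>`. The file path is not shown on the page and the +/- markers are lost, so this assumes the three firewall lines are on the new side, which the `+1,13` count suggests.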


@ -1,18 +1,13 @@
{ pkgs, ... }:
{ globalData, ... }:
{
imports = [
./hardware-configuration
./configs
./users
./services
];
local.yubikey = {
enable = false;
serial = "28058247";
unplug.enable = true;
};
local.yubikey.enable = true;
################################################################################
# Services
@ -27,33 +22,12 @@
################################################################################
# Programs
################################################################################
services.ollama = {
local.programs.browsers.tor-browser = {
enable = true;
package = pkgs.unstable.ollama;
};
services.plantuml-server = {
enable = true;
package = pkgs.unstable.plantuml-server;
listenPort = 33050;
};
# Fix boot issue
containers.telegram.bindMounts."/dev/dri/card1" = { };
local.programs.communication = {
telegram = {
container = {
enable = true;
package = pkgs.unstable.tdesktop;
};
simplex-chat = {
enable = true;
package = pkgs.unstable.simplex-chat-desktop;
openFirewall = true;
externalInterface = "wg0";
sshAuthorizedKeys = globalData.publicKeys.users.jan;
};
};
environment.shellInit = ''
[ -n "$DISPLAY" ] && ${pkgs.xorg.xhost}/bin/xhost +local: > /dev/null || true
'';
}
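Review bot: The `local.programs.browsers.tor-browser` container block sets `openFirewall = true`, `externalInterface = "wg0"` and `sshAuthorizedKeys` with no comment on what ends up exposed. The `local.*` module is outside this page, so presumably it opens an SSH port for the container; please confirm which port and on which interfaces, and record it above the block, e.g. `# openFirewall exposes <port> on <interface> for SSH into the container`. The +/- markers are lost here, so this assumes these lines are on the new side because they use the `globalData` argument introduced in the second printed header line.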


@ -1,3 +0,0 @@
import ../../disko/luks-btrfs.nix {
device = "/dev/disk/by-id/nvme-NE-256_2280_0015167003217";
}


@ -1,7 +1,16 @@
{ ... }:
{
imports = [
./generated.nix # Include the results of the hardware scan.
./manual.nix
# Include the results of the hardware scan.
imports = [ ./generated.nix ];
# Enable keyboard on the boot
boot.initrd.availableKernelModules = [ "hid_asus" ];
boot.kernelModules = [
# Enable containers
# See: https://github.com/NixOS/nixpkgs/issues/38676
"veth"
];
@ -20,7 +29,7 @@
};
# configure mouse and touchpad
services.libinput = {
services.xserver.libinput = {
enable = true;
touchpad = {
accelSpeed = "0.5";
@ -30,11 +39,6 @@
hardware.bluetooth.enable = true;
hardware.graphics = {
enable = true;
enable32Bit = true;
};
services.logind.extraConfig = ''
# dont shutdown when power button is short-pressed
HandlePowerKey=ignore


@ -1,56 +1,36 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
kernelModules = [ ];
};
boot.initrd = {
availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
kernelModules = [ ];
luks.devices."luksroot".device = "/dev/disk/by-uuid/eb896c1c-f012-412e-86bd-48f663377129";
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
fsType = "btrfs";
options = [ "subvol=root" "compress=zstd" ];
};
"/persistent" = {
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
fsType = "btrfs";
options = [ "subvol=persistent" "compress=zstd" ];
neededForBoot = true;
};
"/nix" = {
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
fsType = "btrfs";
options = [ "subvol=nix" "compress=zstd" "noatime" ];
};
"/.swapvol" = {
device = "/dev/disk/by-uuid/45a33b08-0a15-4b47-9d8a-c58b7d62066a";
fsType = "btrfs";
options = [ "subvol=swap" "noatime" ];
device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/94EE-CA0D";
device = "/dev/disk/by-uuid/499C-4EBD";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
};
swapDevices = [{ device = "/.swapvol/swapfile"; }];
swapDevices = [{ device = "/dev/disk/by-uuid/fa457df9-cd48-4c81-90cb-a511a7689988"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
@ -60,6 +40,6 @@
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,24 +0,0 @@
{ ... }:
{
boot.kernelModules = [
# Enable containers
# See: https://github.com/NixOS/nixpkgs/issues/38676
"veth"
];
# Enable keyboard on the boot
boot.initrd.availableKernelModules = [ "hid_asus" ];
boot.blacklistedKernelModules = [ "nouveau" ];
fileSystems."/home/jan" = {
device = "/dev/disk/by-uuid/e6c0cbba-7000-4b1e-ba53-e7b5f8ae11c0";
fsType = "ext4";
options = [
"defaults"
"X-mount.subdir=home/jan"
"X-mount.mkdir"
];
};
}


@ -1,3 +0,0 @@
{
imports = [ ./forgejo-runners ];
}


@ -1,33 +0,0 @@
{ config, pkgs, ... }:
let
NODE_OPTIONS = "--max_old_space_size=8192";
in
{
age.secrets.forgejo-runner-token-asus-docker.file = ./forgejo-runner-token-asus-docker.age;
virtualisation.docker.enable = true;
services.gitea-actions-runner = {
package = pkgs.unstable.forgejo-runner;
instances = {
asus-gl554vd-docker = {
enable = true;
name = "asus-gl554vd-docker";
url = "https://git.pleshevski.ru";
labels = [
"docker:docker://node:20-bullseye"
"ubuntu-22.04:docker://node:20-bullseye"
];
tokenFile = config.age.secrets.forgejo-runner-token-asus-docker.path;
settings = {
runner = {
envs = { inherit NODE_OPTIONS; };
timeout = "1h";
};
};
};
};
};
}


@ -1,4 +1,4 @@
{ hostsPath, usersPath, lib, ... }:
{ hostsPath, usersPath, ... }:
let
asusData = import (hostsPath + "/asus-gl553vd/data.secret.nix");
@ -12,6 +12,8 @@ in
xmonad.projects = import ./xmonad-projects.secret.nix;
};
local.programs.dev-tools.k8s.enable = true;
local.programs.libreoffice.enable = true;
local.services.lan-mouse.settings = {


@ -2,11 +2,10 @@
let
hardware = inputs.hardware.nixosModules;
inherit (inputs.flake-utils.lib.system) x86_64-linux x86_64-darwin;
in
{
home = {
system = x86_64-linux;
system = "x86_64-linux";
extraModules = [
hardware.common-gpu-amd
@ -16,7 +15,7 @@ in
};
asus-gl553vd = {
system = x86_64-linux;
system = "x86_64-linux";
extraModules = [
hardware.common-cpu-intel
@ -25,26 +24,18 @@ in
];
};
macbook-pro = {
system = x86_64-darwin;
extraModules = [
# ./networking.secret.nix
];
};
amstel = {
system = x86_64-linux;
istal = {
system = "x86_64-linux";
extraModules = [
../modules/vps.nix
];
targetHost = (import ./amstel/data.secret.nix).addr;
targetHost = (import ./istal/data.secret.nix).addr;
};
tatos = {
system = x86_64-linux;
system = "x86_64-linux";
extraModules = [
../modules/vps.nix


@ -2,23 +2,20 @@
let
buildToolsVersion = "33.0.2";
androidComposition = pkgs.unstable.androidenv.composeAndroidPackages {
platformToolsVersion = "35.0.2";
buildToolsVersions = [
"33.0.2"
"34.0.0"
"35.0.1"
];
includeEmulator = true;
emulatorVersion = "35.3.11";
platformVersions = [ "29" "33" "34" ];
platformToolsVersion = "34.0.5";
buildToolsVersions = [ buildToolsVersion ];
includeEmulator = false;
emulatorVersion = "34.1.9";
platformVersions = [ "29" "30" "33" ];
includeSources = false;
includeSystemImages = true;
includeSystemImages = false;
systemImageTypes = [ "google_apis_playstore" ];
abiVersions = [ "armeabi-v7a" "arm64-v8a" ];
cmakeVersions = [ "3.10.2" ];
includeNDK = true;
ndkVersions = [ "27.0.12077973" ];
ndkVersions = [ "23.2.8568313" ];
useGoogleAPIs = false;
useGoogleTVAddOns = false;
includeExtras = [
@ -39,11 +36,6 @@ in
nixpkgs.config.android_sdk.accept_license = true;
environment.systemPackages = [
pkgs.unstable.androidenv.androidPkgs.platform-tools
(pkgs.unstable.android-studio.withSdk androidComposition.androidsdk)
];
environment.variables = rec {
ANDROID_SDK_ROOT = "${androidComposition.androidsdk}/libexec/android-sdk";
ANDROID_NDK_ROOT = "${ANDROID_SDK_ROOT}/ndk-bundle";
@ -53,7 +45,6 @@ in
# JAVA_HOME = pkgs.jdk17.home;
};
services.udev.extraRules = ''
SUBSYSTEM=="usb", ATTR{idVendor}=="12d1", MODE="0666", GROUP="plugdev"
'';
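Review bot: The udev rule in the last hunk sets `MODE="0666"`, which makes the matched USB device nodes readable and writable by every local account and leaves `GROUP="plugdev"` with no effect. As far as the rendered hunk shows, the line is carried over unchanged rather than added by this change. Restricting it to the group with `SUBSYSTEM=="usb", ATTR{idVendor}=="12d1", MODE="0660", GROUP="plugdev"`, or tagging the device with `TAG+="uaccess"` for the user on the active seat, keeps adb access without opening the device to all users.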


@ -5,11 +5,11 @@
services = {
avahi = {
enable = false;
nssmdns4 = true;
enable = true;
nssmdns = true;
};
printing = {
enable = false;
enable = true;
drivers = with pkgs; [ gutenprint cnijfilter2 ];
};
};


@ -1,153 +1,63 @@
{ config, lib, pkgs, ... }:
{ globalData, ... }:
{
imports = [
./hardware-configuration
./configs
./users
./services
];
local.yubikey.enable = true;
services.radicale = {
enable = true;
settings = {
auth = {
# htpasswd -B -c /etc/radicale/users
type = "htpasswd";
htpasswd_filename = "/etc/radicale/users";
htpasswd_encryption = "bcrypt";
};
};
rights = {
root = {
user = ".+";
collection = "";
permissions = "R";
};
principal = {
user = ".+";
collection = "{user}";
permissions = "RW";
};
calendars = {
user = ".+";
collection = "{user}/[^/]+";
permissions = "rw";
};
};
};
################################################################################
# Programs
################################################################################
local.programs.browsers.tor-browser = {
enable = true;
container = {
enable = true;
externalInterface = "wg0";
sshAuthorizedKeys = globalData.publicKeys.users.jan;
};
};
################################################################################
# Services
################################################################################
local.services.byedpi = {
enable = true;
settings = {
ip = "127.0.0.1";
port = 1081;
debugLevel = 2;
};
groupSettings = [
{
name = "googlevideo";
hosts = "googlevideo.com";
disorder = 1;
split = 7;
}
{
name = "youtube";
hosts = "youtube.com";
disorder = 1;
}
{
name = "none";
}
];
};
# local.services.i2pd.enable = true;
# local.services.kubo.enable = true;
local.services.i2pd.enable = true;
local.services.octoprint.enable = true;
virtualisation.docker.enable = true;
# Torrent client
/*
services.transmission = {
enable = true;
settings = {
rpc-bind-address = "192.168.7.10";
rpc-port = 9091;
rpc-whitelist = "192.168.7.*";
};
};
*/
services.ollama = {
enable = true;
package = pkgs.unstable.ollama;
acceleration = "rocm";
};
programs.sniffnet.enable = true;
services.plantuml-server = {
enable = true;
package = pkgs.unstable.plantuml-server;
listenPort = 33050;
};
################################################################################
# Containers
################################################################################
environment.shellInit = ''
[ -n "$DISPLAY" ] && ${pkgs.xorg.xhost}/bin/xhost +local: > /dev/null || true
'';
local.programs.communication = {
telegram = {
enable = true;
package = pkgs.unstable.tdesktop;
};
simplex-chat = {
enable = true;
package = pkgs.unstable.simplex-chat-desktop;
openFirewall = true;
};
};
/*
containers.games = {
autoStart = true;
bindMounts = {
"${config.services.transmission.settings.download-dir}" = { };
"/tmp/.X11-unix" = { };
"/run/opengl-driver/lib" = { };
"/run/opengl-driver-32/lib" = { };
};
allowedDevices = [
{
modifier = "r";
node = "/dev/kfd";
}
{
modifier = "r";
node = "/dev/dri";
}
];
config = { pkgs, ... }: {
nixpkgs.config.allowUnfree = true;
system.stateVersion = "23.11";
users.groups.transmission = config.users.groups.transmission;
users.users.john = {
isNormalUser = true;
home = "/home/john";
password = "hello";
extraGroups = [ "pulse-access" "transmission" ];
packages = with pkgs; [
# wine
wineWowPackages.stable
winetricks
# community edition
fallout-ce
fallout2-ce
openmw
openxcom
# tools
innoextract
vim
unzip
p7zip
unrar-wrapper
wget
];
};
environment.sessionVariables = {
DISPLAY = ":0";
PULSE_SERVER = "tcp:127.0.0.1:4713";
XAUTHORITY = "/home/john/.Xauthority";
WINEPREFIX = "/home/john/.wine";
WINEARCH = "win32";
};
};
};
*/
services.transmission.enable = true;
}
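Review bot: The Radicale credentials file `/etc/radicale/users` is created by hand (per the `htpasswd -B -c` comment) and nothing in this module declares its owner or mode, so the bcrypt hashes can end up world-readable, or missing after a reinstall. Other hosts in this repository read secrets through `config.age.secrets.….path`, and the same pattern fits here: declare an agenix secret owned by the `radicale` user and set `htpasswd_filename = config.age.secrets.<radicale-htpasswd>.path;` (placeholder name). That also requires adding `config` to the module arguments. No listen address is configured, so Radicale presumably stays on its default loopback listener. If it is later published through a reverse proxy, the proxy has to terminate TLS, because htpasswd auth sends the password as HTTP basic auth.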


@ -1,3 +0,0 @@
import ../../disko/luks-btrfs.nix {
device = "/dev/disk/by-id/nvme-NE-256_2280_0014164009305";
}


@ -1,11 +1,8 @@
{ config, ... }:
{
imports = [
./generated.nix # Include the results of the hardware scan.
./hibernation.nix
./nfs.nix
];
# Include the results of the hardware scan.
imports = [ ./generated.nix ];
# Add support of usb
boot.initrd.availableKernelModules = [ "usb_storage" ];
@ -14,8 +11,6 @@
# See: https://github.com/NixOS/nixpkgs/issues/38676
boot.kernelModules = [ "veth" ];
# rtl88x2bu doesn't work on stable at the moment 🤔
local.system.kernel = "lts";
boot.extraModulePackages = with config.boot.kernelPackages; [
rtl88x2bu # wifi
];
@ -23,7 +18,7 @@
networking = {
useDHCP = false;
interfaces = {
wlp4s0.useDHCP = true;
wlp3s0.useDHCP = true;
# wlp11s0f3u2.useDHCP = true;
};
};
@ -31,23 +26,14 @@
# extra configs
hardware.bluetooth.enable = true;
hardware.graphics = {
enable = true;
enable32Bit = true;
};
# All monitors in the right order
# Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/x11/xserver.nix#L83
#
# To see references use the following command
# man xorg.conf
services.xserver.xrandrHeads = [
{
output = "DP-3";
monitorConfig = ''
Option "PreferredMode" "1920x1080"
# Option "Rotate" "right"
Option "Position" "0 361"
Option "Rotate" "right"
'';
}
{
@ -55,7 +41,6 @@
primary = true;
monitorConfig = ''
Option "PreferredMode" "2560x1440"
Option "Position" "1920 0"
'';
}
];


@ -1,15 +0,0 @@
{...}:
{
swapDevices = [
{
device = "/var/lib/swapfile";
size = 64 * 1024;
}
];
boot.resumeDevice = "/dev/disk/by-uuid/969c5f68-631d-4429-b81b-0d81e050449b";
boot.kernelParams = [ "resume_offset=156735488" ];
powerManagement.enable = true;
}


@ -1,29 +0,0 @@
{ ... }:
{
fileSystems."/export/mynix" = {
device = "/home/jan/mynix";
options = [ "bind" ];
};
fileSystems."/export/projects" = {
device = "/home/jan/projects";
options = [ "bind" ];
};
services.nfs.server = {
enable = true;
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
exports = ''
/export 192.168.0.0/24(rw,fsid=0,no_subtree_check)
/export/mynix 192.168.0.0/24(rw,nohide,insecure,no_subtree_check,all_squash,anonuid=502,anongid=20)
/export/projects 192.168.0.0/24(rw,nohide,insecure,no_subtree_check,all_squash,anonuid=502,anongid=20)
'';
};
networking.firewall = {
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
};
}


@ -1,6 +0,0 @@
{
imports = [
./forgejo-runners
./synergy.nix
];
}


@ -1,33 +0,0 @@
{ config, pkgs, ... }:
let
NODE_OPTIONS = "--max_old_space_size=8192";
in
{
age.secrets.forgejo-runner-token-home-docker.file = ./forgejo-runner-token-home-docker.age;
virtualisation.docker.enable = true;
services.gitea-actions-runner = {
package = pkgs.unstable.forgejo-runner;
instances = {
home-docker = {
enable = true;
name = "home-docker";
url = "https://git.pleshevski.ru";
labels = [
"docker:docker://node:20-bullseye"
"ubuntu-22.04:docker://node:20-bullseye"
];
tokenFile = config.age.secrets.forgejo-runner-token-home-docker.path;
settings = {
runner = {
envs = { inherit NODE_OPTIONS; };
timeout = "1h";
};
};
};
};
};
}


@ -1,25 +0,0 @@
{ pkgs, ... }:
{
services.synergy.server = {
enable = true;
screenName = "home";
configFile = pkgs.writeText "synergy-server.conf" ''
section: screens
home:
macbook-pro:
end
section: links
home:
down(0,40) = macbook-pro(0,100)
macbook-pro:
up(1,99) = home(0,40)
end
section: options
clipboardSharing = true
clipboardSharingSize = 2048
end
'';
};
networking.firewall.allowedTCPPorts = [ 24800 ];
}


@ -8,7 +8,7 @@
home-manager.sharedModules = [
{
local.window-manager.polybar.wifiDevice = "wlp4s0";
local.window-manager.polybar.wifiDevice = "wlp3s0";
local.programs.terminals = {
wezterm.fontSize = 10.0;


@ -21,7 +21,9 @@ in
};
};
# local.programs.editors.arduino-ide.enable = true;
local.programs.editors.arduino-ide.enable = true;
local.programs.dev-tools.k8s.enable = true;
local.programs.libreoffice = {
enable = true;
@ -31,31 +33,30 @@ in
];
};
local.games.endless-sky.enable = true;
# Extra packages
home.packages = with pkgs.unstable; [
## game dev
# blender-hip
# godot_4
# libresprite
# game dev
blender
godot_4
libresprite
## 3d printer
# Cannot build unstable Cura!
# See: https://github.com/NixOS/nixpkgs/issues/325896
# it's too old in the nixpkgs!
# See: https://github.com/NixOS/nixpkgs/issues/186570
# pkgs.cura
# 3d printer
cura
## electronics
# kicad-small
# electronics
kicad-small
# librepcb
## tools
# tools
bind.dnsutils
## remote desktop client
# remmina
kubo # ipfs
];
# games
local.games = {
mindustry.enable = true;
widelands.enable = true;
};
};
}


@ -6,7 +6,7 @@
./services
];
networking.hostName = "amstel";
networking.hostName = "istal";
networking.domain = "local";
users.users.root.openssh.authorizedKeys.keys = globalData.publicKeys.users.janistal;

BIN
hosts/istal/data.secret.nix Normal file

Binary file not shown.


@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./generated.nix
./networking.secret.nix
];
}


@ -0,0 +1,5 @@
{ ... }:
{
imports = [ ./wireguard ];
}


@ -2,8 +2,8 @@
let
tatosData = import (hostsPath + "/tatos/data.secret.nix");
amstelData = import (hostsPath + "/amstel/data.secret.nix");
inherit (amstelData.wireguard) port;
istalData = import (hostsPath + "/istal/data.secret.nix");
inherit (istalData.wireguard) port;
in
{
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;


@ -1,25 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
vim
git
git-crypt
];
nix.settings.experimental-features = "nix-command flakes";
services.synergy.client = {
enable = true;
serverAddress = "192.168.0.153";
screenName = "macbook-pro";
};
homebrew = {
enable = true;
casks = [
{ name = "eloston-chromium"; }
];
};
}

Binary file not shown.


@ -6,8 +6,6 @@
./services
];
local.system.kernel = "hardened";
networking.hostName = "tatos";
users.users.root.openssh.authorizedKeys.keys = globalData.publicKeys.users.jan;


@ -5,11 +5,4 @@
./generated.nix
./networking.secret.nix
];
swapDevices = [
{
device = "/var/lib/swapfile";
size = 2 * 1024;
}
];
}


@ -6,9 +6,5 @@
./wireguard
./nginx.nix
./dns.nix
./grafana.nix
./prometheus.nix
./loki.nix
./promtail.nix
];
}


@ -1,51 +0,0 @@
{ config, pkgs, ... }:
let
addr = "127.0.0.1";
port = 33002;
domain = "grafana.pleshevski.ru";
in
{
services.grafana = {
enable = true;
package = pkgs.unstable.grafana;
settings = {
server = {
http_addr = addr;
http_port = port;
inherit domain;
};
auth.token_rotation_interval_minutes = 60;
};
provision = {
enable = true;
datasources.settings = {
datasources =
[
{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
}
{
name = "Loki";
type = "loki";
access = "proxy";
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
}
];
};
};
};
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${addr}:${toString port}";
proxyWebsockets = true;
};
};
}


@ -1,85 +0,0 @@
{ config, lib, ... }:
let
cfg = config.services.loki;
nginxCfg = config.services.nginx;
basePath = "/var/lib/loki";
in
{
age.secrets.loki-basicauth = {
file = ./loki-basicauth.age;
owner = nginxCfg.user;
inherit (nginxCfg) group;
};
services.loki = {
enable = true;
configuration = {
auth_enabled = false;
server = {
http_listen_address = "127.0.0.1";
http_listen_port = 3100;
};
common = {
path_prefix = basePath;
};
ingester = {
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
};
};
compactor = {
working_directory = "${basePath}/compactor";
};
schema_config = {
configs = [
{
from = "2025-02-04";
store = "tsdb";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
filesystem = {
directory = "${basePath}/chunks";
};
tsdb_shipper = {
active_index_directory = "${basePath}/tsdb-index";
cache_location = "${basePath}/tsdb-cache";
};
};
# Лимиты
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h"; # Максимальный возраст логов (7 дней)
};
};
};
systemd.tmpfiles.rules = lib.mkIf cfg.enable [
"d ${basePath} 0755 ${cfg.user} ${cfg.group} -"
];
services.nginx.virtualHosts."loki.pleshevski.ru" = lib.mkIf cfg.enable {
enableACME = true;
forceSSL = true;
locations."/" = let inherit (cfg.configuration.server) http_listen_port http_listen_address; in {
proxyPass = "http://${http_listen_address}:${toString http_listen_port}";
proxyWebsockets = true;
basicAuthFile = config.age.secrets.loki-basicauth.path;
};
};
}


@ -1,69 +0,0 @@
{ config, sharedPath, ... }:
let
nodeExporterPort = 40000;
nginxExporterPort = 40001;
basic_auth = {
username = "jan";
password_file = config.age.secrets.prometheus-basicauth-password.path;
};
in
{
imports = [ (sharedPath + "/prometheus/node.nix") ];
age.secrets.prometheus-basicauth-password = {
file = ./prometheus-basicauth-password.age;
owner = "prometheus";
group = "prometheus";
};
# https://wiki.nixos.org/wiki/Prometheus
# https://nixos.org/manual/nixos/stable/#module-services-prometheus-exporters-configuration
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/default.nix
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
port = 33010;
globalConfig.scrape_interval = "15s"; # "1m"
scrapeConfigs = [
{
job_name = "node_dev";
inherit basic_auth;
static_configs = [
{
targets = [
"tatos:${toString nodeExporterPort}"
"amstel:${toString nodeExporterPort}"
];
}
];
}
{
job_name = "node_production";
inherit basic_auth;
static_configs = [
{
targets = [
"canigou:${toString nodeExporterPort}"
"magenta:${toString nodeExporterPort}"
"sm-sd1:${toString nodeExporterPort}"
];
}
];
}
{
job_name = "nginx_production";
inherit basic_auth;
static_configs = [
{
targets = [
"canigou:${toString nginxExporterPort}"
"magenta:${toString nginxExporterPort}"
];
}
];
}
];
};
}


@ -1,33 +0,0 @@
{ config, ... }:
{
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 9080;
grpc_listen_port = 0;
};
clients = [
{ url = "http://127.0.0.1:3100/loki/api/v1/push"; }
];
scrape_configs = [
{
job_name = "journal";
journal = {
labels = {
job = "systemd-journal";
host = "${config.networking.hostName}"; # Имя хоста как метка
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
];
}
];
};
};
}


@ -3,11 +3,9 @@
# Source: https://habr.com/ru/companies/xakep/articles/699000/
let
amstelData = import (hostsPath + "/amstel/data.secret.nix");
istalData = import (hostsPath + "/istal/data.secret.nix");
tatosData = import (hostsPath + "/tatos/data.secret.nix");
port = tatosData.wireguard.port;
update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { };
in
{
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@ -22,24 +20,16 @@ in
networking.firewall.allowedUDPPorts = [ port ];
systemd.services.geoip-update = {
script = ''
set -eu
${update_ru_routes}/bin/update_ru_routes > /root/update_routes.log
'';
serviceConfig = {
Type = "oneshot";
User = "root";
services.cron =
let update_ru_routes = pkgs.callPackage ./update_ru_routes.nix { }; in
let cmd = "${update_ru_routes}/bin/update_ru_routes > /root/update_routes.log 2>&1"; in
{
enable = true;
systemCronJobs = [
"@reboot root sleep 30 && ${cmd}"
"0 3 * * mon root ${cmd}"
];
};
restartTriggers = [ update_ru_routes ];
};
systemd.timers.geoip-update = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1m";
OnCalendar = "mon 3:00";
};
};
networking.wg-quick.interfaces = {
# "wg0" is the network interface name. You can name the interface arbitrarily.
@ -53,23 +43,23 @@ in
# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
postUp = ''
interface=`${pkgs.iproute2}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o $interface -j MASQUERADE
${pkgs.iproute2}/bin/ip rule add from ${tatosData.addr} table main
${pkgs.iproute}/bin/ip rule add from ${tatosData.addr} table main
'';
preDown = ''
interface=`${pkgs.iproute2}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
interface=`${pkgs.iproute}/bin/ip route | ${pkgs.gawk}/bin/awk '/default/ {print $5; exit}'`
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o $interface -j MASQUERADE
${pkgs.iproute2}/bin/ip rule del from ${tatosData.addr} table main
${pkgs.iproute}/bin/ip rule del from ${tatosData.addr} table main
'';
# Path to the private key file.
privateKeyFile = config.age.secrets.wireguard-tatos-private.path;
peers = [
# Amstel
# Istal
{
publicKey = amstelData.wireguard.publicKey;
publicKey = istalData.wireguard.publicKey;
allowedIPs = [ "10.20.30.2/32" "0.0.0.0/0" ];
}
# Home
@ -89,7 +79,7 @@ in
}
# Phone 2 m
{
publicKey = "p1GR0Ax2wrqnnd/coKYA4p0lvhdY9Mkk4iwhPxZfl3I=";
publicKey = "0+ejwId5JcTeMvoz+I/ACpmpUFjD7rl9wqz8H/OAHEw=";
allowedIPs = [ "10.20.30.6/32" ];
}
# Phone 3 n
@ -97,16 +87,6 @@ in
publicKey = "IUw38F1ik2y2XoPh3Nd1VVxHz9nfKDfNKyzBaEi0rjc=";
allowedIPs = [ "10.20.30.7/32" ];
}
# Laptop m
{
publicKey = "dF5YEeK1nw2V4GNLwg67M+r8NMA315KpueQMk+ZFO1M=";
allowedIPs = [ "10.20.30.8/32" ];
}
# Phone 4 b
{
publicKey = "29WekSFGenqbnXoux0kbI9mwx7X5oclEFNz3cMt1Rzc=";
allowedIPs = [ "10.20.30.9/32" ];
}
];
};
};
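Review bot: The cron entries that run `update_ru_routes` as root discard the exit status and overwrite `/root/update_routes.log` on every run, so a failed download or a half-applied route set leaves stale routing in place with no trace of earlier runs. The `@reboot` entry also waits a fixed `sleep 30` instead of waiting for the network to be up. A oneshot unit with `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` and a timer would log to the journal and leave a failed-unit state that can be alerted on. If cron is kept, appending with `>> /root/update_routes.log 2>&1` at least preserves history across runs.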


@ -6,3 +6,8 @@
34.77.14.97/32
# apollographql.com
147.75.40.150/32
# reddit.com
151.101.129.140/32
151.101.1.140/32
151.101.193.140/32
151.101.65.140/32


@ -6,7 +6,6 @@
, iptables
, ipcalc
, jq
, iproute2
, gawk
, curl
}:
@ -20,7 +19,7 @@ in
symlinkJoin {
name = "update_ru_routes";
paths = [ update_ru_routes_unwrapped ] ++ [ bind.dnsutils iptables jq gawk curl ipcalc iproute2 ];
paths = [ update_ru_routes_unwrapped ] ++ [ bind.dnsutils iptables jq gawk curl ipcalc ];
buildInputs = [ makeWrapper ];
postBuild = ''


@ -1,3 +1,4 @@
# use nix-build -E (import <system>/misc/wg-client-conf.nix {})
{ pkgs ? import <nixpkgs> { }
, address
, privateKey


@ -18,6 +18,7 @@ in
model = "pc105";
layout = "us,ru";
variant = cfg.variant;
# variant = "dvorak,";
options = [ "grp:win_space_toggle" ];
};
};


@ -108,7 +108,7 @@ in
force_zero_scaling = true;
};
"$terminal" = "ghostty";
"$terminal" = "wezterm start";
"$browser" = "librewolf";
"$menu" = "dmenu-wl_run";


@ -63,22 +63,8 @@ in
xclip # access x clipboard from a console
dmenu # menu for x window system
nitrogen # wallpaper manager
rofimoji # emoji picker
];
programs.rofi.pass = {
enable = true;
extraConfig = ''
EDITOR='ghostty -e nvim'
URL_field='url'
USERNAME_field='login'
AUTOTYPE_field='autotype'
default_autotype='user :tab pass'
'';
};
xsession = {
enable = true;


@ -52,7 +52,7 @@ import XMonad.Util.Run
-- The preferred terminal program, which is used in a binding below and by
-- certain contrib modules.
--
myTerminal = "ghostty"
myTerminal = "wezterm start"
-- Whether focus follows the mouse pointer.
myFocusFollowsMouse = False
@ -83,9 +83,7 @@ comWs = "com"
devWs = ["dev", "dev2", "dev3"]
infraWs = "infra"
myWorkspaces = [webWs] <> devWs <> [infraWs, sysWs, comWs, finWs]
myWorkspaces = [webWs] <> devWs <> [finWs, sysWs, comWs]
main :: IO ()
main = mkDbusClient >>= main'
@ -235,24 +233,19 @@ myManageHook = manageApps
anyOf :: [Query Bool] -> Query Bool
anyOf = foldl (<||>) (pure False)
machine = stringProperty "WM_CLIENT_MACHINE"
role = stringProperty "WM_WINDOW_ROLE"
isPopup = role =? "pop-up"
isPinentry = anyOf [className =? "Gcr-promter", className =? "Pinentry"]
isGameMachine = machine =? "games"
isGhostty = className =? "com.mitchellh.ghostty"
isWezterm = className =? "org.wezfurlong.wezterm"
isAlacritty = className =? "Alacritty"
isTerminal = anyOf [isWezterm, isAlacritty, isGhostty]
isTerminal = anyOf [isWezterm, isAlacritty]
tileBelow = insertPosition Below Newer
manageApps =
composeOne
[ -- apps
className =? "Gimp" -?> doFloat,
isGameMachine -?> doFloat,
-- general
anyOf
[ resource =? "desktop_window",
@ -280,15 +273,10 @@ myKeys conf =
("M-S-<Return>", spawn $ XMonad.terminal conf),
-- launch a 'flameshot' to screenshot
("M-S-s", safeSpawn "flameshot" ["gui"]),
-- launch browsers
-- launch 'librewolf' browser
("M-S-b", spawn "librewolf"),
("M-S-t", spawn "tor-browser"),
-- launch 'dmenu_run' to choose applications
("M-r", spawn "dmenu_run"),
-- launch 'rofi-pass' to use password manager
("M-p", spawn "rofi-pass --last-used"),
-- launch 'rofimoji' to pick emoji
("M-e", spawn "rofimoji --action copy")
("M-p", spawn "dmenu_run")
-- Open calculator
-- ("<XF86Calculator>", spawn "gnome-calculator"),
]
@ -377,7 +365,7 @@ myKeys conf =
("<XF86KbdBrightnessUp>", spawn (kdbBrightness "up")),
("<XF86KbdBrightnessDown>", spawn (kdbBrightness "down"))
]
where kdbBrightness cmd = myTerminal ++ " -e @kdbBrightnessScriptPath@ " ++ cmd
where kdbBrightness cmd = myTerminal ++ " -- @kdbBrightnessScriptPath@ " ++ cmd
------------------------------------------------------------------------
-- Mouse bindings: default actions bound to mouse events
@ -405,9 +393,9 @@ myProjects =
terminal' wd' cmd' =
myTerminal ++ workdir ++ command
where
workdir = " --working-directory=" ++ wd'
workdir = " --cwd " ++ wd'
command = case cmd' of
Just c -> " -e " ++ c
Just c -> " -- " ++ c
_ -> ""
myPromptConfig :: XPConfig
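Review bot: `terminal'` in the last hunk builds its command by plain concatenation (`" --cwd " ++ wd'`, `" -- " ++ c`), so a project directory containing a space or a shell metacharacter splits or alters the command if the result is passed to `spawn`, which runs it through a shell. The callers are outside the hunk, so this is inferred. The file already uses the argument-list form for flameshot (`safeSpawn "flameshot" ["gui"]`), and the same form avoids shell parsing here: `safeSpawn "wezterm" (["start", "--cwd", wd'] ++ maybe [] (\c -> "--" : words c) cmd')`. The `kdbBrightness` helper concatenates the same way, but its arguments are fixed strings.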


@ -8,14 +8,10 @@ in
mindustry.enable = mkEnableOption "mindustry";
widelands.enable = mkEnableOption "widelands";
unciv.enable = mkEnableOption "unciv";
freeciv.enable = mkEnableOption "freeciv";
endless-sky.enable = mkEnableOption "endless-sky";
};
config.home.packages =
lib.optional cfg.mindustry.enable pkgs.unstable.mindustry
++ lib.optional cfg.widelands.enable pkgs.widelands
++ lib.optional cfg.unciv.enable pkgs.unstable.unciv
++ lib.optional cfg.freeciv.enable pkgs.unstable.freeciv
++ lib.optional cfg.endless-sky.enable pkgs.unstable.endless-sky;
++ lib.optional cfg.unciv.enable pkgs.unstable.unciv;
}


@ -1,7 +1,19 @@
{ config, lib, pkgs, ... }:
let
aercPackage = pkgs.unstable.aerc;
aercPackage = pkgs.unstable.aerc.override {
# support .filename filter
buildGoModule = args: pkgs.unstable.buildGoModule (args // rec {
version = "6ffc0ed5991bef69a50cbc22647af0a6a0e0a895";
src = pkgs.fetchFromSourcehut {
owner = "~rjarry";
repo = "aerc";
rev = version;
hash = "sha256-IyAcTCDSjOmZ6KPr9nYKdxWA0qryeU4jTwxRWzt2NOY=";
};
vendorHash = "sha256-s7lt5amq6Zsn+1AM2SlNeXSZIRbJ+vYKZmdWEDC4Sp4=";
});
};
abaPackage = pkgs.unstable.aba;
abaExe = "${abaPackage}/bin/aba -a ${config.xdg.dataHome}/aerc/aba.toml";
@ -73,12 +85,9 @@ in
"text/plain" = "colorize";
"text/rfc822-headers" = "colorize";
# "text/*" = "${pkgs.bat}/bin/bat -fpp --file-name='$AERC_FILENAME'";
"message/*" = "cat | colorize";
"message/delivery-status" = "cat | colorize";
"application/pgp-keys" = "gpg";
".filename,~\\.gpg" = "gpg --decrypt";
".filename,~\\.xml\\.gz" = "${pkgs.gzip}/bin/gunzip |"
+ "${pkgs.xmlformat}/bin/xmlformat |"
+ "${pkgs.bat}/bin/bat -fpp --file-name='$AERC_FILENAME' --language xml";
};
openers = { };
@ -116,6 +125,10 @@ in
"\\" = fill "filter";
"n" = exec "next-result";
"N" = exec "prev-result";
#"D" = exec "modify-labels +deleted -inbox";
#"A" = exec "modify-labels -inbox";
#"ms" = exec "modify-labels +spam -inbox";
#"mS" = exec "modify-labels -spam +inbox";
}
];
@ -141,14 +154,15 @@ in
}
];
compose = {
"$ex" = "<C-x>";
"<C-k>" = exec "prev-field";
"<C-j>" = exec "next-field";
"<tab>" = exec "next-field";
"<C-l>" = exec "next-tab";
"<C-h>" = exec "prev-tab";
};
compose = lib.mkMerge [
globalBinds
{
"$ex" = "<C-x>";
"<C-k>" = exec "prev-field";
"<C-j>" = exec "next-field";
"<tab>" = exec "next-field";
}
];
"compose::editor" = {
"$noinherit" = "true";


@ -1,18 +0,0 @@
{ config, lib, pkgs, ... }:
let cfg = config.local.programs.argos-translate; in
{
options.local.programs.argos-translate = with lib; {
enable = mkEnableOption "argostranslate";
package = mkPackageOption pkgs.python311Packages "argostranslate" {};
};
config = lib.mkIf cfg.enable {
home.packages = [ cfg.package ];
programs.zsh.shellAliases = lib.mkIf config.programs.zsh.enable {
en2ru = "${cfg.package}/bin/argos-translate --from en --to ru";
ru2en = "${cfg.package}/bin/argos-translate --from ru --to en";
};
};
}


@ -4,19 +4,15 @@
let cfg = config.local.programs.communication; in
{
options.local.programs.communication = with lib; {
matrix = {
enable = mkEnableOption "nheko. matrix client";
package = mkPackageOption pkgs "nheko" { };
};
tox = {
enable = mkEnableOption "tox";
package = mkPackageOption pkgs "qtox" { };
};
simplex-chat.enable = mkEnableOption "SimplexChat";
telegram.enable = mkEnableOption "tdesktop. telegram client";
matrix.enable = mkEnableOption "nheko. matrix client";
skype.enable = mkEnableOption "skype";
};
config = {
home.packages =
lib.optional cfg.matrix.enable cfg.matrix.package
++ lib.optional cfg.tox.enable cfg.tox.package;
};
config.home.packages = with pkgs.unstable;
lib.optional cfg.simplex-chat.enable simplex-chat-desktop
++ lib.optional cfg.telegram.enable tdesktop
++ lib.optional cfg.matrix.enable nheko
++ lib.optional cfg.skype.enable skypeforlinux;
}


@ -3,7 +3,6 @@
{
imports = [
./aerc.nix
./argos-translate.nix
./communication.nix
./dev-tools.nix
./flameshot.nix


@ -2,39 +2,11 @@
let
cfg = config.local.programs.dev-tools;
kubectlCompletionsZsh = pkgs.runCommand "kubectl-completion.zsh" {} ''
${lib.getExe pkgs.kubectl} completion zsh > $out
'';
# https://github.com/NixOS/nixpkgs/pull/384524/files
apacheDirectoryStudio = with pkgs.unstable; (apache-directory-studio.overrideAttrs (attrs: {
installPhase = ''
dest="$out/libexec/ApacheDirectoryStudio"
mkdir -p "$dest"
cp -r . "$dest"
mkdir -p "$out/bin"
patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
"$dest/ApacheDirectoryStudio"
# About `/tmp/SWT-GDBusServer`, see
# https://github.com/adoptium/adoptium-support/issues/785#issuecomment-1866680133
# and
# https://github.com/adoptium/adoptium-support/issues/785#issuecomment-2387481967.
makeWrapper "$dest/ApacheDirectoryStudio" \
"$out/bin/ApacheDirectoryStudio" \
--prefix PATH : "${jdk}/bin" \
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [ glib webkitgtk_4_0 ] } \
--run "mkdir -p /tmp/SWT-GDBusServer"
install -D icon.xpm "$out/share/pixmaps/apache-directory-studio.xpm"
install -D -t "$out/share/applications" ${attrs.desktopItem}/share/applications/*
'';
}));
in
{
options.local.programs.dev-tools = with lib; {
base.enable = mkEnableOption "base tools";
nix.enable = mkEnableOption "tools for nix developer";
erlang.enable = mkEnableOption "tools for erlang developer";
web.enable = mkEnableOption "tools for web developer";
k8s.enable = mkEnableOption "k8s tools";
psql = {
@ -48,7 +20,6 @@ in
eza.enable = mkEnableOption "eza. ls replacement";
direnv.enable = mkEnableOption "direnv";
zoxide.enable = mkEnableOption "zoxide";
ldap.enable = mkEnableOption "ldap";
};
config = lib.mkMerge [
@ -101,13 +72,6 @@ in
];
})
(lib.mkIf cfg.erlang.enable {
home.packages = with pkgs.unstable; [
erlang
erlfmt
];
})
(lib.mkIf cfg.nix.enable {
home.packages = with pkgs.unstable; [
nixpkgs-fmt # nix formatter
@ -124,18 +88,10 @@ in
]
))
];
programs.zsh.initExtra = ''
source ${kubectlCompletionsZsh}
'';
})
(lib.mkIf cfg.psql.enable {
home.packages = [ cfg.psql.package ];
})
(lib.mkIf cfg.ldap.enable {
home.packages = [ apacheDirectoryStudio ];
})
];
}


@ -3,7 +3,6 @@
{
imports = [
./nautilus.nix
./nnn.nix
./vifm
];
}


@ -8,5 +8,5 @@ in
enable = mkEnableOption "nautilus";
};
config.home.packages = with pkgs.unstable; lib.optional cfg.enable nautilus;
config.home.packages = with pkgs.unstable; lib.optional cfg.enable gnome.nautilus;
}


@ -1,13 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.local.programs.file-managers.nnn;
in
{
options.local.programs.file-managers.nnn = with lib; {
enable = mkEnableOption "nnn";
package = mkPackageOption pkgs "nnn" {};
};
config.home.packages = lib.optional cfg.enable cfg.package;
}


@ -11,7 +11,7 @@
" If you would like to use another vi clone such as Elvis or Vile
" you will need to change this setting.
set vicmd=nvim
set vicmd=vim
" This makes vifm perform file operations on its own instead of relying on
" standard utilities like `cp`. While using `cp` and alike is a more universal
@ -128,12 +128,12 @@ mark h ~/
" %m run the command in a menu window
command! df df -h %m 2> /dev/null
command! diff nvim -d %f %F
command! diff vim -d %f %F
command! zip zip -r %c.zip %f
command! run !! ./%f
command! make !!make %a
command! mkcd :mkdir %a | cd %a
command! vgrep nvim "+grep %a"
command! vgrep vim "+grep %a"
command! reload :write | restart full
" ------------------------------------------------------------------------------
@ -316,6 +316,11 @@ nnoremap S :sort<cr>
nnoremap w :view<cr>
vnoremap w :view<cr>gv
" Open file in existing instance of gvim
nnoremap o :!gvim --remote-tab-silent %f<cr>
" Open file in new instance of gvim
nnoremap O :!gvim %f<cr>
" Open file in the background using its default program
nnoremap gb :file &<cr>l
@ -349,6 +354,8 @@ nnoremap ,t :!xterm &<cr>
" Open editor to edit vifmrc and apply settings after returning to vifm
nnoremap ,c :write | edit $MYVIFMRC | restart full<cr>
" Open gvim to edit vifmrc
nnoremap ,C :!gvim --remote-tab-silent $MYVIFMRC &<cr>
" Toggle wrap setting on ,w key
nnoremap ,w :set wrap!<cr>


@ -4,7 +4,7 @@
imports = [
./alacritty.nix
./foot.nix
./ghostty.nix
./wezterm.nix
];
}


@ -1,66 +0,0 @@
{ lib, config, pkgs, ... }:
let
cfg = config.local.programs.terminals.ghostty;
themeCfg = config.local.themes."${config.local.theme.name}";
in
{
options.local.programs.terminals.ghostty = with lib; {
enable = mkEnableOption "ghostty";
package = mkPackageOption pkgs "ghostty" { };
fontSize = mkOption {
type = types.number;
default = 10.0;
description = "Ghostty font size";
};
};
config = lib.mkIf cfg.enable {
programs.ghostty = {
enable = true;
package = cfg.package;
settings = {
theme = "nixos-theme";
font-family = "monospace";
font-size = cfg.fontSize;
window-decoration = false;
cursor-style-blink = false;
shell-integration-features = "no-cursor";
gtk-single-instance = false; # It required to provide working-directory
};
enableZshIntegration = config.programs.zsh.enable;
themes = {
"nixos-theme" = {
palette = [
"0=${themeCfg.window.regular.color0}"
"1=${themeCfg.window.regular.color1}"
"2=${themeCfg.window.regular.color2}"
"3=${themeCfg.window.regular.color3}"
"4=${themeCfg.window.regular.color4}"
"5=${themeCfg.window.regular.color5}"
"6=${themeCfg.window.regular.color6}"
"7=${themeCfg.window.regular.color7}"
"8=${themeCfg.window.bold.color8}"
"9=${themeCfg.window.bold.color9}"
"10=${themeCfg.window.bold.color10}"
"11=${themeCfg.window.bold.color11}"
"12=${themeCfg.window.bold.color12}"
"13=${themeCfg.window.bold.color13}"
"14=${themeCfg.window.bold.color14}"
"15=${themeCfg.window.bold.color15}"
"16=${themeCfg.window.extended.color16}"
"17=${themeCfg.window.extended.color17}"
"18=${themeCfg.window.extended.color18}"
"19=${themeCfg.window.extended.color19}"
];
background = themeCfg.window.background;
foreground = themeCfg.window.mainText;
cursor-color = themeCfg.window.cursor;
cursor-text = themeCfg.window.cursorText;
selection-background = themeCfg.window.selection;
selection-foreground = themeCfg.window.selectionText;
};
};
};
};
}


@ -18,7 +18,7 @@ in
programs.wezterm = {
enable = true;
colorSchemes = {
"nixos-theme" = {
myCoolTheme = {
ansi = [
themeCfg.window.regular.color0
themeCfg.window.regular.color1
@ -58,8 +58,7 @@ in
return {
font = wezterm.font("monospace"),
font_size = ${toString cfg.fontSize},
front_end = "WebGpu",
color_scheme = "nixos-theme",
color_scheme = "myCoolTheme",
hide_tab_bar_if_only_one_tab = true,
-- https://github.com/wez/wezterm/issues/4483
enable_wayland = false,


@ -9,7 +9,7 @@
programs.zsh = {
enable = true;
autosuggestion.enable = true;
enableAutosuggestions = true;
enableCompletion = true;
defaultKeymap = "viins";
dotDir = ".config/zsh";


@ -35,19 +35,5 @@
################################################################################
local.programs.pass.enable = lib.mkDefault true;
local.programs.browsers = {
librewolf.enable = lib.mkDefault true;
tor-browser.enable = lib.mkDefault true;
ungoogled-chromium.enable = lib.mkDefault true;
};
security.sudo.extraRules = [{
commands = [
{
command = "/run/current-system/sw/bin/nixos-container";
options = [ "NOPASSWD" ];
}
];
groups = [ "wheel" ];
}];
local.programs.browsers.librewolf.enable = lib.mkDefault true;
}


@ -12,7 +12,7 @@
fira-code-symbols
(nerdfonts.override { fonts = [ "FiraCode" ]; })
noto-fonts
noto-fonts-cjk-sans
noto-fonts-cjk
noto-fonts-emoji
liberation_ttf
mplus-outline-fonts.githubRelease


@ -9,11 +9,11 @@ in
};
config = lib.mkIf cfg.enable {
services.xserver.xkb = {
model = "pc105";
services.xserver = {
xkbModel = "pc105";
layout = "us,us";
variant = "dvorak,";
options = "grp:win_space_toggle";
xkbVariant = "dvorak,";
xkbOptions = "grp:win_space_toggle";
};
console.useXkbConfig = true;


@ -11,7 +11,7 @@ in
config = lib.mkIf cfg.enable {
programs.i3lock = {
enable = true;
u2fSupport = lib.mkDefault config.security.pam.u2f.enable;
u2fSupport = lib.mkDefault config.local.yubikey.enable;
};
programs.xss-lock.enable = true;
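Review bot: The screen locker's `u2fSupport` default now follows `config.local.yubikey.enable` rather than `config.security.pam.u2f.enable`, so the locker's U2F setting can drift from the PAM option it ultimately depends on. The local yubikey module is not visible here, and the rendered page has lost its +/- markers, so I am reading the second of the two `u2fSupport` lines as the new side. If the two options can differ, the lock screen's authentication path no longer matches what the rest of the system's PAM stack is configured for, which is easy to miss because unlocking still works with a password. I would either keep the default tied to the PAM option, `u2fSupport = lib.mkDefault config.security.pam.u2f.enable;`, or state the invariant next to the line, e.g. `# local.yubikey.enable must imply security.pam.u2f.enable so the locker stays in sync with PAM`. The enclosing `config = lib.mkIf cfg.enable { … }` block continues past this hunk.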


@ -1,4 +1,4 @@
{ lib, inputs, config, pkgs, ... }:
{ lib, inputs, config, ... }:
let
inherit (builtins) elem;
@ -24,9 +24,6 @@ in
};
config = {
environment.systemPackages =
lib.optional config.system.tools.nixos-option.enable pkgs.unstable.nixos-option;
nixpkgs.config.allowUnfreePredicate = lib.mkIf
(cfg.allowUnfreePackages != [ ])
(pkg: elem (lib.getName pkg) cfg.allowUnfreePackages);
@ -45,11 +42,6 @@ in
};
};
})
(final: prev: {
sniffnet = (import inputs.nixpkgs-unstable {
inherit (config.nixpkgs) config system;
}).sniffnet;
})
(final: prev: {
unstable = import inputs.nixpkgs-unstable {
inherit (config.nixpkgs) config overlays system;


@ -1,36 +0,0 @@
{ config, lib, ... }:
let
cfg = config.local.security.sudo;
in
{
options.local.security.sudo = with lib; {
nopasswd = mkOption {
type = types.listOf (types.submodule {
options = {
commands = mkOption {
type = with types; listOf (either str package);
};
groups = mkOption {
type = types.listOf types.str;
default = [ "wheel" ];
};
};
});
default = [ ];
};
};
config = lib.mkIf (cfg.nopasswd != [ ]) {
security.sudo.extraRules = lib.flip map cfg.nopasswd (rule: {
inherit (rule) groups;
commands = lib.flip map rule.commands (cmd:
{
command = "${cmd}";
options = [ "NOPASSWD" ];
}
);
});
};
}

Some files were not shown because too many files have changed in this diff