chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

tidy files, switch to alejandra for formatting, add private aliases to mailserver

Browse source
This commit is contained in:
Chaos 2022-12-04 13:45:43 +00:00
parent e2a2608a2b
commit 6f5832750a
No known key found for this signature in database
203 changed files with 3276 additions and 4001 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
data/usb_data.nix
View file

@ -1,4 +1,4 @@
{ ... }: rec {
{}: rec {
# Mountpoints
mountpoint = "/usb";

8
deployNodes.nix
View file

@ -1,5 +1,9 @@
{ nixosConfigurations, deploy-rs, ... }:
let activateNixOS_x64_64-linux = deploy-rs.lib.x86_64-linux.activate.nixos;
{
nixosConfigurations,
deploy-rs,
...
}: let
activateNixOS_x64_64-linux = deploy-rs.lib.x86_64-linux.activate.nixos;
in {
tablet = {
hostname = "tablet.internal.genderfucked.monster";

20
extras/mk-enc-usb.nix
View file

@ -1,6 +1,13 @@
{ stdenv, bash, parted, cryptsetup, e2fsprogs }:
let usb_data = import ../hosts/lappy/hardware/usb_data.nix { };
in stdenv.mkDerivation {
{
stdenv,
bash,
parted,
cryptsetup,
e2fsprogs,
}: let
usb_data = import ../hosts/lappy/hardware/usb_data.nix {};
in
stdenv.mkDerivation {
name = "mk-enc-usb";
src = ./mk-enc-usb.sh;
unpackPhase = ''
@ -9,18 +16,13 @@ in stdenv.mkDerivation {
done
'';
inherit bash;
inherit parted;
inherit cryptsetup;
inherit e2fsprogs;
inherit bash parted cryptsetup e2fsprogs;
patchPhase = ''
substituteAllInPlace mk-enc-usb.sh
substituteInPlace mk-enc-usb.sh \
--replace "@TEST@" "nyaaaaa" \
--replace "@USB_ENCRYPTED_PARTLABEL@" "${usb_data.encrypted_partlabel}" \
--replace "@USB_UNENCRYPTED_LABEL@" "${usb_data.unencrypted_label}"
'';
installPhase = ''

20
extras/mk-normal-enc-ssd.nix
View file

@ -1,6 +1,14 @@
{ stdenv, bash, parted, cryptsetup, e2fsprogs, dosfstools }:
let ssd_data = import ../hosts/normal-enc/hardware/ssd_data.nix { };
in stdenv.mkDerivation {
{
stdenv,
bash,
parted,
cryptsetup,
e2fsprogs,
dosfstools,
}: let
ssd_data = import ../hosts/normal-enc/hardware/ssd_data.nix {};
in
stdenv.mkDerivation {
name = "mk-normal-enc-ssd";
src = ./mk-normal-enc-ssd.sh;
unpackPhase = ''
@ -9,11 +17,7 @@ in stdenv.mkDerivation {
done
'';
inherit bash;
inherit parted;
inherit cryptsetup;
inherit e2fsprogs;
inherit dosfstools;
inherit bash parted cryptsetup e2fsprogs dosfstools;
patchPhase = ''
substituteAllInPlace mk-normal-enc-ssd.sh

25
extras/shenanigans-hotspot.nix
View file

@ -1,5 +1,11 @@
{ lib, pkgs, nixpkgs, config, tree, ... }:
let
{
lib,
pkgs,
nixpkgs,
config,
tree,
...
}: let
wifiInterface = "shenanigans0";
wifiMac = "00:0F:55:A8:2B:8E";
@ -21,15 +27,19 @@ in {
}", NAME="${usbethInterface}"
'';
networking.interfaces."${wifiInterface}".ipv4.addresses = [{
networking.interfaces."${wifiInterface}".ipv4.addresses = [
{
address = "192.168.2.1";
prefixLength = 24;
}];
}
];
networking.interfaces."${usbethInterface}".ipv4.addresses = [{
networking.interfaces."${usbethInterface}".ipv4.addresses = [
{
address = "192.168.2.1";
prefixLength = 24;
}];
}
];
networking.networkmanager.unmanaged = [
# Wifi
@ -39,7 +49,8 @@ in {
"mac:${usbethMac}"
];
systemd.services.wifi-relay = let inherit (pkgs) iptables gnugrep;
systemd.services.wifi-relay = let
inherit (pkgs) iptables gnugrep;
in {
description = "iptables rules for wifi-relay";
after = ["dhcpd4.service"];

18
flake.lock
View file

@ -138,11 +138,11 @@
"utils": "utils_4"
},
"locked": {
"lastModified": 1670058827,
"narHash": "sha256-T+yyncPpZWeIkFrG/Cgj21iopULY3BZGWIhcT5ZmCgM=",
"lastModified": 1670157315,
"narHash": "sha256-GMeuuDKTaqnYFGQA3ZqlLoeeWi30RdJZV+ukOnTCu+w=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "eb3598cf44aa10f2a16fe38488a102c0f474d766",
"rev": "17bbfcb82458ac2270dec71ce1f7044deb4f1ca3",
"type": "github"
},
"original": {
@ -191,11 +191,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1669791787,
"narHash": "sha256-KBfoA2fOI5+wCrm7PR+j7jHqXeTkVRPQ0m5fcKchyuU=",
"lastModified": 1670064435,
"narHash": "sha256-+ELoY30UN+Pl3Yn7RWRPabykwebsVK/kYE9JsIsUMxQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e76c78d20685a043d23f5f9e0ccd2203997f1fb1",
"rev": "61a8a98e6d557e6dd7ed0cdb54c3a3e3bbc5e25c",
"type": "github"
},
"original": {
@ -240,11 +240,11 @@
]
},
"locked": {
"lastModified": 1669922720,
"narHash": "sha256-xzoKL4RtKRECdrWHAM14OBaNdJRToc+AA9zmUWuo5eY=",
"lastModified": 1670085069,
"narHash": "sha256-IO9HcAjncPp/0sUGcCUWVwa0XoBVFQKx+oY+8EBRcTc=",
"owner": "kittywitch",
"repo": "tree",
"rev": "fbe8ae96d7f4fb369d32dbbe8434606b23354caf",
"rev": "501675588cb663a9bd18056002de697f4e91b667",
"type": "github"
},
"original": {

3
flake.nix
View file

@ -13,8 +13,7 @@
tree-input.inputs.nixpkgs.follows = "nixpkgs-unstable";
# update whenever
nixpkgs-fixed.url =
"github:nixos/nixpkgs/?branch=nixos-unstable&rev=e76c78d20685a043d23f5f9e0ccd2203997f1fb1";
nixpkgs-fixed.url = "github:nixos/nixpkgs/?branch=nixos-unstable&rev=e76c78d20685a043d23f5f9e0ccd2203997f1fb1";
nur.url = "github:nix-community/NUR";

7
home/apps/aegisub.nix
View file

@ -1,7 +0,0 @@
{ pkgs, ... }: {
home.packages = with pkgs;
[
# NOINLINE
aegisub
];
}

6
home/apps/aria2.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }: {
{...}: {
programs.aria2 = {
enable = true;
settings = {
@ -10,9 +10,7 @@
dht-entry-point = "dht.transmissionbt.com:6881";
dht-entry-point6 = "dht.transmissionbt.com:6881";
enable-peer-exchange = true;
bt-tracker =
"udp://tracker.coppersurfer.tk:6969/announce,udp://tracker.leechers-paradise.org:6969/announce,udp://tracker.opentrackr.org:1337/announce,udp://9.rarbg.to:2710/announce,udp://exodus.desync.com:6969/announce,udp://tracker.openbittorrent.com:80/announce,udp://tracker.tiny-vps.com:6969/announce,udp://retracker.lanta-net.ru:2710/announce,udp://tracker.torrent.eu.org:451/announce,udp://tracker.cyberia.is:6969/announce,udp://torrentclub.tech:6969/announce,udp://open.stealth.si:80/announce,udp://denis.stalker.upeer.me:6969/announce,udp://tracker.moeking.me:6969/announce,udp://open.demonii.si:1337/announce,udp://ipv4.tracker.harry.lu:80/announce,udp://tracker3.itzmx.com:6961/announce,udp://explodie.org:6969/announce,udp://valakas.rollo.dnsabr.com:2710/announce,udp://tracker.nyaa.uk:6969/announce,udp://tracker.iamhansen.xyz:2000/announce,udp://tracker.filepit.to:6969/announce,udp://tracker-udp.gbitt.info:80/announce,udp://retracker.netbynet.ru:2710/announce,udp://retracker.akado-ural.ru:80/announce,udp://opentor.org:2710/announce,udp://tracker.yoshi210.com:6969/announce,udp://tracker.filemail.com:6969/announce,udp://tracker.ds.is:6969/announce,udp://newtoncity.org:6969/announce,udp://bt2.archive.org:6969/announce,udp://bt1.archive.org:6969/announce,https://tracker.fastdownload.xyz:443/announce,https://opentracker.xyz:443/announce,https://opentracker.co:443/announce,http://tracker.bt4g.com:2095/announce,http://opentracker.xyz:80/announce,http://open.trackerlist.xyz:80/announce,http://h4.trakx.nibba.trade:80/announce,udp://xxxtor.com:2710/announce,udp://tracker.uw0.xyz:6969/announce,udp://tracker.tvunderground.org.ru:3218/announce,udp://tracker.nextrp.ru:6969/announce,udp://tracker.msm8916.com:6969/announce,udp://tracker.lelux.fi:6969/announce,udp://retracker.sevstar.net:2710/announce,udp://npserver.intranet.pw:4201/announce,https://tracker.nanoha.org:443/announce,https://tracker.hama3.net:443/announce,http://www.proxmox.com:6969/announce,http://tracker.tvunderground.org.ru:3218/announce,http://tracker.opentrackr.org:1337/announce,http://tracker.bz:80/announce,http://torrentclub.tech:6969/announce,http://t.nyaatracker.com:80/announce,http://retracker.sevstar.net:2710/announce,http://open.acgtracker.com:1096/announce,http://explodie.org:6969/announce,udp://tracker4.itzmx.com:2710/announce,udp://tracker2.itzmx.com:6961/announce,udp://tracker.swateam.org.uk:2710/announce,udp://tr.bangumi.moe:6969/announce,udp://qg.lorzl.gq:2710/announce,udp://chihaya.toss.li:9696/announce,https://tracker.vectahosting.eu:2053/announce,https://tracker.lelux.fi:443/announce,https://tracker.gbitt.info:443/announce,https://opentracker.acgnx.se:443/announce,http://www.loushao.net:8080/announce,http://vps02.net.orel.ru:80/announce,http://tracker4.itzmx.com:2710/announce,http://tracker3.itzmx.com:6961/announce,http://tracker2.itzmx.com:6961/announce,http://tracker1.itzmx.com:8080/announce,http://tracker01.loveapp.com:6789/announce,http://tracker.yoshi210.com:6969/announce,http://tracker.torrentyorg.pl:80/announce,http://tracker.lelux.fi:80/announce,http://tracker.gbitt.info:80/announce,http://tracker.frozen-layer.net:6969/announce,http://sukebei.tracker.wf:8888/announce,http://pow7.com:80/announce,http://opentracker.acgnx.se:80/announce,http://open.acgnxtracker.com:80/announce,http://newtoncity.org:6969/announce,http://mail2.zelenaya.net:80/announce,http://bt-tracker.gamexp.ru:2710/announce,http://acg.rip:6699/announce";
bt-tracker = "udp://tracker.coppersurfer.tk:6969/announce,udp://tracker.leechers-paradise.org:6969/announce,udp://tracker.opentrackr.org:1337/announce,udp://9.rarbg.to:2710/announce,udp://exodus.desync.com:6969/announce,udp://tracker.openbittorrent.com:80/announce,udp://tracker.tiny-vps.com:6969/announce,udp://retracker.lanta-net.ru:2710/announce,udp://tracker.torrent.eu.org:451/announce,udp://tracker.cyberia.is:6969/announce,udp://torrentclub.tech:6969/announce,udp://open.stealth.si:80/announce,udp://denis.stalker.upeer.me:6969/announce,udp://tracker.moeking.me:6969/announce,udp://open.demonii.si:1337/announce,udp://ipv4.tracker.harry.lu:80/announce,udp://tracker3.itzmx.com:6961/announce,udp://explodie.org:6969/announce,udp://valakas.rollo.dnsabr.com:2710/announce,udp://tracker.nyaa.uk:6969/announce,udp://tracker.iamhansen.xyz:2000/announce,udp://tracker.filepit.to:6969/announce,udp://tracker-udp.gbitt.info:80/announce,udp://retracker.netbynet.ru:2710/announce,udp://retracker.akado-ural.ru:80/announce,udp://opentor.org:2710/announce,udp://tracker.yoshi210.com:6969/announce,udp://tracker.filemail.com:6969/announce,udp://tracker.ds.is:6969/announce,udp://newtoncity.org:6969/announce,udp://bt2.archive.org:6969/announce,udp://bt1.archive.org:6969/announce,https://tracker.fastdownload.xyz:443/announce,https://opentracker.xyz:443/announce,https://opentracker.co:443/announce,http://tracker.bt4g.com:2095/announce,http://opentracker.xyz:80/announce,http://open.trackerlist.xyz:80/announce,http://h4.trakx.nibba.trade:80/announce,udp://xxxtor.com:2710/announce,udp://tracker.uw0.xyz:6969/announce,udp://tracker.tvunderground.org.ru:3218/announce,udp://tracker.nextrp.ru:6969/announce,udp://tracker.msm8916.com:6969/announce,udp://tracker.lelux.fi:6969/announce,udp://retracker.sevstar.net:2710/announce,udp://npserver.intranet.pw:4201/announce,https://tracker.nanoha.org:443/announce,https://tracker.hama3.net:443/announce,http://www.proxmox.com:6969/announce,http://tracker.tvunderground.org.ru:3218/announce,http://tracker.opentrackr.org:1337/announce,http://tracker.bz:80/announce,http://torrentclub.tech:6969/announce,http://t.nyaatracker.com:80/announce,http://retracker.sevstar.net:2710/announce,http://open.acgtracker.com:1096/announce,http://explodie.org:6969/announce,udp://tracker4.itzmx.com:2710/announce,udp://tracker2.itzmx.com:6961/announce,udp://tracker.swateam.org.uk:2710/announce,udp://tr.bangumi.moe:6969/announce,udp://qg.lorzl.gq:2710/announce,udp://chihaya.toss.li:9696/announce,https://tracker.vectahosting.eu:2053/announce,https://tracker.lelux.fi:443/announce,https://tracker.gbitt.info:443/announce,https://opentracker.acgnx.se:443/announce,http://www.loushao.net:8080/announce,http://vps02.net.orel.ru:80/announce,http://tracker4.itzmx.com:2710/announce,http://tracker3.itzmx.com:6961/announce,http://tracker2.itzmx.com:6961/announce,http://tracker1.itzmx.com:8080/announce,http://tracker01.loveapp.com:6789/announce,http://tracker.yoshi210.com:6969/announce,http://tracker.torrentyorg.pl:80/announce,http://tracker.lelux.fi:80/announce,http://tracker.gbitt.info:80/announce,http://tracker.frozen-layer.net:6969/announce,http://sukebei.tracker.wf:8888/announce,http://pow7.com:80/announce,http://opentracker.acgnx.se:80/announce,http://open.acgnxtracker.com:80/announce,http://newtoncity.org:6969/announce,http://mail2.zelenaya.net:80/announce,http://bt-tracker.gamexp.ru:2710/announce,http://acg.rip:6699/announce";
};
};
}

2
home/apps/file-roller.nix
View file

@ -1 +1 @@
{ config, pkgs, ... }: { home.packages = with pkgs; [ gnome.file-roller ]; }
{pkgs, ...}: {home.packages = with pkgs; [gnome.file-roller];}

11
home/apps/firefox.nix
View file

@ -1,5 +1,9 @@
{ config, nixosConfig, pkgs, ... }:
let isGnome = nixosConfig.services.xserver.desktopManager.gnome.enable;
{
nixosConfig,
pkgs,
...
}: let
isGnome = nixosConfig.services.xserver.desktopManager.gnome.enable;
in {
programs.firefox = {
enable = true;
@ -107,8 +111,7 @@ in {
newElementCount = 22;
placements = {
PersonalToolbar = ["import-button" "personal-bookmarks"];
TabsToolbar =
[ "tabbrowser-tabs" "new-tab-button" "alltabs-button" ];
TabsToolbar = ["tabbrowser-tabs" "new-tab-button" "alltabs-button"];
nav-bar = [
"back-button"
"forward-button"

8
home/apps/kitty.nix
View file

@ -1,6 +1,4 @@
{ config, nixosConfig, ... }:
{
{nixosConfig, ...}: {
wayland.windowManager.sway.extraSessionCommands = ''
export KITTY_CACHE_DIRECTORY="/tmp/kitty";
'';
@ -9,7 +7,9 @@
font.name = "Comic Code";
settings = {
font_size =
if nixosConfig.networking.hostName == "tablet" then 12 else 20;
if nixosConfig.networking.hostName == "tablet"
then 12
else 20;
bold_font = "auto";
italic_font = "auto";
bold_italic_font = "auto";

11
home/apps/mpv.nix
View file

@ -1,9 +1,8 @@
{ config, pkgs, ... }:
let
listen-password-file = if pkgs.stdenv.isLinux then
"/secrets/music_stream_password"
else
"$HOME/.secrets/music_stream_password";
{pkgs, ...}: let
listen-password-file =
if pkgs.stdenv.isLinux
then "/secrets/music_stream_password"
else "$HOME/.secrets/music_stream_password";
in {
home.packages = with pkgs; [mpv ffmpeg yt-dlp];
programs.mpv = {

2
home/apps/musicutil.nix
View file

@ -1 +1 @@
{ inputs, pkgs, ... }: { home.packages = with pkgs; [ musicutil ]; }
{pkgs, ...}: {home.packages = with pkgs; [musicutil];}

2
home/apps/nautilus.nix
View file

@ -1 +1 @@
{ config, pkgs, ... }: { home.packages = with pkgs; [ gnome.nautilus ]; }
{pkgs, ...}: {home.packages = with pkgs; [gnome.nautilus];}

2
home/apps/nicotine-plus.nix
View file

@ -1 +1 @@
{ config, pkgs, ... }: { home.packages = with pkgs; [ nicotine-plus ]; }
{pkgs, ...}: {home.packages = with pkgs; [nicotine-plus];}

2
home/apps/rclone.nix
View file

@ -1 +1 @@
{ config, pkgs, ... }: { home.packages = with pkgs; [ rclone ]; }
{pkgs, ...}: {home.packages = with pkgs; [rclone];}

2
home/apps/restic.nix
View file

@ -1 +1 @@
{ config, pkgs, ... }: { home.packages = with pkgs; [ restic ]; }
{pkgs, ...}: {home.packages = with pkgs; [restic];}

2
home/apps/strawberry.nix
View file

@ -1 +1 @@
{ config, pkgs, ... }: { home.packages = with pkgs; [ strawberry ]; }
{pkgs, ...}: {home.packages = with pkgs; [strawberry];}

2
home/apps/telegram.nix
View file

@ -1 +1 @@
{ config, pkgs, ... }: { home.packages = with pkgs; [ kotatogram-desktop ]; }
{pkgs, ...}: {home.packages = with pkgs; [kotatogram-desktop];}

2
home/apps/vivaldi.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }: {
{pkgs, ...}: {
home.packages = with pkgs; [
vivaldi
vivaldi-ffmpeg-codecs

5
home/base/ssh.nix
View file

@ -1,10 +1,11 @@
{lib, ...}: {
programs.ssh.enable = true;
programs.ssh.matchBlocks = (lib.mkMerge
programs.ssh.matchBlocks =
lib.mkMerge
(lib.forEach ["hetzner-vm" "storage" "vault" "buildbox"] (hostname: {
"${hostname}" = {
user = "root";
hostname = "${hostname}.servers.genderfucked.monster";
};
})));
}));
}

6
home/base/zsh.nix
View file

@ -1,5 +1,5 @@
{ config, pkgs, ... }:
let usb_data = import ../../data/usb_data.nix { };
{pkgs, ...}: let
usb_data = import ../../data/usb_data.nix {};
in {
home.packages = with pkgs; [exa bat ripgrep vault age];
programs.zsh = {
@ -12,7 +12,7 @@ in {
plugins = [];
};
shellAliases = {
nixdirfmt = "nixfmt $(fd -e nix)";
nixdirfmt = "alejandra .";
exa = "exa --time-style long-iso";
ls = "exa -G";
la = "exa -Ga";

2
home/bluetooth/bluetooth.nix
View file

@ -1,4 +1,4 @@
{ config, lib, ... }: {
{...}: {
services.blueman-applet.enable = true;
services.mpris-proxy.enable = true;
}

2
home/dev/all/deploy-rs.nix
View file

@ -1 +1 @@
{ pkgs, inputs, ... }: { home.packages = with pkgs.deploy-rs; [ deploy-rs ]; }
{pkgs, ...}: {home.packages = with pkgs.deploy-rs; [deploy-rs];}

2
home/dev/all/extra.nix
View file

@ -1,4 +1,4 @@
{ pkgs, inputs, ... }: {
{pkgs, ...}: {
home.packages = with pkgs; [
jq
ripgrep

1
home/dev/all/vcs.nix
View file

@ -1 +0,0 @@
{ pkgs, ... }: { home.packages = with pkgs; [ gitAndTools.gitFull ]; }

1
home/dev/small/small.nix
View file

@ -7,6 +7,5 @@
home.dev.all.git
home.dev.all.info
home.dev.all.network
home.dev.all.vcs
];
}

2
home/gaming/games/osu.nix
View file

@ -1 +1 @@
{ config, pkgs, ... }: { home.packages = with pkgs; [ osu-lazer ]; }
{pkgs, ...}: {home.packages = with pkgs; [osu-lazer];}

11
home/gui/base/gtk.nix
View file

@ -1,4 +1,8 @@
{ nixosConfig, pkgs, ... }: {
{
nixosConfig,
pkgs,
...
}: {
gtk = {
enable = true;
iconTheme = {
@ -11,7 +15,10 @@
};
font = {
name = "Comic Code";
size = if nixosConfig.networking.hostName == "tablet" then 10 else 16;
size =
if nixosConfig.networking.hostName == "tablet"
then 10
else 16;
package = pkgs.comic-code;
};
};

4
home/gui/base/qt.nix
View file

@ -1,6 +1,4 @@
{ config, pkgs, ... }:
{
{pkgs, ...}: {
qt = {
enable = true;
platformTheme = "gtk";

18
home/gui/environments/gnome/default.nix
View file

@ -1,5 +1,10 @@
{ tree, nixosConfig, pkgs, lib, inputs, ... }:
let
{
tree,
nixosConfig,
pkgs,
inputs,
...
}: let
hm = inputs.home-manager.lib.hm;
font-sizes-all = {
@ -13,11 +18,10 @@ let
};
};
font-sizes = if nixosConfig.networking.hostName == "tablet" then
font-sizes-all.tablet
else
font-sizes-all.default;
font-sizes =
if nixosConfig.networking.hostName == "tablet"
then font-sizes-all.tablet
else font-sizes-all.default;
in {
imports = with tree; [home.apps.kitty home.apps.rofi];

4
home/gui/environments/sway/gammastep.nix
View file

@ -1,6 +1,4 @@
{ config, lib, ... }:
{
{...}: {
services.gammastep = {
enable = true;
tray = true;

2
home/gui/environments/sway/mako.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
{...}: {
programs.mako = {
enable = true;
defaultTimeout = 3000;

33
home/gui/environments/sway/sway.nix
View file

@ -1,4 +1,10 @@
{ config, pkgs, lib, tree, ... }: {
{
config,
pkgs,
lib,
tree,
...
}: {
# import default terminal
imports = with tree; [home.apps.kitty home.apps.rofi];
@ -9,6 +15,7 @@
SDL_VIDEODRIVER = "wayland";
QT_QPA_PLATFORM = "wayland";
QT_WAYLAND_DISABLE_WINDOWDECORATION = 1;
# For Ghidra to make windows work properly
_JAVA_AWT_WM_NONREPARENTING = 1;
XCURSOR_SIZE = 64;
QT_AUTO_SCREEN_SCALE_FACTOR = 1;
@ -48,12 +55,10 @@
size = 14.0;
};
statusCommand = lib.escapeShellArgs [
#"/home/chaoticryptidz/Projects/gobar/gobar "
"${pkgs.gobar}/bin/gobar"
"-config"
"cpu\\|mem\\|weather\\(Leighton\\ Buzzard\\)\\|bat\\(BAT0\\)\\|time"
];
}
{command = "${pkgs.waybar}/bin/waybar";}
];
@ -98,7 +103,8 @@
titlebar = false;
};
keybindings = {
keybindings =
{
"${cfg.modifier}+Return" = "exec ${cfg.terminal}";
"${cfg.modifier}+Left" = "focus left";
@ -114,17 +120,13 @@
"${cfg.modifier}+Shift+space" = "floating toggle";
"${cfg.modifier}+space" = "focus mode_toggle";
"XF86AudioRaiseVolume" =
"exec ${pactl} set-sink-volume @DEFAULT_SINK@ +5%";
"XF86AudioLowerVolume" =
"exec ${pactl} set-sink-volume @DEFAULT_SINK@ -5%";
"XF86AudioRaiseVolume" = "exec ${pactl} set-sink-volume @DEFAULT_SINK@ +5%";
"XF86AudioLowerVolume" = "exec ${pactl} set-sink-volume @DEFAULT_SINK@ -5%";
"XF86AudioMute" = "exec ${pactl} set-sink-mute @DEFAULT_SINK@ toggle";
"XF86AudioMicMute" =
"exec ${pactl} set-source-mute @DEFAULT_SOURCE@ toggle";
"XF86AudioMicMute" = "exec ${pactl} set-source-mute @DEFAULT_SOURCE@ toggle";
"XF86MonBrightnessDown" = "exec sudo xbacklight -time 1 -dec +5";
"XF86MonBrightnessUp" = "exec sudo xbacklight -time 1 -inc +5";
"Print" =
"exec ${pkgs.grim}/bin/grim -t png - | ${pkgs.wl-clipboard}/bin/wl-copy -t image/png";
"Print" = "exec ${pkgs.grim}/bin/grim -t png - | ${pkgs.wl-clipboard}/bin/wl-copy -t image/png";
"Shift+Print" = ''
exec ${pkgs.grim}/bin/grim -t png -g "$(${pkgs.slurp}/bin/slurp -d)" - | ${pkgs.wl-clipboard}/bin/wl-copy -t image/png'';
@ -135,12 +137,11 @@
"${cfg.modifier}+Shift+c" = "reload";
"${cfg.modifier}+r" = "mode resize";
} // (lib.foldl lib.recursiveUpdate { } (map (workspace: {
}
// (lib.foldl lib.recursiveUpdate {} (map (workspace: {
"${cfg.modifier}+${workspace}" = "workspace ${workspace}";
"${cfg.modifier}+Shift+${workspace}" =
"move container to workspace ${workspace}";
"${cfg.modifier}+Shift+${workspace}" = "move container to workspace ${workspace}";
}) ["1" "2" "3" "4" "5" "6" "7" "8" "9"]));
};
};
}

9
home/gui/environments/sway/waybar-bottom.nix
View file

@ -1,12 +1,13 @@
_: {
{...}: {
programs.waybar = {
enable = true;
settings = [{
settings = [
{
position = "bottom";
modules-left = [];
modules-center = [];
modules-right = ["tray"];
}];
}
];
};
}

2
home/gui/environments/sway/zsh-autostart.nix
View file

@ -1,4 +1,4 @@
_: {
{...}: {
programs.zsh.profileExtra = ''
# If running from tty1 start sway
if [ "$(tty)" = "/dev/tty1" ]; then

12
home/home-folders.nix
View file

@ -1,6 +1,9 @@
{ config, lib, ... }: {
systemd.user.tmpfiles.rules = (map (dir:
"d ${config.home.homeDirectory}/${dir} - ${config.home.username} users") [
{
config,
lib,
...
}: {
systemd.user.tmpfiles.rules = map (dir: "d ${config.home.homeDirectory}/${dir} - ${config.home.username} users") [
"Projects"
"Temp"
"Music"
@ -10,7 +13,8 @@
"Mounts/Backups"
"Mounts/Backups-Crypt"
"Mounts/Photos-Crypt"
"Mounts/Public"
"Mounts/Temp1"
"Mounts/Temp2"
]);
];
}

18
home/programming/editors/vscode.nix
View file

@ -1,7 +1,17 @@
{ config, nixosConfig, pkgs, ... }:
let
font-size = if nixosConfig.networking.hostName == "tablet" then 18 else 24;
zoom-level = if nixosConfig.networking.hostName == "tablet" then -2 else 0;
{
config,
nixosConfig,
pkgs,
...
}: let
font-size =
if nixosConfig.networking.hostName == "tablet"
then 18
else 24;
zoom-level =
if nixosConfig.networking.hostName == "tablet"
then -2
else 0;
in {
programs.vscode-mod = {
enable = true;

4
home/programming/languages/go.nix
View file

@ -1,6 +1,4 @@
{ config, pkgs, ... }:
{
{pkgs, ...}: {
home.packages = with pkgs; [go gopls go-outline gotools];
programs.vscode-mod.extensions = with pkgs; [vscode-extensions.golang.go];
}

14
home/programming/languages/nix.nix
View file

@ -1,14 +1,16 @@
{ config, pkgs, ... }:
{
home.packages = with pkgs; [ nixfmt ];
{pkgs, ...}: {
home.packages = with pkgs; [alejandra];
programs.vscode-mod.extensions = with pkgs; [
vscode-extensions.bbenoist.nix
vscode-extensions.brettm12345.nixfmt-vscode
vscode-extensions.kamadorueda.alejandra
];
programs.vscode-mod.userSettings."[nix]" = {
"editor.defaultFormatter" = "brettm12345.nixfmt-vscode";
"editor.defaultFormatter" = "kamadorueda.alejandra";
"editor.formatOnSave" = true;
};
programs.vscode-mod.userSettings = {
"alejandra.program" = "alejandra";
};
}

3
home/programming/languages/rust.nix
View file

@ -1,6 +1,5 @@
{pkgs, ...}: {
programs.vscode-mod.extensions = with pkgs;
[ vscode-extensions.matklad.rust-analyzer ];
programs.vscode-mod.extensions = with pkgs; [vscode-extensions.matklad.rust-analyzer];
home.packages = with pkgs; [rustc cargo clippy rust-analyzer rustfmt];
home.sessionVariables = {RUST_SRC_PATH = pkgs.rustPlatform.rustLibSrc;};
}

2
home/reversing/reversing.nix
View file

@ -2,7 +2,7 @@
home.packages = with pkgs; [
binwalk
file
binutils # strings
binutils
diffoscope
];
}

4
home/ssh-usb.nix
View file

@ -1,5 +1,5 @@
{ ... }:
let usb_data = (import ../data/usb_data.nix { });
{...}: let
usb_data = import ../data/usb_data.nix {};
in {
programs.ssh.matchBlocks."*".identityFile = "${usb_data.ssh_priv_path}";
programs.git.extraConfig = {

10
hosts/buildbox/buildbox.nix
View file

@ -1,5 +1,10 @@
{ modulesPath, tree, config, pkgs, lib, ... }:
let secrets = config.services.secrets.secrets;
{
tree,
config,
pkgs,
...
}: let
secrets = config.services.secrets.secrets;
in {
imports = with tree; [
users.root
@ -109,4 +114,3 @@ in {
system.stateVersion = "22.05";
}

5
hosts/buildbox/hardware.nix
View file

@ -1,7 +1,6 @@
{ config, lib, pkgs, modulesPath, ... }: {
{config, ...}: {
boot.initrd.kernelModules = ["dm-snapshot"];
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
boot.kernelModules = ["kvm-amd"];
boot.initrd.services.swraid.mdadmConf =

2
hosts/buildbox/secrets.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ... }: {
{...}: {
services.secrets = {
enable = true;

22
hosts/darwin.nix
View file

@ -1,8 +1,16 @@
{ self, nixpkgs-unstable, nix-darwin-unstable, tree, ... }@inputs:
let
defaultSpecialArgs = defaults.defaultSpecialArgs // {
inputs = inputs // {
{
self,
nixpkgs-unstable,
nix-darwin-unstable,
tree,
...
} @ inputs: let
defaultSpecialArgs =
defaults.defaultSpecialArgs
// {
inputs =
inputs
// {
# set these to the correct versions from inputs
nixpkgs = inputs.nixpkgs-unstable;
home-manager = inputs.home-manager-unstable;
@ -10,7 +18,9 @@ let
};
};
defaultModules = defaults.defaultModules ++ [
defaultModules =
defaults.defaultModules
++ [
# NO_INLINE
tree.impure.profiles.base-darwin
inputs.home-manager-unstable.darwinModules.home-manager

11
hosts/hetzner-vm/hetzner-vm.nix
View file

@ -1,6 +1,11 @@
{ modulesPath, tree, config, pkgs, lib, ... }:
{
modulesPath,
tree,
config,
pkgs,
lib,
...
}: {
imports = with tree; [
users.root
@ -19,7 +24,6 @@
hosts.hetzner-vm.profiles.mpd
hosts.hetzner-vm.profiles.mailserver
hosts.hetzner-vm.profiles.gitlab-static-sites
#hosts.hetzner-vm.profiles.lappy-dev
hosts.hetzner-vm.profiles.misskey
hosts.hetzner-vm.profiles.wireguard
@ -40,4 +44,3 @@
system.stateVersion = "22.05";
}

44
hosts/hetzner-vm/modules/mailserver/default.nix
View file

@ -1,6 +1,10 @@
{ config, lib, ... }:
with lib;
let cfg = config.mailserver;
{
config,
lib,
...
}:
with lib; let
cfg = config.mailserver;
in {
options.mailserver = {
enable = mkEnableOption "mailserver";
@ -10,7 +14,7 @@ in {
domains = mkOption {type = types.listOf types.str;};
ssl_config = mkOption {
type = (types.submodule {
type = types.submodule {
options = {
useACME = mkOption {
type = types.bool;
@ -25,7 +29,7 @@ in {
default = "/var/lib/acme/${cfg.fqdn}/key.pem";
};
};
});
};
default = {};
};
@ -46,7 +50,11 @@ in {
accounts = mkOption {
# where name = email for login
type = types.attrsOf (types.submodule ({ config, name, ... }: {
type = types.attrsOf (types.submodule ({
config,
name,
...
}: {
options = {
name = mkOption {
type = types.str;
@ -59,10 +67,16 @@ in {
}));
};
extra_aliases_file = mkOption {
type = types.nullOr types.str;
default = null;
};
sieve_directory = mkOption {
type = types.str;
default = "/var/sieve";
};
dkim_directory = mkOption {
type = types.str;
default = "/var/dkim";
@ -79,22 +93,30 @@ in {
};
vmail_config = mkOption {
type = (types.submodule {
type = types.submodule {
options = {
user_group_name = mkOption {
user = mkOption {
type = types.str;
default = "vmail";
};
user_group_id = mkOption {
group = mkOption {
type = types.str;
default = "${cfg.vmail_config.user}";
};
user_id = mkOption {
type = types.number;
default = 5000;
};
group_id = mkOption {
type = types.number;
default = cfg.vmail_config.user_id;
};
directory = mkOption {
type = types.str;
default = "/home/${cfg.vmail_config.user_group_name}";
default = "/home/${cfg.vmail_config.user}";
};
};
};
});
default = {};
};
};

65
hosts/hetzner-vm/modules/mailserver/dovecot.nix
View file

@ -1,13 +1,20 @@
{ config, pkgs, lib, ... }:
let
{
config,
pkgs,
lib,
...
}: let
mail_config = config.mailserver;
vmail_config = mail_config.vmail_config;
passwdDir = "/run/dovecot2";
passwdFile = "${passwdDir}/passwd";
bool2int = x: if x then "1" else "0";
# maildir in format "/${domain}/${user}"
dovecotMaildir = "maildir:${mail_config.vmail_config.directory}/%d/%n";
bool2int = x:
if x
then "1"
else "0";
postfixCfg = config.services.postfix;
dovecot2Cfg = config.services.dovecot2;
@ -29,7 +36,7 @@ let
for f in ${
builtins.toString
(lib.mapAttrsToList (name: value: passwordFiles."${name}")
(lib.mapAttrsToList (name: value: value.passwordFile)
mail_config.accounts)
}; do
if [ ! -f "$f" ]; then
@ -39,13 +46,10 @@ let
done
cat <<EOF > ${passwdFile}
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
"${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}:${
builtins.toString mail_config.vmail_config.user_group_id
}:${
builtins.toString mail_config.vmail_config.user_group_id
}::${mail_config.vmail_config.directory}:/run/current-system/sw/bin/nologin:")
mail_config.accounts)}
${
lib.concatStringsSep "\n"
(lib.mapAttrsToList (name: value: "${name}:$(head -n 1 ${value.passwordFile})") mail_config.accounts)
}
EOF
chmod 600 ${passwdFile}
@ -68,20 +72,24 @@ let
'';
};
in {
config = (lib.mkIf (mail_config.enable) {
config = lib.mkIf (mail_config.enable) {
services.dovecot2 = {
enable = true;
enableImap = true;
enablePop3 = false;
enablePAM = false;
enableLmtp = true;
enableQuota = true;
mailGroup = mail_config.vmail_config.user_group_name;
mailUser = mail_config.vmail_config.user_group_name;
mailLocation = dovecotMaildir;
enablePop3 = false;
enablePAM = false; # Not using PAM for Auth
mailUser = vmail_config.user;
mailGroup = vmail_config.group;
mailLocation = "maildir:${vmail_config.directory}/%d/%n";
sslServerCert = mail_config.ssl_config.cert;
sslServerKey = mail_config.ssl_config.key;
enableLmtp = true;
modules = [ pkgs.dovecot_pigeonhole ];
# For Sieve
modules = with pkgs; [dovecot_pigeonhole];
protocols = ["sieve"];
sieveScripts = {
@ -136,7 +144,6 @@ in {
mail_plugins = $mail_plugins imap_sieve
}
mail_access_groups = "${mail_config.vmail_config.user_group_name}"
ssl = required
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
@ -156,12 +163,14 @@ in {
mail_plugins = $mail_plugins sieve
}
passdb {
driver = passwd-file
args = ${passwdFile}
}
mail_access_groups = "${vmail_config.group}"
userdb {
driver = static
args = uid=${toString vmail_config.user_id} gid=${toString vmail_config.group_id}
}
passdb {
driver = passwd-file
args = ${passwdFile}
}
@ -213,5 +222,5 @@ in {
};
systemd.services.postfix.restartTriggers = [genPasswdScript];
});
};
}

10
hosts/hetzner-vm/modules/mailserver/firewall.nix
View file

@ -1,4 +1,11 @@
{ ... }: {
{
lib,
config,
...
}: let
mail_config = config.mailserver;
in {
config = lib.mkIf config.mailserver.enable {
networking.firewall = {
allowedTCPPorts = [
# SMTP
@ -15,4 +22,5 @@
4190
];
};
};
}

47
hosts/hetzner-vm/modules/mailserver/opendkim.nix
View file

@ -1,5 +1,10 @@
{ config, lib, pkgs, ... }:
let
{
config,
lib,
pkgs,
...
}:
with lib; let
mail_config = config.mailserver;
dkimUser = config.services.opendkim.user;
dkimGroup = config.services.opendkim.group;
@ -9,8 +14,7 @@ let
domains = mail_config.domains;
createDomainDkimCert = dom:
let
createDomainDkimCert = dom: let
dkim_key = "${keyDir}/${dom}.${selector}.key";
dkim_txt = "${keyDir}/${dom}.${selector}.txt";
in ''
@ -27,20 +31,22 @@ let
'';
createAllCerts =
lib.concatStringsSep "\n" (map createDomainDkimCert mail_config.domains);
concatStringsSep "\n" (map createDomainDkimCert mail_config.domains);
keyTable = pkgs.writeText "opendkim-KeyTable" (lib.concatStringsSep "\n"
(lib.flip map domains
keyTable = pkgs.writeText "opendkim-KeyTable" (concatStringsSep "\n"
(flip map domains
(dom: "${dom} ${dom}:${selector}:${keyDir}/${dom}.${selector}.key")));
signingTable = pkgs.writeText "opendkim-SigningTable"
(lib.concatStringsSep "\n" (lib.flip map domains (dom: "${dom} ${dom}")));
signingTable =
pkgs.writeText "opendkim-SigningTable"
(concatStringsSep "\n" (flip map domains (dom: "${dom} ${dom}")));
dkim = config.services.opendkim;
args = [ "-f" "-l" ]
++ lib.optionals (dkim.configFile != null) [ "-x" dkim.configFile ];
args =
["-f" "-l"]
++ optionals (dkim.configFile != null) ["-x" dkim.configFile];
in {
config = (lib.mkIf (mail_config.enable) {
config = mkIf (mail_config.enable) {
services.opendkim = {
enable = true;
selector = selector;
@ -52,26 +58,27 @@ in {
Socket ${dkim.socket}
KeyTable file:${keyTable}
SigningTable file:${signingTable}
'' + (lib.optionalString mail_config.debug_mode ''
''
+ (optionalString mail_config.debug_mode ''
Syslog yes
SyslogSuccess yes
LogWhy yes
''));
};
users.users =
lib.optionalAttrs (config.services.postfix.user == "postfix") {
users.users = optionalAttrs (config.services.postfix.user == "postfix") {
postfix.extraGroups = ["${dkimGroup}"];
};
systemd.services.opendkim = {
preStart = lib.mkForce createAllCerts;
preStart = mkForce createAllCerts;
serviceConfig = {
ExecStart = lib.mkForce
"${pkgs.opendkim}/bin/opendkim ${lib.escapeShellArgs args}";
PermissionsStartOnly = lib.mkForce false;
ExecStart =
mkForce
"${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}";
PermissionsStartOnly = mkForce false;
};
};
systemd.tmpfiles.rules = ["d '${keyDir}' - ${dkimUser} ${dkimGroup} - -"];
});
};
}

89
hosts/hetzner-vm/modules/mailserver/postfix.nix
View file

@ -1,16 +1,18 @@
{ config, pkgs, lib, ... }:
let
{
config,
pkgs,
lib,
...
}: let
mail_config = config.mailserver;
submissionHeaderCleanupRules =
pkgs.writeText "submission_header_cleanup_rules" (''
submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
/^Received:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
/^X-Enigmail:/ IGNORE
/^Message-ID:\s+<(.*?)@.*?>/ REPLACE Message-ID: <$1@${mail_config.fqdn}>
'');
'';
inetSocket = addr: port: "inet:[${toString port}@${addr}]";
unixSocket = sock: "unix:${sock}";
@ -22,30 +24,29 @@ let
# valiases_postfix :: Map String [String]
valiases_postfix = mergeLookupTables (lib.flatten (lib.mapAttrsToList
(name: value:
let to = name;
in map (from: { "${from}" = to; }) (value.aliases ++ lib.singleton name))
(name: value: let
to = name;
in
map (from: {"${from}" = to;}) (value.aliases ++ lib.singleton name))
mail_config.accounts));
# all_valiases_postfix :: Map String [String]
all_valiases_postfix = mergeLookupTables [valiases_postfix];
# lookupTableToString :: Map String [String] -> String
lookupTableToString = attrs:
let valueToString = value: lib.concatStringsSep ", " value;
in lib.concatStringsSep "\n"
lookupTableToString = attrs: let
valueToString = value: lib.concatStringsSep ", " value;
in
lib.concatStringsSep "\n"
(lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs);
# valiases_file :: Path
valiases_file = let
content = lookupTableToString (mergeLookupTables [ all_valiases_postfix ]);
in builtins.toFile "valias" content;
# vhosts_file :: Path
vhosts_file =
builtins.toFile "vhosts" (lib.concatStringsSep "\n" mail_config.domains);
vaccounts_file =
builtins.toFile "vaccounts" (lookupTableToString all_valiases_postfix);
aliases_accounts_file = let
content = lookupTableToString (mergeLookupTables [all_valiases_postfix]);
in
builtins.toFile "aliases_accounts" content;
mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
@ -61,27 +62,42 @@ let
smtpd_client_restrictions = "permit_sasl_authenticated,reject";
smtpd_sender_login_maps = "hash:/etc/postfix/vaccounts";
smtpd_sender_restrictions = "reject_sender_login_mismatch";
smtpd_recipient_restrictions =
"reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
cleanup_service_name = "submission-header-cleanup";
};
tls_allowed = "TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3";
tls_disallow = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL";
in {
config = (lib.mkIf (mail_config.enable) {
config = lib.mkIf (mail_config.enable) {
systemd.tmpfiles.rules = lib.mkIf (mail_config.extra_aliases_file != null) [
# folder to store the extra aliases file
"f /run/postfix_extra_aliases 660 root root"
];
systemd.services.postfix-extra-aliases-setup = lib.mkIf (mail_config.extra_aliases_file != null) {
wantedBy = ["multi-user.target"];
partOf = ["postfix.service"];
before = ["postfix-setup.service"];
script = ''
cat ${aliases_accounts_file} ${mail_config.extra_aliases_file} > /run/postfix_extra_aliases
'';
};
services.postfix = {
enable = true;
hostname = "${mail_config.fqdn}";
networksStyle = "host";
mapFiles."valias" = valiases_file;
mapFiles."vaccounts" = vaccounts_file;
mapFiles."aliases_accounts" =
if (mail_config.extra_aliases_file == null)
then aliases_accounts_file
else "/run/postfix_extra_aliases";
sslCert = mail_config.ssl_config.cert;
sslKey = mail_config.ssl_config.key;
enableSubmission = true;
enableSubmissions = true;
virtual =
lookupTableToString (mergeLookupTables [ all_valiases_postfix ]);
config = {
# Extra Config
@ -91,13 +107,12 @@ in {
disable_vrfy_command = true;
message_size_limit = "20971520";
virtual_uid_maps =
"static:${toString mail_config.vmail_config.user_group_id}";
virtual_gid_maps =
"static:${toString mail_config.vmail_config.user_group_id}";
virtual_uid_maps = "static:${toString mail_config.vmail_config.user_id}";
virtual_gid_maps = "static:${toString mail_config.vmail_config.group_id}";
virtual_mailbox_base = "${mail_config.vmail_config.directory}";
virtual_mailbox_domains = vhosts_file;
virtual_mailbox_maps = mappedFile "valias";
virtual_mailbox_maps = mappedFile "aliases_accounts";
virtual_alias_maps = mappedFile "aliases_accounts";
virtual_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
lmtp_destination_recipient_limit = "1";
@ -118,11 +133,7 @@ in {
"check_policy_service unix:private/policy-spf"
];
# TLS settings, inspired by https://github.com/jeaye/nix-files
# Submission by mail clients is handled in submissionOptions
smtpd_tls_security_level = "may";
# strong might suffice and is computationally less expensive
smtpd_tls_eecdh_grade = "ultra";
# Only Alow Modern TLS
@ -158,9 +169,7 @@ in {
non_smtpd_milters = ["unix:/run/opendkim/opendkim.sock"];
milter_protocol = "6";
milter_mail_macros =
"i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}";
};
submissionOptions = submissionOptions;
@ -193,5 +202,5 @@ in {
};
};
};
});
};
}

29
hosts/hetzner-vm/modules/mailserver/rspamd.nix
View file

@ -1,16 +1,17 @@
{ config, pkgs, lib, ... }:
let
{
config,
lib,
...
}: let
mail_config = config.mailserver;
ports = (import ../../ports.nix { });
ports = import ../../ports.nix {};
postfixCfg = config.services.postfix;
rspamdCfg = config.services.rspamd;
rspamdSocket = "rspamd.service";
in {
config = (lib.mkIf (mail_config.enable) {
config = lib.mkIf (mail_config.enable) {
services.rspamd = {
enable = true;
debug = mail_config.debug_mode;
@ -51,10 +52,12 @@ in {
workers.rspamd_proxy = {
type = "rspamd_proxy";
bindSockets = [{
bindSockets = [
{
socket = "/run/rspamd/rspamd-milter.sock";
mode = "0664";
}];
}
];
count = 1;
extraConfig = ''
milter = yes;
@ -69,13 +72,14 @@ in {
workers.controller = {
type = "controller";
count = 1;
bindSockets = [{
bindSockets = [
{
socket = "/run/rspamd/worker-controller.sock";
mode = "0666";
}];
}
];
includes = [];
};
};
services.redis.servers.rspamd = {
@ -94,6 +98,5 @@ in {
};
users.extraUsers.${postfixCfg.user}.extraGroups = [rspamdCfg.group];
});
};
}

12
hosts/hetzner-vm/modules/mailserver/ssl.nix
View file

@ -1,10 +1,12 @@
{ config, pkgs, lib, ... }:
let
{
config,
lib,
...
}: let
mail_config = config.mailserver;
acmeRoot = "/var/lib/acme/acme-challenge";
in {
config = (lib.mkIf (mail_config.enable && mail_config.ssl_config.useACME) {
config = lib.mkIf (mail_config.enable && mail_config.ssl_config.useACME) {
services.nginx = {
enable = true;
virtualHosts."${mail_config.fqdn}" = {
@ -19,5 +21,5 @@ in {
security.acme.certs."${mail_config.fqdn}" = {
reloadServices = ["postfix.service" "dovecot2.service"];
};
});
};
}

51
hosts/hetzner-vm/modules/mailserver/vmail.nix
View file

@ -1,12 +1,18 @@
{ config, pkgs, lib, ... }:
let
{
config,
pkgs,
lib,
...
}: let
mail_config = config.mailserver;
v = mail_config.vmail_config;
vmail_config = mail_config.vmail_config;
vmail_user = vmail_config.user;
vmail_group = vmail_config.group;
sieve_directory = mail_config.sieve_directory;
virtualMailUsersActivationScript =
pkgs.writeScript "activate-virtual-mail-users" ''
virtualMailUsersActivationScript = pkgs.writeScript "activate-virtual-mail-users" ''
#!${pkgs.stdenv.shell}
set -euo pipefail
@ -14,24 +20,29 @@ let
# Create directory to store user sieve scripts if it doesn't exist
if (! test -d "${sieve_directory}"); then
mkdir "${sieve_directory}"
chown "${v.user_group_name}:${v.user_group_name}" "${sieve_directory}"
chown "${vmail_user}:${vmail_group}" "${sieve_directory}"
chmod 770 "${sieve_directory}"
fi
# Copy user's sieve script to the correct location (if it exists). If it
# is null, remove the file.
${lib.concatMapStringsSep "\n" ({ name, sieveScript }:
if lib.isString sieveScript then ''
${lib.concatMapStringsSep "\n" ({
name,
sieveScript,
}:
if lib.isString sieveScript
then ''
if (! test -d "${sieve_directory}/${name}"); then
mkdir -p "${sieve_directory}/${name}"
chown "${v.user_group_name}:${v.user_group_name}" "${sieve_directory}/${name}"
chown "${vmail_user}:${vmail_group}" "${sieve_directory}/${name}"
chmod 770 "${sieve_directory}/${name}"
fi
cat << 'EOF' > "${sieve_directory}/${name}/default.sieve"
${sieveScript}
EOF
chown "${v.user_group_name}:${v.user_group_name}" "${sieve_directory}/${name}/default.sieve"
'' else ''
chown "${vmail_user}:${vmail_group}" "${sieve_directory}/${name}/default.sieve"
''
else ''
if (test -f "${sieve_directory}/${name}/default.sieve"); then
rm "${sieve_directory}/${name}/default.sieve"
fi
@ -41,23 +52,23 @@ let
'') (map (user: {inherit (user) name sieveScript;})
(lib.attrValues mail_config.accounts))}
'';
in {
config = (lib.mkIf (mail_config.enable) {
users.users."${v.user_group_name}" = {
name = "${v.user_group_name}";
config = lib.mkIf (mail_config.enable) {
users.users."${vmail_user}" = {
isSystemUser = true;
uid = v.user_group_id;
home = v.directory;
home = vmail_config.directory;
createHome = true;
group = "${v.user_group_name}";
uid = vmail_config.user_id;
group = "${vmail_group}";
};
users.groups."${v.user_group_name}" = { gid = v.user_group_id; };
users.groups."${vmail_group}" = {gid = vmail_config.group_id;};
systemd.services.activate-virtual-mail-users = {
wantedBy = ["multi-user.target"];
before = ["dovecot2.service"];
serviceConfig = {ExecStart = virtualMailUsersActivationScript;};
enable = true;
};
});
};
}

12
hosts/hetzner-vm/modules/mailserver/webmail.nix
View file

@ -1,7 +1,11 @@
{ config, lib, ... }:
let mail_config = config.mailserver;
{
config,
lib,
...
}: let
mail_config = config.mailserver;
in {
config = (lib.mkIf (mail_config.enable && mail_config.enable_roundcube) {
config = lib.mkIf (mail_config.enable && mail_config.enable_roundcube) {
services.roundcube = {
enable = true;
hostName = "${mail_config.roundcube_url}";
@ -14,5 +18,5 @@ in {
${mail_config.extra_roundcube_config}
'';
};
});
};
}

55
hosts/hetzner-vm/modules/piped/backend.nix
View file

@ -1,9 +1,14 @@
{ config, lib, pkgs, ... }:
with lib;
let
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.piped;
backend_config = {
backend_config =
{
PORT = cfg.internalBackendPort;
HTTP_WORKERS = cfg.httpWorkers;
PROXY_PART = "https://${cfg.proxyDomain}";
@ -13,7 +18,7 @@ let
COMPROMISED_PASSWORD_CHECK = cfg.enableCompromisedPasswordCheck;
FEED_RETENTION = cfg.feedRetentionDays;
SUBSCRIPTIONS_EXPIRY = cfg.subscriptionRetentionDays;
SPONSORBLOCK_SERVERS = lib.concatStringsSep "," cfg.sponsorblockServers;
SPONSORBLOCK_SERVERS = concatStringsSep "," cfg.sponsorblockServers;
DISABLE_RYD = cfg.disableRYD;
DISABLE_LBRY = cfg.disableLBRYStreams;
RYD_PROXY_URL = cfg.rydAPIURL;
@ -23,27 +28,32 @@ let
"hibernate.dialect" = "org.hibernate.dialect.PostgreSQLDialect";
"hibernate.connection.username" = "piped";
"hibernate.connection.password" = "password";
} // (optionalAttrs cfg.enableCaptcha {
}
// (optionalAttrs cfg.enableCaptcha {
CAPTCHA_API_URL = cfg.captchaAPIURL;
# This is substituted in the PreStart of piped-backend.service
CAPTCHA_API_KEY = if cfg.captchaAPIKeyFile != "" then
"CAPTCHA_API_KEY_FILE"
else
cfg.captchaAPIKey;
}) // (optionalAttrs cfg.enableFederation {
CAPTCHA_API_KEY =
if cfg.captchaAPIKeyFile != ""
then "CAPTCHA_API_KEY_FILE"
else cfg.captchaAPIKey;
})
// (optionalAttrs cfg.enableFederation {
MATRIX_SERVER = cfg.matrixServerAddr;
# also substituted
MATRIX_TOKEN = if cfg.matrixTokenFile != "" then
"MATRIX_TOKEN_FILE"
else
cfg.matrixToken;
MATRIX_TOKEN =
if cfg.matrixTokenFile != ""
then "MATRIX_TOKEN_FILE"
else cfg.matrixToken;
});
cfgToString = v: if builtins.isBool v then boolToString v else toString v;
backend_config_file = pkgs.writeText "config.properties"
cfgToString = v:
if builtins.isBool v
then boolToString v
else toString v;
backend_config_file =
pkgs.writeText "config.properties"
(concatStringsSep "\n"
(mapAttrsToList (n: v: "${n}:${cfgToString v}") backend_config));
in {
config = lib.mkIf (cfg.enable && !cfg.disableBackend) {
systemd.tmpfiles.rules = ["d /run/piped-backend - piped piped"];
@ -52,7 +62,8 @@ in {
wantedBy = ["multi-user.target"];
serviceConfig = {
WorkingDirectory = "/run/piped-backend";
ExecStartPre = let confFile = "/run/piped-backend/config.properties";
ExecStartPre = let
confFile = "/run/piped-backend/config.properties";
in "${pkgs.writeShellScript "piped-backend-init" ''
[ -f "${confFile}" ] && rm ${confFile}
cp ${backend_config_file} ${confFile}
@ -96,10 +107,12 @@ in {
services.postgresql = {
enable = true;
ensureUsers = [{
ensureUsers = [
{
name = "piped";
ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
}];
}
];
ensureDatabases = ["piped"];
};

22
hosts/hetzner-vm/modules/piped/default.nix
View file

@ -1,6 +1,11 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.services.piped;
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.piped;
in {
options.services.piped = {
enable = mkEnableOption "piped";
@ -58,8 +63,7 @@ in {
sponsorblockServers = mkOption {
type = types.listOf types.str;
default =
[ "https://sponsor.ajay.app" "https://sponsorblock.kavin.rocks" ];
default = ["https://sponsor.ajay.app" "https://sponsorblock.kavin.rocks"];
description = "Days subscriptions are stored for unauthenticated users";
};
@ -72,15 +76,13 @@ in {
disableLBRYStreams = mkOption {
type = types.bool;
default = false;
description =
"Disable showing streams provided by LBRY Youtube Partnership";
description = "Disable showing streams provided by LBRY Youtube Partnership";
};
enableCompromisedPasswordCheck = mkOption {
type = types.bool;
default = true;
description =
"Use the haveibeenpwned API to check if user password have been compromised";
description = "Use the haveibeenpwned API to check if user password have been compromised";
};
enableCaptcha = mkOption {
@ -174,7 +176,7 @@ in {
};
};
config = lib.mkIf (cfg.enable && (!cfg.disableBackend || !cfg.disableProxy)) {
config = mkIf (cfg.enable && (!cfg.disableBackend || !cfg.disableProxy)) {
users.users."piped" = {
isSystemUser = true;
group = "piped";

14
hosts/hetzner-vm/modules/piped/frontend.nix
View file

@ -1,11 +1,15 @@
{ config, lib, pkgs, ... }:
with lib;
let
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.piped;
frontend-package =
(pkgs.piped-frontend.override { backendDomain = cfg.backendDomain; });
pkgs.piped-frontend.override {backendDomain = cfg.backendDomain;};
in {
config = lib.mkIf (cfg.enable && !cfg.disableFrontend) {
config = mkIf (cfg.enable && !cfg.disableFrontend) {
services.nginx.virtualHosts."${cfg.frontendDomain}" = {
forceSSL = true;
enableACME = true;

22
hosts/hetzner-vm/modules/piped/proxy.nix
View file

@ -1,6 +1,10 @@
{ config, lib, pkgs, ... }:
with lib;
let
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.piped;
proxy_nginx_extras = ''
@ -23,11 +27,11 @@ let
access_log off;
'';
in {
config = lib.mkIf (cfg.enable && !cfg.disableProxy) {
config = mkIf (cfg.enable && !cfg.disableProxy) {
systemd.services.piped-proxy = {
wantedBy = ["multi-user.target"];
environment.BIND = "0.0.0.0:${toString cfg.internalProxyPort}";
environment.IPV4_ONLY = lib.mkIf cfg.proxyIPv4Only "1";
environment.IPV4_ONLY = mkIf cfg.proxyIPv4Only "1";
serviceConfig = {
WorkingDirectory = "/run/piped-proxy";
ExecStart = "${pkgs.piped-proxy}/bin/piped-proxy";
@ -53,13 +57,17 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString cfg.internalProxyPort}";
extraConfig = proxy_nginx_extras + ''
extraConfig =
proxy_nginx_extras
+ ''
add_header Cache-Control "public, max-age=604800";
'';
};
locations."~ (/videoplayback|/api/v4/|/api/manifest/)" = {
proxyPass = "http://localhost:${toString cfg.internalProxyPort}";
extraConfig = proxy_nginx_extras + ''
extraConfig =
proxy_nginx_extras
+ ''
add_header Cache-Control private always;
'';
};

4
hosts/hetzner-vm/profiles/gitlab-static-sites.nix
View file

@ -1,5 +1,5 @@
{ config, ... }:
let secrets = config.services.secrets.secrets;
{config, ...}: let
secrets = config.services.secrets.secrets;
in {
services.gitlab_artifacts_sync = {
enable = true;

4
hosts/hetzner-vm/profiles/invidious.nix
View file

@ -1,5 +1,5 @@
{ inputs, pkgs, ... }:
let ports = (import ../ports.nix { });
{...}: let
ports = import ../ports.nix {};
in {
services.invidious = {
enable = true;

10
hosts/hetzner-vm/profiles/lappy-dev.nix
View file

@ -1,10 +0,0 @@
{ ... }: {
services.nginx.virtualHosts."lappy-dev.owo.monster" = {
forceSSL = true;
enableACME = true;
locations = {
"/".proxyPass =
"http://lappy.tailscale-internal.genderfucked.monster:8088";
};
};
}

6
hosts/hetzner-vm/profiles/mailserver.nix
View file

@ -1,5 +1,5 @@
{ config, ... }:
let secrets = config.services.secrets.secrets;
{config, ...}: let
secrets = config.services.secrets.secrets;
in {
config.mailserver = {
enable = true;
@ -14,6 +14,8 @@ in {
$config['username_domain_forced'] = true;
'';
extra_aliases_file = "/tmp/e";
accounts = {
"chaos@owo.monster" = {
name = "chaos@owo.monster";

23
hosts/hetzner-vm/profiles/misskey.nix
View file

@ -1,6 +1,9 @@
{ pkgs, tree, ... }:
let
ports = (import ../ports.nix { });
{
pkgs,
tree,
...
}: let
ports = import ../ports.nix {};
misskeyDomain = "social.owo.monster";
@ -41,9 +44,9 @@ let
outgoingAddressFamily = "dual";
};
misskeyConfigFile = builtins.toFile "default.yml"
misskeyConfigFile =
builtins.toFile "default.yml"
(pkgs.lib.generators.toYAML {} misskeyConfig);
in {
users.users."misskey" = {
isNormalUser = true;
@ -104,8 +107,7 @@ in {
User = "misskey";
WorkingDirectory = "/home/misskey/misskey";
ExecStartPre = "${pkgs.yarn}/bin/yarn migrate";
ExecStart =
"${pkgs.nodejs}/bin/node --experimental-json-modules packages/backend/built/index.js";
ExecStart = "${pkgs.nodejs}/bin/node --experimental-json-modules packages/backend/built/index.js";
#TimeoutSec = 60;
#StandardOutput = "syslog";
#StandardError = "syslog";
@ -127,10 +129,12 @@ in {
services.postgresql = {
enable = true;
ensureUsers = [{
ensureUsers = [
{
name = "misskey";
ensurePermissions."DATABASE misskey" = "ALL PRIVILEGES";
}];
}
];
ensureDatabases = ["misskey"];
initialScript = pkgs.writeText "init" ''
create user misskey with password 'password';
@ -143,4 +147,3 @@ in {
port = ports.misskey-redis;
};
}

4
hosts/hetzner-vm/profiles/mpd-broadcast/broadcast.nix
View file

@ -5,6 +5,6 @@
# to broadcast to all speakers over rtp
profiles.sound.pulseaudio.pulse-systemwide
profiles.sound.pulseaudio.pulse-recv-native-localhost
] ++ [ ./hosts/lappy.nix ./hosts/raspberry.nix ];
]
++ [./hosts/lappy.nix ./hosts/raspberry.nix];
}

4
hosts/hetzner-vm/profiles/mpd-broadcast/hosts/lappy.nix
View file

@ -1,5 +1,4 @@
{ pkgs, ... }:
let
{pkgs, ...}: let
sink_name = "roc-lappy";
description = "Lappy ROC Output";
ip_addr = "100.115.10.34";
@ -12,4 +11,3 @@ in {
}
'';
}

3
hosts/hetzner-vm/profiles/mpd-broadcast/hosts/raspberry.nix
View file

@ -1,5 +1,4 @@
{ pkgs, ... }:
let
{pkgs, ...}: let
sink_name = "roc-raspberry";
description = "Raspberry ROC Output";
ip_addr = "100.118.202.64";

15
hosts/hetzner-vm/profiles/mpd.nix
View file

@ -1,6 +1,9 @@
{ config, pkgs, lib, tree, ... }:
let
ports = (import ../ports.nix { });
{
config,
pkgs,
...
}: let
ports = import ../ports.nix {};
secrets = config.services.secrets.secrets;
in {
environment.systemPackages = with pkgs; [mpc_cli];
@ -9,10 +12,12 @@ in {
enable = true;
network.listenAddress = "0.0.0.0";
musicDirectory = "https://storage-webdav.owo.monster/music_ro/";
credentials = [{
credentials = [
{
passwordFile = "${secrets.mpd_control_password.path}";
permissions = ["read" "add" "control" "admin"];
}];
}
];
extraConfig = ''
host_permissions "127.0.0.1 read,add,control,admin"
samplerate_converter "0"

4
hosts/hetzner-vm/profiles/piped.nix
View file

@ -1,5 +1,5 @@
{ ... }:
let ports = (import ../ports.nix { });
{...}: let
ports = import ../ports.nix {};
in {
services.piped = {
enable = true;

8
hosts/hetzner-vm/profiles/quassel.nix
View file

@ -1,14 +1,16 @@
_: {
{...}: {
services.quassel = {
enable = true;
interfaces = ["0.0.0.0"];
};
services.postgresql.ensureDatabases = ["quassel"];
services.postgresql.ensureUsers = [{
services.postgresql.ensureUsers = [
{
name = "quassel";
ensurePermissions."DATABASE quassel" = "ALL PRIVILEGES";
}];
}
];
services.postgresql.authentication = "host quassel quassel localhost trust";
networking.firewall.allowedTCPPorts = [4242];
}

8
hosts/hetzner-vm/profiles/restic.nix
View file

@ -1,5 +1,9 @@
{ lib, config, pkgs, ... }:
let
{
lib,
config,
pkgs,
...
}: let
secrets = config.services.secrets.secrets;
mail_config = config.mailserver;

4
hosts/hetzner-vm/profiles/wireguard.nix
View file

@ -1,5 +1,5 @@
{ config, ... }:
let secrets = config.services.secrets.secrets;
{config, ...}: let
secrets = config.services.secrets.secrets;
in {
networking.wg-quick.interfaces = {
wg0 = {

10
hosts/hetzner-vm/secrets.nix
View file

@ -2,8 +2,7 @@
services.secrets = {
enable = true;
extraPackages = with pkgs;
[
extraPackages = with pkgs; [
# for music & mail passwd files
apacheHttpd
];
@ -16,6 +15,13 @@
simple_get "/api-keys/mpd" .password > $secretFile
'';
};
private_mail_aliases = {
user = "root";
group = "root";
fetchScript = ''
kv_get "/infra/private-mail-aliases" | jq .data.data | jq -r 'to_entries|map("\(.key) \(.value.to)")[]' > $secretFile
'';
};
music_stream_passwd = {
user = "nginx";
group = "nginx";

7
hosts/macmini/default.nix
View file

@ -1,4 +1,8 @@
{ pkgs, tree, ... }: {
{
pkgs,
tree,
...
}: {
users.users.chaos = {
name = "chaos";
home = "/Users/chaos";
@ -16,5 +20,4 @@
home.apps.mpv
];
};
}

10
hosts/nixos-live/nixos-live.nix
View file

@ -1,6 +1,12 @@
{ config, tree, modulesPath, pkgs, lib, ... }: {
{
config,
tree,
modulesPath,
pkgs,
lib,
...
}: {
imports = [
# (modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")

11
hosts/nixos.nix
View file

@ -1,10 +1,15 @@
{ self, nixpkgs-unstable, ... }@inputs:
let
{
self,
nixpkgs-unstable,
...
} @ inputs: let
mkTree = inputs.tree-input.tree;
metaTree = mkTree ((import ../treeConfig.nix {}) // {inherit inputs;});
tree = metaTree.impure;
patchedInputs = inputs // {
patchedInputs =
inputs
// {
# set these to the correct versions from inputs
nixpkgs = inputs.nixpkgs-unstable;
home-manager = inputs.home-manager-unstable;

7
hosts/raspberry/boot.nix
View file

@ -1,4 +1,9 @@
{ lib, pkgs, config, ... }: {
{
lib,
pkgs,
config,
...
}: {
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;

10
hosts/raspberry/raspberry.nix
View file

@ -1,6 +1,11 @@
{ tree, modulesPath, config, pkgs, lib, ... }:
{
tree,
modulesPath,
config,
pkgs,
lib,
...
}: {
imports = with tree; [
users.root
users.chaos
@ -34,4 +39,3 @@
system.stateVersion = "21.11";
}

6
hosts/raspberry/services/music-friend/bluetooth.nix
View file

@ -1,4 +1,8 @@
{ tree, pkgs, ... }: {
{
tree,
pkgs,
...
}: {
imports = with tree; [
profiles.connectivity.bluetooth
profiles.sound.pulseaudio.pulse-bluetooth

3
hosts/raspberry/services/music-friend/helper-scripts.nix
View file

@ -1,5 +1,4 @@
{ pkgs, ... }:
let
{pkgs, ...}: let
mpd-server = "hetzner-vm.tailscale-internal.genderfucked.monster";
sync-with-mpd-server = pkgs.writeShellScriptBin "sync-with-mpd-server" ''
#!/usr/bin/env bash

9
hosts/raspberry/services/music-friend/process-media-controls.nix
View file

@ -1,6 +1,6 @@
{ pkgs, ... }:
let
process-media-controls = pkgs.writeText "process-media-controls"
{pkgs, ...}: let
process-media-controls =
pkgs.writeText "process-media-controls"
(builtins.readFile ./process-media-controls.py);
in {
systemd.services.process-media-controls = {
@ -9,7 +9,8 @@ in {
wantedBy = ["multi-user.target"];
path = [pkgs.pulseaudio];
script = let
python = pkgs.python39.withPackages
python =
pkgs.python39.withPackages
(ps: with ps; [pkgs.python39Packages.evdev]);
in ''
export PULSE_SERVER=127.0.0.1

10
hosts/raspberry/services/router.nix
View file

@ -1,5 +1,8 @@
{ lib, tree, ... }:
let
{
lib,
tree,
...
}: let
externalInterface = "eth0";
wifiInterface = "wlan0";
ssid = "Test Wifi";
@ -7,8 +10,7 @@ let
in {
imports = with tree; [profiles.dnscrypt];
services.dnscrypt-proxy2.settings."listen_addresses" =
[ "0.0.0.0:53" "[::]:53" ];
services.dnscrypt-proxy2.settings."listen_addresses" = ["0.0.0.0:53" "[::]:53"];
services.hostapd = {
enable = true;

10
hosts/rescue/rescue.nix
View file

@ -1,6 +1,11 @@
{ tree, modulesPath, config, pkgs, lib, ... }:
{
tree,
modulesPath,
config,
pkgs,
lib,
...
}: {
imports = with tree; [
users.root
users.chaos
@ -47,4 +52,3 @@
system.stateVersion = "21.11";
}

29
hosts/storage/profiles/rclone-serve.nix
View file

@ -1,7 +1,6 @@
{ config, ... }:
let
{config, ...}: let
secrets = config.services.secrets.secrets;
ports = (import ../ports.nix { });
ports = import ../ports.nix {};
in {
systemd.tmpfiles.rules = [
"d /caches - storage storage"
@ -122,12 +121,9 @@ in {
forceSSL = true;
enableACME = true;
locations = {
"/main/".proxyPass =
"http://localhost:${toString ports.rclone_serve_webdav_main}";
"/media/".proxyPass =
"http://localhost:${toString ports.rclone_serve_webdav_media}";
"/music_ro/".proxyPass =
"http://localhost:${toString ports.rclone_serve_webdav_music_ro}";
"/main/".proxyPass = "http://localhost:${toString ports.rclone_serve_webdav_main}";
"/media/".proxyPass = "http://localhost:${toString ports.rclone_serve_webdav_media}";
"/music_ro/".proxyPass = "http://localhost:${toString ports.rclone_serve_webdav_music_ro}";
};
};
@ -135,10 +131,8 @@ in {
forceSSL = true;
enableACME = true;
locations = {
"/Music/".proxyPass =
"http://localhost:${toString ports.rclone_serve_http_music}";
"/Public/".proxyPass =
"http://localhost:${toString ports.rclone_serve_http_public}";
"/Music/".proxyPass = "http://localhost:${toString ports.rclone_serve_http_music}";
"/Public/".proxyPass = "http://localhost:${toString ports.rclone_serve_http_public}";
};
};
@ -146,12 +140,9 @@ in {
forceSSL = true;
enableACME = true;
locations = {
"/HetznerVM/".proxyPass =
"http://localhost:${toString ports.rclone_serve_restic_hvm}";
"/Music/".proxyPass =
"http://localhost:${toString ports.rclone_serve_restic_music}";
"/Vault/".proxyPass =
"http://localhost:${toString ports.rclone_serve_restic_vault}";
"/HetznerVM/".proxyPass = "http://localhost:${toString ports.rclone_serve_restic_hvm}";
"/Music/".proxyPass = "http://localhost:${toString ports.rclone_serve_restic_music}";
"/Vault/".proxyPass = "http://localhost:${toString ports.rclone_serve_restic_vault}";
};
};
}

8
hosts/storage/profiles/rclone-sync.nix
View file

@ -1,5 +1,9 @@
{ config, lib, ... }:
let secrets = config.services.secrets.secrets;
{
config,
lib,
...
}: let
secrets = config.services.secrets.secrets;
in {
services.rclone-sync = let
sync_defaults = {

4
hosts/storage/profiles/wireguard.nix
View file

@ -1,5 +1,5 @@
{ config, ... }:
let secrets = config.services.secrets.secrets;
{config, ...}: let
secrets = config.services.secrets.secrets;
in {
networking.wg-quick.interfaces = {
wg0 = {

1
hosts/storage/secrets.nix
View file

@ -1,5 +1,4 @@
{pkgs, ...}: {
services.secrets = {
enable = true;

14
hosts/storage/storage.nix
View file

@ -1,8 +1,13 @@
{ modulesPath, tree, config, pkgs, lib, ... }:
let
{
modulesPath,
tree,
config,
pkgs,
lib,
...
}: let
secrets = config.services.secrets.secrets;
ports = (import ./ports.nix { });
ports = import ./ports.nix {};
in {
imports = with tree; [
users.root
@ -85,4 +90,3 @@ in {
system.stateVersion = "22.05";
}

6
hosts/tablet/hardware.nix
View file

@ -1,5 +1,4 @@
{ tree, ... }:
let
{tree, ...}: let
usb_data = import ../../data/usb_data.nix {};
drive_data = import ../../data/normal_drive_data.nix {};
in {
@ -8,7 +7,8 @@ in {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd.availableKernelModules = [ # defaults from nixos-generate-config
initrd.availableKernelModules = [
# defaults from nixos-generate-config
"xhci_pci"
"nvme"
"usbhid"

14
hosts/tablet/profiles/harry-vpn.nix
View file

@ -1,5 +1,9 @@
{ config, pkgs, ... }:
let secrets = config.services.secrets.secrets;
{
config,
pkgs,
...
}: let
secrets = config.services.secrets.secrets;
in {
environment.systemPackages = with pkgs; [wireguard-tools];
networking.wg-quick.interfaces = {
@ -10,13 +14,15 @@ in {
mtu = 1280;
privateKeyFile = "${secrets.wg_harry_priv.path}";
peers = [{
peers = [
{
publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc=";
presharedKeyFile = "${secrets.wg_harry_preshared.path}";
allowedIPs = ["0.0.0.0/0" "::/0"];
endpoint = "185.186.9.1:8081";
persistentKeepalive = 25;
}];
}
];
};
};
}

7
hosts/tablet/profiles/misskey-dev.nix
View file

@ -1,12 +1,13 @@
{pkgs, ...}: {
services.postgresql = {
enable = true;
ensureUsers = [{
ensureUsers = [
{
name = "misskey";
ensurePermissions."DATABASE misskey" = "ALL PRIVILEGES";
}];
}
];
ensureDatabases = ["misskey"];
};
services.redis.servers."misskey" = {
enable = true;

5
hosts/tablet/profiles/wireguard.nix
View file

@ -1,7 +1,6 @@
{ config, ... }:
let secrets = config.services.secrets.secrets;
{config, ...}: let
secrets = config.services.secrets.secrets;
in {
networking.firewall.trustedInterfaces = ["wg0"];
networking.wg-quick.interfaces = {
wg0 = {

22
hosts/tablet/tablet.nix
View file

@ -1,4 +1,10 @@
{ tree, config, pkgs, lib, ... }: {
{
tree,
config,
pkgs,
lib,
...
}: {
imports = with tree; [
users.root
users.chaos
@ -9,6 +15,10 @@
presets.nixos.laptop
presets.nixos.encrypted-usb
hosts.tablet.profiles.wireguard
hosts.tablet.profiles.harry-vpn
hosts.tablet.profiles.misskey-dev
./secrets.nix
./profiles/wireguard.nix
./profiles/harry-vpn.nix
@ -36,7 +46,8 @@
networking.firewall.enable = true;
networking.firewall.allowPing = true;
nix.buildMachines = [{
nix.buildMachines = [
{
hostName = "buildbox.servers.genderfucked.monster";
system = "x86_64-linux";
# if the builder supports building for multiple architectures,
@ -44,13 +55,13 @@
# systems = ["x86_64-linux" "aarch64-linux"];
sshUser = "root";
sshKey = "/usb/ssh-keys/chaos.priv";
publicHostKey =
"c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpXZGI5SVl3dFBSRm9rK2JTWUpmSnlRTlJSSithVEtIT3VOTkNLY2FMUHggcm9vdEBuaXhvcwo=";
publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpXZGI5SVl3dFBSRm9rK2JTWUpmSnlRTlJSSithVEtIT3VOTkNLY2FMUHggcm9vdEBuaXhvcwo=";
maxJobs = 16;
speedFactor = 4;
supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
mandatoryFeatures = [];
}];
}
];
nix.distributedBuilds = true; # true;
nix.extraOptions = "builders-use-substitutes = true";
@ -94,4 +105,3 @@
system.stateVersion = "22.05";
}

29
hosts/vault/profiles/restic.nix Normal file
View file

@ -0,0 +1,29 @@
{
pkgs,
config,
...
}: let
secrets = config.services.secrets.secrets;
in {
services.restic.backups.vault = {
user = "root";
paths = ["/var/lib/vault" "/var/lib/acme"];
timerConfig = {
OnBootSec = "1m";
OnCalendar = "daily";
};
# env contains fixed repository with auth
repository = "rest:https://storage-restic.owo.monster/HetznerVM";
passwordFile = "${secrets.restic_password.path}";
environmentFile = "${secrets.restic_env.path}";
};
environment.systemPackages = [
(pkgs.writeShellScriptBin "restic-vault" ''
env \
RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
$(cat ${secrets.restic_env.path}) \
${pkgs.restic}/bin/restic $@
'')
];
}

19
hosts/vault/profiles/vault.nix Normal file
View file

@ -0,0 +1,19 @@
{pkgs, ...}: {
services.vault = {
enable = true;
package = pkgs.vault-bin;
address = "127.0.0.1:8200";
storageBackend = "file";
extraConfig = ''
ui = true
'';
};
networking.firewall.allowedTCPPorts = [80 443];
services.nginx.virtualHosts."vault.owo.monster" = {
forceSSL = true;
enableACME = true;
locations = {"/" = {proxyPass = "http://127.0.0.1:8200";};};
};
}

14
hosts/vault/profiles/wireguard.nix
View file

@ -1,17 +1,17 @@
{ ... }:
let secrets-db = (import ../secrets-db.nix { });
{config, ...}: let
secrets = config.services.secrets.secrets;
in {
networking.wg-quick.interfaces = {
wg0 = {
address = ["10.69.42.3/32"];
listenPort = 51820;
privateKeyFile = "${secrets-db.wg_priv.path}";
privateKeyFile = "${secrets.wg_priv.path}";
peers = [
# hetzner-vm
{
publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
presharedKeyFile = "${secrets-db.wg_preshared_hetzner-vm.path}";
presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
allowedIPs = ["10.69.42.1/32"];
endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
persistentKeepalive = 25;
@ -19,20 +19,20 @@ in {
# tablet
{
publicKey = "jXA0DeprEaL/ARQ3K81l8xWuUI5C/90DcY3bIfcIjz8=";
presharedKeyFile = "${secrets-db.wg_preshared_tablet.path}";
presharedKeyFile = "${secrets.wg_preshared_tablet.path}";
allowedIPs = ["10.69.42.2/32"];
}
# storage
{
publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg=";
presharedKeyFile = "${secrets-db.wg_preshared_storage.path}";
presharedKeyFile = "${secrets.wg_preshared_storage.path}";
endpoint = "storage.servers.genderfucked.monster:51820";
allowedIPs = ["10.69.42.4/32"];
}
# iphone8
{
publicKey = "2BgT08bDKh8WlFFSeRArI9a1GpFgUyqEApvJy4KgAmw=";
presharedKeyFile = "${secrets-db.wg_preshared_iphone8.path}";
presharedKeyFile = "${secrets.wg_preshared_iphone8.path}";
allowedIPs = ["10.69.42.5/32"];
}
];

44
hosts/vault/secrets-db.nix
View file

@ -1,44 +0,0 @@
{ }: {
restic_password = {
user = "root";
group = "root";
permissions = "660";
path = "/secrets/restic_password";
};
restic_env = {
user = "root";
group = "root";
permissions = "660";
path = "/secrets/restic_env";
};
wg_priv = {
user = "root";
group = "root";
permissions = "660";
path = "/secrets/wg_priv";
};
wg_preshared_hetzner-vm = {
user = "root";
group = "root";
permissions = "660";
path = "/secrets/wg_preshared_hetzner-vm";
};
wg_preshared_tablet = {
user = "root";
group = "root";
permissions = "660";
path = "/secrets/wg_preshared_tablet";
};
wg_preshared_storage = {
user = "root";
group = "root";
permissions = "660";
path = "/secrets/wg_preshared_storage";
};
wg_preshared_iphone8 = {
user = "root";
group = "root";
permissions = "660";
path = "/secrets/wg_preshared_iphone8";
};
}

Some files were not shown because too many files have changed in this diff Show more