chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

updates, tidying, hetzner-vm container scripts, better cryptsetup unlock with plymouth

Browse source
This commit is contained in:
chaos 2023-09-01 01:46:14 +01:00
parent d65608c9b2
commit bd5db3c655
No known key found for this signature in database
27 changed files with 1711 additions and 1667 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
flake.lock
View file

@ -47,11 +47,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1689068808, "lastModified": 1692799911,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -73,11 +73,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1690567562, "lastModified": 1693523992,
"narHash": "sha256-a8oa6X4R5MXAW2ZlMTvRGknxFnyZtDSpT+LbQNiSRgU=", "narHash": "sha256-I2wtOLO6k1oAYx6V7qZZjELvPpk0ynY+dHFhyt8BieE=",
"owner": "ChaotiCryptidz", "owner": "ChaotiCryptidz",
"repo": "gitlab_archiver", "repo": "gitlab_archiver",
"rev": "a4e339868f7e33364892790e6b8384ed550f713c", "rev": "12fc4d1be08870134c58c4dec7e6ac1605d83c12",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -99,11 +99,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1690572151, "lastModified": 1693524103,
"narHash": "sha256-J2eueGHL1EiFI3/jtJ1d9gRLz28PiOkzwlquFmNDUg4=", "narHash": "sha256-FjrSp0Nr/4t/z1ABX90S1EHEPqmNWhx5/RGodX5TBMA=",
"owner": "ChaotiCryptidz", "owner": "ChaotiCryptidz",
"repo": "gitlab_artifacts_sync", "repo": "gitlab_artifacts_sync",
"rev": "99656b78ba1c97aedb23ee6bebb1f696f2bce781", "rev": "affa1e00a30ce3f5880a8bfd4e2ae30bda4a93a8",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -119,11 +119,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1692260837, "lastModified": 1693399033,
"narHash": "sha256-2FpkX1zl+7ni7djK7NeE1ZGupRUwZgjW+RPCSBgDf4k=", "narHash": "sha256-yXhiMo8MnE86sGtPIHAKaLHhmhe8v9tqGGotlUgKJvY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "6a94c1a59737783c282c4031555a289c28b961e4", "rev": "f5c15668f9842dd4d5430787d6aa8a28a07f7c10",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -145,11 +145,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1691616912, "lastModified": 1693522376,
"narHash": "sha256-Cez6EVjpD+imIYVJbDwg9RkT18eXvaVg+cPmLvuQrYs=", "narHash": "sha256-xufWyWSV7k31C3xm5cClyKczPG9w+2VGFgejSf7qTIo=",
"owner": "ChaotiCryptidz", "owner": "ChaotiCryptidz",
"repo": "musicutil", "repo": "musicutil",
"rev": "7ef7093eb794a89421a3743396a29ba4d8ae0363", "rev": "190f47d6efeb4b1b884ef437f0dbdd801c4e50dd",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -160,11 +160,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1692264070, "lastModified": 1693377291,
"narHash": "sha256-WepAkIL2UcHOj7JJiaFS/vxrA9lklQHv8p+xGL+7oQ0=", "narHash": "sha256-vYGY9bnqEeIncNarDZYhm6KdLKgXMS+HA2mTRaWEc80=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "42c25608aa2ad4e5d3716d8d63c606063513ba33", "rev": "e7f38be3775bab9659575f192ece011c033655f0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -176,11 +176,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1692376909, "lastModified": 1693508393,
"narHash": "sha256-fcwKrjaYBixuTP+fcxScag0ELfE3xunAbjcEsyPpb2o=", "narHash": "sha256-FagQkHWoo91Lm0oT2wMPHqVIg6/RGeJg5M/sL2glg90=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "5723f9666abf2a45d0972db5dd1f9a5b0ac90f1a", "rev": "2193de091ecd925af783069b8393a80cd6cc8a29",
"type": "github" "type": "github"
}, },
"original": { "original": {

4
home/gui/environments/gnome/default.nix
View file

@ -5,7 +5,7 @@
inputs, inputs,
... ...
}: let }: let
hm = inputs.home-manager.lib.hm; hm-lib = inputs.home-manager.lib.hm;
font-sizes-all = { font-sizes-all = {
default = { default = {
@ -56,7 +56,7 @@ in {
}; };
"org/gnome/desktop/input-sources" = { "org/gnome/desktop/input-sources" = {
# TODO: see if this changes when using gnome wayland? # TODO: see if this changes when using gnome wayland?
sources = [(hm.gvariant.mkTuple ["xkb" "gb"])]; sources = [(hm-lib.gvariant.mkTuple ["xkb" "gb"])];
per-window = false; per-window = false;
}; };
"org/gnome/desktop/media-handling" = { "org/gnome/desktop/media-handling" = {

1
hosts/buildbox/hardware.nix
View file

@ -19,7 +19,6 @@
boot.loader.grub = { boot.loader.grub = {
enable = true; enable = true;
efiSupport = false; efiSupport = false;
version = 2;
device = "nodev"; device = "nodev";
devices = ["/dev/sda" "/dev/sdb"]; devices = ["/dev/sda" "/dev/sdb"];
}; };

9
hosts/hetzner-vm/containers/piped/modules/piped/backend.nix
View file

@ -107,18 +107,13 @@ in {
wants = ["postgresql.service"]; wants = ["postgresql.service"];
after = ["postgresql.service"]; after = ["postgresql.service"];
script = '' script = ''
systemd-run \ ${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD '${
-u piped-password-psql.service \
-p Group=postgresql \
-p User=postgresql \
-q -t -G --wait --service-type=exec \
${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD '${
if cfg.postgresPasswordFile != null if cfg.postgresPasswordFile != null
then "$(cat ${cfg.postgresPasswordFile} | sed \"s#'#\\\'#\")" then "$(cat ${cfg.postgresPasswordFile} | sed \"s#'#\\\'#\")"
else cfg.postgresPassword else cfg.postgresPassword
}';" }';"
''; '';
serviceConfig.User = "root"; serviceConfig.User = "postgres";
}; };
services.postgresql = lib.mkIf (!cfg.disablePostgres) { services.postgresql = lib.mkIf (!cfg.disablePostgres) {

3
hosts/hetzner-vm/containers/storage/storage.nix
View file

@ -46,7 +46,8 @@ in {
profiles.rclone-configs profiles.rclone-configs
profiles.rclone-serve profiles.rclone-serve
profiles.rclone-sync profiles.rclone-sync
profiles.storage-mount # doesn't work in container
# profiles.storage-mount
profiles.users profiles.users
]); ]);

37
hosts/hetzner-vm/hetzner-vm.nix
View file

@ -30,14 +30,35 @@
./secrets.nix ./secrets.nix
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs;
(pkgs.writeShellScriptBin "journalctl-vaccum-all" '' [
journalctl --vacuum-size=100M (pkgs.writeShellScriptBin "journalctl-vaccum-all" ''
${lib.concatStringsSep "\n" (lib.forEach (lib.attrNames config.containers) (name: '' journalctl --vacuum-size=100M
journalctl --vacuum-size=100M --root /var/lib/nixos-containers/${name} ${lib.concatStringsSep "\n" (lib.forEach (lib.attrNames config.containers) (name: ''
''))} journalctl --vacuum-size=100M --root /var/lib/nixos-containers/${name}
'') ''))}
]; '')
(pkgs.writeShellScriptBin "systemctl-list-failed-all" ''
echo "Host: "
systemctl --failed
${lib.concatStringsSep "\n" (lib.forEach (lib.attrNames config.containers) (name: ''
echo "Container: "
systemctl -M ${name} --failed
''))}
'')
]
++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "journalctl-vaccum-${name}" ''
journalctl --vacuum-size=100M --root /var/lib/nixos-containers/${name}
''))
++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "systemctl-machine-${name}" ''
systemctl -M ${name} $@
''))
++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "journalctl-machine-${name}" ''
journalctl -M ${name} $@
''))
++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "shell-enter-${name}" ''
machinectl shell ${name}
''));
# For Containers # For Containers
networking.nat = { networking.nat = {

4
modules/nixos/rclone-serve.nix
View file

@ -10,7 +10,7 @@ with lib; let
makeNameSafe = name: builtins.replaceStrings ["/"] ["-"] name; makeNameSafe = name: builtins.replaceStrings ["/"] ["-"] name;
daemonService = serve_config: daemonService = serve_config:
lib.mkMerge [ mkMerge [
{ {
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
@ -28,7 +28,7 @@ with lib; let
else "root"; else "root";
ExecStart = "${pkgs.rclone}/bin/rclone serve ${serve_config.type} ${serve_config.remote} ${ ExecStart = "${pkgs.rclone}/bin/rclone serve ${serve_config.type} ${serve_config.remote} ${
lib.concatStringsSep " " serve_config.extraArgs concatStringsSep " " serve_config.extraArgs
}"; }";
}; };
} }

9
overlay/default.nix
View file

@ -22,9 +22,9 @@ final: prev: {
owner = "superseriousbusiness"; owner = "superseriousbusiness";
repo = "gotosocial"; repo = "gotosocial";
version = "0.11.0"; version = "0.11.1";
source-hash = "sha256-qbq5pDvG2L1s6BG+sh7eagcFNH/DWyANMQaAl2WcQzE="; source-hash = "sha256-qsgrHPQae1+LKF2y6e256ZfYR+a9ffe7oq1W3GJA1do=";
web-assets-hash = "sha256-NK5m+ERZQtl5Stq2+bWw0LS2SbmlhEJDZjTTxYciemE="; web-assets-hash = "sha256-xPdSwsXjyjodgEHlwl4X32Pb6TniwM9Q+u56xAoY7SQ=";
web-assets = final.fetchurl { web-assets = final.fetchurl {
url = "https://github.com/${owner}/${repo}/releases/download/v${version}/${repo}_${version}_web-assets.tar.gz"; url = "https://github.com/${owner}/${repo}/releases/download/v${version}/${repo}_${version}_web-assets.tar.gz";
@ -32,12 +32,15 @@ final: prev: {
}; };
in { in {
inherit version; inherit version;
src = final.fetchFromGitHub { src = final.fetchFromGitHub {
inherit owner repo; inherit owner repo;
rev = "refs/tags/v${version}"; rev = "refs/tags/v${version}";
hash = source-hash; hash = source-hash;
}; };
passthru.web-assets = web-assets;
ldflags = ["-s" "-w" "-X main.Version=${version}"]; ldflags = ["-s" "-w" "-X main.Version=${version}"];
doCheck = false; doCheck = false;

1095
overlay/piped/frontend/yarn.lock
View file

File diff suppressed because it is too large Load diff

1972
overlay/piped/frontend/yarn.nix
View file

File diff suppressed because it is too large Load diff

14
overlay/piped/meta.json
View file

@ -1,15 +1,15 @@
{ {
"frontend": { "frontend": {
"rev": "4de41cd819d4bf49723de03a70ff48b2e5972fde", "rev": "8bba3779df2e81bcc6b7fb37ac37eb60f64b90c1",
"sha256": "sha256-ehFJp2X8UMu4Y/i1TgT85fQPrBzet2896sDXKJc5A+A=" "sha256": "sha256-ijuVaD788K+zxEpuMp6mg7q45+qaPZC3NInD05M8+tw="
}, },
"backend": { "backend": {
"rev": "8e2564bc1d3acab50f4a0734f01b81447a716121", "rev": "3b1bef532b6548bdbdc34a570954af51db475a35",
"sha256": "sha256-TpIXwrkSbhU/w6suukiLQyajw59NvW0dqQWHoscpFio=", "sha256": "sha256-/XkXsSsWyqIuLPKaftD55ms9YtWbjyqnofg+ZaSA3dQ=",
"deps-sha256": "sha256-GUkweG2ftIdalX20mQ9xkHiDP5aQ5WYNkB8shblKC/M=" "deps-sha256": "sha256-CS6gu7U8loktSh5xLq98vnBFWHuuv9sLYmgAZtrdP4Y="
}, },
"proxy": { "proxy": {
"rev": "fe8fef85c63f9c54ef167fe77ef42e5fb52ef8a9", "rev": "b6bde9e31a312ff74ad70dc6c56b414a3570833b",
"sha256": "sha256-vlR+pbm8J32F/BKsmSlgEhb8JJ/8WNiF7cYXJKEmSsQ=" "sha256": "sha256-qHpi0h5gW2V4c+46rIPiOoGFaiy7eojAwQj3vHs3vMY="
} }
} }

11
overlay/piped/update.sh
View file

@ -26,8 +26,7 @@ if [ "$new_frontend_rev" != "$old_frontend_rev" ] || [ "${FORCE_UPDATE-}" != ""
git clone https://github.com/TeamPiped/Piped git clone https://github.com/TeamPiped/Piped
pushd Piped pushd Piped
git reset --hard "$new_frontend_rev" git reset --hard "$new_frontend_rev"
# Missing from generated lockfile, #yarn install --no-lockfile
yarn install --no-lockfile
yarn install --mode update-lockfile yarn install --mode update-lockfile
nix run "github:NixOS/nixpkgs/nixos-unstable#yarn2nix" > "${BASE_DIR}/frontend/yarn.nix" nix run "github:NixOS/nixpkgs/nixos-unstable#yarn2nix" > "${BASE_DIR}/frontend/yarn.nix"
cp yarn.lock "${BASE_DIR}/frontend/yarn.lock" cp yarn.lock "${BASE_DIR}/frontend/yarn.lock"
@ -43,7 +42,7 @@ if [ "$new_backend_rev" != "$old_backend_rev" ] || [ "${FORCE_UPDATE-}" != "" ];
echo "Backend is out of date. Updating..." echo "Backend is out of date. Updating..."
json_set '.backend.rev' "$new_backend_rev" json_set '.backend.rev' "$new_backend_rev"
json_set '.backend.sha256' "" json_set '.backend.sha256' ""
json_set '.backend.deps-sha256' "" json_set '.backend."deps-sha256"' ""
fi fi
# Proxy # Proxy
@ -55,4 +54,10 @@ if [ "$new_proxy_rev" != "$old_proxy_rev" ] || [ "${FORCE_UPDATE-}" != "" ]; the
json_set '.proxy.sha256' "" json_set '.proxy.sha256' ""
fi fi
# gotta manually update shasums using output from these
echo "building frontend"
nix build .#piped-frontend || true
echo "building backend"
nix build .#piped-backend || true

26
presets/nixos/dual-encrypted-drive.nix
View file

@ -25,13 +25,33 @@ in {
while !(test -b ${usb_data.encrypted_path}) while !(test -b ${usb_data.encrypted_path})
do do
echo "Please Plug In USB" ${
if config.boot.plymouth.enable
then ''
${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"
''
else ''
echo "Please Plug In USB"
''
}
sleep 1 sleep 1
done done
echo "Please Decrypt USB" ${
if config.boot.plymouth.enable
then ''
${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"
cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name} ${pkgs.plymouth}/bin/plymouth ask-for-password \
--prompt="Please Decrypt USB" \
--command="cryptsetup -T1 open ${usb_data.encrypted_path} ${usb_data.mapper_name}" \
--number-of-tries=3
''
else ''
echo "Please Decrypt USB"
cryptsetup open ${usb_data.encrypted_path} ${usb_data.mapper_name}
''
}
mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint} mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}

26
presets/nixos/normal-encrypted-drive.nix
View file

@ -25,13 +25,33 @@ in {
while !(test -b ${usb_data.encrypted_path}) while !(test -b ${usb_data.encrypted_path})
do do
echo "Please Plug In USB" ${
if config.boot.plymouth.enable
then ''
${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"
''
else ''
echo "Please Plug In USB"
''
}
sleep 1 sleep 1
done done
echo "Please Decrypt USB" ${
if config.boot.plymouth.enable
then ''
${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"
cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name} ${pkgs.plymouth}/bin/plymouth ask-for-password \
--prompt="Please Decrypt USB" \
--command="cryptsetup -T1 open ${usb_data.encrypted_path} ${usb_data.mapper_name}" \
--number-of-tries=3
''
else ''
echo "Please Decrypt USB"
cryptsetup open ${usb_data.encrypted_path} ${usb_data.mapper_name}
''
}
mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint} mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}

1
presets/nixos/server-encrypted-drive.nix
View file

@ -11,7 +11,6 @@
loader.grub = { loader.grub = {
enable = true; enable = true;
efiSupport = false; efiSupport = false;
version = 2;
enableCryptodisk = true; enableCryptodisk = true;
device = "/dev/sda"; device = "/dev/sda";
}; };

6
profiles/base/access.nix
View file

@ -2,7 +2,9 @@
lib, lib,
pkgs, pkgs,
... ...
}: { }: let
inherit (lib.modules) mkForce;
in {
users.defaultUserShell = pkgs.zsh; users.defaultUserShell = pkgs.zsh;
security.sudo.wheelNeedsPassword = lib.mkForce false; security.sudo.wheelNeedsPassword = mkForce false;
} }

13
profiles/base/home.nix
View file

@ -4,14 +4,17 @@
config, config,
lib, lib,
... ...
}: }: let
with lib; { inherit (lib.modules) mkIf;
inherit (lib.lists) flatten forEach;
inherit (lib.options) mkOption;
inherit (lib.types) attrsOf submoduleWith;
in {
options.home-manager.users = mkOption { options.home-manager.users = mkOption {
type = types.attrsOf (types.submoduleWith { type = attrsOf (submoduleWith {
modules = []; modules = [];
specialArgs = { specialArgs = {
inherit inputs tree; inherit inputs tree;
nixos = config;
}; };
}); });
}; };
@ -21,7 +24,7 @@ with lib; {
useUserPackages = true; useUserPackages = true;
sharedModules = with tree; [modules.home.vscode-mod-module]; sharedModules = with tree; [modules.home.vscode-mod-module];
}; };
systemd.tmpfiles.rules = lib.mkIf config.boot.isContainer (lib.flatten (lib.forEach (builtins.attrNames config.home-manager.users) (user: [ systemd.tmpfiles.rules = mkIf config.boot.isContainer (flatten (forEach (builtins.attrNames config.home-manager.users) (user: [
"d /nix/var/nix/profiles/per-user/${user} - ${config.users.users."${user}".group} - - -" "d /nix/var/nix/profiles/per-user/${user} - ${config.users.users."${user}".group} - - -"
"d /nix/var/nix/gcroots/per-user/${user} - ${config.users.users."${user}".group} - - -" "d /nix/var/nix/gcroots/per-user/${user} - ${config.users.users."${user}".group} - - -"
]))); ])));

8
profiles/base/nix.nix
View file

@ -3,12 +3,14 @@
config, config,
lib, lib,
... ...
}: { }: let
inherit (lib.strings) optionalString versionAtLeast;
in {
nix = { nix = {
nixPath = ["nixpkgs=${inputs.nixpkgs}"]; nixPath = ["nixpkgs=${inputs.nixpkgs}"];
extraOptions = extraOptions =
lib.optionalString optionalString
(lib.versionAtLeast config.nix.package.version "2.4") '' (versionAtLeast config.nix.package.version "2.4") ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
''; '';
settings.trusted-users = ["root" "@wheel"]; settings.trusted-users = ["root" "@wheel"];

7
profiles/connectivity/network_manager/nm.nix
View file

@ -1,9 +1,10 @@
{lib, ...}: { {lib, ...}: let
inherit (lib.modules) mkForce;
in {
networking = { networking = {
networkmanager = { networkmanager = {
enable = true; enable = true;
connectionConfig = {"ipv6.ip6-privacy" = lib.mkForce 1;}; connectionConfig = {"ipv6.ip6-privacy" = mkForce 1;};
}; };
}; };
programs.nm-applet.enable = true;
} }

6
profiles/cross/arm64.nix
View file

@ -2,11 +2,13 @@
pkgs, pkgs,
lib, lib,
... ...
}: { }: let
inherit (lib.modules) mkForce;
in {
boot.binfmt = { boot.binfmt = {
emulatedSystems = ["aarch64-linux"]; emulatedSystems = ["aarch64-linux"];
registrations.aarch64-linux = { registrations.aarch64-linux = {
interpreter = lib.mkForce "${pkgs.qemu}/bin/qemu-aarch64"; interpreter = mkForce "${pkgs.qemu}/bin/qemu-aarch64";
}; };
}; };
nix.settings.extra-sandbox-paths = ["/run/binfmt" "${pkgs.qemu}"]; nix.settings.extra-sandbox-paths = ["/run/binfmt" "${pkgs.qemu}"];

39
profiles/dnscrypt/dnscrypt.nix
View file

@ -1,39 +0,0 @@
{...}: {
networking = {
resolvconf.useLocalResolver = true;
networkmanager.dns = "none";
};
#networking.nameservers = lib.mkForce [ "127.0.0.1.5353" ];
services.dnscrypt-proxy2 = {
enable = true;
settings = {
#listen_addresses = ["127.0.0.1:5353" "[::1]:5353"];
ipv6_servers = true;
require_dnssec = true;
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
server_names = [
"cloudflare"
#"acsacsar-ams-ipv4"
#"acsacsar-ams-ipv6"
#"dnscrypt.eu-dk"
#"dnscrypt.eu-dk-ipv6"
#"dnscrypt.eu-nl"
#"dnscrypt.eu-nl-ipv6"
#"meganerd"
#"meganerd-ipv6"
];
};
};
}

6
profiles/force_dns/force_dns.nix
View file

@ -1,7 +1,9 @@
{lib, ...}: { {lib, ...}: let
inherit (lib.modules) mkForce;
in {
networking = { networking = {
resolvconf.useLocalResolver = false; resolvconf.useLocalResolver = false;
networkmanager.dns = "none"; networkmanager.dns = "none";
}; };
networking.nameservers = lib.mkForce ["1.1.1.1"]; networking.nameservers = mkForce ["1.1.1.1"];
} }

9
profiles/gui/base/default.nix
View file

@ -1,8 +1,15 @@
{pkgs, ...}: { {pkgs, lib, config, ...}: let
inherit (lib.modules) mkIf;
networkManagerEnabled = config.networking.networkmanager.enable;
in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
gnome3.adwaita-icon-theme gnome3.adwaita-icon-theme
(mkIf networkManagerEnabled pkgs.networkmanagerapplet)
]; ];
programs.nm-applet.enable = networkManagerEnabled;
fonts = { fonts = {
packages = with pkgs; [comic-sans comic-code]; packages = with pkgs; [comic-sans comic-code];
fontconfig = { fontconfig = {

6
profiles/gui/environments/gnome/default.nix
View file

@ -3,6 +3,8 @@
lib, lib,
... ...
}: let }: let
inherit (lib.modules) mkIf mkForce;
isWayland = true; isWayland = true;
in { in {
services.xserver = { services.xserver = {
@ -24,7 +26,7 @@ in {
if isWayland if isWayland
then "wayland" then "wayland"
else "x11"; else "x11";
_JAVA_AWT_WM_NONREPARENTING = lib.mkIf isWayland "1"; _JAVA_AWT_WM_NONREPARENTING = mkIf isWayland "1";
}; };
security.polkit.extraConfig = '' security.polkit.extraConfig = ''
@ -66,7 +68,7 @@ in {
services.udev.packages = with pkgs; [gnome3.gnome-settings-daemon]; services.udev.packages = with pkgs; [gnome3.gnome-settings-daemon];
services.power-profiles-daemon.enable = true; services.power-profiles-daemon.enable = true;
hardware.pulseaudio.enable = lib.mkForce false; hardware.pulseaudio.enable = mkForce false;
programs.dconf.enable = true; programs.dconf.enable = true;

12
profiles/nginx.nix
View file

@ -2,11 +2,15 @@
pkgs, pkgs,
lib, lib,
... ...
}: { }: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkDefault;
inherit (lib.types) submodule attrsOf;
in {
options = { options = {
services.nginx.virtualHosts = lib.mkOption { services.nginx.virtualHosts = mkOption {
type = lib.types.attrsOf (lib.types.submodule { type = attrsOf (submodule {
config.http3 = lib.mkDefault true; config.http3 = mkDefault true;
}); });
}; };
}; };

6
profiles/sound/pulseaudio/pulse-bluetooth.nix
View file

@ -3,12 +3,14 @@
tree, tree,
lib, lib,
... ...
}: { }: let
inherit (lib.modules) mkForce;
in {
imports = with tree; [profiles.connectivity.bluetooth]; imports = with tree; [profiles.connectivity.bluetooth];
hardware.pulseaudio = { hardware.pulseaudio = {
extraModules = with pkgs; [pkgs.pulseaudio-modules-bt]; extraModules = with pkgs; [pkgs.pulseaudio-modules-bt];
package = lib.mkForce pkgs.pulseaudioFull; package = mkForce pkgs.pulseaudioFull;
extraConfig = "load-module module-switch-on-connect"; extraConfig = "load-module module-switch-on-connect";
}; };
} }

6
profiles/sshd/sshd.nix
View file

@ -1,10 +1,12 @@
{lib, ...}: { {lib, ...}: let
inherit (lib.modules) mkDefault;
in {
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
PermitRootLogin = "prohibit-password"; PermitRootLogin = "prohibit-password";
PasswordAuthentication = false; PasswordAuthentication = false;
KbdInteractiveAuthentication = lib.mkDefault false; KbdInteractiveAuthentication = mkDefault false;
StreamLocalBindUnlink = true; StreamLocalBindUnlink = true;
KexAlgorithms = ["curve25519-sha256@libssh.org"]; KexAlgorithms = ["curve25519-sha256@libssh.org"];
LogLevel = "VERBOSE"; LogLevel = "VERBOSE";