diff --git a/flake.nix b/flake.nix
index e7ef1b0..8508764 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,76 +13,81 @@ }; }; - outputs = { - self, - nixpkgs, - home-manager, - ... - } @ inputs: let - lib = nixpkgs.lib; - inherit (self) outputs; + outputs = + { + self, + nixpkgs, + home-manager, + ... + }@inputs: + let + lib = nixpkgs.lib; + inherit (self) outputs; - systems = ["x86_64-linux"]; - forEachSystem = f: lib.genAttrs systems (system: f pkgsFor.${system}); - pkgsFor = lib.genAttrs systems ( - system: + systems = [ "x86_64-linux" ]; + forEachSystem = f: lib.genAttrs systems (system: f pkgsFor.${system}); + pkgsFor = lib.genAttrs systems ( + system: import nixpkgs { inherit system; config = { allowUnfree = true; }; } - ); - in { - packages = forEachSystem (pkgs: import ./pkgs {inherit pkgs;}); - formatter = forEachSystem (pkgs: pkgs.alejandra); - devShells = forEachSystem (pkgs: import ./shells {inherit pkgs;}); - nixosModules = import ./modules/nixos; - homeManagerModules = import ./modules/home-manager; - overlays = import ./overlays {inherit inputs outputs;}; + ); + in + { + packages = forEachSystem (pkgs: import ./pkgs { inherit pkgs; }); + formatter = forEachSystem (pkgs: pkgs.nixfmt-rfc-style); + devShells = forEachSystem (pkgs: import ./shells { inherit pkgs; }); + nixosModules = import ./modules/nixos; + homeManagerModules = import ./modules/home-manager; + overlays = import ./overlays { inherit inputs outputs; }; - nixosConfigurations = let - pkgs = pkgsFor.x86_64-linux; - in { - ytnix = lib.nixosSystem { - specialArgs = {inherit inputs outputs;}; - modules = [ - { - nixpkgs = {inherit pkgs;}; - } - ./hosts/ytnix - inputs.sops-nix.nixosModules.sops - ]; - }; + nixosConfigurations = + let + pkgs = pkgsFor.x86_64-linux; + in + { + ytnix = lib.nixosSystem { + specialArgs = { inherit inputs outputs; }; + modules = [ + { + nixpkgs = { inherit pkgs; }; + } + ./hosts/ytnix + inputs.sops-nix.nixosModules.sops + ]; + }; - chunk = lib.nixosSystem { - specialArgs = {inherit inputs outputs;}; - modules = [ - { - nixpkgs = {inherit pkgs;}; - } - ./hosts/chunk 
- inputs.sops-nix.nixosModules.sops - ]; + chunk = lib.nixosSystem { + specialArgs = { inherit inputs outputs; }; + modules = [ + { + nixpkgs = { inherit pkgs; }; + } + ./hosts/chunk + inputs.sops-nix.nixosModules.sops + ]; + }; + }; + + homeConfigurations = { + "yt@ytnix" = home-manager.lib.homeManagerConfiguration { + pkgs = pkgsFor.x86_64-linux; + extraSpecialArgs = { inherit inputs outputs; }; + modules = [ + ./home/yt/ytnix.nix + ]; + }; + + "yt@chunk" = home-manager.lib.homeManagerConfiguration { + pkgs = pkgsFor.x86_64-linux; + extraSpecialArgs = { inherit inputs outputs; }; + modules = [ + ./home/yt/chunk.nix + ]; + }; }; }; - - homeConfigurations = { - "yt@ytnix" = home-manager.lib.homeManagerConfiguration { - pkgs = pkgsFor.x86_64-linux; - extraSpecialArgs = {inherit inputs outputs;}; - modules = [ - ./home/yt/ytnix.nix - ]; - }; - - "yt@chunk" = home-manager.lib.homeManagerConfiguration { - pkgs = pkgsFor.x86_64-linux; - extraSpecialArgs = {inherit inputs outputs;}; - modules = [ - ./home/yt/chunk.nix - ]; - }; - }; - }; } diff --git a/home/foot.nix b/home/foot.nix index a382532..928ee6c 100644 --- a/home/foot.nix +++ b/home/foot.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ programs.foot = { enable = true; settings = { diff --git a/home/tmux.nix b/home/tmux.nix index 2d66ae2..360b243 100644 --- a/home/tmux.nix +++ b/home/tmux.nix @@ -1,4 +1,5 @@ -{pkgs, ...}: { +{ pkgs, ... }: +{ programs.tmux = { enable = true; baseIndex = 1; diff --git a/home/yt/chunk.nix b/home/yt/chunk.nix index 820a945..f444562 100644 --- a/home/yt/chunk.nix +++ b/home/yt/chunk.nix @@ -5,7 +5,8 @@ inputs, outputs, ... -}: { +}: +{ imports = [ ./common.nix ]; diff --git a/home/yt/common.nix b/home/yt/common.nix index cd904e6..dc828b2 100644 --- a/home/yt/common.nix +++ b/home/yt/common.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../tmux.nix ../zsh diff --git a/home/yt/ytnix.nix b/home/yt/ytnix.nix index 4c46dab..cc05bb8 100644 --- a/home/yt/ytnix.nix +++ b/home/yt/ytnix.nix 
@@ -2,7 +2,8 @@ pkgs, inputs, ... -}: { +}: +{ imports = [ ./common.nix ../foot.nix diff --git a/home/zsh/default.nix b/home/zsh/default.nix index e8aef67..ab3a09a 100644 --- a/home/zsh/default.nix +++ b/home/zsh/default.nix @@ -1,13 +1,17 @@ -{...}: { +{ ... }: +{ programs.zsh = { enable = true; autosuggestion = { enable = true; - strategy = ["history" "completion"]; + strategy = [ + "history" + "completion" + ]; }; syntaxHighlighting = { enable = true; - highlighters = ["brackets"]; + highlighters = [ "brackets" ]; }; autocd = true; defaultKeymap = "emacs"; @@ -85,7 +89,7 @@ programs.zoxide = { enable = true; enableZshIntegration = true; - options = ["--cmd cd"]; + options = [ "--cmd cd" ]; }; programs.eza = { diff --git a/hosts/chunk/adguard.nix b/hosts/chunk/adguard.nix index 7bab3ea..fe4b9bb 100644 --- a/hosts/chunk/adguard.nix +++ b/hosts/chunk/adguard.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ services.adguardhome = { enable = true; host = "127.0.0.1"; diff --git a/hosts/chunk/borg.nix b/hosts/chunk/borg.nix index 960f1ac..9e1acc8 100644 --- a/hosts/chunk/borg.nix +++ b/hosts/chunk/borg.nix @@ -2,11 +2,29 @@ pkgs, config, ... -}: { +}: +{ services.borgbackup.jobs = { crashRsync = { - paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"]; - exclude = ["**/.cache" "**/node_modules" "**/cache" "**/Cache" "/var/lib/docker" "/var/lib/containers/cache" "/var/lib/containers/overlay*"]; + paths = [ + "/root" + "/home" + "/var/backup" + "/var/lib" + "/var/log" + "/opt" + "/etc" + "/vw-data" + ]; + exclude = [ + "**/.cache" + "**/node_modules" + "**/cache" + "**/Cache" + "/var/lib/docker" + "/var/lib/containers/cache" + "/var/lib/containers/overlay*" + ]; repo = "de3911@de3911.rsync.net:borg/crash"; encryption = { mode = "repokey-blake2"; 
@@ -18,11 +36,13 @@ }; compression = "auto,zstd"; startAt = "hourly"; - extraCreateArgs = ["--stats"]; + extraCreateArgs = [ "--stats" ]; # warnings are often not that serious failOnWarnings = false; postHook = '' - ${pkgs.curl}/bin/curl -u $(cat ${config.sops.secrets."services/ntfy".path}) -d "chunk: backup completed with exit code: $exitStatus + ${pkgs.curl}/bin/curl -u $(cat ${ + config.sops.secrets."services/ntfy".path + }) -d "chunk: backup completed with exit code: $exitStatus $(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \ https://ntfy.cything.io/chunk ''; diff --git a/hosts/chunk/conduit.nix b/hosts/chunk/conduit.nix index a4546ba..de78c40 100644 --- a/hosts/chunk/conduit.nix +++ b/hosts/chunk/conduit.nix @@ -2,11 +2,12 @@ pkgs, config, ... -}: { +}: +{ virtualisation.oci-containers.containers.conduit = { image = "matrixconduit/matrix-conduit:latest"; autoStart = true; - ports = ["127.0.0.1:8448:8448"]; + ports = [ "127.0.0.1:8448:8448" ]; pull = "newer"; environment = { CONDUIT_SERVER_NAME = "cything.io"; @@ -24,7 +25,7 @@ volumes = [ "/opt/conduit/db:/var/lib/matrix-conduit/" ]; - networks = ["conduit-net"]; + networks = [ "conduit-net" ]; }; systemd.services.create-conduit-net = { diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index f7d7482..8691ff0 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -3,7 +3,8 @@ lib, pkgs, ... -}: { +}: +{ imports = [ ./hardware-configuration.nix ../common.nix @@ -91,9 +92,20 @@ networking.networkmanager.enable = true; networking.firewall = { enable = true; - allowedTCPPorts = [22 80 443 53 853]; - allowedUDPPorts = [443 51820 53 853]; # 51820 is wireguard - trustedInterfaces = ["wg0"]; + allowedTCPPorts = [ + 22 + 80 + 443 + 53 + 853 + ]; + allowedUDPPorts = [ + 443 + 51820 + 53 + 853 + ]; # 51820 is wireguard + trustedInterfaces = [ "wg0" ]; }; networking.interfaces.ens18 = { ipv6.addresses = [ 
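Review bot: The ntfy credential in the crashRsync postHook is still passed to curl on the command line through `-u $(cat ${config.sops.secrets."services/ntfy".path})`, so for the duration of the curl call it is readable by any local user via the process list; this hunk only re-wraps the interpolation, and the ytnixRsync postHook in hosts/ytnix/default.nix carries the same pattern. Letting curl read the credential from the sops-managed file instead, for example `--netrc-file ${config.sops.secrets."services/ntfy".path}` with the secret stored in netrc form, or `--config` pointing at a file containing the `user = "..."` option, keeps it out of argv. The unquoted `$(cat ...)` would also word-split if the secret ever contained whitespace, so quoting it is worthwhile even if the argv exposure is accepted. The enclosing postHook string and the job definition begin before this hunk.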
@@ -117,7 +129,10 @@ address = "31.59.129.1"; interface = "ens18"; }; - networking.nameservers = ["127.0.0.1" "::1"]; + networking.nameservers = [ + "127.0.0.1" + "::1" + ]; time.timeZone = "America/Toronto"; @@ -129,12 +144,20 @@ users.users.yt = { isNormalUser = true; - extraGroups = ["wheel" "networkmanager" "podman"]; - openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"]; + extraGroups = [ + "wheel" + "networkmanager" + "podman" + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" + ]; shell = pkgs.zsh; }; programs.zsh.enable = true; - users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" + ]; environment.systemPackages = with pkgs; [ vim diff --git a/hosts/chunk/deluge.nix b/hosts/chunk/deluge.nix index ba5a275..638c728 100644 --- a/hosts/chunk/deluge.nix +++ b/hosts/chunk/deluge.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ services.deluge = { enable = true; web = { diff --git a/hosts/chunk/ghost.nix b/hosts/chunk/ghost.nix index 00274c7..b190cd0 100644 --- a/hosts/chunk/ghost.nix +++ b/hosts/chunk/ghost.nix @@ -2,11 +2,12 @@ pkgs, config, ... -}: { +}: +{ virtualisation.oci-containers.containers.ghost = { image = "ghost:5-alpine"; autoStart = true; - ports = ["127.0.0.1:8084:2368"]; + ports = [ "127.0.0.1:8084:2368" ]; pull = "newer"; environment = { database__client = "mysql"; @@ -20,8 +21,8 @@ volumes = [ "/opt/ghost/data:/var/lib/ghost/content" ]; - networks = ["ghost-net"]; - dependsOn = ["ghost-db"]; + networks = [ "ghost-net" ]; + dependsOn = [ "ghost-db" ]; }; virtualisation.oci-containers.containers.ghost-db = { 
@@ -34,7 +35,7 @@ volumes = [ "/opt/ghost/db:/var/lib/mysql" ]; - networks = ["ghost-net"]; + networks = [ "ghost-net" ]; }; systemd.services.create-ghost-net = { diff --git a/hosts/chunk/gitlab.nix b/hosts/chunk/gitlab.nix index 9a4b7a6..818d727 100644 --- a/hosts/chunk/gitlab.nix +++ b/hosts/chunk/gitlab.nix @@ -1,4 +1,5 @@ -{config, ...}: { +{ config, ... }: +{ services.gitlab = { enable = true; https = true; diff --git a/hosts/chunk/grafana.nix b/hosts/chunk/grafana.nix index 15e8223..0575f51 100644 --- a/hosts/chunk/grafana.nix +++ b/hosts/chunk/grafana.nix @@ -1,4 +1,5 @@ -{config, ...}: { +{ config, ... }: +{ services.grafana = { enable = true; settings.server = { @@ -16,7 +17,7 @@ exporters = { node = { enable = true; - enabledCollectors = ["systemd"]; + enabledCollectors = [ "systemd" ]; }; }; scrapeConfigs = [ @@ -24,7 +25,7 @@ job_name = "chrysalis"; static_configs = [ { - targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"]; + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; } ]; } diff --git a/hosts/chunk/hardware-configuration.nix b/hosts/chunk/hardware-configuration.nix index 7ee561f..7d327c5 100644 --- a/hosts/chunk/hardware-configuration.nix +++ b/hosts/chunk/hardware-configuration.nix 
@@ -7,22 +7,29 @@ pkgs, modulesPath, ... -}: { +}: +{ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; - boot.initrd.kernelModules = []; - boot.kernelModules = ["kvm-intel"]; - boot.extraModulePackages = []; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; fileSystems."/" = { device = "/dev/disk/by-uuid/6fff5dd4-8d7a-43fa-85be-eec74ef2089e"; fsType = "ext4"; }; - swapDevices = []; + swapDevices = [ ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/hosts/chunk/hedgedoc.nix b/hosts/chunk/hedgedoc.nix index 001bf37..1988520 100644 --- a/hosts/chunk/hedgedoc.nix +++ b/hosts/chunk/hedgedoc.nix @@ -1,4 +1,5 @@ -{config, ...}: { +{ config, ... }: +{ services.hedgedoc = { enable = true; environmentFile = config.sops.secrets."hedgedoc/env".path; diff --git a/hosts/chunk/immich.nix b/hosts/chunk/immich.nix index b008dd7..18bf0db 100644 --- a/hosts/chunk/immich.nix +++ b/hosts/chunk/immich.nix @@ -2,18 +2,20 @@ pkgs, config, ... -}: let +}: +let uploadLocation = "/mnt/photos/immich"; thumbsLocation = "/opt/immich/thumbs"; profileLocation = "/opt/immich/profile"; dbDataLocation = "/opt/immich/postgres"; modelCache = "/opt/immich-ml"; -in { +in +{ virtualisation.oci-containers.containers = { immich-server = { image = "ghcr.io/immich-app/immich-server:release"; autoStart = true; - ports = ["127.0.0.1:2283:2283"]; + ports = [ "127.0.0.1:2283:2283" ]; pull = "newer"; volumes = [ "${uploadLocation}:/usr/src/app/upload" 
@@ -24,15 +26,18 @@ in { REDIS_HOSTNAME = "immich-redis"; DB_HOSTNAME = "immich-db"; }; - networks = ["immich-net"]; - dependsOn = ["immich-db" "immich-redis"]; + networks = [ "immich-net" ]; + dependsOn = [ + "immich-db" + "immich-redis" + ]; }; immich-redis = { image = "redis:6.2-alpine"; autoStart = true; pull = "newer"; - networks = ["immich-net"]; + networks = [ "immich-net" ]; }; immich-db = { @@ -45,17 +50,23 @@ in { POSTGRES_DB = "immich"; POSTGRES_INITDB_ARGS = "--data-checksums"; }; - volumes = ["${dbDataLocation}:/var/lib/postgresql/data"]; + volumes = [ "${dbDataLocation}:/var/lib/postgresql/data" ]; cmd = [ "postgres" - "-c" "shared_preload_libraries=vectors.so" - "-c" ''search_path="$$user", public, vectors'' - "-c" "logging_collector=on" - "-c" "max_wal_size=2GB" - "-c" "shared_buffers=512MB" - "-c" "wal_compression=on" + "-c" + "shared_preload_libraries=vectors.so" + "-c" + ''search_path="$$user", public, vectors'' + "-c" + "logging_collector=on" + "-c" + "max_wal_size=2GB" + "-c" + "shared_buffers=512MB" + "-c" + "wal_compression=on" ]; - networks = ["immich-net"]; + networks = [ "immich-net" ]; }; immich-ml = { @@ -66,8 +77,8 @@ in { REDIS_HOSTNAME = "immich-redis"; DB_HOSTNAME = "immich-db"; }; - volumes = ["${modelCache}:/cache"]; - networks = ["immich-net"]; + volumes = [ "${modelCache}:/cache" ]; + networks = [ "immich-net" ]; }; }; diff --git a/hosts/chunk/jellyfin.nix b/hosts/chunk/jellyfin.nix index cb55204..c6e0dec 100644 --- a/hosts/chunk/jellyfin.nix +++ b/hosts/chunk/jellyfin.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ services.jellyfin = { enable = true; dataDir = "/mnt/jellyfin"; diff --git a/hosts/chunk/miniflux.nix b/hosts/chunk/miniflux.nix index b6f2d59..9376ca6 100644 --- a/hosts/chunk/miniflux.nix +++ b/hosts/chunk/miniflux.nix @@ -1,4 +1,5 @@ -{config, ...}: { +{ config, ... }: +{ services.miniflux = { enable = true; adminCredentialsFile = config.sops.secrets."miniflux/env".path; 
diff --git a/hosts/chunk/ntfy.nix b/hosts/chunk/ntfy.nix
index 0d26d6b..cc2cb47 100644
--- a/hosts/chunk/ntfy.nix
+++ b/hosts/chunk/ntfy.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 services.ntfy-sh = {
 enable = true;
 settings = {
diff --git a/hosts/chunk/postgres.nix b/hosts/chunk/postgres.nix
index e600243..2571b28 100644
--- a/hosts/chunk/postgres.nix
+++ b/hosts/chunk/postgres.nix
@@ -2,7 +2,8 @@
 pkgs,
 lib,
 ...
-}: {
+}:
+{
 services.postgresql = {
 enable = true;
 settings.port = 5432;
diff --git a/hosts/chunk/rclone.nix b/hosts/chunk/rclone.nix
index 74aada0..c006832 100644
--- a/hosts/chunk/rclone.nix
+++ b/hosts/chunk/rclone.nix
@@ -2,12 +2,13 @@
 pkgs,
 config,
 ...
-}: {
+}:
+{
 systemd.services.immich-mount = {
 enable = true;
 description = "Mount the immich data remote";
- requires = ["network-online.target"];
- requiredBy = ["podman-immich-server.service"];
+ requires = [ "network-online.target" ];
+ requiredBy = [ "podman-immich-server.service" ];
 serviceConfig = {
 Type = "notify";
 ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
@@ -32,19 +33,19 @@ # }; # }; -# systemd.services.jellyfin-mount = { -# enable = true; -# description = "Mount the jellyfin data remote"; -# after = ["network-online.target"]; -# requires = ["network-online.target"]; -# requiredBy = ["jellyfin.service"]; -# serviceConfig = { -# Type = "notify"; -# ExecStartPre = "/usr/bin/env mkdir -p /mnt/jellyfin"; -# ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --allow-other --transfers=32 --dir-cache-time 72h --vfs-cache-mode writes --vfs-cache-max-size 2G jellyfin: /mnt/jellyfin"; -# ExecStop = "${pkgs.fuse}/bin/fusermount -u /mnt/jellyfin"; -# EnvironmentFile = config.sops.secrets."rclone/env".path; -# }; -# }; + # systemd.services.jellyfin-mount = { + # enable = true; + # description = "Mount the jellyfin data remote"; + # after = ["network-online.target"]; + # requires = ["network-online.target"]; + # requiredBy = ["jellyfin.service"]; + # serviceConfig = { + # Type = "notify"; + # ExecStartPre = "/usr/bin/env mkdir -p /mnt/jellyfin"; + # ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --allow-other --transfers=32 --dir-cache-time 72h --vfs-cache-mode writes --vfs-cache-max-size 2G jellyfin: /mnt/jellyfin"; + # ExecStop = "${pkgs.fuse}/bin/fusermount -u /mnt/jellyfin"; + # EnvironmentFile = config.sops.secrets."rclone/env".path; + # }; + # }; programs.fuse.userAllowOther = true; } diff --git a/hosts/chunk/redlib.nix b/hosts/chunk/redlib.nix index 74821ed..39585f1 100644 --- a/hosts/chunk/redlib.nix +++ b/hosts/chunk/redlib.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ services.redlib = { enable = true; port = 8087; diff --git a/hosts/chunk/tor.nix b/hosts/chunk/tor.nix index a5cadb1..a63db2f 100644 --- a/hosts/chunk/tor.nix +++ b/hosts/chunk/tor.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ services.tor = { enable = true; openFirewall = true; diff --git a/hosts/chunk/vaultwarden.nix b/hosts/chunk/vaultwarden.nix index af2acce..dcb00e2 100644 
--- a/hosts/chunk/vaultwarden.nix +++ b/hosts/chunk/vaultwarden.nix @@ -1,4 +1,5 @@ -{config, ...}: { +{ config, ... }: +{ services.vaultwarden = { enable = true; dbBackend = "postgresql"; diff --git a/hosts/chunk/wireguard.nix b/hosts/chunk/wireguard.nix index 37a0b00..4976fa6 100644 --- a/hosts/chunk/wireguard.nix +++ b/hosts/chunk/wireguard.nix @@ -2,16 +2,20 @@ pkgs, config, ... -}: { +}: +{ networking.nat = { enable = true; enableIPv6 = true; externalInterface = "ens18"; - internalInterfaces = ["wg0"]; + internalInterfaces = [ "wg0" ]; }; networking.wg-quick.interfaces.wg0 = { - address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"]; + address = [ + "10.0.0.1/24" + "fdc9:281f:04d7:9ee9::1/64" + ]; listenPort = 51820; privateKeyFile = config.sops.secrets."wireguard/private".path; postUp = '' @@ -33,12 +37,18 @@ peers = [ { publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g="; - allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"]; + allowedIPs = [ + "10.0.0.2/32" + "fdc9:281f:04d7:9ee9::2/128" + ]; presharedKeyFile = config.sops.secrets."wireguard/psk-yt".path; } { publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k="; - allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"]; + allowedIPs = [ + "10.0.0.3/32" + "fdc9:281f:04d7:9ee9::3/128" + ]; presharedKeyFile = config.sops.secrets."wireguard/psk-phone".path; } ]; diff --git a/hosts/common.nix b/hosts/common.nix index 7aaff01..bbd1718 100644 --- a/hosts/common.nix +++ b/hosts/common.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ nix = { settings = { experimental-features = "nix-command flakes"; @@ -8,7 +9,7 @@ channel.enable = false; optimise = { automatic = true; - dates = ["03:45"]; + dates = [ "03:45" ]; }; gc = { automatic = true; diff --git a/hosts/ytnix/default.nix b/hosts/ytnix/default.nix index b5cc7b3..2314f49 100644 --- a/hosts/ytnix/default.nix +++ b/hosts/ytnix/default.nix @@ -2,7 +2,8 @@ config, pkgs, ... -}: { +}: +{ imports = [ ./hardware-configuration.nix ../common.nix 
@@ -53,11 +54,14 @@ dns = "none"; wifi.backend = "iwd"; }; - nameservers = ["31.59.129.225" "2a0f:85c1:840:2bfb::1"]; + nameservers = [ + "31.59.129.225" + "2a0f:85c1:840:2bfb::1" + ]; resolvconf.enable = true; firewall = { - allowedUDPPorts = [51820]; # for wireguard - trustedInterfaces = ["wg0"]; + allowedUDPPorts = [ 51820 ]; # for wireguard + trustedInterfaces = [ "wg0" ]; }; }; programs.nm-applet.enable = true; @@ -76,7 +80,10 @@ "bluez5.enable-sbc-xq" = true; "bluez5.enable-msbc" = true; "bluez5.enable-hw-volume" = true; - "bluez5.roles" = ["a2dp_sink" "a2dp_source"]; + "bluez5.roles" = [ + "a2dp_sink" + "a2dp_source" + ]; }; }; # https://wiki.archlinux.org/title/Bluetooth_headset#Connecting_works,_sound_plays_fine_until_headphones_become_idle,_then_stutters @@ -100,7 +107,11 @@ users.users.yt = { isNormalUser = true; - extraGroups = ["wheel" "libvirtd" "docker"]; + extraGroups = [ + "wheel" + "libvirtd" + "docker" + ]; shell = pkgs.zsh; }; programs.zsh.enable = true; @@ -168,7 +179,14 @@ programs.sway.enable = true; services.borgbackup.jobs.ytnixRsync = { - paths = ["/root" "/home" "/var/lib" "/var/log" "/opt" "/etc"]; + paths = [ + "/root" + "/home" + "/var/lib" + "/var/log" + "/opt" + "/etc" + ]; exclude = [ "**/.cache" "**/node_modules" @@ -194,11 +212,13 @@ }; compression = "auto,zstd"; startAt = "daily"; - extraCreateArgs = ["--stats"]; + extraCreateArgs = [ "--stats" ]; # warnings are often not that serious failOnWarnings = false; postHook = '' - ${pkgs.curl}/bin/curl -u $(cat ${config.sops.secrets."services/ntfy".path}) -d "ytnixRsync: backup completed with exit code: $exitStatus + ${pkgs.curl}/bin/curl -u $(cat ${ + config.sops.secrets."services/ntfy".path + }) -d "ytnixRsync: backup completed with exit code: $exitStatus $(journalctl -u borgbackup-job-ytnixRsync.service|tail -n 5)" \ https://ntfy.cything.io/chunk ''; 
@@ -211,8 +231,8 @@ snapshot_preserve_min = "2d"; snapshot_dir = "/snapshots"; subvolume = { - "/home" = {}; - "/" = {}; + "/home" = { }; + "/" = { }; }; }; }; @@ -286,12 +306,18 @@ # wireguard setup networking.wg-quick.interfaces.wg0 = { - address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"]; + address = [ + "10.0.0.2/24" + "fdc9:281f:04d7:9ee9::2/64" + ]; privateKeyFile = config.sops.secrets."wireguard/private".path; peers = [ { publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0="; - allowedIPs = ["0.0.0.0/0" "::/0"]; + allowedIPs = [ + "0.0.0.0/0" + "::/0" + ]; endpoint = "31.59.129.225:51820"; persistentKeepalive = 25; presharedKeyFile = config.sops.secrets."wireguard/psk".path; diff --git a/hosts/ytnix/hardware-configuration.nix b/hosts/ytnix/hardware-configuration.nix index 6198b36..c91bb8d 100644 --- a/hosts/ytnix/hardware-configuration.nix +++ b/hosts/ytnix/hardware-configuration.nix 
@@ -7,42 +7,63 @@ pkgs, modulesPath, ... -}: { - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod"]; - boot.initrd.kernelModules = []; - boot.kernelModules = ["kvm-intel"]; - boot.extraModulePackages = []; +}: +{ + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "nvme" + "usb_storage" + "sd_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; fileSystems."/" = { device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3"; fsType = "btrfs"; - options = ["subvol=root" "compress=zstd"]; + options = [ + "subvol=root" + "compress=zstd" + ]; }; - boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/c6098a16-c8a6-4a97-8648-6f46ca919d13"; + boot.initrd.luks.devices."cryptroot".device = + "/dev/disk/by-uuid/c6098a16-c8a6-4a97-8648-6f46ca919d13"; fileSystems."/home" = { device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3"; fsType = "btrfs"; - options = ["subvol=home" "compress=zstd"]; + options = [ + "subvol=home" + "compress=zstd" + ]; }; fileSystems."/nix" = { device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3"; fsType = "btrfs"; - options = ["subvol=nix" "compress=zstd" "noatime"]; + options = [ + "subvol=nix" + "compress=zstd" + "noatime" + ]; }; fileSystems."/swap" = { device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3"; fsType = "btrfs"; - options = ["subvol=swap"]; + options = [ "subvol=swap" ]; }; fileSystems."/boot" = { device = "/dev/disk/by-uuid/29B7-F46D"; fsType = "vfat"; - options = ["fmask=0022" "dmask=0022"]; + options = [ + "fmask=0022" + "dmask=0022" + ]; }; swapDevices = [ 
@@ -52,7 +73,7 @@ ]; boot.resumeDevice = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3"; - boot.kernelParams = ["resume_offset=53224704"]; + boot.kernelParams = [ "resume_offset=53224704" ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's