use rfc-style formatter

cy 2024-12-19 02:32:58 -05:00
parent 993b457e0b
commit f57ed53bc5
30 changed files with 324 additions and 176 deletions

127
flake.nix

@ -13,76 +13,81 @@
}; };
}; };
outputs = { outputs =
self, {
nixpkgs, self,
home-manager, nixpkgs,
... home-manager,
} @ inputs: let ...
lib = nixpkgs.lib; }@inputs:
inherit (self) outputs; let
lib = nixpkgs.lib;
inherit (self) outputs;
systems = ["x86_64-linux"]; systems = [ "x86_64-linux" ];
forEachSystem = f: lib.genAttrs systems (system: f pkgsFor.${system}); forEachSystem = f: lib.genAttrs systems (system: f pkgsFor.${system});
pkgsFor = lib.genAttrs systems ( pkgsFor = lib.genAttrs systems (
system: system:
import nixpkgs { import nixpkgs {
inherit system; inherit system;
config = { config = {
allowUnfree = true; allowUnfree = true;
}; };
} }
); );
in { in
packages = forEachSystem (pkgs: import ./pkgs {inherit pkgs;}); {
formatter = forEachSystem (pkgs: pkgs.alejandra); packages = forEachSystem (pkgs: import ./pkgs { inherit pkgs; });
devShells = forEachSystem (pkgs: import ./shells {inherit pkgs;}); formatter = forEachSystem (pkgs: pkgs.nixfmt-rfc-style);
nixosModules = import ./modules/nixos; devShells = forEachSystem (pkgs: import ./shells { inherit pkgs; });
homeManagerModules = import ./modules/home-manager; nixosModules = import ./modules/nixos;
overlays = import ./overlays {inherit inputs outputs;}; homeManagerModules = import ./modules/home-manager;
overlays = import ./overlays { inherit inputs outputs; };
nixosConfigurations = let nixosConfigurations =
pkgs = pkgsFor.x86_64-linux; let
in { pkgs = pkgsFor.x86_64-linux;
ytnix = lib.nixosSystem { in
specialArgs = {inherit inputs outputs;}; {
modules = [ ytnix = lib.nixosSystem {
{ specialArgs = { inherit inputs outputs; };
nixpkgs = {inherit pkgs;}; modules = [
} {
./hosts/ytnix nixpkgs = { inherit pkgs; };
inputs.sops-nix.nixosModules.sops }
]; ./hosts/ytnix
}; inputs.sops-nix.nixosModules.sops
];
};
chunk = lib.nixosSystem { chunk = lib.nixosSystem {
specialArgs = {inherit inputs outputs;}; specialArgs = { inherit inputs outputs; };
modules = [ modules = [
{ {
nixpkgs = {inherit pkgs;}; nixpkgs = { inherit pkgs; };
} }
./hosts/chunk ./hosts/chunk
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
]; ];
};
};
homeConfigurations = {
"yt@ytnix" = home-manager.lib.homeManagerConfiguration {
pkgs = pkgsFor.x86_64-linux;
extraSpecialArgs = { inherit inputs outputs; };
modules = [
./home/yt/ytnix.nix
];
};
"yt@chunk" = home-manager.lib.homeManagerConfiguration {
pkgs = pkgsFor.x86_64-linux;
extraSpecialArgs = { inherit inputs outputs; };
modules = [
./home/yt/chunk.nix
];
};
}; };
}; };
homeConfigurations = {
"yt@ytnix" = home-manager.lib.homeManagerConfiguration {
pkgs = pkgsFor.x86_64-linux;
extraSpecialArgs = {inherit inputs outputs;};
modules = [
./home/yt/ytnix.nix
];
};
"yt@chunk" = home-manager.lib.homeManagerConfiguration {
pkgs = pkgsFor.x86_64-linux;
extraSpecialArgs = {inherit inputs outputs;};
modules = [
./home/yt/chunk.nix
];
};
};
};
} }
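Review bot: The `formatter = forEachSystem (pkgs: pkgs.nixfmt-rfc-style);` line is the only substantive change in this commit, and nothing in the flake records that the other 29 files were reformatted mechanically rather than edited by hand. A one-line comment above it would make that explicit for anyone reading `git blame` later: `# nix fmt now uses nixfmt-rfc-style (RFC 166 style); the rest of this commit is a mechanical reformat`. Since the reformat touches most lines of the repository, consider also listing this commit hash in a `.git-blame-ignore-revs` file so blame keeps pointing at the commits that last changed the semantics.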


@ -1,4 +1,5 @@
{...}: { { ... }:
{
programs.foot = { programs.foot = {
enable = true; enable = true;
settings = { settings = {


@ -1,4 +1,5 @@
{pkgs, ...}: { { pkgs, ... }:
{
programs.tmux = { programs.tmux = {
enable = true; enable = true;
baseIndex = 1; baseIndex = 1;


@ -5,7 +5,8 @@
inputs, inputs,
outputs, outputs,
... ...
}: { }:
{
imports = [ imports = [
./common.nix ./common.nix
]; ];


@ -1,4 +1,5 @@
{...}: { { ... }:
{
imports = [ imports = [
../tmux.nix ../tmux.nix
../zsh ../zsh


@ -2,7 +2,8 @@
pkgs, pkgs,
inputs, inputs,
... ...
}: { }:
{
imports = [ imports = [
./common.nix ./common.nix
../foot.nix ../foot.nix


@ -1,13 +1,17 @@
{...}: { { ... }:
{
programs.zsh = { programs.zsh = {
enable = true; enable = true;
autosuggestion = { autosuggestion = {
enable = true; enable = true;
strategy = ["history" "completion"]; strategy = [
"history"
"completion"
];
}; };
syntaxHighlighting = { syntaxHighlighting = {
enable = true; enable = true;
highlighters = ["brackets"]; highlighters = [ "brackets" ];
}; };
autocd = true; autocd = true;
defaultKeymap = "emacs"; defaultKeymap = "emacs";
@ -85,7 +89,7 @@
programs.zoxide = { programs.zoxide = {
enable = true; enable = true;
enableZshIntegration = true; enableZshIntegration = true;
options = ["--cmd cd"]; options = [ "--cmd cd" ];
}; };
programs.eza = { programs.eza = {


@ -1,4 +1,5 @@
{...}: { { ... }:
{
services.adguardhome = { services.adguardhome = {
enable = true; enable = true;
host = "127.0.0.1"; host = "127.0.0.1";


@ -2,11 +2,29 @@
pkgs, pkgs,
config, config,
... ...
}: { }:
{
services.borgbackup.jobs = { services.borgbackup.jobs = {
crashRsync = { crashRsync = {
paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"]; paths = [
exclude = ["**/.cache" "**/node_modules" "**/cache" "**/Cache" "/var/lib/docker" "/var/lib/containers/cache" "/var/lib/containers/overlay*"]; "/root"
"/home"
"/var/backup"
"/var/lib"
"/var/log"
"/opt"
"/etc"
"/vw-data"
];
exclude = [
"**/.cache"
"**/node_modules"
"**/cache"
"**/Cache"
"/var/lib/docker"
"/var/lib/containers/cache"
"/var/lib/containers/overlay*"
];
repo = "de3911@de3911.rsync.net:borg/crash"; repo = "de3911@de3911.rsync.net:borg/crash";
encryption = { encryption = {
mode = "repokey-blake2"; mode = "repokey-blake2";
@ -18,11 +36,13 @@
}; };
compression = "auto,zstd"; compression = "auto,zstd";
startAt = "hourly"; startAt = "hourly";
extraCreateArgs = ["--stats"]; extraCreateArgs = [ "--stats" ];
# warnings are often not that serious # warnings are often not that serious
failOnWarnings = false; failOnWarnings = false;
postHook = '' postHook = ''
${pkgs.curl}/bin/curl -u $(cat ${config.sops.secrets."services/ntfy".path}) -d "chunk: backup completed with exit code: $exitStatus ${pkgs.curl}/bin/curl -u $(cat ${
config.sops.secrets."services/ntfy".path
}) -d "chunk: backup completed with exit code: $exitStatus
$(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \ $(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
https://ntfy.cything.io/chunk https://ntfy.cything.io/chunk
''; '';


@ -2,11 +2,12 @@
pkgs, pkgs,
config, config,
... ...
}: { }:
{
virtualisation.oci-containers.containers.conduit = { virtualisation.oci-containers.containers.conduit = {
image = "matrixconduit/matrix-conduit:latest"; image = "matrixconduit/matrix-conduit:latest";
autoStart = true; autoStart = true;
ports = ["127.0.0.1:8448:8448"]; ports = [ "127.0.0.1:8448:8448" ];
pull = "newer"; pull = "newer";
environment = { environment = {
CONDUIT_SERVER_NAME = "cything.io"; CONDUIT_SERVER_NAME = "cything.io";
@ -24,7 +25,7 @@
volumes = [ volumes = [
"/opt/conduit/db:/var/lib/matrix-conduit/" "/opt/conduit/db:/var/lib/matrix-conduit/"
]; ];
networks = ["conduit-net"]; networks = [ "conduit-net" ];
}; };
systemd.services.create-conduit-net = { systemd.services.create-conduit-net = {


@ -3,7 +3,8 @@
lib, lib,
pkgs, pkgs,
... ...
}: { }:
{
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../common.nix ../common.nix
@ -91,9 +92,20 @@
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [22 80 443 53 853]; allowedTCPPorts = [
allowedUDPPorts = [443 51820 53 853]; # 51820 is wireguard 22
trustedInterfaces = ["wg0"]; 80
443
53
853
];
allowedUDPPorts = [
443
51820
53
853
]; # 51820 is wireguard
trustedInterfaces = [ "wg0" ];
}; };
networking.interfaces.ens18 = { networking.interfaces.ens18 = {
ipv6.addresses = [ ipv6.addresses = [
@ -117,7 +129,10 @@
address = "31.59.129.1"; address = "31.59.129.1";
interface = "ens18"; interface = "ens18";
}; };
networking.nameservers = ["127.0.0.1" "::1"]; networking.nameservers = [
"127.0.0.1"
"::1"
];
time.timeZone = "America/Toronto"; time.timeZone = "America/Toronto";
@ -129,12 +144,20 @@
users.users.yt = { users.users.yt = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["wheel" "networkmanager" "podman"]; extraGroups = [
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"]; "wheel"
"networkmanager"
"podman"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"
];
shell = pkgs.zsh; shell = pkgs.zsh;
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"]; users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"
];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim vim


@ -1,4 +1,5 @@
{...}: { { ... }:
{
services.deluge = { services.deluge = {
enable = true; enable = true;
web = { web = {


@ -2,11 +2,12 @@
pkgs, pkgs,
config, config,
... ...
}: { }:
{
virtualisation.oci-containers.containers.ghost = { virtualisation.oci-containers.containers.ghost = {
image = "ghost:5-alpine"; image = "ghost:5-alpine";
autoStart = true; autoStart = true;
ports = ["127.0.0.1:8084:2368"]; ports = [ "127.0.0.1:8084:2368" ];
pull = "newer"; pull = "newer";
environment = { environment = {
database__client = "mysql"; database__client = "mysql";
@ -20,8 +21,8 @@
volumes = [ volumes = [
"/opt/ghost/data:/var/lib/ghost/content" "/opt/ghost/data:/var/lib/ghost/content"
]; ];
networks = ["ghost-net"]; networks = [ "ghost-net" ];
dependsOn = ["ghost-db"]; dependsOn = [ "ghost-db" ];
}; };
virtualisation.oci-containers.containers.ghost-db = { virtualisation.oci-containers.containers.ghost-db = {
@ -34,7 +35,7 @@
volumes = [ volumes = [
"/opt/ghost/db:/var/lib/mysql" "/opt/ghost/db:/var/lib/mysql"
]; ];
networks = ["ghost-net"]; networks = [ "ghost-net" ];
}; };
systemd.services.create-ghost-net = { systemd.services.create-ghost-net = {


@ -1,4 +1,5 @@
{config, ...}: { { config, ... }:
{
services.gitlab = { services.gitlab = {
enable = true; enable = true;
https = true; https = true;


@ -1,4 +1,5 @@
{config, ...}: { { config, ... }:
{
services.grafana = { services.grafana = {
enable = true; enable = true;
settings.server = { settings.server = {
@ -16,7 +17,7 @@
exporters = { exporters = {
node = { node = {
enable = true; enable = true;
enabledCollectors = ["systemd"]; enabledCollectors = [ "systemd" ];
}; };
}; };
scrapeConfigs = [ scrapeConfigs = [
@ -24,7 +25,7 @@
job_name = "chrysalis"; job_name = "chrysalis";
static_configs = [ static_configs = [
{ {
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"]; targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
} }
]; ];
} }


@ -7,22 +7,29 @@
pkgs, pkgs,
modulesPath, modulesPath,
... ...
}: { }:
{
imports = [ imports = [
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; boot.initrd.availableKernelModules = [
boot.initrd.kernelModules = []; "ata_piix"
boot.kernelModules = ["kvm-intel"]; "uhci_hcd"
boot.extraModulePackages = []; "virtio_pci"
"sr_mod"
"virtio_blk"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-uuid/6fff5dd4-8d7a-43fa-85be-eec74ef2089e"; device = "/dev/disk/by-uuid/6fff5dd4-8d7a-43fa-85be-eec74ef2089e";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = []; swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,4 +1,5 @@
{config, ...}: { { config, ... }:
{
services.hedgedoc = { services.hedgedoc = {
enable = true; enable = true;
environmentFile = config.sops.secrets."hedgedoc/env".path; environmentFile = config.sops.secrets."hedgedoc/env".path;


@ -2,18 +2,20 @@
pkgs, pkgs,
config, config,
... ...
}: let }:
let
uploadLocation = "/mnt/photos/immich"; uploadLocation = "/mnt/photos/immich";
thumbsLocation = "/opt/immich/thumbs"; thumbsLocation = "/opt/immich/thumbs";
profileLocation = "/opt/immich/profile"; profileLocation = "/opt/immich/profile";
dbDataLocation = "/opt/immich/postgres"; dbDataLocation = "/opt/immich/postgres";
modelCache = "/opt/immich-ml"; modelCache = "/opt/immich-ml";
in { in
{
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
immich-server = { immich-server = {
image = "ghcr.io/immich-app/immich-server:release"; image = "ghcr.io/immich-app/immich-server:release";
autoStart = true; autoStart = true;
ports = ["127.0.0.1:2283:2283"]; ports = [ "127.0.0.1:2283:2283" ];
pull = "newer"; pull = "newer";
volumes = [ volumes = [
"${uploadLocation}:/usr/src/app/upload" "${uploadLocation}:/usr/src/app/upload"
@ -24,15 +26,18 @@ in {
REDIS_HOSTNAME = "immich-redis"; REDIS_HOSTNAME = "immich-redis";
DB_HOSTNAME = "immich-db"; DB_HOSTNAME = "immich-db";
}; };
networks = ["immich-net"]; networks = [ "immich-net" ];
dependsOn = ["immich-db" "immich-redis"]; dependsOn = [
"immich-db"
"immich-redis"
];
}; };
immich-redis = { immich-redis = {
image = "redis:6.2-alpine"; image = "redis:6.2-alpine";
autoStart = true; autoStart = true;
pull = "newer"; pull = "newer";
networks = ["immich-net"]; networks = [ "immich-net" ];
}; };
immich-db = { immich-db = {
@ -45,17 +50,23 @@ in {
POSTGRES_DB = "immich"; POSTGRES_DB = "immich";
POSTGRES_INITDB_ARGS = "--data-checksums"; POSTGRES_INITDB_ARGS = "--data-checksums";
}; };
volumes = ["${dbDataLocation}:/var/lib/postgresql/data"]; volumes = [ "${dbDataLocation}:/var/lib/postgresql/data" ];
cmd = [ cmd = [
"postgres" "postgres"
"-c" "shared_preload_libraries=vectors.so" "-c"
"-c" ''search_path="$$user", public, vectors'' "shared_preload_libraries=vectors.so"
"-c" "logging_collector=on" "-c"
"-c" "max_wal_size=2GB" ''search_path="$$user", public, vectors''
"-c" "shared_buffers=512MB" "-c"
"-c" "wal_compression=on" "logging_collector=on"
"-c"
"max_wal_size=2GB"
"-c"
"shared_buffers=512MB"
"-c"
"wal_compression=on"
]; ];
networks = ["immich-net"]; networks = [ "immich-net" ];
}; };
immich-ml = { immich-ml = {
@ -66,8 +77,8 @@ in {
REDIS_HOSTNAME = "immich-redis"; REDIS_HOSTNAME = "immich-redis";
DB_HOSTNAME = "immich-db"; DB_HOSTNAME = "immich-db";
}; };
volumes = ["${modelCache}:/cache"]; volumes = [ "${modelCache}:/cache" ];
networks = ["immich-net"]; networks = [ "immich-net" ];
}; };
}; };


@ -1,4 +1,5 @@
{...}: { { ... }:
{
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;
dataDir = "/mnt/jellyfin"; dataDir = "/mnt/jellyfin";


@ -1,4 +1,5 @@
{config, ...}: { { config, ... }:
{
services.miniflux = { services.miniflux = {
enable = true; enable = true;
adminCredentialsFile = config.sops.secrets."miniflux/env".path; adminCredentialsFile = config.sops.secrets."miniflux/env".path;


@ -1,4 +1,5 @@
{...}: { { ... }:
{
services.ntfy-sh = { services.ntfy-sh = {
enable = true; enable = true;
settings = { settings = {


@ -2,7 +2,8 @@
pkgs, pkgs,
lib, lib,
... ...
}: { }:
{
services.postgresql = { services.postgresql = {
enable = true; enable = true;
settings.port = 5432; settings.port = 5432;


@ -2,12 +2,13 @@
pkgs, pkgs,
config, config,
... ...
}: { }:
{
systemd.services.immich-mount = { systemd.services.immich-mount = {
enable = true; enable = true;
description = "Mount the immich data remote"; description = "Mount the immich data remote";
requires = ["network-online.target"]; requires = [ "network-online.target" ];
requiredBy = ["podman-immich-server.service"]; requiredBy = [ "podman-immich-server.service" ];
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos"; ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
@ -32,19 +33,19 @@
# }; # };
# }; # };
# systemd.services.jellyfin-mount = { # systemd.services.jellyfin-mount = {
# enable = true; # enable = true;
# description = "Mount the jellyfin data remote"; # description = "Mount the jellyfin data remote";
# after = ["network-online.target"]; # after = ["network-online.target"];
# requires = ["network-online.target"]; # requires = ["network-online.target"];
# requiredBy = ["jellyfin.service"]; # requiredBy = ["jellyfin.service"];
# serviceConfig = { # serviceConfig = {
# Type = "notify"; # Type = "notify";
# ExecStartPre = "/usr/bin/env mkdir -p /mnt/jellyfin"; # ExecStartPre = "/usr/bin/env mkdir -p /mnt/jellyfin";
# ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --allow-other --transfers=32 --dir-cache-time 72h --vfs-cache-mode writes --vfs-cache-max-size 2G jellyfin: /mnt/jellyfin"; # ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --allow-other --transfers=32 --dir-cache-time 72h --vfs-cache-mode writes --vfs-cache-max-size 2G jellyfin: /mnt/jellyfin";
# ExecStop = "${pkgs.fuse}/bin/fusermount -u /mnt/jellyfin"; # ExecStop = "${pkgs.fuse}/bin/fusermount -u /mnt/jellyfin";
# EnvironmentFile = config.sops.secrets."rclone/env".path; # EnvironmentFile = config.sops.secrets."rclone/env".path;
# }; # };
# }; # };
programs.fuse.userAllowOther = true; programs.fuse.userAllowOther = true;
} }


@ -1,4 +1,5 @@
{...}: { { ... }:
{
services.redlib = { services.redlib = {
enable = true; enable = true;
port = 8087; port = 8087;


@ -1,4 +1,5 @@
{...}: { { ... }:
{
services.tor = { services.tor = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;


@ -1,4 +1,5 @@
{config, ...}: { { config, ... }:
{
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "postgresql"; dbBackend = "postgresql";


@ -2,16 +2,20 @@
pkgs, pkgs,
config, config,
... ...
}: { }:
{
networking.nat = { networking.nat = {
enable = true; enable = true;
enableIPv6 = true; enableIPv6 = true;
externalInterface = "ens18"; externalInterface = "ens18";
internalInterfaces = ["wg0"]; internalInterfaces = [ "wg0" ];
}; };
networking.wg-quick.interfaces.wg0 = { networking.wg-quick.interfaces.wg0 = {
address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"]; address = [
"10.0.0.1/24"
"fdc9:281f:04d7:9ee9::1/64"
];
listenPort = 51820; listenPort = 51820;
privateKeyFile = config.sops.secrets."wireguard/private".path; privateKeyFile = config.sops.secrets."wireguard/private".path;
postUp = '' postUp = ''
@ -33,12 +37,18 @@
peers = [ peers = [
{ {
publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g="; publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"]; allowedIPs = [
"10.0.0.2/32"
"fdc9:281f:04d7:9ee9::2/128"
];
presharedKeyFile = config.sops.secrets."wireguard/psk-yt".path; presharedKeyFile = config.sops.secrets."wireguard/psk-yt".path;
} }
{ {
publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k="; publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"]; allowedIPs = [
"10.0.0.3/32"
"fdc9:281f:04d7:9ee9::3/128"
];
presharedKeyFile = config.sops.secrets."wireguard/psk-phone".path; presharedKeyFile = config.sops.secrets."wireguard/psk-phone".path;
} }
]; ];


@ -1,4 +1,5 @@
{...}: { { ... }:
{
nix = { nix = {
settings = { settings = {
experimental-features = "nix-command flakes"; experimental-features = "nix-command flakes";
@ -8,7 +9,7 @@
channel.enable = false; channel.enable = false;
optimise = { optimise = {
automatic = true; automatic = true;
dates = ["03:45"]; dates = [ "03:45" ];
}; };
gc = { gc = {
automatic = true; automatic = true;


@ -2,7 +2,8 @@
config, config,
pkgs, pkgs,
... ...
}: { }:
{
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../common.nix ../common.nix
@ -53,11 +54,14 @@
dns = "none"; dns = "none";
wifi.backend = "iwd"; wifi.backend = "iwd";
}; };
nameservers = ["31.59.129.225" "2a0f:85c1:840:2bfb::1"]; nameservers = [
"31.59.129.225"
"2a0f:85c1:840:2bfb::1"
];
resolvconf.enable = true; resolvconf.enable = true;
firewall = { firewall = {
allowedUDPPorts = [51820]; # for wireguard allowedUDPPorts = [ 51820 ]; # for wireguard
trustedInterfaces = ["wg0"]; trustedInterfaces = [ "wg0" ];
}; };
}; };
programs.nm-applet.enable = true; programs.nm-applet.enable = true;
@ -76,7 +80,10 @@
"bluez5.enable-sbc-xq" = true; "bluez5.enable-sbc-xq" = true;
"bluez5.enable-msbc" = true; "bluez5.enable-msbc" = true;
"bluez5.enable-hw-volume" = true; "bluez5.enable-hw-volume" = true;
"bluez5.roles" = ["a2dp_sink" "a2dp_source"]; "bluez5.roles" = [
"a2dp_sink"
"a2dp_source"
];
}; };
}; };
# https://wiki.archlinux.org/title/Bluetooth_headset#Connecting_works,_sound_plays_fine_until_headphones_become_idle,_then_stutters # https://wiki.archlinux.org/title/Bluetooth_headset#Connecting_works,_sound_plays_fine_until_headphones_become_idle,_then_stutters
@ -100,7 +107,11 @@
users.users.yt = { users.users.yt = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["wheel" "libvirtd" "docker"]; extraGroups = [
"wheel"
"libvirtd"
"docker"
];
shell = pkgs.zsh; shell = pkgs.zsh;
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
@ -168,7 +179,14 @@
programs.sway.enable = true; programs.sway.enable = true;
services.borgbackup.jobs.ytnixRsync = { services.borgbackup.jobs.ytnixRsync = {
paths = ["/root" "/home" "/var/lib" "/var/log" "/opt" "/etc"]; paths = [
"/root"
"/home"
"/var/lib"
"/var/log"
"/opt"
"/etc"
];
exclude = [ exclude = [
"**/.cache" "**/.cache"
"**/node_modules" "**/node_modules"
@ -194,11 +212,13 @@
}; };
compression = "auto,zstd"; compression = "auto,zstd";
startAt = "daily"; startAt = "daily";
extraCreateArgs = ["--stats"]; extraCreateArgs = [ "--stats" ];
# warnings are often not that serious # warnings are often not that serious
failOnWarnings = false; failOnWarnings = false;
postHook = '' postHook = ''
${pkgs.curl}/bin/curl -u $(cat ${config.sops.secrets."services/ntfy".path}) -d "ytnixRsync: backup completed with exit code: $exitStatus ${pkgs.curl}/bin/curl -u $(cat ${
config.sops.secrets."services/ntfy".path
}) -d "ytnixRsync: backup completed with exit code: $exitStatus
$(journalctl -u borgbackup-job-ytnixRsync.service|tail -n 5)" \ $(journalctl -u borgbackup-job-ytnixRsync.service|tail -n 5)" \
https://ntfy.cything.io/chunk https://ntfy.cything.io/chunk
''; '';
@ -211,8 +231,8 @@
snapshot_preserve_min = "2d"; snapshot_preserve_min = "2d";
snapshot_dir = "/snapshots"; snapshot_dir = "/snapshots";
subvolume = { subvolume = {
"/home" = {}; "/home" = { };
"/" = {}; "/" = { };
}; };
}; };
}; };
@ -286,12 +306,18 @@
# wireguard setup # wireguard setup
networking.wg-quick.interfaces.wg0 = { networking.wg-quick.interfaces.wg0 = {
address = ["10.0.0.2/24" "fdc9:281f:04d7:9ee9::2/64"]; address = [
"10.0.0.2/24"
"fdc9:281f:04d7:9ee9::2/64"
];
privateKeyFile = config.sops.secrets."wireguard/private".path; privateKeyFile = config.sops.secrets."wireguard/private".path;
peers = [ peers = [
{ {
publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0="; publicKey = "a16/F/wP7HQIUtFywebqPSXQAktPsLgsMLH9ZfevMy0=";
allowedIPs = ["0.0.0.0/0" "::/0"]; allowedIPs = [
"0.0.0.0/0"
"::/0"
];
endpoint = "31.59.129.225:51820"; endpoint = "31.59.129.225:51820";
persistentKeepalive = 25; persistentKeepalive = 25;
presharedKeyFile = config.sops.secrets."wireguard/psk".path; presharedKeyFile = config.sops.secrets."wireguard/psk".path;


@ -7,42 +7,63 @@
pkgs, pkgs,
modulesPath, modulesPath,
... ...
}: { }:
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod"]; {
boot.initrd.kernelModules = []; boot.initrd.availableKernelModules = [
boot.kernelModules = ["kvm-intel"]; "xhci_pci"
boot.extraModulePackages = []; "ahci"
"nvme"
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3"; device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
fsType = "btrfs"; fsType = "btrfs";
options = ["subvol=root" "compress=zstd"]; options = [
"subvol=root"
"compress=zstd"
];
}; };
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/c6098a16-c8a6-4a97-8648-6f46ca919d13"; boot.initrd.luks.devices."cryptroot".device =
"/dev/disk/by-uuid/c6098a16-c8a6-4a97-8648-6f46ca919d13";
fileSystems."/home" = { fileSystems."/home" = {
device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3"; device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
fsType = "btrfs"; fsType = "btrfs";
options = ["subvol=home" "compress=zstd"]; options = [
"subvol=home"
"compress=zstd"
];
}; };
fileSystems."/nix" = { fileSystems."/nix" = {
device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3"; device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
fsType = "btrfs"; fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime"]; options = [
"subvol=nix"
"compress=zstd"
"noatime"
];
}; };
fileSystems."/swap" = { fileSystems."/swap" = {
device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3"; device = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
fsType = "btrfs"; fsType = "btrfs";
options = ["subvol=swap"]; options = [ "subvol=swap" ];
}; };
fileSystems."/boot" = { fileSystems."/boot" = {
device = "/dev/disk/by-uuid/29B7-F46D"; device = "/dev/disk/by-uuid/29B7-F46D";
fsType = "vfat"; fsType = "vfat";
options = ["fmask=0022" "dmask=0022"]; options = [
"fmask=0022"
"dmask=0022"
];
}; };
swapDevices = [ swapDevices = [
@ -52,7 +73,7 @@
]; ];
boot.resumeDevice = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3"; boot.resumeDevice = "/dev/disk/by-uuid/17870658-6118-46af-837f-70c9175e09c3";
boot.kernelParams = ["resume_offset=53224704"]; boot.kernelParams = [ "resume_offset=53224704" ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's