nix
/
System
2
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

rewrite to be more module based

This commit is contained in:
Nathan McCarty 2022-06-23 02:57:41 -04:00
parent f62e627c5e
commit 43c78acc15
Signed by: thatonelutenist
GPG Key ID: D70DA3DD4D1E9F96
84 changed files with 1642 additions and 3325 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
applications/communications.nix
View File

@ -1,96 +0,0 @@
# Communications software
{ config, pkgs, unstable, ... }:
{
# Pull in personal overlay
# nixpkgs.overlays = [ (import ../../overlays/personal/overlay.nix) ];
environment.systemPackages = with pkgs;
let
enableWayland = drv: bin: drv.overrideAttrs (
old: {
nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ];
postFixup = (old.postFixup or "") + ''
wrapProgram $out/bin/${bin} \
--add-flags "--enable-features=UseOzonePlatform" \
--add-flags "--ozone-platform=wayland"
'';
}
);
## Wayland workaround chromium desktop items
# Facebook messenger
fbChromeDesktopItem = pkgs.makeDesktopItem {
name = "messenger-chrome";
desktopName = "Messenger (chrome)";
exec = "${pkgs.chromium}/bin/chromium --enable-features=UseOzonePlatform -ozone-platform=wayland --app=\"https://messenger.com\"";
terminal = false;
};
# Teams
teamsItem = pkgs.makeDesktopItem {
name = "teams-wayland";
desktopName = "Teams (Wayland)";
exec = "${pkgs.chromium}/bin/chromium --enable-features=UseOzonePlatform -ozone-platform=wayland --app=\"https://teams.microsoft.com\"";
terminal = false;
};
# Discord
discordWayland = pkgs.callPackage ../packages/discord/default.nix rec {
pname = "discord-electron";
binaryName = "Discord";
desktopName = "Discord (Wayland)";
version = "0.0.18";
src = fetchurl {
url = "https://dl.discordapp.net/apps/linux/${version}/discord-${version}.tar.gz";
hash = "sha256-BBc4n6Q3xuBE13JS3gz/6EcwdOWW57NLp2saOlwOgMI=";
};
electron = pkgs.electron_13;
};
## Pass wayland options to existing applications
signalWaylandItem = pkgs.makeDesktopItem {
name = "signal-desktop-wayland";
desktopName = "Signal (Wayland)";
exec = "${unstable.signal-desktop}/bin/signal-desktop --enable-features=UseOzonePlatform -ozone-platform=wayland";
terminal = false;
icon = "signal-desktop";
type = "Application";
};
zulipWayland = pkgs.makeDesktopItem {
name = "zulip-wayland";
desktopName = "Zulip (Wayland)";
exec = "${unstable.zulip}/bin/zulip --enable-features=UseOzonePlatform --ozone-platform=wayland";
terminal = false;
icon = "zulip";
type = "Application";
};
in
[
# Discord
discordWayland
unstable.betterdiscordctl
# Desktop matrix client
(enableWayland element-desktop "element-desktop")
# Desktop signal client
(enableWayland signal-desktop "signal-desktop")
# Desktop telegram client
tdesktop
# Desktop mastodon client
tootle
# zulip
unstable.zulip
zulipWayland
# Zoom (for work, sadly)
unstable.zoom-us
# Teams (also for work)
unstable.teams
# chromium
chromium
# Wayland workaround packages
fbChromeDesktopItem
teamsItem
];
# Work around for discord jank ugh
nixpkgs.config.permittedInsecurePackages = [
"electron-13.6.9"
];
}

10
applications/devel-core-linux.nix
View File

@ -1,10 +0,0 @@
# Linux Specific Core development libraries
{ config, pkgs, unstable, ... }:
{
environment.systemPackages = with pkgs; [
gcc
binutils
clang
unstable.mold
];
}

31
applications/devel-core.nix
View File

@ -1,31 +0,0 @@
# Core development libraries
{ config, pkgs, unstable, ... }:
{
environment.systemPackages = with pkgs; [
# Full version of git
unstable.gitFull
# Git addons
git-secret
unstable.git-lfs
delta
# General development requirements
python3Full
cmake
libtool
gnumake
nixpkgs-fmt
# jq for interacting with JSON
jq
jc
# Viewer for deeply nested JSON
fx
# Direnv for nix-shell niceness
direnv
# Sops for secrets
sops
# Just in case
neovim
# For python
nodePackages.pyright
];
}

10
applications/devel-js.nix
View File

@ -1,10 +0,0 @@
{ config, unstable, pkgs, ... }:
{
environment.systemPackages = with unstable; [
nodejs
yarn
nodePackages.typescript
deno
];
}

12
applications/devel-kotlin.nix
View File

@ -1,12 +0,0 @@
{ config, lib, pkgs, java, unstable, ... }:
{
environment.systemPackages = with unstable; [
java.packages.${system}.semeru-stable
gradle
kotlin
kotlin-native
kotlin-language-server
ktlint
];
}

8
applications/devel-raku.nix
View File

@ -1,8 +0,0 @@
{ config, lib, pkgs, unstable, ... }:
{
environment.systemPackages = with unstable; [
rakudo
zef
];
}

27
applications/devel-rust.nix
View File

@ -1,27 +0,0 @@
# Utilities for developing in rust
{ config, pkgs, unstable, fenix, ... }:
{
environment.systemPackages = with pkgs; [
# Use rustup to get the compiler
rustup
# Install the latest rust analyzer
fenix.packages."${system}".rust-analyzer
# Sccache for faster builds
sccache
# Misc cargo utilites
cargo-binutils # Allow invoking the llvm tools included with the toolchain
cargo-edit # Command line Cargo.toml manipulation
cargo-asm # Dump the generated assembly
cargo-fuzz # front end for fuzz testing rust
cargo-license # Audit the licenses of dependencies
cargo-criterion # Benchmarking front end
cargo-audit # Check dependencies for known CVEs
cargo-bloat # Find out what's taking up space in the executable
cargo-udeps # Find unused dependencies
cargo-expand # Dump expanded macros
unstable.cargo-tarpaulin # Code coverage
cargo-play # Quickly execute code outside of a crate
# For building stuff that uses protocol buffers
protobuf
];
}

28
applications/emacs.nix
View File

@ -1,28 +0,0 @@
{ config, pkgs, doomEmacs, ... }:
{
# Install emacs
environment.systemPackages = with pkgs; [
# For markdown rendering
python39Packages.grip
# For graph generation
graphviz
];
# Utilize home-manager
home-manager.users.nathan = {
# Nixify doomEmacs
# TODO:Reenable, currently off because of ghub
imports = [ doomEmacs ];
programs.doom-emacs = {
enable = true;
doomPrivateDir = ../doom.d;
emacsPackage = pkgs.emacsPgtkNativeComp;
};
# Startup service
services.emacs = {
enable = pkgs.stdenv.isLinux;
client.enable = true;
defaultEditor = true;
};
};
}

16
applications/image-editing.nix
View File

@ -1,16 +0,0 @@
# Image editing applications
{ config, pkgs, unstable, ... }:
{
environment.systemPackages = with pkgs; [
# RawTherapee for raw editing
unstable.rawtherapee
# Gimp for complex editing
unstable.gimp-with-plugins
# Krita for drawing
unstable.krita
# Pinta for basic image editing
unstable.pinta
# Command line tools for image conversion and handling
imagemagickBig
];
}

163
applications/media.nix
View File

@ -1,163 +0,0 @@
# Media players and other applications
{ config, pkgs, lib, unstable, ... }:
let
mopidyEnv = pkgs.buildEnv {
name = "mopidy-daemon-environment";
paths = with pkgs; [
mopidy-mpd
mopidy-iris
mopidy-scrobbler
mopidy-local
];
pathsToLink = [ "/${pkgs.mopidyPackages.python.sitePackages}" ];
buildInputs = [ pkgs.makeWrapper ];
postBuild = ''
makeWrapper ${pkgs.mopidy}/bin/mopidy $out/bin/mopidy \
--prefix PYTHONPATH : $out/${pkgs.mopidyPackages.python.sitePackages}
'';
};
mopidyConf = pkgs.writeText "mopidy.conf"
''
[core]
#cache_dir = $XDG_CACHE_DIR/mopidy
#config_dir = $XDG_CONFIG_DIR/mopidy
#data_dir = $XDG_DATA_DIR/mopidy
#max_tracklist_length = 10000
#restore_state = false
[logging]
#verbosity = 0
#format = %(levelname)-8s %(asctime)s [%(process)d:%(threadName)s] %(name)s\n %(message)s
#color = true
#config_file =
[audio]
#mixer = software
#mixer_volume =
#output = autoaudiosink
#buffer_time =
[proxy]
#scheme =
#hostname =
#port =
#username =
#password =
[file]
enabled = true
media_dirs =
~/Music
# $XDG_MUSIC_DIR|Music
#excluded_file_extensions =
# .directory
# .html
# .jpeg
# .jpg
# .log
# .nfo
# .pdf
# .png
# .txt
# .zip
#show_dotfiles = false
#follow_symlinks = false
#metadata_timeout = 1000
[local]
media_dir = /home/nathan/Music
[http]
#enabled = true
#hostname = 127.0.0.1
#port = 6680
#zeroconf = Mopidy HTTP server on $hostname
#allowed_origins =
#csrf_protection = true
#default_app = mopidy
[m3u]
#enabled = true
#base_dir = $XDG_MUSIC_DIR
#default_encoding = latin-1
#default_extension = .m3u8
#playlists_dir =
[softwaremixer]
#enabled = true
[stream]
#enabled = true
#protocols =
# http
# https
# mms
# rtmp
# rtmps
# rtsp
#metadata_blacklist =
#timeout = 5000
[mpd]
enabled = true
'';
in
{
environment.systemPackages =
let
## Wrapper around iris
irisDesktopItem = pkgs.makeDesktopItem {
name = "iris";
desktopName = "Iris";
exec = "${pkgs.chromium}/bin/chromium --enable-features=UseOzonePlatform -ozone-platform=wayland --app=\"http://localhost:6680/iris/\"";
terminal = false;
};
in
with pkgs; [
# Spotify
spotify
# Latest version of vlc
unstable.vlc
# Plex client
plex-media-player
# OBS studio for screen recording
unstable.obs-studio
# Soulseek client
nicotine-plus
# Mopidy + extensions
mopidyEnv
# Iris desktop client
irisDesktopItem
# Picard for sorting
unstable.picard
];
# Start mopidy as a user service, for sanity
systemd.user.services.mopidy = {
description = "Mopidy music server";
wantedBy = [ "graphical-session.target" ];
partOf = [ "graphical-session.target" ];
serviceConfig = {
ExecStart = "${mopidyEnv}/bin/mopidy --config ${lib.concatStringsSep ":" [mopidyConf config.sops.secrets.lastfm-conf.path]}";
};
wants = [ "rclone-music.service" ];
enable = true;
};
# Load up lastfm scrobbling secret
sops.secrets.lastfm-conf = {
owner = "nathan";
format = "binary";
sopsFile = ../secrets/lastfm.conf;
};
# Same for the scanning service
systemd.user.services.mopidy-scan = {
description = "Mopidy files local scanner";
serviceConfig = {
ExecStart = "${mopidyEnv}/bin/mopidy local scan";
Type = "oneshot";
};
wants = [ "rclone-music.service" ];
};
}

20
applications/syncthing.nix
View File

@ -1,20 +0,0 @@
{ config, pkgs, unstable, ... }:
{
# Install synthing and syncthing-tray
environment.systemPackages = with pkgs; [
syncthing
unstable.syncthingtray
];
# Home manager configuration
home-manager.users.nathan = {
# Enable the service for both syncthing and the tray
services.syncthing = {
enable = true;
tray = {
enable = true;
package = unstable.syncthingtray;
command = "syncthingtray --wait";
};
};
};
}

56
applications/utils-core.nix
View File

@ -1,56 +0,0 @@
# Basic, must have, command-line utilities
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
# Basic command line utilities
wget
tmux
nano
unzip
any-nix-shell
htop
# Spell check
hunspell
hunspellDicts.en-us
# Rust rewrites of common shell utilities
starship
exa
bat
fd
sd
du-dust
ripgrep
ripgrep-all
tokei
hyperfine
bottom
dogdns
duf
# CLI Markdown renderer
glow
# Command line file manager
broot
# Much better curl
httpie
# CLI spreadsheets
visidata
# User friendly cut
choose
# Cheatsheet manager
cheat
# Ping with a graph
gping
# Man but terse
tealdeer
# Pandoc for documentation
pandoc
# For nslookup
dnsutils
# Feh image viewer
feh
# Mosh for better high-latency ssh
mosh
# PV for viewing pipes
pv
];
}

10
common.nix
View File

@ -1,10 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./ssh.nix
./fish.nix
./git.nix
];
programs.home-manager.enable = true;
}

3
core.nix Normal file
View File

@ -0,0 +1,3 @@
{ config, lib, pkgs, ... }:
{ }

37
darwin-modules/base.nix
View File

@ -1,37 +0,0 @@
{ config, pkgs, ... }:
{
# List packages installed in system profile. To search by name, run:
# $ nix-env -qaP | grep wget
environment.systemPackages = with pkgs;
[
openssh
coreutils-full
];
# Use a custom configuration.nix location.
# $ darwin-rebuild switch -I darwin-config=$HOME/.config/nixpkgs/darwin/configuration.nix
# environment.darwinConfig = "$HOME/.config/nixpkgs/darwin/configuration.nix";
# Auto upgrade nix package and the daemon service.
services.nix-daemon.enable = true;
# Create /etc/bashrc that loads the nix-darwin environment.
programs.zsh.enable = true; # default shell on catalina
programs.fish.enable = true;
# Give nix packages higher priority than system packages in fish
programs.fish.shellInit = ''
for p in /run/current-system/sw/bin
if not contains $p $fish_user_paths
set -g fish_user_paths $p $fish_user_paths
end
end
'';
# Make nix managed fonts work on macos
fonts.fontDir.enable = true;
# Used for backwards compatibility, please read the changelog before changing.
# $ darwin-rebuild changelog
system.stateVersion = 4;
}

24
darwin-modules/gpg.nix
View File

@ -1,24 +0,0 @@
# Configure gpg with yubikey support
{ config, pkgs, ... }:
{
# Setup environment for gpg agent
environment.shellInit = ''
export GPG_TTY="$(tty)"
gpg-connect-agent /bye
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
programs = {
# Enable gpg-agent with ssh support
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
# install gnupg and yubikey personalization
environment.systemPackages = with pkgs; [
gnupg
yubikey-personalization
];
}

40
desktop.nix
View File

@ -1,40 +0,0 @@
{ pkgs, lib, unstable, ... }: {
## Boot, drivers, and host name
# Use grub
boot.loader = {
grub = {
enable = true;
version = 2;
efiSupport = true;
# Go efi only
device = "nodev";
# Use os-prober
useOSProber = true;
};
efi = {
efiSysMountPoint = "/boot/";
canTouchEfiVariables = true;
};
};
# Enable AMD gpu drivers early
boot.initrd.kernelModules = [ "amdgpu" ];
# Use the zen kernel with muqss turned on
boot.kernelPackages =
let
linuxZenWMuQSS = pkgs.linuxPackagesFor (pkgs.linuxPackages_zen.kernel.override {
structuredExtraConfig = with lib.kernel; {
SCHED_MUQSS = yes;
};
ignoreConfigErrors = true;
}
);
in
linuxZenWMuQSS;
## Left over uncategorized packages
environment.systemPackages = with pkgs; [
unstable.firefox-beta-bin
wally-cli
];
# Enable ergodox udev rules
hardware.keyboard.zsa.enable = true;
}

115
droid.nix
View File

@ -1,115 +0,0 @@
{ config, lib, pkgs, unstable, fenix, ... }:
{
system.stateVersion = "21.11";
environment.sessionVariables = {
XDG_RUNTIME_DIR = "/data/data/com.termux.nix/files/home/run";
GDK_DPI_SCALE = "2";
GDK_SCALE = "2";
};
# Get home-manager up and running
home-manager.config = ./home-manager/common.nix;
# Have to put packages here, as it does not have environment.systemPackages
environment.packages = with pkgs;
[
###
## utils-core
###
# Basic command line utilities
wget
tmux
nano
unzip
any-nix-shell
htop
# Spell check
hunspell
hunspellDicts.en-us
# Rust rewrites of common shell utilities
starship
exa
bat
fd
sd
du-dust
ripgrep
ripgrep-all
tokei
hyperfine
unstable.bottom
dogdns
duf
# CLI Markdown renderer
glow
# Command line file manager
broot
# Much better curl
unstable.httpie
# CLI spreadsheets
visidata
# User friendly cut
choose
# Cheatsheet manager
cheat
# Ping with a graph
gping
# Man but terse
tealdeer
# Pandoc for documentation
unstable.pandoc
# For nslookup
dnsutils
# Feh image viewer
feh
# Mosh for better high-latency ssh
mosh
###
## devel-core
###
# Full version of git
git
# Git addons
git-secret
git-lfs
delta
# General development requirements
python3Full
cmake
libtool
gnumake
nixpkgs-fmt
# jq for interacting with JSON
jq
jc
# Viewer for deeply nested JSON
fx
# Direnv for nix-shell niceness
direnv
###
## devel-rust
###
# Use rustup to get the compiler
rustup
# Install the latest rust analyzer
fenix.rust-analyzer
# Sccache for faster builds
# sccache
# Misc cargo utilites
cargo-binutils # Allow invoking the llvm tools included with the toolchain
cargo-edit # Command line Cargo.toml manipulation
cargo-asm # Dump the generated assembly
cargo-fuzz # front end for fuzz testing rust
cargo-license # Audit the licenses of dependencies
cargo-criterion # Benchmarking front end
cargo-audit # Check dependencies for known CVEs
cargo-bloat # Find out what's taking up space in the executable
cargo-udeps # Find unused dependencies
cargo-expand # Dump expanded macros
cargo-play # Quickly execute code outside of a crate
# For building stuff that uses protocol buffers
protobuf
];
}

132
flake.lock
View File

@ -62,17 +62,16 @@
]
},
"locked": {
"lastModified": 1655120294,
"narHash": "sha256-e0IXVoxH3o1QbLtHxANAg2CHdVE3jZBi5ifhh+6Vpcs=",
"lastModified": 1656648158,
"narHash": "sha256-e4tPuEW8Uj8PEVAYNzr3DPqxY5mGEvnCNyDih8RPP5c=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "29dcfbc1b29ae7281e95367e0f2358b44224a46e",
"rev": "2724625945ddeaeffd94ca56e11b75b98b8bba8b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "29dcfbc1b29ae7281e95367e0f2358b44224a46e",
"type": "github"
}
},
@ -162,11 +161,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1655619932,
"narHash": "sha256-/7L0/ymVXGL0FrQNLAP2P1Ch22RR0kt0N6jfdjm+WVc=",
"lastModified": 1656656878,
"narHash": "sha256-0rA054abuLVzv24nrk4rVWQIDl20T+570UZglPhXgzg=",
"owner": "nix-community",
"repo": "fenix",
"rev": "55987185def5cf3afc616d38907406293a170cfe",
"rev": "e172d625f705ca4013f93d3fe061d3ecf1fc3a34",
"type": "github"
},
"original": {
@ -191,29 +190,13 @@
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"lastModified": 1656065134,
"narHash": "sha256-oc6E6ByIw3oJaIyc67maaFcnjYOz1mMcOtHxbEf9NwQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"rev": "bee6a7250dd1b01844a2de7e02e4df7d8a0a206c",
"type": "github"
},
"original": {
@ -256,20 +239,17 @@
},
"home-manager": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
"nmd": "nmd",
"nmt": "nmt",
"utils": "utils"
},
"locked": {
"lastModified": 1655679417,
"narHash": "sha256-rUM/VDIQAMm0pLAVBizQoR9I8TELRmak7SsJLaO/NBg=",
"lastModified": 1656367977,
"narHash": "sha256-0hV17V9Up9pnAtPJ+787FhrsPnawxoTPA/VxgjRMrjc=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3d8265c5efd5e4d3ad8a90686bc81d49353fdb08",
"rev": "3bf16c0fd141c28312be52945d1543f9ce557bb1",
"type": "github"
},
"original": {
@ -286,11 +266,11 @@
"utils": "utils_2"
},
"locked": {
"lastModified": 1655182547,
"narHash": "sha256-gmkb6l13CVKtlRydDJ9O3sifKtamKLgLdUaEASdQ6Ls=",
"lastModified": 1656122108,
"narHash": "sha256-wJrVZLqvBhq+u2Mi3yc4oS8pOtzdxL6uMmmSt+1bNHE=",
"owner": "nathans-flakes",
"repo": "java",
"rev": "8e53bfead6195e4440aef47b2f08b0e7f89b1d4d",
"rev": "4ade2ae9e949b184ba2d47495ec348f385ab0300",
"type": "github"
},
"original": {
@ -390,11 +370,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1655400192,
"narHash": "sha256-49OBVVRgb9H/PSmNT9W61+NRdDbuSJVuDDflwXlaUKU=",
"lastModified": 1656461576,
"narHash": "sha256-rlmmw6lIlkMQIiB+NsnO8wQYWTfle8TA41UREPLP5VY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "3d7435c638baffaa826b85459df0fff47f12317d",
"rev": "cf3ab54b4afe2b7477faa1dd0b65bf74c055d70c",
"type": "github"
},
"original": {
@ -406,11 +386,11 @@
},
"nixpkgs-21_11": {
"locked": {
"lastModified": 1655562720,
"narHash": "sha256-OrN8DkBRZqZMzMuECuQNvSQ5gWoFBCxDvxYXjIQ/pH0=",
"lastModified": 1656198488,
"narHash": "sha256-xe81o3Kin6a0jXA3mTxcR+jeA1jLKw3TCar5LUo/B5c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "27dffce7eaa9648b4a13a461e786f169a17c0889",
"rev": "46af3303651699dc58cfc251d9b18c0f59d857da",
"type": "github"
},
"original": {
@ -422,11 +402,11 @@
},
"nixpkgs-22_05": {
"locked": {
"lastModified": 1655584987,
"narHash": "sha256-YmWxPm6ctu+9nV80DtYtMfOBosNymeTpj8+Z0JTDfhU=",
"lastModified": 1656199498,
"narHash": "sha256-/BCpM7j7y1G4het6Z3idlnv9A87/s0O1glVmH7fnWvk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "57622cb817210146b379adbbd036d3da0d1f367c",
"rev": "72a1f167077060a1a7b6e0104863245d0483fa7f",
"type": "github"
},
"original": {
@ -438,11 +418,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1655567057,
"narHash": "sha256-Cc5hQSMsTzOHmZnYm8OSJ5RNUp22bd5NADWLHorULWQ=",
"lastModified": 1656461576,
"narHash": "sha256-rlmmw6lIlkMQIiB+NsnO8wQYWTfle8TA41UREPLP5VY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e0a42267f73ea52adc061a64650fddc59906fc99",
"rev": "cf3ab54b4afe2b7477faa1dd0b65bf74c055d70c",
"type": "github"
},
"original": {
@ -454,11 +434,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1655456688,
"narHash": "sha256-j2trI5gv2fnHdfUQFBy957avCPxxzCqE8R+TOYHPSRE=",
"lastModified": 1656589841,
"narHash": "sha256-Kqd6r9aNIzjYGhMFYATdKwRbXBCGLcdqAJMLr4I8LG0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d17a56d90ecbd1b8fc908d49598fb854ef188461",
"rev": "dbb62c34bbb5cdf05f1aeab07638b24b0824d605",
"type": "github"
},
"original": {
@ -468,38 +448,6 @@
"type": "github"
}
},
"nmd": {
"flake": false,
"locked": {
"lastModified": 1653339422,
"narHash": "sha256-8nc7lcYOgih3YEmRMlBwZaLLJYpLPYKBlewqHqx8ieg=",
"owner": "rycee",
"repo": "nmd",
"rev": "9e7a20e6ee3f6751f699f79c0b299390f81f7bcd",
"type": "gitlab"
},
"original": {
"owner": "rycee",
"repo": "nmd",
"type": "gitlab"
}
},
"nmt": {
"flake": false,
"locked": {
"lastModified": 1648075362,
"narHash": "sha256-u36WgzoA84dMVsGXzml4wZ5ckGgfnvS0ryzo/3zn/Pc=",
"owner": "rycee",
"repo": "nmt",
"rev": "d83601002c99b78c89ea80e5e6ba21addcfe12ae",
"type": "gitlab"
},
"original": {
"owner": "rycee",
"repo": "nmt",
"type": "gitlab"
}
},
"nose": {
"flake": false,
"locked": {
@ -598,18 +546,18 @@
},
"polymc": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-compat": "flake-compat",
"libnbtplusplus": "libnbtplusplus",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1655285534,
"narHash": "sha256-g1WTrnRD1YtI2aCVUqatg7NlhmLJ7jIA4p0ke9Zpvx0=",
"lastModified": 1656582643,
"narHash": "sha256-TC7tkdgpvConambYP1yoVjxxixZkMhkrdfHDKMKIyKE=",
"owner": "PolyMC",
"repo": "PolyMC",
"rev": "03e454b71d83aebbb534c5734ccd9093842da28c",
"rev": "286f82cc99322398d720f2bbf88869c42960227d",
"type": "github"
},
"original": {
@ -668,11 +616,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1655591884,
"narHash": "sha256-eBjsdPC5vudbUv4/i7AAggrrTATnCTzMfQetCiJndaQ=",
"lastModified": 1656601302,
"narHash": "sha256-8vlDMdGmccsFkDTM5O3RGRTZIGBEVIDjnXpxWGoVIQc=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "eb9b36075272013984ac5d27128e87a714b90c9a",
"rev": "ce36446943a33b01de50ca27d8d17e176af13cd5",
"type": "github"
},
"original": {
@ -691,11 +639,11 @@
"nixpkgs-22_05": "nixpkgs-22_05"
},
"locked": {
"lastModified": 1655665732,
"narHash": "sha256-Fe+evSlGbMOMNSI9dECLDJx6L3ZvYFxosfaDnaPwSK8=",
"lastModified": 1656399028,
"narHash": "sha256-re66+rVHGR3y+0QsaDAwoAHCfoi3BlGV24t2EqRZsAE=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "67af9b179c629dea211ebd83f92c77f5745043be",
"rev": "d26947f2d6252e2aae5ffddfe9b38b7c4b94e8f9",
"type": "github"
},
"original": {

350
flake.nix
View File

@ -9,7 +9,7 @@
inputs.nixpgks.follows = "nixpkgs";
};
emacs = {
url = "github:nix-community/emacs-overlay/29dcfbc1b29ae7281e95367e0f2358b44224a46e";
url = "github:nix-community/emacs-overlay";
inputs.nixpkgs.follows = "nixpkgs";
};
mozilla = {
@ -56,245 +56,131 @@
, polymc
, nix-doom-emacs
, java
}@attrs:
}@inputs:
let
baseModules = [
./applications/utils-core.nix
## Setup binary caches and other common nix config
({ pkgs, ... }: {
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# First install cachix, so we can discover new ones
environment.systemPackages = [ pkgs.cachix ];
# Then configure up the nix community cache
nix = {
binaryCaches = [
"https://nix-community.cachix.org"
];
binaryCachePublicKeys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
# Turn on flakes support (from within a flake, lamo)
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
# Setup overlays
nixpkgs.overlays = [ emacs.overlay polymc.overlay ];
})
];
sopsModules = [
sops-nix.nixosModules.sops
## Setup sops
({ pkgs, config, ... }: {
# Add default secrets
sops.defaultSopsFile = ./secrets/nathan.yaml;
# Use system ssh key as an age key
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
})
];
coreModules = baseModules ++ sopsModules ++ [
./modules/common.nix
./modules/ssh.nix
home-manager.nixosModules.home-manager
# Configure system state version for linux
({ pkgs, ... }: {
# System state version for compat
system.stateVersion = "21.11";
})
];
setHomeManagerVersions = ({ pkgs, config, unstable, ... }: {
home-manager.users.nathan.programs = {
starship.package = unstable.starship;
git.package = unstable.gitFull;
fish.package = unstable.fish;
makeNixosSystem = { system, hostName, extraModules ? [ ], ourNixpkgs ? nixpkgs }: ourNixpkgs.lib.nixosSystem {
inherit system;
specialArgs = {
inputs = inputs;
};
});
baseHomeModules = [
{
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
users.nathan = import ./home-manager/common.nix;
};
}
setHomeManagerVersions
./home.nix
];
desktopModules = baseHomeModules ++ coreModules ++ [
./modules/audio.nix
./modules/sway.nix
./modules/fonts.nix
./modules/gpg.nix
./modules/logitech.nix
./modules/qemu.nix
./modules/docker.nix
./modules/printing.nix
./modules/zt.nix
./modules/lxc.nix
./modules/tailscale.nix
./modules/protonmail.nix
./applications/communications.nix
./applications/devel-core.nix
./applications/devel-core-linux.nix
./applications/devel-rust.nix
./applications/devel-raku.nix
./applications/devel-kotlin.nix
./applications/devel-js.nix
./applications/emacs.nix
./applications/image-editing.nix
./applications/media.nix
./applications/syncthing.nix
./desktop.nix
];
serverModules = baseHomeModules ++ coreModules ++ [
./home-linux.nix
./modules/zt.nix
./modules/autoupdate.nix
./modules/tailscale.nix
./applications/devel-core.nix
./applications/devel-core-linux.nix
];
mozillaOverlay = import "${mozilla}";
in
{
nixosConfigurations = {
levitation = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
unstable = import nixpkgs-unstable {
config = { allowUnfree = true; };
overlays = [ mozillaOverlay ];
system = "x86_64-linux";
modules = [
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
./modules/default.nix
({ pkgs, lib, ... }: {
# Configure hostname
networking = {
hostName = hostName;
};
doomEmacs = nix-doom-emacs.hmModule;
} // attrs;
modules = [
./hardware/levitation.nix
./machines/levitation.nix
./modules/games.nix
./home-linux.nix
] ++ desktopModules;
};
oracles = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
unstable = import nixpkgs-unstable {
config = { allowUnfree = true; };
overlays = [ ];
system = "x86_64-linux";
# Setup sops
# Add default secrets
sops = {
defaultSopsFile = ./secrets/nathan.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
} // attrs;
modules = [
./hardware/oracles.nix
./machines/oracles.nix
./applications/devel-rust.nix
./modules/docker.nix
./system-specific/oracles/matrix.nix
./system-specific/oracles/gitlab-runner.nix
./system-specific/oracles/gitea.nix
./system-specific/oracles/minecraft.nix
] ++ serverModules;
};
perception = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
unstable = import nixpkgs-unstable {
config = { allowUnfree = true; };
overlays = [ ];
system = "x86_64-linux";
nixpkgs.config.allowUnfree = true;
nixpkgs.config.allowUnfreePredicate = (pkg: true);
# Home manager configuration
home-manager = {
useUserPackages = true;
useGlobalPkgs = true;
extraSpecialArgs = {
inputs = inputs;
};
sharedModules = [
./home-manager/default.nix
];
};
} // attrs;
modules = [
./hardware/perception.nix
./machines/perception.nix
./applications/devel-rust.nix
./modules/docker.nix
./system-specific/perception/plex.nix
] ++ serverModules;
};
shadowchild = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
unstable = import nixpkgs-unstable {
config = { allowUnfree = true; };
overlays = [ ];
system = "x86_64-linux";
};
} // attrs;
modules = [
./hardware/shadowchild.nix
./machines/shadowchild.nix
./modules/docker.nix
] ++ serverModules;
};
matrix = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
unstable = import nixpkgs-unstable {
config = { allowUnfree = true; };
overlays = [ ];
system = "x86_64-linux";
};
} // attrs;
modules = [
./hardware/matrix.nix
./machines/matrix.nix
./modules/docker.nix
./system-specific/matrix/matrix.nix
./system-specific/matrix/gitea.nix
] ++ serverModules;
};
x86vm = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
unstable = import nixpkgs-unstable {
config = { allowUnfree = true; };
overlays = [ ];
system = "x86_64-linux";
};
} // attrs;
modules = [ ./home-linux.nix ] ++ desktopModules;
};
})
] ++ extraModules;
};
darwinConfigurations = {
"Nathans-MacBook-Pro" = darwin.lib.darwinSystem {
system = "x86_64-darwin";
specialArgs = {
unstable = import nixpkgs-unstable {
config = { allowUnfree = true; };
overlays = [ ];
system = "x86_64-darwin";
};
doomEmacs = nix-doom-emacs.hmModule;
} // attrs;
modules = baseModules ++ baseHomeModules ++ [
./darwin-modules/base.nix
home-manager.darwinModules.home-manager
./modules/fonts.nix
./darwin-modules/gpg.nix
./applications/devel-core.nix
./applications/devel-rust.nix
./applications/emacs.nix
in
rec {
nixosConfigurations = {
levitation = makeNixosSystem {
system = "x86_64-linux";
hostName = "levitation";
extraModules = [
./hardware/levitation.nix
({ pkgs, config, lib, ... }: {
boot.loader = {
grub = {
enable = true;
version = 2;
efiSupport = true;
# Go efi only
devices = [ "nodev" ];
# Use os-prober
useOSProber = true;
};
efi = {
efiSysMountPoint = "/boot/";
canTouchEfiVariables = false;
};
};
# Setup system configuration
nathan = {
programs = {
games = true;
};
config = {
isDesktop = true;
nix.autoUpdate = false;
};
};
# Configure networking
networking = {
domain = "mccarty.io";
useDHCP = false;
interfaces.enp6s0.useDHCP = true;
nat.externalInterface = "enp6s0";
# Open ports for soulseek
# TODO add in soulseek
firewall = {
allowedTCPPorts = [ 61377 ];
allowedUDPPorts = [ 61377 ];
};
};
# FIXME borg backup module
# Setup home manager
home-manager.users.nathan = { config, lib, pkgs, ... }: {
# Module configuration
nathan = {
config = {
isDesktop = true;
};
};
};
})
];
};
x86vm = makeNixosSystem {
system = "x86_64-linux";
hostName = "x86vm";
extraModules = [
"${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
"${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
({ pkgs, config, lib, ... }: {
nathan = {
programs = {
games = true;
};
config = {
isDesktop = true;
nix.autoUpdate = false;
};
};
home-manager.users.nathan = import ./home-manager/machines/x86vm.nix;
# Workaround to get sway working in qemu
environment.variables = {
"WLR_RENDERER" = "pixman";
};
})
];
};
};
homeConfigurations.linux =
let
system = "x86_64-linux";
in
home-manager.lib.homeManagerConfiguration {
configuration = import ./home-manager/linux.nix;
inherit system;
username = "nathan";
homeDirectory = "/home/nathan";
stateVersion = "21.11";
};
};
}

80
home-linux.nix
View File

@ -1,80 +0,0 @@
{ pkgs, config, unstable, ... }:
{
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
## Linux specific user configuration
users = {
mutableUsers = false;
users.nathan = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "audio" "docker" "libvirtd" "uinput" "adbusers" "plugdev" ];
hashedPassword = "$6$ShBAPGwzKZuB7eEv$cbb3erUqtVGFo/Vux9UwT2NkbVG9VGCxJxPiZFYL0DIc3t4GpYxjkM0M7fFnh.6V8MoSKLM/TvOtzdWbYwI58.";
openssh.authorizedKeys.keys = [
# yubikey ssh key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRs6zVljIlQEZ8F+aEBqqbpeFJwCw3JdveZ8TQWfkev cardno:000615938515"
# Macbook pro key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBfkO7kq37RQMT8UE8zQt/vP4Ub7kizLw6niToJwAIe nathan@Nathans-MacBook-Pro.local"
# Phone key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILY7KmG/eFm3hgTx7GBB5jNrV/yryg5C6xcgCxFQhn+o JuiceSSH"
# Tablet key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd+LlxJnluU0xvIMRIz74iypKfcSpQ5/7y2SB4c6SFY JuiceSSH"
];
};
};
# enable sudo
security.sudo.enable = true;
home-manager = {
users.nathan = {
# Alacritty configuration
programs.alacritty = {
enable = true;
settings = {
env = {
TERM = "xterm-256color";
ALACRITTY = "1";
};
font = {
normal.family = "FiraCode Nerd Font";
bold.family = "FiraCode Nerd Font";
italic.family = "FiraCode Nerd Font";
bold_italic.family = "FiraCode Nerd Font";
size = 9.0;
};
colors = {
primary = {
background = "0x103c48";
foreground = "0xadbcbc";
};
normal = {
black = "0x184956";
red = "0xfa5750";
green = "0x75b938";
yellow = "0xdbb32d";
blue = "0x4695f7";
magenta = "0xf275be";
cyan = "0x41c7b9";
white = "0x72898f";
};
bright = {
black = "0x2d5b69";
red = "0xff665c";
green = "0x84c747";
yellow = "0xebc13d";
blue = "0x58a3ff";
magenta = "0xff84cd";
cyan = "0x53d6c7";
white = "0xcad8d9";
};
};
};
};
## Multimedia
# Easyeffects for the eq
services.easyeffects.enable = true;
};
};
}

20
home-manager/bat.nix
View File

@ -1,20 +0,0 @@
{ config, lib, pkgs, ... }:
{
options.nathans-home.bat = with lib; {
enable = mkOption {
type = types.bool;
default = true;
};
};
config = lib.mkIf config.nathans-home.bat.enable {
programs.bat = {
enable = true;
config = {
theme = "zenburn";
style = "header,rule,snip,changes";
};
};
};
}

11
home-manager/common.nix
View File

@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./ssh.nix
./git.nix
./fish.nix
./bat.nix
];
programs.home-manager.enable = true;
}

98
home-manager/default.nix Normal file
View File

@ -0,0 +1,98 @@
{ config, lib, pkgs, inputs, ... }:
let
inherit (import ../modules/lib.nix { inherit lib; inherit pkgs; }) nLib;
in
with lib; with nLib; {
imports = [
./programs/sway.nix
./programs/core.nix
./programs/communications.nix
./programs/devel.nix
./programs/emacs.nix
./programs/image-editing.nix
./programs/media.nix
./programs/syncthing.nix
];
options = {
nathan = {
# Services
services = {
# Synthing, enabled by default on linux desktop
syncthing = mkDefaultOption "Syncthing" (config.nathan.config.isDesktop && pkgs.stdenv.isLinux);
};
# Programs
programs = {
util = {
# Ssh configuration, enabled by default
ssh = mkEnableOptionT "ssh";
# Fish configuration, enabled by default
fish = mkEnableOptionT "fish";
# Git configuration, enabled by default
git = {
enable = mkEnableOptionT "git";
gpgSign = mkEnableOptionT "git signatures";
};
# Bat configuration, enabled by default
bat = mkEnableOptionT "bat";
# JSON Utilities, enabled by default
json = mkEnableOptionT "json";
};
# Swaywm and supoorting application configuration
swaywm = {
enable = mkDefaultOption "swaywm" config.nathan.config.isDesktop;
};
# Communications applications
communications = {
# Enable by default if we are on a linux desktop
enable = mkDefaultOption "Communication applications" (config.nathan.config.isDesktop && pkgs.stdenv.isLinux);
};
# Development applications, enabled by default on desktop
devel = {
core = mkDefaultOption "Core Development Utilites" config.nathan.config.isDesktop;
rust = mkDefaultOption "Rust Development Utilites" config.nathan.config.isDesktop;
jvm = mkDefaultOption "JVM Development Utilites" config.nathan.config.isDesktop;
python = mkDefaultOption "Python Development Utilites" config.nathan.config.isDesktop;
js = mkDefaultOption "JavaScript/TypeScript Development Utilites" config.nathan.config.isDesktop;
raku = mkDefaultOption "Raku Development Utilites" config.nathan.config.isDesktop;
};
# Emacs, enabled by default on desktop
emacs = {
enable = mkDefaultOption "Emacs" config.nathan.config.isDesktop;
service = mkDefaultOption "Emacs Service" config.nathan.config.isDesktop;
package = mkOption {
description = "Emacs package to use";
default = inputs.emacs.packages."${pkgs.system}".emacsPgtkNativeComp;
};
};
# Image editing software, on by default on desktop
image-editing = mkDefaultOption "Image Editing Software" config.nathan.config.isDesktop;
# Media appilcations, on by default on linux desktop
media = {
enable = mkDefaultOption "Media Applications" (config.nathan.config.isDesktop && pkgs.stdenv.isLinux);
mopidyExtraConfig = mkOption {
description = "Extra config files for mopidy";
default = [ ];
};
};
# Firefox, enabled by default on linux desktop
firefox = mkDefaultOption "Firefox" (config.nathan.config.isDesktop && pkgs.stdenv.isLinux);
};
# General configuration options
config = {
# Is this system a desktop?
# false by default
isDesktop = mkEnableOption "Desktop specific settings";
};
};
};
config = {
home.stateVersion = "22.05";
programs.home-manager.enable = true;
programs.firefox = {
enable = config.nathan.programs.firefox;
package = pkgs.firefox-beta-bin;
};
};
}

65
home-manager/fish.nix
View File

@ -1,65 +0,0 @@
{ config, pkgs, lib, ... }:
{
options.nathans-home.fish = with lib; {
enable = mkOption {
type = types.bool;
default = true;
};
};
config = lib.mkIf config.nathans-home.fish.enable {
## Shell
# Shell proper
programs.fish = {
enable = true;
# Setup our aliases
shellAliases = {
ls = "exa --icons";
la = "exa --icons -a";
lg = "exa --icons --git";
cat = "bat";
dig = "dog";
df = "duf";
};
# Custom configuration
interactiveShellInit = ''
# Setup any-nix-shell
any-nix-shell fish --info-right | source
# Load logger function
source ~/.config/fish/functions/cmdlogger.fish
'';
functions = {
# Setup command logging to ~/.logs
cmdlogger = {
onEvent = "fish_preexec";
body = ''
mkdir -p ~/.logs
echo (date -u +"%Y-%m-%dT%H:%M:%SZ")" "(echo %self)" "(pwd)": "$argv >> ~/.logs/(hostname)-(date "+%Y-%m-%d").log
'';
};
};
};
# Starship, for the prompt
programs.starship = {
enable = true;
settings = {
directory = {
truncation_length = 3;
fish_style_pwd_dir_length = 1;
};
git_commit = {
commit_hash_length = 6;
only_detached = false;
};
package = {
symbol = "";
};
time = {
disabled = false;
format = "[$time]($style)";
time_format = "%I:%M %p";
};
};
};
};
}

90
home-manager/git.nix
View File

@ -1,90 +0,0 @@
{ config, lib, pkgs, ... }:
{
# Git configuration
programs.git = {
enable = true;
userName = "Nathan McCarty";
userEmail = "nathan@mccarty.io";
signing = {
key = "B7A40A5D78C08885";
signByDefault = pkgs.stdenv.isx86_64;
};
ignores = [
"**/*~"
"*~"
"*_archive"
"/auto/"
"auto-save-list"
".cask/"
".dir-locals.el"
"dist/"
"**/.DS_Store"
"*.elc"
"/elpa/"
"/.emacs.desktop"
"/.emacs.desktop.lock"
"/eshell/history"
"/eshell/lastdir"
"flycheck_*.el"
"*_flymake.*"
"/network-security.data"
".org-id-locations"
".persp"
".projectile"
"*.rel"
"/server/"
"tramp"
"\\#*\\#"
];
delta.enable = true;
extraConfig = {
init = {
defaultBranch = "trunk";
};
log = {
showSignature = true;
abbrevCommit = true;
follow = true;
decorate = false;
};
rerere = {
enable = true;
autoupdate = true;
};
merge = {
ff = "only";
conflictstyle = "diff3";
};
push = {
default = "simple";
followTags = true;
};
pull = {
rebase = true;
};
status = {
showUntrackedFiles = "all";
};
transfer = {
fsckobjects = true;
};
color = {
ui = "auto";
};
diff = {
mnemonicPrefix = true;
renames = true;
wordRegex = ".";
submodule = "log";
};
credential = {
helper = "cache";
};
# Disable annoying safe directory nonsense
safe = {
directory = "*";
};
};
};
}

12
home-manager/machines/x86vm.nix Normal file
View File

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
{
nathan = {
programs = {
util.git.gpgSign = false;
};
config = {
isDesktop = true;
};
};
}

78
home-manager/programs/communications.nix Normal file
View File

@ -0,0 +1,78 @@
{ config, lib, pkgs, inputs, ... }:
{
config = lib.mkIf config.nathan.programs.communications.enable {
home.packages = with pkgs;
let
unstable = import inputs.nixpkgs-unstable { config = { allowUnfree = true; }; inherit system; };
enableWayland = drv: bin: drv.overrideAttrs (
old: {
nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ];
postFixup = (old.postFixup or "") + ''
wrapProgram $out/bin/${bin} \
--add-flags "--enable-features=UseOzonePlatform" \
--add-flags "--ozone-platform=wayland"
'';
}
);
discordWayland = pkgs.callPackage ../../packages/discord/default.nix rec {
pname = "discord-electron";
binaryName = "Discord";
desktopName = "Discord (Wayland)";
version = "0.0.18";
src = fetchurl {
url = "https://dl.discordapp.net/apps/linux/${version}/discord-${version}.tar.gz";
hash = "sha256-BBc4n6Q3xuBE13JS3gz/6EcwdOWW57NLp2saOlwOgMI=";
};
electron = pkgs.electron_13;
};
zulipWayland = pkgs.makeDesktopItem {
name = "zulip-wayland";
desktopName = "Zulip (Wayland)";
exec = "${unstable.zulip}/bin/zulip --enable-features=UseOzonePlatform --ozone-platform=wayland";
terminal = false;
icon = "zulip";
type = "Application";
};
# Facebook messenger
fbChromeDesktopItem = pkgs.makeDesktopItem {
name = "messenger-chrome";
desktopName = "Messenger (chrome)";
exec = "${pkgs.chromium}/bin/chromium --enable-features=UseOzonePlatform -ozone-platform=wayland --app=\"https://messenger.com\"";
terminal = false;
};
# Teams
teamsItem = pkgs.makeDesktopItem {
name = "teams-wayland";
desktopName = "Teams (Wayland)";
exec = "${pkgs.chromium}/bin/chromium --enable-features=UseOzonePlatform -ozone-platform=wayland --app=\"https://teams.microsoft.com\"";
terminal = false;
};
in
[
# Discord
discordWayland
betterdiscordctl
# Desktop matrix client
(enableWayland element-desktop "element-desktop")
# Desktop signal client
(enableWayland signal-desktop "signal-desktop")
# Desktop telegram client
tdesktop
# Desktop mastodon client
tootle
# zulip
unstable.zulip
zulipWayland
# Zoom (for work, sadly)
unstable.zoom-us
# Teams (also for work)
unstable.teams
# chromium
(enableWayland chromium "chromium")
# Wayland workaround packages
fbChromeDesktopItem
teamsItem
];
};
}

215
home-manager/programs/core.nix Normal file
View File

@ -0,0 +1,215 @@
{ config, lib, pkgs, ... }:
let
nathan = config.nathan;
in
with lib;
{
config = {
#########################
## SSH Configuration
#########################
programs.ssh = mkIf nathan.programs.util.ssh {
# SSH configuration
enable = true;
# extra config to set the ciphers
extraConfig = ''
Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
'';
# enable session reuse
controlMaster = "auto";
controlPersist = "10m";
# Configure known hosts
matchBlocks = {
"levitation" = {
forwardAgent = true;
user = "nathan";
hostname = "100.95.223.6";
};
"perception" = {
forwardAgent = true;
user = "nathan";
hostname = "100.67.146.101";
};
"oracles" = {
forwardAgent = true;
user = "nathan";
hostname = "100.66.15.34";
};
"tounge" = {
forwardAgent = true;
user = "nathan";
hostname = "172.23.98.121";
};
"shadowchild" = {
forwardAgent = true;
user = "nathan";
hostname = "172.23.217.149";
};
"matrix.community.rs" = {
forwardAgent = true;
user = "nathan";
hostname = "100.113.74.107";
};
"de1955" = {
user = "de1955";
hostname = "de1955.rsync.net";
};
};
};
#########################
## Fish Configuration
#########################
programs.fish = mkIf nathan.programs.util.fish {
enable = true;
# Setup our aliases
shellAliases = {
ls = "exa --icons";
la = "exa --icons -a";
lg = "exa --icons --git";
cat = "bat";
dig = "dog";
df = "duf";
};
# Custom configuration
interactiveShellInit = ''
# Setup any-nix-shell
any-nix-shell fish --info-right | source
# Load logger function
source ~/.config/fish/functions/cmdlogger.fish
'';
functions = {
# Setup command logging to ~/.logs
cmdlogger = {
onEvent = "fish_preexec";
body = ''
mkdir -p ~/.logs
echo (date -u +"%Y-%m-%dT%H:%M:%SZ")" "(echo %self)" "(pwd)": "$argv >> ~/.logs/(hostname)-(date "+%Y-%m-%d").log
'';
};
};
};
programs.starship = mkIf nathan.programs.util.fish {
enable = true;
settings = {
directory = {
truncation_length = 3;
fish_style_pwd_dir_length = 1;
};
git_commit = {
commit_hash_length = 6;
only_detached = false;
};
package = {
symbol = "";
};
time = {
disabled = false;
format = "[$time]($style)";
time_format = "%I:l%M %p";
};
};
};
#########################
## Git configuration
#########################
programs.git = mkIf nathan.programs.util.git.enable {
enable = true;
package = pkgs.gitAndTools.gitFull;
userName = "Nathan McCarty";
userEmail = "nathan@mccarty.io";
signing = {
key = "B7A40A5D78C08885";
signByDefault = nathan.programs.util.git.gpgSign;
};
ignores = [
"**/*~"
"*~"
"*_archive"
"/auto/"
"auto-save-list"
".cask/"
".dir-locals.el"
"dist/"
"**/.DS_Store"
"*.elc"
"/elpa/"
"/.emacs.desktop"
"/.emacs.desktop.lock"
"/eshell/history"
"/eshell/lastdir"
"flycheck_*.el"
"*_flymake.*"
"/network-security.data"
".org-id-locations"
".persp"
".projectile"
"*.rel"
"/server/"
"tramp"
"\\#*\\#"
];
delta.enable = true;
lfs.enable = true;
extraConfig = {
init = {
defaultBranch = "trunk";
};
log = {
showSignature = true;
abbrevCommit = true;
follow = true;
decorate = false;
};
rerere = {
enable = true;
autoupdate = true;
};
merge = {
ff = "only";
conflictstyle = "diff3";
};
push = {
default = "simple";
followTags = true;
};
pull = {
rebase = true;
};
status = {
showUntrackedFiles = "all";
};
transfer = {
fsckobjects = true;
};
color = {
ui = "auto";
};
diff = {
mnemonicPrefix = true;
renames = true;
wordRegex = ".";
submodule = "log";
};
credential = {
helper = "cache";
};
# Disable annoying safe directory nonsense
safe = {
directory = "*";
};
};
};
} // mkIf nathan.programs.util.json {
#########################
## JSON Utilities
#########################
programs.jq = mkIf nathan.programs.util.json {
enable = true;
};
home.packages = with pkgs; [
jc
fx
];
};
}

107
home-manager/programs/devel.nix Normal file
View File

@ -0,0 +1,107 @@
{ config, lib, pkgs, inputs, ... }:
let
devel = config.nathan.programs.devel;
unstable = inputs.nixpkgs-unstable.legacyPackages."${pkgs.system}";
inherit (import ../../modules/lib.nix { inherit lib; inherit pkgs; }) nLib;
in
with lib; with nLib; {
config =
# Core development utilites
(mkIf devel.core {
home.packages = with pkgs;
appendIf
pkgs.stdenv.isLinux
# General packages
[
# Git addons
git-secret
delta
# General development requirements
cmake
libtool
gnumake
nixpkgs-fmt
# sops for secrets management
sops
]
# Linux specific packages
[
gcc
binutils
unstable.mold
];
programs = {
direnv = {
enable = true;
};
# Neovim
# (I'm not abonding emacs I just want the tutor)
neovim = {
enable = true;
};
};
})
# Rust development
// (mkIf devel.rust {
home.packages = with pkgs; [
# Rustup for having the compiler around
rustup
# Install the latest rust analyzer
inputs.fenix.packages."${pkgs.system}".rust-analyzer
# Misc cargo utilites
cargo-binutils # Allow invoking the llvm tools included with the toolchain
cargo-edit # Command line Cargo.toml manipulation
cargo-asm # Dump the generated assembly
cargo-fuzz # front end for fuzz testing rust
cargo-license # Audit the licenses of dependencies
cargo-criterion # Benchmarking front end
cargo-audit # Check dependencies for known CVEs
cargo-bloat # Find out what's taking up space in the executable
cargo-udeps # Find unused dependencies
cargo-expand # Dump expanded macros
unstable.cargo-tarpaulin # Code coverage
cargo-play # Quickly execute code outside of a crate
# For building stuff that uses protocol buffers
protobuf
];
})
# JVM Development
// (mkIf devel.jvm {
home.packages = with unstable; [
inputs.java.packages."${pkgs.system}".semeru-stable
gradle
kotlin
kotlin-native
kotlin-language-server
ktlint
];
})
# Python Development
// (mkIf devel.python {
home.packages = with pkgs; [
python3Full
nodePackages.pyright
];
})
# JavaScript/TypeScript Development
// (mkIf devel.js {
home.packages = with unstable; [
nodejs
yarn
nodePackages.typescript
deno
];
})
# Raku Development
// (mkIf devel.raku {
home.packages = with pkgs; [
rakudo
zef
];
});
}
# TODO: Add pyright and python3Full under python module

44
home-manager/programs/emacs.nix Normal file
View File

@ -0,0 +1,44 @@
{ config, lib, pkgs, inputs, ... }:
{
imports = [ inputs.nix-doom-emacs.hmModule ];
config = lib.mkIf config.nathan.programs.emacs.enable {
# Dependencies of my emacs environment
home.packages = with pkgs; [
# For markdown rendering
python39Packages.grip
# For graph generation
graphviz
sqlite
# For latex editing
texlive.combined.scheme-medium
];
# Setup doom emacs
programs.doom-emacs = {
enable = true;
doomPrivateDir = ../../doom.d;
emacsPackage = config.nathan.programs.emacs.package;
emacsPackagesOverlay = self: super: {
org-protocol-capture-html = self.trivialBuild {
pname = "org-protocol-capture-html";
ename = "org-protocol-capture-html";
version = "0.0.0";
buildInputs = [ self.s ];
src = pkgs.fetchFromGitHub {
owner = "alphapapa";
repo = "org-protocol-capture-html";
rev = "3359ce9a2f3b48df26329adaee0c4710b1024250";
hash = "sha256-ueEHJCS+aHYCnd4Lm3NKgqg+m921nl5XijE9ZnSRQXI=";
};
};
};
};
# Setup service
services.emacs = {
enable = config.nathan.programs.emacs.service;
client.enable = true;
defaultEditor = true;
};
};
}

20
home-manager/programs/image-editing.nix Normal file
View File

@ -0,0 +1,20 @@
{ config, lib, pkgs, inputs, ... }:
let
unstable = inputs.nixpkgs-unstable.legacyPackages."${pkgs.system}";
in
{
config = lib.mkIf config.nathan.programs.image-editing {
home.packages = with pkgs; [
# RawTherapee for raw editing
unstable.rawtherapee
# Gimp for complex editing
unstable.gimp-with-plugins
# Krita for drawing
unstable.krita
# Pinta for basic image editing
unstable.pinta
# Command line tools for image conversion and handling
imagemagickBig
];
};
}

50
home-manager/programs/media.nix Normal file
View File

@ -0,0 +1,50 @@
{ config, lib, pkgs, inputs, ... }:
let
unstable = import inputs.nixpkgs-unstable { config = { allowUnfree = true; }; system = pkgs.system; };
irisDesktopItem = pkgs.makeDesktopItem {
name = "iris";
desktopName = "Iris";
exec = "${pkgs.chromium}/bin/chromium --enable-features=UseOzonePlatform -ozone-platform=wayland --app=\"http://localhost:6680/iris/\"";
terminal = false;
};
in
{
config = lib.mkIf config.nathan.programs.media.enable {
# General Packages
home.packages = with pkgs; [
unstable.spotify
unstable.vlc
unstable.plex-media-player
unstable.obs-studio
nicotine-plus
irisDesktopItem
picard
];
# Mopidy service
# TODO: Add scrobbling
services.mopidy = {
enable = true;
extensionPackages = with pkgs; [
mopidy-mpd
mopidy-iris
mopidy-scrobbler
mopidy-local
];
# extraConfigFiles = config.nathan.programs.media.mopidyExtraConfig;
settings = {
file = {
media_dirs = [
"~/Music"
];
};
local = {
enabled = true;
media_dir = "~/Music";
};
mpd = {
enabled = true;
};
};
};
};
}

172
modules/sway.nix → home-manager/programs/sway.nix
View File

@ -1,105 +1,17 @@
## Enable and setup SwayWM
{ config, pkgs, lib, unstable, ... }:
{ config, lib, pkgs, inputs, ... }:
let
nathan = config.nathan;
in
with lib;
{
# Turn on GDM for login
services.xserver = {
enable = true;
autorun = true;
displayManager.gdm = {
enable = true;
wayland = true;
};
# Set swaywm as default
displayManager.defaultSession = "sway";
# Enable plasma for the applications
desktopManager.plasma5.enable = true;
};
# Setup drivers
hardware.opengl = {
# Enable vulkan
driSupport = true;
# Force vulkan drivers
extraPackages = [
pkgs.amdvlk
];
# Same as above, but enable 32 bit legacy support (for games)
driSupport32Bit = true;
extraPackages32 = [
pkgs.driversi686Linux.amdvlk
];
};
# Basic packages that are effectively required for a graphical system
environment.systemPackages = with pkgs; [
# GTK Theming
gtk-engine-murrine
gtk_engines
gsettings-desktop-schemas
lxappearance
kde-gtk-config
];
# Enable QT themeing
programs.qt5ct.enable = true;
# Enable and configure sway itself
programs.sway = {
enable = true;
# Enable the wrapper for gtk applications
wrapperFeatures.gtk = true;
# Install some applications required for sway to work how I want
extraPackages = with pkgs; [
# Unstable waybar, its a fast moving target
unstable.waybar
# Locking and display management
wdisplays
swaylock-effects
swayidle
# Clipboard
wl-clipboard
# Notifications
mako
# Terminal
alacritty
# glib for sound stuff
glib
# Glpaper for the background
(glpaper.overrideAttrs (old: {
src = fetchFromSourcehut {
owner = "~scoopta";
repo = "glpaper";
vc = "hg";
rev = "f89e60b7941fb60f1069ed51af9c5bb4917aab35";
hash = "sha256-E7FKjt3NL0aAEibfaq+YS2IVvpjNjInA+Rs8SU63/3M=";
};
}))
# Screenshots
sway-contrib.grimshot
# Albert for launcher
albert
];
};
environment.sessionVariables = {
MOZ_ENABLE_WAYLAND = "1";
};
# Enable the xdg-portal
xdg = {
portal = {
enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-wlr
xdg-desktop-portal-gtk
];
gtkUsePortal = true;
};
};
## Home manager stuff for sway
home-manager.users.nathan =
config = mkIf nathan.programs.swaywm.enable (
let
swaylock-command = "${pkgs.swaylock-effects}/bin/swaylock --screenshots --grace 30 --indicator --clock --timestr \"%-I:%M:%S %p\" --datestr \"%A %Y-%M-%d\" --effect-blur 20x3";
in
{
# Configure sway itself
#########################
## Sway
#########################
wayland.windowManager.sway = {
enable = true;
systemdIntegration = true;
@ -168,7 +80,9 @@
for_window [title=".*Minecraft.*"] opacity 1
'';
};
# Mako for notifications
#########################
## Mako (notifications)
#########################
programs.mako = {
enable = true;
# Selenized color scheme
@ -188,7 +102,9 @@
# Sort by time in descending order (newest first)
sort = "-time";
};
# Swayidle for automatic screen locking
#########################
## Swayidle
#########################
services.swayidle = {
enable = true;
timeouts = [
@ -205,10 +121,62 @@
}
];
};
# Waybar configuration
#########################
## Waybar
#########################
programs.waybar = {
enable = true;
package = unstable.waybar;
package = inputs.nixpkgs-unstable.legacyPackages."${pkgs.system}".waybar;
};
};
#########################
## Alacritty
#########################
programs.alacritty = {
enable = true;
settings = {
env = {
TERM = "xterm-256color";
ALACRITTY = "1";
};
font = {
normal.family = "FiraCode Nerd Font";
bold.family = "FiraCode Nerd Font";
italic.family = "FiraCode Nerd Font";
bold_italic.family = "FiraCode Nerd Font";
size = 9.0;
};
colors = {
primary = {
background = "0x103c48";
foreground = "0xadbcbc";
};
normal = {
black = "0x184956";
red = "0xfa5750";
green = "0x75b938";
yellow = "0xdbb32d";
blue = "0x4695f7";
magenta = "0xf275be";
cyan = "0x41c7b9";
white = "0x72898f";
};
bright = {
black = "0x2d5b69";
red = "0xff665c";
green = "0x84c747";
yellow = "0xebc13d";
blue = "0x58a3ff";
magenta = "0xff84cd";
cyan = "0x53d6c7";
white = "0xcad8d9";
};
};
};
};
#########################
## EasyEffects
#########################
services.easyeffects.enable = true;
}
);
}

12
home-manager/programs/syncthing.nix Normal file
View File

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
{
config = lib.mkIf config.nathan.services.syncthing {
services.syncthing = {
enable = true;
tray = {
enable = true;
};
};
};
}

61
home-manager/ssh.nix
View File

@ -1,61 +0,0 @@
{ config, lib, pkgs, ... }:
{
options.nathans-home.ssh = with lib; {
enable = mkOption {
type = types.bool;
default = true;
};
};
config = lib.mkIf config.nathans-home.ssh.enable {
programs.ssh = {
# SSH configuration
enable = true;
# extra config to set the ciphers
extraConfig = ''
Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
'';
# enable session reuse
controlMaster = "auto";
controlPersist = "10m";
# Configure known hosts
matchBlocks = {
"levitation" = {
forwardAgent = true;
user = "nathan";
hostname = "100.95.223.6";
};
"perception" = {
forwardAgent = true;
user = "nathan";
hostname = "100.67.146.101";
};
"oracles" = {
forwardAgent = true;
user = "nathan";
hostname = "100.66.15.34";
};
"tounge" = {
forwardAgent = true;
user = "nathan";
hostname = "172.23.98.121";
};
"shadowchild" = {
forwardAgent = true;
user = "nathan";
hostname = "172.23.217.149";
};
"matrix.community.rs" = {
forwardAgent = true;
user = "nathan";
hostname = "100.113.74.107";
};
"de1955" = {
user = "de1955";
hostname = "de1955.rsync.net";
};
};
};
};
}

23
home.nix
View File

@ -1,23 +0,0 @@
{ pkgs, config, ... }:
{
## Some general settings that were in the user configuration
# Set time zone
time.timeZone = "America/New_York";
## Setup user first
users = {
users.nathan = {
# darwin is special
home = if pkgs.stdenv.isDarwin then "/Users/nathan" else "/home/nathan";
description = "Nathan McCarty";
shell = pkgs.fish;
};
};
## Misc packages that were in user.nix
# Install general use packages
environment.systemPackages = with pkgs; [
# Install our shell of choice
fish
# Install rclone
rclone
];
}

122
machines/levitation.nix
View File

@ -1,122 +0,0 @@
{ pkgs, lib, config, ... }: {
###
## Define the hostname, enable dhcp
###
networking = {
hostName = "levitation";
domain = "mccarty.io";
useDHCP = false;
interfaces.enp6s0.useDHCP = true;
nat.externalInterface = "enp6s0";
};
###
## Enable programs we don't want on every machine
###
programs = {
steam.enable = true;
adb.enable = true;
};
###
## Firewall ports
###
# 61377 - SoulSeek
# Enable firewall and pass some ports
networking.firewall = {
enable = true;
allowedTCPPorts = [ 61377 ];
allowedUDPPorts = [ 61377 ];
};
###
## Machine specific home-manager
###
home-manager.users.nathan = {
# Sway outputs
wayland.windowManager.sway.config = {
output = {
DP-1 = {
pos = "0 140";
scale = "1";
subpixel = "rgb";
};
DP-3 = {
pos = "2560 0";
scale = "1.25";
subpixel = "rgb";
};
HDMI-A-1 = {
pos = "5632 140";
scale = "1";
subpixel = "rgb";
};
};
startup = [
# GLPaper
{ command = "glpaper DP-1 ${../custom-files/sway/selen.frag} --fork"; }
{ command = "glpaper DP-3 ${../custom-files/sway/selen.frag} --fork"; }
{ command = "glpaper HDMI-A-1 ${../custom-files/sway/selen.frag} --fork"; }
];
};
# Mako output configuration
programs.mako = {
# Lock mako notifs to main display
output = "DP-3";
};
};
###
## Borg Backups
###
# Install borg
environment.systemPackages = with pkgs; [
borgbackup
];
# Setup sops
sops.secrets."borg-sshKey" = {
format = "yaml";
sopsFile = ../secrets/borg.yaml;
};
sops.secrets."borg-levitationPassword" = {
format = "yaml";
sopsFile = ../secrets/borg.yaml;
};
# Setup the job
services.borgbackup.jobs = {
remote_backup = {
paths = [
"/home"
"/var"
"/etc"
];
exclude = [
"*/.cache"
"*/.tmp"
"/home/nathan/Projects/*/target"
"/home/nathan/Work/*/target"
"/home/nathan/.local/share/Steam"
"/home/nathan/Downloads"
"/home/nathan/Music"
"/var/lib/docker"
"/var/log"
"/home/nathan/*/Cache"
];
repo = "de1955@de1955.rsync.net:computers/levitation";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg-levitationPassword".path}";
};
environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg-sshKey".path}";
compression = "auto,zstd";
startAt = "hourly";
prune.keep = {
within = "7d"; # Keep all archives for the past week
daily = 1; # Keep 1 snapshot a day for 2 weeks
weekly = 4; # Keep 1 snapshot a week for 4 weeks
monthly = -1; # Keep unlimited monthly backups
};
};
};
}

102
machines/matrix.nix
View File

@ -1,102 +0,0 @@
{ config, lib, pkgs, ... }:
{
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
# Grub configuration for linode
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
boot.loader.grub.forceInstall = true;
boot.loader.timeout = 10;
boot.loader.grub.extraConfig = ''
serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
terminal_input serial;
terminal_output serial
'';
boot.kernelParams = [
"console=ttyS0"
];
networking.hostName = "matrix";
networking.domain = "community.rs";
networking.useDHCP = false;
networking.interfaces.enp0s5.useDHCP = true;
networking.enableIPv6 = false;
# Create www-html group
users.groups.www-html.gid = 6848;
# Add shaurya
users.users.shaurya = {
isNormalUser = true;
home = "/home/shaurya";
description = "Shaurya";
extraGroups = [ "www-html" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDA8BwFgWGrX5is2rQV+T0dy4MUWhfpE5EzYxjgLuH1V shauryashubham1234567890@gmail.com"
];
shell = pkgs.nushell;
};
# Add www-html for my self
users.users.nathan = {
extraGroups = [ "www-html" ];
};
###
## Borg Backup
###
# Install borg
environment.systemPackages = with pkgs; [
borgbackup
];
# Setup sops
sops.secrets."borg-sshKey" = {
format = "yaml";
sopsFile = ../secrets/borg.yaml;
};
sops.secrets."borg-matrixPassword" = {
format = "yaml";
sopsFile = ../secrets/borg.yaml;
};
# Setup the job
services.borgbackup.jobs = {
files = {
paths = [
"/home"
"/var"
"/etc"
];
exclude = [
"*/.cache"
"*/.tmp"
"/home/nathan/minecraft/server/backup"
"/var/lib/postgresql"
"/var/lib/redis"
"/var/lib/docker"
"/var/log"
];
repo = "de1955@de1955.rsync.net:computers/matrix";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg-matrixPassword".path}";
};
environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg-sshKey".path}";
compression = "auto,zstd";
startAt = "OnCalendar=00/4:30";
prune.keep = {
within = "7d"; # Keep all archives for the past week
daily = 1; # Keep 1 snapshot a day for 2 weeks
weekly = 4; # Keep 1 snapshot a week for 4 weeks
monthly = -1; # Keep unlimited monthly backups
};
};
};
# Backup postgres
services.postgresqlBackup = {
enable = true;
compression = "none";
backupAll = true;
startAt = "OnCalendar=00/2:00";
};
}

101
machines/oracles.nix
View File

@ -1,101 +0,0 @@
{ config, lib, pkgs, java, ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Configure networking
networking = {
hostName = "oracles";
domain = "mccarty.io";
useDHCP = false;
interfaces.enp1s0f1.ipv4.addresses = [{
address = "104.238.220.96";
prefixLength = 24;
}];
defaultGateway = "104.238.220.1";
nameservers = [ "172.23.98.121" "1.1.1.1" ];
};
# Open ports in firewall
networking.firewall.allowedTCPPorts = [ 22 80 443 25565 ];
networking.firewall.allowedUDPPorts = [ 22 80 443 25565 ];
networking.firewall.enable = true;
# Trust zerotier interface
networking.firewall.trustedInterfaces = [ "zt5u4uutwm" ];
# Add nginx and acme certs
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
security.acme = {
defaults.email = "nathan@mccarty.io";
acceptTerms = true;
};
# Redis
services.redis.servers.main = {
enable = true;
bind = "172.23.108.12";
};
# Install java
environment.systemPackages = with pkgs; [
java.packages.${system}.semeru-latest
borgbackup
];
# Setup sops
sops.secrets."borg-sshKey" = {
format = "yaml";
sopsFile = ../secrets/borg.yaml;
};
sops.secrets."borg-oraclesPassword" = {
format = "yaml";
sopsFile = ../secrets/borg.yaml;
};
# Setup the job
services.borgbackup.jobs = {
files = {
paths = [
"/home"
"/var"
"/etc"
];
exclude = [
"*/.cache"
"*/.tmp"
"/home/nathan/minecraft/server/backup"
"/var/lib/postgresql"
"/var/lib/redis"
"/var/lib/docker"
"/var/log"
];
repo = "de1955@de1955.rsync.net:computers/oracles";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg-oraclesPassword".path}";
};
environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg-sshKey".path}";
compression = "auto,zstd";
startAt = "OnCalendar=00/4:30";
prune.keep = {
within = "7d"; # Keep all archives for the past week
daily = 1; # Keep 1 snapshot a day for 2 weeks
weekly = 4; # Keep 1 snapshot a week for 4 weeks
monthly = -1; # Keep unlimited monthly backups
};
};
};
# Backup postgres
services.postgresqlBackup = {
enable = true;
compression = "none";
backupAll = true;
startAt = "OnCalendar=00/2:00";
};
}

57
machines/perception.nix
View File

@ -1,57 +0,0 @@
{ config, lib, pkgs, ... }:
{
networking = {
hostName = "perception";
domain = "mccarty.io";
useDHCP = false;
interfaces.eno1 = {
useDHCP = false;
ipv4.addresses = [
{
address = "10.0.0.11";
prefixLength = 21;
}
];
};
defaultGateway = "10.0.4.1";
nameservers = [ "10.0.0.10" ];
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Trust ZT interface
networking.firewall.trustedInterfaces = [ "zt5u4uutwm" ];
# add plex nfs mount
fileSystems."/var/plex" = {
device = "10.0.0.139:/mnt/tank/root/data/plex";
fsType = "nfs";
};
fileSystems."/var/scratch" = {
device = "10.0.0.139:/mnt/tank/root/scratch";
fsType = "nfs";
};
# Enable sabnzbd
services.sabnzbd = {
enable = true;
};
# Enable sonarr
services.sonarr = {
enable = true;
};
# Enable radarr
services.radarr = {
enable = true;
};
# Open firewall ports
networking.firewall = {
enable = false;
allowedTCPPorts = [ 8080 8989 9383 7878 ];
allowedUDPPorts = [ 8080 8989 9383 7878 ];
};
}

83
machines/shadowchild.nix
View File

@ -1,83 +0,0 @@
{ config, lib, pkgs, ... }:
{
boot.cleanTmpDir = true;
networking.hostName = "shadowchild";
networking.domain = "mccarty.io";
networking.firewall.allowPing = true;
# Turn on nginx so we can get a lets encrypt cert
security.acme.defaults.email = "nathan@mccarty.io";
security.acme.acceptTerms = true;
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts."turn.community.rs" = {
enableACME = true;
forceSSL = true;
};
};
services.coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret = "5C1rbLi5pPJhEGTzkVR1";
realm = "turn.community.rs";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
# open the firewall
networking.firewall = {
interfaces.enp2s0 =
let
range = with config.services.coturn; [{
from = min-port;
to = max-port;
}];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 ];
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 80 443 ];
}

48
modules/audio.nix
View File

@ -1,48 +0,0 @@
## Setup pipewire, including bluetooth audio
{ config, pkgs, ... }:
let new-noisetorch = pkgs.noisetorch.overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "noisetorch";
repo = "NoiseTorch";
rev = "fe3ace8cc7add2f3bd42dd767c8fc292bc2aeaad";
fetchSubmodules = true;
hash = "sha256-A6cX1ck47/ZIn9cnV/Ow4CxVFfOX5J0K0Q+B70jCFdQ=";
};
version = "0.12.0";
meta.insecure = false;
});
in
{
# Disable normal audio subsystem explicitly
sound.enable = false;
# Turn on rtkit, so that audio processes can be upgraded to real time
security.rtkit.enable = true;
# Turn on pipewire
services.pipewire = {
enable = true;
# Turn on all the emulation layers
alsa = {
enable = true;
support32Bit = true;
};
pulse.enable = true;
jack.enable = true;
};
# Turn on bluetooth services
services.blueman.enable = true;
hardware.bluetooth = {
enable = true;
package = pkgs.bluezFull;
};
# Add pulse audio packages, but do not enable them
environment.systemPackages = [
pkgs.pulseaudio
pkgs.pavucontrol
];
# Add noisetorch for microphone noise canceling
programs.noisetorch = {
enable = true; # TODO: https://github.com/noisetorch/NoiseTorch/releases/tag/0.11.6
# Use latest noisetorch, its a fast moving target
package = new-noisetorch;
};
}

13
modules/autoupdate.nix
View File

@ -1,13 +0,0 @@
{ config, lib, pkgs, ... }:
{
# Autoupdate the system
system.autoUpgrade = {
enable = true;
allowReboot = true;
# Update from the flake
flake = "github:nathans-flakes/system";
# Attempt to update daily at 2AM
dates = "2:00";
};
}

14
modules/base.nix Normal file
View File

@ -0,0 +1,14 @@
{ config, lib, pkgs, ... }:
with lib; {
config = {
nix = mkIf config.nathan.config.nix.autoGC {
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
};
};
}

18
modules/common.nix
View File

@ -1,18 +0,0 @@
{ config, pkgs, ... }:
{
# Turn on compressed memory swap
zramSwap = {
enable = true;
algorithm = "lz4";
memoryPercent = 25;
};
# Automatically optimize and garbage collect the store
nix = {
autoOptimiseStore = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
};
}

137
modules/default.nix Normal file
View File

@ -0,0 +1,137 @@
{ config, lib, pkgs, ... }:
let
inherit (import ./lib.nix { inherit lib; inherit pkgs; }) nLib;
in
{
imports = [
./base.nix
./user.nix
./desktop.nix
./swaywm.nix
./hardware.nix
./programs/games.nix
./programs/gpg.nix
./programs/utils.nix
./services/ssh.nix
./services/tailscale.nix
./linux/base.nix
];
options = with lib; with nLib; {
nathan = {
# Control enabling of services
services = {
# Use zramSwap, enabled by default
zramSwap = mkDefaultOption "zram memory compression" config.nathan.config.isDesktop;
# Enable ssh and configure firewall
# On by default
ssh = mkEnableOptionT "ssh";
# Enable tailscale, on by default on linux
tailscale = {
enable = mkDefaultOption "tailscale" pkgs.stdenv.isLinux;
};
};
# Control enabling/configuratin of services
programs = {
# Install games
games = mkEnableOption "games";
# Install gpg with yubikey support
# Enabled by default if the system is a desktop
gpg = mkDefaultOption "gpg" config.nathan.config.isDesktop;
# Utility modules
utils = {
# Core utililtes I want on every system
# Enabled by default
core = mkEnableOptionT "utils-core";
# Productivity utilites that make sense for a desktop
# Enabled by default on desktop
productivity = mkDefaultOption "utils-productivity" config.nathan.config.isDesktop;
# Enable multi system emulation
# Enabled by default on desktop
binfmt = mkDefaultOption "utils-productivity" config.nathan.config.isDesktop;
};
};
# Control enabling of hardware support
hardware = {
# Logitech hardware support
# On by default if the system is a desktop
logitech = mkDefaultOption "logitech" config.nathan.config.isDesktop;
};
# General system configuration
config = {
# Wether or not to install the main user
installUser = mkOption {
default = pkgs.stdenv.isLinux;
example = true;
description = "Whether to install the 'nathan' user";
type = lib.types.bool;
};
# Name of the user to install
user = mkOption {
default = "nathan";
example = "nathan";
description = "Username to use for common configuration";
type = lib.types.str;
};
# Is this system a desktop?
# Off by default
isDesktop = mkEnableOption "Desktop specific settings";
# Should we harden this system?
# On by default
harden = mkEnableOptionT "Apply system hardening";
# Enable audio subsystem
# On by default if the system is a desktop
audio = mkDefaultOption "audio" config.nathan.conifg.isDesktop;
# Basic grub configuration
# Off by default
setupGrub = mkEnableOption "Setup grub";
# Install fonts
# On by default if the system is a desktop
fonts = mkDefaultOption "fonts" config.nathan.config.isDesktop;
# Enable unfree software
# On by default
enableUnfree = mkEnableOptionT "unfree software";
# Nix configuration
nix = {
# Automatic GC and optimization of the nix store
# On by default
autoGC = mkEnableOptionT "Nix store optimization and auto gc";
# Automatic updating of the system
# On by default
autoUpdate = mkEnableOptionT "Nix autoupdating";
};
# Swaywm configuration
# On by default if the system is a desktop
swaywm = {
enable = mkOption {
default = config.nathan.config.isDesktop;
example = true;
description = "Whether to setup swaywm";
type = lib.types.bool;
};
};
# Virtualization configuration
# All on by default if the system is a desktop
virtualization = {
qemu = mkDefaultOption "qemu" config.nathan.config.isDesktop;
docker = mkDefaultOption "docker" config.nathan.config.isDesktop;
lxc = mkDefaultOption "lxc" config.nathan.config.isDesktop;
nixos = mkDefaultOption "nixos containers" config.nathan.config.isDesktop;
};
};
};
};
config = {
# Enable the firewall
networking.firewall.enable = true;
# Enable unfree packages
nixpkgs.config.allowUnfree = config.nathan.config.enableUnfree;
# Work around for discord jank ugh
nixpkgs.config.permittedInsecurePackages = [
"electron-13.6.9"
];
# Set system state version
system.stateVersion = "22.05";
};
}

80
modules/desktop.nix Normal file
View File

@ -0,0 +1,80 @@
{ config, lib, pkgs, ... }:
let
nc = config.nathan.config;
in
with lib; {
# Generic desktop configuration
config = mkIf nc.isDesktop
{
# Ergodox
environment.systemPackages = with pkgs; [
wally-cli
];
hardware.keyboard.zsa.enable = true;
# Configure grub if configured
} // mkIf nc.setupGrub {
## Boot, drivers, and host name
# Use grub
boot.loader = {
grub = {
enable = true;
version = 2;
efiSupport = true;
# Go efi only
devices = [ "nodev" ];
# Use os-prober
useOSProber = true;
};
efi = {
efiSysMountPoint = "/boot/";
canTouchEfiVariables = false;
};
};
# Configure audio
} // mkIf nc.audio {
# Disable normal audio subsystem explicitly
sound.enable = false;
# Turn on rtkit, so that audio processes can be upgraded to real time
security.rtkit.enable = true;
# Turn on pipewire
services.pipewire = {
enable = true;
# Turn on all the emulation layers
alsa = {
enable = true;
support32Bit = true;
};
pulse.enable = true;
jack.enable = true;
};
# Turn on bluetooth services
services.blueman.enable = true;
hardware.bluetooth = {
enable = true;
package = pkgs.bluezFull;
};
# Add pulse audio packages, but do not enable them
environment.systemPackages = with pkgs;[
pulseaudio
pavucontrol
noisetorch
];
# Add noisetorch for microphone noise canceling
programs.noisetorch = {
enable = true; # TODO: https://github.com/noisetorch/NoiseTorch/releases/tag/0.11.6
};
# Configure fonts
} // mkIf nc.fonts {
fonts.fonts = with pkgs; [
## Monospace Fonts
# FiraCode with nerd-fonts patch, as well as fira-code symbols for emacs
(nerdfonts.override { fonts = [ "FiraCode" ]; })
fira-code-symbols
fira
# Proportional
roboto
liberation_ttf
noto-fonts
];
};
}

17
modules/docker.nix
View File

@ -1,17 +0,0 @@
{ config, pkgs, ... }:
{
# Enable docker and use unstable version
virtualisation.docker = {
enable = true;
package = pkgs.docker;
# Automatically prune to keep things lean
autoPrune.enable = true;
};
# Setup networking for nixos containers
networking = {
nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
};
};
}

14
modules/fonts.nix
View File

@ -1,14 +0,0 @@
{ config, pkgs, ... }:
{
fonts.fonts = with pkgs; [
## Monospace Fonts
# FiraCode with nerd-fonts patch, as well as fira-code symbols for emacs
(nerdfonts.override { fonts = [ "FiraCode" ]; })
fira-code-symbols
fira
# Proportional
roboto
liberation_ttf
noto-fonts
];
}

26
modules/games.nix
View File

@ -1,26 +0,0 @@
{ pkgs, nixpkgs-unstable, ... }: {
environment.systemPackages =
let
# https://github.com/Admicos/minecraft-wayland
glfw-patched = pkgs.glfw-wayland.overrideAttrs (attrs: {
patches = attrs.patches ++ [
../patches/minecraft/0003-Don-t-crash-on-calls-to-focus-or-icon.patch
../patches/minecraft/0004-wayland-fix-broken-opengl-screenshots-on-mutter.patch
];
});
stable-packages = with pkgs; [
# Dwarf fortress
(dwarf-fortress-packages.dwarf-fortress-full.override {
enableFPS = true;
})
# PolyMC minecraft stuff
polymc
glfw-patched
];
unstable-packages = with nixpkgs-unstable.legacyPackages."${pkgs.system}"; [
# Packwiz for maintaing modpacks
packwiz
];
in
stable-packages ++ unstable-packages;
}

36
modules/gpg.nix
View File

@ -1,36 +0,0 @@
# Configure gpg with yubikey support
{ config, pkgs, ... }:
{
# Setup environment for gpg agent
environment.shellInit = ''
export GPG_TTY="$(tty)"
gpg-connect-agent /bye
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
environment.sessionVariables = {
SSH_AUTH_SOCK = "/run/user/1000/gnupg/S.gpg-agent.ssh";
};
programs = {
# Disable ssh-agent, the gpg-agent will fill in
ssh.startAgent = false;
# Enable gpg-agent with ssh support
gnupg.agent = {
enable = true;
enableSSHSupport = true;
enableExtraSocket = true;
};
};
# Enable ykpersonalize to work
services.udev.packages = [ pkgs.yubikey-personalization ];
# Enable smartcard service
services.pcscd.enable = true;
# install gnupg and yubikey personalization
environment.systemPackages = with pkgs; [
gnupg
yubikey-personalization
];
}

13
modules/hardware.nix Normal file
View File

@ -0,0 +1,13 @@
{ config, lib, pkgs, ... }:
let
nw = config.nathan.hardware;
in
with lib;
{
config = {
hardware.logitech.wireless = mkIf nw.logitech {
enable = true;
enableGraphical = true;
};
};
}

25
modules/lib.nix Normal file
View File

@ -0,0 +1,25 @@
{ lib, pkgs }:
{
nLib = {
# mkEnableOption, but defaults to true
mkEnableOptionT = name: lib.mkOption {
default = true;
example = false;
description = "Whether to enable ${name}.";
type = lib.types.bool;
};
# mkEnableOption, but with a default
mkDefaultOption = name: default: lib.mkOption {
default = default;
example = false;
description = "Whether to enable ${name}.";
type = lib.types.bool;
};
# Returns an empty list if the current system is not linux
ifLinux = value: if pkgs.stdenv.isLinux then value else [ ];
# Appends if the predicate is true
appendIf = predicate: input: append:
if predicate then input ++ append else input;
};
}

34
modules/linux/base.nix Normal file
View File

@ -0,0 +1,34 @@
{ config, lib, pkgs, inputs, ... }@attrs:
with lib;
{
config = mkIf pkgs.stdenv.isLinux
({
zramSwap = mkIf config.nathan.servics.zramSwap
{
enable = true;
algorithm = "lz4";
memoryPercent = 25;
};
nix = mkIf config.nathan.config.nix.autoGC {
autoOptimiseStore = true;
};
} // mkIf config.nathan.config.harden (import "${inputs.nixpkgs}/nixos/modules/profiles/hardened.nix" attrs))
// mkIf (config.nathan.config.installUser && pkgs.stdenv.isLinux)
{
# System must be for us :v
networking.domain = "mccarty.io";
}
// mkIf
(config.nathan.config.nix.autoUpdate && pkgs.stdenv.isLinux)
{
# Auto update daily at 2 am
system.autoUpgrade = {
enable = true;
allowReboot = true;
# Update from the flake
flake = "github:nathans-flakes/system";
# Attempt to update daily at 2AM
dates = "2:00";
};
};
}

7
modules/logitech.nix
View File

@ -1,7 +0,0 @@
{ config, pkgs, ... }:
{
hardware.logitech.wireless = {
enable = true;
enableGraphical = true;
};
}

11
modules/lxc.nix
View File

@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
{
virtualisation.lxd = {
enable = true;
recommendedSysctlSettings = true;
};
users.users.nathan = {
extraGroups = [ "lxd" ];
};
}

23
modules/printing.nix
View File

@ -1,23 +0,0 @@
{ config, pkgs, ... }:
{
services.printing = {
enable = true;
drivers = with pkgs; [
canon-cups-ufr2
carps-cups
cnijfilter2
];
};
# Enable avahi for printer discovery
services.avahi = {
enable = true;
nssmdns = true;
};
environment.systemPackages = with pkgs; [
canon-cups-ufr2
cups
cups-filters
];
}

33
modules/programs/games.nix Normal file
View File

@ -0,0 +1,33 @@
{ config, lib, pkgs, inputs, ... }:
let
np = config.nathan.programs;
in
with lib;
{
config = mkIf np.games {
environment.systemPackages =
let
# https://github.com/Admicos/minecraft-wayland
glfw-patched = pkgs.glfw-wayland.overrideAttrs (attrs: {
patches = attrs.patches ++ [
../../patches/minecraft/0003-Don-t-crash-on-calls-to-focus-or-icon.patch
../../patches/minecraft/0004-wayland-fix-broken-opengl-screenshots-on-mutter.patch
];
});
stable-packages = with pkgs; [
# Dwarf fortress
(dwarf-fortress-packages.dwarf-fortress-full.override {
enableFPS = true;
})
# PolyMC minecraft stuff
inputs.polymc.packages."${system}".polymc
glfw-patched
];
unstable-packages = with inputs.nixpkgs-unstable.legacyPackages."${pkgs.system}"; [
# Packwiz for maintaing modpacks
packwiz
];
in
stable-packages ++ unstable-packages;
};
}

43
modules/programs/gpg.nix Normal file
View File

@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
let
np = config.nathan.programs;
nc = config.nathan.config;
in
with lib;
{
config = mkIf np.gpg {
# Setup environment for gpg agent
environment.shellInit = ''
export GPG_TTY="$(tty)"
gpg-connect-agent /bye
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
environment.sessionVariables = {
SSH_AUTH_SOCK =
"/run/user/1000/gnupg/S.gpg-agent.ssh";
};
programs = {
# Disable ssh-agent, the gpg-agent will fill in
ssh.startAgent = false;
# Enable gpg-agent with ssh support
gnupg.agent = {
enable = true;
enableSSHSupport = true;
enableExtraSocket = true;
};
};
# Enable ykpersonalize to work
services.udev.packages = [ pkgs.yubikey-personalization ];
# Enable smartcard service
services.pcscd.enable = true;
# install gnupg and yubikey personalization
environment.systemPackages = with pkgs; [
gnupg
yubikey-personalization
];
};
}

69
modules/programs/utils.nix Normal file
View File

@ -0,0 +1,69 @@
{ config, lib, pkgs, ... }:
let
nathan = config.nathan;
in
with lib;
{
config = mkIf nathan.programs.utils.core
{
environment.systemPackages = with pkgs; [
# Basic command line utilities
wget
tmux
nano
unzip
any-nix-shell
htop
# Rust rewrites of common shell utilities
starship
exa
bat
fd
sd
du-dust
ripgrep
ripgrep-all
hyperfine
bottom
dogdns
duf
# User friendly cut
choose
# Man but terse
tealdeer
# For nslookup
dnsutils
# Mosh for better high-latency ssh
mosh
# PV for viewing pipes
pv
];
} // mkIf nathan.programs.utils.productivity {
environment.systemPackages = with pkgs; [
# Feh image viewer
feh
tokei
# Spell check
hunspell
hunspellDicts.en-us
# CLI Markdown renderer
glow
# Command line file manager
broot
# Much better curl
httpie
# CLI spreadsheets
visidata
# Cheatsheet manager
cheat
# Ping with a graph
gping
# Pandoc for documentation
pandoc
];
} // mkIf nathan.programs.utils.binfmt {
boot.binfmt.emulatedSystems = [
"aarch64-linux"
];
};
}

9
modules/protonmail.nix
View File

@ -1,9 +0,0 @@
{ config, lib, pkgs, ... }:
{
# Install protonmail-bridge and pass
environment.systemPackages = with pkgs; [
protonmail-bridge
pass
];
}

12
modules/qemu.nix
View File

@ -1,12 +0,0 @@
# Setup quem/libvirt
{ config, pkgs, ... }:
{
# Enable the kernel modules
boot.kernelModules = [ "kvm-amd" "kvm-intel" ];
# Enable libvirt
virtualisation.libvirtd.enable = true;
# Install virt-manager
environment.systemPackages = with pkgs; [
virtmanager
];
}

31
modules/services/ssh.nix Normal file
View File

@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }:
let
nathan = config.nathan;
in
with lib;
{
config = mkIf nathan.services.ssh {
networking.firewall = {
allowedTCPPorts = [ 22 ];
allowedUDPPorts = [ 22 ];
};
services.openssh = {
enable = true;
extraConfig = ''
StreamLocalBindUnlink yes
'';
listenAddresses = [
{
addr = "0.0.0.0";
port = 22;
}
];
permitRootLogin = "no";
passwordAuthentication = false;
};
# Enable mosh for connecting from phone or bad internet
programs.mosh.enable = true;
};
}

61
modules/services/tailscale.nix Normal file
View File

@ -0,0 +1,61 @@
{ config, lib, pkgs, ... }:
let
nathan = config.nathan;
in
with lib;
{
config = mkIf nathan.services.tailscale.enable {
environment.systemPackages = with pkgs; [
tailscale
];
# Enable the service
services.tailscale = {
enable = true;
};
# Setup sops
sops.secrets."tailscale-auth" = {
format = "yaml";
};
# Oneshot job to authenticate to tailscale
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey $(cat ${config.sops.secrets."tailscale-auth".path})
'';
};
# Configure firewall for tailscale
networking.firewall = {
checkReversePath = "loose";
trustedInterfaces = [ "tailscale0" ];
};
# Also enable zerotierone for now
# TODO: Get completely migrated away from this
services.zerotierone = {
enable = true;
joinNetworks = [ "c7c8172af15d643d" ];
};
};
}

25
modules/ssh.nix
View File

@ -1,25 +0,0 @@
{ config, pkgs, ... }:
{
networking.firewall = {
allowedTCPPorts = [ 22 ];
allowedUDPPorts = [ 22 ];
};
services.openssh = {
enable = true;
extraConfig = ''
StreamLocalBindUnlink yes
'';
listenAddresses = [
{
addr = "0.0.0.0";
port = 22;
}
];
permitRootLogin = "no";
passwordAuthentication = false;
};
# Enable mosh for connecting to phone
programs.mosh.enable = true;
}

101
modules/swaywm.nix Normal file
View File

@ -0,0 +1,101 @@
{ config, lib, pkgs, inputs, ... }:
let
nc = config.nathan.config;
in
with lib;
{
config = mkIf nc.swaywm.enable {
# Turn on GDM for login
services.xserver = {
enable = true;
autorun = true;
displayManager = {
gdm = {
enable = true;
};
defaultSession = "sway";
};
# Enable plasma for the applications
desktopManager.plasma5.enable = true;
};
# Setup drivers
hardware.opengl = {
# Enable vulkan
driSupport = true;
# Force vulkan drivers
extraPackages = [
pkgs.amdvlk
];
# Same as above, but enable 32 bit legacy support (for games)
driSupport32Bit = true;
extraPackages32 = [
pkgs.driversi686Linux.amdvlk
];
};
# Basic packages that are effectively required for a graphical system
environment.systemPackages = with pkgs; [
# GTK Theming
gtk-engine-murrine
gtk_engines
gsettings-desktop-schemas
lxappearance
kde-gtk-config
];
# Enable QT themeing
programs.qt5ct.enable = true;
# Enable and configure sway itself
programs.sway = {
enable = true;
# Enable the wrapper for gtk applications
wrapperFeatures.gtk = true;
# Install some applications required for sway to work how I want
extraPackages = with pkgs; [
# Unstable waybar, its a fast moving target
inputs.nixpkgs-unstable.legacyPackages.${system}.waybar
# Locking and display management
wdisplays
swaylock-effects
swayidle
# Clipboard
wl-clipboard
# Notifications
mako
# Terminal
alacritty
# glib for sound stuff
glib
# Glpaper for the background
(glpaper.overrideAttrs (old: {
src = fetchFromSourcehut {
owner = "~scoopta";
repo = "glpaper";
vc = "hg";
rev = "f89e60b7941fb60f1069ed51af9c5bb4917aab35";
hash = "sha256-E7FKjt3NL0aAEibfaq+YS2IVvpjNjInA+Rs8SU63/3M=";
};
}))
# Screenshots
sway-contrib.grimshot
# Albert for launcher
albert
];
};
environment.sessionVariables = {
MOZ_ENABLE_WAYLAND = "1";
};
# Enable the xdg-portal
xdg = {
portal = {
enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-wlr
xdg-desktop-portal-gtk
];
gtkUsePortal = true;
};
};
};
}

52
modules/tailscale.nix
View File

@ -1,52 +0,0 @@
{ config, lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
tailscale
];
# Enable the service
services.tailscale = {
enable = true;
};
# Setup sops
sops.secrets."tailscale-auth" = {
format = "yaml";
sopsFile = ../secrets/tailscale.yaml;
};
# Oneshot job to authenticate to tailscale
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey $(cat ${config.sops.secrets."tailscale-auth".path})
'';
};
# Configure firewall for tailscale
networking.firewall = {
checkReversePath = "loose";
trustedInterfaces = [ "tailscale0" ];
};
}

44
modules/user.nix Normal file
View File

@ -0,0 +1,44 @@
{ config, lib, pkgs, ... }:
let
nc = config.nathan.config;
in
with lib; {
config = {
users = {
# If we install the user and the system is hardended, then disable mutable users
mutableUsers = !(nc.installUser && nc.harden);
# Configure our user, if enabled
users."${nc.user}" = mkIf nc.installUser
{
# Darwin is special
home = if pkgs.stdenv.isDarwin then "/Users/nathan" else "/home/nathan";
description = "Nathan McCarty";
shell = pkgs.fish;
# Linux specific configuration next
} // mkIf (nc.installUser && pkgs.stdenv.isLinux) {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "audio" "docker" "libvirtd" "uinput" "adbusers" "plugdev" ];
hashedPassword = "$6$ShBAPGwzKZuB7eEv$cbb3erUqtVGFo/Vux9UwT2NkbVG9VGCxJxPiZFYL0DIc3t4GpYxjkM0M7fFnh.6V8MoSKLM/TvOtzdWbYwI58.";
openssh.authorizedKeys.keys = [
# yubikey ssh key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRs6zVljIlQEZ8F+aEBqqbpeFJwCw3JdveZ8TQWfkev cardno:000615938515"
# Macbook pro key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBfkO7kq37RQMT8UE8zQt/vP4Ub7kizLw6niToJwAIe nathan@Nathans-MacBook-Pro.local"
# Phone key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILY7KmG/eFm3hgTx7GBB5jNrV/yryg5C6xcgCxFQhn+o JuiceSSH"
# Tablet key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMd+LlxJnluU0xvIMRIz74iypKfcSpQ5/7y2SB4c6SFY JuiceSSH"
];
};
};
# If we install the user, enable sudo
security.sudo.enable = mkDefault nc.installUser;
# If we setup the user, install the shell as well
environment.systemPackages =
if nc.installUser then [
pkgs.fish
] else [ ];
# Configure the timezone
time.timeZone = "America/New_York";
};
}

40
modules/virtualization.nix Normal file
View File

@ -0,0 +1,40 @@
{ config, lib, pkgs, ... }:
let
nc = config.nathan.config;
in
with lib;
{
config = mkIf nc.virtualization.qemu {
# Enable the kernel modules
boot.kernelModules = [ "kvm-amd" "kvm-intel" ];
# Enable libvirt
virtualisation.libvirtd.enable = true;
# Install virt-manager
environment.systemPackages = with pkgs; [
virtmanager
] // mkIf nc.virtualization.docker {
# Enable docker
virtualisation.docker = {
enable = true;
# Automatically prune to keep things lean
autoPrune.enable = true;
};
} // mkIf nc.virtualization.lxc {
virtualisation.lxd = {
enable = true;
recommendedSysctlSettings = true;
};
users.users.${nc.user} = mkIf nc.installUser {
extraGroups = [ "lxd" ];
};
} // mkIf nc.virtualization.nixos {
# Setup networking for nixos containers
networking = {
nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
};
};
};
};
}

8
modules/zt.nix
View File

@ -1,8 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.zerotierone = {
enable = true;
joinNetworks = [ "c7c8172af15d643d" ];
};
}

69
secrets/borg.yaml
View File

@ -1,69 +0,0 @@
borg-sshKey: ENC[AES256_GCM,data:rVDwCkDQbeYl8cAu/VlZzcW1XQERFVIhjGBigWZ1n0nSDga9812pJgnaIG6aoRVbuaiOVelSqZa0XJRlNU6yJtrT9sDulWb1nqFudSJ84cnhE3QzrgPzAGZJ60PcAQMI2/dqpb4pHGf0nyNBKf5OGCtOahwN3nqkAuiQkqE/XbGlPylHJ+3Hb+Q/RnmMrL5bhKQ9EvuauHwTczlII5JwkrrtZeuHiTZm1SzokQSTMgt71CUOOmDlKlSxXgHDn2g1C+rc+OHzZraWIFyOI0cMpYdfYOxkJM7Wh0/ByX5Iqlp6nTYAK3IbHr4bUUclw2QPMNtLebIaJzzZP8Hplg4sO1zxEWxG+moZzRT6rfd6FF+5EJ8KalgfTgIHVYVrwsQj3SoL258+IWbahQZI2Er1SixVwZQes46HuPaFn7Ydn+/RfJo33birUJ89H5ge/boEkaUT1cHKcbodxfvJsQJkbRUTzHqpRGIHRW9bF1m94/5D2LaaFmaFoJqondewwy1ZVzZIF0jePRhvF4lFtSmKP4jC1Z0xg2L/JnUo,iv:gHr+vtcY99MgSy9IiMmxy3mlOjcOJ4oN5NS3doNAXwo=,tag:AOaE2qHv5NalE7J/NVXQjw==,type:str]
borg-levitationPassword: ENC[AES256_GCM,data:nAtAlhmv6NAE88f81BeroMnMd/lr7ZnUTmLlAMtn4/ML8TuiZjijCJ4LiUSg5FLeWmDEALUN5g/T,iv:2qoF4mw/sbitLmticTsKndcYdV2B+6YjXjKHJr591nk=,tag:ENPk7gm3tmVOSgzfrn7Vag==,type:str]
borg-oraclesPassword: ENC[AES256_GCM,data:TRWn/vj3SpSrRc0HcNI9If7e5Q93hO/+eLKoTQULHTBZqZKdnN0Lq6xhUQQf0s7LhS9D2Q==,iv:/vdqnlR6DowmPNpNP8Q3n2cL/gv91heS0NLFth9Wpl0=,tag:peIs7WpNO56DiTkva71fDw==,type:str]
borg-matrixPassword: ENC[AES256_GCM,data:7dZh8G36PAhfVU4k4mdnWAMCRKme9nAd4GUkdwdZiIAd037Ou2n3wJfZLA==,iv:rPGFyAmHe2H0g0mPxSo84NT/wwBwMt1vV9DAenvwbW4=,tag:2Q4ID6jsA02AC4vvPmBTPw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrajVrQjRjemFTNTdBOTFn
bTN4TjVoT0hpd3RvUFRwSkdPZzhzNWJ4dWtVCkFSd2lvSE5BLzlGVmhYb3BFMXM1
dlZiOFdCUnZ5UExZMkpqSDFPemRITFkKLS0tIFdLZU96YjNZN1FiRTBpN3R6c0RJ
Z3JBZWM3RTdqcG44M0RBYXJDci9MUG8KKzI86Y2gYYyhKHK+H5U3aoJuU2a+RiRz
pulu06DWlL6R3e4HUDTpe0m1/RHwYxE8ap+WgVlq7jvG0STZV2a6pg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2b0M2WkNPRzI3YW15cHYz
TUcwUGt0bldSV3REKzF4dkk2anVLTjFCbGdvCnNJbWpONjJXU3dBaG1Za0tQS0Uw
engwS0RWRnVCRmdDaGx1UElsNVdZWjQKLS0tIGp2K1BsL0RlaFFzWTdKQmV3NnVa
c1ZONlRic2xBUzhTVVZYMWpGRWJ3bncK829TyEoxOAjmbdAJEZpmt+sW66bpVUgY
njlFpVrwAjLe49RezMelWbfI+ZIlL5+eKvoMzaG3te9daTxPjRoaVQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQkRtS3lyUG9xK3laNndP
V2hOVXMvSmpRKzBqeW43Y01vS2VBRWFQK2xJCk9zQXgzSUFEd1BkcjhicXFpQ3hI
KzhYMXlZaFcrcGx0VG05ZEl4eWttY0kKLS0tIE1saUV4WHNKVC9ocHIzV2JTWENs
M0FqdDF2TU5JY3RwM2lXZEg4SVlscG8KoPu3vxd5watGkeKBPcwnfY79n27RKtre
zZDkeCldJNaIsvX2PPjm3NKUdUjVG1m8m8bQrvq0e4IAWkBwOFjUrA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1r0aszjkyp4zlcw2w2vrk8hmcyvntshr8rew4ehlu5zad4eh6mspsatuczd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTTJ4Mm9rZklxWlcraW5C
TUl5UVp1eUxkd0Mxamh5YVpQN0ZxMU83TVRvCmlvMWd0MFc2c3htWllySVRZcWYz
UjNLQkUwVG1Kb0tMb1J0ZHpSMnJDU1kKLS0tIHVIR1cxTXRoSUJtRllsYlk5c3FS
dzNxQzl0VGVsZExhL05vcWJiSzk2c0kKsU5nsgBcKh8EdrTYco6FvVRkk+8tUVtu
gltw8yhYC3TmbdsW185KIDMCxaX8btWmtBKoQk7RiSlHNgcNn+ebbg==
-----END AGE ENCRYPTED FILE-----
- recipient: age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6QTl5blVHUjZYdGdLY00w
aCtYalhVNzFsYlJSZmRPTVpGSmRoSkg5YnhnCmVlbCtka2lUck42MmZIRGkyQ2RC
NWQ5OW5Wc1liOWplbGtXbWxDZHlQQUUKLS0tIG1nOEpjcHpaZjRpM3ZEa3hlSDZL
K2JPTDBMemdyZU9RU0JzRDZFQ2hLZ1EKJrV5DVDw/zqvZ3fzDPc2xcQjGzFy+2pn
Y5yO+fQJC6mrrIQiQG1Jhl6RZNXPgI02f/iJKodDZ33QTc1e9/916w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeUttdmhEalQ4R0EwbXVH
azZrMmx0Q1p5K2ZTTXM3RTQzWWZlNUV6cmhRCmppdGExTmU0aGF3Rk9lS3hnOHd4
cStBejlrZU42OHJJbEVKblppUUgvdmsKLS0tIGo5YkJGdkdFUGxta3k5aGVGRGRk
WmhzcngwekJ1UzJQNzBwNU9Kb3FLNzQKgWC/Pruek+lfMtyj8M1s88l46emKVqV/
nO3VxonQywOz1QaNEBODNTwly48MzNREwV1bUZy4DBAeraG4O3fRFg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-11T00:07:08Z"
mac: ENC[AES256_GCM,data:o71aJDP01oX/hzJKjkOkM185wgQ0YSCeYtkjGnGF7OLZ5v7EFIK7iszU4nXP5XdtVydHBXDIWGZPLg2pIzWwlOun3K2sxsy6oGrbgE0rB4+G8SSqO6vi7Lny6+RMI8jYmMEx5hUNOWEc/YWtyBxiQ2iXf7Lcj/Xg2adDDHXUJ4c=,iv:n1D/VapaoLD4qhGhj7xRaqYSkaTizNmNCVYUrfYHyqU=,tag:hZD2iH0YWntEMB9JoMYDXg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

66
secrets/gitlab-runner.yaml
View File

@ -1,66 +0,0 @@
nix-asuran: ENC[AES256_GCM,data:g5rLx9e8+YRVSEGR/zz2cf3XQ79um7iQgK6/5CA/15Xx+KBaPFi0CRsTyXpbMiHAVGJEqruNxEa5AE8VfOtPCjFp0Qed4bkmN23mGHDFTeXZ,iv:sX7ZkCxU6CGCPF+dhdfaZSqk6ADfsNgeNINzfqhEblo=,tag:eTj5BGN86qPNuauI0C6+Bw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eHpicnMreWNUbEVBNHdm
bVBKekVVdng4V1RpNGdKK2ZtQXJrOU12Vno4CldBZFlaREhnVVBaTERCQ3cyY1Y2
WjdLa2I4QnBvZGJpV25ZQXF2MHJtS28KLS0tIC9Oa0NydXFtR0diNGRxbXZHYmdK
Z2h4U0VlTmJPa1BCay9SRmhJSlhURXcK/s3wwTnokpnYJ2q5/NIX2BnJnKwpzBt6
C/8os7EZ3IYinL5Joz4BgN67yzvWNqrputVKmf+/WnL8utiosZBC/A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVUVyZkZOK2pId3BxeEFl
RW9RSllmWklpZEp6Y0ZObGZZMGFZZ3Z3SHlZCkNPZzNWdTVCNkxEVmFtRW5uRFFT
WmNTUGVXYzdxUVBRK0pNMHVjeDdINVEKLS0tIDJyOTQzLy8rckR1Ui80VTYrR3gz
VmkxTlJTRDZYZEVrYklkSU1EZHdWdUkKLwlC83gkZmtmUF6wXyleSDJ1FvfUlDjo
iwkFo+SSOUVsFWJw2FB4sSCFyZ1qmH+57nQsw5JDrk15MZ3xd4g3dw==
-----END AGE ENCRYPTED FILE-----
- recipient: age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORXhDU1NDQ3Q4cHhmMVlD
K2hnSWRtTGkybnlBajlFaU1vTnRSNFVTclRFClV5Y2dzTHZwOGpyM3NOZnppYUpp
OXVTZjFSMnd6WVRGakloRHd6NldFK28KLS0tIHJNditiZWxUclZuUVpqTi9DL2JG
T3FQWUJEbm9IZ2tvamtlNjBnQXVrb0EKQ8Bpa/DcIH55KoJFozOCZzOmMwtChbpk
X5sSK23aQdljSY8oLHaq4GxQVGkCukNPWDwRvcYKcS7N7e5pdXctFQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1r0aszjkyp4zlcw2w2vrk8hmcyvntshr8rew4ehlu5zad4eh6mspsatuczd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUHI3dUNRYld6RlhJdlZN
RGV1L3h4a3dHQ0JoQmRnUDRraVNrYmV3a2w4Cm9LK2lFMHJhOURld0tKS0NFT0NQ
WUZyQkNaUWhseHJ2djFxcFhzNkVXQlUKLS0tIEFxWlVFMWdha2VjQUhndWoraU1J
eG5QdkdFY2lRalZhTEJ1OVVXYU9RczgKGRBHEE4buclWmFEjAiMWFk8lYwNJkDdz
ssmH09J95uqKkdfob+mjBU4LVZqLzDRhw3s5xo6dHSAmjhkQSyHZxg==
-----END AGE ENCRYPTED FILE-----
- recipient: age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYL0lZclU3Y2RCQ0pXclVv
akVvZ29iSlZSQ1lKWHp6bmZVaTVoaDVKU1JJCitLVjZJMm5VZzhXeEZWdkFpcFJv
Vnp6STNpdWE0eUxyZUhZcFBra0xsQzAKLS0tIFNlRW5nejBNTzU2R0ZJV0hHaHFX
V2swZ3dTcHBMVXlGZGkrWWNZVWZlZFEKmwky7MF79rTZRrDTKp+ODICV5Ag18vfL
SAdgpt3fJgwOuNIZpE3zO1tA1K/amk4LS9pGN1jq9sch3Nkk7R6TvQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0bTl4aWNzUWVCSEdwR0wx
OWhLVmRYbWlwenpWTzRicEd3ZkdSZjdCRWhRCkxvbEhIVlRNRUZTNHM2RjFtazd6
MHRNejFJUnViUTF1Y3dqUFh5RjNuVnMKLS0tIE9UQ1lwRGpUT3JCb05iUnZCMFZB
R1BiNnFyUzhWcDhJd0JOV2xQRURUaWsKDZ8fr8YHgecqzZuMEGdXCe1MZHe5UP3x
C3CfnrprJWJCKh1EfVvycwcjSU66MdcoU3G12zdU1EiqlJdtfOzyqg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-05-28T03:19:17Z"
mac: ENC[AES256_GCM,data:pe8D02Uv4ALFmyZb52QZbPFLCYPddd1U3vGHmiPl1ZC/hiJcRZl5riB2GWrq5Eq/E6uoTl70Mbuk6FTT84iNkCPAOr/U95aPj/gUhP4B/7UGJiA49TI86gHRHBzvd5TPjpht6kQhlyU26Z/Z6JqYyCa1itTO2PAnzuaDYkxfpJc=,iv:83krP9E0ZWneX3e5YUS2srzNraU/vdQxKaO2RwNt810=,tag:g165SgajOR1tZmDmnACYtA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

24
secrets/lastfm.conf
View File

@ -1,24 +0,0 @@
{
"data": "ENC[AES256_GCM,data:oOtQy15abXSDyeokVMenOWgw6r0RRBiQ7YioT20Qacjd4WYWiBY3iKledcOSAVk/8sL2UJrxO5Jn0Jb/iEgxlpsRhZsBy+Ta,iv:ZHV/53GY9ItxfnelAz77+FPp7skXpZIEoGRTqaP3rr8=,tag:Ei3GD+Cm9spnx52OsBo0mw==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldk10aElCTUhnT1NnL2VE\ncmxVSjAvRW1ta0hzQ2RkL1p5eTZ1RHV1bUYwCnRBczk3K1RkK2hHWHh2UG5WeTFp\nKytSbFhORzJOeVJDMDhaUXNzV016K0UKLS0tIE0xVXBMQm50Tmo3UVBhakhuZHc1\nRVZxYUdKMExPdTRmN2NIME8zY3pXaDQKiKcFgWhJnkazqETFI+X0CF5MEztMLZJ7\nqLAqrPyCq048BMr+T2tuFsWnXDrQP9TdF4bKZbVu6bRERoFt1booLw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMelJQUTFMalV1Ni9uOHFx\nUm9COE5oMHpvNy9jZmhDaHpKU2tmR0FSSGxRCndibnN1QUNXNk5MMnoza2doOXBG\ndzBBMCtYbjg4WEZWV0pnVVcyMWo3a3cKLS0tIHNTZzZEMktESWF5dSs4ZW10Ykth\nZ1J5Y3lZbElJUGlJaU0zNTR6d2ZTVE0KkW+mJDTlMvt2tCoGeqgL50RU0PArH07q\nLCxoj/7MRV9BegKOrThJ+IfcfgLWnTB2XGGf8wIBAQbseb+H+Uq9Zw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-05-23T02:43:23Z",
"mac": "ENC[AES256_GCM,data:gMQTP8HpmdLO5/X7EMDWAhLy5TO+maOq7Kk53JBoVWJYR5kEU4bK2KN8rEArORICcs7MtfRAPRxsivlxGN+Erhe/IRUWwTMDBekppOh16iNw1leStwomHSe5nhJvBzEf8rRWynojp7WzfAalpfAD2b77cCOUviXh3VWmB2olcqc=,iv:hBHLKWPaEIrcCk6vkefgZQkkjSjN7x/bnajTf1D28LI=,tag:/W/WAAFON7U7M0yA/7Cxzg==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.1"
}
}

40
secrets/matrix-community-recaptcha
View File

@ -1,40 +0,0 @@
{
"data": "ENC[AES256_GCM,data:3ZzrLItW8BjikdOUcxMgVRrEkM5jj9065T/x6EJrGKjoV3quznbAlWKRn5Tpa0UOq4c+PbcFeS7edJSQkqd7sTxH+noDfOdM1gIXrQbNHHWOrmqzYmppRYLxe+gkffhQDFJlGWMuKNiOx2eGtATCvgojsKIlWOI9npMT16Osx3mvEZ9TtmvKWsh2WK9C1SUJtj0TdTkctg2/qjW7yqQ/+JAY2/0oRJDz,iv:tBW7tRVRTS/ORV6A/yoP6x/yjGH6lNHKn0/sWjjBXgc=,tag:iBtwsr63lxwyjoHkXI4hyw==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5OU5mT0VJeEx6UkVYWVhJ\nMDNnOGlpaVhLUnlhTHVrcEtLQU9mamVrTEFzCkROMlgvUXNMVlR0aTNxQ1Qvc2lD\na1JEMXRYc0t2VWh6QXp6WUhmR2lQbHcKLS0tIGx5SjNEdmxETDlqZmF4ZjdLeUg3\ncGVabVVkTzg1bGJueVhSbnJzZC9sYzgKlzR7qCu3TB33cJEM9tWuXU7Mt3p+y2KK\nPQo6R/j+j6jeaqRe4TnB2oz3ZDvd8E6JxEFCEQMuIVwMs79qy2tyEg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0S3gwdmNiRURxRnAyVXZ5\nYkhBcmxZRDlkNWx5RDc3WnhidG1qWUt3cldBCm5JaENXUUplT1N5VlU0Y1U4UVk1\nVDlTcnlBTStxTEN4YmdlVEN2eWV3aEUKLS0tIEZxbG5JRUZUVi9Kd1Y1dnBQeXFF\nOGtvWFMwNjlybEZxZ0wrSDFEYlp5eTgKc6wUj1ZppA/DvgP+eB2pnwBYXVkEJJWb\nA9wqEvjAQjpktsFkjGH+la03RJftPZaQXP9Bx/3qFHmaZ2MKN2Ff9w==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxOTkxdExrby9BRVZ4L0kw\nQkVMZHhJVmgwbW5vVW9sU05jSE5yZ1psZ1JNClRIenlKNlRCWCtrKzY4TXpnaHpV\nZEVGWlNuaFpadW1TcElSVlkrYndvMHMKLS0tIDVXekwzQ0ViR1U3cW1vY3IweHpE\ndGNzVmRZQy9Ob2lvN0tFU200MkR2QVUKOxLB3N179MTmcEp3rLqcGkw1PvJUku3O\ntGHd8bu/egwNYExh3+9zrXjRjF7H8rj/aTOsfMrPg4HTEa0zunh0jQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1r0aszjkyp4zlcw2w2vrk8hmcyvntshr8rew4ehlu5zad4eh6mspsatuczd",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqeFQwcmtvcTRBcTJJeEJF\nOGdzL3RoME5PU1N1SERvMG1iTGRPazRJdWo4CmhoWHVha1BkWjA1ZG8rMGFXM01V\nMTlkUE9yOFF1RmZtbXNCeldwOEJTYUEKLS0tIHVhUkJJRGErVjdTS21Cd3pNY2w5\nMjhOTUFLQ3dZSGJRcDl4aitoeTgwTWsKvE0GMBacRdIuDfwdhS8+OsuCdXzHtM4b\no81euQF3qfoDhOs0TjhlT4qc8mvf5o6pQEyOiqCmcbbykW5JnIzUeg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZFk0bVRvcmpBZlB4bFk2\nVVUyQW9NMm9oM3YwVk8yL1d2Q3RNRzVmNkdZCnZSTEhaVkVSWVpiY1ErTjdKcUpx\nTW0yRytSOUhLZzJ1RFk3K01kT1ZNd2MKLS0tIEZDa093c1BsYTA0Y2JaWjA3eEZQ\nelR1ODd0cVNCNTVwR3M1Q3QxalptZzQKsz0mPw8ZJ7am2FnOR7a6BRIVERhXMsCy\nNqRfpnlKPSpvCbuZqVWxyqweg2vYFsL5Z7kHIDSZBGbGtUSfToAykQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFRHR6VzlodzJxbHRxSGNV\nWGVQeTBkQS8xODF1aTN5YVZHZnNTSW9IUUVvCi9kZ1V2bHdjMkpNTDJaNk1MZS85\nWFg2Q0E0L3o2ekdmamM5ZzZWb0ljaGcKLS0tIGx6MWpPOGM0UzJCN2IyckM3OThQ\nQ3RlQzh5OWZtd1JRRmdRdlA1djErYTAK4H2//NN6irNZmTj/VVMfkbapOPeSutif\nVxtx5U9/1ors/yxoWdvkAfPD50IiPhfEq3FVUbbLoLIeA0cxIKX2tg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-05-23T05:09:47Z",
"mac": "ENC[AES256_GCM,data:ZoZ+H/bFSvvSQGbFcmIUXtXTZqWBCqOPX5lCQxm3HV6OJahgPxWf0j+9lWih3dsc2sroXX6EmXFG7r1TO38Kpzjn3PFQH938J++9xwTPshREPhXULRC6l+yIJir0mz/5/dw6ZIBRavXLJdVaM9WnnyEDMX+X1IsKdtZ7N5HoC3U=,iv:Zdv2Gr/nZxLMo1to11JwxDOpyv8PA2FtafT+lYlm/1s=,tag:DcYS9cKztNBXzrsPhCxBBg==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

65
secrets/nathan.yaml
View File

@ -1,5 +1,4 @@
lastfm-username: ENC[AES256_GCM,data:uzGMxSMjnUYLF0Mutg==,iv:9JSXwl+X5eKIoJFjOt7LntlK6iQcy/Fm1ViG/J3I1d8=,tag:MAsE2f3qxBTYS+gt783jow==,type:str]
lastfm-password: ENC[AES256_GCM,data:U+jEt8sY/kB7r1y0odqf0fs7jt5Jj2ra,iv:olko3/QHnNPoNpEMUeGL77qxphYLGhHSnn+ru5ANd2U=,tag:iXUy1CnZmI6cDj5dy5U3Kg==,type:str]
tailscale-auth: ENC[AES256_GCM,data:p/hDzRWFH13b0yFMpE2OkWU1KxPxCPhPSBcQlKy822P5D/K3lh8q2A==,iv:S+BDPc8vZc28EkO/XWgo3hyVRz6ap/Q/AqOGBr4DCzA=,tag:U0Ps+u7EpE/+wDoZmnfWgQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -9,23 +8,59 @@ sops:
- recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKVWh2dTZzZXE5SWtNVW9K
TFp3NGc5NndvdXZUVzVCOHhPQ0Q4TVRwVGt3CkREOFJkc3dyck0xTmQ1bnhzSHA2
dFdrVThwajMyeS9tODl5UHpUQWk1OEEKLS0tIGdsaFBKMDR3RDdSOUU0THFpbXJy
UGZ5dVljc3F1a080TnQ0UWpRQ0tVR0UKbMgZKAHeLWb/sgMNbjO/SUwAeiaSiwcy
TbMu1WJdG6CJKxpsYiYvSo5S6FcOp/xWYh3+893zkwoL31yf64NACA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwR3ZrbnhyOGlsd1FGNnlM
eWp2NVcydGtJL1pXSTZnYUhjY0JYNEJwUGlvCk82cnRNbFJnV2sxS2ZwVE8wWTIy
OGlzTGRKeEo1VmQybTlody9vSjhZd2cKLS0tIE44bkg4NVkyMnhsYnZoMUhvZkhs
Vk5vU2psN0FXM3YvbjZISGZnQk0zcEUK+XhL767U4VOHKtUpm0rvS2a0xZqqDPn0
lzpJJ/xy3sHwUVb4iLHGigcc78mefu2oecMP8bfDuZFp6DNoK9WP1Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwZ2R2N3p6K2J1ZW5oTUNr
WVNBS3A2T3o2WXhRU216L1F3WmE3V0tzNGdrCnh5OVVXV3YzTy9UVE9qWE4yNnlv
Ym5EN0QyU2xMMUw2TWlSU2QvdStPeFUKLS0tIFZpN1drNkwyWG5TRWlULzVFb1Bl
NW9lVmdFOS9KSFFld2F0VVdZcjRhR3MKpwRAfTUHogYp3XKdXyKih/DxWjEy6D2o
2a0cwtZ3+pHXxMTJd3wGvKpPNPO58YO4lgIUuwkR02upLzIre/KgRw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZ1lNdlk5UU9xUVhRRzFt
bThEbk5BUWtWSXptTmZLRjBMSjd3bzVjbXo4CjRTNUJZZ2h5ZnJTNXMwRkFMbGxs
S3dOZUtRbUxZSXJHb1E4QXNxSlBScEUKLS0tIFNqSVRIdXZUckVJanBTWTd3dHMv
Z3NvcmdrcjZtK3YyR3o0Znc5cmQ2YVkKFvRIQQoxZ7WYngPHJJPCYpUuAPRjxABV
iD8mJ2RJ+VStQONZZyhf9ZC+TprdNC5nD4GimA/AM5f5YxRAhRhXcA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-05-23T02:43:17Z"
mac: ENC[AES256_GCM,data:T/zhvzP6ziH0gKcy694VlX7KSQRlk559REAuR7NfkxvhFhi7WwOOnBE336q5s4ebfGWUqREOzt6MXTDILVcjwbBC8HZ8sDInx364KXfmcSo8C/Md4VgDIqFYBsLYqJNijY34gCtycVZYAc/UBoNztpdtZYMkhBFgzb1DLcaaS3g=,iv:0S2wpefnXpeK80QVbnoJ582BZbZA5CNg/hJd9lLV75k=,tag:Wzz7T9f06bCYirUmaawLMg==,type:str]
- recipient: age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4eWZ5Mzc2QVFZazRrZk4y
a214TW5EMkw3TDNGNlN4N25hekY0UGRXbzBFCnVaZU1MYThMeGRNNWY0WW5DNTFp
MUZFZkxJVDVWdjd2YXlXVkxwTFFyc0EKLS0tIHY5UWZ1akxBcUY4b0E3VUJwakt3
UytuYTZBZlhMNFNWeDkwdDl0YzR4YU0KOQPfVIBWGFyPbCJOe4yY4i9FwGYaAQRY
aIn9RtB5q84J4KvTXo8+l0XMqzq6AktYJtvuGmKDmoDg/ZoZLj15xg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1r0aszjkyp4zlcw2w2vrk8hmcyvntshr8rew4ehlu5zad4eh6mspsatuczd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzREZHQ2o4UnJweXR2bHVQ
R2R5VWtML2NITlNwOU5PYmZLZlRhYkNKd3pjClZCcitJSHBSdnhNVnZwVUYzY0Rn
UURIdFlUVEhLSkt2NGtDZi9tMzNOR1kKLS0tIFRCbW8rYjdMblNaa2NhZW00UzBV
ZUpXQjRPYjNVYVdlbHNlWE5hVDhJam8KyZHwn0y+KIu5J1g7oI6qsBsTWP589Lfd
bZgh/yo9CF9/iZO74I1a4eHYBGYGh/clNjLmKk63gsfxcqY6Ck2eqQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdHV1NXh1RmpPWXBGOVIw
U0I3NWEraWs4dUxLWXdoMTlYQ1d6blBhZ2pjCk1lY0pZM1VHaGFSZGYyeEZxOFFO
MzJwRHdTaCtZakJUNUxHeG40NnlFaHcKLS0tIDVzMzZPN3lQeUhlZ0thWWZLbkc2
UXNROW1Ub2VyT01jMUN4MUMrUU1mKzgKmf24d/VgivYC25yHJSdFkItt9SCtLNZb
0Rrh/N11pV24qWFXkFuX/ZKK5bV3JrUgS7K3KWOp4ur6dlI5rfMsUg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSOXdMcFJ5WVVBNEhtbkR0
a1JFczdsZDFpNnd2a0RTWjNoOXM4ZXpSQVM4Cjh0aHg2MCtMWmZPUnRpdEZoS3E2
NDJZZ3ZpNlh3VUQvQVZxSkJmd05TOXMKLS0tIDJwQW5nVStYSEROVnRJK0liRzR5
UWU2SXIyTkhRU1NCajZQUUd5MlBnT2MKMIgwTZWnrAKzqHP7EFslZ+HMD7ZtBilJ
+FgcIllwQV9XeIyhAuAeKjP95JgCwn1oQL32fYCyyqwykeb0wjQdzA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-24T00:21:52Z"
mac: ENC[AES256_GCM,data:92ibRrMnizSQrHIJtW+2KZSeUlU2/Oi18voZKBsC2xyODDh+iHWOBBlv62YUKODRBE2Ze/OklvcYME03NAvY4/wKOqjz/cFMU8PeEkxZvzCtnP55CCYYL6QJ0DSJPP+dKQQkfTV5Xy0JPyY9lZc+g22FB+/FZeo1o3N3lz9Nd1E=,iv:dTeHpQQWcm6cAh11csxR6Lgw3pdTTFWPqR6MozFP+fU=,tag:7WFZfd1D+twItx/xC/MHfA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.1
version: 3.7.3

66
secrets/tailscale.yaml
View File

@ -1,66 +0,0 @@
tailscale-auth: ENC[AES256_GCM,data:Xp3WPLuOkjgXa85Xtx5LqKSn3M4uRtPwVRJco0yctvdftsCh00NFzA==,iv:lVqOkksJha0tw3yZyeWdOhpB3omQ8WDya2OTeDcrP54=,tag:C3JOb7hG++wgJZSN2dFMmA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4OWM5NzlFd09POHJKZmVM
MFhqZFNiUUxBU3p1NHBBTERMd0tWak8zL2pBCjFldDdlUzd4TFI5b09PNFhtRHlT
Z1VuRVNnK0xlTFNEMjFxUmFqMWJIQlkKLS0tIExLaDBkdytZbTc0b2d1enlBUGQr
RzZJR3RmQ1haa25hZzNVVGpXdXcxczgK4NoVyME5fmgDV9sWg0GjB8bvlYFJtF+l
NM+gug2ZAxhx8AuRt89oYqhKLxzEDfEtGpX02kbLWZ0RTTDLlqmDKQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvL2UzdGM5a2FJbjhFYkdX
NHhzeGFTcXArV05nTmlBWjY4OUtDaldpYWdNCkl5aWZvRXhkTHNJdnBWa0tzY3Vy
eUZjanJybEVJeXBDOHpvRDVWM2NkTVUKLS0tIHB0UHQ4MFZpVVdKM2pYNkJkYTAz
MFlIdHJBN3FEVE5FR3Bud3dvcHhuQm8KiQSQ38odsEfJusja9/ouwxSNFeis3ISB
hvrkz6R0WPU22dcpJyFuVMlnTvtkKakabYhWuLlZLzBB8qwGsB1WRA==
-----END AGE ENCRYPTED FILE-----
- recipient: age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPUDZ3Zitodll4VXZoazRM
UXZ3N0FUVG9EMlIxVUlpS21UcXg1V3dPRGhRCjg5ekZ1UUErcitDMU5KeWlGK0Np
clhlMHk0WVc2MVBYNnZVN3NLKzV6Zk0KLS0tIFprYWVZbkFMYjQ0dlIwTWNDSzlj
ekdGVGFwL0NZakJzb0hEbDRKMmZkZDQKfxr3gdNKkF0x4WIVQweC3ZoV38YZCqUm
bzpfbkM0zpbL8+uNc4p6kqHhC3MktuV454FiS/UXpeazLa2s4VtM+Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1r0aszjkyp4zlcw2w2vrk8hmcyvntshr8rew4ehlu5zad4eh6mspsatuczd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJQ1BQSnduMmduTDd4S0Zx
WE5sL2wxRk9HQ2JmVTB6Vk9DN2k3MEhBWkdJCjU1b1FHb2lRL2Y2K0J5dE1zQ1Bm
YjE4eDZ1dWNEVXFoWndFNFloK3RiNmcKLS0tIElQNEt5c2tGNHpERHlBUDlrWGJq
K0RySWMyOEsyYUIxM0U0Z2FNNlVsMDgKRPckpbJeAnCJuKb0zaEPQFoQ9ScvPJHN
NEHeVV68iPKmNWrS8DAYaaeyYcADjxA/JuOUmrA6Uigbgl5rmWQR3A==
-----END AGE ENCRYPTED FILE-----
- recipient: age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWXB5Qm44dDBWNWMrWmNa
aWNOM2tIcVAxU0JqU282KzhGMG5FYWhEYW53CjRXSWxyVGVLVTRKMHJ5ejJ5eWJF
a1k1VTZUUW9ycmV5dEo2TU5FYWNTNTAKLS0tIDlYZ2ROYUtXYkhDTFBmRndzWnZ3
MmtaaEIvd2tlV3hRdGlVcmV3SXZaQ0EK78lpqMOPuyMh8NFdSCpPwQov6j0kVwKX
3pTSG7i9fduwOygCynn/Be6W+5G5iI448lxSCfHLoESACZpiFpc+nA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0R3BzM2p3SUp3R0ZLOG9R
V29ESE8zU1J2Q01vclRRSXUyOXNCeW8zK1JVClBxUDdqZkoybW8ydkpDTnZkY1Bo
OXNjR3NrZVRMbzUrMVBlS2VJTXlxRjAKLS0tIFBsa1NmdjdrT0VFd0ZRV3BIck1x
bnhDdUV4SGh4QXJIUEZDOWptNkxhUTgKGUGoazZzBYWpMqLJcrryJAYWe84ttGoP
6o0hlKQf4XlcouqxYoY754uO4Xrvr51aaNqmUGgToc0zlFcTRvrK5A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-14T17:48:23Z"
mac: ENC[AES256_GCM,data:z2CU/geAuYKDsdoASsxDK4trIVqsPfr2sHw5D92g6uiUoQDOUXf5/ihQxJvgcKWCxYixZnZ4zsNCkd11YU52oNUdY7LZqg9X8C941WGsqKLBzRTI875EYK50MFO22RaBKWSgJYHasWhh6OIgLjyw1VL1HWcKlN8kuTYV33Uo/2g=,iv:NFornFaSHy1aRBOWl0O6kmbvGcDJbZM0JOj3iagFNUM=,tag:V/AlMWy0Jk4V+ZC2XsTaBA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

92
system-specific/matrix/gitea.nix
View File

@ -1,92 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.gitea = {
enable = true;
appName = "Rust Community Matrix Homeserver";
domain = "gitea.community.rs";
rootUrl = "https://gitea.community.rs";
database = {
type = "sqlite3";
};
httpPort = 3001;
settings = {
ui = {
DEFAULT_THEME = "arc-green";
};
service = {
DISABLE_REGISTRATION = lib.mkForce true;
};
repository = {
DEFAULT_BRANCH = "trunk";
};
};
lfs.enable = true;
};
# Setup the docker networking for woodpecker
systemd.services.init-woodpecker-network-and-files = {
description = "Create the network bridge woodpecker-br for filerun.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
before = [ "docker-woodpecker-server.service" ];
serviceConfig.Type = "oneshot";
script =
let dockercli = "${config.virtualisation.docker.package}/bin/docker";
in
''
# Put a true at the end to prevent getting non-zero return code, which will
# crash the whole service.
check=$(${dockercli} network ls | grep "woodpecker-br" || true)
if [ -z "$check" ]; then
${dockercli} network create woodpecker-br
else
echo "woodpecker-br already exists in docker"
fi
'';
};
# Setup woodpecker
virtualisation.oci-containers.containers = {
woodpecker-server = {
image = "woodpeckerci/woodpecker-server:latest";
ports = [ "8000:8000" ];
volumes = [ "woodpecker-server-data:/var/lib/drone" ];
environment = {
WOODPECKER_OPEN = "true";
WOODPECKER_GITEA = "true";
WOODPECKER_HOST = "https://woodpecker.community.rs";
WOODPECKER_GITEA_URL = "https://gitea.community.rs";
WOODPECKER_LIMIT_CPU_QUOTA = "200001";
WOODPECKER_LIMIT_MEM = "2147483648";
WOODPECKER_ADMIN = "thatonelutenist";
WOODPECKER_ENVIRONMENT = "SCCACHE_REDIS:redis://172.23.108.12";
};
environmentFiles = [ "/var/lib/secret/woodpecker-server" ];
extraOptions = [ "--network=woodpecker-br" ];
};
woodpecker-agent = {
image = "woodpeckerci/woodpecker-agent:latest";
dependsOn = [ "woodpecker-server" ];
volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
environment = {
WOODPECKER_SERVER = "woodpecker-server:9000";
WOODPECKER_MAX_PROCS = "1";
};
environmentFiles = [ "/var/lib/secret/woodpecker-agent" ];
extraOptions = [ "--network=woodpecker-br" ];
};
};
services.nginx = {
virtualHosts."gitea.community.rs" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:3001";
};
virtualHosts."woodpecker.community.rs" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:8000";
};
};
}

439
system-specific/matrix/matrix.nix
View File

@ -1,439 +0,0 @@
{ pkgs, lib, config, unstable, ... }:
let
fqdn =
let
join = hostName: domain: hostName + lib.optionalString (domain != null) ".${domain}";
in
join config.networking.hostName config.networking.domain;
in
{
# Punch a hole in the firewall
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Enable postgresql
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
# configure cert email
security.acme.defaults.email = "thatonelutenist@protonmail.com";
security.acme.acceptTerms = true;
# Enable nginx
services.nginx = {
enable = true;
# only recommendedProxySettings and recommendedGzipSettings are strictly required,
# but the rest make sense as well
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
# This host section can be placed on a different host than the rest,
# i.e. to delegate from the host being accessible as ${config.networking.domain}
# to another host actually running the Matrix homeserver.
"${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig =
let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in
''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in
''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
locations."/".extraConfig = ''
rewrite ^(.*)$ http://www.community.rs$1 redirect;
'';
};
# Reverse proxy for Matrix client-server and server-server communication
${fqdn} = {
enableACME = true;
forceSSL = true;
# Or do a redirect instead of the 404, or whatever is appropriate for you.
# But do not put a Matrix Web client here! See the Element web section below.
locations."/".extraConfig = ''
rewrite ^(.*)$ http://element.community.rs$1 redirect;
'';
# forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = {
proxyPass = "http://127.0.0.1:8008"; # without a trailing /
};
};
# Main domain
"www.community.rs" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig =
let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in
''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
# ACAO required to allow element-web on any URL to request this json file
in
''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
root = "/var/www";
};
};
};
# Enable element web
services.nginx.virtualHosts."element.${fqdn}" = {
enableACME = true;
forceSSL = true;
serverAliases = [
"element.${config.networking.domain}"
];
root = unstable.element-web.override {
conf = {
default_server_config."m.homeserver" = {
"base_url" = "https://${fqdn}";
"server_name" = "${fqdn}";
};
showLabsSettings = true;
settingDefaults.custom_themes = [
{
"name" = "Discord Dark";
"is_dark" = true;
"colors" = {
"accent-color" = "#747ff4";
"primary-color" = "#00aff4";
"warning-color" = "#ed4245d9";
"sidebar-color" = "#202225";
"roomlist-background-color" = "#2f3136";
"roomlist-text-color" = "#dcddde";
"roomlist-text-secondary-color" = "#8e9297";
"roomlist-highlights-color" = "#4f545c52";
"roomlist-separator-color" = "#40444b";
"timeline-background-color" = "#36393f";
"timeline-text-color" = "#dcddde";
"timeline-text-secondary-color" = "#b9bbbe";
"timeline-highlights-color" = "#04040512";
"reaction-row-button-selected-bg-color" = "#b9bbbe";
};
}
{
"name" = "Dracula Flat";
"is_dark" = true;
"colors" = {
"accent-color" = "#bd93f9";
"primary-color" = "#bd93f9";
"warning-color" = "#bd93f9";
"sidebar-color" = "#1e1f29";
"roomlist-background-color" = "#1e1f29";
"roomlist-text-color" = "#eeeeee";
"roomlist-text-secondary-color" = "#eeeeee";
"roomlist-highlights-color" = "#00000030";
"roomlist-separator-color" = "#00000000";
"timeline-background-color" = "#1e1f29";
"timeline-text-color" = "#eeeeee";
"timeline-text-secondary-color" = "#dddddd";
"timeline-highlights-color" = "#00000030";
"reaction-row-button-selected-bg-color" = "#b9bbbe";
};
}
{
"name" = "Dracula";
"is_dark" = true;
"colors" = {
"accent-color" = "#bd93f9";
"primary-color" = "#bd93f9";
"warning-color" = "#bd93f9";
"sidebar-color" = "#1e1f29";
"roomlist-background-color" = "#1e1f29";
"roomlist-text-color" = "#eeeeee";
"roomlist-text-secondary-color" = "#eeeeee";
"roomlist-highlights-color" = "#00000030";
"roomlist-separator-color" = "#4d4d4d90";
"timeline-background-color" = "#282A36";
"timeline-text-color" = "#eeeeee";
"timeline-text-secondary-color" = "#dddddd";
"timeline-highlights-color" = "#00000030";
"reaction-row-button-selected-bg-color" = "#b9bbbe";
};
}
{
"name" = "Geeko dark theme";
"is_dark" = true;
"colors" = {
"accent-color" = "#73ba25";
"primary-color" = "#35b9ab";
"warning-color" = "#bf616a";
"sidebar-color" = "#2a2a2a";
"roomlist-background-color" = "#4a4a4a";
"roomlist-text-color" = "#fff";
"roomlist-text-secondary-color" = "#ddd";
"roomlist-highlights-color" = "#2a2a2a";
"roomlist-separator-color" = "#3a3a3a";
"timeline-background-color" = "#3a3a3a";
"timeline-text-color" = "#eee";
"timeline-text-secondary-color" = "#6da741";
"timeline-highlights-color" = "#bf616a";
"reaction-row-button-selected-bg-color" = "#bf616a";
};
}
{
"name" = "Luxury Dark theme";
"is_dark" = true;
"colors" = {
"accent-color" = "#D9BC00";
"primary-color" = "#FFDD00";
"warning-color" = "#FBC403";
"sidebar-color" = "#020F1B";
"roomlist-background-color" = "#011223";
"roomlist-highlights-color" = "#1E354A";
"roomlist-separator-color" = "#05192D";
"roomlist-text-color" = "#FFEC70";
"roomlist-text-secondary-color" = "#FFF3A4";
"timeline-background-color" = "#05192D";
"timeline-highlights-color" = "#011223";
"timeline-text-color" = "#FFF3A4";
"timeline-text-secondary-color" = "#A79000";
"reaction-row-button-selected-bg-color" = "#FFEC70";
};
}
{
"name" = "Nord dark theme";
"is_dark" = true;
"colors" = {
"accent-color" = "#a3be8c";
"primary-color" = "#88c0d0";
"warning-color" = "#bf616a";
"sidebar-color" = "#2e3440";
"roomlist-background-color" = "#3b4252";
"roomlist-text-color" = "#ebcb8b";
"roomlist-text-secondary-color" = "#e5e9f0";
"roomlist-highlights-color" = "#2e3440";
"roomlist-separator-color" = "#434c5e";
"timeline-background-color" = "#434c5e";
"timeline-text-color" = "#eceff4";
"timeline-text-secondary-color" = "#81a1c1";
"timeline-highlights-color" = "#3b4252";
"reaction-row-button-selected-bg-color" = "#bf616a";
};
}
{
"name" = "Nord light theme";
"is_dark" = false;
"colors" = {
"accent-color" = "#a3be8c";
"primary-color" = "#5e81ac";
"warning-color" = "#bf616a";
"sidebar-color" = "#d8dee9";
"roomlist-background-color" = "#e5e9f0";
"roomlist-text-color" = "#d08770";
"roomlist-text-secondary-color" = "#3b4252";
"roomlist-highlights-color" = "#eceff4";
"roomlist-separator-color" = "#eceff4";
"timeline-background-color" = "#eceff4";
"timeline-text-color" = "#2e3440";
"timeline-text-secondary-color" = "#3b4252";
"timeline-highlights-color" = "#e5e9f0";
"reaction-row-button-selected-bg-color" = "#bf616a";
};
}
{
"name" = "Selenized black theme";
"is_dark" = true;
"colors" = {
"accent-color" = "#70b433";
"primary-color" = "#4695f7";
"warning-color" = "#ed4a46";
"sidebar-color" = "#181818";
"roomlist-background-color" = "#252525";
"roomlist-text-color" = "#ffffff";
"roomlist-text-secondary-color" = "#b9b9b9";
"roomlist-highlights-color" = "#3b3b3b";
"roomlist-separator-color" = "#121212";
"timeline-background-color" = "#181818";
"timeline-text-color" = "#FFFFFF";
"timeline-text-secondary-color" = "#777777";
"timeline-highlights-color" = "#252525";
"reaction-row-button-selected-bg-color" = "#4695f7";
};
}
{
"name" = "Selenized dark theme";
"is_dark" = true;
"colors" = {
"accent-color" = "#41c7b9";
"primary-color" = "#4695f7";
"warning-color" = "#fa5750";
"sidebar-color" = "#103c48";
"roomlist-background-color" = "#184956";
"roomlist-text-color" = "#dbb32d";
"roomlist-text-secondary-color" = "#FFFFFF";
"roomlist-highlights-color" = "#2d5b69";
"roomlist-separator-color" = "#2d5b69";
"timeline-background-color" = "#2d5b69";
"timeline-text-color" = "#FFFFFF";
"timeline-text-secondary-color" = "#72898f";
"timeline-highlights-color" = "#184956";
"reaction-row-button-selected-bg-color" = "#4695f7";
};
}
{
"name" = "Selenized light theme";
"is_dark" = false;
"colors" = {
"accent-color" = "#ad8900";
"primary-color" = "#009c8f";
"warning-color" = "#d2212d";
"sidebar-color" = "#d5cdb6";
"roomlist-background-color" = "#ece3cc";
"roomlist-text-color" = "#c25d1e";
"roomlist-text-secondary-color" = "#000000";
"roomlist-highlights-color" = "#fbf3db";
"roomlist-separator-color" = "#fbf3db";
"timeline-background-color" = "#fbf3db";
"timeline-text-color" = "#000000";
"timeline-text-secondary-color" = "#777777";
"timeline-highlights-color" = "#ece3cc";
"reaction-row-button-selected-bg-color" = "#4695f7";
};
}
{
"name" = "Solarized Dark";
"is_dark" = true;
"colors" = {
"accent-color" = "#b58900";
"primary-color" = "#268bd2";
"warning-color" = "#dc322f";
"sidebar-color" = "#002b36";
"roomlist-background-color" = "#073642";
"roomlist-text-color" = "#839496";
"roomlist-text-secondary-color" = "#93a1a1";
"roomlist-highlights-color" = "#586e75";
"timeline-background-color" = "#002b36";
"timeline-text-color" = "#839496";
"timeline-text-secondary-color" = "#586e75";
"timeline-highlights-color" = "#073642";
"reaction-row-button-selected-bg-color" = "#268bd2";
};
}
{
"name" = "ThomCat black theme";
"is_dark" = true;
"colors" = {
"accent-color" = "#cc7b19";
"primary-color" = "#9F8652";
"warning-color" = "#f9c003";
"sidebar-color" = "#000000";
"roomlist-background-color" = "#191919";
"roomlist-text-color" = "#cc7b19";
"roomlist-text-secondary-color" = "#e5e5e5";
"roomlist-highlights-color" = "#323232";
"roomlist-separator-color" = "#4c4c4c";
"timeline-background-color" = "#000000";
"timeline-text-color" = "#e5e5e5";
"timeline-text-secondary-color" = "#b2b2b2";
"timeline-highlights-color" = "#212121";
"reaction-row-button-selected-bg-color" = "#cc7b19";
};
}
];
};
};
};
# Matrix recaptcha keys
sops.secrets."matrix-secrets.yaml" = {
owner = "matrix-synapse";
format = "binary";
sopsFile = ../../secrets/matrix-community-recaptcha;
};
services.matrix-synapse = {
enable = true;
settings = {
server_name = config.networking.domain;
public_baseurl = "https://matrix.community.rs";
listeners = [
{
port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = false;
}
];
}
];
enable_registration = true;
enable_registration_captcha = true;
allow_guest_access = false;
extraConfig = ''
allow_public_rooms_over_federation: true
experimental_features: { spaces_enabled: true }
auto_join_rooms: [ "#space:community.rs" , "#rust:community.rs" , "#rules:community.rs" , "#info:community.rs" ]
'';
turn_uris = [ "turn:turn.community.rs:3478?transport=udp" "turn:turn.community.rs:3478?transport=tcp" ];
turn_user_lifetime = "1h";
# Configure secrets
extraConfigFiles = [ config.sops.secrets."matrix-secrets.yaml".path ];
};
};
}

91
system-specific/oracles/gitea.nix
View File

@ -1,91 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Setup gitea
services.gitea = {
enable = true;
appName = "Nathan's Git";
database = {
type = "sqlite3";
};
domain = "git.mccarty.io";
rootUrl = "https://git.mccarty.io";
httpPort = 3001;
settings = {
ui = {
DEFAULT_THEME = "arc-green";
};
service = {
DISABLE_REGISTRATION = lib.mkForce true;
};
repository = {
DEFAULT_BRANCH = "main";
};
};
lfs.enable = true;
};
# Setup the docker networking for woodpecker
systemd.services.init-woodpecker-network-and-files = {
description = "Create the network bridge woodpecker-br for filerun.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
before = [ "docker-woodpecker-server.service" ];
serviceConfig.Type = "oneshot";
script =
let dockercli = "${config.virtualisation.docker.package}/bin/docker";
in
''
# Put a true at the end to prevent getting non-zero return code, which will
# crash the whole service.
check=$(${dockercli} network ls | grep "woodpecker-br" || true)
if [ -z "$check" ]; then
${dockercli} network create woodpecker-br
else
echo "woodpecker-br already exists in docker"
fi
'';
};
# Setup woodpecker
virtualisation.oci-containers.containers = {
woodpecker-server = {
image = "woodpeckerci/woodpecker-server:latest";
ports = [ "8000:8000" ];
volumes = [ "woodpecker-server-data:/var/lib/drone" ];
environment = {
WOODPECKER_OPEN = "true";
WOODPECKER_GITEA = "true";
WOODPECKER_HOST = "https://ci.mccarty.io";
WOODPECKER_GITEA_URL = "https://git.mccarty.io";
WOODPECKER_LIMIT_CPU_QUOTA = "400000";
WOODPECKER_LIMIT_MEM = "2147483648";
};
environmentFiles = [ "/var/lib/secret/woodpecker-server" ];
extraOptions = [ "--network=woodpecker-br" ];
};
woodpecker-agent = {
image = "woodpeckerci/woodpecker-agent:latest";
dependsOn = [ "woodpecker-server" ];
volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
environment = {
WOODPECKER_SERVER = "woodpecker-server:9000";
WOODPECKER_MAX_PROCS = "2";
};
environmentFiles = [ "/var/lib/secret/woodpecker-agent" ];
extraOptions = [ "--network=woodpecker-br" ];
};
};
services.nginx = {
virtualHosts."git.mccarty.io" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:3001";
};
virtualHosts."ci.mccarty.io" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:8000";
};
};
}

49
system-specific/oracles/gitlab-runner.nix
View File

@ -1,49 +0,0 @@
{ config, pkgs, lib, ... }:
{
# setup sops for secrets
sops.secrets."nix-asuran" = {
format = "yaml";
sopsFile = ../../secrets/gitlab-runner.yaml;
};
# Make sure docker containers can reach the network
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
# Make sure docker is enabled
virtualisation.docker.enable = true;
# Enable binfmt-misc so we can run aarch64 containers
boot.binfmt.emulatedSystems = [ "wasm32-wasi" "aarch64-linux" ];
services.gitlab-runner =
let
nix-shared = with lib; {
dockerImage = "nixpkgs/nix-flakes";
dockerVolumes = [
"/var/sharedstore:/sharedstore"
];
dockerDisableCache = true;
dockerPrivileged = true;
};
in
{
enable = true;
concurrent = 4;
checkInterval = 1;
services = {
# default-asuran = {
# registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-default";
# dockerImage = "debian:stable";
# dockerVolumes = [
# "/var/run/docker.sock:/var/run/docker.sock"
# ];
# dockerPrivileged = true;
# tagList = [ "linux-own" ];
# };
nix-asuran = nix-shared // {
registrationConfigFile = config.sops.secrets.nix-asuran.path;
tagList = [ "nix" ];
requestConcurrency = 8;
limit = 4;
runUntagged = true;
};
};
};
}

69
system-specific/oracles/matrix.nix
View File

@ -1,69 +0,0 @@
{ pkgs, lib, config, unstable, ... }:
{
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'matrix-synapse';
CREATE DATABASE "synapse" WITH OWNER "synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.nginx = {
virtualHosts = {
"matrix.mccarty.io" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
rewrite ^(.*)$ http://element.mccarty.io$1 redirect;
'';
# forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = {
proxyPass = "http://[::1]:8008"; # without a trailing /
};
locations."/_synapse" = {
proxyPass = "http://[::1]:8008"; # without a trailing /
};
};
"element.mccarty.io" = {
enableACME = true;
forceSSL = true;
root = unstable.element-web;
};
};
};
services.matrix-synapse = {
enable = true;
settings = {
enable_registration = false;
server_name = "mccarty.io";
listeners = [
{
port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = false;
}
];
}
];
extraConfig = ''
ip_range_whitelist:
- '172.23.0.0/16'
registration_requires_token: true
'';
database.args = {
user = "matrix-synapse";
database = "synapse";
};
};
};
}

11
system-specific/oracles/minecraft.nix
View File

@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
{
# Webserver for hosting pack
services.nginx.virtualHosts."pack.forward-progress.net" = {
enableACME = true;
forceSSL = true;
locations."/".root = "/var/www/pack.forward-progress.net";
root = "/var/www/pack.forward-progress.net";
};
}

31
system-specific/perception/plex.nix
View File

@ -1,31 +0,0 @@
{ config, pkgs, ... }:
{
services.plex =
let
myPlexRaw = pkgs.plexRaw.overrideAttrs (x:
let
# see https://www.plex.tv/media-server-downloads/ for 64bit rpm
version = "1.26.1.5798-99a4a6ac9";
hash = "sha256-Chu4IULIvkmfMEV0LSg50i6usZJZI3UWOgCHQakbhaY=";
in
{
name = "plex-${version}";
src = pkgs.fetchurl {
url = "https://downloads.plex.tv/plex-media-server-new/${version}/debian/plexmediaserver_${version}_amd64.deb";
inherit hash;
};
}
);
myPlex = pkgs.plex.override (x: { plexRaw = myPlexRaw; });
in
{
enable = true;
openFirewall = true;
dataDir = "/var/lib/plex";
user = "nathan";
group = "users";
package = myPlex;
};
services.tautulli.enable = true;
}