my nix configs for my servers and desktop



-10
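--- a/README.md
+++ b/README.md
@@ -35,16 +35,6 @@
 - Vaultwarden password manager
 - Beszel
 
-### 🥧 Morax (Raspberry Pi 4)
-**Hardware**: Raspberry Pi 4
-
-**Services**:
-- Pi-hole DNS filtering
-- Speedtest monitoring (every 10 minutes)
-- Headscale connection
-
-**Notes**: Direct gigabit connection from router - looking to add more services to utilize bandwidth
-
 ### 🍎 Gabriel
 **Hardware**: M4 16gb Mac Mini
 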
+8
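--- /dev/null
+++ b/common/bluetooth.nix
@@ -0,0 +1,8 @@
+{ config, lib ,... }:
+
+{
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+
+  services.blueman.enable = true;
+}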
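Review bot: The module header `{ config, lib ,... }:` binds `config` and `lib` but nothing in the body reads either, and the space before the comma reads as a typo. Since the module only sets options, `{ ... }:` is sufficient; if the arguments are kept for later use, the conventional spelling is `{ config, lib, ... }:`.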
+17 -2
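--- a/common/desktop/core.nix
+++ b/common/desktop/core.nix
@@ -5,11 +5,26 @@
     #ghostty
     kitty
     vscode
-    inputs.zen-browser.packages."${system}".default
     fastfetch
     hyfetch
     sway-contrib.grimshot
-    discord
+    pamixer
+
+    firefox
+    chromium
+    kpcli
+    eyedropper
+    krita
+    xfce.thunar
+    libreoffice
+    signal-desktop
+    haruna
+
+    inputs.zen-browser.packages."${system}".default
+  ];
+
+  fonts.packages = [
+    pkgs.nerd-fonts.fira-code
   ];
 
   environment.sessionVariables.NIXOS_OZONE_WL = "1";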
+3
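--- a/common/desktop/sway.nix
+++ b/common/desktop/sway.nix
@@ -17,9 +17,12 @@
     mako
   ];
 
+  services.dbus.enable = true;
+
   programs.sway = {
     enable = true;
     wrapperFeatures.gtk = true;
+    package = pkgs.swayfx;
   };
 
   environment.sessionVariables = {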
+2 -2
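--- a/common/desktop/vnc.nix
+++ b/common/desktop/vnc.nix
@@ -2,8 +2,8 @@
 
 {
   services.xserver.enable = true;
-  services.xserver.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.plasma5.enable = true;
+  services.displayManager.sddm.enable = true;
+  services.desktopManager.plasma6.enable = true;
 
   services.xrdp.enable = true;
   services.xrdp.defaultWindowManager = "startplasma-x11";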
+1 -1
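--- a/common/nvidia.nix
+++ b/common/nvidia.nix
@@ -31,7 +31,7 @@
     # supported GPUs is at:
     # https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
     # Only available from driver 515.43.04+
-    open = false;
+    open = true;
 
     # Enable the Nvidia settings menu,
     # accessible via `nvidia-settings`.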
+67
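--- /dev/null
+++ b/common/python-cuda-dev.nix
@@ -0,0 +1,67 @@
+{
+  description = "A Nix-flake-based PyTorch development environment";
+
+  # CUDA binaries are cached by the community.
+  nixConfig = {
+    extra-substituters = [
+      "https://nix-community.cachix.org"
+    ];
+    extra-trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
+
+  inputs.nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1.*.tar.gz";
+
+  outputs = {
+    self,
+    nixpkgs,
+  }: let
+    supportedSystems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];
+    forEachSupportedSystem = f:
+      nixpkgs.lib.genAttrs supportedSystems (system:
+        f {
+          pkgs = import nixpkgs {
+            inherit system;
+            config.allowUnfree = true;
+          };
+        });
+  in {
+    devShells = forEachSupportedSystem ({pkgs}: let
+      libs = [
+        # PyTorch and Numpy depends on the following libraries.
+        pkgs.cudaPackages.cudatoolkit
+        pkgs.cudaPackages.cudnn
+        pkgs.stdenv.cc.cc.lib
+        pkgs.zlib
+
+        # PyTorch also needs to know where your local "lib/libcuda.so" lives.
+        # If you're not on NixOS, you should provide the right path (likely
+        # another one).
+        "/run/opengl-driver"
+      ];
+    in {
+      default = pkgs.mkShell {
+        packages = [
+          pkgs.python312
+          pkgs.python312Packages.venvShellHook
+        ];
+
+        env = {
+          CC = "${pkgs.gcc}/bin/gcc"; # For `torch.compile`.
+          LD_LIBRARY_PATH = pkgs.lib.makeLibraryPath libs;
+        };
+
+        venvDir = ".venv";
+        postVenvCreation = ''
+          # This is run only when creating the virtual environment.
+          pip install torch==2.5.1 numpy==2.2.2
+        '';
+        postShellHook = ''
+          # This is run every time you enter the devShell.
+          python3 -c "import torch; print('CUDA available' if torch.cuda.is_available() else 'CPU only')"
+        '';
+      };
+    });
+  };
+}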
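Review bot: `postVenvCreation` installs `torch==2.5.1 numpy==2.2.2` with version pins only, so what lands in `.venv` is whatever PyPI serves when the venv is first created, with no integrity check, which undercuts the reproducibility that the locked flake inputs and the `nixConfig` substituter key otherwise provide. Generating a requirements file with `--hash` entries for those two pins and running `pip install --require-hashes -r requirements.txt` in that hook closes the gap. Separately, Nix only evaluates flake definitions from a file named `flake.nix`, so as far as I can tell the `description`/`inputs`/`outputs` here are inert until the file is copied or linked into a project directory under that name; a one-line comment at the top stating how it is meant to be used would save the next reader that discovery.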
+8 -1
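--- a/common/services.nix
+++ b/common/services.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
   # system packages + services
   environment.systemPackages = with pkgs; [
@@ -15,10 +15,17 @@
     zfs
     nixos-generators
     sqlite
+    bun
+    unzip
   ];
 
   services.openssh.enable = true;
   services.printing.enable = true;
   services.tailscale.enable = true;
   services.tailscale.useRoutingFeatures = "both";
+  services.tailscale.authKeyFile = lib.mkIf (config ? age && config.age ? secrets)
+    config.age.secrets."headscale-authkey".path;
+  services.tailscale.extraUpFlags = [
+    "--login-server=https://headscale.nekomimi.pet"
+  ];
 }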
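Review bot: The `lib.mkIf` guard on the new `services.tailscale.authKeyFile` line checks that `config.age.secrets` exists but not that the `headscale-authkey` entry is declared, so a host that imports this common module without host-secrets.nix fails evaluation with a missing-attribute error on `config.age.secrets."headscale-authkey"` instead of taking the fallback the guard is there for. Tightening the condition keeps the intent: `services.tailscale.authKeyFile = lib.mkIf (config ? age && config.age ? secrets && config.age.secrets ? "headscale-authkey")`. A short comment above it, such as `# only auto-enrol when the host declares the headscale pre-auth secret`, would make the guard's purpose explicit to the next reader.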
+253 -45
flake.lock
··· 8 8 "systems": "systems" 9 9 }, 10 10 "locked": { 11 - "lastModified": 1747575206, 12 - "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", 11 + "lastModified": 1760836749, 12 + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", 13 13 "owner": "ryantm", 14 14 "repo": "agenix", 15 - "rev": "4835b1dc898959d8547a871ef484930675cb47f1", 15 + "rev": "2f0f812f69f3eb4140157fe15e12739adf82e32a", 16 16 "type": "github" 17 17 }, 18 18 "original": { ··· 26 26 "nixpkgs": "nixpkgs_2" 27 27 }, 28 28 "locked": { 29 - "lastModified": 1748080874, 30 - "narHash": "sha256-sUebEzAkrY8Aq5G0GHFyRddmRNGP/a2iTtV7ISNvi/c=", 29 + "lastModified": 1760953099, 30 + "narHash": "sha256-sOKx2YcHa+lWEvaEOIGqLN2WWk1Wf5z6KM02tdfhMtw=", 31 31 "owner": "catppuccin", 32 32 "repo": "nix", 33 - "rev": "0ba11b12be81f0849a89ed17ab635164ea8f0112", 33 + "rev": "f5b21876888265d2fee7fb0640d1b66a1c1c6503", 34 34 "type": "github" 35 35 }, 36 36 "original": { ··· 61 61 "type": "github" 62 62 } 63 63 }, 64 + "disko": { 65 + "inputs": { 66 + "nixpkgs": "nixpkgs_3" 67 + }, 68 + "locked": { 69 + "lastModified": 1736864502, 70 + "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=", 71 + "owner": "nix-community", 72 + "repo": "disko", 73 + "rev": "0141aabed359f063de7413f80d906e1d98c0c123", 74 + "type": "github" 75 + }, 76 + "original": { 77 + "owner": "nix-community", 78 + "ref": "v1.11.0", 79 + "repo": "disko", 80 + "type": "github" 81 + } 82 + }, 83 + "flake-compat": { 84 + "locked": { 85 + "lastModified": 1696426674, 86 + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", 87 + "owner": "edolstra", 88 + "repo": "flake-compat", 89 + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", 90 + "type": "github" 91 + }, 92 + "original": { 93 + "owner": "edolstra", 94 + "repo": "flake-compat", 95 + "type": "github" 96 + } 97 + }, 64 98 "flake-utils": { 65 99 "inputs": { 66 100 "systems": "systems_2" ··· 84 118 "systems": "systems_3" 85 119 }, 86 120 "locked": { 121 + 
"lastModified": 1731533236, 122 + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", 123 + "owner": "numtide", 124 + "repo": "flake-utils", 125 + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", 126 + "type": "github" 127 + }, 128 + "original": { 129 + "owner": "numtide", 130 + "repo": "flake-utils", 131 + "type": "github" 132 + } 133 + }, 134 + "flake-utils_3": { 135 + "inputs": { 136 + "systems": "systems_5" 137 + }, 138 + "locked": { 87 139 "lastModified": 1681202837, 88 140 "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", 89 141 "owner": "numtide", ··· 140 192 ] 141 193 }, 142 194 "locked": { 143 - "lastModified": 1748737919, 144 - "narHash": "sha256-5kvBbLYdp+n7Ftanjcs6Nv+UO6sBhelp6MIGJ9nWmjQ=", 195 + "lastModified": 1761235135, 196 + "narHash": "sha256-cux9xeceLIER1lBxUa1gMafkz7gg5ntcUmJBynWdBWI=", 145 197 "owner": "nix-community", 146 198 "repo": "home-manager", 147 - "rev": "5675a9686851d9626560052a032c4e14e533c1fa", 199 + "rev": "0adf9ba3f567da2d53af581a857aacf671aaa547", 148 200 "type": "github" 149 201 }, 150 202 "original": { ··· 161 213 ] 162 214 }, 163 215 "locked": { 164 - "lastModified": 1743604125, 165 - "narHash": "sha256-ZD61DNbsBt1mQbinAaaEqKaJk2RFo9R/j+eYWeGMx7A=", 216 + "lastModified": 1752603129, 217 + "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=", 166 218 "owner": "nix-community", 167 219 "repo": "home-manager", 168 - "rev": "180fd43eea296e62ae68e079fcf56aba268b9a1a", 220 + "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b", 169 221 "type": "github" 170 222 }, 171 223 "original": { ··· 177 229 "lix": { 178 230 "flake": false, 179 231 "locked": { 180 - "lastModified": 1746827285, 181 - "narHash": "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=", 182 - "rev": "47aad376c87e2e65967f17099277428e4b3f8e5a", 232 + "lastModified": 1753223229, 233 + "narHash": "sha256-tkT4aCZZE6IEmjYotOzKKa2rV3pGpH3ZREeQn7ACgdU=", 234 + "rev": "7ac20fc47cf2f1b7469c7a2f379e5a3a51a6789a", 183 235 "type": 
"tarball", 184 - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?rev=47aad376c87e2e65967f17099277428e4b3f8e5a" 236 + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/7ac20fc47cf2f1b7469c7a2f379e5a3a51a6789a.tar.gz?rev=7ac20fc47cf2f1b7469c7a2f379e5a3a51a6789a" 185 237 }, 186 238 "original": { 187 239 "type": "tarball", 188 - "url": "https://git.lix.systems/lix-project/lix/archive/2.93.0.tar.gz" 240 + "url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz" 189 241 } 190 242 }, 191 243 "lix-module": { ··· 198 250 ] 199 251 }, 200 252 "locked": { 201 - "lastModified": 1746838955, 202 - "narHash": "sha256-11R4K3iAx4tLXjUs+hQ5K90JwDABD/XHhsM9nkeS5N8=", 203 - "rev": "cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc", 253 + "lastModified": 1753282722, 254 + "narHash": "sha256-KYMUrTV7H/RR5/HRnjV5R3rRIuBXMemyJzTLi50NFTs=", 255 + "rev": "46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873", 204 256 "type": "tarball", 205 - "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz" 257 + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873.tar.gz?rev=46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873" 206 258 }, 207 259 "original": { 208 260 "type": "tarball", 209 - "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz" 261 + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.3-1.tar.gz" 262 + } 263 + }, 264 + "microvm": { 265 + "inputs": { 266 + "flake-utils": "flake-utils_2", 267 + "nixpkgs": [ 268 + "nixpkgs" 269 + ], 270 + "spectrum": "spectrum" 271 + }, 272 + "locked": { 273 + "lastModified": 1760574296, 274 + "narHash": "sha256-S3gIp6Wd9vQ2RYDxcbHM2CIYgDtogbwzSdu38WABKaQ=", 275 + "owner": "astro", 276 + "repo": "microvm.nix", 277 + "rev": "42628f7c61b02d385ce2cb1f66f9be333ac20140", 278 + "type": "github" 279 + }, 
280 + "original": { 281 + "owner": "astro", 282 + "repo": "microvm.nix", 283 + "type": "github" 210 284 } 211 285 }, 212 286 "nixos-hardware": { 213 287 "locked": { 214 - "lastModified": 1748942041, 215 - "narHash": "sha256-HEu2gTct7nY0tAPRgBtqYepallryBKR1U8B4v2zEEqA=", 288 + "lastModified": 1760958188, 289 + "narHash": "sha256-2m1S4jl+GEDtlt2QqeHil8Ny456dcGSKJAM7q3j/BFU=", 216 290 "owner": "nixos", 217 291 "repo": "nixos-hardware", 218 - "rev": "fc7c4714125cfaa19b048e8aaf86b9c53e04d853", 292 + "rev": "d6645c340ef7d821602fd2cd199e8d1eed10afbc", 219 293 "type": "github" 220 294 }, 221 295 "original": { ··· 227 301 }, 228 302 "nixpkgs": { 229 303 "locked": { 230 - "lastModified": 1745391562, 231 - "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", 304 + "lastModified": 1754028485, 305 + "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", 232 306 "owner": "NixOS", 233 307 "repo": "nixpkgs", 234 - "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", 308 + "rev": "59e69648d345d6e8fef86158c555730fa12af9de", 235 309 "type": "github" 236 310 }, 237 311 "original": { 238 312 "owner": "NixOS", 239 - "ref": "nixos-unstable", 313 + "ref": "nixos-25.05", 240 314 "repo": "nixpkgs", 241 315 "type": "github" 242 316 } 243 317 }, 318 + "nixpkgs-stable": { 319 + "locked": { 320 + "lastModified": 1748437600, 321 + "narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=", 322 + "owner": "NixOS", 323 + "repo": "nixpkgs", 324 + "rev": "7282cb574e0607e65224d33be8241eae7cfe0979", 325 + "type": "github" 326 + }, 327 + "original": { 328 + "id": "nixpkgs", 329 + "ref": "nixos-25.05", 330 + "type": "indirect" 331 + } 332 + }, 333 + "nixpkgs-unstable": { 334 + "locked": { 335 + "lastModified": 1723637854, 336 + "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=", 337 + "owner": "NixOS", 338 + "repo": "nixpkgs", 339 + "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9", 340 + "type": "github" 341 + }, 342 + "original": { 343 + "id": "nixpkgs", 344 + 
"ref": "nixos-unstable", 345 + "type": "indirect" 346 + } 347 + }, 244 348 "nixpkgs_2": { 245 349 "locked": { 246 - "lastModified": 1744463964, 247 - "narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=", 350 + "lastModified": 1760524057, 351 + "narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=", 248 352 "owner": "NixOS", 249 353 "repo": "nixpkgs", 250 - "rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650", 354 + "rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5", 251 355 "type": "github" 252 356 }, 253 357 "original": { ··· 259 363 }, 260 364 "nixpkgs_3": { 261 365 "locked": { 262 - "lastModified": 1748162331, 263 - "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=", 366 + "lastModified": 1736241350, 367 + "narHash": "sha256-CHd7yhaDigUuJyDeX0SADbTM9FXfiWaeNyY34FL1wQU=", 368 + "owner": "NixOS", 369 + "repo": "nixpkgs", 370 + "rev": "8c9fd3e564728e90829ee7dbac6edc972971cd0f", 371 + "type": "github" 372 + }, 373 + "original": { 374 + "owner": "NixOS", 375 + "ref": "nixpkgs-unstable", 376 + "repo": "nixpkgs", 377 + "type": "github" 378 + } 379 + }, 380 + "nixpkgs_4": { 381 + "locked": { 382 + "lastModified": 1761016216, 383 + "narHash": "sha256-G/iC4t/9j/52i/nm+0/4ybBmAF4hzR8CNHC75qEhjHo=", 264 384 "owner": "nixos", 265 385 "repo": "nixpkgs", 266 - "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334", 386 + "rev": "481cf557888e05d3128a76f14c76397b7d7cc869", 267 387 "type": "github" 268 388 }, 269 389 "original": { ··· 273 393 "type": "github" 274 394 } 275 395 }, 276 - "nixpkgs_4": { 396 + "nixpkgs_5": { 277 397 "locked": { 278 398 "lastModified": 1682134069, 279 399 "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", ··· 287 407 "type": "indirect" 288 408 } 289 409 }, 410 + "proxmox-nixos": { 411 + "inputs": { 412 + "flake-compat": "flake-compat", 413 + "nixpkgs-stable": "nixpkgs-stable", 414 + "nixpkgs-unstable": "nixpkgs-unstable", 415 + "utils": "utils" 416 + }, 417 + "locked": { 418 + "lastModified": 1758650077, 419 + 
"narHash": "sha256-ZeRtJimtk0Faiq7DPZEQNGipda3TaR4QXp0TAzu934Q=", 420 + "owner": "SaumonNet", 421 + "repo": "proxmox-nixos", 422 + "rev": "ce8768f43b4374287cd8b88d8fa9c0061e749d9a", 423 + "type": "github" 424 + }, 425 + "original": { 426 + "owner": "SaumonNet", 427 + "repo": "proxmox-nixos", 428 + "type": "github" 429 + } 430 + }, 290 431 "root": { 291 432 "inputs": { 292 433 "agenix": "agenix", 293 434 "catppuccin": "catppuccin", 435 + "disko": "disko", 294 436 "home-manager": "home-manager_2", 295 437 "lix-module": "lix-module", 438 + "microvm": "microvm", 296 439 "nixos-hardware": "nixos-hardware", 297 - "nixpkgs": "nixpkgs_3", 440 + "nixpkgs": "nixpkgs_4", 441 + "proxmox-nixos": "proxmox-nixos", 298 442 "vscode-server": "vscode-server", 299 443 "zen-browser": "zen-browser" 300 444 } 301 445 }, 446 + "spectrum": { 447 + "flake": false, 448 + "locked": { 449 + "lastModified": 1759482047, 450 + "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=", 451 + "ref": "refs/heads/main", 452 + "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9", 453 + "revCount": 996, 454 + "type": "git", 455 + "url": "https://spectrum-os.org/git/spectrum" 456 + }, 457 + "original": { 458 + "type": "git", 459 + "url": "https://spectrum-os.org/git/spectrum" 460 + } 461 + }, 302 462 "systems": { 303 463 "locked": { 304 464 "lastModified": 1681028828, ··· 344 504 "type": "github" 345 505 } 346 506 }, 507 + "systems_4": { 508 + "locked": { 509 + "lastModified": 1681028828, 510 + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 511 + "owner": "nix-systems", 512 + "repo": "default", 513 + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 514 + "type": "github" 515 + }, 516 + "original": { 517 + "owner": "nix-systems", 518 + "repo": "default", 519 + "type": "github" 520 + } 521 + }, 522 + "systems_5": { 523 + "locked": { 524 + "lastModified": 1681028828, 525 + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 526 + "owner": "nix-systems", 527 + "repo": 
"default", 528 + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 529 + "type": "github" 530 + }, 531 + "original": { 532 + "owner": "nix-systems", 533 + "repo": "default", 534 + "type": "github" 535 + } 536 + }, 537 + "utils": { 538 + "inputs": { 539 + "systems": "systems_4" 540 + }, 541 + "locked": { 542 + "lastModified": 1710146030, 543 + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", 544 + "owner": "numtide", 545 + "repo": "flake-utils", 546 + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", 547 + "type": "github" 548 + }, 549 + "original": { 550 + "owner": "numtide", 551 + "repo": "flake-utils", 552 + "type": "github" 553 + } 554 + }, 347 555 "vscode-server": { 348 556 "inputs": { 349 - "flake-utils": "flake-utils_2", 350 - "nixpkgs": "nixpkgs_4" 557 + "flake-utils": "flake-utils_3", 558 + "nixpkgs": "nixpkgs_5" 351 559 }, 352 560 "locked": { 353 - "lastModified": 1729422940, 354 - "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=", 561 + "lastModified": 1753541826, 562 + "narHash": "sha256-foGgZu8+bCNIGeuDqQ84jNbmKZpd+JvnrL2WlyU4tuU=", 355 563 "owner": "nix-community", 356 564 "repo": "nixos-vscode-server", 357 - "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f", 565 + "rev": "6d5f074e4811d143d44169ba4af09b20ddb6937d", 358 566 "type": "github" 359 567 }, 360 568 "original": { ··· 371 579 ] 372 580 }, 373 581 "locked": { 374 - "lastModified": 1748742977, 375 - "narHash": "sha256-xacIevJ94ZOlNLOcFOAm3PiV7zXZr4G8FD7sJ9jKuz4=", 582 + "lastModified": 1761180075, 583 + "narHash": "sha256-V4WLeUQ4gCGZiVihlXWBOZ/1FNcL0jM4zgTY1haJLvY=", 376 584 "owner": "0xc000022070", 377 585 "repo": "zen-browser-flake", 378 - "rev": "a9d3d70bc49c513a6e48ab24e279e014ab463bc6", 586 + "rev": "771a2604606905d8c0ffe3b818dc2cc5bd1405d8", 379 587 "type": "github" 380 588 }, 381 589 "original": {
+36 -34
flake.nix
··· 4 4 nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; 5 5 nixos-hardware.url = "github:nixos/nixos-hardware/master"; 6 6 7 + proxmox-nixos.url = "github:SaumonNet/proxmox-nixos"; 8 + 7 9 lix-module = { 8 - url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"; 10 + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.3-1.tar.gz"; 9 11 inputs.nixpkgs.follows = "nixpkgs"; 10 12 }; 11 13 ··· 15 17 url = "github:0xc000022070/zen-browser-flake"; 16 18 inputs.nixpkgs.follows = "nixpkgs"; 17 19 }; 18 - #microvm.url = "github:astro/microvm.nix"; 19 - #microvm.inputs.nixpkgs.follows = "nixpkgs"; 20 + microvm.url = "github:astro/microvm.nix"; 21 + microvm.inputs.nixpkgs.follows = "nixpkgs"; 22 + 23 + disko.url = "github:nix-community/disko/v1.11.0"; 20 24 21 25 catppuccin.url = "github:catppuccin/nix"; 22 26 home-manager = { ··· 45 49 system = "x86_64-linux"; 46 50 }; 47 51 modules = [ 52 + agenix.nixosModules.default 53 + 48 54 ./hosts/focalor 49 55 lix-module.nixosModules.default 50 - 51 - /*microvm.nixosModules.host 52 - { 53 - microvm.autostart = [ 54 - "windows" 55 - ]; 56 - }*/ 57 - 58 56 vscode-server.nixosModules.default 59 - agenix.nixosModules.default 60 - 61 57 catppuccin.nixosModules.catppuccin 62 - 63 58 home-manager.nixosModules.home-manager 64 59 { 65 60 home-manager.useGlobalPkgs = true; ··· 73 68 system = "x86_64-linux"; 74 69 }; 75 70 } 71 + 72 + { imports = builtins.attrValues nixosModules; } 76 73 ]; 77 74 }; 78 75 ··· 83 80 system = "x86_64-linux"; 84 81 }; 85 82 modules = [ 83 + agenix.nixosModules.default 84 + 86 85 ./hosts/valefar 87 86 lix-module.nixosModules.default 88 - 89 87 vscode-server.nixosModules.default 90 - agenix.nixosModules.default 88 + 89 + proxmox-nixos.nixosModules.proxmox-ve 90 + 91 + ({ pkgs, lib, ... 
}: { 92 + services.proxmox-ve = { 93 + enable = true; 94 + ipAddress = "10.0.0.30"; 95 + }; 96 + 97 + nixpkgs.overlays = [ 98 + proxmox-nixos.overlays.x86_64-linux 99 + ]; 100 + }) 91 101 92 102 { imports = builtins.attrValues nixosModules; } 93 103 ]; ··· 103 113 ./hosts/buer 104 114 105 115 agenix.nixosModules.default 116 + 117 + { imports = builtins.attrValues nixosModules; } 106 118 ]; 107 119 }; 108 120 109 - morax = nixpkgs.lib.nixosSystem { 121 + baal = nixpkgs.lib.nixosSystem { 110 122 system = "aarch64-linux"; 111 123 specialArgs = { 112 124 inherit inputs; 113 125 system = "aarch64-linux"; 114 126 }; 115 127 modules = [ 116 - ./hosts/morax 117 - nixos-hardware.nixosModules.raspberry-pi-4 118 - 128 + ./hosts/baal 129 + 119 130 agenix.nixosModules.default 131 + disko.nixosModules.disko 132 + 133 + { imports = builtins.attrValues nixosModules; } 134 + 120 135 ]; 121 136 }; 122 - 123 - 124 - # Easy to add more hosts 125 - /* 126 - server2 = nixpkgs.lib.nixosSystem { 127 - system = "x86_64-linux"; 128 - modules = [ 129 - ./hosts/server2 130 - agenix.nixosModules.default 131 - # different services for server2 132 - ]; 133 - }; 134 - */ 135 137 }; 136 138 }; 137 - } 139 + }
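Review bot: The inline module added for valefar fixes `ipAddress = "10.0.0.30"` and `proxmox-nixos.overlays.x86_64-linux` inside flake.nix, while every other host keeps its settings under hosts/<name>; moving this module into hosts/valefar/default.nix keeps the flake to wiring and, if `inputs` and `system` are passed through `specialArgs` for valefar as they are for baal, lets the overlay become `inputs.proxmox-nixos.overlays.${system}`. `proxmox-nixos.url = "github:SaumonNet/proxmox-nixos"` carries no ref, unlike the `disko` input pinned to `v1.11.0`, so each lock update follows whatever the default branch holds; if that project tags releases, pinning one makes updates deliberate. The `nixosSystem` call for valefar begins before this hunk.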
+81 -13
home/regent/home.nix
··· 1 - { config, pkgs, system, inputs, ... }: 1 + { config, pkgs, system, inputs, lib, ... }: 2 2 3 3 { 4 4 home.username = "regent"; ··· 13 13 };*/ 14 14 ghostty.enable = true; 15 15 ghostty.flavor = "mocha"; 16 + nvim.enable = true; 17 + nvim.flavor = "mocha"; 16 18 }; 17 19 18 20 programs.ghostty.enable = true; ··· 21 23 theme = "catppuccin-mocha"; 22 24 }; 23 25 24 - home.pointerCursor = { 26 + programs.neovim.enable = true; 27 + programs.neovim = { 28 + extraPackages = with pkgs; [ 29 + lua-language-server 30 + stylua 31 + ripgrep 32 + ]; 33 + 34 + plugins = with pkgs.vimPlugins; [ 35 + lazy-nvim 36 + ]; 37 + }; 38 + 39 + home.pointerCursor = { 25 40 gtk.enable = true; 26 41 package = pkgs.phinger-cursors; 27 42 name = "Phinger-cursors-light"; ··· 61 76 62 77 63 78 * { 64 - font-family: FantasqueSansMono Nerd Font; 79 + font-family: 'Fira Code', monospace; 65 80 font-size: 17px; 66 81 min-height: 0; 67 82 } ··· 71 86 margin: 0px; 72 87 border: 0px; 73 88 /*background-color:rgb(0, 0, 0);*/ 74 - background-color: rgba(0, 0, 0, 0.9); 89 + background-color: @base; 75 90 color: @text; 76 91 } 77 92 ··· 82 97 #workspaces { 83 98 border-radius: 1rem; 84 99 margin: 5px; 85 - background-color: @surface0; 86 100 margin-left: 1rem; 101 + background-color: rgba(0, 0, 0, 0.21); 87 102 } 88 - 89 103 90 104 #workspaces button { 91 105 color: @lavender; ··· 96 110 #workspaces button.active { 97 111 color: @sky; 98 112 border-radius: 1rem; 113 + background-color: rgba(255, 255, 255, 0.5); 99 114 } 100 115 101 116 #workspaces button:hover { ··· 111 126 #pulseaudio, 112 127 #custom-lock, 113 128 #custom-power { 114 - background-color: @surface0; 115 129 padding: 0.5rem 1rem; 116 130 margin: 5px 0; 131 + color: @text; 117 132 } 118 133 119 134 #clock { 120 - color: @blue; 135 + color: @text; 121 136 border-radius: 0px 1rem 1rem 0px; 122 137 margin-right: 1rem; 123 138 } 124 - 125 139 ''; 126 140 settings = { 127 141 mainBar = { 128 142 layer = "top"; 129 143 position = "top"; 
130 - height = 34; 144 + mod = "dock"; 145 + exclusive = true; 146 + passthrough = false; 147 + #gtk-layer-shell = true; 148 + height = 0; 131 149 output = [ 132 150 "HDMI-A-1" 151 + "DP-3" 133 152 "DP-2" 134 153 ]; 135 - modules-left = [ "sway/workspaces" ]; 154 + modules-left = [ 155 + "sway/workspaces" 156 + ]; 136 157 modules-center = [ "sway/window" ]; 137 - modules-right = [ "clock" ]; 158 + modules-right = [ 159 + "pulseaudio" 160 + "clock" 161 + ]; 138 162 139 163 "sway/workspaces" = { 140 164 disable-scroll = true; 141 - sort-by-name = true; 165 + }; 166 + tray = { 167 + icon-size = 13; 168 + tooltip = false; 169 + spacing = 10; 170 + }; 171 + network = { 172 + format = "󰖩 {essid}"; 173 + format-disconnected = "󰖪 disconnected"; 174 + }; 175 + clock = { 176 + format = " {:%I:%M %p %m/%d} "; 177 + tooltip-format = '' 178 + <big>{:%Y %B}</big> 179 + <tt><small>{calendar}</small></tt>''; 180 + }; 181 + 182 + pulseaudio = { 183 + format = "{icon} {volume}%"; 184 + tooltip = false; 185 + format-muted = " Muted"; 186 + on-click = "pamixer -t"; 187 + on-scroll-up = "pamixer -i 5"; 188 + on-scroll-down = "pamixer -d 5"; 189 + scroll-step = 5; 190 + format-icons = { 191 + headphone = ""; 192 + hands-free = ""; 193 + headset = ""; 194 + phone = ""; 195 + portable = ""; 196 + car = ""; 197 + default = [ "" "" "" ]; 198 + }; 199 + }; 200 + 201 + "pulseaudio#microphone" = { 202 + format = "{format_source}"; 203 + tooltip = false; 204 + format-source = " {volume}%"; 205 + format-source-muted = " Muted"; 206 + on-click = "pamixer --default-source -t"; 207 + on-scroll-up = "pamixer --default-source -i 5"; 208 + on-scroll-down = "pamixer --default-source -d 5"; 209 + scroll-step = 5; 142 210 }; 143 211 }; 144 212 };
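Review bot: `mod = "dock";` in the waybar `mainBar` settings is not a waybar option; the key is `mode` (accepting `dock`, `hide`, `invisible`, `overlay`), so as written it is ignored and the bar keeps the default mode, which is probably not what the neighbouring `exclusive = true;` and `passthrough = false;` were tuned for. Change it to `mode = "dock";`. The `network` and `"pulseaudio#microphone"` blocks are configured but neither appears in `modules-left`, `modules-center` or `modules-right`, so they never render; either list them or drop the dead config so the next reader does not hunt for why they are missing.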
+7
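--- a/host-secrets.nix
+++ b/host-secrets.nix
@@ -31,5 +31,12 @@
       group = "garage";
       mode = "0400";
     };
+
+    "headscale-authkey" = {
+      file = ./secrets/headscale-authkey.age;
+      owner = "regent";
+      group = "users";
+      mode = "0400";
+    };
   };
 }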
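Review bot: The new `headscale-authkey` secret is decrypted with `owner = "regent"; group = "users";`, yet its only consumer visible in this change is `services.tailscale.authKeyFile` in common/services.nix, and tailscaled runs as root, so the ownership does not serve the daemon and only widens who can read a key that enrols machines into the tailnet to any session running as `regent`. Unless an interactive workflow under that user needs it, `owner = "root"; group = "root";` with the existing `mode = "0400";` limits it to the daemon. A comment on the entry naming the consumer, e.g. `# read by tailscaled via services.tailscale.authKeyFile`, would make the intended ownership reviewable.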
+58
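--- /dev/null
+++ b/hosts/baal/default.nix
@@ -0,0 +1,58 @@
+{ config, lib, pkgs, modulesPath, inputs, ... }:
+{
+  imports = [
+    ./hardware.nix
+    ./secrets.nix
+
+    ../../common/system.nix
+    ../../common/users.nix
+    ../../common/services.nix
+
+    ../../host-secrets.nix
+  ];
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi = {
+        canTouchEfiVariables = true;
+        efiSysMountPoint = "/boot";
+      };
+    };
+    initrd.systemd.enable = true;
+  };
+
+  system.stateVersion = "24.11";
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+
+  systemd.targets.multi-user.enable = true;
+
+  networking = {
+    hostName = "baal";
+    hostId = "aaaaaaaa";
+    networkmanager.enable = true;
+  };
+
+  services.fail2ban = {
+    enable = true;
+    # Ban IP after 5 failures
+    maxretry = 5;
+    ignoreIP = [
+      "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"
+    ];
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+  };
+
+  virtualisation.docker = {
+    enable = true;
+    enableOnBoot = true;
+  };
+
+  documentation.enable = false;
+}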
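Review bot: `hostId = "aaaaaaaa"` reads as a placeholder; the host imports common/services.nix, which installs `zfs`, and ZFS stamps the hostId into any pool created here, so a value shared with another machine makes pools refuse to import elsewhere and defeats the multi-host-import protection the id exists for. Generate a per-host value (the NixOS manual suggests the first eight hex digits of /etc/machine-id) and annotate it with `# unique per host; ZFS refuses to import pools stamped with a foreign hostId`. The `services.fail2ban` block is byte-identical to the one added in hosts/buer/default.nix; a shared common/fail2ban.nix imported by both would keep the two in step when the thresholds change.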
+55
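--- /dev/null
+++ b/hosts/baal/hardware.nix
@@ -0,0 +1,55 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/sda";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}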
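Review bot: The file keeps the generated-file header ("Do not modify this file! It was generated by ‘nixos-generate-config’ and may be overwritten") but now also carries the hand-written `disko.devices` block, which is exactly what a later `nixos-generate-config` run would silently drop, and losing a disk layout is the kind of change that only shows up at the next reinstall. Move the disko layout into its own `disko.nix` imported from default.nix, or remove the header so the file is clearly hand-maintained. `device = "/dev/sda"` is also a kernel-enumeration name that can shift between boots on a virtio-scsi guest; disko accepts a `/dev/disk/by-id/...` or `/dev/disk/by-path/...` link, which is more stable and worth a comment saying which disk it is meant to be.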
+3
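--- /dev/null
+++ b/hosts/baal/secrets.nix
@@ -0,0 +1,3 @@
+{
+
+}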
+105 -44
hosts/buer/default.nix
··· 1 - # hosts/valefar/configuration.nix (or default.nix) 1 + # hosts/buer/configuration.nix (or default.nix) 2 2 { config, lib, pkgs, modulesPath, inputs, ... }: 3 - 4 3 { 4 + # ============================================================================= 5 + # IMPORTS 6 + # ============================================================================= 5 7 imports = [ 6 8 # Host-specific hardware 7 9 ./hardware.nix ··· 12 14 ../../common/users.nix 13 15 ../../common/services.nix 14 16 15 - 16 17 # Common secrets 17 18 ../../host-secrets.nix 18 19 ]; 19 20 21 + # ============================================================================= 22 + # SYSTEM CONFIGURATION 23 + # ============================================================================= 20 24 system.stateVersion = "24.11"; 25 + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 26 + 27 + # Intel microcode updates 28 + hardware.cpu.intel.updateMicrocode = lib.mkDefault 29 + config.hardware.enableRedistributableFirmware; 30 + 31 + # ============================================================================= 32 + # CUSTOM MODULES 33 + # ============================================================================= 21 34 modules.garage.enable = true; 35 + modules.seaweedfs.clusters.default = { 36 + package = pkgs.seaweedfs; 22 37 23 - # pin host platform & microcode 24 - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 25 - hardware.cpu.intel.updateMicrocode = lib.mkDefault 26 - config.hardware.enableRedistributableFirmware; 38 + masters.main = { 39 + openFirewall = true; 40 + ip = "fs.nkp.pet"; 41 + volumePreallocate = true; 42 + 43 + defaultReplication = { 44 + dataCenter = 0; 45 + rack = 0; 46 + server = 0; 47 + }; 48 + }; 49 + }; 50 + 51 + # ============================================================================= 52 + # BOOT CONFIGURATION 53 + # ============================================================================= 54 + boot.loader.grub = { 55 + enable = true; 56 + device = 
"/dev/vda"; 57 + }; 27 58 28 - boot.loader.grub.enable = true; 29 - boot.loader.grub.device = "/dev/vda"; 59 + # ============================================================================= 60 + # NETWORKING 61 + # ============================================================================= 62 + networking = { 63 + hostName = "buer"; 64 + hostId = "1418d29e"; 65 + firewall.enable = false; 66 + useDHCP = false; 67 + }; 30 68 31 - networking.hostName = "buer"; 32 - networking.hostId = "1418d29e"; 33 - networking.firewall.enable = false; 34 - networking.useDHCP = false; 35 - systemd.network.enable = true; 36 - systemd.network.networks."10-wan" = { 37 - matchConfig.Name = "ens3"; 38 - address = [ 39 - "103.251.165.107/24" 40 - "2a04:52c0:0135:48d1::2/48" 69 + services.fail2ban = { 70 + enable = true; 71 + # Ban IP after 5 failures 72 + maxretry = 5; 73 + ignoreIP = [ 74 + "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" 41 75 ]; 42 - gateway = [ 43 - "103.251.165.1" 44 - "2a04:52c0:0135::1" 45 - ]; 46 - dns = [ 47 - "2a01:6340:1:20:4::10" 48 - "2a04:52c0:130:2a5c::10" 49 - "185.31.172.240" 50 - "5.255.125.240" 51 - ]; 76 + bantime = "24h"; # Ban IPs for one day on the first ban 77 + bantime-increment = { 78 + enable = true; # Enable increment of bantime after each violation 79 + multipliers = "1 2 4 8 16 32 64"; 80 + maxtime = "168h"; # Do not ban for more than 1 week 81 + overalljails = true; # Calculate the bantime based on all the violations 82 + }; 52 83 }; 53 - 54 - #boot.supportedFilesystems = [ "zfs" ]; 55 - #boot.kernelModules = [ "nct6775" "coretemp" ]; 56 84 57 - #services.zfs.autoScrub.enable = true; 58 - #services.zfs.trim.enable = true; 59 - 60 - environment.systemPackages = with pkgs; [ 61 - #lm_sensors 62 - #code-server 63 - inputs.agenix.packages.x86_64-linux.default 64 - ]; 85 + # Static IP configuration via systemd-networkd 86 + systemd.network = { 87 + enable = true; 88 + networks."10-wan" = { 89 + matchConfig.Name = "ens3"; 90 + 
address = [ 91 + "103.251.165.107/24" 92 + "2a04:52c0:0135:48d1::2/48" 93 + ]; 94 + gateway = [ 95 + "103.251.165.1" 96 + "2a04:52c0:0135::1" 97 + ]; 98 + dns = [ 99 + "2a01:6340:1:20:4::10" 100 + "2a04:52c0:130:2a5c::10" 101 + "185.31.172.240" 102 + "5.255.125.240" 103 + ]; 104 + }; 105 + }; 65 106 107 + # ============================================================================= 108 + # VIRTUALIZATION 109 + # ============================================================================= 66 110 virtualisation.docker = { 67 111 enable = true; 68 112 enableOnBoot = true; 69 - package = pkgs.docker.override { 70 - buildGoModule = pkgs.buildGo123Module; 71 - }; 72 113 }; 73 - } 114 + 115 + # ============================================================================= 116 + # PACKAGES 117 + # ============================================================================= 118 + environment.systemPackages = with pkgs; [ 119 + inputs.agenix.packages.x86_64-linux.default 120 + ]; 121 + 122 + # ============================================================================= 123 + # COMMENTED OUT / DISABLED 124 + # ============================================================================= 125 + # ZFS support (not needed for this VPS) 126 + # boot.supportedFilesystems = [ "zfs" ]; 127 + # boot.kernelModules = [ "nct6775" "coretemp" ]; 128 + # services.zfs.autoScrub.enable = true; 129 + # services.zfs.trim.enable = true; 130 + 131 + # Additional packages (not needed) 132 + # lm_sensors 133 + # code-server 134 + }
-46
hosts/focalor/backup.nix
··· 1 - # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 - # and may be overwritten by future invocations. Please make changes 3 - # to /etc/nixos/configuration.nix instead. 4 - { config, lib, pkgs, modulesPath, ... }: 5 - 6 - { 7 - imports = 8 - [ (modulesPath + "/installer/scan/not-detected.nix") 9 - ]; 10 - 11 - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "sd_mod" ]; 12 - boot.initrd.kernelModules = [ 13 - "vfio" "vfio_iommu_type1" "vfio_pci" 14 - "nvidia" "nvidia-modeset" "nvidia_uvm" "nvidia_drm" 15 - ]; 16 - boot.kernelModules = [ "kvm-amd" ]; 17 - boot.kernelParams = [ 18 - "amd_iommu=on" 19 - "vfio-pci.ids=10de:2484,10de228b,1022:149c,15b7:5045" 20 - ]; 21 - boot.extraModulePackages = [ ]; 22 - 23 - fileSystems."/" = 24 - { device = "/dev/disk/by-uuid/2009b305-f22d-4d5c-a9d3-c49a2303232b"; 25 - fsType = "ext4"; 26 - }; 27 - 28 - fileSystems."/boot" = 29 - { device = "/dev/disk/by-uuid/E53C-502F"; 30 - fsType = "vfat"; 31 - options = [ "fmask=0077" "dmask=0077" ]; 32 - }; 33 - 34 - swapDevices = [ ]; 35 - 36 - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking 37 - # (the default) this is the recommended approach. When using systemd-networkd it's 38 - # still possible to use this option, but it's recommended to use it in conjunction 39 - # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. 40 - networking.useDHCP = lib.mkDefault true; 41 - # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true; 42 - # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true; 43 - 44 - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 45 - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 46 - }
+108 -43
hosts/focalor/default.nix
··· 1 - # hosts/valefar/configuration.nix (or default.nix) 1 + # hosts/focalor/configuration.nix (or default.nix) 2 2 { config, lib, system, pkgs, modulesPath, inputs, ... }: 3 - 4 3 { 4 + # ============================================================================= 5 + # IMPORTS 6 + # ============================================================================= 5 7 imports = [ 6 8 # Host-specific hardware 7 9 ./hardware.nix 8 10 ./secrets.nix 9 - #./vfio.nix 11 + ./vfio.nix 10 12 11 13 # Common modules shared across hosts 12 14 ../../common/system.nix 13 15 ../../common/users.nix 14 16 ../../common/services.nix 15 17 ../../common/efi.nix 16 - 18 + ../../common/bluetooth.nix 19 + 17 20 # Desktop modules 18 21 ../../common/desktop/core.nix 19 22 ../../common/desktop/sway.nix 20 23 ../../common/desktop/vnc.nix 21 - 22 - # Nvidia 24 + 25 + # Hardware-specific 23 26 ../../common/nvidia.nix 24 27 25 28 # Common secrets 26 - #../../host-secrets.nix 29 + ../../host-secrets.nix 27 30 ]; 28 31 29 - system.stateVersion = "25.05"; 30 - 31 - # pin host platform & microcode 32 - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 32 + services.syncthing = { 33 + enable = true; 34 + openDefaultPorts = true; 35 + user = "regent"; 36 + dataDir = "/home/regent"; 37 + configDir = "/home/regent/.config/syncthing"; 38 + }; 33 39 40 + # ============================================================================= 41 + # SYSTEM CONFIGURATION 42 + # ============================================================================= 43 + system.stateVersion = "25.05"; 44 + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 45 + 46 + # Cross-compilation support 34 47 boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; 48 + nix.settings.extra-platforms = config.boot.binfmt.emulatedSystems; 35 49 36 - networking.hostName = "focalor"; 37 - networking.hostId = "84bdc587"; 50 + # ============================================================================= 51 + # NETWORKING 52 + # 
============================================================================= 53 + networking = { 54 + hostName = "focalor"; 55 + hostId = "84bdc587"; 56 + firewall.enable = false; 57 + firewall.trustedInterfaces = [ "tailscale0" ]; 58 + nameservers = [ "10.0.0.210" "1.1.1.1" ]; 59 + }; 38 60 61 + # Systemd networking with bridge 39 62 systemd.network = { 40 63 enable = true; 64 + 41 65 netdevs."br0" = { 42 66 netdevConfig = { 43 67 Name = "br0"; 44 68 Kind = "bridge"; 45 69 }; 46 70 }; 71 + 47 72 networks = { 48 73 "10-lan" = { 49 74 matchConfig.Name = ["enp5s0" "vm-*"]; ··· 51 76 Bridge = "br0"; 52 77 }; 53 78 }; 79 + 54 80 "10-lan-bridge" = { 55 81 matchConfig.Name = "br0"; 56 82 networkConfig = { ··· 64 90 }; 65 91 }; 66 92 67 - /*networking = { 68 - firewall.enable = false; 69 - firewall.trustedInterfaces = [ 70 - "tailscale0" 71 - ]; 72 - nameservers = [ "10.0.0.210" "1.1.1.1" ]; 73 - useDHCP = true; 74 - firewall.allowedTCPPorts = [22 80 443 2456 2457 9000 9001 9002]; 75 - };*/ 76 - 93 + # DNS resolution 77 94 services.resolved = { 78 - enable = true; 79 - dnssec = "true"; 80 - domains = [ "~." ]; 95 + enable = true; 96 + dnssec = "true"; 97 + domains = [ "~." 
]; 81 98 fallbackDns = [ "10.0.0.210" "1.0.0.1#one.one.one.one" ]; 82 - dnsovertls = "true"; 99 + dnsovertls = "true"; 83 100 }; 84 - 85 - #boot.supportedFilesystems = [ "zfs" ]; 86 - #boot.kernelModules = [ "nct6775" "coretemp" ]; 87 101 88 - #services.zfs.autoScrub.enable = true; 89 - #services.zfs.trim.enable = true; 102 + # ============================================================================= 103 + # FILESYSTEM & STORAGE 104 + # ============================================================================= 105 + boot.supportedFilesystems = [ "nfs" ]; 90 106 91 - services.vscode-server.enable = true; 92 - services.vscode-server.nodejsPackage = pkgs.nodejs_20; 107 + /*fileSystems."/mnt/storage" = { 108 + device = "valefar:/storage"; 109 + fsType = "nfs"; 110 + };*/ 93 111 94 - environment.systemPackages = with pkgs; [ 95 - #lm_sensors 96 - #code-server 97 - inputs.agenix.packages.x86_64-linux.default 98 - ]; 112 + # ============================================================================= 113 + # SERVICES 114 + # ============================================================================= 115 + services.vscode-server = { 116 + enable = true; 117 + nodejsPackage = pkgs.nodejs_20; 118 + }; 99 119 100 - environment.sessionVariables.WLR_RENDERER = "vulkan"; 120 + # ============================================================================= 121 + # PROGRAMS & APPLICATIONS 122 + # ============================================================================= 123 + programs.steam.enable = true; 124 + 125 + programs.obs-studio = { 126 + enable = true; 127 + enableVirtualCamera = true; 128 + plugins = with pkgs.obs-studio-plugins; [ 129 + droidcam-obs 130 + ]; 131 + }; 101 132 133 + # ============================================================================= 134 + # VIRTUALIZATION 135 + # ============================================================================= 102 136 virtualisation.docker = { 103 137 enable = true; 104 138 enableOnBoot = true; 105 - 
package = pkgs.docker.override { 106 - buildGoModule = pkgs.buildGo123Module; 107 - }; 108 139 }; 109 140 141 + # ============================================================================= 142 + # DESKTOP ENVIRONMENT 143 + # ============================================================================= 144 + # Vulkan renderer for Wayland 145 + environment.sessionVariables.WLR_RENDERER = "vulkan"; 146 + 147 + # XDG Portals 110 148 xdg.portal = { 111 149 enable = true; 112 150 wlr.enable = true; ··· 115 153 xdg-desktop-portal-gnome 116 154 ]; 117 155 }; 156 + 157 + # ============================================================================= 158 + # PACKAGES 159 + # ============================================================================= 160 + environment.systemPackages = with pkgs; [ 161 + inputs.agenix.packages.x86_64-linux.default 162 + prismlauncher 163 + temurin-bin 164 + signal-desktop 165 + ]; 166 + 167 + # ============================================================================= 168 + # COMMENTED OUT / DISABLED 169 + # ============================================================================= 170 + # ZFS support (disabled for this host) 171 + # boot.supportedFilesystems = [ "zfs" ]; 172 + # boot.kernelModules = [ "nct6775" "coretemp" ]; 173 + # services.zfs.autoScrub.enable = true; 174 + # services.zfs.trim.enable = true; 175 + 176 + # Additional packages (commented out) 177 + # lm_sensors 178 + # code-server 179 + 180 + # DHCP (disabled in favor of systemd-networkd) 181 + networking.useDHCP = false; 182 + # firewall.allowedTCPPorts = [22 80 443 2456 2457 9000 9001 9002]; 118 183 }
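Review bot: `firewall.enable = false;` in the new `networking` attrset (new lines 53-59) makes the two settings written around it no-ops — `firewall.trustedInterfaces = [ "tailscale0" ]` only has meaning when the firewall is on, and `services.syncthing.openDefaultPorts = true;` above it opens nothing because there is nothing to open. With the firewall off, syncthing's listeners and anything else bound on the bridge are reachable from the whole LAN, not just from tailscale. If the intent is "trust tailscale, expose only what is explicitly opened", `firewall.enable = true;` with the existing `trustedInterfaces` and `openDefaultPorts` lines expresses exactly that. Separately, `networking.useDHCP = false;` at line 181 is live configuration filed under the "COMMENTED OUT / DISABLED" banner; moving it into the `networking` block would stop it reading as dead code.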
+5 -1
hosts/focalor/hardware.nix
··· 9 9 ]; 10 10 11 11 boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "uas" "usbhid" "sd_mod" ]; 12 - boot.initrd.kernelModules = [ ]; 12 + # boot.initrd.kernelModules = [ "vfio" "vfio_iommu_type1" "vfio_pci" ]; 13 13 boot.kernelModules = [ "kvm-amd" ]; 14 + boot.kernelParams = [ 15 + "amd_iommu=on" 16 + # "vfio-pci.ids=10de:2484,10de228b,1022:149c,15b7:5045,1dbe:5236,1022:149c" 17 + ]; 14 18 boot.extraModulePackages = [ ]; 15 19 16 20 fileSystems."/" =
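Review bot: The commented `vfio-pci.ids` entry on new line 16 has a malformed id (`10de228b` is missing the colon between vendor and device) and lists `1022:149c` twice; vfio-pci skips ids it cannot parse, so if this line is re-enabled as-is the `10de:228b` function (presumably the GPU's audio device) would quietly stay on its host driver while the rest bind. Worth correcting while it is still a comment: `# "vfio-pci.ids=10de:2484,10de:228b,1022:149c,15b7:5045,1dbe:5236"`.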
+62
hosts/focalor/scripts/vm-win11-hook.sh
··· 1 + #!/run/current-system/sw/bin/bash 2 + 3 + echo "qemu-hook: ${1} ${2}" >> /tmp/qemu-hook.log 4 + 5 + set -x 6 + 7 + readonly GUEST_NAME="$1" 8 + readonly HOOK_NAME="$2" 9 + readonly STATE_NAME="$3" 10 + 11 + function start_hook() { 12 + # Stops GUI 13 + systemctl isolate multi-user.target 14 + 15 + # Avoids race condition 16 + sleep 2 17 + 18 + # Unloads the NVIDIA drivers 19 + modprobe -r nvidia_drm 20 + modprobe -r nvidia_uvm 21 + modprobe -r nvidia_modeset 22 + modprobe -r nvidia 23 + 24 + # Other code you might want to run 25 + } 26 + 27 + function revert_hook() { 28 + virsh nodedev-reattach pci_0000_0a_00_0 29 + virsh nodedev-reattach pci_0000_0a_00_1 30 + virsh nodedev-reattach pci_0000_06_00_1 31 + virsh nodedev-reattach pci_0000_06_00_3 32 + virsh nodedev-reattach pci_0000_0c_00_3 33 + 34 + modprobe -r vfio-pci 35 + 36 + # Loads the NVIDIA drivers 37 + modprobe nvidia_modeset 38 + modprobe nvidia_uvm 39 + modprobe nvidia_drm 40 + modprobe nvidia 41 + 42 + modprobe -r xhci_pci 43 + modprobe xhci_pci 44 + 45 + # Starts the UI again 46 + systemctl restart display-manager 47 + systemctl isolate graphical.target 48 + } 49 + 50 + # I am not using the script from Passthrough-Post 51 + # because hooks option saves it to /var/lib/libvirt/hooks/qemu.d. 52 + # It's simpler to just rewrite it for NixOS. 53 + if [[ "$GUEST_NAME" != "win11" ]]; then 54 + exit 0 55 + fi 56 + 57 + if [[ "$HOOK_NAME" == "prepare" && "$STATE_NAME" == "begin" ]]; then 58 + #start_hook 59 + echo "do nothing" 60 + elif [[ "$HOOK_NAME" == "release" && "$STATE_NAME" == "end" ]]; then 61 + revert_hook 62 + fi
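Review bot: Line 3 appends to `/tmp/qemu-hook.log` as root (libvirt invokes qemu hooks as root) inside a world-writable directory, so a local user who pre-creates that path as a symlink gets root appending to a file of their choosing; `fs.protected_symlinks` usually blocks this but the hook should not depend on it, so log to a root-owned location such as `/var/log/qemu-hook.log` instead. The script also never sets `set -euo pipefail`, so a failed `virsh nodedev-reattach` or `modprobe` in `revert_hook` still falls through to `systemctl restart display-manager` and the failure is masked. Since `start_hook` is commented out, the prepare/begin path only logs, so device detachment is presumably left to libvirt's managed mode — a one-line comment saying so would save the next reader from wondering why the two halves are asymmetric.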
+21 -8
hosts/focalor/vfio.nix
··· 9 9 package = pkgs.qemu_kvm; 10 10 runAsRoot = true; 11 11 swtpm.enable = true; 12 - ovmf = { 13 - enable = true; 14 - packages = [(pkgs.OVMF.override { 15 - secureBoot = true; 16 - tpmSupport = true; 17 - }).fd]; 12 + }; 13 + hooks.qemu = { 14 + win11 = ./scripts/vm-win11-hook.sh; 15 + }; 16 + }; 17 + 18 + systemd.services.libvirtd = { 19 + path = let 20 + env = pkgs.buildEnv { 21 + name = "qemu-hook-env"; 22 + paths = with pkgs; [ 23 + bash 24 + libvirt 25 + kmod 26 + systemd 27 + ripgrep 28 + sd 29 + ]; 18 30 }; 19 - }; 31 + in 32 + [ env ]; 20 33 }; 21 34 22 35 users.extraUsers.regent.extraGroups = [ "libvirtd" ]; 23 - } 36 + }
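Review bot: Dropping the `ovmf.packages` override (old lines 12-18) silently swaps the guest firmware from an OVMF built with `secureBoot = true; tpmSupport = true;` to the module's default build, and `swtpm.enable = true` on its own only covers the TPM half. A `win11` guest installed against Secure Boot-capable firmware may stop booting or fail Windows 11's setup checks; if the removal was not deliberate, keep `ovmf.packages = [ (pkgs.OVMF.override { secureBoot = true; tpmSupport = true; }).fd ];` next to `swtpm.enable`. The `path` env added for libvirtd also lists `ripgrep` and `sd`, which the hook script does not call — presumably leftovers worth trimming so the hook's real dependencies (bash, libvirt, kmod, systemd) are the only ones pulled in.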
-45
hosts/morax/default.nix
··· 1 - { config, lib, pkgs, modulesPath, inputs, ... }: 2 - 3 - { 4 - imports = [ 5 - ./hardware.nix 6 - ./secrets.nix 7 - 8 - ../../common/system.nix 9 - ../../common/users.nix 10 - ../../common/services.nix 11 - ../../host-secrets.nix 12 - ]; 13 - 14 - system.stateVersion = "25.05"; 15 - 16 - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; 17 - hardware.enableRedistributableFirmware = true; 18 - hardware.enableAllHardware = lib.mkForce false; #https://github.com/NixOS/nixpkgs/issues/154163#issuecomment-2868994145 19 - 20 - networking = { 21 - hostName = "morax"; 22 - hostId = "2631a44a"; 23 - firewall.enable = false; 24 - defaultGateway = { 25 - address = "10.0.0.1"; 26 - interface = "eth0"; 27 - }; 28 - nameservers = [ "1.1.1.1" ]; 29 - interfaces.eth0 = { 30 - ipv4.addresses = [{ 31 - address = "10.0.0.210"; 32 - prefixLength = 24; 33 - }]; 34 - }; 35 - }; 36 - 37 - environment.systemPackages = with pkgs; [ 38 - inputs.agenix.packages.aarch64-linux.default 39 - ]; 40 - 41 - virtualisation.docker = { 42 - enable = true; 43 - enableOnBoot = true; 44 - }; 45 - }
-34
hosts/morax/hardware.nix
··· 1 - # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 - # and may be overwritten by future invocations. Please make changes 3 - # to /etc/nixos/configuration.nix instead. 4 - { config, lib, pkgs, modulesPath, ... }: 5 - 6 - { 7 - imports = 8 - [ (modulesPath + "/installer/scan/not-detected.nix") 9 - ]; 10 - 11 - boot.initrd.availableKernelModules = [ "xhci_pci" ]; 12 - boot.initrd.kernelModules = [ ]; 13 - boot.kernelModules = [ ]; 14 - boot.extraModulePackages = [ ]; 15 - 16 - fileSystems."/" = 17 - { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; 18 - fsType = "ext4"; 19 - }; 20 - 21 - swapDevices = [ ]; 22 - 23 - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking 24 - # (the default) this is the recommended approach. When using systemd-networkd it's 25 - # still possible to use this option, but it's recommended to use it in conjunction 26 - # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. 27 - networking.useDHCP = lib.mkDefault true; 28 - # networking.interfaces.docker0.useDHCP = lib.mkDefault true; 29 - # networking.interfaces.eth0.useDHCP = lib.mkDefault true; 30 - # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true; 31 - # networking.interfaces.wlan0.useDHCP = lib.mkDefault true; 32 - 33 - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; 34 - }
-3
hosts/morax/secrets.nix
··· 1 - { 2 - 3 - }
+64
hosts/valefar/backup.nix
··· 1 + # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 + # and may be overwritten by future invocations. Please make changes 3 + # to /etc/nixos/configuration.nix instead. 4 + { config, lib, pkgs, modulesPath, ... }: 5 + 6 + { 7 + imports = 8 + [ (modulesPath + "/installer/scan/not-detected.nix") 9 + ]; 10 + 11 + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "mpt3sas" "sd_mod" ]; 12 + boot.initrd.kernelModules = [ ]; 13 + boot.kernelModules = [ "kvm-amd" ]; 14 + boot.extraModulePackages = [ ]; 15 + 16 + fileSystems."/" = { 17 + device = "/dev/disk/by-uuid/17b399da-2210-4493-9ae3-c65b20b992a0"; 18 + fsType = "ext4"; 19 + }; 20 + 21 + fileSystems."/boot" = 22 + { device = "/dev/disk/by-uuid/6340-211B"; 23 + fsType = "vfat"; 24 + options = [ "fmask=0022" "dmask=0022" ]; 25 + }; 26 + 27 + /* fileSystems."/garage" = { 28 + device = "garage"; 29 + fsType = "zfs"; 30 + }; 31 + 32 + fileSystems."/storage" = { 33 + device = "storage"; 34 + fsType = "zfs"; 35 + };*/ 36 + 37 + swapDevices = [ ]; 38 + 39 + # Fan Control 40 + hardware.fancontrol = { 41 + enable = false; 42 + config = '' 43 + INTERVAL=10 44 + DEVPATH=hwmon1=devices/platform/nct6775.2592 hwmon2=devices/platform/coretemp.0 45 + DEVNAME=hwmon1=nct6795 hwmon2=coretemp 46 + FCTEMPS=hwmon1/pwm2=hwmon2/temp1_input hwmon1/pwm3=hwmon2/temp1_input 47 + FCFANS=hwmon1/pwm2=hwmon1/fan2_input hwmon1/pwm3=hwmon1/fan3_input 48 + MINTEMP=hwmon1/pwm2=20 hwmon1/pwm3=20 49 + MAXTEMP=hwmon1/pwm2=65 hwmon1/pwm3=60 50 + MINSTART=hwmon1/pwm2=38 hwmon1/pwm3=75 51 + MINSTOP=hwmon1/pwm2=28 hwmon1/pwm3=75 52 + MINPWM=hwmon1/pwm2=28 hwmon1/pwm3=75 53 + MAXPWM=hwmon1/pwm2=150 hwmon1/pwm3=105 54 + ''; 55 + }; 56 + 57 + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking 58 + # (the default) this is the recommended approach. 
When using systemd-networkd it's 59 + # still possible to use this option, but it's recommended to use it in conjunction 60 + # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. 61 + networking.useDHCP = lib.mkDefault true; 62 + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 63 + # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; 64 + }
+256 -73
hosts/valefar/default.nix
··· 1 1 # hosts/valefar/configuration.nix (or default.nix) 2 - { config, lib, pkgs, modulesPath, inputs, ... }: 3 - 2 + { config, lib, pkgs, modulesPath, microvm, inputs, ... }: 4 3 { 4 + # ============================================================================= 5 + # IMPORTS 6 + # ============================================================================= 5 7 imports = [ 6 - # Host-specific hardware 7 8 ./hardware.nix 8 9 ./secrets.nix 9 - #../../common/nvidia.nix 10 + ../../common/nvidia.nix 11 + 12 + ../../host-secrets.nix 10 13 11 - # Common modules shared across hosts 12 14 ../../common/system.nix 13 15 ../../common/users.nix 14 16 ../../common/services.nix 15 17 ../../common/efi.nix 16 18 17 - # Common secrets 18 - ../../host-secrets.nix 19 + ../../common/nvidia.nix 19 20 ]; 20 21 21 - # Enable modules 22 + # ============================================================================= 23 + # SYSTEM CONFIGURATION 24 + # ============================================================================= 25 + system.stateVersion = "24.11"; 26 + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 27 + 28 + hardware.cpu.amd.updateMicrocode = lib.mkDefault 29 + config.hardware.enableRedistributableFirmware; 30 + 31 + # ============================================================================= 32 + # CUSTOM MODULES 33 + # ============================================================================= 22 34 modules.garage.enable = true; 23 35 modules.forgejo.enable = true; 36 + modules.immich.enable = true; 37 + modules.github-runners.enable = true; 24 38 25 - system.stateVersion = "24.11"; 39 + # ============================================================================= 40 + # NETWORKING 41 + # ============================================================================= 42 + /*networking = { 43 + hostName = "valefar"; 44 + hostId = "2a07da90"; 45 + firewall.enable = false; 46 + firewall.trustedInterfaces = [ "tailscale0" ]; 47 + nameservers = [ "10.0.0.210" 
"1.1.1.1" ]; 48 + useDHCP = true; 49 + firewall.allowedTCPPorts = [ 22 80 443 2049 2456 2457 9000 9001 9002 ]; 50 + firewall.allowedUDPPorts = [ 2049 ]; 51 + };*/ 52 + networking.useNetworkd = true; 53 + systemd.network.enable = true; 54 + networking.hostName = "valefar"; 55 + networking.hostId = "2a07da90"; 56 + networking.firewall.enable = false; 26 57 27 - # pin host platform & microcode 28 - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 29 - hardware.cpu.intel.updateMicrocode = lib.mkDefault 30 - config.hardware.enableRedistributableFirmware; 58 + services.proxmox-ve.bridges = [ "vmbr0" ]; 31 59 32 - networking.hostName = "valefar"; 33 - networking.hostId = "2a07da90"; 60 + systemd.network.networks."10-lan" = { 61 + matchConfig.Name = ["enp6s0"]; 62 + networkConfig = { 63 + Bridge = "vmbr0"; 64 + }; 65 + }; 66 + systemd.network.netdevs."br0" = { 67 + netdevConfig = { 68 + Name = "vmbr0"; 69 + Kind = "bridge"; 70 + }; 71 + }; 34 72 35 - networking = { 36 - firewall.enable = false; 37 - firewall.trustedInterfaces = [ 38 - "tailscale0" 39 - ]; 40 - nameservers = [ "10.0.0.210" "1.1.1.1" ]; 41 - useDHCP = true; 42 - firewall.allowedTCPPorts = [22 80 443 2456 2457 9000 9001 9002]; 73 + systemd.network.networks."10-lan-bridge" = { 74 + matchConfig.Name = "vmbr0"; 75 + networkConfig = { 76 + Address = ["10.0.0.30/24" "2601:5c2:8400:26c0::30/64"]; 77 + Gateway = "10.0.0.1"; 78 + DNS = ["10.0.0.210" "1.1.1.1" "1.0.0.1"]; 79 + IPv6AcceptRA = true; 80 + }; 81 + linkConfig.RequiredForOnline = "routable"; 43 82 }; 44 83 84 + # DNS resolution 45 85 services.resolved = { 46 - enable = true; 47 - dnssec = "false"; 48 - domains = [ "~." ]; 86 + enable = true; 87 + dnssec = "false"; 88 + domains = [ "~." 
]; 49 89 fallbackDns = [ "10.0.0.210" "1.1.1.1" ]; 50 - dnsovertls = "false"; 90 + dnsovertls = "false"; 51 91 }; 52 - 53 - boot.supportedFilesystems = [ "zfs" ]; 54 - boot.kernelModules = [ "nct6775" "coretemp" ]; 55 92 56 - boot.zfs.extraPools = [ "garage" "storage" ]; 57 - boot.zfs.devNodes = "/dev/disk/by-id"; 58 - boot.zfs.forceImportAll = true; 59 - 60 - /*boot.kernelParams = [ "ip=dhcp" ]; 61 - boot.initrd = { 62 - availableKernelModules = [ "r8169" ]; 63 - network = { 64 - enable = true; 65 - ssh = { 66 - enable = true; 67 - port = 22; 68 - authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0pU82lV9dSjkgYbdh9utZ5CDM2dPN70S5fBqN1m3Pb" ]; 69 - hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" ]; 70 - shell = "/bin/cryptsetup-askpass"; 71 - }; 93 + # ============================================================================= 94 + # BOOT & FILESYSTEMS 95 + # ============================================================================= 96 + boot = { 97 + supportedFilesystems = [ "zfs" ]; 98 + kernelModules = [ "nct6775" "coretemp" ]; 99 + 100 + zfs = { 101 + extraPools = [ "garage" "storage" ]; 102 + devNodes = "/dev/disk/by-id"; 103 + forceImportAll = true; 72 104 }; 73 - };*/ 105 + }; 74 106 107 + # ============================================================================= 108 + # ZFS CONFIGURATION 109 + # ============================================================================= 110 + # ZFS import services 75 111 systemd.services.zfs-import-cache.enable = false; 76 - systemd.services.zfs-import-scan.enable = true; 77 - 78 112 systemd.services.zfs-import-scan = { 113 + enable = true; 79 114 after = [ "systemd-udev-settle.service" ]; 80 115 wants = [ "systemd-udev-settle.service" ]; 81 116 }; 82 117 118 + # ZFS mount points 83 119 systemd.mounts = [ 84 - { 85 - what = "garage"; 86 - where = "/garage"; 87 - type = "zfs"; 88 - after = [ "zfs-import-scan.service" ]; 89 - wants = [ "zfs-import-scan.service" ]; 90 - } 91 - { 92 - what = "storage"; 
93 - where = "/storage"; 94 - type = "zfs"; 95 - after = [ "zfs-import-scan.service" ]; 96 - wants = [ "zfs-import-scan.service" ]; 97 - } 98 - ]; 120 + { 121 + what = "garage"; 122 + where = "/garage"; 123 + type = "zfs"; 124 + after = [ "zfs-import-scan.service" ]; 125 + wants = [ "zfs-import-scan.service" ]; 126 + } 127 + { 128 + what = "storage"; 129 + where = "/storage"; 130 + type = "zfs"; 131 + after = [ "zfs-import-scan.service" ]; 132 + wants = [ "zfs-import-scan.service" ]; 133 + } 134 + ]; 135 + 136 + # ZFS maintenance 137 + services.zfs = { 138 + autoScrub.enable = true; 139 + trim.enable = true; 140 + }; 141 + 142 + # ============================================================================= 143 + # DIRECTORY STRUCTURE 144 + # ============================================================================= 145 + systemd.tmpfiles.rules = [ 146 + "d /storage/immich 0755 immich immich -" 147 + "d /storage/immich/photos 0755 immich immich -" 148 + "Z /storage/immich 0755 immich immich -" 149 + "d /storage/tm_share 0755 regent users" 150 + "Z /garage/ 0755 garage garage -" 151 + ]; 99 152 100 - services.zfs.autoScrub.enable = true; 101 - services.zfs.trim.enable = true; 153 + # ============================================================================= 154 + # NFS SERVER 155 + # ============================================================================= 156 + services.nfs.server = { 157 + enable = true; 158 + exports = '' 159 + /storage *(rw,sync,no_subtree_check,no_root_squash) 160 + ''; 161 + }; 102 162 103 - services.vscode-server.enable = true; 104 - services.vscode-server.nodejsPackage = pkgs.nodejs_20; 163 + services.samba = { 164 + enable = true; 165 + settings = { 166 + global = { 167 + "workgroup" = "WORKGROUP"; 168 + "server string" = "valefar"; 169 + "netbios name" = "valefar"; 170 + "security" = "user"; 105 171 172 + "hosts allow" = "100.64.0.0/10 10.0.0.0/24 127.0.0.1 localhost"; 173 + "hosts deny" = "0.0.0.0/0"; 174 + "guest account" = 
"nobody"; 175 + "map to guest" = "bad user"; 176 + }; 177 + 178 + "tm_share" = { 179 + "path" = "/storage/tm_share"; 180 + "valid users" = "regent"; 181 + "public" = "yes"; 182 + "writeable" = "yes"; 183 + "force user" = "regent"; 184 + "fruit:aapl" = "yes"; 185 + "fruit:time machine" = "yes"; 186 + "vfs objects" = "catia fruit streams_xattr"; 187 + }; 188 + }; 189 + }; 190 + 191 + services.netatalk = { 192 + enable = true; 193 + settings = { 194 + time-machine = { 195 + path = "/storage/timemachine"; 196 + "valid users" = "regent"; 197 + "time machine" = true; 198 + }; 199 + }; 200 + }; 201 + 202 + services.avahi = { 203 + enable = true; 204 + nssmdns = true; 205 + publish = { 206 + enable = true; 207 + userServices = true; 208 + }; 209 + 210 + extraServiceFiles = { 211 + timemachine = '' 212 + <?xml version="1.0" standalone='no'?> 213 + <!DOCTYPE service-group SYSTEM "avahi-service.dtd"> 214 + <service-group> 215 + <name replace-wildcards="yes">%h</name> 216 + <service> 217 + <type>_smb._tcp</type> 218 + <port>445</port> 219 + </service> 220 + <service> 221 + <type>_device-info._tcp</type> 222 + <port>0</port> 223 + <txt-record>model=TimeCapsule8,119</txt-record> 224 + </service> 225 + <service> 226 + <type>_adisk._tcp</type> 227 + <!-- 228 + change tm_share to share name, if you changed it. 
229 + --> 230 + <txt-record>dk0=adVN=tm_share,adVF=0x82</txt-record> 231 + <txt-record>sys=waMa=0,adVF=0x100</txt-record> 232 + </service> 233 + </service-group> 234 + ''; 235 + }; 236 + }; 237 + 238 + # ============================================================================= 239 + # SERVICES 240 + # ============================================================================= 241 + services.vscode-server = { 242 + enable = true; 243 + nodejsPackage = pkgs.nodejs_20; 244 + }; 245 + 246 + services.ollama = { 247 + enable = true; 248 + loadModels = ["deepseek-r1:1.5b" "gemma3:12b"]; 249 + acceleration = "cuda"; 250 + }; 251 + 252 + services.open-webui.enable = true; 253 + 254 + # ============================================================================= 255 + # VIRTUALIZATION 256 + # ============================================================================= 257 + virtualisation.docker = { 258 + enable = true; 259 + enableOnBoot = true; 260 + }; 261 + 262 + services.fail2ban = { 263 + enable = true; 264 + # Ban IP after 5 failures 265 + maxretry = 5; 266 + ignoreIP = [ 267 + "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" 268 + ]; 269 + bantime = "24h"; # Ban IPs for one day on the first ban 270 + bantime-increment = { 271 + enable = true; # Enable increment of bantime after each violation 272 + multipliers = "1 2 4 8 16 32 64"; 273 + maxtime = "168h"; # Do not ban for more than 1 week 274 + overalljails = true; # Calculate the bantime based on all the violations 275 + }; 276 + }; 277 + 278 + # ============================================================================= 279 + # PACKAGES 280 + # ============================================================================= 106 281 environment.systemPackages = with pkgs; [ 107 282 lm_sensors 108 283 code-server 109 284 inputs.agenix.packages.x86_64-linux.default 110 285 ]; 111 286 112 - virtualisation.docker = { 113 - enable = true; 114 - enableOnBoot = true; 115 - package = pkgs.docker.override 
{ 116 - buildGoModule = pkgs.buildGo123Module; 287 + 288 + # ============================================================================= 289 + # VIRTUAL MACHINES 290 + # ============================================================================= 291 + /*systemd.services."microvm@".after = [ "microvm-virtiofsd@%i.service" ]; 292 + 293 + microvm.vms = { 294 + gameservers = { 295 + config = import ./gamevm.nix; 117 296 }; 118 297 }; 298 + 299 + microvm.autostart = [ 300 + "gameservers" 301 + ];*/ 119 302 }
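Review bot: The new NFS export at lines 156-161, `/storage *(rw,sync,no_subtree_check,no_root_squash)`, grants any client that can reach port 2049 read-write access with root mapped to root, and `networking.firewall.enable = false` a few lines above means nothing limits who that is; since `/storage` also holds the immich data created by the tmpfiles rules, that is root-equivalent write on the photo library from any LAN or tailnet host. Restrict it to the networks that actually mount it and drop the root mapping unless a specific client needs it: `/storage 10.0.0.0/24(rw,sync,no_subtree_check) 100.64.0.0/10(rw,sync,no_subtree_check)`. The fail2ban block added in the same hunk is also weakened by the disabled firewall — as far as I recall the NixOS module warns that fail2ban cannot be used without `networking.firewall.enable`, since its ban actions insert rules into the firewall chains. Minor: `../../common/nvidia.nix` is now imported twice (lines 10 and 19); harmless, but one of them should go.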
+12 -36
hosts/valefar/hardware.nix
··· 8 8 [ (modulesPath + "/installer/scan/not-detected.nix") 9 9 ]; 10 10 11 - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "mpt3sas" "sd_mod" ]; 11 + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "mpt3sas" "nvme" "usbhid" "uas" "sd_mod" ]; 12 12 boot.initrd.kernelModules = [ ]; 13 13 boot.kernelModules = [ "kvm-amd" ]; 14 14 boot.extraModulePackages = [ ]; 15 15 16 - fileSystems."/" = { 17 - device = "/dev/disk/by-uuid/17b399da-2210-4493-9ae3-c65b20b992a0"; 18 - fsType = "ext4"; 19 - }; 16 + fileSystems."/" = 17 + { device = "/dev/disk/by-uuid/e02d1d07-3bc8-4d1d-a301-6d589f4b4b6d"; 18 + fsType = "ext4"; 19 + }; 20 20 21 21 fileSystems."/boot" = 22 - { device = "/dev/disk/by-uuid/6340-211B"; 22 + { device = "/dev/disk/by-uuid/B3DE-0187"; 23 23 fsType = "vfat"; 24 24 options = [ "fmask=0022" "dmask=0022" ]; 25 25 }; 26 26 27 - /* fileSystems."/garage" = { 28 - device = "garage"; 29 - fsType = "zfs"; 30 - }; 31 - 32 - fileSystems."/storage" = { 33 - device = "storage"; 34 - fsType = "zfs"; 35 - };*/ 36 - 37 - swapDevices = [ ]; 38 - 39 - # Fan Control 40 - hardware.fancontrol = { 41 - enable = false; 42 - config = '' 43 - INTERVAL=10 44 - DEVPATH=hwmon1=devices/platform/nct6775.2592 hwmon2=devices/platform/coretemp.0 45 - DEVNAME=hwmon1=nct6795 hwmon2=coretemp 46 - FCTEMPS=hwmon1/pwm2=hwmon2/temp1_input hwmon1/pwm3=hwmon2/temp1_input 47 - FCFANS=hwmon1/pwm2=hwmon1/fan2_input hwmon1/pwm3=hwmon1/fan3_input 48 - MINTEMP=hwmon1/pwm2=20 hwmon1/pwm3=20 49 - MAXTEMP=hwmon1/pwm2=65 hwmon1/pwm3=60 50 - MINSTART=hwmon1/pwm2=38 hwmon1/pwm3=75 51 - MINSTOP=hwmon1/pwm2=28 hwmon1/pwm3=75 52 - MINPWM=hwmon1/pwm2=28 hwmon1/pwm3=75 53 - MAXPWM=hwmon1/pwm2=150 hwmon1/pwm3=105 54 - ''; 55 - }; 27 + swapDevices = 28 + [ { device = "/dev/disk/by-uuid/c8f24f31-49e0-486c-9f63-1d31b2e36ce9"; } 29 + ]; 56 30 57 31 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking 58 32 # (the default) this is the recommended approach. 
When using systemd-networkd it's 59 33 # still possible to use this option, but it's recommended to use it in conjunction 60 34 # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. 61 35 networking.useDHCP = lib.mkDefault true; 36 + # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true; 37 + 38 + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 62 39 hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 63 - # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; 64 40 }
+63 -4
modules/caddy/default.nix
··· 8 8 let 9 9 cfg = config.modules.caddy; 10 10 caddyMetricsPort = 2019; 11 + 12 + # Generate Caddyfile content from the proxy configuration 13 + generateCaddyfile = proxies: 14 + let 15 + proxyEntries = mapAttrsToList (domain: upstreams: 16 + let 17 + upstreamList = if isList upstreams then upstreams else [upstreams]; 18 + upstreamStr = concatStringsSep " " upstreamList; 19 + in '' 20 + ${domain} { 21 + reverse_proxy ${upstreamStr} 22 + 23 + # Optional: Add some common headers for better proxying 24 + header_up Host {upstream_hostport} 25 + header_up X-Real-IP {remote_host} 26 + header_up X-Forwarded-For {remote_host} 27 + header_up X-Forwarded-Proto {scheme} 28 + } 29 + '') proxies; 30 + in 31 + concatStringsSep "\n\n" proxyEntries; 32 + 11 33 in 12 34 { 13 35 options = { 14 36 modules = { 15 - caddy = { enable = mkEnableOption "Deploy Caddy"; }; 37 + caddy = { 38 + enable = mkEnableOption "Deploy Caddy"; 39 + 40 + reverseProxies = mkOption { 41 + type = types.attrsOf (types.either types.str (types.listOf types.str)); 42 + default = {}; 43 + description = "Attribute set of domain to upstream mappings for reverse proxying. 
Upstreams can be a single string or a list of strings for load balancing."; 44 + example = { 45 + "notes.nekomimi.pet" = "valefar:3009"; 46 + "git.nekomimi.pet" = ["morax:3000" "valefar:3000"]; # Load balance between multiple upstreams 47 + "api.nekomimi.pet" = ["server1:8080" "server2:8080" "server3:8080"]; 48 + }; 49 + }; 50 + 51 + extraConfig = mkOption { 52 + type = types.lines; 53 + default = ""; 54 + description = "Extra Caddyfile configuration to append"; 55 + }; 56 + 57 + email = mkOption { 58 + type = types.nullOr types.str; 59 + default = null; 60 + description = "Email address for ACME certificate registration"; 61 + }; 62 + }; 16 63 }; 17 64 }; 18 65 ··· 29 76 30 77 services.caddy = { 31 78 enable = true; 32 - /* package = pkgs.caddy.withPlugins { 33 - plugins = [ "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"]; 34 - hash = "sha256-JVkUkDKdat4aALJHQCq1zorJivVCdyBT+7UhqTvaFLw="; 79 + /*package = pkgs.caddy.withPlugins { 80 + plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1"]; 81 + hash = "sha256-1niaf801sijvjrqvw998y8x7b43a0g162h3ry530qwl8lrgkapii"; 35 82 };*/ 83 + 84 + extraConfig = '' 85 + ${optionalString (cfg.email != null) '' 86 + { 87 + email ${cfg.email} 88 + } 89 + ''} 90 + 91 + ${generateCaddyfile cfg.reverseProxies} 92 + 93 + ${cfg.extraConfig} 94 + ''; 36 95 }; 37 96 38 97 systemd.services.caddy = {
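Review bot: The `header_up` lines emitted by `generateCaddyfile` (new lines 24–27) are placed at site-block level instead of inside a `reverse_proxy { … }` sub-block; `header_up` is a subdirective of `reverse_proxy`, not a directive, so Caddy should refuse to adapt the generated Caddyfile, and every host enabling `modules.caddy.reverseProxies` would fail to start. `header_up Host {upstream_hostport}` additionally rewrites the Host the upstream sees, which breaks anything behind it that checks the request host (Forgejo and Headscale both do), and Caddy already forwards the original Host, `X-Forwarded-For` and `X-Forwarded-Proto` by default — the only header that genuinely needs adding is `X-Real-IP`. The `email` global block is fine, but note `cfg.extraConfig` is appended verbatim, so a value containing its own global options block would be rejected too.
```nix
${domain} {
  reverse_proxy ${upstreamStr} {
    header_up X-Real-IP {remote_host}
  }
}
```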
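--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@@ -37,8 +37,9 @@
 SSH_LISTEN_PORT = 2222;
 SSH_PORT = 2222;
 START_SSH_SERVER = true;
+SSH_DOMAIN = "sgit.nekomimi.pet";
 };
-# service.DISABLE_REGISTRATION = true;
+service.DISABLE_REGISTRATION = true;
 actions = {
 ENABLED = true;
 DEFAULT_ACTIONS_URL = "github";
@@ -46,4 +47,4 @@
 };
 };
 };
-}
+}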
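--- a/modules/garage/default.nix
+++ b/modules/garage/default.nix
@@ -16,12 +16,12 @@
 config = mkIf cfg.enable {
 services.garage = {
 enable = true;
-package = pkgs.garage;
+package = pkgs.garage_2;
 settings = {
 metadata_dir = "/garage/metadata";
 data_dir = "/garage/data";
 db_engine = "lmdb";
-replication_mode = "2";
+replication_factor = 2;
 rpc_bind_addr = "[::]:3901";
 rpc_public_addr = "${config.networking.hostName}:3901";
 rpc_secret_file = config.age.secrets."garage-rpc-secret".path;
@@ -41,8 +41,8 @@
 metrics_token_file = config.age.secrets."garage-metrics-token".path;
 };
 bootstrap_peers = [
-"d548d0c9ae9aec9e26fe0bd2ca3efe75f654fa350bad5cb02bc9aebc9850ba8f@[2a04:52c0:135:48d1::2]:3901" # buer
-"5504cb25910dcef4a4312006691d651c099cde7c3a88df9ca79aa350571e6e65@[2601:5c2:8400:26c0:4ecc:6aff:fef7:98ca]:3901" #valefar
+"d548d0c9ae9aec9e26fe0bd2ca3efe75f654fa350bad5cb02bc9aebc9850ba8f@[buer]:3901"
+"5504cb25910dcef4a4312006691d651c099cde7c3a88df9ca79aa350571e6e65@[valefar]:3901"
 ];
 };
 };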
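Review bot: The new `bootstrap_peers` entries wrap hostnames in square brackets (`@[buer]:3901`, `@[valefar]:3901`), but the bracket form is the IPv6-literal syntax; Garage documents hostnames as `<node_id>@<host>:<port>` without brackets, and a bracketed name is likely to fail resolution rather than be looked up — verify with `garage status` after deploy and, if so, use `@buer:3901`. Security-wise the move from literal IPv6 addresses to names is fine because the node-ID prefix plus `rpc_secret_file` authenticate the peer, not the address, though it does make cluster join depend on whatever resolves `buer`/`valefar` (presumably MagicDNS from the headscale module). `replication_factor = 2` is the correct spelling for the `garage_2` package; a short comment such as `# garage >= 1.0 renamed replication_mode -> replication_factor` would save the next reader a search.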
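--- a/modules/github-runners/default.nix
+++ b/modules/github-runners/default.nix
@@ -34,13 +34,22 @@
 services.github-runners = {
 simplelink = {
 enable = true;
-name = "simplelink";
+name = "simplelink-" + config.networking.hostName;
 url = "https://github.com/waveringana/simplelink";
-token = config.age.secrets."build-token".path;
+tokenFile = config.age.secrets."build-token".path;
+user = "regent";
+group = "docker";
+extraPackages = extraPackages;
+};
+embedder = {
+enable = true;
+name = "embedder-" + config.networking.hostName;
+url = "https://github.com/waveringana/embedder";
+tokenFile = config.age.secrets."build-token".path;
 user = "regent";
 group = "docker";
 extraPackages = extraPackages;
-};
+};
 };
 };
 }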
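Review bot: Both runners run as `regent` with `group = "docker"` (new lines 41 and 50), and docker-group membership is root-equivalent on the host, so any workflow these runners pick up gets effective root; for repositories under `github.com/waveringana/…` that look public, GitHub's own guidance is not to attach self-hosted runners unless fork PRs require approval, since a fork can otherwise run arbitrary code in that context. If the repos take outside contributions, add `ephemeral = true;` to both entries so each runner serves a single job and re-registers, and consider rootless Docker or a dedicated group instead of `docker`. Replacing `token` with `tokenFile` is the right fix — the old option would have passed the secret's path as the token and kept nothing out of the store.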
+229
modules/headscale/default.nix
··· 1 + { config, lib, pkgs, ... }: 2 + 3 + with lib; 4 + let 5 + cfg = config.modules.headscale; 6 + in 7 + { 8 + options = { 9 + modules = { 10 + headscale = { 11 + enable = mkEnableOption "Deploy headscale"; 12 + 13 + oidcClientSecretPath = mkOption { 14 + type = types.str; 15 + default = "/etc/headscale/oidc_client_secret.key"; 16 + description = "Path to OIDC client secret file"; 17 + example = "config.age.secrets.headscale-oidc-key.path"; 18 + }; 19 + 20 + litestream = { 21 + enable = mkEnableOption "Enable litestream for headscale database backups"; 22 + 23 + replicas = mkOption { 24 + type = types.listOf (types.attrsOf types.anything); 25 + default = []; 26 + description = "List of litestream replica configurations"; 27 + example = [ 28 + { 29 + url = "s3://your-backup-bucket/headscale/db"; 30 + access-key-id = "$LITESTREAM_ACCESS_KEY_ID"; 31 + secret-access-key = "$LITESTREAM_SECRET_ACCESS_KEY"; 32 + region = "us-east-1"; 33 + } 34 + ]; 35 + }; 36 + 37 + backupPath = mkOption { 38 + type = types.nullOr types.str; 39 + default = null; 40 + description = "Local backup path (alternative to S3)"; 41 + example = "/backup/headscale"; 42 + }; 43 + 44 + syncInterval = mkOption { 45 + type = types.str; 46 + default = "1s"; 47 + description = "How often to sync to replicas"; 48 + }; 49 + 50 + retention = mkOption { 51 + type = types.str; 52 + default = "72h"; 53 + description = "How long to retain snapshots"; 54 + }; 55 + 56 + environmentFile = mkOption { 57 + type = types.nullOr types.path; 58 + default = null; 59 + description = "Environment file containing S3 credentials (can be agenix secret)"; 60 + example = "config.age.secrets.litestream-env.path"; 61 + }; 62 + }; 63 + }; 64 + }; 65 + }; 66 + 67 + config = mkIf cfg.enable { 68 + services.headscale = { 69 + enable = true; 70 + address = "0.0.0.0"; 71 + port = 8080; 72 + 73 + settings = { 74 + server_url = "https://headscale.nekomimi.pet"; 75 + 76 + # Metrics and gRPC 77 + metrics_listen_addr = "127.0.0.1:9090"; 
78 + grpc_listen_addr = "127.0.0.1:50443"; 79 + grpc_allow_insecure = false; 80 + 81 + # Prefixes 82 + prefixes = { 83 + v4 = "100.64.0.0/10"; 84 + v6 = "fd7a:115c:a1e0::/48"; 85 + allocation = "sequential"; 86 + }; 87 + 88 + # Database 89 + database = { 90 + type = "sqlite"; 91 + sqlite = { 92 + path = "/var/lib/headscale/db.sqlite"; 93 + write_ahead_log = true; 94 + }; 95 + }; 96 + 97 + # Noise 98 + noise = { 99 + private_key_path = "/var/lib/headscale/noise_private.key"; 100 + }; 101 + 102 + # DERP 103 + derp = { 104 + urls = [ 105 + "https://controlplane.tailscale.com/derpmap/default" 106 + ]; 107 + paths = []; 108 + auto_update_enabled = true; 109 + update_frequency = "24h"; 110 + server = { 111 + enabled = false; 112 + region_id = 999; 113 + region_code = "headscale"; 114 + region_name = "Headscale Embedded DERP"; 115 + stun_listen_addr = "0.0.0.0:3478"; 116 + private_key_path = "/var/lib/headscale/derp_server_private.key"; 117 + automatically_add_embedded_derp_region = true; 118 + ipv4 = "1.2.3.4"; 119 + ipv6 = "2001:db8::1"; 120 + }; 121 + }; 122 + 123 + # DNS 124 + dns = { 125 + magic_dns = true; 126 + base_domain = "dns.sharkgirl.pet"; 127 + nameservers = { 128 + global = [ 129 + "100.64.0.7" 130 + "1.1.1.1" 131 + "1.0.0.1" 132 + "2606:4700:4700::1111" 133 + "2606:4700:4700::1001" 134 + ]; 135 + }; 136 + search_domains = []; 137 + }; 138 + 139 + # OIDC with configurable secret path 140 + oidc = { 141 + only_start_if_oidc_is_available = true; 142 + issuer = "https://pocketid.nekomimi.pet"; 143 + client_id = "f345acad-3eac-45b7-9d91-57f388987a57"; 144 + client_secret_path = cfg.oidcClientSecretPath; 145 + pkce = { 146 + enabled = true; 147 + method = "S256"; 148 + }; 149 + }; 150 + 151 + # Policy 152 + policy = { 153 + mode = "database"; 154 + }; 155 + 156 + # TLS/ACME 157 + acme_url = "https://acme-v02.api.letsencrypt.org/directory"; 158 + acme_email = ""; 159 + tls_letsencrypt_hostname = ""; 160 + tls_letsencrypt_cache_dir = "/var/lib/headscale/cache"; 
161 + tls_letsencrypt_challenge_type = "HTTP-01"; 162 + tls_letsencrypt_listen = ":http"; 163 + tls_cert_path = ""; 164 + tls_key_path = ""; 165 + 166 + # Logging 167 + log = { 168 + format = "text"; 169 + level = "info"; 170 + }; 171 + 172 + # Misc settings 173 + disable_check_updates = false; 174 + ephemeral_node_inactivity_timeout = "30m"; 175 + unix_socket = "/var/run/headscale/headscale.sock"; 176 + unix_socket_permission = "0770"; 177 + logtail = { 178 + enabled = false; 179 + }; 180 + randomize_client_port = false; 181 + }; 182 + }; 183 + 184 + # Configurable Litestream for SQLite database backups 185 + services.litestream = mkIf cfg.litestream.enable { 186 + enable = true; 187 + settings = { 188 + dbs = [ 189 + { 190 + path = "/var/lib/headscale/db.sqlite"; 191 + sync-interval = cfg.litestream.syncInterval; 192 + retention = cfg.litestream.retention; 193 + replicas = 194 + # Use custom replicas if provided 195 + if cfg.litestream.replicas != [] then 196 + cfg.litestream.replicas 197 + # Otherwise use local backup if path is provided 198 + else if cfg.litestream.backupPath != null then 199 + [{ path = cfg.litestream.backupPath; }] 200 + # Default empty (user must configure) 201 + else 202 + []; 203 + } 204 + ]; 205 + }; 206 + }; 207 + 208 + # Configure systemd service to use agenix secrets 209 + systemd.services.headscale.serviceConfig = mkMerge [ 210 + { 211 + SupplementaryGroups = [ "headscale-secrets" ]; 212 + } 213 + # Add environment file for litestream if specified 214 + (mkIf (cfg.litestream.enable && cfg.litestream.environmentFile != null) { 215 + EnvironmentFile = cfg.litestream.environmentFile; 216 + }) 217 + ]; 218 + 219 + # Configure litestream service with environment file if specified 220 + systemd.services.litestream = mkIf (cfg.litestream.enable && cfg.litestream.environmentFile != null) { 221 + serviceConfig = { 222 + EnvironmentFile = cfg.litestream.environmentFile; 223 + }; 224 + }; 225 + 226 + # Create a group for accessing secrets 227 + 
users.groups.headscale-secrets = {}; 228 + }; 229 + }
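Review bot: The litestream `EnvironmentFile` is attached to the headscale service as well as to litestream (new lines 213–216), which puts the S3 access keys in headscale's process environment where nothing in headscale reads them; drop that `mkIf` block and keep only `SupplementaryGroups = [ "headscale-secrets" ];` on `systemd.services.headscale.serviceConfig`. The control plane also binds `address = "0.0.0.0"` on port 8080 with every `tls_*` field empty, so it speaks plaintext on all interfaces — if Caddy terminates TLS in front of it, bind to `127.0.0.1` (or the tailnet address) rather than relying on the firewall. The OIDC block sets no `allowed_users`/`allowed_domains`/`allowed_groups`, so presumably every identity PocketID will issue a token for may enrol nodes — fine if PocketID is single-user, otherwise worth pinning here. `unix_socket_permission = "0770"` and `grpc_allow_insecure = false` look right.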
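--- /dev/null
+++ b/modules/immich/default.nix
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+cfg = config.modules.immich;
+
+immichRoot = "/storage/immich"; #TODO make this configurable through nix
+immichPhotos = "${immichRoot}/photos";
+in
+{
+options = {
+modules = {
+immich = {
+enable = mkEnableOption "Deploy immich";
+};
+};
+};
+
+config = mkIf cfg.enable {
+services.immich = {
+enable = true;
+port = 2283;
+host = "0.0.0.0";
+mediaLocation = immichPhotos;
+settings = null;
+};
+};
+}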
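Review bot: `host = "0.0.0.0"` (new line 23) exposes the Immich API on every interface of the host; since the repository already has a Caddy reverse-proxy module, binding to loopback with `host = "127.0.0.1";` and proxying through Caddy keeps the only reachable surface the TLS one. Whether this is exploitable today depends on the host's firewall (not visible here): the NixOS firewall, if enabled, leaves 2283 closed because `openFirewall` is not set. `settings = null` hands all configuration to the web UI, which is fine but means OAuth/registration settings are not tracked in this repo — a one-line comment saying so would help.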
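--- /dev/null
+++ b/modules/monero/default.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+cfg = config.modules.monero;
+
+#TODO make this configurable through nix
+address = "46Ev6Vk4QeQZTr14tRjksTT2VPhi4jKB48mGz31rpUUci2Bvg9PHZj9GLK3VceWDc13tkUbzmqQz8eKR3hkD9bUKFKHLrzg";
+dataDir = "/storage/monero";
+miningThreads = 6;
+user = "regent";
+password = "AnRPCPasswordChangedImperatively";
+rpcAddress = "127.0.0.1";
+rpcPort = 18081;
+in
+{
+options = {
+modules = {
+monero = {
+enable = mkEnableOption "Deploy monero node";
+};
+};
+};
+
+config = mkIf cfg.enable {
+services.monero = {
+enable = true;
+dataDir = dataDir;
+rpc = {
+user = user;
+password = password;
+address = rpcAddress;
+port = rpcPort;
+};
+mining = {
+enable = true;
+threads = miningThreads;
+address = address;
+};
+};
+};
+}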
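Review bot: The RPC password on line 12 is a literal in the module, and the NixOS `services.monero` module renders `rpc.user`/`rpc.password` into a `rpc-login=` line of a config file in the world-readable Nix store, so the value is readable by every local user regardless of its "ChangedImperatively" name. The other modules in this repo already use agenix (`rpc_secret_file` in garage, `tokenFile` for the runners); as far as I can see `services.monero` offers no secret-file option, so until one exists treat this password as public, keep `rpcAddress = "127.0.0.1"` as it is, and say so next to the literal: `# NOTE: lands in /nix/store in cleartext; RPC is loopback-only for that reason`. Unconditional `mining.enable = true` with six threads is also worth a comment or an option, since it is a significant CPU commitment on whatever host enables the module.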
+858
modules/seaweedfs/default.nix
··· 1 + /*https://hg.sr.ht/~dermetfan/seaweedfs-nixos/browse/seaweedfs.nix?rev=tip*/ 2 + 3 + { config, lib, pkgs, ... }: 4 + 5 + with lib; 6 + 7 + let 8 + cfg = config.modules.seaweedfs; 9 + 10 + clusterModule = cluster: { 11 + options = { 12 + package = mkOption { 13 + type = types.package; 14 + default = pkgs.seaweedfs; 15 + }; 16 + 17 + security.grpc = let 18 + auth = mkOption { 19 + type = with types; nullOr (submodule { 20 + options = { 21 + cert = mkOption { type = path; }; 22 + key = mkOption { type = path; }; 23 + }; 24 + }); 25 + default = null; 26 + }; 27 + in { 28 + ca = mkOption { 29 + type = with types; nullOr str; 30 + default = null; 31 + }; 32 + 33 + master = auth; 34 + volume = auth; 35 + filer = auth; 36 + client = auth; 37 + msgBroker = auth; 38 + }; 39 + 40 + masters = mkOption { 41 + type = with types; attrsOf (submodule (masterModule cluster.config)); 42 + default = {}; 43 + description = "SeaweedFS masters"; 44 + }; 45 + 46 + volumes = mkOption { 47 + type = with types; attrsOf (submodule (volumeModule cluster.config)); 48 + default = {}; 49 + description = "SeaweedFS volumes"; 50 + }; 51 + 52 + filers = mkOption { 53 + type = with types; attrsOf (submodule (filerModule cluster.config)); 54 + default = {}; 55 + description = "SeaweedFS filers"; 56 + }; 57 + 58 + webdavs = mkOption { 59 + type = with types; attrsOf (submodule (webdavModule cluster.config)); 60 + default = {}; 61 + description = "SeaweedFS WebDAV servers"; 62 + }; 63 + 64 + instances = mkOption { 65 + type = with types; attrsOf (submodule instanceModule); 66 + description = "SeaweedFS instances"; 67 + default = 68 + mapAttrs' (name: master: nameValuePair 69 + "master-${name}" 70 + { 71 + inherit (master) cluster configs; 72 + 73 + command = "master"; 74 + 75 + args = with master; 76 + [ 77 + "-port=${toString port}" 78 + "-volumeSizeLimitMB=${toString volumeSizeLimitMB}" 79 + ] ++ 80 + optional (cpuprofile != "") "-cpuprofile=${cpuprofile}" ++ 81 + optional (defaultReplication 
!= null) ("-defaultReplication=${defaultReplication.code}") ++ 82 + optional disableHttp "-disableHttp" ++ 83 + optional (garbageThreshold != "") "-garbageThreshold=${garbageThreshold}" ++ 84 + optional (ip != "") "-ip=${ip}" ++ 85 + optional (master."ip.bind" != "") "-ip.bind=${master."ip.bind"}" ++ 86 + optional (mdir != "") "-mdir=${mdir}" ++ 87 + optional (memprofile != "") "-memprofile=${memprofile}" ++ 88 + optional metrics.enable "-metrics.address=${metrics.address.text}" ++ 89 + optional (metrics.intervalSeconds != null) "-metrics.intervalSeconds=${toString metrics.intervalSeconds}" ++ 90 + optional (peers != []) ("-peers=" + (concatStringsSep "," (map (peer: peer.text) peers))) ++ 91 + optional resumeState "-resumeState" ++ 92 + optional volumePreallocate "-volumePreallocate" ++ 93 + optional (whiteList != []) ("-whiteList=" + (concatStringsSep "," whiteList)); 94 + } 95 + ) cluster.config.masters // 96 + mapAttrs' (name: volume: nameValuePair 97 + "volume-${name}" 98 + { 99 + inherit (volume) cluster configs; 100 + 101 + command = "volume"; 102 + 103 + args = with volume; 104 + [ 105 + "-port=${toString port}" 106 + "-dir=${concatStringsSep "," dir}" 107 + "-fileSizeLimitMB=${toString fileSizeLimitMB}" 108 + "-idleTimeout=${toString idleTimeout}" 109 + "-index=${index}" 110 + "-minFreeSpacePercent=${toString minFreeSpacePercent}" 111 + "-preStopSeconds=${toString preStopSeconds}" 112 + ] ++ 113 + optional (compactionMBps != null) ("-compactionMBps=${compactionMBps}") ++ 114 + optional (cpuprofile != "") "-cpuprofile=${cpuprofile}" ++ 115 + optional (dataCenter != "") "-dataCenter=${dataCenter}" ++ 116 + optional volume."images.fix.orientation" "-images.fix.orientation" ++ 117 + optional (ip != "") "-ip=${ip}" ++ 118 + optional (volume."ip.bind" != "") "-ip.bind=${volume."ip.bind"}" ++ 119 + optional (max != []) "-max=${concatStringsSep "," (map toString max)}" ++ 120 + optional (memprofile != "") "-memprofile=${memprofile}" ++ 121 + optional (metricsPort 
!= null) "-metricsPort=${toString metricsPort}" ++ 122 + optional (mserver != []) ("-mserver=" + (concatStringsSep "," (map (mserver: mserver.text) mserver))) ++ 123 + optional (volume."port.public" != null) "-port.public=${toString volume."port.public"}" ++ 124 + optional pprof "-pprof" ++ 125 + optional (publicUrl != "") "-publicUrl=${publicUrl}" ++ 126 + optional (rack != "") "-rack=${rack}" ++ 127 + optional (!volume."read.redirect") "-read.redirect=false" ++ 128 + optional (whiteList != []) ("-whiteList=" + (concatStringsSep "," whiteList)); 129 + 130 + systemdService.preStart = "mkdir -p ${concatStringsSep " " volume.dir}"; 131 + } 132 + ) cluster.config.volumes // 133 + mapAttrs' (name: filer: nameValuePair 134 + "filer-${name}" 135 + { 136 + inherit (filer) cluster configs; 137 + 138 + command = "filer"; 139 + 140 + args = with filer; 141 + [ 142 + "-port=${toString port}" 143 + "-dirListLimit=${toString dirListLimit}" 144 + "-maxMB=${toString maxMB}" 145 + ] ++ 146 + optional (collection != "") "-collection=${collection}" ++ 147 + optional (dataCenter != "") "-dataCenter=${dataCenter}" ++ 148 + optional (defaultReplicaPlacement != null) ("-defaultReplicaPlacement=${defaultReplicaPlacement.code}") ++ 149 + optional disableDirListing "-disableDirListing" ++ 150 + optional disableHttp "-disableHttp" ++ 151 + optional encryptVolumeData "-encryptVolumeData" ++ 152 + optional (ip != "") "-ip=${ip}" ++ 153 + optional (filer."ip.bind" != "") "-ip.bind=${filer."ip.bind"}" ++ 154 + optional (master != []) ("-master=" + (concatStringsSep "," (map (master: master.text) master))) ++ 155 + optional (metricsPort != null) "-metricsPort=${toString metricsPort}" ++ 156 + optional (peers != []) ("-peers=" + (concatStringsSep "," (map (peer: peer.text) peers))) ++ 157 + optional (filer."port.readonly" != null) "-port.readonly=${toString filer."port.readonly"}" ++ 158 + optional (rack != "") "-rack=${rack}" ++ 159 + optionals s3.enable [ 160 + "-s3" 161 + "-s3.port=${toString 
filer.s3.port}" 162 + ] ++ 163 + optional (s3.enable && s3."cert.file" != "") "-s3.cert.file=${s3."cert.file"}" ++ 164 + optional (s3.enable && s3."key.file" != "") "-s3.key.file=${s3."key.file"}" ++ 165 + optional (s3.enable && s3.config != "") "-s3.config=${s3.config}" ++ 166 + optional (s3.enable && s3.domainName != []) "-s3.domainName=${concatStringsSep "," s3.domainName}"; 167 + 168 + systemdService.preStart = let 169 + conf = filer.configs.filer.leveldb2 or {}; 170 + in optionalString (conf ? "dir") "mkdir -p ${conf.dir}"; 171 + } 172 + ) cluster.config.filers // 173 + mapAttrs' (name: webdav: nameValuePair 174 + "webdav-${name}" 175 + { 176 + inherit (webdav) cluster; 177 + 178 + command = "webdav"; 179 + 180 + args = with webdav; 181 + [ 182 + "-port=${toString port}" 183 + "-filer=${filer.text}" 184 + "-cacheCapacityMB=${toString cacheCapacityMB}" 185 + ] ++ 186 + optional (collection != "") "-collection=${collection}" ++ 187 + optional (cacheDir != "") "-cacheDir=${cacheDir}"; 188 + } 189 + ) cluster.config.webdavs; 190 + }; 191 + }; 192 + }; 193 + 194 + commonModule = cluster: common: { 195 + options = { 196 + cluster = mkOption { 197 + type = types.submodule clusterModule; 198 + internal = true; 199 + }; 200 + 201 + openFirewall = mkEnableOption "open the firewall"; 202 + }; 203 + 204 + config = { inherit cluster; }; 205 + }; 206 + 207 + masterModule = cluster: master: { 208 + imports = [ (commonModule cluster) ]; 209 + 210 + options = { 211 + configs = mkOption { 212 + type = with types; attrsOf attrs; 213 + default.master.maintenance = { 214 + scripts = '' 215 + ec.encode -fullPercent=95 -quietFor=1h 216 + ec.rebuild -force 217 + ec.balance -force 218 + volume.balance -force 219 + volume.fix.replication 220 + ''; 221 + sleep_minutes = 17; 222 + }; 223 + }; 224 + 225 + cpuprofile = mkOption { 226 + type = types.str; 227 + default = ""; 228 + }; 229 + 230 + defaultReplication = mkOption { 231 + type = types.submodule replicationModule; 232 + default = 
{}; 233 + }; 234 + 235 + disableHttp = mkEnableOption "disable HTTP requests, gRPC only"; 236 + 237 + garbageThreshold = mkOption { 238 + type = types.str; 239 + default = ""; 240 + }; 241 + 242 + ip = mkOption { 243 + type = types.str; 244 + default = config.networking.hostName; 245 + }; 246 + 247 + "ip.bind" = mkOption { 248 + type = types.str; 249 + default = "0.0.0.0"; 250 + }; 251 + 252 + mdir = mkOption { 253 + type = types.str; 254 + default = "."; 255 + }; 256 + 257 + memprofile = mkOption { 258 + type = types.str; 259 + default = ""; 260 + }; 261 + 262 + metrics = { 263 + enable = mkEnableOption "Prometheus"; 264 + 265 + address = mkOption { 266 + type = types.submodule ipPortModule; 267 + default = {}; 268 + }; 269 + 270 + intervalSeconds = mkOption { 271 + type = types.ints.unsigned; 272 + default = 15; 273 + }; 274 + }; 275 + 276 + peers = mkOption { 277 + type = peersType; 278 + default = mapAttrsIpPort master.config.cluster.masters; 279 + }; 280 + 281 + port = mkOption { 282 + type = types.port; 283 + default = 9333; 284 + }; 285 + 286 + resumeState = mkEnableOption "resume previous state on master server"; 287 + 288 + volumePreallocate = mkEnableOption "preallocate disk space for volumes"; 289 + 290 + volumeSizeLimitMB = mkOption { 291 + type = types.ints.unsigned; 292 + default = 30000; 293 + }; 294 + 295 + whiteList = mkOption { 296 + type = with types; listOf str; 297 + default = []; 298 + }; 299 + }; 300 + }; 301 + 302 + volumeModule = cluster: volume: { 303 + imports = [ (commonModule cluster) ]; 304 + 305 + options = { 306 + configs = mkOption { 307 + type = with types; attrsOf attrs; 308 + default = {}; 309 + }; 310 + 311 + compactionMBps = mkOption { 312 + type = with types; nullOr ints.unsigned; 313 + default = null; 314 + }; 315 + 316 + cpuprofile = mkOption { 317 + type = types.str; 318 + default = ""; 319 + }; 320 + 321 + dataCenter = mkOption { 322 + type = types.str; 323 + default = ""; 324 + }; 325 + 326 + dir = mkOption { 327 + type = 
with types; listOf str; 328 + default = [ "/var/lib/seaweedfs/${cluster._module.args.name}/volume-${volume.config._module.args.name}" ]; 329 + }; 330 + 331 + fileSizeLimitMB = mkOption { 332 + type = types.ints.unsigned; 333 + default = 256; 334 + }; 335 + 336 + idleTimeout = mkOption{ 337 + type = types.ints.unsigned; 338 + default = 30; 339 + }; 340 + 341 + "images.fix.orientation" = mkEnableOption "adjustment of jpg orientation when uploading"; 342 + 343 + index = mkOption { 344 + type = types.enum [ 345 + "memory" 346 + "leveldb" 347 + "leveldbMedium" 348 + "leveldbLarge" 349 + ]; 350 + default = "memory"; 351 + }; 352 + 353 + ip = mkOption { 354 + type = types.str; 355 + default = config.networking.hostName; 356 + }; 357 + 358 + "ip.bind" = mkOption { 359 + type = types.str; 360 + default = "0.0.0.0"; 361 + }; 362 + 363 + max = mkOption { 364 + type = with types; listOf ints.unsigned; 365 + default = [ 8 ]; 366 + }; 367 + 368 + memprofile = mkOption { 369 + type = types.str; 370 + default = ""; 371 + }; 372 + 373 + metricsPort = mkOption { 374 + type = with types; nullOr port; 375 + default = null; 376 + }; 377 + 378 + minFreeSpacePercent = mkOption { 379 + type = types.ints.unsigned; 380 + default = 1; 381 + }; 382 + 383 + mserver = mkOption { 384 + type = peersType; 385 + default = mapAttrsIpPort volume.config.cluster.masters; 386 + }; 387 + 388 + port = mkOption { 389 + type = types.port; 390 + default = 8080; 391 + }; 392 + 393 + "port.public" = mkOption { 394 + type = with types; nullOr port; 395 + default = null; 396 + }; 397 + 398 + pprof = mkEnableOption "pprof http handlers. 
precludes -memprofile and -cpuprofile"; 399 + 400 + preStopSeconds = mkOption { 401 + type = types.int; 402 + default = 10; 403 + }; 404 + 405 + publicUrl = mkOption { 406 + type = types.str; 407 + default = ""; 408 + }; 409 + 410 + rack = mkOption { 411 + type = types.str; 412 + default = ""; 413 + }; 414 + 415 + "read.redirect" = mkOption { 416 + type = types.bool; 417 + default = true; 418 + }; 419 + 420 + whiteList = mkOption { 421 + type = with types; listOf str; 422 + default = []; 423 + }; 424 + }; 425 + }; 426 + 427 + filerModule = cluster: filer: { 428 + imports = [ (commonModule cluster) ]; 429 + 430 + options = { 431 + configs = mkOption { 432 + type = with types; attrsOf attrs; 433 + default.filer.leveldb2 = { 434 + enabled = true; 435 + dir = "/var/lib/seaweedfs/${cluster._module.args.name}/filer-${filer.config._module.args.name}/filerldb2"; 436 + }; 437 + }; 438 + 439 + collection = mkOption { 440 + type = types.str; 441 + default = ""; 442 + }; 443 + 444 + dataCenter = mkOption { 445 + type = types.str; 446 + default = ""; 447 + }; 448 + 449 + defaultReplicaPlacement = mkOption { 450 + type = with types; nullOr (submodule replicationModule); 451 + default = null; 452 + }; 453 + 454 + dirListLimit = mkOption { 455 + type = types.ints.unsigned; 456 + default = 100000; 457 + }; 458 + 459 + disableDirListing = mkEnableOption "turn off directory listing"; 460 + 461 + disableHttp = mkEnableOption "disable http request, only gRpc operations are allowed"; 462 + 463 + encryptVolumeData = mkEnableOption "encrypt data on volume servers"; 464 + 465 + ip = mkOption { 466 + type = types.str; 467 + default = config.networking.hostName; 468 + }; 469 + 470 + "ip.bind" = mkOption { 471 + type = types.str; 472 + default = "0.0.0.0"; 473 + }; 474 + 475 + master = mkOption { 476 + type = peersType; 477 + default = mapAttrsIpPort filer.config.cluster.masters; 478 + }; 479 + 480 + maxMB = mkOption { 481 + type = types.ints.unsigned; 482 + default = 32; 483 + }; 484 + 485 + 
metricsPort = mkOption { 486 + type = with types; nullOr port; 487 + default = null; 488 + }; 489 + 490 + peers = mkOption { 491 + type = peersType; 492 + default = mapAttrsIpPort filer.config.cluster.filers; 493 + }; 494 + 495 + port = mkOption { 496 + type = types.port; 497 + default = 8888; 498 + }; 499 + 500 + "port.readonly" = mkOption { 501 + type = with types; nullOr port; 502 + default = null; 503 + }; 504 + 505 + rack = mkOption { 506 + type = types.str; 507 + default = ""; 508 + }; 509 + 510 + s3 = { 511 + enable = mkEnableOption "whether to start S3 gateway"; 512 + 513 + "cert.file" = mkOption { 514 + type = types.path; 515 + default = ""; 516 + }; 517 + 518 + config = mkOption { 519 + type = types.path; 520 + default = ""; 521 + }; 522 + 523 + domainName = mkOption { 524 + type = with types; listOf str; 525 + default = []; 526 + }; 527 + 528 + "key.file" = mkOption { 529 + type = types.path; 530 + default = ""; 531 + }; 532 + 533 + port = mkOption { 534 + type = types.port; 535 + default = 8333; 536 + }; 537 + }; 538 + }; 539 + }; 540 + 541 + webdavModule = cluster: webdav: { 542 + imports = [ (commonModule cluster) ]; 543 + 544 + options = { 545 + cacheCapacityMB = mkOption { 546 + type = types.int; 547 + default = 1000; 548 + }; 549 + 550 + cacheDir = mkOption { 551 + type = types.str; 552 + default = "."; 553 + }; 554 + 555 + collection = mkOption { 556 + type = types.str; 557 + default = ""; 558 + }; 559 + 560 + filer = mkOption { 561 + type = types.submodule ipPortModule; 562 + default = { 563 + ip = "127.0.0.1"; 564 + port = 8888; 565 + }; 566 + }; 567 + 568 + port = mkOption { 569 + type = types.port; 570 + default = 7333; 571 + }; 572 + }; 573 + }; 574 + 575 + instanceModule = instance: { 576 + options = { 577 + cluster = mkOption { 578 + type = types.submodule clusterModule; 579 + internal = true; 580 + }; 581 + 582 + command = mkOption { 583 + type = types.enum [ 584 + "server" 585 + "master" 586 + "volume" 587 + "mount" 588 + "filer" 589 + 
"filer.replicate" 590 + "filer.sync" 591 + "s3" 592 + "msgBroker" 593 + "watch" 594 + "webdav" 595 + ]; 596 + }; 597 + 598 + logArgs = mkOption { 599 + type = with types; listOf str; 600 + default = []; 601 + }; 602 + 603 + args = mkOption { 604 + type = with types; listOf str; 605 + default = []; 606 + }; 607 + 608 + configs = mkOption { 609 + type = with types; attrsOf attrs; 610 + default = {}; 611 + }; 612 + 613 + package = mkOption { 614 + type = types.package; 615 + default = instance.config.cluster.package; 616 + }; 617 + 618 + systemdService = mkOption { 619 + type = types.attrs; 620 + default = {}; 621 + }; 622 + }; 623 + 624 + config = { 625 + logArgs = [ "-logtostderr" ]; 626 + 627 + systemdService.path = optional (instance.config.command == "mount") pkgs.fuse; 628 + }; 629 + }; 630 + 631 + replicationModule = replication: { 632 + options = { 633 + dataCenter = mkOption { 634 + type = types.ints.between 0 9; 635 + default = 0; 636 + }; 637 + 638 + rack = mkOption { 639 + type = types.ints.between 0 9; 640 + default = 0; 641 + }; 642 + 643 + server = mkOption { 644 + type = types.ints.between 0 9; 645 + default = 0; 646 + }; 647 + 648 + code = mkOption { 649 + readOnly = true; 650 + internal = true; 651 + type = types.str; 652 + default = with replication.config; "${toString dataCenter}${toString rack}${toString server}"; 653 + }; 654 + }; 655 + }; 656 + 657 + peersType = with types; listOf (submodule ipPortModule); 658 + 659 + ipPortModule = ipPort: { 660 + options = { 661 + ip = mkOption { 662 + type = types.str; 663 + }; 664 + 665 + port = mkOption { 666 + type = types.port; 667 + }; 668 + 669 + text = mkOption { 670 + internal = true; 671 + readOnly = true; 672 + type = types.str; 673 + default = with ipPort.config; "${ip}:${toString port}"; 674 + }; 675 + }; 676 + }; 677 + 678 + mapAttrsIpPort = attrs: mapAttrsToList (name: value: { inherit (value) ip port; }) attrs; 679 + 680 + toTOML = with generators; toINI { 681 + mkKeyValue = mkKeyValueDefault { 
682 + mkValueString = v: 683 + if isString v 684 + then ( 685 + if hasInfix "\n" v 686 + then '' 687 + """ 688 + ${removeSuffix "\n" v} 689 + """ 690 + '' 691 + else ''"${v}"'' 692 + ) 693 + else mkValueStringDefault {} v; 694 + } "="; 695 + }; 696 + 697 + flattenAttrs = separator: attrs: let 698 + /* 699 + attrs = { 700 + a = { 701 + m1 = {}; 702 + m2 = {}; 703 + }; 704 + b = { 705 + m1 = {}; 706 + }; 707 + } 708 + */ 709 + 710 + /* 711 + step1 = { 712 + a = [ 713 + { name = "a-m1"; value = {}; } 714 + { name = "a-m2"; value = {}; } 715 + ]; 716 + b = [ 717 + { name = "b-m1"; value = {}; } 718 + ]; 719 + }; 720 + */ 721 + step1 = mapAttrs (outerName: outerValues: 722 + mapAttrsToList (innerName: innerValues: nameValuePair 723 + "${outerName}${separator}${innerName}" 724 + innerValues 725 + ) outerValues 726 + ) attrs; 727 + 728 + /* 729 + step2 = [ 730 + [ 731 + { name = "a-m1"; value = {}; } 732 + { name = "a-m2"; value = {}; } 733 + ] 734 + [ 735 + { name = "b-m1"; value = {}; } 736 + ] 737 + ]; 738 + */ 739 + step2 = mapAttrsToList (name: value: value) step1; 740 + 741 + /* 742 + step3 = [ 743 + { name = "a-m1"; value = {}; } 744 + { name = "a-m2"; value = {}; } 745 + { name = "b-m1"; value = {}; } 746 + ]; 747 + */ 748 + step3 = flatten step2; 749 + in 750 + /* 751 + { 752 + a-m1 = {}; 753 + a-m2 = {}; 754 + b-m1 = {}; 755 + }; 756 + */ 757 + builtins.listToAttrs step3; 758 + in { 759 + options.modules.seaweedfs = { 760 + clusters = mkOption { 761 + type = with types; attrsOf (submodule clusterModule); 762 + default = {}; 763 + description = "SeaweedFS clusters"; 764 + }; 765 + }; 766 + 767 + config = { 768 + systemd.services = mapAttrs' 769 + (name: instance: nameValuePair "seaweedfs-${name}" instance) 770 + (flattenAttrs "-" ( 771 + mapAttrs (clusterName: cluster: 772 + mapAttrs (instanceName: instance: with instance; recursiveUpdate systemdService rec { 773 + description = "SeaweedFS ${clusterName} ${instanceName}"; 774 + wants = [ "network.target" ]; 775 + 
after = wants; 776 + wantedBy = [ "multi-user.target" ]; 777 + preStart = with serviceConfig; '' 778 + ${ 779 + let securityFile = config.environment.etc."seaweedfs/${clusterName}/security.toml"; 780 + in optionalString securityFile.enable "ln -s /etc/${securityFile.target} ${WorkingDirectory}/" 781 + } 782 + 783 + # TODO replace find usage with statically known condition 784 + find -L /etc/${ConfigurationDirectory} -type f -exec ln -s '{}' ${WorkingDirectory}/ \; 785 + 786 + ${optionalString (systemdService ? preStart) systemdService.preStart} 787 + ''; 788 + serviceConfig = rec { 789 + ExecStart = "${package}/bin/weed ${concatStringsSep " " logArgs} ${command} ${concatStringsSep " " args}"; 790 + Restart = "on-failure"; 791 + Type = "exec"; 792 + ConfigurationDirectory = "seaweedfs/${clusterName}/${instanceName}"; 793 + RuntimeDirectory = ConfigurationDirectory; 794 + RuntimeDirectoryPreserve = "restart"; 795 + WorkingDirectory = "/run/${RuntimeDirectory}"; 796 + }; 797 + }) cluster.instances 798 + ) cfg.clusters 799 + )); 800 + 801 + environment.etc = 802 + (mapAttrs' (name: cluster: 803 + let file = "seaweedfs/${name}/security.toml"; 804 + in nameValuePair file { 805 + enable = config.environment.etc.${file}.text != ""; 806 + text = with cluster.security.grpc; toTOML ( 807 + (if ca == null then {} else { grpc.ca = ca; }) // 808 + (if master == null then {} else { "grpc.master" = { inherit (master) cert key; }; }) // 809 + (if volume == null then {} else { "grpc.volume" = { inherit (volume) cert key; }; }) // 810 + (if filer == null then {} else { "grpc.filer" = { inherit (filer) cert key; }; }) // 811 + (if client == null then {} else { "grpc.client" = { inherit (client) cert key; }; }) // 812 + (if msgBroker == null then {} else { "grpc.msg_broker" = { inherit (msgBroker) cert key; }; }) 813 + ); 814 + } 815 + ) cfg.clusters) // 816 + (mapAttrs' 817 + (name: config: nameValuePair 818 + "seaweedfs/${name}.toml" 819 + { text = toTOML config; } 820 + ) 821 + 
(flattenAttrs "/" ( 822 + mapAttrs (clusterName: cluster: 823 + flattenAttrs "/" ( 824 + mapAttrs 825 + (instanceName: instance: instance.configs) 826 + cluster.instances 827 + ) 828 + ) cfg.clusters 829 + )) 830 + ); 831 + 832 + networking.firewall.allowedTCPPorts = let 833 + modulesToPorts = extraPorts: mapAttrsToList (name: module: 834 + with module; 835 + optionals openFirewall ( 836 + [ port (port + 10000) ] ++ 837 + (filter (p: p != null) (extraPorts module)) 838 + ) 839 + ); 840 + in flatten (mapAttrsToList (clusterName: cluster: 841 + modulesToPorts 842 + (master: []) 843 + cluster.masters ++ 844 + 845 + modulesToPorts 846 + (volume: with volume; [ metricsPort volume."port.public" ]) 847 + cluster.volumes ++ 848 + 849 + modulesToPorts 850 + (filer: with filer; [ metricsPort filer."port.readonly" s3.port]) 851 + cluster.filers ++ 852 + 853 + modulesToPorts 854 + (webdav: []) 855 + cluster.webdavs 856 + ) cfg.clusters); 857 + }; 858 + }
secrets/build-token.age

This is a binary file and will not be displayed.

secrets/garage-admin-token.age

This is a binary file and will not be displayed.

secrets/garage-metrics-token.age

This is a binary file and will not be displayed.

secrets/garage-rpc-secret.age

This is a binary file and will not be displayed.

secrets/headscale-authkey.age

This is a binary file and will not be displayed.

+11
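--- a/secrets/headscale-oidc-key.path
+++ b/secrets/headscale-oidc-key.path
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 i9wBeA Gtd2ftibBF2166KCpJiJt1W9kbwrTybKx4O561e7oQw
+3ci7PJxYqoglIml6YiyJrffteIZN0aUWDN5z4sogcfs
+-> ssh-ed25519 du7llw zxlkrcUyO4q4CsRAYMr8vp7LzdK2E/O9fQrCi6TxYXs
+q3xdu3He3SXg29mKS8Fv3YWt2CkENucPtPYtXmw+dx4
+-> ssh-ed25519 YYzA7Q VQFwGeDchwrEiI3mPsNK1yGQKupTnh5jLxLhVlPbbzU
+tsPNihdGL/2VumVXuOKRnfPw7LBlr5xKOODAKY5ROyc
+-> ssh-ed25519 3RWqPQ YrxOoecRxIrNHq93LvFMgk2h83a0Z3UtsYeXKeQd1xo
+lUM0BU8KTBjR13TGQj88n5BA4b9JAjZALfu9fTSmpu8
+--- 8WCStyJ9IerfsQD3pL4ag8tnmt7hBXZxR+aCfv4BjS0
+7�E�rY�)�GI���G�*K�b����b+��>�m�{����K�!��m�����J:���{��2/��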
+9 -3
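--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,14 +2,20 @@
 regent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0pU82lV9dSjkgYbdh9utZ5CDM2dPN70S5fBqN1m3Pb regent@orobas.local";
 users = [ regent ];
 
-valefar = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJlXq2lSfiWwRwIxsxhffW5FDGmjt0QKYN+BaikmRR71";
-buer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVhjwDcO8eleSoR8a37ZGGPvkHEgV+c8SYcy07SayPB root@nixos";
-systems = [ valefar buer ];
+valefar = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPu8CVFsnUxhvABEqv4+EBBOL8tva5HJFoV3hElAlD0";
+buer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVhjwDcO8eleSoR8a37ZGGPvkHEgV+c8SYcy07SayPB";
+focalor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA518oTmTp5VG60/dBrLu7rlV1hh8muhMattoiGfmrei";
+baal = "AAAAC3NzaC1lZDI1NTE5AAAAILdjRWunQNFeTTdnw4GaqL9G34oo4QuvrRE/jvxLdK1C";
+systems = [ valefar buer focalor];
 in
 {
 #"secret1.age".publicKeys = [ user1 system1 ];
 "build-token.age".publicKeys = users ++ systems;
+
 "garage-rpc-secret.age".publicKeys = users ++ systems;
 "garage-admin-token.age".publicKeys = users ++ systems;
 "garage-metrics-token.age".publicKeys = users ++ systems;
+
+"headscale-authkey.age".publicKeys = users ++ systems;
+"headscale-oidc-key.path".publicKeys = users ++ systems;
 }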
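Review bot: The new `baal` entry on line 8 is missing the `ssh-ed25519 ` key-type prefix that every other recipient string carries, so it is not a usable age recipient; nothing breaks yet because `systems` on line 9 leaves `baal` out, but the first time it is added, re-encrypting the secrets will fail on that entry. The fix is `baal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdjRWunQNFeTTdnw4GaqL9G34oo4QuvrRE/jvxLdK1C";`, and while there `systems = [ valefar buer focalor ];` for consistent spacing. Replacing valefar's key on line 5 only takes effect once every `.age` file is re-encrypted to the new recipient set, which the changed secret files elsewhere in this diff suggest was done; if the old key was retired because it may have been exposed, earlier commits still carry ciphertexts it can open, so the secret values themselves would need rotating as well. The `headscale-oidc-key.path` rule on line 20 names an age-encrypted file with a `.path` suffix while every sibling rule uses `.age`; if that is not deliberate, renaming it to `headscale-oidc-key.age` keeps the convention and avoids it being mistaken for a plaintext path file.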