84 files changed, 1475 insertions, 1104 deletions
@@ -21,60 +21,84 @@ }; }; - outputs = { self, nixpkgs, sops-nix, home-manager, nixos-hardware, alina }: let - lib = nixpkgs.lib; + outputs = + { + self, + nixpkgs, + sops-nix, + home-manager, + nixos-hardware, + alina, + }: + let + lib = nixpkgs.lib; - makeGlobalImports = host: [ - ./global/common - ] ++ lib.optional (builtins.pathExists ./global/${host}) - ./global/${host}; + makeGlobalImports = + host: + [ + ./global/common + ] + ++ lib.optional (builtins.pathExists ./global/${host}) ./global/${host}; - makeHomeImports = host: makeGlobalImports host ++ [ - ./home/common/home.nix - ] ++ lib.optional (builtins.pathExists ./home/${host}) - ./home/${host}/home.nix; + makeHomeImports = + host: + makeGlobalImports host + ++ [ + ./home/common/home.nix + ] + ++ lib.optional (builtins.pathExists ./home/${host}) ./home/${host}/home.nix; - makeNixos = host: system: lib.nixosSystem { - inherit system; - specialArgs = { inherit nixos-hardware; }; + makeNixos = + host: system: + lib.nixosSystem { + inherit system; + specialArgs = { inherit nixos-hardware; }; - modules = [ - alina.nixosModules.alina - sops-nix.nixosModules.sops + modules = [ + alina.nixosModules.alina + sops-nix.nixosModules.sops - ./os/${host}/configuration.nix - { - networking.hostName = host; - nix.nixPath = [ "nixpkgs=${nixpkgs}" ]; - } + ./os/${host}/configuration.nix + { + networking.hostName = host; + nix.nixPath = [ "nixpkgs=${nixpkgs}" ]; + } - home-manager.nixosModules.home-manager - ({ config, ... }: let - username = config.global.userdata.name; - in { - home-manager = { - useGlobalPkgs = true; - useUserPackages = false; - users.${username} = { ... }: { - imports = makeHomeImports host; - }; - }; - }) - ] ++ (makeGlobalImports host); - }; + home-manager.nixosModules.home-manager + ( + { config, ... }: + let + username = config.global.userdata.name; + in + { + home-manager = { + useGlobalPkgs = true; + useUserPackages = false; + users.${username} = + { ... 
}: + { + imports = makeHomeImports host; + }; + }; + } + ) + ] ++ (makeGlobalImports host); + }; - makeHome = host: system: home-manager.lib.homeManagerConfiguration { - pkgs = nixpkgs.legacyPackages.${system}; - modules = makeHomeImports host; - }; - in - { - nixosConfigurations = - lib.genAttrs [ "cez" "kay" "lia" "fscusat" "dspace" ] - (host: makeNixos host "x86_64-linux"); + makeHome = + host: system: + home-manager.lib.homeManagerConfiguration { + pkgs = nixpkgs.legacyPackages.${system}; + modules = makeHomeImports host; + }; + in + { + nixosConfigurations = lib.genAttrs [ "cez" "kay" "lia" "fscusat" "dspace" ] ( + host: makeNixos host "x86_64-linux" + ); - homeConfigurations = - lib.genAttrs [ "common" "wayland" "pc" "cez" ] - (host: makeHome host "x86_64-linux"); - }; + homeConfigurations = lib.genAttrs [ "common" "wayland" "pc" "cez" ] ( + host: makeHome host "x86_64-linux" + ); + }; } diff --git a/global/cez/default.nix b/global/cez/default.nix index 0463acb..9c80dc4 100644 --- a/global/cez/default.nix +++ b/global/cez/default.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ global.font = { sans.size = 10; monospace.size = 13; diff --git a/global/common/default.nix b/global/common/default.nix index 329963d..030fa2b 100644 --- a/global/common/default.nix +++ b/global/common/default.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ imports = [ ./modules/font.nix ./modules/userdata.nix diff --git a/global/common/modules/font.nix b/global/common/modules/font.nix index 476489f..4a261d1 100644 --- a/global/common/modules/font.nix +++ b/global/common/modules/font.nix @@ -1,4 +1,5 @@ -{ pkgs, lib, ... }: let +{ pkgs, lib, ... }: +let name = { type = lib.types.str; example = "Terminess Nerd Font"; 
@@ -11,26 +12,39 @@ type = with lib.types; listOf path; example = "[ pkgs.nerd-fonts.terminess-ttf ]"; }; -in { +in +{ options.global.font = { sans = { size = lib.mkOption size; - name = lib.mkOption (name // { - default = "DeepMind Sans"; - }); - packages = lib.mkOption (packages // { - default = [ pkgs.dm-sans ]; - }); + name = lib.mkOption ( + name + // { + default = "DeepMind Sans"; + } + ); + packages = lib.mkOption ( + packages + // { + default = [ pkgs.dm-sans ]; + } + ); }; monospace = { size = lib.mkOption size; - name = lib.mkOption (name // { - default = "Terminess Nerd Font"; - }); - packages = lib.mkOption (packages // { - default = [ pkgs.nerd-fonts.terminess-ttf ]; - }); + name = lib.mkOption ( + name + // { + default = "Terminess Nerd Font"; + } + ); + packages = lib.mkOption ( + packages + // { + default = [ pkgs.nerd-fonts.terminess-ttf ]; + } + ); }; }; } diff --git a/global/common/modules/userdata.nix b/global/common/modules/userdata.nix index d591920..74d8449 100644 --- a/global/common/modules/userdata.nix +++ b/global/common/modules/userdata.nix @@ -1,7 +1,9 @@ -{ config, lib, ... }: let +{ config, lib, ... }: +let cfg = config.global.userdata; -in { - options.global.userdata = { +in +{ + options.global.userdata = { name = lib.mkOption { type = lib.types.str; default = "sinan"; diff --git a/home/cez/home.nix b/home/cez/home.nix index 018c19c..f39ddff 100644 --- a/home/cez/home.nix +++ b/home/cez/home.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ imports = [ ../pc/home.nix ./modules/wayland.nix diff --git a/home/cez/modules/wayland.nix b/home/cez/modules/wayland.nix index bfba63e..1d63f76 100644 --- a/home/cez/modules/wayland.nix +++ b/home/cez/modules/wayland.nix 
@@ -1,7 +1,9 @@ -{ pkgs, ... }: let - wayland-scripts = pkgs.callPackage ../../wayland/pkgs/wayland-scripts {}; +{ pkgs, ... }: +let + wayland-scripts = pkgs.callPackage ../../wayland/pkgs/wayland-scripts { }; freezshot = "${wayland-scripts}/bin/freezshot"; -in { +in +{ wayland.windowManager.sway.settings = { # vendor hardcoded screenshot key bindsym."mod4+shift+s" = "exec ${freezshot}"; diff --git a/home/common/home.nix b/home/common/home.nix index 137a967..b2f4480 100644 --- a/home/common/home.nix +++ b/home/common/home.nix @@ -1,6 +1,8 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let username = config.global.userdata.name; -in { +in +{ imports = [ ./modules/git.nix ./modules/tmux.nix diff --git a/home/common/modules/git.nix b/home/common/modules/git.nix index 1f10da7..3f8a98e 100644 --- a/home/common/modules/git.nix +++ b/home/common/modules/git.nix @@ -1,7 +1,9 @@ -{ config, ... }: let +{ config, ... }: +let userName = config.global.userdata.nameFq; userEmail = config.global.userdata.email; -in { +in +{ programs.git = { enable = true; inherit userName; diff --git a/home/common/modules/mimeapps.nix b/home/common/modules/mimeapps.nix index 04e3bd9..8c128cf 100644 --- a/home/common/modules/mimeapps.nix +++ b/home/common/modules/mimeapps.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ xdg.mimeApps = { enable = true; diff --git a/home/common/modules/shell.nix b/home/common/modules/shell.nix index c1b31fd..02f188a 100644 --- a/home/common/modules/shell.nix +++ b/home/common/modules/shell.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ programs.bash.enable = true; home = { diff --git a/home/common/modules/ssh.nix b/home/common/modules/ssh.nix index 5c54f44..31df169 100644 --- a/home/common/modules/ssh.nix +++ b/home/common/modules/ssh.nix @@ -1,6 +1,8 @@ -{ config, ... }: let +{ config, ... }: +let domain = config.global.userdata.domain; -in { +in +{ programs.ssh = { enable = true; compression = true; 
diff --git a/home/common/modules/tmux.nix b/home/common/modules/tmux.nix index 20fecd5..6705f38 100644 --- a/home/common/modules/tmux.nix +++ b/home/common/modules/tmux.nix @@ -1,8 +1,8 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, ... }: +{ home.packages = with pkgs; [ tmux ]; - home.sessionVariables.TMUX_TMPDIR = - ''''${XDG_RUNTIME_DIR:-"/run/user/$(id -u)"}''; + home.sessionVariables.TMUX_TMPDIR = ''''${XDG_RUNTIME_DIR:-"/run/user/$(id -u)"}''; programs.bash.initExtra = lib.mkOrder 2000 '' if [ -z "$TMUX" ] && { [ -n "$WAYLAND_DISPLAY" ] || [ -n "$SSH_TTY" ]; }; then diff --git a/home/common/modules/xdg_ninja.nix b/home/common/modules/xdg_ninja.nix index 614454b..6bd4196 100644 --- a/home/common/modules/xdg_ninja.nix +++ b/home/common/modules/xdg_ninja.nix @@ -1,12 +1,13 @@ -{ config, lib, ... }: let +{ config, lib, ... }: +let bashHistory = config.xdg.stateHome + "/bash/history"; -in { +in +{ home.activation.init = lib.hm.dag.entryAfter [ "writeBoundary" ] '' run --silence mkdir -p ${builtins.dirOf bashHistory} ''; - gtk.gtk2.configLocation = - config.xdg.configHome + "/gtk-2.0/gtkrc"; + gtk.gtk2.configLocation = config.xdg.configHome + "/gtk-2.0/gtkrc"; home.sessionVariables = { HISTFILE = bashHistory; diff --git a/home/common/modules/xdgdirs.nix b/home/common/modules/xdgdirs.nix index 3073a10..a2dce4f 100644 --- a/home/common/modules/xdgdirs.nix +++ b/home/common/modules/xdgdirs.nix @@ -1,9 +1,11 @@ -{ config, ... }: let +{ config, ... }: +let home = config.home.homeDirectory; etc = home + "/etc"; dl = home + "/dl"; -in { +in +{ xdg = { enable = true; diff --git a/home/pc/home.nix b/home/pc/home.nix index cad5bd6..54a2e09 100644 --- a/home/pc/home.nix +++ b/home/pc/home.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ imports = [ ./modules/pass.nix ./modules/dev.nix diff --git a/home/pc/modules/dev.nix b/home/pc/modules/dev.nix index ee9e054..6488aa8 100644 --- a/home/pc/modules/dev.nix +++ b/home/pc/modules/dev.nix 
@@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ home.packages = with pkgs; [ git sops diff --git a/home/pc/modules/pass.nix b/home/pc/modules/pass.nix index 3387861..17122ec 100644 --- a/home/pc/modules/pass.nix +++ b/home/pc/modules/pass.nix @@ -1,7 +1,14 @@ -{ config, pkgs, lib, ... }: let +{ + config, + pkgs, + lib, + ... +}: +let passStore = config.xdg.dataHome + "/pass"; GNUPGHome = config.xdg.dataHome + "/gnupg"; -in { +in +{ home = { file."${GNUPGHome}/gpg-agent.conf".text = '' pinentry-program ${lib.getExe pkgs.pinentry-bemenu} diff --git a/home/wayland/home.nix b/home/wayland/home.nix index bcea5f4..9c912f1 100644 --- a/home/wayland/home.nix +++ b/home/wayland/home.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ imports = [ ../common/home.nix ./modules/foot.nix diff --git a/home/wayland/modules/firefox.nix b/home/wayland/modules/firefox.nix index dac3fb5..4e69072 100644 --- a/home/wayland/modules/firefox.nix +++ b/home/wayland/modules/firefox.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ programs.firefox = { enable = true; policies = { 
@@ -47,26 +48,22 @@ "uBlock0@raymondhill.net" = { installation_mode = "force_installed"; default_area = "menupanel"; - install_url = - "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"; + install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"; }; "jid1-MnnxcxisBPnSXQ@jetpack" = { installation_mode = "force_installed"; default_area = "menupanel"; - install_url = - "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi"; + install_url = "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi"; }; "{21f1ba12-47e1-4a9b-ad4e-3a0260bbeb26}" = { installation_mode = "force_installed"; default_area = "menupanel"; - install_url = - "https://addons.mozilla.org/firefox/downloads/latest/remove-youtube-s-suggestions/latest.xpi"; + install_url = "https://addons.mozilla.org/firefox/downloads/latest/remove-youtube-s-suggestions/latest.xpi"; }; "tridactyl.vim@cmcaine.co.uk" = { installation_mode = "force_installed"; default_area = "menupanel"; - install_url = - "https://addons.mozilla.org/firefox/downloads/latest/tridactyl-vim/latest.xpi"; + install_url = "https://addons.mozilla.org/firefox/downloads/latest/tridactyl-vim/latest.xpi"; }; }; }; @@ -78,8 +75,8 @@ currentVersion = 1337; placements = { - widget-overflow-fixed-list = []; - unified-extensions-area = []; + widget-overflow-fixed-list = [ ]; + unified-extensions-area = [ ]; nav-bar = [ "back-button" "forward-button" diff --git a/home/wayland/modules/foot.nix b/home/wayland/modules/foot.nix index ad8531a..9c0e76d 100644 --- a/home/wayland/modules/foot.nix +++ b/home/wayland/modules/foot.nix 
@@ -1,10 +1,12 @@ -{ config, lib, ... }: let - font = config.global.font.monospace.name - + lib.optionalString (config.global.font.monospace.size != null) - ":size=" + builtins.toString config.global.font.monospace.size; -in { - home.sessionVariables.TERMINAL = - lib.getExe config.programs.foot.package; +{ config, lib, ... }: +let + font = + config.global.font.monospace.name + + lib.optionalString (config.global.font.monospace.size != null) ":size=" + + builtins.toString config.global.font.monospace.size; +in +{ + home.sessionVariables.TERMINAL = lib.getExe config.programs.foot.package; programs.foot = { enable = true; diff --git a/home/wayland/modules/mango.nix b/home/wayland/modules/mango.nix index 31cd7d6..4606b64 100644 --- a/home/wayland/modules/mango.nix +++ b/home/wayland/modules/mango.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ programs.mangohud = { enable = true; diff --git a/home/wayland/modules/mimeapps.nix b/home/wayland/modules/mimeapps.nix index 9050cfe..f8b656d 100644 --- a/home/wayland/modules/mimeapps.nix +++ b/home/wayland/modules/mimeapps.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ xdg.mimeApps = { enable = true; defaultApplications = { diff --git a/home/wayland/modules/portal.nix b/home/wayland/modules/portal.nix index 5cb620c..d9a525f 100644 --- a/home/wayland/modules/portal.nix +++ b/home/wayland/modules/portal.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ xdg.portal = { enable = true; diff --git a/home/wayland/modules/sway/bemenu.nix b/home/wayland/modules/sway/bemenu.nix index ced6b2f..ed1094d 100644 --- a/home/wayland/modules/sway/bemenu.nix +++ b/home/wayland/modules/sway/bemenu.nix 
@@ -1,12 +1,15 @@ -{ config, lib, ... }: let +{ config, lib, ... }: +let background = "#000000"; foreground = "#FFFFFF"; swayYellow = "#d79921"; - font = config.global.font.sans.name - + lib.optionalString (config.global.font.sans.size != null) - " " + builtins.toString config.global.font.sans.size; -in { + font = + config.global.font.sans.name + + lib.optionalString (config.global.font.sans.size != null) " " + + builtins.toString config.global.font.sans.size; +in +{ programs.bemenu = { enable = true; diff --git a/home/wayland/modules/sway/home.nix b/home/wayland/modules/sway/home.nix index 776d26c..7dc24c2 100644 --- a/home/wayland/modules/sway/home.nix +++ b/home/wayland/modules/sway/home.nix @@ -1,4 +1,10 @@ -{ config, pkgs, lib, ... }: let +{ + config, + pkgs, + lib, + ... +}: +let mod = "mod4"; left = "h"; right = "l"; @@ -6,7 +12,7 @@ up = "k"; background = "${config.xdg.dataHome}/wayland/desktop"; - wayland-scripts = pkgs.callPackage ../../pkgs/wayland-scripts {}; + wayland-scripts = pkgs.callPackage ../../pkgs/wayland-scripts { }; cwall = "${wayland-scripts}/bin/cwall"; daskpass = "${wayland-scripts}/bin/daskpass"; @@ -22,10 +28,12 @@ mako = lib.getExe config.services.mako.package; firefox = lib.getExe config.programs.firefox.finalPackage; - font = config.global.font.sans.name - + lib.optionalString (config.global.font.sans.size != null) - " " + builtins.toString config.global.font.sans.size; -in { + font = + config.global.font.sans.name + + lib.optionalString (config.global.font.sans.size != null) " " + + builtins.toString config.global.font.sans.size; +in +{ imports = [ ./mako.nix ./theme.nix 
@@ -66,107 +74,107 @@ in { settings = { bar = { - inherit font; - position = "top"; - status_command = i3status; - colors = { - background = "#000000"; - focused_workspace = "#000000 #000000 #ffba08"; - inactive_workspace = "#000000 #000000 #cde4e6"; - }; + inherit font; + position = "top"; + status_command = i3status; + colors = { + background = "#000000"; + focused_workspace = "#000000 #000000 #ffba08"; + inactive_workspace = "#000000 #000000 #cde4e6"; + }; }; bindgesture = { - "swipe:left" = "workspace next"; - "swipe:right" = "workspace prev"; - "swipe:down" = "exec ${swaylock}"; - "swipe:up" = "exec ${cwall}"; + "swipe:left" = "workspace next"; + "swipe:right" = "workspace prev"; + "swipe:down" = "exec ${swaylock}"; + "swipe:up" = "exec ${cwall}"; }; input = { - "type:touchpad" = { - dwt = "enabled"; - tap = "enabled"; - natural_scroll = "enabled"; - }; - "type:keyboard" = { - repeat_rate = 100; - repeat_delay = 250; - }; + "type:touchpad" = { + dwt = "enabled"; + tap = "enabled"; + natural_scroll = "enabled"; + }; + "type:keyboard" = { + repeat_rate = 100; + repeat_delay = 250; + }; }; bindsym = { - # basics - "${mod}+q" = "kill"; - "${mod}+shift+c" = "reload"; - "${mod}+shift+e" = '' - exec swaynag -t warning -m 'Do you really want to exit sway?' 
\ - -B 'Yes, exit sway' 'swaymsg exit' - ''; - - # workspaces - "${mod}+1" = "workspace number 1"; - "${mod}+2" = "workspace number 2"; - "${mod}+3" = "workspace number 3"; - "${mod}+4" = "workspace number 4"; - "${mod}+5" = "workspace number 5"; - "${mod}+6" = "workspace number 6"; - "${mod}+7" = "workspace number 7"; - "${mod}+8" = "workspace number 8"; - "${mod}+9" = "workspace number 9"; - "${mod}+tab" = "workspace back_and_forth"; - "${mod}+shift+1" = "move container to workspace number 1"; - "${mod}+shift+2" = "move container to workspace number 2"; - "${mod}+shift+3" = "move container to workspace number 3"; - "${mod}+shift+4" = "move container to workspace number 4"; - "${mod}+shift+5" = "move container to workspace number 5"; - "${mod}+shift+6" = "move container to workspace number 6"; - "${mod}+shift+7" = "move container to workspace number 7"; - "${mod}+shift+8" = "move container to workspace number 8"; - "${mod}+shift+9" = "move container to workspace number 9"; - "${mod}+c" = "splitv"; - "${mod}+v" = "splith"; - - # layout - "${mod}+${left}" = "focus left"; - "${mod}+${down}" = "focus down"; - "${mod}+${up}" = "focus up"; - "${mod}+${right}" = "focus right"; - "${mod}+shift+${left}" = "move left"; - "${mod}+shift+${right}" = "move right"; - "${mod}+shift+${down}" = "move down"; - "${mod}+shift+${up}" = "move up"; - "${mod}+f" = "fullscreen"; - "${mod}+s" = "layout stacking"; - "${mod}+t" = "layout tabbed"; - "${mod}+e" = "layout toggle split"; - "${mod}+shift+space" = "floating toggle"; - "${mod}+r" = "mode resize"; - - # scratchpad - "${mod}+shift+minus" = "move scratchpad"; - "${mod}+minus" = "scratchpad show"; - - # exec - "print" = "exec ${freezshot}"; - "${mod}+return" = "exec ${foot}"; - "${mod}+o" = "exec ${bemenu}"; - "${mod}+w" = "exec ${firefox}"; - "${mod}+n" = "exec ${foot} -- ${nnn} -decC"; - - XF86MonBrightnessDown = "exec ${brightnessctl} set 1%-"; - XF86MonBrightnessUp = "exec ${brightnessctl} set 1%+"; - XF86AudioLowerVolume = "exec 
${wpctl} set-volume @DEFAULT_AUDIO_SINK@ 5%-"; - XF86AudioRaiseVolume = "exec ${wpctl} set-volume --limit 1.5 @DEFAULT_AUDIO_SINK@ 5%+"; - XF86AudioMute = "exec ${wpctl} set-mute @DEFAULT_AUDIO_SINK@ toggle"; - XF86AudioMicMute = "exec ${wpctl} set-mute @DEFAULT_AUDIO_SOURCE@ toggle"; + # basics + "${mod}+q" = "kill"; + "${mod}+shift+c" = "reload"; + "${mod}+shift+e" = '' + exec swaynag -t warning -m 'Do you really want to exit sway?' \ + -B 'Yes, exit sway' 'swaymsg exit' + ''; + + # workspaces + "${mod}+1" = "workspace number 1"; + "${mod}+2" = "workspace number 2"; + "${mod}+3" = "workspace number 3"; + "${mod}+4" = "workspace number 4"; + "${mod}+5" = "workspace number 5"; + "${mod}+6" = "workspace number 6"; + "${mod}+7" = "workspace number 7"; + "${mod}+8" = "workspace number 8"; + "${mod}+9" = "workspace number 9"; + "${mod}+tab" = "workspace back_and_forth"; + "${mod}+shift+1" = "move container to workspace number 1"; + "${mod}+shift+2" = "move container to workspace number 2"; + "${mod}+shift+3" = "move container to workspace number 3"; + "${mod}+shift+4" = "move container to workspace number 4"; + "${mod}+shift+5" = "move container to workspace number 5"; + "${mod}+shift+6" = "move container to workspace number 6"; + "${mod}+shift+7" = "move container to workspace number 7"; + "${mod}+shift+8" = "move container to workspace number 8"; + "${mod}+shift+9" = "move container to workspace number 9"; + "${mod}+c" = "splitv"; + "${mod}+v" = "splith"; + + # layout + "${mod}+${left}" = "focus left"; + "${mod}+${down}" = "focus down"; + "${mod}+${up}" = "focus up"; + "${mod}+${right}" = "focus right"; + "${mod}+shift+${left}" = "move left"; + "${mod}+shift+${right}" = "move right"; + "${mod}+shift+${down}" = "move down"; + "${mod}+shift+${up}" = "move up"; + "${mod}+f" = "fullscreen"; + "${mod}+s" = "layout stacking"; + "${mod}+t" = "layout tabbed"; + "${mod}+e" = "layout toggle split"; + "${mod}+shift+space" = "floating toggle"; + "${mod}+r" = "mode resize"; + + # 
scratchpad + "${mod}+shift+minus" = "move scratchpad"; + "${mod}+minus" = "scratchpad show"; + + # exec + "print" = "exec ${freezshot}"; + "${mod}+return" = "exec ${foot}"; + "${mod}+o" = "exec ${bemenu}"; + "${mod}+w" = "exec ${firefox}"; + "${mod}+n" = "exec ${foot} -- ${nnn} -decC"; + + XF86MonBrightnessDown = "exec ${brightnessctl} set 1%-"; + XF86MonBrightnessUp = "exec ${brightnessctl} set 1%+"; + XF86AudioLowerVolume = "exec ${wpctl} set-volume @DEFAULT_AUDIO_SINK@ 5%-"; + XF86AudioRaiseVolume = "exec ${wpctl} set-volume --limit 1.5 @DEFAULT_AUDIO_SINK@ 5%+"; + XF86AudioMute = "exec ${wpctl} set-mute @DEFAULT_AUDIO_SINK@ toggle"; + XF86AudioMicMute = "exec ${wpctl} set-mute @DEFAULT_AUDIO_SOURCE@ toggle"; }; mode.resize.bindsym = { - ${left} = "resize shrink width 10px"; - ${right} = "resize grow width 10px"; - ${down} = "resize grow height 10px"; - ${up} = "resize shrink height 10px"; - return = "mode default"; + ${left} = "resize shrink width 10px"; + ${right} = "resize grow width 10px"; + ${down} = "resize grow height 10px"; + ${up} = "resize shrink height 10px"; + return = "mode default"; }; exec = [ mako ]; diff --git a/home/wayland/modules/sway/i3status.nix b/home/wayland/modules/sway/i3status.nix index a7e4075..dbc8671 100644 --- a/home/wayland/modules/sway/i3status.nix +++ b/home/wayland/modules/sway/i3status.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ programs.i3status = { enable = true; enableDefault = false; @@ -56,7 +57,7 @@ }; "wireless _first_" = { - position = 00; + position = 0; settings = { format_up = " %quality"; format_down = ""; diff --git a/home/wayland/modules/sway/mako.nix b/home/wayland/modules/sway/mako.nix index d545cd1..a0b4fc6 100644 --- a/home/wayland/modules/sway/mako.nix +++ b/home/wayland/modules/sway/mako.nix 
@@ -1,8 +1,16 @@ -{ config, pkgs, lib, ... }: let - font = config.global.font.sans.name - + lib.optionalString (config.global.font.sans.size != null) - " " + builtins.toString config.global.font.sans.size; -in { +{ + config, + pkgs, + lib, + ... +}: +let + font = + config.global.font.sans.name + + lib.optionalString (config.global.font.sans.size != null) " " + + builtins.toString config.global.font.sans.size; +in +{ home.packages = with pkgs; [ libnotify ]; services.mako = { diff --git a/home/wayland/modules/sway/swayidle.nix b/home/wayland/modules/sway/swayidle.nix index fd23f41..d9ff473 100644 --- a/home/wayland/modules/sway/swayidle.nix +++ b/home/wayland/modules/sway/swayidle.nix @@ -1,4 +1,10 @@ -{ config, lib, pkgs, ... }: let +{ + config, + lib, + pkgs, + ... +}: +let swaylock = lib.getExe config.programs.swaylock.package; brightnessctl = lib.getExe pkgs.brightnessctl; swaymsg = "${pkgs.sway}/bin/swaymsg"; 
@@ -7,34 +13,42 @@ suspend_timeout = minute * 60; suspend_on_battery = pkgs.writeShellApplication { name = "suspend_on_battery"; - runtimeInputs = with pkgs; [ gnugrep systemd sudo coreutils ]; - text = let - sudo = "/run/wrappers/bin/sudo"; - in '' - is_discharging() { - grep -qFx \ - 'POWER_SUPPLY_STATUS=Discharging' \ - /sys/class/power_supply/*/uevent - } + runtimeInputs = with pkgs; [ + gnugrep + systemd + sudo + coreutils + ]; + text = + let + sudo = "/run/wrappers/bin/sudo"; + in + '' + is_discharging() { + grep -qFx \ + 'POWER_SUPPLY_STATUS=Discharging' \ + /sys/class/power_supply/*/uevent + } - was_charging=false - while true; do - if is_discharging; then - if [ $was_charging = true ]; then - sleep ${builtins.toString suspend_timeout} - fi + was_charging=false + while true; do + if is_discharging; then + if [ $was_charging = true ]; then + sleep ${builtins.toString suspend_timeout} + fi - if is_discharging; then - ${sudo} systemctl suspend-then-hibernate - fi - fi + if is_discharging; then + ${sudo} systemctl suspend-then-hibernate + fi + fi - was_charging=true - sleep 10 - done - ''; + was_charging=true + sleep 10 + done + ''; }; -in { +in +{ systemd.user.services.suspend_on_battery = { Unit.Description = "Suspend on battery"; Service.ExecStart = lib.getExe suspend_on_battery; 
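Review bot: The `sudo` entry in the reformatted `runtimeInputs` list is never what the script executes: the `let` binding hardcodes `/run/wrappers/bin/sudo`, the setuid wrapper, whereas `pkgs.sudo` placed on PATH is the plain store binary and cannot escalate, so the entry is dead and misleading. Either drop `sudo` from `runtimeInputs`, or keep it and annotate the binding, `sudo = "/run/wrappers/bin/sudo"; # setuid wrapper; the pkgs.sudo on PATH cannot escalate`. Invoking `systemctl suspend-then-hibernate` through sudo from a user service presumably depends on a NOPASSWD rule defined elsewhere; it is not in this hunk, so I can only suggest that it be scoped to exactly that command rather than a blanket grant. The enclosing `let` begins before this hunk.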
@@ -44,42 +58,40 @@ in { enable = true; systemdTarget = "sway-session.target"; - events = [{ - event = "before-sleep"; - command = swaylock; - }]; + events = [ + { + event = "before-sleep"; + command = swaylock; + } + ]; timeouts = [ { - timeout = minute * 30; - command = - "${brightnessctl} --save; " - + "${brightnessctl} set 10%-"; - resumeCommand = "${brightnessctl} --restore"; + timeout = minute * 30; + command = "${brightnessctl} --save; " + "${brightnessctl} set 10%-"; + resumeCommand = "${brightnessctl} --restore"; } { - timeout = minute * 31; - command = swaylock; + timeout = minute * 31; + command = swaylock; } { - timeout = minute * 32; - command = - "${swaymsg} --type command 'output * dpms off'; " - + "${brightnessctl} -c leds -d platform::kbd_backlight --save; " - + "${brightnessctl} -c leds -d platform::kbd_backlight set 0"; - resumeCommand = - "${brightnessctl} -c leds -d platform::kbd_backlight --restore; " - + "${swaymsg} --type command 'output * dpms on'"; + timeout = minute * 32; + command = + "${swaymsg} --type command 'output * dpms off'; " + + "${brightnessctl} -c leds -d platform::kbd_backlight --save; " + + "${brightnessctl} -c leds -d platform::kbd_backlight set 0"; + resumeCommand = + "${brightnessctl} -c leds -d platform::kbd_backlight --restore; " + + "${swaymsg} --type command 'output * dpms on'"; } { - timeout = suspend_timeout; - command = - "${pkgs.systemd}/bin/systemctl --user start suspend_on_battery"; - resumeCommand = - "${pkgs.systemd}/bin/systemctl --user stop suspend_on_battery"; + timeout = suspend_timeout; + command = "${pkgs.systemd}/bin/systemctl --user start suspend_on_battery"; + resumeCommand = "${pkgs.systemd}/bin/systemctl --user stop suspend_on_battery"; } ]; }; diff --git a/home/wayland/modules/sway/swaylock.nix b/home/wayland/modules/sway/swaylock.nix index 1d5a58f..d606167 100644 --- a/home/wayland/modules/sway/swaylock.nix +++ b/home/wayland/modules/sway/swaylock.nix 
@@ -1,6 +1,8 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let background = "${config.xdg.dataHome}/wayland/lockscreen"; -in { +in +{ programs.swaylock = { enable = true; package = pkgs.swaylock-effects; diff --git a/home/wayland/modules/sway/theme.nix b/home/wayland/modules/sway/theme.nix index b1673da..57bb314 100644 --- a/home/wayland/modules/sway/theme.nix +++ b/home/wayland/modules/sway/theme.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ dconf.enable = false; gtk = { diff --git a/home/wayland/modules/ttyasrt.nix b/home/wayland/modules/ttyasrt.nix index ba9a2c5..399770b 100644 --- a/home/wayland/modules/ttyasrt.nix +++ b/home/wayland/modules/ttyasrt.nix @@ -1,7 +1,9 @@ -{ pkgs, ... }: let - wayland-scripts = pkgs.callPackage ../pkgs/wayland-scripts {}; +{ pkgs, ... }: +let + wayland-scripts = pkgs.callPackage ../pkgs/wayland-scripts { }; ttyasrt = "${wayland-scripts}/bin/ttyasrt"; -in { +in +{ home.packages = [ wayland-scripts ]; xdg.desktopEntries = { diff --git a/home/wayland/modules/zathura.nix b/home/wayland/modules/zathura.nix index faec245..68ba875 100644 --- a/home/wayland/modules/zathura.nix +++ b/home/wayland/modules/zathura.nix @@ -1,9 +1,12 @@ -{ config, lib, ... }: let - font = config.global.font.sans.name - + lib.optionalString (config.global.font.sans.size != null) - " " + builtins.toString config.global.font.sans.size; -in { - programs.zathura = { +{ config, lib, ... }: +let + font = + config.global.font.sans.name + + lib.optionalString (config.global.font.sans.size != null) " " + + builtins.toString config.global.font.sans.size; +in +{ + programs.zathura = { enable = true; mappings = { diff --git a/home/wayland/pkgs/wayland-scripts/default.nix b/home/wayland/pkgs/wayland-scripts/default.nix index c96ad22..0e28487 100644 --- a/home/wayland/pkgs/wayland-scripts/default.nix +++ b/home/wayland/pkgs/wayland-scripts/default.nix 
@@ -37,13 +37,27 @@ stdenvNoCC.mkDerivation { postInstall = '' wrapProgram $out/bin/cwall \ - --prefix PATH : ${lib.makeBinPath [ ffmpeg libnotify sway ]} + --prefix PATH : ${ + lib.makeBinPath [ + ffmpeg + libnotify + sway + ] + } wrapProgram $out/bin/daskpass \ --prefix PATH : ${lib.makeBinPath [ bemenu ]} wrapProgram $out/bin/ttyasrt \ --prefix PATH : ${lib.makeBinPath [ libnotify ]} wrapProgram $out/bin/freezshot \ - --prefix PATH : ${lib.makeBinPath [ ffmpeg sway grim slurp imv ]} + --prefix PATH : ${ + lib.makeBinPath [ + ffmpeg + sway + grim + slurp + imv + ] + } ''; meta = { diff --git a/os/cez/configuration.nix b/os/cez/configuration.nix index af2d144..a069f21 100644 --- a/os/cez/configuration.nix +++ b/os/cez/configuration.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ imports = [ ../pc/configuration.nix ./hardware-configuration.nix diff --git a/os/cez/hardware-configuration.nix b/os/cez/hardware-configuration.nix index f1d5f32..3877852 100644 --- a/os/cez/hardware-configuration.nix +++ b/os/cez/hardware-configuration.nix @@ -1,4 +1,11 @@ -{ modulesPath, nixos-hardware, config, pkgs, lib, ... }: +{ + modulesPath, + nixos-hardware, + config, + pkgs, + lib, + ... +}: { imports = [ @@ -13,10 +20,12 @@ }; services.xserver.videoDrivers = [ "modesetting" ]; - swapDevices = [{ - device = "/swapfile"; - size = 14 * 1024; # 14GB - }]; + swapDevices = [ + { + device = "/swapfile"; + size = 14 * 1024; # 14GB + } + ]; boot = { kernelPackages = lib.mkForce pkgs.linuxPackages; @@ -24,8 +33,7 @@ blacklistedKernelModules = [ "k10temp" ]; extraModulePackages = with config.boot.kernelPackages; [ zenpower ]; - initrd.luks.devices."crypt".device = - "/dev/disk/by-uuid/84acd784-caad-41a1-a2e4-39468d01fefd"; + initrd.luks.devices."crypt".device = "/dev/disk/by-uuid/84acd784-caad-41a1-a2e4-39468d01fefd"; }; fileSystems = { diff --git a/os/cez/modules/specialisation.nix b/os/cez/modules/specialisation.nix index abc08e8..e401e1b 100644 --- a/os/cez/modules/specialisation.nix 
+++ b/os/cez/modules/specialisation.nix @@ -1,4 +1,5 @@ -{ lib, ... }: { +{ lib, ... }: +{ specialisation.nvidia.configuration = { boot = { kernelParams = [ "transparent_hugepage=always" ]; diff --git a/os/cez/modules/tlp.nix b/os/cez/modules/tlp.nix index 1ccd539..887dcec 100644 --- a/os/cez/modules/tlp.nix +++ b/os/cez/modules/tlp.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ services.tlp = { enable = true; diff --git a/os/cez/modules/wireguard.nix b/os/cez/modules/wireguard.nix index c52087a..47b857a 100644 --- a/os/cez/modules/wireguard.nix +++ b/os/cez/modules/wireguard.nix @@ -1,4 +1,5 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let domain = config.global.userdata.domain; wgIface = "kay"; @@ -21,8 +22,9 @@ fi ''; }; -in { - sops.secrets."misc/wireguard" = {}; +in +{ + sops.secrets."misc/wireguard" = { }; networking.wg-quick.interfaces.${wgIface} = { autostart = false; @@ -31,16 +33,18 @@ in { mtu = 1412; privateKeyFile = config.sops.secrets."misc/wireguard".path; - peers = [{ - publicKey = "wJMyQDXmZO4MjYRk6NK4+J6ZKWLTTZygAH+OwbPjOiw="; - allowedIPs = [ - "10.0.1.0/24" - "104.16.0.0/12" - "172.64.0.0/13" - ]; - endpoint = "${domain}:51820"; - persistentKeepalive = 25; - }]; + peers = [ + { + publicKey = "wJMyQDXmZO4MjYRk6NK4+J6ZKWLTTZygAH+OwbPjOiw="; + allowedIPs = [ + "10.0.1.0/24" + "104.16.0.0/12" + "172.64.0.0/13" + ]; + endpoint = "${domain}:51820"; + persistentKeepalive = 25; + } + ]; }; environment.systemPackages = [ helper ]; diff --git a/os/cez/modules/www.nix b/os/cez/modules/www.nix deleted file mode 100644 index 9ec20da..0000000 --- a/os/cez/modules/www.nix +++ /dev/null 
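Review bot: In the wireguard.nix hunk `@@ -31,16 +33,18 @@`, the reformatted `allowedIPs` list gives no hint of why two large public ranges (`104.16.0.0/12`, `172.64.0.0/13`) are steered through the tunnel next to the private `10.0.1.0/24`; they appear to be CDN address space, and someone auditing this host's egress cannot tell whether that routing is intentional. A one-line comment above the list would settle it, e.g. `# <purpose placeholder>: these public ranges are deliberately routed via the tunnel`. The enclosing `networking.wg-quick.interfaces` attribute opens in the preceding hunk of the same file.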
@@ -1,46 +0,0 @@ -{ config, pkgs, lib, ... }: - -let - domain = config.global.userdata.domain; -in -{ - services.nginx = { - enable = true; - - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - recommendedBrotliSettings = true; - - virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - useACMEHost = domain; - locations."= /" = { - extraConfig = "add_header Content-Type text/html;"; - return = ''200 - '<!DOCTYPE html> - <html lang="en"> - <head> - <meta charset="UTF-8"> - <title>Nix Cache</title> - </head> - <body> - <center> - <h1 style="font-size: 8em"> - ❄️ Nix Cache - </h1> - <p style="font-weight: bold"> - Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k= - </p> - </center> - </body> - </html>' - ''; - }; - }; - - }; - }; -} diff --git a/os/common/configuration.nix b/os/common/configuration.nix index 17b8f2a..b1dd263 100644 --- a/os/common/configuration.nix +++ b/os/common/configuration.nix @@ -1,6 +1,13 @@ -{ config, pkgs, lib, ... }: let +{ + config, + pkgs, + lib, + ... +}: +let host = config.networking.hostName; -in { +in +{ disabledModules = [ "services/networking/pppd.nix" ]; @@ -15,16 +22,20 @@ in { time.timeZone = "Asia/Kolkata"; networking.useDHCP = false; - swapDevices = lib.mkDefault [{ - device = "/swapfile"; - size = 2048; # 2GB - }]; + swapDevices = lib.mkDefault [ + { + device = "/swapfile"; + size = 2048; # 2GB + } + ]; - services.udev.extraRules = let - cmd = "${pkgs.systemd}/bin/systemctl hibernate"; - in '' - SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${cmd}" - ''; + services.udev.extraRules = + let + cmd = "${pkgs.systemd}/bin/systemctl hibernate"; + in + '' + SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${cmd}" + ''; sops = { defaultSopsFile = ../${host}/secrets.yaml; 
@@ -47,5 +58,10 @@ in { ''; nixpkgs.config.allowUnfreePredicate = - pkg: builtins.elem (lib.getName pkg) [ "nvidia-x11" "slack" "spotify" ]; + pkg: + builtins.elem (lib.getName pkg) [ + "nvidia-x11" + "slack" + "spotify" + ]; } diff --git a/os/common/modules/environment.nix b/os/common/modules/environment.nix index 38446f2..576d756 100644 --- a/os/common/modules/environment.nix +++ b/os/common/modules/environment.nix @@ -1,4 +1,5 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, ... }: +{ environment = { binsh = lib.getExe pkgs.dash; systemPackages = with pkgs; [ diff --git a/os/common/modules/nix.nix b/os/common/modules/nix.nix index f850e24..b733c9c 100644 --- a/os/common/modules/nix.nix +++ b/os/common/modules/nix.nix @@ -1,8 +1,12 @@ -{ ... }: { +{ ... }: +{ nix.settings = { auto-optimise-store = true; use-xdg-base-directories = true; - experimental-features = [ "flakes" "nix-command" ]; + experimental-features = [ + "flakes" + "nix-command" + ]; substituters = [ "https://nixbin.sinanmohd.com" diff --git a/os/common/modules/pppd.nix b/os/common/modules/pppd.nix index 772cb29..69c37b8 100644 --- a/os/common/modules/pppd.nix +++ b/os/common/modules/pppd.nix @@ -1,10 +1,20 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.services.pppd; - shTypes = [ "ip-up" "ip-down" "ipv6-up" "ipv6-down" ]; + shTypes = [ + "ip-up" + "ip-down" + "ipv6-up" + "ipv6-down" + ]; in { meta = { 
@@ -46,232 +56,249 @@ in }; script = mkOption { - default = {}; + default = { }; description = lib.mdoc '' script which is executed when the link is available for sending and receiving IP packets or when the link is no longer available for sending and receiving IP packets, see pppd(8) for more details ''; - type = types.attrsOf (types.submodule ( - { name, ... }: - { - options = { - name = mkOption { - type = types.str; - default = name; - example = "01-ddns.sh"; - description = lib.mdDoc "Name of the script."; - }; - type = mkOption { - default = "ip-up"; - type = types.enum shTypes; - description = lib.mdDoc "Type of the script."; - }; - text = mkOption { - type = types.lines; - default = ""; - description = lib.mdDoc "Shell commands to be executed."; - }; - runtimeInputs = mkOption { - type = types.listOf types.package; - default = []; - description = lib.mdDoc "dependencies of the shell script"; + type = types.attrsOf ( + types.submodule ( + { name, ... }: + { + options = { + name = mkOption { + type = types.str; + default = name; + example = "01-ddns.sh"; + description = lib.mdDoc "Name of the script."; + }; + type = mkOption { + default = "ip-up"; + type = types.enum shTypes; + description = lib.mdDoc "Type of the script."; + }; + text = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc "Shell commands to be executed."; + }; + runtimeInputs = mkOption { + type = types.listOf types.package; + default = [ ]; + description = lib.mdDoc "dependencies of the shell script"; + }; }; - }; - } - )); + } + ) + ); }; peers = mkOption { - default = {}; + default = { }; description = lib.mdDoc "pppd peers."; - type = types.attrsOf (types.submodule ( - { name, ... }: - { - options = { - name = mkOption { - type = types.str; - default = name; - example = "dialup"; - description = lib.mdDoc "Name of the PPP peer."; - }; + type = types.attrsOf ( + types.submodule ( + { name, ... 
}: + { + options = { + name = mkOption { + type = types.str; + default = name; + example = "dialup"; + description = lib.mdDoc "Name of the PPP peer."; + }; - enable = mkOption { - type = types.bool; - default = true; - example = false; - description = lib.mdDoc "Whether to enable this PPP peer."; - }; + enable = mkOption { + type = types.bool; + default = true; + example = false; + description = lib.mdDoc "Whether to enable this PPP peer."; + }; - autostart = mkOption { - type = types.bool; - default = true; - example = false; - description = lib.mdDoc "Whether the PPP session is automatically started at boot time."; - }; + autostart = mkOption { + type = types.bool; + default = true; + example = false; + description = lib.mdDoc "Whether the PPP session is automatically started at boot time."; + }; - config = mkOption { - type = types.lines; - default = ""; - description = lib.mdDoc "pppd configuration for this peer, see the pppd(8) man page."; - }; + config = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc "pppd configuration for this peer, see the pppd(8) man page."; + }; - configFile = mkOption { - type = types.nullOr types.path; - default = null; - example = literalExpression "/run/secrets/ppp/peer/options"; - description = lib.mdDoc "pppd configuration file for this peer, see the pppd(8) man page."; + configFile = mkOption { + type = types.nullOr types.path; + default = null; + example = literalExpression "/run/secrets/ppp/peer/options"; + description = lib.mdDoc "pppd configuration file for this peer, see the pppd(8) man page."; + }; }; - }; - } - )); + } + ) + ); }; }; - config = let - enabledConfigs = filter (f: f.enable) (attrValues cfg.peers); + config = + let + enabledConfigs = filter (f: f.enable) (attrValues cfg.peers); - defaultCfg = if (cfg.config != "") then { - "ppp/options".text = cfg.config; - } else {}; + defaultCfg = + if (cfg.config != "") then + { + "ppp/options".text = cfg.config; + } + else + { }; - mkPeers = 
peerCfg: with peerCfg; let - key = if (configFile == null) then "text" else "source"; - val = if (configFile == null) then peerCfg.config else configFile; - in - { - name = "ppp/peers/${name}"; - value.${key} = val; - }; - - enabledSh = filter (s: s.text != "") (attrValues cfg.script); - mkMsh = name : { - name = "ppp/${name}"; - value.mode = "0755"; - value.text = '' - #!/bin/sh + mkPeers = + peerCfg: + with peerCfg; + let + key = if (configFile == null) then "text" else "source"; + val = if (configFile == null) then peerCfg.config else configFile; + in + { + name = "ppp/peers/${name}"; + value.${key} = val; + }; - # see the pppd(8) man page - for s in /etc/ppp/${name}.d/*.sh; do - [ -x "$s" ] && "$s" "$@" - done - ''; - }; - mkUsh = shCfg : { - name = "ppp/${shCfg.type}.d/${shCfg.name}.sh"; - value.mode = "0755"; - value.text = '' - #!/bin/sh - export PATH="${makeBinPath shCfg.runtimeInputs}:$PATH" + enabledSh = filter (s: s.text != "") (attrValues cfg.script); + mkMsh = name: { + name = "ppp/${name}"; + value.mode = "0755"; + value.text = '' + #!/bin/sh - ${shCfg.text} - ''; - }; + # see the pppd(8) man page + for s in /etc/ppp/${name}.d/*.sh; do + [ -x "$s" ] && "$s" "$@" + done + ''; + }; + mkUsh = shCfg: { + name = "ppp/${shCfg.type}.d/${shCfg.name}.sh"; + value.mode = "0755"; + value.text = '' + #!/bin/sh + export PATH="${makeBinPath shCfg.runtimeInputs}:$PATH" - enabledSec = let - l = attrNames cfg.secret; - f = (s: cfg.secret.${s} != null); - in filter f l; - mkSec = sec : { - name = "ppp/${sec}-secrets"; - value.source = cfg.secret.${sec}; - }; + ${shCfg.text} + ''; + }; - mkSystemd = peerCfg: { - name = "pppd-${peerCfg.name}"; - value = { - restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ]; - before = [ "network.target" ]; - wants = [ "network.target" ]; - after = [ "network-pre.target" ]; - environment = { - # pppd likes to write directly into /var/run. 
This is rude - # on a modern system, so we use libredirect to transparently - # move those files into /run/pppd. - LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so"; - NIX_REDIRECTS = "/var/run=/run/pppd"; - }; - serviceConfig = let - capabilities = [ - "CAP_BPF" - "CAP_SYS_TTY_CONFIG" - "CAP_NET_ADMIN" - "CAP_NET_RAW" - ]; + enabledSec = + let + l = attrNames cfg.secret; + f = (s: cfg.secret.${s} != null); in - { - ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog"; - Restart = "always"; - RestartSec = 5; + filter f l; + mkSec = sec: { + name = "ppp/${sec}-secrets"; + value.source = cfg.secret.${sec}; + }; + + mkSystemd = peerCfg: { + name = "pppd-${peerCfg.name}"; + value = { + restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ]; + before = [ "network.target" ]; + wants = [ "network.target" ]; + after = [ "network-pre.target" ]; + environment = { + # pppd likes to write directly into /var/run. This is rude + # on a modern system, so we use libredirect to transparently + # move those files into /run/pppd. + LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so"; + NIX_REDIRECTS = "/var/run=/run/pppd"; + }; + serviceConfig = + let + capabilities = [ + "CAP_BPF" + "CAP_SYS_TTY_CONFIG" + "CAP_NET_ADMIN" + "CAP_NET_RAW" + ]; + in + { + ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog"; + Restart = "always"; + RestartSec = 5; - AmbientCapabilities = capabilities; - CapabilityBoundingSet = capabilities; - KeyringMode = "private"; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateMounts = true; - PrivateTmp = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelModules = true; - # pppd can be configured to tweak kernel settings. 
- ProtectKernelTunables = false; - ProtectSystem = "strict"; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_ATMPVC" - "AF_ATMSVC" - "AF_INET" - "AF_INET6" - "AF_IPX" - "AF_NETLINK" - "AF_PACKET" - "AF_PPPOX" - "AF_UNIX" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SecureBits = "no-setuid-fixup-locked noroot-locked"; - SystemCallFilter = "@system-service"; - SystemCallArchitectures = "native"; + AmbientCapabilities = capabilities; + CapabilityBoundingSet = capabilities; + KeyringMode = "private"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateMounts = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelModules = true; + # pppd can be configured to tweak kernel settings. + ProtectKernelTunables = false; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_ATMPVC" + "AF_ATMSVC" + "AF_INET" + "AF_INET6" + "AF_IPX" + "AF_NETLINK" + "AF_PACKET" + "AF_PPPOX" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SecureBits = "no-setuid-fixup-locked noroot-locked"; + SystemCallFilter = "@system-service"; + SystemCallArchitectures = "native"; - # All pppd instances on a system must share a runtime - # directory in order for PPP multilink to work correctly. So - # we give all instances the same /run/pppd directory to store - # things in. - # - # For the same reason, we can't set PrivateUsers=true, because - # all instances need to run as the same user to access the - # multilink database. - RuntimeDirectory = "pppd"; - RuntimeDirectoryPreserve = true; + # All pppd instances on a system must share a runtime + # directory in order for PPP multilink to work correctly. So + # we give all instances the same /run/pppd directory to store + # things in. 
+ # + # For the same reason, we can't set PrivateUsers=true, because + # all instances need to run as the same user to access the + # multilink database. + RuntimeDirectory = "pppd"; + RuntimeDirectoryPreserve = true; + }; + wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ]; }; - wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ]; }; - }; - etcFiles = listToAttrs (map mkPeers enabledConfigs) // - listToAttrs (map mkMsh shTypes) // - listToAttrs (map mkUsh enabledSh) // - listToAttrs (map mkSec enabledSec) // - defaultCfg; + etcFiles = + listToAttrs (map mkPeers enabledConfigs) + // listToAttrs (map mkMsh shTypes) + // listToAttrs (map mkUsh enabledSh) + // listToAttrs (map mkSec enabledSec) + // defaultCfg; - systemdConfigs = listToAttrs (map mkSystemd enabledConfigs); + systemdConfigs = listToAttrs (map mkSystemd enabledConfigs); - in mkIf cfg.enable { - assertions = map (peerCfg: { - assertion = (peerCfg.configFile == null || peerCfg.config == ""); - message = '' - Please specify either - 'services.pppd.${peerCfg.name}.config' or - 'services.pppd.${peerCfg.name}.configFile'. - ''; - }) enabledConfigs; + in + mkIf cfg.enable { + assertions = map (peerCfg: { + assertion = (peerCfg.configFile == null || peerCfg.config == ""); + message = '' + Please specify either + 'services.pppd.${peerCfg.name}.config' or + 'services.pppd.${peerCfg.name}.configFile'. + ''; + }) enabledConfigs; - environment.etc = etcFiles; - systemd.services = systemdConfigs; - }; + environment.etc = etcFiles; + systemd.services = systemdConfigs; + }; } diff --git a/os/common/modules/user.nix b/os/common/modules/user.nix index bdf258e..fa4e1c9 100644 --- a/os/common/modules/user.nix +++ b/os/common/modules/user.nix @@ -1,7 +1,9 @@ -{ config, ... }: let +{ config, ... }: +let user = config.global.userdata.name; email = config.global.userdata.email; -in { +in +{ users.users.${user} = { uid = 1000; isNormalUser = true; 
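Review bot: The assertion message at the end of the `config` block points at the wrong option path: the per-peer options are declared under `peers`, so `'services.pppd.${peerCfg.name}.config'` should read `'services.pppd.peers.${peerCfg.name}.config'`, and likewise for `configFile`. The check itself only rejects setting both; a peer with neither set passes and is written out as an empty `ppp/peers/<name>` file, which is worth stating in the `config` option description if it is intended. The hunk covers `config` in full, but the `options.services.pppd.secret`, `config` and `package` declarations it reads, and the module header, start before it.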
diff --git a/os/fscusat/configuration.nix b/os/fscusat/configuration.nix index 896e858..598ae8c 100644 --- a/os/fscusat/configuration.nix +++ b/os/fscusat/configuration.nix @@ -10,5 +10,8 @@ ./modules/mirror ]; - services.openssh.ports = [ 22 465 ]; + services.openssh.ports = [ + 22 + 465 + ]; } diff --git a/os/fscusat/modules/mirror/debian/default.nix b/os/fscusat/modules/mirror/debian/default.nix index c0a35cd..b80c6b8 100644 --- a/os/fscusat/modules/mirror/debian/default.nix +++ b/os/fscusat/modules/mirror/debian/default.nix @@ -1,7 +1,9 @@ -{ config, ... }: let +{ config, ... }: +let name = config.global.userdata.name; email = config.global.userdata.email; -in { +in +{ imports = [ ./ftpsync.nix ]; services.ftpsync = { diff --git a/os/fscusat/modules/mirror/debian/ftpsync.nix b/os/fscusat/modules/mirror/debian/ftpsync.nix index 29fb55b..d2394de 100644 --- a/os/fscusat/modules/mirror/debian/ftpsync.nix +++ b/os/fscusat/modules/mirror/debian/ftpsync.nix @@ -1,10 +1,15 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.ftpsync; - archvsync = pkgs.callPackage ../../../pkgs/archvsync {}; + archvsync = pkgs.callPackage ../../../pkgs/archvsync { }; - formatKeyValue = k: v: '' ${k}="${v}" ''; + formatKeyValue = k: v: ''${k}="${v}" ''; configFormat = pkgs.formats.keyValue { mkKeyValue = formatKeyValue; }; configFile = configFormat.generate "ftpsync.conf" cfg.settings; in @@ -16,7 +21,7 @@ in settings = lib.mkOption { inherit (configFormat) type; - default = {}; + default = { }; description = lib.mdDoc '' Configuration options for ftpsync. See ftpsync.conf(5) man page for available options. 
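Review bot: `formatKeyValue = k: v: ''${k}="${v}" '';` in the ftpsync hunk inserts each value verbatim inside double quotes, and the module itself relies on that (the `LOGDIR = lib.mkDefault "$LOGS_DIRECTORY"` default only works because the file is evaluated as shell), so a value containing `"`, `$` or a backslash changes the meaning of the generated `ftpsync.conf` rather than being a literal. A comment on the line such as `# values are emitted unescaped into a shell-sourced file; keep settings shell-safe` would make the contract visible, and the `settings` option description could say the same. The leading `''${` also reads like the indented-string `''$` escape although it is an interpolation after the opener, which is another reason to annotate the line. The `let` block continues past the hunk.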
@@ -33,33 +38,35 @@ in LOGDIR = lib.mkDefault "$LOGS_DIRECTORY"; }; - systemd = let - name = "ftpsync"; - meta = { - description = "Mirror Debian repositories of packages"; - documentation = [ "man:ftpsync(1)" ]; - }; - in { - timers.${name} = meta // { - wantedBy = [ "timers.target" ]; + systemd = + let + name = "ftpsync"; + meta = { + description = "Mirror Debian repositories of packages"; + documentation = [ "man:ftpsync(1)" ]; + }; + in + { + timers.${name} = meta // { + wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "*-*-* 00,06,12,18:00:00"; - Unit="%i.service"; - Persistent = true; - FixedRandomDelay = true; - RandomizedDelaySec = "6h"; + timerConfig = { + OnCalendar = "*-*-* 00,06,12,18:00:00"; + Unit = "%i.service"; + Persistent = true; + FixedRandomDelay = true; + RandomizedDelaySec = "6h"; + }; }; - }; - services.${name} = meta // { - serviceConfig = { - LogsDirectory = name; - StateDirectory = name; + services.${name} = meta // { + serviceConfig = { + LogsDirectory = name; + StateDirectory = name; - ExecStart = "${archvsync}/bin/ftpsync sync:all"; + ExecStart = "${archvsync}/bin/ftpsync sync:all"; + }; }; }; - }; }; } diff --git a/os/fscusat/modules/mirror/default.nix b/os/fscusat/modules/mirror/default.nix index c5fd462..1648204 100644 --- a/os/fscusat/modules/mirror/default.nix +++ b/os/fscusat/modules/mirror/default.nix @@ -1,4 +1,5 @@ -{ ... }: { +{ ... }: +{ imports = [ ./debian ./www.nix diff --git a/os/fscusat/modules/network.nix b/os/fscusat/modules/network.nix index 53367f8..fefcd14 100644 --- a/os/fscusat/modules/network.nix +++ b/os/fscusat/modules/network.nix 
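Review bot: `Unit = "%i.service";` in `timers.${name}.timerConfig` uses the instance specifier, which expands to an empty string for a non-template unit such as `ftpsync.timer`, producing `Unit=.service`; presumably systemd rejects that line and falls back to the default `ftpsync.service`, which is why the timer still fires. Either drop the line, since the default already matches, or write `Unit = "${name}.service";` so the intent survives a rename. The `systemd` attribute set is covered by the hunk in full.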
@@ -5,14 +5,19 @@ let in { networking = { - interfaces.${wan}.ipv4.addresses = [{ - address = "10.0.8.101"; - prefixLength = 16; - }]; + interfaces.${wan}.ipv4.addresses = [ + { + address = "10.0.8.101"; + prefixLength = 16; + } + ]; defaultGateway = { address = "10.0.0.1"; interface = wan; }; - nameservers = [ "10.0.0.2" "10.0.0.3" ]; + nameservers = [ + "10.0.0.2" + "10.0.0.3" + ]; }; } diff --git a/os/fscusat/modules/www.nix b/os/fscusat/modules/www.nix index 24398da..8392190 100644 --- a/os/fscusat/modules/www.nix +++ b/os/fscusat/modules/www.nix @@ -4,19 +4,24 @@ let domain = "foss.fscusat.ac.in"; in { - networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; - sops.secrets = let - opts = { - owner = config.services.nginx.user; - group = config.services.nginx.group; + sops.secrets = + let + opts = { + owner = config.services.nginx.user; + group = config.services.nginx.group; + }; + in + { + "cusat.ac.in/key" = opts; + "cusat.ac.in/crt" = opts; }; - in{ - "cusat.ac.in/key" = opts; - "cusat.ac.in/crt" = opts; - }; - services.nginx = { + services.nginx = { enable = true; recommendedTlsSettings = true; recommendedZstdSettings = true; diff --git a/os/fscusat/pkgs/archvsync/default.nix b/os/fscusat/pkgs/archvsync/default.nix index bd3560e..7c31b1e 100644 --- a/os/fscusat/pkgs/archvsync/default.nix +++ b/os/fscusat/pkgs/archvsync/default.nix @@ -1,4 +1,5 @@ -{ lib, +{ + lib, stdenvNoCC, fetchFromGitLab, makeWrapper, 
@@ -22,15 +23,29 @@ stdenvNoCC.mkDerivation { }; strictDeps = true; - nativeBuildInputs = [ makeWrapper pandoc ]; - outputs = [ "out" "man" "doc" ]; + nativeBuildInputs = [ + makeWrapper + pandoc + ]; + outputs = [ + "out" + "man" + "doc" + ]; - patches = [ ./Makefile.patch ./common.patch ]; + patches = [ + ./Makefile.patch + ./common.patch + ]; postInstall = '' for s in $out/bin/*; do - wrapProgram $s --prefix PATH : ${lib.makeBinPath - [ rsync bash hostname ] + wrapProgram $s --prefix PATH : ${ + lib.makeBinPath [ + rsync + bash + hostname + ] } done ''; diff --git a/os/kay/modules/acme.nix b/os/kay/modules/acme.nix index 00819e7..60e40a8 100644 --- a/os/kay/modules/acme.nix +++ b/os/kay/modules/acme.nix @@ -1,10 +1,11 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let email = config.global.userdata.email; domain = config.global.userdata.domain; - environmentFile = - pkgs.writeText "acme-dns" "RFC2136_NAMESERVER='[2001:470:ee65::1]:53'"; -in { + environmentFile = pkgs.writeText "acme-dns" "RFC2136_NAMESERVER='[2001:470:ee65::1]:53'"; +in +{ security.acme = { acceptTerms = true; defaults.email = email; diff --git a/os/kay/modules/alina.nix b/os/kay/modules/alina.nix index ef6331b..6f8fac4 100644 --- a/os/kay/modules/alina.nix +++ b/os/kay/modules/alina.nix @@ -1,14 +1,18 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let domain = "alinafs.com"; -in { - sops.secrets."misc/alina" = {}; +in +{ + sops.secrets."misc/alina" = { }; services.postgresql = { ensureDatabases = [ "alina" ]; - ensureUsers = [{ - name = "alina"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "alina"; + ensureDBOwnership = true; + } + ]; }; services.alina = { @@ -17,7 +21,7 @@ in { environmentFile = config.sops.secrets."misc/alina".path; settings.server = { data = "/hdd/alina"; - file_size_limit = 1024 * 1024 * 1024; /* 1GB */ + file_size_limit = 1024 * 1024 * 1024; # 1GB public_url = "https://${domain}"; }; }; 
diff --git a/os/kay/modules/dns/default.nix b/os/kay/modules/dns/default.nix index 357cddd..6179527 100644 --- a/os/kay/modules/dns/default.nix +++ b/os/kay/modules/dns/default.nix @@ -1,5 +1,6 @@ -{ config, pkgs, ... }: let - listen_addr = [ +{ config, pkgs, ... }: +let + listen_addr = [ "137.59.84.126" "2001:470:ee65::1" ]; @@ -16,7 +17,8 @@ IN NS ns1.sinanmohd.com. ''; -in { +in +{ imports = [ ./ddns.nix ]; networking.firewall = { @@ -39,39 +41,55 @@ in { remote = [ { id = "ns1.he.net"; - address = [ "2001:470:100::2" "216.218.130.2" ]; + address = [ + "2001:470:100::2" + "216.218.130.2" + ]; via = "2001:470:ee65::1"; } { id = "m.gtld-servers.net"; - address = [ "2001:501:b1f9::30" "192.55.83.30" ]; + address = [ + "2001:501:b1f9::30" + "192.55.83.30" + ]; } ]; - submission = [{ - id = "gtld-servers.net"; - parent = "m.gtld-servers.net"; - }]; + submission = [ + { + id = "gtld-servers.net"; + parent = "m.gtld-servers.net"; + } + ]; - policy = [{ - id = "gtld-servers.net"; - algorithm = "ecdsap384sha384"; - ksk-lifetime = "365d"; - ksk-submission = "gtld-servers.net"; - }]; + policy = [ + { + id = "gtld-servers.net"; + algorithm = "ecdsap384sha384"; + ksk-lifetime = "365d"; + ksk-submission = "gtld-servers.net"; + } + ]; # generate TSIG key with keymgr -t name acl = [ { id = "ns1.he.net"; key = "ns1.he.net"; - address = [ "2001:470:600::2" "216.218.133.2" ]; + address = [ + "2001:470:600::2" + "216.218.133.2" + ]; action = "transfer"; } { id = "ddns"; address = listen_addr; - update-type = [ "A" "AAAA" ]; + update-type = [ + "A" + "AAAA" + ]; action = "update"; } { @@ -82,11 +100,13 @@ in { } ]; - mod-rrl = [{ - id = "default"; - rate-limit = 200; - slip = 2; - }]; + mod-rrl = [ + { + id = "default"; + rate-limit = 200; + slip = 2; + } + ]; template = [ { 
@@ -102,7 +122,10 @@ in { dnssec-policy = "gtld-servers.net"; notify = [ "ns1.he.net" ]; - acl = [ "ns1.he.net" "ddns" ]; + acl = [ + "ns1.he.net" + "ddns" + ]; zonefile-sync = "-1"; zonefile-load = "difference"; diff --git a/os/kay/modules/home-assistant.nix b/os/kay/modules/home-assistant.nix index 2376997..65807f7 100644 --- a/os/kay/modules/home-assistant.nix +++ b/os/kay/modules/home-assistant.nix @@ -1,21 +1,26 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ services.postgresql = { enable = true; ensureDatabases = [ "hass" ]; - ensureUsers = [{ - name = "hass"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "hass"; + ensureDBOwnership = true; + } + ]; }; services.home-assistant = { enable = true; - package = (pkgs.home-assistant.override { - extraPackages = py: with py; [ psycopg2 ]; - }).overrideAttrs (oldAttrs: { - doInstallCheck = false; - }); + package = + (pkgs.home-assistant.override { + extraPackages = py: with py; [ psycopg2 ]; + }).overrideAttrs + (oldAttrs: { + doInstallCheck = false; + }); extraComponents = [ "analytics" @@ -29,7 +34,7 @@ ]; config = { - default_config = {}; + default_config = { }; recorder.db_url = "postgresql://@/hass"; http = { diff --git a/os/kay/modules/hurricane.nix b/os/kay/modules/hurricane.nix index 511b213..e815136 100644 --- a/os/kay/modules/hurricane.nix +++ b/os/kay/modules/hurricane.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let iface = "hurricane"; @@ -10,12 +15,15 @@ let prefix64 = "2001:470:36:72a::/64"; prefix48 = "2001:470:ee65::/48"; - makeAddr = prefix: host: let - split = lib.strings.splitString "/" prefix; - in { - address = "${lib.head split}${host}"; - prefixLength = lib.toInt (lib.last split); - }; + makeAddr = + prefix: host: + let + split = lib.strings.splitString "/" prefix; + in + { + address = "${lib.head split}${host}"; + prefixLength = lib.toInt (lib.last split); + }; in { networking = { 
@@ -43,17 +51,15 @@ in }; firewall = { - extraCommands = - "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT"; - extraStopCommands = - "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT"; + extraCommands = "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT"; + extraStopCommands = "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT"; }; }; sops.secrets = { - "hurricane/username" = {}; - "hurricane/update_key" = {}; - "hurricane/tunnel_id" = {}; + "hurricane/username" = { }; + "hurricane/update_key" = { }; + "hurricane/tunnel_id" = { }; }; systemd.services."network-route-${iface}" = { @@ -64,7 +70,10 @@ in ]; before = [ "network-setup.service" ]; bindsTo = [ "network-addresses-hurricane.service" ]; - after = [ "network-pre.target" "network-addresses-hurricane.service" ]; + after = [ + "network-pre.target" + "network-addresses-hurricane.service" + ]; # restart rather than stop+start this unit to prevent the # network from dying during switch-to-configuration. stopIfChanged = false; @@ -95,9 +104,13 @@ in ''; }; - services.pppd.script."01-${iface}" = { - runtimeInputs = with pkgs; [ curl coreutils iproute2 iputils ]; + runtimeInputs = with pkgs; [ + curl + coreutils + iproute2 + iputils + ]; text = '' wan_ip="$4" username="$(cat ${config.sops.secrets."hurricane/username".path})" diff --git a/os/kay/modules/mail.nix b/os/kay/modules/mail.nix index a418a86..57912ac 100644 --- a/os/kay/modules/mail.nix +++ b/os/kay/modules/mail.nix @@ -1,4 +1,5 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let ipv6 = "2001:470:ee65::1337"; domain = config.global.userdata.domain; username = config.global.userdata.name; 
@@ -15,12 +16,13 @@ ]; credentials_directory = "/run/credentials/stalwart-mail.service"; -in { +in +{ security.acme.certs.${domain}.postRun = "systemctl restart stalwart-mail.service"; sops.secrets = { - "mail.${domain}/dkim_rsa" = {}; - "mail.${domain}/dkim_ed25519" = {}; - "mail.${domain}/password" = {}; + "mail.${domain}/dkim_rsa" = { }; + "mail.${domain}/dkim_ed25519" = { }; + "mail.${domain}/password" = { }; }; systemd.services.stalwart-mail.serviceConfig.LoadCredential = [ @@ -35,10 +37,12 @@ in { services.postgresql = { ensureDatabases = [ "stalwart" ]; - ensureUsers = [{ - name = "stalwart"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "stalwart"; + ensureDBOwnership = true; + } + ]; }; services.stalwart-mail = { @@ -70,7 +74,10 @@ in { server.listener = { smtp = { - bind = [ "[${ipv6}]:25" "0.0.0.0:25" ]; + bind = [ + "[${ipv6}]:25" + "0.0.0.0:25" + ]; protocol = "smtp"; }; submission = { @@ -98,7 +105,13 @@ in { private-key = "%{file:${credentials_directory}/dkim_rsa}%"; inherit domain; selector = "rsa"; - headers = ["From" "To" "Date" "Subject" "Message-ID"]; + headers = [ + "From" + "To" + "Date" + "Subject" + "Message-ID" + ]; algorithm = "rsa-sha-256"; canonicalization = "simple/simple"; @@ -110,7 +123,13 @@ in { private-key = "%{file:${credentials_directory}/dkim_ed25519}%"; inherit domain; selector = "ed25519"; - headers = ["From" "To" "Date" "Subject" "Message-ID"]; + headers = [ + "From" + "To" + "Date" + "Subject" + "Message-ID" + ]; algorithm = "ed25519-sha256"; canonicalization = "simple/simple"; @@ -152,7 +171,8 @@ in { secret = "%{file:${credentials_directory}/password}%"; inherit email; } - { # for mta-sts & dmarc reports + { + # for mta-sts & dmarc reports class = "individual"; name = "reports"; secret = "%{file:${credentials_directory}/password}%"; diff --git a/os/kay/modules/matrix/default.nix b/os/kay/modules/matrix/default.nix index f81d0d9..1b9564d 100644 --- a/os/kay/modules/matrix/default.nix 
+++ b/os/kay/modules/matrix/default.nix @@ -1,12 +1,14 @@ -{ config, ... }: let +{ config, ... }: +let domain = config.global.userdata.domain; -in { +in +{ imports = [ ./dendrite.nix ./matrix-sliding-sync.nix ]; - sops.secrets."matrix-${domain}/sliding_sync" = {}; + sops.secrets."matrix-${domain}/sliding_sync" = { }; services.matrix-sliding-sync-dirty = { enable = true; diff --git a/os/kay/modules/matrix/dendrite.nix b/os/kay/modules/matrix/dendrite.nix index 3f4a879..e66c5a5 100644 --- a/os/kay/modules/matrix/dendrite.nix +++ b/os/kay/modules/matrix/dendrite.nix @@ -10,16 +10,18 @@ let }; in { - sops.secrets."matrix-${domain}/key" = {}; + sops.secrets."matrix-${domain}/key" = { }; systemd.services.dendrite.after = [ "postgresql.service" ]; services = { postgresql = { ensureDatabases = [ "dendrite" ]; - ensureUsers = [{ - name = "dendrite"; - ensureDBOwnership = true; - }]; + ensureUsers = [ + { + name = "dendrite"; + ensureDBOwnership = true; + } + ]; }; dendrite = { @@ -43,10 +45,12 @@ in ]; inherit database; }; - logging = [{ - type = "std"; - level = "warn"; - }]; + logging = [ + { + type = "std"; + level = "warn"; + } + ]; mscs = { inherit database; mscs = [ "msc2836" ]; @@ -63,19 +67,21 @@ in federation_api = { inherit database; send_max_retries = 8; - key_perspectives = [{ - server_name = "matrix.org"; - keys = [ - { - key_id = "ed25519:auto"; - public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; - } - { - key_id = "ed25519:a_RXGa"; - public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; - } - ]; - }]; + key_perspectives = [ + { + server_name = "matrix.org"; + keys = [ + { + key_id = "ed25519:auto"; + public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; + } + { + key_id = "ed25519:a_RXGa"; + public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; + } + ]; + } + ]; }; app_service_api = { diff --git a/os/kay/modules/matrix/matrix-sliding-sync.nix b/os/kay/modules/matrix/matrix-sliding-sync.nix index f4c1426..63d95ad 100644 
--- a/os/kay/modules/matrix/matrix-sliding-sync.nix +++ b/os/kay/modules/matrix/matrix-sliding-sync.nix @@ -1,12 +1,20 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let cfg = config.services.matrix-sliding-sync-dirty; - matrix-sliding-sync = pkgs.callPackage ../../pkgs/matrix-sliding-sync.nix {}; + matrix-sliding-sync = pkgs.callPackage ../../pkgs/matrix-sliding-sync.nix { }; in { imports = [ - (lib.mkRenamedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] [ "services" "matrix-sliding-sync" ]) + (lib.mkRenamedOptionModule + [ "services" "matrix-synapse" "sliding-sync" ] + [ "services" "matrix-sliding-sync" ] + ) ]; options.services.matrix-sliding-sync-dirty = { @@ -40,7 +48,14 @@ in }; SYNCV3_LOG_LEVEL = lib.mkOption { - type = lib.types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ]; + type = lib.types.enum [ + "trace" + "debug" + "info" + "warn" + "error" + "fatal" + ]; default = "info"; description = "The level of verbosity for messages logged."; }; @@ -77,10 +92,12 @@ in services.postgresql = lib.optionalAttrs cfg.createDatabase { enable = true; ensureDatabases = [ "matrix-sliding-sync" ]; - ensureUsers = [ { - name = "matrix-sliding-sync"; - ensureDBOwnership = true; - } ]; + ensureUsers = [ + { + name = "matrix-sliding-sync"; + ensureDBOwnership = true; + } + ]; }; systemd.services.matrix-sliding-sync = rec { diff --git a/os/kay/modules/network.nix b/os/kay/modules/network.nix index 22d132b..1315289 100644 --- a/os/kay/modules/network.nix +++ b/os/kay/modules/network.nix @@ -3,7 +3,10 @@ let inetVlan = 1003; wanInterface = "enp3s0"; - nameServer = [ "1.0.0.1" "1.1.1.1" ]; + nameServer = [ + "1.0.0.1" + "1.1.1.1" + ]; in { imports = [ @@ -12,9 +15,9 @@ in ]; sops.secrets = { - "ppp/chap-secrets" = {}; - "ppp/pap-secrets" = {}; - "ppp/username" = {}; + "ppp/chap-secrets" = { }; + "ppp/pap-secrets" = { }; + "ppp/username" = { }; }; networking = { 
diff --git a/os/kay/modules/observability/prometheus.nix b/os/kay/modules/observability/prometheus.nix
index d9b6071..1810f9e 100644
--- a/os/kay/modules/observability/prometheus.nix
+++ b/os/kay/modules/observability/prometheus.nix
@@ -4,36 +4,38 @@ enable = true; port = 9001; - scrapeConfigs = [{ - job_name = "kay"; - scrape_interval = "1s"; - static_configs = [ - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.wireguard.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.snmp.port}" ]; - } - { - targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ]; - } - ]; - }]; + scrapeConfigs = [ + { + job_name = "kay"; + scrape_interval = "1s"; + static_configs = [ + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.wireguard.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.snmp.port}" ]; + } + { + targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ]; + } + ]; + } + ]; exporters = { node = { diff --git a/os/kay/modules/postgresql.nix b/os/kay/modules/postgresql.nix index 79d0b12..6ba5398 100644 --- a/os/kay/modules/postgresql.nix +++ b/os/kay/modules/postgresql.nix 
@@ -1,15 +1,21 @@ -{ config, lib, pkgs, ... }: { +{ + config, + lib, + pkgs, + ... +}: +{ services.postgresql = { enable = true; package = with pkgs; postgresql_15; authentication = lib.mkForce '' - #type database DBuser origin-address auth-method - # unix socket - local all all trust - # ipv4 - host all all 127.0.0.1/32 trust - # ipv6 - host all all ::1/128 trust + #type database DBuser origin-address auth-method + # unix socket + local all all trust + # ipv4 + host all all 127.0.0.1/32 trust + # ipv6 + host all all ::1/128 trust ''; settings.log_timezone = config.time.timeZone; diff --git a/os/kay/modules/router.nix b/os/kay/modules/router.nix index bb8cd3b..7280401 100644 --- a/os/kay/modules/router.nix +++ b/os/kay/modules/router.nix @@ -1,4 +1,5 @@ -{ ... }: let +{ ... }: +let wanInterface = "ppp0"; gponInterface = "enp3s0"; @@ -15,7 +16,8 @@ wapMac = "40:86:cb:d7:40:49"; wapIp = "192.168.43.2"; -in { +in +{ imports = [ ./wireguard.nix ./iperf3.nix @@ -30,17 +32,24 @@ in { internalInterfaces = [ bridgeInterface ]; }; interfaces = { - ${bridgeInterface}.ipv4.addresses = [{ + ${bridgeInterface}.ipv4.addresses = [ + { address = host; - prefixLength = prefix; - }]; - ${gponInterface}.ipv4.addresses = [{ + prefixLength = prefix; + } + ]; + ${gponInterface}.ipv4.addresses = [ + { address = gponHost; - prefixLength = gponPrefix; - }]; + prefixLength = gponPrefix; + } + ]; }; firewall = { - allowedUDPPorts = [ 53 67 ]; + allowedUDPPorts = [ + 53 + 67 + ]; allowedTCPPorts = [ 53 ]; extraCommands = '' iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ @@ -57,7 +66,7 @@ in { services.dnsmasq.settings = { dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ]; - dhcp-host= "${wapMac},${wapIp}"; + dhcp-host = "${wapMac},${wapIp}"; interface = [ bridgeInterface ]; }; diff --git a/os/kay/modules/sftp.nix b/os/kay/modules/sftp.nix index 45ed151..b740fd6 100644 --- a/os/kay/modules/sftp.nix +++ b/os/kay/modules/sftp.nix 
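Review bot: The `lib.mkForce`d pg_hba in the postgresql.nix hunk uses `trust` for the Unix socket and for both loopback ranges, so any local process that can open a loopback TCP connection logs in as any role, including the `postgres` superuser, with no credential — and mkForce also discards the NixOS defaults that would otherwise apply. A least-privilege shape is `local all all peer` (the `ensureUsers`/`ensureDBOwnership` consumers in this commit can use it if their systemd units run as the matching system user) and `host all all 127.0.0.1/32 scram-sha-256` / `host all all ::1/128 scram-sha-256`, with any TCP consumer given a password from sops instead of a trusted loopback. If `trust` is deliberate because every consumer is a local service on this single host, a comment above the heredoc saying so would keep the next reader from tightening it blindly. The enclosing `services.postgresql` set continues past the end of the hunk.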
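Review bot: In the router.nix hunk `@@ -30,17 +32,24 @@`, `allowedUDPPorts = [ 53 67 ]` and `allowedTCPPorts = [ 53 ]` open DNS and DHCP on every interface, including the WAN side this module masquerades out of; scoping them as `networking.firewall.interfaces.${bridgeInterface}.allowedUDPPorts = [ 53 67 ];` (and the TCP counterpart) keeps the listeners reachable only from the LAN regardless of how dnsmasq happens to be bound. The `extraCommands` rule `iptables -t mangle -A FORWARD …` is re-run on every firewall start or reload and, without a matching delete in `extraStopCommands`, accumulates duplicate rules in the built-in chain; the `-I POSTROUTING 1 … -j MASQUERADE` line in the os/lia/modules/network/router.nix hunk has the same shape, and there `networking.nat` would express it declaratively. The `extraCommands` string and the rest of this module continue outside the hunk, so a stop rule may already exist there.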
@@ -7,7 +7,7 @@ let in { users = { - groups."sftp".members = []; + groups."sftp".members = [ ]; users."sftp" = { group = "sftp"; @@ -42,7 +42,7 @@ in }; # sandboxing - extraConfig = '' + extraConfig = '' Match Group sftp # chroot dir should be owned by root # and sub dirs by %u diff --git a/os/kay/modules/sshfwd.nix b/os/kay/modules/sshfwd.nix index d70b893..fcafd17 100644 --- a/os/kay/modules/sshfwd.nix +++ b/os/kay/modules/sshfwd.nix @@ -1,21 +1,24 @@ -{ ... }: let +{ ... }: +let group = "sshfwd"; -in { +in +{ networking.firewall.allowedTCPPorts = [ 2222 ]; users = { - groups.${group}.members = []; + groups.${group}.members = [ ]; users."lia" = { inherit group; isSystemUser = true; - openssh.authorizedKeys.keys - = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe7fJlh9L+9JSq0+hK7jNZjszmZqNXwzqcZ+zx0yJyU lia" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe7fJlh9L+9JSq0+hK7jNZjszmZqNXwzqcZ+zx0yJyU lia" + ]; }; }; - services.openssh.extraConfig = '' + services.openssh.extraConfig = '' Match Group ${group} ForceCommand echo 'this account is only usable for remote forwarding' PermitTunnel no diff --git a/os/kay/modules/wireguard.nix b/os/kay/modules/wireguard.nix index 21cec06..ae42930 100644 --- a/os/kay/modules/wireguard.nix +++ b/os/kay/modules/wireguard.nix @@ -1,4 +1,10 @@ -{ config, pkgs, lib, ... }: let +{ + config, + pkgs, + lib, + ... +}: +let wgInterface = "wg"; wanInterface = "ppp0"; subnet = "10.0.1.0"; 
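Review bot: The `Match Group ${group}` block in the sshfwd.nix hunk confines the forwarding account with `ForceCommand` and `PermitTunnel no`, but nothing visible bounds which ports that account may bind on this host, even though `networking.firewall.allowedTCPPorts = [ 2222 ]` is opened for exactly one reverse tunnel. Adding `PermitListen 2222` to the block holds the key to that single listener; `AllowAgentForwarding no`, `X11Forwarding no` and `PermitTTY no` belong alongside it if they are not already set. Since the client side (os/lia/modules/sshfwd.nix) binds `[::]:2222`, this Match block presumably also enables `GatewayPorts`, which makes the listen restriction more important, not less. The `Match` block continues past the end of the hunk, so some of these may already be present.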
@@ -10,13 +16,17 @@ Address = 10.0.1.1/24 MTU = 1412 ListenPort = 51820 - PostUp = ${lib.getExe (pkgs.writeShellApplication { - name = "wg_set_key"; - runtimeInputs = with pkgs; [ wireguard-tools ]; - text = '' - wg set ${wgInterface} private-key <(cat ${config.sops.secrets."misc/wireguard".path}) - ''; - })} + PostUp = ${ + lib.getExe ( + pkgs.writeShellApplication { + name = "wg_set_key"; + runtimeInputs = with pkgs; [ wireguard-tools ]; + text = '' + wg set ${wgInterface} private-key <(cat ${config.sops.secrets."misc/wireguard".path}) + ''; + } + ) + } [Peer] # friendly_name = cez @@ -43,8 +53,9 @@ PublicKey = U6+PzFuM6lKVx0TnDWuWJMsP6Tj8o1a9zjRcD7gV53o= AllowedIPs = 10.0.1.6/32 ''; -in { - sops.secrets."misc/wireguard" = {}; +in +{ + sops.secrets."misc/wireguard" = { }; networking = { nat = { @@ -59,7 +70,7 @@ in { services.dnsmasq.settings = { no-dhcp-interface = wgInterface; - interface = [ wgInterface ]; + interface = [ wgInterface ]; }; services.prometheus.exporters.wireguard = { diff --git a/os/kay/modules/www.nix b/os/kay/modules/www.nix index 54ff8d2..4f894c5 100644 --- a/os/kay/modules/www.nix +++ b/os/kay/modules/www.nix @@ -1,4 +1,9 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let domain = config.global.userdata.domain; @@ -12,7 +17,10 @@ in security.acme.certs.${domain}.postRun = "systemctl reload nginx.service"; networking.firewall = { - allowedTCPPorts = [ 80 443 ]; + allowedTCPPorts = [ + 80 + 443 + ]; allowedUDPPorts = [ 443 ]; }; @@ -27,7 +35,7 @@ in }; }; - services.nginx = { + services.nginx = { enable = true; statusPage = true; package = pkgs.nginxQuic; 
@@ -48,218 +56,216 @@ in add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1'; ''; - virtualHosts = let - defaultOpts = { - # reuseport = true; - quic = true; - http3 = true; - forceSSL = true; - useACMEHost = domain; - }; - in { - "${domain}" = defaultOpts // { - default = true; - globalRedirect = "www.${domain}"; + virtualHosts = + let + defaultOpts = { + # reuseport = true; + quic = true; + http3 = true; + forceSSL = true; + useACMEHost = domain; + }; + in + { + "${domain}" = defaultOpts // { + default = true; + globalRedirect = "www.${domain}"; + + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; + locations = { + "/.well-known/matrix/server".return = '' + 200 '{ "m.server": "${domain}:443" }' + ''; - locations = { - "/.well-known/matrix/server".return = '' - 200 '{ "m.server": "${domain}:443" }' - ''; + "/.well-known/matrix/client".return = '' + 200 '${ + builtins.toJSON { + "m.homeserver".base_url = "https://${domain}"; + "org.matrix.msc3575.proxy".url = "https://sliding.${domain}"; + "m.identity_server".base_url = "https://vector.im"; + } + }' + ''; + + "~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = + "http://127.0.0.1:${toString config.services.dendrite.httpPort}"; + }; + }; - "/.well-known/matrix/client".return = '' - 200 '${builtins.toJSON { - "m.homeserver".base_url = "https://${domain}"; - "org.matrix.msc3575.proxy".url = "https://sliding.${domain}"; - "m.identity_server".base_url = "https://vector.im"; - }}' + "sliding.${domain}" = defaultOpts // { + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; ''; - "~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = "http://127.0.0.1:${toString - config.services.dendrite.httpPort - }"; + locations."/" = { + proxyWebsockets = true; + proxyPass = 
"http://${config.services.matrix-sliding-sync-dirty.settings.SYNCV3_BINDADDR}"; + }; }; - }; - "sliding.${domain}" = defaultOpts // { - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; + "${config.services.grafana.settings.server.domain}" = defaultOpts // { + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; - locations."/" = { - proxyWebsockets = true; - proxyPass = - "http://${config.services.matrix-sliding-sync-dirty.settings.SYNCV3_BINDADDR}"; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; + }; }; - }; - "${config.services.grafana.settings.server.domain}" = defaultOpts // { - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; + "www.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; - locations."/" = { - proxyWebsockets = true; - proxyPass = - "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; + root = "/var/www/${domain}"; }; - }; - - "www.${domain}" = defaultOpts // { - extraConfig = '' - ssl_early_data on; - ''; - root = "/var/www/${domain}"; - }; + "git.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + }; - "git.${domain}" = defaultOpts // { - extraConfig = '' - ssl_early_data on; - ''; - }; + "bin.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + root = "${storage}/bin"; + locations."= /".return = "307 https://www.${domain}"; + }; - "bin.${domain}" = defaultOpts // { - extraConfig = '' - ssl_early_data on; - ''; - root = "${storage}/bin"; - locations."= /".return = "307 https://www.${domain}"; - }; + "static.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + root = 
"${storage}/static"; + locations."= /".return = "301 https://www.${domain}"; + }; - "static.${domain}" = defaultOpts // { - extraConfig = '' - ssl_early_data on; - ''; - root = "${storage}/static"; - locations."= /".return = "301 https://www.${domain}"; - }; + "home.${domain}" = defaultOpts // { + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:${builtins.toString config.services.home-assistant.config.http.server_port}"; + }; + }; - "home.${domain}" = defaultOpts // { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:${ - builtins.toString config.services.home-assistant.config.http.server_port - }"; + "mail.${domain}" = defaultOpts // { + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:8085"; + }; }; - }; - "mail.${domain}" = defaultOpts // { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:8085"; + "mta-sts.${domain}" = defaultOpts // { + extraConfig = '' + ssl_early_data on; + ''; + locations."= /.well-known/mta-sts.txt".return = ''200 "${ + lib.strings.concatStringsSep "\\n" [ + "version: STSv1" + "mode: enforce" + "mx: mail.${domain}" + "max_age: 86400" + ] + }"''; }; - }; - "mta-sts.${domain}" = defaultOpts // { - extraConfig = '' - ssl_early_data on; - ''; - locations."= /.well-known/mta-sts.txt".return = ''200 "${ - lib.strings.concatStringsSep "\\n" [ - "version: STSv1" - "mode: enforce" - "mx: mail.${domain}" - "max_age: 86400" - ] - }"''; - }; + "immich.${domain}" = defaultOpts // { + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://${config.services.immich.host}:${builtins.toString config.services.immich.port}"; + }; - "immich.${domain}" = defaultOpts // { - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://${config.services.immich.host}:${builtins.toString config.services.immich.port}"; + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; }; - extraConfig = 
'' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - }; - - "nixbin.${domain}" = defaultOpts // { - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; + "nixbin.${domain}" = defaultOpts // { + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; - locations = { - "= /files".return = "301 https://nixbin.${domain}/files/"; - "/files/" = { + locations = { + "= /files".return = "301 https://nixbin.${domain}/files/"; + "/files/" = { alias = "/nix/store/"; extraConfig = "autoindex on;"; + }; + + "= /" = { + extraConfig = '' + add_header Content-Type text/html; + add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1'; + ''; + return = '' + 200 + '<!DOCTYPE html> + <html lang="en"> + <head> + <meta charset="UTF-8"> + <title>Nix Cache</title> + </head> + <body> + <center> + <h1 style="font-size: 8em"> + ❄️ Nix Cache + </h1> + <p style="font-weight: bold"> + Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k= + </p> + </center> + </body> + </html>' + ''; + }; + + "/".proxyPass = + "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; }; - - "= /" = { - extraConfig = '' - add_header Content-Type text/html; - add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1'; - ''; - return = ''200 - '<!DOCTYPE html> - <html lang="en"> - <head> - <meta charset="UTF-8"> - <title>Nix Cache</title> - </head> - <body> - <center> - <h1 style="font-size: 8em"> - ❄️ Nix Cache - </h1> - <p style="font-weight: bold"> - Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k= - </p> - </center> - </body> - </html>' - ''; - }; - - "/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${ - toString config.services.nix-serve.port - }"; }; - }; - - - "www.alinafs.com" = defaultOpts // { - useACMEHost = null; - enableACME = true; - globalRedirect = "alinafs.com/home"; - 
extraConfig = '' - ssl_early_data on; - ''; - }; - "alinafs.com" = defaultOpts // { - useACMEHost = null; - enableACME = true; - locations = { - "/metrics".return = "307 /home/"; - "/" = { - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:${builtins.toString config.services.alina.port}"; - }; + "www.alinafs.com" = defaultOpts // { + useACMEHost = null; + enableACME = true; + globalRedirect = "alinafs.com/home"; + extraConfig = '' + ssl_early_data on; + ''; }; + "alinafs.com" = defaultOpts // { + useACMEHost = null; + enableACME = true; + + locations = { + "/metrics".return = "307 /home/"; + "/" = { + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:${builtins.toString config.services.alina.port}"; + }; + }; - extraConfig = '' - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; + extraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; + }; }; - }; }; } diff --git a/os/kay/pkgs/matrix-sliding-sync.nix b/os/kay/pkgs/matrix-sliding-sync.nix index 17051dc..2095817 100644 --- a/os/kay/pkgs/matrix-sliding-sync.nix +++ b/os/kay/pkgs/matrix-sliding-sync.nix @@ -1,6 +1,7 @@ -{ lib -, buildGoModule -, fetchFromGitHub +{ + lib, + buildGoModule, + fetchFromGitHub, }: buildGoModule rec { diff --git a/os/lia/configuration.nix b/os/lia/configuration.nix index e720cb0..6e5323e 100644 --- a/os/lia/configuration.nix +++ b/os/lia/configuration.nix @@ -11,4 +11,3 @@ ./modules/sshfwd.nix ]; } - diff --git a/os/lia/modules/lxc.nix b/os/lia/modules/lxc.nix index 259c316..012695d 100644 --- a/os/lia/modules/lxc.nix +++ b/os/lia/modules/lxc.nix @@ -1,4 +1,5 @@ -{ pkgs, ... }: let +{ pkgs, ... }: +let container = { name = "ubu"; distro = "ubuntu"; @@ -6,7 +7,8 @@ }; bridge = "lan"; -in { +in +{ virtualisation.lxc.enable = true; environment.systemPackages = with pkgs; [ wget ]; 
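Review bot: The `"= /.well-known/mta-sts.txt"` location under `mta-sts.${domain}` returns the policy without setting a content type, and RFC 8461 requires the policy to be served as `text/plain`, so a sender may ignore it and fall back to unenforced delivery; add `extraConfig = "add_header Content-Type text/plain;";` to that location, the same pattern the `"= /"` block under `nixbin.${domain}` already uses for its HTML. The two `"/.well-known/matrix/*"` return locations likewise send the default type and no `Access-Control-Allow-Origin` header, which browser-based Matrix clients need for discovery. Separately, `"/files/"` aliases `/nix/store/` with `autoindex on`, so anything that ever lands in this host's store (for example a secret read into a derivation by mistake) becomes publicly downloadable; a comment on that location recording that secrets are kept out of the store via sops would make the exposure explicit. The `virtualHosts` set is inside `services.nginx`, which opens before this hunk.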
@@ -22,7 +24,14 @@ in { RemainAfterExit = true; }; - path = with pkgs; [ wget lxc util-linux gnutar xz gawk ]; + path = with pkgs; [ + wget + lxc + util-linux + gnutar + xz + gawk + ]; script = '' if ! lxc-ls | grep -q ${container.name}; then lxc-create -n ${container.name} -t download -- \ diff --git a/os/lia/modules/network/default.nix b/os/lia/modules/network/default.nix index c8d9059..3d58636 100644 --- a/os/lia/modules/network/default.nix +++ b/os/lia/modules/network/default.nix @@ -1,4 +1,5 @@ -{ ... }: let +{ ... }: +let wan = "enp9s0"; in { @@ -7,10 +8,12 @@ in ]; networking = { - interfaces.${wan}.ipv4.addresses = [{ - address = "172.16.148.20"; - prefixLength = 22; - }]; + interfaces.${wan}.ipv4.addresses = [ + { + address = "172.16.148.20"; + prefixLength = 22; + } + ]; defaultGateway = { address = "172.16.148.1"; interface = wan; diff --git a/os/lia/modules/network/router.nix b/os/lia/modules/network/router.nix index b8cac8c..4f22e31 100644 --- a/os/lia/modules/network/router.nix +++ b/os/lia/modules/network/router.nix @@ -1,6 +1,10 @@ -{ ... }: let +{ ... }: +let wanInterface = "enp9s0"; - lanInterfaces = [ "enp1s0f0" "enp1s0f1" ]; + lanInterfaces = [ + "enp1s0f0" + "enp1s0f1" + ]; prefix = 24; subnet = "192.168.1.0"; @@ -8,7 +12,10 @@ leaseRangeStart = "192.168.1.100"; leaseRangeEnd = "192.168.1.254"; - nameServer = [ "10.0.0.2" "10.0.0.3" ]; + nameServer = [ + "10.0.0.2" + "10.0.0.3" + ]; in { networking = { @@ -21,17 +28,21 @@ in }; interfaces.lan = { - ipv4.addresses = [{ - address = host; - prefixLength = prefix; - }]; + ipv4.addresses = [ + { + address = host; + prefixLength = prefix; + } + ]; }; firewall = { - allowedUDPPorts = [ 53 67 ]; + allowedUDPPorts = [ + 53 + 67 + ]; allowedTCPPorts = [ 53 ]; - extraCommands = - "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE"; + extraCommands = "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE"; }; }; 
diff --git a/os/lia/modules/sshfwd.nix b/os/lia/modules/sshfwd.nix
index 3c7c006..b7e8d17 100644
--- a/os/lia/modules/sshfwd.nix
+++ b/os/lia/modules/sshfwd.nix
@@ -1,53 +1,57 @@ -{ pkgs, config, ... }: let - mkFwdSrv = { - local_port, - remote_port, - remote_user, - remote ? "sinanmohd.com", - ssh_port ? 22, - key ? config.sops.secrets."sshfwd/${remote}".path, - }: { - "sshfwd-${toString local_port}-${remote}:${toString remote_port}" = { - description = "Forwarding port ${toString local_port} to ${remote}"; +{ pkgs, config, ... }: +let + mkFwdSrv = + { + local_port, + remote_port, + remote_user, + remote ? "sinanmohd.com", + ssh_port ? 22, + key ? config.sops.secrets."sshfwd/${remote}".path, + }: + { + "sshfwd-${toString local_port}-${remote}:${toString remote_port}" = { + description = "Forwarding port ${toString local_port} to ${remote}"; - wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - # restart rather than stop+start this unit to prevent - # the ssh from dying during switch-to-configuration. - stopIfChanged = false; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + # restart rather than stop+start this unit to prevent + # the ssh from dying during switch-to-configuration. 
+ stopIfChanged = false; - serviceConfig = { - ExecStart = '' - ${pkgs.openssh}/bin/ssh -N ${remote_user}@${remote} -p ${toString ssh_port} \ - -R '[::]:${toString remote_port}:127.0.0.1:${toString local_port}' \ - -o ServerAliveInterval=15 \ - -o ExitOnForwardFailure=yes \ - -i ${key} - ''; + serviceConfig = { + ExecStart = '' + ${pkgs.openssh}/bin/ssh -N ${remote_user}@${remote} -p ${toString ssh_port} \ + -R '[::]:${toString remote_port}:127.0.0.1:${toString local_port}' \ + -o ServerAliveInterval=15 \ + -o ExitOnForwardFailure=yes \ + -i ${key} + ''; - RestartSec = 3; - Restart = "always"; - }; + RestartSec = 3; + Restart = "always"; + }; + }; }; - }; -in { - sops.secrets."sshfwd/sinanmohd.com" = {}; - sops.secrets."sshfwd/lia.sinanmohd.com" = {}; +in +{ + sops.secrets."sshfwd/sinanmohd.com" = { }; + sops.secrets."sshfwd/lia.sinanmohd.com" = { }; environment.systemPackages = with pkgs; [ openssh ]; - systemd.services - = (mkFwdSrv { - local_port = 22; - remote_user = "lia"; - remote_port = 2222; - }) // - (mkFwdSrv { - local_port = 22; - remote_port = 22; - ssh_port = 23; - remote_user = "root"; - remote = "lia.sinanmohd.com"; - }); + systemd.services = + (mkFwdSrv { + local_port = 22; + remote_user = "lia"; + remote_port = 2222; + }) + // (mkFwdSrv { + local_port = 22; + remote_port = 22; + ssh_port = 23; + remote_user = "root"; + remote = "lia.sinanmohd.com"; + }); } diff --git a/os/lia/modules/users.nix b/os/lia/modules/users.nix index 26f5dc8..3a44104 100644 --- a/os/lia/modules/users.nix +++ b/os/lia/modules/users.nix 
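Review bot: The units built by `mkFwdSrv` run `ssh` as root (the `serviceConfig` sets only `ExecStart`, `RestartSec` and `Restart`, no `User`), and `ExecStart` passes no host-key policy, so every tunnel depends on root's `known_hosts` holding the right key for `${remote}` — state that this configuration does not manage. Pinning the server keys declaratively via `programs.ssh.knownHosts.${remote}.publicKey` and adding `-o StrictHostKeyChecking=yes -o BatchMode=yes` to the ssh command makes a key mismatch fail closed and keeps the unit from stalling on a prompt. Running the tunnel under a dedicated `User` that owns the sops key at `${key}` would also take root out of a long-lived outbound connection. The hunk covers the whole module, so nothing here is cut off.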
@@ -1,18 +1,24 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ users.users = { "rohit" = { isNormalUser = true; extraGroups = [ "wheel" ]; - packages = with pkgs; [ git htop ]; - openssh.authorizedKeys.keys = - [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus" ]; + packages = with pkgs; [ + git + htop + ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus" + ]; }; "sharu" = { isNormalUser = true; - openssh.authorizedKeys.keys = - [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie" + ]; }; }; } diff --git a/os/pc/configuration.nix b/os/pc/configuration.nix index 7e7218a..33f38cd 100644 --- a/os/pc/configuration.nix +++ b/os/pc/configuration.nix @@ -1,6 +1,8 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let user = config.global.userdata.name; -in { +in +{ imports = [ ../common/configuration.nix @@ -19,8 +21,8 @@ in { }; services.pipewire = { - enable = true; - pulse.enable = true; + enable = true; + pulse.enable = true; }; documentation.dev.enable = true; diff --git a/os/pc/modules/firejail.nix b/os/pc/modules/firejail.nix index 920607e..f915d07 100644 --- a/os/pc/modules/firejail.nix +++ b/os/pc/modules/firejail.nix @@ -1,4 +1,5 @@ -{ pkgs, lib, ... }: { +{ pkgs, lib, ... }: +{ programs.firejail = { enable = true; diff --git a/os/pc/modules/getty.nix b/os/pc/modules/getty.nix index 8c7f57e..c0d5d1c 100644 --- a/os/pc/modules/getty.nix +++ b/os/pc/modules/getty.nix @@ -1,6 +1,8 @@ -{ config, ... }: let +{ config, ... }: +let user = config.global.userdata.name; -in { +in +{ systemd.services."getty@".serviceConfig.TTYVTDisallocate = "no"; services.getty = { diff --git a/os/pc/modules/network.nix b/os/pc/modules/network.nix index 6e07963..029822f 100644 
--- a/os/pc/modules/network.nix +++ b/os/pc/modules/network.nix @@ -1,5 +1,6 @@ -{ ... }: { - networking.wireless.iwd = { +{ ... }: +{ + networking.wireless.iwd = { enable = true; settings = { diff --git a/os/pc/modules/nocodb.nix b/os/pc/modules/nocodb.nix index 6b26bf2..9bd1d75 100644 --- a/os/pc/modules/nocodb.nix +++ b/os/pc/modules/nocodb.nix @@ -1,6 +1,13 @@ -{ config, pkgs, lib, ... }: let +{ + config, + pkgs, + lib, + ... +}: +let user = config.global.userdata.name; -in { +in +{ programs.firejail.wrappedBinaries.slack = { executable = lib.getExe pkgs.slack; profile = "${pkgs.firejail}/etc/firejail/slack.profile"; diff --git a/os/pc/modules/nopolkit.nix b/os/pc/modules/nopolkit.nix index 0c45f41..f7148aa 100644 --- a/os/pc/modules/nopolkit.nix +++ b/os/pc/modules/nopolkit.nix @@ -1,26 +1,33 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let user = config.global.userdata.name; -in { +in +{ security.sudo = { enable = true; - extraRules = [{ - commands = [ - { - command = "${pkgs.systemd}/bin/systemctl suspend-then-hibernate"; - options = [ "SETENV" "NOPASSWD" ]; - } - { - command = "${pkgs.systemd}/bin/reboot"; - options = [ "NOPASSWD" ]; - } - { - command = "${pkgs.systemd}/bin/poweroff"; - options = [ "NOPASSWD" ]; - } - ]; + extraRules = [ + { + commands = [ + { + command = "${pkgs.systemd}/bin/systemctl suspend-then-hibernate"; + options = [ + "SETENV" + "NOPASSWD" + ]; + } + { + command = "${pkgs.systemd}/bin/reboot"; + options = [ "NOPASSWD" ]; + } + { + command = "${pkgs.systemd}/bin/poweroff"; + options = [ "NOPASSWD" ]; + } + ]; - users = [ user ]; - }]; + users = [ user ]; + } + ]; }; } diff --git a/os/pc/modules/sshfs.nix b/os/pc/modules/sshfs.nix index 2dbccce..b173d7c 100644 --- a/os/pc/modules/sshfs.nix +++ b/os/pc/modules/sshfs.nix 
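Review bot: In the nopolkit.nix hunk, the `systemctl suspend-then-hibernate` rule grants `"SETENV"` alongside `"NOPASSWD"`, which lets `${user}` override sudo's environment reset for that command; the `reboot` and `poweroff` entries do not need it and it is not obvious why this one does. Unless a specific variable is required, drop `"SETENV"` so that the three rules are uniform, or add a comment on that entry naming the variable it exists for. The hunk covers the whole module.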
@@ -1,9 +1,11 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let domain = config.global.userdata.domain; user = config.global.userdata.name; uid = config.users.users.${user}.uid; gid = config.users.groups.users.gid; -in { +in +{ sops.secrets."misc/sftp".sopsFile = ../secrets.yaml; system.fsPackages = with pkgs; [ sshfs ]; @@ -12,12 +14,12 @@ in { fsType = "sshfs"; options = [ - "allow_other" # for non-root access + "allow_other" # for non-root access "uid=${toString uid}" "gid=${toString gid}" - "_netdev" # this is a network fs + "_netdev" # this is a network fs "x-systemd.automount" # mount on demand - "reconnect" # handle connection drops + "reconnect" # handle connection drops "ServerAliveInterval=15" # keep connections alive "IdentityFile=${config.sops.secrets."misc/sftp".path}" ]; diff --git a/os/pc/modules/wayland.nix b/os/pc/modules/wayland.nix index 33f25c8..6787e9a 100644 --- a/os/pc/modules/wayland.nix +++ b/os/pc/modules/wayland.nix @@ -1,11 +1,12 @@ -{ config, pkgs, ... }: let +{ config, pkgs, ... }: +let user = config.global.userdata.name; fontSans = config.global.font.sans.name; fontMonospace = config.global.font.monospace.name; - fontPackages = config.global.font.monospace.packages - ++ config.global.font.sans.packages; -in { + fontPackages = config.global.font.monospace.packages ++ config.global.font.sans.packages; +in +{ fonts = { packages = fontPackages; enableDefaultPackages = true; @@ -32,7 +33,10 @@ in { }; systemd.services.swaynag_battery = { - path = [ pkgs.sway pkgs.systemd ]; + path = [ + pkgs.sway + pkgs.systemd + ]; environment = { # TODO: don't hardcode them WAYLAND_DISPLAY = "wayland-1"; 
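Review bot: The sshfs option list in the `@@ -12,12 +14,12 @@` hunk pins the identity with `IdentityFile=…` but carries no host-key policy, so this root-run automount relies on root's `known_hosts` at mount time, which this configuration does not manage. Declaring the server's key via `programs.ssh.knownHosts` and adding `"StrictHostKeyChecking=yes"` next to `"ServerAliveInterval=15"` makes the pinning explicit and reproducible rather than dependent on state left on the machine. The `fileSystems` entry this list belongs to begins before the hunk.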
@@ -46,19 +50,21 @@ in { systemctl hibernate ''; }; - services.udev.extraRules = let - start = "${pkgs.systemd}/bin/systemctl start swaynag_battery"; - stop = "${pkgs.systemd}/bin/systemctl stop swaynag_battery"; - in '' - SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-9]", RUN+="${start}" - SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${stop}" - SUBSYSTEM=="power_supply", ATTR{status}=="Charging", RUN+="${stop}" - ''; + services.udev.extraRules = + let + start = "${pkgs.systemd}/bin/systemctl start swaynag_battery"; + stop = "${pkgs.systemd}/bin/systemctl stop swaynag_battery"; + in + '' + SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-9]", RUN+="${start}" + SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${stop}" + SUBSYSTEM=="power_supply", ATTR{status}=="Charging", RUN+="${stop}" + ''; hardware.graphics = { enable = true; enable32Bit = true; }; - security.pam.services.swaylock = {}; + security.pam.services.swaylock = { }; } |
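Review bot: The udev match `ATTR{capacity}=="[0-9]"` in `services.udev.extraRules` is a shell-style pattern that matches only single-digit values, i.e. the `start` rule fires only while battery capacity is below 10 %; that reads like an oversight until one knows it is deliberate. A comment above the heredoc such as `# capacity is one digit, i.e. below 10%` would save the next reader that check. The hunk covers the rest of the module through `security.pam.services.swaylock`.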