Clean branch

This commit is contained in:
Invariantspace 2023-10-09 10:44:07 -07:00
commit de986accc2
42 changed files with 1959 additions and 0 deletions

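--- a/linux/blitzar/audio.nix
+++ b/linux/blitzar/audio.nix
@@ -0,0 +1,17 @@
+{ ... }: {
+security.rtkit.enable = true;
+# Enable pipewire
+services.pipewire = {
+enable = true;
+alsa = {
+enable = true;
+support32Bit = true;
+};
+pulse.enable = true;
+};
+# Enable noisetorch
+programs.noisetorch.enable = true;
+}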


@ -0,0 +1,73 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ pkgs, ... }:
{
# Configure boot loader
boot.loader.grub = {
enable = true;
device = "nodev";
efiSupport = true;
efiInstallAsRemovable = true;
darkmatter-theme = {
enable = true;
style = "nixos";
resolution = "1440p";
};
};
# Set your time zone.
time.timeZone = "America/Los_Angeles";
# Enable bluetooth
hardware.bluetooth.enable = true;
# Enable hardware accelerated video decoding
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
vaapiVdpau
libvdpau-va-gl
];
};
# Enable firmware update
services.fwupd.enable = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

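--- a/linux/blitzar/default.nix
+++ b/linux/blitzar/default.nix
@@ -0,0 +1,18 @@
+{ inputs, ... }: {
+imports = with inputs; [
+darkmatter.nixosModule
+disko.nixosModules.disko
+hardware.nixosModules.asus-zephyrus-ga402
+] ++ [
+./audio.nix
+./configuration.nix
+./disko.nix
+./gui.nix
+./hardware-configuration.nix
+./network.nix
+./locale.nix
+./syncthing.nix
+./zfs.nix
+../../common
+];
+}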

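--- a/linux/blitzar/disko.nix
+++ b/linux/blitzar/disko.nix
@@ -0,0 +1,88 @@
+{ ... }: {
+disko.devices = {
+# Partition the physical disk
+disk = {
+storage = {
+type = "disk";
+device = "/dev/nvme0n1";
+content = {
+type = "table";
+format = "gpt";
+partitions = [
+{
+name = "esp";
+start = "2MiB";
+end = "2GiB";
+fs-type = "fat32";
+bootable = true;
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+}
+{
+name = "zfs";
+start = "2GiB";
+end = "100%";
+content = {
+type = "zfs";
+pool = "zroot";
+};
+}
+];
+};
+};
+};
+# Construct the primary zfs pool for this system.
+zpool.zroot = {
+type = "zpool";
+options = {
+ashift = "12";
+autotrim = "on";
+listsnapshots = "on";
+};
+rootFsOptions = {
+acltype = "posix";
+atime = "off";
+compression = "zstd";
+dnodesize = "auto";
+mountpoint = "none";
+normalization = "formD";
+xattr = "sa";
+};
+datasets = {
+# Encrypt main dataset
+main = {
+type = "zfs_fs";
+options = {
+encryption = "on";
+keyformat = "passphrase";
+};
+};
+# Create dataset for home
+"main/home" = {
+type = "zfs_fs";
+mountpoint = "/home";
+};
+# Create dataset for nix store
+"main/nix" = {
+type = "zfs_fs";
+mountpoint = "/nix";
+};
+# Create dataset for root
+"main/root" = {
+type = "zfs_fs";
+mountpoint = "/";
+};
+# Reserve space for performance
+reservation = {
+type = "zfs_fs";
+options.refreservation = "256G";
+};
+};
+};
+};
+}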
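Review bot: The `main` dataset turns on `encryption` with `keyformat = "passphrase"` but sets no `keylocation`, so the key comes from the console prompt at import (the ZFS default), and nothing on `main/home`, `main/nix` or `main/root` mentions encryption because they inherit it from `main`; a comment on the `main` block saying exactly that would spare the next reader a check of ZFS inheritance rules, e.g. `# Children inherit encryption from main; key is prompted for at import`. This file and nebula's disko.nix differ only in the ESP bounds and the `refreservation` size, so a shared function under ../../common taking those two values would remove the duplication. `device = "/dev/nvme0n1"` is a kernel name that can renumber when another NVMe device is attached; the `/dev/disk/by-id/...` path that disko's examples use is the stable form.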

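--- a/linux/blitzar/gui.nix
+++ b/linux/blitzar/gui.nix
@@ -0,0 +1,67 @@
+{ config, inputs, pkgs, ... }: {
+home-manager.users.${config.constants.userName} = {
+home.packages = with pkgs; [
+exactaudiocopy
+haruna
+jellyfin-media-player
+lutris
+nvtop-amd
+mono
+picard
+qbittorrent
+sweet
+sweet-nova
+telegram-desktop
+thunderbird
+wineWowPackages.waylandFull
+winetricks
+yuzu-mainline
+] ++ (with pkgs.libsForQt5; [
+kirigami-addons
+qt5.qtwebsockets
+]) ++ [
+inputs.nix-custom.packages.${pkgs.system}.wallpaper-engine-kde-plugin-lib
+(pkgs.python3.withPackages (ps: with ps; [
+websockets
+]))
+];
+programs = {
+firefox.enable = true;
+kitty = {
+enable = true;
+settings = {
+background_opacity = "0.72";
+remember_window_size = "no";
+};
+theme = "Tokyo Night Moon";
+};
+obs-studio.enable = true;
+};
+};
+programs.clash-verge = {
+enable = true;
+tunMode = true;
+autoStart = true;
+};
+programs.dconf.enable = true;
+programs.steam.enable = true;
+services.colord.enable = true;
+services.xserver = {
+enable = true;
+displayManager = {
+defaultSession = "plasmawayland";
+autoLogin.user = "macronova";
+sddm = {
+enable = true;
+autoLogin.relogin = true;
+};
+};
+desktopManager.plasma5.enable = true;
+videoDrivers = [ "amdgpu" ];
+};
+}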
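Review bot: `autoLogin.user = "macronova"` hard-codes the account name that the top of this file derives from `config.constants.userName`, so renaming the user in the constants module would leave SDDM auto-logging into an account that no longer exists; use `autoLogin.user = config.constants.userName;`. With `sddm.autoLogin.relogin = true` the only gate on a session is the ZFS passphrase prompt at boot, which is a defensible trade-off on a single-user laptop but deserves a comment beside the option so it reads as deliberate. `programs.clash-verge.tunMode = true` installs a privileged wrapper for the proxy binary as far as I can tell from the nixpkgs option, so a one-line comment naming why TUN mode (rather than the plain system proxy) is required would help the next reader judge that exposure.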


@ -0,0 +1,26 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

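--- a/linux/blitzar/locale.nix
+++ b/linux/blitzar/locale.nix
@@ -0,0 +1,82 @@
+{ pkgs, ... }: {
+# Configure default fonts
+fonts = {
+packages = with pkgs; [
+inter
+iosevka
+noto-fonts
+noto-fonts-cjk-sans
+noto-fonts-cjk-serif
+noto-fonts-emoji
+meslo-lgs-nf
+];
+fontconfig.defaultFonts = {
+serif = [ "Noto Serif" "Noto Serif CJK SC" ];
+sansSerif = [ "Inter" "Noto Sans CJK SC" ];
+monospace = [ "Iosevka" "Noto Sans CJK SC" ];
+};
+};
+# Configure input methods
+i18n = {
+defaultLocale = "en_US.UTF-8";
+inputMethod = {
+enabled = "fcitx5";
+fcitx5.addons = with pkgs; [ fcitx5-rime ];
+};
+supportedLocales = [
+"C.UTF-8/UTF-8"
+"en_US.UTF-8/UTF-8"
+"ja_JP.UTF-8/UTF-8"
+"zh_CN.GB18030/GB18030"
+"zh_CN.UTF-8/UTF-8"
+];
+};
+# Configure keyboard mapping
+services.kanata = {
+enable = true;
+keyboards.core = {
+devices = [ "/dev/input/by-id/usb-ASUSTeK_Computer_Inc._N-KEY_Device-if02-event-kbd" ];
+config = ''
+(defsrc
+esc f1 f2 f3 f4 f5 f6 f7 f8 f9 f10 f11 f12 del
+grv 1 2 3 4 5 6 7 8 9 0 - = bspc
+tab q w e r t y u i o p [ ] \
+caps a s d f g h j k l ; ' ret
+lsft z x c v b n m , . / rsft up
+lctl lmet lalt spc ralt rctl left down rght
+)
+(deflayer base
+_ _ _ _ _ _ _ _ _ _ _ _ _ _
+_ _ _ _ _ _ _ _ _ _ _ _ _ _
+_ _ _ _ _ _ _ _ _ _ _ _ _ _
+_ _ _ _ _ _ _ _ _ _ _ _ _
+_ _ _ _ _ _ _ _ _ _ _ _ _
+_ _ _ _ _ @li _ _ _
+)
+(deflayer index
+XX XX XX XX XX XX XX XX XX XX XX XX XX XX
+XX XX XX XX XX XX XX XX XX XX XX XX XX XX
+XX XX XX XX XX XX XX XX XX XX XX XX XX XX
+XX XX XX XX XX XX XX XX XX XX XX XX XX
+XX XX XX XX XX @lb XX @lm XX XX XX XX XX
+XX XX XX XX XX XX XX XX XX
+)
+(deflayer media
+XX XX XX XX XX XX XX XX XX XX XX XX XX XX
+XX XX XX XX XX XX XX XX XX XX XX XX XX XX
+XX XX XX XX XX XX XX XX XX XX XX XX XX XX
+XX XX XX XX XX XX XX XX XX XX XX XX XX
+XX XX XX XX XX XX XX XX prev next XX XX XX
+XX XX XX pp XX @li XX XX XX
+)
+(defalias
+li (layer-toggle index)
+lb (layer-switch base)
+lm (layer-switch media)
+)
+'';
+};
+};
+}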

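--- a/linux/blitzar/network.nix
+++ b/linux/blitzar/network.nix
@@ -0,0 +1,14 @@
+{ config, ... }: {
+networking = {
+domain = config.constants.domain;
+hostId = "30f8f777";
+hostName = "blitzar";
+networkmanager = {
+enable = true;
+wifi.backend = "iwd";
+};
+nftables.enable = true;
+wireless.iwd.enable = true;
+};
+services.resolved.enable = true;
+}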


@ -0,0 +1,27 @@
{ config, ... }:
{
services.syncthing = {
enable = true;
dataDir = config.constants.homeDir;
openDefaultPorts = true;
overrideDevices = true;
overrideFolders = true;
settings = {
devices.nebula = {
name = "nebula";
id = "KCQSN3M-UWBEDE6-SCS5LS7-WFKFLDK-WT5ECNB-3Z47WAM-ZMA52UL-ZNJUYQ7";
};
folders.music = {
enable = true;
devices = [ "nebula" ];
id = "Music";
label = "Music";
path = "~/Music";
type = "sendonly";
};
};
user = config.constants.userName;
};
}
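Review bot: `openDefaultPorts = true` opens Syncthing's transfer and local-discovery ports in the firewall on a laptop that will join untrusted networks; `overrideDevices = true` limits who can complete a connection to the single listed device ID, and that is the reasoning that should sit next to the option as a comment rather than be reconstructed later. `path = "~/Music"` is only meaningful because `dataDir` and `user` both come from the constants module, so the tilde resolves under that user's home; a short comment such as `# Relative to dataDir / the Syncthing user's home` keeps the coupling visible. The same shape appears in nebula's syncthing.nix.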

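--- a/linux/blitzar/zfs.nix
+++ b/linux/blitzar/zfs.nix
@@ -0,0 +1,83 @@
+{ config, lib, ... }: {
+boot = {
+kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+loader.grub.zfsSupport = true;
+zfs.enableUnstable = true;
+};
+services.zfs = {
+autoScrub.enable = true;
+trim.enable = true;
+};
+services.zrepl = {
+enable = true;
+settings = {
+global = {
+logging = [{
+type = "syslog";
+level = "info";
+format = "human";
+}];
+};
+jobs = [
+{
+name = "snapshot";
+type = "snap";
+filesystems = { "zroot/main/home" = true; };
+snapshotting = {
+type = "periodic";
+prefix = "zrepl-";
+interval = "1h";
+};
+pruning = {
+keep = [{
+type = "grid";
+regex = "^zrepl-.*";
+grid = lib.concatStringsSep " | " [ "1x1h(keep=all)" "24x1h" "7x1d" "4x1w" ];
+}];
+};
+}
+{
+name = "push-to-local-drive";
+type = "push";
+send = { encrypted = true; };
+connect = {
+type = "local";
+listener_name = "sink-to-local-drive";
+client_identity = config.networking.hostName;
+};
+filesystems = { "zroot/main/home" = true; };
+replication = {
+protection = {
+initial = "guarantee_resumability";
+incremental = "guarantee_incremental";
+};
+};
+snapshotting = { type = "manual"; };
+pruning = {
+keep_sender = [{ type = "regex"; regex = ".*"; }];
+keep_receiver = [{
+type = "grid";
+regex = "^zrepl-.*";
+grid = lib.concatStringsSep " | " [ "1x1h(keep=all)" "365x1d" "52x1w" ];
+}];
+};
+}
+{
+name = "sink-to-local-drive";
+type = "sink";
+recv = { placeholder = { encryption = "off"; }; };
+root_fs = "zbackup";
+serve = {
+type = "local";
+listener_name = "sink-to-local-drive";
+};
+}
+];
+};
+};
+}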
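Review bot: The `push-to-local-drive` job replicates into `root_fs = "zbackup"`, a pool that no disko or other module in this commit declares, so the job's dependence on an externally attached, manually imported drive is invisible in the repository; a comment on `root_fs` such as `# zbackup: external pool, imported by hand before this job runs` (or whatever the real arrangement is) would record it. `send.encrypted = true` together with a sink whose placeholders are `encryption = "off"` is the combination that makes the backup disk hold only ciphertext of `zroot/main/home`, and that is the property that makes an otherwise unencrypted backup pool acceptable, so it is worth stating on the `send` line. `boot.zfs.enableUnstable = true` on the root pool is the same choice as in nebula's zfs.nix; one shared comment on why the unstable ZFS branch is required would help.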

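--- a/linux/nebula/caddy.nix
+++ b/linux/nebula/caddy.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+{
+services.caddy =
+{
+enable = true;
+virtualHosts =
+let
+conduitCfg = config.services.matrix-conduit.settings.global;
+forgejoCfg = config.services.gitea.settings.server;
+dn = config.constants.domain;
+lh = config.constants.localhost;
+in
+{
+"forgejo.${dn}".extraConfig = ''
+reverse_proxy ${forgejoCfg.HTTP_ADDR}:${toString forgejoCfg.HTTP_PORT}
+'';
+"jellyfin.${dn}".extraConfig = ''
+reverse_proxy ${lh}:8096
+'';
+"matrix.${dn}".extraConfig = ''
+reverse_proxy /_matrix/* ${conduitCfg.address}:${toString conduitCfg.port}
+file_server {
+root ${pkgs.cinny}
+}
+'';
+};
+};
+}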
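Review bot: The `matrix.${dn}` block serves the Cinny web client from the same origin that proxies `/_matrix/*`, so content returned by the homeserver's media endpoints (which is user-uploaded) shares an origin with the client and its stored access token; the usual Matrix deployment guidance is to host the web client on its own hostname rather than at the homeserver's root, e.g. a separate `"chat.${dn}"` vhost carrying only the `file_server` stanza. `reverse_proxy ${lh}:8096` hard-codes the Jellyfin port while the other two vhosts read their upstream from module config; if the Jellyfin module exposes no port option, say so with `# Jellyfin module has no port option; 8096 is its built-in default` so the asymmetry reads as deliberate.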

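--- a/linux/nebula/conduit.nix
+++ b/linux/nebula/conduit.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+services.matrix-conduit = {
+enable = true;
+settings.global = {
+address = config.constants.localhost;
+server_name = config.constants.domain;
+};
+};
+}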
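Review bot: `settings.global` pins only `address` and `server_name`, leaving open registration to the module default (`allow_registration` is false in the nixpkgs module as far as I can tell), which is the safe direction but is precisely the kind of default a later module change can move on a publicly proxied homeserver; pin it explicitly with `allow_registration = false;` next to `server_name`. caddy.nix also reads `conduitCfg.port` from this attribute set without it being set here, so a comment noting that the port stays at the module default and is consumed by the reverse proxy would make the dependency visible.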


@ -0,0 +1,33 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).
{ ... }:
{
# Configure boot loader
boot.loader.grub = {
enable = true;
device = "nodev";
efiSupport = true;
efiInstallAsRemovable = true;
darkmatter-theme = {
enable = true;
style = "nixos";
};
};
# Set your time zone.
time.timeZone = "America/Los_Angeles";
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

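--- a/linux/nebula/default.nix
+++ b/linux/nebula/default.nix
@@ -0,0 +1,22 @@
+{ inputs, ... }:
+{
+imports = with inputs; [
+darkmatter.nixosModule
+disko.nixosModules.disko
+hardware.nixosModules.common-cpu-amd
+hardware.nixosModules.common-cpu-amd-pstate
+] ++ [
+./caddy.nix
+./conduit.nix
+./configuration.nix
+./disko.nix
+./forgejo.nix
+./hardware-configuration.nix
+./jellyfin.nix
+./network.nix
+./syncthing.nix
+./zfs.nix
+../../common
+];
+}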

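--- a/linux/nebula/disko.nix
+++ b/linux/nebula/disko.nix
@@ -0,0 +1,88 @@
+{ ... }: {
+disko.devices = {
+# Partition the physical disk
+disk = {
+storage = {
+type = "disk";
+device = "/dev/nvme0n1";
+content = {
+type = "table";
+format = "gpt";
+partitions = [
+{
+name = "esp";
+start = "1MiB";
+end = "1GiB";
+fs-type = "fat32";
+bootable = true;
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+}
+{
+name = "zfs";
+start = "1GiB";
+end = "100%";
+content = {
+type = "zfs";
+pool = "zroot";
+};
+}
+];
+};
+};
+};
+# Construct the primary zfs pool for this system.
+zpool.zroot = {
+type = "zpool";
+options = {
+ashift = "12";
+autotrim = "on";
+listsnapshots = "on";
+};
+rootFsOptions = {
+acltype = "posix";
+atime = "off";
+compression = "zstd";
+dnodesize = "auto";
+mountpoint = "none";
+normalization = "formD";
+xattr = "sa";
+};
+datasets = {
+# Encrypt main dataset
+main = {
+type = "zfs_fs";
+options = {
+encryption = "on";
+keyformat = "passphrase";
+};
+};
+# Create dataset for home
+"main/home" = {
+type = "zfs_fs";
+mountpoint = "/home";
+};
+# Create dataset for nix store
+"main/nix" = {
+type = "zfs_fs";
+mountpoint = "/nix";
+};
+# Create dataset for root
+"main/root" = {
+type = "zfs_fs";
+mountpoint = "/";
+};
+# Reserve space for performance
+reservation = {
+type = "zfs_fs";
+options.refreservation = "128G";
+};
+};
+};
+};
+}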

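--- a/linux/nebula/forgejo.nix
+++ b/linux/nebula/forgejo.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+{
+services.gitea = {
+enable = true;
+appName = "Forgejo";
+package = pkgs.forgejo;
+settings = {
+server = let dn = config.constants.domain; in {
+DOMAIN = dn;
+HTTP_ADDR = config.constants.localhost;
+ROOT_URL = "https://forgejo.${dn}";
+};
+service.DISABLE_REGISTRATION = true;
+session.COOKIE_SECURE = true;
+};
+};
+}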
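Review bot: `HTTP_PORT` is never set in the `server` block, yet caddy.nix builds its `reverse_proxy` target from `config.services.gitea.settings.server.HTTP_PORT`, so the evaluation depends on the gitea module declaring a default for that key (it does in the nixpkgs I know, but that is not visible here); either set it explicitly, `HTTP_PORT = 3000;`, or add `# HTTP_PORT left at the module default; caddy.nix reads it` so the cross-file coupling is recorded. `server.PROTOCOL` staying at http behind a local reverse proxy while `ROOT_URL` is https is the right shape and, together with `COOKIE_SECURE = true`, deserves one sentence of comment so nobody later "fixes" the protocol to https.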


@ -0,0 +1,27 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "uas" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,9 @@
{ config, ... }:
{
hardware.opengl.enable = true;
services.jellyfin = {
enable = true;
user = config.constants.userName;
};
}
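Review bot: `user = config.constants.userName` runs the Jellyfin daemon under the interactive user account instead of the module's dedicated `jellyfin` user, so a compromise of the media server, which is reachable through the public `jellyfin.${dn}` Caddy vhost, yields that user's entire home directory including the Syncthing-replicated folders. Prefer the default service user and grant library access through a group or a read-only bind mount; if sharing the account is required for file ownership, document it beside the option with `# Runs as the personal account so the Music library stays user-owned`.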

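--- a/linux/nebula/network.nix
+++ b/linux/nebula/network.nix
@@ -0,0 +1,43 @@
+{ config, ... }:
+let hn = "nebula"; in {
+networking = {
+domain = config.constants.domain;
+firewall.allowedTCPPorts = [ 80 443 ];
+hostId = "e6449321";
+hostName = hn;
+networkmanager = {
+enable = true;
+wifi.backend = "iwd";
+};
+nftables.enable = true;
+tempAddresses = "disabled";
+wireless.iwd.enable = true;
+};
+sops.secrets."cloudflare/${hn}" = { };
+services.cloudflare-dyndns = {
+enable = true;
+apiTokenFile = config.sops.secrets."cloudflare/${hn}".path;
+domains = builtins.attrNames config.services.caddy.virtualHosts;
+ipv4 = false;
+ipv6 = true;
+};
+services.openssh = {
+enable = true;
+hostKeys = [{
+comment = "host@${hn}";
+path = "/etc/ssh/host";
+rounds = 100;
+type = "ed25519";
+}];
+settings = {
+PasswordAuthentication = false;
+KbdInteractiveAuthentication = false;
+};
+};
+services.resolved.enable = true;
+}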
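Review bot: `rounds = 100` in the host key entry has no effect on an unencrypted host key, because ssh-keygen's KDF rounds only apply when the private key is passphrase-protected and the NixOS module generates host keys without one, so the line promises hardening it does not deliver and can be dropped (the same entry appears in singularity's network.nix). `tempAddresses = "disabled"` turns off IPv6 privacy extensions, presumably so the AAAA record that `cloudflare-dyndns` publishes stays stable; that coupling deserves a comment, e.g. `# Privacy extensions off: dyndns publishes this host's stable IPv6 address`. Enabling `services.openssh` also opens port 22 through its `openFirewall` default, so the effective exposed set is 22, 80 and 443 rather than only the two listed in `allowedTCPPorts`, which is worth noting beside that list.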


@ -0,0 +1,26 @@
{ config, ... }:
{
services.syncthing = {
enable = true;
dataDir = config.constants.homeDir;
openDefaultPorts = true;
overrideDevices = true;
overrideFolders = true;
settings = {
devices.blitzar = {
name = "blitzar";
id = "JQQYTRP-GEJITYH-NSHUZ2T-YWS5XDC-7R6E47Z-NUXON4D-4QR77VU-AE4Q3AR";
};
folders.music = {
enable = true;
devices = [ "blitzar" ];
id = "Music";
label = "Music";
path = "~/Music";
type = "receiveonly";
};
};
user = config.constants.userName;
};
}

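--- a/linux/nebula/zfs.nix
+++ b/linux/nebula/zfs.nix
@@ -0,0 +1,15 @@
+{ config, ... }: {
+boot = {
+kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+loader.grub.zfsSupport = true;
+zfs.enableUnstable = true;
+};
+services.zfs = {
+autoScrub.enable = true;
+trim.enable = true;
+};
+}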
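Review bot: Unlike blitzar's zfs.nix, this host has no snapshot or replication job even though its disko layout puts the Forgejo, Conduit and Jellyfin state on the same encrypted `zroot/main/root` dataset; if that is intentional because the data is backed up elsewhere, a comment such as `# No zrepl job here: service state is backed up by <placeholder: mechanism>` would stop the asymmetry from reading as an omission. The `boot` block is byte-identical to blitzar's, so the two could share a small module under ../../common.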


@ -0,0 +1,59 @@
{ config, ... }:
{
services.caddy = {
enable = true;
email = config.constants.postMaster;
virtualHosts =
let
dn = config.constants.domain;
msfqdn = config.mailserver.fqdn;
mtfqdn = "matrix.${dn}";
vaultCfg = config.services.vaultwarden.config;
wn = s: "/.well-known/${s}";
in
{
"${dn}".extraConfig = let wnm = wn "matrix"; in ''
header ${wnm}/* Content-Type application/json
header ${wnm}/* Access-Control-Allow-Origin *
respond ${wnm}/server `{ "m.server": "${mtfqdn}:443" }`
respond ${wnm}/client `{
"m.homeserver": { "base_url": "https://${mtfqdn}" },
"m.identity_server": { "base_url": "https://${mtfqdn}" }
}`
'';
${msfqdn} = {
extraConfig = ''
file_server ${wn "acme-challenge"}/* {
root ${config.security.acme.defaults.webroot}/
}
'';
useACMEHost = msfqdn;
};
"vault.${dn}".extraConfig =
''
reverse_proxy /notifications/hub/negotiate ${vaultCfg.ROCKET_ADDRESS}:${
toString vaultCfg.ROCKET_PORT
}
reverse_proxy /notifications/hub ${vaultCfg.WEBSOCKET_ADDRESS}:${
toString vaultCfg.WEBSOCKET_PORT
}
reverse_proxy ${vaultCfg.ROCKET_ADDRESS}:${
toString vaultCfg.ROCKET_PORT
} {
header_up X-Real-IP {remote_host}
}
'';
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = config.constants.postMaster;
webroot = "/var/lib/acme/acme-challenge";
};
};
}


@ -0,0 +1,37 @@
{ config, pkgs, ... }:
{
boot = {
tmp.cleanOnBoot = true;
loader.grub.device = "/dev/sda";
};
constants.sopsFile = ../../common/auths.yaml;
environment.systemPackages = with pkgs; [
bat
bottom
helix
];
programs = {
fish.enable = true;
git.enable = true;
};
sops.secrets."users/root/password".neededForUsers = true;
system.stateVersion = "23.11";
users = {
mutableUsers = false;
users.root = {
openssh.authorizedKeys.keys = config.constants.publicKeys;
hashedPasswordFile = config.sops.secrets."users/root/password".path;
shell = pkgs.fish;
};
};
zramSwap.enable = true;
}
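Review bot: `users.root.openssh.authorizedKeys.keys = config.constants.publicKeys` makes root the only interactive account on this host, and key-based root SSH works only because `PermitRootLogin` is left at the NixOS default of `prohibit-password` in network.nix, which nothing in the commit states. Either add an unprivileged admin user in `wheel` and set `services.openssh.settings.PermitRootLogin = "no";`, or record the decision beside the keys with `# Direct root SSH by key; relies on the PermitRootLogin default prohibit-password` so a later sshd change cannot silently widen it. `boot.loader.grub.device = "/dev/sda"` is a bare kernel name on a VM, which is fine here but worth a comment that the hardware configuration below pins `/dev/sda3` to match.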


@ -0,0 +1,16 @@
{ inputs, ... }: {
imports = with inputs; [
mailserver.nixosModule
sops-nix.nixosModules.sops
] ++ [
./caddy.nix
./configuration.nix
./hardware-configuration.nix
./mailserver.nix
./network.nix
./vaultwarden.nix
./xray.nix
../../common/constants.nix
../../common/secrets.nix
];
}


@ -0,0 +1,38 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
# boot.initrd.availableKernelModules =
# [ "ata_piix" "virtio_pci" "virtio_scsi" "sd_mod" ];
# boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# fileSystems."/" = {
# device = "/dev/disk/by-uuid/6d3bf8cd-1996-45fb-";
# fsType = "ext4";
# };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; };
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
# networking.interfaces.ens19.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
}
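Review bot: The file keeps the nixos-generate-config banner "Do not modify this file!" yet has clearly been hand-edited: the `fileSystems."/"` entry and both initrd module lists are re-declared below their commented-out originals, and `nvme` is forced into `boot.initrd.kernelModules` on a `qemu-guest.nix` profile. Either drop the banner and the commented-out originals, or move the overrides into configuration.nix where the banner says changes belong, so a future `nixos-generate-config` run cannot silently revert the root device back to the by-uuid entry.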


@ -0,0 +1,25 @@
{ config, ... }:
let
dn = config.constants.domain;
usr = config.constants.userName;
mailSecret = "mail/${usr}/password";
in
{
mailserver =
{
enable = true;
fqdn = "mail.${dn}";
domains = [ dn ];
loginAccounts = {
"${usr}@${dn}" = {
aliases = [ config.constants.postMaster ];
hashedPasswordFile = config.sops.secrets.${mailSecret}.path;
};
};
certificateScheme = "acme";
};
sops.secrets.${mailSecret} = { };
}


@ -0,0 +1,34 @@
{ config, ... }:
let hn = "singularity"; in {
networking = {
domain = config.constants.domain;
firewall.allowedTCPPorts = [ 80 443 50051 ];
hostName = hn;
hostId = "2cadb253";
};
services.openssh = {
enable = true;
settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
};
hostKeys = [{
comment = "host@${hn}";
path = "/etc/ssh/host";
rounds = 100;
type = "ed25519";
}];
};
sops.secrets."cloudflare/${hn}" = { };
services.cloudflare-dyndns = {
enable = true;
apiTokenFile = config.sops.secrets."cloudflare/${hn}".path;
domains = builtins.attrNames config.services.caddy.virtualHosts;
};
services.resolved.enable = true;
}
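Review bot: `50051` in `firewall.allowedTCPPorts` carries no comment saying which service listens on it, whereas 80 and 443 obviously belong to Caddy; it is presumably the xray inbound whose configuration lives in the sops-managed secret, so write `50051 # xray inbound (see xray.nix)` to keep the rule tied to its owner and removable with it. The `rounds = 100` host-key setting is the same no-op on an unencrypted host key that I noted on nebula's network.nix.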


@ -0,0 +1,18 @@
{ config, ... }:
{
services.vaultwarden = let lh = config.constants.localhost; in {
enable = true;
config = {
# Disable signup
SIGNUPS_ALLOWED = false;
# Specify service port
ROCKET_ADDRESS = lh;
ROCKET_PORT = 25487;
# Specify notification port
WEBSOCKET_ENABLED = true;
WEBSOCKET_ADDRESS = lh;
WEBSOCKET_PORT = 40513;
};
};
}
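Review bot: `config` never sets `DOMAIN`, but Vaultwarden uses it to build the links it emails and to validate WebAuthn origins, so without `DOMAIN = "https://vault.${config.constants.domain}";` those features either fail or fall back to whatever the proxied request claims; add it next to `SIGNUPS_ALLOWED`. Leaving `ADMIN_TOKEN` unset keeps the admin page disabled, which is a good default that deserves a one-line comment so nobody adds a token "to make the admin page work" without weighing it. The `# Specify service port` and `# Specify notification port` comments describe the lines rather than why two listeners exist; a note that the websocket listener is proxied separately by singularity's caddy.nix would be more useful.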


@ -0,0 +1,10 @@
{ config, ... }:
let xrayCfg = "xray/config.json"; in {
services.xray = {
enable = true;
settingsFile = config.sops.secrets.${xrayCfg}.path;
};
sops.secrets.${xrayCfg}.mode = "0444";
}
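Review bot: `sops.secrets.${xrayCfg}.mode = "0444"` makes the decrypted xray configuration, which normally carries inbound credentials such as client identifiers, readable by every local user and service, apparently only so the xray unit (which I believe runs under a dynamic user) can open it. Prefer keeping the default `0400` and handing the file to the unit through `systemd.services.xray.serviceConfig.LoadCredential`, or set `owner`/`group` on the secret to a dedicated xray account, rather than widening the mode for everyone. Whichever is chosen, the line should carry a comment stating why the mode differs from the default, and the `50051` firewall rule in singularity's network.nix should reference this module so the two stay in step.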