nx2/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of ssh://ssh.nx2.site:50022/nx2/dotfiles

Browse Source
This commit is contained in:
Lennart J. Kurzweg (Nx2)
2025-05-31 13:48:40 +02:00
parent c4052ec34d 88e73a3ea8
commit 272ae1cd55
77 changed files with 1144 additions and 882 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
system-modules/adb.nix
View File

@@ -1,5 +1,5 @@
{ pkgs, host, lib, ... }:
lib.mkIf (host != "NxACE")
{ pkgs, hyper, lib, ... }:
lib.mkIf (hyper.host != "NxACE")
{
environment.systemPackages = with pkgs; [
adbfs-rootless

16
system-modules/boot.nix
View File

@@ -1,7 +1,7 @@
{ config, pkgs, pkgs-unstable, lib, host, domain, inputs, ... }:
{ config, pkgs, hyper, inputs, ... }:
let
grub-theme-ascii-diana = (pkgs.fetchFromGitea {
domain = "git.${domain}";
domain = "git.${hyper.domain}";
owner = "nx2";
repo = "grub-theme-ascii-diana";
rev = "0.5.0";
@@ -9,10 +9,10 @@ let
});
in
{
imports = if host == "NxNORTH" then [
imports = if hyper.host == "NxNORTH" then [
inputs.lanzaboote.nixosModules.lanzaboote
] else [];
config = if host == "NxNORTH" then {
config = if hyper.host == "NxNORTH" then {
# I have to boot with secureboot becasue of the chinese spyware called Vanguard
environment.systemPackages = with pkgs; [ sbctl ];
@@ -22,7 +22,7 @@ in
in {
enable = true;
pkiBundle = "/etc/secureboot";
package = lib.mkForce (pkgs.writeShellApplication {
package = pkgs.lib.mkForce (pkgs.writeShellApplication {
name = "lzbt";
runtimeInputs = [
inputs.lanzaboote.packages.x86_64-linux.tool
@@ -74,13 +74,13 @@ in
# '';
# };
};
kernelPackages = pkgs-unstable.linuxPackages_zen;
kernelPackages = pkgs.linuxPackages_zen;
extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
kernelModules = [ "v4l2loopback" ];
extraModprobeConfig = ''options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1'';
};
security.polkit.enable = true;
} else if host == "NxXPS" then {
} else if hyper.host == "NxXPS" then {
boot = {
loader = {
efi.canTouchEfiVariables = true;
@@ -103,7 +103,7 @@ in
'';
};
};
kernelPackages = pkgs-unstable.linuxPackages_latest;
kernelPackages = pkgs.linuxPackages_latest;
extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
kernelModules = [ "v4l2loopback" ];
extraModprobeConfig = ''options v4l2loopback devices=1 video_nr=1 card_label="OBS VCam" exclusive_caps=1'';

6
system-modules/calendar-lec.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, user, domain, ... }:
{ config, pkgs, hyper, ... }:
{
systemd.timers."nx_cal_lec" = {
enable = true;
@@ -74,7 +74,7 @@ def fetch_and_save_ical_events(ical_url, save_path):
if __name__ == "__main__":
# Replace with your iCal URL and target file path
ICAL_URL = "https://zlypher.github.io/lol-events/cal/league-of-legends-lec.ical"
SAVE_PATH = "${config.services.nginx.virtualHosts."${domain}".root}/lec.ics"
SAVE_PATH = "${config.services.nginx.virtualHosts."${hyper.domain}".root}/lec.ics"
fetch_and_save_ical_events(ICAL_URL, SAVE_PATH)
'');
@@ -83,7 +83,7 @@ if __name__ == "__main__":
'';
serviceConfig = {
Type = "oneshot";
User = "nx2";
User = hyper.user;
};
};
}

6
system-modules/calendar-lr.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, domain, ... }:
{ config, pkgs, hyper, ... }:
{
systemd.timers."nx_cal_lr" = {
enable = true;
@@ -59,7 +59,7 @@ def fetch_and_save_ical_events(ical_url, save_path):
if __name__ == "__main__":
# Replace with your iCal URL and target file path
ICAL_URL = "https://zlypher.github.io/lol-events/cal/league-of-legends-nlc.ical"
SAVE_PATH = "${config.services.nginx.virtualHosts."${domain}".root}/lr.ics"
SAVE_PATH = "${config.services.nginx.virtualHosts."${hyper.domain}".root}/lr.ics"
fetch_and_save_ical_events(ICAL_URL, SAVE_PATH)
'');
@@ -68,7 +68,7 @@ if __name__ == "__main__":
'';
serviceConfig = {
Type = "oneshot";
User = "nx2";
User = hyper.user;
};
};
}

14
system-modules/calendar-publish.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, user, ... }:
{ pkgs, hyper, ... }:
let
radicale-root = "/var/lib/radicale";
web-root = "/var/nginx/webroot";
@@ -115,11 +115,11 @@ def combine_ics_from_directories(directories, output_file):
if __name__ == "__main__":
# List of directories containing .ics files
DIRECTORIES = [
"${radicale-root}/collections/collection-root/${user}/preservation",
"${radicale-root}/collections/collection-root/${user}/effort",
"${radicale-root}/collections/collection-root/${user}/experience",
"${radicale-root}/collections/collection-root/${user}/exposure",
"${radicale-root}/collections/collection-root/${user}/engagement",
"${radicale-root}/collections/collection-root/${hyper.user}/preservation",
"${radicale-root}/collections/collection-root/${hyper.user}/effort",
"${radicale-root}/collections/collection-root/${hyper.user}/experience",
"${radicale-root}/collections/collection-root/${hyper.user}/exposure",
"${radicale-root}/collections/collection-root/${hyper.user}/engagement",
]
# Path to the output .ics file
@@ -132,7 +132,7 @@ if __name__ == "__main__":
'';
serviceConfig = {
Type = "oneshot";
User = "nx2";
User = hyper.user;
};
};
}

4
system-modules/dm.nix
View File

@@ -1,11 +1,11 @@
{ pkgs, user, ... }:
{ pkgs, hyper, ... }:
{
services.greetd = {
enable = true;
settings = rec {
hyprland = {
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --remember --cmd Hyprland --remember-user-session --window-padding 5";
user = user;
user = hyper.user;
};
default_session = hyprland;
vt = 2;

4
system-modules/docker.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, user, ... }:
{ pkgs, hyper, ... }:
{
environment.systemPackages = with pkgs; [
@@ -12,7 +12,7 @@
# vpnKitMaxPortIdleTime = 0;
# };
};
users.users."${user}".extraGroups = [ "docker" ];
users.users."${hyper.user}".extraGroups = [ "docker" ];
networking.firewall.allowedTCPPorts = [
80
443

15
system-modules/fonts.nix
View File

@@ -1,9 +1,4 @@
{
pkgs,
# pkgs-unstable,
rice,
...
}:
{ pkgs, rice, ... }:
{
fonts.packages = with pkgs; [
noto-fonts
@@ -12,10 +7,14 @@
noto-fonts-emoji
newcomputermodern
atkinson-hyperlegible
(nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
nerd-fonts.jetbrains-mono
nerd-fonts.zed-mono
nerd-fonts.profont
nerd-fonts.proggy-clean-tt
nerd-fonts.heavy-data
nerd-fonts._3270
] ++ (with rice.font; [
base.package
code.package
# ]) ++ (with pkgs-unstable; [
]);
}

5
system-modules/games.nix
View File

@@ -1,6 +1,5 @@
{ lib, host, ... }:
lib.mkIf (host == "NxNORTH" || host == "NxACE")
# lib.mkIf (host == "NxNORTH")
{ pkgs, hyper, ... }:
pkgs.lib.mkIf (hyper.host == "NxNORTH" || hyper.host == "NxACE")
{
programs = {
steam = {

26
system-modules/hardware-configuration.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, user, host, pkgs, modulesPath, ... }:
{ config, pkgs, hyper, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
@@ -13,10 +13,10 @@
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems = if host != "NxACE" then {
fileSystems = if hyper.host != "NxACE" then {
"/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; };
"/boot" = { device = "/dev/disk/by-label/EFI"; fsType = "vfat"; };
"/home/${user}/shared" = { device = "/dev/disk/by-label/shared"; fsType = "ntfs"; options = [ "uid=1000" "gid=100" ]; };
"/home/${hyper.user}/shared" = { device = "/dev/disk/by-label/shared"; fsType = "ntfs"; options = [ "uid=1000" "gid=100" ]; };
} else {
"/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; };
"/boot" = { device = "/dev/disk/by-label/EFI"; fsType = "vfat"; };
@@ -29,24 +29,24 @@
{ device = "/dev/disk/by-label/swap"; }
];
networking.useDHCP = lib.mkDefault true;
networking.useDHCP = pkgs.lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
nixpkgs.hostPlatform = pkgs.lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = pkgs.lib.mkDefault config.hardware.enableRedistributableFirmware;
# from nixos-hardware
services.thermald.enable = lib.mkDefault true;
boot.extraModprobeConfig = if host == "NxXPS" then ''
services.thermald.enable = pkgs.lib.mkDefault true;
boot.extraModprobeConfig = if hyper.host == "NxXPS" then ''
options iwlwifi 11n_disable=8
'' else "";
boot.initrd.kernelModules = if host == "NxXPS" then [ "i915" ] else [];
boot.initrd.kernelModules = if hyper.host == "NxXPS" then [ "i915" ] else [];
environment.variables = if host == "NxXPS" then {
VDPAU_DRIVER = lib.mkIf config.hardware.graphics.enable (lib.mkDefault "va_gl");
environment.variables = if hyper.host == "NxXPS" then {
VDPAU_DRIVER = pkgs.lib.mkIf config.hardware.graphics.enable (pkgs.lib.mkDefault "va_gl");
} else {};
hardware.graphics.extraPackages = if host == "NxXPS" then with pkgs; [
(if (lib.versionOlder (lib.versions.majorMinor lib.version) "24.11") then vaapiIntel else intel-vaapi-driver)
hardware.graphics.extraPackages = if hyper.host == "NxXPS" then with pkgs; [
(if (lib.versionOlder (lib.versions.majorMinor lib.version) "25.05") then vaapiIntel else intel-vaapi-driver)
libvdpau-va-gl
intel-media-driver
] else [];

6
system-modules/health_reminder.nix
View File

@@ -1,5 +1,5 @@
{ pkgs, lib, host, ... }:
lib.mkIf (host != "NxACE")
{ pkgs, hyper, ... }:
pkgs.lib.mkIf (hyper.host != "NxACE")
{
systemd.timers."health_reminder" = {
enable = true;
@@ -56,7 +56,7 @@ lib.mkIf (host != "NxACE")
'';
serviceConfig = {
Type = "oneshot";
User = "nx2";
User = hyper.user;
};
};
}

6
system-modules/hugo.nix
View File

@@ -1,5 +1,5 @@
{ pkgs-unstable, user, ... }:
let p = pkgs-unstable; in
{ pkgs, hyper, ... }:
let p = pkgs; in
{
environment.systemPackages = with p; [
hugo
@@ -11,7 +11,7 @@ let p = pkgs-unstable; in
"hugo".name = "hugo";
};
users = {
"${user}".extraGroups = [ "hugo" ];
"${hyper.user}".extraGroups = [ "hugo" ];
"nginx".extraGroups = [ "hugo" ];
"hugo" = {
isSystemUser = true;

14
system-modules/networking.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, lib, host, secrets, ... }:
{ pkgs, hyper, secrets, ... }:
{
# sops.secrets = {
# "wireless-networking.env" = {};
@@ -9,7 +9,7 @@
"1.1.1.1"
"8.8.8.8"
];
hostName = host;
hostName = hyper.host;
networkmanager = {
enable = true;
};
@@ -21,14 +21,4 @@
8080
];
};
environment.etc = {
"ssl/certs/tuda-eduroam-root.crt".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2:1.crt";
};
sops.secrets = {
"eduroam/tuda_nmconnection" = {
mode = "0600";
owner = "root";
path = "/etc/NetworkManager/system-connections/eduroam.nmconnection";
};
};
}

8
system-modules/nvidia.nix
View File

@@ -1,5 +1,5 @@
{ config, pkgs, lib, nvidia, ... }:
lib.mkIf nvidia.enable
{ config, pkgs, hyper, ... }:
pkgs.lib.mkIf hyper.nvidia.enable
{
environment.systemPackages = with pkgs; [
lshw
@@ -21,7 +21,7 @@ lib.mkIf nvidia.enable
hardware = {
nvidia = {
prime = lib.mkIf nvidia.prime {
prime = pkgs.lib.mkIf hyper.nvidia.prime {
intelBusId = "PCI:0:2:0";
nvidiaBusId = "PCI:1:0:0";
offload = {
@@ -41,7 +41,7 @@ lib.mkIf nvidia.enable
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
powerManagement.finegrained = nvidia.prime;
powerManagement.finegrained = hyper.nvidia.prime;
# Use the NVidia open source kernel module (not to be confused with the
# independent third-party "nouveau" open source driver).

18
system-modules/nx2site.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, user, domain, secrets, ... }:
{ config, pkgs, hyper, secrets, ... }:
let dns-user = "cloudflare"; in
{
sops.secrets = {
@@ -15,7 +15,7 @@ let dns-user = "cloudflare"; in
isSystemUser = true;
group = dns-user;
};
"${user}".extraGroups = [ dns-user ];
"${hyper.user}".extraGroups = [ dns-user ];
};
groups."${dns-user}" = {};
};
@@ -85,14 +85,14 @@ def main():
# Perform DNS updates
# https://developers.cloudflare.com/api/operations/dns-records-for-a-zone-update-dns-record
print(f"${domain}: {update_record(record_id="${record_id.base}", record_name="${domain}", ip=my_ip, type="A", proxied=True, pw=pw).status_code}", end=", ")
print(f"*.${domain}: {update_record(record_id="${record_id.sub}", record_name="*.${domain}", ip=my_ip, type="A", proxied=True, pw=pw).status_code}", end=", ")
print(f"ssh.${domain}: {update_record(record_id="${record_id.ssh}", record_name="ssh.${domain}", ip=my_ip, type="A", proxied=False, pw=pw).status_code}", end=", ")
print(f"dev.${domain}: {update_record(record_id="${record_id.dev}", record_name="dev.${domain}", ip=my_ip, type="A", proxied=False, pw=pw).status_code}", end=", ")
print(f"${hyper.domain}: {update_record(record_id="${record_id.base}", record_name="${hyper.domain}", ip=my_ip, type="A", proxied=True, pw=pw).status_code}", end=", ")
print(f"*.${hyper.domain}: {update_record(record_id="${record_id.sub}", record_name="*.${hyper.domain}", ip=my_ip, type="A", proxied=True, pw=pw).status_code}", end=", ")
print(f"ssh.${hyper.domain}: {update_record(record_id="${record_id.ssh}", record_name="ssh.${hyper.domain}", ip=my_ip, type="A", proxied=False, pw=pw).status_code}", end=", ")
print(f"dev.${hyper.domain}: {update_record(record_id="${record_id.dev}", record_name="dev.${hyper.domain}", ip=my_ip, type="A", proxied=False, pw=pw).status_code}", end=", ")
print(f"${domain}: {update_record(record_id="${record_id.base6}", record_name="${domain}", ip=my_ip6, type="AAAA", proxied=True, pw=pw).status_code}", end=", ")
print(f"*.${domain}: {update_record(record_id="${record_id.sub6}", record_name="*.${domain}", ip=my_ip6, type="AAAA", proxied=True, pw=pw).status_code}", end=", ")
print(f"ssh.${domain}: {update_record(record_id="${record_id.ssh6}", record_name="ssh.${domain}", ip=my_ip6, type="AAAA", proxied=False, pw=pw).status_code}", end="")
print(f"${hyper.domain}: {update_record(record_id="${record_id.base6}", record_name="${hyper.domain}", ip=my_ip6, type="AAAA", proxied=True, pw=pw).status_code}", end=", ")
print(f"*.${hyper.domain}: {update_record(record_id="${record_id.sub6}", record_name="*.${hyper.domain}", ip=my_ip6, type="AAAA", proxied=True, pw=pw).status_code}", end=", ")
print(f"ssh.${hyper.domain}: {update_record(record_id="${record_id.ssh6}", record_name="ssh.${hyper.domain}", ip=my_ip6, type="AAAA", proxied=False, pw=pw).status_code}", end="")
if __name__ == "__main__":
main()

9
system-modules/nx2site/dyn_dns.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, domain, ... }:
{ config, pkgs, hyper, ... }:
{
sops.secrets = {
# "nx2site/namecheap.pw" = { };
@@ -8,13 +8,14 @@
};
};
services.cloudflare-dyndns = {
pkgs = pkgs.cloudflare-dyndns;
enable = true;
ipv4 = true;
ipv6 = config.networking.enableIPv6;
domains = [
"${domain}"
"*.${domain}"
"ssh.${domain}"
"${hyper.domain}"
"*.${hyper.domain}"
"ssh.${hyper.domain}"
];
proxied = true;
apiTokenFile = config.sops.secrets."nx2site/cloudflare/global-api-key-env".path;

14
system-modules/nx2site/gitea.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, secrets, user, domain, ... }:
{ config, pkgs, hyper, secrets, ... }:
let git-user = "git"; in
{
sops.secrets = {
@@ -7,13 +7,13 @@ let git-user = "git"; in
users = {
users = {
"${user}".extraGroups = [ git-user ];
"${hyper.user}".extraGroups = [ git-user ];
"${git-user}" = {
isSystemUser = true;
group = git-user;
useDefaultShell = true;
home = config.services.gitea.stateDir;
openssh.authorizedKeys.keys = config.users.users."${user}".openssh.authorizedKeys.keys;
openssh.authorizedKeys.keys = config.users.users."${hyper.user}".openssh.authorizedKeys.keys;
};
};
groups."${git-user}" = {};
@@ -63,12 +63,12 @@ let git-user = "git"; in
START_SSH_SERVER = false; # default
SSH_LISTEN_HOST = "0.0.0.0";
SSH_PORT = secrets.ssh.port;
DOMAIN = "git.${domain}";
SSH_DOMAIN = "ssh.${domain}";
DOMAIN = "git.${hyper.domain}";
SSH_DOMAIN = "ssh.${hyper.domain}";
# HTTP_ADDR = "${config.services.gitea.settings.server.DOMAIN}";
# HTTP_PORT = 3000; # default
# PROTOCOL = "http"; # default
ROOT_URL = "https://git.${domain}/"; # default
ROOT_URL = "https://git.${hyper.domain}/"; # default
};
session = {
COOKIE_SECURE = true;
@@ -90,7 +90,7 @@ let git-user = "git"; in
# hash = "sha256-Eibgoc3BJUXWdq8irgXea09fAvfKx2eQrJotp3P5DTg=";
# };
theme = pkgs.fetchFromGitea {
domain = "git.${domain}";
domain = "git.${hyper.domain}";
owner = "nx2";
repo = "Gitea-Pitch-Black";
rev = "0.1.1";

4
system-modules/nx2site/nextcloud.nix
View File

@@ -1,4 +1,4 @@
{ config, domain, ... }:
{ config, hyper, ... }:
{
sops.secrets = {
"nx2site/nextcloud/admin-pass" = { owner = "nextcloud"; };
@@ -9,7 +9,7 @@
services = {
nextcloud = {
enable = true;
hostName = "nc.${domain}";
hostName = "nc.${hyper.domain}";
https = true;
configureRedis = true;
config = {

7
system-modules/nx2site/open-web-calendar.nix
View File

@@ -1,15 +1,14 @@
{ pkgs, domain, ... }:
{ pkgs, hyper, ... }:
{
services = {
open-web-calendar = {
enable = true;
domain = "cal.${domain}";
domain = "cal.${hyper.domain}";
package = pkgs.open-web-calendar;
settings = {
# PORT = 21342;
};
calendarSettings = {
};
calendarSettings = { };
};
};
}

6
system-modules/nx2site/paperless.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, config, secrets, domain, user, ... }:
{ config, pkgs, hyper, secrets, ... }:
let paperless-user = "paperless"; in
{
sops.secrets = {
@@ -8,7 +8,7 @@ let paperless-user = "paperless"; in
};
users.users = {
"${user}".extraGroups = [ paperless-user ];
"${hyper.user}".extraGroups = [ paperless-user ];
"${paperless-user}".extraGroups = [ "redis-paperless" ];
};
@@ -64,7 +64,7 @@ let paperless-user = "paperless"; in
# PAPERLESS_LOGROTATE_MAX_SIZE= 1 MiB.
# PAPERLESS_LOGROTATE_MAX_BACKUPS= 20.
# PAPERLESS_SECRET_KEY=
PAPERLESS_URL = "https://doc.${domain}";
PAPERLESS_URL = "https://doc.${hyper.domain}";
# PAPERLESS_CSRF_TRUSTED_ORIGINS=
# PAPERLESS_ALLOWED_HOSTS=
# PAPERLESS_CORS_ALLOWED_HOSTS=

43
system-modules/nx2site/proxy.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, lib, domain, ... }:
{ config, hyper, pkgs, ... }:
{
sops.secrets = {
"nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
@@ -8,13 +8,13 @@
security.acme = {
acceptTerms = true;
defaults = {
email = "acme@${domain}";
email = "acme@${hyper.domain}";
webroot = "/var/nginx/webroot";
group = "nginx";
};
certs = {
"${domain}" = {
extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "sync" ];
"${hyper.domain}" = {
extraDomainNames = builtins.map (subd: "${subd}.${hyper.domain}") [ "sync" ];
};
};
};
@@ -76,7 +76,7 @@
enableACME = true;
};
in {
"${domain}" = vh // {
"${hyper.domain}" = vh // {
root = "/var/nginx/webroot";
default = true;
listen = dl;
@@ -95,11 +95,11 @@
"/.well-known/matrix/server" = { return = "502"; };
};
};
"matrix.${domain}" = {
"matrix.${hyper.domain}" = {
listen = dl;
locations = { "~.*" = { return = "502"; }; };
};
# "pw.${domain}" = vh // {
# "pw.${hyper.domain}" = vh // {
# listen = dl;
# locations = let d = "pw.docker:80"; in {
# "/" = { proxyPass = "http://${d}"; };
@@ -108,7 +108,7 @@
# "/notifications/hub/negotiate" = { proxyPass = "http://${d}"; };
# };
# };
"pw.${domain}" = vh // {
"pw.${hyper.domain}" = vh // {
listen = dl;
locations = let
d = with config.services.vaultwarden.config; "${ROCKET_ADDRESS}:${builtins.toString ROCKET_PORT}";
@@ -119,49 +119,48 @@
"/notifications/hub/negotiate" = { proxyPass = "http://${d}"; };
};
};
"sync.${domain}" = vh // {
"sync.${hyper.domain}" = vh // {
listen = dl;
locations = { "/" = { proxyPass = "http://127.0.0.1:11434"; }; };
};
# "git.${domain}" = vh // {
# "git.${hyper.domain}" = vh // {
# listen = dl;
# locations = { "/" = { proxyPass = "http://git.docker:3000"; }; };
# };
"git.${domain}" = vh // {
"git.${hyper.domain}" = vh // {
http2 = false;
listen = dl;
locations = { "/" = { proxyPass = "http://127.0.0.1:3000"; }; };
};
"doc.${domain}" = vh // {
"doc.${hyper.domain}" = vh // {
listen = dl;
locations = { "/" = { proxyPass = "http://127.0.0.1:8441"; }; };
};
"dav.${domain}" = lib.mkIf config.services.radicale.enable (vh // {
"dav.${hyper.domain}" = pkgs.lib.mkIf config.services.radicale.enable (vh // {
listen = dl;
locations = { "/" = { proxyPass = "http://127.0.0.1:5232"; }; };
});
# "nc.${domain}" = vh // {
# "nc.${hyper.domain}" = vh // {
# # directly to nc
# };
"abs.${domain}" = vh // {
"abs.${hyper.domain}" = vh // {
listen = dl;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString config.services.audiobookshelf.port}";
proxyWebsockets = true;
};
};
"pnx.${domain}" = vh // {
"pnx.${hyper.domain}" = vh // {
listen = dl;
locations."/" = {
proxyPass = "http://127.0.0.1:8040";
proxyWebsockets = true;
};
};
"wip.${domain}" = vh // {
"wip.${hyper.domain}" = vh // {
listen = dl;
root = "/var/lib/hugo/nx2site/public";
};
"dev.${domain}" = vh // {
"dev.${hyper.domain}" = vh // {
listen = dl;
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
@@ -169,17 +168,17 @@
};
};
# is done atomatically
# "cal.${domain}" = vh // {
# "cal.${hyper.domain}" = vh // {
# listen = dl;
# locations = { "/" = {
# proxyPass = "http://unix:///run/open-web-calendar/socket";
# proxyWebsockets = true;
# }; };
# };
"~^(.*).${domain}$" = {
"~^(.*).${hyper.domain}$" = {
listen = dl;
root = "/var/nginx/webroot";
locations = { "~.*" = { return = "301 https://${domain}/502.html"; }; };
locations = { "~.*" = { return = "301 https://${hyper.domain}/502.html"; }; };
};
};
};

4
system-modules/nx2site/radicale.nix
View File

@@ -1,4 +1,4 @@
{ config, domain, ... }:
{ config, hyper, ... }:
{
sops.secrets = {
"nx2site/radicale/htpasswd" = {
@@ -15,7 +15,7 @@
port = builtins.toString 5232;
in [
"0.0.0.0:${port}"
"${domain}:${port}"
"${hyper.domain}:${port}"
# "192.168.178.32:${port}"
];
auth = {

4
system-modules/nx2site/vaultwarden.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, secrets, domain, ... }:
{ config, pkgs, hyper, secrets, ... }:
{
sops.secrets = {
"nx2site/vaultwarden.env" = {
@@ -27,7 +27,7 @@
SMTP_PASSWORD = "@SMTP_PASSWORD@";
LOGIN_RATELIMIT_MAX_BURST = 10;
LOGIN_RATELIMIT_SECONDS = 60;
DOMAIN = "https://pw.${domain}";
DOMAIN = "https://pw.${hyper.domain}";
INVITATION_ORG_NAME = "NxPW";
INVITATIONS_ALLOWED = true;
ADMIN_TOKEN = "@ADMIN_TOKEN@";

14
system-modules/ollama.nix
View File

@@ -1,14 +1,10 @@
{ pkgs, lib, host, nvidia, ... }:
let
p = if nvidia.enable then pkgs.ollama-cuda else pkgs.ollama;
in {
environment.systemPackages = [ p ];
{ pkgs, hyper, ... }:
{
services.ollama = {
package = p;
package = if hyper.nvidia.enable then pkgs.ollama-cuda else pkgs.ollama;
enable = true;
acceleration = lib.mkIf nvidia.enable "cuda";
host = if host == "NxACE" then "0.0.0.0" else "127.0.0.1";
acceleration = pkgs.lib.mkIf hyper.nvidia.enable "cuda";
host = if hyper.host == "NxACE" then "0.0.0.0" else "127.0.0.1";
port = 11434;
environmentVariables = {
OLLAMA_ORIGINS = "*";

9
system-modules/sops.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, user, ... }:
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
age
@@ -8,15 +8,10 @@
sops = {
defaultSopsFile = ../sops-secrets.yaml;
defaultSopsFormat = "yaml";
# age = {
# sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# generateKey = true;
# };
# gnupg = {
# sshKeyPaths = [];
# home = "/home/${user}/.gnupg";
# home = "${hyper.user}/.gnupg";
# };
secrets.example = {};
};
}

8
system-modules/sshd.nix
View File

@@ -1,13 +1,13 @@
{ host, secrets, ... }:
{ hyper, secrets, ... }:
{
environment.etc."ssh/ssh_host_ed25519_key.pub".text = if (host == "NxNORTH") then
environment.etc."ssh/ssh_host_ed25519_key.pub".text = if (hyper.host == "NxNORTH") then
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF1r5gUQPPS/dGB0SsvWtP6WdNWoxMwhhHRrqlO19cJt root@NxNORTH"
else if ( host == "NxXPS" ) then
else if ( hyper.host == "NxXPS" ) then
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPf+08+t8a0lY2+nR1mhIU3vuksStiJOlojJjzCwFk7r root@NxXPS"
else
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFfZpWVPlujsz3FklSVAM+tuYn4pzDSijhp5CeYNOZk root@NxACE";
sops.secrets."ssh/${host}-ssh_host_ed25519_key" = {
sops.secrets."ssh/${hyper.host}-ssh_host_ed25519_key" = {
mode = "0600";
path = "/etc/ssh/ssh_host_ed25519_key.shadow";
};

38
system-modules/syncthing.nix
View File

@@ -1,10 +1,5 @@
{
config,
lib,
user,
host,
secrets,
... }: let
{ config, pkgs, hyper, secrets, ... }:
let
# helper funcitons
conv = _: device: with device; { "${name}" = {id = id;};};
justname = devices: (builtins.map (device: device.name)) devices;
@@ -22,7 +17,7 @@
};
dirs = {
default = { name = "sync"; path = "/home/${user}/sync"; };
default = { name = "sync"; path = "/home/${hyper.user}/sync"; };
s21u-dcim = { name = "s21u-dcim"; path = "/vault/Pictures/Lennart"; };
diane-dcim = { name = "diane-dcim"; path = "/vault/Pictures/Diane"; };
dianesd-dcim = { name = "dianesd-dcim"; path = "/vault/Pictures/Diane-SD"; };
@@ -31,34 +26,35 @@
};
in {
sops.secrets = {
"syncthing/${host}/cert.pem" = { owner = user; };
"syncthing/${host}/key.pem" = { owner = user; };
"syncthing/${hyper.host}/cert.pem" = { owner = hyper.user; };
"syncthing/${hyper.host}/key.pem" = { owner = hyper.user; };
};
services.syncthing = with (builtins.mapAttrs conv devices); {
enable = true;
user = "${user}";
dataDir = "/home/${user}/.local/share/syncthing"; # useless ?
configDir = "/home/${user}/.config/syncthing";
key = config.sops.secrets."syncthing/${host}/key.pem".path;
cert = config.sops.secrets."syncthing/${host}/cert.pem".path;
user = "${hyper.user}";
package = pkgs.syncthing;
dataDir = "/home/${hyper.user}/.local/share/syncthing"; # useless ?
configDir = "/home/${hyper.user}/.config/syncthing";
key = config.sops.secrets."syncthing/${hyper.host}/key.pem".path;
cert = config.sops.secrets."syncthing/${hyper.host}/cert.pem".path;
overrideDevices = true;
overrideFolders = true;
# guiAddress = "127.0.0.1:8384";
guiAddress = if ( host == "NxACE" ) then "0.0.0.0:8384" else "127.0.0.1:8384";
guiAddress = if ( hyper.host == "NxACE" ) then "0.0.0.0:8384" else "127.0.0.1:8384";
settings = {
devices = with (builtins.mapAttrs conv devices); if (host == "NxXPS") then (
devices = with (builtins.mapAttrs conv devices); if (hyper.host == "NxXPS") then (
north // ace // s21u
) else if (host == "NxNORTH") then (
) else if (hyper.host == "NxNORTH") then (
xps // ace // s21u
) else (
north // xps // s21u // diane // daniel // tessa // georg
);
folders = with dirs; if (host == "NxXPS") then {
folders = with dirs; if (hyper.host == "NxXPS") then {
"${default.name}" = {
path = default.path;
devices = with devices; (justname [ north ace s21u ]);
};
} else if (host == "NxNORTH") then {
} else if (hyper.host == "NxNORTH") then {
"${default.name}" = {
path = default.path;
devices = with devices; (justname [ xps ace s21u ]);
@@ -91,7 +87,7 @@ in {
};
gui = {
theme = "black";
user = user;
user = hyper.user;
password = secrets.syncthing.gui-password; # option to use a file is till in the works... https://github.com/NixOS/nixpkgs/issues/85336
};
};

13
system-modules/tuda.nix Normal file
View File

@@ -0,0 +1,13 @@
{ pkgs, ... }:
{
environment.etc = {
"ssl/certs/tuda-eduroam-root.crt".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2:1.crt";
};
sops.secrets = {
"eduroam/tuda_nmconnection" = {
mode = "0600";
owner = "root";
path = "/etc/NetworkManager/system-connections/eduroam.nmconnection";
};
};
}

5
system-modules/users.nix
View File

@@ -1,9 +1,8 @@
{ pkgs, user, ... }:
{ pkgs, hyper, ... }:
{
users.defaultUserShell = pkgs.bash; # if interactive, itll switch to fish
users.users."${user}" = {
users.users."${hyper.user}" = {
isNormalUser = true;
extraGroups = [
# TODO: actually put the groups into the relevant files

6
system-modules/virtualisation.nix
View File

@@ -1,12 +1,12 @@
{ config, pkgs, lib, user, host, ... }:
{ pkgs, hyper, ... }:
{
config = lib.mkIf (host == "NxNORTH") {
config = pkgs.lib.mkIf (hyper.host == "NxNORTH") {
environment.systemPackages = with pkgs; [
virtiofsd
];
virtualisation.libvirtd.enable = true;
programs.virt-manager.enable = true;
users.users."${user}".extraGroups = [ "libvirtd" ];
users.users."${hyper.user}".extraGroups = [ "libvirtd" ];
};
}

4
system-modules/ydotool.nix
View File

@@ -1,5 +1,5 @@
{ pkgs, lib, host, ... }:
lib.mkIf (host == "NxXPS")
{ pkgs, hyper, ... }:
pkgs.lib.mkIf (hyper.host == "NxXPS")
{
programs.ydotool.enable = true;
}