nx2/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of ssh://git.nx2.site:20022/nx2/dotfiles

Browse Source
This commit is contained in:
Lennart J. Kurzweg (Nx2)
2024-08-28 14:36:15 +02:00
parent 69e2bed0ce 20f8ea51c6
commit 3cfcbc1e2a
36 changed files with 1649 additions and 1100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
system-modules/auto-mount.nix Normal file
View File

@@ -0,0 +1,4 @@
{ ... }:
{
services.udisks2.enable = true;
}

4
system-modules/boot.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, lib, host, inputs, ... }:
{ config, pkgs, pkgs-unstable, lib, host, inputs, ... }:
let
grub-theme-ascii-diana = (pkgs.fetchFromGitea {
domain = "git.nx2.site";
@@ -76,7 +76,7 @@ in
# '';
# };
};
# kernelPackages = pkgs.linuxPackages_latest;
kernelPackages = pkgs-unstable.linuxPackages_zen;
extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
kernelModules = [ "v4l2loopback" ];
extraModprobeConfig = ''options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1'';

4
system-modules/davmail.nix
View File

@@ -1,4 +1,4 @@
{ config, lib, pkgs, user, allowed, secrets, ... }:
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
@@ -43,4 +43,4 @@
davmail.enableKerberos = false;
};
};
}
}

9
system-modules/hardware-configuration.nix
View File

@@ -4,12 +4,9 @@
(modulesPath + "/installer/scan/not-detected.nix")
];
environment.systemPackages = if host == "NxNORTH" then with pkgs; [
environment.systemPackages = with pkgs; [
ntfs3g
btrfs-progs
] else if host == "NxXPS" then with pkgs; [
ntfs3g
] else [];
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
# boot.initrd.kernelModules = [ ];
@@ -19,7 +16,7 @@
fileSystems = if host != "NxACE" then {
"/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; };
"/boot" = { device = "/dev/disk/by-label/EFI"; fsType = "vfat"; };
"/home/${user}/shared" = { device = "/dev/disk/by-label/shared"; fsType = if host == "NxXPS" then "ntfs" else "btrfs"; };
"/home/${user}/shared" = { device = "/dev/disk/by-label/shared"; fsType = "ntfs"; };
} else {
"/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; };
"/boot" = { device = "/dev/disk/by-label/EFI"; fsType = "vfat"; };

62
system-modules/hsmw.nix
View File

@@ -1,24 +1,30 @@
{ pkgs, lib, host, secrets, ... }:
lib.mkIf (host != "NxACE")
{
environment.systemPackages = [
pkgs.strongswanNM
environment.systemPackages = with pkgs; [
strongswanNM
];
environment.etc = {
# Easyroam
"ssl/certs/easyroam_client_cert.pem".source = ../secrets/easyroam-hsmw/easyroam_client_cert.pem;
"ssl/certs/easyroam_root_ca.pem".source = ../secrets/easyroam-hsmw/easyroam_root_ca.pem;
"ssl/certs/easyroam_client_key.pem".source = ../secrets/easyroam-hsmw/easyroam_client_key.pem;
"NetworkManager/system-connections/eduroam.nmconnection" = {
text = secrets.easyroamHSMW.nmconfig;
mode = "0600";
};
# # Easyroam
# "ssl/certs/easyroam_client_cert.pem".source = ../secrets/easyroam-hsmw/easyroam_client_cert.pem;
# "ssl/certs/easyroam_root_ca.pem".source = ../secrets/easyroam-hsmw/easyroam_root_ca.pem;
# "ssl/certs/easyroam_client_key.pem".source = ../secrets/easyroam-hsmw/easyroam_client_key.pem;
# "NetworkManager/system-connections/eduroam.nmconnection" = {
# text = secrets.easyroamHSMW.nmconfig;
# mode = "0600";
# };
"ipsec.d/hsmw.secrets".text = ''${secrets.email.hsmw.mail} : EAP "${secrets.email.hsmw.password}"'';
"ipsec.d/USERTrust-ECC.pem".source = ../secrets/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem;
"ipsec.d/USERTrust-RSA.pem".source = ../secrets/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem;
# "ipsec.d/hsmw.secrets".text = ''${secrets.email.hsmw.un}@hs-mittweida.de : EAP "megasecret"'';
# "ipsec.d/USERTrust-ECC.pem".source = ../secrets/vpn-hsmw/USERTrust-ECC-Certification-Authority.pem;
# "ipsec.d/USERTrust-RSA.pem".source = ../secrets/vpn-hsmw/USERTrust-RSA-Certification-Authority.pem;
};
sops.secrets = {
"USERTrust/ECC" = { path = "/etc/ipsec.d/USERTrust-ECC.pem"; };
"USERTrust/RSA" = { path = "/etc/ipsec.d/USERTrust-RSA.pem"; };
"hsmw-vpn-secret" = { path = "/etc/ipsec.d/hsmw.secret"; mode = "600"; };
};
networking.networkmanager.enableStrongSwan = true;
@@ -31,19 +37,19 @@ lib.mkIf (host != "NxACE")
};
connections = {
hsmw = {
keyexchange = "ikev2";
left = "%defaultroute";
leftid = "%any";
leftauth = "eap";
eap_identity = secrets.email.hsmw.mail;
leftsourceip = "%config";
leftdns = "%config4";
leftfirewall = "no";
right = "141.55.128.84";
rightid = "@vpn4.hs-mittweida.de";
rightsubnet = "0.0.0.0/0";
rightauth = "pubkey";
auto = "add";
keyexchange = "ikev2";
left = "%defaultroute";
leftid = "%any";
leftauth = "eap";
eap_identity = "${secrets.email.hsmw.un}@hs-mittweida.de";
leftsourceip = "%config";
leftdns = "%config4"; # Ensure that DNS resolution works as expected
leftfirewall = "no"; # Keep firewall disabled, but manually check rules
right = "141.55.128.84";
rightid = "@vpn4.hs-mittweida.de";
rightsubnet = "141.55.128.0/16"; # Split tunneling: Only route traffic for the VPN subnet
rightauth = "pubkey";
auto = "add";
};
};
managePlugins = true;
@@ -73,7 +79,7 @@ lib.mkIf (host != "NxACE")
"openssl"
"resolve"
];
secrets = [ "/etc/ipsec.d/hsmw.secrets" ];
secrets = [ "/etc/ipsec.d/hsmw.secret" ];
ca = {
hsmw = {
auto = "add";

21
system-modules/kodi.nix
View File

@@ -1,12 +1,13 @@
{ pkgs, lib, host, ... }:
lib.mkIf (host == "NxACE")
{
services.xserver.desktopManager.kodi = {
enable = true;
};
services.cage = {
user = "kodi";
program = "${pkgs.kodi-wayland}/bin/kodi-standalone";
enable = true;
};
}
{}
# {
# services.xserver.desktopManager.kodi = {
# enable = true;
# };
# services.cage = {
# user = "kodi";
# program = "${pkgs.kodi-wayland}/bin/kodi-standalone";
# enable = true;
# };
# }

8
system-modules/networking.nix
View File

@@ -3,12 +3,16 @@
let
in
{
networking.nameservers = [
"1.1.1.1"
"8.8.8.8"
];
networking.hostName = host;
networking.networkmanager = {
enable = true;
};
networking.enableIPv6 = true;
networking.enableIPv6 = false;
}

121
system-modules/nvidia.nix
View File

@@ -1,69 +1,68 @@
{ config, pkgs, pkgs-unstable, lib, nvidia, ... }:
{ config, pkgs, lib, nvidia, ... }:
lib.mkIf nvidia.enable
{
config = lib.mkIf nvidia.enable {
environment.systemPackages = with pkgs; [
lshw
glxinfo
(pkgs.writeShellScriptBin "nvidia-offload" ''
export __NV_PRIME_RENDER_OFFLOAD=1
export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
export __GLX_VENDOR_LIBRARY_NAME=nvidia
export __VK_LAYER_NV_optimus=NVIDIA_only
exec "$@"
'')
] ++ [
# pkgs-unstable.nvtopPackages.intel
# pkgs-unstable.nvtopPackages.nvidia
];
environment.systemPackages = with pkgs; [
lshw
glxinfo
(pkgs.writeShellScriptBin "nvidia-offload" ''
export __NV_PRIME_RENDER_OFFLOAD=1
export __NV_PRIME_RENDER_OFFLOAD_PROVIDER=NVIDIA-G0
export __GLX_VENDOR_LIBRARY_NAME=nvidia
export __VK_LAYER_NV_optimus=NVIDIA_only
exec "$@"
'')
# ] ++ [
# pkgs-unstable.nvtopPackages.intel
# pkgs-unstable.nvtopPackages.nvidia
];
# Load nvidia driver for Xorg and Wayland
services.xserver.videoDrivers = [ "nvidia" ];
# Load nvidia driver for Xorg and Wayland
services.xserver.videoDrivers = [ "nvidia" ];
hardware = {
nvidia = {
prime = lib.mkIf nvidia.prime {
intelBusId = "PCI:0:2:0";
nvidiaBusId = "PCI:1:0:0";
offload = {
enable = true;
enableOffloadCmd = true;
};
hardware = {
nvidia = {
prime = lib.mkIf nvidia.prime {
intelBusId = "PCI:0:2:0";
nvidiaBusId = "PCI:1:0:0";
offload = {
enable = true;
enableOffloadCmd = true;
};
modesetting.enable = true;
# Modesetting is required.
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# Enable this if you have graphical corruption issues or application crashes after waking
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
# of just the bare essentials.
powerManagement.enable = true;
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
powerManagement.finegrained = true;
# Use the NVidia open source kernel module (not to be confused with the
# independent third-party "nouveau" open source driver).
# Support is limited to the Turing and later architectures. Full list of
# supported GPUs is at:
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+
# Currently alpha-quality/buggy, so false is currently the recommended setting.
open = false;
# Enable the Nvidia settings menu,
# accessible via `nvidia-settings`.
nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU.
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
modesetting.enable = true;
# Modesetting is required.
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# Enable this if you have graphical corruption issues or application crashes after waking
# up from sleep. This fixes it by saving the entire VRAM memory to /tmp/ instead
# of just the bare essentials.
powerManagement.enable = true;
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
powerManagement.finegrained = nvidia.prime;
# Use the NVidia open source kernel module (not to be confused with the
# independent third-party "nouveau" open source driver).
# Support is limited to the Turing and later architectures. Full list of
# supported GPUs is at:
# https://github.com/NVIDIA/open-gpu-kernel-modules#compatible-gpus
# Only available from driver 515.43.04+
# Currently alpha-quality/buggy, so false is currently the recommended setting.
open = false;
# Enable the Nvidia settings menu,
# accessible via `nvidia-settings`.
nvidiaSettings = true;
# Optionally, you may need to select the appropriate driver version for your specific GPU.
package = config.boot.kernelPackages.nvidiaPackages.beta;
};
opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
};
}

128
system-modules/nx2site.nix
View File

@@ -1,6 +1,13 @@
{ pkgs, lib, user, host, ... }:
{ config, pkgs, lib, user, host, ... }:
# lib.mkIf false
lib.mkIf (host == "NxACE")
# ((import ./nx2site/proxy.nix { inherit config pkgs lib user; }) //
(
{
sops.secrets = {
"nx2site/namecheap.pw" = { };
};
systemd = {
timers."namecheap-dynamic-dns" = {
wantedBy = [ "timers.target" ];
@@ -10,46 +17,105 @@ lib.mkIf (host == "NxACE")
Unit = "namecheap-dynamic-dns.service";
};
};
services."namecheap-dynamic-dns" =
let
u = pkgs.writeScriptBin "update_namecheap" ''
my_ip=$(${pkgs.curl}/bin/curl -s https://ipinfo.io/ip)
dns_ip=$(${pkgs.dig}/bin/nslookup nx2.site | grep -E "Address: [0-9]" | cut -c 10-)
fdc="/home/nx2/nx2site/domain/count.txt"
services."namecheap-dynamic-dns" = let
u = let
domain = "nx2.site";
passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;
# passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;
log-file-path = "/var/log/update_namecheap.log";
count-file-path = "/var/log/update_namecheap-count.txt";
in pkgs.writers.writePython3Bin "update_namecheap" {
libraries = with pkgs.python311Packages; [ requests ];
flakeIgnore = [ "E501" "E305" "E701" "E704" "E302" "E114" "F841" ];
} ''
import requests
import argparse
import socket
from datetime import datetime
force_update=false
def get_public_ip(): return requests.get('https://ipinfo.io/ip').text.strip()
while getopts "f" opt; do
case $opt in
f)
force_update=true
;;
\?)
echo "Invalid option: -$OPTARG" >&2
exit 1
;;
esac
done
def get_dns_ip(): return socket.gethostbyname_ex('${domain}')[2][0]
if [ "$force_update" == true ] || [ "$my_ip" != "$dns_ip" ]; then
count=$(<$fdc)
echo [ $count times ] $(date) from $dns_ip to $my_ip >> /home/nx2/nx2site/domain/updates.log
pw=$(cat /home/nx2/nx2site/domain/pw.txt)
${pkgs.curl}/bin/curl -s "https://dynamicdns.park-your-domain.com/update?host=@&domain=nx2.site&password=$pw&ip=$my_ip"
${pkgs.curl}/bin/curl -s "https://dynamicdns.park-your-domain.com/update?host=*&domain=nx2.site&password=$pw&ip=$my_ip"
echo 0 > $fdc
fi
def main(force_update):
my_ip = get_public_ip()
dns_ip = get_dns_ip()
with open("${count-file-path}", "r") as f:
content = f.read()
if content == "": count = 0
else: count = int(content)
count += 1
with open("${count-file-path}", "w") as f:
f.write(str(count))
if not (force_update or my_ip != dns_ip):
print(f"Host IP and DNS response are both {my_ip} --> No Action")
exit(0)
else:
with open("${passord-file-path}", 'r') as pw_file: pw = pw_file.read().strip()
# Perform DNS updates
resp_base = requests.get(f"https://dynamicdns.park-your-domain.com/update?host=@&domain=${domain}&password={pw}&ip={my_ip}")
resp_subd = requests.get(f"https://dynamicdns.park-your-domain.com/update?host=*&domain=${domain}&password={pw}&ip={my_ip}")
# Reset the count file
with open("${count-file-path}", 'w') as f: f.write('0')
now_str = datetime.now().strftime('%Y/%m/%d-%R')
log_entry = f"At {now_str} - from {dns_ip} to {my_ip} - {count} times - Response {resp_base.status_code}{' - (forced)' if force_update else ' '}\n"
print(log_entry, end="")
with open("${log-file-path}", 'a') as log_file: log_file.write(log_entry)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('-f', '--force', action='store_true', help='Force update')
args = parser.parse_args()
main(args.force)
'';
in
{
in {
script = ''
set -eu
${u}/bin/update_namecheap
'';
serviceConfig = {
Type = "oneshot";
User = "nx2";
};
};
};
}
# I can't use this becasue API Access for Namecheap needs a static whitelisted IP, which I don't have
# security.acme = {
# acceptTerms = true;
# certs."nx2site" = { };
# };
environment.systemPackages = with pkgs; [
certbot
(writeShellApplication {
name = "refresh_ssl_certificate";
runtimeInputs = [ certbot ];
# https://forum.endeavouros.com/t/tutorial-add-a-systemd-boot-loader-menu-entry-for-a-windows-installation-using-a-separate-esp-partition/37431
text = let
webroot = /home/nx2/nx2site/staticweb/content;
in /*bash*/ ''
cartbot
ls ${webroot}
'';
})
];
networking.hosts = { # docker network inspect nx2site_default | grep -E "Name|IPv4" | tr "\n" " " | sed -r 's- +- -g;s-\n?"Name": -\n-g' | sed -r '1d;2d;s-"(.+?)", "IPv4Address": "(.+)/16",- "\2" = [ "\1.docker" ];-g'
"172.1.2.1" = [ "staticweb.docker" ];
"172.1.3.1" = [ "matrix.docker" ];
# "172.1.0.9" = [ "matrixdb.docker" ];
"172.1.4.1" = [ "matrix-ss.docker" ];
# "172.1.0.7" = [ "matrix-ssdb.docker" ];
"172.1.5.1" = [ "pw.docker" ];
"172.1.6.1" = [ "git.docker" ];
# "172.1.0.10" = [ "gitdb.docker" ];
"172.1.7.1" = [ "nn.docker" ];
"172.1.8.1" = [ "llm.docker" ];
# "172.1.9.1" = [ "proxy.docker" ];
"172.1.10.1" = [ "share.docker" ];
"172.1.11.1" = [ "odq.docker" ];
};
})

180
system-modules/nx2site/proxy.nix Normal file
View File

@@ -0,0 +1,180 @@
{ config, pkgs, lib, user }:
lib.mkIf false
{
sops.secrets = {
"nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
"nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
"nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
};
services.nginx = {
enable = true;
additionalModules = [];
# appendConfig = '''';
clientMaxBodySize = "20m";
defaultHTTPListenPort = 80;
defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
defaultListen = [ {
addr = "0.0.0.0";
ssl = true;
port = 443;
proxyProtocol = true;
}];
defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
defaultSSLListenPort = 443;
enableQuicBPF = true;
enableReload = true;
# eventsConfig = '''';
# logError = ;
# mapHashBucketSize = ;
# mapHashMaxSize = ;
package = pkgs.nginxQuic;
# preStart = true;
proxyResolveWhileRunning = false;
proxyTimeout = "20s";
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedZstdSettings = true;
serverTokens = false;
# sslCiphers = true;
sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
sslProtocols = "TLSv1.2 TLSv1.3";
statusPage = false;
streamConfig = ""; # udp config
validateConfigFile = true;
upstreams = {
"staticweb".servers = { "staticweb.docker:80" = {}; };
"matrix".servers = { "matrix.docker:80" = {}; };
"matrix-ss".servers = { "matrix-ss.docker:80" = {}; };
"pw".servers = { "pw.docker:80" = {}; };
"git".servers = { "git.docker:80" = {}; };
"nn".servers = { "nn.docker:80" = {}; };
"llm".servers = { "llm.docker:80" = {}; };
"share".servers = { "share.docker:80" = {}; };
"sync".servers = { "localhost:8384" = {}; };
};
virtualHosts = let
sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path;
sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path;
kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true;
in
{
"nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = {
proxyPass = "http://staticweb";
# extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
};
"/.well-known/matrix/client" = {
return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}' '';
extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
};
"/.well-known/matrix/server" = {
return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
};
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
proxyPass = "http://matrix-ss";
# extraConfig = [ ''proxy_set_header X-Forwarded-For $remote_addr;'' ''proxy_set_header X-Forwarded-Proto $scheme;'' ''proxy_set_header Host $host;'' ];
};
"~ ^(\/_matrix|\/_synapse\/client)" = {
return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
# extraConfig = [];
};
};
};
"matrix.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
listen = [
{ addr = "0.0.0.0"; port = 443; ssl = true; }
{ addr = "0.0.0.0"; port = 8448; ssl = true; }
];
locations = {
"/" = {
proxyPass = "http://matrix";
# extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
};
};
};
"matrix-ss.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# "resolver 1.1.1.1;"
# "client_max_body_size 500M;"
# ];
locations = {
"/" = { proxyPass = "http://pw"; };
};
};
# "dev.nx2.site" = {
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# locations = {
# "/" = {
# proxyPass = "http://dev";
# };
# };
# };
"pw.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://pw"; };
"/admin" = { proxyPass = "http://pw"; };
"/notifications/hub" = { proxyPass = "http://pw"; };
"/notifications/hub/negotiate" = { proxyPass = "http://pw"; };
};
};
"share.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://share"; # ''proxy_hide_header Content-Disposition;''
# ''proxy_set_header Content-Disposition $upstream_http_content_disposition;''
# ''proxy_set_header X-Real-IP $remote_addr;''
# ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;''
# ''proxy_set_header Host $http_host;''
# ];
};
"/socket.io" = {
proxyPass = "http://share/socket.io";
proxyWebsockets = true;
# extraConfig = [
# ''proxy_http_version 1.1;''
# ''proxy_set_header Upgrade $http_upgrade;''
# ''proxy_set_header Connection "upgrade";''
# ];
};
};
};
"sync.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://sync"; };
};
};
"git.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://git"; };
};
};
"~^(.*)\.nx2\.site$" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
root = "/home/nx2/nx2site/staticweb/xcontent/";
locations = {
"~.*" = { return = "502 /502.html"; };
};
};
};
};
}

58
system-modules/ollama.nix
View File

@@ -1,46 +1,22 @@
{ pkgs, lib, host, nvidia, ... }:
{
environment.systemPackages = with pkgs; [
ollama
];
{ pkgs, pkgs-unstable, pkgs-latest, lib, host, nvidia, ... }:
let
p = pkgs-latest.ollama;
# p = pkgs-unstable.ollama.overrideAttrs (oldAttrs: rec {
# inherit (oldAttrs) pname;
# version = "0.3.0";
# src = pkgs.fetchFromGitHub {
# owner = "ollama";
# repo = "ollama";
# rev = "v${version}";
# hash = "sha256-69CpRAggx6a1NJq+CA9QliXuUbDgC1ERRuA3y17KVAM=";
# fetchSubmodules = true;
# };
# });
in {
environment.systemPackages = [ p ];
# services.ollama.environmentVariables = {
# OLLAMA_ORIGINS = "*";
# };
# systemd.services.ollama = {
# environment.OLLAMA_ORIGINS = "*";
# description = "Ollama Service";
# after = [ "network-online.target" "ollama-doesnt-respect-xdg-data-home.service" ];
# serviceConfig = {
# Type = "simple";
# # Environment = "\"XDG_DATA_HOME=/run/current-system/sw/share\"";
# ExecStart = "${pkgs.ollama}/bin/ollama serve";
# User = "ollama";
# Group = "ollama";
# Restart = "always";
# RestartSec = "3";
# };
# wantedBy = [ "default.target" ];
# };
# users.users.ollama = {
# isSystemUser = true;
# home = "/usr/share/ollama";
# shell = "/bin/false";
# group = "ollama";
# };
# users.groups.ollama = {};
# systemd.services.ollama-doesnt-respect-xdg-data-home = {
# wantedBy = ["multi-user.target"];
# script = ''
# mkdir -p /usr/share/ollama/.ollama
# chown ollama:ollama -R /usr/share/ollama
# '';
# };
services.ollama = {
package = p;
enable = true;
acceleration = lib.mkIf nvidia.enable "cuda";
listenAddress = if host == "NxACE" then "0.0.0.0:11434" else "127.0.0.1:11434";

4
system-modules/sound.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, lib, system, user, allowed, secrets, ... }:
{ config, pkgs, lib, ... }:
{
services.pipewire = {
@@ -9,4 +9,4 @@
# If you want to use JACK applications, uncomment this
jack.enable = true;
};
}
}

32
system-modules/syncthing.nix
View File

@@ -17,7 +17,12 @@ let
};
dirs = {
default = { name = "sync"; path = "/home/${user}/sync"; };
default = { name = "sync"; path = "/home/${user}/sync"; };
s21u-dcim = { name = "s21u-dcim"; path = "/vault/Pictures/Lennart"; };
diane-dcim = { name = "diane-dcim"; path = "/vault/Pictures/Diane"; };
dianesd-dcim = { name = "dianesd-dcim"; path = "/vault/Pictures/Diane-SD"; };
daniel-dcim = { name = "daniel-dcim"; path = "/vault/Pictures/Daniel"; };
tessa-dcim = { name = "tessa-dcim"; path = "/vault/Pictures/Tessa"; };
};
in
lib.mkIf (user != "tv")
@@ -45,8 +50,7 @@ lib.mkIf (user != "tv")
) else if (host == "NxNORTH") then (
xps // ace // s21u
) else (
# north // xps // s21u // diane // daniel // tessa // georg
north // xps // s21u
north // xps // s21u // diane // daniel // tessa // georg
);
folders = with dirs; if (host == "NxXPS") then {
"${default.name}" = {
@@ -58,11 +62,31 @@ lib.mkIf (user != "tv")
path = default.path;
devices = with devices; (justname [ xps ace s21u ]);
};
} else {
} else { # NxACE
"${default.name}" = {
path = default.path;
devices = with devices; (justname [ xps north s21u ]);
};
"${s21u-dcim.name}" = {
path = s21u-dcim.path;
devices = with devices; (justname [ s21u ]);
};
"${diane-dcim.name}" = {
path = diane-dcim.path;
devices = with devices; (justname [ diane ]);
};
"${dianesd-dcim.name}" = {
path = dianesd-dcim.path;
devices = with devices; (justname [ diane ]);
};
"${daniel-dcim.name}" = {
path = daniel-dcim.path;
devices = with devices; (justname [ daniel ]);
};
"${tessa-dcim.name}" = {
path = tessa-dcim.path;
devices = with devices; (justname [ tessa ]);
};
};
gui = {
theme = "black";

4
system-modules/users.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, lib, system, host, user, allowed, secrets, ... }:
{ pkgs, lib, host, user, ... }:
{
users.defaultUserShell = pkgs.bash; # if interactive, itll switch to fish
@@ -10,13 +10,11 @@
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1RPCcS8DtIf75a2FEW4d8X6WTVeLlmretoLqppvZlJ" # From [A] GPG Sub Key
];
packages = with pkgs; []; # all in home.nix
};
users.users.tv = lib.mkIf (host == "NxACE") {
isNormalUser = true;
extraGroups = [ "networkmanager" "audio" "video" "uinput" ];
useDefaultShell = true;
packages = with pkgs; []; # all in home.nix
};