commit b7cea98e9988750271dd1e296fbc699c3b5344b6 Author: Ittihadyya Date: Sun Nov 3 19:50:18 2024 +0200 initial commit. after fucking it up once
diff --git a/.gitignore b/.gitignore new file mode 100644
index 0000000..4b08cfe
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,14 @@
+# ---> Nix
+# Ignore build outputs from performing a nix-build or `nix build` command
+result
+result-*
+
+# -*- mode: gitignore; -*-
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+auto-save-list
+tramp
+.\#*
diff --git a/.sops.yaml b/.sops.yaml new file mode 100644
index 0000000..67958a2
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &personal age12h0ekuyvy244etehyeymz2pt9xxjv7hpe2revateje00xrzj95fqvp2r82
+creation_rules:
+ - path_regex: secrets.yaml$
+ key_groups:
+ - age:
+ - *personal
\ No newline at end of file
diff --git a/README.md b/README.md new file mode 100644
index 0000000..aa5dd97
--- /dev/null
+++ b/README.md
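Review bot: `.sops.yaml` names a single age recipient (`&personal`), so every host that has to decrypt `secrets.yaml` at activation must carry that same private key, and losing that one key loses every secret; the README points at `sops.mod.nix` for how the key is distributed, but that file is not in the part of the commit shown here. The usual sops-nix layout adds each host's own key (its ssh host key converted with `ssh-to-age`) as a further entry under `age:` so the personal key never has to leave the workstation, and a comment in `.sops.yaml` should say which model is in use. Separately, `path_regex: secrets.yaml$` leaves the `.` unescaped, so it also matches any path ending in `secrets` followed by one character and `yaml`; `path_regex: secrets\.yaml$` is the intended anchor.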
@@ -0,0 +1,147 @@ +This is the configuration that Ittihadyya uses for their computers. It currently handles 5 computers. `capsaicin`, `menthol`, `glucose`, `fructose` and `aspartame`. The first is a custom-built PC, the second is a thinkpad T460s, the two following that are Lenovo Thinkcentre m92ps and the last one is a VPS hosted by contabo. + +### Capsaicin +``` + ▗▄▄▄ ▗▄▄▄▄ ▄▄▄▖ emv@capsaicin + ▜███▙ ▜███▙ ▟███▛ ------------- + ▜███▙ ▜███▙▟███▛ OS: NixOS 24.11.20240916.99dc878 (Vicuna) x86_64 + ▜███▙ ▜██████▛ Kernel: Linux 6.6.51 + ▟█████████████████▙ ▜████▛ ▟▙ Uptime: 1000 years + ▟███████████████████▙ ▜███▙ ▟██▙ Packages: 2203 (nix-system) + ▄▄▄▄▖ ▜███▙ ▟███▛ Shell: zsh 5.9 + ▟███▛ ▜██▛ ▟███▛ Display (LEN G34w-10): 3440x1440 @ 144 Hz in 34″ [External] + ▟███▛ ▜▛ ▟███▛ WM: Sway (Wayland) +▟███████████▛ ▟██████████▙ Theme: adw-gtk3 [GTK2/3/4] +▜██████████▛ ▟███████████▛ Font: Ubuntu Nerd Font (10pt) [GTK2/3/4] + ▟███▛ ▟▙ ▟███▛ Cursor: Afterglow-Recolored-Dracula-Green (24px) + ▟███▛ ▟██▙ ▟███▛ Terminal: - + ▟███▛ ▜███▙ ▝▀▀▀▀ CPU: Intel(R) Core(TM) i5-7600K (4) @ 4.20 GHz + ▜██▛ ▜███▙ ▜██████████████████▛ GPU: AMD Radeon RX 6650 XT [Discrete] + ▜▛ ▟████▙ ▜████████████████▛ Memory: 31.30 GiB + ▟██████▙ ▜███▙ Swap: 45.45 GiB + ▟███▛▜███▙ ▜███▙ Disk (/): 947.81 GiB - btrfs + ▟███▛ ▜███▙ ▜███▙ Disk (/mnt/decrypted): 131.50 GiB - btrfs + ▝▀▀▀ ▀▀▀▀▘ ▀▀▀▘ Disk (/mnt/hdd1tb): 800.00 GiB - btrfs + Disk (/mnt/hdd500gb): 457.38 GiB - ext4 + Local IP (enp5s0): - + Locale: en_US.UTF-8 +``` +There isn't much to say about it other than the fact that it is a desktop with a wifi module (that seldom gets used, usually that happens when the ethernet cable is connected to something else for tinkering purposes). 
+### Menthol +``` + ▗▄▄▄ ▗▄▄▄▄ ▄▄▄▖ emv@menthol + ▜███▙ ▜███▙ ▟███▛ ----------- + ▜███▙ ▜███▙▟███▛ OS: NixOS 24.11.20240916.99dc878 (Vicuna) x86_64 + ▜███▙ ▜██████▛ Host: ThinkPad T460s + ▟█████████████████▙ ▜████▛ ▟▙ Kernel: Linux 6.6.51 + ▟███████████████████▙ ▜███▙ ▟██▙ Uptime: A long long time + ▄▄▄▄▖ ▜███▙ ▟███▛ Shell: zsh 5.9 + ▟███▛ ▜██▛ ▟███▛ Display (LGD0514): 1920x1080 @ 60 Hz in 14″ + ▟███▛ ▜▛ ▟███▛ Theme: adw-gtk3 [GTK2/3/4] +▟███████████▛ ▟██████████▙ Font: Ubuntu Nerd Font (10pt) [GTK2/3/4] +▜██████████▛ ▟███████████▛ Cursor: Afterglow-Recolored-Dracula-Green (24px) + ▟███▛ ▟▙ ▟███▛ Terminal: - + ▟███▛ ▟██▙ ▟███▛ CPU: Intel(R) Core(TM) i5-6300U (4) @ 3.00 GHz + ▟███▛ ▜███▙ ▝▀▀▀▀ GPU: Intel HD Graphics 520 @ 1.00 GHz [Integrated] + ▜██▛ ▜███▙ ▜██████████████████▛ Memory: 11.11 GiB + ▜▛ ▟████▙ ▜████████████████▛ Swap: 7.45 GiB + ▟██████▙ ▜███▙ Disk (/): 231.02 GiB - btrfs + ▟███▛▜███▙ ▜███▙ Local IP (wlp4s0): - + ▟███▛ ▜███▙ ▜███▙ Battery 1 + ▝▀▀▀ ▀▀▀▀▘ ▀▀▀▘ Battery 2 + Locale: en_US.UTF-8 +``` +The only interesting thing about it is the fact that it has a touchscreen, bluetooth and is full of stickers. It gets used when not home and when we need *something* with bluetooth. +### Glucose and Fructose +``` + ▗▄▄▄ ▗▄▄▄▄ ▄▄▄▖ emv@glucose + ▜███▙ ▜███▙ ▟███▛ ----------- + ▜███▙ ▜███▙▟███▛ OS: NixOS 24.11.20240916.99dc878 (Vicuna) x86_64 + ▜███▙ ▜██████▛ Host: ThinkCentre M92p + ▟█████████████████▙ ▜████▛ ▟▙ Kernel: Linux 6.6.51 + ▟███████████████████▙ ▜███▙ ▟██▙ Uptime: A while. 
+ ▄▄▄▄▖ ▜███▙ ▟███▛ Packages: 656 (nix-system) + ▟███▛ ▜██▛ ▟███▛ Shell: zsh 5.9 + ▟███▛ ▜▛ ▟███▛ Terminal: - +▟███████████▛ ▟██████████▙ CPU: Intel(R) Core(TM) i5-3470T (4) @ 3.60 GHz +▜██████████▛ ▟███████████▛ GPU: Intel Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller @ 1.10 GHz [Integrated] + ▟███▛ ▟▙ ▟███▛ Memory: 7.56 GiB + ▟███▛ ▟██▙ ▟███▛ Swap: 14.90 GiB + ▟███▛ ▜███▙ ▝▀▀▀▀ Disk (/): 938.97 GiB - btrfs + ▜██▛ ▜███▙ ▜██████████████████▛ Local IP (eno1): 10.12.96.4/24 + ▜▛ ▟████▙ ▜████████████████▛ Locale: en_US.UTF-8 + ▟██████▙ ▜███▙ + ▟███▛▜███▙ ▜███▙ + ▟███▛ ▜███▙ ▜███▙ + ▝▀▀▀ ▀▀▀▀▘ ▀▀▀▘ + + ▗▄▄▄ ▗▄▄▄▄ ▄▄▄▖ emv@fructose + ▜███▙ ▜███▙ ▟███▛ ------------ + ▜███▙ ▜███▙▟███▛ OS: NixOS 24.11.20240916.99dc878 (Vicuna) x86_64 + ▜███▙ ▜██████▛ Host: ThinkCentre M92p + ▟█████████████████▙ ▜████▛ ▟▙ Kernel: Linux 6.6.51 + ▟███████████████████▙ ▜███▙ ▟██▙ Uptime: A bit. + ▄▄▄▄▖ ▜███▙ ▟███▛ Packages: 647 (nix-system) + ▟███▛ ▜██▛ ▟███▛ Shell: zsh 5.9 + ▟███▛ ▜▛ ▟███▛ Terminal: - +▟███████████▛ ▟██████████▙ CPU: Intel(R) Core(TM) i5-3470 (4) @ 3.60 GHz +▜██████████▛ ▟███████████▛ GPU: Intel Xeon E3-1200 v2/3rd Gen Core processor Graphics Controller @ 1.10 GHz [Integrated] + ▟███▛ ▟▙ ▟███▛ Memory: 7.56 GiB + ▟███▛ ▟██▙ ▟███▛ Swap: 29.80 GiB + ▟███▛ ▜███▙ ▝▀▀▀▀ Disk (/): 924.07 GiB - btrfs + ▜██▛ ▜███▙ ▜██████████████████▛ Local IP (eno1): 10.12.96.9/24 + ▜▛ ▟████▙ ▜████████████████▛ Locale: en_US.UTF-8 + ▟██████▙ ▜███▙ + ▟███▛▜███▙ ▜███▙ + ▟███▛ ▜███▙ ▜███▙ + ▝▀▀▀ ▀▀▀▀▘ ▀▀▀▘ +``` +As can be seen, the only difference between the two is swap space and IP address, something which at the moment is inconsequential. They are going to be used as nodes in a kubernetes cluster ***soon*** (trust). 
+### Aspartame +``` + ▗▄▄▄ ▗▄▄▄▄ ▄▄▄▖ emv@aspartame + ▜███▙ ▜███▙ ▟███▛ ------------- + ▜███▙ ▜███▙▟███▛ OS: NixOS 24.11.20240916.99dc878 (Vicuna) x86_64 + ▜███▙ ▜██████▛ Host: kvm/qemu + ▟█████████████████▙ ▜████▛ ▟▙ Kernel: Linux 6.6.51 + ▟███████████████████▙ ▜███▙ ▟██▙ Uptime: At least 3 + ▄▄▄▄▖ ▜███▙ ▟███▛ Packages: 649 (nix-system) + ▟███▛ ▜██▛ ▟███▛ Shell: zsh 5.9 + ▟███▛ ▜▛ ▟███▛ Display (QEMU Monitor): 1280x800 @ 75 Hz in 15″ +▟███████████▛ ▟██████████▙ Terminal: - +▜██████████▛ ▟███████████▛ CPU: AMD EPYC 7282 (4) @ 2.79 GHz + ▟███▛ ▟▙ ▟███▛ GPU: Unknown Device 1111 (VGA compatible) + ▟███▛ ▟██▙ ▟███▛ Memory: 5.79 GiB + ▟███▛ ▜███▙ ▝▀▀▀▀ Swap: 2.90 GiB + ▜██▛ ▜███▙ ▜██████████████████▛ Disk (/): 587.54 GiB - ext4 + ▜▛ ▟████▙ ▜████████████████▛ Local IP (ens18): - + ▟██████▙ ▜███▙ Locale: en_US.UTF-8 + ▟███▛▜███▙ ▜███▙ + ▟███▛ ▜███▙ ▜███▙ + ▝▀▀▀ ▀▀▀▀▘ ▀▀▀▘ +``` +Not very interesting, besides the fact that it is a VPS. It was made using [`nixos-infect`](https://github.com/elitak/nixos-infect) on top of Contabo's Ubuntu 22 image. +## Files +Modules have a `*.mod.nix` extension, they are loaded in [`flake.nix`](./flake.nix) via magic. Ittihadyya's flake was built, foundationally - at the very least, with heavy inspiration from [sodiboo's flake](https://github.com/sodiboo/system), so the magic of the aforelinked `flake.nix` file is from faer. + +`` applies to every single computer, it contains stuff that we want available *everywhere*. `` applies to `capsaicin` and `menthol`. + +``, at the moment, applies to everything else (*this is called foreshadowing*). + +``, as of **Right Now**, only applies to `glucose`. + +`` applies to both glucose and fructose. + +Secrets are handled by [`sops-nix`](https://github.com/Mic92/sops-nix). How? Magic. Basically, the wanted secrets are declared in [`sops.mod.nix`](./sops.mod.nix) and added to [`secrets.yaml`](./secrets.yaml) via `sops edit secrets.yaml`. 
For this there is an age key stashed away, more can be grasped, probably, by looking at the aforelinked `sops.mod.nix`.
+
+All files within this repository have the possibility of:
+- having eerie vibes.
+- calling to the user.
+- asking the user for directions to the nearest STUN server.
+- spontaneously combusting.
+- waging protracted war upon the user.
+- telling the user any information in exchange for personal information, then, if it is wrong, it will smite the user.
+- periodically altering the user's perception of time, eventually leading to exhaustion if no external stimuli interrupt this.
+- reminding the user of the time before names.
+- employing a birthday attack upon the Black Moon, to check if it is digitally howling.
+- transporting the user into an alternate reality where physical constants are slightly off.
\ No newline at end of file
diff --git a/_inheritance.mod.nix b/_inheritance.mod.nix new file mode 100644
index 0000000..8d3cca6
--- /dev/null
+++ b/_inheritance.mod.nix
@@ -0,0 +1,19 @@
+{
+ merge,
+ configs,
+ ...
+}:
+{
+ #capsaicin is a custom-built PC
+ capsaicin = merge configs.universal configs.personal;
+ #menthol is a Lenovo Thinkpad T460s
+ menthol = merge configs.universal configs.personal;
+ #glucose and fructose are Lenovo Thinkcentres m92p
+ glucose = merge (merge configs.universal configs.sucrose) (
+ merge configs.cluster configs.cluster-testing
+ );
+ fructose = merge configs.universal (merge configs.sucrose configs.cluster);
+ #aspartame is a VPS from Contabo
+ aspartame = merge configs.universal configs.cluster;
+
+}
diff --git a/adyya-pkgs/adyya_pkgs.mod.nix b/adyya-pkgs/adyya_pkgs.mod.nix new file mode 100644
index 0000000..1330481
--- /dev/null
+++ b/adyya-pkgs/adyya_pkgs.mod.nix
@@ -0,0 +1,72 @@ +{ + aspartame.modules = [ + ( + { pkgs, lib, ... }: + { + nixpkgs.overlays = [ + ( + final: prev: + let + caddy-custom = pkgs.callPackage ./caddy-custom.nix { }; + in + let + # Caddy Layer4 modules + l4CaddyModules = + lib.lists.map + (name: { + inherit name; + repo = "github.com/mholt/caddy-l4"; + version = "3d22d6da412883875f573ee4ecca3dbb3fdf0fd0"; + }) + [ + "layer4" + "modules/l4proxy" + "modules/l4tls" + "modules/l4proxyprotocol" + ]; + in + { + caddy-default = caddy-custom; + caddy-base = caddy-custom.withPlugins { caddyModules = [ ]; }; + caddy-l4 = caddy-custom.withPlugins { + caddyModules = l4CaddyModules; + vendorHash = "sha256-Bz2tR1/a2okARCWFEeSEeVUx2mdBe0QKUh5qzKUOF8s="; + }; + caddy-many = caddy-custom.withPlugins { + caddyModules = [ + { + name = "transform-encoder"; + repo = "github.com/caddyserver/transform-encoder"; + version = "f627fc4f76334b7aef8d4ed8c99c7e2bcf94ac7d"; + } + { + name = "connegmatcher"; + repo = "github.com/mpilhlt/caddy-conneg"; + version = "v0.1.4"; + } + ] ++ l4CaddyModules; + vendorHash = "sha256-OjyJdcbLMSvgkHKR4xMF0BgsuA5kdKgDgV+ocuNHUf4="; + }; + } + ) + ]; + } + ) + ({ + nixpkgs.overlays = [ + (final: prev: { + gts = final.callPackage ./gts.nix { }; + }) + ]; + }) + ]; + personal.modules = [ + ({ + nixpkgs.overlays = [ + (final: prev: { + beeref = final.callPackage ./beeref.nix { }; # I'M GOING TO TRUNCATE *YOU*, BEEREF. + }) + ]; + }) + ]; +} diff --git a/adyya-pkgs/beeref.nix b/adyya-pkgs/beeref.nix new file mode 100644 index 0000000..c8ac990 --- /dev/null +++ b/adyya-pkgs/beeref.nix 
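Review bot: The caddy overlay evaluates `caddy-custom = pkgs.callPackage ./caddy-custom.nix { };` while the `gts` and `beeref` overlays use `final.callPackage`; inside an overlay `pkgs` is the package set without any overlays applied, so `caddy-custom` will not see other overlay changes, and `final.callPackage ./caddy-custom.nix { }` keeps the three overlays consistent. `caddy-base` calls `withPlugins` with no `vendorHash`, and `caddy-custom.nix` defaults that argument to `lib.fakeHash`, so building `caddy-base` presumably fails at the vendor fixed-output check until a real hash is filled in; if that is a deliberate placeholder, a comment saying so would save the next reader a failed build. Pinning `l4CaddyModules` and `transform-encoder` to commit hashes is the right call for supply-chain reasons; `connegmatcher` is pinned to the tag `v0.1.4`, which can be moved upstream, although the fixed `vendorHash` would still detect a changed tree.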
@@ -0,0 +1,25 @@ +{ + appimageTools, + fetchurl, + lib, + ... +}: + +let + name = "beeref"; + version = "0.3.3"; + src = fetchurl { + url = "https://github.com/rbreu/beeref/releases/download/v${version}/${name}-${version}.appimage"; + hash = "sha256-pavXKtjOvKY2IUPp+UP0v8WkrpPeNEcNDhqoQtFYszo="; + }; +in +appimageTools.wrapType2 { + inherit name version src; + extraPkgs = pkgs: [ pkgs.python311 ]; + meta = with lib; { + description = "A Simple Reference Image Viewer"; + homepage = "https://github.com/rbreu/beeref"; + license = licenses.gpl3Only; + mainProgram = "beeref"; + }; +} diff --git a/adyya-pkgs/caddy-custom.nix b/adyya-pkgs/caddy-custom.nix new file mode 100644 index 0000000..0162095 --- /dev/null +++ b/adyya-pkgs/caddy-custom.nix 
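Review bot: `appimageTools.wrapType2` is given `name` together with `version`; I believe recent nixpkgs revisions deprecate `name` here in favour of `pname` plus `version` (worth confirming against the nixpkgs revision in `flake.lock`), so `pname = "beeref"; inherit version src;` is the forward-compatible spelling. The AppImage is a prebuilt release binary whose only provenance is the pinned `hash`, which is as much as this packaging can offer and is worth a one-line comment. Adding `meta.platforms = [ "x86_64-linux" ]` would also state the only platform the downloaded AppImage can run on instead of failing at runtime elsewhere.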
@@ -0,0 +1,158 @@ +{ + lib, + buildGoModule, + fetchFromGitHub, + gnused, + installShellFiles, + nixosTests, + caddy, + testers, + stdenv, +}: +let + attrsToModule = map (plugin: plugin.repo); + attrsToVersionedModule = map ( + { + repo, + version, + ... + }: + lib.escapeShellArg "${repo}@${version}" + ); + + pname = "caddy"; + version = "2.8.4"; + + dist = fetchFromGitHub { + owner = "caddyserver"; + repo = "dist"; + rev = "v${version}"; + hash = "sha256-O4s7PhSUTXoNEIi+zYASx8AgClMC5rs7se863G6w+l0="; + }; + + src = fetchFromGitHub { + owner = "caddyserver"; + repo = "caddy"; + rev = "v${version}"; + hash = "sha256-CBfyqtWp3gYsYwaIxbfXO3AYaBiM7LutLC7uZgYXfkQ="; + }; + + subPackages = [ "cmd/caddy" ]; + + ldflags = [ + "-s" + "-w" + "-X github.com/caddyserver/caddy/v2.CustomVersion=${version}" + ]; + + # matches upstream since v2.8.0 + tags = [ "nobadger" ]; + + nativeBuildInputs = [ + gnused + installShellFiles + ]; + + postInstall = + '' + install -Dm644 ${dist}/init/caddy.service ${dist}/init/caddy-api.service -t $out/lib/systemd/system + + substituteInPlace $out/lib/systemd/system/caddy.service \ + --replace-fail "/usr/bin/caddy" "$out/bin/caddy" + substituteInPlace $out/lib/systemd/system/caddy-api.service \ + --replace-fail "/usr/bin/caddy" "$out/bin/caddy" + '' + + lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) '' + # Generating man pages and completions fail on cross-compilation + # https://github.com/NixOS/nixpkgs/issues/308283 + + $out/bin/caddy manpage --directory manpages + installManPage manpages/* + + installShellCompletion --cmd caddy \ + --bash <($out/bin/caddy completion bash) \ + --fish <($out/bin/caddy completion fish) \ + --zsh <($out/bin/caddy completion zsh) + ''; + + meta = with lib; { + homepage = "https://caddyserver.com"; + description = "Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS"; + license = licenses.asl20; + mainProgram = "caddy"; + maintainers = with maintainers; [ + 
Br1ght0ne + emilylange + techknowlogick + ]; + }; +in +buildGoModule { + inherit + pname + version + src + subPackages + ldflags + tags + nativeBuildInputs + postInstall + meta + ; + + vendorHash = "sha256-1Api8bBZJ1/oYk4ZGIiwWCSraLzK9L+hsKXkFtk6iVM="; + + passthru = { + withPlugins = + { + caddyModules, + vendorHash ? lib.fakeHash, + }: + buildGoModule { + pname = "${caddy.pname}-with-plugins"; + + inherit + version + src + subPackages + ldflags + tags + nativeBuildInputs + postInstall + meta + ; + + modBuildPhase = '' + for module in ${toString (attrsToModule caddyModules)}; do + sed -i "/standard/a _ \"$module\"" ./cmd/caddy/main.go + done + for plugin in ${toString (attrsToVersionedModule caddyModules)}; do + go get $plugin + done + go mod vendor + ''; + + modInstallPhase = '' + mv -t vendor go.mod go.sum + cp -r vendor "$out" + ''; + + preBuild = '' + chmod -R u+w vendor + [ -f vendor/go.mod ] && mv -t . vendor/go.{mod,sum} + for module in ${toString (attrsToModule caddyModules)}; do + sed -i "/standard/a _ \"$module\"" ./cmd/caddy/main.go + done + ''; + + inherit vendorHash; + }; + tests = { + inherit (nixosTests) caddy; + version = testers.testVersion { + command = "${caddy}/bin/caddy version"; + package = caddy; + }; + }; + }; +} diff --git a/adyya-pkgs/gts.nix b/adyya-pkgs/gts.nix new file mode 100644 index 0000000..d9b9d70 --- /dev/null +++ b/adyya-pkgs/gts.nix 
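Review bot: `passthru.tests.version` runs `${caddy}/bin/caddy version` with `package = caddy`, i.e. the `caddy` argument from nixpkgs rather than the derivation being built here, so the test passes without exercising this package; `pname = "${caddy.pname}-with-plugins"` likewise only borrows the upstream name. Binding the result in the `let` (`caddy-custom = buildGoModule { … }`) and pointing `package` and `command` at it, or dropping the test, makes the check meaningful. In the shell snippets `attrsToVersionedModule` passes each entry through `lib.escapeShellArg` but `attrsToModule` does not, so a `repo` value containing whitespace or quotes is split by `for module in …` and then spliced unquoted into `main.go` by `sed`; applying `lib.escapeShellArg` in `attrsToModule` as well keeps the two helpers consistent. `vendorHash ? lib.fakeHash` turns a forgotten hash into a late build failure; making the argument required surfaces the omission at evaluation time.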
@@ -0,0 +1,78 @@ +{ + lib, + fetchurl, + fetchFromGitHub, + buildGoModule, + nixosTests, +}: +let + owner = "superseriousbusiness"; + repo = "gotosocial"; + + version = "0.17.1"; + + web-assets = fetchurl { + url = "https://github.com/${owner}/${repo}/releases/download/v${version}/${repo}_${version}_web-assets.tar.gz"; + hash = "sha256-rGntLlIbgfCtdqpD7tnvAY8qwF+BpYbQWfAGMhdOTgY="; + }; +in +buildGoModule rec { + inherit version; + pname = repo; + + src = fetchFromGitHub { + inherit owner repo; + rev = "refs/tags/v${version}"; + hash = "sha256-oWWsCs9jgd244yzWhgLkuHp7kY0BQ8+Ay6KpuBVG+U8="; + }; + + vendorHash = null; + + ldflags = [ + "-s" + "-w" + "-X main.Version=${version}" + ]; + + tags = [ + "kvformat" + ]; + + postInstall = '' + tar xf ${web-assets} + mkdir -p $out/share/gotosocial + mv web $out/share/gotosocial/ + ''; + + # tests are working only on x86_64-linux + # doCheck = stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64; + # checks are currently very unstable in our setup, so we should test manually for now + doCheck = false; + + checkFlags = + let + # flaky / broken tests + skippedTests = [ + # See: https://github.com/superseriousbusiness/gotosocial/issues/2651 + "TestPage/minID,_maxID_and_limit_set" + ]; + in + [ "-skip=^${builtins.concatStringsSep "$|^" skippedTests}$" ]; + + passthru.tests.gotosocial = nixosTests.gotosocial; + + meta = with lib; { + homepage = "https://gotosocial.org"; + changelog = "https://github.com/superseriousbusiness/gotosocial/releases/tag/v${version}"; + description = "Fast, fun, ActivityPub server, powered by Go"; + longDescription = '' + ActivityPub social network server, written in Golang. + You can keep in touch with your friends, post, read, and + share images and articles. All without being tracked or + advertised to! A light-weight alternative to Mastodon + and Pleroma, with support for clients! + ''; + maintainers = with maintainers; [ blakesmith ]; + license = licenses.agpl3Only; + }; +} 
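Review bot: The commented-out `doCheck = stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64;` line references `stdenv`, which is not among this file's function arguments, so re-enabling it as written fails at evaluation; either add `stdenv` to the argument set or drop the line. With `doCheck = false`, `checkFlags` and its `skippedTests` list are dead configuration, which is fine to keep if the comment states they only take effect once tests are switched back on. `vendorHash = null` builds from the modules vendored in the repository, so the `src` hash alone pins the whole dependency tree — a comment saying so would explain why this differs from `caddy-custom.nix` in the same commit.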
diff --git a/apps.mod.nix b/apps.mod.nix new file mode 100644 index 0000000..f17ae0a --- /dev/null +++ b/apps.mod.nix @@ -0,0 +1,104 @@ +{ vscode-server, ... }: +{ + universal.home_modules = [ + ( + { pkgs, ... }: + { + home.packages = with pkgs; [ + ps + wget + libqalculate + magic-wormhole + ]; + programs = { + # For the love of Fucking please keep them in alphabetical order to soothe my brain + btop = { + enable = true; + }; + emacs = { + enable = true; + }; + eza = { + enable = true; + git = true; + }; + # fastfetch = { # removed from universal as this adds gtk3 and imagemagick to the closure, for some godforsaken reason. + # enable = true; + # }; + micro = { + enable = true; + }; + ripgrep = { + enable = true; + }; + }; + } + ) + ]; + universal.modules = [ + { + programs.screen.enable = true; + } + ]; + personal.modules = [ + ( + { pkgs, ... }: + { + users.users.emv.extraGroups = [ "video" ]; + } + ) + ]; + personal.home_modules = [ + ( + { pkgs, ... }: + { + home.packages = with pkgs; [ + emulsion + ffmpeg + vlc + signal-desktop + discord + obsidian + # calibre # still borked apparently, what the hell + ]; + + programs = { + librewolf = { + enable = true; + }; + terminator = { + enable = true; + }; + vscode = { + enable = true; + package = pkgs.vscodium; + mutableExtensionsDir = false; + extensions = with pkgs.vscode-extensions; [ + rust-lang.rust-analyzer + tuttieee.emacs-mcx + tamasfe.even-better-toml + vadimcn.vscode-lldb + jnoortheen.nix-ide + mkhl.direnv + ]; + }; + }; + } + ) + vscode-server.homeModules.default + { + services.vscode-server.enable = true; + } + ]; + capsaicin.home_modules = [ + ( + { pkgs, ... }: + { + home.packages = with pkgs; [ + cryptsetup + keepassxc + ]; + } + ) + ]; +} diff --git a/art.mod.nix b/art.mod.nix new file mode 100644 index 0000000..7371ef3 --- /dev/null +++ b/art.mod.nix 
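Review bot: The `personal.modules` entry wraps its body in `{ pkgs, ... }:` but only sets `users.users.emv.extraGroups`, so the function can be dropped to a plain attribute set like the `universal.modules` entry: `{ users.users.emv.extraGroups = [ "video" ]; }`. `mutableExtensionsDir = false` with a pinned `extensions` list is the reproducible choice; a one-line comment such as `# extensions are managed by Nix only; add them here, not from the marketplace` would pre-empt the obvious question.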
@@ -0,0 +1,30 @@ +{ + + capsaicin.home_modules = [ + ( + { pkgs, ... }: + { + home.packages = with pkgs; [ + blender # this is because capsaicin is the only one of the two who can take rendering something without starting a forest fire + ]; + } + ) + ]; + personal.home_modules = [ + ( + { pkgs, ... }: + { + home.packages = with pkgs; [ + krita + inkscape + libresprite + darktable + obs-studio + # pureref # not updated on nixpkgs apparently + beeref + ]; + } + ) + ]; + +} diff --git a/audio.mod.nix b/audio.mod.nix new file mode 100644 index 0000000..2ff0549 --- /dev/null +++ b/audio.mod.nix @@ -0,0 +1,27 @@ +{ + personal.modules = [ + { + programs.noisetorch.enable = true; + hardware.pulseaudio.enable = false; + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + jack.enable = true; + pulse.enable = true; + }; + } + ]; + personal.home_modules = [ + ( + { pkgs, ... }: + { + home.packages = with pkgs; [ + pwvucontrol + pw-volume + pw-viz + ]; + } + ) + ]; +} diff --git a/cluster/cluster-firewall.mod.nix b/cluster/cluster-firewall.mod.nix new file mode 100644 index 0000000..b0f67cc --- /dev/null +++ b/cluster/cluster-firewall.mod.nix @@ -0,0 +1,19 @@ +{ + cluster-testing.modules = [ + # ({ + # networking.firewall = { + # allowedTCPPorts = [ + # 2379 # embedded etcd clients + # 2380 # idem peers + # 4240 # cilium health checks + # 6443 # k3s server + # + # 10250 # kumetrics server + # ]; + # allowedUDPPorts = [ + # 8472 # cilium vxlan + # ]; + # }; + # }) + ]; +} diff --git a/cluster/kernel.mod.nix b/cluster/kernel.mod.nix new file mode 100644 index 0000000..71909e5 --- /dev/null +++ b/cluster/kernel.mod.nix 
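Review bot: In `cluster/cluster-firewall.mod.nix` the entire `networking.firewall` block is commented out, leaving `cluster-testing.modules` as an empty list, and nothing in the hunk says why; with the NixOS firewall on by default this keeps 6443, the etcd ports and the Cilium ports closed on the `cluster-testing` host, so the `services.k3s` server declared in `cluster/kubernetes.mod.nix` would be unreachable by peers unless the firewall is disabled elsewhere (if it is, that should be stated here so the allow-list and the reality do not drift). When the list comes back, keeping it as the explicit per-port allow-list shown is preferable to turning the firewall off. `10250 # kumetrics server` presumably means the kubelet API, which is what that port serves; `10250 # kubelet API` would be clearer.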
@@ -0,0 +1,29 @@ +{ + cluster-testing.modules = [ + ( + { pkgs, lib, ... }: + { + boot.kernelPatches = [ + { + name = "eBPF-cilium"; + patch = null; # the following are for ebpf, which is required by cilium + extraConfig = '' + BPF y + BPF_SYSCALL y + NET_CLS_BPF y + BPF_JIT y + NET_CLS_ACT y + NET_SCH_INGRESS y + CRYPTO_SHA1 y + CRYPTO_USER_API_HASH y + CGROUPS y + CGROUP_BPF y + PERF_EVENTS y + SCHEDSTATS y + ''; + } + ]; + } + ) + ]; +} diff --git a/cluster/kubernetes.mod.nix b/cluster/kubernetes.mod.nix new file mode 100644 index 0000000..3aeed0b --- /dev/null +++ b/cluster/kubernetes.mod.nix 
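Review bot: `boot.kernelPatches` with `extraConfig` forces a from-source kernel build on the `cluster-testing` host, which forfeits the binary cache and is slow on the hardware described in the README; as far as I know most of the listed options (`BPF`, `BPF_SYSCALL`, `BPF_JIT`, `CGROUP_BPF`, `NET_CLS_BPF`, …) are already enabled in the default NixOS kernel config, so checking `zcat /proc/config.gz` on the host before paying for a custom build is worthwhile. A comment naming the source of this list (Cilium's system-requirements page) and the Cilium version it was taken from would make later pruning safer. `pkgs` and `lib` are bound but unused, so the module can be a plain attribute set.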
@@ -0,0 +1,44 @@ +{ + cluster-testing.modules = [ + ({ + services.k3s = { + enable = true; + role = "server"; + # token = ""; # Agent nodes are joined to the master node using a node-token which can be found on the master node at /var/lib/rancher/k3s/server/node-token. + clusterInit = true; + # allegedly you need different configs for non-starting nodes, including the ip of a server. you should handle this within nix, preferrably -e + # allegedly: " If you are configuring an HA cluster with an embedded etcd, the 1st server must have clusterInit = true and other servers must connect to it using serverAddr. " # I think you can get around this kinda by pointing to a domain, so that if the server with the address specified in the config fails, others take the request. i am not sure about the details of the implementation - i.e how to do it without giving authority to a specific node. This is more of a theoretical problem, i think, since this only matters when a node starts up and gets to be part of the cluster - after it's included i'm pretty sure it would be fine? Might need to do some testing -e + # this kinda makes sense? like otherwise how would the new clusters know where to connect to ? Because it uses raft, the serverAddr doesn't necessarily have to be the one with clusterInit, as, according to the Raft specification, calls to followers get forwarded to the leader node. -e + extraFlags = [ + # "--flannel-backend none" + # "--disable-network-policy" + # "--no-deploy traefik" + ]; # --flannel-backend-none and --disable-network-policy prepare the cluster for cillium, which, as far as i can see, i need to install imperatively because it isn't a service or packaged within nixpkgs. The command used is `cilium install --version 1.x.x --set=ipam.operator.clusterPoolIPv4PodCIDRList="10.42.0.0/16"`,replace the x's with whatever version you need, as of 2024.09.20 1.16.1 is the latest (released on the 14th of August 2024, according to their github). 
Godspeed to future addy if we decide to do package it ourselves or something. -e + # configPath = ./k3s.yaml; + }; # decided to try stock kubernetes since k3s doesn't seem to be working as i intend --- a week later --- YOU BUMBLING MORON YOU ARE ON UNSTABLE AND YOU WERE LOOKING AT 24.05 DOCS + /* + services.kubernetes = { + # flannel.enable = false; + roles = [ "master" "node" ]; + masterAddress = "10.12.96.4"; + #apiserverAddress = "10.12.96.4:6443"; + kubelet = { + enable = true; + extraOpts = "--fail-swap-on=false"; + }; + scheduler.enable = true; + apiserver ={ + enable = true; + advertiseAddress = "10.12.96.4"; + securePort = 6443; + }; + easyCerts = true; + pki.enable = true; + addons.dns.enable = true; + controllerManager.enable = true; + addonManager.enable = true; + }; #chat is this factual + */ + }) + ]; +} diff --git a/cluster/packages.mod.nix b/cluster/packages.mod.nix new file mode 100644 index 0000000..6a3ffd7 --- /dev/null +++ b/cluster/packages.mod.nix @@ -0,0 +1,19 @@ +{ + cluster-testing.modules = [ + ( + { pkgs, ... }: + { + environment.systemPackages = with pkgs; [ + clang # this is for cilium + llvm_18 # idem + openiscsi # this is for longhorn + kubernetes-helm + cilium-cli # might not need this after all, if i try to install it using helm -e + # kubernetes + # kubectl + # kompose + ]; + } + ) + ]; +} diff --git a/cluster/virtualisation.mod.nix b/cluster/virtualisation.mod.nix new file mode 100644 index 0000000..2d344b2 --- /dev/null +++ b/cluster/virtualisation.mod.nix 
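Review bot: If the `# token = "";` line is ever filled in, `services.k3s.token` puts the join token into the world-readable Nix store; since the repository already uses sops-nix, declaring the secret there and using `services.k3s.tokenFile = config.sops.secrets.<name>.path;` (with `{ config, ... }:` added to the module arguments) keeps it out of the store, and a comment next to the option should say so. The comment on `extraFlags` says the flags prepare the node for Cilium, but the list itself is empty, so as written k3s deploys its default flannel backend, network-policy controller and traefik; either uncomment the flags or change the comment to say the Cilium switch is pending. `--no-deploy traefik` was deprecated in k3s in favour of `--disable traefik`, so when the flag returns it should use the newer spelling. The long inline notes on HA and `serverAddr` would read better as a short header comment giving the conclusion, with the reasoning kept in the README or commit history.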
@@ -0,0 +1,38 @@
+{
+ cluster.modules = [
+ ({
+ users.users.emv.extraGroups = [
+ "podman"
+ "docker"
+ ];
+ })
+ ];
+ sucrose.modules = [
+ ({
+ virtualisation.docker = {
+ enable = true;
+ storageDriver = "btrfs";
+ daemon.settings = {
+ userland-proxy = false;
+ ipv6 = false;
+ data-root = "/home/emv/docker-data-root/";
+ };
+ };
+ })
+ (
+ { pkgs, ... }:
+ {
+ environment.systemPackages = [ pkgs.podman-compose ];
+ virtualisation = {
+ containers.enable = true;
+ podman = {
+ enable = true;
+ dockerCompat = false;
+ defaultNetwork.settings.dns_enabled = true;
+ };
+ oci-containers.backend = "podman";
+ };
+ }
+ )
+ ];
+}
diff --git a/dev.mod.nix b/dev.mod.nix new file mode 100644
index 0000000..5d7fd88
--- /dev/null
+++ b/dev.mod.nix
@@ -0,0 +1,36 @@
+{
+ universal.home_modules = [
+ {
+ programs.git = {
+ enable = true;
+ userName = "Ittihadyya";
+ userEmail = "Ittihadyya@collective-conciousness.monster";
+ delta.enable = true;
+ extraConfig = {
+ core = {
+ editor = "emacs";
+ sshCommand = "ssh -i ~/.ssh/id_ed25519";
+ };
+ };
+ };
+ }
+ ];
+ personal.modules = [
+ (
+ { pkgs, ... }:
+ {
+ environment.systemPackages =
+ with pkgs;
+ [
+ ];
+ programs = {
+ direnv = {
+ enable = true;
+ nix-direnv.enable = true;
+ enableZshIntegration = true;
+ };
+ };
+ }
+ )
+ ];
+}
diff --git a/emacs.mod.nix b/emacs.mod.nix new file mode 100644
index 0000000..8dde7d6
--- /dev/null
+++ b/emacs.mod.nix
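Review bot: Membership in the `docker` group is root-equivalent (the daemon socket lets a member run containers that mount the host filesystem), and `cluster.modules` grants it to `emv` on every `cluster` host, which per `_inheritance.mod.nix` includes `aspartame`, where `virtualisation.docker` is never enabled; moving the `docker` entry into `sucrose.modules` next to the docker configuration limits the grant to hosts that actually run the daemon, and a comment should record that this group is a privilege boundary. `data-root = "/home/emv/docker-data-root/"` puts the root-owned image store under a user-owned home directory; if this is for disk-space reasons a comment saying so would help, otherwise a root-owned path (for example a dedicated btrfs subvolume, since `storageDriver = "btrfs"`) avoids mixing ownership under a user-writable parent.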
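Review bot: In `dev.mod.nix` the `personal.modules` entry sets `environment.systemPackages = with pkgs; [ ];`, an empty list, so the `with pkgs;` and the `{ pkgs, ... }:` wrapper do nothing; either drop the attribute or leave a comment saying it is a placeholder. `sshCommand = "ssh -i ~/.ssh/id_ed25519"` hard-codes the key path in the git config for every host; the same effect is usually achieved per host in `~/.ssh/config`, which keeps the git configuration host-independent.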
@@ -0,0 +1,71 @@ +{ + personal.home_modules = [ + ( + { pkgs, ... }: + { + home.packages = with pkgs; [ + mupdf + ]; + programs.emacs = { + extraPackages = epkgs: [ + epkgs.org + epkgs.ob-asymptote + epkgs.auctex # latex + epkgs.preview-dvisvgm # in-line latex preview + epkgs.latex-preview-pane + epkgs.pdf-tools + epkgs.obsidian + epkgs.hydra # should be fun + ]; + extraConfig = '' + ;; disable splash screen + (setq inhibit-splash-screen t) + + ;; auctex stuff + (setq TeX-auto-save t) + (setq TeX-parse-self t) + (setq-default TeX-master nil) + + ;; to be able to view pdfs, i hope + (require 'doc-view) + (setq doc-view-resolution 144) + (setq doc-view-continuous t) ;; ugh, why isn't this the default + + ;; obsidian extension + + + (use-package obsidian + :ensure t + :demand t + :config + (obsidian-specify-path "~/notes/obsidian") + (global-obsidian-mode t) + :custom + ;; This directory will be used for `obsidian-capture' if set. + (obsidian-inbox-directory "Inbox") + ;; Create missing files in inbox? - when clicking on a wiki link + ;; t: in inbox, nil: next to the file with the link + ;; default: t + ;(obsidian-wiki-link-create-file-in-inbox nil) + ;; The directory for daily notes (file name is YYYY-MM-DD.md) + (obsidian-daily-notes-directory "daily_notes") + ;; Directory of note templates, unset (nil) by default + ;(obsidian-templates-directory "templates") + ;; Daily Note template name - requires a template directory. Default: Daily Note Template.md + ;(obsidian-daily-note-template "daily-note-template.md") + :bind (:map obsidian-mode-map + ;; Replace C-c C-o with Obsidian.el's implementation. It's ok to use another key binding. + ("C-c C-o" . obsidian-follow-link-at-point) + ;; Jump to backlinks + ("C-c C-b" . obsidian-backlink-jump) + ;; If you prefer you can use `obsidian-insert-link' + ("C-c C-l" . obsidian-insert-wikilink))) + + ;; obsidian hydra + (bind-key (kbd "C-c M-o") 'obsidian-hydra/body 'obsidian-mode-map) + ''; + }; + } + ) + ]; +} 
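Review bot: `(use-package obsidian :ensure t …)` asks package.el to download `obsidian` from ELPA at startup, while the same package is already supplied by Nix via `epkgs.obsidian` in `extraPackages`; on a Nix-managed Emacs `:ensure t` is at best a no-op and at worst a network fetch into `~/.emacs.d/elpa` that shadows the pinned version, so `:ensure nil` (or simply dropping the keyword) matches the rest of the setup. `bind-key` is called unconditionally on the last line; it ships with `use-package`, which is built into Emacs 29 and later, so this is fine if the Emacs in use is at least that new — a comment noting the assumption would help.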
diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..702b803 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,524 @@ +{ + "nodes": { + "base16": { + "inputs": { + "fromYaml": "fromYaml" + }, + "locked": { + "lastModified": 1708890466, + "narHash": "sha256-LlrC09LoPi8OPYOGPXegD72v+//VapgAqhbOFS3i8sc=", + "owner": "SenchoPens", + "repo": "base16.nix", + "rev": "665b3c6748534eb766c777298721cece9453fdae", + "type": "github" + }, + "original": { + "owner": "SenchoPens", + "repo": "base16.nix", + "type": "github" + } + }, + "base16-fish": { + "flake": false, + "locked": { + "lastModified": 1622559957, + "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", + "owner": "tomyun", + "repo": "base16-fish", + "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", + "type": "github" + }, + "original": { + "owner": "tomyun", + "repo": "base16-fish", + "type": "github" + } + }, + "base16-helix": { + "flake": false, + "locked": { + "lastModified": 1725860795, + "narHash": "sha256-Z2o8VBPW3I+KKTSfe25kskz0EUj7MpUh8u355Z1nVsU=", + "owner": "tinted-theming", + "repo": "base16-helix", + "rev": "7f795bf75d38e0eea9fed287264067ca187b88a9", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-helix", + "type": "github" + } + }, + "base16-vim": { + "flake": false, + "locked": { + "lastModified": 1716150083, + "narHash": "sha256-ZMhnNmw34ogE5rJZrjRv5MtG3WaqKd60ds2VXvT6hEc=", + "owner": "tinted-theming", + "repo": "base16-vim", + "rev": "6e955d704d046b0dc3e5c2d68a2a6eeffd2b5d3d", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-vim", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": [ + "stylix", + "systems" + ] + }, + 
"locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "fromYaml": { + "flake": false, + "locked": { + "lastModified": 1689549921, + "narHash": "sha256-iX0pk/uB019TdBGlaJEWvBCfydT6sRq+eDcGPifVsCM=", + "owner": "SenchoPens", + "repo": "fromYaml", + "rev": "11fbbbfb32e3289d3c631e0134a23854e7865c84", + "type": "github" + }, + "original": { + "owner": "SenchoPens", + "repo": "fromYaml", + "type": "github" + } + }, + "gnome-shell": { + "flake": false, + "locked": { + "lastModified": 1713702291, + "narHash": "sha256-zYP1ehjtcV8fo+c+JFfkAqktZ384Y+y779fzmR9lQAU=", + "owner": "GNOME", + "repo": "gnome-shell", + "rev": "0d0aadf013f78a7f7f1dc984d0d812971864b934", + "type": "github" + }, + "original": { + "owner": "GNOME", + "ref": "46.1", + "repo": "gnome-shell", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730016908, + "narHash": "sha256-bFCxJco7d8IgmjfNExNz9knP8wvwbXU4s/d53KOK6U0=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "e83414058edd339148dc142a8437edb9450574c8", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "stylix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724435763, + 
"narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nix-index-database": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729999765, + "narHash": "sha256-LYsavZXitFjjyETZoij8usXjTa7fa9AIF3Sk3MJSX+Y=", + "owner": "nix-community", + "repo": "nix-index-database", + "rev": "0e3a8778c2ee218eff8de6aacf3d2fa6c33b2d4f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-index-database", + "type": "github" + } + }, + "nix-monitored": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1715016928, + "narHash": "sha256-JZx+enK1RlsMSJGmX/KTpADtxrCPDztQRKpO22LKZZM=", + "owner": "ners", + "repo": "nix-monitored", + "rev": "776e497a13b8b403065d59c45a3fdc07b76a0db1", + "type": "github" + }, + "original": { + "owner": "ners", + "repo": "nix-monitored", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1730368399, + "narHash": "sha256-F8vJtG389i9fp3k2/UDYHMed3PLCJYfxCqwiVP7b9ig=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "da14839ac5f38ee6adbdb4e6db09b5eef6d6ccdc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1714906307, + "narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1730137625, + "narHash": "sha256-9z8oOgFZiaguj+bbi3k4QhAD6JabWrnv7fscC/mt0KE=", + "owner": "NixOS", + "repo": "nixpkgs", + 
"rev": "64b80bfb316b57cdb8919a9110ef63393d74382a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1729973466, + "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1730200266, + "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1729951556, + "narHash": "sha256-bpb6r3GjzhNW8l+mWtRtLNg5PhJIae041sPyqcFNGb4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4e0eec54db79d4d0909f45a88037210ff8eaffee", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1725194671, + "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1682134069, + "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fd901ef4bf93499374c5af385b2943f5801c0833", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "root": { + "inputs": { + "home-manager": 
"home-manager", + "nix-index-database": "nix-index-database", + "nix-monitored": "nix-monitored", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs_2", + "nixpkgs-stable": "nixpkgs-stable", + "sops-nix": "sops-nix", + "stylix": "stylix", + "vscode-server": "vscode-server" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_3", + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1729999681, + "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "stylix": { + "inputs": { + "base16": "base16", + "base16-fish": "base16-fish", + "base16-helix": "base16-helix", + "base16-vim": "base16-vim", + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "gnome-shell": "gnome-shell", + "home-manager": "home-manager_2", + "nixpkgs": "nixpkgs_4", + "systems": "systems", + "tinted-foot": "tinted-foot", + "tinted-kitty": "tinted-kitty", + "tinted-tmux": "tinted-tmux" + }, + "locked": { + "lastModified": 1729963473, + "narHash": "sha256-uGjTjvvlGQfQ0yypVP+at0NizI2nrb6kz4wGAqzRGbY=", + "owner": "danth", + "repo": "stylix", + "rev": "04afcfc0684d9bbb24bb1dc77afda7c1843ec93b", + "type": "github" + }, + "original": { + "owner": "danth", + "repo": "stylix", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": 
"da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "tinted-foot": { + "flake": false, + "locked": { + "lastModified": 1696725948, + "narHash": "sha256-65bz2bUL/yzZ1c8/GQASnoiGwaF8DczlxJtzik1c0AU=", + "owner": "tinted-theming", + "repo": "tinted-foot", + "rev": "eedbcfa30de0a4baa03e99f5e3ceb5535c2755ce", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-foot", + "type": "github" + } + }, + "tinted-kitty": { + "flake": false, + "locked": { + "lastModified": 1716423189, + "narHash": "sha256-2xF3sH7UIwegn+2gKzMpFi3pk5DlIlM18+vj17Uf82U=", + "owner": "tinted-theming", + "repo": "tinted-kitty", + "rev": "eb39e141db14baef052893285df9f266df041ff8", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-kitty", + "rev": "eb39e141db14baef052893285df9f266df041ff8", + "type": "github" + } + }, + "tinted-tmux": { + "flake": false, + "locked": { + "lastModified": 1696725902, + "narHash": "sha256-wDPg5elZPcQpu7Df0lI5O8Jv4A3T6jUQIVg63KDU+3Q=", + "owner": "tinted-theming", + "repo": "tinted-tmux", + "rev": "c02050bebb60dbb20cb433cd4d8ce668ecc11ba7", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-tmux", + "type": "github" + } + }, + "vscode-server": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1729422940, + "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=", + "owner": "nix-community", + "repo": "nixos-vscode-server", + "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-vscode-server", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..37cae75 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,127 @@ +{ + description = "The Ittihadyya Flake"; # adapted from dearest sodiboo's config and with xir help + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.05"; + + home-manager.url = "github:nix-community/home-manager"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + nixos-hardware.url = "github:NixOS/nixos-hardware"; + + nix-monitored.url = "github:ners/nix-monitored"; + + sops-nix.url = "github:Mic92/sops-nix"; + + stylix.url = "github:danth/stylix"; + + nix-index-database.url = "github:nix-community/nix-index-database"; + nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; + + vscode-server.url = "github:nix-community/nixos-vscode-server"; + + #niri.url = "github:sodiboo/niri-flake"; + }; + + outputs = + { + self, + nixpkgs, + ... + }@inputs: + with nixpkgs.lib; + let + match = flip getAttr; + read_dir_recursively = + dir: + concatMapAttrs ( + this: + match { + directory = mapAttrs' (subpath: nameValuePair "${this}/${subpath}") ( + read_dir_recursively "${dir}/${this}" + ); + regular = { + ${this} = "${dir}/${this}"; + }; + symlink = { }; + } + ) (builtins.readDir dir); + + # `const` helper function is used extensively: the function is constant in regards to the name of the attribute. + + params = inputs // { + configs = raw_configs; + molecules = { + # number via perfect squares for now, start from 15 squared for personal and 2 squared for others (use primes afterwards, in the same way) + capsaicin = 225; # pc + menthol = 196; # laptop + glucose = 4; # minipc functioning as server node + fructose = 9; # idem + aspartame = 16; # VPS + }; + inherit merge extras; + }; + + # It is important to note, that when adding a new `.mod.nix` file, you need to run `git add` on the file. + # If you don't, the file will not be included in the flake, and the modules defined within will not be loaded. 
+ + read_all_modules = flip pipe [ + read_dir_recursively + (filterAttrs (flip (const (hasSuffix ".mod.nix")))) + (mapAttrs (const import)) + (mapAttrs (const (flip toFunction params))) + ]; + + merge = + prev: this: + { + modules = prev.modules or [ ] ++ this.modules or [ ]; + home_modules = prev.home_modules or [ ] ++ this.home_modules or [ ]; + } + // (optionalAttrs (prev ? system || this ? system) { + system = prev.system or this.system; + }); + + all_modules = attrValues (read_all_modules "${self}"); + + raw_configs' = builtins.zipAttrsWith ( + machine: if machine == "extras" then mergeAttrsList else builtins.foldl' merge { } + ) all_modules; + + raw_configs = builtins.removeAttrs raw_configs' [ "extras" ]; + + extras = raw_configs'.extras or { }; + + configs = builtins.mapAttrs (const ( + config: + nixpkgs.lib.nixosSystem { + inherit (config) system; + modules = config.modules ++ [ + { + _module.args.home_modules = config.home_modules; + } + ]; + } + )) raw_configs; + in + { + # for use in nix repl + p = s: builtins.trace "\n\n${s}\n" "---"; + + formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.alejandra; + nixosConfigurations = builtins.mapAttrs (name: const configs.${name}) params.molecules; + + # This is useful to rebuild all systems at once, for substitution + all-systems = nixpkgs.legacyPackages.x86_64-linux.runCommand "all-systems" { } ( + '' + mkdir $out + '' + + (builtins.concatStringsSep "\n" ( + mapAttrsToList (name: config: '' + ln -s ${config.config.system.build.toplevel} $out/${name} + '') self.nixosConfigurations + )) + ); + }; +} diff --git a/fonts.mod.nix b/fonts.mod.nix new file mode 100644 index 0000000..d937912 --- /dev/null +++ b/fonts.mod.nix 
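Review bot: Only `home-manager` and `nix-index-database` are told to follow the root `nixpkgs`; `sops-nix`, `stylix`, `nix-monitored` and `vscode-server` keep their own, and the flake.lock in this same commit consequently carries five separate nixpkgs revisions, the one used by `vscode-server` (`nixpkgs_5`) dating from April 2023. Whatever those inputs build from their own nixpkgs is evaluated against package sets that stay pinned to each upstream's lock rather than to what this flake updates, which is both a supply-chain and a closure-size concern. Add `sops-nix.inputs.nixpkgs.follows = "nixpkgs";`, `stylix.inputs.nixpkgs.follows = "nixpkgs";` and `vscode-server.inputs.nixpkgs.follows = "nixpkgs";` (and the same for `nix-monitored` if it builds against unstable). Separately, `read_dir_recursively` maps `symlink = { }`, so a symlinked `.mod.nix` is silently skipped — worth stating in the comment that already warns about `git add`.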
@@ -0,0 +1,20 @@ +{ + personal.modules = [ + ( + { pkgs, ... }: + { + fonts.packages = with pkgs; [ + noto-fonts + noto-fonts-cjk-sans + noto-fonts-emoji + fira-code + fira-code-symbols # this is probably redundant, whatever + dina-font + proggyfonts + wqy_zenhei # this is so that hanzi doesn't look like pixel art + nerdfonts # all of them, apparently + ]; + } + ) + ]; +} diff --git a/games.mod.nix b/games.mod.nix new file mode 100644 index 0000000..81042e5 --- /dev/null +++ b/games.mod.nix @@ -0,0 +1,28 @@ +{ + personal.modules = [ + ( + { pkgs, ... }: + { + programs.steam = { + enable = true; + extraCompatPackages = with pkgs; [ + proton-ge-bin + ]; + }; + } + ) + ]; + + personal.home_modules = [ + ( + { pkgs, ... }: + { + home.packages = with pkgs; [ + lutris + heroic + ]; + programs.mangohud.enable = true; + } + ) + ]; +} diff --git a/hardware.mod.nix b/hardware.mod.nix new file mode 100644 index 0000000..26e7a1b --- /dev/null +++ b/hardware.mod.nix 
@@ -0,0 +1,153 @@ +{ nixos-hardware, ... }: +let + config = name: system: additional: { + inherit name; + value = { + inherit system; + modules = [ + { + networking.hostName = name; + nixpkgs.hostPlatform = system; + } + ] ++ additional; + }; + }; + + filesystem = fsType: path: device: options: { + fileSystems.${path} = { + inherit device fsType; + } // (if options == null then { } else { inherit options; }); + }; + + fs.mergerfs = filesystem "fuse.mergerfs"; + fs.btrfs = filesystem "btrfs"; + fs.ext4 = filesystem "ext4"; + fs.vfat = filesystem "vfat"; + swap = device: { swapDevices = [ { inherit device; } ]; }; + + cpu = brand: { hardware.cpu.${brand}.updateMicrocode = true; }; + qemu = + { modulesPath, ... }: + { + imports = [ "${modulesPath}/profiles/qemu-guest.nix" ]; + }; +in +{ + universal.modules = [ + ( + { + pkgs, + lib, + ... + }: + { + environment.systemPackages = with pkgs; [ mergerfs ]; + hardware.enableRedistributableFirmware = true; + networking.useDHCP = lib.mkDefault true; + } + ) + ]; + + personal.modules = [ + { + services.fwupd.enable = true; + } + ]; +} +// builtins.listToAttrs [ + (config "capsaicin" "x86_64-linux" [ + (cpu "intel") + (fs.btrfs "/" "/dev/disk/by-uuid/a1a32f8b-847c-4349-8743-05d25950db1d" null) + (fs.btrfs "/mnt/hdd1tb" "/dev/disk/by-uuid/1b1451cd-89ce-4daa-afdb-37ceecbb9484" null) + (fs.ext4 "/mnt/hdd500gb" "/dev/disk/by-uuid/d7a35003-4b60-4a5e-b87a-af7c18eefe04" null) + (fs.vfat "/boot" "/dev/disk/by-uuid/5C2E-B6F1" null) + (swap "/dev/disk/by-uuid/16f09a9c-74ef-4a32-b9c0-d3948d76f3a0") + { + boot.loader.systemd-boot.enable = true; + zramSwap.enable = true; + boot.initrd.kernelModules = [ ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usbhid" + "sd_mod" + ]; + boot.kernelModules = [ + "usbmon" + "v4l2loopback" + ]; + boot.extraModulePackages = [ ]; + } + ]) + (config "menthol" "x86_64-linux" [ + (cpu "intel") + (fs.btrfs "/" "/dev/disk/by-uuid/1a254d99-6480-4557-b3e8-e8ee745f5832" null) + (swap 
"/dev/disk/by-uuid/455a7c78-fdc3-4dbb-b9f2-9518d960191b") + { + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.initrd.kernelModules = [ ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "sd_mod" + "rtsx_pci_sdmmc" + ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + } + ]) + (config "glucose" "x86_64-linux" [ + (cpu "intel") + (fs.btrfs "/" "/dev/disk/by-uuid/abbb549e-19b4-4855-b3c7-0b81ab784b74" null) + (swap "/dev/disk/by-uuid/dc948ee6-94fb-49b2-94d4-317aa41f1a9d") + { + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.initrd.kernelModules = [ ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ehci_pci" + "ahci" + "sd_mod" + ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + } + ]) + (config "fructose" "x86_64-linux" [ + (cpu "intel") + (fs.btrfs "/" "/dev/disk/by-uuid/e1b611e6-485f-4c2e-81fa-2fbcb3a7f1ba" null) + (swap "/dev/disk/by-uuid/83c561a1-08b9-4b48-bdfc-102098fd2059") + { + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.initrd.kernelModules = [ ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ehci_pci" + "ahci" + "sd_mod" + ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + } + ]) + (config "aspartame" "x86_64-linux" [ + qemu + (fs.ext4 "/" "/dev/disk/by-uuid/2def7bee-b1e3-49ea-b46c-33f272aaa5b2" null) + { + boot.tmp.cleanOnBoot = true; + zramSwap.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + ]; + boot.initrd.kernelModules = [ ]; + } + ]) +] diff --git a/home.mod.nix b/home.mod.nix new file mode 100644 index 0000000..e0830b3 --- /dev/null +++ b/home.mod.nix 
@@ -0,0 +1,73 @@ +{ home-manager, ... }: +{ + universal.modules = [ + home-manager.nixosModules.home-manager + ( + { config, pkgs, ... }: + { + users.users.emv = { + isNormalUser = true; + description = "emv"; + # shell = pkgs.zsh; # this is scuffed as hell, please, for the love of fuck, make a zsh.mod.nix file sometime + # ignoreShellProgramCheck = true; + extraGroups = [ "wheel" ]; + }; + home-manager = { + backupFileExtension = "bak"; + useGlobalPkgs = true; + useUserPackages = true; + users.emv = { + home.username = "emv"; + home.homeDirectory = "/home/emv"; + + home.stateVersion = "24.05"; + imports = config._module.args.home_modules; + }; + }; + } + ) + ]; + personal.home_modules = [ + ( + { + lib, + config, + ... + }: + { + options.systemd-fuckery = { + auto-restart = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ ]; + }; + }; + + config = { + home.activation.restartSystemdFuckery = + let + ensureRuntimeDir = "XDG_RUNTIME_DIR=\${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"; + + systemctl = "env ${ensureRuntimeDir} ${config.systemd.user.systemctlPath}"; + + each = f: builtins.concatStringsSep "\n" (map f config.systemd-fuckery.auto-restart); + in + lib.mkIf (config.systemd-fuckery.auto-restart != [ ]) ( + lib.hm.dag.entryAfter [ "reloadSystemd" ] '' + systemdStatus=$(${systemctl} --user is-system-running 2>&1 || true) + + if [[ $systemdStatus == 'running' || $systemdStatus == 'degraded' ]]; then + ${ + each (unit: '' + run ${systemctl} --user try-restart ${unit}.service + '') + } + else + echo "User systemd daemon not running. Skipping reload." + fi + '' + ); + }; + } + ) + ]; +} diff --git a/locale.mod.nix b/locale.mod.nix new file mode 100644 index 0000000..625d420 --- /dev/null +++ b/locale.mod.nix @@ -0,0 +1,11 @@ +{ + universal.modules = [ + ( + { config, ... }: + { + time.timeZone = "Europe/Bucharest"; + i18n.defaultLocale = "en_US.UTF-8"; + } + ) + ]; +} 
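Review bot: In `restartSystemdFuckery` each entry of `systemd-fuckery.auto-restart` is spliced unquoted into a shell command (`run ${systemctl} --user try-restart ${unit}.service`), so a value containing whitespace or shell metacharacters would be word-split or interpreted rather than passed as a unit name; use `run ${systemctl} --user try-restart ${lib.escapeShellArg "${unit}.service"}` there. The `auto-restart` option also has no `description`, so nothing documents what the list means — add `description = "User units to try-restart after home-manager activation.";`. The `emv` account is created with `extraGroups = [ "wheel" ]` and no `hashedPasswordFile`/`initialPassword`; that works with `users.mutableUsers` at its default, but a comment stating that the password is set imperatively would make the sudo story explicit for anyone redeploying from this flake.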
diff --git a/nerd.mod.nix b/nerd.mod.nix
new file mode 100644
index 0000000..50e5d24
--- /dev/null
+++ b/nerd.mod.nix
@@ -0,0 +1,15 @@
+{
+ personal.home_modules = [
+ (
+ { pkgs, ... }:
+ {
+ home.packages = with pkgs; [
+ geogebra6 # geogebra5 currently does not work?
+ chemtool
+ avogadro2
+ ];
+ programs.sagemath.enable = true;
+ }
+ )
+ ];
+}
diff --git a/networking/firewall.mod.nix b/networking/firewall.mod.nix
new file mode 100644
index 0000000..443ce93
--- /dev/null
+++ b/networking/firewall.mod.nix
@@ -0,0 +1,23 @@
+{
+ universal.modules = [
+ {
+ networking.firewall.enable = true;
+ networking.nftables.enable = true;
+ }
+ ];
+ fructose.modules = [
+ {
+ networking.firewall = {
+ allowedUDPPorts = [
+ # 53 # pihole
+ # 5894 # couchdb
+ ];
+ allowedTCPPorts = [
+ 222 # forgejo ssh
+ 3000 # forgejo
+ # 5894 # couchdb
+ ];
+ };
+ }
+ ];
+}
diff --git a/networking/general.mod.nix b/networking/general.mod.nix
new file mode 100644
index 0000000..55d6ec1
--- /dev/null
+++ b/networking/general.mod.nix
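Review bot: The sibling general.mod.nix points every host's `networking.nameservers` at 10.24.1.9, which vpn.mod.nix assigns to fructose on wg0 (`ip 9`), yet this hunk leaves `53 # pihole` commented out and adds no interface-scoped rule; with `networking.firewall.enable = true` the other hosts' DNS queries to the pihole are dropped (unless pihole runs somewhere with its own rules) and resolution only falls back to 9.9.9.9 after a timeout. Open it on the tunnel only: `networking.firewall.interfaces.wg0.allowedUDPPorts = [ 53 ];` and `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 53 222 3000 ];`. As written, 222 and 3000 are open on every interface of fructose including the LAN side; if forgejo is only meant to be reached over the mesh, move them under `interfaces.wg0` as above rather than the global lists.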
@@ -0,0 +1,237 @@ +{ + # networking? I sure hope it is. (It was not) + universal.modules = [ + ( + { pkgs, lib, ... }: + { + networking.networkmanager = { + enable = true; + plugins = lib.mkForce [ ]; # networkmanager has a shit ton of vpn plugins by default. which we do not care about because we use wireguard. -e + }; + networking.usePredictableInterfaceNames = false; + users.users.emv.extraGroups = [ "networkmanager" ]; + environment.systemPackages = with pkgs; [ + busybox + tcpdump + nmap + ]; + networking.nameservers = [ + "10.24.1.9" + "9.9.9.9" + ]; # first is pihole (on fructose currently, after we get kubernetes set up we should figure out how to do it in a better way) second is quad9 + } + ) + ]; + + personal.modules = [ + ( + { pkgs, ... }: + { + environment.systemPackages = with pkgs; [ + toybox + ]; + programs.wireshark.enable = true; + users.users.emv.extraGroups = [ "wireshark" ]; + } + ) + ]; + + glucose.modules = [ + ( + { ... }: + { + networking = { + interfaces.eth0.ipv4.addresses = [ + { + address = "10.12.96.4"; + prefixLength = 24; + } + ]; + defaultGateway = { + address = "10.12.96.1"; + interface = "eth0"; + }; + }; + } + ) + ]; + + fructose.modules = [ + ( + { ... }: + { + networking = { + interfaces.eth0.ipv4.addresses = [ + { + address = "10.12.96.9"; + prefixLength = 24; + } + ]; + defaultGateway = { + address = "10.12.96.1"; + interface = "eth0"; + }; + }; + } + ) + ]; + + capsaicin.modules = [ + ( + { config, ... }: + { + networking.resolvconf.enable = false; + networking = { + interfaces.eth0.ipv4.addresses = [ + { + address = "192.168.88.225"; + prefixLength = 24; + } + ]; + defaultGateway = { + address = "192.168.88.1"; + interface = "eth0"; + }; + }; + /* + networking.networkmanager = { # should probably figure out a way to get the default wireless interface? 
-e --- https://www.networkmanager.dev/docs/api/latest/nm-settings-nmcli.html Godsend + ensureProfiles = { + environmentFiles = [ "${config.sops.templates."networkmanager.env.secrets.yaml".path}" ]; + profiles = { + home-wifi = { + connection = { + id = "home-wifi"; + permissions = ""; + type = "wifi"; + interface-name = "wlp4s0"; + }; + ipv4 = { + method = "manual"; + ignore-auto-dns = true; + addresses = "192.168.88.170/24, 10.12.96.226/24"; + }; + ipv6.method = "disabled"; + wifi = { + mode = "infrastructure"; + ssid = "$HOME1_SSID"; + }; + wifi-security = { + auth-alg = "open"; + key-mgmt = "wpa-psk"; + psk = "$HOME1_PSK"; + }; + }; + home1eth = { + connection = { + id = "home1eth"; + permissions = ""; + type = "ethernet"; + interface-name = "enp5s0"; + }; + ipv4 = { + method = "manual"; + ignore-auto-dns = true; + addresses = "192.168.88.169/24, 10.12.96.225/24"; + }; + ipv6.method = "disabled"; + ethernet = { + auto-negotiate = true; + mtu = "auto"; + }; + }; + }; + }; + }; + */ + # this doesn't work, for reasons unknown, so i'm commenting it out -e + } + ) + ]; + + menthol.modules = [ + ( + { config, ... }: + { + hardware.bluetooth = { + enable = true; # menthol is the only computer that actually has a bluetooth module. + powerOnBoot = true; # this will kill the battery, beware. + }; + networking.networkmanager = { + # should probably figure out a way to get the default wireless interface? 
+ ensureProfiles = { + environmentFiles = [ "${config.sops.templates."networkmanager.env.secrets.yaml".path}" ]; + profiles = { + home2wireless = { + connection = { + id = "home2"; + permissions = ""; + type = "wifi"; + interface-name = "wlp4s0"; + }; + ipv4 = { + method = "auto"; + ignore-auto-dns = true; + }; + ipv6.method = "disabled"; + wifi = { + mode = "infrastructure"; + ssid = "$HOME2_SSID"; + }; + wifi-security = { + auth-alg = "open"; + key-mgmt = "wpa-psk"; + psk = "$HOME2_PSK"; + }; + }; + home1wireless = { + # i don't know if ensureProfiles appends or overwrites so i'm doing this -e + connection = { + id = "home1wireless"; + permissions = ""; + type = "wifi"; + interface-name = "wlp4s0"; + }; + ipv4 = { + method = "auto"; + ignore-auto-dns = true; + }; + ipv6.method = "disabled"; + wifi = { + mode = "infrastructure"; + ssid = "$HOME1_SSID"; + }; + wifi-security = { + auth-alg = "open"; + key-mgmt = "wpa-psk"; + psk = "$HOME1_PSK"; + }; + }; + phonehotspot = { + connection = { + id = "phonehotspot"; + permissions = ""; + type = "wifi"; + interface-name = "wlp4s0"; + }; + ipv4 = { + method = "auto"; + ignore-auto-dns = true; + }; + ipv6.method = "disabled"; + wifi = { + mode = "infrastructure"; + ssid = "$PHONE_HOTSPOT_SSID"; + }; + wifi-security = { + auth-alg = "open"; + keu-mgmt = "wpa-psk"; + psk = "$PHONE_HOTSPOT-PSK"; + }; + }; + }; + }; + }; + } + ) + ]; +} diff --git a/networking/ssh.mod.nix b/networking/ssh.mod.nix new file mode 100644 index 0000000..0e086ed --- /dev/null +++ b/networking/ssh.mod.nix 
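Review bot: The menthol `phonehotspot` profile has `keu-mgmt = "wpa-psk"` (typo for `key-mgmt`) and `psk = "$PHONE_HOTSPOT-PSK"`; `-` is not valid in an environment-variable name, so the template substitution will presumably expand `$PHONE_HOTSPOT` (unset) and hand NetworkManager the literal remainder as the PSK, while the missing key-mgmt leaves the wifi-security section invalid. Fix both: `key-mgmt = "wpa-psk";` and `psk = "$PHONE_HOTSPOT_PSK";`. More broadly, the universal module sets `networking.usePredictableInterfaceNames = false`, which gives `wlan0`/`eth0`-style names, yet every menthol profile binds `interface-name = "wlp4s0"` (and the commented-out capsaicin ones `enp5s0`); unless the kernel names differ from what I expect, those profiles never match a device, which may well be the "doesn't work, for reasons unknown" noted on capsaicin — either drop `interface-name` or use the non-predictable names the rest of the file already assumes.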
@@ -0,0 +1,40 @@
+{
+ universal.modules = [
+ ({
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false; # english is a fake language, apparently it's not "authentification", literally go explode, it makes sense but i am still mad -e
+ # ports = [ 1295 ]; # can just do it on 22 bc of the preceding setting, i think.
+ openFirewall = true;
+ banner = "This place is not a place of honor... no highly esteemed deed is commemorated here... nothing valued is here.\nWhat is here was dangerous and repulsive to us.\nThis message is a warning about danger.\n";
+ };
+ users.users.emv.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDRf6PfZtcUN5GJ3hcxoxencU2EMRBeu4BIyBSOgKReD emv@capsaicin"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2r4QfMmGcPUs4mpYd1YgcLKwwNpBmuHbZVT5VC+8W7 emv@menthol"
+ ];
+ })
+ ];
+
+ personal.home_modules = [
+ {
+ programs.ssh = {
+ enable = true;
+ matchBlocks =
+ let
+ to = hostname: {
+ inherit hostname;
+ user = "emv";
+ identityFile = "~/.ssh/id_ed25519";
+ };
+ in
+ {
+ glucose = to "glucose.wg";
+ fructose = to "fructose.wg";
+ capsaicin = to "capsaicin.wg";
+ menthol = to "menthol.wg";
+ aspartame = to "aspartame.wg";
+ };
+ };
+ }
+ ];
+}
diff --git a/networking/tailscale.mod.nix b/networking/tailscale.mod.nix
new file mode 100644
index 0000000..fa2a800
--- /dev/null
+++ b/networking/tailscale.mod.nix
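Review bot: `settings.PasswordAuthentication = false` alone does not stop password logins on NixOS: `KbdInteractiveAuthentication` is left at its default, and with PAM in play the keyboard-interactive path still prompts for the account password, so the comment "can just do it on 22 bc of the preceding setting" overstates what has been locked down. Add `settings.KbdInteractiveAuthentication = false;` next to it, and since only key-based logins for `emv` (plus `remote-builder` in nix.mod.nix) are intended, pin `settings.PermitRootLogin = "no";` rather than relying on the module default. This applies to all five hosts including the internet-facing VPS, since the module is universal and `openFirewall = true`.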
@@ -0,0 +1,49 @@
+{
+ # i am shameless, i know -e
+ aspartame.modules = [
+ {
+ services.headscale = {
+ enable = true;
+ port = 6562;
+ settings = {
+ server_url = "https://vpn.collective-conciousness.monster";
+ dns.magic_dns = false;
+
+ log.level = "warn";
+ logtail.enables = false;
+ metrics_listen_addr = "127.0.0.1:6563";
+
+ ip_prefixes = [
+ "100.81.0.0/10"
+ "fd7a:115c:a1e0::/48"
+ ];
+
+ derp.server = {
+ enable = true;
+ region_id = 999;
+ stun_listen_addr = "0.0.0.0:6561";
+ };
+ };
+ };
+ networking.firewall.allowedUDPPorts = [ 6561 ];
+ }
+ ];
+
+ universal.modules = [
+ {
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ useRoutingFeatures = "both";
+ };
+ }
+ ];
+
+ sucrose.modules = [
+ {
+ services.tailscale.extraSetFlags = [
+ "--advertise-exit-node"
+ ];
+ }
+ ];
+}
diff --git a/networking/vpn.mod.nix b/networking/vpn.mod.nix
new file mode 100644
index 0000000..b32dc21
--- /dev/null
+++ b/networking/vpn.mod.nix
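Review bot: `sucrose.modules` targets a host that is not in the flake's `molecules` (capsaicin, menthol, glucose, fructose, aspartame), and because `nixosConfigurations` is built from `molecules` the `--advertise-exit-node` block is never evaluated for any machine and nothing reports that; rename it to the intended host or remove it. In the headscale settings, `logtail.enables` does not look like a headscale option (the documented key is `logtail.enabled`), so it is presumably ignored and the opt-out from log upload is not actually expressed — change it to `logtail.enabled = false;`. `ip_prefixes` also lists `100.81.0.0/10`, which is not the network address of a /10 (that would be `100.64.0.0/10`); confirm which range was meant before headscale normalises or rejects it. Finally, `useRoutingFeatures = "both"` turns on IP forwarding on every host including the desktops; `"client"` is enough wherever nothing is advertised.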
@@ -0,0 +1,201 @@ +{ + self, + nixpkgs, + molecules, + ... +}: +let + public-keys = { + capsaicin = "Jn0yQV0qdi1oPdiMSmQSPk4IYbfR2THuiY5pTl7cLgs="; + menthol = "6cDCwXBSC0bpEtpRVtzAFrt+a4BYd2iPjCmQb4xpZnU="; + glucose = "V6oihsGbdxSWpq63jCZbKNfQ9xrMqFTxDDRHh/lQkSc="; + fructose = "mx/TUng1JCNgeUsBKq9mYS2wjOYyL/dACmRYCHbgGVg="; + aspartame = "hd/sxxRJ8vw9yyzN3/WJZN+vYrQCHDWNvd6QqqVobRU="; + }; + + ip = i: "10.24.1.${toString i}"; + subnet = "${ip 0}/24"; + + ips = builtins.mapAttrs (nixpkgs.lib.const ip) molecules; + ips' = builtins.mapAttrs (name: ip: "${ip}/32") ips; + + port-for = builtins.mapAttrs ( + machine: { config, ... }: toString config.networking.wireguard.interfaces.wg0.listenPort + ) self.nixosConfigurations; +in +{ + extras = { + wireguard-ips = ips; + }; + + universal.modules = [ + ( + { config, ... }: + { + networking = { + # i sure hope it is + nat = { + enable = true; + externalInterface = "eth0"; + internalInterfaces = [ "wg0" ]; + }; + firewall.allowedUDPPorts = [ config.networking.wireguard.interfaces.wg0.listenPort ]; + extraHosts = builtins.concatStringsSep "\n" ( + nixpkgs.lib.mapAttrsToList (name: ip: "${ip} ${name}.wg") ips + ); + wireguard.interfaces.wg0 = { + ips = [ "${ips.${config.networking.hostName}}/24" ]; + listenPort = 46656; + privateKeyFile = config.sops.secrets.wireguard-private-key.path; + }; + }; + } + ) + ]; + + glucose.modules = [ + ( + { pkgs, ... 
}: + { + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + networking.wireguard.interfaces.wg0 = { + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${subnet} -o eth0 -j MASQUERADE + ''; + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${subnet} -o eth0 -j MASQUERADE + ''; + + peers = [ + { + publicKey = public-keys.capsaicin; + allowedIPs = [ ips'.capsaicin ]; + } + { + publicKey = public-keys.fructose; + allowedIPs = [ ips'.fructose ]; + endpoint = "10.12.96.9:${port-for.fructose}"; + persistentKeepalive = 25; + } + { + publicKey = public-keys.aspartame; + allowedIPs = [ subnet ]; + endpoint = "vps.collective-conciousness.monster:${port-for.aspartame}"; + persistentKeepalive = 25; + } + ]; + }; + } + ) + ]; + + fructose.modules = [ + ( + { pkgs, ... }: + { + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + networking.wireguard.interfaces.wg0 = { + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${subnet} -o eth0 -j MASQUERADE + ''; + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${subnet} -o eth0 -j MASQUERADE + ''; + + peers = [ + { + publicKey = public-keys.capsaicin; + allowedIPs = [ ips'.capsaicin ]; + } + { + publicKey = public-keys.glucose; + allowedIPs = [ ips'.glucose ]; + endpoint = "10.12.96.4:${port-for.glucose}"; + persistentKeepalive = 25; + } + { + publicKey = public-keys.aspartame; + allowedIPs = [ subnet ]; + endpoint = "vps.collective-conciousness.monster:${port-for.aspartame}"; + persistentKeepalive = 25; + } + ]; + }; + } + ) + ]; + + aspartame.modules = [ + ( + { pkgs, ... 
}: + { + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + networking.wireguard.interfaces.wg0 = { + postSetup = '' + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${subnet} -o eth0 -j MASQUERADE + ''; + postShutdown = '' + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s ${subnet} -o eth0 -j MASQUERADE + ''; + + peers = [ + { + publicKey = public-keys.capsaicin; + allowedIPs = [ ips'.capsaicin ]; + } + { + publicKey = public-keys.glucose; + allowedIPs = [ ips'.glucose ]; + } + { + publicKey = public-keys.fructose; + allowedIPs = [ ips'.fructose ]; + } + { + publicKey = public-keys.menthol; + allowedIPs = [ ips'.menthol ]; + } + ]; + }; + } + ) + ]; + + capsaicin.modules = [ + { + networking.wireguard.interfaces.wg0.peers = [ + { + publicKey = public-keys.aspartame; + allowedIPs = [ subnet ]; + endpoint = "vps.collective-conciousness.monster:${port-for.aspartame}"; + persistentKeepalive = 25; + } + { + publicKey = public-keys.glucose; + allowedIPs = [ ips'.glucose ]; + endpoint = "10.12.96.4:${port-for.glucose}"; + persistentKeepalive = 25; + } + { + publicKey = public-keys.fructose; + allowedIPs = [ ips'.fructose ]; + endpoint = "10.12.96.9:${port-for.fructose}"; + persistentKeepalive = 25; + } + ]; + } + ]; + + menthol.modules = [ + { + networking.wireguard.interfaces.wg0.peers = [ + { + publicKey = public-keys.aspartame; + allowedIPs = [ subnet ]; + endpoint = "vps.collective-conciousness.monster:${port-for.aspartame}"; + persistentKeepalive = 25; + } + ]; + } + ]; +} diff --git a/nix.mod.nix b/nix.mod.nix new file mode 100644 index 0000000..db3bc9f --- /dev/null +++ b/nix.mod.nix 
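Review bot: glucose, fructose and aspartame each add a legacy `iptables -t nat ... MASQUERADE` rule in `postSetup`/`postShutdown`, while the universal module in this same hunk already enables `networking.nat` with `externalInterface = "eth0"` and `internalInterfaces = [ "wg0" ]`, and firewall.mod.nix turns on `networking.nftables`; that leaves two NAT implementations (the NixOS module's nft rules and `pkgs.iptables`' legacy table) masquerading the same 10.24.1.0/24, and the `net.ipv4.ip_forward` sysctl is set by the nat module as well. Drop the three `postSetup`/`postShutdown` pairs and the sysctl lines and let `networking.nat` own it, or, if the hand-written rules are the ones that matter, disable `networking.nat` and write them with `nft` so there is a single ruleset to audit. `networking.nat.enable` is also applied universally, so capsaicin and menthol masquerade too; scoping it to aspartame (the hub every other peer routes the `/24` through) and the two LAN nodes keeps forwarding off where it is not needed.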
@@ -0,0 +1,242 @@ +{ + nix-monitored, + molecules, + ... +}: +let + garbage-collection-module = + { lib, ... }: + { + programs.nh.clean = { + enable = true; + extraArgs = "--keep 3 --keep-since 7d"; + dates = "Mon..Sun *-*-* 03:00:00"; + }; + + nix.optimise = { + automatic = true; + dates = [ "Mon..Sun *-*-* 04:00:00" ]; + }; + # there are very few circumstances in which we'd be awake at those times. + + systemd.timers = + let + fuck-off.timerConfig = { + Persistent = lib.mkForce false; + RandomizedDelaySec = lib.mkForce 0; + }; + in + { + nh-clean = fuck-off; + nix-optimise = fuck-off; + }; + }; + distributed-build-module = + { config, ... }: + { + nix.distributedBuilds = true; + nix.buildMachines = [ + { + hostName = "capsaicin"; + system = "x86_64-linux"; + + maxJobs = 2; + speedFactor = 3; + } + { + hostName = "glucose"; + system = "x86_64-linux"; + + maxJobs = 3; + speedFactor = 2; + } + { + hostName = "fructose"; + system = "x86_64-linux"; + + maxJobs = 2; + speedFactor = 1; + } + ]; + }; +in +{ + universal.modules = [ + { + system.stateVersion = "24.05"; + nixpkgs.config.allowUnfree = true; # this didn't work?? what. + nix.settings = { + show-trace = true; + + experimental-features = [ + "nix-command" + "flakes" + ]; + }; + } + ( + { pkgs, ... }: + { + nixpkgs.overlays = [ + nix-monitored.overlays.default + (final: prev: { + nix-monitored = prev.nix-monitored.override { + withNotify = true; + }; + }) + (final: prev: { + nixos-rebuild = prev.nixos-rebuild.override { + nix = prev.nix-monitored; + }; + nix-direnv = prev.nix-direnv.override { + nix = prev.nix-monitored; + }; + nixmon = prev.runCommand "nixmon" { } '' + mkdir -p $out/bin + ln -s ${prev.nix-monitored}/bin/nix $out/bin/nixmon + ''; + }) + ]; + nix.package = pkgs.nix-monitored; + environment.systemPackages = [ pkgs.nixmon ]; + programs.nh.enable = true; + } + ) + ( + { + config, + pkgs, + lib, + ... 
+ }: + { + programs.ssh.extraConfig = '' + ${builtins.concatStringsSep "" ( + lib.mapAttrsToList (name: n: '' + Host ${name} + HostName ${name}.wg + User remote-builder + IdentityFile ${config.sops.secrets.remote-build-ssh-privkey.path} + '') molecules + )} + ''; + + users.users.remote-builder = { + isSystemUser = true; + group = "remote-builder"; + description = "trusted remote builder user"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMedtsko4nwE6u00hLmmm70yBAU9uJJWbzo87BIOfB/ remote-builder" + ]; + shell = pkgs.runtimeShell; + }; + + users.groups.remote-builder = { }; + + nix.settings.trusted-users = [ "remote-builder" ]; + } + ) + ( + { + config, + lib, + ... + }: + lib.mkIf + ( + # Don't make glucose a substitute for itself. Using glucose at the moment because it is not used for anything else. -e + config.networking.hostName != "glucose" + ) + { + nix.settings = { + substituters = [ "https://cache.collective-conciousness.monster" ]; + trusted-public-keys = [ "adyya-flake:PAbC0hnAiNj/kHcm9wIykmKIf25FDeXB6JusqlX2ghs=" ]; + }; + } + ) + ]; + personal.modules = [ + { + nixpkgs.config.rocmSupport = true; + } + ]; + glucose.modules = [ + ( + { + config, + pkgs, + lib, + ... + }: + { + # This is publicly served from https://cache.collective-conciousness.monster + # That's proxied through aspartame via caddy. 
+ services.nix-serve = { + enable = true; + port = 5020; + openFirewall = true; + package = pkgs.nix-serve-ng; + secretKeyFile = config.sops.secrets.binary-cache-secret.path; + }; + + systemd.timers."auto-update-rebuild" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "5m"; + OnUnitInactiveSec = "1h"; + Unit = "auto-update-rebuild.service"; + }; + }; + + systemd.services."auto-update-rebuild" = { + script = '' + mkdir -p /tmp/auto-update-rebuild && cd /tmp/auto-update-rebuild + + export PATH=${ + lib.makeBinPath ( + with pkgs; + [ + nix + git + coreutils + ] + ) + } + + nix flake update --flake /home/emv/adyya-flake + ''; + + serviceConfig = { + Restart = "on-failure"; + RestartSec = "15m"; + Type = "oneshot"; + }; + }; + } + ) + garbage-collection-module + ]; + + menthol.modules = [ distributed-build-module ]; + aspartame.modules = [ distributed-build-module ]; + capsaicin.modules = [ garbage-collection-module ]; + + universal.home_modules = [ + ( + { pkgs, lib, ... }: + { + + home.packages = with pkgs; [ + cachix + nil + nurl + nix-diff + nh + nix-output-monitor + nvd + nixfmt-rfc-style + ]; + } + ) + ]; +} diff --git a/peripherals.mod.nix b/peripherals.mod.nix new file mode 100644 index 0000000..f257886 --- /dev/null +++ b/peripherals.mod.nix @@ -0,0 +1,12 @@ +{ + personal.modules = [ + ( + { pkgs, ... }: + { + programs.adb.enable = true; # #yeag that's it for now lol + users.users.emv.extraGroups = [ "adbusers" ]; + services.udev.packages = [ pkgs.android-udev-rules ]; + } + ) + ]; +} diff --git a/secrets.yaml b/secrets.yaml new file mode 100644 index 0000000..5418c27 --- /dev/null +++ b/secrets.yaml 
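Review bot: `nix.settings.trusted-users = [ "remote-builder" ]` together with the single `remote-builder` authorized key means every host holding `remote-build-ssh-privkey` (it is declared in `universal.modules`, so that includes the VPS) can log in as a trusted Nix user on capsaicin, glucose and fructose, and a trusted user can import unsigned store paths and override substituters, which is effectively root on the builder. Trust is unavoidable for `nix-store --serve --write`, but the key should at least be unable to get a shell: `"restrict,command=\"nix-store --serve --write\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMedtsko4nwE6u00hLmmm70yBAU9uJJWbzo87BIOfB/ remote-builder"`. The `auto-update-rebuild` service also runs as root (no `User=`) and does `mkdir -p /tmp/auto-update-rebuild && cd` into a predictable world-writable path before touching `/home/emv/adyya-flake`, so I would add `PrivateTmp = true;` (or use `RuntimeDirectory`) and `User = "emv";` since the only thing it writes is that user's `flake.lock`.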
@@ -0,0 +1,40 @@ +home1_ssid: ENC[AES256_GCM,data:dNyzJnFqz2Fq,iv:HihJ53fs1+KRGr3KqdMrsGW3ZzW1AHdBDuSEI3JQtfI=,tag:7KJqC4thzJLuXPHqbB4RXA==,type:str] +home2_ssid: ENC[AES256_GCM,data:GLZHRz36eIlp2so=,iv:/pOgsD/FreAaRgQTlYxemWECp+Tp0udI8Sz5MyPSbns=,tag:eK9JaDPhxZYDsd9lWbM7wQ==,type:str] +phone_ssid: ENC[AES256_GCM,data:paVFm6NK,iv:pz6N/gKjYbyk0iIq8YqcB296VUfp3ACbYKSOxEEk45c=,tag:ZZTm6QdtirZqjWcaKVfGpw==,type:str] +phone_psk: ENC[AES256_GCM,data:wFCQyutUmKw=,iv:u/68+6r16RVGZzr/GKLm7MgChamlAl6ddMpYVOW1yZw=,tag:yWGxvhqYbhdYShIB0aaiHA==,type:str] +home1_psk: ENC[AES256_GCM,data:T5sA/OaEobLakzc8R7nu7w==,iv:2WDvlzFxXd/jafRhuuHo177xNOYX0UNKrd1pfGKtKF4=,tag:vwwGp8KsfhIwSmKzLg/w0g==,type:str] +home2_psk: ENC[AES256_GCM,data:THRuWnu8o4g=,iv:TwpFxCNdk7nUdbhJIwEFCzNy04eXmBPble/3hrHSVqM=,tag:I9411LtlgFCIX7jTyxrgNg==,type:str] +wireguard-private-keys: + capsaicin: ENC[AES256_GCM,data:sZlnvVOhMMXFtadYnK3MgcsIKw0+SrEhnigc/hQNhSu69BmgYiURJBIoxGo=,iv:153TnW25jYXLlSXZv1ecPQwI2pLSBbaa9+f2sxqf9CM=,tag:Qc7SJH4ogQbGBwn2Tedh/g==,type:str] + menthol: ENC[AES256_GCM,data:YPn7su3JoAlwZ9YE66xOigJ3iuUEiW9u1azrow45CTg1U954cDpv1bVOu+0=,iv:22nxSieTOriWwl6WtUGlSqhV6ZF9Cy52rPj9c4sU3kg=,tag:m2pBaGg4WuP8VVbanYJP7g==,type:str] + glucose: ENC[AES256_GCM,data:2ODCGVxk07PZ//UwkQcE5ztA68qJ866ZDIKKzs++5pNxtc0/ypvUfeC/uTM=,iv:crKEO6GHlwaXfzfXn3fMZF4JjNBzVkFcN/zV5mXdKbU=,tag:IWrigVoM3s9oKIsJPUxBQw==,type:str] + fructose: ENC[AES256_GCM,data:jlQtaHKAM6SpBt6xxadDH+Vw/lW62KPntA9s1F4LDJ4yCLqAQNZ6Ms+HjXY=,iv:WPbYuFHdG8C6F4gEhK7u23/YqMfHtufUZehrImQCdkY=,tag:lJvNO31NCZZ3V4eB4iJiYg==,type:str] + aspartame: ENC[AES256_GCM,data:n9trmVH7w6OkQcXDCx/rAReB4HS0AT8om+QGOkg5VYrUIK6s55aMmsHwtbc=,iv:CGnN+Ogh5uiwr4MNL+xWnl7euotZos+9VDcHijBpgsQ=,tag:1FQRpQXmaHMo/tNeOJ8qoA==,type:str] +binary-cache-secret: 
ENC[AES256_GCM,data:oqO12mG6prQWZMDZATSypi6vqth7dmXh4CuXQbTN7dND9MyE4dbNaiN+1jT14Lb5+WSVedojhslfpOt5LIHFRPriJymgEnwlEOjduX1dq/PdLP6PbdgKC0p+MXEYE4OIKVQZaA==,iv:ZM93+Ow26y3/1EV5d30iP5v0pTW9bddeue61FKMfk6U=,tag:/6pxVrp5cv62+F9Dpy/I0w==,type:str] +remote-build-ssh-privkey: ENC[AES256_GCM,data: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,iv:mxO+JHVQL+CAYRKgPsnJU0teIwzour1PIqu3eVke3TE=,tag:wijuKJFzukM27N+BgwUyew==,type:str] +pihole_webpassword: ENC[AES256_GCM,data:/0b14jl+e6S8ZR47ug==,iv:sPu4ctPArYW/dR/W5J+Cg/gOD2fXMh/JlNEa/YohEwk=,tag:KBemhvYYFLTKOTGSMqDYXg==,type:str] +couchdb_admin_pass: ENC[AES256_GCM,data:InV2vswI2um58ST8jTJG01wl,iv:D/VCM1CXJLNORyGJf8D2k8Db4xo2fovsNIMGgEkhIKE=,tag:f/y+D10cFdXXnvEpmLtdyg==,type:str] +couchdb_admin_account: ENC[AES256_GCM,data:iyl1SLoPlpZYUw==,iv:TaA+KmlGeexpEW0H/P1TTowlNbE9UtQC3sREcT7MWRU=,tag:hyfbZR1cfIYTR3CzC/VoEw==,type:str] +gts_db_pass: ENC[AES256_GCM,data:oEdBEFomImyOFiCLGYL3upJZ4yxAm/iACAZlr9AU0Wp9a60=,iv:VzcE8SM8rjkfdTddJVIohW5JLcJPxF2OSfM3T5KZiWQ=,tag:FKMaW+gB3Q4N72rE4kCmkw==,type:str] +forgejo_db_pass: ENC[AES256_GCM,data:/whBxapqWGNMynXCXVxrQv/XS6ivdTUE6YkuKZ2Rk9kIojKQQcg6t52OgC8lgA3TUlGgeUnn,iv:KAIB0z+QvWpErdWYNJllV1Pv3A5MDwZpYP/9ofZkSBI=,tag:BLAtl9XdHf2Aa1KFVRnLGg==,type:str] +postgresdb_admin_password: ENC[AES256_GCM,data:DopfWHTOAwihPa9+197pX3TE03dqWST/7+o=,iv:O9dzjYs9A1vBSp17Kyiz41KllUvpUORCmag0AYe8MNA=,tag:FS0v5us/ANMXweXrSIH2xQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age12h0ekuyvy244etehyeymz2pt9xxjv7hpe2revateje00xrzj95fqvp2r82 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrbEJBYWRFRTUzRDJaN3d1 + OGJSTkx4SzJOaitybkt3eDVPZUpqVFZoWmprCkl0aTlpbDlXM1grQjN6UVcveXI4 + bi8yKzJIbWxjaTZLRHZOOHBiVm1kOFkKLS0tIEN1WGU0REw3b3VyN1ZZSTlFZUha + NHg3M2l5MWY2alpHdVhIbE5PQ3VxeW8Kr+o5K2EIrPSfIFBWK68mWl4lWJooZxF/ + vKsU99C2iIsbX/eTF2uNQqeDkOqy5egKCG42xikwycGFO/gbnCDIdw== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2024-11-03T14:04:07Z" + mac: ENC[AES256_GCM,data:Ux+VhisWUcu9zouDmRi/w8kQQggsIx9PLbFd4FcfNXoYO14QonFd/9FmU7dndzjUYaE5EGHW2rf9uB6zPzAky9F86Nb++iE9yHUWH0VbrWP2hJ5EbjOV/JQcjkC0284T877CVHBN7/FLUiTnIqy2LfPcWER1s3sWo0pm5ia5x0I=,iv:DHhPsc4Ok+hHyNyo9ht1kaw38IzQ4bBjk7cyQFfYngU=,tag:rvJLx3+bd3ystaHd7FGhoA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/services/couchdb/couchdb.mod.nix b/services/couchdb/couchdb.mod.nix new file mode 100644 index 0000000..9ec1278 --- /dev/null +++ b/services/couchdb/couchdb.mod.nix @@ -0,0 +1,29 @@ +{ + glucose.modules = [ + ( + { config, ... }: + { + # services.couchdb = { + # enable = true; + # adminUser = "Admin"; + # adminPass = config.sops.secrets.couchdb_admin_pass + # }; # wanted to do this with the couchdb service. but it has no proper way to handle secrets. so i'm just going to use a container since i don't feel like writing my own couchdb package at the moment + virtualisation.oci-containers = { + containers.couchdb = { + image = "couchdb:3.4.2"; + ports = [ + "5894:5984" + ]; + environmentFiles = [ + "${config.sops.templates."couchdb.env.secrets.yaml".path}" + ]; + volumes = [ + "/var/services/couchdb/data/:/opt/couchdb/data/" + "/var/services/couchdb/etc:/opt/couchdb/etc/local.d/" + ]; + }; + }; + } + ) + ]; +} diff --git a/services/forgejo/forgejo.mod.nix b/services/forgejo/forgejo.mod.nix new file mode 100644 index 0000000..68eb20d --- /dev/null +++ b/services/forgejo/forgejo.mod.nix 
@@ -0,0 +1,41 @@
+{
+ fructose.modules = [
+ (
+ { config, pkgs, ... }:
+ {
+ services.forgejo = {
+ enable = true;
+ package = pkgs.forgejo;
+ stateDir = "/var/services/forgejo";
+ useWizard = false;
+
+ database = {
+ createDatabase = false;
+ type = "postgres";
+ name = "forgejodb";
+ host = "127.0.0.1";
+ port = 5432;
+ user = "forgejo";
+ passwordFile = "${config.sops.secrets.forgejo_db_pass.path}";
+ };
+
+ dump = {
+ enable = true;
+ interval = "02:50";
+ type = "tar.gz";
+ };
+
+ settings = { # this directly drops stuff in the forgejo app.ini
+ server = {
+ DOMAIN = "git.collective-conciousness.monster";
+ PROTOCOL = "http";
+ HTTP_PORT = 3000;
+ SSH_PORT = 222;
+ ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}:443";
+ };
+ };
+ };
+ }
+ )
+ ];
+}
diff --git a/services/gts/gts.mod.nix b/services/gts/gts.mod.nix
new file mode 100644
index 0000000..5ecb843
--- /dev/null
+++ b/services/gts/gts.mod.nix
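Review bot: `SSH_PORT = 222` only changes the port Forgejo advertises in clone URLs; unless `START_SSH_SERVER = true` is also set (builtin SSH server) or a separate OpenSSH instance listens on 222 for the forgejo user, the layer4 passthrough from aspartame has nothing to connect to on `10.24.1.9:222`. If the builtin server is intended, add `START_SSH_SERVER = true;` next to `SSH_PORT`. `HTTP_PORT = 3000` keeps Forgejo's default of listening on all addresses while its only client is the Caddy on aspartame over the tunnel, so `HTTP_ADDR = "10.24.1.9";` would keep it off the LAN side. `passwordFile` points at a sops secret declared without an `owner` (root-only 0400 by default), so confirm the module reads it in a root pre-start rather than as the `forgejo` user.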
@@ -0,0 +1,104 @@ +{ + aspartame.modules = [ + ( + { pkgs, config, ... }: + { + services.gotosocial = { + enable = true; + package = pkgs.gts; + setupPostgresqlDB = false; + openFirewall = true; + + environmentFile = config.sops.templates."gts.env.secrets.yaml".path; + + settings = { + # # most of these are the defaults but i'm writing them here anyways + ### General config + log-level = "info"; + log-db-queries = "false"; + log-client-ip = "true"; + log-timestamp-format = "2006-01-02T15:04:05.000Z07:00"; + application-name = "RunFromSocial"; + landing-page-user = "root"; + host = "gts.collective-conciousness.monster"; + account-domain = ""; + protocol = "https"; + bind-address = "127.0.0.1"; + port = 8080; + trusted-proxies = [ + "127.0.0.1/32" + "::1" + ]; + + ### Database config - still have to set this up. + db-type = "postgres"; + db-address = "10.24.1.9"; + db-port = "5432"; + # db-password = ""; # commented out because it is being passed through env files. # GTS_DB_PASSWORD + db-database = "gtsdb"; + db-user = "gts"; + db-tls-mode = "disable"; # will probably want to change this at some point ? 
+ db-tls-ca-cert = ""; + db-max-open-conns-multiplier = 8; + db-postgres-connection-string = ""; + cache.memory-target = "500MiB"; + + ### Web config + web-template-base-dir = "/var/gts/web/template/"; + web-asset-base-dir = "/var/gts/web/assets/"; + + ### Instance config + instance-languages = [ + "en" + "fr" + "ro" + "zh" + ]; + instance-federation-mode = "allowlist"; + instance-federation-spam-filter = false; + instance-expose-peers = false; + instance-expose-suspended = false; + instance-expose-suspended-web = false; + instance-expose-public-timeline = false; + instance-deliver-to-shared-inboxes = true; + instance-inject-mastodon-version = false; + + ### Accounts config + accounts-registration-open = false; + accounts-reason-required = true; + accounts-allow-custom-css = true; + accounts-custom-css-length = 10000; + + ### Media config + media-local-max-size = "1GiB"; + media-remote-max-size = "50MiB"; + media-description-min-chars = 36; + media-description-max-chars = 16200; + media-emoji-local-max-size = "128KiB"; # may need to increase this in the future. + media-emoji-remote-max-size = "256KiB"; + media-ffmpeg-pool-size = 2; + media-remote-cache-days = 7; + media-cleanup-from = "01:00"; + media-cleanup-every = "24h"; + + ### Storage config + storage-backend = "local"; + storage-local-base-path = "/var/gts/storage"; + # ommited settings related to s3 + + ### Statuses config + statuses-max-chars = 8000; + statuses-poll-max-options = 10; + statuses-poll-option-max-chars = 100; + statuses-media-max-files = 12; + + ### Syslog config + syslog-enabled = true; + syslog-protocol = ""; + syslog-address = ""; + }; + }; + } + ) + ]; +} diff --git a/services/pihole/pihole.mod.nix b/services/pihole/pihole.mod.nix new file mode 100644 index 0000000..706b086 --- /dev/null +++ b/services/pihole/pihole.mod.nix 
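Review bot: `openFirewall = true` opens 8080 on every interface of aspartame although `bind-address = "127.0.0.1"` means only the local Caddy ever reaches GoToSocial; the hole is pointless and should become `openFirewall = false;`. On the `db-tls-mode = "disable"` question: `10.24.1.9` appears to be fructose's WireGuard address (the same one Caddy proxies to), so the Postgres session is already encrypted by the tunnel and TLS only adds something if the tunnel endpoint itself is distrusted — I would replace the open question with a comment stating that, e.g. `# plain TCP is acceptable: 10.24.1.9 is only reachable over wg0`. Also `log-db-queries = "false"` and `log-client-ip = "true"` are strings while the other booleans in this block are Nix `true`/`false`; they are presumably coerced, but being consistent avoids a silent type surprise.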
@@ -0,0 +1,29 @@
+{
+ fructose.modules = [
+ (
+ { config, ... }:
+ {
+ virtualisation.oci-containers = {
+ containers.pihole = {
+ image = "pihole/pihole:latest";
+ ports = [
+ "53:53/tcp"
+ "53:53/udp"
+ "800:80"
+ ];
+ environmentFiles = [
+ "${config.sops.templates."pihole.env.secrets.yaml".path}"
+ ];
+ environment = {
+ TZ = "Europe/Bucharest";
+ };
+ volumes = [
+ "/var/services/pihole/etc-pihole/:/etc/pihole/"
+ "/var/services/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/"
+ ];
+ };
+ };
+ }
+ )
+ ];
+}
diff --git a/services/postgres/postgres.mod.nix b/services/postgres/postgres.mod.nix
new file mode 100644
index 0000000..5a359b0
--- /dev/null
+++ b/services/postgres/postgres.mod.nix
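Review bot: `"53:53/tcp"`, `"53:53/udp"` and `"800:80"` are published on every address of fructose, and as far as I know published container ports are DNATed ahead of the NixOS `INPUT` chain, so the `networking.firewall` rules for this host do not gate them; if eth0 is ever reachable from an untrusted network this is an open resolver plus an admin UI guarded only by `WEBPASSWORD`. Bind the mappings to the address clients actually use, e.g. `"10.12.96.9:53:53/tcp"`, `"10.12.96.9:53:53/udp"`, `"10.12.96.9:800:80"` (the LAN address the WireGuard peers file already gives fructose), or the tunnel address if that is the intended path. `pihole/pihole:latest` also re-pulls whatever upstream tags next; pin a version the way `couchdb:3.4.2` and `postgres:17` are pinned.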
@@ -0,0 +1,116 @@ +{ + fructose.modules = [ + /* + ( + { config, pkgs, lib, ... }: + { + systemd.services.postgresql.serviceConfig.TimeoutSec = lib.mkForce "infinity"; + services.postgresql = { + enable = true; + checkConfig = true; + package = pkgs.postgresql_17; + dataDir = "/var/services/postgres/"; + + ensureDatabases = [ + "forgejo" + "gts" + ]; + ensureUsers = [ + { + name = "forgejo"; + ensureDBOwnership = true; + ensureClauses = { + login = true; + }; + } + { + name = "gts"; + ensureDBOwnership = true; + ensureClauses = { + login = true; + }; + } + ]; + settings = { + # connection + listen_addresses = lib.mkForce "127.0.0.1"; + port = 5432; + unix_socket_directories = "/var/services/postgres/postgres.sock"; + + # auth + password_encryption = "scram-sha-256"; + + # ssl + ssl = false; + + #log + log_connections = true; + log_directory = "/var/services/postgres/log"; + logging_collector = true; + log_disconnections = true; + }; + }; + + services.postgresqlBackup = { + enable = true; + location = "/var/services/postgresbackup/"; + compression = "gzip"; + backupAll = true; + startAt = "*-*-* 3:20:00"; + }; + + # services.pgadmin = { + # enable = true; + # initialEmail = "pgadmin@collective-conciousness.monster"; + # initialPasswordFile = "${config.sops.secrets.pgadmin_pass.path}"; + # openFirewall = true; + # port = 5050; + + # settings = { + # STRICT_TRANSPORT_SECURITY_ENABLED = true; + # ALLOWED_HOSTS = [ + # "127.0.0.1" + # "10.24.1.225" + # "10.24.1.196" + # ]; + # }; + # }; + } + ) + */ + #doesn't seem to work so i'm just gonna make a container for it at the moment. + ( + { + config, + pkgs, + lib, + ... 
+ }: + { + virtualisation.oci-containers = { + containers.postgres = { + image = "postgres:17"; + ports = [ + "5432:5432" + ]; + environmentFiles = [ + "${config.sops.templates."postgresdb.env.secrets.yaml".path}" + ]; + volumes = [ + "/var/services/postgresdb/data:/var/lib/postgresql/data/" + ]; + }; + containers.adminer = { + image = "adminer:latest"; + ports = [ + "5433:8080" + "5434:53" + ]; + dependsOn = [ "postgres" ]; + }; + }; + } + ) + + ]; +} diff --git a/services/website/Caddyfile b/services/website/Caddyfile new file mode 100644 index 0000000..3fd3386 --- /dev/null +++ b/services/website/Caddyfile @@ -0,0 +1,44 @@ +{ + layer4 { + :222 { + @a ssh + route @a { + proxy 10.24.1.9:222 + } + } + } +} + +https://collective-conciousness.monster { + encode zstd gzip + header { + Strict-Transport-Security "max-age=31536001; includeSubdomains; preload" + } + root * /var/www/public + file_server +} + +https://git.collective-conciousness.monster { + reverse_proxy 10.24.1.9:3000 +} + +https://obs.collective-conciousness.monster { + reverse_proxy 10.24.1.4:5894 +} + +https://gts.collective-conciousness.monster { + # Optional, but recommended, compress the traffic using proper protocols + encode zstd gzip + + # The actual proxy configuration to port 8080 (unless you've chosen another port number) + reverse_proxy 127.0.0.1:8080 { + # Flush immediately, to prevent buffered response to the client + flush_interval -1 + } +} + +https://cache.collective-conciousness.monster { + encode zstd gzip + + reverse_proxy 10.24.1.4:5020 +} \ No newline at end of file diff --git a/services/website/website-content.mod.nix b/services/website/website-content.mod.nix new file mode 100644 index 0000000..2fc5522 --- /dev/null +++ b/services/website/website-content.mod.nix @@ -0,0 +1,14 @@ +{ + aspartame.modules = [ + ( + { pkgs, lib, ... }: + { + services.caddy = { + enable = true; + package = pkgs.caddy-many; + configFile = ./Caddyfile; + }; + } + ) + ]; +} 
diff --git a/services/website/website-firewall.mod.nix b/services/website/website-firewall.mod.nix
new file mode 100644
index 0000000..80cabb5
--- /dev/null
+++ b/services/website/website-firewall.mod.nix
@@ -0,0 +1,19 @@
+{
+ aspartame.modules = [
+ ({
+ services.fail2ban.enable = true;
+ networking.firewall = {
+ interfaces.eth0.allowedTCPPorts = [
+ 80
+ 222 # this is for forgejo
+ 443
+ ];
+ };
+ })
+ ];
+ fructose.modules = [
+ {
+ networking.firewall.interfaces.eth0.allowedTCPPorts = [ 222 ]; # when someones tries to ssh to forgejo, it goes -> aspartame -> fructose -> forgejo-container --- so fructose also needs this port open.
+ }
+ ];
+}
diff --git a/services/website/website.mod.nix b/services/website/website.mod.nix
new file mode 100644
index 0000000..8d3f758
--- /dev/null
+++ b/services/website/website.mod.nix
@@ -0,0 +1,12 @@
+{
+ aspartame.modules = [
+ (
+ { pkgs, ... }:
+ {
+ environment.systemPackages = with pkgs; [
+ zola
+ ];
+ }
+ )
+ ];
+}
diff --git a/sops.mod.nix b/sops.mod.nix
new file mode 100644
index 0000000..7f5ae73
--- /dev/null
+++ b/sops.mod.nix
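Review bot: the fructose rule opens 222 on `eth0`, but the hop from aspartame arrives over the WireGuard tunnel (Caddy proxies to `10.24.1.9:222`, a tunnel address), so this line exposes Forgejo SSH to the LAN on eth0 while doing nothing for the path the comment describes. Either `wg0` is already a trusted interface, in which case the rule is unneeded, or it should read `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 222 ];` with the comment saying "arrives on wg0 from aspartame". Note that `services.fail2ban.enable = true` on aspartame only brings the default sshd jail; the Caddy vhosts and the 222 passthrough are not watched, which is fine as long as that is understood.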
@@ -0,0 +1,104 @@ +{ sops-nix, ... }: +{ + universal.modules = [ + sops-nix.nixosModules.sops + { + sops.defaultSopsFile = ./secrets.yaml; + sops.defaultSopsFormat = "yaml"; + + # sync ~/.ssh/sops out-of-band + # ssh-to-age -private-key -i ~/.ssh/sops > ~/.config/sops/age/keys.txt + sops.age.keyFile = "/home/emv/.config/sops/age/keys.txt"; + } + ( + { config, ... }: + { + sops.secrets.wireguard-private-key = { + key = "wireguard-private-keys/${config.networking.hostName}"; + }; + } + ) + ({ + sops.secrets.remote-build-ssh-privkey = { }; + }) + ]; + aspartame.modules = [ + ( + { config, ... }: + { + sops.secrets.gts_db_pass = { }; + sops.templates."gts.env.secrets.yaml".content = '' + GTS_DB_PASSWORD = "${config.sops.placeholder."gts_db_pass"}" + ''; + } + ) + ]; + glucose.modules = [ + ({ + sops.secrets.binary-cache-secret = { }; + }) + ( + { config, ... }: + { + sops.secrets.couchdb_admin_pass = { }; + sops.secrets.couchdb_admin_account = { }; + sops.templates."couchdb.env.secrets.yaml".content = '' + COUCHDB_PASSWORD = "${config.sops.placeholder."couchdb_admin_pass"}" + COUCHDB_USER = "${config.sops.placeholder."couchdb_admin_account"}" + ''; + } + ) + ]; + fructose.modules = [ + ( + { config, ... }: + { + sops.secrets.pihole_webpassword = { }; + sops.templates."pihole.env.secrets.yaml".content = '' + WEBPASSWORD="${config.sops.placeholder."pihole_webpassword"}" + ''; + } + ) + ( + {config, ...}: { + sops.secrets.postgresdb_admin_password = { }; + sops.secrets.forgejo_db_pass = { }; + sops.templates."postgresdb.env.secrets.yaml".content = '' + POSTGRES_PASSWORD="${config.sops.placeholder."postgresdb_admin_password"}" + ''; + } + ) + ]; + personal.modules = [ + ( + { config, ... 
}: + { + sops.secrets.home1_ssid = { }; + sops.secrets.home1_psk = { }; + sops.secrets.home2_ssid = { }; + sops.secrets.home2_psk = { }; + sops.secrets.phone_ssid = { }; + sops.secrets.phone_psk = { }; + sops.templates."networkmanager.env.secrets.yaml".content = '' + HOME1_SSID="${config.sops.placeholder."home1_ssid"}" + HOME2_SSID="${config.sops.placeholder."home2_ssid"}" + PHONE_HOTSPOT_SSID="${config.sops.placeholder."phone_ssid"}" + HOME1_PSK="${config.sops.placeholder."home1_psk"}" + HOME2_PSK="${config.sops.placeholder."home2_psk"}" + PHONE_HOTSPOT_PSK="${config.sops.placeholder."phone_psk"}" + ''; + } + ) + ]; + universal.home_modules = [ + ( + { pkgs, ... }: + { + home.packages = with pkgs; [ + sops + age + ]; + } + ) + ]; +} diff --git a/stylix.mod.nix b/stylix.mod.nix new file mode 100644 index 0000000..d1c3ae2 --- /dev/null +++ b/stylix.mod.nix 
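Review bot: `sops.age.keyFile = "/home/emv/.config/sops/age/keys.txt"` sits in `universal.modules`, so the one age identity that decrypts the entire secrets file is copied to every machine including the VPS, and a compromise of any single host (or of the `emv` account, whose home holds the key) yields all five WireGuard private keys, the cache signing key, every database password and the Wi-Fi PSKs. Switch to per-host identities with `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, split the secrets per host in the creation rules so each file is encrypted only to that host's recipient, and keep the personal key as an additional recipient for editing. The `couchdb` and `gts` templates write `KEY = "value"` while the pihole/postgres ones write `KEY="value"`; container `--env-file` parsers take the line literally (quotes become part of the value and, as far as I remember, Docker rejects a key containing whitespace), so normalise all four to `KEY=value` with no quotes. Secrets consumed by non-root services (`binary-cache-secret`, `forgejo_db_pass`) declare no `owner`/`mode` and so stay root:root 0400; confirm each consuming unit reads them as root, otherwise add e.g. `owner = "forgejo";`.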
@@ -0,0 +1,89 @@ +{ stylix, ... }: +let + wallpapers = + builtins.mapAttrs + ( + name: value: + { + lib, + pkgs, + ... + }: + { + stylix.image = pkgs.fetchurl { + url = value.url; + hash = value.hash or lib.fakeHash; + }; + } + ) + { + sekiro.url = "https://w.wallhaven.cc/full/vg/wallhaven-vgor6p.jpg"; + sekiro.hash = "sha256-pcNIr1yON9SsOhUAr//GGbijZayksBTYBu7l+/1+He8="; + }; +in +{ + personal.modules = [ + stylix.nixosModules.stylix + ( + { + pkgs, + config, + ... + }: + { + stylix.enable = true; + + stylix.polarity = "dark"; + + stylix.fonts.monospace.package = pkgs.nerdfonts; + stylix.fonts.monospace.name = "FiraCode Nerd Font"; + + stylix.fonts.sansSerif.package = pkgs.nerdfonts; + stylix.fonts.sansSerif.name = "Ubuntu Nerd Font"; + stylix.fonts.serif = config.stylix.fonts.sansSerif; + + stylix.fonts.sizes.applications = 10; + stylix.fonts.sizes.desktop = 12; + + stylix.cursor.package = pkgs.afterglow-cursors-recolored; + stylix.cursor.name = "Afterglow-Recolored-Dracula-Green"; + stylix.cursor.size = 24; + + stylix.opacity.terminal = 0.9; + } + ) + ]; + capsaicin.modules = [ + wallpapers.sekiro + ]; + menthol.modules = [ + wallpapers.sekiro + ]; + personal.home_modules = [ + { + stylix.targets.vscode.enable = false; + } + ( + { + lib, + pkgs, + config, + ... + }: + { + systemd-fuckery.auto-restart = [ "swaybg" ]; + systemd.user.services."swaybg" = { + Unit = { + Description = "wallpapers! brought to you by stylix! :3"; + PartOf = [ "graphical-session.target" ]; + }; + Install.WantedBy = [ "graphical-session.target" ]; + Service = { + ExecStart = "${lib.getExe pkgs.swaybg} -i ${config.stylix.image}"; + Restart = "on-failure"; + }; + }; + } + ) + ]; +} diff --git a/sway.mod.nix b/sway.mod.nix new file mode 100644 index 0000000..375b288 --- /dev/null +++ b/sway.mod.nix 
@@ -0,0 +1,31 @@ +{ + personal.modules = [ + ( + { pkgs, ... }: + { + programs.sway = { + enable = true; + package = pkgs.swayfx; + }; + environment.systemPackages = with pkgs; [ + swayrbar + ]; + } + ) + ]; + personal.home_modules = [ + + ( + { pkgs, ... }: + { + home.packages = with pkgs; [ + slurp + grim + rofi-wayland + swaybg + wl-clipboard + ]; + } + ) + ]; +} diff --git a/tex.mod.nix b/tex.mod.nix new file mode 100644 index 0000000..d9ad65c --- /dev/null +++ b/tex.mod.nix @@ -0,0 +1,33 @@ +{ + personal.home_modules = [ + ( + { pkgs, ... }: + { + programs.texlive = { + enable = true; + packageSet = pkgs.texlive; + extraPackages = tpkgs: { + inherit (tpkgs) + scheme-medium + dvisvgm + dvipng # in-place output + wrapfig + amsmath + ulem + hyperref + capt-of + etoolbox # various for the default config from emacs + latex-uni8 + mlmodern # annoying font stuff + asymptote + systeme + xstring + ; + #(setq org-latex-compiler "pdflatex") + #(setq org-preview-latex-default-process "dvisvgm") + }; + }; + } + ) + ]; +} diff --git a/zsh.mod.nix b/zsh.mod.nix new file mode 100644 index 0000000..83e5972 --- /dev/null +++ b/zsh.mod.nix @@ -0,0 +1,40 @@ +{ + universal.modules = [ + ( + { pkgs, ... }: + { + programs.zsh = { + enable = true; + }; + users.defaultUserShell = pkgs.zsh; + } + ) + ]; + universal.home_modules = [ + { + programs = { + zsh = { + enable = true; + shellAliases = { + l = "eza --long --all --icons --time-style long-iso"; + }; + }; + bash.enable = true; # just in case + }; + } + ]; + personal.home_modules = [ + { + programs.zsh.shellAliases = { + screenshot = "slurp | grim -g - - | wl-copy"; + }; + } + ]; + capsaicin.home_modules = [ + { + programs.zsh.shellAliases = { + decrypt = "sudo cryptsetup --verbose luksOpen /dev/disk/by-uuid/08affe8f-ca2e-4f87-9f08-31faeca92a17 decrypted-data && sudo cryptsetup --verbose status decrypted-data && sudo mount /dev/mapper/decrypted-data /mnt/decrypted"; + }; + } + ]; +}