diff --git a/.gitignore b/.gitignore index 646051f..01c6686 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ private/ +home.nix *.swp result *.zip diff --git a/checks.nix b/checks.nix new file mode 100644 index 0000000..9505c35 --- /dev/null +++ b/checks.nix @@ -0,0 +1,20 @@ +{ + self, + flake-utils, + nixpkgs, + ... +}: +(flake-utils.lib.eachDefaultSystem ( + system: + let + pkgs = nixpkgs.legacyPackages.${system}; + formatter = self.formatter.${system}; + in + { + checks = { + format = pkgs.runCommand "check-format" { + buildInputs = [ formatter ]; + } "${formatter}/bin/nixpkgs-fmt --check ${./.} && touch $out"; + }; + } +)).checks diff --git a/devshell.nix b/devshell.nix index 3931494..1fbad07 100644 --- a/devshell.nix +++ b/devshell.nix @@ -6,6 +6,7 @@ packages = with pkgs; [ agenix + nixpkgs-fmt nixos-rebuild ]; diff --git a/flake.lock b/flake.lock index 94a8a44..8c964f5 100644 --- a/flake.lock +++ b/flake.lock @@ -12,11 +12,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1762618334, - "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", "owner": "ryantm", "repo": "agenix", - "rev": "fcdea223397448d35d9b31f798479227e80183f6", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", "type": "github" }, "original": { @@ -69,11 +69,11 @@ ] }, "locked": { - "lastModified": 1762521437, - "narHash": "sha256-RXN+lcx4DEn3ZS+LqEJSUu/HH+dwGvy0syN7hTo/Chg=", + "lastModified": 1741473158, + "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=", "owner": "numtide", "repo": "devshell", - "rev": "07bacc9531f5f4df6657c0a02a806443685f384a", + "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0", "type": "github" }, "original": { 
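Review bot: The format check in checks.nix hard-codes `${formatter}/bin/nixpkgs-fmt` although `formatter` is taken from `self.formatter.${system}`, so switching the flake's formatter later (treefmt-nix is already an input in flake.lock) would make this check fail on a missing binary instead of running the new tool; `${pkgs.lib.getExe formatter}` resolves the package's main program instead, provided it sets `meta.mainProgram`. Because the binary is invoked by absolute store path, `buildInputs = [ formatter ];` adds nothing and can be dropped. A one-line header, `# Flake check: fails if any .nix file in the repo differs from the formatter's output`, would state the intent of the file.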
@@ -89,11 +89,11 @@ ] }, "locked": { - "lastModified": 1762276996, - "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=", + "lastModified": 1753140376, + "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", "owner": "nix-community", "repo": "disko", - "rev": "af087d076d3860760b3323f6b583f4d828c1ac17", + "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", "type": "github" }, "original": { @@ -204,11 +204,11 @@ ] }, "locked": { - "lastModified": 1762661401, - "narHash": "sha256-SVmijc8t23UMwru5f/9X1Ak5bSwvYkm0OQ5SxR7hOB0=", + "lastModified": 1753470191, + "narHash": "sha256-hOUWU5L62G9sm8NxdiLWlLIJZz9H52VuFiDllHdwmVA=", "owner": "nix-community", "repo": "home-manager", - "rev": "c053d701d64f0727f62e0269c7940da5805bc9bc", + "rev": "a1817d1c0e5eabe7dfdfe4caa46c94d9d8f3fdb6", "type": "github" }, "original": { @@ -220,11 +220,11 @@ "homepage": { "flake": false, "locked": { - "lastModified": 1762696280, - "narHash": "sha256-ncxcwvRNbN/WaZzi1NjV5fgtqfw/wypRtM/y1ZoJKNg=", - "rev": "d75353b55e10775649954d789d432be61ff663bf", + "lastModified": 1727338449, + "narHash": "sha256-VwOGtT1WB+isk0z/D/Be05GgeaTFfsXTGt7aScCAfec=", + "rev": "60398d3d728a0057b4cad49879ef637c06b28371", "type": "tarball", - "url": "https://git.dadada.li/api/v1/repos/dadada/dadada.li/archive/d75353b55e10775649954d789d432be61ff663bf.tar.gz?rev=d75353b55e10775649954d789d432be61ff663bf" + "url": "https://git.dadada.li/api/v1/repos/dadada/dadada.li/archive/60398d3d728a0057b4cad49879ef637c06b28371.tar.gz?rev=60398d3d728a0057b4cad49879ef637c06b28371" }, "original": { "type": "tarball", @@ -240,9 +240,7 @@ "nixpkgs" ], "pre-commit-hooks-nix": "pre-commit-hooks-nix", - "rust-overlay": [ - "rust-overlay" - ] + "rust-overlay": "rust-overlay" }, "locked": { "lastModified": 1737639419, 
@@ -297,11 +295,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1762463231, - "narHash": "sha256-hv1mG5j5PTbnWbtHHomzTus77pIxsc4x8VrMjc7+/YE=", + "lastModified": 1753122741, + "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "52113c4f5cfd1e823001310e56d9c8d0699a6226", + "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22", "type": "github" }, "original": { @@ -313,11 +311,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1762596750, - "narHash": "sha256-rXXuz51Bq7DHBlfIjN7jO8Bu3du5TV+3DSADBX7/9YQ=", + "lastModified": 1753429684, + "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b6a8526db03f735b89dd5ff348f53f752e7ddc8e", + "rev": "7fd36ee82c0275fb545775cc5e4d30542899511d", "type": "github" }, "original": { @@ -327,6 +325,22 @@ "type": "github" } }, + "nixpkgs-small": { + "locked": { + "lastModified": 1753505055, + "narHash": "sha256-jQKnNATDGDeuIeUf7r0yHnmirfYkYPHeF0N2Lv8rjPE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7be0239edbf0783ff959f94f9728db414be73002", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1730741070, @@ -370,24 +384,6 @@ "type": "github" } }, - "repo-rs": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1756040506, - "narHash": "sha256-jH0uNN4pqHmIssXwWsIWlgfwdDILw4iFWRB0JUmuD/A=", - "rev": "2f5b2e0d9ecf96621971a2c13d998ceba6ea7096", - "type": "tarball", - "url": "https://git.dadada.li/api/v1/repos/dadada/repo-rs/archive/2f5b2e0d9ecf96621971a2c13d998ceba6ea7096.tar.gz?rev=2f5b2e0d9ecf96621971a2c13d998ceba6ea7096" - }, - "original": { - "type": "tarball", - "url": "https://git.dadada.li/dadada/repo-rs/archive/main.tar.gz" - } - }, "root": { "inputs": { "agenix": "agenix", 
@@ -401,8 +397,7 @@ "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", - "repo-rs": "repo-rs", - "rust-overlay": "rust-overlay", + "nixpkgs-small": "nixpkgs-small", "systems": "systems_2", "treefmt-nix": "treefmt-nix" } @@ -410,15 +405,16 @@ "rust-overlay": { "inputs": { "nixpkgs": [ + "lanzaboote", "nixpkgs" ] }, "locked": { - "lastModified": 1762655942, - "narHash": "sha256-hOM12KcQNQALrhB9w6KJmV5hPpm3GA763HRe9o7JUiI=", + "lastModified": 1731897198, + "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "6ac961b02d4235572692241e333d0470637f5492", + "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", "type": "github" }, "original": { @@ -464,11 +460,11 @@ ] }, "locked": { - "lastModified": 1762410071, - "narHash": "sha256-aF5fvoZeoXNPxT0bejFUBXeUjXfHLSL7g+mjR/p5TEg=", + "lastModified": 1753439394, + "narHash": "sha256-Bv9h1AJegLI8uAhiJ1sZ4XAndYxhgf38tMgCQwiEpmc=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "97a30861b13c3731a84e09405414398fbf3e109f", + "rev": "2673921c03d6e75fdf4aa93e025772608d1482cf", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5ae56ad..73686ce 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,7 @@ description = "dadada's nix flake"; inputs = { + nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; disko = { url = "github:nix-community/disko"; 
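Review bot: The flake.lock hunks that accompany this flake.nix change move every input backwards (for example nixpkgs `lastModified` 1762596750 → 1753429684 and agenix 1762618334 → 1750173260), so the commit pins older revisions of nixpkgs, home-manager, disko and nixos-hardware than its parent; if that is a side effect of rebasing an old branch rather than an intended rollback, run `nix flake update` before merging so the fixes that landed in the newer nixpkgs pin are not dropped. The new `nixpkgs-small` input is declared and locked but nothing in the visible diff consumes it (outputs.nix is not shown); a comment next to it naming its intended consumer, e.g. `# consumed by <host> in outputs.nix`, or deferring the input until it is used, would avoid an unexplained extra pin to keep current. The `inputs` set continues outside this hunk.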
@@ -17,20 +18,13 @@ }; lanzaboote = { url = "github:nix-community/lanzaboote/v0.4.2"; - inputs = { - nixpkgs.follows = "nixpkgs"; - rust-overlay.follows = "rust-overlay"; - }; + inputs.nixpkgs.follows = "nixpkgs"; }; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; homepage = { url = "https://git.dadada.li/dadada/dadada.li/archive/main.tar.gz"; flake = false; }; - repo-rs = { - url = "https://git.dadada.li/dadada/repo-rs/archive/main.tar.gz"; - inputs.nixpkgs.follows = "nixpkgs"; - }; agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -53,10 +47,6 @@ url = "github:numtide/treefmt-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; - rust-overlay = { - url = "github:oxalica/rust-overlay"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; outputs = { ... }@args: import ./outputs.nix args; diff --git a/home/dconf.nix b/home/dconf.nix new file mode 100644 index 0000000..5238c97 --- /dev/null +++ b/home/dconf.nix 
@@ -0,0 +1,209 @@
+{ lib, pkgs, ... }:
+with lib.hm.gvariant;
+{
+ home.packages = [
+ pkgs.adwaita-icon-theme
+ pkgs.adwaita-qt
+ ];
+
+ dconf.settings = with lib.hm.gvariant; {
+ "org/gnome/shell" = {
+ favorite-apps = [
+ "alacritty.desktop"
+ "element.desktop"
+ "evolution.desktop"
+ "firefox.desktop"
+ "spotify.desktop"
+ ];
+ };
+
+ "org/gnome/shell" = {
+ disable-user-extensions = false;
+ enabled-extensions = [
+ "system-monitor@gnome-shell-extensions.gcampax.github.com"
+ "switcher@landau.fi"
+ ];
+ };
+
+ "org/gnome/desktop/calendar" = {
+ show-weekdate = true;
+ };
+
+ "org/gnome/desktop/input-sources" = {
+ current = mkUint32 0;
+ per-window = false;
+ show-all-sources = true;
+ sources = [
+ (mkTuple [
+ "xkb"
+ "eu"
+ ])
+ (mkTuple [
+ "xkb"
+ "de"
+ ])
+ ];
+ xkb-options = [
+ "lv3:ralt_switch"
+ "caps:escape"
+ ];
+ };
+
+ "org/gnome/desktop/interface" = {
+ clock-show-date = true;
+ clock-show-seconds = false;
+ clock-show-weekday = true;
+ cursor-theme = "Adwaita";
+ enable-animations = true;
+ enable-hot-corners = false;
+ font-antialiasing = "grayscale";
+ font-hinting = "slight";
+ font-name = "Cantarell 10";
+ gtk-enable-primary-paste = false;
+ gtk-key-theme = "Emacs";
+ gtk-theme = "Adwaita";
+ color-scheme = "prefer-light";
+ icon-theme = "Adwaita";
+ locate-pointer = false;
+ monospace-font-name = "JetBrains Mono 10";
+ show-battery-percentage = false;
+ #text-scaling-factor = 1.0;
+ toolkit-accessibility = false;
+ };
+
+ "org/gnome/desktop/peripherals/keyboard" = {
+ numlock-state = false;
+ };
+
+ "org/gnome/desktop/peripherals/mouse" = {
+ accel-profile = "default";
+ natural-scroll = true;
+ };
+
+ "org/gnome/desktop/peripherals/touchpad" = {
+ send-events = "enabled";
+ tap-to-click = true;
+ two-finger-scrolling-enabled = true;
+ };
+
+ "org/gnome/desktop/privacy" = {
+ disable-microphone = false;
+ old-files-age = mkUint32 30;
+ recent-files-max-age = -1;
+ report-technical-problems = false;
+ };
+
+ "org/gnome/desktop/screensaver" = {
+ color-shading-type = "solid";
+ lock-delay = mkUint32 30;
+ lock-enabled = true;
+ };
+
+ "org/gnome/desktop/session" = {
+ idle-delay = mkUint32 0;
+ };
+
+ "org/gnome/desktop/sound" = {
+ event-sounds = false;
+ theme-name = "__custom";
+ };
+
+ "org/gnome/evince/default" = {
+ continuous = true;
+ dual-page = false;
+ dual-page-odd-left = false;
+ enable-spellchecking = true;
+ fullscreen = false;
+ inverted-colors = false;
+ show-sidebar = false;
+ sidebar-page = "links";
+ sidebar-size = 132;
+ sizing-mode = "free";
+ };
+
+ "org/gnome/evolution/calendar" = {
+ editor-show-timezone = true;
+ use-24hour-format = true;
+ week-start-day-name = "monday";
+ work-day-friday = true;
+ work-day-monday = true;
+ work-day-saturday = false;
+ work-day-sunday = false;
+ work-day-thursday = true;
+ work-day-tuesday = true;
+ work-day-wednesday = true;
+ };
+
+ "org/gnome/evolution/mail" = {
+ browser-close-on-reply-policy = "always";
+ composer-attribution-language = "de_DE";
+ composer-reply-start-bottom = false;
+ composer-signature-in-new-only = true;
+ composer-spell-languages = [
+ "de"
+ "en_US"
+ ];
+ composer-top-signature = false;
+ composer-unicode-smileys = false;
+ composer-visually-wrap-long-lines = true;
+ composer-wrap-quoted-text-in-replies = false;
+ forward-style = 0;
+ forward-style-name = "attached";
+ headers-collapsed = false;
+ image-loading-policy = "never";
+ junk-check-custom-header = true;
+ junk-check-incoming = true;
+ junk-empty-on-exit-days = 0;
+ junk-lookup-addressbook = false;
+ notify-remote-content = true;
+ prompt-check-if-default-mailer = false;
+ prompt-on-composer-mode-switch = true;
+ prompt-on-empty-subject = true;
+ prompt-on-expunge = true;
+ prompt-on-mark-all-read = false;
+ prompt-on-mark-as-junk = true;
+ prompt-on-reply-close-browser = "always";
+ prompt-on-unwanted-html = true;
+ reply-style = 0;
+ reply-style-name = "quoted";
+ search-gravatar-for-photo = false;
+ };
+
+ "org/gnome/evolution/plugin/prefer-plain" = {
+ mode = "only_plain";
+ show-suppressed = true;
+ };
+
+ "org/gnome/gnome-screenshot" = {
+ border-effect = "none";
+ delay = 0;
+ include-border = true;
+ include-pointer = false;
+ last-save-directory = "file:///home/dadada/lib/pictures/Screenshots";
+ };
+
+ "org/gnome/mutter" = {
+ attach-modal-dialogs = true;
+ center-new-windows = true;
+ dynamic-workspaces = true;
+ edge-tiling = true;
+ experimental-features = [ ];
+ focus-change-on-pointer-rest = true;
+ overlay-key = "Super_L";
+ workspaces-only-on-primary = true;
+ };
+
+ "org/gnome/settings-daemon/plugins/power" = {
+ idle-dim = true;
+ power-button-action = "interactive";
+ power-saver-profile-on-low-battery = true;
+ sleep-inactive-ac-type = "blank";
+ sleep-inactive-battery-timeout = 600;
+ sleep-inactive-battery-type = "suspend";
+ };
+
+ "org/gnome/system/location" = {
+ enabled = false;
+ };
+ };
+}
diff --git a/home/default.nix b/home/default.nix
index c886594..a21362c 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -1,9 +1,24 @@
 {
 pkgs,
+ lib,
 ...
 }:
 let
- colors_light = {
+ useFeatures = [
+ "alacritty"
+ #"emacs"
+ "direnv"
+ "git"
+ "gpg"
+ #"gtk"
+ #"keyring"
+ "syncthing"
+ "tmux"
+ "xdg"
+ "zsh"
+ "helix"
+ ];
+ colors = {
 background = "fdf6e3";
 foreground = "657b83";
 regular0 = "eee8d5"; # background darker
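Review bot: `"org/gnome/shell"` is defined twice inside `dconf.settings` (once with `favorite-apps`, once with `disable-user-extensions` and `enabled-extensions`); Nix rejects a duplicate attribute name in one attribute set at evaluation time, so home/dconf.nix cannot evaluate until the two are merged into a single `"org/gnome/shell" = { ... }` block carrying all three keys. Separately, `idle-delay = mkUint32 0` under `org/gnome/desktop/session` means the GNOME session never becomes idle, so the `lock-enabled`/`lock-delay` values under screensaver only apply to a manually started lock; if automatic locking on idle is wanted in GNOME, give `idle-delay` a nonzero value (the sway configuration in this commit covers idle locking separately through swayidle). The inner `with lib.hm.gvariant;` on `dconf.settings` repeats the file-level one and can go. `last-save-directory` hard-codes `/home/dadada`; building it from `config.home.homeDirectory` keeps it tied to the user the module is applied to.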
@@ -23,65 +38,32 @@ let bright6 = "586e75"; # pretty dark grey bright7 = "002b36"; # dark navy blue }; - colors_dark = { - cursor = "002b36 93a1a1"; - background = "002b36"; - foreground = "839496"; - regular0 = "073642"; - regular1 = "dc322f"; - regular2 = "859900"; - regular3 = "b58900"; - regular4 = "268bd2"; - regular5 = "d33682"; - regular6 = "2aa198"; - regular7 = "eee8d5"; - bright0 = "002b36"; - bright1 = "cb4b16"; - bright2 = "586e75"; - bright3 = "657b83"; - bright4 = "839496"; - bright5 = "6c71c4"; - bright6 = "93a1a1"; - bright7 = "fdf6e3"; - selection-foreground = "93a1a1"; - selection-background = "073642"; - }; in { imports = [ - ./git.nix - ./helix - ./tmux.nix - ./xdg.nix - ./zsh.nix + ./dconf.nix ]; home.stateVersion = "20.09"; - home.sessionVariables = { - EDITOR = "hx"; - PAGER = "less"; - }; + programs.gpg.settings.default-key = "99658A3EB5CD7C13"; - programs.gpg = { - enable = true; - settings = { - default-key = "99658A3EB5CD7C13"; - fixed-list-mode = true; - keyid-format = "0xlong"; - verify-options = "show-uid-validity"; - list-options = "show-uid-validity"; - cert-digest-algo = "SHA256"; - use-agent = true; - keyserver = "hkps://keys.openpgp.org"; + dadada.home = + lib.attrsets.genAttrs useFeatures (useFeatures: { + enable = true; + }) + // { + session = { + enable = true; + sessionVars = { + EDITOR = "hx"; + PAGER = "less"; + MAILDIR = "\$HOME/.var/mail"; + MBLAZE = "\$HOME/.config/mblaze"; + NOTMUCH_CONFIG = "\$HOME/.config/notmuch/config"; + }; + }; }; - }; - - services.gpg-agent = { - enable = true; - defaultCacheTtl = 1800; - enableSshSupport = false; - }; # Languagetool server for web extension systemd.user.services."languagetool-http-server" = { 
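Review bot: In `lib.attrsets.genAttrs useFeatures (useFeatures: { enable = true; })` the lambda parameter shadows the `useFeatures` list it is mapped over, which reads as if the list were used inside the body; name the parameter for what it receives, `(feature: { enable = true; })`. The `\$HOME` escapes hand `sessionVars` the literal text `$HOME/.var/mail` (the escape is unnecessary, since only `${` interpolates in Nix strings); whether that is expanded later depends on how `dadada.home.session.sessionVars` is consumed, which is outside this diff, so confirm it ends up in a shell-sourced file the way the replaced `home.sessionVariables` did. The list also enables `syncthing`, `tmux`, `xdg` and `zsh` modules that do not appear in the shown part of the diff; if they are not added elsewhere in the commit, `dadada.home.<name>.enable` is an undefined option.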
@@ -102,6 +84,42 @@ in }; }; + programs.offlineimap.enable = false; + xdg.configFile."offlineimap/config".text = '' + [general] + accounts = tu-bs,mailbox + + [Account tu-bs] + localrepository = tu-bs-local + remoterepository = tu-bs-remote + + [Repository tu-bs-local] + type = Maildir + localfolders = ~/lib/backup/y0067212@tu-bs.de + + [Repository tu-bs-remote] + type = IMAP + remotehost = mail.tu-braunschweig.de + remoteuser = y0067212 + sslcacertfile = /etc/ssl/certs/ca-certificates.crt + + [Account mailbox] + localrepository = mailbox-local + remoterepository = mailbox-remote + + [Repository mailbox-local] + type = Maildir + localfolders = ~/lib/backup/mailbox.org + + [Repository mailbox-remote] + type = IMAP + remotehost = imap.mailbox.org + remoteuser = dadada@dadada.li + sslcacertfile = /etc/ssl/certs/ca-certificates.crt + ''; + + home.file.".jjconfig.toml".source = ./jjconfig.toml; + systemd.user.timers."backup-keepassxc" = { Unit.Description = "Backup password DB"; Timer = { @@ -138,13 +156,14 @@ in enable = true; server.enable = false; settings = { - colors = colors_dark; + inherit colors; main = { shell = "tmux"; + font = "Jetbrains Mono:size=8"; dpi-aware = false; }; mouse.hide-when-typing = true; - csd.preferred = "server"; + csd.preferred = "none"; cursor.color = "fdf6e3 586e75"; bell = { urgent = true; 
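Review bot: `xdg.configFile."offlineimap/config"` is written unconditionally while the line above sets `programs.offlineimap.enable = false`, so account and host configuration is deployed for a program that is not installed; either drop it or tie it to the flag, `xdg.configFile."offlineimap/config" = lib.mkIf config.programs.offlineimap.enable { text = ''…''; };`, which needs `config` added to the module arguments. The file holds no credentials, which is the right shape to keep: everything under `xdg.configFile` lands in the world-readable Nix store, so a password must only ever come through `remotepasseval` reading a file outside the store, never a `remotepass` line here. `sslcacertfile` is set on both IMAP repositories, so certificate validation stays enforced.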
@@ -153,13 +172,267 @@ in }; }; - services.syncthing.enable = true; + home.file.".config/sway/config".text = with colors; '' + # Read `man 5 sway` for a complete reference. - programs.direnv = { - enable = true; - enableZshIntegration = true; - nix-direnv.enable = true; - }; + ### Variables + # + # Logo key. Use Mod1 for Alt. + set $mod Mod4 + # Home row direction keys, like vim + set $left h + set $down j + set $up k + set $right l + # Your preferred terminal emulator + set $term foot + # Your preferred application launcher + # Note: pass the final command to swaymsg so that the resulting window can be opened + # on the original workspace that the command was run on. + set $menu fuzzel + set $wallpaper "~/lib/pictures/wallpaper.jpg" + + ### Idle configuration + # + # Example configuration: + # + exec swayidle -w \ + timeout 300 'swaylock -f -i $wallpaper -s fill' \ + timeout 600 'swaymsg "output * power off"' resume 'swaymsg "output * power on"' \ + before-sleep 'swaylock -f -i $wallpaper -s fill' + # + # This will lock your screen after 300 seconds of inactivity, then turn off + # your displays after another 300 seconds, and turn your screens back on when + # resumed. It will also lock your screen before your computer goes to sleep. + + input * { + xkb_layout eu + xkb_model pc105+inet + xkb_options caps:escape + drag_lock enabled + drag enabled + dwt enabled + tap enabled + tap_button_map lrm + natural_scroll enabled + } + + ### Key bindings + # + # Basics: + # + # Start a terminal + bindsym $mod+Return exec $term + + # Kill focused window + bindsym $mod+Shift+q kill + + # Start your launcher + bindsym $mod+d exec $menu + + # Drag floating windows by holding down $mod and left mouse button. + # Resize them with right mouse button + $mod. + # Despite the name, also works for non-floating windows. + # Change normal to inverse to use left mouse button for resizing and right + # mouse button for dragging. 
+ floating_modifier $mod normal + + # Lock the screen + bindsym XF86Sleep exec 'swaylock -f -c ${background}' + bindsym $mod+End exec 'swaylock -f -c ${background}' + + # Reload the configuration file + bindsym $mod+Shift+c reload + + # Exit sway (logs you out of your Wayland session) + bindsym $mod+Shift+e exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -B 'Yes, exit sway' 'swaymsg exit' + + # Brightness + bindsym --locked XF86MonBrightnessDown exec light -U 10 + bindsym --locked XF86MonBrightnessUp exec light -A 10 + + # Volume + bindsym --locked XF86AudioRaiseVolume exec 'pactl set-sink-volume @DEFAULT_SINK@ +1%' + bindsym --locked XF86AudioLowerVolume exec 'pactl set-sink-volume @DEFAULT_SINK@ -1%' + bindsym --locked XF86AudioMute exec 'pactl set-sink-mute @DEFAULT_SINK@ toggle' + + # + # Moving around: + # + # Move your focus around + bindsym $mod+$left focus left + bindsym $mod+$down focus down + bindsym $mod+$up focus up + bindsym $mod+$right focus right + # Or use $mod+[up|down|left|right] + bindsym $mod+Left focus left + bindsym $mod+Down focus down + bindsym $mod+Up focus up + bindsym $mod+Right focus right + + # Move the focused window with the same, but add Shift + bindsym $mod+Shift+$left move left + bindsym $mod+Shift+$down move down + bindsym $mod+Shift+$up move up + bindsym $mod+Shift+$right move right + # Ditto, with arrow keys + bindsym $mod+Shift+Left move left + bindsym $mod+Shift+Down move down + bindsym $mod+Shift+Up move up + bindsym $mod+Shift+Right move right + + # + # Workspaces: + # + # Switch to workspace + bindsym $mod+1 workspace number 1 + bindsym $mod+2 workspace number 2 + bindsym $mod+3 workspace number 3 + bindsym $mod+4 workspace number 4 + bindsym $mod+5 workspace number 5 + bindsym $mod+6 workspace number 6 + bindsym $mod+7 workspace number 7 + bindsym $mod+8 workspace number 8 + bindsym $mod+9 workspace number 9 + bindsym $mod+0 workspace number 
10 + # Move focused container to workspace + bindsym $mod+Shift+1 move container to workspace number 1 + bindsym $mod+Shift+2 move container to workspace number 2 + bindsym $mod+Shift+3 move container to workspace number 3 + bindsym $mod+Shift+4 move container to workspace number 4 + bindsym $mod+Shift+5 move container to workspace number 5 + bindsym $mod+Shift+6 move container to workspace number 6 + bindsym $mod+Shift+7 move container to workspace number 7 + bindsym $mod+Shift+8 move container to workspace number 8 + bindsym $mod+Shift+9 move container to workspace number 9 + bindsym $mod+Shift+0 move container to workspace number 10 + # Note: workspaces can have any name you want, not just numbers. + # We just use 1-10 as the default. + + # + # Layout stuff: + # + # You can "split" the current object of your focus with + # $mod+b or $mod+v, for horizontal and vertical splits + # respectively. + bindsym $mod+b splith + bindsym $mod+v splitv + + # Switch the current container between different layout styles + bindsym $mod+s layout stacking + bindsym $mod+w layout tabbed + bindsym $mod+e layout toggle split + + # Make the current focus fullscreen + bindsym $mod+f fullscreen + + # Toggle the current focus between tiling and floating mode + bindsym $mod+Shift+space floating toggle + + # Swap focus between the tiling area and the floating area + bindsym $mod+space focus mode_toggle + + # Move focus to the parent container + bindsym $mod+a focus parent + + # + # Font + # + font "pango:Jetbrains Mono 8" + + # + # Scratchpad: + # + # Sway has a "scratchpad", which is a bag of holding for windows. + # You can send windows there and get them back later. + + # Move the currently focused window to the scratchpad + bindsym $mod+Shift+minus move scratchpad + + # Show the next scratchpad window or hide the focused scratchpad window. + # If there are multiple scratchpad windows, this command cycles through them. 
+ bindsym $mod+minus scratchpad show + + # + # Resizing containers: + # + mode "resize" { + # left will shrink the containers width + # right will grow the containers width + # up will shrink the containers height + # down will grow the containers height + bindsym $left resize shrink width 10px + bindsym $down resize grow height 10px + bindsym $up resize shrink height 10px + bindsym $right resize grow width 10px + + # Ditto, with arrow keys + bindsym Left resize shrink width 10px + bindsym Down resize grow height 10px + bindsym Up resize shrink height 10px + bindsym Right resize grow width 10px + + # Return to default mode + bindsym Return mode "default" + bindsym Escape mode "default" + } + bindsym $mod+r mode "resize" + + # + # Status Bar: + # + # Read `man 5 sway-bar` for more information about this section. + bar { + position bottom + + # When the status_command prints a new line to stdout, swaybar updates. + # The default just shows the current date and time. + status_command ~/.config/sway/status + + colors { + statusline ${foreground} + background ${background} + inactive_workspace ${background}ee ${background}ee ${foreground}ee + } + } + + # Gaps between multiple tiling windows + gaps inner 10 + smart_gaps on + + bindsym $mod+grave exec busctl --user call org.keepassxc.KeePassXC.MainWindow /keepassxc org.keepassxc.KeePassXC.MainWindow lockAllDatabases && swaylock -c #fdf6e3 + + # class border backgr. 
text indicator child_border + client.focused #${bright6} #${foreground} #${background} #${bright5} #${regular4} + client.focused_inactive #${regular0} #${regular0} #${foreground} #${bright5} #${regular0} + client.unfocused #${regular0} #${background} #${bright2} #${bright5} #${regular0} + client.urgent #${bright1} #${bright0} #${regular4} #${background} #${bright0} + client.placeholder #${background} #${bright2} #${foreground} #${background} #${bright2} + + client.background #${foreground} + + include /etc/sway/config.d/* + + exec sleep 5; systemctl --user restart kanshi.service + exec sleep 5; swaymsg output '*' bg $wallpaper fill + ''; + home.file.".config/sway/status".source = ./status; + home.file.".config/kanshi/config".text = '' + profile Laptop { + output eDP-1 enable + } + + profile Docked { + output eDP-1 disable + output "LG Electronics LG HDR 4K 0x000354D1" { + enable + scale 1.4 + position 0,0 + } + } + ''; + + #services.poweralertd.enable = true; # Let Home Manager install and manage itself. programs.home-manager.enable = true; diff --git a/home/git.nix b/home/git.nix deleted file mode 100644 index 9fdb15b..0000000 --- a/home/git.nix +++ /dev/null 
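Review bot: The KeePassXC lock binding `bindsym $mod+grave exec busctl ... lockAllDatabases && swaylock -c #fdf6e3` does not lock the screen: sway hands `exec` commands to `sh -c`, where the unquoted ` #fdf6e3` starts a shell comment, so swaylock runs as bare `swaylock -c`, rejects the missing argument and exits, leaving the session unlocked after the databases have been locked. The other lock bindings in this hunk quote the command and use `${background}` from the surrounding Nix string; do the same here, and join with `;` rather than `&&` so the screen still locks when KeePassXC is not running and the busctl call fails: `bindsym $mod+grave exec 'busctl --user call org.keepassxc.KeePassXC.MainWindow /keepassxc org.keepassxc.KeePassXC.MainWindow lockAllDatabases; swaylock -f -c ${background}'`. A comment above it, `# Lock the KeePassXC databases, then the screen`, would name the intent like the neighbouring bindings do.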
@@ -1,96 +0,0 @@ -{ - lib, - pkgs, - ... -}: -with lib; -let - allowedSigners = pkgs.writeTextFile { - name = "allowed-signers"; - text = '' - dadada@dadada.li sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKu+pA5Vy0QPHJMjn2S5DCsqKg2UvDhOsBwvvJLf4HbyAAAABHNzaDo= dadada - dadada@dadada.li ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKRuecjbtDh4jyDZH3ccU9t0QFcAgZDBFO8ZWZBA9iT dadada@gorgon - ''; - }; -in -{ - programs.git = { - enable = true; - extraConfig = { - commit = { - gpgSign = true; - verbose = true; - }; - gpg = { - format = "ssh"; - ssh.allowedSignersFile = "${allowedSigners}"; - ssh.program = "ssh-keygen"; - }; - tag.gpgSign = true; - user = { - email = "dadada@dadada.li"; - name = "Tim Schubert"; - signingKey = "key::ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKRuecjbtDh4jyDZH3ccU9t0QFcAgZDBFO8ZWZBA9iT dadada@gorgon"; - }; - core = { - whitespace = { - tab-in-indent = true; - tabwidth = 4; - }; - alias = { }; - pager = "delta"; - }; - column.ui = "never"; - checkout.defaultRemote = "origin"; - delta = { - navigate = true; # use n and N to move between diff sections - side-by-side = false; - line-numbers = true; - light = false; - }; - diff = { - renames = "copies"; - algorithm = "histogram"; - colorMoved = "default"; - }; - interactive.diffFilter = "delta --color-only"; - merge = { - conflictstyle = "zdiff3"; - keepbackup = false; - tool = "meld"; - }; - status = { - short = true; - branch = true; - showUntrackedFiled = "all"; - }; - log.date = "iso8601-local"; - fetch.prune = true; - pull = { - prune = true; - ff = "only"; - rebase = "interactive"; - }; - push = { - default = "current"; - autoSetupRemote = true; - }; - rebase = { - abbreviateCommands = true; - # Automatically force-update any branches that point to commits that are being rebased. 
- updateRefs = true;
- };
- rerere.enabled = true;
- transfer.fsckobjects = true;
- fetch.fsckobjects = true;
- receive.fsckObjects = true;
- branch.sort = "-committerdate";
- };
- };
-
- home.packages = with pkgs; [
- delta
- git-lfs
- meld
- ];
-}
diff --git a/home/jjconfig.toml b/home/jjconfig.toml
new file mode 100644
index 0000000..43fbcbd
--- /dev/null
+++ b/home/jjconfig.toml
@@ -0,0 +1,8 @@
+[user]
+name = "Tim Schubert"
+email = "dadada@dadada.li"
+
+[ui]
+diff-editor = ["scm-diff-editor", "--dir-diff", "$left", "$right"]
+diff-instructions = false
+merge-editor = ["meld"]
diff --git a/home/modules.nix b/home/modules.nix
new file mode 100644
index 0000000..0a6c961
--- /dev/null
+++ b/home/modules.nix
@@ -0,0 +1,13 @@
+{ lib, ... }:
+with lib;
+let
+ modules' =
+ dir:
+ filterAttrs (name: type: (hasSuffix ".nix" name) || (type == "directory")) (builtins.readDir dir);
+ modules =
+ dir:
+ mapAttrs' (name: _: nameValuePair (removeSuffix ".nix" name) (import (dir + "/${name}"))) (
+ modules' dir
+ );
+in
+(modules ./modules)
diff --git a/home/modules/alacritty/colors.toml b/home/modules/alacritty/colors.toml
new file mode 100644
index 0000000..3f7eb25
--- /dev/null
+++ b/home/modules/alacritty/colors.toml
@@ -0,0 +1,28 @@
+# Colors (Solarized Light)
+
+# Default colors
+[colors.primary]
+background = '#fdf6e3'
+foreground = '#586e75'
+
+# Normal colors
+[colors.normal]
+black = '#073642'
+red = '#dc322f'
+green = '#859900'
+yellow = '#b58900'
+blue = '#268bd2'
+magenta = '#d33682'
+cyan = '#2aa198'
+white = '#eee8d5'
+
+# Bright colors
+[colors.bright]
+black = '#002b36'
+red = '#cb4b16'
+green = '#586e75'
+yellow = '#657b83'
+blue = '#839496'
+magenta = '#6c71c4'
+cyan = '#93a1a1'
+white = '#fdf6e3'
diff --git a/home/modules/alacritty/default.nix b/home/modules/alacritty/default.nix
new file mode 100644
index 0000000..da9f503
--- /dev/null
+++ b/home/modules/alacritty/default.nix
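Review bot: home/jjconfig.toml configures no commit signing, while the git module added in this commit signs every commit and tag with the `dadada@gorgon` SSH key, so commits created through jj on the same repositories are unsigned and the provenance the git setup establishes is lost for them. jj has a `[signing]` table with an ssh backend and a key setting; mirroring the git signing key there keeps signing consistent across both tools. A comment at the top of the file, `# jj user config; signing intentionally unset / mirrors git.nix`, whichever is decided, would record the choice.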
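Review bot: The loader in home/modules.nix admits every directory under `./modules`, so a directory without a `default.nix` makes the `import` fail for the whole attribute set, and a file `foo.nix` next to a directory `foo/` both map to the key `foo`, where one of them is silently dropped. Tighten the directory case to `(type == "directory" && builtins.pathExists (dir + "/${name}/default.nix"))` so only importable directories are picked up. The file also carries no explanation of the convention it implements; a header comment, `# Every <name>.nix file or <name>/ directory under ./modules becomes attribute <name> holding the imported module`, would tell readers how a new module gets discovered. `with lib;` at file scope hides where `filterAttrs`, `mapAttrs'` and `nameValuePair` come from; `inherit (lib) filterAttrs mapAttrs' nameValuePair hasSuffix removeSuffix;` makes that explicit.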
@@ -0,0 +1,49 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+with lib;
+let
+ cfg = config.dadada.home.alacritty;
+in
+{
+ options.dadada.home.alacritty = {
+ enable = mkEnableOption "Enable alacritty config";
+ };
+ config = mkIf cfg.enable {
+ home.packages = [
+ pkgs.jetbrains-mono
+ ];
+ programs.alacritty = {
+ enable = true;
+ settings = {
+ env.TERM = "xterm-256color";
+ scrolling.history = 0;
+ font = {
+ size = 9;
+ normal = {
+ family = "Jetbrains Mono";
+ style = "Regular";
+ };
+ bold = {
+ family = "Jetbrains Mono";
+ style = "Bold";
+ };
+ italic = {
+ family = "Jetbrains Mono";
+ style = "Italic";
+ };
+ bold_italic = {
+ family = "Jetbrains Mono";
+ style = "Bold Italic";
+ };
+ };
+ shell.program = "tmux";
+ window.decorations = "none";
+ colors = (lib.trivial.importTOML ./colors.toml).colors;
+ };
+ };
+ };
+}
diff --git a/home/modules/colors.nix b/home/modules/colors.nix
new file mode 100644
index 0000000..a4dc5c7
--- /dev/null
+++ b/home/modules/colors.nix
@@ -0,0 +1,44 @@
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
+{
+ options.dadada.home.colors = mkOption {
+ type = types.attrs;
+ description = "Color scheme";
+ };
+
+ config = {
+ dadada.home.colors = {
+ foreground = "#a3a3a3";
+ foregroundBold = "#e8e8e8";
+ cursor = "#e8e8e8";
+ cursorForeground = "#1f2022";
+ background = "#292b2e";
+ color0 = "#1f2022";
+ color8 = "#585858";
+ color7 = "#a3a3a3";
+ color15 = "#f8f8f8";
+ color1 = "#f2241f";
+ color9 = "#f2241f";
+ color2 = "#67b11d";
+ color10 = "#67b11d";
+ color3 = "#b1951d";
+ color11 = "#b1951d";
+ color4 = "#4f97d7";
+ color12 = "#4f97d7";
+ color5 = "#a31db1";
+ color13 = "#a31db1";
+ color6 = "#2d9574";
+ color14 = "#2d9574";
+ color16 = "#ffa500";
+ color17 = "#b03060";
+ color18 = "#282828";
+ color19 = "#444155";
+ color20 = "#b8b8b8";
+ color21 = "#e8e8e8";
+ };
+ };
+}
diff --git a/home/modules/direnv.nix b/home/modules/direnv.nix
new file mode 100644
index 0000000..27a0907
--- /dev/null
+++ b/home/modules/direnv.nix
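Review bot: `enable = mkEnableOption "Enable alacritty config";` renders in the generated option docs as "Whether to enable Enable alacritty config.", because `mkEnableOption` already prefixes "Whether to enable "; the argument should be the bare noun phrase, `enable = mkEnableOption "alacritty config";`. The same doubled wording is in home/modules/direnv.nix, home/modules/git.nix, home/modules/gpg.nix and home/modules/gtk.nix. As a point of style, the font family literal `"Jetbrains Mono"` is repeated four times inside `font`; binding it once in the `let` (`family = "Jetbrains Mono";`) and using `inherit family;` in each variant keeps a later font change to one line.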
@@ -0,0 +1,22 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib;
+let
+ cfg = config.dadada.home.direnv;
+in
+{
+ options.dadada.home.direnv = {
+ enable = mkEnableOption "Enable direnv config";
+ };
+ config = mkIf cfg.enable {
+ programs.direnv = {
+ enable = true;
+ enableZshIntegration = true;
+ nix-direnv.enable = true;
+ };
+ };
+}
diff --git a/home/modules/git.nix b/home/modules/git.nix
new file mode 100644
index 0000000..92c4c12
--- /dev/null
+++ b/home/modules/git.nix
@@ -0,0 +1,107 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; +let + cfg = config.dadada.home.git; + allowedSigners = pkgs.writeTextFile { + name = "allowed-signers"; + text = '' + dadada@dadada.li sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKu+pA5Vy0QPHJMjn2S5DCsqKg2UvDhOsBwvvJLf4HbyAAAABHNzaDo= dadada + dadada@dadada.li ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKRuecjbtDh4jyDZH3ccU9t0QFcAgZDBFO8ZWZBA9iT dadada@gorgon + ''; + }; +in +{ + options.dadada.home.git = { + enable = mkEnableOption "Enable git config"; + }; + config = mkIf cfg.enable { + programs.git = { + enable = true; + extraConfig = { + commit = { + gpgSign = true; + verbose = true; + }; + gpg = { + format = "ssh"; + ssh.allowedSignersFile = "${allowedSigners}"; + ssh.program = "ssh-keygen"; + }; + tag.gpgSign = true; + user = { + email = "dadada@dadada.li"; + name = "Tim Schubert"; + signingKey = "key::ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKRuecjbtDh4jyDZH3ccU9t0QFcAgZDBFO8ZWZBA9iT dadada@gorgon"; + }; + core = { + whitespace = { + tab-in-indent = true; + tabwidth = 4; + }; + alias = { }; + pager = "delta"; + }; + column.ui = "never"; + checkout.defaultRemote = "origin"; + delta = { + navigate = true; # use n and N to move between diff sections + side-by-side = false; + line-numbers = true; + light = true; + }; + diff = { + renames = "copies"; + algorithm = "histogram"; + colorMoved = "default"; + }; + interactive.diffFilter = "delta --color-only"; + merge = { + conflictstyle = "zdiff3"; + keepbackup = false; + tool = "meld"; + }; + status = { + short = true; + branch = true; + showUntrackedFiled = "all"; + }; + log.date = "iso8601-local"; + fetch.prune = true; + pull = { + prune = true; + ff = "only"; + rebase = "interactive"; + }; + push = { + default = "current"; + autoSetupRemote = true; + }; + rebase = { + abbreviateCommands = true; + # Automatically force-update any branches that point to commits that are being rebased. 
+ updateRefs = true; + }; + rerere.enabled = true; + transfer.fsckobjects = true; + fetch.fsckobjects = true; + receive.fsckObjects = true; + branch.sort = "-committerdate"; + }; + }; + + home.packages = with pkgs; [ + delta + git-branchless + git-lfs + gitAndTools.hub + gitAndTools.lab + gitAndTools.git-absorb + meld + ]; + }; +} diff --git a/home/modules/gpg.nix b/home/modules/gpg.nix new file mode 100644 index 0000000..baa17dd --- /dev/null +++ b/home/modules/gpg.nix @@ -0,0 +1,34 @@ +{ + config, + lib, + ... +}: +with lib; +let + cfg = config.dadada.home.gpg; +in +{ + options.dadada.home.gpg = { + enable = mkEnableOption "Enable GnuPG config"; + }; + config = mkIf cfg.enable { + programs.gpg = { + enable = true; + settings = { + fixed-list-mode = true; + keyid-format = "0xlong"; + verify-options = "show-uid-validity"; + list-options = "show-uid-validity"; + cert-digest-algo = "SHA256"; + use-agent = true; + keyserver = "hkps://keys.openpgp.org"; + }; + }; + + services.gpg-agent = { + enable = true; + defaultCacheTtl = 1800; + enableSshSupport = false; + }; + }; +} diff --git a/home/modules/gtk.nix b/home/modules/gtk.nix new file mode 100644 index 0000000..5dcd2e6 --- /dev/null +++ b/home/modules/gtk.nix @@ -0,0 +1,20 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; +let + cfg = config.dadada.home.gtk; +in +{ + options.dadada.home.gtk = { + enable = mkEnableOption "Enable GTK config"; + }; + config = mkIf cfg.enable { + gtk = { + enable = true; + }; + }; +} diff --git a/home/helix/config/config.toml b/home/modules/helix/config/config.toml similarity index 84% rename from home/helix/config/config.toml rename to home/modules/helix/config/config.toml index 9f37e3f..41cf786 100644 --- a/home/helix/config/config.toml +++ b/home/modules/helix/config/config.toml @@ -1,4 +1,4 @@ -theme = "solarized_dark" +theme = "solarized_light" [editor] line-number = "relative" 
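Review bot: `showUntrackedFiled = "all";` under `status` is a typo for git's `status.showUntrackedFiles` key; git ignores unknown configuration keys silently, so the setting never takes effect. Change it to `showUntrackedFiles = "all";`. The empty `alias = { };` is placed under `core`, where git does not look for aliases (they live in the top-level `[alias]` section); either move it up a level beside `commit` or drop it. The fsckobjects trio and the SSH allowed-signers setup are the right direction for verifying what is fetched and who signed it, and the `signingKey` matches the second entry of the allowed-signers file, which is worth a one-line comment so the two stay in sync.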
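Review bot: `use-agent = true;` in programs.gpg.settings is a no-op: since GnuPG 2.1 gpg always talks to the agent and documents `--use-agent` as a dummy option, so the line suggests a choice that is not actually being made. Drop it, or keep it with `# no-op on GnuPG >= 2.1, kept for older installs`. `services.gpg-agent.defaultCacheTtl = 1800` is set without `maxCacheTtl`, so the agent's built-in upper bound applies; a comment stating that the default maximum is acceptable would save the next reader from checking.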
diff --git a/home/helix/config/languages.toml b/home/modules/helix/config/languages.toml similarity index 100% rename from home/helix/config/languages.toml rename to home/modules/helix/config/languages.toml diff --git a/home/helix/default.nix b/home/modules/helix/default.nix similarity index 81% rename from home/helix/default.nix rename to home/modules/helix/default.nix index 7061527..7717423 100644 --- a/home/helix/default.nix +++ b/home/modules/helix/default.nix @@ -9,6 +9,7 @@ let in { options.dadada.home.helix = { + enable = lib.mkEnableOption "Enable helix editor"; package = lib.mkOption { type = lib.types.package; description = "Helix editor package to use"; @@ -16,7 +17,7 @@ in }; }; - config = { + config = lib.mkIf cfg.enable { home.file.".config/helix".source = ./config; home.packages = [ cfg.package diff --git a/home/modules/keyring.nix b/home/modules/keyring.nix new file mode 100644 index 0000000..48b8b54 --- /dev/null +++ b/home/modules/keyring.nix @@ -0,0 +1,20 @@ +{ + config, + lib, + ... +}: +with lib; +let + cfg = config.dadada.home.keyring; +in +{ + options.dadada.home.keyring = { + enable = mkEnableOption "Enable keyring config"; + }; + config = mkIf cfg.enable { + services.gnome-keyring = { + enable = false; + components = [ "secrets" ]; + }; + }; +} diff --git a/home/modules/session.nix b/home/modules/session.nix new file mode 100644 index 0000000..ba5c941 --- /dev/null +++ b/home/modules/session.nix @@ -0,0 +1,27 @@ +{ + config, + lib, + ... +}: +with lib; +let + cfg = config.dadada.home.session; +in +{ + options.dadada.home.session = { + enable = mkEnableOption "Enable session variable management"; + sessionVars = mkOption { + description = "Session variables"; + type = types.attrs; + default = { }; + example = '' + EDITOR = "hx"; + PAGER = "less"; + ''; + }; + }; + config = mkIf cfg.enable { + home.sessionVariables = cfg.sessionVars; + systemd.user.sessionVariables = cfg.sessionVars; + }; +} 
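Review bot: `services.gnome-keyring` is declared with `enable = false;` while `components = [ "secrets" ];` is set, so the module is inert and the components list is dead configuration; a reader skimming the file may assume the keyring is active. If this is parked on purpose, say so, e.g. `# kept disabled on purpose; components retained for when the keyring is enabled`, otherwise flip `enable` or remove the block.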
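Review bot: The `example` for `sessionVars` is a Nix string (`''…''`) although the option's type is `types.attrs`, so generated documentation shows a string literal instead of an attribute set. Use a real value, `example = { EDITOR = "hx"; PAGER = "less"; };`, or wrap the text in `lib.literalExpression` if the rendered form matters. `types.attrs` also merges definitions from several modules shallowly and accepts any value; `types.attrsOf types.str` would reject non-string entries before they reach `home.sessionVariables` and `systemd.user.sessionVariables`.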
diff --git a/home/modules/ssh.nix b/home/modules/ssh.nix new file mode 100644 index 0000000..b8aab54 --- /dev/null +++ b/home/modules/ssh.nix @@ -0,0 +1,19 @@ +{ + config, + lib, + ... +}: +with lib; +let + cfg = config.dadada.home.ssh; +in +{ + options.dadada.home.ssh = { + enable = mkEnableOption "Enable SSH config"; + }; + config = mkIf cfg.enable { + programs.ssh = { + enable = true; + }; + }; +} diff --git a/home/modules/syncthing.nix b/home/modules/syncthing.nix new file mode 100644 index 0000000..8095904 --- /dev/null +++ b/home/modules/syncthing.nix @@ -0,0 +1,21 @@ +{ + config, + pkgs, + lib, + ... +}: +with lib; +let + cfg = config.dadada.home.syncthing; +in +{ + options.dadada.home.syncthing = { + enable = mkEnableOption "Enable Syncthing config"; + }; + config = mkIf cfg.enable { + services.syncthing = { + enable = true; + tray = false; + }; + }; +} diff --git a/home/modules/tmux.nix b/home/modules/tmux.nix new file mode 100644 index 0000000..063b8f2 --- /dev/null +++ b/home/modules/tmux.nix @@ -0,0 +1,34 @@ +{ + config, + lib, + ... +}: +with lib; +let + cfg = config.dadada.home.tmux; +in +{ + options.dadada.home.tmux = { + enable = mkEnableOption "Enable tmux config"; + }; + config = mkIf cfg.enable { + programs.tmux = { + enable = true; + terminal = "tmux-256color"; + extraConfig = '' + setw -g mode-keys vi + set -g mouse on + set -g set-clipboard external + set -g set-titles on + set -g status on + set -ga terminal-overrides ',*256col*:Tc' + set-option -g status-interval 5 + set-option -g automatic-rename on + set-option -g automatic-rename-format '#{b:pane_current_path}' + bind '"' split-window -c "#{pane_current_path}" + bind % split-window -h -c "#{pane_current_path}" + bind c new-window -c "#{pane_current_path}" + ''; + }; + }; +} diff --git a/home/modules/xdg.nix b/home/modules/xdg.nix new file mode 100644 index 0000000..02cadaf --- /dev/null +++ b/home/modules/xdg.nix 
@@ -0,0 +1,55 @@ +{ + config, + pkgs, + lib, + ... +}: +with lib; +let + apps = { + "x-scheme-handler/mailto" = "evolution.desktop"; + "message/rfc822" = "evolution.desktop"; + "x-scheme-handler/http" = "firefox.desktop"; + "x-scheme-handler/https" = "firefox.desktop"; + "x-scheme-handler/ftp" = "firefox.desktop"; + "x-scheme-handler/chrome" = "firefox.desktop"; + "text/html" = "firefox.desktop"; + "application/x-extension-htm" = "firefox.desktop"; + "application/x-extension-html" = "firefox.desktop"; + "application/x-extension-shtml" = "firefox.desktop"; + "application/xhtml+xml" = "firefox.desktop"; + "application/x-extension-xhtml" = "firefox.desktop"; + "application/x-extension-xht" = "firefox.desktop"; + "application/pdf" = "evince.desktop"; + }; + cfg = config.dadada.home.xdg; +in +{ + options.dadada.home.xdg = { + enable = mkEnableOption "Enable XDG config"; + }; + config = mkIf cfg.enable { + xdg = { + enable = true; + configHome = "${config.home.homeDirectory}/.config"; + mimeApps = { + enable = false; + associations.added = apps; + defaultApplications = apps; + }; + userDirs = { + desktop = "\$HOME/.desktop"; + download = "\$HOME/tmp"; + music = "\$HOME/lib/music"; + videos = "\$HOME/lib/videos"; + pictures = "\$HOME/lib/pictures"; + documents = "\$HOME/lib"; + }; + }; + home.packages = with pkgs; [ + evince + firefox + xdg-utils + ]; + }; +} diff --git a/home/modules/zsh.nix b/home/modules/zsh.nix new file mode 100644 index 0000000..7a0cd6c --- /dev/null +++ b/home/modules/zsh.nix 
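Review bot: `mimeApps.enable = false;` makes the `apps` table dead configuration: neither `associations.added` nor `defaultApplications` is written while the module is disabled, yet the handlers were just changed to evolution/evince compared with the deleted home/xdg.nix. If the table is meant to apply, set `enable = true;`; if not, a comment explaining why it stays disabled would help. The `userDirs` block likely also needs `userDirs.enable = true;` before anything lands in user-dirs.dirs — I believe home-manager defaults it to false, so confirm against the module.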
@@ -0,0 +1,83 @@ +{ + config, + pkgs, + lib, + ... +}: +with lib; +let + cfg = config.dadada.home.zsh; +in +{ + options.dadada.home.zsh = { + enable = mkEnableOption "Enable ZSH config"; + }; + config = mkIf cfg.enable { + programs.fzf.enableZshIntegration = true; + programs.zsh = { + enable = true; + enableCompletion = true; + enableVteIntegration = true; + autosuggestion.enable = true; + autocd = true; + sessionVariables = { + EDITOR = "hx"; + }; + history = { + extended = true; + ignoreDups = true; + ignoreSpace = true; + save = 100000; + # FIXME https://github.com/junegunn/fzf/issues/4061 + #share = true; + share = false; + }; + plugins = [ + ]; + initContent = '' + source ${pkgs.zsh-git-prompt}/share/zsh-git-prompt/zshrc.sh + source ${pkgs.fzf}/share/fzf/key-bindings.zsh + source ${pkgs.fzf}/share/fzf/completion.zsh + eval "$(${pkgs.h}/bin/h --setup ~/src)" + + bindkey -e '^n' autosuggest-accept + + preexec() { echo -n -e "\033]0;$1\007" } + + PROMPT="%F{red}%?%f %F{green}%m%f:%F{blue}%~%f"$'\n'"╰─> " + RPROMPT='$(git_super_status)' + ''; + profileExtra = ''''; + shellAliases = { + ga = "git add"; + gc = "git commit"; + gd = "git diff"; + gdw = "git diff --color-words"; + gf = "git fetch"; + gl = "git log"; + gpu = "git push"; + gpul = "git pull"; + grb = "git rebase"; + gre = "git reflog"; + gs = "git status"; + gsh = "git show"; + gst = "git status"; + gsta = "git stash"; + gstap = "git stash apply"; + exa = "eza"; + ls = "exa"; + la = "exa -a"; + ll = "exa -la --no-filesize --changed --time-style=long-iso --git --octal-permissions --no-permissions --no-user --ignore-glob=\".git\""; + mv = "mv -i"; + cp = "cp -i"; + }; + }; + + home.packages = with pkgs; [ + fzf + eza + zsh-git-prompt + tmux + ]; + }; +} diff --git a/home/nixpkgs-config.nix b/home/nixpkgs-config.nix new file mode 100644 index 0000000..6a29a63 --- /dev/null +++ b/home/nixpkgs-config.nix 
@@ -0,0 +1,7 @@
+{ pkgs }:
+{
+ allowUnfree = true;
+ allowUnfreePredicate = pkg: true;
+ allowBroken = false;
+ android_sdk.accept_license = true;
+}
diff --git a/home/pkgs.nix b/home/pkgs.nix
index 71c9472..7a707e1 100644
--- a/home/pkgs.nix
+++ b/home/pkgs.nix
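Review bot: `allowUnfreePredicate = pkg: true;` is redundant next to `allowUnfree = true;`: nixpkgs consults the predicate only when `allowUnfree` is false, so the line adds nothing and reads as if unfree packages were being filtered when they are not. Keep one form — `allowUnfree = true;` alone — or replace both with a predicate that lists the unfree packages actually wanted, which documents the licenses being accepted instead of waving everything through.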
@@ -1,84 +1,152 @@ { pkgs }: with pkgs; [ + anki + aqbanking + aria2 + aspell + aspellDicts.de + aspellDicts.en + aspellDicts.en-computers + aspellDicts.en-science bash bat # cat with syntax highlighting and git integration binutils bluez-tools + btop # htop + choose # alternative to cut and awk with more readable syntax chromium + colordiff + darcs delta # feature-rich diff viewer dig direnv + duf # disk usage + dune3d + dyff # diff tool for YAML element-desktop + evince + evolution ffmpeg file + fuzzel + fx # themable json viewer + fzf fzf gdb gh + ghidra-bin gimp + glow glow # render markdown gnumake gnupg - halloy + gping # ping with graphs + graphviz + grim + gron # make json grepable + h # Manage git repos hexyl # hex viewer + htop httpie + hub hyperfine # A command-line benchmarking tool. + icdiff + imagemagick inkscape inotify-tools ioping # ping but for block devices iproute2 iputils # tracepath irssi + jameica + jc # convert output to json + josm jq + kanshi keepassxc + kubetail krita ldns + liboping # oping, ping multiple hosts at once libreoffice libvirt lsof + lynis man-pages + mblaze + mkpasswd mpv mtr mumble nix-output-monitor + ncurses + newsflash nixd nixfmt-rfc-style nfs-utils + niv + nix-index nmap + nmon + nodePackages.prettier map-cmd obs-studio - obsidian + offlineimap openscad openssl + p7zip pandoc # document converter and templater pass pavucontrol picocom + playerctl + procs # ps in rust prusa-slicer pv + pwgen (python3.withPackages (pkgs: [ pkgs.pandas pkgs.requests ])) ranger + reptyr + ripgrep ripgrep saleae-logic-2 + sd # search and displace like sed but with better syntax sieveshell signal-desktop + silver-searcher + skim # fzf in Rust + slurp socat + solvespace + spotify sqlite + sshfs-fuse + steam taplo tcpdump + tdesktop thunderbird tmux + ttyd unzip usbutils + vegur virt-manager + viu # view images from the terminal + vscodium whois wireshark xdg-utils xmlstarlet unixtools.xxd + xxh # portable shells yt-dlp + # zotero Marked as 
insecure + zeal + zk zsh ] diff --git a/home/status b/home/status new file mode 100755 index 0000000..e24816b --- /dev/null +++ b/home/status 
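Review bot: `fzf`, `glow` and `ripgrep` are each listed twice in the new package list (the added entry sits directly above the existing one in all three cases); duplicates are harmless to the environment build but make the list harder to audit. `hub` is also added here while `gitAndTools.hub` is already installed by git.nix, and `fzf`/`tmux` appear again in zsh.nix's home.packages, so each package should live in one place. The `# zotero Marked as insecure` comment would be more useful with the reason recorded next to it, e.g. `# zotero: marked insecure in nixpkgs (<advisory/issue placeholder>); re-check before re-adding`.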
@@ -0,0 +1,138 @@ +#!/usr/bin/env python3 + +import json +import sys +import time +import requests +import logging +import subprocess + +from datetime import datetime + +logger = logging.getLogger(__name__) + + +class Status: + def status(self): + return None + + +class Cat(Status): + index = 0 + + def status(self): + cat_width = 200 + index = self.index + catwalk = "🐈🏳️‍🌈" + " " * index + self.index = (index + 1) % cat_width + + return {"full_text": catwalk} + + +class Space(Status): + backoff = 0 + c_status = None + + def status(self): + backoff = self.backoff + if self.backoff == 0: + self.update() + + return {"full_text": self.c_status} + + def update(self): + spacestatus_url = "https://status.stratum0.org/status.json" + resp = requests.get(url=spacestatus_url) + self.backoff = (self.backoff + 1) % 120 + data = resp.json() + if data["isOpen"]: + since = datetime.strptime(data["since"], "%Y-%m-%dT%H:%M:%S.%f").strftime("%A at %H:%M") + spacestatus = f"Space is open since {since}" + else: + spacestatus = "Space is closed" + self.c_status = spacestatus + + +class Battery(Status): + capacity_file = open('/sys/class/power_supply/BAT0/capacity', 'r') + status_file = open('/sys/class/power_supply/BAT0/status', 'r') + + def status(self): + self.status_file.seek(0) + status = self.status_file.read().rstrip() + + self.capacity_file.seek(0) + capacity = self.capacity_file.read().rstrip() + + battery = f"{status} {capacity}%" + + return {"full_text": battery} + + +class Time(Status): + def status(self): + now = datetime.now() + match now.isocalendar().week % 10: + case 1: + th = "st" + case 2: + th = "nd" + case 3: + th = "rd" + case _: + th = "th" + return {"full_text": now.strftime(f"%V{th} %A %H:%M") } + + +class FailedUnits(Status): + def status(self): + proc = subprocess.run(["systemctl", "list-units", "--failed"], capture_output = True) + stdout = proc.stdout.decode('utf-8') + failed = 0 + for line in stdout: + if 'failed' in line: + failed += 1 + if failed == 0: + 
return {"full_text": f"No failed units"} + else: + return {"full_text": f"There are {failed} failed units", "color": "#ff0000"} + + +def print_header(): + header = { + "version": 1, + "click_events": False, + } + print(json.dumps(header)) + print("[") + + +def run(interval, widgets): + print_header() + + while True: + body = [] + + for widget in widgets: + try: + status = widget.status() + except Exception as e: + logger.error(e) + if status: + body += status, + + print(json.dumps(body), ",", flush=True) + + ts = interval - (time.time() % interval) + time.sleep(ts) + + +if __name__ == "__main__": + logging.basicConfig(level=logging.INFO) + + # Interval in seconds + interval = 1.0 + + widgets = [Cat(), FailedUnits(), Space(), Battery(), Time()] + + run(interval, widgets) diff --git a/home/tmux.nix b/home/tmux.nix deleted file mode 100644 index ca8e38c..0000000 --- a/home/tmux.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ - ... -}: -{ - programs.tmux = { - enable = true; - terminal = "tmux-256color"; - extraConfig = '' - setw -g mode-keys vi - set -g mouse on - set -g set-clipboard external - set -g set-titles on - set -g status on - set -ga terminal-overrides ',*256col*:Tc' - set-option -g status-interval 5 - set-option -g automatic-rename on - set-option -g automatic-rename-format '#{b:pane_current_path}' - bind '"' split-window -c "#{pane_current_path}" - bind % split-window -h -c "#{pane_current_path}" - bind c new-window -c "#{pane_current_path}" - ''; - }; -} diff --git a/home/xdg.nix b/home/xdg.nix deleted file mode 100644 index 67b2b40..0000000 --- a/home/xdg.nix +++ /dev/null 
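Review bot: In `FailedUnits.status`, `for line in stdout:` iterates over the characters of the decoded string, so `'failed' in line` can never be true and the widget always reports "No failed units". Iterate `for line in stdout.splitlines():` instead (or run `systemctl list-units --failed --plain --no-legend` and count its lines). `Space.update` calls `requests.get(url=spacestatus_url)` without a timeout and `run` is single-threaded, so a stalled HTTPS connection freezes every widget; pass `timeout=5` and call `resp.raise_for_status()` before `resp.json()`. The `backoff` counter is only advanced inside `update`, so after the first fetch it stays at 1 and the space status is never refreshed — the `% 120` increment belongs in `status`. In `run`, `status` is unbound on the first iteration if `widget.status()` raises (and stale on later ones); initialise `status = None` before the `try`.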
@@ -1,47 +0,0 @@ -{ - config, - pkgs, - ... -}: -let - apps = { - "x-scheme-handler/mailto" = "thunderbird.desktop"; - "message/rfc822" = "thunderbird.desktop"; - "x-scheme-handler/http" = "firefox.desktop"; - "x-scheme-handler/https" = "firefox.desktop"; - "x-scheme-handler/ftp" = "firefox.desktop"; - "x-scheme-handler/chrome" = "firefox.desktop"; - "text/html" = "firefox.desktop"; - "application/x-extension-htm" = "firefox.desktop"; - "application/x-extension-html" = "firefox.desktop"; - "application/x-extension-shtml" = "firefox.desktop"; - "application/xhtml+xml" = "firefox.desktop"; - "application/x-extension-xhtml" = "firefox.desktop"; - "application/x-extension-xht" = "firefox.desktop"; - "application/pdf" = "okular.desktop"; - }; -in -{ - xdg = { - enable = true; - configHome = "${config.home.homeDirectory}/.config"; - mimeApps = { - enable = false; - associations.added = apps; - defaultApplications = apps; - }; - userDirs = { - desktop = "\$HOME/.desktop"; - download = "\$HOME/tmp"; - music = "\$HOME/lib/music"; - videos = "\$HOME/lib/videos"; - pictures = "\$HOME/lib/pictures"; - documents = "\$HOME/lib"; - }; - }; - home.packages = with pkgs; [ - evince - firefox - xdg-utils - ]; -} diff --git a/home/zsh.nix b/home/zsh.nix deleted file mode 100644 index daa65c7..0000000 --- a/home/zsh.nix +++ /dev/null 
@@ -1,69 +0,0 @@ -{ - pkgs, - ... -}: -{ - programs.fzf.enableZshIntegration = true; - programs.zsh = { - enable = true; - enableCompletion = true; - enableVteIntegration = true; - autosuggestion.enable = true; - autocd = true; - sessionVariables = { - EDITOR = "hx"; - }; - history = { - extended = true; - ignoreDups = true; - ignoreSpace = true; - save = 100000; - # FIXME https://github.com/junegunn/fzf/issues/4061 - #share = true; - share = false; - }; - plugins = [ - ]; - initContent = '' - source ${pkgs.fzf}/share/fzf/key-bindings.zsh - source ${pkgs.fzf}/share/fzf/completion.zsh - eval "$(repo setup --root ~/src)" - - bindkey -e '^n' autosuggest-accept - - preexec() { echo -n -e "\033]0;$1\007" } - - PROMPT="%F{red}%?%f %F{green}%m%f:%F{blue}%~%f"$'\n'"╰─> " - ''; - profileExtra = ''''; - shellAliases = { - ga = "git add"; - gc = "git commit"; - gd = "git diff"; - gdw = "git diff --color-words"; - gf = "git fetch"; - gl = "git log"; - gpu = "git push"; - gpul = "git pull"; - grb = "git rebase"; - gre = "git reflog"; - gs = "git status"; - gsh = "git show"; - gst = "git status"; - gsta = "git stash"; - gstap = "git stash apply"; - exa = "eza"; - ls = "exa"; - la = "exa -a"; - ll = "exa -la --no-filesize --changed --time-style=long-iso --git --octal-permissions --no-permissions --no-user --ignore-glob=\".git\""; - mv = "mv -i"; - cp = "cp -i"; - }; - }; - - home.packages = with pkgs; [ - fzf - eza - tmux - ]; -} diff --git a/hydra-jobs.nix b/hydra-jobs.nix new file mode 100644 index 0000000..3369943 --- /dev/null +++ b/hydra-jobs.nix @@ -0,0 +1,4 @@ +{ self, nixpkgs, ... }: +(nixpkgs.lib.mapAttrs' ( + name: config: nixpkgs.lib.nameValuePair name config.config.system.build.toplevel +) self.nixosConfigurations) diff --git a/nixos/agares/configuration.nix b/nixos/agares/configuration.nix new file mode 100644 index 0000000..ba00c29 --- /dev/null +++ b/nixos/agares/configuration.nix 
@@ -0,0 +1,108 @@ +{ + config, + modulesPath, + pkgs, + ... +}: +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ./ddns.nix + ./dns.nix + ./firewall.nix + ../modules/profiles/server.nix + ./network.nix + ./ntp.nix + ./ppp.nix + ]; + + fileSystems."/" = { + device = "/dev/sda1"; + fsType = "btrfs"; + options = [ "subvol=root" ]; + }; + + #fileSystems."/nix/store" = { + # device = "/dev/sda1"; + # fsType = "btrfs"; + # options = [ "subvol=/root/nix" "noatime" ]; + #}; + + fileSystems."/swap" = { + device = "/dev/sda1"; + fsType = "btrfs"; + options = [ + "subvol=/root/swap" + "noatime" + ]; + }; + + #swapDevices = [{ + # device = "/swap/swapfile"; + # size = 32 * 1024; # 32 GByte + #}]; + + hardware.cpu.amd.updateMicrocode = config.hardware.enableRedistributableFirmware; + + dadada = { + admin.enable = true; + }; + + services.smartd.enable = true; + + networking.hostName = "agares"; + networking.domain = "bs.dadada.li"; + + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "ehci_pci" + "usb_storage" + "sd_mod" + "sdhci_pci" + ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.extraConfig = " + serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1 + terminal_input serial + terminal_output serial + "; + + boot.kernelParams = [ + "console=ttyS0,115200" + "amd_iommu=on" + "iommu=pt" + ]; + + boot.kernelModules = [ + "kvm-amd" + "vfio" + "vfio_iommu_type1" + "vfio_pci" + "vfio_virqfd" + ]; + + environment.systemPackages = with pkgs; [ + curl + flashrom + dmidecode + tcpdump + ]; + + services.munin-node = { + enable = true; + extraConfig = '' + host_name ${config.networking.hostName} + cidr_allow 10.3.3.3/32 + ''; + }; + + # Running router VM. They have to be restarted in the right order, so network comes up cleanly. Not ideal. 
+ system.autoUpgrade.allowReboot = false; + + system.stateVersion = "23.05"; +} diff --git a/nixos/agares/ddns.nix b/nixos/agares/ddns.nix new file mode 100644 index 0000000..9a5948f --- /dev/null +++ b/nixos/agares/ddns.nix @@ -0,0 +1,13 @@ +{ config, ... }: +{ + dadada.ddns = { + domains = [ "vpn.dadada.li" ]; + credentialsPath = config.age.secrets."ddns-credentials".path; + interface = "ppp0"; + }; + + age.secrets."ddns-credentials" = { + file = "${config.dadada.secrets.path}/ddns-credentials.age"; + mode = "400"; + }; +} diff --git a/nixos/agares/dns.nix b/nixos/agares/dns.nix new file mode 100644 index 0000000..fe2843f --- /dev/null +++ b/nixos/agares/dns.nix 
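Review bot: `fileSystems."/"` and `fileSystems."/swap"` address the disk as `/dev/sda1` and GRUB as `/dev/sda`; kernel device names are assigned in probe order, so adding or reordering a disk (or a USB stick present at boot) can move the root filesystem to another name and leave the router unbootable. Prefer stable identifiers, e.g. `device = "/dev/disk/by-uuid/<ROOT-FS-UUID>";` (placeholder) for the filesystems and a `/dev/disk/by-id/…` path for `boot.loader.grub.device`. The commented-out `/nix/store` and `swapDevices` blocks should either be removed or carry a note saying why they are parked, otherwise they read as half-applied configuration.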
@@ -0,0 +1,81 @@ +{ ... }: +{ + services.unbound = { + enable = true; + localControlSocketPath = "/run/unbound/unbound.ctl"; + settings = { + server = { + access-control = [ + "127.0.0.0/8 allow" + "127.0.0.1/32 allow_snoop" + "192.168.96.0/19 allow" + "192.168.1.0/24 allow" + "172.16.128.0/24 allow" + "::1/128 allow_snoop" + "fd42:9c3b:f96d::/48 allow" + ]; + interface = [ + "127.0.0.1" + "192.168.1.1" + "192.168.100.1" + "192.168.101.1" + "192.168.102.1" + "192.168.103.1" + "192.168.120.1" + "::1" + "fd42:9c3b:f96d:100::1" + "fd42:9c3b:f96d:101::1" + "fd42:9c3b:f96d:102::1" + "fd42:9c3b:f96d:103::1" + "fd42:9c3b:f96d:120::1" + ]; + prefer-ip6 = true; + prefetch = true; + prefetch-key = true; + serve-expired = false; + aggressive-nsec = true; + hide-identity = true; + hide-version = true; + use-caps-for-id = true; + val-permissive-mode = true; + local-data = [ + "\"agares.bs.dadada.li. 10800 IN A 192.168.101.1\"" + "\"danjal.bs.dadada.li. 10800 IN A 192.168.100.108\"" + "\"legion.bs.dadada.li. 10800 IN A 192.168.100.107\"" + "\"ninurta.bs.dadada.li. 10800 IN A 192.168.101.184\"" + "\"agares.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101::1\"" + "\"ninurta.bs.dadada.li. 10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\"" + "\"backup1.dadada.li. 
10800 IN AAAA fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe\"" + ]; + local-zone = [ + "\"168.192.in-addr.arpa.\" nodefault" + "\"d.f.ip6.arpa.\" nodefault" + ]; + }; + forward-zone = [ + { + name = "."; + forward-tls-upstream = "yes"; + forward-addr = [ + "2620:fe::fe@853#dns.quad9.net" + "2620:fe::9@853#dns.quad9.net" + "9.9.9.9@853#dns.quad9.net" + "149.112.112.112@853#dns.quad9.net" + ]; + } + ]; + stub-zone = + let + stubZone = name: addrs: { + name = "${name}"; + stub-addr = addrs; + }; + in + [ + #(stubZone "li.dadada.bs" ["192.168.128.220" "2a01:4f8:c010:a710::1"]) + #(stubZone "d.6.9.f.b.3.c.9.2.4.d.f.ip6.arpa" ["192.168.101.220" "2a01:4f8:c010:a710::1"]) + #(stubZone "168.192.in-addr.arpa" ["192.168.128.220" "2a01:4f8:c010:a710::1"]) + ]; + }; + }; +} diff --git a/nixos/agares/firewall.nix b/nixos/agares/firewall.nix new file mode 100644 index 0000000..569259f --- /dev/null +++ b/nixos/agares/firewall.nix @@ -0,0 +1,13 @@ +{ ... }: +{ + networking = { + useDHCP = false; + nat.enable = false; + firewall.enable = false; + nftables = { + enable = true; + checkRuleset = true; + ruleset = builtins.readFile ./rules.nft; + }; + }; +} diff --git a/nixos/agares/network.nix b/nixos/agares/network.nix new file mode 100644 index 0000000..6d86d22 --- /dev/null +++ b/nixos/agares/network.nix 
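Review bot: `val-permissive-mode = true;` turns DNSSEC validation failures into ordinary answers: unbound still validates but hands out data it has marked bogus instead of returning SERVFAIL, so LAN clients get no protection from spoofed or tampered responses even though `prefetch-key` and `aggressive-nsec` show validation is intended. Unbound's documentation describes the option as a debugging aid; set it to `false` (the default) or, if one broken domain forced it on, use `domain-insecure` for that zone only, with a comment naming it. If the resolver has to stay permissive for now, at least make the failures visible with `val-log-level = 1`.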
@@ -0,0 +1,323 @@ +{ config, lib, ... }: +let + ulaPrefix = "fd42:9c3b:f96d"; # fd42:9c3b:f96d::/48 + ipv4Prefix = "192.168"; # 192.168.96.0/19 + domain = "bs.dadada.li"; +in +{ + networking.useDHCP = false; + systemd.network = { + enable = true; + links = { + "10-persistent" = { + matchConfig.OriginalName = [ + "enp1s0" + "enp2s0" + ]; # takes search domains from the [Network] + linkConfig.MACAddressPolicy = "persistent"; + }; + }; + netdevs = { + # QoS concentrator + "ifb4ppp0" = { + netdevConfig = { + Kind = "ifb"; + Name = "ifb4ppp0"; + }; + }; + "20-lan" = { + netdevConfig = { + Kind = "vlan"; + Name = "lan.10"; + }; + vlanConfig = { + Id = 10; + }; + }; + "20-freifunk" = { + netdevConfig = { + Kind = "vlan"; + Name = "ff.11"; + }; + vlanConfig = { + Id = 11; + }; + }; + "20-roadw" = { + netdevConfig = { + Kind = "wireguard"; + Name = "roadw"; + }; + wireguardConfig = { + PrivateKeyFile = config.age.secrets."wg-privkey-vpn-dadada-li".path; + ListenPort = 51234; + }; + wireguardPeers = [ + { + wireguardPeerConfig = + let + peerAddresses = i: [ + "${ipv4Prefix}.120.${i}/32" + "${ulaPrefix}:120::${i}/128" + ]; + in + { + PublicKey = "0eWP1hzkyoXlrjPSOq+6Y1u8tnFH+SejBJs8f8lf+iU="; + AllowedIPs = peerAddresses "3"; + }; + } + ]; + }; + "20-wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + }; + wireguardConfig = { + PrivateKeyFile = config.age.secrets."wg-privkey-wg0".path; + ListenPort = 51235; + }; + wireguardPeers = lib.singleton { + wireguardPeerConfig = { + PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE="; + AllowedIPs = [ + "10.3.3.3/32" + "fd42:9c3b:f96d:121::3/128" + "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128" + ]; + }; + }; + }; + }; + networks = + let + subnet = name: subnetId: { + matchConfig.Name = name; + addresses = [ + { addressConfig.Address = "${ipv4Prefix}.${subnetId}.1/24"; } + { addressConfig.Address = "${ulaPrefix}:${subnetId}::1/64"; } + ]; + dhcpPrefixDelegationConfig = { + SubnetId = "auto"; + }; + ipv6Prefixes = [ 
+ { + ipv6PrefixConfig.Prefix = "${ulaPrefix}:${subnetId}::/64"; + } + ]; + dhcpServerConfig = { + DNS = "_server_address"; + NTP = "_server_address"; + EmitDNS = true; + EmitNTP = true; + EmitRouter = true; + PoolOffset = 100; + PoolSize = 100; + }; + ipv6SendRAConfig = { + EmitDNS = true; + DNS = "_link_local"; + EmitDomains = true; # takes search domains from the [Network] + }; + linkConfig = { + RequiredForOnline = false; + }; + networkConfig = { + Domains = domain; + EmitLLDP = "yes"; + IPv6SendRA = true; + IPv6AcceptRA = false; + DHCPPrefixDelegation = true; + DHCPServer = true; + }; + extraConfig = '' + [CAKE] + OverheadBytes = 38 + Bandwidth = 1G + RTT = lan + ''; + }; + in + { + "10-mgmt" = lib.mkMerge [ + (subnet "enp1s0" "100") + { + networkConfig.VLAN = [ + "lan.10" + "ff.11" + ]; + dhcpServerStaticLeases = [ + { + # legion + dhcpServerStaticLeaseConfig = { + Address = "192.168.100.107"; + MACAddress = "80:CC:9C:95:4A:60"; + }; + } + { + # danyal + dhcpServerStaticLeaseConfig = { + Address = "192.168.100.108"; + MACAddress = "c8:9e:43:a3:3d:7f"; + }; + } + ]; + } + ]; + "30-wg0" = { + matchConfig.Name = "wg0"; + address = [ + "10.3.3.2/32" + "fd42:9c3b:f96d:121::2/128" + ]; + DHCP = "no"; + networkConfig.IPv6AcceptRA = false; + linkConfig.RequiredForOnline = false; + routes = [ + { + routeConfig = { + Destination = "10.3.3.1/24"; + }; + } + { + routeConfig = { + Destination = "fd42:9c3b:f96d:121::1/64"; + }; + } + ]; + }; + "30-lan" = subnet "lan.10" "101" // { + dhcpServerStaticLeases = [ + { + # ninurta + dhcpServerStaticLeaseConfig = { + Address = "192.168.101.184"; + MACAddress = "48:21:0B:3E:9C:FE"; + }; + } + { + # crocell + dhcpServerStaticLeaseConfig = { + Address = "192.168.101.122"; + MACAddress = "9C:C9:EB:4F:3F:0E"; + }; + } + { + # gorgon + dhcpServerStaticLeaseConfig = { + Address = "192.168.101.205"; + MACAddress = "8C:C6:81:6A:39:2F"; + }; + } + ]; + }; + + "30-ff" = subnet "ff.11" "102"; + + "30-ifb4ppp0" = { + name = "ifb4ppp0"; + 
extraConfig = '' + [CAKE] + OverheadBytes = 65 + Bandwidth = 100M + FlowIsolationMode = triple + RTT = internet + ''; + linkConfig = { + RequiredForOnline = false; + }; + }; + + "30-ppp0" = { + name = "ppp*"; + linkConfig = { + RequiredForOnline = "routable"; + }; + networkConfig = { + KeepConfiguration = "static"; + DefaultRouteOnDevice = true; + LinkLocalAddressing = "ipv6"; + DHCP = "ipv6"; + }; + extraConfig = '' + [CAKE] + OverheadBytes = 65 + Bandwidth = 40M + FlowIsolationMode = triple + NAT=true + RTT = internet + + [DHCPv6] + PrefixDelegationHint= ::/56 + UseAddress = false + UseDelegatedPrefix = true + WithoutRA = solicit + + [DHCPPrefixDelegation] + UplinkInterface=:self + ''; + ipv6SendRAConfig = { + # Let networkd know that we would very much like to use DHCPv6 + # to obtain the "managed" information. Not sure why they can't + # just take that from the upstream RAs. + Managed = true; + }; + }; + # Talk to modem for management + "enp2s0" = { + name = "enp2s0"; + linkConfig = { + RequiredForOnline = false; + }; + networkConfig = { + Address = "192.168.1.254/24"; + EmitLLDP = "yes"; + }; + }; + "10-roadw" = { + matchConfig.Name = "roadw"; + addresses = [ + { addressConfig.Address = "${ipv4Prefix}.120.1/24"; } + { addressConfig.Address = "${ulaPrefix}:120::1/64"; } + ]; + DHCP = "no"; + networkConfig.IPv6AcceptRA = false; + linkConfig.RequiredForOnline = false; + routes = [ + { + routeConfig = { + Destination = "${ipv4Prefix}.120.1/24"; + }; + } + { + routeConfig = { + Destination = "${ulaPrefix}::120:1/64"; + }; + } + ]; + }; + }; + }; + + age.secrets."wg-privkey-vpn-dadada-li" = { + file = "${config.dadada.secrets.path}/wg-privkey-vpn-dadada-li.age"; + owner = "systemd-network"; + }; + + age.secrets."wg-privkey-wg0" = { + file = "${config.dadada.secrets.path}/agares-wg0-key.age"; + owner = "systemd-network"; + }; + + boot.kernel.sysctl = { + # Enable forwarding for interface + "net.ipv4.conf.all.forwarding" = "1"; + "net.ipv6.conf.all.forwarding" = "1"; 
+ "net.ipv6.conf.all.accept_ra" = "0"; + "net.ipv6.conf.all.autoconf" = "0"; + # Set via systemd-networkd + #"net.ipv6.conf.${intf}.use_tempaddr" = "0"; + }; + + powerManagement.cpuFreqGovernor = lib.mkDefault "schedutil"; +} diff --git a/nixos/agares/ntp.nix b/nixos/agares/ntp.nix new file mode 100644 index 0000000..c3ec49b --- /dev/null +++ b/nixos/agares/ntp.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + services.chrony = { + enable = true; + extraConfig = '' + allow 192.168.1 + allow 192.168.100 + allow 192.168.101 + allow 192.168.102 + ''; + }; +} diff --git a/nixos/agares/ppp.nix b/nixos/agares/ppp.nix new file mode 100644 index 0000000..ffa5bc4 --- /dev/null +++ b/nixos/agares/ppp.nix @@ -0,0 +1,68 @@ +{ + pkgs, + lib, + config, + ... +}: +let + secretsPath = config.dadada.secrets.path; +in +{ + # PPPoE + services.pppd = { + enable = true; + peers = { + telekom = { + enable = true; + autostart = true; + config = '' + debug + + plugin pppoe.so enp2s0 + + noauth + hide-password + call telekom-secret + + linkname ppp0 + + persist + maxfail 0 + holdoff 5 + + noipdefault + defaultroute + + lcp-echo-interval 15 + lcp-echo-failure 3 + ''; + }; + }; + }; + + age.secrets."etc-ppp-telekom-secret" = { + file = "${secretsPath}/etc-ppp-telekom-secret.age"; + owner = "root"; + mode = "700"; + path = "/etc/ppp/peers/telekom-secret"; + }; + + age.secrets."etc-ppp-pap-secrets" = { + # format: client server passphrase + file = "${secretsPath}/etc-ppp-chap-secrets.age"; + owner = "root"; + mode = "700"; + path = "/etc/ppp/pap-secrets"; + }; + + # Hook for QoS via Intermediate Functional Block + environment.etc."ppp/ip-up" = { + mode = "755"; + text = with lib; '' + #!/usr/bin/env sh + ${getBin pkgs.iproute2}/bin/tc qdisc del dev $1 ingress + ${getBin pkgs.iproute2}/bin/tc qdisc add dev $1 handle ffff: ingress + ${getBin pkgs.iproute2}/bin/tc filter add dev $1 parent ffff: matchall action mirred egress redirect dev ifb4ppp0 + ''; + }; +} 
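Review bot: In `"10-roadw"`, the IPv6 route `Destination = "${ulaPrefix}::120:1/64";` expands to `fd42:9c3b:f96d::120:1/64`, i.e. the `fd42:9c3b:f96d::/64` network, while the address configured on the same interface is `${ulaPrefix}:120::1/64` (`fd42:9c3b:f96d:120::/64`); the colon placement looks like a typo and the route covers the wrong prefix. Change it to `Destination = "${ulaPrefix}:120::/64";` — or drop both `routes` entries, since the on-link address already installs the prefix route. The same host-in-prefix form appears in `"30-wg0"` (`10.3.3.1/24`, `fd42:9c3b:f96d:121::1/64`), where networkd may warn about a non-zero host part; writing the network address (`10.3.3.0/24`) makes the intent explicit.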
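Review bot: Both age secrets are installed with `mode = "700"`, which sets the execute bit on credential files that pppd only reads; `mode = "600"` (or `"400"`, as ddns.nix uses) is the least privilege that still works. The second secret maps `etc-ppp-chap-secrets.age` onto `/etc/ppp/pap-secrets` with a comment describing the PAP format; if the peer authenticates with CHAP, pppd reads `/etc/ppp/chap-secrets` instead, so either the source file name or the target path looks wrong — confirm which protocol the link negotiates and install the secret under the matching path. The `ip-up` hook runs `tc qdisc del dev $1 ingress` with no guard for the first run, so the harmless error it prints can be silenced with `2>/dev/null`, and a short comment noting that pppd passes the interface name as `$1` would help readers of the hook.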
diff --git a/nixos/agares/rules.nft b/nixos/agares/rules.nft
new file mode 100644
index 0000000..4b41bea
--- /dev/null
+++ b/nixos/agares/rules.nft
@@ -0,0 +1,136 @@
+flush ruleset
+
+define IF_MGMT = "enp1s0"
+define IF_FF = "ff.11"
+define IF_LAN = "lan.10"
+define IF_WAN = "ppp0"
+
+# Modem uses this for internet uplink via our WAN
+define IF_MODEM = "enp2s0"
+
+define IF_ROADW = "roadw"
+
+table inet filter {
+ # Will give "no such file or directory if hardware does not support flow offloading"
+ # flowtable f {
+ # hook ingress priority 0; devices = { enp1s0, enp2s0 }; flags offload;
+ # }
+
+ chain input_local {
+ ip6 saddr != ::1/128 log prefix "Dropped IPv6 nonlocalhost packet on loopback:" drop
+ accept comment "Accept traffic to loopback interface"
+ }
+
+ chain input_icmp_untrusted {
+ # Allow ICMP echo
+ ip protocol icmp icmp type { echo-request } limit rate 1000/second burst 5 packets accept comment "Accept echo request"
+
+ # Allow some ICMPv6
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } limit rate 1000/second burst 5 packets accept comment "Allow some ICMPv6"
+ }
+
+ chain input_modem {
+ jump input_icmp_untrusted
+ }
+
+ chain input_wan {
+ # DHCPv6 client
+ meta nfproto ipv6 udp sport 547 accept comment "Allow DHCPv6 client"
+
+ jump input_icmp_untrusted
+
+ udp dport 51234 accept comment "Wireguard roadwarriors"
+ }
+
+ chain input_lan {
+ counter accept comment "Accept all traffic from LAN"
+ }
+
+ chain input_mgmt {
+ counter accept comment "Accept all traffic from MGMT"
+ }
+
+ chain input_roadw {
+ counter accept comment "Accept all traffic from roadwarriors"
+ }
+
+ chain input_ff {
+ jump input_icmp_untrusted
+
+ # DHCP
+ meta nfproto ipv6 udp dport 547 accept comment "Allow DHCPv6 client"
+
+ # Allow DNS and DHCP from Freifunk
+ udp dport { 53, 67 } accept comment "Allow DNS and DHCP from Freifunk"
+ }
+
+ chain input_wg0 {
+ tcp dport 4949 accept comment "Munin node"
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+
+ ct state {established, related} counter accept comment "Accept packets from established and related connections"
+ ct state invalid counter drop comment "Early drop of invalid packets"
+
+ iifname vmap { lo : accept, $IF_WAN : jump input_wan, $IF_LAN : jump input_lan, $IF_FF : jump input_ff, $IF_ROADW : jump input_roadw, $IF_MODEM : jump input_modem, $IF_MGMT : jump input_mgmt, wg0 : jump input_wg0 }
+ }
+
+# Only works if hardware flow offloading is available
+# chain offload {
+# type filter hook forward priority -100; policy accept;
+# ip protocol tcp flow add @f
+# counter packets 0 bytes 0
+# }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+
+ # Accept connections tracked by destination NAT
+ ct status dnat counter accept comment "Accept connections tracked by DNAT"
+
+ # TCP options
+ tcp flags syn tcp option maxseg size set rt mtu comment "Remove TCP maximum segment size and set a size based on route information"
+
+ # ICMPv6
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, parameter-problem } limit rate 5/second counter accept comment "Forward up to five ICMP messages of allowed types per second"
+ meta l4proto ipv6-icmp accept comment "Forward ICMP in IPv6"
+
+ # mgmt <-> *
+ iifname { $IF_LAN, $IF_ROADW } oifname $IF_MGMT counter reject comment "Reject traffic from LAN and roadwarrior to MGMT"
+ iifname $IF_MGMT oifname { $IF_LAN, $IF_ROADW } counter reject comment "Reject traffic from MGMT to LAN and roadwarrior"
+ # drop (instead of reject) everything else to MGMT
+
+ # LAN, ROADW -> * (except mgmt)
+ iifname { $IF_LAN, $IF_ROADW } counter accept comment "Allow all traffic forwarding from LAN and roadwarrior to all interfaces, except to mgmt"
+
+ # FF -> WAN
+ iifname { $IF_FF } oifname $IF_WAN counter accept comment "Allow all traffic forwarding from Freifunk and services to WAN"
+
+ # { WAN } -> { FF, LAN, RW }
+ iifname { $IF_WAN } oifname { $IF_FF, $IF_LAN, $IF_ROADW } ct state established,related counter accept comment "Allow established back from WAN"
+ }
+
+ chain output {
+ type filter hook output priority 100; policy accept;
+ }
+}
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
+ ip saddr { 192.168.96.0/19 } oifname { $IF_WAN } masquerade comment "Masquerade traffic from LANs"
+ }
+}
+
+table arp filter {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ iifname { $IF_MGMT, $IF_LAN, $IF_FF, $IF_MODEM } limit rate 1/second burst 2 packets accept comment "Limit number of ARP messages from LAN, FF, MGMT, modem"
+ }
+}
diff --git a/nixos/configurations.nix b/nixos/configurations.nix
index f583b9f..95b894e 100644
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
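Review bot: In `chain input_wan` the rule `meta nfproto ipv6 udp sport 547 accept` admits any IPv6 UDP datagram arriving on the WAN whose source port is 547, whatever its destination port, so a remote sender reaches every UDP listener bound on the WAN side simply by choosing that source port; limiting it to the client port, `meta nfproto ipv6 udp sport 547 udp dport 546 accept comment "Allow DHCPv6 client"`, keeps only the intended DHCPv6 exception. In `chain forward`, `meta l4proto ipv6-icmp accept` directly follows the rate-limited ICMPv6 rule and accepts every ICMPv6 type without a limit, which makes the preceding `limit rate 5/second` rule ineffective; drop the unconditional line or narrow it to the types the first rule does not cover. `chain input_local` (the loopback non-::1 log-and-drop) is never reached because the `input` vmap maps `lo : accept` directly, so it should either be wired in as `lo : jump input_local` or removed. The `input_ff` rule on `udp dport 547` is commented "Allow DHCPv6 client", but destination port 547 is the server side; "Allow DHCPv6 requests from Freifunk clients" describes what it does. `forward` also lacks the `ct state invalid counter drop` that `input` has, so untracked packets from LAN or roadwarrior interfaces are forwarded by the blanket accept; adding the same line before the accept rules closes that.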
@@ -8,87 +8,127 @@ nixos-hardware, nixos-generators, nixpkgs, + nixpkgs-small, ... }@inputs: let - # create a new instance allowing some unfree packages - nixpkgsx86 = import nixpkgs { - system = "x86_64-linux"; - config.allowUnfreePredicate = - pkg: - builtins.elem (nixpkgs.lib.getName pkg) [ - "aspell-dict-en-science" - "brgenml1lpr" - "obsidian" - "saleae-logic-2" - "spotify" - "steam" - "steam-unwrapped" - ]; - }; - nixosSystem = nixpkgs.lib.nixosSystem; - baseModule = - { lib, ... }: + nixosSystem = { - _module.args.inputs = inputs; - imports = [ - inputs.agenix.nixosModules.age - inputs.disko.nixosModules.disko - inputs.home-manager.nixosModules.home-manager + nixpkgs, + system ? "x86_64-linux", + extraModules ? [ ], + }: + nixpkgs.lib.nixosSystem { + inherit system; + + modules = [ + { + nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; + } + ] + ++ (nixpkgs.lib.attrValues self.nixosModules) + ++ [ agenix.nixosModules.age ] + ++ extraModules; + }; +in +{ + stolas = + let + system = "x86_64-linux"; + in + nixosSystem { + inherit nixpkgs system; + + extraModules = [ + lanzaboote.nixosModules.lanzaboote + disko.nixosModules.disko + { + nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; + dadada.pkgs = self.packages.${system}; + dadada.inputs = inputs // { + dadada = self; + }; + } + nixos-hardware.nixosModules.framework-amd-ai-300-series + home-manager.nixosModules.home-manager ( { pkgs, ... 
}: { - dadada.homepage.package = homepage; - dadada.pkgs = inputs.self.packages.${pkgs.system}; - dadada.inputs = inputs // { - dadada = inputs.self; - }; + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.sharedModules = (nixpkgs.lib.attrValues self.hmModules) ++ [ + { dadada.home.helix.package = pkgs.helix; } + ]; + home-manager.users.dadada = import ../home; } ) - inputs.lanzaboote.nixosModules.lanzaboote - ] - ++ (lib.attrValues inputs.self.nixosModules); + ./stolas + ]; }; - homeModule = ./modules/profiles/home.nix; -in -{ - stolas = nixosSystem { - modules = [ - { nixpkgs.pkgs = nixpkgsx86; } - baseModule - nixos-hardware.nixosModules.framework-amd-ai-300-series - homeModule - ./stolas - ]; - }; - gorgon = nixosSystem { - modules = [ - { nixpkgs.pkgs = nixpkgsx86; } - baseModule - nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1 - homeModule - ./gorgon/configuration.nix - ]; - }; + gorgon = + let + system = "x86_64-linux"; + in + nixosSystem { + inherit nixpkgs system; + + extraModules = [ + { + nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays; + dadada.pkgs = self.packages.${system}; + dadada.inputs = inputs // { + dadada = self; + }; + } + nixos-hardware.nixosModules.lenovo-thinkpad-t14s-amd-gen1 + home-manager.nixosModules.home-manager + ( + { pkgs, ... 
}: + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.sharedModules = (nixpkgs.lib.attrValues self.hmModules) ++ [ + { dadada.home.helix.package = pkgs.helix; } + { manual.manpages.enable = false; } + ]; + home-manager.users.dadada = import ../home; + } + ) + ./gorgon/configuration.nix + ]; + }; surgat = nixosSystem { - modules = [ - { nixpkgs.pkgs = nixpkgsx86; } - baseModule + nixpkgs = nixpkgs-small; + system = "x86_64-linux"; + extraModules = [ + { + dadada.homepage.package = homepage; + } + ./modules/profiles/server.nix ./surgat/configuration.nix ]; }; - installer = nixosSystem { - modules = [ - nixos-generators.nixosModules.install-iso - inputs.self.nixosModules.admin - ( - { lib, ... }: + agares = nixosSystem { + nixpkgs = nixpkgs-small; + extraModules = [ + ./agares/configuration.nix + ]; + }; + + installer = + let + nixpkgs = nixpkgs-small; + in + nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + nixos-generators.nixosModules.install-iso + self.nixosModules.admin { - nixpkgs.pkgs = nixpkgs.legacyPackages."x86_64-linux"; - isoImage.isoName = lib.mkForce "dadada-nixos-installer.iso"; + isoImage.isoName = nixpkgs.lib.mkForce "dadada-nixos-installer.iso"; networking.tempAddresses = "disabled"; dadada.admin.enable = true; documentation.enable = true; @@ -99,14 +139,12 @@ in keyMap = "us"; }; } - ) - ]; - }; + ]; + }; ninurta = nixosSystem { - modules = [ - { nixpkgs.pkgs = nixpkgsx86; } - baseModule + nixpkgs = nixpkgs-small; + extraModules = [ ./ninurta/configuration.nix ]; }; diff --git a/nixos/gorgon/configuration.nix b/nixos/gorgon/configuration.nix index 69e7588..16f8130 100644 --- a/nixos/gorgon/configuration.nix +++ b/nixos/gorgon/configuration.nix 
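Review bot: The new `nixosSystem` wrapper no longer sets `dadada.pkgs` and `dadada.inputs` for every host; only the `stolas` and `gorgon` entries add them in an inline module, while `surgat`, `agares` and `ninurta` get neither, so any server-side module that reads `config.dadada.inputs` or `config.dadada.pkgs` would now fail to evaluate — presumably none does, but it is worth confirming before deploying. The inline module in `stolas` and `gorgon` repeats `nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;`, which the wrapper already contributes as its first module, so the overlay list is applied twice; removing it from the per-host modules avoids the duplication. The `home-manager.useGlobalPkgs`/`useUserPackages`/`sharedModules`/`users.dadada` block is duplicated verbatim between the two desktop hosts and could live in one shared module that each host imports. This hunk starts inside the function's argument set, whose opening brace is outside the hunk.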
@@ -52,6 +52,8 @@ in age.secrets."${config.networking.hostName}-backup-passphrase-gs".file = "${secretsPath}/${config.networking.hostName}-backup-passphrase-gs.age"; + nixpkgs.config.android_sdk.accept_license = true; + programs.ssh.startAgent = true; nix.extraOptions = '' @@ -83,7 +85,7 @@ in networking.hostName = "gorgon"; dadada = { - steam.enable = false; + steam.enable = true; yubikey.enable = true; }; @@ -152,6 +154,7 @@ in #]; environment.systemPackages = with pkgs; [ + android-studio ghostscript smartmontools @@ -261,7 +264,7 @@ in xdg.portal.wlr.enable = false; hardware.bluetooth.enable = true; - hardware.graphics = { + hardware.opengl = { enable = true; extraPackages = with pkgs; [ vaapiVdpau diff --git a/nixos/modules/backup.nix b/nixos/modules/backup.nix index 0ece03f..095fd35 100644 --- a/nixos/modules/backup.nix +++ b/nixos/modules/backup.nix @@ -11,7 +11,7 @@ let "/dev" "/efi" "/home/*/.cache" - "/home/*/.config/Element" + "/home/*/.config/Riot/Cache" "/home/iserv" "/lost+found" "/mnt" diff --git a/nixos/modules/element.nix b/nixos/modules/element.nix index 63bf02c..2fcefec 100644 --- a/nixos/modules/element.nix +++ b/nixos/modules/element.nix @@ -13,7 +13,7 @@ in }; config = lib.mkIf cfg.enable { services.nginx.virtualHosts."element.${config.networking.domain}" = { - useACMEHost = "dadada.li"; + enableACME = true; forceSSL = true; serverAliases = [ "element.${config.networking.domain}" diff --git a/nixos/modules/gitea.nix b/nixos/modules/gitea.nix index fe03ff3..783bf6f 100644 --- a/nixos/modules/gitea.nix +++ b/nixos/modules/gitea.nix @@ -82,7 +82,7 @@ in }; services.nginx.virtualHosts."git.${config.networking.domain}" = { - useACMEHost = "dadada.li"; + enableACME = true; forceSSL = true; locations."/".extraConfig = '' diff --git a/nixos/modules/homepage.nix b/nixos/modules/homepage.nix index 2d9a337..193e71e 100644 --- a/nixos/modules/homepage.nix +++ b/nixos/modules/homepage.nix 
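Review bot: `hardware.opengl` on the new side of the last gorgon hunk is the pre-24.11 name of `hardware.graphics`; on nixpkgs 24.11 and later it survives only as a renamed-option alias that prints an evaluation warning, and later releases may drop it. The same older spellings appear in the other hunks of this commit: `hardware.pulseaudio` in steam.nix and ninurta/configuration.nix, `cue = true` instead of `settings.cue` in yubikey.nix, and the `routeConfig`/`wireguardPeerConfig` wrappers in ninurta and surgat, all of which appear to be names that recent releases warn about or reject. If the nixpkgs pin is being moved back to a release that requires these names, the change is consistent; if not, it reintroduces deprecated options and should be reverted file by file. A one-line comment next to the first occurrence, e.g. `# pre-24.11 option names, required by the pinned nixpkgs`, would make the intent visible to the next reader. The enclosing module attrset continues outside each of these hunks.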
@@ -19,7 +19,7 @@ with lib; services.nginx.enable = true; services.nginx.virtualHosts."dadada.li" = { - useACMEHost = "dadada.li"; + enableACME = true; forceSSL = true; root = "${cfg.package}"; }; diff --git a/nixos/modules/miniflux.nix b/nixos/modules/miniflux.nix index 685c355..6898f34 100644 --- a/nixos/modules/miniflux.nix +++ b/nixos/modules/miniflux.nix @@ -21,7 +21,7 @@ in }; services.nginx.virtualHosts.${domain} = { - useACMEHost = "dadada.li"; + enableACME = true; forceSSL = true; locations."/".extraConfig = '' diff --git a/nixos/modules/nixpkgs.nix b/nixos/modules/nixpkgs.nix new file mode 100644 index 0000000..2c5849f --- /dev/null +++ b/nixos/modules/nixpkgs.nix @@ -0,0 +1,3 @@ +{ + nixpkgs.config.allowUnfreePredicate = pkg: true; +} diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix index 5e6eb69..0976788 100644 --- a/nixos/modules/profiles/base.nix +++ b/nixos/modules/profiles/base.nix @@ -56,7 +56,7 @@ in networking.networkmanager.dns = mkDefault "systemd-resolved"; networking.hosts = { - "fd42:9c3b:f96d:101:9c17:3dff:fee5:cd5f" = [ "backup1.dadada.li" ]; + "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe" = [ "backup1.dadada.li" ]; }; services.resolved = { diff --git a/nixos/modules/profiles/cloud.nix b/nixos/modules/profiles/cloud.nix index 1ddbb1e..de57714 100644 --- a/nixos/modules/profiles/cloud.nix +++ b/nixos/modules/profiles/cloud.nix @@ -4,10 +4,6 @@ let initrdHostKey = "${config.networking.hostName}-ssh_host_ed25519_key"; in { - imports = [ - ./server.nix - ]; - boot.initrd.availableKernelModules = [ "virtio-pci" ]; boot.kernelParams = [ diff --git a/nixos/modules/profiles/home.nix b/nixos/modules/profiles/home.nix deleted file mode 100644 index 2276025..0000000 --- a/nixos/modules/profiles/home.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ pkgs, inputs, ... }: -{ - home-manager.useGlobalPkgs = true; - home-manager.users.dadada = inputs.self.hmConfigurations.dadada; -} 
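Review bot: `nixpkgs.config.allowUnfreePredicate = pkg: true;` in the new nixos/modules/nixpkgs.nix permits every unfree package on every host that imports the module, replacing the explicit list (`aspell-dict-en-science`, `brgenml1lpr`, `obsidian`, `saleae-logic-2`, `spotify`, `steam`, `steam-unwrapped`) that configurations.nix used to carry; the same blanket setting appears as `nixpkgs.config.allowUnfree = true` in steam.nix and nixos/stolas/default.nix. The list was a useful control on which proprietary software may enter a system closure, and a predicate that returns true for everything gives no signal when a new unfree dependency appears. If the goal is only to stop editing configurations.nix, keep the allow-list in this module instead, e.g. `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ... ];`, or import the module only on the desktop hosts that need it.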
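Review bot: profiles/cloud.nix drops its `imports = [ ./server.nix ];`, and only the `surgat` entry in configurations.nix adds `./modules/profiles/server.nix` explicitly; any other host that imports cloud.nix (none is visible in this diff) silently loses the server profile. A comment at the top of cloud.nix such as `# server.nix is not imported here; the host configuration must import profiles/server.nix itself` records the new contract. The enclosing attrset of this hunk continues outside it.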
diff --git a/nixos/modules/share.nix b/nixos/modules/share.nix index c7dcedc..7c7410b 100644 --- a/nixos/modules/share.nix +++ b/nixos/modules/share.nix @@ -16,7 +16,7 @@ in services.nginx.enable = true; services.nginx.virtualHosts."share.dadada.li" = { - useACMEHost = "dadada.li"; + enableACME = true; forceSSL = true; root = "/var/lib/share"; diff --git a/nixos/modules/steam.nix b/nixos/modules/steam.nix index 7204d6f..b6b0846 100644 --- a/nixos/modules/steam.nix +++ b/nixos/modules/steam.nix @@ -15,14 +15,14 @@ in }; }; config = mkIf cfg.enable { - programs.steam.enable = true; - hardware.graphics = { + nixpkgs.config.allowUnfree = true; + + hardware.opengl = { enable = true; - extraPackages32 = with pkgs.pkgsi686Linux; [ - libva - libvdpau-va-gl - ]; + driSupport32Bit = true; + extraPackages32 = with pkgs.pkgsi686Linux; [ libva ]; }; - services.pulseaudio.support32Bit = true; + + hardware.pulseaudio.support32Bit = true; }; } diff --git a/nixos/modules/weechat.nix b/nixos/modules/weechat.nix index 2353651..6ff0106 100644 --- a/nixos/modules/weechat.nix +++ b/nixos/modules/weechat.nix @@ -21,7 +21,7 @@ in services.nginx.enable = true; services.nginx.virtualHosts."webchat.dadada.li" = { - useACMEHost = "dadada.li"; + enableACME = true; forceSSL = true; root = pkgs.glowing-bear; @@ -36,7 +36,7 @@ in }; }; services.nginx.virtualHosts."weechat.dadada.li" = { - useACMEHost = "dadada.li"; + enableACME = true; forceSSL = true; root = "${pkgs.nginx}/html"; diff --git a/nixos/modules/yubikey.nix b/nixos/modules/yubikey.nix index 47699e1..4be4492 100644 --- a/nixos/modules/yubikey.nix +++ b/nixos/modules/yubikey.nix @@ -34,7 +34,7 @@ in }; u2f = { control = "sufficient"; - settings.cue = true; + cue = true; }; }; diff --git a/nixos/ninurta/configuration.nix b/nixos/ninurta/configuration.nix index d4a7bb9..39bdca7 100644 --- a/nixos/ninurta/configuration.nix +++ b/nixos/ninurta/configuration.nix 
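Review bot: The new side of the steam.nix hunk removes `programs.steam.enable = true;` without adding any replacement, so enabling `dadada.steam` now only configures 32-bit graphics and PulseAudio support and, unless Steam is installed elsewhere, no longer installs Steam at all; that line should stay. The hunk also sets `nixpkgs.config.allowUnfree = true;` from inside the module's `config = mkIf cfg.enable`, which widens the unfree policy for the whole host as a side effect of enabling one option; a comment such as `# allows unfree host-wide, not only for Steam` or a narrower `allowUnfreePredicate` keeps that visible. `driSupport32Bit = true` is a sub-option of the older `hardware.opengl` (it corresponds to `hardware.graphics.enable32Bit` on newer releases), so this hunk depends on the option rename discussed at gorgon/configuration.nix. The module's `options` block and closing brace are outside the hunk.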
@@ -14,6 +14,7 @@ let uwuPrivKey = "pruflas-wg0-key"; wgHydraPrivKey = "pruflas-wg-hydra-key"; uwuPresharedKey = "pruflas-wg0-preshared-key"; + hydraGitHubAuth = "hydra-github-authorization"; initrdSshKey = "/etc/ssh/ssh_initrd_ed25519_key"; softServePort = 23231; in @@ -153,6 +154,34 @@ in mode = "400"; }; + age.secrets.${hydraGitHubAuth} = { + file = "${secretsPath}/${hydraGitHubAuth}.age"; + mode = "440"; + owner = "hydra-www"; + group = "hydra"; + }; + + services.hydra = { + enable = false; + package = pkgs.hydra; + hydraURL = "https://hydra.dadada.li"; + notificationSender = "hydra@localhost"; + buildMachinesFiles = [ ]; + useSubstitutes = true; + port = 3000; + listenHost = "10.3.3.3"; + extraConfig = '' + Include ${config.age.secrets."${hydraGitHubAuth}".path} + + + jobs = nix-config:main.* + inputs = nix-config + excludeBuildFromContext = 1 + useShortContext = 1 + + ''; + }; + nix.buildMachines = [ { hostName = "localhost"; @@ -270,10 +299,14 @@ in linkConfig.RequiredForOnline = false; routes = [ { - Destination = "10.3.3.1/24"; + routeConfig = { + Destination = "10.3.3.1/24"; + }; } { - Destination = "fd42:9c3b:f96d:121::1/64"; + routeConfig = { + Destination = "fd42:9c3b:f96d:121::1/64"; + }; } ]; }; @@ -290,10 +323,14 @@ in linkConfig.RequiredForOnline = false; routes = [ { - Destination = "10.11.0.0/22"; + routeConfig = { + Destination = "10.11.0.0/22"; + }; } { - Destination = "fc00:1337:dead:beef::10.11.0.0/118"; + routeConfig = { + Destination = "fc00:1337:dead:beef::10.11.0.0/118"; + }; } ]; }; 
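Review bot: `age.secrets.${hydraGitHubAuth}` is installed with `owner = "hydra-www"` and `group = "hydra"`, but the same hunk sets `services.hydra.enable = false`; if those users and groups only exist when Hydra is enabled, the chown during secret activation is likely to fail on a host that cannot resolve them, so either enable Hydra or gate the secret with `age.secrets.${hydraGitHubAuth} = lib.mkIf config.services.hydra.enable { ... };`. The `extraConfig` text shows `Include ${config.age.secrets."${hydraGitHubAuth}".path}` followed by bare `jobs = ...`/`inputs = ...` keys surrounded by blank lines, which looks like an angle-bracket section header that this rendering has stripped — verify the committed file still carries the section markers, since without them Hydra will not accept those keys. `listenHost = "10.3.3.3"` and `port = 3000` bind the web UI to the WireGuard address only, which is reasonable for a service fronted by nginx on another host. The enclosing `in { ... }` attrset starts before this hunk.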
@@ -333,21 +370,25 @@ in }; wireguardPeers = [ { - PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY="; - AllowedIPs = [ - "10.3.3.1/32" - "fd42:9c3b:f96d:121::1/128" - ]; - PersistentKeepalive = 25; - Endpoint = "surgat.dadada.li:51235"; + wireguardPeerConfig = { + PublicKey = "KzL+PKlv4LktIqqTqC9Esw8dkSZN2qSn/vq76UHbOlY="; + AllowedIPs = [ + "10.3.3.1/32" + "fd42:9c3b:f96d:121::1/128" + ]; + PersistentKeepalive = 25; + Endpoint = "surgat.dadada.li:51235"; + }; } { - PublicKey = "INfv++4R+Kd2jdh/3CooM70ZeeoN6aeU6mo+T4C8gWU="; - AllowedIPs = [ - "10.3.3.2/32" - "fd42:9c3b:f96d:121::2/128" - ]; - Endpoint = "192.168.101.1:51235"; + wireguardPeerConfig = { + PublicKey = "INfv++4R+Kd2jdh/3CooM70ZeeoN6aeU6mo+T4C8gWU="; + AllowedIPs = [ + "10.3.3.2/32" + "fd42:9c3b:f96d:121::2/128" + ]; + Endpoint = "192.168.101.1:51235"; + }; } ]; }; @@ -361,15 +402,17 @@ in }; wireguardPeers = [ { - PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8="; - AllowedIPs = [ - "10.11.0.0/22" - "fc00:1337:dead:beef::10.11.0.0/118" - "192.168.178.0/23" - ]; - PersistentKeepalive = 25; - PresharedKeyFile = config.age.secrets.${uwuPresharedKey}.path; - Endpoint = "53c70r.de:51820"; + wireguardPeerConfig = { + PublicKey = "tuoiOWqgHz/lrgTcLjX+xIhvxh9jDH6gmDw2ZMvX5T8="; + AllowedIPs = [ + "10.11.0.0/22" + "fc00:1337:dead:beef::10.11.0.0/118" + "192.168.178.0/23" + ]; + PersistentKeepalive = 25; + PresharedKeyFile = config.age.secrets.${uwuPresharedKey}.path; + Endpoint = "53c70r.de:51820"; + }; } ]; }; @@ -429,7 +472,7 @@ in }) ]; - services.pulseaudio.enable = false; + hardware.pulseaudio.enable = false; environment.systemPackages = with pkgs; [ smartmontools diff --git a/nixos/stolas/default.nix b/nixos/stolas/default.nix index 7b486f0..696f55f 100644 --- a/nixos/stolas/default.nix +++ b/nixos/stolas/default.nix 
@@ -12,20 +12,18 @@ ./paperless.nix ]; + nixpkgs = { + hostPlatform = "x86_64-linux"; + config.allowUnfree = true; + }; + boot = { lanzaboote = { enable = true; pkiBundle = "/var/lib/sbctl"; }; kernelModules = [ "kvm-amd" ]; - # Hopefully fixes suspend issues with wifi card - kernelPackages = pkgs.linuxPackages_latest; - kernelParams = [ - "resume=UUID=81dfbfa5-d578-479c-b11c-3ee5abd6848a" - "resume_offset=79859524" - "zswap.enabled=1" - ]; - extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]; + extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ]; # Lanzaboote currently replaces the systemd-boot module. # This setting is usually set to true in configuration.nix # generated at installation time. So we force it to false @@ -45,46 +43,20 @@ }; environment.systemPackages = [ - config.dadada.pkgs.repo-rs # For debugging and troubleshooting Secure Boot. pkgs.sbctl - # Framework embedded controller interface - pkgs.fw-ectool ]; - fonts = { - enableDefaultPackages = true; - packages = with pkgs; [ - fira - fira-code - fira-code-symbols - fira-mono - font-awesome - uw-ttyp0 - ]; - fontconfig = { - enable = true; - allowBitmaps = true; - antialias = true; - useEmbeddedBitmaps = true; - defaultFonts.monospace = [ - "Ttyp0" - "Siji" - "Symbola" - ]; - }; - }; - hardware = { # NOTE: hardware.framework.enableKmod requires kernel patching, but enables access to some EC features bluetooth.enable = true; cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - enableRedistributableFirmware = true; + enableAllFirmware = true; framework.laptop13.audioEnhancement.enable = true; graphics = { enable = true; extraPackages = with pkgs; [ - libva-vdpau-driver + vaapiVdpau libvdpau-va-gl ]; }; 
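Review bot: `extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ];` builds the out-of-tree module against nixpkgs' default kernel rather than against `config.boot.kernelPackages`; it is consistent right now only because the same hunk also drops `kernelPackages = pkgs.linuxPackages_latest`, and it will stop loading the moment a different kernel is selected again, so the previous form `config.boot.kernelPackages.v4l2loopback` should be kept. The second stolas hunk replaces `enableRedistributableFirmware = true` with `enableAllFirmware = true`, which additionally pulls in non-redistributable firmware blobs and relies on unfree being allowed; if a specific blob motivated this, a comment naming it would justify the wider set, otherwise the redistributable set is usually sufficient for this hardware. `vaapiVdpau` in the same hunk appears to be the older attribute name of `libva-vdpau-driver`, which ties this file to the option and package renames noted at gorgon/configuration.nix. Both hunks sit inside the module attrset that opens before them.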
@@ -93,6 +65,10 @@ powerManagement = { enable = true; cpuFreqGovernor = "schedutil"; + # TODO: Limit charge of battery, does this work without kernel patches from hardware.frameworkenableKmod? + powerUpCommands = '' + echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold + ''; }; networking = { @@ -109,7 +85,7 @@ }; nix = { - settings.max-jobs = "auto"; + settings.max-jobs = lib.mkDefault 16; }; dadada = { @@ -120,14 +96,13 @@ enable = true; repo = "u355513-sub5@u355513-sub5.your-storagebox.de:/home/backup"; }; - steam.enable = true; }; programs = { adb.enable = true; firefox = { enable = true; - package = pkgs.firefox; + package = pkgs.firefox-wayland; }; gnupg.agent.enable = true; ssh.startAgent = true; @@ -199,6 +174,10 @@ "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false; }; + systemd.sleep.extraConfig = '' + HibernateDelaySec=1h + ''; + systemd.tmpfiles.rules = [ "v /var/.snapshots 0755 root root - -" "v /var/paperless/.snapshots 0755 root root - -" @@ -226,7 +205,20 @@ "wireshark" "paperless" ]; + shell = "/run/current-system/sw/bin/zsh"; }; }; }; + + # TODO + # age.secrets = { + # paperless = { + # file = "${config.dadada.secrets.path}/paperless.age"; + # mode = "700"; + # owner = "paperless"; + # }; + # }; + + # Create compressing swap space in RAM + zramSwap.enable = true; } diff --git a/nixos/stolas/disks.nix b/nixos/stolas/disks.nix index eff5680..01cf635 100644 --- a/nixos/stolas/disks.nix +++ b/nixos/stolas/disks.nix @@ -86,7 +86,7 @@ }; "/swap" = { mountpoint = "/.swapvol"; - swap.swapfile.size = "128G"; + swap.swapfile.size = "64G"; }; }; }; diff --git a/nixos/surgat/configuration.nix b/nixos/surgat/configuration.nix index 0faf5ce..5cd9596 100644 --- a/nixos/surgat/configuration.nix +++ b/nixos/surgat/configuration.nix @@ -27,7 +27,7 @@ in }; services.nginx.virtualHosts."hydra.${config.networking.domain}" = { - useACMEHost = "dadada.li"; + enableACME = true; forceSSL = true; root = "${pkgs.nginx}/html"; 
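Review bot: `HibernateDelaySec=1h` in `systemd.sleep.extraConfig` turns a suspend into suspend-then-hibernate after an hour, but the first stolas hunk on the previous line removes the `resume=UUID=...` and `resume_offset=...` kernel parameters and disks.nix shrinks the swapfile from 128G to 64G; without a resume target the kernel boots fresh after hibernating and the saved session is lost, and the swapfile must still be large enough to hold the image. Either keep the resume parameters (recomputing `resume_offset` for the resized file) or drop the hibernate delay. `powerUpCommands` writes `echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold` unconditionally, so on a kernel without that node the error is logged on every wake; `[ -w /sys/class/power_supply/BAT0/charge_control_stop_threshold ] && echo 80 > /sys/class/power_supply/BAT0/charge_control_stop_threshold` keeps the TODO harmless. The commented-out `age.secrets.paperless` block is dead configuration; the `# TODO` above it should state what blocks enabling it instead of carrying the full attrset.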
@@ -74,10 +74,12 @@ in "2a01:4f8:c17:1d70::/64" ]; routes = [ - { Gateway = "fe80::1"; } + { routeConfig.Gateway = "fe80::1"; } { - Gateway = "172.31.1.1"; - GatewayOnLink = true; + routeConfig = { + Gateway = "172.31.1.1"; + GatewayOnLink = true; + }; } ]; linkConfig.RequiredForOnline = "routable"; @@ -93,13 +95,19 @@ in linkConfig.RequiredForOnline = "no"; routes = [ { - Destination = "10.3.3.3/24"; + routeConfig = { + Destination = "10.3.3.3/24"; + }; } { - Destination = "fd42:9c3b:f96d:121::/64"; + routeConfig = { + Destination = "fd42:9c3b:f96d:121::/64"; + }; } { - Destination = "fd42:9c3b:f96d:101::/64"; + routeConfig = { + Destination = "fd42:9c3b:f96d:101::/64"; + }; } ]; }; @@ -116,12 +124,14 @@ in }; wireguardPeers = [ { - PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE="; - AllowedIPs = [ - "10.3.3.3/32" - "fd42:9c3b:f96d:121::3/128" - "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128" - ]; + wireguardPeerConfig = { + PublicKey = "Kw2HVRb1zeA7NAzBvI3UzmOj45VqM358EBuZWdlAUDE="; + AllowedIPs = [ + "10.3.3.3/32" + "fd42:9c3b:f96d:121::3/128" + "fd42:9c3b:f96d:101:4a21:bff:fe3e:9cfe/128" + ]; + }; } ]; }; @@ -135,7 +145,6 @@ in 22 # SSH 80 443 # HTTPS - 1667 ]; allowedUDPPorts = [ 51234 # Wireguard 
@@ -174,49 +183,5 @@ in ''; }; - services.soju = { - enable = true; - listen = [ "unix:///run/soju/irc.sock" ]; - acceptProxyIP = [ "localhost" ]; - }; - - # For owning the socket the right group - systemd.services.soju.serviceConfig.Group = "nginx"; - - services.nginx.streamConfig = '' - server { - listen 1667 ssl; - proxy_pass unix:/run/soju/irc.sock; - proxy_protocol on; - proxy_connect_timeout 1s; - ssl_certificate /var/lib/acme/dadada.li/fullchain.pem; - ssl_certificate_key /var/lib/acme/dadada.li/key.pem; - ssl_trusted_certificate /var/lib/acme/dadada.li/chain.pem; - } - ''; - - services.nginx.virtualHosts."soju.dadada.li" = { - useACMEHost = "dadada.li"; - forceSSL = true; - }; - - users.groups.acme.members = [ - "nginx" - ]; - - security.acme.certs = { - "dadada.li" = { - webroot = "/var/lib/acme/acme-challenge"; - extraDomainNames = [ - "element.dadada.li" - "hydra.dadada.li" - "git.dadada.li" - "miniflux.dadada.li" - "share.dadada.li" - "soju.dadada.li" - ]; - }; - }; - system.stateVersion = "23.05"; } diff --git a/outputs.nix b/outputs.nix index 7b5b029..c860d3c 100644 --- a/outputs.nix +++ b/outputs.nix @@ -1,3 +1,4 @@ +# Adapted from Mic92/dotfiles { self, flake-utils, @@ -10,7 +11,7 @@ (flake-utils.lib.eachDefaultSystem ( system: let - pkgs = nixpkgs.legacyPackages.${system}; + pkgs = import nixpkgs { inherit system; }; treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix; in { 
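Review bot: Removing `security.acme.certs."dadada.li"` while every vhost in this commit switches from `useACMEHost = "dadada.li"` to `enableACME = true` means each subdomain now requests its own certificate through the nginx module, which requires `security.acme.acceptTerms` and `security.acme.defaults.email` to be set; neither appears in this diff, so confirm they exist elsewhere or evaluation fails on surgat. The hunk also drops `users.groups.acme.members = [ "nginx" ]`; with `enableACME` the nginx module is expected to handle access to the certificates it requests, but anything else that read the shared files under `/var/lib/acme/dadada.li/` (the removed soju stream server was the visible consumer) now needs its own certificate entry. A short comment where the vhosts are declared, e.g. `# per-vhost certificates via enableACME; no shared dadada.li cert any more`, would document the new layout. The `in { ... }` attrset this hunk belongs to opens before it.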
@@ -27,21 +28,23 @@ in import ./devshell.nix { inherit pkgs extraModules; }; - checks = { - formatting = treefmtEval.config.build.check self; - }; - formatter = treefmtEval.config.build.wrapper; - packages = import ./pkgs { inherit pkgs inputs; } // { - installer-iso = inputs.self.nixosConfigurations.installer.config.system.build.isoImage; + packages = import ./pkgs { inherit pkgs; } // { + installer-iso = self.nixosConfigurations.installer.config.system.build.isoImage; }; } )) // { - hmConfigurations = { - dadada = import ./home; - }; + hmModules = import ./home/modules.nix { lib = nixpkgs.lib; }; + nixosConfigurations = import ./nixos/configurations.nix inputs; + nixosModules = import ./nixos/modules { lib = nixpkgs.lib; }; + + overlays = import ./overlays.nix; + + hydraJobs = import ./hydra-jobs.nix inputs; + + checks = import ./checks.nix inputs; } diff --git a/overlays.nix b/overlays.nix new file mode 100644 index 0000000..ffcd441 --- /dev/null +++ b/overlays.nix @@ -0,0 +1 @@ +{ } diff --git a/pkgs/default.nix b/pkgs/default.nix index c2f54db..9f52a8a 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -1,5 +1,4 @@ -{ pkgs, inputs }: +{ pkgs }: { citizen-cups = pkgs.callPackage ./citizen-cups.nix { }; - repo-rs = pkgs.callPackage inputs.repo-rs { }; } diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 50dd263..f449646 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,6 +1,7 @@ let dadada = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+bBJptw2H35vMPV7Mfj9oaepR7cHCQH8ZsvL8qnj+r dadada (nix-config-secrets) "; systems = { + agares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcbuLtU9/VhFy5VAp/ZI0T+gr7kExG73hmjjvno10gP root@nixos"; gorgon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCcwG8BkqjZJ1bPdFbLYfXeBgaI10+gyVs1r1aNJ49H root@gorgon"; ifrit = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEYO4L5EvKRtVUB6YHtHN7R980fwH9kKVt0V3kj6rORS root@nixos"; ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos"; 
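Review bot: `checks` moves from `treefmtEval.config.build.check self` to `import ./checks.nix inputs` while `formatter` stays `treefmtEval.config.build.wrapper`, so the formatter used by `nix fmt` and the check run by `nix flake check` are now defined in two places and can drift; if checks.nix does not wrap treefmt, keep the treefmt check next to it. `hydraJobs = import ./hydra-jobs.nix inputs;` references a file that is not part of this diff; if it does not exist yet, every flake evaluation that enumerates outputs fails on this attribute. The `eachDefaultSystem` closure this hunk edits starts outside the hunk.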
@@ -62,16 +63,24 @@ in dadada ]; "ddns-credentials.age".publicKeys = [ + systems.agares systems.ninurta dadada ]; "etc-ppp-chap-secrets.age".publicKeys = [ + systems.agares dadada ]; "etc-ppp-telekom-secret.age".publicKeys = [ + systems.agares dadada ]; "wg-privkey-vpn-dadada-li.age".publicKeys = [ + systems.agares + dadada + ]; + "agares-wg0-key.age".publicKeys = [ + systems.agares dadada ]; } @@ -80,4 +89,5 @@ in // backupSecrets "ifrit" // backupSecrets "pruflas" // backupSecrets "surgat" +// backupSecrets "agares" // backupSecrets "stolas"
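Review bot: `ddns-credentials.age` is now decryptable by both `systems.agares` and `systems.ninurta`, and `wg-privkey-vpn-dadada-li.age` by agares in addition to the admin key; if agares is taking over the router role from ninurta, ninurta's key should be removed from `ddns-credentials.age` once the migration is done, and a WireGuard private key that two hosts can read should rather be split per host — the hunk already introduces a dedicated `agares-wg0-key.age` for that purpose. Adding a recipient to `secrets.nix` does not re-encrypt the existing `.age` files; they need to be rekeyed (`agenix -r`) before agares can decrypt them, which is worth stating in the commit message. The new `agares` entry in `systems` carries the generic comment `root@nixos`, like `ifrit` and `ninurta`; a host-specific comment makes key rotation less error-prone.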