Merge branch 'master' of github.com:Kropatz/dotfiles

This commit is contained in:
Kopatz
2024-04-02 09:04:58 +02:00
54 changed files with 498 additions and 186 deletions


@@ -1,6 +1,7 @@
{ config, pkgs, lib, inputs, ... }:
let
kavita = "/mnt/1tbssd/kavita";
gitolite = "/var/lib/gitolite";
in
{
age.secrets.restic-pw = {
@@ -31,6 +32,7 @@ in
"/mnt/250ssd/nextcloud"
"/mnt/250ssd/paperless"
kavita
gitolite
"/var/lib/palworld/Pal/Saved"
];
pruneOpts = [ "--keep-daily 7" "--keep-weekly 3" "--keep-monthly 3" "--keep-yearly 3" ];
@@ -53,6 +55,7 @@ in
"/mnt/250ssd/nextcloud"
"/mnt/250ssd/paperless"
kavita
gitolite
"/var/lib/palworld/Pal/Saved"
];
pruneOpts = [ "--keep-daily 7" "--keep-weekly 3" "--keep-monthly 3" "--keep-yearly 3" ];
@@ -68,6 +71,7 @@ in
"/mnt/250ssd/nextcloud"
"/mnt/250ssd/paperless"
kavita
gitolite
"/var/lib/palworld/Pal/Saved"
];
exclude = [
@@ -93,6 +97,7 @@ in
"/mnt/250ssd/matrix-synapse/media_store/"
"/mnt/250ssd/nextcloud"
"/mnt/250ssd/paperless"
gitolite
];
exclude = [
"/home/**/Cache"
@@ -127,6 +132,7 @@ in
"/home"
"/var/backup/postgresql"
"/var/lib/palworld/Pal/Saved"
gitolite
];
pruneOpts = [ "--keep-daily 5" "--keep-weekly 3" "--keep-monthly 3" "--keep-yearly 3" ];
timerConfig = {
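Review bot: The same backup path list is now maintained by hand in five restic jobs, and this commit has to add `gitolite` to each of them; the lists visible in the third and fourth hunks already differ (one shows `kavita`, the other does not), which is the kind of drift this invites, although whether each job is meant to share the same set cannot be confirmed from the hunks. A single binding next to the existing ones, e.g. `sharedPaths = [ kavita gitolite "/var/lib/palworld/Pal/Saved" ];`, with `paths = sharedPaths ++ [ ... ];` per job, would make an omission a one-line fix. Every `paths` list here begins outside its hunk.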


@@ -26,5 +26,6 @@
unzip
lsof
screen
tmux
];
}


@@ -0,0 +1,38 @@
{pkgs, ...}:
{
imports = [
### System modules ###
../cli-tools.nix
../docker.nix
../fh/scanning.nix
../flatpak.nix
../gpg.nix
../graphical/audio.nix
../graphical/code.nix
../graphical/emulators.nix
../graphical/gamemode.nix
../graphical/games.nix
../graphical/ime.nix
../graphical/obs.nix
#../graphical/lxqt.nix
../graphical/plasma.nix
../graphical/shared.nix
../hardware/firmware.nix
../hardware/nvidia.nix
../hardware/ssd.nix
../hardware/wooting.nix
../kernel.nix # use latest kernel
../nftables.nix
../nix/index.nix
../nix/ld.nix
../nix/settings.nix
../noise-supression.nix
../support/ntfs.nix
../tmpfs.nix
../virt-manager.nix
../wireshark.nix
#../fh/forensik.nix
#../graphical/hyprland.nix
#../hardware/vfio.nix too stupid for this
];
}


@@ -0,0 +1,36 @@
{pkgs, ...}:
{
imports = [
### Services ###
../services/acme.nix
../services/adguard.nix
../services/github-runner.nix
../services/gitolite.nix
../services/kavita.nix
../services/netdata.nix
../services/nextcloud.nix
../services/nginx.nix
../services/postgres.nix
../services/samba.nix
../services/ssh.nix
../services/step-ca.nix
../services/wireguard.nix
### Other Modules ###
#../games/palworld.nix
../backup.nix
../cli-tools.nix
../cron.nix
../docker.nix
../fail2ban.nix
../firewall.nix
../git.nix
../hdd-spindown.nix
../logging.nix
../motd.nix
../nix/settings.nix
../static-ip.nix
../tmpfs.nix
### Hardware ###
../hardware/ssd.nix
];
}


@@ -1,7 +1,8 @@
{ config, pkgs, lib, inputs, ... }:
{
virtualisation.docker.enable = true;
virtualisation.docker.daemon.settings = { ip = "127.0.0.1"; };
environment.systemPackages = with pkgs; [
docker-compose
];
}
}
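Review bot: The new `virtualisation.docker.daemon.settings = { ip = "127.0.0.1"; };` line carries no comment, and since it changes the default bind address for every published container port from all interfaces to loopback, a later reader may well "fix" it back. Suggest `# default bind address for published ports: loopback only, expose via the reverse proxy`. Whether the change is also meant to keep Docker-managed ports off the LAN regardless of the host firewall cannot be told from this hunk, so say so in the comment if that is the intent.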

9
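--- /dev/null
+++ b/modules/fh/scanning.nix
@@ -0,0 +1,9 @@
+{ pkgs, ...} :
+{
+environment.systemPackages = with pkgs; [
+nmap
+gobuster
+thc-hydra
+seclists
+];
+}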
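Review bot: The module header `{ pkgs, ...} :` is spaced differently from every other module in this commit (`{ pkgs, ... }:`), which stands out in a file that is otherwise a plain package list. A one-word comment on what the module is for would also help, since the directory name `fh` says nothing to a new reader.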


@@ -1,4 +0,0 @@
{
### docker
virtualisation.docker.enable = true;
}


@@ -1,9 +1,9 @@
{ config, pkgs, ... }:
{ config, pkgs, mainUser, ... }:
{
services.xserver = {
layout = "at";
xkbVariant = "";
layout = mainUser.layout;
xkbVariant = mainUser.variant;
enable = true;
displayManager.gdm.enable = true;
desktopManager.gnome.enable = true;
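Review bot: `mainUser` is taken as a module argument here while the lxqt and plasma modules in this same commit read `config.mainUser.layout` and `config.mainUser.variant`; unless `mainUser` is also passed in through `specialArgs`, which this hunk cannot show, this module will fail to evaluate on an unknown argument. Keeping `{ config, pkgs, ... }:` and writing `layout = config.mainUser.layout;` / `xkbVariant = config.mainUser.variant;` would make the three modules consistent. The sibling modules also use the `xkb.layout` / `xkb.variant` option names rather than the top-level `layout` / `xkbVariant` kept here. The `services.xserver` attribute set continues outside the hunk.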


@@ -0,0 +1,10 @@
{ config, pkgs, ...}:
{
services.xserver = {
xkb.layout = config.mainUser.layout;
xkb.variant = config.mainUser.variant;
enable = true;
displayManager.sddm.enable = true;
desktopManager.lxqt.enable = true;
};
}


@@ -2,11 +2,12 @@
{
services.xserver = {
xkb.layout = "at";
xkb.variant = "";
xkb.layout = config.mainUser.layout;
xkb.variant = config.mainUser.variant;
enable = true;
displayManager.sddm.enable = true;
#displayManager.sddm.wayland.enable = true;
};
services.desktopManager.plasma6.enable = true;
environment.plasma6.excludePackages = with pkgs.kdePackages; [ ocean-sound-theme spectacle ];
}


@@ -4,13 +4,8 @@ let
screenshot = pkgs.writeShellScriptBin "screenshot.sh" ''
${pkgs.scrot}/bin/scrot -fs - | ${pkgs.xclip}/bin/xclip -selection clipboard -t image/png -i
'';
tetrioPlus = pkgs.unstable.tetrio-desktop.overrideAttrs (old: {
withTetrioPlus = true;
});
in
{
programs.dconf.enable = true;
programs.kdeconnect.enable = true;
@@ -25,7 +20,7 @@ in
];
networking.firewall = {
enable = false;
enable = true;
allowedTCPPorts = [ 53317 ]; #localsend
allowedUDPPorts = [ 1194 53317 ]; #openvpn, localsend
allowedTCPPortRanges = [
@@ -51,7 +46,7 @@ in
rofi
localsend
element-desktop
tetrioPlus
tetrio
krita
unstable.libreoffice-fresh
mangohud
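Review bot: Turning `networking.firewall.enable` on is the right direction, but the inbound allowance `allowedUDPPorts = [ 1194 53317 ]` commented `#openvpn` is only needed if this desktop runs an OpenVPN server; a client that initiates the tunnel needs no inbound rule, so if that is the case here the `1194` entry can be dropped. `allowedTCPPortRanges` continues outside the hunk, so the full exposure is not visible. The desktop host module added in this commit also imports `../nftables.nix`; how that interacts with the NixOS firewall cannot be seen from this hunk and is worth a comment next to `enable = true;`.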


@@ -1,40 +1,67 @@
{ pkgs, ... }:
{
programs.nix-ld.enable = true;
# programs.nix-ld.libraries = with pkgs; [
# nspr
# xorg.libXrandr
# xorg.libX11
# xorg.libXcomposite
# xorg.libXdamage
# xorg.libXfixes
# xorg.libXrender
# xorg.libXtst
# xorg.libXau
# xorg.libXdmcp
# expat
# libgcc.lib
# libglvnd
# zlib
# zstd
# stdenv.cc.cc
# curl
# openssl
# attr
# libssh
# bzip2
# libxml2
# acl
# libsodium
# util-linux
# xz
# systemd
# libkrb5
# glib
# nss
# freetype
# fontconfig.lib
# dbus.lib
# alsa-lib
# ];
programs.nix-ld.libraries = with pkgs; [
acl
alsa-lib
at-spi2-atk
at-spi2-core
atk
attr
bzip2
cairo
cups
curl
dbus.lib
expat
fontconfig.lib
freetype
gdk-pixbuf
glib
gtk3
icu
libGL
libappindicator-gtk3
libdrm
libgcc.lib
libglvnd
libkrb5
libnotify
libpulseaudio
libsodium
libssh
libusb1
libuuid
libxkbcommon
libxml2
mesa
nspr
nspr
nss
openssl
pango
pipewire
stdenv.cc.cc
systemd
util-linux
xorg.libX11
xorg.libXScrnSaver
xorg.libXau
xorg.libXcomposite
xorg.libXcursor
xorg.libXdamage
xorg.libXdmcp
xorg.libXext
xorg.libXfixes
xorg.libXi
xorg.libXrandr
xorg.libXrender
xorg.libXtst
xorg.libxcb
xorg.libxkbfile
xorg.libxshmfence
xz
zlib
zstd
];
}
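Review bot: `nspr` appears twice in the new `programs.nix-ld.libraries` list, on consecutive entries; one of them should be dropped. It is harmless at evaluation time, but it suggests the list was merged by hand, so a quick pass for other duplicates before this lands would be cheap.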


@@ -1,7 +1,7 @@
{ config, pkgs, lib, inputs, ... }:
{
age.secrets.coturn-secret = {
file = ../secrets/coturn-secret.age;
file = ../../secrets/coturn-secret.age;
owner = "turnserver";
group = "turnserver";
};


@@ -1,7 +1,7 @@
{ config, pkgs, lib, inputs, ... }:
{
age.secrets.duckdns = {
file = ../secrets/duckdns.age;
file = ../../secrets/duckdns.age;
};
services.ddclient = {
enable = true;
@@ -9,4 +9,4 @@
passwordFile = config.age.secrets.duckdns.path;
domains = ["wachbirn.duckdns.org"];
};
}
}


@@ -12,12 +12,12 @@
extraGroups = [ "docker" ];
};
age.secrets.github-runner-token = {
file = ../secrets/github-runner-token.age;
file = ../../secrets/github-runner-token.age;
owner = "github-actions-runner";
group = "github-actions-runner";
};
age.secrets.github-runner-pw = {
file = ../secrets/github-runner-pw.age;
file = ../../secrets/github-runner-pw.age;
owner = "github-actions-runner";
group = "github-actions-runner";
};


@@ -0,0 +1,9 @@
{ config, ...}:
{
# configure git clone gitolite@server:gitolite-admin
# help ssh gitolite@server help
services.gitolite = {
enable = true;
adminPubkey = config.mainUser.sshKey;
};
}
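Review bot: The two leading comment lines read as bare commands and would be clearer as usage notes, e.g. `# admin repo: git clone gitolite@<host>:gitolite-admin` and `# list access: ssh gitolite@<host> help`. `adminPubkey = config.mainUser.sshKey;` also deserves a one-line comment, since it ties gitolite administration to the main user's login key: rotating that key changes who can administer gitolite, which is not obvious from the service block alone.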


@@ -5,7 +5,7 @@ let
in
{
age.secrets.invidious-extra-settings = {
file = ../secrets/invidious-extra-settings.age;
file = ../../secrets/invidious-extra-settings.age;
mode = "444";
};


@@ -2,11 +2,17 @@
let
fqdn = "kavita.home.arpa";
useHttps = config.services.step-ca.enable;
baseDir = "/mnt/1tbssd/kavita";
mangal = "${pkgs.mangal}/bin/mangal";
in
{
networking.firewall.allowedTCPPorts = [ 5000 ];
systemd.tmpfiles.rules = [
"d ${baseDir} 0770 kavita kavita -"
"d ${baseDir}/manga 0770 kavita kavita -"
];
age.secrets.kavita = {
file = ../secrets/kavita.age;
file = ../../secrets/kavita.age;
owner = "kavita";
group = "kavita";
};
@@ -14,9 +20,10 @@ in
enable = true;
user = "kavita";
port = 5000;
dataDir = "/mnt/1tbssd/kavita";
dataDir = baseDir;
tokenKeyFile = config.age.secrets.kavita.path;
};
#todo: base url needs new kavita version
systemd.services.kavita = {
preStart = ''
@@ -32,6 +39,27 @@ in
'';
};
systemd.services.download-manga = {
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
startAt = "*-*-* 19:00:00";
script = ''
${mangal} inline -S Mangapill -q omniscient -m first -d
${mangal} inline -S Mangapill --query "oshi-no-ko" --manga first --download
${mangal} inline -S Mangapill --query "Frieren" --manga first --download
${mangal} inline -S Mangapill --query "Chainsaw" --manga first --download
'';
serviceConfig = {
PrivateTmp = true;
User = "kavita";
Group = "kavita";
Type = "oneshot";
WorkingDirectory = "${baseDir}/manga";
};
};
security.acme.certs."${fqdn}".server = "https://127.0.0.1:8443/acme/acme/directory";
services.nginx.virtualHosts."${fqdn}" = {
forceSSL = useHttps;
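Review bot: The new `download-manga` service is both `wantedBy = [ "multi-user.target" ]` and scheduled with `startAt`, so the oneshot runs at every boot in addition to the 19:00 timer; if only the timer is intended, the `wantedBy` line should go. The unit also fetches remote content as the `kavita` user with no sandboxing beyond `PrivateTmp`, while that user owns the whole library created by the new `tmpfiles` rules; restricting writes to the manga directory and dropping privileges keeps a misbehaving downloader from touching the rest of the library or the system. The suggested `serviceConfig` below adds those restrictions; the `kavita` service definition above this hunk is unchanged and `services.nginx.virtualHosts` continues outside it.
```nix
systemd.services.download-manga = {
  # … unchanged: wants / after / startAt / script …
  serviceConfig = {
    Type = "oneshot";
    User = "kavita";
    Group = "kavita";
    PrivateTmp = true;
    WorkingDirectory = "${baseDir}/manga";
    # The downloader talks to remote sites; confine its writes to the manga directory
    ProtectSystem = "strict";
    ReadWritePaths = [ "${baseDir}/manga" ];
    ProtectHome = true;
    PrivateDevices = true;
    NoNewPrivileges = true;
  };
};
```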


@@ -33,7 +33,7 @@ in
};
age.secrets.nextcloud-admin = {
file = ../secrets/nextcloud-admin.age;
file = ../../secrets/nextcloud-admin.age;
owner = "nextcloud";
group = "nextcloud";
};


@@ -6,7 +6,7 @@ in
{
networking.firewall.allowedTCPPorts = [ 28981 ];
age.secrets.paperless = {
file = ../secrets/paperless.age;
file = ../../secrets/paperless.age;
owner = "paperless";
group = "paperless";
};


@@ -2,9 +2,15 @@
networking.firewall.allowedTCPPorts = [ 22 ];
services.openssh = {
enable = true;
allowSFTP = false;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.X11Forwarding = false;
settings.PermitRootLogin = "no";
settings.X11Forwarding = true;
extraConfig = ''
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
};
}
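Review bot: `settings.X11Forwarding` flips from `false` to `true` in the same hunk that disables agent and stream-local forwarding and sets `PermitRootLogin = "no"`, so it is the odd one out: X11 forwarding lets a compromised server drive the connecting client's display, which is a larger exposure than the forwardings being switched off. If a single user needs it, scope it with a `Match User` block in `extraConfig` rather than enabling it globally; otherwise keep `settings.X11Forwarding = false;`. The three keywords in `extraConfig` could also sit in `settings` next to the others (e.g. `settings.AllowAgentForwarding = "no";`), assuming the freeform `settings` option is available on the NixOS release in use.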


@@ -34,12 +34,12 @@ in
{
security.pki.certificates = [ root_ca ];
age.secrets.step-ca-pw = {
file = ../secrets/step-ca-pw.age;
file = ../../secrets/step-ca-pw.age;
owner = "step-ca";
group = "step-ca";
};
age.secrets.step-ca-key = {
file = ../secrets/step-ca-key.age;
file = ../../secrets/step-ca-key.age;
owner = "step-ca";
group = "step-ca";
};


@@ -59,7 +59,7 @@ in {
};
age.secrets.matrix-registration = {
file = ../secrets/matrix-registration.age;
file = ../../secrets/matrix-registration.age;
owner = "matrix-synapse";
group = "matrix-synapse";
};


@@ -5,7 +5,7 @@ in
{
age.secrets.wireguard-private = {
file = ../secrets/wireguard-private.age;
file = ../../secrets/wireguard-private.age;
};
networking.nat.enable = true;