noah/dotfiles
1
0
Fork 0
mirror of https://github.com/nmasur/dotfiles synced 2025-07-06 17:50:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

initial refactoring

Browse Source
This commit is contained in:
Noah Masur
2025-01-20 22:35:40 -05:00
parent a4b5e05f8f
commit c7933f8502
209 changed files with 5998 additions and 5308 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
modules/nixos/applications/calendar.nix
View File

@ -1,37 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options = {
calendar = {
enable = lib.mkEnableOption {
description = "Enable calendar.";
default = false;
};
};
};
config = lib.mkIf (config.gui.enable && config.calendar.enable) {
home-manager.users.${config.user} = {
accounts.calendar.accounts.default = {
basePath = "other/calendars"; # Where to save calendars in ~ directory
name = "personal";
local.type = "filesystem";
primary = true;
remote = {
passwordCommand = [ "" ];
type = "caldav";
url = "https://${config.hostnames.content}/remote.php/dav/principals/users/${config.user}";
userName = config.user;
};
};
home.packages = with pkgs; [ gnome-calendar ];
};
};
}

29
modules/nixos/applications/calibre.nix
View File

@ -1,29 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options = {
calibre = {
enable = lib.mkEnableOption {
description = "Enable Calibre.";
default = false;
};
};
};
config = lib.mkIf (config.gui.enable && config.calibre.enable) {
home-manager.users.${config.user} = {
home.packages = with pkgs; [ calibre ];
# home.sessionVariables = { CALIBRE_USE_DARK_PALETTE = 1; };
};
# Forces Calibre to use dark mode
environment.sessionVariables = {
CALIBRE_USE_DARK_PALETTE = "1";
};
};
}

9
modules/nixos/applications/default.nix
View File

@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./calendar.nix
./calibre.nix
./nautilus.nix
];
}

55
modules/nixos/applications/nautilus.nix
View File

@ -1,55 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options = {
nautilus = {
enable = lib.mkEnableOption {
description = "Enable Nautilus file manager.";
default = false;
};
};
};
# Install Nautilus file manager
config = lib.mkIf (config.gui.enable && config.nautilus.enable) {
# Quick preview with spacebar
services.gnome.sushi.enable = true;
environment.systemPackages = [ pkgs.nautilus ];
home-manager.users.${config.user} = {
# Quick button for launching nautilus
xsession.windowManager.i3.config.keybindings = {
"${
config.home-manager.users.${config.user}.xsession.windowManager.i3.config.modifier
}+n" = "exec --no-startup-id ${pkgs.nautilus}/bin/nautilus";
};
# Generates a QR code and previews it with sushi
programs.fish.functions = {
qr = {
body = "${pkgs.qrencode}/bin/qrencode $argv[1] -o /tmp/qr.png | ${pkgs.sushi}/bin/sushi /tmp/qr.png";
};
};
# Set Nautilus as default for opening directories
xdg.mimeApps = {
associations.added."inode/directory" = [ "org.gnome.Nautilus.desktop" ];
defaultApplications."inode/directory" = lib.mkBefore [ "org.gnome.Nautilus.desktop" ];
};
};
# Delete Trash files older than 1 week
systemd.user.services.empty-trash = {
description = "Empty Trash on a regular basis";
wantedBy = [ "default.target" ];
script = "${pkgs.trash-cli}/bin/trash-empty 7";
};
};
}

14
modules/nixos/gaming/chiaki.nix
View File

@ -1,14 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options.gaming.chiaki.enable = lib.mkEnableOption "Chiaki PlayStation remote play client.";
config = lib.mkIf config.gaming.chiaki.enable {
environment.systemPackages = with pkgs; [ chiaki ];
};
}

29
modules/nixos/gaming/default.nix
View File

@ -1,29 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
imports = [
./chiaki.nix
./dwarf-fortress.nix
./legendary.nix
./lutris.nix
./minecraft-server.nix
./moonlight.nix
./ryujinx.nix
./steam.nix
];
options.gaming.enable = lib.mkEnableOption "Enable gaming features.";
config = lib.mkIf (config.gaming.enable && pkgs.stdenv.isLinux) {
hardware.graphics = {
enable = true;
enable32Bit = true;
};
programs.gamemode.enable = true;
};
}

37
modules/nixos/gaming/dwarf-fortress.nix
View File

@ -1,37 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options.gaming.dwarf-fortress.enable = lib.mkEnableOption "Dwarf Fortress free edition.";
config = lib.mkIf config.gaming.dwarf-fortress.enable {
unfreePackages = [
"dwarf-fortress"
"phoebus-theme"
];
environment.systemPackages =
let
dfDesktopItem = pkgs.makeDesktopItem {
name = "dwarf-fortress";
desktopName = "Dwarf Fortress";
exec = "${pkgs.dwarf-fortress-packages.dwarf-fortress-full}/bin/dfhack";
terminal = false;
};
dtDesktopItem = pkgs.makeDesktopItem {
name = "dwarftherapist";
desktopName = "Dwarf Therapist";
exec = "${pkgs.dwarf-fortress-packages.dwarf-fortress-full}/bin/dwarftherapist";
terminal = false;
};
in
[
pkgs.dwarf-fortress-packages.dwarf-fortress-full
dfDesktopItem
dtDesktopItem
];
};
}

160
modules/nixos/gaming/minecraft-server.nix
View File

@ -1,160 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
localPort = 25564;
publicPort = 49732;
rconPort = 25575;
rconPassword = "thiscanbeanything";
in
{
config = lib.mkIf config.services.minecraft-server.enable {
unfreePackages = [ "minecraft-server" ];
services.minecraft-server = {
eula = true;
declarative = true;
whitelist = { };
openFirewall = false;
serverProperties = {
server-port = localPort;
difficulty = "normal";
gamemode = "survival";
white-list = false;
enforce-whitelist = false;
level-name = "world";
motd = "Welcome!";
pvp = true;
player-idle-timeout = 30;
generate-structures = true;
max-players = 20;
snooper-enabled = false;
spawn-npcs = true;
spawn-animals = true;
spawn-monsters = true;
allow-nether = true;
allow-flight = false;
enable-rcon = true;
"rcon.port" = rconPort;
"rcon.password" = rconPassword;
};
};
networking.firewall.allowedTCPPorts = [ publicPort ];
cloudflare.noProxyDomains = [ config.hostnames.minecraft ];
## Automatically start and stop Minecraft server based on player connections
# Adapted shamelessly from:
# https://dataswamp.org/~solene/2022-08-20-on-demand-minecraft-with-systemd.html
# Prevent Minecraft from starting by default
systemd.services.minecraft-server = {
wantedBy = pkgs.lib.mkForce [ ];
};
# Listen for connections on the public port, to trigger the actual
# listen-minecraft service.
systemd.sockets.listen-minecraft = {
wantedBy = [ "sockets.target" ];
requires = [ "network.target" ];
listenStreams = [ "${toString publicPort}" ];
};
# Proxy traffic to local port, and trigger hook-minecraft
systemd.services.listen-minecraft = {
path = [ pkgs.systemd ];
requires = [
"hook-minecraft.service"
"listen-minecraft.socket"
];
after = [
"hook-minecraft.service"
"listen-minecraft.socket"
];
serviceConfig.ExecStart = "${pkgs.systemd.out}/lib/systemd/systemd-socket-proxyd 127.0.0.1:${toString localPort}";
};
# Start Minecraft if required and wait for it to be available
# Then unlock the listen-minecraft.service
systemd.services.hook-minecraft = {
path = with pkgs; [
systemd
libressl
busybox
];
# Start Minecraft and the auto-shutdown timer
script = ''
systemctl start minecraft-server.service
systemctl start stop-minecraft.timer
'';
# Keep checking until the service is available
postStart = ''
for i in $(seq 60); do
if ${pkgs.libressl.nc}/bin/nc -z 127.0.0.1 ${toString localPort} > /dev/null ; then
exit 0
fi
${pkgs.busybox.out}/bin/sleep 1
done
exit 1
'';
};
# Run a player check on a schedule for auto-shutdown
systemd.timers.stop-minecraft = {
timerConfig = {
OnCalendar = "*-*-* *:*:0/20"; # Every 20 seconds
Unit = "stop-minecraft.service";
};
};
# If no players are connected, then stop services and prepare to resume again
systemd.services.stop-minecraft = {
serviceConfig.Type = "oneshot";
script = ''
# Check when service was launched
servicestartsec=$(
date -d \
"$(systemctl show \
--property=ActiveEnterTimestamp \
minecraft-server.service \
| cut -d= -f2)" \
+%s)
# Calculate elapsed time
serviceelapsedsec=$(( $(date +%s) - servicestartsec))
# Ignore if service just started
if [ $serviceelapsedsec -lt 180 ]
then
echo "Server was just started"
exit 0
fi
PLAYERS=$(
printf "list\n" \
| ${pkgs.rcon.out}/bin/rcon -m \
-H 127.0.0.1 -p ${builtins.toString rconPort} -P ${rconPassword} \
)
if echo "$PLAYERS" | grep "are 0 of a"
then
echo "Stopping server"
systemctl stop minecraft-server.service
systemctl stop hook-minecraft.service
systemctl stop stop-minecraft.timer
fi
'';
};
};
}

14
modules/nixos/gaming/moonlight.nix
View File

@ -1,14 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options.gaming.moonlight.enable = lib.mkEnableOption "Enable Moonlight game streaming client.";
config = lib.mkIf config.gaming.moonlight.enable {
environment.systemPackages = with pkgs; [ moonlight-qt ];
};
}

42
modules/nixos/gaming/steam.nix
View File

@ -1,42 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options.gaming.steam.enable = lib.mkEnableOption "Steam game launcher.";
config = lib.mkIf (config.gaming.steam.enable && pkgs.stdenv.isLinux) {
hardware.steam-hardware.enable = true;
unfreePackages = [
"steam"
"steam-original"
"steamcmd"
"steam-run"
"steam-unwrapped"
];
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
extraCompatPackages = [ pkgs.proton-ge-bin ];
gamescopeSession.enable = true;
};
environment.systemPackages = with pkgs; [
# Enable terminal interaction
steamcmd
steam-tui
# Overlay with performance monitoring
mangohud
];
# Seems like NetworkManager can help speed up Steam launch
# https://www.reddit.com/r/archlinux/comments/qguhco/steam_startup_time_arch_1451_seconds_fedora_34/hi8opet/
networking.networkmanager.enable = true;
};
}

17
modules/nixos/graphical/dmenu.nix
View File

@ -1,17 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options.gui.dmenu.enable = lib.mkEnableOption "dmenu launcher.";
config = lib.mkIf (config.services.xserver.enable && config.dmenu.enable) {
home-manager.users.${config.user}.home.packages = [ pkgs.dmenu ];
gui.launcherCommand = "${pkgs.dmenu}/bin/dmenu_run";
};
}

29
modules/nixos/graphical/dunst.nix
View File

@ -1,29 +0,0 @@
{ config, ... }:
{
config = {
home-manager.users.${config.user}.services.dunst = {
enable = false;
settings = {
global = {
width = 300;
height = 200;
offset = "30x50";
origin = "top-right";
transparency = 0;
padding = 20;
horizontal_padding = 20;
frame_color = config.theme.colors.base03;
};
urgency_normal = {
background = config.theme.colors.base00;
foreground = config.theme.colors.base05;
timeout = 10;
};
};
};
};
}

58
modules/nixos/graphical/gtk.nix
View File

@ -1,58 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options = {
gtk.theme = {
name = lib.mkOption {
type = lib.types.str;
description = "Theme name for GTK applications";
};
package = lib.mkOption {
type = lib.types.package;
description = "Theme package for GTK applications";
default = pkgs.gnome-themes-extra;
};
};
};
config = lib.mkIf config.gui.enable {
home-manager.users.${config.user} = {
gtk =
let
gtkExtraConfig = {
gtk-application-prefer-dark-theme = config.theme.dark;
};
in
{
enable = true;
theme = {
name = config.gtk.theme.name;
package = config.gtk.theme.package;
};
gtk3.extraConfig = gtkExtraConfig;
gtk4.extraConfig = gtkExtraConfig;
};
};
# Required for setting GTK theme (for preferred-color-scheme in browser)
services.dbus.packages = [ pkgs.dconf ];
programs.dconf.enable = true;
# Make the login screen dark
services.xserver.displayManager.lightdm.greeters.gtk.theme = {
name = config.gtk.theme.name;
package = config.gtk.theme.package;
};
environment.sessionVariables = {
GTK_THEME = config.gtk.theme.name;
};
};
}

300
modules/nixos/graphical/i3.nix
View File

@ -1,300 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
lockCmd = "${pkgs.betterlockscreen}/bin/betterlockscreen --lock --display 1 --blur 0.5 --span";
lockUpdate = "${pkgs.betterlockscreen}/bin/betterlockscreen --update ${config.wallpaper} --display 1 --span";
terminal = "wezterm";
in
{
config = lib.mkIf pkgs.stdenv.isLinux {
services.xserver.windowManager = {
i3 = {
enable = config.services.xserver.enable;
};
};
environment.systemPackages = with pkgs; [
feh # Wallpaper
playerctl # Media control
];
home-manager.users.${config.user} = {
xsession.windowManager.i3 = {
enable = config.services.xserver.enable;
config =
let
modifier = "Mod4"; # Super key
ws1 = "1:I";
ws2 = "2:II";
ws3 = "3:III";
ws4 = "4:IV";
ws5 = "5:V";
ws6 = "6:VI";
ws7 = "7:VII";
ws8 = "8:VIII";
ws9 = "9:IX";
ws10 = "10:X";
in
{
modifier = modifier;
assigns = {
"${ws1}" = [ { class = "Firefox"; } ];
"${ws2}" = [
{ class = "aerc"; }
{ class = "kitty"; }
{ class = "obsidian"; }
{ class = "wezterm"; }
];
"${ws3}" = [ { class = "discord"; } ];
"${ws4}" = [
{ class = "steam"; }
{ class = "Steam"; }
];
};
bars = [ { command = "echo"; } ]; # Disable i3bar
colors =
let
background = config.theme.colors.base00;
inactiveBackground = config.theme.colors.base01;
border = config.theme.colors.base01;
inactiveBorder = config.theme.colors.base01;
text = config.theme.colors.base07;
inactiveText = config.theme.colors.base04;
urgentBackground = config.theme.colors.base08;
indicator = "#00000000";
in
{
background = config.theme.colors.base00;
focused = {
inherit
background
indicator
text
border
;
childBorder = background;
};
focusedInactive = {
inherit indicator;
background = inactiveBackground;
border = inactiveBorder;
childBorder = inactiveBackground;
text = inactiveText;
};
# placeholder = { };
unfocused = {
inherit indicator;
background = inactiveBackground;
border = inactiveBorder;
childBorder = inactiveBackground;
text = inactiveText;
};
urgent = {
inherit text indicator;
background = urgentBackground;
border = urgentBackground;
childBorder = urgentBackground;
};
};
floating.modifier = modifier;
focus = {
mouseWarping = true;
newWindow = "urgent";
followMouse = false;
};
keybindings = {
# Adjust screen brightness
"Shift+F12" =
# Disable dynamic sleep
# https://github.com/rockowitz/ddcutil/issues/323
"exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 + 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --disable-dynamic-sleep --display 2 setvcp 10 + 30";
"Shift+F11" = "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 - 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --disable-dynamic-sleep --display 2 setvcp 10 - 30";
"XF86MonBrightnessUp" = "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 + 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --disable-dynamic-sleep --display 2 setvcp 10 + 30";
"XF86MonBrightnessDown" = "exec ${pkgs.ddcutil}/bin/ddcutil --display 1 setvcp 10 - 30 && sleep 1; exec ${pkgs.ddcutil}/bin/ddcutil --disable-dynamic-sleep --display 2 setvcp 10 - 30";
# Media player controls
"XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
"XF86AudioStop" = "exec ${pkgs.playerctl}/bin/playerctl stop";
"XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
"XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
# Launchers
"${modifier}+Return" = "exec --no-startup-id ${
config.home-manager.users.${config.user}.programs.rofi.terminal
}; workspace ${ws2}; layout tabbed";
"${modifier}+space" = "exec --no-startup-id ${config.launcherCommand}";
"${modifier}+Shift+s" = "exec --no-startup-id ${config.systemdSearch}";
"${modifier}+Shift+a" = "exec --no-startup-id ${config.audioSwitchCommand}";
"Mod1+Tab" = "exec --no-startup-id ${config.altTabCommand}";
"${modifier}+Shift+period" = "exec --no-startup-id ${config.powerCommand}";
"${modifier}+Shift+m" = "exec --no-startup-id ${config.brightnessCommand}";
"${modifier}+c" = "exec --no-startup-id ${config.calculatorCommand}";
"${modifier}+Shift+c" = "reload";
"${modifier}+Shift+r" = "restart";
"${modifier}+Shift+q" = ''exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' -B 'Yes, exit i3' 'i3-msg exit'"'';
"${modifier}+Shift+x" = "exec ${lockCmd}";
"${modifier}+Mod1+h" = "exec --no-startup-id ${
config.home-manager.users.${config.user}.programs.rofi.terminal
} -e sh -c '${pkgs.home-manager}/bin/home-manager switch --flake ${config.dotfilesPath}#${config.networking.hostName} || read'";
"${modifier}+Mod1+r" = "exec --no-startup-id ${
config.home-manager.users.${config.user}.programs.rofi.terminal
} -e sh -c 'doas nixos-rebuild switch --flake ${config.dotfilesPath}#${config.networking.hostName} || read'";
# Window options
"${modifier}+q" = "kill";
"${modifier}+b" = "exec ${config.toggleBarCommand}";
"${modifier}+f" = "fullscreen toggle";
"${modifier}+h" = "focus left";
"${modifier}+j" = "focus down";
"${modifier}+k" = "focus up";
"${modifier}+l" = "focus right";
"${modifier}+Left" = "focus left";
"${modifier}+Down" = "focus down";
"${modifier}+Up" = "focus up";
"${modifier}+Right" = "focus right";
"${modifier}+Shift+h" = "move left";
"${modifier}+Shift+j" = "move down";
"${modifier}+Shift+k" = "move up";
"${modifier}+Shift+l" = "move right";
"${modifier}+Shift+Left" = "move left";
"${modifier}+Shift+Down" = "move down";
"${modifier}+Shift+Up" = "move up";
"${modifier}+Shift+Right" = "move right";
# Tiling
"${modifier}+i" = "split h";
"${modifier}+v" = "split v";
"${modifier}+s" = "layout stacking";
"${modifier}+t" = "layout tabbed";
"${modifier}+e" = "layout toggle split";
"${modifier}+Shift+space" = "floating toggle";
"${modifier}+Control+space" = "focus mode_toggle";
"${modifier}+a" = "focus parent";
# Workspaces
"${modifier}+1" = "workspace ${ws1}";
"${modifier}+2" = "workspace ${ws2}";
"${modifier}+3" = "workspace ${ws3}";
"${modifier}+4" = "workspace ${ws4}";
"${modifier}+5" = "workspace ${ws5}";
"${modifier}+6" = "workspace ${ws6}";
"${modifier}+7" = "workspace ${ws7}";
"${modifier}+8" = "workspace ${ws8}";
"${modifier}+9" = "workspace ${ws9}";
"${modifier}+0" = "workspace ${ws10}";
# Move windows
"${modifier}+Shift+1" = "move container to workspace ${ws1}; workspace ${ws1}";
"${modifier}+Shift+2" = "move container to workspace ${ws2}; workspace ${ws2}";
"${modifier}+Shift+3" = "move container to workspace ${ws3}; workspace ${ws3}";
"${modifier}+Shift+4" = "move container to workspace ${ws4}; workspace ${ws4}";
"${modifier}+Shift+5" = "move container to workspace ${ws5}; workspace ${ws5}";
"${modifier}+Shift+6" = "move container to workspace ${ws6}; workspace ${ws6}";
"${modifier}+Shift+7" = "move container to workspace ${ws7}; workspace ${ws7}";
"${modifier}+Shift+8" = "move container to workspace ${ws8}; workspace ${ws8}";
"${modifier}+Shift+9" = "move container to workspace ${ws9}; workspace ${ws9}";
"${modifier}+Shift+0" = "move container to workspace ${ws10}; workspace ${ws10}";
# Move screens
"${modifier}+Control+l" = "move workspace to output right";
"${modifier}+Control+h" = "move workspace to output left";
# Resizing
"${modifier}+r" = ''mode "resize"'';
"${modifier}+Control+Shift+h" = "resize shrink width 10 px or 10 ppt";
"${modifier}+Control+Shift+j" = "resize grow height 10 px or 10 ppt";
"${modifier}+Control+Shift+k" = "resize shrink height 10 px or 10 ppt";
"${modifier}+Control+Shift+l" = "resize grow width 10 px or 10 ppt";
};
modes = { };
startup = [
{
command = "feh --bg-fill ${config.wallpaper}";
always = true;
notification = false;
}
{
command = "i3-msg workspace ${ws2}, move workspace to output right";
notification = false;
}
{
command = "i3-msg workspace ${ws1}, move workspace to output left";
notification = false;
}
];
window = {
border = 0;
hideEdgeBorders = "smart";
titlebar = false;
};
workspaceAutoBackAndForth = false;
workspaceOutputAssign = [ ];
# gaps = {
# bottom = 8;
# top = 8;
# left = 8;
# right = 8;
# horizontal = 15;
# vertical = 15;
# inner = 15;
# outer = 0;
# smartBorders = "off";
# smartGaps = false;
# };
};
extraConfig = "";
};
programs.fish.functions = {
update-lock-screen = lib.mkIf config.services.xserver.enable {
description = "Update lockscreen with wallpaper";
body = lockUpdate;
};
};
# Update lock screen cache only if cache is empty
home.activation.updateLockScreenCache =
let
cacheDir = "${config.homePath}/.cache/betterlockscreen/current";
in
lib.mkIf config.services.xserver.enable (
config.home-manager.users.${config.user}.lib.dag.entryAfter [ "writeBoundary" ] ''
if [ ! -d ${cacheDir} ] || [ -z "$(ls ${cacheDir})" ]; then
$DRY_RUN_CMD ${lockUpdate}
fi
''
);
};
# Ref: https://github.com/betterlockscreen/betterlockscreen/blob/next/system/betterlockscreen%40.service
systemd.services.lock = {
enable = config.services.xserver.enable;
description = "Lock the screen on resume from suspend";
before = [
"sleep.target"
"suspend.target"
];
serviceConfig = {
User = config.user;
Type = "simple";
Environment = "DISPLAY=:0";
TimeoutSec = "infinity";
ExecStart = lockCmd;
ExecStartPost = "${pkgs.coreutils-full}/bin/sleep 1";
};
wantedBy = [
"sleep.target"
"suspend.target"
];
};
};
}

57
modules/nixos/graphical/picom.nix
View File

@ -1,57 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
config = lib.mkIf (pkgs.stdenv.isLinux && config.services.xserver.enable) {
home-manager.users.${config.user} = {
services.picom = {
enable = true;
backend = "glx";
settings = {
blur = false;
blurExclude = [ ];
inactiveDim = "0.05";
noDNDShadow = false;
noDockShadow = false;
# shadow-radius = 20
# '';
# shadow-radius = 20
# corner-radius = 10
# blur-size = 20
# rounded-corners-exclude = [
# "window_type = 'dock'",
# "class_g = 'i3-frame'"
# ]
# '';
};
fade = false;
inactiveOpacity = 1.0;
menuOpacity = 1.0;
opacityRules = [
"0:_NET_WM_STATE@[0]:32a = '_NET_WM_STATE_HIDDEN'" # Hide tabbed windows
];
shadow = false;
shadowExclude = [ ];
shadowOffsets = [
(-10)
(-10)
];
shadowOpacity = 0.5;
vSync = true;
};
xsession.windowManager.i3.config.startup = [
{
command = "systemctl --user restart picom";
always = true;
notification = false;
}
];
};
};
}

235
modules/nixos/graphical/polybar.nix
View File

@ -1,235 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
config = lib.mkIf (pkgs.stdenv.isLinux && config.services.xserver.enable) {
toggleBarCommand = "polybar-msg cmd toggle";
home-manager.users.${config.user} = {
services.polybar = {
enable = true;
package = pkgs.polybar.override {
pulseSupport = true;
githubSupport = true;
i3Support = true;
};
script = "polybar &";
config = {
"bar/main" = {
bottom = false;
width = "100%";
height = "22pt";
radius = 0;
# offset-y = -5;
# offset-y = "5%";
# dpi = 96;
background = config.theme.colors.base01;
foreground = config.theme.colors.base05;
line-size = "3pt";
border-top-size = 0;
border-right-size = 0;
border-left-size = 0;
border-bottom-size = "4pt";
border-color = config.theme.colors.base00;
padding-left = 2;
padding-right = 2;
module-margin = 1;
modules-left = "i3";
modules-center = "xwindow";
modules-right = "mailcount network pulseaudio date power";
cursor-click = "pointer";
cursor-scroll = "ns-resize";
enable-ipc = true;
tray-position = "right";
# wm-restack = "generic";
# wm-restack = "bspwm";
# wm-restack = "i3";
# override-redirect = true;
};
"module/i3" =
let
padding = 2;
in
{
type = "internal/i3";
pin-workspaces = false;
show-urgent = true;
strip-wsnumbers = true;
index-sort = true;
enable-click = true;
wrapping-scroll = true;
fuzzy-match = true;
format = "<label-state> <label-mode>";
label-focused = "%name%";
label-focused-foreground = config.theme.colors.base01;
label-focused-background = config.theme.colors.base05;
label-focused-underline = config.theme.colors.base03;
label-focused-padding = padding;
label-unfocused = "%name%";
label-unfocused-padding = padding;
label-visible = "%name%";
label-visible-underline = config.theme.colors.base01;
label-visible-padding = padding;
label-urgent = "%name%";
label-urgent-foreground = config.theme.colors.base00;
label-urgent-background = config.theme.colors.base08;
label-urgent-underline = config.theme.colors.base0F;
label-urgent-padding = padding;
};
"module/xworkspaces" = {
type = "internal/xworkspaces";
label-active = "%name%";
label-active-background = config.theme.colors.base05;
label-active-foreground = config.theme.colors.base01;
label-active-underline = config.theme.colors.base03;
label-active-padding = 1;
label-occupied = "%name%";
label-occupied-padding = 1;
label-urgent = "%name%";
label-urgent-background = config.theme.colors.base08;
label-urgent-padding = 1;
label-empty = "%name%";
label-empty-foreground = config.theme.colors.base06;
label-empty-padding = 1;
};
"module/xwindow" = {
type = "internal/xwindow";
label = "%title:0:60:...%";
};
# "module/filesystem" = {
# type = "internal/fs";
# interval = 25;
# mount-0 = "/";
# label-mounted = "%{F#F0C674}%mountpoint%%{F-} %percentage_used%%";
# label-unmounted = "%mountpoint% not mounted";
# label-unmounted-foreground = colors.disabled;
# };
"module/mailcount" = {
type = "custom/script";
interval = 10;
format = "<label>";
exec = builtins.toString (
pkgs.writeShellScript "mailcount.sh" ''
${pkgs.notmuch}/bin/notmuch new --quiet 2>&1>/dev/null
UNREAD=$(
${pkgs.notmuch}/bin/notmuch count \
is:inbox and \
is:unread and \
folder:main/Inbox \
2>/dev/null
)
if [ $UNREAD = "0" ]; then
echo ""
else
echo "%{T2}%{T-} $UNREAD "
fi
''
);
click-left = "i3-msg 'exec --no-startup-id kitty --class aerc aerc'; sleep 0.15; i3-msg '[class=aerc] focus'";
};
"module/network" = {
type = "internal/network";
interface-type = "wired";
interval = 3;
accumulate-stats = true;
format-connected = "<label-connected>";
format-disconnected = "<label-disconnected>";
label-connected = "";
label-disconnected = "";
};
"module/pulseaudio" = {
type = "internal/pulseaudio";
# format-volume-prefix = "VOL ";
# format-volume-prefix-foreground = colors.primary;
format-volume = "<ramp-volume> <label-volume>";
# format-volume-background = colors.background;
# label-volume-background = colors.background;
format-volume-foreground = config.theme.colors.base04;
label-volume = "%percentage%%";
label-muted = "󰝟 ---";
label-muted-foreground = config.theme.colors.base03;
ramp-volume-0 = "";
ramp-volume-1 = "󰕾";
ramp-volume-2 = "";
click-right = config.audioSwitchCommand;
};
# "module/xkeyboard" = {
# type = "internal/xkeyboard";
# blacklist-0 = "num lock";
# label-layout = "%layout%";
# label-layout-foreground = colors.primary;
# label-indicator-padding = 2;
# label-indicator-margin = 1;
# label-indicator-foreground = colors.background;
# label-indicator-background = colors.secondary;
# };
# "module/memory" = {
# type = "internal/memory";
# interval = 2;
# format-prefix = "RAM ";
# format-prefix-foreground = colors.primary;
# label = "%percentage_used:2%%";
# };
# "module/cpu" = {
# type = "internal/cpu";
# interval = 2;
# format-prefix = "CPU ";
# format-prefix-foreground = colors.primary;
# label = "%percentage:2%%";
# };
# "network-base" = {
# type = "internal/network";
# interval = 5;
# format-connected = "<label-connected>";
# format-disconnected = "<label-disconnected>";
# label-disconnected = "%{F#F0C674}%ifname%%{F#707880} disconnected";
# };
# "module/wlan" = {
# "inherit" = "network-base";
# interface-type = "wireless";
# label-connected = "%{F#F0C674}%ifname%%{F-} %essid% %local_ip%";
# };
# "module/eth" = {
# "inherit" = "network-base";
# interface-type = "wired";
# label-connected = "%{F#F0C674}%ifname%%{F-} %local_ip%";
# };
"module/date" = {
type = "internal/date";
interval = 1;
date = "%d %b %l:%M %p";
date-alt = "%Y-%m-%d %H:%M:%S";
label = "%date%";
label-foreground = config.theme.colors.base06;
# format-background = colors.background;
};
"module/power" = {
type = "custom/text";
content = " ";
click-left = config.powerCommand;
click-right = "polybar-msg cmd restart";
content-foreground = config.theme.colors.base04;
};
"settings" = {
screenchange-reload = true;
pseudo-transparency = false;
};
};
};
xsession.windowManager.i3.config.startup = [
{
command = "pkill polybar; polybar -r main";
always = true;
notification = false;
}
];
};
};
}

159
modules/nixos/graphical/rofi.nix
View File

@ -18,165 +18,6 @@ in
config = lib.mkIf (pkgs.stdenv.isLinux && config.services.xserver.enable) {
home-manager.users.${config.user} = {
home.packages = with pkgs; [
jq # Required for rofi-systemd
];
programs.rofi = {
enable = true;
cycle = true;
location = "center";
pass = { };
terminal = lib.mkIf pkgs.stdenv.isLinux config.terminal;
plugins = [
pkgs.rofi-calc
pkgs.rofi-emoji
pkgs.rofi-systemd
];
theme =
let
inherit (config.home-manager.users.${config.user}.lib.formats.rasi) mkLiteral;
in
{
# Inspired by https://github.com/sherubthakur/dotfiles/blob/master/users/modules/desktop-environment/rofi/launcher.rasi
"*" = {
background-color = mkLiteral config.theme.colors.base00;
foreground-color = mkLiteral config.theme.colors.base07;
text-color = mkLiteral config.theme.colors.base07;
border-color = mkLiteral config.theme.colors.base04;
};
# Holds the entire window
"#window" = {
transparency = "real";
background-color = mkLiteral config.theme.colors.base00;
text-color = mkLiteral config.theme.colors.base07;
border = mkLiteral "4px";
border-color = mkLiteral config.theme.colors.base04;
border-radius = mkLiteral "4px";
width = mkLiteral "850px";
padding = mkLiteral "15px";
};
# Wrapper around bar and results
"#mainbox" = {
background-color = mkLiteral config.theme.colors.base00;
border = mkLiteral "0px";
border-radius = mkLiteral "0px";
border-color = mkLiteral config.theme.colors.base04;
children = map mkLiteral [
"inputbar"
"message"
"listview"
];
spacing = mkLiteral "10px";
padding = mkLiteral "10px";
};
# Unknown
"#textbox-prompt-colon" = {
expand = false;
str = ":";
margin = mkLiteral "0px 0.3em 0em 0em";
text-color = mkLiteral config.theme.colors.base07;
};
# Command prompt left of the input
"#prompt" = {
enabled = false;
};
# Actual text box
"#entry" = {
placeholder-color = mkLiteral config.theme.colors.base03;
expand = true;
horizontal-align = "0";
placeholder = "";
padding = mkLiteral "0px 0px 0px 5px";
blink = true;
};
# Top bar
"#inputbar" = {
children = map mkLiteral [
"prompt"
"entry"
];
border = mkLiteral "1px";
border-radius = mkLiteral "4px";
padding = mkLiteral "6px";
};
# Results
"#listview" = {
background-color = mkLiteral config.theme.colors.base00;
padding = mkLiteral "0px";
columns = 1;
lines = 12;
spacing = "5px";
cycle = true;
dynamic = true;
layout = "vertical";
};
# Each result
"#element" = {
orientation = "vertical";
border-radius = mkLiteral "0px";
padding = mkLiteral "5px 0px 5px 5px";
};
"#element.selected" = {
border = mkLiteral "1px";
border-radius = mkLiteral "4px";
border-color = mkLiteral config.theme.colors.base07;
background-color = mkLiteral config.theme.colors.base04;
text-color = mkLiteral config.theme.colors.base00;
};
"#element-text" = {
expand = true;
# horizontal-align = mkLiteral "0.5";
vertical-align = mkLiteral "0.5";
margin = mkLiteral "0px 2.5px 0px 2.5px";
};
"#element-text.selected" = {
background-color = mkLiteral config.theme.colors.base04;
text-color = mkLiteral config.theme.colors.base00;
};
# Not sure how to get icons
"#element-icon" = {
size = mkLiteral "18px";
border = mkLiteral "0px";
padding = mkLiteral "2px 5px 2px 2px";
background-color = mkLiteral config.theme.colors.base00;
};
"#element-icon.selected" = {
background-color = mkLiteral config.theme.colors.base04;
text-color = mkLiteral config.theme.colors.base00;
};
};
xoffset = 0;
yoffset = -20;
extraConfig = {
show-icons = true;
kb-cancel = "Escape,Super+space";
modi = "window,run,ssh,emoji,calc,systemd";
sort = true;
# levenshtein-sort = true;
};
};
home.file.".local/share/rofi/themes" = {
recursive = true;
source = ./rofi/themes;
};
};
launcherCommand = ''${rofi}/bin/rofi -modes drun -show drun -theme-str '@import "launcher.rasi"' '';
systemdSearch = "${pkgs.rofi-systemd}/bin/rofi-systemd";
altTabCommand = "${rofi}/bin/rofi -show window -modi window";

45
modules/nixos/graphical/xorg.nix
View File

@ -1,45 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
config = lib.mkIf config.gui.enable {
# Enable touchpad support
services.libinput.enable = true;
# Enable the X11 windowing system.
services.xserver = {
enable = config.gui.enable;
# Login screen
displayManager = {
lightdm = {
enable = config.services.xserver.enable;
background = config.wallpaper;
# Show default user
# Also make sure /var/lib/AccountsService/users/<user> has SystemAccount=false
extraSeatDefaults = ''
greeter-hide-users = false
'';
};
};
};
environment.systemPackages = with pkgs; [
xclip # Clipboard
];
home-manager.users.${config.user} = {
programs.fish.shellAliases = {
pbcopy = "xclip -selection clipboard -in";
pbpaste = "xclip -selection clipboard -out";
};
};
};
}

82
modules/nixos/hardware/audio.nix
View File

@ -1,82 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
# These micro-scripts change the volume while also triggering the volume
# notification widget
increaseVolume = pkgs.writeShellScriptBin "increaseVolume" ''
${pkgs.pamixer}/bin/pamixer -i 2
volume=$(${pkgs.pamixer}/bin/pamixer --get-volume)
${pkgs.volnoti}/bin/volnoti-show $volume
'';
decreaseVolume = pkgs.writeShellScriptBin "decreaseVolume" ''
${pkgs.pamixer}/bin/pamixer -d 2
volume=$(${pkgs.pamixer}/bin/pamixer --get-volume)
${pkgs.volnoti}/bin/volnoti-show $volume
'';
toggleMute = pkgs.writeShellScriptBin "toggleMute" ''
${pkgs.pamixer}/bin/pamixer --toggle-mute
mute=$(${pkgs.pamixer}/bin/pamixer --get-mute)
if [ "$mute" == "true" ]; then
${pkgs.volnoti}/bin/volnoti-show --mute
else
volume=$(${pkgs.pamixer}/bin/pamixer --get-volume)
${pkgs.volnoti}/bin/volnoti-show $volume
fi
'';
in
{
config = lib.mkIf (pkgs.stdenv.isLinux && config.gui.enable) {
# Enable PipeWire
services.pipewire = {
enable = true;
pulse.enable = true;
};
# Provides audio source with background noise filtered
programs.noisetorch.enable = true;
# These aren't necessary, but helpful for the user
environment.systemPackages = with pkgs; [
pamixer # Audio control
volnoti # Volume notifications
];
home-manager.users.${config.user} = {
# Graphical volume notifications
services.volnoti.enable = true;
xsession.windowManager.i3.config = {
# Make sure that Volnoti actually starts (home-manager doesn't start
# user daemon's automatically)
startup = [
{
command = "systemctl --user restart volnoti --alpha 0.15 --radius 40 --timeout 0.2";
always = true;
notification = false;
}
];
# i3 keybinds for changing the volume
keybindings = {
"XF86AudioRaiseVolume" = "exec --no-startup-id ${increaseVolume}/bin/increaseVolume";
"XF86AudioLowerVolume" = "exec --no-startup-id ${decreaseVolume}/bin/decreaseVolume";
"XF86AudioMute" = "exec --no-startup-id ${toggleMute}/bin/toggleMute";
# We can mute the mic by adding "--default-source"
"XF86AudioMicMute" = "exec --no-startup-id ${pkgs.pamixer}/bin/pamixer --default-source --toggle-mute";
};
};
};
};
}

53
modules/nixos/hardware/boot.nix
View File

@ -1,53 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
boot.loader = lib.mkIf (config.physical && !config.server) {
grub = {
enable = true;
# Not sure what this does, but it involves the UEFI/BIOS
efiSupport = true;
# Check for other OSes and make them available
useOSProber = true;
# Attempt to display GRUB on widescreen monitor
gfxmodeEfi = "1920x1080";
# Limit the total number of configurations to rollback
configurationLimit = 25;
# Install GRUB onto the boot disk
# device = config.fileSystems."/boot".device;
# Don't install GRUB, required for UEFI?
device = "nodev";
# Display menu indefinitely if holding shift key
extraConfig = ''
if keystatus --shift ; then
set timeout=-1
else
set timeout=3
fi
'';
};
# Always display menu indefinitely; default is 5 seconds
# timeout = null;
# Allows GRUB to interact with the UEFI/BIOS I guess
efi.canTouchEfiVariables = true;
};
# Allow reading from Windows drives
boot.supportedFilesystems = lib.mkIf config.physical [ "ntfs" ];
# Use latest released Linux kernel by default
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
}

22
modules/nixos/hardware/default.nix
View File

@ -1,22 +0,0 @@
{ lib, ... }:
{
imports = [
./audio.nix
./boot.nix
./disk.nix
./keyboard.nix
./monitors.nix
./mouse.nix
./networking.nix
./server.nix
./sleep.nix
./wifi.nix
./zfs.nix
];
options = {
physical = lib.mkEnableOption "Whether this machine is a physical device.";
server = lib.mkEnableOption "Whether this machine is a server.";
};
}

7
modules/nixos/hardware/disk.nix
View File

@ -1,7 +0,0 @@
{ config, lib, ... }:
{
# Enable fstrim, which tracks free space on SSDs for garbage collection
# More info: https://www.reddit.com/r/NixOS/comments/rbzhb1/if_you_have_a_ssd_dont_forget_to_enable_fstrim/
services.fstrim.enable = lib.mkIf config.physical true;
}

22
modules/nixos/hardware/iso.nix
View File

@ -1,22 +0,0 @@
{
config,
lib,
modulesPath,
...
}:
{
# options.iso.enable = lib.mkEnableOption "Enable creating as an ISO.";
#
# imports = [ "${toString modulesPath}/installer/cd-dvd/iso-image.nix" ];
# config = lib.mkIf config.iso.enable {
#
# # EFI booting
# isoImage.makeEfiBootable = true;
#
# # USB booting
# isoImage.makeUsbBootable = true;
#
# };
}

42
modules/nixos/hardware/keyboard.nix
View File

@ -1,42 +0,0 @@
{ config, lib, ... }:
{
config = lib.mkIf config.physical {
services.xserver = {
xkb.layout = "us";
# Keyboard responsiveness
autoRepeatDelay = 250;
autoRepeatInterval = 40;
};
# Swap Caps-Lock with Escape when pressed or LCtrl when held/combined with others
# Inspired by: https://www.youtube.com/watch?v=XuQVbZ0wENE
services.kanata = {
enable = true;
keyboards.default = {
devices = [
"/dev/input/by-id/usb-Logitech_Logitech_G710_Keyboard-event-kbd"
"/dev/input/by-id/usb-Logitech_Logitech_G710_Keyboard-if01-event-kbd"
];
extraDefCfg = "process-unmapped-keys yes";
config = ''
(defsrc
caps
)
(defalias
escctrl (tap-hold-press 1000 1000 esc lctrl)
)
(deflayer base
@escctrl
)
'';
};
};
# Enable num lock on login
home-manager.users.${config.user}.xsession.numlock.enable = true;
};
}

53
modules/nixos/hardware/monitors.nix
View File

@ -1,53 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
config = lib.mkIf config.gui.enable {
environment.systemPackages = with pkgs; [
ddcutil # Monitor brightness control
];
# Reduce blue light at night
services.redshift = {
enable = true;
brightness = {
day = "1.0";
night = "1.0";
};
};
# Detect monitors (brightness) for ddcutil
hardware.i2c.enable = true;
# Grant main user access to external monitors
users.users.${config.user}.extraGroups = [ "i2c" ];
services.xserver.displayManager = {
# Put the login screen on the left monitor
lightdm.greeters.gtk.extraConfig = ''
active-monitor=0
'';
# Set up screen position and rotation
setupCommands = ''
${pkgs.xorg.xrandr}/bin/xrandr --output DisplayPort-1 \
--primary \
--rotate normal \
--mode 2560x1440 \
--rate 165 \
--output DisplayPort-2 \
--right-of DisplayPort-1 \
--rotate left \
--output DVI-0 --off \
--output DVI-1 --off \
|| echo "xrandr failed"
'';
};
};
}

35
modules/nixos/hardware/mouse.nix
View File

@ -1,35 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
config = lib.mkIf config.gui.enable {
# Mouse customization
services.ratbagd.enable = true;
environment.systemPackages = with pkgs; [
libratbag # Mouse adjustments
piper # Mouse adjustments GUI
];
services.libinput.mouse = {
# Disable mouse acceleration
accelProfile = "flat";
accelSpeed = "1.15";
};
# Cursor
home-manager.users.${config.user}.home.pointerCursor = {
name = "Adwaita";
package = pkgs.adwaita-icon-theme;
size = 24;
gtk.enable = true;
x11.enable = true;
};
};
}

34
modules/nixos/hardware/networking.nix
View File

@ -1,34 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
config = lib.mkIf config.physical {
networking.useDHCP = !config.networking.networkmanager.enable;
networking.firewall.allowPing = lib.mkIf config.server true;
# DNS service discovery
services.avahi = {
enable = true;
domainName = "local";
ipv6 = false; # Should work either way
# Resolve local hostnames using Avahi DNS
nssmdns4 = true;
publish = {
enable = true;
addresses = true;
domain = true;
workstation = true;
};
};
environment.systemPackages = [
(pkgs.writeShellScriptBin "wake-tempest" "${pkgs.wakeonlan}/bin/wakeonlan --ip=192.168.1.255 74:56:3C:40:37:5D")
];
};
}

10
modules/nixos/hardware/server.nix
View File

@ -1,10 +0,0 @@
{ config, lib, ... }:
{
config = lib.mkIf config.server {
# Servers need a bootloader or they won't start
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
};
}

36
modules/nixos/hardware/sleep.nix
View File

@ -1,36 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
config = lib.mkIf (config.physical && !config.server) {
# Use power button to sleep instead of poweroff
services.logind.powerKey = "suspend";
services.logind.powerKeyLongPress = "poweroff";
# Prevent wake from keyboard
powerManagement.powerDownCommands = ''
set +e
# Fix for Gigabyte motherboard
# /r/archlinux/comments/y7b97e/my_computer_wakes_up_immediately_after_i_suspend/isu99sr/
# Disable if enabled
if (grep "GPP0.*enabled" /proc/acpi/wakeup >/dev/null); then
echo GPP0 | ${pkgs.doas}/bin/doas tee /proc/acpi/wakeup
fi
sleep 2
set -e
'';
services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="usb", DRIVER=="usb", ATTR{power/wakeup}="disabled"
ACTION=="add", SUBSYSTEM=="i2c", ATTR{power/wakeup}="disabled"
'';
};
}

17
modules/nixos/hardware/wifi.nix
View File

@ -1,17 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
config = lib.mkIf (config.physical && pkgs.stdenv.isLinux) {
# Enables wireless support via wpa_supplicant.
networking.wireless.enable = !config.networking.networkmanager.enable;
# Allows the user to control the WiFi settings.
networking.wireless.userControlled.enable = true;
};
}

24
modules/nixos/hardware/zfs.nix
View File

@ -1,24 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options = {
zfs.enable = lib.mkEnableOption "ZFS file system.";
};
config = lib.mkIf (config.server && config.zfs.enable) {
# Only use compatible Linux kernel, since ZFS can be behind
boot.kernelPackages = pkgs.linuxPackages; # Defaults to latest LTS
boot.kernelParams = [ "nohibernate" ];
boot.supportedFilesystems = [ "zfs" ];
services.prometheus.exporters.zfs.enable = config.prometheus.exporters.enable;
prometheus.scrapeTargets = [
"127.0.0.1:${builtins.toString config.services.prometheus.exporters.zfs.port}"
];
};
}

74
modules/nixos/services/actualbudget.nix
View File

@ -1,74 +0,0 @@
{ config, lib, ... }:
{
options = {
services.actualbudget = {
enable = lib.mkEnableOption "ActualBudget budgeting service";
port = lib.mkOption {
type = lib.types.port;
description = "Port to use for the localhost";
default = 5006;
};
};
};
config = lib.mkIf config.services.actualbudget.enable {
virtualisation.podman.enable = lib.mkDefault true;
users.users.actualbudget = {
isSystemUser = true;
group = "shared";
uid = 980;
};
# Create budget directory, allowing others to manage it
systemd.tmpfiles.rules = [
"d /var/lib/actualbudget 0770 actualbudget shared"
];
virtualisation.oci-containers.containers.actualbudget = {
workdir = null;
volumes = [ "/var/lib/actualbudget:/data" ];
user = "${toString (builtins.toString config.users.users.actualbudget.uid)}";
pull = "missing";
privileged = false;
ports = [ "127.0.0.1:${builtins.toString config.services.actualbudget.port}:5006" ];
networks = [ ];
log-driver = "journald";
labels = {
app = "actualbudget";
};
image = "ghcr.io/actualbudget/actual-server:25.1.0";
hostname = null;
environmentFiles = [ ];
environment = {
DEBUG = "actual:config"; # Enable debug logging
ACTUAL_TRUSTED_PROXIES = builtins.concatStringsSep "," [ "127.0.0.1" ];
};
dependsOn = [ ];
autoStart = true;
};
# Allow web traffic to Caddy
caddy.routes = [
{
match = [ { host = [ config.hostnames.budget ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:${builtins.toString config.services.actualbudget.port}"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.budget ];
# Backups
services.restic.backups.default.paths = [ "/var/lib/actualbudget" ];
};
}

285
modules/nixos/services/arr.nix
View File

@ -1,285 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
# This config specifies ports for Prometheus to scrape information
arrConfig = {
radarr = {
exportarrPort = "9707";
url = "localhost:7878";
apiKey = config.secrets.radarrApiKey.dest;
};
readarr = {
exportarrPort = "9711";
url = "localhost:8787";
apiKey = config.secrets.readarrApiKey.dest;
};
sonarr = {
exportarrPort = "9708";
url = "localhost:8989";
apiKey = config.secrets.sonarrApiKey.dest;
};
prowlarr = {
exportarrPort = "9709";
url = "localhost:9696";
apiKey = config.secrets.prowlarrApiKey.dest;
};
sabnzbd = {
exportarrPort = "9710";
url = "localhost:8085";
apiKey = config.secrets.sabnzbdApiKey.dest;
};
};
in
{
options = {
arrs.enable = lib.mkEnableOption "Arr services";
};
config = lib.mkIf config.arrs.enable {
# Broken on 2024-12-07
# https://discourse.nixos.org/t/solved-sonarr-is-broken-in-24-11-unstable-aka-how-the-hell-do-i-use-nixpkgs-config-permittedinsecurepackages/
insecurePackages = [
"aspnetcore-runtime-wrapped-6.0.36"
"aspnetcore-runtime-6.0.36"
"dotnet-sdk-wrapped-6.0.428"
"dotnet-sdk-6.0.428"
];
services = {
bazarr = {
enable = true;
group = "shared";
};
jellyseerr.enable = true;
prowlarr.enable = true;
sabnzbd = {
enable = true;
group = "shared";
# The config file must be editable within the application
# It contains server configs and credentials
configFile = "/data/downloads/sabnzbd/sabnzbd.ini";
};
sonarr = {
enable = true;
group = "shared";
};
radarr = {
enable = true;
group = "shared";
};
readarr = {
enable = true;
group = "shared";
};
};
# Allows shared group to read/write the sabnzbd directory
users.users.sabnzbd.homeMode = "0770";
unfreePackages = [ "unrar" ]; # Required as a dependency for sabnzbd
# Requires updating the base_url config value in each service
# If you try to rewrite the URL, the service won't redirect properly
caddy.routes = [
{
# Group means that routes with the same name are mutually exclusive,
# so they are split between the appropriate services.
group = "download";
match = [
{
host = [ config.hostnames.download ];
path = [ "/sonarr*" ];
}
];
handle = [
{
handler = "reverse_proxy";
# We're able to reference the url and port of the service dynamically
upstreams = [ { dial = arrConfig.sonarr.url; } ];
}
];
}
{
group = "download";
match = [
{
host = [ config.hostnames.download ];
path = [ "/radarr*" ];
}
];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = arrConfig.radarr.url; } ];
}
];
}
{
group = "download";
match = [
{
host = [ config.hostnames.download ];
path = [ "/readarr*" ];
}
];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = arrConfig.readarr.url; } ];
}
];
}
{
group = "download";
match = [
{
host = [ config.hostnames.download ];
path = [ "/prowlarr*" ];
}
];
handle = [
{
handler = "reverse_proxy";
# Prowlarr doesn't offer a dynamic config, so we have to hardcode it
upstreams = [ { dial = "localhost:9696"; } ];
}
];
}
{
group = "download";
match = [
{
host = [ config.hostnames.download ];
path = [ "/bazarr*" ];
}
];
handle = [
{
handler = "reverse_proxy";
upstreams = [
{
# Bazarr only dynamically sets the port, not the host
dial = "localhost:${builtins.toString config.services.bazarr.listenPort}";
}
];
}
];
}
{
group = "download";
match = [
{
host = [ config.hostnames.download ];
path = [ "/sabnzbd*" ];
}
];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = arrConfig.sabnzbd.url; } ];
}
];
}
{
group = "download";
match = [ { host = [ config.hostnames.download ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:${builtins.toString config.services.jellyseerr.port}"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.download ];
# Enable Prometheus exporters
systemd.services = lib.mapAttrs' (name: attrs: {
name = "prometheus-${name}-exporter";
value = {
description = "Export Prometheus metrics for ${name}";
after = [ "network.target" ];
wantedBy = [ "${name}.service" ];
serviceConfig = {
Type = "simple";
DynamicUser = true;
ExecStart =
let
# Sabnzbd doesn't accept the URI path, unlike the others
url = if name != "sabnzbd" then "http://${attrs.url}/${name}" else "http://${attrs.url}";
in
# Exportarr is trained to pull from the arr services
''
${pkgs.exportarr}/bin/exportarr ${name} \
--url ${url} \
--port ${attrs.exportarrPort}'';
EnvironmentFile = lib.mkIf (builtins.hasAttr "apiKey" attrs) attrs.apiKey;
Restart = "on-failure";
ProtectHome = true;
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
};
};
}) arrConfig;
# Secrets for Prometheus exporters
secrets.radarrApiKey = {
source = ../../../private/radarr-api-key.age;
dest = "/var/private/radarr-api";
prefix = "API_KEY=";
};
secrets.readarrApiKey = {
source = ../../../private/radarr-api-key.age;
dest = "/var/private/readarr-api";
prefix = "API_KEY=";
};
secrets.sonarrApiKey = {
source = ../../../private/sonarr-api-key.age;
dest = "/var/private/sonarr-api";
prefix = "API_KEY=";
};
secrets.prowlarrApiKey = {
source = ../../../private/prowlarr-api-key.age;
dest = "/var/private/prowlarr-api";
prefix = "API_KEY=";
};
secrets.sabnzbdApiKey = {
source = ../../../private/sabnzbd-api-key.age;
dest = "/var/private/sabnzbd-api";
prefix = "API_KEY=";
};
# Prometheus scrape targets (expose Exportarr to Prometheus)
prometheus.scrapeTargets = map (
key:
"127.0.0.1:${
lib.attrsets.getAttrFromPath [
key
"exportarrPort"
] arrConfig
}"
) (builtins.attrNames arrConfig);
};
}

29
modules/nixos/services/audiobookshelf.nix
View File

@ -1,29 +0,0 @@
{ config, lib, ... }:
{
config = lib.mkIf config.services.audiobookshelf.enable {
services.audiobookshelf = {
group = "shared";
dataDir = "audiobookshelf";
};
# Allow web traffic to Caddy
caddy.routes = [
{
match = [ { host = [ config.hostnames.audiobooks ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:${builtins.toString config.services.audiobookshelf.port}"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.audiobooks ];
};
}

88
modules/nixos/services/bind.nix
View File

@ -1,88 +0,0 @@
# Bind is a DNS service. This allows me to resolve public domains locally so
# when I'm at home, I don't have to travel over the Internet to reach my
# server.
# To set this on all home machines, I point my router's DNS resolver to the
# local IP address of the machine running this service (swan).
{
config,
pkgs,
lib,
...
}:
let
localIp = "192.168.1.218";
localServices = [
config.hostnames.stream
config.hostnames.content
config.hostnames.books
config.hostnames.download
config.hostnames.photos
];
mkRecord = service: "${service} A ${localIp}";
localRecords = lib.concatLines (map mkRecord localServices);
in
{
config = lib.mkIf config.services.bind.enable {
# Normally I block all requests not coming from Cloudflare, so I have to also
# allow my local network.
caddy.cidrAllowlist = [ "192.168.0.0/16" ];
services.bind = {
# Allow requests coming from these IPs. This way I don't somehow get
# spammed with DNS requests coming from the Internet.
cacheNetworks = [
"127.0.0.0/24"
"192.168.0.0/16"
"::1/128" # Required because IPv6 loopback now added to resolv.conf
# (see: https://github.com/NixOS/nixpkgs/pull/302228)
];
# When making normal DNS requests, forward them to Cloudflare to resolve.
forwarders = [
"1.1.1.1"
"1.0.0.1"
];
ipv4Only = false;
# Use rpz zone as an override
extraOptions = ''response-policy { zone "rpz"; };'';
zones = {
rpz = {
master = true;
file = pkgs.writeText "db.rpz" ''
$TTL 60 ; 1 minute
@ IN SOA localhost. root.localhost. (
2023071800 ; serial
1h ; refresh
30m ; retry
1w ; expire
30m ; minimum ttl
)
IN NS localhost.
localhost A 127.0.0.1
${localRecords}
'';
};
};
};
# We must allow DNS traffic to hit our machine as well
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
# Set our own nameservers to ourselves
networking.nameservers = [
"127.0.0.1"
"::1"
];
};
}

223
modules/nixos/services/caddy.nix
View File

@ -1,223 +0,0 @@
# Caddy is a reverse proxy, like Nginx or Traefik. This creates an ingress
# point from my local network or the public (via Cloudflare). Instead of a
# Caddyfile, I'm using the more expressive JSON config file format. This means
# I can source routes from other areas in my config and build the JSON file
# using the result of the expression.
# Caddy helpfully provides automatic ACME cert generation and management, but
# it requires a form of validation. We are using a custom build of Caddy
# (compiled with an overlay) to insert a plugin for managing DNS validation
# with Cloudflare's DNS API.
{
config,
pkgs,
lib,
...
}:
{
options = {
caddy = {
tlsPolicies = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Caddy JSON TLS policies";
default = [ ];
};
routes = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Caddy JSON routes for http servers";
default = [ ];
};
blocks = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Caddy JSON error blocks for http servers";
default = [ ];
};
cidrAllowlist = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "CIDR blocks to allow for requests";
default = [ ];
};
};
};
config = lib.mkIf config.services.caddy.enable {
# Force Caddy to 403 if not coming from allowlisted source
caddy.cidrAllowlist = [ "127.0.0.1/32" ];
caddy.routes = lib.mkBefore [
{
match = [ { not = [ { remote_ip.ranges = config.caddy.cidrAllowlist; } ]; } ];
handle = [
{
handler = "static_response";
status_code = "403";
}
];
}
];
services.caddy =
let
default_logger_name = "other";
roll_size_mb = 25;
# Extract list of hostnames (fqdns) from current caddy routes
getHostnameFromMatch = match: if (lib.hasAttr "host" match) then match.host else [ ];
getHostnameFromRoute =
route:
if (lib.hasAttr "match" route) then (lib.concatMap getHostnameFromMatch route.match) else [ ];
hostnames_non_unique = lib.concatMap getHostnameFromRoute config.caddy.routes;
hostnames = lib.unique hostnames_non_unique;
# Create attrset of subdomains to their fqdns
hostname_map = builtins.listToAttrs (
map (hostname: {
name = builtins.head (lib.splitString "." hostname);
value = hostname;
}) hostnames
);
in
{
adapter = "''"; # Required to enable JSON
configFile = pkgs.writeText "Caddyfile" (
builtins.toJSON {
apps.http.servers.main = {
listen = [ ":443" ];
# These routes are pulled from the rest of this repo
routes = config.caddy.routes;
errors.routes = config.caddy.blocks;
# Uncommenting collects access logs
logs = {
inherit default_logger_name;
# Invert hostnames keys and values
logger_names = lib.mapAttrs' (name: value: {
name = value;
value = name;
}) hostname_map;
};
};
apps.http.servers.metrics = { }; # Enables Prometheus metrics
apps.tls.automation.policies = config.caddy.tlsPolicies;
# Setup logging to journal and files
logging.logs =
{
# System logs and catch-all
# Must be called `default` to override Caddy's built-in default logger
default = {
level = "INFO";
encoder.format = "console";
writer = {
output = "stderr";
};
exclude = (map (hostname: "http.log.access.${hostname}") (builtins.attrNames hostname_map)) ++ [
"http.log.access.${default_logger_name}"
];
};
# This is for the default access logs (anything not captured by hostname)
other = {
level = "INFO";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/other.log";
roll = true;
inherit roll_size_mb;
};
include = [ "http.log.access.${default_logger_name}" ];
};
# This is for using the Caddy API, which will probably never happen
admin = {
level = "INFO";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/admin.log";
roll = true;
inherit roll_size_mb;
};
include = [ "admin" ];
};
# This is for TLS cert management tracking
tls = {
level = "INFO";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/tls.log";
roll = true;
inherit roll_size_mb;
};
include = [ "tls" ];
};
# This is for debugging
debug = {
level = "DEBUG";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/debug.log";
roll = true;
roll_keep = 1;
inherit roll_size_mb;
};
};
}
# These are the access logs for individual hostnames
// (lib.mapAttrs (name: value: {
level = "INFO";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/${name}-access.log";
roll = true;
inherit roll_size_mb;
};
include = [ "http.log.access.${name}" ];
}) hostname_map)
# We also capture just the errors separately for easy debugging
// (lib.mapAttrs' (name: value: {
name = "${name}-error";
value = {
level = "ERROR";
encoder.format = "json";
writer = {
output = "file";
filename = "${config.services.caddy.logDir}/${name}-error.log";
roll = true;
inherit roll_size_mb;
};
include = [ "http.log.access.${name}" ];
};
}) hostname_map);
}
);
};
systemd.services.caddy.serviceConfig = {
# Allows Caddy to serve lower ports (443, 80)
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
# Prevent flooding of logs by rate-limiting
LogRateLimitIntervalSec = "5s"; # Limit period
LogRateLimitBurst = 100; # Limit threshold
};
# Required for web traffic to reach this machine
networking.firewall.allowedTCPPorts = [
80
443
];
# HTTP/3 QUIC uses UDP (not sure if being used)
networking.firewall.allowedUDPPorts = [ 443 ];
# Caddy exposes Prometheus metrics with the admin API
# https://caddyserver.com/docs/api
prometheus.scrapeTargets = [ "127.0.0.1:2019" ];
};
}

92
modules/nixos/services/calibre.nix
View File

@ -1,92 +0,0 @@
# Calibre-web is an E-Book library and management tool.
# - Exposed to the public via Caddy.
# - Hostname defined with config.hostnames.books
# - File directory backed up to S3 on a cron schedule.
{
config,
pkgs,
lib,
...
}:
let
libraryPath = "/data/books";
in
{
options = {
backups.calibre = lib.mkOption {
type = lib.types.bool;
description = "Whether to backup Calibre library";
default = true;
};
};
config = lib.mkIf config.services.calibre-web.enable {
services.calibre-web = {
group = "shared";
openFirewall = true;
options = {
reverseProxyAuth.enable = false;
enableBookConversion = true;
enableBookUploading = true;
calibreLibrary = libraryPath;
};
};
# Allow web traffic to Caddy
caddy.routes = [
{
match = [ { host = [ config.hostnames.books ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [
{ dial = "localhost:${builtins.toString config.services.calibre-web.listen.port}"; }
];
# This is required when calibre-web is behind a reverse proxy
# https://github.com/janeczku/calibre-web/issues/19
headers.request.add."X-Script-Name" = [ "/calibre-web" ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.books ];
# Grant user access to Calibre directories
users.users.${config.user}.extraGroups = [ "calibre-web" ];
# Run a backup on a schedule
systemd.timers.calibre-backup = lib.mkIf config.backups.calibre {
timerConfig = {
OnCalendar = "*-*-* 00:00:00"; # Once per day
Unit = "calibre-backup.service";
};
wantedBy = [ "timers.target" ];
};
# Backup Calibre data to object storage
systemd.services.calibre-backup = lib.mkIf config.backups.calibre {
description = "Backup Calibre data";
environment.AWS_ACCESS_KEY_ID = config.backup.s3.accessKeyId;
serviceConfig = {
Type = "oneshot";
User = "calibre-web";
Group = "backup";
EnvironmentFile = config.secrets.backup.dest;
};
script = ''
${pkgs.awscli2}/bin/aws s3 sync \
${libraryPath}/ \
s3://${config.backup.s3.bucket}/calibre/ \
--endpoint-url=https://${config.backup.s3.endpoint}
'';
};
};
}

99
modules/nixos/services/cloudflare-tunnel.nix
View File

@ -1,99 +0,0 @@
# Cloudflare Tunnel is a service for accessing the network even behind a
# firewall, through outbound-only requests. It works by installing an agent on
# our machines that exposes services through Cloudflare Access (Zero Trust),
# similar to something like Tailscale.
# In this case, we're using Cloudflare Tunnel to enable SSH access over a web
# browser even when outside of my network. This is probably not the safest
# choice but I feel comfortable enough with it anyway.
{ config, lib, ... }:
# First time setup:
# nix-shell -p cloudflared
# cloudflared tunnel login
# cloudflared tunnel create <host>
# nix run github:nmasur/dotfiles#encrypt-secret > private/cloudflared-<host>.age
# Paste ~/.cloudflared/<id>.json
# Set tunnel.id = "<id>"
# Remove ~/.cloudflared/
# For SSH access:
# Cloudflare Zero Trust -> Access -> Applications -> Create Application
# Service Auth -> SSH -> Select Application -> Generate Certificate
# Set ca = "<public key>"
{
options.cloudflareTunnel = {
enable = lib.mkEnableOption "Use Cloudflare Tunnel";
id = lib.mkOption {
type = lib.types.str;
description = "Cloudflare tunnel ID";
};
credentialsFile = lib.mkOption {
type = lib.types.path;
description = "Cloudflare tunnel credentials file (age-encrypted)";
};
ca = lib.mkOption {
type = lib.types.str;
description = "Cloudflare tunnel CA public key";
};
};
config = lib.mkIf config.cloudflareTunnel.enable {
services.cloudflared = {
enable = true;
tunnels = {
"${config.cloudflareTunnel.id}" = {
credentialsFile = config.secrets.cloudflared.dest;
# Catch-all if no match (should never happen anyway)
default = "http_status:404";
# Match from ingress of any valid server name to SSH access
ingress = {
"*.masu.rs" = "ssh://localhost:22";
};
};
};
};
# Grant Cloudflare access to SSH into this server
environment.etc = {
"ssh/ca.pub".text = ''
${config.cloudflareTunnel.ca}
'';
# Must match the username portion of the email address in Cloudflare
# Access
"ssh/authorized_principals".text = ''
${config.user}
'';
};
# Adjust SSH config to allow access from Cloudflare's certificate
services.openssh.extraConfig = ''
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/ca.pub
Match User '${config.user}'
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
# if there is no existing AuthenticationMethods
AuthenticationMethods publickey
'';
services.openssh.settings.Macs = [ "hmac-sha2-512" ]; # Fix for failure to find matching mac
# Create credentials file for Cloudflare
secrets.cloudflared = {
source = config.cloudflareTunnel.credentialsFile;
dest = "${config.secretsDirectory}/cloudflared";
owner = "cloudflared";
group = "cloudflared";
permissions = "0440";
};
systemd.services.cloudflared-secret = {
requiredBy = [ "cloudflared-tunnel-${config.cloudflareTunnel.id}.service" ];
before = [ "cloudflared-tunnel-${config.cloudflareTunnel.id}.service" ];
};
};
}

34
modules/nixos/services/cloudflare.nix
View File

@ -153,39 +153,5 @@ in
requires = [ "cloudflare-api-secret.service" ];
};
# Run a second copy of dyn-dns for non-proxied domains
# Adapted from: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/networking/cloudflare-dyndns.nix
systemd.services.cloudflare-dyndns-noproxy =
lib.mkIf ((builtins.length config.cloudflare.noProxyDomains) > 0)
{
description = "CloudFlare Dynamic DNS Client (no proxy)";
after = [
"network.target"
"cloudflare-api-secret.service"
];
requires = [ "cloudflare-api-secret.service" ];
wantedBy = [ "multi-user.target" ];
startAt = "*:0/5";
environment = {
CLOUDFLARE_DOMAINS = toString config.cloudflare.noProxyDomains;
};
serviceConfig = {
Type = "simple";
DynamicUser = true;
StateDirectory = "cloudflare-dyndns-noproxy";
EnvironmentFile = config.services.cloudflare-dyndns.apiTokenFile;
ExecStart =
let
args =
[ "--cache-file /var/lib/cloudflare-dyndns-noproxy/ip.cache" ]
++ (if config.services.cloudflare-dyndns.ipv4 then [ "-4" ] else [ "-no-4" ])
++ (if config.services.cloudflare-dyndns.ipv6 then [ "-6" ] else [ "-no-6" ])
++ lib.optional config.services.cloudflare-dyndns.deleteMissing "--delete-missing";
in
"${pkgs.cloudflare-dyndns}/bin/cloudflare-dyndns ${toString args}";
};
};
};
}

68
modules/nixos/services/filebrowser.nix
View File

@ -1,68 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
dataDir = "/var/lib/filebrowser";
settings = {
port = 8020;
baseURL = "";
address = "";
log = "stdout";
database = "${dataDir}/filebrowser.db";
root = "";
"auth.method" = "json";
username = config.user;
# Generate password: htpasswd -nBC 10 "" | tr -d ':\n'
password = "$2y$10$ze1cMob0k6pnXRjLowYfZOVZWg4G.dsPtH3TohbUeEbI0sdkG9.za";
};
in
{
options.filebrowser.enable = lib.mkEnableOption "Use Filebrowser.";
config = lib.mkIf config.filebrowser.enable {
environment.etc."filebrowser/.filebrowser.json".text = builtins.toJSON settings;
systemd.services.filebrowser = lib.mkIf config.filebrowser.enable {
description = "Filebrowser cloud file services";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
startLimitIntervalSec = 14400;
startLimitBurst = 10;
serviceConfig = {
ExecStart = "${pkgs.filebrowser}/bin/filebrowser";
DynamicUser = true;
Group = "shared";
ReadWritePaths = [ dataDir ];
StateDirectory = [ "filebrowser" ];
Restart = "on-failure";
RestartPreventExitStatus = 1;
RestartSec = "5s";
};
path = [ pkgs.getent ]; # Fix: getent not found in $PATH
};
caddy.routes = [
{
match = [ { host = [ config.hostnames.files ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:${builtins.toString settings.port}"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.files ];
};
}

65
modules/nixos/services/gitea-runner.nix
View File

@ -1,65 +0,0 @@
# Gitea Actions is a CI/CD service for the Gitea source code server, meaning it
# allows us to run code operations (such as testing or deploys) when our git
# repositories are updated. Any machine can act as a Gitea Action Runner, so
# the Runners don't necessarily need to be running Gitea. All we need is an API
# key for Gitea to connect to it and register ourselves as a Runner.
{
config,
pkgs,
lib,
...
}:
{
options.giteaRunner.enable = lib.mkEnableOption "Enable Gitea Actions runner.";
config = lib.mkIf config.giteaRunner.enable {
services.gitea-actions-runner.instances.${config.networking.hostName} = {
enable = true;
labels = [
# Provide a Debian base with NodeJS for actions
# "debian-latest:docker://node:18-bullseye"
# Fake the Ubuntu name, because Node provides no Ubuntu builds
# "ubuntu-latest:docker://node:18-bullseye"
# Provide native execution on the host using below packages
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
name = config.networking.hostName;
url = "https://${config.hostnames.git}";
tokenFile = config.secrets.giteaRunnerToken.dest;
};
# Make sure the runner doesn't start until after Gitea
systemd.services."gitea-runner-${config.networking.hostName}".after = [ "gitea.service" ];
# API key needed to connect to Gitea
secrets.giteaRunnerToken = {
source = ../../../private/gitea-runner-token.age; # TOKEN=xyz
dest = "${config.secretsDirectory}/gitea-runner-token";
};
systemd.services.giteaRunnerToken-secret = {
requiredBy = [
"gitea-runner-${
config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
}.service"
];
before = [
"gitea-runner-${
config.services.gitea-actions-runner.instances.${config.networking.hostName}.name
}.service"
];
};
};
}

153
modules/nixos/services/gitea.nix
View File

@ -1,153 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
giteaPath = "/var/lib/gitea"; # Default service directory
in
{
config = lib.mkIf config.services.gitea.enable {
services.gitea = {
database.type = "sqlite3";
settings = {
actions.ENABLED = true;
metrics.ENABLED = true;
repository = {
# Pushing to a repo that doesn't exist automatically creates one as
# private.
DEFAULT_PUSH_CREATE_PRIVATE = true;
# Allow git over HTTP.
DISABLE_HTTP_GIT = false;
# Allow requests hitting the specified hostname.
ACCESS_CONTROL_ALLOW_ORIGIN = config.hostnames.git;
# Automatically create viable users/orgs on push.
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
# Default when creating new repos.
DEFAULT_BRANCH = "main";
};
server = {
HTTP_PORT = 3001;
HTTP_ADDRESS = "127.0.0.1";
ROOT_URL = "https://${config.hostnames.git}/";
SSH_PORT = 22;
START_SSH_SERVER = false; # Use sshd instead
DISABLE_SSH = false;
};
# Don't allow public users to register accounts.
service.DISABLE_REGISTRATION = true;
# Force using HTTPS for all session access.
session.COOKIE_SECURE = true;
# Hide users' emails.
ui.SHOW_USER_EMAIL = false;
};
extraConfig = null;
};
users.users.${config.user}.extraGroups = [ "gitea" ];
caddy.routes = [
# Prevent public access to Prometheus metrics.
{
match = [
{
host = [ config.hostnames.git ];
path = [ "/metrics*" ];
}
];
handle = [
{
handler = "static_response";
status_code = "403";
}
];
}
# Allow access to primary server.
{
match = [ { host = [ config.hostnames.git ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [
{ dial = "localhost:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"; }
];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.git ];
# Scrape the metrics endpoint for Prometheus.
prometheus.scrapeTargets = [
"127.0.0.1:${builtins.toString config.services.gitea.settings.server.HTTP_PORT}"
];
## Backup config
# Open to groups, allowing for backups
systemd.services.gitea.serviceConfig.StateDirectoryMode = lib.mkForce "0770";
systemd.tmpfiles.rules = [ "f ${giteaPath}/data/gitea.db 0660 gitea gitea" ];
# Allow litestream and gitea to share a sqlite database
users.users.litestream.extraGroups = [ "gitea" ];
users.users.gitea.extraGroups = [ "litestream" ];
# Backup sqlite database with litestream
services.litestream = {
settings = {
dbs = [
{
path = "${giteaPath}/data/gitea.db";
replicas = [ { url = "s3://${config.backup.s3.bucket}.${config.backup.s3.endpoint}/gitea"; } ];
}
];
};
};
# Don't start litestream unless gitea is up
systemd.services.litestream = {
after = [ "gitea.service" ];
requires = [ "gitea.service" ];
};
# Run a repository file backup on a schedule
systemd.timers.gitea-backup = lib.mkIf (config.backup.s3.endpoint != null) {
timerConfig = {
OnCalendar = "*-*-* 00:00:00"; # Once per day
Unit = "gitea-backup.service";
};
wantedBy = [ "timers.target" ];
};
# Backup Gitea repos to object storage
systemd.services.gitea-backup = lib.mkIf (config.backup.s3.endpoint != null) {
description = "Backup Gitea data";
environment.AWS_ACCESS_KEY_ID = config.backup.s3.accessKeyId;
serviceConfig = {
Type = "oneshot";
User = "gitea";
Group = "backup";
EnvironmentFile = config.secrets.backup.dest;
};
script = ''
${pkgs.awscli2}/bin/aws s3 sync --exclude */gitea.db* \
${giteaPath}/ \
s3://${config.backup.s3.bucket}/gitea-data/ \
--endpoint-url=https://${config.backup.s3.endpoint}
'';
};
};
}

25
modules/nixos/services/gnupg.nix
View File

@ -1,25 +0,0 @@
# GPG is an encryption tool. This isn't really in use for me at the moment.
{
config,
pkgs,
lib,
...
}:
{
options.gpg.enable = lib.mkEnableOption "GnuPG encryption.";
config.home-manager.users.${config.user} = lib.mkIf config.gpg.enable {
programs.gpg.enable = true;
services.gpg-agent = {
enable = true;
defaultCacheTtl = 86400; # Resets when used
defaultCacheTtlSsh = 86400; # Resets when used
maxCacheTtl = 34560000; # Can never reset
maxCacheTtlSsh = 34560000; # Can never reset
pinentryFlavor = "tty";
};
home = lib.mkIf config.gui.enable { packages = with pkgs; [ pinentry ]; };
};
}

2577
modules/nixos/services/grafana.nix
View File

File diff suppressed because it is too large Load Diff

22
modules/nixos/services/identity.nix
View File

@ -1,22 +0,0 @@
{ config, ... }:
{
# Wait for secret to be placed on the machine
systemd.services.wait-for-identity = {
description = "Wait until identity file exists on the machine";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
for i in $(seq 1 10); do
if [ -f ${config.identityFile} ]; then
echo "Identity file found."
exit 0
fi
sleep 6
done
'';
};
}

48
modules/nixos/services/immich.nix
View File

@ -1,48 +0,0 @@
{ config, lib, ... }:
{
config = lib.mkIf config.services.immich.enable {
services.immich = {
port = 2283;
group = "shared";
database.enable = true;
redis.enable = true;
machine-learning.enable = true;
machine-learning.environment = { };
mediaLocation = "/data/images";
secretsFile = null;
settings.server.externalDomain = "https://${config.hostnames.photos}";
environment = {
IMMICH_ENV = "production";
IMMICH_LOG_LEVEL = "log";
NO_COLOR = "false";
IMMICH_TRUSTED_PROXIES = "127.0.0.1";
};
};
caddy.routes = [
{
match = [ { host = [ config.hostnames.photos ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:${builtins.toString config.services.immich.port}"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.photos ];
# Point localhost to the local domain
networking.hosts."127.0.0.1" = [ config.hostnames.photos ];
# Backups
services.restic.backups.default.paths = [ "/data/images" ];
};
}

65
modules/nixos/services/influxdb2.nix
View File

@ -1,65 +0,0 @@
# InfluxDB is a timeseries database similar to Prometheus. While
# VictoriaMetrics can also act as an InfluxDB, this version of it allows for
# infinite retention separate from our other metrics, which can be nice for
# recording health information, for example.
{ config, lib, ... }:
{
config = lib.mkIf config.services.influxdb2.enable {
services.influxdb2 = {
provision = {
enable = true;
initialSetup = {
bucket = "default";
organization = "main";
passwordFile = config.secrets.influxdb2Password.dest;
retention = 0; # Keep data forever
tokenFile = config.secrets.influxdb2Token.dest;
username = "admin";
};
};
settings = { };
};
# Create credentials file for InfluxDB admin
secrets.influxdb2Password = lib.mkIf config.services.influxdb2.enable {
source = ../../../private/influxdb2-password.age;
dest = "${config.secretsDirectory}/influxdb2-password";
owner = "influxdb2";
group = "influxdb2";
permissions = "0440";
};
systemd.services.influxdb2Password-secret = lib.mkIf config.services.influxdb2.enable {
requiredBy = [ "influxdb2.service" ];
before = [ "influxdb2.service" ];
};
secrets.influxdb2Token = lib.mkIf config.services.influxdb2.enable {
source = ../../../private/influxdb2-token.age;
dest = "${config.secretsDirectory}/influxdb2-token";
owner = "influxdb2";
group = "influxdb2";
permissions = "0440";
};
systemd.services.influxdb2Token-secret = lib.mkIf config.services.influxdb2.enable {
requiredBy = [ "influxdb2.service" ];
before = [ "influxdb2.service" ];
};
caddy.routes = lib.mkIf config.services.influxdb2.enable [
{
match = [ { host = [ config.hostnames.influxdb ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:8086"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.influxdb ];
};
}

35
modules/nixos/services/irc.nix
View File

@ -1,35 +0,0 @@
{ config, lib, ... }:
{
config = lib.mkIf config.services.thelounge.enable {
services.thelounge = {
public = false;
port = 9000;
extraConfig = {
reverseProxy = true;
maxHistory = 10000;
};
};
# Adding new users:
# nix shell nixpkgs#thelounge
# sudo su - thelounge -s /bin/sh -c "thelounge add myuser"
# Allow web traffic to Caddy
caddy.routes = [
{
match = [ { host = [ config.hostnames.irc ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:${builtins.toString config.services.thelounge.port}"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.irc ];
};
}

79
modules/nixos/services/jellyfin.nix
View File

@ -1,79 +0,0 @@
# Jellyfin is a self-hosted video streaming service. This means I can play my
# server's videos from a webpage, mobile app, or TV client.
{
config,
pkgs,
lib,
...
}:
{
config = lib.mkIf config.services.jellyfin.enable {
services.jellyfin.group = "shared";
users.users.jellyfin = {
isSystemUser = true;
};
caddy.routes = [
# Prevent public access to Prometheus metrics.
{
match = [
{
host = [ config.hostnames.stream ];
path = [ "/metrics*" ];
}
];
handle = [
{
handler = "static_response";
status_code = "403";
}
];
}
# Allow access to normal route.
{
match = [ { host = [ config.hostnames.stream ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:8096"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.stream ];
# Create videos directory, allow anyone in Jellyfin group to manage it
systemd.tmpfiles.rules = [
"d /var/lib/jellyfin 0775 jellyfin shared"
"d /var/lib/jellyfin/library 0775 jellyfin shared"
];
# Enable VA-API for hardware transcoding
hardware.graphics = {
enable = true;
extraPackages = [ pkgs.libva ];
};
environment.systemPackages = [ pkgs.libva-utils ];
environment.variables = {
# VAAPI and VDPAU config for accelerated video.
# See https://wiki.archlinux.org/index.php/Hardware_video_acceleration
"VDPAU_DRIVER" = "radeonsi";
"LIBVA_DRIVER_NAME" = "radeonsi";
};
users.users.jellyfin.extraGroups = [
"render"
"video"
]; # Access to /dev/dri
# Fix issue where Jellyfin-created directories don't allow access for media group
systemd.services.jellyfin.serviceConfig.UMask = lib.mkForce "0007";
# Requires MetricsEnable is true in /var/lib/jellyfin/config/system.xml
prometheus.scrapeTargets = [ "127.0.0.1:8096" ];
};
}

40
modules/nixos/services/keybase.nix
View File

@ -1,40 +0,0 @@
# Keybase is an encrypted communications tool with a synchronized encrypted
# filestore that can be mounted onto a machine's filesystem.
{
config,
pkgs,
lib,
...
}:
{
options.keybase.enable = lib.mkEnableOption "Keybase.";
config = lib.mkIf config.keybase.enable {
home-manager.users.${config.user} = lib.mkIf config.keybase.enable {
services.keybase.enable = true;
services.kbfs = {
enable = true;
mountPoint = "keybase";
};
# https://github.com/nix-community/home-manager/issues/4722
systemd.user.services.kbfs.Service.PrivateTmp = lib.mkForce false;
home.packages = [ (lib.mkIf config.gui.enable pkgs.keybase-gui) ];
home.file =
let
ignorePatterns = ''
keybase/
kbfs/'';
in
{
".rgignore".text = ignorePatterns;
".fdignore".text = ignorePatterns;
};
};
};
}

18
modules/nixos/services/mullvad.nix
View File

@ -1,18 +0,0 @@
# Mullvad is a VPN service. This isn't currently in use for me at the moment.
{
config,
pkgs,
lib,
...
}:
{
options.mullvad.enable = lib.mkEnableOption "Mullvad VPN.";
config = lib.mkIf config.mullvad.enable {
services.mullvad-vpn.enable = true;
environment.systemPackages = [ pkgs.mullvad-vpn ];
};
}

40
modules/nixos/services/n8n.nix
View File

@ -1,40 +0,0 @@
# n8n is an automation integration tool for connecting data from services
# together with triggers.
{ config, lib, ... }:
{
config = lib.mkIf config.services.n8n.enable {
unfreePackages = [ "n8n" ];
services.n8n = {
webhookUrl = "https://${config.hostnames.n8n}";
settings = {
listen_address = "127.0.0.1";
port = 5678;
};
};
systemd.services.n8n.environment = {
N8N_EDITOR_BASE_URL = config.services.n8n.webhookUrl;
};
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.n8n ];
# Allow web traffic to Caddy
caddy.routes = [
{
match = [ { host = [ config.hostnames.n8n ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:${builtins.toString config.services.n8n.settings.port}"; } ];
}
];
}
];
};
}

20
modules/nixos/services/netdata.nix
View File

@ -1,20 +0,0 @@
# Netdata is an out-of-the-box monitoring tool that exposes many different
# metrics. Not currently in use, in favor of VictoriaMetrics and Grafana.
{ config, lib, ... }:
{
options.netdata.enable = lib.mkEnableOption "Netdata metrics.";
config = lib.mkIf config.netdata.enable {
services.netdata = {
enable = true;
# Disable local dashboard (unsecured)
config = {
web.mode = "none";
};
};
};
}

228
modules/nixos/services/nextcloud.nix
View File

@ -1,228 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
config = lib.mkIf config.services.nextcloud.enable {
services.nextcloud = {
package = pkgs.nextcloud30; # Required to specify
configureRedis = true;
datadir = "/data/nextcloud";
database.createLocally = true;
https = true;
hostName = "localhost";
maxUploadSize = "50G";
config = {
adminpassFile = config.secrets.nextcloud.dest;
dbtype = "pgsql";
};
settings = {
default_phone_region = "US";
# Allow access when hitting either of these hosts or IPs
trusted_domains = [ config.hostnames.content ];
trusted_proxies = [ "127.0.0.1" ];
maintenance_window_start = 4; # Run jobs at 4am UTC
log_type = "file";
loglevel = 1; # Include all actions in the log
};
extraAppsEnable = true;
extraApps = {
calendar = config.services.nextcloud.package.packages.apps.calendar;
contacts = config.services.nextcloud.package.packages.apps.contacts;
# These apps are defined and pinned by overlay in flake.
news = pkgs.nextcloudApps.news;
external = pkgs.nextcloudApps.external;
cookbook = pkgs.nextcloudApps.cookbook;
snappymail = pkgs.nextcloudApps.snappymail;
};
phpOptions = {
"opcache.interned_strings_buffer" = "16";
"output_buffering" = "0";
};
};
# Don't let Nginx use main ports (using Caddy instead)
services.nginx.enable = false;
services.phpfpm.pools.nextcloud.settings = {
"listen.owner" = config.services.caddy.user;
"listen.group" = config.services.caddy.group;
};
users.users.caddy.extraGroups = [ "nextcloud" ];
# Point Caddy to Nginx
caddy.routes = [
{
match = [ { host = [ config.hostnames.content ]; } ];
handle = [
{
handler = "subroute";
routes = [
# Sets variables and headers
{
handle = [
{
handler = "vars";
# Grab the webroot out of the written config
# The webroot is a symlinked combined Nextcloud directory
root = config.services.nginx.virtualHosts.${config.services.nextcloud.hostName}.root;
}
{
handler = "headers";
response.set.Strict-Transport-Security = [ "max-age=31536000;" ];
}
];
}
# Reroute carddav and caldav traffic
{
match = [
{
path = [
"/.well-known/carddav"
"/.well-known/caldav"
];
}
];
handle = [
{
handler = "static_response";
headers = {
Location = [ "/remote.php/dav" ];
};
status_code = 301;
}
];
}
# Block traffic to sensitive files
{
match = [
{
path = [
"/.htaccess"
"/data/*"
"/config/*"
"/db_structure"
"/.xml"
"/README"
"/3rdparty/*"
"/lib/*"
"/templates/*"
"/occ"
"/console.php"
];
}
];
handle = [
{
handler = "static_response";
status_code = 404;
}
];
}
# Redirect index.php to the homepage
{
match = [
{
file = {
try_files = [ "{http.request.uri.path}/index.php" ];
};
not = [ { path = [ "*/" ]; } ];
}
];
handle = [
{
handler = "static_response";
headers = {
Location = [ "{http.request.orig_uri.path}/" ];
};
status_code = 308;
}
];
}
# Rewrite paths to be relative
{
match = [
{
file = {
split_path = [ ".php" ];
try_files = [
"{http.request.uri.path}"
"{http.request.uri.path}/index.php"
"index.php"
];
};
}
];
handle = [
{
handler = "rewrite";
uri = "{http.matchers.file.relative}";
}
];
}
# Send all PHP traffic to Nextcloud PHP service
{
match = [ { path = [ "*.php" ]; } ];
handle = [
{
handler = "reverse_proxy";
transport = {
protocol = "fastcgi";
split_path = [ ".php" ];
};
upstreams = [ { dial = "unix//run/phpfpm/nextcloud.sock"; } ];
}
];
}
# Finally, send the rest to the file server
{ handle = [ { handler = "file_server"; } ]; }
];
}
];
terminal = true;
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.content ];
# Create credentials file for nextcloud
secrets.nextcloud = {
source = ../../../private/nextcloud.age;
dest = "${config.secretsDirectory}/nextcloud";
owner = "nextcloud";
group = "nextcloud";
permissions = "0440";
};
systemd.services.nextcloud-secret = {
requiredBy = [ "nextcloud-setup.service" ];
before = [ "nextcloud-setup.service" ];
};
# Grant user access to Nextcloud directories
users.users.${config.user}.extraGroups = [ "nextcloud" ];
# Open to groups, allowing for backups
systemd.services.phpfpm-nextcloud.serviceConfig.StateDirectoryMode = lib.mkForce "0770";
# Log metrics to prometheus
networking.hosts."127.0.0.1" = [ config.hostnames.content ];
services.prometheus.exporters.nextcloud = {
enable = config.prometheus.exporters.enable;
username = config.services.nextcloud.config.adminuser;
url = "https://${config.hostnames.content}";
passwordFile = config.services.nextcloud.config.adminpassFile;
};
prometheus.scrapeTargets = [
"127.0.0.1:${builtins.toString config.services.prometheus.exporters.nextcloud.port}"
];
# Allows nextcloud-exporter to read passwordFile
users.users.nextcloud-exporter.extraGroups =
lib.mkIf config.services.prometheus.exporters.nextcloud.enable
[ "nextcloud" ];
};
}

33
modules/nixos/services/ntfy.nix
View File

@ -1,33 +0,0 @@
{ config, lib, ... }:
{
config = lib.mkIf config.services.ntfy-sh.enable {
services.ntfy-sh = {
settings = {
base-url = "https://${config.hostnames.notifications}";
upstream-base-url = "https://ntfy.sh";
listen-http = ":8333";
behind-proxy = true;
auth-default-access = "deny-all";
auth-file = "/var/lib/ntfy-sh/user.db";
};
};
caddy.routes = [
{
match = [ { host = [ config.hostnames.notifications ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost${config.services.ntfy-sh.settings.listen-http}"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.notifications ];
};
}

65
modules/nixos/services/paperless.nix
View File

@ -1,65 +0,0 @@
# Paperless-ngx is a document scanning and management solution.
{ config, lib, ... }:
{
config = lib.mkIf config.services.paperless.enable {
services.paperless = {
mediaDir = "/data/generic/paperless";
passwordFile = config.secrets.paperless.dest;
settings = {
PAPERLESS_OCR_USER_ARGS = builtins.toJSON { invalidate_digital_signatures = true; };
# Enable if changing the path name in Caddy
# PAPERLESS_FORCE_SCRIPT_NAME = "/paperless";
# PAPERLESS_STATIC_URL = "/paperless/static/";
};
};
# Allow Nextcloud and user to see files
users.users.nextcloud.extraGroups = lib.mkIf config.services.nextcloud.enable [ "paperless" ];
users.users.${config.user}.extraGroups = [ "paperless" ];
caddy.routes = [
{
match = [
{
host = [ config.hostnames.paperless ];
# path = [ "/paperless*" ]; # Change path name in Caddy
}
];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:${builtins.toString config.services.paperless.port}"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.paperless ];
secrets.paperless = {
source = ../../../private/prometheus.age;
dest = "${config.secretsDirectory}/paperless";
owner = "paperless";
group = "paperless";
permissions = "0440";
};
systemd.services.paperless-secret = {
requiredBy = [ "paperless.service" ];
before = [ "paperless.service" ];
};
# Fix paperless shared permissions
systemd.services.paperless-web.serviceConfig.UMask = lib.mkForce "0026";
systemd.services.paperless-scheduler.serviceConfig.UMask = lib.mkForce "0026";
systemd.services.paperless-task-queue.serviceConfig.UMask = lib.mkForce "0026";
# Backups
services.restic.backups.default.paths = [ "/data/generic/paperless/documents" ];
};
}

36
modules/nixos/services/postgresql.nix
View File

@ -1,36 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
services.postgresql = {
package = pkgs.postgresql_15;
settings = { };
authentication = ''
local all postgres peer map=root
local all admin peer map=admin
'';
identMap = ''
root postgres postgres
root root postgres
admin ${config.user} admin
'';
ensureUsers = [
{
name = "admin";
ensureClauses = {
createdb = true;
createrole = true;
login = true;
};
}
];
};
home-manager.users.${config.user}.home.packages = lib.mkIf config.services.postgresql.enable [
pkgs.pgcli # Postgres client with autocomplete
];
}

119
modules/nixos/services/prometheus.nix
View File

@ -1,119 +0,0 @@
# Prometheus is a timeseries database that exposes system and service metrics
# for use in visualizing, monitoring, and alerting (with Grafana).
# Instead of running traditional Prometheus, I generally run VictoriaMetrics as
# a more efficient drop-in replacement.
{
config,
pkgs,
lib,
...
}:
{
options.prometheus = {
exporters.enable = lib.mkEnableOption "Enable Prometheus exporters";
scrapeTargets = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "Prometheus scrape targets";
default = [ ];
};
};
config =
let
# If hosting Grafana, host local Prometheus and listen for inbound jobs. If
# not hosting Grafana, send remote Prometheus writes to primary host.
isServer = config.services.grafana.enable;
in
{
# Turn on exporters if any Prometheus scraper is running
prometheus.exporters.enable = builtins.any (x: x) [
config.services.prometheus.enable
config.services.victoriametrics.enable
config.services.vmagent.enable
];
prometheus.scrapeTargets = [
"127.0.0.1:${builtins.toString config.services.prometheus.exporters.node.port}"
"127.0.0.1:${builtins.toString config.services.prometheus.exporters.systemd.port}"
"127.0.0.1:${builtins.toString config.services.prometheus.exporters.process.port}"
];
services.prometheus = {
exporters.node.enable = config.prometheus.exporters.enable;
exporters.node.enabledCollectors = [ ];
exporters.node.disabledCollectors = [ "cpufreq" ];
exporters.systemd.enable = config.prometheus.exporters.enable;
exporters.process.enable = config.prometheus.exporters.enable;
exporters.process.settings.process_names = [
# Remove nix store path from process name
{
name = "{{.Matches.Wrapped}} {{ .Matches.Args }}";
cmdline = [ "^/nix/store[^ ]*/(?P<Wrapped>[^ /]*) (?P<Args>.*)" ];
}
];
extraFlags = lib.mkIf isServer [ "--web.enable-remote-write-receiver" ];
scrapeConfigs = [
{
job_name = config.networking.hostName;
static_configs = [ { targets = config.scrapeTargets; } ];
}
];
webExternalUrl = lib.mkIf isServer "https://${config.hostnames.prometheus}";
# Web config file: https://prometheus.io/docs/prometheus/latest/configuration/https/
webConfigFile = lib.mkIf isServer (
(pkgs.formats.yaml { }).generate "webconfig.yml" {
basic_auth_users = {
# Generate password: htpasswd -nBC 10 "" | tr -d ':\n'
# Encrypt and place in private/prometheus.age
"prometheus" = "$2y$10$r7FWHLHTGPAY312PdhkPEuvb05aGn9Nk1IO7qtUUUjmaDl35l6sLa";
};
}
);
remoteWrite = lib.mkIf (!isServer) [
{
name = config.networking.hostName;
url = "https://${config.hostnames.prometheus}/api/v1/write";
basic_auth = {
# Uses password hashed with bcrypt above
username = "prometheus";
password_file = config.secrets.prometheus.dest;
};
}
];
};
# Create credentials file for remote Prometheus push
secrets.prometheus = lib.mkIf (config.services.prometheus.enable && !isServer) {
source = ../../../private/prometheus.age;
dest = "${config.secretsDirectory}/prometheus";
owner = "prometheus";
group = "prometheus";
permissions = "0440";
};
systemd.services.prometheus-secret = lib.mkIf (config.services.prometheus.enable && !isServer) {
requiredBy = [ "prometheus.service" ];
before = [ "prometheus.service" ];
};
caddy.routes = lib.mkIf (config.services.prometheus.enable && isServer) [
{
match = [ { host = [ config.hostnames.prometheus ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:${config.services.prometheus.port}"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains =
if (config.services.prometheus.enable && isServer) then [ config.hostnames.prometheus ] else [ ];
};
}

33
modules/nixos/services/samba.nix
View File

@ -1,33 +0,0 @@
# Samba is a Windows-compatible file-sharing service.
{ config, lib, ... }:
{
config = {
services.samba = lib.mkIf config.services.samba.enable {
openFirewall = true;
settings.data = {
path = "/data";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
comment = "NAS";
};
};
# Allows Windows clients to discover server
services.samba-wsdd.enable = true;
networking.firewall.allowedTCPPorts = [ 5357 ];
networking.firewall.allowedUDPPorts = [ 3702 ];
# Allow client browsing Samba and virtual filesystem shares
services.gvfs = lib.mkIf (config.gui.enable && config.nautilus.enable) { enable = true; };
# # Permissions required to mount Samba with GVFS, if not using desktop environment
# environment.systemPackages = lib.mkIf (config.gui.enable
# && config.nautilus.enable
# && config.services.xserver.windowManager.i3.enable)
# [ pkgs.lxqt.lxqt-policykit ];
};
}

102
modules/nixos/services/secrets.nix
View File

@ -1,102 +0,0 @@
# Secrets management method taken from here:
# https://xeiaso.net/blog/nixos-encrypted-secrets-2021-01-20
# In my case, I pre-encrypt my secrets and commit them to git.
{
config,
pkgs,
lib,
...
}:
{
options = {
secretsDirectory = lib.mkOption {
type = lib.types.str;
description = "Default path to place secrets.";
default = "/var/private";
};
secrets = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
options = {
source = lib.mkOption {
type = lib.types.path;
description = "Path to encrypted secret.";
};
dest = lib.mkOption {
type = lib.types.str;
description = "Resulting path for decrypted secret.";
};
owner = lib.mkOption {
default = "root";
type = lib.types.str;
description = "User to own the secret.";
};
group = lib.mkOption {
default = "root";
type = lib.types.str;
description = "Group to own the secret.";
};
permissions = lib.mkOption {
default = "0400";
type = lib.types.str;
description = "Permissions expressed as octal.";
};
prefix = lib.mkOption {
default = "";
type = lib.types.str;
description = "Prefix for secret value (for environment files).";
};
};
}
);
description = "Set of secrets to decrypt to disk.";
default = { };
};
};
config = lib.mkIf pkgs.stdenv.isLinux {
# Create a default directory to place secrets
systemd.tmpfiles.rules = [ "d ${config.secretsDirectory} 0755 root wheel" ];
# Declare oneshot service to decrypt secret using SSH host key
# - Requires that the secret is already encrypted for the host
# - Encrypt secrets: nix run github:nmasur/dotfiles#encrypt-secret
systemd.services = lib.mapAttrs' (name: attrs: {
name = "${name}-secret";
value = {
description = "Decrypt secret for ${name}";
wantedBy = [ "multi-user.target" ];
bindsTo = [ "wait-for-identity.service" ];
after = [ "wait-for-identity.service" ];
serviceConfig.Type = "oneshot";
script = ''
echo "${attrs.prefix}$(
${pkgs.age}/bin/age --decrypt \
--identity ${config.identityFile} ${attrs.source}
)" > ${attrs.dest}
chown '${attrs.owner}':'${attrs.group}' '${attrs.dest}'
chmod '${attrs.permissions}' '${attrs.dest}'
'';
};
}) config.secrets;
# Example declaration
# config.secrets.my-secret = {
# source = ../../private/my-secret.age;
# dest = "/var/lib/private/my-secret";
# owner = "my-app";
# group = "my-app";
# permissions = "0440";
# };
};
}

49
modules/nixos/services/sshd.nix
View File

@ -1,49 +0,0 @@
# SSHD service for allowing SSH access to my machines.
{
config,
pkgs,
lib,
...
}:
{
options = {
publicKeys = lib.mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.str);
description = "Public SSH key authorized for this system.";
default = null;
};
permitRootLogin = lib.mkOption {
type = lib.types.str;
description = "Root login settings.";
default = "no";
};
};
config = lib.mkIf config.services.openssh.enable {
services.openssh = {
ports = [ 22 ];
allowSFTP = true;
settings = {
GatewayPorts = "no";
X11Forwarding = false;
PasswordAuthentication = false;
PermitRootLogin = lib.mkDefault config.permitRootLogin;
};
};
users.users.${config.user}.openssh.authorizedKeys.keys = lib.mkIf (
config.publicKeys != null
) config.publicKeys;
# Implement a simple fail2ban service for sshd
services.sshguard.enable = true;
# Add terminfo for SSH from popular terminal emulators
# Fix: terminfo now installs contour, which is broken on ARM
# - https://github.com/NixOS/nixpkgs/pull/253334
# - Will disable until fixed
environment.enableAllTerminfo = pkgs.stdenv.isLinux && pkgs.stdenv.isx86_64;
};
}

103
modules/nixos/services/transmission.nix
View File

@ -1,103 +0,0 @@
# Transmission is a bittorrent client, which can run in the background for
# automated downloads with a web GUI.
{
config,
pkgs,
lib,
...
}:
{
config =
let
namespace = config.networking.wireguard.interfaces.wg0.interfaceNamespace;
vpnIp = lib.strings.removeSuffix "/32" (
builtins.head config.networking.wireguard.interfaces.wg0.ips
);
in
lib.mkIf config.services.transmission.enable {
# Setup transmission
services.transmission = {
settings = {
port-forwarding-enabled = false;
rpc-authentication-required = true;
rpc-port = 9091;
rpc-bind-address = "0.0.0.0";
rpc-username = config.user;
# This is a salted hash of the real password
# https://github.com/tomwijnroks/transmission-pwgen
rpc-password = "{c4c5145f6e18bcd3c7429214a832440a45285ce26jDOBGVW";
rpc-host-whitelist = config.hostnames.transmission;
rpc-host-whitelist-enabled = true;
rpc-whitelist = lib.mkDefault "127.0.0.1"; # Overwritten by Cloudflare
rpc-whitelist-enabled = true;
};
};
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.transmission ];
# Bind transmission to wireguard namespace
systemd.services.transmission = lib.mkIf config.wireguard.enable {
bindsTo = [ "netns@${namespace}.service" ];
requires = [
"network-online.target"
"transmission-secret.service"
];
after = [
"wireguard-wg0.service"
"transmission-secret.service"
];
unitConfig.JoinsNamespaceOf = "netns@${namespace}.service";
serviceConfig.NetworkNamespacePath = "/var/run/netns/${namespace}";
};
# Create reverse proxy for web UI
caddy.routes =
let
# Set if the download domain is the same as the Transmission domain
useDownloadDomain = config.hostnames.download == config.hostnames.transmission;
in
lib.mkAfter [
{
group = if useDownloadDomain then "download" else "transmission";
match = [
{
host = [ config.hostnames.transmission ];
path = if useDownloadDomain then [ "/transmission*" ] else null;
}
];
handle = [
{
handler = "reverse_proxy";
upstreams = [
{ dial = "localhost:${builtins.toString config.services.transmission.settings.rpc-port}"; }
];
}
];
}
];
# Caddy and Transmission both try to set rmem_max for larger UDP packets.
# We will choose Transmission's recommendation (4 MB).
boot.kernel.sysctl."net.core.rmem_max" = 4194304;
# Allow inbound connections to reach namespace
systemd.services.transmission-web-netns = lib.mkIf config.wireguard.enable {
description = "Forward to transmission in wireguard namespace";
requires = [ "transmission.service" ];
after = [ "transmission.service" ];
serviceConfig = {
Restart = "on-failure";
TimeoutStopSec = 300;
};
wantedBy = [ "multi-user.target" ];
script = ''
${pkgs.iproute2}/bin/ip netns exec ${namespace} ${pkgs.iproute2}/bin/ip link set dev lo up
${pkgs.socat}/bin/socat tcp-listen:9091,fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec ${namespace} ${pkgs.socat}/bin/socat STDIO "tcp-connect:${vpnIp}:9091"',nofork
'';
};
};
}

32
modules/nixos/services/uptime-kuma.nix
View File

@ -1,32 +0,0 @@
{ config, lib, ... }:
{
config = lib.mkIf config.services.uptime-kuma.enable {
services.uptime-kuma = {
settings = {
PORT = "3033";
};
};
# Allow web traffic to Caddy
caddy.routes = [
{
match = [ { host = [ config.hostnames.status ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [
{ dial = "localhost:${config.services.uptime-kuma.settings.PORT}"; }
];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.status ];
};
}

129
modules/nixos/services/vaultwarden.nix
View File

@ -1,129 +0,0 @@
# Vaultwarden is an implementation of the Bitwarden password manager backend
# service, which allows for self-hosting the synchronization of a Bitwarden
# password manager client.
{
config,
pkgs,
lib,
...
}:
let
vaultwardenPath = "/var/lib/bitwarden_rs"; # Default service directory
in
{
config = lib.mkIf config.services.vaultwarden.enable {
services.vaultwarden = {
config = {
DOMAIN = "https://${config.hostnames.secrets}";
SIGNUPS_ALLOWED = false;
SIGNUPS_VERIFY = true;
INVITATIONS_ALLOWED = true;
WEB_VAULT_ENABLED = true;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
WEBSOCKET_ENABLED = true;
WEBSOCKET_ADDRESS = "0.0.0.0";
WEBSOCKET_PORT = 3012;
LOGIN_RATELIMIT_SECONDS = 60;
LOGIN_RATELIMIT_MAX_BURST = 10;
ADMIN_RATELIMIT_SECONDS = 300;
ADMIN_RATELIMIT_MAX_BURST = 3;
};
environmentFile = config.secrets.vaultwarden.dest;
dbBackend = "sqlite";
};
secrets.vaultwarden = {
source = ../../../private/vaultwarden.age;
dest = "${config.secretsDirectory}/vaultwarden";
owner = "vaultwarden";
group = "vaultwarden";
};
networking.firewall.allowedTCPPorts = [ 3012 ];
caddy.routes = [
{
match = [ { host = [ config.hostnames.secrets ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [
{ dial = "localhost:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}"; }
];
headers.request.add."X-Real-IP" = [ "{http.request.remote.host}" ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains = [ config.hostnames.secrets ];
## Backup config
# Open to groups, allowing for backups
systemd.services.vaultwarden.serviceConfig.StateDirectoryMode = lib.mkForce "0770";
systemd.tmpfiles.rules = [
"f ${vaultwardenPath}/db.sqlite3 0660 vaultwarden vaultwarden"
"f ${vaultwardenPath}/db.sqlite3-shm 0660 vaultwarden vaultwarden"
"f ${vaultwardenPath}/db.sqlite3-wal 0660 vaultwarden vaultwarden"
];
# Allow litestream and vaultwarden to share a sqlite database
users.users.litestream.extraGroups = [ "vaultwarden" ];
users.users.vaultwarden.extraGroups = [ "litestream" ];
# Backup sqlite database with litestream
services.litestream = {
settings = {
dbs = [
{
path = "${vaultwardenPath}/db.sqlite3";
replicas = [
{ url = "s3://${config.backup.s3.bucket}.${config.backup.s3.endpoint}/vaultwarden"; }
];
}
];
};
};
# Don't start litestream unless vaultwarden is up
systemd.services.litestream = {
after = [ "vaultwarden.service" ];
requires = [ "vaultwarden.service" ];
};
# Run a separate file backup on a schedule
systemd.timers.vaultwarden-backup = {
timerConfig = {
OnCalendar = "*-*-* 06:00:00"; # Once per day
Unit = "vaultwarden-backup.service";
};
wantedBy = [ "timers.target" ];
};
# Backup other Vaultwarden data to object storage
systemd.services.vaultwarden-backup = {
description = "Backup Vaultwarden files";
environment.AWS_ACCESS_KEY_ID = config.backup.s3.accessKeyId;
serviceConfig = {
Type = "oneshot";
User = "vaultwarden";
Group = "backup";
EnvironmentFile = config.secrets.backup.dest;
};
script = ''
${pkgs.awscli2}/bin/aws s3 sync \
${vaultwardenPath}/ \
s3://${config.backup.s3.bucket}/vaultwarden/ \
--endpoint-url=https://${config.backup.s3.endpoint} \
--exclude "*db.sqlite3*" \
--exclude ".db.sqlite3*"
'';
};
};
}

110
modules/nixos/services/victoriametrics.nix
View File

@ -1,110 +0,0 @@
# VictoriaMetrics is a more efficient drop-in replacement for Prometheus and
# InfluxDB (timeseries databases built for monitoring system metrics).
{
config,
pkgs,
lib,
pkgs-stable,
...
}:
let
username = "prometheus";
prometheusConfig = {
scrape_configs = [
{
job_name = config.networking.hostName;
stream_parse = true;
static_configs = [ { targets = config.prometheus.scrapeTargets; } ];
}
];
};
authConfig = (pkgs.formats.yaml { }).generate "auth.yml" {
users = [
{
username = username;
password = "%{PASSWORD}";
url_prefix = "http://localhost${config.services.victoriametrics.listenAddress}";
}
];
};
authPort = "8427";
in
{
config = {
services.victoriametrics.extraOptions = [
"-promscrape.config=${(pkgs.formats.yaml { }).generate "scrape.yml" prometheusConfig}"
];
systemd.services.vmauth = lib.mkIf config.services.victoriametrics.enable {
description = "VictoriaMetrics basic auth proxy";
after = [ "network.target" ];
startLimitBurst = 5;
serviceConfig = {
Restart = "on-failure";
RestartSec = 1;
DynamicUser = true;
EnvironmentFile = config.secrets.vmauth.dest;
ExecStart = ''
${pkgs.victoriametrics}/bin/vmauth \
-auth.config=${authConfig} \
-httpListenAddr=:${authPort}'';
};
wantedBy = [ "multi-user.target" ];
};
secrets.vmauth = lib.mkIf config.services.victoriametrics.enable {
source = ../../../private/prometheus.age;
dest = "${config.secretsDirectory}/vmauth";
prefix = "PASSWORD=";
};
systemd.services.vmauth-secret = lib.mkIf config.services.victoriametrics.enable {
requiredBy = [ "vmauth.service" ];
before = [ "vmauth.service" ];
};
caddy.routes = lib.mkIf config.services.victoriametrics.enable [
{
match = [ { host = [ config.hostnames.prometheus ]; } ];
handle = [
{
handler = "reverse_proxy";
upstreams = [ { dial = "localhost:${authPort}"; } ];
}
];
}
];
# Configure Cloudflare DNS to point to this machine
services.cloudflare-dyndns.domains =
if config.services.victoriametrics.enable then [ config.hostnames.prometheus ] else [ ];
# VMAgent
services.vmagent = {
package = pkgs-stable.vmagent;
prometheusConfig = prometheusConfig;
remoteWrite = {
url = "https://${config.hostnames.prometheus}/api/v1/write";
basicAuthUsername = username;
basicAuthPasswordFile = config.secrets.vmagent.dest;
};
};
secrets.vmagent = lib.mkIf config.services.vmagent.enable {
source = ../../../private/prometheus.age;
dest = "${config.secretsDirectory}/vmagent";
};
systemd.services.vmagent-secret = lib.mkIf config.services.vmagent.enable {
requiredBy = [ "vmagent.service" ];
before = [ "vmagent.service" ];
};
};
}

54
modules/nixos/services/wireguard.nix
View File

@ -1,54 +0,0 @@
# Wireguard is a VPN protocol that can be setup to create a mesh network
# between machines on different LANs. This is currently not in use in my setup.
{
config,
pkgs,
lib,
...
}:
{
options.wireguard.enable = lib.mkEnableOption "Wireguard VPN setup.";
config = lib.mkIf (pkgs.stdenv.isLinux) {
networking.wireguard = {
enable = config.wireguard.enable;
interfaces = {
wg0 = {
# Something to use as a default value
ips = lib.mkDefault [ "127.0.0.1/32" ];
# Establishes identity of this machine
generatePrivateKeyFile = false;
privateKeyFile = config.secrets.wireguard.dest;
# Move to network namespace for isolating programs
interfaceNamespace = "wg";
};
};
};
# Create namespace for Wireguard
# This allows us to isolate specific programs to Wireguard
systemd.services."netns@" = {
enable = config.wireguard.enable;
description = "%I network namespace";
before = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
};
};
# Create private key file for wireguard
secrets.wireguard = lib.mkIf config.wireguard.enable {
source = ../../../private/wireguard.age;
dest = "${config.secretsDirectory}/wireguard";
};
};
}

54
modules/nixos/system/auto-upgrade.nix
View File

@ -1,54 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
# This setting only applies to NixOS, different on Darwin
nix.gc.dates = "09:03"; # Run every morning (but before upgrade)
# Update the system daily by pointing it at the flake repository
system.autoUpgrade = {
enable = lib.mkDefault false; # Don't enable by default
dates = "09:33";
flake = "git+${config.dotfilesRepo}";
randomizedDelaySec = "25min";
operation = "switch";
allowReboot = true;
rebootWindow = {
lower = "09:01";
upper = "11:00";
};
};
# Create an email notification service for failed jobs
systemd.services."notify-email@" =
let
address = "system@${config.mail.server}";
in
{
enable = config.mail.enable;
environment.SERVICE_ID = "%i";
script = ''
TEMPFILE=$(mktemp)
echo "From: ${address}" > $TEMPFILE
echo "To: ${address}" >> $TEMPFILE
echo "Subject: Failure in $SERVICE_ID" >> $TEMPFILE
echo -e "\nGot an error with $SERVICE_ID\n\n" >> $TEMPFILE
set +e
systemctl status $SERVICE_ID >> $TEMPFILE
set -e
${pkgs.msmtp}/bin/msmtp \
--file=${config.homePath}/.config/msmtp/config \
--account=system \
${address} < $TEMPFILE
'';
};
# Send an email whenever auto upgrade fails
systemd.services.nixos-upgrade.onFailure = lib.mkIf config.systemd.services."notify-email@".enable [
"notify-email@%i.service"
];
}

23
modules/nixos/system/default.nix
View File

@ -1,23 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
imports = [
./auto-upgrade.nix
./doas.nix
./journald.nix
./shared.nix
./user.nix
./timezone.nix
];
config = lib.mkIf pkgs.stdenv.isLinux {
# Pin a state version to prevent warnings
system.stateVersion = config.home-manager.users.${config.user}.home.stateVersion;
};
}

48
modules/nixos/system/doas.nix
View File

@ -1,48 +0,0 @@
# Replace sudo with doas
{
config,
pkgs,
lib,
...
}:
{
config = lib.mkIf pkgs.stdenv.isLinux {
security = {
# Remove sudo
sudo.enable = false;
# Add doas
doas = {
enable = true;
# No password required for trusted users
wheelNeedsPassword = false;
# Pass environment variables from user to root
# Also requires specifying that we are removing password here
extraRules = [
{
groups = [ "wheel" ];
noPass = true;
keepEnv = true;
}
];
};
};
home-manager.users.${config.user}.programs = {
# Alias sudo to doas for convenience
fish.shellAliases = {
sudo = "doas";
};
# Disable overriding our sudo alias with a TERMINFO alias
kitty.settings.shell_integration = "no-sudo";
};
};
}

14
modules/nixos/system/journald.nix
View File

@ -1,14 +0,0 @@
{ ... }:
{
# How long to keep journalctl entries
# This helps to make sure log disk usage doesn't grow too unwieldy
services.journald.extraConfig = ''
SystemMaxUse=4G
SystemKeepFree=10G
SystemMaxFileSize=128M
SystemMaxFiles=500
MaxFileSec=1month
MaxRetentionSec=2month
'';
}

14
modules/nixos/system/shared.nix
View File

@ -1,14 +0,0 @@
{ config, lib, ... }:
{
config = lib.mkIf config.server {
# Create a shared group for many services
users.groups.shared = { };
# Give the human user access to the shared group
users.users.${config.user}.extraGroups = [ config.users.groups.shared.name ];
};
}

21
modules/nixos/system/timezone.nix
View File

@ -1,21 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
config = lib.mkIf pkgs.stdenv.isLinux {
services.tzupdate.enable = true;
# Service to determine location for time zone
# This is required for redshift which depends on the location provider
services.geoclue2.enable = true;
services.geoclue2.enableWifi = false; # Breaks when it can't connect
location = {
provider = "geoclue2";
};
};
}

72
modules/nixos/system/user.nix
View File

@ -1,72 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
options = {
passwordHash = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Password created with mkpasswd -m sha-512";
default = null;
# Test it by running: mkpasswd -m sha-512 --salt "PZYiMGmJIIHAepTM"
};
};
config = {
# Allows us to declaritively set password
users.mutableUsers = false;
# Define a user account. Don't forget to set a password with passwd.
users.users.${config.user} = {
# Create a home directory for human user
isNormalUser = true;
# Automatically create a password to start
hashedPassword = config.passwordHash;
extraGroups = [
"wheel" # Sudo privileges
];
};
# Allow writing custom scripts outside of Nix
# Probably shouldn't make this a habit
environment.localBinInPath = true;
home-manager.users.${config.user}.xdg = {
# Allow Nix to manage the default applications list
mimeApps.enable = true;
# Create a desktop option for Burp
desktopEntries.burp = lib.mkIf pkgs.stdenv.isLinux {
name = "Burp";
exec = "${config.homePath}/.local/bin/burp.sh";
categories = [ "Application" ];
};
# Set directories for application defaults
userDirs = {
enable = true;
createDirectories = true;
documents = "$HOME/documents";
download = config.userDirs.download;
music = "$HOME/media/music";
pictures = "$HOME/media/images";
videos = "$HOME/media/videos";
desktop = "$HOME/other/desktop";
publicShare = "$HOME/other/public";
templates = "$HOME/other/templates";
extraConfig = {
XDG_DEV_DIR = "$HOME/dev";
};
};
};
};
}