CaZzzer/nix-conf
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: CaZzzer:home/refactor
Branches Tags
CaZzzer:master CaZzzer:updates CaZzzer:router/home-assistant CaZzzer:router/keepalived CaZzzer:router/module-1 CaZzzer:router/module CaZzzer:router/desktop CaZzzer:router/wireguard CaZzzer:home/refactor CaZzzer:feature/glance CaZzzer:feature/router-4 CaZzzer:feature/router-3 CaZzzer:feature/router-1 CaZzzer:feature/router CaZzzer:feature/router-2 CaZzzer:feature/home-manager CaZzzer:feature/ollama
..
compare: CaZzzer:feature/router-3
Branches Tags
CaZzzer:updates CaZzzer:master CaZzzer:router/home-assistant CaZzzer:router/keepalived CaZzzer:router/module-1 CaZzzer:router/module CaZzzer:router/desktop CaZzzer:router/wireguard CaZzzer:home/refactor CaZzzer:feature/glance CaZzzer:feature/router-4 CaZzzer:feature/router-3 CaZzzer:feature/router-1 CaZzzer:feature/router CaZzzer:feature/router-2 CaZzzer:feature/home-manager CaZzzer:feature/ollama

1 Commits
home/refac ... feature/ro

Author SHA1 Message Date
Yuri Tatishchev
07b5990373 router: firewall: proper filtering for hosts proxied by cloudflare 2025-03-26 00:24:16 -07:00
34 changed files with 644 additions and 1007 deletions
Expand all files Collapse all files

1
.gitattributes vendored
View File

@@ -1 +0,0 @@
private.nix filter=crypt diff=crypt merge=crypt

47
flake.lock generated
View File

@@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1748529677, "lastModified": 1742957044,
"narHash": "sha256-MJEX3Skt5EAIs/aGHD8/aXXZPcceMMHheyIGSjvxZN0=", "narHash": "sha256-gwW0tBIA77g6qq45y220drTy0DmThF3fJMwVFUtYV9c=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "da282034f4d30e787b8a10722431e8b650a907ef", "rev": "ce287a5cd3ef78203bc78021447f937a988d9f6f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -43,11 +43,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747663185, "lastModified": 1742568034,
"narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -58,11 +58,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1748370509, "lastModified": 1742669843,
"narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=", "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4faa5f5321320e49a78ae7848582f684d64783e9", "rev": "1e5b653dff12029333a6546c11e108ede13052eb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -82,11 +82,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1748196248, "lastModified": 1742765550,
"narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=", "narHash": "sha256-2vVIh2JrL6GAGfgCeY9e6iNKrBjs0Hw3bGQEAbwVs68=",
"owner": "nix-community", "owner": "nix-community",
"repo": "plasma-manager", "repo": "plasma-manager",
"rev": "b7697abe89967839b273a863a3805345ea54ab56", "rev": "b70be387276e632fe51232887f9e04e2b6ef8c16",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -100,28 +100,7 @@
"home-manager": "home-manager", "home-manager": "home-manager",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"plasma-manager": "plasma-manager", "plasma-manager": "plasma-manager"
"secrix": "secrix"
}
},
"secrix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1746643487,
"narHash": "sha256-dcB/DArJObCvqE/ZEdQSDW2BZMeDyF83Se5KPfJvz60=",
"owner": "Platonic-Systems",
"repo": "secrix",
"rev": "4c64203fa5b377953b1fb6d5388187df8b60c6d5",
"type": "github"
},
"original": {
"owner": "Platonic-Systems",
"repo": "secrix",
"type": "github"
} }
} }
}, },

65
flake.nix
View File

@@ -18,52 +18,27 @@
url = "github:nix-community/nixos-generators"; url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
secrix = {
url = "github:Platonic-Systems/secrix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators, secrix }: outputs = { self, nixpkgs, home-manager, plasma-manager, nixos-generators }: {
let
hmModule = file: {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ];
home-manager.users.cazzzer = import file;
# Optionally, use home-manager.extraSpecialArgs to pass
# arguments to home.nix
};
in
{
apps.x86_64-linux.secrix = secrix.secrix self;
nixosConfigurations = { nixosConfigurations = {
Yura-PC = nixpkgs.lib.nixosSystem { Yura-PC = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./modules ./modules
./hosts/common.nix ./hosts/common.nix
./hosts/common-desktop.nix
./hosts/Yura-PC ./hosts/Yura-PC
./users/cazzzer
# https://nix-community.github.io/home-manager/index.xhtml#sec-flakes-nixos-module # https://nix-community.github.io/home-manager/index.xhtml#sec-flakes-nixos-module
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
(hmModule ./home/cazzzer-pc.nix) {
]; home-manager.useGlobalPkgs = true;
}; home-manager.useUserPackages = true;
Yura-TPX13 = nixpkgs.lib.nixosSystem { home-manager.sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ];
system = "x86_64-linux";
modules = [ home-manager.users.cazzzer = import ./home;
./modules # Optionally, use home-manager.extraSpecialArgs to pass
./hosts/common.nix # arguments to home.nix
./hosts/common-desktop.nix }
./hosts/Yura-TPX13
./users/cazzzer
# https://nix-community.github.io/home-manager/index.xhtml#sec-flakes-nixos-module
home-manager.nixosModules.home-manager
(hmModule ./home/cazzzer-laptop.nix)
]; ];
}; };
VM = nixpkgs.lib.nixosSystem { VM = nixpkgs.lib.nixosSystem {
@@ -71,19 +46,15 @@
modules = [ modules = [
./modules ./modules
./hosts/common.nix ./hosts/common.nix
./hosts/hw-vm.nix
./hosts/vm ./hosts/vm
./users/cazzzer
]; ];
}; };
router = nixpkgs.lib.nixosSystem { router = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
secrix.nixosModules.default
./modules ./modules
./hosts/common.nix ./hosts/common.nix
./hosts/router ./hosts/router
./users/cazzzer
]; ];
}; };
}; };
@@ -94,25 +65,11 @@
modules = [ modules = [
./modules ./modules
./hosts/common.nix ./hosts/common.nix
./hosts/hw-proxmox.nix ./hosts/vm/proxmox.nix
./hosts/vm ./hosts/vm
./users/cazzzer
]; ];
format = "proxmox"; format = "proxmox";
}; };
vm-proxmox = let
image = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./modules
./hosts/common.nix
./hosts/hw-proxmox.nix
./hosts/vm
./users/cazzzer
];
};
in
image.config.system.build.VMA;
}; };
}; };
} }

21
home/cazzzer-laptop.nix
View File

@@ -1,21 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./modules
];
programs.plasma = {
kwin.virtualDesktops.number = 6;
kwin.virtualDesktops.rows = 2;
shortcuts.kwin = {
"Switch to Desktop 1" = "Meta+F1";
"Switch to Desktop 2" = "Meta+F2";
"Switch to Desktop 3" = "Meta+F3";
"Switch to Desktop 4" = "Meta+Z";
"Switch to Desktop 5" = "Meta+X";
"Switch to Desktop 6" = "Meta+C";
};
};
}

9
home/cazzzer-pc.nix
View File

@@ -1,9 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./modules
];
programs.plasma.kwin.virtualDesktops.number = 2;
}

241
home/default.nix Normal file
View File

@@ -0,0 +1,241 @@
{ config, lib, pkgs, ... }:
let
defaultFont = {
family = "Noto Sans";
pointSize = 14;
};
in
{
# Home Manager needs a bit of information about you and the paths it should
# manage.
home.username = "cazzzer";
home.homeDirectory = "/home/cazzzer";
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
home.sessionVariables = {
EDITOR = "micro";
SHELL = "fish";
};
services.gnome-keyring = {
enable = true;
components = [ "pkcs11" "ssh" ];
};
services.darkman = {
enable = true;
settings = {
lat = 37.3387;
lng = -121.8853;
};
lightModeScripts = {
plasma-color = "plasma-apply-colorscheme BreezeLight";
};
darkModeScripts = {
plasma-color = "plasma-apply-colorscheme BreezeDark";
};
};
programs.fish = {
enable = true;
shellInit = "set fish_greeting";
shellAliases = {
# Replace ls with exa
ls = "exa -al --color=always --group-directories-first --icons"; # preferred listing
la = "exa -a --color=always --group-directories-first --icons"; # all files and dirs
ll = "exa -l --color=always --group-directories-first --icons"; # long format
lt = "exa -aT --color=always --group-directories-first --icons"; # tree listing
"l." = "exa -a | rg '^\.'"; # show only dotfiles
# Replace cat with bat
cat = "bat";
};
# alias for nix shell with flake packages
functions.add.body = ''
set -x packages 'nixpkgs#'$argv
nix shell $packages
'';
interactiveShellInit = ''
fastfetch
'';
};
programs.starship = {
enable = true;
enableFishIntegration = true;
settings = {
format = lib.concatStrings [
"$all"
"$time"
"$cmd_duration"
"$line_break"
"$jobs"
"$status"
"$character"
];
username = {
format = " [$user]($style)@";
style_user = "bold red";
style_root = "bold red";
show_always = true;
};
hostname = {
format = "[$hostname]($style) in ";
style = "bold dimmed red";
ssh_only = false;
};
directory = {
style = "purple";
truncation_length = 0;
truncate_to_repo = true;
truncation_symbol = "repo: ";
};
git_status = {
style = "white";
ahead = "\${count}";
diverged = "\${ahead_count}\${behind_count}";
behind = "\${count}";
deleted = "x";
};
cmd_duration = {
min_time = 1000;
format = "took [$duration]($style) ";
};
time = {
format = " 🕙 $time($style) ";
time_format = "%T";
style = "bright-white";
disabled = false;
};
character = {
success_symbol = " [λ](bold red)";
error_symbol = " [×](bold red)";
};
status = {
symbol = "🔴";
format = "[\\[$symbol$status_common_meaning$status_signal_name$status_maybe_int\\]]($style)";
map_symbol = true;
disabled = false;
};
};
};
programs.plasma = {
enable = true;
overrideConfig = true;
workspace.iconTheme = "Tela-circle";
fonts = {
general = defaultFont;
fixedWidth = defaultFont // { family = "Hack"; };
small = defaultFont // { pointSize = defaultFont.pointSize - 2; };
toolbar = defaultFont;
menu = defaultFont;
windowTitle = defaultFont;
};
input.keyboard.layouts = [
{ layout = "us"; displayName = "us"; }
{ layout = "minimak-4"; displayName = "us4"; }
{ layout = "ru"; displayName = "ru"; }
];
kwin.virtualDesktops.number = 2;
session.sessionRestore.restoreOpenApplicationsOnLogin = "startWithEmptySession";
shortcuts = {
# kmix.mic_mute = "ScrollLock";
kmix.mic_mute = ["Microphone Mute" "ScrollLock" "Meta+Volume Mute,Microphone Mute" "Meta+Volume Mute,Mute Microphone"];
plasmashell.show-barcode = "Meta+M";
kwin."Window Maximize" = [ "Meta+F" "Meta+PgUp,Maximize Window" ];
"KDE Keyboard Layout Switcher"."Switch to Next Keyboard Layout" = "Meta+Space";
};
hotkeys.commands."launch-konsole" = {
name = "Launch Konsole";
key = "Meta+Alt+C";
command = "konsole";
};
configFile = {
kdeglobals.KDE.AnimationDurationFactor = 0.5;
kdeglobals.General.accentColorFromWallpaper = true;
kwinrc.Wayland.InputMethod = {
value = "org.fcitx.Fcitx5.desktop";
shellExpand = true;
};
dolphinrc.General.ShowFullPath = true;
kactivitymanagerdrc = {
activities."809dc779-bf5b-49e6-8e3f-cbe283cb05b6" = "Default";
activities."b34a506d-ac4f-4797-8c08-6ef45bc49341" = "Fun";
activities-icons."809dc779-bf5b-49e6-8e3f-cbe283cb05b6" = "keyboard";
activities-icons."b34a506d-ac4f-4797-8c08-6ef45bc49341" = "preferences-desktop-gaming";
};
};
};
xdg.configFile = {
"fcitx5/conf/wayland.conf".text = "Allow Overriding System XKB Settings=False";
};
# This value determines the Home Manager release that your configuration is
# compatible with. This helps avoid breakage when a new Home Manager release
# introduces backwards incompatible changes.
#
# You should not change this value, even if you update Home Manager. If you do
# want to update the value, then make sure to first check the Home Manager
# release notes.
home.stateVersion = "24.11"; # Please read the comment before changing.
# The home.packages option allows you to install Nix packages into your
# environment.
# home.packages = [
# # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run.
# pkgs.hello
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
# # parentheses. Maybe you want to install Nerd Fonts with a limited number of
# # fonts?
# (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
# ];
# Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'.
# home.file = {
# # Building this configuration will create a copy of 'dotfiles/screenrc' in
# # the Nix store. Activating the configuration will then make '~/.screenrc' a
# # symlink to the Nix store copy.
# ".screenrc".source = dotfiles/screenrc;
# # You can also set the file content immediately.
# ".gradle/gradle.properties".text = ''
# org.gradle.console=verbose
# org.gradle.daemon.idletimeout=3600000
# '';
# };
# Home Manager can also manage your environment variables through
# 'home.sessionVariables'. These will be explicitly sourced when using a
# shell provided by Home Manager. If you don't want to manage your shell
# through Home Manager then you have to manually source 'hm-session-vars.sh'
# located at either
#
# ~/.nix-profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# /etc/profiles/per-user/cazzzer/etc/profile.d/hm-session-vars.sh
#
# home.sessionVariables = {
# EDITOR = "emacs";
# };
}

83
home/modules/default.nix
View File

@@ -1,83 +0,0 @@
{ config, lib, pkgs, ... }:
let
username = "cazzzer";
in
{
imports = [
./fish.nix
./starship.nix
./plasma.nix
];
# Home Manager needs a bit of information about you and the paths it should
# manage.
home.username = username;
home.homeDirectory = "/home/${username}";
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
home.sessionVariables = {
EDITOR = "micro";
SHELL = "fish";
};
services.darkman = {
enable = true;
settings = {
lat = 37.3387;
lng = -121.8853;
};
lightModeScripts = {
plasma-color = "plasma-apply-colorscheme BreezeLight";
};
darkModeScripts = {
plasma-color = "plasma-apply-colorscheme BreezeDark";
};
};
# This value determines the Home Manager release that your configuration is
# compatible with. This helps avoid breakage when a new Home Manager release
# introduces backwards incompatible changes.
#
# You should not change this value, even if you update Home Manager. If you do
# want to update the value, then make sure to first check the Home Manager
# release notes.
home.stateVersion = "24.11"; # Please read the comment before changing.
# The home.packages option allows you to install Nix packages into your
# environment.
# home.packages = [
# # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run.
# pkgs.hello
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
# # parentheses. Maybe you want to install Nerd Fonts with a limited number of
# # fonts?
# (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
# ];
# Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'.
# home.file = {
# # Building this configuration will create a copy of 'dotfiles/screenrc' in
# # the Nix store. Activating the configuration will then make '~/.screenrc' a
# # symlink to the Nix store copy.
# ".screenrc".source = dotfiles/screenrc;
# # You can also set the file content immediately.
# ".gradle/gradle.properties".text = ''
# org.gradle.console=verbose
# org.gradle.daemon.idletimeout=3600000
# '';
# };
}

27
home/modules/fish.nix
View File

@@ -1,27 +0,0 @@
{ config, lib, pkgs, ... }:
{
programs.fish = {
enable = true;
shellInit = "set fish_greeting";
shellAliases = {
# Replace ls with exa
ls = "exa -al --color=always --group-directories-first --icons"; # preferred listing
la = "exa -a --color=always --group-directories-first --icons"; # all files and dirs
ll = "exa -l --color=always --group-directories-first --icons"; # long format
lt = "exa -aT --color=always --group-directories-first --icons"; # tree listing
"l." = "exa -a | rg '^\.'"; # show only dotfiles
# Replace cat with bat
cat = "bat";
};
# alias for nix shell with flake packages
functions.add.body = ''
set -x packages 'nixpkgs#'$argv
nix shell $packages
'';
interactiveShellInit = ''
fastfetch
'';
};
}

64
home/modules/plasma.nix
View File

@@ -1,64 +0,0 @@
{ config, lib, pkgs, osConfig, ... }:
{
programs.plasma = {
enable = true;
overrideConfig = true;
resetFilesExclude = [
"plasma-org.kde.plasma.desktop-appletsrc"
];
# Use tela circle icon theme if installed in system packages
workspace.iconTheme = if builtins.elem pkgs.tela-circle-icon-theme osConfig.environment.systemPackages then "Tela-circle" else null;
fonts = let
defaultFont = {
family = "Noto Sans";
pointSize = 14;
};
in {
general = defaultFont;
fixedWidth = defaultFont // { family = "Hack"; };
small = defaultFont // { pointSize = defaultFont.pointSize - 2; };
toolbar = defaultFont;
menu = defaultFont;
windowTitle = defaultFont;
};
input.keyboard.layouts = [
{ layout = "us"; displayName = "us"; }
{ layout = "minimak-4"; displayName = "us4"; }
{ layout = "ru"; displayName = "ru"; }
];
session.sessionRestore.restoreOpenApplicationsOnLogin = "startWithEmptySession";
shortcuts = {
# kmix.mic_mute = "ScrollLock";
kmix.mic_mute = ["Microphone Mute" "ScrollLock" "Meta+Volume Mute,Microphone Mute" "Meta+Volume Mute,Mute Microphone"];
plasmashell.show-barcode = "Meta+M";
kwin."Window Maximize" = [ "Meta+F" "Meta+PgUp,Maximize Window" ];
"KDE Keyboard Layout Switcher"."Switch to Next Keyboard Layout" = "Meta+Space";
};
hotkeys.commands."launch-konsole" = {
name = "Launch Konsole";
key = "Meta+Alt+C";
command = "konsole";
};
configFile = {
kdeglobals.KDE.AnimationDurationFactor = 0.5;
kdeglobals.General.accentColorFromWallpaper = true;
kwinrc.Wayland.InputMethod = {
value = "org.fcitx.Fcitx5.desktop";
shellExpand = true;
};
dolphinrc.General.ShowFullPath = true;
dolphinrc.DetailsMode.PreviewSize.persistent = true;
kactivitymanagerdrc = {
activities."809dc779-bf5b-49e6-8e3f-cbe283cb05b6" = "Default";
activities."b34a506d-ac4f-4797-8c08-6ef45bc49341" = "Fun";
activities-icons."809dc779-bf5b-49e6-8e3f-cbe283cb05b6" = "keyboard";
activities-icons."b34a506d-ac4f-4797-8c08-6ef45bc49341" = "preferences-desktop-gaming";
};
};
};
xdg.configFile = {
"fcitx5/conf/wayland.conf".text = "Allow Overriding System XKB Settings=False";
};
}

63
home/modules/starship.nix
View File

@@ -1,63 +0,0 @@
{ config, lib, pkgs, ... }:
{
programs.starship = {
enable = true;
enableFishIntegration = true;
settings = {
format = lib.concatStrings [
"$all"
"$time"
"$cmd_duration"
"$line_break"
"$jobs"
"$status"
"$character"
];
username = {
format = " [$user]($style)@";
style_user = "bold red";
style_root = "bold red";
show_always = true;
};
hostname = {
format = "[$hostname]($style) in ";
style = "bold dimmed red";
ssh_only = false;
};
directory = {
style = "purple";
truncation_length = 0;
truncate_to_repo = true;
truncation_symbol = "repo: ";
};
git_status = {
style = "white";
ahead = "\${count}";
diverged = "\${ahead_count}\${behind_count}";
behind = "\${count}";
deleted = "x";
};
cmd_duration = {
min_time = 1000;
format = "took [$duration]($style) ";
};
time = {
format = " 🕙 $time($style) ";
time_format = "%T";
style = "bright-white";
disabled = false;
};
character = {
success_symbol = " [λ](bold red)";
error_symbol = " [×](bold red)";
};
status = {
symbol = "🔴";
format = "[\\[$symbol$status_common_meaning$status_signal_name$status_maybe_int\\]]($style)";
map_symbol = true;
disabled = false;
};
};
};
}

246
hosts/Yura-PC/default.nix
View File

@@ -10,9 +10,13 @@
./hardware-configuration.nix ./hardware-configuration.nix
# <nixpkgs/nixos/modules/profiles/qemu-guest.nix> # <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
]; ];
opts.kb-input.enable = true; mods.kb-input.enable = true;
# Bootloader. # Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# boot.plymouth.enable = true;
# boot.plymouth.theme = "breeze";
boot.kernelParams = [ boot.kernelParams = [
"amd_iommu=on" "amd_iommu=on"
"iommu=pt" "iommu=pt"
@@ -26,13 +30,251 @@
options kvm ignore_msrs=1 options kvm ignore_msrs=1
''; '';
boot.loader.timeout = 3;
boot.loader.systemd-boot.configurationLimit = 5;
boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
# https://nixos.wiki/wiki/Accelerated_Video_Playback # https://nixos.wiki/wiki/Accelerated_Video_Playback
hardware.graphics.extraPackages = with pkgs; [ hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD intel-media-driver # LIBVA_DRIVER_NAME=iHD
]; ];
};
environment.etc.hosts.mode = "0644";
networking.hostName = "Yura-PC"; # Define your hostname. networking.hostName = "Yura-PC"; # Define your hostname.
networking.hostId = "110a2814"; # Required for ZFS. networking.hostId = "110a2814"; # Required for ZFS.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Enable networking
networking.networkmanager.enable = true;
# Enable the X11 windowing system.
# You can disable this if you're only using the Wayland session.
services.xserver.enable = false;
# Enable the KDE Plasma Desktop Environment.
services.displayManager.sddm.enable = true;
services.displayManager.sddm.wayland.enable = true;
services.desktopManager.plasma6.enable = true;
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable sound with pipewire.
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};
# services.qemuGuest.enable = true;
# services.spice-vdagentd.enable = true;
services.openssh.enable = true;
services.flatpak.enable = true;
# services.geoclue2.enable = true;
location.provider = "geoclue2";
# services.gnome.gnome-keyring.enable = true;
security.pam.services.sddm.enableGnomeKeyring = true;
# security.pam.services.sddm.gnupg.enable = true;
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users.groups = {
cazzzer = {
gid = 1000;
};
};
users.users.cazzzer = {
isNormalUser = true;
description = "Yura";
uid = 1000;
group = "cazzzer";
extraGroups = [ "networkmanager" "wheel" "docker" "wireshark" "geoclue" ];
packages = with pkgs; [
# Python
python3
poetry
# Haskell
haskellPackages.ghc
haskellPackages.stack
# Node
nodejs_22
pnpm
bun
# Nix
nixd
# Gleam
gleam
beamMinimal26Packages.erlang
];
};
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = false;
# Install firefox.
# programs.firefox.enable = true;
programs.kdeconnect.enable = true;
programs.fish.enable = true;
programs.git.enable = true;
programs.git.lfs.enable = true;
# https://nixos.wiki/wiki/Git
programs.git.package = pkgs.git.override { withLibsecret = true; };
programs.lazygit.enable = true;
programs.neovim.enable = true;
programs.gnupg.agent.enable = true;
programs.gnupg.agent.pinentryPackage = pkgs.pinentry-qt;
# programs.starship.enable = true;
programs.wireshark.enable = true;
programs.wireshark.package = pkgs.wireshark; # wireshark-cli by default
programs.bat.enable = true;
programs.htop.enable = true;
# https://nixos.wiki/wiki/Docker
virtualisation.docker.enable = true;
virtualisation.docker.enableOnBoot = false;
virtualisation.docker.package = pkgs.docker_27;
# https://discourse.nixos.org/t/firefox-does-not-use-kde-window-decorations-and-cursor/32132/3
# programs.dconf.enable = true;
# programs.firefox = {
# enable = true;
# preferences = {
# "widget.use-xdg-desktop-portal.file-picker" = 1;
# "widget.use-xdg-desktop-portal.mime-handler" = 1;
# };
# };
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# List packages installed in system profile. To search, run:
# $ nix search wget
# https://github.com/flatpak/flatpak/issues/2861
xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
programs.nix-ld.enable = true;
programs.nix-ld.libraries = with pkgs; [
# Add any missing dynamic libraries for unpackaged
# programs here, NOT in environment.systemPackages
# For JetBrains stuff
# https://github.com/NixOS/nixpkgs/issues/240444
];
# attempt to fix flatpak firefox cjk fonts
# fonts.fontconfig.defaultFonts.serif = [
# "Noto Serif"
# "DejaVu Serif"
# ];
# fonts.fontconfig.defaultFonts.sansSerif = [
# "Noto Sans"
# "DejaVu Sans"
# ];
workarounds.flatpak.enable = true;
fonts.packages = with pkgs; [
fantasque-sans-mono
nerd-fonts.fantasque-sans-mono
noto-fonts
noto-fonts-emoji
noto-fonts-cjk-sans
noto-fonts-cjk-serif
jetbrains-mono
];
# fonts.fontDir.enable = true;
# fonts.fontconfig.allowBitmaps = false;
environment.systemPackages = with pkgs; [
dust
eza
fastfetch
fd
helix
micro
ripgrep
starship
tealdeer
] ++ [
efibootmgr
ffmpeg
file
fq
gnumake
ijq
jq
ldns
mediainfo
rbw
restic
resticprofile
rclone
ripgrep-all
rustscan
whois
yt-dlp
] ++ [
darkman
host-spawn # for flatpaks
kdePackages.filelight
kdePackages.flatpak-kcm
kdePackages.kate
kdePackages.yakuake
gcr
gnome-keyring # config for this and some others
mpv
nextcloud-client
lxqt.pavucontrol-qt
pinentry
tela-circle-icon-theme
virt-viewer
waypipe
] ++ [
# jetbrains.rust-rover
# jetbrains.goland
jetbrains.clion
jetbrains.idea-ultimate
jetbrains.pycharm-professional
jetbrains.webstorm
android-studio
rustup
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall. # Open ports in the firewall.
# networking.nftables.enable = true; # networking.nftables.enable = true;

44
hosts/Yura-TPX13/default.nix
View File

@@ -1,44 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
];
# Bootloader.
boot.kernelParams = [
"sysrq_always_enabled=1"
];
networking.hostName = "Yura-TPX13"; # Define your hostname.
networking.hostId = "8425e349"; # Required for ZFS.
services.fprintd.enable = true;
# Install firefox.
programs.firefox.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# Open ports in the firewall.
# networking.nftables.enable = true;
# networking.firewall.allowedTCPPorts = [ ];
# networking.firewall.allowedUDPPorts = [ ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.11"; # Did you read the comment?
}

166
hosts/common-desktop.nix
View File

@@ -1,166 +0,0 @@
{ config, lib, pkgs, ... }:
{
opts.kb-input.enable = true;
boot.kernelParams = [
"sysrq_always_enabled=1"
];
boot.kernelPackages = pkgs.linuxKernel.packages.linux_6_14;
boot.loader = {
efi.canTouchEfiVariables = true;
timeout = 3;
systemd-boot = {
enable = true;
configurationLimit = 5;
};
};
# https://nixos.wiki/wiki/Accelerated_Video_Playback
hardware.graphics.enable = true;
environment.etc.hosts.mode = "0644";
# Enable networking
networking.networkmanager.enable = true;
# Enable the X11 windowing system.
# You can disable this if you're only using the Wayland session.
services.xserver.enable = false;
# Enable the KDE Plasma Desktop Environment.
services.displayManager.sddm.enable = true;
services.displayManager.sddm.wayland.enable = true;
services.desktopManager.plasma6.enable = true;
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable sound with pipewire.
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
};
services.flatpak.enable = true;
hardware.bluetooth.enable = true;
hardware.bluetooth.powerOnBoot = false;
programs.kdeconnect.enable = true;
programs.fish.enable = true;
programs.git.enable = true;
programs.git.lfs.enable = true;
# https://nixos.wiki/wiki/Git
programs.git.package = pkgs.git.override { withLibsecret = true; };
programs.lazygit.enable = true;
programs.neovim.enable = true;
programs.wireshark.enable = true;
programs.wireshark.package = pkgs.wireshark; # wireshark-cli by default
programs.bat.enable = true;
programs.htop.enable = true;
# https://nixos.wiki/wiki/Docker
virtualisation.docker.enable = true;
virtualisation.docker.enableOnBoot = false;
virtualisation.docker.package = pkgs.docker_28;
# https://github.com/flatpak/flatpak/issues/2861
xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
workarounds.flatpak.enable = true;
fonts.packages = with pkgs; [
fantasque-sans-mono
nerd-fonts.fantasque-sans-mono
noto-fonts
noto-fonts-emoji
noto-fonts-cjk-sans
noto-fonts-cjk-serif
jetbrains-mono
];
environment.systemPackages = with pkgs; [
dust
eza
fastfetch
fd
helix
micro
openssl
ripgrep
starship
tealdeer
transcrypt
] ++ [
efibootmgr
ffmpeg
file
fq
gnumake
ijq
jq
ldns
mediainfo
rbw
restic
resticprofile
rclone
ripgrep-all
rustscan
whois
yt-dlp
] ++ [
bitwarden-desktop
darkman
host-spawn # for flatpaks
kdePackages.filelight
kdePackages.flatpak-kcm
kdePackages.kate
kdePackages.yakuake
mpv
nextcloud-client
lxqt.pavucontrol-qt
pinentry
tela-circle-icon-theme
virt-viewer
waypipe
] ++ [
# jetbrains.rust-rover
# jetbrains.goland
jetbrains.clion
jetbrains.idea-ultimate
jetbrains.pycharm-professional
jetbrains.webstorm
android-studio
rustup
zed-editor
] ++ [
# Python
python3
poetry
# Haskell
haskellPackages.ghc
haskellPackages.stack
# Node
nodejs_22
pnpm
bun
# Nix
nil
nixd
nixfmt-rfc-style
# Gleam
gleam
beamMinimal26Packages.erlang
];
}

4
hosts/common.nix
View File

@@ -28,8 +28,4 @@
formatted = builtins.concatStringsSep "\n" sortedUnique; formatted = builtins.concatStringsSep "\n" sortedUnique;
in in
formatted; formatted;
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
services.openssh.settings.KbdInteractiveAuthentication = false;
} }

16
hosts/hw-proxmox.nix
View File

@@ -1,16 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
"${modulesPath}/virtualisation/proxmox-image.nix"
];
# boot.kernelParams = [ "console=tty0" ];
proxmox.qemuConf.bios = "ovmf";
proxmox.qemuExtraConf = {
machine = "q35";
# efidisk0 = "local-lvm:vm-9999-disk-1";
cpu = "host";
};
proxmox.cloudInit.enable = false;
}

26
hosts/hw-vm.nix
View File

@@ -1,26 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }: {
imports = [
"${modulesPath}/profiles/qemu-guest.nix"
];
boot.initrd.availableKernelModules = lib.mkDefault [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
fileSystems."/" = lib.mkDefault {
device = "/dev/disk/by-label/nixos";
autoResize = true;
fsType = "ext4";
};
fileSystems."/boot" = lib.mkDefault {
device = "/dev/disk/by-label/ESP";
fsType = "vfat";
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
# nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

39
hosts/router/default.nix
View File

@@ -1,8 +1,5 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let
vars = import ./vars.nix;
enableDesktop = false;
in
{ {
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
@@ -11,11 +8,8 @@ in
./firewall.nix ./firewall.nix
./dns.nix ./dns.nix
./kea.nix ./kea.nix
./glance.nix
./services.nix ./services.nix
]; ];
# Secrix for secrets management
secrix.hostPubKey = vars.pubkey;
# Bootloader. # Bootloader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
@@ -37,19 +31,40 @@ in
# Enable the KDE Plasma Desktop Environment. # Enable the KDE Plasma Desktop Environment.
# Useful for debugging with wireshark. # Useful for debugging with wireshark.
# services.displayManager.sddm.enable = true;
hardware.graphics.enable = true; hardware.graphics.enable = true;
services.displayManager.sddm.enable = enableDesktop; services.displayManager.sddm.wayland.enable = true;
services.displayManager.sddm.wayland.enable = enableDesktop; services.desktopManager.plasma6.enable = true;
services.desktopManager.plasma6.enable = enableDesktop;
# No need for audio in VM # No need for audio in VM
services.pipewire.enable = false; services.pipewire.enable = false;
# VM services # VM services
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
services.spice-vdagentd.enable = true; services.spice-vdagentd.enable = true;
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
services.openssh.settings.KbdInteractiveAuthentication = false;
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
users.groups = {
cazzzer = {
gid = 1000;
};
};
users.users.cazzzer = {
password = "";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWgEzbEjbbu96MVQzkiuCrw+UGYAXN4sRe2zM6FVopq cazzzer@Yura-PC"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApFeLVi3BOquL0Rt+gQK2CutNHaBDQ0m4PcGWf9Bc43 cazzzer@Yura-TPX13"
];
isNormalUser = true;
description = "Yura";
uid = 1000;
group = "cazzzer";
extraGroups = [ "wheel" "wireshark" ];
};
programs.firefox.enable = true; programs.firefox.enable = true;
programs.fish.enable = true; programs.fish.enable = true;
programs.git.enable = true; programs.git.enable = true;
@@ -64,17 +79,17 @@ in
eza eza
fastfetch fastfetch
fd fd
kdePackages.filelight
kdePackages.kate kdePackages.kate
kdePackages.yakuake
ldns ldns
lsof lsof
micro micro
mpv mpv
openssl
ripgrep ripgrep
rustscan rustscan
starship starship
tealdeer tealdeer
transcrypt
waypipe waypipe
whois whois
]; ];

4
hosts/router/dns.nix
View File

@@ -42,12 +42,8 @@ in
services.adguardhome.enable = true; services.adguardhome.enable = true;
services.adguardhome.mutableSettings = false; services.adguardhome.mutableSettings = false;
# https://github.com/AdguardTeam/Adguardhome/wiki/Configuration
services.adguardhome.settings = { services.adguardhome.settings = {
dns = { dns = {
# Disable rate limit, default of 20 is too low
# https://github.com/AdguardTeam/AdGuardHome/issues/6726
ratelimit = 0;
bootstrap_dns = [ "1.1.1.1" "9.9.9.9" ]; bootstrap_dns = [ "1.1.1.1" "9.9.9.9" ];
upstream_dns = [ upstream_dns = [
# Default upstreams # Default upstreams

95
hosts/router/firewall.nix
View File

@@ -4,7 +4,13 @@ let
links = vars.links; links = vars.links;
ifs = vars.ifs; ifs = vars.ifs;
pdFromWan = vars.pdFromWan; pdFromWan = vars.pdFromWan;
nftIdentifiers = '' in
{
networking.firewall.enable = false;
networking.nftables.enable = true;
networking.nftables.tables.firewall = {
family = "inet";
content = ''
define ZONE_WAN_IFS = { ${ifs.wan.name} } define ZONE_WAN_IFS = { ${ifs.wan.name} }
define ZONE_LAN_IFS = { define ZONE_LAN_IFS = {
${ifs.lan.name}, ${ifs.lan.name},
@@ -14,9 +20,8 @@ let
${ifs.lan40.name}, ${ifs.lan40.name},
${ifs.lan50.name}, ${ifs.lan50.name},
} }
define OPNSENSE_NET6 = ${vars.extra.opnsense.net6} define OPNSENSE_NET6 = ${pdFromWan}d::/64
define ZONE_LAN_EXTRA_NET6 = { define ZONE_LAN_EXTRA_NET6 = {
# TODO: reevaluate this statement
${ifs.lan20.net6}, # needed since packets can come in from wan on these addrs ${ifs.lan20.net6}, # needed since packets can come in from wan on these addrs
$OPNSENSE_NET6, $OPNSENSE_NET6,
} }
@@ -24,7 +29,6 @@ let
define CLOUDFLARE_NET6 = { define CLOUDFLARE_NET6 = {
# https://www.cloudflare.com/ips-v6 # https://www.cloudflare.com/ips-v6
# TODO: figure out a better way to get addrs dynamically from url # TODO: figure out a better way to get addrs dynamically from url
# perhaps building a nixos module/package that fetches the ips?
2400:cb00::/32, 2400:cb00::/32,
2606:4700::/32, 2606:4700::/32,
2803:f800::/32, 2803:f800::/32,
@@ -33,67 +37,19 @@ let
2a06:98c0::/29, 2a06:98c0::/29,
2c0f:f248::/32, 2c0f:f248::/32,
} }
'';
in define ALLOWED_TCP_PORTS = { ssh, https }
{ define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain }
networking.firewall.enable = false;
networking.nftables.enable = true; map port_forward_v4 {
# networking.nftables.ruleset = nftIdentifiers; #doesn't work because it's appended to the end
networking.nftables.tables.nat4 = {
family = "ip";
content = ''
${nftIdentifiers}
map port_forward {
type inet_proto . inet_service : ipv4_addr . inet_service type inet_proto . inet_service : ipv4_addr . inet_service
elements = { elements = {
tcp . 8006 : ${ifs.lan50.p4}.10 . 8006 tcp . 8006 : ${ifs.lan50.p4}.10 . 8006
} }
} }
chain prerouting {
# Initial step, accept by default
type nat hook prerouting priority dstnat; policy accept;
# Port forwarding
fib daddr type local dnat ip to meta l4proto . th dport map @port_forward
}
chain postrouting {
# Last step, accept by default
type nat hook postrouting priority srcnat; policy accept;
# Masquerade LAN addrs
oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
}
'';
};
# Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
networking.nftables.tables.nat6 = {
family = "ip6";
enable = false;
content = ''
${nftIdentifiers}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
}
'';
};
networking.nftables.tables.firewall = {
family = "inet";
content = ''
${nftIdentifiers}
define ALLOWED_TCP_PORTS = { ssh, https }
define ALLOWED_UDP_PORTS = { bootps, dhcpv6-server, domain, https }
set port_forward_v6 { set port_forward_v6 {
type inet_proto . ipv6_addr . inet_service type inet_proto . ipv6_addr . inet_service
elements = { # elements = {}
# syncthing on alpina
tcp . ${ifs.lan.p6}::11:1 . 22000 ,
udp . ${ifs.lan.p6}::11:1 . 22000 ,
}
} }
set cloudflare_forward_v6 { set cloudflare_forward_v6 {
type ipv6_addr type ipv6_addr
@@ -136,7 +92,7 @@ in
# WAN zone input rules # WAN zone input rules
iifname $ZONE_WAN_IFS jump zone_wan_input iifname $ZONE_WAN_IFS jump zone_wan_input
# LAN zone input rules # LAN zone input rules
# iifname $ZONE_LAN_IFS accept iifname $ZONE_LAN_IFS accept
iifname $ZONE_LAN_IFS jump zone_lan_input iifname $ZONE_LAN_IFS jump zone_lan_input
ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_input ip6 saddr $ZONE_LAN_EXTRA_NET6 jump zone_lan_input
@@ -169,7 +125,7 @@ in
meta l4proto . ip6 daddr . th dport @port_forward_v6 accept meta l4proto . ip6 daddr . th dport @port_forward_v6 accept
# Allowed IPv6 from cloudflare # Allowed IPv6 from cloudflare
ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 th dport https accept ip6 saddr $CLOUDFLARE_NET6 ip6 daddr @cloudflare_forward_v6 accept
} }
chain zone_lan_input { chain zone_lan_input {
@@ -202,6 +158,25 @@ in
# NAT reflection # NAT reflection
# oif lo ip daddr != 127.0.0.0/8 dnat ip to meta l4proto . th dport map @port_forward_v4 # oif lo ip daddr != 127.0.0.0/8 dnat ip to meta l4proto . th dport map @port_forward_v4
} }
chain prerouting {
# Initial step, accept by default
type nat hook prerouting priority dstnat; policy accept;
# Port forwarding
fib daddr type local dnat ip to meta l4proto . th dport map @port_forward_v4
}
chain postrouting {
# Last step, accept by default
type nat hook postrouting priority srcnat; policy accept;
# Masquerade LAN addrs
oifname $ZONE_WAN_IFS ip saddr $RFC1918 masquerade
# Optional IPv6 masquerading (big L if enabled, don't forget to allow forwarding)
# oifname $ZONE_WAN_IFS ip6 saddr fd00::/8 masquerade
}
''; '';
}; };
} }

166
hosts/router/glance.nix
View File

@@ -1,166 +0,0 @@
{ config, lib, pkgs, ... }:
let
vars = import ./vars.nix;
domain = vars.domain;
in
{
# Glance dashboard
services.glance.enable = true;
services.glance.settings.pages = [
{
name = "Home";
# hideDesktopNavigation = true; # Uncomment if needed
columns = [
{
size = "small";
widgets = [
{
type = "calendar";
firstDayOfWeek = "monday";
}
{
type = "rss";
limit = 10;
collapseAfter = 3;
cache = "12h";
feeds = [
{ url = "https://rtk0c.pages.dev/index.xml"; }
{ url = "https://www.yegor256.com/rss.xml"; }
{ url = "https://selfh.st/rss/"; title = "selfh.st"; }
{ url = "https://ciechanow.ski/atom.xml"; }
{ url = "https://www.joshwcomeau.com/rss.xml"; title = "Josh Comeau"; }
{ url = "https://samwho.dev/rss.xml"; }
{ url = "https://ishadeed.com/feed.xml"; title = "Ahmad Shadeed"; }
];
}
{
type = "twitch-channels";
channels = [
"theprimeagen"
"j_blow"
"piratesoftware"
"cohhcarnage"
"christitustech"
"EJ_SA"
];
}
];
}
{
size = "full";
widgets = [
{
type = "group";
widgets = [
{ type = "hacker-news"; }
{ type = "lobsters"; }
];
}
{
type = "videos";
channels = [
"UCXuqSBlHAE6Xw-yeJA0Tunw" # Linus Tech Tips
"UCR-DXc1voovS8nhAvccRZhg" # Jeff Geerling
"UCsBjURrPoezykLs9EqgamOA" # Fireship
"UCBJycsmduvYEL83R_U4JriQ" # Marques Brownlee
"UCHnyfMqiRRG1u-2MsSQLbXA" # Veritasium
];
}
{
type = "group";
widgets = [
{
type = "reddit";
subreddit = "technology";
showThumbnails = true;
}
{
type = "reddit";
subreddit = "selfhosted";
showThumbnails = true;
}
];
}
];
}
{
size = "small";
widgets = [
{
type = "weather";
location = "San Jose, California, United States";
units = "metric";
hourFormat = "12h";
# hideLocation = true; # Uncomment if needed
}
{
type = "markets";
markets = [
{ symbol = "SPY"; name = "S&P 500"; }
{ symbol = "BTC-USD"; name = "Bitcoin"; }
{ symbol = "NVDA"; name = "NVIDIA"; }
{ symbol = "AAPL"; name = "Apple"; }
{ symbol = "MSFT"; name = "Microsoft"; }
];
}
{
type = "releases";
cache = "1d";
# token = "..."; # Uncomment and set if needed
repositories = [
"glanceapp/glance"
"go-gitea/gitea"
"immich-app/immich"
"syncthing/syncthing"
];
}
];
}
];
}
{
name = "Infrastructure";
columns = [
{
size = "small";
widgets = [
{
type = "server-stats";
servers = [
{
type = "local";
name = "Router";
mountpoints."/nix/store".hide = true;
}
];
}
];
}
{
size = "full";
widgets = [
{
type = "iframe";
title = "Grafana";
title-url = "/grafana/";
source = "/grafana/d-solo/rYdddlPWk/node-exporter-full?orgId=1&from=1747211119196&to=1747297519196&timezone=browser&var-datasource=PBFA97CFB590B2093&var-job=node&var-node=localhost:9100&var-diskdevices=%5Ba-z%5D%2B%7Cnvme%5B0-9%5D%2Bn%5B0-9%5D%2B%7Cmmcblk%5B0-9%5D%2B&refresh=1m&panelId=74&__feature.dashboardSceneSolo";
height = 400;
}
];
}
{
size = "small";
widgets = [
{
type = "dns-stats";
service = "adguard";
url = "http://localhost:${toString config.services.adguardhome.port}";
username = "";
password = "";
}
];
}
];
}
];
}

7
hosts/router/ifconfig.nix
View File

@@ -46,12 +46,6 @@ let
}; };
in in
{ {
# By default, Linux will respond to ARP requests that belong to other interfaces.
# Normally this isn't a problem, but it causes issues
# since my WAN and LAN20 are technically bridged.
# https://networkengineering.stackexchange.com/questions/83071/why-linux-answers-arp-requests-for-ips-that-belong-to-different-network-interfac
boot.kernel.sysctl."net.ipv4.conf.default.arp_filter" = 1;
# It is impossible to do multiple prefix requests with networkd, # It is impossible to do multiple prefix requests with networkd,
# so I use dhcpcd for this # so I use dhcpcd for this
# https://github.com/systemd/systemd/issues/22571 # https://github.com/systemd/systemd/issues/22571
@@ -150,7 +144,6 @@ in
ifs.lan40.name ifs.lan40.name
ifs.lan50.name ifs.lan50.name
]; ];
routes = vars.extra.opnsense.routes;
}; };
"30-vlan10" = mkLanConfig ifs.lan10; "30-vlan10" = mkLanConfig ifs.lan10;
"30-vlan20" = mkLanConfig ifs.lan20; "30-vlan20" = mkLanConfig ifs.lan20;

2
hosts/router/private.nix
View File

@@ -1,2 +0,0 @@
U2FsdGVkX1/98w32OE1ppwT0I5A3UOTKCLJfvk+TQdrbf0TLfYNZ9TC9n8cH2hC9
ObKVuFlOLwHlzeBy7MXaLg==

39
hosts/router/services.nix
View File

@@ -4,10 +4,6 @@ let
domain = vars.domain; domain = vars.domain;
in in
{ {
# vnStat for tracking network interface stats
services.vnstat.enable = true;
# https://wiki.nixos.org/wiki/Prometheus # https://wiki.nixos.org/wiki/Prometheus
services.prometheus = { services.prometheus = {
enable = true; enable = true;
@@ -31,15 +27,7 @@ in
# https://wiki.nixos.org/wiki/Grafana#Declarative_configuration # https://wiki.nixos.org/wiki/Grafana#Declarative_configuration
services.grafana = { services.grafana = {
enable = true; enable = true;
settings = { settings.server.http_port = 3001;
security.allow_embedding = true;
server = {
http_port = 3001;
domain = "grouter.${domain}";
root_url = "https://%(domain)s/grafana/";
serve_from_sub_path = true;
};
};
provision = { provision = {
enable = true; enable = true;
datasources.settings.datasources = [ datasources.settings.datasources = [
@@ -52,34 +40,11 @@ in
}; };
}; };
secrix.system.secrets.cf-api-key.encrypted.file = ../../secrets/cf_api_key.age;
systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrix.system.secrets.cf-api-key.decrypted.path;
services.caddy = { services.caddy = {
enable = true; enable = true;
package = pkgs.caddy.withPlugins {
plugins = [ "github.com/caddy-dns/cloudflare@v0.2.1" ];
hash = "sha256-Gsuo+ripJSgKSYOM9/yl6Kt/6BFCA6BuTDvPdteinAI=";
};
virtualHosts."grouter.${domain}".extraConfig = '' virtualHosts."grouter.${domain}".extraConfig = ''
encode
tls {
dns cloudflare {env.CF_API_KEY}
resolvers 1.1.1.1
}
@grafana path /grafana /grafana/*
handle @grafana {
reverse_proxy localhost:${toString config.services.grafana.settings.server.http_port} reverse_proxy localhost:${toString config.services.grafana.settings.server.http_port}
} tls internal
redir /adghome /adghome/
handle_path /adghome/* {
reverse_proxy localhost:${toString config.services.adguardhome.port}
basic_auth {
Bob $2a$14$HsWmmzQTN68K3vwiRAfiUuqIjKoXEXaj9TOLUtG2mO1vFpdovmyBy
}
}
handle /* {
reverse_proxy localhost:${toString config.services.glance.settings.server.port}
}
''; '';
}; };
} }

29
hosts/router/vars.nix
View File

@@ -1,6 +1,4 @@
let let
private = import ./private.nix;
mkIfConfig = { mkIfConfig = {
name_, name_,
domain_, domain_,
@@ -33,7 +31,6 @@ let
}; };
in in
rec { rec {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFobB87yYVwhuYrA+tfztLuks3s9jZOqEFktwGw1mo83 root@grouter";
domain = "cazzzer.com"; domain = "cazzzer.com";
ldomain = "l.${domain}"; ldomain = "l.${domain}";
sysdomain = "sys.${domain}"; sysdomain = "sys.${domain}";
@@ -45,7 +42,7 @@ rec {
}; };
p4 = "10.17"; # .0.0/16 p4 = "10.17"; # .0.0/16
pdFromWan = private.pdFromWan; # ::/60 pdFromWan = ""; # ::/60
ulaPrefix = "fdab:07d3:581d"; # ::/48 ulaPrefix = "fdab:07d3:581d"; # ::/48
ifs = rec { ifs = rec {
wan = rec { wan = rec {
@@ -98,28 +95,4 @@ rec {
ulaPrefix_ = "${ulaPrefix}:0050"; # ::/64 ulaPrefix_ = "${ulaPrefix}:0050"; # ::/64
}; };
}; };
extra = {
opnsense = rec {
addr4 = "${ifs.lan.p4}.250";
ulaAddr = "${ifs.lan.ulaPrefix}::250";
p6 = "${pdFromWan}d";
net6 = "${p6}::/64";
# VPN routes on opnsense
routes = [
{
Destination = "10.6.0.0/24";
Gateway = addr4;
}
{
Destination = "10.18.0.0/20";
Gateway = addr4;
}
{
Destination = net6;
Gateway = ulaAddr;
}
];
};
};
} }

31
hosts/vm/default.nix
View File

@@ -7,9 +7,9 @@
{ {
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
# ./hardware-configuration.nix # ./hardware-configuration-vm.nix
]; ];
opts.kb-input.enable = false; mods.kb-input.enable = false;
# Bootloader. # Bootloader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
@@ -47,13 +47,34 @@
services.flatpak.enable = true; services.flatpak.enable = true;
# VM services # VM services
# services.cloud-init.enable = false; services.cloud-init.enable = true;
# services.cloud-init.network.enable = false; # services.cloud-init.network.enable = false;
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
services.spice-vdagentd.enable = true; services.spice-vdagentd.enable = true;
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
services.openssh.settings.KbdInteractiveAuthentication = false;
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
users.groups = {
cazzzer = {
gid = 1000;
};
};
users.users.cazzzer = {
password = "";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWgEzbEjbbu96MVQzkiuCrw+UGYAXN4sRe2zM6FVopq cazzzer@Yura-PC"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApFeLVi3BOquL0Rt+gQK2CutNHaBDQ0m4PcGWf9Bc43 cazzzer@Yura-TPX13"
];
isNormalUser = true;
description = "Yura";
uid = 1000;
group = "cazzzer";
extraGroups = [ "wheel" "docker" "wireshark" ];
};
# Install firefox. # Install firefox.
programs.firefox.enable = true; programs.firefox.enable = true;
programs.fish.enable = true; programs.fish.enable = true;
@@ -92,11 +113,9 @@
ldns ldns
micro micro
mpv mpv
openssl
ripgrep ripgrep
starship starship
tealdeer tealdeer
transcrypt
waypipe waypipe
whois whois
zfs zfs

16
hosts/Yura-TPX13/hardware-configuration.nix → hosts/vm/hardware-configuration.nix
View File

@@ -5,21 +5,21 @@
{ {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "zroot/e/ROOT/nixos/default"; { device = "/dev/disk/by-uuid/da85e220-e2b0-443a-9a0c-a9516b8e5030";
fsType = "zfs"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/C6A4-8931"; { device = "/dev/disk/by-uuid/3F96-8974";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = [ "fmask=0022" "dmask=0022" ];
}; };
@@ -31,9 +31,7 @@
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true; # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

11
hosts/vm/proxmox.nix Normal file
View File

@@ -0,0 +1,11 @@
{ ... }:
{
# boot.kernelParams = [ "console=tty0" ];
proxmox.qemuConf.bios = "ovmf";
proxmox.qemuExtraConf = {
machine = "q35";
# efidisk0 = "local-lvm:vm-9999-disk-1";
cpu = "host";
};
}

2
modules/default.nix
View File

@@ -1,6 +1,6 @@
{ ... }: { { ... }: {
imports = [ imports = [
./opts ./mods
./workarounds ./workarounds
]; ];
} }

2
modules/opts/default.nix → modules/mods/default.nix
View File

@@ -1,5 +1,5 @@
{ ... }: { { ... }: {
imports = [ imports = [
./kb-input ./kb-input.nix
]; ];
} }

4
modules/opts/kb-input/default.nix → modules/mods/kb-input.nix
View File

@@ -4,10 +4,10 @@
lib, lib,
... ...
}: let }: let
cfg = config.opts.kb-input; cfg = config.mods.kb-input;
in { in {
options = { options = {
opts.kb-input = { mods.kb-input = {
enable = lib.mkEnableOption "input method and custom keyboard layout"; enable = lib.mkEnableOption "input method and custom keyboard layout";
enableMinimak = lib.mkOption { enableMinimak = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;

0
modules/opts/kb-input/minimak → modules/mods/minimak
View File

12
renovate.json
View File

@@ -1,12 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended"
],
"lockFileMaintenance": {
"enabled": true
},
"nix": {
"enabled": true
}
}

5
secrets/cf_api_key.age
View File

@@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 D2MY/A Kj69kavxx+ATNHP5pX0JtGggU76f9uRwkZp2HbjwiWc
SbU3jIcQzUzaQjRHzVSoW1WKiUj+1ijbkUKqVb406fY
--- vMV0TcchFvxw1xetQQZ0xVi2KwjLFRfZBM1gl7BGbGI
<EFBFBD><EFBFBD>1<10><><EFBFBD><EFBFBD>K<EFBFBD><<3C>

18
users/cazzzer/default.nix
View File

@@ -1,18 +0,0 @@
{ config, lib, pkgs, ... }: {
users.groups.cazzzer.gid = 1000;
users.users.cazzzer = {
uid = 1000;
isNormalUser = true;
description = "Yura";
group = "cazzzer";
extraGroups = [ "wheel" ]
++ lib.optionals config.networking.networkmanager.enable [ "networkmanager" ]
++ lib.optionals config.virtualisation.docker.enable [ "docker" ]
++ lib.optionals config.programs.wireshark.enable [ "wireshark" ]
;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE02AhJIZtrtZ+5sZhna39LUUCEojQzmz2BDWguT9ZHG yuri@tati.sh"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHczlipzGWv8c6oYwt2/9ykes5ElfneywDXBTOYbfSfn Pixel7Pro"
];
};
}