reo101/rix101
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor(flake)!: machines -> hosts

Browse source
This commit is contained in:
reo101 2024-07-27 13:04:48 +03:00
parent 703cd0264b
commit a881c5d7e1
Signed by: reo101
GPG key ID: 675AA7EF13964ACB
33 changed files with 52 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

101
hosts/nixos/x86_64-linux/__template__/configuration.nix Normal file
View file

@ -0,0 +1,101 @@
# This is your system's configuration file.
# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
{ inputs, outputs, lib, pkgs, config, ... }: {
# You can import other NixOS modules here
imports = [
# If you want to use modules your own flake exports (from modules/nixos):
# outputs.nixosModules.example
# Or modules from other flakes (such as nixos-hardware):
# inputs.hardware.nixosModules.common-cpu-amd
# inputs.hardware.nixosModules.common-ssd
# You can also split up your configuration and import pieces of it here:
# ./users.nix
# Import your generated (nixos-generate-config) hardware configuration
./hardware-configuration.nix
];
nixpkgs = {
# You can add overlays here
overlays = [
# If you want to use overlays your own flake exports (from overlays dir):
# outputs.overlays.modifications
# outputs.overlays.additions
# Or overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default
# Or define it inline, for example:
# (final: prev: {
# hi = final.hello.overrideAttrs (oldAttrs: {
# patches = [ ./change-hello-to-hi.patch ];
# });
# })
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
nix = {
# This will add each flake input as a registry
# To make nix3 commands consistent with your flake
registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
# This will additionally add your inputs to the system's legacy channels
# Making legacy nix commands consistent as well, awesome!
nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
settings = {
# Enable flakes and new 'nix' command
experimental-features = "nix-command flakes";
# Deduplicate and optimize nix store
auto-optimise-store = true;
};
};
# FIXME: Add the rest of your current configuration
# TODO: Set your hostname
networking.hostName = "your-hostname";
# TODO: This is just an example, be sure to use whatever bootloader you prefer
boot.loader.systemd-boot.enable = true;
# TODO: Configure your system-wide user settings (groups, etc), add more users as needed.
users.users = {
# FIXME: Replace with your username
your-username = {
# TODO: You can set an initial password for your user.
# If you do, you can skip setting a root password by passing '--no-root-passwd' to nixos-install.
# Be sure to change it (using passwd) after rebooting!
# initialPassword = "correcthorsebatterystaple";
isNormalUser = true;
openssh.authorizedKeys.keys = [
# TODO: Add your SSH public key(s) here, if you plan on using SSH to connect
];
# TODO: Be sure to add any other groups you need (such as networkmanager, audio, docker, etc)
extraGroups = [ "wheel" ];
};
};
# This setups a SSH server. Very important if you're setting up a headless system.
# Feel free to remove if you don't need it.
services.openssh = {
enable = true;
settings = {
# Forbid root login through SSH.
PermitRootLogin = "no";
# Use keys only. Remove if you want to SSH using password (not recommended)
PasswordAuthentication = false;
};
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "22.05";
}

42
hosts/nixos/x86_64-linux/__template__/deploy.nix Normal file
View file

@ -0,0 +1,42 @@
{
# This is the hostname by which you'll refer to this machine using reploy-rs
hostname = "server";
# This is the user that deploy-rs will use when connecting.
# This will default to your own username if not specified anywhere
sshUser = "admin";
# This is the user that the profile will be deployed to (will use sudo if not the same as above).
# If `sshUser` is specified, this will be the default (though it will _not_ default to your own username)
user = "root";
# Which sudo command to use. Must accept at least two arguments:
# the user name to execute commands as and the rest is the command to execute
# This will default to "sudo -u" if not specified anywhere.
sudo = "doas -u";
# This is an optional list of arguments that will be passed to SSH.
sshOpts = [ "-p" "2121" ];
# Fast connection to the node. If this is true, copy the whole closure instead of letting the node substitute.
# This defaults to `false`
fastConnection = false;
# If the previous profile should be re-activated if activation fails.
# This defaults to `true`
autoRollback = true;
# See the earlier section about Magic Rollback for more information.
# This defaults to `true`
magicRollback = true;
# The path which deploy-rs will use for temporary files, this is currently only used by `magicRollback` to create an inotify watcher in for confirmations
# If not specified, this will default to `/tmp`
# (if `magicRollback` is in use, this _must_ be writable by `user`)
tempPath = "/home/someuser/.deploy-rs";
# Build the derivation on the target system.
# Will also fetch all external dependencies from the target system's substituters.
# This default to `false`
remoteBuild = true;
}

10
hosts/nixos/x86_64-linux/__template__/hardware-configuration.nix Normal file
View file

@ -0,0 +1,10 @@
# This is just an example, you should generate yours with nixos-generate-config and put it in here.
{
fileSystems."/" = {
device = "/dev/sda1";
fsType = "ext4";
};
# Set your system kind (needed for flakes)
nixpkgs.hostPlatform = "x86_64-linux";
}

248
hosts/nixos/x86_64-linux/homix/configuration.nix Normal file
View file

@ -0,0 +1,248 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, outputs, lib, pkgs, config, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
### Set boot options
boot = {
# Use the systemd-boot boot loader.
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
# Enable running aarch64 binaries using qemu
binfmt = {
emulatedSystems = [
"aarch64-linux"
"wasm32-wasi"
"x86_64-windows"
];
};
# Clean temporary directory on boot
tmp = {
cleanOnBoot = true;
};
# Enable support for nfs and ntfs
supportedFilesystems = [
"cifs"
"ntfs"
"nfs"
];
};
networking.hostName = "homix"; # Define your hostname.
### Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
### Set your time zone.
time.timeZone = "Europe/Sofia";
### Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
### Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkbOptions in tty.
# };
nix = {
package = pkgs.nixVersions.stable;
# Enable flakes, the new `nix` commands and better support for flakes in it
extraOptions = ''
experimental-features = nix-command flakes
'';
# This will add each flake input as a registry
# To make nix3 commands consistent with your flake
registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
# This will additionally add your inputs to the system's legacy channels
# Making legacy nix commands consistent as well, awesome!
nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
settings = {
trusted-users = [
"root"
"reo101"
];
# Add nix-community and rix101 cachix caches
substituters = [
"https://rix101.cachix.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"rix101.cachix.org-1:2u9ZGi93zY3hJXQyoHkNBZpJK+GiXQyYf9J5TLzCpFY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
};
};
### Fonts
fonts.fontconfig.enable = true;
### NVIDIA
services.xserver = {
videoDrivers = [ "nvidia" ];
};
hardware.graphics.enable = true;
hardware.nvidia = {
open = true;
# powerManagement.enable = true;
modesetting.enable = true;
package = config.boot.kernelPackages.nvidiaPackages.stable;
# package = config.boot.kernelPackages.nvidiaPackages.beta;
};
environment.sessionVariables = {
"_JAVA_AWT_WM_NONREPARENTING" = "1";
"LIBVA_DRIVER_NAME" = "nvidia";
"XDG_SESSION_TYPE" = "wayland";
"GBM_BACKEND" = "nvidia-drm";
"__GLX_VENDOR_LIBRARY_NAME" = "nvidia";
"WLR_NO_HARDWARE_CURSORS" = "1";
"MOZ_DISABLE_RDD_SANDBOX" = "1";
"MOZ_ENABLE_WAYLAND" = "1";
"EGL_PLATFORM" = "wayland";
"XDG_CURRENT_DESKTOP" = "sway"; # river
"XKB_DEFAULT_LAYOUT" = "us,bg";
"XKB_DEFAULT_VARIANT" = ",phonetic";
"XKB_DEFAULT_OPTIONS" = "caps:escape,grp:lalt_lshift_toggle";
# "WLR_RENDERER" = "vulkan"; # BUG: river crashes
};
### Wayland specific
services.xserver = {
enable = true;
displayManager = {
defaultSession = "river";
sessionPackages = with pkgs; [
river
];
gdm = {
enable = true;
wayland = true;
};
};
};
# Enable desktop portal
xdg.portal = {
enable = true;
wlr = {
enable = true;
};
extraPortals = [
pkgs.xdg-desktop-portal-gtk
pkgs.xdg-desktop-portal-wlr
];
# TODO: research <https://github.com/flatpak/xdg-desktop-portal/blob/1.18.1/doc/portals.conf.rst.in>
config.common.default = "*";
};
## X11 specific
services.xserver = {
layout = "us,bg";
xkbVariant = ",phonetic";
xkbOptions = "grp:lalt_lshift_toggle";
};
### Enable the OpenSSH daemon.
services.openssh.enable = true;
### Enable CUPS to print documents.
# services.printing.enable = true;
### Enable sound.
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa = {
enable = true;
support32Bit = true;
};
pulse = {
enable = true;
};
jack = {
enable = true;
};
};
services.dbus = {
enable = true;
packages = [ pkgs.dconf ];
};
### Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
# Virtualisation
virtualisation.docker.enable = true;
### Define a user account. Don't forget to set a password with `passwd`.
users.users.reo101 = {
isNormalUser = true;
shell = pkgs.zsh;
extraGroups = [ "wheel" "docker" ];
};
programs.zsh = {
enable = true;
};
### Enable plymouth (bootscreen customizations)
boot.plymouth = {
enable = true;
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
river
xdg-desktop-portal
xdg-desktop-portal-wlr
neovim
wget
git
];
### Jellyfin
reo101.jellyfin = {
enable = true;
};
### Transmission
services.transmission = {
enable = true;
};
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment?
}

40
hosts/nixos/x86_64-linux/homix/hardware-configuration.nix Normal file
View file

@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ lib, pkgs, config, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/7f720420-41d8-4efd-bdf2-f445e52db998";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/5BF4-74EF";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

124
hosts/nixos/x86_64-linux/homix/home/reo101.nix Normal file
View file

@ -0,0 +1,124 @@
{ inputs, outputs, lib, pkgs, config, ... }:
{
imports = [
inputs.wired.homeManagerModules.default
];
home = {
username = "reo101";
homeDirectory = "/home/reo101";
stateVersion = "22.11";
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
home.packages = with pkgs; [
## WM
# river
# swww # wallpaper deamon
# # wired-notify # dunst on wayland
# waybar # status bar
# xwayland
# wl-clipboard
# slurp # select regions from wayland
# grim # grap images from regions
# playerctl # music control
## Terminals
# wezterm
foot
## Core
neovim
fennel-language-server
git
gnupg
firefox
discord
armcord # modded discord
vifm # file editor
pciutils # lspci
usbutils # lsusb
(uutils-coreutils.override { prefix = ""; }) # coreutils in rust
## Shell
# zsh
# starship
# zoxide
ripgrep
## Dhall
dhall
# dhall-lsp-server
## Nix
nil
direnv
## Torrents
tremc
## Rust
rustc
cargo
rust-analyzer
clang
openssl
pkg-config
## Vim FMI
vim-fmi-cli
## Zig
# zigpkgs."0.10.1"
zigpkgs.master
# inputs.zls-overlay.packages.x86_64-linux.default
];
# Enable the GPG Agent daemon.
services.gpg-agent = {
enable = true;
defaultCacheTtl = 1800;
enableSshSupport = true;
};
programs.git = {
enable = true;
userName = "reo101";
userEmail = "pavel.atanasov2001@gmail.com";
};
reo101 = {
shell = {
enable = true;
direnv = true;
zoxide = true;
};
river = {
enable = true;
};
wezterm = {
enable = true;
};
};
home.file = {
".config/nvim" = {
source = config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/.local/src/reovim";
};
};
# home.file.".stack/config.yaml".text = lib.generators.toYAML {} {
# templates = {
# scm-init = "git";
# params = with config.programs.git; {
# author-name = userName;
# author-email = userEmail;
# github-username = userName;
# };
# };
# nix.enable = true;
# };
}

161
hosts/nixos/x86_64-linux/jeeves/configuration.nix Normal file
View file

@ -0,0 +1,161 @@
{ inputs, outputs, lib, pkgs, config, ... }:
{
imports = [
inputs.hardware.nixosModules.common-cpu-amd
inputs.hardware.nixosModules.common-gpu-amd
./disko.nix
./network.nix
./wireguard.nix
./nginx.nix
./jellyfin.nix
./transmission.nix
./mindustry.nix
# ./home-assistant
./samba.nix
# ./steam.nix
# ./ollama.nix
# ./sunshine.nix
# ./photoprism.nix
# ./immich.nix
# ./nextcloud.nix
];
# services.kanidm = { };
age.rekey = {
hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPopSTZ81UyKp9JSljCLp+Syk51zacjh9fLteqxQ6/aB";
# masterIdentities = [ "${inputs.self}/secrets/privkey.age" ];
# storageMode = "local";
# localStorageDir = "${inputs.self}/secrets/rekeyed/${config.networking.hostName}";
};
networking.hostName = "jeeves";
boot = {
loader.systemd-boot.enable = true;
kernelPackages = pkgs.linuxPackages_latest;
binfmt.emulatedSystems = [ "aarch64-linux" ];
initrd = {
availableKernelModules = [
"nvme"
];
# kernelModules = [
# "amdgpu"
# ];
};
};
hardware.enableRedistributableFirmware = true;
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
nix = let
flakeInputs = lib.filterAttrs (lib.const (lib.isType "flake")) inputs;
in {
# This will add each flake input as a registry
# To make nix3 commands consistent with your flake
registry = lib.mapAttrs (_: value: { flake = value; }) flakeInputs;
# This will additionally add your inputs to the system's legacy channels
# Making legacy nix commands consistent as well, awesome!
nixPath = lib.mapAttrsToList (key: value: "${key}=flake:${key}") flakeInputs;
settings = {
trusted-users = [
"root"
"jeeves"
];
experimental-features = "nix-command flakes";
auto-optimise-store = true;
};
};
programs.zsh.enable = true;
environment.systemPackages = with pkgs; [
git
neovim
];
# NOTE: made with `mkpasswd -m sha-512`
age.secrets."jeeves.user.password" = {
rekeyFile = "${inputs.self}/secrets/home/jeeves/user/password.age";
generator = {
script = { pkgs, ... }: ''
${pkgs.mkpasswd}/bin/mkpasswd -m sha-512
'';
};
};
users = {
mutableUsers = true;
users = {
jeeves = {
isNormalUser = true;
shell = pkgs.zsh;
hashedPasswordFile = config.age.secrets."jeeves.user.password".path;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj8ZGcvI80WrJWV+dNy1a3L973ydSNqtwcVHzurDUaW (none)"
];
extraGroups = [
"wheel"
"networkmanager"
"audio"
"docker"
"transmission"
"input"
];
};
};
};
# reo101.jellyfin = {
# enable = true;
# image = "docker.io/jellyfin/jellyfin:latest";
# volumes = [
# "/var/cache/jellyfin/config:/config"
# "/var/cache/jellyfin/cache:/cache"
# "/var/log/jellyfin:/log"
# "/data/media/jellyfin:/media:ro"
# ];
# ports = [
# "8096:8096"
# ];
# };
# security.sudo-rs = {
# enable = !config.security.sudo.enable;
# inherit (config.security.sudo) extraRules;
# };
security.sudo = {
enable = true;
extraRules = [
{
users = [
"jeeves"
];
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea
}
];
}
];
};
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
boot.plymouth = {
enable = true;
};
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "23.05";
}

42
hosts/nixos/x86_64-linux/jeeves/deploy.nix Normal file
View file

@ -0,0 +1,42 @@
{
# This is the hostname by which you'll refer to this machine using reploy-rs
hostname = "jeeves.reo101.xyz";
# This is the user that deploy-rs will use when connecting.
# This will default to your own username if not specified anywhere
sshUser = "jeeves";
# This is the user that the profile will be deployed to (will use sudo if not the same as above).
# If `sshUser` is specified, this will be the default (though it will _not_ default to your own username)
user = "root";
# Which sudo command to use. Must accept at least two arguments:
# the user name to execute commands as and the rest is the command to execute
# This will default to "sudo -u" if not specified anywhere.
sudo = "sudo -u";
# This is an optional list of arguments that will be passed to SSH.
sshOpts = [ "-p" "727" ];
# Fast connection to the node. If this is true, copy the whole closure instead of letting the node substitute.
# This defaults to `false`
fastConnection = false;
# If the previous profile should be re-activated if activation fails.
# This defaults to `true`
autoRollback = true;
# See the earlier section about Magic Rollback for more information.
# This defaults to `true`
magicRollback = true;
# The path which deploy-rs will use for temporary files, this is currently only used by `magicRollback` to create an inotify watcher in for confirmations
# If not specified, this will default to `/tmp`
# (if `magicRollback` is in use, this _must_ be writable by `user`)
tempPath = "/tmp";
# Build the derivation on the target system
# Will also fetch all external dependencies from the target system's substituters.
# This default to `false`
remoteBuild = true;
}

205
hosts/nixos/x86_64-linux/jeeves/disko.nix Normal file
View file

@ -0,0 +1,205 @@
{ inputs, outputs, lib, pkgs, config, ... }:
{
imports = [
inputs.disko.nixosModules.disko
];
environment.systemPackages = with pkgs; [
# `statfs` for btrfs commands
gocryptfs
];
# If on installer
disko.enableConfig = true;
# `head -c 8 /etc/machine-id`
networking.hostId = "1418566e";
# NOTE: needed for mounting `/key` (for LUKS)
boot.initrd.kernelModules = [
"uas"
"ext4"
];
# HACK: for troubleshooting
# see https://github.com/NixOS/nixpkgs/blob/9d6655c6222211adada5eeec4a91cb255b50dcb6/nixos/modules/system/boot/stage-1-init.sh#L45-L49
boot.initrd.preFailCommands = ''
export allowShell=1
'';
# NOTE: doesn't get mounted early enough, see below
# fileSystems."/key" = {
# device = "/dev/disk/by-partlabel/key";
# fsType = "ext4";
# neededForBoot = true;
# };
disko = {
devices = {
disk = {
# NOTE: we could do this to setup a usb for the keys
# but disko overrides it with no option of ignoring when partitioning
# (i.e. tell disko to only use this only for decalartion)
# key = {
# type = "disk";
# device = "/dev/disk/by-id/usb-USB2.0_Flash_Disk_1000000000001D8B-0";
# content = {
# type = "gpt";
# partitions = {
# key = {
# label = "key";
# size = "100%";
# content = {
# type = "filesystem";
# format = "ext4";
# mountpoint = "/key";
# };
# };
# };
# };
# };
ssd1 = {
type = "disk";
device = "/dev/disk/by-id/nvme-eui.e8238fa6bf530001001b448b4ebde3a6";
content = {
type = "gpt";
partitions = {
boot = {
label = "boot_mbr";
size = "1M";
type = "EF02"; # for grub MBR
priority = 1;
};
ESP = {
label = "boot";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
priority = 2;
};
root = {
label = "root";
size = "100%";
content = {
type = "luks";
name = "root";
extraOpenArgs = [ ];
settings = {
keyFile = "/key/root";
# HACK: we need to manually wait for and mount the partition containing the keys
preOpenCommands = ''
# Prepare (kernel modules and directory for mounting)
modprobe uas
modprobe ext4
mkdir -m "0755" -p "/key"
# Loop until mounted (+ initial wait)
sleep 5
until mount -n -t "ext4" -o "ro" "/dev/disk/by-partlabel/key" "/key" 2>&1 1>/dev/null; do
echo 'Could not find a partition with label `key` (at `/dev/disk/by-partlabel/key`), retrying...'
sleep 2
done
'';
};
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
subvolumes = {
"/root" = {
mountpoint = "/";
};
};
};
};
priority = 3;
};
};
};
};
hdd1 = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD8003FFBX-68B9AN0_VYJB5TUM";
content = {
type = "gpt";
partitions = {
mdadm = {
label = "hdd1";
size = "100%";
content = {
type = "mdraid";
name = "tank";
};
};
};
};
};
hdd2 = {
type = "disk";
device = "/dev/disk/by-id/ata-WDC_WD8003FFBX-68B9AN0_VYHZTWSM";
content = {
type = "gpt";
partitions = {
mdadm = {
label = "hdd2";
size = "100%";
content = {
type = "mdraid";
name = "tank";
};
};
};
};
};
};
mdadm = {
tank = {
type = "mdadm";
level = 1;
content = {
type = "luks";
name = "tank";
extraOpenArgs = [ "--allow-discards" ];
settings.keyFile = "/key/tank";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
subvolumes = {
"/home" = {
mountpoint = "/home";
mountOptions = [
"compress=zstd"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"compress=zstd"
"noatime"
];
};
"/data" = {
mountpoint = "/data";
mountOptions = [
"compress=zstd"
];
};
"/data/media" = { };
"/data/torrents" = { };
"/data/torrents/download" = { };
"/data/torrents/incomplete" = { };
"/data/media/jellyfin" = { };
"/data/samba" = { };
"/data/samba/private" = { };
"/data/samba/public" = { };
};
};
};
};
};
};
};
}

23
hosts/nixos/x86_64-linux/jeeves/home-assistant/android.nix Normal file
View file

@ -0,0 +1,23 @@
{
services.home-assistant.config = {
conversation.intents = {
FindAndroid = [
"(Find|Fight) my (phone|android|android phone)"
];
};
intent_script = {
FindAndroid = {
speech.text = "Send notification";
action = {
service = "notify.pushover";
data = {
message = "Phonefinderalert";
target = "android";
data.sound = "echo";
data.priority = 1;
};
};
};
};
};
}

39
hosts/nixos/x86_64-linux/jeeves/home-assistant/default.nix Normal file
View file

@ -0,0 +1,39 @@
{ inputs, outputs, lib, pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
];
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
];
services.home-assistant = {
enable = true;
extraComponents = [
# Components required to complete the onboarding
"esphome"
"met"
"radio_browser"
"tuya"
];
config = {
# Includes dependencies for a basic setup
# https://www.home-assistant.io/integrations/default_config/
default_config = { };
mobile_app = { };
map = { };
};
};
networking.firewall =
lib.pipe
[ "TCP" "UDP" ]
[
(builtins.map
(protocol:
lib.nameValuePair
"allowed${protocol}Ports"
[ 8123 ]))
builtins.listToAttrs
];
}

27
hosts/nixos/x86_64-linux/jeeves/home-assistant/jokes.nix Normal file
View file

@ -0,0 +1,27 @@
{
services.home-assistant.config = {
conversation.intents = {
TellJoke = [
"Tell [me] (a joke|something funny|a dad joke)"
];
};
sensor = [
{
name = "random_joke";
platform = "rest";
json_attributes = "joke";
resource = "https://icanhazdadjoke.com/";
scan_interval = "3600";
headers.Accept = "application/json";
}
];
intent_script.TellJoke = {
speech.text = ''{{ state_attr("sensor.random_joke", "joke") }}'';
action = {
service = "homeassistant.update_entity";
entity_id = "sensor.random_joke";
};
};
};
}

63
hosts/nixos/x86_64-linux/jeeves/home/jeeves.nix Normal file
View file

@ -0,0 +1,63 @@
{ inputs, outputs, lib, pkgs, config, ... }:
{
imports = [
inputs.wired.homeManagerModules.default
];
home = {
username = "jeeves";
homeDirectory = "/home/jeeves";
stateVersion = "23.05";
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
home.packages = with pkgs; [
## Core
neovim
git
gnupg
pciutils # lspci
usbutils # lsusb
## Shell
# zsh
# starship
# zoxide
ripgrep
## Nix
direnv
## Torrents
tremc
## Rust
rustc
cargo
rust-analyzer
clang
openssl
pkg-config
];
reo101 = {
shell = {
enable = true;
direnv = true;
zoxide = true;
shells = [
"zsh"
"nushell"
];
};
};
home.file = {
".config/nvim" = {
source = config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/.local/src/reovim";
};
};
}

49
hosts/nixos/x86_64-linux/jeeves/jellyfin.nix Normal file
View file

@ -0,0 +1,49 @@
{ lib, pkgs, config, ... }:
{
hardware.graphics = {
enable = true;
enable32Bit = true;
extraPackages = with pkgs; [
vaapiVdpau
libva1
vulkan-loader
vulkan-validation-layers
vulkan-extension-layer
];
};
services = {
nginx = {
virtualHosts."jellyfin.jeeves.local" = {
enableACME = false;
forceSSL = false;
locations."/".proxyPass = "http://127.0.0.1:8096";
};
};
jellyfin = {
enable = true;
openFirewall = true;
};
# sonarr = {
# enable = true;
# openFirewall = true;
# };
# radarr = {
# enable = true;
# openFirewall = true;
# };
# bazarr = {
# enable = true;
# openFirewall = true;
# };
# readarr = {
# enable = true;
# openFirewall = true;
# };
# prowlarr = {
# enable = true;
# openFirewall = true;
# };
};
}

6
hosts/nixos/x86_64-linux/jeeves/mindustry.nix Normal file
View file

@ -0,0 +1,6 @@
{ lib, pkgs, config, ... }:
{
reo101.mindustry = {
enable = false;
};
}

58
hosts/nixos/x86_64-linux/jeeves/network.nix Normal file
View file

@ -0,0 +1,58 @@
{ inputs, outputs, lib, pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
];
networking.extraHosts = ''
127.0.0.1 jeeves.local
'';
# networking.nftables.enable = true;
age.secrets."home.wifi.env" = {
rekeyFile = "${inputs.self}/secrets/home/wifi/env.age";
};
networking.wireless = {
iwd.enable = true;
environmentFile = config.age.secrets."home.wifi.env".path;
networks = {
home = {
ssid = "@HOME_WIFI_SSID@";
psk = "@HOME_WIFI_PSK@";
};
};
};
networking.useNetworkd = true;
systemd.network = {
enable = true;
wait-online = {
enable = false;
anyInterface = true;
ignoredInterfaces = [
"eth0"
];
};
networks."10-eth0" = {
matchConfig.Name = "eth0";
networkConfig.DHCP = "yes";
networkConfig.DHCPServer = "yes";
};
links."10-eth0" = {
matchConfig.PermanentMACAddress = "04:7c:16:80:3c:2c";
linkConfig.Name = "eth0"; # "enp8s0";
};
networks."15-wan0" = {
matchConfig.Name = "wan0";
networkConfig.DHCP = "yes";
};
links."15-wan0" = {
matchConfig.PermanentMACAddress = "bc:f4:d4:40:5c:ed";
linkConfig.Name = "wan0"; # "wlp15s0";
};
};
# systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
}

32
hosts/nixos/x86_64-linux/jeeves/nginx.nix Normal file
View file

@ -0,0 +1,32 @@
{ inputs, outputs, lib, pkgs, config, ... }:
{
# age.secrets."nextcloud.adminpass" = {
# rekeyFile = "${inputs.self}/secrets/home/jeeves/nextcloud/adminpass.age";
# mode = "770";
# owner = "nextcloud";
# group = "nextcloud";
# };
environment.systemPackages = [
# config.services.nextcloud.package
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
package = pkgs.openresty;
# virtualHosts."_.${config.networking.hostName}.local" = {
# # listen = [
# # {
# # addr = "127.0.0.1";
# # port = 1234;
# # }
# # ];
# enableACME = false;
# forceSSL = false;
# locations."/".proxyPass = "http://127.0.0.1:1234";
# };
};
}

30
hosts/nixos/x86_64-linux/jeeves/ollama.nix Normal file
View file

@ -0,0 +1,30 @@
{ inputs, outputs, lib, pkgs, config, ... }:
{
networking.firewall.allowedTCPPorts = [11434];
services.ollama = {
enable = true;
host = "0.0.0.0";
port = 11434;
acceleration = "rocm";
environmentVariables = {
OLLAMA_ORIGINS = "*";
};
};
services.open-webui = {
enable = true;
host = "0.0.0.0";
port = 3000;
environment = {
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
TRANSFORMERS_CACHE = "${config.services.open-webui.stateDir}/cache";
OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
# Disable authentication
WEBUI_AUTH = "False";
};
openFirewall = true;
};
}

66
hosts/nixos/x86_64-linux/jeeves/samba.nix Normal file
View file

@ -0,0 +1,66 @@
{ lib, pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
];
# TODO: smbpasswd -a <USER>
services.samba-wsdd = {
# make shares visible for Windows clients
enable = true;
openFirewall = true;
};
services.samba = {
enable = true;
package = pkgs.sambaFull;
openFirewall = true;
securityType = "user";
extraConfig = ''
# Files
workgroup = WORKGROUP
server string = Jeeves
netbios name = jeeves
security = user
#use sendfile = yes
#max protocol = smb2
# NOTE: localhost is the ipv6 localhost ::1
hosts allow = 192.168.0. 192.168.1. 10.100.0. 127.0.0.1 localhost
hosts deny = 0.0.0.0/0
guest account = nobody
map to guest = bad user
# Symlinks
allow insecure wide links = yes
# Printers
load printers = yes
printing = cups
printcap name = cups
'';
shares = {
public = {
path = "/data/samba/public";
browseable = "yes";
"read only" = "no";
"guest ok" = "yes";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "jeeves";
"force group" = "users";
};
private = {
path = "/data/samba/private";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "jeeves";
"force group" = "users";
"follow symlinks" = "yes";
"wide links" = "yes";
};
};
};
}

31
hosts/nixos/x86_64-linux/jeeves/transmission.nix Normal file
View file

@ -0,0 +1,31 @@
{ lib, pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
tremc
];
services = {
transmission = {
enable = true;
package = pkgs.transmission_4;
openRPCPort = true;
webHome = pkgs.flood-for-transmission;
# TODO: `credentialsFile` for RPC password with agenix
settings = {
download-dir = "/data/torrents/download";
incomplete-dir = "/data/torrents/incomplete";
incomplete-dir-enabled = true;
rpc-bind-address = "0.0.0.0";
rpc-whitelist = "127.0.0.1,192.168.*.*,10.100.0.*,*.local";
};
};
nginx = {
virtualHosts."transmission.jeeves.local" = {
enableACME = false;
forceSSL = false;
locations."/".proxyPass = "http://127.0.0.1:9091";
};
};
};
}

111
hosts/nixos/x86_64-linux/jeeves/wireguard.nix Normal file
View file

@ -0,0 +1,111 @@
{ inputs, outputs, lib, pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
wireguard-tools
];
# NOTE: key generation
# umask 077
# wg genkey > key
# wg pubkey < key > key.pub
# Server
age.secrets."wireguard.privateKey" = {
mode = "077";
rekeyFile = "${inputs.self}/secrets/home/jeeves/wireguard/key.age";
generator = {
script = { lib, pkgs, file, ... }: /* bash */ ''
priv=$(${pkgs.wireguard-tools}/bin/wg genkey)
${pkgs.wireguard-tools}/bin/wg pubkey <<< "$priv" > ${lib.escapeShellArg (lib.removeSuffix ".age" file + ".pub")}
echo "$priv"
'';
};
};
# Enable NAT
networking.nat = {
enable = true;
enableIPv6 = true;
externalInterface = "eth0";
internalInterfaces = [ "wg0" ];
};
# Open ports in the firewall
networking.firewall = {
allowedTCPPorts = [ 53 ];
allowedUDPPorts = [ 53 51820 ];
};
systemd.network = {
netdevs = {
"50-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1300";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."wireguard.privateKey".path;
ListenPort = 51820;
};
wireguardPeers =
lib.mapAttrsToList
(host: peerConfig: peerConfig)
{
cheetah = {
PublicKey = "CFTGvBcly791ClwyS6PzTjmqztvYJW2eklR7it/QhxI=";
AllowedIPs = [
"10.100.0.2/32"
"0.0.0.0/0"
# "::/0"
];
};
limonka = {
PublicKey = "+x4cKc16KxhW/M3wv64FU1J0AkiLyXT5Oar6I1n1xk4=";
AllowedIPs = [
"10.100.0.3/32"
"0.0.0.0/0"
];
};
peshoDjam = {
PublicKey = "37QEe3Lsq5BTIzxqAh9z7clHYeaOaMH31oqi5YvAPBY=";
AllowedIPs = [
"10.100.0.4/32"
"192.168.1.134/32"
];
};
s42 = {
PublicKey = "pZF6M8TZ1FSBtTwFz4xzlMqwqRScEqgBfqHBk7ddixc=";
AllowedIPs = [
"10.100.0.5/32"
"0.0.0.0/0"
];
};
a41 = {
PublicKey = "/YEBfjDO+CfmYOKg9pO//ZAZQNutAS5z/Ggt2pX2gn0=";
AllowedIPs = [
"10.100.0.6/32"
"0.0.0.0/0"
];
};
t410 = {
PublicKey = "YSTgtHXcvbCwYrnBCNujsTkLy+umVZWLGECtV88NIW0=";
AllowedIPs = [
"10.100.0.7/32"
"0.0.0.0/0"
];
};
};
};
};
networks.wg0 = {
matchConfig.Name = "wg0";
address = [ "10.100.0.1/24" ];
networkConfig = {
IPMasquerade = "ipv4";
IPForward = true;
};
};
};
}