


c4d676c9f9 Test new jellyseerr version 2024-12-17 17:26:57 +01:00
50 changed files with 4147 additions and 2746 deletions


@ -1,7 +1,7 @@
# Public keys are combination of host + user
keys:
- &laptop_root age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
- &laptop_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
- &sue_root age1w99m9klvc7m5qtmtmu3l0jx8ksdzp5c4p9rkvh5fdullfc6afemqv5py2q
- &sue_pim age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw
- &gamepc_root age1y5wgcxmn37drmjtpgld3xc76mw8dckhred8hecusywjlvdyfedfse8y60u
- &gamepc_pim age1qlldg2c6kptvnmvlkpf9pae3wnczk6eklcmwdvnzyvvnur3aqdcq3c3trt
- &warwick_root age1th8rdw4fs3vmgy9gzc0k9xy88tddjj4vasepckfx9h4nlzsg3q3q4cjgwu
@ -11,36 +11,36 @@ keys:
- &lewis_root age108fn93z2c55g9dm9cv5v4w47pykf3khz7e3dmnpv5dhchwnaau0qs20stq
creation_rules:
- path_regex: secrets/blocktech/colmena.yaml
- path_regex: secrets/sue/colmena.yaml
key_groups:
- age:
- *laptop_root
- path_regex: secrets/blocktech/nixos.yaml
- *sue_root
- path_regex: secrets/sue/nixos.yaml
key_groups:
- age:
- *laptop_root
- path_regex: secrets/blocktech/pkunis.yaml
- *sue_root
- path_regex: secrets/sue/pim.yaml
key_groups:
- age:
- *laptop_pim
- *laptop_root
- *sue_pim
- *sue_root
- path_regex: secrets/gamepc/colmena.yaml
key_groups:
- age:
- *laptop_pim
- *laptop_root
- *sue_pim
- *sue_root
- path_regex: secrets/gamepc/pim.yaml
key_groups:
- age:
- *laptop_pim
- *laptop_root
- *sue_pim
- *sue_root
- *gamepc_root
- *gamepc_pim
- path_regex: secrets/warwick/colmena.yaml
key_groups:
- age:
- *laptop_pim
- *laptop_root
- *sue_pim
- *sue_root
- *niels
- path_regex: secrets/servers.yaml
key_groups:
@ -49,14 +49,14 @@ creation_rules:
- *atlas_root
- *jefke_root
- *lewis_root
- *laptop_pim
- *laptop_root
- *sue_pim
- *sue_root
- *niels
- path_regex: secrets/atlas/colmena.yaml
key_groups:
- age:
- *laptop_pim
- *laptop_root
- *sue_pim
- *sue_root
- *niels
- path_regex: secrets/kubernetes.yaml
key_groups:
@ -64,25 +64,25 @@ creation_rules:
- *atlas_root
- *jefke_root
- *lewis_root
- *laptop_pim
- *laptop_root
- *sue_pim
- *sue_root
- *niels
- path_regex: secrets/jefke/colmena.yaml
key_groups:
- age:
- *laptop_pim
- *laptop_root
- *sue_pim
- *sue_root
- *niels
- path_regex: secrets/lewis/colmena.yaml
key_groups:
- age:
- *laptop_pim
- *laptop_root
- *sue_pim
- *sue_root
- *niels
- path_regex: secrets/lewis/nixos.yaml
key_groups:
- age:
- *lewis_root
- *laptop_pim
- *laptop_root
- *sue_pim
- *sue_root
- *niels
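Review bot: The `path_regex` values in the renamed rules (`secrets/sue/colmena.yaml`, `secrets/sue/nixos.yaml`, `secrets/sue/pim.yaml`) are regular expressions, so the unescaped `.` and the missing anchors let a looser pattern match an unintended file and assign it a recipient set purely by rule order. Anchoring each one, e.g. `- path_regex: ^secrets/sue/pim\.yaml$`, makes the recipient mapping explicit. The same applies to the unchanged rules in the later hunks of this file.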


@ -3,33 +3,33 @@
NixOS configurations for the machines I manage.
Currently managed systems:
- **blocktech**: My current laptop, a ThinkPad P1 running GNOME.
- **sue**: My current laptop, a Dell XPS 9315. It has two flavours:
- Default running GNOME
- Specialisation running Cosmic
- **gamepc**: My gaming PC running Cinnamon
- **warwick**: A Raspberry Pi 4 Model B, which mostly does some monitoring
- **atlas**: A Gigabyte Brix, one of my Kubernetes nodes
- **jefke**: A Gigabyte Brix, one of my Kubernetes nodes
- **lewis**: A Gigabyte Brix, one of my Kubernetes nodes. Additionally, contains
my media collection and does backups.
- **lewis**: A Gigabyte Brix, one of my Kubernetes nodes. Additionally, contains my media collection and does backups.
## Deployment
I use [Colmena](https://colmena.cli.rs) for deploying my machines.
Create garbage collection roots like so:
```shell
colmena build --keep-result
```
colmena build --keep-result --experimental-flake-eval
```
To apply to the local machine:
```shell
sudo colmena apply-local --sudo
```
sudo colmena apply-local --sudo --experimental-flake-eval
```
To apply to all remotely managed systems:
```shell
colmena apply
```
colmena apply --experimental-flake-eval
```
> [!NOTE]
> Currently the `--experimental-flake-eval` flag is necessary to properly use Colmena with flakes. See [this PR](https://github.com/zhaofengli/colmena/pull/228).


@ -15,9 +15,9 @@ inputs @ {
};
};
blocktech = {
sue = {
imports = [
(import ./machines).blocktech.nixosModule
(import ./machines).sue.nixosModule
./nixos
];
};

flake.lock generated



@ -2,26 +2,16 @@
description = "My NixOS configuration";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
nixpkgs-oldstable.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
nur.url = "github:nix-community/NUR";
stylix.url = "github:pizzapim/stylix/master";
treefmt-nix.url = "github:numtide/treefmt-nix";
nixos-facter-modules.url = "github:numtide/nixos-facter-modules";
flake-utils.url = "github:numtide/flake-utils";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
colmena.url = "github:zhaofengli/colmena";
stylix = {
url = "github:nix-community/stylix/release-25.05";
inputs.tinted-schemes.follows = "tinted-schemes";
};
nvf = {
url = "github:notashelf/nvf";
inputs.nixpkgs.follows = "nixpkgs";
};
git-hooks = {
url = "github:cachix/git-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -33,7 +23,7 @@
};
home-manager = {
url = "github:nix-community/home-manager?ref=release-25.05";
url = "github:nix-community/home-manager?ref=release-24.11";
inputs.nixpkgs.follows = "nixpkgs";
};
@ -53,17 +43,16 @@
flake = false;
};
tinted-schemes = {
type = "git";
url = "https://github.com/tinted-theming/schemes";
flake = false;
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-cosmic = {
url = "github:lilyinstarlight/nixos-cosmic";
inputs.nixpkgs-stable.follows = "nixpkgs-unstable";
};
nix-snapshotter = {
url = "github:pdtpartners/nix-snapshotter";
inputs.nixpkgs.follows = "nixpkgs-unstable";
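Review bot: `stylix.url = "github:pizzapim/stylix/master"` tracks the mutable `master` branch of a personal fork, assuming that line is on the new side of the first hunk. The lock file pins the exact commit, but nothing records why the fork is needed or when it can move back to nix-community, which matters for anyone auditing where the inputs come from; a comment next to it such as `# Fork of nix-community/stylix: <reason> — drop once upstreamed` would keep that visible. The `inputs` set continues past the last hunk.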


@ -4,5 +4,5 @@
...
}:
flake-utils.lib.eachDefaultSystem (system: {
inherit (self.packages.${system}) formatter;
formatter = self.packages.${system}.formatter;
})


@ -5,6 +5,7 @@
...
}: {
imports = [
./neovim
./firefox
./tidal.nix
./gnome
@ -12,7 +13,6 @@
./vscode.nix
inputs.nix-index-database.hmModules.nix-index
inputs.sops-nix.homeManagerModules.sops
inputs.nvf.homeManagerModules.default
];
xsession.enable = true;


@ -30,7 +30,7 @@ in {
id = 0;
isDefault = true;
settings = firefoxSettings;
extensions.packages = firefoxAddons;
extensions = firefoxAddons;
};
};
};


@ -0,0 +1,13 @@
require("bufferline").setup({
options = {
diagnostics = "nvim_lsp",
diagnostics_indicator = function(count, level, diagnostics_dict, context)
local icon = level:match("error") and "" or ""
return " " .. icon .. count
end,
separator_style = "slant",
hover = { enabled = true, reveal = { "close" } },
},
})
vim.keymap.set("n", "<leader>ft", ":BufferLinePick<CR>", {})
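Review bot: In `diagnostics_indicator`, `level:match("error") and "" or ""` yields the same empty string on both branches as rendered here, so the match has no effect. If two Nerd Font glyphs were lost when the page was rendered this is fine; otherwise the conditional can be reduced to `return " " .. count`. A short comment naming the intended glyphs would spare the next reader the same question.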


@ -0,0 +1,43 @@
local cmp = require("cmp")
local luasnip = require("luasnip")
require("luasnip.loaders.from_vscode").lazy_load()
luasnip.config.setup({})
cmp.setup({
snippet = {
expand = function(args)
luasnip.lsp_expand(args.body)
end,
},
mapping = cmp.mapping.preset.insert({
["<C-n>"] = cmp.mapping.select_next_item(),
["<C-p>"] = cmp.mapping.select_prev_item(),
["<C-d>"] = cmp.mapping.scroll_docs(-4),
["<C-f>"] = cmp.mapping.scroll_docs(4),
["<C-Space>"] = cmp.mapping.complete({}),
["<CR>"] = cmp.mapping.confirm({
behavior = cmp.ConfirmBehavior.Replace,
select = true,
}),
["<Tab>"] = cmp.mapping(function(fallback)
if cmp.visible() then
cmp.select_next_item()
elseif luasnip.expand_or_locally_jumpable() then
luasnip.expand_or_jump()
else
fallback()
end
end, { "i", "s" }),
["<S-Tab>"] = cmp.mapping(function(fallback)
if cmp.visible() then
cmp.select_prev_item()
elseif luasnip.locally_jumpable(-1) then
luasnip.jump(-1)
else
fallback()
end
end, { "i", "s" }),
}),
sources = { { name = "nvim_lsp" }, { name = "luasnip" } },
})


@ -0,0 +1,2 @@
vim.cmd([[autocmd FileType nix setlocal commentstring=#%s]])
vim.cmd([[autocmd FileType terraform setlocal commentstring=#%s]])


@ -0,0 +1,9 @@
vim.o.background = "dark"
vim.cmd([[colorscheme gruvbox]])
vim.g.mapleader = ";"
vim.o.signcolumn = "yes"
vim.wo.number = true
vim.wo.relativenumber = true
vim.wo.cursorline = true
vim.opt.termguicolors = true
vim.o.mousemoveevent = true


@ -0,0 +1,91 @@
{
pkgs,
config,
lib,
...
}: let
cfg = config.pim.neovim;
in {
options.pim.neovim.enable = lib.mkEnableOption "neovim";
config = lib.mkIf cfg.enable {
programs.neovim = {
enable = true;
viAlias = true;
vimAlias = true;
vimdiffAlias = true;
defaultEditor = true;
extraLuaConfig = builtins.readFile ./core.lua;
extraPackages = with pkgs; [
nil
pyright
gopls
terraform-ls
nixfmt-classic
stylua
black
nixpkgs-fmt
];
plugins = with pkgs.vimPlugins; [
{
plugin = nvim-lspconfig;
type = "lua";
config = builtins.readFile ./lspconfig.lua;
}
gruvbox-nvim
{
plugin = leap-nvim;
type = "lua";
config = builtins.readFile ./leap.lua;
}
{
plugin = telescope-nvim;
type = "lua";
config = builtins.readFile ./telescope.lua;
}
{
plugin = vim-commentary;
type = "lua";
config = builtins.readFile ./commentary.lua;
}
vim-sleuth
{
plugin = gitsigns-nvim;
type = "lua";
config = ''require("gitsigns").setup()'';
}
{
plugin = nvim-cmp;
type = "lua";
config = builtins.readFile ./cmp.lua;
}
cmp-nvim-lsp
friendly-snippets
neodev-nvim
luasnip
cmp_luasnip
{
plugin = nvim-treesitter.withAllGrammars;
type = "lua";
config = builtins.readFile ./treesitter.lua;
}
{
plugin = bufferline-nvim;
type = "lua";
config = builtins.readFile ./bufferline.lua;
}
nvim-web-devicons
lsp-format-nvim
{
plugin = pkgs.vimPlugins.none-ls-nvim;
type = "lua";
config = builtins.readFile ./none-ls.lua;
}
];
};
programs.git.extraConfig.core.editor = "nvim";
};
}


@ -0,0 +1,4 @@
require("leap").add_default_mappings()
-- Don't remap 'x' in visual mode.
vim.keymap.del({ "x", "o" }, "x")
vim.keymap.del({ "x", "o" }, "X")


@ -0,0 +1,65 @@
require("lsp-format").setup({})
local on_attach = function(client, bufnr)
local bufmap = function(keys, func)
vim.keymap.set("n", keys, func, { buffer = bufnr })
end
bufmap("<leader>r", vim.lsp.buf.rename)
bufmap("<leader>a", vim.lsp.buf.code_action)
bufmap("gd", vim.lsp.buf.definition)
bufmap("gD", vim.lsp.buf.declaration)
bufmap("gI", vim.lsp.buf.implementation)
bufmap("<leader>D", vim.lsp.buf.type_definition)
bufmap("gr", require("telescope.builtin").lsp_references)
bufmap("<leader>s", require("telescope.builtin").lsp_document_symbols)
bufmap("<leader>S", require("telescope.builtin").lsp_dynamic_workspace_symbols)
bufmap("K", vim.lsp.buf.hover)
vim.api.nvim_buf_create_user_command(bufnr, "Format", function(_)
vim.lsp.buf.format()
end, {})
end
local capabilities = vim.lsp.protocol.make_client_capabilities()
capabilities = require("cmp_nvim_lsp").default_capabilities(capabilities)
require("neodev").setup()
require("lspconfig").nil_ls.setup({
on_attach = on_attach,
capabilities = capabilities,
})
require("lspconfig").pyright.setup({
on_attach = on_attach,
capabilities = capabilities,
})
require("lspconfig").gopls.setup({
on_attach = on_attach,
capabilities = capabilities,
})
require("lspconfig").terraformls.setup({
on_attach = on_attach,
capabilities = capabilities,
})
local function has_treefmt()
local git_root = vim.fn.systemlist("git rev-parse --show-toplevel")[1]
if vim.v.shell_error ~= 0 then
return false
end
local treefmt_path = git_root .. "/treefmt.nix"
return vim.fn.filereadable(treefmt_path) == 1
end
vim.api.nvim_create_autocmd("BufWritePost", {
pattern = "*",
callback = function()
if vim.fn.expand("%:p") ~= vim.fn.getcwd() .. "/.git/COMMIT_EDITMSG" and has_treefmt() then
vim.cmd("silent !treefmt > /dev/null 2>&1")
end
end,
group = vim.api.nvim_create_augroup("TreefmtAutoformat", { clear = true }),
})
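Review bot: The `BufWritePost` hook runs `treefmt` for every write in any git checkout that contains a `treefmt.nix`, and treefmt's formatter commands come from the repository's own configuration, so saving a file inside an untrusted clone executes repository-controlled commands, with any failure hidden by `> /dev/null 2>&1`. The `COMMIT_EDITMSG` exclusion also compares against `vim.fn.getcwd()` rather than the git root that `has_treefmt` already computes, so it only works when Neovim's cwd is the repository root. The sketch below makes the helper return the root and uses it for the comparison; gating the hook on an allow-list of trusted repository roots would address the first point and is left to the author.
```lua
local function treefmt_root()
  local git_root = vim.fn.systemlist("git rev-parse --show-toplevel")[1]
  if vim.v.shell_error ~= 0 or vim.fn.filereadable(git_root .. "/treefmt.nix") ~= 1 then
    return nil
  end
  return git_root
end

vim.api.nvim_create_autocmd("BufWritePost", {
  pattern = "*",
  callback = function()
    local root = treefmt_root()
    -- Compare against the repository root, not cwd, so commit messages are skipped from any subdirectory.
    if root and vim.fn.expand("%:p") ~= root .. "/.git/COMMIT_EDITMSG" then
      vim.cmd("silent !treefmt > /dev/null 2>&1")
    end
  end,
  -- … unchanged: augroup …
})
```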


@ -0,0 +1,53 @@
-- renamed to none-ls
local null_ls_status_ok, null_ls = pcall(require, "null-ls")
if not null_ls_status_ok then
return
end
local formatting = null_ls.builtins.formatting
local diagnostics = null_ls.builtins.diagnostics
local code_actions = null_ls.builtins.code_actions
-- to setup format on save
local augroup = vim.api.nvim_create_augroup("LspFormatting", {})
require("null-ls").setup({
sources = {
formatting.stylua,
formatting.black,
formatting.nixpkgs_fmt,
formatting.mix,
},
-- configure format on save
-- on_attach = function(current_client, bufnr)
-- if current_client.supports_method("textDocument/formatting") then
-- vim.api.nvim_clear_autocmds({ group = augroup, buffer = bufnr })
-- vim.api.nvim_create_autocmd("BufWritePre", {
-- group = augroup,
-- buffer = bufnr,
-- callback = function()
-- vim.lsp.buf.format({
-- filter = function(client)
-- -- only use null-ls for formatting instead of lsp server
-- return client.name == "null-ls"
-- end,
-- bufnr = bufnr,
-- })
-- end,
-- })
-- end
-- end,
})
-- formatting command
vim.api.nvim_create_user_command("Format", function()
vim.lsp.buf.format(nil, 10000)
end, {})
vim.keymap.set(
"n",
"<leader>fm",
":Format<CR>",
{ desc = "Format current buffer (also done on save)", noremap = true, silent = true }
)
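Review bot: `vim.lsp.buf.format(nil, 10000)` passes the timeout positionally, but `vim.lsp.buf.format` takes a single options table, so the 10 s timeout is ignored and the default applies; write `vim.lsp.buf.format({ timeout_ms = 10000 })`. `formatting.mix` registers the Elixir formatter while the neovim module's `extraPackages` in this commit lists no `mix` or `elixir`, so that source will not run unless the binary is provided elsewhere. The global `Format` user command duplicates the buffer-local `Format` created in `lspconfig.lua`'s `on_attach`, and the commented-out `on_attach` block is dead code that could be dropped or reduced to a one-line comment.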


@ -0,0 +1,17 @@
local builtin = require("telescope.builtin")
vim.keymap.set("n", "<leader>ff", builtin.find_files, {})
vim.keymap.set("n", "<leader>fg", builtin.live_grep, {})
vim.keymap.set("n", "<leader>fb", builtin.buffers, {})
vim.keymap.set("n", "<leader>fr", builtin.lsp_references, {})
vim.keymap.set("n", "<leader>fs", builtin.lsp_document_symbols, {})
require("telescope").setup({
pickers = {
find_files = { theme = "dropdown" },
live_grep = { theme = "dropdown" },
buffers = { theme = "dropdown" },
lsp_references = { theme = "dropdown" },
lsp_document_symbols = { theme = "dropdown" },
},
})


@ -0,0 +1,9 @@
require("nvim-treesitter.configs").setup({
ensure_installed = {},
auto_install = false,
highlight = { enable = true },
indent = { enable = true },
})


@ -12,22 +12,20 @@ in {
programs.vscode = {
enable = true;
package = pkgs.vscodium;
profiles.default = {
extensions = with pkgs.vscode-extensions; [
vscodevim.vim
marp-team.marp-vscode
jnoortheen.nix-ide
mkhl.direnv
];
extensions = with pkgs.vscode-extensions; [
vscodevim.vim
marp-team.marp-vscode
jnoortheen.nix-ide
mkhl.direnv
];
userSettings = {
"nix.enableLanguageServer" = true;
"nix.serverPath" = lib.getExe pkgs.nil;
"terminal.integrated.defaultProfile.linux" = "fish";
"explorer.confirmDragAndDrop" = false;
"explorer.confirmPasteNative" = false;
"explorer.confirmDelete" = false;
};
userSettings = {
"nix.enableLanguageServer" = true;
"nix.serverPath" = lib.getExe pkgs.nil;
"terminal.integrated.defaultProfile.linux" = "fish";
"explorer.confirmDragAndDrop" = false;
"explorer.confirmPasteNative" = false;
"explorer.confirmDelete" = false;
};
};
};


@ -1,39 +1,27 @@
{config, ...}: {
{
config,
pkgs,
...
}: {
imports = [./jellyseerr-module.nix];
disabledModules = ["services/misc/jellyseerr.nix"];
config = {
facter.reportPath = ./facter.json;
system.stateVersion = "23.05";
users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
pim.k3s.serverAddr = "https://jefke.dmz:6443";
pim.backups.borgBackups = {
freshrss = {
paths = ["/mnt/longhorn/persistent/volumes/freshrss"];
deploymentName = "server";
deploymentNamespace = "freshrss";
};
nextcloud = {
paths = ["/mnt/longhorn/persistent/volumes/nextcloud"];
deploymentName = "server";
deploymentNamespace = "nextcloud";
};
nextcloud-db = {
paths = ["/mnt/longhorn/persistent/volumes/nextcloud-db"];
deploymentName = "database";
deploymentNamespace = "nextcloud";
};
authentik = {
paths = ["/mnt/longhorn/persistent/volumes/authentik-db" "/mnt/longhorn/persistent/volumes/authentik-redis"];
scaleDeployments = false;
};
};
deployment = {
targetHost = "atlas";
targetUser = "root";
tags = ["server" "kubernetes"];
};
services.jellyseerr = {
enable = true;
package = pkgs.callPackage ./jellyseerr.nix {};
};
};
}
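Review bot: `disabledModules = ["services/misc/jellyseerr.nix"]` swaps the nixpkgs module for the local `./jellyseerr-module.nix` and `./jellyseerr.nix` without recording why, so the override will silently outlive the upstream change it is meant to test and keep shipping a stale copy. A comment above the `imports` line naming what is being tried and when the override goes away, e.g. `# Local copy of the nixpkgs jellyseerr module/package to test a newer release; remove once nixpkgs ships it`, keeps that visible. `openFirewall` is left at its default of false here, which is the right default for a service that presumably sits behind a reverse proxy.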


@ -0,0 +1,76 @@
{
config,
pkgs,
lib,
...
}: let
cfg = config.services.jellyseerr;
in {
meta.maintainers = with lib.maintainers; [camillemndn pizzapim];
options.services.jellyseerr = {
enable = lib.mkEnableOption ''Jellyseerr, a requests manager for Jellyfin'';
package = lib.mkPackageOption pkgs "jellyseerr" {};
openFirewall = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''Open port in the firewall for the Jellyseerr web interface.'';
};
port = lib.mkOption {
type = lib.types.port;
default = 5055;
description = ''The port which the Jellyseerr web UI should listen to.'';
};
config_directory = lib.mkOption {
description = ''
The directory to save run-time configuration.
'';
type = lib.types.str;
example = "/jellyseerr";
default = "/var/lib/jellyseerr";
};
};
config = lib.mkIf cfg.enable {
systemd.services.jellyseerr = {
description = "Jellyseerr, a requests manager for Jellyfin";
after = ["network.target"];
wantedBy = ["multi-user.target"];
environment = {
PORT = toString cfg.port;
CONFIG_DIRECTORY = cfg.config_directory;
};
serviceConfig = {
Type = "exec";
StateDirectory = "jellyseerr";
# WorkingDirectory = "${cfg.package}/libexec/jellyseerr/deps/jellyseerr";
DynamicUser = true;
ExecStart = lib.getExe cfg.package;
# BindPaths = ["/var/lib/jellyseerr/:${cfg.package}/libexec/jellyseerr/deps/jellyseerr/config/"];
Restart = "on-failure";
ProtectHome = true;
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
};
};
networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [cfg.port];
};
};
}
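Review bot: `config_directory` defaults to `/var/lib/jellyseerr`, which is writable only because `StateDirectory = "jellyseerr"` grants it under `ProtectSystem = "strict"`; the option's `example = "/jellyseerr"` would be neither writable nor owned by the `DynamicUser`, so either the example is misleading or the module should grant and create the path. The unit is a network-facing Node process and the hardening block can take the usual bounding-set, namespace and address-family restrictions without affecting it, as sketched below; `MemoryDenyWriteExecute` is deliberately left out because the V8 JIT needs writable executable pages. The `ReadWritePaths` line only lifts the read-only mount for a custom directory; ownership for the dynamic user still has to be arranged separately.
```nix
      serviceConfig = {
        # … unchanged: Type, StateDirectory, DynamicUser, ExecStart, Restart and the existing Protect*/Restrict* settings …
        # Only StateDirectory is writable under ProtectSystem=strict; a custom config_directory needs an explicit grant.
        ReadWritePaths = lib.mkIf (cfg.config_directory != "/var/lib/jellyseerr") [cfg.config_directory];
        CapabilityBoundingSet = "";
        LockPersonality = true;
        RestrictNamespaces = true;
        RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
        SystemCallArchitectures = "native";
      };
```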


@ -0,0 +1,89 @@
{
lib,
fetchFromGitHub,
makeWrapper,
node-pre-gyp,
nodejs,
pnpm_9,
python3,
stdenv,
}:
stdenv.mkDerivation (finalAttrs: {
pname = "jellyseerr";
version = "2.1.0";
src = with finalAttrs;
fetchFromGitHub {
owner = "Fallenbagel";
repo = "jellyseerr";
rev = "v${version}";
hash = "sha256-5kaeqhjUy9Lgx4/uFcGRlAo+ROEOdTWc2m49rq8R8Hs=";
};
nativeBuildInputs = [
nodejs
makeWrapper
pnpm_9.configHook
# Needed for compiling sqlite3 and bcrypt from source
node-pre-gyp
python3
];
pnpmDeps = pnpm_9.fetchDeps {
inherit (finalAttrs) pname version src;
hash = "sha256-xu6DeaBArQmnqEnIgjc1DTZujQebSkjuai9tMHeQWCk=";
};
buildPhase = ''
runHook preBuild
pnpm build
# Fixes "SQLite package has not been found installed" at launch
pushd node_modules/sqlite3
export CPPFLAGS="-I${nodejs}/include/node"
npm run install --build-from-source --nodedir=${nodejs}/include/node
popd
pushd node_modules/bcrypt
export CPPFLAGS="-I${nodejs}/include/node"
npm run install --build-from-source --nodedir=${nodejs}/include/node
popd
runHook postBuild
'';
preInstall = ''
mkdir $out
cp ./package.json $out
rm -r .next/cache
cp -R ./.next $out
cp -R ./dist $out
cp ./overseerr-api.yml $out
cp -R ./node_modules $out
'';
postInstall = ''
makeWrapper '${nodejs}/bin/node' "$out/bin/jellyseerr" \
--chdir $out \
--add-flags "$out/dist/index.js" \
--set NODE_ENV production
'';
meta = with lib; {
description = "Fork of overseerr for jellyfin support";
homepage = "https://github.com/Fallenbagel/jellyseerr";
longDescription = ''
Jellyseerr is a free and open source software application for managing
requests for your media library. It is a a fork of Overseerr built to
bring support for Jellyfin & Emby media servers!
'';
license = licenses.mit;
maintainers = with maintainers; [
camillemndn
pizzapim
];
platforms = platforms.linux;
mainProgram = "jellyseerr";
};
})
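Review bot: `export CPPFLAGS="-I${nodejs}/include/node"` is set twice in `buildPhase`, once before each `npm run install`; hoisting it once above the first `pushd` removes the duplication. `cp -R ./node_modules $out` ships the whole dependency tree, including whatever `pnpm build` needed only at build time; if `pnpm prune --prod` resolves offline in the sandbox, running it before `preInstall` would shrink the runtime closure and the amount of third-party code present in the installed service. `src = with finalAttrs; fetchFromGitHub` also mixes `with finalAttrs` with the `inherit (finalAttrs)` form used for `pnpmDeps`; one style throughout reads better.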


@ -1,80 +0,0 @@
{
self,
pkgs,
lib,
inputs,
config,
...
}: {
config = {
pim = {
lanzaboote.enable = false;
tidal.enable = false;
gnome.enable = true;
stylix.enable = true;
wireguard.enable = true;
sops-nix.usersWithSopsKeys = ["pkunis"];
};
users.users.pkunis = {
isNormalUser = true;
extraGroups = ["wheel" "docker" "input" "wireshark" "dialout"];
};
deployment = {
allowLocalDeployment = true;
targetHost = null;
tags = ["desktop"];
};
facter.reportPath = ./facter.json;
home-manager.users.pkunis.imports = [./pkunis.home.nix];
nix.settings.trusted-users = ["pkunis"];
system.stateVersion = "23.05";
sops.defaultSopsFile = "${self}/secrets/blocktech/nixos.yaml";
environment.systemPackages = with pkgs; [
borgbackup
kubectl
nmap
poppler_utils # For pdfunite
silicon
units
];
virtualisation = {
libvirtd.enable = true;
docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
};
swapDevices = [
{device = "/dev/disk/by-uuid/949815d4-cfc4-4cf3-bbbe-22516f91119c";}
];
fileSystems."/" = {
device = "/dev/disk/by-uuid/06710546-327b-402a-b221-8d88b75301d2";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/E547-7E6C";
fsType = "vfat";
options = ["fmask=0077" "dmask=0077"];
};
boot = {
initrd.luks.devices."luks-4cc1ad7c-a794-4c54-adc8-c9f666c9b781".device = "/dev/disk/by-uuid/4cc1ad7c-a794-4c54-adc8-c9f666c9b781";
initrd.luks.devices."luks-161f5109-c2d7-4307-91f6-27c655d6ab3e".device = "/dev/disk/by-uuid/161f5109-c2d7-4307-91f6-27c655d6ab3e";
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
};
}


@ -1,7 +1,7 @@
{
blocktech = {
sue = {
system = "x86_64-linux";
nixosModule = import ./blocktech/configuration.nix;
nixosModule = import ./sue/configuration.nix;
};
gamepc = {


@ -5,6 +5,7 @@
}: {
config = {
pim = {
cinnamon.enable = true;
sops-nix.usersWithSopsKeys = ["pim"];
};
@ -31,24 +32,27 @@
services = {
openssh.enable = true;
displayManager.cosmic-greeter.enable = true;
desktopManager.cosmic.enable = true;
xserver.displayManager.lightdm.extraSeatDefaults = ''
autologin-user=pim
'';
sunshine = {
enable = true;
openFirewall = true;
settings = {
sunshine_name = config.networking.hostName;
origin_web_ui_allowed = "wan";
credentials_file = "/home/pim/.config/sunshine/sunshine_credentials.json";
};
};
};
boot = {
loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
};
swraid.mdadmConf = ''
MAILADDR pim@kunis.nl
'';
boot.loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
};
disko.devices.disk = lib.genAttrs ["0" "1"] (name: {
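Review bot: `origin_web_ui_allowed = "wan"` together with `openFirewall = true` makes the Sunshine web UI, which handles client pairing and configuration, reachable from any origin rather than only the local network, assuming the sunshine block is on the new side of this hunk. Unless remote pairing is actually required, `origin_web_ui_allowed = "lan";` keeps the pairing interface LAN-only while streaming still works through the opened ports. The `credentials_file` under the user's home is fine provided the secret provisioned in the home-manager hunk is written with owner-only permissions.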


@ -14,7 +14,6 @@
vlc
handbrake
lutris
chromium
];
};
@ -22,5 +21,6 @@
defaultSopsFile = "${self}/secrets/gamepc/pim.yaml";
# TODO: should be set automatically?
age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
secrets."sunshine_credentials".path = "${config.xdg.configHome}/sunshine/sunshine_credentials.json";
};
}


@ -5,98 +5,6 @@
system.stateVersion = "23.05";
users.users.root.openssh.authorizedKeys.keys = config.pim.ssh.keys.pim ++ config.pim.ssh.keys.niels;
pim.backups.borgBackups = {
radicale = {
paths = ["/mnt/longhorn/persistent/volumes/radicale"];
deploymentName = "server";
deploymentNamespace = "radicale";
};
forgejo = {
paths = ["/mnt/longhorn/persistent/volumes/forgejo"];
deploymentName = "server";
deploymentNamespace = "forgejo";
};
syncthing = {
paths = ["/mnt/longhorn/persistent/volumes/syncthing" "/mnt/longhorn/persistent/volumes/keepassxc"];
deploymentName = "syncthing";
deploymentNamespace = "syncthing";
};
ntfy = {
paths = ["/mnt/longhorn/persistent/volumes/ntfy"];
deploymentName = "ntfy";
deploymentNamespace = "ntfy";
};
hedgedoc-uploads = {
paths = ["/mnt/longhorn/persistent/volumes/hedgedoc-uploads"];
deploymentName = "server";
deploymentNamespace = "hedgedoc";
};
hedgedoc-db = {
paths = ["/mnt/longhorn/persistent/volumes/hedgedoc-db"];
deploymentName = "database";
deploymentNamespace = "hedgedoc";
};
atuin-db = {
paths = ["/mnt/longhorn/persistent/volumes/atuin-db"];
deploymentName = "server";
deploymentNamespace = "atuin";
};
paperless-data = {
paths = ["/mnt/longhorn/persistent/volumes/paperless-data"];
deploymentName = "server";
deploymentNamespace = "paperless";
};
paperless-redisdata = {
paths = ["/mnt/longhorn/persistent/volumes/paperless-redisdata"];
deploymentName = "redis";
deploymentNamespace = "paperless";
};
paperless-db = {
paths = ["/mnt/longhorn/persistent/volumes/paperless-db"];
deploymentName = "database";
deploymentNamespace = "paperless";
};
immich = {
paths = ["/mnt/longhorn/persistent/volumes/immich"];
deploymentName = "immich";
deploymentNamespace = "immich";
};
immich-db = {
paths = ["/mnt/longhorn/persistent/volumes/immich-db"];
deploymentName = "database";
deploymentNamespace = "immich";
};
attic = {
paths = ["/mnt/longhorn/persistent/volumes/attic"];
deploymentName = "attic";
deploymentNamespace = "attic";
};
attic-db = {
paths = ["/mnt/longhorn/persistent/volumes/attic-db"];
deploymentName = "attic-db";
deploymentNamespace = "attic";
};
kitchenowl = {
paths = ["/mnt/longhorn/persistent/volumes/kitchenowl"];
deploymentName = "server";
deploymentNamespace = "kitchenowl";
};
};
deployment = {
targetHost = "jefke";
targetUser = "root";


@ -2,7 +2,6 @@
self,
config,
pkgs,
lib,
...
}: {
config = {
@ -20,99 +19,8 @@
pim = {
k3s.serverAddr = "https://jefke.dmz:6443";
backups.borgBackups = {
bazarr = {
paths = ["/mnt/longhorn/persistent/volumes/bazarr"];
deploymentName = "bazarr";
deploymentNamespace = "media";
};
deluge = {
paths = ["/mnt/longhorn/persistent/volumes/deluge"];
deploymentName = "deluge";
deploymentNamespace = "media";
};
jellyfin = {
paths = ["/mnt/longhorn/persistent/volumes/jellyfin"];
deploymentName = "jellyfin";
deploymentNamespace = "media";
};
jellyseerr = {
paths = ["/mnt/longhorn/persistent/volumes/jellyseerr"];
deploymentName = "jellyseerr";
deploymentNamespace = "media";
};
prowlarr = {
paths = ["/mnt/longhorn/persistent/volumes/prowlarr"];
deploymentName = "prowlarr";
deploymentNamespace = "media";
};
radarr = {
paths = ["/mnt/longhorn/persistent/volumes/radarr"];
deploymentName = "radarr";
deploymentNamespace = "media";
};
sonarr = {
paths = ["/mnt/longhorn/persistent/volumes/sonarr"];
deploymentName = "sonarr";
deploymentNamespace = "media";
};
};
data-sharing.enable = true;
backups.enable = true;
};
systemd = {
timers.read-dir-sizes = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "5m";
OnUnitActiveSec = "5m";
Unit = "read-dir-sizes.service";
};
};
services."read-dir-sizes" = {
script = let
script = pkgs.writeShellScriptBin "read-dir-sizes.sh" ''
DIRS=(
"/mnt/longhorn/persistent/media/movies"
"/mnt/longhorn/persistent/media/shows"
)
temp_file=$(mktemp)
trap 'rm -f "$temp_file"' EXIT
for DIR_PATH in "''${DIRS[@]}"; do
# Find all top-level subdirectories and calculate their size
find "$DIR_PATH" -mindepth 1 -maxdepth 1 -type d | while read -r subdir; do
# Calculate the size of the top-level subdirectory
du --block-size=1 -s "$subdir" | while read -r size path; do
# Print size in Prometheus format
echo "directory_size_bytes{dir=\"$path\"} $size" >> $temp_file
done
done
done
mkdir -p /var/lib/node_exporter/textfile_collector
cp $temp_file /var/lib/node_exporter/textfile_collector/dir_sizes.prom
chmod o=r /var/lib/node_exporter/textfile_collector/dir_sizes.prom
'';
in "${lib.getExe script}";
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
tmpfiles.rules = [
"d /mnt/longhorn/persistent/media/torrents 775 414 51 8d"
];
};
services.prometheus.exporters.node.extraFlags = ["--collector.textfile.directory=/var/lib/node_exporter/textfile_collector"];
};
}


@ -0,0 +1,97 @@
{
self,
pkgs,
lib,
inputs,
config,
...
}: {
options = {
pim.cosmic.enable = lib.mkEnableOption "cosmic";
};
config = {
pim = {
lanzaboote.enable = true;
tidal.enable = true;
gnome.enable = true;
stylix.enable = true;
wireguard.enable = true;
compliance.enable = true;
sops-nix.usersWithSopsKeys = ["pim"];
};
users.users.pim = {
isNormalUser = true;
extraGroups = ["wheel" "docker" "input" "wireshark" "dialout"];
};
deployment = {
allowLocalDeployment = true;
targetHost = null;
tags = ["desktop"];
};
facter.reportPath = ./facter.json;
home-manager.users.pim.imports = [./pim.home.nix];
nix.settings.trusted-users = ["pim"];
system.stateVersion = "23.05";
sops.defaultSopsFile = "${self}/secrets/sue/nixos.yaml";
environment.systemPackages = with pkgs; [
borgbackup
kubectl
nmap
poppler_utils # For pdfunite
silicon
units
];
virtualisation = {
libvirtd.enable = true;
docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
};
swapDevices = [{device = "/dev/disk/by-uuid/96a43c35-0174-4e92-81f0-168a5f601f0b";}];
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/31638735-5cc4-4013-8037-17e30edcbb0a";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/560E-F8A2";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
};
nix.settings = {
substituters = ["https://cosmic.cachix.org/"];
trusted-public-keys = ["cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE="];
};
boot.initrd.luks.devices."luks-8ffd3129-4908-4209-98c4-4eb68a35c494".device = "/dev/disk/by-uuid/8ffd3129-4908-4209-98c4-4eb68a35c494";
specialisation.cosmic = lib.mkIf config.pim.cosmic.enable {
configuration = {
imports = [
inputs.nixos-cosmic.nixosModules.default
];
services = {
desktopManager.cosmic.enable = true;
displayManager.cosmic-greeter.enable = true;
};
};
};
};
}
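Review bot: `virtualisation.docker.enable = true` and `docker.rootless.enable = true` are both set while `pim` is in the `docker` group, so the rootful daemon's socket stays reachable from that account, which is root-equivalent, even though rootless mode suggests that was not the intent; if rootless is the goal, drop the `docker` group entry and the rootful `enable`. `/boot` is mounted with `fmask=0022`/`dmask=0022` whereas the deleted blocktech configuration used `0077`, so the ESP, including the bootloader's random seed, presumably becomes world-readable; `options = ["fmask=0077" "dmask=0077"];` restores the restrictive mode. `nix.settings.trusted-users = ["pim"]` is likewise root-equivalent, consistent with `wheel` membership but worth a comment saying so.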



@ -1,54 +1,43 @@
{
lib,
self,
pkgs,
config,
...
}: let
inherit (self.packages.${pkgs.system}) neovim;
in {
}: {
config = {
pim = {
tidal.enable = false;
tidal.enable = true;
gnome.enable = true;
vscode.enable = true;
syncthing.enable = true;
neovim.enable = true;
firefox.enable = true;
};
programs = {
chromium.enable = true;
git.extraConfig.core.editor = lib.getExe neovim;
};
programs.chromium.enable = true;
home = {
username = "pkunis";
homeDirectory = "/home/pkunis";
username = "pim";
homeDirectory = "/home/pim";
stateVersion = "23.05";
sessionVariables = {
MANPAGER = "${lib.getExe neovim} +Man!";
EDITOR = lib.getExe neovim;
};
};
sops = {
defaultSopsFile = "${self}/secrets/blocktech/pkunis.yaml";
defaultSopsFile = "${self}/secrets/sue/pim.yaml";
age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
secrets."keepassxc".path = "${config.xdg.configHome}/keepassxc/keepassxc.ini";
};
home.packages =
[self.packages.${pkgs.system}.neovim]
++ (with pkgs; [
(with pkgs; [
jellyfin-media-player
virt-manager
bottles-unwrapped
feishin
])
++ (with pkgs.unstable; [
attic-client
dbeaver-bin
devenv
bottles-unwrapped
gimp
hexchat
impression
@ -57,6 +46,7 @@ in {
krita
libreoffice
# logseq # Has insecure electron dependency
moonlight-qt
nicotine-plus
qFlipper
signal-desktop
@ -67,6 +57,7 @@ in {
wireshark
# nheko # Has insecure olm dependency
handbrake
feishin
redfishtool
]);
};


@ -3,7 +3,7 @@ inputs @ {
self,
...
}: {
nixosConfigurations = nixpkgs.lib.mapAttrs (_: {
nixosConfigurations = nixpkgs.lib.mapAttrs (name: {
system,
nixosModule,
}:


@ -1,75 +0,0 @@
{
lib,
config,
pkgs,
...
}: let
borgBackupOpts = {
options = {
paths = lib.mkOption {
type = with lib.types; listOf str;
};
scaleDeployments = lib.mkOption {
type = lib.types.bool;
default = true;
};
deploymentName = lib.mkOption {
type = lib.types.str;
};
deploymentNamespace = lib.mkOption {
type = lib.types.str;
};
replicaCount = lib.mkOption {
type = lib.types.int;
default = 1;
};
};
};
in {
options.pim.backups = {
borgBackups = lib.mkOption {
type = with lib.types; attrsOf (submodule borgBackupOpts);
default = {};
};
};
# TODO: should have some timeout and alerting?
config = {
services.borgbackup.jobs =
lib.mapAttrs (name: c: let
preHook = ''
${pkgs.k3s}/bin/kubectl scale deployment -n ${c.deploymentNamespace} ${c.deploymentName} --replicas=0
while [ -n "$(${pkgs.k3s}/bin/kubectl get deployment -n ${c.deploymentNamespace} ${c.deploymentName} -o jsonpath='{.status.replicas}')" ]; do
echo "Waiting for replicas to scale down to 0..."
sleep 2
done
'';
postHook = "${pkgs.k3s}/bin/kubectl scale deployment -n ${c.deploymentNamespace} ${c.deploymentName} --replicas=${toString c.replicaCount}";
in {
inherit (c) paths;
repo = "ssh://w553a7cb@w553a7cb.repo.borgbase.com/./repo";
startAt = "*-*-* 00:00:00";
# TODO: low benefit, but we could set borgbase's host keys here as they are published online.
environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
postHook = lib.mkIf c.scaleDeployments postHook;
archiveBaseName = name;
prune.keep = {
within = "7d";
weekly = 4;
monthly = 6;
};
preHook = lib.mkIf c.scaleDeployments preHook;
encryption = {
passCommand = "cat ${config.sops.secrets."borg/borgPassphrase".path}";
mode = "repokey-blake2";
};
})
config.pim.backups.borgBackups;
systemd.timers = lib.mapAttrs' (name: _c: lib.nameValuePair "borgbackup-job-${name}" {timerConfig.RandomizedDelaySec = "5h";}) config.pim.backups.borgBackups;
};
}

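--- a/nixos/backups.nix
+++ b/nixos/backups.nix
@@ -0,0 +1,94 @@
+{
+pkgs,
+lib,
+config,
+...
+}: let
+cfg = config.pim.backups;
+borgmaticConfig = pkgs.writeTextFile {
+name = "borgmatic-config.yaml";
+text = lib.generators.toYAML {} {
+source_directories = ["/mnt/longhorn/persistent/longhorn-backup"];
+repositories = [
+{
+path = cfg.repoLocation;
+label = "nfs";
+}
+{
+path = "ssh://s6969ym3@s6969ym3.repo.borgbase.com/./repo";
+label = "borgbase";
+}
+];
+ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
+keep_daily = 7;
+keep_weekly = 4;
+keep_monthly = 12;
+keep_yearly = -1;
+encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/borgPassphrase".path}";
+};
+};
+in {
+options.pim.backups = {
+enable = lib.mkOption {
+default = false;
+type = lib.types.bool;
+description = ''
+Whether to enable backups of persistent data on this machine.
+'';
+};
+repoLocation = lib.mkOption {
+default = "/mnt/longhorn/persistent/nfs.borg";
+type = lib.types.str;
+description = ''
+Location of the Borg repository to back up to.
+'';
+};
+};
+config = lib.mkIf cfg.enable {
+environment.systemPackages = with pkgs; [borgbackup];
+# Converted from:
+# https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd
+systemd.services.borgmatic = {
+description = "borgmatic backup";
+wants = ["network-online.target"];
+after = ["network-online.target"];
+unitConfig.ConditionACPower = true;
+preStart = "${pkgs.coreutils}/bin/sleep 10s";
+serviceConfig = {
+Type = "oneshot";
+Nice = 19;
+CPUSchedulingPolicy = "batch";
+IOSchedulingClass = "best-effort";
+IOSchedulingPriority = 7;
+IOWeight = 100;
+Restart = "no";
+LogRateLimitIntervalSec = 0;
+Environment = "BORG_PASSPHRASE_FILE=${config.sops.secrets."borg/borgPassphrase".path}";
+};
+script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}";
+};
+systemd.timers.borgmatic = {
+description = "Run borgmatic backup";
+wantedBy = ["timers.target"];
+timerConfig = {
+OnCalendar = "*-*-* 3:00:00";
+Persistent = true;
+RandomizedDelaySec = "1h";
+};
+};
+sops.secrets = {
+"borg/borgPassphrase" = {};
+"borg/borgbasePrivateKey" = {};
+};
+};
+}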
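Review bot: The `ssh_command = "${pkgs.openssh}/bin/ssh -i ... -o StrictHostKeychecking=no"` line never verifies the borgbase endpoint's host key, so an impersonated server would accept the backup stream while the timer still reports success. The deleted borg job file noted that BorgBase publishes its host keys; pinning them in a known_hosts file shipped with this module and using `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=<path-to-pinned-borgbase-known_hosts>` closes that gap. Separately, `Environment = "BORG_PASSPHRASE_FILE=..."` in serviceConfig looks redundant with `encryption_passcommand`, and I do not recognise that variable among the borg ones I know (BORG_PASSPHRASE, BORG_PASSCOMMAND, BORG_PASSPHRASE_FD); confirm it is actually read, otherwise drop it so the passphrase path is not exposed in the unit environment for no benefit.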

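--- a/nixos/cinnamon.nix
+++ b/nixos/cinnamon.nix
@@ -0,0 +1,24 @@
+{
+pkgs,
+config,
+lib,
+...
+}: let
+cfg = config.pim.cinnamon;
+in {
+options.pim.cinnamon.enable = lib.mkEnableOption "cinnamon";
+config = lib.mkIf cfg.enable {
+services = {
+displayManager.defaultSession = "cinnamon";
+libinput.enable = true;
+xserver = {
+desktopManager.cinnamon.enable = true;
+displayManager.lightdm.enable = true;
+};
+};
+environment.cinnamon.excludePackages = [
+pkgs.gnome-terminal
+];
+};
+}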

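--- a/nixos/compliance.nix
+++ b/nixos/compliance.nix
@@ -0,0 +1,14 @@
+{
+config,
+lib,
+...
+}: let
+cfg = config.pim.compliance;
+in {
+options.pim.compliance.enable = lib.mkEnableOption "compliance";
+config = lib.mkIf cfg.enable {
+services.clamav = {
+daemon.enable = true;
+};
+};
+}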
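Review bot: `services.clamav.daemon.enable = true` is set without `services.clamav.updater.enable = true`, so nothing runs freshclam: on a fresh host there is no signature database for clamd to start with, and on an existing one it silently goes stale. Adding `updater.enable = true;` next to the daemon line fixes both. Nothing in this module asks clamd to scan anything either; if on-access or scheduled scanning is the intent, recent NixOS releases have a separate `services.clamav.scanner` option worth checking, otherwise the daemon only idles on its socket.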

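--- a/nixos/data-sharing.nix
+++ b/nixos/data-sharing.nix
@@ -0,0 +1,47 @@
+{
+lib,
+config,
+...
+}: let
+cfg = config.pim.data-sharing;
+nfsShares = [
+"/mnt/longhorn/persistent/media"
+"/mnt/longhorn/persistent/media/books"
+"/mnt/longhorn/persistent/media/movies"
+"/mnt/longhorn/persistent/media/music"
+"/mnt/longhorn/persistent/media/shows"
+"/mnt/longhorn/persistent/longhorn-backup"
+];
+nfsExports = lib.strings.concatLines (
+builtins.map
+(
+share: "${share} 192.168.30.0/16(rw,sync,no_subtree_check,no_root_squash) 127.0.0.1/8(rw,sync,no_subtree_check,no_root_squash) 10.0.0.0/8(rw,sync,no_subtree_check,no_root_squash)"
+)
+nfsShares
+);
+in {
+options.pim.data-sharing = {
+enable = lib.mkOption {
+default = false;
+type = lib.types.bool;
+description = ''
+Configure this server to serve our data using NFS.
+'';
+};
+};
+config = lib.mkIf cfg.enable {
+networking.firewall.allowedTCPPorts = [
+2049 # NFS
+111 # NFS
+20048 # NFS
+];
+services.nfs.server = {
+enable = true;
+exports = nfsExports;
+};
+};
+}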
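Review bot: The export line (`share: "${share} 192.168.30.0/16(rw,sync,no_subtree_check,no_root_squash) ..."`) grants `rw,no_root_squash` to `192.168.30.0/16`, `127.0.0.1/8` and `10.0.0.0/8`; a /16 mask on 192.168.30.0 matches all of 192.168.0.0/16 and /8 on 127.0.0.1 all of loopback, so the non-zero host bits suggest a /24 was intended, and `no_root_squash` lets root on any matching client write as uid 0 on the server, including the whole longhorn-backup directory. If only the 192.168.30.x segment should mount these shares, `192.168.30.0/24` narrows the first entry, the loopback entry can go unless something on this host mounts its own export, and the default `root_squash` suffices unless a consumer genuinely needs root ownership preserved. The firewall block opens TCP only; NFSv3 clients also reach rpcbind (111) and mountd (20048) over UDP, so either add the matching `allowedUDPPorts` or confirm only NFSv4 on 2049/tcp is in use.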


@ -18,12 +18,15 @@
./stylix.nix
./wireguard.nix
./gnome.nix
./compliance.nix
./cinnamon.nix
./ssh.nix
./desktop.nix
./server.nix
./prometheus.nix
./kubernetes
./backups-ng.nix
./data-sharing.nix
./backups.nix
];
options = {
@ -42,6 +45,7 @@
config = {
time.timeZone = "Europe/Amsterdam";
hardware.pulseaudio.enable = false;
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
i18n = {
@ -93,7 +97,6 @@
xserver.excludePackages = [pkgs.xterm];
printing.drivers = [pkgs.hplip pkgs.gutenprint];
tailscale.enable = true;
pulseaudio.enable = false;
pipewire = {
alsa.enable = true;
@ -125,8 +128,6 @@
ncdu
lshw
sops
nix-tree
fd
];
};
@ -145,7 +146,7 @@
};
nix = {
package = lib.mkDefault pkgs.nixVersions.stable;
package = pkgs.nixVersions.stable;
extraOptions = ''
experimental-features = nix-command flakes
@ -169,6 +170,8 @@
};
nixpkgs = {
# hostPlatform = lib.mkDefault "x86_64-linux";
config = {
allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
@ -178,16 +181,11 @@
"steam-run"
"steam-unwrapped"
];
permittedInsecurePackages = [
"electron-33.4.11"
];
};
overlays = [
inputs.nur.overlays.default
(_final: _prev: {
inherit (inputs.nixpkgs-oldstable.legacyPackages.x86_64-linux) containerd;
inputs.nur.overlay
(final: _prev: {
unstable = import inputs.nixpkgs-unstable {
inherit (pkgs) system;
config.allowUnfree = true;
@ -196,13 +194,9 @@
];
};
boot = {
kernelPackages = pkgs.linuxKernel.packages.linux_6_14;
kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
boot.kernel.sysctl = {
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
};
home-manager = {


@ -6,11 +6,6 @@
config = lib.mkIf (builtins.elem "desktop" config.deployment.tags) {
programs.ssh.startAgent = true;
hardware.graphics = {
enable = true;
enable32Bit = true;
};
services = {
xserver.enable = true;
printing.enable = true;


@ -46,6 +46,8 @@ in {
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
k3s
openiscsi # Required for Longhorn
nfs-utils # Required for Longhorn
];
# TODO!!!!!
@ -119,13 +121,27 @@ in {
serverFlags = builtins.concatStringsSep " " serverFlagList;
in {
enable = true;
inherit (cfg) role clusterInit;
role = cfg.role;
tokenFile = config.sops.secrets."k3s/serverToken".path;
extraFlags = lib.mkIf (cfg.role == "server") (lib.mkForce serverFlags);
clusterInit = cfg.clusterInit;
serverAddr = lib.mkIf (! (cfg.serverAddr == null)) cfg.serverAddr;
};
# Required for Longhorn
openiscsi = {
enable = true;
name = "iqn.2016-04.com.open-iscsi:${config.networking.fqdn}";
};
};
# HACK: Symlink binaries to /usr/local/bin such that Longhorn can find them
# when they use nsenter.
# https://github.com/longhorn/longhorn/issues/2166#issuecomment-1740179416
systemd.tmpfiles.rules = [
"L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
];
system.activationScripts = {
k3s-bootstrap = lib.mkIf (cfg.role == "server") {
text = (
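Review bot: The tmpfiles rule `"L+ /usr/local/bin - - - - /run/current-system/sw/bin/"` exposes the entire system profile through `/usr/local/bin`, so whatever Longhorn runs on the host via nsenter sees every installed binary rather than the handful it needs, and the `L+` form also removes anything already at `/usr/local/bin` on every boot. A narrower workaround is a dedicated directory populated only with the tools Longhorn actually needs (iscsiadm and the mount helpers) and pointing the rule at that; the comment already marks this as a HACK, so a why-comment naming which binaries are required would help the next reader scope it. Minor style: `serverAddr = lib.mkIf (! (cfg.serverAddr == null)) cfg.serverAddr;` reads more naturally as `lib.mkIf (cfg.serverAddr != null) cfg.serverAddr`. The `services.k3s` attribute set these lines belong to starts outside the hunk.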


@ -12,39 +12,42 @@
services.prometheus = {
enable = true;
scrapeConfigs = let
node = {
job_name = "node";
static_configs = [
{
targets = lib.pipe nodes [
(lib.filterAttrs (_name: node: node.config.services.prometheus.exporters.node.enable))
(lib.attrsets.mapAttrsToList
(_name: node: "${node.config.networking.fqdn}:${toString node.config.services.prometheus.exporters.node.port}"))
];
}
scrapeConfigs = (
let
generated = lib.pipe nodes [
(lib.filterAttrs (name: node: node.config.services.prometheus.exporters.node.enable))
(lib.attrsets.mapAttrsToList
(name: node: {
job_name = name;
static_configs = [
{
targets = ["${node.config.networking.fqdn}:${toString node.config.services.prometheus.exporters.node.port}"];
}
];
}))
];
};
pikvm = {
job_name = "pikvm";
metrics_path = "/api/export/prometheus/metrics";
scheme = "https";
tls_config.insecure_skip_verify = true;
pikvm = {
job_name = "pikvm";
metrics_path = "/api/export/prometheus/metrics";
scheme = "https";
tls_config.insecure_skip_verify = true;
# We don't care about security here, it's behind a VPN.
basic_auth = {
username = "admin";
password = "admin";
# We don't care about security here, it's behind a VPN.
basic_auth = {
username = "admin";
password = "admin";
};
static_configs = [
{
targets = ["pikvm.dmz"];
}
];
};
static_configs = [
{
targets = ["pikvm.dmz"];
}
];
};
in [node pikvm];
in
generated ++ [pikvm]
);
};
services.nginx = {
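Review bot: The rewritten pikvm scrape job keeps `username = "admin"; password = "admin";` together with `tls_config.insecure_skip_verify = true`; the comment justifies both by the VPN, but the generated Prometheus config lands in the world-readable Nix store and the literal lives in this repository, and skipping verification means any host answering at `pikvm.dmz` is trusted as the KVM. Prometheus basic_auth accepts `password_file`, so `basic_auth = { username = "admin"; password_file = config.sops.secrets."<pikvm-password-secret>".path; };` keeps the value out of the store, and exporting the PiKVM certificate into `tls_config.ca_file` removes the need for `insecure_skip_verify`. The `scrapeConfigs` let-block is fully inside the hunk; the enclosing `services.prometheus` set is not.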


@ -2,7 +2,6 @@
lib,
config,
self,
pkgs,
...
}: {
options.pim.tailscale.advertiseExitNode = lib.mkOption {
@ -11,8 +10,6 @@
};
config = lib.mkIf (builtins.elem "server" config.deployment.tags) {
environment.systemPackages = [pkgs.unar];
networking = {
firewall.allowedTCPPorts = [config.services.prometheus.exporters.node.port];
domain = "dmz";
@ -63,10 +60,8 @@
};
};
sops.secrets = {
"tailscale/authKey".sopsFile = "${self}/secrets/servers.yaml";
"borg/borgPassphrase".sopsFile = "${self}/secrets/servers.yaml";
"borg/borgbasePrivateKey".sopsFile = "${self}/secrets/servers.yaml";
sops.secrets."tailscale/authKey" = {
sopsFile = "${self}/secrets/servers.yaml";
};
};
}


@ -19,11 +19,6 @@ in {
enable = true;
base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-dark-medium.yaml";
# targets = {
# firefox.profileNames = ["default"];
# librewolf.profileNames = ["default"];
# };
cursor = {
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Classic";
@ -31,7 +26,10 @@ in {
};
fonts = {
monospace.package = pkgs.nerd-fonts.jetbrains-mono;
monospace = {
package = pkgs.nerdfonts.override {fonts = ["JetBrainsMono"];};
name = "JetBrainsMono Nerd Font Mono";
};
sansSerif = {
package = pkgs.dejavu_fonts;


@ -5,7 +5,6 @@
}: let
cfg = config.pim.tidal;
in {
# TODO: this is bad and broken
options.pim.tidal.enable = lib.mkEnableOption "tidal";
config = lib.mkIf cfg.enable {


@ -2,129 +2,12 @@
nixpkgs,
flake-utils,
treefmt-nix,
nvf,
...
}:
flake-utils.lib.eachDefaultSystem (system: let
pkgs = nixpkgs.legacyPackages.${system};
treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
treefmtWrapper = treefmtEval.config.build.wrapper;
neovimConfigured = nvf.lib.neovimConfiguration {
inherit pkgs;
modules = [
{
config.vim = {
preventJunkFiles = true;
telescope.enable = true;
autopairs.nvim-autopairs.enable = true;
autocomplete.nvim-cmp.enable = true;
snippets.luasnip.enable = true;
filetree.neo-tree.enable = true;
tabline.nvimBufferline.enable = true;
dashboard.alpha.enable = true;
notify.nvim-notify.enable = true;
projects.project-nvim.enable = true;
comments.comment-nvim.enable = true;
extraPlugins.vim-sleuth.package = pkgs.vimPlugins.vim-sleuth;
keymaps = [
{
key = "<C-e>";
mode = ["n"];
action = ":Neotree toggle<CR>";
silent = true;
desc = "Toggle Neotree";
}
];
lsp = {
enable = true;
formatOnSave = true;
lightbulb.enable = true;
trouble.enable = true;
lspSignature.enable = true;
otter-nvim.enable = true;
};
languages = {
enableFormat = true;
enableTreesitter = true;
enableExtraDiagnostics = true;
nix.enable = true;
markdown.enable = true;
bash.enable = true;
clang.enable = true;
css.enable = true;
html.enable = true;
sql.enable = true;
go.enable = true;
python.enable = true;
rust = {
enable = true;
crates.enable = true;
};
};
visuals = {
nvim-web-devicons.enable = true;
cinnamon-nvim.enable = true;
fidget-nvim.enable = true;
highlight-undo.enable = true;
cellular-automaton.enable = true;
};
statusline.lualine = {
enable = true;
theme = "gruvbox";
};
theme = {
enable = true;
name = "gruvbox";
style = "dark";
transparent = false;
};
binds = {
whichKey.enable = true;
cheatsheet.enable = true;
};
git = {
enable = true;
gitsigns.enable = true;
};
utility = {
surround.enable = true;
diffview-nvim.enable = true;
motion = {
hop.enable = true;
leap.enable = true;
};
};
terminal.toggleterm = {
enable = true;
lazygit.enable = true;
};
ui = {
borders.enable = true;
noice.enable = true;
colorizer.enable = true;
smartcolumn.enable = true;
fastaction.enable = true;
};
};
}
];
};
in {
packages = {
formatter = treefmtWrapper;
inherit (neovimConfigured) neovim;
};
packages.formatter = treefmtWrapper;
})


@ -1,3 +1,4 @@
sunshine_credentials: ENC[AES256_GCM,data:P1sttD3H65DQje+Cs5CVLqvhtXWtoBgu/TBZ3WFIWqErRKtKa31V2lLrgixrty4TVM5qq06zE5z3lQ78ZAHLNh80jMPvoAcCqTXXoWwIYwdHJT0iG09f0ZfpiVTZU4MuCn0uuaJ6873AYe60siZW8uFntu3v230izoAqY9Ex+BzIOOliuqrnIRzdw06TCrrBTJUr,iv:WZqkSZOsiCWx7VPuTDA1Js1DcHZLK9YLDxTQ2nVlFQ8=,tag:iJ6bSofnPWWm7B+VPm+MyQ==,type:str]
sops:
kms: []
gcp_kms: []


@ -1,8 +1,5 @@
tailscale:
authKey: ENC[AES256_GCM,data:3eXxQBY6AVqU4R1NlsyhGCfXW5wL58ODRH/f+zo5YFRad/ys1vB9JeKagq0SJSj/w4zxRAEpCf1o47Ypww==,iv:QklyIFuXlbH6cM/I0gqDH/Xeay9gqxqeyulQ7W/dbig=,tag:E/3UqtsfSVOi6otSlReO0Q==,type:str]
borg:
borgPassphrase: ENC[AES256_GCM,data:UWA2sBLPi63MRVOPTYPWYLujF2M=,iv:FQq/IsZK7LWo30gZc7oT2E9feCLn7Oeg6wDGuezkhu8=,tag:fWYaZUwJrM8x6cemXzz6xg==,type:str]
borgbasePrivateKey: ENC[AES256_GCM,data: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,iv:rzkjjSnyrs58ZEO8XLsCSFsPHbtnL39SF6NJ6lUg3Ww=,tag:q0sunVc+9bLFoSdeykuT6g==,type:str]
sops:
kms: []
gcp_kms: []
@ -72,8 +69,8 @@ sops:
Y2cwK05uWXFhbndyRlhrSFNjYUlmZ1UKZ1vFRu1QhGGf7BIP8TxK2BIlMZlP3muA
R3qLr1lEQmob4O0ilwn65nSCEd1/9W6dUWqeSlJ6CavjG59AvSHfIA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-25T14:53:30Z"
mac: ENC[AES256_GCM,data:jzjF+qjdptTI0Y1wNteZgYBGwF5dFWEBIFY3+k4Ty0YU/WB5AyUL6A8v0+PyoxoJK3pL+NAJEmLmAPFVh3+ExDlU9g3TAgpkOs7EsbJtWcjo8Ah08Hl8zoWqcMFcQhZ+aLnVKAE+tIBT4dWyV0AvOWmU8luvarsCp2tQ2OoBH20=,iv:PmbLg91onGz3kjxXMua/Thb904qDkWjHJcBY2dMAios=,tag:e0+fQqNysdiGvaodcimMVQ==,type:str]
lastmodified: "2024-11-30T18:44:29Z"
mac: ENC[AES256_GCM,data:SG6a5pWa3gMaSz9d9fOchUXtXbRTpMOXmbOjZo5Fdx8Es1MEDwezwscQaj9p1dzmGa+7U8UUUzMYxlg2SmGgGdPgCs0a5RQVYvQFNdgpRiuknflFMcdgXLv7XFsTqsqSmbN0O662YDvCcz4DWRKjNCZAimlLym8pwDihj1D8dcU=,iv:JmCbcazDK2KPyYsoVy39sr4IbfiGfmGoopit5ojVADk=,tag:6tKYfMkJBjsThaa4qLqobw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4
version: 3.9.1


@ -1,6 +1,6 @@
sops_nix_keys:
root: ENC[AES256_GCM,data:CxF2wjcQ2OFuS7Pgjnc8zc7sqGEz3dcHt4NXkL+V6w7kGPP+b4wBhOlT7b+bEESNslpK2htLY7x+IZWIA8JQpeRKHAKymAUK86I=,iv:5qNFDb86/Vr9Iqzx1eES4wUVY5XTq3iOR4VQliuP1lg=,tag:gx/Q7t52l9kMhPRXdpsB6A==,type:str]
pkunis: ENC[AES256_GCM,data:192vkgOdMoDEhPU6yilatIfaFS/1LJFvteEMYI1/3SBP773lN62pWoDiJDiBtjBCisA/3yHriL3Dpvs1PwbV0BChmbL+svwKrFE=,iv:/YyZ+NSyZwyGp4NJYUSeYOOUfGaH5jOiVUH8QeWnFUA=,tag:sWN0bQvm8Ejw5+XST0pAEQ==,type:str]
pim: ENC[AES256_GCM,data:PWFlRBaqImbCpj3IXU+BtNIRvwru+GRwxDQO4QwINRvxRqC36LE6JpMqaJNrTdCPy+aQ01brTN8y99qXTDlrul32cZnopc37r78=,iv:1tG7rDB5D7D2myes6Ro8hXC140ugjXpiwNpivWFw/xw=,tag:BNm/Ep55tt7xBWZFyzTR5g==,type:str]
sops:
kms: []
gcp_kms: []
@ -16,8 +16,8 @@ sops:
NkJzL3JSN2sxbnF6NGNhQlJqTHpHRTAKK+3FqqBAGxdlMtnbsySEcZT1lkQwJWvK
GFB+6CtH9UtyIGrdK8Pm/0ahsolYGAim2OjeiKBbs3Q8kLm5WAsgRg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-25T13:53:06Z"
mac: ENC[AES256_GCM,data:lLojNOq2QtdeqiCHOg6+Kssfa+Ey6JefPQulFkgnr1Onrt60ds2qWg5TTMHMlUaa6vB1S78WqyquTRBLv9Ek/alOae+CgdDi+vVX8hG5Mc2Edcfl+z8rRNFB+2mOEl1gJwKntyxySx6YBiDhZsH0p+Xflw9WGm/lL/FyRCJCwq0=,iv:8PqXupgwdfgdfIzsymVSrjQACoMODR+XYPgLMvASjos=,tag:rLGJlL3alm/qy+3qeS637g==,type:str]
lastmodified: "2024-11-30T23:42:51Z"
mac: ENC[AES256_GCM,data:fo856uaz54nxHDJVDpMOPc6GHAzMdVJTfqBiMtJkEwm3AVICtRcI8ucceBnmfKZf9DM2MC2DffU1tvJd5iqpqFZMXCElRnBxWVZGhvrZqIZtmoAin5zBgwOudf1o6msmdNGmZk1ECq/HpHNO/QMQ3rnFdBvOZwL0zu6iZm9XwC0=,iv:T6Tv1ukk0CWbTRVWYdfn/bWQoETk8DRVMOzpJE9mCWE=,tag:eICIYTBvAJLUTpRcMYqc5Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1