diff --git a/certificates/id_ed25519_ext-julia.pub b/certificates/id_ed25519_ext-julia.pub new file mode 100644 index 0000000..facb9b4 --- /dev/null +++ b/certificates/id_ed25519_ext-julia.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtsLGI/S6473jzw4BlWTRfxVO7mhEhClRF0gzpexG9V game-luanti diff --git a/certificates/id_ed25519_game-luanti.pub b/certificates/id_ed25519_game-luanti.pub new file mode 100644 index 0000000..74077ab --- /dev/null +++ b/certificates/id_ed25519_game-luanti.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPydzO5SD6CwZUyiXYGleCGzGLdOqplPWSrJ8dAhs8J game-luanti diff --git a/tests/default.nix b/experiments/default.nix similarity index 100% rename from tests/default.nix rename to experiments/default.nix diff --git a/tests/glitchtip-container.nix b/experiments/glitchtip-container.nix similarity index 100% rename from tests/glitchtip-container.nix rename to experiments/glitchtip-container.nix diff --git a/flake.lock b/flake.lock index 63e5de6..c646fe8 100644 --- a/flake.lock +++ b/flake.lock 
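Review bot: The comment field of the new `certificates/id_ed25519_ext-julia.pub` reads `game-luanti`, while the file name and the host that consumes it (hosts/ext-julia/default.nix later in this diff) say ext-julia; the key material differs from the game-luanti key, so this looks like a copied comment, not a copied key. The comment is what key fingerprints and authorized_keys audits display, so a mislabel makes it harder to tell which key belongs to which host when one has to be rotated. I would edit the trailing comment to `ext-julia` so each committed public key is self-describing.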
@@ -1,5 +1,205 @@ { "nodes": { + "base16": { + "inputs": { + "fromYaml": "fromYaml" + }, + "locked": { + "lastModified": 1746562888, + "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=", + "owner": "SenchoPens", + "repo": "base16.nix", + "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89", + "type": "github" + }, + "original": { + "owner": "SenchoPens", + "repo": "base16.nix", + "type": "github" + } + }, + "base16-fish": { + "flake": false, + "locked": { + "lastModified": 1622559957, + "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", + "owner": "tomyun", + "repo": "base16-fish", + "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", + "type": "github" + }, + "original": { + "owner": "tomyun", + "repo": "base16-fish", + "type": "github" + } + }, + "base16-helix": { + "flake": false, + "locked": { + "lastModified": 1736852337, + "narHash": "sha256-esD42YdgLlEh7koBrSqcT7p2fsMctPAcGl/+2sYJa2o=", + "owner": "tinted-theming", + "repo": "base16-helix", + "rev": "03860521c40b0b9c04818f2218d9cc9efc21e7a5", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-helix", + "type": "github" + } + }, + "base16-vim": { + "flake": false, + "locked": { + "lastModified": 1732806396, + "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=", + "owner": "tinted-theming", + "repo": "base16-vim", + "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-vim", + "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", + "type": "github" + } + }, + "firefox-gnome-theme": { + "flake": false, + "locked": { + "lastModified": 1744642301, + "narHash": "sha256-5A6LL7T0lttn1vrKsNOKUk9V0ittdW0VEqh6AtefxJ4=", + "owner": "rafaelmardojai", + "repo": "firefox-gnome-theme", + "rev": "59e3de00f01e5adb851d824cf7911bd90c31083a", + "type": "github" + }, + "original": { + "owner": "rafaelmardojai", + "repo": "firefox-gnome-theme", + "type": "github" + } + }, + 
"flake-compat": { + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "stylix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "fromYaml": { + "flake": false, + "locked": { + "lastModified": 1731966426, + "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=", + "owner": "SenchoPens", + "repo": "fromYaml", + "rev": "106af9e2f715e2d828df706c386a685698f3223b", + "type": "github" + }, + "original": { + "owner": "SenchoPens", + "repo": "fromYaml", + "type": "github" + } + }, + "git-hooks": { + "inputs": { + "flake-compat": [ + "stylix", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "stylix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1742649964, + "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "stylix", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + 
"repo": "gitignore.nix", + "type": "github" + } + }, + "gnome-shell": { + "flake": false, + "locked": { + "lastModified": 1744584021, + "narHash": "sha256-0RJ4mJzf+klKF4Fuoc8VN8dpQQtZnKksFmR2jhWE1Ew=", + "owner": "GNOME", + "repo": "gnome-shell", + "rev": "52c517c8f6c199a1d6f5118fae500ef69ea845ae", + "type": "github" + }, + "original": { + "owner": "GNOME", + "ref": "48.1", + "repo": "gnome-shell", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -7,27 +207,49 @@ ] }, "locked": { - "lastModified": 1746171682, - "narHash": "sha256-EyXUNSa+H+YvGVuQJP1nZskXAowxKYp79RNUsNdQTj4=", + "lastModified": 1749154018, + "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=", "owner": "nix-community", "repo": "home-manager", - "rev": "50eee705bbdbac942074a8c120e8194185633675", + "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-24.11", + "ref": "release-25.05", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "stylix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1747556831, + "narHash": "sha256-Qb84nbYFFk0DzFeqVoHltS2RodAYY5/HZQKE8WnBDsc=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "d0bbd221482c2713cccb80220f3c9d16a6e20a33", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-25.05", "repo": "home-manager", "type": "github" } }, "nix-flatpak": { "locked": { - "lastModified": 1744659587, - "narHash": "sha256-xJnbmRVte13akgn+Prg06IaRHJ5OX3uVltwsCP/mxoc=", + "lastModified": 1749394952, + "narHash": "sha256-WbWkzIvB0gqAdBLghdmUpGveY7MlAS2iMj3VEJnJ9yE=", "owner": "gmodena", "repo": "nix-flatpak", - "rev": "928d868a9141b48f152d3b2b00c433e688d4b106", + "rev": "64c6e53a3999957c19ab95cda78bde466d8374cc", "type": "github" }, "original": { 
@@ -59,11 +281,11 @@ ] }, "locked": { - "lastModified": 1742568034, - "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=", + "lastModified": 1747663185, + "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11", + "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", "type": "github" }, "original": { @@ -74,11 +296,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1746621361, - "narHash": "sha256-T9vOxEqI1j1RYugV0b9dgy0AreiZ9yBDKZJYyclF0og=", + "lastModified": 1749195551, + "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "2ea3ad8a1f26a76f8a8e23fc4f7757c46ef30ee5", + "rev": "4602f7e1d3f197b3cb540d5accf5669121629628", "type": "github" }, "original": { @@ -90,11 +312,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1746461020, - "narHash": "sha256-7+pG1I9jvxNlmln4YgnlW4o+w0TZX24k688mibiFDUE=", + "lastModified": 1749285348, + "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3730d8a308f94996a9ba7c7138ede69c1b9ac4ae", + "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f", "type": "github" }, "original": { 
@@ -106,20 +328,46 @@ }, "nixpkgs": { "locked": { - "lastModified": 1746557022, - "narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=", + "lastModified": 1749237914, + "narHash": "sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860", + "rev": "70c74b02eac46f4e4aa071e45a6189ce0f6d9265", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.11", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } }, + "nur": { + "inputs": { + "flake-parts": [ + "stylix", + "flake-parts" + ], + "nixpkgs": [ + "stylix", + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1746056780, + "narHash": "sha256-/emueQGaoT4vu0QjU9LDOG5roxRSfdY0K2KkxuzazcM=", + "owner": "nix-community", + "repo": "NUR", + "rev": "d476cd0972dd6242d76374fcc277e6735715c167", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + } + }, "root": { "inputs": { "home-manager": "home-manager", 
@@ -127,7 +375,164 @@ "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", "nixos-unstable": "nixos-unstable", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "stylix": "stylix" + } + }, + "stylix": { + "inputs": { + "base16": "base16", + "base16-fish": "base16-fish", + "base16-helix": "base16-helix", + "base16-vim": "base16-vim", + "firefox-gnome-theme": "firefox-gnome-theme", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "git-hooks": "git-hooks", + "gnome-shell": "gnome-shell", + "home-manager": "home-manager_2", + "nixpkgs": [ + "nixpkgs" + ], + "nur": "nur", + "systems": "systems", + "tinted-foot": "tinted-foot", + "tinted-kitty": "tinted-kitty", + "tinted-schemes": "tinted-schemes", + "tinted-tmux": "tinted-tmux", + "tinted-zed": "tinted-zed" + }, + "locked": { + "lastModified": 1749389855, + "narHash": "sha256-//wZBnlBJ7Ki5/ZdafiAZwVFZd/2HhKqEbOupo/HcRA=", + "owner": "danth", + "repo": "stylix", + "rev": "bf5ab9df57a3d77847289c39c3a537bd6e6ac6f4", + "type": "github" + }, + "original": { + "owner": "danth", + "ref": "release-25.05", + "repo": "stylix", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "tinted-foot": { + "flake": false, + "locked": { + "lastModified": 1726913040, + "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=", + "owner": "tinted-theming", + "repo": "tinted-foot", + "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-foot", + "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", + "type": "github" + } + }, + "tinted-kitty": { + "flake": false, + "locked": { + "lastModified": 
1735730497, + "narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=", + "owner": "tinted-theming", + "repo": "tinted-kitty", + "rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-kitty", + "type": "github" + } + }, + "tinted-schemes": { + "flake": false, + "locked": { + "lastModified": 1744974599, + "narHash": "sha256-Fg+rdGs5FAgfkYNCs74lnl8vkQmiZVdBsziyPhVqrlY=", + "owner": "tinted-theming", + "repo": "schemes", + "rev": "28c26a621123ad4ebd5bbfb34ab39421c0144bdd", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "schemes", + "type": "github" + } + }, + "tinted-tmux": { + "flake": false, + "locked": { + "lastModified": 1745111349, + "narHash": "sha256-udV+nHdpqgkJI9D0mtvvAzbqubt9jdifS/KhTTbJ45w=", + "owner": "tinted-theming", + "repo": "tinted-tmux", + "rev": "e009f18a01182b63559fb28f1c786eb027c3dee9", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-tmux", + "type": "github" + } + }, + "tinted-zed": { + "flake": false, + "locked": { + "lastModified": 1725758778, + "narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=", + "owner": "tinted-theming", + "repo": "base16-zed", + "rev": "122c9e5c0e6f27211361a04fae92df97940eccf9", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-zed", + "type": "github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "stylix", + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733222881, + "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "49717b5af6f80172275d47a418c9719a31a78b53", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 6ac302d..ef446c9 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,12 +1,13 @@ { inputs = { # Main nix package repository - nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; - home-manager = { - url = "github:nix-community/home-manager/release-24.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + # NixOS unstable + nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; + + # ready made hardware configurations. e.G.: Power saving + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; # generating filesystems in different formats nixos-generators = { @@ -14,11 +15,17 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - # NixOS unstable channel - nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; + # additional user specific nix modules + home-manager = { + url = "github:nix-community/home-manager/release-25.05"; + inputs.nixpkgs.follows = "nixpkgs"; + }; - # ready made hardware configurations. e.G.: Power saving - nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + # theming + stylix = { + url = "github:danth/stylix/release-25.05"; + inputs.nixpkgs.follows = "nixpkgs"; + }; # for managing flatpaks, like which ones are installed and which not nix-flatpak.url = "github:gmodena/nix-flatpak"; diff --git a/hosts/crocoite/default.nix b/hosts/crocoite/default.nix index 2b546da..9275f72 100644 --- a/hosts/crocoite/default.nix +++ b/hosts/crocoite/default.nix @@ -5,14 +5,15 @@ nixos-unstable, ... }: { - #nixpkgs.overlays = [ overlays.unstable-packages ]; + nixpkgs = { # You can add overlays here overlays = with inArgs.self.overlays; [ # Add overlays your own flake exports (from overlays and pkgs dir): + unstable-packages + #additions #modifications - unstable-packages # You can also add overlays exported from other flakes: # neovim-nightly-overlay.overlays.default 
@@ -27,34 +28,12 @@ }; imports = [ - # steam and other stuff seems to depend on perl - #"${modulesPath}/profiles/perlless.nix" - inArgs.nix-flatpak.nixosModules.nix-flatpak - - #nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1 ./hardware-configuration.nix ./boot.nix - ../../modules - ../../modules/users - - ../../modules/hardware - - ../../modules/sec_auth - - ../../modules/software - ../../modules/software/browser - ../../modules/software/nix-helper - ../../modules/software/shells - ../../modules/software/office - - ../../modules/wm_and_de - - ../../modules/pkg_mgrmnt - - ../../system_profiles/defaults.nix - # ../../tests + ../../system_profiles/desktop.nix + # ../../experiments ]; } diff --git a/hosts/crocoite/hardware-configuration.nix b/hosts/crocoite/hardware-configuration.nix index 99cf29f..50cf88e 100644 --- a/hosts/crocoite/hardware-configuration.nix +++ b/hosts/crocoite/hardware-configuration.nix @@ -10,6 +10,7 @@ }: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") + #nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1 ]; boot.initrd.availableKernelModules = ["nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"]; diff --git a/hosts/ext-julia/boot.nix b/hosts/ext-julia/boot.nix new file mode 100644 index 0000000..82bde96 --- /dev/null +++ b/hosts/ext-julia/boot.nix @@ -0,0 +1,11 @@ +{ + # Use the GRUB 2 boot loader. + boot.loader.grub = { + enable = true; + # efiSupport = true; + # efiInstallAsRemovable = true; + # Define on which hard drive you want to install Grub. + device = "/dev/vda"; # or "nodev" for efi only + }; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; +} diff --git a/hosts/ext-julia/default.nix b/hosts/ext-julia/default.nix new file mode 100644 index 0000000..92c90f8 --- /dev/null +++ b/hosts/ext-julia/default.nix 
@@ -0,0 +1,37 @@
+{pkgs, ...}:{
+ imports = [
+ ./boot.nix
+ ./hardware-configuration.nix
+
+ #../../modules/hosting/wordpress-simple/kiezpalme.nix
+ #../../modules/hosting/wordpress-simple/pertineo.nix
+ ../../modules/hosting/wordpress.nix
+ ../../modules/sec_auth/ssh-server.nix
+
+ ../../system_profiles/server.nix
+ ];
+
+ #services.mysql = {
+ # enable = true;
+ # package = pkgs.mariadb;
+ #};
+
+ services.cWordpress."example-site" = {
+ enable = true;
+ sitePort = 80;
+ };
+
+ services.cWordpress."example-site2" = {
+ enable = true;
+ sitePort = 81;
+ };
+
+ services.openssh.ports = [11522];
+ users = let
+ username = "root";
+ in {
+ users."${username}".openssh.authorizedKeys.keyFiles = [
+ ../../certificates/id_ed25519_ext-julia.pub
+ ];
+ };
+}
diff --git a/hosts/ext-julia/hardware-configuration.nix b/hosts/ext-julia/hardware-configuration.nix
new file mode 100644
index 0000000..1e4a7ab
--- /dev/null
+++ b/hosts/ext-julia/hardware-configuration.nix
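Review bot: The `users."${username}"` block hands an authorized key straight to `root` and moves sshd to port 11522, but nothing in this file restricts how root may log in, and whether `../../modules/sec_auth/ssh-server.nix` sets `PermitRootLogin` is outside the diff. I would pin it next to the key so the host does not depend on the shared module, `services.openssh.settings.PermitRootLogin = "prohibit-password";`, or better give the key to a non-root admin user in `wheel`. The `let username = "root"; in` indirection adds nothing over `users.users.root.openssh.authorizedKeys.keyFiles = [ ../../certificates/id_ed25519_ext-julia.pub ];`. The same root-key pattern appears in the hosts/game-luanti/default.nix hunk. Since modules/firewall.nix now enables the firewall, it is also worth confirming that the wordpress and ssh modules open 80/81 (`sitePort`) and 11522 rather than relying on the old disabled state.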
@@ -0,0 +1,37 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + lib, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot = { + initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + initrd.kernelModules = []; + kernelModules = []; + extraModulePackages = []; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/d290e12c-d93c-45f6-b737-135b551c1951"; + fsType = "ext4"; + }; + + swapDevices = [ + {device = "/dev/disk/by-uuid/8c56f52e-568a-4e03-b22c-6d1c7de7c118";} + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/factorio/hardware-configuration.nix b/hosts/factorio/hardware-configuration.nix index a458278..88e834a 100644 --- a/hosts/factorio/hardware-configuration.nix +++ b/hosts/factorio/hardware-configuration.nix @@ -1,13 +1,7 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: { +{lib, ...}: { boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"]; # maybe instruct nix to just use available swap partition diff --git a/hosts/game-luanti/boot.nix b/hosts/game-luanti/boot.nix new file mode 100644 index 0000000..82bde96 
--- /dev/null +++ b/hosts/game-luanti/boot.nix @@ -0,0 +1,11 @@ +{ + # Use the GRUB 2 boot loader. + boot.loader.grub = { + enable = true; + # efiSupport = true; + # efiInstallAsRemovable = true; + # Define on which hard drive you want to install Grub. + device = "/dev/vda"; # or "nodev" for efi only + }; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; +} diff --git a/hosts/game-luanti/default.nix b/hosts/game-luanti/default.nix index 9072876..c69c055 100644 --- a/hosts/game-luanti/default.nix +++ b/hosts/game-luanti/default.nix @@ -1,13 +1,26 @@ { - pkgs, - lib, - modulesPath, - ... -}: { imports = [ + ./boot.nix ./hardware-configuration.nix - ../../system_profiles/defaults.nix - ../../system_profiles/mini-container.nix + ../../modules/game/server/luanti + ../../modules/sec_auth/ssh-server.nix + ../../modules/pkg_mgrmnt/unattended-updates.nix + + ../../system_profiles/server.nix ]; + + users = let + username = "root"; + in { + users."${username}".openssh.authorizedKeys.keyFiles = [ + ../../certificates/id_ed25519_game-luanti.pub + ]; + }; + + services.journald.extraConfig = '' + Storage=persistent + SystemMaxUse=100M + SystemKeepFree=50M + ''; } diff --git a/hosts/game-luanti/hardware-configuration.nix b/hosts/game-luanti/hardware-configuration.nix index f8c86aa..6bbf7a7 100644 --- a/hosts/game-luanti/hardware-configuration.nix +++ b/hosts/game-luanti/hardware-configuration.nix 
@@ -1,3 +1,36 @@ -{lib, ...}: { +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + lib, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + boot = { + initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + initrd.kernelModules = []; + kernelModules = []; + extraModulePackages = []; + }; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/d290e12c-d93c-45f6-b737-135b551c1951"; + fsType = "ext4"; + }; + + swapDevices = [ + {device = "/dev/disk/by-uuid/8c56f52e-568a-4e03-b22c-6d1c7de7c118";} + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/hosts/jitsi/default.nix b/hosts/jitsi/default.nix index 1893723..a13ea41 100644 --- a/hosts/jitsi/default.nix +++ b/hosts/jitsi/default.nix @@ -1,9 +1,4 @@ -{ - pkgs, - lib, - modulesPath, - ... -}: { +{...}: { nixpkgs.config = { # Disable if you don't want unfree packages allowUnfree = true; diff --git a/lib/debug.nix b/lib/debug.nix new file mode 100644 index 0000000..f17441d --- /dev/null +++ b/lib/debug.nix @@ -0,0 +1,16 @@ +{ ... }: +{ + imports = [ + {lib, config, ... }: { + options.tempDebugVar = lib.mkOption { + type = lib.types.str; + default = ""; + description = "tempDebugVar"; + }; + } + ]; + + environment.etc."debugfile".text = '' + ${config.tempDebugVar} + ''; +} 
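Review bot: The new `fileSystems."/"` and `swapDevices` entries carry the same by-uuid values (`d290e12c-d93c-45f6-b737-135b551c1951` and `8c56f52e-568a-4e03-b22c-6d1c7de7c118`) as the new `hosts/ext-julia/hardware-configuration.nix` earlier in this diff, and the rest of the file is line-for-line the same; two distinct VMs cannot both own these UUIDs, so at least one host's file was copied rather than generated and that host will not find its root device at boot. I would run `nixos-generate-config` on each VM and commit its own output, or at minimum check `blkid` on game-luanti before this lands. The "generated by nixos-generate-config" header makes the copy harder to spot later, which is one more reason to fix it now.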
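Review bot: `config` is used in `environment.etc."debugfile".text` but the module's argument set is `{ ... }:`, so `config` is an unbound variable and evaluation fails as soon as `lib/debug.nix` is imported (it is currently only referenced as the commented `#./debug.nix` in lib/hostHelper.nix). The fix is the argument list: `{ config, ... }:`. Separately, `environment.etc` entries are world-readable by default, so whatever `tempDebugVar` is set to becomes readable by every local account; keep it to non-sensitive values or set `mode` on the entry.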
diff --git a/hostHelper.nix b/lib/hostHelper.nix similarity index 87% rename from hostHelper.nix rename to lib/hostHelper.nix index 3602016..e4ab867 100644 --- a/hostHelper.nix +++ b/lib/hostHelper.nix @@ -5,9 +5,13 @@ inArgs: hostname: hostOptions: let else inArgs.nixpkgs.lib.nixosSystem; in nixosSystem { - specialArgs = {inherit inArgs;}; + specialArgs = { + inArgs = inArgs; + rootPath = inArgs.self; + }; modules = [ - ./hosts/${hostname} + ../hosts/${hostname} + #./debug.nix { networking.hostName = hostname; diff --git a/modules/customisation.nix b/modules/customisation.nix index 65e1092..4a07150 100644 --- a/modules/customisation.nix +++ b/modules/customisation.nix @@ -1,10 +1,13 @@ {pkgs, ...}: { # install and set neovim as MANPAGER - environment.systemPackages = [pkgs.neovim]; - environment.variables = { - "MANPAGER" = "nvim +Man!"; + environment = { + systemPackages = [pkgs.neovim]; + variables = { + # set neovim as default editor + "EDITOR" = "nvim"; - # set neovim as default editor - "EDITOR" = "nvim"; + # use neovim as manpager! :3 + "MANPAGER" = "nvim +Man!"; + }; }; } diff --git a/modules/default.nix b/modules/default.nix index 3d82f4f..e1045b5 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,11 +1,17 @@ { imports = [ - #./plymouth.nix ./accessibility.nix ./customisation.nix + + # should only be imported directly or via system_profiles + #./dhcp-all-interfaces.nix + ./environment.nix + ./firewall.nix ./locale.nix ./networking.nix - ./firewall.nix + #./plymouth.nix # increases boot time too much + #./serial-console.nix # probably only for servers + ./theming.nix ]; } diff --git a/modules/dhcp-all-interfaces.nix b/modules/dhcp-all-interfaces.nix new file mode 100644 index 0000000..a009914 --- /dev/null +++ b/modules/dhcp-all-interfaces.nix 
@@ -0,0 +1,9 @@
+{
+ # Enables DHCP on each ethernet and wireless interface.
+ # In case of scripted networking (the default) this is the recommended approach.
+ # When using systemd-networkd it's still possible to use this option,
+ # but it's recommended to use it in conjunction with
+ # explicit per-interface declarations with:
+ # `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+}
diff --git a/modules/environment.nix b/modules/environment.nix
index d399d08..44215ab 100644
--- a/modules/environment.nix
+++ b/modules/environment.nix
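Review bot: `lib.mkDefault` is referenced on the `networking.useDHCP` line but the module is a bare attribute set, so `lib` is not in scope and importing this file fails with an undefined-variable error. Make it a module function: `{lib, ...}: {`. modules/default.nix keeps the import commented out, which is why this has not surfaced yet.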
@@ -1,33 +1,35 @@ {pkgs, ...}: { - environment.etc = { - "xdg/user-dirs.defaults".text = '' - DESKTOP=Desktop - DOWNLOAD=Downloads - TEMPLATES=Documents/Templates - PUBLICSHARE=Public - DOCUMENTS=Documents - MUSIC=Media/Music - PICTURES=Media/Pictures - VIDEOS=Media/Videos - ''; - }; - # This is using a rec (recursive) expression to set and access XDG_BIN_HOME within the expression - # For more on rec expressions see https://nix.dev/tutorials/first-steps/nix-language#recursive-attribute-set-rec - environment.sessionVariables = rec { - XDG_CACHE_HOME = "$HOME/.cache"; - XDG_CONFIG_HOME = "$HOME/.config"; - XDG_DATA_HOME = "$HOME/.local/share"; - XDG_STATE_HOME = "$HOME/.local/state"; + environment = { + etc = { + "xdg/user-dirs.defaults".text = '' + DESKTOP=Desktop + DOWNLOAD=Downloads + TEMPLATES=Documents/Templates + PUBLICSHARE=Public + DOCUMENTS=Documents + MUSIC=Media/Music + PICTURES=Media/Pictures + VIDEOS=Media/Videos + ''; + }; + # This is using a rec (recursive) expression to set and access XDG_BIN_HOME within the expression + # For more on rec expressions see https://nix.dev/tutorials/first-steps/nix-language#recursive-attribute-set-rec + sessionVariables = rec { + XDG_CACHE_HOME = "$HOME/.cache"; + XDG_CONFIG_HOME = "$HOME/.config"; + XDG_DATA_HOME = "$HOME/.local/share"; + XDG_STATE_HOME = "$HOME/.local/state"; - # Not officially in the specification - XDG_BIN_HOME = "$HOME/.local/mybin"; - PATH = [ - "${XDG_BIN_HOME}" + # Not officially in the specification + XDG_BIN_HOME = "$HOME/.local/mybin"; + PATH = [ + "${XDG_BIN_HOME}" + ]; + }; + + # XDG-USER-DIR package and config + systemPackages = with pkgs; [ + xdg-user-dirs ]; }; - - # XDG-USER-DIR package and config - environment.systemPackages = with pkgs; [ - xdg-user-dirs - ]; } diff --git a/modules/firewall.nix b/modules/firewall.nix index f8cb4bb..dfd6753 100644 --- a/modules/firewall.nix +++ b/modules/firewall.nix 
@@ -1,6 +1,6 @@ { networking.firewall = { - enable = false; + enable = true; # Open ports in the firewall. allowedTCPPorts = [8080 10001 10002]; diff --git a/modules/game/server/luanti/default.nix b/modules/game/server/luanti/default.nix index 06628ea..a6f8da3 100644 --- a/modules/game/server/luanti/default.nix +++ b/modules/game/server/luanti/default.nix @@ -1,5 +1,8 @@ -{...}: { - services.minetest = { - enable = true; - }; +{ + imports = [ + ./luanti.nix + #./mods.nix + ./olivetin.nix + ./postgresql.nix + ]; } diff --git a/modules/game/server/luanti/luanti.nix b/modules/game/server/luanti/luanti.nix new file mode 100644 index 0000000..b2f52c0 --- /dev/null +++ b/modules/game/server/luanti/luanti.nix @@ -0,0 +1,20 @@ +{pkgs, ...}: let + port = 10523; +in { + services.minetest-server = { + enable = true; + + gameId = "EinsDreiDreiSieben"; + port = port; + }; + + # open port since luanti does not do it by itself + networking.firewall = { + allowedUDPPorts = [port]; + }; + + # install luanti seperatly so it is available through the command line + environment.systemPackages = with pkgs; [ + luanti + ]; +} diff --git a/modules/game/server/luanti/mods.nix b/modules/game/server/luanti/mods.nix new file mode 100644 index 0000000..22c4748 --- /dev/null +++ b/modules/game/server/luanti/mods.nix @@ -0,0 +1,11 @@ +{ pkgs, config, ... }: let + GitMod = curl: pkgs.fetchgit rec { + url = curl; + fetchSubmodules = true; + deepClone = false; + leaveDotGit = false; + }; + this-variable-should-exist = GitMod "https://gitlab.com/rubenwardy/accountmgr"; +in { + config.tempDebugVar = break this-variable-should-exist; +} diff --git a/modules/game/server/luanti/olivetin.nix b/modules/game/server/luanti/olivetin.nix new file mode 100644 index 0000000..e84a9c3 --- /dev/null +++ b/modules/game/server/luanti/olivetin.nix 
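Review bot: Flipping `enable` to `true` makes the context line `allowedTCPPorts = [8080 10001 10002]` effective on every host that imports `modules/firewall.nix` (it sits in the `modules/default.nix` import list in this same diff), so three ports that were previously no-ops are now open on all of them, including the two new internet-facing servers. I would keep the shared module to `enable = true;` and move host-specific ports next to the services that need them, e.g. `networking.firewall.allowedTCPPorts = [8080];` in that host's default.nix, or at least document here what 10001/10002 serve. The enclosing `networking.firewall` block continues past the hunk.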
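Review bot: `pkgs.fetchgit` in `GitMod` is called without a `hash`, so the fetched mod source has no fixed-output hash to verify against and, as far as I recall nixpkgs, is built with a fake hash and fails; a pinned `rev` plus `hash = "<sha256 placeholder>";` is what makes the source reproducible and tamper-evident. The `rec` on that attrset binds nothing it uses, and bare `break` on the `config.tempDebugVar` line is not a Nix keyword — if the debugger hook is meant, it is `builtins.break`. The file is only `#./mods.nix` in luanti/default.nix for now, so neither issue fires yet.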
@@ -0,0 +1,64 @@
+{ pkgs, lib, ... }: let
+ _pull = pkgs.writeShellScript "pull" ''
+ export GIT_SSH_COMMAND='ssh -i /var/lib/minetest/.ssh/id_ed25519_temp -o IdentitiesOnly=yes'
+ git -C /var/lib/minetest/.minetest/games/EinsDreiDreiSieben pull
+ '';
+ pull = _pull.outPath;
+
+ _restart = pkgs.writeShellScript "restart" ''
+ echo "before"
+ systemctl restart minetest-server.service
+ echo "after"
+ '';
+ restart = _restart.outPath;
+
+in {
+ users.users."minetest".linger = true;
+ services.olivetin = {
+ enable = true;
+ settings = {
+ actions = [
+ {
+ title = "puuuull!";
+ shell = "/run/wrappers/bin/sudo -u minetest - ${pull}";
+ popupOnStart = "execution-dialog-stdout-only";
+ icon = "⬇";
+ }
+ {
+ title = "restart";
+ shell = "/run/wrappers/bin/sudo -u minetest - ${restart}";
+ popupOnStart = "execution-dialog-stdout-only";
+ icon = "⬇";
+ }
+ ];
+ };
+
+ path = [
+ pkgs.git
+ pkgs.openssh
+ ];
+ };
+ security.sudo-rs.extraRules = [
+ {
+ users = [ "olivetin" ];
+ runAs = "minetest";
+ commands = [
+ {
+ command = pull;
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ {
+
+ users = [ "olivetin" ];
+ runAs = "root";
+ commands = [
+ {
+ command = restart;
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
+}
diff --git a/modules/game/server/luanti/postgresql.nix b/modules/game/server/luanti/postgresql.nix
new file mode 100644
index 0000000..1755b1e
--- /dev/null
+++ b/modules/game/server/luanti/postgresql.nix
@@ -0,0 +1,18 @@
+{pkgs, ...}: {
+ config.services.postgresql = {
+ enable = true;
+
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser auth-method
+ local all all trust
+ '';
+
+ ensureDatabases = ["luanti_world"];
+ ensureUsers = [
+ {
+ name = "luanti_world";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+}
diff --git a/modules/hardware/bluetooth.nix b/modules/hardware/bluetooth.nix
index 900e469..cea96f4 100644
--- a/modules/hardware/bluetooth.nix
+++ b/modules/hardware/bluetooth.nix
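Review bot: The `restart` action runs `sudo -u minetest - ${restart}`, but the only sudo-rs rule that allows `restart` has `runAs = "root"`, so sudo denies that invocation as written, and changing the action to `-u root` would hand the olivetin service user a passwordless root step. Since the script only restarts one unit, I would keep `runAs = "minetest"` for both scripts and let that user restart it through polkit (e.g. a `security.polkit.extraConfig` rule for `org.freedesktop.systemd1.manage-units` scoped to `minetest-server.service`) rather than a root sudo rule. The lone `-` between `-u minetest` and the script path is not a sudo option and is probably meant to be `--` or dropped; verify with a dry run as the olivetin user. The pull script bakes the deploy key path `/var/lib/minetest/.ssh/id_ed25519_temp` into the store, which is fine only as long as that file stays mode 0600 and owned by minetest.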
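Review bot: `local all all trust` overriding the NixOS default means any local OS account on the host — including the `olivetin` service user this same commit adds — can connect over the socket as any role, `postgres` included, with no credential. The default `peer` method already admits a system user into the role of the same name without a password, so if the game server connects as the `luanti_world` user the override is unnecessary; if it connects as another user (say the `minetest` user the olivetin hunk assumes), a `services.postgresql.identMap` entry mapping that user to `luanti_world` with `local luanti_world luanti_world peer map=<name>` keeps authentication socket-bound without opening every role. `pkgs.lib.mkOverride 10` would normally be written `lib.mkForce` with `lib` taken from the module arguments.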
@@ -1,6 +1,8 @@ { - hardware.bluetooth.enable = true; # enables support for Bluetooth - hardware.bluetooth.powerOnBoot = false; # powers up the default Bluetooth controller on boot + hardware = { + bluetooth.enable = true; # enables support for Bluetooth + bluetooth.powerOnBoot = false; # powers up the default Bluetooth controller on boot + }; services.blueman.enable = true; # provides blueman-applet and blueman-manager } diff --git a/modules/hardware/default.nix b/modules/hardware/default.nix index e24baff..c6ebe66 100644 --- a/modules/hardware/default.nix +++ b/modules/hardware/default.nix @@ -2,8 +2,9 @@ imports = [ ./bluetooth.nix ./fwupd.nix - ./scan_and_print.nix - #./trackpoint.nix ./gpu.nix + ./print.nix + ./scan.nix + #./trackpoint.nix ]; } diff --git a/modules/hardware/gpu.nix b/modules/hardware/gpu.nix index 13c2a0b..577529b 100644 --- a/modules/hardware/gpu.nix +++ b/modules/hardware/gpu.nix @@ -1,6 +1,8 @@ {pkgs, ...}: { - hardware.graphics.enable = true; - hardware.graphics.extraPackages = with pkgs; [ - libvdpau-va-gl - ]; + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + libvdpau-va-gl + ]; + }; } diff --git a/modules/hardware/print.nix b/modules/hardware/print.nix new file mode 100644 index 0000000..3697cf9 --- /dev/null +++ b/modules/hardware/print.nix @@ -0,0 +1,4 @@ +{ + # Enable CUPS to print documents. + services.printing.enable = true; +} diff --git a/modules/hardware/scan.nix b/modules/hardware/scan.nix new file mode 100644 index 0000000..949137b --- /dev/null +++ b/modules/hardware/scan.nix 
@@ -0,0 +1,27 @@ +{pkgs, ...}: { + services.ipp-usb.enable = true; # enable usb support + + hardware.sane = { + enable = true; # enables support for SANE scanners + + backends-package = pkgs.sane-backends.overrideAttrs (old: { + configureFlags = + (old.configureFlags or []) + ++ [ + # "--localstatedir=/var" # `sane-backends` puts e.g. lock files in here, must not be in /nix/store + # "--with-lockdir=/var/lock/sane" # `sane-backends` puts e.g. lock files in here, must not be in /nix/store + + # Ugly workaround for https://github.com/NixOS/nixpkgs/issues/273280#issuecomment-1848873028 + # Really we should make `sane-backends` be able to provide a real lock dir (e.g. `/var/lock/sane`). + "--disable-locking" + ]; + }); + }; + + users.users.ranomier.extraGroups = ["scanner" "lp"]; + + # only for the scan and maybe print clients + environment.systemPackages = with pkgs; [ + simple-scan + ]; +} diff --git a/modules/hardware/scan_and_print.nix b/modules/hardware/scan_and_print.nix deleted file mode 100644 index a83884c..0000000 --- a/modules/hardware/scan_and_print.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -{pkgs, ...}: { - hardware.sane.enable = true; # enables support for SANE scanners - services.ipp-usb.enable = true; # enable usb support - - hardware.sane.backends-package = pkgs.sane-backends.overrideAttrs (old: { - configureFlags = - (old.configureFlags or []) - ++ [ - # "--localstatedir=/var" # `sane-backends` puts e.g. lock files in here, must not be in /nix/store - # "--with-lockdir=/var/lock/sane" # `sane-backends` puts e.g. lock files in here, must not be in /nix/store - - # Ugly workaround for https://github.com/NixOS/nixpkgs/issues/273280#issuecomment-1848873028 - # Really we should make `sane-backends` be able to provide a real lock dir (e.g. `/var/lock/sane`). - "--disable-locking" - ]; - }); - - users.users.ranomier.extraGroups = ["scanner" "lp"]; - - # only for the scan and maybe print clients - environment.systemPackages = with pkgs; [ - simple-scan - ]; - - # Enable CUPS to print documents. - services.printing.enable = true; -} diff --git a/modules/hosting/wordpress-simple/kiezpalme.nix b/modules/hosting/wordpress-simple/kiezpalme.nix new file mode 100644 index 0000000..636cc00 --- /dev/null +++ b/modules/hosting/wordpress-simple/kiezpalme.nix 
@@ -0,0 +1,113 @@ +{ + config, + pkgs, + lib, + ... +}: let + siteName = "shop.kiezpalme.de"; + sitePort = 80; + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp = siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; +in { + users = { + users = { + "${siteUser}" = { + isSystemUser = true; + group = siteGroup; + home = siteDataDir; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + "${siteUserPhp}" = { + isSystemUser = true; + group = siteGroupPhp; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }; + + groups = { + "${siteGroup}" = {}; + "${siteGroupPhp}" = {}; + }; + }; + + services = { + + phpfpm.pools."${sitePhpPool}" = { + user = siteUserPhp; + group = siteGroupPhp; + + settings = { + # Socket ownership so Nginx can connect + "listen.owner" = config.services.nginx.user; + "listen.group" = siteGroupPhp; + "listen.mode" = "0660"; + + # Dynamic process management tuned for small sites + pm = "dynamic"; + "pm.max_children" = "5"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + + # Logging + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + }; + }; + + nginx = { + enable = true; + virtualHosts."${siteName}" = { + default = true; + root = siteDataDir; + + listen = [ + { + addr = "0.0.0.0"; + port = sitePort; + ssl = false; + } + ]; + + # Fallback for pretty permalinks + locations."/" = { + tryFiles = "$uri $uri/ /index.php?$args"; + }; + + extraConfig = '' + index index.php; + ''; + + # Handle PHP scripts + locations."~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; 
+ }; + }; + + # Bootstrap WordPress on activation + environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? + system.activationScripts."setupWordpress-${siteName}".text = '' + mkdir -p ${siteDataDir} + if [ ! -f ${siteDataDir}/wp-config.php ]; then + cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + chown -R ${siteUser}:${siteGroup} ${siteDataDir} + chmod -R 755 ${siteDataDir} + fi + ''; # TODO: tighten permissions (not 755) +} diff --git a/modules/hosting/wordpress-simple/pertineo.nix b/modules/hosting/wordpress-simple/pertineo.nix new file mode 100644 index 0000000..2a83ad5 --- /dev/null +++ b/modules/hosting/wordpress-simple/pertineo.nix 
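Review bot: The `~ \.php$` location hands every matching URI to PHP-FPM without first checking that the file exists, so a request such as `/wp-content/uploads/x.jpg/y.php` reaches the pool with `SCRIPT_FILENAME` pointing at a non-existent path; if the pool's PHP has `cgi.fix_pathinfo` enabled this is the classic route to executing an uploaded image as PHP. Add `try_files $uri =404;` as the first line of that location's `extraConfig`, which also makes the `fastcgi_split_path_info` line harmless. Separately, a shop vhost bound to `0.0.0.0:80` with `ssl = false` serves the WordPress login over plaintext; if TLS is terminated in front of this host, a comment should say so, otherwise `forceSSL = true; enableACME = true;` belongs on the vhost. The `chmod -R 755` TODO is acknowledged, but the world-readable tree is the less serious of the two permission problems here (see the note on the sibling file).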
@@ -0,0 +1,113 @@ +{ + config, + pkgs, + lib, + ... +}: let + siteName = "pertineo.de"; + sitePort = 81; + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp = siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; +in { + users = { + users = { + "${siteUser}" = { + isSystemUser = true; + group = siteGroup; + home = siteDataDir; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + "${siteUserPhp}" = { + isSystemUser = true; + group = siteGroupPhp; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }; + + groups = { + "${siteGroup}" = {}; + "${siteGroupPhp}" = {}; + }; + }; + + services = { + + phpfpm.pools."${sitePhpPool}" = { + user = siteUserPhp; + group = siteGroupPhp; + + settings = { + # Socket ownership so Nginx can connect + "listen.owner" = config.services.nginx.user; + "listen.group" = siteGroupPhp; + "listen.mode" = "0660"; + + # Dynamic process management tuned for small sites + pm = "dynamic"; + "pm.max_children" = "5"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + + # Logging + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + }; + }; + + nginx = { + enable = true; + virtualHosts."${siteName}" = { + default = true; + root = siteDataDir; + + listen = [ + { + addr = "0.0.0.0"; + port = sitePort; + ssl = false; + } + ]; + + # Fallback for pretty permalinks + locations."/" = { + tryFiles = "$uri $uri/ /index.php?$args"; + }; + + extraConfig = '' + index index.php; + ''; + + # Handle PHP scripts + locations."~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; + }; + 
}; + + # Bootstrap WordPress on activation + environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? + system.activationScripts."setupWordpress-${siteName}".text = '' + mkdir -p ${siteDataDir} + if [ ! -f ${siteDataDir}/wp-config.php ]; then + cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + chown -R ${siteUser}:${siteGroup} ${siteDataDir} + chmod -R 755 ${siteDataDir} + fi + ''; # TODO: tighten permissions (not 755) +} diff --git a/modules/hosting/wordpress.nix b/modules/hosting/wordpress.nix new file mode 100644 index 0000000..fb22fb9 --- /dev/null +++ b/modules/hosting/wordpress.nix 
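Review bot: The activation script repeats the copy, `chown -R` and `chmod -R 755` on every rebuild until `wp-config.php` exists, yet nothing in this module can create that file: as far as I can tell `${pkgs.wordpress}/share/wordpress` ships only `wp-config-sample.php`, the docroot is owned by `${siteUser}` with group `nginx` at 755, and PHP-FPM runs as the separate `${siteUserPhp}`/`${siteGroupPhp}` user, which is "other" on that tree and so cannot write `wp-config.php` or `wp-content/uploads`. Any permission fix made by hand is therefore reverted by the next activation. Either provision `wp-config.php` from the module (credentials via a secrets mechanism, not the store) and grant write access only on `wp-content/uploads` to the PHP user, or guard the bootstrap on a marker other than a file that PHP is expected to create. This file is otherwise a byte-for-byte copy of `kiezpalme.nix` differing only in `siteName` and `sitePort`, which the `cWordpress` module added in the same commit is presumably meant to replace.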
@@ -0,0 +1,186 @@ +{ + config, + pkgs, + lib, + ... +}: let + siteOpts = lib.types.submodule ({ + options = { + enable = lib.mkEnableOption "custom WordPress service"; + + siteName = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + + sitePort = lib.mkOption { + type = lib.types.port; + default = 80; + description = ""; # TODO: + }; + + #siteDataDir = lib.mkOption { + # type = lib.types.str; + # default = "/srv/http/${siteName}"; + #}; + #siteUser = lib.mkOption { + # type = lib.types.str; + # default = "user-${siteName}"; + #}; + #siteGroup = lib.mkOption { + # type = lib.types.str; + # default = config.services.nginx.user; + #}; + #siteUserPhp = lib.mkOption { + # type = lib.types.str; + # default = "${siteUser}-php"; + #}; + #siteGroupPhp = lib.mkOption { + # type = lib.types.str; + # default = siteUserPhp; + #}; + #sitePhpPool = lib.mkOption { + # type = lib.types.str; + # default = "wordpress-${siteName}"; + #}; + }; + }); + #sites = builtins.mapAttrs (siteName2: siteConfig: + # let + # siteName = if siteConfig.siteName != null then siteConfig.siteName else siteName2; + # in siteConfig // {siteName = siteName;} + #) cfg; + # + #enabledSites = lib.filterAttrs (name: config: config.enable) cfg; + #magie = banana: builtins.mapAttrs (siteName: site: banana) enabledSites; + + mkMergeTopLevel = names: attrs: + lib.getAttrs names ( + lib.mapAttrs (k: v: lib.mkMerge v) (lib.foldAttrs (n: a: [n] ++ a) [] attrs) + ); + + cfg = config.services.cWordpress; +in { + options = { + services.cWordpress = lib.mkOption { + type = lib.types.attrsOf siteOpts; + + default = {}; + description = ""; # TODO: + }; + }; + + config = mkMergeTopLevel ["users" "services" "environment" "system"] (lib.mapAttrsToList ( + siteName: opts: let + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp = siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; + 
in { + users = { + users = { + "${siteUser}" = { + isSystemUser = true; + group = siteGroup; + home = siteDataDir; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + "${siteUserPhp}" = { + isSystemUser = true; + group = siteGroupPhp; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }; + + groups = { + "${siteGroup}" = {}; + "${siteGroupPhp}" = {}; + }; + }; + + services = { + mysql = { + enable = true; + package = pkgs.mariadb; + }; + + phpfpm.pools."${sitePhpPool}" = { + user = siteUserPhp; + group = siteGroupPhp; + + settings = { + # Socket ownership so Nginx can connect + "listen.owner" = config.services.nginx.user; + "listen.group" = siteGroupPhp; + "listen.mode" = "0660"; + + # Dynamic process management tuned for small sites + pm = "dynamic"; + "pm.max_children" = "5"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + + # Logging + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + }; + }; + + nginx = { + enable = true; + virtualHosts."${siteName}" = { + default = true; + root = siteDataDir; + + listen = [ + { + addr = "0.0.0.0"; + port = opts.sitePort; + ssl = false; + } + ]; + + # Fallback for pretty permalinks + locations."/" = { + tryFiles = "$uri $uri/ /index.php?$args"; + }; + + extraConfig = '' + index index.php; + ''; + + # Handle PHP scripts + locations."~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; + }; + }; + + # Bootstrap WordPress on activation + environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? + system.activationScripts."setupWordpress-${siteName}".text = '' + mkdir -p ${siteDataDir} + if [ ! 
-f ${siteDataDir}/wp-config.php ]; then + cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + chown -R ${siteUser}:${siteGroup} ${siteDataDir} + chmod -R 755 ${siteDataDir} + fi + ''; # TODO: tighten permissions (not 755) + } + ) + cfg); +} diff --git a/modules/hosting/wordpress_from_krebs.nix b/modules/hosting/wordpress_from_krebs.nix new file mode 100644 index 0000000..28c143f --- /dev/null +++ b/modules/hosting/wordpress_from_krebs.nix 
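Review bot: The `enable` option declared in `siteOpts` is never consulted: `lib.mapAttrsToList` iterates over every entry of `cfg`, so a site with `enable = false` still gets users, a PHP pool, a vhost and an activation script. Every generated vhost also sets `default = true` on `addr = "0.0.0.0"`, so two sites that keep the default `sitePort = 80` produce two `default_server` entries on one socket, which nginx rejects; drop `default = true` (name-based matching on `siteName` already routes requests) or make it a per-site option. Wrapping each site's config as `lib.mkIf opts.enable { ... }` inside the list fixes the first point without changing `mkMergeTopLevel`. The PHP location inherits the same missing `try_files $uri =404;` guard as the per-site files.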
@@ -0,0 +1,186 @@ +{ + config, + pkgs, + lib, + ... +}: let + siteOpts = lib.types.submodule ({name, ...}: { + options = { + enable = lib.mkEnableOption "custom WordPress service"; + + siteName = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + + sitePort = lib.mkOption { + type = lib.types.port; + default = 80; + description = ""; # TODO: + }; + + #siteDataDir = lib.mkOption { + # type = lib.types.str; + # default = "/srv/http/${siteName}"; + #}; + #siteUser = lib.mkOption { + # type = lib.types.str; + # default = "user-${siteName}"; + #}; + #siteGroup = lib.mkOption { + # type = lib.types.str; + # default = config.services.nginx.user; + #}; + #siteUserPhp = lib.mkOption { + # type = lib.types.str; + # default = "${siteUser}-php"; + #}; + #siteGroupPhp = lib.mkOption { + # type = lib.types.str; + # default = siteUserPhp; + #}; + #sitePhpPool = lib.mkOption { + # type = lib.types.str; + # default = "wordpress-${siteName}"; + #}; + }; + }); + #sites = builtins.mapAttrs (siteName2: siteConfig: + # let + # siteName = if siteConfig.siteName != null then siteConfig.siteName else siteName2; + # in siteConfig // {siteName = siteName;} + #) cfg; + # + #enabledSites = lib.filterAttrs (name: config: config.enable) cfg; + #magie = banana: builtins.mapAttrs (siteName: site: banana) enabledSites; + + mkMergeTopLevel = names: attrs: + lib.getAttrs names ( + lib.mapAttrs (k: v: lib.mkMerge v) (lib.foldAttrs (n: a: [n] ++ a) [] attrs) + ); + + cfg = config.services.cWordpress; + + opts = siteName: { + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp = siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; + }; +in { + options = { + services.cWordpress = lib.mkOption { + type = lib.types.attrsOf siteOpts; + + default = {}; + description = ""; # TODO: + }; + }; + + config = { + users.users = lib.mapAttrs' (siteName: siteConfig: { + 
"user-${siteName}" = { + isSystemUser = true; + group = config.services.nginx.user; + home = "/srv/http/${siteName}"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + "user-${siteName}-php" = { + isSystemUser = true; + group = "user-${siteName}-php"; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }) cfg; + + users.groups = lib.mapAttrs' (siteName: siteConfig: { + ${config.services.nginx.user} = {}; + "user-${siteName}-php" = {}; + }) cfg; + + services = { + mysql = { + enable = true; + package = pkgs.mariadb; + }; + + phpfpm.pools."${sitePhpPool}" = { + user = siteUserPhp; + group = siteGroupPhp; + + settings = { + # Socket ownership so Nginx can connect + "listen.owner" = config.services.nginx.user; + "listen.group" = siteGroupPhp; + "listen.mode" = "0660"; + + # Dynamic process management tuned for small sites + pm = "dynamic"; + "pm.max_children" = "5"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + + # Logging + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + }; + }; + + nginx = { + enable = true; + virtualHosts."${siteName}" = { + default = true; + root = siteDataDir; + + listen = [ + { + addr = "0.0.0.0"; + port = opts.sitePort; + ssl = false; + } + ]; + + # Fallback for pretty permalinks + locations."/" = { + tryFiles = "$uri $uri/ /index.php?$args"; + }; + + extraConfig = '' + index index.php; + ''; + + # Handle PHP scripts + locations."~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; + }; + }; + + # Bootstrap WordPress on activation + environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? 
+ system.activationScripts."setupWordpress-${siteName}".text = '' + mkdir -p ${siteDataDir} + if [ ! -f ${siteDataDir}/wp-config.php ]; then + cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + chown -R ${siteUser}:${siteGroup} ${siteDataDir} + chmod -R 755 ${siteDataDir} + fi + ''; # TODO: tighten permissions (not 755) + } + ) + cfg); +} + diff --git a/modules/hosting/wordpress_new.nix b/modules/hosting/wordpress_new.nix new file mode 100644 index 0000000..0bb7752 --- /dev/null +++ b/modules/hosting/wordpress_new.nix 
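Review bot: `lib.mapAttrs'` expects its function to return a `lib.nameValuePair`, but both the `users.users` and `users.groups` mappers return a two-key attrset, so this file fails to evaluate if it is ever imported; `lib.concatMapAttrs` (present in recent nixpkgs) accepts exactly the shape written here and merges the per-site attrsets, which also collapses the `${config.services.nginx.user}` group that is otherwise emitted once per site. The `services`, `environment` and `system` blocks then reference `sitePhpPool`, `siteUserPhp`, `siteDataDir`, `siteName` and `opts.sitePort`, none of which are in scope at that level (`opts` is a function of `siteName`), and the closing `) cfg);` has no matching opener. If this is a scratch draft it belongs under `experiments/`, where this commit moved the other non-live files, rather than in `modules/hosting/` where it reads as a deployable module.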
@@ -0,0 +1,138 @@ +{ + config, + pkgs, + lib, + ... +}: let + cfg = config.services.cWordpress; +in { + options = { + services.cWordpress = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule { + options.enable = lib.mkEnableOption "custom WordPress service"; + + options.sitePort = lib.mkOption { + type = lib.types.port; + default = 80; + description = ""; # TODO: + }; + }); + default = {}; + description = ""; # TODO: per-site WordPress configs + }; + }; + + config = lib.foldAttrs' (siteName: cfg: let + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp= siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; + in + lib.mkIf cfg.enable { + users = { + users = { + "${siteUser}" = { + isSystemUser = true; + group = siteGroup; + home = siteDataDir; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + ### 3) Service account for PHP-FPM pool + "${siteUserPhp}" = { + isSystemUser = true; + group = siteGroupPhp; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }; + + groups = { + "${siteGroup}" = {}; + "${siteGroupPhp}" = {}; + }; + }; + + services = { + mysql = { + enable = true; + package = pkgs.mariadb; + }; + + phpfpm.pools."${sitePhpPool}" = { + user = siteUserPhp; + group = siteGroupPhp; + + settings = { + # Socket ownership so Nginx can connect + "listen.owner" = config.services.nginx.user; + "listen.group" = siteGroupPhp; + "listen.mode" = "0660"; + + # Dynamic process management tuned for small sites + pm = "dynamic"; + "pm.max_children" = "5"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + + # Logging + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + }; + }; + + nginx = { + enable = true; + virtualHosts."${siteName}" = { + default = true; + root = siteDataDir; + + listen = [ + { + addr = "0.0.0.0"; + port = 
cfg.sitePort; + ssl = false; + } + ]; + + # Fallback for pretty permalinks + locations."/" = { + tryFiles = "$uri $uri/ /index.php?$args"; + }; + + extraConfig = '' + index index.php; + ''; + + # Handle PHP scripts + locations."~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; + }; + }; + + # Bootstrap WordPress on activation + environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? + system.activationScripts."setupWordpress-${siteName}".text = '' + mkdir -p ${siteDataDir} + if [ ! -f ${siteDataDir}/wp-config.php ]; then + cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + chown -R ${siteUser}:${siteGroup} ${siteDataDir} + chmod -R 755 ${siteDataDir} + fi + ''; + }}) {} cfg; +} + diff --git a/modules/hosting/wordpress_refactor.nix b/modules/hosting/wordpress_refactor.nix new file mode 100644 index 0000000..953f5f9 --- /dev/null +++ b/modules/hosting/wordpress_refactor.nix 
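Review bot: `lib.foldAttrs'` is not a function I can find in nixpkgs `lib` (there are `foldAttrs` and `foldlAttrs`), and the two-argument lambda does not match `foldlAttrs`'s `acc: name: value:` shape either, so the `config =` expression cannot evaluate as written. The lambda also shadows the outer `cfg` (`config.services.cWordpress`) with the per-site value, and returning `lib.mkIf cfg.enable { ... }` from a fold yields bare `mkIf` values rather than a merged config; `config = lib.mkMerge (lib.mapAttrsToList (siteName: site: lib.mkIf site.enable { ... }) cfg);` with the body otherwise unchanged is the conventional shape. As in the sibling drafts, the generated vhost sets `default = true` for every site and the PHP location lacks `try_files $uri =404;`.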
@@ -0,0 +1,145 @@ +{ + config, + pkgs, + lib, + ... +}: let + siteOpts = lib.types.submodule ({...}: { + options = { + enable = lib.mkEnableOption "custom WordPress service"; + + siteName = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + + sitePort = lib.mkOption { + type = lib.types.port; + default = 80; + description = ""; # TODO: + }; + }; + }); + + cfg = config.services.cWordpress; + + opts = siteName: rec { + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp = siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; + }; +in { + options = { + services.cWordpress = lib.mkOption { + type = lib.types.attrsOf siteOpts; + + default = {}; + description = ""; # TODO: + }; + }; + + config = { + users.users = lib.mapAttrs' (siteName: siteConfig: { + "user-${siteName}" = { + isSystemUser = true; + group = config.services.nginx.user; + home = "/srv/http/${siteName}"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + "user-${siteName}-php" = { + isSystemUser = true; + group = "user-${siteName}-php"; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }) cfg; + + users.groups = lib.mapAttrs' (siteName: siteConfig: { + ${config.services.nginx.user} = {}; + "user-${siteName}-php" = {}; + }) cfg; + + # services = { + # mysql = { + # enable = true; + # package = pkgs.mariadb; + # }; + # + # phpfpm.pools."${sitePhpPool}" = { + # user = siteUserPhp; + # group = siteGroupPhp; + # + # settings = { + # # Socket ownership so Nginx can connect + # "listen.owner" = config.services.nginx.user; + # "listen.group" = siteGroupPhp; + # "listen.mode" = "0660"; + # + # # Dynamic process management tuned for small sites + # pm = "dynamic"; + # "pm.max_children" = "5"; + # "pm.start_servers" = "2"; + # "pm.min_spare_servers" = "1"; + # "pm.max_spare_servers" = "3"; + # + # # Logging + # 
"catch_workers_output" = true; + # "php_admin_flag[log_errors]" = true; + # }; + # }; + # + # nginx = { + # enable = true; + # virtualHosts."${siteName}" = { + # default = true; + # root = siteDataDir; + # + # listen = [ + # { + # addr = "0.0.0.0"; + # port = opts.sitePort; + # ssl = false; + # } + # ]; + # + # # Fallback for pretty permalinks + # locations."/" = { + # tryFiles = "$uri $uri/ /index.php?$args"; + # }; + # + # extraConfig = '' + # index index.php; + # ''; + # + # # Handle PHP scripts + # locations."~ \\.php$" = { + # extraConfig = '' + # fastcgi_split_path_info ^(.+\\.php)(/.+)$; + # fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + # include ${pkgs.nginx}/conf/fastcgi_params; + # ''; + # }; + # }; + # }; + # }; + # + # # Bootstrap WordPress on activation + # environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? + # system.activationScripts."setupWordpress-${siteName}".text = '' + # mkdir -p ${siteDataDir} + # if [ ! -f ${siteDataDir}/wp-config.php ]; then + # cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + # chown -R ${siteUser}:${siteGroup} ${siteDataDir} + # chmod -R 755 ${siteDataDir} + # fi + # ''; # TODO: tighten permissions (not 755) + }; +} diff --git a/modules/locale.nix b/modules/locale.nix index f4903ee..fbc9d55 100644 --- a/modules/locale.nix +++ b/modules/locale.nix 
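Review bot: Same `lib.mapAttrs'` misuse as in `wordpress_from_krebs.nix`: the function must return `lib.nameValuePair name value`, not an attrset with two keys, so the `users.users` and `users.groups` definitions here will not evaluate; swapping both calls to `lib.concatMapAttrs` keeps the bodies as they are. The `opts` helper is defined with `rec` but never called, and with the whole `services`/activation half commented out this module would create two system accounts per site with nothing behind them. Until the refactor lands, the file should either be excluded from the module tree or moved to `experiments/` so it cannot be imported by mistake.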
@@ -1,26 +1,31 @@ { + # Configure console keymap + console.keyMap = "de"; + # Set your time zone. time.timeZone = "Europe/Berlin"; - # Select internationalisation properties. - i18n.defaultLocale = "en_GB.UTF-8"; + i18n = { + # Select internationalisation properties. + defaultLocale = "en_GB.UTF-8"; - #i18n.supportedLocales = [ - # "en_GB.UTF-8" - # "en_US.UTF-8" - # "de_DE.UTF-8" - #]; + #supportedLocales = [ + # "en_GB.UTF-8" + # "en_US.UTF-8" + # "de_DE.UTF-8" + #]; - i18n.extraLocaleSettings = { - LC_ADDRESS = "de_DE.UTF-8"; - LC_IDENTIFICATION = "de_DE.UTF-8"; - LC_MEASUREMENT = "de_DE.UTF-8"; - LC_MONETARY = "de_DE.UTF-8"; - LC_NAME = "de_DE.UTF-8"; - LC_NUMERIC = "de_DE.UTF-8"; - LC_PAPER = "de_DE.UTF-8"; - LC_TELEPHONE = "de_DE.UTF-8"; - LC_TIME = "de_DE.UTF-8"; + extraLocaleSettings = { + LC_ADDRESS = "de_DE.UTF-8"; + LC_IDENTIFICATION = "de_DE.UTF-8"; + LC_MEASUREMENT = "de_DE.UTF-8"; + LC_MONETARY = "de_DE.UTF-8"; + LC_NAME = "de_DE.UTF-8"; + LC_NUMERIC = "de_DE.UTF-8"; + LC_PAPER = "de_DE.UTF-8"; + LC_TELEPHONE = "de_DE.UTF-8"; + LC_TIME = "de_DE.UTF-8"; + }; }; # Configure keymap in X11 @@ -28,7 +33,4 @@ layout = "de"; variant = ""; }; - - # Configure console keymap - console.keyMap = "de"; } diff --git a/modules/pkg_mgrmnt/default.nix b/modules/pkg_mgrmnt/default.nix index 49732db..6567a47 100644 --- a/modules/pkg_mgrmnt/default.nix +++ b/modules/pkg_mgrmnt/default.nix @@ -1,8 +1,8 @@ { imports = [ ./flatpak.nix + ./garbage-collect.nix ./podman.nix ./store_pkg_file.nix - ./garbage-collect.nix ]; } diff --git a/modules/pkg_mgrmnt/flatpak.nix b/modules/pkg_mgrmnt/flatpak.nix index 023ed07..4fdf226 100644 --- a/modules/pkg_mgrmnt/flatpak.nix +++ b/modules/pkg_mgrmnt/flatpak.nix @@ -1,4 +1,5 @@ -{ +{inArgs, ...}: { + imports = [ inArgs.nix-flatpak.nixosModules.nix-flatpak ]; services.flatpak = { enable = true; update.auto = { diff --git a/modules/pkg_mgrmnt/podman.nix b/modules/pkg_mgrmnt/podman.nix index 96379cf..1299590 100644 
--- a/modules/pkg_mgrmnt/podman.nix +++ b/modules/pkg_mgrmnt/podman.nix @@ -19,8 +19,8 @@ # Useful other development tools environment.systemPackages = with pkgs; [ dive # look into docker image layers - podman-tui # status of containers in the terminal #docker-compose # start group of containers for dev podman-compose # start group of containers for dev + podman-tui # status of containers in the terminal ]; } diff --git a/modules/pkg_mgrmnt/store_pkg_file.nix b/modules/pkg_mgrmnt/store_pkg_file.nix index 4f4e02b..da04794 100644 --- a/modules/pkg_mgrmnt/store_pkg_file.nix +++ b/modules/pkg_mgrmnt/store_pkg_file.nix @@ -10,5 +10,5 @@ formatted = builtins.concatStringsSep "\n" sortedUnique; in formatted; - # TODO: in the far future: add a little alias that greps throgh that file + # TODO: in the far future: add a little alias that greps through that file } diff --git a/modules/pkg_mgrmnt/unattended-updates.nix b/modules/pkg_mgrmnt/unattended-updates.nix new file mode 100644 index 0000000..0fe8f1c --- /dev/null +++ b/modules/pkg_mgrmnt/unattended-updates.nix @@ -0,0 +1,13 @@ +{inArgs, ...}: { + system.autoUpgrade = { + enable = true; + flake = inArgs.self.outPath; + flags = [ + "--update-input" + "nixpkgs" + "--print-build-logs" + ]; + dates = "07:00"; + randomizedDelaySec = "45min"; + }; +} diff --git a/modules/sec_auth/apparmor.nix b/modules/sec_auth/apparmor.nix index dad5775..25c70cd 100644 --- a/modules/sec_auth/apparmor.nix +++ b/modules/sec_auth/apparmor.nix @@ -4,9 +4,9 @@ # XDG-USER-DIR package and config environment.systemPackages = with pkgs; [ apparmor-pam - apparmor-utils apparmor-parser apparmor-profiles + apparmor-utils roddhjav-apparmor-rules ]; } diff --git a/modules/sec_auth/default.nix b/modules/sec_auth/default.nix index 2bfd404..27bdd07 100644 --- a/modules/sec_auth/default.nix +++ b/modules/sec_auth/default.nix @@ -3,6 +3,8 @@ ./apparmor.nix ./firejail.nix ./login-manager.nix - ./ssh.nix + ./ssh-client.nix + #./ssh-server.nix + ./sudo-rs.nix ]; } 
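Review bot: `flake = inArgs.self.outPath` freezes the upgrade source at the store path of the configuration that was active when the option was evaluated, so the 07:00 run never sees new commits of this repository and only moves `nixpkgs` via `--update-input nixpkgs`. Because that path is read-only, the refreshed lock cannot be written back (Nix, as far as I know, warns and continues), so each run builds against whatever nixpkgs HEAD is that morning and the live system silently diverges from the committed `flake.lock` with no record of what was deployed. Either point `flake` at the repository itself (a git URL or the checkout path) and bump the lock there, or drop `--update-input` so the committed lock drives upgrades; a comment stating which is intended would help either way.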
diff --git a/modules/sec_auth/firejail.nix b/modules/sec_auth/firejail.nix index 11f7836..07224c5 100644 --- a/modules/sec_auth/firejail.nix +++ b/modules/sec_auth/firejail.nix @@ -44,6 +44,21 @@ ]; }; + librewolf = { + executable = "${pkgs.librewolf}/bin/librewolf"; + profile = "${pkgs.firejail}/etc/firejail/librewolf.profile"; + extraArgs = [ + # Required for U2F USB stick + "--ignore=private-dev" + # Enforce dark mode + "--env=GTK_THEME=Adwaita:dark" + # Enable system notifications + "--dbus-user.talk=org.freedesktop.Notifications" + # For screen sharing + "--dbus-user.talk=org.freedesktop.portal.*" + ]; + }; + nyxt = { executable = "${pkgs.nyxt}/bin/nyxt"; profile = "${pkgs.firejail}/etc/firejail/chromium-browser.profile"; diff --git a/modules/sec_auth/ssh.nix b/modules/sec_auth/ssh-client.nix similarity index 100% rename from modules/sec_auth/ssh.nix rename to modules/sec_auth/ssh-client.nix diff --git a/modules/sec_auth/ssh-server.nix b/modules/sec_auth/ssh-server.nix new file mode 100644 index 0000000..8deb4f9 --- /dev/null +++ b/modules/sec_auth/ssh-server.nix @@ -0,0 +1,13 @@ +{lib, ...}: { + services.openssh = { + enable = true; + + ports = lib.mkDefault [10522]; + + settings = { + PasswordAuthentication = false; + PermitRootLogin = "yes"; + X11Forwarding = false; + }; + }; +} diff --git a/modules/sec_auth/sudo-rs.nix b/modules/sec_auth/sudo-rs.nix new file mode 100644 index 0000000..bb57d00 --- /dev/null +++ b/modules/sec_auth/sudo-rs.nix @@ -0,0 +1,3 @@ +{ + security.sudo-rs.enable = true; +} diff --git a/modules/serial-console.nix b/modules/serial-console.nix new file mode 100644 index 0000000..521887f --- /dev/null +++ b/modules/serial-console.nix @@ -0,0 +1,8 @@ +{ + boot.kernelParams = [ "console=ttyS0,115200n8" ]; + boot.loader.grub.extraConfig = " + serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1 + terminal_input serial + terminal_output serial + "; +} 
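Review bot: `PermitRootLogin = "yes"` keeps direct root logins enabled for any key in root's `authorized_keys`; since `PasswordAuthentication = false` is already set, the equivalent hardened value is `PermitRootLogin = "prohibit-password";` (or `"no"`, given that this commit enables sudo-rs for admin work). The module is imported commented-out in `sec_auth/default.nix`, so nothing changes today, but the file should carry the safe default before it is switched on. `KbdInteractiveAuthentication = false;` is worth adding next to it, because the PAM keyboard-interactive path can still accept a password when only `PasswordAuthentication` is off.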
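Review bot: Routing GRUB's input and output to the serial port gives anyone who can reach that port an unauthenticated boot menu where kernel parameters can be edited (e.g. `init=/bin/sh`), which bypasses every login control configured elsewhere in this commit. If the port is exposed at all (provider consoles, shared hardware), set `boot.loader.grub.users` with a hashed password so editing entries requires authentication, or at least leave a comment stating that the port is physically local only. The `console=ttyS0` parameter will, as far as I can tell, also spawn a `serial-getty@ttyS0` login prompt there, which is at least PAM-protected.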
diff --git a/modules/software/audio_video/audio_video.nix b/modules/software/audio_video/audio_video.nix index e878b5a..810aa06 100644 --- a/modules/software/audio_video/audio_video.nix +++ b/modules/software/audio_video/audio_video.nix @@ -1,21 +1,24 @@ {pkgs, ...}: { # Enable sound with pipewire - hardware.pulseaudio.enable = false; security.rtkit.enable = true; - services.pipewire = { - enable = true; - - # If you want to use JACK applications, uncomment this - jack.enable = true; - pulse.enable = true; - - alsa = { + services = { + pulseaudio.enable = false; + pipewire = { enable = true; - support32Bit = true; + + # If you want to use JACK applications, uncomment this + jack.enable = true; + pulse.enable = true; + + alsa = { + enable = true; + support32Bit = true; + }; }; }; + # only for more system kinda packages not editing and such environment.systemPackages = with pkgs; [ helvum pwvucontrol diff --git a/modules/software/browser/default.nix b/modules/software/browser/default.nix index 9903eb0..ab10d64 100644 --- a/modules/software/browser/default.nix +++ b/modules/software/browser/default.nix @@ -1,7 +1,22 @@ -{ +{pkgs, ...}: let + package = pkgs.librewolf; +in { imports = [ ./brave.nix - ./firefox.nix + #./firefox.nix + ./librewolf.nix ./nyxt.nix ]; + + environment.sessionVariables.DEFAULT_BROWSER = + "${package}/bin/" + + builtins.replaceStrings [".desktop"] [""] package.desktopItem.name; + + xdg.mime.defaultApplications = let + browser_desktop_file = package.desktopItem.name; + in { + "text/html" = browser_desktop_file; + "x-scheme-handler/http" = browser_desktop_file; + "x-scheme-handler/https" = browser_desktop_file; + }; } diff --git a/modules/software/browser/firefox.nix b/modules/software/browser/firefox.nix index 3f4b90a..a27d896 100644 --- a/modules/software/browser/firefox.nix +++ b/modules/software/browser/firefox.nix 
@@ -1,13 +1,10 @@ -{pkgs, ...}: { +{pkgs, ...}: let + package = pkgs.firefox; +in { # The logical browser of choice - programs.firefox.enable = true; + programs.firefox = { + enable = true; - xdg.mime.defaultApplications = let - browser_desktop_file = "firefox.desktop"; - in { - "text/html" = browser_desktop_file; - "x-scheme-handler/http" = browser_desktop_file; - "x-scheme-handler/https" = browser_desktop_file; + package = package; }; - environment.sessionVariables.DEFAULT_BROWSER = "${pkgs.firefox}/bin/firefox"; } diff --git a/modules/software/browser/librewolf.nix b/modules/software/browser/librewolf.nix new file mode 100644 index 0000000..7e10a70 --- /dev/null +++ b/modules/software/browser/librewolf.nix @@ -0,0 +1,10 @@ +{pkgs, ...}: let + package = pkgs.librewolf; +in { + # The logical browser of choice + programs.firefox = { + enable = true; + + package = package; + }; +} diff --git a/modules/software/default.nix b/modules/software/default.nix index 2ffa239..f7f8664 100644 --- a/modules/software/default.nix +++ b/modules/software/default.nix @@ -8,7 +8,7 @@ #./mpv.nix ./neovim.nix ./obs-studio.nix - ./packages.nix + ./packages ./programs.nix ./virt.nix ]; diff --git a/modules/software/fonts.nix b/modules/software/fonts.nix index 1d1c26e..0530e20 100644 --- a/modules/software/fonts.nix +++ b/modules/software/fonts.nix @@ -12,12 +12,9 @@ fira-code fira-code-symbols #droid-sans-mono - (nerdfonts.override { - fonts = [ - "FiraCode" - "DroidSansMono" - "JetBrainsMono" - ]; - }) + + nerd-fonts.fira-code + nerd-fonts.droid-sans-mono + nerd-fonts.jetbrains-mono ]; } diff --git a/modules/software/neovim.nix b/modules/software/neovim.nix index 8e9546e..6329185 100644 --- a/modules/software/neovim.nix +++ b/modules/software/neovim.nix 
@@ -1,4 +1,18 @@
-{
+{pkgs, ...}: let
+ makeDiff = name:
+ pkgs.writeShellScriptBin name ''
+ #!/usr/bin/env bash
+ if [ $# -lt 2 ]; then
+ echo "Usage: ${name} [more args…]" >&2
+ exit 1
+ fi
+ exec nvim -d "$@"
+ '';
+in {
+ environment.systemPackages = [
+ (makeDiff "vimdiff")
+ (makeDiff "nvimdiff")
+ ];
 programs.neovim = {
 enable = true;
 viAlias = true;
diff --git a/modules/software/obs-studio.nix b/modules/software/obs-studio.nix
index a93ee14..1d6bef4 100644
--- a/modules/software/obs-studio.nix
+++ b/modules/software/obs-studio.nix
@@ -3,6 +3,9 @@
 config,
 ...
 }: {
+ # The virtual camera requires the v4l2loopback kernel module to be installed, a loopback device configured, and polkit enabled so OBS can access the virtual device.
+ security.polkit.enable = true;
+
 environment.systemPackages = [
 (pkgs.wrapOBS {
 plugins = with pkgs.obs-studio-plugins; [
@@ -12,12 +15,16 @@
 ];
 })
 ];
- boot.extraModulePackages = with config.boot.kernelPackages; [
- v4l2loopback
- ];
- boot.kernelModules = ["v4l2loopback"];
- boot.extraModprobeConfig = ''
- options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1
- '';
- security.polkit.enable = true;
+
+ boot = {
+ kernelModules = ["v4l2loopback"];
+
+ extraModulePackages = with config.boot.kernelPackages; [
+ v4l2loopback
+ ];
+
+ extraModprobeConfig = ''
+ options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1
+ '';
+ };
 }
diff --git a/modules/software/packages/core.nix b/modules/software/packages/core.nix
new file mode 100644
index 0000000..6e620a0
--- /dev/null
+++ b/modules/software/packages/core.nix
@@ -0,0 +1,13 @@
+{pkgs, ...}: {
+ environment.systemPackages = with pkgs; [
+ file
+ git
+ htop
+ ncdu
+ p7zip
+ ripgrep
+ tmux
+ unzip
+ wget
+ ];
+}
diff --git a/modules/software/packages/default.nix b/modules/software/packages/default.nix
new file mode 100644
index 0000000..1941358
--- /dev/null
+++ b/modules/software/packages/default.nix
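Review bot: The `#!/usr/bin/env bash` line inside the `makeDiff` script body is dead: `pkgs.writeShellScriptBin` already prepends its own store-path shebang, so this line lands on line 2 as a comment and misleads a reader into thinking the wrapper depends on an impure `/usr/bin/env`; drop it. The usage message also never names the two mandatory positional arguments that the `$# -lt 2` check enforces (the placeholders may simply have been lost in rendering, which I cannot tell from here); `echo "Usage: ${name} FILE1 FILE2 [more args…]" >&2` makes the check self-explanatory. A one-line comment above `makeDiff` saying it builds a `vimdiff`-style entry point around `nvim -d` would spare the next reader from decoding the `exec` line.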
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./core.nix
+ ./extended.nix
+ ];
+}
diff --git a/modules/software/packages.nix b/modules/software/packages/extended.nix
similarity index 90%
rename from modules/software/packages.nix
rename to modules/software/packages/extended.nix
index 8e7ea71..028ac4d 100644
--- a/modules/software/packages.nix
+++ b/modules/software/packages/extended.nix
@@ -16,7 +16,6 @@
 unstable.neovim
- git
 gitui
 lazygit
@@ -31,21 +30,13 @@
 rustc
 # tooling
- htop
 btop
- ncdu
- wget
 unstable.yt-dlp
 miniserve
- file
- unzip
- tmux
 fzf
- ripgrep
 qemu
 home-manager
 dfc
- p7zip
 sops
 # move to homemanager?
@@ -64,5 +55,6 @@
 rustdesk-flutter
 timer
 unstable.prusa-slicer
+ tenacity
 ];
 }
diff --git a/modules/software/virt.nix b/modules/software/virt.nix
index 29a6c8e..9f512f0 100644
--- a/modules/software/virt.nix
+++ b/modules/software/virt.nix
@@ -1,8 +1,4 @@
 {pkgs, ...}: {
- # for running android apps
- virtualisation.waydroid.enable =
- true; # also starts the systemd service waydroid-container
-
 # virt manager, for running VM's
 virtualisation.libvirtd.enable = true;
 programs.virt-manager.enable = true;
diff --git a/modules/theming.nix b/modules/theming.nix
new file mode 100644
index 0000000..8e39278
--- /dev/null
+++ b/modules/theming.nix
@@ -0,0 +1,10 @@
+{pkgs, inArgs, ...}: {
+ imports = [
+ inArgs.stylix.nixosModules.stylix
+ ];
+ stylix = {
+ enable = true;
+ base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-dark.yaml";
+ polarity = "dark";
+ };
+}
diff --git a/modules/users/default.nix b/modules/users/default.nix
index dc0b97d..46e834e 100644
--- a/modules/users/default.nix
+++ b/modules/users/default.nix
@@ -1,5 +1,5 @@
 {
 imports = [
- ./ranomier.nix
+ ./ranomier
 ];
 }
diff --git a/modules/users/ranomier/default.nix b/modules/users/ranomier/default.nix
new file mode 100644
index 0000000..125fcee
--- /dev/null
+++ b/modules/users/ranomier/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./home-manager.nix
+ ./ranomier.nix
+ ];
+}
diff --git a/modules/users/ranomier/home-manager.nix b/modules/users/ranomier/home-manager.nix
new file mode 100644
index 0000000..f097950
--- /dev/null
+++ b/modules/users/ranomier/home-manager.nix
@@ -0,0 +1,16 @@
+{inArgs, pkgs, ...}: {
+ imports = [
+ inArgs.home-manager.nixosModules.home-manager
+ ];
+ home-manager.useUserPackages = true;
+ home-manager.useGlobalPkgs = true;
+ home-manager.users."ranomier" = {
+
+ stylix.iconTheme = {
+ enable = true;
+ package = pkgs.gruvbox-plus-icons;
+ dark = "Gruvbox-Plus-Dark";
+ };
+ home.stateVersion = "25.05";
+ };
+}
diff --git a/modules/users/ranomier.nix b/modules/users/ranomier/ranomier.nix
similarity index 90%
rename from modules/users/ranomier.nix
rename to modules/users/ranomier/ranomier.nix
index 9bd1e06..d93bc36 100644
--- a/modules/users/ranomier.nix
+++ b/modules/users/ranomier/ranomier.nix
@@ -6,6 +6,5 @@
 extraGroups = ["networkmanager" "wheel" "podman"];
 shell = pkgs.zsh;
 useDefaultShell = true;
- #packages = with pkgs; [];
 };
 }
diff --git a/modules/wm_and_de/hyprland.nix b/modules/wm_and_de/hyprland.nix
index 112817c..8482832 100644
--- a/modules/wm_and_de/hyprland.nix
+++ b/modules/wm_and_de/hyprland.nix
@@ -41,11 +41,11 @@
 # for mounting stuff, also needs a auth agent like lxqt.lxqt-policykit
 services.gvfs.enable = true;
- qt = {
- enable = true;
- platformTheme = "qt5ct";
- style = "kvantum";
- };
+ #qt = {
+ # enable = true;
+ # platformTheme = "qt5ct";
+ # style = "kvantum";
+ #};
 environment.pathsToLink = ["/share/foot"];
diff --git a/outputs.nix b/outputs.nix
index aab3468..67d0073 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -1,6 +1,5 @@
 inArgs: let
- lib = inArgs.nixpkgs.lib;
- hostHelper = import ./hostHelper.nix inArgs;
+ hostHelper = import ./lib/hostHelper.nix inArgs;
 # Supported systems for your flake packages, shell, etc.
 systems = [
@@ -16,11 +15,11 @@ in {
 nixosConfigurations = builtins.mapAttrs (hostName: hostOptions: (hostHelper hostName hostOptions)) {
 crocoite = {stateVersion = "24.05";};
- jitsi = {stateVersion = "24.11";};
- game-luanti = {
- stateVersion = "25.05";
- unstable = true;
- };
+ #jitsi = {stateVersion = "24.11";};
+
+ game-luanti = {stateVersion = "25.05";};
+
+ #ext-julia = {stateVersion = "24.11";};
 };
 # Your custom packages
@@ -28,7 +27,7 @@ in {
 #packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
 # Your custom packages and modifications, exported as overlays
- overlays = import ./overlays {inherit inArgs;};
+ overlays = import ./overlays {inArgs = inArgs;};
 # Reusable nixos modules you might want to export
 # These are usually stuff you would upstream into nixpkgs
diff --git a/readme.md b/readme.md
new file mode 100644
index 0000000..6b38d20
--- /dev/null
+++ b/readme.md
@@ -0,0 +1,23 @@
+# My flake config
+
+Some awesome descriptive text here
+
+## folder structure
+
+### system_profiles
+
+This whole folder is for the most part just a system to clean up importing
+
+- In files in this (`system_profiles`) directory:
+ - should never import anything from parent directories
+ - can import things from the child directories
+- The `importers` directory:
+ - Should only import things outside (above/parent) of the `system_profiles` directories.
+ - Probably only from the module directory or maybe a future nix-modules directory,
+ this rule is not set in stone yet
+ - should **not** import anything outside of this repository
+- The `components` directory:
+ - Should never import anything from this repository
+ - It can import things from nixpkgs
+ - Should set only basic "system" settings
+ ("system" is not well defined)
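Review bot: `overlays = import ./overlays {inArgs = inArgs;};` replaces the idiomatic `{inherit inArgs;}` that the previous line already used with a noisier but equivalent spelling, which reads like an accidental regression rather than a deliberate change; keep `overlays = import ./overlays {inherit inArgs;};`. In the first hunk the `jitsi` and `ext-julia` hosts are parked as commented-out attribute lines with no indication of whether they are retired or merely not built right now; since the definitions are one-liners that git history preserves, either delete them or annotate each with its status, e.g. `#jitsi = {stateVersion = "24.11";}; # decommissioned, kept for reference`, so the next reader knows whether the host still exists and needs to be kept in sync with this flake.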
diff --git a/system_profiles/mini-container.nix b/system_profiles/components/container.nix
similarity index 54%
rename from system_profiles/mini-container.nix
rename to system_profiles/components/container.nix
index ce05d95..529d942 100644
--- a/system_profiles/mini-container.nix
+++ b/system_profiles/components/container.nix
@@ -1,6 +1,6 @@
+# For when to deploy to a container,
+# can be used with minify to make things smaller
 {lib, ...}: {
 boot.isContainer = lib.mkDefault true;
 boot.kernel.enable = lib.mkDefault false;
-
- imports = [./mini.nix];
 }
diff --git a/system_profiles/components/minify.nix b/system_profiles/components/minify.nix
new file mode 100644
index 0000000..429faa5
--- /dev/null
+++ b/system_profiles/components/minify.nix
@@ -0,0 +1,16 @@
+# This makes an installation smaller at the cost of
+# features (and maybe even stability)
+{lib, modulesPath, ...}: {
+ imports = [
+ (modulesPath + "/profiles/minimal.nix")
+ #(modulesPath + "/profiles/perlless.nix")
+ ];
+
+ disabledModules = [
+ (modulesPath + "/profiles/all-hardware.nix")
+ (modulesPath + "/profiles/base.nix")
+ ];
+
+ environment.defaultPackages = lib.mkDefault [];
+ nixpkgs.overlays = lib.mkDefault [(self: super: {})];
+}
diff --git a/system_profiles/defaults.nix b/system_profiles/components/nix-defaults.nix
similarity index 51%
rename from system_profiles/defaults.nix
rename to system_profiles/components/nix-defaults.nix
index 8fb3c00..13be0a2 100644
--- a/system_profiles/defaults.nix
+++ b/system_profiles/components/nix-defaults.nix
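Review bot: `nixpkgs.overlays = lib.mkDefault [(self: super: {})];` in minify.nix is a no-op that can only mislead: an overlay returning `{}` changes nothing, and because it is set with `mkDefault` the whole list is discarded as soon as any other module defines `nixpkgs.overlays` at normal priority, so it neither shrinks the closure nor prevents overlays from pulling extra packages in. Either delete the line or replace it with a comment stating the intent, e.g. `# NOTE: overlays are supplied by ./overlays via outputs.nix; nothing is pinned here` — I cannot tell from the diff whether an overlay-free build was the goal. The header comment should also spell out what `disabledModules` of `profiles/base.nix` and `profiles/all-hardware.nix` takes away (the default tool set and the broad hardware/kernel-module support), since a host author hitting a missing storage driver or utility will otherwise not know to look here.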
@@ -1,23 +1,21 @@
-{
- lib,
- pkgs,
- ...
-}: {
- nix.settings.experimental-features = lib.mkDefault ["nix-command" "flakes"];
-
+# This loads some nix and nixpkgs specific settints
+# i often need
+{lib, pkgs, ...}: {
 # Disable if you don't want unfree packages
 nixpkgs.config.allowUnfree = lib.mkDefault true;
 nix = {
- # https://lix.systems/ Lix is a modern, delicious implementation of the Nix package manager,
+ # https://lix.systems/
+ # Lix is a modern, delicious implementation of the Nix package manager,
 # focused on correctness, usability, and growth –
 # and committed to doing right by its community.
 package = lib.mkDefault pkgs.lix;
 channel.enable = lib.mkDefault false;
- };
- imports = [
- ../modules/locale.nix
- ];
+ settings.experimental-features = lib.mkDefault [
+ "nix-command"
+ "flakes"
+ ];
+ };
 }
diff --git a/system_profiles/desktop.nix b/system_profiles/desktop.nix
new file mode 100644
index 0000000..c2da4f2
--- /dev/null
+++ b/system_profiles/desktop.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./components/nix-defaults.nix
+
+ ./importers/desktop.nix
+ ./importers/general.nix
+ ];
+}
diff --git a/system_profiles/importers/desktop.nix b/system_profiles/importers/desktop.nix
new file mode 100644
index 0000000..6fc76ec
--- /dev/null
+++ b/system_profiles/importers/desktop.nix
@@ -0,0 +1,22 @@
+# This basicly imports the whole modules folder
+{rootPath, ...}: {
+ imports = [
+ (rootPath + /modules)
+
+ (rootPath + /modules/hardware)
+
+ (rootPath + /modules/pkg_mgrmnt)
+
+ (rootPath + /modules/sec_auth)
+
+ (rootPath + /modules/software)
+ (rootPath + /modules/software/browser)
+ (rootPath + /modules/software/nix-helper)
+ (rootPath + /modules/software/office)
+ (rootPath + /modules/software/shells)
+
+ (rootPath + /modules/users)
+
+ (rootPath + /modules/wm_and_de)
+ ];
+}
diff --git a/system_profiles/importers/general.nix b/system_profiles/importers/general.nix
new file mode 100644
index 0000000..d9ccb24
--- /dev/null
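Review bot: The new header comment in nix-defaults.nix has typos (`settints`, lowercase `i`) and is the only documentation of a file that, through `allowUnfree = lib.mkDefault true` and `package = lib.mkDefault pkgs.lix`, quietly sets policy for every profile that imports it. Suggest replacing the two lines with `# Nix/nixpkgs settings I want on every host: unfree packages allowed, Lix as the Nix implementation, flakes enabled. Every value uses mkDefault so a host can override it.` Dropping the `../modules/locale.nix` import here is the right call given the readme's rule that components must not import from the repository; a short note pointing to `importers/general.nix` as the new home would save the next reader a search.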
+++ b/system_profiles/importers/general.nix
@@ -0,0 +1,7 @@
+# This loads some "general" defaults
+{rootPath, ...}: {
+ imports = [
+ (rootPath + /modules/locale.nix)
+ (rootPath + /modules/sec_auth/sudo-rs.nix)
+ ];
+}
diff --git a/system_profiles/importers/server.nix b/system_profiles/importers/server.nix
new file mode 100644
index 0000000..66f1e60
--- /dev/null
+++ b/system_profiles/importers/server.nix
@@ -0,0 +1,7 @@
+{rootPath, ...}: {
+ imports = [
+ (rootPath + /modules/customisation.nix)
+ (rootPath + /modules/software/neovim.nix)
+ (rootPath + /modules/software/packages/core.nix)
+ ];
+}
diff --git a/system_profiles/mini.nix b/system_profiles/mini.nix
deleted file mode 100644
index 1df7357..0000000
--- a/system_profiles/mini.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- lib,
- modulesPath,
- ...
-}: {
- imports = [
- (modulesPath + "/profiles/minimal.nix")
- (modulesPath + "/profiles/perlless.nix")
-
- {
- environment.defaultPackages = lib.mkDefault [];
- nixpkgs.overlays = lib.mkDefault [(self: super: {})];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- }
- ];
-
- disabledModules = [
- (modulesPath + "/profiles/all-hardware.nix")
- (modulesPath + "/profiles/base.nix")
- ];
-}
diff --git a/system_profiles/server.nix b/system_profiles/server.nix
new file mode 100644
index 0000000..8810958
--- /dev/null
+++ b/system_profiles/server.nix
@@ -0,0 +1,9 @@
+{
+ imports = [
+ ./components/minify.nix
+ ./components/nix-defaults.nix
+
+ ./importers/general.nix
+ ./importers/server.nix
+ ];
+}
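Review bot: The server profile reaches `modules/sec_auth` only through the single `sudo-rs.nix` file pulled in by `importers/general.nix`, whereas `importers/desktop.nix` imports the whole `sec_auth` directory; if that directory also carries SSH, firewall or login hardening — its contents are not in this diff, so I cannot confirm — the headless hosts built from this profile are precisely the ones that would go without it. Either add `(rootPath + /modules/sec_auth)` to `importers/server.nix` or state in server.nix which security settings are deliberately left to each host. As far as this diff shows, with `components/minify.nix` disabling `profiles/base.nix` nothing in the profile defines users, SSH access or networking (the deleted mini.nix at least carried an explicit `networking.useDHCP`), so a comment such as `# Hosts must provide users, SSH and networking themselves; this profile only trims the base system.` would prevent the first deployment from booting into an unreachable machine.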