From 55a252b63274543d2d12bbc0be1ae2860a9d055e Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Thu, 8 May 2025 23:44:32 +0200 Subject: [PATCH 01/42] feat: added ssh-server --- modules/sec_auth/default.nix | 3 ++- modules/sec_auth/{ssh.nix => ssh-client.nix} | 0 modules/sec_auth/ssh-server.nix | 13 +++++++++++++ 3 files changed, 15 insertions(+), 1 deletion(-) rename modules/sec_auth/{ssh.nix => ssh-client.nix} (100%) create mode 100644 modules/sec_auth/ssh-server.nix diff --git a/modules/sec_auth/default.nix b/modules/sec_auth/default.nix index 2bfd404..110b2ab 100644 --- a/modules/sec_auth/default.nix +++ b/modules/sec_auth/default.nix @@ -3,6 +3,7 @@ ./apparmor.nix ./firejail.nix ./login-manager.nix - ./ssh.nix + ./ssh-client.nix + #./ssh-server.nix ]; } diff --git a/modules/sec_auth/ssh.nix b/modules/sec_auth/ssh-client.nix similarity index 100% rename from modules/sec_auth/ssh.nix rename to modules/sec_auth/ssh-client.nix diff --git a/modules/sec_auth/ssh-server.nix b/modules/sec_auth/ssh-server.nix new file mode 100644 index 0000000..b3b5c8b --- /dev/null +++ b/modules/sec_auth/ssh-server.nix @@ -0,0 +1,13 @@ +{lib, ...}: { + services.openssh = { + enable = true; + + ports = lib.mkDefault [38742]; + + settings = { + PasswordAuthentication = false; + PermitRootLogin = "yes"; + X11Forwarding = true; + }; + }; +} From ddf81549332db3af30f0bb9cc29f89f122576a72 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Thu, 8 May 2025 23:45:04 +0200 Subject: [PATCH 02/42] feat: added proper hardware-configuration and sshd --- hosts/game-luanti/default.nix | 13 ++++--- hosts/game-luanti/hardware-configuration.nix | 36 +++++++++++++++++++- 2 files changed, 43 insertions(+), 6 deletions(-) diff --git a/hosts/game-luanti/default.nix b/hosts/game-luanti/default.nix index 9072876..6876f9d 100644 --- a/hosts/game-luanti/default.nix +++ b/hosts/game-luanti/default.nix 
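Review bot: `PermitRootLogin = "yes"` in the new ssh-server.nix grants more than the key-only root access the module appears to aim for: with `PasswordAuthentication = false` root is still reachable by key, but `"yes"` also makes root password-reachable the moment password or keyboard-interactive auth is re-enabled anywhere. `PermitRootLogin = "prohibit-password";` (the NixOS default) keeps the key-based root login and nothing else. `PasswordAuthentication = false` on its own does not turn off PAM keyboard-interactive logins, so `KbdInteractiveAuthentication = false;` belongs next to it. The later patches in this series only add per-host root authorized keys, so this module is the single place the root-login policy is decided.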
@@ -1,13 +1,16 @@ { - pkgs, - lib, - modulesPath, - ... -}: { imports = [ ./hardware-configuration.nix ../../system_profiles/defaults.nix ../../system_profiles/mini-container.nix ]; + + users = let + username = "root"; + in { + users."${username}".openssh.authorizedKeys.keyFiles = [ + /etc/nixos/ssh/authorized_keys.d/${username} + ]; + }; } diff --git a/hosts/game-luanti/hardware-configuration.nix b/hosts/game-luanti/hardware-configuration.nix index f8c86aa..165d4c8 100644 --- a/hosts/game-luanti/hardware-configuration.nix +++ b/hosts/game-luanti/hardware-configuration.nix @@ -1,3 +1,37 @@ -{lib, ...}: { +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/d290e12c-d93c-45f6-b737-135b551c1951"; + fsType = "ext4"; + }; + + swapDevices = [ + {device = "/dev/disk/by-uuid/8c56f52e-568a-4e03-b22c-6d1c7de7c118";} + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } From 6922232ec5adfe517b74f8124fb407b0a01ccb9b Mon Sep 17 00:00:00 2001 
From: Ranomier <> Date: Fri, 9 May 2025 19:38:05 +0200 Subject: [PATCH 03/42] feat: add luanti server --- hosts/game-luanti/boot.nix | 11 +++++++++++ hosts/game-luanti/default.nix | 9 +++++++-- modules/game/server/luanti/default.nix | 19 +++++++++++++++++-- modules/sec_auth/ssh-server.nix | 2 +- system_profiles/mini.nix | 2 +- system_profiles/server.nix | 18 ++++++++++++++++++ 6 files changed, 55 insertions(+), 6 deletions(-) create mode 100644 hosts/game-luanti/boot.nix create mode 100644 system_profiles/server.nix diff --git a/hosts/game-luanti/boot.nix b/hosts/game-luanti/boot.nix new file mode 100644 index 0000000..82bde96 --- /dev/null +++ b/hosts/game-luanti/boot.nix @@ -0,0 +1,11 @@ +{ + # Use the GRUB 2 boot loader. + boot.loader.grub = { + enable = true; + # efiSupport = true; + # efiInstallAsRemovable = true; + # Define on which hard drive you want to install Grub. + device = "/dev/vda"; # or "nodev" for efi only + }; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; +} diff --git a/hosts/game-luanti/default.nix b/hosts/game-luanti/default.nix index 6876f9d..e00303b 100644 --- a/hosts/game-luanti/default.nix +++ b/hosts/game-luanti/default.nix @@ -1,16 +1,21 @@ { imports = [ + ./boot.nix ./hardware-configuration.nix ../../system_profiles/defaults.nix - ../../system_profiles/mini-container.nix + ../../system_profiles/mini.nix + ../../system_profiles/server.nix + + ../../modules/game/server/luanti + ../../modules/sec_auth/ssh-server.nix ]; users = let username = "root"; in { users."${username}".openssh.authorizedKeys.keyFiles = [ - /etc/nixos/ssh/authorized_keys.d/${username} + ../../certificates/id_ed25519_game-luanti.pub ]; }; } diff --git a/modules/game/server/luanti/default.nix b/modules/game/server/luanti/default.nix index 06628ea..c8025fe 100644 --- a/modules/game/server/luanti/default.nix +++ b/modules/game/server/luanti/default.nix 
@@ -1,5 +1,20 @@ -{...}: { - services.minetest = { +{pkgs, ...}: let + port = 10523; +in { + services.minetest-server = { enable = true; + + gameId = "asuna"; + port = port; }; + + # open port since luanti does not do it by itself + networking.firewall = { + allowedUDPPorts = [port]; + }; + + # install luanti seperatly so it is available through the command line + environment.systemPackages = with pkgs; [ + luanti + ]; } diff --git a/modules/sec_auth/ssh-server.nix b/modules/sec_auth/ssh-server.nix index b3b5c8b..5d575a8 100644 --- a/modules/sec_auth/ssh-server.nix +++ b/modules/sec_auth/ssh-server.nix @@ -2,7 +2,7 @@ services.openssh = { enable = true; - ports = lib.mkDefault [38742]; + ports = lib.mkDefault [10522]; settings = { PasswordAuthentication = false; diff --git a/system_profiles/mini.nix b/system_profiles/mini.nix index 1df7357..e50e14a 100644 --- a/system_profiles/mini.nix +++ b/system_profiles/mini.nix @@ -5,7 +5,7 @@ }: { imports = [ (modulesPath + "/profiles/minimal.nix") - (modulesPath + "/profiles/perlless.nix") + #(modulesPath + "/profiles/perlless.nix") { environment.defaultPackages = lib.mkDefault []; diff --git a/system_profiles/server.nix b/system_profiles/server.nix new file mode 100644 index 0000000..f39d030 --- /dev/null +++ b/system_profiles/server.nix @@ -0,0 +1,18 @@ +{ + imports = let + packages = {pkgs, ...}: { + environment.systemPackages = with pkgs; [ + tmux + wget + ]; + }; + in [ + ./defaults.nix + ./mini.nix + + ../modules/customisation.nix + ../modules/software/neovim.nix + + packages + ]; +} From 9320bd758ac2fdf09bfb4dad9e8b782b74d82599 Mon Sep 17 00:00:00 2001 
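Review bot: `port = port;` in the new luanti default.nix is the long form of `inherit port;`, and the comment above `environment.systemPackages` misspells "separately"; both carry over unchanged into luanti.nix in PATCH 04, so fixing them here fixes both. In mini.nix `#(modulesPath + "/profiles/perlless.nix")` is disabled with no reason recorded; a short comment naming what broke would keep the next reader from re-enabling it.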
From: Ranomier <> Date: Fri, 9 May 2025 22:08:43 +0200 Subject: [PATCH 04/42] feat: added postgresql --- hosts/game-luanti/default.nix | 2 +- modules/game/server/luanti/default.nix | 22 ++++------------------ modules/game/server/luanti/luanti.nix | 20 ++++++++++++++++++++ modules/game/server/luanti/postgresql.nix | 18 ++++++++++++++++++ 4 files changed, 43 insertions(+), 19 deletions(-) create mode 100644 modules/game/server/luanti/luanti.nix create mode 100644 modules/game/server/luanti/postgresql.nix diff --git a/hosts/game-luanti/default.nix b/hosts/game-luanti/default.nix index e00303b..aede8ff 100644 --- a/hosts/game-luanti/default.nix +++ b/hosts/game-luanti/default.nix @@ -2,12 +2,12 @@ imports = [ ./boot.nix ./hardware-configuration.nix + ../../modules/game/server/luanti ../../system_profiles/defaults.nix ../../system_profiles/mini.nix ../../system_profiles/server.nix - ../../modules/game/server/luanti ../../modules/sec_auth/ssh-server.nix ]; diff --git a/modules/game/server/luanti/default.nix b/modules/game/server/luanti/default.nix index c8025fe..65a595a 100644 --- a/modules/game/server/luanti/default.nix +++ b/modules/game/server/luanti/default.nix @@ -1,20 +1,6 @@ -{pkgs, ...}: let - port = 10523; -in { - services.minetest-server = { - enable = true; - - gameId = "asuna"; - port = port; - }; - - # open port since luanti does not do it by itself - networking.firewall = { - allowedUDPPorts = [port]; - }; - - # install luanti seperatly so it is available through the command line - environment.systemPackages = with pkgs; [ - luanti +{ + imports = [ + ./luanti.nix + ./postgresql.nix ]; } diff --git a/modules/game/server/luanti/luanti.nix b/modules/game/server/luanti/luanti.nix new file mode 100644 index 0000000..c8025fe --- /dev/null +++ b/modules/game/server/luanti/luanti.nix 
@@ -0,0 +1,20 @@ +{pkgs, ...}: let + port = 10523; +in { + services.minetest-server = { + enable = true; + + gameId = "asuna"; + port = port; + }; + + # open port since luanti does not do it by itself + networking.firewall = { + allowedUDPPorts = [port]; + }; + + # install luanti seperatly so it is available through the command line + environment.systemPackages = with pkgs; [ + luanti + ]; +} diff --git a/modules/game/server/luanti/postgresql.nix b/modules/game/server/luanti/postgresql.nix new file mode 100644 index 0000000..1755b1e --- /dev/null +++ b/modules/game/server/luanti/postgresql.nix @@ -0,0 +1,18 @@ +{pkgs, ...}: { + config.services.postgresql = { + enable = true; + + authentication = pkgs.lib.mkOverride 10 '' + #type database DBuser auth-method + local all all trust + ''; + + ensureDatabases = ["luanti_world"]; + ensureUsers = [ + { + name = "luanti_world"; + ensureDBOwnership = true; + } + ]; + }; +} From 6960c79fbda06f75cd448889fb1ccae9e5714f42 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Sat, 10 May 2025 22:09:55 +0200 Subject: [PATCH 05/42] feat: differentiate between core and extended pkgs also use core packages in server system profile --- modules/software/default.nix | 2 +- modules/software/packages/core.nix | 13 +++++++++++++ modules/software/packages/default.nix | 6 ++++++ .../{packages.nix => packages/extended.nix} | 9 --------- system_profiles/server.nix | 11 ++--------- 5 files changed, 22 insertions(+), 19 deletions(-) create mode 100644 modules/software/packages/core.nix create mode 100644 modules/software/packages/default.nix rename modules/software/{packages.nix => packages/extended.nix} (90%) diff --git a/modules/software/default.nix b/modules/software/default.nix index 2ffa239..f7f8664 100644 --- a/modules/software/default.nix +++ b/modules/software/default.nix @@ -8,7 +8,7 @@ #./mpv.nix ./neovim.nix ./obs-studio.nix - ./packages.nix + ./packages ./programs.nix ./virt.nix ]; 
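Review bot: `local all all trust` in the new postgresql.nix lets every local OS account open a socket connection as any role, including the `postgres` superuser, with no credential; it is set with `mkOverride 10`, so it also wins over anything another module sets. `local all all peer` (the NixOS default rule for the socket) ties the role to the connecting Unix user instead; if the Luanti service does not run as an OS user named `luanti_world`, map it with `services.postgresql.identMap` rather than opening the whole server. The module takes `pkgs` only to reach `pkgs.lib`; the conventional `lib` module argument avoids that indirection.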
diff --git a/modules/software/packages/core.nix b/modules/software/packages/core.nix new file mode 100644 index 0000000..6e620a0 --- /dev/null +++ b/modules/software/packages/core.nix @@ -0,0 +1,13 @@ +{pkgs, ...}: { + environment.systemPackages = with pkgs; [ + file + git + htop + ncdu + p7zip + ripgrep + tmux + unzip + wget + ]; +} diff --git a/modules/software/packages/default.nix b/modules/software/packages/default.nix new file mode 100644 index 0000000..1941358 --- /dev/null +++ b/modules/software/packages/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./core.nix + ./extended.nix + ]; +} diff --git a/modules/software/packages.nix b/modules/software/packages/extended.nix similarity index 90% rename from modules/software/packages.nix rename to modules/software/packages/extended.nix index 8e7ea71..7e1b447 100644 --- a/modules/software/packages.nix +++ b/modules/software/packages/extended.nix @@ -16,7 +16,6 @@ unstable.neovim - git gitui lazygit @@ -31,21 +30,13 @@ rustc # tooling - htop btop - ncdu - wget unstable.yt-dlp miniserve - file - unzip - tmux fzf - ripgrep qemu home-manager dfc - p7zip sops # move to homemanager? diff --git a/system_profiles/server.nix b/system_profiles/server.nix index f39d030..b242b27 100644 --- a/system_profiles/server.nix +++ b/system_profiles/server.nix @@ -1,18 +1,11 @@ { - imports = let - packages = {pkgs, ...}: { - environment.systemPackages = with pkgs; [ - tmux - wget - ]; - }; - in [ + imports = [ ./defaults.nix ./mini.nix ../modules/customisation.nix ../modules/software/neovim.nix + ../modules/software/packages/core.nix - packages ]; } From c90c256097386d28a33fc7a872b6a04cd20a3f95 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Sat, 10 May 2025 22:11:38 +0200 Subject: [PATCH 06/42] feat: use correct gameID --- modules/game/server/luanti/luanti.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/game/server/luanti/luanti.nix b/modules/game/server/luanti/luanti.nix index c8025fe..b2f52c0 100644 
--- a/modules/game/server/luanti/luanti.nix +++ b/modules/game/server/luanti/luanti.nix @@ -4,7 +4,7 @@ in { services.minetest-server = { enable = true; - gameId = "asuna"; + gameId = "EinsDreiDreiSieben"; port = port; }; From 005c7590ec7ba8a65572d81284da055efd77f36d Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Sat, 10 May 2025 22:39:05 +0200 Subject: [PATCH 07/42] feat: copy config to system --- system_profiles/defaults.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/system_profiles/defaults.nix b/system_profiles/defaults.nix index 8fb3c00..edc42a2 100644 --- a/system_profiles/defaults.nix +++ b/system_profiles/defaults.nix @@ -3,18 +3,21 @@ pkgs, ... }: { - nix.settings.experimental-features = lib.mkDefault ["nix-command" "flakes"]; + system.copySystemConfiguration = lib.mkDefault true; # Disable if you don't want unfree packages nixpkgs.config.allowUnfree = lib.mkDefault true; nix = { - # https://lix.systems/ Lix is a modern, delicious implementation of the Nix package manager, + # https://lix.systems/ + # Lix is a modern, delicious implementation of the Nix package manager, # focused on correctness, usability, and growth – # and committed to doing right by its community. package = lib.mkDefault pkgs.lix; channel.enable = lib.mkDefault false; + + settings.experimental-features = lib.mkDefault ["nix-command" "flakes"]; }; imports = [ From e827a97ead946ecf0f5aa8aba47b8bd05ad906fa Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Sat, 10 May 2025 22:42:21 +0200 Subject: [PATCH 08/42] fix: remove uneeded imports --- hosts/game-luanti/default.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/hosts/game-luanti/default.nix b/hosts/game-luanti/default.nix index aede8ff..1aafbcc 100644 --- a/hosts/game-luanti/default.nix +++ b/hosts/game-luanti/default.nix 
@@ -2,13 +2,11 @@ imports = [ ./boot.nix ./hardware-configuration.nix + ../../modules/game/server/luanti - - ../../system_profiles/defaults.nix - ../../system_profiles/mini.nix - ../../system_profiles/server.nix - ../../modules/sec_auth/ssh-server.nix + + ../../system_profiles/server.nix ]; users = let From 66072b1d6e35f47ad4f9875c25aa4ac5a0e0522d Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Sun, 11 May 2025 10:33:57 +0200 Subject: [PATCH 09/42] fix: remove system.copySystemConfiguration system.copySystemConfiguration is not compatible with flakes --- certificates/id_ed25519_game-luanti.pub | 1 + system_profiles/defaults.nix | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) create mode 100644 certificates/id_ed25519_game-luanti.pub diff --git a/certificates/id_ed25519_game-luanti.pub b/certificates/id_ed25519_game-luanti.pub new file mode 100644 index 0000000..74077ab --- /dev/null +++ b/certificates/id_ed25519_game-luanti.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPydzO5SD6CwZUyiXYGleCGzGLdOqplPWSrJ8dAhs8J game-luanti diff --git a/system_profiles/defaults.nix b/system_profiles/defaults.nix index edc42a2..892de39 100644 --- a/system_profiles/defaults.nix +++ b/system_profiles/defaults.nix @@ -3,8 +3,6 @@ pkgs, ... }: { - system.copySystemConfiguration = lib.mkDefault true; - # Disable if you don't want unfree packages nixpkgs.config.allowUnfree = lib.mkDefault true; From 3efa686d83e4337f7558416961fe01d0ef618235 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Mon, 12 May 2025 19:51:19 +0200 Subject: [PATCH 10/42] wild hacking --- debug.nix | 16 ++++++++++++++++ hostHelper.nix | 1 + modules/game/server/luanti/default.nix | 1 + modules/game/server/luanti/mods.nix | 11 +++++++++++ 4 files changed, 29 insertions(+) create mode 100644 debug.nix create mode 100644 modules/game/server/luanti/mods.nix diff --git a/debug.nix b/debug.nix new file mode 100644 index 0000000..f17441d --- /dev/null +++ b/debug.nix 
@@ -0,0 +1,16 @@ +{ ... }: +{ + imports = [ + {lib, config, ... }: { + options.tempDebugVar = lib.mkOption { + type = lib.types.str; + default = ""; + description = "tempDebugVar"; + }; + } + ]; + + environment.etc."debugfile".text = '' + ${config.tempDebugVar} + ''; +} diff --git a/hostHelper.nix b/hostHelper.nix index 3602016..13e7f33 100644 --- a/hostHelper.nix +++ b/hostHelper.nix @@ -8,6 +8,7 @@ in specialArgs = {inherit inArgs;}; modules = [ ./hosts/${hostname} + #./debug.nix { networking.hostName = hostname; diff --git a/modules/game/server/luanti/default.nix b/modules/game/server/luanti/default.nix index 65a595a..2ec6fbe 100644 --- a/modules/game/server/luanti/default.nix +++ b/modules/game/server/luanti/default.nix @@ -1,6 +1,7 @@ { imports = [ ./luanti.nix + #./mods.nix ./postgresql.nix ]; } diff --git a/modules/game/server/luanti/mods.nix b/modules/game/server/luanti/mods.nix new file mode 100644 index 0000000..22c4748 --- /dev/null +++ b/modules/game/server/luanti/mods.nix @@ -0,0 +1,11 @@ +{ pkgs, config, ... }: let + GitMod = curl: pkgs.fetchgit rec { + url = curl; + fetchSubmodules = true; + deepClone = false; + leaveDotGit = false; + }; + this-variable-should-exist = GitMod "https://gitlab.com/rubenwardy/accountmgr"; +in { + config.tempDebugVar = break this-variable-should-exist; +} From e831b0f402a25146e7d5e754039b5ac23bc453c8 Mon Sep 17 00:00:00 2001 
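Review bot: `GitMod` in the new mods.nix calls `pkgs.fetchgit` with only `url`, no `rev` and no `hash`, so nothing pins which commit of the mod gets built in and nothing verifies what was fetched; as far as I can tell the build fails on the placeholder hash until one is added, and adding a hash without a `rev` leaves the source floating on upstream HEAD. Pin both, e.g. `rev = "<commit id>"; hash = "<sha256 from nix-prefetch-git>";` (placeholders), and drop the unused `rec`. `break` on the last line is not a Nix builtin (`builtins.break` is), and in debug.nix the outer `{ ... }:` never binds `config`, so `${config.tempDebugVar}` is an undefined variable there; both files are only reachable through the commented-out imports, which is why the hosts still evaluate.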
From: Ranomier <> Date: Tue, 13 May 2025 19:02:56 +0200 Subject: [PATCH 11/42] wip: add julia server with wordpress --- certificates/id_ed25519_ext-julia.pub | 1 + hosts/ext-julia/boot.nix | 11 ++ hosts/ext-julia/default.nix | 20 ++++ hosts/ext-julia/hardware-configuration.nix | 37 +++++++ hosts/ext-julia/wordpress.nix | 116 +++++++++++++++++++++ modules/sec_auth/ssh-server.nix | 2 +- modules/serial-console.nix | 8 ++ outputs.nix | 5 +- 8 files changed, 198 insertions(+), 2 deletions(-) create mode 100644 certificates/id_ed25519_ext-julia.pub create mode 100644 hosts/ext-julia/boot.nix create mode 100644 hosts/ext-julia/default.nix create mode 100644 hosts/ext-julia/hardware-configuration.nix create mode 100644 hosts/ext-julia/wordpress.nix create mode 100644 modules/serial-console.nix diff --git a/certificates/id_ed25519_ext-julia.pub b/certificates/id_ed25519_ext-julia.pub new file mode 100644 index 0000000..facb9b4 --- /dev/null +++ b/certificates/id_ed25519_ext-julia.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtsLGI/S6473jzw4BlWTRfxVO7mhEhClRF0gzpexG9V game-luanti diff --git a/hosts/ext-julia/boot.nix b/hosts/ext-julia/boot.nix new file mode 100644 index 0000000..82bde96 --- /dev/null +++ b/hosts/ext-julia/boot.nix @@ -0,0 +1,11 @@ +{ + # Use the GRUB 2 boot loader. + boot.loader.grub = { + enable = true; + # efiSupport = true; + # efiInstallAsRemovable = true; + # Define on which hard drive you want to install Grub. + device = "/dev/vda"; # or "nodev" for efi only + }; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; +} diff --git a/hosts/ext-julia/default.nix b/hosts/ext-julia/default.nix new file mode 100644 index 0000000..be1e78f --- /dev/null +++ b/hosts/ext-julia/default.nix 
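Review bot: The new certificates/id_ed25519_ext-julia.pub ends in the comment `game-luanti`, copied from the other key file, so the key inventory now labels two different keys with one host name; the trailing comment is the only human-readable label an authorized_keys entry carries, so it should read `ext-julia`. This key becomes root's login key in hosts/ext-julia/default.nix later in the same patch, which makes the label the main way to tell the two hosts' keys apart during a rotation.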
@@ -0,0 +1,20 @@ +{config, pkgs, ...}:{ + imports = [ + ./boot.nix + ./hardware-configuration.nix + + ((import ./wordpress.nix) {config=config; pkgs=pkgs; siteName="shop.kiezpalme.de"; port=80;}) + ../../modules/sec_auth/ssh-server.nix + + ../../system_profiles/server.nix + ]; + + services.openssh.ports = [11522]; + users = let + username = "root"; + in { + users."${username}".openssh.authorizedKeys.keyFiles = [ + ../../certificates/id_ed25519_ext-julia.pub + ]; + }; +} diff --git a/hosts/ext-julia/hardware-configuration.nix b/hosts/ext-julia/hardware-configuration.nix new file mode 100644 index 0000000..165d4c8 --- /dev/null +++ b/hosts/ext-julia/hardware-configuration.nix @@ -0,0 +1,37 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + boot.initrd.kernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/d290e12c-d93c-45f6-b737-135b551c1951"; + fsType = "ext4"; + }; + + swapDevices = [ + {device = "/dev/disk/by-uuid/8c56f52e-568a-4e03-b22c-6d1c7de7c118";} + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} 
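Review bot: The new hosts/ext-julia/hardware-configuration.nix is the same blob as hosts/game-luanti's (`index 0000000..165d4c8` on both), so ext-julia is declared with game-luanti's root filesystem UUID `d290e12c-…` and swap UUID `8c56f52e-…`; unless both hosts really are clones of one disk image, this file should come from `nixos-generate-config` run on ext-julia. In default.nix the import passes `port=80` while wordpress.nix declares `sitePort`, so the value is swallowed by the `...` pattern and the default of 80 is what takes effect; the names should match or the argument be dropped.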
diff --git a/hosts/ext-julia/wordpress.nix b/hosts/ext-julia/wordpress.nix new file mode 100644 index 0000000..e9c2ec3 --- /dev/null +++ b/hosts/ext-julia/wordpress.nix 
@@ -0,0 +1,116 @@ +{ + config, + pkgs, + siteName ? "example-name", + sitePort ? 80, + ... +}: let + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp = siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; +in { + users = { + users = { + "${siteUser}" = { + isSystemUser = true; + group = siteGroup; + home = siteDataDir; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + ### 3) Service account for PHP-FPM pool + "${siteUserPhp}" = { + isSystemUser = true; + group = siteGroupPhp; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }; + + groups = { + "${siteGroup}" = {}; + "${siteGroupPhp}" = {}; + }; + }; + + services = { + mysql = { + enable = true; + package = pkgs.mariadb; + }; + + phpfpm.pools."${sitePhpPool}" = { + user = siteUserPhp; + group = siteGroupPhp; + + settings = { + # Socket ownership so Nginx can connect + "listen.owner" = config.services.nginx.user; + "listen.group" = siteGroupPhp; + "listen.mode" = "0660"; + + # Dynamic process management tuned for small sites + pm = "dynamic"; + "pm.max_children" = "5"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + + # Logging + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + }; + }; + + nginx = { + enable = true; + virtualHosts."${siteName}" = { + default = true; + root = siteDataDir; + + listen = [ + { + addr = "0.0.0.0"; + port = sitePort; + ssl = false; + } + ]; + + # Fallback for pretty permalinks + locations."/" = { + tryFiles = "$uri $uri/ /index.php?$args"; + }; + extraConfig = '' + index index.php; + ''; + + # 6.2 Handle PHP scripts + locations."~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME 
$document_root$fastcgi_script_name; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; + }; + }; + + # Bootstrap WordPress on activation + environment.systemPackages = [pkgs.unzip]; + system.activationScripts."setupWordpress-${siteName}".text = '' + mkdir -p ${siteDataDir} + if [ ! -f ${siteDataDir}/wp-config.php ]; then + cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + chown -R ${siteUser}:${siteGroup} ${siteDataDir} + chmod -R 755 ${siteDataDir} + fi + ''; +} diff --git a/modules/sec_auth/ssh-server.nix b/modules/sec_auth/ssh-server.nix index 5d575a8..8deb4f9 100644 --- a/modules/sec_auth/ssh-server.nix +++ b/modules/sec_auth/ssh-server.nix @@ -7,7 +7,7 @@ settings = { PasswordAuthentication = false; PermitRootLogin = "yes"; - X11Forwarding = true; + X11Forwarding = false; }; }; } diff --git a/modules/serial-console.nix b/modules/serial-console.nix new file mode 100644 index 0000000..521887f --- /dev/null +++ b/modules/serial-console.nix @@ -0,0 +1,8 @@ +{ + boot.kernelParams = [ "console=ttyS0,115200n8" ]; + boot.loader.grub.extraConfig = " + serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1 + terminal_input serial + terminal_output serial + "; +} diff --git a/outputs.nix b/outputs.nix index aab3468..a5ea2ce 100644 --- a/outputs.nix +++ b/outputs.nix @@ -16,11 +16,14 @@ in { nixosConfigurations = builtins.mapAttrs (hostName: hostOptions: (hostHelper hostName hostOptions)) { crocoite = {stateVersion = "24.05";}; - jitsi = {stateVersion = "24.11";}; + #jitsi = {stateVersion = "24.11";}; + game-luanti = { stateVersion = "25.05"; unstable = true; }; + + ext-julia = {stateVersion = "24.11";}; }; # Your custom packages From 7de3e76509bff04a277f41663c3ddf5ddf557b13 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Wed, 14 May 2025 22:57:53 +0200 Subject: [PATCH 12/42] chore: update lock --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) 
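Review bot: The `~ \\.php$` location in the new wordpress.nix hands every request ending in .php to PHP-FPM without checking that the script exists; add `try_files $uri =404;` at the top of that `extraConfig` so nginx rejects requests for scripts that are not on disk instead of leaving the decision to the FastCGI side. Inside a `''` string Nix does not process `\\`, so `fastcgi_split_path_info ^(.+\\.php)(/.+)$` reaches nginx with a doubled backslash (a pattern matching a literal backslash) — and since no `PATH_INFO` is exported the directive does nothing either way; write `\.php` or remove the line. The vhost listens with `ssl = false` and `default = true` on a name that hosts/ext-julia/default.nix sets to `shop.kiezpalme.de`, so wp-login.php credentials travel in cleartext; `forceSSL = true; enableACME = true;` (with `security.acme.acceptTerms` and a contact e-mail) is the usual NixOS shape. The same location block is copied verbatim into modules/hosting/wordpress.nix in PATCH 13.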
diff --git a/flake.lock b/flake.lock index 63e5de6..714dcc0 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1746171682, - "narHash": "sha256-EyXUNSa+H+YvGVuQJP1nZskXAowxKYp79RNUsNdQTj4=", + "lastModified": 1747020534, + "narHash": "sha256-D/6rkiC6w2p+4SwRiVKrWIeYzun8FBg7NlMKMwQMxO0=", "owner": "nix-community", "repo": "home-manager", - "rev": "50eee705bbdbac942074a8c120e8194185633675", + "rev": "b4bbdc6fde16fc2051fcde232f6e288cd22007ca", "type": "github" }, "original": { @@ -74,11 +74,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1746621361, - "narHash": "sha256-T9vOxEqI1j1RYugV0b9dgy0AreiZ9yBDKZJYyclF0og=", + "lastModified": 1747129300, + "narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "2ea3ad8a1f26a76f8a8e23fc4f7757c46ef30ee5", + "rev": "e81fd167b33121269149c57806599045fd33eeed", "type": "github" }, "original": { @@ -90,11 +90,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1746461020, - "narHash": "sha256-7+pG1I9jvxNlmln4YgnlW4o+w0TZX24k688mibiFDUE=", + "lastModified": 1746904237, + "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3730d8a308f94996a9ba7c7138ede69c1b9ac4ae", + "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956", "type": "github" }, "original": { @@ -106,11 +106,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1746557022, - "narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=", + "lastModified": 1746957726, + "narHash": "sha256-k9ut1LSfHCr0AW82ttEQzXVCqmyWVA5+SHJkS5ID/Jo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860", + "rev": "a39ed32a651fdee6842ec930761e31d1f242cb94", "type": "github" }, "original": { From 129d7ea780c19dd76c07fde55b2e260247fc682a Mon Sep 17 00:00:00 2001 
From: Ranomier <> Date: Wed, 14 May 2025 22:59:09 +0200 Subject: [PATCH 13/42] feat: make it a module! --- hosts/ext-julia/default.nix | 7 +- hosts/ext-julia/wordpress.nix | 116 ----------------------------- modules/hosting/wordpress.nix | 133 ++++++++++++++++++++++++++++++++++ 3 files changed, 138 insertions(+), 118 deletions(-) delete mode 100644 hosts/ext-julia/wordpress.nix create mode 100644 modules/hosting/wordpress.nix diff --git a/hosts/ext-julia/default.nix b/hosts/ext-julia/default.nix index be1e78f..af92053 100644 --- a/hosts/ext-julia/default.nix +++ b/hosts/ext-julia/default.nix @@ -2,13 +2,16 @@ imports = [ ./boot.nix ./hardware-configuration.nix - - ((import ./wordpress.nix) {config=config; pkgs=pkgs; siteName="shop.kiezpalme.de"; port=80;}) + + ../../modules/hosting/wordpress.nix ../../modules/sec_auth/ssh-server.nix ../../system_profiles/server.nix ]; + services.cWordpress = { + enable = true; + }; services.openssh.ports = [11522]; users = let username = "root"; diff --git a/hosts/ext-julia/wordpress.nix b/hosts/ext-julia/wordpress.nix deleted file mode 100644 index e9c2ec3..0000000 --- a/hosts/ext-julia/wordpress.nix +++ /dev/null 
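Review bot: `services.cWordpress = { enable = true; };` no longer carries the site name that the removed import passed (`siteName="shop.kiezpalme.de"`), so the module falls back to its default `"example-name"` for the nginx server_name, the `user-example-name` account and the `/srv/http/example-name` data directory. Unless the rename is intended, add `siteName = "shop.kiezpalme.de";` inside that block. The file's `{config, pkgs, ...}:` header is outside the hunk; with the import gone, neither argument appears to be used any more.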
@@ -1,116 +0,0 @@ -{ - config, - pkgs, - siteName ? "example-name", - sitePort ? 80, - ... -}: let - siteDataDir = "/srv/http/${siteName}"; - siteUser = "user-${siteName}"; - siteGroup = config.services.nginx.user; - siteUserPhp = "${siteUser}-php"; - siteGroupPhp = siteUserPhp; - sitePhpPool = "wordpress-${siteName}"; -in { - users = { - users = { - "${siteUser}" = { - isSystemUser = true; - group = siteGroup; - home = siteDataDir; - createHome = false; - shell = "${pkgs.shadow}/bin/nologin"; - }; - - ### 3) Service account for PHP-FPM pool - "${siteUserPhp}" = { - isSystemUser = true; - group = siteGroupPhp; - home = "/var/empty"; - createHome = false; - shell = "${pkgs.shadow}/bin/nologin"; - }; - }; - - groups = { - "${siteGroup}" = {}; - "${siteGroupPhp}" = {}; - }; - }; - - services = { - mysql = { - enable = true; - package = pkgs.mariadb; - }; - - phpfpm.pools."${sitePhpPool}" = { - user = siteUserPhp; - group = siteGroupPhp; - - settings = { - # Socket ownership so Nginx can connect - "listen.owner" = config.services.nginx.user; - "listen.group" = siteGroupPhp; - "listen.mode" = "0660"; - - # Dynamic process management tuned for small sites - pm = "dynamic"; - "pm.max_children" = "5"; - "pm.start_servers" = "2"; - "pm.min_spare_servers" = "1"; - "pm.max_spare_servers" = "3"; - - # Logging - "catch_workers_output" = true; - "php_admin_flag[log_errors]" = true; - }; - }; - - nginx = { - enable = true; - virtualHosts."${siteName}" = { - default = true; - root = siteDataDir; - - listen = [ - { - addr = "0.0.0.0"; - port = sitePort; - ssl = false; - } - ]; - - # Fallback for pretty permalinks - locations."/" = { - tryFiles = "$uri $uri/ /index.php?$args"; - }; - extraConfig = '' - index index.php; - ''; - - # 6.2 Handle PHP scripts - locations."~ \\.php$" = { - extraConfig = '' - fastcgi_split_path_info ^(.+\\.php)(/.+)$; - fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME 
$document_root$fastcgi_script_name; - include ${pkgs.nginx}/conf/fastcgi_params; - ''; - }; - }; - }; - }; - - # Bootstrap WordPress on activation - environment.systemPackages = [pkgs.unzip]; - system.activationScripts."setupWordpress-${siteName}".text = '' - mkdir -p ${siteDataDir} - if [ ! -f ${siteDataDir}/wp-config.php ]; then - cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ - chown -R ${siteUser}:${siteGroup} ${siteDataDir} - chmod -R 755 ${siteDataDir} - fi - ''; -} diff --git a/modules/hosting/wordpress.nix b/modules/hosting/wordpress.nix new file mode 100644 index 0000000..efa46c6 --- /dev/null +++ b/modules/hosting/wordpress.nix 
@@ -0,0 +1,133 @@ +{config, pkgs, lib, ...}: + +let + cfg = config.services.cWordpress; +in { + options = { + services.cWordpress = { + enable = lib.mkEnableOption "custom WordPress service"; + + siteName = lib.mkOption { + type = lib.types.str; + default = "example-name"; + description = ""; # TODO: + }; + sitePort = lib.mkOption { + type = lib.types.port; + default = 80; + description = ""; # TODO: + }; + }; + }; + + config = let + siteDataDir = "/srv/http/${cfg.siteName}"; + siteUser = "user-${cfg.siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp = siteUserPhp; + sitePhpPool = "wordpress-${cfg.siteName}"; + in lib.mkIf cfg.enable { + users = { + users = { + "${siteUser}" = { + isSystemUser = true; + group = siteGroup; + home = siteDataDir; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + ### 3) Service account for PHP-FPM pool + "${siteUserPhp}" = { + isSystemUser = true; + group = siteGroupPhp; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }; + + groups = { + "${siteGroup}" = {}; + "${siteGroupPhp}" = {}; + }; + }; + + services = { + mysql = { + enable = true; + package = pkgs.mariadb; + }; + + phpfpm.pools."${sitePhpPool}" = { + user = siteUserPhp; + group = siteGroupPhp; + + settings = { + # Socket ownership so Nginx can connect + "listen.owner" = config.services.nginx.user; + "listen.group" = siteGroupPhp; + "listen.mode" = "0660"; + + # Dynamic process management tuned for small sites + pm = "dynamic"; + "pm.max_children" = "5"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + + # Logging + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + }; + }; + + nginx = { + enable = true; + virtualHosts."${cfg.siteName}" = { + default = true; + root = siteDataDir; + + listen = [ + { + addr = "0.0.0.0"; + port = cfg.sitePort; + ssl = false; + } + ]; + + # Fallback for pretty 
permalinks + locations."/" = { + tryFiles = "$uri $uri/ /index.php?$args"; + }; + extraConfig = '' + index index.php; + ''; + + # 6.2 Handle PHP scripts + locations."~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; + }; + }; + + # Bootstrap WordPress on activation + environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? + system.activationScripts."setupWordpress-${cfg.siteName}".text = '' + mkdir -p ${siteDataDir} + if [ ! -f ${siteDataDir}/wp-config.php ]; then + cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + chown -R ${siteUser}:${siteGroup} ${siteDataDir} + chmod -R 755 ${siteDataDir} + fi + ''; + }; +} From b134344dd55643808b9d2d31180a1b4105ba66d3 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Wed, 14 May 2025 23:17:57 +0200 Subject: [PATCH 14/42] chore: activate game-lianti again --- outputs.nix | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/outputs.nix b/outputs.nix index a5ea2ce..98bff11 100644 --- a/outputs.nix +++ b/outputs.nix @@ -1,5 +1,4 @@ inArgs: let - lib = inArgs.nixpkgs.lib; hostHelper = import ./hostHelper.nix inArgs; # Supported systems for your flake packages, shell, etc. @@ -18,10 +17,10 @@ in { #jitsi = {stateVersion = "24.11";}; - game-luanti = { - stateVersion = "25.05"; - unstable = true; - }; + # game-luanti = { + # stateVersion = "25.05"; + # unstable = true; + # }; ext-julia = {stateVersion = "24.11";}; }; From 14a58c86d1b0b1188c584312dfe66a7f4ddf4791 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Thu, 15 May 2025 20:05:29 +0200 Subject: [PATCH 15/42] feat: added nvimdiff and nvimdiff --- modules/software/neovim.nix | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) 
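Review bot: The `setupWordpress-${cfg.siteName}` activation script at the end of the hunk runs as root on every switch and splices `siteDataDir` (built from the free-form `siteName` str option) unquoted into `mkdir -p`, `cp -R`, `chown -R` and `chmod -R`, so a site name containing whitespace or shell metacharacters changes what those commands touch; pass each path through `lib.escapeShellArg`, or constrain `siteName` with `lib.types.strMatching`. `chmod -R 755` also leaves the whole tree world-readable, which will include `wp-config.php` and its database credentials once that file exists; today the PHP-FPM user (`siteUserPhp`, in its own group) can read the PHP files only through that world-readable bit, so tightening to 0750/0640 needs `siteUserPhp` added to `siteGroup` (`extraGroups = [siteGroup]`) and a writable `wp-content/uploads` handled separately. The `if [ ! -f ${siteDataDir}/wp-config.php ]` guard is never satisfied by the bootstrap itself — the copied package ships only `wp-config-sample.php`, and with the tree owned by `siteUser` the PHP user presumably cannot create the file either — so every later switch re-copies and re-chowns the tree over any edited core files. The same script recurs in kiezpalme.nix and pertineo.nix (PATCH 18) and in the PATCH 20 rewrite of this file.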
diff --git a/modules/software/neovim.nix b/modules/software/neovim.nix
index 8e9546e..6329185 100644
--- a/modules/software/neovim.nix
+++ b/modules/software/neovim.nix
@@ -1,4 +1,18 @@
-{
+{pkgs, ...}: let
+ makeDiff = name:
+ pkgs.writeShellScriptBin name ''
+ #!/usr/bin/env bash
+ if [ $# -lt 2 ]; then
+ echo "Usage: ${name} [more args…]" >&2
+ exit 1
+ fi
+ exec nvim -d "$@"
+ '';
+in {
+ environment.systemPackages = [
+ (makeDiff "vimdiff")
+ (makeDiff "nvimdiff")
+ ];
 programs.neovim = {
 enable = true;
 viAlias = true;
From b76d8374720321fe6e4d5f38b7c52a369d5c4f72 Mon Sep 17 00:00:00 2001
From: Ranomier <>
Date: Thu, 15 May 2025 20:30:26 +0200
Subject: [PATCH 16/42] fix: refactor - make it beautiful!
---
 hosts/ext-julia/hardware-configuration.nix | 12 ++--
 hosts/factorio/hardware-configuration.nix | 8 +--
 hosts/game-luanti/hardware-configuration.nix | 13 ++---
 hosts/jitsi/default.nix | 7 +--
 modules/customisation.nix | 13 +++--
 modules/environment.nix | 58 ++++++++++----------
 modules/hardware/bluetooth.nix | 6 +-
 modules/hardware/default.nix | 5 +-
 modules/hardware/gpu.nix | 10 ++--
 modules/hardware/print.nix | 4 ++
 modules/hardware/scan.nix | 27 +++++++++
 modules/hardware/scan_and_print.nix | 27 ---------
 modules/locale.nix | 42 +++++++-------
 modules/pkg_mgrmnt/default.nix | 2 +-
 modules/pkg_mgrmnt/podman.nix | 2 +-
 modules/pkg_mgrmnt/store_pkg_file.nix | 2 +-
 modules/sec_auth/apparmor.nix | 2 +-
 modules/software/fonts.nix | 1 +
 modules/software/obs-studio.nix | 23 +++++---
 modules/software/virt.nix | 4 --
 20 files changed, 138 insertions(+), 130 deletions(-)
 create mode 100644 modules/hardware/print.nix
 create mode 100644 modules/hardware/scan.nix
 delete mode 100644 modules/hardware/scan_and_print.nix
diff --git a/hosts/ext-julia/hardware-configuration.nix b/hosts/ext-julia/hardware-configuration.nix
index 165d4c8..1e4a7ab 100644
--- a/hosts/ext-julia/hardware-configuration.nix
+++ b/hosts/ext-julia/hardware-configuration.nix
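Review bot: The `#!/usr/bin/env bash` line inside the `makeDiff` script body is dead: `pkgs.writeShellScriptBin` already emits its own shebang as the first line of the generated file, so this one lands on line two as a plain comment and can be dropped. The wrapper also resolves `nvim` through the caller's PATH rather than a package path, presumably on purpose so the `programs.neovim` wrapper (with its configured plugins) is used, but that makes the two binaries silently depend on that module being enabled on the same host; a one-line comment above the `exec`, `# relies on programs.neovim putting the configured nvim on PATH`, would make the coupling explicit.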
@@ -2,9 +2,7 @@ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. { - config, lib, - pkgs, modulesPath, ... }: { @@ -12,10 +10,12 @@ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; - boot.initrd.kernelModules = []; - boot.kernelModules = []; - boot.extraModulePackages = []; + boot = { + initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + initrd.kernelModules = []; + kernelModules = []; + extraModulePackages = []; + }; fileSystems."/" = { device = "/dev/disk/by-uuid/d290e12c-d93c-45f6-b737-135b551c1951"; diff --git a/hosts/factorio/hardware-configuration.nix b/hosts/factorio/hardware-configuration.nix index a458278..88e834a 100644 --- a/hosts/factorio/hardware-configuration.nix +++ b/hosts/factorio/hardware-configuration.nix @@ -1,13 +1,7 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: { +{lib, ...}: { boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"]; # maybe instruct nix to just use available swap partition diff --git a/hosts/game-luanti/hardware-configuration.nix b/hosts/game-luanti/hardware-configuration.nix index 165d4c8..6bbf7a7 100644 --- a/hosts/game-luanti/hardware-configuration.nix +++ b/hosts/game-luanti/hardware-configuration.nix 
@@ -2,20 +2,19 @@ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. { - config, lib, - pkgs, modulesPath, ... }: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - - boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; - boot.initrd.kernelModules = []; - boot.kernelModules = []; - boot.extraModulePackages = []; + boot = { + initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; + initrd.kernelModules = []; + kernelModules = []; + extraModulePackages = []; + }; fileSystems."/" = { device = "/dev/disk/by-uuid/d290e12c-d93c-45f6-b737-135b551c1951"; diff --git a/hosts/jitsi/default.nix b/hosts/jitsi/default.nix index 1893723..a13ea41 100644 --- a/hosts/jitsi/default.nix +++ b/hosts/jitsi/default.nix @@ -1,9 +1,4 @@ -{ - pkgs, - lib, - modulesPath, - ... -}: { +{...}: { nixpkgs.config = { # Disable if you don't want unfree packages allowUnfree = true; diff --git a/modules/customisation.nix b/modules/customisation.nix index 65e1092..4a07150 100644 --- a/modules/customisation.nix +++ b/modules/customisation.nix @@ -1,10 +1,13 @@ {pkgs, ...}: { # install and set neovim as MANPAGER - environment.systemPackages = [pkgs.neovim]; - environment.variables = { - "MANPAGER" = "nvim +Man!"; + environment = { + systemPackages = [pkgs.neovim]; + variables = { + # set neovim as default editor + "EDITOR" = "nvim"; - # set neovim as default editor - "EDITOR" = "nvim"; + # use neovim as manpager! :3 + "MANPAGER" = "nvim +Man!"; + }; }; } diff --git a/modules/environment.nix b/modules/environment.nix index d399d08..44215ab 100644 --- a/modules/environment.nix +++ b/modules/environment.nix 
@@ -1,33 +1,35 @@ {pkgs, ...}: { - environment.etc = { - "xdg/user-dirs.defaults".text = '' - DESKTOP=Desktop - DOWNLOAD=Downloads - TEMPLATES=Documents/Templates - PUBLICSHARE=Public - DOCUMENTS=Documents - MUSIC=Media/Music - PICTURES=Media/Pictures - VIDEOS=Media/Videos - ''; - }; - # This is using a rec (recursive) expression to set and access XDG_BIN_HOME within the expression - # For more on rec expressions see https://nix.dev/tutorials/first-steps/nix-language#recursive-attribute-set-rec - environment.sessionVariables = rec { - XDG_CACHE_HOME = "$HOME/.cache"; - XDG_CONFIG_HOME = "$HOME/.config"; - XDG_DATA_HOME = "$HOME/.local/share"; - XDG_STATE_HOME = "$HOME/.local/state"; + environment = { + etc = { + "xdg/user-dirs.defaults".text = '' + DESKTOP=Desktop + DOWNLOAD=Downloads + TEMPLATES=Documents/Templates + PUBLICSHARE=Public + DOCUMENTS=Documents + MUSIC=Media/Music + PICTURES=Media/Pictures + VIDEOS=Media/Videos + ''; + }; + # This is using a rec (recursive) expression to set and access XDG_BIN_HOME within the expression + # For more on rec expressions see https://nix.dev/tutorials/first-steps/nix-language#recursive-attribute-set-rec + sessionVariables = rec { + XDG_CACHE_HOME = "$HOME/.cache"; + XDG_CONFIG_HOME = "$HOME/.config"; + XDG_DATA_HOME = "$HOME/.local/share"; + XDG_STATE_HOME = "$HOME/.local/state"; - # Not officially in the specification - XDG_BIN_HOME = "$HOME/.local/mybin"; - PATH = [ - "${XDG_BIN_HOME}" + # Not officially in the specification + XDG_BIN_HOME = "$HOME/.local/mybin"; + PATH = [ + "${XDG_BIN_HOME}" + ]; + }; + + # XDG-USER-DIR package and config + systemPackages = with pkgs; [ + xdg-user-dirs ]; }; - - # XDG-USER-DIR package and config - environment.systemPackages = with pkgs; [ - xdg-user-dirs - ]; } diff --git a/modules/hardware/bluetooth.nix b/modules/hardware/bluetooth.nix index 900e469..cea96f4 100644 --- a/modules/hardware/bluetooth.nix +++ b/modules/hardware/bluetooth.nix 
@@ -1,6 +1,8 @@ { - hardware.bluetooth.enable = true; # enables support for Bluetooth - hardware.bluetooth.powerOnBoot = false; # powers up the default Bluetooth controller on boot + hardware = { + bluetooth.enable = true; # enables support for Bluetooth + bluetooth.powerOnBoot = false; # powers up the default Bluetooth controller on boot + }; services.blueman.enable = true; # provides blueman-applet and blueman-manager } diff --git a/modules/hardware/default.nix b/modules/hardware/default.nix index e24baff..c6ebe66 100644 --- a/modules/hardware/default.nix +++ b/modules/hardware/default.nix @@ -2,8 +2,9 @@ imports = [ ./bluetooth.nix ./fwupd.nix - ./scan_and_print.nix - #./trackpoint.nix ./gpu.nix + ./print.nix + ./scan.nix + #./trackpoint.nix ]; } diff --git a/modules/hardware/gpu.nix b/modules/hardware/gpu.nix index 13c2a0b..577529b 100644 --- a/modules/hardware/gpu.nix +++ b/modules/hardware/gpu.nix @@ -1,6 +1,8 @@ {pkgs, ...}: { - hardware.graphics.enable = true; - hardware.graphics.extraPackages = with pkgs; [ - libvdpau-va-gl - ]; + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + libvdpau-va-gl + ]; + }; } diff --git a/modules/hardware/print.nix b/modules/hardware/print.nix new file mode 100644 index 0000000..3697cf9 --- /dev/null +++ b/modules/hardware/print.nix @@ -0,0 +1,4 @@ +{ + # Enable CUPS to print documents. + services.printing.enable = true; +} diff --git a/modules/hardware/scan.nix b/modules/hardware/scan.nix new file mode 100644 index 0000000..949137b --- /dev/null +++ b/modules/hardware/scan.nix 
@@ -0,0 +1,27 @@ +{pkgs, ...}: { + services.ipp-usb.enable = true; # enable usb support + + hardware.sane = { + enable = true; # enables support for SANE scanners + + backends-package = pkgs.sane-backends.overrideAttrs (old: { + configureFlags = + (old.configureFlags or []) + ++ [ + # "--localstatedir=/var" # `sane-backends` puts e.g. lock files in here, must not be in /nix/store + # "--with-lockdir=/var/lock/sane" # `sane-backends` puts e.g. lock files in here, must not be in /nix/store + + # Ugly workaround for https://github.com/NixOS/nixpkgs/issues/273280#issuecomment-1848873028 + # Really we should make `sane-backends` be able to provide a real lock dir (e.g. `/var/lock/sane`). + "--disable-locking" + ]; + }); + }; + + users.users.ranomier.extraGroups = ["scanner" "lp"]; + + # only for the scan and maybe print clients + environment.systemPackages = with pkgs; [ + simple-scan + ]; +} diff --git a/modules/hardware/scan_and_print.nix b/modules/hardware/scan_and_print.nix deleted file mode 100644 index a83884c..0000000 --- a/modules/hardware/scan_and_print.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -{pkgs, ...}: { - hardware.sane.enable = true; # enables support for SANE scanners - services.ipp-usb.enable = true; # enable usb support - - hardware.sane.backends-package = pkgs.sane-backends.overrideAttrs (old: { - configureFlags = - (old.configureFlags or []) - ++ [ - # "--localstatedir=/var" # `sane-backends` puts e.g. lock files in here, must not be in /nix/store - # "--with-lockdir=/var/lock/sane" # `sane-backends` puts e.g. lock files in here, must not be in /nix/store - - # Ugly workaround for https://github.com/NixOS/nixpkgs/issues/273280#issuecomment-1848873028 - # Really we should make `sane-backends` be able to provide a real lock dir (e.g. `/var/lock/sane`). - "--disable-locking" - ]; - }); - - users.users.ranomier.extraGroups = ["scanner" "lp"]; - - # only for the scan and maybe print clients - environment.systemPackages = with pkgs; [ - simple-scan - ]; - - # Enable CUPS to print documents. - services.printing.enable = true; -} diff --git a/modules/locale.nix b/modules/locale.nix index f4903ee..fbc9d55 100644 --- a/modules/locale.nix +++ b/modules/locale.nix 
@@ -1,26 +1,31 @@ { + # Configure console keymap + console.keyMap = "de"; + # Set your time zone. time.timeZone = "Europe/Berlin"; - # Select internationalisation properties. - i18n.defaultLocale = "en_GB.UTF-8"; + i18n = { + # Select internationalisation properties. + defaultLocale = "en_GB.UTF-8"; - #i18n.supportedLocales = [ - # "en_GB.UTF-8" - # "en_US.UTF-8" - # "de_DE.UTF-8" - #]; + #supportedLocales = [ + # "en_GB.UTF-8" + # "en_US.UTF-8" + # "de_DE.UTF-8" + #]; - i18n.extraLocaleSettings = { - LC_ADDRESS = "de_DE.UTF-8"; - LC_IDENTIFICATION = "de_DE.UTF-8"; - LC_MEASUREMENT = "de_DE.UTF-8"; - LC_MONETARY = "de_DE.UTF-8"; - LC_NAME = "de_DE.UTF-8"; - LC_NUMERIC = "de_DE.UTF-8"; - LC_PAPER = "de_DE.UTF-8"; - LC_TELEPHONE = "de_DE.UTF-8"; - LC_TIME = "de_DE.UTF-8"; + extraLocaleSettings = { + LC_ADDRESS = "de_DE.UTF-8"; + LC_IDENTIFICATION = "de_DE.UTF-8"; + LC_MEASUREMENT = "de_DE.UTF-8"; + LC_MONETARY = "de_DE.UTF-8"; + LC_NAME = "de_DE.UTF-8"; + LC_NUMERIC = "de_DE.UTF-8"; + LC_PAPER = "de_DE.UTF-8"; + LC_TELEPHONE = "de_DE.UTF-8"; + LC_TIME = "de_DE.UTF-8"; + }; }; # Configure keymap in X11 @@ -28,7 +33,4 @@ layout = "de"; variant = ""; }; - - # Configure console keymap - console.keyMap = "de"; } diff --git a/modules/pkg_mgrmnt/default.nix b/modules/pkg_mgrmnt/default.nix index 49732db..6567a47 100644 --- a/modules/pkg_mgrmnt/default.nix +++ b/modules/pkg_mgrmnt/default.nix @@ -1,8 +1,8 @@ { imports = [ ./flatpak.nix + ./garbage-collect.nix ./podman.nix ./store_pkg_file.nix - ./garbage-collect.nix ]; } diff --git a/modules/pkg_mgrmnt/podman.nix b/modules/pkg_mgrmnt/podman.nix index 96379cf..1299590 100644 --- a/modules/pkg_mgrmnt/podman.nix +++ b/modules/pkg_mgrmnt/podman.nix 
@@ -19,8 +19,8 @@ # Useful other development tools environment.systemPackages = with pkgs; [ dive # look into docker image layers - podman-tui # status of containers in the terminal #docker-compose # start group of containers for dev podman-compose # start group of containers for dev + podman-tui # status of containers in the terminal ]; } diff --git a/modules/pkg_mgrmnt/store_pkg_file.nix b/modules/pkg_mgrmnt/store_pkg_file.nix index 4f4e02b..da04794 100644 --- a/modules/pkg_mgrmnt/store_pkg_file.nix +++ b/modules/pkg_mgrmnt/store_pkg_file.nix @@ -10,5 +10,5 @@ formatted = builtins.concatStringsSep "\n" sortedUnique; in formatted; - # TODO: in the far future: add a little alias that greps throgh that file + # TODO: in the far future: add a little alias that greps through that file } diff --git a/modules/sec_auth/apparmor.nix b/modules/sec_auth/apparmor.nix index dad5775..25c70cd 100644 --- a/modules/sec_auth/apparmor.nix +++ b/modules/sec_auth/apparmor.nix @@ -4,9 +4,9 @@ # XDG-USER-DIR package and config environment.systemPackages = with pkgs; [ apparmor-pam - apparmor-utils apparmor-parser apparmor-profiles + apparmor-utils roddhjav-apparmor-rules ]; } diff --git a/modules/software/fonts.nix b/modules/software/fonts.nix index 1d1c26e..69b264d 100644 --- a/modules/software/fonts.nix +++ b/modules/software/fonts.nix @@ -12,6 +12,7 @@ fira-code fira-code-symbols #droid-sans-mono + (nerdfonts.override { fonts = [ "FiraCode" diff --git a/modules/software/obs-studio.nix b/modules/software/obs-studio.nix index a93ee14..1d6bef4 100644 --- a/modules/software/obs-studio.nix +++ b/modules/software/obs-studio.nix @@ -3,6 +3,9 @@ config, ... }: { + # The virtual camera requires the v4l2loopback kernel module to be installed, a loopback device configured, and polkit enabled so OBS can access the virtual device. + security.polkit.enable = true; + environment.systemPackages = [ (pkgs.wrapOBS { plugins = with pkgs.obs-studio-plugins; [ 
@@ -12,12 +15,16 @@
 ];
 })
 ];
- boot.extraModulePackages = with config.boot.kernelPackages; [
- v4l2loopback
- ];
- boot.kernelModules = ["v4l2loopback"];
- boot.extraModprobeConfig = ''
- options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1
- '';
- security.polkit.enable = true;
+
+ boot = {
+ kernelModules = ["v4l2loopback"];
+
+ extraModulePackages = with config.boot.kernelPackages; [
+ v4l2loopback
+ ];
+
+ extraModprobeConfig = ''
+ options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1
+ '';
+ };
 }
diff --git a/modules/software/virt.nix b/modules/software/virt.nix
index 29a6c8e..9f512f0 100644
--- a/modules/software/virt.nix
+++ b/modules/software/virt.nix
@@ -1,8 +1,4 @@
 {pkgs, ...}: {
- # for running android apps
- virtualisation.waydroid.enable =
- true; # also starts the systemd service waydroid-container
-
 # virt manager, for running VM's
 virtualisation.libvirtd.enable = true;
 programs.virt-manager.enable = true;
From 2ef666ad65ae19bae66eb5277ae2f1d145fc9243 Mon Sep 17 00:00:00 2001
From: Ranomier <>
Date: Thu, 15 May 2025 20:30:49 +0200
Subject: [PATCH 17/42] fix: why did we disable the firewall?
---
 modules/firewall.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/firewall.nix b/modules/firewall.nix
index f8cb4bb..dfd6753 100644
--- a/modules/firewall.nix
+++ b/modules/firewall.nix
@@ -1,6 +1,6 @@
 {
 networking.firewall = {
- enable = false;
+ enable = true;
 
 # Open ports in the firewall.
 allowedTCPPorts = [8080 10001 10002];
From 81979fccae11ab32fa1024ea8fec588e95a51647 Mon Sep 17 00:00:00 2001
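Review bot: Enabling the firewall here admits only TCP 8080, 10001 and 10002, yet the hosts in this series also expose nginx vhosts on 0.0.0.0:80 and :81 (the WordPress modules in PATCH 18), and neither this change nor those site modules open them. sshd is unaffected because the NixOS openssh module opens its own ports (`services.openssh.openFirewall` defaults to true), but nginx has no such default, so if modules/firewall.nix is part of the server profile that ext-julia imports — not visible in this chunk — the sites become unreachable after this commit. Each site module should declare its port next to its `listen` block, `networking.firewall.allowedTCPPorts = [sitePort];`, rather than relying on this host-independent list.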
From: Ranomier <> Date: Tue, 20 May 2025 01:40:29 +0200 Subject: [PATCH 18/42] wip: interims solution --- hosts/ext-julia/default.nix | 11 +- .../hosting/wordpress-simple/kiezpalme.nix | 113 ++++++++++++++++++ modules/hosting/wordpress-simple/pertineo.nix | 113 ++++++++++++++++++ modules/software/audio_video/audio_video.nix | 1 + modules/software/packages/extended.nix | 1 + system_profiles/server.nix | 1 - 6 files changed, 235 insertions(+), 5 deletions(-) create mode 100644 modules/hosting/wordpress-simple/kiezpalme.nix create mode 100644 modules/hosting/wordpress-simple/pertineo.nix diff --git a/hosts/ext-julia/default.nix b/hosts/ext-julia/default.nix index af92053..f3953c0 100644 --- a/hosts/ext-julia/default.nix +++ b/hosts/ext-julia/default.nix @@ -1,17 +1,20 @@ -{config, pkgs, ...}:{ +{pkgs, ...}:{ imports = [ ./boot.nix ./hardware-configuration.nix - - ../../modules/hosting/wordpress.nix + + ../../modules/hosting/wordpress-simple/kiezpalme.nix + ../../modules/hosting/wordpress-simple/pertineo.nix ../../modules/sec_auth/ssh-server.nix ../../system_profiles/server.nix ]; - services.cWordpress = { + services.mysql = { enable = true; + package = pkgs.mariadb; }; + services.openssh.ports = [11522]; users = let username = "root"; diff --git a/modules/hosting/wordpress-simple/kiezpalme.nix b/modules/hosting/wordpress-simple/kiezpalme.nix new file mode 100644 index 0000000..636cc00 --- /dev/null +++ b/modules/hosting/wordpress-simple/kiezpalme.nix 
@@ -0,0 +1,113 @@ +{ + config, + pkgs, + lib, + ... +}: let + siteName = "shop.kiezpalme.de"; + sitePort = 80; + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp = siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; +in { + users = { + users = { + "${siteUser}" = { + isSystemUser = true; + group = siteGroup; + home = siteDataDir; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + "${siteUserPhp}" = { + isSystemUser = true; + group = siteGroupPhp; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }; + + groups = { + "${siteGroup}" = {}; + "${siteGroupPhp}" = {}; + }; + }; + + services = { + + phpfpm.pools."${sitePhpPool}" = { + user = siteUserPhp; + group = siteGroupPhp; + + settings = { + # Socket ownership so Nginx can connect + "listen.owner" = config.services.nginx.user; + "listen.group" = siteGroupPhp; + "listen.mode" = "0660"; + + # Dynamic process management tuned for small sites + pm = "dynamic"; + "pm.max_children" = "5"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + + # Logging + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + }; + }; + + nginx = { + enable = true; + virtualHosts."${siteName}" = { + default = true; + root = siteDataDir; + + listen = [ + { + addr = "0.0.0.0"; + port = sitePort; + ssl = false; + } + ]; + + # Fallback for pretty permalinks + locations."/" = { + tryFiles = "$uri $uri/ /index.php?$args"; + }; + + extraConfig = '' + index index.php; + ''; + + # Handle PHP scripts + locations."~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; 
+ }; + }; + + # Bootstrap WordPress on activation + environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? + system.activationScripts."setupWordpress-${siteName}".text = '' + mkdir -p ${siteDataDir} + if [ ! -f ${siteDataDir}/wp-config.php ]; then + cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + chown -R ${siteUser}:${siteGroup} ${siteDataDir} + chmod -R 755 ${siteDataDir} + fi + ''; # TODO: tighten permissions (not 755) +} diff --git a/modules/hosting/wordpress-simple/pertineo.nix b/modules/hosting/wordpress-simple/pertineo.nix new file mode 100644 index 0000000..2a83ad5 --- /dev/null +++ b/modules/hosting/wordpress-simple/pertineo.nix 
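Review bot: The vhost for `shop.kiezpalme.de` is plain HTTP only — `listen` carries `ssl = false` and there is no `forceSSL`/`enableACME` on the vhost — so the WordPress login and whatever a shop collects from visitors travel in cleartext; `enableACME = true; forceSSL = true;` on the vhost (with `security.acme.acceptTerms` and `security.acme.defaults.email` set once) is the usual NixOS fix, and the same applies to pertineo.nix in this commit. `lib` is bound in the module arguments but never used, and apart from the `siteName`/`sitePort` values the file is a line-for-line copy of pertineo.nix, so every later fix has to land twice; a small `mkSite = {siteName, sitePort}: …` function shared by both files would remove the copy. The blank line left at the top of `services = {` where the `mysql` block used to be is leftover noise.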
@@ -0,0 +1,113 @@ +{ + config, + pkgs, + lib, + ... +}: let + siteName = "pertineo.de"; + sitePort = 81; + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp = siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; +in { + users = { + users = { + "${siteUser}" = { + isSystemUser = true; + group = siteGroup; + home = siteDataDir; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + "${siteUserPhp}" = { + isSystemUser = true; + group = siteGroupPhp; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }; + + groups = { + "${siteGroup}" = {}; + "${siteGroupPhp}" = {}; + }; + }; + + services = { + + phpfpm.pools."${sitePhpPool}" = { + user = siteUserPhp; + group = siteGroupPhp; + + settings = { + # Socket ownership so Nginx can connect + "listen.owner" = config.services.nginx.user; + "listen.group" = siteGroupPhp; + "listen.mode" = "0660"; + + # Dynamic process management tuned for small sites + pm = "dynamic"; + "pm.max_children" = "5"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + + # Logging + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + }; + }; + + nginx = { + enable = true; + virtualHosts."${siteName}" = { + default = true; + root = siteDataDir; + + listen = [ + { + addr = "0.0.0.0"; + port = sitePort; + ssl = false; + } + ]; + + # Fallback for pretty permalinks + locations."/" = { + tryFiles = "$uri $uri/ /index.php?$args"; + }; + + extraConfig = '' + index index.php; + ''; + + # Handle PHP scripts + locations."~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; + }; + 
}; + + # Bootstrap WordPress on activation + environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? + system.activationScripts."setupWordpress-${siteName}".text = '' + mkdir -p ${siteDataDir} + if [ ! -f ${siteDataDir}/wp-config.php ]; then + cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + chown -R ${siteUser}:${siteGroup} ${siteDataDir} + chmod -R 755 ${siteDataDir} + fi + ''; # TODO: tighten permissions (not 755) +} diff --git a/modules/software/audio_video/audio_video.nix b/modules/software/audio_video/audio_video.nix index e878b5a..a3b1784 100644 --- a/modules/software/audio_video/audio_video.nix +++ b/modules/software/audio_video/audio_video.nix @@ -16,6 +16,7 @@ }; }; + # only for more system kinda packages not editing and such environment.systemPackages = with pkgs; [ helvum pwvucontrol diff --git a/modules/software/packages/extended.nix b/modules/software/packages/extended.nix index 7e1b447..028ac4d 100644 --- a/modules/software/packages/extended.nix +++ b/modules/software/packages/extended.nix @@ -55,5 +55,6 @@ rustdesk-flutter timer unstable.prusa-slicer + tenacity ]; } diff --git a/system_profiles/server.nix b/system_profiles/server.nix index b242b27..65d54d6 100644 --- a/system_profiles/server.nix +++ b/system_profiles/server.nix @@ -6,6 +6,5 @@ ../modules/customisation.nix ../modules/software/neovim.nix ../modules/software/packages/core.nix - ]; } From 413726d3686e61caf1020d42c3c0e9667a440454 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Tue, 20 May 2025 01:40:54 +0200 Subject: [PATCH 19/42] chore: update flake.lock --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 714dcc0..ae187b1 100644 --- a/flake.lock +++ b/flake.lock 
@@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1747020534, - "narHash": "sha256-D/6rkiC6w2p+4SwRiVKrWIeYzun8FBg7NlMKMwQMxO0=", + "lastModified": 1747331121, + "narHash": "sha256-3MmiUN/jOHBHQUnjqzg6qKArc17j2OS6jisEppDY4g8=", "owner": "nix-community", "repo": "home-manager", - "rev": "b4bbdc6fde16fc2051fcde232f6e288cd22007ca", + "rev": "1eec32f0efe3b830927989767a9e6ece0d82d608", "type": "github" }, "original": { @@ -90,11 +90,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1746904237, - "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=", + "lastModified": 1747179050, + "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956", + "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e", "type": "github" }, "original": { @@ -106,11 +106,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1746957726, - "narHash": "sha256-k9ut1LSfHCr0AW82ttEQzXVCqmyWVA5+SHJkS5ID/Jo=", + "lastModified": 1747209494, + "narHash": "sha256-fLise+ys+bpyjuUUkbwqo5W/UyIELvRz9lPBPoB0fbM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a39ed32a651fdee6842ec930761e31d1f242cb94", + "rev": "5d736263df906c5da72ab0f372427814de2f52f8", "type": "github" }, "original": { From 7eb4cac5ff96568525432997a266fafb6880a642 Mon Sep 17 00:00:00 2001 
From: Ranomier <> Date: Sat, 24 May 2025 12:17:49 +0200 Subject: [PATCH 20/42] wip: random expiriments --- hosts/ext-julia/default.nix | 19 +- .../game/server/luanti/cleanup-and-pull.nix | 3 + modules/hosting/wordpress.nix | 287 +++++++++++------- modules/hosting/wordpress_from_krebs.nix | 186 ++++++++++++ modules/hosting/wordpress_new.nix | 138 +++++++++ modules/hosting/wordpress_refactor.nix | 145 +++++++++ outputs.nix | 10 +- 7 files changed, 662 insertions(+), 126 deletions(-) create mode 100644 modules/game/server/luanti/cleanup-and-pull.nix create mode 100644 modules/hosting/wordpress_from_krebs.nix create mode 100644 modules/hosting/wordpress_new.nix create mode 100644 modules/hosting/wordpress_refactor.nix diff --git a/hosts/ext-julia/default.nix b/hosts/ext-julia/default.nix index f3953c0..92c90f8 100644 --- a/hosts/ext-julia/default.nix +++ b/hosts/ext-julia/default.nix @@ -3,16 +3,27 @@ ./boot.nix ./hardware-configuration.nix - ../../modules/hosting/wordpress-simple/kiezpalme.nix - ../../modules/hosting/wordpress-simple/pertineo.nix + #../../modules/hosting/wordpress-simple/kiezpalme.nix + #../../modules/hosting/wordpress-simple/pertineo.nix + ../../modules/hosting/wordpress.nix ../../modules/sec_auth/ssh-server.nix ../../system_profiles/server.nix ]; - services.mysql = { + #services.mysql = { + # enable = true; + # package = pkgs.mariadb; + #}; + + services.cWordpress."example-site" = { enable = true; - package = pkgs.mariadb; + sitePort = 80; + }; + + services.cWordpress."example-site2" = { + enable = true; + sitePort = 81; }; services.openssh.ports = [11522]; diff --git a/modules/game/server/luanti/cleanup-and-pull.nix b/modules/game/server/luanti/cleanup-and-pull.nix new file mode 100644 index 0000000..af5dd69 --- /dev/null +++ b/modules/game/server/luanti/cleanup-and-pull.nix @@ -0,0 +1,3 @@ +{pkgs, ...}: { + +} diff --git a/modules/hosting/wordpress.nix b/modules/hosting/wordpress.nix index efa46c6..fb22fb9 100644 
--- a/modules/hosting/wordpress.nix +++ b/modules/hosting/wordpress.nix 
@@ -1,133 +1,186 @@ -{config, pkgs, lib, ...}: - -let - cfg = config.services.cWordpress; -in { - options = { - services.cWordpress = { +{ + config, + pkgs, + lib, + ... +}: let + siteOpts = lib.types.submodule ({ + options = { enable = lib.mkEnableOption "custom WordPress service"; siteName = lib.mkOption { - type = lib.types.str; - default = "example-name"; - description = ""; # TODO: + type = lib.types.nullOr lib.types.str; + default = null; }; + sitePort = lib.mkOption { - type = lib.types.port; - default = 80; - description = ""; # TODO: + type = lib.types.port; + default = 80; + description = ""; # TODO: }; + + #siteDataDir = lib.mkOption { + # type = lib.types.str; + # default = "/srv/http/${siteName}"; + #}; + #siteUser = lib.mkOption { + # type = lib.types.str; + # default = "user-${siteName}"; + #}; + #siteGroup = lib.mkOption { + # type = lib.types.str; + # default = config.services.nginx.user; + #}; + #siteUserPhp = lib.mkOption { + # type = lib.types.str; + # default = "${siteUser}-php"; + #}; + #siteGroupPhp = lib.mkOption { + # type = lib.types.str; + # default = siteUserPhp; + #}; + #sitePhpPool = lib.mkOption { + # type = lib.types.str; + # default = "wordpress-${siteName}"; + #}; + }; + }); + #sites = builtins.mapAttrs (siteName2: siteConfig: + # let + # siteName = if siteConfig.siteName != null then siteConfig.siteName else siteName2; + # in siteConfig // {siteName = siteName;} + #) cfg; + # + #enabledSites = lib.filterAttrs (name: config: config.enable) cfg; + #magie = banana: builtins.mapAttrs (siteName: site: banana) enabledSites; + + mkMergeTopLevel = names: attrs: + lib.getAttrs names ( + lib.mapAttrs (k: v: lib.mkMerge v) (lib.foldAttrs (n: a: [n] ++ a) [] attrs) + ); + + cfg = config.services.cWordpress; +in { + options = { + services.cWordpress = lib.mkOption { + type = lib.types.attrsOf siteOpts; + + default = {}; + description = ""; # TODO: }; }; - config = let - siteDataDir = "/srv/http/${cfg.siteName}"; - siteUser = 
"user-${cfg.siteName}"; - siteGroup = config.services.nginx.user; - siteUserPhp = "${siteUser}-php"; - siteGroupPhp = siteUserPhp; - sitePhpPool = "wordpress-${cfg.siteName}"; - in lib.mkIf cfg.enable { - users = { - users = { - "${siteUser}" = { - isSystemUser = true; - group = siteGroup; - home = siteDataDir; - createHome = false; - shell = "${pkgs.shadow}/bin/nologin"; - }; + config = mkMergeTopLevel ["users" "services" "environment" "system"] (lib.mapAttrsToList ( + siteName: opts: let + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp = siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; + in { + users = { + users = { + "${siteUser}" = { + isSystemUser = true; + group = siteGroup; + home = siteDataDir; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; - ### 3) Service account for PHP-FPM pool - "${siteUserPhp}" = { - isSystemUser = true; - group = siteGroupPhp; - home = "/var/empty"; - createHome = false; - shell = "${pkgs.shadow}/bin/nologin"; - }; - }; - - groups = { - "${siteGroup}" = {}; - "${siteGroupPhp}" = {}; - }; - }; - - services = { - mysql = { - enable = true; - package = pkgs.mariadb; - }; - - phpfpm.pools."${sitePhpPool}" = { - user = siteUserPhp; - group = siteGroupPhp; - - settings = { - # Socket ownership so Nginx can connect - "listen.owner" = config.services.nginx.user; - "listen.group" = siteGroupPhp; - "listen.mode" = "0660"; - - # Dynamic process management tuned for small sites - pm = "dynamic"; - "pm.max_children" = "5"; - "pm.start_servers" = "2"; - "pm.min_spare_servers" = "1"; - "pm.max_spare_servers" = "3"; - - # Logging - "catch_workers_output" = true; - "php_admin_flag[log_errors]" = true; - }; - }; - - nginx = { - enable = true; - virtualHosts."${cfg.siteName}" = { - default = true; - root = siteDataDir; - - listen = [ - { - addr = "0.0.0.0"; - port = cfg.sitePort; - ssl = false; - } - ]; - - # 
Fallback for pretty permalinks - locations."/" = { - tryFiles = "$uri $uri/ /index.php?$args"; + "${siteUserPhp}" = { + isSystemUser = true; + group = siteGroupPhp; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; }; - extraConfig = '' - index index.php; - ''; - # 6.2 Handle PHP scripts - locations."~ \\.php$" = { - extraConfig = '' - fastcgi_split_path_info ^(.+\\.php)(/.+)$; - fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - include ${pkgs.nginx}/conf/fastcgi_params; - ''; + groups = { + "${siteGroup}" = {}; + "${siteGroupPhp}" = {}; }; }; - }; - }; - # Bootstrap WordPress on activation - environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? - system.activationScripts."setupWordpress-${cfg.siteName}".text = '' - mkdir -p ${siteDataDir} - if [ ! -f ${siteDataDir}/wp-config.php ]; then - cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ - chown -R ${siteUser}:${siteGroup} ${siteDataDir} - chmod -R 755 ${siteDataDir} - fi - ''; - }; + services = { + mysql = { + enable = true; + package = pkgs.mariadb; + }; + + phpfpm.pools."${sitePhpPool}" = { + user = siteUserPhp; + group = siteGroupPhp; + + settings = { + # Socket ownership so Nginx can connect + "listen.owner" = config.services.nginx.user; + "listen.group" = siteGroupPhp; + "listen.mode" = "0660"; + + # Dynamic process management tuned for small sites + pm = "dynamic"; + "pm.max_children" = "5"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + + # Logging + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + }; + }; + + nginx = { + enable = true; + virtualHosts."${siteName}" = { + default = true; + root = siteDataDir; + + listen = [ + { + addr = "0.0.0.0"; + port = opts.sitePort; + ssl = false; + } + ]; + + # Fallback for pretty permalinks + locations."/" = 
{ + tryFiles = "$uri $uri/ /index.php?$args"; + }; + + extraConfig = '' + index index.php; + ''; + + # Handle PHP scripts + locations."~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; + }; + }; + + # Bootstrap WordPress on activation + environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? + system.activationScripts."setupWordpress-${siteName}".text = '' + mkdir -p ${siteDataDir} + if [ ! -f ${siteDataDir}/wp-config.php ]; then + cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + chown -R ${siteUser}:${siteGroup} ${siteDataDir} + chmod -R 755 ${siteDataDir} + fi + ''; # TODO: tighten permissions (not 755) + } + ) + cfg); } diff --git a/modules/hosting/wordpress_from_krebs.nix b/modules/hosting/wordpress_from_krebs.nix new file mode 100644 index 0000000..28c143f --- /dev/null +++ b/modules/hosting/wordpress_from_krebs.nix 
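Review bot: The per-site `enable` option is declared but never consulted: `mkMergeTopLevel` folds every entry of `cfg` into the configuration, so a site declared with `enable = false` still gets its users, PHP-FPM pool, nginx vhost and activation script, whereas the removed code gated all of this behind `lib.mkIf cfg.enable`. Mapping over `(lib.filterAttrs (_: o: o.enable) cfg)` instead of `cfg` restores that gate. Two smaller points, which also apply to the copies in wordpress_from_krebs.nix, wordpress_new.nix and wordpress_refactor.nix: `siteGroup = config.services.nginx.user` declares a group named after the nginx user rather than `config.services.nginx.group`, and `chmod -R 755 ${siteDataDir}` leaves the whole site tree world-readable, which matters as soon as `wp-config.php` with the database credentials exists there (the TODO on that line says as much); `chmod -R u=rwX,g=rX,o= ${siteDataDir}` keeps it servable by the nginx group only. The `siteName` option is likewise declared but never read; the attribute name is used throughout.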
@@ -0,0 +1,186 @@ +{ + config, + pkgs, + lib, + ... +}: let + siteOpts = lib.types.submodule ({name, ...}: { + options = { + enable = lib.mkEnableOption "custom WordPress service"; + + siteName = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + + sitePort = lib.mkOption { + type = lib.types.port; + default = 80; + description = ""; # TODO: + }; + + #siteDataDir = lib.mkOption { + # type = lib.types.str; + # default = "/srv/http/${siteName}"; + #}; + #siteUser = lib.mkOption { + # type = lib.types.str; + # default = "user-${siteName}"; + #}; + #siteGroup = lib.mkOption { + # type = lib.types.str; + # default = config.services.nginx.user; + #}; + #siteUserPhp = lib.mkOption { + # type = lib.types.str; + # default = "${siteUser}-php"; + #}; + #siteGroupPhp = lib.mkOption { + # type = lib.types.str; + # default = siteUserPhp; + #}; + #sitePhpPool = lib.mkOption { + # type = lib.types.str; + # default = "wordpress-${siteName}"; + #}; + }; + }); + #sites = builtins.mapAttrs (siteName2: siteConfig: + # let + # siteName = if siteConfig.siteName != null then siteConfig.siteName else siteName2; + # in siteConfig // {siteName = siteName;} + #) cfg; + # + #enabledSites = lib.filterAttrs (name: config: config.enable) cfg; + #magie = banana: builtins.mapAttrs (siteName: site: banana) enabledSites; + + mkMergeTopLevel = names: attrs: + lib.getAttrs names ( + lib.mapAttrs (k: v: lib.mkMerge v) (lib.foldAttrs (n: a: [n] ++ a) [] attrs) + ); + + cfg = config.services.cWordpress; + + opts = siteName: { + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp = siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; + }; +in { + options = { + services.cWordpress = lib.mkOption { + type = lib.types.attrsOf siteOpts; + + default = {}; + description = ""; # TODO: + }; + }; + + config = { + users.users = lib.mapAttrs' (siteName: siteConfig: { + 
"user-${siteName}" = { + isSystemUser = true; + group = config.services.nginx.user; + home = "/srv/http/${siteName}"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + "user-${siteName}-php" = { + isSystemUser = true; + group = "user-${siteName}-php"; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }) cfg; + + users.groups = lib.mapAttrs' (siteName: siteConfig: { + ${config.services.nginx.user} = {}; + "user-${siteName}-php" = {}; + }) cfg; + + services = { + mysql = { + enable = true; + package = pkgs.mariadb; + }; + + phpfpm.pools."${sitePhpPool}" = { + user = siteUserPhp; + group = siteGroupPhp; + + settings = { + # Socket ownership so Nginx can connect + "listen.owner" = config.services.nginx.user; + "listen.group" = siteGroupPhp; + "listen.mode" = "0660"; + + # Dynamic process management tuned for small sites + pm = "dynamic"; + "pm.max_children" = "5"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + + # Logging + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + }; + }; + + nginx = { + enable = true; + virtualHosts."${siteName}" = { + default = true; + root = siteDataDir; + + listen = [ + { + addr = "0.0.0.0"; + port = opts.sitePort; + ssl = false; + } + ]; + + # Fallback for pretty permalinks + locations."/" = { + tryFiles = "$uri $uri/ /index.php?$args"; + }; + + extraConfig = '' + index index.php; + ''; + + # Handle PHP scripts + locations."~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; + }; + }; + + # Bootstrap WordPress on activation + environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? 
+ system.activationScripts."setupWordpress-${siteName}".text = '' + mkdir -p ${siteDataDir} + if [ ! -f ${siteDataDir}/wp-config.php ]; then + cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + chown -R ${siteUser}:${siteGroup} ${siteDataDir} + chmod -R 755 ${siteDataDir} + fi + ''; # TODO: tighten permissions (not 755) + } + ) + cfg); +} + diff --git a/modules/hosting/wordpress_new.nix b/modules/hosting/wordpress_new.nix new file mode 100644 index 0000000..0bb7752 --- /dev/null +++ b/modules/hosting/wordpress_new.nix 
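Review bot: This file does not evaluate as written: `lib.mapAttrs'` expects each callback to return a single `lib.nameValuePair`, but the `users.users` and `users.groups` callbacks return attrsets with two entries, and `sitePhpPool`, `siteUserPhp`, `siteGroupPhp`, `siteName`, `siteDataDir` and `opts.sitePort` are unbound inside `services` and `system.activationScripts` (the `opts` helper in the `let` is a function of `siteName` that is never called). The closing `} ) cfg); }` is also unbalanced. If this is a scratch copy, keeping it out of the tree, or fully commented like the experiments in wordpress.nix, avoids a broken module being imported by accident later; wordpress_refactor.nix has the same `mapAttrs'` shape problem.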
@@ -0,0 +1,138 @@ +{ + config, + pkgs, + lib, + ... +}: let + cfg = config.services.cWordpress; +in { + options = { + services.cWordpress = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule { + options.enable = lib.mkEnableOption "custom WordPress service"; + + options.sitePort = lib.mkOption { + type = lib.types.port; + default = 80; + description = ""; # TODO: + }; + }); + default = {}; + description = ""; # TODO: per-site WordPress configs + }; + }; + + config = lib.foldAttrs' (siteName: cfg: let + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp= siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; + in + lib.mkIf cfg.enable { + users = { + users = { + "${siteUser}" = { + isSystemUser = true; + group = siteGroup; + home = siteDataDir; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + ### 3) Service account for PHP-FPM pool + "${siteUserPhp}" = { + isSystemUser = true; + group = siteGroupPhp; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }; + + groups = { + "${siteGroup}" = {}; + "${siteGroupPhp}" = {}; + }; + }; + + services = { + mysql = { + enable = true; + package = pkgs.mariadb; + }; + + phpfpm.pools."${sitePhpPool}" = { + user = siteUserPhp; + group = siteGroupPhp; + + settings = { + # Socket ownership so Nginx can connect + "listen.owner" = config.services.nginx.user; + "listen.group" = siteGroupPhp; + "listen.mode" = "0660"; + + # Dynamic process management tuned for small sites + pm = "dynamic"; + "pm.max_children" = "5"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + + # Logging + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + }; + }; + + nginx = { + enable = true; + virtualHosts."${siteName}" = { + default = true; + root = siteDataDir; + + listen = [ + { + addr = "0.0.0.0"; + port = 
cfg.sitePort; + ssl = false; + } + ]; + + # Fallback for pretty permalinks + locations."/" = { + tryFiles = "$uri $uri/ /index.php?$args"; + }; + + extraConfig = '' + index index.php; + ''; + + # Handle PHP scripts + locations."~ \\.php$" = { + extraConfig = '' + fastcgi_split_path_info ^(.+\\.php)(/.+)$; + fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; + }; + }; + + # Bootstrap WordPress on activation + environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? + system.activationScripts."setupWordpress-${siteName}".text = '' + mkdir -p ${siteDataDir} + if [ ! -f ${siteDataDir}/wp-config.php ]; then + cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + chown -R ${siteUser}:${siteGroup} ${siteDataDir} + chmod -R 755 ${siteDataDir} + fi + ''; + }}) {} cfg; +} + diff --git a/modules/hosting/wordpress_refactor.nix b/modules/hosting/wordpress_refactor.nix new file mode 100644 index 0000000..953f5f9 --- /dev/null +++ b/modules/hosting/wordpress_refactor.nix 
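Review bot: `lib.foldAttrs'` is, as far as I know, not a nixpkgs lib function (there are `lib.foldAttrs` and `lib.foldlAttrs`), so `config = lib.foldAttrs' (...) {} cfg` will fail at evaluation with an undefined attribute. Even with `lib.foldlAttrs` (callback `acc: name: value:`) the per-site `lib.mkIf` values would have to be combined with `lib.mkMerge` rather than folded into a plain attrset, and the callback parameter named `cfg` shadows the outer `cfg` binding, which makes the body harder to read than it needs to be. On the positive side this is the only one of the three new variants that still honours `enable` via `lib.mkIf cfg.enable`.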
@@ -0,0 +1,145 @@ +{ + config, + pkgs, + lib, + ... +}: let + siteOpts = lib.types.submodule ({...}: { + options = { + enable = lib.mkEnableOption "custom WordPress service"; + + siteName = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + + sitePort = lib.mkOption { + type = lib.types.port; + default = 80; + description = ""; # TODO: + }; + }; + }); + + cfg = config.services.cWordpress; + + opts = siteName: rec { + siteDataDir = "/srv/http/${siteName}"; + siteUser = "user-${siteName}"; + siteGroup = config.services.nginx.user; + siteUserPhp = "${siteUser}-php"; + siteGroupPhp = siteUserPhp; + sitePhpPool = "wordpress-${siteName}"; + }; +in { + options = { + services.cWordpress = lib.mkOption { + type = lib.types.attrsOf siteOpts; + + default = {}; + description = ""; # TODO: + }; + }; + + config = { + users.users = lib.mapAttrs' (siteName: siteConfig: { + "user-${siteName}" = { + isSystemUser = true; + group = config.services.nginx.user; + home = "/srv/http/${siteName}"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + + "user-${siteName}-php" = { + isSystemUser = true; + group = "user-${siteName}-php"; + home = "/var/empty"; + createHome = false; + shell = "${pkgs.shadow}/bin/nologin"; + }; + }) cfg; + + users.groups = lib.mapAttrs' (siteName: siteConfig: { + ${config.services.nginx.user} = {}; + "user-${siteName}-php" = {}; + }) cfg; + + # services = { + # mysql = { + # enable = true; + # package = pkgs.mariadb; + # }; + # + # phpfpm.pools."${sitePhpPool}" = { + # user = siteUserPhp; + # group = siteGroupPhp; + # + # settings = { + # # Socket ownership so Nginx can connect + # "listen.owner" = config.services.nginx.user; + # "listen.group" = siteGroupPhp; + # "listen.mode" = "0660"; + # + # # Dynamic process management tuned for small sites + # pm = "dynamic"; + # "pm.max_children" = "5"; + # "pm.start_servers" = "2"; + # "pm.min_spare_servers" = "1"; + # "pm.max_spare_servers" = "3"; + # + # # Logging + # 
"catch_workers_output" = true; + # "php_admin_flag[log_errors]" = true; + # }; + # }; + # + # nginx = { + # enable = true; + # virtualHosts."${siteName}" = { + # default = true; + # root = siteDataDir; + # + # listen = [ + # { + # addr = "0.0.0.0"; + # port = opts.sitePort; + # ssl = false; + # } + # ]; + # + # # Fallback for pretty permalinks + # locations."/" = { + # tryFiles = "$uri $uri/ /index.php?$args"; + # }; + # + # extraConfig = '' + # index index.php; + # ''; + # + # # Handle PHP scripts + # locations."~ \\.php$" = { + # extraConfig = '' + # fastcgi_split_path_info ^(.+\\.php)(/.+)$; + # fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket}; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + # include ${pkgs.nginx}/conf/fastcgi_params; + # ''; + # }; + # }; + # }; + # }; + # + # # Bootstrap WordPress on activation + # environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? + # system.activationScripts."setupWordpress-${siteName}".text = '' + # mkdir -p ${siteDataDir} + # if [ ! -f ${siteDataDir}/wp-config.php ]; then + # cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ + # chown -R ${siteUser}:${siteGroup} ${siteDataDir} + # chmod -R 755 ${siteDataDir} + # fi + # ''; # TODO: tighten permissions (not 755) + }; +} diff --git a/outputs.nix b/outputs.nix index 98bff11..a4f6976 100644 --- a/outputs.nix +++ b/outputs.nix @@ -17,12 +17,12 @@ in { #jitsi = {stateVersion = "24.11";}; - # game-luanti = { - # stateVersion = "25.05"; - # unstable = true; - # }; + #game-luanti = { + # stateVersion = "25.05"; + # unstable = true; + #}; - ext-julia = {stateVersion = "24.11";}; + #ext-julia = {stateVersion = "24.11";}; }; # Your custom packages From 5274d24bef0bebe3de313974327992e95ff26600 Mon Sep 17 00:00:00 2001 
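Review bot: `opts = siteName: rec {...}` is defined in the `let` but nothing in the file calls it; the `users.users` and `users.groups` bodies re-derive `"user-${siteName}"`, `/srv/http/${siteName}` and the nginx user inline, so the two sources of truth will drift. Either use `(opts siteName).siteUser` and friends in those bodies or drop the helper.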
From: Ranomier <> Date: Wed, 28 May 2025 22:29:12 +0200 Subject: [PATCH 21/42] feat: updated to 25.05 (crocoite) --- flake.lock | 32 ++++++++++---------- flake.nix | 2 +- modules/software/audio_video/audio_video.nix | 22 ++++++++------ modules/software/fonts.nix | 10 ++---- 4 files changed, 32 insertions(+), 34 deletions(-) diff --git a/flake.lock b/flake.lock index ae187b1..1a83671 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1747331121, - "narHash": "sha256-3MmiUN/jOHBHQUnjqzg6qKArc17j2OS6jisEppDY4g8=", + "lastModified": 1747688870, + "narHash": "sha256-ypL9WAZfmJr5V70jEVzqGjjQzF0uCkz+AFQF7n9NmNc=", "owner": "nix-community", "repo": "home-manager", - "rev": "1eec32f0efe3b830927989767a9e6ece0d82d608", + "rev": "d5f1f641b289553927b3801580598d200a501863", "type": "github" }, "original": { @@ -59,11 +59,11 @@ ] }, "locked": { - "lastModified": 1742568034, - "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=", + "lastModified": 1747663185, + "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11", + "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", "type": "github" }, "original": { @@ -74,11 +74,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1747129300, - "narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=", + "lastModified": 1747900541, + "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "e81fd167b33121269149c57806599045fd33eeed", + "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06", "type": "github" }, "original": { 
@@ -90,11 +90,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1747179050, - "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=", + "lastModified": 1748026106, + "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e", + "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", "type": "github" }, "original": { @@ -106,16 +106,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1747209494, - "narHash": "sha256-fLise+ys+bpyjuUUkbwqo5W/UyIELvRz9lPBPoB0fbM=", + "lastModified": 1748162331, + "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5d736263df906c5da72ab0f372427814de2f52f8", + "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.11", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index 6ac302d..161a320 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { inputs = { # Main nix package repository - nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; home-manager = { url = "github:nix-community/home-manager/release-24.11"; diff --git a/modules/software/audio_video/audio_video.nix b/modules/software/audio_video/audio_video.nix index a3b1784..810aa06 100644 --- a/modules/software/audio_video/audio_video.nix +++ b/modules/software/audio_video/audio_video.nix 
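Review bot: `nixpkgs.url` moves to `nixos-25.05`, but the context line right below still pins `home-manager` to `release-24.11`; home-manager release branches track the matching nixpkgs release, so the mismatch is likely to surface as option or package incompatibilities on the next update. Bump `url = "github:nix-community/home-manager/release-25.05";` in the same change. The hunk ends before the rest of the `inputs` block, so other inputs may need the same treatment.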
@@ -1,18 +1,20 @@ {pkgs, ...}: { # Enable sound with pipewire - hardware.pulseaudio.enable = false; security.rtkit.enable = true; - services.pipewire = { - enable = true; - - # If you want to use JACK applications, uncomment this - jack.enable = true; - pulse.enable = true; - - alsa = { + services = { + pulseaudio.enable = false; + pipewire = { enable = true; - support32Bit = true; + + # If you want to use JACK applications, uncomment this + jack.enable = true; + pulse.enable = true; + + alsa = { + enable = true; + support32Bit = true; + }; }; }; diff --git a/modules/software/fonts.nix b/modules/software/fonts.nix index 69b264d..0530e20 100644 --- a/modules/software/fonts.nix +++ b/modules/software/fonts.nix @@ -13,12 +13,8 @@ fira-code-symbols #droid-sans-mono - (nerdfonts.override { - fonts = [ - "FiraCode" - "DroidSansMono" - "JetBrainsMono" - ]; - }) + nerd-fonts.fira-code + nerd-fonts.droid-sans-mono + nerd-fonts.jetbrains-mono ]; } From 5c013cf4f85d1517bc012dec117a351ba39842a6 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Thu, 29 May 2025 23:28:22 +0200 Subject: [PATCH 22/42] chore: flake.lock update --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 1a83671..bcd6b68 100644 --- a/flake.lock +++ b/flake.lock @@ -90,11 +90,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1748026106, - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", + "lastModified": 1748370509, + "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", + "rev": "4faa5f5321320e49a78ae7848582f684d64783e9", "type": "github" }, "original": { 
@@ -106,11 +106,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1748162331, - "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=", + "lastModified": 1748302896, + "narHash": "sha256-ixMT0a8mM091vSswlTORZj93WQAJsRNmEvqLL+qwTFM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334", + "rev": "7848cd8c982f7740edf76ddb3b43d234cb80fc4d", "type": "github" }, "original": { From d2a57431d5a74b4e15953893f22bf41691e457de Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Thu, 29 May 2025 23:30:42 +0200 Subject: [PATCH 23/42] fix: nicer syntax --- hosts/crocoite/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hosts/crocoite/default.nix b/hosts/crocoite/default.nix index 2b546da..19d7884 100644 --- a/hosts/crocoite/default.nix +++ b/hosts/crocoite/default.nix @@ -5,14 +5,15 @@ nixos-unstable, ... }: { - #nixpkgs.overlays = [ overlays.unstable-packages ]; + nixpkgs = { # You can add overlays here overlays = with inArgs.self.overlays; [ # Add overlays your own flake exports (from overlays and pkgs dir): + unstable-packages + #additions #modifications - unstable-packages # You can also add overlays exported from other flakes: # neovim-nightly-overlay.overlays.default From cc466ff1e85470a5bde419c461eaf70aea023dba Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Thu, 29 May 2025 23:33:24 +0200 Subject: [PATCH 24/42] feat: 25.05 is now stable --- outputs.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/outputs.nix b/outputs.nix index a4f6976..00443e2 100644 --- a/outputs.nix +++ b/outputs.nix @@ -17,10 +17,7 @@ in { #jitsi = {stateVersion = "24.11";}; - #game-luanti = { - # stateVersion = "25.05"; - # unstable = true; - #}; + game-luanti = {stateVersion = "25.05";}; #ext-julia = {stateVersion = "24.11";}; }; From 022f6deec84406f383c7a746c0d4afbd009ba7f4 Mon Sep 17 00:00:00 2001 
From: Ranomier <> Date: Fri, 30 May 2025 00:59:17 +0200 Subject: [PATCH 25/42] feat: add unattended-updates
---
 hosts/game-luanti/default.nix | 1 + modules/pkg_mgrmnt/unattended-updates.nix | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 modules/pkg_mgrmnt/unattended-updates.nix
diff --git a/hosts/game-luanti/default.nix b/hosts/game-luanti/default.nix
index 1aafbcc..f5b0f39 100644
--- a/hosts/game-luanti/default.nix
+++ b/hosts/game-luanti/default.nix
@@ -5,6 +5,7 @@
 ../../modules/game/server/luanti
 ../../modules/sec_auth/ssh-server.nix
+ ../../modules/pkg_mgrmnt/unattended-updates.nix
 ../../system_profiles/server.nix
 ];
diff --git a/modules/pkg_mgrmnt/unattended-updates.nix b/modules/pkg_mgrmnt/unattended-updates.nix new file mode 100644
index 0000000..0fe8f1c
--- /dev/null
+++ b/modules/pkg_mgrmnt/unattended-updates.nix
@@ -0,0 +1,13 @@
+{inArgs, ...}: {
+ system.autoUpgrade = {
+ enable = true;
+ flake = inArgs.self.outPath;
+ flags = [
+ "--update-input"
+ "nixpkgs"
+ "--print-build-logs"
+ ];
+ dates = "07:00";
+ randomizedDelaySec = "45min";
+ };
+}
From 09946b885a25305d1a167384e91ca83b297cd460 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Fri, 30 May 2025 00:59:59 +0200 Subject: [PATCH 26/42] feat: quota journald logs
---
 hosts/game-luanti/default.nix | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/hosts/game-luanti/default.nix b/hosts/game-luanti/default.nix
index f5b0f39..c69c055 100644
--- a/hosts/game-luanti/default.nix
+++ b/hosts/game-luanti/default.nix
@@ -17,4 +17,10 @@
 ../../certificates/id_ed25519_game-luanti.pub
 ];
 };
+
+ services.journald.extraConfig = ''
+ Storage=persistent
+ SystemMaxUse=100M
+ SystemKeepFree=50M
+ '';
 }
From e4fabdb3cb0499cdee8a3f613235dfccebe2381d Mon Sep 17 00:00:00 2001 
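Review bot: `flake = inArgs.self.outPath` points `system.autoUpgrade` at the immutable store copy of this flake as evaluated at deploy time, so the nightly run re-evaluates the same pinned `flake.lock`; `--update-input nixpkgs` cannot write a new lock file into the store, so as far as I can tell the timer will either fail on the lock write or keep rebuilding the already-deployed revision, and no security updates actually arrive unattended. Pointing `flake` at the repository itself (a `github:` URL or a writable checkout) is what the option is designed for. Note also that `--update-input` is, to my knowledge, deprecated in recent Nix in favour of `nix flake update nixpkgs`, and that without `allowReboot` a new kernel is built but not activated until someone reboots the host.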
From: Ranomier <> Date: Sun, 1 Jun 2025 22:11:55 +0200 Subject: [PATCH 27/42] wip: add first olivetin tests --- .../game/server/luanti/cleanup-and-pull.nix | 3 --- modules/game/server/luanti/default.nix | 1 + modules/game/server/luanti/olivetin.nix | 19 +++++++++++++++++++ 3 files changed, 20 insertions(+), 3 deletions(-) delete mode 100644 modules/game/server/luanti/cleanup-and-pull.nix create mode 100644 modules/game/server/luanti/olivetin.nix diff --git a/modules/game/server/luanti/cleanup-and-pull.nix b/modules/game/server/luanti/cleanup-and-pull.nix deleted file mode 100644 index af5dd69..0000000 --- a/modules/game/server/luanti/cleanup-and-pull.nix +++ /dev/null @@ -1,3 +0,0 @@ -{pkgs, ...}: { - -} diff --git a/modules/game/server/luanti/default.nix b/modules/game/server/luanti/default.nix index 2ec6fbe..a6f8da3 100644 --- a/modules/game/server/luanti/default.nix +++ b/modules/game/server/luanti/default.nix @@ -2,6 +2,7 @@ imports = [ ./luanti.nix #./mods.nix + ./olivetin.nix ./postgresql.nix ]; } diff --git a/modules/game/server/luanti/olivetin.nix b/modules/game/server/luanti/olivetin.nix new file mode 100644 index 0000000..a1c989e --- /dev/null +++ b/modules/game/server/luanti/olivetin.nix @@ -0,0 +1,19 @@ +{ pkgs, ... }: { + services.olivetin = { + enable = true; + settings = { + actions = [ + { + title = "Hello world!"; + shell = "echo 'Hello World!'"; + popupOnStart = "execution-dialog-stdout-only"; + } + ]; + }; + + path = with pkgs; [ + bash + git + ]; + }; +} From abdddf1ba46d2a018e73eec07cc7d06e9e094134 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Wed, 4 Jun 2025 22:41:22 +0200 Subject: [PATCH 28/42] feat: switch to sudo-rs! --- modules/sec_auth/default.nix | 1 + modules/sec_auth/sudo-rs.nix | 3 +++ system_profiles/defaults.nix | 1 + 3 files changed, 5 insertions(+) create mode 100644 modules/sec_auth/sudo-rs.nix diff --git a/modules/sec_auth/default.nix b/modules/sec_auth/default.nix index 110b2ab..27bdd07 100644 
--- a/modules/sec_auth/default.nix
+++ b/modules/sec_auth/default.nix
@@ -5,5 +5,6 @@
 ./login-manager.nix
 ./ssh-client.nix
 #./ssh-server.nix
+ ./sudo-rs.nix
 ];
 }
diff --git a/modules/sec_auth/sudo-rs.nix b/modules/sec_auth/sudo-rs.nix new file mode 100644
index 0000000..bb57d00
--- /dev/null
+++ b/modules/sec_auth/sudo-rs.nix
@@ -0,0 +1,3 @@
+{
+ security.sudo-rs.enable = true;
+}
diff --git a/system_profiles/defaults.nix b/system_profiles/defaults.nix
index 892de39..442281f 100644
--- a/system_profiles/defaults.nix
+++ b/system_profiles/defaults.nix
@@ -20,5 +20,6 @@ imports = [
 ../modules/locale.nix
+ ../modules/sec_auth/sudo-rs.nix
 ];
 }
From 0b79642f7ed979ced00446733c46599b8534f153 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Wed, 4 Jun 2025 22:42:23 +0200 Subject: [PATCH 29/42] wip: let olivetin access specific things
---
 modules/game/server/luanti/olivetin.nix | 57 ++++++++++++++++++++++--- 1 file changed, 51 insertions(+), 6 deletions(-)
diff --git a/modules/game/server/luanti/olivetin.nix b/modules/game/server/luanti/olivetin.nix
index a1c989e..e84a9c3 100644
--- a/modules/game/server/luanti/olivetin.nix
+++ b/modules/game/server/luanti/olivetin.nix
@@ -1,19 +1,64 @@
-{ pkgs, ... }: {
+{ pkgs, lib, ... }: let
+ _pull = pkgs.writeShellScript "pull" ''
+ export GIT_SSH_COMMAND='ssh -i /var/lib/minetest/.ssh/id_ed25519_temp -o IdentitiesOnly=yes'
+ git -C /var/lib/minetest/.minetest/games/EinsDreiDreiSieben pull
+ '';
+ pull = _pull.outPath;
+
+ _restart = pkgs.writeShellScript "restart" ''
+ echo "before"
+ systemctl restart minetest-server.service
+ echo "after"
+ '';
+ restart = _restart.outPath;
+
+in {
+ users.users."minetest".linger = true;
 services.olivetin = {
 enable = true;
 settings = {
 actions = [
 {
- title = "Hello world!";
- shell = "echo 'Hello World!'";
+ title = "puuuull!";
+ shell = "/run/wrappers/bin/sudo -u minetest - ${pull}";
 popupOnStart = "execution-dialog-stdout-only";
+ icon = "⬇";
+ }
+ {
+ title = "restart";
+ shell = "/run/wrappers/bin/sudo -u minetest - ${restart}";
+ popupOnStart = "execution-dialog-stdout-only";
+ icon = "⬇";
 }
 ];
 };
- path = with pkgs; [
- bash
- git
+ path = [
+ pkgs.git
+ pkgs.openssh
 ];
 };
+ security.sudo-rs.extraRules = [
+ {
+ users = [ "olivetin" ];
+ runAs = "minetest";
+ commands = [
+ {
+ command = pull;
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ {
+
+ users = [ "olivetin" ];
+ runAs = "root";
+ commands = [
+ {
+ command = restart;
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
 }
From af0bb8743ee602fce4b908a838615f70459b60e2 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Wed, 4 Jun 2025 22:43:01 +0200 Subject: [PATCH 30/42] wip: switch to librewolf
---
 modules/sec_auth/firejail.nix | 15 +++++++++++++ modules/software/browser/default.nix | 19 +++++++++++++++++-- modules/software/browser/firefox.nix | 15 ++++++--------- modules/software/browser/librewolf.nix | 10 ++++++++++ 4 files changed, 48 insertions(+), 11 deletions(-) create mode 100644 modules/software/browser/librewolf.nix
diff --git a/modules/sec_auth/firejail.nix b/modules/sec_auth/firejail.nix
index 11f7836..07224c5 100644
--- a/modules/sec_auth/firejail.nix
+++ b/modules/sec_auth/firejail.nix
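Review bot: The restart action runs `sudo -u minetest - ${restart}`, but the only sudo-rs rule that permits `restart` has `runAs = "root"` (the `minetest` rule covers only `pull`), so the command will be refused; either call it as `sudo ${restart}` to match the rule, or, for least privilege, give the restart rule `runAs = "minetest"` and grant that user `systemctl restart minetest-server.service` through a polkit rule instead of root. The bare `-` between the user and the script path looks like a `su -` idiom; sudo does not accept it and will, I believe, treat it as the command name. The hunk sets no listen address and no authentication for `services.olivetin`, so whatever the upstream default is (I understand it to be all interfaces without auth) now fronts a UI that executes commands as other users; binding it to localhost or putting it behind an authenticating reverse proxy should land before this is enabled on a reachable host. The two rules whitelisting exact store paths with no argument wildcards are the right shape.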
@@ -44,6 +44,21 @@ ]; }; + librewolf = { + executable = "${pkgs.librewolf}/bin/librewolf"; + profile = "${pkgs.firejail}/etc/firejail/librewolf.profile"; + extraArgs = [ + # Required for U2F USB stick + "--ignore=private-dev" + # Enforce dark mode + "--env=GTK_THEME=Adwaita:dark" + # Enable system notifications + "--dbus-user.talk=org.freedesktop.Notifications" + # For screen sharing + "--dbus-user.talk=org.freedesktop.portal.*" + ]; + }; + nyxt = { executable = "${pkgs.nyxt}/bin/nyxt"; profile = "${pkgs.firejail}/etc/firejail/chromium-browser.profile"; diff --git a/modules/software/browser/default.nix b/modules/software/browser/default.nix index 9903eb0..ab10d64 100644 --- a/modules/software/browser/default.nix +++ b/modules/software/browser/default.nix @@ -1,7 +1,22 @@ -{ +{pkgs, ...}: let + package = pkgs.librewolf; +in { imports = [ ./brave.nix - ./firefox.nix + #./firefox.nix + ./librewolf.nix ./nyxt.nix ]; + + environment.sessionVariables.DEFAULT_BROWSER = + "${package}/bin/" + + builtins.replaceStrings [".desktop"] [""] package.desktopItem.name; + + xdg.mime.defaultApplications = let + browser_desktop_file = package.desktopItem.name; + in { + "text/html" = browser_desktop_file; + "x-scheme-handler/http" = browser_desktop_file; + "x-scheme-handler/https" = browser_desktop_file; + }; } diff --git a/modules/software/browser/firefox.nix b/modules/software/browser/firefox.nix index 3f4b90a..a27d896 100644 --- a/modules/software/browser/firefox.nix +++ b/modules/software/browser/firefox.nix 
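Review bot: `--dbus-user.talk=org.freedesktop.portal.*` in the new `librewolf` entry lets the sandboxed browser talk to every portal bus name, although the comment only justifies screen sharing; the portal interfaces (ScreenCast included) are served on `org.freedesktop.portal.Desktop`, so `"--dbus-user.talk=org.freedesktop.portal.Desktop"` is presumably enough — verify against the portal you run. Likewise `--ignore=private-dev` reopens the whole of `/dev` for the U2F stick; if your firejail version offers a narrower device allow-list for hidraw, prefer it. The four `extraArgs` look identical to what the preceding entry (outside the hunk) needs; if so, bind the list once in a `let` and share it between the browser entries so the two sandboxes cannot drift apart.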
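Review bot: `DEFAULT_BROWSER` in `modules/software/browser/default.nix` is derived by stripping `.desktop` from `package.desktopItem.name` and gluing it onto `${package}/bin/`, which silently yields a non-existent path whenever a package's desktop-file name differs from its binary name, and it assumes the wrapped package exposes `desktopItem` at all. nixpkgs already records the executable in `meta.mainProgram`; taking `lib` in the module arguments and writing `environment.sessionVariables.DEFAULT_BROWSER = lib.getExe package;` is the conventional form and fails at evaluation time rather than at first click. The `xdg.mime.defaultApplications` block can keep using `package.desktopItem.name` once that attribute is confirmed present for librewolf.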
@@ -1,13 +1,10 @@ -{pkgs, ...}: { +{pkgs, ...}: let + package = pkgs.firefox; +in { # The logical browser of choice - programs.firefox.enable = true; + programs.firefox = { + enable = true; - xdg.mime.defaultApplications = let - browser_desktop_file = "firefox.desktop"; - in { - "text/html" = browser_desktop_file; - "x-scheme-handler/http" = browser_desktop_file; - "x-scheme-handler/https" = browser_desktop_file; + package = package; }; - environment.sessionVariables.DEFAULT_BROWSER = "${pkgs.firefox}/bin/firefox"; } diff --git a/modules/software/browser/librewolf.nix b/modules/software/browser/librewolf.nix new file mode 100644 index 0000000..7e10a70 --- /dev/null +++ b/modules/software/browser/librewolf.nix @@ -0,0 +1,10 @@ +{pkgs, ...}: let + package = pkgs.librewolf; +in { + # The logical browser of choice + programs.firefox = { + enable = true; + + package = package; + }; +} From 68f44bcc3a863db8f1bf0ce662fb6dc92930efd4 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Wed, 4 Jun 2025 23:01:41 +0200 Subject: [PATCH 31/42] feat: create lib folder, for functions --- debug.nix => lib/debug.nix | 0 hostHelper.nix => lib/hostHelper.nix | 0 outputs.nix | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) rename debug.nix => lib/debug.nix (100%) rename hostHelper.nix => lib/hostHelper.nix (100%) diff --git a/debug.nix b/lib/debug.nix similarity index 100% rename from debug.nix rename to lib/debug.nix diff --git a/hostHelper.nix b/lib/hostHelper.nix similarity index 100% rename from hostHelper.nix rename to lib/hostHelper.nix diff --git a/outputs.nix b/outputs.nix index 00443e2..77cf49c 100644 --- a/outputs.nix +++ b/outputs.nix @@ -1,5 +1,5 @@ inArgs: let - hostHelper = import ./hostHelper.nix inArgs; + hostHelper = import ./lib/hostHelper.nix inArgs; # Supported systems for your flake packages, shell, etc. systems = [ From 924304c8ead07e4362f8acbbd1a3420bcf046408 Mon Sep 17 00:00:00 2001 
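Review bot: `modules/software/browser/firefox.nix` and the new `librewolf.nix` both define `programs.firefox.package` at normal priority, so importing both (firefox.nix is only commented out in `default.nix`, not removed) fails with a conflicting-definition error for `programs.firefox.package`; if the two files are meant to coexist, mark one with `package = lib.mkDefault package;` (and take `lib` in its arguments), otherwise delete the firefox file. The comment `# The logical browser of choice` is now duplicated verbatim in both files and no longer says which one is chosen; a per-file line such as `# Librewolf, wired through the programs.firefox module` tells the reader what each file is for.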
From: Ranomier <> Date: Sun, 8 Jun 2025 03:32:28 +0200 Subject: [PATCH 32/42] fix: correct path --- lib/hostHelper.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/hostHelper.nix b/lib/hostHelper.nix index 13e7f33..48f46ac 100644 --- a/lib/hostHelper.nix +++ b/lib/hostHelper.nix @@ -7,7 +7,7 @@ in nixosSystem { specialArgs = {inherit inArgs;}; modules = [ - ./hosts/${hostname} + ../hosts/${hostname} #./debug.nix { networking.hostName = hostname; From c9e7080160ce594617c10e67736f6bc0edbffeb8 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Sun, 8 Jun 2025 03:33:24 +0200 Subject: [PATCH 33/42] fix: rename tests to experiments --- {tests => experiments}/default.nix | 0 {tests => experiments}/glitchtip-container.nix | 0 hosts/crocoite/default.nix | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) rename {tests => experiments}/default.nix (100%) rename {tests => experiments}/glitchtip-container.nix (100%) diff --git a/tests/default.nix b/experiments/default.nix similarity index 100% rename from tests/default.nix rename to experiments/default.nix diff --git a/tests/glitchtip-container.nix b/experiments/glitchtip-container.nix similarity index 100% rename from tests/glitchtip-container.nix rename to experiments/glitchtip-container.nix diff --git a/hosts/crocoite/default.nix b/hosts/crocoite/default.nix index 19d7884..6bf6d0e 100644 --- a/hosts/crocoite/default.nix +++ b/hosts/crocoite/default.nix @@ -56,6 +56,6 @@ ../../modules/pkg_mgrmnt ../../system_profiles/defaults.nix - # ../../tests + # ../../experiments ]; } From 5618c615f3071f49c5f34b555b38a4333bda18c7 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Sun, 8 Jun 2025 23:11:26 +0200 Subject: [PATCH 34/42] chore: update --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index bcd6b68..4fb75a7 100644 --- a/flake.lock +++ b/flake.lock 
@@ -74,11 +74,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1747900541, - "narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=", + "lastModified": 1749195551, + "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06", + "rev": "4602f7e1d3f197b3cb540d5accf5669121629628", "type": "github" }, "original": { @@ -90,11 +90,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1748370509, - "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=", + "lastModified": 1749143949, + "narHash": "sha256-QuUtALJpVrPnPeozlUG/y+oIMSLdptHxb3GK6cpSVhA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4faa5f5321320e49a78ae7848582f684d64783e9", + "rev": "d3d2d80a2191a73d1e86456a751b83aa13085d7d", "type": "github" }, "original": { @@ -106,11 +106,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1748302896, - "narHash": "sha256-ixMT0a8mM091vSswlTORZj93WQAJsRNmEvqLL+qwTFM=", + "lastModified": 1749086602, + "narHash": "sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7848cd8c982f7740edf76ddb3b43d234cb80fc4d", + "rev": "4792576cb003c994bd7cc1edada3129def20b27d", "type": "github" }, "original": { From 71487763a6243d638454913f92f33376de05b931 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Sun, 8 Jun 2025 23:11:43 +0200 Subject: [PATCH 35/42] fix: sort and doc --- flake.nix | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/flake.nix b/flake.nix index 161a320..fd12532 100644 --- a/flake.nix +++ b/flake.nix 
@@ -3,10 +3,11 @@ # Main nix package repository nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; - home-manager = { - url = "github:nix-community/home-manager/release-24.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + # NixOS unstable + nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; + + # ready made hardware configurations. e.G.: Power saving + nixos-hardware.url = "github:NixOS/nixos-hardware/master"; # generating filesystems in different formats nixos-generators = { @@ -14,11 +15,11 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - # NixOS unstable channel - nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; - - # ready made hardware configurations. e.G.: Power saving - nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + # additional user specific nix modules + home-manager = { + url = "github:nix-community/home-manager/release-24.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; # for managing flatpaks, like which ones are installed and which not nix-flatpak.url = "github:gmodena/nix-flatpak"; From 8af91887cadcc8537c31b56245c41d480becb723 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Sun, 8 Jun 2025 23:16:20 +0200 Subject: [PATCH 36/42] feat: add stylix input --- flake.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/flake.nix b/flake.nix index fd12532..d151a54 100644 --- a/flake.nix +++ b/flake.nix @@ -21,6 +21,12 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + # theming + stylix = { + url = "github:danth/stylix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + # for managing flatpaks, like which ones are installed and which not nix-flatpak.url = "github:gmodena/nix-flatpak"; }; From 6168b5e200625435d50a0524fc2f79dc3d732cf4 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Mon, 9 Jun 2025 17:24:09 +0200 Subject: [PATCH 37/42] fix: avoid inherit --- lib/hostHelper.nix | 2 +- outputs.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/hostHelper.nix b/lib/hostHelper.nix index 48f46ac..21eace4 100644 
--- a/lib/hostHelper.nix +++ b/lib/hostHelper.nix @@ -5,7 +5,7 @@ inArgs: hostname: hostOptions: let else inArgs.nixpkgs.lib.nixosSystem; in nixosSystem { - specialArgs = {inherit inArgs;}; + specialArgs = {inArgs = inArgs;}; modules = [ ../hosts/${hostname} #./debug.nix diff --git a/outputs.nix b/outputs.nix index 77cf49c..67d0073 100644 --- a/outputs.nix +++ b/outputs.nix @@ -27,7 +27,7 @@ in { #packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system}); # Your custom packages and modifications, exported as overlays - overlays = import ./overlays {inherit inArgs;}; + overlays = import ./overlays {inArgs = inArgs;}; # Reusable nixos modules you might want to export # These are usually stuff you would upstream into nixpkgs From 6972221bda782c8ad1bc0a9788fa979d44797da0 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Mon, 9 Jun 2025 18:14:05 +0200 Subject: [PATCH 38/42] feat: add stylix without home-manager yet --- flake.lock | 417 +++++++++++++++++++++++++++++++-- flake.nix | 10 +- modules/default.nix | 5 +- modules/theming.nix | 10 + modules/wm_and_de/hyprland.nix | 10 +- 5 files changed, 423 insertions(+), 29 deletions(-) create mode 100644 modules/theming.nix diff --git a/flake.lock b/flake.lock index 4fb75a7..a257040 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,33 +1,234 @@ { "nodes": { - "home-manager": { + "base16": { "inputs": { - "nixpkgs": [ + "fromYaml": "fromYaml" + }, + "locked": { + "lastModified": 1746562888, + "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=", + "owner": "SenchoPens", + "repo": "base16.nix", + "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89", + "type": "github" + }, + "original": { + "owner": "SenchoPens", + "repo": "base16.nix", + "type": "github" + } + }, + "base16-fish": { + "flake": false, + "locked": { + "lastModified": 1622559957, + "narHash": "sha256-PebymhVYbL8trDVVXxCvZgc0S5VxI7I1Hv4RMSquTpA=", + "owner": "tomyun", + "repo": "base16-fish", + "rev": "2f6dd973a9075dabccd26f1cded09508180bf5fe", + "type": "github" + }, + "original": { + "owner": "tomyun", + "repo": "base16-fish", + "type": "github" + } + }, + "base16-helix": { + "flake": false, + "locked": { + "lastModified": 1736852337, + "narHash": "sha256-esD42YdgLlEh7koBrSqcT7p2fsMctPAcGl/+2sYJa2o=", + "owner": "tinted-theming", + "repo": "base16-helix", + "rev": "03860521c40b0b9c04818f2218d9cc9efc21e7a5", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-helix", + "type": "github" + } + }, + "base16-vim": { + "flake": false, + "locked": { + "lastModified": 1732806396, + "narHash": "sha256-e0bpPySdJf0F68Ndanwm+KWHgQiZ0s7liLhvJSWDNsA=", + "owner": "tinted-theming", + "repo": "base16-vim", + "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-vim", + "rev": "577fe8125d74ff456cf942c733a85d769afe58b7", + "type": "github" + } + }, + "firefox-gnome-theme": { + "flake": false, + "locked": { + "lastModified": 1744642301, + "narHash": "sha256-5A6LL7T0lttn1vrKsNOKUk9V0ittdW0VEqh6AtefxJ4=", + "owner": "rafaelmardojai", + "repo": "firefox-gnome-theme", + "rev": "59e3de00f01e5adb851d824cf7911bd90c31083a", + "type": "github" + }, + "original": { + "owner": "rafaelmardojai", + "repo": "firefox-gnome-theme", 
+ "type": "github" + } + }, + "flake-compat": { + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "stylix", "nixpkgs" ] }, "locked": { - "lastModified": 1747688870, - "narHash": "sha256-ypL9WAZfmJr5V70jEVzqGjjQzF0uCkz+AFQF7n9NmNc=", + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "fromYaml": { + "flake": false, + "locked": { + "lastModified": 1731966426, + "narHash": "sha256-lq95WydhbUTWig/JpqiB7oViTcHFP8Lv41IGtayokA8=", + "owner": "SenchoPens", + "repo": "fromYaml", + "rev": "106af9e2f715e2d828df706c386a685698f3223b", + "type": "github" + }, + "original": { + "owner": "SenchoPens", + "repo": "fromYaml", + "type": "github" + } + }, + "git-hooks": { + "inputs": { + "flake-compat": [ + "stylix", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "stylix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1742649964, + "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "stylix", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", 
+ "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gnome-shell": { + "flake": false, + "locked": { + "lastModified": 1744584021, + "narHash": "sha256-0RJ4mJzf+klKF4Fuoc8VN8dpQQtZnKksFmR2jhWE1Ew=", + "owner": "GNOME", + "repo": "gnome-shell", + "rev": "52c517c8f6c199a1d6f5118fae500ef69ea845ae", + "type": "github" + }, + "original": { + "owner": "GNOME", + "ref": "48.1", + "repo": "gnome-shell", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "stylix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1747556831, + "narHash": "sha256-Qb84nbYFFk0DzFeqVoHltS2RodAYY5/HZQKE8WnBDsc=", "owner": "nix-community", "repo": "home-manager", - "rev": "d5f1f641b289553927b3801580598d200a501863", + "rev": "d0bbd221482c2713cccb80220f3c9d16a6e20a33", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-24.11", + "ref": "release-25.05", "repo": "home-manager", "type": "github" } }, "nix-flatpak": { "locked": { - "lastModified": 1744659587, - "narHash": "sha256-xJnbmRVte13akgn+Prg06IaRHJ5OX3uVltwsCP/mxoc=", + "lastModified": 1749394952, + "narHash": "sha256-WbWkzIvB0gqAdBLghdmUpGveY7MlAS2iMj3VEJnJ9yE=", "owner": "gmodena", "repo": "nix-flatpak", - "rev": "928d868a9141b48f152d3b2b00c433e688d4b106", + "rev": "64c6e53a3999957c19ab95cda78bde466d8374cc", "type": "github" }, "original": { @@ -90,11 +291,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1749143949, - "narHash": "sha256-QuUtALJpVrPnPeozlUG/y+oIMSLdptHxb3GK6cpSVhA=", + "lastModified": 1749285348, + "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d3d2d80a2191a73d1e86456a751b83aa13085d7d", + "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f", "type": "github" }, "original": { 
@@ -106,11 +307,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1749086602, - "narHash": "sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU=", + "lastModified": 1749237914, + "narHash": "sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4792576cb003c994bd7cc1edada3129def20b27d", + "rev": "70c74b02eac46f4e4aa071e45a6189ce0f6d9265", "type": "github" }, "original": { 
@@ -120,14 +321,196 @@ "type": "github" } }, + "nur": { + "inputs": { + "flake-parts": [ + "stylix", + "flake-parts" + ], + "nixpkgs": [ + "stylix", + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1746056780, + "narHash": "sha256-/emueQGaoT4vu0QjU9LDOG5roxRSfdY0K2KkxuzazcM=", + "owner": "nix-community", + "repo": "NUR", + "rev": "d476cd0972dd6242d76374fcc277e6735715c167", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + } + }, "root": { "inputs": { - "home-manager": "home-manager", "nix-flatpak": "nix-flatpak", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", "nixos-unstable": "nixos-unstable", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "stylix": "stylix" + } + }, + "stylix": { + "inputs": { + "base16": "base16", + "base16-fish": "base16-fish", + "base16-helix": "base16-helix", + "base16-vim": "base16-vim", + "firefox-gnome-theme": "firefox-gnome-theme", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "git-hooks": "git-hooks", + "gnome-shell": "gnome-shell", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "nur": "nur", + "systems": "systems", + "tinted-foot": "tinted-foot", + "tinted-kitty": "tinted-kitty", + "tinted-schemes": "tinted-schemes", + "tinted-tmux": "tinted-tmux", + "tinted-zed": "tinted-zed" + }, + "locked": { + "lastModified": 1749389855, + "narHash": "sha256-//wZBnlBJ7Ki5/ZdafiAZwVFZd/2HhKqEbOupo/HcRA=", + "owner": "danth", + "repo": "stylix", + "rev": "bf5ab9df57a3d77847289c39c3a537bd6e6ac6f4", + "type": "github" + }, + "original": { + "owner": "danth", + "ref": "release-25.05", + "repo": "stylix", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": 
{ + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "tinted-foot": { + "flake": false, + "locked": { + "lastModified": 1726913040, + "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=", + "owner": "tinted-theming", + "repo": "tinted-foot", + "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-foot", + "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", + "type": "github" + } + }, + "tinted-kitty": { + "flake": false, + "locked": { + "lastModified": 1735730497, + "narHash": "sha256-4KtB+FiUzIeK/4aHCKce3V9HwRvYaxX+F1edUrfgzb8=", + "owner": "tinted-theming", + "repo": "tinted-kitty", + "rev": "de6f888497f2c6b2279361bfc790f164bfd0f3fa", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-kitty", + "type": "github" + } + }, + "tinted-schemes": { + "flake": false, + "locked": { + "lastModified": 1744974599, + "narHash": "sha256-Fg+rdGs5FAgfkYNCs74lnl8vkQmiZVdBsziyPhVqrlY=", + "owner": "tinted-theming", + "repo": "schemes", + "rev": "28c26a621123ad4ebd5bbfb34ab39421c0144bdd", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "schemes", + "type": "github" + } + }, + "tinted-tmux": { + "flake": false, + "locked": { + "lastModified": 1745111349, + "narHash": "sha256-udV+nHdpqgkJI9D0mtvvAzbqubt9jdifS/KhTTbJ45w=", + "owner": "tinted-theming", + "repo": "tinted-tmux", + "rev": "e009f18a01182b63559fb28f1c786eb027c3dee9", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-tmux", + "type": "github" + } + }, + "tinted-zed": { + "flake": false, + "locked": { + "lastModified": 1725758778, + "narHash": "sha256-8P1b6mJWyYcu36WRlSVbuj575QWIFZALZMTg5ID/sM4=", + "owner": "tinted-theming", + "repo": "base16-zed", + "rev": "122c9e5c0e6f27211361a04fae92df97940eccf9", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "base16-zed", + "type": 
"github" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "stylix", + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733222881, + "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "49717b5af6f80172275d47a418c9719a31a78b53", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index d151a54..27fefb9 100644 --- a/flake.nix +++ b/flake.nix @@ -16,14 +16,14 @@ }; # additional user specific nix modules - home-manager = { - url = "github:nix-community/home-manager/release-24.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + #home-manager = { + # url = "github:nix-community/home-manager/release-25.05"; + # inputs.nixpkgs.follows = "nixpkgs"; + #}; # theming stylix = { - url = "github:danth/stylix"; + url = "github:danth/stylix/release-25.05"; inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/modules/default.nix b/modules/default.nix index 3d82f4f..745b4c0 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,11 +1,12 @@ { imports = [ - #./plymouth.nix ./accessibility.nix ./customisation.nix ./environment.nix + ./firewall.nix ./locale.nix ./networking.nix - ./firewall.nix + #./plymouth.nix + ./theming.nix ]; } diff --git a/modules/theming.nix b/modules/theming.nix new file mode 100644 index 0000000..8e39278 --- /dev/null +++ b/modules/theming.nix @@ -0,0 +1,10 @@ +{pkgs, inArgs, ...}: { + imports = [ + inArgs.stylix.nixosModules.stylix + ]; + stylix = { + enable = true; + base16Scheme = "${pkgs.base16-schemes}/share/themes/gruvbox-dark.yaml"; + polarity = "dark"; + }; +} diff --git a/modules/wm_and_de/hyprland.nix b/modules/wm_and_de/hyprland.nix index 112817c..8482832 100644 --- a/modules/wm_and_de/hyprland.nix +++ b/modules/wm_and_de/hyprland.nix 
@@ -41,11 +41,11 @@ # for mounting stuff, also needs a auth agent like lxqt.lxqt-policykit services.gvfs.enable = true; - qt = { - enable = true; - platformTheme = "qt5ct"; - style = "kvantum"; - }; + #qt = { + # enable = true; + # platformTheme = "qt5ct"; + # style = "kvantum"; + #}; environment.pathsToLink = ["/share/foot"]; From fb74976f82526dce6c185f99d593586a1c1ee746 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Mon, 9 Jun 2025 20:37:55 +0200 Subject: [PATCH 39/42] fix: move import --- hosts/crocoite/default.nix | 2 -- modules/pkg_mgrmnt/flatpak.nix | 3 ++- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/hosts/crocoite/default.nix b/hosts/crocoite/default.nix index 6bf6d0e..bd867fa 100644 --- a/hosts/crocoite/default.nix +++ b/hosts/crocoite/default.nix @@ -31,8 +31,6 @@ # steam and other stuff seems to depend on perl #"${modulesPath}/profiles/perlless.nix" - inArgs.nix-flatpak.nixosModules.nix-flatpak - #nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1 ./hardware-configuration.nix ./boot.nix diff --git a/modules/pkg_mgrmnt/flatpak.nix b/modules/pkg_mgrmnt/flatpak.nix index 023ed07..4fdf226 100644 --- a/modules/pkg_mgrmnt/flatpak.nix +++ b/modules/pkg_mgrmnt/flatpak.nix @@ -1,4 +1,5 @@ -{ +{inArgs, ...}: { + imports = [ inArgs.nix-flatpak.nixosModules.nix-flatpak ]; services.flatpak = { enable = true; update.auto = { From f9acc609b265e1a04d84505a2fc5bf45cb3fd8a4 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Mon, 9 Jun 2025 20:52:04 +0200 Subject: [PATCH 40/42] feat: reenable home-manager --- flake.lock | 24 +++++++++++++++++++++++- flake.nix | 8 ++++---- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index a257040..c646fe8 100644 --- a/flake.lock +++ b/flake.lock 
@@ -201,6 +201,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1749154018, + "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-25.05", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "stylix", @@ -349,6 +370,7 @@ }, "root": { "inputs": { + "home-manager": "home-manager", "nix-flatpak": "nix-flatpak", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", @@ -368,7 +390,7 @@ "flake-parts": "flake-parts", "git-hooks": "git-hooks", "gnome-shell": "gnome-shell", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "nixpkgs": [ "nixpkgs" ], diff --git a/flake.nix b/flake.nix index 27fefb9..ef446c9 100644 --- a/flake.nix +++ b/flake.nix @@ -16,10 +16,10 @@ }; # additional user specific nix modules - #home-manager = { - # url = "github:nix-community/home-manager/release-25.05"; - # inputs.nixpkgs.follows = "nixpkgs"; - #}; + home-manager = { + url = "github:nix-community/home-manager/release-25.05"; + inputs.nixpkgs.follows = "nixpkgs"; + }; # theming stylix = { From 116aaaacff27e8203d2262692312eb9cc9f214f8 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Sat, 14 Jun 2025 12:40:08 +0200 Subject: [PATCH 41/42] wip: home-manager + stylix --- modules/users/default.nix | 2 +- modules/users/ranomier/default.nix | 6 ++++++ modules/users/ranomier/home-manager.nix | 16 ++++++++++++++++ modules/users/{ => ranomier}/ranomier.nix | 1 - 4 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 modules/users/ranomier/default.nix create mode 100644 modules/users/ranomier/home-manager.nix rename modules/users/{ => ranomier}/ranomier.nix (90%) 
diff --git a/modules/users/default.nix b/modules/users/default.nix index dc0b97d..46e834e 100644 --- a/modules/users/default.nix +++ b/modules/users/default.nix @@ -1,5 +1,5 @@ { imports = [ - ./ranomier.nix + ./ranomier ]; } diff --git a/modules/users/ranomier/default.nix b/modules/users/ranomier/default.nix new file mode 100644 index 0000000..125fcee --- /dev/null +++ b/modules/users/ranomier/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./home-manager.nix + ./ranomier.nix + ]; +} diff --git a/modules/users/ranomier/home-manager.nix b/modules/users/ranomier/home-manager.nix new file mode 100644 index 0000000..f097950 --- /dev/null +++ b/modules/users/ranomier/home-manager.nix @@ -0,0 +1,16 @@ +{inArgs, pkgs, ...}: { + imports = [ + inArgs.home-manager.nixosModules.home-manager + ]; + home-manager.useUserPackages = true; + home-manager.useGlobalPkgs = true; + home-manager.users."ranomier" = { + + stylix.iconTheme = { + enable = true; + package = pkgs.gruvbox-plus-icons; + dark = "Gruvbox-Plus-Dark"; + }; + home.stateVersion = "25.05"; + }; +} diff --git a/modules/users/ranomier.nix b/modules/users/ranomier/ranomier.nix similarity index 90% rename from modules/users/ranomier.nix rename to modules/users/ranomier/ranomier.nix index 9bd1e06..d93bc36 100644 --- a/modules/users/ranomier.nix +++ b/modules/users/ranomier/ranomier.nix @@ -6,6 +6,5 @@ extraGroups = ["networkmanager" "wheel" "podman"]; shell = pkgs.zsh; useDefaultShell = true; - #packages = with pkgs; []; }; } From 855b932cbd4a085d9418de60d96e2e599cddcd7b Mon Sep 17 00:00:00 2001 
From: Ranomier <> Date: Sat, 14 Jun 2025 21:43:23 +0200 Subject: [PATCH 42/42] feat: introduction of system_profiles --- hosts/crocoite/default.nix | 22 +--------------- hosts/crocoite/hardware-configuration.nix | 1 + lib/hostHelper.nix | 5 +++- modules/default.nix | 7 ++++- modules/dhcp-all-interfaces.nix | 9 +++++++ readme.md | 23 ++++++++++++++++ .../container.nix} | 4 +-- system_profiles/components/minify.nix | 16 ++++++++++++ .../nix-defaults.nix} | 18 +++++-------- system_profiles/desktop.nix | 8 ++++++ system_profiles/importers/desktop.nix | 22 ++++++++++++++++ system_profiles/importers/general.nix | 7 +++++ system_profiles/importers/server.nix | 7 +++++ system_profiles/mini.nix | 26 ------------------- system_profiles/server.nix | 9 +++---- 15 files changed, 117 insertions(+), 67 deletions(-) create mode 100644 modules/dhcp-all-interfaces.nix create mode 100644 readme.md rename system_profiles/{mini-container.nix => components/container.nix} (54%) create mode 100644 system_profiles/components/minify.nix rename system_profiles/{defaults.nix => components/nix-defaults.nix} (68%) create mode 100644 system_profiles/desktop.nix create mode 100644 system_profiles/importers/desktop.nix create mode 100644 system_profiles/importers/general.nix create mode 100644 system_profiles/importers/server.nix delete mode 100644 system_profiles/mini.nix diff --git a/hosts/crocoite/default.nix b/hosts/crocoite/default.nix index bd867fa..9275f72 100644 --- a/hosts/crocoite/default.nix +++ b/hosts/crocoite/default.nix 
@@ -28,32 +28,12 @@ }; imports = [ - # steam and other stuff seems to depend on perl - #"${modulesPath}/profiles/perlless.nix" - #nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1 ./hardware-configuration.nix ./boot.nix - ../../modules - ../../modules/users - - ../../modules/hardware - - ../../modules/sec_auth - - ../../modules/software - ../../modules/software/browser - ../../modules/software/nix-helper - ../../modules/software/shells - ../../modules/software/office - - ../../modules/wm_and_de - - ../../modules/pkg_mgrmnt - - ../../system_profiles/defaults.nix + ../../system_profiles/desktop.nix # ../../experiments ]; } diff --git a/hosts/crocoite/hardware-configuration.nix b/hosts/crocoite/hardware-configuration.nix index 99cf29f..50cf88e 100644 --- a/hosts/crocoite/hardware-configuration.nix +++ b/hosts/crocoite/hardware-configuration.nix @@ -10,6 +10,7 @@ }: { imports = [ (modulesPath + "/installer/scan/not-detected.nix") + #nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1 ]; boot.initrd.availableKernelModules = ["nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"]; diff --git a/lib/hostHelper.nix b/lib/hostHelper.nix index 21eace4..e4ab867 100644 --- a/lib/hostHelper.nix +++ b/lib/hostHelper.nix @@ -5,7 +5,10 @@ inArgs: hostname: hostOptions: let else inArgs.nixpkgs.lib.nixosSystem; in nixosSystem { - specialArgs = {inArgs = inArgs;}; + specialArgs = { + inArgs = inArgs; + rootPath = inArgs.self; + }; modules = [ ../hosts/${hostname} #./debug.nix diff --git a/modules/default.nix b/modules/default.nix index 745b4c0..e1045b5 100644 --- a/modules/default.nix +++ b/modules/default.nix 
@@ -2,11 +2,16 @@ imports = [ ./accessibility.nix ./customisation.nix + + # should only be imported directly or via system_profiles + #./dhcp-all-interfaces.nix + ./environment.nix ./firewall.nix ./locale.nix ./networking.nix - #./plymouth.nix + #./plymouth.nix # increases boot time too much + #./serial-console.nix # probably only for servers ./theming.nix ]; } diff --git a/modules/dhcp-all-interfaces.nix b/modules/dhcp-all-interfaces.nix new file mode 100644 index 0000000..a009914 --- /dev/null +++ b/modules/dhcp-all-interfaces.nix @@ -0,0 +1,9 @@ +{ + # Enables DHCP on each ethernet and wireless interface. + # In case of scripted networking (the default) this is the recommended approach. + # When using systemd-networkd it's still possible to use this option, + # but it's recommended to use it in conjunction with + # explicit per-interface declarations with: + # `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; +} diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..6b38d20 --- /dev/null +++ b/readme.md @@ -0,0 +1,23 @@ +# My flake config + +Some awesome descriptive text here + +## folder structure + +### system_profiles + +This whole folder is for the most part just a system to clean up importing + +- In files in this (`system_profiles`) directory: + - should never import anything from parent directories + - can import things from the child directories +- The `importers` directory: + - Should only import things outside (above/parent) of the `system_profiles` directories. + - Probably only from the module directory or maybe a future nix-modules directory, + this rule is not set in stone yet + - should **not** import anything outside of this repository +- The `components` directory: + - Should never import anything from this repository + - It can import things from nixpkgs + - Should set only basic "system" settings + ("system" is not well defined) 
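Review bot: The new modules/dhcp-all-interfaces.nix calls `lib.mkDefault` but its top-level expression is a bare attribute set, so `lib` is not in scope and the module will fail to evaluate with an undefined-variable error as soon as it is imported. The line was lifted from the deleted system_profiles/mini.nix, which had `lib` as a module argument, and the new file dropped that header. Change the first line to `{lib, ...}: {`. The breakage is latent for now only because the file is referenced solely by the commented-out import in modules/default.nix.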
diff --git a/system_profiles/mini-container.nix b/system_profiles/components/container.nix similarity index 54% rename from system_profiles/mini-container.nix rename to system_profiles/components/container.nix index ce05d95..529d942 100644 --- a/system_profiles/mini-container.nix +++ b/system_profiles/components/container.nix @@ -1,6 +1,6 @@ +# For when to deploy to a container, +# can be used with minify to make things smaller {lib, ...}: { boot.isContainer = lib.mkDefault true; boot.kernel.enable = lib.mkDefault false; - - imports = [./mini.nix]; } diff --git a/system_profiles/components/minify.nix b/system_profiles/components/minify.nix new file mode 100644 index 0000000..429faa5 --- /dev/null +++ b/system_profiles/components/minify.nix @@ -0,0 +1,16 @@ +# This makes an installation smaller at the cost of +# features (and maybe even stability) +{lib, modulesPath, ...}: { + imports = [ + (modulesPath + "/profiles/minimal.nix") + #(modulesPath + "/profiles/perlless.nix") + ]; + + disabledModules = [ + (modulesPath + "/profiles/all-hardware.nix") + (modulesPath + "/profiles/base.nix") + ]; + + environment.defaultPackages = lib.mkDefault []; + nixpkgs.overlays = lib.mkDefault [(self: super: {})]; +} diff --git a/system_profiles/defaults.nix b/system_profiles/components/nix-defaults.nix similarity index 68% rename from system_profiles/defaults.nix rename to system_profiles/components/nix-defaults.nix index 442281f..13be0a2 100644 --- a/system_profiles/defaults.nix +++ b/system_profiles/components/nix-defaults.nix @@ -1,8 +1,6 @@ -{ - lib, - pkgs, - ... -}: { +# This loads some nix and nixpkgs specific settints +# i often need +{lib, pkgs, ...}: { # Disable if you don't want unfree packages nixpkgs.config.allowUnfree = lib.mkDefault true; 
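Review bot: In the new system_profiles/components/minify.nix, `nixpkgs.overlays = lib.mkDefault [(self: super: {})];` looks like a no-op: the overlay contributes nothing, and since it is `mkDefault`, any normal-priority `nixpkgs.overlays` definition elsewhere replaces it rather than merging with it. If it is intended as a placeholder, a comment such as `# placeholder overlay; any host-level nixpkgs.overlays definition replaces it` would make that explicit; otherwise the line can be dropped. As far as I can tell the `disabledModules` entries only matter if something else imports those two profiles, so a short comment naming which importer they are meant to guard against would help the next reader.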
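Review bot: The new header comment in system_profiles/components/nix-defaults.nix misspells "settings" as "settints" and reads as a fragment; `# Nix and nixpkgs settings I usually want on every host` would be clearer. Since this component is now imported by both desktop.nix and server.nix, it may also be worth stating in that comment that it turns on `allowUnfree` for every host that uses it, as that is a policy choice rather than a "basic system setting" in the README's sense.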
@@ -15,11 +13,9 @@ channel.enable = lib.mkDefault false; - settings.experimental-features = lib.mkDefault ["nix-command" "flakes"]; + settings.experimental-features = lib.mkDefault [ + "nix-command" + "flakes" + ]; }; - - imports = [ - ../modules/locale.nix - ../modules/sec_auth/sudo-rs.nix - ]; } diff --git a/system_profiles/desktop.nix b/system_profiles/desktop.nix new file mode 100644 index 0000000..c2da4f2 --- /dev/null +++ b/system_profiles/desktop.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ./components/nix-defaults.nix + + ./importers/desktop.nix + ./importers/general.nix + ]; +} diff --git a/system_profiles/importers/desktop.nix b/system_profiles/importers/desktop.nix new file mode 100644 index 0000000..6fc76ec --- /dev/null +++ b/system_profiles/importers/desktop.nix @@ -0,0 +1,22 @@ +# This basicly imports the whole modules folder +{rootPath, ...}: { + imports = [ + (rootPath + /modules) + + (rootPath + /modules/hardware) + + (rootPath + /modules/pkg_mgrmnt) + + (rootPath + /modules/sec_auth) + + (rootPath + /modules/software) + (rootPath + /modules/software/browser) + (rootPath + /modules/software/nix-helper) + (rootPath + /modules/software/office) + (rootPath + /modules/software/shells) + + (rootPath + /modules/users) + + (rootPath + /modules/wm_and_de) + ]; +} diff --git a/system_profiles/importers/general.nix b/system_profiles/importers/general.nix new file mode 100644 index 0000000..d9ccb24 --- /dev/null +++ b/system_profiles/importers/general.nix @@ -0,0 +1,7 @@ +# This loads some "general" defaults +{rootPath, ...}: { + imports = [ + (rootPath + /modules/locale.nix) + (rootPath + /modules/sec_auth/sudo-rs.nix) + ]; +} diff --git a/system_profiles/importers/server.nix b/system_profiles/importers/server.nix new file mode 100644 index 0000000..66f1e60 --- /dev/null +++ b/system_profiles/importers/server.nix 
@@ -0,0 +1,7 @@ +{rootPath, ...}: { + imports = [ + (rootPath + /modules/customisation.nix) + (rootPath + /modules/software/neovim.nix) + (rootPath + /modules/software/packages/core.nix) + ]; +} diff --git a/system_profiles/mini.nix b/system_profiles/mini.nix deleted file mode 100644 index e50e14a..0000000 --- a/system_profiles/mini.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - lib, - modulesPath, - ... -}: { - imports = [ - (modulesPath + "/profiles/minimal.nix") - #(modulesPath + "/profiles/perlless.nix") - - { - environment.defaultPackages = lib.mkDefault []; - nixpkgs.overlays = lib.mkDefault [(self: super: {})]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - } - ]; - - disabledModules = [ - (modulesPath + "/profiles/all-hardware.nix") - (modulesPath + "/profiles/base.nix") - ]; -} diff --git a/system_profiles/server.nix b/system_profiles/server.nix index 65d54d6..8810958 100644 --- a/system_profiles/server.nix +++ b/system_profiles/server.nix @@ -1,10 +1,9 @@ { imports = [ - ./defaults.nix - ./mini.nix + ./components/minify.nix + ./components/nix-defaults.nix - ../modules/customisation.nix - ../modules/software/neovim.nix - ../modules/software/packages/core.nix + ./importers/general.nix + ./importers/server.nix ]; }
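Review bot: The new system_profiles/importers/server.nix imports only customisation.nix, neovim.nix and packages/core.nix, so a server built from server.nix receives neither modules/firewall.nix nor modules/networking.nix nor the modules/sec_auth directory that importers/desktop.nix pulls in. If servers are meant to get the repository's firewall and sec_auth settings, which seem at least as relevant there as on a desktop, add `(rootPath + /modules/firewall.nix)` and `(rootPath + /modules/sec_auth)` to this list; if the omission is deliberate, a comment saying that server hosts configure these themselves would keep the gap from going unnoticed. I cannot see what those modules set, so this is a question of intent rather than a confirmed exposure.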
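Review bot: system_profiles/server.nix swaps `./mini.nix`, which set `networking.useDHCP = lib.mkDefault true`, for `./components/minify.nix`, which does not, and the setting's new home modules/dhcp-all-interfaces.nix is not imported here either, even though the comment on it in modules/default.nix says it should be imported via system_profiles. If server hosts relied on mini.nix for that default, add `(rootPath + /modules/dhcp-all-interfaces.nix)` to importers/server.nix, since the README added in this commit forbids server.nix itself from importing from parent directories; otherwise drop the "via system_profiles" remark so the comment does not promise an import that does not exist. Hosts whose hardware-configuration.nix sets `networking.useDHCP` themselves would presumably be unaffected, which may be why this was not noticed.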