(auxin) changes

This commit is contained in:
Mira 2024-07-31 13:40:07 -04:00
parent 4dd774316e
commit 9bacc4fb80
7 changed files with 279 additions and 132 deletions


@ -3,24 +3,69 @@
lib,
pkgs,
...
}: {
}: let
ports = [
22 # SSH
22000 # syncthing
2222 # Gitea SSH
2377
25565 # Minecraft
3001 # Gitea(->3000)
443 # HTTPS
445
7359 # jellyfin (dlna?)
7946
80 # HTTP
8080 # qbittorrent
8089 # traefik (->8080)
8096 # Jellyfin
8191 # flaresolverr
8420 # Website (->4321)
8842 # Crowdsec (-> 8842)
8888 # Kodi
9000 # Portainer (-> 9443)
2049 # NFS
4001 # Lockd
4002 # Mountd
];
in {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
# ./hardware-configuration.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
nixpkgs = {
config = {
allowUnfree = true;
kodi.enableAdvancedLauncher = true;
pulseaudio = true;
};
};
networking = {
hostName = "auxin"; # Define your hostname.
nameservers = ["192.168.1.208"];
networkmanager.enable = true; # Easiest to use and most distros use this by default.
# hostName = "auxin"; # Define your hostname.
nameservers = ["192.168.1.207"];
firewall = {
enable = true;
allowedUDPPorts = [22 80 443 2222 25565 8080 8842 8191 3001 8096 7359 8420 8888 9000 8089 445 2377 22000 7946];
allowedTCPPorts = [22 80 443 2222 25565 8080 8842 8191 3001 8096 7359 8420 8888 9000 8089 445 2377 22000 7946];
allowedUDPPorts = ports;
allowedTCPPorts = ports;
};
bridges = {
"br0" = {
interfaces = [
"enp9s0"
"enp0s20f0u4"
];
};
};
interfaces.br0.ipv4.addresses = [
{
address = "192.168.1.153";
prefixLength = 24;
}
];
defaultGateway = {
address = "192.168.1.1";
};
};
@ -30,46 +75,15 @@
gcc
go
hyperfine
sof-firmware
jellyfin-media-player
kodiPackages.jellyfin
kodiPackages.steam-controller
lazydocker
gamescope
lazygit
nil
nodePackages.nodejs
nodePackages.pnpm
python3
];
services = {
k3s = {
enable = true;
role = "server";
token = "uwubernetes"; # TODO: change this
extraFlags = toString [
"--write-kubeconfig-mode \"0644\""
"--cluster-init"
# "--disable localstorage"
];
};
# Enable the X11 windowing system.
xserver = {
enable = true;
desktopManager.xfce.enable = false;
# Kodi
desktopManager.kodi.enable = true;
};
displayManager.sddm = {
enable = true;
settings = {
Autologin = {
Session = "kodi.desktop";
User = "mira";
};
};
};
};
# Define a user account. Don't forget to set a password with passwd.
users = {
users = {
@ -92,11 +106,15 @@
};
};
};
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
programs = {
steam = {
gamescopeSession.enable = true;
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
localNetworkGameTransfers.openFirewall = true;
};
nh = {
enable = true;
clean.enable = true;
@ -122,10 +140,72 @@
};
};
# List services that you want to enable:
# Enable the OpenSSH daemon.
services = {
nfs.server = {
enable = true;
mountdPort = 4002;
lockdPort = 4001;
exports = ''
/raid/swarm 192.168.1.0/24(rw)
'';
};
gvfs.enable = true;
xrdp = {
enable = true;
openFirewall = true;
};
x2goserver.enable = true;
k3s = {
enable = false;
role = "server";
token = "uwubernetes"; # TODO: change this
extraFlags = toString [
"--write-kubeconfig-mode \"0644\""
"--cluster-init"
# "--disable localstorage"
];
};
# Enable the X11 windowing system.
xserver = {
enable = true;
desktopManager.xfce.enable = false;
# Kodi
desktopManager.kodi = {
enable = true;
package = pkgs.kodi.withPackages (pkgs:
with pkgs; [
jellyfin
jellycon
sendtokodi
sponsorblock
steam-library
youtube
libretro
libretro-mgba
steam-controller
steam-launcher
visualization-matrix
visualization-spectrum
visualization-waveform
inputstream-adaptive
]);
};
};
displayManager.sddm = {
enable = true;
settings = {
Autologin = {
Session = "kodi.desktop";
User = "mira";
};
};
};
btrbk = {}; # TODO:
caddy = {}; # TODO:
ceph = {}; # TODO:
fail2ban = {
enable = true;
ignoreIP = [
@ -135,6 +215,10 @@
];
bantime-increment.enable = true;
};
samba-wsdd = {
enable = true;
openFirewall = true;
};
# TODO: check security settings
samba = {
enable = true;
@ -146,6 +230,15 @@
};
};
};
pipewire = {
enable = false;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
audio.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
};
};
virtualisation.docker = {
storageDriver = "overlay2";
@ -153,15 +246,11 @@
enable = true;
autoPrune.enable = true;
extraOptions = "--userns-remap=default";
liveRestore = false;
liveRestore = false; # NOTE: Incompatible with swarm
};
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# TODO:
powerManagement.enable = false;
powerManagement.enable = lib.mkForce false;
systemd = {
targets = {
sleep.enable = false;
@ -177,7 +266,7 @@
services = {
"qbittorrent-healthcheck" = {
script = ''
${pkgs.docker} exec qbittorrent ping -c 1 -w 5 -I protonwire0 8.8.8.8 || ${pkgs.docker} restart qbittorrent
${pkgs.docker}/bin/docker exec qbittorrent ping -c 1 -w 5 -I protonwire0 8.8.8.8 || ${pkgs.docker}/bin/docker restart qbittorrent
'';
serviceConfig = {
Type = "oneshot";
@ -208,7 +297,9 @@
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
system = {
# copySystemConfiguration = true; # NOTE: Doesn't work with flakes
system.stateVersion = "23.11"; # Don't fuck with this
stateVersion = "23.11"; # NOTE: Don't fuck with this
};
}
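Review bot: `allowedUDPPorts = ports;` and `allowedTCPPorts = ports;` open every entry of the new `ports` list on both protocols, so TCP-only services (22, 443, 445, 2222, 3001, 8096, 9000, 2049/4001/4002 …) also get a UDP hole and the list has no way to express a UDP-only port; split it into `tcpPorts`/`udpPorts` with a shared sublist only for services that genuinely need both (syncthing 22000 and swarm 7946 look like candidates — confirm per service). The NFS export `/raid/swarm 192.168.1.0/24(rw)` grants read-write to every host on the /24; if only the swarm nodes mount it, list them explicitly. The newly added `xrdp.openFirewall = true` (and `x2goserver.enable`) expose password-authenticated remote desktop on a host whose SDDM autologin user is `mira`, who is in `wheel`/`docker` per common.nix in this commit; the fail2ban jails are not visible in the hunk, so confirm one covers xrdp or restrict the source. The k3s block still carries `token = "uwubernetes"` with its TODO — it is disabled now, but move the token out of the repo before the service is re-enabled.
```nix
let
  # Ports that need both protocols — TODO: confirm per service.
  bothPorts = [22000 7946];
  tcpPorts = bothPorts ++ [22 80 443 2222 2377 25565 3001 445 8080 8089 8096 8191 8420 8842 8888 9000 2049 4001 4002];
  udpPorts = bothPorts ++ [7359];
in {
  # … unchanged: imports, boot, nixpkgs …
  networking.firewall = {
    enable = true;
    allowedTCPPorts = tcpPorts;
    allowedUDPPorts = udpPorts;
  };
  # … unchanged: bridges, interfaces, services, virtualisation …
```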


@ -12,11 +12,17 @@
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
# Use the systemd-boot EFI boot loader.
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
initrd.kernelModules = [];
kernelModules = ["kvm-intel"];
extraModulePackages = [];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/b6931dc5-1ccb-4d81-abf6-38b6febc6176";
fsType = "btrfs";
@ -58,13 +64,14 @@
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0f1.useDHCP = lib.mkDefault true;
# networking.interfaces.enp9s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp7s0.useDHCP = lib.mkDefault true;
networking.networkmanager.enable = lib.mkDefault true; # Easiest to use and most distros use this by default.
# BTRFS scrub
services.btrfs.autoScrub.enable = true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware = {
cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
pulseaudio.enable = true;
pulseaudio.support32Bit = true; ## If compatibility with 32-bit applications is desired.
};
}
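Review bot: The boot loader, `networking.networkmanager.enable`, `services.btrfs.autoScrub` and the pulseaudio settings are being placed in `hardware-configuration.nix`, which `nixos-generate-config` regenerates and whose standard header (visible on the other hardware-configuration.nix in this commit) says not to modify; a re-run would silently drop the scrub job and loader settings. Keep only the scan output here and move the policy settings back to `configuration.nix`, or add a top-of-file comment such as `# NOTE: hand-maintained; do not regenerate with nixos-generate-config` so nobody overwrites it. This file's own header is outside the hunk, so whether it still carries the generated-file warning is inferred.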


@ -62,7 +62,7 @@ in {
openssh = {
enable = true;
settings = {
PermitRootLogin = "prohibit-password";
PermitRootLogin = lib.mkForce "prohibit-password";
PasswordAuthentication = false;
};
allowSFTP = true;
@ -80,19 +80,8 @@ in {
nssmdns4 = true;
openFirewall = true;
};
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
#jack.enable = true;
};
# smartd
smartd.enable = true;
# BTRFS scrub
btrfs.autoScrub.enable = true;
}
# Mac Services
// lib.optionalAttrs ((builtins.match ".*-darwin" pkgs.stdenv.hostPlatform.system)
@ -107,7 +96,7 @@ in {
mira = {
isNormalUser = true;
group = "mira";
extraGroups = ["wheel" "docker" "dockremap"];
extraGroups = ["wheel" "docker" "dockremap" "audio"];
packages = with pkgs; [
firefox
tree
@ -139,24 +128,35 @@ in {
file
fzf
gdu
git
hyfetch
killall
lazygit
lsd
mcfly
neovim
nushell
starship
ripgrep
sheldon
starship
statix
tealdeer
tmux
viddy
wget
yazi
zoxide
zsh
];
programs = {
tmux.enable = true;
git = {
enable = true;
lfs.enable = true;
};
lazygit.enable = true;
yazi.enable = true;
zsh.enable = true;
thefuck.enable = true;
direnv.enable = true;
neovim.enable = true;
starship.enable = true;
fzf.fuzzyCompletion = true;
};
}
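Review bot: `lib.mkForce "prohibit-password"` on PermitRootLogin needs a comment saying what it overrides, otherwise the next reader will not know why this one setting is forced; suggested: `# mkForce: the installer profile pulled in by auxin-iso/auxin-vm sets PermitRootLogin = "yes"`. As far as I recall that profile also sets an empty `users.users.root.initialHashedPassword` and enables sshd, so this line keeps root key-only over SSH on the ISO but the console root password is still empty unless that option is overridden too — worth confirming. `PasswordAuthentication = false` is not forced; a conflicting plain definition elsewhere would error at eval rather than silently win, so this is acceptable, but forcing both keeps the intent symmetric. The enclosing `services` set starts before the hunk.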

flake.lock generated

@ -155,11 +155,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1721108565,
"narHash": "sha256-/ZkI/yQtg3wg6GkLynAfsi6dy8cHzcOZWVBUl1muNbA=",
"lastModified": 1722232823,
"narHash": "sha256-TyBoea7IzssGHS/hn2qjqgHfrpRGdBwBj5JrzTk+LmE=",
"owner": "nix-community",
"repo": "neovim-nightly-overlay",
"rev": "384c3d1c1e7ae21931b75c99a787d6af91cf7abb",
"rev": "a53756a2ea77e55b662c68c9a6cf6472a10ae911",
"type": "github"
},
"original": {
@ -171,11 +171,11 @@
"neovim-src": {
"flake": false,
"locked": {
"lastModified": 1721082242,
"narHash": "sha256-qSsIx/IhwCBLxWJbOaHdOguz3UX05hBZViPfNLc0cmQ=",
"lastModified": 1722175991,
"narHash": "sha256-IlmC/5lLdIq+sLdTAPkSsVpnrMr6wOS79kXSXcowQII=",
"owner": "neovim",
"repo": "neovim",
"rev": "c2b51e6c41c5230af21dc4d978e896ef9e8b922a",
"rev": "5aa1a9532cbac835ad027ebdf04311c7e8fb7007",
"type": "github"
},
"original": {
@ -189,11 +189,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1721086468,
"narHash": "sha256-OF642LVDj5Icr0tXlY9P54vna4OP10IMhIhhiKwIRpw=",
"lastModified": 1722082646,
"narHash": "sha256-od8dBWVP/ngg0cuoyEl/w9D+TCNDj6Kh4tr151Aax7w=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "7522a30d328f885d20c2815bd05eb711bc69644c",
"rev": "0413754b3cdb879ba14f6e96915e5fdf06c6aab6",
"type": "github"
},
"original": {
@ -204,11 +204,11 @@
},
"nixos-unstable": {
"locked": {
"lastModified": 1720957393,
"narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=",
"lastModified": 1722062969,
"narHash": "sha256-QOS0ykELUmPbrrUGmegAUlpmUFznDQeR4q7rFhl8eQg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "693bc46d169f5af9c992095736e82c3488bf7dbb",
"rev": "b73c2221a46c13557b1b3be9c2070cc42cf01eb3",
"type": "github"
},
"original": {
@ -220,11 +220,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1721016451,
"narHash": "sha256-Cypl9ORr5UjtBsbjXMTJRepTe362yNVrPrntUvHiTaw=",
"lastModified": 1722141560,
"narHash": "sha256-Ul3rIdesWaiW56PS/Ak3UlJdkwBrD4UcagCmXZR9Z7Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a14c5d651cee9ed70f9cd9e83f323f1e531002db",
"rev": "038fb464fcfa79b4f08131b07f2d8c9a6bcc4160",
"type": "github"
},
"original": {
@ -236,11 +236,11 @@
},
"nixpkgs-darwin": {
"locked": {
"lastModified": 1721059467,
"narHash": "sha256-0Yx4eXowxw5TATf92DZu2qKbBYXPxYh849h9tL/TQR0=",
"lastModified": 1722153173,
"narHash": "sha256-S46RmS9WkBOTLORpnWsNth4Ae6TlfJS9TKXqB55YQy4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "be45415f0f321f030f8c76723fd15d4b0f3a02fb",
"rev": "7bba2df68503b68634e0070483ddaf6d59dc6530",
"type": "github"
},
"original": {
@ -252,11 +252,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1721080040,
"narHash": "sha256-USDsS90/88RJibP3gEcH1AaVt+JpnX4XCUD9bAJP5I4=",
"lastModified": 1722141560,
"narHash": "sha256-Ul3rIdesWaiW56PS/Ak3UlJdkwBrD4UcagCmXZR9Z7Y=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b2c1f10bfbb3f617ea8e8669ac13f3f56ceb2ea2",
"rev": "038fb464fcfa79b4f08131b07f2d8c9a6bcc4160",
"type": "github"
},
"original": {
@ -282,11 +282,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1720954236,
"narHash": "sha256-1mEKHp4m9brvfQ0rjCca8P1WHpymK3TOr3v34ydv9bs=",
"lastModified": 1722087241,
"narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "53e81e790209e41f0c1efa9ff26ff2fd7ab35e27",
"rev": "8c50662509100d53229d4be607f1a3a31157fa12",
"type": "github"
},
"original": {


@ -31,6 +31,37 @@
overlays = [inputs.neovim-nightly-overlay.overlays.default];
in {
nixosConfigurations = {
auxin-iso = nixos-unstable.lib.nixosSystem {
modules = [
"${nixos-unstable}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
"${nixos-unstable}/nixos/modules/installer/cd-dvd/channel.nix"
./auxin/configuration.nix
./vm.nix
./common.nix
];
specialArgs = {
# inherit inputs;
meta = {
hostname = "auxin-iso";
};
};
};
auxin-vm = nixos-unstable.lib.nixosSystem {
modules = [
# "${nixos-unstable}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
# "${nixos-unstable}/nixos/modules/installer/cd-dvd/channel.nix"
"${nixos-unstable}/nixos/modules/virtualisation/virtualbox-image.nix"
./auxin/configuration.nix
./vm.nix
./common.nix
];
specialArgs = {
# inherit inputs;
meta = {
hostname = "auxin-vm";
};
};
};
auxin = nixos-unstable.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
@ -38,6 +69,7 @@
};
modules = [
./auxin/configuration.nix
./auxin/hardware-configuration.nix
./common.nix
];
};
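Review bot: `auxin-iso` and `auxin-vm` import the full host `./auxin/configuration.nix` and `./common.nix`, so the installer ISO and the VirtualBox image ship everything the production host runs — the LAN-wide NFS export, samba, xrdp with its firewall hole, the k3s token and the SDDM autologin — plus `vm.nix`'s `nixosvmtest` user with a known password; an installation ISO in particular should carry only the installer profile and the hardware scan. If these variants exist to test the config, say so in a comment, e.g. `# auxin-iso/auxin-vm: test images that boot the full auxin config; not for deployment`, and consider dropping `./vm.nix` from `auxin-iso`. The `auxin` entry now passes `./auxin/hardware-configuration.nix` explicitly, which matches the import commented out in configuration.nix.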


@ -1,29 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "usb_storage" "sd_mod" "sdhci_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/f7af4335-148b-4428-877e-9ab01095ac07";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/f7af4335-148b-4428-877e-9ab01095ac07";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/5C76-EFCE";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/5C76-EFCE";
fsType = "vfat";
};
swapDevices = [ ];
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's

vm.nix Normal file

@ -0,0 +1,13 @@
{
config,
lib,
pkgs,
meta,
...
}: {
nixpkgs.hostPlatform = "x86_64-linux";
users.users.nixosvmtest.isSystemUser = true;
users.users.nixosvmtest.initialPassword = "test";
users.users.nixosvmtest.group = "nixosvmtest";
users.groups.nixosvmtest = {};
}
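Review bot: `users.users.nixosvmtest` is declared `isSystemUser = true` but given `initialPassword = "test"`, which contradicts itself — as far as I recall a system user gets the nologin shell by default, so the password is unusable for an ordinary login, and if a login is intended the user should be `isNormalUser = true` (with an explicit groups/shell decision). Whichever is meant, a plaintext credential committed to the repo should at least be marked as test-only: `# throwaway VM/ISO test account — initialPassword applies only when the user is first created`. `config`, `lib`, `pkgs` and `meta` are bound but unused; `{...}:` (or `{meta, ...}:` once the hostname is wired up) would be cleaner.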