Diffstat (limited to 'config/nix.org')
-rw-r--r--config/nix.org249
1 files changed, 124 insertions, 125 deletions
diff --git a/config/nix.org b/config/nix.org
index a32c14d..dc2c823 100644
--- a/config/nix.org
+++ b/config/nix.org
@@ -202,7 +202,7 @@ and now for the main flake:
fi
echo "Merge to main detected. Building VM for ${hostname}..."
if nix build .#nixosConfigurations.${hostname}.config.system.build.vm --no-link; then
- echo "Build succeeded. Proceeding with merge."
+ echo "Build succeeded."
exit 0
else
echo "Build failed! Aborting."
@@ -227,10 +227,6 @@ and now for the main flake:
serviceName = "sshd";
enabled = super.services.openssh.enable;
}
- # {
- # serviceName = "conduit";
- # enabled = super.services.matrix-conduit.enable;
- # }
{
serviceName = "git-daemon";
enabled = super.services.gitDaemon.enable;
@@ -333,14 +329,35 @@ and now for the main flake:
devShell."${system}" = with pkgs; mkShell {
buildInputs = [
fira-code
- python3
- poetry
statix
deadnix
+ (python3.withPackages (ps: with ps; [
+ octodns
+ octodns-providers.cloudflare
+ octodns-providers.bind
+ ]))
];
shellHook = ''
${pre-commit-check.shellHook}
git config branch.main.mergeoptions "--no-ff"
+
+ CURRENT_HOST="$(hostname)"
+
+ TARGET_USER_RAW=$(nix eval .#nixosConfigurations."$CURRENT_HOST".config.home-manager.users --apply "u: builtins.head (builtins.attrNames u)" --raw 2>/dev/null)
+
+ TARGET_USER=$(echo "$TARGET_USER_RAW" | xargs)
+ SOPS_BASE=$(nix eval .#nixosConfigurations."$CURRENT_HOST".config.home-manager.users."$TARGET_USER".sops.defaultSymlinkPath --raw 2>/dev/null)
+
+ if [ -n "$SOPS_BASE" ] && [ -f "$SOPS_BASE/cloudflare-dns" ]; then
+ export CLOUDFLARE_TOKEN="$(cat "$SOPS_BASE/cloudflare-dns" | tr -d '\n')"
+ echo "Authenticated via sops-nix for host: $CURRENT_HOST"
+ else
+ echo "Could not resolve sops path for $CURRENT_HOST or secret is missing. Set CLOUDFLARE_TOKEN manually."
+ fi
+
+ alias update-dns="octodns-sync --config-file ${self.packages."${system}".octodns} --doit --force"
+ alias fake-update-dns="octodns-sync --config-file ${self.packages."${system}".octodns} --force "
+ alias gprune='git branch --merged | grep -v -E "^\*|main|master|dev" | xargs -r git branch -d'
'';
};
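Review bot: `TARGET_USER_RAW` is derived with `builtins.head (builtins.attrNames u)`, which silently picks the alphabetically first home-manager user, so on a host that defines more than one user the `sops.defaultSymlinkPath` lookup can land on the wrong user and fall through to the "Set CLOUDFLARE_TOKEN manually" branch with no hint why. Either pick the entry matching `$USER` when it is a key of that attrset, or state the assumption in a comment (`# assumes exactly one home-manager user per host`). The `export CLOUDFLARE_TOKEN="$(cat "$SOPS_BASE/cloudflare-dns" | tr -d '\n')"` line can drop the pipe: `export CLOUDFLARE_TOKEN="$(tr -d '\n' < "$SOPS_BASE/cloudflare-dns")"`. Both `nix eval` calls discard stderr with `2>/dev/null`, so a broken flake evaluation is indistinguishable from a missing secret; logging the failure when `SOPS_BASE` is empty would make the fallback message actionable.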
@@ -468,7 +485,7 @@ graph by running ~nix build .#topology.x86_64-linux.config.output~.
Variables used for regular configuration in your system ~default.nix~ file. The options are
largely self-documenting.
#+begin_src nix :tangle ../nix/modules/vars.nix
- { lib, ... }:
+ { config, lib, ... }:
let
vars = import ../flakevars.nix;
in
@@ -591,6 +608,13 @@ largely self-documenting.
description = "Name of Ntfy secret for notification handling";
};
+ ntfyUrl = lib.mkOption {
+ type = lib.types.str;
+ default = "ntfy.${config.monorepo.vars.remoteHost}";
+ example = "ntfy.nullring.xyz";
+ description = "Name of ntfy server";
+ };
+
monitors = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [
@@ -612,11 +636,12 @@ Again, these are self documenting variables that you may see used below. These a
under ~default.nix~ in the ~systems~ folder.
#+begin_src nix :tangle ../nix/modules/default.nix
{ lib, config, pkgs, ... }:
+ let
+ dirContents = builtins.readDir ./.;
+ files = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".nix" name && name != "default.nix") dirContents;
+ in
{
- imports = [
- ./configuration.nix
- ./vars.nix
- ];
+ imports = lib.mapAttrsToList (name: _: ./. + "/${name}") files;
options = {
monorepo = {
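Review bot: The `readDir`-based `imports` now loads every `*.nix` file in the directory except `default.nix`, so the set of modules evaluated into the system is whatever happens to be on disk rather than an explicit, reviewable list; a stray or experimental file dropped into the directory becomes part of the configuration without any change to an import list. That is a legitimate trade-off, but it should be stated where a reader will look for it, e.g. `# Every *.nix in this directory (except default.nix) is a NixOS module and is imported automatically; non-module helpers must live elsewhere or be excluded here.` The home-manager counterpart (the `../nix/modules/home/default.nix` hunk, which already has to exclude `emacs-packages.nix`) shows how such exclusions accumulate, and the same comment belongs there. The filter also keeps only `type == "regular"`, so a symlinked module would be skipped silently — worth a word in the same comment.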
@@ -708,14 +733,6 @@ to relevant places.
templates = if config.monorepo.profiles.server.enable then {
- "public-inbox-netrc" = {
- owner = "public-inbox";
- group = "public-inbox";
- mode = "0400";
- content = (builtins.concatStringsSep "\n" (builtins.map (x: "machine mail.${config.monorepo.vars.orgHost} login ${x}@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}") config.monorepo.vars.projects)) + ''
- machine mail.${config.monorepo.vars.orgHost} login discussion@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}'';
- };
-
"matterbridge" = {
owner = "matterbridge";
content = ''
@@ -1017,7 +1034,6 @@ This is an internet radio which will host a ton of music.
</mount>
'';
};
- admin.password = "changeme";
}
#+end_src
** IRC
@@ -1356,15 +1372,15 @@ This is a basic ActivityPub server.
#+end_src
** TODO matrix-appservice-irc
#+begin_src nix :tangle ../nix/modules/matrix-appservice-irc.nix
- { lib, config, ... }:
+ { ... }:
{
- enable = lib.mkDefault config.monorepo.profiles.server.enable;
- registrationUrl = "localhost";
+ # enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ # registrationUrl = "localhost";
- settings = {
- homeserver.url = "https://matrix.nullring.xyz";
- homserver.domain = "matrix.nullring.xyz";
- };
+ # settings = {
+ # homeserver.url = "https://matrix.nullring.xyz";
+ # homserver.domain = "matrix.nullring.xyz";
+ # };
}
#+end_src
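Review bot: The commented-out settings carry over the pre-existing typo `homserver.domain` (should be `homeserver.domain`), so re-enabling this block later by uncommenting reintroduces a misspelled key next to the correctly spelled `homeserver.url`; fix it while it is inert: `# homeserver.domain = "matrix.nullring.xyz";`. With every option commented the file tangles to `{ ... }: { }`, which evaluates fine, but a one-line comment under the `TODO` heading saying why the service is disabled would tell the next reader whether the block is safe to delete.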
** Gitolite
@@ -1598,7 +1614,7 @@ I want to have notifications on my phone, and run my own server to do this.
#+begin_src nix :tangle ../nix/modules/ntfy-sh.nix
{ pkgs, lib, config, ... }:
let
- serverName = "ntfy.${config.monorepo.vars.remoteHost}";
+ serverName = "${config.monorepo.vars.ntfyUrl}";
port = 2586;
ntfySecret = config.monorepo.vars.ntfySecret;
in
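Review bot: `serverName = "${config.monorepo.vars.ntfyUrl}";` wraps an option that is already `lib.types.str` in a string interpolation, which is a no-op; write `serverName = config.monorepo.vars.ntfyUrl;`. The `ntfyUrl` option introduced in the `vars.nix` hunk is described as `Name of ntfy server` while its example and default are hostnames; since it is consumed here as an nginx `serverName`, `description = "Hostname the ntfy server is reachable at, without scheme";` matches the actual contract.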
@@ -1701,16 +1717,21 @@ to the outside world under a domain.
enableACME = true;
locations."/" = {
extraConfig = ''
- add_header Cache-Control "no-cache, must-revalidate";
- expires off;
+ add_header Cache-Control "no-cache, must-revalidate";
+ expires off;
'';
};
+
locations."~* \\.(?:woff2|ttf|otf|eot|woff|ico|css|js|gif|jpe?g|png|svg|mp3|mp4|iso|webmanifest)$" = {
extraConfig = ''
- add_header Cache-Control "public, max-age=31536000, immutable";
- access_log off;
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ access_log off;
'';
};
+ extraConfig = ''
+ include ${monorepoSelf.packages.${pkgs.system}.website}/csp_headers.conf;
+ rewrite ^/graph_view/?(.*)$ https://graph.${config.monorepo.vars.remoteHost}/$1 permanent;
+ '';
};
# the port comes from ssh tunnelling
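Review bot: The new server-level `extraConfig` interpolates `${monorepoSelf.packages.${pkgs.system}.website}` unconditionally, while the `graph.` vhost added in the next hunk guards its use of the same value with `lib.mkIf (monorepoSelf != null)`; if `monorepoSelf` can indeed be null, evaluation of this file fails with an attribute access on `null` here, before that guard is ever reached. Guard only the `include` and keep the `rewrite` unconditional, since the rewrite depends on `config` alone. The enclosing vhost attribute set begins above this hunk.
```nix
extraConfig = lib.optionalString (monorepoSelf != null) ''
  include ${monorepoSelf.packages.${pkgs.system}.website}/csp_headers.conf;
'' + ''
  rewrite ^/graph_view/?(.*)$ https://graph.${config.monorepo.vars.remoteHost}/$1 permanent;
'';
```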
@@ -1738,6 +1759,20 @@ to the outside world under a domain.
addSSL = true;
enableACME = true;
};
+
+ "graph.${config.monorepo.vars.remoteHost}" = lib.mkIf (monorepoSelf != null) {
+ serverName = "graph.${config.monorepo.vars.remoteHost}";
+ root = "${monorepoSelf.packages.${pkgs.system}.website}";
+ addSSL = true;
+ enableACME = true;
+ locations."/" = {
+ extraConfig = "rewrite ^/$ /graph_view/index.html break;";
+ };
+
+ extraConfig = ''
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none';";
+ '';
+ };
};
};
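Review bot: The `Content-Security-Policy` on the `graph.` vhost allows `'unsafe-inline' 'unsafe-eval'` in `script-src`, which removes most of the protection a CSP provides against injected script; presumably the generated graph bundle served from `/graph_view/index.html` requires it, but that reason is not recorded. Add a comment above the header, e.g. `# relaxed CSP: the generated graph bundle relies on inline/eval scripts; keep this vhost isolated from the main site`, and consider appending `base-uri 'self'; frame-ancestors 'none';` since nothing on this vhost needs to be framed. The main site's policy comes from `csp_headers.conf` inside the website package, so the two policies will drift unless the relaxation here is documented as intentional.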
@@ -1747,6 +1782,8 @@ to the outside world under a domain.
"${config.monorepo.vars.remoteHost}" = {};
"${config.monorepo.vars.orgHost}" = {};
"${config.monorepo.vars.internetName}.${config.monorepo.vars.orgHost}" = {};
+ "music.${config.monorepo.vars.remoteHost}" = {};
+ "graph.${config.monorepo.vars.remoteHost}" = {};
};
}
#+end_src
@@ -1837,10 +1874,21 @@ There is a non declarative part of setting dkims and spf.
password_path = "mail_monorepo_password";
in
{
- sops.secrets = lib.mkIf config.services.maddy.enable {
- "${password_path}" = lib.mkIf config.services.maddy.enable {
- format = "yaml";
- owner = "maddy";
+ sops = lib.mkIf config.services.maddy.enable {
+ secrets = {
+ "${password_path}" = {
+ format = "yaml";
+ owner = "maddy";
+ };
+ };
+ templates = lib.mkIf config.services.public-inbox.enable {
+ "public-inbox-netrc" = {
+ owner = "public-inbox";
+ group = "public-inbox";
+ mode = "0400";
+ content = (builtins.concatStringsSep "\n" (builtins.map (x: "machine ${emailServerName} login ${x}@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}") config.monorepo.vars.projects)) + ''
+ machine ${emailServerName} login discussion@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}'';
+ };
};
};
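Review bot: The netrc template interpolates `config.sops.placeholder."mail_monorepo_password_pi"` while the only secret declared in this block is `"${password_path}"`, i.e. `mail_monorepo_password`; the `_pi` name must be declared elsewhere or the placeholder lookup fails at evaluation time, and if it is a distinct secret the rendered netrc carries a different credential than the one handed to `maddy`. If both names are intended, a comment stating which secret is which would help; if not, `password ${config.sops.placeholder.${password_path}}` ties the template to the secret declared a few lines above. Note also that the outer `lib.mkIf config.services.maddy.enable` now gates `templates` as well, so a host running public-inbox without maddy gets no netrc even though the inner `mkIf` would allow it — likely intended given the public-inbox default set in a later hunk, but worth a comment.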
@@ -1895,18 +1943,16 @@ There is a non declarative part of setting dkims and spf.
'';
serviceConfig = {
- # Allow the service to see the file it just created
BindPaths = [
"/var/lib/public-inbox"
"${config.users.users.git.home}"
];
ReadOnlyPaths = [ "/var/lib/public-inbox/style.css" ];
- # Ensure it can actually write to the directory during preStart
ReadWritePaths = [ "/var/lib/public-inbox" ];
};
} else {};
- systemd.services.public-inbox-watch = if config.monorepo.profiles.server.enable then {
+ systemd.services.public-inbox-watch = if config.services.public-inbox.enable then {
after = [ "sops-nix.service" ];
confinement.enable = lib.mkForce false;
preStart = ''
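Review bot: Two explanatory comments were dropped from `serviceConfig` — `# Allow the service to see the file it just created` above `BindPaths` and `# Ensure it can actually write to the directory during preStart` above `ReadWritePaths` — while the lines they explained are unchanged, so this is a documentation regression; restore them. The `public-inbox-watch` condition moves to `config.services.public-inbox.enable`, but the preceding service's `if`, which begins above this hunk, may still be gated on `config.monorepo.profiles.server.enable`; if so the two units can disagree on the same host, so check that condition matches (the default of `services.public-inbox.enable` itself becomes `config.services.maddy.enable` in the following hunk).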
@@ -1936,7 +1982,7 @@ There is a non declarative part of setting dkims and spf.
} else {};
services.public-inbox = {
- enable = lib.mkDefault config.monorepo.profiles.server.enable;
+ enable = lib.mkDefault config.services.maddy.enable;
settings = {
coderepo = lib.genAttrs config.monorepo.vars.projects (name: {
dir = "${config.users.users.git.home}/${name}.git";
@@ -2333,35 +2379,6 @@ because they enhance security.
vmHosts = map (dom: "127.0.0.1 ${dom}") allDomains;
in
{
- imports = [
- ./cgit.nix
- ./public_inbox.nix
- ./matterbridge.nix
- ./mautrix.nix
- ./xserver.nix
- ./ssh.nix
- ./pipewire.nix
- ./tor.nix
- ./kubo.nix
- ./nvidia.nix
- ./cuda.nix
- ./nginx.nix
- ./secrets.nix
- ./git-daemon.nix
- ./ollama.nix
- ./i2pd.nix
- ./conduit.nix
- ./bitcoin.nix
- ./ngircd.nix
- ./znc.nix
- ./docker.nix
- ./impermanence.nix
- ./maddy.nix
- ./ntfy-sh.nix
- ./fail2ban.nix
- ./nixpkgs-options.nix
- ];
-
environment.etc."wpa_supplicant.conf".text = ''
country=CA
'';
@@ -2925,10 +2942,13 @@ This is all configuration common to any GPT partitioned drive. I dynamically cho
*** ESP Boot Partition
#+begin_src nix :tangle ../nix/disko/esp-boot.nix
{
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [ "umask=0077" ];
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
}
#+end_src
*** Btrfs
@@ -2936,10 +2956,8 @@ This is a fully featured drive configuration and the recommended configuration t
Btrfs enables you to enable impermanence and also encrypt the drive with ~/tmp/secret.key~.
#+begin_src nix :tangle ../nix/disko/btrfs.nix
{
- ESP = {
+ ESP = (import ./esp-boot.nix) // {
size = "512M";
- type = "EF00";
- content = import ./esp-boot.nix;
};
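Review bot: `(import ./esp-boot.nix) // { size = "512M"; }` is a shallow merge, so a per-layout override of anything inside `content` (for instance `mountOptions`) would replace the whole `content` set rather than one key; that is fine as written here and in the `ext4.nix` hunk, but a one-line comment in `esp-boot.nix` such as `# shared ESP partition; callers merge only top-level keys (size, priority) with //` would make the intended extension point explicit. Centralising `umask=0077` in one place is the right direction for the boot partition's permissions.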
luks = {
size = "100%";
@@ -2993,11 +3011,9 @@ This configuration is used for simple partitioning schemes with EFI. A simple ex
should be using EFI if you can.
#+begin_src nix :tangle ../nix/disko/ext4.nix
{
- ESP = {
- type = "EF00";
+ ESP = (import ./esp-boot.nix) // {
size = "500M";
priority = 1;
- content = import ./esp-boot.nix;
};
root = {
size = "100%";
@@ -3042,31 +3058,14 @@ As you can see, I have my installed home packages installed based on the profile
I have many imports that we'll go through next.
#+begin_src nix :tangle ../nix/modules/home/default.nix
{ lib, config, pkgs, sops-nix, super, ... }:
+ let
+ dirContents = builtins.readDir ./.;
+ files = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".nix" name && name != "default.nix" && name != "emacs-packages.nix") dirContents;
+ in
{
imports = [
sops-nix.homeManagerModules.sops
- ../vars.nix
- ./fcitx.nix
- ./emacs.nix
- ./firefox.nix
- ./git.nix
- ./hyprland.nix
- ./mpv.nix
- ./yt-dlp.nix
- ./wofi.nix
- ./kitty.nix
- ./waybar.nix
- ./zsh.nix
- ./mbsync.nix
- ./msmtp.nix
- ./gammastep.nix
- ./mpd.nix
- ./mako.nix
- ./user.nix
- ./gtk.nix
- ./secrets.nix
- ./pantalaimon.nix
- ];
+ ] ++ lib.mapAttrsToList (name: _: ./. + "/${name}") files;
options = {
monorepo.profiles = {
@@ -3869,15 +3868,15 @@ just set the options to the ones you want in your system ~default.nix~.
This mpd configuration uses pipewire by default, and it should just work if you place music
in the ~~/music~ directory and then run ~mpc add /~ afterwards.
#+begin_src nix :tangle ../nix/modules/home/mpd.nix
- { lib, config, ... }:
+ { lib, config, super, ... }:
{
services.mpd = {
enable = lib.mkDefault config.monorepo.profiles.music.enable;
- dbFile = "/home/${config.monorepo.vars.userName}/.config/mpd/db";
- dataDir = "/home/${config.monorepo.vars.userName}/.config/mpd/";
+ dbFile = "/home/${super.monorepo.vars.userName}/.config/mpd/db";
+ dataDir = "/home/${super.monorepo.vars.userName}/.config/mpd/";
network.port = 6600;
- musicDirectory = "/home/${config.monorepo.vars.userName}/music";
- playlistDirectory = "/home/${config.monorepo.vars.userName}/.config/mpd/playlists";
+ musicDirectory = "/home/${super.monorepo.vars.userName}/music";
+ playlistDirectory = "/home/${super.monorepo.vars.userName}/.config/mpd/playlists";
network.listenAddress = "0.0.0.0";
extraConfig = ''
audio_output {
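Review bot: Switching `config.monorepo.vars.*` to `super.monorepo.vars.*` is required here because the home-manager `default.nix` hunk stops importing `../vars.nix`, so `config.monorepo.vars` no longer exists on the home-manager side; the same substitution appears in the waybar, zsh and user hunks. Any home module outside this diff that still reads `config.monorepo.vars` would now fail evaluation with a missing-attribute error, so the remaining `home/*.nix` files deserve a grep before merge. A short comment at the top of `mpd.nix`, e.g. `# monorepo.vars lives in the NixOS config and is reached via super; config here is the home-manager config`, would spare the next reader the same detour.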
@@ -3965,7 +3964,7 @@ here:
This is the bar I use for my hyprland configuration. You will need to adjust the monitors field
in the ~default.nix~ for it to really appear.
#+begin_src nix :tangle ../nix/modules/home/waybar.nix
- { lib, config, ... }:
+ { lib, config, super, ... }:
{
programs.waybar = {
enable = lib.mkDefault config.monorepo.profiles.hyprland.enable;
@@ -4221,7 +4220,7 @@ in the ~default.nix~ for it to really appear.
position = "top";
height = 50;
- output = config.monorepo.vars.monitors;
+ output = super.monorepo.vars.monitors;
modules-left = [ "hyprland/workspaces" ];
modules-center = [ "hyprland/window" ];
@@ -4475,7 +4474,7 @@ A classic program that allows you to download from youtube. Also has integration
My zsh config has some useful aliases that one should read through. Otherwise it is pretty
standard.
#+begin_src nix :tangle ../nix/modules/home/zsh.nix
- { config, pkgs, systemHostName, ... }:
+ { pkgs, systemHostName, super, ... }:
{
programs.zsh = {
enable = true;
@@ -4510,9 +4509,9 @@ standard.
build-installer = "nix build $HOME/monorepo/nix#nixosConfigurations.installer.config.system.build.isoImage";
rb = "sudo nixos-rebuild switch --flake $HOME/monorepo/nix#${systemHostName}";
nfu = "cd ~/monorepo/nix && git add . && git commit -m \"new flake lock\" && nix flake update";
- usync = "rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/monorepo/result/ root@${config.monorepo.vars.remoteHost}:/var/www/${config.monorepo.vars.internetName}-website/";
+ usync = "rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/monorepo/result/ root@${super.monorepo.vars.remoteHost}:/var/www/${super.monorepo.vars.internetName}-website/";
usite
- = "cd ~/src/publish-org-roam-ui && bash local.sh && rm -rf ~/website_html/graph_view; cp -r ~/src/publish-org-roam-ui/out ~/website_html/graph_view && rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ root@${config.monorepo.vars.remoteHost}:/var/www/${config.monorepo.vars.internetName}-website/";
+ = "cd ~/src/publish-org-roam-ui && bash local.sh && rm -rf ~/website_html/graph_view; cp -r ~/src/publish-org-roam-ui/out ~/website_html/graph_view && rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ root@${super.monorepo.vars.remoteHost}:/var/www/${super.monorepo.vars.internetName}-website/";
sai = "eval \"$(ssh-agent -s)\" && ssh-add ~/.ssh/id_ed25519 && ssh-add -l";
};
loginExtra = ''
@@ -4528,33 +4527,33 @@ This configuration is the backbone configuration for the default user. It specif
generally useful packages and something every home should have, as well as some dependencies
for these configurations.
#+begin_src nix :tangle ../nix/modules/home/user.nix
- { lib, config, pkgs, ... }:
+ { lib, config, pkgs, super, ... }:
{
home = {
activation.startup-files = lib.hm.dag.entryAfter [ "installPackages" ] ''
- if [ ! -d "/home/${config.monorepo.vars.userName}/email/${config.monorepo.vars.internetName}/" ]; then
- mkdir -p /home/${config.monorepo.vars.userName}/email/${config.monorepo.vars.internetName}/
+ if [ ! -d "/home/${super.monorepo.vars.userName}/email/${super.monorepo.vars.internetName}/" ]; then
+ mkdir -p /home/${super.monorepo.vars.userName}/email/${super.monorepo.vars.internetName}/
fi
- if [ ! -d "/home/${config.monorepo.vars.userName}/music" ]; then
- mkdir -p /home/${config.monorepo.vars.userName}/music
+ if [ ! -d "/home/${super.monorepo.vars.userName}/music" ]; then
+ mkdir -p /home/${super.monorepo.vars.userName}/music
fi
- if [ ! -d /home/${config.monorepo.vars.userName}/org ]; then
- mkdir -p /home/${config.monorepo.vars.userName}/org
+ if [ ! -d /home/${super.monorepo.vars.userName}/org ]; then
+ mkdir -p /home/${super.monorepo.vars.userName}/org
fi
- if [ ! -d /home/${config.monorepo.vars.userName}/src ]; then
- mkdir -p /home/${config.monorepo.vars.userName}/src
+ if [ ! -d /home/${super.monorepo.vars.userName}/src ]; then
+ mkdir -p /home/${super.monorepo.vars.userName}/src
fi
- touch /home/${config.monorepo.vars.userName}/org/agenda.org
- touch /home/${config.monorepo.vars.userName}/org/notes.org
+ touch /home/${super.monorepo.vars.userName}/org/agenda.org
+ touch /home/${super.monorepo.vars.userName}/org/notes.org
'';
enableNixpkgsReleaseCheck = false;
- username = config.monorepo.vars.userName;
- homeDirectory = "/home/${config.monorepo.vars.userName}";
+ username = super.monorepo.vars.userName;
+ homeDirectory = "/home/${super.monorepo.vars.userName}";
stateVersion = "24.11";
packages = with pkgs; (if config.monorepo.profiles.graphics.enable then [