cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity

Compare commits

base: cnst:068f47e9a26a2caf8622ff32c581e70df2b1b130
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken
..
compare: cnst:main
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken

66 Commits
068f47e9a2 ... main

Author SHA1 Message Date
cnst
f9f3abee19 fix(pkgs): moving some home.packages to system 2025-11-02 16:50:13 +01:00
cnst
15bc0f211f fix(fish): fixing nixpkgs module with lib.getExe 2025-11-02 16:30:56 +01:00
cnst
f0fb53b480 feat(tailscale): adding tailscale to bunk 2025-11-02 15:47:49 +01:00
cnst
1ae85bd66e feat(fish): disable gpg, its fking up fish atm 2025-11-02 12:14:31 +01:00
cnst
87b49d0f58 feat(fish): adding some abbrs for dry running and show trace 2025-11-02 10:14:05 +01:00
cnst
c5a1c2861c feat(kanata) adding pipe symbol 2025-11-02 10:07:07 +01:00
cnst
8dc67e2b54 chore(update): flake lock 2025-10-28 19:47:35 +01:00
cnst
322136e4f3 Merge pull request 'bunk things' (#8) from bunk into main 
Reviewed-on: #8
 2025-10-28 19:47:07 +01:00
cnst
300eb66afc bunk things 2025-10-28 19:25:34 +01:00
cnst
545888878e Merge pull request 'chore(update): flake up' (#7) from upd into main 
Reviewed-on: #7
 2025-10-26 19:16:27 +01:00
cnst
5042675e0b chore(update): flake up 2025-10-26 19:14:50 +01:00
cnst
ece5e89a84 feat(hyprlock): visuals 2025-10-26 00:31:45 +02:00
cnst
2933bcdf02 feat(unbound): adding manual traefik data 2025-10-25 18:48:20 +02:00
cnst
59e548f02e feat(headscale): remove for now 2025-10-25 14:13:30 +02:00
cnst
2ffc94161d chore(dead): remove obsolete code 2025-10-25 14:04:38 +02:00
cnst
ff5490194b feat(headscale): just an initial test 2025-10-25 14:03:34 +02:00
cnst
1dd06ef3f5 chore(git): fix deprecated settings 2025-10-23 19:13:12 +02:00
cnst
ec9a3bd845 feat(waybar) some visual updates 2025-10-20 20:15:26 +02:00
cnst
2c08f78586 feat(hypr): more keybindings 2025-10-20 18:22:52 +02:00
cnst
d22801168f feat(hypr): add swapping window bind 2025-10-20 18:16:59 +02:00
cnst
0c86dc56bd chore(update): flake up 2025-10-18 14:57:12 +02:00
cnst
3d8deae6f3 feat(llm): testing some local models 2025-10-16 21:20:40 +02:00
cnst
cd978f5eb6 feat(hypr): back to hyprland, and fix some clib importing stuffs 2025-10-15 20:00:31 +02:00
cnst
64df7abad5 feat(hypr): clean up 2025-10-15 19:38:47 +02:00
cnst
8efa649d47 feat(homepage-dashboard): change vaultwarden icon 2025-10-15 18:01:39 +02:00
cnst
2dc09e23a0 chore(jellyseerr): typo 2025-10-15 17:50:11 +02:00
cnst
8fd2a7d9ad feat(homepage-dashboard): reintroduce path option 2025-10-15 17:49:30 +02:00
cnst
113892b75d chore(update): flake lock 2025-10-14 22:43:59 +02:00
cnst
001dfbf27f chore(traefik): delete dead code 2025-10-14 22:00:16 +02:00
cnst
3deca06206 Merge pull request 'refactor' (#6) from refactor into main 
Reviewed-on: #6
 2025-10-14 21:56:13 +02:00
cnst
07333b4544 feat(refactor): ready for merge 2025-10-14 21:50:44 +02:00
cnst
63f495fa0d feat(refactor): WIP 2.0 some progress 2025-10-13 21:13:53 +02:00
cnst
d2bd385367 feat(refactor): WIP refactor server modules 2025-10-12 21:07:30 +02:00
cnst
57cb48a11c feat(gaming): cleaning up gaming related pkgs 2025-10-11 16:44:54 +02:00
cnst
6b7ca2b194 feat(update): new kernel, new container versions and temporarily moving to zfs_unstable in waiting for stable to catch up with new kernel 2025-10-11 11:04:15 +02:00
cnst
e578a280db chore(update): flake lock and removing unmaintained pkgs 2025-10-11 09:40:35 +02:00
cnst
01ca3d7ebe feat(gitea): integrate with authentik 2025-10-08 20:39:54 +02:00
cnst
46aa5a9deb fix(fail2ban): some hacky fix 2025-10-07 21:05:43 +02:00
cnst
549037fe69 chore(flake) lock 2025-10-06 21:00:09 +02:00
cnst
0cb6862dcd feat(sqlite): adding sqlite pkgs 2025-10-06 20:57:01 +02:00
cnst
9e4454ff57 feat(gitea): move to cnst.dev domain, cf tunnel 2025-10-06 20:55:31 +02:00
cnst
15a20dd8e0 feat(pkgs): adding some dev pkgs to sobotka and dig as default 2025-10-05 19:27:15 +02:00
cnst
3306598f8a feat(jellyfin): adding to tnet 2025-10-05 19:10:43 +02:00
cnst
93f227ba7e feat(network): adding options for dns and search 2025-10-05 15:40:52 +02:00
cnst
9d20eff7f9 feat(jellyfin): TS testing 2025-10-05 10:47:08 +02:00
cnst
94d3f2ad35 feat(jellyfin): will this break things? 2025-10-05 10:35:22 +02:00
cnst
1d5bc22274 Merge branch 'main' into working 2025-10-05 10:21:16 +02:00
cnst
f2386a851e working 1 2025-10-05 10:11:40 +02:00
cnst
c9edc99a85 chore(revert): slowly introducing changes 2025-10-05 09:27:51 +02:00
cnst
67e83e3e4e feat(authentik): fixing some fail2ban things 2025-10-02 05:45:35 +02:00
cnst
923c810972 feat(authentik): fixing some fail2ban things 2025-10-01 18:00:55 +02:00
cnst
6ab35f4e91 feat(www): fixing fail2ban and other minor tweaks 2025-09-30 18:16:49 +02:00
cnst
593f0e619c chore(ded): remove dead code 2025-09-29 19:31:23 +02:00
cnst
688e23d229 feat(pstate): opt in changes and sooooo 2025-09-29 19:28:33 +02:00
cnst
725a3ed27e chore(niri): go to nixpkgs niri release 2025-09-29 17:10:38 +02:00
cnst
e45dc0d223 feat(homelab): fixing cf tunnels, authentik and tailscale! 2025-09-28 18:27:17 +02:00
cnst
bc78dd7302 chore(?): hm 2025-09-28 16:24:32 +02:00
cnst
94c34f8675 chore(update): flake lock 2025-09-28 08:03:38 +02:00
cnst
fda7d972c4 chore(age): adding bunk credentials to agenix 2025-09-27 19:54:03 +02:00
cnst
f6bb6672bb chore(agenix): refactor some secrets 2025-09-27 14:35:04 +02:00
cnst
68f1cb9b09 chore(misc): removing dead code and small insignificant changes 2025-09-26 20:41:26 +02:00
cnst
e721a2088b feat(homepage-dashboard): adding some disk info 2025-09-26 17:41:19 +02:00
cnst
551a47989c Merge pull request 'feat(swaybg) adding swaybg and some script' (#5) from wutwut into main 
Reviewed-on: https://git.cnix.dev/cnst/cnix/pulls/5
 2025-09-25 17:30:37 +02:00
cnst
2cb07c45a7 Merge pull request 'feat(swaybg) adding bg script' (#4) from wut into main 
Reviewed-on: https://git.cnix.dev/cnst/cnix/pulls/4
 2025-09-25 17:26:09 +02:00
cnst
4666731676 feat(swaybg) adding swaybg and some script 2025-09-25 17:17:49 +02:00
cnst
8fe6382c48 feat(swaybg) adding bg script 2025-09-25 17:16:55 +02:00
118 changed files with 2795 additions and 3006 deletions
Expand all files Collapse all files

520
flake.lock generated
View File

File diff suppressed because it is too large Load Diff

8
flake.nix
View File

@@ -53,11 +53,7 @@
};
authentik = {
url = "github:nix-community/authentik-nix";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-parts.follows = "flake-parts";
};
url = "github:nix-community/authentik-nix/version/2025.8.4";
};
flake-compat.url = "github:edolstra/flake-compat";
@@ -144,8 +140,6 @@
inputs.nixpkgs.follows = "nixpkgs";
};
niri.url = "github:sodiboo/niri-flake";
# Custom
tuirun = {
url = "git+https://git.sr.ht/~canasta/tuirun";

10
hosts/bunk/default.nix
View File

@@ -38,17 +38,11 @@ in
./settings.nix
];
boot.initrd.luks.devices."luks-0ad53967-bb38-4485-be75-ca55ae4c3b68".device = "/dev/disk/by-uuid/0ad53967-bb38-4485-be75-ca55ae4c3b68";
networking.hostName = "bunk";
swapDevices = [
{
device = "/var/lib/swapfile";
size = 32 * 1024;
}
];
environment.variables.NH_FLAKE = "/home/cnst/.nix-config";
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = lib.mkDefault "23.11";
system.stateVersion = lib.mkDefault "25.05";
}

56
hosts/bunk/hardware-configuration.nix
View File

@@ -1,48 +1,36 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
kernelModules = [ "amdgpu" ];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d15672b5-dc97-4f99-9ad2-70f9ddf20447";
fsType = "btrfs";
options = [ "subvol=@" ];
};
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
boot.initrd.luks.devices."luks-2f0dfe96-bc63-4f38-b190-3d9fa45dc560".device = "/dev/disk/by-uuid/2f0dfe96-bc63-4f38-b190-3d9fa45dc560";
fileSystems."/" = {
device = "/dev/disk/by-uuid/da41c89a-7ab8-4697-9a14-0d115b97cc2e";
fsType = "ext4";
};
boot.initrd.luks.devices."luks-e75ac560-748f-4071-bbe7-479678400be3".device =
"/dev/disk/by-uuid/e75ac560-748f-4071-bbe7-479678400be3";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7E84-D168";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/F3FC-3CDF";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/e6464248-0d1e-4950-bf48-4cebeabaf871"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction

24
hosts/bunk/modules.nix
View File

@@ -27,6 +27,13 @@
};
network = {
enable = true;
nameservers = [
"192.168.88.1"
"192.168.88.69"
];
search = [
"taila7448a.ts.net"
];
interfaces = {
"wlp6s0" = {
allowedTCPPorts = [
@@ -73,8 +80,8 @@
enable = false;
};
hyprland = {
enable = false;
withUWSM = false;
enable = true;
withUWSM = true;
};
inkscape = {
enable = false;
@@ -86,7 +93,7 @@
enable = true;
};
niri = {
enable = true;
enable = false;
};
pkgs = {
enable = true;
@@ -123,10 +130,10 @@
enable = false;
};
thunar = {
enable = true;
enable = false;
};
yubikey = {
enable = true;
enable = false;
};
zsh = {
enable = false;
@@ -168,7 +175,7 @@
enable = true;
};
mullvad = {
enable = true;
enable = false;
};
nix-ld = {
enable = false;
@@ -191,11 +198,14 @@
samba = {
enable = false;
};
tailscale = {
enable = true;
};
udisks = {
enable = true;
};
zram = {
enable = false;
enable = true;
};
};
system = {

6
hosts/bunk/settings.nix
View File

@@ -10,7 +10,7 @@
name = "DP-3";
width = 2560;
height = 1440;
refreshRate = 240;
refreshRate = "143.99";
position = "0x0";
transform = 0;
bitDepth = 10;
@@ -20,7 +20,7 @@
name = "HDMI-A-1";
width = 1920;
height = 1080;
refreshRate = 60;
refreshRate = "60";
position = "2560x0";
# transform = 3;
workspace = "5";
@@ -29,7 +29,7 @@
name = "eDP-1";
width = 1920;
height = 1200;
refreshRate = 60;
refreshRate = "60";
workspace = "1";
}
];

27
hosts/default.nix
View File

@@ -4,9 +4,11 @@
homeImports,
self,
...
}: {
flake.nixosConfigurations = let
cLib = import ../lib inputs.nixpkgs.lib;
}:
{
flake.nixosConfigurations =
let
clib = import ../lib inputs.nixpkgs.lib;
userConfig = "${self}/home";
systemConfig = "${self}/system";
hostConfig = "${self}/hosts";
@@ -22,7 +24,6 @@
specialArgs = {
inherit
cLib
inputs
outputs
self
@@ -35,16 +36,20 @@
smodPath
;
};
in {
specialArgsWithClib = specialArgs // {
inherit clib;
};
in
{
kima = nixosSystem {
inherit specialArgs;
specialArgs = specialArgsWithClib;
modules = [
./kima
"${self}/nix"
{
home-manager = {
users.cnst.imports = homeImports."cnst@kima";
extraSpecialArgs = specialArgs;
extraSpecialArgs = specialArgsWithClib;
};
}
self.nixosModules.nixos
@@ -54,14 +59,14 @@
];
};
bunk = nixosSystem {
inherit specialArgs;
specialArgs = specialArgsWithClib;
modules = [
./bunk
"${self}/nix"
{
home-manager = {
users.cnst.imports = homeImports."cnst@bunk";
extraSpecialArgs = specialArgs;
extraSpecialArgs = specialArgsWithClib;
};
}
self.nixosModules.nixos
@@ -94,14 +99,14 @@
];
};
toothpc = nixosSystem {
inherit specialArgs;
specialArgs = specialArgsWithClib;
modules = [
./toothpc
"${self}/nix"
{
home-manager = {
users.toothpick.imports = homeImports."toothpick@toothpc";
extraSpecialArgs = specialArgs;
extraSpecialArgs = specialArgsWithClib;
};
}
self.nixosModules.nixos

19
hosts/kima/modules.nix
View File

@@ -5,6 +5,7 @@
variant = "latest";
hardware = [ "amd" ];
extraKernelParams = [ ];
amdOverdrive.enable = true;
};
loader = {
default = {
@@ -28,6 +29,13 @@
};
network = {
enable = true;
nameservers = [
"192.168.88.1"
"192.168.88.69"
];
search = [
"taila7448a.ts.net"
];
interfaces = {
"eno1" = {
allowedTCPPorts = [
@@ -65,7 +73,7 @@
};
};
gamescope = {
enable = true;
enable = false;
};
gimp = {
enable = true;
@@ -74,8 +82,8 @@
enable = false;
};
hyprland = {
enable = false;
withUWSM = false;
enable = true;
withUWSM = true;
};
inkscape = {
enable = false;
@@ -90,7 +98,7 @@
enable = true;
};
niri = {
enable = true;
enable = false;
};
pkgs = {
enable = true;
@@ -214,6 +222,9 @@
scheduler = "scx_lavd";
flags = "--performance";
};
tailscale = {
enable = true;
};
udisks = {
enable = true;
};

6
hosts/kima/settings.nix
View File

@@ -10,7 +10,7 @@
name = "DP-3";
width = 2560;
height = 1440;
refreshRate = 240;
refreshRate = "143.99";
position = "0x0";
transform = 0;
bitDepth = 10;
@@ -20,7 +20,7 @@
name = "HDMI-A-1";
width = 1920;
height = 1080;
refreshRate = 60;
refreshRate = "60";
position = "2560x0";
transform = 3;
workspace = "5";
@@ -29,7 +29,7 @@
name = "eDP-1";
width = 1920;
height = 1200;
refreshRate = 60;
refreshRate = "60";
workspace = "1";
}
];

6
hosts/sobotka/default.nix
View File

@@ -39,6 +39,7 @@ in {
"share"
"jellyfin"
"render"
"traefik"
];
};
@@ -67,7 +68,10 @@ in {
boot = {
supportedFilesystems = ["zfs"];
zfs.extraPools = ["data"];
zfs = {
package = pkgs.zfs_unstable;
extraPools = ["data"];
};
};
services.zfs = {

5
hosts/sobotka/modules.nix
View File

@@ -109,7 +109,7 @@
enable = true;
};
dev = {
enable = false;
enable = true;
};
};
mysql-workbench = {
@@ -213,6 +213,9 @@
scheduler = "scx_lavd";
flags = "--performance";
};
tailscale = {
enable = false;
};
udisks = {
enable = true;
};

281
hosts/sobotka/server.nix
View File

@@ -3,69 +3,31 @@
enable = true;
email = "adam@cnst.dev";
domain = "cnix.dev";
ip = "192.168.88.14";
user = "share";
group = "share";
uid = 994;
gid = 993;
infra = {
authentik = {
enable = true;
url = "auth.cnst.dev";
port = 9000;
cloudflared = {
tunnelId = "b66f9368-db9e-4302-8b48-527cda34a635";
credentialsFile = config.age.secrets.authentikCloudflared.path;
};
};
traefik = {
enable = true;
};
www = {
enable = true;
url = "cnst.dev";
};
gitea = {
tailscale = {
enable = true;
};
unbound = {
enable = true;
};
acme = {
enable = false;
};
homepage-dashboard = {
enable = true;
};
bazarr = {
enable = true;
};
prowlarr = {
enable = true;
};
lidarr = {
enable = true;
};
sonarr = {
enable = true;
};
radarr = {
enable = true;
};
jellyseerr = {
enable = true;
};
jellyfin = {
enable = true;
};
uptime-kuma = {
enable = true;
};
vaultwarden = {
enable = true;
url = "vault.cnst.dev";
cloudflared = {
tunnelId = "fdd98086-6a4c-44f2-bba0-eb86b833cce5";
credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
};
};
nextcloud = {
enable = true;
adminpassFile = config.age.secrets.nextcloudAdminPass.path;
};
fail2ban = {
enable = true;
apiKeyFile = config.age.secrets.cloudflareFirewallApiKey.path;
@@ -75,19 +37,242 @@
enable = true;
interface = "enp6s0";
};
gluetun = {
enable = true;
};
podman = {
enable = true;
gluetun.enable = true;
};
www = {
enable = true;
url = "cnst.dev";
port = 8283;
cloudflared = {
tunnelId = "e5076186-efb7-405a-998c-6155af7fb221";
credentialsFile = config.age.secrets.wwwCloudflared.path;
};
};
};
services = {
homepage-dashboard = {
enable = true;
subdomain = "dash";
exposure = "local";
port = 8082;
};
n8n = {
enable = true;
subdomain = "n8n";
exposure = "local";
port = 5678;
homepage = {
name = "n8n";
description = "A workflow automation platform";
icon = "n8n.svg";
category = "Services";
};
};
ollama = {
enable = true;
subdomain = "ai";
exposure = "local";
port = 8001;
homepage = {
name = "ollama";
description = "AI platform";
icon = "ollama.svg";
category = "Services";
};
};
bazarr = {
enable = true;
subdomain = "bazarr";
exposure = "local";
port = 6767;
homepage = {
name = "Bazarr";
description = "Subtitle manager";
icon = "bazarr.svg";
category = "Arr";
};
};
prowlarr = {
enable = true;
subdomain = "prowlarr";
exposure = "local";
port = 9696;
homepage = {
name = "Prowlarr";
description = "PVR indexer";
icon = "prowlarr.svg";
category = "Arr";
};
};
flaresolverr = {
enable = true;
subdomain = "flaresolverr";
exposure = "local";
port = 8191;
homepage = {
name = "FlareSolverr";
description = "Proxy to bypass Cloudflare/DDoS-GUARD protection";
icon = "flaresolverr.svg";
category = "Arr";
};
};
lidarr = {
enable = true;
subdomain = "lidarr";
exposure = "local";
port = 8686;
homepage = {
name = "Lidarr";
description = "Music collection manager";
icon = "lidarr.svg";
category = "Arr";
};
};
sonarr = {
enable = true;
subdomain = "sonarr";
exposure = "local";
port = 8989;
homepage = {
name = "Sonarr";
description = "Internet PVR for Usenet and Torrents";
icon = "sonarr.svg";
category = "Arr";
};
};
radarr = {
enable = true;
subdomain = "radarr";
exposure = "local";
port = 7878;
homepage = {
name = "Radarr";
description = "Movie collection manager";
icon = "radarr.svg";
category = "Arr";
};
};
jellyseerr = {
enable = true;
subdomain = "jellyseerr";
exposure = "local";
port = 5055;
homepage = {
name = "Jellyseerr";
description = "Media request and discovery manager";
icon = "jellyseerr.svg";
category = "Arr";
};
};
jellyfin = {
enable = true;
subdomain = "fin";
exposure = "tailscale";
port = 8096;
homepage = {
name = "Jellyfin";
description = "The Free Software Media System";
icon = "jellyfin.svg";
category = "Media";
};
};
uptime-kuma = {
enable = true;
subdomain = "uptime";
exposure = "local";
port = 3001;
homepage = {
name = "Uptime Kuma";
description = "Service monitoring tool";
icon = "uptime-kuma.svg";
category = "Services";
};
};
gitea = {
enable = true;
subdomain = "git";
exposure = "tunnel";
port = 5003;
cloudflared = {
tunnelId = "33e2fb8e-ecef-4d42-b845-6d15e216e448";
credentialsFile = config.age.secrets.giteaCloudflared.path;
};
homepage = {
name = "Gitea";
description = "Git with a cup of tea";
icon = "gitea.svg";
category = "Services";
};
};
vaultwarden = {
enable = true;
subdomain = "vault";
exposure = "tunnel";
port = 8222;
cloudflared = {
tunnelId = "fdd98086-6a4c-44f2-bba0-eb86b833cce5";
credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
};
homepage = {
name = "Vaultwarden";
description = "Password manager";
icon = "vaultwarden-light.svg";
category = "Services";
};
};
nextcloud = {
enable = true;
subdomain = "cloud";
exposure = "local";
port = 8182;
homepage = {
name = "Nextcloud";
description = "A safe home for all your data";
icon = "nextcloud.svg";
category = "Services";
};
};
qbittorrent = {
enable = true;
subdomain = "qbt";
exposure = "local";
port = 8080;
homepage = {
name = "qBittorrent";
description = "Torrent client";
icon = "qbittorrent.svg";
category = "Downloads";
};
};
slskd = {
enable = true;
subdomain = "slskd";
exposure = "local";
port = 5030;
homepage = {
name = "Soulseek";
description = "Web-based Soulseek client";
icon = "slskd.svg";
category = "Downloads";
};
};
pihole = {
enable = true;
subdomain = "pihole";
exposure = "local";
port = 8053;
homepage = {
name = "PiHole";
description = "Adblocking and DNS service";
icon = "pi-hole.svg";
category = "Services";
path = "/admin";
};
};
};
};

4
hosts/sobotka/settings.nix
View File

@@ -4,6 +4,10 @@
username = "cnst";
mail = "adam@cnst.dev";
sshUser = "sobotka";
domains = {
local = "cnix.dev";
public = "cnst.dev";
};
};
};
}

2
hosts/toothpc/settings.nix
View File

@@ -10,7 +10,7 @@
name = "DVI-D-1";
width = 1920;
height = 1080;
refreshRate = 144;
refreshRate = "144";
position = "0x0";
transform = 0;
workspace = "1";

3
hosts/ziggy/server.nix
View File

@@ -11,9 +11,6 @@
unbound = {
enable = true;
};
acme = {
enable = true;
};
homepage-dashboard = {
enable = false;
};

26
lib/server/default.nix Normal file
View File

@@ -0,0 +1,26 @@
{lib}: let
server = {
mkDomain = config: service: let
localDomain = config.settings.accounts.domains.local;
publicDomain = config.settings.accounts.domains.public;
tailscaleDomain = "ts.${publicDomain}";
in
if service.exposure == "tunnel"
then publicDomain
else if service.exposure == "tailscale"
then tailscaleDomain
else localDomain;
mkFullDomain = config: service: let
domain = server.mkDomain config service;
in "${service.subdomain}.${domain}";
mkHostDomain = config: service: let
domain = server.mkDomain config service;
in "${domain}";
mkSubDomain = config: service: "${service.subdomain}";
};
in {
server = server;
}

10
lib/theme/bgs.nix
View File

@@ -1,11 +1,11 @@
lib: {
bgs = rec {
files = {
wallpaper_1 = "~/media/images/bg_1.jpg";
wallpaper_2 = "~/media/images/bg_2.jpg";
wallpaper_3 = "~/media/images/bg_3.jpg";
wallpaper_4 = "~/media/images/waterwindow.jpg";
wallpaper_5 = "~/media/images/barngreet.png";
wallpaper_1 = "~/media/images/bgs/bg_1.jpg";
wallpaper_2 = "~/media/images/bgs/bg_2.jpg";
wallpaper_3 = "~/media/images/bgs/bg_3.jpg";
wallpaper_4 = "~/media/images/bgs/waterwindow.jpg";
wallpaper_5 = "~/media/images/bgs/barngreet.png";
};
list = builtins.attrNames files;

23
modules/default.nix
View File

@@ -100,7 +100,6 @@
./nixos/services/virtualisation
./nixos/services/locate
./nixos/services/mullvad
./nixos/services/mullvad-netns
./nixos/services/nfs
./nixos/services/nix-ld
./nixos/services/openssh
@@ -114,6 +113,7 @@
./nixos/services/udisks
./nixos/services/xserver
./nixos/services/zram
./nixos/services/tailscale
./nixos/system/fonts
./nixos/system/locale
@@ -123,27 +123,6 @@
server = {
imports = [
./server
./server/acme
./server/fail2ban
./server/homepage-dashboard
./server/nextcloud
./server/vaultwarden
./server/bazarr
./server/prowlarr
./server/lidarr
./server/radarr
./server/sonarr
./server/jellyseerr
./server/jellyfin
./server/podman
./server/unbound
./server/uptime-kuma
./server/keepalived
./server/gitea
./server/postgres
./server/traefik
./server/www
./server/authentik
];
};
settings = {

2
modules/home/programs/alacritty/default.nix
View File

@@ -74,7 +74,7 @@ in
];
window = {
dynamic_title = true;
opacity = 0.9;
opacity = 0.95;
padding = {
x = 5;
y = 5;

23
modules/home/programs/fish/default.nix
View File

@@ -6,8 +6,9 @@
}:
let
inherit (lib) mkIf mkEnableOption;
inherit (lib.meta) getExe;
inherit (pkgs) eza bat;
packageNames = map (p: p.pname or p.name or null) config.home.packages;
hasPackage = name: lib.any (x: x == name) packageNames;
hasEza = hasPackage "eza";
cfg = config.home.programs.fish;
in
{
@@ -28,7 +29,9 @@ in
nixclean = "nh clean all --keep 3";
nixdev = "nix develop ~/.nix-config -c $SHELL";
nixup = "nh os switch -H $hostname";
nixupv = "nh os switch -v -H $hostname";
nixupn = "nh os switch -n -H $hostname";
nixupv = "nh os switch -v --show-trace -H $hostname";
nixupvn = "nh os switch -n -v --show-trace -H $hostname";
flakeup = "nix flake update";
};
shellAliases = {
@@ -44,12 +47,8 @@ in
nset = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/settings.nix";
nixosmodules = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/modules.nix";
nmod = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/modules.nix";
tree = "${getExe eza} --tree --icons=always";
cat = "${getExe bat} --style=plain";
ls = "${getExe eza} -h --git --icons --color=auto --group-directories-first -s extension";
ll = "${getExe eza} -l --git --icons --color=auto --group-directories-first -s extension";
lat = "${getExe eza} -lah --tree --color=auto --group-directories-first -s extension";
la = "${getExe eza} -lah --color=auto --group-directories-first -s extension";
ls = mkIf hasEza "eza";
tree = mkIf hasEza "eza --tree --icons=always";
# Clear screen and scrollback
clear = "printf '\\033[2J\\033[3J\\033[1;1H'";
};
@@ -59,14 +58,12 @@ in
# Merge history when pressing up
up-or-search = lib.readFile ./up-or-search.fish;
# Check stuff in PATH
nix-inspect =
# fish
nix-inspect = # fish
''
set -s PATH | grep "PATH\[.*/nix/store" | cut -d '|' -f2 | grep -v -e "-man" -e "-terminfo" | perl -pe 's:^/nix/store/\w{32}-([^/]*)/bin$:\1:' | sort | uniq
'';
};
interactiveShellInit =
# fish
interactiveShellInit = # fish
''
# Open command buffer in vim when alt+e is pressed
bind \ee edit_command_buffer

25
modules/home/programs/git/default.nix
View File

@@ -15,17 +15,16 @@ in
};
config = mkIf cfg.enable {
home.packages = [ pkgs.gh ];
programs.git = {
programs = {
git = {
enable = true;
userName = osConfig.settings.accounts.username;
userEmail = osConfig.settings.accounts.mail;
delta = {
enable = true;
options.dark = true;
};
extraConfig = {
settings = {
# user.signingkey = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
user.signingkey = "${config.home.homeDirectory}/.config/git/allowed_signers";
user = {
name = osConfig.settings.accounts.username;
email = osConfig.settings.accounts.mail;
signingkey = "${config.home.homeDirectory}/.config/git/allowed_signers";
};
signing = {
format = lib.mkDefault "ssh";
key = "${config.home.homeDirectory}/.ssh/id_ed25519";
@@ -56,6 +55,14 @@ in
".jj"
];
};
delta = {
enableGitIntegration = true;
enable = true;
options.dark = true;
};
};
xdg.configFile."git/allowed_signers".text = ''
${osConfig.settings.accounts.mail} namespaces="git" ${osConfig.settings.accounts.sshKey}
'';

17
modules/home/programs/hyprlock/default.nix
View File

@@ -1,26 +1,20 @@
{
inputs,
pkgs,
lib,
osConfig,
cLib,
clib,
...
}:
let
inherit (lib) mkIf mkEnableOption;
inherit (lib) mkIf;
cfg = osConfig.nixos.programs.hyprland;
hyprlockFlake = inputs.hyprlock.packages.${pkgs.system}.hyprlock;
# hyprlockPkg = pkgs.hyprlock;
#
bg = osConfig.settings.theme.background;
inherit (cLib.theme.bgs) resolve;
inherit (clib.theme.bgs) resolve;
in
{
config = mkIf cfg.enable {
programs.hyprlock = {
enable = true;
package = hyprlockFlake;
settings = {
general = {
# disable_loading_bar = true;
@@ -60,6 +54,7 @@ in
position = "0, 20";
halign = "center";
valign = "center";
font_family = "DepartureMono Nerd Font Mono Italic";
}
];
label = [
@@ -71,7 +66,7 @@ in
shadow_boost = 0.5;
color = "rgba(FFFFFFFF)";
font_size = 25;
font_family = "Input Mono Compressed";
font_family = "DepartureMono Nerd Font Mono Regular";
position = "0, 230";
halign = "center";
valign = "center";
@@ -84,7 +79,7 @@ in
shadow_boost = 0.5;
color = "rgba(FFFFFFFF)";
font_size = 85;
font_family = "Input Mono Compressed";
font_family = "DepartureMono Nerd Font Mono Regular";
position = "0, 300";
halign = "center";
valign = "center";

70
modules/home/programs/mpv/default.nix
View File

@@ -7,6 +7,9 @@
let
inherit (lib) mkIf mkEnableOption;
cfg = config.home.programs.mpv;
inherit (config.xdg.userDirs) videos;
inherit (config.home) homeDirectory;
shaders_dir = "${pkgs.mpv-shim-default-shaders}/share/mpv-shim-default-shaders/shaders";
in
{
options = {
@@ -15,8 +18,71 @@ in
config = mkIf cfg.enable {
programs.mpv = {
enable = true;
defaultProfiles = [ "gpu-hq" ];
scripts = [ pkgs.mpvScripts.mpris ];
config = {
profile = "gpu-hq";
gpu-context = "wayland";
vo = "gpu-next";
video-sync = "display-resample";
interpolation = true;
tscale = "oversample";
fullscreen = false;
keep-open = true;
sub-auto = "fuzzy";
sub-font = "Noto Sans Medium";
sub-blur = 10;
screenshot-format = "png";
title = "\${filename} - mpv";
script-opts = "osc-title=\${filename},osc-boxalpha=150,osc-visibility=never,osc-boxvideo=yes";
ytdl-format = "bestvideo[height<=?1440]+bestaudio/best";
ao = "pipewire";
alang = "eng,en";
slang = "eng,en,enUS";
glsl-shader = "${homeDirectory}/.config/mpv/shaders/FSR.glsl";
scale = "lanczos";
cscale = "lanczos";
dscale = "mitchell";
deband = "yes";
scale-antiring = 1;
osc = "no";
osd-on-seek = "no";
osd-bar = "no";
osd-bar-w = 30;
osd-bar-h = "0.2";
osd-duration = 750;
really-quiet = "yes";
autofit = "65%";
};
bindings = {
"ctrl+a" = "script-message osc-visibility cycle";
};
scripts = with pkgs.mpvScripts; [
mpris
uosc
thumbfast
sponsorblock
autocrop
];
};
programs.yt-dlp = {
enable = true;
extraConfig = ''
-o ${videos}/youtube/%(title)s.%(ext)s
'';
};
home = {
file = {
".config/mpv/shaders/FSR.glsl".source = "${shaders_dir}/FSR.glsl";
};
packages = with pkgs; [
jellyfin-mpv-shim
];
};
};
}

10
modules/home/programs/pkgs/default.nix
View File

@@ -62,16 +62,8 @@ in
[
cmatrix
xcur2png
ripgrep
file
fd
gnused
nix-tree
wireguard-tools
unzip
zip
gnutar
p7zip
]
(mkIf cfg.common.enable [
@@ -88,7 +80,7 @@ in
hyprpicker
libnotify
pamixer
oculante
loupe
adwaita-icon-theme
qt5.qtwayland
qt6.qtwayland

22
modules/home/programs/waybar/config/config.jsonc
View File

@@ -10,7 +10,7 @@
"group/system"
],
"modules-center": [
"niri/workspaces"
"hyprland/workspaces"
],
"modules-right": [
"custom/progress",
@@ -126,16 +126,28 @@
"all-outputs": false,
"format": "{icon}",
"format-icons": {
"urgent": "",
"visible": "",
"empty": ""
"1": "1",
"2": "2",
"3": "3",
"4": "4",
"5": "5",
"6": "6",
"7": "7",
"8": "8",
"9": "9",
"default": "_",
"active": "_"
},
"on-click": "activate",
"show-special": false,
"on-scroll-up": "hyprctl dispatch workspace r-1",
"on-scroll-down": "hyprctl dispatch workspace r+1",
"persistent-workspaces": {
"*": 3
"1": [],
"2": [],
"3": [],
"4": [],
"5": []
}
},
"niri/workspaces": {

6
modules/home/programs/waybar/config/style.css
View File

@@ -28,8 +28,8 @@ tooltip label {
margin: 0 0px;
background-color: transparent;
color: #fbf1c7;
border-top: 3px solid transparent;
border-bottom: 3px solid transparent;
border-top: 4px solid transparent;
border-bottom: 4px solid transparent;
}
#workspaces button:hover {
@@ -45,7 +45,7 @@ tooltip label {
background-image: url("assets/button.svg");
background-position: center;
background-repeat: no-repeat;
background-size: 18px 15px;
background-size: 21px 18px;
}
#custom-trayicon {

12
modules/home/services/hypridle/default.nix
View File

@@ -1,22 +1,14 @@
{
osConfig,
lib,
pkgs,
inputs,
...
}:
let
}: let
inherit (lib) mkIf;
cfg = osConfig.nixos.programs.hyprland;
hypridleFlake = inputs.hypridle.packages.${pkgs.system}.hypridle;
# hypridlePkg = pkgs.hypridle;
in
{
in {
config = mkIf cfg.enable {
services.hypridle = {
enable = true;
package = hypridleFlake;
settings = {
general = {
lock_cmd = "hyprlock";

14
modules/home/services/hyprpaper/default.nix
View File

@@ -1,18 +1,14 @@
{
lib,
pkgs,
inputs,
osConfig,
cLib,
clib,
...
}:
let
}: let
inherit (lib) mkIf;
cfg = osConfig.nixos.programs.hyprland;
hyprpaperFlake = inputs.hyprpaper.packages.${pkgs.system}.default;
bg = osConfig.settings.theme.background;
bgs = cLib.theme.bgs;
bgs = clib.theme.bgs;
monitorMappings = [
{
@@ -32,12 +28,10 @@ let
bg = bg.primary;
}
];
in
{
in {
config = mkIf cfg.enable {
services.hyprpaper = {
enable = true;
package = hyprpaperFlake;
settings = {
ipc = "on";

18
modules/home/services/xdg/default.nix
View File

@@ -84,15 +84,15 @@ in
"application/pdf" = "org.pwmt.zathura-pdf-mupdf.desktop";
"inode/directory" = "thunar.desktop";
"image/apng" = "oculante.desktop";
"image/avif" = "oculante.desktop";
"image/bmp" = "oculante.desktop";
"image/gif" = "oculante.desktop";
"image/jpeg" = "oculante.desktop";
"image/png" = "oculante.desktop";
"image/svg+xml" = "oculante.desktop";
"image/tiff" = "oculante.desktop";
"image/webp" = "oculante.desktop";
"image/apng" = "feh.desktop";
"image/avif" = "feh.desktop";
"image/bmp" = "feh.desktop";
"image/gif" = "feh.desktop";
"image/jpeg" = "feh.desktop";
"image/png" = "feh.desktop";
"image/svg+xml" = "feh.desktop";
"image/tiff" = "feh.desktop";
"image/webp" = "feh.desktop";
"video/H264" = [
"mpv.desktop"

13
modules/nixos/boot/kernel/default.nix
View File

@@ -5,7 +5,12 @@
...
}:
let
inherit (lib) mkOption types;
inherit (lib)
mkOption
types
mkEnableOption
mkIf
;
cfg = config.nixos.boot.kernel;
hasHardware = hw: builtins.elem hw cfg.hardware;
@@ -37,8 +42,11 @@ in
);
default = [ ];
description = "List of hardware types (e.g. GPU and CPU vendors) to configure kernel settings for.";
};
amdOverdrive.enable = mkEnableOption "Enable AMD pstate/overdrive";
extraKernelParams = mkOption {
type = types.listOf types.str;
default = [ ];
@@ -74,7 +82,7 @@ in
"quiet"
"splash"
]
++ (if hasHardware "amd" then [ "amd_pstate=active" ] else [ ])
++ (if hasHardware "amd" then [ ] else [ ])
++ (if hasHardware "intel" then [ ] else [ ])
++ (if hasHardware "nvidia" then [ ] else [ ])
++ cfg.extraKernelParams;
@@ -85,5 +93,6 @@ in
++ (if hasHardware "nvidia" then [ "nouveau" ] else [ ])
++ cfg.extraBlacklistedModules;
};
hardware.amdgpu.overdrive.enable = mkIf cfg.amdOverdrive.enable true;
};
}

12
modules/nixos/hardware/graphics/default.nix
View File

@@ -19,13 +19,13 @@ let
commonPackages = with pkgs; [
libva
vaapiVdpau
libva-vdpau-driver
libvdpau-va-gl
];
commonPackages32 = with pkgs.pkgsi686Linux; [
libva
vaapiVdpau
libva-vdpau-driver
libvdpau-va-gl
];
@@ -89,7 +89,8 @@ in
config = mkIf cfg.enable (mkMerge [
{
hardware.graphics = {
hardware = {
graphics = {
enable = true;
enable32Bit = true;
extraPackages = flatten (
@@ -121,6 +122,7 @@ in
extraPackages32 = flatten (concatMap (_: commonPackages32) cfg.vendors);
};
};
environment.systemPackages = flatten (
concatMap (
@@ -145,10 +147,6 @@ in
);
}
(mkIf (hasVendor "amd") {
hardware.amdgpu.overdrive.enable = true;
})
(mkIf (hasVendor "nvidia") {
hardware.nvidia = {
package =

21
modules/nixos/hardware/network/default.nix
View File

@@ -2,20 +2,29 @@
config,
lib,
...
}:
let
inherit (lib)
}: let
inherit
(lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.nixos.hardware.network;
in
{
in {
options = {
nixos.hardware.network = {
enable = mkEnableOption "Enable the custom networking module";
nameservers = mkOption {
type = types.listOf types.str;
default = [];
description = "The list of nameservers ";
};
search = mkOption {
type = types.listOf types.str;
default = [];
description = "Domain search paths";
};
interfaces = mkOption {
type = types.attrsOf (
types.submodule {
@@ -55,6 +64,8 @@ in
networking = {
networkmanager.enable = true;
nftables.enable = true;
nameservers = cfg.nameservers;
search = cfg.search;
firewall = {
enable = true;
inherit (cfg) interfaces;

22
modules/nixos/programs/fish/default.nix
View File

@@ -3,14 +3,11 @@
lib,
pkgs,
...
}:
let
inherit (lib.meta) getExe;
inherit (pkgs) eza bat;
}: let
inherit (lib) mkIf mkEnableOption mkMerge;
cfg = config.nixos.programs.fish;
in
{
in {
options = {
nixos.programs.fish = {
enable = mkEnableOption "Enables fish shell";
@@ -22,6 +19,7 @@ in
(mkIf cfg.enable {
programs.fish = {
enable = true;
useBabelfish = true;
vendor = {
completions.enable = true;
config.enable = true;
@@ -37,7 +35,9 @@ in
nixclean = "nh clean all --keep 3";
nixdev = "nix develop ~/.nix-config -c $SHELL";
nixup = "nh os switch -H $hostname";
nixupv = "nh os switch -v -H $hostname";
nixupn = "nh os switch -n -H $hostname";
nixupv = "nh os switch -v --show-trace -H $hostname";
nixupvn = "nh os switch -n -v --show-trace -H $hostname";
flakeup = "nix flake update";
};
shellAliases = {
@@ -53,12 +53,8 @@ in
nset = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/settings.nix";
nixosmodules = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/modules.nix";
nmod = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/modules.nix";
tree = "${getExe eza} --tree --icons=always";
cat = "${getExe bat} --style=plain";
ls = "${getExe eza} -h --git --icons --color=auto --group-directories-first -s extension";
ll = "${getExe eza} -l --git --icons --color=auto --group-directories-first -s extension";
lat = "${getExe eza} -lah --tree --color=auto --group-directories-first -s extension";
la = "${getExe eza} -lah --color=auto --group-directories-first -s extension";
ls = lib.getExe pkgs.eza;
tree = "${lib.getExe pkgs.eza} --tree --icons=always";
# Clear screen and scrollback
clear = "printf '\\033[2J\\033[3J\\033[1;1H'";
};

4
modules/nixos/programs/hyprland/inputs.nix
View File

@@ -37,9 +37,9 @@ in
};
gestures = {
workspace_swipe = true;
# workspace_swipe = true;
workspace_swipe_distance = 400;
workspace_swipe_fingers = 3;
# workspace_swipe_fingers = 3;
workspace_swipe_cancel_ratio = 0.2;
workspace_swipe_min_speed_to_force = 5;
workspace_swipe_direction_lock = true;

42
modules/nixos/programs/hyprland/keybinds.nix
View File

@@ -49,20 +49,6 @@ in
"$mod, P, pseudo,"
"$mod, J, togglesplit,"
"$mod, C, exec, hyprctl dispatch exec copyq toggle"
"$mod, left, movefocus, l"
"$mod, right, movefocus, r"
"$mod, up, movefocus, u"
"$mod, down, movefocus, d"
"$mod, 1, workspace, 1"
"$mod, 2, workspace, 2"
"$mod, 3, workspace, 3"
"$mod, 4, workspace, 4"
"$mod, 5, workspace, 5"
"$mod, 6, workspace, 6"
"$mod, 7, workspace, 7"
"$mod, 8, workspace, 8"
"$mod, 9, workspace, 9"
"$mod, 0, workspace, 10"
"$mod SHIFT, 1, movetoworkspace, 1"
"$mod SHIFT, 2, movetoworkspace, 2"
"$mod SHIFT, 3, movetoworkspace, 3"
@@ -75,6 +61,30 @@ in
"$mod SHIFT, 0, movetoworkspace, 10"
"CTRL SHIFT, Escape, exec, ${runOnce "resources"}"
"$mod, 1, workspace, 1"
"$mod, 2, workspace, 2"
"$mod, 3, workspace, 3"
"$mod, 4, workspace, 4"
"$mod, 5, workspace, 5"
"$mod, 6, workspace, 6"
"$mod, 7, workspace, 7"
"$mod, 8, workspace, 8"
"$mod, 9, workspace, 9"
"$mod, 0, workspace, 10"
"$mod, left, movefocus, l"
"$mod, right, movefocus, r"
"$mod, up, movefocus, u"
"$mod, down, movefocus, d"
"$mod SHIFT, left, resizeactive, -20 0"
"$mod SHIFT, right, resizeactive, 20 0"
"$mod SHIFT, up, resizeactive, 0 -20"
"$mod SHIFT, down, resizeactive, 0 20"
"$mod CTRL, left, swapwindow, l"
"$mod CTRL, right, swapwindow, r"
"$mod CTRL, up, swapwindow, u"
"$mod CTRL, down, swapwindow, d"
",XF86AudioLowerVolume, exec, volume-control.sh --dec"
",XF86AudioRaiseVolume, exec, volume-control.sh --inc"
",XF86AudioMute, exec, volume-control.sh --toggle"
@@ -99,7 +109,7 @@ in
(mkIf (host == "kima") {
programs.hyprland.settings = {
"$terminal" = "ghostty";
"$terminal" = "alacritty";
"$browser" = "zen";
"$browserinc" = "zen --private-window";
"$mod" = "SUPER";
@@ -111,7 +121,7 @@ in
(mkIf (host == "bunk") {
programs.hyprland.settings = {
"$terminal" = "foot";
"$terminal" = "alacritty";
"$browser" = "zen";
"$browserinc" = "zen --private-window";
"$mod" = "ALT_L";

2
modules/nixos/programs/hyprland/layout.nix
View File

@@ -21,7 +21,7 @@ in
let
resolution =
if m.width != null && m.height != null then
"${toString m.width}x${toString m.height}@${toString m.refreshRate}"
"${toString m.width}x${toString m.height}@${m.refreshRate}"
else
"preferred";

7
modules/nixos/programs/niri/default.nix
View File

@@ -1,6 +1,5 @@
{
config,
inputs,
lib,
pkgs,
...
@@ -14,22 +13,22 @@ in
nixos.programs.niri.enable = mkEnableOption "Enables niri";
};
config = mkIf cfg.enable {
nixpkgs.overlays = [ inputs.niri.overlays.niri ];
environment = {
variables = {
DISPLAY = ":0";
NIXOS_OZONE_WL = "1";
QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
};
systemPackages = with pkgs; [
xwayland-satellite-unstable
xwayland-satellite
wl-clipboard
wayland-utils
xdg-utils
];
};
systemd.user.services.niri-flake-polkit.enable = false;
programs.niri = {
enable = true;
package = pkgs.niri-unstable;
};
};
}

17
modules/nixos/programs/pkgs/default.nix
View File

@@ -78,10 +78,17 @@ in
openssl
xmrig
ocl-icd
dig
unzip
zip
gnutar
gnused
p7zip
ripgrep
file
]
(mkIf cfg.common.enable [
qt6.full
swappy
wayfreeze
imagemagick
@@ -96,9 +103,6 @@ in
])
(mkIf cfg.desktop.enable [
protonup
winetricks
wine
geekbench
unigine-heaven
])
@@ -109,15 +113,13 @@ in
(mkIf cfg.server.enable [
nvtopPackages.intel
nvtopPackages.amd
dig
helix
zfs
zfstools
])
(mkIf cfg.dev.enable [
# lldb_20 # some biuld error atm
sqlite
gemini-cli
nfs-utils
gcc
@@ -144,7 +146,6 @@ in
prettierd
# php84Packages.php-cs-fixer
shfmt
luaformatter
black
])
];

15
modules/nixos/programs/steam/default.nix
View File

@@ -1,6 +1,7 @@
{
config,
lib,
pkgs,
...
}:
let
@@ -17,6 +18,20 @@ in
enable = true;
gamescopeSession.enable = true;
};
gamescope = {
enable = true;
capSysNice = true;
args = [
"--rt"
"--expose-wayland"
];
};
};
environment.systemPackages = with pkgs; [
protonup-ng
wine
winetricks
wine-wayland
];
};
}

8
modules/nixos/services/agenix/default.nix
View File

@@ -74,19 +74,11 @@ in {
wgCredentials.file = "${self}/secrets/wgCredentials.age";
wgSobotkaPrivateKey.file = "${self}/secrets/wgSobotkaPrivateKey.age";
gluetunEnvironment.file = "${self}/secrets/gluetunEnvironment.age";
nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age";
vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
homepageEnvironment.file = "${self}/secrets/homepageEnvironment.age";
pihole.file = "${self}/secrets/pihole.age";
slskd.file = "${self}/secrets/slskd.age";
};
})
(mkIf cfg.ziggy.enable {
secrets = {
cloudflareDnsCredentialsZiggy.file = "${self}/secrets/cloudflareDnsCredentialsZiggy.age";
piholeZiggy.file = "${self}/secrets/piholeZiggy.age";
};
})
(mkIf cfg.toothpc.enable {

2
modules/nixos/services/greetd/default.nix
View File

@@ -63,7 +63,7 @@ in
settings = rec {
tuigreet_session =
let
session = "${pkgs.niri-unstable}/bin/niri-session";
session = "${pkgs.niri}/bin/niri-session";
tuigreet = "${lib.getExe pkgs.tuigreet}";
in
{

6
modules/nixos/services/kanata/default.nix
View File

@@ -16,14 +16,10 @@ in
services.kanata = {
enable = true;
package = pkgs.kanata-with-cmd;
keyboards.hhkbse = {
keyboards.default = {
extraDefCfg = ''
process-unmapped-keys yes
'';
devices = [
"/dev/input/by-id/usb-PFU_Limited_HHKB-Hybrid-event-kbd"
"/dev/input/event2"
];
config = builtins.readFile (./. + "/hhkbse.kbd");
};
};

4
modules/nixos/services/kanata/hhkbse.kbd
View File

@@ -18,6 +18,7 @@
2 3 4 5 6 7 8 9 0 + ´ ' §
e p ¨
l ö ä
-
z x rmet
)
@@ -25,13 +26,16 @@
_ _ _ _ _ _ _ _ _ _ pgdn pgup del
_ _ '
_ _ _
_
_ _ @level3
)
(deflayer level3
RA-2 RA-3 S-4 RA-5 S-¨ RA-7 RA-8 RA-9 RA-0 RA-+ ⇥ ⇤ S-'
RA-5 ▲ RA-¨
◀ ▼ ▶
RA-<
RA-S-z RA-S-x @level3
)

50
modules/nixos/services/mullvad-netns/default.nix
View File

@@ -1,50 +0,0 @@
{ self, pkgs, ... }:
{
age.secrets.wgCredentials = {
file = "${self}/secrets/wgCredentials.age";
mode = "0400";
owner = "root";
group = "root";
path = "/etc/wireguard/mullvad.conf";
};
systemd.services.mullvad-netns = {
description = "WireGuard Mullvad netns for VMs";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.writeShellScript "mullvad-netns-up" ''
set -euo pipefail
ip netns add mullvad || true
ip link add veth0 type veth peer name veth1 || true
ip link set veth1 netns mullvad
ip addr add 10.250.0.1/24 dev veth0 || true
ip link set veth0 up
ip netns exec mullvad ip addr add 10.250.0.2/24 dev veth1 || true
ip netns exec mullvad ip link set veth1 up
ip netns exec mullvad wg-quick up /etc/wireguard/mullvad.conf
ip netns exec mullvad ip route add default dev wg0 || true
nft add table ip mullvad-nat || true
nft add chain ip mullvad-nat postrouting { type nat hook postrouting priority 100 \; } || true
nft add rule ip mullvad-nat postrouting ip saddr 10.250.0.0/24 oif "wg0" masquerade || true
''}";
ExecStop = "${pkgs.writeShellScript "mullvad-netns-down" ''
set -euo pipefail
ip netns exec mullvad wg-quick down /etc/wireguard/mullvad.conf || true
ip link delete veth0 || true
ip netns delete mullvad || true
nft delete table ip mullvad-nat || true
''}";
};
# no wantedBy here -> won't start at boot
};
}

16
modules/nixos/services/tailscale/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.nixos.services.tailscale;
in {
options.nixos.services.tailscale = {
enable = mkEnableOption "Enable tailscale";
};
config = mkIf cfg.enable {
services.tailscale.enable = true;
};
}

1
modules/nixos/system/devpkgs/default.nix
View File

@@ -45,7 +45,6 @@ in
# nodePackages_latest.sql-formatter
prettierd
shfmt
luaformatter
black
];
};

2
modules/nixos/system/fonts/default.nix
View File

@@ -26,7 +26,7 @@ in
inputs.fonts.packages.${pkgs.system}.vcr-mono
noto-fonts
noto-fonts-cjk-sans
noto-fonts-emoji
noto-fonts-color-emoji
liberation_ttf
fira-code-symbols
font-awesome

10
modules/nixos/system/xdg/default.nix
View File

@@ -30,13 +30,19 @@ in
enable = true;
xdgOpenUsePortal = cfg.xdgOpenUsePortal;
config = {
common.default = [ "gtk" ];
common.default = [
"gtk"
"gnome"
];
hyprland.default = [
"gtk"
"hyprland"
];
};
extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
extraPortals = with pkgs; [
xdg-desktop-portal-gtk
xdg-desktop-portal-gnome
];
};
};
}

84
modules/server/acme/default.nix
View File

@@ -1,84 +0,0 @@
{
config,
lib,
...
}: let
inherit (lib) mkIf mkEnableOption;
cfg = config.server.acme;
getCloudflareCredentials = hostname:
if hostname == "ziggy"
then config.age.secrets.cloudflareDnsCredentialsZiggy.path
else if hostname == "sobotka"
then config.age.secrets.cloudflareDnsCredentials.path
else throw "Unknown hostname: ${hostname}";
in {
options = {
server.acme.enable = mkEnableOption "Enables ACME";
};
config = mkIf cfg.enable {
networking.firewall = let
ports = [
80
443
];
in {
allowedTCPPorts = ports;
};
security.acme = {
acceptTerms = true;
defaults.email = config.server.email;
certs.${config.server.domain} = {
reloadServices = ["caddy.service"];
domain = "${config.server.domain}";
extraDomainNames = ["*.${config.server.domain}"];
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
dnsPropagationCheck = true;
group = config.services.caddy.group;
environmentFile = getCloudflareCredentials config.networking.hostName;
};
certs.${config.server.www.url} = {
reloadServices = ["caddy.service"];
domain = "${config.server.www.url}";
extraDomainNames = ["*.${config.server.www.url}"];
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
dnsPropagationCheck = true;
group = config.services.caddy.group;
environmentFile = getCloudflareCredentials config.networking.hostName;
};
};
services.caddy = {
enable = true;
globalConfig = ''
auto_https off
'';
virtualHosts = {
"http://${config.server.domain}" = {
extraConfig = ''
redir https://{host}{uri}
'';
};
"http://*.${config.server.domain}" = {
extraConfig = ''
redir https://{host}{uri}
'';
};
"http://${config.server.www.url}" = {
extraConfig = ''
redir https://{host}{uri}
'';
};
"http://*.${config.server.www.url}" = {
extraConfig = ''
redir https://{host}{uri}
'';
};
};
};
};
}

62
modules/server/bazarr/default.nix
View File

@@ -1,62 +0,0 @@
{
config,
lib,
...
}: let
unit = "bazarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Bazarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Subtitle manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "bazarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.bazarr.loadBalancer.servers = [{url = "http://127.0.0.1:${toString config.services.${unit}.listenPort}";}];
routers = {
bazarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "bazarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}

105
modules/server/default.nix
View File

@@ -1,101 +1,16 @@
{
self,
lib,
config,
pkgs,
...
}: let
hardDrives = [
"/dev/disk/by-label/data"
];
inherit (lib) mkOption types;
cfg = config.server;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
clib = import "${self}/lib/server" {inherit lib;};
in {
options.server = {
enable = lib.mkEnableOption "The server services and configuration variables";
email = mkOption {
default = "";
type = types.str;
description = ''
Email name to be used to access the server services via Caddy reverse proxy
'';
};
domain = mkOption {
default = "";
type = types.str;
description = ''
Domain name to be used to access the server services via Caddy reverse proxy
'';
};
user = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
User to run the server services as
'';
};
group = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
Group to run the server services as
'';
};
uid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
UID to run the server services as
'';
};
gid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
GID to run the server services as
'';
};
timeZone = lib.mkOption {
default = "Europe/Stockholm";
type = lib.types.str;
description = ''
Time zone to be used for the server services
'';
};
};
config = lib.mkIf cfg.enable {
users = {
groups.${cfg.group} = {
gid = cfg.gid;
};
users.${cfg.user} = {
uid = cfg.uid;
isSystemUser = true;
group = cfg.group;
extraGroups = ifTheyExist [
"audio"
"video"
"docker"
"libvirtd"
"qemu-libvirtd"
"rtkit"
"fail2ban"
"vaultwarden"
"qbittorrent"
"lidarr"
"prowlarr"
"bazarr"
"sonarr"
"radarr"
"media"
"share"
"render"
"input"
"authentik"
"traefik"
];
};
};
};
imports = [
{
_module.args.clib = clib;
}
./options.nix
./infra
./services
];
}

111
modules/server/fail2ban/default.nix
View File

@@ -1,111 +0,0 @@
# from @notthebee
{
lib,
config,
pkgs,
...
}:
let
cfg = config.server.fail2ban;
in
{
options.server.fail2ban = {
enable = lib.mkEnableOption {
description = "Enable cloudflare fail2ban";
};
apiKeyFile = lib.mkOption {
description = "File containing your API key, scoped to Firewall Rules: Edit";
type = lib.types.str;
example = lib.literalExpression ''
Authorization: Bearer Qj06My1wXJEzcW46QCyjFbSMgVtwIGfX63Ki3NOj79o=
'''
'';
};
zoneId = lib.mkOption {
type = lib.types.str;
};
jails = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
options = {
serviceName = lib.mkOption {
example = "vaultwarden";
type = lib.types.str;
};
failRegex = lib.mkOption {
type = lib.types.str;
example = "Login failed from IP: <HOST>";
};
ignoreRegex = lib.mkOption {
type = lib.types.str;
default = "";
};
maxRetry = lib.mkOption {
type = lib.types.int;
default = 3;
};
};
}
);
};
};
config = lib.mkIf cfg.enable {
services.fail2ban = {
enable = true;
extraPackages = [
pkgs.curl
pkgs.jq
];
jails = lib.attrsets.mapAttrs (name: value: {
settings = {
bantime = "30d";
findtime = "1h";
enabled = true;
backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
port = "http,https";
filter = "${name}";
maxretry = 3;
action = "cloudflare-token-agenix";
};
}) cfg.jails;
};
environment.etc = lib.attrsets.mergeAttrsList [
(lib.attrsets.mapAttrs' (
name: value:
(lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
text = ''
[Definition]
failregex = ${value.failRegex}
ignoreregex = ${value.ignoreRegex}
'';
})
) cfg.jails)
{
"fail2ban/action.d/cloudflare-token-agenix.conf".text =
let
notes = "Fail2Ban on ${config.networking.hostName}";
cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules";
in
''
[Definition]
actionstart =
actionstop =
actioncheck =
actionunban = id=$(curl -s -X GET "${cfapi}" \
-H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
| jq -r '.result[] | select(.notes == "${notes}" and .configuration.target == "ip" and .configuration.value == "<ip>") | .id')
if [ -z "$id" ]; then echo "id for <ip> cannot be found"; exit 0; fi; \
curl -s -X DELETE "${cfapi}/$id" \
-H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
--data '{"cascade": "none"}'
actionban = curl -X POST "${cfapi}" -H @${cfg.apiKeyFile} -H "Content-Type: application/json" --data '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"${notes}"}'
[Init]
name = cloudflare-token-agenix
'';
}
];
};
}

125
modules/server/gitea/default.nix
View File

@@ -1,125 +0,0 @@
# taken from @jtojnar
{
config,
lib,
...
}: let
unit = "gitea";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "git.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 5003;
description = "The port to host Gitea on.";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Gitea";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Git with a cup of tea";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "gitea.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
appName = "cnix code forge";
database = {
type = "postgres";
socket = "/run/postgresql";
name = "gitea";
user = "gitea";
createDatabase = false;
};
lfs = {
enable = true;
};
settings = {
cors = {
ENABLED = true;
SCHEME = "https";
ALLOW_DOMAIN = cfg.url;
};
log = {
MODE = "console";
};
mailer = {
ENABLED = false;
MAILER_TYPE = "sendmail";
FROM = "noreply+adam@cnst.dev";
SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
};
picture = {
DISABLE_GRAVATAR = true;
};
repository = {
DEFAULT_BRANCH = "main";
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
};
indexer = {
REPO_INDEXER_ENABLED = true;
};
server = {
DOMAIN = cfg.url;
LANDING_PAGE = "explore";
HTTP_PORT = cfg.port;
ROOT_URL = "https://${cfg.url}/";
};
security = {
DISABLE_GIT_HOOKS = false;
};
service = {
DISABLE_REGISTRATION = true;
};
session = {
COOKIE_SECURE = true;
};
};
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.gitea.loadBalancer.servers = [{url = "http://127.0.0.1:5003";}];
routers = {
gitea = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "gitea";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
server.postgresql.databases = [
{
database = "gitea";
}
];
};
}

119
modules/server/gitea/default.nix.bak
View File

@@ -1,119 +0,0 @@
# taken from @jtojnar
{
config,
lib,
...
}: let
unit = "gitea";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "git.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 5003;
description = "The port to host Gitea on.";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Gitea";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Git with a cup of tea";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "gitea.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
appName = "cnix code forge";
database = {
type = "postgres";
socket = "/run/postgresql";
name = "gitea";
user = "gitea";
createDatabase = false;
};
lfs = {
enable = true;
};
settings = {
cors = {
ENABLED = true;
SCHEME = "https";
ALLOW_DOMAIN = cfg.url;
};
log = {
MODE = "console";
};
mailer = {
ENABLED = false;
MAILER_TYPE = "sendmail";
FROM = "noreply+adam@cnst.dev";
SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
};
picture = {
DISABLE_GRAVATAR = true;
};
repository = {
DEFAULT_BRANCH = "main";
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
};
indexer = {
REPO_INDEXER_ENABLED = true;
};
server = {
DOMAIN = cfg.url;
LANDING_PAGE = "explore";
HTTP_PORT = cfg.port;
ROOT_URL = "https://${cfg.url}/";
};
security = {
DISABLE_GIT_HOOKS = false;
};
service = {
DISABLE_REGISTRATION = true;
};
session = {
COOKIE_SECURE = true;
};
};
};
services.traefik.dynamicConfigOptions.http.routers."${unit}" = {
rule = "Host(`" + cfg.url + "`)";
service = "${unit}-service";
entryPoints = ["websecure"];
tls = {};
};
services.traefik.dynamicConfigOptions.http.services."${unit}-service".loadBalancer.servers = [
{url = "http://127.0.0.1:${toString cfg.port}";}
];
server.postgresql.databases = [
{
database = "gitea";
}
];
};
}

240
modules/server/homepage-dashboard/default.nix
View File

@@ -1,240 +0,0 @@
{
config,
lib,
...
}: let
unit = "homepage-dashboard";
cfg = config.server.homepage-dashboard;
srv = config.server;
in {
options.server.homepage-dashboard = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
misc = lib.mkOption {
default = [];
type = lib.types.listOf (
lib.types.attrsOf (
lib.types.submodule {
options = {
description = lib.mkOption {
type = lib.types.str;
};
href = lib.mkOption {
type = lib.types.str;
};
siteMonitor = lib.mkOption {
type = lib.types.str;
};
icon = lib.mkOption {
type = lib.types.str;
};
};
}
)
);
};
};
config = lib.mkIf cfg.enable {
services = {
glances.enable = true;
${unit} = {
enable = true;
allowedHosts = srv.domain;
settings = {
layout = [
{
Glances = {
header = false;
style = "row";
columns = 4;
};
}
{
Arr = {
header = true;
style = "column";
};
}
{
Downloads = {
header = true;
style = "column";
};
}
{
Media = {
header = true;
style = "column";
};
}
{
Services = {
header = true;
style = "column";
};
}
];
headerStyle = "clean";
statusStyle = "dot";
hideVersion = "true";
};
widgets = [
{
openmeteo = {
label = "Kalmar";
timezone = "Europe/Stockholm";
units = "metric";
cache = 5;
latitude = 56.707262;
longitude = 16.324541;
};
}
{
datetime = {
text_size = "x1";
format = {
hour12 = false;
timeStyle = "short";
dateStyle = "long";
};
};
}
{
resources = {
label = "";
memory = true;
disk = ["/"];
};
}
];
services = let
homepageCategories = [
"Arr"
"Media"
"Downloads"
"Services"
"Smart Home"
];
hl = config.server;
mergedServices = hl // hl.podman;
homepageServices = x: (lib.attrsets.filterAttrs (
name: value: value ? homepage && value.homepage.category == x
)
mergedServices);
in
lib.lists.forEach homepageCategories (cat: {
"${cat}" =
lib.lists.forEach
(lib.attrsets.mapAttrsToList (name: value: {
inherit name;
url = value.url;
homepage = value.homepage;
}) (homepageServices "${cat}"))
(x: {
"${x.homepage.name}" = {
icon = x.homepage.icon;
description = x.homepage.description;
href = "https://${x.url}${x.homepage.path or ""}";
siteMonitor = "https://${x.url}${x.homepage.path or ""}";
};
});
})
++ [{Misc = cfg.misc;}]
++ [
{
Glances = let
port = toString config.services.glances.port;
in [
{
Info = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "info";
chart = false;
version = 4;
};
};
}
{
"CPU Temp" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:Tctl";
chart = false;
version = 4;
};
};
}
{
"GPU Radeon" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:junction";
chart = false;
version = 4;
};
};
}
{
"GPU Intel" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:pkg";
chart = false;
version = 4;
};
};
}
{
Processes = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "process";
chart = false;
version = 4;
};
};
}
{
Network = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "network:enp6s0";
chart = false;
version = 4;
};
};
}
];
}
];
};
traefik = {
dynamicConfigOptions = {
http = {
services.homepage.loadBalancer.servers = [{url = "http://127.0.0.1:${toString config.services.${unit}.listenPort}";}];
routers = {
homepage = {
entryPoints = ["websecure"];
rule = "Host(`cnix.dev`)";
service = "homepage";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
};
}

69
modules/server/authentik/default.nix → modules/server/infra/authentik/default.nix
View File

@@ -1,45 +1,68 @@
{
config,
lib,
pkgs,
self,
...
}: let
unit = "authentik";
cfg = config.server.${unit};
srv = config.server;
cfg = config.server.infra.${unit};
srv = config.server.infra;
in {
options.server.${unit} = {
options.server.infra.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "auth.${srv.domain}";
default = "auth.${srv.www.url}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Authentik";
port = lib.mkOption {
type = lib.types.port;
description = "The local port the service runs on";
};
homepage.description = lib.mkOption {
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
default = "Open Source Identity and Access Management";
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
homepage.icon = lib.mkOption {
tunnelId = lib.mkOption {
type = lib.types.str;
default = "authentik.svg";
example = "00000000-0000-0000-0000-000000000000";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
homepage = {
name = "Authentik";
description = "An open-source IdP for modern SSO";
icon = "authentik.svg";
category = "Services";
};
};
config = lib.mkIf cfg.enable {
age.secrets.authentikEnv = {
age.secrets = {
authentikEnv = {
file = "${self}/secrets/authentikEnv.age";
owner = "authentik";
};
authentikCloudflared = {
file = "${self}/secrets/authentikCloudflared.age";
};
};
server.infra = {
fail2ban = {
jails = {
authentik = {
serviceName = "authentik";
failRegex = ''^.*Username or password is incorrect.*IP:\s*<HOST>'';
};
};
};
};
services = {
authentik = {
enable = true;
@@ -52,13 +75,21 @@ in {
};
};
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://127.0.0.1:9000";
};
};
traefik = {
dynamicConfigOptions = {
http = {
middlewares = {
authentik = {
forwardAuth = {
tls.insecureSkipVerify = true;
address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
trustForwardHeader = true;
authResponseHeaders = [
@@ -89,7 +120,7 @@ in {
routers = {
auth = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`) || HostRegexp(`{subdomain:[a-z0-9]+}.${srv.domain}`) && PathPrefix(`/outpost.goauthentik.io/`)";
rule = "Host(`${cfg.url}`) && PathPrefix(`/outpost.goauthentik.io/`)";
service = "auth";
tls.certResolver = "letsencrypt";
};

13
modules/server/infra/default.nix Normal file
View File

@@ -0,0 +1,13 @@
{
imports = [
./authentik
./fail2ban
./keepalived
./podman
./postgres
./tailscale
./traefik
./unbound
./www
];
}

131
modules/server/infra/fail2ban/default.nix Normal file
View File

@@ -0,0 +1,131 @@
# from @notthebee
{
lib,
config,
pkgs,
...
}: let
cfg = config.server.infra.fail2ban;
in {
options.server.infra.fail2ban = {
enable = lib.mkEnableOption {
description = "Enable cloudflare fail2ban";
};
apiKeyFile = lib.mkOption {
description = "File containing your API key, scoped to Firewall Rules: Edit";
type = lib.types.str;
example = lib.literalExpression ''
Authorization: Bearer vH6-p0y=i4w3n7TjKqZ@x8D_lR!A9b2cOezXgUuJdE5F
'''
'';
};
zoneId = lib.mkOption {
type = lib.types.str;
};
jails = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
options = {
serviceName = lib.mkOption {
example = "vaultwarden";
type = lib.types.str;
};
_groupsre = lib.mkOption {
type = lib.types.lines;
example = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
default = "";
};
failRegex = lib.mkOption {
type = lib.types.lines;
example = ''
^Login failed from IP: <HOST>$
^Two-factor challenge failed from <HOST>$
'';
};
ignoreRegex = lib.mkOption {
type = lib.types.str;
default = "";
};
datePattern = lib.mkOption {
type = lib.types.str;
default = "";
example = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
description = "Optional datepattern line for the fail2ban filter.";
};
maxRetry = lib.mkOption {
type = lib.types.int;
default = 3;
};
};
}
);
};
};
config = lib.mkIf cfg.enable {
services.fail2ban = {
enable = true;
extraPackages = [
pkgs.curl
pkgs.jq
];
jails =
lib.attrsets.mapAttrs (name: value: {
settings = {
bantime = "24h";
findtime = "10m";
enabled = true;
backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
port = "http,https";
filter = "${name}";
maxretry = 3;
action = "cloudflare-token-agenix";
};
})
cfg.jails;
};
environment.etc = lib.attrsets.mergeAttrsList [
(lib.attrsets.mapAttrs' (
name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
text =
''
[Definition]
failregex = ${value.failRegex}
ignoreregex = ${value.ignoreRegex}
''
+ lib.optionalString (value.datePattern != "") ''
datepattern = ${value.datePattern}
''
+ lib.optionalString (value._groupsre != "") ''
_groupsre = ${value._groupsre}
'';
})
)
cfg.jails)
{
"fail2ban/action.d/cloudflare-token-agenix.conf".text = let
notes = "Fail2Ban on ${config.networking.hostName}";
cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules";
in ''
[Definition]
actionstart =
actionstop =
actioncheck =
actionunban = id=$(curl -s -X GET "${cfapi}" \
-H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
| jq -r '.result[] | select(.notes == "${notes}" and .configuration.target == "ip" and .configuration.value == "<ip>") | .id')
if [ -z "$id" ]; then echo "id for <ip> cannot be found"; exit 0; fi; \
curl -s -X DELETE "${cfapi}/$id" \
-H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
--data '{"cascade": "none"}'
actionban = curl -X POST "${cfapi}" -H @${cfg.apiKeyFile} -H "Content-Type: application/json" --data '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"${notes}"}'
[Init]
name = cloudflare-token-agenix
'';
}
];
};
}

24
modules/server/keepalived/default.nix → modules/server/infra/keepalived/default.nix
View File

@@ -3,27 +3,24 @@
config,
self,
...
}:
let
}: let
unit = "keepalived";
cfg = config.server.${unit};
cfg = config.server.infra.${unit};
hostCfg =
hostname:
if hostname == "sobotka" then
{
hostCfg = hostname:
if hostname == "sobotka"
then {
ip = "192.168.88.14";
priority = 20;
state = "MASTER";
}
else if hostname == "ziggy" then
{
else if hostname == "ziggy"
then {
ip = "192.168.88.12";
priority = 10;
state = "BACKUP";
}
else
throw "No keepalived config defined for host ${hostname}";
else throw "No keepalived config defined for host ${hostname}";
_self = hostCfg config.networking.hostName;
@@ -34,9 +31,8 @@ let
# Remove self from peers
peers = builtins.filter (ip: ip != _self.ip) allPeers;
in
{
options.server.${unit} = {
in {
options.server.infra.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};

6
modules/server/infra/podman/acquis.yaml Normal file
View File

@@ -0,0 +1,6 @@
---
filenames:
- /var/log/traefik/access.log
poll_without_inotify: true
labels:
type: traefik

194
modules/server/infra/podman/default.nix Normal file
View File

@@ -0,0 +1,194 @@
{
config,
lib,
self,
...
}: let
infra = config.server.infra;
cfg = config.server.services;
getPiholeSecret = hostname:
if hostname == "ziggy"
then [config.age.secrets.piholeZiggy.path]
else if hostname == "sobotka"
then [config.age.secrets.pihole.path]
else throw "Unknown hostname: ${hostname}";
in {
options.server.infra = {
podman.enable = lib.mkEnableOption "Enables Podman";
gluetun.enable = lib.mkEnableOption "Enables gluetun";
};
config = lib.mkIf infra.podman.enable {
age.secrets = {
pihole.file = "${self}/secrets/${config.networking.hostName}Pihole.age";
slskd.file = "${self}/secrets/slskd.age";
};
virtualisation = {
containers.enable = true;
podman.enable = true;
};
networking.firewall = lib.mkIf cfg.pihole.enable {
allowedTCPPorts = [
53
5335
];
allowedUDPPorts = [
53
5335
];
};
virtualisation.oci-containers.containers = lib.mkMerge [
(lib.mkIf infra.gluetun.enable {
gluetun = {
image = "qmcgaw/gluetun";
ports = [
"8388:8388"
"58846:58846"
"8080:8080"
"5030:5030"
"5031:5031"
"50300:50300"
];
devices = ["/dev/net/tun:/dev/net/tun"];
autoStart = true;
extraOptions = [
"--cap-add=NET_ADMIN"
];
volumes = ["/var:/gluetun"];
environmentFiles = [
config.age.secrets.gluetunEnvironment.path
];
environment = {
DEV_MODE = "false";
VPN_SERVICE_PROVIDER = "mullvad";
VPN_TYPE = "wireguard";
SERVER_CITIES = "Stockholm";
};
};
})
(lib.mkIf cfg.qbittorrent.enable {
qbittorrent = {
image = "ghcr.io/hotio/qbittorrent:latest";
autoStart = true;
dependsOn = ["gluetun"];
ports = [
"8080:8080"
"58846:58846"
];
extraOptions = [
"--network=container:gluetun"
];
volumes = [
"/var/lib/qbittorrent:/config:rw"
"/mnt/data/media/downloads:/downloads:rw"
];
environmentFiles = [
config.age.secrets.gluetunEnvironment.path
];
environment = {
PUID = "994";
PGID = "993";
TZ = "Europe/Stockholm";
WEBUI_PORT = "${builtins.toString cfg.qbittorrent.port}";
};
};
})
(lib.mkIf cfg.slskd.enable {
slskd = {
image = "slskd/slskd:latest";
autoStart = true;
dependsOn = ["gluetun"];
ports = [
"5030:5030"
"5031:5031"
"50300:50300"
];
extraOptions = [
"--network=container:gluetun"
];
volumes = [
"/var/lib/slskd:/app:rw"
"/mnt/data/media/downloads:/downloads:rw"
];
environmentFiles = [
config.age.secrets.gluetunEnvironment.path
config.age.secrets.slskd.path
];
environment = {
TZ = "Europe/Stockholm";
PUID = "981";
PGID = "982";
SLSKD_REMOTE_CONFIGURATION = "true";
SLSKD_REMOTE_FILE_MANAGEMENT = "true";
SLSKD_DOWNLOADS_DIR = "/downloads";
SLSKD_UMASK = "022";
};
};
})
(lib.mkIf cfg.pihole.enable {
pihole = {
autoStart = true;
image = "pihole/pihole:2025.08.0";
volumes = [
"/var/lib/pihole:/etc/pihole/"
"/var/lib/dnsmasq.d:/etc/dnsmasq.d/"
];
environment = {
TZ = "Europe/Stockholm";
CUSTOM_CACHE_SIZE = "0";
WEBTHEME = "default-darker";
};
environmentFiles = getPiholeSecret config.networking.hostName;
ports = [
"53:53/tcp"
"53:53/udp"
"8053:80/tcp"
];
extraOptions = [
"--cap-add=NET_ADMIN"
"--cap-add=SYS_NICE"
"--cap-add=SYS_TIME"
];
};
})
(lib.mkIf cfg.ollama.enable {
intel-llm = {
autoStart = true;
image = "intelanalytics/ipex-llm-inference-cpp-xpu:latest";
devices = [
"/dev/dri:/dev/dri:rwm"
];
volumes = [
"/var/lib/ollama:/models"
];
environment = {
OLLAMA_ORIGINS = "http://192.168.*";
SYCL_PI_LEVEL_ZERO_USE_IMMEDIATE_COMMANDLISTS = "1";
ONEAPI_DEVICE_SELECTOR = "level_zero:0";
OLLAMA_HOST = "[::]:11434";
no_proxy = "localhost,127.0.0.1";
DEVICE = "Arc";
OLLAMA_NUM_GPU = "999";
ZES_ENABLE_SYSMAN = "1";
};
cmd = [
"/bin/sh"
"-c"
"/llm/scripts/start-ollama.sh && echo 'Startup script finished, container is now idling.' && sleep infinity"
];
extraOptions = [
"--net=host"
"--memory=32G"
"--shm-size=16g"
];
};
})
];
};
}

0
modules/server/postgres/default.nix → modules/server/infra/postgres/default.nix
View File

4
modules/server/postgres/postgres-upgrade.nix → modules/server/infra/postgres/postgres-upgrade.nix
View File

@@ -7,10 +7,10 @@
}: let
inherit (lib) types mkOption;
cfg = config.server.postgresql;
cfg = config.server.infra.postgresql;
in {
options = {
server.postgresql = {
server.infra.postgresql = {
upgradeTargetPackage = mkOption {
type = types.nullOr types.package;
default = null;

4
modules/server/postgres/postgres.nix → modules/server/infra/postgres/postgres.nix
View File

@@ -7,7 +7,7 @@
}: let
inherit (lib) types mkOption;
cfg = config.server.postgresql;
cfg = config.server.infra.postgresql;
database = {name, ...}: {
options = {
@@ -31,7 +31,7 @@
};
in {
options = {
server.postgresql = {
server.infra.postgresql = {
databases = mkOption {
type = types.listOf (types.submodule database);
default = [];

26
modules/server/infra/tailscale/default.nix Normal file
View File

@@ -0,0 +1,26 @@
{
config,
lib,
self,
...
}:
with lib; let
cfg = config.server.infra.tailscale;
in {
options.server.infra.tailscale = {
enable = mkEnableOption "Enable tailscale server configuration";
};
config = mkIf cfg.enable {
age.secrets.sobotkaTsAuth.file = "${self}/secrets/sobotkaTsAuth.age";
services.tailscale = {
enable = true;
openFirewall = true;
useRoutingFeatures = "server";
authKeyFile = config.age.secrets.sobotkaTsAuth.path;
extraSetFlags = [
"--advertise-exit-node"
];
};
};
}

183
modules/server/infra/traefik/default.nix Normal file
View File

@@ -0,0 +1,183 @@
{
lib,
clib,
config,
pkgs,
self,
...
}: let
inherit (lib) mkEnableOption mkIf types;
cfg = config.server.infra.traefik;
srv = config.server;
generateRouters = services: config:
lib.mapAttrs' (
name: service:
lib.nameValuePair name {
entryPoints = ["websecure"];
# FIX 3: Use backticks for the Host rule and interpolation
rule = "Host(`${clib.server.mkFullDomain config service}`)";
service = name;
tls.certResolver = "letsencrypt";
}
) (lib.filterAttrs (_: s: s.enable) services);
generateServices = services:
lib.mapAttrs' (name: service:
lib.nameValuePair name {
loadBalancer.servers = [{url = "http://localhost:${toString service.port}";}];
}) (lib.filterAttrs (name: service: service.enable) services);
getCloudflareCredentials = hostname:
if hostname == "ziggy"
then config.age.secrets.cloudflareDnsCredentialsZiggy.path
else if hostname == "sobotka"
then config.age.secrets.cloudflareDnsCredentials.path
else throw "Unknown hostname: ${hostname}";
in {
options.server.infra.traefik = {
enable = mkEnableOption "Enable global Traefik reverse proxy with ACME";
};
config = mkIf cfg.enable {
age.secrets = {
traefikEnv = {
file = "${self}/secrets/traefikEnv.age";
mode = "640";
owner = "traefik";
group = "traefik";
};
crowdsecApi.file = "${self}/secrets/crowdsecApi.age";
};
systemd.services.traefik = {
serviceConfig = {
EnvironmentFile = [config.age.secrets.traefikEnv.path];
};
};
networking.firewall.allowedTCPPorts = [80 443];
services = {
tailscale.permitCertUid = "traefik";
traefik = {
enable = true;
staticConfigOptions = {
log = {
level = "DEBUG";
};
accesslog = {filepath = "/var/lib/traefik/logs/access.log";};
tracing = {};
api = {
dashboard = true;
insecure = false;
};
certificatesResolvers = {
vpn.tailscale = {};
letsencrypt = {
acme = {
email = "adam@cnst.dev";
storage = "/var/lib/traefik/cert.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"1.0.0.1:53"
];
};
};
};
};
entryPoints = {
# redis = {
# address = "0.0.0.0:6381";
# };
# postgres = {
# address = "0.0.0.0:5433";
# };
web = {
address = ":80";
forwardedHeaders.insecure = true;
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
permanent = true;
};
# http.middlewares = "crowdsec@file";
};
websecure = {
address = ":443";
forwardedHeaders.insecure = true;
http.tls = {
certResolver = "letsencrypt";
domains = [
{
main = "cnix.dev";
sans = ["*.cnix.dev"];
}
{
main = "ts.cnst.dev";
sans = ["*ts.cnst.dev"];
}
];
};
# http.middlewares = "crowdsec@file";
};
experimental = {
address = ":1111";
forwardedHeaders.insecure = true;
};
};
experimental = {
# Install the Crowdsec Bouncer plugin
plugins = {
#enabled = "true";
bouncer = {
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
version = "v1.4.5";
};
};
};
};
dynamicConfigOptions = {
http = {
services = generateServices srv.services;
routers =
(generateRouters srv.services config)
// {
api = {
entryPoints = ["websecure"];
rule = "Host(`traefik.${srv.domain}`)";
service = "api@internal";
tls.certResolver = "letsencrypt";
};
};
# middlewares = {
# crowdsec = {
# plugin = {
# bouncer = {
# enabled = "true";
# logLevel = "DEBUG";
# crowdsecLapiKeyFile = config.age.secrets.crowdsecApi.path;
# crowdsecMode = "live";
# crowdsecLapiHost = ":4223";
# };
# };
# };
# };
};
};
};
};
};
}

23
modules/server/unbound/default.nix → modules/server/infra/unbound/default.nix
View File

@@ -5,7 +5,20 @@
...
}: let
unit = "unbound";
cfg = config.server.${unit};
cfg = config.server.infra.${unit};
srv = config.server;
svcNames = lib.attrNames srv.services;
localARecords = builtins.concatLists (map (
name: let
s = srv.services.${name};
in
if s != null && s.enable && s.subdomain != null
then [''"${s.subdomain}.${srv.domain}. A ${srv.ip}"'']
else []
)
svcNames);
hostIp = hostname:
if hostname == "ziggy"
@@ -14,11 +27,12 @@
then "192.168.88.14"
else throw "No IP defined for host ${hostname}";
in {
options.server.${unit} = {
options.server.infra.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
};
config = lib.mkIf cfg.enable {
services = {
# resolved.enable = lib.mkForce false;
@@ -97,6 +111,11 @@ in {
"255.255.255.255/32"
"2001:db8::/32"
];
local-data =
[
''"traefik.${config.settings.accounts.domains.local}. A 192.168.88.14"''
]
++ localARecords;
};
};
};

135
modules/server/infra/www/default.nix Normal file
View File

@@ -0,0 +1,135 @@
{
lib,
config,
self,
...
}: let
inherit (lib) mkIf mkEnableOption mkOption types;
cfg = config.server.infra.www;
in {
options.server.infra.www = {
enable = mkEnableOption {
description = "Enable personal website";
};
url = mkOption {
default = "";
type = types.str;
description = ''
Public domain name to be used to access the server services via Traefik reverse proxy
'';
};
port = lib.mkOption {
type = lib.types.int;
default = 8283;
description = "The port to host webservice on.";
};
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
config = mkIf cfg.enable {
age.secrets = {
wwwCloudflared.file = "${self}/secrets/wwwCloudflared.age";
};
server.infra = {
fail2ban = {
jails = {
nginx-404 = {
serviceName = "nginx";
failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
ignoreRegex = '''';
maxRetry = 5;
};
};
};
};
services = {
nginx = {
enable = true;
defaultListen = [
{
addr = "127.0.0.1";
port = 8283;
}
];
virtualHosts."webfinger" = {
forceSSL = false;
serverName = cfg.url;
root = "/var/www/webfinger";
locations."= /.well-known/webfinger" = {
root = "/var/www/webfinger";
extraConfig = ''
default_type application/jrd+json;
try_files /.well-known/webfinger =404;
'';
};
locations."= /robots.txt" = {
root = "/var/www/webfinger";
extraConfig = ''
default_type text/plain;
try_files /robots.txt =404;
'';
};
};
};
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://127.0.0.1:8283";
};
};
};
environment.etc = {
"webfinger/.well-known/webfinger".text = ''
{
"subject": "acct:adam@${cfg.url}",
"links": [
{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://auth.${cfg.url}/application/o/tailscale/"
}
]
}
'';
"webfinger/robots.txt".text = ''
User-agent: *
Disallow: /
'';
};
services.traefik.dynamicConfigOptions.http = {
routers.webfinger = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`) && Path(`/.well-known/webfinger`)";
service = "webfinger";
tls.certResolver = "letsencrypt";
};
services.webfinger.loadBalancer.servers = [
{url = "http://127.0.0.1:8283";}
];
};
};
}

66
modules/server/jellyfin/default.nix
View File

@@ -1,66 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
service = "jellyfin";
cfg = config.server.${service};
srv = config.server;
in {
options.server.${service} = {
enable = lib.mkEnableOption {
description = "Enable ${service}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
};
url = lib.mkOption {
type = lib.types.str;
default = "jellyfin.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Jellyfin";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "The Free Software Media System";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "jellyfin.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Media";
};
};
config = lib.mkIf cfg.enable {
services.${service} = {
enable = true;
user = srv.user;
group = srv.group;
};
environment.systemPackages = with pkgs; [
jellyfin-ffmpeg
];
services.traefik = {
dynamicConfigOptions = {
http = {
services.jellyfin.loadBalancer.servers = [{url = "http://127.0.0.1:8096";}];
routers = {
jellyfin = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "jellyfin";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}

61
modules/server/jellyseerr/default.nix
View File

@@ -1,61 +0,0 @@
{
config,
lib,
...
}: let
service = "jellyseerr";
srv = config.server;
cfg = config.server.${service};
in {
options.server.${service} = {
enable = lib.mkEnableOption {
description = "Enable ${service}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.port;
default = 5055;
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Jellyseerr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Media request and discovery manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "jellyseerr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${service} = {
enable = true;
port = cfg.port;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.jellyseerr.loadBalancer.servers = [{url = "http://127.0.0.1:${toString cfg.port}";}];
routers = {
jellyseerr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "jellyseerr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}

62
modules/server/lidarr/default.nix
View File

@@ -1,62 +0,0 @@
{
config,
lib,
...
}: let
unit = "lidarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Lidarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Music collection manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "lidarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.lidarr.loadBalancer.servers = [{url = "http://127.0.0.1:8686";}];
routers = {
lidarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "lidarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}

180
modules/server/options.nix Normal file
View File

@@ -0,0 +1,180 @@
{
lib,
config,
...
}: let
inherit (lib) mkOption types;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
cfg = config.server;
in {
options.server = {
enable = lib.mkEnableOption "The server services and configuration variables";
email = mkOption {
default = "";
type = types.str;
description = ''
Email name to be used to access the server services via Caddy reverse proxy
'';
};
domain = mkOption {
default = "";
type = types.str;
description = ''
Domain name to be used to access the server services via Caddy reverse proxy
'';
};
ip = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
description = "The local IP of the service.";
};
user = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
User to run the server services as
'';
};
group = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
Group to run the server services as
'';
};
uid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
UID to run the server services as
'';
};
gid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
GID to run the server services as
'';
};
timeZone = lib.mkOption {
default = "Europe/Stockholm";
type = lib.types.str;
description = ''
Time zone to be used for the server services
'';
};
services = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
options = {
enable = lib.mkEnableOption "the service";
subdomain = lib.mkOption {
type = lib.types.str;
default = "";
description = "The subdomain for the service (e.g., 'jellyfin')";
};
exposure = lib.mkOption {
type = lib.types.enum ["local" "tunnel" "tailscale"];
default = "local";
description = "Controls where the service is exposed";
};
port = lib.mkOption {
type = lib.types.int;
default = 80;
description = "The port to host service on.";
};
configDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/${name}";
description = "Configuration directory for ${name}.";
};
cloudflared = lib.mkOption {
type = lib.types.submodule {
options = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret","TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
description = "Cloudflare tunnel configuration for this service.";
};
homepage = lib.mkOption {
type = lib.types.submodule {
options = {
name = lib.mkOption {
type = lib.types.str;
default = "";
description = "Display name on the homepage.";
};
description = lib.mkOption {
type = lib.types.str;
default = "";
description = "A short description for the homepage tile.";
};
icon = lib.mkOption {
type = lib.types.str;
default = "Zervices c00l stuff";
description = "Icon file name for the homepage tile.";
};
category = lib.mkOption {
type = lib.types.str;
default = "";
description = "Homepage category grouping.";
};
path = lib.mkOption {
type = lib.types.str;
default = "";
example = "/admin";
description = "Optional path suffix for homepage links (e.g. /admin).";
};
};
};
description = "Homepage metadata for this service.";
};
};
}));
};
};
config = lib.mkIf cfg.enable {
users = {
groups.${cfg.group} = {
gid = cfg.gid;
};
users.${cfg.user} = {
uid = cfg.uid;
isSystemUser = true;
group = cfg.group;
extraGroups = ifTheyExist [
"audio"
"video"
"docker"
"libvirtd"
"qemu-libvirtd"
"rtkit"
"fail2ban"
"vaultwarden"
"qbittorrent"
"lidarr"
"prowlarr"
"bazarr"
"sonarr"
"radarr"
"media"
"share"
"render"
"input"
"authentik"
"traefik"
];
};
};
};
}

315
modules/server/podman/default.nix
View File

@@ -1,315 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
srv = config.server;
cfg = config.server.podman;
piholeUrl =
if config.networking.hostName == "sobotka"
then "pihole0"
else if config.networking.hostName == "ziggy"
then "pihole1"
else throw "Unknown hostname";
getPiholeSecret = hostname:
if hostname == "ziggy"
then [config.age.secrets.piholeZiggy.path]
else if hostname == "sobotka"
then [config.age.secrets.pihole.path]
else throw "Unknown hostname: ${hostname}";
in {
options.server.podman = {
enable = lib.mkEnableOption "Enables Podman";
gluetun.enable = lib.mkEnableOption "Enables gluetun";
qbittorrent = {
enable = lib.mkEnableOption "Enable qBittorrent";
url = lib.mkOption {
type = lib.types.str;
default = "qbt.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 8080;
description = "The port to host qBittorrent on.";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "qBittorrent";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Torrent client";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "qbittorrent.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Downloads";
};
};
slskd = {
enable = lib.mkEnableOption "Enable Soulseek";
url = lib.mkOption {
type = lib.types.str;
default = "slskd.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 5030;
description = "The port to host Soulseek webui on.";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "slskd";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Web-based Soulseek client";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "slskd.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Downloads";
};
};
pihole = {
enable = lib.mkEnableOption {
description = "Enable";
};
port = lib.mkOption {
type = lib.types.int;
default = 8053;
description = "The port to host PiHole on.";
};
url = lib.mkOption {
type = lib.types.str;
default = "${piholeUrl}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "PiHole";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Adblocking and DNS service";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "pi-hole.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
homepage.path = lib.mkOption {
type = lib.types.str;
default = "/admin";
description = "Optional path suffix for homepage links (e.g. /admin).";
};
};
};
config = lib.mkIf cfg.enable {
virtualisation = {
containers.enable = true;
podman.enable = true;
};
networking.firewall = lib.mkIf cfg.pihole.enable {
allowedTCPPorts = [
53
5335
];
allowedUDPPorts = [
53
5335
];
};
services.traefik = lib.mkMerge [
(lib.mkIf cfg.pihole.enable {
dynamicConfigOptions = {
http = {
services = {
pihole.loadBalancer.servers = [{url = "http://localhost:${toString cfg.pihole.port}";}];
};
routers = {
pihole = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.pihole.url}`)";
service = "pihole";
tls.certResolver = "letsencrypt";
};
};
};
};
})
(lib.mkIf cfg.qbittorrent.enable {
dynamicConfigOptions = {
http = {
services = {
qbittorrent.loadBalancer.servers = [{url = "http://localhost:${toString cfg.qbittorrent.port}";}];
};
routers = {
qbittorrent = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.qbittorrent.url}`)";
service = "qbittorrent";
tls.certResolver = "letsencrypt";
};
};
};
};
})
(lib.mkIf cfg.slskd.enable {
dynamicConfigOptions = {
http = {
services = {
slskd.loadBalancer.servers = [{url = "http://localhost:${toString cfg.slskd.port}";}];
};
routers = {
slskd = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.slskd.url}`)";
service = "slskd";
tls.certResolver = "letsencrypt";
};
};
};
};
})
];
virtualisation.oci-containers.containers = lib.mkMerge [
(lib.mkIf cfg.gluetun.enable {
gluetun = {
image = "qmcgaw/gluetun";
ports = [
"8388:8388"
"58846:58846"
"8080:8080"
"5030:5030"
"5031:5031"
"50300:50300"
];
devices = ["/dev/net/tun:/dev/net/tun"];
autoStart = true;
extraOptions = [
"--cap-add=NET_ADMIN"
];
volumes = ["/var:/gluetun"];
environmentFiles = [
config.age.secrets.gluetunEnvironment.path
];
environment = {
DEV_MODE = "false";
VPN_SERVICE_PROVIDER = "mullvad";
VPN_TYPE = "wireguard";
SERVER_CITIES = "Stockholm";
};
};
})
(lib.mkIf cfg.qbittorrent.enable {
qbittorrent = {
image = "ghcr.io/hotio/qbittorrent:latest";
autoStart = true;
dependsOn = ["gluetun"];
ports = [
"8080:8080"
"58846:58846"
];
extraOptions = [
"--network=container:gluetun"
];
volumes = [
"/var/lib/qbittorrent:/config:rw"
"/mnt/data/media/downloads:/downloads:rw"
];
environmentFiles = [
config.age.secrets.gluetunEnvironment.path
];
environment = {
PUID = "994";
PGID = "993";
TZ = "Europe/Stockholm";
WEBUI_PORT = "${builtins.toString cfg.qbittorrent.port}";
};
};
})
(lib.mkIf cfg.slskd.enable {
slskd = {
image = "slskd/slskd:latest";
autoStart = true;
dependsOn = ["gluetun"];
ports = [
"5030:5030"
"5031:5031"
"50300:50300"
];
extraOptions = [
"--network=container:gluetun"
];
volumes = [
"/var/lib/slskd:/app:rw"
"/mnt/data/media/downloads:/downloads:rw"
];
environmentFiles = [
config.age.secrets.gluetunEnvironment.path
config.age.secrets.slskd.path
];
environment = {
TZ = "Europe/Stockholm";
PUID = "981";
PGID = "982";
SLSKD_REMOTE_CONFIGURATION = "true";
SLSKD_REMOTE_FILE_MANAGEMENT = "true";
SLSKD_DOWNLOADS_DIR = "/downloads";
SLSKD_UMASK = "022";
};
};
})
(lib.mkIf cfg.pihole.enable {
pihole = {
autoStart = true;
image = "pihole/pihole:latest";
volumes = [
"/var/lib/pihole:/etc/pihole/"
"/var/lib/dnsmasq.d:/etc/dnsmasq.d/"
];
environment = {
TZ = "Europe/Stockholm";
CUSTOM_CACHE_SIZE = "0";
WEBTHEME = "default-darker";
};
environmentFiles = getPiholeSecret config.networking.hostName;
ports = [
"53:53/tcp"
"53:53/udp"
"8053:80/tcp"
];
extraOptions = [
"--cap-add=NET_ADMIN"
"--cap-add=SYS_NICE"
"--cap-add=SYS_TIME"
];
};
})
];
};
}

80
modules/server/prowlarr/default.nix
View File

@@ -1,80 +0,0 @@
{
config,
lib,
...
}: let
unit = "prowlarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Prowlarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "PVR indexer";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "prowlarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
flaresolverr = {
enable = true;
};
traefik = {
dynamicConfigOptions = {
http = {
services = {
prowlarr = {
loadBalancer.servers = [{url = "http://127.0.0.1:9696";}];
};
flaresolverr = {
loadBalancer.servers = [{url = "http://127.0.0.1:8191";}];
};
};
routers = {
prowlarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "prowlarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
flaresolverr = {
entryPoints = ["websecure"];
rule = "Host(`flaresolverr.${srv.domain}`)";
service = "flaresolverr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
};
}

62
modules/server/radarr/default.nix
View File

@@ -1,62 +0,0 @@
{
config,
lib,
...
}: let
unit = "radarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Radarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Film collection manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "radarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.radarr.loadBalancer.servers = [{url = "http://127.0.0.1:7878";}];
routers = {
radarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "radarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}

17
modules/server/services/bazarr/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "bazarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

19
modules/server/services/default.nix Normal file
View File

@@ -0,0 +1,19 @@
{
imports = [
./bazarr
./flaresolverr
./gitea
./homepage-dashboard
./jellyfin
./jellyseerr
./lidarr
./n8n
./nextcloud
./ollama
./prowlarr
./radarr
./sonarr
./uptime-kuma
./vaultwarden
];
}

16
modules/server/services/flaresolverr/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
unit = "flaresolverr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}

94
modules/server/services/gitea/default.nix Normal file
View File

@@ -0,0 +1,94 @@
{
config,
lib,
self,
...
}: let
unit = "gitea";
cfg = config.server.services.${unit};
domain = "${cfg.subdomain}.${config.server.infra.www.url}";
in {
config = lib.mkIf cfg.enable {
age.secrets.giteaCloudflared.file = "${self}/secrets/giteaCloudflared.age";
server.infra = {
fail2ban.jails.${unit} = {
serviceName = "${unit}";
failRegex = ''.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>'';
};
postgresql.databases = [
{database = "gitea";}
];
};
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${domain}".service = "http://localhost:${toString cfg.port}";
};
};
gitea = {
enable = true;
appName = "cnix code forge";
database = {
type = "postgres";
socket = "/run/postgresql";
name = "gitea";
user = "gitea";
createDatabase = false;
};
lfs.enable = true;
settings = {
cors = {
ENABLED = true;
SCHEME = "https";
ALLOW_DOMAIN = domain;
};
log.MODE = "console";
mailer = {
ENABLED = false;
MAILER_TYPE = "sendmail";
FROM = "noreply+adam@cnst.dev";
SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
};
picture.DISABLE_GRAVATAR = true;
repository = {
DEFAULT_BRANCH = "main";
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
};
indexer.REPO_INDEXER_ENABLED = true;
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
ACCOUNT_LINKING = "auto";
};
server = {
DOMAIN = domain;
LANDING_PAGE = "explore";
HTTP_PORT = cfg.port;
ROOT_URL = "https://${domain}/";
};
security.DISABLE_GIT_HOOKS = false;
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
};
};
};
};
}

227
modules/server/services/homepage-dashboard/default.nix Normal file
View File

@@ -0,0 +1,227 @@
{
config,
lib,
self,
clib,
...
}: let
unit = "homepage-dashboard";
cfg = config.server.services.${unit};
srv = config.server;
in {
config = lib.mkIf cfg.enable {
age.secrets = {
homepageEnvironment = {
file = "${self}/secrets/homepageEnvironment.age";
};
};
services = {
glances.enable = true;
${unit} = {
enable = true;
environmentFile = config.age.secrets.homepageEnvironment.path;
settings = {
color = "stone";
theme = "dark";
headerStyle = "clean";
statusStyle = "dot";
hideVersion = true;
useEqualHeights = true;
layout = [
{
Glances = {
header = false;
style = "row";
columns = 4;
};
}
{
Arr = {
header = true;
style = "column";
};
}
{
Downloads = {
header = true;
style = "column";
};
}
{
Media = {
header = true;
style = "column";
};
}
{
Services = {
header = true;
style = "column";
};
}
];
};
widgets = [
{
openmeteo = {
label = "Kalmar";
timezone = "Europe/Stockholm";
units = "metric";
cache = 5;
latitude = 56.707262;
longitude = 16.324541;
};
}
{
resources = {
label = "SYSTEM";
memory = true;
cpu = true;
uptime = false;
};
}
];
services = let
homepageCategories = [
"Arr"
"Media"
"Downloads"
"Services"
];
allServices = srv.services;
getDomain = s: clib.server.mkHostDomain config s;
homepageServicesFor = category:
lib.filterAttrs
(
name: value:
name
!= unit
&& value ? homepage
&& value.homepage.category == category
)
allServices;
in
lib.lists.forEach homepageCategories (cat: {
"${cat}" =
lib.lists.forEach
(lib.attrsets.mapAttrsToList (name: _value: name) (homepageServicesFor cat))
(x: let
service = allServices.${x};
domain = getDomain service;
in {
"${service.homepage.name}" = {
icon = service.homepage.icon;
description = service.homepage.description;
href = "https://${service.subdomain}.${domain}${service.homepage.path or ""}";
siteMonitor = "https://${service.subdomain}.${domain}${x.homepage.path or ""}";
};
});
})
++ [
{
Glances = let
glancesShared = {
type = "glances";
url = "http://localhost:${toString config.services.glances.port}";
chart = true;
version = 4;
};
in [
{
Memory = {
widget =
glancesShared
// {
metric = "memory";
refreshInterval = 2000;
pointsLimit = 30;
};
};
}
{
"CPU Usage" = {
widget =
glancesShared
// {
metric = "cpu";
refreshInterval = 2000;
pointsLimit = 30;
};
};
}
{
"CPU Temp" = {
widget =
glancesShared
// {
metric = "sensor:Tctl";
refreshInterval = 5000;
pointsLimit = 20;
};
};
}
{
"GPU Radeon" = {
widget =
glancesShared
// {
metric = "sensor:junction";
};
};
}
{
"GPU Intel" = {
widget =
glancesShared
// {
metric = "sensor:pkg";
};
};
}
{
"ZFS Pool" = {
widget =
glancesShared
// {
metric = "fs:/mnt/data";
refreshInterval = 30000;
pointsLimit = 20;
diskUnits = "bytes";
};
};
}
{
Processes = {
widget =
glancesShared
// {
metric = "process";
};
};
}
{
Network = {
widget =
glancesShared
// {
metric = "network:enp6s0";
};
};
}
];
}
];
};
};
};
}

21
modules/server/services/jellyfin/default.nix Normal file
View File

@@ -0,0 +1,21 @@
{
config,
lib,
pkgs,
...
}: let
unit = "jellyfin";
cfg = config.server.services.${unit};
srv = config.server;
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
environment.systemPackages = with pkgs; [
jellyfin-ffmpeg
];
};
}

15
modules/server/services/jellyseerr/default.nix Normal file
View File

@@ -0,0 +1,15 @@
{
config,
lib,
...
}: let
unit = "jellyseerr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
port = cfg.port;
};
};
}

17
modules/server/services/lidarr/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "lidarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

17
modules/server/services/n8n/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "n8n";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
n8n = {
enable = true;
openFirewall = true;
};
};
};
}

76
modules/server/nextcloud/default.nix → modules/server/services/nextcloud/default.nix
View File

@@ -2,62 +2,34 @@
config,
pkgs,
lib,
self,
...
}: let
unit = "nextcloud";
cfg = config.server.${unit};
cfg = config.server.services.${unit};
srv = config.server;
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
adminpassFile = lib.mkOption {
type = lib.types.path;
};
adminuser = lib.mkOption {
type = lib.types.str;
default = "cnst";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "cloud.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Nextcloud";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "A safe home for all your data";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "nextcloud.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
server.fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = {
nextcloud = {
serviceName = "phpfpm-nextcloud";
failRegex = "^.*Login failed:.*(Remote IP: <HOST>).*$";
};
age.secrets = {
nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age";
};
server.infra.fail2ban.jails.nextcloud = {
serviceName = "${unit}";
_groupsre = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
failRegex = ''
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
'';
datePattern = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
};
services = {
${unit} = {
enable = true;
package = pkgs.nextcloud31;
package = pkgs.nextcloud32;
hostName = "nextcloud";
configureRedis = true;
caching = {
@@ -95,7 +67,7 @@ in {
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "cnst";
adminpassFile = cfg.adminpassFile;
adminpassFile = config.age.secrets.nextcloudAdminPass.path;
};
};
@@ -114,21 +86,9 @@ in {
forceSSL = false;
};
};
traefik.dynamicConfigOptions.http = {
routers.nextcloud = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "nextcloud";
tls.certResolver = "letsencrypt";
};
services.nextcloud.loadBalancer.servers = [
{url = "http://127.0.0.1:8182";}
];
};
};
server.postgresql.databases = [
server.infra.postgresql.databases = [
{
database = "nextcloud";
}

28
modules/server/services/ollama/default.nix Normal file
View File

@@ -0,0 +1,28 @@
{
config,
lib,
pkgs,
...
}: let
unit = "ollama";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
ollama
intel-compute-runtime
intel-graphics-compiler
level-zero
];
services.open-webui = {
enable = true;
host = "0.0.0.0";
port = 8001;
environment = {
ANONYMIZED_TELEMETRY = "False";
BYPASS_MODEL_ACCESS_CONTROL = "True";
OLLAMA_BASE_URL = "http://localhost:11434";
};
};
};
}

16
modules/server/services/prowlarr/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
unit = "prowlarr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}

17
modules/server/services/radarr/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "radarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

17
modules/server/services/sonarr/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "sonarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

16
modules/server/services/uptime-kuma/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
unit = "uptime-kuma";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}

59
modules/server/services/vaultwarden/default.nix Normal file
View File

@@ -0,0 +1,59 @@
# from @fufexan & @notthebee
{
config,
lib,
self,
...
}: let
unit = "vaultwarden";
cfg = config.server.services.${unit};
domain = "${cfg.subdomain}.${config.server.infra.www.url}";
in {
config = lib.mkIf cfg.enable {
age.secrets = {
vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
};
server.infra.fail2ban.jails.${unit} = {
serviceName = "${unit}";
failRegex = ''^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$'';
};
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${domain}".service = "http://localhost:${toString cfg.port}";
};
};
vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwardenEnvironment.path;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://${domain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = cfg.port;
IP_HEADER = "CF-Connecting-IP";
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = true;
showPasswordHint = false;
};
};
};
systemd.services.backup-vaultwarden.serviceConfig = {
User = "root";
Group = "root";
};
};
}

62
modules/server/sonarr/default.nix
View File

@@ -1,62 +0,0 @@
{
config,
lib,
...
}: let
unit = "sonarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Sonarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Series collection manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "sonarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.sonarr.loadBalancer.servers = [{url = "http://127.0.0.1:8989";}];
routers = {
sonarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "sonarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}

100
modules/server/traefik/default.nix
View File

@@ -1,100 +0,0 @@
{
lib,
config,
pkgs,
self,
...
}: let
inherit (lib) mkEnableOption mkIf types;
cfg = config.server.traefik;
getCloudflareCredentials = hostname:
if hostname == "ziggy"
then config.age.secrets.cloudflareDnsCredentialsZiggy.path
else if hostname == "sobotka"
then config.age.secrets.cloudflareDnsCredentials.path
else throw "Unknown hostname: ${hostname}";
in {
options.server.traefik = {
enable = mkEnableOption "Enable global Traefik reverse proxy with ACME";
};
config = mkIf cfg.enable {
age.secrets.traefikEnv = {
file = "${self}/secrets/traefikEnv.age";
mode = "640";
owner = "root";
group = "traefik";
};
systemd.services.traefik = {
serviceConfig = {
EnvironmentFile = [config.age.secrets.traefikEnv.path];
};
};
networking.firewall.allowedTCPPorts = [80 443];
services = {
tailscale.permitCertUid = "traefik";
traefik = {
enable = true;
staticConfigOptions = {
log = {
level = "DEBUG";
};
tracing = {};
api = {
dashboard = true;
};
certificatesResolvers = {
tailscale.tailscale = {};
letsencrypt = {
acme = {
email = "adam@cnst.dev";
storage = "/var/lib/traefik/cert.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"1.0.0.1:53"
];
};
};
};
};
entryPoints = {
redis = {
address = "0.0.0.0:6381";
};
postgres = {
address = "0.0.0.0:5433";
};
web = {
address = "0.0.0.0:80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
permanent = true;
};
};
websecure = {
address = "0.0.0.0:443";
http.tls = {
certResolver = "letsencrypt";
domains = [
{
main = "cnix.dev";
sans = ["*.cnix.dev"];
}
];
};
};
};
};
};
};
};
}

62
modules/server/uptime-kuma/default.nix
View File

@@ -1,62 +0,0 @@
{
config,
lib,
...
}: let
unit = "uptime-kuma";
cfg = config.server.${unit};
srv = config.server;
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/uptime-kuma";
};
url = lib.mkOption {
type = lib.types.str;
default = "uptime.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Uptime Kuma";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Service monitoring tool";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "uptime-kuma.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
traefik = {
dynamicConfigOptions = {
http = {
services.uptime-kuma.loadBalancer.servers = [{url = "http://127.0.0.1:3001";}];
routers = {
uptime-kuma = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "uptime-kuma";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
};
}

85
modules/server/vaultwarden/default.nix
View File

@@ -1,85 +0,0 @@
# from @fufexan & @notthebee
{
config,
lib,
...
}:
let
inherit (lib) mkIf mkEnableOption;
vcfg = config.services.vaultwarden.config;
cfg = config.server.vaultwarden;
in
{
options = {
server.vaultwarden = {
enable = mkEnableOption "Enables vaultwarden";
url = lib.mkOption {
type = lib.types.str;
default = "${cfg.domain}";
};
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
};
config = mkIf cfg.enable {
server = {
fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = {
vaultwarden = {
serviceName = "vaultwarden";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
};
};
};
};
systemd.services.backup-vaultwarden.serviceConfig = {
User = "root";
Group = "root";
};
services = {
vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwardenEnvironment.path;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://${cfg.url}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
IP_HEADER = "CF-Connecting-IP";
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = false;
showPasswordHint = false;
};
};
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT}";
};
};
};
};
}

44
modules/server/www/default.nix
View File

@@ -1,44 +0,0 @@
{
lib,
config,
pkgs,
...
}: let
inherit (lib) mkOption mkEnableOption mkIf types;
cfg = config.server.www;
srv = config.server;
in {
options.server.www = {
enable = mkEnableOption {
description = "Enable personal website";
};
url = mkOption {
default = "";
type = types.str;
description = ''
Public domain name to be used to access the server services via Caddy reverse proxy
'';
};
};
config = mkIf cfg.enable {
services.caddy.virtualHosts."${cfg.url}" = {
useACMEHost = cfg.url;
extraConfig = ''
handle_path /.well-known/webfinger {
header Content-Type application/jrd+json
respond `{
"subject": "acct:adam@${cfg.url}",
"links": [
{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://login.${cfg.url}/realms/cnix"
}
]
}`
}
reverse_proxy http://127.0.0.1:8283
'';
};
};
}

31
modules/settings/accounts/default.nix
View File

@@ -2,8 +2,7 @@
lib,
config,
...
}:
let
}: let
inherit (lib) mkOption types;
sshKeys = {
@@ -16,14 +15,14 @@ let
keyName = config.settings.accounts.sshUser or null;
selectedKey =
if keyName != null then
if keyName != null
then
lib.attrByPath [
keyName
] (builtins.abort "No SSH key defined for hostname/key '${toString keyName}'") sshKeys
else
builtins.abort "No accounts.sshUser provided, cannot select SSH key.";
in
{
] (builtins.abort "No SSH key defined for hostname/key '${toString keyName}'")
sshKeys
else builtins.abort "No accounts.sshUser provided, cannot select SSH key.";
in {
options.settings.accounts = {
username = mkOption {
type = types.str;
@@ -46,5 +45,21 @@ in
default = null;
description = "Optional override for selecting an SSH key by name";
};
domains = lib.mkOption {
type = lib.types.submodule {
options = {
local = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
description = "The local domain of the host";
};
public = lib.mkOption {
type = lib.types.str;
default = "example.com";
description = "The public domain of the host";
};
};
};
};
};
}

4
modules/settings/monitors/default.nix
View File

@@ -21,8 +21,8 @@ in
example = 1080;
};
refreshRate = mkOption {
type = types.int;
default = 60;
type = types.str;
default = "60";
};
transform = mkOption {
type = types.int;

3
nix/nixpkgs/default.nix
View File

@@ -4,5 +4,8 @@
allowUnfree = true;
input-fonts.acceptLicense = true;
};
overlays = [
];
};
}

4
pkgs/default.nix
View File

@@ -5,9 +5,7 @@
"aarch64-linux"
];
perSystem =
{ pkgs, ... }:
{
perSystem = {pkgs, ...}: {
packages = {
# instant repl with automatic flake loading
repl = pkgs.callPackage ./repl {};

Some files were not shown because too many files have changed in this diff Show More