cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity

Compare commits

base: cnst:0d447771ebf3f7c85dc41b43e1f7e95e169b0510
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken
...
compare: cnst:monitors
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken

61 Commits
0d447771eb ... monitors

Author SHA1 Message Date
cnst
b1a4574f17 feat(monitors): from int to str for more precision 2025-10-19 21:09:40 +02:00
cnst
3d8deae6f3 feat(llm): testing some local models 2025-10-16 21:20:40 +02:00
cnst
cd978f5eb6 feat(hypr): back to hyprland, and fix some clib importing stuffs 2025-10-15 20:00:31 +02:00
cnst
64df7abad5 feat(hypr): clean up 2025-10-15 19:38:47 +02:00
cnst
8efa649d47 feat(homepage-dashboard): change vaultwarden icon 2025-10-15 18:01:39 +02:00
cnst
2dc09e23a0 chore(jellyseerr): typo 2025-10-15 17:50:11 +02:00
cnst
8fd2a7d9ad feat(homepage-dashboard): reintroduce path option 2025-10-15 17:49:30 +02:00
cnst
113892b75d chore(update): flake lock 2025-10-14 22:43:59 +02:00
cnst
001dfbf27f chore(traefik): delete dead code 2025-10-14 22:00:16 +02:00
cnst
3deca06206 Merge pull request 'refactor' (#6) from refactor into main 
Reviewed-on: #6
 2025-10-14 21:56:13 +02:00
cnst
07333b4544 feat(refactor): ready for merge 2025-10-14 21:50:44 +02:00
cnst
63f495fa0d feat(refactor): WIP 2.0 some progress 2025-10-13 21:13:53 +02:00
cnst
d2bd385367 feat(refactor): WIP refactor server modules 2025-10-12 21:07:30 +02:00
cnst
57cb48a11c feat(gaming): cleaning up gaming related pkgs 2025-10-11 16:44:54 +02:00
cnst
6b7ca2b194 feat(update): new kernel, new container versions and temporarily moving to zfs_unstable in waiting for stable to catch up with new kernel 2025-10-11 11:04:15 +02:00
cnst
e578a280db chore(update): flake lock and removing unmaintained pkgs 2025-10-11 09:40:35 +02:00
cnst
01ca3d7ebe feat(gitea): integrate with authentik 2025-10-08 20:39:54 +02:00
cnst
46aa5a9deb fix(fail2ban): some hacky fix 2025-10-07 21:05:43 +02:00
cnst
549037fe69 chore(flake) lock 2025-10-06 21:00:09 +02:00
cnst
0cb6862dcd feat(sqlite): adding sqlite pkgs 2025-10-06 20:57:01 +02:00
cnst
9e4454ff57 feat(gitea): move to cnst.dev domain, cf tunnel 2025-10-06 20:55:31 +02:00
cnst
15a20dd8e0 feat(pkgs): adding some dev pkgs to sobotka and dig as default 2025-10-05 19:27:15 +02:00
cnst
3306598f8a feat(jellyfin): adding to tnet 2025-10-05 19:10:43 +02:00
cnst
93f227ba7e feat(network): adding options for dns and search 2025-10-05 15:40:52 +02:00
cnst
9d20eff7f9 feat(jellyfin): TS testing 2025-10-05 10:47:08 +02:00
cnst
94d3f2ad35 feat(jellyfin): will this break things? 2025-10-05 10:35:22 +02:00
cnst
1d5bc22274 Merge branch 'main' into working 2025-10-05 10:21:16 +02:00
cnst
f2386a851e working 1 2025-10-05 10:11:40 +02:00
cnst
c9edc99a85 chore(revert): slowly introducing changes 2025-10-05 09:27:51 +02:00
cnst
67e83e3e4e feat(authentik): fixing some fail2ban things 2025-10-02 05:45:35 +02:00
cnst
923c810972 feat(authentik): fixing some fail2ban things 2025-10-01 18:00:55 +02:00
cnst
6ab35f4e91 feat(www): fixing fail2ban and other minor tweaks 2025-09-30 18:16:49 +02:00
cnst
593f0e619c chore(ded): remove dead code 2025-09-29 19:31:23 +02:00
cnst
688e23d229 feat(pstate): opt in changes and sooooo 2025-09-29 19:28:33 +02:00
cnst
725a3ed27e chore(niri): go to nixpkgs niri release 2025-09-29 17:10:38 +02:00
cnst
e45dc0d223 feat(homelab): fixing cf tunnels, authentik and tailscale! 2025-09-28 18:27:17 +02:00
cnst
bc78dd7302 chore(?): hm 2025-09-28 16:24:32 +02:00
cnst
94c34f8675 chore(update): flake lock 2025-09-28 08:03:38 +02:00
cnst
fda7d972c4 chore(age): adding bunk credentials to agenix 2025-09-27 19:54:03 +02:00
cnst
f6bb6672bb chore(agenix): refactor some secrets 2025-09-27 14:35:04 +02:00
cnst
68f1cb9b09 chore(misc): removing dead code and small insignificant changes 2025-09-26 20:41:26 +02:00
cnst
e721a2088b feat(homepage-dashboard): adding some disk info 2025-09-26 17:41:19 +02:00
cnst
551a47989c Merge pull request 'feat(swaybg) adding swaybg and some script' (#5) from wutwut into main 
Reviewed-on: https://git.cnix.dev/cnst/cnix/pulls/5
 2025-09-25 17:30:37 +02:00
cnst
2cb07c45a7 Merge pull request 'feat(swaybg) adding bg script' (#4) from wut into main 
Reviewed-on: https://git.cnix.dev/cnst/cnix/pulls/4
 2025-09-25 17:26:09 +02:00
cnst
4666731676 feat(swaybg) adding swaybg and some script 2025-09-25 17:17:49 +02:00
cnst
8fe6382c48 feat(swaybg) adding bg script 2025-09-25 17:16:55 +02:00
cnst
068f47e9a2 chore(alacritty): fix cfg 2025-09-24 18:46:36 +02:00
cnst
27bd976a60 chore(alacritty): fix cfg 2025-09-24 06:30:48 +02:00
cnst
9adfb329af feat(theme): go to adwaita gtk theme 2025-09-23 20:04:08 +02:00
cnst
757c3081fd feat(alacritty): change theme and flake lock 2025-09-23 20:02:08 +02:00
cnst
1d2f934c98 chore(?): remove deader code 2025-09-23 18:14:43 +02:00
cnst
86624f362d feat(IP): migrate to traefik and authentik, remove dead code 2025-09-23 18:13:28 +02:00
cnst
b752781064 feat(nextcloud): switch from nginx to caddy 2025-09-21 13:27:02 +02:00
cnst
884b40c71d chore(?): remove dead code 2025-09-21 10:32:05 +02:00
cnst
f861d363ca feat(nextcloud): finishing touches and other chores 2025-09-21 10:28:54 +02:00
cnst
c63daec95c feat(nextcloud): tweaks to nextcloud 2025-09-20 12:31:12 +02:00
cnst
2e1d28450b Merge pull request 'feat(nextcloud): back to basics' (#3) from nextc into main 
Reviewed-on: https://git.cnix.dev/cnst/cnix/pulls/3
 2025-09-19 20:09:18 +02:00
cnst
1228c800a1 feat(nextcloud): back to basics 2025-09-19 20:08:45 +02:00
cnst
1c8ccb6405 feat(sh): niri spawning script for stacking two windows of same app vertically 2025-09-19 20:03:11 +02:00
cnst
3b7e566545 Merge pull request 'chore(update): remove lix patch, minor waybar changes' (#2) from update into main 
Reviewed-on: https://git.cnix.dev/cnst/cnix/pulls/2
 2025-09-18 20:00:32 +02:00
cnst
8c07f3642b chore(update): remove lix patch, minor waybar changes 2025-09-18 19:59:39 +02:00
130 changed files with 2980 additions and 2707 deletions
Expand all files Collapse all files

596
flake.lock generated
View File

File diff suppressed because it is too large Load Diff

45
flake.nix
View File

@@ -1,9 +1,8 @@
{
description = "cnix nix";
outputs =
inputs:
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
outputs = inputs:
inputs.flake-parts.lib.mkFlake {inherit inputs;} {
systems = [
"x86_64-linux"
"aarch64-linux"
@@ -17,21 +16,23 @@
./fmt-hooks.nix
];
perSystem =
{ config, pkgs, ... }:
{
devShells.default = pkgs.mkShell {
packages = [
pkgs.git
config.packages.repl
];
name = "dots";
env.DIRENV_LOG_FORMAT = "";
shellHook = ''
${config.pre-commit.installationScript}
'';
};
perSystem = {
config,
pkgs,
...
}: {
devShells.default = pkgs.mkShell {
packages = [
pkgs.git
config.packages.repl
];
name = "dots";
env.DIRENV_LOG_FORMAT = "";
shellHook = ''
${config.pre-commit.installationScript}
'';
};
};
};
inputs = {
@@ -51,6 +52,14 @@
inputs.nixpkgs-lib.follows = "nixpkgs";
};
authentik = {
url = "github:nix-community/authentik-nix";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-parts.follows = "flake-parts";
};
};
flake-compat.url = "github:edolstra/flake-compat";
# Hyprland environment
@@ -135,8 +144,6 @@
inputs.nixpkgs.follows = "nixpkgs";
};
niri.url = "github:sodiboo/niri-flake";
# Custom
tuirun = {
url = "git+https://git.sr.ht/~canasta/tuirun";

10
hosts/bunk/modules.nix
View File

@@ -3,7 +3,7 @@
boot = {
kernel = {
variant = "latest";
hardware = [ "amd" ];
hardware = ["amd"];
};
loader = {
default = {
@@ -20,7 +20,7 @@
};
graphics = {
enable = true;
vendors = [ "amd" ];
vendors = ["amd"];
};
logitech = {
enable = false;
@@ -73,8 +73,8 @@
enable = false;
};
hyprland = {
enable = false;
withUWSM = false;
enable = true;
withUWSM = true;
};
inkscape = {
enable = false;
@@ -86,7 +86,7 @@
enable = true;
};
niri = {
enable = true;
enable = false;
};
pkgs = {
enable = true;

6
hosts/bunk/settings.nix
View File

@@ -10,7 +10,7 @@
name = "DP-3";
width = 2560;
height = 1440;
refreshRate = 240;
refreshRate = "240";
position = "0x0";
transform = 0;
bitDepth = 10;
@@ -20,7 +20,7 @@
name = "HDMI-A-1";
width = 1920;
height = 1080;
refreshRate = 60;
refreshRate = "60";
position = "2560x0";
# transform = 3;
workspace = "5";
@@ -29,7 +29,7 @@
name = "eDP-1";
width = 1920;
height = 1200;
refreshRate = 60;
refreshRate = "60";
workspace = "1";
}
];

19
hosts/default.nix
View File

@@ -8,7 +8,7 @@
{
flake.nixosConfigurations =
let
cLib = import ../lib inputs.nixpkgs.lib;
clib = import ../lib inputs.nixpkgs.lib;
userConfig = "${self}/home";
systemConfig = "${self}/system";
hostConfig = "${self}/hosts";
@@ -24,7 +24,6 @@
specialArgs = {
inherit
cLib
inputs
outputs
self
@@ -37,17 +36,20 @@
smodPath
;
};
specialArgsWithClib = specialArgs // {
inherit clib;
};
in
{
kima = nixosSystem {
inherit specialArgs;
specialArgs = specialArgsWithClib;
modules = [
./kima
"${self}/nix"
{
home-manager = {
users.cnst.imports = homeImports."cnst@kima";
extraSpecialArgs = specialArgs;
extraSpecialArgs = specialArgsWithClib;
};
}
self.nixosModules.nixos
@@ -57,14 +59,14 @@
];
};
bunk = nixosSystem {
inherit specialArgs;
specialArgs = specialArgsWithClib;
modules = [
./bunk
"${self}/nix"
{
home-manager = {
users.cnst.imports = homeImports."cnst@bunk";
extraSpecialArgs = specialArgs;
extraSpecialArgs = specialArgsWithClib;
};
}
self.nixosModules.nixos
@@ -82,6 +84,7 @@
self.nixosModules.settings
self.nixosModules.server
inputs.agenix.nixosModules.default
inputs.authentik.nixosModules.default
];
};
ziggy = nixosSystem {
@@ -96,14 +99,14 @@
];
};
toothpc = nixosSystem {
inherit specialArgs;
specialArgs = specialArgsWithClib;
modules = [
./toothpc
"${self}/nix"
{
home-manager = {
users.toothpick.imports = homeImports."toothpick@toothpc";
extraSpecialArgs = specialArgs;
extraSpecialArgs = specialArgsWithClib;
};
}
self.nixosModules.nixos

3
hosts/kima/hardware-configuration.nix
View File

@@ -21,8 +21,9 @@
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ "amdgpu" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [
"amdgpu"
"kvm-amd"
"i2c-dev"
];

25
hosts/kima/modules.nix
View File

@@ -4,7 +4,8 @@
kernel = {
variant = "latest";
hardware = [ "amd" ];
extraKernelParams = [ "amdgpu.dcdebugmask=0x10" ];
extraKernelParams = [ ];
amdOverdrive.enable = true;
};
loader = {
default = {
@@ -28,6 +29,13 @@
};
network = {
enable = true;
nameservers = [
"192.168.88.1"
"192.168.88.69"
];
search = [
"taila7448a.ts.net"
];
interfaces = {
"eno1" = {
allowedTCPPorts = [
@@ -65,7 +73,7 @@
};
};
gamescope = {
enable = true;
enable = false;
};
gimp = {
enable = true;
@@ -74,8 +82,8 @@
enable = false;
};
hyprland = {
enable = false;
withUWSM = false;
enable = true;
withUWSM = true;
};
inkscape = {
enable = false;
@@ -90,7 +98,7 @@
enable = true;
};
niri = {
enable = true;
enable = false;
};
pkgs = {
enable = true;
@@ -171,8 +179,8 @@
kanata = {
enable = true;
};
libvirtd = {
enable = true;
virtualisation = {
enable = false;
};
locate = {
enable = true;
@@ -214,6 +222,9 @@
scheduler = "scx_lavd";
flags = "--performance";
};
tailscale = {
enable = true;
};
udisks = {
enable = true;
};

6
hosts/kima/settings.nix
View File

@@ -10,7 +10,7 @@
name = "DP-3";
width = 2560;
height = 1440;
refreshRate = 240;
refreshRate = "143.99";
position = "0x0";
transform = 0;
bitDepth = 10;
@@ -20,7 +20,7 @@
name = "HDMI-A-1";
width = 1920;
height = 1080;
refreshRate = 60;
refreshRate = "60";
position = "2560x0";
transform = 3;
workspace = "5";
@@ -29,7 +29,7 @@
name = "eDP-1";
width = 1920;
height = 1200;
refreshRate = 60;
refreshRate = "60";
workspace = "1";
}
];

19
hosts/sobotka/default.nix
View File

@@ -3,11 +3,9 @@
config,
pkgs,
...
}:
let
}: let
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in
{
in {
users.users.cnst = {
isNormalUser = true;
shell = pkgs.fish;
@@ -41,6 +39,7 @@ in
"share"
"jellyfin"
"render"
"traefik"
];
};
@@ -51,8 +50,7 @@ in
./server.nix
];
boot.initrd.luks.devices."luks-47b35d4b-467a-4637-a5f9-45177da62897".device =
"/dev/disk/by-uuid/47b35d4b-467a-4637-a5f9-45177da62897";
boot.initrd.luks.devices."luks-47b35d4b-467a-4637-a5f9-45177da62897".device = "/dev/disk/by-uuid/47b35d4b-467a-4637-a5f9-45177da62897";
networking = {
hostName = "sobotka";
@@ -69,8 +67,11 @@ in
];
boot = {
supportedFilesystems = [ "zfs" ];
zfs.extraPools = [ "data" ];
supportedFilesystems = ["zfs"];
zfs = {
package = pkgs.zfs_unstable;
extraPools = ["data"];
};
};
services.zfs = {
@@ -78,6 +79,8 @@ in
autoScrub.enable = true;
};
environment.etc."nextcloud-admin-pass".text = "DeHKor3x8^eqqnBXjqhQ&QBl*3!sOLg8agfzOILihju#^0!2AfJ9W*vn";
environment.variables.NH_FLAKE = "/home/cnst/.nix-config";
# # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion

9
hosts/sobotka/modules.nix
View File

@@ -3,8 +3,8 @@
boot = {
kernel = {
variant = "latest";
hardware = [ "amd" ];
extraKernelParams = [ ];
hardware = ["amd"];
extraKernelParams = [];
};
loader = {
default = {
@@ -109,7 +109,7 @@
enable = true;
};
dev = {
enable = false;
enable = true;
};
};
mysql-workbench = {
@@ -213,6 +213,9 @@
scheduler = "scx_lavd";
flags = "--performance";
};
tailscale = {
enable = false;
};
udisks = {
enable = true;
};

323
hosts/sobotka/server.nix
View File

@@ -3,97 +3,276 @@
enable = true;
email = "adam@cnst.dev";
domain = "cnix.dev";
ip = "192.168.88.14";
user = "share";
group = "share";
uid = 994;
gid = 993;
gitea = {
enable = true;
};
unbound = {
enable = true;
};
caddy = {
enable = true;
};
homepage-dashboard = {
enable = true;
};
bazarr = {
enable = true;
};
prowlarr = {
enable = true;
};
lidarr = {
enable = true;
};
sonarr = {
enable = true;
};
radarr = {
enable = true;
};
jellyseerr = {
enable = true;
};
jellyfin = {
enable = true;
};
uptime-kuma = {
enable = true;
};
keycloak = {
enable = true;
url = "login.cnst.dev";
dbPasswordFile = config.age.secrets.keycloakDbPasswordFile.path;
cloudflared = {
tunnelId = "590f60f8-baaa-4106-b2d1-43740c79531e";
credentialsFile = config.age.secrets.keycloakCloudflared.path;
infra = {
authentik = {
enable = true;
url = "auth.cnst.dev";
port = 9000;
cloudflared = {
tunnelId = "b66f9368-db9e-4302-8b48-527cda34a635";
credentialsFile = config.age.secrets.authentikCloudflared.path;
};
};
traefik = {
enable = true;
};
tailscale = {
enable = true;
};
unbound = {
enable = true;
};
fail2ban = {
enable = true;
apiKeyFile = config.age.secrets.cloudflareFirewallApiKey.path;
zoneId = "0027acdfb8bbe010f55b676ad8698dfb";
};
keepalived = {
enable = true;
interface = "enp6s0";
};
gluetun = {
enable = true;
};
podman = {
enable = true;
};
www = {
enable = true;
url = "cnst.dev";
port = 8283;
cloudflared = {
tunnelId = "e5076186-efb7-405a-998c-6155af7fb221";
credentialsFile = config.age.secrets.wwwCloudflared.path;
};
};
};
vaultwarden = {
enable = true;
url = "vault.cnst.dev";
cloudflared = {
tunnelId = "fdd98086-6a4c-44f2-bba0-eb86b833cce5";
credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
services = {
homepage-dashboard = {
enable = true;
subdomain = "dash";
exposure = "local";
port = 8082;
};
};
ocis = {
enable = true;
url = "cloud.cnst.dev";
cloudflared = {
tunnelId = "8871dad0-e6ff-424c-9a6b-222ef0f492df";
credentialsFile = config.age.secrets.ocisCloudflared.path;
n8n = {
enable = true;
subdomain = "n8n";
exposure = "local";
port = 5678;
homepage = {
name = "n8n";
description = "A workflow automation platform";
icon = "n8n.svg";
category = "Services";
};
};
ollama = {
enable = true;
subdomain = "ai";
exposure = "local";
port = 8001;
homepage = {
name = "ollama";
description = "AI platform";
icon = "ollama.svg";
category = "Services";
};
};
bazarr = {
enable = true;
subdomain = "bazarr";
exposure = "local";
port = 6767;
homepage = {
name = "Bazarr";
description = "Subtitle manager";
icon = "bazarr.svg";
category = "Arr";
};
};
prowlarr = {
enable = true;
subdomain = "prowlarr";
exposure = "local";
port = 9696;
homepage = {
name = "Prowlarr";
description = "PVR indexer";
icon = "prowlarr.svg";
category = "Arr";
};
};
flaresolverr = {
enable = true;
subdomain = "flaresolverr";
exposure = "local";
port = 8191;
homepage = {
name = "FlareSolverr";
description = "Proxy to bypass Cloudflare/DDoS-GUARD protection";
icon = "flaresolverr.svg";
category = "Arr";
};
};
lidarr = {
enable = true;
subdomain = "lidarr";
exposure = "local";
port = 8686;
homepage = {
name = "Lidarr";
description = "Music collection manager";
icon = "lidarr.svg";
category = "Arr";
};
};
sonarr = {
enable = true;
subdomain = "sonarr";
exposure = "local";
port = 8989;
homepage = {
name = "Sonarr";
description = "Internet PVR for Usenet and Torrents";
icon = "sonarr.svg";
category = "Arr";
};
};
radarr = {
enable = true;
subdomain = "radarr";
exposure = "local";
port = 7878;
homepage = {
name = "Radarr";
description = "Movie collection manager";
icon = "radarr.svg";
category = "Arr";
};
};
jellyseerr = {
enable = true;
subdomain = "jellyseerr";
exposure = "local";
port = 5055;
homepage = {
name = "Jellyseerr";
description = "Media request and discovery manager";
icon = "jellyseerr.svg";
category = "Arr";
};
};
jellyfin = {
enable = true;
subdomain = "fin";
exposure = "tailscale";
port = 8096;
homepage = {
name = "Jellyfin";
description = "The Free Software Media System";
icon = "jellyfin.svg";
category = "Media";
};
};
uptime-kuma = {
enable = true;
subdomain = "uptime";
exposure = "local";
port = 3001;
homepage = {
name = "Uptime Kuma";
description = "Service monitoring tool";
icon = "uptime-kuma.svg";
category = "Services";
};
};
gitea = {
enable = true;
subdomain = "git";
exposure = "tunnel";
port = 5003;
cloudflared = {
tunnelId = "33e2fb8e-ecef-4d42-b845-6d15e216e448";
credentialsFile = config.age.secrets.giteaCloudflared.path;
};
homepage = {
name = "Gitea";
description = "Git with a cup of tea";
icon = "gitea.svg";
category = "Services";
};
};
vaultwarden = {
enable = true;
subdomain = "vault";
exposure = "tunnel";
port = 8222;
cloudflared = {
tunnelId = "fdd98086-6a4c-44f2-bba0-eb86b833cce5";
credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
};
homepage = {
name = "Vaultwarden";
description = "Password manager";
icon = "vaultwarden-light.svg";
category = "Services";
};
};
nextcloud = {
enable = true;
subdomain = "cloud";
exposure = "local";
port = 8182;
homepage = {
name = "Nextcloud";
description = "A safe home for all your data";
icon = "nextcloud.svg";
category = "Services";
};
};
};
fail2ban = {
enable = true;
apiKeyFile = config.age.secrets.cloudflareFirewallApiKey.path;
zoneId = "0027acdfb8bbe010f55b676ad8698dfb";
};
syncthing = {
enable = false;
};
keepalived = {
enable = true;
interface = "enp6s0";
};
podman = {
enable = true;
gluetun.enable = true;
qbittorrent = {
enable = true;
subdomain = "qbt";
exposure = "local";
port = 8080;
homepage = {
name = "qBittorrent";
description = "Torrent client";
icon = "qbittorrent.svg";
category = "Downloads";
};
};
slskd = {
enable = true;
subdomain = "slskd";
exposure = "local";
port = 5030;
homepage = {
name = "Soulseek";
description = "Web-based Soulseek client";
icon = "slskd.svg";
category = "Downloads";
};
};
pihole = {
enable = true;
subdomain = "pihole";
exposure = "local";
port = 8053;
homepage = {
name = "PiHole";
description = "Adblocking and DNS service";
icon = "pi-hole.svg";
category = "Services";
path = "/admin";
};
};
};
};

4
hosts/sobotka/settings.nix
View File

@@ -4,6 +4,10 @@
username = "cnst";
mail = "adam@cnst.dev";
sshUser = "sobotka";
domains = {
local = "cnix.dev";
public = "cnst.dev";
};
};
};
}

2
hosts/toothpc/settings.nix
View File

@@ -10,7 +10,7 @@
name = "DVI-D-1";
width = 1920;
height = 1080;
refreshRate = 144;
refreshRate = "144";
position = "0x0";
transform = 0;
workspace = "1";

6
hosts/ziggy/server.nix
View File

@@ -1,5 +1,4 @@
{ config, ... }:
{
{config, ...}: {
server = {
enable = true;
email = "adam@cnst.dev";
@@ -12,9 +11,6 @@
unbound = {
enable = true;
};
caddy = {
enable = true;
};
homepage-dashboard = {
enable = false;
};

26
lib/server/default.nix Normal file
View File

@@ -0,0 +1,26 @@
{lib}: let
server = {
mkDomain = config: service: let
localDomain = config.settings.accounts.domains.local;
publicDomain = config.settings.accounts.domains.public;
tailscaleDomain = "ts.${publicDomain}";
in
if service.exposure == "tunnel"
then publicDomain
else if service.exposure == "tailscale"
then tailscaleDomain
else localDomain;
mkFullDomain = config: service: let
domain = server.mkDomain config service;
in "${service.subdomain}.${domain}";
mkHostDomain = config: service: let
domain = server.mkDomain config service;
in "${domain}";
mkSubDomain = config: service: "${service.subdomain}";
};
in {
server = server;
}

10
lib/theme/bgs.nix
View File

@@ -1,11 +1,11 @@
lib: {
bgs = rec {
files = {
wallpaper_1 = "~/media/images/bg_1.jpg";
wallpaper_2 = "~/media/images/bg_2.jpg";
wallpaper_3 = "~/media/images/bg_3.jpg";
wallpaper_4 = "~/media/images/waterwindow.jpg";
wallpaper_5 = "~/media/images/barngreet.png";
wallpaper_1 = "~/media/images/bgs/bg_1.jpg";
wallpaper_2 = "~/media/images/bgs/bg_2.jpg";
wallpaper_3 = "~/media/images/bgs/bg_3.jpg";
wallpaper_4 = "~/media/images/bgs/waterwindow.jpg";
wallpaper_5 = "~/media/images/bgs/barngreet.png";
};
list = builtins.attrNames files;

24
modules/default.nix
View File

@@ -97,10 +97,9 @@
./nixos/services/greetd
./nixos/services/gvfs
./nixos/services/kanata
./nixos/services/libvirtd
./nixos/services/virtualisation
./nixos/services/locate
./nixos/services/mullvad
./nixos/services/mullvad-netns
./nixos/services/nfs
./nixos/services/nix-ld
./nixos/services/openssh
@@ -114,6 +113,7 @@
./nixos/services/udisks
./nixos/services/xserver
./nixos/services/zram
./nixos/services/tailscale
./nixos/system/fonts
./nixos/system/locale
@@ -123,26 +123,6 @@
server = {
imports = [
./server
./server/caddy
./server/fail2ban
./server/homepage-dashboard
./server/ocis
./server/keycloak
./server/vaultwarden
./server/bazarr
./server/prowlarr
./server/lidarr
./server/radarr
./server/sonarr
./server/syncthing
./server/jellyseerr
./server/jellyfin
./server/podman
./server/unbound
./server/uptime-kuma
./server/keepalived
./server/gitea
./server/postgres
];
};
settings = {

59
modules/home/programs/alacritty/default.nix
View File

@@ -14,36 +14,37 @@ in
config = mkIf cfg.enable {
programs.alacritty = {
enable = true;
theme = "gruvbox_material_hard_dark";
settings = {
# Default colors
colors.primary = {
background = "#282828";
foreground = "#d4be98";
};
colors = {
# Normal colors
normal = {
black = "#3c3836";
red = "#ea6962";
green = "#a9b665";
yellow = "#d8a657";
blue = "#7daea3";
magenta = "#d3869b";
cyan = "#89b482";
white = "#d4be98";
};
# Bright colors (same as normal colors)
bright = {
black = "#3c3836";
red = "#ea6962";
green = "#a9b665";
yellow = "#d8a657";
blue = "#7daea3";
magenta = "#d3869b";
cyan = "#89b482";
white = "#d4be98";
};
};
# colors = {
# primary = {
# background = "#282828";
# foreground = "#d4be98";
# };
# # Normal colors
# normal = {
# black = "#3c3836";
# red = "#ea6962";
# green = "#a9b665";
# yellow = "#d8a657";
# blue = "#7daea3";
# magenta = "#d3869b";
# cyan = "#89b482";
# white = "#d4be98";
# };
# # Bright colors (same as normal colors)
# bright = {
# black = "#3c3836";
# red = "#ea6962";
# green = "#a9b665";
# yellow = "#d8a657";
# blue = "#7daea3";
# magenta = "#d3869b";
# cyan = "#89b482";
# white = "#d4be98";
# };
# };
font = {
size = 12;
normal = {
@@ -73,7 +74,7 @@ in
];
window = {
dynamic_title = true;
opacity = 0.9;
opacity = 0.95;
padding = {
x = 5;
y = 5;

2
modules/home/programs/ghostty/default.nix
View File

@@ -28,7 +28,7 @@ in
enableFishIntegration = config.programs.fish.enable;
enableZshIntegration = config.programs.zsh.enable;
settings = {
theme = "GruvboxDarkHard";
theme = "Gruvbox Dark Hard";
focus-follows-mouse = true;
resize-overlay = "never";
background-opacity = 0.95;

18
modules/home/programs/hyprlock/default.nix
View File

@@ -1,26 +1,18 @@
{
inputs,
pkgs,
lib,
osConfig,
cLib,
clib,
...
}:
let
inherit (lib) mkIf mkEnableOption;
}: let
inherit (lib) mkIf;
cfg = osConfig.nixos.programs.hyprland;
hyprlockFlake = inputs.hyprlock.packages.${pkgs.system}.hyprlock;
# hyprlockPkg = pkgs.hyprlock;
#
bg = osConfig.settings.theme.background;
inherit (cLib.theme.bgs) resolve;
in
{
inherit (clib.theme.bgs) resolve;
in {
config = mkIf cfg.enable {
programs.hyprlock = {
enable = true;
package = hyprlockFlake;
settings = {
general = {
# disable_loading_bar = true;

70
modules/home/programs/mpv/default.nix
View File

@@ -7,6 +7,9 @@
let
inherit (lib) mkIf mkEnableOption;
cfg = config.home.programs.mpv;
inherit (config.xdg.userDirs) videos;
inherit (config.home) homeDirectory;
shaders_dir = "${pkgs.mpv-shim-default-shaders}/share/mpv-shim-default-shaders/shaders";
in
{
options = {
@@ -15,8 +18,71 @@ in
config = mkIf cfg.enable {
programs.mpv = {
enable = true;
defaultProfiles = [ "gpu-hq" ];
scripts = [ pkgs.mpvScripts.mpris ];
config = {
profile = "gpu-hq";
gpu-context = "wayland";
vo = "gpu-next";
video-sync = "display-resample";
interpolation = true;
tscale = "oversample";
fullscreen = false;
keep-open = true;
sub-auto = "fuzzy";
sub-font = "Noto Sans Medium";
sub-blur = 10;
screenshot-format = "png";
title = "\${filename} - mpv";
script-opts = "osc-title=\${filename},osc-boxalpha=150,osc-visibility=never,osc-boxvideo=yes";
ytdl-format = "bestvideo[height<=?1440]+bestaudio/best";
ao = "pipewire";
alang = "eng,en";
slang = "eng,en,enUS";
glsl-shader = "${homeDirectory}/.config/mpv/shaders/FSR.glsl";
scale = "lanczos";
cscale = "lanczos";
dscale = "mitchell";
deband = "yes";
scale-antiring = 1;
osc = "no";
osd-on-seek = "no";
osd-bar = "no";
osd-bar-w = 30;
osd-bar-h = "0.2";
osd-duration = 750;
really-quiet = "yes";
autofit = "65%";
};
bindings = {
"ctrl+a" = "script-message osc-visibility cycle";
};
scripts = with pkgs.mpvScripts; [
mpris
uosc
thumbfast
sponsorblock
autocrop
];
};
programs.yt-dlp = {
enable = true;
extraConfig = ''
-o ${videos}/youtube/%(title)s.%(ext)s
'';
};
home = {
file = {
".config/mpv/shaders/FSR.glsl".source = "${shaders_dir}/FSR.glsl";
};
packages = with pkgs; [
jellyfin-mpv-shim
];
};
};
}

2
modules/home/programs/pkgs/default.nix
View File

@@ -88,7 +88,7 @@ in
hyprpicker
libnotify
pamixer
oculante
loupe
adwaita-icon-theme
qt5.qtwayland
qt6.qtwayland

48
modules/home/programs/waybar/config/config.jsonc
View File

@@ -1,21 +1,26 @@
[
{
"height": 25,
"layer": "top",
"output": [
"DP-3",
"eDP-1"
],
"modules-left": [
"group/system"
],
"modules-center": [
"niri/workspaces"
"hyprland/workspaces"
],
"modules-right": [
"custom/progress",
"custom/systemd",
"group/tray",
"pulseaudio",
"backlight",
"battery",
"date",
"clock",
"custom/dunst"
"group/tray",
"custom/dunst",
"clock"
],
"backlight": {
"format": "<span foreground='#928374'>{icon}</span> {percent}%",
@@ -42,18 +47,9 @@
"clock": {
"interval": 60,
"format": "{:%H:%M}",
// "on-click": "calcurse-toggle.sh",
// "on-click-right": "calsync.sh",
"rotate": 0,
"tooltip": false
},
// "date": {
// "format": "<span foreground='#928374'></span> {%a, %d %b}",
// "on-click": "calcurse-toggle.sh",
// "on-click-right": "calsync.sh",
// "rotate": 0,
// "tooltip": false
// },
"cpu": {
"format": "<span foreground='#928374'></span> {usage}%",
"states": {
@@ -125,17 +121,18 @@
],
"orientation": "inherit"
},
"height": 25,
"hyprland/workspaces": {
"active-only": false,
"all-outputs": false,
"format": "{icon}",
"format-icons": {
"urgent": "",
"active": "",
"visible": "",
"default": "",
"empty": ""
"1": "1",
"2": "2",
"3": "3",
"4": "4",
"5": "5",
"active": "_",
"default": "_"
},
"on-click": "activate",
"show-special": false,
@@ -148,14 +145,11 @@
"niri/workspaces": {
"format": "{icon}",
"format-icons": {
// Named workspaces
// (you need to configure them in niri)
"browser": "",
"discord": "",
"chat": "<b></b>",
// Icons by state
"active": "",
"default": ""
"active": "",
"default": ""
}
},
"memory": {
@@ -173,10 +167,6 @@
"interval": 2,
"tooltip-format": "{ifname}: {ipaddr}/{cidr}\n {bandwidthDownBits}\n {bandwidthUpBits}"
},
"output": [
"DP-3",
"eDP-1"
],
"pulseaudio": {
"format": "<span foreground='#928374'>{icon}</span> {volume}% {format_source}",
"format-bluetooth": "<span foreground='#928374'>{icon}</span> {volume}% {format_source}",

41
modules/home/programs/waybar/config/style.css
View File

@@ -2,14 +2,25 @@
all: unset;
border: none;
border-radius: 0;
font-family: "DepartureMono Nerd Font", "Font Awesome 6 Free Solid";
font-size: 14px;
font-family:
"DepartureMono Nerd Font", "Input Sans Compressed",
"Font Awesome 6 Free Solid";
font-size: 15px;
min-height: 0;
}
window#waybar {
color: #fbf1c7;
background-color: rgba(43, 45, 50, 0.6);
background-color: rgba(43, 45, 50, 0.5);
}
tooltip {
background: rgba(50, 50, 50, 0.9);
border: 1px solid rgba(100, 114, 125, 0.6);
}
tooltip label {
color: #fbf1c7;
font-family: "Input Sans Compressed";
}
#workspaces button {
@@ -17,20 +28,16 @@ window#waybar {
margin: 0 0px;
background-color: transparent;
color: #fbf1c7;
border-top: 3px solid transparent;
border-bottom: 3px solid transparent;
border-top: 2px solid transparent;
border-bottom: 2px solid transparent;
}
#workspaces button:hover {
color: #ebdbb2;
animation: ws_active 0s ease-in-out 1;
transition: all 0.2s cubic-bezier(0.55, -0.68, 0.48, 1.682);
}
#workspaces button.active {
color: #fbf1c7;
animation: ws_active 0s ease-in-out 1;
transition: all 0.2s cubic-bezier(0.55, -0.68, 0.48, 1.682);
}
#custom-logo {
@@ -38,7 +45,7 @@ window#waybar {
background-image: url("assets/button.svg");
background-position: center;
background-repeat: no-repeat;
background-size: 18px 15px;
background-size: 24px 20px;
}
#custom-trayicon {
@@ -87,13 +94,14 @@ window#waybar {
#memory,
#backlight,
#battery,
#date,
#clock {
#date {
padding: 0 3px;
margin: 0 3px;
}
#clock {
padding: 0px 3px;
margin: 0px 6px 0px 0px;
font-family: "DepartureMono Nerd Font";
}
@@ -132,12 +140,17 @@ window#waybar {
}
#tray menu * {
background-color: rgba(50, 48, 47, 0.9);
background: rgba(50, 50, 50, 0.9);
color: #fbf1c7;
font-family: "Input Sans Compressed";
padding: 2px 2px;
}
#tray menu menuitem:hover {
#tray menu {
border: 1px solid rgba(100, 114, 125, 0.6);
}
#tray menu item:hover {
color: #4c7a5d;
}

8
modules/home/services/gtk/default.nix
View File

@@ -27,10 +27,10 @@ in
};
gtk = {
enable = true;
theme = {
package = pkgs.orchis-theme;
name = "Orchis-Grey-Dark-Compact";
};
# theme = {
# package = pkgs.orchis-theme;
# name = "Orchis-Grey-Dark-Compact";
# };
iconTheme = {
# package = pkgs.adwaita-icon-theme;
package = pkgs.papirus-icon-theme;

12
modules/home/services/hypridle/default.nix
View File

@@ -1,22 +1,14 @@
{
osConfig,
lib,
pkgs,
inputs,
...
}:
let
}: let
inherit (lib) mkIf;
cfg = osConfig.nixos.programs.hyprland;
hypridleFlake = inputs.hypridle.packages.${pkgs.system}.hypridle;
# hypridlePkg = pkgs.hypridle;
in
{
in {
config = mkIf cfg.enable {
services.hypridle = {
enable = true;
package = hypridleFlake;
settings = {
general = {
lock_cmd = "hyprlock";

14
modules/home/services/hyprpaper/default.nix
View File

@@ -1,18 +1,14 @@
{
lib,
pkgs,
inputs,
osConfig,
cLib,
clib,
...
}:
let
}: let
inherit (lib) mkIf;
cfg = osConfig.nixos.programs.hyprland;
hyprpaperFlake = inputs.hyprpaper.packages.${pkgs.system}.default;
bg = osConfig.settings.theme.background;
bgs = cLib.theme.bgs;
bgs = clib.theme.bgs;
monitorMappings = [
{
@@ -32,12 +28,10 @@ let
bg = bg.primary;
}
];
in
{
in {
config = mkIf cfg.enable {
services.hyprpaper = {
enable = true;
package = hyprpaperFlake;
settings = {
ipc = "on";

18
modules/home/services/xdg/default.nix
View File

@@ -84,15 +84,15 @@ in
"application/pdf" = "org.pwmt.zathura-pdf-mupdf.desktop";
"inode/directory" = "thunar.desktop";
"image/apng" = "oculante.desktop";
"image/avif" = "oculante.desktop";
"image/bmp" = "oculante.desktop";
"image/gif" = "oculante.desktop";
"image/jpeg" = "oculante.desktop";
"image/png" = "oculante.desktop";
"image/svg+xml" = "oculante.desktop";
"image/tiff" = "oculante.desktop";
"image/webp" = "oculante.desktop";
"image/apng" = "feh.desktop";
"image/avif" = "feh.desktop";
"image/bmp" = "feh.desktop";
"image/gif" = "feh.desktop";
"image/jpeg" = "feh.desktop";
"image/png" = "feh.desktop";
"image/svg+xml" = "feh.desktop";
"image/tiff" = "feh.desktop";
"image/webp" = "feh.desktop";
"video/H264" = [
"mpv.desktop"

13
modules/nixos/boot/kernel/default.nix
View File

@@ -5,7 +5,12 @@
...
}:
let
inherit (lib) mkOption types;
inherit (lib)
mkOption
types
mkEnableOption
mkIf
;
cfg = config.nixos.boot.kernel;
hasHardware = hw: builtins.elem hw cfg.hardware;
@@ -37,8 +42,11 @@ in
);
default = [ ];
description = "List of hardware types (e.g. GPU and CPU vendors) to configure kernel settings for.";
};
amdOverdrive.enable = mkEnableOption "Enable AMD pstate/overdrive";
extraKernelParams = mkOption {
type = types.listOf types.str;
default = [ ];
@@ -74,7 +82,7 @@ in
"quiet"
"splash"
]
++ (if hasHardware "amd" then [ "amd_pstate=active" ] else [ ])
++ (if hasHardware "amd" then [ ] else [ ])
++ (if hasHardware "intel" then [ ] else [ ])
++ (if hasHardware "nvidia" then [ ] else [ ])
++ cfg.extraKernelParams;
@@ -85,5 +93,6 @@ in
++ (if hasHardware "nvidia" then [ "nouveau" ] else [ ])
++ cfg.extraBlacklistedModules;
};
hardware.amdgpu.overdrive.enable = mkIf cfg.amdOverdrive.enable true;
};
}

66
modules/nixos/hardware/graphics/default.nix
View File

@@ -89,37 +89,39 @@ in
config = mkIf cfg.enable (mkMerge [
{
hardware.graphics = {
enable = true;
enable32Bit = true;
extraPackages = flatten (
concatMap (
vendor:
if vendor == "amd" then
commonPackages ++ mesaVulkanPackages
else if vendor == "intel" then
commonPackages
++ mesaVulkanPackages
++ (with pkgs; [
vpl-gpu-rt
intel-media-driver
intel-compute-runtime
intel-vaapi-driver
])
else if vendor == "nvidia" then
commonPackages
++ (with pkgs; [
nvidiaOffloadScript
intel-media-driver
nvidia-vaapi-driver
vulkan-tools
])
else
[ ]
) cfg.vendors
);
hardware = {
graphics = {
enable = true;
enable32Bit = true;
extraPackages = flatten (
concatMap (
vendor:
if vendor == "amd" then
commonPackages ++ mesaVulkanPackages
else if vendor == "intel" then
commonPackages
++ mesaVulkanPackages
++ (with pkgs; [
vpl-gpu-rt
intel-media-driver
intel-compute-runtime
intel-vaapi-driver
])
else if vendor == "nvidia" then
commonPackages
++ (with pkgs; [
nvidiaOffloadScript
intel-media-driver
nvidia-vaapi-driver
vulkan-tools
])
else
[ ]
) cfg.vendors
);
extraPackages32 = flatten (concatMap (_: commonPackages32) cfg.vendors);
extraPackages32 = flatten (concatMap (_: commonPackages32) cfg.vendors);
};
};
environment.systemPackages = flatten (
@@ -145,10 +147,6 @@ in
);
}
(mkIf (hasVendor "amd") {
hardware.amdgpu.overdrive.enable = true;
})
(mkIf (hasVendor "nvidia") {
hardware.nvidia = {
package =

33
modules/nixos/hardware/network/default.nix
View File

@@ -2,38 +2,47 @@
config,
lib,
...
}:
let
inherit (lib)
}: let
inherit
(lib)
mkIf
mkEnableOption
mkOption
types
;
cfg = config.nixos.hardware.network;
in
{
in {
options = {
nixos.hardware.network = {
enable = mkEnableOption "Enable the custom networking module";
nameservers = mkOption {
type = types.listOf types.str;
default = [];
description = "The list of nameservers ";
};
search = mkOption {
type = types.listOf types.str;
default = [];
description = "Domain search paths";
};
interfaces = mkOption {
type = types.attrsOf (
types.submodule {
options = {
allowedTCPPorts = mkOption {
type = types.listOf types.int;
default = [ ];
default = [];
description = "List of allowed TCP ports for this interface.";
};
allowedUDPPorts = mkOption {
type = types.listOf types.int;
default = [ ];
default = [];
description = "List of allowed UDP ports for this interface.";
};
};
}
);
default = { };
default = {};
description = "Network interface configurations.";
};
extraHosts = mkOption {
@@ -47,7 +56,7 @@ in
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.interfaces != { } -> config.networking.networkmanager.enable;
assertion = cfg.interfaces != {} -> config.networking.networkmanager.enable;
message = "Network interfaces configured but NetworkManager is not enabled";
}
];
@@ -55,6 +64,8 @@ in
networking = {
networkmanager.enable = true;
nftables.enable = true;
nameservers = cfg.nameservers;
search = cfg.search;
firewall = {
enable = true;
inherit (cfg) interfaces;
@@ -63,8 +74,8 @@ in
};
systemd.services.NetworkManager = {
wants = [ "nftables.service" ];
after = [ "nftables.service" ];
wants = ["nftables.service"];
after = ["nftables.service"];
};
};
}

4
modules/nixos/programs/hyprland/appearance.nix
View File

@@ -18,9 +18,7 @@ in
gaps_in = 2;
gaps_out = "4, 4, 4, 4";
border_size = 3;
#col.active_border = rgba(33ccffee) rgba(00ff99ee) 45deg
#col.inactive_border = rgba(595959aa)
"col.active_border" = "rgb(4c7a5d)"; # rgba(b16286ee) 45deg
"col.active_border" = "rgb(4c7a5d)";
"col.inactive_border" = "rgb(504945)";
layout = "dwindle";
resize_on_border = true;

4
modules/nixos/programs/hyprland/inputs.nix
View File

@@ -37,9 +37,9 @@ in
};
gestures = {
workspace_swipe = true;
# workspace_swipe = true;
workspace_swipe_distance = 400;
workspace_swipe_fingers = 3;
# workspace_swipe_fingers = 3;
workspace_swipe_cancel_ratio = 0.2;
workspace_swipe_min_speed_to_force = 5;
workspace_swipe_direction_lock = true;

4
modules/nixos/programs/hyprland/keybinds.nix
View File

@@ -99,7 +99,7 @@ in
(mkIf (host == "kima") {
programs.hyprland.settings = {
"$terminal" = "ghostty";
"$terminal" = "alacritty";
"$browser" = "zen";
"$browserinc" = "zen --private-window";
"$mod" = "SUPER";
@@ -111,7 +111,7 @@ in
(mkIf (host == "bunk") {
programs.hyprland.settings = {
"$terminal" = "foot";
"$terminal" = "alacritty";
"$browser" = "zen";
"$browserinc" = "zen --private-window";
"$mod" = "ALT_L";

2
modules/nixos/programs/hyprland/layout.nix
View File

@@ -21,7 +21,7 @@ in
let
resolution =
if m.width != null && m.height != null then
"${toString m.width}x${toString m.height}@${toString m.refreshRate}"
"${toString m.width}x${toString m.height}@${m.refreshRate}"
else
"preferred";

7
modules/nixos/programs/niri/default.nix
View File

@@ -1,6 +1,5 @@
{
config,
inputs,
lib,
pkgs,
...
@@ -14,22 +13,22 @@ in
nixos.programs.niri.enable = mkEnableOption "Enables niri";
};
config = mkIf cfg.enable {
nixpkgs.overlays = [ inputs.niri.overlays.niri ];
environment = {
variables = {
DISPLAY = ":0";
NIXOS_OZONE_WL = "1";
QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
};
systemPackages = with pkgs; [
xwayland-satellite-unstable
xwayland-satellite
wl-clipboard
wayland-utils
xdg-utils
];
};
systemd.user.services.niri-flake-polkit.enable = false;
programs.niri = {
enable = true;
package = pkgs.niri-unstable;
};
};
}

9
modules/nixos/programs/pkgs/default.nix
View File

@@ -78,6 +78,7 @@ in
openssl
xmrig
ocl-icd
dig
]
(mkIf cfg.common.enable [
@@ -96,9 +97,6 @@ in
])
(mkIf cfg.desktop.enable [
protonup
winetricks
wine
geekbench
unigine-heaven
])
@@ -109,15 +107,13 @@ in
(mkIf cfg.server.enable [
nvtopPackages.intel
nvtopPackages.amd
dig
helix
zfs
zfstools
])
(mkIf cfg.dev.enable [
# lldb_20 # some biuld error atm
sqlite
gemini-cli
nfs-utils
gcc
@@ -144,7 +140,6 @@ in
prettierd
# php84Packages.php-cs-fixer
shfmt
luaformatter
black
])
];

15
modules/nixos/programs/steam/default.nix
View File

@@ -1,6 +1,7 @@
{
config,
lib,
pkgs,
...
}:
let
@@ -17,6 +18,20 @@ in
enable = true;
gamescopeSession.enable = true;
};
gamescope = {
enable = true;
capSysNice = true;
args = [
"--rt"
"--expose-wayland"
];
};
};
environment.systemPackages = with pkgs; [
protonup
wine
winetricks
wine-wayland
];
};
}

10
modules/nixos/services/agenix/default.nix
View File

@@ -74,21 +74,11 @@ in {
wgCredentials.file = "${self}/secrets/wgCredentials.age";
wgSobotkaPrivateKey.file = "${self}/secrets/wgSobotkaPrivateKey.age";
gluetunEnvironment.file = "${self}/secrets/gluetunEnvironment.age";
keycloakCloudflared.file = "${self}/secrets/keycloakCloudflared.age";
keycloakDbPasswordFile.file = "${self}/secrets/keycloakDbPasswordFile.age";
nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
ocisCloudflared.file = "${self}/secrets/ocisCloudflared.age";
vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
homepageEnvironment.file = "${self}/secrets/homepageEnvironment.age";
pihole.file = "${self}/secrets/pihole.age";
slskd.file = "${self}/secrets/slskd.age";
};
})
(mkIf cfg.ziggy.enable {
secrets = {
cloudflareDnsCredentialsZiggy.file = "${self}/secrets/cloudflareDnsCredentialsZiggy.age";
piholeZiggy.file = "${self}/secrets/piholeZiggy.age";
};
})
(mkIf cfg.toothpc.enable {

2
modules/nixos/services/greetd/default.nix
View File

@@ -63,7 +63,7 @@ in
settings = rec {
tuigreet_session =
let
session = "${pkgs.niri-unstable}/bin/niri-session";
session = "${pkgs.niri}/bin/niri-session";
tuigreet = "${lib.getExe pkgs.tuigreet}";
in
{

3
modules/nixos/services/kanata/default.nix
View File

@@ -19,6 +19,9 @@ in
keyboards.hhkbse = {
extraDefCfg = ''
process-unmapped-keys yes
linux-dev-names-include (
"HHKB-Hybrid_1 Keyboard"
)
'';
devices = [
"/dev/input/by-id/usb-PFU_Limited_HHKB-Hybrid-event-kbd"

50
modules/nixos/services/mullvad-netns/default.nix
View File

@@ -1,50 +0,0 @@
{ self, pkgs, ... }:
{
age.secrets.wgCredentials = {
file = "${self}/secrets/wgCredentials.age";
mode = "0400";
owner = "root";
group = "root";
path = "/etc/wireguard/mullvad.conf";
};
systemd.services.mullvad-netns = {
description = "WireGuard Mullvad netns for VMs";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.writeShellScript "mullvad-netns-up" ''
set -euo pipefail
ip netns add mullvad || true
ip link add veth0 type veth peer name veth1 || true
ip link set veth1 netns mullvad
ip addr add 10.250.0.1/24 dev veth0 || true
ip link set veth0 up
ip netns exec mullvad ip addr add 10.250.0.2/24 dev veth1 || true
ip netns exec mullvad ip link set veth1 up
ip netns exec mullvad wg-quick up /etc/wireguard/mullvad.conf
ip netns exec mullvad ip route add default dev wg0 || true
nft add table ip mullvad-nat || true
nft add chain ip mullvad-nat postrouting { type nat hook postrouting priority 100 \; } || true
nft add rule ip mullvad-nat postrouting ip saddr 10.250.0.0/24 oif "wg0" masquerade || true
''}";
ExecStop = "${pkgs.writeShellScript "mullvad-netns-down" ''
set -euo pipefail
ip netns exec mullvad wg-quick down /etc/wireguard/mullvad.conf || true
ip link delete veth0 || true
ip netns delete mullvad || true
nft delete table ip mullvad-nat || true
''}";
};
# no wantedBy here -> won't start at boot
};
}

16
modules/nixos/services/tailscale/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.nixos.services.tailscale;
in {
options.nixos.services.tailscale = {
enable = mkEnableOption "Enable tailscale";
};
config = mkIf cfg.enable {
services.tailscale.enable = true;
};
}

9
modules/nixos/services/libvirtd/default.nix → modules/nixos/services/virtualisation/default.nix
View File

@@ -6,12 +6,15 @@
}:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.nixos.services.libvirtd;
cfg = config.nixos.services.virtualisation;
in
{
options = {
nixos.services.libvirtd.enable = mkEnableOption "Enables libvirtd";
nixos.services.virtualisation.enable = mkEnableOption "Enables virtualisation";
};
imports = [
./vfio.nix
];
config = mkIf cfg.enable {
networking.firewall.trustedInterfaces = [ "virbr0" ];
@@ -21,7 +24,6 @@ in
];
virtualisation = {
kvmgt.enable = true;
spiceUSBRedirection.enable = true;
libvirtd = {
enable = true;
@@ -34,5 +36,6 @@ in
};
};
};
nixos.services.virtualisation.vfio.enable = true;
};
}

41
modules/nixos/services/virtualisation/vfio.nix Normal file
View File

@@ -0,0 +1,41 @@
{ lib, config, ... }:
let
gpuIDs = [
"1002:13c0"
"1002:1640"
];
vfioIds = "vfio-pci.ids=" + lib.concatStringsSep "," gpuIDs;
baseBootKernelParams = config.boot.kernelParams or [ ];
cfg = config.nixos.services.virtualisation.vfio;
in
{
options = {
nixos.services.virtualisation.vfio.enable =
lib.mkEnableOption "Enable VFIO passthrough for the iGPU";
};
config = lib.mkIf cfg.enable {
boot = {
initrd.kernelModules = [
"vfio_pci"
"vfio"
"vfio_iommu_type1"
];
kernelParams = [
"amd_iommu=on"
"iommu=pt"
]
++ [ vfioIds ];
};
specialisation.vfio.configuration = {
system.nixos.tags = [ "vfio" ];
boot = {
kernelParams = baseBootKernelParams ++ [ vfioIds ];
blacklistedKernelModules = [ "amdgpu:0f:00.0" ];
};
};
};
}

1
modules/nixos/system/devpkgs/default.nix
View File

@@ -45,7 +45,6 @@ in
# nodePackages_latest.sql-formatter
prettierd
shfmt
luaformatter
black
];
};

10
modules/nixos/system/xdg/default.nix
View File

@@ -30,13 +30,19 @@ in
enable = true;
xdgOpenUsePortal = cfg.xdgOpenUsePortal;
config = {
common.default = [ "gtk" ];
common.default = [
"gtk"
"gnome"
];
hyprland.default = [
"gtk"
"hyprland"
];
};
extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
extraPortals = with pkgs; [
xdg-desktop-portal-gtk
xdg-desktop-portal-gnome
];
};
};
}

54
modules/server/bazarr/default.nix
View File

@@ -1,54 +0,0 @@
{
config,
lib,
...
}:
let
unit = "bazarr";
srv = config.server;
cfg = config.server.${unit};
in
{
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Bazarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Subtitle manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "bazarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.caddy.virtualHosts."${cfg.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:${toString config.services.${unit}.listenPort}
'';
};
};
}

63
modules/server/caddy/default.nix
View File

@@ -1,63 +0,0 @@
{
config,
lib,
...
}: let
inherit (lib) mkIf mkEnableOption;
cfg = config.server.caddy;
getCloudflareCredentials = hostname:
if hostname == "ziggy"
then config.age.secrets.cloudflareDnsCredentialsZiggy.path
else if hostname == "sobotka"
then config.age.secrets.cloudflareDnsCredentials.path
else throw "Unknown hostname: ${hostname}";
in {
options = {
server.caddy.enable = mkEnableOption "Enables caddy";
};
config = mkIf cfg.enable {
networking.firewall = let
ports = [
80
443
];
in {
allowedTCPPorts = ports;
};
security.acme = {
acceptTerms = true;
defaults.email = config.server.email;
certs.${config.server.domain} = {
reloadServices = ["caddy.service"];
domain = "${config.server.domain}";
extraDomainNames = ["*.${config.server.domain}"];
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
dnsPropagationCheck = true;
group = config.services.caddy.group;
environmentFile = getCloudflareCredentials config.networking.hostName;
};
};
services.caddy = {
enable = true;
globalConfig = ''
auto_https off
'';
virtualHosts = {
"http://${config.server.domain}" = {
extraConfig = ''
redir https://{host}{uri}
'';
};
"http://*.${config.server.domain}" = {
extraConfig = ''
redir https://{host}{uri}
'';
};
};
};
};
}

105
modules/server/default.nix
View File

@@ -1,97 +1,16 @@
{
self,
lib,
config,
...
}:
let
inherit (lib) mkOption types;
cfg = config.server;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in
{
options.server = {
enable = lib.mkEnableOption "The server services and configuration variables";
email = mkOption {
default = "";
type = types.str;
description = ''
Email name to be used to access the server services via Caddy reverse proxy
'';
};
domain = mkOption {
default = "";
type = types.str;
description = ''
Domain name to be used to access the server services via Caddy reverse proxy
'';
};
user = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
User to run the server services as
'';
};
group = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
Group to run the server services as
'';
};
uid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
UID to run the server services as
'';
};
gid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
GID to run the server services as
'';
};
timeZone = lib.mkOption {
default = "Europe/Stockholm";
type = lib.types.str;
description = ''
Time zone to be used for the server services
'';
};
};
config = lib.mkIf cfg.enable {
users = {
groups.${cfg.group} = {
gid = cfg.gid;
};
users.${cfg.user} = {
uid = cfg.uid;
isSystemUser = true;
group = cfg.group;
extraGroups = ifTheyExist [
"audio"
"video"
"docker"
"libvirtd"
"qemu-libvirtd"
"rtkit"
"fail2ban"
"vaultwarden"
"qbittorrent"
"lidarr"
"prowlarr"
"bazarr"
"sonarr"
"radarr"
"media"
"share"
"render"
"input"
];
};
};
};
}: let
clib = import "${self}/lib/server" {inherit lib;};
in {
imports = [
{
_module.args.clib = clib;
}
./options.nix
./infra
./services
];
}

111
modules/server/fail2ban/default.nix
View File

@@ -1,111 +0,0 @@
# from @notthebee
{
lib,
config,
pkgs,
...
}:
let
cfg = config.server.fail2ban;
in
{
options.server.fail2ban = {
enable = lib.mkEnableOption {
description = "Enable cloudflare fail2ban";
};
apiKeyFile = lib.mkOption {
description = "File containing your API key, scoped to Firewall Rules: Edit";
type = lib.types.str;
example = lib.literalExpression ''
Authorization: Bearer Qj06My1wXJEzcW46QCyjFbSMgVtwIGfX63Ki3NOj79o=
'''
'';
};
zoneId = lib.mkOption {
type = lib.types.str;
};
jails = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
options = {
serviceName = lib.mkOption {
example = "vaultwarden";
type = lib.types.str;
};
failRegex = lib.mkOption {
type = lib.types.str;
example = "Login failed from IP: <HOST>";
};
ignoreRegex = lib.mkOption {
type = lib.types.str;
default = "";
};
maxRetry = lib.mkOption {
type = lib.types.int;
default = 3;
};
};
}
);
};
};
config = lib.mkIf cfg.enable {
services.fail2ban = {
enable = true;
extraPackages = [
pkgs.curl
pkgs.jq
];
jails = lib.attrsets.mapAttrs (name: value: {
settings = {
bantime = "30d";
findtime = "1h";
enabled = true;
backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
port = "http,https";
filter = "${name}";
maxretry = 3;
action = "cloudflare-token-agenix";
};
}) cfg.jails;
};
environment.etc = lib.attrsets.mergeAttrsList [
(lib.attrsets.mapAttrs' (
name: value:
(lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
text = ''
[Definition]
failregex = ${value.failRegex}
ignoreregex = ${value.ignoreRegex}
'';
})
) cfg.jails)
{
"fail2ban/action.d/cloudflare-token-agenix.conf".text =
let
notes = "Fail2Ban on ${config.networking.hostName}";
cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules";
in
''
[Definition]
actionstart =
actionstop =
actioncheck =
actionunban = id=$(curl -s -X GET "${cfapi}" \
-H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
| jq -r '.result[] | select(.notes == "${notes}" and .configuration.target == "ip" and .configuration.value == "<ip>") | .id')
if [ -z "$id" ]; then echo "id for <ip> cannot be found"; exit 0; fi; \
curl -s -X DELETE "${cfapi}/$id" \
-H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
--data '{"cascade": "none"}'
actionban = curl -X POST "${cfapi}" -H @${cfg.apiKeyFile} -H "Content-Type: application/json" --data '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"${notes}"}'
[Init]
name = cloudflare-token-agenix
'';
}
];
};
}

117
modules/server/gitea/default.nix
View File

@@ -1,117 +0,0 @@
# taken from @jtojnar
{
config,
lib,
...
}:
let
unit = "gitea";
srv = config.server;
cfg = config.server.${unit};
in
{
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "git.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 5003;
description = "The port to host Gitea on.";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Gitea";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Git with a cup of tea";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "gitea.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
appName = "cnix code forge";
database = {
type = "postgres";
socket = "/run/postgresql";
name = "gitea";
user = "gitea";
createDatabase = false;
};
lfs = {
enable = true;
};
settings = {
cors = {
ENABLED = true;
SCHEME = "https";
ALLOW_DOMAIN = cfg.url;
};
log = {
MODE = "console";
};
mailer = {
ENABLED = false;
MAILER_TYPE = "sendmail";
FROM = "noreply+adam@cnst.dev";
SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
};
picture = {
DISABLE_GRAVATAR = true;
};
repository = {
DEFAULT_BRANCH = "main";
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
};
indexer = {
REPO_INDEXER_ENABLED = true;
};
server = {
DOMAIN = cfg.url;
LANDING_PAGE = "explore";
HTTP_PORT = cfg.port;
ROOT_URL = "https://${cfg.url}/";
};
security = {
DISABLE_GIT_HOOKS = false;
};
service = {
DISABLE_REGISTRATION = true;
};
session = {
COOKIE_SECURE = true;
};
};
};
services.caddy.virtualHosts."${cfg.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:5003
'';
};
server.postgresql.databases = [
{
database = "gitea";
}
];
};
}

233
modules/server/homepage-dashboard/default.nix
View File

@@ -1,233 +0,0 @@
{
config,
lib,
...
}:
let
unit = "homepage-dashboard";
cfg = config.server.homepage-dashboard;
srv = config.server;
in
{
options.server.homepage-dashboard = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
misc = lib.mkOption {
default = [ ];
type = lib.types.listOf (
lib.types.attrsOf (
lib.types.submodule {
options = {
description = lib.mkOption {
type = lib.types.str;
};
href = lib.mkOption {
type = lib.types.str;
};
siteMonitor = lib.mkOption {
type = lib.types.str;
};
icon = lib.mkOption {
type = lib.types.str;
};
};
}
)
);
};
};
config = lib.mkIf cfg.enable {
services.glances.enable = true;
services.${unit} = {
enable = true;
allowedHosts = srv.domain;
settings = {
layout = [
{
Glances = {
header = false;
style = "row";
columns = 4;
};
}
{
Arr = {
header = true;
style = "column";
};
}
{
Downloads = {
header = true;
style = "column";
};
}
{
Media = {
header = true;
style = "column";
};
}
{
Services = {
header = true;
style = "column";
};
}
];
headerStyle = "clean";
statusStyle = "dot";
hideVersion = "true";
};
widgets = [
{
openmeteo = {
label = "Kalmar";
timezone = "Europe/Stockholm";
units = "metric";
cache = 5;
latitude = 56.707262;
longitude = 16.324541;
};
}
{
datetime = {
text_size = "x1";
format = {
hour12 = false;
timeStyle = "short";
dateStyle = "long";
};
};
}
{
resources = {
label = "";
memory = true;
disk = [ "/" ];
};
}
];
services =
let
homepageCategories = [
"Arr"
"Media"
"Downloads"
"Services"
"Smart Home"
];
hl = config.server;
mergedServices = hl // hl.podman;
homepageServices =
x:
(lib.attrsets.filterAttrs (
name: value: value ? homepage && value.homepage.category == x
) mergedServices);
in
lib.lists.forEach homepageCategories (cat: {
"${cat}" =
lib.lists.forEach
(lib.attrsets.mapAttrsToList (name: value: {
inherit name;
url = value.url;
homepage = value.homepage;
}) (homepageServices "${cat}"))
(x: {
"${x.homepage.name}" = {
icon = x.homepage.icon;
description = x.homepage.description;
href = "https://${x.url}${x.homepage.path or ""}";
siteMonitor = "https://${x.url}${x.homepage.path or ""}";
};
});
})
++ [ { Misc = cfg.misc; } ]
++ [
{
Glances =
let
port = toString config.services.glances.port;
in
[
{
Info = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "info";
chart = false;
version = 4;
};
};
}
{
"CPU Temp" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:Tctl";
chart = false;
version = 4;
};
};
}
{
"GPU Radeon" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:junction";
chart = false;
version = 4;
};
};
}
{
"GPU Intel" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:pkg";
chart = false;
version = 4;
};
};
}
{
Processes = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "process";
chart = false;
version = 4;
};
};
}
{
Network = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "network:enp6s0";
chart = false;
version = 4;
};
};
}
];
}
];
};
services.caddy.virtualHosts."${srv.domain}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:${toString config.services.${unit}.listenPort}
'';
};
};
}

133
modules/server/infra/authentik/default.nix Normal file
View File

@@ -0,0 +1,133 @@
{
config,
lib,
self,
...
}: let
unit = "authentik";
cfg = config.server.infra.${unit};
srv = config.server.infra.www.domain;
in {
options.server.infra.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "auth.${srv.www.domain}";
};
port = lib.mkOption {
type = lib.types.port;
description = "The local port the service runs on";
};
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
homepage = {
name = "Authentik";
description = "An open-source IdP for modern SSO";
icon = "authentik.svg";
category = "Services";
};
};
config = lib.mkIf cfg.enable {
age.secrets = {
authentikEnv = {
file = "${self}/secrets/authentikEnv.age";
};
authentikCloudflared = {
file = "${self}/secrets/authentikCloudflared.age";
};
};
server.infra = {
fail2ban = {
jails = {
authentik = {
serviceName = "authentik";
failRegex = ''^.*Username or password is incorrect.*IP:\s*<HOST>'';
};
};
};
};
services = {
authentik = {
enable = true;
environmentFile = config.age.secrets.authentikEnv.path;
settings = {
email = {
};
disable_startup_analytics = true;
avatars = "initials";
};
};
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://127.0.0.1:9000";
};
};
traefik = {
dynamicConfigOptions = {
http = {
middlewares = {
authentik = {
forwardAuth = {
address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
trustForwardHeader = true;
authResponseHeaders = [
"X-authentik-username"
"X-authentik-groups"
"X-authentik-email"
"X-authentik-name"
"X-authentik-uid"
"X-authentik-jwt"
"X-authentik-meta-jwks"
"X-authentik-meta-outpost"
"X-authentik-meta-provider"
"X-authentik-meta-app"
"X-authentik-meta-version"
];
};
};
};
services = {
auth.loadBalancer.servers = [
{
url = "http://localhost:9000";
}
];
};
routers = {
auth = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`) && PathPrefix(`/outpost.goauthentik.io/`)";
service = "auth";
tls.certResolver = "letsencrypt";
};
};
};
};
};
};
};
}

13
modules/server/infra/default.nix Normal file
View File

@@ -0,0 +1,13 @@
{
imports = [
./authentik
./fail2ban
./keepalived
./podman
./postgres
./tailscale
./traefik
./unbound
./www
];
}

131
modules/server/infra/fail2ban/default.nix Normal file
View File

@@ -0,0 +1,131 @@
# from @notthebee
{
lib,
config,
pkgs,
...
}: let
cfg = config.server.infra.fail2ban;
in {
options.server.infra.fail2ban = {
enable = lib.mkEnableOption {
description = "Enable cloudflare fail2ban";
};
apiKeyFile = lib.mkOption {
description = "File containing your API key, scoped to Firewall Rules: Edit";
type = lib.types.str;
example = lib.literalExpression ''
Authorization: Bearer vH6-p0y=i4w3n7TjKqZ@x8D_lR!A9b2cOezXgUuJdE5F
'''
'';
};
zoneId = lib.mkOption {
type = lib.types.str;
};
jails = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
options = {
serviceName = lib.mkOption {
example = "vaultwarden";
type = lib.types.str;
};
_groupsre = lib.mkOption {
type = lib.types.lines;
example = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
default = "";
};
failRegex = lib.mkOption {
type = lib.types.lines;
example = ''
^Login failed from IP: <HOST>$
^Two-factor challenge failed from <HOST>$
'';
};
ignoreRegex = lib.mkOption {
type = lib.types.str;
default = "";
};
datePattern = lib.mkOption {
type = lib.types.str;
default = "";
example = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
description = "Optional datepattern line for the fail2ban filter.";
};
maxRetry = lib.mkOption {
type = lib.types.int;
default = 3;
};
};
}
);
};
};
config = lib.mkIf cfg.enable {
services.fail2ban = {
enable = true;
extraPackages = [
pkgs.curl
pkgs.jq
];
jails =
lib.attrsets.mapAttrs (name: value: {
settings = {
bantime = "24h";
findtime = "10m";
enabled = true;
backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
port = "http,https";
filter = "${name}";
maxretry = 3;
action = "cloudflare-token-agenix";
};
})
cfg.jails;
};
environment.etc = lib.attrsets.mergeAttrsList [
(lib.attrsets.mapAttrs' (
name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
text =
''
[Definition]
failregex = ${value.failRegex}
ignoreregex = ${value.ignoreRegex}
''
+ lib.optionalString (value.datePattern != "") ''
datepattern = ${value.datePattern}
''
+ lib.optionalString (value._groupsre != "") ''
_groupsre = ${value._groupsre}
'';
})
)
cfg.jails)
{
"fail2ban/action.d/cloudflare-token-agenix.conf".text = let
notes = "Fail2Ban on ${config.networking.hostName}";
cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules";
in ''
[Definition]
actionstart =
actionstop =
actioncheck =
actionunban = id=$(curl -s -X GET "${cfapi}" \
-H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
| jq -r '.result[] | select(.notes == "${notes}" and .configuration.target == "ip" and .configuration.value == "<ip>") | .id')
if [ -z "$id" ]; then echo "id for <ip> cannot be found"; exit 0; fi; \
curl -s -X DELETE "${cfapi}/$id" \
-H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
--data '{"cascade": "none"}'
actionban = curl -X POST "${cfapi}" -H @${cfg.apiKeyFile} -H "Content-Type: application/json" --data '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"${notes}"}'
[Init]
name = cloudflare-token-agenix
'';
}
];
};
}

40
modules/server/keepalived/default.nix → modules/server/infra/keepalived/default.nix
View File

@@ -3,27 +3,24 @@
config,
self,
...
}:
let
}: let
unit = "keepalived";
cfg = config.server.${unit};
cfg = config.server.infra.${unit};
hostCfg =
hostname:
if hostname == "sobotka" then
{
ip = "192.168.88.14";
priority = 20;
state = "MASTER";
}
else if hostname == "ziggy" then
{
ip = "192.168.88.12";
priority = 10;
state = "BACKUP";
}
else
throw "No keepalived config defined for host ${hostname}";
hostCfg = hostname:
if hostname == "sobotka"
then {
ip = "192.168.88.14";
priority = 20;
state = "MASTER";
}
else if hostname == "ziggy"
then {
ip = "192.168.88.12";
priority = 10;
state = "BACKUP";
}
else throw "No keepalived config defined for host ${hostname}";
_self = hostCfg config.networking.hostName;
@@ -34,9 +31,8 @@ let
# Remove self from peers
peers = builtins.filter (ip: ip != _self.ip) allPeers;
in
{
options.server.${unit} = {
in {
options.server.infra.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};

6
modules/server/infra/podman/acquis.yaml Normal file
View File

@@ -0,0 +1,6 @@
---
filenames:
- /var/log/traefik/access.log
poll_without_inotify: true
labels:
type: traefik

185
modules/server/podman/default.nix → modules/server/infra/podman/default.nix
View File

@@ -1,18 +1,11 @@
{
config,
lib,
pkgs,
self,
...
}: let
srv = config.server;
cfg = config.server.podman;
piholeUrl =
if config.networking.hostName == "sobotka"
then "pihole0"
else if config.networking.hostName == "ziggy"
then "pihole1"
else throw "Unknown hostname";
infra = config.server.infra;
cfg = config.server.services;
getPiholeSecret = hostname:
if hostname == "ziggy"
@@ -21,106 +14,16 @@
then [config.age.secrets.pihole.path]
else throw "Unknown hostname: ${hostname}";
in {
options.server.podman = {
enable = lib.mkEnableOption "Enables Podman";
options.server.infra = {
podman.enable = lib.mkEnableOption "Enables Podman";
gluetun.enable = lib.mkEnableOption "Enables gluetun";
qbittorrent = {
enable = lib.mkEnableOption "Enable qBittorrent";
url = lib.mkOption {
type = lib.types.str;
default = "qbt.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 8080;
description = "The port to host qBittorrent on.";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "qBittorrent";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Torrent client";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "qbittorrent.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Downloads";
};
};
slskd = {
enable = lib.mkEnableOption "Enable Soulseek";
url = lib.mkOption {
type = lib.types.str;
default = "slskd.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 5030;
description = "The port to host Soulseek webui on.";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "slskd";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Web-based Soulseek client";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "slskd.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Downloads";
};
};
pihole = {
enable = lib.mkEnableOption {
description = "Enable";
};
port = lib.mkOption {
type = lib.types.int;
default = 8053;
description = "The port to host PiHole on.";
};
url = lib.mkOption {
type = lib.types.str;
default = "${piholeUrl}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "PiHole";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Adblocking and DNS service";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "pi-hole.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
homepage.path = lib.mkOption {
type = lib.types.str;
default = "/admin";
description = "Optional path suffix for homepage links (e.g. /admin).";
};
};
};
config = lib.mkIf infra.podman.enable {
age.secrets = {
pihole.file = "${self}/secrets/${config.networking.hostName}Pihole.age";
slskd.file = "${self}/secrets/slskd.age";
};
config = lib.mkIf cfg.enable {
virtualisation = {
containers.enable = true;
podman.enable = true;
@@ -137,37 +40,8 @@ in {
];
};
services.caddy.virtualHosts = lib.mkMerge [
(lib.mkIf cfg.qbittorrent.enable {
"${cfg.qbittorrent.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:${toString cfg.qbittorrent.port}
'';
};
})
(lib.mkIf cfg.slskd.enable {
"${cfg.slskd.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:${toString cfg.slskd.port}
'';
};
})
(lib.mkIf cfg.pihole.enable {
"${cfg.pihole.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:${toString cfg.pihole.port}
'';
};
})
];
virtualisation.oci-containers.containers = lib.mkMerge [
(lib.mkIf cfg.gluetun.enable {
(lib.mkIf infra.gluetun.enable {
gluetun = {
image = "qmcgaw/gluetun";
ports = [
@@ -260,7 +134,7 @@ in {
(lib.mkIf cfg.pihole.enable {
pihole = {
autoStart = true;
image = "pihole/pihole:latest";
image = "pihole/pihole:2025.08.0";
volumes = [
"/var/lib/pihole:/etc/pihole/"
"/var/lib/dnsmasq.d:/etc/dnsmasq.d/"
@@ -268,9 +142,6 @@ in {
environment = {
TZ = "Europe/Stockholm";
CUSTOM_CACHE_SIZE = "0";
# PIHOLE_DNS_ = "10.88.0.1#5335";
# DNSSEC = "false";
# REV_SERVER = "true";
WEBTHEME = "default-darker";
};
environmentFiles = getPiholeSecret config.networking.hostName;
@@ -286,6 +157,38 @@ in {
];
};
})
(lib.mkIf cfg.ollama.enable {
intel-llm = {
autoStart = true;
image = "intelanalytics/ipex-llm-inference-cpp-xpu:latest";
devices = [
"/dev/dri:/dev/dri:rwm"
];
volumes = [
"/var/lib/ollama:/models"
];
environment = {
OLLAMA_ORIGINS = "http://192.168.*";
SYCL_PI_LEVEL_ZERO_USE_IMMEDIATE_COMMANDLISTS = "1";
ONEAPI_DEVICE_SELECTOR = "level_zero:0";
OLLAMA_HOST = "[::]:11434";
no_proxy = "localhost,127.0.0.1";
DEVICE = "Arc";
OLLAMA_NUM_GPU = "999";
ZES_ENABLE_SYSMAN = "1";
};
cmd = [
"/bin/sh"
"-c"
"/llm/scripts/start-ollama.sh && echo 'Startup script finished, container is now idling.' && sleep infinity"
];
extraOptions = [
"--net=host"
"--memory=32G"
"--shm-size=16g"
];
};
})
];
};
}

0
modules/server/postgres/default.nix → modules/server/infra/postgres/default.nix
View File

4
modules/server/postgres/postgres-upgrade.nix → modules/server/infra/postgres/postgres-upgrade.nix
View File

@@ -7,10 +7,10 @@
}: let
inherit (lib) types mkOption;
cfg = config.server.postgresql;
cfg = config.server.infra.postgresql;
in {
options = {
server.postgresql = {
server.infra.postgresql = {
upgradeTargetPackage = mkOption {
type = types.nullOr types.package;
default = null;

4
modules/server/postgres/postgres.nix → modules/server/infra/postgres/postgres.nix
View File

@@ -7,7 +7,7 @@
}: let
inherit (lib) types mkOption;
cfg = config.server.postgresql;
cfg = config.server.infra.postgresql;
database = {name, ...}: {
options = {
@@ -31,7 +31,7 @@
};
in {
options = {
server.postgresql = {
server.infra.postgresql = {
databases = mkOption {
type = types.listOf (types.submodule database);
default = [];

26
modules/server/infra/tailscale/default.nix Normal file
View File

@@ -0,0 +1,26 @@
{
config,
lib,
self,
...
}:
with lib; let
cfg = config.server.infra.tailscale;
in {
options.server.infra.tailscale = {
enable = mkEnableOption "Enable tailscale server configuration";
};
config = mkIf cfg.enable {
age.secrets.sobotkaTsAuth.file = "${self}/secrets/sobotkaTsAuth.age";
services.tailscale = {
enable = true;
openFirewall = true;
useRoutingFeatures = "server";
authKeyFile = config.age.secrets.sobotkaTsAuth.path;
extraSetFlags = [
"--advertise-exit-node"
];
};
};
}

183
modules/server/infra/traefik/default.nix Normal file
View File

@@ -0,0 +1,183 @@
{
lib,
clib,
config,
pkgs,
self,
...
}: let
inherit (lib) mkEnableOption mkIf types;
cfg = config.server.infra.traefik;
srv = config.server;
generateRouters = services: config:
lib.mapAttrs' (
name: service:
lib.nameValuePair name {
entryPoints = ["websecure"];
# FIX 3: Use backticks for the Host rule and interpolation
rule = "Host(`${clib.server.mkFullDomain config service}`)";
service = name;
tls.certResolver = "letsencrypt";
}
) (lib.filterAttrs (_: s: s.enable) services);
generateServices = services:
lib.mapAttrs' (name: service:
lib.nameValuePair name {
loadBalancer.servers = [{url = "http://localhost:${toString service.port}";}];
}) (lib.filterAttrs (name: service: service.enable) services);
getCloudflareCredentials = hostname:
if hostname == "ziggy"
then config.age.secrets.cloudflareDnsCredentialsZiggy.path
else if hostname == "sobotka"
then config.age.secrets.cloudflareDnsCredentials.path
else throw "Unknown hostname: ${hostname}";
in {
options.server.infra.traefik = {
enable = mkEnableOption "Enable global Traefik reverse proxy with ACME";
};
config = mkIf cfg.enable {
age.secrets = {
traefikEnv = {
file = "${self}/secrets/traefikEnv.age";
mode = "640";
owner = "traefik";
group = "traefik";
};
crowdsecApi.file = "${self}/secrets/crowdsecApi.age";
};
systemd.services.traefik = {
serviceConfig = {
EnvironmentFile = [config.age.secrets.traefikEnv.path];
};
};
networking.firewall.allowedTCPPorts = [80 443];
services = {
tailscale.permitCertUid = "traefik";
traefik = {
enable = true;
staticConfigOptions = {
log = {
level = "DEBUG";
};
accesslog = {filepath = "/var/lib/traefik/logs/access.log";};
tracing = {};
api = {
dashboard = true;
insecure = false;
};
certificatesResolvers = {
vpn.tailscale = {};
letsencrypt = {
acme = {
email = "adam@cnst.dev";
storage = "/var/lib/traefik/cert.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"1.0.0.1:53"
];
};
};
};
};
entryPoints = {
# redis = {
# address = "0.0.0.0:6381";
# };
# postgres = {
# address = "0.0.0.0:5433";
# };
web = {
address = ":80";
forwardedHeaders.insecure = true;
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
permanent = true;
};
# http.middlewares = "crowdsec@file";
};
websecure = {
address = ":443";
forwardedHeaders.insecure = true;
http.tls = {
certResolver = "letsencrypt";
domains = [
{
main = "cnix.dev";
sans = ["*.cnix.dev"];
}
{
main = "ts.cnst.dev";
sans = ["*ts.cnst.dev"];
}
];
};
# http.middlewares = "crowdsec@file";
};
experimental = {
address = ":1111";
forwardedHeaders.insecure = true;
};
};
experimental = {
# Install the Crowdsec Bouncer plugin
plugins = {
#enabled = "true";
bouncer = {
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
version = "v1.4.5";
};
};
};
};
dynamicConfigOptions = {
http = {
services = generateServices srv.services;
routers =
(generateRouters srv.services config)
// {
api = {
entryPoints = ["websecure"];
rule = "Host(`traefik.${srv.domain}`)";
service = "api@internal";
tls.certResolver = "letsencrypt";
};
};
# middlewares = {
# crowdsec = {
# plugin = {
# bouncer = {
# enabled = "true";
# logLevel = "DEBUG";
# crowdsecLapiKeyFile = config.age.secrets.crowdsecApi.path;
# crowdsecMode = "live";
# crowdsecLapiHost = ":4223";
# };
# };
# };
# };
};
};
};
};
};
}

27
modules/server/unbound/default.nix → modules/server/infra/unbound/default.nix
View File

@@ -5,7 +5,25 @@
...
}: let
unit = "unbound";
cfg = config.server.${unit};
cfg = config.server.infra.${unit};
srv = config.server;
svcNames = lib.attrNames srv.services;
localARecords = builtins.concatLists (map (
name: let
s = srv.services.${name};
in
if s != null && s.enable && s.subdomain != null
then [''"${s.subdomain}.${srv.domain}. A ${srv.ip}"'']
else []
)
svcNames);
revParts = lib.lists.reverseList (lib.splitString "." srv.ip);
revName = lib.concatStringsSep "." revParts;
localPTRs = ["${revName}.in-addr.arpa. PTR traefik.${srv.domain}"];
hostIp = hostname:
if hostname == "ziggy"
@@ -14,11 +32,12 @@
then "192.168.88.14"
else throw "No IP defined for host ${hostname}";
in {
options.server.${unit} = {
options.server.infra.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
};
config = lib.mkIf cfg.enable {
services = {
# resolved.enable = lib.mkForce false;
@@ -97,6 +116,10 @@ in {
"255.255.255.255/32"
"2001:db8::/32"
];
local-data = localARecords;
# Example PTR entry: "14.88.168.192.in-addr.arpa. PTR traefik.cnix.dev."
# local-data-ptr = localPTRs;
};
};
};

135
modules/server/infra/www/default.nix Normal file
View File

@@ -0,0 +1,135 @@
{
lib,
config,
self,
...
}: let
inherit (lib) mkIf mkEnableOption mkOption types;
cfg = config.server.infra.www;
in {
options.server.infra.www = {
enable = mkEnableOption {
description = "Enable personal website";
};
url = mkOption {
default = "";
type = types.str;
description = ''
Public domain name to be used to access the server services via Traefik reverse proxy
'';
};
port = lib.mkOption {
type = lib.types.int;
default = 8283;
description = "The port to host webservice on.";
};
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
config = mkIf cfg.enable {
age.secrets = {
wwwCloudflared.file = "${self}/secrets/wwwCloudflared.age";
};
server.infra = {
fail2ban = {
jails = {
nginx-404 = {
serviceName = "nginx";
failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
ignoreRegex = '''';
maxRetry = 5;
};
};
};
};
services = {
nginx = {
enable = true;
defaultListen = [
{
addr = "127.0.0.1";
port = 8283;
}
];
virtualHosts."webfinger" = {
forceSSL = false;
serverName = cfg.url;
root = "/var/www/webfinger";
locations."= /.well-known/webfinger" = {
root = "/var/www/webfinger";
extraConfig = ''
default_type application/jrd+json;
try_files /.well-known/webfinger =404;
'';
};
locations."= /robots.txt" = {
root = "/var/www/webfinger";
extraConfig = ''
default_type text/plain;
try_files /robots.txt =404;
'';
};
};
};
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://127.0.0.1:8283";
};
};
};
environment.etc = {
"webfinger/.well-known/webfinger".text = ''
{
"subject": "acct:adam@${cfg.url}",
"links": [
{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://auth.${cfg.url}/application/o/tailscale/"
}
]
}
'';
"webfinger/robots.txt".text = ''
User-agent: *
Disallow: /
'';
};
services.traefik.dynamicConfigOptions.http = {
routers.webfinger = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`) && Path(`/.well-known/webfinger`)";
service = "webfinger";
tls.certResolver = "letsencrypt";
};
services.webfinger.loadBalancer.servers = [
{url = "http://127.0.0.1:8283";}
];
};
};
}

58
modules/server/jellyfin/default.nix
View File

@@ -1,58 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
service = "jellyfin";
cfg = config.server.${service};
srv = config.server;
in
{
options.server.${service} = {
enable = lib.mkEnableOption {
description = "Enable ${service}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
};
url = lib.mkOption {
type = lib.types.str;
default = "jellyfin.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Jellyfin";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "The Free Software Media System";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "jellyfin.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Media";
};
};
config = lib.mkIf cfg.enable {
services.${service} = {
enable = true;
user = srv.user;
group = srv.group;
};
environment.systemPackages = with pkgs; [
jellyfin-ffmpeg
];
services.caddy.virtualHosts."${cfg.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:8096
'';
};
};
}

53
modules/server/jellyseerr/default.nix
View File

@@ -1,53 +0,0 @@
{
config,
lib,
...
}:
let
service = "jellyseerr";
srv = config.server;
cfg = config.server.${service};
in
{
options.server.${service} = {
enable = lib.mkEnableOption {
description = "Enable ${service}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.port;
default = 5055;
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Jellyseerr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Media request and discovery manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "jellyseerr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${service} = {
enable = true;
port = cfg.port;
};
services.caddy.virtualHosts."${cfg.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:${toString cfg.port}
'';
};
};
}

100
modules/server/keycloak/default.nix
View File

@@ -1,100 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
unit = "keycloak";
cfg = config.server.${unit};
srv = config.server;
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "login.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Keycloak";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Open Source Identity and Access Management";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "keycloak.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
dbPasswordFile = lib.mkOption {
type = lib.types.path;
};
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
config = lib.mkIf cfg.enable {
server.postgresql.databases = [
{
database = "keycloak";
}
];
services.cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://127.0.0.1:${
toString config.services.${unit}.settings.http-port
}";
};
};
environment.systemPackages = [
pkgs.keycloak
];
services.${unit} = {
enable = true;
initialAdminPassword = "pwpwpw";
database = {
type = "postgresql";
host = "127.0.0.1";
port = 5432;
name = "keycloak";
username = "keycloak";
passwordFile = cfg.dbPasswordFile;
useSSL = false;
};
settings = {
spi-theme-static-max-age = "-1";
spi-theme-cache-themes = false;
spi-theme-cache-templates = false;
http-port = 8821;
hostname = cfg.url;
hostname-strict = false;
hostname-strict-https = false;
proxy-headers = "xforwarded";
http-enabled = true;
};
};
};
}

54
modules/server/lidarr/default.nix
View File

@@ -1,54 +0,0 @@
{
config,
lib,
...
}:
let
unit = "lidarr";
srv = config.server;
cfg = config.server.${unit};
in
{
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Lidarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Music collection manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "lidarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.caddy.virtualHosts."${cfg.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:8686
'';
};
};
}

154
modules/server/ocis/default.nix
View File

@@ -1,154 +0,0 @@
{
config,
pkgs,
lib,
...
}: let
unit = "ocis";
cfg = config.server.${unit};
srv = config.server;
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
adminUser = lib.mkOption {
type = lib.types.str;
default = "cnst";
};
adminPass = lib.mkOption {
type = lib.types.path;
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "cloud.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "OCIS";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "A safe home for all your data";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "owncloud.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
config = lib.mkIf cfg.enable {
server = {
postgresql.databases = [
{
database = "ocis";
}
];
fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = {
nextcloud = {
serviceName = "phpfm-nextcloud";
failRegex = "^.*Login failed:.*(Remote IP: <HOST>).*$";
};
};
};
};
systemd.services.ocis.preStart = ''
${lib.getExe pkgs.ocis} init || true
'';
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://${config.services.ocis.address}:${toString config.services.ocis.port}";
};
};
${unit} = {
enable = true;
url = "https://${cfg.url}";
environment = let
cspFormat = pkgs.formats.yaml {};
cspConfig = {
directives = {
child-src = ["'self'"];
connect-src = [
"'self'"
"blob:"
"https://${srv.keycloak.url}"
];
default-src = ["'none'"];
font-src = ["'self'"];
frame-ancestors = ["'none'"];
frame-src = [
"'self'"
"blob:"
"https://embed.diagrams.net"
];
img-src = [
"'self'"
"data:"
"blob:"
];
manifest-src = ["'self'"];
media-src = ["'self'"];
object-src = [
"'self'"
"blob:"
];
script-src = [
"'self'"
"'unsafe-inline'"
];
style-src = [
"'self'"
"'unsafe-inline'"
];
};
};
in {
PROXY_AUTOPROVISION_ACCOUNTS = "true";
PROXY_ROLE_ASSIGNMENT_DRIVER = "oidc";
OCIS_OIDC_ISSUER = "https://${srv.keycloak.url}/realms/OpenCloud";
PROXY_OIDC_REWRITE_WELLKNOWN = "true";
WEB_OIDC_CLIENT_ID = "ocis";
OCIS_LOG_LEVEL = "error";
PROXY_TLS = "false";
PROXY_USER_OIDC_CLAIM = "preferred_username";
PROXY_USER_CS3_CLAIM = "username";
OCIS_ADMIN_USER_ID = "";
OCIS_INSECURE = "false";
OCIS_EXCLUDE_RUN_SERVICES = "idp";
GRAPH_ASSIGN_DEFAULT_USER_ROLE = "false";
PROXY_CSP_CONFIG_FILE_LOCATION = toString (cspFormat.generate "csp.yaml" cspConfig);
GRAPH_USERNAME_MATCH = "none";
PROXY_ROLE_ASSIGNMENT_ENABLED = "true";
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM = "realm_access.roles";
PROXY_ROLE_ASSIGNMENT_MAPPING = "ocisAdmin:admin,ocisUser:user";
};
};
};
};
}

180
modules/server/options.nix Normal file
View File

@@ -0,0 +1,180 @@
{
lib,
config,
...
}: let
inherit (lib) mkOption types;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
cfg = config.server;
in {
options.server = {
enable = lib.mkEnableOption "The server services and configuration variables";
email = mkOption {
default = "";
type = types.str;
description = ''
Email name to be used to access the server services via Caddy reverse proxy
'';
};
domain = mkOption {
default = "";
type = types.str;
description = ''
Domain name to be used to access the server services via Caddy reverse proxy
'';
};
ip = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
description = "The local IP of the service.";
};
user = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
User to run the server services as
'';
};
group = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
Group to run the server services as
'';
};
uid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
UID to run the server services as
'';
};
gid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
GID to run the server services as
'';
};
timeZone = lib.mkOption {
default = "Europe/Stockholm";
type = lib.types.str;
description = ''
Time zone to be used for the server services
'';
};
services = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
options = {
enable = lib.mkEnableOption "the service";
subdomain = lib.mkOption {
type = lib.types.str;
default = "";
description = "The subdomain for the service (e.g., 'jellyfin')";
};
exposure = lib.mkOption {
type = lib.types.enum ["local" "tunnel" "tailscale"];
default = "local";
description = "Controls where the service is exposed";
};
port = lib.mkOption {
type = lib.types.int;
default = 80;
description = "The port to host service on.";
};
configDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/${name}";
description = "Configuration directory for ${name}.";
};
cloudflared = lib.mkOption {
type = lib.types.submodule {
options = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret","TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
description = "Cloudflare tunnel configuration for this service.";
};
homepage = lib.mkOption {
type = lib.types.submodule {
options = {
name = lib.mkOption {
type = lib.types.str;
default = "";
description = "Display name on the homepage.";
};
description = lib.mkOption {
type = lib.types.str;
default = "";
description = "A short description for the homepage tile.";
};
icon = lib.mkOption {
type = lib.types.str;
default = "Zervices c00l stuff";
description = "Icon file name for the homepage tile.";
};
category = lib.mkOption {
type = lib.types.str;
default = "";
description = "Homepage category grouping.";
};
path = lib.mkOption {
type = lib.types.str;
default = "";
example = "/admin";
description = "Optional path suffix for homepage links (e.g. /admin).";
};
};
};
description = "Homepage metadata for this service.";
};
};
}));
};
};
config = lib.mkIf cfg.enable {
users = {
groups.${cfg.group} = {
gid = cfg.gid;
};
users.${cfg.user} = {
uid = cfg.uid;
isSystemUser = true;
group = cfg.group;
extraGroups = ifTheyExist [
"audio"
"video"
"docker"
"libvirtd"
"qemu-libvirtd"
"rtkit"
"fail2ban"
"vaultwarden"
"qbittorrent"
"lidarr"
"prowlarr"
"bazarr"
"sonarr"
"radarr"
"media"
"share"
"render"
"input"
"authentik"
"traefik"
];
};
};
};
}

66
modules/server/prowlarr/default.nix
View File

@@ -1,66 +0,0 @@
{
config,
lib,
...
}:
let
unit = "prowlarr";
srv = config.server;
cfg = config.server.${unit};
in
{
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Prowlarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "PVR indexer";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "prowlarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
flaresolverr = {
enable = true;
};
caddy = {
virtualHosts."${cfg.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:9696
'';
};
virtualHosts."flaresolverr.${srv.domain}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:8191
'';
};
};
};
};
}

54
modules/server/radarr/default.nix
View File

@@ -1,54 +0,0 @@
{
config,
lib,
...
}:
let
unit = "radarr";
srv = config.server;
cfg = config.server.${unit};
in
{
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Radarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Film collection manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "radarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.caddy.virtualHosts."${cfg.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:7878
'';
};
};
}

17
modules/server/services/bazarr/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "bazarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

19
modules/server/services/default.nix Normal file
View File

@@ -0,0 +1,19 @@
{
imports = [
./bazarr
./flaresolverr
./gitea
./homepage-dashboard
./jellyfin
./jellyseerr
./lidarr
./n8n
./nextcloud
./ollama
./prowlarr
./radarr
./sonarr
./uptime-kuma
./vaultwarden
];
}

16
modules/server/services/flaresolverr/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
unit = "flaresolverr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}

94
modules/server/services/gitea/default.nix Normal file
View File

@@ -0,0 +1,94 @@
{
config,
lib,
self,
...
}: let
unit = "gitea";
cfg = config.server.services.${unit};
domain = "${cfg.subdomain}.${config.server.infra.www.url}";
in {
config = lib.mkIf cfg.enable {
age.secrets.giteaCloudflared.file = "${self}/secrets/giteaCloudflared.age";
server.infra = {
fail2ban.jails.${unit} = {
serviceName = "${unit}";
failRegex = ''.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>'';
};
postgresql.databases = [
{database = "gitea";}
];
};
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${domain}".service = "http://localhost:${toString cfg.port}";
};
};
gitea = {
enable = true;
appName = "cnix code forge";
database = {
type = "postgres";
socket = "/run/postgresql";
name = "gitea";
user = "gitea";
createDatabase = false;
};
lfs.enable = true;
settings = {
cors = {
ENABLED = true;
SCHEME = "https";
ALLOW_DOMAIN = domain;
};
log.MODE = "console";
mailer = {
ENABLED = false;
MAILER_TYPE = "sendmail";
FROM = "noreply+adam@cnst.dev";
SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
};
picture.DISABLE_GRAVATAR = true;
repository = {
DEFAULT_BRANCH = "main";
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
};
indexer.REPO_INDEXER_ENABLED = true;
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
ACCOUNT_LINKING = "auto";
};
server = {
DOMAIN = domain;
LANDING_PAGE = "explore";
HTTP_PORT = cfg.port;
ROOT_URL = "https://${domain}/";
};
security.DISABLE_GIT_HOOKS = false;
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
};
};
};
};
}

227
modules/server/services/homepage-dashboard/default.nix Normal file
View File

@@ -0,0 +1,227 @@
{
config,
lib,
self,
clib,
...
}: let
unit = "homepage-dashboard";
cfg = config.server.services.${unit};
srv = config.server;
in {
config = lib.mkIf cfg.enable {
age.secrets = {
homepageEnvironment = {
file = "${self}/secrets/homepageEnvironment.age";
};
};
services = {
glances.enable = true;
${unit} = {
enable = true;
environmentFile = config.age.secrets.homepageEnvironment.path;
settings = {
color = "stone";
theme = "dark";
headerStyle = "clean";
statusStyle = "dot";
hideVersion = true;
useEqualHeights = true;
layout = [
{
Glances = {
header = false;
style = "row";
columns = 4;
};
}
{
Arr = {
header = true;
style = "column";
};
}
{
Downloads = {
header = true;
style = "column";
};
}
{
Media = {
header = true;
style = "column";
};
}
{
Services = {
header = true;
style = "column";
};
}
];
};
widgets = [
{
openmeteo = {
label = "Kalmar";
timezone = "Europe/Stockholm";
units = "metric";
cache = 5;
latitude = 56.707262;
longitude = 16.324541;
};
}
{
resources = {
label = "SYSTEM";
memory = true;
cpu = true;
uptime = false;
};
}
];
services = let
homepageCategories = [
"Arr"
"Media"
"Downloads"
"Services"
];
allServices = srv.services;
getDomain = s: clib.server.mkHostDomain config s;
homepageServicesFor = category:
lib.filterAttrs
(
name: value:
name
!= unit
&& value ? homepage
&& value.homepage.category == category
)
allServices;
in
lib.lists.forEach homepageCategories (cat: {
"${cat}" =
lib.lists.forEach
(lib.attrsets.mapAttrsToList (name: _value: name) (homepageServicesFor cat))
(x: let
service = allServices.${x};
domain = getDomain service;
in {
"${service.homepage.name}" = {
icon = service.homepage.icon;
description = service.homepage.description;
href = "https://${service.subdomain}.${domain}${service.homepage.path or ""}";
siteMonitor = "https://${service.subdomain}.${domain}${x.homepage.path or ""}";
};
});
})
++ [
{
Glances = let
glancesShared = {
type = "glances";
url = "http://localhost:${toString config.services.glances.port}";
chart = true;
version = 4;
};
in [
{
Memory = {
widget =
glancesShared
// {
metric = "memory";
refreshInterval = 2000;
pointsLimit = 30;
};
};
}
{
"CPU Usage" = {
widget =
glancesShared
// {
metric = "cpu";
refreshInterval = 2000;
pointsLimit = 30;
};
};
}
{
"CPU Temp" = {
widget =
glancesShared
// {
metric = "sensor:Tctl";
refreshInterval = 5000;
pointsLimit = 20;
};
};
}
{
"GPU Radeon" = {
widget =
glancesShared
// {
metric = "sensor:junction";
};
};
}
{
"GPU Intel" = {
widget =
glancesShared
// {
metric = "sensor:pkg";
};
};
}
{
"ZFS Pool" = {
widget =
glancesShared
// {
metric = "fs:/mnt/data";
refreshInterval = 30000;
pointsLimit = 20;
diskUnits = "bytes";
};
};
}
{
Processes = {
widget =
glancesShared
// {
metric = "process";
};
};
}
{
Network = {
widget =
glancesShared
// {
metric = "network:enp6s0";
};
};
}
];
}
];
};
};
};
}

21
modules/server/services/jellyfin/default.nix Normal file
View File

@@ -0,0 +1,21 @@
{
config,
lib,
pkgs,
...
}: let
unit = "jellyfin";
cfg = config.server.services.${unit};
srv = config.server;
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
environment.systemPackages = with pkgs; [
jellyfin-ffmpeg
];
};
}

15
modules/server/services/jellyseerr/default.nix Normal file
View File

@@ -0,0 +1,15 @@
{
config,
lib,
...
}: let
unit = "jellyseerr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
port = cfg.port;
};
};
}

17
modules/server/services/lidarr/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "lidarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

17
modules/server/services/n8n/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "n8n";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
n8n = {
enable = true;
openFirewall = true;
};
};
};
}

101
modules/server/services/nextcloud/default.nix Normal file
View File

@@ -0,0 +1,101 @@
{
config,
pkgs,
lib,
self,
...
}: let
unit = "nextcloud";
cfg = config.server.services.${unit};
srv = config.server;
in {
config = lib.mkIf cfg.enable {
age.secrets = {
nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age";
};
server.infra.fail2ban.jails.nextcloud = {
serviceName = "${unit}";
_groupsre = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
failRegex = ''
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
'';
datePattern = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
};
services = {
${unit} = {
enable = true;
package = pkgs.nextcloud32;
hostName = "nextcloud";
configureRedis = true;
caching = {
redis = true;
};
phpOptions = {
"opcache.interned_strings_buffer" = "32";
};
maxUploadSize = "50G";
settings = {
maintenance_window_start = "1";
trusted_proxies = [
"127.0.0.1"
"::1"
];
trusted_domains = ["cloud.${srv.domain}"];
overwriteprotocol = "https";
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "cnst";
adminpassFile = config.age.secrets.nextcloudAdminPass.path;
};
};
nginx = {
defaultListen = [
{
addr = "127.0.0.1";
port = 8182;
}
{
addr = "127.0.0.1";
port = 8482;
}
];
virtualHosts.nextcloud = {
forceSSL = false;
};
};
};
server.infra.postgresql.databases = [
{
database = "nextcloud";
}
];
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
};
}

27
modules/server/services/ollama/default.nix Normal file
View File

@@ -0,0 +1,27 @@
{
config,
lib,
pkgs,
...
}: let
unit = "ollama";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
intel-compute-runtime
intel-graphics-compiler
level-zero
];
services.open-webui = {
enable = true;
host = "0.0.0.0";
port = 8001;
environment = {
ANONYMIZED_TELEMETRY = "False";
BYPASS_MODEL_ACCESS_CONTROL = "True";
OLLAMA_BASE_URL = "http://localhost:11434";
};
};
};
}

16
modules/server/services/prowlarr/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
unit = "prowlarr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}

17
modules/server/services/radarr/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "radarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

17
modules/server/services/sonarr/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "sonarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

16
modules/server/services/uptime-kuma/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
unit = "uptime-kuma";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}

59
modules/server/services/vaultwarden/default.nix Normal file
View File

@@ -0,0 +1,59 @@
# from @fufexan & @notthebee
{
config,
lib,
self,
...
}: let
unit = "vaultwarden";
cfg = config.server.services.${unit};
domain = "${cfg.subdomain}.${config.server.infra.www.url}";
in {
config = lib.mkIf cfg.enable {
age.secrets = {
vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
};
server.infra.fail2ban.jails.${unit} = {
serviceName = "${unit}";
failRegex = ''^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$'';
};
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${domain}".service = "http://localhost:${toString cfg.port}";
};
};
vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwardenEnvironment.path;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://${domain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = cfg.port;
IP_HEADER = "CF-Connecting-IP";
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = true;
showPasswordHint = false;
};
};
};
systemd.services.backup-vaultwarden.serviceConfig = {
User = "root";
Group = "root";
};
};
}

54
modules/server/sonarr/default.nix
View File

@@ -1,54 +0,0 @@
{
config,
lib,
...
}:
let
unit = "sonarr";
srv = config.server;
cfg = config.server.${unit};
in
{
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Sonarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Series collection manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "sonarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.caddy.virtualHosts."${cfg.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:8989
'';
};
};
}

62
modules/server/syncthing/default.nix
View File

@@ -1,62 +0,0 @@
{
config,
lib,
...
}: let
unit = "syncthing";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Syncthing";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Continuous file synchronization program";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "syncthing.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
networking.firewall = {
allowedTCPPorts = [
8384
22000
];
allowedUDPPorts = [
22000
21027
];
};
services.${unit} = {
enable = true;
user = srv.user;
guiAddress = "0.0.0.0:8384";
overrideFolders = false;
overrideDevices = false;
dataDir = "/home/${srv.user}/syncthing";
configDir = "/home/${srv.user}/syncthing/.config/syncthing";
};
services.caddy.virtualHosts."${cfg.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:8384
'';
};
};
}

52
modules/server/uptime-kuma/default.nix
View File

@@ -1,52 +0,0 @@
{
config,
lib,
...
}:
let
unit = "uptime-kuma";
cfg = config.server.${unit};
srv = config.server;
in
{
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/uptime-kuma";
};
url = lib.mkOption {
type = lib.types.str;
default = "uptime.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Uptime Kuma";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Service monitoring tool";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "uptime-kuma.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
};
services.caddy.virtualHosts."${cfg.url}" = {
useACMEHost = srv.domain;
extraConfig = ''
reverse_proxy http://127.0.0.1:3001
'';
};
};
}

85
modules/server/vaultwarden/default.nix
View File

@@ -1,85 +0,0 @@
# from @fufexan & @notthebee
{
config,
lib,
...
}:
let
inherit (lib) mkIf mkEnableOption;
vcfg = config.services.vaultwarden.config;
cfg = config.server.vaultwarden;
in
{
options = {
server.vaultwarden = {
enable = mkEnableOption "Enables vaultwarden";
url = lib.mkOption {
type = lib.types.str;
default = "${cfg.domain}";
};
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
};
config = mkIf cfg.enable {
server = {
fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = {
vaultwarden = {
serviceName = "vaultwarden";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
};
};
};
};
systemd.services.backup-vaultwarden.serviceConfig = {
User = "root";
Group = "root";
};
services = {
vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwardenEnvironment.path;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://${cfg.url}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
IP_HEADER = "CF-Connecting-IP";
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = false;
showPasswordHint = false;
};
};
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT}";
};
};
};
};
}

31
modules/settings/accounts/default.nix
View File

@@ -2,8 +2,7 @@
lib,
config,
...
}:
let
}: let
inherit (lib) mkOption types;
sshKeys = {
@@ -16,14 +15,14 @@ let
keyName = config.settings.accounts.sshUser or null;
selectedKey =
if keyName != null then
if keyName != null
then
lib.attrByPath [
keyName
] (builtins.abort "No SSH key defined for hostname/key '${toString keyName}'") sshKeys
else
builtins.abort "No accounts.sshUser provided, cannot select SSH key.";
in
{
] (builtins.abort "No SSH key defined for hostname/key '${toString keyName}'")
sshKeys
else builtins.abort "No accounts.sshUser provided, cannot select SSH key.";
in {
options.settings.accounts = {
username = mkOption {
type = types.str;
@@ -46,5 +45,21 @@ in
default = null;
description = "Optional override for selecting an SSH key by name";
};
domains = lib.mkOption {
type = lib.types.submodule {
options = {
local = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
description = "The local domain of the host";
};
public = lib.mkOption {
type = lib.types.str;
default = "example.com";
description = "The public domain of the host";
};
};
};
};
};
}

4
modules/settings/monitors/default.nix
View File

@@ -21,8 +21,8 @@ in
example = 1080;
};
refreshRate = mkOption {
type = types.int;
default = 60;
type = types.str;
default = "60";
};
transform = mkOption {
type = types.int;

11
nix/default.nix
View File

@@ -22,16 +22,7 @@
flakeInputs = lib.filterAttrs (_: v: lib.isType "flake" v) inputs;
in
{
package = pkgs.lix.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [
(pkgs.fetchpatch2 {
name = "lix-lowdown-1.4.0.patch";
url = "https://git.lix.systems/lix-project/lix/commit/858de5f47a1bfd33835ec97794ece339a88490f1.patch";
hash = "sha256-FfLO2dFSWV1qwcupIg8dYEhCHir2XX6/Hs89eLwd+SY=";
})
];
});
package = pkgs.lix;
# pin the registry to avoid downloading and evaling a new nixpkgs version every time
registry = lib.mapAttrs (_: v: { flake = v; }) flakeInputs;

12
pkgs/default.nix
View File

@@ -5,12 +5,10 @@
"aarch64-linux"
];
perSystem =
{ pkgs, ... }:
{
packages = {
# instant repl with automatic flake loading
repl = pkgs.callPackage ./repl { };
};
perSystem = {pkgs, ...}: {
packages = {
# instant repl with automatic flake loading
repl = pkgs.callPackage ./repl {};
};
};
}

5
scripts/bin/choosepaper.sh Normal file
View File

@@ -0,0 +1,5 @@
export bg_dir="$HOME/media/images/bgs/"
find "$bg_dir" -type f | fzf --reverse --preview 'pistol {}' | while read -r img; do
pkill swaybg || true
swaybg -m fill -o '*' -i "$img" &
done

82
scripts/bin/spawn.sh Normal file
View File

@@ -0,0 +1,82 @@
# Spawn-or-focus logic for Niri:
# If no "app" windows exist, spawn one.
# If focused window is not "app", focus the first "app" instance.
# If "app" is focused and only one instance exists, spawn + consume into stack.
# If "app" is focused and two instances already exist, spawn a new separate one.
# Cycle repeats: focus first > allow stack of 2 > reset on 3rd.
if [ $# -lt 1 ]; then
echo "Usage: $0 <APP_ID> [APP_CMD]" >&2
exit 1
fi
APP_ID="$1"
APP_CMD="${2:-$1}"
WINDOW_DATA=$(niri msg -j windows)
readarray -t APP_IDS < <(
echo "$WINDOW_DATA" | jq -r --arg app_id "$APP_ID" '
[ .[] | select(.app_id == $app_id) ]
| sort_by(.layout.pos_in_scrolling_layout // [0,0])
| .[].id
'
)
COUNT=${#APP_IDS[@]}
FOCUSED_IS_APP=$(
echo "$WINDOW_DATA" | jq -r --arg app_id "$APP_ID" '
any(.[]; .app_id == $app_id and .is_focused)
'
)
spawn_normal() {
"$APP_CMD" &
}
spawn_and_consume() {
local initial_ids=("$@")
"$APP_CMD" &
local pid=$!
for _ in {1..50}; do
readarray -t after_ids < <(
niri msg -j windows | jq -r --arg app_id "$APP_ID" '
[ .[] | select(.app_id == $app_id) ]
| sort_by(.layout.pos_in_scrolling_layout // [0,0])
| .[].id
'
)
NEW_ID=""
for id in "${after_ids[@]}"; do
[[ " ${initial_ids[*]} " == *" $id "* ]] || NEW_ID="$id"
done
if [ -n "$NEW_ID" ]; then
niri msg action focus-window --id "${initial_ids[$((${#initial_ids[@]} - 1))]}"
niri msg action consume-window-into-column
break
fi
sleep 0.05
done
wait "$pid" 2>/dev/null || true
}
if ((COUNT == 0)); then
spawn_normal
exit 0
fi
if [ "$FOCUSED_IS_APP" != "true" ]; then
niri msg action focus-window --id "${APP_IDS[0]}"
exit 0
fi
if ((COUNT % 2 == 0)); then
spawn_normal
else
spawn_and_consume "${APP_IDS[@]}"
fi

Some files were not shown because too many files have changed in this diff Show More