33 Commits

Author SHA1 Message Date
f9f3abee19 fix(pkgs): moving some home.packages to system 2025-11-02 16:50:13 +01:00
15bc0f211f fix(fish): fixing nixpkgs module with lib.getExe 2025-11-02 16:30:56 +01:00
f0fb53b480 feat(tailscale): adding tailscale to bunk 2025-11-02 15:47:49 +01:00
1ae85bd66e feat(fish): disable gpg, its fking up fish atm 2025-11-02 12:14:31 +01:00
87b49d0f58 feat(fish): adding some abbrs for dry running and show trace 2025-11-02 10:14:05 +01:00
c5a1c2861c feat(kanata) adding pipe symbol 2025-11-02 10:07:07 +01:00
8dc67e2b54 chore(update): flake lock 2025-10-28 19:47:35 +01:00
322136e4f3 Merge pull request 'bunk things' (#8) from bunk into main
Reviewed-on: #8
2025-10-28 19:47:07 +01:00
300eb66afc bunk things 2025-10-28 19:25:34 +01:00
545888878e Merge pull request 'chore(update): flake up' (#7) from upd into main
Reviewed-on: #7
2025-10-26 19:16:27 +01:00
5042675e0b chore(update): flake up 2025-10-26 19:14:50 +01:00
ece5e89a84 feat(hyprlock): visuals 2025-10-26 00:31:45 +02:00
2933bcdf02 feat(unbound): adding manual traefik data 2025-10-25 18:48:20 +02:00
59e548f02e feat(headscale): remove for now 2025-10-25 14:13:30 +02:00
2ffc94161d chore(dead): remove obsolete code 2025-10-25 14:04:38 +02:00
ff5490194b feat(headscale): just an initial test 2025-10-25 14:03:34 +02:00
1dd06ef3f5 chore(git): fix deprecated settings 2025-10-23 19:13:12 +02:00
ec9a3bd845 feat(waybar) some visual updates 2025-10-20 20:15:26 +02:00
2c08f78586 feat(hypr): more keybindings 2025-10-20 18:22:52 +02:00
d22801168f feat(hypr): add swapping window bind 2025-10-20 18:16:59 +02:00
0c86dc56bd chore(update): flake up 2025-10-18 14:57:12 +02:00
3d8deae6f3 feat(llm): testing some local models 2025-10-16 21:20:40 +02:00
cd978f5eb6 feat(hypr): back to hyprland, and fix some clib importing stuffs 2025-10-15 20:00:31 +02:00
64df7abad5 feat(hypr): clean up 2025-10-15 19:38:47 +02:00
8efa649d47 feat(homepage-dashboard): change vaultwarden icon 2025-10-15 18:01:39 +02:00
2dc09e23a0 chore(jellyseerr): typo 2025-10-15 17:50:11 +02:00
8fd2a7d9ad feat(homepage-dashboard): reintroduce path option 2025-10-15 17:49:30 +02:00
113892b75d chore(update): flake lock 2025-10-14 22:43:59 +02:00
001dfbf27f chore(traefik): delete dead code 2025-10-14 22:00:16 +02:00
3deca06206 Merge pull request 'refactor' (#6) from refactor into main
Reviewed-on: #6
2025-10-14 21:56:13 +02:00
07333b4544 feat(refactor): ready for merge 2025-10-14 21:50:44 +02:00
63f495fa0d feat(refactor): WIP 2.0 some progress 2025-10-13 21:13:53 +02:00
d2bd385367 feat(refactor): WIP refactor server modules 2025-10-12 21:07:30 +02:00
87 changed files with 2110 additions and 2319 deletions

342
flake.lock generated

@@ -8,11 +8,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1754433428, "lastModified": 1761656077,
"narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", "narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", "rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -29,11 +29,11 @@
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1760083914, "lastModified": 1761806975,
"narHash": "sha256-I9IMO9d+z71oeqOz6gOre07tK2Du3vp2FcOW3x4FDXw=", "narHash": "sha256-GLGdVJSPH0LnsO64Biw0WFJaj1PlltYxgH13f+FGWgQ=",
"owner": "anyrun-org", "owner": "anyrun-org",
"repo": "anyrun", "repo": "anyrun",
"rev": "3050aa30e25957bbb9e1ac91a44d3979eccadf59", "rev": "329d31af9ba038ef65db9914eb94de695c738377",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -83,11 +83,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759499898, "lastModified": 1760101617,
"narHash": "sha256-UNzYHLWfkSzLHDep5Ckb5tXc0fdxwPIrT+MY4kpQttM=", "narHash": "sha256-8jf/3ZCi+B7zYpIyV04+3wm72BD7Z801IlOzsOACR7I=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "aquamarine", "repo": "aquamarine",
"rev": "655e067f96fd44b3f5685e17f566b0e4d535d798", "rev": "1826a9923881320306231b1c2090379ebf9fa4f8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -100,14 +100,10 @@
"inputs": { "inputs": {
"authentik-src": "authentik-src", "authentik-src": "authentik-src",
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-parts": [ "flake-parts": "flake-parts_2",
"flake-parts"
],
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"napalm": "napalm", "napalm": "napalm",
"nixpkgs": [ "nixpkgs": "nixpkgs_3",
"nixpkgs"
],
"pyproject-build-systems": "pyproject-build-systems", "pyproject-build-systems": "pyproject-build-systems",
"pyproject-nix": "pyproject-nix", "pyproject-nix": "pyproject-nix",
"systems": "systems_3", "systems": "systems_3",
@@ -123,6 +119,7 @@
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "version/2025.8.4",
"repo": "authentik-nix", "repo": "authentik-nix",
"type": "github" "type": "github"
} }
@@ -149,15 +146,15 @@
"flake-schemas": "flake-schemas", "flake-schemas": "flake-schemas",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"jovian": "jovian", "jovian": "jovian",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_4",
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1760148209, "lastModified": 1762036128,
"narHash": "sha256-ssMUeLk1cmLqzNMW6l9dgGoLtOY9F9dEGplJlWJmNis=", "narHash": "sha256-0VgVPYq5upSXc+LSn3ubxJhH+DLdakYW4QXeabo0Ivg=",
"owner": "chaotic-cx", "owner": "chaotic-cx",
"repo": "nyx", "repo": "nyx",
"rev": "b51bb724939dbfa264f08522efffce2bb47b6135", "rev": "499783c86e6e9436534d1a23b35da98c7f6af3f4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -212,11 +209,11 @@
"rust-analyzer-src": "rust-analyzer-src" "rust-analyzer-src": "rust-analyzer-src"
}, },
"locked": { "locked": {
"lastModified": 1760164678, "lastModified": 1762065744,
"narHash": "sha256-yxcfwZCysR6zPaFv7is3/FWd1h0h6kXME0vueSwTBhU=", "narHash": "sha256-c04mxJoCb8f6BBrdaREWmdQq+pfp395olXhC+B0G7DI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "fenix", "repo": "fenix",
"rev": "2579f163559b902959cc420a6d3bfbd98c46a323", "rev": "e0f24085a4a0da1c32adc308ec4c518ae886ff35",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -243,11 +240,11 @@
}, },
"flake-compat_2": { "flake-compat_2": {
"locked": { "locked": {
"lastModified": 1747046372, "lastModified": 1761588595,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -327,16 +324,14 @@
}, },
"flake-parts_2": { "flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": "nixpkgs-lib"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1759362264, "lastModified": 1756770412,
"narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "758cf7296bee11f1706a574c77d072b8a7baa881", "rev": "4524271976b625a4a605beefd893f270620fd751",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -347,7 +342,27 @@
}, },
"flake-parts_3": { "flake-parts_3": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1762040540,
"narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "0010412d62a25d959151790968765a70c436598b",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_2"
}, },
"locked": { "locked": {
"lastModified": 1753121425, "lastModified": 1753121425,
@@ -363,7 +378,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_4": { "flake-parts_5": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"lanzaboote", "lanzaboote",
@@ -384,7 +399,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_5": { "flake-parts_6": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nvf", "nvf",
@@ -392,11 +407,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759362264, "lastModified": 1760948891,
"narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=", "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "758cf7296bee11f1706a574c77d072b8a7baa881", "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -405,7 +420,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_6": { "flake-parts_7": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"tuirun", "tuirun",
@@ -463,8 +478,8 @@
}, },
"fonts": { "fonts": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_3", "flake-parts": "flake-parts_4",
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_5"
}, },
"locked": { "locked": {
"lastModified": 1753431871, "lastModified": 1753431871,
@@ -491,11 +506,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759523803, "lastModified": 1760663237,
"narHash": "sha256-PTod9NG+i3XbbnBKMl/e5uHDBYpwIWivQ3gOWSEuIEM=", "narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "cfc9f7bb163ad8542029d303e599c0f7eee09835", "rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -571,11 +586,11 @@
}, },
"hardware": { "hardware": {
"locked": { "locked": {
"lastModified": 1760106635, "lastModified": 1761933221,
"narHash": "sha256-2GoxVaKWTHBxRoeUYSjv0AfSOx4qw5CWSFz2b+VolKU=", "narHash": "sha256-rNHeoG3ZrA94jczyLSjxCtu67YYPYIlXXr0uhG3wNxM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "9ed85f8afebf2b7478f25db0a98d0e782c0ed903", "rev": "7467f155fcba189eb088a7601f44fbef7688669b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -586,15 +601,15 @@
}, },
"helix-flake": { "helix-flake": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_5", "nixpkgs": "nixpkgs_6",
"rust-overlay": "rust-overlay_2" "rust-overlay": "rust-overlay_2"
}, },
"locked": { "locked": {
"lastModified": 1759850138, "lastModified": 1762054696,
"narHash": "sha256-fYHIxjTvVIAEDWzenUROuzDPxy1rBCXZNPgh4b1dfgo=", "narHash": "sha256-4wyNPyycaPDS13OC+YPkQOrrf3ZCS/ipAh9lfo121Nw=",
"owner": "helix-editor", "owner": "helix-editor",
"repo": "helix", "repo": "helix",
"rev": "5b0563419eeeaf0595c848865c46be4abad246a7", "rev": "0b61e721aaae794c950c72f765388dcc5f9f32fa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -610,11 +625,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760130406, "lastModified": 1762087455,
"narHash": "sha256-GKMwBaFRw/C1p1VtjDz4DyhyzjKUWyi1K50bh8lgA2E=", "narHash": "sha256-hpbPma1eUKwLAmiVRoMgIHbHiIKFkcACobJLbDt6ABw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "d305eece827a3fe317a2d70138f53feccaf890a1", "rev": "43e205606aeb253bfcee15fd8a4a01d8ce8384ca",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -652,11 +667,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760061988, "lastModified": 1761878381,
"narHash": "sha256-CeuMo7fjWm3XaoK+b1PGyaVIlE1GHudoxk9jrJFvfbY=", "narHash": "sha256-lCRaipHgszaFZ1Cs8fdGJguVycCisBAf2HEFgip5+xU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "c7f4214faca2f196c551b767c12a70bfa0614510", "rev": "4ac96eb21c101a3e5b77ba105febc5641a8959aa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -710,11 +725,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759490292, "lastModified": 1760445448,
"narHash": "sha256-T6iWzDOXp8Wv0KQOCTHpBcmAOdHJ6zc/l9xaztW6Ivc=", "narHash": "sha256-fXGjL6dw31FPFRrmIemzGiNSlfvEJTJNsmadZi+qNhI=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprgraphics", "repo": "hyprgraphics",
"rev": "9431db625cd9bb66ac55525479dce694101d6d7a", "rev": "50fb9f069219f338a11cf0bcccb9e58357d67757",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -774,11 +789,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1757420192, "lastModified": 1762027241,
"narHash": "sha256-jVkY2ax7e+V+M4RwLZTJnOVTdjR5Bj10VstJuK60tl4=", "narHash": "sha256-w0NhWx95Xao6Dh3G1p7G1cHwGBknwPVPG5VRghk3LSg=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hypridle", "repo": "hypridle",
"rev": "f158b2fe9293f9b25f681b8e46d84674e7bc7f01", "rev": "f3d1f3b232a5e3267008568196397b03fab244d2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -797,17 +812,17 @@
"hyprlang": "hyprlang", "hyprlang": "hyprlang",
"hyprutils": "hyprutils", "hyprutils": "hyprutils",
"hyprwayland-scanner": "hyprwayland-scanner_2", "hyprwayland-scanner": "hyprwayland-scanner_2",
"nixpkgs": "nixpkgs_6", "nixpkgs": "nixpkgs_7",
"pre-commit-hooks": "pre-commit-hooks", "pre-commit-hooks": "pre-commit-hooks",
"systems": "systems_4", "systems": "systems_4",
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1760143218, "lastModified": 1761869718,
"narHash": "sha256-OhJPROcRcwBkjOKkXr/f3/7wuSjhAIqr8WfmEUF9Uuo=", "narHash": "sha256-jLfwwlPGpnGRAtVDyoGj9FgH2D9hWwyEu0yHkflG2EI=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprland", "repo": "hyprland",
"rev": "d599513d4a72d66ac62ffdedc41d6653fa81b39e", "rev": "8e9add2afda58d233a75e4c5ce8503b24fa59ceb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -874,11 +889,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1749046714, "lastModified": 1759610243,
"narHash": "sha256-kymV5FMnddYGI+UjwIw8ceDjdeg7ToDVjbHCvUlhn14=", "narHash": "sha256-+KEVnKBe8wz+a6dTLq8YDcF3UrhQElwsYJaVaHXJtoI=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprland-protocols", "repo": "hyprland-protocols",
"rev": "613878cb6f459c5e323aaafe1e6f388ac8a36330", "rev": "bd153e76f751f150a09328dbdeb5e4fab9d23622",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1006,11 +1021,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760023949, "lastModified": 1761675634,
"narHash": "sha256-fu0B4duamVdbkPio/czu1XhsPLRXUJpZLDrSk3nih4U=", "narHash": "sha256-Et1jNDB2d3e0b4okIKuyAMktECS+5hk+vMAA7X598ao=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprlock", "repo": "hyprlock",
"rev": "36ec73f166d9434a3f27c96c575198906f77644a", "rev": "98b86752fe4867bd14ef96a92ea788229af93130",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1191,11 +1206,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759815224, "lastModified": 1761748321,
"narHash": "sha256-HbdOyjqHm38j6o5mV24i0bn+r5ykS+VJBnWJuZ0fE+A=", "narHash": "sha256-hD5mVzmUeyVppjArdy2uVdQe/CQUR9i3WgZB05onE7A=",
"owner": "Jovian-Experiments", "owner": "Jovian-Experiments",
"repo": "Jovian-NixOS", "repo": "Jovian-NixOS",
"rev": "ee974f496a080c61b3164992c850f43741edcc52", "rev": "533db5857c9e00ca352558a928417116ee08a824",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1208,8 +1223,8 @@
"inputs": { "inputs": {
"crane": "crane", "crane": "crane",
"flake-compat": "flake-compat_4", "flake-compat": "flake-compat_4",
"flake-parts": "flake-parts_4", "flake-parts": "flake-parts_5",
"nixpkgs": "nixpkgs_7", "nixpkgs": "nixpkgs_8",
"pre-commit-hooks-nix": "pre-commit-hooks-nix", "pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay_3" "rust-overlay": "rust-overlay_3"
}, },
@@ -1278,11 +1293,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760146997, "lastModified": 1762088055,
"narHash": "sha256-x2sF8Q4tWz3DI166s+KFDXySrK+cN+/YEd3DfhnhBLQ=", "narHash": "sha256-zh7fDPmhmoXVTtODiDhOLlutwNLJmwOlLphVKuCCiZA=",
"owner": "fufexan", "owner": "fufexan",
"repo": "nix-gaming", "repo": "nix-gaming",
"rev": "ad505387568d024654da88fef03d9c5319cba92f", "rev": "d74c3702fdc737276baccab80c2053e8cde5dba5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1331,6 +1346,21 @@
} }
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": {
"lastModified": 1754788789,
"narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-lib_2": {
"locked": { "locked": {
"lastModified": 1751159883, "lastModified": 1751159883,
"narHash": "sha256-urW/Ylk9FIfvXfliA1ywh75yszAbiTEVgpPeinFyVZo=", "narHash": "sha256-urW/Ylk9FIfvXfliA1ywh75yszAbiTEVgpPeinFyVZo=",
@@ -1345,6 +1375,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_10": {
"locked": {
"lastModified": 1761880412,
"narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1758690382, "lastModified": 1758690382,
@@ -1363,11 +1409,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1760038930, "lastModified": 1757745802,
"narHash": "sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw=", "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "0b4defa2584313f3b781240b29d61f6f9f7e0df3", "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1378,6 +1424,22 @@
} }
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": {
"lastModified": 1761907660,
"narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1753250450, "lastModified": 1753250450,
"narHash": "sha256-i+CQV2rPmP8wHxj0aq4siYyohHwVlsh40kV89f3nw1s=", "narHash": "sha256-i+CQV2rPmP8wHxj0aq4siYyohHwVlsh40kV89f3nw1s=",
@@ -1393,39 +1455,39 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_5": {
"locked": {
"lastModified": 1759381078,
"narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_6": { "nixpkgs_6": {
"locked": { "locked": {
"lastModified": 1759381078, "lastModified": 1759381078,
"narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
"owner": "NixOS", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "nixos",
"ref": "nixos-unstable", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_7": { "nixpkgs_7": {
"locked": {
"lastModified": 1761114652,
"narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_8": {
"locked": { "locked": {
"lastModified": 1754243818, "lastModified": 1754243818,
"narHash": "sha256-sEPw2W01UPf0xNGnMGNZIaE1XHkk7O+lLLetYEXVZHk=", "narHash": "sha256-sEPw2W01UPf0xNGnMGNZIaE1XHkk7O+lLLetYEXVZHk=",
@@ -1441,13 +1503,13 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_8": { "nixpkgs_9": {
"locked": { "locked": {
"lastModified": 1760038930, "lastModified": 1761907660,
"narHash": "sha256-Oncbh0UmHjSlxO7ErQDM3KM0A5/Znfofj2BSzlHLeVw=", "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "0b4defa2584313f3b781240b29d61f6f9f7e0df3", "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1457,36 +1519,20 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_9": {
"locked": {
"lastModified": 1759386674,
"narHash": "sha256-wg1Lz/1FC5Q13R+mM5a2oTV9TA9L/CHHTm3/PiLayfA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "625ad6366178f03acd79f9e3822606dd7985b657",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nvf": { "nvf": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_5", "flake-compat": "flake-compat_5",
"flake-parts": "flake-parts_5", "flake-parts": "flake-parts_6",
"mnw": "mnw", "mnw": "mnw",
"nixpkgs": "nixpkgs_9", "nixpkgs": "nixpkgs_10",
"systems": "systems_5" "systems": "systems_5"
}, },
"locked": { "locked": {
"lastModified": 1760153667, "lastModified": 1762093557,
"narHash": "sha256-F7KmXT/Izse6Q6CkD5GCImoGPaDJxl03Kd7eD+eY/bU=", "narHash": "sha256-esmyNNa8TvduITLfqYPSMroyZ9vxJr2nsvjYmHmO+Ag=",
"owner": "notashelf", "owner": "notashelf",
"repo": "nvf", "repo": "nvf",
"rev": "9df9d51fd9fc8f9a8fc377f984ea3b7ae796172d", "rev": "20d8fca94dceaf943686598da7fba31b37100e50",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1505,11 +1551,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1758108966, "lastModified": 1760663237,
"narHash": "sha256-ytw7ROXaWZ7OfwHrQ9xvjpUWeGVm86pwnEd1QhzawIo=", "narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "54df955a695a84cd47d4a43e08e1feaf90b1fd9b", "rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1602,7 +1648,7 @@
"chaotic": "chaotic", "chaotic": "chaotic",
"fenix": "fenix", "fenix": "fenix",
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_3",
"fonts": "fonts", "fonts": "fonts",
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"hardware": "hardware", "hardware": "hardware",
@@ -1615,7 +1661,7 @@
"hyprpaper": "hyprpaper", "hyprpaper": "hyprpaper",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"nix-gaming": "nix-gaming", "nix-gaming": "nix-gaming",
"nixpkgs": "nixpkgs_8", "nixpkgs": "nixpkgs_9",
"nvf": "nvf", "nvf": "nvf",
"systems": "systems_6", "systems": "systems_6",
"treefmt-nix": "treefmt-nix", "treefmt-nix": "treefmt-nix",
@@ -1626,11 +1672,11 @@
"rust-analyzer-src": { "rust-analyzer-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1760090851, "lastModified": 1762016333,
"narHash": "sha256-XGkBjf4Dzg6tXd0KGgKzeW4oVX/iLzLhD3rQ1cATpqM=", "narHash": "sha256-PT8hXDYyeRjh9BGyLF/nZWm9TqRwP2EzeKuqUFH0M3w=",
"owner": "rust-lang", "owner": "rust-lang",
"repo": "rust-analyzer", "repo": "rust-analyzer",
"rev": "b93180b4f2cb3c81ac7f17f46e3dfcb30ecc7843", "rev": "fca718c0f2074bdccf9a996bb37b0fcaff80dc97",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1648,11 +1694,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760063676, "lastModified": 1761964689,
"narHash": "sha256-s5Fjh43skH2L+avOGioLmEHoYZffDbg3abV5h0gjeew=", "narHash": "sha256-Zo3LQQDz+64EQ9zor/WmeNTFLoZkjmhp0UY3G0D3seE=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "897deed0923cc5a1d560c5176abe0d172ec9716d", "rev": "63d22578600f70d293aede6bc737efef60ebd97f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1815,11 +1861,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760120816, "lastModified": 1761311587,
"narHash": "sha256-gq9rdocpmRZCwLS5vsHozwB6b5nrOBDNc2kkEaTXHfg=", "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "761ae7aff00907b607125b2f57338b74177697ed", "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1830,7 +1876,7 @@
}, },
"tuirun": { "tuirun": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_6", "flake-parts": "flake-parts_7",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@@ -1903,11 +1949,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1755354946, "lastModified": 1760713634,
"narHash": "sha256-zdov5f/GcoLQc9qYIS1dUTqtJMeDqmBmo59PAxze6e4=", "narHash": "sha256-5HXelmz2x/uO26lvW7MudnadbAfoBnve4tRBiDVLtOM=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "xdg-desktop-portal-hyprland", "repo": "xdg-desktop-portal-hyprland",
"rev": "a10726d6a8d0ef1a0c645378f983b6278c42eaa0", "rev": "753bbbdf6a052994da94062e5b753288cef28dfb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1923,11 +1969,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759969704, "lastModified": 1762074512,
"narHash": "sha256-T7f/invcFIKHrBqD+FLf/C/HOGmpYfbZUzTDxFscpOA=", "narHash": "sha256-m8ZY0rmq9QXnIR08/vOyK9MnEbiziZG8mPGAVwoYEPQ=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "1173c777dc8daddcc4959260a7b00fd8abc884c5", "rev": "eb05f21bcf0f380e45537db6c5df13b50acaa4a6",
"revCount": 137, "revCount": 143,
"type": "git", "type": "git",
"url": "https://git.sr.ht/~canasta/zen-browser-flake" "url": "https://git.sr.ht/~canasta/zen-browser-flake"
}, },


@@ -1,9 +1,8 @@
{ {
description = "cnix nix"; description = "cnix nix";
outputs = outputs = inputs:
inputs: inputs.flake-parts.lib.mkFlake {inherit inputs;} {
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
systems = [ systems = [
"x86_64-linux" "x86_64-linux"
"aarch64-linux" "aarch64-linux"
@@ -17,25 +16,23 @@
./fmt-hooks.nix ./fmt-hooks.nix
]; ];
perSystem = perSystem = {
{ config,
config, pkgs,
pkgs, ...
... }: {
}: devShells.default = pkgs.mkShell {
{ packages = [
devShells.default = pkgs.mkShell { pkgs.git
packages = [ config.packages.repl
pkgs.git ];
config.packages.repl name = "dots";
]; env.DIRENV_LOG_FORMAT = "";
name = "dots"; shellHook = ''
env.DIRENV_LOG_FORMAT = ""; ${config.pre-commit.installationScript}
shellHook = '' '';
${config.pre-commit.installationScript}
'';
};
}; };
};
}; };
inputs = { inputs = {
@@ -56,11 +53,7 @@
}; };
authentik = { authentik = {
url = "github:nix-community/authentik-nix"; url = "github:nix-community/authentik-nix/version/2025.8.4";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-parts.follows = "flake-parts";
};
}; };
flake-compat.url = "github:edolstra/flake-compat"; flake-compat.url = "github:edolstra/flake-compat";
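Review bot: Dropping `nixpkgs.follows` and `flake-parts.follows` from the `authentik` input while pinning it to `version/2025.8.4` means the identity provider is now built from its own locked nixpkgs instead of the root one. The lock file in this change shows this as a separate `nixpkgs_3` node whose `lastModified` (1757745802) is older than the root `nixpkgs_9` (1761907660). Because the input points at a fixed tag, that snapshot presumably will not advance on a routine lock update until the tag is bumped by hand, so fixes in authentik's dependency closure can lag the rest of the system. If the unfollow is needed for build compatibility, record that above the input, e.g. `# own nixpkgs on purpose: upstream only supports its locked set; bump the tag on every authentik release`; otherwise keep `inputs.nixpkgs.follows = "nixpkgs";`.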


@@ -38,17 +38,11 @@ in
./settings.nix ./settings.nix
]; ];
boot.initrd.luks.devices."luks-0ad53967-bb38-4485-be75-ca55ae4c3b68".device = "/dev/disk/by-uuid/0ad53967-bb38-4485-be75-ca55ae4c3b68";
networking.hostName = "bunk"; networking.hostName = "bunk";
swapDevices = [
{
device = "/var/lib/swapfile";
size = 32 * 1024;
}
];
environment.variables.NH_FLAKE = "/home/cnst/.nix-config"; environment.variables.NH_FLAKE = "/home/cnst/.nix-config";
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = lib.mkDefault "23.11"; system.stateVersion = lib.mkDefault "25.05";
} }
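Review bot: Removing the `/var/lib/swapfile` entry here moves this host's swap to the hardware configuration changed in the same range (presumably this host's), which lists a raw `/dev/disk/by-uuid/e6464248-…` partition while declaring only one LUKS device. If that partition sits outside the LUKS container, paged-out memory, including key material, is written to disk unencrypted; the old swapfile lived on the root filesystem, which was presumably the LUKS-backed one. Either confirm the swap partition is inside an encrypted volume, or declare it as `swapDevices = [{ device = "/dev/disk/by-partuuid/<PARTUUID>"; randomEncryption.enable = true; }];` (a partition path rather than `by-uuid`, since the filesystem UUID does not survive re-keying, and note that this rules out hibernation). A one-line comment next to `system.stateVersion` saying that the jump to "25.05" reflects a reinstall would also help, as this value is normally left alone on an existing system.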


@@ -1,47 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
config, imports =
lib, [ (modulesPath + "/installer/scan/not-detected.nix")
modulesPath, ];
...
}: boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ];
{ boot.initrd.kernelModules = [ ];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; boot.kernelModules = [ "kvm-amd" ];
boot = { boot.extraModulePackages = [ ];
initrd = {
availableKernelModules = [ fileSystems."/" =
"nvme" { device = "/dev/disk/by-uuid/d15672b5-dc97-4f99-9ad2-70f9ddf20447";
"xhci_pci" fsType = "btrfs";
"ahci" options = [ "subvol=@" ];
"usbhid"
"usb_storage"
"sd_mod"
];
kernelModules = [ "amdgpu" ];
}; };
kernelModules = [ "kvm-amd" ]; boot.initrd.luks.devices."luks-2f0dfe96-bc63-4f38-b190-3d9fa45dc560".device = "/dev/disk/by-uuid/2f0dfe96-bc63-4f38-b190-3d9fa45dc560";
extraModulePackages = [ ];
};
fileSystems."/" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/da41c89a-7ab8-4697-9a14-0d115b97cc2e"; { device = "/dev/disk/by-uuid/F3FC-3CDF";
fsType = "ext4"; fsType = "vfat";
}; options = [ "fmask=0077" "dmask=0077" ];
};
boot.initrd.luks.devices."luks-e75ac560-748f-4071-bbe7-479678400be3".device = swapDevices =
"/dev/disk/by-uuid/e75ac560-748f-4071-bbe7-479678400be3"; [ { device = "/dev/disk/by-uuid/e6464248-0d1e-4950-bf48-4cebeabaf871"; }
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7E84-D168";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
]; ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@@ -27,6 +27,13 @@
}; };
network = { network = {
enable = true; enable = true;
nameservers = [
"192.168.88.1"
"192.168.88.69"
];
search = [
"taila7448a.ts.net"
];
interfaces = { interfaces = {
"wlp6s0" = { "wlp6s0" = {
allowedTCPPorts = [ allowedTCPPorts = [
@@ -73,8 +80,8 @@
enable = false; enable = false;
}; };
hyprland = { hyprland = {
enable = false; enable = true;
withUWSM = false; withUWSM = true;
}; };
inkscape = { inkscape = {
enable = false; enable = false;
@@ -86,7 +93,7 @@
enable = true; enable = true;
}; };
niri = { niri = {
enable = true; enable = false;
}; };
pkgs = { pkgs = {
enable = true; enable = true;
@@ -123,10 +130,10 @@
enable = false; enable = false;
}; };
thunar = { thunar = {
enable = true; enable = false;
}; };
yubikey = { yubikey = {
enable = true; enable = false;
}; };
zsh = { zsh = {
enable = false; enable = false;
@@ -168,7 +175,7 @@
enable = true; enable = true;
}; };
mullvad = { mullvad = {
enable = true; enable = false;
}; };
nix-ld = { nix-ld = {
enable = false; enable = false;
@@ -191,11 +198,14 @@
samba = { samba = {
enable = false; enable = false;
}; };
tailscale = {
enable = true;
};
udisks = { udisks = {
enable = true; enable = true;
}; };
zram = { zram = {
enable = false; enable = true;
}; };
}; };
system = { system = {
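Review bot: The new `nameservers` entries are private addresses on 192.168.88.0/24, and the same `network` block configures a wireless interface (`wlp6s0`), so on any other network that uses this range the machine's DNS queries go to whatever host answers at `192.168.88.1` or `192.168.88.69` there. The same section turns `mullvad` and `yubikey` off and `tailscale` on, so the off-LAN resolver path likely depends on the tailnet alone; this is inferred, since the module bodies are outside the hunk. Consider leaving `nameservers` unset on a roaming host and letting DHCP or the tailnet supply resolvers, or at least state the assumption with `# home-LAN resolvers only; not valid off-site`. The `search` entry also commits the tailnet name to the repository; confirm that is intended.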

View File

@@ -10,7 +10,7 @@
name = "DP-3"; name = "DP-3";
width = 2560; width = 2560;
height = 1440; height = 1440;
refreshRate = 240; refreshRate = "143.99";
position = "0x0"; position = "0x0";
transform = 0; transform = 0;
bitDepth = 10; bitDepth = 10;
@@ -20,7 +20,7 @@
name = "HDMI-A-1"; name = "HDMI-A-1";
width = 1920; width = 1920;
height = 1080; height = 1080;
refreshRate = 60; refreshRate = "60";
position = "2560x0"; position = "2560x0";
# transform = 3; # transform = 3;
workspace = "5"; workspace = "5";
@@ -29,7 +29,7 @@
name = "eDP-1"; name = "eDP-1";
width = 1920; width = 1920;
height = 1200; height = 1200;
refreshRate = 60; refreshRate = "60";
workspace = "1"; workspace = "1";
} }
]; ];


@@ -8,7 +8,7 @@
{ {
flake.nixosConfigurations = flake.nixosConfigurations =
let let
cLib = import ../lib inputs.nixpkgs.lib; clib = import ../lib inputs.nixpkgs.lib;
userConfig = "${self}/home"; userConfig = "${self}/home";
systemConfig = "${self}/system"; systemConfig = "${self}/system";
hostConfig = "${self}/hosts"; hostConfig = "${self}/hosts";
@@ -24,7 +24,6 @@
specialArgs = { specialArgs = {
inherit inherit
cLib
inputs inputs
outputs outputs
self self
@@ -37,17 +36,20 @@
smodPath smodPath
; ;
}; };
specialArgsWithClib = specialArgs // {
inherit clib;
};
in in
{ {
kima = nixosSystem { kima = nixosSystem {
inherit specialArgs; specialArgs = specialArgsWithClib;
modules = [ modules = [
./kima ./kima
"${self}/nix" "${self}/nix"
{ {
home-manager = { home-manager = {
users.cnst.imports = homeImports."cnst@kima"; users.cnst.imports = homeImports."cnst@kima";
extraSpecialArgs = specialArgs; extraSpecialArgs = specialArgsWithClib;
}; };
} }
self.nixosModules.nixos self.nixosModules.nixos
@@ -57,14 +59,14 @@
]; ];
}; };
bunk = nixosSystem { bunk = nixosSystem {
inherit specialArgs; specialArgs = specialArgsWithClib;
modules = [ modules = [
./bunk ./bunk
"${self}/nix" "${self}/nix"
{ {
home-manager = { home-manager = {
users.cnst.imports = homeImports."cnst@bunk"; users.cnst.imports = homeImports."cnst@bunk";
extraSpecialArgs = specialArgs; extraSpecialArgs = specialArgsWithClib;
}; };
} }
self.nixosModules.nixos self.nixosModules.nixos
@@ -97,14 +99,14 @@
]; ];
}; };
toothpc = nixosSystem { toothpc = nixosSystem {
inherit specialArgs; specialArgs = specialArgsWithClib;
modules = [ modules = [
./toothpc ./toothpc
"${self}/nix" "${self}/nix"
{ {
home-manager = { home-manager = {
users.toothpick.imports = homeImports."toothpick@toothpc"; users.toothpick.imports = homeImports."toothpick@toothpc";
extraSpecialArgs = specialArgs; extraSpecialArgs = specialArgsWithClib;
}; };
} }
self.nixosModules.nixos self.nixosModules.nixos


@@ -82,8 +82,8 @@
enable = false; enable = false;
}; };
hyprland = { hyprland = {
enable = false; enable = true;
withUWSM = false; withUWSM = true;
}; };
inkscape = { inkscape = {
enable = false; enable = false;
@@ -98,7 +98,7 @@
enable = true; enable = true;
}; };
niri = { niri = {
enable = true; enable = false;
}; };
pkgs = { pkgs = {
enable = true; enable = true;


@@ -10,7 +10,7 @@
name = "DP-3"; name = "DP-3";
width = 2560; width = 2560;
height = 1440; height = 1440;
refreshRate = 240; refreshRate = "143.99";
position = "0x0"; position = "0x0";
transform = 0; transform = 0;
bitDepth = 10; bitDepth = 10;
@@ -20,7 +20,7 @@
name = "HDMI-A-1"; name = "HDMI-A-1";
width = 1920; width = 1920;
height = 1080; height = 1080;
refreshRate = 60; refreshRate = "60";
position = "2560x0"; position = "2560x0";
transform = 3; transform = 3;
workspace = "5"; workspace = "5";
@@ -29,7 +29,7 @@
name = "eDP-1"; name = "eDP-1";
width = 1920; width = 1920;
height = 1200; height = 1200;
refreshRate = 60; refreshRate = "60";
workspace = "1"; workspace = "1";
} }
]; ];


@@ -3,108 +3,276 @@
enable = true; enable = true;
email = "adam@cnst.dev"; email = "adam@cnst.dev";
domain = "cnix.dev"; domain = "cnix.dev";
ip = "192.168.88.14";
user = "share"; user = "share";
group = "share"; group = "share";
uid = 994; uid = 994;
gid = 993; gid = 993;
traefik = { infra = {
enable = true; authentik = {
}; enable = true;
tailscale = { url = "auth.cnst.dev";
enable = true; port = 9000;
}; cloudflared = {
unbound = { tunnelId = "b66f9368-db9e-4302-8b48-527cda34a635";
enable = true; credentialsFile = config.age.secrets.authentikCloudflared.path;
}; };
homepage-dashboard = { };
enable = true; traefik = {
}; enable = true;
n8n = { };
enable = true; tailscale = {
}; enable = true;
bazarr = { };
enable = true; unbound = {
}; enable = true;
prowlarr = { };
enable = true; fail2ban = {
}; enable = true;
lidarr = { apiKeyFile = config.age.secrets.cloudflareFirewallApiKey.path;
enable = true; zoneId = "0027acdfb8bbe010f55b676ad8698dfb";
}; };
sonarr = { keepalived = {
enable = true; enable = true;
}; interface = "enp6s0";
radarr = { };
enable = true; gluetun = {
}; enable = true;
jellyseerr = { };
enable = true; podman = {
}; enable = true;
jellyfin = { };
enable = true; www = {
}; enable = true;
uptime-kuma = { url = "cnst.dev";
enable = true; port = 8283;
}; cloudflared = {
gitea = { tunnelId = "e5076186-efb7-405a-998c-6155af7fb221";
enable = true; credentialsFile = config.age.secrets.wwwCloudflared.path;
url = "git.cnst.dev"; };
cloudflared = {
tunnelId = "33e2fb8e-ecef-4d42-b845-6d15e216e448";
credentialsFile = config.age.secrets.giteaCloudflared.path;
}; };
}; };
vaultwarden = {
enable = true; services = {
url = "vault.cnst.dev"; homepage-dashboard = {
cloudflared = { enable = true;
tunnelId = "fdd98086-6a4c-44f2-bba0-eb86b833cce5"; subdomain = "dash";
credentialsFile = config.age.secrets.vaultwardenCloudflared.path; exposure = "local";
port = 8082;
}; };
}; n8n = {
www = { enable = true;
enable = true; subdomain = "n8n";
url = "cnst.dev"; exposure = "local";
cloudflared = { port = 5678;
tunnelId = "e5076186-efb7-405a-998c-6155af7fb221"; homepage = {
credentialsFile = config.age.secrets.wwwCloudflared.path; name = "n8n";
description = "A workflow automation platform";
icon = "n8n.svg";
category = "Services";
};
}; };
}; ollama = {
authentik = { enable = true;
enable = true; subdomain = "ai";
url = "auth.cnst.dev"; exposure = "local";
cloudflared = { port = 8001;
tunnelId = "b66f9368-db9e-4302-8b48-527cda34a635"; homepage = {
credentialsFile = config.age.secrets.authentikCloudflared.path; name = "ollama";
description = "AI platform";
icon = "ollama.svg";
category = "Services";
};
};
bazarr = {
enable = true;
subdomain = "bazarr";
exposure = "local";
port = 6767;
homepage = {
name = "Bazarr";
description = "Subtitle manager";
icon = "bazarr.svg";
category = "Arr";
};
};
prowlarr = {
enable = true;
subdomain = "prowlarr";
exposure = "local";
port = 9696;
homepage = {
name = "Prowlarr";
description = "PVR indexer";
icon = "prowlarr.svg";
category = "Arr";
};
};
flaresolverr = {
enable = true;
subdomain = "flaresolverr";
exposure = "local";
port = 8191;
homepage = {
name = "FlareSolverr";
description = "Proxy to bypass Cloudflare/DDoS-GUARD protection";
icon = "flaresolverr.svg";
category = "Arr";
};
};
lidarr = {
enable = true;
subdomain = "lidarr";
exposure = "local";
port = 8686;
homepage = {
name = "Lidarr";
description = "Music collection manager";
icon = "lidarr.svg";
category = "Arr";
};
};
sonarr = {
enable = true;
subdomain = "sonarr";
exposure = "local";
port = 8989;
homepage = {
name = "Sonarr";
description = "Internet PVR for Usenet and Torrents";
icon = "sonarr.svg";
category = "Arr";
};
};
radarr = {
enable = true;
subdomain = "radarr";
exposure = "local";
port = 7878;
homepage = {
name = "Radarr";
description = "Movie collection manager";
icon = "radarr.svg";
category = "Arr";
};
};
jellyseerr = {
enable = true;
subdomain = "jellyseerr";
exposure = "local";
port = 5055;
homepage = {
name = "Jellyseerr";
description = "Media request and discovery manager";
icon = "jellyseerr.svg";
category = "Arr";
};
};
jellyfin = {
enable = true;
subdomain = "fin";
exposure = "tailscale";
port = 8096;
homepage = {
name = "Jellyfin";
description = "The Free Software Media System";
icon = "jellyfin.svg";
category = "Media";
};
};
uptime-kuma = {
enable = true;
subdomain = "uptime";
exposure = "local";
port = 3001;
homepage = {
name = "Uptime Kuma";
description = "Service monitoring tool";
icon = "uptime-kuma.svg";
category = "Services";
};
};
gitea = {
enable = true;
subdomain = "git";
exposure = "tunnel";
port = 5003;
cloudflared = {
tunnelId = "33e2fb8e-ecef-4d42-b845-6d15e216e448";
credentialsFile = config.age.secrets.giteaCloudflared.path;
};
homepage = {
name = "Gitea";
description = "Git with a cup of tea";
icon = "gitea.svg";
category = "Services";
};
};
vaultwarden = {
enable = true;
subdomain = "vault";
exposure = "tunnel";
port = 8222;
cloudflared = {
tunnelId = "fdd98086-6a4c-44f2-bba0-eb86b833cce5";
credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
};
homepage = {
name = "Vaultwarden";
description = "Password manager";
icon = "vaultwarden-light.svg";
category = "Services";
};
};
nextcloud = {
enable = true;
subdomain = "cloud";
exposure = "local";
port = 8182;
homepage = {
name = "Nextcloud";
description = "A safe home for all your data";
icon = "nextcloud.svg";
category = "Services";
};
}; };
};
nextcloud = {
enable = true;
adminpassFile = config.age.secrets.nextcloudAdminPass.path;
};
fail2ban = {
enable = true;
apiKeyFile = config.age.secrets.cloudflareFirewallApiKey.path;
zoneId = "0027acdfb8bbe010f55b676ad8698dfb";
};
keepalived = {
enable = true;
interface = "enp6s0";
};
podman = {
enable = true;
gluetun.enable = true;
qbittorrent = { qbittorrent = {
enable = true; enable = true;
subdomain = "qbt";
exposure = "local";
port = 8080; port = 8080;
homepage = {
name = "qBittorrent";
description = "Torrent client";
icon = "qbittorrent.svg";
category = "Downloads";
};
}; };
slskd = { slskd = {
enable = true; enable = true;
subdomain = "slskd";
exposure = "local";
port = 5030;
homepage = {
name = "Soulseek";
description = "Web-based Soulseek client";
icon = "slskd.svg";
category = "Downloads";
};
}; };
pihole = { pihole = {
enable = true; enable = true;
subdomain = "pihole";
exposure = "local";
port = 8053; port = 8053;
homepage = {
name = "PiHole";
description = "Adblocking and DNS service";
icon = "pi-hole.svg";
category = "Services";
path = "/admin";
};
}; };
}; };
}; };
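Review bot: The new `services.nextcloud` entry carries only `subdomain`, `exposure`, `port` and `homepage`, while the block it replaces appears to have passed `adminpassFile = config.age.secrets.nextcloudAdminPass.path`. Unless the module under `./services` (not visible here) now reads that secret itself, the admin password is no longer wired from this host's settings. If the option still exists, keep `adminpassFile = config.age.secrets.nextcloudAdminPass.path;` in the new entry, as `fail2ban.apiKeyFile` was kept under `infra`. The enclosing attribute set starts above the hunk.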


@@ -4,6 +4,10 @@
username = "cnst"; username = "cnst";
mail = "adam@cnst.dev"; mail = "adam@cnst.dev";
sshUser = "sobotka"; sshUser = "sobotka";
domains = {
local = "cnix.dev";
public = "cnst.dev";
};
}; };
}; };
} }


@@ -10,7 +10,7 @@
name = "DVI-D-1"; name = "DVI-D-1";
width = 1920; width = 1920;
height = 1080; height = 1080;
refreshRate = 144; refreshRate = "144";
position = "0x0"; position = "0x0";
transform = 0; transform = 0;
workspace = "1"; workspace = "1";

26
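--- a/lib/server/default.nix
+++ b/lib/server/default.nix
@@ -0,0 +1,26 @@
+{lib}: let
+server = {
+mkDomain = config: service: let
+localDomain = config.settings.accounts.domains.local;
+publicDomain = config.settings.accounts.domains.public;
+tailscaleDomain = "ts.${publicDomain}";
+in
+if service.exposure == "tunnel"
+then publicDomain
+else if service.exposure == "tailscale"
+then tailscaleDomain
+else localDomain;
+mkFullDomain = config: service: let
+domain = server.mkDomain config service;
+in "${service.subdomain}.${domain}";
+mkHostDomain = config: service: let
+domain = server.mkDomain config service;
+in "${domain}";
+mkSubDomain = config: service: "${service.subdomain}";
+};
+in {
+server = server;
+}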
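Review bot: `mkDomain` maps every `exposure` value other than `"tunnel"` and `"tailscale"` to the local domain, so a misspelt or unsupported value is accepted silently. Since this string decides whether a service gets a public, tailnet or LAN hostname, an unknown value should stop evaluation: `else if service.exposure == "local" then localDomain else throw "unknown exposure: ${service.exposure}"`. Alternatively, declare the option as `lib.types.enum [ "local" "tailscale" "tunnel" ]` where it is defined, which is not visible here. The helpers have no comments; a line above `mkDomain` such as `# exposure -> domain: tunnel = public, tailscale = ts.<public>, otherwise local` would help, and `"${domain}"` in `mkHostDomain` is just `domain`.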


@@ -123,28 +123,6 @@
server = { server = {
imports = [ imports = [
./server ./server
./server/fail2ban
./server/homepage-dashboard
./server/nextcloud
./server/vaultwarden
./server/bazarr
./server/prowlarr
./server/lidarr
./server/radarr
./server/sonarr
./server/jellyseerr
./server/jellyfin
./server/n8n
./server/podman
./server/unbound
./server/uptime-kuma
./server/keepalived
./server/gitea
./server/postgres
./server/traefik
./server/www
./server/authentik
./server/tailscale
]; ];
}; };
settings = { settings = {


@@ -6,8 +6,9 @@
}: }:
let let
inherit (lib) mkIf mkEnableOption; inherit (lib) mkIf mkEnableOption;
inherit (lib.meta) getExe; packageNames = map (p: p.pname or p.name or null) config.home.packages;
inherit (pkgs) eza bat; hasPackage = name: lib.any (x: x == name) packageNames;
hasEza = hasPackage "eza";
cfg = config.home.programs.fish; cfg = config.home.programs.fish;
in in
{ {
@@ -28,7 +29,9 @@ in
nixclean = "nh clean all --keep 3"; nixclean = "nh clean all --keep 3";
nixdev = "nix develop ~/.nix-config -c $SHELL"; nixdev = "nix develop ~/.nix-config -c $SHELL";
nixup = "nh os switch -H $hostname"; nixup = "nh os switch -H $hostname";
nixupv = "nh os switch -v -H $hostname"; nixupn = "nh os switch -n -H $hostname";
nixupv = "nh os switch -v --show-trace -H $hostname";
nixupvn = "nh os switch -n -v --show-trace -H $hostname";
flakeup = "nix flake update"; flakeup = "nix flake update";
}; };
shellAliases = { shellAliases = {
@@ -44,12 +47,8 @@ in
nset = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/settings.nix"; nset = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/settings.nix";
nixosmodules = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/modules.nix"; nixosmodules = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/modules.nix";
nmod = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/modules.nix"; nmod = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/modules.nix";
tree = "${getExe eza} --tree --icons=always"; ls = mkIf hasEza "eza";
cat = "${getExe bat} --style=plain"; tree = mkIf hasEza "eza --tree --icons=always";
ls = "${getExe eza} -h --git --icons --color=auto --group-directories-first -s extension";
ll = "${getExe eza} -l --git --icons --color=auto --group-directories-first -s extension";
lat = "${getExe eza} -lah --tree --color=auto --group-directories-first -s extension";
la = "${getExe eza} -lah --color=auto --group-directories-first -s extension";
# Clear screen and scrollback # Clear screen and scrollback
clear = "printf '\\033[2J\\033[3J\\033[1;1H'"; clear = "printf '\\033[2J\\033[3J\\033[1;1H'";
}; };
@@ -59,14 +58,12 @@ in
# Merge history when pressing up # Merge history when pressing up
up-or-search = lib.readFile ./up-or-search.fish; up-or-search = lib.readFile ./up-or-search.fish;
# Check stuff in PATH # Check stuff in PATH
nix-inspect = nix-inspect = # fish
# fish
'' ''
set -s PATH | grep "PATH\[.*/nix/store" | cut -d '|' -f2 | grep -v -e "-man" -e "-terminfo" | perl -pe 's:^/nix/store/\w{32}-([^/]*)/bin$:\1:' | sort | uniq set -s PATH | grep "PATH\[.*/nix/store" | cut -d '|' -f2 | grep -v -e "-man" -e "-terminfo" | perl -pe 's:^/nix/store/\w{32}-([^/]*)/bin$:\1:' | sort | uniq
''; '';
}; };
interactiveShellInit = interactiveShellInit = # fish
# fish
'' ''
# Open command buffer in vim when alt+e is pressed # Open command buffer in vim when alt+e is pressed
bind \ee edit_command_buffer bind \ee edit_command_buffer
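Review bot: The `ls` and `tree` aliases now run a bare `eza` looked up on `PATH`, where the old lines used the store path from `getExe`, and they are defined only if a package named `eza` is in `config.home.packages`. The system-level fish module changed on this page uses `lib.getExe pkgs.eza` instead, so the two modules resolve the binary differently. If eza is installed system-wide rather than through home-manager, `hasEza` is false and the aliases disappear. Writing `tree = "${lib.getExe pkgs.eza} --tree --icons=always";` here too keeps the alias pinned and independent of the package list, assuming `pkgs` is still a module argument (the argument list is above the hunk).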


@@ -15,47 +15,54 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
home.packages = [ pkgs.gh ]; home.packages = [ pkgs.gh ];
programs.git = { programs = {
enable = true; git = {
userName = osConfig.settings.accounts.username; enable = true;
userEmail = osConfig.settings.accounts.mail; settings = {
# user.signingkey = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
user = {
name = osConfig.settings.accounts.username;
email = osConfig.settings.accounts.mail;
signingkey = "${config.home.homeDirectory}/.config/git/allowed_signers";
};
signing = {
format = lib.mkDefault "ssh";
key = "${config.home.homeDirectory}/.ssh/id_ed25519";
signByDefault = true;
};
gpg = {
# format = lib.mkDefault "ssh";
ssh.allowedSignersFile =
config.home.homeDirectory + "/" + config.xdg.configFile."git/allowed_signers".target;
};
commit = {
verbose = true;
gpgSign = false;
};
init.defaultBranch = "main";
merge.conflictStyle = "diff3";
diff.algorithm = "histogram";
log.date = "iso";
column.ui = "auto";
branch.sort = "committerdate";
push.autoSetupRemote = true;
rerere.enabled = true;
};
lfs.enable = true;
ignores = [
".direnv"
"result"
".jj"
];
};
delta = { delta = {
enableGitIntegration = true;
enable = true; enable = true;
options.dark = true; options.dark = true;
}; };
extraConfig = {
# user.signingkey = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
user.signingkey = "${config.home.homeDirectory}/.config/git/allowed_signers";
signing = {
format = lib.mkDefault "ssh";
key = "${config.home.homeDirectory}/.ssh/id_ed25519";
signByDefault = true;
};
gpg = {
# format = lib.mkDefault "ssh";
ssh.allowedSignersFile =
config.home.homeDirectory + "/" + config.xdg.configFile."git/allowed_signers".target;
};
commit = {
verbose = true;
gpgSign = false;
};
init.defaultBranch = "main";
merge.conflictStyle = "diff3";
diff.algorithm = "histogram";
log.date = "iso";
column.ui = "auto";
branch.sort = "committerdate";
push.autoSetupRemote = true;
rerere.enabled = true;
};
lfs.enable = true;
ignores = [
".direnv"
"result"
".jj"
];
}; };
xdg.configFile."git/allowed_signers".text = '' xdg.configFile."git/allowed_signers".text = ''
${osConfig.settings.accounts.mail} namespaces="git" ${osConfig.settings.accounts.sshKey} ${osConfig.settings.accounts.mail} namespaces="git" ${osConfig.settings.accounts.sshKey}
''; '';
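Review bot: Inside the new `settings` attribute set, `signing = { format; key; signByDefault; }` becomes a `[signing]` section of the generated git config, which git does not read; the keys git uses for signing are `gpg.format`, `user.signingkey` and `commit.gpgSign`. As written, `gpg.format` is commented out, `commit.gpgSign` is `false`, and `user.signingkey` points at the `allowed_signers` file instead of a key, so commits are most likely unsigned even though `signByDefault = true` suggests otherwise. Move `signing` up one level so that it is `programs.git.signing`, and set `signingkey = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";` as the commented-out line already has it. The layout was carried over from the old `extraConfig` block, and the enclosing `config = mkIf cfg.enable {` starts above the hunk.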


@@ -1,26 +1,20 @@
{ {
inputs,
pkgs,
lib, lib,
osConfig, osConfig,
cLib, clib,
... ...
}: }:
let let
inherit (lib) mkIf mkEnableOption; inherit (lib) mkIf;
cfg = osConfig.nixos.programs.hyprland; cfg = osConfig.nixos.programs.hyprland;
hyprlockFlake = inputs.hyprlock.packages.${pkgs.system}.hyprlock;
# hyprlockPkg = pkgs.hyprlock;
#
bg = osConfig.settings.theme.background; bg = osConfig.settings.theme.background;
inherit (cLib.theme.bgs) resolve; inherit (clib.theme.bgs) resolve;
in in
{ {
config = mkIf cfg.enable { config = mkIf cfg.enable {
programs.hyprlock = { programs.hyprlock = {
enable = true; enable = true;
package = hyprlockFlake;
settings = { settings = {
general = { general = {
# disable_loading_bar = true; # disable_loading_bar = true;
@@ -60,6 +54,7 @@ in
position = "0, 20"; position = "0, 20";
halign = "center"; halign = "center";
valign = "center"; valign = "center";
font_family = "DepartureMono Nerd Font Mono Italic";
} }
]; ];
label = [ label = [
@@ -71,7 +66,7 @@ in
shadow_boost = 0.5; shadow_boost = 0.5;
color = "rgba(FFFFFFFF)"; color = "rgba(FFFFFFFF)";
font_size = 25; font_size = 25;
font_family = "Input Mono Compressed"; font_family = "DepartureMono Nerd Font Mono Regular";
position = "0, 230"; position = "0, 230";
halign = "center"; halign = "center";
valign = "center"; valign = "center";
@@ -84,7 +79,7 @@ in
shadow_boost = 0.5; shadow_boost = 0.5;
color = "rgba(FFFFFFFF)"; color = "rgba(FFFFFFFF)";
font_size = 85; font_size = 85;
font_family = "Input Mono Compressed"; font_family = "DepartureMono Nerd Font Mono Regular";
position = "0, 300"; position = "0, 300";
halign = "center"; halign = "center";
valign = "center"; valign = "center";


@@ -62,16 +62,8 @@ in
[ [
cmatrix cmatrix
xcur2png xcur2png
ripgrep
file
fd
gnused
nix-tree nix-tree
wireguard-tools wireguard-tools
unzip
zip
gnutar
p7zip
] ]
(mkIf cfg.common.enable [ (mkIf cfg.common.enable [


@@ -10,7 +10,7 @@
"group/system" "group/system"
], ],
"modules-center": [ "modules-center": [
"niri/workspaces" "hyprland/workspaces"
], ],
"modules-right": [ "modules-right": [
"custom/progress", "custom/progress",
@@ -126,16 +126,28 @@
"all-outputs": false, "all-outputs": false,
"format": "{icon}", "format": "{icon}",
"format-icons": { "format-icons": {
"urgent": "", "1": "1",
"visible": "", "2": "2",
"empty": "" "3": "3",
"4": "4",
"5": "5",
"6": "6",
"7": "7",
"8": "8",
"9": "9",
"default": "_",
"active": "_"
}, },
"on-click": "activate", "on-click": "activate",
"show-special": false, "show-special": false,
"on-scroll-up": "hyprctl dispatch workspace r-1", "on-scroll-up": "hyprctl dispatch workspace r-1",
"on-scroll-down": "hyprctl dispatch workspace r+1", "on-scroll-down": "hyprctl dispatch workspace r+1",
"persistent-workspaces": { "persistent-workspaces": {
"*": 3 "1": [],
"2": [],
"3": [],
"4": [],
"5": []
} }
}, },
"niri/workspaces": { "niri/workspaces": {


@@ -28,8 +28,8 @@ tooltip label {
margin: 0 0px; margin: 0 0px;
background-color: transparent; background-color: transparent;
color: #fbf1c7; color: #fbf1c7;
border-top: 3px solid transparent; border-top: 4px solid transparent;
border-bottom: 3px solid transparent; border-bottom: 4px solid transparent;
} }
#workspaces button:hover { #workspaces button:hover {
@@ -45,7 +45,7 @@ tooltip label {
background-image: url("assets/button.svg"); background-image: url("assets/button.svg");
background-position: center; background-position: center;
background-repeat: no-repeat; background-repeat: no-repeat;
background-size: 18px 15px; background-size: 21px 18px;
} }
#custom-trayicon { #custom-trayicon {


@@ -1,22 +1,14 @@
{ {
osConfig, osConfig,
lib, lib,
pkgs,
inputs,
... ...
}: }: let
let
inherit (lib) mkIf; inherit (lib) mkIf;
cfg = osConfig.nixos.programs.hyprland; cfg = osConfig.nixos.programs.hyprland;
in {
hypridleFlake = inputs.hypridle.packages.${pkgs.system}.hypridle;
# hypridlePkg = pkgs.hypridle;
in
{
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.hypridle = { services.hypridle = {
enable = true; enable = true;
package = hypridleFlake;
settings = { settings = {
general = { general = {
lock_cmd = "hyprlock"; lock_cmd = "hyprlock";


@@ -1,18 +1,14 @@
{ {
lib, lib,
pkgs,
inputs,
osConfig, osConfig,
cLib, clib,
... ...
}: }: let
let
inherit (lib) mkIf; inherit (lib) mkIf;
cfg = osConfig.nixos.programs.hyprland; cfg = osConfig.nixos.programs.hyprland;
hyprpaperFlake = inputs.hyprpaper.packages.${pkgs.system}.default;
bg = osConfig.settings.theme.background; bg = osConfig.settings.theme.background;
bgs = cLib.theme.bgs; bgs = clib.theme.bgs;
monitorMappings = [ monitorMappings = [
{ {
@@ -32,12 +28,10 @@ let
bg = bg.primary; bg = bg.primary;
} }
]; ];
in in {
{
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.hyprpaper = { services.hyprpaper = {
enable = true; enable = true;
package = hyprpaperFlake;
settings = { settings = {
ipc = "on"; ipc = "on";


@@ -19,13 +19,13 @@ let
commonPackages = with pkgs; [ commonPackages = with pkgs; [
libva libva
vaapiVdpau libva-vdpau-driver
libvdpau-va-gl libvdpau-va-gl
]; ];
commonPackages32 = with pkgs.pkgsi686Linux; [ commonPackages32 = with pkgs.pkgsi686Linux; [
libva libva
vaapiVdpau libva-vdpau-driver
libvdpau-va-gl libvdpau-va-gl
]; ];


@@ -3,14 +3,11 @@
lib, lib,
pkgs, pkgs,
... ...
}: }: let
let
inherit (lib.meta) getExe;
inherit (pkgs) eza bat;
inherit (lib) mkIf mkEnableOption mkMerge; inherit (lib) mkIf mkEnableOption mkMerge;
cfg = config.nixos.programs.fish; cfg = config.nixos.programs.fish;
in in {
{
options = { options = {
nixos.programs.fish = { nixos.programs.fish = {
enable = mkEnableOption "Enables fish shell"; enable = mkEnableOption "Enables fish shell";
@@ -22,6 +19,7 @@ in
(mkIf cfg.enable { (mkIf cfg.enable {
programs.fish = { programs.fish = {
enable = true; enable = true;
useBabelfish = true;
vendor = { vendor = {
completions.enable = true; completions.enable = true;
config.enable = true; config.enable = true;
@@ -37,7 +35,9 @@ in
nixclean = "nh clean all --keep 3"; nixclean = "nh clean all --keep 3";
nixdev = "nix develop ~/.nix-config -c $SHELL"; nixdev = "nix develop ~/.nix-config -c $SHELL";
nixup = "nh os switch -H $hostname"; nixup = "nh os switch -H $hostname";
nixupv = "nh os switch -v -H $hostname"; nixupn = "nh os switch -n -H $hostname";
nixupv = "nh os switch -v --show-trace -H $hostname";
nixupvn = "nh os switch -n -v --show-trace -H $hostname";
flakeup = "nix flake update"; flakeup = "nix flake update";
}; };
shellAliases = { shellAliases = {
@@ -53,12 +53,8 @@ in
nset = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/settings.nix"; nset = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/settings.nix";
nixosmodules = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/modules.nix"; nixosmodules = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/modules.nix";
nmod = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/modules.nix"; nmod = "$EDITOR /home/$USER/.nix-config/hosts/$hostname/modules.nix";
tree = "${getExe eza} --tree --icons=always"; ls = lib.getExe pkgs.eza;
cat = "${getExe bat} --style=plain"; tree = "${lib.getExe pkgs.eza} --tree --icons=always";
ls = "${getExe eza} -h --git --icons --color=auto --group-directories-first -s extension";
ll = "${getExe eza} -l --git --icons --color=auto --group-directories-first -s extension";
lat = "${getExe eza} -lah --tree --color=auto --group-directories-first -s extension";
la = "${getExe eza} -lah --color=auto --group-directories-first -s extension";
# Clear screen and scrollback # Clear screen and scrollback
clear = "printf '\\033[2J\\033[3J\\033[1;1H'"; clear = "printf '\\033[2J\\033[3J\\033[1;1H'";
}; };


@@ -37,9 +37,9 @@ in
}; };
gestures = { gestures = {
workspace_swipe = true; # workspace_swipe = true;
workspace_swipe_distance = 400; workspace_swipe_distance = 400;
workspace_swipe_fingers = 3; # workspace_swipe_fingers = 3;
workspace_swipe_cancel_ratio = 0.2; workspace_swipe_cancel_ratio = 0.2;
workspace_swipe_min_speed_to_force = 5; workspace_swipe_min_speed_to_force = 5;
workspace_swipe_direction_lock = true; workspace_swipe_direction_lock = true;


@@ -49,20 +49,6 @@ in
"$mod, P, pseudo," "$mod, P, pseudo,"
"$mod, J, togglesplit," "$mod, J, togglesplit,"
"$mod, C, exec, hyprctl dispatch exec copyq toggle" "$mod, C, exec, hyprctl dispatch exec copyq toggle"
"$mod, left, movefocus, l"
"$mod, right, movefocus, r"
"$mod, up, movefocus, u"
"$mod, down, movefocus, d"
"$mod, 1, workspace, 1"
"$mod, 2, workspace, 2"
"$mod, 3, workspace, 3"
"$mod, 4, workspace, 4"
"$mod, 5, workspace, 5"
"$mod, 6, workspace, 6"
"$mod, 7, workspace, 7"
"$mod, 8, workspace, 8"
"$mod, 9, workspace, 9"
"$mod, 0, workspace, 10"
"$mod SHIFT, 1, movetoworkspace, 1" "$mod SHIFT, 1, movetoworkspace, 1"
"$mod SHIFT, 2, movetoworkspace, 2" "$mod SHIFT, 2, movetoworkspace, 2"
"$mod SHIFT, 3, movetoworkspace, 3" "$mod SHIFT, 3, movetoworkspace, 3"
@@ -75,6 +61,30 @@ in
"$mod SHIFT, 0, movetoworkspace, 10" "$mod SHIFT, 0, movetoworkspace, 10"
"CTRL SHIFT, Escape, exec, ${runOnce "resources"}" "CTRL SHIFT, Escape, exec, ${runOnce "resources"}"
"$mod, 1, workspace, 1"
"$mod, 2, workspace, 2"
"$mod, 3, workspace, 3"
"$mod, 4, workspace, 4"
"$mod, 5, workspace, 5"
"$mod, 6, workspace, 6"
"$mod, 7, workspace, 7"
"$mod, 8, workspace, 8"
"$mod, 9, workspace, 9"
"$mod, 0, workspace, 10"
"$mod, left, movefocus, l"
"$mod, right, movefocus, r"
"$mod, up, movefocus, u"
"$mod, down, movefocus, d"
"$mod SHIFT, left, resizeactive, -20 0"
"$mod SHIFT, right, resizeactive, 20 0"
"$mod SHIFT, up, resizeactive, 0 -20"
"$mod SHIFT, down, resizeactive, 0 20"
"$mod CTRL, left, swapwindow, l"
"$mod CTRL, right, swapwindow, r"
"$mod CTRL, up, swapwindow, u"
"$mod CTRL, down, swapwindow, d"
",XF86AudioLowerVolume, exec, volume-control.sh --dec" ",XF86AudioLowerVolume, exec, volume-control.sh --dec"
",XF86AudioRaiseVolume, exec, volume-control.sh --inc" ",XF86AudioRaiseVolume, exec, volume-control.sh --inc"
",XF86AudioMute, exec, volume-control.sh --toggle" ",XF86AudioMute, exec, volume-control.sh --toggle"
@@ -99,7 +109,7 @@ in
(mkIf (host == "kima") { (mkIf (host == "kima") {
programs.hyprland.settings = { programs.hyprland.settings = {
"$terminal" = "ghostty"; "$terminal" = "alacritty";
"$browser" = "zen"; "$browser" = "zen";
"$browserinc" = "zen --private-window"; "$browserinc" = "zen --private-window";
"$mod" = "SUPER"; "$mod" = "SUPER";
@@ -111,7 +121,7 @@ in
(mkIf (host == "bunk") { (mkIf (host == "bunk") {
programs.hyprland.settings = { programs.hyprland.settings = {
"$terminal" = "foot"; "$terminal" = "alacritty";
"$browser" = "zen"; "$browser" = "zen";
"$browserinc" = "zen --private-window"; "$browserinc" = "zen --private-window";
"$mod" = "ALT_L"; "$mod" = "ALT_L";


@@ -21,7 +21,7 @@ in
let let
resolution = resolution =
if m.width != null && m.height != null then if m.width != null && m.height != null then
"${toString m.width}x${toString m.height}@${toString m.refreshRate}" "${toString m.width}x${toString m.height}@${m.refreshRate}"
else else
"preferred"; "preferred";
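Review bot: Dropping `toString` around `m.refreshRate` makes the interpolation fail for any monitor entry that still supplies an integer, because Nix does not coerce integers inside string interpolation. `toString` returns a string unchanged, so `"${toString m.width}x${toString m.height}@${toString m.refreshRate}"` accepts both the new `"143.99"` form and older integer values. The `let` binding continues below the hunk.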


@@ -79,10 +79,16 @@ in
xmrig xmrig
ocl-icd ocl-icd
dig dig
unzip
zip
gnutar
gnused
p7zip
ripgrep
file
] ]
(mkIf cfg.common.enable [ (mkIf cfg.common.enable [
qt6.full
swappy swappy
wayfreeze wayfreeze
imagemagick imagemagick


@@ -28,7 +28,7 @@ in
}; };
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
protonup protonup-ng
wine wine
winetricks winetricks
wine-wayland wine-wayland


@@ -16,14 +16,10 @@ in
services.kanata = { services.kanata = {
enable = true; enable = true;
package = pkgs.kanata-with-cmd; package = pkgs.kanata-with-cmd;
keyboards.hhkbse = { keyboards.default = {
extraDefCfg = '' extraDefCfg = ''
process-unmapped-keys yes process-unmapped-keys yes
''; '';
devices = [
"/dev/input/by-id/usb-PFU_Limited_HHKB-Hybrid-event-kbd"
"/dev/input/event2"
];
config = builtins.readFile (./. + "/hhkbse.kbd"); config = builtins.readFile (./. + "/hhkbse.kbd");
}; };
}; };
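Review bot: With the `devices` list removed, kanata chooses its input devices itself, which for the NixOS option's empty default means intercepting every device it detects as a keyboard. That can include hardware tokens that type one-time codes as a keyboard, whose output would then pass through the `hhkbse.kbd` remapping. If the aim is only to stop depending on `/dev/input/event2`, keep the stable path: `devices = [ "/dev/input/by-id/usb-PFU_Limited_HHKB-Hybrid-event-kbd" ];`. Otherwise add a `linux-dev-names-exclude` entry to `extraDefCfg` for devices that must not be remapped.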


@@ -18,6 +18,7 @@
2 3 4 5 6 7 8 9 0 + ´ ' § 2 3 4 5 6 7 8 9 0 + ´ ' §
e p ¨ e p ¨
l ö ä l ö ä
-
z x rmet z x rmet
) )
@@ -25,13 +26,16 @@
_ _ _ _ _ _ _ _ _ _ pgdn pgup del _ _ _ _ _ _ _ _ _ _ pgdn pgup del
_ _ ' _ _ '
_ _ _ _ _ _
_
_ _ @level3 _ _ @level3
) )
(deflayer level3 (deflayer level3
RA-2 RA-3 S-4 RA-5 S-¨ RA-7 RA-8 RA-9 RA-0 RA-+ ⇥ ⇤ S-' RA-2 RA-3 S-4 RA-5 S-¨ RA-7 RA-8 RA-9 RA-0 RA-+ ⇥ ⇤ S-'
RA-5 ▲ RA-¨ RA-5 ▲ RA-¨
◀ ▼ ▶ ◀ ▼ ▶
RA-<
RA-S-z RA-S-x @level3 RA-S-z RA-S-x @level3
) )


@@ -26,7 +26,7 @@ in
inputs.fonts.packages.${pkgs.system}.vcr-mono inputs.fonts.packages.${pkgs.system}.vcr-mono
noto-fonts noto-fonts
noto-fonts-cjk-sans noto-fonts-cjk-sans
noto-fonts-emoji noto-fonts-color-emoji
liberation_ttf liberation_ttf
fira-code-symbols fira-code-symbols
font-awesome font-awesome


@@ -1,62 +0,0 @@
{
config,
lib,
...
}: let
unit = "bazarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Bazarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Subtitle manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "bazarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.bazarr.loadBalancer.servers = [{url = "http://127.0.0.1:${toString config.services.${unit}.listenPort}";}];
routers = {
bazarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "bazarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}


@@ -1,101 +1,16 @@
{ {
self,
lib, lib,
config,
pkgs,
... ...
}: let }: let
hardDrives = [ clib = import "${self}/lib/server" {inherit lib;};
"/dev/disk/by-label/data"
];
inherit (lib) mkOption types;
cfg = config.server;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in { in {
options.server = { imports = [
enable = lib.mkEnableOption "The server services and configuration variables"; {
email = mkOption { _module.args.clib = clib;
default = ""; }
type = types.str; ./options.nix
description = '' ./infra
Email name to be used to access the server services via Caddy reverse proxy ./services
''; ];
};
domain = mkOption {
default = "";
type = types.str;
description = ''
Domain name to be used to access the server services via Caddy reverse proxy
'';
};
user = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
User to run the server services as
'';
};
group = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
Group to run the server services as
'';
};
uid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
UID to run the server services as
'';
};
gid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
GID to run the server services as
'';
};
timeZone = lib.mkOption {
default = "Europe/Stockholm";
type = lib.types.str;
description = ''
Time zone to be used for the server services
'';
};
};
config = lib.mkIf cfg.enable {
users = {
groups.${cfg.group} = {
gid = cfg.gid;
};
users.${cfg.user} = {
uid = cfg.uid;
isSystemUser = true;
group = cfg.group;
extraGroups = ifTheyExist [
"audio"
"video"
"docker"
"libvirtd"
"qemu-libvirtd"
"rtkit"
"fail2ban"
"vaultwarden"
"qbittorrent"
"lidarr"
"prowlarr"
"bazarr"
"sonarr"
"radarr"
"media"
"share"
"render"
"input"
"authentik"
"traefik"
];
};
};
};
} }


@@ -1,170 +0,0 @@
# "inspired" by @jtojnar <3
{
config,
lib,
self,
...
}: let
unit = "gitea";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "git.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 5003;
description = "The port to host Gitea on.";
};
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Gitea";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Git with a cup of tea";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "gitea.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
age.secrets = {
giteaCloudflared.file = "${self}/secrets/giteaCloudflared.age";
};
server = {
fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = {
gitea = {
serviceName = "gitea";
failRegex = ''.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>'';
};
};
};
};
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://localhost:${toString cfg.port}";
};
};
${unit} = {
enable = true;
appName = "cnix code forge";
database = {
type = "postgres";
socket = "/run/postgresql";
name = "gitea";
user = "gitea";
createDatabase = false;
};
lfs = {
enable = true;
};
settings = {
cors = {
ENABLED = true;
SCHEME = "https";
ALLOW_DOMAIN = cfg.url;
};
log = {
MODE = "console";
};
mailer = {
ENABLED = false;
MAILER_TYPE = "sendmail";
FROM = "noreply+adam@cnst.dev";
SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
};
picture = {
DISABLE_GRAVATAR = true;
};
repository = {
DEFAULT_BRANCH = "main";
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
};
indexer = {
REPO_INDEXER_ENABLED = true;
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
ACCOUNT_LINKING = "auto";
};
server = {
DOMAIN = cfg.url;
LANDING_PAGE = "explore";
HTTP_PORT = cfg.port;
ROOT_URL = "https://${cfg.url}/";
};
security = {
DISABLE_GIT_HOOKS = false;
};
service = {
DISABLE_REGISTRATION = true;
};
session = {
COOKIE_SECURE = true;
};
};
};
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.gitea.loadBalancer.servers = [{url = "http://127.0.0.1:5003";}];
routers = {
gitea = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "gitea";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
server.postgresql.databases = [
{
database = "gitea";
}
];
};
}


@@ -1,236 +0,0 @@
{
config,
lib,
self,
...
}: let
unit = "homepage-dashboard";
cfg = config.server.homepage-dashboard;
srv = config.server;
in {
options.server.homepage-dashboard = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
misc = lib.mkOption {
default = [];
type = lib.types.listOf (
lib.types.attrsOf (
lib.types.submodule {
options = {
description = lib.mkOption {
type = lib.types.str;
};
href = lib.mkOption {
type = lib.types.str;
};
siteMonitor = lib.mkOption {
type = lib.types.str;
};
icon = lib.mkOption {
type = lib.types.str;
};
};
}
)
);
};
};
config = lib.mkIf cfg.enable {
age.secrets = {
homepageEnvironment = {
file = "${self}/secrets/homepageEnvironment.age";
};
};
services = {
glances.enable = true;
${unit} = {
enable = true;
environmentFile = config.age.secrets.homepageEnvironment.path;
settings = {
layout = [
{
Glances = {
header = false;
style = "row";
columns = 4;
};
}
{
Arr = {
header = true;
style = "column";
};
}
{
Downloads = {
header = true;
style = "column";
};
}
{
Media = {
header = true;
style = "column";
};
}
{
Services = {
header = true;
style = "column";
};
}
];
headerStyle = "clean";
statusStyle = "dot";
hideVersion = "true";
};
widgets = [
{
openmeteo = {
label = "Kalmar";
timezone = "Europe/Stockholm";
units = "metric";
cache = 5;
latitude = 56.707262;
longitude = 16.324541;
};
}
{
resources = {
label = "SYSTEM";
memory = true;
cpu = true;
uptime = false;
};
}
];
services = let
homepageCategories = [
"Arr"
"Media"
"Downloads"
"Services"
];
hl = config.server;
mergedServices = hl // hl.podman;
homepageServices = x: (lib.attrsets.filterAttrs (
name: value: value ? homepage && value.homepage.category == x
)
mergedServices);
in
lib.lists.forEach homepageCategories (cat: {
"${cat}" =
lib.lists.forEach
(lib.attrsets.mapAttrsToList (name: value: {
inherit name;
url = value.url;
homepage = value.homepage;
}) (homepageServices "${cat}"))
(x: {
"${x.homepage.name}" = {
icon = x.homepage.icon;
description = x.homepage.description;
href = "https://${x.url}${x.homepage.path or ""}";
siteMonitor = "https://${x.url}${x.homepage.path or ""}";
};
});
})
++ [{Misc = cfg.misc;}]
++ [
{
Glances = let
port = toString config.services.glances.port;
in [
{
Info = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "info";
chart = false;
version = 4;
};
};
}
{
"CPU Temp" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:Tctl";
chart = false;
version = 4;
};
};
}
{
"GPU Radeon" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:junction";
chart = false;
version = 4;
};
};
}
{
"GPU Intel" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:pkg";
chart = false;
version = 4;
};
};
}
{
Processes = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "process";
chart = false;
version = 4;
};
};
}
{
Network = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "network:enp6s0";
chart = false;
version = 4;
};
};
}
];
}
];
};
traefik = {
dynamicConfigOptions = {
http = {
services.homepage.loadBalancer.servers = [
{url = "http://127.0.0.1:${toString config.services.${unit}.listenPort}";}
];
routers = {
homepage = {
entryPoints = ["websecure"];
rule = "Host(`cnix.dev`)";
service = "homepage";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
};
}


@@ -1,21 +1,24 @@
{ {
config, config,
lib, lib,
pkgs,
self, self,
... ...
}: let }: let
unit = "authentik"; unit = "authentik";
cfg = config.server.${unit}; cfg = config.server.infra.${unit};
srv = config.server; srv = config.server.infra;
in { in {
options.server.${unit} = { options.server.infra.${unit} = {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
description = "Enable ${unit}"; description = "Enable ${unit}";
}; };
url = lib.mkOption { url = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "auth.${srv.www.domain}"; default = "auth.${srv.www.url}";
};
port = lib.mkOption {
type = lib.types.port;
description = "The local port the service runs on";
}; };
cloudflared = { cloudflared = {
credentialsFile = lib.mkOption { credentialsFile = lib.mkOption {
@@ -31,21 +34,11 @@ in {
example = "00000000-0000-0000-0000-000000000000"; example = "00000000-0000-0000-0000-000000000000";
}; };
}; };
homepage.name = lib.mkOption { homepage = {
type = lib.types.str; name = "Authentik";
default = "Authentik"; description = "An open-source IdP for modern SSO";
}; icon = "authentik.svg";
homepage.description = lib.mkOption { category = "Services";
type = lib.types.str;
default = "An open-source IdP for modern SSO";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "authentik.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
}; };
}; };
@@ -59,8 +52,8 @@ in {
}; };
}; };
server = { server.infra = {
fail2ban = lib.mkIf cfg.enable { fail2ban = {
jails = { jails = {
authentik = { authentik = {
serviceName = "authentik"; serviceName = "authentik";
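Review bot: In the second hunk the new `homepage = { name = "Authentik"; … };` replaces four `lib.mkOption` declarations with plain strings, and the surrounding context (`cloudflared.credentialsFile = lib.mkOption`) suggests this is still inside `options.server.infra.${unit}`. If that is the case, the module system gets string values where it expects option declarations and evaluation should fail; either keep the `mkOption` declarations or move these values under `config`. The new `port` option in the first hunk also has no `default`, so every host that enables the module must set it; add a default or say in the `description` that it is required. The enclosing `options` and `config` blocks continue outside the visible hunks, so this should be confirmed against the full file.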


@@ -0,0 +1,13 @@
{
imports = [
./authentik
./fail2ban
./keepalived
./podman
./postgres
./tailscale
./traefik
./unbound
./www
];
}


@@ -5,9 +5,9 @@
pkgs, pkgs,
... ...
}: let }: let
cfg = config.server.fail2ban; cfg = config.server.infra.fail2ban;
in { in {
options.server.fail2ban = { options.server.infra.fail2ban = {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
description = "Enable cloudflare fail2ban"; description = "Enable cloudflare fail2ban";
}; };
@@ -61,6 +61,7 @@ in {
); );
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;


@@ -3,27 +3,24 @@
config, config,
self, self,
... ...
}: }: let
let
unit = "keepalived"; unit = "keepalived";
cfg = config.server.${unit}; cfg = config.server.infra.${unit};
hostCfg = hostCfg = hostname:
hostname: if hostname == "sobotka"
if hostname == "sobotka" then then {
{ ip = "192.168.88.14";
ip = "192.168.88.14"; priority = 20;
priority = 20; state = "MASTER";
state = "MASTER"; }
} else if hostname == "ziggy"
else if hostname == "ziggy" then then {
{ ip = "192.168.88.12";
ip = "192.168.88.12"; priority = 10;
priority = 10; state = "BACKUP";
state = "BACKUP"; }
} else throw "No keepalived config defined for host ${hostname}";
else
throw "No keepalived config defined for host ${hostname}";
_self = hostCfg config.networking.hostName; _self = hostCfg config.networking.hostName;
@@ -34,9 +31,8 @@ let
# Remove self from peers # Remove self from peers
peers = builtins.filter (ip: ip != _self.ip) allPeers; peers = builtins.filter (ip: ip != _self.ip) allPeers;
in in {
{ options.server.infra.${unit} = {
options.server.${unit} = {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
description = "Enable ${unit}"; description = "Enable ${unit}";
}; };


@@ -0,0 +1,6 @@
---
filenames:
- /var/log/traefik/access.log
poll_without_inotify: true
labels:
type: traefik
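Review bot: `filenames` points at `/var/log/traefik/access.log`, but the Traefik module added in this same commit sets `accesslog.filepath` to `/var/lib/traefik/logs/access.log`. This file reads like a CrowdSec acquisition definition; if so, it would tail a path nothing writes to, and no detections would ever come from proxy traffic. Point both at the same file, for example `- /var/lib/traefik/logs/access.log`, and check that the user running the log reader can traverse that directory. A leading comment naming the consumer of this file and the log format it expects would also help.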


@@ -0,0 +1,194 @@
{
config,
lib,
self,
...
}: let
infra = config.server.infra;
cfg = config.server.services;
getPiholeSecret = hostname:
if hostname == "ziggy"
then [config.age.secrets.piholeZiggy.path]
else if hostname == "sobotka"
then [config.age.secrets.pihole.path]
else throw "Unknown hostname: ${hostname}";
in {
options.server.infra = {
podman.enable = lib.mkEnableOption "Enables Podman";
gluetun.enable = lib.mkEnableOption "Enables gluetun";
};
config = lib.mkIf infra.podman.enable {
age.secrets = {
pihole.file = "${self}/secrets/${config.networking.hostName}Pihole.age";
slskd.file = "${self}/secrets/slskd.age";
};
virtualisation = {
containers.enable = true;
podman.enable = true;
};
networking.firewall = lib.mkIf cfg.pihole.enable {
allowedTCPPorts = [
53
5335
];
allowedUDPPorts = [
53
5335
];
};
virtualisation.oci-containers.containers = lib.mkMerge [
(lib.mkIf infra.gluetun.enable {
gluetun = {
image = "qmcgaw/gluetun";
ports = [
"8388:8388"
"58846:58846"
"8080:8080"
"5030:5030"
"5031:5031"
"50300:50300"
];
devices = ["/dev/net/tun:/dev/net/tun"];
autoStart = true;
extraOptions = [
"--cap-add=NET_ADMIN"
];
volumes = ["/var:/gluetun"];
environmentFiles = [
config.age.secrets.gluetunEnvironment.path
];
environment = {
DEV_MODE = "false";
VPN_SERVICE_PROVIDER = "mullvad";
VPN_TYPE = "wireguard";
SERVER_CITIES = "Stockholm";
};
};
})
(lib.mkIf cfg.qbittorrent.enable {
qbittorrent = {
image = "ghcr.io/hotio/qbittorrent:latest";
autoStart = true;
dependsOn = ["gluetun"];
ports = [
"8080:8080"
"58846:58846"
];
extraOptions = [
"--network=container:gluetun"
];
volumes = [
"/var/lib/qbittorrent:/config:rw"
"/mnt/data/media/downloads:/downloads:rw"
];
environmentFiles = [
config.age.secrets.gluetunEnvironment.path
];
environment = {
PUID = "994";
PGID = "993";
TZ = "Europe/Stockholm";
WEBUI_PORT = "${builtins.toString cfg.qbittorrent.port}";
};
};
})
(lib.mkIf cfg.slskd.enable {
slskd = {
image = "slskd/slskd:latest";
autoStart = true;
dependsOn = ["gluetun"];
ports = [
"5030:5030"
"5031:5031"
"50300:50300"
];
extraOptions = [
"--network=container:gluetun"
];
volumes = [
"/var/lib/slskd:/app:rw"
"/mnt/data/media/downloads:/downloads:rw"
];
environmentFiles = [
config.age.secrets.gluetunEnvironment.path
config.age.secrets.slskd.path
];
environment = {
TZ = "Europe/Stockholm";
PUID = "981";
PGID = "982";
SLSKD_REMOTE_CONFIGURATION = "true";
SLSKD_REMOTE_FILE_MANAGEMENT = "true";
SLSKD_DOWNLOADS_DIR = "/downloads";
SLSKD_UMASK = "022";
};
};
})
(lib.mkIf cfg.pihole.enable {
pihole = {
autoStart = true;
image = "pihole/pihole:2025.08.0";
volumes = [
"/var/lib/pihole:/etc/pihole/"
"/var/lib/dnsmasq.d:/etc/dnsmasq.d/"
];
environment = {
TZ = "Europe/Stockholm";
CUSTOM_CACHE_SIZE = "0";
WEBTHEME = "default-darker";
};
environmentFiles = getPiholeSecret config.networking.hostName;
ports = [
"53:53/tcp"
"53:53/udp"
"8053:80/tcp"
];
extraOptions = [
"--cap-add=NET_ADMIN"
"--cap-add=SYS_NICE"
"--cap-add=SYS_TIME"
];
};
})
(lib.mkIf cfg.ollama.enable {
intel-llm = {
autoStart = true;
image = "intelanalytics/ipex-llm-inference-cpp-xpu:latest";
devices = [
"/dev/dri:/dev/dri:rwm"
];
volumes = [
"/var/lib/ollama:/models"
];
environment = {
OLLAMA_ORIGINS = "http://192.168.*";
SYCL_PI_LEVEL_ZERO_USE_IMMEDIATE_COMMANDLISTS = "1";
ONEAPI_DEVICE_SELECTOR = "level_zero:0";
OLLAMA_HOST = "[::]:11434";
no_proxy = "localhost,127.0.0.1";
DEVICE = "Arc";
OLLAMA_NUM_GPU = "999";
ZES_ENABLE_SYSMAN = "1";
};
cmd = [
"/bin/sh"
"-c"
"/llm/scripts/start-ollama.sh && echo 'Startup script finished, container is now idling.' && sleep infinity"
];
extraOptions = [
"--net=host"
"--memory=32G"
"--shm-size=16g"
];
};
})
];
};
}
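Review bot: The gluetun container mounts the whole host `/var` read-write via `volumes = ["/var:/gluetun"];`, which exposes every service's state directory under `/var/lib` to a container that also holds `NET_ADMIN`. Give it a dedicated directory instead, e.g. `volumes = ["/var/lib/gluetun:/gluetun"];` (path constructed here, adjust to taste). Only the pihole image is pinned: `qmcgaw/gluetun` has no tag and the qbittorrent, slskd and ipex-llm images use `:latest`, so each restart can pull unreviewed code; pin a version or digest. The `intel-llm` container combines `--net=host` with `OLLAMA_HOST = "[::]:11434"`, which puts an unauthenticated API on every interface; bind it to loopback or a specific address and reach it through the proxy. `gluetunEnvironment` and `piholeZiggy` are referenced but not declared in this file's `age.secrets`, so confirm they are defined elsewhere.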


@@ -7,10 +7,10 @@
}: let }: let
inherit (lib) types mkOption; inherit (lib) types mkOption;
cfg = config.server.postgresql; cfg = config.server.infra.postgresql;
in { in {
options = { options = {
server.postgresql = { server.infra.postgresql = {
upgradeTargetPackage = mkOption { upgradeTargetPackage = mkOption {
type = types.nullOr types.package; type = types.nullOr types.package;
default = null; default = null;


@@ -7,7 +7,7 @@
}: let }: let
inherit (lib) types mkOption; inherit (lib) types mkOption;
cfg = config.server.postgresql; cfg = config.server.infra.postgresql;
database = {name, ...}: { database = {name, ...}: {
options = { options = {
@@ -31,7 +31,7 @@
}; };
in { in {
options = { options = {
server.postgresql = { server.infra.postgresql = {
databases = mkOption { databases = mkOption {
type = types.listOf (types.submodule database); type = types.listOf (types.submodule database);
default = []; default = [];


@@ -5,16 +5,11 @@
... ...
}: }:
with lib; let with lib; let
cfg = config.server.tailscale; cfg = config.server.infra.tailscale;
in { in {
options.server.tailscale = { options.server.infra.tailscale = {
enable = mkEnableOption "Enable tailscale server configuration"; enable = mkEnableOption "Enable tailscale server configuration";
url = lib.mkOption {
type = lib.types.str;
default = "ts.cnst.dev";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
age.secrets.sobotkaTsAuth.file = "${self}/secrets/sobotkaTsAuth.age"; age.secrets.sobotkaTsAuth.file = "${self}/secrets/sobotkaTsAuth.age";


@@ -0,0 +1,183 @@
{
lib,
clib,
config,
pkgs,
self,
...
}: let
inherit (lib) mkEnableOption mkIf types;
cfg = config.server.infra.traefik;
srv = config.server;
generateRouters = services: config:
lib.mapAttrs' (
name: service:
lib.nameValuePair name {
entryPoints = ["websecure"];
# FIX 3: Use backticks for the Host rule and interpolation
rule = "Host(`${clib.server.mkFullDomain config service}`)";
service = name;
tls.certResolver = "letsencrypt";
}
) (lib.filterAttrs (_: s: s.enable) services);
generateServices = services:
lib.mapAttrs' (name: service:
lib.nameValuePair name {
loadBalancer.servers = [{url = "http://localhost:${toString service.port}";}];
}) (lib.filterAttrs (name: service: service.enable) services);
getCloudflareCredentials = hostname:
if hostname == "ziggy"
then config.age.secrets.cloudflareDnsCredentialsZiggy.path
else if hostname == "sobotka"
then config.age.secrets.cloudflareDnsCredentials.path
else throw "Unknown hostname: ${hostname}";
in {
options.server.infra.traefik = {
enable = mkEnableOption "Enable global Traefik reverse proxy with ACME";
};
config = mkIf cfg.enable {
age.secrets = {
traefikEnv = {
file = "${self}/secrets/traefikEnv.age";
mode = "640";
owner = "traefik";
group = "traefik";
};
crowdsecApi.file = "${self}/secrets/crowdsecApi.age";
};
systemd.services.traefik = {
serviceConfig = {
EnvironmentFile = [config.age.secrets.traefikEnv.path];
};
};
networking.firewall.allowedTCPPorts = [80 443];
services = {
tailscale.permitCertUid = "traefik";
traefik = {
enable = true;
staticConfigOptions = {
log = {
level = "DEBUG";
};
accesslog = {filepath = "/var/lib/traefik/logs/access.log";};
tracing = {};
api = {
dashboard = true;
insecure = false;
};
certificatesResolvers = {
vpn.tailscale = {};
letsencrypt = {
acme = {
email = "adam@cnst.dev";
storage = "/var/lib/traefik/cert.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"1.0.0.1:53"
];
};
};
};
};
entryPoints = {
# redis = {
# address = "0.0.0.0:6381";
# };
# postgres = {
# address = "0.0.0.0:5433";
# };
web = {
address = ":80";
forwardedHeaders.insecure = true;
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
permanent = true;
};
# http.middlewares = "crowdsec@file";
};
websecure = {
address = ":443";
forwardedHeaders.insecure = true;
http.tls = {
certResolver = "letsencrypt";
domains = [
{
main = "cnix.dev";
sans = ["*.cnix.dev"];
}
{
main = "ts.cnst.dev";
sans = ["*ts.cnst.dev"];
}
];
};
# http.middlewares = "crowdsec@file";
};
experimental = {
address = ":1111";
forwardedHeaders.insecure = true;
};
};
experimental = {
# Install the Crowdsec Bouncer plugin
plugins = {
#enabled = "true";
bouncer = {
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
version = "v1.4.5";
};
};
};
};
dynamicConfigOptions = {
http = {
services = generateServices srv.services;
routers =
(generateRouters srv.services config)
// {
api = {
entryPoints = ["websecure"];
rule = "Host(`traefik.${srv.domain}`)";
service = "api@internal";
tls.certResolver = "letsencrypt";
};
};
# middlewares = {
# crowdsec = {
# plugin = {
# bouncer = {
# enabled = "true";
# logLevel = "DEBUG";
# crowdsecLapiKeyFile = config.age.secrets.crowdsecApi.path;
# crowdsecMode = "live";
# crowdsecLapiHost = ":4223";
# };
# };
# };
# };
};
};
};
};
};
}
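Review bot: All three entry points (`web`, `websecure`, `experimental`) set `forwardedHeaders.insecure = true`, so Traefik accepts `X-Forwarded-*` headers from any client. The client address in the access log and the one passed to backends is then attacker-controlled, which undermines the fail2ban jails and the CrowdSec bouncer this file prepares for. Restrict it to the real front proxy with something like `forwardedHeaders.trustedIPs = ["127.0.0.1/32"];` (sample value, use the actual tunnel or proxy source). The `api` router also publishes `api@internal` with `dashboard = true` on `websecure` without any auth middleware, so attach one before this is reachable. Smaller points: `sans = ["*ts.cnst.dev"]` is missing a dot (presumably `*.ts.cnst.dev`), and `log.level = "DEBUG"` plus the leftover `# FIX 3:` comment should not ship.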


@@ -5,7 +5,20 @@
... ...
}: let }: let
unit = "unbound"; unit = "unbound";
cfg = config.server.${unit}; cfg = config.server.infra.${unit};
srv = config.server;
svcNames = lib.attrNames srv.services;
localARecords = builtins.concatLists (map (
name: let
s = srv.services.${name};
in
if s != null && s.enable && s.subdomain != null
then [''"${s.subdomain}.${srv.domain}. A ${srv.ip}"'']
else []
)
svcNames);
hostIp = hostname: hostIp = hostname:
if hostname == "ziggy" if hostname == "ziggy"
@@ -14,11 +27,12 @@
then "192.168.88.14" then "192.168.88.14"
else throw "No IP defined for host ${hostname}"; else throw "No IP defined for host ${hostname}";
in { in {
options.server.${unit} = { options.server.infra.${unit} = {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
description = "Enable ${unit}"; description = "Enable ${unit}";
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services = { services = {
# resolved.enable = lib.mkForce false; # resolved.enable = lib.mkForce false;
@@ -97,6 +111,11 @@ in {
"255.255.255.255/32" "255.255.255.255/32"
"2001:db8::/32" "2001:db8::/32"
]; ];
local-data =
[
''"traefik.${config.settings.accounts.domains.local}. A 192.168.88.14"''
]
++ localARecords;
}; };
}; };
}; };
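Review bot: In `localARecords` the guard `s.subdomain != null` never filters anything, because `subdomain` is declared in `modules/server/options.nix` as `lib.types.str` with `default = ""`. An enabled service without a subdomain therefore produces a `local-data` entry whose name starts with a bare dot (`.${srv.domain}.`). Compare against the empty string instead: `if s.enable && s.subdomain != ""`. The list also ignores `exposure`, so services marked `tunnel` or `tailscale` get a LAN A record as well; worth confirming that is intended. The `let` block and the `server` settings continue outside these hunks.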


@@ -1,15 +1,13 @@
{ {
lib, lib,
config, config,
pkgs,
self, self,
... ...
}: let }: let
inherit (lib) mkOption mkEnableOption mkIf types; inherit (lib) mkIf mkEnableOption mkOption types;
cfg = config.server.www; cfg = config.server.infra.www;
srv = config.server;
in { in {
options.server.www = { options.server.infra.www = {
enable = mkEnableOption { enable = mkEnableOption {
description = "Enable personal website"; description = "Enable personal website";
}; };
@@ -20,6 +18,12 @@ in {
Public domain name to be used to access the server services via Traefik reverse proxy Public domain name to be used to access the server services via Traefik reverse proxy
''; '';
}; };
port = lib.mkOption {
type = lib.types.int;
default = 8283;
description = "The port to host webservice on.";
};
cloudflared = { cloudflared = {
credentialsFile = lib.mkOption { credentialsFile = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@@ -41,8 +45,8 @@ in {
wwwCloudflared.file = "${self}/secrets/wwwCloudflared.age"; wwwCloudflared.file = "${self}/secrets/wwwCloudflared.age";
}; };
server = { server.infra = {
fail2ban = lib.mkIf config.server.www.enable { fail2ban = {
jails = { jails = {
nginx-404 = { nginx-404 = {
serviceName = "nginx"; serviceName = "nginx";
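Review bot: The new `port` option in the second hunk is typed `lib.types.int`, which accepts negative values and numbers above 65535. The authentik module in this commit already uses `lib.types.port`; use the same here with `type = lib.types.port;`. The per-service `port` option in `modules/server/options.nix` has the same issue.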


@@ -1,65 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
unit = "jellyfin";
cfg = config.server.${unit};
srv = config.server;
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "fin.${srv.tailscale.url}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Jellyfin";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "The Free Software Media System";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "jellyfin.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Media";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
environment.systemPackages = with pkgs; [
jellyfin-ffmpeg
];
services.traefik = {
dynamicConfigOptions = {
http = {
services.${unit}.loadBalancer.servers = [{url = "http://localhost:8096";}];
routers = {
jellyfinRouter = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "${unit}";
tls.certResolver = "letsencrypt";
};
};
};
};
};
};
}


@@ -1,61 +0,0 @@
{
config,
lib,
...
}: let
unit = "jellyseerr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
url = lib.mkOption {
type = lib.types.str;
# default = "seer.${srv.tailscale.url}";
default = "jellyseerr.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.port;
default = 5055;
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Jellyseerr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Media request and discovery manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "jellyseerr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
port = cfg.port;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.jellyseerr.loadBalancer.servers = [{url = "http://localhost:${toString cfg.port}";}];
routers = {
jellyseerr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "${unit}";
tls.certResolver = "letsencrypt";
};
};
};
};
};
};
}


@@ -1,62 +0,0 @@
{
config,
lib,
...
}: let
unit = "lidarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Lidarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Music collection manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "lidarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.lidarr.loadBalancer.servers = [{url = "http://127.0.0.1:8686";}];
routers = {
lidarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "lidarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}


@@ -1,64 +0,0 @@
{
config,
lib,
...
}: let
unit = "n8n";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "n8n";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "A workflow automation platform";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "n8n.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
services = {
n8n = {
enable = true;
openFirewall = true;
};
traefik = {
dynamicConfigOptions = {
http = {
services.n8n.loadBalancer.servers = [{url = "http://127.0.0.1:5678";}];
routers = {
n8n = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "n8n";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
};
}


@@ -1,153 +0,0 @@
{
config,
pkgs,
lib,
self,
...
}: let
unit = "nextcloud";
cfg = config.server.${unit};
srv = config.server;
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
adminpassFile = lib.mkOption {
type = lib.types.path;
};
adminuser = lib.mkOption {
type = lib.types.str;
default = "cnst";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "cloud.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Nextcloud";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "A safe home for all your data";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "nextcloud.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
age.secrets = {
nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age";
};
server.fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = {
nextcloud = {
serviceName = "${unit}";
_groupsre = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
failRegex = ''
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
'';
datePattern = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
};
};
};
services = {
${unit} = {
enable = true;
package = pkgs.nextcloud32;
hostName = "nextcloud";
configureRedis = true;
caching = {
redis = true;
};
phpOptions = {
"opcache.interned_strings_buffer" = "32";
};
maxUploadSize = "50G";
settings = {
maintenance_window_start = "1";
trusted_proxies = [
"127.0.0.1"
"::1"
];
trusted_domains = ["cloud.${srv.domain}"];
overwriteprotocol = "https";
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "cnst";
adminpassFile = cfg.adminpassFile;
};
};
nginx = {
defaultListen = [
{
addr = "127.0.0.1";
port = 8182;
}
{
addr = "127.0.0.1";
port = 8482;
}
];
virtualHosts.nextcloud = {
forceSSL = false;
};
};
traefik.dynamicConfigOptions.http = {
routers.nextcloud = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "nextcloud";
tls.certResolver = "letsencrypt";
};
services.nextcloud.loadBalancer.servers = [
{url = "http://127.0.0.1:8182";}
];
};
};
server.postgresql.databases = [
{
database = "nextcloud";
}
];
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
};
}

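--- a/modules/server/options.nix
+++ b/modules/server/options.nix
@@ -0,0 +1,180 @@
+{
+lib,
+config,
+...
+}: let
+inherit (lib) mkOption types;
+ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+cfg = config.server;
+in {
+options.server = {
+enable = lib.mkEnableOption "The server services and configuration variables";
+email = mkOption {
+default = "";
+type = types.str;
+description = ''
+Email name to be used to access the server services via Caddy reverse proxy
+'';
+};
+domain = mkOption {
+default = "";
+type = types.str;
+description = ''
+Domain name to be used to access the server services via Caddy reverse proxy
+'';
+};
+ip = lib.mkOption {
+type = lib.types.str;
+default = "127.0.0.1";
+description = "The local IP of the service.";
+};
+user = lib.mkOption {
+default = "share";
+type = lib.types.str;
+description = ''
+User to run the server services as
+'';
+};
+group = lib.mkOption {
+default = "share";
+type = lib.types.str;
+description = ''
+Group to run the server services as
+'';
+};
+uid = lib.mkOption {
+default = 1000;
+type = lib.types.int;
+description = ''
+UID to run the server services as
+'';
+};
+gid = lib.mkOption {
+default = 1000;
+type = lib.types.int;
+description = ''
+GID to run the server services as
+'';
+};
+timeZone = lib.mkOption {
+default = "Europe/Stockholm";
+type = lib.types.str;
+description = ''
+Time zone to be used for the server services
+'';
+};
+services = lib.mkOption {
+type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
+options = {
+enable = lib.mkEnableOption "the service";
+subdomain = lib.mkOption {
+type = lib.types.str;
+default = "";
+description = "The subdomain for the service (e.g., 'jellyfin')";
+};
+exposure = lib.mkOption {
+type = lib.types.enum ["local" "tunnel" "tailscale"];
+default = "local";
+description = "Controls where the service is exposed";
+};
+port = lib.mkOption {
+type = lib.types.int;
+default = 80;
+description = "The port to host service on.";
+};
+configDir = lib.mkOption {
+type = lib.types.path;
+default = "/var/lib/${name}";
+description = "Configuration directory for ${name}.";
+};
+cloudflared = lib.mkOption {
+type = lib.types.submodule {
+options = {
+credentialsFile = lib.mkOption {
+type = lib.types.str;
+example = lib.literalExpression ''
+pkgs.writeText "cloudflare-credentials.json" '''
+{"AccountTag":"secret","TunnelSecret":"secret","TunnelID":"secret"}
+'''
+'';
+};
+tunnelId = lib.mkOption {
+type = lib.types.str;
+example = "00000000-0000-0000-0000-000000000000";
+};
+};
+};
+description = "Cloudflare tunnel configuration for this service.";
+};
+homepage = lib.mkOption {
+type = lib.types.submodule {
+options = {
+name = lib.mkOption {
+type = lib.types.str;
+default = "";
+description = "Display name on the homepage.";
+};
+description = lib.mkOption {
+type = lib.types.str;
+default = "";
+description = "A short description for the homepage tile.";
+};
+icon = lib.mkOption {
+type = lib.types.str;
+default = "Zervices c00l stuff";
+description = "Icon file name for the homepage tile.";
+};
+category = lib.mkOption {
+type = lib.types.str;
+default = "";
+description = "Homepage category grouping.";
+};
+path = lib.mkOption {
+type = lib.types.str;
+default = "";
+example = "/admin";
+description = "Optional path suffix for homepage links (e.g. /admin).";
+};
+};
+};
+description = "Homepage metadata for this service.";
+};
+};
+}));
+};
+};
+config = lib.mkIf cfg.enable {
+users = {
+groups.${cfg.group} = {
+gid = cfg.gid;
+};
+users.${cfg.user} = {
+uid = cfg.uid;
+isSystemUser = true;
+group = cfg.group;
+extraGroups = ifTheyExist [
+"audio"
+"video"
+"docker"
+"libvirtd"
+"qemu-libvirtd"
+"rtkit"
+"fail2ban"
+"vaultwarden"
+"qbittorrent"
+"lidarr"
+"prowlarr"
+"bazarr"
+"sonarr"
+"radarr"
+"media"
+"share"
+"render"
+"input"
+"authentik"
+"traefik"
+];
+};
+};
+};
+}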


@@ -1,323 +0,0 @@
{
config,
lib,
pkgs,
self,
...
}: let
srv = config.server;
cfg = config.server.podman;
piholeUrl =
if config.networking.hostName == "sobotka"
then "pihole0"
else if config.networking.hostName == "ziggy"
then "pihole1"
else throw "Unknown hostname";
getPiholeSecret = hostname:
if hostname == "ziggy"
then [config.age.secrets.piholeZiggy.path]
else if hostname == "sobotka"
then [config.age.secrets.pihole.path]
else throw "Unknown hostname: ${hostname}";
in {
options.server.podman = {
enable = lib.mkEnableOption "Enables Podman";
gluetun.enable = lib.mkEnableOption "Enables gluetun";
qbittorrent = {
enable = lib.mkEnableOption "Enable qBittorrent";
url = lib.mkOption {
type = lib.types.str;
default = "qbt.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 8080;
description = "The port to host qBittorrent on.";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "qBittorrent";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Torrent client";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "qbittorrent.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Downloads";
};
};
slskd = {
enable = lib.mkEnableOption "Enable Soulseek";
url = lib.mkOption {
type = lib.types.str;
default = "slskd.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 5030;
description = "The port to host Soulseek webui on.";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "slskd";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Web-based Soulseek client";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "slskd.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Downloads";
};
};
pihole = {
enable = lib.mkEnableOption {
description = "Enable";
};
port = lib.mkOption {
type = lib.types.int;
default = 8053;
description = "The port to host PiHole on.";
};
url = lib.mkOption {
type = lib.types.str;
default = "${piholeUrl}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "PiHole";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Adblocking and DNS service";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "pi-hole.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
homepage.path = lib.mkOption {
type = lib.types.str;
default = "/admin";
description = "Optional path suffix for homepage links (e.g. /admin).";
};
};
};
config = lib.mkIf cfg.enable {
age.secrets = {
pihole.file = "${self}/secrets/${config.networking.hostName}Pihole.age";
slskd.file = "${self}/secrets/slskd.age";
};
virtualisation = {
containers.enable = true;
podman.enable = true;
};
networking.firewall = lib.mkIf cfg.pihole.enable {
allowedTCPPorts = [
53
5335
];
allowedUDPPorts = [
53
5335
];
};
services = {
traefik = lib.mkMerge [
(lib.mkIf cfg.pihole.enable {
dynamicConfigOptions = {
http = {
services = {
pihole.loadBalancer.servers = [{url = "http://localhost:${toString cfg.pihole.port}";}];
};
routers = {
pihole = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.pihole.url}`)";
service = "pihole";
tls.certResolver = "letsencrypt";
};
};
};
};
})
(lib.mkIf cfg.qbittorrent.enable {
dynamicConfigOptions = {
http = {
services = {
qbittorrent.loadBalancer.servers = [{url = "http://localhost:${toString cfg.qbittorrent.port}";}];
};
routers = {
qbittorrent = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.qbittorrent.url}`)";
service = "qbittorrent";
tls.certResolver = "letsencrypt";
};
};
};
};
})
(lib.mkIf cfg.slskd.enable {
dynamicConfigOptions = {
http = {
services = {
slskd.loadBalancer.servers = [{url = "http://localhost:${toString cfg.slskd.port}";}];
};
routers = {
slskd = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.slskd.url}`)";
service = "slskd";
tls.certResolver = "letsencrypt";
};
};
};
};
})
];
};
virtualisation.oci-containers.containers = lib.mkMerge [
(lib.mkIf cfg.gluetun.enable {
gluetun = {
image = "qmcgaw/gluetun";
ports = [
"8388:8388"
"58846:58846"
"8080:8080"
"5030:5030"
"5031:5031"
"50300:50300"
];
devices = ["/dev/net/tun:/dev/net/tun"];
autoStart = true;
extraOptions = [
"--cap-add=NET_ADMIN"
];
volumes = ["/var:/gluetun"];
environmentFiles = [
config.age.secrets.gluetunEnvironment.path
];
environment = {
DEV_MODE = "false";
VPN_SERVICE_PROVIDER = "mullvad";
VPN_TYPE = "wireguard";
SERVER_CITIES = "Stockholm";
};
};
})
(lib.mkIf cfg.qbittorrent.enable {
qbittorrent = {
image = "ghcr.io/hotio/qbittorrent:latest";
autoStart = true;
dependsOn = ["gluetun"];
ports = [
"8080:8080"
"58846:58846"
];
extraOptions = [
"--network=container:gluetun"
];
volumes = [
"/var/lib/qbittorrent:/config:rw"
"/mnt/data/media/downloads:/downloads:rw"
];
environmentFiles = [
config.age.secrets.gluetunEnvironment.path
];
environment = {
PUID = "994";
PGID = "993";
TZ = "Europe/Stockholm";
WEBUI_PORT = "${builtins.toString cfg.qbittorrent.port}";
};
};
})
(lib.mkIf cfg.slskd.enable {
slskd = {
image = "slskd/slskd:latest";
autoStart = true;
dependsOn = ["gluetun"];
ports = [
"5030:5030"
"5031:5031"
"50300:50300"
];
extraOptions = [
"--network=container:gluetun"
];
volumes = [
"/var/lib/slskd:/app:rw"
"/mnt/data/media/downloads:/downloads:rw"
];
environmentFiles = [
config.age.secrets.gluetunEnvironment.path
config.age.secrets.slskd.path
];
environment = {
TZ = "Europe/Stockholm";
PUID = "981";
PGID = "982";
SLSKD_REMOTE_CONFIGURATION = "true";
SLSKD_REMOTE_FILE_MANAGEMENT = "true";
SLSKD_DOWNLOADS_DIR = "/downloads";
SLSKD_UMASK = "022";
};
};
})
(lib.mkIf cfg.pihole.enable {
pihole = {
autoStart = true;
image = "pihole/pihole:2025.08.0";
volumes = [
"/var/lib/pihole:/etc/pihole/"
"/var/lib/dnsmasq.d:/etc/dnsmasq.d/"
];
environment = {
TZ = "Europe/Stockholm";
CUSTOM_CACHE_SIZE = "0";
WEBTHEME = "default-darker";
};
environmentFiles = getPiholeSecret config.networking.hostName;
ports = [
"53:53/tcp"
"53:53/udp"
"8053:80/tcp"
];
extraOptions = [
"--cap-add=NET_ADMIN"
"--cap-add=SYS_NICE"
"--cap-add=SYS_TIME"
];
};
})
];
};
}


@@ -1,80 +0,0 @@
{
config,
lib,
...
}: let
unit = "prowlarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Prowlarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "PVR indexer";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "prowlarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
flaresolverr = {
enable = true;
};
traefik = {
dynamicConfigOptions = {
http = {
services = {
prowlarr = {
loadBalancer.servers = [{url = "http://127.0.0.1:9696";}];
};
flaresolverr = {
loadBalancer.servers = [{url = "http://127.0.0.1:8191";}];
};
};
routers = {
prowlarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "prowlarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
flaresolverr = {
entryPoints = ["websecure"];
rule = "Host(`flaresolverr.${srv.domain}`)";
service = "flaresolverr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
};
}


@@ -1,62 +0,0 @@
{
config,
lib,
...
}: let
unit = "radarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Radarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Film collection manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "radarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.radarr.loadBalancer.servers = [{url = "http://127.0.0.1:7878";}];
routers = {
radarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "radarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}


@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "bazarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}


@@ -0,0 +1,19 @@
{
imports = [
./bazarr
./flaresolverr
./gitea
./homepage-dashboard
./jellyfin
./jellyseerr
./lidarr
./n8n
./nextcloud
./ollama
./prowlarr
./radarr
./sonarr
./uptime-kuma
./vaultwarden
];
}


@@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
unit = "flaresolverr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}


@@ -0,0 +1,94 @@
{
config,
lib,
self,
...
}: let
unit = "gitea";
cfg = config.server.services.${unit};
domain = "${cfg.subdomain}.${config.server.infra.www.url}";
in {
config = lib.mkIf cfg.enable {
age.secrets.giteaCloudflared.file = "${self}/secrets/giteaCloudflared.age";
server.infra = {
fail2ban.jails.${unit} = {
serviceName = "${unit}";
failRegex = ''.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>'';
};
postgresql.databases = [
{database = "gitea";}
];
};
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${domain}".service = "http://localhost:${toString cfg.port}";
};
};
gitea = {
enable = true;
appName = "cnix code forge";
database = {
type = "postgres";
socket = "/run/postgresql";
name = "gitea";
user = "gitea";
createDatabase = false;
};
lfs.enable = true;
settings = {
cors = {
ENABLED = true;
SCHEME = "https";
ALLOW_DOMAIN = domain;
};
log.MODE = "console";
mailer = {
ENABLED = false;
MAILER_TYPE = "sendmail";
FROM = "noreply+adam@cnst.dev";
SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
};
picture.DISABLE_GRAVATAR = true;
repository = {
DEFAULT_BRANCH = "main";
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
};
indexer.REPO_INDEXER_ENABLED = true;
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
ACCOUNT_LINKING = "auto";
};
server = {
DOMAIN = domain;
LANDING_PAGE = "explore";
HTTP_PORT = cfg.port;
ROOT_URL = "https://${domain}/";
};
security.DISABLE_GIT_HOOKS = false;
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
};
};
};
};
}
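Review bot: `security.DISABLE_GIT_HOOKS = false` in the gitea `settings` lets any account that is granted the git-hooks permission run arbitrary commands as the gitea service user, and nothing in the section says why server-side hooks are needed. If no workflow depends on them, set `security.DISABLE_GIT_HOOKS = true;`, or add a comment naming the use case. In the same block, `oauth2_client.ACCOUNT_LINKING = "auto"` together with `ENABLE_AUTO_REGISTRATION = true` attaches an external login to an existing local account by matching name or e-mail without a confirmation step, so it is only safe when the identity provider is trusted to verify those fields; `ACCOUNT_LINKING = "login"` asks for the local password first.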


@@ -0,0 +1,227 @@
{
config,
lib,
self,
clib,
...
}: let
unit = "homepage-dashboard";
cfg = config.server.services.${unit};
srv = config.server;
in {
config = lib.mkIf cfg.enable {
age.secrets = {
homepageEnvironment = {
file = "${self}/secrets/homepageEnvironment.age";
};
};
services = {
glances.enable = true;
${unit} = {
enable = true;
environmentFile = config.age.secrets.homepageEnvironment.path;
settings = {
color = "stone";
theme = "dark";
headerStyle = "clean";
statusStyle = "dot";
hideVersion = true;
useEqualHeights = true;
layout = [
{
Glances = {
header = false;
style = "row";
columns = 4;
};
}
{
Arr = {
header = true;
style = "column";
};
}
{
Downloads = {
header = true;
style = "column";
};
}
{
Media = {
header = true;
style = "column";
};
}
{
Services = {
header = true;
style = "column";
};
}
];
};
widgets = [
{
openmeteo = {
label = "Kalmar";
timezone = "Europe/Stockholm";
units = "metric";
cache = 5;
latitude = 56.707262;
longitude = 16.324541;
};
}
{
resources = {
label = "SYSTEM";
memory = true;
cpu = true;
uptime = false;
};
}
];
services = let
homepageCategories = [
"Arr"
"Media"
"Downloads"
"Services"
];
allServices = srv.services;
getDomain = s: clib.server.mkHostDomain config s;
homepageServicesFor = category:
lib.filterAttrs
(
name: value:
name
!= unit
&& value ? homepage
&& value.homepage.category == category
)
allServices;
in
lib.lists.forEach homepageCategories (cat: {
"${cat}" =
lib.lists.forEach
(lib.attrsets.mapAttrsToList (name: _value: name) (homepageServicesFor cat))
(x: let
service = allServices.${x};
domain = getDomain service;
in {
"${service.homepage.name}" = {
icon = service.homepage.icon;
description = service.homepage.description;
href = "https://${service.subdomain}.${domain}${service.homepage.path or ""}";
siteMonitor = "https://${service.subdomain}.${domain}${x.homepage.path or ""}";
};
});
})
++ [
{
Glances = let
glancesShared = {
type = "glances";
url = "http://localhost:${toString config.services.glances.port}";
chart = true;
version = 4;
};
in [
{
Memory = {
widget =
glancesShared
// {
metric = "memory";
refreshInterval = 2000;
pointsLimit = 30;
};
};
}
{
"CPU Usage" = {
widget =
glancesShared
// {
metric = "cpu";
refreshInterval = 2000;
pointsLimit = 30;
};
};
}
{
"CPU Temp" = {
widget =
glancesShared
// {
metric = "sensor:Tctl";
refreshInterval = 5000;
pointsLimit = 20;
};
};
}
{
"GPU Radeon" = {
widget =
glancesShared
// {
metric = "sensor:junction";
};
};
}
{
"GPU Intel" = {
widget =
glancesShared
// {
metric = "sensor:pkg";
};
};
}
{
"ZFS Pool" = {
widget =
glancesShared
// {
metric = "fs:/mnt/data";
refreshInterval = 30000;
pointsLimit = 20;
diskUnits = "bytes";
};
};
}
{
Processes = {
widget =
glancesShared
// {
metric = "process";
};
};
}
{
Network = {
widget =
glancesShared
// {
metric = "network:enp6s0";
};
};
}
];
}
];
};
};
};
}
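Review bot: In the `services` generator, `siteMonitor` reads `x.homepage.path or ""`, but `x` is the service name produced by `mapAttrsToList (name: _value: name)`, not the service attrset, so the selection always falls back to `""` and the monitor URL loses the path that `href` keeps. Use the same expression as `href`: `siteMonitor = "https://${service.subdomain}.${domain}${service.homepage.path or ""}";`. Binding the URL once in the inner `let` and using it for both fields would keep the two from drifting apart again.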


@@ -0,0 +1,21 @@
{
config,
lib,
pkgs,
...
}: let
unit = "jellyfin";
cfg = config.server.services.${unit};
srv = config.server;
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
environment.systemPackages = with pkgs; [
jellyfin-ffmpeg
];
};
}


@@ -0,0 +1,15 @@
{
config,
lib,
...
}: let
unit = "jellyseerr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
port = cfg.port;
};
};
}


@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "lidarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}


@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "n8n";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
n8n = {
enable = true;
openFirewall = true;
};
};
};
}
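Review bot: `openFirewall = true` opens the n8n port on the host firewall no matter what the service's `exposure` option says, and that option defaults to `"local"` in the `server.services` submodule. n8n stores credentials for every system its workflows touch, so direct network access to it should be a deliberate choice rather than a side effect of enabling the unit. Unless the port has to be reachable from outside the reverse proxy or tunnel (that wiring is not visible in this section), use `openFirewall = false;` or drop the line.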


@@ -0,0 +1,101 @@
{
config,
pkgs,
lib,
self,
...
}: let
unit = "nextcloud";
cfg = config.server.services.${unit};
srv = config.server;
in {
config = lib.mkIf cfg.enable {
age.secrets = {
nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age";
};
server.infra.fail2ban.jails.nextcloud = {
serviceName = "${unit}";
_groupsre = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
failRegex = ''
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
'';
datePattern = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
};
services = {
${unit} = {
enable = true;
package = pkgs.nextcloud32;
hostName = "nextcloud";
configureRedis = true;
caching = {
redis = true;
};
phpOptions = {
"opcache.interned_strings_buffer" = "32";
};
maxUploadSize = "50G";
settings = {
maintenance_window_start = "1";
trusted_proxies = [
"127.0.0.1"
"::1"
];
trusted_domains = ["cloud.${srv.domain}"];
overwriteprotocol = "https";
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "cnst";
adminpassFile = config.age.secrets.nextcloudAdminPass.path;
};
};
nginx = {
defaultListen = [
{
addr = "127.0.0.1";
port = 8182;
}
{
addr = "127.0.0.1";
port = 8482;
}
];
virtualHosts.nextcloud = {
forceSSL = false;
};
};
};
server.infra.postgresql.databases = [
{
database = "nextcloud";
}
];
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
};
}
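Review bot: `services.nginx.defaultListen` is a global nginx option, so setting it inside the nextcloud module moves every virtual host on the machine to 127.0.0.1:8182 and 127.0.0.1:8482, not only `virtualHosts.nextcloud`; a per-host `listen` list on `virtualHosts.nextcloud` would keep the change local. The ports and `trusted_domains = ["cloud.${srv.domain}"]` are hard-coded although the service entry carries `port` and `subdomain`, so the proxy target and the trusted domain stop matching as soon as those options are set to anything else; for example `trusted_domains = ["${cfg.subdomain}.${srv.domain}"];`. The fail2ban jail matches `remoteAddr`, which with `trusted_proxies` set is presumably taken from a forwarded header, so it is worth confirming that the front proxy overwrites that header rather than passing a client-supplied one through.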


@@ -0,0 +1,28 @@
{
config,
lib,
pkgs,
...
}: let
unit = "ollama";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
ollama
intel-compute-runtime
intel-graphics-compiler
level-zero
];
services.open-webui = {
enable = true;
host = "0.0.0.0";
port = 8001;
environment = {
ANONYMIZED_TELEMETRY = "False";
BYPASS_MODEL_ACCESS_CONTROL = "True";
OLLAMA_BASE_URL = "http://localhost:11434";
};
};
};
}
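Review bot: `services.open-webui.host = "0.0.0.0"` binds the web UI on every interface while `BYPASS_MODEL_ACCESS_CONTROL = "True"` removes the per-model permission checks, so whatever network path reaches port 8001 gets every model once a user is logged in. The service entry already has `exposure` and `port`, so bind to loopback and take the port from the option: `host = "127.0.0.1";` and `port = cfg.port;`. The section also only installs the `ollama` package; nothing visible here starts a server for `OLLAMA_BASE_URL` to reach, so `services.ollama.enable = true;` may be missing unless it is set elsewhere.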


@@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
unit = "prowlarr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}


@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "radarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}


@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "sonarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}


@@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
unit = "uptime-kuma";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}


@@ -0,0 +1,59 @@
# from @fufexan & @notthebee
{
config,
lib,
self,
...
}: let
unit = "vaultwarden";
cfg = config.server.services.${unit};
domain = "${cfg.subdomain}.${config.server.infra.www.url}";
in {
config = lib.mkIf cfg.enable {
age.secrets = {
vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
};
server.infra.fail2ban.jails.${unit} = {
serviceName = "${unit}";
failRegex = ''^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$'';
};
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${domain}".service = "http://localhost:${toString cfg.port}";
};
};
vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwardenEnvironment.path;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://${domain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = cfg.port;
IP_HEADER = "CF-Connecting-IP";
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = true;
showPasswordHint = false;
};
};
};
systemd.services.backup-vaultwarden.serviceConfig = {
User = "root";
Group = "root";
};
};
}
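Review bot: The fail2ban jail matches the address vaultwarden logs from `IP_HEADER = "CF-Connecting-IP"`, but requests reach the service over the cloudflared tunnel from localhost, so a host-firewall ban on that client address would presumably never see the traffic it is meant to block. The jail's action is defined outside this section; confirm that it is enforced at the Cloudflare edge rather than in the local packet filter, and note that the gitea jail added in this commit sits behind the same kind of tunnel. A comment next to the jail would record the assumption: `# ban must be applied upstream; traffic arrives via the tunnel from localhost`. Separately, `backup-vaultwarden` is forced to `User = "root"` with no note on why the unit's default user cannot write `/var/backup/vaultwarden`.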


@@ -1,62 +0,0 @@
{
config,
lib,
...
}: let
unit = "sonarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Sonarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Series collection manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "sonarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.sonarr.loadBalancer.servers = [{url = "http://127.0.0.1:8989";}];
routers = {
sonarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "sonarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}


@@ -1,104 +0,0 @@
{
lib,
config,
pkgs,
self,
...
}: let
inherit (lib) mkEnableOption mkIf types;
cfg = config.server.traefik;
getCloudflareCredentials = hostname:
if hostname == "ziggy"
then config.age.secrets.cloudflareDnsCredentialsZiggy.path
else if hostname == "sobotka"
then config.age.secrets.cloudflareDnsCredentials.path
else throw "Unknown hostname: ${hostname}";
in {
options.server.traefik = {
enable = mkEnableOption "Enable global Traefik reverse proxy with ACME";
};
config = mkIf cfg.enable {
age.secrets.traefikEnv = {
file = "${self}/secrets/traefikEnv.age";
mode = "640";
owner = "traefik";
group = "traefik";
};
systemd.services.traefik = {
serviceConfig = {
EnvironmentFile = [config.age.secrets.traefikEnv.path];
};
};
networking.firewall.allowedTCPPorts = [80 443];
services = {
tailscale.permitCertUid = "traefik";
traefik = {
enable = true;
staticConfigOptions = {
log = {
level = "DEBUG";
};
tracing = {};
api = {
dashboard = true;
};
certificatesResolvers = {
vpn.tailscale = {};
letsencrypt = {
acme = {
email = "adam@cnst.dev";
storage = "/var/lib/traefik/cert.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"1.0.0.1:53"
];
};
};
};
};
entryPoints = {
redis = {
address = "0.0.0.0:6381";
};
postgres = {
address = "0.0.0.0:5433";
};
web = {
address = "0.0.0.0:80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
permanent = true;
};
};
websecure = {
address = "0.0.0.0:443";
http.tls = {
certResolver = "letsencrypt";
domains = [
{
main = "cnix.dev";
sans = ["*.cnix.dev"];
}
{
main = "ts.cnst.dev";
sans = ["*ts.cnst.dev"];
}
];
};
};
};
};
};
};
};
}


@@ -1,62 +0,0 @@
{
config,
lib,
...
}: let
unit = "uptime-kuma";
cfg = config.server.${unit};
srv = config.server;
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/uptime-kuma";
};
url = lib.mkOption {
type = lib.types.str;
default = "uptime.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Uptime Kuma";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Service monitoring tool";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "uptime-kuma.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
traefik = {
dynamicConfigOptions = {
http = {
services.uptime-kuma.loadBalancer.servers = [{url = "http://127.0.0.1:3001";}];
routers = {
uptime-kuma = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "uptime-kuma";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
};
}


@@ -1,89 +0,0 @@
# from @fufexan & @notthebee
{
config,
lib,
self,
...
}: let
inherit (lib) mkIf mkEnableOption;
vcfg = config.services.vaultwarden.config;
cfg = config.server.vaultwarden;
in {
options = {
server.vaultwarden = {
enable = mkEnableOption "Enables vaultwarden";
url = lib.mkOption {
type = lib.types.str;
default = "${cfg.domain}";
};
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
};
config = mkIf cfg.enable {
age.secrets = {
vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
};
server = {
fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = {
vaultwarden = {
serviceName = "vaultwarden";
failRegex = ''^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$'';
};
};
};
};
systemd.services.backup-vaultwarden.serviceConfig = {
User = "root";
Group = "root";
};
services = {
vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwardenEnvironment.path;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://${cfg.url}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
IP_HEADER = "CF-Connecting-IP";
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = true;
showPasswordHint = false;
};
};
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT}";
};
};
};
};
}


@@ -2,8 +2,7 @@
lib, lib,
config, config,
... ...
}: }: let
let
inherit (lib) mkOption types; inherit (lib) mkOption types;
sshKeys = { sshKeys = {
@@ -16,14 +15,14 @@ let
keyName = config.settings.accounts.sshUser or null; keyName = config.settings.accounts.sshUser or null;
selectedKey = selectedKey =
if keyName != null then if keyName != null
then
lib.attrByPath [ lib.attrByPath [
keyName keyName
] (builtins.abort "No SSH key defined for hostname/key '${toString keyName}'") sshKeys ] (builtins.abort "No SSH key defined for hostname/key '${toString keyName}'")
else sshKeys
builtins.abort "No accounts.sshUser provided, cannot select SSH key."; else builtins.abort "No accounts.sshUser provided, cannot select SSH key.";
in in {
{
options.settings.accounts = { options.settings.accounts = {
username = mkOption { username = mkOption {
type = types.str; type = types.str;
@@ -46,5 +45,21 @@ in
default = null; default = null;
description = "Optional override for selecting an SSH key by name"; description = "Optional override for selecting an SSH key by name";
}; };
domains = lib.mkOption {
type = lib.types.submodule {
options = {
local = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
description = "The local domain of the host";
};
public = lib.mkOption {
type = lib.types.str;
default = "example.com";
description = "The public domain of the host";
};
};
};
};
}; };
} }
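Review bot: The new `domains` option gives `local` the default `"127.0.0.1"` while describing it as "The local domain of the host", and `public` defaults to `"example.com"`, so a host that forgets to set them evaluates cleanly and ends up with wrong hostnames in whatever consumes these values. Dropping the defaults would turn that mistake into an evaluation error; if the defaults stay, the description should say what is expected, e.g. `description = "Local address or domain name the host's services are reached on";`. The outer `domains = lib.mkOption` also has no `description` of its own.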


@@ -21,8 +21,8 @@ in
example = 1080; example = 1080;
}; };
refreshRate = mkOption { refreshRate = mkOption {
type = types.int; type = types.str;
default = 60; default = "60";
}; };
transform = mkOption { transform = mkOption {
type = types.int; type = types.int;


@@ -4,5 +4,8 @@
allowUnfree = true; allowUnfree = true;
input-fonts.acceptLicense = true; input-fonts.acceptLicense = true;
}; };
overlays = [
];
}; };
} }


@@ -5,12 +5,10 @@
"aarch64-linux" "aarch64-linux"
]; ];
perSystem = perSystem = {pkgs, ...}: {
{ pkgs, ... }: packages = {
{ # instant repl with automatic flake loading
packages = { repl = pkgs.callPackage ./repl {};
# instant repl with automatic flake loading
repl = pkgs.callPackage ./repl { };
};
}; };
};
} }

11
secrets/crowdsecApi.age Normal file

@@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 t9iOEg lf7aPbZX2v3WGzE/KI/069DBObphqrDtjq7rhNriGl8
Vv+Pqk6DbcE5R1A9135gVKroCex1xKsCLPETZdT3yTg
-> ssh-ed25519 KUYMFA XxtBSmCwrQCZ9G3VcCrbzTdMshTK1pjlHPYj7fke818
9tO2EcnHPD6v3TNeuZdL+zP39SM5R5q7om5sCFDB8lg
-> ssh-ed25519 76RhUQ I6O/fYFRqYxExC9uLijZr6/kFze7uze0cIudCsl2jTo
WAwb822vVj5UtUAdE1oVJ0/q6nQbWqdx0OHuGEogO7M
-> ssh-ed25519 Jf8sqw gWBoe4HhXNw7Ih58lQ/L2vBoQfbU1ht8+ZSLUx/4TWk
xor0ieJ2UI5bK4rSlCM0dX61PVbxYE37FNry0YSmHG4
--- Cp8b3eTb3NfjPFvBE12a2c+Yni2jW6DZUK10IaXmmvo
w<EFBFBD>xq<EFBFBD><EFBFBD>z:<3A>.{<7B>?<3F><><EFBFBD>f<EFBFBD><66><1D><><16><>A<EFBFBD>jT<6A><54>{<7B>J <20><>

Binary file not shown.


@@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 t9iOEg MLi7IOM8QlpvlCMSmo4SwZbTwZ9pyysSbiMMuWD/dyU
cotV5TJf7oyyXIaAmu8n9Ie1rl27i8w7hsduwtQFnis
-> ssh-ed25519 KUYMFA BhFQ/RXOH8L7gl/FSabAUv28fbaod+muvTGSV3rYQSs
fWqwAkhSAmg6YB+yEtj0e83Q4XO/r+TBnMTN7vXBNqU
-> ssh-ed25519 76RhUQ b1fDfGPNdJ9c3wtr8ww0mW5K4fKJxpxxTZy/ZCECWzs
qhbvucUrv7dzOPKUmUaRs/AtXtwQfy/qp5HnaYzZ5eQ
-> ssh-ed25519 Jf8sqw 19D2ztjyxJfGQAiUOTdgWyC0ZFso/wrC9VPEkmI34U8
PavT5O8M6Zc2Num9Hb2sY+F3UmMPqRgjUZxuvP6AhyM
--- uYOcbsL7JWoDF2mRUDLhXrbp6ssLFbQ9+a6RhAXNNPA
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> X<><58>PC<50><43>h<EFBFBD>;


@@ -63,6 +63,8 @@ in {
"wwwCloudflared.age".publicKeys = kima ++ sobotka; "wwwCloudflared.age".publicKeys = kima ++ sobotka;
"authentikCloudflared.age".publicKeys = kima ++ sobotka; "authentikCloudflared.age".publicKeys = kima ++ sobotka;
"sobotkaTsAuth.age".publicKeys = kima ++ sobotka; "sobotkaTsAuth.age".publicKeys = kima ++ sobotka;
"mikrotikSecret.age".publicKeys = kima ++ sobotka;
"crowdsecApi.age".publicKeys = kima ++ sobotka;
# Ziggy-specific # Ziggy-specific
"cloudflareDnsCredentialsZiggy.age".publicKeys = kima ++ ziggy; "cloudflareDnsCredentialsZiggy.age".publicKeys = kima ++ ziggy;


@@ -39,7 +39,7 @@
enable = true; enable = true;
}; };
ghostty = { ghostty = {
enable = true; enable = false;
}; };
helix = { helix = {
enable = true; enable = true;
@@ -57,7 +57,7 @@
enable = false; enable = false;
}; };
nvf = { nvf = {
enable = true; enable = false;
}; };
nwg-bar = { nwg-bar = {
enable = true; enable = true;