gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

style: alejandra $(fd -e nix)

Browse source
This commit is contained in:
Kat Inskip 2024-03-13 15:08:42 -07:00
parent 97d9eecd3c
commit e63304937d
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
91 changed files with 1422 additions and 1102 deletions
Download patch file Download diff file Expand all files Collapse all files

37
nixos/access/freeipa.nix
View file

@ -3,8 +3,7 @@
meta,
lib,
...
}:
let
}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
inherit (lib.strings) optionalString concatStringsSep;
@ -56,18 +55,22 @@ in {
type = str;
};
preread = {
enable = mkEnableOption "ssl preread" // {
default = true;
};
enable =
mkEnableOption "ssl preread"
// {
default = true;
};
port = mkOption {
type = port;
default = 444;
};
};
kerberos = {
enable = mkEnableOption "proxy kerberos" // {
default = true;
};
enable =
mkEnableOption "proxy kerberos"
// {
default = true;
};
ports = {
ticket = mkOption {
type = port;
@ -86,7 +89,10 @@ in {
proxyPass = mkOption {
type = str;
default = let
scheme = if access.port == 443 then "https" else "http";
scheme =
if access.port == 443
then "https"
else "http";
in "${scheme}://${access.host}:${toString access.port}";
};
domain = mkOption {
@ -130,7 +136,7 @@ in {
port = mkDefault access.ldapPort;
useACMEHost = mkDefault access.useACMEHost;
};
resolver.addresses = mkIf access.preread.enable [ "[::1]" "127.0.0.1:5353" ];
resolver.addresses = mkIf access.preread.enable ["[::1]" "127.0.0.1:5353"];
defaultSSLListenPort = mkIf access.preread.enable access.preread.port;
streamConfig = let
preread = ''
@ -174,10 +180,11 @@ in {
proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd};
}
'';
in mkMerge [
(mkIf access.preread.enable preread)
(mkIf access.kerberos.enable kerberos)
];
in
mkMerge [
(mkIf access.preread.enable preread)
(mkIf access.kerberos.enable kerberos)
];
virtualHosts = {
${access.domain} = {
inherit locations extraConfig;
@ -207,7 +214,7 @@ in {
local.enable = true;
inherit locations;
};
${ldap.domain} = { config, ... }: {
${ldap.domain} = {config, ...}: {
useACMEHost = mkDefault virtualHosts.${access.domain}.useACMEHost;
addSSL = mkDefault (config.useACMEHost != null);
globalRedirect = access.domain;

78
nixos/access/freepbx.nix
View file

@ -12,9 +12,11 @@
freepbx = config.lib.access.systemFor "freepbx";
in {
options.services.nginx.access.freepbx = with lib.types; {
global.enable = mkEnableOption "global access" // {
default = access.useACMEHost != null;
};
global.enable =
mkEnableOption "global access"
// {
default = access.useACMEHost != null;
};
host = mkOption {
type = str;
default = freepbx.access.hostnameForNetwork.local;
@ -94,17 +96,19 @@ in {
};
"${access.domain}@ucp" = {
serverName = access.domain;
listen = concatMap (addr: [
{
inherit addr;
port = access.ucpPort;
}
(mkIf (access.useACMEHost != null) {
inherit addr;
port = access.ucpSslPort;
ssl = true;
})
]) nginx.defaultListenAddresses;
listen =
concatMap (addr: [
{
inherit addr;
port = access.ucpPort;
}
(mkIf (access.useACMEHost != null) {
inherit addr;
port = access.ucpSslPort;
ssl = true;
})
])
nginx.defaultListenAddresses;
proxy.websocket.enable = true;
local.enable = mkDefault (!access.global.enable);
addSSL = mkDefault (access.useACMEHost != null);
@ -116,27 +120,29 @@ in {
inherit extraConfig;
};
${access.localDomain} = {
listen = concatMap (addr: [
{
inherit addr;
port = nginx.defaultHTTPListenPort;
}
{
inherit addr;
port = access.ucpPort;
}
(mkIf (access.useACMEHost != null) {
inherit addr;
port = nginx.defaultSSLListenPort;
ssl = true;
})
(mkIf (access.useACMEHost != null) {
inherit addr;
port = access.ucpSslPort;
ssl = true;
})
]) nginx.defaultListenAddresses;
serverAliases = mkIf tailscale.enable [ access.tailDomain ];
listen =
concatMap (addr: [
{
inherit addr;
port = nginx.defaultHTTPListenPort;
}
{
inherit addr;
port = access.ucpPort;
}
(mkIf (access.useACMEHost != null) {
inherit addr;
port = nginx.defaultSSLListenPort;
ssl = true;
})
(mkIf (access.useACMEHost != null) {
inherit addr;
port = access.ucpSslPort;
ssl = true;
})
])
nginx.defaultListenAddresses;
serverAliases = mkIf tailscale.enable [access.tailDomain];
useACMEHost = mkDefault access.useACMEHost;
addSSL = mkDefault (access.useACMEHost != null);
kTLS = mkDefault true;
@ -146,7 +152,7 @@ in {
};
};
config.networking.firewall = let
websocketPorts = [ access.ucpPort ] ++ optional (access.useACMEHost != null) access.ucpSslPort;
websocketPorts = [access.ucpPort] ++ optional (access.useACMEHost != null) access.ucpSslPort;
in {
interfaces.local.allowedTCPPorts = websocketPorts;
allowedTCPPorts = mkIf access.global.enable websocketPorts;

5
nixos/access/global.nix
View file

@ -1,7 +1,4 @@
{
lib,
...
}: let
{lib, ...}: let
inherit (lib.modules) mkDefault;
in {
networking = {

18
nixos/access/invidious.nix
View file

@ -34,12 +34,14 @@ in {
url = mkOptionDefault "http://localhost:${toString cfg.port}";
};
virtualHosts = let
invidiousDomains = [
access.domain
access.localDomain
] ++ optional tailscale.enable access.tailDomain;
invidiousDomains =
[
access.domain
access.localDomain
]
++ optional tailscale.enable access.tailDomain;
contentSecurityPolicy' = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src 'self'; media-src 'self' blob: https://*.googlevideo.com:443 https://*.youtube.com:443; child-src 'self' blob:; frame-src 'self'; frame-ancestors 'none'";
contentSecurityPolicy = replaceStrings [ "'self'" ] [ "'self' ${concatStringsSep " " invidiousDomains}" ] contentSecurityPolicy';
contentSecurityPolicy = replaceStrings ["'self'"] ["'self' ${concatStringsSep " " invidiousDomains}"] contentSecurityPolicy';
extraConfig = ''
# Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
send_timeout 100m;
@ -56,14 +58,14 @@ in {
'';
};
in {
${access.domain} = { config, ... }: {
${access.domain} = {config, ...}: {
vouch.enable = true;
locations."/" = location;
kTLS = mkDefault true;
inherit extraConfig;
};
${access.localDomain} = { config, ... }: {
serverAliases = mkIf tailscale.enable [ access.tailDomain ];
${access.localDomain} = {config, ...}: {
serverAliases = mkIf tailscale.enable [access.tailDomain];
local.enable = true;
locations."/" = mkMerge [
location

3
nixos/access/kanidm.nix
View file

@ -3,8 +3,7 @@
meta,
lib,
...
}:
let
}: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
inherit (config) networking;

70
nixos/access/kitchencam.nix
View file

@ -64,39 +64,47 @@ in {
inherit extraConfig;
};
};
streamListen = { config, ... }: {
listen = concatMap (addr: [
(mkIf config.addSSL {
inherit addr;
port = nginx.defaultSSLListenPort;
ssl = true;
})
{
inherit addr;
port = nginx.defaultHTTPListenPort;
}
{
inherit addr;
port = access.streamPort;
}
]) nginx.defaultListenAddresses;
streamListen = {config, ...}: {
listen =
concatMap (addr: [
(mkIf config.addSSL {
inherit addr;
port = nginx.defaultSSLListenPort;
ssl = true;
})
{
inherit addr;
port = nginx.defaultHTTPListenPort;
}
{
inherit addr;
port = access.streamPort;
}
])
nginx.defaultListenAddresses;
};
in {
${access.domain} = mkMerge [ {
vouch.enable = true;
kTLS = mkDefault true;
inherit (access) useACMEHost;
addSSL = mkDefault (access.useACMEHost != null);
inherit locations;
} streamListen ];
${access.localDomain} = mkMerge [ {
serverAliases = mkIf config.services.tailscale.enable [ access.tailDomain ];
inherit (virtualHosts.${access.domain}) useACMEHost;
addSSL = mkDefault addSSL;
kTLS = mkDefault true;
local.enable = true;
inherit locations;
} streamListen ];
${access.domain} = mkMerge [
{
vouch.enable = true;
kTLS = mkDefault true;
inherit (access) useACMEHost;
addSSL = mkDefault (access.useACMEHost != null);
inherit locations;
}
streamListen
];
${access.localDomain} = mkMerge [
{
serverAliases = mkIf config.services.tailscale.enable [access.tailDomain];
inherit (virtualHosts.${access.domain}) useACMEHost;
addSSL = mkDefault addSSL;
kTLS = mkDefault true;
local.enable = true;
inherit locations;
}
streamListen
];
};
};
config.networking.firewall.allowedTCPPorts = [

56
nixos/access/ldap.nix
View file

@ -2,8 +2,7 @@
config,
lib,
...
}:
let
}: let
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge;
inherit (lib.strings) concatMapStringsSep optionalString;
@ -18,9 +17,11 @@ let
cidrForNetwork.loopback.all
++ cidrForNetwork.local.all
++ optionals tailscale.enable cidrForNetwork.tail.all;
allows = concatMapStringsSep "\n" mkAllow allowAddresses + optionalString localaddrs.enable ''
include ${localaddrs.stateDir}/*.nginx.conf;
'';
allows =
concatMapStringsSep "\n" mkAllow allowAddresses
+ optionalString localaddrs.enable ''
include ${localaddrs.stateDir}/*.nginx.conf;
'';
in ''
${allows}
deny all;
@ -61,28 +62,29 @@ in {
proxy_ssl on;
proxy_ssl_verify off;
'';
in mkIf access.enable (mkMerge [
''
server {
listen 0.0.0.0:389;
listen [::]:389;
${allows}
proxy_pass ${proxyPass};
${proxySsl}
}
''
(mkIf (access.useACMEHost != null) ''
server {
listen 0.0.0.0:636 ssl;
listen [::]:636 ssl;
ssl_certificate ${cert.directory}/fullchain.pem;
ssl_certificate_key ${cert.directory}/key.pem;
ssl_trusted_certificate ${cert.directory}/chain.pem;
proxy_pass ${proxyPass};
${proxySsl}
}
'')
]);
in
mkIf access.enable (mkMerge [
''
server {
listen 0.0.0.0:389;
listen [::]:389;
${allows}
proxy_pass ${proxyPass};
${proxySsl}
}
''
(mkIf (access.useACMEHost != null) ''
server {
listen 0.0.0.0:636 ssl;
listen [::]:636 ssl;
ssl_certificate ${cert.directory}/fullchain.pem;
ssl_certificate_key ${cert.directory}/key.pem;
ssl_trusted_certificate ${cert.directory}/chain.pem;
proxy_pass ${proxyPass};
${proxySsl}
}
'')
]);
};
networking.firewall = {

10
nixos/access/plex.nix
View file

@ -70,10 +70,12 @@ in {
plex-external = mkIf (access.externalPort != null) {
serverName = mkDefault access.domain;
default = mkDefault true;
listen = map (addr: {
inherit addr;
port = access.externalPort;
}) nginx.defaultListenAddresses;
listen =
map (addr: {
inherit addr;
port = access.externalPort;
})
nginx.defaultListenAddresses;
locations."/" = location;
inherit extraConfig;
};

47
nixos/access/proxmox.nix
View file

@ -14,10 +14,11 @@
proxyPass = "https://reisen.local.${config.networking.domain}:8006/";
unencrypted = mkSnakeOil {
name = "prox-local-cert";
domain = singleton "prox.local.${config.networking.domain}"
domain =
singleton "prox.local.${config.networking.domain}"
++ optional tailscale.enable "prox.tail.${config.networking.domain}";
};
sslHost = { config, ... }: {
sslHost = {config, ...}: {
sslCertificate = mkIf (!config.enableACME && config.useACMEHost == null) unencrypted.fullchain;
sslCertificateKey = mkIf (!config.enableACME && config.useACMEHost == null) unencrypted.key;
};
@ -91,24 +92,30 @@ in {
${access.domain} = {
inherit locations extraConfig;
};
${access.localDomain} = mkMerge [ {
inherit (virtualHosts.${access.domain}) useACMEHost;
local.enable = mkDefault true;
forceSSL = mkDefault true;
locations."/" = {
proxy.websocket.enable = true;
inherit proxyPass extraConfig;
};
} sslHost ];
${access.tailDomain} = mkIf tailscale.enable (mkMerge [ {
inherit (virtualHosts.${access.domain}) useACMEHost;
addSSL = mkDefault true;
local.enable = mkDefault true;
locations."/" = {
proxy.websocket.enable = true;
inherit proxyPass extraConfig;
};
} sslHost ]);
${access.localDomain} = mkMerge [
{
inherit (virtualHosts.${access.domain}) useACMEHost;
local.enable = mkDefault true;
forceSSL = mkDefault true;
locations."/" = {
proxy.websocket.enable = true;
inherit proxyPass extraConfig;
};
}
sslHost
];
${access.tailDomain} = mkIf tailscale.enable (mkMerge [
{
inherit (virtualHosts.${access.domain}) useACMEHost;
addSSL = mkDefault true;
local.enable = mkDefault true;
locations."/" = {
proxy.websocket.enable = true;
inherit proxyPass extraConfig;
};
}
sslHost
]);
};
config.sops.secrets.access-proxmox = {

26
nixos/access/unifi.nix
View file

@ -10,9 +10,11 @@
in {
options.services.nginx.access.unifi = with lib.types; {
global = {
enable = mkEnableOption "global access" // {
default = access.useACMEHost != null;
};
enable =
mkEnableOption "global access"
// {
default = access.useACMEHost != null;
};
management = mkEnableOption "global management port access";
};
host = mkOption {
@ -59,11 +61,13 @@ in {
};
in {
"${access.domain}@management" = mkIf access.global.management {
listen = map (addr: {
inherit addr;
port = access.managementPort;
ssl = true;
}) nginx.defaultListenAddresses;
listen =
map (addr: {
inherit addr;
port = access.managementPort;
ssl = true;
})
nginx.defaultListenAddresses;
serverName = access.domain;
default = mkDefault true;
forceSSL = mkDefault true;
@ -81,7 +85,7 @@ in {
inherit locations extraConfig;
};
${access.localDomain} = {
serverAliases = mkIf tailscale.enable [ access.tailDomain ];
serverAliases = mkIf tailscale.enable [access.tailDomain];
useACMEHost = mkDefault access.useACMEHost;
addSSL = mkDefault (access.useACMEHost != null);
kTLS = mkDefault true;
@ -91,7 +95,7 @@ in {
};
};
config.networking.firewall = {
interfaces.local.allowedTCPPorts = [ access.managementPort ];
allowedTCPPorts = mkIf access.global.management [ access.managementPort ];
interfaces.local.allowedTCPPorts = [access.managementPort];
allowedTCPPorts = mkIf access.global.management [access.managementPort];
};
}

29
nixos/access/vouch.nix
View file

@ -35,8 +35,12 @@ in {
access.vouch = mkIf cfg.enable {
url = let
inherit (cfg.settings.vouch) listen;
host = if listen == "0.0.0.0" || listen == "[::]" then "localhost" else listen;
in mkOptionDefault "http://${host}:${toString cfg.port}";
host =
if listen == "0.0.0.0" || listen == "[::]"
then "localhost"
else listen;
in
mkOptionDefault "http://${host}:${toString cfg.port}";
};
virtualHosts = let
locations = {
@ -46,17 +50,20 @@ in {
proxy_redirect default;
'';
};
"/validate" = { config, ... }: {
"/validate" = {config, ...}: {
proxyPass = mkDefault (access.url + "/validate");
recommendedProxySettings = mkDefault false;
extraConfig = if config.local.trusted then ''
if ($http_x_host = ''') {
set $http_x_host $host;
}
proxy_set_header Host $http_x_host;
'' else ''
proxy_set_header Host $host;
'';
extraConfig =
if config.local.trusted
then ''
if ($http_x_host = ''') {
set $http_x_host $host;
}
proxy_set_header Host $http_x_host;
''
else ''
proxy_set_header Host $host;
'';
};
};
localLocations = kanidmDomain: {

5
nixos/access/zigbee2mqtt.nix
View file

@ -2,8 +2,7 @@
config,
lib,
...
}:
let
}: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
cfg = config.services.zigbee2mqtt;
@ -46,7 +45,7 @@ in {
locations."/" = location;
};
${access.localDomain} = {
serverAliases = mkIf config.services.tailscale.enable [ access.tailDomain ];
serverAliases = mkIf config.services.tailscale.enable [access.tailDomain];
local.enable = true;
locations."/" = location;
};

43
nixos/acme.nix
View file

@ -8,18 +8,30 @@
inherit (lib.lists) head optional;
cfg = config.security.acme;
mkHash = with builtins; val: substring 0 20 (hashString "sha256" val);
mkAccountHash = { server ? null, keyType, email }: mkHash "${toString server} ${keyType} ${email}";
mkAccountHash = {
server ? null,
keyType,
email,
}:
mkHash "${toString server} ${keyType} ${email}";
mkHost = server: head (splitString "/" (removePrefix "https://" server));
mkAccountDir = { server ? null, email, keyType }: concatStringsSep "/" ([
accountDirRoot
(mkAccountHash { inherit server email keyType; })
] ++ optional (server != null) (
mkHost server
) ++ [
cfg.defaults.email
]);
mkAccountDir = {
server ? null,
email,
keyType,
}:
concatStringsSep "/" ([
accountDirRoot
(mkAccountHash {inherit server email keyType;})
]
++ optional (server != null) (
mkHost server
)
++ [
cfg.defaults.email
]);
accountDirRoot = "/var/lib/acme/.lego/accounts";
addr = concatStringsSep "@" [ "gensokyo" "arcn.mx" ];
addr = concatStringsSep "@" ["gensokyo" "arcn.mx"];
in {
security.acme = {
acceptTerms = true;
@ -35,16 +47,19 @@ in {
};
};
sops.secrets = let
accountDir = mkAccountDir { inherit (cfg.defaults) server email keyType; };
accountDir = mkAccountDir {inherit (cfg.defaults) server email keyType;};
acmeSecret = {
sopsFile = mkDefault ./secrets/acme.yaml;
owner = "acme";
group = "nginx";
};
in {
acme_account_key = mkMerge [ acmeSecret {
path = accountDir + "/keys/${cfg.defaults.email}.key";
} ];
acme_account_key = mkMerge [
acmeSecret
{
path = accountDir + "/keys/${cfg.defaults.email}.key";
}
];
acme_cloudflare_email = acmeSecret;
acme_cloudflare_token = acmeSecret;
};

35
nixos/avahi.nix
View file

@ -26,7 +26,7 @@ in {
daemon = "avahi-daemon.service";
avahi-daemon-watchdog = pkgs.writeShellScript "avahi-daemon-watchdog" ''
set -eu
export PATH="$PATH:${makeBinPath [ config.systemd.package pkgs.coreutils pkgs.gnugrep ]}"
export PATH="$PATH:${makeBinPath [config.systemd.package pkgs.coreutils pkgs.gnugrep]}"
while read -r line; do
if [[ $line = *"Host name conflict"* ]]; then
if systemctl is-active ${daemon} > /dev/null; then
@ -38,22 +38,23 @@ in {
fi
done < <(journalctl -o cat -feu ${daemon} | grep -F 'Host name conflict, retrying with ')
'';
in mkIf (cfg.enable && cfg.publish.enable) {
avahi-daemon = {
serviceConfig = {
inherit RestartSec;
in
mkIf (cfg.enable && cfg.publish.enable) {
avahi-daemon = {
serviceConfig = {
inherit RestartSec;
};
};
avahi-daemon-watchdog = {
wantedBy = [daemon];
serviceConfig = {
Type = mkOptionDefault "exec";
ExecStart = [
"${avahi-daemon-watchdog}"
];
Restart = mkOptionDefault "on-failure";
RestartSec = mkOptionDefault RestartSec;
};
};
};
avahi-daemon-watchdog = {
wantedBy = [ daemon ];
serviceConfig = {
Type = mkOptionDefault "exec";
ExecStart = [
"${avahi-daemon-watchdog}"
];
Restart = mkOptionDefault "on-failure";
RestartSec = mkOptionDefault RestartSec;
};
};
};
}

13
nixos/base/access.nix
View file

@ -28,12 +28,11 @@
users.users.root = {
hashedPassword = "$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB.";
openssh.authorizedKeys.keys = with pkgs.lib;
(concatLists (mapAttrsToList
(name: user:
if elem "wheel" user.extraGroups
then user.openssh.authorizedKeys.keys
else [])
config.users.users));
openssh.authorizedKeys.keys = with pkgs.lib; (concatLists (mapAttrsToList
(name: user:
if elem "wheel" user.extraGroups
then user.openssh.authorizedKeys.keys
else [])
config.users.users));
};
}

2
nixos/base/documentation.nix
View file

@ -1,3 +1,3 @@
{ config, ... }: {
{config, ...}: {
documentation.nixos.enable = false;
}

8
nixos/base/kitty.nix
View file

@ -1,5 +1,7 @@
{ config, pkgs, ... }:
{
environment.systemPackages = [ pkgs.buildPackages.buildPackages.kitty.terminfo ];
config,
pkgs,
...
}: {
environment.systemPackages = [pkgs.buildPackages.buildPackages.kitty.terminfo];
}

19
nixos/base/nix.nix
View file

@ -1,4 +1,10 @@
{ config, options, lib, inputs, ... }: let
{
config,
options,
lib,
inputs,
...
}: let
inherit (lib.modules) mkIf mkDefault;
hasSops = options ? sops;
in {
@ -25,7 +31,8 @@ in {
experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes";
substituters = [
"https://gensokyo-infrastructure.cachix.org"
"https://arc.cachix.org" "https://kittywitch.cachix.org"
"https://arc.cachix.org"
"https://kittywitch.cachix.org"
"https://nix-community.cachix.org"
];
trusted-public-keys = [
@ -36,7 +43,7 @@ in {
"ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI="
];
auto-optimise-store = true;
trusted-users = [ "root" "@wheel" ];
trusted-users = ["root" "@wheel"];
};
extraOptions = mkIf hasSops ''
!include ${config.sops.secrets.github-access-token-public.path}
@ -47,7 +54,11 @@ in {
options = mkDefault "--delete-older-than 7d";
};
};
${if hasSops then "sops" else null}.secrets.github-access-token-public = {
${
if hasSops
then "sops"
else null
}.secrets.github-access-token-public = {
sopsFile = mkDefault ../secrets/nix.yaml;
group = mkDefault "users";
mode = mkDefault "0644";

5
nixos/base/nixpkgs.nix
View file

@ -1,7 +1,4 @@
{
inputs,
...
}: {
{inputs, ...}: {
nixpkgs = {
overlays = [
inputs.arcexprs.overlays.default

23
nixos/base/packages.nix
View file

@ -1,11 +1,16 @@
{ config, lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
neofetch
smartmontools
hddtemp
lm_sensors
gnupg
] ++ (lib.optional config.programs.gnupg.agent.enable pinentry-curses);
config,
lib,
pkgs,
...
}: {
environment.systemPackages = with pkgs;
[
neofetch
smartmontools
hddtemp
lm_sensors
gnupg
]
++ (lib.optional config.programs.gnupg.agent.enable pinentry-curses);
}

4
nixos/base/shell.nix
View file

@ -1,6 +1,4 @@
{ config, ... }:
{
{config, ...}: {
programs.zsh = {
enable = true;
enableCompletion = true;

2
nixos/base/ssh.nix
View file

@ -29,7 +29,7 @@ in {
};
networking.firewall = {
allowedTCPPorts = [publicPort];
interfaces.local.allowedTCPPorts = [ 22 ];
interfaces.local.allowedTCPPorts = [22];
};
programs.mosh.enable = true;

2
nixos/base/time.nix
View file

@ -1,3 +1,3 @@
{ config, ... }: {
{config, ...}: {
services.tzupdate.enable = true;
}

4
nixos/base/urxvt.nix
View file

@ -1,6 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
environment.systemPackages = [
pkgs.buildPackages.rxvt-unicode-unwrapped.terminfo
];

7
nixos/bazarr.nix
View file

@ -1,12 +1,9 @@
{
lib,
...
}: let
{lib, ...}: let
inherit (lib.modules) mkDefault;
in {
services.bazarr = {
enable = mkDefault true;
listenPort = mkDefault 6767;
};
users.users.bazarr.extraGroups = [ "kyuuto" ];
users.users.bazarr.extraGroups = ["kyuuto"];
}

24
nixos/ddclient.nix
View file

@ -14,26 +14,30 @@ in {
protocol = mkDefault "cloudflare";
zone = mkDefault config.networking.domain;
use = "no";
domains = [ ];
extraConfig = mkMerge [ (mkIf config.networking.enableIPv6 ''
usev6=webv6, webv6=https://ipv6.nsupdate.info/myip
'') ''
usev4=webv4, webv4=https://ipv4.nsupdate.info/myip
max-interval=1d
'' ];
domains = [];
extraConfig = mkMerge [
(mkIf config.networking.enableIPv6 ''
usev6=webv6, webv6=https://ipv6.nsupdate.info/myip
'')
''
usev4=webv4, webv4=https://ipv4.nsupdate.info/myip
max-interval=1d
''
];
passwordFile = config.sops.secrets.dyndns_cloudflare_token.path;
};
systemd.services.ddclient = mkIf cfg.enable rec {
wants = [ "network-online.target" ];
wants = ["network-online.target"];
after = wants;
wantedBy = mkForce [ ];
wantedBy = mkForce [];
serviceConfig = {
ExecStartPre = let
inherit (config.systemd.services.ddclient.serviceConfig) RuntimeDirectory;
prestart-domains = pkgs.writeShellScript "ddclient-prestart-domains" ''
cat ${config.sops.secrets.dyndns_ddclient_domains.path} >> /run/${RuntimeDirectory}/ddclient.conf
'';
in mkAfter [ "!${prestart-domains}" ];
in
mkAfter ["!${prestart-domains}"];
TimeoutStartSec = 90;
LogFilterPatterns = [
"~WARNING"

34
nixos/deluge.nix
View file

@ -42,28 +42,32 @@ in {
parent = builtins.dirOf downloadDir;
hasCompletedSubdir = completedDir != null && hasPrefix parent completedDir;
completedSubdir = removePrefix parent completedDir;
download = if hasCompletedSubdir then {
path = parent;
subdirectories = [
(builtins.baseNameOf downloadDir)
completedSubdir
];
} else {
path = downloadDir;
};
download =
if hasCompletedSubdir
then {
path = parent;
subdirectories = [
(builtins.baseNameOf downloadDir)
completedSubdir
];
}
else {
path = downloadDir;
};
completed = {
path = cfg.config.move_completed_path;
};
in mkIf cfg.enable (mkAfter [
download
(mkIf (completedDir != null && !hasCompletedSubdir) completed)
]);
in
mkIf cfg.enable (mkAfter [
download
(mkIf (completedDir != null && !hasCompletedSubdir) completed)
]);
users.users = mkIf cfg.enable (mkMerge [
{
deluge.extraGroups = [ "kyuuto" ];
deluge.extraGroups = ["kyuuto"];
}
(mkIf mediatomb.enable {
${mediatomb.user}.extraGroups = [ cfg.group ];
${mediatomb.user}.extraGroups = [cfg.group];
})
]);
}

37
nixos/github-runner/zone.nix
View file

@ -14,9 +14,11 @@
genZoneAttrs = prefix: f: listToAttrs (genZone (i: nameValuePair "${prefix}${toString i}" (f i)));
in {
options.services.github-runner-zone = with lib.types; {
enable = mkEnableOption "github-runners.zone" // {
default = true;
};
enable =
mkEnableOption "github-runners.zone"
// {
default = true;
};
targetName = mkOption {
type = str;
default = "github-runner-zone";
@ -64,7 +66,7 @@ in {
enable = mkDefault true;
ephemeral = mkDefault cfg.ephemeral;
replace = mkDefault true;
extraLabels = [ "ubuntu-latest" ];
extraLabels = ["ubuntu-latest"];
tokenFile = mkDefault config.sops.secrets.github-runner-gensokyo-zone-token.path;
url = mkDefault "https://github.com/gensokyo-zone";
group = mkDefault cfg.group;
@ -73,9 +75,9 @@ in {
};
networkNamespace.name = mkIf (cfg.networkNamespace.name != null) (mkDefault cfg.networkNamespace.name);
serviceSettings = {
wantedBy = [ "${cfg.targetName}.target" ];
wantedBy = ["${cfg.targetName}.target"];
unitConfig = {
StopPropagatedFrom = [ "${cfg.targetName}.target" ];
StopPropagatedFrom = ["${cfg.targetName}.target"];
};
};
serviceOverrides = mkIf (!cfg.dynamicUser) {
@ -88,15 +90,16 @@ in {
};
};
services.github-runners = genZoneAttrs cfg.keyPrefix (i: mkMerge [
(unmerged.merge cfg.runnerSettings)
{
name = mkDefault "${cfg.namePrefix}${toString i}";
user = mkIf (cfg.userPrefix != null) (
mkDefault "${cfg.userPrefix}${toString i}"
);
}
]);
services.github-runners = genZoneAttrs cfg.keyPrefix (i:
mkMerge [
(unmerged.merge cfg.runnerSettings)
{
name = mkDefault "${cfg.namePrefix}${toString i}";
user = mkIf (cfg.userPrefix != null) (
mkDefault "${cfg.userPrefix}${toString i}"
);
}
]);
systemd = mkIf cfg.enable {
services.nix-daemon = mkIf cfg.enable {
@ -106,13 +109,13 @@ in {
};
};
targets.${cfg.targetName} = {
wantedBy = [ "multi-user.target" ];
wantedBy = ["multi-user.target"];
};
};
users = mkIf cfg.enable {
groups = mkIf (cfg.group != null) {
${toString cfg.group} = { };
${toString cfg.group} = {};
};
users = mkMerge [
(mkIf (!cfg.dynamicUser) (genZoneAttrs cfg.userPrefix (i: {

24
nixos/home-assistant.nix
View file

@ -85,17 +85,19 @@ in {
];
entity_config = {};
};
homekit = [ {
name = "Tewi";
port = 21063;
filter = let
inherit (cfg.config) google_assistant;
in {
include_domains = google_assistant.exposed_domains;
include_entities = "!include homekit_include_entities.yaml";
};
entity_config = "!include homekit_entity_config.yaml";
} ];
homekit = [
{
name = "Tewi";
port = 21063;
filter = let
inherit (cfg.config) google_assistant;
in {
include_domains = google_assistant.exposed_domains;
include_entities = "!include homekit_include_entities.yaml";
};
entity_config = "!include homekit_entity_config.yaml";
}
];
tts = [
{
platform = "google_translate";

11
nixos/invidious.nix
View file

@ -1,4 +1,8 @@
{ config, lib, ... }: let
{
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkDefault mkForce;
cfg = config.services.invidious;
in {
@ -6,12 +10,13 @@ in {
commonSecret = {
sopsFile = ./secrets/invidious.yaml;
owner = "invidious";
}; in {
};
in {
invidious_db_password = commonSecret;
invidious_hmac_key = commonSecret;
};
networking.firewall.interfaces.local.allowedTCPPorts = [ cfg.port ];
networking.firewall.interfaces.local.allowedTCPPorts = [cfg.port];
users.groups.invidious = {};
users.users.invidious = {
isSystemUser = true;

61
nixos/kyuuto/mount.nix
View file

@ -34,7 +34,7 @@ in {
};
gameLibraries = mkOption {
type = listOf str;
default = [ "PC" ];
default = ["PC"];
};
};
@ -42,10 +42,19 @@ in {
kyuuto = {
gameLibraries = [
"PC"
"Wii" "Gamecube" "N64" "SNES" "NES"
"NDS" "GBA" "GBC"
"PS3" "PS2" "PS1"
"PSVita" "PSP"
"Wii"
"Gamecube"
"N64"
"SNES"
"NES"
"NDS"
"GBA"
"GBC"
"PS3"
"PS2"
"PS1"
"PSVita"
"PSP"
"Genesis"
];
};
@ -74,7 +83,7 @@ in {
{
${cfg.shareDir} = mkMerge [
shared
{ group = "peeps"; }
{group = "peeps";}
];
${cfg.transferDir} = shared;
${cfg.libraryDir} = shared;
@ -108,28 +117,34 @@ in {
};
users = let
mapId = id: if config.proxmoxLXC.privileged or true then 100000 + id else id;
mapId = id:
if config.proxmoxLXC.privileged or true
then 100000 + id
else id;
mkDummyUsers = {
name,
group ? name,
enable ? !config.services.${serviceName}.enable, serviceName ? name,
enable ? !config.services.${serviceName}.enable,
serviceName ? name,
uid ? config.ids.uids.${name},
gid ? config.ids.gids.${group},
}: mkIf enable {
users.${name} = {
group = mkIf (group != null) group;
uid = mapId uid;
isSystemUser = true;
}:
mkIf enable {
users.${name} = {
group = mkIf (group != null) group;
uid = mapId uid;
isSystemUser = true;
};
groups.${group} = {
gid = mapId gid;
};
};
groups.${group} = {
gid = mapId gid;
};
};
in mkMerge [
(mkDummyUsers { name = "deluge"; })
(mkDummyUsers { name = "radarr"; })
(mkDummyUsers { name = "sonarr"; })
(mkDummyUsers { name = "lidarr"; })
];
in
mkMerge [
(mkDummyUsers {name = "deluge";})
(mkDummyUsers {name = "radarr";})
(mkDummyUsers {name = "sonarr";})
(mkDummyUsers {name = "lidarr";})
];
};
}

1
nixos/kyuuto/nfs.nix
View file

@ -1,4 +1,3 @@
{
config,
lib,

41
nixos/kyuuto/opl.nix
View file

@ -10,9 +10,11 @@
cfg = kyuuto.opl;
in {
options.kyuuto.opl = with lib.types; {
enable = mkEnableOption "hosting" // {
default = config.services.samba.enable;
};
enable =
mkEnableOption "hosting"
// {
default = config.services.samba.enable;
};
user = mkOption {
type = str;
default = "opl";
@ -39,22 +41,25 @@ in {
};
shares.opl = let
inherit (config.networking.access) cidrForNetwork;
localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all
localAddrs =
cidrForNetwork.loopback.all
++ cidrForNetwork.local.all
++ lib.optionals config.services.tailscale.enable cidrForNetwork.tail.all;
in mkIf cfg.enable {
comment = "Kyuuto Media OPL";
path = cfg.rootDir;
writeable = true;
browseable = true;
public = false;
"valid users" = [
cfg.user
"@kyuuto-peeps"
];
"strict sync" = false;
"keepalive" = 0;
"hosts allow" = localAddrs;
};
in
mkIf cfg.enable {
comment = "Kyuuto Media OPL";
path = cfg.rootDir;
writeable = true;
browseable = true;
public = false;
"valid users" = [
cfg.user
"@kyuuto-peeps"
];
"strict sync" = false;
"keepalive" = 0;
"hosts allow" = localAddrs;
};
};
services.tmpfiles = let
setupFiles = {

31
nixos/kyuuto/samba.nix
View file

@ -1,4 +1,3 @@
{
config,
lib,
@ -9,17 +8,21 @@
inherit (config.networking.access) cidrForNetwork;
inherit (config) kyuuto;
cfg = config.services.samba;
localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all
localAddrs =
cidrForNetwork.loopback.all
++ cidrForNetwork.local.all
++ optionals config.services.tailscale.enable cidrForNetwork.tail.all;
guestUsers = mkIf cfg.guest.enable [ cfg.guest.user ];
guestUsers = mkIf cfg.guest.enable [cfg.guest.user];
kyuuto-media = {
"create mask" = "0664";
"force directory mode" = "3000";
"directory mask" = "7775";
};
kyuuto-library = kyuuto-media // {
"acl group control" = true;
};
kyuuto-library =
kyuuto-media
// {
"acl group control" = true;
};
in {
services.samba = {
usershare = {
@ -35,7 +38,7 @@ in {
public = true;
"valid users" = mkMerge [
guestUsers
[ "@peeps" ]
["@peeps"]
];
#"guest only" = true;
"hosts allow" = localAddrs;
@ -54,10 +57,10 @@ in {
public = true;
"valid users" = mkMerge [
guestUsers
[ "@kyuuto-peeps" ]
["@kyuuto-peeps"]
];
"read list" = guestUsers;
"write list" = [ "@kyuuto-peeps" ];
"write list" = ["@kyuuto-peeps"];
"hosts allow" = localAddrs;
}
];
@ -69,7 +72,7 @@ in {
writeable = true;
public = false;
browseable = false;
"valid users" = [ "@kyuuto-peeps" ];
"valid users" = ["@kyuuto-peeps"];
}
];
kyuuto-media = mkMerge [
@ -80,7 +83,7 @@ in {
writeable = true;
public = false;
browseable = false;
"valid users" = [ "@kyuuto-peeps" ];
"valid users" = ["@kyuuto-peeps"];
}
];
shared = {
@ -89,7 +92,7 @@ in {
writeable = true;
public = false;
browseable = false;
"valid users" = [ "@peeps" ];
"valid users" = ["@peeps"];
"create mask" = "0775";
"force create mode" = "0010";
"force directory mode" = "2000";
@ -99,7 +102,7 @@ in {
writeable = true;
browseable = true;
public = false;
"valid users" = [ "@peeps" ];
"valid users" = ["@peeps"];
"create mask" = "0664";
"force directory mode" = "5000";
"directory mask" = "7775";
@ -108,5 +111,5 @@ in {
};
# give guest users proper access to the transfer share
users.users.guest.extraGroups = [ "kyuuto" ];
users.users.guest.extraGroups = ["kyuuto"];
}

2
nixos/lidarr.nix
View file

@ -2,5 +2,5 @@ _: {
services.lidarr = {
enable = true;
};
users.users.lidarr.extraGroups = [ "kyuuto" ];
users.users.lidarr.extraGroups = ["kyuuto"];
}

2
nixos/mediatomb.nix
View file

@ -12,6 +12,6 @@ in {
uuid = mkDefault "082fd344-bf69-5b72-a68f-a5a4d88e76b2";
};
config.users.users = mkIf cfg.enable {
${cfg.user}.extraGroups = [ "kyuuto" ];
${cfg.user}.extraGroups = ["kyuuto"];
};
}

4
nixos/nfs.nix
View file

@ -29,9 +29,9 @@ in {
idmapd.settings = {
General.Domain = mkDefault config.networking.domain;
Translation.GSS-Methods = concatStringsSep "," (
[ "static" ]
["static"]
++ optional enableLdap "umich_ldap"
++ [ "nsswitch" ]
++ ["nsswitch"]
);
Static = {
};

5
nixos/ombi.nix
View file

@ -1,7 +1,4 @@
{
lib,
...
}: let
{lib, ...}: let
inherit (lib.modules) mkDefault;
in {
services.ombi = {

14
nixos/plex.nix
View file

@ -1,4 +1,9 @@
{config, lib, pkgs, ...}: let
{
config,
lib,
pkgs,
...
}: let
inherit (lib.modules) mkIf mkForce mkDefault;
inherit (lib.strings) escapeShellArg;
cfg = config.services.plex;
@ -21,9 +26,10 @@ in {
fi
${pkgs.coreutils}/bin/ln -sfT ../Cache "$PLEX_DATADIR/Plex Media Server/Cache"
'';
in mkForce [
''!${preStartScript}''
];
in
mkForce [
''!${preStartScript}''
];
# KillMode = "mixed" doesn't behave as expected...
TimeoutStopSec = 5;
};

7
nixos/postgres.nix
View file

@ -8,7 +8,7 @@
in {
services.postgresql = {
enable = mkDefault true;
ensureDatabases = ["hass" "invidious" "dex"];
ensureDatabases = ["hass" "invidious" "dex" "keycloak"];
ensureUsers = [
{
name = "hass";
@ -25,6 +25,11 @@ in {
ensureDBOwnership = true;
authentication.local.allow = true;
}
{
name = "keycloak";
ensureDBOwnership = true;
authentication.local.allow = true;
}
];
};

2
nixos/radarr.nix
View file

@ -3,5 +3,5 @@ _: {
enable = true;
};
users.users.radarr.extraGroups = [ "kyuuto" ];
users.users.radarr.extraGroups = ["kyuuto"];
}

2
nixos/readarr.nix
View file

@ -2,5 +2,5 @@ _: {
services.readarr = {
enable = true;
};
users.users.readarr.extraGroups = [ "kyuuto" ];
users.users.readarr.extraGroups = ["kyuuto"];
}

5
nixos/reisen-ct/filesystem.nix
View file

@ -1,7 +1,4 @@
{
lib,
...
}: let
{lib, ...}: let
inherit (lib) mkDefault;
in {
services.kanidm.serverSettings.db_fs_type = mkDefault "zfs";

4
nixos/samba.nix
View file

@ -6,8 +6,8 @@
inherit (lib.modules) mkIf mkDefault;
inherit (lib.lists) any;
inherit (lib.strings) hasInfix concatMapStringsSep splitString;
cfg = config.services.samba;
hasIpv4 = any (hasInfix ".") config.systemd.network.networks.eth0.address or [ ];
cfg = config.services.samba;
hasIpv4 = any (hasInfix ".") config.systemd.network.networks.eth0.address or [];
in {
services.samba = {
enable = mkDefault true;

6
nixos/secrets/postgres.yaml
View file

@ -1,4 +1,4 @@
postgresql-init: ENC[AES256_GCM,data:fW9g0WKVHTO9blqlEXLJejyQUqC3na/Xh6Il2GNfuX6c2LfRjfFSeour4qt2envtPO+WanGl+ueE1AMck5t02TjqrN4a6DsQpAIGFVE7L4ajp/13Gp308pY4Xu7OKHjkGpzVBATKgLDZkoU8yAkqKZCBEU3d4xegp8pgnsLSpb/LndKiITjhTe2IJOSkIJd9twSsra8JQWRYCW8WjZZ9YOe5nqtU+56b/zb0CxVhhln0jU/3e5s7pfblfou2TnvnFezswjNTIGftNU1wOaxSCA==,iv:hjKNZ4EbPpl5YIcaWJYLKJzxuOmMjL4AtfUeL4vm5QA=,tag:mYcu4cRUnZeLgeISfaxXPQ==,type:str]
postgresql-init: ENC[AES256_GCM,data:lbkeMv6PZgB7tEl4VbIYX9VUAgJ6Kcj0jLNyyqxJJcVJPjo1lF2d/i5bFnU1/6aJ2T7ftMW4hefYgrnIMdKXxPPfrHftaEMhl9bfJIsuX2I1CXAasZOhpsmg9Wf2cvXuVYIlqTVssg+3EKW0ejCMdX6OfGdAXvBlio1DQs7YrUc+BjDiEuAUAaaYbz67EYY3dpYQixQGl/8G2w7S897uCXpc1oOh6vbGY4Nl+GGQ7B5xrrbYcdATwfGyYlZYSlIv8feDsLv7Rt+w3o4tTAxcz+8qZ7KZ6sIsu/nUoYeqoT9MJ8uRpWccXKcBVAFSEooUIHUEBA/QsGizAXBgzCnyLDvuv3DOquo2xeMg0kWM8zsF1f9YRyUKqQ==,iv:RKIvggRZlPocygabF0iKNBThBRFG5rlzrIvGjjt7s0o=,tag:U/XUDJs5J8lHB9BJ5/0fFA==,type:str]
sops:
shamir_threshold: 1
kms: []
@ -33,8 +33,8 @@ sops:
a3l3bUx5NzdqUGd1TEpGY3UvQWt4TU0KB4MAjvI43FaOiGhWTkwPpeMMiAnX4v3L
rLZDdc/vegF10FKTNJdxdq1E7ccMaV1KwjQkJoOJnWe6teKLjGOFkA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-19T03:46:45Z"
mac: ENC[AES256_GCM,data:FMzWnFllHDpgIoDJIKS7aWpUSVNH0+ij0+AIzl3qtjeuzmUUluDtEes6yAR8g/Daq+nxiMRnsse0HfUqZeT0rVVEpqvQB4Wsoq+G9qj8mmEUrHJzjU5rSDWV8uf5F1BsZbvF13VBulh/RWsmWjps+z6vyJ7uM1QjS3hSF2k3hSM=,iv:tpH8XjoTtNzPOOIosObpsvOAzZO7ywK9xjow3xTOJqY=,tag:BTzezbH9zZDZBzy1x+AJ1w==,type:str]
lastmodified: "2024-03-13T21:46:56Z"
mac: ENC[AES256_GCM,data:rEtRHX3PH1B+uoR82lDH3ACKHPbhxy+y7B9YgR6TzPSU4yIaTSqSK51eLJZoUtW6UTl6QDcTrsKDA8lGu9M/Ohfx8ayp6rkX63H/hkl0h6YaQmWDAQoNAAEWqfJ9r8O8tKKpE6qF/rw4c4KpuA5ONufOl9qj1KSgFzz0WHaKtWk=,iv:TUBAe62dmF6FAjZOPaxwzQjWL21TdWQG0YyuXJGgtk8=,tag:dewWivfnZO30Np2gajwLIw==,type:str]
pgp:
- created_at: "2024-01-19T19:08:55Z"
enc: |-

2
nixos/sonarr.nix
View file

@ -2,5 +2,5 @@ _: {
services.sonarr = {
enable = true;
};
users.users.sonarr.extraGroups = [ "kyuuto" ];
users.users.sonarr.extraGroups = ["kyuuto"];
}

9
nixos/sops.nix
View file

@ -1,8 +1,13 @@
{ lib, inputs, ... }: with lib; {
{
lib,
inputs,
...
}:
with lib; {
imports = [
inputs.sops-nix.nixosModules.sops
];
sops = {
age.sshKeyPaths = mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
age.sshKeyPaths = mkDefault ["/etc/ssh/ssh_host_ed25519_key"];
};
}

5
nixos/steam/account-switch.nix
View file

@ -1,7 +1,4 @@
{
lib,
...
}: let
{lib, ...}: let
inherit (lib.modules) mkDefault;
in {
services.steam.accountSwitch = {

9
nixos/steam/beatsaber.nix
View file

@ -1,15 +1,12 @@
{
lib,
...
}: let
{lib, ...}: let
inherit (lib.modules) mkDefault;
in {
services.steam.beatsaber = {
enable = mkDefault true;
defaultVersion = mkDefault "1.29.0";
versions = {
"1.29.0" = { };
"1.34.2" = { };
"1.29.0" = {};
"1.34.2" = {};
};
};
}

2
nixos/syncthing-kat/syncthing.nix
View file

@ -1,4 +1,4 @@
{ config, ... }: {
{config, ...}: {
services.syncthing = {
enable = true;
relay.enable = true;

3
nixos/systemd2mqtt.nix
View file

@ -10,7 +10,8 @@ in {
enable = mkDefault true;
user = mkDefault "root";
mqtt = {
url = mkDefault (if config.services.mosquitto.enable
url = mkDefault (
if config.services.mosquitto.enable
then "tcp://localhost:1883"
else "tcp://mqtt.local.${config.networking.domain}:1883"
);

6
nixos/tautulli.nix
View file

@ -1,4 +1,8 @@
{config, lib, ...}: let
{
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkDefault;
cfg = config.services.tautulli;
in {

14
nixos/users/arc.nix
View file

@ -1,22 +1,22 @@
{ config, ... }:
{
users.users.arc = { name, ... }: {
{config, ...}: {
users.users.arc = {name, ...}: {
uid = 8001;
isNormalUser = true;
autoSubUidGidRange = false;
group = name;
extraGroups = [
"users" "peeps"
"users"
"peeps"
"kyuuto"
"steamaccount" "beatsaber"
"steamaccount"
"beatsaber"
"wheel"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp"
];
};
users.groups.arc = { name, ... }: {
users.groups.arc = {name, ...}: {
gid = config.users.users.${name}.uid;
};
}

11
nixos/users/connie.nix
View file

@ -1,17 +1,16 @@
{ config, ... }:
{
users.users.connieallure = { name, ... }: {
{config, ...}: {
users.users.connieallure = {name, ...}: {
uid = 8003;
isNormalUser = true;
autoSubUidGidRange = false;
group = name;
extraGroups = [
"users" "peeps"
"users"
"peeps"
"kyuuto"
];
};
users.groups.connieallure = { name, ... }: {
users.groups.connieallure = {name, ...}: {
gid = config.users.users.${name}.uid;
};
}

14
nixos/users/kaosu.nix
View file

@ -1,18 +1,18 @@
{ config, ... }:
{
users.users.kaosubaloo = { name, ... }: {
{config, ...}: {
users.users.kaosubaloo = {name, ...}: {
uid = 8002;
isNormalUser = true;
autoSubUidGidRange = false;
group = name;
extraGroups = [
"users" "peeps"
"users"
"peeps"
"kyuuto"
"steamaccount" "beatsaber"
"steamaccount"
"beatsaber"
];
};
users.groups.kaosubaloo = { name, ... }: {
users.groups.kaosubaloo = {name, ...}: {
gid = config.users.users.${name}.uid;
};
}

16
nixos/users/kat.nix
View file

@ -1,25 +1,25 @@
{ config, ... }:
{
users.users.kat = { name, ... }: {
{config, ...}: {
users.users.kat = {name, ...}: {
uid = 8000;
isNormalUser = true;
autoSubUidGidRange = false;
group = name;
extraGroups = [
"users" "peeps"
"users"
"peeps"
"kyuuto"
"steamaccount" "beatsaber"
"steamaccount"
"beatsaber"
"wheel"
];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCocjQqiDIvzq+Qu3jkf7FXw5piwtvZ1Mihw9cVjdVcsra3U2c9WYtYrA3rS50N3p00oUqQm9z1KUrvHzdE+03ZCrvaGdrtYVsaeoCuuvw7qxTQRbItTAEsfRcZLQ5c1v/57HNYNEsjVrt8VukMPRXWgl+lmzh37dd9w45cCY1QPi+JXQQ/4i9Vc3aWSe4X6PHOEMSBHxepnxm5VNHm4PObGcVbjBf0OkunMeztd1YYA9sEPyEK3b8IHxDl34e5t6NDLCIDz0N/UgzCxSxoz+YJ0feQuZtud/YLkuQcMxW2dSGvnJ0nYy7SA5DkW1oqcy6CGDndHl5StOlJ1IF9aGh0gGkx5SRrV7HOGvapR60RphKrR5zQbFFka99kvSQgOZqSB3CGDEQGHv8dXKXIFlzX78jjWDOBT67vA/M9BK9FS2iNnBF5x6shJ9SU5IK4ySxq8qvN7Us8emkN3pyO8yqgsSOzzJT1JmWUAx0tZWG/BwKcFBHfceAPQl6pwxx28TM3BTBRYdzPJLTkAy48y6iXW6UYdfAPlShy79IYjQtEThTuIiEzdzgYdros0x3PDniuAP0KOKMgbikr0gRa6zahPjf0qqBnHeLB6nHAfaVzI0aNbhOg2bdOueE1FX0x48sjKqjOpjlIfq4WeZp9REr2YHEsoLFOBfgId5P3BPtpBQ== yubikey5"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPsu3vNsvBb/G+wALpstD/DnoRZ3fipAs00jtl8rzDuv96RlS7AJr4aNvG6Pt2D9SYn2wVLaiw+76mz2gOycH9/N+VCvL4/0MN9uqj+7XIcxNRo0gHVOblmi2bOXcmGKh3eRwHj1xyDwRxo9WIuBEP2bPpDPz75OXRtEdlTgvky7siSguQxJu03cb0p9hNAYhUoohNXyWW2CjDCLUQVE1+QRVUzsKq3KkPy0cHYgmZC1gRSMQyKpMt72L5tayLz3Tp/zrshucc+QO5IJeZdqMxsNAcvALsysT1J5EqxZoYH9VpWLRhSgVD6Nvn853pycJAlXQxgOCpSD3/v/JbgUe5NE+ci0o7NMy5IiHUv2gQMRIEhwBHlRGwokUPL9upx0lsjaEiPya5xQqqDKRom87xytM778ANS5CuMdQMWg9qVbpHZUHMjA0QmNkjPgq71pUDXHk5L4mZuS8wVjyjnvlw68yIJuHEc8P7QiLcjvRHFS2L9Ck8NRmPDTQXlQi9kk6LmMyu6fdevR/kZL21b+xO1e2DMyxBbNDTot8luppiiL8adgUDMwptpIne7JCWB1o9NFCbXUVgwuCCYBif6pOGSc6bGo1JTAKMflRlcy6Mi3t5H0mR2lj/sCSTWwTlP5FM4aPIq08NvW6PeuK1bFJY9fIgTwVsUnbAKOhmsMt62w== cardno:12 078 454"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDPsu3vNsvBb/G+wALpstD/DnoRZ3fipAs00jtl8rzDuv96RlS7AJr4aNvG6Pt2D9SYn2wVLaiw+76mz2gOycH9/N+VCvL4/0MN9uqj+7XIcxNRo0gHVOblmi2bOXcmGKh3eRwHj1xyDwRxo9WIuBEP2bPpDPz75OXRtEdlTgvky7siSguQxJu03cb0p9hNAYhUoohNXyWW2CjDCLUQVE1+QRVUzsKq3KkPy0cHYgmZC1gRSMQyKpMt72L5tayLz3Tp/zrshucc+QO5IJeZdqMxsNAcvALsysT1J5EqxZoYH9VpWLRhSgVD6Nvn853pycJAlXQxgOCpSD3/v/JbgUe5NE+ci0o7NMy5IiHUv2gQMRIEhwBHlRGwokUPL9upx0lsjaEiPya5xQqqDKRom87xytM778ANS5CuMdQMWg9qVbpHZUHMjA0QmNkjPgq71pUDXHk5L4mZuS8wVjyjnvlw68yIJuHEc8P7QiLcjvRHFS2L9Ck8NRmPDTQXlQi9kk6LmMyu6fdevR/kZL21b+xO1e2DMyxBbNDTot8luppiiL8adgUDMwptpIne7JCWB1o9NFCbXUVgwuCCYBif6pOGSc6bGo1JTAKMflRlcy6Mi3t5H0mR2lj/sCSTWwTlP5FM4aPIq08NvW6PeuK1bFJY9fIgTwVsUnbAKOhmsMt62w== cardno:12 078 454"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi"
];
};
users.groups.kat = { name, ... }: {
users.groups.kat = {name, ...}: {
gid = config.users.users.${name}.uid;
};
}