kat/nixfiles
1
0
Fork 0
mirror of https://github.com/kittywitch/nixfiles.git synced 2026-02-09 20:39:18 -08:00
Code Issues Projects Releases Packages Wiki Activity

changes en masse, cleanup

Browse source
This commit is contained in:
Kat Inskip 2022-06-02 17:12:20 +01:00 committed by kat
parent 84351416d6
commit 89e4922c25
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
30 changed files with 304 additions and 581 deletions
Download patch file Download diff file Expand all files Collapse all files

124
.github/workflows/nodes.yml vendored
View file

@ -152,68 +152,6 @@ jobs:
command: ci-build-cache
quiet: false
stdin: ${{ runner.temp }}/ci.build.cache
goliath:
name: nodes-goliath
runs-on: ubuntu-latest
steps:
- id: checkout
name: git clone
uses: actions/checkout@v1
with:
submodules: false
- id: nix-install
name: nix install
uses: arcnmx/ci/actions/nix/install@nix2.4
- id: ci-setup
name: nix setup
uses: arcnmx/ci/actions/nix/run@nix2.4
with:
attrs: ci.job.goliath.run.bootstrap
quiet: false
- id: architectures
name: prepare for emulated builds
run: 'sudo $(which archbinfmt)
'
- id: ci-dirty
name: nix test dirty
uses: arcnmx/ci/actions/nix/run@nix2.4
with:
attrs: ci.job.goliath.run.test
command: ci-build-dirty
quiet: false
stdout: ${{ runner.temp }}/ci.build.dirty
- id: ci-test
name: nix test build
uses: arcnmx/ci/actions/nix/run@nix2.4
with:
attrs: ci.job.goliath.run.test
command: ci-build-realise
ignore-exit-code: true
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
- env:
CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
id: ci-summary
name: nix test results
uses: arcnmx/ci/actions/nix/run@nix2.4
with:
attrs: ci.job.goliath.run.test
command: ci-build-summarise
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
stdout: ${{ runner.temp }}/ci.build.cache
- env:
CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
id: ci-cache
if: always()
name: nix test cache
uses: arcnmx/ci/actions/nix/run@nix2.4
with:
attrs: ci.job.goliath.run.test
command: ci-build-cache
quiet: false
stdin: ${{ runner.temp }}/ci.build.cache
koishi:
name: nodes-koishi
runs-on: ubuntu-latest
@ -462,68 +400,6 @@ jobs:
command: ci-build-cache
quiet: false
stdin: ${{ runner.temp }}/ci.build.cache
shinmyoumaru:
name: nodes-shinmyoumaru
runs-on: ubuntu-latest
steps:
- id: checkout
name: git clone
uses: actions/checkout@v1
with:
submodules: false
- id: nix-install
name: nix install
uses: arcnmx/ci/actions/nix/install@nix2.4
- id: ci-setup
name: nix setup
uses: arcnmx/ci/actions/nix/run@nix2.4
with:
attrs: ci.job.shinmyoumaru.run.bootstrap
quiet: false
- id: architectures
name: prepare for emulated builds
run: 'sudo $(which archbinfmt)
'
- id: ci-dirty
name: nix test dirty
uses: arcnmx/ci/actions/nix/run@nix2.4
with:
attrs: ci.job.shinmyoumaru.run.test
command: ci-build-dirty
quiet: false
stdout: ${{ runner.temp }}/ci.build.dirty
- id: ci-test
name: nix test build
uses: arcnmx/ci/actions/nix/run@nix2.4
with:
attrs: ci.job.shinmyoumaru.run.test
command: ci-build-realise
ignore-exit-code: true
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
- env:
CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }}
id: ci-summary
name: nix test results
uses: arcnmx/ci/actions/nix/run@nix2.4
with:
attrs: ci.job.shinmyoumaru.run.test
command: ci-build-summarise
quiet: false
stdin: ${{ runner.temp }}/ci.build.dirty
stdout: ${{ runner.temp }}/ci.build.cache
- env:
CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }}
id: ci-cache
if: always()
name: nix test cache
uses: arcnmx/ci/actions/nix/run@nix2.4
with:
attrs: ci.job.shinmyoumaru.run.test
command: ci-build-cache
quiet: false
stdin: ${{ runner.temp }}/ci.build.cache
yukari:
name: nodes-yukari
runs-on: ubuntu-latest

1
config/hosts/daiyousei.nix
View file

@ -5,7 +5,6 @@
profiles.network
users.kat.services.weechat
services.nginx
services.gitea
services.murmur
services.murmur-ldap
services.prosody

51
config/hosts/issun-boushi.nix
View file

@ -1,51 +0,0 @@
{ config, meta, pkgs, lib, modulesPath, ... }: with lib; {
imports = with meta; [
profiles.hardware.raspi
(modulesPath + "/installer/sd-card/sd-image-raspberrypi.nix")
];
home-manager.users.kat.programs.neovim.enable = mkForce false;
programs.mosh.enable = mkForce false;
boot.supportedFilesystems = mkForce (singleton "ext4");
deploy.tf = {
resources.shinmyoumaru = {
provider = "null";
type = "resource";
connection = {
port = head config.services.openssh.ports;
host = config.network.addresses.private.nixos.ipv4.address;
};
};
};
networking = {
useDHCP = true;
interfaces.eth0.useDHCP = true;
};
network = {
addresses = {
private = {
enable = true;
nixos = {
ipv4.address = "192.168.1.34";
};
};
};
yggdrasil = {
enable = false;
pubkey = "70c18030247e98fdffe4fd81f5fa8c7c4ed43fd6a4fb2b5ef7af0a010d08f63c";
address = "200:691b:b4fb:6987:711f:bde:9b5c:8af3";
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
firewall = {
private.interfaces = singleton "yggdrasil";
public.interfaces = singleton "eth0";
};
};
system.stateVersion = "21.11";
}

3
config/hosts/rinnosuke.nix
View file

@ -3,7 +3,8 @@
profiles.hardware.oracle.ubuntu
profiles.network
services.nginx
] ++ optional (builtins.getEnv "CI_PLATFORM" == "impure" && builtins.pathExists ../trusted/knot) ../trusted/knot;
services.knot
];
kw.oci = {
specs = {

53
config/hosts/shinmyoumaru.nix
View file

@ -1,53 +0,0 @@
{ config, meta, pkgs, lib, modulesPath, ... }: with lib; {
imports = with meta; [
profiles.hardware.raspi
services.dnscrypt-proxy
services.dht22-exporter
(modulesPath + "/installer/sd-card/sd-image-raspberrypi.nix")
];
home-manager.users.kat.programs.neovim.enable = mkForce false;
programs.mosh.enable = mkForce false;
boot.supportedFilesystems = mkForce (singleton "ext4");
deploy.tf = {
resources.shinmyoumaru = {
provider = "null";
type = "resource";
connection = {
port = head config.services.openssh.ports;
host = config.network.addresses.private.nixos.ipv4.address;
};
};
};
networking = {
useDHCP = true;
interfaces.eth0.useDHCP = true;
};
network = {
addresses = {
private = {
enable = true;
nixos = {
ipv4.address = "192.168.1.33";
};
};
};
yggdrasil = {
enable = false;
pubkey = "70c18030247e98fdffe4fd81f5fa8c7c4ed43fd6a4fb2b5ef7af0a010d08f63c";
address = "200:691b:b4fb:6987:711f:bde:9b5c:8af3";
listen.enable = false;
listen.endpoints = [ "tcp://0.0.0.0:0" ];
};
firewall = {
private.interfaces = singleton "yggdrasil";
public.interfaces = singleton "eth0";
};
};
system.stateVersion = "21.11";
}

2
config/profiles/network.nix
View file

@ -48,7 +48,7 @@
services.tailscale.enable = true;
systemd.services.tailscale-autoconnect = {
systemd.services.tailscale-autoconnect = mkIf (builtins.getEnv "TF_IN_AUTOMATION" != "" || tf.state.enable) {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale

34
config/services/dnscrypt-proxy.nix
View file

@ -1,36 +1,2 @@
{ config, lib, pkgs, ... }: {
networking = {
resolvconf.useLocalResolver = true;
networkmanager.dns = "none";
};
services.dnscrypt-proxy2 = {
enable = true;
settings = {
ipv6_servers = true;
require_dnssec = true;
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key =
"RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
# You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
server_names = [
"acsacsar-ams-ipv4"
"acsacsar-ams-ipv6"
"dnscrypt.eu-dk"
"dnscrypt.eu-dk-ipv6"
"dnscrypt.eu-nl"
"dnscrypt.eu-nl-ipv6"
"meganerd"
"meganerd-ipv6"
];
};
};
}

49
config/services/irlmail.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, tf, meta, lib, ... }: with lib; {
dns.zones."inskip.me." = {
provider = "dns.katdns";
};
resources.gmail-mx = let
zone = config.dns.zones."inskip.me.";
in with zone; {
provider = provider.set;
type = "mx_record_set";
inputs = {
zone = domain;
ttl = 3600;
mx = [
{ preference = 1; exchange = "aspmx.l.google.com."; }
{ preference = 5; exchange = "alt1.aspmx.l.google.com."; }
{ preference = 5; exchange = "alt2.aspmx.l.google.com."; }
{ preference = 10; exchange = "alt3.aspmx.l.google.com."; }
{ preference = 10; exchange = "alt4.aspmx.l.google.com."; }
{ preference = 15; exchange = "6uyykkzhqi4zgogxiicbuamoqrxajwo5werga4byh77b2iyx3wma.mx-verification.google.com."; }
];
};
};
dns.records = {
services_inskip_a = {
zone = "inskip.me.";
a.address = meta.network.nodes.marisa.network.addresses.public.nixos.ipv4.address;
};
services_inskip_aaaa = {
zone = "inskip.me.";
aaaa.address = meta.network.nodes.marisa.network.addresses.public.nixos.ipv6.address;
};
services_gmail_spf = {
zone = "inskip.me.";
txt.value = "v=spf1 include:_spf.google.com ~all";
};
services_gmail_dkim = {
zone = "inskip.me.";
domain = "google._domainkey";
txt.value = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkxag/EmXQ89XQmLrBDPpPtZ7EtEJT0hgvWf/+AFiOfBOm902tq9NbTTvRJ2dLeBLPaV+hNvq2Alc7UfkKUDlLTWQjeuiC6aOnRKQQg3LZ2W25U3AlIj0jd2IPiUhg9JGV4c66XiqQ5ylTBniShfUUyeAXxbPhYFBCkBg62LZcO/tFpFsdKWtZzLjgac5vTJID+M4F8duHpkA/ZCNNUEmtt7RNQB/LLI1Gr5yR4GdQl9z7NmwtOTo9pghbZuvljr8phYjdDrwZeFTMKQnvR1l2Eh/dZ8I0C4nP5Bk4QEfmLq666P1HzOxwT6iCU6Tc+P/pkWbrx0HJh39E1aKGyLJMQIDAQAB";
};
services_gmail_dmarc = {
zone = "inskip.me.";
domain = "_dmarc";
txt.value = "v=DMARC1; p=none; rua=mailto:dmarc-reports@inskip.me";
};
};
}

7
config/services/irlsite.nix Normal file
View file

@ -0,0 +1,7 @@
{ config, lib, pkgs, ... }: {
services.nginx.virtualHosts."inskip.me" = {
root = pkgs.irlsite;
enableACME = true;
forceSSL = true;
};
}

1
config/services/keycloak.nix
View file

@ -13,6 +13,7 @@ in {
http-host = "127.0.0.1";
http-port = 8089;
https-port = 8445;
proxy = "edge";
hostname = "auth.kittywit.ch";
http-relative-path = "/auth";
hostname-strict-backchannel = true;

35
config/services/knot/default.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, lib, tf, pkgs, ... }:
{
network.dns.enable = false;
kw.secrets.variables = {
katdns-key-config = {
path = "secrets/katdns";
field = "notes";
};
};
network.firewall.public = {
tcp.ports = [ 53 ];
udp.ports = [ 53 ];
};
/* environment.etc."katdns/zones/gensokyo.zone.zone".text = let
dns = pkgs.dns;
in dns.lib.toString "gensokyo.zone" (import ./gensokyo.zone.nix { inherit dns lib; }); */
secrets.files.katdns-keyfile = {
text = "${tf.variables.katdns-key-config.ref}";
owner = "knot";
group = "knot";
};
services.knot = {
enable = true;
extraConfig = builtins.readFile ./knot.yaml;
keyFiles = [
config.secrets.files.katdns-keyfile.path
];
};
}

20
config/services/knot/dork.dev.nix Normal file
View file

@ -0,0 +1,20 @@
{ dns, lib }:
with dns.lib.combinators;
{
SOA = {
nameServer = "ns1";
adminEmail = "kat@kittywit.ch";
serial = 2021090100;
ttl = 3600;
};
CAA = map (x: x // { ttl = 3600; }) (letsEncrypt "acme@kittywit.ch");
NS = [
"ns1.kittywit.ch."
"rdns1.benjojo.co.uk."
"rdns2.benjojo.co.uk."
];
}

20
config/services/knot/gensokyo.zone.nix Normal file
View file

@ -0,0 +1,20 @@
{ dns, lib }:
with dns.lib.combinators;
{
SOA = {
nameServer = "ns1";
adminEmail = "kat@kittywit.ch";
serial = 2021090100;
ttl = 3600;
};
CAA = map (x: x // { ttl = 3600; }) (letsEncrypt "acme@kittywit.ch");
NS = [
"ns1.kittywit.ch."
"rdns1.benjojo.co.uk."
"rdns2.benjojo.co.uk."
];
}

20
config/services/knot/kittywit.ch.nix Normal file
View file

@ -0,0 +1,20 @@
{ dns, lib }:
with dns.lib.combinators;
{
SOA = {
nameServer = "ns1";
adminEmail = "kat@kittywit.ch";
serial = 2021083001;
ttl = 3600;
};
CAA = map (x: x // { ttl = 3600; }) (letsEncrypt "acme@kittywit.ch");
NS = [
"ns1.kittywit.ch."
"rdns1.benjojo.co.uk."
"rdns2.benjojo.co.uk."
];
}

60
config/services/knot/knot.yaml Normal file
View file

@ -0,0 +1,60 @@
server:
listen: [ 0.0.0.0@53, ::@53 ]
remote:
- id: benjojo-1
address: [ 185.230.223.84, 2a0c:2f07:4896:666:216:3eff:fedb:c742 ]
- id: benjojo-2
address: 185.236.240.26
- id: benjojo-3
address: 185.230.223.7
acl:
- id: dnsupdate
key: dnsupdate.kittywit.ch.
action: update
- id: benjojo
remote: [ benjojo-1, benjojo-2, benjojo-3 ]
action: transfer
zone:
- domain: kittywit.ch
semantic-checks: on
storage: /var/lib/knot/zones/
file: kittywit.ch.zone
dnssec-signing: on
module: mod-stats
notify: [ benjojo-1, benjojo-2, benjojo-3 ]
zonefile-load: difference
acl: [ benjojo, dnsupdate ]
- domain: dork.dev
semantic-checks: on
storage: /var/lib/knot/zones/
file: dork.dev.zone
dnssec-signing: on
module: mod-stats
notify: [ benjojo-1, benjojo-2, benjojo-3 ]
zonefile-load: difference
acl: [ benjojo, dnsupdate ]
- domain: inskip.me
semantic-checks: on
storage: /var/lib/knot/zones/
file: inskip.me.zone
dnssec-signing: on
module: mod-stats
notify: [ benjojo-1, benjojo-2, benjojo-3 ]
zonefile-load: difference
acl: [ benjojo, dnsupdate ]
- domain: gensokyo.zone
semantic-checks: on
storage: /var/lib/knot/zones/
file: gensokyo.zone.zone
dnssec-signing: on
module: mod-stats
notify: [ benjojo-1, benjojo-2, benjojo-3 ]
zonefile-load: difference
acl: [ benjojo, dnsupdate ]
log:
- target: syslog
any: info

2
config/services/openldap/default.nix
View file

@ -3,7 +3,7 @@
services.openldap = {
enable = true;
urlList = [ "ldap:///" "ldapi:///" "ldaps:///" ];
urlList = [ "ldap:///" "ldaps:///" ];
settings = {
attrs = {
objectClass = "olcGlobal";

3
config/services/website.nix
View file

@ -5,10 +5,9 @@
services.nginx.virtualHosts = {
"${config.network.dns.domain}" = {
root = pkgs.kat-hugosite;
root = pkgs.gensokyoZone;
enableACME = true;
forceSSL = true;
};
};
}

2
config/tf

@ -1 +1 @@
Subproject commit 046c6861f58f5113764ca2470748b7c87f29505e
Subproject commit 9422092e341bccb456c0d88c7cc5ee236f856e85

4
config/users/kat/base/shell.nix
View file

@ -57,10 +57,6 @@ in
"listrowsfirst"
]; in
''
${if config.anicca.enabled then ''
HISTFILE=/persist/home/.zsh_history
'' else ''
''}
${if pkgs.stdenv.system != "aarch64-darwin" then ''
eval $(dircolors)
'' else ''

4
config/users/kat/dev/emacs.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, inputs, ... }: with lib;
{ tf, config, lib, pkgs, inputs, ... }: with lib;
let
doom-emacs = pkgs.callPackage inputs.nix-doom-emacs {
@ -15,7 +15,7 @@ let
};
};
in
optionalAttrs (builtins.getEnv "CI_PLATFORM" == "impure" && "mew" != "mew") {
optionalAttrs (builtins.getEnv "CI_PLATFORM" == "impure" && builtins.getEnv "TF_IN_AUTOMATION" != "") {
home.packages = [ doom-emacs pkgs.sqlite ];
home.file.".emacs.d/init.el".text = ''

1
config/users/kat/personal/packages.nix
View file

@ -3,5 +3,6 @@
{
home.packages = with pkgs; [
borgbackup
homebank
];
}

48
flake.lock generated
View file

@ -20,11 +20,11 @@
"arcexprs": {
"flake": false,
"locked": {
"lastModified": 1652207446,
"narHash": "sha256-KWMMkKny/5Ukh36rus2nr6X7rDmRBpjOdJeEwlnsJL8=",
"lastModified": 1654126673,
"narHash": "sha256-SxNpS14YUuwsSkd6PBfSTdzC191U6W36F3NQ0fJVr6U=",
"owner": "arcnmx",
"repo": "nixexprs",
"rev": "1d80363ae941952431cf377816c4790e451823f4",
"rev": "979321a3a55274c7eef9b85d74169b79e5a17824",
"type": "github"
},
"original": {
@ -37,11 +37,11 @@
"ci": {
"flake": false,
"locked": {
"lastModified": 1643398418,
"narHash": "sha256-j7Z+k1dUg65vvBhME+c3ve1Oxlu5GeI4oNwdo1NGL10=",
"lastModified": 1654122671,
"narHash": "sha256-75xNbnJ29pWK2GbOEA9yUA6mvx5hcDWBFaSOSpv5Ob0=",
"owner": "arcnmx",
"repo": "ci",
"rev": "1d38e73657284793de5251738adbe2c04a151c08",
"rev": "b78a5e52a21dad03dd4ca6d46354be6da1cf727a",
"type": "github"
},
"original": {
@ -113,11 +113,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1652959192,
"narHash": "sha256-bFEK+kNH7tMWVsdgUosIk9/xZFvapcaQDvF1ZroyLcw=",
"lastModified": 1654170097,
"narHash": "sha256-byrZN3k78pwg15puULonJUzTSEDjf8/YCkdUm/abla8=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "4681a0c9dcbcc70fb2befe2d3d56a5277fbac7f7",
"rev": "489651e2927fdf356b68123ed6f8c7910bfa7f7d",
"type": "github"
},
"original": {
@ -241,11 +241,11 @@
},
"flake-utils": {
"locked": {
"lastModified": 1652776076,
"narHash": "sha256-gzTw/v1vj4dOVbpBSJX4J0DwUR6LIyXo7/SuuTJp1kM=",
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "04c1b180862888302ddfb2e3ad9eaa63afc60cf8",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
@ -282,11 +282,11 @@
]
},
"locked": {
"lastModified": 1652913097,
"narHash": "sha256-hOs8Z5WYzCor+qP+JgSgrCJRC+UuN9pfTUnXqyRUBvY=",
"lastModified": 1654113406,
"narHash": "sha256-70esZvhal+FsyU89mJRcAb+cDGHKt0sgZ6MlRr9Cplg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "cb9f03d519cf96fcd7dfb990cc0e586a62ca6e69",
"rev": "684e85d01d333be91c4875baebb05b93c7d2ffaa",
"type": "github"
},
"original": {
@ -407,11 +407,11 @@
},
"nixpkgs-darwin": {
"locked": {
"lastModified": 1652881001,
"narHash": "sha256-k9JmPCojaJnqGz4aRXXT1HZqJKHCXijoMfBAb24abXk=",
"lastModified": 1654115789,
"narHash": "sha256-k9Qr8dLrmgEn+xIVbneJdQgCYG8FbbqOrTVaExUrLFI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2d474d6a4a43a0348b78db68dc00c491032cf5cf",
"rev": "bce6d15455f8c15c9ef511368947e7ef789c5316",
"type": "github"
},
"original": {
@ -423,11 +423,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1652794215,
"narHash": "sha256-erVj41IcCPDWdt8CwT60ygD+SY/uhqip3RXwiESOCVk=",
"lastModified": 1653931853,
"narHash": "sha256-O3wncIouj9x7gBPntzHeK/Hkmm9M1SGlYq7JI7saTAE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "242efdc5a5aff8222c1152c0e4b9262bd02915b6",
"rev": "f1c167688a6f81f4a51ab542e5f476c8c595e457",
"type": "github"
},
"original": {
@ -455,11 +455,11 @@
},
"nur": {
"locked": {
"lastModified": 1652969435,
"narHash": "sha256-cbNoHYnKpAkhpx5wMnvXsZ9fvAsvVIPyk940nmOGog0=",
"lastModified": 1654172430,
"narHash": "sha256-6Y3ahiBZtqAYG0Mror5BdegviwWmhd5hcMhF/B/Nfng=",
"owner": "nix-community",
"repo": "nur",
"rev": "c5a7e11a501bed777dcbd0c6c7ab2093199f50e3",
"rev": "edb5c94d7640890a39325351825cc39fb1c014b1",
"type": "github"
},
"original": {

36
flake.nix
View file

@ -14,11 +14,6 @@
url = "github:kittywitch/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs";
};
impermanence.url = "github:nix-community/impermanence/master";
anicca = {
url = "github:kittywitch/anicca/main";
flake = false;
};
nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-21.11-darwin";
darwin.url = "github:lnl7/nix-darwin/master";
darwin.inputs.nixpkgs.follows = "nixpkgs-darwin";
@ -29,16 +24,15 @@
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
emacs-overlay = {
url = "github:nix-community/emacs-overlay/master";
inputs.flake-utils.follows = "flake-utils";
};
nur.url = "github:nix-community/nur/master";
nix-doom-emacs = {
url = "github:vlaci/nix-doom-emacs/develop";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
emacs-overlay = {
url = "github:nix-community/emacs-overlay/master";
inputs.flake-utils.follows = "flake-utils";
};
tf-nix = {
url = "github:arcnmx/tf-nix/master";
flake = false;
@ -55,18 +49,18 @@
};
outputs = { self, nixpkgs, flake-utils, darwin, home-manager-darwin, ... }@inputs: flake-utils.lib.eachDefaultSystem
(system:
let pkgs = nixpkgs.legacyPackages.${system}; in
rec {
devShell = import ./devShell.nix { inherit inputs system; };
legacyPackages = import ./outputs.nix { inherit inputs system; };
nixosConfigurations = legacyPackages.network.nodes;
}
) // {
(system:
let pkgs = nixpkgs.legacyPackages.${system}; in
rec {
devShell = import ./devShell.nix { inherit inputs system; };
legacyPackages = import ./outputs.nix { inherit inputs system; };
nixosConfigurations = legacyPackages.network.nodes;
}
) // {
darwinConfigurations."sumireko" = let
system = "aarch64-darwin";
meta = self.legacyPackages.${system};
in darwin.lib.darwinSystem {
system = "aarch64-darwin";
meta = self.legacyPackages.${system};
in darwin.lib.darwinSystem {
inherit inputs;
inherit system;
specialArgs = {

2
overlays/darwin.nix
View file

@ -5,13 +5,11 @@ let
inherit system;
overlays = [
(import ./nur { inherit inputs; })
(import inputs.emacs-overlay)
(import ./dns { inherit inputs; })
(import ./local)
(import ./lib)
] ++ (map (path: import "${path}/overlay.nix") [
inputs.arcexprs
inputs.anicca
]);
config = {
allowUnfree = true;

2
overlays/default.nix
View file

@ -5,13 +5,11 @@ let
inherit system;
overlays = [
(import ./nur { inherit inputs; })
(import inputs.emacs-overlay)
(import ./dns { inherit inputs; })
(import ./local)
(import ./lib)
] ++ (map (path: import "${path}/overlay.nix") [
inputs.arcexprs
inputs.anicca
]);
config = {
allowUnfree = true;

1
overlays/local/default.nix
View file

@ -1,6 +1,5 @@
final: prev: {
vips = prev.vips.override { libjxl = null; };
kat-hugosite = final.callPackage ./kat-hugosite.nix { };
sway-scrot = final.callPackage ./sway-scrot { };
vfio-vm = final.callPackage ./vm.nix { };
vfio-vm-pinning = final.callPackage ./vm-pinning.nix { };

15
overlays/local/irlsite.nix Normal file
View file

@ -0,0 +1,15 @@
{ stdenv, fetchFromGitHub, lib }: stdenv.mkDerivation rec {
name = "irlsite";
src = fetchFromGitHub {
owner = "kittywitch";
repo = "inskip.me";
rev = "696e282339dd5b958b45bc1597d31f53c2e6616b";
sha256 = lib.fakeSha256;
};
buildPhase = ''
'';
installPhase = ''
mkdir $out
cp -r ./* $out
'';
}

16
overlays/local/kat-hugosite.nix
View file

@ -1,16 +0,0 @@
{ stdenv, fetchFromGitHub, hugo, lib }: stdenv.mkDerivation rec {
name = "kat-hugosite";
src = fetchFromGitHub {
owner = "kittywitch";
repo = "hugosite";
rev = "2dc44e1668d38bb706b2290387a936c26d0dd50b";
sha256 = "sha256-HuC8NebVfp7aXciFhaFbUin5g/ChH3g+zpRNJ/6qq7g=";
};
buildPhase = ''
${hugo}/bin/hugo
'';
installPhase = ''
mkdir $out
cp -r public/* $out
'';
}

211
readme.md
View file

@ -1,137 +1,5 @@
# nixfiles
[![nodes][]][1]
[This repository on my self hosted git.][]
[This repository on GitHub.][]
These are the NixOS configurations for my systems. I run nothing other than NixOS on my hardware, aside from virtual machines.
## Nodes
| Node | Network | Purpose |
|------------------|---------|---------------------------------------------------------------|
| [kyouko][] | Public | Currently the main server. Ad-hoc hetzner cloud box. |
| [marisa][] | Public | Reverse proxier and wireguard interconnect. Ad-hoc BuyVM box. |
| [daiyousei][] | Public | Intended kyouko replacement. Provisioned OCI Ampere box. |
| [rinnosuke][] | Public | My primary nameserver. Provisioned OCI EPYC box. |
| [shinmyoumaru][] | Public | My Raspberry Pi 1 Model B+. DHT22 sensors box. |
| [yukari][] | Private | Home server. NAS + HTPC, does DVB stuff. |
| [goliath][] | Private | Beloved workstation. Does VFIO. |
| [koishi][] | Private | Main laptop. |
| [ran][] | Private | CCTV netbook. |
| [chen][] | Private | CCTV netbook. |
| [medicine][] | None | Work-in-progress Live USB. |
## Profiles
See [here][] for additional information on profiles.
| Profile | Purpose |
|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [base][] | Base profile, always used. Root access, base16, home-manager, locale, network module, nix, packages, {,neo}vim profiles, secrets, shell and sysctl configuration. |
| [gui][] | GUI profile. Provides window managers, includes [DNSCrypt/dnscrypt-proxy][] service, filesystem packages, font, NixOS-side GPG, mingetty, NFS, QT, sound (pipewire) and XDG portal configuration. |
| [network][] | Manages Wireguard Mesh. |
| [shared][] | Shared systems. Provides hexchen and arc users. |
| [vfio][] | Provides host-unspecific VFIO. Fancy patched QEMU from [arcnmx/nixexprs][], [arcnmx/screenstub][] (however, patched in-repo for Q35), AMDGPU vendor-reset and ACS override. |
| [hardware][] | Sub-profiles for my hardware are provided here. Some are reusable. Of note is the Oracle sub-profiles. |
| [cross][] | Sub-profiles are provided for emulated compiling and build caching. |
## User Profiles
| Profile | Purpose |
|--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|
| [base][2] | base16, git, inputrc, packages, secrets, kitty terminfo, SSH, tmux, weechat, vim, xdg and zsh configuration. |
| [dev][] | cookiecutters, rink, doom-emacs (although unused, forced to use PgtkGcc all fancily :3c), packages, rustfmt and (heavier on the node) vim configuration. |
| [gui][3] | firefox+userChrome+tst, font, kitty terminal, [dnkl/foot][] terminal, GTK, packages, QT, ranger and xdg configuration. |
| [media][] | mpv, obs, packages and syncplay configuration. |
| [personal][] | [arcnmx/rbw][] (fancier rbw), email via [arcnmx/notmuch-vim][], home-manager-side GPG, pass, weechat and zsh configuration. |
| [services][] | User services. weechat and mpd are provided. |
| [sway][] | sway, i3gopher, swayidle, swaylock-effects, screenshot tool, [kittywitch/konawall-rs][], mako, wofi, waybar and xkb (custom layout o:) configuration. |
## Services
| Service | Description |
|--------------------|--------------------------------------------------------------------------|
| [dnscrypt-proxy][] | DNSCrypt Proxy v2, fancy DNS stuffs. |
| [filehost][] | I sling things in here via SSH/SCP. |
| [fusionpbx][] | FusionPBX. Fancy PBX. |
| [gitea][] | Self-hosted git with mail support. |
| [glauth][] | LDAP server. |
| [jellyfin][] | HTPC/NAS stuff. |
| [katsplash][] | A splash screen for some hosts. |
| [kattv-ingest][] | Takes data from kattv, slings to RTMP. |
| [kattv][] | Takes data from a webcam, slings to kattv-ingest. |
| [keycloak][] | Fancy identity stuffs. |
| [knot][] | Knot DNS, authoritative DNS server. |
| [logrotate][] | Rotates logs! |
| [mail][] | [nixos-mailserver][]. |
| [matrix][] | Synapse and some appservices. Need to migrate the appservice configs in. |
| [murmur][] | Mumble! |
| [nfs][] | Network filesy stuff. |
| [nginx][] | Our NGINX preset configs. |
| [postgres][] | Database of choice. |
| [radicale][] | CalDAV, integrated with the mail service. |
| [restic][] | Backups! |
| [syncplay][] | Watching videos with friends and lovers. Usually, lovers. |
| [taskserver][] | Taskwarrior server. |
| [transmission][] | Linux distros, I swear. |
| [tvheadend][] | DVB-T ingest for Jellyfin and so on! |
| [vaultwarden][] | Passwords! |
| [website][] | Our personal website. |
| [xmpp][] | Prosody. |
| [zfs][] | ZFS snapshot settings. |
| [znc][] | IRC bouncer! |
## Modules
This list will include the modules provided by [kittywitch/nixexprs][] as “katexprs”.
They are available within this repo as [exprs][].
| Module | Domain | Description |
|--------------------------------|-----------------------------|----------------------------------------------------------------------------------------------------------|
| [arcnmx/nixexprs][] | NixOS + home-manager | I use… a lot of these. Syncplay, modprobe, base16, i3gopher, weechat, konawall, shell and probably more. |
| [arcnmx/tf-nix][] | Meta + NixOS + home-manager | Deployment, secrets and terraform. |
| [nix-community/impermanence][] | NixOS + home-manager | Erase your darlings. |
| [kittywitch/anicca][] | NixOS + home-manager | WIP Helpful modules for impermanence. |
| katexprs/nftables | NixOS | Uses nftables for the NixOS firewall module. |
| katexprs/firewall | NixOS + home-manager | Per-“domain” (private, public) -> interface abstractions for the firewall. Easier to remember. |
| katexprs/network (WIP) | NixOS + home-manager | Network abstractions. Handles DNS + certs, among virtualHosts. |
| katexprs/fusionpbx (WIP) | NixOS | FusionPBX. |
| arcexprs/swaylock | home-manager | Easier abstractions for using swaylock-effects. |
| nixfiles/secrets | Meta + NixOS + home-manager | Helper for tf-nixs secrets. |
| nixfiles/deploy | Meta + NixOS + home-manager | tf-nix deployment integration |
| nixfiles/network | Meta | Enables node to host config assignment & NixOS module. |
| nixfiles/monitoring | NixOS | Grafana, Prometheus, Loki, node-exporter, netdata, promtail, … |
| nixfiles/theme | home-manager | Abstractions for themes. SASS templating. |
## CI
CI for this repository uses [arcnmx/ci][], is aarch64 emulated build enabled and aims to achieve two goals:
| Action | Purpose |
|----------------|-----------------------------------------------------------------------------------------------------------|
| [nodes][4] | Build and cache host closures, show state of host evaluability/buildability. |
| [flake-cron][] | Automatically update the dependencies used by the repository, cache host closure build results with them. |
## Dependencies
| Dependency | Reasoning |
|---------------------------------|--------------------------------------------------------------------------------------------------------|
| [nix-community/home-manager][] | home-manager. Self-explanatory. |
| [nix-community/NUR][] | Firefox extensions and such. |
| [arcnmx/tf-nix][] | The deploy system used, also provides DNS, secrets and node provisioning. (Anything terraform can do.) |
| [arcnmx/ci][] | The CI integration system used. |
| [arcnmx/nixexprs][] | Packages and modules I heavily make use of. |
| [nix-community/impermanence][] | Impermanence! Erase your darlings. |
| [kirelagin/nix-dns][] | A Nix DSL for zone files. For the WIP nameserver. |
| [kittywitch/anicca][] | A helper for moving to impermanence. |
| [kittywitch/nixexprs][] | Packages and modules I have made. |
| [nixos-mailserver][] | The mail server module I use. |
| [nix-community/emacs-overlay][] | An overlay for emacs versions. Currently unused. |
| [vlaci/nix-doom-emacs][] | Nixified DOOM emacs. Currently unused. |
## Commands
The commands here aside from the `nix build` command are provided through the shell. The `<target>` and `<host>` commands are runners provided through [arcnmx/tf-nix][].
@ -148,85 +16,6 @@ Please use `nix-shell` or [direnv/direnv][]. The shell is not compatible with [n
| `<host>-ssh` | SSH into the provided host. |
| `nix build -f . network.nodes.<host>.deploy.system` | Build a system closure for the provided host. |
[nodes]: https://github.com/kittywitch/nixfiles/actions/workflows/nodes.yml/badge.svg
[1]: https://github.com/kittywitch/nixfiles/actions/workflows/nodes.yml
[This repository on my self hosted git.]: https://git.kittywit.ch/kat/nixfiles
[This repository on GitHub.]: https://github.com/kittywitch/nixfiles
[kyouko]: config/hosts/kyouko.nix
[marisa]: config/hosts/marisa.nix
[daiyousei]: config/hosts/daiyousei.nix
[rinnosuke]: config/hosts/rinnosuke.nix
[shinmyoumaru]: config/hosts/shinmyoumaru.nix
[yukari]: config/hosts/yukari.nix
[goliath]: config/hosts/goliath.nix
[koishi]: config/hosts/ishi.nix
[ran]: config/hosts/ran.nix
[chen]: config/hosts/chen.nix
[medicine]: config/hosts/medicine.nix
[here]: config/profiles/base/profiles.nix
[base]: config/profiles/base
[gui]: config/profiles/gui
[DNSCrypt/dnscrypt-proxy]: https://github.com/DNSCrypt/dnscrypt-proxy
[network]: config/profiles/network.nix
[shared]: config/profiles/shared.nix
[vfio]: config/profiles/vfio
[arcnmx/nixexprs]: https://github.com/arcnmx/nixexprs
[arcnmx/screenstub]: https://github.com/arcnmx/screenstub
[hardware]: config/profiles/hardware
[cross]: config/profiles/cross
[2]: config/users/kat/base
[dev]: config/users/kat/dev
[3]: config/users/kat/gui
[dnkl/foot]: https://codeberg.org/dnkl/foot
[media]: config/users/kat/media
[personal]: config/users/kat/personal
[arcnmx/rbw]: https://github.com/arcnmx/rbw
[arcnmx/notmuch-vim]: https://github.com/arcnmx/notmuch-vim
[services]: config/users/kat/services
[sway]: config/users/kat/sway
[kittywitch/konawall-rs]: https://github.com/kittywitch/konawall-rs
[dnscrypt-proxy]: config/services/dnscrypt-proxy/default.nix
[filehost]: config/services/filehost/default.nix
[fusionpbx]: config/services/fusionpbx/default.nix
[gitea]: config/services/gitea/default.nix
[glauth]: config/services/glauth
[jellyfin]: config/services/jellyfin/default.nix
[katsplash]: config/services/katsplash/default.nix
[kattv-ingest]: config/services/kattv-ingest/default.nix
[kattv]: config/services/kattv/default.nix
[keycloak]: config/services/keycloak
[knot]: config/services/knot/default.nix
[logrotate]: config/services/logrotate/default.nix
[mail]: config/services/mail/default.nix
[nixos-mailserver]: https://gitlab.com/simple-nixos-mailserver/nixos-mailserver
[matrix]: config/services/matrix/default.nix
[murmur]: config/services/murmur/default.nix
[nfs]: config/services/nfs/default.nix
[nginx]: config/services/nginx/default.nix
[postgres]: config/services/postgres/default.nix
[radicale]: config/services/radicale/default.nix
[restic]: config/services/restic/default.nix
[syncplay]: config/services/syncplay/default.nix
[taskserver]: config/services/taskserver/default.nix
[transmission]: config/services/transmission/default.nix
[tvheadend]: config/services/tvheadend/default.nix
[vaultwarden]: config/services/vaultwarden/default.nix
[website]: config/services/website/default.nix
[xmpp]: config/services/xmpp/default.nix
[zfs]: config/services/zfs/default.nix
[znc]: config/services/znc/default.nix
[kittywitch/nixexprs]: https://github.com/kittywitch/nixexprs
[exprs]: overlays/exprs
[arcnmx/tf-nix]: https://github.com/arcnmx/tf-nix
[nix-community/impermanence]: https://github.com/nix-community/impermanence
[kittywitch/anicca]: https://github.com/kittywitch/anicca
[arcnmx/ci]: https://github.com/arcnmx/ci
[4]: ci/nodes.nix
[flake-cron]: ci/flake-cron.nix
[nix-community/home-manager]: https://github.com/nix-community/home-manager
[nix-community/NUR]: https://github.com/nix-community/NUR
[kirelagin/nix-dns]: https://github.com/kirelagin/nix-dns
[nix-community/emacs-overlay]: https://github.com/nix-community/emacs-overlay
[vlaci/nix-doom-emacs]: https://github.com/vlaci/nix-doom-emacs
[direnv/direnv]: https://github.com/direnv/direnv
[nix-community/nix-direnv]: https://github.com/nix-community/nix-direnv

58
trusted/flake.lock generated
View file

@ -20,11 +20,11 @@
"arcexprs": {
"flake": false,
"locked": {
"lastModified": 1652207446,
"narHash": "sha256-KWMMkKny/5Ukh36rus2nr6X7rDmRBpjOdJeEwlnsJL8=",
"lastModified": 1654126673,
"narHash": "sha256-SxNpS14YUuwsSkd6PBfSTdzC191U6W36F3NQ0fJVr6U=",
"owner": "arcnmx",
"repo": "nixexprs",
"rev": "1d80363ae941952431cf377816c4790e451823f4",
"rev": "979321a3a55274c7eef9b85d74169b79e5a17824",
"type": "github"
},
"original": {
@ -37,11 +37,11 @@
"ci": {
"flake": false,
"locked": {
"lastModified": 1643398418,
"narHash": "sha256-j7Z+k1dUg65vvBhME+c3ve1Oxlu5GeI4oNwdo1NGL10=",
"lastModified": 1654122671,
"narHash": "sha256-75xNbnJ29pWK2GbOEA9yUA6mvx5hcDWBFaSOSpv5Ob0=",
"owner": "arcnmx",
"repo": "ci",
"rev": "1d38e73657284793de5251738adbe2c04a151c08",
"rev": "b78a5e52a21dad03dd4ca6d46354be6da1cf727a",
"type": "github"
},
"original": {
@ -115,11 +115,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1652934326,
"narHash": "sha256-YgSgR0V/rsqJX6DWyXlPOwsaXXiOkN+9z5rfE9kn2IU=",
"lastModified": 1654170097,
"narHash": "sha256-byrZN3k78pwg15puULonJUzTSEDjf8/YCkdUm/abla8=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "de5c826149bcfbaa5f0ce985bb184c9bc7f11e46",
"rev": "489651e2927fdf356b68123ed6f8c7910bfa7f7d",
"type": "github"
},
"original": {
@ -243,11 +243,11 @@
},
"flake-utils": {
"locked": {
"lastModified": 1652776076,
"narHash": "sha256-gzTw/v1vj4dOVbpBSJX4J0DwUR6LIyXo7/SuuTJp1kM=",
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "04c1b180862888302ddfb2e3ad9eaa63afc60cf8",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
@ -286,11 +286,11 @@
]
},
"locked": {
"lastModified": 1652913097,
"narHash": "sha256-hOs8Z5WYzCor+qP+JgSgrCJRC+UuN9pfTUnXqyRUBvY=",
"lastModified": 1654113406,
"narHash": "sha256-70esZvhal+FsyU89mJRcAb+cDGHKt0sgZ6MlRr9Cplg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "cb9f03d519cf96fcd7dfb990cc0e586a62ca6e69",
"rev": "684e85d01d333be91c4875baebb05b93c7d2ffaa",
"type": "github"
},
"original": {
@ -425,20 +425,20 @@
},
"locked": {
"lastModified": 0,
"narHash": "sha256-6xe8414ZG567zfDVV7ITkmw0TtIlQeD2tP5UuV9BkSU=",
"path": "/nix/store/gkmhcdc2vwj7x3rh70g3zax0lcyppxn7-source",
"narHash": "sha256-+q+B/uo3InU/vpaOfhceGg+J6TeW4hsgGxwSEsdBZe8=",
"path": "/nix/store/q2cgdly4k8zfxmi5mikwjh8wn1lwxfjl-source",
"type": "path"
},
"original": {
"path": "/nix/store/gkmhcdc2vwj7x3rh70g3zax0lcyppxn7-source",
"path": "/nix/store/q2cgdly4k8zfxmi5mikwjh8wn1lwxfjl-source",
"type": "path"
}
},
"nixpkgs": {
"locked": {
"lastModified": 0,
"narHash": "sha256-FqNrXC1EE6U2RACwXBlsAvg1lqQGLYpuYb6+W3DL9vA=",
"path": "/nix/store/57zwl7b883kkya60akvg6wssl1qkxwl5-source",
"narHash": "sha256-erVj41IcCPDWdt8CwT60ygD+SY/uhqip3RXwiESOCVk=",
"path": "/nix/store/3q18gxqzw5qzyd9n64nyi1kgb66qi8ac-source",
"type": "path"
},
"original": {
@ -448,11 +448,11 @@
},
"nixpkgs-darwin": {
"locked": {
"lastModified": 1652881001,
"narHash": "sha256-k9JmPCojaJnqGz4aRXXT1HZqJKHCXijoMfBAb24abXk=",
"lastModified": 1654115789,
"narHash": "sha256-k9Qr8dLrmgEn+xIVbneJdQgCYG8FbbqOrTVaExUrLFI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2d474d6a4a43a0348b78db68dc00c491032cf5cf",
"rev": "bce6d15455f8c15c9ef511368947e7ef789c5316",
"type": "github"
},
"original": {
@ -464,11 +464,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1652659998,
"narHash": "sha256-FqNrXC1EE6U2RACwXBlsAvg1lqQGLYpuYb6+W3DL9vA=",
"lastModified": 1653931853,
"narHash": "sha256-O3wncIouj9x7gBPntzHeK/Hkmm9M1SGlYq7JI7saTAE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "1d7db1b9e4cf1ee075a9f52e5c36f7b9f4207502",
"rev": "f1c167688a6f81f4a51ab542e5f476c8c595e457",
"type": "github"
},
"original": {
@ -496,11 +496,11 @@
},
"nur": {
"locked": {
"lastModified": 1652938196,
"narHash": "sha256-kv6EEwTPtvtqVlaSH/sRhWx9ecONrr5bccMdxu1nhwc=",
"lastModified": 1654172430,
"narHash": "sha256-6Y3ahiBZtqAYG0Mror5BdegviwWmhd5hcMhF/B/Nfng=",
"owner": "nix-community",
"repo": "nur",
"rev": "2d8f65d73133859961b8714918ac8f60d98a76e5",
"rev": "edb5c94d7640890a39325351825cc39fb1c014b1",
"type": "github"
},
"original": {