├── .gitignore ├── chrome-pass ├── requirements.txt ├── module.nix └── python-packages.nix ├── hetox ├── gitlab-secrets.tar.gpg ├── borgbackup.nix ├── gitlab-lowmem.nix ├── hardware-configuration.nix └── gitlab.nix ├── dev ├── stalin.nix ├── forth.nix ├── container.nix ├── muart.nix ├── ft2232h.nix ├── qemu.nix ├── gd32.nix ├── stlink.nix ├── saleae.nix ├── android.nix ├── maple.nix ├── hackrf.nix └── container.imperative.nix ├── .gitmodules ├── custom-kernel.nix ├── zfs.nix ├── desktop.gnupg.nix ├── ark.module.nix ├── docu-disable.module.nix ├── process-isolation.module.nix ├── standby-inhibit.module.nix ├── test-config ├── emacs-bendlas.nix ├── emacs.module.nix ├── rastox ├── kodi-wayland.nix ├── kodi-xorg.nix ├── custom-tools.nix ├── users.nix ├── server-monitor.in ├── nixpkgs-pr.nix ├── pistatus.in └── hardware-configuration.nix ├── bendlas.net ├── default.nix └── www │ └── index.html ├── tmpfs.module.nix ├── factorio-server.module.nix ├── .forgejo └── workflows │ ├── build.yml │ └── deploy.yml ├── distributed-build.nix ├── mobile-nixos.json ├── emacs-overlay.json ├── pinox ├── plasma-mobile.nix └── phosh.nix ├── brother-mfc-6490cw.module.nix ├── io-scheduler.nix ├── desktop.fonts.module.nix ├── epson-inkjet-printer-stylus-photo-r3000.module.nix ├── v4l2-request.module.nix ├── desktop.xserver.module.nix ├── docker.module.nix ├── minecraft-server.module.nix ├── ssh-keygen.sh ├── debug.module.nix ├── convenient.module.nix ├── priorities.module.nix ├── test-config.nix ├── arvitox └── uvc-gadget.nix ├── gravie.module.nix ├── bendlas-access.module.nix ├── iso-with-bcachefs.module.nix ├── chromium-extension-search-path.patch ├── waydroid.module.nix ├── desktop.essential.module.nix ├── aarch64-cross.nix ├── virtox.nix ├── samba.module.nix ├── taalo-build.nix ├── vm.nix ├── pivitox.nix ├── waydroid.patch ├── valheim-server.module.nix ├── avahi-disable-conflicts.patch ├── power-savings.nix ├── desktop.exwm.module.nix ├── desktop.layout-us-gerextra.module.nix ├── 
sound.module.nix ├── desktop.convenient.module.nix ├── microvms ├── _common.nix └── test.nix ├── rastox.nix ├── lenix └── bondig.nix ├── rotox.nix ├── mobile-nixos-bootloader.nix ├── epson-inkjet-printer-stylus-photo-r3000.package.nix ├── bendlas.module.nix ├── rpi1.nix ├── schentox.nix ├── raspix.nix ├── dev.nix ├── rotox.kernel.nix ├── hetox.nix ├── arvitox.nix ├── rpi3.nix ├── contox.nix ├── oauth2-proxies.module.nix ├── vfio.module.nix ├── keycloak.module.nix ├── vfio └── module2.nix ├── pitax.nix ├── pinox.nix ├── stidox.nix ├── scheltopusix.nix ├── nextcloud.module.nix ├── lenix.nix ├── jokix.nix ├── emacs-packages.nix ├── flake-apps.nix ├── nitox.nix ├── natox.nix └── 7days-server.module.nix /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | /result 3 | /tmp/ 4 | /.tmp 5 | -------------------------------------------------------------------------------- /chrome-pass/requirements.txt: -------------------------------------------------------------------------------- 1 | chrome-pass==0.3.0 2 | -------------------------------------------------------------------------------- /hetox/gitlab-secrets.tar.gpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bendlas/nixos-config/HEAD/hetox/gitlab-secrets.tar.gpg -------------------------------------------------------------------------------- /dev/stalin.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | { 3 | environment.systemPackages = with pkgs; [ 4 | pkgsi686Linux.stalin 5 | ]; 6 | } 7 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "emacs.d"] 2 | path = emacs.d 3 | branch = main 4 | url = forgejo@git.bendlas.net:bendlas/emacs.d.git 5 | -------------------------------------------------------------------------------- /custom-kernel.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | { 3 | programs = { 4 | criu.enable = true; 5 | systemtap.enable = true; 6 | }; 7 | } 8 | -------------------------------------------------------------------------------- /dev/forth.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | 3 | { 4 | 5 | environment.systemPackages = with pkgs; [ 6 | gforth ueforth 7 | ]; 8 | 9 | } 10 | -------------------------------------------------------------------------------- /zfs.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... }: 2 | { 3 | 4 | boot.kernelPackages = lib.mkForce pkgs.linuxPackages; 5 | boot.supportedFilesystems = [ "zfs" ]; 6 | 7 | } 8 | -------------------------------------------------------------------------------- /desktop.gnupg.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... 
}:
{
  ## slightly higher prio than mkDefault
  programs.gnupg.agent.pinentryPackage = lib.mkOverride 900 pkgs.pinentry-gnome3;
}
--------------------------------------------------------------------------------
/ark.module.nix:
--------------------------------------------------------------------------------
## Firewall openings for an ARK game server.
## NOTE(review): these ports are opened on every interface; if the server only
## needs to be reachable on one network, networking.firewall.interfaces.<name>
## can scope them (dev/container.nix shows the shape).
{

  networking.firewall.allowedUDPPorts = [
    7777 7778 27015
  ];
  networking.firewall.allowedTCPPorts = [
    27020
  ];

}
--------------------------------------------------------------------------------
/docu-disable.module.nix:
--------------------------------------------------------------------------------
{ pkgs, ... }:

{

  ## disable man and gnome-help
  documentation.enable = false;
  environment.gnome.excludePackages = [ pkgs.gnome.yelp ];

}
--------------------------------------------------------------------------------
/process-isolation.module.nix:
--------------------------------------------------------------------------------
## Hardened /proc mount: no setuid, no exec, no device nodes, and other
## users' processes hidden.
{

  config.fileSystems."/proc" = {
    device = "/proc";
    options = [ "nosuid" "noexec" "nodev"
                ## in case of secrets are passed via cmdline
                ## hidepid=2 hides other users' /proc/<pid> directories
                ## entirely, so another user's /proc/<pid>/cmdline (and any
                ## secret passed as an argument) is not readable.
                ## NOTE(review): this also blinds unprivileged monitoring
                ## tools; procfs' gid= mount option can exempt one group if
                ## that is ever needed.
                "hidepid=2" ];
  };

}
--------------------------------------------------------------------------------
/standby-inhibit.module.nix:
--------------------------------------------------------------------------------
## Keep the machine awake: no GDM auto-suspend and the sleep targets masked.
{

  services.xserver.displayManager.gdm.autoSuspend = false;
  systemd.targets = {
    sleep.enable = false;
    suspend.enable = false;
    hibernate.enable = false;
    hybrid-sleep.enable = false;
  };

}
--------------------------------------------------------------------------------
/test-config:
--------------------------------------------------------------------------------
#!/bin/sh

# Dry-run a nixos-rebuild against the test-config.nix next to this script.
# NOTE(review): the nix-build path argument shows as '' here, which looks like
# a rendering artefact (a <nixpkgs>-style path lost in extraction) - confirm
# against the checked-in file.
READLINK="$(nix-build --no-out-link '' -A coreutils)/bin/readlink"
## http://stackoverflow.com/a/24114056/278651
# NOTE(review): BASH_SOURCE is bash-specific; if /bin/sh is not bash it is
# empty, readlink -e "" fails, and SELFDIR becomes "." (the current directory)
# instead of the script's directory. Using "$0" or a bash shebang would fix it.
SELFDIR="$(dirname -- "$($READLINK -e -- "$BASH_SOURCE")")"

exec nixos-rebuild -I "nixos-config=$SELFDIR/test-config.nix" dry-run
--------------------------------------------------------------------------------
/emacs-bendlas.nix:
--------------------------------------------------------------------------------
## Package the emacs.d lisp/ directory as a trivial Emacs package.
{ emacsPackages, emacsDPath }:

emacsPackages.trivialBuild {
  pname = "bendlas";
  version = "bendlas";
  # src = ./emacs.d;
  src = emacsDPath;
  packageRequires = [ emacsPackages.exwm ];
  preBuild = ''
    cd lisp
  '';
}
--------------------------------------------------------------------------------
/dev/container.nix:
--------------------------------------------------------------------------------
## Placeholder: all container DNS / firewall settings are currently commented out.
{
  # DNSStubListenerExtra=10.233.1.1
  # services.resolved.extraConfig = ''
  #   DNSStubListenerExtra=169.254.170.122
  # '';
  # networking.firewall.interfaces."ve-virtox" = {
  #   allowedTCPPorts = [ 53 ];
  #   allowedUDPPorts = [ 53 ];
  # };
}
--------------------------------------------------------------------------------
/dev/muart.nix:
--------------------------------------------------------------------------------
## FTDI serial adapter: device node restricted to the plugdev group (mode 660).
{
  services.udev.extraRules = ''
    ATTRS{idProduct}=="6015", ATTRS{idVendor}=="0403", MODE="660", GROUP="plugdev" SYMLINK+="muart"
  '';
  users.extraUsers.herwig.extraGroups = [
    "plugdev"
  ];
  users.extraGroups = {
    plugdev = {};
  };
}
--------------------------------------------------------------------------------
/emacs.module.nix:
--------------------------------------------------------------------------------
{ pkgs, emacsDPath, ...
}: 2 | let 3 | customEmacs = pkgs.callPackage ./emacs-packages.nix { }; 4 | in { 5 | nixpkgs.config.packageOverrides = _: { 6 | inherit emacsDPath; 7 | inherit (customEmacs) emacsWithPackages emacsPackages emacsWithPackagesNox emacsPackagesNox; 8 | }; 9 | } 10 | -------------------------------------------------------------------------------- /rastox/kodi-wayland.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: { 2 | # Define a user account 3 | users.extraUsers.kodi.isNormalUser = true; 4 | services.cage.user = "kodi"; 5 | services.cage.program = "${pkgs.kodi-wayland}/bin/kodi-standalone"; 6 | services.cage.enable = true; 7 | # nixpkgs.config.kodi.enableAdvancedLauncher = true; 8 | } 9 | -------------------------------------------------------------------------------- /dev/ft2232h.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | services.udev.extraRules = '' 4 | ATTRS{idProduct}=="6010", ATTRS{idVendor}=="0403", MODE="660", GROUP="plugdev" SYMLINK+="ft2232h" 5 | ''; 6 | users.extraUsers.herwig.extraGroups = [ 7 | "plugdev" 8 | ]; 9 | users.extraGroups = { 10 | plugdev = {}; 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- /bendlas.net/default.nix: -------------------------------------------------------------------------------- 1 | { 2 | services.nginx.virtualHosts = { 3 | "www.bendlas.net" = { 4 | enableACME = true; 5 | forceSSL = true; 6 | globalRedirect = "bendlas.net"; 7 | }; 8 | "bendlas.net" = { 9 | enableACME = true; 10 | forceSSL = true; 11 | root = ./www; 12 | }; 13 | }; 14 | } 15 | -------------------------------------------------------------------------------- /rastox/kodi-xorg.nix: -------------------------------------------------------------------------------- 1 | { 2 | services.xserver.enable = true; 3 | services.xserver.desktopManager.kodi.enable = true; 4 | # 
services.xserver.displayManager.autoLogin.enable = true; 5 | # services.xserver.displayManager.autoLogin.user = "kodi"; 6 | 7 | # Defined in users.nix 8 | # users.extraUsers.kodi.isNormalUser = true; 9 | } 10 | -------------------------------------------------------------------------------- /dev/qemu.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | { 3 | 4 | virtualisation.libvirtd.enable = true; 5 | 6 | programs.dconf.enable = true; 7 | environment.systemPackages = [ pkgs.virt-manager ]; 8 | 9 | users.users.${config.hst.site.adminUser}.extraGroups = [ "libvirtd" ]; 10 | 11 | ## boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; 12 | 13 | } 14 | -------------------------------------------------------------------------------- /tmpfs.module.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | ## tmpfs for /tmp 4 | boot.tmp.useTmpfs = true; 5 | boot.tmp.tmpfsSize = "150%"; 6 | 7 | ## tmpfs for /var/tmp 8 | systemd.mounts = [{ 9 | what = "vartmpfs"; 10 | where = "/var/tmp"; 11 | type = "tmpfs"; 12 | mountConfig.Options = [ "mode=1777" "strictatime" "rw" "nosuid" "nodev" "size=20%" ]; 13 | }]; 14 | 15 | } 16 | -------------------------------------------------------------------------------- /dev/gd32.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | environment.systemPackages = with pkgs; [ 4 | dfu-util 5 | ]; 6 | services.udev.extraRules = '' 7 | ATTRS{idProduct}=="0189", ATTRS{idVendor}=="28e9", MODE="660", GROUP="plugdev" SYMLINK+="gd32-dfu" 8 | ''; 9 | users.extraUsers.herwig.extraGroups = [ 10 | "plugdev" 11 | ]; 12 | users.extraGroups = { 13 | plugdev = {}; 14 | }; 15 | } 16 | -------------------------------------------------------------------------------- /dev/stlink.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}:
{
  environment.systemPackages = with pkgs; [
    dfu-util
  ];
  ## ST-Link probe: device node owned by the plugdev group, mode 660,
  ## so only group members get raw USB access.
  services.udev.extraRules = ''
    ATTRS{idProduct}=="3748", ATTRS{idVendor}=="0483", MODE="660", GROUP="plugdev" SYMLINK+="stlink"
  '';
  users.extraUsers.herwig.extraGroups = [
    "plugdev"
  ];
  users.extraGroups = {
    plugdev = {};
  };
}
--------------------------------------------------------------------------------
/factorio-server.module.nix:
--------------------------------------------------------------------------------
## Factorio dedicated server, reachable through the firewall.
{ pkgs, lib, config, ... }:
{
  services.factorio = {
    enable = true;
    admins = [
      "flowbot"
    ];
    openFirewall = true;
    game-name = "manulinarium";
    ## kept outside the Nix store, whose contents are world-readable
    gamePasswordFile = "/etc/secrets/factorio/server-password";
    ## NOTE(review): with user verification off, joining players are not
    ## checked against Factorio's auth service, so on the port openFirewall
    ## exposes the game password is the only gate - confirm that is intended.
    requireUserVerification = false;
  };

  nixpkgs.config.allowUnfree = true;
}
--------------------------------------------------------------------------------
/.forgejo/workflows/build.yml:
--------------------------------------------------------------------------------
# Build this host's flake configuration for every pull request.
name: CI build
on:
  pull_request:
jobs:
  Build-Flake:
    runs-on: native
    steps:
      # NOTE(review): actions are pinned by tag only (v3, v0.7.0); pinning to
      # a commit SHA protects against a moved or replaced tag.
      - uses: actions/checkout@v3
      # NOTE(review): this job is triggered by pull_request and loads a deploy
      # key into an ssh-agent before evaluating the PR's own flake, so the PR's
      # content is evaluated while that key is available. If the runner accepts
      # PRs from outside contributors this needs gating (approval, or no secret
      # on the PR-triggered job) - confirm Forgejo's secret policy for PR events.
      - uses: https://github.com/webfactory/ssh-agent@v0.7.0
        with:
          ssh-private-key: "${{ secrets.AUTO_UPDATER_SSH_KEY }}"
      - run: nixos-rebuild --flake .\#$(cat /etc/hst-machine-name) build
--------------------------------------------------------------------------------
/dev/saleae.nix:
--------------------------------------------------------------------------------
{ pkgs, ...
}: 2 | { 3 | environment.systemPackages = with pkgs; [ 4 | pulseview 5 | ]; 6 | services.udev.extraRules = '' 7 | ATTRS{idProduct}=="3881", ATTRS{idVendor}=="0925", MODE="660", GROUP="plugdev" SYMLINK+="saleae" 8 | ''; 9 | users.extraUsers.herwig.extraGroups = [ 10 | "plugdev" 11 | ]; 12 | users.extraGroups = { 13 | plugdev = {}; 14 | }; 15 | } 16 | -------------------------------------------------------------------------------- /dev/android.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | environment.systemPackages = with pkgs; [ 4 | androidsdk_9_0 5 | ]; 6 | services.udev.extraRules = '' 7 | ATTRS{idVendor}=="12d1", ATTRS{idProduct}=="107e", MODE="660", GROUP="plugdev" SYMLINK+="huawei-p20" 8 | ''; 9 | users.extraUsers.herwig.extraGroups = [ 10 | "plugdev" 11 | ]; 12 | users.extraGroups = { 13 | plugdev = {}; 14 | }; 15 | } 16 | -------------------------------------------------------------------------------- /distributed-build.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}:

{

  ## Offload x86_64 builds to artox.
  ## NOTE(review): the builder is reached as root, which hands this host's
  ## nix-daemon full control of the remote machine; a dedicated unprivileged
  ## build user trusted by the remote nix-daemon would be least privilege -
  ## confirm. The key path under /tmp suggests it is provisioned at runtime;
  ## confirm it is created mode 0600 and removed afterwards.
  nix.buildMachines = [{
    hostName = "artox.bendlas.net";
    sshUser = "root";
    sshKey = "/tmp/ssh/id_rsa";
    system = "x86_64-linux";
    maxJobs = 1;
    speedFactor = 1;
    supportedFeatures = [ ];
    mandatoryFeatures = [ ];
  }];
  nix.distributedBuilds = true;
  ## let the remote builder fetch dependencies from substituters itself
  nix.extraOptions = ''
    builders-use-substitutes = true
  '';

}
--------------------------------------------------------------------------------
/mobile-nixos.json:
--------------------------------------------------------------------------------
{
  "url": "https://github.com/bendlas/mobile-nixos.git",
  "rev": "67f5c799960d903900c57678e9310ff20ebc74d9",
  "date": "2023-06-07T15:51:20+02:00",
  "path": "/nix/store/q6ha0j6181w5lknqfmbpcngfv0qc0zb0-mobile-nixos-67f5c79",
  "sha256": "0d18zhk2mjvm43ynlsbln9cmmqjr2jqwhynf7fv79l176hr5k7w6",
  "fetchLFS": false,
  "fetchSubmodules": false,
  "deepClone": false,
  "leaveDotGit": false,
  "branch": "rockpro64"
}
--------------------------------------------------------------------------------
/emacs-overlay.json:
--------------------------------------------------------------------------------
{
  "url": "https://github.com/nix-community/emacs-overlay.git",
  "rev": "7f39dc5ed946c5d74cceae1414b6778c81fde25d",
  "date": "2023-06-21T10:49:04+00:00",
  "path": "/nix/store/p7f7j0hip5bzx3kq251650gn21vnpdvx-emacs-overlay-7f39dc5",
  "sha256": "1xz956v01l3d1nzmcjbn016sn669mfq2wx9asgl85yyvvz7m7f38",
  "fetchLFS": false,
  "fetchSubmodules": false,
  "deepClone": false,
  "leaveDotGit": false,
  "branch": "master"
}
--------------------------------------------------------------------------------
/rastox/custom-tools.nix:
--------------------------------------------------------------------------------
{ lib, config, pkgs, ...
}: 2 | { 3 | 4 | environment.systemPackages = with pkgs; [ 5 | (pkgs.runCommand "custom-tools" { 6 | inherit (pkgs.stdenv) shell; 7 | inherit (pkgs) libraspberrypi tmux htop iftop; 8 | } '' 9 | mkdir -p $out/bin 10 | substituteAll ${./pistatus.in} $out/bin/pistatus 11 | substituteAll ${./server-monitor.in} $out/bin/server-monitor 12 | chmod -R +x $out/bin 13 | '') 14 | ]; 15 | 16 | } 17 | -------------------------------------------------------------------------------- /pinox/plasma-mobile.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | services.xserver.enable = true; 4 | services.xserver.displayManager = { 5 | sddm.enable = true; 6 | autoLogin = { 7 | enable = true; 8 | user = "nixos"; 9 | }; 10 | defaultSession = "plasma-mobile"; 11 | }; 12 | services.xserver.desktopManager.plasma5 = { 13 | enable = true; 14 | mobile.enable = true; 15 | # mobile.installRecommendedSoftware = true; 16 | # runUsingSystemd = true; 17 | # useQTScaling = true; 18 | }; 19 | 20 | } 21 | -------------------------------------------------------------------------------- /brother-mfc-6490cw.module.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | imports = [ 4 | # 5 | 6 | ]; 7 | 8 | hardware = { 9 | sane = { 10 | enable = true; 11 | brscan5 = { 12 | enable = true; 13 | netDevices = { 14 | brother = { model = "MFC-6490CW"; nodename = "BRN001BA95F5BCC.local"; }; 15 | }; 16 | }; 17 | }; 18 | }; 19 | 20 | } 21 | -------------------------------------------------------------------------------- /io-scheduler.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}: 2 | { 3 | 4 | services.udev.extraRules = '' 5 | ACTION=="add|change", KERNEL=="bcache*", ATTR{queue/rotational}="1" 6 | ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/iosched/slice_idle}="0" 7 | ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="mq-deadline" 8 | ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq" 9 | ''; 10 | 11 | } 12 | -------------------------------------------------------------------------------- /desktop.fonts.module.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | { 3 | options.hst.fonts.monospace = with lib; with types; mkOption { 4 | type = listOf str; 5 | }; 6 | config.hst.fonts.monospace = lib.mkAfter [ "JetBrains Mono" ]; 7 | config.fonts = { 8 | packages = with pkgs; [ 9 | noto-fonts proggyfonts dejavu_fonts inconsolata profont anonymousPro fira-code jetbrains-mono liberation_ttf 10 | ]; 11 | fontconfig.defaultFonts = { 12 | inherit (config.hst.fonts) monospace; 13 | }; 14 | }; 15 | } 16 | -------------------------------------------------------------------------------- /epson-inkjet-printer-stylus-photo-r3000.module.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | { 4 | 5 | nixpkgs.overlays = [ 6 | (self: super: { 7 | epson-inkjet-printer-stylus-photo-r3000 = self.callPackage ./epson-inkjet-printer-stylus-photo-r3000.package.nix { 8 | # enableDebug = true; 9 | }; 10 | }) 11 | ]; 12 | 13 | services.printing.enable = true; 14 | # services.printing.logLevel = "debug"; 15 | services.printing.drivers = [ pkgs.epson-inkjet-printer-stylus-photo-r3000 ]; 16 | 17 | } 18 | -------------------------------------------------------------------------------- /pinox/phosh.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | { 3 | 4 | # services.xserver.enable = true; 5 | services.xserver.desktopManager = { 6 | gnome.enable = true; 7 | phosh = { 8 | enable = true; 9 | user = "herwig"; 10 | group = "users"; 11 | }; 12 | }; 13 | 14 | # # unpatched gnome-initial-setup is partially broken in small screens 15 | # services.gnome.gnome-initial-setup.enable = false; 16 | 17 | environment.gnome.excludePackages = with pkgs.gnome; [ 18 | gnome-terminal 19 | ]; 20 | 21 | } 22 | -------------------------------------------------------------------------------- /v4l2-request.module.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | environment.systemPackages = with pkgs; [ 4 | v4l2-request-bendlas 5 | ]; 6 | nixpkgs.config.packageOverrides = pkgs: { 7 | v4l2-request-bendlas = pkgs.runCommand "v4l2-request-bendlas" { 8 | ffmpeg = pkgs.v4l2-request-ffmpeg; 9 | mpv = pkgs.v4l2-request-mpv; 10 | } '' 11 | mkdir -p $out/bin 12 | for b in $ffmpeg/bin/* $mpv/bin/* 13 | do 14 | ln -s $b $out/bin/v4l2-request-$(basename $b) 15 | done 16 | ''; 17 | }; 18 | } 19 | -------------------------------------------------------------------------------- /desktop.xserver.module.nix: -------------------------------------------------------------------------------- 1 | { lib, pkgs, ... }: 2 | 3 | { 4 | 5 | services.xserver = lib.mkDefault { 6 | enable = true; 7 | displayManager.gdm.enable = true; 8 | displayManager.gdm.wayland = false; 9 | displayManager.lightdm.enable = false; 10 | desktopManager.gnome.enable = true; 11 | }; 12 | 13 | ## disable tracker and tracker-miner 14 | ## to prevent tracker-miner from consuming 100% CPU 15 | services.gnome = { 16 | tracker-miners.enable = false; 17 | tracker.enable = false; 18 | }; 19 | 20 | } 21 | -------------------------------------------------------------------------------- /docker.module.nix: -------------------------------------------------------------------------------- 1 | { lib, pkgs, ... 
}:
{
  # Recent version of docker should be able to handle this
  # necessary to freeze systemd units
  # see https://github.com/NixOS/nixpkgs/pull/104094#pullrequestreview-535717794
  systemd.enableUnifiedCgroupHierarchy = lib.mkForce true;

  virtualisation.docker = {
    enable = true;
    ## daemon not started at boot; presumably started on demand via socket
    ## activation - confirm against the NixOS option description
    enableOnBoot = false;
  };
  environment.systemPackages = [
    pkgs.docker-compose
  ];
  users.extraUsers = {
    ## NOTE(review): membership in the docker group is root-equivalent on the
    ## host (the daemon socket allows starting containers with host mounts and
    ## privileges). Fine for a single-user dev box, but worth knowing.
    "herwig".extraGroups = [ "docker" ];
  };
}
--------------------------------------------------------------------------------
/dev/maple.nix:
--------------------------------------------------------------------------------
## Maple (LeafLabs) boards: plugdev-only device node, and ModemManager told
## to leave the device alone.
{ pkgs, ... }:
{
  environment.systemPackages = with pkgs; [
    pulseview
  ];
  services.udev.extraRules = ''
    ATTRS{idProduct}=="0003", ATTRS{idVendor}=="1eaf", MODE="660", GROUP="plugdev" SYMLINK+="maple", ENV{ID_MM_DEVICE_IGNORE}="1"
    ATTRS{idProduct}=="0004", ATTRS{idVendor}=="1eaf", MODE="660", GROUP="plugdev" SYMLINK+="maple", ENV{ID_MM_DEVICE_IGNORE}="1"
  '';
  users.extraUsers.herwig.extraGroups = [
    "plugdev" "dialout"
  ];
  users.extraGroups = {
    plugdev = {};
  };
}
--------------------------------------------------------------------------------
/minecraft-server.module.nix:
--------------------------------------------------------------------------------
## Minecraft server with a declaratively managed whitelist.
{
  # services.minecraft-server.package
  # services.minecraft-server.jvmOpts
  # services.minecraft-server.dataDir
  services.minecraft-server.enable = true;
  services.minecraft-server.eula = true;
  ## player name -> UUID; declarative = true makes this list authoritative
  services.minecraft-server.whitelist = {
    nara4241 = "63e8e9cc-e029-4e95-91bf-e28721baba32";
    fichtennadel4 = "3d07d3a5-adba-4d54-b785-c3ce58c56a83";
  };
  services.minecraft-server.declarative = true;
  # services.minecraft-server.serverProperties
  ## NOTE(review): the whitelist only takes effect if white-list is enabled in
  ## the server properties, which are left unset here - confirm the module's
  ## default, otherwise the port opened below admits anyone.
  services.minecraft-server.openFirewall = true;
}
--------------------------------------------------------------------------------
/ssh-keygen.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Generate an ed25519 key pair and print the private key followed by the
# public key on stdout, without either landing in a regular file: ssh-keygen
# writes into FIFOs that are read straight into shell variables.
# Extra arguments are passed through to ssh-keygen.
set -eu

tmpdir=
# Remove the temp dir and, when invoked from a signal trap, re-raise that
# signal so the exit status reflects it.
cleanup () {
  trap - EXIT
  if [ -n "$tmpdir" ] ; then rm -rf "$tmpdir"; fi
  if [ -n "$1" ]; then trap - $1; kill -$1 $$; fi
}
# mktemp -d creates the directory mode 0700, so the FIFOs below are private
# to the invoking user.
tmpdir=$(mktemp -d)
trap 'cleanup ""' EXIT
trap 'cleanup HUP' HUP
trap 'cleanup TERM' TERM
trap 'cleanup INT' INT

keyFile=$tmpdir/id
pubFile=$tmpdir/id.pub

# NOTE(review): $keyFile/$pubFile are unquoted from here on; fine for mktemp's
# default location, but they would split on a TMPDIR containing whitespace.
mkfifo $keyFile
mkfifo $pubFile
# "y" answers the overwrite prompt for the pre-existing FIFO; -N '' means no
# passphrase, so the printed private key is protected only by whatever the
# caller does with stdout.
echo "y" | ssh-keygen -t ed25519 -N '' -f $keyFile "$@" &
# The FIFOs are drained private key first, then public key - this assumes
# ssh-keygen writes them in that order (reading in the other order would block).
key=$(cat $keyFile)
pub=$(cat $pubFile)
echo "$key"
echo "$pub"
--------------------------------------------------------------------------------
/debug.module.nix:
--------------------------------------------------------------------------------
{ config, pkgs, ... }:
let
  ## Wrap a package so its build also produces a separate "debug" output.
  enableDebugInfo_ = lib: pkg:
    # lib.overrideDerivation
    pkg.overrideAttrs (attrs: {
      outputs = attrs.outputs or [ "out" ] ++ [ "debug" ];
      ## NOTE(review): unlike `outputs` above there is no `or [ ]` fallback,
      ## so a package without nativeBuildInputs fails to evaluate here.
      nativeBuildInputs = attrs.nativeBuildInputs ++ [
        #
        "${config.hst.folders.nixpkgs}/pkgs/build-support/setup-hooks/separate-debug-info.sh"
      ];
    });
in {
  nixpkgs.config.packageOverrides = _: {
    enableDebugInfo = enableDebugInfo_ pkgs.lib;
  };
}
--------------------------------------------------------------------------------
/hetox/borgbackup.nix:
--------------------------------------------------------------------------------
## Borg repositories served over ssh for the listed client keys.
{

  services.borgbackup.repos = {
    valheim-contox = {
      ## append-only: the client key can add archives but not delete or prune
      ## existing ones, which limits what a compromised client can destroy
      authorizedKeysAppendOnly = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKsTTvCNGI1NDr25uh7/neFy9aED5g6xic0M/RA+EFe valheim@contox"
      ];
      path = "/var/borgbackup/valheim-contox";
    };
    herwig = {
      authorizedKeysAppendOnly = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF/nw+URWOaWzJ3ZmT1BA2lKxGV0VyrOh9IbKF229kPw
herwig@lenix" 13 | ]; 14 | path = "/var/borgbackup/herwig"; 15 | allowSubRepos = true; 16 | }; 17 | }; 18 | 19 | } 20 | -------------------------------------------------------------------------------- /rastox/users.nix: -------------------------------------------------------------------------------- 1 | { 2 | programs.zsh.enable = true; 3 | users = { 4 | extraUsers = { 5 | "herwig" = { 6 | description = "Herwig Hochleitner"; 7 | extraGroups = [ "wheel" ]; 8 | isNormalUser = true; 9 | uid = 1000; 10 | }; 11 | "nara" = { 12 | description = "Nara Richter"; 13 | isNormalUser = true; 14 | uid = 1001; 15 | }; 16 | "kodi" = { 17 | description = "Media Center"; 18 | isNormalUser = true; 19 | uid = 1002; 20 | }; 21 | }; 22 | extraGroups = { nobody = {}; }; 23 | }; 24 | } 25 | -------------------------------------------------------------------------------- /convenient.module.nix: -------------------------------------------------------------------------------- 1 | { pkgs, config, ... }: 2 | 3 | { 4 | 5 | ## almost essential, but blowing up closure size or build resources (due to non-cache) 6 | environment.systemPackages = with pkgs; [ 7 | 8 | ## graal 9 | 10 | jet 11 | 12 | ## rust 13 | 14 | nix-du 15 | 16 | ## build time / tmp space 17 | ## these may be added to hydra 18 | 19 | config.boot.kernelPackages.perf 20 | 21 | yq 22 | 23 | ### Pure nice to have 24 | 25 | ## Admin 26 | 27 | ntfs3g btrfs-progs 28 | 29 | ## Dev 30 | 31 | gitAndTools.hub 32 | 33 | ## Video 34 | 35 | ffmpeg imagemagick 36 | 37 | ## Misc tools 38 | 39 | geoip links2 cowsay 40 | 41 | ]; 42 | 43 | } 44 | -------------------------------------------------------------------------------- /rastox/server-monitor.in: -------------------------------------------------------------------------------- 1 | #!@shell@ 2 | 3 | set -eu 4 | 5 | @tmux@/bin/tmux new-session -s server-monitor "exec journalctl -f" \; \ 6 | set-option remain-on-exit on \; \ 7 | bind-key r respawn-pane \; \ 8 | split-window -h "exec 
@htop@/bin/htop" \; \
  split-window -v "exec @iftop@/bin/iftop -i wlan0" \; \
  split-window -v "exec watch @out@/bin/pistatus" \; \
  split-window -v "exec watch cat /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_cur_freq" \; \
  split-window -h "exec watch cat /sys/class/thermal/thermal_zone0/temp" \; \
  new-window "exec watch -c iwctl station wlan0 show" \; \
  split-window -h "exec iotop" \; \
  select-pane -L \; \
  split-window -v "exec watch df -h" \; \
  previous-window \;
-------------------------------------------------------------------------------- /.forgejo/workflows/deploy.yml: --------------------------------------------------------------------------------
# Forgejo Actions workflow: on every push to main, build (not yet switch to)
# this machine's NixOS configuration on a self-hosted runner.
name: CI deploy
on:
  ## FIXME not implemented yet
  # workflow_run:
  #   workflows: [ "CI build" ]
  #   types: [ completed ]
  #   branches: [ main ]
  push:
    branches: [ main ]
jobs:
  Rebuild-Switch:
    # if: ${{ github.event.workflow_run.conclusion == 'success' }}
    # "native" is a self-hosted runner label; judging by the
    # /etc/hst-machine-name lookup below, the job presumably runs on the
    # very host whose configuration it builds.
    runs-on: native
    steps:
      # NOTE(review): both actions below are pinned to mutable tags. A moved
      # tag executes attacker-chosen code in a job that has
      # AUTO_UPDATER_SSH_KEY loaded into an agent; pin each `uses:` to a
      # full commit SHA (with the tag as a trailing comment) instead.
      - uses: actions/checkout@v3
      # NOTE(review): the private key is loaded on every push to main, yet
      # the only real step below is `nixos-rebuild ... build`, which needs
      # no SSH unless a flake input is fetched over ssh://. If none is, move
      # this step to where the deploy/switch TODOs land so the key is only
      # exposed when it is actually used.
      - uses: https://github.com/webfactory/ssh-agent@v0.7.0
        with:
          ssh-private-key: "${{ secrets.AUTO_UPDATER_SSH_KEY }}"
      - run: nixos-rebuild --flake .\#$(cat /etc/hst-machine-name) build
      - run: echo TODO listen for main branch changes and update
      - run: echo TODO maybe schedule reboot
-------------------------------------------------------------------------------- /priorities.module.nix: --------------------------------------------------------------------------------
let setPrio' = lib: num: drv: lib.addMetaAttrs { priority = num; } drv;
in {
  nixpkgs.config.packageOverrides = pkgs: let setPrio = setPrio' pkgs.lib; in {
    ## prioritize packages to avoid path collisions
    nettools = setPrio 9 pkgs.nettools; ## nettools are deprecated in favor of inetutils
    traceroute = setPrio 2 pkgs.traceroute; ## traceroute should override inetutils, see
https://askubuntu.com/questions/1017286/what-is-the-difference-between-traceroute-from-traceroute-and-inetutils-tracerou 7 | ncurses = setPrio 6 pkgs.ncurses; ## defer to per-terminal terminfo 8 | androidsdk_9_0 = setPrio 6 pkgs.androidsdk_9_0; ## defer to e2fsprogs 9 | unrar = setPrio 4 pkgs.unrar; ## open-source unrar should override proprietary rar 10 | 11 | }; 12 | } 13 | -------------------------------------------------------------------------------- /dev/hackrf.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ... }: 2 | { 3 | services.udev.extraRules = '' 4 | ATTR{idVendor}=="1d50", ATTR{idProduct}=="604b", SYMLINK+="hackrf-jawbreaker-%k", MODE="660", GROUP="plugdev" 5 | ATTR{idVendor}=="1d50", ATTR{idProduct}=="6089", SYMLINK+="hackrf-one-%k", MODE="660", GROUP="plugdev" 6 | ATTR{idVendor}=="1fc9", ATTR{idProduct}=="000c", SYMLINK+="hackrf-dfu-%k", MODE="660", GROUP="plugdev" 7 | ''; 8 | users.extraUsers.herwig.extraGroups = [ 9 | "plugdev" 10 | ]; 11 | users.extraGroups = { 12 | plugdev = {}; 13 | }; 14 | environment.systemPackages = with pkgs; [ 15 | hackrf welle-io cubicsdr gqrx 16 | # (gnuradio3_8.override { 17 | # extraPackages = lib.attrVals [ 18 | # "osmosdr" "ais" "rds" 19 | # ] gnuradio3_8Packages; 20 | # }) 21 | ]; 22 | } 23 | -------------------------------------------------------------------------------- /rastox/nixpkgs-pr.nix: -------------------------------------------------------------------------------- 1 | # From https://discourse.nixos.org/t/how-to-try-a-pr/15410/5 2 | # Idea by Bas van Dijk (https://www.youtube.com/watch?v=J4DgATIjx9E) 3 | 4 | # Use like 5 | # nixos-rebuild -I nixpkgs="$(nix-build nixpkgs-pr.nix --argstr pr 117102)" ... 6 | # To restore 7 | # nixos-rebuild -I nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos ... 
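# Build a nixpkgs tree with a GitHub pull request applied on top (usage in
# the comment block above).
#
# `sha256` is optional so existing callers keep working, but without it the
# patch is fetched unverified: builtins.fetchurl with no hash is an impure
# network fetch, and a force-pushed PR changes the result silently. Pin it
# for anything a real system is rebuilt from:
#   nix-build nixpkgs-pr.nix --argstr pr 117102 --argstr sha256 <hash>
{ pr, sha256 ? null }:
let
  pkgs = import <nixpkgs> {};
  # Only pass sha256 through when the caller supplied one.
  hashArg = if sha256 == null then {} else { inherit sha256; };
  patches = [
    (builtins.fetchurl ({
      url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/${pr}.patch";
    } // hashArg))
  ];
in pkgs.runCommand "nixpkgs-PR${pr}" { inherit patches; } ''
  # Copy the current nixpkgs tree and apply each patch on top of it.
  cp -R ${pkgs.path} $out
  chmod -R +w $out
  for p in $patches; do
    echo "Applying patch $p"
    patch -d $out -p1 < "$p"
  done
''
-------------------------------------------------------------------------------- /test-config.nix: --------------------------------------------------------------------------------
{ config, pkgs, lib, ... }:
{
  imports = [
    # ./desktop.nix ./dev.nix
    ./base.nix
    ./valheim-server.module.nix
  ];
  bendlas.machine = "test-config";
  fileSystems."/" = { device = "/dev/null"; };
  boot.loader.grub.enable = false;
  # boot.supportedFilesystems = [ "zfs" ];
  networking.hostId = "cafebabe";
  networking.nat.externalInterface = "dummy";
  # services.xserver.videoDrivers = [ "nvidia" "nouveau" "nv" "vesa" "intel" ];
  services.avahi.enable = lib.mkForce false;
  services.valheim-server.password = "";
  system.extraDependencies = with pkgs; [
    # # virtualboxExtpack
    # bluez5 wireless-regdb
    # vaapiVdpau
    # splix brgenml1cupswrapper
    # firmwareLinuxNonfree
    # # opencl-icd mkl
  ];

}
-------------------------------------------------------------------------------- /arvitox/uvc-gadget.nix: --------------------------------------------------------------------------------
{ stdenv, fetchgit, ninja, meson, pkg-config, libcamera, libjpeg }:

stdenv.mkDerivation rec {
  pname = "uvc-gadget";
  version = "0.4.0";
  # src = /home/herwig/code/uvc-gadget;
  src = fetchgit {
    # url = "https://git.ideasonboard.org/uvc-gadget.git";
    # hash = "sha256-fcL7HeV9W1feZmCFlzB6jYkj+ZRcnAbz0XDq8h8HfBc=";
    url =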
"https://gitlab.freedesktop.org/camera/uvc-gadget.git";
    rev = "v${version}";
    hash = "sha256-iHmKoylhDHNrFwEL6ShedqA4uA/DGL5VoEFwJsE405k=";
  };
  nativeBuildInputs = [ pkg-config ninja meson ];
  buildInputs = [ libcamera libjpeg ];
  # Silence -Wunused-result warnings from the upstream sources.
  env.NIX_CFLAGS_COMPILE = toString (map (x: "-Wno-${x}") [
    "unused-result"
  ]);
  # Ship upstream's configfs helper script next to the binary.
  postInstall = ''
    cp ../scripts/uvc-gadget.sh $out/bin/uvc-gadget-configfs
  '';
}
-------------------------------------------------------------------------------- /gravie.module.nix: --------------------------------------------------------------------------------
{
  # Make dev servers on unprivileged ports 8000/4430 reachable as
  # http://127.0.0.1 and https://127.0.0.1 (locally originated traffic only).
  # NOTE(review): since 8000/4430 need no privilege to bind, any local user
  # who grabs them receives every local connection to 127.0.0.1:80/443 --
  # fine on a single-user dev box, not on a shared host.
  networking.firewall.extraCommands = ''
    iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8000
    iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 4430
  '';
  networking.firewall.extraStopCommands = ''
    iptables -t nat -D OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8000
    iptables -t nat -D OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 4430
  '';
  # NOTE(review): "docker" (daemon socket access) and "libvirtd" membership
  # is effectively root on this machine; treat these accounts as
  # administrative even though they are not in wheel.
  users.users = {
    "flexiana" = {
      description = "Flexiana Dev";
      isNormalUser = true;
      extraGroups = [ "audio" "libvirtd" "docker" ];
    };
    "gravie" = {
      description = "Gravie Dev";
      isNormalUser = true;
      extraGroups = [ "audio" "libvirtd" "docker" ];
    };
  };
}
-------------------------------------------------------------------------------- /bendlas-access.module.nix: --------------------------------------------------------------------------------
{
  hst.wheel.logins = [ "herwig" ];
  users.users."herwig".isNormalUser = true;
  hst.wheel.keys = [
    "ssh-rsa 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 herwig@lenix"
  ];
}
-------------------------------------------------------------------------------- /iso-with-bcachefs.module.nix:
-------------------------------------------------------------------------------- 1 | # This module defines a small NixOS installation CD. It does not 2 | # contain any graphical stuff. 3 | { config, pkgs, lib, ... }: 4 | { 5 | hst.site.machine = "bcache-installer"; 6 | hst.site.adminUser = "nixos"; 7 | imports = [ 8 | # Currently fails on NixOS 23.05 to build due to ZFS incompatibility with bcachefs 9 | # 10 | 11 | 12 | ]; 13 | boot.supportedFilesystems = [ "bcachefs" ]; 14 | # kernelPackages already defined in installation-cd-minimal-new-kernel-no-zfs.nix 15 | boot.kernelPackages = pkgs.linuxPackages_latest; 16 | isoImage.squashfsCompression = "gzip -Xcompression-level 1"; 17 | } 18 | -------------------------------------------------------------------------------- /dev/container.imperative.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | networking.extraHosts = '' 4 | 10.233.1.2 container.local auth.container.local git.container.local pgadmin.container.local code.container.local manage.container.local cloud.container.local datomic-console.container.local hdirect.container.local shadow.hdirect.container.local hdirect.dev.container.local shadow.hdirect.dev.container.local matrix.container.local element.container.local yjs.container.local jacklist.container.local 5 | 10.233.2.2 www.chairio.local chairio.local auth.chairio.local git.chairio.local pgadmin.chairio.local code.chairio.local manage.chairio.local baikal.chairio.local sogo.chairio.local davis.chairio.local agendav.chairio.local onlyoffice.chairio.local example.onlyoffice.chairio.local scrumlr.chairio.local 6 | ''; 7 | 8 | networking.nat = { 9 | enable = true; 10 | internalInterfaces = [ "ve-+" ]; 11 | }; 12 | 13 | } 14 | -------------------------------------------------------------------------------- /hetox/gitlab-lowmem.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | { 3 | 4 | ## see https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html 5 | ## see https://techoverflow.net/2020/04/18/how-i-reduced-gitlab-memory-consumption-in-my-docker-based-setup/ 6 | 7 | boot.kernel.sysctl = { 8 | "vm.swappiness" = 10; 9 | }; 10 | 11 | services.gitlab = { 12 | puma.workers = 0; 13 | extraEnv = { 14 | LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so"; 15 | # ENABLE_RBTRACE = "1"; 16 | RUBY_GC_HEAP_FREE_SLOTS_MIN_RATIO = "0.001"; 17 | RUBY_GC_HEAP_FREE_SLOTS_MAX_RATIO = "0.02"; 18 | ## https://github.com/jemalloc/jemalloc/blob/dev/TUNING.md 19 | MALLOC_CONF = "background_thread:true,dirty_decay_ms:5000,muzzy_decay_ms:5000,narenas:1,lg_tcache_max:13"; 20 | }; 21 | extraConfig = { 22 | prometheus.enabled = false; 23 | }; 24 | 25 | }; 26 | 27 | } 28 | -------------------------------------------------------------------------------- /chromium-extension-search-path.patch: -------------------------------------------------------------------------------- 1 | --- a/chrome/common/chrome_paths.cc 2 | +++ b/chrome/common/chrome_paths.cc 3 | @@ -4,6 +4,7 @@ 4 | 5 | #include "chrome/common/chrome_paths.h" 6 | 7 | +#include "base/environment.h" 8 | #include "base/files/file_util.h" 9 | #include "base/logging.h" 10 | #include "base/native_library.h" 11 | 
@@ -511,7 +512,13 @@ 12 | #endif 13 | #if defined(OS_LINUX) || defined(OS_CHROMEOS) 14 | case chrome::DIR_STANDALONE_EXTERNAL_EXTENSIONS: { 15 | - cur = base::FilePath(kFilepathSinglePrefExtensions); 16 | + std::unique_ptr environment(base::Environment::Create()); 17 | + std::string extension_dir; 18 | + if (environment->GetVar("CHROMIUM_EXTENSION_DIRECTORY", &extension_dir)) { 19 | + cur = base::FilePath(extension_dir); 20 | + } else { 21 | + cur = base::FilePath(kFilepathSinglePrefExtensions); 22 | + } 23 | break; 24 | } 25 | #endif 26 | -------------------------------------------------------------------------------- /waydroid.module.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | { 3 | 4 | virtualisation = { 5 | waydroid.enable = true; 6 | lxd.enable = true; 7 | lxc.enable = true; 8 | lxc.lxcfs.enable = true; 9 | }; 10 | 11 | ## override default from nixos. necessary since lineageos 18 12 | ## should be no problem any more 13 | ## https://wiki.debian.org/LXC/CGroupV2 14 | ## https://github.com/lxc/lxc/issues/3206 15 | systemd.enableUnifiedCgroupHierarchy = lib.mkForce true; 16 | 17 | # networking.interfaces.waydroid0.useDHCP = true; 18 | # services.avahi.allowInterfaces = [ "waydroid0" ]; 19 | # networking.bridges.waydroid0.interfaces = [ ]; 20 | # networking.bridges.waydroid0.interfaces = [ "wlan0" "wwan0" ]; 21 | # systemd.network-wait-online.ignore = [ "waydroid0" ]; 22 | networking.networkmanager.unmanaged = [ "waydroid0" "interface-name:veth*" ]; 23 | # networking.nat.enable = true; 24 | # networking.firewall.checkReversePath = "loose"; 25 | 26 | } 27 | -------------------------------------------------------------------------------- /chrome-pass/module.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
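Review bot: The new branch lets an environment variable decide where Chromium looks for external-extension manifests, so anything that can shape the browser's environment (a shell rc file, a .desktop launcher, a parent process) can redirect it to a directory of attacker-chosen entries that get picked up as external extensions, whereas the compile-time constant it replaces could not be redirected at all — a wider surface than the NixOS module that sets `CHROMIUM_EXTENSION_DIRECTORY` system-wide actually needs. Consider at least refusing relative paths, `if (environment->GetVar("CHROMIUM_EXTENSION_DIRECTORY", &extension_dir) && base::FilePath(extension_dir).IsAbsolute())`, and documenting the variable in a comment above the case label. The `std::unique_ptr environment(...)` line appears to have lost its template argument in rendering (presumably `std::unique_ptr<base::Environment>`); worth confirming against the patch file. The enclosing switch continues outside the hunk.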
}: 2 | let 3 | # extensionId = "oblajhnjmknenodebpekmkliopipoolo"; 4 | extensionId = "ekljbjbjoegcpbofnfmbcdelbionnngn"; 5 | in { 6 | 7 | environment.etc."chromium/native-messaging-hosts/com.piaotech.chrome.extension.pass.json".text = builtins.toJSON { 8 | name = "com.piaotech.chrome.extension.pass"; 9 | description = "Chrome native host application for pass."; 10 | path = "${(pkgs.python3.override { 11 | packageOverrides = pkgs.callPackage ./python-packages.nix { }; 12 | }).pkgs.chrome-pass}/bin/nativePass"; 13 | type = "stdio"; 14 | allowed_origins = [ "chrome-extension://${extensionId}/" ]; 15 | }; 16 | 17 | environment.variables.CHROMIUM_EXTENSION_DIRECTORY = "/etc/chromium/extensions"; 18 | environment.etc."chromium/extensions/${extensionId}/0.3.0".source = "${pkgs.fetchFromGitHub { 19 | owner = "hsanson"; 20 | repo = "chrome-pass"; 21 | rev = "v0.3.0"; 22 | hash = "sha256-ueJh5CefwkiOOu39u6AsLB7NXbMO6tVddHA+o4EuSSI="; 23 | }}/extension"; 24 | 25 | } 26 | -------------------------------------------------------------------------------- /desktop.essential.module.nix: -------------------------------------------------------------------------------- 1 | { lib, pkgs, ... 
}: 2 | 3 | { 4 | 5 | services.physlock.enable = lib.mkDefault true; 6 | 7 | console.useXkbConfig = true; 8 | environment.systemPackages = with pkgs; [ 9 | ## Admin 10 | 11 | st gparted d-spy dbus 12 | 13 | libva-utils 14 | 15 | xorg.xhost xorg.xdpyinfo 16 | 17 | ## Chats 18 | 19 | mumble 20 | 21 | ## Dev tools 22 | 23 | xorg.xkill xorg.xbacklight xorg.xrandr xorg.xev 24 | 25 | xdotool 26 | 27 | ## Video 28 | 29 | gnome.cheese vlc gcolor3 glxinfo yt-dlp 30 | 31 | ## Audio 32 | 33 | gnome.gnome-sound-recorder 34 | 35 | ## Notification 36 | 37 | libnotify 38 | 39 | ## Clipboard 40 | 41 | xclip 42 | 43 | ]; 44 | 45 | nixpkgs.config.packageOverrides = pkgs: { 46 | ## this is unconditionally installed by gnome module, so disable it here 47 | gnome-tour = pkgs.writeScriptBin "gnome-tour" '' 48 | #!/bin/sh -eu 49 | echo >&2 "gnome-tour has been removed" 50 | exit 1 51 | ''; 52 | }; 53 | 54 | } 55 | -------------------------------------------------------------------------------- /aarch64-cross.nix: -------------------------------------------------------------------------------- 1 | let 2 | # pkgsFun = import ../nixpkgs/default.nix; 3 | pkgsFun = import ; 4 | pkgsNoParams = pkgsFun {}; 5 | crossSystem = { 6 | system = "aarch64-linux"; 7 | config = "aarch64-unknown-linux-gnueabi"; 8 | bigEndian = false; 9 | arch = "aarch64"; 10 | #float = "hard"; 11 | #fpu = "vfp"; 12 | withTLS = true; 13 | libc = "glibc"; 14 | platform = pkgsNoParams.platforms.aarch64-multiplatform; 15 | # openssl.system = "linux-generic32"; 16 | gcc = { 17 | arch = "armv8-a"; 18 | # fpu = "vfp"; 19 | # float = "softfp"; 20 | # abi = "aapcs-linux"; 21 | }; 22 | }; 23 | # in import ./nixos { 24 | # system = "aarch64-linux"; 25 | # configuration = { 26 | # imports = [ 27 | # ./rpi3.nix 28 | # # ./nixos/modules/installer/cd-dvd/sd-image-aarch64.nix 29 | # ]; 30 | # nixpkgs.config = { 31 | # packageOverrides = pkgs: (pkgsFun { inherit crossSystem; }); 32 | # }; 33 | # }; 34 | # } 35 | in (pkgsFun { inherit 
crossSystem; }) 36 | -------------------------------------------------------------------------------- /virtox.nix: -------------------------------------------------------------------------------- 1 | { lib, config, pkgs, ... }: 2 | { 3 | hst.site.machine = "virtox"; 4 | hst.site.domain = "virtox.local"; 5 | hst.networking.interfaces = []; 6 | 7 | require = [ 8 | 9 | ./process-isolation.module.nix 10 | 11 | { 12 | environment = { 13 | fhs.enable = true; 14 | fhs.linkLibs = true; 15 | lsb.enable = true; 16 | lsb.support32Bit = true; 17 | }; 18 | } 19 | 20 | ]; 21 | 22 | users.users.herwig.password = "test"; 23 | 24 | environment.systemPackages = [ 25 | (pkgs.runCommand "sudo-direct" {} '' 26 | mkdir -p $out/bin 27 | ln -s /run/wrapper/bin/sudo $out/bin/sudo 28 | '') 29 | # (pkgs.mkRuby { 30 | # version = pkgs.mkRubyVersion "2" "6" "10" ""; 31 | # sha256 = "sha256-DcYJ8mPUnEF21XJd7vwzcnNnY5WYW14Bd4k3Poyt8W4="; 32 | # }) 33 | ]; 34 | # boot.isContainer = true; 35 | networking.firewall.allowedTCPPorts = [ 80 443 ]; 36 | # networking.firewall.enable = false; 37 | # environment.etc."resolv.conf".text = "nameserver 8.8.8.8"; 38 | 39 | } 40 | -------------------------------------------------------------------------------- /samba.module.nix: -------------------------------------------------------------------------------- 1 | { 2 | networking.firewall.allowPing = true; 3 | services.samba = { 4 | enable = true; 5 | openFirewall = true; 6 | securityType = "user"; 7 | extraConfig = '' 8 | workgroup = WORKGROUP 9 | server string = natox 10 | netbios name = natox 11 | security = user 12 | #use sendfile = yes 13 | min protocol = smb2 14 | #hosts allow = 192.168.0.0/24 localhost 15 | #hosts deny = 0.0.0.0/0 16 | guest account = nobody 17 | map to guest = bad user 18 | ''; 19 | shares = { 20 | nara = { 21 | path = "/var/lib/Share"; 22 | browseable = "yes"; 23 | "read only" = "no"; 24 | "guest ok" = "no"; 25 | "create mask" = "0644"; 26 | "directory mask" = "0755"; 27 | # "force user" 
= "nara"; 28 | # "force group" = "users"; 29 | "valid users" = "nara"; 30 | public = "no"; 31 | writeable = "yes"; 32 | "fruit:aapl" = "yes"; 33 | "fruit:time machine" = "yes"; 34 | "vfs objects" = "fruit streams_xattr"; 35 | "ea support" = "yes"; 36 | }; 37 | }; 38 | }; 39 | } -------------------------------------------------------------------------------- /taalo-build.nix: -------------------------------------------------------------------------------- 1 | { stdenv, lib, runCommand, nix }: 2 | 3 | let 4 | nixRemote = "ssh-ng://nix-remote-build@taalo.headcounter.org?compress=true"; 5 | 6 | mkScript = cmd: lib.escapeShellArg '' 7 | #!${stdenv.shell} 8 | export NIX_REMOTE=${lib.escapeShellArg nixRemote} 9 | exec ${lib.escapeShellArg nix}/bin/${cmd} "$@" 10 | ''; 11 | 12 | downloadScript = lib.escapeShellArg '' 13 | #!${stdenv.shell} 14 | exec ${lib.escapeShellArg nix}/bin/nix-build --option binary-caches "https://cache.nixos.org/ https://headcounter.org/hydra" "$@" 15 | ''; 16 | 17 | bdScript = lib.escapeShellArg '' 18 | #!${stdenv.shell} 19 | taalo-build "$@" 20 | exec taalo-download "$@" 21 | ''; 22 | 23 | in runCommand "taalo-build" {} '' 24 | mkdir -p "$out/bin" 25 | 26 | echo -n ${mkScript "nix-build"} > "$out/bin/taalo-build" 27 | echo -n ${mkScript "nix-store -r"} > "$out/bin/taalo-realize" 28 | 29 | echo -n ${downloadScript} > "$out/bin/taalo-download" 30 | echo -n ${bdScript} > "$out/bin/taalo-bd" 31 | 32 | chmod +x "$out"/bin/taalo-{build,realize,download,bd} 33 | '' 34 | -------------------------------------------------------------------------------- /vm.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... 
}:
{
  imports = [
    ./base.nix
    ./desktop.nix
    ./dev.nix
  ];

  # Throwaway test VM with fixed, trivially guessable credentials for root
  # and the "vm" user. NOTE(review): `password` places the plaintext in the
  # generated configuration inside the world-readable Nix store (the option's
  # own documentation warns about this), and with mutableUsers = false it is
  # re-applied on every activation, so a `passwd` inside the VM will not
  # stick. Do not import this module into anything reachable from a network.
  users.extraUsers.root.password = "123";
  users.extraUsers.vm.password = "123";
  users.extraUsers.vm.isNormalUser = true;
  users.mutableUsers = false;

  networking.hostName = "vm";
  networking.nat.externalInterface = "dummy";

  environment.systemPackages = with pkgs; [ sudo ];
  environment.enableDebugInfo = true;

  #services.xserver = {
  #  enable = true;
  #  xkb.layout = "de";
  #  xkbOptions = "eurosign:e";
  #  displayManager.qingy.enable = true;
  #  displayManager.kdm.enable = lib.mkForce false;
  #  displayManager.gdm.enable = true;
  #  desktopManager.gnome3.enable = true;
  #  windowManager.exwm.enable = true;
  #  desktopManager.gnome3.enable = true;
  #};

  #time.timeZone = "Europe/Vienna";

  #i18n = {
  #  consoleFont = "lat9w-16";
  #  consoleKeyMap = "de";
  #  defaultLocale = "de_AT.UTF-8";
  #};

}
-------------------------------------------------------------------------------- /hetox/hardware-configuration.nix: --------------------------------------------------------------------------------
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ...
}: 5 | 6 | { 7 | imports = [ 8 | (modulesPath + "/profiles/qemu-guest.nix") 9 | ]; 10 | 11 | boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; 12 | boot.initrd.kernelModules = [ ]; 13 | boot.kernelModules = [ ]; 14 | boot.extraModulePackages = [ ]; 15 | 16 | fileSystems."/" = { 17 | device = "/dev/disk/by-uuid/1a44af06-22dd-4f88-98cf-ec963d37c74d"; 18 | fsType = "ext4"; 19 | }; 20 | 21 | fileSystems."/var/borgbackup" = { 22 | device = "/dev/disk/by-uuid/973c2d03-b27e-436b-b8c1-be21f3c08131"; 23 | fsType = "ext4"; 24 | }; 25 | 26 | fileSystems."/boot/efi" = { 27 | device = "/dev/disk/by-uuid/FA01-0821"; 28 | fsType = "vfat"; 29 | }; 30 | 31 | swapDevices = [ 32 | { device = "/dev/disk/by-uuid/482ddf7f-4cb3-42b1-86f9-24c7424744a6"; } 33 | ]; 34 | 35 | } 36 | -------------------------------------------------------------------------------- /pivitox.nix: -------------------------------------------------------------------------------- 1 | { lib, config, pkgs, ... 
}: 2 | { 3 | require = [ 4 | # shared with ./base.nix 5 | ./log.module.nix ./sources.module.nix ./nix.module.nix ./zsh.module.nix 6 | ./locale.module.nix ./essential.module.nix ./convenient.module.nix 7 | 8 | ./access.module.nix ./docu-disable.module.nix 9 | 10 | (import { device = "uefi-x86_64"; }) 11 | ./pinox/phosh.nix 12 | ]; 13 | 14 | mobile.boot.stage-1.kernel.additionalModules = [ 15 | "virtio-gpu" "virtiofs" 16 | "sysfs" "ramfs" "tmpfs" "devpts" "proc" "devtmpfs" 17 | ]; 18 | 19 | bendlas.machine = "pivitox"; 20 | # boot.isContainer = true; 21 | 22 | bendlas.wheel.logins = [ "nixos" ]; 23 | users.users.nixos = { 24 | isNormalUser = true; 25 | home = "/home/nixos"; 26 | createHome = true; 27 | password = "123456"; 28 | extraGroups = [ 29 | "networkmanager" 30 | "video" 31 | "feedbackd" 32 | "dialout" # required for modem access 33 | ]; 34 | uid = 1000; 35 | }; 36 | 37 | environment.systemPackages = with pkgs; [ 38 | sway 39 | ]; 40 | 41 | } 42 | -------------------------------------------------------------------------------- /rastox/pistatus.in: -------------------------------------------------------------------------------- 1 | #!@shell@ 2 | 3 | set -eu 4 | 5 | status=$(@libraspberrypi@/bin/vcgencmd get_throttled | sed -n 's|^throttled=\(.*\)|\1|p') 6 | if [[ ${status} -ne 0 ]]; then 7 | if [ $((${status} & 0x00001)) -ne 0 ]; then 8 | echo "Power is currently Under Voltage" 9 | elif [ $((${status} & 0x10000)) -ne 0 ]; then 10 | echo "Power has previously been Under Voltage" 11 | fi 12 | if [ $((${status} & 0x00002)) -ne 0 ]; then 13 | echo "ARM Frequency is currently Capped" 14 | elif [ $((${status} & 0x20000)) -ne 0 ]; then 15 | echo "ARM Frequency has previously been Capped" 16 | fi 17 | if [ $((${status} & 0x00004)) -ne 0 ]; then 18 | echo "CPU is currently Throttled" 19 | elif [ $((${status} & 0x40000)) -ne 0 ]; then 20 | echo "CPU has previously been Throttled" 21 | fi 22 | if [ $((${status} & 0x00008)) -ne 0 ]; then 23 | echo "Currently at Soft 
Temperature Limit" 24 | elif [ $((${status} & 0x80000)) -ne 0 ]; then 25 | echo "Previously at Soft Temperature Limit" 26 | fi 27 | else 28 | echo "No anomalies detected" 29 | fi 30 | -------------------------------------------------------------------------------- /waydroid.patch: -------------------------------------------------------------------------------- 1 | From 2ea666e083a65e674333239962b7b3a2c822fa77 Mon Sep 17 00:00:00 2001 2 | From: Herwig Hochleitner 3 | Date: Wed, 12 Oct 2022 16:42:13 +0200 4 | Subject: [PATCH] waydroid-net: set default gateway through DHCP 5 | 6 | fix https://github.com/waydroid/waydroid/issues/196 7 | --- 8 | data/scripts/waydroid-net.sh | 1 + 9 | 1 file changed, 1 insertion(+) 10 | 11 | diff --git a/data/scripts/waydroid-net.sh b/data/scripts/waydroid-net.sh 12 | index 995177c..bfcde16 100755 13 | --- a/data/scripts/waydroid-net.sh 14 | +++ b/data/scripts/waydroid-net.sh 15 | 
@@ -197,5 +197,6 @@ start() { 16 | dnsmasq $LXC_DHCP_CONFILE_ARG $LXC_DOMAIN_ARG $LXC_DHCP_PING_ARG -u ${DNSMASQ_USER} \ 17 | --strict-order --bind-interfaces --pid-file="${varrun}"/dnsmasq.pid \ 18 | --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} \ 19 | + --dhcp-option router,${LXC_ADDR} \ 20 | --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override \ 21 | --except-interface=lo --interface=${LXC_BRIDGE} \ 22 | --dhcp-leasefile="${varlib}"/misc/dnsmasq.${LXC_BRIDGE}.leases \ -------------------------------------------------------------------------------- /valheim-server.module.nix: -------------------------------------------------------------------------------- 1 | {config, pkgs, lib, ...}: 2 | let 3 | version-fetch = pkgs.callPackage ./steam-scanner/version-fetch.nix { }; 4 | serverName = "Manulinarium"; 5 | worldName = "Manulinarium"; 6 | public = false; 7 | port = 2456; 8 | in { 9 | 10 | hst.steam.server.games.valheim = { 11 | steamId = "896660"; 12 | steamBranch = "public"; 13 | # extraSteamUpdateArgs = "-betapassword yesimadebackups"; 14 | installDir = "/var/lib/valheim"; 15 | startCommand = '' 16 | ./valheim_server.x86_64 \ 17 | -nographics -batchmode \ 18 | -name "${serverName}" \ 19 | -port ${toString port} \ 20 | -world "${worldName}" \ 21 | -password "$(cat /etc/secrets/valheim/server-password)" \ 22 | -public ${if public then "1" else "0"} 23 | ''; 24 | }; 25 | 26 | networking.firewall.allowedUDPPorts = [ port (port + 1) ]; 27 | 28 | systemd.services.${config.hst.steam.server.games.valheim.id}.environment = { 29 | ## linux64 directory is required by Valheim. 30 | LD_LIBRARY_PATH = "linux64:${pkgs.glibc}/lib"; 31 | ## this is defaulted from steam_appid.txt, which gets installed 32 | # SteamAppID = "892970"; 33 | }; 34 | 35 | } 36 | -------------------------------------------------------------------------------- /avahi-disable-conflicts.patch: -------------------------------------------------------------------------------- 1 | 
From 3a6860ad85d527aaebf2df55eafd4bf3b0ef6335 Mon Sep 17 00:00:00 2001 2 | From: Ben Wolsieffer 3 | Date: Wed, 20 Mar 2019 19:54:48 -0400 4 | Subject: [PATCH] HACK: remove conflict detection because it is broken with 5 | IPv6 6 | 7 | --- 8 | avahi-core/server.c | 4 ---- 9 | 1 file changed, 4 deletions(-) 10 | 11 | diff --git a/avahi-core/server.c b/avahi-core/server.c 12 | index a2580e3..c8e7cdd 100644 13 | --- a/avahi-core/server.c 14 | +++ b/avahi-core/server.c 15 | 
@@ -304,16 +304,12 @@ static int handle_conflict(AvahiServer *s, AvahiInterface *i, AvahiRecord *recor 16 | if (avahi_entry_is_registered(s, e, i)) { 17 | 18 | /* A conflict => we have to return to probe mode */ 19 | - conflict = 1; 20 | - conflicting_entry = e; 21 | 22 | } else if (avahi_entry_is_probing(s, e, i)) { 23 | 24 | /* We are currently registering a matching record, but 25 | * someone else already claimed it, so let's 26 | * withdraw */ 27 | - conflict = 1; 28 | - withdraw_immediately = 1; 29 | } 30 | } 31 | } 32 | -- 33 | 2.21.0 34 | 35 | -------------------------------------------------------------------------------- /power-savings.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... }: 2 | 3 | { 4 | 5 | boot = { 6 | kernelParams = [ "pcie_aspm.policy=powersave" ]; 7 | # blacklistedKernelModules = [ "uvcvideo" ]; 8 | extraModprobeConfig = '' 9 | options snd_hda_intel power_save=1 10 | options iwlwifi power_save=1 d0i3_disable=0 uapsd_disable=0 11 | options iwldvm force_cam=0 12 | ''; 13 | kernel.sysctl = { 14 | "kernel.nmi_watchdog" = 0; 15 | "vm.dirty_writeback_centisecs" = 6000; 16 | "vm.laptop_mode" = 5; 17 | }; 18 | }; 19 | 20 | services = { 21 | udev.extraRules = '' 22 | ACTION=="add", SUBSYSTEM=="net", KERNEL=="eth*", RUN+="${pkgs.ethtool}/bin/ethtool -s %k wol d" 23 | ACTION=="add", SUBSYSTEM=="net", KERNEL=="wlan*", RUN+="${pkgs.iw}/bin/iw dev %k set power_save on" 24 | ACTION=="add", SUBSYSTEM=="pci", ATTR{power/control}="auto" 25 | ACTION=="add", SUBSYSTEM=="scsi_host", KERNEL=="host*", ATTR{link_power_management_policy}="min_power" 26 | ''; 27 | ## this leads to non-responsive input devices 28 | # ACTION=="add", SUBSYSTEM=="usb", TEST=="power/control", ATTR{power/control}="auto" 29 | # i2p.enable = pkgs.lib.mkForce false; 30 | # tor.enable = pkgs.lib.mkForce false; 31 | }; 32 | } 33 | -------------------------------------------------------------------------------- 
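Review bot: With the two `conflict = 1` assignments removed, the comment `/* A conflict => we have to return to probe mode */` left in the first branch now describes behavior that no longer happens, and the only record of why is the patch subject; replace it with `/* HACK: conflict handling disabled here, see patch header (broken with IPv6) */` so the now-empty branch is not mistaken for an accidental omission. The change also disables conflict handling for IPv4 records, beyond the IPv6 problem the subject names: a genuine name collision on the link, accidental or from another host claiming the same name, no longer triggers re-probing or withdrawal, and both hosts keep answering for the name. If the breakage is really IPv6-specific, the skip should be limited to records on IPv6 interfaces and the IPv4 path left intact. handle_conflict's body begins and ends outside the hunk, so where `conflict`, `conflicting_entry` and `withdraw_immediately` are consumed cannot be checked here.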
/desktop.exwm.module.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | 4 | services.xserver = { 5 | enable = true; 6 | updateDbusEnvironment = true; 7 | displayManager.startx.enable = true; 8 | windowManager.exwm = { 9 | enable = true; 10 | enableDefaultConfig = false; 11 | loadScript = '' 12 | ;; FIXME why no autoload 13 | (require 'bendlas.startup) 14 | (bendlas.startup/main) 15 | (exwm-init) 16 | ''; 17 | }; 18 | }; 19 | 20 | environment.systemPackages = [ 21 | (pkgs.writeTextFile rec { 22 | name = "disable-tracker-miner-fs-3.conf"; 23 | destination = "/share/dbus-1/session.d/disable-tracker-miner-fs-3.conf"; 24 | text = '' 25 | 27 | 28 | 31 | 32 | 33 | 34 | 35 | 36 | ''; 37 | }) 38 | ]; 39 | 40 | } 41 | -------------------------------------------------------------------------------- /desktop.layout-us-gerextra.module.nix: -------------------------------------------------------------------------------- 1 | { pkgs, lib, ...}: 2 | 3 | { 4 | services.xserver = { 5 | xkb.layout = lib.mkDefault "us-gerextra"; 6 | xkb.extraLayouts.us-gerextra = { 7 | description = '' 8 | English layout with german umlauts on AltGr 9 | ''; 10 | languages = [ "eng" "ger" ]; 11 | keycodesFile = pkgs.writeText "us-gerextra-keycodes" '' 12 | xkb_keycodes "us-gerextra" { include "evdev+aliases(qwerty)" }; 13 | ''; 14 | geometryFile = pkgs.writeText "us-gerextra-geometry" '' 15 | xkb_geometry "us-gerextra" { include "pc(pc104)" }; 16 | ''; 17 | typesFile = pkgs.writeText "us-gerextra-types" '' 18 | xkb_types "us-gerextra" { include "complete" }; 19 | ''; 20 | symbolsFile = pkgs.writeText "us-gerextra-symbols" '' 21 | xkb_symbols "us-gerextra" { 22 | key { [ e, E, EuroSign ] }; 23 | key { [ u, U, udiaeresis, Udiaeresis ] }; 24 | key { [ o, O, odiaeresis, Odiaeresis ] }; 25 | key { [ a, A, adiaeresis, Adiaeresis ] }; 26 | key { [ s, S, ssharp, U1E9E ] }; 27 | augment "pc+us+inet(evdev)+ctrl(nocaps)+level3(ralt_switch)" 28 | }; 29 
| ''; 30 | }; 31 | }; 32 | } 33 | -------------------------------------------------------------------------------- /chrome-pass/python-packages.nix: -------------------------------------------------------------------------------- 1 | # Generated by pip2nix 0.8.0.dev1 2 | # See https://github.com/nix-community/pip2nix 3 | 4 | { pkgs, fetchurl, fetchgit, fetchhg }: 5 | 6 | self: super: { 7 | "chrome-pass" = super.buildPythonPackage rec { 8 | pname = "chrome-pass"; 9 | version = "0.3.0"; 10 | src = fetchurl { 11 | url = "https://files.pythonhosted.org/packages/aa/22/764488aeb60c7d13f399dd3e320a6a0175fee8ece9e147424fd82754d802/chrome-pass-0.3.0.tar.gz"; 12 | sha256 = "07hncv64gpk104344s7s61msmpgwgdlc38j45f6ikglgi8j71n9n"; 13 | }; 14 | format = "setuptools"; 15 | doCheck = false; 16 | buildInputs = []; 17 | checkInputs = []; 18 | nativeBuildInputs = []; 19 | propagatedBuildInputs = [ 20 | self."python-gnupg" 21 | ]; 22 | }; 23 | "python-gnupg" = super.buildPythonPackage rec { 24 | pname = "python-gnupg"; 25 | version = "0.5.1"; 26 | src = fetchurl { 27 | url = "https://files.pythonhosted.org/packages/22/ad/12d8df0a1b465593e736fa14a5d8144381bc64b222e6cd59bb13c6af95b4/python_gnupg-0.5.1-py2.py3-none-any.whl"; 28 | sha256 = "10j42x8p0k1h1vsr6kvfmsp3wa8brmv42634gndi6f7g6a82v6xz"; 29 | }; 30 | format = "wheel"; 31 | doCheck = false; 32 | buildInputs = []; 33 | checkInputs = []; 34 | nativeBuildInputs = []; 35 | propagatedBuildInputs = []; 36 | }; 37 | } 38 | -------------------------------------------------------------------------------- /sound.module.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | { 3 | 4 | imports = [ 5 | # { 6 | # hardware.pulseaudio = { 7 | # enable = true; 8 | # support32Bit = true; 9 | # package = pkgs.pulseaudioFull; 10 | # tcp.enable = true; 11 | # zeroconf = { 12 | # discovery.enable = true; 13 | # publish.enable = true; 14 | # }; 15 | # }; 16 | # # Pulseaudio uses 4713 17 | # networking.firewall.allowedTCPPorts = [ 4713 ]; 18 | # } 19 | ]; 20 | 21 | hardware.pulseaudio.enable = false; 22 | # rtkit is optional but recommended 23 | security.rtkit.enable = true; 24 | services.pipewire = { 25 | enable = true; 26 | alsa.enable = true; 27 | alsa.support32Bit = true; 28 | pulse.enable = true; 29 | # If you want to use JACK applications, uncomment this 30 | jack.enable = true; 31 | }; 32 | ## pipewire instead 33 | sound.enable = false; 34 | hardware.bluetooth.enable = true; 35 | 36 | environment.systemPackages = with pkgs; [ 37 | beep alsa-utils 38 | paprefs pavucontrol 39 | qjackctl jack2 40 | ]; 41 | 42 | # ## Define a group for jack and the like 43 | # security.pam.loginLimits = [{ 44 | # domain = "@realtime"; 45 | # type = "-"; 46 | # item = "rtprio"; 47 | # value = "99"; 48 | # }{ 49 | # domain = "@realtime"; 50 | # type = "-"; 51 | # item = "memlock"; 52 | # value = "unlimited"; 53 | # }]; 54 | 55 | } 56 | -------------------------------------------------------------------------------- /hetox/gitlab.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}: 2 | { 3 | 4 | services.gitlab = { 5 | enable = true; 6 | https = true; 7 | host = "gitlab.bendlas.net"; 8 | port = 443; 9 | user = "gitlab"; 10 | group = "gitlab"; 11 | initialRootEmail = "root@bendlas.net"; 12 | initialRootPasswordFile = "/etc/gitlab-secrets/initialRootPassword"; 13 | databasePasswordFile = "/etc/gitlab-secrets/databasePassword"; 14 | smtp = { 15 | enable = true; 16 | address = "mail.bendlas.net"; 17 | port = 587; 18 | username = "git@bendlas.net"; 19 | passwordFile = "/etc/gitlab-secrets/smtp.password"; 20 | }; 21 | extraConfig = { 22 | gitlab = { 23 | email_from = "git@bendlas.net"; 24 | email_display_name = "Gitlab on bendlas.net"; 25 | }; 26 | }; 27 | secrets = { 28 | dbFile = "/etc/gitlab-secrets/db"; 29 | secretFile = "/etc/gitlab-secrets/secret"; 30 | otpFile = "/etc/gitlab-secrets/otp"; 31 | jwsFile = "/etc/gitlab-secrets/jws"; 32 | }; 33 | }; 34 | 35 | services.nginx.virtualHosts."${config.services.gitlab.host}" = { 36 | enableACME = true; 37 | forceSSL = true; 38 | locations."/" = { 39 | proxyPass = "http://unix:/var/run/gitlab/gitlab-workhorse.socket"; 40 | proxyWebsockets = true; 41 | }; 42 | }; 43 | 44 | security.acme.defaults.email = config.services.gitlab.initialRootEmail; 45 | 46 | services.postgresql.package = pkgs.postgresql_14; 47 | 48 | } 49 | -------------------------------------------------------------------------------- /desktop.convenient.module.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | 3 | { 4 | 5 | environment.systemPackages = with pkgs; [ 6 | 7 | ## Chats 8 | 9 | tdesktop signal-desktop 10 | 11 | ## Games 12 | 13 | wine winetricks 14 | 15 | # sauerbraten 16 | # dwarf-fortress dwarf-therapist 17 | 18 | ## Dev tools 19 | 20 | # nixops ## not working 21 | visualvm rustc cargo nim ant go dosbox 22 | 23 | nodejs debootstrap mercurial subversion cmake guile valgrind sbcl 24 | dos2unix nodePackages.grunt-cli mono luajit luarocks racket 25 | 26 | radare2 # radare2-cutter 27 | nix-generate-from-cpan 28 | 29 | python3 python3Packages.pip # pypy 30 | 31 | boot leiningen gettext jdk maven3 clojure 32 | 33 | # diffoscope ## pulls in androidsdk ~ 2 GiB 34 | 35 | graphviz 36 | 37 | ## Video 38 | 39 | inkscape antimony gimp openscad # blender 40 | 41 | ## Audio 42 | 43 | # clementine 44 | audacity 45 | 46 | ## Documents 47 | 48 | abiword gnumeric lyx 49 | 50 | ## Networking 51 | 52 | firefox deluge chromium 53 | thunderbird bitcoin ipfs 54 | 55 | # ml-workbench 56 | webtorrent_desktop 57 | 58 | ]; 59 | 60 | nixpkgs.config = { 61 | wine = { 62 | release = "staging"; 63 | build = "wineWow"; 64 | }; 65 | firefox = { 66 | jre = true; 67 | nativeMessagingHosts.packages = with pkgs; [ 68 | gnome-browser-connector 69 | ]; 70 | }; 71 | }; 72 | 73 | services.flatpak.enable = true; 74 | 75 | } 76 | -------------------------------------------------------------------------------- /microvms/_common.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | { 4 | systemd.network = { 5 | netdevs."10-microvm".netdevConfig = { 6 | Kind = "bridge"; 7 | Name = "microvm"; 8 | }; 9 | networks."10-microvm" = { 10 | matchConfig.Name = "microvm"; 11 | networkConfig = { 12 | IPv6SendRA = true; 13 | }; 14 | addresses = [ { 15 | addressConfig.Address = "10.0.0.1/24"; 16 | } { 17 | addressConfig.Address = "fd12:3456:789a::1/64"; 18 | } ]; 19 | ipv6Prefixes = [ { 20 | ipv6PrefixConfig.Prefix = "fd12:3456:789a::/64"; 21 | } ]; 22 
| }; 23 | }; 24 | } 25 | { 26 | services.avahi.allowInterfaces = [ "microvm" ]; 27 | } 28 | { 29 | systemd.network.networks."10-microvm".networkConfig.DHCPServer = true; 30 | networking.firewall.interfaces.microvm.allowedUDPPorts = [ 67 ]; 31 | } 32 | { 33 | systemd.network = { 34 | networks."11-microvm" = { 35 | matchConfig.Name = "vm-*"; 36 | # Attach to the bridge that was configured above 37 | networkConfig.Bridge = "microvm"; 38 | }; 39 | }; 40 | } 41 | { 42 | networking.nat = { 43 | enable = true; 44 | enableIPv6 = true; 45 | # Change this to the interface with upstream Internet access 46 | externalInterface = "eno2"; 47 | internalInterfaces = [ "microvm" ]; 48 | }; 49 | } 50 | ]; 51 | } 52 | -------------------------------------------------------------------------------- /rastox.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | hst.site.machine = "rastox"; 4 | hst.site.domain = "bendlas.local"; 5 | hst.site.adminUser = "herwig"; 6 | imports = [ 7 | { 8 | users.users.autossh = { 9 | isSystemUser = true; 10 | home = "/var/autossh"; 11 | createHome = true; 12 | group = "autossh"; 13 | }; 14 | users.groups.autossh = {}; 15 | services.autossh.sessions = [{ 16 | extraArguments = "-N -R2201:localhost:22 hetox.bendlas.net"; 17 | monitoringPort = 20000; 18 | name = "hetox-reverse-tunnel"; 19 | user = "autossh"; 20 | }]; 21 | } 22 | ]; 23 | 24 | services.xserver = { 25 | enable = true; 26 | desktopManager.gnome.enable = true; 27 | displayManager.gdm.enable = true; 28 | }; 29 | 30 | services.murmur = { 31 | enable = true; 32 | openFirewall = true; 33 | }; 34 | 35 | services.cron.enable = false; 36 | # services.avahi.allowInterfaces = [ "end0" "wlan0" ]; 37 | 38 | ## The global useDHCP flag is deprecated, therefore explicitly set to false here. 39 | ## Per-interface useDHCP will be mandatory in the future, so this generated config 40 | ## replicates the default behaviour. 
41 | # networking.useDHCP = false; 42 | # networking.interfaces.end0.useDHCP = true; 43 | # networking.interfaces.wlan0.useDHCP = true; 44 | hst.networking.interfaces = [ "end0" "wlan0" ]; 45 | 46 | environment.systemPackages = with pkgs; [ 47 | libraspberrypi raspberrypi-eeprom iw 48 | ]; 49 | 50 | system.stateVersion = "21.11"; 51 | 52 | } 53 | 54 | -------------------------------------------------------------------------------- /lenix/bondig.nix: -------------------------------------------------------------------------------- 1 | { 2 | 3 | hst.networking.interfaces = [ "bond0" ]; 4 | 5 | # boot.extraModprobeConfig = '' 6 | # options bonding mode=balance-alb 7 | # options bonding miimon=1000 8 | # options bonding fail_over_mac=active 9 | # ''; 10 | 11 | # boot.extraModprobeConfig = '' 12 | # options bonding mode=active-backup 13 | # options bonding primary=eth0 14 | # options bonding miimon=1000 15 | # options bonding fail_over_mac=active 16 | # ''; 17 | 18 | systemd.network = { 19 | enable = true; 20 | netdevs = { 21 | "10-bond0" = { 22 | netdevConfig = { 23 | Kind = "bond"; 24 | Name = "bond0"; 25 | }; 26 | bondConfig = { 27 | # Mode = "802.3ad"; 28 | # Mode = "balance-alb"; 29 | Mode = "active-backup"; 30 | PrimaryReselectPolicy = "always"; 31 | TransmitHashPolicy = "layer3+4"; 32 | }; 33 | }; 34 | }; 35 | networks = { 36 | "30-wlan0" = { 37 | matchConfig.Name = "wlan0"; 38 | networkConfig.Bond = "bond0"; 39 | }; 40 | 41 | "30-enp0s31f6" = { 42 | matchConfig.Name = "enp0s31f6"; 43 | networkConfig.Bond = "bond0"; 44 | networkConfig.PrimarySlave = true; 45 | }; 46 | 47 | "40-bond0" = { 48 | matchConfig.Name = "bond0"; 49 | linkConfig.RequiredForOnline = "carrier"; 50 | networkConfig.LinkLocalAddressing = "no"; 51 | networkConfig.BindCarrier = "wlan0 enp0s31f6"; 52 | ## provided by hst 53 | # networkConfig.DHCP = "ipv4"; 54 | }; 55 | }; 56 | }; 57 | } 58 | -------------------------------------------------------------------------------- /rotox.nix: 
-------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... }: 2 | 3 | { 4 | 5 | hst.site.machine = "rotox"; 6 | hst.site.domain = "bendlas.local"; 7 | hst.site.adminUser = "herwig"; 8 | 9 | imports = [ 10 | # ./kodi-wayland.nix 11 | ./rastox/kodi-xorg.nix 12 | ./rastox/users.nix 13 | ]; 14 | 15 | services.xserver = { 16 | enable = true; 17 | desktopManager.gnome.enable = true; 18 | # displayManager.lightdm.enable = true; 19 | displayManager.gdm.enable = true; 20 | displayManager.gdm.wayland = false; 21 | # videoDrivers = [ "panfrost" "vesa" ]; 22 | }; 23 | 24 | services.murmur = { 25 | enable = true; 26 | openFirewall = true; 27 | }; 28 | 29 | services.cron.enable = false; 30 | 31 | hst.networking.interfaces = [ "end0" ]; 32 | # services.avahi.allowInterfaces = [ "end0" ]; 33 | # networking.useDHCP = false; 34 | # networking.interfaces.end0.useDHCP = true; 35 | 36 | environment.systemPackages = with pkgs; [ 37 | deluge webtorrent_desktop chromium youtube-dl 38 | ]; 39 | 40 | system.stateVersion = "23.05"; 41 | 42 | ## Hardware config 43 | 44 | boot.consoleLogLevel = 7; 45 | boot.loader.grub.enable = false; 46 | boot.loader.generic-extlinux-compatible.enable = true; 47 | mobile.bootloader.enable = false; 48 | 49 | fileSystems."/" = { 50 | device = "/dev/disk/by-uuid/62fcf4f0-0cac-4d13-8acc-ad12901312cb"; 51 | fsType = "ext4"; 52 | }; 53 | 54 | swapDevices = [{ 55 | device = "/dev/disk/by-uuid/4ac61bb0-3ba3-4169-a9c8-b45aae91e074"; 56 | }]; 57 | 58 | ## right now, crossPlatform is defined by mobile-nixos, but shouldn't be 59 | nixpkgs.hostPlatform = "aarch64-linux"; 60 | powerManagement.cpuFreqGovernor = "ondemand"; 61 | 62 | } 63 | -------------------------------------------------------------------------------- /mobile-nixos-bootloader.nix: -------------------------------------------------------------------------------- 1 | # https://git.c3pb.de/jens/dotfiles/-/blob/master/modules/mobile-nixos-bootloader.nix 2 | { 
config, lib, pkgs, ... }: 3 | with lib; 4 | 5 | let 6 | boot-partition = config.mobile.outputs.u-boot.boot-partition; 7 | cfg = config.mobile-nixos.install-bootloader; 8 | install-bootloader-script = pkgs.writeScript "install-bootloader" '' 9 | #!${pkgs.zsh}/bin/zsh 10 | 11 | set -eu 12 | 13 | install -d /var/lib/mobile-nixos-bootloader 14 | 15 | print "Requested bootloader: ${boot-partition}" 16 | 17 | if [[ -e /var/lib/mobile-nixos-bootloader/current ]] 18 | then 19 | 20 | current=$(realpath /var/lib/mobile-nixos-bootloader/current) 21 | 22 | print "Current bootloader: $current" 23 | 24 | if [[ "${boot-partition}" = "$current" ]] 25 | then 26 | print "No bootloader update required" 27 | exit 0 28 | fi 29 | 30 | else 31 | print "No information about current bootloader" 32 | fi 33 | 34 | print "Deploying bootloader to ${cfg.target}" 35 | 36 | dd if="${boot-partition}/mobile-nixos-boot.img" of="${cfg.target}" bs=16M conv=fsync oflag=direct status=progress 37 | ln -T -f -s "${boot-partition}" /var/lib/mobile-nixos-bootloader/current 38 | ''; 39 | 40 | in { 41 | options.mobile-nixos.install-bootloader = { 42 | enable = mkOption { 43 | type = types.bool; 44 | default = false; 45 | }; 46 | target = mkOption { 47 | type = types.path; 48 | default = "/dev/disk/by-label/mobile-nixos-boo"; 49 | description = '' 50 | Target block device. 51 | ''; 52 | }; 53 | }; 54 | config = mkIf cfg.enable { 55 | system.build.installBootLoader = install-bootloader-script; 56 | }; 57 | } 58 | -------------------------------------------------------------------------------- /epson-inkjet-printer-stylus-photo-r3000.package.nix: -------------------------------------------------------------------------------- 1 | { stdenv, lib 2 | , fetchurl, fetchpatch, rpm2targz, autoreconfHook 3 | , cups, libjpeg 4 | , enableDebug ? 
false 5 | }: 6 | 7 | stdenv.mkDerivation rec { 8 | pname = "epson-inkjet-printer-stylus-photo-r3000"; 9 | version = "1.0.0"; 10 | 11 | src = fetchurl { 12 | url = "http://download.ebz.epson.net/dsc/op/stable/SRPMS/${pname}-${version}-1lsb3.2.src.rpm"; 13 | sha256 = "sha256-JVW+WvjH8xvWZrHGMuo2BLIhXXMucZ3qMzlhlVqjoFQ="; 14 | }; 15 | 16 | nativeBuildInputs = [ rpm2targz autoreconfHook ]; 17 | buildInputs = [ cups libjpeg ]; 18 | 19 | unpackPhase = '' 20 | rpm2tar -O $src | tar -xO ./$pname-$version.tar.gz | tar -xz 21 | sourceDir=epson-inkjet-printer-filter-$version 22 | rpm2tar -O $src | tar -xO ./$sourceDir.tar.gz | tar -xz 23 | cd $sourceDir 24 | ''; 25 | 26 | ## From arch build. Apparently not needed, but kept in case we need it at some point 27 | # patches = [(fetchpatch { 28 | # url = "https://aur.archlinux.org/cgit/aur.git/plain/fixbuild.patch?h=epson-inkjet-printer-stylus-photo-r3000"; 29 | # sha256 = "sha256-Pk7hpscWPUivf5+jGInXDCv25h8IKDCCH3sgNPd4Csg="; 30 | # })]; 31 | 32 | LDFLAGS = "-Wl,--no-as-needed"; 33 | 34 | configureFlags = lib.optional (enableDebug) "--enable-debug"; 35 | 36 | dontMoveLib64 = 1; 37 | postInstall = '' 38 | ppdName=Epson_Stylus_Photo_R3000.ppd 39 | mkdir -p $out/share/cups/model/$pname $out/resource/ $out/lib64 $out/lib 40 | cp -a ../$pname-$version/resource/* $out/resource/ 41 | cp -a ../$pname-$version/lib64/* $out/lib64 42 | cp -a ../$pname-$version/lib/* $out/lib 43 | sed "s#/opt/epson-inkjet-printer-stylus-photo-r3000/cups/lib/filter/epson_inkjet_printer_filter#$out/lib/cups/filter/epson_inkjet_printer_filter#" \ 44 | < ../$pname-$version/ppds/$ppdName \ 45 | > $out/share/cups/model/$pname/$ppdName 46 | ''; 47 | 48 | } 49 | -------------------------------------------------------------------------------- /bendlas.module.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... 
}: 2 | { 3 | 4 | security.sudo.wheelNeedsPassword = true; 5 | nix.settings.trusted-users = [ "herwig" ]; 6 | hst.wheel.logins = [ "herwig" ]; 7 | users.users = { 8 | "herwig" = { 9 | description = "Herwig Hochleitner"; 10 | extraGroups = [ "wheel" "networkmanager" "dialout" "audio" ]; 11 | shell = "/run/current-system/sw/bin/zsh"; 12 | isNormalUser = true; 13 | uid = 1000; 14 | }; 15 | }; 16 | 17 | environment.systemPackages = with pkgs; [ 18 | texlive-bendlas ungoogled-chromium-bendlas 19 | ]; 20 | 21 | hardware.enableRedistributableFirmware = true; 22 | nixpkgs.config.allowUnfree = true; 23 | 24 | services.resolved = { 25 | # dnssec = "allow-downgrade"; 26 | extraConfig = '' 27 | DNS=8.8.8.8 28 | DNSOverTLS=opportunistic 29 | ''; 30 | }; 31 | 32 | 33 | nixpkgs.config.packageOverrides = pkgs: { 34 | texlive-bendlas = pkgs.texlive.combine { 35 | inherit (pkgs.texlive) 36 | scheme-medium koma-script mathpazo gtl 37 | booktabs pdfpages hyperref g-brief xstring numprint unravel 38 | collection-latex collection-latexextra collection-latexrecommended 39 | collection-fontsrecommended komacv biblatex-ieee fontawesome; 40 | }; 41 | ungoogled-chromium-bendlas = pkgs.runCommand "ungoogled-chromium-bendlas" { 42 | orig = pkgs.ungoogled-chromium.override { 43 | ## FAT recompile 44 | # extraPatches = [ 45 | # # for declarative extension installation 46 | # # (search for extensions at CHROMIUM_EXTENSION_DIRECTORY instead of 47 | # # /usr/share/chromium/extensions) 48 | # ./chromium-extension-search-path.patch 49 | # ]; 50 | }; 51 | } '' 52 | mkdir -p $out/bin 53 | for b in $orig/bin/* 54 | do 55 | ln -s $b $out/bin/ungoogled-$(basename $b) 56 | done 57 | ''; 58 | }; 59 | } 60 | -------------------------------------------------------------------------------- /rpi1.nix: -------------------------------------------------------------------------------- 1 | { 2 | imports = [ 3 | ({ lib, ... 
}: { 4 | # nixpkgs.crossSystem.system = "armv6l-linux"; 5 | nixpkgs.crossSystem = lib.systems.examples.raspberryPi; 6 | }) 7 | # 8 | ({ lib, pkgs, ... }: { 9 | boot.loader.grub.enable = false; 10 | boot.loader.generic-extlinux-compatible.enable = true; 11 | 12 | boot.consoleLogLevel = lib.mkDefault 7; 13 | boot.kernelPackages = pkgs.linuxKernel.packages.linux_rpi1; 14 | 15 | # sdImage = { 16 | # populateFirmwareCommands = let 17 | # configTxt = pkgs.writeText "config.txt" '' 18 | # # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel 19 | # # when attempting to show low-voltage or overtemperature warnings. 20 | # avoid_warnings=1 21 | 22 | # [pi0] 23 | # kernel=u-boot-rpi0.bin 24 | 25 | # [pi1] 26 | # kernel=u-boot-rpi1.bin 27 | # ''; 28 | # in '' 29 | # (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/firmware/) 30 | # cp ${pkgs.ubootRaspberryPiZero}/u-boot.bin firmware/u-boot-rpi0.bin 31 | # cp ${pkgs.ubootRaspberryPi}/u-boot.bin firmware/u-boot-rpi1.bin 32 | # cp ${configTxt} firmware/config.txt 33 | # ''; 34 | # populateRootCommands = '' 35 | # mkdir -p ./files/boot 36 | # ${config.boot.loader.generic-extlinux-compatible.populateCmd} -c ${config.system.build.toplevel} -d ./files/boot 37 | # ''; 38 | # }; 39 | 40 | }) 41 | { 42 | hardware.enableRedistributableFirmware = true; 43 | networking.wireless.enable = true; 44 | } 45 | { 46 | fileSystems."/" = { 47 | device = "/dev/null"; 48 | fsType = "ext4"; 49 | }; 50 | } 51 | ]; 52 | } 53 | -------------------------------------------------------------------------------- /schentox.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... 
}: 2 | 3 | { ## Outsource nixpkgs.config to be shared with nix-env 4 | require = [ ./desktop.nix ./hardware-configuration.schentox.nix ./dev.nix ]; # ./power-savings.nix 5 | 6 | environment.systemPackages = (with pkgs; [ 7 | bluez5 8 | ]); 9 | 10 | boot = { 11 | initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ata_piix" "firewire_ohci" "usb_storage" ]; 12 | kernelModules = [ "kvm-intel" ]; 13 | loader.grub = { 14 | enable = true; 15 | version = 2; 16 | device = "/dev/sda"; 17 | }; 18 | kernelParams = [ "resume=UUID=d71e0b01-5042-4456-8a72-d4653d0b7e4e" ]; 19 | }; 20 | 21 | fileSystems."/" = 22 | { device = "/dev/disk/by-uuid/da948a98-1b1b-4c06-98c9-1147173448ee"; 23 | fsType = "ext4"; 24 | }; 25 | 26 | fileSystems."/home" = 27 | { device = "/dev/disk/by-uuid/0d892680-934c-437f-8ede-a42ef781c835"; 28 | fsType = "ext4"; 29 | }; 30 | 31 | fileSystems."/tmp" = 32 | { device = "tmp"; 33 | fsType = "tmpfs"; 34 | options = [ "size=8g" "mode=1777" ]; 35 | }; 36 | 37 | swapDevices = 38 | [ { device = "/dev/disk/by-uuid/d71e0b01-5042-4456-8a72-d4653d0b7e4e"; } 39 | ]; 40 | 41 | networking = rec { 42 | hostName = "schentox"; 43 | hostId = "99cfb55e"; 44 | nat.externalInterface = "wlp3s0"; 45 | wireless = { 46 | enable = true; 47 | userControlled.enable = true; 48 | }; 49 | }; 50 | 51 | services = { 52 | xserver = { 53 | videoDrivers = [ "nouveau" "vesa" ]; 54 | }; 55 | printing = { 56 | enable = true; 57 | drivers = [ pkgs.splix ]; 58 | }; 59 | udev.extraRules = '' 60 | ATTR{idvendor}=="04e8", ATTR{idProduct}=="344f", MODE:="0660", GROUP:="lp", ENV{libsane_matched}:="yes" 61 | ''; 62 | i2p.enable = lib.mkForce false; 63 | tor.enable = lib.mkForce false; 64 | }; 65 | 66 | hardware = { 67 | trackpoint.emulateWheel = true; 68 | bluetooth.enable = true; 69 | sane.enable = true; 70 | }; 71 | 72 | users.extraUsers = { 73 | "augustine" = { 74 | description = "Augustine Hochleitner"; 75 | isNormalUser = true; 76 | extraGroups = [ "networkmanager" ]; 77 | }; 78 | "dorothea" = 
{ 79 | description = "Dorothea Hochleitner"; 80 | isNormalUser = true; 81 | extraGroups = [ "networkmanager" ]; 82 | }; 83 | }; 84 | 85 | nix.maxJobs = 2; 86 | 87 | } 88 | -------------------------------------------------------------------------------- /raspix.nix: -------------------------------------------------------------------------------- 1 | { pkgs, ... }: 2 | { 3 | hst.site.machine = "raspix"; 4 | hst.site.domain = "bendlas.local"; 5 | hst.site.adminUser = "herwig"; 6 | imports = [ 7 | { 8 | users.users.autossh = { 9 | isSystemUser = true; 10 | home = "/var/autossh"; 11 | createHome = true; 12 | group = "autossh"; 13 | }; 14 | users.groups.autossh = {}; 15 | services.autossh.sessions = [{ 16 | extraArguments = "-N -R2202:localhost:22 hetox.bendlas.net"; 17 | monitoringPort = 20000; 18 | name = "hetox-reverse-tunnel"; 19 | user = "autossh"; 20 | }]; 21 | } 22 | ]; 23 | 24 | # services.xserver = { 25 | # enable = true; 26 | # desktopManager.gnome.enable = true; 27 | # displayManager.gdm.enable = true; 28 | # }; 29 | 30 | # services.murmur = { 31 | # enable = true; 32 | # openFirewall = true; 33 | # }; 34 | 35 | services.cron.enable = false; 36 | # services.avahi.allowInterfaces = [ "end0" "wlan0" ]; 37 | 38 | ## The global useDHCP flag is deprecated, therefore explicitly set to false here. 39 | ## Per-interface useDHCP will be mandatory in the future, so this generated config 40 | ## replicates the default behaviour. 
41 | # networking.useDHCP = false; 42 | # networking.interfaces.end0.useDHCP = true; 43 | # networking.interfaces.wlan0.useDHCP = true; 44 | hst.networking.interfaces = [ "end0" "wlan0" ]; 45 | 46 | environment.systemPackages = with pkgs; [ 47 | libraspberrypi raspberrypi-eeprom iw 48 | ]; 49 | 50 | powerManagement.cpuFreqGovernor = "ondemand"; 51 | nix.settings.cores = 4; 52 | 53 | boot = { 54 | consoleLogLevel = 7; 55 | # kernelPackages = pkgs.linuxPackages_rpi4; 56 | kernelParams = [ 57 | # "dwc_otg.lpm_enable=0" 58 | # "console=ttyAMA0,115200" 59 | "rootwait" 60 | # "elevator=deadline" 61 | "cma=32M" 62 | "usbhid.mousepoll=0" 63 | ]; 64 | loader = { 65 | generic-extlinux-compatible.enable = true; 66 | grub.enable = false; 67 | }; 68 | # initrd.kernelModules = [ "vc4" "bcm2835_dma" "i2c_bcm2835" ]; 69 | }; 70 | 71 | hardware.enableRedistributableFirmware = true; 72 | 73 | system.stateVersion = "24.05"; 74 | 75 | fileSystems."/" = 76 | { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; 77 | fsType = "ext4"; 78 | }; 79 | 80 | fileSystems."/boot/firmware" = 81 | { device = "/dev/disk/by-uuid/2178-694E"; 82 | fsType = "vfat"; 83 | }; 84 | 85 | swapDevices = 86 | [ { device = "/dev/disk/by-uuid/cc249a56-c9b8-4dac-b6d1-066bb6471844"; } 87 | ]; 88 | 89 | } 90 | 91 | -------------------------------------------------------------------------------- /dev.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}: 2 | let 3 | container-host-ip = "10.233.2.1"; 4 | vitox-ip = "10.233.2.2"; 5 | in 6 | { 7 | ## require = [ ./matrix.nix ]; 8 | 9 | networking = { 10 | # 10.233.1.2 virtox.local auth.virtox.local git.virtox.local pgadmin.virtox.local code.virtox.local cloud.virtox.local 11 | 12 | extraHosts = '' 13 | 127.0.0.1 app.phoenix.dev mobile.phoenix.dev 14 | ${vitox-ip} jk.local hdnews.local static.local stats.local sub.hdnews.local 15 | ''; 16 | firewall = { 17 | # allowedTCPPorts = [ 22 80 443 3449 8081 8000 8050 8080 9981 9982 ]; 18 | # allowedUDPPorts = [ 9981 9982 ]; 19 | #allowedTCPPortRanges = [ 20 | # { from = 8000; to = 9000; } 21 | #]; 22 | allowPing = true; 23 | checkReversePath = "loose"; 24 | }; 25 | }; 26 | environment.systemPackages = with pkgs; [ 27 | # emacs.emacs.debug 28 | # nixops 29 | nodePackages.tern 30 | git-relevant-history 31 | git-filter-repo 32 | # ml-workbench 33 | # elixir 34 | # ruby 35 | ]; 36 | 37 | # systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [ 38 | # "" # clear old command 39 | # ## "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --ignore anbox0" 40 | # "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online -i lo:carrier" 41 | # ]; 42 | environment.enableDebugInfo = true; 43 | services = { 44 | postgresql = { 45 | enable = false; 46 | enableTCPIP = false; 47 | # authentication = pkgs.lib.mkForce '' 48 | # local all all trust 49 | # host all all 127.0.0.1/32 trust 50 | # host all all ::1/128 trust 51 | # ''; 52 | }; 53 | # pgmanage = { 54 | # enable = true; 55 | # # allowCustomConnections = true; 56 | # connections = { 57 | # nitox = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=prefer"; 58 | # }; 59 | # }; 60 | }; 61 | nix = { 62 | settings.trusted-substituters = [ "https://headcounter.org/hydra" "ssh://nitox.local" "ssh://natox.local" "ssh://lenix.local" "ssh://rastox.local" "ssh://pinox.local" ]; 63 | settings.trusted-public-keys = [ 
"headcounter.org:/7YANMvnQnyvcVB6rgFTdb8p5LG1OTXaO+21CaOSBzg=" ];
};

users.extraUsers = {
  ## Interactive test account. No password and no SSH keys are configured
  ## for it in this file.
  "test" = {
    description = "Test User";
    shell = "/run/current-system/sw/bin/zsh";
    isNormalUser = true;
  };
};

# containers.vitox = {
#   config = /home/herwig/checkout/net.bendlas-next/etc/nixos/instances/vitox.nix;
#   privateNetwork = true;
#   hostAddress = container-host-ip;
#   localAddress = vitox-ip;
#   bindMounts."/src/net.bendlas".hostPath = "/home/herwig/checkout/net.bendlas-next";
# };

}
-------------------------------------------------------------------------------- /rastox/hardware-configuration.nix: --------------------------------------------------------------------------------
## Hardware configuration for rastox, a Raspberry Pi 4: root/boot/swap
## devices, the rpi4 kernel and its parameters, boot loader selection and the
## Pi-specific 3D/audio hardware options.
{ config, lib, pkgs, modulesPath, ... }:

let
  ## CMA pool size in MiB; passed to the kernel below and shared with the
  ## fkms-3d option at the bottom of the file.
  cma = 512;
in {

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/18121651-0c99-4b18-acda-11faf72e1f2f";
      fsType = "ext4";
    };

  fileSystems."/boot/firmware" =
    { device = "/dev/disk/by-uuid/D449-45AA";
      fsType = "vfat";
    };

  swapDevices =
    [ { device = "/dev/disk/by-uuid/af4a4349-3358-4a1d-b9e5-1de1c8989588"; }
    ];

  powerManagement.cpuFreqGovernor = "ondemand";
  nix.settings.cores = 4;

  boot = {
    ## Verbose console logging (kernel loglevel 7).
    consoleLogLevel = 7;
    kernelPackages = pkgs.linuxPackages_rpi4;
    kernelParams = [
      # "dwc_otg.lpm_enable=0"
      # "console=ttyAMA0,115200"
      "rootwait"
      # "elevator=deadline"
      "cma=${toString cma}M"
      "usbhid.mousepoll=0"
    ];
    loader = {
      ## extlinux-style boot entries written by NixOS; GRUB is not used on this board.
      generic-extlinux-compatible.enable = true;
      grub.enable = false;
      ## just disable raspi firmware generation, for now. Please
      ## update firmwareConfig yourself
      raspberryPi = {
        ## With enable = false the firmwareConfig below is kept for reference
        ## only; this module does not write it to the firmware partition.
        enable = false;
        version = 4;
        ## https://github.com/NixOS/nixpkgs/pull/67902#discussion_r744178864
        # firmwareDir = "/boot/firmware";
        firmwareConfig = ''
          [pi3]
          kernel=u-boot-rpi3.bin

          [pi4]
          kernel=u-boot-rpi4.bin
          enable_gic=1
          armstub=armstub8-gic.bin

          # Otherwise the resolution will be weird in most cases, compared to
          # what the pi3 firmware does by default.
          disable_overscan=1

          [all]
          # Boot in 64-bit mode.
          arm_64bit=1

          # U-Boot needs this to work, regardless of whether UART is actually used or not.
          # Look in arch/arm/mach-bcm283x/Kconfig in the U-Boot tree to see if this is still
          # a requirement in the future.
          enable_uart=1

          # Prevent the firmware from smashing the framebuffer setup done by the mainline kernel
          # when attempting to show low-voltage or overtemperature warnings.
          avoid_warnings=1

          # Boost to 1.8GHz if safe
          arm_boost=1

          # hdmi_drive=2
          # hdmi_group=1
          # dtoverlay=vc4-fkms-v3d
          # dtoverlay=vc4-kms-v3d-pi4
          # max_framebuffers=2
          # dtparam=audio=on
        '';
        uboot.enable = true;
      };
    };
  };
  hardware.raspberry-pi."4" = {
    fkms-3d = {
      enable = true;
      inherit cma;
    };
    audio.enable = true;
  };

}
-------------------------------------------------------------------------------- /rotox.kernel.nix: --------------------------------------------------------------------------------
{ stdenv, lib
, fetchFromGitHub, buildLinux
, argsOverride ? {}
, modDirVersionArg ? null
, ...
} @ args:

## Kernel derivation for rotox (rockchip, ayufan mainline tree) built through
## the mobile-nixos kernel builder with a checked-in .config.
## NOTE(review): `callPackage` is not bound by the argument pattern above, and
## `yes`/`no`/`module` used in systemBuild-structuredConfig are not brought into
## scope here (the commented-out variant below used `with lib.kernel;`). As
## written this file cannot be evaluated on its own — confirm whether it is
## still in use. `stdenv`, `buildLinux`, `argsOverride` and `modDirVersionArg`
## are only referenced by the commented-out buildLinux variant.
(callPackage ./mobile-nixos/kernel/builder.nix {}) rec {
  version = "5.9.0";
  ## Full kernel .config kept in this repository, used instead of a defconfig.
  configfile = ./rotox.kernel.config;

  ## Pinned upstream tree; the sha256 fixes the exact source contents.
  src = fetchFromGitHub {
    owner = "ayufan-rock64";
    repo = "linux-mainline-kernel";
    rev = "${version}-1146-ayufan";
    sha256 = "sha256-GJneuZrgQU28/pOGU5VY5VJx+cm+8BAdnXGiOzvcaI0=";
  };
  ## NOTE(review): the `*` in the cp source path is inside double quotes, so
  ## the shell does not expand it as a glob. TODO confirm the DTBs actually
  ## end up in $out/dtbs/rockchip/.
  postInstall = ''
    echo ":: Installing FDTs"
    mkdir -p $out/dtbs/rockchip
    cp -v "$buildRoot/arch/arm64/boot/dts/rockchip/*" "$out/dtbs/rockchip/"
  '';

  isModular = false;
  isCompressed = false;

  systemBuild-structuredConfig = {
    ## platform extension
    CRYPTO_AEGIS128_SIMD = no;
    RTC_DRV_RK808 = yes;
    STAGING = yes;
    STAGING_MEDIA = yes;
    ARCH_ROCKCHIP = yes;
    VIDEO_DEV = module;
    VIDEO_V4L2 = module;
    MEDIA_CONTROLLER = yes;
    MEDIA_CONTROLLER_REQUEST_API = yes;
    VIDEO_HANTRO = module;
    VIDEO_HANTRO_ROCKCHIP = yes;
    ## platform restriction
    DRM_RADEON = no;
    DRM_AMDGPU = no;
    DRM_NOUVEAU = no;
    ## swraid nixos module needs md_mod
    # BLK_DEV_MD = module;
  };
}

# buildLinux (args // rec {
#   version = src.rev;
#   modDirVersion = "5.9.0";
#   extraMeta.branch = "ayufan";

#   # src = fetchFromGitLab {
#   #   domain = "gitlab.manjaro.org";
#   #   owner = "tsys";
#   #   repo = "linux-pinebook-pro";
#   #   rev = "c04087388bdb7d79d5202ffb91aa387e36901056";
#   #   sha256 = "0igxbq8i0z6qs1kxxxs440d1n1j5p5a26lgcn7q5k82rdjqhwpw9";
#   # };

#   src = fetchFromGitHub {
#     owner = "ayufan-rock64";
#     repo = "linux-mainline-kernel";
#     rev = "${modDirVersion}-1146-${extraMeta.branch}";
#     sha256 = "sha256-GJneuZrgQU28/pOGU5VY5VJx+cm+8BAdnXGiOzvcaI0=";
#   };

#   defconfig = "rockchip_linux_defconfig";

#   ## disable default configuration
#   # addCommonStructuredConfig = false;
#   # autoModules = true;
#   # extraPlatformConfig = "";

#   structuredExtraConfig = with lib.kernel; {
#     ## platform extension
#     CRYPTO_AEGIS128_SIMD = no;
#     RTC_DRV_RK808 = yes;
#     STAGING = yes;
#     STAGING_MEDIA = yes;
#     ARCH_ROCKCHIP = yes;
#     VIDEO_DEV = module;
#     VIDEO_V4L2 = module;
#     MEDIA_CONTROLLER = yes;
#     MEDIA_CONTROLLER_REQUEST_API = yes;
#     VIDEO_HANTRO = module;
#     VIDEO_HANTRO_ROCKCHIP = yes;
#     ## platform restriction
#     DRM_RADEON = no;
#     DRM_AMDGPU = no;
#     DRM_NOUVEAU = no;
#     ## swraid nixos module needs md_mod
#     # BLK_DEV_MD = module;
#   };
# } // argsOverride)
-------------------------------------------------------------------------------- /hetox.nix: --------------------------------------------------------------------------------
## Host configuration for hetox (bendlas.net): site identity, the autossh
## tunnel account, the pb.bendlas.net CGI endpoint with its postgres backing,
## and boot/network basics.
{ lib, pkgs, ... }:
{

  hst.site.machine = "hetox";
  hst.site.domain = "bendlas.net";
  hst.site.adminUser = "herwig";
  hst.ldap.bindUser = "ldap-bind";
  hst.matrix.adminUser = "bendlas";

  ## from when we ran gitlab
  ## overrides stateVersion
  services.postgresql.package = pkgs.postgresql_14;

  imports = [
    ./hetox/hardware-configuration.nix
    ./hetox/borgbackup.nix

    ./bendlas.net

    {
      ## Reverse-tunnel endpoint. The forced command keeps these keys from
      ## obtaining a shell, but no `restrict`/`permitopen` option is set, so
      ## port forwarding is otherwise unconstrained — consider limiting the key
      ## options to the tunnels actually needed (TODO: confirm which).
      users.users.autossh = {
        isSystemUser = true;
        openssh.authorizedKeys.keys = [
          "command=\"/usr/bin/env false\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJbkyXIY5eI+G+uK60Hensh+EmpMithyDhWQSvNOv58 autossh@rastox"
          "command=\"/usr/bin/env false\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINydu//Or1ch82XHgguSuRvlaLx+yhj6/N4BAdU0Rdj0 autossh@jellydeck"
        ];
        group = "autossh";
      };
      users.groups.autossh = {};
    }

    {
      ## pb.bendlas.net: nginx -> fcgiwrap -> CGI script -> postgres. The
      ## script is meant to run as www-data, which also owns the database of
      ## the same name (ensureDBOwnership below).
      users.users."www-data".isSystemUser = true;
      users.users."www-data".group = "www-data";
      users.groups."www-data" = {};
      services.fcgiwrap.enable = true;
      services.nginx.virtualHosts."pb.bendlas.net" = {
        forceSSL = true;
        enableACME = true;
        locations."/cgi/" = {
          alias = "${pkgs.linkFarm "cgi-bin" [{
            name = "cgi/gl_2023";
            ## Request inputs arrive only through the GET_* fastcgi params set
            ## in extraConfig below. They reach SQL as psql -v variables
            ## referenced as :'email' etc., which psql quotes as SQL literals,
            ## so the statement is not built by string concatenation. There is
            ## no length or format validation of the three values (TODO).
            ## NOTE(review): runuser needs privileges to switch user; confirm
            ## which account fcgiwrap runs as, otherwise this exits under set -eu.
            ## NOTE(review): the HTML response heredoc (`cat ...`) appears
            ## truncated in this rendering; compare against the repository.
            path = pkgs.writeScript "gl_2023.cgi" ''
              #!${pkgs.stdenv.shell}
              set -eu
              ${pkgs.util-linux}/bin/runuser -u www-data -- ${pkgs.postgresql}/bin/psql >&2 \
                -v name="$GET_NAME" \
                -v email="$GET_EMAIL" \
                -v message="$GET_MESSAGE" \
                <<< "INSERT INTO subscribers (email, name, message, campaign)
                     VALUES (:'email', :'name', :'message', 'gl_2023');"
              cat <Danke für deine Teilnahme, wir kontaktieren dich mit Neuigkeiten.

              EOF
            '';
          }]}/";
          extraConfig = ''
            include ${pkgs.nginx}/conf/fastcgi.conf;
            fastcgi_pass unix:/run/fcgiwrap.sock;
            fastcgi_param GET_EMAIL $arg_email;
            fastcgi_param GET_NAME $arg_name;
            fastcgi_param GET_MESSAGE $arg_message;
          '';
        };
      };
      services.postgresql = {
        ensureDatabases = [ "www-data" ];
        ensureUsers = [{
          name = "www-data";
          ensureDBOwnership = true;
        }];
      };
    }

  ];

  boot.loader.grub.enable = true;
  boot.loader.grub.devices = [ "/dev/sda" ];

  # networking.useDHCP = false;
  # networking.interfaces.ens3.useDHCP = true;
  # networking.nat.externalInterface = "ens3";
  hst.networking.interfaces = [ "ens3" ];

  environment.systemPackages = with pkgs; [
    # emacsBendlasNox
    emacs-nox
  ];

  system.stateVersion = "21.05"; # Did you read the comment?

}
-------------------------------------------------------------------------------- /arvitox.nix: --------------------------------------------------------------------------------
{ lib, config, pkgs, ...
}:
## arvitox: Raspberry Pi camera / USB-gadget build — wifi via iwd, bluetooth,
## USB OTG gadget kernel options and the imx477 camera overlay.
{
  # bendlas.machine = "arvitox";
  # bendlas.domain = "arvitox.local";

  require = [
    #
    {
      # networking.interfaces.wlan0.useDHCP = true;
      # services.avahi.allowInterfaces = [ "wlan0" ];
      hst.networking.mdns.impl = "avahi";
      hst.networking.interfaces = [ "wlan0" ];
      networking.wireless.iwd.enable = true;
    }
    {
      environment.systemPackages = with pkgs; [ bluez bluez-tools ];
      hardware.bluetooth.enable = true;
      # enable autoprobing of bluetooth driver
      # https://github.com/raspberrypi/linux/blob/c8c99191e1419062ac8b668956d19e788865912a/arch/arm/boot/dts/overlays/README#L222-L224
      hardware.raspberry-pi.config.all.base-dt-params.krnbt = {
        enable = true;
        value = "on";
      };
    }
    ## usb otg support
    ## see https://github.com/maxhbr/myconfig/blob/master/hosts/host.pi0/otg.nix
    ## NOTE(review): with dual-role dwc2 the board can present itself as a USB
    ## device to whatever host it is plugged into. The gadget functions below
    ## (webcam, serial) are built as modules but are not auto-loaded here —
    ## their boot.kernelModules lines are commented out.
    {
      boot.kernelPatches = [{
        name = "usb-otg";
        patch = null;
        extraConfig = ''
          USB_GADGET y
          USB_DWC2 m
          USB_DWC2_DUAL_ROLE y
        '';
      }];
      boot.kernelModules = [ "dwc2" "libcomposite" ];
      hardware.raspberry-pi.config.all.dt-overlays."dwc2" = {
        enable = true;
        params = {};
      };
    }
    {
      boot.kernelPatches = [{
        name = "usb-cam";
        patch = null;
        extraConfig = ''
          USB_G_WEBCAM m
        '';
      }];
      # boot.kernelModules = [ "g_webcam" ];
    }
    {
      boot.kernelPatches = [{
        name = "usb-serial";
        patch = null;
        extraConfig = ''
          USB_G_SERIAL m
        '';
      }];
      # boot.kernelModules = [ "g_serial" ];
    }
    # {
    #   hardware.raspberry-pi.config.all.options = {
    #     "start_x" = {
    #       enable = true;
    #       value = "1";
    #     };
    #     "gpu_mem" = {
    #       enable = true;
    #       value = "128";
    #     };
    #   };
    #   # boot.kernelModules = [ "bcm2835-v4l2" ];
    # }
    {
      ## Camera stack: imx477 sensor overlay with the fkms (not kms) display
      ## driver, plus userspace camera tools and the matching perf build.
      hardware.raspberry-pi.config.all = {
        dt-overlays."imx477" = {
          enable = true;
          params = {};
        };
        dt-overlays."vc4-kms-v3d".enable = false;
        dt-overlays."vc4-fkms-v3d" = {
          enable = true;
          params = {};
        };
        # options."start_x".enable = false;
        options."gpu_mem" = {
          enable = true;
          value = "64";
        };
      };
      environment.systemPackages = [
        pkgs.libraspberrypi
        pkgs.v4l-utils
        pkgs.libcamera
        ## rebuild
        pkgs.libcamera-apps
        # pkgs.v4l2-request-ffmpeg
        config.boot.kernelPackages.perf
      ];
    }
  ];

}
-------------------------------------------------------------------------------- /rpi3.nix: --------------------------------------------------------------------------------
## rpi3: Raspberry Pi 3 SD-card image — Pi firmware loader + U-Boot, 5.10
## kernel, audio, wifi and SSH, with a pinned Broadcom firmware overlay.
{ lib, config, pkgs, ...}:
{
  imports = [

  ];
  sdImage.firmwareSize = 128;
  boot = {
    ## Verbose console logging (kernel loglevel 7).
    consoleLogLevel = 7;
    # extraTTYs = [ "ttyAMA0" ];
    kernelPackages = pkgs.linuxPackages_5_10;
    ## mkForce: this list replaces any kernelParams contributed by other
    ## modules instead of merging with them.
    kernelParams = lib.mkForce [
      # "dwc_otg.lpm_enable=0"
      # "console=ttyAMA0,115200"
      "rootwait"
      "elevator=deadline"
      "cma=32M"
    ];
    loader = {
      grub.enable = false;
      generationsDir.enable = false;
      raspberryPi = {
        enable = true;
        version = 3;
        firmwareConfig = ''
          dtparam=audio=on
        '';
        uboot.enable = true;
      };
      # generic-extlinux-compatible.enable = true;
    };
    initrd.kernelModules = [ "vc4" "bcm2835_dma" "i2c_bcm2835" ];
  };

  sound.enable = true;
  hardware.pulseaudio.enable = true;

  nix.settings.cores = 4;

  nixpkgs.config.platform = lib.systems.platforms.aarch64-multiplatform;

  # cpufrequtils doesn't build on ARM
  # powerManagement.enable = false;

  services.openssh.enable = true;
  services.cron.enable = false;

  networking.wireless.enable = true;

  hardware.enableRedistributableFirmware = true;
  # hardware.firmware = [
  #   (pkgs.stdenv.mkDerivation {
  #     name = "broadcom-rpi3-extra";
  #     src = pkgs.fetchurl {
  #       url = "https://raw.githubusercontent.com/RPi-Distro/firmware-nonfree/54bab3d/brcm80211/brcm/brcmfmac43430-sdio.txt";
  #       sha256 = "19bmdd7w0xzybfassn7x4rb30l70vynnw3c80nlapna2k57xwbw7";
  #     };
  #     phases = [ "installPhase" ];
  #     installPhase = ''
  #       mkdir -p $out/lib/firmware/brcm
  #       cp $src $out/lib/firmware/brcm/brcmfmac43430-sdio.txt
  #     '';
  #   })
  # ];
  ## Pin the non-free firmware package to a specific RPi-Distro revision; both
  ## the source hash and the output hash fix what gets installed.
  nixpkgs.overlays = [
    (self: super: {
      firmwareLinuxNonfree = super.firmwareLinuxNonfree.overrideAttrs (old: {
        version = "2021-10-04";
        src = pkgs.fetchgit {
          url = "https://github.com/RPi-Distro/firmware-nonfree.git";
          rev = "e1c6815a98377b87e30b599d214a6bae1a72bc77";
          sha256 = "1byla332p4dic5j1w08zynxp46sa4x7f99p03pcv80x7q51b5k7s";
        };
        outputHash = "1kkdz8dz8qjz79xg4b2q7y8w2cig2n11lgjnjm8z2ja911kqzil4";
      });
    })
  ];

  ## Direct key-based root login. Access is only as strong as this single key
  ## and leaves no per-user audit trail; a normal user plus sudo is the usual
  ## alternative. (users.extraUsers is the legacy alias of users.users.)
  users.extraUsers.root.openssh.authorizedKeys.keys = [
    "ssh-rsa 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 herwig@lenotox"
  ];

  fileSystems = {
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
    };
  };

}
-------------------------------------------------------------------------------- /contox.nix: --------------------------------------------------------------------------------
## contox: QEMU guest running the valheim server (backed up to hetox via borg
## on file change) and a murmur server with an ACME certificate.
{ config, lib, modulesPath, ...
    "/var/lib/acme/acme-challenge";
  };
  ## murmur serves TLS with the ACME certificate above (readable via the
  ## manulinarium-certs group). The server password comes from an environment
  ## file outside the Nix store, so the secret is not in the world-readable
  ## store; openFirewall exposes the murmur port publicly.
  services.murmur = {
    enable = true;
    openFirewall = true;
    sslKey = "${config.security.acme.certs."manulinarium.bendlas.net".directory}/key.pem";
    sslCert = "${config.security.acme.certs."manulinarium.bendlas.net".directory}/fullchain.pem";
    # bandwidth = 558000;
    password = "$MUMBLE_PASSWORD";
    environmentFile = "/etc/secrets/mumble.env";
  };
  users.groups."manulinarium-certs".members = [ "murmur" ];

  ## contox main
  users.users.herwig.isNormalUser = true;

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
  hardware.enableRedistributableFirmware = true;

  # networking.useDHCP = false;
  # networking.interfaces.eth0.useDHCP = true;
  hst.networking.interfaces = [ "eth0" ];

  system.stateVersion = "21.11";

  ## hardware-configuration.nix
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/b79e2820-7c20-40e3-b1b5-9019df8b5560";
    fsType = "xfs";
  };

  swapDevices = [
    { device = "/dev/disk/by-uuid/ed4fd16e-5f50-41aa-8501-da7a6acf193a"; }
  ];

  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

}
-------------------------------------------------------------------------------- /oauth2-proxies.module.nix: --------------------------------------------------------------------------------
## Runs one oauth2_proxy instance per configured application, each in its own
## NixOS container with a private veth; the host NATs container traffic out
## through eth0. Addresses are assigned sequentially from two /24 prefixes.
{ config, lib, pkgs, ...

  options.bendlas.oauth2-proxies = {
    ## devMode switches the proxies to skip TLS verification towards the
    ## identity provider (see ssl-insecure-skip-verify in the let block);
    ## keep it false anywhere real credentials flow.
    devMode = mkOption {
      type = bool;
      default = false;
    };
    ## First three octets of the host-side and container-side /24s.
    hostSubnet24 = mkOption {
      type = str;
      default = "10.12.1";
    };
    localSubnet24 = mkOption {
      type = str;
      default = "10.12.2";
    };
    ## NOTE(review): no default — importing this module without setting
    ## applications makes the foldl above fail to evaluate. A `default = [];`
    ## would make the module safe to import unconditionally.
    applications = mkOption {
      type = listOf (submodule {
        options = {
          name = mkOption {
            type = str;
          };
          require = mkOption {
            type = listOf unspecified;
            default = [];
          };
          ## Merged verbatim into services.oauth2_proxy of the container.
          oauth2ProxyConfig = mkOption {
            type = attrs;
          };
        };
      });
    };
  };

  config.containers = oap.containers;

  # config.services.resolved.extraConfig = mkMerge (
  #   map (add: "DNSStubListenerExtra=${add}")
  #     oap.hostAddresses);

  ## NAT for all container veths; the external interface name is hard-coded.
  config.networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "eth0";
  };

}
-------------------------------------------------------------------------------- /vfio.module.nix: --------------------------------------------------------------------------------
## https://gist.github.com/CRTified/43b7ce84cd238673f7f24652c85980b3
## VFIO passthrough helper: IOMMU kernel parameters, vfio-pci binding of the
## listed PCI IDs, optional module blacklisting and optional ACS/i915 patches.
{ lib, pkgs, config, ...
      ++ (optionals cfg.ignoreMSRs [
        "kvm.ignore_msrs=1"
        "kvm.report_ignored_msrs=0"
      ]);

    boot.loader.grub.gfxpayloadEfi = "text";

    boot.kernelModules = [ "vfio_virqfd" "vfio_pci" "vfio_iommu_type1" "vfio" ];

    ## Same module set in the initrd so vfio-pci claims the devices before any
    ## GPU driver can bind them.
    boot.initrd.kernelModules =
      [ "vfio_virqfd" "vfio_pci" "vfio_iommu_type1" "vfio" ];
    boot.blacklistedKernelModules =
      optionals cfg.blacklistNvidia [ "nvidia" "nouveau" ];

    ## Out-of-tree patches fetched from a pinned tag; the sha256 values pin the
    ## exact patch contents. NOTE(review): `acscommit` in the let block is only
    ## referenced by the commented-out AUR URLs and is otherwise unused.
    boot.kernelPatches = optionals cfg.applyACSpatch [
      {
        name = "add-acs-overrides";
        patch = pkgs.fetchurl {
          name = "add-acs-overrides.patch";
          url =
            "https://raw.githubusercontent.com/slowbro/linux-vfio/v5.5.4-arch1/add-acs-overrides.patch";
          #url =
          #  "https://aur.archlinux.org/cgit/aur.git/plain/add-acs-overrides.patch?h=linux-vfio&id=${acscommit}";
          sha256 = "0nbmc5bwv7pl84l1mfhacvyp8vnzwhar0ahqgckvmzlhgf1n1bii";
        };
      }
      {
        name = "i915-vga-arbiter";
        patch = pkgs.fetchurl {
          name = "i915-vga-arbiter.patch";
          url =
            "https://raw.githubusercontent.com/slowbro/linux-vfio/v5.5.4-arch1/i915-vga-arbiter.patch";
          #url =
          #  "https://aur.archlinux.org/cgit/aur.git/plain/i915-vga-arbiter.patch?h=linux-vfio&id=${acscommit}";
          sha256 = "1m5nn9pfkf685g31y31ip70jv61sblvxgskqn8a0ca60mmr38krk";
        };
      }
    ];
  };
}
-------------------------------------------------------------------------------- /keycloak.module.nix: --------------------------------------------------------------------------------
## Keycloak behind nginx with an oauth2_proxy (keycloak-oidc) protecting
## /protected/ via auth_request. Hostnames are raw private IPs and several
## settings below are test-grade (see the NOTE(review) comments).
{ config, pkgs, ...
}:
let
  keycloakHostname = "10.233.1.2";
  keycloakPath = "/auth";
  keycloakRealm = "heterodoxnews";
  oapHostname = "10.233.1.2";
  oapPath = "/oauth2";
in {
  services.nginx = {
    enable = true;
    # package = pkgs.openresty;

    # enable recommended settings
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      ## NOTE(review): the vhost name is a private IP address; public ACME
      ## issuance for it will not succeed — presumably a local test setup
      ## (the commented sslCertificate lines below point the same way).
      "${config.services.keycloak.settings.hostname}" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "${keycloakPath}/" = {
            proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}${keycloakPath}/";
            extraConfig = ''
              proxy_busy_buffers_size 512k;
              proxy_buffers 4 512k;
              proxy_buffer_size 256k;
            '';
          };
          "${oapPath}/" = {
            proxyPass = config.services.oauth2_proxy.nginx.proxy;
            extraConfig = ''
              proxy_set_header X-Scheme $scheme;
              proxy_set_header X-Auth-Request-Redirect $request_uri;

              proxy_busy_buffers_size 512k;
              proxy_buffers 4 512k;
              proxy_buffer_size 256k;
            '';
          };
          ## NOTE(review): serves a directory listing of /tmp to every identity
          ## the proxy accepts (email.domains = [ "*" ] below). Test-only; point
          ## alias at a dedicated directory before any real use.
          "/protected/" = {
            alias = "/tmp/";
            extraConfig = ''
              autoindex on;

              auth_request ${oapPath}/auth;
              error_page 401 = ${oapPath}/start;

              # pass information via X-User and X-Email headers to backend,
              # requires running with --set-xauthrequest flag
              auth_request_set $user $upstream_http_x_auth_request_user;
              auth_request_set $email $upstream_http_x_auth_request_email;
              proxy_set_header X-User $user;
              proxy_set_header X-Email $email;

              # if you enabled --cookie-refresh, this is needed for it to work with auth_request
              auth_request_set $auth_cookie $upstream_http_set_cookie;
              add_header Set-Cookie $auth_cookie;
            '';
          };
        };
      };
    };
  };

  services.keycloak = {
    enable = true;
    # sslCertificateKey = "${./kc-key.pem}";
    # sslCertificate = "${./kc-cert.pem}";
    ## settings.hostname = "${config.bendlas.machine}.local";
    settings.hostname = keycloakHostname;
    settings.http-port = 38080;
    ## TLS is terminated by nginx; keycloak trusts the forwarded scheme.
    settings.proxy = "edge";
    settings.http-relative-path = keycloakPath;
    ## NOTE(review): pkgs.writeText puts the database password into the
    ## world-readable Nix store. Use a file outside the store (root-owned,
    ## deployed out of band) for anything beyond local testing.
    database.passwordFile = "${pkgs.writeText "pass" "foobar"}";
  };

  services.oauth2_proxy = {
    enable = true;
    cookie.secure = true;
    ## NOTE(review): httpOnly = false lets page scripts read the session
    ## cookie; the default (true) is the safer choice unless a client-side
    ## consumer actually needs it.
    cookie.httpOnly = false;
    ## Any email the provider returns is accepted; authorization is delegated
    ## entirely to the keycloak realm.
    email.domains = [ "*" ];
    provider = "keycloak-oidc";
    redirectURL = "https://${oapHostname}${oapPath}/callback";
    extraConfig.oidc-issuer-url = "https://${keycloakHostname}${keycloakPath}/realms/${keycloakRealm}";

    # scope = "openid read_user email";
    # loginURL = "https://git.bendlas.net/oauth/authorize";
    # redeemURL = "https://git.bendlas.net/oauth/token";
    # validateURL = "https://git.bendlas.net/api/v4/user";
    # reverseProxy = true;
    ## NOTE(review): no keyFile / client or cookie secret is visible in this
    ## file; presumably supplied by another module — confirm.
    # keyFile = "/etc/oauth2_proxy-secrets";

    # extraConfig.oidc-issuer-url = "https://git.bendlas.net";
    setXauthrequest = true;
  };
  systemd.services.oauth2_proxy.serviceConfig = {
    ## make sure that restart rate limiting doesn't permanently disable oauth2_proxy
    ## introduce pause before restarting
    RestartSec = 3;
    ## disable restart rate limiting
    ## NOTE(review): StartLimitIntervalSec is documented as a [Unit] setting;
    ## confirm systemd honours it under serviceConfig (unitConfig is the
    ## documented place).
    StartLimitIntervalSec = 0;
  };
  users.groups.oauth2_proxy = {};
  users.users.oauth2_proxy.group = "oauth2_proxy";

}
-------------------------------------------------------------------------------- /microvms/test.nix: --------------------------------------------------------------------------------
## Test MicroVM definition: shares the host nix store and a data directory
## via virtiofs, attaches a tap interface and pulls in the shared host-shell
## modules. Contains test-grade credentials (see NOTE(review) below).
{ lib, inputs, ... }:
{
  imports = [{
    microvm.vms.test = {
      ## The package set to use for the microvm. This also determines the microvm's architecture.
      ## Defaults to the host system's package set if not given.
      # pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
      # inherit pkgs;

      # (Optional) A set of special arguments to be passed to the MicroVM's NixOS modules.
      #specialArgs = {};

      config = {
        ## It is highly recommended to share the host's nix-store
        ## with the VMs to prevent building huge images.
        microvm.shares = [{
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
          tag = "ro-store";
          proto = "virtiofs";
        } {
          ## Host data directory exposed read/write to the guest.
          source = "/var/lib/spinning-rust";
          mountPoint = "/var/lib/spinning-rust";
          tag = "spinning-rust";
          proto = "virtiofs";
        }];

        microvm.qemu.extraArgs = [
          ## harddisk mounts
          # "-drive" "format=raw,file=/dev/disk/by-id/ata-ST3000DM001-1CH166_Z1F0Y011,if=virtio,cache=none,aio=native"
          # "-drive" "format=raw,file=/dev/disk/by-id/ata-ST3000DM001-1CH166_Z1F1QSSW,if=virtio,cache=none,aio=native"
          # "-drive" "format=raw,file=/dev/disk/by-id/ata-ST3000DM001_Z1F1R124,if=virtio,cache=none,aio=native"
        ];

        require = [
          ## shared modules
          inputs.host-shell.nixosModules.core
          inputs.host-shell.nixosModules.networking
          ../bendlas-access.module.nix
          ## zfs [disabled]
          # ../zfs.nix
          { networking.hostId = "2c42bec5"; }
          ## basic config
          {
            ## NOTE(review): plaintext root password, stored in the Nix store
            ## and valid on a VM that has a tap interface on the host network.
            ## Acceptable only for a throwaway test VM; use hashedPasswordFile
            ## or keys otherwise.
            users.users.root.password = "root";
            # Host MicroVM settings
            microvm = {
              mem = 8192;
              vcpu = 8;
            };
            ## pkgs is inherited from host
            nixpkgs.config = lib.mkForce { };
            ## host shell
            hst.site.machine = "test-vm";
            hst.folders.nixos-config = inputs.host-shell.gitignore.lib.gitignoreSource ./.;
            hst.folders.nixpkgs = inputs.nixpkgs.sourceInfo.outPath;
          }
          ## networking config
          {
            microvm.interfaces = [ {
              type = "tap";
              # interface name on the host
              id = "vm-a1";
              # Ethernet address of the MicroVM's interface, not the host's
              # Locally administered have one of 2/6/A/E in the second nibble.
              mac = "02:00:00:00:00:01";
            } ];

            # networking.useNetworkd = false;
            # networking.useDHCP = false;

            # services.avahi.allowInterfaces = [ "enp0s3" ];
            # networking.interfaces.enp0s3.useDHCP = true;
            hst.networking.interfaces = [ "enp0s4" ];

            # networking.firewall.enable = false;


            # networking.defaultGateway.interface = "enp0s3";
            # networking.defaultGateway.address = "10.0.0.1";
            # networking.defaultGateway6.interface = "enp0s3";
            # networking.defaultGateway6.address = "fd12:3456:789a::1";
            # networking.nameservers = [
            #   "8.8.8.8"
            # ];
            # networking.interfaces."enp0s3".ipv4 = {
            #   addresses = [{ address = "10.0.0.32";
            #                  prefixLength = 24; }];
            # };
            # networking.interfaces."enp0s3".ipv6 = {
            #   addresses = [{ address = "fd12:3456:789a::32/64";
            #                  prefixLength = 64; }];
            # };

          }
          # {
          #   microvm.qemu.extraArgs = [
          #     "-monitor" "telnet::45454,server,nowait"
          #   ];
          #   services.getty.autologinUser = "root";
          # }
        ];
        # Any other configuration for your MicroVM
        # [...]
      };
    };

  }];
}
-------------------------------------------------------------------------------- /vfio/module2.nix: --------------------------------------------------------------------------------
## libvirt qemu hooks that hand a GPU over to the VM named by hst.vfio.vmName
## on start and give it back on stop (display manager, VT consoles, EFI fb,
## kernel modules, virsh nodedev detach/reattach).
{ config, lib, pkgs, ...
}:
let
  ## Both hooks are invoked by libvirtd (as root) with the hook arguments
  ## "<vm name> <operation> <sub-operation> ..."; the guard on $1:$2:$3 makes
  ## them act only for the configured VM and phase. cfg.onStart / cfg.onStop
  ## are spliced in verbatim and therefore also run as root.
  start-script = pkgs.writeShellScript "vfio-pci-start" (''
    set -eu

    if [ "$1:$2:$3" != "${cfg.vmName}:prepare:begin" ]
    then exit 0
    fi

    # Debugging
    # exec 19>/home/owner/Desktop/startlogfile
    # BASH_XTRACEFD=19
    # set -x

    # Stop display manager
    ${pkgs.systemd}/bin/systemctl stop display-manager.service

    # Unbind VTconsoles
    echo 0 > /sys/class/vtconsole/vtcon0/bind
    echo 0 > /sys/class/vtconsole/vtcon1/bind

  '' + lib.optionalString (cfg.gpuFlavor == "nvidia") ''
    # Unbind EFI Framebuffer
    echo efi-framebuffer.0 > /sys/bus/platform/drivers/efi-framebuffer/unbind

  '' + ''
    # Avoid race condition
    sleep 5

    # Unload GPU kernel modules
    ${pkgs.kmod}/bin/modprobe -r ${toString cfg.gpuKernelModules}

    # Detach GPU devices from host
    for id in ${toString cfg.virshNodedevIds}
    do ${pkgs.libvirt}/bin/virsh nodedev-detach $id
    done

    ## Load vfio module
    # ${pkgs.kmod}/bin/modprobe vfio-pci

    ${cfg.onStart}
  '');
  ## Mirror image of start-script, run at the release/end phase.
  stop-script = pkgs.writeShellScript "vfio-pci-stop" (''
    set -eu

    if [ "$1:$2:$3" != "${cfg.vmName}:release:end" ]
    then exit 0
    fi

    # Debugging
    # exec 19>/home/owner/Desktop/startlogfile
    # BASH_XTRACEFD=19
    # set -x

    # Unload vfio module
    # ${pkgs.kmod}/bin/modprobe -r vfio-pci

    # Attach GPU devices from host
    for id in ${toString cfg.virshNodedevIds}
    do ${pkgs.libvirt}/bin/virsh nodedev-reattach $id
    done

    # Load GPU kernel modules
    ${pkgs.kmod}/bin/modprobe ${toString cfg.gpuKernelModules}

    # Avoid race condition
    sleep 5

  '' + lib.optionalString (cfg.gpuFlavor == "nvidia") ''
    # Bind EFI Framebuffer
    echo efi-framebuffer.0 > /sys/bus/platform/drivers/efi-framebuffer/bind

  '' + ''
    # Bind VTconsoles
    echo 1 > /sys/class/vtconsole/vtcon0/bind
    echo 1 > /sys/class/vtconsole/vtcon1/bind

    # Start display manager
    ${pkgs.systemd}/bin/systemctl start display-manager.service

    ${cfg.onStop}
  '');
  cfg = config.hst.vfio;
in {
  ## vmName, cpuFlavor, gpuFlavor and virshNodedevIds have no defaults and
  ## must be set by the importing host.
  options.hst.vfio = with lib; with types; {
    vmName = mkOption {
      type = str;
    };
    cpuFlavor = mkOption {
      type = enum [ "intel" "amd" ];
    };
    gpuFlavor = mkOption {
      type = enum [ "nvidia" "amd" ];
    };
    ## Modules unloaded before handing the GPU to the guest and reloaded after.
    gpuKernelModules = mkOption {
      type = listOf str;
      default =
        if cfg.gpuFlavor == "nvidia"
        then [ "nvidia_drm" "nvidia_modeset" "nvidia_uvm" "nvidia" ]
        else [ "amdgpu" ];
    };
    ## virsh nodedev names (pci_0000_xx_yy_z form) passed to nodedev-detach.
    virshNodedevIds = mkOption {
      type = listOf str;
    };
    # deviceIds = mkOption {
    #   type = listOf str;
    # };
    ## Extra shell appended to the start/stop hooks; runs as root.
    onStart = mkOption {
      type = lines;
      default = "";
    };
    onStop = mkOption {
      type = lines;
      default = "";
    };
  };
  ## NOTE(review): `imports` is resolved before `config` is fixed, and mkIf
  ## values are not modules; making the list depend on cfg.cpuFlavor will
  ## typically end in infinite recursion. Moving these into
  ## `config = lib.mkMerge [ (lib.mkIf ...) ... ]` is the usual shape — confirm.
  imports = [(lib.mkIf ("intel" == cfg.cpuFlavor) {
    boot.kernelParams = [ "intel_iommu=on" ];
    boot.kernelModules = [ "kvm-intel" ];
  })(lib.mkIf ("amd" == cfg.cpuFlavor) {
    boot.kernelParams = [ "amd_iommu=on" ];
    boot.kernelModules = [ "kvm-amd" ];
  }){
    boot.kernelParams = [ "iommu=pt" "pci=realloc" ];
    boot.kernelModules = [ "vfio-pci" ];
  }{
    virtualisation.libvirtd = {
      enable = true;
      hooks.qemu."${cfg.vmName}-start" = start-script;
      hooks.qemu."${cfg.vmName}-stop" = stop-script;
    };
  # }{
  #   systemd.services.libvirtd.path = pkgs.buildEnv {
  #     name = "qemu-hook-env";
  #     paths = with pkgs; [
  #       # bash
  #       # libvirt
  #       # kmod
  #       # systemd
  #       # ripgrep
  #       # sd
  #     ];
  #   };
  # }{
  #   systemd.services.libvirtd.preStart = ''
  #     mkdir -p /var/lib/libvirt/hooks
  #     ln -sf ${./kvm.conf} /var/lib/libvirt/hooks/kvm.conf
  #   '';
  }];
}
--------------------------------------------------------------------------------
/pitax.nix:
--------------------------------------------------------------------------------
# Host "pitax": an aarch64 handheld booted through extlinux, running
# Plasma Mobile with SDDM auto-login.  Site identity and the interface
# trust list come from the repository's custom `hst.*` options.
{ config, lib, ... }:
{
  hst.site = {
    machine = "pitax";
    domain = "bendlas.local";
    adminUser = "herwig";
  };
  system.stateVersion = "23.11";

  # Nothing is imported at the moment; the shell/package override is kept
  # as a commented alternative.
  imports = [
    # ({ pkgs, ... }: {
    #   users.users.herwig.shell = "/run/current-system/sw/bin/nu";
    #   environment.systemPackages = with pkgs; [
    #     ungoogled-chromium nushell
    #   ];
    # })
  ];

  # Deliberately empty: the Steam account and the uid override are off.
  users.extraUsers = {
    # "steam" = {
    #   description = "Steam OS";
    #   isNormalUser = true;
    #   uid = 1000;
    # };
    # ## conflict with bendlas.module
    # "herwig".uid = lib.mkForce 1001;
  };

  # jovian.devices.steamdeck.enable = true;
  # jovian.steam.user = "steam";

  ## This means that using the Switch to Desktop function in Gaming
  ## Mode will relaunch Gaming Mode.
  ## Set jovian.steam.desktopSession to the name of a desktop session, or
  ## "steam-wayland" to keep this behavior.

  # jovian.steam.desktopSession = "phosh";
  # jovian.steam.desktopSession = "plasma-mobile";
  # hardware.pulseaudio.enable = lib.mkForce false;
  # services.physlock.enable = false;

  # services.xserver = {
  #   enable = true;
  #   displayManager.gdm.enable = true;
  #   displayManager.gdm.autoSuspend = true;
  #   displayManager.gdm.wayland = true;
  #   desktopManager.gnome.enable = true;
  # };

  # # services.xserver.enable = true;
  # services.xserver.desktopManager = {
  #   gnome.enable = true;
  #   phosh = {
  #     enable = true;
  #     user = "steam";
  #     group = "users";
  #   };
  # };
  # ## disable tracker and tracker-miner
  # ## to prevent tracker-miner from consuming 100% CPU
  # services.gnome = {
  #   tracker-miners.enable = false;
  #   tracker.enable = false;
  # };

  # services.xserver.displayManager.sddm.settings.General.InputMethod = "qtvirtualkeyboard";

  # jovian.steam.desktopSession = "plasma";
  # services.xserver.enable = true;
  # NOTE(review): this host still uses the services.xserver.displayManager.*
  # namespace while stidox.nix uses services.displayManager.*; keep both
  # hosts on the same one once the nixpkgs pin is known.
  services.xserver = {
    displayManager = {
      sddm = {
        enable = true;
        # SDDM itself runs on X11 here.
        wayland.enable = false;
        settings.General.InputMethod = "qtvirtualkeyboard";
      };
      # Security note: the console session opens without a credential
      # prompt, as the very account hst.site.adminUser names.  Whoever holds
      # the powered-on device gets that session; confirm that is the intended
      # trust model for this handheld.
      autoLogin = {
        enable = true;
        user = "herwig";
      };
      # defaultSession = "plasma-mobile";
    };
    # ## to make the steam keyboard work in desktop mode
    # services.xserver.displayManager.sddm.wayland.enable = false;
    desktopManager.plasma5 = {
      # enable = true;
      mobile.enable = true;
      # mobile.installRecommendedSoftware = true;
      runUsingSystemd = true;
      # useQTScaling = true;
    };
  };
  hardware.pulseaudio.enable = lib.mkForce false;

  # services.avahi.allowInterfaces = [ "enp4s0f3u1u4" "wlan0" ];
  # NOTE(review): what listing an interface in hst.networking.interfaces
  # grants (avahi/firewall exposure?) is defined by that module, not here.
  # enu1u4 looks like a USB NIC from its name; it is excluded from
  # wait-online so boot does not block on it being plugged in.
  hst.networking.interfaces = [ "enu1u4" "wlan0" ];
  systemd.network.wait-online.ignoredInterfaces = [ "enu1u4" ];

  nixpkgs.config.allowUnfree = true;

  ## hardware config

  # imports =
  #   [ (modulesPath + "/installer/scan/not-detected.nix")
  #   ];

  # boot.loader.grub.devices = [ "/dev/null" ];
  # boot.loader = {
  #   systemd-boot.enable = true;
  #   efi.canTouchEfiVariables = true;
  # };

  boot = {
    # extlinux-style boot, no GRUB on this board.
    loader = {
      grub.enable = false;
      generic-extlinux-compatible.enable = true;
    };
    initrd.availableKernelModules = [ ];
    initrd.kernelModules = [ ];
    kernelModules = [ ];
    extraModulePackages = [ ];
    # NOTE(review): this resume UUID is the one of the commented-out swap
    # device below; with no swapDevices entry, confirm hibernation is still
    # expected to work here, otherwise drop the parameter.
    kernelParams = [ "resume=UUID=63c5b8e8-1a3d-4f68-906e-f9db1a2edcfe" ];
  };

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/98160087-3e5f-4a40-879a-5fc1bcb5730b";
    fsType = "ext4";
  };

  # swapDevices = [{
  #   device = "/dev/disk/by-uuid/63c5b8e8-1a3d-4f68-906e-f9db1a2edcfe";
  # }];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
  networking.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
  # hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

}
--------------------------------------------------------------------------------
/pinox.nix:
--------------------------------------------------------------------------------
{ lib, pkgs, config, ...
}:
# Host "pinox": a mobile-nixos phone.  Root plus an extra "/sdcard" ext4
# volume; waydroid's state lives on the card through a bind mount.  Site
# identity comes from the repository's custom `hst.*` options.
{
  hst.site = {
    machine = "pinox";
    domain = "bendlas.local";
    adminUser = "herwig";
  };

  # mobile-nixos writes its bootloader to this partition.
  mobile-nixos.install-bootloader = {
    enable = true;
    target = "/dev/mmcblk2p3";
  };

  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/95ae60eb-2058-431b-b566-51542172d1b0";
      fsType = "ext4";
    };
    "/sdcard" = {
      device = "/dev/disk/by-uuid/ee8b2efa-17f4-4248-9e11-010937e2f458";
      fsType = "ext4";
    };
    # Bind mount so the Android image stays on the card; `depends` orders
    # it after the sdcard mount.
    "/var/lib/waydroid" = {
      depends = [ "/sdcard" ];
      device = "/sdcard/var/lib/waydroid";
      options = [ "bind" ];
    };
  };

  swapDevices = [{
    device = "/dev/disk/by-uuid/f3cb75f2-6045-4a40-b81b-075f0daf4328";
  }];

  # The single interactive account.  Group membership is the privilege
  # boundary on this device; the inline note documents why dialout is
  # needed.
  users.users.herwig = {
    isNormalUser = true;
    home = "/home/herwig";
    createHome = true;
    extraGroups = [
      "networkmanager"
      "video"
      "feedbackd"
      "dialout" # required for modem access
    ];
    uid = 1000;
  };

  # "desktop" environment configuration
  powerManagement.enable = true;
  hardware.opengl.enable = true;

  services = {
    locate.enable = false;
    # Flatpak adds a second, distro-independent software source.
    flatpak.enable = true;
    geoclue2.enable = true;
  };
  # The location service user needs network state for geolocation.
  users.users.geoclue.extraGroups = [ "networkmanager" ];

  programs = {
    calls.enable = true;
    xwayland.enable = true;
  };

  hst.networking.interfaces = [ "wlan0" ];
  # services.avahi.allowInterfaces = [ "wlan0" ];

  environment.systemPackages = with pkgs; [
    # (kgx.override { genericBranding = true; })
    kgx

    chatty megapixels firefox-mobile

    tdesktop # signal-desktop ## not yet available on aarch64

    # (chromium.override {
    #   enableWideVine = false;
    #   # commandLineArgs = "--ozone-platform-hint=wayland";
    #   # --enable-features=VaapiVideoDecoder --ozone-platform-hint=auto --process-per-site
    # })
  ];

  ## may not be necessary with recent kernel
  environment.etc."machine-info".text = lib.mkDefault ''
    CHASSIS="handset"
  '';

  ##########################################################################
  ## networking, modem and misc.
  ##########################################################################

  # FIXME : configure usb rndis through networkmanager in the future.
  # Currently this relies on stage-1 having configured it.
  # NOTE(review): these USB gadget links are therefore outside
  # NetworkManager's control; whatever stage-1 set up on them (addresses,
  # listeners) persists unmanaged after boot.
  networking.networkmanager.unmanaged = [ "rndis0" "usb0" ];

  # Setup USB gadget networking in initrd...
  # mobile.boot.stage-1.networking.enable = lib.mkDefault true;

  # Bluetooth
  hardware.bluetooth.enable = true;
  mobile.boot.stage-1.firmware = [
    config.mobile.device.firmware
  ];
  # Accelerometer
  hardware.sensor.iio.enable = true;
  hardware.firmware = [
    config.mobile.device.firmware
    # pkgs.firmwareLinuxNonfree
  ];

  # ====

  ##########################################################################
  # default quirks
  ##########################################################################

  # Ensures this demo rootfs is useable for platforms requiring FBIOPAN_DISPLAY.
  #mobile.quirks.fb-refresher.enable = true;

  # Okay, systemd-udev-settle times out... no idea why yet...
  # Though, it seems fine to simply disable it.
  # FIXME : figure out why systemd-udev-settle doesn't work.
  #systemd.services.systemd-udev-settle.enable = false;

  # Force userdata for the target partition. It is assumed it will not
  # fit in the `system` partition.
  #mobile.system.android.system_partition_destination = "userdata";

  ##########################################################################
  ## misc "system"
  ##########################################################################

  ## No mutable users. This requires us to set passwords with hashedPassword.
  # users.mutableUsers = false;

  # Garbage collection left at the defaults (no automatic gc).
  nix.gc = {
    # automatic = true;
    # options = "--delete-older-than 8d";
  };

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "22.11";

}
--------------------------------------------------------------------------------
/stidox.nix:
--------------------------------------------------------------------------------
# Host "stidox": a Steam Deck (jovian-nixos).  Gaming mode auto-logs in the
# dedicated "steam" account; Plasma is the desktop session.
{ config, lib, ... }:
{
  hst.site = {
    machine = "stidox";
    domain = "bendlas.local";
    adminUser = "herwig";
  };
  system.stateVersion = "23.05";

  imports = [
    ({ pkgs, ... }: {
      users.users.herwig.shell = "/run/current-system/sw/bin/nu";
      environment.systemPackages = with pkgs; [
        ungoogled-chromium nushell plymouth
      ];
    })
    # amdgpu vsync
    {
      services.xserver.deviceSection = ''
        Option "TearFree" "true"
      '';
    }
  ];

  users.extraUsers = {
    # Account that Steam's gaming mode runs as (see jovian.steam.user).
    "steam" = {
      description = "Steam OS";
      isNormalUser = true;
      uid = 1000;
    };
    ## conflict with bendlas.module
    "herwig".uid = lib.mkForce 1001;
  };

  jovian.devices.steamdeck.enable = true;
  jovian.steam.user = "steam";

  ## This means that using the Switch to Desktop function in Gaming
  ## Mode will relaunch Gaming Mode.
  ## Set jovian.steam.desktopSession to the name of a desktop session, or
  ## "steam-wayland" to keep this behavior.

  # jovian.steam.desktopSession = "phosh";
  # jovian.steam.desktopSession = "plasma-mobile";
  hardware.pulseaudio.enable = lib.mkForce false;
  # Security note: with physlock off and SDDM auto-login below, nothing on
  # this device asks for a credential at the console; the "steam" account is
  # open to whoever holds the hardware (console-appliance model).
  services.physlock.enable = false;

  hardware.bluetooth.enable = true;

  # services.xserver = {
  #   enable = true;
  #   displayManager.gdm.enable = true;
  #   displayManager.gdm.autoSuspend = true;
  #   displayManager.gdm.wayland = true;
  #   desktopManager.gnome.enable = true;
  # };

  # # services.xserver.enable = true;
  # services.xserver.desktopManager = {
  #   gnome.enable = true;
  #   phosh = {
  #     enable = true;
  #     user = "steam";
  #     group = "users";
  #   };
  # };
  # ## disable tracker and tracker-miner
  # ## to prevent tracker-miner from consuming 100% CPU
  # services.gnome = {
  #   tracker-miners.enable = false;
  #   tracker.enable = false;
  # };

  # services.xserver.displayManager.sddm.settings.General.InputMethod = "qtvirtualkeyboard";

  jovian.steam.desktopSession = "plasma";
  # services.xserver.enable = true;
  # NOTE(review): this host uses the services.displayManager.* namespace
  # while pitax.nix uses services.xserver.displayManager.*; keep both on
  # the same one once the nixpkgs pin is known.
  services.displayManager = {
    sddm = {
      # enable = true;
      wayland.enable = false;
      settings.General.InputMethod = "qtvirtualkeyboard";
    };
    autoLogin = {
      enable = true;
      user = "steam";
    };
    # defaultSession = "plasma-mobile";
  };

  # ## to make the steam keyboard work in desktop mode
  # services.xserver.displayManager.sddm.wayland.enable = false;
  services.xserver.desktopManager.plasma5 = {
    enable = true;
    # mobile.enable = true;
    # mobile.installRecommendedSoftware = true;
    # runUsingSystemd = true;
    # useQTScaling = true;
  };

  # services.avahi.allowInterfaces = [ "enp4s0f3u1u4" "wlan0" ];
  hst.networking.interfaces = [ "enp4s0f3u1u4" "wlan0" ];
  systemd.network.wait-online.ignoredInterfaces = [ "enp4s0f3u1u4" ];

  nixpkgs.config.allowUnfree = true;

  ## hardware config

  # imports =
  #   [ (modulesPath + "/installer/scan/not-detected.nix")
  #   ];

  # boot.loader.grub.devices = [ "/dev/null" ];
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" "bcache" ];
    initrd.kernelModules = [ ];
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
    # Resume target is the swap partition declared below.
    kernelParams = [ "resume=UUID=7d671396-8626-49da-adc9-6e8164742c9c" ];
  };

  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/f20d1500-4315-48e1-b77a-5d5f626e9660";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/5597-65F0";
      fsType = "vfat";
    };
  };

  swapDevices = [
    { device = "/dev/disk/by-uuid/7d671396-8626-49da-adc9-6e8164742c9c"; }
  ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
  networking.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

}
--------------------------------------------------------------------------------
/scheltopusix.nix:
--------------------------------------------------------------------------------
{ inputs, config, pkgs, lib, ...
}:

# Host "scheltopusix": an AMD workstation and VM host.  Root is a
# multi-device bcachefs volume; libvirt with swtpm and OVMF, binfmt for
# aarch64 and a DLNA server are pulled in through the `require` list.
{
  hst.site = {
    machine = "scheltopusix";
    domain = "bendlas.local";
    adminUser = "herwig";
  };
  system.stateVersion = "23.05";

  require = [

    ./docker.module.nix

    { boot.kernelPackages = pkgs.linuxPackages_latest; }

    { programs.systemtap.enable = true; }

    # Security note: openFirewall opens the DLNA/UPnP ports in the host
    # firewall, so whatever this server exports is reachable by every host
    # those ports are open to.
    {
      services.mediatomb = {
        enable = true;
        openFirewall = true;
        uuid = "e5cc884e-174c-4fa9-b8c7-90afa716f0a7";
        serverName = "Scheltopusix";
      };
    }

    # VM host: libvirt with a software TPM and OVMF (UEFI) firmware.
    {
      virtualisation.spiceUSBRedirection.enable = true;
      virtualisation.libvirtd = {
        enable = true;
        qemu.swtpm.enable = true;
        # qemu.ovmf.enable = true;
        # qemu.ovmf.package = pkgs.OVMFFull;
        qemu.ovmf.enable = true;
        qemu.ovmf.packages = [ pkgs.OVMFFull.fd ];
      };
      environment.systemPackages = [ pkgs.swtpm ];
      # Expose the Secure Boot code image and its vars template from the
      # libvirt qemu package under stable /etc paths for VM definitions
      # (QEMU ships the i386 vars image as the template for x86_64 too).
      environment.etc = {
        "ovmf/edk2-x86_64-secure-code.fd".source =
          config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-x86_64-secure-code.fd";
        "ovmf/edk2-i386-vars.fd".source =
          config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-i386-vars.fd";
      };
    }

    # {
    #   # BG3 ports
    #   networking.firewall.allowedTCPPorts = [27015 27036];
    #   networking.firewall.allowedUDPPorts = [27015 27031 27032 27033 27034 27035 27036];
    # }

    # Run foreign aarch64 binaries via qemu-user (presumably for building
    # the aarch64 hosts in this repo).
    { boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; }

    ## dunno ..
    # { hardware.bluetooth.settings.General.MultiProfile = "multiple"; }

    {
      # networking = {
      #   bridges.br0.interfaces = [ "eno1" "eno2" ];
      #   interfaces.br0.macAddress = "F3:DF:D9:20:85:F2";
      #   interfaces.br0.useDHCP = true;
      # };
      # services.avahi.allowInterfaces = [ "br0" ];

      # services.avahi.allowInterfaces = [ "eno2" ];
      # networking.interfaces.eno2.useDHCP = true;
      hst.networking.interfaces = [ "eno2" ];

      # environment.etc."qemu/bridge.conf".text = ''
      #   allow br0
      # '';
    }

    # GPU: amdgpu with ROCm OpenCL and AMDVLK (64- and 32-bit).
    {
      hardware.opengl = {
        enable = true;
        driSupport = true;
        driSupport32Bit = true;
        extraPackages = with pkgs; [
          ## amdgpu opencl
          rocmPackages.clr
          rocmPackages.clr.icd
          ## open source vulcan
          amdvlk
          ## TODO
          # mesa-vdpau
          # libva-mesa-driver
        ];
        extraPackages32 = with pkgs; [
          driversi686Linux.amdvlk
        ];
      };
      boot.initrd.kernelModules = [ "amdgpu" ];
      services.xserver.videoDrivers = [ "amdgpu" "vesa" ];
    }

  ];

  # Build box: many parallel jobs/cores and a large build-user pool.
  nix = {
    nrBuildUsers = 128;
    settings = {
      max-jobs = 16;
      cores = 32;
    };
    extraOptions = ''
      binary-caches-parallel-connections = 96
      gc-keep-outputs = true
      gc-keep-derivations = true
    '';
  };

  hardware.enableRedistributableFirmware = true;

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    supportedFilesystems = [ "bcachefs" ];
    # NOTE(review): "bcache" (the block-cache layer) is a different module
    # from bcachefs; confirm it is still wanted in the initrd.
    initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "bcache" ];
    initrd.kernelModules = [ ];
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
    ## only one resume partition
    ## https://unix.stackexchange.com/questions/341922/linux-resume-when-using-multiple-swap-partitions/452385#452385
    ## use the lower-prio swap for hibernate
    # Matches the second swapDevices entry below.
    kernelParams = [ "resume=UUID=c2e473de-e171-4521-b66c-3864952bd602" ];
    # postBootCommands = ''
    #   mount -o remount,ro,bind,noatime,discard,metadata_replicas=1,data_replicas=1 /nix/store
    # '';
  };

  fileSystems = {
    # Four-device bcachefs pool (two NVMe, two SATA), addressed by stable
    # by-id paths joined with ":" as bcachefs multi-device mounts expect.
    "/" = {
      device = lib.concatStringsSep ":" [
        "/dev/disk/by-id/nvme-eui.002538b431bf8b3c-part3"
        "/dev/disk/by-id/nvme-eui.002538b531a35bd8-part2"
        "/dev/disk/by-id/ata-WDC_WD20EFAX-68FB5N0_WD-WX21AC9HA39A"
        "/dev/disk/by-id/ata-WDC_WD20EFAX-68FB5N0_WD-WXJ1A99FF47N"
      ];
      fsType = "bcachefs";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/D5D7-5925";
      fsType = "vfat";
    };
  };

  swapDevices = [
    { device = "/dev/disk/by-uuid/1d62ba19-4f5b-458a-82a4-0a04c0ebcd69"; }
    { device = "/dev/disk/by-uuid/c2e473de-e171-4521-b66c-3864952bd602"; }
  ];

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

}
--------------------------------------------------------------------------------
/nextcloud.module.nix:
--------------------------------------------------------------------------------
{ config, pkgs, ...
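}:
# Nextcloud behind Authelia (OIDC).  The cloud.<domain> vhost is gated by
# an Authelia one_factor rule, local logins are disabled in favour of the
# oidc_login app, and the OIDC client secret is provisioned at activation
# from the hst.secrets generator below (plaintext for Nextcloud, pbkdf2
# digest for Authelia).  The secret files are built with jq so their
# values are always JSON-escaped.
{
  hst.subdomains.cloud = {};
  # Authelia access rule for the vhost: any authenticated user (one factor)
  # may reach Nextcloud; authorization inside Nextcloud is separate.
  services.authelia.instances."${config.hst.auth.instanceName}".settings.access_control.rules = [{
    domain = "cloud.${config.hst.site.domain}";
    policy = "one_factor";
  }];
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud28;
    extraApps = with pkgs.nextcloud28Packages.apps; {
      # inherit spreed contacts polls tasks deck impersonate forms; # notify_push; # news;
      # Pinned by hash, so the app tarball cannot change underneath us.
      oidc_login = pkgs.fetchNextcloudApp rec {
        url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.0.2/oidc_login.tar.gz";
        sha256 = "sha256-cN5azlThKPKRVip14yfUNR85of5z+N6NVI7sg6pSGQI=";
        license = pkgs.lib.licenses.mit.shortName;
      };
    };
    hostName = "cloud.${config.hst.site.domain}";
    https = true;
    # extraAppsEnable = true; ## don't allow app store
    # notify_push.enable = true; ## problems with authelia
    # phpExtraExtensions = [ "php-systemd" ]; ## not packaged
    # logType = "systemd";
    database.createLocally = true;
    # Admin password comes from a secret file outside the nix store.
    config.adminpassFile = "/etc/secrets/nextcloud/adminpass";
    config.dbtype = "pgsql";
    caching = {
      redis = true;
      apcu = false;
    };
    settings = {
      ## caching
      # Redis over a unix socket only (port 0), matching the redis server
      # below; no TCP listener is involved.
      redis = {
        host = "/run/redis-nextcloud/redis.sock";
        port = 0;
      };
      "memcache.local" = "\\OC\\Memcache\\Redis";
      "memcache.distributed" = "\\OC\\Memcache\\Redis";
      "memcache.locking" = "\\OC\\Memcache\\Redis";
      ## oidc-login
      # Identity is owned by Authelia: no local display-name changes, no
      # password reset link, password form hidden, no password auth.
      allow_user_to_change_display_name = false;
      lost_password_link = "disabled";
      oidc_login_provider_url = "https://${config.hst.auth.subdomain}.${config.hst.site.domain}/authelia";
      oidc_login_client_id = "nextcloud";
      oidc_login_auto_red
irect = false;
      oidc_login_end_session_redirect = false;
      oidc_login_button_text = "Log in with ${config.hst.auth.subdomain}.${config.hst.site.domain}";
      oidc_login_hide_password_form = true;
      oidc_login_use_id_token = true;
      oidc_login_attributes = {
        id = "preferred_username";
        name = "name";
        mail = "email";
        groups = "groups";
      };
      oidc_login_default_group = "oidc";
      oidc_login_use_external_storage = false;
      oidc_login_scope = "openid profile email groups";
      oidc_login_proxy_ldap = false;
      # Registration stays enabled (per the option name; confirm against the
      # app's docs): an Authelia identity that passes the one_factor rule
      # above gets a Nextcloud account on first login.
      oidc_login_disable_registration = false;
      oidc_login_redir_fallback = false;
      # oidc_login_alt_login_page = "assets/login.php";
      # Keep TLS verification of the provider on; disabling it would leave
      # the token exchange open to interception.
      oidc_login_tls_verify = true;
      oidc_create_groups = false;
      oidc_login_webdav_enabled = true;
      oidc_login_password_authentication = false;
      oidc_login_public_key_caching_time = 86400;
      oidc_login_min_time_between_jwks_requests = 10;
      oidc_login_well_known_caching_time = 86400;
      oidc_login_update_avatar = false;
    };
    ## for oidc secret oidc_login_client_secret = "insecure_secret";
    # Merged into the Nextcloud config at runtime; generated below so the
    # secret never enters the nix store.
    secretFile = "/run/secrets/nextcloud-setup/oidc-secret.json";
  };
  # Redis instance dedicated to Nextcloud, unix socket only.
  services.redis.servers.nextcloud = {
    enable = true;
    user = "nextcloud";
    bind = null;
    port = 0;
  };

  ## authelia client

  # Builds the secretFile consumed by services.nextcloud above.  `jq --arg`
  # JSON-escapes the value, so a secret containing quotes or backslashes can
  # neither break the document nor add keys to it (the echo-built string it
  # replaces relied on the generator's charset for that).
  hst.secrets-generate."nextcloud-setup/oidc-secret.json".script = ''
    ${pkgs.jq}/bin/jq -n --arg secret "$(cat /etc/secrets/nextcloud/oidc.secret)" \
      '{ oidc_login_client_secret: $secret }'
  '';

  hst.auth.enableOidc = true;
  hst.auth.extraConfigFiles = [
    "/run/secrets/authelia-${config.hst.auth.instanceName}/oidc-nextcloud.yml"
  ];
  # Authelia side of the client: the static client definition is rendered
  # to JSON at build time with an empty secret and the pbkdf2 digest is
  # spliced in at activation.  `--arg` keeps the digest out of the jq
  # program text, so no character in it can alter the filter.
  hst.secrets-generate."authelia-${config.hst.auth.instanceName}/oidc-nextcloud.yml".script = ''
    ${pkgs.jq}/bin/jq --arg digest "$(cat /etc/secrets/nextcloud/oidc.digest)" \
      '(.identity_providers.oidc.clients[] | select(.id == "nextcloud") | .secret) |= $digest' \
      < ${config.hst.lib.jsonFile {
        identity_providers.oidc.clients = [{
          id = "nextcloud";
          description = "cloud.${config.hst.site.domain}";
          secret = "";
          public = false;
          authorization_policy = "one_factor";
          redirect_uris = [
            "https://cloud.${config.hst.site.domain}/apps/oidc_login/oidc"
          ];
          scopes = [ "openid" "profile" "email" "groups"];
          userinfo_signing_algorithm = "none";
        }];
      }}
  '';

  ## secret handling
  hst.secrets.nextcloud = {
    ## authelia need access to oidc secret
    # NOTE(review): if `group` applies to every file in this set, the
    # plaintext oidc.secret and the admin password are group-readable by
    # authelia as well, although it only needs oidc.digest -- confirm the
    # hst.secrets semantics and narrow this if so.
    group = "authelia-${config.hst.auth.instanceName}";
    files = {
      adminpass = {};
      "oidc" = {
        bytes = 72;
        outputs = [ "oidc.secret" "oidc.digest" ];
        # Generates a random client secret plus its pbkdf2-sha512 digest with
        # authelia's own tool, so the digest format is what authelia expects.
        # Output is parsed positionally (line 1 password, line 2 digest);
        # `-f2-` keeps the whole value even if it ever contains a ':'.
        # NOTE(review): `authelia` is resolved via PATH at generation time --
        # confirm the secrets framework provides it.
        generator = pkgs.writeScript "oidc" ''
          #!${pkgs.stdenv.shell}
          authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length $1 --random.charset rfc3986 | (
            read PW
            read DIG
            echo "$PW" | cut -d ':' -f2- | tail -c+2 > "$2.secret"
            echo "$DIG" | cut -d ':' -f2- | tail -c+2 > "$2.digest"
          )
        '';
      };
    };
  };

}
--------------------------------------------------------------------------------
/lenix.nix:
--------------------------------------------------------------------------------
{ config, pkgs, lib, ...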
}:

# Host "lenix": an Intel laptop used as a dev workstation.  Most tooling
# and hardware modules come in through `require`; the host-specific part is
# the disk layout, wifi via iwd, printing and a daily borg backup of the
# user's Dropbox to hetox.
{ ## Outsource nixpkgs.config to be shared with nix-env
  require = [ # ./desktop.nix
    ./dev.nix ./power-savings.nix ./dev/hackrf.nix
    # ./dev/maple.nix ./dev/saleae.nix ## pulseview is broken
    ./dev/muart.nix ./dev/gd32.nix ./dev/stlink.nix
    ./dev/qemu.nix
    ./dev/stalin.nix
    ## pull in from NUR
    # ./dev/forth.nix
    # ./dev/android.nix
    ./dev/container.nix ./dev/ft2232h.nix
    # ./ark.module.nix
    ./waydroid.module.nix ./docker.module.nix

    # NOTE(review): a "test" account with no password, key or group set in
    # this file; as written it has no credential, so it is only usable if
    # another module (or a manual passwd) gives it one -- keep that in mind
    # before granting it anything.
    { users.users.test.isNormalUser = true; }

    {
      programs.cdemu.enable = true;
      users.users.herwig.extraGroups = [ "cdrom" ];
    }

    { programs.systemtap.enable = true; }

    # DLNA server; openFirewall exposes its ports in the host firewall.
    {
      services.mediatomb = {
        enable = true;
        openFirewall = true;
        uuid = "e3aa5ce8-1d22-4b9b-9f10-965b5cafbd3a";
        serverName = "Lenix";
      };
    }

    # ./lenix/bonding.nix

    # { # Ethernet Server (for nitox)
    #   networking.nat.externalInterface = "wlan0";
    #   networking.nat.internalInterfaces = [ "enp0s31f6" ];
    #   systemd.network-wait-online.ignore = [ "enp0s31f6" ];

    #   systemd.network.networks."10-enp0s31f6" = {
    #     matchConfig.Name = "enp0s31f6";
    #     address = [ "10.0.0.1/24" ];
    #     networkConfig = {
    #       ## handled by firewall config
    #       # IPMasquerade = "yes";
    #       DHCPServer = "yes";
    #     };
    #     dhcpServerConfig = {
    #       PoolOffset= 32;
    #       PoolSize= 32;
    #     };
    #   };

    #   services.avahi.allowInterfaces = [ "enp0s31f6" ];
    #   # for dhcp
    #   networking.firewall.allowedUDPPorts = [ 67 ];
    # }

    # { ## USB Modem
    #   services.networkmanager = {
    #     enable = pkgs.lib.mkForce true;
    #     unmanaged = [ "lo" "wlan0" "enp0s31f6" "anbox0" ];
    #     packages = [ pkgs.networkmanager-openconnect pkgs.networkmanager-vpnc ];
    #   };
    # }

  ];

  hst.site = {
    machine = "lenix";
    domain = "bendlas.local";
    adminUser = "herwig";
  };

  environment.systemPackages = with pkgs; [
    bluez5 wireless-regdb intel-gpu-tools
    ## TODO auto-start warpd
    warpd
  ];

  environment.variables.VAAPI_MPEG4_ENABLED = "true";

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.kernelModules = [ "kvm-intel" ];
  # Hibernation target is the swap partition declared below.
  boot.kernelParams = [ "resume=UUID=083e3aab-29cd-4d4c-a9b6-027c9b413af5" ];

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/cf7a2c05-5a08-4716-aa30-2c3556f5033c";
    fsType = "btrfs";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/D45C-9B25";
    fsType = "vfat";
  };

  swapDevices = [
    { device = "/dev/disk/by-uuid/083e3aab-29cd-4d4c-a9b6-027c9b413af5"; }
  ];

  # Wifi is handled by iwd.
  networking.wireless.iwd.enable = true;
  ## temp disable, as this interferes with /etc/wpa_supplicant.conf
  # networking.wireless.userControlled.enable = true;
  # networking.wireless.interfaces = [ "wlp3s0" ];

  # networking.interfaces = {
  #   wlan0.useDHCP = true;
  #   enp0s31f6.useDHCP = true;
  #   enp0s20f0u6.useDHCP = true; ## USB Net from phone
  #   # ve-virtox.useDHCP = true;
  # };

  # NOTE(review): enp0s20f0u6 is the phone's USB tether (per the note
  # above); listing it here extends whatever trust hst.networking attaches
  # to "interfaces" to that link as well.
  hst.networking.interfaces = [ "wlan0" "enp0s31f6" "enp0s20f0u6" ];

  # services.avahi.allowInterfaces = [ "wlan0" "enp0s31f6" ];
  # services.teamspeak3 = {
  #   enable = true;
  #   openFirewall = true;
  # };
  services.libinput.enable = false;
  services.xserver.videoDrivers = [ "intel" ];
  services.xserver.synaptics = {
    enable = true;
    twoFingerScroll = true;
  };
  services.printing = {
    enable = true;
    drivers = [ pkgs.splix pkgs.brgenml1cupswrapper ];
  };
  # Daily off-site backup of ~/Dropbox to the borg repo on hetox.
  # repokey-blake2 keeps the (passphrase-wrapped) repo key inside the
  # repository itself, so the passphrase from `pass` is the only secret
  # between a repo reader and the data; the ssh identity is a dedicated
  # backup key rather than the user's main one.
  services.borgbackup.jobs.herwig_dropbox = {
    user = "herwig";
    paths = [
      "/home/herwig/Dropbox"
    ];
    repo = "borg@hetox.bendlas.net:Dropbox";
    encryption = {
      mode = "repokey-blake2";
      passCommand = "${pkgs.pass}/bin/pass borgbackup/herwig";
    };
    compression = "auto,zstd";
    startAt = "daily";
    environment.BORG_RSH = "ssh -i /home/herwig/.ssh/id_ed25519_borgbackup";
  };

  hardware.sane.enable = true;
  hardware.cpu.intel.updateMicrocode = true;
  hardware.trackpoint.emulateWheel = true;
  hardware.bluetooth.enable = true;
  # hardware.enableRedistributableFirmware = true;
  hardware.firmware = [ pkgs.firmwareLinuxNonfree ];
  hardware.opengl = {
    enable = true;
    extraPackages = with pkgs; [
      # intel-media-driver
      vaapiIntel
    ];
    # extraPackages32 = with pkgs.pkgsi686Linux; [
    #   intel-media-driver
    #   # vaapiIntel
    # ];
  };

  # boot.extraModulePackages = [ pkgs.linuxPackages.v4l2loopback ];

  # Smart-card daemon (pcsc-lite).
  services.pcscd.enable = true;

  nix.settings.max-jobs = 2;
  # powerManagement.cpuFreqGovernor = "powersave";
  system.stateVersion = "20.03";
}
--------------------------------------------------------------------------------
/jokix.nix:
--------------------------------------------------------------------------------
{ lib, config, pkgs, ...
}:
# Host "jokix": a small server for jakob-kapeller.org running PostgreSQL
# (with path-watch-triggered borg backups), Nextcloud with its data on
# /var/storage, and a reverse-proxied RStudio/Shiny endpoint.
{
  hst.site.machine = "jokix";
  hst.site.domain = "jakob-kapeller.org";
  # NOTE(review): "jacklist" is not declared under users.users in this
  # file; confirm the account is defined elsewhere.
  services.openvscode-server.user = "jacklist";
  hdirect.user = "joko";

  environment.systemPackages = with pkgs; [
    deluge webtorrent_desktop chromium # emacsBendlas
  ];

  require = [
    ## backup config
    {
      # Security note: encryption.mode = "none" together with uncompressed
      # full dumps (backupAll, compression = "none" below) means every
      # database on this host sits in clear text under /var/storage; access
      # control on that volume is the whole protection.
      services.borgbackup.jobs.postgresql = {
        repo = "/var/storage/borgbackup-repo";
        compression = "auto,zstd";
        encryption.mode = "none";
        startAt = []; ## disable timer, will be started by path watcher
        paths = [ "/var/backup/postgresql" ];
      };
      ## borg backup jobs get an implicit borgbackup-job-* prefix on systemd unit level
      ## thus this timer will trigger the backup job
      # Path unit -> delay timer -> borg service: the 10 s delay gives the
      # dump time to finish writing before borg reads the directory, and
      # RemainAfterElapse = false lets the path unit re-arm the timer.
      systemd.timers.borgbackup-job-postgresql = {
        description = lib.mkForce "Backup delay timer for postgresql server backup. Delays backup start in order to ensure that everything has been written properly";
        timerConfig.OnActiveSec = "10 seconds";
        timerConfig.AccuracySec = "1 seconds";
        ## stop timer after job completion, to re-prime for start
        timerConfig.RemainAfterElapse = false;
      };
      systemd.paths.borgbackup-job-postgresql = {
        description = "File watcher for postgres server backup";
        wantedBy = [ "multi-user.target" ];
        pathConfig.PathChanged = [
          "/var/backup/postgresql"
        ];
        ## trigger delay timer instead of service directly
        pathConfig.Unit = "borgbackup-job-postgresql.timer";
      };
      # services.borgbackup.repos.storage.path = "/var/storage/borgbackup-repo";
      services.postgresqlBackup = {
        enable = true;
        backupAll = true;
        compression = "none";
        ## does nothing with backupAll
        # pgdumpOptions = "-C -F custom -Z none";
      };
    }
    ## nextcloud config
    {
      require = [ ./nextcloud.module.nix ];
      # Data directory on the storage volume; 0750 keeps it owner/group only.
      services.nextcloud.datadir = "/var/storage/nextcloud";
      systemd.tmpfiles.rules = [
        "d /var/storage/nextcloud 0750 nextcloud nextcloud"
      ];
    }

    ## rstudio-server config
    {
      # NOTE(review): the vhost proxies to 127.0.0.1:8787 while the service
      # meant to listen there is commented out.  Whatever process binds that
      # port locally becomes reachable under this subdomain; whether
      # hst.subdomains puts Authelia in front of it is not visible here --
      # confirm, or drop the vhost until rstudio-server is enabled.
      hst.subdomains."rshiny".vHostConfig.locations."/".proxyPass = "http://127.0.0.1:8787/";
      # services.rstudio-server.enable = true;
    }

    ### user configs
    {
      hst.wheel.logins = [ "joko" "herwig" ];
      users.users = {
        joko.isNormalUser = true;
        herwig.isNormalUser = true;
      };
      # SSH keys for the (presumably wheel-level) admin logins; key
      # material is redacted in this listing.
      hst.wheel.keys = [
        "ssh-rsa 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 joko@JokosBook-2.local"
        "ssh-rsa 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 herwig@lenix"
      ];
    }

    ### network config
    {
      # sshd listens on 22 and 2222; any rate-limit or firewall rule set
      # elsewhere has to cover both ports.
      services.openssh.ports = [ 22 2222 ];
      # networking.useDHCP = false;
      # networking.interfaces.enp9s0.useDHCP = true;
      # networking.interfaces.enp10s0.useDHCP = true;
      # services.avahi.allowInterfaces = [ "enp10s0" "enp9s0" "wlan0" ];
      hst.networking.interfaces = [ "enp10s0" "enp9s0" "wlan0" ];
      ## disable waiting for unused network interfaces
      ## FIXME: wait for any
      systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
    }
  ];

  ### rest config
  system.stateVersion = "23.05";

  ## xserver
  services.xserver = {
    displayManager.gdm.autoSuspend = false;
    xkb.layout = "de";
  };

  ### hardware configuration
  ## Use the systemd-boot EFI boot loader.
  boot = {
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = true;
    initrd.availableKernelModules = [ "uhci_hcd" "ahci" "xhci_pci" "firewire_ohci" "usb_storage" "usbhid" ];
    initrd.kernelModules = [ ];
    # "wl" is the out-of-tree Broadcom wifi driver, hence the
    # broadcom_sta module package and allowUnfree.
    kernelModules = [ "kvm-intel" "wl" ];
    extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
  };

  nixpkgs.config.allowUnfree = true;

  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/4decab4b-5ccd-43b7-a4f8-6047f65bd443";
      fsType = "ext4";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/67E3-17ED";
      fsType = "vfat";
    };
    # Backups and Nextcloud data live here (see the require list).
    "/var/storage" = {
      device = "/dev/disk/by-uuid/d6ae60e3-df52-4e0c-8401-c955223a1fc3";
      fsType = "ext4";
    };
  };

  swapDevices = [
    { device = "/dev/disk/by-uuid/689d1a04-8261-4a90-a667-89c12c26b6c3"; }
  ];

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  hardware.enableRedistributableFirmware = true;

}
--------------------------------------------------------------------------------
/emacs-packages.nix:
--------------------------------------------------------------------------------
1 | { emacs28, emacs-unstable, emacsPackagesFor 2 | , enableDebugInfo, fetchFromGitHub 3 | , pkgs 4 | }: 5 | 6 | let 7 | 8 | ## TODO investigate why bendlas-autoloads don't work with stock emacs 9 | # baseEmacs = emacs28; 10 | baseEmacs = emacs-unstable; 11 | 12 | # baseEmacs = emacsGit.overrideAttrs (_: { 13 | # src = pkgs.fetchFromGitHub { 14 | # owner = "commercial-emacs"; 15 | # repo = "commercial-emacs"; 16 | # rev = "54a6e8174e22c649c3c3896f15b2a2e05c13c5cc"; 17 | # sha256 = "sha256-fureWFTpizuzQ7YfsCJ5fh+YfVDR3goTMd0zKsd0bhk="; 18 | # }; 19 | # 
# });

  ## Build an `emacsWithPackages` for the given package set.
  ## `userPackages` is a function from the (overridden) epkgs set to a list of
  ## extra packages; it is appended after the builtin list and the native tools.
  ## All overrides are pure functions epkgs -> epkgs and are applied in order.
  emacsWithPackagesFor = emacsPackages: userPackages:
    let
      overrides = [
        (epkgs: epkgs // epkgs.melpaPackages)
        # see https://github.com/NixOS/nix-mode/pull/177
        (updatePackage "nix-mode" (epkgs: old: {
          propagatedBuildInputs = old.propagatedBuildInputs ++ [ epkgs.reformatter ];
          propagatedUserEnvPkgs = old.propagatedUserEnvPkgs ++ [ epkgs.reformatter ];
        }))
        # (patchPackage "volume" "https://patch-diff.githubusercontent.com/raw/dbrock/volume.el/pull/8.patch" "sha256-6e5UXtWSeP3iJFhsLw6KrIZGYmjMkip2oiF+yn40VaE=")
        # (patchPackage "benchmark-init" "https://patch-diff.githubusercontent.com/raw/dholm/benchmark-init-el/pull/16.patch" "sha256-lVEKRgy60uvpl3jAeuo2mabldU8SwukHfwTgoAi9A9Q=")
        # (epkgs: epkgs // {
        #   exwm = epkgs.trivialBuild rec {
        #     pname = "exwm";
        #     version = "2023-11-15";
        #     src = fetchFromGitHub {
        #       owner = "bendlas";
        #       repo = "exwm";
        #       rev = version;
        #       sha256 = "sha256-ADbDy59xZHiPnnftTz6km9a2Uzq90ZshxaiUdDTNug0=";
        #     };
        #     packageRequires = with epkgs; [ xelb ];
        #   };
        # })
        (epkgs: builtinPackages epkgs ++ userPackages epkgs ++ nativePkgs)
      ];
    in emacsPackages.emacsWithPackages (compOverrides overrides);

  ## The fixed set of elisp packages every emacs built here gets.
  ## Out-of-tree sources are pinned by commit and content hash (fetchFromGitHub
  ## with sha256), so a moved tag or a compromised upstream cannot silently
  ## change what is built.
  builtinPackages = epkgs: with epkgs; [
    (pkgs.callPackage ./emacs-bendlas.nix { emacsPackages = epkgs; })
    (epkgs.trivialBuild {
      pname = "emacs-gdb";
      version = "bendlas";
      src = pkgs.fetchFromGitHub {
        owner = "weirdNox";
        repo = "emacs-gdb";
        rev = "985423594e91a4fb774d4dc5322d4b9750393419";
        sha256 = "sha256-CDwbFTQ/CCGasEG5n3ww/moe7HgO6CFR+hpWY5L79Sw=";
      };
      packageRequires = with epkgs; [ hydra ];
      ## the package ships a native module that trivialBuild does not know about
      preBuild = ''
        echo BUILD
        make gdb-module.so
      '';
      ## the echo/typeset lines are build-time debugging output only; the
      ## effective step is installing the native module next to the elisp
      postInstall = ''
        echo "echo \$installPhase"
        echo "$installPhase"
        echo "typeset -f installPhase"
        typeset -f installPhase
        echo "ls -l"
        ls -l
        install *.so $LISPDIR
      '';
    })

    ## Terminals
    vterm eat

    ## Rest
    cyberpunk-theme gh groovy-mode haskell-mode htmlize
    ibuffer-tramp epkgs."ido-completing-read+" idris-mode crm-custom
    javap-mode ninja-mode commenter js2-mode xref-js2 # geiser
    js2-highlight-vars js2-refactor js2-closure json-mode json-reformat
    typescript-mode
    jvm-mode multiple-cursors nixos-options org org-present
    paredit nim-mode mmm-mode markdown-mode macrostep
    levenshtein php-mode rainbow-delimiters skewer-mode skewer-less
    skewer-reload-stylesheets smex undo-tree wanderlust # elixir-mode
    alchemist # erlang-mode
    yasnippet with-editor string-edit-at-point keyfreq scala-mode
    uuidgen systemtap-mode gn-mode coffee-mode cask-mode elf-mode lua-mode
    elfeed elfeed-goodies elfeed-web elfeed-org volume dockerfile-mode yaml-mode
    impatient-mode livescript-mode cmake-mode adoc-mode
    ivy ivy-xref treemacs elmacro hy-mode robe haml-mode

    edit-list refine
    golden-ratio workgroups2

    go-mode gdscript-mode

    benchmark-init

    # projectile projectile-direnv projectile-codesearch
    # persp-mode persp-mode-projectile-bridge
    # exwm-x

    magit magit-popup cljsbuild-mode clojars nix-mode
    clj-refactor clojure-mode
    slime cider # ensime
    tern forth-mode
    parseclj # spiral
    magit-gh-pulls
    flycheck toml-mode rust-mode cargo flycheck-rust
    graphviz-dot-mode

    ## LSP support
    lsp-mode ccls
  ];

  ## Non-elisp tools that end up on the wrapped emacs' PATH.
  nativePkgs = with pkgs; [
    ghostscript aspell
    ## LSP packages
    clojure-lsp ccls
    nil
    rust-analyzer
  ];

  ## Compose a list of epkgs -> epkgs overrides into a single function,
  ## applying them left to right (first element first).
  compOverrides = overrides: epkgs:
    pkgs.lib.foldl (acc: override: override acc) epkgs overrides;

  ## Shared shape of the three package-override helpers below: replace
  ## `pname` in the set by its overrideAttrs'd variant.
  overridePkg = pname: f: epkgs: epkgs // {
    "${pname}" = epkgs."${pname}".overrideAttrs f;
  };

  ## Apply a content-pinned patch (url + sha256) on top of an existing package.
  patchPackage = pname: url: sha256:
    overridePkg pname (old: {
      patches = (old.patches or []) ++ [
        (pkgs.fetchpatch {
          inherit url sha256;
        })
      ];
    });

  ## Generic overrideAttrs where the override function may also look at epkgs.
  updatePackage = pname: f: epkgs:
    overridePkg pname (f epkgs) epkgs;

  ## Swap the source of an existing package.
  sourcePackage = pname: src:
    overridePkg pname (_: {
      inherit src;
    });

  emacsUnwrapped = baseEmacs;
  # ## emacs with X
  # emacsUnwrapped = baseEmacs.override {
  #   inherit (pkgs) alsa-lib imagemagick acl gpm Xaw3d;
  #   withGTK3 = true; withGTK2 = false;
  #   withXwidgets = true;
  # };

  emacsPackages = emacsPackagesFor (
    emacsUnwrapped
    # enableDebugInfo (
    #   emacsUnwrapped
    # )
  );
  emacsWithPackages = emacsWithPackagesFor emacsPackages;
  emacs = emacsWithPackages (epkgs: []);

  ## emacs without X
  emacsUnwrappedNox = baseEmacs.override {
    withX = false;
    withNS = false;
    withGTK2 = false;
    withGTK3 = false;
  };
  emacsPackagesNox = emacsPackagesFor (
    emacsUnwrappedNox
    # enableDebugInfo (
    #   emacsUnwrappedNox
    # )
  );
  emacsWithPackagesNox = emacsWithPackagesFor emacsPackagesNox;
  emacsNox = emacsWithPackagesNox (epkgs: []);

in {

  inherit emacsPackages emacsWithPackages emacs;
  inherit emacsPackagesNox emacsWithPackagesNox emacsNox;

}
--------------------------------------------------------------------------------
/flake-apps.nix:
--------------------------------------------------------------------------------
{ self, pkgs, ...
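}:

{

  ## Evaluate the toplevel derivation of every nixosConfiguration in parallel
  ## (eval only: `nix path-info --derivation`), to catch broken configs early.
  check-each-config = {
    type = "app";
    program = toString (pkgs.writeShellScript "check-each-config" ''
      set -eu
      exec nix run .#each-config -- \
        nix path-info .#nixosConfigurations.{}.config.system.build.toplevel \
          --derivation \
          --impure
    '');
  };

  ## Run a command template once per configuration name; GNU parallel
  ## substitutes `{}` with the name. The name list is baked in at eval time.
  each-config = {
    type = "app";
    program = toString (pkgs.writeShellScript "each-config" ''
      set -eu
      exec ${pkgs.parallel}/bin/parallel --tag "$@" ::: ${toString (builtins.attrNames self.nixosConfigurations)}
    '');
  };

  ## Build a configuration locally, copy its closure to root@HOST and act on it.
  ## Usage: deploy-ssh-for CONFIG HOST ACTION [--direct | GC-ARGS...]
  ##   gc       run nix-collect-garbage on the host, remaining args passed through
  ##   dry-run  copy the closure, then only print the activation commands
  ##   build    copy the closure and pin it in a staging profile, no activation
  ##   boot     set the system profile; becomes active at the next boot
  ##   switch   set the system profile and activate it now
  ## `--direct` (4th arg) pushes the whole closure from this machine instead of
  ## letting the host substitute from its own caches first.
  deploy-ssh-for = {
    type = "app";
    program = toString (pkgs.writeScript "deploy-ssh-for" ''
      #!${pkgs.stdenv.shell}
      set -eux
      if [ $# -lt 3 ]
      then echo >&2 "Usage: $0 CONFIG HOST ACTION [--direct | GC-ARGS...]"
           exit 2
      fi
      configName=$1
      remote=root@$2
      action=$3
      shift 3
      if [ gc = "$action" ]
      then ssh -C "$remote" nix-collect-garbage "$@"
           exit 0
      fi
      configuration=$(nix build ".#nixosConfigurations.$configName.config.system.build.toplevel" --print-out-paths --no-link -L)
      ## let the host fetch from its substituters unless --direct was given
      substitutes=
      if [ "''${1-}" != --direct ]; then substitutes=--use-substitutes; fi
      nix-copy-closure $substitutes --gzip --to "$remote" "$configuration"
      case "$action" in
        dry-run)
          set +x
          echo "[dry-run] Would run these commands:"
          echo "  ssh -C $remote nix-env --profile /nix/var/nix/profiles/system --set $configuration"
          echo "  ssh -C $remote $configuration/bin/switch-to-configuration $action"
          ;;
        build)
          ## staging profile lives under /nix/var/nix/profiles (root-owned and
          ## a GC root) rather than /tmp: a profile in the world-writable /tmp
          ## is not protected from garbage collection and its symlinks can be
          ## pre-created by any local user on the host
          ssh -C "$remote" nix-env --profile /nix/var/nix/profiles/nixos-staging --set "$configuration"
          ;;
        boot|switch)
          ssh -C "$remote" nix-env --profile /nix/var/nix/profiles/system --set "$configuration"
          ssh -C "$remote" "$configuration/bin/switch-to-configuration" "$action"
          ;;
        *)
          ## previously fell through with exit status 0, which hid typos in
          ## scripted deployments
          echo >&2 "Unknown action '$action'. Use one of: gc, dry-run, build, boot, switch"
          exit 2
          ;;
      esac
    '');
  };

  ## Create the local `nixos` dev container from the `container` flake output,
  ## bind the source checkouts into it and bootstrap secrets and services.
  ## NOTE: only `set -v` (echo commands), no `set -e`: a failing step, e.g. the
  ## container already existing, does not stop the script. Presumably intended
  ## so the script can be re-run, but failures have to be read from the output.
  ## The forgejo runner token is handed over as a command-line argument inside
  ## the container, i.e. briefly visible in its process list; fine for a local
  ## dev container, not something to copy to a shared host.
  container-create = {
    type = "app";
    program = toString (pkgs.writeScript "container-create" ''
      #!${pkgs.stdenv.shell}
      set -v
      nixos-container create nixos --flake .#container
      nixos-container start nixos
      nix run .#container-mount-sources
      nixos-container run nixos -- sh -v -c '
        hst-secret-generate
        runuser -u forgejo -- forgejo actions generate-runner-token
        hst-forgejo-register-runner $(hst-forgejo-runner-token)
        systemctl start datomic
        systemctl restart postgresql # so that datomic tables are ensurePermissioned for applications read access
        systemctl start hdirect-server.service datomic-console.service
      '
    '');
  };

  ## Restart the container, re-bind the sources and restart the app services.
  container-restart = {
    type = "app";
    ## store name now matches the app name (was "container-init")
    program = toString (pkgs.writeScript "container-restart" ''
      #!${pkgs.stdenv.shell}
      set -v
      nixos-container restart nixos
      nix run .#container-mount-sources
      nixos-container run nixos -- sh -v -c '
        systemctl restart hdirect-server.service datomic-console.service
      '
    '');
  };

  ## Follow the container journal with the fields the app logs its
  ## exceptions into.
  container-error-log = {
    type = "app";
    program = toString (pkgs.writeShellScript "container-error-log" ''
      set -euv
      nixos-container run nixos -- journalctl -f --output-fields SYSLOG_IDENTIFIER,MESSAGE,CODE_FUNC,CODE_FILE,CODE_LINE,EXN_NAME,EXN_MESSAGE,EXN_STACKTRACE -o verbose
    '');
  };

  container-mount-sources = {
    type = "app";
    doc = ''
      Mount source directories ../hdirect and ../webnf
      into /var/lib in the `nixos` container
    '';
    program = toString (pkgs.writeScript "container-mount-sources" ''
      #!${pkgs.stdenv.shell}
      if [ ! -d ../hdirect -o ! -d ../webnf ]
      then echo >&2 "please start from a nixos-config directory, with project directories one level up"
           exit 1
      fi
      machinectl bind nixos "$(readlink -f ../hdirect)" /var/lib/hdirect-src
      machinectl bind nixos "$(readlink -f ../webnf)" /var/lib/webnf-src
    '');
  };

  ## Point the flake inputs at the sibling checkouts and refresh the lock.
  flake-update-from-checkouts = {
    type = "app";
    program = toString (pkgs.writeScript "flake-update-from-checkouts" ''
      #!${pkgs.stdenv.shell}
      ## ../database is used below for hdirect/database, so it is checked too
      if [ ! -d ../hdirect -o ! -d ../webnf -o ! -d ../host-shell -o ! -d ../database ]
      then echo >&2 "please start from a nixos-config directory, with project directories one level up"
           exit 1
      fi
      nix flake lock \
        --update-input hdirect \
        --override-input hdirect "$(readlink -f ../hdirect)" \
        --update-input hdirect/database \
        --override-input hdirect/database "$(readlink -f ../database)" \
        --update-input host-shell \
        --override-input host-shell "$(readlink -f ../host-shell)"
    '');
  };

  ## Write the bcachefs live ISO to a block device. The target is checked to be
  ## a block device before dd runs as root, so a typo'd path cannot end up as a
  ## 4M-block file (or clobber a regular file) instead of the intended medium.
  bcachefs-boot-medium-for = {
    type = "app";
    program = toString (pkgs.writeShellScript "bcachefs-boot-medium-for" ''
      if [ -z "$1" ]
      then echo >&2 "Usage: $0 /dev/sdX"
           exit 1
      fi
      if [ ! -b "$1" ]
      then echo >&2 "$1 is not a block device, refusing to write"
           exit 1
      fi
      exec sudo ${pkgs.coreutils}/bin/dd \
        bs=4M conv=fsync status=progress \
        if=${
          self.nixosConfigurations.iso-with-bcachefs.config.system.build.isoImage
        }/iso/${
          self.nixosConfigurations.iso-with-bcachefs.config.system.build.isoImage.isoName
        } \
        of="$1"
    '');
  };

  rebuild-switch = {
    type = "app";
    doc = ''
      Unfortunately doesn't work in suid mode. store not unlocked (rw mounted)
      Just a neat example of how to execve with C
    '';
    ## minimal execve wrapper; argv is fixed, only the environment is inherited
    program = toString (pkgs.runCommand "unpriv-rebuild-switch" {
      source = pkgs.writeText "rebuild-switch.c" ''
        #include <stdio.h>
        #include <stdlib.h>
        #include <unistd.h>
        char *norProg = "/run/current-system/sw/bin/nixos-rebuild";
        char *norArgv[] = { "nixos-rebuild", "--flake", ".#container", "dry-run", NULL };
        int main(int argc, char *argv[], char *envp[]) {
          execve(norProg, norArgv, envp);
          perror("execve"); /* execve() only returns on error */
          exit(EXIT_FAILURE);
        }
      '';
      buildInputs = [ pkgs.gcc ];
    } ''
      gcc -o $out $source
    '');

  };
}
--------------------------------------------------------------------------------
/nitox.nix:
--------------------------------------------------------------------------------
{ config, pkgs, lib, ... }:

{
  require = [
    ./dev.nix
    # ./distributed-build.nix
    # ./dev/forth.nix
    ./dev/qemu.nix
    ./docker.module.nix
    # ./zfs.nix
    # ./ark.module.nix
    # {
    #   networking.firewall.allowedTCPPorts = [ 2049 111 4000 4001 ];
    #   networking.firewall.allowedUDPPorts = [ 2049 111 4000 4001 ];
    #   services.nfs.server = {
    #     enable = false;
    #     statdPort = 4000;
    #     lockdPort = 4001;
    #     exports = ''
    #       /var/public 10.0.2.0/24(rw,nohide,insecure,no_subtree_check,fsid=0) 192.168.0.0/24(rw,nohide,insecure,no_subtree_check,fsid=0)
    #     '';
    #   };
    # }

    { boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; }
    { hardware.openrazer.enable = true; }
    { programs.systemtap.enable = true; }
    {
      hardware.sane.enable = true;
      ## udev sysfs attribute names are case sensitive: the attribute is
      ## `idVendor`, so the previous `idvendor` never matched and the rule
      ## (group lp, mode 0660, sane match) was not applied to the device
      services.udev.extraRules = ''
        ATTR{idVendor}=="04e8", ATTR{idProduct}=="344f", MODE:="0660", GROUP:="lp", ENV{libsane_matched}:="yes"
      '';
      services.printing = {
        enable = true;
        drivers = [ pkgs.splix ];
      };
    }

    {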
options.hst.scripts = with lib; with types; mkOption { 41 | type = attrsOf (submodule ({name, ... }: { 42 | options = { 43 | name = mkOption { 44 | default = name; 45 | type = string; 46 | }; 47 | shell = mkOption { 48 | default = "${pkgs.nushell}/bin/nu --stdin"; 49 | type = string; 50 | }; 51 | text = mkOption { 52 | type = string; 53 | }; 54 | }; 55 | })); 56 | }; 57 | 58 | config.environment.systemPackages = with lib; [ 59 | pkgs.nushell 60 | (pkgs.linkFarm "hst-scripts" 61 | (map ({ name, shell, text }:{ 62 | name = "bin/${name}"; 63 | path = pkgs.writeScript name "#!${shell}\n\n${text}"; 64 | }) (attrValues config.hst.scripts))) 65 | ]; 66 | } 67 | { 68 | hst.scripts.set-cpu-fan-rpm.text = '' 69 | def main [ pwm: int ] { 70 | echo $pwm | save -rf /sys/class/hwmon/hwmon1/pwm2 71 | } 72 | ''; 73 | } 74 | ]; 75 | 76 | hst.site.machine = "nitox"; 77 | hst.site.domain = "bendlas.local"; 78 | hst.site.adminUser = "herwig"; 79 | system.stateVersion = "20.03"; 80 | 81 | boot = { 82 | initrd.availableKernelModules = [ "ehci_pci" "ahci" "nvme" "xhci_pci" "usbhid" "sd_mod" "sr_mod" "bcache" ]; 83 | kernelModules = [ "kvm-intel" "nct6775" ]; 84 | loader.grub = { 85 | enable = true; 86 | device = "/dev/sda"; 87 | }; 88 | kernelParams = [ "resume=UUID=a0056ae3-75e7-45aa-8b13-9cdeb395b96e" ]; 89 | extraModprobeConfig = '' 90 | options libahci skip_host_reset=1 91 | ''; 92 | }; 93 | 94 | fileSystems."/" = { 95 | device = "/dev/disk/by-uuid/b3f6dbba-8c4c-422d-80e3-b396c92b9c2a"; 96 | fsType = "ext4"; 97 | }; 98 | 99 | fileSystems."/boot" = { 100 | device = "/dev/disk/by-uuid/bf4791ad-62c0-481d-bc8c-a800ad9cf8f8"; 101 | fsType = "ext4"; 102 | }; 103 | 104 | ## re-enable when bcache fix has hit unstable 105 | ## https://github.com/NixOS/nixpkgs/pull/235815/commits/de643091d7596cddaeaa9690ff4d03d3a3304983 106 | # fileSystems."/var/spinning-rust" = { 107 | # device = "/dev/disk/by-uuid/3d369f1e-b1b5-4c36-90da-f34f2e0f6af0"; 108 | # fsType = "btrfs"; 109 | # options = [ "nossd" 
"discard" "compress=lzo" "noatime" "autodefrag" "nobootwait" ]; 110 | # }; 111 | 112 | swapDevices = [ 113 | { device = "/dev/disk/by-uuid/a0056ae3-75e7-45aa-8b13-9cdeb395b96e"; } 114 | ]; 115 | 116 | hardware.cpu.intel.updateMicrocode = true; 117 | 118 | hardware.opengl = { 119 | enable = true; 120 | driSupport = true; 121 | driSupport32Bit = true; 122 | extraPackages = with pkgs; [ 123 | ## amdgpu opencl 124 | rocmPackages.clr 125 | rocmPackages.clr.icd 126 | ## open source vulcan 127 | amdvlk 128 | ## video 129 | vaapiIntel 130 | ]; 131 | extraPackages32 = with pkgs; [ 132 | driversi686Linux.amdvlk 133 | ]; 134 | }; 135 | hardware.bluetooth.enable = true; 136 | hardware.firmware = [ pkgs.firmwareLinuxNonfree ]; 137 | 138 | networking = rec { 139 | ## for network forwarding 140 | # nat.externalInterface = "ww+"; 141 | 142 | hostId = "f26c47cc"; 143 | bridges.br0.interfaces = [ "enp6s0" ]; 144 | interfaces.br0.macAddress = "52:CB:A3:76:0F:0E"; 145 | 146 | # interfaces.br0.useDHCP = true; 147 | # nat.internalInterfaces = [ "br0" ]; 148 | 149 | # for dhcp 150 | firewall.allowedUDPPorts = [ 67 ]; 151 | 152 | }; 153 | 154 | environment.etc."qemu/bridge.conf".text = '' 155 | allow br0 156 | ''; 157 | 158 | systemd.network.wait-online.ignoredInterfaces = [ "br0" ]; 159 | 160 | # systemd.network.networks."10-enp6s0" = { 161 | # matchConfig.Name = "br0"; 162 | # address = [ "10.0.0.1/24" ]; 163 | # networkConfig = { 164 | # ## handled by firewall config 165 | # # IPMasquerade = "yes"; 166 | # DHCPServer = "yes"; 167 | # }; 168 | # dhcpServerConfig = { 169 | # PoolOffset= 32; 170 | # PoolSize= 32; 171 | # }; 172 | # }; 173 | 174 | users.users.herwig.extraGroups = [ "openrazer" ]; 175 | 176 | ## we don't need modemmanager any more 177 | # networking.networkmanager = { 178 | # enable = lib.mkForce true; 179 | # unmanaged = [ "lo" "br0" "enp6s0" "anbox0" ]; 180 | # }; 181 | 182 | services.xserver = { 183 | videoDrivers = [ "amdgpu" "intel" "vesa" ]; # "amdgpu-pro" "nvidia" 
"nouveau" "nv" "vesa" ]; 184 | # deviceSection = '' 185 | # Option "Coolbits" "12" 186 | # ''; 187 | }; 188 | 189 | services.printing = { 190 | enable = true; 191 | drivers = [ pkgs.splix ]; 192 | }; 193 | 194 | # ## AMD ROCM / HIP support 195 | 196 | # systemd.tmpfiles.rules = [ 197 | # "L+ /opt/rocm/hip - - - - ${pkgs.hip}" 198 | # ]; 199 | 200 | # nixpkgs.overlays = [ 201 | # (import ((import {}).fetchFromGitHub { 202 | # owner = "nixos-rocm"; 203 | # repo = "nixos-rocm"; 204 | # rev = "baa7e3b14f10dc4fc057cb83847e1a727f080b2d"; 205 | # sha256 = "sha256-0hEQPooixFP4nqtsAdN2RYcyatNgO0w5xE7SfhS0+SE="; 206 | # })) 207 | # ]; 208 | # nixpkgs.config.rocmTargets = [ "gfx803" ]; 209 | 210 | # services.avahi.allowInterfaces = [ "br0" ]; 211 | hst.networking.interfaces = [ "br0" ]; 212 | 213 | # hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470; 214 | # hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_390; 215 | # hardware.nvidia.modesetting.enable = true; 216 | # services.xserver.displayManager.gdm.wayland = true; 217 | 218 | nix.settings.max-jobs = 2; 219 | } 220 | -------------------------------------------------------------------------------- /natox.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
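}:

{
  hst.site.machine = "natox";
  hst.site.domain = "bendlas.local";
  hst.site.adminUser = "herwig";
  imports = [
    {
      # BG3 ports
      ## opened on every interface, including wlan0; fine on the home LAN
      ## this host is configured for, revisit before taking it elsewhere
      networking.firewall.allowedTCPPorts = [27015 27036];
      networking.firewall.allowedUDPPorts = [27015 27031 27032 27033 27034 27035 27036];
    }
    ./epson-inkjet-printer-stylus-photo-r3000.module.nix
    ./samba.module.nix
    ./ark.module.nix

    # ./vfio.module.nix
    # {
    #   ## TODO look at https://astrid.tech/2022/09/22/0/nixos-gpu-vfio/
    #   virtualisation.vfio = {
    #     enable = false; ## FIXME doesn't boot
    #     IOMMUType = "amd";
    #     devices = [ "10de:13c2" "10de:0fbb" ];
    #     blacklistNvidia = false;
    #     disableEFIfb = true;
    #     ignoreMSRs = true;
    #     applyACSpatch = false;
    #   };
    # }

    # ./vfio/module2.nix
    # {
    #   hst.vfio = {
    #     vmName = "win-vr";
    #     cpuFlavor = "amd";
    #     gpuFlavor = "amd";
    #     # deviceIds = [ "1002:73df" ];
    #     virshNodedevIds = [
    #       # "pci_0000_06_00_0"
    #       # "pci_0000_07_00_0"
    #       "pci_0000_08_00_0"
    #       # "pci_0000_08_00_1"
    #     ];
    #   };
    # }

    # ./brother-mfc-6490cw.module.nix
  ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot/efi";

  boot.kernelPackages = pkgs.linuxPackages_latest;

  ## resolve wifi firmware crashes
  # options iwlwifi 11n_disable=1 swcrypto=0 bt_coex_active=0 power_save=0 uapsd_disable=1
  # boot.extraModprobeConfig = ''
  #   options iwlwifi swcrypto=0 power_save=0 uapsd_disable=1
  #   options iwlmvm power_scheme=1
  # '';

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  # networking.useDHCP = false;
  # networking.interfaces.eno1.useDHCP = true;
  hst.networking.interfaces = [ "eno1" "wlan0" ];

  ## controlled by iwd and named wlan0
  # networking.interfaces.wlp8s0.useDHCP = true;

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  i18n.defaultLocale = "de_AT.UTF-8";

  # Enable sound.
  sound.enable = true;

  # Enable touchpad support (enabled default in most desktopManager).
  # services.libinput.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.groups = {
    steam = { };
  };
  ## both users are in wheel and in the libvirt/kvm groups, i.e. either one
  ## can manage VMs and (with password, see wheelNeedsPassword) become root
  users.users = {
    nara = {
      description = "Nara Richter";
      isNormalUser = true;
      extraGroups = [ "wheel" "steam" "libvirtd" "kvm" "qemu-libvirtd" ];
    };
    herwig = {
      description = "Herwig Hochleitner";
      isNormalUser = true;
      extraGroups = [ "wheel" "steam" "libvirtd" "kvm" "qemu-libvirtd" ];
    };
  };
  security.sudo.wheelNeedsPassword = true;

  hardware = {
    opengl = {
      enable = true;
      driSupport = true;
      driSupport32Bit = true;
      extraPackages = with pkgs; [
        # vaapiVdpau
        ## amdgpu opencl -- same attribute names as nitox.nix uses; the old
        ## top-level rocm-opencl-icd / rocm-opencl-runtime names were
        ## superseded by rocmPackages.clr in nixpkgs
        rocmPackages.clr
        rocmPackages.clr.icd
        ## open source vulcan
        amdvlk
      ];
    };
    enableRedistributableFirmware = true;
  };

  services = {
    # avahi.allowInterfaces = [ "wlan0" "eno1" ];
    xserver = {
      enable = true;
      videoDrivers = [ "amdgpu" "vesa" ];
      displayManager.gdm.enable = true;
      displayManager.gdm.autoSuspend = false;
      displayManager.gdm.wayland = false;
      displayManager.lightdm.enable = false;
      desktopManager.gnome.enable = true;
      desktopManager.plasma5.enable = false;
      ## `xkb.layout` as in jokix.nix; the bare `layout` option is the
      ## renamed/deprecated spelling
      xkb.layout = "de";
    };
    locate.enable = false;
    fstrim.enable = true;
    flatpak.enable = true;
    physlock.enable = false;
    ## Offsite backup of nara's data to a Hetzner storage box (ssh on port 23).
    ## The repo is encrypted client-side (repokey-blake2); the passphrase is
    ## read from a file in the user's Dokumente folder, which is itself one of
    ## the backed-up paths, so the file is excluded below: the key that
    ## protects the repository has no business being stored inside it.
    ## NOTE(review): make sure that file is mode 0600 and that the ssh key is
    ## restricted to borg on the storage box side.
    borgbackup.jobs = {
      nara = {
        user = "nara";
        paths = [
          "/home/nara/Bilder"
          "/home/nara/Gewerbe"
          "/home/nara/Dokumente"
        ];
        exclude = [
          "/home/nara/Dokumente/.backup_password"
        ];
        repo = "ssh://u365143@u365143.your-storagebox.de/home/nara";
        encryption = {
          mode = "repokey-blake2";
          passCommand = "cat /home/nara/Dokumente/.backup_password";
        };
        compression = "auto,zstd";
        startAt = "daily";
        environment.BORG_RSH = "ssh -p23 -i /home/nara/.ssh/id_ed25519";
      };
    };
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    gnumake tunctl
    firefox thunderbird chromium libreoffice gimp inkscape
    virt-manager qemu libguestfs p7zip
    python3 pciutils xorg.xkill spotify
    # teamspeak_client
    webtorrent_desktop vlc
    prismlauncher
  ];

  virtualisation.libvirtd = {
    enable = true;
    qemu.swtpm.enable = true;
    # qemu.ovmf.enable = true;
    # qemu.ovmf.package = pkgs.OVMFFull;
  };

  ## FIXME: port to NM
  # networking.nat.externalInterface = "wlan0";
  # networking.nat.internalInterfaces = [ "enp0s31f6" ];
  # networking.firewall.allowedUDPPorts = [ 67 ]; # for dhcp
  # systemd.network.networks."10-enp9s0" = {
  #   matchConfig.Name = "enp9s0";
  #   address = [ "10.0.0.1/24" ];
  #   networkConfig = {
  #     ## handled by firewall config
  #     # IPMasquerade = "yes";
  #     DHCPServer = "yes";
  #   };
  #   dhcpServerConfig = {
  #     PoolOffset= 32;
  #     PoolSize= 32;
  #   };
  # };

  nixpkgs.config = {
    allowUnfree = true;
  };

  ## all nix.conf settings through `nix.settings`, using the current option
  ## names instead of the deprecated aliases that were in extraOptions
  ## (binary-caches-parallel-connections -> http-connections,
  ##  gc-keep-outputs -> keep-outputs, gc-keep-derivations -> keep-derivations)
  nix = {
    settings = {
      max-jobs = 6;
      cores = 12;
      http-connections = 24;
      keep-outputs = true;
      keep-derivations = true;
    };
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.11"; # Did you read the comment?

  ## Hardware Configuration
  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "uas" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" "nct6775" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/c9ebd73b-6a5e-4194-91da-92916e481c77";
    fsType = "ext4";
  };

  fileSystems."/boot/efi" = {
    device = "/dev/disk/by-uuid/4A42-E4F5";
    fsType = "vfat";
  };

  swapDevices = [
    { device = "/dev/disk/by-uuid/fe7dcd85-96c3-4a5f-a5b0-eb5fff0f131e"; }
  ];

  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  hardware.sane.enable = true;
  virtualisation.spiceUSBRedirection.enable = true;
}
--------------------------------------------------------------------------------
/7days-server.module.nix:
--------------------------------------------------------------------------------
{config, pkgs, lib, ...}:
let
  serverName = "Manulinarium";
  worldName = "Manulinarium";
  public = false;
  port = 26900;
  ## render a Nix value as the string the server config expects
  ## (booleans as lowercase true/false, everything else via toString)
  toStringConf = v:
    if v == true then "true"
    else if v == false then "false"
    else toString v;
  configXmlFile = pkgs.writeText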
"seven-days.serverconfig.xml" '' 12 | 13 | 14 | ${lib.concatStringsSep "\n " ( 15 | lib.mapAttrsToList (k: v: 16 | "" 17 | ) { 18 | ServerName = "Manulinarium"; 19 | ServerDescription = "Pallas Cat's Zombieland"; 20 | ServerWebsiteURL = ""; 21 | ServerPassword = "@serverPassword@"; 22 | ServerLoginConfirmationText = ""; 23 | Region = "Europe"; 24 | Language = "German"; 25 | ServerPort = port; 26 | ServerVisibility = 1; # 2 = public, 1 = only friends, 0 = not listed 27 | # Networking protocols that should not be used. Separated by comma. 28 | # Possible values: LiteNetLib, SteamNetworking. 29 | # Disable SteamNetworking if there is no 30 | # NAT router in between your users 31 | ServerDisabledNetworkProtocols = "SteamNetworking"; 32 | # Maximum (!) speed in kiB/s the world is transferred at to 33 | # a client on first connect if it does not have the world yet. 34 | # Maximum is about 1300 kiB/s, even if you set a highe value. 35 | ServerMaxWorldTransferSpeedKiBs = 1800; 36 | ServerMaxPlayerCount = 8; 37 | # Out of the MaxPlayerCount this many slots can only be used 38 | # by players with a specific permission level 39 | ServerReservedSlots = 0; 40 | # Required permission level to use reserved slots above 41 | ServerReservedSlotsPermission = 100; 42 | # This many admins can still join even if the server has reached MaxPlayerCount 43 | ServerAdminSlots = 0; 44 | # Required permission level to use the admin slots above 45 | ServerAdminSlotsPermission = 0; 46 | 47 | WebDashboardEnabled = true; # Enable/disable the web dashboard 48 | WebDashboardPort = 8076; # Port of the web dashboard 49 | WebDashboardUrl = ""; # External URL to the web dashboard if not just using the public IP of the server, e.g. if the web dashboard is behind a reverse proxy. Needs to be the full URL, like "https://domainOfReverseProxy.tld:1234/". 
Can be left empty if directly using the public IP and dashboard port 50 | EnableMapRendering = false; # Enable/disable rendering of the map to tile images while exploring it. This is used e.g. by the web dashboard to display a view of the map. 51 | 52 | TelnetEnabled = true; # Enable/Disable the telnet 53 | TelnetPort = 2376; # Port of the telnet server 54 | # Password to gain entry to telnet interface. If no password 55 | # is set the server will only listen on the local loopback 56 | # interface 57 | TelnetPassword = ""; 58 | # After this many wrong passwords from a single remote client the client will be blocked from connecting to the Telnet interface 59 | TelnetFailedLoginLimit = 10; 60 | # How long will the block persist (in seconds) 61 | TelnetFailedLoginsBlocktime = 10; 62 | # Show a terminal window for log output / command input (Windows only) 63 | TerminalWindowEnabled = false; 64 | # Server admin file name. Path relative to the SaveGameFolder 65 | AdminFileName = "serveradmin.xml"; 66 | 67 | ## Use this to override where the server stores all generated 68 | ## data, including RWG generated worlds. Do not forget to 69 | ## uncomment the entry! 70 | # UserDataFolder = "absolute path"; 71 | 72 | ## Use this to only override the save game path. Do not forget to uncomment the entry! 73 | # SaveGameFolder = "absolute path"; 74 | 75 | 76 | EACEnabled = false; # Enables/Disables EasyAntiCheat 77 | # Hide logging of command execution. 0 = show everything, 1 78 | # = hide only from Telnet/ControlPanel, 2 = also hide from 79 | # remote game clients, 3 = hide everything 80 | HideCommandExecutionLog = 0; 81 | # Override how many chunks can be uncovered on the ingame 82 | # map by each player. Resulting max map file size limit per 83 | # player is (x * 512 Bytes), uncovered area is (x * 256 84 | # m²). 
Default 131072 means max 32 km² can be uncovered at 85 | # any time 86 | MaxUncoveredMapChunksPerPlayer = 131072; 87 | # If disabled a player can join with any selected 88 | # profile. If true they will join with the last profile they 89 | # joined with 90 | PersistentPlayerProfiles = false; 91 | # "RWG" (see WorldGenSeed and WorldGenSize options below) or any 92 | # already existing world name in the Worlds folder (currently 93 | # shipping with e.g. "Navezgane", "PREGEN01", ...) 94 | GameWorld = "RWG"; 95 | # If RWG this is the seed for the generation of the new 96 | # world. If a world with the resulting name already exists 97 | # it will simply load it 98 | WorldGenSeed = worldName; 99 | # If RWG this controls the width and height of the created 100 | # world. It is also used in combination with WorldGenSeed to 101 | # create the internal RWG seed thus also creating a unique 102 | # map name even if using the same WorldGenSeed. Has to be a 103 | # multiple of 2048 between 2048 and 16384, though large map 104 | # sizes will take long to generate / download / load 105 | WorldGenSize = 6144; 106 | # Whatever you want the game name to be. This affects the 107 | # save game name as well as the seed used when placing 108 | # decoration (trees etc) in the world. 
It does not control 109 | # the generic layout of the world if creating an RWG world 110 | GameName = worldName; 111 | GameMode = "GameModeSurvival"; 112 | # 0 - 5, 0=easiest, 5=hardest 113 | GameDifficulty = 1; 114 | # How much damage do players to blocks (percentage in whole numbers) 115 | BlockDamagePlayer = 100; 116 | # How much damage do AIs to blocks (percentage in whole numbers) 117 | BlockDamageAI = 100; 118 | # How much damage do AIs during blood moons to blocks (percentage in whole numbers) 119 | BlockDamageAIBM = 100; 120 | # XP gain multiplier (percentage in whole numbers) 121 | XPMultiplier = 100; 122 | # If a player is less or equal this level he will create a safe zone (no enemies) when spawned 123 | PlayerSafeZoneLevel = 5; 124 | # Hours in world time this safe zone exists 125 | PlayerSafeZoneHours = 5; 126 | # cheat mode on/off 127 | BuildCreate = false; 128 | # real time minutes per in game day: 60 minutes 129 | DayNightLength = 60; 130 | # in game hours the sun shines per day: 18 hours day light per in game day 131 | DayLightLength = 18; 132 | # 0 = nothing, 1 = everything, 2 = toolbelt only, 3 = backpack only, 4 = delete all 133 | DropOnDeath = 1; 134 | # 0 = nothing, 1 = everything, 2 = toolbelt only, 3 = backpack only 135 | DropOnQuit = 0; 136 | # Size (box "radius", so a box with 2 times the given value 137 | # for each side's length) of bedroll deadzone, no zombies 138 | # will spawn inside this area, and any cleared sleeper 139 | # volumes that touch a bedroll deadzone will not spawn after 140 | # they've been cleared. 141 | BedrollDeadZoneSize = 15; 142 | # Number of real world days a bedroll stays active after owner was last online 143 | BedrollExpiryTime = 450; 144 | # This setting covers the entire map. There can only be this 145 | # many zombies on the entire map at one time. Changing this 146 | # setting has a huge impact on performance. 
147 | MaxSpawnedZombies = 64; 148 | # If your server has a large number of players you can 149 | # increase this limit to add more wildlife. Animals don't 150 | # consume as much CPU as zombies. NOTE: That this doesn't 151 | # cause more animals to spawn arbitrarily: The biome 152 | # spawning system only spawns a certain number of animals in 153 | # a given area, but if you have lots of players that are all 154 | # spread out then you may be hitting the limit and can 155 | # increase it. 156 | MaxSpawnedAnimals = 50; 157 | # Max viewdistance a client may request (6 - 12). High impact on memory usage and performance. 158 | ServerMaxAllowedViewDistance = 12; 159 | # Maximum amount of Chunk mesh layers that can be enqueued 160 | # during mesh generation. Reducing this will improve memory 161 | # usage but may increase Chunk generation time 162 | MaxQueuedMeshLayers = 1000; 163 | # Enable/Disable enemy spawning 164 | EnemySpawnMode = true; 165 | # 0 = Normal, 1 = Feral 166 | EnemyDifficulty = 0; 167 | # 0-3 (Off, Day, Night, All) 168 | ZombieFeralSense = 0; 169 | # 0-4 (walk, jog, run, sprint, nightmare) 170 | ZombieMove = 0; 171 | # 0-4 (walk, jog, run, sprint, nightmare) 172 | ZombieMoveNight = 1; 173 | # 0-4 (walk, jog, run, sprint, nightmare) 174 | ZombieFeralMove = 2; 175 | # 0-4 (walk, jog, run, sprint, nightmare) 176 | ZombieBMMove = 3; 177 | # What frequency (in days) should a blood moon take place. Set to "0" for no blood moons 178 | BloodMoonFrequency = 7; 179 | # How many days can the actual blood moon day randomly 180 | # deviate from the above setting. Setting this to 0 makes 181 | # blood moons happen exactly each Nth day as specified in 182 | # BloodMoonFrequency 183 | BloodMoonRange = 0; 184 | # The Hour number that the red day number begins on a blood 185 | # moon day. Setting this to -1 makes the red never show. 
186 | BloodMoonWarning = 8; 187 | # This is the number of zombies that can be alive (spawned 188 | # at the same time) at any time PER PLAYER during a blood 189 | # moon horde, however, MaxSpawnedZombies overrides this 190 | # number in multiplayer games. Also note that your game 191 | # stage sets the max number of zombies PER PARTY. Low game 192 | # stage values can result in lower number of zombies than 193 | # the BloodMoonEnemyCount setting. Changing this setting has 194 | # a huge impact on performance. 195 | BloodMoonEnemyCount = 6; 196 | # percentage in whole numbers 197 | LootAbundance = 100; 198 | # days in whole numbers 199 | LootRespawnDays = 7; 200 | # How often airdrop occur in game-hours, 0 == never 201 | AirDropFrequency = 72; 202 | # Sets if a marker is added to map/compass for air drops. 203 | AirDropMarker = true; 204 | # The distance you must be within to receive party shared 205 | # kill xp and quest party kill objective credit. 206 | PartySharedKillRange = 100; 207 | # Player Killing Settings (0 = No Killing, 1 = Kill Allies 208 | # Only, 2 = Kill Strangers Only, 3 = Kill Everyone) 209 | PlayerKillingMode = 2; 210 | # Maximum allowed land claims per player. 211 | LandClaimCount = 3; 212 | # Size in blocks that is protected by a keystone 213 | LandClaimSize = 41; 214 | # Keystones must be this many blocks apart (unless you are friends with the other player) 215 | LandClaimDeadZone = 30; 216 | # The number of real world days a player can be offline 217 | # before their claims expire and are no longer protected 218 | LandClaimExpiryTime = 720; 219 | # Controls how offline players land claims decay. 0=Slow 220 | # (Linear) , 1=Fast (Exponential), 2=None (Full protection 221 | # until claim is expired). 222 | LandClaimDecayMode = 2; 223 | # How much protected claim area block hardness is increased 224 | # when a player is online. 0 means infinite (no damage will 225 | # ever be taken). 
Default is 4x 226 | LandClaimOnlineDurabilityModifier = 4; 227 | # How much protected claim area block hardness is increased 228 | # when a player is offline. 0 means infinite (no damage will 229 | # ever be taken). Default is 4x 230 | LandClaimOfflineDurabilityModifier = 4; 231 | # The number of minutes after a player logs out that the 232 | # land claim area hardness transitions from online to 233 | # offline. Default is 0 234 | LandClaimOfflineDelay = 0; 235 | # Is Dynamic Mesh system enabled 236 | DynamicMeshEnabled = true; 237 | # Is Dynamic Mesh system only active in player LCB areas 238 | DynamicMeshLandClaimOnly = true; 239 | # Dynamic Mesh LCB chunk radius 240 | DynamicMeshLandClaimBuffer = 3; 241 | # How many items can be processed concurrently, higher values use more RAM 242 | DynamicMeshMaxItemCache = 3; 243 | # Required permission level to use twitch integration on the server 244 | TwitchServerPermission = 90; 245 | # If the server allows twitch actions during a blood 246 | # moon. This could cause server lag with extra zombies being 247 | # spawned during blood moon. 248 | TwitchBloodMoonAllowed = false; 249 | # The number of in-game days which must pass since visiting 250 | # a chunk before it will reset to its original state if not 251 | # revisited or protected (e.g. by a land claim or bedroll 252 | # being in close proximity). 253 | MaxChunkAge = "-1"; 254 | # The maximum disk space allowance for each saved game in 255 | # megabytes (MB). Saved chunks may be forceably reset to 256 | # their original states to free up space when this limit is 257 | # reached. Negative values disable the limit. 
258 | SaveDataLimit = "-1"; 259 | } 260 | )} 261 | 262 | ''; 263 | in { 264 | 265 | networking.firewall.allowedTCPPortRanges = [ { from = port; to = port + 5; } ]; 266 | networking.firewall.allowedUDPPortRanges = [ { from = port; to = port + 5; } ]; 267 | 268 | hst.steam.server.games.seven-days = { 269 | steamId = "294420"; 270 | steamBranch = "public"; # "public-test"; 271 | # extraSteamUpdateArgs = "-betapassword yesimadebackups"; 272 | installDir = "/var/lib/seven-days"; 273 | prepareStart = [ 274 | "${pkgs.coreutils}/bin/cp -f ${configXmlFile} serverconfig.generated.xml" 275 | "${pkgs.coreutils}/bin/chmod u+w serverconfig.generated.xml" 276 | "${pkgs.writeShellScript "passwd-seven-days" '' 277 | ${pkgs.stdenv-substituters}/bin/substituteAllInPlace \ 278 | --subst-var-by serverPassword "$(cat /etc/secrets/seven-days/server-password)" 279 | ''}" 280 | ]; 281 | startCommand = '' 282 | ${pkgs.steam-run}/bin/steam-run ./startserver.sh \ 283 | -configfile=serverconfig.generated.xml 284 | ''; 285 | }; 286 | 287 | } 288 | -------------------------------------------------------------------------------- /bendlas.net/www/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 83 | 84 | 85 |
86 |
87 |

Herwig Hochleitner @bendlas

88 |

User-Stack Software Engineer

89 | 96 |
97 |
98 |
99 |

This is a CV and profile of my skills and interests.

100 |

Areas of Expertise top

101 |

102 | My professional skills and interests, grouped by strength of expertise into senior, working and junior. 103 |

104 |

105 | Senior Level 106 | 107 |

108 |

109 | To consider myself "senior level" in an area, I need to feel 110 | comfortable to offer in-depth analyses of existing systems and 111 | to design, create and maintain lasting systems. 112 |

113 |

Functional Architecture

114 |

115 | I have extensive experience with functional programming techniques. That 116 | includes Nix(OS) on the operations level, Clojure(Script) on 117 | the application level and React(Native) on the UI level. 118 |

119 |

120 | I like to focus on declarative, reproducible and 121 | introspectable systems, with explicit effects, based on 122 | functional techniques. 123 |

124 |

User Stack Engineering

125 |

126 | The user stack is the part of the "Full Stack" running in the user space provided by a typical POSIX kernel. For a typical project, engineering the user stack entails: 127 |

128 |
    129 |
  • Requirement Design
  • 130 |
  • Security Design / API
  • 131 |
  • Storage / DBMS
  • 132 |
  • Distributed Consistency
  • 133 |
  • UI Programming
  • 134 |
135 |

136 | I do not consider myself a "Full Stack" developer. For that I would need to also become proficient in: 137 |

138 |
    139 |
  • Kernel programming and even lower software, like drivers, firmware or FPGA programs
  • 140 |
  • UI Design, this website is about the best I can do
  • 141 |
  • SEO. I'd rather work with a marketing team for such requirements
  • 142 |
  • Operations / Monitoring
  • 143 |
  • Provisioning / Scaling / Load Balancing
  • 144 |
145 |

Preferred Stack

146 |

To deliver full systems, I like to rely on these technologies in particular

147 |
    148 |
  1. Nix + NixOps
  149 |
  2. PostgreSQL / Datomic
  150 |
  3. JVM + Clojure
  151 |
  4. GraphQL / HTTP
  152 |
  5. React + ClojureScript
  153 |
154 |

155 | Working Level 156 | 157 |

158 |

159 | To consider myself "working level" in an area, I need to feel 160 | comfortable to become productive within an existing system 161 | quickly and to create a new system after some research. 162 |

163 |

Java Programming

164 |

165 | I have delivered projects on JavaME, Android and JavaEE, and I 166 | know my way around the JVM pretty well. 167 |

168 |

169 | For server programming, I prefer using Clojure to program the 170 | JVM. For Android, I prefer using ReactNative, to keep the 171 | necessary Java to a minimum. At these, I'd consider myself 172 | senior level. 173 |

174 |

Browser Programming

175 |

176 | With web standards changing as fast as they do, I consider it 177 | really hard to stay senior level at this. I have been 178 | delivering UIs via the browser for all my programming life, 179 | habitually working around browser quirks. I care about 180 | accessibility and progressive enhancement. 181 |

182 |

183 | Web APIs, I've used as a frontend programmer, include: 184 |

185 |
    186 |
  • Indexed DB
  • 187 |
  • Web Workers
  • 188 |
  • Web Audio
  • 189 |
  • Performance
  • 190 |
  • Notifications
  • 191 |
  • Local Storage
  • 192 |
  • History
  • 193 |
194 |

195 | Still on my TODO list: 196 |

197 |
    198 |
  • Service Workers
  • 199 |
  • Web Assembly
  • 200 |
  • WebGL
  • 201 |
202 |

203 | For browser work, I prefer to use ClojureScript with React. At 204 | this, I'd consider myself senior level. 205 |

206 |

Infrastructure Operations

207 |

208 | Many of my deliverables have been full user-facing systems, 209 | spanning browsers, mobile devices and server-side 210 | components. Often, I'd also operate the hardware for the 211 | servers. 212 |

213 |

214 | This means that I'm basically familiar with Monitoring, 215 | Provisioning, Scaling and Load Balancing, and I design my 216 | systems such that they interact well with these. 217 |

218 |

219 | Apart from running my personal and development infrastructure, 220 | I prefer to work with an ops team. Though, I believe that 221 | functional, reactive architecture can bring development very 222 | close to operations. 223 |

224 |

Shell / Systems Programming

225 |

226 | It's hard to enumerate all the languages and technologies 227 | I've worked with during my activity as a package maintainer 228 | for NixOS; most often there is Python (which I also did some 229 | application programming in), Bourne shell, autotools, systemd 230 | and small C programs. 231 |

232 |

Event Sourcing

233 |

234 | Deriving consistency guarantees from the single-writer 235 | principle leads to simpler and more introspectable systems and 236 | I like to apply it in my designs, if possible. I have 237 | experience with Datomic, which designs a database system 238 | around this, as well as Matrix.org, which is ostensibly a chat 239 | protocol, but it's really a standardized event DAG. 240 |

241 |

Lisp

242 |

243 | In addition to Clojure, I've worked with Common Lisp and Emacs 244 | Lisp, and I found my skills to carry over well. 245 |

246 |

Docker

247 |

248 | I really appreciate docker for guiding me towards discovering 249 | the power of unshare(1). 251 |

252 |

253 | Junior Level 254 | 255 |

256 |

257 | To consider myself "junior level" in an area, I need to have 258 | set up a working environment and written some code 259 | myself. Here are some that I'm interested in expanding my 260 | skill in. 261 |

262 |

Custom Android Builds / ChromeOS Ecosystem

263 |

264 | Due to maintenance of the Chromium package in NixOS, as well 265 | as experiments with WebRTC, I'm somewhat familiar with the 266 | ChromeOS build system and infrastructure. I also developed a 267 | prototype of a kiosk, which included developing patches for 268 | Android. 269 |

270 |

Realtime Graphics

271 |

272 | I have developed an OpenGL ES feature for an android app at 273 | some point and I'm generally interested in hardware - 274 | accelerated realtime graphics, as well as scientific 275 | programming using CUDA or OpenCL. 276 |

277 |

Programming Languages

278 |

279 | I've done some toy projects / prototypes in these. Interested in picking them up again. 280 |

281 |
    282 |
  • Erlang / Elixir
  • 283 |
  • Ocaml
  • 284 |
  • Haskell
  • 285 |
286 |

Unfortunately no experience in Rust

287 |

288 | If you're willing to let me learn this on the job, I'd be delighted. 289 |

290 |

Working Experience top

291 |

292 | My work so far, in roughly chronological order. 293 |

294 |

Employments

295 |

Network Administrator at Urbas

296 |

297 | Linux, SunOS, Windows. Also did my first paid development: A python server + web UI for transferring files too large for email attachments (shouldn't be a problem nowadays .. hah). 298 |

299 |

Junior .. Senior Developer at Bolldorf

300 |

301 | A small shop that I helped build up from a very early stage. There I got my holistic view on systems, as well as an opportunity to use many different technologies in the field. 302 |

303 |

Frontend Developer at Diagnosia

304 |

305 | Helped them with expanding into the German market. 306 |

307 |

Open Source Engagements

308 |

309 | Projects with actual users that I work on regularly. For more, visit my github profile. 310 |

311 |

Maintainer of Clojure's data.xml library

312 |

313 | Started out by implementing missing namespacing support. Got handed the keys. 314 |

315 |

Maintainer of nixpkgs

316 |

317 | The package collection for NixOS. This is a full linux 318 | distribution and I've been involved (amongst other) with the 319 | following packages: 320 |

321 |
    322 |
  • CDemu (Creator)
  • 323 |
  • Wine (Contributor)
  • 324 |
  • Chromium (Maintainer)
  • 325 |
  • systemtap (Contributor)
  • 326 |
  • Emacs (Contributor)
  • 327 |
  • Gnome (Contributor)
  • 328 |
  • ja2-stracciatella (Creator)
  • 329 |
  • firmware-linux (Contributor)
  • 330 |
  • dwarf-fortress (Contributor)
  • 331 |
332 |

Projects

333 |

334 | Notable projects from my employments and freelance gigs. 335 |

336 |

RingIt

337 |

338 | A smartphone gadget for managers of a hotel chain, to 339 | display the current resident when getting called from a 340 | room. Python on Nokia S60. 341 |

342 |

DIWNFC

343 |

344 | A full system for a facility management company, generating 345 | SLA compliance reports. Clojure, jQuery, NFC, JavaME on Nokia 346 | S40, Java on Android. 347 |

348 |

Car2Go for BlackBerry

349 |

350 | Carsharing app, cross-platform for BBOS6 and 351 | BBOS10. Clojurescript in WebView + native JavaME extensions on 352 | BBOS6. 353 |

354 |

diekriseverstehen.net

355 |

356 | Political information. Clojurescript, SVG. 357 |

358 |

Heterodox Newsletter backend

359 |

360 | A CMS and authoring system for an academic 361 | newsletter. Clojure, ClojureScript, Datomic. 362 |

363 |

lebensretter.at backend

364 |

365 | Service for volunteer first responders, to get notified in 366 | emergency situations near them. Clojure, ClojureScript 367 |

368 |

CNPView mobile map viewer

369 |

370 | High-Performance viewer for a map with vector and marker 371 | overlays. Java and GLES on Android, OpenGL ES. 372 |

373 |

Diagnosia germany UI

374 |

375 | Browser UI, as well as setup to unify native apps. ClojureScript, React, ReactNative. 376 |

377 |

378 | Education top 379 | 380 |

381 |

382 | Mechanical Engineering 383 | 384 |

385 |

386 | Cambridge 1st Certificate in English 387 | 388 |

389 |

390 | Software & Information Engineering 391 | 392 |

393 |

Other Interests top

394 |

Beatbox

395 |

396 | I'm a passionate beatboxer and regularly attend jam sessions and other events. 397 |

398 |

Climbing / Bouldering

399 |

400 | I love climbing as a holistic workout, but also as an excuse to visit interesting places. 401 |

402 |

403 | Free Software 404 | 405 |

406 |

407 | The free software community enriched my life and career a great deal and I try to give back when I can. 408 |

409 |

Event Management / Volunteer Coordination

410 |

411 | After many years of being involved in the beatbox community in Vienna, I have started to host a regular beatbox event. Also, I have been involved in organizing a 2-day festival, based on voluntary work, in my home town. 412 |

413 |

Cycling

414 |

415 | I'm really into cycling as a means of transportation and have worked in a bicycle workshop. I used to do the occasional single-trail. 416 |

417 |
418 | 429 | 430 | 431 | --------------------------------------------------------------------------------